I have Arch on server and client. I followed the wiki on setting up NFSv4.
I saw sec=sys won't work with idmapping. I didn't add sec=sys to /etc/exports and included insecure.
https://wiki.archlinux.org/title/NFS#En … _idmapping
# cat /etc/exports
/srv/nfs nfs-server.example.com(rw,sync,fsid=0,no_subtree_check,all_squash,insecure)
/srv/nfs/work-dir nfs-server.example.com(rw,sync,no_subtree_check,all_squash,nohide,insecure)
After I update exports -arv and run # exportfs -v there are a number of other options I haven't included which I think might be added by default, including sec=sys.
# exportfs -v
/srv/nfs nfs-server.example.com(sync,wdelay,hide,no_subtree_check,fsid=0,sec=sys,rw,insecure,root_squash,all_squash)
/srv/nfs/work-dir nfs-server.example.com(sync,wdelay,nohide,no_subtree_check,sec=sys,rw,insecure,root_squash,all_squash)
I have the same UID/GID on client and server. I changed ownership on client and server for /srv/nfs/ and /mnt/work-dir. Domains are the same in /etc/idmap.conf.
If sec=sys is included by default, how can I use NFSv4 with idmapping to use a domain? I followed this link:
https://unix.stackexchange.com/question … 950#464950
on client and server
# echo "N" > /sys/module/nfsd/parameters/nfs4_disable_idmapping
On NFSv4-CLIENT
# mount -vvv -t nfs4 -o vers=4.2 nfs-server.example.com:/srv/nfs/work-dir /mnt/work-dir
mount.nfs4: timeout set for Sat May 18 18:49:57 2024
mount.nfs4: trying text-based options 'vers=4.2,addr=192.168.1.124,clientaddr=192.168.1.117'
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting nfs-server.example.com:/work-dir
on SERVER though:
# dmesg | grep id_resolver
#
returns nothing. Is that the problem, and if so, how do I get that id_resolver?
Many thanks.
Last edited by chuckd333 (2024-05-19 16:05:50)
Offline
Is nfs-server.example.com a bunch of unrelated placeholders in your post or literal?
In /etc/exports it's a client restriction, you typically want your LAN netmask or some specific LAN client(s) there.
In mount it's the server address, so it should be the IP or a resolvable domain of the server.
The relevant IPs seem to be 192.168.1.117 and 192.168.1.124 for client and server respectively.
In case you're trying to obfuscate something, LAN IPs (check "whois 192.168.1.124") are completely meaningless outside the LAN and you can reveal them verbatim.
Offline
nfs-server.example.com is just a placeholder. It's my work url.
the LAN IPs are my actual IPs.
On the CLIENT:
# cat /etc/hosts
192.168.1.124 nfs-server.example.com nfs-server
SERVER:
# cat hostname
nfs-server.example.com
I will try with the IP and not the url.
Offline
Using the server IP in exports is borderline pointless.
# exportfs -v
/srv/nfs 192.168.1.0/24(sync,wdelay,hide,no_subtree_check,fsid=0,sec=sys,rw,insecure,root_squash,all_squash)
/srv/nfs/work-dir 192.168.1.0/24(sync,wdelay,nohide,no_subtree_check,sec=sys,rw,insecure,root_squash,all_squash)
exports to your entire WLAN segment, 192.168.1.117 instead of 192.168.1.0/24 will restrict this to the very specific client.
Don't forget to run "exportfs -arv" after editing the file.
Offline
Thank you.
After re-reading your reply, on the server I changed the /etc/exports to have the client hostname, not the server:
# cat /etc/exports
/srv/nfs client.example.com(rw,sync,fsid=0,no_subtree_check,all_squash,insecure)
/srv/nfs/work-dir client.example.com(rw,sync,no_subtree_check,all_squash,nohide,insecure)
For others, I originally added the server name, not the client IP/hostname. Per the wiki: "Add directories to be shared and limit them to a range of addresses via a CIDR or hostname(s) of client machines that will be allowed to mount them in /etc/exports"
Still, though, why do I get all these other options that aren't in my exports file when I run below:
# exportfs -v
/srv/nfs client.example.com(sync,wdelay,hide,no_subtree_check,fsid=0,sec=sys,rw,insecure,root_squash,all_squash)
/srv/nfs/work-dir client.example.com(sync,wdelay,nohide,no_subtree_check,sec=sys,rw,insecure,root_squash,all_squash)
Offline
understood. I thought I'd try to be more secure since it's just me working from home with the one laptop.
Offline
It lists the (applied) defaults, https://man.archlinux.org/man/exports.5
Do NFS mounts now work or are there remaining issues?
Offline
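As an added example (not part of any post in this thread, and not nfs-utils or Arch wiki code), this Python script parses the /etc/exports and exportfs -v text quoted above, lists the options the server applied by default, and flags client specs that match more than one host or carry insecure. The function names are hypothetical, and quoted paths and backslash line continuations are assumed not to occur.

```python
import ipaddress
import re

# Sample input copied from the thread's final configuration.
EXPORTS_FILE = """\
/srv/nfs client.example.com(rw,sync,fsid=0,no_subtree_check,all_squash,insecure)
/srv/nfs/work-dir client.example.com(rw,sync,no_subtree_check,all_squash,nohide,insecure)
"""
EXPORTFS_V = """\
/srv/nfs client.example.com(sync,wdelay,hide,no_subtree_check,fsid=0,sec=sys,rw,insecure,root_squash,all_squash)
/srv/nfs/work-dir client.example.com(sync,wdelay,nohide,no_subtree_check,sec=sys,rw,insecure,root_squash,all_squash)
"""
ENTRY = re.compile(r"(\S+?)\(([^)]*)\)")  # client(opt,opt,...)

def parse(text):
    """Map (path, client) -> option set, for either file or exportfs -v text."""
    table, path = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]
        if not line.strip():
            continue
        rest = line
        if not line[0].isspace():  # a path starts the line; indented lines continue it
            parts = line.split(None, 1)
            path, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        for client, opts in ENTRY.findall(rest):
            table[(path, client)] = set(filter(None, opts.split(",")))
    return table

def applied_defaults(written, effective):
    """Options the server reports that were never written in the file."""
    return {k: sorted(effective[k] - opts) for k, opts in written.items() if k in effective}

def audit(effective):
    """Flag client specs matching several hosts and the 'insecure' option."""
    findings = []
    for (path, client), opts in effective.items():
        broad = "*" in client or "?" in client
        try:
            broad = broad or ipaddress.ip_network(client, strict=False).num_addresses > 1
        except ValueError:
            pass  # hostname or netgroup rather than an address
        if broad:
            findings.append((path, client, "matches more than one client"))
        if "insecure" in opts:
            findings.append((path, client, "accepts source ports above 1023"))
    return findings

if __name__ == "__main__":
    print(applied_defaults(parse(EXPORTS_FILE), parse(EXPORTFS_V)))
    print(audit(parse(EXPORTFS_V)))
```

On a live server, feed it the contents of /etc/exports and the output of exportfs -v instead of the embedded strings.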
OK, thanks. I'll read through that link again.
Yes, everything works now.
I'll mark as solved.
Thanks again.
Offline