NFS export config question

Phishfry


I am setting up an NFSv3 server and I would like to have my server's /shared directory exported globally.

I want to have it available across several subnets and I wonder if I could streamline it better:
/etc/export
Code:
/shared -alldirs 192.168.1.0/24 192.168.50.0/24 192.168.100.0/24 192.168.111.0/24
How could I share to the entire third octet without adding all 255 addresses?
192.168.***.***

I was thinking 192.168.0.0/24 but I think that only references the 192.168.0.1 subnet.

I like to create separate projects on subnets and want to have NFS access on temporary subnets I might create.
 
Phishfry


That worked perfectly.

/etc/export
Code:
/shares -maproot=root -network 192.168.0.0/16
/etc/rc.conf on NFS Server
Code:
rpcbind_enable="YES"
nfs_server_enable="YES"
mountd_enable="YES"
mountd_flags="-n"
weak_mountd_authentication="YES"
That last line took me a while to find.
Was getting this message on the client end.
Code:
root@DELL:~ # mount 192.168.1.248:/shares /shared
[tcp] 192.168.1.248:/shares: RPCPROG_MNT: RPC: Authentication error; why = Client credential too weak
Client /etc/rc.conf
Code:
nfs_client_enable="YES"
#nfs_client_flags="-n 4"
#rpc_lockd_enable="YES"
#rpc_statd_enable="YES"
I had experimented with all the commented out lines.
 
Phishfry


I was worried about adding this line to /etc/rc.conf as I have not seen it used much.
weak_mountd_authentication="YES"
So I looked on the server log and determined that it is an RPC_PORTMAP problem. So reading on that I found a suggested fix by adding to /etc/host.allow this line:
portmap : 192.168.0.0/255.255.255.0 : allow
While I was there I added this too:
rpcbind : 192.168.0.0/255.255.255.0 : allow
/etc/host.allow
Code:
# Rpcbind is used for all RPC services; protect your NFS!
# Rpcbind should be running with -W option to support this.
# (IP addresses rather than hostnames *MUST* be used here)
#rpcbind : 192.0.2.32/255.255.255.224 : allow
#rpcbind : 192.0.2.96/255.255.255.224 : allow
portmap : 192.168.0.0/255.255.255.0  : allow
rpcbind : 192.168.0.0/255.255.255.0  : allow
My question is: Is this an OK fix? I was able to remove the "allow weak authentication" line from /etc/rc.conf.
What does the "protect your NFS" comment mean here?
 

SirDice


If portmapper/rpcbind are limited to 192.168.0.0/24 your NFS clients will be limited to that range too. NFS requires RPC access.
 
Phishfry


I see what you mean. You would think I need /16 but it works now. I did not get a chance to dig into RPC authentication.
I know I don't like the sound of weak mountd authentication.

So I should use this netmask then?
192.168.0.0/255.255.0.0
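
Added example (not part of any post in this thread): a small Python check of the mismatch discussed above, comparing the `-network` range on the export line with the `rpcbind` allow rule and listing the exported ranges the rule does not match. It assumes the quoted rule is the only one that admits rpcbind clients; the client addresses are constructed.

```python
import ipaddress

# Constructed inputs: the export line and rpcbind rule quoted in the thread.
EXPORTS_LINE = "/shares -maproot=root -network 192.168.0.0/16"
HOSTS_ALLOW = """\
#rpcbind : 192.0.2.96/255.255.255.224 : allow
portmap : 192.168.0.0/255.255.255.0  : allow
rpcbind : 192.168.0.0/255.255.255.0  : allow
"""

def export_network(line):
    """Network that follows -network on an exports line (CIDR form only)."""
    fields = line.split()
    return ipaddress.ip_network(fields[fields.index("-network") + 1])

def allow_networks(text, daemon="rpcbind"):
    """Networks from 'daemon : net/mask : allow' rules (IPv4; comments skipped)."""
    nets = []
    for raw in text.splitlines():
        parts = [p.strip() for p in raw.split("#", 1)[0].split(":")]
        if len(parts) >= 3 and parts[0] == daemon and parts[2] == "allow":
            nets.append(ipaddress.ip_network(parts[1]))
    return nets

def coverage(addr, exports_line=EXPORTS_LINE, hosts_allow=HOSTS_ALLOW):
    """Return (matches export network, matches an rpcbind allow rule)."""
    ip = ipaddress.ip_address(addr)
    return (ip in export_network(exports_line),
            any(ip in n for n in allow_networks(hosts_allow)))

def uncovered(exports_line=EXPORTS_LINE, hosts_allow=HOSTS_ALLOW):
    """Exported ranges that no rpcbind allow rule matches."""
    remaining = [export_network(exports_line)]
    for rule in allow_networks(hosts_allow):
        kept = []
        for net in remaining:
            if rule.subnet_of(net):
                kept.extend(net.address_exclude(rule))  # carve the rule out
            elif not net.subnet_of(rule):
                kept.append(net)  # disjoint from the rule: still uncovered
        remaining = kept
    return sorted(remaining)

if __name__ == "__main__":
    for client in ("192.168.0.10", "192.168.50.10"):  # constructed client addresses
        print(client, coverage(client))
    print("exported but not matched by rpcbind rule:", uncovered())
```

Passing a rule with the 255.255.0.0 mask as `hosts_allow` makes `uncovered()` return an empty list, meaning the rpcbind rule and the export then describe the same range.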
 