RPCPROG_MNT: RPC: Authentication error; why = Client credential too weak

mamalos

Well-Known Member

Reaction score: 51
Messages: 446

Hi everybody,

this (the title of this thread) is the error I am getting from my NFS client when I try to mount a filesystem from my NFS server. On the server I get:
Code:
[tcp] 192.168.100.11:home: RPCPROG_MNT: RPC: Authentication error; why = Client credential too weak
I am executing the command as root, and both server and client run a version of FreeBSD-8 (not the latest). $ shomount -e servershows the correct information. If I start mountd with the -n option (on the server), then everything works just fine.

tcpdump shows that the client connects from an unprivileged port, indeed, which worries me.

Is there a way to understand why my client tries to mount remote filesystems using a non-privileged port, even though the mount command is executed as root?

For the POC, I switched the roles of server and client, and I had exactly the same problem.

I know I am missing something easy on this, but my head is stuck. If anyone can help, it would be really great!

Thank you all in advance.
 

SirDice

Administrator
Staff member
Administrator
Moderator

Reaction score: 13,908
Messages: 40,632

It's probably rpcbind. What does # rpcinfo server tell you?
Are mountd and nfs properly registered? Do you set any flags for rpcbind, mountd and/or nfsd?
 
OP
M

mamalos

Well-Known Member

Reaction score: 51
Messages: 446

SirDice,

Thank you for your answer. Here is what rpcinfo shows:
Code:
 # rpcinfo server
   program version netid     address                service    owner
    100000    4    tcp       0.0.0.0.0.111          rpcbind    superuser
    100000    3    tcp       0.0.0.0.0.111          rpcbind    superuser
    100000    2    tcp       0.0.0.0.0.111          rpcbind    superuser
    100000    4    udp       0.0.0.0.0.111          rpcbind    superuser
    100000    3    udp       0.0.0.0.0.111          rpcbind    superuser
    100000    2    udp       0.0.0.0.0.111          rpcbind    superuser
    100000    4    tcp6      ::.0.111               rpcbind    superuser
    100000    3    tcp6      ::.0.111               rpcbind    superuser
    100000    4    udp6      ::.0.111               rpcbind    superuser
    100000    3    udp6      ::.0.111               rpcbind    superuser
    100000    4    local     /var/run/rpcbind.sock  rpcbind    superuser
    100000    3    local     /var/run/rpcbind.sock  rpcbind    superuser
    100000    2    local     /var/run/rpcbind.sock  rpcbind    superuser
    100003    2    udp       0.0.0.0.8.1            nfs        superuser
    100003    3    udp       0.0.0.0.8.1            nfs        superuser
    100003    2    udp6      ::.8.1                 nfs        superuser
    100003    3    udp6      ::.8.1                 nfs        superuser
    100003    2    tcp       0.0.0.0.8.1            nfs        superuser
    100003    3    tcp       0.0.0.0.8.1            nfs        superuser
    100003    2    tcp6      ::.8.1                 nfs        superuser
    100003    3    tcp6      ::.8.1                 nfs        superuser
    100005    1    udp6      ::.2.108               mountd     superuser
    100005    3    udp6      ::.2.108               mountd     superuser
    100005    1    tcp6      ::.2.108               mountd     superuser
    100005    3    tcp6      ::.2.108               mountd     superuser
    100005    1    udp       0.0.0.0.2.108          mountd     superuser
    100005    3    udp       0.0.0.0.2.108          mountd     superuser
    100005    1    tcp       0.0.0.0.2.108          mountd     superuser
    100005    3    tcp       0.0.0.0.2.108          mountd     superuser
Excerpt from the server's /etc/rc.conf:
Code:
rpcbind_enable="YES"
mountd_flags="-nr"
nfs_server_enable="YES"
nfs_client_enable="YES"
mountd_enable="YES"
Excerpt from the client's /etc/rc.conf:
Code:
rpcbind_enable="YES"
mountd_enable="YES"
mountd_flags="-e"
rpc_statd_enable="YES"
rpc_lockd_enable="YES"
nfs_server_enable="YES"
nfs_client_enable="YES"
nfs_client_flags="-n 4"
nfsuserd_enable="YES"
gssd_enable="YES"
Excerpt from the server's kernel config file:
Code:
options 	NFSCLIENT		# Network Filesystem Client
options		NFSD			# NFSv4 server
options 	NFSLOCKD		# Network Lock Manager
options 	NFS_ROOT		# NFS usable as /, requires NFSCLIENT
options		KGSSAPI			# Gia to kerberized NFS
device		crypto			# Epishs gia to kerberized NFS
Excerpt from the client's kernel config file:
Code:
options 	NFSCLIENT		# Network Filesystem Client
options 	NFSSERVER		# Network Filesystem Server
options 	NFSLOCKD		# Network Lock Manager
options 	NFS_ROOT		# NFS usable as /, requires NFSCLIENT
options		KGSSAPI			# Gia to kerberized NFS
device		crypto			# Epishs gia to kerberized NFS
As you can see, my nfs client works as an nfs server too (using gssapi sec=krb5i exports). I've tried mounting the share from another FreeBSD client, and had the same results. Moreover, you can see that my server is built with nfs4 support, but I don't think that this is the problem, since trying to mount my client's nfs share from the another client machine (also FreeBSD) has the exact same results. Nonetheless, when I mount the same shares from my linux clients, it works (linux uses a privileged port).

Thanks again for your interest.
 

SirDice

Administrator
Staff member
Administrator
Moderator

Reaction score: 13,908
Messages: 40,632

Try removing the mountd_flags on the server.
 
OP
M

mamalos

Well-Known Member

Reaction score: 51
Messages: 446

SirDice,

I commented out mountd_flags and had the exact same result. Then I realized that mountd_flags is set to '-r' in /etc/defaults/rc.conf (which was also proved by ps axuww | grep -i mountd), so I removed it, with no luck either.

I don't know why this is happening, I'll test it again after I upgrade all my machines (after I back them up) to the latest version of FreeBSD and relative ports.

Thanks again.
 
OP
M

mamalos

Well-Known Member

Reaction score: 51
Messages: 446

SirDice,

one more thing that I think should be highlighted: It must be the client's fault, not the server's. As I stated on a previous message, my linux clients work fine (they're using a privileged port).
 

Gkarfield

New Member


Messages: 18

hello mamalos

from fbsd 7.1 [client] I get connection with the server [ fbsd 8.1], the mount works fine.
But I decided before some days to built bsd inside bsd [virtual] and I get the same errror as you.

ftp works fine by the way.
----
I am a simple user [short of]
 

qsecofr

Active Member

Reaction score: 15
Messages: 246

Any permissions discrepancies on the exported directory tree and the mount point on the client?

On the server, you can tell mountd which port to listen on with the "-p" option. The man page for mount_nfs suggests that the "-P" and "-N" options are obsolete.
 

peetaur

Active Member

Reaction score: 17
Messages: 167

A NAT changes the port from the server's point of view so the server sees an insecure port. Perhaps you have the client behind a NAT?

In a Linux server, you can specify "insecure" in the options of the export line.

In FreeBSD, I read that you can add to rc.conf:
Code:
nfs_reserved_port_only="NO"
I tried that, and it has no effect.
 

Trevor Bailey

New Member


Messages: 4

Any permissions discrepancies on the exported directory tree and the mount point on the client?

On the server, you can tell mountd which port to listen on with the "-p" option. The man page for mount_nfs suggests that the "-P" and "-N" options are obsolete.

Thanks. This was my problem indeed. I had added a new filesystem in /etc/fstab and was testing it out by re-mounting fstab using mount -a After receiving the above mentioned error, I realized that I didn't have permissions to write to the mount point I chose. After running sudo mount -a it mounted successfully. This is maybe not the issue you're having. It was definitely a permissions discrepancy for me while connecting to my mount point.
 
Last edited by a moderator:
Top