Old 12-08-2005, 04:44 PM   #1
toreric
Member
 
Registered: Dec 2005
Location: Tväråmark, Sweden
Distribution: Debian/Kubuntu
Posts: 105

Rep: Reputation: 27
NFS mount: Permission denied


This is a purified and ridiculous "access denied"-problem, which I cannot resolve, trying to connect two simple Debian Linux boxes using simple NFS.

Is there a bug, or have I just missed some basic access permission setting? The most significant recommendation from my friends is to start from scratch by reinstallation and so on. I hesitate strongly, since the boxes have come to a mature state as regards all other configuration aspects. They are well customized and in 'production use', one of them as a working Samba server. All other ways to resolve this must be investigated, and at the moment I have exhausted all internet manual sources that I can find. Then I recently found an old thread at LQ touching this problem, though without key information that helps me. So I'm launching a new, hopefully more distinct thread. Here is my story:

Nfs networking - is it possible?

This is a summary (condensed* in an attempt to exclude a lot of 'related' but seemingly irrelevant information) of extended studies of what happens when nfs file sharing/mounting is initiated using two cable-router-connected Linux 2.6 boxes, both run with nfs-kernel-server (a brief test using nfs-user-server produced equivalent results).

This is the computer setup, though it's insignificant which box is chosen as server and client, respectively:
Code:
Computername  IPno          Nfs-role  Linux kernel       Debian dist
scandic       127.168.0.11  server    2.6.8-2-686 i686   Sarge (stable)
andromeda     127.168.0.12  client    2.6.12-1-686 i686  Etch (testing)
I intend to mount a home directory on scandic (/home/tore) at a mounting point of andromeda (/mnt/scandic), that is, to mount scandic:/home/tore at andromeda:/mnt/scandic (Oops! important: since both boxes have equal basic directory structures, don't mix up file references between them!).

CHAPTER 1. Server preparation. I put this in the file /etc/exports (just one significant line):
Code:
/home/tore/     127.168.0.12(rw,no_root_squash,sync)
After server reboot: Is the directory REALLY exported? It doesn't seem so, since /var/lib/nfs/xtab is empty. OK, then run exportfs that will force export:
Code:
root@scandic:~# exportfs -rav
exporting andromeda:/home/tore
reexporting andromeda:/home/tore to kernel
Note 1. Inconsistent export naming. The file 'andromeda:/home/tore' is not intended to exist as such (although it does, on andromeda!) but should mean that andromeda is allowed to mount /home/tore (OK?).

Note 2. Since this is nfs-kernel-server, the initial boot export was not shown in /var/lib/nfs/xtab although a silent export occurred into the kernel. This is indirectly verified by the message indicating that exportfs REexports into the kernel. Conclusion: OK, exportfs wasn't necessary, xtab obsolete (?), xtab content (that we generated):
Code:
/home/tore      andromeda(rw,sync,wdelay,hide,nocrossmnt,secure,no_root_squash, 
no_all_squash,subtree_check,secure_locks,mapping=identity,anonuid=-2,anongid=-2)
Note 3. We can see that the computername-IPno translation is correct, since whether 127.168.0.12 or andromeda is used in /etc/exports, exportfs always reports andromeda.

CHAPTER 2. We check that required daemons are up and running, using rpcinfo -p. Running daemons are: portmapper (v.2), nfs (v.2,3,4), nlockmngr (v.1,3,4), mountd (v.1,2,3), and status (v.1), each in both tcp and udp versions; also sgi_fam (v.2, tcp only). That should be sufficient. BTW, let's test rpcinfo -p andromeda from the server! Result: Identical. And the other way round, that is, the client's daemon list and scandic listed from the client: Equal.

Note 4. Thus the two boxes communicate well, which can also be shown by pinging each other. So far, so good!

CHAPTER 3. Client preparation (except that we have already verified the daemon population): Make the mounting point mnt/scandic. Add one (1) line to /etc/fstab in order to make mounting more convenient with some pre-defined parameters. I have tested various versions, we may use one of these (note that user and users are different parameters):
Code:
scandic:/home/tore  /mnt/scandic  nfs  rw,users,timeo=14,hard,intr 0 0

scandic:/home/tore  /mnt/scandic  nfs  rw,user,rsize=8192,wsize=8192,timeo=14,intr 0 0
The variations should be insignificant for mounting/unmounting-tests as root. So far, still good.

Note 5. The /etc/hosts file content on the server, just as reference:
Code:
127.0.0.1       localhost.localdomain   localhost       scandic
127.168.0.11    scandic
127.168.0.12    andromeda
Note 6. The /etc/hosts file content on the client, just as reference:
Code:
127.0.0.1       localhost.localdomain   localhost       andromeda
127.168.0.11    scandic
127.168.0.12    andromeda
CHAPTER 4. Mount the server directory scandic:/home/tore on the client andromeda as [andromeda:]/mnt/scandic
First attempt:
Code:
root@andromeda:~# mount -t nfs scandic:/home/tore /mnt/scandic
mount: scandic:/home/tore failed, reason given by server: Permission denied
Second attempt (relying on fstab):
Code:
root@andromeda:~# mount /mnt/scandic
mount: scandic:/home/tore failed, reason given by server: Permission denied
So far, no good!

CHAPTER 5. Investigate the server syslog, since we were told that the reason should be given by the server. There is nothing to find!

CHAPTER 6. Investigate the client syslog. It says:
Code:
Dec  1 22:53:22 localhost mountd[4963]: refused mount request from scandic for /home/tore (/): no export entry

Dec  1 22:54:38 localhost mountd[4963]: refused mount request from scandic for /home/tore (/): no export entry
- thus repeating the same message for each of the two attempts. To add: This is the case even at a pure manual mount attempt (like First try) without any information in fstab (such as the line we added) that might possibly intervene.

Note 7. The syslog message is somewhat confusing. Who is requesting what? For an ignorant observer the terminology seems awkward, since didn't we request andromeda to mount? Haven't we verified that scandic has exported /home/tore? True, however, that andromeda hasn't exported /home/tore !! (In case scandic would request it.) All confusing. This may finish my 'Linux project'!

Note 8. Further investigations show that if similar /etc/exports and /etc/fstab files are set up on both boxes (both client and/or server), mounting in this way virtually functions well, but any of them will happily mount its OWN directory (remember: equal structures). That was my very first experience (really cheated!). What is going on? Next step is, of course, trying to separate the client and server functionality by defining exports from only a single SERVER and using the other box as only CLIENT. As shown. So far, still worse. This may finish my Linux.

Note 9. I think I can run a net entirely with Samba, but I refuse to use Samba for pure Linux-to-Linux connections, just by stubbornness (and a few more reasons). This may finish ...

* yes, wasn't it condensed?
 
Old 12-09-2005, 10:25 AM   #2
Mad Scientist
Member
 
Registered: May 2003
Posts: 167

Rep: Reputation: 30
Wow, that's a lot of information. It's hard to digest at one time, so I'm going to ask you to do something that might be frustrating for you. Post the results of the command "rpcinfo -p scandic" from andromeda and then post the results of the command "rpcinfo -p andromeda" from scandic.

Unfortunately, all of my experience with NFS comes from Red Hat-based systems. All of it should translate to Debian, but for whatever reason these things don't seem to work out quite so conveniently. We'll see.
 
Old 12-09-2005, 12:01 PM   #3
toreric
Member
 
Registered: Dec 2005
Location: Tväråmark, Sweden
Distribution: Debian/Kubuntu
Posts: 105

Original Poster
Rep: Reputation: 27
Thank you for being interested, rpcinfo lists:
Code:
root@andromeda:/home/tore# rpcinfo -p scandic
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    391002    2   tcp    856  sgi_fam
    100024    1   udp    863  status
    100024    1   tcp    866  status
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    4   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100021    1   udp  32770  nlockmgr
    100021    3   udp  32770  nlockmgr
    100021    4   udp  32770  nlockmgr
    100021    1   tcp  32769  nlockmgr
    100021    3   tcp  32769  nlockmgr
    100021    4   tcp  32769  nlockmgr
    100005    1   udp    891  mountd
    100005    1   tcp    894  mountd
    100005    2   udp    891  mountd
    100005    2   tcp    894  mountd
    100005    3   udp    891  mountd
    100005    3   tcp    894  mountd
Code:
root@scandic:/home/tore# rpcinfo -p andromeda
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    4   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100021    1   udp   1024  nlockmgr
    100021    3   udp   1024  nlockmgr
    100021    4   udp   1024  nlockmgr
    100021    1   tcp   1024  nlockmgr
    100021    3   tcp   1024  nlockmgr
    100021    4   tcp   1024  nlockmgr
    100005    1   udp    666  mountd
    100005    1   tcp    669  mountd
    100005    2   udp    666  mountd
    100005    2   tcp    669  mountd
    100005    3   udp    666  mountd
    100005    3   tcp    669  mountd
    391002    2   tcp    722  sgi_fam
    100024    1   udp    729  status
    100024    1   tcp    732  status
Hope you'll find something, please...
 
Old 12-09-2005, 12:06 PM   #4
Mad Scientist
Member
 
Registered: May 2003
Posts: 167

Rep: Reputation: 30
Okay, this is very interesting. Whenever I have had hangups in the past, the "rpcinfo" command has usually exposed them. That output you posted, though, looks exactly right. And obviously they can ping each other if the "rpcinfo" command is working.

Alright, now what does the command "exportfs" give you on the server? I know you posted the "exportfs -rav", but just do "exportfs" and let me know what you see.
 
Old 12-09-2005, 12:38 PM   #5
toreric
Member
 
Registered: Dec 2005
Location: Tväråmark, Sweden
Distribution: Debian/Kubuntu
Posts: 105

Original Poster
Rep: Reputation: 27
Code:
root@scandic:/home/tore# exportfs
/home/tore      andromeda
 
Old 12-09-2005, 12:41 PM   #6
Mad Scientist
Member
 
Registered: May 2003
Posts: 167

Rep: Reputation: 30
Have you checked your /etc/hosts.allow and /etc/hosts.deny files? In the hosts.allow file on the server (ie. scandic), try putting

Code:
ALL: andromeda
and see if that works.
 
Old 12-09-2005, 01:10 PM   #7
toreric
Member
 
Registered: Dec 2005
Location: Tväråmark, Sweden
Distribution: Debian/Kubuntu
Posts: 105

Original Poster
Rep: Reputation: 27
[As you may imagine, I have left the hosts.allow and hosts.deny files empty, since I have felt uncomfortable involving another set of possibly intervening settings.]

I now entered the line

ALL: andromeda

into the server /etc/hosts.allow file, and to be sure of 'system reset' I restarted the scandic server.

Mount attempts on andromeda still exactly reproduce CHAPTER 4.
 
Old 12-09-2005, 01:24 PM   #8
Mad Scientist
Member
 
Registered: May 2003
Posts: 167

Rep: Reputation: 30
Ouch, okay, we're getting desperate here. One other thing that comes to mind is that you cannot re-mount an already mounted directory. So, is /home/tore locally on scandic, or has scandic mounted this from another NFS server?
 
Old 12-09-2005, 02:18 PM   #9
toreric
Member
 
Registered: Dec 2005
Location: Tväråmark, Sweden
Distribution: Debian/Kubuntu
Posts: 105

Original Poster
Rep: Reputation: 27
Quote:
Originally Posted by Mad Scientist
So, is /home/tore locally on scandic, or has scandic mounted this from another NFS server?
The directory structures and names are virtually identical on the two computers. This means, for example, that /home/tore exists as directories on both. On the server, the disk is a single partition. On the client andromeda the disk has some partitions where /home is one of them.

Considering the partitions, on scandic / is mounted. On andromeda, in addition to /, /usr, /var, /tmp, /home, and /dev are put each on its own partition, and are as such mount points (OK?).

There are directories /home/tore/ on both boxes.

The /home/tore/ directory is exported on scandic but not on andromeda.

I try to mount the exported directory at /mnt/scandic on andromeda, but this mount point has never been established so far (please notice, however, the awkward mounting I produced in my earliest attempts: Note 8).

This was the exhausted list of hard disk mount points, except that both boxes also (at the moment) have mounted a MSWinXP smb directory, each at /mnt/nilsjonas (in accordance with 'equal directory structure'). The smb mounts are in function and a means of indirect communication between the Linux boxes.

Let me stress, that the change of role between Linux server and Linux client has produced the same CHAPTER 4 results in my former tests.

There are only two Linux boxes and one MSW box on my network. Whether the MSW box is powered on or not does not affect my test results (the samba server on scandic is always running, though).

Sorry for being lengthy, trying to be complete
 
Old 12-09-2005, 09:41 PM   #10
deception
LQ Newbie
 
Registered: Oct 2005
Location: NL
Distribution: Debian,Suse
Posts: 17

Rep: Reputation: 0
I'm also experiencing permission denied errors. Posted this to some user lists.
I'm unable to mount a nfs share. I've followed the howto from
nfs.sourceforge.
Is there anything else I have to think of in Debian? Or am I just plain
stupid?
Can't get it to work.

On the client:

rpcinfo -p 192.168.0.21 gives me:
programma versie protocol poort
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
100003 2 udp 2049 nfs
100003 3 udp 2049 nfs
100021 1 udp 32768 nlockmgr
100021 3 udp 32768 nlockmgr
100005 1 udp 1014 mountd
100005 1 tcp 1017 mountd
391002 2 tcp 625 sgi_fam
100024 1 udp 633 status
100024 1 tcp 636 status

On the server:

cat /proc/fs/nfs/exp*
# Version 1.1
# Path Client(Flags) # IPs
/data *(rw,no_root_squash,sync,wdelay)

syslog:
Dec 10 02:29:58 mainframe mountd[5502]: authenticated mount request from
router.deception.lan:819 for /data (/data)

I'm trying to mount as root, since I haven't added the share to fstab yet.



Thx.
 
Old 12-10-2005, 01:40 AM   #11
toreric
Member
 
Registered: Dec 2005
Location: Tväråmark, Sweden
Distribution: Debian/Kubuntu
Posts: 105

Original Poster
Rep: Reputation: 27
First many thanks to Jeff who has begun to penetrate this problem.

To 'deception' who encounters about the same difficulties I will give examples of documentation: I suppose you already have read all this. If not, please take another glance hoping that you will find the 'key' that solves this problem. Then please tell everybody!

http://ldp.linuxhelp.ca/HOWTO/NFS-HOWTO/index.html
http://ldp.linuxhelp.ca/HOWTO/NFS-HOWTO/server.html
http://nfs.sourceforge.net/

I did long ago submit the Debian bug report #335418: nfs-kernel-server: Cannot use nfs - mounting impossible [Package: nfs-kernel-server (nfs-kernel-server 1:1.0.7-3)] but without response. Close after my submission the package maintainer submitted report #336108: nfs-kernel-server. It may be a hint concerning the difficulties when a thing like this is coming up.

Further, this is my view of the NFS mounting problem

(still with the reservation that all may be caused by some ridiculous oversight of mine!)

Within bug reports (and similar sources) there are scattered questions and notes about this type of problems arising. The cases I have encountered concern more diverse network environments, and they seem to be resolved using various circumventing solutions. Also, since Linux develops quite rapidly, I think that many network maintainers still use older and maybe more safe (or own-built) kernels in order to avoid accidents like this. Unfortunately, I don't compile kernels yet (I'm intending to utilize Debian standards).

My case might be the purified-problem template where two up-to-date Linux 2.6 boxes cannot communicate using NFS, caused by some oversight by either the user or by some deficit in Debian. Since I find my setup very significant with respect to this NFS behaviour I would like to keep up until this is eventually resolved.

Last edited by toreric; 12-10-2005 at 01:42 AM.
 
Old 12-10-2005, 07:18 PM   #12
deception
LQ Newbie
 
Registered: Oct 2005
Location: NL
Distribution: Debian,Suse
Posts: 17

Rep: Reputation: 0
Posted this in reply to someone on debian userlist.

Also I've done some further experimenting.
From my laptop running Suse, I can mount the share on the server without
any problems.

I can mount a share on the Suse laptop from the server.

I can't mount anything from the "client".

Conclusion: problem exists at the client.

So, I thought it had something to do with name-resolving. It had
multiple domain names. Changed the configuration to have one name.
No result.
Thought it would have something to do with the user accounts numbering,
but as it is root who's mounting (which is 0). The system shouldn't get
confused with user rights. Not sure though.

The client is my router, mail server, runs bind, dhcp, and netfilter. It
should have complete access, back and forth to the lan.

Solved it. Brought down netfilter.

Firewall on the client was giving me the troubles. Have to closely
reexamine the firewall rules.
 
Old 12-11-2005, 03:02 AM   #13
toreric
Member
 
Registered: Dec 2005
Location: Tväråmark, Sweden
Distribution: Debian/Kubuntu
Posts: 105

Original Poster
Rep: Reputation: 27
Thanks for the hint! Maybe my router does, unintentionally, imply some "internal firewall" functionality that cheats me totally. I will carefully check this track, although my router is supposed to execute just simple routing without any restrictions.
--------------------------
Later:

Have played with some 'meaningless' settings that should not be significant. They seem to be really non-significant. Don't think the router can generate any extra "firewall condition" for this connection that is fully vital (using e.g. ping and rpcinfo).

According to the syslog, the primary point to investigate further might be: Why is the server export (here: server `exportfs` => "/home/tore andromeda") virtually invisible for the client (andromeda)?

Is there an alternative (better) starting point for investigation?

I am prepared to investigate, but I have to learn how. I would really, very much appreciate advice that points to a "howto short-cut", or if not, a thorough reading! I suggest the reading should concern, to begin with, how to produce detailed logging of the mount daemon or similar. I am in a too early stage of 'Linux development' to readily identify how to proceed, but there must be tools!
--------------------------
Still later:

I have tested with the computers connected outside the router with a switch. The error remains exactly the same, permanently reproducible. Also checked the iptables (never used them) and they contain of course nothing (no rules). Thus any "firewall behaviour" from somewhere isn't very probable.

Last edited by toreric; 12-12-2005 at 03:10 PM.
 
Old 01-27-2006, 05:18 PM   #14
toreric
Member
 
Registered: Dec 2005
Location: Tväråmark, Sweden
Distribution: Debian/Kubuntu
Posts: 105

Original Poster
Rep: Reputation: 27
Works fine with right IP numbers!

The non-functionality was caused by bad IP numbers used in combination with an internal system loop-back behavior that seemed to verify correct connection through ping testing. This was false, but not being familiar enough with Linux and IP networking, I could not discover it until today.

Maybe this experience can be of help to someone: entirely good-looking ping responses between two Linux computers may be false, caused by unsuitable IP numbers in their /etc/hosts tables!

Thanks a lot anyhow!
 
Old 03-02-2006, 07:23 PM   #15
deception
LQ Newbie
 
Registered: Oct 2005
Location: NL
Distribution: Debian,Suse
Posts: 17

Rep: Reputation: 0
I see what you mean.

One fault, someone, like myself, should have noticed.
You already posted it when you were asking help in the very first post.

scandic 127.168.0.11 server 2.6.8-2-686 i686 Sarge (stable)
andromeda 127.168.0.12 client 2.6.12-1-686 i686 Etch (testing)

Sorry, indeed it's the loopback interface which you were addressing.

Fault is very slim to notice, someone reads over it fast, like me.

I hope your system is to your liking now. And I want to compliment you on your stamina and pursuing your goal.
If you stick with debian/linux it won't be the last.

Have you already signed up at users mailing list of debian?
For future problems, there are a lot of people willing to help out.

Deception.
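
Added example, not part of any post in this thread: a small shell check for the mistake identified above, where a peer's name in /etc/hosts points into 127.0.0.0/8, so ping and rpcinfo answer from the local machine and mount requests reach the local mountd instead of the server. The function name loopback_names and its arguments are hypothetical; the sample file is constructed from the client's /etc/hosts as posted in post #1. IPv4 only.

```shell
#!/bin/sh
# Added example (not from the thread): find names in a hosts file that
# resolve into the IPv4 loopback block 127.0.0.0/8 although they are
# neither a "localhost" alias nor this machine's own name.

# loopback_names FILE SELF
#   FILE  hosts file to inspect (normally /etc/hosts)
#   SELF  this machine's own hostname (normally "$(hostname)")
# Prints one "address name" pair per offending name. Any name printed can
# only ever reach the local machine, whatever ping or rpcinfo report.
loopback_names() {
    awk -v self="$2" '
        { sub(/#.*/, "") }                      # strip comments, re-split fields
        NF < 2 { next }                         # blank or malformed line
        $1 ~ /^127\.[0-9]+\.[0-9]+\.[0-9]+$/ {  # whole 127/8 block is loopback
            for (i = 2; i <= NF; i++) {
                if ($i == "localhost")    continue
                if ($i ~ /^localhost\./)  continue
                if ($i == self)           continue
                print $1, $i
            }
        }
    ' "$1"
}

# Constructed sample: the /etc/hosts of the client "andromeda" from post #1.
sample=$(mktemp)
cat > "$sample" <<'EOF'
127.0.0.1       localhost.localdomain   localhost       andromeda
127.168.0.11    scandic
127.168.0.12    andromeda
EOF

# On andromeda, the NFS server name "scandic" is reported as loopback.
loopback_names "$sample" andromeda

rm -f "$sample"
```

On a live system the call would be `loopback_names /etc/hosts "$(hostname)"`; empty output means no peer name is mapped to loopback.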
 
  

