nfs mount: security mode does not match?

kayasaman · 06-10-2009, 06:13 PM

Hi, this is a bit of a serious issue!

While trying to add DVD player availability to my laptop running SXCE b_111 I was told to download the BeleniX spkg application then install software via that instead of using Blastwave which doesn't work so well with SXCE.

Anyway it managed to download a whole bunch of new Gnome2 packages and update the old ones turning my GUI into a mess with OpenSolaris icons and menus...

I am trying desperately to recover the system, I know inevitably it has to be wiped and re-installed but before I proceed I would like to backup /etc and /export/home to NFS server.

I have a Milax boot CD version 0.31 for x86 of which I am trying to mount the NFS server and I am coming into dramatic errors regarding the security mode??

The error is: the security mode does not match the server!!

My servers share is so:

Code:

/mnt/hda        192.168.1.0/255.255.255.0(rw,root_squash,sync,no_subtree_check)

it runs KUbuntu Linux and is using NFS v.3.

I have tried no_root_squash as well but still get the same error...

I am mounting it with:

Code:

mount -F nfs -o rw,vers=3 server_ip:/mnt/hda /mnt/vaio

I also added sec=sys to the -o flag but it didn't do any good

I really need to back this machine up before re-installing but I have no idea how I am going to go about it without the NFS mount.

Also I have noticed the using: cp -r /etc dest_dir doesn't work either and hangs after a while! With Milax I used: cp -r /mnt/solaris0/etc /mnt/solaris1/

and that didn't work either, which tells me that over NFS it will be the same too so if someone could help me with that one too it would be great!

Many thanks for any advice

kayasaman · 06-10-2009, 06:48 PM

Well, some good news!

The first thing I was able to do was actually find a file called /etc/nfssec.conf which had an option in there called none: sec=none

this however still didn't work

Much better news though I managed to tar /etc of my original build and save that to /export/home using:

Code:

tar cf /mnt/solaris1/etc.tar /mnt/solaris0/etc

Now it looks like I am going to have to take the long way round in restoring by first re-installing SXCE / as my /export/home dir is on another slice so I think it is safe (for now!) and I can just tell the Solaris installer to use that slice for /export/home but not format it.... I think or best leave it unused then add it into /etc/vfstab later on.

I will then use NFS to backup accordingly and re-adjust the size of my partitions so that maybe if there is a way of playing DVD's without messing up the system I have enough space to install as much software as I want.

Long winded but then I am not sure that one can resize slices or even if that is a good idea!

If there are better suggestions which I am sure more experienced people will have it would be much appreciated but for now I will go the long way

jlliagre · 06-11-2009, 03:09 AM

You might want to use ZFS instead of UFS in your reinstallation. Should you have done it before, a snapshot done before you messed Gnome would have allowed you to rollback your system to a stable configuration.
Also, ZFS removes the fixed size filesystem issues you are complaining of.

kayasaman · 06-11-2009, 06:46 AM

Many thanks jlliagre! Always nice to be helped or be given tips by you

In all truth and honesty the first thing I did when I first installed SXCE was install the ZFS file system!

It was so painfully slow as my laptop is quite old in laptop terms as I got it when I was at university so we're talking about something like 2002/2003??

It only has 512MB of RAM and a 1.7GHz Pentium Centrino so ZFS performance is highly compromised. The OS itself and it's apps took ages to start up and that's only if they ran in the first place as even with UFS file system although performance is much better I do get a lot of "failed to fork not enough space" errors...

That's really the only reason why I am using fixed filesystem! Apart from that I would only be too happy to move to ZFS.

I am not sure about SXCE but I have read that there is development version called SXDE which takes 768MB for it's Java based GUI, I can see SXCE being quite similar though as initially I attempted OpenSolaris which didn't even install most likely due to lack of memory and not being able to fork the install process. It took about 4 hours to boot too which was pathetic.

kayasaman · 06-11-2009, 07:09 AM

Ok this is very frustrating!

I just cranked up the new install of SXCE and I manage to get the same errors regarding the NFS mount about security mode...

This seems to be only with my UBuntu machine as my other servers based round CentOS and Debian worked fine previously

Actually I just checked the CentOS system and it mounts fine! I guess I will need to investigate more with KUbuntu as this is my first ever install with it so I'm not that familiar with it yet. However if there is a Solaris override for this error it would be great to know as then I can just dump my files and look at getting the system back to what it was previously.

kayasaman · 06-11-2009, 08:16 AM

Wow ok this is different but cool none the less and this might even be a little mini howto for people with the same issue that are seeking an answer!

Basically, although NFS v.3 has been used by default Solaris 11 and 11+ uses NFS v.4 so lets stick with that since in our KUbuntu Linux server is native to NFS v.4 to as part of the kernel support, although backwards compatible with NFS v.3 somehow there seems to be a conflict somewhere!

Well we will start up by creating /etc/exports on the Linux server:

we can use any mount point we desire so lets just for a moment assume that we will export a dir called /export/users.

Create the dir like so mkdir -p /export/users

then we will add this to the /etc/exports file.

Code:

/export       192.168.1.0/24(rw,fsid=0,insecure,no_subtree_check,async)
/export/users 192.168.1.0/24(rw,nohide,insecure,no_subtree_check,async)

Although I haven't tested the syntax for the subnet in NFS v.4 certainly one can either put the subnet mask or CIDR notation for NFS v.3 (tested on KUbuntu 9.04 system based around Ubuntu Jaunty)

Once that is done we can proceed to tweaking our NFS v.4 security measures to off since we will not be using Kerberos.

This is done by editing the /etc/default/nfs-kernel-server and /etc/default/nfs-common files.

GSSD needs to be turned off in both and just to give an example of edits here are mine:

nfs-kernel-server

Code:

RPCNFSDCOUNT=8

# Runtime priority of server (see nice(1))
RPCNFSDPRIORITY=0

# Options for rpc.mountd.
# If you have a port-based firewall, you might want to set up
# a fixed port here using the --port option. For more information,
# see rpc.mountd(8) or http://wiki.debian.org/?SecuringNFS
RPCMOUNTDOPTS=--manage-gids

# Do you want to start the svcgssd daemon? It is only required for Kerberos
# exports. Valid alternatives are "yes" and "no"; the default is "no".
NEED_SVCGSSD=no

# Options for rpc.svcgssd.
RPCSVCGSSDOPTS

nfs-common:

Code:

# If you do not set values for the NEED_ options, they will be attempted
# autodetected; this should be sufficient for most people. Valid alternatives
# for the NEED_ options are "yes" and "no".

# Do you want to start the statd daemon? It is not needed for NFSv4.
NEED_STATD=yes

# Options for rpc.statd.
#   Should rpc.statd listen on a specific port? This is especially useful
#   when you have a port-based firewall. To use a fixed port, set this
#   this variable to a statd argument like: "--port 4000 --outgoing-port 4001".
#   For more information, see rpc.statd(8) or http://wiki.debian.org/?SecuringNFS
STATDOPTS=

# Do you want to start the idmapd daemon? It is only needed for NFSv4.
NEED_IDMAPD=no

# Do you want to start the gssd daemon? It is required for Kerberos mounts.
NEED_GSSD=no

We can now proceed onto setting up layer 3 security restrictions by editing /etc/hosts.allow and /etc/hosts.deny

In /etc/hosts.deny we want to use the syntax:

Code:

portmap mountd nfsd statd lockd rquotad : ALL

I usually put these in separately so that it creates a vertical line rather then horizontal each with an instance of ALL. But that's just a personal preference!

For hosts.allow we will add our local subnet or list of accessible IP addresses:

Code:

portmap mountd nfsd statd lockd rquotad : list of IP addresses

Again one is better off putting these in separately as each entity then can be tuned and tweaked as desired.

Once that is done we can proceed to exporting the filesystems with exportfs command: using exportfs -fs

then restart the portmap and kernel-server daemons:

Code:

#/etc/init.d/portmap restart

#/etc/init.d/nfs-kernel-server restart

Finally we can mount the NFS v.4 server in our Solaris client like so:

Code:

mount -F nfs -o rw ip_addr_of_server:/ /mount_point

Or add a static entry into /etc/vfstab then use only the: mount /mount_point command

and finally either cd or ls the mounted directory to check that all is well and mounted properly and that's it!

I hope this helps someone with the same or similar issue as I had!!

[edit]
P.s. if anyone wants any further reading on NFS for Ubuntu these are the sites I used:

https://help.ubuntu.com/community/SettingUpNFSHowTo

https://help.ubuntu.com/community/NFSv4Howto

Be warned though that these are for NFS v.4 and not v.3. With v.3 the syntax of /etc/exports and mounting procedure is slightly different!

Above in my previous post is a good example of v.3 for /etc/exports and bare in mind that you will need the vers=3 option either in mount command or /etc/vfstab entry when using Solaris!!

jiri · 09-15-2009, 02:13 PM

Got the problem solved by limiting OpenSolaris NFS to version 3 as described above and I had to use "sec=sys" in my exports file:

spot.home.net(rw,sec=sys,insecure,nohide,no_subtree_check)

Ubuntu 9.04 x86_64
OpenSolaris 0906

There is a nice blog on what the problems (as well as solutions) are:
http://blogs.sun.com/tdh/entry/some_...nteractions_at

Jiri