Home / server / Questions / 1112345
Accepted
Richard T
Asked: 2022-10-06 14:38:40 +0800 CST

Trouble mounting an NFS mount-point on a firewall system which works perfectly on other internal systems: How do I find the cause?

  • 772

This is on Fedora Core 35: This environment is mature and has a few systems that are called either firewalls or gateways, and for the first time, we want to do an NFS share to one of these systems.

After having trouble with the mount on the client, I proved the server's config is fine by doing an identical mount on a different internal system using copy-paste of the /etc/fstab entry. I figured it had to be a firewall issue, so I changed the interface to be in the "trusted" zone. And yet I still get:

mount.nfs: access denied by server while mounting 192.168.1.1:/fu

So, I did some research and figured out to do:

rpcdebug -m nfsd -s all

But I get nothing related to the mount in question - in fact NOTHING goes into /var/log/messages ... isn't that where I'm supposed to look?! (Other nfs related items are going there, but not this mount.)

So, I tried our backup server and got the same (null) result. And I also tried changing from using the hostname and using the IP address on the client - same results either way, nothing but what I've reported.)

nfs

2 Answers

  1. The line

    mount.nfs: access denied by server while mounting 192.168.1.1:/fu

    clearly indicates that the NFS server (to be precise - mountd) denied the mount request for the client. Most probably this happened due to the fact that the client IP was not mentioned in the exports file on the server.

    I suppose you review it one more time.

    • 0
  2. Best Answer

    I figured it out.

    Apparently, the export function stops reading the /etc/export file on any error. The exports that have been read in already and are "valid" are exported, however, any further exports that may be in the file are ignored because processing stops.

    Unfortunately, such errors are NOT logged in /var/log/messages (the system error log file) by nfs. So far as I have discovered to date, the ONLY place these errors are reported is by running:

    exportfs -a

    In this case, most of my entries began with "rw", a few "ro" and the error that caused all this was one that was just "r". Oops! That's where the exporting stopped.

    Also worthy of attention are these additional tools that helped me find the problem:

    As already noted in the question, here for making a thorough answer, this sends "all" errors to the system log file (/var/log/messages):

    rpcdebug -m nfsd -s all

    Again,NOT ALL ERRORS ACTUALLY CAN GO HERE, as already noted about /etc/export errors.

    List all current exports possible: From a server:

    exportfs

    From a client:

    showmount -e <host>

    Note that showmount is a DANGEROUS possible security hole because it can let clients easily know what a server can do and thus about other systems. So in a case like this one, where it's a "firewall / gateway" machine, make sure ONLY root can run it!

    And, finally, you can also get a network dump:

    tcpdump -s0 -i <interface> host <host_ip> -w <file>

    I don't have a good pointer for how to interpret said dump, but you can run strings on it to at least confirm you got the right packets.

    • 0