NFS Share: Secure port access (DRAFT)

 

SR: 3308202

Product/Software Version: 4601 firmware version 2.1.1 (but applicable to other platforms and firmware versions, excluding firmware below 2.0.1)

PTR related:

 

OVERVIEW

 

This article provides information about the NFS secure port option and what happens when a Unix client tries to access the port.

 

 

SYMPTOM

 

When the customer tries to mount the share under AIX, the mount fails and the messages log on the DXi reports the following error:

 

Jan 22 14:24:26 CV4601NAS mountd[28818]: authenticated mount request from 10.4.0.40:738 for /Q/shares/Symitar (/Q/shares/Symitar)

Jan 22 14:24:26 CV4601NAS kernel: nfsd: request from insecure port (10.4.0.40:46562)!

 

On the AIX client side, the customer receives the following error:

 

mount: giving up on: linuxserver:/temp/export vmount: Not owner*

 

 

RESOLUTION

 

By default, NFS shares have the ‘secure’ option set. This prevents non-root users from accessing NFS from unprivileged TCP ports (i.e. port > 1024); the server rejects such a request as coming from an ‘insecure port’, as in the log above. This was found in a past release with Mac OS users, and a syscli option was implemented in DXi version 2.0.1 to disable this feature.

 

Some Unix operating systems (such as AIX and Mac OS) will try to access NFS from TCP ports above 1024. To allow this access, you need to remove the secure option from the NFS share.

 

The secure option for NFS shares is customizable. The customer can change it (only via syscli), and a Quantum engineer can change it using either the sharetool or the syscli command (the syscli command calls the sharetool command to apply the change).

 

Here is an example of using syscli and its output (again, the customer can execute this as the cliadmin user):

 

# /opt/DXi/syscli --set nfssetting --secure no

 

Command completed successfully.

 

# /opt/DXi/syscli --get nfssetting --secure

nfssecure = no

 

Command completed successfully.

 

# /opt/DXi/syscli --set nfssetting --secure yes

 

Command completed successfully.

 

 

If an engineer decides to use sharetool, here is how it works (don’t be surprised by the output: it says ‘CIFS’ but it is in fact changing the NFS settings; this is an output bug):

 

# sharetool --change allshares --secure no

  Updating CIFS configuration global section

 

When you set NFS to insecure, you’ll see the changes in /etc/exports.

 

Here is an example when NFS shares are set to secure = yes (default):

 

# cat /etc/exports

/Q/shares/dan3 *(sync,rw,root_squash,anonuid=4294967294,anongid=4294967294,no_subtree_check,fsid=20413)

/Q/shares/ryannfs *(sync,rw,root_squash,anonuid=4294967294,anongid=4294967294,no_subtree_check,fsid=20398)

/Q/shares/dan2 *(sync,rw,root_squash,anonuid=4294967294,anongid=4294967294,no_subtree_check,fsid=20411)

/Q/shares/MicahNFS *(sync,rw,root_squash,anonuid=4294967294,anongid=4294967294,no_subtree_check,fsid=20414)

/Q/shares/erika-nas-test *(sync,rw,root_squash,anonuid=4294967294,anongid=4294967294,no_subtree_check,fsid=20415)

 

 

And here is an example when NFS shares are set to secure = no:

 

# cat /etc/exports

/Q/shares/dan3 *(sync,rw,insecure,root_squash,anonuid=4294967294,anongid=4294967294,no_subtree_check,fsid=20413)

/Q/shares/ryannfs *(sync,rw,insecure,root_squash,anonuid=4294967294,anongid=4294967294,no_subtree_check,fsid=20398)

/Q/shares/dan2 *(sync,rw,insecure,root_squash,anonuid=4294967294,anongid=4294967294,no_subtree_check,fsid=20411)

/Q/shares/MicahNFS *(sync,rw,insecure,root_squash,anonuid=4294967294,anongid=4294967294,no_subtree_check,fsid=20414)

/Q/shares/erika-nas-test *(sync,rw,insecure,root_squash,anonuid=4294967294,anongid=4294967294,no_subtree_check,fsid=20415)

 

 

Please don’t discard the possibility that the customer may request to apply this setting to one share only. In this case an enhancement request needs to be filed with engineering. Please work with your senior or backline support to file this request; as a workaround you can use the exportfs tool to set the option for only one share. Do not manually customize the exports file without reporting it on a PTR to engineering.

  

To enable this setting for one share, Quantum Engineering must apply the following procedure:

 

  1. Edit the file /etc/exports with the ‘vi’ command (please make sure you save a backup before editing this file)
  2. Add the word insecure (as shown in the example above) for the share you want to change
  3. Execute the following command, which forces NFS to reload the exports file you just updated in the steps above.

 

# exportfs -ra
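
To confirm which shares accept requests from unprivileged source ports after a per-share edit, the following added example (not part of the original article and not Quantum tooling) parses an exports file in the format shown above and reports each share's state. The function name audit_exports and the sample file are constructed for illustration; escaped paths and line continuations are not handled.

```shell
#!/bin/sh
# audit_exports FILE
# Prints one line per export and client: "<path> <client> secure|insecure".
# An export with neither keyword is reported as secure (the default).
audit_exports() {
    awk '
        /^[ \t]*#/ { next }            # skip comment lines
        NF == 0    { next }            # skip blank lines
        {
            path = $1
            for (i = 2; i <= NF; i++) {
                client = $i
                opts = ""
                p = index($i, "(")
                if (p > 0) {
                    client = substr($i, 1, p - 1)
                    opts = substr($i, p + 1)
                    sub(/\).*$/, "", opts)     # drop the closing parenthesis
                }
                if (client == "") client = "*" # bare "(opts)" applies to any host
                state = "secure"
                n = split(opts, o, ",")
                for (j = 1; j <= n; j++) {     # last keyword on the line wins
                    if (o[j] == "insecure") state = "insecure"
                    if (o[j] == "secure")   state = "secure"
                }
                print path, client, state
            }
        }' "$1"
}

# Constructed sample: one share edited to insecure, one left at the default.
sample=$(mktemp)
cat > "$sample" <<'EOF'
/Q/shares/dan3 *(sync,rw,insecure,root_squash,no_subtree_check,fsid=20413)
/Q/shares/ryannfs *(sync,rw,root_squash,no_subtree_check,fsid=20398)
EOF
audit_exports "$sample"
rm -f "$sample"
```

Run against /etc/exports after the edit, only the intended share should report insecure.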


