Hello,
From what I've found, NetApp filer will refuse mount requests if the source port of that request is less than 1024, or "unprivileged". The problem we have right now is accessing NetApp through the firewall.
So we have a couple of NetApps and Sun servers that are behind port-mapping firewall. I can mount everything from Sun, but when we are trying to mount something from netapp, I get this error message on a client
client% mount netapp1:/some_dir
mount: RPC: Authentication error; why = Client credential too weak
With tcpdump I see how mount requests from the client (client.678 -> netap1.sunrpc) are being translated on the firewall: firewall1.61128 -> netap1.sunrpc
My question is: is there a way to put the netapp in a less secure mode, to allow mount requests from unprivileged ports?
Thank you
Aleksandr.Rainchik@amermsx.med.ge.com writes: [...]
My question is: is there a way to put the netapp in a less secure mode, to allow mount requests from unprivileged ports?
Try "options nfs.mount_rootonly off".
Chris Thompson
University of Cambridge Computing Service, New Museums Site, Cambridge CB2 3QG, United Kingdom.
Email: cet1@ucs.cam.ac.uk, Phone: +44 1223 334715
----- Original Message ----- From: "Chris Thompson" cet1@cus.cam.ac.uk To: "Rainchik Aleksandr" Aleksandr.Rainchik@amermsx.med.ge.com Cc: toasters@mathworks.com Sent: Monday, October 23, 2000 1:58 PM Subject: Re: mount: RPC: Authentication error; why = Client credential too wea
Aleksandr.Rainchik@amermsx.med.ge.com writes: [...]
My question is: is there a way to put the netapp in a less secure mode, to allow mount requests from unprivileged ports?
Try "options nfs.mount_rootonly off".
Whoops; I forgot about that option. Still, it is a bad idea.
Bruce
"Bruce" == Bruce Sterling Woodcock sirbruce@ix.netcom.com writes:
>> Try "options nfs.mount_rootonly off".
Bruce> Whoops; I forgot about that option. Still, it is a bad idea.
Why? The concept of privileged ports is meaningless today. NFS is insecure. Restricting mount requests to source ports < 1024 provides virtually no additional security.
I actually have a related question - mountd, lockd, and statd are all RPC services, thus requiring the portmapper. If you're trying to allow access to these services through a f/w, it can be difficult if the firewall doesn't understand the portmapper queries to dynamically allow the corresponding RPC request through the firewall (e.g., 1.2.3.4 does an RPC lookup for mountd, the portmapper replies with port 5678, and the f/w then knows to allow requests from 1.2.3.4 to port 5678 on the filer through the firewall).
Anyway, the question is - do these services always bind to the same ports on the filer, or can they be made to (e.g., some mountd's allow you to specify what port they should use)?
j.
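As an added example (not code from this thread, and not NetApp's or Sun's code), the following Python builds and decodes the two ONC RPC exchanges the posts above turn on: the portmapper GETPORT call/reply a portmapper-aware firewall has to parse to learn which port mountd registered, and the filer-side nfs.mount_rootonly check that turns a NAT-rewritten source port into "RPC: Authentication error; why = Client credential too weak" (AUTH_ERROR with auth_stat AUTH_TOOWEAK). The host names, ports (678, 61128, 4046), xids and the "/some_dir" path are constructed sample values, and the mountd behaviour is a model of what the thread describes, not NetApp's implementation.

```python
"""Added example (not from the thread or NetApp): ONC RPC messages for the
portmapper GETPORT exchange plus a model of the filer's nfs.mount_rootonly
source-port check. All hosts, ports and xids are constructed sample values."""
import struct

# ONC RPC constants (RFC 5531 / RFC 1057)
RPC_VERSION, CALL, REPLY = 2, 0, 1
MSG_ACCEPTED, MSG_DENIED = 0, 1
AUTH_ERROR = 1                # reject_stat
AUTH_TOOWEAK = 5              # auth_stat: "rejected for security reasons"
AUTH_NULL, SUCCESS = 0, 0     # auth flavor, accept_stat
IPPROTO_UDP = 17
# Well-known program numbers and procedures
PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT = 100000, 2, 3
MOUNT_PROG, MOUNT_VERS, MOUNTPROC_MNT = 100005, 1, 1
AUTH_STAT_TEXT = {AUTH_TOOWEAK: "Client credential too weak"}

def xdr_string(s):
    """XDR string: length, bytes, padding to a 4-byte boundary."""
    b = s.encode()
    return struct.pack(">I", len(b)) + b + b"\0" * (-len(b) % 4)

def rpc_call(xid, prog, vers, proc, args=b""):
    """RPC CALL header with empty AUTH_NULL credential and verifier."""
    hdr = struct.pack(">IIIIII", xid, CALL, RPC_VERSION, prog, vers, proc)
    return hdr + struct.pack(">II", AUTH_NULL, 0) * 2 + args

def rpc_reply_accepted(xid, results=b""):
    """MSG_ACCEPTED / SUCCESS reply with an empty AUTH_NULL verifier."""
    return struct.pack(">IIIIII", xid, REPLY, MSG_ACCEPTED, AUTH_NULL, 0, SUCCESS) + results

def rpc_reply_auth_error(xid, auth_stat):
    """MSG_DENIED / AUTH_ERROR reply carrying an auth_stat code."""
    return struct.pack(">IIIII", xid, REPLY, MSG_DENIED, AUTH_ERROR, auth_stat)

def getport_call(xid, prog, vers, prot):
    """PMAPPROC_GETPORT call: mapping {prog, vers, prot, port=0}."""
    args = struct.pack(">IIII", prog, vers, prot, 0)
    return rpc_call(xid, PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT, args)

def getport_reply(xid, port):
    """Portmapper answer: the port the program registered (0 = none)."""
    return rpc_reply_accepted(xid, struct.pack(">I", port))

def parse_getport_call(msg):
    """What a portmapper-aware firewall reads out of a GETPORT call."""
    xid, mtype, rpcvers, prog, vers, proc = struct.unpack(">IIIIII", msg[:24])
    if (mtype, rpcvers, prog, vers, proc) != (CALL, RPC_VERSION, PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT):
        return None
    off = 24
    for _ in range(2):                      # skip cred and verf (flavor, len, body)
        _, length = struct.unpack(">II", msg[off:off + 8])
        off += 8 + ((length + 3) & ~3)
    want_prog, want_vers, prot, _ = struct.unpack(">IIII", msg[off:off + 16])
    return {"xid": xid, "prog": want_prog, "vers": want_vers, "prot": prot}

def parse_getport_reply(msg):
    """Port from an accepted GETPORT reply, or None if it was not accepted."""
    _, mtype, stat, _, vlen = struct.unpack(">IIIII", msg[:20])
    if mtype != REPLY or stat != MSG_ACCEPTED:
        return None
    off = 20 + ((vlen + 3) & ~3)            # skip verifier body
    astat, port = struct.unpack(">II", msg[off:off + 8])
    return port if astat == SUCCESS else None

def firewall_learn_pinhole(call, reply, client_ip, filer_ip):
    """Pair a GETPORT call with its reply: the pinhole to open is client -> filer on the registered port."""
    req, port = parse_getport_call(call), parse_getport_reply(reply)
    if req is None or not port:
        return None
    return (client_ip, filer_ip, req["prot"], port)

def filer_handle_mount(call, src_port, mount_rootonly=True):
    """Model of the filer's mountd (not NetApp's code): with nfs.mount_rootonly
    on, a MNT call from a source port >= 1024 is denied with AUTH_TOOWEAK."""
    xid = struct.unpack(">I", call[:4])[0]
    if mount_rootonly and src_port >= 1024:
        return rpc_reply_auth_error(xid, AUTH_TOOWEAK)
    return rpc_reply_accepted(xid)

def client_decode_reply(reply):
    """Render the reply the way the mount client reports it."""
    _, _, stat = struct.unpack(">III", reply[:12])
    if stat == MSG_ACCEPTED:
        return "ok"
    reject_stat, detail = struct.unpack(">II", reply[12:20])
    if reject_stat == AUTH_ERROR:
        return "RPC: Authentication error; why = " + AUTH_STAT_TEXT.get(detail, str(detail))
    return "RPC: rejected"

def mount_through_nat(client_port, nat_port, mount_rootonly=True):
    """The same MNT call as the filer sees it from the client's own source port and from the NAT's port."""
    call = rpc_call(0x2A2A, MOUNT_PROG, MOUNT_VERS, MOUNTPROC_MNT, xdr_string("/some_dir"))
    direct = client_decode_reply(filer_handle_mount(call, client_port, mount_rootonly))
    via_nat = client_decode_reply(filer_handle_mount(call, nat_port, mount_rootonly))
    return direct, via_nat
```

Calling `mount_through_nat(678, 61128)` gives `("ok", "RPC: Authentication error; why = Client credential too weak")`: the same request is accepted from the client's own port 678 and refused once the firewall has rewritten the source port to 61128, which is exactly the symptom in the tcpdump lines above; with `mount_rootonly=False` both come back `"ok"`. `firewall_learn_pinhole` shows why a firewall that does not parse portmapper traffic cannot follow mountd, lockd or statd to their dynamically registered ports: the port only appears in the GETPORT reply body.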
On Mon, 23 Oct 2000, Rainchik, Aleksandr (MED, Non GE) wrote:
From what I've found, NetApp filer will refuse mount requests if the source port of that request is less than 1024, or "unprivileged". The problem we have right now is accessing NetApp through the firewall.
Isn't this what the "nfs.mount_rootonly" option is for?
----- Original Message ----- From: "Rainchik, Aleksandr (MED, Non GE)" Aleksandr.Rainchik@amermsx.med.ge.com To: toasters@mathworks.com Sent: Monday, October 23, 2000 11:59 AM Subject: mount: RPC: Authentication error; why = Client credential too weak
Hello,
From what I've found, NetApp filer will refuse mount requests if the source port of that request is less than 1024, or "unprivileged". The problem we have right now is accessing NetApp through the firewall.
So we have a couple of NetApps and Sun servers that are behind port-mapping firewall. I can mount everything from Sun, but when we are trying to mount something from netapp, I get this error message on a client
client% mount netapp1:/some_dir
mount: RPC: Authentication error; why = Client credential too weak
With tcpdump I see how mount requests from the client (client.678 -> netap1.sunrpc) are being translated on the firewall: firewall1.61128 -> netap1.sunrpc
My question is: is there a way to put the netapp in a less secure mode, to allow mount requests from unprivileged ports?
Nope. And it's a bad idea for your Sun too; it is a security problem.
Why can't you just tell your firewall not to change the port # of the request, or select one below 1024?
Bruce