# RPCPROG_MNT: RPC: Authentication error; why = Client credential too weak



## mamalos (Mar 30, 2011)

Hi everybody,

this (the title of this thread) is the error I am getting from my NFS client when I try to mount a filesystem from my NFS server. On the server I get:

```
[tcp] 192.168.100.11:home: RPCPROG_MNT: RPC: Authentication error; why = Client credential too weak
```
I am executing the command as root, and both server and client run a version of FreeBSD-8 (not the latest). `$ shomount -e server`shows the correct information. If I start *mountd* with the *-n* option (on the server), then everything works just fine.

*tcpdump* shows that the client connects from an unprivileged port, indeed, which worries me. 

Is there a way to understand why my client tries to mount remote filesystems using a non-privileged port, even though the *mount* command is executed as root?

For the POC, I switched the roles of server and client, and I had exactly the same problem.

I know I am missing something easy on this, but my head is stuck. If anyone can help, it would be really great!

Thank you all in advance.


----------



## SirDice (Mar 30, 2011)

It's probably rpcbind. What does `# rpcinfo server` tell you?
Are mountd and nfs properly registered? Do you set any flags for rpcbind, mountd and/or nfsd?


----------



## mamalos (Mar 31, 2011)

SirDice,

Thank you for your answer. Here is what *rpcinfo* shows:

```
# rpcinfo server
   program version netid     address                service    owner
    100000    4    tcp       0.0.0.0.0.111          rpcbind    superuser
    100000    3    tcp       0.0.0.0.0.111          rpcbind    superuser
    100000    2    tcp       0.0.0.0.0.111          rpcbind    superuser
    100000    4    udp       0.0.0.0.0.111          rpcbind    superuser
    100000    3    udp       0.0.0.0.0.111          rpcbind    superuser
    100000    2    udp       0.0.0.0.0.111          rpcbind    superuser
    100000    4    tcp6      ::.0.111               rpcbind    superuser
    100000    3    tcp6      ::.0.111               rpcbind    superuser
    100000    4    udp6      ::.0.111               rpcbind    superuser
    100000    3    udp6      ::.0.111               rpcbind    superuser
    100000    4    local     /var/run/rpcbind.sock  rpcbind    superuser
    100000    3    local     /var/run/rpcbind.sock  rpcbind    superuser
    100000    2    local     /var/run/rpcbind.sock  rpcbind    superuser
    100003    2    udp       0.0.0.0.8.1            nfs        superuser
    100003    3    udp       0.0.0.0.8.1            nfs        superuser
    100003    2    udp6      ::.8.1                 nfs        superuser
    100003    3    udp6      ::.8.1                 nfs        superuser
    100003    2    tcp       0.0.0.0.8.1            nfs        superuser
    100003    3    tcp       0.0.0.0.8.1            nfs        superuser
    100003    2    tcp6      ::.8.1                 nfs        superuser
    100003    3    tcp6      ::.8.1                 nfs        superuser
    100005    1    udp6      ::.2.108               mountd     superuser
    100005    3    udp6      ::.2.108               mountd     superuser
    100005    1    tcp6      ::.2.108               mountd     superuser
    100005    3    tcp6      ::.2.108               mountd     superuser
    100005    1    udp       0.0.0.0.2.108          mountd     superuser
    100005    3    udp       0.0.0.0.2.108          mountd     superuser
    100005    1    tcp       0.0.0.0.2.108          mountd     superuser
    100005    3    tcp       0.0.0.0.2.108          mountd     superuser
```
Excerpt from the server's /etc/rc.conf:

```
rpcbind_enable="YES"
mountd_flags="-nr"
nfs_server_enable="YES"
nfs_client_enable="YES"
mountd_enable="YES"
```
Excerpt from the client's /etc/rc.conf:

```
rpcbind_enable="YES"
mountd_enable="YES"
mountd_flags="-e"
rpc_statd_enable="YES"
rpc_lockd_enable="YES"
nfs_server_enable="YES"
nfs_client_enable="YES"
nfs_client_flags="-n 4"
nfsuserd_enable="YES"
gssd_enable="YES"
```
Excerpt from the server's kernel config file:

```
options 	NFSCLIENT		# Network Filesystem Client
options		NFSD			# NFSv4 server
options 	NFSLOCKD		# Network Lock Manager
options 	NFS_ROOT		# NFS usable as /, requires NFSCLIENT
options		KGSSAPI			# Gia to kerberized NFS
device		crypto			# Epishs gia to kerberized NFS
```
Excerpt from the client's kernel config file:

```
options 	NFSCLIENT		# Network Filesystem Client
options 	NFSSERVER		# Network Filesystem Server
options 	NFSLOCKD		# Network Lock Manager
options 	NFS_ROOT		# NFS usable as /, requires NFSCLIENT
options		KGSSAPI			# Gia to kerberized NFS
device		crypto			# Epishs gia to kerberized NFS
```
As you can see, my nfs client works as an nfs server too (using *gssapi sec=krb5i* exports). I've tried mounting the share from another FreeBSD client, and had the same results. Moreover, you can see that my server is built with nfs4 support, but I don't think that this is the problem, since trying to mount my client's nfs share from the another client machine (also FreeBSD) has the exact same results. Nonetheless, when I mount the same shares from my linux clients, it works (linux uses a privileged port).

Thanks again for your interest.


----------



## SirDice (Apr 1, 2011)

Try removing the mountd_flags on the server.


----------



## mamalos (Apr 1, 2011)

SirDice,

I commented out *mountd_flags* and had the exact same result. Then I realized that *mountd_flags* is set to *'-r'* in /etc/defaults/rc.conf (which was also proved by *ps axuww | grep -i mountd*), so I removed it, with no luck either.

I don't know why this is happening, I'll test it again after I upgrade all my machines (after I back them up) to the latest version of FreeBSD and relative ports.

Thanks again.


----------



## mamalos (Apr 1, 2011)

SirDice,

one more thing that I think should be highlighted: It must be the client's fault, not the server's. As I stated on a previous message, my linux clients work fine (they're using a privileged port).


----------



## Gkarfield (Aug 12, 2011)

hello mamalos

from fbsd 7.1 [client] I get connection with the server [ fbsd 8.1], the mount works fine.
But I decided before some days to built bsd inside bsd [virtual] and I get the same errror as you.

ftp works fine by the way.
----
I am a simple user [short of]


----------



## qsecofr (Aug 12, 2011)

Any permissions discrepancies on the exported directory tree and the mount point on the client?  

On the server, you can tell mountd which port to listen on with the "-p" option.  The man page for mount_nfs suggests that the "-P" and "-N" options are obsolete.


----------



## peetaur (Oct 7, 2011)

A NAT changes the port from the server's point of view so the server sees an insecure port. Perhaps you have the client behind a NAT?

In a Linux server, you can specify "insecure" in the options of the export line. 

In FreeBSD, I read that you can add to rc.conf:

```
nfs_reserved_port_only="NO"
```
I tried that, and it has no effect.


----------



## Trevor Bailey (Aug 16, 2015)

qsecofr said:


> Any permissions discrepancies on the exported directory tree and the mount point on the client?
> 
> On the server, you can tell mountd which port to listen on with the "-p" option.  The man page for mount_nfs suggests that the "-P" and "-N" options are obsolete.



Thanks.  This was my problem indeed.  I had added a new filesystem in /etc/fstab and was testing it out by re-mounting fstab using `mount -a` After receiving the above mentioned error, I realized that I didn't have permissions to write to the mount point I chose.  After running `sudo mount -a` it mounted successfully.  This is maybe not the issue you're having.  It was definitely a permissions discrepancy for me while connecting to my mount point.


----------

