Bug 147940 - [nfs] mounting >1k TCP-NFS mounts fails
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: kern
Version: 7.1-RELEASE
Hardware: Any Any
Importance: Normal Affects Only Me
Assignee: freebsd-fs (Nobody)
Reported: 2010-06-17 13:50 UTC by Robert Schulze
Modified: 2010-07-20 16:55 UTC (History)
Description Robert Schulze 2010-06-17 13:50:03 UTC
Having >1k mountpoints in fstab, mount -a fails after the 212th mountpoint with the following message:

"RPCPROG_MNT: RPC: Authentication error; why = Client credential too weak"

All mountpoints are mounted with:

rw,soft,noatime,-N,-T,noinet6,-r=8192,-w=8192

Omitting the -T flag and so using UDP mounts, everything is OK as long as -N is given; otherwise even UDP mounts fail.

The Server is FreeBSD-8.0, exporting >1k ZFS mountpoints.
In /var/log/messages, there is the following hint:

"mount request from XXXXX from unprivileged port"

As mountd(8) says, one may set vfs.nfsrv.nfs_privport to 0, but could that expose a security risk?

How-To-Repeat: create /etc/fstab with a large number of NFS mounts

$ mount -a
Comment 1 Mark Linimon freebsd_committer freebsd_triage 2010-07-18 16:44:34 UTC
Responsible Changed
From-To: freebsd-bugs->freebsd-fs

Over to maintainer(s).
Comment 2 John Baldwin freebsd_committer freebsd_triage 2010-07-20 15:42:37 UTC
There are a limited number of privileged ports on a client, only 1k, and some 
of those ports are used for other services, so you certainly cannot mount 1k 
TCP NFS mounts unless you disable the privileged port check on the server.

nfs_privport=0 is not necessarily a risk if you trust all machines that are 
able to connect to your NFS server (e.g. you manage all the clients and the 
server is on a LAN or WAN and not directly connected to the Internet).  Even 
with nfs_privport=1 you are still trusting root on any client machines, 
nfs_privport=0 only prevents non-root users on client machines from 
establishing mounts.

However, this isn't a bug, this is just the way IP works, and as a result, the 
way that NFS mounts work.  -N for the UDP mounts is effectively similar to 
having nfs_privport set to 0.  I'm not sure exactly how it works (perhaps it 
requires the mount request to be privileged, but not the normal RPC traffic?), 
but that is why it is "working".

-- 
John Baldwin
Comment 3 John Baldwin freebsd_committer freebsd_triage 2010-07-20 16:55:25 UTC
State Changed
From-To: open->closed

This isn't a bug in the FreeBSD NFS client but a limit of IP.
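
A pre-flight check for the limit described in Comment 2, as an added example that is not part of the original bug thread: it counts the boot-time TCP NFS entries in an fstab and compares them with the size of the client's reserved port range, so the shortfall is visible before deciding whether to relax the server's privileged port check. The range bounds, the ports consumed per mount and the ports already held by other services are assumptions passed in as arguments, and the sample fstab (hosts and paths) is constructed.

```shell
#!/bin/sh
# Added example: check for reserved-port exhaustion before running mount -a.

# Count fstab entries that are NFS, request TCP (-T or tcp) and mount at boot.
# The mounts in the report failed with -N,-T, so -N is not treated as an exemption.
count_tcp_nfs_mounts() {
    awk '
        $1 ~ /^#/ || NF < 4 || $3 != "nfs" { next }
        {
            n = split($4, opt, ","); tcp = 0; noauto = 0
            for (i = 1; i <= n; i++) {
                if (opt[i] == "-T" || opt[i] == "tcp") tcp = 1
                if (opt[i] == "noauto") noauto = 1
            }
            if (tcp && !noauto) count++
        }
        END { print count + 0 }
    ' "$1"
}

# Number of ports in the reserved range, given its two bounds in either order.
reserved_budget() {
    if [ "$1" -ge "$2" ]; then echo $(( $1 - $2 + 1 )); else echo $(( $2 - $1 + 1 )); fi
}

# Exit status 0 if the mounts fit into the range, 1 if they would exhaust it.
# $1 fstab path, $2 and $3 range bounds, $4 ports per mount (assumed, default 1),
# $5 reserved ports already used by other services (assumed, default 0).
check_fstab() {
    mounts=$(count_tcp_nfs_mounts "$1")
    budget=$(( $(reserved_budget "$2" "$3") - ${5:-0} ))
    need=$(( mounts * ${4:-1} ))
    echo "tcp nfs mounts=$mounts ports needed=$need reserved ports available=$budget"
    [ "$need" -le "$budget" ]
}

# Constructed sample fstab: two TCP mounts, one UDP mount, one noauto entry.
make_sample_fstab() {
    cat <<'EOF'
/dev/ad0s1a     /         ufs  rw  1 1
filer:/tank/u1  /home/u1  nfs  rw,soft,noatime,-N,-T,noinet6,-r=8192,-w=8192  0 0
filer:/tank/u2  /home/u2  nfs  rw,soft,noatime,-N,-T,noinet6,-r=8192,-w=8192  0 0
filer:/tank/u3  /home/u3  nfs  rw,soft,noatime,-N,noinet6  0 0
filer:/tank/u4  /home/u4  nfs  rw,-T,noauto  0 0
EOF
}

f=$(mktemp); make_sample_fstab > "$f"
# 1023 and 600 are assumed sample bounds; substitute the values from your client.
check_fstab "$f" 1023 600 || echo "reserved port range would be exhausted"
rm -f "$f"
```

On a FreeBSD client the two bounds can be read with `sysctl -n net.inet.ip.portrange.lowfirst` and `sysctl -n net.inet.ip.portrange.lowlast`.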