From nobody@FreeBSD.org  Thu Jun 17 12:41:05 2010
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 4AC62106567B
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 17 Jun 2010 12:41:05 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [IPv6:2001:4f8:fff6::21])
	by mx1.freebsd.org (Postfix) with ESMTP id 39ED58FC22
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 17 Jun 2010 12:41:05 +0000 (UTC)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.14.3/8.14.3) with ESMTP id o5HCf4qg093949
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 17 Jun 2010 12:41:04 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.14.3/8.14.3/Submit) id o5HCf4Lu093948;
	Thu, 17 Jun 2010 12:41:04 GMT
	(envelope-from nobody)
Message-Id: <201006171241.o5HCf4Lu093948@www.freebsd.org>
Date: Thu, 17 Jun 2010 12:41:04 GMT
From: Robert Schulze <rs@bytecamp.net>
To: freebsd-gnats-submit@FreeBSD.org
Subject: mounting >1k TCP-NFS mounts fails
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         147940
>Category:       kern
>Synopsis:       [nfs] mounting >1k TCP-NFS mounts fails
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-fs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Jun 17 12:50:03 UTC 2010
>Closed-Date:    Tue Jul 20 15:55:50 UTC 2010
>Last-Modified:  Tue Jul 20 15:55:50 UTC 2010
>Originator:     Robert Schulze
>Release:        7.1-RELEASE-p11
>Organization:
>Environment:
FreeBSD XXXXX 7.1-RELEASE-p11 FreeBSD 7.1-RELEASE-p11 #5: Tue Mar  2 12:44:28 CET 2010     root@XXXXX:/usr/obj/usr/src/sys/XXXXX  amd64

>Description:
Having >1k mountpoints in fstab, mount -a fails after the 212th mountpoint with the following message:

"RPCPROG_MNT: RPC: Authentication error; why = Client credential too weak"

All mountpoints are mounted with:

rw,soft,noatime,-N,-T,noinet6,-r=8192,-w=8192

Omitting the -T flag and so using UDP mounts, everything is OK as long as -N is given, otherwise even UDP mounts fail.

The Server is FreeBSD-8.0, exporting >1k ZFS mountpoints.
In /var/log/messages, there is the following hint

"mount request from XXXXX from unprivileged port"

As mountd(8) says, one may set vfs.nfsrv.nfs_privport to 0, but could that expose a security risk?
>How-To-Repeat:
create /etc/fstab with a large number of NFS mounts

$ mount -a
>Fix:


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-fs 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Sun Jul 18 15:44:34 UTC 2010 
Responsible-Changed-Why:  
Over to maintainer(s). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=147940 

From: John Baldwin <jhb@freebsd.org>
To: bug-followup@freebsd.org,
 rs@bytecamp.net
Cc:  
Subject: Re: kern/147940: [nfs] mounting >1k TCP-NFS mounts fails
Date: Tue, 20 Jul 2010 10:42:37 -0400

 There are a limited number of privileged ports on a client, only 1k, and some 
 of those ports are used for other services, so you certainly cannot mount 1k 
 TCP NFS mounts unless you disable the privileged port check on the server.
 
 nfs_privport=0 is not necessarily a risk if you trust all machines that are 
 able to connect to your NFS server (e.g. you manage all the clients and the 
 server is on a LAN or WAN and not directly connected to the Internet).  Even 
 with nfs_privport=1 you are still trusting root on any client machines, 
 nfs_privport=0 only prevents non-root users on client machines from 
 establishing mounts.
 
 However, this isn't a bug, this is just the way IP works, and as a result, the 
 way that NFS mounts work.  -N for the UDP mounts is effectively similar to 
 having nfs_privport set to 0.  I'm not sure exactly how it works (perhaps it 
 requires the mount request to be privileged, but not the normal RPC traffic?), 
 but that is why it is "working".
 
 -- 
 John Baldwin
State-Changed-From-To: open->closed 
State-Changed-By: jhb 
State-Changed-When: Tue Jul 20 15:55:25 UTC 2010 
State-Changed-Why:  
This isn't a bug in the FreeBSD NFS client but a limit of IP. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=147940 
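
Before relaxing vfs.nfsrv.nfs_privport on the server, the log hint quoted in the description can be tallied per client to see which machines are actually tripping the privileged-port check. The script below is an added example, not part of the original PR or of FreeBSD; the sample lines are constructed, and the syslog prefix layout, host name "nfs1" and client addresses are assumptions.

```shell
#!/bin/sh
# Added example (not from the PR): count mountd rejections of the form
#   "mount request from <client> from unprivileged port"
# per client, so the decision about nfs_privport rests on which clients
# are affected rather than on a single log line.

# Constructed sample input. The syslog prefix layout is an assumption;
# only the message text itself is taken from the PR.
sample_log() {
cat <<'EOF'
Jun 17 12:40:58 nfs1 mountd[812]: mount request from 192.0.2.10 from unprivileged port
Jun 17 12:40:58 nfs1 mountd[812]: mount request from 192.0.2.10 from unprivileged port
Jun 17 12:40:59 nfs1 mountd[812]: mount request from 192.0.2.10 from unprivileged port
Jun 17 12:41:03 nfs1 mountd[812]: mount request from 192.0.2.77 from unprivileged port
Jun 17 12:41:04 nfs1 sshd[901]: Accepted publickey for admin from 192.0.2.10 port 50122 ssh2
Jun 17 12:41:09 nfs1 mountd[812]: mount request succeeded from 192.0.2.10 for /tank/u0001
EOF
}

# privport_rejections FILE [MIN]
# Prints "<count> <client>" for every client with at least MIN rejections
# (default 1), highest count first. Lines not tagged mountd are ignored.
privport_rejections() {
    awk -v min="${2:-1}" '
        / mountd(\[[0-9]+\])?: / {
            s = index($0, "mount request from ")
            e = index($0, " from unprivileged port")
            # 19 = length of "mount request from "; the client sits between
            if (s && e > s) n[substr($0, s + 19, e - s - 19)]++
        }
        END { for (c in n) if (n[c] >= min) print n[c], c }
    ' "$1" | sort -k1,1nr -k2,2
}

# Stand-alone demo: clients rejected at least twice in the sample.
tmp=$(mktemp) && sample_log > "$tmp"
privport_rejections "$tmp" 2
rm -f "$tmp"
```

On a real server, pass the log file named in the description, for example privport_rejections /var/log/messages 10.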
>Unformatted:
