Reese Knowledgebase

mount: RPC: Authentication error; why = Client credential too weak

View Kristian Reese's profile on LinkedIn

If you like this article, please +1 or Recommend via FB with the provided buttons above:

Article ID: 25
by: Reese K.
Posted: 16 Dec, 2011
Last updated: 12 Dec, 2012
Views: 4285

mount: RPC: Authentication error; why = Client credential too weak


You will have to set the option nfs.mount_rootonly to off.

Possible Issue #1: Mount requests are coming from ports higher than 1024 and are getting discarded as client (ie non-root level) requests.
Possible Issue #2: Though attempts are made to mount as root user, NFS is negotiating requests over ports >1024, possible due to firewall

from NetApp manpage:

When enabled, the mount server will deny the request if the client is not root user using privileged ports. Valid values for this option are on (enabled) or off (disabled). The default value for this option is on for more secure access.

from NetApp NOW:

NetApp is one of the last holdouts when it comes to NFS servers requiring reserved source ports (i.e. port number less than 1024) from clients. Port monitoring is discouraged in RFC 2623 (see sections 2.1.1 and 2.1 of RFC 2623 - a proposed IETF standard).

Moving from UDP mount to TCP mount on the client suggests that the NFS/TCP path in the client is not binding to the reserved ports, which for interoperability is highly recommended (see section 2.1 of RFC 2623). Problem is arising when Linux client still attempts to use a reserved port after moving to the TCP mount. Check with Linux vendor for any kernel patches.

Since DATA ONTAP does not allow mounts issued by root that are coming from non-reserved ports (i.e. ports number greater than 1024), there is a workaround. Set nfs.mount_rootonly option to false, but that would mean allowing non-root users to mount an export, which is not usually recommended:

filer> options nfs.mount_rootonly off

This article was:   Helpful | Not Helpful
Prev   Next
Alias a netapp interface     Eliminate messages from system console