
Originally Posted by suseendran.rengabashyam
Open the file /etc/default/nfs-kernel-server and comment out the line
Code:
RPCMOUNTDOPTS=--manage-gids
and add the following line
Code:
RPCMOUNTDOPTS="-p 33333 -g"
The 33333 is just an example, use something that is available on your system and isn't already defined in your /etc/services file.
Restart the NFS daemon
Code:
sudo /etc/init.d/nfs-kernel-server restart
for the changes to take effect.
Now configure the UFW to accept incoming connections on port 33333 apart from port 2049 and port 111.
Let me know if this helps.
I had already changed it in hopes it would solve the issue. My /etc/default/nfs-kernel-server line read:
Code:
RPCMOUNTDOPTS="--p 4002"
rpcinfo -p verified mountd was thus configured:
Code:
100005 1 udp 4002 mountd
100005 1 tcp 4002 mountd
100005 2 udp 4002 mountd
100005 2 tcp 4002 mountd
100005 3 udp 4002 mountd
100005 3 tcp 4002 mountd
...and as I stated in my original post, ufw was already configured to allow access to all the necessary ports:
Code:
111 ALLOW 192.0.0.0/24
2049 ALLOW 192.0.0.0/24
4002 ALLOW 192.0.0.0/24
So the RPCMOUNTDOPTS= options were different, but I changed it to what you suggested and then restarted nfs-kernel-server. I didn't even have to reboot my workstation to see the effects of the changes, as Nautilus stopped responding immediately, and playback of music files located on the server also stopped and froze Rhythmbox. Nautilus finally recovered after two or three minutes and was able to reopen (after killing the running processes), and I was also able to restart Rhythmbox.
But just to be safe, I decided to reboot the server first and see what happens. When it completed the reboot, my workstation was locked out of the shared folders again until I disabled the firewall on the server. I think I may have finally figured out what is causing the issue, though:
Code:
rpcinfo -p
program vers proto port
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
100024 1 udp 4000 status
100024 1 tcp 4000 status
100003 2 udp 2049 nfs
100003 3 udp 2049 nfs
100003 4 udp 2049 nfs
100021 1 udp 46175 nlockmgr
100021 3 udp 46175 nlockmgr
100021 4 udp 46175 nlockmgr
100021 1 tcp 38333 nlockmgr
100021 3 tcp 38333 nlockmgr
100021 4 tcp 38333 nlockmgr
100003 2 tcp 2049 nfs
100003 3 tcp 2049 nfs
100003 4 tcp 2049 nfs
100005 1 udp 4002 mountd
100005 1 tcp 4002 mountd
100005 2 udp 4002 mountd
100005 2 tcp 4002 mountd
100005 3 udp 4002 mountd
100005 3 tcp 4002 mountd
As you can see, the only random port being assigned is to nlockmgr. Unfortunately, it was difficult and very time-consuming to find any solution to setting nlockmgr to a specific port. All the information I found by Googling was distro-specific for anything except Ubuntu, until I found this Launchpad bug report:
https://bugs.launchpad.net/ubuntu/+s...ils/+bug/28706
One post recommends rebooting after creating a /etc/modprobe.d/options file and adding the following (the port numbers are of my choosing):
Code:
options lockd nlm_udpport=4001 nlm_tcpport=4001
Doing so does set the nlockmgr port accordingly, so it works quite nicely in that regard:
Code:
rpcinfo -p
program vers proto port
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
100024 1 udp 4000 status
100024 1 tcp 4000 status
100021 1 udp 4001 nlockmgr
100021 3 udp 4001 nlockmgr
100021 4 udp 4001 nlockmgr
100021 1 tcp 4001 nlockmgr
100021 3 tcp 4001 nlockmgr
100021 4 tcp 4001 nlockmgr
100003 2 udp 2049 nfs
100003 3 udp 2049 nfs
100003 4 udp 2049 nfs
100003 2 tcp 2049 nfs
100003 3 tcp 2049 nfs
100003 4 tcp 2049 nfs
100005 1 udp 4002 mountd
100005 1 tcp 4002 mountd
100005 2 udp 4002 mountd
100005 2 tcp 4002 mountd
100005 3 udp 4002 mountd
100005 3 tcp 4002 mountd
And ufw now has all the appropriate open ports:
Code:
111 ALLOW 192.0.0.0/24
2049 ALLOW 192.0.0.0/24
4001 ALLOW 192.0.0.0/24
4002 ALLOW 192.0.0.0/24
4000 ALLOW 192.0.0.0/24
So you think I'd be good-to-go, right? Wrong. 
Unfortunately for me, it doesn't actually solve my problem. I'm still unable to connect to the shares on the firewalled server until I disable the firewall and then mount the shares on each client. And just like before, I can then re-enable the firewall without disconnecting the shares on each client.
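The thread's whole troubleshooting loop is comparing the ports that rpcbind reports against the ports ufw allows. The following checker automates that comparison; it is an added example, not code from either poster. It parses `rpcinfo -p` and `ufw status` text as they appear in the posts and lists every registered RPC service whose port and protocol the firewall does not allow. The two rpcinfo samples are constructed from the outputs above (one with nlockmgr on random ports, one after lockd was pinned to 4001), and the `RPCINFO_BEFORE`, `RPCINFO_AFTER` and `UFW_STATUS` names are this example's own.

```python
"""Report RPC services registered with rpcbind that ufw does not allow.

Added example, not from the forum thread. Inputs are the plain text of
`rpcinfo -p` and `ufw status`; the samples below are constructed from the
outputs quoted in the thread, not captured live.
"""
import re

# Constructed sample: rpcinfo -p before lockd was pinned (nlockmgr on random ports)
RPCINFO_BEFORE = """\
program vers proto port
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
100024 1 udp 4000 status
100024 1 tcp 4000 status
100003 2 udp 2049 nfs
100021 1 udp 46175 nlockmgr
100021 1 tcp 38333 nlockmgr
100003 2 tcp 2049 nfs
100005 1 udp 4002 mountd
100005 1 tcp 4002 mountd
"""

# Constructed sample: rpcinfo -p after /etc/modprobe.d pinned lockd to 4001
RPCINFO_AFTER = """\
program vers proto port
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
100024 1 udp 4000 status
100024 1 tcp 4000 status
100021 1 udp 4001 nlockmgr
100021 1 tcp 4001 nlockmgr
100003 2 udp 2049 nfs
100003 2 tcp 2049 nfs
100005 1 udp 4002 mountd
100005 1 tcp 4002 mountd
"""

# Constructed sample: the ufw rule list from the thread (no /tcp or /udp suffix,
# so each rule covers both protocols)
UFW_STATUS = """\
111 ALLOW 192.0.0.0/24
2049 ALLOW 192.0.0.0/24
4001 ALLOW 192.0.0.0/24
4002 ALLOW 192.0.0.0/24
4000 ALLOW 192.0.0.0/24
"""


def parse_rpcinfo(text):
    """Return a set of (service, proto, port) tuples from `rpcinfo -p` output."""
    entries = set()
    for line in text.splitlines():
        parts = line.split()
        # Data rows are "program vers proto port service"; skip the header and blanks.
        if len(parts) != 5 or not parts[0].isdigit():
            continue
        _prog, _vers, proto, port, service = parts
        entries.add((service, proto, int(port)))
    return entries


# Matches "111 ALLOW ...", "2049/tcp ALLOW IN ..." and similar ufw status rows.
UFW_RULE = re.compile(r"^(\d+)(?:/(tcp|udp))?\s+ALLOW\b")


def parse_ufw(text):
    """Return the set of (proto, port) pairs that ufw allows inbound."""
    allowed = set()
    for line in text.splitlines():
        m = UFW_RULE.match(line.strip())
        if not m:
            continue
        port = int(m.group(1))
        # A rule with no protocol suffix applies to both tcp and udp.
        protos = [m.group(2)] if m.group(2) else ["tcp", "udp"]
        for proto in protos:
            allowed.add((proto, port))
    return allowed


def unreachable_services(rpcinfo_text, ufw_text):
    """Sorted list of (service, proto, port) registered with rpcbind but not allowed by ufw."""
    allowed = parse_ufw(ufw_text)
    blocked = [e for e in parse_rpcinfo(rpcinfo_text) if (e[1], e[2]) not in allowed]
    return sorted(blocked)


if __name__ == "__main__":
    for label, text in (("before", RPCINFO_BEFORE), ("after", RPCINFO_AFTER)):
        blocked = unreachable_services(text, UFW_STATUS)
        print(f"{label}: {len(blocked)} registered port(s) not allowed by ufw")
        for service, proto, port in blocked:
            print(f"  {service:10s} {proto} {port}")
```

Run it on a live server with `rpcinfo -p` and `sudo ufw status` output piped into the two parsers; a non-empty result for the "before" sample is exactly the random nlockmgr ports the thread identified, and an empty result for the "after" sample is the state the poster reached. An empty result only confirms that every port the server registers with rpcbind is allowed inbound; it says nothing about connections the server initiates toward the clients, which this check cannot see.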