Bug 147997 - mountd authentication failure with subnets in exports
Summary: mountd authentication failure with subnets in exports
Status: CONFIRMED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Server
Hardware: All Linux
Importance: High normal
Assignee: Gentoo's Team for Core System packages
Reported: 2006-09-17 18:21 UTC by Arthur Hagen
Modified: 2016-01-28 00:14 UTC
Description Arthur Hagen 2006-09-17 18:21:02 UTC
First, emerge --info, to get it over and done with:
Portage 2.1.1 (selinux/2005.1/x86, gcc-3.4.6, glibc-2.4-r3, 2.6.17-gentoo-r8 i686)
=================================================================
System uname: 2.6.17-gentoo-r8 i686 Intel(R) Pentium(R) 4 CPU 2.53GHz
Gentoo Base System version 1.6.15
Last Sync: Sun, 17 Sep 2006 20:50:01 +0000
ccache version 2.3 [enabled]
app-admin/eselect-compiler: [Not Present]
dev-java/java-config: 1.2.11-r1
dev-lang/python:     2.4.3-r1
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     2.3
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.13-r3
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r1
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -pipe -march=pentium4 -momit-leaf-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/X11/xkb /var/bind"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/splash /etc/terminfo"
CXXFLAGS="-O2 -pipe -march=pentium4 -momit-leaf-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig ccache distlocks metadata-transfer sandbox selinux sfperms strict userfetch userpriv usersandbox"
GENTOO_MIRRORS="http://mirror.datapipe.net/gentoo http://gentoo.osuosl.org/ http://gentoo.mirrors.pair.com/"
LDFLAGS="-Wl,-O1"
LINGUAS=""
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.us.gentoo.org/gentoo-portage"
USE="X acpi alsa apache2 berkdb caps crypt cups dri eds elibc_glibc fam gdbm gif gnome gtk idn input_devices_keyboard input_devices_mouse ipv6 jpeg kernel_linux logrotate mad mbox mmap mmx motif ncurses nfs nis nls nptl nptlonly offensive pam pcre perl pic png posix python qt4 readline sdl seamonkey selinux spell spl sse sse2 ssl tcpd threads truetype userland_GNU video_cards_radeon video_cards_vesa x86 xml zlib"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY

Problem:
When using subnets in /etc/exports, rpc.mountd disallows the first listed mount of the last entry.

Example:
On server:
cat /etc/exports:
/usr/share/storage      172.16.24.0/27(rw,root_squash,async) 172.16.25.0/27(rw,root_squash,async)
/usr/portage/distfiles  172.16.24.0/27(rw,root_squash,async) 172.16.25.0/27(rw,root_squash,async)

on client, on 172.16.24.0/27 network:
# showmount -e tree
Export list for tree:
/usr/share/storage      172.16.25.0/27,172.16.24.0/27
/usr/portage/distfiles  172.16.25.0/27,172.16.24.0/27

# mkdir /tmp/storage /tmp/distfiles
# mount -t nfs tree:/usr/share/storage /tmp/storage
# mount -t nfs tree:/usr/portage/distfiles /tmp/distfiles
mount: tree:/usr/share/distfiles failed, reason given by server: Permission Denied
# df -t nfs
Filesystem           1K-blocks      Used Available Use% Mounted on
tree:/usr/share/storage
                     127935328  38986496  88948832  31% /tmp/storage

Checking logs on the server shows:
Sep 17 21:01:37 tree rpc.mountd: export request from 172.16.24.18
Sep 17 21:02:00 tree rpc.mountd: authenticated mount request from fairy.broomstick.com:853 for /usr/share/storage (/usr/share/storage)
Sep 17 21:02:13 tree rpc.mountd: refused mount request from fairy.broomstick.com for /usr/portage/distfiles (/): not exported

# nslookup fairy.broomstick.com
Server:         127.0.0.1
Address:        127.0.0.1#53

Name:   fairy.broomstick.com
Address: 172.16.24.18

# grep hosts /etc/nsswitch.conf
hosts:      files dns nis

# cat /etc/hosts.allow
mountd:         LOCAL, 172.16.24.0/27, 172.16.25.0/27
ALL :           LOCAL, 172.16.24.0/27, 172.16.25.0/27

nscd is not running on either client or server
portmap, mountd and statd are running on both client and server
NFS kernel options same on server and client:
CONFIG_NFS_FS=y
CONFIG_NFS_V3=y
CONFIG_NFS_V3_ACL=y
# CONFIG_NFS_V4 is not set
# CONFIG_NFS_DIRECTIO is not set
CONFIG_NFSD=m
CONFIG_NFSD_V2_ACL=y
CONFIG_NFSD_V3=y
CONFIG_NFSD_V3_ACL=y
# CONFIG_NFSD_V4 is not set
CONFIG_NFSD_TCP=y
CONFIG_NFS_ACL_SUPPORT=y
CONFIG_NFS_COMMON=y

The problem is repeatable with two different clients.

Workaround:
Add *.domain.name(...) entry to /etc/exports, followed by /etc/init.d/nfs stop, zonk /var/lib/nfs/(e|rm)tab, and /etc/init.d/nfs start
This makes the entry mountable.

This is obviously a bad workaround for security reasons.
Comment 1 SpanKY gentoo-dev 2007-03-25 11:01:57 UTC
can you upgrade to nfs-utils-1.0.12 and see if this is still a problem ?
Comment 2 Arthur Hagen 2007-09-09 11:04:03 UTC
(In reply to comment #1)
> can you upgrade to nfs-utils-1.0.12 and see if this is still a problem ?
> 

Still a problem with nfs-utils-1.0.12.  It only appears to happen when having multiple entries in /etc/exports that are ip/mask based.  If specifying hostnames or netgroups in exports, everything is fine.

From troubleshooting more, it appears to be DNS callout related.  The mountd authentication appears to only accept the IP without checking DNS for the first entry in /etc/exports.  For subsequent entries, the reverse DNS (or similar, depending on resolver methods) is checked, and access denied if it doesn't match the hostname.  This makes sense for name based access lists, but not when the IP matches.
That it doesn't happen for the first entry makes me suspect there's a conditional for when to check the hostname that isn't reset between entries.
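The symptom in the description (a client inside an exported subnet refused with "not exported") and the hypothesis in comment 2 (the hostname check applied where the IP already matches) can both be checked from the server side by correlating rpc.mountd refusals against /etc/exports. The script below is an added example, not part of the bug report or of nfs-utils; it embeds the exports file and log lines quoted above as constructed samples, and uses a constructed name-to-address table in place of DNS so it runs offline.

```python
import ipaddress
import re

# Constructed sample: the /etc/exports from the bug report.
EXPORTS = """\
/usr/share/storage      172.16.24.0/27(rw,root_squash,async) 172.16.25.0/27(rw,root_squash,async)
/usr/portage/distfiles  172.16.24.0/27(rw,root_squash,async) 172.16.25.0/27(rw,root_squash,async)
"""
# Constructed sample: the rpc.mountd log lines from the bug report.
LOG = """\
Sep 17 21:01:37 tree rpc.mountd: export request from 172.16.24.18
Sep 17 21:02:00 tree rpc.mountd: authenticated mount request from fairy.broomstick.com:853 for /usr/share/storage (/usr/share/storage)
Sep 17 21:02:13 tree rpc.mountd: refused mount request from fairy.broomstick.com for /usr/portage/distfiles (/): not exported
"""
RESOLVE = {"fairy.broomstick.com": "172.16.24.18"}  # constructed stand-in for DNS
REFUSED = re.compile(r"rpc\.mountd: refused mount request from (\S+) for (\S+) ")

def parse_exports(text):
    """Map each exported path to its client specs, (options) stripped."""
    exports = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            path, *clients = line.split()
            exports[path] = [c.split("(", 1)[0] for c in clients]
    return exports

def allowed_by_subnet(exports, path, addr):
    """True if addr lies inside any CIDR client spec exported for path."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # an unresolved name cannot be matched against a subnet
    for spec in exports.get(path, []):
        try:
            if ip in ipaddress.ip_network(spec, strict=False):
                return True
        except ValueError:
            continue  # hostname, wildcard or netgroup spec: not a CIDR range
    return False

def unexpected_refusals(exports_text, log_text, resolve=RESOLVE):
    """(client, path) pairs mountd refused although an exported subnet covers them."""
    exports = parse_exports(exports_text)
    # mountd logs the client by name when reverse DNS resolves it, so map back to an address
    return [(client, path) for client, path in REFUSED.findall(log_text)
            if allowed_by_subnet(exports, path, resolve.get(client, client))]
```

A non-empty result means mountd refused a client that the subnet entries in /etc/exports already permit, which is the condition this bug produces; on a correctly behaving server the list is empty.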