NFS: Connection refused

I wanted to prevent clients from seeing my home server's list of NFS shares, so I disabled its nfs-mountd.service because it is only needed for NFSv3:

rpc.mountd
This process is used by an NFS server to process MOUNT requests from NFSv3 clients. It checks that the requested NFS share is currently exported by the NFS server, and that the client is allowed to access it. If the mount request is allowed, the nfs-mountd service replies with a Success status and provides the File-Handle for this NFS share back to the NFS client.

And indeed, no share list was visible anymore:

$ showmount -e dojo
clnt_create: RPC: Program not registered

But this had consequences, although I tried to use NFSv4 only:

$ cat /etc/fstab | grep media-dojo
dojo:/data/media  /mnt/media-dojo  nfs  noauto,user,nolock,nfsvers=4
 
$ mount -v /mnt/media-dojo/
mount.nfs: timeout set for Thu Dec 21 21:20:46 2023
mount.nfs: trying text-based options 'nolock,vers=4.2,addr=fdc3:e153::3,clientaddr=fdc3:e153::dcbb:9cea:9873:1f10'
mount.nfs: mount(2): Connection refused
mount.nfs: trying text-based options 'nolock,vers=4.2,addr=192.168.3.3,clientaddr=192.168.3.5'
mount.nfs: mount(2): Connection refused
mount.nfs: trying text-based options 'nolock,vers=4.2,addr=fdc3:e153::3,clientaddr=fdc3:e153::dcbb:9cea:9873:1f10'
mount.nfs: mount(2): Connection refused
mount.nfs: trying text-based options 'nolock,vers=4.2,addr=192.168.3.3,clientaddr=192.168.3.5'
mount.nfs: mount(2): Connection refused

I could not mount the shares from my Debian experimental (trixie) laptop anymore! After re-enabling nfs-mountd on the home server I could mount again:

$ mount -v /mnt/media-dojo/
mount.nfs: timeout set for Thu Dec 21 21:20:54 2023
mount.nfs: trying text-based options 'nolock,vers=4.2,addr=fdc3:e153::3,clientaddr=fdc3:e153::dcbb:9cea:9873:1f10'
mount.nfs: mount(2): Permission denied
mount.nfs: trying text-based options 'nolock,vers=4.2,addr=192.168.3.3,clientaddr=192.168.3.5'
$

A comment on serverfault.com explains it:

According to rpc.mountd(1),

"The rpc.mountd daemon implements the server side of the NFS MOUNT protocol, [...] It also responds to requests from the Linux kernel to authenticate clients and provides details of access permissions."

... so it's not needed on an NFSv4 client, but an NFSv4 server still needs it, even though there's no direct communication between clients and rpc.mountd.

Sam Morris, 2023-12-16

So I have to keep nfs-mountd running on the server, but I can deny access from the outside:

/etc/hosts.deny
mountd: ALL

Listing mounts is not possible anymore, but mounting is:

$ showmount -e dojo
rpc mount export: RPC: Authentication error; why = Failed (unspecified error)
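
The mountd: ALL rule only holds as long as nothing in /etc/hosts.allow matches first, because TCP wrappers consult hosts.allow before hosts.deny. The following is an added example, not part of the original post: a small evaluator for a subset of hosts_access(5) (ALL, exact IPv4 address, trailing-dot prefix, net/mask) that can be used to audit a rule pair. The function names and the sample rule strings are constructed for illustration, and it assumes rpc.mountd honours TCP wrappers as it does on the server above.

```python
import ipaddress
import re


def parse_rules(text):
    """Parse hosts.allow/hosts.deny text into [(daemons, clients)] pairs."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue
        # Lists are separated by blanks and/or commas; options after a
        # second ":" are ignored in this subset.
        rules.append((re.split(r"[,\s]+", fields[0]),
                      re.split(r"[,\s]+", fields[1])))
    return rules


def client_matches(pattern, addr):
    """Subset of client patterns: ALL, 'a.b.c.' prefix, net/mask, exact IPv4."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        return addr.startswith(pattern)
    if "/" in pattern:
        net = ipaddress.ip_network(pattern, strict=False)
        return ipaddress.ip_address(addr) in net
    return pattern == addr


def matches(rules, daemon, addr):
    return any((daemon in daemons or "ALL" in daemons)
               and any(client_matches(c, addr) for c in clients)
               for daemons, clients in rules)


def access(allow_text, deny_text, daemon, addr):
    """hosts_access order: allow match wins, then deny match, else allow."""
    if matches(parse_rules(allow_text), daemon, addr):
        return "allow"
    if matches(parse_rules(deny_text), daemon, addr):
        return "deny"
    return "allow"


if __name__ == "__main__":
    deny = "mountd: ALL\n"                 # rule from this post
    leaky_allow = "mountd: 192.168.3.\n"   # constructed: would re-expose the list
    print(access("", deny, "mountd", "192.168.3.5"))           # deny
    print(access(leaky_allow, deny, "mountd", "192.168.3.5"))  # allow
```
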

Written by Christian Weiske.
