topic Re: Problems with NIS' securenets and secureservers mechanism in Operating System - HP-UX

Problems with NIS' securenets and secureservers mechanism

Ron Barak — Mon, 28 Jan 2002 16:33:57 GMT

Hi Guys,

I have a question on NIS' /var/yp/securenets and /var/yp/secureservers mechanism:

I've set up a NIS Master server (on HP-UX 11.0), with the /var/yp/securenets (And also tried the same file as /var/yp/secureservers) file shown below. My understanding is that the NIS server would serve only the three machines mentioned in the file and reject bind requests from NIS clients not in the file.
However, I see that other machines on the yp domain are also binding to that NIS server, and receive yp services from it.

Could someone shed light on how /var/yp/securenets should be used, to serve only certain yp clients in the yp domain ?

Thanks,
Ron.

----------------------------------------------

# securenets $Revision: 1.1.211.1 $ $Date: 96/10/09 11:26:11 $
#
# /var/yp/securenets file
#
# The format of this file is one of more lines of
#
# netmask netaddr
# Both netmask and netaddr must be dotted quads.
#
# Note that for a machine with two Ethernet interfaces (i.e. a gateway
# machine), the IP addresses of both have to be in /var/yp/securenets.
#
# for example:
#255.255.255.0 128.185.124.00
255.255.255.255 143.185.96.213
255.255.255.255 143.185.96.214
255.255.255.255 143.185.92.168

Bye,

Ron.

Re: Problems with NIS' securenets and secureservers mechanism

Helen French — Mon, 28 Jan 2002 16:45:15 GMT

Hi,

Things are little different. First of all the /var/yp/securenets should be used in the server side and /var/yp/securenets should be used in the client side.

And the format is like this:

netmask netaddr

The netmask and netaddr will be logically ANDed when starting the yp daemons.

So in your eg:, 255.255.255.255 netmask will match with any address while ANDing.

For more explanation, check this out:

http://us-support3.external.hp.com/cki/bin/doc.pl/sid=582e01470314683eb5/screen=ckiDisplayDocument?docId=200000053127882

HTH,
Shiju

Re: Problems with NIS' securenets and secureservers mechanism

Patrick Wallek — Mon, 28 Jan 2002 16:48:43 GMT

Check out the TKB document: KBRC00004639 (I have attached it for your convenience)

I don't know if it will really help you, and I'm not sure I quite understand what they mean with the sentence about the '....0 address in the same place...'.

Hopefully it'll help.

Re: Problems with NIS' securenets and secureservers mechanism

Helen French — Mon, 28 Jan 2002 16:50:48 GMT

Hi,

Sorry ..typing mistake .. /var/yp/secureservers in the client side.

Shiju

Re: Problems with NIS' securenets and secureservers mechanism

Pal Szabo_1 — Mon, 28 Jan 2002 16:57:49 GMT

Hi!

1. Have you tried /etc/securenets file?

2. If it isn't work try to
shut down ypserv process.
then use
# touch /etc/securenets
# touch /var/yp/securenets
# tusc -o /tmp/xxx ypserv
# cat /tmp/xxx | grep open
It shows which file is used during startup ...

Regards:
Paul

Re: Problems with NIS' securenets and secureservers mechanism

Helen French — Mon, 28 Jan 2002 17:13:33 GMT

Hi,

Agaian,

1) Try restarting your yp daemons after making changes to these files.

2) Put only entry for a specific subnet and see whether it accepts the value. for eg:

255.255.255.0 80.1.1.0 - should accept any hosts from the 80.1.1 subnet.

3) Check the permissions of the /var/yp files.

4) check any entries in /etc/securenets.

HTH,
Shiju

Re: Problems with NIS' securenets and secureservers mechanism

Ron Barak — Mon, 28 Jan 2002 18:37:55 GMT

Hi Paul,

I tried your excelent suggestion to use tusc, and seems that neither /var/yp/securenets nor /etc/securenets are consulted (see below).

Bye,
Ron.

loan167 [423] sudo /opt/tusc/bin/tusc -o /tmp/ypserv.tmp /sbin/init.d/nis.server start
starting NIS SERVER networking
starting up the rpcbind
rpcbind already started, using pid: 623
domainname idcto
starting up the Network Information Service
starting up the ypserv daemon
/usr/lib/netsvc/yp/ypserv
starting up the ypxfrd daemon
/usr/sbin/ypxfrd
starting up the rpc.yppasswdd daemon
/usr/lib/netsvc/yp/rpc.yppasswdd /etc/passwd -m passwd PWFILE=/etc/passwd
starting up the rpc.ypupdated daemon
/usr/lib/netsvc/yp/rpc.ypupdated
starting up the keyserv daemon
keyserv already started, using pid: 14545
loan167 [424] grep open /tmp/ypserv.tmp
open("/dev/null", O_RDONLY, 02) .............................. = 4
open("/sbin/init.d/nis.server", O_RDONLY, 0123132) ........... = 4
open("/etc/rc.config.d/namesvrs", O_RDONLY, 056624) .......... = 4

Re: Problems with NIS' securenets and secureservers mechanism

Pal Szabo_1 — Tue, 29 Jan 2002 09:56:38 GMT

Hi!

You didn't see the opened files of ypserv beacuse
nis.server is an script.

My suggestion:
(kill the ypserv,then start it manually)

# ps -ef | grep ypserv
root 19542 1 0 08:25:11 ? 0:00 /usr/lib/netsvc/yp/ypserv
# kill -9 19542
# /opt/tusc/bin/tusc -o /tmp/xxx /usr/lib/netsvc/yp/ypserv
# cat /tmp/xxx | grep open

My output was the following:
open("/usr/lib/dld.sl", O_RDONLY, 017737401304) .................. = 4
open("/usr/lib/libdld.2", O_RDONLY, 0) ........................... = 4
open("/usr/lib/libc.2", O_RDONLY, 02) ............................ = 4
open("/usr/lib/libdld.2", O_RDONLY, 02) .......................... = 4
open("/usr/lib/libc.2", O_RDONLY, 0) ............................. = 4
open("/usr/lib/libnsl.1", O_RDONLY, 0) ........................... = 4
open("/usr/lib/libxti.2", O_RDONLY, 02) .......................... = 4
open("/usr/lib/libndbm.2", O_RDONLY, 0) .......................... = 4
open("/var/yp/a21435768901334", O_RDONLY|O_CREAT|O_EXCL, 0177270) = 4
open("/var/yp/securenets", O_RDONLY, 0666) ....................... = 0
open("/dev/log", O_WRONLY|O_NONBLOCK, 0) ......................... = 5
open("/usr/lib/tztab", O_RDONLY, 0177270) ........................ = 6
open("/etc/netconfig", O_RDONLY, 0666) ........................... = 6
open("/usr/lib/libstraddr.1", O_RDONLY, 03) ...................... = 6
open("/usr/lib/libdld.2", O_RDONLY, 01) .......................... = 6
open("/usr/lib/libc.2", O_RDONLY, 03) ............................ = 6
open("/usr/lib/libnsl.1", O_RDONLY, 03) .......................... = 6
open("/dev/tlclts", O_RDWR, 01400) ............................... = 6
open("/dev/tlclts", O_RDWR, 0) ................................... = 6
open("/dev/tlclts", O_RDWR, 0) ................................... = 6
open("/dev/tlclts", O_RDWR, 0) ................................... = 6

You see,it uses the securenets file.(Sorry,not in the /etc directory)
And the number in the securenets row shows, that ypserv opened this file.
If ypserv can't open your
securenets file,you will show
ENOENT in the tracing results.
I this case,check the permissions of securenets file.My permissions are:
(r--r--r--)

Please do this on your machine.I do it on my master server.

I check if it is well,and i see i see in syslog:

Jan 29 08:44:27 dorka syslog: ypserv: access denied for 192.168.103.2

Regards:
Paul

PS:
If it doesn't work try it:

Have you see ypserv messages in your syslog?
What network patches are installed on this machine?