System Administration
11.31 NFS using FQDN in "share" command

 
SoorajCleris
Honored Contributor

11.31 NFS using FQDN in "share" command

Hi everyone

In reference
http://forums13.itrc.hp.com/service/forums/questionanswer.do?admit=109447627+1263170752116+28353475&threadId=1146006

I was just trying to find out the reason why it happened like that. If we are using the hosts file, then also do we need to use FQDN?

Because man share_nfs says that,


hostname
The name of a host. With a server configured for DNS or LDAP
naming in the nsswitch "hosts" entry, any hostname must be
represented as a fully qualified DNS or LDAP name.

Command line used (without using FQDN it was not working):
# share -F nfs -o sec=sys,rw=hpuxtest.sooraj.com,root=hpuxtest.sooraj.com -d "testing" /nfstest

# grep host /etc/nsswitch.conf
hosts: files [NOTFOUND=continue UNAVAIL=continue] dns

Am I understanding anything wrong from manpage?

So I would like to know your suggestions too..

Thanks..
Sooraj
"UNIX is basically a simple operating system, but you have to be a genius to understand the simplicity" - Dennis Ritchie
SoorajCleris
Honored Contributor

Re: 11.31 NFS using FQDN in "share" command

Hi,

waiting for your advice.

thanks,
Sooraj
"UNIX is basically a simple operating system, but you have to be a genius to understand the simplicity" - Dennis Ritchie
Horia Chirculescu
Honored Contributor

Re: 11.31 NFS using FQDN in "share" command

Hello,

How about editing the nsswitch.conf file and change the hosts line to read:

hosts: files

Maybe share reads nsswitch.conf file?

Best regards,
Horia
Best regards from Romania,
Horia.
SoorajCleris
Honored Contributor

Re: 11.31 NFS using FQDN in "share" command

Hi ,

I have already mentioned

# grep host /etc/nsswitch.conf
hosts: files [NOTFOUND=continue UNAVAIL=continue] dns

Regards,
Sooraj
"UNIX is basically a simple operating system, but you have to be a genius to understand the simplicity" - Dennis Ritchie
Steven Schweda
Honored Contributor

Re: 11.31 NFS using FQDN in "share" command

> hosts: files [NOTFOUND=continue UNAVAIL=continue] dns

Ok. And, according to you, the "man" page
says 'With a server configured for DNS or
LDAP naming in the nsswitch "hosts" entry',
and I see "dns" in your 'nsswitch "hosts"
entry'. It says "DNS". It does _not_ say
"_only_ DNS". Where's the mystery?
SoorajCleris
Honored Contributor

Re: 11.31 NFS using FQDN in "share" command

Hi Steven,

You mean to say the manpage is clear that if at all there is dns mentioned in nsswitch we should use FQDN?

Thanks
Sooraj
"UNIX is basically a simple operating system, but you have to be a genius to understand the simplicity" - Dennis Ritchie
mvpel
Trusted Contributor

Re: 11.31 NFS using FQDN in "share" command

Interesting, I didn't realize that they were starting to enforce FQDNs in that circumstance.

It's a security issue.

If you specify an unqualified hostname, with DNS it can match other things than what you intend, depending on factors external to the NFS server.

If you specify an unqualified hostname:

share -F nfs -o rw=pcvm0101,root=pcvm0101 -d "IS OIL sapmnt" /sapmnt/IE1

... then anyone who can reach your network who also has control over a DNS server could bypass your restrictions. In the old days, the host would allow read/write/root mounts from not only pcvm0101.yourdomain.com, but also pcvm0101.competitor.com, pcvm0101.hackers.com, and pcvm0101.intelligence.ir, for example.

The server does a reverse lookup on the client IP address, and uses the hostname it gets back from DNS in granting access. Since it shouldn't trust outside DNS servers, it shouldn't grant access to any matching hostname in any domain.

And that's the way it works now, thankfully.

If you use only "files" for host lookups, the FQDN restriction doesn't apply since NFS is not depending on resources that are outside the control of the local system to make security decisions.
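The access decision mvpel describes, written up as a small simulation (added example, not HP-UX code or anything from this thread): the share `-o` string is parsed into its `rw=`/`root=` lists, and the name obtained from a reverse lookup of the client address is matched against them, once with the old "first label in any domain" semantics and once with strict FQDN comparison. The reverse-DNS table and addresses are constructed for illustration.

```python
"""Simulate how an NFS server matches a client's reverse-DNS name against the
hostnames in share(1M) rw=/root= lists.  Constructed example; the lookup
table below is made up to show why unqualified names are dangerous."""

# Constructed reverse-DNS results: client IP -> name the server gets back.
REVERSE_DNS = {
    "10.1.1.10": "pcvm0101.yourdomain.com",    # the intended client
    "203.0.113.7": "pcvm0101.competitor.com",  # foreign host, same first label
}


def parse_share_opts(opts):
    """Parse 'sec=sys,rw=h1:h2,root=h1' into {'sec': ['sys'], 'rw': [...], ...}.
    Options are comma-separated; access lists inside them are colon-separated."""
    result = {}
    for item in opts.split(","):
        key, _, value = item.partition("=")
        result[key] = value.split(":") if value else []
    return result


def host_matches(dns_name, entry, enforce_fqdn):
    """Legacy: an unqualified entry matches the first label of the reverse name
    in *any* domain.  Strict: only an exact FQDN comparison counts, so an
    unqualified entry can never match a dotted reverse-DNS name."""
    dns_name = dns_name.lower().rstrip(".")
    entry = entry.lower().rstrip(".")
    if "." in entry or enforce_fqdn:
        return dns_name == entry
    return dns_name.split(".")[0] == entry


def access_for(client_ip, share_opts, enforce_fqdn=True):
    """Return the set of permissions ('rw', 'root') granted to client_ip."""
    opts = parse_share_opts(share_opts)
    name = REVERSE_DNS.get(client_ip)
    granted = set()
    if name is None:
        return granted  # no reverse record: nothing to compare, deny
    for perm in ("rw", "root"):
        if any(host_matches(name, e, enforce_fqdn) for e in opts.get(perm, [])):
            granted.add(perm)
    return granted


if __name__ == "__main__":
    unqualified = "sec=sys,rw=pcvm0101,root=pcvm0101"
    qualified = "sec=sys,rw=pcvm0101.yourdomain.com,root=pcvm0101.yourdomain.com"
    for ip in REVERSE_DNS:
        print(ip, "legacy:", access_for(ip, unqualified, enforce_fqdn=False),
              "strict:", access_for(ip, qualified))
```

Under the legacy rule the foreign host gets rw and root with the unqualified share; under the strict rule only the fully qualified entry grants access, and an unqualified entry yields the "Permission denied" seen later in this thread.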
Steven Schweda
Honored Contributor

Re: 11.31 NFS using FQDN in "share" command

> You mean to say, [...]

That's how I read it.

> It's a security issue. [...]

That would seem to explain why. (I've seen
this on Solaris systems for years, and always
wondered why, but was always too lazy to
investigate.)
SoorajCleris
Honored Contributor

Re: 11.31 NFS using FQDN in "share" command

Hi Steven and mvpel,

Thanks for your valuable suggestions.
I will simulate this, check and will come back.

Regards,
Sooraj
"UNIX is basically a simple operating system, but you have to be a genius to understand the simplicity" - Dennis Ritchie
SoorajCleris
Honored Contributor

Re: 11.31 NFS using FQDN in "share" command

Hi ,

It's funny, I am using only hosts, but the output

[rx26-156]/etc
# nslookup
Using /etc/hosts on: rx26-156

>
----------------------------------------
# share -F nfs -o sec=sys,rw=rx260-16,root=rx260-16 -d "test Export" /tmp/soo>
[rx26-156]/tmp/sooraj
------------------------------------------
# nslookup
Using /etc/hosts on: rx260-16

>

# mount -F nfs rx26-156:/tmp/sooraj /sooraj
Permission denied
[rx260-16]/
===============================================================
# share -F nfs -o sec=sys,rw=rx260-16.usa.hp.com,root=rx260-16.usa.hp.com -d >
[rx26-156]/tmp/sooraj

---------------------------------------------------------
# mount -F nfs rx26-156:/tmp/sooraj /sooraj
[rx260-16]/
# touch /sooraj/check
[rx260-16]/

=============================================

So I feel like we should always use FQDN.

Regards,
Sooraj
"UNIX is basically a simple operating system, but you have to be a genius to understand the simplicity" - Dennis Ritchie
Dave Olker
HPE Pro

Re: 11.31 NFS using FQDN in "share" command

What happens when you actually resolve the non-fully-qualified hostname on both the NFS client and server system?

# nslookup rx260-16
mvpel
Trusted Contributor

Re: 11.31 NFS using FQDN in "share" command

It's the nsswitch.conf and /etc/hosts files on your NFS server, not your client, that you need to concern yourself with.

I assume RX26-156 was able to ping RX260-16 by hostname when you made the nsswitch.conf change, right? What did the /etc/hosts entry for RX260-16 on RX26-156 look like?
SoorajCleris
Honored Contributor

Re: 11.31 NFS using FQDN in "share" command

Hi,

# nslookup rx260-16
Using /etc/hosts on: rx26-156

looking up FILES
Name: rx260-16
Address: 192.168.112.142
Aliases: rx260-16
==================================
/etc/hosts - rx26-156 ( I tried to use both rx260-16 and rx260-16.usa.hp.com)

16.118.114.125 rx26-156.usa.hp.com rx26-156
127.0.0.1 localhost loopback
16.118.114.250 hpvldas1 hpvldas1.usa.hp.com
192.168.112.142 rx260-16 rx260-16

=================================
Thanks
sooraj
"UNIX is basically a simple operating system, but you have to be a genius to understand the simplicity" - Dennis Ritchie
Dave Olker
HPE Pro

Re: 11.31 NFS using FQDN in "share" command

Do you get the exact same output on both the NFS client and server?

Is there a need to have the same hostname listed twice on the same line?

192.168.112.142 rx260-16 rx260-16

Do you get the same behavior if you change the line to:

192.168.112.142 rx260-16

on both the NFS client and server?

Dave
Horia Chirculescu
Honored Contributor

Re: 11.31 NFS using FQDN in "share" command

Hello Sooraj,

This is what I understand from the man page and tried to suggest to you in my first intervention.

> Hi Steven,

> You mean to say the manpage is clear that if at all there is dns mentioned in nsswitch we should use FQDN?

Horia.
Best regards from Romania,
Horia.
SoorajCleris
Honored Contributor

Re: 11.31 NFS using FQDN in "share" command

But Horia, I have used the same, but see the output posted above.

Regards,
Sooraj
"UNIX is basically a simple operating system, but you have to be a genius to understand the simplicity" - Dennis Ritchie
mvpel
Trusted Contributor

Re: 11.31 NFS using FQDN in "share" command

Maybe the share command allows unqualified hostnames if DNS is not used, but someone forgot to tell the nfsd team and so it doesn't allow unqualified names when making hostname-based access decisions.

But in any case, using FQDNs is a better practice in general, since it removes any ambiguity about which host you're referring to. I ran into the same situation in Nortel a few years ago, where we had five internal domain names in active use.
SoorajCleris
Honored Contributor

Re: 11.31 NFS using FQDN in "share" command

ha ha .. that's great. I am planning to tell the NFSD team :)
"UNIX is basically a simple operating system, but you have to be a genius to understand the simplicity" - Dennis Ritchie