Operating System - HP-UX

NFS Server need to deny anonymous accounts

 
Kenneth Martin
Occasional Advisor

NFS Server need to deny anonymous accounts

I am running an HP server D270 running HP/UX 10.20. I have a requirement to allow P.C.'s to make PCNFS connections to specific directories on the HP server. Using the HP documentation I have been unable to stop accounts from connecting using anonymous connections. Is there a way that names must be validated (i.e. /etc/passwd) or the NFS connection is refused? By the way, some clients are running D.H.C.P. if that matters, and all of the clients are running WRQ Reflections NFS client. The important thing is to keep non-validated users from making NFS connections. Thanks!


RikTytgat
Honored Contributor

Re: NFS Server need to deny anonymous accounts

Hi,

You cannot refuse nfs connections based on usernames, but you can refuse connections based on hostname (that is, you can accept connections from a list of hosts).

The access to the files on your NFS exports is controlled by the UNIX permissions (owner, group and mode).

It is important not to treat root users as root on an nfs mounted file system. This is the case if there is no root=hostname:hostname option for an exported fs in /etc/exportfs.

Hope this helps,
Rik.
Kenneth Martin
Occasional Advisor

Re: NFS Server need to deny anonymous accounts

What happens when the connecting clients are running D.H.C.P.? The I.P. address in /etc/hosts won't always match. Actually with P.C. clients running D.H.C.P. /etc/hosts isn't of much value? Also, the HP server is not the DNS server.

If I could get fixed (static) I.P. addresses how would I set it up on the HP server side to "only allow" connections from specific I.P. addresses?

Antoanetta Naghiu
Esteemed Contributor

Re: NFS Server need to deny anonymous accounts

The file that you are looking for is /etc/exports (see man exports for details). As Rik said, you cannot enable/disable at user level, you can just play at file system level in Unix (for server) and hosts (for clients). You can enable anonymous user that allows users that don't have uid, gid in Unix environment to connect.
Can you group NT users in a netgroup? If yes, you can use the netgroup (see man netgroup) instead of hostname and your problem is solved.
Hope it helps!
Tim Malnati
Honored Contributor

Re: NFS Server need to deny anonymous accounts

The only good solution that I can see to the DHCP dilemma would be to set up DHCP reservations for the workstations/servers that you want to have access to the HPUX box and set up the /etc/exports file accordingly.

What may be a better solution to your situation may be the Advanced Server/9000 (AS/U) product (J2715BA). You can get a limited use edition at http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=J2715BA. This product sort of fools Microsoft client machines into thinking that they are connecting to an NT box when in actuality it's an HPUX machine doing the work. It has been a while since I looked at it, so I can't vouch for it, but it may be your best bet overall. It would also eliminate the need for Reflections NFS, which is quite a resource pig.
Andreas Voss
Honored Contributor

Re: NFS Server need to deny anonymous accounts

Hi,

The best and inexpensive thing is to use SAMBA for PC connections. It acts like an NT server and you are able to restrict the access by user level and more.
Also there is no need for any additional software at the PC clients, just adding remote LAN disk drives within MS-Windows would do the job.
The administration is very simple: Using any Web browser on port 901 (default) is sufficient.
Here is the download URL:
http://us1.samba.org/samba/ftp/Binary_Packages/hp/

Regards

Andrew
Jeremy Dean_3
Occasional Advisor

Re: NFS Server need to deny anonymous accounts

This works for me using PCNFSD.
It could be that you are not correctly running pcnfsd and that the PCNFS mount request is not being authenticated and is then being handed off to the NFS mountd server as an anonymous request - see #1 below.

The key is to:-
1. Set -anon=-1 in the /etc/exports file
Use SAM and Set the Unknown User option
Disable Unknown UID Access

This should update /etc/exports to use the "-anon=-1" option for all filesystems to disable anonymous access from UNIX (NFS) and PC (PCNFS) clients.
Example /etc/exports entry:
/my_filesys -anon=-1

If editing the file by hand, then run
exportfs -a; exportfs
afterwards to update and re-display the internal maps for validation.

See the exports(4) and exportfs(1m) man pages
On older systems the uids were unsigned ints and hence anon=-1 is 65535 and anon=-2 is 65534
See /usr/include/sys/param.h - UID_NOBODY

2. Ensure that pcnfsd is running
On HP-UX
ch_rc -l -p PCNFS_SERVER

rpcinfo -p hostname|egrep -i pcnfs

Where hostname is the HP servername

I verified this using Hummingbird NFS Maestro v6.01; you should get the same mileage with the WRQ product as this is server-side authentication.
---
It is also true that Samba is increasingly an interesting option, especially as it is now supported via HP as the "CIFS-Server" product - CIFS/9000 (Samba) File and Print Services
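
An exports audit covering the settings raised in this thread (anon=-1, a host list, and root= trust), as an added example that is not part of any post above. It assumes the `access=` host-list option of the exports(4) format; the hostnames pc01/pc02 and the sample paths other than /my_filesys are constructed.

```shell
#!/bin/sh
# Added example: audit an HP-UX style exports file.
# Usage: audit_exports /etc/exports   (or "-" to read standard input)
audit_exports() {
    awk '
    /^[ \t]*(#|$)/ { next }               # skip comments and blank lines
    {
        dir = $1; anon = ""; hosts = 0; root = 0
        for (i = 2; i <= NF; i++) {
            opts = $i
            sub(/^-/, "", opts)           # the option list starts with a dash
            n = split(opts, o, ",")
            for (j = 1; j <= n; j++) {
                if (o[j] ~ /^anon=/)   anon = substr(o[j], 6)
                if (o[j] ~ /^access=/) hosts = 1   # assumed exports(4) option
                if (o[j] ~ /^root=/)   root = 1
            }
        }
        # anon=-1 disables anonymous access; 65535 is the same value where
        # uids are unsigned 16-bit, as noted in the thread.
        closed = (anon == "-1" || anon == "65535")
        shown  = (anon == "") ? "default" : anon
        if (!closed) print dir ": ANON_ALLOWED (anon=" shown ")"
        if (!hosts)  print dir ": NO_HOST_LIST"
        if (root)    print dir ": ROOT_TRUSTED"
        if (closed && hosts && !root) print dir ": OK"
    }' "${1:--}"
}

# Constructed sample input, not taken from a real server.
sample_exports() {
    cat <<'EOF'
# constructed sample exports file
/my_filesys -anon=-1
/pcshare -anon=-1,access=pc01:pc02
/old -anon=65535,access=pc01,root=pc01
/open
EOF
}

sample_exports | audit_exports -
```

After changing the real file, `exportfs -a; exportfs` from the post above reloads and redisplays the exports so the result can be compared with this report.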