Operating System - HP-UX

Problems with NIS' securenets and secureservers mechanism

Ron Barak
Advisor

Problems with NIS' securenets and secureservers mechanism

Hi Guys,

I have a question on NIS' /var/yp/securenets and /var/yp/secureservers mechanism:

I've set up a NIS Master server (on HP-UX 11.0), with the /var/yp/securenets (And also tried the same file as /var/yp/secureservers) file shown below. My understanding is that the NIS server would serve only the three machines mentioned in the file and reject bind requests from NIS clients not in the file.
However, I see that other machines on the yp domain are also binding to that NIS server, and receive yp services from it.

Could someone shed light on how /var/yp/securenets should be used, to serve only certain yp clients in the yp domain ?

Thanks,
Ron.

----------------------------------------------


# securenets $Revision: 1.1.211.1 $ $Date: 96/10/09 11:26:11 $
#
# /var/yp/securenets file
#
# The format of this file is one or more lines of
#
# netmask netaddr
# Both netmask and netaddr must be dotted quads.
#
# Note that for a machine with two Ethernet interfaces (i.e. a gateway
# machine), the IP addresses of both have to be in /var/yp/securenets.
#
# for example:
#255.255.255.0 128.185.124.00
255.255.255.255 143.185.96.213
255.255.255.255 143.185.96.214
255.255.255.255 143.185.92.168

Bye,

Ron.
Helen French
Honored Contributor

Re: Problems with NIS' securenets and secureservers mechanism

Hi,

Things are a little different. First of all, /var/yp/securenets should be used on the server side and /var/yp/securenets should be used on the client side.

And the format is like this:

netmask netaddr

The netmask and netaddr will be logically ANDed when starting the yp daemons.

So in your e.g., a 255.255.255.255 netmask will match any address while ANDing.

For more explanation, check this out:

http://us-support3.external.hp.com/cki/bin/doc.pl/sid=582e01470314683eb5/screen=ckiDisplayDocument?docId=200000053127882

HTH,
Shiju

Life is a promise, fulfill it!
Patrick Wallek
Honored Contributor

Re: Problems with NIS' securenets and secureservers mechanism

Check out the TKB document: KBRC00004639 (I have attached it for your convenience)

I don't know if it will really help you, and I'm not sure I quite understand what they mean with the sentence about the '....0 address in the same place...'.

Hopefully it'll help.
Helen French
Honored Contributor

Re: Problems with NIS' securenets and secureservers mechanism

Hi,

Sorry ..typing mistake .. /var/yp/secureservers in the client side.

Shiju
Life is a promise, fulfill it!
Pal Szabo_1
Valued Contributor

Re: Problems with NIS' securenets and secureservers mechanism

Hi!

1. Have you tried /etc/securenets file?

2. If it doesn't work, try to shut down the ypserv process.
then use
# touch /etc/securenets
# touch /var/yp/securenets
# tusc -o /tmp/xxx ypserv
# cat /tmp/xxx | grep open
It shows which file is used during startup ...

Regards:
Paul
Helen French
Honored Contributor

Re: Problems with NIS' securenets and secureservers mechanism

Hi,

Again,

1) Try restarting your yp daemons after making changes to these files.

2) Put only an entry for a specific subnet and see whether it accepts the value. For e.g.:

255.255.255.0 80.1.1.0 - should accept any hosts from the 80.1.1 subnet.

3) Check the permissions of the /var/yp files.

4) Check any entries in /etc/securenets.

HTH,
Shiju
Life is a promise, fulfill it!
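Added example, not from the thread: a small Python simulation of how ypserv evaluates a securenets file. For each entry, the netmask is ANDed with both the client's address and netaddr and the two results are compared, so a 255.255.255.255 entry admits exactly that one host and a 255.255.255.0 entry admits the whole /24. The entries are a constructed copy of the ones quoted in this thread (the three hosts from the original post plus the 80.1.1.0 subnet line above).

```python
import ipaddress
from typing import List, Tuple

# Constructed securenets sample: the three host lines from the original post
# plus the /24 example from the reply above; the commented line is HP's
# own example, kept to show that comments are skipped.
SECURENETS = """\
# netmask netaddr
#255.255.255.0 128.185.124.00
255.255.255.255 143.185.96.213
255.255.255.255 143.185.96.214
255.255.255.255 143.185.92.168
255.255.255.0 80.1.1.0
"""


def parse_securenets(text: str) -> List[Tuple[int, int]]:
    """Return (netmask, netaddr) pairs as 32-bit ints; comments and blanks are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 2:
            raise ValueError(f"line {lineno}: expected 'netmask netaddr', got {raw!r}")
        mask = int(ipaddress.IPv4Address(fields[0]))
        addr = int(ipaddress.IPv4Address(fields[1]))
        entries.append((mask, addr))
    return entries


def client_allowed(client_ip: str, entries: List[Tuple[int, int]]) -> bool:
    """securenets rule: allow when (client AND netmask) == (netaddr AND netmask) for some entry."""
    client = int(ipaddress.IPv4Address(client_ip))
    return any((client & mask) == (addr & mask) for mask, addr in entries)


def check(client_ip: str, text: str = SECURENETS) -> bool:
    """Parse the sample file and decide whether client_ip would be served."""
    return client_allowed(client_ip, parse_securenets(text))


if __name__ == "__main__":
    for ip in ("143.185.96.213", "143.185.96.215", "80.1.1.77", "192.168.103.2"):
        print(f"{ip:16} {'allowed' if check(ip) else 'denied'}")
```

A host that is neither listed explicitly nor inside 80.1.1.0/24, such as 192.168.103.2, is denied, which is the situation the "access denied" syslog line quoted later in the thread reports.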
Ron Barak
Advisor

Re: Problems with NIS' securenets and secureservers mechanism

Hi Paul,

I tried your excellent suggestion to use tusc, and it seems that neither /var/yp/securenets nor /etc/securenets is consulted (see below).

Bye,
Ron.

loan167 [423] sudo /opt/tusc/bin/tusc -o /tmp/ypserv.tmp /sbin/init.d/nis.server start
starting NIS SERVER networking
starting up the rpcbind
rpcbind already started, using pid: 623
domainname idcto
starting up the Network Information Service
starting up the ypserv daemon
/usr/lib/netsvc/yp/ypserv
starting up the ypxfrd daemon
/usr/sbin/ypxfrd
starting up the rpc.yppasswdd daemon
/usr/lib/netsvc/yp/rpc.yppasswdd /etc/passwd -m passwd PWFILE=/etc/passwd
starting up the rpc.ypupdated daemon
/usr/lib/netsvc/yp/rpc.ypupdated
starting up the keyserv daemon
keyserv already started, using pid: 14545
loan167 [424] grep open /tmp/ypserv.tmp
open("/dev/null", O_RDONLY, 02) .............................. = 4
open("/sbin/init.d/nis.server", O_RDONLY, 0123132) ........... = 4
open("/etc/rc.config.d/namesvrs", O_RDONLY, 056624) .......... = 4
Pal Szabo_1
Valued Contributor

Re: Problems with NIS' securenets and secureservers mechanism

Hi!

You didn't see the opened files of ypserv because nis.server is a script.

My suggestion:
(kill ypserv, then start it manually)

# ps -ef | grep ypserv
root 19542 1 0 08:25:11 ? 0:00 /usr/lib/netsvc/yp/ypserv
# kill -9 19542
# /opt/tusc/bin/tusc -o /tmp/xxx /usr/lib/netsvc/yp/ypserv
# cat /tmp/xxx | grep open

My output was the following:
open("/usr/lib/dld.sl", O_RDONLY, 017737401304) .................. = 4
open("/usr/lib/libdld.2", O_RDONLY, 0) ........................... = 4
open("/usr/lib/libc.2", O_RDONLY, 02) ............................ = 4
open("/usr/lib/libdld.2", O_RDONLY, 02) .......................... = 4
open("/usr/lib/libc.2", O_RDONLY, 0) ............................. = 4
open("/usr/lib/libnsl.1", O_RDONLY, 0) ........................... = 4
open("/usr/lib/libxti.2", O_RDONLY, 02) .......................... = 4
open("/usr/lib/libndbm.2", O_RDONLY, 0) .......................... = 4
open("/var/yp/a21435768901334", O_RDONLY|O_CREAT|O_EXCL, 0177270) = 4
open("/var/yp/securenets", O_RDONLY, 0666) ....................... = 0
open("/dev/log", O_WRONLY|O_NONBLOCK, 0) ......................... = 5
open("/usr/lib/tztab", O_RDONLY, 0177270) ........................ = 6
open("/etc/netconfig", O_RDONLY, 0666) ........................... = 6
open("/usr/lib/libstraddr.1", O_RDONLY, 03) ...................... = 6
open("/usr/lib/libdld.2", O_RDONLY, 01) .......................... = 6
open("/usr/lib/libc.2", O_RDONLY, 03) ............................ = 6
open("/usr/lib/libnsl.1", O_RDONLY, 03) .......................... = 6
open("/dev/tlclts", O_RDWR, 01400) ............................... = 6
open("/dev/tlclts", O_RDWR, 0) ................................... = 6
open("/dev/tlclts", O_RDWR, 0) ................................... = 6
open("/dev/tlclts", O_RDWR, 0) ................................... = 6

You see, it uses the securenets file. (Sorry, not in the /etc directory.)
And the number in the securenets row shows that ypserv opened this file.
If ypserv can't open your securenets file, you will see ENOENT in the tracing results.
In this case, check the permissions of the securenets file. My permissions are:
(r--r--r--)

Please do this on your machine. I do it on my master server.

I check whether it is working, and I see in syslog:

Jan 29 08:44:27 dorka syslog: ypserv: access denied for 192.168.103.2


Regards:
Paul

PS:
If it doesn't work, try this:

Have you seen ypserv messages in your syslog?
What network patches are installed on this machine?
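Added example, not from the thread: a Python check over tusc open() lines of the kind quoted above, telling apart the three outcomes discussed here: ypserv opened /var/yp/securenets, the open failed (ENOENT or another error), or the file never appears because only the nis.server script was traced. The trace lines are constructed after the ones in this thread; the exact text tusc prints for a failed open is assumed, so the check relies only on the errno name.

```python
import re

# Constructed trace samples patterned on the open() lines quoted in this thread.
TRACE_YPSERV = """\
open("/usr/lib/libndbm.2", O_RDONLY, 0) .......................... = 4
open("/var/yp/securenets", O_RDONLY, 0666) ....................... = 0
open("/dev/log", O_WRONLY|O_NONBLOCK, 0) ......................... = 5
"""
# Assumed rendering of a failed open; only the errno name is relied upon.
TRACE_MISSING = """\
open("/usr/lib/libndbm.2", O_RDONLY, 0) .......................... = 4
open("/var/yp/securenets", O_RDONLY, 0666) ....................... ERR#2 ENOENT
open("/dev/log", O_WRONLY|O_NONBLOCK, 0) ......................... = 5
"""
# What tracing the nis.server script instead of ypserv itself looks like.
TRACE_SCRIPT = """\
open("/dev/null", O_RDONLY, 02) .............................. = 4
open("/sbin/init.d/nis.server", O_RDONLY, 0123132) ........... = 4
open("/etc/rc.config.d/namesvrs", O_RDONLY, 056624) .......... = 4
"""

# open("<path>", <flags>, <mode>) ...... <result>
OPEN_RE = re.compile(r'^open\("([^"]+)",\s*([^,]+),\s*[0-7]+\)\s*\.*\s*(.*)$')


def securenets_status(trace: str, path: str = "/var/yp/securenets") -> str:
    """Classify how the traced process dealt with path:
    'opened' (open returned a descriptor), 'missing' (ENOENT),
    'failed' (any other error) or 'not consulted' (no open of path at all)."""
    for line in trace.splitlines():
        m = OPEN_RE.match(line)
        if not m or m.group(1) != path:
            continue
        result = m.group(3).strip()
        if result.startswith("= "):
            return "opened"
        return "missing" if "ENOENT" in result else "failed"
    return "not consulted"


if __name__ == "__main__":
    samples = (("ypserv", TRACE_YPSERV), ("missing", TRACE_MISSING), ("script", TRACE_SCRIPT))
    for name, trace in samples:
        print(f"{name:8} {securenets_status(trace)}")
```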