
NFS Client does not use Proxy

 
Gerhard Olsson
Advisor

When mounting a NFS disk in OpenVMS to a NFS server (that is not OpenVMS), the Proxy database does not seem to be used at all in my setup.

I have tried with a HP NAS (with NFS Server) and Solaris 9. To get read access (write is not interesting), the read permission for 'other' must be enabled. Otherwise the access is denied. (The NAS does not acknowledge the request at all, causing TCPIP 5.0 to hang _forever_ on the request, requiring a reboot.) The response in Solaris is the following:
-RMS-E-PRV, insufficient privilege or file protection violation
Accessing the NAS and Solaris NFS Server is fine from Solaris clients.

I have tried adding/deleting the user and TCPIP$NOBODY in the TCPIP Proxy without any success. The users are visible in the cache.
Using TCPTRACE/TCPDUMP, but do not know how to check the actual uid/gid.


Gerhard Olsson

OpenVMS 7.3-2, TCPIP 5.4 ECO4 (and ECO2)
Tested with OpenVMS 7.2-1 and TCPIP 5.0 first.

VMS User_name  Type  User_ID  Group_ID  Host_name

GO             OND   27598    6660      *
Volker Halle
Honored Contributor

Re: NFS Client does not use Proxy

Gerhard,

with a little bit of experimenting (varying GID/UID and running TCPTRACE), here is where you can find the GID and UID in the first NFS TCP packet (sent from NFS client to NFS server when issuing the MOUNT command):

I64VMS $ tcpip mount dnfs:/host=axpvms/path="/vms_nfs/nfs"/gid=6660/uid=27598
%TCPIP$DNFSMOUNT-E-MOUNTFAIL, error mounting _DNFS18:[000000]
-SYSTEM-F-INVLOGIN, login information invalid at remote node

%%%%%%%%%%% OPCOM 11-DEC-2004 09:46:22.66 %%%%%%%%%
Message from user TCPIP$NFS on AXPVMS
%TCPIP-S-NFS_MNTSUC, mounted file system /vms_nfs/nfs
-TCPIP-S-NFS_CLIENT, uid=27598 gid=6660 host_name = I64VMS

CE6B0000 0000736D 76343669 06000000 0040 ....i64vms....k.
^^^^=UID
00000000 041A0000 01000000 041A0000 0050 ................
---------------------------^^^^GID

$ uid=%x6bce
$ sho sym uid
UID = 27598 Hex = 00006BCE Octal = 00000065716
$ gid=%x1a04
$ sho sym gid
GID = 6660 Hex = 00001A04 Octal = 00000015004

The UID is sent at hex offset 4E/4F (high byte/low byte) and the GID is at hex offset 52/53

In the example above, I've used your UID/GID pair, to make it easier for you to find the data in your trace.

Volker.
Gerhard Olsson
Advisor

Re: NFS Client does not use Proxy

The proxy seems to be working correctly, there is something else that is the problem...
Unix NFS: Works if I define GO as default user. Not the ideal solution, but still a solution. However, I would prefer using the NAS, to avoid mirroring the data from the NAS to the Solaris disk.

NAS: Does not work at all...
I have tried a few mount options, no success.

Anyone using OpenVMS as client for a HP NAS?
(The model may be HP 4000, not sure.)
The NAS does not seem to have many troubleshooting options. There is a log that the mount is OK, then there is nothing. The NAS rejects for some reason.


unix nfs, no default user
22:45:21.867102 pacman.b971db3b > clearcase01.mobitex.local.nfs-v2: 104 call getattr fh 21505.33554432.2560.2808283648 (DF)
4500 0084 5d49 4000 3c11 ccae 0a01 003c E...]I@.<.Ã ....<
0a01 0034 0259 0801 0070 1984 b971 db3b ...4.Y...p..¹qà ;
0000 0000 0000 0002 0001 86a3 0000 0002 ...........£....
0000 0001 0000 0001 0000 0020 41bc bbf1 ........... A¼»ñ
0000 0006 7061 636d 616e 0000 0000 6bce ....pacman....kÃ
0000 1a04 0000 0001 0000 1a04 0000 0000 ................
0000 0000 0154 0000 0000 0002 000a 0000 .....T..........
0002 63a7 259c 032a 000a 0000 0002 1d98 ..c§%..*........
01d9 2b31 .Ã +1
unix nfs, default user is GO
22:48:29.949596 pacman.8ce1da3b > clearcase01.mobitex.local.nfs-v2: 104 call getattr fh 21505.33554432.2560.2552037888 (DF)
4500 0084 5da0 4000 3c11 cc57 0a01 003c E...].@.<.Ã W...<
0a01 0034 0259 0801 0070 8823 8ce1 da3b ...4.Y...p.#.áà ;
0000 0000 0000 0002 0001 86a3 0000 0002 ...........£....
0000 0001 0000 0001 0000 0020 41bc bcad ........... A¼¼.
0000 0006 7061 636d 616e 0000 0000 6bce ....pacman....kÃ
0000 1a04 0000 0001 0000 1a04 0000 0000 ................
0000 0000 0154 0000 0000 0002 000a 0000 .....T..........
0002 1d98 01d9 2b31 000a 0000 0002 1d98 .....Ã +1........
01d9 2b31 .Ã +1


nas, default user GO
23:06:58.701839 pacman.9056d83b > nas01.nfs-v2: 104 call getattr fh 319752.65536.29.131072 (DF)
4500 0084 5ebc 4000 3c11 cb61 0a01 003c E...^¼@.<.à a...<
0a01 000e 0259 0801 0070 c560 9056 d83b .....Y...pà `.Và ;
0000 0000 0000 0002 0001 86a3 0000 0002 ...........£....
0000 0001 0000 0001 0000 0020 41bc c102 ........... A¼à .
0000 0006 7061 636d 616e 0000 0000 6bce ....pacman....kÃ
0000 1a04 0000 0001 0000 1a04 0000 0000 ................
0000 0000 08e1 0400 0000 0100 1d00 0000 .....á..........
0000 0200 44bb 9031 5203 0000 0000 0000 ....D».1R.......
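
One way to read the actual uid/gid out of such a trace, as an added example that is not part of the original thread: a small Python decoder for the AUTH_UNIX credential of an ONC RPC call (RFC 1057 layout), run on the bytes of the first tcpdump capture quoted above. The function names are chosen for this example.

```python
import struct

# Bytes of the first capture quoted in the post above
# ("unix nfs, no default user"): IPv4 header, UDP header, RPC call.
PACKET_HEX = """
4500 0084 5d49 4000 3c11 ccae 0a01 003c
0a01 0034 0259 0801 0070 1984 b971 db3b
0000 0000 0000 0002 0001 86a3 0000 0002
0000 0001 0000 0001 0000 0020 41bc bbf1
0000 0006 7061 636d 616e 0000 0000 6bce
0000 1a04 0000 0001 0000 1a04 0000 0000
0000 0000 0154 0000 0000 0002 000a 0000
0002 63a7 259c 032a 000a 0000 0002 1d98
01d9 2b31
"""

AUTH_UNIX = 1  # RFC 1057 credential flavor (also called AUTH_SYS)


def parse_auth_unix(packet: bytes) -> dict:
    """Return the AUTH_UNIX credential carried in an IPv4/UDP RPC call."""
    ihl = (packet[0] & 0x0F) * 4                 # IPv4 header length in bytes
    if packet[9] != 17:                          # IP protocol field, 17 = UDP
        raise ValueError("not UDP")
    rpc = packet[ihl + 8:]                       # skip the 8-byte UDP header
    xid, mtype, rpcvers, prog, vers, proc, flavor, cred_len = \
        struct.unpack_from(">8I", rpc, 0)
    if mtype != 0 or rpcvers != 2:               # 0 = CALL, RPC version 2
        raise ValueError("not an RPC v2 call")
    if flavor != AUTH_UNIX:
        raise ValueError(f"credential flavor {flavor} is not AUTH_UNIX")
    cred = rpc[32:32 + cred_len]                 # credential body
    stamp, name_len = struct.unpack_from(">2I", cred, 0)
    name = cred[8:8 + name_len].decode("ascii")
    off = 8 + (name_len + 3) // 4 * 4            # XDR pads strings to 4 bytes
    uid, gid, ngids = struct.unpack_from(">3I", cred, off)
    gids = struct.unpack_from(f">{ngids}I", cred, off + 12)
    return {"program": prog, "version": vers, "procedure": proc,
            "machine": name, "uid": uid, "gid": gid, "gids": list(gids)}


def parse_dump(hex_text: str) -> dict:
    """Decode a whitespace-separated hex dump of one packet."""
    return parse_auth_unix(bytes.fromhex("".join(hex_text.split())))


if __name__ == "__main__":
    print(parse_dump(PACKET_HEX))
```

AUTH_UNIX values are asserted by the client and carry no proof of identity, so the decoded uid/gid show what the server was asked to trust, not what it decided.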
Gerhard Olsson
Advisor

Re: NFS Client does not use Proxy

By using Ethereal to analyze the tcpdumps, the complete packet including the NFS part, is dissected. The UID/GID is always included, so the proxy is clearly working. However, I have still no clue to why access is allowed only in some situations with the Solaris NFS and not at all with the NAS.

The tcpdump shows that the OpenVMS client gets a response from the NAS, but when the NFS client uses NFS readdir to the Solaris NFS server, the client uses NFS lookup. The NAS does not respond to the lookup.

I will be happy if someone has any way to explain the problem from the VMS side. I will likely investigate further on the NAS side (there must be some way to get debug printouts!). If there are no comments in a week or so, I will close this thread.

Volker: Thanks for the response. I was too cheap with the points, I had the impression that I had 10p in total. I can compensate that if you add an additional response....

Gerhard
Gorazd Kikelj
Occasional Visitor

Re: NFS Client does not use Proxy

Hi Gerhard,

this is usually a username mapping problem. Did you configure User Name Mapping service appropriately? With OpenVMS system you must use local passwd and group files or you can use NIS server if you install it on NAS (or have one available) and import passwd and group records to it.

Then you must install NFS authorization service (in fact a dll file) to all domain controllers that will do authorization. And then you must enable all domain controllers in .maphosts file for username mapping to work.

There is a mention in the documentation, that in a Windows 2003 domain, you can only use one Domain Controller with authorization service, but I can't make this work. I was forced to install authorization service on all Domain Controllers.

As for passwd and group files, make sure that the UID field is unique. And if you want to use secondary groups, use a NIS server. I can't make the group file work with secondary groups. And I still have some problems to solve controlling write access to directories.

Also you must understand, that it is not one-to-one mapping of the access rights from OVMS to NT NFS server.

I have little or no problem giving the right read access to users, but had and still have quite a lot of problems giving the right write access rights to users. I think that I have solved most of them now, but some final testing is still to be completed and documentation to be written.

I prefer using simple maps if possible as it simplifies administration.


Example:

Define proxy records for users you wish to access NFS:

$TCPIP ADD PROX USER1/UID=1000/GID=1000
$TCPIP ADD PROX USER2/UID=1001/GID=1000
$TCPIP ADD PROX USER3/UID=1002/GID=1000

Create a passwd file:

$edit passwd.
NT_USER1::1000:1000::::::
NT_USER2::1001:1000::::::
NT_USER3::1002:1000::::::

Create a group file

$edit group
Users::1000:NT_USER1,NT_USER2,NT_USER3

Copy passwd and group files to the directory where your username mapping service expects them.

Ensure that prerequisites are met. Authorization server DLL installed. Go to Control Panel/Add remove programs/Microsoft Windows Services for Unix/Add or remove/Authentication tools for NFS and select Server for NFS Authentication to install authentication service on all Domain controllers (repeat for each domain controller). (USE SFU 3.5 for this as on NAS there is a V3.0 that requires a license key you don't have.)

Add all domain controllers into .maphosts file on ..\Mapper directory

Set up the right mapping server name on the Services For Unix home page at the settings tab. Usually this will be localhost but can be a domain controller or something else.

Then you need to set up username mapping. Choose what you prefer. If you have a NIS somewhere, then I suggest using NIS, else use passwd and group files.

If you map VMS users to NT users as I suggest, in such a way that in the passwd file you have only Windows user names (and match VMS users by proxy settings at the UID field), then you can use simple maps and save a lot of work.

The same is for group file.

This is the most important part of the whole setup. If this goes wrong, you can't access the share as no GUEST access is enabled by default. There are some articles about enabling anonymous access but this requires granting some access rights to the Everyone account that security people don't want to see.


After that I usually didn't have any problems with read access (write access is still something I have some problems with).

I hope that this is of some help.

Best, Gorazd