>We are having a problem with Solaris 2.6 hosts and NFS.
>When a 2.6 host (logic) exports a filesystem with root permissions
>to a second host (catalina) using catalina's A record name, catalina
>does have root permissions on logic's filesystem. However, if the
>filesystem is exported to catalina by catalina's CNAME, root on
>catalina gets a permission denied error message when root actions
>If the filesystem is exported to catalina's CNAME and permissions are
>changed on the exported filesystem to 777, root on catalina can
>create a file (of course) but the file owner is nobody.
>This happens with both automounted and manually mounted filesystems.
>We also tested and found that it does not matter if the mounting host
>is 2.5.1 or 2.6 as long as the server is 2.6.

You haven't specified whether you're using read-write or root
permission for host-based mounting permission, i.e. with "share".
Quoting the relevant line from /etc/dfs/sharetab would be helpful.

Plus, isn't exporting to a CNAME somewhat dangerous anyway, since the
mountd is going to go through all kinds of elaborate checks when a
remote system makes a mount request? O.K., maybe not elaborate checks,
but it's going to at some point reverse-resolve the IP address into a
hostname and check that against your export permissions, as well as
resolving the hostname into an IP address to make sure everything is
O.K. from that end of things as well.

I don't really know the full behavior of mountd, but it presumably
must at least do the step where the exported hostname is compared
to what is gotten by reverse resolving the IP address whence the
mount request came, since it says this in the manual page:

    Some routines that compare hostnames use case-sensitive
    string comparisons; some do not. If an incoming request
    fails, verify that the case of the hostname in the file to
    be parsed matches the case of the hostname called for, and
    attempt the request again.

In other words, I'm questioning whether exporting to CNAMEs is a good
idea in the first place if you want to maintain compatibility with the
various versions of various operating systems. Besides which, CNAMEs
are not aliases, they are pointers to the *canonical* name of a host.
They are not intended to be used as substitute names. They are
intended to be used to allow hosts which don't have the new (canonical)
name to still contact the host until they can be fixed.

Personally, I recommend using additional "A" records instead of CNAMEs
in most cases, although that can be tricky too if you need to worry
about reverse resolution. Another approach is to actually use a
separate IP address and an alias on the interface, although that
approach has its problems too (replies to network requests can come
from a "different host" altogether!).
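
Added example, not part of the original post and not mountd's code: a small Python audit that models the comparison described above (an export entry versus the name obtained by reverse-resolving the client's address) over a constructed DNS table. The example.com names, the 192.0.2.10 address, the exact-string comparison and the function names are assumptions made for illustration.

```python
# Constructed DNS data for illustration; not taken from the original thread.
A = {"catalina.example.com": "192.0.2.10",
     "nfs2.example.com": "192.0.2.10"}            # extra A record, same address
CNAME = {"files.example.com": "catalina.example.com"}
PTR = {"192.0.2.10": "catalina.example.com"}      # one reverse name per address


def forward(name):
    """Follow CNAMEs to the canonical name; return (canonical, address)."""
    name, seen = name.lower(), set()
    while name in CNAME:
        if name in seen:
            raise ValueError("CNAME loop at " + name)
        seen.add(name)
        name = CNAME[name]
    return name, A.get(name)


def audit_export(entry):
    """Return problem codes for one hostname in a share root=/rw= list.

    Models an exact string comparison between the entry and the name
    obtained by reverse-resolving the client's address (an assumption
    about the server's behaviour, as in the post above).
    """
    canonical, addr = forward(entry)
    if addr is None:
        return ["unresolved"]
    problems = []
    reverse = PTR.get(addr)
    if reverse is None:
        problems.append("no-ptr")
    elif reverse != entry:
        same = reverse.lower() == entry.lower()
        problems.append("case-mismatch" if same else "ptr-mismatch")
    if canonical != entry.lower():
        problems.append("cname")
    return problems


if __name__ == "__main__":
    for host in ("catalina.example.com", "Catalina.Example.COM",
                 "files.example.com", "nfs2.example.com"):
        print(host, audit_export(host) or "ok")
```

An entry that reports "ptr-mismatch" is one the client will not be recognised under when the server compares against the reverse-resolved name, which covers both the CNAME case and the additional "A" record case mentioned above.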