Posted this to comp.protocols.nfs without response, so I'm trying
again ...

I'm trying to increase the security of some local NFS mounts and have
been experimenting with using the "secure" option to NFS.

The host exporting the filesystem, "server", is running NIS+. I am testing
with two clients, client1 and client2. client1 is not using NIS+ but client2
is. client1 and client2 are both in server's NIS+ hosts table and are also
known to DNS. All the machines are running Solaris 2.

In server's dfstab, I put the following:

    share -F nfs -o secure,ro=client1:client2 /sunsolve

If I try to mount /sunsolve with just:

    mount server:/sunsolve /mnt

on either client1 or client2, things work as expected. The mount works, but
all users on the client are treated as nobody. Attempts to view a file even
when one is the "owner" of the file on the client machine properly return
an error message. (Though why it's this:

    cat: write error: Permission denied

when I'm only trying to read the file, I don't know.)

But if I try to use the secure option to *mount* the filesystem, like this:

    mount -o secure server:/sunsolve /mnt

I get failures, but different ones, from the two systems.

On client1 (where NIS+ is not running), I get:

    NFS getattr failed for server server: RPC: Authentication error
    nfs mount: mount: /mnt: I/O error

On client2 (where NIS+ is running), I get:

    nfs mount: mount: /mnt: Invalid argument

Can someone explain what these mean (especially the second one; I can guess
the first one is because parts of NIS+ are needed) and what I can do to make
the mounts work? I'm especially surprised the mount didn't work on the
client that is running NIS+ (it's in the same domain as the server, in fact
server is its NIS+ server).
So my problems are:
How to make a secure NFS mount work if the client is running NIS+?
How to make a "secure" NFS mount work if the client machine is *not* running NIS+?
Is it possible? Is it possible if the client is a non-UNIX machine?
Thanks for any help!