Questions about using "secure" option to NFS

Post by Susan E. Co » Wed, 08 Nov 1995 04:00:00



Posted this to comp.protocols.nfs without response, so I'm trying
again ...

I'm trying to increase the security of some local NFS mounts and have
been experimenting with using the "secure" option to NFS.

The host exporting the filesystem, "server", is running NIS+.  I am testing
with two clients, client1 and client2.  client1 is not using NIS+ but client2
is.  client1 and client2 are both in server's NIS+ hosts table and are also
known to DNS.  All the machines are running Solaris 2.

In server's dfstab, I put the following:

share -F nfs -o secure,ro=client1:client2 /sunsolve

If I try to mount /sunsolve with just:

  mount server:/sunsolve /mnt

on either client1 or client2, things work as expected.  The mount works, but
all users on the client are treated as nobody.  Attempts to view a file even
when one is the "owner" of the file on the client machine properly return
an error message.  (Though why it's this:  

   cat: write error: Permission denied  

when I'm only trying to read the file, I don't know.)

But if I try to use the secure option to *mount* the filesystem, like this:

  mount -o secure server:/sunsolve /mnt

I get failures, but different ones, from the two systems.

On client1 (where NIS+ is not running), I get:

  NFS getattr failed for server server: RPC: Authentication error
  nfs mount: mount: /mnt: I/O error

On client2, (where NIS+ is running), I get:

  nfs mount: mount: /mnt: Invalid argument

Can someone explain what these mean (especially the second one; I can guess
the first one is because parts of NIS+ are needed) and what I can do to make
the mounts work?  I'm especially surprised the mount didn't work on the
client that is running NIS+ (it's in the same domain as the server, in fact
server is its NIS+ server).

So my problems are:

How to make a secure NFS mount work if the client is running NIS+?
How to make a "secure" NFS mount work if the client machine is *not* running NIS+?
Is it possible?  Is it possible if the client is a non-UNIX machine?

Thanks for any help!


Post by Hendrik Visa » Fri, 10 Nov 1995 04:00:00



: Posted this to comp.protocols.nfs without response, so I'm trying
: again ...

: The host exporting the filesystem, "server", is running NIS+.  I am testing
: with two clients, client1 and client2.  client1 is not using NIS+ but client2
: is.  client1 and client2 are both in server's NIS+ hosts table and are also
: known to DNS.  All the machines are running Solaris 2.

Before we Start:

1) Do you know how the Authentication works? In other words, what's
needed to make use of SecureRPC ??

2) Are the *users* authenticated via the keyserver ??

3) Is there a /etc/.rootkey ??

Okay, now we all know what's happening after we've read
 a) The manual pages
 b) an encryption textbook (Not necessary, but helpful)
 c) The Answerbook on Nameservices and authentication etc.

: In server's dfstab, I put the following:

: share -F nfs -o secure,ro=client1:client2 /sunsolve

Fine.

: If I try to mount /sunsolve with just:

:   mount server:/sunsolve /mnt

Oh-oh...

should be:
(*a)            mount -F nfs -o secure,ro server:/sunsolve /mnt

: on either client1 or client2, things work as expected.  The mount works, but
: all users on the client are treated as nobody.  

See (*a) 'cause the client is mounting it as a NORMAL nfs mount.

: But if I try to use the secure option to *mount* the filesystem, like this:

:   mount -o secure server:/sunsolve /mnt

: I get failures, but different ones, from the two systems.

: On client1 (where NIS+ is not running), I get:

:   NFS getattr failed for server server: RPC: Authentication error
:   nfs mount: mount: /mnt: I/O error

It doesn't have a public/secret key pair for the Authentication...

: On client2, (where NIS+ is running), I get:

:   nfs mount: mount: /mnt: Invalid argument

Hmmmmm..... this is interesting......

1) check the Credentials again
2) make sure that if you export something read-only, you also import
it read-only (It might give problems sometimes I've noticed..)
3) Make sure that /mnt is correct....
4) Keyserver running ???
5) /etc/.rootkey ???

: Can someone explain what these mean (especially the second one; I can guess
: the first one is because parts of NIS+ are needed) and what I can do to make
: the mounts work?  I'm especially surprised the mount didn't work on the
: client that is running NIS+ (it's in the same domain as the server, in fact
: server is its NIS+ server).

: So my problems are:

: How to make a secure NFS mount work if the client is running NIS+?

Make sure that the clients *AND* users have the correct and working credentials.

: How to make a "secure" NFS mount work if the client machine is *not* running NIS+?

Get /etc/publickey updated somehow from NIS+, make sure keyserv is running....

: Is it possible?  Is it possible if the client is a non-UNIX machine?

It needs:
 1) SecureRPC capabilities
 2) To get the Secret/Publickeys from somewhere

------
Groetend / Sincerely Yours

Hendrik Visage
#include <Standard/Disclaimer>
Vector Customer Support
+27 11 315 4330
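
The file-side checks named in the reply above (/etc/.rootkey and /etc/publickey entries, plus keyserv), collected into a preflight script. This is an added example, not part of either post. The function names are hypothetical, and it assumes the client resolves public keys from files and that /etc/publickey holds lines of the form "netname publickey:secretkey" in hex, with host netnames written unix.hostname@domain.

```shell
#!/bin/sh
# Added example: preflight for a "secure" (AUTH_DES) NFS mount on a client
# that looks up public keys in files. All function names are hypothetical.

# Secure RPC netname of a host: unix.<hostname>@<domain>
host_netname() { printf 'unix.%s@%s\n' "$1" "$2"; }

# Secure RPC netname of a user: unix.<uid>@<domain>
user_netname() { printf 'unix.%s@%s\n' "$1" "$2"; }

# True if publickey file $1 has a well-formed entry for netname $2:
#   <netname> <public key hex>:<encrypted secret key hex>
has_publickey() {
    awk -v n="$2" '
        $1 == n && $2 ~ /^[0-9a-fA-F]+:[0-9a-fA-F]+$/ { found = 1 }
        END { exit found ? 0 : 1 }' "$1" 2>/dev/null
}

# True if a keyserv process is visible (only meaningful on the live client).
keyserv_running() {
    ps -e 2>/dev/null | awk '$NF == "keyserv" { f = 1 } END { exit f ? 0 : 1 }'
}

# Check the files under root directory $1 for client $2, server $3, domain $4.
# Prints one line per missing item; the return status is the problem count.
preflight() {
    root=$1 client=$2 server=$3 domain=$4 bad=0
    if [ ! -s "$root/etc/.rootkey" ]; then
        echo "MISSING: $root/etc/.rootkey"
        bad=$((bad + 1))
    fi
    # The client needs its own key pair and the server's public key.
    for h in "$client" "$server"; do
        n=$(host_netname "$h" "$domain")
        if ! has_publickey "$root/etc/publickey" "$n"; then
            echo "MISSING: publickey entry for $n"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# On the client itself (empty root means "/"):
#   preflight "" client2 server "$(domainname)"; keyserv_running || echo "keyserv not running"
```

A missing entry for the client's own netname matches the "RPC: Authentication error" case in the thread, where client1 has no public/secret key pair.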