[opensuse] nfs server /require/ reverse DNS lookup working?!
Dear list,

I learned a long time ago that NFS requires a working reverse DNS lookup. Below is a quote from http://www.yiluda.net/manual/linux/rute/node31.html:

Sharing a directory with a remote machine requires that forward and reverse DNS lookups be working for the server machine as well as all client machines.

However, I have been using NFS for a few years and never actually worried about it: my office network and the whole campus network do not have reverse DNS set up and running, yet I am able to set up and use NFS just fine. The client and server are both SuSE; Gentoo, Ubuntu and Debian are also being used as NFS clients, no problem! No reverse DNS lookup!

Until one day I tried to add a Windows client and got a problem. After installing the NFS client on Windows (this is part of Microsoft's product "Services for Unix"), I tried to access the NFS share '/home/packman' on the NFS server and was told access denied. Then I checked the SuSE Linux NFS server log and saw this:

Apr 9 14:58:29 joe mountd[17301]: can't get hostname of 218.193.55.201
Apr 9 14:58:29 joe mountd[17301]: can't get hostname of 218.193.55.201
Apr 9 14:58:29 joe mountd[17301]: refused mount request from 218.193.55.201 for /home (/): not exported
Apr 9 14:58:29 joe mountd[17301]: can't get hostname of 218.193.55.201
Apr 9 14:58:48 joe mountd[17301]: can't get hostname of 218.193.55.201
Apr 9 14:58:53 joe su: (to root) zhangweiwu on /dev/pts/2
Apr 9 14:58:58 joe mountd[17301]: can't get hostname of 218.193.55.201
Apr 9 15:18:35 joe syslog-ng[4024]: STATS: dropped 0
Apr 9 15:46:47 joe mountd[17301]: refused mount request from 218.193.55.201 for /home (/): not exported
Apr 9 15:46:57 joe mountd[17301]: can't get hostname of 218.193.55.201

This is the first time I have seen a mount fail because reverse DNS lookup failed. My dumb questions are:

1. If reverse lookup had been a must, why hadn't I had this problem with Linux clients?
2. Can I turn off reverse lookup on the DNS server?
It's impossible for me to set up reverse lookup because the client is not in a network managed by me, and I don't see how reverse lookup offers better security, because I only export read-only shares!

Thanks in advance! My /etc/exports (using SuSE 10.2), FYI:

joe:/home/zhangweiwu # cat /etc/exports
/home/packman/ *(ro,no_subtree_check,insecure,sync)

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
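An added example, not from the post or from the list: a small Python triage script that reads mountd lines like the ones above (the sample is a constructed copy of them) and separates the two different things happening in that log, a client whose address has no PTR record and a request for a path that is not in /etc/exports at all.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the mountd lines quoted in the post above
# (same host, PID and client address; unrelated su/syslog-ng lines included
# to show they are ignored).
SAMPLE_LOG = """\
Apr 9 14:58:29 joe mountd[17301]: can't get hostname of 218.193.55.201
Apr 9 14:58:29 joe mountd[17301]: refused mount request from 218.193.55.201 for /home (/): not exported
Apr 9 14:58:53 joe su: (to root) zhangweiwu on /dev/pts/2
Apr 9 15:18:35 joe syslog-ng[4024]: STATS: dropped 0
Apr 9 15:46:57 joe mountd[17301]: can't get hostname of 218.193.55.201
"""

NO_PTR = re.compile(r"mountd\[\d+\]: can't get hostname of (\S+)")
REFUSED = re.compile(
    r"mountd\[\d+\]: refused mount request from (\S+) for (\S+) \((\S+)\): (.+)$")


def _norm(path):
    """Compare paths without caring about a trailing slash."""
    return path.rstrip("/") or "/"


def triage_mountd(log_text, exported_paths):
    """Group mountd events by client address and explain each refusal.

    Returns {client_ip: [finding, ...]}.  A client mountd could not resolve
    gets a reverse-DNS finding; a refused request for a path that is not
    exported at all gets a path finding.  Both produce similar log noise
    but have different fixes.
    """
    exported = {_norm(p) for p in exported_paths}
    clients = defaultdict(lambda: {"no_ptr": 0, "refused": []})
    for line in log_text.splitlines():
        m = NO_PTR.search(line)
        if m:
            clients[m.group(1)]["no_ptr"] += 1
            continue
        m = REFUSED.search(line)
        if m:
            ip, path, _root, reason = m.groups()
            clients[ip]["refused"].append((path, reason))
    findings = {}
    for ip, info in clients.items():
        notes = []
        if info["no_ptr"]:
            notes.append(
                f"no PTR record for {ip} ({info['no_ptr']} lookups failed): "
                "hostname or wildcard entries in /etc/exports cannot match it")
        for path, reason in info["refused"]:
            if _norm(path) not in exported:
                notes.append(
                    f"requested {path} ({reason}); exported paths are "
                    + ", ".join(sorted(exported)))
        findings[ip] = notes
    return findings


if __name__ == "__main__":
    for ip, notes in triage_mountd(SAMPLE_LOG, ["/home/packman/"]).items():
        print(ip)
        for n in notes:
            print("  -", n)
```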
On Sunday 08 April 2007, Zhang Weiwu wrote:
Apr 9 15:46:47 joe mountd[17301]: refused mount request from 218.193.55.201 for /home (/): not exported
Apr 9 15:46:57 joe mountd[17301]: can't get hostname of 218.193.55.201
This is the first time I have seen a mount fail because reverse DNS lookup failed. My dumb questions are:
1. If reverse lookup had been a must, why hadn't I had this problem with Linux clients?
2. Can I turn off reverse lookup on the DNS server?
It's impossible for me to set up reverse lookup because the client is not in a network managed by me, and I don't see how reverse lookup offers better security, because I only export read-only shares!
Looks to me like Windows was trying to mount /home instead of '/home/packman' and that is what it is complaining about. Did you try to add 218.193.55.201 to the hosts file?
--
John Andersen
John Andersen wrote:
On Sunday 08 April 2007, Zhang Weiwu wrote:
Apr 9 15:46:47 joe mountd[17301]: refused mount request from 218.193.55.201 for /home (/): not exported
Apr 9 15:46:57 joe mountd[17301]: can't get hostname of 218.193.55.201
This is the first time I have seen a mount fail because reverse DNS lookup failed. My dumb questions are:
1. If reverse lookup had been a must, why hadn't I had this problem with Linux clients?
2. Can I turn off reverse lookup on the DNS server?
It's impossible for me to set up reverse lookup because the client is not in a network managed by me, and I don't see how reverse lookup offers better security, because I only export read-only shares!
Looks to me like Windows was trying to mount /home instead of '/home/packman' and that is what it is complaining about.
I thought the same, but later I read this article: http://support.microsoft.com/kb/926095 It seems MS is aware of this.
Did you try to add 218.193.55.201 to the hosts file?
Why? But anyway, I added this line to my /etc/hosts:
218.193.55.201 abcdefg
Strange: after I added this line to /etc/hosts there is no longer an error message in /var/log/messages. But the Windows client still cannot connect. Sometimes the Windows client asks for a username and password; because this is an anonymous share I don't know what to fill in, so I typed several usernames like 'guest' and 'anonymous' and finally a real username and password: no access. Pressing "ESC" to get rid of the login dialog and trying to connect to the NFS share again gives a "Network Path Not Found" error from the Windows client. During all this, no error messages were produced in /var/log/messages.

If the MS KB article had been right, that "Some NFS servers require valid PTR records as part of the security mechanism," then why do all the other Linux hosts in the same local network (e.g. 218.193.55.200, 218.193.55.202...) mount just fine?
Zhang Weiwu wrote:
John Andersen wrote:
On Sunday 08 April 2007, Zhang Weiwu wrote:
Apr 9 15:46:47 joe mountd[17301]: refused mount request from 218.193.55.201 for /home (/): not exported
Apr 9 15:46:57 joe mountd[17301]: can't get hostname of 218.193.55.201
This is the first time I have seen a mount fail because reverse DNS lookup failed. My dumb questions are:
1. If reverse lookup had been a must, why hadn't I had this problem with Linux clients?
2. Can I turn off reverse lookup on the DNS server?
It's impossible for me to set up reverse lookup because the client is not in a network managed by me, and I don't see how reverse lookup offers better security, because I only export read-only shares!
Looks to me like Windows was trying to mount /home instead of '/home/packman' and that is what it is complaining about.
I thought the same, but later I read this article: http://support.microsoft.com/kb/926095 It seems MS is aware of this.
Did you try to add 218.193.55.201 to the hosts file?
Why? But anyway, I added this line to my /etc/hosts:
218.193.55.201 abcdefg
Strange: after I added this line to /etc/hosts there is no longer an error message in /var/log/messages. But the Windows client still cannot connect. Sometimes the Windows client asks for a username and password; because this is an anonymous share I don't know what to fill in, so I typed several usernames like 'guest' and 'anonymous' and finally a real username and password: no access. Pressing "ESC" to get rid of the login dialog and trying to connect to the NFS share again gives a "Network Path Not Found" error from the Windows client. During all this, no error messages were produced in /var/log/messages.
If the MS KB article had been right, that "Some NFS servers require valid PTR records as part of the security mechanism," then why do all the other Linux hosts in the same local network (e.g. 218.193.55.200, 218.193.55.202...) mount just fine?
A little bit of progress as I dig through documents. This is a quote from nfs.sf.net:

Acquire and install a recent distribution of Linux. To enable NLM lock recovery, ensure your client's host name, as returned by uname -n, matches the host name returned by DNS.

So, hostname reverse lookup is needed if NLM lock recovery is enabled. So perhaps Linux NFS clients do not enable NLM by default and Windows clients do. I wouldn't be surprised if the MS product doesn't let me switch NLM on and off, because in general MS products are not tweakable without 3rd-party software. Well, after I started NFS client administration (mmc) on Windows, there is no option for NLM. So I tried to add the no_auth_nlm option to /etc/exports... no use. Same old behavior.
On Monday 09 April 2007 09:49, Zhang Weiwu wrote:
joe:/home/zhangweiwu # cat /etc/exports
/home/packman/ *(ro,no_subtree_check,insecure,sync)
Don't use * as a wildcard in /etc/exports. It says explicitly in the documentation that this can happen. * requires reverse DNS. If you don't want to have reverse DNS, use IP notation 0.0.0.0/0.0.0.0 instead.
Anders Johansson wrote:
On Monday 09 April 2007 09:49, Zhang Weiwu wrote:
joe:/home/zhangweiwu # cat /etc/exports
/home/packman/ *(ro,no_subtree_check,insecure,sync)
Don't use * as a wildcard in /etc/exports. It says explicitly in the documentation that this can happen. * requires reverse DNS.
Hell, which document?? man exports doesn't even mention the word "reverse" or 'DNS'.
If you don't want to have reverse DNS, use IP notation 0.0.0.0/0.0.0.0 instead.
Strangely, even if I use 0.0.0.0/0.0.0.0 (and restart nfs) I still cannot connect; behavior:
If I use 0.0.0.0/0.0.0.0 in place of the wildcard (*), there is no longer an error message in /var/log/messages. But the Windows client still cannot connect. Sometimes the Windows client asks for a username and password; because this is an anonymous share I don't know what to fill in, so I typed several usernames like 'guest' and 'anonymous' and finally a real username and password, but still no access. Pressing "ESC" to get rid of the login dialog and trying to connect to the NFS share again gives a "Network Path Not Found" error from the Windows client. During all this, no error messages were produced in /var/log/messages.
On Monday 09 April 2007 12:38:05 Zhang Weiwu wrote:
Anders Johansson wrote:
On Monday 09 April 2007 09:49, Zhang Weiwu wrote:
joe:/home/zhangweiwu # cat /etc/exports
/home/packman/ *(ro,no_subtree_check,insecure,sync)
Don't use * as a wildcard in /etc/exports. It says explicitly in the documentation that this can happen. * requires reverse DNS.
Hell, which document?? man exports doesn't even mention the word "reverse" or 'DNS'.
No, but in the section "wildcards" it clearly states that * matches host and domain names, not IP addresses. And if that is going to work, you have to have reverse lookup configured and working.
If you don't want to have reverse DNS, use IP notation 0.0.0.0/0.0.0.0 instead.
Strangely, even if I use 0.0.0.0/0.0.0.0 (and restart nfs) I still cannot connect; behavior:
If I use 0.0.0.0/0.0.0.0 in place of the wildcard (*), there is no longer an error message in /var/log/messages. But the Windows client still cannot connect. Sometimes the Windows client asks for a username and password; because this is an anonymous share I don't know what to fill in, so I typed several usernames like 'guest' and 'anonymous' and finally a real username and password, but still no access. Pressing "ESC" to get rid of the login dialog and trying to connect to the NFS share again gives a "Network Path Not Found" error from the Windows client. During all this, no error messages were produced in /var/log/messages.
I don't know. There is no authentication in NFSv3, so I can only assume that you are doing something wrong on the Windows side. 0.0.0.0/0.0.0.0 means "allow everyone".
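As an added example (not from the thread and not part of nfs-utils), here is a Python check that reads an /etc/exports file and reports which client specs mountd matches by name, and so only work for clients whose address resolves to a PTR record, versus those matched by address, which is the distinction Anders is drawing between * and 0.0.0.0/0.0.0.0. The sample exports content is constructed; only its first line is the one quoted in the thread.

```python
import ipaddress
import re

# Constructed /etc/exports.  The first entry is the one quoted in the thread;
# the others are added to show the other client-spec forms exports(5) accepts
# (IP network in netmask and CIDR form, a hostname wildcard, a netgroup).
SAMPLE_EXPORTS = """\
# exports for joe
/home/packman/ *(ro,no_subtree_check,insecure,sync)
/srv/pub 0.0.0.0/0.0.0.0(ro,sync)
/srv/lab 218.193.55.0/24(ro,sync) *.example.edu(ro,sync) @labhosts(ro,sync)
"""

# one client spec, optionally followed by "(options)"; no spaces inside either
CLIENT = re.compile(r"([^\s(]+)(?:\(([^)]*)\))?")


def classify_client(spec):
    """Say how mountd will match this client spec against an incoming request."""
    if spec.startswith("@"):
        return "netgroup"            # members are hostnames
    try:
        ipaddress.ip_address(spec)
        return "ip-address"
    except ValueError:
        pass
    try:
        ipaddress.ip_network(spec, strict=False)   # a.b.c.d/mask or CIDR
        return "ip-network"
    except ValueError:
        pass
    if any(c in spec for c in "*?[]"):
        return "hostname-wildcard"   # '*' matches names, not addresses
    return "hostname"


def needs_reverse_dns(kind):
    """Name-based specs can only match a client whose address resolves to a name."""
    return kind in {"hostname", "hostname-wildcard", "netgroup"}


def audit_exports(text):
    """Return (path, client_spec, kind, needs_ptr, options) per export entry."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        path, _, rest = line.partition(" ")
        for spec, opts in CLIENT.findall(rest):
            kind = classify_client(spec)
            rows.append((path, spec, kind, needs_reverse_dns(kind), opts))
    return rows


if __name__ == "__main__":
    for path, spec, kind, ptr, opts in audit_exports(SAMPLE_EXPORTS):
        flag = "needs reverse DNS" if ptr else "address match"
        print(f"{path:15} {spec:20} {kind:18} {flag}  ({opts})")
```

Run it against the server's real /etc/exports by passing the file contents to audit_exports; any row flagged "needs reverse DNS" is an entry a client without a PTR record can never match.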
Anders Johansson wrote:
I don't know. There is no authentication in NFSv3, so I can only assume that you are doing something wrong on the Windows side. 0.0.0.0/0.0.0.0 means "allow everyone".
I have finally solved this problem: I started to use the DiskAccess NFS client rather than the Microsoft SFU NFS client and everything is fine! I should have known that MS probably doesn't intend to make the interconnection between *nix and Windows easier.
Zhang Weiwu wrote:
Anders Johansson wrote:
I don't know. There is no authentication in NFSv3, so I can only assume that you are doing something wrong on the Windows side. 0.0.0.0/0.0.0.0 means "allow everyone".
I have finally solved this problem: I started to use the DiskAccess NFS client rather than the Microsoft SFU NFS client and everything is fine! I should have known that MS probably doesn't intend to make the interconnection between *nix and Windows easier.
It's a bit pricey though. Even the "Lite" version is $169.
--
Use OpenOffice.org http://www.openoffice.org
On Mon, 2007-04-09 at 18:38 +0800, Zhang Weiwu wrote:
Anders Johansson wrote:
On Monday 09 April 2007 09:49, Zhang Weiwu wrote:
joe:/home/zhangweiwu # cat /etc/exports
/home/packman/ *(ro,no_subtree_check,insecure,sync)
Don't use * as a wildcard in /etc/exports. It says explicitly in the documentation that this can happen. * requires reverse DNS.
Hell, which document?? man exports doesn't even mention the word "reverse" or 'DNS'.
If you don't want to have reverse DNS, use IP notation 0.0.0.0/0.0.0.0 instead.
Strangely, even if I use 0.0.0.0/0.0.0.0 (and restart nfs) I still cannot connect; behavior:
If I use 0.0.0.0/0.0.0.0 in place of the wildcard (*), there is no longer an error message in /var/log/messages. But the Windows client still cannot connect. Sometimes the Windows client asks for a username and password; because this is an anonymous share I don't know what to fill in, so I typed several usernames like 'guest' and 'anonymous' and finally a real username and password, but still no access. Pressing "ESC" to get rid of the login dialog and trying to connect to the NFS share again gives a "Network Path Not Found" error from the Windows client. During all this, no error messages were produced in /var/log/messages.
Hello Zhang,

Have you considered that it might actually be a security issue? When you installed the MS SFU NFS client, how did you answer the Username Mapping Server question?

K
On Mon, 2007-04-09 at 22:14 -0500, Ken Gramm wrote:
Hello Zhang, Have you considered that it might actually be a security issue? When you installed the MS SFU NFS client, how did you answer the Username Mapping Server question?
I totally do not understand the username mapping server and I am not sure if I need it. As I am setting up read-only NFS exports applying restrictions only on IP addresses, I just think perhaps I can forget all these authentication and authorization things. However, so far I could not successfully connect SFU to ANY NFS server in my office; I tried openSUSE, Gentoo Linux and FreeBSD. SFU always ends up with a message: "Network Path Not Found." I tried these to get around the error message, all failed:

1. use an IP address in /etc/exports rather than a hostname or wildcard;
2. supply no_auth_nlm to Linux's /etc/exports (on FreeBSD I cannot find this parameter);
3. switch between TCP and UDP on SFU.

The last thing I didn't try is to set up reverse DNS lookup, which is impossible because the whole campus has been running without reverse DNS for a lot of years and it will not be changed because I want it to change. Every time I get the "network path not found" message from Windows' SFU I try to mount the same mount point with Linux and it is always successful. I even wonder if Microsoft intentionally broke the NFS client because they know people will eventually turn to SMB and live with it. If they supply an NFS client, it should work with at least Linux or FreeBSD or Tru64 Unix on a normal network. I think perhaps the MS NFS client does not work with any *nix on a normal (no reverse DNS) network.
Hi Zhang,

Sorry it took a few days to reply.

On Tue, 2007-04-10 at 21:08 +0800, Zhang Weiwu wrote:
On Mon, 2007-04-09 at 22:14 -0500, Ken Gramm wrote:
Hello Zhang, Have you considered that it might actually be a security issue? When you installed the MS SFU NFS client, how did you answer the Username Mapping Server question?
I totally do not understand the username mapping server and I am not sure if I need it.
As the name implies, the username mapping server is used to match Windows user IDs to your *nix user IDs (i.e. SID to UID matching). Without it, your Windows client will not be able to provide the NFS server with the proper UID. If your Windows box gets its username from a Domain, you'll need to install the mapping server on one of your DCs and then point your workstation to the correct server. If it is a stand-alone machine (or if you're using a local account), you'll need to install the username mapping locally.
As I am setting up read-only NFS exports applying restrictions only on IP addresses, I just think perhaps I can forget all these authentication and authorization things. However, so far I could not successfully connect SFU to ANY NFS server in my office; I tried openSUSE, Gentoo Linux and FreeBSD. SFU always ends up with a message: "Network Path Not Found." I tried these to get around the error message, all failed:
How are you trying to connect to the NFS server? For me, I just right click on "My Network Places" and select "Map Network Drive". Then I enter the path (i.e. \\servername\share_name). When you click OK, you should get a "NFS Login Successful" dialog box that summarizes your current login credentials and asks if you'd like to accept the current login or change your login settings. Once finished, you should have a drive mapped to your NFS share.
1. use an IP address in /etc/exports rather than a hostname or wildcard;
2. supply no_auth_nlm to Linux's /etc/exports (on FreeBSD I cannot find this parameter);
3. switch between TCP and UDP on SFU.
The last thing I didn't try is to set up reverse DNS lookup, which is impossible because the whole campus has been running without reverse DNS for a lot of years and it will not be changed because I want it to change.
I'll admit that I've always used reverse DNS, but if you enter the machines into the hosts file you should get the same effect. Good luck!
Ken wrote:
Hi Zhang,

Sorry it took a few days to reply.
On Tue, 2007-04-10 at 21:08 +0800, Zhang Weiwu wrote:
On Mon, 2007-04-09 at 22:14 -0500, Ken Gramm wrote:
Hello Zhang, Have you considered that it might actually be a security issue? When you installed the MS SFU NFS client, how did you answer the Username Mapping Server question?
I totally do not understand the username mapping server and I am not sure if I need it.
As the name implies, the username mapping server is used to match Windows user IDs to your *nix user IDs (i.e. SID to UID matching). Without it, your Windows client will not be able to provide the NFS server with the proper UID.
If your Windows box gets its username from a Domain, you'll need to install the mapping server on one of your DCs and then point your workstation to the correct server. If it is a stand-alone machine (or if you're using a local account), you'll need to install the username mapping locally.
Thanks!
As I am setting up read-only NFS exports applying restrictions only on IP addresses, I just think perhaps I can forget all these authentication and authorization things. However, so far I could not successfully connect SFU to ANY NFS server in my office; I tried openSUSE, Gentoo Linux and FreeBSD. SFU always ends up with a message: "Network Path Not Found." I tried these to get around the error message, all failed:
How are you trying to connect to the NFS server? For me, I just right click on "My Network Places" and select "Map Network Drive". Then I enter the path (i.e. \\servername\share_name). When you click OK, you should get a "NFS Login Successful" dialog box that summarizes your current login credentials and asks if you'd like to accept the current login or change your login settings. Once finished, you should have a drive mapped to your NFS share.
Strange, I used exactly the same way as you did to mount; in the first 2 days it wasn't successful, later it worked. Still don't know why.
participants (6)
- Anders Johansson
- James Knott
- John Andersen
- Ken
- Ken Gramm
- Zhang Weiwu