>>>>> "ea" == erik ableson <eable...@me.com> writes:
>>>>> "dc" == Dennis Clarke <dcla...@blastwave.org> writes:

    >> "rw,ro...@100.198.100.0/24", it works fine, and the NFS client
    >> can do the write without error.

    ea> I've found that the NFS host based settings required the
    ea> FQDN, and that the reverse lookup must be available in your
    ea> DNS.

I found, oddly, the @a.b.c.d/y syntax works only if the client's IP
has reverse lookup.  I had to add bogus hostnames to /etc/hosts for
the whole /24 because if I didn't, for v3 it would reject mounts
immediately, and for v4 mountd would core dump (and get restarted)
which you see from the client as a mount that appears to hang.  This
is all using the @ip/mask syntax.

 http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=6901832

If you use hostnames instead, it makes sense that you would have to
use FQDN's.  If you want to rewrite mountd to allow using short
hostnames, the access checking has to be done like this:

 at export time: given hostname -> forward nss lookup -> list of IP's -> remember IP's
 at mount time:  client IP -> check against list of remembered IP's

but with fqdn's it can be:

 at export time: given hostname -> remember it
 at mount time:  client IP -> reverse nss lookup -> check against remembered list
                                                \-->forward lookup->verify client IP among results

The second way, all the lookups happen at mount time rather than
export time.  This way the data in the nameservice can change without
forcing you to learn and then invoke some kind of ``rescan the
exported filesystems'' command or making mountd remember TTL's for its
cached nss data, or any such complexity.  Keep all the nameservice
caching inside nscd so there is only one place to flush it!

However the forward lookup is mandatory for security, not optional
OCDism.  Without it, anyone from any IP can access your NFS server so
long as he has control of his reverse lookup, which he probably does.
I hope mountd is doing that forward lookup!

    dc> Try to use a backslash to escape those special chars like so :

    dc> zfs set
    dc> sharenfs=nosub\,nosuid\,rw\=hostname1\:hostname2\,root\=hostname2
    dc> zpoolname/zfsname/pathname

wth?  Commas and colons are not special characters.  This is silly.
_______________________________________________ zfs-discuss mailing list zfs-discuss@opensolaris.org http://mail.opensolaris.org/mailman/listinfo/zfs-discuss
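
The mount-time check described in the message above (reverse lookup, match against the exported FQDNs, then forward lookup to confirm the client IP), as an added example that is not part of the original post and not mountd's code. The lookup tables, hostnames and addresses are constructed, and `mount_allowed` is a hypothetical name.

```python
import ipaddress

# Constructed name-service data (documentation address ranges). In a real
# server these would be nss lookups, cached only by nscd.
PTR = {  # reverse zone: answered by whoever controls the IP block
    "192.0.2.10": "client1.example.com",
    "192.0.2.11": "other.example.com",
    "203.0.113.66": "client1.example.com",  # outsider's PTR claiming our name
}
A = {  # forward zone: answered by the owner of example.com
    "client1.example.com": ["192.0.2.10"],
    "other.example.com": ["192.0.2.11"],
}


def reverse_lookup(ip):
    return PTR.get(ip)


def forward_lookup(name):
    return A.get(name, [])


def mount_allowed(client_ip, exported_fqdns, confirm=True,
                  reverse=reverse_lookup, forward=forward_lookup):
    """Mount-time access check for a hostname-based export list.

    confirm=False trusts the reverse record alone, which is the unsafe
    variant the message warns about; it exists only for comparison.
    """
    name = reverse(client_ip)
    if name is None:
        return False  # no reverse record, so nothing to match against
    name = name.rstrip(".").lower()
    allowed = {h.rstrip(".").lower() for h in exported_fqdns}
    if name not in allowed:
        return False
    if not confirm:
        return True
    # Forward confirmation: the name must resolve back to this client IP.
    want = ipaddress.ip_address(client_ip)
    return any(ipaddress.ip_address(a) == want for a in forward(name))
```

With `confirm=False`, the constructed address 203.0.113.66 is accepted on the strength of its PTR record alone; with the forward confirmation it is rejected, while the genuine client at 192.0.2.10 still mounts.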