11-30-2009, 12:00 PM
Mike Yates

NFS new security requirements?

Hi
I've suddenly lost access to some permanent cross-server shares.
I think this was following the Nov 5 new kernel, rather than the CentOS version upgrade.
I don't see any difference to man mount.nfs

I have:-
[root@hs6 ~]# mount hs8:/data /sysback/hs8-data -v
mount: no type was given - I'll assume nfs because of the colon
mount: trying 172.26.0.8 prog 100003 vers 3 prot tcp port 2049
mount: trying 172.26.0.8 prog 100005 vers 3 prot udp port 735
mount: hs8:/data failed, reason given by server: Permission denied

Yet on hs8 the log shows:-
Nov 29 12:47:52 hs8 mountd[2255]: authenticated mount request from 172.26.0.6:617 for /data (/data)

No internal permissions have changed.


Mike Yates MBCS CITP (ISSG)
IT Support Engineer

Hawkgrove Ltd - Software Systems Design
2, The Business Courtyard, Marl Pits Lane, Trudoxhill, Frome, Somerset, BA11 5DL, UK
+44 (0)1373 837900 fax: +44 (0)8700 518155
Registered in England: 2756481 VAT Reg: UK 601 1137 11
Registered Office: NSO Associates LLP, 75 Springfield Road, Chelmsford, Essex CM2 6JB
All e-mail is subject to contract and is not intended to create a legally binding agreement.
Hawkgrove Ltd will only be bound by an agreement in writing signed by an authorized signatory.
All outgoing email is scanned by Kerio, using ClamAV 0.95.1/10094/Mon Nov 30 11:45:20 2009 Known viruses: 660218.

_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
11-30-2009, 02:25 PM
James Pearson

NFS new security requirements?

Mike Yates wrote:
> Hi
> I've suddenly lost access to some permanent cross-server shares.
> I think this was following the Nov 5 new kernel, rather than the CentOS version upgrade.
> I don't see any difference to man mount.nfs
>
> I have:-
> [root@hs6 ~]# mount hs8:/data /sysback/hs8-data -v
> mount: no type was given - I'll assume nfs because of the colon
> mount: trying 172.26.0.8 prog 100003 vers 3 prot tcp port 2049
> mount: trying 172.26.0.8 prog 100005 vers 3 prot udp port 735
> mount: hs8:/data failed, reason given by server: Permission denied
>
> Yet on hs8 the log shows:-
> Nov 29 12:47:52 hs8 mountd[2255]: authenticated mount request from 172.26.0.6:617 for /data (/data)
>
> No internal permissions have changed.

What are the contents of /etc/exports on 'hs8'?

What happens if you restart rpc.mountd on 'hs8' ?

James Pearson
 
12-01-2009, 08:23 AM
Mike Yates

NFS new security requirements?

Hi James
Please reply to me as well as the list as I only get the digest.
You wrote
> What are the contents of /etc/exports on 'hs8'?

at present:-
#/data 172.26.0.6(rw,no_root_squash)
/data hs6(rw,sync,mp,no_root_squash,sec=none)
/backup 172.26.0.6(rw,sync,mp,no_root_squash)


> What happens if you restart rpc.mountd on 'hs8' ?

I've done this many times as I try different exports options:-

[root@hs8 ~]# /etc/init.d/nfs restart
Shutting down NFS mountd: [ OK ]
Shutting down NFS daemon: [ OK ]
Shutting down NFS quotas: [ OK ]
Shutting down NFS services: [ OK ]
Starting NFS services: [ OK ]
Starting NFS quotas: [ OK ]
Starting NFS daemon: [ OK ]
Starting NFS mountd: [ OK ]
[root@hs8 ~]# vi msg

SELinux is disabled.

Mike Yates MBCS CITP (ISSG)
IT Support Engineer

 
12-01-2009, 09:41 AM
James Pearson

NFS new security requirements?

Mike Yates wrote:
>
>>What are the contents of /etc/exports on 'hs8'?
>
>
> at present:-
> #/data 172.26.0.6(rw,no_root_squash)
> /data hs6(rw,sync,mp,no_root_squash,sec=none)
> /backup 172.26.0.6(rw,sync,mp,no_root_squash)

Can 'hs8' resolve 'hs6' to 172.26.0.6 ??

In your previous post you reported that hs8 logged:

Nov 29 12:47:52 hs8 mountd[2255]: authenticated mount request from 172.26.0.6:617 for /data (/data)

On my machines, the server reports 'authenticated mount requests' from a
hostname, not an IP address.

However, I guess you have already tested that given the commented out
line in /etc/exports

James Pearson
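
The question in the reply above is whether the name used in the /data export still maps to the client's address. As an added example (not part of the thread, and a simplified model rather than mountd's own algorithm), the script below checks which active exports entry admits a given client IP; the `resolve` and `match_export` helpers and the `HOSTS` table are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Forward resolution only; single-host clients only
# (no wildcards, netgroups or subnets).
# /etc/exports on hs8 as quoted in the thread.
EXPORTS='#/data 172.26.0.6(rw,no_root_squash)
/data hs6(rw,sync,mp,no_root_squash,sec=none)
/backup 172.26.0.6(rw,sync,mp,no_root_squash)'

# Constructed stand-in for name resolution on hs8 ("IP name" per line).
# On a live server the equivalent lookup is: getent hosts NAME
HOSTS='172.26.0.6 hs6
172.26.0.8 hs8'

# resolve NAME [TABLE]: print the IP for NAME, or nothing if it is unknown.
resolve() {
    printf '%s\n' "${2-$HOSTS}" |
        awk -v n="$1" '{ for (i = 2; i <= NF; i++) if ($i == n) { print $1; exit } }'
}

# match_export PATH CLIENT_IP [TABLE]
# Print the first active "client(options)" entry for PATH that admits CLIENT_IP.
# Return 1 when none does, the case in which the mount is refused.
match_export() {
    me_path=$1 me_ip=$2 me_hosts=${3-$HOSTS}
    printf '%s\n' "$EXPORTS" | (
        while IFS= read -r line; do
            line=${line%%#*}                 # commented-out entries do not count
            set -f; set -- $line; set +f     # word-split without globbing
            [ "${1-}" = "$me_path" ] || continue
            shift
            for entry in "$@"; do
                client=${entry%%\(*}
                case $client in
                    *[!0-9.]*) addr=$(resolve "$client" "$me_hosts") ;;  # hostname
                    *)         addr=$client ;;                           # literal IP
                esac
                if [ "$addr" = "$me_ip" ]; then printf '%s\n' "$entry"; exit 0; fi
            done
        done
        exit 1
    )
}

# /data is granted by name and /backup by address, so only /data depends on
# how hs8 resolves "hs6".
match_export /data   172.26.0.6 || echo "/data: no entry admits 172.26.0.6"
match_export /backup 172.26.0.6 || echo "/backup: no entry admits 172.26.0.6"
match_export /data   172.26.0.6 '172.26.0.66 hs6' ||
    echo "/data: refused when hs6 resolves to a different address"
```
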

 
12-01-2009, 10:23 AM
Mike Yates

NFS new security requirements?

Hi James
Yes I've tried lots of things!
However, I discovered that hs8 was not running the Nov 3 kernel (uptime 68 days) so I rebooted this morning, forgetting to check /boot/grub/menu.lst where "default=2" put the same damn Sep 3 kernel up.
Users are busy on it until lunchtime, but I'll let you know if it still fails with both servers on Nov 3.


Mike Yates MBCS CITP (ISSG)
IT Support Engineer


 
12-07-2009, 11:59 AM
Mike Yates

NFS new security requirements?

This now mysteriously resolved after both servers have rebooted.
The long delay is due to the importance of high availability over the nfs links.

Mike Yates
