× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. MIDRANGE-L
  3. December 2018

RE: NFS security solved

NFSv3 works this way, but NFSv4 has a way to do id mapping. I know this is
supported on Linux (primarily only when using Kerberos/NIS/LDAP), but I've
never actually gotten it to work (probably because I wasn't using
Kerberos). I have no idea if it is supported or works on IBM i or whether
it requires Kerberos/LDAP/etc.

----- Original message -----
From: "Mitchell, Dana" <dmitche@xxxxxxxxxx>
Sent by: "MIDRANGE-L" <midrange-l-bounces@xxxxxxxxxxxx>
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
Cc:
Subject: RE: NFS security solved
Date: Fri, Nov 30, 2018 2:15 PM

As it turns out, it is WAD. But ultimately, I was overestimating what
it was doing.

The NFS client sends UID and GID of the user to the NFS server. What I
*thought* it would do, is look up what IBMi user profile on the NFS
Server system had the corresponding UID and use that user profile to
allow/deny access to the files. All it actually does is looks at
the UID and GID on the files/directories to determine access. If
there is no matching IBMi user profile with a matching UID or GID, then
the 'anonymous user' user profile is used to allow/deny access to the
files.

Apparently this fact is little known within IBM as it took a L2 guy to
webex into our system for a while to determine what was going on.

Dana

-----Original Message-----
From: MIDRANGE-L [[1]mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf
Of Mitchell, Dana
Sent: Wednesday, November 21, 2018 10:34 AM
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
Subject: RE: NFS security

On the mount definitely 'soft'

I've tried both version 3 and 4 and the behavior seems to be same
either way. I have a PMR open to get IBM's help

Dana

-----Original Message-----
From: MIDRANGE-L [[2]mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf
Of Paul Roy
Sent: Tuesday, November 20, 2018 3:19 PM
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
Subject: RE: NFS security

what options are you using on the export and the mount command?

From: "Mitchell, Dana" <dmitche@xxxxxxxxxx>
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
Date: 20/11/2018 20:43
Subject: RE: NFS security
Sent by: "MIDRANGE-L" <midrange-l-bounces@xxxxxxxxxxxx>

In our testing I have USER1 on the client machine with UID(106) and
USER2 on the server machine with UID(106). When USER1 accesses the
nfs
mount and gets an auth failure, according to the audjrne it is not
USER2 getting the failure (because USER2 does have authority to the
directory) but is showing the userid that we have specified in the
export as the
anonyumous user. I see no other settings or knobs that need adjusted
in order to get it to use the UID found on the NFS server machine.

Dana

Attention: This electronic document and associated attachments (if any)
may contain confidential information of the sender (SHAZAM Network) and
is intended solely for use by the addressee(s). Review by unintended
individuals is prohibited. If you are not the intended recipient: (i) do
not read, transmit, copy, disclose, store, or utilize this communication
in any manner; (ii) please reply to the sender immediately, state that
you received it in error and permanently delete this message and any
attachment(s) from your computer and destroy the material in its
entirety if in hard copy format. If you are the intended recipient,
please use discretion in any email reply to ensure that you do not send
confidential information as we cannot secure it through this medium. By
responding to us through internet e-mail, you agree to hold SHAZAM, Inc.
and all affiliated companies harmless for any unintentional
dissemination of information contained in your message. Thank you.
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: [3]https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at [4]https://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxx for any subscription related
questions.

Help support midrange.com by shopping at amazon.com with our affiliate
link: [5]https://amazon.midrange.com




References

Visible links
1. mailto:midrange-l-bounces@xxxxxxxxxxxx
2. mailto:midrange-l-bounces@xxxxxxxxxxxx
3. https://lists.midrange.com/mailman/listinfo/midrange-l
4. https://archive.midrange.com/midrange-l
5. https://amazon.midrange.com/

As an Amazon Associate we earn from qualifying purchases.

This thread ...
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.