Re: NFS root

From: Dave Uhring (daveuhring_at_yahoo.com)
Date: 09/30/04


Date: Thu, 30 Sep 2004 11:28:11 -0500

On Thu, 30 Sep 2004 13:30:19 -0200, Juhan Leemet wrote:

> On Wed, 29 Sep 2004 21:26:31 -0500, Dave Uhring wrote:

>> The jumpstart setup instructions specifically mention setting that option.
>
> Doh! I had forgotten, or never realized. Time to hit the books again...
> Hmm, I have the following in my /etc/dfs/dfstab (but I might have goofed?)
>
> share -F nfs -o nosuid -d "home dirs" /export/home
> share -F nfs -o ro,anon=0 -d "Sun jumpstart directory" /export/jumpstart
> share -F nfs -o ro,anon=0 -d "Sun install server directory" /export/install
> ...etc...
> share -F nfs -o ro,anon=0 -d "JET Framework" /opt/jet

Since you have ro with anon=0 there should be little chance of an unknown
user modifying your jumpstart files.

> It was a while, since I set up my jumpstart stuff, but I did follow the
> destructions in the Solaris installation kit documentation. I notice that
> in all these cases the combination is "ro,anon=0", which I read as "give
> any unknown users root equivalent read-only access". That makes sense for
> installation stuff. You don't ever want reads to fail. I would still be
> uneasy about using "rw" together with "anon=0".

Restriction by domain.tld prevents unknown users from rw access, presuming
that physical security of the network hosts is present.

> I suppose the Windows users in your setup drive that requirement? I guess
> that would be the case if the Windows users are not known to the Solaris
> O/S as valid users. I guess that seems fairly obvious, now. Generally, I
> would like to have authentication done from the Solaris side, via samba if
> necessary/possible. My own samba setup works, but is not ideal/perfect. I
> should review it, and tune it up. How do you manage your Windows users?

Windoze users have user accounts on the server so they cannot be
"unknown". But the factor here is that Windoze (without SFU) cannot mount
NFS shares anyway. Their access is through samba with security=user and
encrypt passwords=yes. Besides, the Windoze users are isolated on a
separate subnet so DNS lookups fail.

The only user management problem I have had was from not enforcing quotas
but a gentle hint is all that is usually required to free up some space.
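
As an added example (not part of the original post, and not a Solaris tool), a short Python audit of dfstab-style share lines for the ro/rw and anon=0 combinations discussed in this thread. The rating labels, the last two sample entries and the nfs default when -F is omitted are assumptions made for illustration.

```python
import shlex

# Constructed sample: the first two lines follow the dfstab quoted in the
# thread; the last two are hypothetical entries added for contrast.
SAMPLE_DFSTAB = """\
share -F nfs -o nosuid -d "home dirs" /export/home
share -F nfs -o ro,anon=0 -d "Sun jumpstart directory" /export/jumpstart
share -F nfs -o rw,anon=0 -d "constructed example" /export/scratch
share -F nfs -o rw=.example.com,anon=0 -d "constructed example" /export/build
"""

def parse_share(line):
    """Return (path, {option: value-or-None}) for one share line, else None."""
    tokens = shlex.split(line, comments=True)
    if len(tokens) < 2 or tokens[0] != "share":
        return None
    opts, fstype, i = {}, "nfs", 1   # assumption: nfs when -F is omitted
    while i < len(tokens) - 1:       # the last token is the pathname
        flag, value = tokens[i], tokens[i + 1]
        if flag == "-F":
            fstype = value
        elif flag == "-o":
            for item in value.split(","):
                key, _, val = item.partition("=")
                opts[key] = val or None
        i += 2
    return (tokens[-1], opts) if fstype == "nfs" else None

def classify(opts):
    """Rate one share's exposure from its ro/rw/anon options."""
    if opts.get("anon") != "0":
        return "ok"        # unknown users are not mapped to uid 0
    if "rw" not in opts and "ro" in opts:
        return "info"      # root-equivalent access, but read-only
    if opts.get("rw"):
        return "review"    # root-equivalent write, limited to an access list
    return "high"          # root-equivalent write for every client

def audit(text):
    """Map each NFS share path in dfstab text to its rating."""
    results = {}
    for line in text.splitlines():
        parsed = parse_share(line)
        if parsed:
            results[parsed[0]] = classify(parsed[1])
    return results

if __name__ == "__main__":
    for path, level in audit(SAMPLE_DFSTAB).items():
        print(f"{level:7} {path}")
```

A "review" rating still depends on the access list being trustworthy, which is the physical-security presumption made in the reply above.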


