StrautC (n00b)
Joined: 07 Sep 2002 Posts: 15
Posted: Tue Sep 10, 2002 12:44 am Post subject: NFS / DNS issues
I have two machines that get their IPs from a DHCP server and I am
using DynDNS and a perl script called ddclient to keep things in order.
Their DynDNS addresses are egore.mine.nu and dracula.mine.nu.
Dracula is running NFS and has several exported filesystems set up for
use by egore.mine.nu. Here is one of my lines in /etc/exports:
/net-shared egore.mine.nu(ro)
Now, egore is a laptop that gets rebooted fairly often, so its IP
address is constantly changing, but egore.mine.nu
always points to the proper IP thanks to ddclient, which is launched in
daemon mode by my init scripts.
Dracula's NFS server starts, exports the filesystems, and everything
works perfectly. At this point, egore can mount the shares and do
whatever it feels like doing with them.
Next, I reboot egore and it gets a different IP address from the DHCP
server. Ddclient executes and ensures that egore.mine.nu is pointing to
the proper IP address, just like it should. This is where the trouble
starts. Egore can no longer mount dracula's exported NFS shares -
access is denied. It works perfectly again if I restart NFS on dracula.
I think this is what is going on...
1. NFS starts on dracula
2. Egore tries to mount dracula.mine.nu:/net-shared
3. Dracula looks up egore.mine.nu - it turns out that the laptop's
current IP address is equal to that of egore.mine.nu. Access granted.
Cache the IP address for egore.mine.nu so that we do not need to perform
DNS lookups on this hostname in the future.
4. Egore unmounts dracula.mine.nu:/net-shared
5. Egore reboots and gets a new IP address, egore.mine.nu is updated
and is pointing to the correct address. Dracula can ping egore.mine.nu
successfully.
6. Egore tries to mount dracula.mine.nu:/net-shared
7. Dracula pulls the IP address for egore.mine.nu from its cache rather
than performing a DNS lookup. The IP address being stored in the cache
is out of date. Access is denied.
8. NFS is restarted on dracula. IP address cache is dumped.
9. Egore tries to mount dracula.mine.nu:/net-shared
10. See #3 above.
Is there any way to make the NFS server perform a DNS lookup every time
it checks to see if a client has permission to access the server?
Restarting NFS on dracula every time I reboot my laptop is getting
annoying.
Or is something else going on here?
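The caching hypothesis laid out in the post above, replayed as an added Python simulation that is not part of this thread and does not model the real rpc.mountd code: it parses exports lines, checks a client address against either a network-range entry or a resolved hostname, and compares a resolver that keeps its first answer with one that looks up every time. All hostnames-to-address mappings are constructed.

```python
import ipaddress

EXPORTS = (  # constructed sample /etc/exports: the post's line plus a network range
    "/net-shared egore.mine.nu(ro)\n"
    "/pub 192.168.1.0/24(ro)\n"
)

def parse_exports(text):
    """Return (path, client_spec, options) triples from exports-file text."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if line:
            path, *clients = line.split()
            for spec in clients:
                name, _, opts = spec.partition("(")
                entries.append((path, name, opts.rstrip(")")))
    return entries

def make_resolver(table, cache=None):
    """DNS stand-in over a constructed table; with a cache dict the first answer per name sticks."""
    def resolve(name):
        ip = table.get(name)  # what DNS would answer right now
        return ip if cache is None else cache.setdefault(name, ip)
    return resolve

def client_allowed(entries, path, client_ip, resolve):
    """True if client_ip matches an entry for path (CIDR range or resolved hostname)."""
    addr = ipaddress.ip_address(client_ip)
    for epath, name, _opts in entries:
        if epath != path:
            continue
        matched = (addr in ipaddress.ip_network(name, strict=False) if "/" in name
                   else resolve(name) == client_ip)
        if matched:
            return True
    return False

def demo():
    """Replay the thread: (first mount, post-reboot cached, post-reboot fresh, after NFS restart)."""
    entries = parse_exports(EXPORTS)
    dns, cache = {"egore.mine.nu": "10.0.0.5"}, {}  # constructed addresses
    cached, fresh = make_resolver(dns, cache), make_resolver(dns)
    first = client_allowed(entries, "/net-shared", "10.0.0.5", cached)
    dns["egore.mine.nu"] = "10.0.0.9"  # laptop rebooted, ddclient updated DNS
    stale = client_allowed(entries, "/net-shared", "10.0.0.9", cached)
    live = client_allowed(entries, "/net-shared", "10.0.0.9", fresh)
    cache.clear()  # restarting NFS on dracula dumps the cached answer
    after = client_allowed(entries, "/net-shared", "10.0.0.9", cached)
    return first, stale, live, after
```

`demo()` returns `(True, False, True, True)`: the second value is the denied mount after the reboot, and only a fresh lookup or a cache flush lets the new address through.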
psp (Tux's lil' helper)
Joined: 06 Aug 2002 Posts: 120 Location: Cape Town, South Africa
Posted: Tue Sep 10, 2002 9:55 am Post subject:
You have pretty much hit the nail on the head. On startup the NFS server checks the hostname to IP address mapping and uses the IP address as the ACL mechanism.
As to a way around this? I'm not sure... perhaps you should try the NFS mailing list and their archives @ http://nfs.sourceforge.net or perhaps another filesystem.
Perhaps Intermezzo would better suit you? Sorry I could be of no more help.
scheuri (n00b)
Joined: 21 Aug 2002 Posts: 22 Location: region basel, switzerland
Posted: Tue Sep 10, 2002 10:08 am Post subject:
hi there
just an idea...
1) does your dracula "suck" the IP of egore from the DNS? or does dracula have the IP/DNS somehow inserted in its hosts file?
-> if the last case is true... that might be a reason it won't work after reboot..
2) does dracula have a DNS entry in its network configuration...
I know... pretty basic things you might already have... but... I was just thinking a sec or two...
my 2 rappen
scheuri
_________________
if someone finds any grammar errors...easy...keep them...
psp (Tux's lil' helper)
Joined: 06 Aug 2002 Posts: 120 Location: Cape Town, South Africa
Posted: Tue Sep 10, 2002 10:27 am Post subject:
Just thought of another method of controlling access to the NFS server...
You could allow read-only access to the network range in your exports file, then allow individual access with iptables, filtering on MAC address. Just make sure you've compiled your kernel with packet filtering support and support for MAC address matching.
This should still give you the level of security you want - if not more.