Manual Chapter : NFS Access Lists

Applies To:


ARX

  • 6.3.0
When an NFS client accesses a share as root (a UNIX superuser), an NFS-access list typically re-maps the user's identity to that of the anonymous user, which has very low access rights. This security feature is called root squashing. Use the anonymous-gid command to change the Group ID (GID) for the anonymous user.
Use the no form of the command to revert to the default GID for anonymous.
id (1-65535) is a group ID number that the access list uses when it squashes root access.
When permit rules have root-squash enabled, they translate the Group ID (GID) of a root user to an anonymous GID. To set the user ID (UID), use anonymous-uid. Use show nfs-access-list to see the current GID and UID used for anonymous.
bstnA(gbl)# nfs-access-list eastcoast
bstnA(gbl-nfs-acl[eastcoast])# anonymous-gid 100
sets the anonymous GID to 100.
When an NFS client accesses a share as root (a UNIX superuser), an NFS-access list typically re-maps the user's identity to that of the anonymous user, which has very low access rights. This security feature is called root squashing. Use the anonymous-uid command to change the User ID (UID) for the anonymous user.
Use the no form of the command to revert to the default UID for anonymous.
id (1-65535) is a User ID number that the access list uses when it squashes root access.
When permit rules have root-squash enabled, they translate the User ID (UID) of a root user to an anonymous UID. To set the group ID (GID), use anonymous-gid. Use show nfs-access-list to see the current GID and UID used for anonymous.
bstnA(gbl)# nfs-access-list eastcoast
bstnA(gbl-nfs-acl[eastcoast])# anonymous-uid 100
sets the anonymous UID to 100.
Use the no form of the command to remove a deny rule from the current access list.
deny ip-address mask
no deny ip-address mask
ip-address (0.0.0.0-255.255.255.255) is the address of the subnet to be denied access.
mask (0.0.0.0-255.255.255.255) is the netmask (network part of the IP address).
bstnA(gbl)# nfs-access-list eastcoast
bstnA(gbl-nfs-acl[eastcoast])# deny 192.168.77.0 255.255.255.0
bstnA(gbl-nfs-acl[eastcoast])# deny 192.168.202.0 255.255.255.0
bstnA(gbl-nfs-acl[eastcoast])# permit 192.168.0.0 255.255.0.0 read-write
Use the optional description command to include a descriptive string for an access list.
Use the no form of the command to remove the description from the current access list.
text (1-255 characters) is your description for the current access list. Surround the text with quotation marks ("") if it contains any spaces.
bstnA(gbl)# nfs-access-list eastcoast
bstnA(gbl-nfs-acl[eastcoast])# description "allowable subnets in MA, NY, & DC"
Use the ip address command to identify one NIS server for the current NIS domain.
Use the no form of the command to remove one NIS server from the list.
address identifies the NIS server (for example, 192.168.70.128). This address must be on a server/proxy-IP subnet (see ip proxy-address) or reachable through a gateway on that subnet (via static route: see ip route to create a static route).
bstnA(gbl-nis-dom[mydom.org])# ip address 192.168.78.55
bstnA(gbl-nis-dom[mydom.org])# no ip address 10.10.25.1
Use this command to create an access list (optional) for NFS services. An access list is an ordered list of IP hosts and subnets that are permitted or denied access to the NFS service. You can use one NFS access list (or create additional ones) for any number of NFS services.
Use the no form of the command to remove an access list.
If you do not include an access list for an exported volume, all clients can access the share. See export (gbl-nfs) for more information.
list-name (1-64 characters) is a name you choose for the access list.
The CLI prompts for confirmation before creating a new NFS access list; enter yes to continue. (You can use terminal expert to eliminate confirmation prompts for creating new objects.)
When you use the no form of the command to remove an access list, you must first remove all references to the access list before you can remove the list itself.
bstnA(gbl)# nfs-access-list eastcoast
bstnA(gbl)# no nfs-access-list testacl
Use the nis domain command to identify a Network Information System (NIS) domain to be used in one or more NFS access lists.
Use no nis domain to remove the NIS-domain configuration from the ARX.
domain (1-256 characters) is the NIS-domain name (for example, company or company.com).
This command places you into gbl-nis-dom mode, where you use the ip address (gbl-nis-dom) command to identify at least one NIS server for the domain. After you specify one or more NIS servers, the ARX looks up all of the netgroups in the domain, then performs DNS lookups for all hostnames in those netgroups. The results are cached on the switch, to prevent excessive traffic between the switch and the DNS server; the show nis netgroup command shows the contents of this cache. Use nis update to refresh this cache by performing all of the necessary lookups.
You can use nis domain (gbl-nfs-acl) to use this NIS domain in an access list. The permit netgroup command (see permit (gbl-nfs-acl)) adds a permit rule for one netgroup. Use show nis domain to view all NIS domains and their configured NIS servers.
bstnA(gbl)# nis domain wwmed.com
bstnA(gbl)# no nis domain testnis
Use the gbl-nfs-acl nis domain command to set the NIS domain for the current NFS access list.
Use no nis domain to remove the NIS domain from the access list.
domain (1-256 characters) is the NIS-domain name (for example, myorg.org from lnx3.myorg.org). This domain must be pre-mapped to a NIS server with the nis domain command, from gbl mode.
If you plan to use NIS groups in your NFS access list, you must identify the NIS domain with this command. Use show nis domain for a list of configured NIS domains, or use nis domain to create a new one. To view the netgroups in a domain, use show nis netgroup.
The permit netgroup command (permit (gbl-nfs-acl)) permits all hosts in a netgroup to pass the NFS access list.
The ARX caches a database of NIS netgroups and all of their DNS-resolved IP addresses. Use the nis update command to refresh this cache by querying the NIS server(s) and the local DNS server(s).
domain (1-256 characters) focuses the update on a single NIS domain. Use show nis domain to view all NIS domains. If this is omitted, the switch refreshes its cache for all configured NIS domains.
This command creates one report per updated domain. Each report is named nis-update.domain-name.rpt. Use show reports to list all reports, including NIS-update reports. To follow the progress of the NIS-update operation, you can use tail reports report-name follow. Use show reports file-name to read the report. You can search through the report with grep. To copy or delete it, use the copy or delete commands. If you want to truncate the report before it finishes, use the truncate-report command.
The show nis netgroup command shows the netgroups in a NIS domain, or the hosts in a particular netgroup. This is the contents of the current NIS-netgroup cache. The show nis domain command shows when the most-recent NIS update occurred.
In a redundant pair, the NIS update works independently on each peer. The output of show nis netgroup and the NIS reports therefore only apply to the current peer. The benefit of these redundant updates is that failovers do not incur any extra down time for NIS.
bstnA# nis update
bstnA# nis update wwmed.com
bstnA# show reports nis-update.wwmed.com.rpt
Use the no form of the command to remove a permit rule for a subnet or netgroup.
permit ip-address mask [read-only] [ root {squash | allow} ]
no permit ip-address mask [read-only] [ root {squash | allow} ]
ip-address (0.0.0.0-255.255.255.255) is the address of the subnet to be allowed access.
mask (0.0.0.0-255.255.255.255) is the netmask (network part of the IP address).
read-only (optional) limits users to read-only access.
squash disables root access and remaps it to the configured UID and GID settings (provides more security).
allow enables root-user access.
permit netgroup group-name [read-only] [ root {squash | allow} ]
group-name (1-1024 characters) is the name of the NIS netgroup to be allowed access.
read-only (optional) limits users to read-only access.
squash disables root access and remaps it to the configured UID and GID settings (provides more security).
allow enables root-user access.
A new permit rule squashes root access by default. That is, if a client logs in as the root user and accesses the NFS share, the ARX translates the client's user ID to an anonymous ID with limited access privileges. In gbl-nfs-acl mode, you can change the anonymous User/Group IDs through the anonymous-gid and anonymous-uid commands.
The no form of the command always removes the rule, whether or not you specify any options (such as read-write, root allow, and so on). This facilitates copying and pasting a rule from the show nfs-access-list output to the CLI and placing a no in front of it.
bstnA(gbl)# nfs-access-list eastcoast
bstnA(gbl-nfs-acl[eastcoast])# permit 172.16.100.0 255.255.255.0 read-write
bstnA(gbl)# nfs-access-list eastcoast
bstnA(gbl-nfs-acl[eastcoast])# permit 172.16.204.0 255.255.255.0 read-only root allow
allows root access from clients on the 172.16.204.0 subnet. To limit the exposure, access is read-only for this rule.
bstnA(gbl-nfs-acl[eastcoast])# permit netgroup nurses
show nfs-access-list [list-name [resolve-netgroups]]
list-name (optional; 1-64 characters) is the access list you want to view.
resolve-netgroups (optional) expands the NIS netgroups. This shows every resolved host in every NIS netgroup, in order. Without this option, netgroups are summarized on a single line and counted as a single rule.
The show nfs-access-list command displays the following information:
Access List Name: The names of all configured access lists.
Anon UID: The anonymous User ID number assigned to root when root squashing is enabled (the default). You can change this with anonymous-uid.
Anon GID: The anonymous Group ID number assigned to root when root squashing is enabled (the default). Use anonymous-gid to edit this.
Num Rules: The number of permit and/or deny rules applied to this access list. This counts each NIS netgroup as a single rule; use the resolve-netgroups option to find the total count, including every host in every netgroup.
Num References: The number of NFS services that use this access list.
If you enter a list name, the output also shows the description (gbl-nfs-acl) for the access list, if any, and the list's exact rules. The order is important; if a client matches two rules in the list, the switch follows the first rule and ignores the second.
Number of entries in access list: The total number of rules, including each host in the expanded netgroups. An error appears above this field if the number of rules exceeds the maximum, 2048. Each host in a netgroup requires a rule, so large netgroups can cause an access list to exceed its maximum. Only the first 2048 rules are used.
Domain was not found: The NIS domain for this access list, set with nis domain (gbl-nfs-acl), is not supported at the NIS server. Use show nis domain to find the NIS server(s) used by the ARX.
bstnA# show nfs-access-list
bstnA# show nfs-access-list eastcoast
bstnA# show nfs-access-list eastcoast resolve-netgroups
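To make the rule semantics described for permit, deny and show nfs-access-list concrete (rules are checked in order and the first match wins, root is squashed to the anonymous UID/GID unless root allow is given, each netgroup host counts as one rule, and only the first 2048 rules are used), here is an added Python model of the eastcoast list configured in this chapter. It is illustration code, not ARX software; the netgroup membership of nurses and the refusal of a client that matches no rule are assumptions.

```python
import ipaddress

MAX_RULES = 2048  # manual: an access list uses only its first 2048 rules


class NfsAccessList:
    """ARX-style NFS access list: ordered rules, first match wins, root squashed by default."""

    def __init__(self, anon_uid, anon_gid, netgroups=None):
        self.anon_uid, self.anon_gid = anon_uid, anon_gid   # anonymous-uid / anonymous-gid
        self.netgroups = netgroups or {}   # constructed stand-in for the NIS netgroup cache
        self.rules = []                    # (action, network, read_only, root_allow), in order

    def deny(self, address, mask):
        self.rules.append(("deny", ipaddress.ip_network(f"{address}/{mask}"), None, None))

    def permit(self, address, mask, read_only=False, root_allow=False):
        self.rules.append(("permit", ipaddress.ip_network(f"{address}/{mask}"), read_only, root_allow))

    def permit_netgroup(self, group, read_only=False, root_allow=False):
        # Each resolved host in the netgroup becomes one rule (what resolve-netgroups shows).
        for host in self.netgroups.get(group, []):
            self.rules.append(("permit", ipaddress.ip_network(f"{host}/32"), read_only, root_allow))

    def active_rules(self):
        # Rules the list actually enforces, plus whether the 2048 maximum was exceeded.
        return self.rules[:MAX_RULES], len(self.rules) > MAX_RULES

    def evaluate(self, client_ip, uid, gid):
        """Decide access for one request; returns the effective access and IDs."""
        ip = ipaddress.ip_address(client_ip)
        for action, net, read_only, root_allow in self.active_rules()[0]:
            if ip not in net:
                continue
            if action == "deny":
                return {"access": "denied"}
            if uid == 0 and not root_allow:          # root squash (the default)
                uid, gid = self.anon_uid, self.anon_gid
            return {"access": "read-only" if read_only else "read-write", "uid": uid, "gid": gid}
        return {"access": "denied"}   # assumption: a client matching no rule is refused


def build_eastcoast():
    """The 'eastcoast' list as configured in this chapter, with a constructed netgroup."""
    acl = NfsAccessList(anon_uid=100, anon_gid=100, netgroups={"nurses": ["10.20.30.40"]})
    acl.deny("192.168.77.0", "255.255.255.0")
    acl.deny("192.168.202.0", "255.255.255.0")
    acl.permit("192.168.0.0", "255.255.0.0")                     # read-write
    acl.permit("172.16.204.0", "255.255.255.0", read_only=True, root_allow=True)
    acl.permit_netgroup("nurses")
    return acl
```

Because the two deny rules precede the 192.168.0.0/16 permit, a client in 192.168.77.0/24 is refused even though it also matches the broader permit; swap the order and the deny rules become dead.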
show nis domain [domain-name]
domain-name (optional; 1-256 characters) is the NIS domain you want to view. If you omit this, the output displays a summary of all NIS domains configured on the switch.
The summary form of the show nis domain command displays the following information:
NIS Domain is the name of the NIS domain. Use the nis domain command to configure a new NIS domain, or change an existing one.
Last Update is the date and time that the ARX last updated its internal NIS database. This occurs when each NIS domain is first configured, and whenever someone issues the nis update command.
Status summarizes the results of the most-recent NIS update. This is Success, Updating, or Failed.
Servers are the NIS servers for this NIS domain. You can use the ip address (gbl-nis-dom) command to identify more servers that support this domain. This shows the order in which the servers are used; if the first server fails, the switch tries the second, and so on.
Last Successful Update is the date and time for the last NIS update that ended with a Success status.
Netgroups is the number of netgroups defined for this NIS domain.
Netgroup Resolution Errors is the number of netgroup entries that the switch failed to parse. These are typically malformed lines in the NIS server's configuration file for netgroups.
Hosts is the number of hosts found in all the netgroups.
Hosts Resolved is the number of hosts that were successfully resolved to IP addresses. These are DNS resolutions, made by an external DNS server; use show ip domain to see the DNS server(s) used by this switch. If this number is lower than the number for Hosts, above, some hosts were not resolved.
bstnA# show nis domain
bstnA# show nis domain wwmed.com
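The NIS-update pass that nis domain and nis update describe (read the domain's netgroups, resolve each host at DNS, cache the result) and the counters that show nis domain reports from it, as an added Python example. The netgroup map lines and the DNS table are constructed, and the code is not the ARX's own; it assumes the standard netgroup map format of (host,user,domain) triples and nested netgroup names.

```python
import re

# Constructed NIS netgroup map (not from a real server): name, then triples or nested names.
NETGROUP_MAP = """\
medtechs  (lnx3.myorg.org,,) (lnx4.myorg.org,,)
nurses    (ws-nurse1.myorg.org,,) medtechs
admins    (mgmt.myorg.org,root,) (broken-entry
"""

# Constructed stand-in for the local DNS server (see show ip domain).
DNS_TABLE = {"lnx3.myorg.org": "192.168.70.11", "lnx4.myorg.org": "192.168.70.12",
             "mgmt.myorg.org": "192.168.70.2"}   # ws-nurse1 has no record on purpose

TRIPLE = re.compile(r"^\((?P<host>[^,()]*),(?P<user>[^,()]*),(?P<domain>[^,()]*)\)$")


def parse_netgroup_map(text):
    """Return {netgroup: members} and the number of entries that failed to parse.
    Members are hostnames, or "@name" for a nested netgroup reference."""
    groups, errors = {}, 0
    for line in text.splitlines():
        if not line.strip():
            continue
        name, *entries = line.split()
        members = []
        for entry in entries:
            m = TRIPLE.match(entry)
            if m:
                if m.group("host"):            # an empty host field names no machine
                    members.append(m.group("host"))
            elif re.fullmatch(r"[\w.-]+", entry):
                members.append("@" + entry)    # nested netgroup
            else:
                errors += 1                    # counted as a Netgroup Resolution Error
        groups[name] = members
    return groups, errors


def expand_hosts(groups, name, seen=None):
    """All hostnames in a netgroup, following nested references without looping."""
    seen = seen if seen is not None else {name}
    hosts = []
    for member in groups.get(name, []):
        if member.startswith("@") and member[1:] not in seen:
            seen.add(member[1:])
            hosts.extend(expand_hosts(groups, member[1:], seen))
        elif not member.startswith("@"):
            hosts.append(member)
    return hosts


def build_cache(text, dns):
    """Parse, expand and resolve the netgroups; return the cache and the show nis domain counters."""
    groups, errors = parse_netgroup_map(text)
    cache = {g: [(h, dns.get(h)) for h in expand_hosts(groups, g)] for g in groups}
    hosts = sum(len(v) for v in cache.values())
    resolved = sum(1 for v in cache.values() for _, ip in v if ip)
    return cache, {"Netgroups": len(groups), "Netgroup Resolution Errors": errors,
                   "Hosts": hosts, "Hosts Resolved": resolved}
```

A gap between Hosts and Hosts Resolved is the signal to check the DNS servers listed by show ip domain, since an unresolved host silently gets no rule in any access list that permits its netgroup.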
show nis netgroup domain [netgroup]
domain (1-256 characters) is the NIS domain you want to view.
netgroup (optional; 1-1024 characters) specifies a single netgroup. If you enter this, the command shows all hosts in the netgroup.
The summary form of the show nis netgroup command displays an alphabetical list of all netgroups defined for the domain. The ARX finds these at the back-end NIS servers; use show nis domain for a list of NIS servers.
The detailed form of the command shows a table with one row for each host found in the netgroup. The Hostname is the name found in the netgroup, and the IP Address is resolved at the local DNS server. Use show ip domain for a list of local DNS servers.
bstnA# show nis netgroup wwmed.com
bstnA# show nis netgroup wwmed.com medtechs