Re: [CentOS] /etc/gai.conf fails to prefer IPv4 over IPv6 for NFS

2018-06-11 Thread Steve Rikli
In article <05fc7f7d-897a-8a6e-f91c-f79f8aefd...@gmail.com>,
Gordon Messmer wrote:
>On 06/09/2018 07:51 AM, Steve Rikli wrote:
>>
>> I had hopes for gai.conf as the more universal solution, but apparently
>> it's not usable here.
>
>gai.conf works as intended for most applications, here.  For example, if 
>I uncomment the block of "precedence" lines, and swap between "10" and 
>"100" for the last line, then "telnet www.google.com 80" will connect to 
>either the IPv4 or IPv6 address based on that value.  Have you verified 
>that works for you?  Do the results for that test not match the results 
>for NFS mounts?

That's correct -- to be clearer, gai.conf works as expected for other
things, but not what we wanted for the NFS automounter.

Thanks,
sr.

___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] /etc/gai.conf fails to prefer IPv4 over IPv6 for NFS

2018-06-09 Thread Steve Rikli
In article ,
Gordon Messmer wrote:
>On 06/08/2018 03:23 PM, Steve Rikli wrote:
>>
>> This seems the most likely explanation, I'd just like to know for certain
>> before I give up on gai.conf and resort to disabling IPv6 or other
>> workarounds (e.g. /etc/nfsmount.conf).
>
>Have you tried specifying "proto=tcp" as a mount option?  That *should* 
>limit the client to IPv4.

Yes -- that's the other workaround I tried successfully.  Either in
auto.master mount options for the map, or Defaultproto=tcp in nfsmount.conf
works as desired.

I had hopes for gai.conf as the more universal solution, but apparently
it's not usable here.

Thanks,
sr.


Re: [CentOS] /etc/gai.conf fails to prefer IPv4 over IPv6 for NFS

2018-06-08 Thread Steve Rikli
In article <669037eb-029c-eb3b-0c60-6a5121142...@gmail.com>,
Gordon Messmer wrote:
>On 06/08/2018 10:42 AM, Steve Rikli wrote:
>
>> I found posts from others in a similar situation, and proposed solutions
>> included modifying /etc/gai.conf to use:
>>
>> precedence ::ffff:0:0/96  100
>
> From my reading of that file, you'd need to uncomment all of the 
> default precedence lines, and modify the last one.  You couldn't use 
> that one line, alone.  It's hard to tell if that's what you did. 
> /etc/gai.conf would contain:
>
> precedence  ::1/128       50
> precedence  ::/0          40
> precedence  2002::/16     30
> precedence ::/96          20
> precedence ::ffff:0:0/96  100

Yes, I tried that permutation too.  Some posts claimed you only need the
last "100" precedence line, but I tried it both ways, as well as other
combinations, by following the file's comments.

> ...also of note is that gai.conf should only affect the getaddrinfo() 
> API.  If the client is using an older API like gethostbyname(), it won't 
> order DNS results correctly.

I suspect you're right; how to tell what system call is used by CentOS 6.9
NFS automounter?

I've watched the automounter daemon in foreground debug mode, and it does
show the NFS server mount attempt with IPv6 first, but the actual API call
name isn't displayed there.

This seems the most likely explanation, I'd just like to know for certain
before I give up on gai.conf and resort to disabling IPv6 or other
workarounds (e.g. /etc/nfsmount.conf).

Thanks,
sr.
-- 
|| Steve Rikli           ||| Well, we've stared at it... that oughta ||
|| Systems Administrator ||| fix it!  Let's get outta here.          ||
|| Genyosha Networks     |||                                         ||
|| s...@genyosha.net     |||   - Crow, MST3K                         ||
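
As an added illustration (not code from this thread or from glibc), the Python below models the precedence step of getaddrinfo() address sorting using the gai.conf "precedence" lines quoted above, and shows why the last line has to read 100 rather than the shipped 10 for the IPv4 answer to sort first. It applies only the precedence rule (RFC 6724 rule 6), not the source-address and scope rules a real resolver evaluates before it, and, as Gordon notes, none of this influences callers of gethostbyname(); the dual-stack answer for the NFS server is constructed.

```python
import ipaddress

# gai.conf "precedence" block as quoted in the thread, with the last line
# set to 100 so IPv4-mapped destinations outrank everything else.
GAI_CONF_PREFER_IPV4 = """
precedence  ::1/128       50
precedence  ::/0          40
precedence  2002::/16     30
precedence ::/96          20
precedence ::ffff:0:0/96  100
"""

# glibc's shipped default keeps the IPv4-mapped prefix at 10 (IPv6 wins).
GAI_CONF_DEFAULT = GAI_CONF_PREFER_IPV4.replace("/96  100", "/96  10")


def parse_precedence(text):
    """Return [(IPv6Network, value)] for the 'precedence' lines of a gai.conf."""
    table = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line.startswith("precedence"):
            continue
        _, prefix, value = line.split()
        table.append((ipaddress.IPv6Network(prefix), int(value)))
    # glibc keeps the table ordered by prefix length so the longest match wins.
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def as_ipv6(addr):
    """getaddrinfo scores IPv4 destinations as IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    ip = ipaddress.ip_address(addr)
    return ipaddress.IPv6Address("::ffff:" + str(ip)) if ip.version == 4 else ip


def precedence(addr, table):
    """Precedence value of the first (longest) prefix that contains addr."""
    ip = as_ipv6(addr)
    for network, value in table:
        if ip in network:
            return value
    return 0  # unreachable with a ::/0 row present, kept for a partial table


def sort_destinations(addrs, table):
    """Order candidate addresses by precedence, highest first."""
    return sorted(addrs, key=lambda a: precedence(a, table), reverse=True)


if __name__ == "__main__":
    # Constructed dual-stack DNS answer for a fictional NFS server: AAAA and A.
    candidates = ["2001:db8::10", "192.0.2.10"]
    for name, conf in (("default", GAI_CONF_DEFAULT), ("prefer IPv4", GAI_CONF_PREFER_IPV4)):
        print(name, sort_destinations(candidates, parse_precedence(conf)))
```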


[CentOS] /etc/gai.conf fails to prefer IPv4 over IPv6 for NFS

2018-06-08 Thread Steve Rikli
Using CentOS 6.9 with IPv4 configured, and _not_ disabling IPv6 yet, we
want this NFS client system to prefer the IPv4 address of a dual-stack
remote NFS server, which has both A and AAAA records in DNS.

Otherwise we get a minutes-long pause while automounter tries to mount
the IPv6 address -- I can see automounter's '/bin/mount' running, using
the AAAA record of the server, until that times out and the IPv4 address
of the server mounts successfully.

Disabling IPv6 altogether works around the problem as expected, but is
a bigger hammer than we wanted to use.  :-)

I found posts from others in a similar situation, and proposed solutions
included modifying /etc/gai.conf to use:

   precedence ::ffff:0:0/96  100

I cp'd /usr/share/doc/glibc-common-2.12/gai.conf to /etc/ and tried that,
with several other permutations (e.g. uncommenting other blocks of "label"
and "precedence" settings) but none achieved the desired effect.

Am I misunderstanding how this is supposed to work?

Cheers,
sr.
-- 
|| Steve Rikli           ||| Well, we've stared at it... that oughta ||
|| Systems Administrator ||| fix it!  Let's get outta here.          ||
|| Genyosha Networks     |||                                         ||
|| s...@genyosha.net     |||   - Crow, MST3K                         ||


Re: [CentOS] Odd issue with C6 and NIS

2011-10-06 Thread Steve Rikli
In article , John Hodrien wrote:
>On Thu, 6 Oct 2011, Steve Rikli wrote:
>
>> That's what I thought.  But doesn't that "lookup" account need to have
>> a published password (and likewise, hardcoded in scripts and config
>> files and whatnot) in order to do the LDAP querying without end-user
>> interactivity?
>
>Yes.  Either you're talking about a samba tdb file, a password in plain text,
>or a kerberos keytab file.  GSSAPI means you don't need to hardcode anything,
>as it just fishes around in your keytab.
>
>> Granted, we're talking about "public data" in this example (i.e. automount
>> map data) so security isn't a concern for that part; but the "lookup"
>> account could potentially be used for other means, yes?
>
>It can be used to do what you grant it access to do (but it can be
>constrained).  That's not worse than NIS.

Well, somewhat.  E.g. my NIS master doesn't need to publish a "passwd"
map in order to provide "auto.home" map or whatever, and I don't need
a "lookup" account to get at the required data in the case of NIS.

[ other useful info & ideas for research deleted for brevity ]

Thanks for the discussion & sharing the benefits of your experience,
John -- much appreciated.

Cheers,
sr.


Re: [CentOS] Odd issue with C6 and NIS

2011-10-06 Thread Steve Rikli
In article , John Hodrien wrote:
>On Thu, 6 Oct 2011, Steve Rikli wrote:
>
>> So, back to my original example of automount maps (which I've long thought
>> about implementing in LDAP but never pursued), how do you deal with the
>> situation of needing map(s) loaded, without an active user on the system
>> to authenticate the LDAP query with their username/password?
>
>> That is, NIS clients bind to the NIS server, and thereby have access to
>> auto.home map or what have you, whether a user ever logs into the client
>> system or not.  Automounter is functional and has the map data.
>
>You need an account that can do lookups.  Either you have one 'lookup' account
>that you share between multiple machines,

That's what I thought.  But doesn't that "lookup" account need to have
a published password (and likewise, hardcoded in scripts and config
files and whatnot) in order to do the LDAP querying without end-user
interactivity?

Granted, we're talking about "public data" in this example (i.e. automount
map data) so security isn't a concern for that part; but the "lookup"
account could potentially be used for other means, yes?

> or you do it AD style and have an account per machine.

OK for user workstations, impractical when you're talking about servers,
no?  Or do I misunderstand your example?

> As I do it, this auth is done with a kerberos keytab credential with
> GSSAPI.

Sounds like I would need to research that, then.  This replaces the
need for the "lookup" account, or augments it, or something else
entirely?

>> What's the functional equivalent for LDAP automount maps?
>
>Automount maps work just nicely in LDAP, there's a standard schema and you
>just populate the records and it works.

I grok'd that part; it was the "NIS binding" sort of equivalent behavior
that I was specifically interested in for LDAP.

Cheers,
sr.
-- 
|| Steve Rikli           ||| Every normal man must be tempted, at    ||
|| Systems Administrator ||| times, to spit on his hands, hoist the  ||
|| Genyosha Networks     ||| black flag, and begin slitting throats. ||
|| s...@genyosha.net     |||   - H. L. Mencken                       ||


Re: [CentOS] Odd issue with C6 and NIS

2011-10-06 Thread Steve Rikli
In article , John Hodrien wrote:
>...
>
>A good LDAP setup with nested groups, and GSSAPI just beats NIS over the head
>with a stick in terms of security, and once you've got a good LDAP
>infrastructure you start to discover just how many tools offer some form of
>LDAP integration.  Extending the schema to suit internal uses is also easy,
>and querying it from within your own apps/scripts is far from difficult.

Thanks, good perspective.

[ about to display ignorance of LDAP ... ]

So, back to my original example of automount maps (which I've long thought
about implementing in LDAP but never pursued), how do you deal with the
situation of needing map(s) loaded, without an active user on the system
to authenticate the LDAP query with their username/password?

That is, NIS clients bind to the NIS server, and thereby have access to
auto.home map or what have you, whether a user ever logs into the client
system or not.  Automounter is functional and has the map data.

What's the functional equivalent for LDAP automount maps?

Cheers,
sr.


Re: [CentOS] Odd issue with C6 and NIS

2011-10-06 Thread Steve Rikli
In article , John Hodrien wrote:
>On Wed, 5 Oct 2011, Steve Rikli wrote:
>
>> ...
>> I'll also readily agree I wouldn't want NIS on internet-facing systems,
>> but for things like automount maps on the internal corporate LAN, is
>> it really a catastrophic problem?
>
>The problem you get is when you compare it with LDAP.

Compare in what way?  What characteristics are you contrasting?  I'm
genuinely trying to understand the problem you're talking about for
the case I've presented, and pro-con from someone who has done both
would be appreciated.

Thanks,
sr.


Re: [CentOS] Odd issue with C6 and NIS

2011-10-05 Thread Steve Rikli
In article , Jim Perrin wrote:
>...
>Current versions of fedora do this as well, in addition to f15 having a
>buggy startup script for yp*. I agree with you that if you specify auth, the
>tools for it should be there.
>
>That said, NIS needs to die. Quickly.

Why?  I'll grant NIS is insecure at best for login auth, and should not
be used for that purpose (at least not outside the lab).

But for other purposes e.g. automount maps, NIS is simple and easy and
still functional.

I'll also readily agree I wouldn't want NIS on internet-facing systems,
but for things like automount maps on the internal corporate LAN, is
it really a catastrophic problem?

Cheers,
sr.
-- 
|| Steve Rikli           |||                                       ||
|| Systems Administrator ||| How can something that is almost 3 MB ||
|| Genyosha Networks     ||| in size be called a "kernel"?         ||
|| s...@genyosha.net     |||                                       ||