>>>>>> "ea" == erik ableson <eable...@me.com> writes:
>>>>>> "dc" == Dennis Clarke <dcla...@blastwave.org> writes:
>
>     >> "rw,ro...@100.198.100.0/24", it works fine, and the NFS client
>     >> can do the write without error.
>
>     ea> I've found that the NFS host based settings required the
>     ea> FQDN, and that the reverse lookup must be available in your
>     ea> DNS.
>
> I found, oddly, the @a.b.c.d/y syntax works only if the client's IP
> has reverse lookup. I had to add bogus hostnames to /etc/hosts for
> the whole /24 because if I didn't, for v3 it would reject mounts
> immediately, and for v4 mountd would core dump (and get restarted)
> which you see from the client as a mount that appears to hang. This
> is all using the @ip/mask syntax.

I have LDAP and DNS in place for name resolution and NFS v4 works fine
with either format in the sharenfs parameter. Never seen a problem. The
Solaris 8 and 9 NFS clients work fine also.

>
> http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=6901832
>
> If you use hostnames instead, it makes sense that you would have to
> use FQDN's. If you want to rewrite mountd to allow using short
> hostnames, the access checking has to be done like this:
>
> at export time:
>   given hostname-> forward nss lookup -> list of IP's -> remember IP's
>
> at mount time:
>   client IP -> check against list of remembered IP's
>
> but with fqdn's it can be:
>
> at export time:
>   given hostname -> remember it
>
> at mount time:
>   client IP -> reverse nss lookup -> check against remembered list
>                   \-->forward lookup->verify client IP among results
>
> The second way, all the lookups happen at mount time rather than
> export time. This way the data in the nameservice can change without
> forcing you to learn and then invoke some kind of ``rescan the
> exported filesystems'' command or making mountd remember TTL's for its
> cached nss data, or any such complexity. Keep all the nameservice
> caching inside nscd so there is only one place to flush it! However
> the forward lookup is mandatory for security, not optional OCDism.
> Without it, anyone from any IP can access your NFS server so long as
> he has control of his reverse lookup, which he probably does. I hope
> mountd is doing that forward lookup!
>
>     dc> Try to use a backslash to escape those special chars like so :
>
>     dc> zfs set
>     dc> sharenfs=nosub\,nosuid\,rw\=hostname1\:hostname2\,root\=hostname2
>     dc> zpoolname/zfsname/pathname
>
> wth? Commas and colons are not special characters. This is silly.

Works real well.

-- 
Dennis
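
The mount-time flow described in the quoted message (reverse lookup, match against the export list, then the mandatory forward lookup) can be written out as follows. This is an added example, not part of the thread and not mountd's code; the name-service tables, hostnames and addresses are constructed, and `mount_allowed`, `reverse_lookup` and `forward_lookup` are hypothetical names.

```python
# Added example: mount-time access check with forward-confirmed reverse lookup.
# Constructed name-service data; every name and address here is made up.
REVERSE = {  # PTR data: set by whoever controls the client's IP block
    "192.0.2.10": "client1.example.com.",
    "203.0.113.66": "client1.example.com.",  # outside host claiming a trusted name
    "192.0.2.11": "client2.example.com.",
}
FORWARD = {  # address data: set by whoever controls example.com
    "client1.example.com": {"192.0.2.10"},
    "client2.example.com": {"192.0.2.12"},  # forward data disagrees with the PTR
}
EXPORTED_TO = {"client1.example.com", "client2.example.com"}  # remembered at export time


def reverse_lookup(ip):
    """Stand-in for a reverse nss lookup; returns a normalized FQDN or None."""
    name = REVERSE.get(ip)
    return name.rstrip(".").lower() if name else None


def forward_lookup(name):
    """Stand-in for a forward nss lookup; returns the set of addresses for name."""
    return FORWARD.get(name, set())


def mount_allowed(client_ip, exported_names, verify_forward=True):
    """Hypothetical check run at mount time, following the flow in the message."""
    name = reverse_lookup(client_ip)
    if name is None or name not in exported_names:
        return False  # no reverse entry, or the name is not in the export list
    if not verify_forward:
        return True  # reverse-only: trusts data the client's side may control
    # Forward confirmation: the claimed name must resolve back to this client IP.
    return client_ip in forward_lookup(name)


if __name__ == "__main__":
    for ip in ("192.0.2.10", "203.0.113.66", "192.0.2.11", "198.51.100.7"):
        print(ip, mount_allowed(ip, EXPORTED_TO, verify_forward=False),
              mount_allowed(ip, EXPORTED_TO))
```

With `verify_forward=False` the address whose PTR record merely claims `client1.example.com` is accepted; with the forward lookup enabled only `192.0.2.10` passes.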