Bug 168383

Summary: mountd / tcp_wrappers not honoring NIS netgroup
Product: Red Hat Enterprise Linux 4
Reporter: Joseph Kotran <jkotran>
Component: nfs-utils
Assignee: Steve Dickson <steved>
Status: CLOSED NOTABUG
QA Contact: Ben Levenson <benl>
Severity: medium
Priority: medium
Version: 4.0
CC: cfeist, chantra, herrold, jwest, tao
Hardware: i386
OS: Linux
Doc Type: Bug Fix
Last Closed: 2010-06-07 05:26:09 UTC

Description Joseph Kotran 2005-09-15 15:42:26 UTC
Description of problem:

Via tcp_wrappers and NIS we restrict access to desktop client NFS shares to
members of an NIS netgroup called @trusted_clients.  The Red Hat 4 mountd does
not honor netgroup membership.  As a workaround I had to switch to IP-based
access control.

Version-Release number of selected component (if applicable):

nfs-utils-1.0.6-46

How reproducible:

Every time

Steps to Reproduce:

1. NIS directory service required.  Netgroup should contain a list of trusted
computers.

2. tcp_wrappers should be configured as follows:

/etc/hosts.allow:

ALL EXCEPT sshd: 127.0.0.1 @trusted_clients
sshd: ALL
portmap: 192.168.2.0/255.255.248.0


/etc/hosts.deny:

ALL: ALL: spawn (/usr/sbin/safe_finger -l @%h | /bin/mail -s %d-%h root) &


3. Attempt to mount a Red Hat 4 NFS share from a trusted member of the netgroup.

Actual results:

On NFS client: Permission denied.

On the Red Hat 4 NFS share server: tcp_wrappers / mountd will deny the access
request and email the output of safe_finger to root.

Note: The safe_finger output reports the client via IP, short hostname, and
fully qualified DNS hostname:

mountd-192.168.2.10
mountd-elaine
mountd-elaine.foo.com


Expected results:

The NFS mount should succeed.


Additional info:

As a workaround I set up tcp_wrappers /etc/hosts.allow as follows:

ALL EXCEPT mountd sshd: 127.0.0.1 @trusted_clients
sshd: ALL
mountd: 192.168.2.0/255.255.248.0
portmap: 192.168.2.0/255.255.248.0
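
To make the matching in the steps above concrete, the following is an added example, not code from nfs-utils or tcp_wrappers, that models how hosts_access(5) evaluates the two rule sets posted in this report: hosts.allow is consulted first, then hosts.deny; "a EXCEPT b" matches a but not b; "@name" is a host-membership test against the netgroup; and "n.n.n.n/m.m.m.m" matches when the client address ANDed with the mask equals the net. The netgroup map, the client hosts elaine.foo.com (192.168.2.10) and pc-win.foo.com (192.168.4.20), and the "broken lookup" variant that models mountd never seeing the membership are all constructed assumptions for the demonstration.

```python
"""hosts_access(5) matching modelled for the rules in this report.

Added example; not nfs-utils or tcp_wrappers code.  The netgroup map and the
client hosts below are constructed for the demonstration.
"""
import ipaddress

# Constructed stand-in for the NIS netgroup map: name -> (host, user, domain)
# triples.  The empty list models a lookup that never returns the host, which
# is what the report observes for mountd.
NETGROUP_OK = {"trusted_clients": [("elaine.foo.com", "", ""), ("jerry.foo.com", "", "")]}
NETGROUP_BROKEN = {"trusted_clients": []}

# Rule sets exactly as posted in the report.
ORIGINAL_ALLOW = """
ALL EXCEPT sshd: 127.0.0.1 @trusted_clients
sshd: ALL
portmap: 192.168.2.0/255.255.248.0
"""
WORKAROUND_ALLOW = """
ALL EXCEPT mountd sshd: 127.0.0.1 @trusted_clients
sshd: ALL
mountd: 192.168.2.0/255.255.248.0
portmap: 192.168.2.0/255.255.248.0
"""
HOSTS_DENY = "ALL: ALL: spawn (/usr/sbin/safe_finger -l @%h | /bin/mail -s %d-%h root) &"


def parse_rules(text):
    """hosts.allow/hosts.deny text -> list of (daemon_tokens, client_tokens).

    Everything after the second ':' is a shell option (spawn, twist, ...) and
    takes no part in matching, so it is dropped here.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            fields = line.split(":")
            rules.append((fields[0].split(), fields[1].split()))
    return rules


def match_list(tokens, matches):
    """'a EXCEPT b' matches a but not b; a second EXCEPT groups to the right."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return match_list(tokens[:i], matches) and not match_list(tokens[i + 1:], matches)
    return any(matches(t) for t in tokens)


def _mask_int(mask):
    # Accept a dotted mask (255.255.248.0) or a prefix length (21).
    if mask.isdigit():
        return int(ipaddress.IPv4Network("0.0.0.0/" + mask).netmask)
    return int(ipaddress.IPv4Address(mask))


def unmatchable_netmask(token):
    """True when a net/mask token can never match: hosts_access(5) requires
    (addr & mask) == net, so a net with bits below the mask never equals it."""
    net, mask = token.split("/", 1)
    n = int(ipaddress.IPv4Address(net))
    return (n & _mask_int(mask)) != n


def client_matches(token, addr, host, netgroups):
    """One client_list token against the client's address and canonical FQDN."""
    if token == "ALL":
        return True
    if token.startswith("@"):  # netgroup: membership of the host field, by FQDN
        return host != "" and any(h == host for h, _u, _d in netgroups.get(token[1:], []))
    if "/" in token:  # net/mask, compared the way tcp_wrappers does it
        net, mask = token.split("/", 1)
        return (int(ipaddress.IPv4Address(addr)) & _mask_int(mask)) == int(ipaddress.IPv4Address(net))
    if token.startswith("."):  # domain suffix
        return host.endswith(token)
    if token.endswith("."):  # address prefix
        return addr.startswith(token)
    return token in (addr, host)


def hosts_access(daemon, addr, host, allow_text, deny_text, netgroups):
    """Return 'allow' or 'deny' in hosts.allow-then-hosts.deny order."""
    def hit(text):
        for daemons, clients in parse_rules(text):
            if match_list(daemons, lambda t: t in ("ALL", daemon)) and \
               match_list(clients, lambda t: client_matches(t, addr, host, netgroups)):
                return True
        return False
    if hit(allow_text):
        return "allow"
    if hit(deny_text):
        return "deny"
    return "allow"  # matched in neither file: tcp_wrappers grants access


def demo():
    """Replay the report's scenarios; returns scenario -> decision."""
    elaine = ("192.168.2.10", "elaine.foo.com")
    winbox = ("192.168.4.20", "pc-win.foo.com")  # constructed: same /21, not in the netgroup
    fixed = WORKAROUND_ALLOW.replace("192.168.2.0/", "192.168.0.0/")
    return {
        "orig/ng_ok/mountd/elaine": hosts_access("mountd", *elaine, ORIGINAL_ALLOW, HOSTS_DENY, NETGROUP_OK),
        "orig/ng_broken/mountd/elaine": hosts_access("mountd", *elaine, ORIGINAL_ALLOW, HOSTS_DENY, NETGROUP_BROKEN),
        "orig/ng_broken/sshd/elaine": hosts_access("sshd", *elaine, ORIGINAL_ALLOW, HOSTS_DENY, NETGROUP_BROKEN),
        "workaround_as_posted/mountd/elaine": hosts_access("mountd", *elaine, WORKAROUND_ALLOW, HOSTS_DENY, NETGROUP_BROKEN),
        "workaround_fixed_mask/mountd/elaine": hosts_access("mountd", *elaine, fixed, HOSTS_DENY, NETGROUP_BROKEN),
        "workaround_fixed_mask/mountd/winbox": hosts_access("mountd", *winbox, fixed, HOSTS_DENY, NETGROUP_BROKEN),
    }


if __name__ == "__main__":
    for scenario, decision in demo().items():
        print(f"{scenario:40s} {decision}")
```

Two things the replay makes visible. First, when the netgroup lookup does not return the client, the only rule that could have admitted mountd fails, nothing else in hosts.allow names mountd, and "ALL: ALL" in hosts.deny fires, which is exactly the spawn/safe_finger mail the reporter saw; sshd is unaffected because "sshd: ALL" matches it independently. On the server, "getent netgroup trusted_clients" shows what NSS returns for the map and "tcpdmatch mountd elaine.foo.com" evaluates the real files for that client; tcp_wrappers tests "@netgroup" against the canonical hostname from the reverse lookup, so the netgroup must list the host the way DNS returns it (elaine.foo.com, not elaine). Second, the IP-based workaround admits every address in the 192.168.0.0/21 to mountd, the Windows PC included, so from that point /etc/exports is the only control left; that is the trade-off the reporter's later comment objects to. Note also that hosts_access(5) defines the net/mask form as matching when net equals the address ANDed with the mask, so a rule written as 192.168.2.0/255.255.248.0 can never match any address (192.168.2.0 has a bit set that the /21 mask clears); unmatchable_netmask() flags that form, and demo() uses 192.168.0.0/255.255.248.0 for the fixed variant. Addresses in a public bug report are often altered, so this may not describe the reporter's live configuration, but it is worth checking before trusting such a rule.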

Comment 3 Joseph Kotran 2005-10-22 14:16:05 UTC
I understand that Red Hat advises customers to use iptables instead of TCP
Wrappers.  Please note that this suggestion is not valid for a corporate LAN
environment.  We are trying to prevent Windows clients from NFS mounting Linux
shares.  The Windows and Linux clients are in the same IP space / pool.

We would have to readdress to accommodate iptables usage.  That is not practical
because boxes often switch to / from Windows and other boxes are dual-booted.

- Joe Kotran

Comment 6 chantra 2007-11-04 17:36:09 UTC
Hi Joe,

Even though this bug report is 2 years old, I'm going to give it a try.

I think I encountered the same issue with the sshd service.
I set up netgroup to use an LDAP backend.
I found out that I needed to reload the service after the changes were made in
/etc/nsswitch.conf in order to have tcpd resolving the netgroup.

This does not happen on Fedora 7.  Any changes made are directly taken into
account (which is the expected behaviour).

Can you confirm this?