Bug 168383 - mountd / tcp_wrappers not honoring NIS netgroup
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: nfs-utils
Version: 4.0
Platform: i386 Linux
Priority: medium
Severity: medium
Assigned To: Steve Dickson
Ben Levenson
Reported: 2005-09-15 11:42 EDT by Joseph Kotran
Modified: 2010-06-07 01:26 EDT
Doc Type: Bug Fix
Last Closed: 2010-06-07 01:26:09 EDT
Description Joseph Kotran 2005-09-15 11:42:26 EDT
Description of problem:

Via tcp_wrappers and NIS we restrict access to desktop client NFS shares to
members of an NIS netgroup called @trusted_clients.  The Red Hat 4 mountd does
not honor netgroup membership.  As a workaround I had to switch to IP-based
access control.

Version-Release number of selected component (if applicable):

nfs-utils-1.0.6-46

How reproducible:

Every time

Steps to Reproduce:

1. NIS directory service required.  Netgroup should contain a list of trusted
computers.

2. Tcp_wrappers should be configured as follows:

/etc/hosts.allow:

ALL EXCEPT sshd: 127.0.0.1 @trusted_clients
sshd: ALL
portmap: 192.168.2.0/255.255.248.0


/etc/hosts.deny:

ALL: ALL: spawn (/usr/sbin/safe_finger -l @%h | /bin/mail -s %d-%h root) &


3. Attempt to mount a Red Hat 4 NFS share from a trusted member of the netgroup.

Actual results:

On NFS client: Permission denied.

On the Red Hat 4 NFS share server: Tcp_wrappers / mountd will deny the access request
and email the output of safe_finger to root@foo.com.

Note: The safe_finger output reports the client via IP, short hostname, and
fully qualified DNS hostname:

mountd-192.168.2.10
mountd-elaine
mountd-elaine.foo.com


Expected results:

The NFS mount should succeed.


Additional info:

As a workaround I set up tcp_wrappers /etc/hosts.allow as follows:

ALL EXCEPT mountd sshd: 127.0.0.1 @trusted_clients
sshd: ALL
mountd: 192.168.2.0/255.255.248.0
portmap: 192.168.2.0/255.255.248.0
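To see what the hosts.allow / hosts.deny pair above decides for a given daemon and client, here is a small Python model of the hosts_access(5) matching rules (ALL, EXCEPT, @netgroup, net/mask), added as an example and not part of the bug report. A plain dict stands in for the NIS netgroup lookup; real tcp_wrappers resolves @netgroup through innetgr() against the client's reverse-resolved host name, so the netgroup entries must be spelled the way that lookup returns them (e.g. elaine.foo.com rather than elaine). Host names, addresses and verdicts are constructed, not output from the reporter's system.

```python
import ipaddress  # dotted-quad to int conversion only

# Constructed sample: the hosts.allow/hosts.deny pair from the bug report. The spawn
# command in hosts.deny is parsed but ignored; only daemon_list and client_list decide.
HOSTS_ALLOW = """\
ALL EXCEPT sshd: 127.0.0.1 @trusted_clients
sshd: ALL
portmap: 192.168.2.0/255.255.248.0
"""
HOSTS_DENY = "ALL: ALL: spawn (/usr/sbin/safe_finger -l @%h | /bin/mail -s %d-%h root) &\n"

def parse(text):
    """Yield (daemon_list, client_list) token lists; the optional third field is dropped."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            daemons, clients = line.split(":")[:2]
            yield daemons.split(), clients.split()

def ip(dotted):
    return int(ipaddress.IPv4Address(dotted))

def host_match(tok, host, addr, netgroups):
    """One client pattern, following hosts_access(5) / tcp_wrappers host_match()."""
    if tok == "ALL":
        return True
    if tok.startswith("@"):  # real tcpd: innetgr(tok[1:], <reverse-resolved host name>)
        return host in netgroups.get(tok[1:], set())
    if "/" in tok:           # net/mask: (addr & mask) == net, net is not normalised
        net, mask = tok.split("/", 1)
        return (ip(addr) & ip(mask)) == ip(net)
    return tok in (host, addr)  # exact host name or address (leading/trailing-dot forms omitted)

def list_match(tokens, match):
    """'list_1 EXCEPT list_2': matches list_1 unless the remainder (recursively) matches."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return list_match(tokens[:i], match) and not list_match(tokens[i + 1:], match)
    return any(match(t) for t in tokens)

def hosts_access(daemon, host, addr, netgroups, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """True if granted: first hosts.allow match grants, then hosts.deny match denies, else grant."""
    def rule_matches(daemons, clients):
        return (list_match(daemons, lambda t: t in ("ALL", daemon))
                and list_match(clients, lambda t: host_match(t, host, addr, netgroups)))
    for text, verdict in ((allow, True), (deny, False)):
        if any(rule_matches(d, c) for d, c in parse(text)):
            return verdict
    return True
```

A mountd request from a host the netgroup lookup does not return falls through to the hosts.deny ALL: ALL line, which is exactly the deny-plus-safe_finger mail the report describes. Note that tcp_wrappers compares (addr & mask) == net without normalising net, so a net part with bits set outside the mask (192.168.2.0 under 255.255.248.0) matches no address; 192.168.0.0/255.255.248.0 is the form that covers that /21.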
Comment 3 Joseph Kotran 2005-10-22 10:16:05 EDT
I understand that Red Hat advises customers to use iptables instead of TCP
Wrappers.  Please note that this suggestion is not valid for a corporate LAN
environment.  We are trying to prevent Windows clients from NFS mounting Linux
shares.  The Windows and Linux clients are in the same IP space / pool.

We would have to readdress to accommodate iptables usage.  That is not practical
because boxes often switch to / from Windows and other boxes are dual booted.

- Joe Kotran
Comment 6 chantra 2007-11-04 12:36:09 EST
Hi Joe,

Even though this bug report is 2 years old, I'm gonna give it a try.

I think I encountered the same issue with sshd service.
I set up netgroup to use an LDAP backend.
I found out that I needed to reload the service after the changes were made in
/etc/nsswitch.conf in order to have tcpd resolving the netgroup.

This does not happen on Fedora 7.  Any changes made are directly taken into
account (which is the expected behaviour).

Can you confirm this?
