Solved

NFS Problems, Permission denied

Posted on 2004-09-23
Last Modified: 2013-12-05
Running OpenServer 5
To servers on the same subnet, connectivity is fine.  In scoadmin, when I go to backup manager, and try to pull up the other server, it gives me a permission denied.  If I try to copy a file from one to the other, I get permission denied as well.   I've edited hosts.equiv, and it looks good to me....but it still asks for a password when doing an rlogin from one server to the other.  Where else should I start digging?
Question by:wirthr
 
LVL 20

Expert Comment

by:tfewster
ID: 12138764
More detail on your setup, please!

> connectivity is fine.
Do you mean they can ping each other? Or that rlogin works on the same subnet?
Ensure both systems have entries in /etc/hosts for the other host - Especially if you have multiple NICs, the "connected" hostname must be in the hosts file, e.g. "hostname-lancard2   ip.address.of.lancard2"

> If I try to copy a file from one to the other, I get permission denied as well
I presume this is trying to copy a file from an NFS mount; The NFS share must be exported to give root equivalence to the NFS client if restricted files are to be read and/or deletes allowed.

> I've edited hosts.equiv
Are you trying to rlogin as a user defined on both servers, or as root? root usually needs an explicit /.rhosts file (same format as hosts.equiv) - root equivalence is denied by default on most Unixen

0
 
LVL 6

Author Comment

by:wirthr
ID: 12138802
/etc/hosts should be fine, I just rebuilt it today

yes, trying to copy a file from an nfs mount.  Not sure what you mean by nfs share must be exported....please explain if you could

and I telnet to server a, login as root, then rlogin to server b so your answer is yes, I am trying to rlogin as root.  I just checked .rhosts, looks good to me, rhost file for server a has           serverb.ourdomain.com    root

and vice versa.
0
 
LVL 6

Author Comment

by:wirthr
ID: 12138818
What else would you like to know about the setup?  Yes, they can ping, they are both on private ip's 192.168......, and both on the same cisco 2950 switch.   I can rlogin, telnet, and connect every way that I need to, just need to fix these stinkin permission errors.  Thanks for the help!
0
 
LVL 20

Expert Comment

by:tfewster
ID: 12138937
If the files you are trying to copy are RO for root and  no read permission for "other" users, when exporting the filesystem from the "server" you will have to explicitly grant root equivalence to the "client" with a line in /etc/exports  like "/dir/being/exported  root=client_hostname" .  Obviously this creates a security risk, which is why root equivalence is not the default.

 
> and I telnet to server a, login as root, then rlogin to server b so your answer is yes, I am trying to rlogin as root.  I just checked .rhosts, looks good to me, rhost file for server a has           serverb.ourdomain.com    root

This looks like you have created the .rhosts on the "source" system instead of the "target" - The /.rhosts on serverb needs the details of servera (possibly without the "ourdomain.com" extension);  As it is, I bet you can rlogin from serverb to servera without a password ;-)
0
 
LVL 6

Author Comment

by:wirthr
ID: 12138978
No, I can't rlogin without a password, that's the problem, it's the same on both servers, with the obvious exception.  I've tried it by hostname, fully qualified domain name, and by ip.  Doesn't seem to work.  When I make changes, do I have to restart something, or will that take effect right off the bat?
0
 
LVL 20

Expert Comment

by:tfewster
ID: 12141533
You don't need to restart anything.

Check /.rhosts does not have write permission for Group or Other and is owned by root.
0
 
LVL 6

Author Comment

by:wirthr
ID: 12143891
ok, did chmod go=w .rhosts
and
chown -R root .rhosts

on both servers a and b

still asks for a password to rlogin
0
 
LVL 20

Expert Comment

by:tfewster
ID: 12150088
> chmod go=w .rhosts

Needs to be chmod go-w .rhosts  (i.e. _remove_  write permission from group & other)

I prefer the absolute-mode syntax of chmod:
chmod 600 .rhosts
0
 
LVL 6

Author Comment

by:wirthr
ID: 12162455
ok, tried that, still doesn't work
0
 
LVL 20

Expert Comment

by:tfewster
ID: 12164543
Is the NFS access working OK now for root?  I forgot to mention that after editing /etc/exports, you have to re-export the "share" from the server with `exportfs -a`  and then unmount/remount it on the NFS client. If not, please post the line from /etc/exports where you export the directory (or filesystem) to be NFS mounted on the other server

On the rhosts issue, I'm not sure we're on the same wavelength here, so please run the following commands on each server and post the output; (By all means "obscure" any sensitive info like public IP addresses or real domain names, so long as it's done consistently)

hostname

grep `hostname` /etc/hosts

ls -l /.rhosts

cat /.rhosts

for HOST in `cat /.rhosts`
do
   grep $HOST /etc/hosts
done
0
 
LVL 6

Author Comment

by:wirthr
ID: 12164768
ok, haven't worried about the mounted share, rlogin still asks for a password, so I think that's the key.

on serverA        grep (serverA) /etc/hosts returns:

 xxx.xxx.xxx.84      serverA         serverA.domainname.com


on server A       grep (serverB) /etc/hosts returns:

xxx.xxx.xxx.77        serverB        serverB.domainname.com


On server B    grep (serverB) /etc/hosts returns:

xxx.xxx.xxx.77       serverB           serverB.domainname.com

on server B grep (serverA) /etc/hosts returns:

xxx.xxx.xxx.84      serverA         serverA.domainname.com


ls -l /.rhosts on server B returns:

# ls -l /.rhosts
-rw-------   1 root     sys          112 Sep 24 08:47 /.rhosts


On server A:

-rw-------   1 root     sys          112 Sep 24 08:55 /.rhosts

on server A:

cat /.rhosts returns:


# cat /.rhosts
serverB   root
serverA   root

on server B:

same exact as on server B


not sure exactly what you wanted me to do right here:

for HOST in `cat /.rhosts`
do
   grep $HOST /etc/hosts
done








0
 
LVL 20

Expert Comment

by:tfewster
ID: 12173612
All those settings look fine to me - so I'm out of ideas.  There's a faint possibility that rlogin authentication isn't resolving the hostname properly (e.g. if it's using DNS or NIS) - You could try putting the fully qualified domain name [serverX.ourdomain.com] in the .rhosts file (and/or the IP address, so you have 3 chances of matching the remote system ;-)

Or some other security setting is preventing the rhosts authentication being used, but I don't know how to test that.
0
 
LVL 6

Author Comment

by:wirthr
ID: 12173665
I have an internal dns server, should I pull the dns settings out of the sco boxes, so I can be sure it's using its own hosts file?  
0
 
LVL 6

Author Comment

by:wirthr
ID: 12173811
ok, so apparently it's not getting the correct info from dns, I took out the internal dns server ip, and now rlogin works.  So, any ideas there?
0
 
LVL 20

Expert Comment

by:tfewster
ID: 12173948
Aha!  We may be getting somewhere.  I guess your /etc/resolv.conf looks something like
hosts  dns [NOTFOUND=RETURN] files
So when the rlogin daemon tries to resolve the IP address to a hostname using DNS it doesn't find an entry - And it returns without checking /etc/hosts

With DNS disabled, the system _does_ check the hosts file & succeeds.


Obviously you want to keep using DNS;  So you can either change the line in /etc/resolv.conf to read
hosts  dns [NOTFOUND=CONTINUE] files                # (If not found in DNS, try the next info source)

or just put the hostname as returned by DNS into the /.rhosts file - I assume this is of the form "serverX.ourdomain.com"

0
 
LVL 6

Author Comment

by:wirthr
ID: 12174028
yeah, I tried that one, the fully qualified hostname in .rhosts

/etc/resolv.conf


nameserver         192.168.0.5
nameserver          207.xxx.xxx.xxx
nameserver          207.xxx.xxx.xxx



and that's all that's in there, exactly like that except for the correct ip addresses
0
 
LVL 20

Expert Comment

by:tfewster
ID: 12174182
Doh!  Sorry, I meant /etc/nsswitch.conf not resolv.conf
0
 
LVL 6

Author Comment

by:wirthr
ID: 12174206
don't have an /etc/nsswitch.conf
0
 
LVL 20

Accepted Solution

by:
tfewster earned 500 total points
ID: 12174479
Hmm - Checking the SCO docs, Openserver 5 doesn't seem to support nsswitch.conf - if DNS isn't running, it "knows" to change to /etc/hosts

man rlogind says
" 2. The server checks the client's source address and requests the corresponding host name (see gethostbyaddr(SLIB), hosts(SFF), and named(ADMN)). If the hostname cannot be determined, the dot-notation representation of the host address is used. "

But you already tried putting just the IP address in /.rhosts?


Alternatively, try adding a line to /etc/resolv.conf:
hostresorder local bind
(Tho' I'm not sure if this works for "reverse lookup" where we're trying to get a hostname from an IP address)
0
 
LVL 6

Author Comment

by:wirthr
ID: 12174619
thank you, thank you


that worked!

we win!!!!!
0
 
LVL 20

Expert Comment

by:tfewster
ID: 12174645
Hang on - What worked? The IP address in /.rhosts or modifying resolv.conf?

And we haven't fixed the NFS problem yet ;-)
0
 
LVL 20

Expert Comment

by:tfewster
ID: 12174711
Actually, NFS only checks /etc/hosts to resolve IP addresses to hostnames, so my previous comments should solve that problem:
- Grant root equivalence to the NFS "client" with a line in /etc/exports on the NFS server like "/dir/being/exported  root=client_hostname";
- On the server, run `exportfs -a` to re-share the directory with the new rules;
- (This may not be necessary, but on the NFS client, umount & then remount the NFS filesystem to ensure the new settings are picked up)
0
 
LVL 6

Author Comment

by:wirthr
ID: 12174900
lol, I did both, I put the ip address back in .rhosts, and added that line to resolv.conf.
0
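
The checks worked through by hand in this thread (no group/other write bit on /.rhosts, and an entry for whichever name rlogind ends up with for the peer: short name, fully qualified name, or dotted address) can be scripted. This is an added example, not part of the original thread; the function names are hypothetical, exact string matching of host names is an assumption, and the files are passed as parameters so it can run against copies of /.rhosts and /etc/hosts.

```shell
#!/bin/sh
# Added example (not from the thread); function names are hypothetical.

# rhosts_mode_ok FILE: succeed only if FILE is a regular file with no
# group/other write bit (the state "chmod go-w" or "chmod 600" leaves).
rhosts_mode_ok() {
    perms=$(ls -ld "$1" | awk '{print $1}')
    case "$perms" in
        -????-??-?*) return 0 ;;   # 6th and 9th characters are the g/o write bits
        *) return 1 ;;
    esac
}

# hosts_names_for IP HOSTSFILE: print every name the hosts file gives for IP.
hosts_names_for() {
    awk -v ip="$1" '
        $1 == ip {
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^#/) break      # stop at a trailing comment
                print $i
            }
        }' "$2"
}

# rhosts_has RHOSTS NAME USER: succeed if RHOSTS trusts USER from host NAME.
# Assumption: names are compared as exact strings; a line with no user
# field is treated as trusting the same-named account.
rhosts_has() {
    awk -v h="$2" -v u="$3" '
        $1 !~ /^#/ && $1 == h && (NF == 1 || $2 == u) { found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# rhosts_uncovered RHOSTS HOSTSFILE IP USER: print each form the peer could be
# seen as (every hosts-file name, then the dotted address) that RHOSTS lacks.
rhosts_uncovered() {
    for name in $(hosts_names_for "$3" "$2") "$3"; do
        rhosts_has "$1" "$name" "$4" || echo "$name"
    done
}
```

Any name printed by `rhosts_uncovered` is a form of the peer that would fall through to a password prompt if the resolver returned it; a name that comes only from DNS does not appear in the hosts file and has to be checked separately.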
