NFS Problems, Permission denied

Running OpenServer 5
To servers on the same subnet, connectivity is fine.  In scoadmin, when I go to backup manager and try to pull up the other server, it gives me a permission denied.  If I try to copy a file from one to the other, I get permission denied as well.  I've edited hosts.equiv, and it looks good to me... but it still asks for a password when doing an rlogin from one server to the other.  Where else should I start digging?

Asked: wirthr

tfewster Commented:
More detail on your setup, please!

> connectivity is fine.
Do you mean they can ping each other? Or that rlogin works on the same subnet?
Ensure both systems have entries in /etc/hosts for the other host - Especially if you have multiple NICs, the "connected" hostname must be in the hosts file, e.g. "hostname-lancard2   ip.address.of.lancard2"

> If I try to copy a file from one to the other, I get permission denied as well
I presume this is trying to copy a file from an NFS mount; The NFS share must be exported to give root equivalence to the NFS client if restricted files are to be read and/or deletes allowed.

> Ive edited hosts.equiv
Are you trying to rlogin as a user defined on both servers, or as root? root usually needs an explicit /.rhosts file (same format as hosts.equiv) - root equivalence is denied by default on most Unixen

wirthr (Author) Commented:
/etc/hosts should be fine, I just rebuilt it today

yes, trying to copy a file from an nfs mount.  Not sure what you mean by nfs share must be exported....please explain if you could

and I telnet to server a, login as root, then rlogin to server b so your answer is yes, I am trying to rlogin as root.  I just checked .rhosts, looks good to me, rhost file for server a has           serverb.ourdomain.com    root

and vice versa.

wirthr (Author) Commented:
what else would you like to know about the setup?  Yes, they can ping, they are both on private ip's 192.168......, and both on the same cisco 2950 switch.   I can rlogin, telnet, and connect every way that I need to, just need to fix these stinkin permission errors.  Thanks for the help!

tfewster Commented:
If the files you are trying to copy are RO for root and  no read permission for "other" users, when exporting the filesystem from the "server" you will have to explicitly grant root equivalence to the "client" with a line in /etc/exports  like "/dir/being/exported  root=client_hostname" .  Obviously this creates a security risk, which is why root equivalence is not the default.

 
> and I telnet to server a, login as root, then rlogin to server b so your answer is yes, I am trying to rlogin as root.  I just checked .rhosts, looks good to me, rhost file for server a has           serverb.ourdomain.com    root

This looks like you have created the .rhosts on the "source" system instead of the "target" - The /.rhosts on serverb needs the details of servera (possibly without the "ourdomain.com" extension);  As it is, I bet you can rlogin from serverb to servera without a password ;-)

wirthr (Author) Commented:
no I can't rlogin without a password, that's the problem, it's the same on both servers, with the obvious exception.  I've tried it by hostname, fully qualified domain name, and by ip.  doesn't seem to work.  when I make changes, do I have to restart something, or will that take effect right off the bat?

tfewster Commented:
You don't need to restart anything.

Check /.rhosts does not have write permission for Group or Other and is owned by root.

wirthr (Author) Commented:
ok, did chmod go=w .rhosts
and
chown -R root .rhosts

on both servers a and b

still asks for a password to rlogin

tfewster Commented:
> chmod go=w .rhosts

Needs to be chmod go-w .rhosts  (i.e. _remove_  write permission from group & other)

I prefer the absolute-mode syntax of chmod:
chmod 600 .rhosts

wirthr (Author) Commented:
ok, tried that, still doesn't work

tfewster Commented:
Is the NFS access working OK now for root?  I forgot to mention that after editing /etc/exports, you have to re-export the "share" from the server with `exportfs -a`  and then unmount/remount it on the NFS client. If not, please post the line from /etc/exports where you export the directory (or filesystem) to be NFS mounted on the other server

On the rhosts issue, I'm not sure we're on the same wavelength here, so please run the following commands on each server and post the output; (By all means "obscure" any sensitive info like public IP addresses or real domain names, so long as it's done consistently)

hostname

grep `hostname` /etc/hosts

ls -l /.rhosts

cat /.rhosts

for HOST in `cat /.rhosts`
do
   grep $HOST /etc/hosts
done

wirthr (Author) Commented:
ok, haven't worried about the mounted share, rlogin still asks for a password, so I think that's the key.

on serverA        grep (serverA) /etc/hosts returns:

 xxx.xxx.xxx.84      serverA         serverA.domainname.com


on server A       grep (serverB) /etc/hosts returns:

xxx.xxx.xxx.77        serverB        serverB.domainname.com


On server B    grep (serverB) /etc/hosts returns:

xxx.xxx.xxx.77       serverB           serverB.domainname.com

on server B grep (serverA) /etc/hosts returns:

xxx.xxx.xxx.84      serverA         serverA.domainname.com


ls -l /.rhosts on server B returns:

# ls -l /.rhosts
-rw-------   1 root     sys          112 Sep 24 08:47 /.rhosts


On server A:

-rw-------   1 root     sys          112 Sep 24 08:55 /.rhosts

on server A:

cat /.rhosts returns:


# cat /.rhosts
serverB   root
serverA   root

on server B:

same exact as on server B


not sure exactly what you wanted me to do right here:

for HOST in `cat /.rhosts`
do
   grep $HOST /etc/hosts
done

tfewster Commented:
All those settings look fine to me - so I'm out of ideas.  There's a faint possibility that rlogin authentication isn't resolving the hostname properly (e.g. if it's using DNS or NIS) - You could try putting the fully qualified domain name [serverX.ourdomain.com] in the .rhosts file (and/or the IP address, so you have 3 chances of matching the remote system ;-)

Or some other security setting is preventing the rhosts authentication being used, but I don't know how to test that.

wirthr (Author) Commented:
I have an internal dns server, should I pull the dns settings out of the sco boxes, so I can be sure it's using its own hosts file?  

wirthr (Author) Commented:
ok, so apparently it's not getting the correct info from dns, I took out the internal dns server ip, and now rlogin works.  So, any ideas there?

tfewster Commented:
Aha!  We may be getting somewhere.  I guess your /etc/resolv.conf looks something like
hosts  dns [NOTFOUND=RETURN] files
So when the rlogin daemon tries to resolve the IP address to a hostname using DNS it doesn't find an entry - And it returns without checking /etc/hosts

With DNS disabled, the system _does_ check the hosts file & succeeds.


Obviously you want to keep using DNS;  So you can either change the line in /etc/resolv.conf to read
hosts  dns [NOTFOUND=CONTINUE] files                # (If not found in DNS, try the next info source)

or just put the hostname as returned by DNS into the /.rhosts file - I assume this is of the form "serverX.ourdomain.com"

wirthr (Author) Commented:
yeah, i tried that one, the fully qualified hostname in .rhosts

/etc/resolv.conf


nameserver         192.168.0.5
nameserver          207.xxx.xxx.xxx
nameserver          207.xxx.xxx.xxx



and that's all that's in there, exactly like that except for the correct ip addresses

tfewster Commented:
Doh!  Sorry, I meant /etc/nsswitch.conf not resolv.conf

wirthr (Author) Commented:
don't have an /etc/nsswitch.conf

tfewster Commented:
Hmm - Checking the SCO docs, Openserver 5 doesn't seem to support nsswitch.conf - if DNS isn't running, it "knows" to change to /etc/hosts

man rlogind says
" 2. The server checks the client's source address and requests the corresponding host name (see gethostbyaddr(SLIB), hosts(SFF), and named(ADMN)). If the hostname cannot be determined, the dot-notation representation of the host address is used. "

But you already tried putting just the IP address in /.rhosts?


Alternatively, try adding a line to /etc/resolv.conf:
hostresorder local bind
(Tho' I'm not sure if this works for "reverse lookup" where we're trying to get a hostname from an IP address)
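
The hand checks from this thread (write bits and ownership of /.rhosts, and whether each entry is a name a reverse lookup through the hosts file would return) can be scripted. This is an added example, not part of any post; `audit_rhosts`, `demo_audit` and the example.com names and addresses are made up for illustration.

```sh
# audit_rhosts RHOSTS HOSTS [OWNER]
# Prints one finding per line; returns 1 if any finding is a FAIL.
audit_rhosts() {
    rhosts=$1; hosts=$2; owner=${3:-root}; rc=0
    # Checks done by hand in the thread: no group/other write bit, and the
    # file is owned by the account it serves (root for /.rhosts).
    set -- $(ls -ld "$rhosts")
    perms=$1; fowner=$3
    case $(printf '%s' "$perms" | cut -c6,9) in
        *w*) echo "FAIL perms $perms: group or other can write"; rc=1 ;;
        *)   echo "OK   perms $perms" ;;
    esac
    if [ "$fowner" = "$owner" ]; then echo "OK   owner $fowner"
    else echo "FAIL owner $fowner, expected $owner"; rc=1; fi
    # Compare each entry with the hosts file. A reverse lookup answered from
    # the hosts file returns the first name on the line, so an entry that is
    # only an alias there does not match that answer.
    awk -v hf="$hosts" '
        BEGIN {
            while ((getline line < hf) > 0) {
                sub(/#.*/, "", line)
                n = split(line, f, " ")
                if (n < 2) continue
                official[f[2]] = f[1]
                for (i = 3; i <= n; i++) alias[f[i]] = f[2]
            }
        }
        NF == 0 || $1 ~ /^#/ { next }
        $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
            print "NOTE " $1 ": address entry, used when no name resolves"; next }
        ($1 in official) { print "OK   " $1 ": official name of " official[$1]; next }
        ($1 in alias) { print "WARN " $1 ": alias, hosts file answers " alias[$1]; next }
        { print "FAIL " $1 ": not in " hf; bad = 1 }
        END { exit bad + 0 }
    ' "$rhosts" || rc=1
    return $rc
}

# Demo on constructed files (names and addresses are made up).
demo_audit() {
    d=$(mktemp -d) || return 1
    printf '192.168.0.84 serverA serverA.example.com\n' > "$d/hosts"
    printf 'serverA root\nserverA.example.com root\nserverC root\n' > "$d/rhosts"
    chmod 600 "$d/rhosts"
    s=0; audit_rhosts "$d/rhosts" "$d/hosts" "$(ls -ld "$d/rhosts" | awk '{print $3}')" || s=$?
    rm -rf "$d"; return $s
}
```

A WARN line marks an entry that matches only when the resolver answers with that alias, which is the hosts-file versus DNS difference this thread runs into.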

wirthr (Author) Commented:
thank you, thank you


that worked!

we win!!!!!

tfewster Commented:
Hang on - What worked? The IP address in /.rhosts or modifying resolv.conf?

And we haven't fixed the NFS problem yet ;-)

tfewster Commented:
Actually, NFS only checks /etc/hosts to resolve IP addresses to hostnames, so my previous comments should solve that problem:
- Grant root equivalence to the NFS "client" with a line in /etc/exports on the NFS server like "/dir/being/exported  root=client_hostname";
- On the server, run `exportfs -a` to re-share the directory with the new rules;
- (This may not be necessary, but on the NFS client, umount & then remount the NFS filesystem to ensure the new settings are picked up)
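
Because a root= grant in /etc/exports gives a client root equivalence, it is worth listing every such grant and checking that the named client is one the hosts file knows, since the answer above says NFS resolves clients through /etc/hosts only. This is an added example, not part of any post; `root_exports`, `demo_root_exports` and the sample paths and hosts are made up, and the option syntax handled is an assumption stated in the comments.

```sh
# root_exports EXPORTS HOSTS
# Prints "DIRECTORY CLIENT STATUS" for every client given root access;
# STATUS is "listed" when CLIENT is a name in HOSTS, otherwise "unlisted".
# Assumed syntax: the root=client_hostname form quoted in the thread, with
# an optional leading "-", comma-separated options and a colon-separated
# client list. Check the exports manual page on the system being audited.
root_exports() {
    awk -v hf="$2" '
        BEGIN {
            # Collect every name the hosts file knows.
            while ((getline l < hf) > 0) {
                sub(/#.*/, "", l)
                n = split(l, f, " ")
                for (i = 2; i <= n; i++) known[f[i]] = 1
            }
        }
        { sub(/#.*/, "") }
        NF < 2 { next }
        {
            for (i = 2; i <= NF; i++) {
                opts = $i
                sub(/^-/, "", opts)
                m = split(opts, o, ",")
                for (j = 1; j <= m; j++) {
                    if (o[j] !~ /^root=/) continue
                    k = split(substr(o[j], 6), c, ":")
                    for (h = 1; h <= k; h++)
                        if (c[h] != "")
                            print $1, c[h], ((c[h] in known) ? "listed" : "unlisted")
                }
            }
        }
    ' "$1"
}

# Demo on constructed files (paths, names and addresses are made up).
demo_root_exports() {
    d=$(mktemp -d) || return 1
    printf '192.168.0.84 serverA\n192.168.0.77 serverB\n' > "$d/hosts"
    printf '/u/backup root=serverA:serverX\n/usr/share -ro\n' > "$d/exports"
    printf '/data -rw=serverB,root=serverB\n' >> "$d/exports"
    root_exports "$d/exports" "$d/hosts"
    rm -rf "$d"
}
```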

wirthr (Author) Commented:
lol, I did both, I put the ip address back in .rhosts, and added that line to resolv.conf.