Sun Microsystems, Inc.
spacerspacer
spacer www.sun.com docs.sun.com |
spacer
black dot
 
 
15.  Remote File-System Administration (Tasks) Autofs Administration Task Overview How to Replicate Shared Files Across Several Servers  Previous   Contents   Next 
   
 

How to Apply Autofs Security Restrictions

  1. Become superuser or assume an equivalent role.

    For information about roles, see "Using Privileged Applications" in System Administration Guide: Security Services.

  2. Create the following entry in the name service auto_master file, either NIS or NIS+: 

    /home     auto_home     -nosuid

    The nosuid option prevents users from creating files with the setuid or setgid bit set.

    This entry overrides the entry for /home in a generic local /etc/auto_master file (see the previous example). The override happens because the +auto_master reference to the external name service map occurs before the /home entry in the file. If the entries in the auto_home map include mount options, the nosuid option is overwritten. Therefore, either no options should be used in the auto_home map or the nosuid option must be included with each entry.

    Note - Do not mount the home directory disk partitions on or under /home on the server.

How to Use a Public File Handle With Autofs

  1. Become superuser or assume an equivalent role.

    For information about roles, see "Using Privileged Applications" in System Administration Guide: Security Services.

  2. Create an entry in the autofs map such as the following:

    /usr/local     -ro,public    bee:/export/share/local

    The public option forces the public handle to be used. If the NFS server does not support a public file handle, the mount fails.

How to Use NFS URLs With Autofs

  1. Become superuser or assume an equivalent role.

    For information about roles, see "Using Privileged Applications" in System Administration Guide: Security Services.

  2. Create an autofs entry such as the following:

    /usr/local     -ro    nfs://bee/export/share/local

    The service tries to use the public file handle on the NFS server, but if the server does not support a public file handle, the MOUNT protocol is used.

Disabling Autofs Browsability

Starting with the Solaris 2.6 release, the default version of /etc/auto_master that is installed has the -nobrowse option added to the entries for /home and /net. In addition, the upgrade procedure adds the -nobrowse option to the /home and /net entries in /etc/auto_master if these entries have not been modified. However, you might have to make these changes manually or to turn off browsability for site-specific autofs mount points after the installation.

You can turn off the browsability feature in several ways. Disable the feature by using a command-line option to the automountd daemon, which completely disables autofs browsability for the client. Or disable browsability for each map entry on all clients by using the autofs maps in either a NIS or NIS+ name space. You can also disable the feature for each map entry on each client, using local autofs maps if no network-wide name space is being used.

How to Completely Disable Autofs Browsability on a Single NFS Client

  1. Become superuser or assume an equivalent role on the NFS client.

    For information about roles, see "Using Privileged Applications" in System Administration Guide: Security Services.

  2. Add the -n option to the startup script.

    As root, edit the /etc/init.d/autofs script and add the -n option to the line that starts the autmountd daemon:.

    /usr/lib/autofs/automountd -n \
                < /dev/null > /dev/console 2>&1  # start daemon

  3. Restart the autofs service. 

    # /etc/init.d/autofs stop
# /etc/init.d/autofs start

How to Disable Autofs Browsability for All Clients

To disable browsability for all clients, you must employ a name service such as NIS or NIS+. Otherwise, you need to manually edit the automounter maps on each client. In this example, the browsability of the /home directory is disabled. You must follow this procedure for each indirect autofs node that needs to be disabled.

  1. Add the -nobrowse option to the /home entry in the name service auto_master file. 

    /home     auto_home     -nobrowse

  2. On all clients: run the automount command.

    The new behavior becomes effective after you run the automount command on the client systems or after a reboot.

    # /usr/sbin/automount

How to Disable Autofs Browsability on a Selected File System

In this example, browsability of the /net directory is disabled. You can use the same procedure for /home or any other autofs mount points.

  1. Check the automount entry in /etc/nsswitch.conf.

    For local file entries to have precedence, the entry in the name service switch file should list files before the name service. For example:

    automount:  files nisplus

    This is the default configuration in a standard Solaris installation.

  2. Check the position of the +auto_master entry in /etc/auto_master.

    For additions to the local files to have precedence over the entries in the name space, the +auto_master entry must be moved below /net:

    # Master map for automounter
#
/net    -hosts     -nosuid
/home   auto_home
/xfn    -xfn
+auto_master

    A standard configuration places the +auto_master entry at the top of the file. This placement prevents any local changes from being used.

  3. Add the nobrowse option to the /net entry in the /etc/auto_master file. 

    /net     -hosts     -nosuid,nobrowse

  4. On all clients: run the automount command.

    The new behavior becomes effective after running the automount command on the client systems or after a reboot.

    # /usr/sbin/automount

Strategies for NFS Troubleshooting

When tracking down an NFS problem, remember the main points of possible failure: the server, the client, and the network. The strategy that is outlined in this section tries to isolate each individual component to find the one that is not working. In all situations, the mountd and nfsd daemons must be running on the server in order for remote mounts to succeed.

Note - The mountd and nfsd daemons start automatically at boot time only if NFS share entries are in the /etc/dfs/dfstab file. Therefore, you must start mountd and nfsd manually when you set up sharing for the first time.

The -intr option is set by default for all mounts. If a program hangs with a "server not responding" message, you can kill the program with the keyboard interrupt Control-c.

When the network or server has problems, programs that access hard-mounted remote files fail differently than those programs that access soft-mounted remote files. Hard-mounted remote file systems cause the client's kernel to retry the requests until the server responds again. Soft-mounted remote file systems cause the client's system calls to return an error after trying for awhile. Because these errors can result in unexpected application errors and data corruption, avoid soft mounting.

When a file system is hard mounted, a program that tries to access it hangs if the server fails to respond. In this situation, the NFS system displays the following message on the console: 

NFS server hostname not responding still trying

When the server finally responds, the following message appears on the console: 

NFS server hostname ok

A program that accesses a soft-mounted file system whose server is not responding generates the following message:

NFS operation failed for server hostname: error # (error_message)

Note - Because of possible errors, do not soft-mount file systems with read-write data or file systems from which executables are run. Writable data could be corrupted if the application ignores the errors. Mounted executables might not load properly and can fail.

 		 
 
  Previous   Contents   Next