
Re: Network members



My apologies if current technology has made my response moot, but to the
best of my knowledge. . . 

On 03 Aug 2002, 12:06:10, Daniel D Jones wrote:
> 
> How does the system determine what computers belong to a network?  For
> example, given an exports entry like:
> 
> /share		*.domain.org
> 
> how does the system know whether a particular IP is part of that
> network?

It does reverse address lookups.  Assuming you use DNS and using your example
below, PTR records in the DNS database would be set up as follows:

117.z.x.y.in-addr.arpa.		IN		PTR			host117.domain.org
118.z.x.y.in-addr.arpa.		IN		PTR			host118.domain.org
119.z.x.y.in-addr.arpa.		IN		PTR			host119.domain.org
120.z.x.y.in-addr.arpa.		IN		PTR			host120.domain.org

These mappings are typically contained on your ISP's nameserver, and the
ISP has to maintain them for you.  Typically, they resolve to something ugly,
such as: client1.board.router.pop.isp.net . . . . some ISPs let you set
them yourself via a web-interface, or will take an email from you and enter
them by hand on your behalf . . . 

So, when the host sees an access from x.y.z.118 or x.y.z.119, it issues a
request for a reverse lookup on that IP address, and gets (hopefully) a name
back that it can compare to *.domain.org.

If it matches, access is allowed.

If you use /etc/hosts file instead, you need to have the name to address
mappings for all 4 hosts on all 4 workstations AND you have to be sure your
workstations are configured to use /etc/hosts before querying DNS.

> I have four static IPs x.y.z.117 - 120.  IP x.y.z.117 is sharing a
> directory with an entry similar to the above.  x.y.z.119 can access the
> share.  x.y.z.118 is explicitly denied - /var/logs/daemon.log shows an
> "Unauthorized access by NFS client x.y.z.118" and "Blocked attempt of
> x.y.z.118 to mount /share"
> 118 is listed by qualified and unqualified name in my hosts file.  I can
> ping 118name and 118name.domain.org successfully from the machine
> sharing the directory.
> 
> How do I tell it that x.y.z.118 is part of the domain, and why does it
> recognize x.y.z.119 but not x.y.z.118?

Since host119 can access, and host118 can't, if the /etc/hosts or DNS information
is correct, it sounds like permissions errors.  Can root on host118 access
/share without error?

You will need some way to keep usernames and UIDs (the numbers) and groupnames
and GIDs consistent across the systems.

madmac



-- 
Doug MacFarlane
madmac@covad.net


