NFS Services Administrator's Guide (B1031-90072, March 2011)

share -F nfs -o root=Red:Blue:Green /var/mail

In this example, the /var/mail directory is shared. Root access is allowed for clients Red, Blue, and Green. Superusers on all other clients are considered unknown by the NFS server and are given the access privileges of an anonymous user. Non-superusers on all clients are allowed read-write access to the /var/mail directory if the HP-UX permissions on the /var/mail directory allow them read-write access.
Sharing a directory with root access for the superuser and read-write access for other users

share -F nfs -o rw=Red,root=Red /var/mail/Red

In this example, the /var/mail/Red directory is shared. Only the superuser on client Red is granted root access to the directory. All other users on client Red have read-write access if they are granted read-write access by the regular HP-UX permissions. Users on other clients have read-only access if they are allowed read access through the HP-UX permissions.
Sharing directories with anonymous users based on access rights given to the superuser

share -F nfs -o rw=Green,root=Green,anon=65535 /vol1/grp1/Green

In this example, superusers on host Green use uid 0 and are treated as root. The root users on other hosts (Red and Blue) are considered anonymous, and their uids and gids are re-mapped to 65535. The superusers on host Green are allowed read-write access. All other clients get read-only access.
Sharing directories with anonymous users based on access rights given to them

share -F nfs -o anon=200 /export/newsletter

In this example, the /export/newsletter directory is shared with all clients. Anonymous users are given the effective user ID 200. Other users retain their own user IDs (even if those IDs do not exist in the NFS server's passwd database).

Anonymous users are users who have not been authenticated, requests that use the AUTH_NONE security mode, or root users on hosts not included in the root= list. By default, anonymous users are given the effective user ID UID_NOBODY. If the anonymous user ID is set to -1, access is denied.

In this example, the ls command shows that a file created by a superuser (who is mapped to the anonymous ID) is owned by user ID 200. If a non-anonymous user with a non-zero user ID, for example 840, is allowed to create a file in this directory, the ls command shows that it is owned by user ID 840.
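The following shell function is an added example and is not part of the guide or of the HP-UX share(1M) command. It models only the root=, rw= and anon= rules described in the share examples above, so an administrator can check what effective uid and access mode a given client and uid would receive from a share option string before putting it in /etc/dfs/dfstab. The function name and the symbolic value UID_NOBODY (printed when no anon= option is given, because the guide names the default rather than a number) are assumptions; ro= lists, netgroups and the sec= option are not modelled.

```shell
#!/bin/sh
# Hypothetical helper (added example, not from the HP-UX guide).
# Given the -o option string of a share(1M) line, a client host name and a
# requesting uid, print the effective uid and access mode the NFS server
# would apply, following the rules in the text above:
#   root=list  uid 0 from listed clients stays 0; from other clients it
#              becomes the anonymous uid
#   rw=list    listed clients get read-write, all other clients read-only;
#              with no rw= list every client gets read-write
#   anon=N     uid used for anonymous requests; -1 denies them
# Output: "<uid> <rw|ro>", or "denied" with a non-zero exit status.

# Return 0 if $2 appears in the colon-separated list $1.
in_list() {
    _list=":$1:"
    case "$_list" in
        *":$2:"*) return 0 ;;
    esac
    return 1
}

# Print the value of option $2 from the comma-separated option string $1.
# Prints nothing (and still returns 0) if the option is absent.
opt_value() {
    _name="$2"
    _rest="$1,"
    while [ -n "$_rest" ]; do
        _item="${_rest%%,*}"
        _rest="${_rest#*,}"
        case "$_item" in
            "$_name="*) printf '%s\n' "${_item#*=}"; return 0 ;;
        esac
    done
    return 0
}

nfs_effective_access() {
    _opts="$1"; _client="$2"; _uid="$3"
    _root=$(opt_value "$_opts" root)
    _rw=$(opt_value "$_opts" rw)
    _anon=$(opt_value "$_opts" anon)
    # UID_NOBODY is the default named in the text; the numeric value is
    # deliberately not assumed here.
    [ -n "$_anon" ] || _anon=UID_NOBODY

    _euid="$_uid"
    # Superuser requests from hosts outside the root= list are re-mapped
    # to the anonymous uid; everyone else keeps their own uid.
    if [ "$_uid" -eq 0 ]; then
        if ! in_list "$_root" "$_client"; then
            _euid="$_anon"
        fi
    fi
    if [ "$_euid" = "-1" ]; then
        echo denied
        return 1
    fi

    # Access mode: read-write only for clients in rw=, or for everyone
    # when no rw= list is given; file modes still apply on top of this.
    if [ -z "$_rw" ] || in_list "$_rw" "$_client"; then
        _mode=rw
    else
        _mode=ro
    fi
    echo "$_euid $_mode"
}

# Usage: nfs_effective_access '<share options>' <client> <uid>
# e.g. nfs_effective_access 'rw=Green,root=Green,anon=65535' Red 0
#      prints "65535 ro" (root on Red becomes anonymous, read-only)
if [ "$#" -eq 3 ]; then
    nfs_effective_access "$@"
fi
```

Running the function over each share line in this section reproduces the outcomes the text describes: root on a client outside root= shows up as the anonymous uid, a client outside rw= is read-only, and anon=-1 turns anonymous requests into a denial rather than a downgrade.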
Secure Sharing of Directories

The share command enables you to specify a security mode for NFS. Use the sec option to specify the security mode. Table 4 describes the security modes of the share command.

Table 4 Security Modes of the share command

Security Mode   Description
sys             Uses the default authentication method, AUTH_SYS. The sys mode is a simple
                authentication method that uses UID/GID UNIX permissions, and is used by NFS
                servers and NFS clients using the version 2, 3, and 4 protocols.
dh              Uses the Diffie-Hellman public-key system and AUTH_DES authentication.
krb5            Uses the Kerberos V5 protocol to authenticate users before granting access to
                the shared file systems.
krb5i           Uses Kerberos V5 authentication with integrity checking to verify that the data
                is not tampered with while in transit between the NFS clients and servers.