SUMMARY: Secure portmap on Digital Unix / Sun Automount Problems ....

From: Thomas Leitner (tom@finwds01.tu-graz.ac.at)
Date: Sat May 23 1998 - 14:39:32 CDT


Hi,

Now this was a tough one: With the help of Wietse Venema, the author of
the tcp_wrappers/secure portmap/rpcbind, I was able to track down what was
happening.

In a nutshell, there was/is a problem on both Digital Unix and Solaris.

First, the Solaris 2.5 automounter suddenly and with no apparent reason
started to use TCP for the NFS transport protocol rather than UDP.
And this is not consistent across mounts: I mean, the first one or
two mounts were using UDP and for the following mounts it insisted
on TCP. This is independent of the newly installed secure rpcbind under
Solaris. I *think* that the problem already started after I installed
the latest patch cluster but it was just not discovered until now. It
is also independent of whether or not the remote computer (the Alpha)
runs the new secure portmap.

Secondly, my Digital Unix 4.0D installation has TCP transport for NFS
disabled (NUM_TCPD=0 in /etc/rc.config) but still announces the NFS/TCP
transport availability via the portmapper. I consider this an inconsistency,
at least. From my point of view, if I don't offer NFS/TCP, the
portmapper should not list it either.

Now what happened is clear: The Solaris automounter tried to use NFS/TCP
to mount the Digital Unix filesystem. As there is no NFSD thread
for TCP running (-t 0 parameter to nfsd) it just plain hangs.

The solution is clear as well: On the Solaris side, I needed to force
the automounter to use UDP transport rather than TCP. I've never needed
to explicitly specify this before and I cannot quite reconstruct what
has led to this.

So I got something like this in my /etc/auto_home now:

/home/users -proto=udp,vers=3 alpha:/home/users

I can now run the secure portmap on all my server machines and still
use the automounter under Solaris.

BTW: While secure portmap/rpcbind is not perfect in keeping off RPC
hackers as they can guess the NFS ports even without it, it is a really
good first warning tool to indicate that a system is being attacked.

I get e-mails sent now as soon as someone is doing a "rpcinfo"
or "showmount" on one of my hosts.

So thanks again Wietse for providing this software and for helping
me to track down what happened.

Tom

---------------------- here's my original posting ------------------

From: Thomas Leitner <tom@finwds01.tu-graz.ac.at>
Cc: DEC Unix Managers <alpha-osf-managers@ornl.gov>,
    Wietse Venema <wietse@wzv.win.tue.nl>
Subject: Secure portmap on Digital Unix / Sun Automount Problems ....

Hi,

In an attempt to tighten our network security a bit, I've installed
the secure portmap process (ftp://ftp.win.tue.nl:/pub/security) on our
Digital Unix V4.0D machines, on our Ultrix machine as well as the Solaris
secure rpcbind counterpart under Solaris 2.5.

The Digital Unix Server is NFS exporting user home directories and
other stuff to the Solaris box where these things are auto-mounted.

The major problem I have currently is this: As soon as the Digital
Unix machine runs the secure portmap (version 4 or version 5 beta
makes no difference), the Solaris 2.5 automounter does not work
anymore! This is really weird as I can manually mount the remote
filesystem on the Solaris box without problems. Only the automounter
causes accesses to the remote filesystem to hang and "NFS server
not responding still trying" messages to appear in the logs.

Other machines like the Ultrix box and other Alphas, though
work flawlessly. Also their automounters mount the exported file
systems without problems.

On the other hand, the Ultrix box too is now running the secure portmap
as well and the Solaris box *can* auto-mount its exported file systems.

Only the Solaris 2.5 automounter doesn't seem to like the secure
portmap running on Digital Unix. It's only this particular combination
which causes the problems. BTW: This is independent of the Solaris' own
rpcbind process, whether running the secure version or the original
version. It makes no difference.

So: I'm currently stuck and need to stick with the original portmap
on our main NFS server.

Any clue for me anyone?

Thanks a lot // Tom

--------------------------------------------------------------------------
T o m L e i t n e r Dept. of Communications
                                            Graz University of Technology,
e-mail : tom@finwds01.tu-graz.ac.at Inffeldgasse 12
Phone : +43-316-873-7455 A-8010 Graz / Austria / Europe
Fax : +43-316-463-697
Home page : http://wiis.tu-graz.ac.at/people/tom.html
PGP public key on : ftp://wiis.tu-graz.ac.at/pgp-keys/tom.asc or send
mail with subject "get Thomas Leitner" to pgp-public-keys@keys.pgp.net
--------------------------------------------------------------------------
    Before we have the paperless office, we have the paperless toilet!
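
Added example, not part of the original message or of the secure portmap distribution: a small shell audit for the inconsistency described above, where the portmapper still lists NFS over TCP although nfsd runs with -t 0. The function names, the sample `rpcinfo -p` output and the listener list are constructed for illustration.

```shell
#!/bin/sh
# Flag NFS-over-TCP registrations in the portmapper that no listener backs.

# Constructed sample of `rpcinfo -p alpha` output; not captured from a real host.
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100005    1   udp   1026  mountd'

# Constructed list of TCP ports that have a listener on the server (for
# instance collected with netstat there). 2049 is absent: nfsd runs with -t 0.
SAMPLE_LISTENERS='111
1027'

# Reads rpcinfo -p text on stdin; prints "vers port" for every NFS
# (program 100003) registration over tcp.
nfs_tcp_registrations() {
    awk '$1 == 100003 && $3 == "tcp" { print $2, $4 }'
}

# Args: rpcinfo text, newline-separated listening TCP ports.
# Prints one STALE line per advertised NFS/TCP version without a listener.
# Returns 1 if any stale registration was found, 0 otherwise.
audit_nfs_tcp() {
    stale=0
    for reg in $(printf '%s\n' "$1" | nfs_tcp_registrations | tr ' ' ':'); do
        vers=${reg%%:*}
        port=${reg##*:}
        if ! printf '%s\n' "$2" | grep -qx "$port"; then
            echo "STALE: nfs v$vers advertised on tcp/$port, nothing listening"
            stale=1
        fi
    done
    return $stale
}

audit_nfs_tcp "$SAMPLE_RPCINFO" "$SAMPLE_LISTENERS" ||
    echo "clients that prefer TCP will hang on mount"
```

Against a live server, feed the first argument from `rpcinfo -p <host>` instead of the sample text.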


