We are trying to set up an internal firewall/gateway system that will
run cross network services for different components of the company. For
example, this system will keep mailboxes that people will use a POP-3
reader (like Eudora) to access. No internet access is allowed from this
sub-net, so there's no problems in that regard. This is purely an
intranet environment.
This box is a Sun running Solaris 2.4 (we could upgrade to Solaris 2.5
and plan to). It is set up to run a DNS (properly set in nsswitch.conf)
and since none of us are fans of NIS, we are not running NIS. This box
has been stripped of as many services as possible and we even replaced
the System V/Solaris line printer stuff for an lpd clone. The system
is running the latest, and patched, versions of sendmail and bind as
well as tcp_wrappers around other services. IP forwarding on this box
is turned off.
There is a need to allow NFS mounts from both sides to a sharable area.
Among the clients that need these NFS mounts are pee cees running Windoze
client software.
The problem is that under this configuration (using the DNS), we cannot
get the system to recognize system names without the domainname. For
example, if pc1 (a Windoze pee cee) is in the DNS to mount the
filesystem on gw1 (the Solaris box), the dfstab has to have the full
domainname (pc1.disclosure.com) in order to recognize pc1 as a "legal"
system. The system pc1 has to request the mount from gw1.disclosure.com
in order to do the mount.
This is OK except the dfstab gets unwieldy because of the long names, and
the pee cees running Novell's LanWorkplace NFS client are having a hard
time with those long names. (For now, dumping LWP for something better
is not an option.)
If we remove the DNS from the picture, the system names have to be in
the /etc/hosts file and the names WITHOUT the domainname must be the
first ones listed after the IP address.
Additionally, on systems on the trusted (Unix) side of the network, we
allow the Berkeley "r" commands. In order for them to work, the remote
.rhosts has to have the full name and domainname, and it does not work if I
put just the system name.
THEORY: This is a Sun-ism because of NIS. With everything hacked
because of NIS, I believe it's that code that is getting in our way. I
believe this because it behaves a lot like SunOS 4 before I go through
the motions to remove it from the system.
I would like to find out if (a) my theory is true, plausible, or I need
to re-examine it; (b) if it is NIS getting in my way, how to get it out
of my way; and (c) if it is not NIS, then what is it and how do I fix
it?
Let's keep this off the list and, if there's a request, I'll summarize
what I find and post it later.
THANKS!!
scott barman
--
scott barman              DISCLAIMER: I speak to anyone who will listen,
scott@disclosure.com      and I speak only for myself.
barman@ix.netcom.com
"Micro$oft and Windoze/NT will be the cause of the de-evolution of
network security just as the original PC and BASIC was the cause of
the de-evolution of programming." - scott barman
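One way to see why the short names stop matching once DNS answers the lookups: the check that NFS share lists and the r-commands perform is a plain string comparison against the client's canonical name, which the server obtains by reverse-resolving the client's address (gethostbyaddr), not against whatever the client calls itself. With DNS the PTR answer is a fully qualified name; with /etc/hosts the canonical name is the first name after the address and the rest are aliases. The script below models that comparison. It is example code added here, not from the original post, and its hosts table, reverse-zone data, share lines, user name and addresses are constructed; an nsswitch order of "hosts: files dns" is assumed for the lookup.

```python
"""Model of the host-name check behind NFS share lists and .rhosts.

Example code added after the post above; it is not from the original post.
A Unix server reverse-resolves the client's address to ONE canonical name
and compares that string against the access list. The hosts tables, PTR
data, share lines and addresses below are constructed for the demonstration.
"""

# Constructed /etc/hosts tables. The first name after the address is the
# canonical name that gethostbyaddr() returns; later names are aliases.
HOSTS_SHORT_FIRST = """
10.1.1.1    gw1 gw1.disclosure.com
10.1.1.20   pc1 pc1.disclosure.com
"""
HOSTS_FQDN_FIRST = """
10.1.1.1    gw1.disclosure.com gw1
10.1.1.20   pc1.disclosure.com pc1
"""

# Constructed reverse zone: DNS PTR answers are fully qualified names.
PTR = {"10.1.1.1": "gw1.disclosure.com", "10.1.1.20": "pc1.disclosure.com"}


def parse_hosts(text):
    """Map address -> [canonical, alias, ...] from /etc/hosts-style text."""
    table = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2:
            table[fields[0]] = fields[1:]
    return table


def canonical_name(addr, hosts=None, ptr=None):
    """gethostbyaddr() under 'hosts: files dns' (assumed): files answer first, then DNS."""
    if hosts and addr in hosts:
        return hosts[addr][0]
    if ptr and addr in ptr:
        return ptr[addr]
    return None


def share_access_list(share_line):
    """Collect the rw=/ro= host names from a share(1M)-style dfstab line."""
    toks = share_line.split()
    names = set()
    if "-o" in toks:
        for opt in toks[toks.index("-o") + 1].split(","):
            if opt.startswith(("rw=", "ro=")):
                names.update(opt[3:].split(":"))
    return names


def mount_allowed(client_addr, share_line, hosts=None, ptr=None):
    """True when the client's canonical name appears in the share's access list."""
    name = canonical_name(client_addr, hosts, ptr)
    return name is not None and name in share_access_list(share_line)


def rhosts_allowed(client_addr, remote_user, rhosts_text, hosts=None, ptr=None):
    """Same comparison for the r-commands: each .rhosts line is 'host [user]'."""
    name = canonical_name(client_addr, hosts, ptr)
    for raw in rhosts_text.splitlines():
        fields = raw.split()
        if not fields:
            continue
        host = fields[0]
        user = fields[1] if len(fields) > 1 else remote_user
        if host == name and user == remote_user:
            return True
    return False


if __name__ == "__main__":
    share_short = "share -F nfs -o rw=pc1 /export/shared"
    share_fqdn = "share -F nfs -o rw=pc1.disclosure.com /export/shared"
    # DNS only: the PTR answer is the FQDN, so only the long name matches.
    print(mount_allowed("10.1.1.20", share_short, ptr=PTR))   # False
    print(mount_allowed("10.1.1.20", share_fqdn, ptr=PTR))    # True
    # /etc/hosts with the short name first makes 'pc1' the canonical name.
    print(mount_allowed("10.1.1.20", share_short,
                        parse_hosts(HOSTS_SHORT_FIRST), PTR))  # True
    # The same file with the FQDN first: 'pc1' is only an alias and fails.
    print(mount_allowed("10.1.1.20", share_short,
                        parse_hosts(HOSTS_FQDN_FIRST), PTR))   # False
```

The model reproduces both behaviours described in the post: with DNS alone, only dfstab and .rhosts entries carrying the domain name match, and once /etc/hosts is consulted first, the short name matches only when it is the first name after the address. It deliberately ignores netgroups and the network-based access forms that later share(1M) versions accept.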