When an NFS client accesses a share as root (a UNIX superuser), an NFS access list typically re-maps the user's identity to that of the anonymous user, which has very low access rights. This security feature is called root squashing. Use the anonymous-gid command to change the Group ID (GID) for the anonymous user.
Use the no form of the command to revert to the default GID for anonymous.
id (1-65535) is a group ID number that the access list uses when it squashes root access.
bstnA(gbl-nfs-acl[eastcoast])# anonymous-gid 100
sets the anonymous GID to 100.
When an NFS client accesses a share as root (a UNIX superuser), an NFS access list typically re-maps the user's identity to that of the anonymous user, which has very low access rights. This security feature is called root squashing. Use the anonymous-uid command to change the User ID (UID) for the anonymous user.
Use the no form of the command to revert to the default UID for anonymous.
id (1-65535) is a User ID number that the access list uses when it squashes root access.
bstnA(gbl-nfs-acl[eastcoast])# anonymous-uid 100
sets the anonymous UID to 100.
Use the no form of the command to remove a deny rule from the current access list.
deny ip-address mask
no deny ip-address mask
ip-address (0.0.0.0-255.255.255.255) is the address of the subnet to be denied access.
mask (0.0.0.0-255.255.255.255) is the netmask (the network part of the IP address).
You may have a situation where most of a large subnet should be permitted access to NFS, but some portions of the subnet should be denied access. From gbl-nfs-acl mode, use this command to add a deny rule for one subnet. Use the permit command to allow access for a subnet. Order is important; if a client matches both rules, only the first one is enforced.
bstnA(gbl-nfs-acl[eastcoast])# deny 192.168.77.0 255.255.255.0
bstnA(gbl-nfs-acl[eastcoast])# deny 192.168.202.0 255.255.255.0
bstnA(gbl-nfs-acl[eastcoast])# permit 192.168.0.0 255.255.0.0 read-write
denies access to two Class C subnets, but then permits access to any other IP inside their Class B supernet, 192.168.0.0/16.
Use the optional description command to include a descriptive string for an access list.
Use the no form of the command to remove the description from the current access list.
text (1-255 characters) is your description for the current access list. Surround the text with quotation marks (" ") if it contains any spaces.
bstnA(gbl-nfs-acl[eastcoast])# description "allowable subnets in MA, NY, & DC"
Use the ip address command to identify one NIS server for the current NIS domain.
Use the no form of the command to remove one NIS server from the list.
ip address address
no ip address address
You can enter this command multiple times to identify up to four servers for the same NIS domain. The switch uses the first server for all of its netgroup lookups, falling back on the rest in case the first server fails or times out. The servers are used in the order that they are defined; if the first server is unreachable, the switch tries the second server, and so on. Use show nis domain to see the current order of NIS servers.
bstnA(gbl-nis-dom[mydom.org])# ip address 192.168.78.55
bstnA(gbl-nis-dom[mydom.org])# no ip address 10.10.25.1
Use this command to create an access list (optional) for NFS services. An access list is a list of IP hosts to which you permit or deny access to the NFS service. You can use an NFS access list (or create additional ones) for any number of NFS services.
Use the no form of the command to remove an access list.
nfs-access-list list-name
no nfs-access-list list-name
list-name (1-64 characters) is a name you choose for the access list.
The CLI prompts for confirmation before creating a new NFS access list; enter yes to continue. (You can use terminal expert to eliminate confirmation prompts for creating new objects.)
When you configure an NFS service, you can optionally apply one NFS access list to the service. This command places you in gbl-nfs-acl mode, from which you can configure various permit and deny rules for specific subnets and/or NIS netgroups. For example, you could permit access from the subnet at 192.168.101.0 but deny access from all other subnets. By default, all subnets are denied any access. Use the permit (gbl-nfs-acl) and deny commands to add permit and deny access rules, respectively. To use NIS netgroups from your back-end servers, use nis domain to create a NIS domain on the switch, use nis domain (gbl-nfs-acl) to apply it to the access list, and use permit netgroup to allow access to the hosts in one netgroup.
When you use the no form of the command to remove an access list, you must first remove all references to the access list before you can remove the list itself.
bstnA(gbl)# no nfs-access-list testacl
Use the nis domain command to identify a Network Information System (NIS) domain to be used in one or more NFS access lists.
Use no nis domain to remove the NIS-domain configuration from the ARX.
nis domain domain
no nis domain domain
domain (1-256 characters) is the NIS-domain name (for example, company or company.com).
This command places you into gbl-nis-dom mode, where you use the ip address (gbl-nis-dom) command to identify at least one NIS server for the domain. After you specify one or more NIS servers, the ARX looks up all of the netgroups in the domain, then performs DNS lookups for all hostnames in those netgroups. The results are cached on the switch, to prevent excessive traffic between the switch and the DNS server; the show nis netgroup command shows the contents of this cache. Use nis update to refresh this cache by performing all of the necessary lookups.
The switch ignores all users and groups in these netgroups. As a proxy, the ARX does not authenticate specific users and groups; the back-end filers perform user/group authentications, and the switch passes the results back to the client.
bstnA(gbl)# nis domain wwmed.com
bstnA(gbl)# no nis domain testnis
Use the gbl-nfs-acl nis domain command to set the NIS domain for the current NFS access list.
Use no nis domain to remove the NIS domain from the access list.
nis domain domain
If you plan to use NIS groups in your NFS access list, you must identify the NIS domain with this command. Use show nis domain for a list of configured NIS domains, or use nis domain to create a new one. To view the netgroups in a domain, use show nis netgroup.
bstnA(gbl-nfs-acl[westcoast])# nis domain sfmed.com
bstnA(gbl-nfs-acl[midwest])# no nis-domain
The ARX caches a database of NIS netgroups and all of their DNS-resolved IP addresses. Use the nis update command to refresh this cache by querying the NIS server(s) and the local DNS server(s).
nis update [domain]
This command creates one report per updated domain. Each report is named nis-update.domain-name.rpt. Use show reports to list all reports, including NIS-update reports. To follow the progress of the NIS-update operation, you can use tail reports report-name follow. Use show reports file-name to read the report. You can search through the report with grep. To copy or delete it, use the copy or delete commands. If you want to truncate the report before it finishes, use the truncate-report command.
The show nis netgroup command shows the netgroups in a NIS domain, or the hosts in a particular netgroup. This is the contents of the current NIS-netgroup cache. The show nis domain command shows when the most-recent NIS update occurred.
In a redundant pair, the NIS update works independently on each peer. The output of show nis netgroup and the NIS reports therefore only apply to the current peer. The benefit of these redundant updates is that failovers do not incur any extra down time for NIS.
bstnA# nis update
bstnA# nis update wwmed.com
show nfs-access-list [list-name [resolve-netgroups]]
list-name (optional; 1-64 characters) is the access list you want to view.
resolve-netgroups (optional) expands the NIS netgroups. This shows every resolved host in every NIS netgroup, in order. Without this option, netgroups are summarized on a single line and counted as a single rule.
The show nfs-access-list command displays the following information:
Access List Name: The names of all configured access lists.
Anon UID: The anonymous User ID number assigned to root when root squashing is enabled (the default). You can change this with anonymous-uid.
Anon GID: The anonymous Group ID number assigned to root when root squashing is enabled (the default). Use anonymous-gid to edit this.
Num Rules: The number of permit and/or deny rules applied to this access list. This counts each NIS netgroup as a single rule; use the resolve-netgroups option to find the total count, including every host in every netgroup.
Num References: The number of times this access list is used by an NFS service(s).
If you enter a list name, the output also shows the description (gbl-nfs-acl) for the access list, if any, and the list's exact rules. The order is important; if a client matches two rules in the list, the switch follows the first rule and ignores the second.
Two additional fields appear at the bottom if you use the resolve-netgroups flag:
Number of entries in access list: The total number of rules, including each host in the expanded netgroups. An error appears above this field if the number of rules exceeds the maximum, 2048. Each host in a netgroup requires a rule, so large netgroups can cause an access list to exceed its maximum. Only the first 2048 rules are used.
Status line: A line that summarizes the results of resolving all NIS netgroups and each hostname in the netgroups.
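The two behaviours described above, first-match evaluation of ordered permit/deny rules (the deny/permit section) and the rule count with and without netgroup expansion against the 2048-rule maximum (resolve-netgroups), are shown together in this added Python model. It is an illustration written for this page, not ARX code. The netgroup membership is a constructed cache standing in for the switch's NIS/DNS lookups, and the assumption that a permit netgroup rule carries the same read-write/read-only mode as a permit subnet rule is the author's.

```python
"""First-match evaluation of an NFS access list with subnet and NIS-netgroup
rules, plus the summarized vs. expanded rule count. Added illustration only;
not ARX code. NETGROUP_CACHE is a constructed stand-in for the switch's cache."""
import ipaddress

MAX_RULES = 2048  # limit the ARX docs state for an expanded access list

# Constructed stand-in for the NIS netgroup cache: name -> resolved host IPs.
NETGROUP_CACHE = {
    "medtechs": ["192.168.77.10", "192.168.202.20", "10.5.5.5"],
}


def subnet_rule(action, address, mask, mode=None):
    """Build a 'permit'/'deny' rule for a subnet given as address + netmask."""
    net = ipaddress.IPv4Network(f"{address}/{mask}", strict=False)
    return {"action": action, "kind": "subnet", "net": net, "mode": mode}


def netgroup_rule(action, name, mode=None):
    """Build a rule that applies to every host in a NIS netgroup (mode assumed)."""
    return {"action": action, "kind": "netgroup", "name": name, "mode": mode}


def expand(rules, cache):
    """The resolve-netgroups view: one host rule per netgroup member, in order."""
    expanded = []
    for rule in rules:
        if rule["kind"] == "subnet":
            expanded.append(rule)
            continue
        for host in cache.get(rule["name"], []):
            expanded.append({"action": rule["action"], "kind": "subnet",
                             "net": ipaddress.IPv4Network(f"{host}/32"),
                             "mode": rule["mode"]})
    return expanded


def count_rules(rules, cache):
    """Return (summarized count, expanded count, over_limit flag)."""
    expanded = len(expand(rules, cache))
    return len(rules), expanded, expanded > MAX_RULES


def evaluate(rules, cache, client_ip):
    """Walk the expanded list in order; first match wins; default is deny.
    Only the first MAX_RULES expanded rules are consulted, as on the switch."""
    client = ipaddress.IPv4Address(client_ip)
    for rule in expand(rules, cache)[:MAX_RULES]:
        if client in rule["net"]:
            return rule["mode"] if rule["action"] == "permit" else "deny"
    return "deny"


def example():
    """The 'eastcoast' rules from the text, then the same rules reordered."""
    ordered = [subnet_rule("deny", "192.168.77.0", "255.255.255.0"),
               subnet_rule("deny", "192.168.202.0", "255.255.255.0"),
               subnet_rule("permit", "192.168.0.0", "255.255.0.0", "read-write"),
               netgroup_rule("permit", "medtechs", "read-write")]
    # Same rules with the broad permit first: the two denies never fire.
    reordered = ordered[2:3] + ordered[0:2] + ordered[3:]
    return {
        "77_net_ordered": evaluate(ordered, NETGROUP_CACHE, "192.168.77.5"),
        "other_b_ordered": evaluate(ordered, NETGROUP_CACHE, "192.168.5.5"),
        "outside_ordered": evaluate(ordered, NETGROUP_CACHE, "10.1.1.1"),
        "netgroup_host": evaluate(ordered, NETGROUP_CACHE, "10.5.5.5"),
        "77_net_reordered": evaluate(reordered, NETGROUP_CACHE, "192.168.77.5"),
        "counts": count_rules(ordered, NETGROUP_CACHE),
    }


if __name__ == "__main__":
    for key, value in example().items():
        print(f"{key}: {value}")
```

Running it shows the denied Class C subnets only stay denied while the deny rules precede the Class B permit, and that the summarized count (4) differs from the expanded count (6) once the netgroup is resolved. A netgroup with more than 2048 members pushes later rules past the limit, where they are silently ignored.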
bstnA# show nfs-access-list
bstnA# show nfs-access-list eastcoast
displays detailed information for this access list, including the permit and deny rules for the associated subnet(s) and/or netgroups. See Figure 19.3 on page 19-19 for sample output.
bstnA# show nfs-access-list eastcoast resolve-netgroups
show nis domain [domain-name]
domain-name (optional; 1-256 characters) is the NIS domain you want to view. If you omit this, the output displays a summary of all NIS domains configured on the switch.
The summary form of the show nis domain command displays the following information:
NIS Domain is the name of the NIS domain. Use the nis domain command to configure a new NIS domain, or change an existing one.
Last Update is the date and time that the ARX last updated its internal NIS database. This occurs when each NIS domain is first configured, and whenever someone issues the nis update command.
Status summarizes the results of the most-recent NIS update. This is Success, Updating, or Failed.
Last Successful Update is the date and time for the last NIS update that ended with a Success status.
Netgroups is the number of netgroups defined for this NIS domain.
Netgroup Resolution Errors is the number of netgroup entries that the switch failed to parse. These are typically malformed lines in the NIS server's configuration file for netgroups.
Hosts is the number of hosts found in all the netgroups.
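How the Netgroups, Netgroup Resolution Errors and Hosts counters can arise from a netgroup map is shown by this added Python parser. It is an illustration written for this page, not ARX code: it keeps only the host field of each (host,user,domain) triple, as the nis domain section says the switch ignores users and groups, follows nested netgroup references, resolves hostnames against a constructed DNS table, and counts malformed entries. The netgroup text, the hostnames and the addresses are all constructed, and the separate unresolved-hosts counter is the author's addition, not a field the page documents.

```python
"""Parse NIS netgroup map text into a host cache and the counters that
show nis domain reports. Added illustration, not ARX code; NETGROUP_TEXT
and DNS are constructed sample data."""
import re

# One netgroup member: (host,user,domain); empty fields are wildcards.
TRIPLE = re.compile(r"^\(([^,()]*),([^,()]*),([^,()]*)\)$")
NAME = re.compile(r"[A-Za-z0-9_.-]+")

# Constructed stand-in for the local DNS server.
DNS = {
    "mri1.wwmed.com": "192.168.77.10",
    "mri2.wwmed.com": "192.168.77.11",
    "lab-srv.wwmed.com": "192.168.202.20",
}

# Constructed netgroup map, one netgroup per line: name then members.
# 'broken' carries a four-field triple and a triple missing its '('.
NETGROUP_TEXT = """\
medtechs (mri1.wwmed.com,,) (mri2.wwmed.com,,) radiology
radiology (lab-srv.wwmed.com,jdoe,wwmed.com) (-,jdoe,) (ghost.wwmed.com,,)
broken (mri1.wwmed.com,,,) lab-srv.wwmed.com,,)
"""


def parse_netgroups(text):
    """Return ({name: [members]}, malformed_entry_count)."""
    groups, errors = {}, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, *members = line.split()
        parsed = []
        for token in members:
            match = TRIPLE.match(token)
            if match:
                parsed.append(("triple",) + match.groups())
            elif NAME.fullmatch(token):
                parsed.append(("ref", token))  # nested netgroup reference
            else:
                errors += 1  # neither a triple nor a netgroup name
        groups[name] = parsed
    return groups, errors


def hosts_in(groups, name, seen=None):
    """Hostnames in a netgroup, following nested refs; users/groups ignored."""
    seen = set() if seen is None else seen
    if name in seen:
        return []  # guard against a reference cycle
    seen.add(name)
    hosts = []
    for member in groups.get(name, []):
        if member[0] == "triple":
            host = member[1]
            if host and host != "-":  # '-' means no host in this triple
                hosts.append(host)
        else:
            hosts.extend(hosts_in(groups, member[1], seen))
    return hosts


def build_cache(text, dns):
    """Emulate one NIS update: returns (cache, stats). cache maps each
    netgroup to its (hostname, ip) rows; stats carries the summary counters."""
    groups, errors = parse_netgroups(text)
    for members in groups.values():
        errors += sum(1 for m in members if m[0] == "ref" and m[1] not in groups)
    cache, resolved, unresolved = {}, set(), set()
    for name in groups:
        rows = []
        for host in hosts_in(groups, name):
            ip = dns.get(host)
            if ip is None:
                unresolved.add(host)
                continue
            rows.append((host, ip))
            resolved.add(host)
        cache[name] = rows
    stats = {"netgroups": len(groups), "netgroup_resolution_errors": errors,
             "hosts": len(resolved), "unresolved_hosts": sorted(unresolved)}
    return cache, stats


if __name__ == "__main__":
    cache, stats = build_cache(NETGROUP_TEXT, DNS)
    print(stats)
    for group, rows in cache.items():
        print(group, rows)
```

With the constructed input, three netgroups are found, the two malformed tokens on the 'broken' line become two resolution errors, and three distinct hostnames resolve; the host with no DNS record contributes nothing to the cache, which is why a client in that netgroup would still be denied.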
bstnA# show nis domain
displays a list of all configured NIS domains. See Figure 19.5 for sample output.
bstnA# show nis domain wwmed.com
displays detailed information for the wwmed.com NIS domain. Figure 19.6 shows sample output.
show nis netgroup domain [netgroup]
domain (1-256 characters) is the NIS domain you want to view.
netgroup (optional; 1-1024 characters) specifies a single netgroup. If you enter this, the command shows all hosts in the netgroup.
The summary form of the show nis netgroup command displays an alphabetical list of all netgroups defined for the domain. The ARX finds these at the back-end NIS servers; use show nis domain for a list of NIS servers.
The detailed form of the command shows a table with one row for each host found in the netgroup. The Hostname is the name found in the netgroup, and the IP Address is resolved at the local DNS server. Use show ip domain for a list of local DNS servers.
bstnA# show nis netgroup wwmed.com
displays a list of all netgroups in the wwmed.com domain. See Figure 19.7 for sample output.
bstnA# show nis netgroup wwmed.com medtechs