Looks like I'm the victim of some of the "lore" that's surrounded the "anon" option for years.
dynamox (9 Legend, 20.4K Posts), December 16th, 2007 19:00
IanSchorr (117 Posts), December 16th, 2007 22:00
sarpydog (2 Intern, 360 Posts), December 16th, 2007 22:00
Thanks for your reply first.
EMC CS told me that I need to run the following command:
[nasadmin@emccs nasadmin]$ server_export server_2 -i -o rw=10.10.13.5:10.10.13.6:10.10.13.3:10.10.11.12,access=10.10.13.5:10.10.13.6:10.10.13.3:10.10.11.12,anon=0 /EMC_CHCS_MOD
server_2 : done
I cannot understand why I should add the anon=0 argument.
Dennis Dai
dynamox (9 Legend, 20.4K Posts), December 17th, 2007 07:00
Rainer_EMC (4 Operator, 8.6K Posts), December 17th, 2007 07:00
Attached is the document that Ian referred to.
It's a good guide to which options are actually needed - most admins use too many without real effect.
1 Attachment
NFS_exports.pdf
Rainer_EMC (4 Operator, 8.6K Posts), December 17th, 2007 07:00
In my view there is an "Attach Files" button between the "Preview" and the "Post Message" buttons that I just press.
dynamox (9 Legend, 20.4K Posts), December 17th, 2007 07:00
How do you attach documents to your posts?
IanSchorr (117 Posts), December 27th, 2007 10:00
I'd posted a message a while back, but what I described was not correct.
The "anon" option says "assign the root user a UID of x", where "x" is the value you've configured "anon" to be. This applies to anyone who's attempting to mount an FS and isn't in the "root=" list for that export.
People frequently use the option "anon=0" to allow the root user on ALL clients to have root privileges without having to manage a "root=" access list. It's shorthand to enable root access from all clients.
It does NOT provide non-root users root access, and does not affect any user other than root.
The reason that the param is called "anon" is historical, and doesn't originate with Celerra. Some early (and even some modern) NFS servers had the concept of "anonymous" users - ones that the NFS server didn't recognize. When these users attempted to access an export, they were translated to the "anonymous" (or "unknown", or "nobody") UID, which typically had restricted permissions to files.
For security reasons, "root user" was also assigned to this "anonymous" pool, unless overridden (say, by adding a "root=" option to the export to say that root access was allowed from a client). Usually you'd have a list of "trusted" systems, ones that were controlled by a known administrator, and for which root access was strictly controlled. Otherwise anyone could set up a rogue Unix system that they had root access to, connect to your NFS share, and do anything they wanted to the filesystem.
For the most part, the "anonymous" concept doesn't exist anymore, and Celerra has NO concept of it (with NFSv2 and v3 - there's a new "nobody" user and group in NFSv4 that has a similar meaning, but is something else). The only "anonymous" user is "root". That's true on most systems these days.
So when support recommended that you set "anon=0", it's because that allows root access to the root user on all clients. By default they don't, and you can also specify a manual list of clients that SHOULD get root access with the "root=" option.
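The root-UID mapping described in the post above, as an added example that is not part of the thread and is not EMC code: a small model that parses an export option string, reports the UID a request would run as, and flags anon=0. Assumptions: the default anonymous UID of 65534 is a placeholder, access= is treated as the list of clients allowed to mount, clients are matched as literal IP strings only, and the root=10.10.13.5 variant is constructed for comparison.

```python
DEFAULT_ANON_UID = 65534  # assumption: placeholder "nobody" UID, not from the thread


def parse_export_options(opts):
    """Split 'rw=a:b,access=a:b,anon=0' into {'rw': [...], 'anon': ['0'], ...}."""
    parsed = {}
    for item in opts.split(","):
        key, _, value = item.strip().partition("=")
        if key:
            parsed[key] = value.split(":") if value else []
    return parsed


def effective_uid(opts, client_ip, uid):
    """UID the server acts as for this request; None if the client may not mount."""
    o = parse_export_options(opts)
    # Assumption: access= limits which clients can mount at all.
    if "access" in o and client_ip not in o["access"]:
        return None
    if uid != 0:
        return uid  # per the post, anon never affects non-root users
    if client_ip in o.get("root", []):
        return 0  # client explicitly trusted via root= keeps UID 0
    anon = o.get("anon")
    return int(anon[0]) if anon else DEFAULT_ANON_UID


def audit(opts):
    """Return findings for export options that hand out root broadly."""
    o = parse_export_options(opts)
    findings = []
    if o.get("anon") == ["0"]:
        scope = ", ".join(o["access"]) if o.get("access") else "every client"
        findings.append("anon=0: root on " + scope + " keeps UID 0; "
                        "consider root=<trusted hosts> instead")
    return findings


# Option string from the thread, and a constructed alternative using root=.
THREAD_OPTS = ("rw=10.10.13.5:10.10.13.6:10.10.13.3:10.10.11.12,"
               "access=10.10.13.5:10.10.13.6:10.10.13.3:10.10.11.12,anon=0")
ROOT_LIST_OPTS = ("rw=10.10.13.5:10.10.13.6:10.10.13.3:10.10.11.12,"
                  "access=10.10.13.5:10.10.13.6:10.10.13.3:10.10.11.12,"
                  "root=10.10.13.5")

if __name__ == "__main__":
    for ip in ("10.10.13.5", "10.10.13.6"):
        print(ip, effective_uid(THREAD_OPTS, ip, 0), effective_uid(ROOT_LIST_OPTS, ip, 0))
    print(audit(THREAD_OPTS))
```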