Managing NFS and NIS, 2nd Edition - Mike Eisler [94]
Security
Aside from lack of multivendor support, the other problem with NFS security flavors is that they become obsolete rather quickly. To mitigate this, IETF specified the RPCSEC_GSS security flavor that NFS and other RPC-based protocols could use to normalize access to different security mechanisms. RPCSEC_GSS accomplishes this using another IETF specification called the Generic Security Services Application Programming Interface (GSS-API). GSS-API is an abstract layer for generating messages that are encrypted or signed in a form that can be sent to a peer on the network for decryption or verification. GSS-API has been specified to work over Kerberos V5, the Simple Public Key Mechanism, and the Low Infrastructure Public Key system (LIPKEY). We will discuss NFS security, RPCSEC_GSS, and Kerberos V5 in more detail in Chapter 12.
The Secure Socket Layer (SSL) and IPSec were considered as candidates to provide NFS security. SSL wasn't feasible because it was confined to connection-oriented protocols like TCP, and NFS and RPC work over both TCP and UDP. IPSec wasn't feasible because, as noted in Section 7.2.7, NFS clients typically don't have a TCP connection per user, and it is hard, if not impossible, for an IPSec implementation to authenticate multiple users over a single TCP/IP connection.
Chapter 8. Diskless Clients
This chapter is devoted to diskless clients running Solaris. Diskless Solaris clients need not be served by Solaris machines, since many vendors have adopted Sun's diskless boot protocols. The current Solaris diskless client support relies entirely on NFS for root and swap filesystem service and uses NIS maps for host configuration information. Diskless clients are probably the most troublesome part of NFS. It is a nontrivial matter to get a machine with no local resources to come up as a fully functioning member of the network, and the interactions between NIS servers, boot servers, and diskless clients create many ways for the boot procedure to fail.
There are many motivations for using diskless clients:
They are quieter than machines with disks.
They are easier to administer, since there is no local copy of the operating system that requires updates.
When using fast network media, like 100Mb ethernet, diskless clients can perform faster if the server is storing the client's data in a disk array. The reason is that client workstations typically have one or two disk spindles, whereas if the client data can be striped across many, usually faster spindles, on the server, the server can provide better response.
In Solaris 8, support for the unbundled tools (AdminSuite) necessary to configure a server for diskless client support was dropped. As the Solaris 8 release notes stated:
Solstice AdminSuite 2.3 software is no longer supported with the Solaris 8 operating environment. Any attempt to run Solstice AdminSuite 2.3 to configure Solstice AutoClients or diskless clients will result in a failure for which no patch is available or planned. While it may be possible to manually edit configuration files to enable diskless clients, such an operation is not recommended or supported.
Setting up a diskless client from scratch without tools is very impractical. Fortunately, Solaris 8, 1/01 Update has been released, which replaces the unbundled AdminSuite with bundled tools for administering diskless support on the Solaris 8, 1/01 Update servers. Unfortunately, Solaris 8, 1/01 Update was not available in time to write about its new diskless tools in this book. Thus, the discussion in the remainder of this chapter focuses on diskless support in Solaris through and including Solaris 7.
NFS support for diskless clients
Prior to SunOS 4.0, diskless clients were supported through a separate distributed filesystem protocol called Network Disk, or ND. A single raw disk partition was divided into several logical partitions, each of which had a root or swap filesystem on it. Once an ND partition was created, changing a client's partition size entailed rebuilding the diskless