
Mailing List Archive: nsp: ipv6

Netgroup support of ipv6 in Solaris/Linux



mhuff at ox

Jan 15, 2012, 1:50 PM

Post #1 of 9
Netgroup support of ipv6 in Solaris/Linux

So far, it appears that ipv6 breaks netgroups in both Solaris and Linux. Has anyone run into this or have a solution?

Basically if two machines both have IPv6 addresses even with fully resolvable inverse addresses, tools that depend on netgroups fail. Disabling ipv6 on either of the machines resolves the problem.

Any ideas?

----
Matthew Huff  | 1 Manhattanville Rd
Director of Operations   | Purchase, NY 10577
OTA Management LLC | Phone: 914-460-4039
aim: matthewbhuff  | Fax:   914-460-4139


ignatios at cs

Jan 16, 2012, 5:54 AM

Post #2 of 9
Re: Netgroup support of ipv6 in Solaris/Linux

On Sun, Jan 15, 2012 at 04:50:25PM -0500, Matthew Huff wrote:
> So far, it appears that ipv6 breaks netgroups in both Solaris and Linux. Has anyone run into this or have a solution?
>
> Basically if two machines both have IPv6 addresses even with fully resolvable inverse addresses, tools that depend on netgroups fail. Disabling ipv6 on either of the machines resolves the problem.

no problem here.

I use a NetBSD-5.99 server, until a year ago a Solaris10 server.
I use NetBSD-5 and Solaris10 clients.

Two services are using netgroups:

a)

passwd: compat
passwd_compat: nis

for password selection and

b) NFS filesystem exports.

It's no problem, but you have to make sure to put the fully
qualified domain name (maybe as well as the shortened) into the
netgroup, _as it comes out of reverse resolving_ - you might have
the same host in several domains (as we do) and the wrong one won't
do in netgroup for nfs access checking. (We're mounting a filesystem
for student home directories from the neighbour department, and had
that problem in the past.)

Regards,
-is
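
The check described in the post above, as an added example that is not part of the original thread: expand a netgroup and list the addresses whose reverse-resolved name is not a member. The group names, host names, addresses and PTR results are constructed, and the PTR table stands in for real reverse lookups so the block runs offline.

```python
import re

# Constructed netgroup source and PTR results (hypothetical hosts, documentation addresses).
NETGROUP = """\
labhosts (alpha.cs.example.edu,,) (beta,,) remote
remote   (gamma.math.example.edu,,)
"""
PTR = {
    "192.0.2.10": "alpha.cs.example.edu",
    "2001:db8::10": "alpha.example.edu",       # v6 PTR lands in another domain
    "2001:db8::20": "beta.cs.example.edu",     # netgroup only has the short name
    "2001:db8::30": "gamma.math.example.edu",
}


def netgroup_hosts(text, group, seen=None):
    """Return the host fields of `group`, following nested group references."""
    seen = set() if seen is None else seen
    if group in seen:                          # guard against reference loops
        return set()
    seen.add(group)
    hosts = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split(None, 1)
        if len(fields) < 2 or fields[0] != group:
            continue
        body = fields[1]
        for host, _user, _dom in re.findall(r"\(([^,()]*),([^,()]*),([^,()]*)\)", body):
            host = host.strip().lower()
            if host != "-":                    # "-" means no valid host
                hosts.add(host or "*")         # empty field matches any host
        for nested in re.sub(r"\([^)]*\)", " ", body).split():
            hosts |= netgroup_hosts(text, nested, seen)
    return hosts


def unmatched_addresses(ptr_map, text, group):
    """Map address -> reverse name for every address the netgroup would not match."""
    hosts = netgroup_hosts(text, group)
    if "*" in hosts:
        return {}
    return {addr: name for addr, name in ptr_map.items() if name.lower() not in hosts}


if __name__ == "__main__":
    for addr, name in sorted(unmatched_addresses(PTR, NETGROUP, "labhosts").items()):
        print(f"{addr} reverse-resolves to {name}, which is not in labhosts")
```
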


mhuff at ox

Jan 16, 2012, 6:27 AM

Post #3 of 9
RE: Netgroup support of ipv6 in Solaris/Linux

Both the short name and long name have been present for 15+ years. The ipv4 and ipv6 resolve both forward and backward to the same name. However, any combination linux to linux, linux to solaris, solaris to linux or solaris to solaris prompts for password if the destination server and source server have ipv6. Some are on different subnets so I know they aren't using link locals. I have also verified that the servers are not using temporary addresses.

If I disable ipv6 on either machine, netgroups work.

I'm stumped.



ignatios at cs

Jan 17, 2012, 2:52 AM

Post #4 of 9
Re: Netgroup support of ipv6 in Solaris/Linux

On Mon, Jan 16, 2012 at 09:27:51AM -0500, Matthew Huff wrote:

> Both the short name and long name have been present for 15+ years.
> The ipv4 and ipv6 resolve both forward and backward to the same name.
> However, any combination linux to linux, linux to solaris, solaris to
> linux or solaris to solaris prompts for password if the destination
> server and source server have ipv6. Some are on different subnets so I
> know they aren't using link locals. I have also verified that the
> servers are not using temporary addresses.

But... do the clients? I hear nowadays Linux can do that, for example.
The problem might be that the servers won't recognize the clients if
they come in via v6 from a temporary address.

(I had much ... fun ... diagnosing why Windows XP could lpr print on
our NetBSD server while Windows 7 (Vista?) couldn't...)

Do the servers have a useful log about why they refused to serve?

-is


mhuff at ox

Jan 17, 2012, 5:12 AM

Post #5 of 9
RE: Netgroup support of ipv6 in Solaris/Linux

By servers, I meant the NIS clients, sorry (They are both Linux and Solaris servers).

There are no logs that I can see (nothing is put in auth.* nor /var/log/messages)

----
Matthew Huff  | 1 Manhattanville Rd
Director of Operations   | Purchase, NY 10577
OTA Management LLC | Phone: 914-460-4039
aim: matthewbhuff  | Fax:   914-460-4139



ignatios at cs

Jan 17, 2012, 6:33 AM

Post #6 of 9
Re: Netgroup support of ipv6 in Solaris/Linux

On Tue, Jan 17, 2012 at 08:12:21AM -0500, Matthew Huff wrote:
> By servers, I meant the NIS clients, sorry (They are both Linux and Solaris servers).
>
> There are no logs that I can see (nothing is put in auth.* nor /var/log/messages)

Well... look on the NIS servers (of course) and if you can't find
anything in /var/log (or /var/adm for Solaris) increase the debugging
level. If you can't find out how, use snoop or tcpdump in verbose
setting to watch the traffic... you might have to slightly increase
capture size... it will decode the RPC packets and tell you the error
returned and the address used.

Regards,
-is


mhuff at ox

Jan 18, 2012, 6:52 AM

Post #7 of 9
RE: Netgroup support of ipv6 in Solaris/Linux

Found it.

Solaris doesn't do reverse lookups for ipv6 in DNS unless there is an entry for ipnodes in nsswitch.conf. Since we are probably using a template in jumpstart from years ago, we didn't have it.

Once we added:

ipnodes: files dns

Everything worked.



----
Matthew Huff  | 1 Manhattanville Rd
Director of Operations   | Purchase, NY 10577
OTA Management LLC | Phone: 914-460-4039
aim: matthewbhuff  | Fax:   914-460-4139
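
A way to catch the missing entry described in the post above before a template is deployed, as an added example that is not part of the original thread: parse a Solaris nsswitch.conf and report when `ipnodes` is absent or omits a source that `hosts` uses. The sample templates and the function names are constructed for illustration.

```python
import re

# Constructed samples: an old template without ipnodes, and the corrected one.
OLD_TEMPLATE = """\
passwd:        compat
passwd_compat: nis
hosts:         files dns
netgroup:      nis
"""
FIXED_TEMPLATE = OLD_TEMPLATE + "ipnodes:       files dns\n"


def parse_nsswitch(text):
    """Return {database: [sources]}, dropping comments and [STATUS=action] criteria."""
    databases = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        name, sources = line.split(":", 1)
        sources = re.sub(r"\[[^\]]*\]", " ", sources)
        databases[name.strip()] = sources.split()
    return databases


def audit_ipnodes(text):
    """List findings about the ipnodes entry relative to the hosts entry."""
    databases = parse_nsswitch(text)
    if "ipnodes" not in databases:
        return ["no ipnodes entry"]
    missing = [s for s in databases.get("hosts", []) if s not in databases["ipnodes"]]
    if missing:
        return ["ipnodes lacks sources that hosts uses: " + ", ".join(missing)]
    return []


if __name__ == "__main__":
    for label, text in (("old", OLD_TEMPLATE), ("fixed", FIXED_TEMPLATE)):
        print(label, audit_ipnodes(text) or "ok")
```
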



ignatios at cs

Jan 18, 2012, 7:55 AM

Post #8 of 9
Re: Netgroup support of ipv6 in Solaris/Linux

On Wed, Jan 18, 2012 at 09:52:48AM -0500, Matthew Huff wrote:
> Found it.

Ah, good!

> Solaris doesn't do reverse lookups for ipv6 in DNS unless there is an
> entry for ipnodes in nsswitch.conf. Since we are probably using a
> template in jumpstart from years ago, we didn't have it.
>
> Once we added:
>
> ipnodes: files dns
>
> Everything worked.

What about Linux? Or doesn't it run as NIS server?

-is


mhuff at ox

Jan 18, 2012, 8:45 AM

Post #9 of 9
RE: Netgroup support of ipv6 in Solaris/Linux

I haven't worked on the Linux boxes yet, but since I found the source of the problem on the Solaris box and it was an understandable fix, I now know it isn't a fundamental ipv6 incompatibility. I'll do some tcpdumps on Linux as well and I figure it is something similar.

----
Matthew Huff  | 1 Manhattanville Rd
Director of Operations   | Purchase, NY 10577
OTA Management LLC | Phone: 914-460-4039
aim: matthewbhuff  | Fax:   914-460-4139


