On Mon, Sep 26, 2005 at 07:43:07PM +0200, Bas van der Vlies wrote:
> After a day of debugging and restarting some servers, I have a strace
> of binding to the wrong server. Hopefully it is enough.
Right, this is great.
> sendto(7, "%$e\202\0\0\0\0\0\0\0\2\0\1\206\244\0\0\0\2\0\0\0\1\0\0"..., 52,
> 0, {sa_family=AF_INET, sin_port=htons(666),
> sin_addr=inet_addr("192.168.16.19")}, 16) = 52
> poll([{fd=7, events=POLLIN, revents=POLLERR}], 1, 1000) = 1
> recvmsg(7, {msg_name(16)={sa_family=AF_INET, sin_port=htons(666),
> sin_addr=inet_addr("192.168.16.19")},
> msg_iov(1)=[{"%$e\202\0\0\0\0\0\0\0\2\0\1\206\244\0\0\0\2\0\0\0\1\0\0"...,
> 52}], msg_controllen=44, {cmsg_len=44, cmsg_level=SOL_IP, cmsg_type=, ...},
> msg_flags=MSG_ERRQUEUE}, MSG_ERRQUEUE) = 52
> write(2, "Server for domain \'elsacafe\' doe"..., 44Server for domain
> 'elsacafe' doesn't answer.) = 44
The server doesn't reply or a network error occurs, forcing a rescan for
servers...
> sendto(6, "_\256\177o\0\0\0\0\0\0\0\2\0\1\206\240\0\0\0\2\0\0\0\5"..., 112,
> 0, {sa_family=AF_INET, sin_port=htons(111),
> sin_addr=inet_addr("10.0.19.255")}, 16) = 112
> sendto(6, "_\256\177o\0\0\0\0\0\0\0\2\0\1\206\240\0\0\0\2\0\0\0\5"..., 112,
> 0, {sa_family=AF_INET, sin_port=htons(111),
> sin_addr=inet_addr("192.168.19.255")}, 16) = 112
...the client broadcasts on both interfaces...
> recvfrom(6, "_\256\177o\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"...,
> 8800, 0, {sa_family=AF_INET, sin_port=htons(111),
> sin_addr=inet_addr("10.0.17.130")}, [16]) = 36
> socket(PF_FILE, SOCK_STREAM, 0) = 7
...but gets a reply which claims to be from 10.0.17.130 which isn't
supposed to do that.
However, I do have an idea what might be going wrong here: the broadcast
RPC call is proxied through portmap on the server boxes. Unfortunately,
when doing the onward call portmap appears to always send the request to
the localhost. This, of course, defeats the access checking in ypserv
since it sees the request as arriving from localhost.
Could you try configuring hosts.{allow,deny} for portmap to prevent
access to portmap via the infiniband network (if that is possible).
Doing something like:
portmap: 192.168.
in hosts.allow and
portmap: ALL
in hosts.deny on the servers should I think do the trick (again,
untested so this may not work).
--
"You grabbed my hand and we fell into it, like a daydream - or a fever."
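
Added example, not part of the original message: a Python decoder for the strace buffers quoted above, showing that the failed call goes straight to ypserv while the rescan is a portmapper broadcast using the indirect-call procedure, and that the reply from 10.0.17.130 carries the broadcast's transaction id. The program and procedure names are the standard ONC RPC assignments and are an assumption of this example, not something stated in the thread.

```python
import re
import struct

# Buffers copied from the strace output quoted in the message above.
DIRECT_CALL = r"%$e\202\0\0\0\0\0\0\0\2\0\1\206\244\0\0\0\2\0\0\0\1\0\0"
BROADCAST = r"_\256\177o\0\0\0\0\0\0\0\2\0\1\206\240\0\0\0\2\0\0\0\5"
REPLY = r"_\256\177o\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"

# Standard ONC RPC assignments (assumed here, not stated in the thread).
PROGRAMS = {100000: "portmapper", 100004: "ypserv"}
PROCEDURES = {(100000, 5): "PMAPPROC_CALLIT", (100004, 1): "YPPROC_DOMAIN"}
SIMPLE = {"n": "\n", "t": "\t", "r": "\r", "v": "\v", "f": "\f"}


def strace_unescape(text):
    """Convert a strace-quoted string body into the bytes it represents."""
    def repl(match):
        tok = match.group(1)
        if tok[0] in "01234567":          # \N, \NN or \NNN octal escape
            return chr(int(tok, 8))
        return SIMPLE.get(tok, tok)       # \n etc.; \\ \" \' map to themselves
    return re.sub(r"\\([0-7]{1,3}|.)", repl, text).encode("latin-1")


def parse_rpc(data):
    """Decode the fixed leading fields of an ONC RPC message (RFC 5531)."""
    if len(data) < 12:
        raise ValueError("too short for an RPC message")
    xid, mtype, third = struct.unpack(">3I", data[:12])
    if mtype == 1:                        # REPLY: third word is reply_stat
        return {"xid": xid, "type": "REPLY", "accepted": third == 0}
    if mtype != 0 or third != 2 or len(data) < 24:
        raise ValueError("not a complete RPC version 2 call header")
    prog, vers, proc = struct.unpack(">3I", data[12:24])
    return {"xid": xid, "type": "CALL", "version": vers,
            "program": PROGRAMS.get(prog, str(prog)),
            "procedure": PROCEDURES.get((prog, proc), str(proc))}


if __name__ == "__main__":
    for name in ("DIRECT_CALL", "BROADCAST", "REPLY"):
        print(name, parse_rpc(strace_unescape(globals()[name])))
```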