Access lists allow us to group machines together when specifying share options. In fact, we've just shown the most common method of using them: a list of individual host names, similar to that shown below:

```
server# share -F nfs -o ro=helium:lithium /file/to/share
server#
```

An access list can be formatted in a number of other ways. These are shown in the table below. Any of the types in Table 18.5 can be used, so long as the list is colon-separated.

Table 18.5. Access List Types

| Type | Used For | Example |
|---|---|---|
| Host name | List of individual hosts | lithium |
| Netgroup | Name of an NIS netgroup map | some_machines |
| Network | Network name or IP address, identified by an "@" | @192.168.22 |
| DNS | Machines in a specific domain, identified by a "." | .sun.com |
| (Deny access) | Deny access to this type, identified by a "-" | -hydrogen |

Using this allows us to create quite a complicated access list. For example, to deny read-write access to lithium, allow all machines on the 192.168.22.0 network, allow any that are in the "some_machines" netgroup, and lastly include hydrogen, we could use something similar to the following syntax:

```
server# share -F nfs -o rw=-lithium:@192.168.22:some_machines:hydrogen /file/to/share
server#
```

Using Netgroups

Netgroups are a special case: they only work with NIS or NIS+, not "local files." For example, if NIS is configured on the network, the netgroup's map can be used to provide a series of machine or user names that can be used when sharing resources. It may prove easier to maintain an NIS map and plug the netgroup into the dfstab file, rather than adding every machine.

Each entry in the configuration file, /etc/netgroup, is defined as a set of triples consisting of the host name, user name, and the domain name. We're only concerned about machine-level access here, so we can ignore the other two entries in each triple.

To configure netgroups we would create the input file, /etc/netgroup, on the NIS server. This is only used as an intermediate file, to populate the NIS map. Next, we would build the maps following the steps explained in Chapter 12, "Naming Services and NIS." For example, if we wanted to create two netgroups to suit the machines on our two subnets, say, machines_22_net and machines_44_net, the /etc/netgroup file could be similar to that shown below:

```
nis server# cat /etc/netgroup
machines_22_net (hydrogen,,), (helium,,), (lithium,,) ... (n,,)
machines_44_net (tin,,), (iodine,,), (xenon,,) ... (n,,)
nis server# cd /var/yp
nis server# make
nis server#
```

Once the map has been built, it can be used within the share options, as shown below, as long as the NFS server was also configured for NIS:

```
helium# cat /etc/dfs/dfstab
share -F nfs -o rw=machines_22_net /data
share -F nfs -o ro=machines_44_net /data
helium#
```
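The following is an added example, not code from the original text: a small Python model of how a colon-separated access list is evaluated, useful for auditing what a share line really permits and for spotting "-" entries that can never take effect. It assumes the list is searched left to right and stops at the first matching entry (as documented for share_nfs), treats "@" entries as octet-aligned IPv4 prefixes (network names are not modeled), and uses constructed client addresses and a hypothetical membership for some_machines.

```python
import ipaddress

# Access list taken from the text; everything else here is constructed sample data.
PAGE_LIST = "-lithium:@192.168.22:some_machines:hydrogen"
NETGROUPS = {"some_machines": {"xenon", "iodine"}}   # hypothetical membership
CLIENTS = [  # (host name, FQDN, IP address), all constructed
    ("lithium", "lithium.example.com", "192.168.22.13"),
    ("helium", "helium.example.com", "192.168.22.11"),
    ("hydrogen", "hydrogen.example.com", "192.168.44.5"),
    ("tin", "tin.example.com", "192.168.44.20"),
    ("xenon", "xenon.example.com", "192.168.44.30"),
]

def network(spec):
    """'192.168.22' or '192.168.22.0/24' -> IPv4Network (octet-aligned if no /len)."""
    addr, _, plen = spec.partition("/")
    octets = [o for o in addr.split(".") if o]
    bits = int(plen) if plen else 8 * len(octets)
    octets += ["0"] * (4 - len(octets))
    return ipaddress.ip_network(".".join(octets) + "/" + str(bits), strict=False)

def matches(entry, host, fqdn, ip, netgroups):
    """True if one access-list entry (without any leading '-') covers the client."""
    if entry.startswith("@"):                      # network
        return ipaddress.ip_address(ip) in network(entry[1:])
    if entry.startswith("."):                      # DNS domain suffix
        return fqdn.lower().endswith(entry.lower())
    if entry in netgroups:                         # netgroup name
        return host in netgroups[entry]
    return entry == host                           # plain host name

def check_access(access_list, host, fqdn, ip, netgroups=NETGROUPS):
    """Return 'allow', 'deny' (hit a '-' entry) or 'no-match' (not listed)."""
    for entry in access_list.split(":"):
        deny = entry.startswith("-")
        if matches(entry[1:] if deny else entry, host, fqdn, ip, netgroups):
            return "deny" if deny else "allow"     # first match ends the search
    return "no-match"

def shadowed_denies(access_list, clients, netgroups=NETGROUPS):
    """Clients that a '-' entry names but an earlier entry already lets in."""
    denies = [e[1:] for e in access_list.split(":") if e.startswith("-")]
    return [c[0] for c in clients
            if check_access(access_list, *c, netgroups) == "allow"
            and any(matches(d, *c, netgroups) for d in denies)]

if __name__ == "__main__":
    for c in CLIENTS:
        print(c[0], check_access(PAGE_LIST, *c))
    print("shadowed:", shadowed_denies("@192.168.22:-lithium", CLIENTS))
```

With the list as written in the text, lithium is denied even though it sits on the allowed network, because "-lithium" comes first; reversing the order to `@192.168.22:-lithium` lets lithium in and the audit function reports the deny entry as shadowed.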