Hello again.
It was indeed an issue to do with NSRAUTH.
It seems whoever coded the new authentication system wanted to do:
1st - NSRAUTH (SSL etc) [7.3 scheme]
2nd - SUN RPC based auth [6 and earlier scheme]
3rd - nsrexecd portmapper auth [7.? -> 7.2 scheme]
Changing the allowed authentication methods from:
auth methods: "0.0.0.0/0,nsrauth/oldauth";
to
auth methods: "0.0.0.0/0,oldauth";
has resolved the problem.
If I meet the programmer, I might buy him a beer...or perhaps not.
Thanks anyway folk.
From
Will
Will Parsons wrote:
Good afternoon all,
I've got a case logged on this with EMC, but in case any of you who've
already moved to 733 have hit this, I thought I'd ask the list as well:
I carried out an upgrade of our Networker data zone yesterday from
7.2.1 to 7.3.3 (Master server + 3 storage nodes). We identified a
serious issue during testing: Backups of clients behind firewalls were
unable to run. Our environment has storage nodes behind the firewalls,
on the same network as the clients. The same symptom was observed on
both a Checkpoint NG1 cluster, and a CISCO firewall module.
The fault seems to stem from the fact that the Master server is now
trying to contact clients initially on TCP port 111 - the SUN RPC
portmapper. This has been blocked by our firewalls since the
implementation of Networker 7, and has never been required before. It
feels as if the code has reverted to a previous version - prior to
nsrexecd running its own portmapper on the clients.
As a temporary workaround, the firewalls have been configured to allow
this traffic on port 111. However, this does pose an increased
security risk, and will probably have to be reverted very soon.
I'm wondering if this is anything to do with the NSRAUTH/OLDAUTH setup?
Any thoughts??
From
Will Parsons
--
w.parsons AT leeds.ac DOT uk
UNIX Support
Information Systems Services
The University of Leeds
+44 113 343 5670
To sign off this list, send email to listserv AT listserv.temple DOT edu and type
"signoff networker" in the body of the email. Please write to networker-request
AT listserv.temple DOT edu if you have any problems with this list. You can access the
archives at http://listserv.temple.edu/archives/networker.html or
via RSS at http://listserv.temple.edu/cgi-bin/wa?RSS&L=NETWORKER