Controlling access to User Name Mapping

The authentication mechanism used by the network file system (NFS) protocol is based on trust relationships between host computers. That is, an NFS server accepts the user identifiers (UIDs) and group identifiers (GIDs) from a given client computer because the server is configured to recognize the client computer as trustworthy.

User Name Mapping acts as an intermediary between NFS servers and NFS clients on a network containing UNIX hosts and Windows computers. To maintain the implicit trust relationship between NFS client and host computers, it is essential that you control which computers can access User Name Mapping and hence act as a trusted host on the NFS network.

You control which computers can access User Name Mapping by editing a file named .maphosts in the %sfudir%\Mapper directory of the server running User Name Mapping. By adding entries to this file, you can permit or deny access to User Name Mapping by any other computer. If the .maphosts file is present and not empty, only those computers allowed access by entries in the file can access User Name Mapping. If the .maphosts file is present but empty (the default), no computer except the computer running User Name Mapping itself can access User Name Mapping. If the .maphosts file is not present, no computer can access User Name Mapping, including the computer running User Name Mapping itself.

The .maphosts file consists of a list of one or more of the elements described in the following table, each on a separate line. When matching a computer making a request against the elements in the list, User Name Mapping searches from the top down until it finds a match. Consequently, order is essential.

Element   Description

host      Specifies one or more computers that can access User Name Mapping. The host can be specified as an Internet Protocol (IP) address (IP version 4), or as a host name that resolves to one or more IP addresses.

host -    Specifies one or more computers that are denied access to User Name Mapping. The host can be specified as an IP address (IP version 4), or as a host name that resolves to one or more IP addresses. Note that there must be at least one blank space between host and the dash (-).

+         Specifies that all computers can access User Name Mapping unless disallowed by an earlier entry in the list. All entries in the list following this element are ignored.

-         Specifies that all computers are disallowed access to User Name Mapping unless allowed by an earlier entry in the list. All entries in the list following this element are ignored.

The # character can be used to add comments to the file; everything on a line following the # character is ignored.

Access by the computer running User Name Mapping (localhost) is always allowed unless it is specifically denied in the .maphosts file, or the .maphosts file is not present. In the case of a multihomed User Name Mapping server, access to the service running on other nodes from any of the nodes is also allowed, unless explicitly denied.

Examples

The following file allows access only by computers named mktg_nfs and sales_nfs:

mktg_nfs
sales_nfs
-

The following example file allows access by all computers except computers named rogue_host and hacker_wks:

rogue_host -
hacker_wks -
+

In the next example, rogue_host is denied access even though it appears in the list without a minus sign (-), because it follows a minus sign on its own line:

mktg_nfs
sales_nfs
-
rogue_host
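The following Python script is an added example, not part of the original documentation or of Services for UNIX. It implements the top-down, first-match evaluation of a .maphosts file as described above (comments after #, "host" and "host -" entries, the "+" and "-" terminators, the empty-file and missing-file cases) so that an administrator can check what a policy file will do before deploying it, and it reproduces the three example files from this page. Two simplifications are assumptions of this example rather than documented behaviour: host names are compared case-insensitively as literal strings (the real service resolves names to IP addresses), and "specifically denied" for localhost is taken to mean an explicit "host -" entry naming it, so a bare "-" line does not deny localhost. The function and class names (parse_maphosts, check_access, unreachable_entries, Entry) are this example's own.

```python
"""Offline evaluator for .maphosts access-control files (constructed example)."""
from __future__ import annotations
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Entry:
    kind: str                   # "host", "+" (allow all) or "-" (deny all)
    host: Optional[str] = None  # lower-cased host name or IPv4 literal when kind == "host"
    deny: bool = False          # True for a "host -" line


def parse_maphosts(text: str) -> List[Entry]:
    """Parse .maphosts text into ordered entries; '#' starts a comment, blank lines are skipped."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line in ("+", "-"):
            entries.append(Entry(line))
            continue
        parts = line.split()
        if len(parts) == 1:
            entries.append(Entry("host", parts[0].lower()))
        elif len(parts) == 2 and parts[1] == "-":   # "host -": the blank before '-' is required
            entries.append(Entry("host", parts[0].lower(), deny=True))
        else:
            raise ValueError(f"unrecognised .maphosts line: {raw!r}")
    return entries


def check_access(entries: List[Entry], requester: str, *,
                 file_present: bool = True, is_localhost: bool = False) -> Tuple[bool, str]:
    """Return (allowed, reason) for a requesting computer, scanning entries top down."""
    if not file_present:
        return False, "no .maphosts file: every computer is denied, including localhost"
    req = requester.lower()   # assumption: literal comparison, no DNS resolution
    for n, e in enumerate(entries, 1):   # n is the entry index, not the file line number
        if e.kind == "host":
            if e.host != req:
                continue
            if e.deny:
                return False, f"entry {n} ('{e.host} -') denies {requester}"
            return True, f"entry {n} ('{e.host}') allows {requester}"
        if e.kind == "+":
            return True, f"entry {n} ('+') allows all remaining computers"
        # e.kind == "-": deny everything not already matched
        if is_localhost:   # assumption: only an explicit "host -" entry denies localhost
            return True, f"entry {n} ('-') reached, but localhost is allowed unless explicitly denied"
        return False, f"entry {n} ('-') denies all remaining computers"
    if is_localhost:
        return True, "localhost is allowed unless explicitly denied"
    if not entries:
        return False, "empty .maphosts: only localhost is allowed"
    return False, f"no entry matches {requester}: denied"


def unreachable_entries(entries: List[Entry]) -> List[int]:
    """Indices (1-based) of entries after the first '+' or '-', which the service ignores."""
    for n, e in enumerate(entries, 1):
        if e.kind in ("+", "-"):
            return list(range(n + 1, len(entries) + 1))
    return []


if __name__ == "__main__":
    # The three example files from the documentation, embedded here as constructed input.
    examples = {
        "allow only two hosts": "mktg_nfs\nsales_nfs\n-\n",
        "deny two hosts, allow the rest": "rogue_host -\nhacker_wks -\n+\n",
        "entry after '-' is ignored": "mktg_nfs\nsales_nfs\n-\nrogue_host\n",
    }
    for title, text in examples.items():
        entries = parse_maphosts(text)
        print(f"== {title} ==")
        for host in ("mktg_nfs", "rogue_host", "other_box"):
            allowed, why = check_access(entries, host)
            print(f"  {host:12s} {'ALLOW' if allowed else 'DENY ':5s} {why}")
        if unreachable_entries(entries):
            print(f"  warning: entries {unreachable_entries(entries)} are never evaluated")
```

Run it on a candidate .maphosts before copying the file into %sfudir%\Mapper: unreachable_entries flags the trap the third example illustrates, where a host listed after the "-" line is silently ignored rather than allowed.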