== How Solaris matches names in NFS exports Recently, I accidentally found out which of two options Solaris uses for matching names in NFS exports. As traditional, I did this by [[stubbing my toe ../sysadmin/SysadminAphorism]]. Given a name in an _/etc/dfs/sharetab_ line, there are two possible ways of checking if it matches an incoming NFS request: you could resolve the _sharetab_ name to its IP addresses and see if the request's IP address matched, or you could take the request's IP address and try to turn it into a hostname and see if the resolved hostname is the same. There are good reasons *and* complexities in both approaches, and I've run into software that does name checks both ways. (And when I wrote software that did tcpwrappers-style permissions checks I put in options to do *both* sorts of verification, which came in handy more than once.) It turns out that Solaris does _sharetab_ name checks by resolving incoming IP addresses to names (now that I look carefully at the share_nfs(1M) manpage, this is more or less implied by the phrasing of some stuff). I discovered this by adding DNS name resolution to a system that was NFS-exporting filesystems using a _sharetab_ something like this: > _/data - nfs ro=backup,root=backup_ When I added DNS name resolution to _/etc/nsswitch.conf_, I followed the example in the nsswitch.dns file and put '_dns_' before '_files_' in the _hosts:_ entry. The NFS mount the backup server was trying to do promptly broke. While the short name 'backup' was the name of the IP address in _/etc/hosts_, the system was now using DNS first, and DNS said that the name of the IP address was actually 'backup.*mumble*.utoronto.ca'. (I can be sure it was doing the IP to name check because a DNS lookup was happy to turn a plain 'backup' into the right IP address, due to an appropriate _domain_ directive in _/etc/resolv.conf_.) The bonus embarrassment is that our Linux nfsswitch.conf configuration is careful to check files before DNS, for much the same reason. I just didn't think about the issue when I was making the change on the Solaris machine.