PCNFSD(8C)
NAME
pcnfsd - (PC)NFS authentication and print request server
SYNOPSIS
/usr/contrib/bin/pcnfsd
AVAILABILITY
This program is freely redistributable.
DESCRIPTION
pcnfsd is an RPC server that supports ONC clients on PC
(DOS, OS/2, Macintosh, and other) systems. This page
describes version two of the pcnfsd server.
pcnfsd may be started from /etc/rc.local or by the
inetd(8) superdaemon. It reads the configuration file
/etc/pcnfsd.conf if present, and then services RPC
requests directed to program number 150001. This release
of the pcnfsd daemon supports both version 1 and version 2
of the pcnfsd protocol. Consult the rpcgen source file
pcnfsd.x for details of the protocols.
The requests serviced by pcnfsd fall into three categories:
authentication, printing, and other. Only the
authentication and printing services have administrative
significance.
AUTHENTICATION
When pcnfsd receives a PCNFSD_AUTH or PCNFSD2_AUTH
request, it will "log in" the user by validating the username
and password and returning the corresponding uid,
gids, home directory, and umask. If pcnfsd was built with
the WTMP compile-time option, it will also append a record
to the wtmp(5) data base. If you do not wish to record PC
"logins" in this way, you should add a line of the form
wtmp off
to the /etc/pcnfsd.conf file.
By default, pcnfsd will only allow authentication or print
requests for users with uids in the range 101 to 60002.
(This corresponds in SVR4 to the range for non-system
accounts.) To override this, you may add a line of the
form
uidrange range[,range]...
to the /etc/pcnfsd.conf file. Here, each range is of the
form
uid
or
uid-uid
indicating an inclusive range.
PRINTING
pcnfsd supports a printing model based on the use of NFS
to transfer the actual print data from the client to the
server. The client system issues a PCNFSD_PR_INIT or
PCNFSD2_PR_INIT request, and the server returns the path to a
spool directory which the client may use and which is
exported by NFS. pcnfsd creates a subdirectory for each
of its clients: the parent directory is normally
/usr/spool/pcnfs and the subdirectory is the hostname of
the client system. If you wish to use a different parent
directory, you should add a line of the form
spooldir path
to the /etc/pcnfsd.conf file.
Once a client has mounted the spool directory using NFS
and has transferred print data to a file in this directory,
it will issue a PCNFSD_PR_START or PCNFSD2_PR_START
request. pcnfsd handles this, and most other print-related
requests, by constructing a command based on the
printing services of the server operating system and
executing the command using the identity of the PC user.
Since this involves set-user-id privileges, pcnfsd must be
run as root.
Every print request from the client includes the name of
the printer which is to be used. In SunOS, this name
corresponds to a printer definition in the /etc/printcap(5)
database. If you wish to define a non-standard way of
processing print data, you should define a new printer and
arrange for the client to print to this printer. There are
two ways of setting up a new printer. The first involves
the addition of an entry to /etc/printcap(5) and the
creation of filters to perform the required processing. This
is outside the scope of this discussion. In addition,
pcnfsd includes a mechanism by which you can define virtual
printers known only to pcnfsd clients. Each printer is
defined by a line in the /etc/pcnfsd.conf file of the
following form
printer name alias-for command
name is the name of the printer you want to define. alias-for
is the name of a "real" printer which corresponds to
this printer. For example, a request to display the queue
for name will be translated into the corresponding request
for the printer alias-for. If you have defined a printer
in such a way that there is no "real" printer to which it
corresponds, use a single "-" for this field. (See the
definition of the printer test below for an example.) command
is a command which will be executed whenever a file
is printed on name. This command is executed by the
Bourne shell, /bin/sh, using the -c option. For complex
operations you should construct an executable shell program
and invoke that in command. Within command the following
tokens will be replaced:
Token    Substitution
$FILE    Replaced by the full path name of the print data file.
         When the command has been executed, the file will be
         unlinked.
$USER    Replaced by the username of the user logged in to the
         client system.
$HOST    Replaced by the host name of the client system.
Consider the following example /etc/pcnfsd.conf file:
printer rotated lw /usr/local/bin/enscript -2r $FILE
printer test - /usr/bin/cp $FILE /usr/tmp/$HOST-$USER
If a client system prints a job on the printer rotated, the
utility enscript will be invoked to pre-process the file
$FILE. In this case, the -2r option causes the file to be
printed in two-column rotated format on the default
PostScript(R) printer. If the client requests a list of
the print queue for the printer rotated, the pcnfsd daemon
will translate this into a request for a listing for the
printer lw.
The printer test is used only for testing. Any file sent
to this printer will be copied into /usr/tmp. Any request
to list the queue, check the status, etc. of printer test
will be rejected because the alias-for has been specified
as "-".
RECONFIGURATION
pcnfsd will detect when printers are added or deleted and
will rebuild its list of valid printers. To do this, it
checks the modification time of /etc/printcap for BSD-style
systems or /etc/lp/printers for SVR4-based systems.
However, it does not monitor the file /etc/pcnfsd.conf for
updates; if you change this file, it is still necessary to
kill and restart pcnfsd in order that the changes can take
effect.
SECURITY CONSIDERATIONS
Enabling pcnfsd can weaken the security of a system.
Pcnfsd's mapping and authentication calls can easily be
exploited in an attempt to "dictionary crack" users'
passwords. Mechanisms have been added to pcnfsd to
discourage this type of attack, but steps should be taken to
limit the exposure. In addition, pcnfsd will log failed
authentication requests at the authpriv level.
The use of an IP firewall to restrict access to pcnfsd is
strongly recommended. Also recommended is use of the
attribute in to restrict the authentication of users by
pcnfsd to those users who will actually use it. The
attribute in may also be used to enable an script which
further restricts the pcnfsd authentication functions.
FILES
/etc/pcnfsd.conf
SEE ALSO
lp(1), lpstat(1), lpq(1)
25 April 1991