I am the technology coordinator for a small, private K12 school in rural Upstate New York.  One of our challenges is filtering Internet access so that the students may have access to the Internet as much as possible while not requiring constant, direct supervision.

To meet these needs we decided that we were limited to WhiteListing – managing a list of all allowed websites and blocking everything by default as opposed to blacklisting where everything is allowed except for a specific list of banned sites.  Whitelisting means that we have to manually maintain a list of approved websites, but the parents are confident that the students are only able to access pre-approved web sites.

Our Infrastructure

Before getting into the implementation details, I would like to detail how our network is laid out to put this project into context.  We are a pure 32bit Novell OpenSUSE environment, both desktops and servers, with a single Netgear ProSafe Firewall connecting us to a donated Time-Warner RoadRunner cable connection (Thank You, Time Warner RR!!)

Each desktop is setup without routing so they are limited to communications within the subnet only.  We have no fears of needing to grow beyond our /25 subnet’s limit anytime soon.  We have no DHCP and use static IP assignments throughout the school including machines connected via wireless.  Those machines used for administrators (not teachers – but office use where students do not have access) are routable and will not use our filter (for extra security they are allowed external access at the firewall via an IP list.)  All other machines can only get access to the Internet through the use of the proxy server.  This also allows us to improve bandwidth utilization through aggressive caching since the set of allowed sites is so limited and well known.

For our proxy server hardware we are using an HP Proliant DL380 G2 with dual Pentium IIIs 1.4GHz processors, 1.25GB and six hot-swap 36GB 10,000RPM SCSI drives arranged as RAID 0+1.  This machines is far more than adequate for our needs and does an amazing job.  We could easily run on a DL360 G1 with just a single processor, half that memory and two drives in RAID 1 without any problem.  Our previous machine, which we used for years without any issues in performance, was a Proliant 3000, dual Pentium II 333MHz, 1GB and five 4.3GB 7,200RPM drives in RAID 5.

The older system ran SUSE 9.2 and ran wonderfully for a long time.  I am writing this HowTo guide as I move us to OpenSUSE 11 and do a fresh installation of our proxy server.

The Software

As we are running on OpenSUSE Linux 11, I want to work with Novell managed packages as much as possible.  For the proxy portion of our system we will use the Linux standard proxy server Squid.  OpenSUSE’s repository offers us both Squid3 and Squid2.  We will go ahead and use the latest Squid Proxy package for OpenSUSE 11, Squid3 3.0.5.  The downside to going with the newer Squid3 package is that OpenSUSE’s YaST tool cannot yet manage it so you are stuck working only from the configuration files.

For advanced filtering we have two primary choices: SquidGuard and DansGuardian.  SquidGuard has the advantage of being included in the OpenSUSE repositories making it easier to manage from a patch perspective.  DansGuardian is what I have used in the past.  It is available as an RPM from the OpenSUSE Build site but is not available through the YaST repositories.  DansGuardian is GPL’d but the author asks that you not exercise your GPL right (GPL in fact but not in spirit.)  So, I like to avoid DansGuardian simply because I can’t figure out if the author even wants me to use his software or not.

For our purposes here, using nothing but whitelisting, we do not need the features of either SquidGuard or DansGuardian and can avoid them completely.  If you are looking to do more than just whitefiltering they are your best bets.

Installing the Proxy Server: Squid

Installing Squid3 on OpenSUSE 11 is extremely simple.

zypper install squid3

Of course, if you prefer, you can always use OpenSUSE’s YaST utility, either graphically through the desktop or through an ncurses interface on the command line to install Squid and any necessary dependencies.  I find that working through Zypper (or Yum on a Red Hat, CentOS or Fedora system) to be the most effecient by far.

Configuring Squid

These are the changes that I made to /etc/squid/squid.conf:

acl localnet srv 192.168.4.0/25
http_access allow all whitelist
http_access deny all
http_port 8080

That’s it.  Very, very simple.  The first line is simply to allow my local network.  You will need to add in your own local network and not mine for this to work for you.  If you stick with the Squid3 defaults then all private networks are allowed locally by default so that is a completely viable option.

The next two lines, http_access, first tell the system to allow access to anyone “all” to sites included in the whitelist.  The next line says to deny access to anyone who did not get allowed from the previous rule.

The last line, http_port, is also completely optionaly.  The default port for Squid is 3128 but I prefer to run my proxy on the more common 8080 port.  This is just easier to remember when setting up desktops.

With the default install of Squid3, Squid is not configured to start automatically.  So we need to use chkconfig to configure Squid to start on system boot.  You can skip this step if, for some reason, you do not want your proxy system to start automatically when your server restarts.

chkconfig –level 3 squid

Before we actually start Squid, though, we will want to create our whitelist file which will be the main configuration file that we will be using after Squid is up and running.

Creating the Whitelist

Using your favourite text editor (that’s vi for me) create the file /etc/squid/whitelist.  This file is just a simple list of websites that will be allowed.  The one thing of which to be aware is the fact that your entries need to lead with a dot.  If you leave off the dot you will have problems.  Here is an example from my own whitelist:

.gov
.sheepguardingllama.com
.unicef.org
.eff.org
.conversationsnetwork.org

In this example, all United States government web sites will be allowed (those ending in .gov) as well as this blog, UNICEF, the Electronic Frontier Foundation and The Conversations Network.  Anytime that you alter this file you will need to ask Squid to reread its configuration.

Configuring the Desktop Clients

If you are like me, you will be using OpenSUSE on your desktops as well which I highly recommend.  OpenSUSE makes a wonderful desktop, especially with KDE4.  With OpenSUSE you have the option of setting your proxy settings using the handy YaST tool.  This is fine.  If you are like me, you will prefer to use the command line – mostly because it is easily scriptable but also because it will work for non-SUSE Linux boxes as well.

To set your proxy temporarily just for the current session to test your proxy server you can simply:

http_proxy="http://192.168.4.2:8080/"

Notice that you will need to use your own IP address here as well as your own port number if you decided to use one other than 8080.  My proxy server’s IP address is 192.168.4.2 so modify accordingly.

The most common means of setting this variable to survive through a reboot is to use /etc/profile so that it will apply to all users.  Simply add this line to /etc/profile:

export http_proxy=http://192.168.4.2:8080/

In OpenSUSE, there is a better place to set this information.  Let’s look at /etc/sysconfig/proxy.  This file is a central proxy settings file for all of the OpenSUSE which makes it very handy so that we don’t have to worry about users not picking up changes from other locations.  It is also nice as it will allow us to have some advanced settings if we so desire.

In my case, I am only using the proxy server to handle HTTP and HTTPS requests (we are blocking FTP and GOPHER entirely) so we only need to edit the two lines pertaining to those protocols as well as the “no proxy” setting to list which locations should not be proxied but accessed directly.  Here are my settings:

HTTP_PROXY="http://192.168.4.2:8080/"
HTTPS_PROXY="http://192.168.4.2:8080/"
NO_PROXY="localhost, 127.0.0.1"

With these changes you should now have a functioning, whitelisting proxy server to protect your network.  OpenSUSE’s default installation of FireFox is set to bypass its own proxy settings and to pick up the system changes automatically.  Tools like w3m and wget will use the system proxy settings as well.  If you are using a client that is either unable to or is not configured to get its settings from the system then you will need to configure its proxy settings manually on an application by application basis.

For those unfamiliar with the landscape, Linux is a family of operating systems that are generally considered to fall under the Unix umbrella although Linux is legally not Unix just highly Unix-like. Individual Linux packages are referred to as distributions or distros, for short. Unlike Windows or Mac OS X which come from a single vendor, Linux is available from many commercial vendors as well as from non-profit groups and individual distribution makers. Instead of there being just one Linux there are actually hundreds or thousands of different distributions. Each one is different in some way. This creates choice but also confusion. To make matters even worse some major vendors such as Red Hat and Novell release more than one Linux distribution targeted at different markets, and within a single distribution will often package features separately. This myriad of choices, before even acquiring your first installation disc does not help make Linux uptake in companies go any faster.

In reality the choices for business use are few and obvious with a little bit of research. To make things easier for you, I will just tell you what you need to know. Problem solved. Now if managing your Linux environment could be so easy!

Before we get started I want to stress that this article is about using Linux for enterprise infrastructure – that is, as a server operating system in a business. I am not looking into desktop Linux or high performance computational clusters and grid or specialty applications or home use. This article is about standard, traditional server applications that require stability, up time, reliability, accessibility, manageability, etc. If you are looking for my guide to the “ultimate Linux desktop environment”, this isn’t it. Desktops, even in the enterprise, do not necessarily have the same criteria as servers. They might, but not necessarily so.

When choosing a distribution for servers we must first consider the target purpose of the distro. Only a handful of Linux distros are built with the primary purpose of being used as a server. If your distro maintainer does not have the same principles in mind that you do it is probably best to avoid that distro for this particular purpose. Server distributions target longer time between releases, security over features, stability over features, rapid patching, support, documentation, etc.

In addition to targeting the distribution in harmony with our own goals we also need to work with a company that is reliable, has the resources necessary to support the product and has a track record with a successful product. Choosing a distribution is a vendor selection process. There are three key enterprise players in the Linux space: Red Hat, Novell and Canonical.

For many Red Hat is synonymous with Linux, having been one of the earliest American Linux distributions and having been a driving force behind the enterprise adoption of Linux globally. Red Hat makes “Red Hat Enterprise Linux”, known widely as RHEL, as well as Fedora Linux. Red Hat is the biggest Linux vendor and important in any Linux vendor discussion.

Novell is the second big Linux vendor having purchased German Linux vendor SUSE some years ago. Novell makes two products as well, Suse Linux Enterprise and OpenSUSE.

The third big Linux enterprise vendor is Canonical well known for the Ubuntu family of Linux distributions. While the Ubuntu distro family includes many members we are only interested in discussing Canonical’s own Ubuntu LTS distribution. LTS stands for “Long Term Support” and is effectively Canonical’s server offering. Their approach to versioning and packaging is quite different from Red Hat and Novell and can be rather confusing.

Before we become overwhelmed with choices (we have presented five so far) we have one here that we can further eliminate. Red Hat’s Fedora is not an “enterprise targeted” distributions. This is a “testing” and “community” platform designed primarily as a desktop and research vehicle and not as a stable server operating system. To be sure it is extremely valuable and a great contribution to the Linux community and has its place but as server operating system it does not shine. Nevertheless, without Fedora as a proving ground for new technologies it is unlikely that Red Hat Enterprise Linux would be as robust and capable as it is.

We can also effectively eliminate OpenSUSE.  OpenSUSE is the unsupported, community driven sibling to Novell SUSE Linux Enterprise.  However, unlike Fedora which is an independant product from RHEL, OpenSUSE is the same code base as SUSE Linux Enterprise but without Novell’s support.  This is a great advantage to the SUSE product line as there is a very large base of home and hobby users in addition to the enterprise users all using the exact same code and finding bugs for each other.  Going forward we will only consider SUSE Linux Enterprise as support is a key factor in the enterprise.  But OpenSUSE, for shops not needing commercial support from the vendor, is a great option as the product is the same, stable release as the supported version.

So we are left with three serious competitors for your enterprise Linux platform: Red Hat Linux, Novell Suse Linux and Ubuntu LTS. All three of these competitors are solid, reliable offerings for the enterprise. Red Hat and Novell obviously have the advantage of having been in the server operating system market for a long time and have experience on their side. But Canonical has really made a lot of headway in the last few years and is definitely worth considering.

Red Hat Linux and Suse Linux Enterprise have a few key advantages over Ubuntu. The first is that they both share the standard RPM package management system. Because RPM is the standard in the enterprise it is well tested and understood and most Linux administrators are well versed in its functionality. Ubuntu uses the Debian based package format which is far less common and finding administrators with existing knowledge of it is far less likely – although this is changing rapidly as Ubuntu has become the leading home desktop Linux distribution recently.

In general, Red Hat Linux and Suse Linux Enterprise have more in common with each other making them able to share resources more easily and giving administrators a broader platform to focus skills upon. This is a significant advantage when it comes time to staff up and support your infrastructure.

Ubuntu suffers from having a directly tie to a “non-enterprise” operating system that is particularly popular with the desktop “tweaking” crowd.  Unlike Red Hat and Suse, Ubuntu is coming at the enterprise from the home market and brings a stigma with it.  Administrators trained on RHEL, for example, tend to be taught enterprise type tasks performed in a business like manner.  Administrators with Ubuntu experience tend to be home users who have been running Linux for their own desktop and entertainment tasks.  This makes the interview and hiring process that much more difficult.  This is in no way a slight against the Ubuntu LTS product which is an amazing, enterprise-ready operating system which should seriously be considered, but shops need to be aware that the vast majority of Ubuntu users are not enterprise system administrators and their experience may be mostly from a non-critical desktop focused role.  It is rare to find anyone running RHEL or Suse Linux in this manner.

In my own experience, having software popular with home users in the enterprise also brings in factors of misguided user expectations.  Users expect the enterprise installations to include any package that the users can install at home and that update cycles be similar.  This can cause additional headaches although the Windows world has been dealing with these issues since the beginning.

At this point you have probably noticed that choosing either Suse and Ubuntu leaves you with the option of both free and fully supported versions, direct from the vendors.  This is a major feature of these distributions because it provides a great cost savings and greater flexibility.  For example, development machines can be run on OpenSUSE and production machines on Suse Enterprise lowering the overall cost if full support isn’t necessary for development environments.  You can run labs from free versions for learning and testing or only pay for support for critical infrastructure pieces.  Or, if you are really looking to save money or feel that your internal support is good enough, running completely on the free, unsupported versions is a viable option because you are still using the stable, enterprise-class code base.

Red Hat, as a vendor, does not supply a freely available edition of Red Hat Enterprise Linux.  Instead, they make their code repositories available to the public and expect interested parties to build their own version of RHEL using these repositories.  If you are interested in a freely available version of RHEL, look no further than CentOS.

CentOS, or the Community ENTerprise Operating System, is a code identical rebuild of RHEL.  It is identical in everyway except for branding.  CentOS is completely free – but unsupported.  CentOS is used in organizations of all sizes exactly like a free copy of RHEL would be expected to be used and many businesses choose to run CentOS exclusively.  As RHEL is the most popular Linux distribution in large businesses and as the commercially support version is rather expensive, CentOS also provides a very important resource to the community by allowing new administrators to experience RHEL at home without the expense of unneeded support.

Choosing between the Red Hat, Suse and Ubuntu families is much more difficult than whittling the list down to these three.  In many cases choosing between these three will be based upon cost, application demands, existing administration experience and features.  It is not uncommon for larger businesses to use two or possibly all three of these distributions as features are needed, but most commonly a single distribution is chosen for ease of management.  All three distributions are solid and capable.

Another potentially deciding factor is if your enterprise is considering using Linux on the desktop.  While RHEL can be used as a desktop operating system it is generally considered to be substantially weaker than Suse and Ubuntu when it comes to desktop environments.  Because of this, Fedora is generally seen as Red Hat’s desktop option but this is not supported by Red Hat nor does it share a code base with RHEL causing support to be somewhat less than unified even though to two are very similar.

For mixed server and desktop environments, Suse and Ubuntu have a very strong lead.  Both of these distributions focus a great many resources onto their desktop systems and they keep these components very much up to date and pay great attention to the user experience.  For a small company that can manage to use only one single distribution on every machine that they own this can be a major advantage.  Homogeneous environments can be extremely cost effective as a much narrower skill set is needed to manage and support them.

In conclusion: Red Hat Enterprise Linux, Novel Suse Enterprise and Ubuntu LTS, in both their supported versions as well as in their free versions (CentOS in the case of RHEL and OpenSUSE in the case of Novell, Ubuntu uses the same package) all represent great opportunities for the data center.  Do not be lulled into using non-enterprise Linux distributions because they are cool, flashy or popular.  Linux lends itself to being in the news often and to generating excess hype.  None of these things are good indicators of data center stability.  The data center is a serious business component and should not be treated lightly.  Linux is a great choice for the corporate IT department but you will be very unhappy if you pick your backbone server architecture based on its popularity as a gaming platform rather than on its uptime and management cost.

Dominica and I both slept in a bit this morning before getting up and doing a bunch of apartment cleaning that was very much over due.  No one has been visiting us recently and we have been letting the apartment go quite a bit as our schedules have been pretty busy and I have not been working from home as much as usual which always leads to a lack of time for housework.

We found out last night that a new and as yet unnamed Boston Terrier puppy, just nine weeks old, has moved onto our floor at Eleven80.  We haven’t met the new puppy yet but expect to do so soon.  There are now three full time Boston Terrier residents in the building but Oreo is the only mature one.

Around noon Ramona and Winni came by to visit with the intent of playing a small Dungeons and Dragons game.  We haven’t seen either of them in at least two months.  Winni is living in New Hampshire now, but is moving to Frederick, Maryland in a few weeks, and Ramona recently moved from the Ironbound, here in Newark, to Flushing in Queens.

The idea today was to play a quick, little D&D Fourth Edition adventure which Winni had put together just so that we could test out the fourth edition rules, but we didn’t have a lot of time in which to play as they needed to get over to Ramona’s old apartment to deal with some final packing and stuff and none of us had seen in each other in quite a while so we just spent the afternoon visiting.

We ordered in lunch from Nino’s as pretty much everyone was in the mood for some Italian.  We ate and opened a bottle of Miles Wine Cellars 2005 Cabernet Frank which everyone really enjoyed.

Winni and Ramona left around six and I went to work on a few things.  Almost right away while attempting to get my dual monitors working on my new OpenSUSE 11 workstation I did something that caused the root directory to just vanish.  So there was little that I could do but to install again.  So I kicked off another install.  Crappy.

Dominica and I have our nieces coming to visit us sometime in the next couple weeks and we are attempting to figure out what we are going to do.  The original plan was to go see “The Little Mermaid” on Broadway but the cost was going to be astronomic – like close to $600 or more – and we have heard that the show isn’t very good.  We thought about doing the Bronx Zoo and the science center but Dominica doesn’t think that she could spend a day walking at the Bronx Zoo.  We considered spending the weekend at a resort in the Poconos but that was really expensive as well.

Our final idea was to take the girls camping.  Dominica has never been camping (not actual camping) and I have not gone since going t Allegheny National Forest near Warren, Pennsylvania in June, 1994.  I have never owned a tent of my own and things have improved a lot since Eric and I went all of those years ago.  We thought that camping would be pretty expensive but we compared it to the price of going to see a show on Broadway or to a night or two in the Poconos and it turns out that buying all new, top end camping gear would be significantly cheaper – plus it is all reusable.

We hunted around and the best Coleman tent is only $175 from Amazon ($250 MSRP) and the types of sleeping bags that we would need are very cheap.  Some nice LED lights and tent fans (to keep cool) all came up to being very inexpensive.  After looking at the cool gadgets to get Dominica got really excited about camping and has been going crazy shopping for cool camping stuff for the last two days.

We were hoping to be able to camp at a New York State state park but have not been able to find any camp sites that will work for us.  We absolutely need electrical hookup (cheesy for real camping, I know) because I cannot sleep without my CPAP so there is no way around that requirement.  We almost didn’t think of that and might have booked a camp site without power which would have been disastrous, but since we know now that we have to have it it means that we know ahead of time that we can take the laptop and watch movies at night and charge our phones and stuff.  It’s not exactly “roughing it” camping but that really isn’t an option at this point in our lives anymore and that wasn’t quite what Dominica wanted to do anyway.  It does mean, though, that we can never camp at Handsome Lake again which I would have liked to have been able to have done again.

So since the state parks aren’t available to us in July when we need to go we decided to look at KOA (Kampgrounds of America) and many of them come with power and wireless Internet access which is extremely cool.  That means that we can keep in full contact with the outside world and that I don’t even have to go off of being “on call” for the weekend.  I will be able to work as usual while camping giving us a lot more flexibility to do this more often.  Plus, I think, that camping with this level of amenities makes camping a lot more attractive to us in general.  We just don’t live lives that allow for us to completely break contact with the outside world.  We won’t have the camera problems that I have had in the past either since we will always have the car near by in which to store valuables where they can be locked up safe.

So the plan is that sometime in the next two to three weeks that the four of us will head out into the “wilderness” to go camping.  Dominica is even excited about camping recipes and cooking over an open fire!

Tomorrow morning we have a doctor’s appointment in the morning.  I will be working from home before the appointment and Dominica will be off until after lunch.  So she just has a half day.  I will just be “out” for about two hours.

My morning started nice and early.  I was online and working starting at a quarter until eight and had to keep working for the office until one thirty in the afternoon.  Almost six hours of work first thing in the morning.  Not the way that I pictured that I would be spending my Saturday mornings when I was a child – I probably thought that I would be busy watching cartoons and eating cereal – but it does help to pay the bills and with the house payments coming up soon it all helps.

At one thirty I quickly jumped into the shower and got ready to go.  Dominica and I were out the door at ten till two.  We met out real estate agent in Peekskill, New York at three.  We had several townhouses which Dominica had picked out to look at today.

The first townhouse wasn’t in the best part of town and had no basement.  For us the basement is very important because we need the storage space, the utility space and a place for me to have computer equipment that isn’t sitting in the “middle of the house.”  While we could make due in a house without a basement it is extremely unlikely that we will find a house that is cost effective for us without one.  Basements are cheap compared to a lot of other types of space, like extra bedrooms, and serve our purposes just as well or better, in many cases.  This first place was nothing special and the current owner hadn’t vacated like he was supposed to have done so we had a really awkward situation of being shown around by both the real estate agent and the owner and not being able to discuss anything.  There were even someone sleeping in one of the rooms that we were there to see.  Luckily we weren’t impressed with the place at all so it wasn’t like that swayed us in any way.  It just wasn’t the right place for us.  Not a bad place, just not a good fit for us.

Our next stop was to a townhouse down in Croton-on-Hudson.  That was its address but in reality it was more like Cortlandt – which might be even better.  This place, a three bedroom with a great deck and a tiny basement, was very nice and we were quite impressed.  The area was gorgeous and the neighbourhood seemed really nice too.  We were impressed with everything.  The price is a little higher than we were hoping for but technically within our range.  It even had a garage.  This one is the first definite consideration that we have seen thus far in all of our house hunting.  Our selection process has definitely improved.

Next we saw two, nearly identical, townhouses in Peekskill on the east side of town.  The first was amazing but expensive and really set up for adults without children.  Lots of living space but very little bedroom / bathroom space.  It would be great if we weren’t planning on having kids but it isn’t what we need now.

The next place was much better.  More modern than the townhouse in Croton-on-Hudson and with more space (1850 sq. ft. vs 1800 sq. ft.) in a more sensible design.  It is only a two bedroom but with three and a half baths, which is awesome.  It had a giant basement.  The yard, street and neighbourhood weren’t as nice as in Croton but the structure is much nicer.  It is also slightly cheaper although the Croton townhouse is a better market value making it a safer investment, but we are thrilled to have two places that we are really interested in on just our second day.

We looked at one final place in a different complex. It wasn’t a great place but the price was really good and we wouldn’t be unhappy if it was all that we could get.  Not a top contender but a decent fall back option.  Now that we know what we are looking for almost everything that we are seeing is a consideration and we know even more for next time.  This last place was smaller and not as nice.  The lack of space would be tough but workable.  If possible we will shoot for at least 1800 square feet.

It was almost seven when we got back home to Newark.  Oreo did pretty well with us being gone.  We would have taken him with us today but it was horribly hot – well over ninety degrees with a heat index several degrees warmer.  He would have been cooking in the car the whole time.  It was really uncomfortable being in the houses that we were looking at because almost none of them were air conditioned in any way, which didn’t seem like a good sales tactic to me.   I realize that keeping them cool would be expensive when no one was living there but it seems to me that making potential buyers feel more comfortable in the house would trigger a happier memory of it as well as make them less likely to want to leave as quickly as possible.  It definitely shortened the amount of time that we spent in almost all of the houses.

I ended up doing a bit more work this evening.  Another two hours throughout the night.  In between bits of work Dominica and I watched some more Third Rock from the Sun. Then she went to bed a bit after eleven and I worked for a while until almost one in the morning.

Today is my first day really working with OpenSUSE 11.0 which I finally got installed on my HP dx5150 desktop (AMD Athlon64 3200+ 64Bit processor with 2.5GB of memory) late last night.  I have it installed at home now and at the office in Microsoft VirtualPC 2007 SP1.  The install went pretty well and so far I am liking what I see.  It is not a major upgrade over OpenSUSE 10.3 which I have been using for the past six months but all of the packages are slightly updated and now FireFox 3.0 is included which is a very big deal.  The big, new “toy” in the system is KDE 4.0.4 which I am excited to try.

automount[10581]: >> mount: block device 192.168.0.2:/data/home/samiller is write-protected, mounting read-only
kernel: call_verify: server 192.168.0.2 requires stronger authentication.

It turns out that the solution is quite simple. The issue is with a mismatch of anonymous credentials. Let’s take a look at the erroneous entry in /etc/dfs/dfstab on the Solaris NFS server:

share -F nfs -o public,nosuid,rw,anon=-1 -d "backup" /data

The piece of this configuration that is an issue here is “anon=-1”. In theory this is designed to block users who do not have accounts on the local system. However this causes issues with Linux systems. You can solve this problem by simply removing the anon setting from the configuration file. Not an ideal fix but it does solve the problem.

share -F nfs -o public,nosuid,rw -d "backup" /data

Simply run the “shareall” command and you should be back in business.