White space fix only. Translators can ignore.

Dru Lavigne 2013-10-16 18:17:33 +00:00
parent a016628fd0
commit 28378719d4
Notes: svn2git 2020-12-08 03:00:23 +00:00
svn path=/head/; revision=42975


@ -1074,7 +1074,7 @@ Exports list on foobar:
configuration data and to add, remove, or modify configuration
data from a single location.</para>
<para>&os; uses version 2 of the <acronym>NIS</acronym>
<para>&os; uses version 2 of the <acronym>NIS</acronym>
protocol.</para>
<sect2>
@ -1459,17 +1459,19 @@ nis_client_flags="-S <replaceable>NIS domain</replaceable>,<replaceable>server</
<para>It is advisable to remove all entries for system
accounts as well as any user accounts that do not need to
be propagated to the <acronym>NIS</acronym> clients, such
as the <username>root</username> and any other administrative accounts.</para>
as the <username>root</username> and any other
administrative accounts.</para>
<note><para>Ensure that the
<filename>/var/yp/master.passwd</filename> is neither
group or world readable by setting its permissions to
<literal>600</literal>.</para></note>
<literal>600</literal>.</para>
</note>
<para>After completing this task,
initialize the <acronym>NIS</acronym> maps. &os; includes
the &man.ypinit.8; script to do this. When generating
maps for the master server, include
<para>After completing this task, initialize the
<acronym>NIS</acronym> maps. &os; includes the
&man.ypinit.8; script to do this. When generating maps
for the master server, include
<option>-m</option> and specify the <acronym>NIS</acronym>
domain name:</para>
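Review bot: "is neither group or world readable" in the reindented <note> should read "neither group- nor world-readable", and "Ensure that the /var/yp/master.passwd" needs "file" after the filename. The mode 600 requirement is the security point of that paragraph, so the sentence should read cleanly; since this commit is whitespace-only, that wording fix belongs in a follow-up.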
@ -1509,27 +1511,27 @@ ellington has been setup as an YP master server without any errors.</screen>
<programlisting>NOPUSH = "True"</programlisting>
</sect3>
<sect3>
<title>Adding New Users</title>
<title>Adding New Users</title>
<para>Every time a new user is created, the user account must
be added to the master <acronym>NIS</acronym> server and
the <acronym>NIS</acronym> maps rebuilt. Until this occurs,
the new user will not be able to
login anywhere except on the <acronym>NIS</acronym>
master. For example, to add the new user
<username>jsmith</username> to the
<literal>test-domain</literal> domain, run these commands on the
master server:</para>
<para>Every time a new user is created, the user account
must be added to the master <acronym>NIS</acronym>
server and the <acronym>NIS</acronym> maps rebuilt.
Until this occurs, the new user will not be able to
login anywhere except on the <acronym>NIS</acronym>
master. For example, to add the new user
<username>jsmith</username> to the
<literal>test-domain</literal> domain, run these
commands on the master server:</para>
<screen>&prompt.root; <userinput>pw useradd jsmith</userinput>
<screen>&prompt.root; <userinput>pw useradd jsmith</userinput>
&prompt.root; <userinput>cd /var/yp</userinput>
&prompt.root; <userinput>make test-domain</userinput></screen>
<para>The user could also be added using
<command>adduser jsmith</command>
instead of <command>pw useradd jsmith</command>.</para>
<para>The user could also be added using <command>adduser
jsmith</command> instead of <command>pw useradd
jsmith</command>.</para>
</sect3>
</sect2>
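Review bot: "the new user will not be able to login anywhere" in the rewrapped paragraph uses "login" as a verb; the verb form is "log in". Separately, the <screen> example runs `pw useradd jsmith` and then `make test-domain` without showing a password being set for the account before the maps are rebuilt; a short sentence on setting it (for instance with passwd) would make the example complete.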
@ -1693,16 +1695,16 @@ nis_client_enable="YES"</programlisting>
<programlisting>+:::::::::</programlisting>
<para>This line configures the client to provide
anyone with a valid account in the
<acronym>NIS</acronym> server's password maps an
account on the client. There are many ways to
configure the <acronym>NIS</acronym> client by
modifying this line. One method is described in
<xref linkend="network-netgroups"/>. For
more detailed reading, refer to the book
<literal>Managing NFS and NIS</literal>, published
by O'Reilly Media.</para>
<para>This line configures the client to provide
anyone with a valid account in the
<acronym>NIS</acronym> server's password maps an
account on the client. There are many ways to
configure the <acronym>NIS</acronym> client by
modifying this line. One method is described in
<xref linkend="network-netgroups"/>. For
more detailed reading, refer to the book
<literal>Managing NFS and NIS</literal>, published
by O'Reilly Media.</para>
</step>
<step>
@ -1856,20 +1858,20 @@ basie&prompt.root;</screen>
<indexterm><primary>netgroups</primary></indexterm>
<para>Barring specified users from logging on to individual systems
becomes unscaleable on
larger networks and quickly loses the main benefit of <acronym>NIS</acronym>:
<para>Barring specified users from logging on to individual
systems becomes unscaleable on larger networks and quickly
loses the main benefit of <acronym>NIS</acronym>:
<emphasis>centralized</emphasis> administration.</para>
<para>Netgroups were developed to handle large, complex networks
with hundreds of users and machines. Their use is comparable
to &unix; groups, where the main difference is the
lack of a numeric ID and the ability to define a netgroup by
including both user accounts and other netgroups.</para>
to &unix; groups, where the main difference is the lack of a
numeric ID and the ability to define a netgroup by including
both user accounts and other netgroups.</para>
<para>To expand on the example used in this chapter, the
<acronym>NIS</acronym> domain will be extended to add the users
and systems shown in Tables 28.2 and 28.3:</para>
<acronym>NIS</acronym> domain will be extended to add the
users and systems shown in Tables 28.2 and 28.3:</para>
<table frame="none" pgwide="1">
<title>Additional Users</title>
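Review bot: "shown in Tables 28.2 and 28.3" hard-codes table numbers, which go stale as soon as a table is added or the chapter is renumbered; the document already uses <xref linkend="..."/> (see the network-netgroups reference earlier in this diff), so give the two tables ids and reference them with <xref>. Also "unscaleable" should be "unscalable".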
@ -1929,8 +1931,8 @@ basie&prompt.root;</screen>
<entry><hostid>war</hostid>,
<hostid>death</hostid>, <hostid>famine</hostid>,
<hostid>pollution</hostid></entry>
<entry>Only IT
employees are allowed to log onto these servers.</entry>
<entry>Only IT employees are allowed to log onto these
servers.</entry>
</row>
<row>
@ -1938,9 +1940,8 @@ basie&prompt.root;</screen>
<entry><hostid>pride</hostid>, <hostid>greed</hostid>,
<hostid>envy</hostid>, <hostid>wrath</hostid>,
<hostid>lust</hostid>, <hostid>sloth</hostid></entry>
<entry>All members of the IT
department are allowed to login onto these
servers.</entry>
<entry>All members of the IT department are allowed to
login onto these servers.</entry>
</row>
<row>
@ -1960,25 +1961,24 @@ basie&prompt.root;</screen>
</tgroup>
</table>
<para>When using netgroups to configure this scenario,
each user is
assigned to one or more netgroups and logins are then
<para>When using netgroups to configure this scenario, each user
is assigned to one or more netgroups and logins are then
allowed or forbidden for all members of the netgroup. When
adding a new machine, login restrictions must be defined for
all netgroups. When a new user is added, the account must be added to
one or more netgroups. If the <acronym>NIS</acronym> setup is
planned carefully, only one central configuration file needs
modification to grant or deny access to machines.</para>
all netgroups. When a new user is added, the account must be
added to one or more netgroups. If the
<acronym>NIS</acronym> setup is planned carefully, only one
central configuration file needs modification to grant or deny
access to machines.</para>
<para>The first step is the initialization of the
<acronym>NIS</acronym> <literal>netgroup</literal> map. In &os;,
this map is not created by default. On the
<acronym>NIS</acronym> master server, use an editor to create
<acronym>NIS</acronym> <literal>netgroup</literal> map. In
&os;, this map is not created by default. On the
<acronym>NIS</acronym> master server, use an editor to create
a map named <filename>/var/yp/netgroup</filename>.</para>
<para>This example creates
four netgroups to represent IT employees, IT apprentices,
employees, and interns:</para>
<para>This example creates four netgroups to represent IT
employees, IT apprentices, employees, and interns:</para>
<programlisting>IT_EMP (,alpha,test-domain) (,beta,test-domain)
IT_APP (,charlie,test-domain) (,delta,test-domain)
@ -1986,17 +1986,17 @@ USERS (,echo,test-domain) (,foxtrott,test-domain) \
(,golf,test-domain)
INTERNS (,able,test-domain) (,baker,test-domain)</programlisting>
<para>Each entry configures a netgroup. The first column in an entry
is the name of the netgroup. Each set of brackets represents
either a group of one or more users or the name of another netgroup.
When specifying a user, the three comma-delimited fields inside each
group represent:</para>
<para>Each entry configures a netgroup. The first column in an
entry is the name of the netgroup. Each set of brackets
represents either a group of one or more users or the name of
another netgroup. When specifying a user, the three
comma-delimited fields inside each group represent:</para>
<orderedlist>
<listitem>
<para>The name of the host(s) where the other fields representing the user are
valid. If a hostname is not specified, the entry is valid
on all hosts.</para>
<para>The name of the host(s) where the other fields
representing the user are valid. If a hostname is not
specified, the entry is valid on all hosts.</para>
</listitem>
<listitem>
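Review bot: "Each set of brackets represents" describes the netgroup entries, but the listing uses parentheses, e.g. `(,alpha,test-domain)`; say "parentheses" so readers matching the syntax against netgroup(5) are not misled.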
@ -2011,31 +2011,29 @@ INTERNS (,able,test-domain) (,baker,test-domain)</programlisting>
</listitem>
</orderedlist>
<para>If a group contains multiple users, separate each user with
whitespace. Additionally, each field may contain wildcards. See
&man.netgroup.5; for details.</para>
<para>If a group contains multiple users, separate each user
with whitespace. Additionally, each field may contain
wildcards. See &man.netgroup.5; for details.</para>
<indexterm><primary>netgroups</primary></indexterm>
<para>Netgroup names longer than 8 characters should not be
used. The names
are case sensitive and using capital letters for netgroup names
is an easy way to distinguish between user, machine and
netgroup names.</para>
<indexterm><primary>netgroups</primary></indexterm>
<para>Netgroup names longer than 8 characters should not be
The names are case sensitive and using capital letters
letters for netgroup names is an easy way to distinguish
between user, machine and netgroup names.</para>
<para>Some non-&os; <acronym>NIS</acronym> clients
cannot handle netgroups containing more than 15
entries. This limit may be
circumvented by creating several sub-netgroups with 15 users
or fewer and a real netgroup consisting of the
sub-netgroups, as seen in this example:</para>
<para>Some non-&os; <acronym>NIS</acronym> clients cannot
handle netgroups containing more than 15 entries. This
limit may be circumvented by creating several sub-netgroups
with 15 users or fewer and a real netgroup consisting of the
sub-netgroups, as seen in this example:</para>
<programlisting>BIGGRP1 (,joe1,domain) (,joe2,domain) (,joe3,domain) [...]
<programlisting>BIGGRP1 (,joe1,domain) (,joe2,domain) (,joe3,domain) [...]
BIGGRP2 (,joe16,domain) (,joe17,domain) [...]
BIGGRP3 (,joe31,domain) (,joe32,domain)
BIGGROUP BIGGRP1 BIGGRP2 BIGGRP3</programlisting>
<para>Repeat this process if more than 225 (15 times 15) users exist
within a single netgroup.</para>
<para>Repeat this process if more than 225 (15 times 15) users
exist within a single netgroup.</para>
<para>To activate and distribute the new
<acronym>NIS</acronym> map:</para>
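Review bot: the rewrapped paragraph beginning "Netgroup names longer than 8 characters should not be", as shown here, drops "used." and doubles "letters" ("using capital letters / letters for netgroup names"); verify the reflowed lines before committing, since a whitespace-only change must not alter the text. The netgroups <indexterm> also appears twice in this region.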
@ -2046,9 +2044,9 @@ ellington&prompt.root; <userinput>make</userinput></screen>
<para>This will generate the three <acronym>NIS</acronym> maps
<filename>netgroup</filename>,
<filename>netgroup.byhost</filename> and
<filename>netgroup.byuser</filename>. Use the map key option of &man.ypcat.1; to
check if the new <acronym>NIS</acronym> maps are
available:</para>
<filename>netgroup.byuser</filename>. Use the map key option
of &man.ypcat.1; to check if the new <acronym>NIS</acronym>
maps are available:</para>
<screen>ellington&prompt.user; <userinput>ypcat -k netgroup</userinput>
ellington&prompt.user; <userinput>ypcat -k netgroup.byhost</userinput>
@ -2056,14 +2054,13 @@ ellington&prompt.user; <userinput>ypcat -k netgroup.byuser</userinput></screen>
<para>The output of the first command should resemble the
contents of <filename>/var/yp/netgroup</filename>. The second
command only produces output if
host-specific netgroups were created. The third command is used to get
the list of netgroups for a user.</para>
command only produces output if host-specific netgroups were
created. The third command is used to get the list of
netgroups for a user.</para>
<para>To configure a client, use &man.vipw.8; to specify the name
of the netgroup. For example, on the server named
<hostid>war</hostid>, replace this
line:</para>
<para>To configure a client, use &man.vipw.8; to specify the
name of the netgroup. For example, on the server named
<hostid>war</hostid>, replace this line:</para>
<programlisting>+:::::::::</programlisting>
@ -2073,38 +2070,38 @@ ellington&prompt.user; <userinput>ypcat -k netgroup.byuser</userinput></screen>
<para>This specifies that only the users defined in the netgroup
<literal>IT_EMP</literal> will be imported into this system's
password database and only those users
are allowed to login to this system.</para>
password database and only those users are allowed to login to
this system.</para>
<para>This configuration also applies to the
<literal>~</literal> function of the shell and all routines which
convert between user names and numerical user IDs. In
<literal>~</literal> function of the shell and all routines
which convert between user names and numerical user IDs. In
other words,
<command>cd ~<replaceable>user</replaceable></command> will
not work, <command>ls -l</command> will show the numerical ID
instead of the username, and
<command>find . -user joe -print</command> will fail with the message
instead of the username, and <command>find . -user joe
-print</command> will fail with the message
<errorname>No such user</errorname>. To fix this, import all
user entries without allowing them to login into the
servers. This can be achieved by adding an extra line:</para>
user entries without allowing them to login into the servers.
This can be achieved by adding an extra line:</para>
<programlisting>+:::::::::/sbin/nologin</programlisting>
<para>This line configures the client to
import all entries but to replace the shell in those entries with
<para>This line configures the client to import all entries but
to replace the shell in those entries with
<filename>/sbin/nologin</filename>.</para>
<!-- Been there, done that, got the scars to prove it - ue -->
<para>Make sure that extra line
is placed <emphasis>after</emphasis>
<literal>+@IT_EMP:::::::::</literal>. Otherwise, all user
accounts imported from <acronym>NIS</acronym> will have
<filename>/sbin/nologin</filename> as their login
shell and noone will be able to login to the system.</para>
<para>Make sure that extra line is placed
<emphasis>after</emphasis>
<literal>+@IT_EMP:::::::::</literal>. Otherwise, all user
accounts imported from <acronym>NIS</acronym> will have
<filename>/sbin/nologin</filename> as their login
shell and noone will be able to login to the system.</para>
<para>To configure the less important servers,
replace the old <literal>+:::::::::</literal>
on the servers with these lines:</para>
<para>To configure the less important servers, replace the old
<literal>+:::::::::</literal> on the servers with these
lines:</para>
<programlisting>+@IT_EMP:::::::::
+@IT_APP:::::::::
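Review bot: the ordering requirement in "Make sure that extra line is placed after +@IT_EMP:::::::::" is the one mistake in this section that silently locks everyone out (every imported account gets /sbin/nologin as its shell), yet it sits in a plain <para> behind an XML comment; the document already uses <note> for the master.passwd permissions, so a <note> or <warning> here would make it stand out. Also "noone" should be "no one" and "login into" should be "log in to".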
@ -2117,18 +2114,18 @@ ellington&prompt.user; <userinput>ypcat -k netgroup.byuser</userinput></screen>
+@USERS:::::::::
+:::::::::/sbin/nologin</programlisting>
<para>NIS supports the creation of netgroups from other netgroups which
can be useful if the policy regarding user access changes. One possibility is
the creation of role-based netgroups. For example, one might
create a netgroup called <literal>BIGSRV</literal> to define
the login restrictions for the important servers, another
netgroup called <literal>SMALLSRV</literal> for the less
important servers, and a third netgroup called
<literal>USERBOX</literal> for the workstations. Each
of these netgroups contains the netgroups that are allowed to
login onto these machines. The new entries for the
<acronym>NIS</acronym> <literal>netgroup</literal> map would look like
this:</para>
<para>NIS supports the creation of netgroups from other
netgroups which can be useful if the policy regarding user
access changes. One possibility is the creation of role-based
netgroups. For example, one might create a netgroup called
<literal>BIGSRV</literal> to define the login restrictions for
the important servers, another netgroup called
<literal>SMALLSRV</literal> for the less important servers,
and a third netgroup called <literal>USERBOX</literal> for the
workstations. Each of these netgroups contains the netgroups
that are allowed to login onto these machines. The new
entries for the <acronym>NIS</acronym>
<literal>netgroup</literal> map would look like this:</para>
<programlisting>BIGSRV IT_EMP IT_APP
SMALLSRV IT_EMP IT_APP ITINTERN
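Review bot: "NIS supports the creation of netgroups" uses bare NIS while every other occurrence in this diff is <acronym>NIS</acronym>; wrap it for consistency while the paragraph is being rewrapped.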
@ -2142,9 +2139,9 @@ USERBOX IT_EMP ITINTERN USERS</programlisting>
required.</para>
<para>Machine-specific netgroup definitions are another
possibility to deal with the policy changes. In
this scenario, the <filename>/etc/master.passwd</filename> of
each system contains two lines starting with <quote>+</quote>.
possibility to deal with the policy changes. In this
scenario, the <filename>/etc/master.passwd</filename> of each
system contains two lines starting with <quote>+</quote>.
The first line adds a netgroup with the accounts allowed to
login onto this machine and the second line adds all other
accounts with <filename>/sbin/nologin</filename> as shell. It
@ -2210,39 +2207,40 @@ TWO (,hotel,test-domain)
<indexterm>
<primary>NIS</primary>
<secondary>password formats</secondary>
<secondary>password formats</secondary>
</indexterm>
<para><acronym>NIS</acronym> requires that all hosts within an
<acronym>NIS</acronym> domain use the same format for encrypting passwords.
If users have trouble authenticating on an
<acronym>NIS</acronym> client, it may be due to a differing password format.
In a heterogeneous network, the format must be supported by all operating systems, where
<acronym>DES</acronym>
is the lowest common standard.</para>
<para>To check which format a server or client is using,
look at this section of <filename>/etc/login.conf</filename>:</para>
<acronym>NIS</acronym> domain use the same format for
encrypting passwords. If users have trouble authenticating on
an <acronym>NIS</acronym> client, it may be due to a differing
password format. In a heterogeneous network, the format must
be supported by all operating systems, where
<acronym>DES</acronym> is the lowest common standard.</para>
<para>To check which format a server or client is using, look
at this section of
<filename>/etc/login.conf</filename>:</para>
<programlisting>default:\
:passwd_format=des:\
:copyright=/etc/COPYRIGHT:\
[Further entries elided]</programlisting>
<para>In this example, the system is using the <acronym>DES</acronym>
format. Other possible values are
<literal>blf</literal> for Blowfish and <literal>md5</literal> for
MD5 encrypted passwords.</para>
<para>In this example, the system is using the
<acronym>DES</acronym> format. Other possible values are
<literal>blf</literal> for Blowfish and <literal>md5</literal>
for MD5 encrypted passwords.</para>
<para>If the format on a host needs to be edited to match the one
being used in the <acronym>NIS</acronym> domain,
the login capability
database must be rebuilt after saving the change:</para>
<para>If the format on a host needs to be edited to match the
one being used in the <acronym>NIS</acronym> domain, the
login capability database must be rebuilt after saving the
change:</para>
<screen>&prompt.root; <userinput>cap_mkdb /etc/login.conf</userinput></screen>
<note>
<para>The format of passwords for existing user accounts will not be updated
until each user changes their password
<para>The format of passwords for existing user accounts will
not be updated until each user changes their password
<emphasis>after</emphasis> the login capability database is
rebuilt.</para>
</note>
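Review bot: "use the same format for encrypting passwords" and "MD5 encrypted passwords" describe passwd_format, which selects the one-way password hash (des, md5, blf shown here), so "hashing" is the accurate term and worth fixing with the rewrap. It would also help to state that des is listed as the lowest common standard only for compatibility with clients that support nothing else, so a reader does not pick it for a network where blf or md5 are available on every host.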
@ -3073,7 +3071,7 @@ dhcpd_ifaces="dc0"</programlisting>
separate network. If this functionality is required,
then install the
<filename role="package">net/isc-dhcp42-relay</filename>
port. The port installs &man.dhcrelay.8;, which
port. The port installs &man.dhcrelay.8;, which
provides more detail.</para>
</listitem>
</itemizedlist>