From 2d7802b6558ff38d51e5da28e23416c1d04aac8b Mon Sep 17 00:00:00 2001 From: Dru Lavigne Date: Tue, 15 Oct 2013 16:57:03 +0000 Subject: [PATCH] White space fix only. Translators can ignore. --- .../handbook/network-servers/chapter.xml | 1003 +++++++++-------- 1 file changed, 524 insertions(+), 479 deletions(-) diff --git a/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml b/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml index 60817b233a..94682bfff6 100644 --- a/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml +++ b/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml @@ -600,19 +600,19 @@ server-program-arguments - NFS consists of at least two main - parts: a server and one or more clients. The client remotely - accesses the data that is stored on the server machine. In - order for this to function properly a few processes have to be - configured and running. + NFS consists of at least two main + parts: a server and one or more clients. The client + remotely accesses the data that is stored on the server + machine. In order for this to function properly a few + processes have to be configured and running. - These daemons must be running on the server: - - NFS + These daemons must be running on the server: + + NFS server - - - file server + + + file server UNIX clients @@ -666,21 +666,21 @@ server-program-arguments Running &man.nfsiod.8; can improve performance on the client, but is not required. - - Configuring <acronym>NFS</acronym> + + Configuring <acronym>NFS</acronym> - - NFS - configuration - + + NFS + configuration + - Enabling the NFS server - is straightforward. The required processes - can be set to start at boot time by adding - these options to - /etc/rc.conf: + Enabling the NFS server + is straightforward. The required processes + can be set to start at boot time by adding + these options to + /etc/rc.conf: - rpcbind_enable="YES" + rpcbind_enable="YES" nfs_server_enable="YES" mountd_flags="-r" 
@@ -1037,7 +1037,8 @@ Exports list on foobar: --> - Network Information System (NIS/YP) + Network Information System (NIS/YP) + NIS Solaris HP-UX @@ -1051,14 +1052,13 @@ Exports list on foobar: Network Information System (NIS) - is designed - to centralize administration of &unix;-like - systems such as - &solaris;, HP-UX, &aix;, Linux, NetBSD, OpenBSD, and &os;. - NIS - was originally known as Yellow Pages but the name was changed due to trademark - issues. This is the reason why NIS - commands begin with yp. + is designed to centralize administration of &unix;-like + systems such as &solaris;, HP-UX, &aix;, Linux, NetBSD, + OpenBSD, and &os;. NIS was originally + known as Yellow Pages but the name was changed due to + trademark issues. This is the reason why + NIS commands begin with + yp. NIS @@ -1066,18 +1066,19 @@ Exports list on foobar: NIS is a Remote Procedure Call - (RPC)-based client/server system that allows a group - of machines within an NIS domain to share a common set of - configuration files. This permits a system administrator to - set up NIS client systems with only minimal configuration data - and add, remove or modify configuration data from a single - location. + (RPC)-based client/server system that + allows a group of machines within an NIS + domain to share a common set of configuration files. This + permits a system administrator to set up + NIS client systems with only minimal + configuration data and add, remove or modify configuration + data from a single location. <acronym>NIS</acronym> Terms and Processes - Table 28.1 summarizes the terms and important processes used - by NIS: + Table 28.1 summarizes the terms and important processes + used by NIS: rpcbind @@ -1088,6 +1089,7 @@ Exports list on foobar: <acronym>NIS</acronym> Terminology + 
@@ -1103,42 +1105,41 @@ Exports list on foobar: NIS domain name - An NIS master server and all of its clients, - including its slave servers, share a NIS domain name - which - does not have anything to do with - DNS. + An NIS master server and all + of its clients, including its slave servers, share a + NIS domain name which does not have + anything to do with DNS. &man.rpcbind.8; This service enables RPC and - must be running - in order to run an NIS server or act as - an NIS client. + must be running in order to run an + NIS server or act as an + NIS client. &man.ypbind.8; - This service binds an NIS client to its NIS - server. It will take the NIS domain name - and use RPC to connect to - the server. It is the - core of client/server communication in an NIS - environment. If this service is not running - on a client machine, it will not be able to access the - NIS server. + This service binds an NIS + client to its NIS server. It will + take the NIS domain name and use + RPC to connect to the server. It + is the core of client/server communication in an + NIS environment. If this service + is not running on a client machine, it will not be + able to access the NIS + server. &man.ypserv.8; - This is the process for - the NIS server. If this service stops running, - the server will no longer be able to - respond to NIS requests so hopefully, there is a slave - server to take over. Some - non-&os; clients + This is the process for the + NIS server. If this service stops + running, the server will no longer be able to respond + to NIS requests so hopefully, there + is a slave server to take over. Some non-&os; clients will not try to reconnect using a slave server and the ypbind process may need to be restarted on these 
@@ -1148,11 +1149,12 @@ Exports list on foobar: &man.rpc.yppasswdd.8; This process only runs on - NIS master servers. This daemon allows - NIS clients to change their NIS passwords. If this - daemon is not running, users will have to login to the - NIS master server and change their passwords - there. + NIS master servers. This daemon + allows NIS clients to change their + NIS passwords. If this daemon is + not running, users will have to login to the + NIS master server and change their + passwords there. 
@@ -1163,64 +1165,68 @@ Exports list on foobar: Machine Types + NIS - master server - - - NIS - slave server - - - NIS - client - + master server + + NIS + slave server + + NIS + client + - There are three types of hosts in an NIS environment: + There are three types of hosts in an + NIS environment: - - - NIS master server - - This server acts as a - central repository for host configuration information and - maintains the authoritative copy of the files used by all of the NIS - clients. The passwd, - group, and other various files used - by NIS clients are stored on the master server. While - it is possible for one machine to be an NIS master - server for more than one NIS domain, this - will not be covered in chapter as it - assumes a relatively small-scale NIS - environment. - + + + NIS master server - - NIS slave servers + This server acts as a central repository for host + configuration information and maintains the + authoritative copy of the files used by all of the + NIS clients. The + passwd, group, + and other various files used by NIS + clients are stored on the master server. While it is + possible for one machine to be an NIS + master server for more than one NIS + domain, this will not be covered in chapter as it + assumes a relatively small-scale NIS + environment. + - NIS slave servers maintain copies of the - NIS master's data files in order to provide - redundancy. - Slave servers also help to balance the load of the master server as - NIS clients always attach to the NIS server which - responds first. - + + NIS slave servers - - NIS clients + NIS slave servers maintain copies + of the NIS master's data files in + order to provide redundancy. Slave servers also help to + balance the load of the master server as + NIS clients always attach to the + NIS server which responds + first. + - NIS clients - authenticate against the NIS server - during log on. - - + + NIS clients - Information in many files can be shared using NIS. 
- The master.passwd, + NIS clients authenticate + against the NIS server during log + on. + + + + Information in many files can be shared using + NIS. The + master.passwd, group, and hosts - files are commonly shared via NIS. Whenever a process on a - client needs information that would normally be found in these - files locally, it makes a query to the NIS server that it is - bound to instead. + files are commonly shared via NIS. + Whenever a process on a client needs information that would + normally be found in these files locally, it makes a query to + the NIS server that it is bound to + instead. @@ -1232,8 +1238,8 @@ Exports list on foobar: machine has its own /etc/passwd and /etc/master.passwd. These files are kept in sync with each other only through manual - intervention. Currently, when a user is added to the lab, the - process must be repeated on all 15 machines.. + intervention. Currently, when a user is added to the lab, + the process must be repeated on all 15 machines.. The configuration of the lab will be as follows: 
@@ -1295,28 +1301,29 @@ Exports list on foobar: NIS domain name - When a client broadcasts - its requests for info, it includes the name of the NIS - domain that it is part of. This is how multiple servers - on one network can tell which server should answer which - request. Think of the NIS domain name as the name for a - group of hosts. + When a client broadcasts its requests for info, it + includes the name of the NIS domain + that it is part of. This is how multiple servers on one + network can tell which server should answer which request. + Think of the NIS domain name as the + name for a group of hosts. - Some organizations choose to use their Internet - domain name for their NIS domain name. This is not - recommended as it can cause confusion when trying to debug - network problems. The NIS domain name should be unique - within the network and it is helpful if it describes the - group of machines it represents. For example, the Art - department at Acme Inc. might be in the - acme-art NIS domain. This example - will use the domain name - test-domain. + Some organizations choose to use their Internet domain + name for their NIS domain name. This + is not recommended as it can cause confusion when trying + to debug network problems. The NIS + domain name should be unique within the network and it is + helpful if it describes the group of machines it + represents. For example, the Art department at Acme Inc. + might be in the acme-art + NIS domain. This example will use the + domain name test-domain. - However, some non-&os; operating systems require - the NIS domain name to be the same as the Internet domain name. If - one or more machines on the network have this - restriction, the Internet domain name must be used as the + However, some non-&os; operating systems require the + NIS domain name to be the same as the + Internet domain name. 
If one or more machines on the + network have this restriction, the Internet domain name + must be used as the NIS domain name. 
@@ -1324,69 +1331,71 @@ Exports list on foobar: Physical Server Requirements There are several things to keep in mind when choosing - a machine to use as a NIS server. Since - NIS clients depend upon the availability - of the server, choose a machine that is - not rebooted frequently. The NIS server should ideally be a stand - alone machine whose sole purpose is to be an NIS - server. If the network is not heavily used, it is - acceptable to put the NIS server on a machine running - other services. However, if the NIS server becomes - unavailable, it will adversely affect - all NIS clients. - - + a machine to use as a NIS server. + Since NIS clients depend upon the + availability of the server, choose a machine that is not + rebooted frequently. The NIS server + should ideally be a stand alone machine whose sole purpose + is to be an NIS server. If the network + is not heavily used, it is acceptable to put the + NIS server on a machine running other + services. However, if the NIS server + becomes unavailable, it will adversely affect all + NIS clients. + + Configuring the <acronym>NIS</acronym> Servers - The canonical copies of all NIS files are stored - on the master server. The - databases used to store the information are called NIS maps. - In &os;, these maps are stored in + The canonical copies of all NIS + files are stored on the master server. The databases used + to store the information are called NIS + maps. In &os;, these maps are stored in /var/yp/[domain name] where - [domain name] is the name of the NIS - domain. Since multiple - domains are supported, it is possible to have - several directories, one for each domain. - Each domain will have its own independent set of - maps. + [domain name] is the name of the + NIS domain. Since multiple domains are + supported, it is possible to have several directories, one + for each domain. Each domain will have its own independent + set of maps. 
- NIS master and slave servers handle all NIS requests - through &man.ypserv.8;. This daemon - is responsible for receiving - incoming requests from NIS clients, translating the + NIS master and slave servers handle + all NIS requests through &man.ypserv.8;. + This daemon is responsible for receiving incoming requests + from NIS clients, translating the requested domain and map name to a path to the corresponding database file, and transmitting data from the database back to the client. - Setting Up a <acronym>NIS</acronym> Master Server + Setting Up a <acronym>NIS</acronym> Master + Server NIS server configuration - Setting up a master NIS server can be relatively - straight forward, depending on environmental needs. Since &os; - provides built-in NIS support, it only needs - to be enabled by adding the following lines to + Setting up a master NIS server can + be relatively straight forward, depending on environmental + needs. Since &os; provides built-in + NIS support, it only needs to be + enabled by adding the following lines to /etc/rc.conf: nisdomainname="test-domain" - This line sets the NIS domain name to - test-domain. + This line sets the NIS domain + name to test-domain. nis_server_enable="YES" - This automates the start up of the NIS server - processes when the system - boots. + This automates the start up of the + NIS server processes when the + system boots. 
@@ -1399,56 +1408,61 @@ Exports list on foobar: - Depending on the NIS setup, additional entries may - be required. Refer to - if - the NIS server is also an NIS clients. + Depending on the NIS setup, + additional entries may be required. Refer to if the + NIS server is also an + NIS clients. After saving the edits, type - /etc/netstart to restart the network and - apply the values defined in - /etc/rc.conf. Before - initializing the NIS maps, start + /etc/netstart to restart the network + and apply the values defined in + /etc/rc.conf. Before initializing + the NIS maps, start &man.ypserv.8;: &prompt.root; service ypserv start - Initializing the <acronym>NIS</acronym> Maps + Initializing the <acronym>NIS</acronym> + Maps NIS maps - NIS maps are database files - stored in /var/yp. - They are generated from configuration files in - /etc on the NIS master, - with one exception: - /etc/master.passwd. This is to prevent the - propagation passwords to all the servers in the NIS domain. Therefore, - before the NIS maps are initialized, configure the primary - password files: + NIS maps are database files stored + in /var/yp. They + are generated from configuration files in /etc on the + NIS master, with one exception: + /etc/master.passwd. This is to + prevent the propagation passwords to all the servers in + the NIS domain. Therefore, before the + NIS maps are initialized, configure the + primary password files: &prompt.root; cp /etc/master.passwd /var/yp/master.passwd &prompt.root; cd /var/yp &prompt.root; vi master.passwd It is advisable to remove all entries for system - accounts as well as any user accounts - that do not need to be propagated to the NIS clients, such as - the root accounts. + accounts as well as any user accounts that do not need to + be propagated to the NIS clients, such + as the root accounts. Ensure that the /var/yp/master.passwd is neither - group or world readable by setting its permissions to 600. 
+ group or world readable by setting its permissions to + 600. When this task has been completed, it is time to - initialize the NIS maps. &os; includes the - &man.ypinit.8; script to do this. When generating + initialize the NIS maps. &os; includes + the &man.ypinit.8; script to do this. When generating maps for the master server, include - and specify the NIS domain name: + and specify the NIS + domain name: ellington&prompt.root; ypinit -m test-domain Server Type: MASTER Domain: test-domain @@ -1478,9 +1492,10 @@ ellington has been setup as an YP master server without any errors. created /var/yp/Makefile from /var/yp/Makefile.dist. When created, this file assumes that the operating environment is a - single server NIS system with only &os; machines. Since - test-domain has a slave server as well, - edit /var/yp/Makefile as well: + single server NIS system with only &os; + machines. Since test-domain has a + slave server as well, edit + /var/yp/Makefile as well: ellington&prompt.root; vi /var/yp/Makefile @@ -1492,20 +1507,23 @@ ellington has been setup as an YP master server without any errors. - Setting up a <acronym>NIS</acronym> Slave Server + Setting up a <acronym>NIS</acronym> Slave + Server NIS slave server - Setting up an NIS slave server is even more simple - than setting up the master. Log on to the slave server - and edit the file /etc/rc.conf as you - did before. The only difference is that we now must use - the option when running + Setting up an NIS slave server is + even more simple than setting up the master. Log on to + the slave server and edit the file + /etc/rc.conf as you did before. The + only difference is that we now must use the + option when running ypinit. The option - requires the name of the NIS master be passed to it as - well, so our command line looks like: + requires the name of the NIS master be + passed to it as well, so our command line looks + like: coltrane&prompt.root; ypinit -s ellington test-domain 
@@ -1564,38 +1582,39 @@ ypxfr: Exiting: Map successfully transferred coltrane has been setup as an YP slave server without any errors. Remember to update map ypservers on ellington. - There should be a directory called - /var/yp/test-domain. Copies of the - NIS master server's maps should be in this directory. - These files must always be up to date. The following - /etc/crontab entries on the slave - servers should do the job: + There should be a directory called + /var/yp/test-domain. Copies of the + NIS master server's maps should be in + this directory. These files must always be up to date. + The following /etc/crontab entries on + the slave servers should do the job: - 20 * * * * root /usr/libexec/ypxfr passwd.byname + 20 * * * * root /usr/libexec/ypxfr passwd.byname 21 * * * * root /usr/libexec/ypxfr passwd.byuid - These two lines force the slave to sync its maps with - the maps on the master server. These entries are not - mandatory because the master server automatically attempts - to push any map changes to its slaves; however, due to - the importance of correct password information on other - clients depending on the slave server, it is recommended - to specifically force the password map updates frequently. - This is especially important on busy networks where map - updates might not always complete. + These two lines force the slave to sync its maps with + the maps on the master server. These entries are not + mandatory because the master server automatically attempts + to push any map changes to its slaves; however, due to + the importance of correct password information on other + clients depending on the slave server, it is recommended + to specifically force the password map updates frequently. + This is especially important on busy networks where map + updates might not always complete. - Now, run the command /etc/netstart - on the slave server as well, which again starts the NIS - server. 
+ Now, run the command /etc/netstart + on the slave server as well, which again starts the NIS + server. Setting Up a <acronym>NIS</acronym> Client - An NIS client establishes what is called a binding to a - particular NIS server using the ypbind - daemon. The ypbind command checks the - system's default domain (as set by the + An NIS client establishes what is + called a binding to a particular NIS + server using the ypbind daemon. The + ypbind command checks the system's + default domain (as set by the domainname command), and begins broadcasting RPC requests on the local network. These requests specify the name of the domain for which @@ -1607,8 +1626,8 @@ Remember to update map ypservers on ellington. master and several slaves, for example), ypbind will use the address of the first one to respond. From that point on, the client system will - direct all of its NIS requests to that server. - ypbind will occasionally + direct all of its NIS requests to that + server. ypbind will occasionally ping the server to make sure it is still up and running. If it fails to receive a reply to one of its pings within a reasonable amount of time, @@ -1616,18 +1635,20 @@ Remember to update map ypservers on ellington. and begin broadcasting again in the hopes of locating another server. - - NIS - client configuration - - Setting up a FreeBSD machine to be a NIS client is - fairly straightforward. + NIS + client configuration + + + Setting up a FreeBSD machine to be a + NIS client is fairly + straightforward. Edit /etc/rc.conf and add the - following lines in order to set the NIS domain name and - start ypbind during network + following lines in order to set the + NIS domain name and start + ypbind during network startup: nisdomainname="test-domain" 
@@ -1636,7 +1657,8 @@ nis_client_enable="YES" To import all possible password entries from the - NIS server, remove all user accounts from the + NIS server, remove all user + accounts from the /etc/master.passwd file and use vipw to add the following line to the end of the file: @@ -1645,8 +1667,9 @@ nis_client_enable="YES" This line will afford anyone with a valid - account in the NIS server's password maps an - account. There are many ways to configure the NIS + account in the NIS server's + password maps an account. There are many ways to + configure the NIS client by changing this line. See the netgroups section below for more information. For @@ -1675,15 +1698,16 @@ nis_client_enable="YES" - To start the NIS client immediately, execute the - following commands as the superuser: + To start the NIS client + immediately, execute the following commands as the + superuser: &prompt.root; /etc/netstart &prompt.root; service ypbind start - After completing these steps, the command, - ypcat passwd, should show the - server's passwd map. + After completing these steps, the command, + ypcat passwd, should show the + server's passwd map. 
@@ -1691,13 +1715,13 @@ nis_client_enable="YES"<acronym>NIS</acronym> SecurityIn general, any remote user may issue an RPC to - &man.ypserv.8; and retrieve the contents of the NIS maps, - provided the remote user knows the domain name. To prevent - such unauthorized transactions, &man.ypserv.8; supports a - feature called securenets which can be used to - restrict access to a given set of hosts. At startup, - &man.ypserv.8; will attempt to load the securenets information - from a file called + &man.ypserv.8; and retrieve the contents of the + NIS maps, provided the remote user knows + the domain name. To prevent such unauthorized transactions, + &man.ypserv.8; supports a feature called + securenets which can be used to restrict access + to a given set of hosts. At startup, &man.ypserv.8; will + attempt to load the securenets information from a file called /var/yp/securenets. 
@@ -1742,30 +1766,31 @@ nis_client_enable="YES" firewall. Servers using /var/yp/securenets - may fail to serve legitimate NIS clients with archaic TCP/IP - implementations. Some of these implementations set all host - bits to zero when doing broadcasts and/or fail to observe - the subnet mask when calculating the broadcast address. - While some of these problems can be fixed by changing the - client configuration, other problems may force - the retirement of the client systems in question or the - abandonment of + may fail to serve legitimate NIS clients + with archaic TCP/IP implementations. Some of these + implementations set all host bits to zero when doing + broadcasts and/or fail to observe the subnet mask when + calculating the broadcast address. While some of these + problems can be fixed by changing the client configuration, + other problems may force the retirement of the client + systems in question or the abandonment of /var/yp/securenets. Using /var/yp/securenets on a server with such an archaic implementation of TCP/IP is a - really bad idea and will lead to loss of NIS functionality - for large parts of the network. + really bad idea and will lead to loss of + NIS functionality for large parts of the + network. TCP Wrappers The use of TCP Wrapper - increases the latency of the NIS server. The additional - delay may be long enough to cause timeouts in client - programs, especially in busy networks or with slow NIS - servers. If one or more of the client systems suffers from - these symptoms, convert the client systems in question into - NIS slave servers and force them to bind to - themselves. + increases the latency of the NIS server. + The additional delay may be long enough to cause timeouts in + client programs, especially in busy networks or with slow + NIS servers. If one or more of the client systems suffers + from these symptoms, convert the client systems in question + into NIS slave servers and force them to + bind to themselves. 
@@ -1774,21 +1799,23 @@ nis_client_enable="YES"In our lab, there is a machine basie that is supposed to be a faculty only workstation. We do not want - to take this machine out of the NIS domain, yet the - passwd file on the master NIS server - contains accounts for both faculty and students. What can we + to take this machine out of the NIS domain, + yet the passwd file on the master + NIS server contains accounts for both + faculty and students. What can we do?There is a way to bar specific users from logging on to a - machine, even if they are present in the NIS database. To do - this, add + machine, even if they are present in the + NIS database. To do this, add -username with the correct number of colons like other entries to the end of the /etc/master.passwd file on the client machine, where username is the username of the user to bar from logging in. The line with the blocked user must be before the + line - for allowing NIS users. This should preferably be done using + for allowing NIS users. This should + preferably be done using vipw, since vipw will sanity check the changes to /etc/master.passwd, as well as 
@@ -1849,12 +1876,12 @@ basie&prompt.root; each machine separately, thus losing the main benefit of NIS: centralized administration. - The NIS developers' solution for this problem is called - netgroups. Their purpose and semantics - can be compared to the normal groups used by &unix; file - systems. The main differences are the lack of a numeric ID - and the ability to define a netgroup by including both user - accounts and other netgroups. + The NIS developers' solution for this + problem is called netgroups. Their + purpose and semantics can be compared to the normal groups + used by &unix; file systems. The main differences are the + lack of a numeric ID and the ability to define a netgroup by + including both user accounts and other netgroups.Netgroups were developed to handle large, complex networks with hundreds of users and machines. On one hand, this is a @@ -1863,11 +1890,13 @@ basie&prompt.root; with really simple examples. The example used in the remainder of this section demonstrates this problem. - Let us assume that the successful introduction of NIS in - the laboratory caught a superiors' interest. The next task is - to extend the NIS domain to cover some of the other machines - on campus. The two tables contain the names of the new users - and new machines as well as brief descriptions of them. + Let us assume that the successful introduction of + NIS in the laboratory caught a superiors' + interest. The next task is to extend the + NIS domain to cover some of the other + machines on campus. The two tables contain the names of the + new users and new machines as well as brief descriptions of + them. 
@@ -1973,15 +2002,15 @@ basie&prompt.root; adding a new machine, login restrictions must be defined for all netgroups. If a new user is added, they must be added to one or more netgroups. Those changes are independent of each - other: no more - for each combination of user and machine do... - If the NIS setup is planned carefully, only one central - configuration file needs modification to grant or deny access - to machines. + other: no more for each combination of user and machine + do... If the NIS setup is + planned carefully, only one central configuration file needs + modification to grant or deny access to machines. - The first step is the initialization of the NIS map - netgroup. &os;'s &man.ypinit.8; does not create this map by - default, but its NIS implementation will support it after + The first step is the initialization of the + NIS map netgroup. &os;'s &man.ypinit.8; + does not create this map by default, but its + NIS implementation will support it after creation. To create an empty map, simply type ellington&prompt.root; vi /var/yp/netgroup @@ -2015,8 +2044,9 @@ INTERNS (,able,test-domain) (,baker,test-domain) - The NIS domain for the account. Accounts may be - imported from other NIS domains into a netgroup. + The NIS domain for the account. + Accounts may be imported from other NIS + domains into a netgroup. 
@@ -2027,18 +2057,19 @@ INTERNS (,able,test-domain) (,baker,test-domain) netgroups Netgroup names longer than 8 characters should not be used, especially with machines running other operating - systems within the NIS domain. The names are case - sensitive; using capital letters for netgroup names is an - easy way to distinguish between user, machine and netgroup - names. + systems within the NIS domain. The names + are case sensitive; using capital letters for netgroup names + is an easy way to distinguish between user, machine and + netgroup names. - Some NIS clients (other than &os;) cannot handle - netgroups with a large number of entries. For example, some - older versions of &sunos; start to cause trouble if a - netgroup contains more than 15 entries. - This limit may be circumvented by creating several - sub-netgroups with 15 users or fewer and a real netgroup - consisting of the sub-netgroups: + Some NIS clients (other than &os;) + cannot handle netgroups with a large number of entries. For + example, some older versions of &sunos; start to cause + trouble if a netgroup contains more than 15 + entries. This limit may be + circumvented by creating several sub-netgroups with 15 users + or fewer and a real netgroup consisting of the + sub-netgroups: BIGGRP1 (,joe1,domain) (,joe2,domain) (,joe3,domain) [...] BIGGRP2 (,joe16,domain) (,joe17,domain) [...] @@ -2049,8 +2080,8 @@ BIGGROUP BIGGRP1 BIGGRP2 BIGGRP3 within a single netgroup. - Activating and distributing the new NIS map is - easy: + Activating and distributing the new + NIS map is easy: ellington&prompt.root; cd /var/yp ellington&prompt.root; make @@ -2059,7 +2090,8 @@ ellington&prompt.root; make netgroup, netgroup.byhost and netgroup.byuser. Use &man.ypcat.1; to - check if the new NIS maps are available: + check if the new NIS maps are + available: ellington&prompt.user; ypcat -k netgroup ellington&prompt.user; ypcat -k netgroup.byhost 
@@ -2119,12 +2151,13 @@ ellington&prompt.user; ypcat -k netgroup.byuser shell. - After this change, the NIS map will only need modification - when a new employee joins the IT department. A similar - approach for the less important servers may be used by - replacing the old +::::::::: in their local - version of /etc/master.passwd with - something like this: + After this change, the NIS map will + only need modification when a new employee joins the IT + department. A similar approach for the less important servers + may be used by replacing the old +::::::::: + in their local version of + /etc/master.passwd with something like + this: +@IT_EMP::::::::: +@IT_APP::::::::: @@ -2157,8 +2190,9 @@ ellington&prompt.user; ypcat -k netgroup.byuser important servers and a third netgroup called USERBOX for the normal workstations. Each of these netgroups contains the netgroups that are allowed to - login onto these machines. The new entries for the NIS map - netgroup should look like this: + login onto these machines. The new entries for the + NIS map netgroup should look like + this: BIGSRV IT_EMP IT_APP SMALLSRV IT_EMP IT_APP ITINTERN @@ -2188,9 +2222,10 @@ USERBOX IT_EMP ITINTERN USERS Once this task is completed on all the machines, there is no longer a need to modify the local versions of /etc/master.passwd ever again. All - further changes can be handled by modifying the NIS map. Here - is an example of a possible netgroup map for this scenario - with some additional goodies: + further changes can be handled by modifying the + NIS map. Here is an example of a possible + netgroup map for this scenario with some additional + goodies: # Define groups of users first IT_EMP (,alpha,test-domain) (,beta,test-domain) 
@@ -2237,8 +2272,8 @@ TWO (,hotel,test-domain) to use machine-based netgroups. When deploying a couple of dozen or even hundreds of identical machines for student labs, role-based netgroups instead of machine-based netgroups may be - used to keep the size of the NIS map within reasonable - limits. + used to keep the size of the NIS map within + reasonable limits. @@ -2251,12 +2286,12 @@ TWO (,hotel,test-domain) Every time a new user is added to the lab, they must - be added to the master NIS server and the - NIS maps will need rebuilt. If this - step is omitted, the new user will not be able to login - anywhere except on the NIS master. For example, if we - needed to add a new user jsmith to - the lab, we would: + be added to the master NIS server and + the NIS maps will need rebuilt. If + this step is omitted, the new user will not be able to + login anywhere except on the NIS + master. For example, if we needed to add a new user + jsmith to the lab, we would: &prompt.root; pw useradd jsmith &prompt.root; cd /var/yp 
@@ -2269,24 +2304,24 @@ TWO (,hotel,test-domain) Keep the administration accounts out of the - NIS maps. This is undesirable as it will - create a security risk. These users and passwords should - not be propagated to all machines. Especially if these - machines will have users whom should not have access to - those accounts. + NIS maps. This is + undesirable as it will create a security risk. These + users and passwords should not be propagated to all + machines. Especially if these machines will have users + whom should not have access to those accounts. - Keep the NIS master and slave secure, and - minimize their downtime. If somebody either - hacks or simply turns off these machines, they have - effectively rendered many people without the ability to - login to the lab. + Keep the NIS master and + slave secure, and minimize their downtime. + If somebody either hacks or simply turns off these + machines, they have effectively rendered many people + without the ability to login to the lab. This is the chief weakness of any centralized - administration system. If the NIS servers are not - protected, there will be a lot of angry users and - unhappy management! + administration system. If the NIS + servers are not protected, there will be a lot of angry + users and unhappy management! 
@@ -2295,31 +2330,35 @@ TWO (,hotel,test-domain) <acronym>NIS</acronym> v1 Compatibility &os;'s ypserv has some support - for serving NIS v1 clients. &os;'s NIS implementation only - uses the NIS v2 protocol; however, other implementations - include support for the v1 protocol for backwards - compatibility with older systems. The + for serving NIS v1 clients. &os;'s + NIS implementation only uses the + NIS v2 protocol; however, other + implementations include support for the v1 protocol for + backwards compatibility with older systems. The ypbind daemons supplied with these - systems will attempt to establish a binding to an NIS v1 - server even though they may never actually need it (and they - may persist in broadcasting in search of one even after they - receive a response from a v2 server). Note that while support - for normal client calls is provided, this version of + systems will attempt to establish a binding to an + NISv1 server even though they may never + actually need it (and they may persist in broadcasting in + search of one even after they receive a response from a v2 + server). Note that while support for normal client calls is + provided, this version of ypserv does not handle v1 map transfer requests. Additionally, it cannot be used as a - master or slave in conjunction with older NIS servers that - only support the v1 protocol. Fortunately, there probably are - not any such servers still in use today. + master or slave in conjunction with older + NIS servers that only support the v1 + protocol. Fortunately, there probably are not any such + servers still in use today. - <acronym>NIS</acronym> Servers That Are Also <acronym>NIS</acronym> Clients + <acronym>NIS</acronym> Servers That Are Also + <acronym>NIS</acronym> Clients Care must be taken when running ypserv in a multi-server domain - where the server machines are also NIS clients. 
It is - generally a good idea to force the servers to bind to - themselves rather than allowing them to broadcast bind + where the server machines are also NIS + clients. It is generally a good idea to force the servers to + bind to themselves rather than allowing them to broadcast bind requests and possibly become bound to each other. Strange failure modes can result if one server goes down and others are dependent upon it. Eventually all the clients will time @@ -2348,11 +2387,13 @@ nis_client_flags="-S NIS domain,serverpassword formats One of the most common issues that people run into when - trying to implement NIS is password format compatibility. If - the NIS server is using DES encrypted passwords, it will only - support clients that are also using DES. For example, if any - &solaris; NIS clients exist on the network, there is a highly - likelihood DES must be used for encrypted passwords. + trying to implement NIS is password format + compatibility. If the NIS server is using + DES encrypted passwords, it will only support clients that are + also using DES. For example, if any &solaris; + NIS clients exist on the network, there is + a highly likelihood DES must be used for encrypted + passwords. To check which format the servers and clients are using, look at /etc/login.conf. If the host is 
@@ -2396,13 +2437,14 @@ nis_client_flags="-S NIS domain,servercrypt_default = des blf md5 Having followed the above steps on each of the &os; based - NIS servers and clients, verify that they all agree on which - password format is used within the network. If users have - trouble authenticating on an NIS client, this is a pretty good - place to start looking for possible problems. Remember: to - deploy an NIS server for a heterogeneous network, they will - probably have to use DES on all systems because it is the - lowest common standard. + NIS servers and clients, verify that they + all agree on which password format is used within the network. + If users have trouble authenticating on an + NIS client, this is a pretty good place to + start looking for possible problems. Remember: to deploy an + NIS server for a heterogeneous network, + they will probably have to use DES on all systems because it + is the lowest common standard. 
@@ -2777,32 +2819,33 @@ result: 0 Success --> Automatic Network Configuration (DHCP) - - Dynamic Host Configuration Protocol - DHCP - - - Internet Systems Consortium (ISC) - - DHCP, the Dynamic Host Configuration Protocol, describes - the means by which a system can connect to a network and - obtain the necessary information for communication upon that - network. FreeBSD uses the OpenBSD dhclient - taken from OpenBSD 3.7. All information here regarding - dhclient is for use with either of the ISC - or OpenBSD DHCP clients. The DHCP server is the one included - in the ISC distribution. + + Dynamic Host Configuration Protocol + DHCP + + + Internet Systems Consortium (ISC) + - This section describes both the client-side components of - the ISC and OpenBSD DHCP client and server-side components of - the ISC DHCP system. The client-side program, - dhclient, comes integrated within FreeBSD, - and the server-side portion is available from the net/isc-dhcp42-server port. The - &man.dhclient.8;, &man.dhcp-options.5;, and - &man.dhclient.conf.5; manual pages, in addition to the - references below, are useful resources. + DHCP, the Dynamic Host Configuration Protocol, describes + the means by which a system can connect to a network and + obtain the necessary information for communication upon that + network. FreeBSD uses the OpenBSD dhclient + taken from OpenBSD 3.7. All information here regarding + dhclient is for use with either of the ISC + or OpenBSD DHCP clients. The DHCP server is the one included + in the ISC distribution. + + This section describes both the client-side components of + the ISC and OpenBSD DHCP client and server-side components of + the ISC DHCP system. The client-side program, + dhclient, comes integrated within FreeBSD, + and the server-side portion is available from the net/isc-dhcp42-server port. The + &man.dhclient.8;, &man.dhcp-options.5;, and + &man.dhclient.conf.5; manual pages, in addition to the + references below, are useful resources. 
How It Works @@ -4682,26 +4725,26 @@ $include Kexample.com.+005+nnnnn.ZSK.key ; ZSK setting up Apache - &os; is used to run some of the busiest web sites in the - world. The majority of web servers on the Internet are using - the Apache HTTP Server. - Apache software packages should be - included on the &os; installation media. If - Apache was not installed while - installing &os;, then it can be installed from the - www/apache22 port. + &os; is used to run some of the busiest web sites in the + world. The majority of web servers on the Internet are using + the Apache HTTP Server. + Apache software packages should be + included on the &os; installation media. If + Apache was not installed while + installing &os;, then it can be installed from the + www/apache22 port. - Once Apache has been installed - successfully, it must be configured. + Once Apache has been installed + successfully, it must be configured. - - This section covers version 2.2.X of the - Apache HTTP Server as that is the - most widely used version for &os;. For more detailed - information beyond the scope of this document about - Apache 2.X, please see - . - + + This section covers version 2.2.X of the + Apache HTTP Server as that is the + most widely used version for &os;. For more detailed + information beyond the scope of this document about + Apache 2.X, please see + . + Configuration 
@@ -5169,15 +5212,15 @@ DocumentRoot /www/someotherdomain.tld FTP servers - The File Transfer Protocol (FTP) provides users with a - simple way to transfer files to and from an - FTP server. - &os; includes - FTP server - software, ftpd, in the base system. - This makes setting up and administering an - FTP server on - FreeBSD very straightforward. + The File Transfer Protocol (FTP) provides users with a + simple way to transfer files to and from an + FTP server. + &os; includes FTP server + software, ftpd, in the base system. + This makes setting up and administering an + FTP server on + FreeBSD very straightforward. Configuration @@ -5317,18 +5360,18 @@ DocumentRoot /www/someotherdomain.tld Windows clients - Samba is a popular open source - software package that provides file and print services for - µsoft.windows; clients. Such clients can connect to and - use &os; filespace as if it was a local disk drive, or - &os; printers as if they were local printers. + Samba is a popular open source + software package that provides file and print services for + µsoft.windows; clients. Such clients can connect to and + use &os; filespace as if it was a local disk drive, or + &os; printers as if they were local printers. - Samba software packages should - be included on the &os; installation media. If they were not - installed when first installing &os;, then they may be - installed from the - net/samba34 port or - package. + Samba software packages should + be included on the &os; installation media. If they were not + installed when first installing &os;, then they may be + installed from the net/samba34 port or + package. 
@@ -5582,30 +5625,30 @@ Starting smbd. NTP - Over time, a computer's clock is prone to drift. The - Network Time Protocol (NTP) is one way to ensure the clock - stays accurate. + Over time, a computer's clock is prone to drift. The + Network Time Protocol (NTP) is one way to ensure the clock + stays accurate. - Many Internet services rely on, or greatly benefit from, - computers' clocks being accurate. For example, a web server - may receive requests to send a file if it has been modified - since a certain time. In a local area network environment, it - is essential that computers sharing files from the same file - server have synchronized clocks so that file timestamps stay - consistent. Services such as &man.cron.8; also rely on an - accurate system clock to run commands at the specified - times. + Many Internet services rely on, or greatly benefit from, + computers' clocks being accurate. For example, a web server + may receive requests to send a file if it has been modified + since a certain time. In a local area network environment, it + is essential that computers sharing files from the same file + server have synchronized clocks so that file timestamps stay + consistent. Services such as &man.cron.8; also rely on an + accurate system clock to run commands at the specified + times. - - NTP - ntpd - - &os; ships with the &man.ntpd.8; - NTP server - which can be used to query other - NTP servers to - set the clock on the machine or provide time services to - others. + NTP + ntpd + + + &os; ships with the &man.ntpd.8; + NTP server + which can be used to query other + NTP servers to + set the clock on the machine or provide time services to + others. Choosing Appropriate NTP Servers 
@@ -6159,8 +6202,8 @@ Logging to FILE /var/log/messages the daemon. Simple ctl.conf(5) - configuration file might look like this: + url="http://www.freebsd.org/cgi/man.cgi?query=ctl.conf&sektion=5&manpath=FreeBSD+10-current">ctl.conf(5) + configuration file might look like this: portal-group pg0 { discovery-auth-group no-authentication @@ -6212,8 +6255,8 @@ target iqn.2012-06.com.example:target0 { Second line ("portal-group pg0") makes the target reachable through the "pg0" portal group. - After that come LUNs. To the initiator, each LUN will be - visible as a separate disk device - e.g. + After that come LUNs. To the initiator, each LUN will + be visible as a separate disk device - e.g. /dev/da0, /dev/da1 etc. There may be multiple LUNs defined for each target. LUNs are identified by numbers; LUN 0 is mandatory. First @@ -6224,9 +6267,9 @@ target iqn.2012-06.com.example:target0 { Second line is optional and specifies the size. To make sure ctld(8) - daemon is started at boot, one needs to add the following line - to /etc/rc.conf: + url="http://www.freebsd.org/cgi/man.cgi?query=ctld&sektion=8&manpath=FreeBSD+10-current">ctld(8) + daemon is started at boot, one needs to add the following + line to /etc/rc.conf: ctld_enable="YES" @@ -6237,14 +6280,14 @@ target iqn.2012-06.com.example:target0 { &prompt.root; service ctld start - The ctld(8) - daemon reads ctl.conf(5) - file when started. To make configuration changes take effect - immediately, force ctld(8) - to reread it: + The ctld(8) + daemon reads ctl.conf(5) + file when started. To make configuration changes take + effect immediately, force ctld(8) + to reread it: &prompt.root; service ctld reload 
@@ -6314,10 +6357,11 @@ target iqn.2012-06.com.example:target0 { The iSCSI initiator requires iscsid(8) - daemon to run. It does not use any kind of configuration file. - To make sure it gets started automatically at boot, add the - following line to /etc/rc.conf: + url="http://www.freebsd.org/cgi/man.cgi?query=iscsid&sektion=8&manpath=FreeBSD+10-current">iscsid(8) + daemon to run. It does not use any kind of configuration + file. To make sure it gets started automatically at boot, add + the following line to + /etc/rc.conf: iscsid_enable="YES" @@ -6371,6 +6415,7 @@ iqn.2012-06.com.example:target0 10.10.10.10 Waiting for iscs Target name Target addr State iqn.2012-06.com.example:target0 10.10.10.11 Connection refused + The following means the specified target name was wrong:
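Review bot: In the hunk at @@ -2295,31 +2330,35 @@ (NIS v1 Compatibility), the re-wrapped sentence now reads "a binding to an NISv1 server", where the removed lines read "NIS v1 server", so the space between the acronym and the version has been lost in the rendered text. The same hunk still has "NIS v1 clients" and "NIS v2 protocol" with the space. Since the commit message says this is a white space fix that translators can ignore, please restore the separator so the rendered output is unchanged.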
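Review bot: In the hunk at @@ -2269,24 +2304,24 @@, the sentence after "Keep the administration accounts out of the NIS maps." is carried over as "This is undesirable as it will create a security risk.", and "This" has no clear referent, so it can be read as saying that keeping the accounts out is the risk. The next sentences ("These users and passwords should not be propagated to all machines") show the intent is the opposite. As this commit is white space only, a follow-up content commit could say that propagating those accounts is what creates the risk, and fix "users whom should not have access" at the same time.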
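Review bot: In the hunk at @@ -2348,11 +2387,13 @@, the re-wrapped paragraph keeps the phrase "there is a highly likelihood DES must be used for encrypted passwords", which is ungrammatical in both the removed and the added lines. Leaving it alone is correct for a commit that translators are told to ignore, but it should be queued for a separate content change ("a high likelihood"), so the wording fix is not hidden inside a re-indent.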