<?xml version="1.0" encoding="iso-8859-1"?>
<!--
     The FreeBSD Documentation Project

     $FreeBSD$
-->
<chapter xmlns="http://docbook.org/ns/docbook"
  xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0"
  xml:id="network-servers">
  <!--
  <chapterinfo>
    <authorgroup>
      <author>
        <firstname>Murray</firstname>
        <surname>Stokely</surname>
        <contrib>Reorganized by in July 2004</contrib>
      </author>
    </authorgroup>
  </chapterinfo>
  -->

  <title>Network Servers</title>

  <sect1 xml:id="network-servers-synopsis">
    <title>Synopsis</title>

    <para>This chapter covers some of the more frequently used network
      services on &unix; systems.  This includes installing,
      configuring, testing, and maintaining many different types of
      network services.  Example configuration files are included
      throughout this chapter for reference.</para>

    <para>By the end of this chapter, readers will know:</para>

    <itemizedlist>
      <listitem>
        <para>How to manage the <application>inetd</application>
          daemon.</para>
      </listitem>

      <listitem>
        <para>How to set up the Network File System
          (<acronym>NFS</acronym>).</para>
      </listitem>

      <listitem>
        <para>How to set up the Network Information Service
          (<acronym>NIS</acronym>) for centralizing and sharing
          user accounts.</para>
      </listitem>

      <listitem>
        <para>How to set &os; up to act as an <acronym>LDAP</acronym>
          server or client.</para>
      </listitem>

      <listitem>
        <para>How to set up automatic network settings using
          <acronym>DHCP</acronym>.</para>
      </listitem>

      <listitem>
        <para>How to set up a Domain Name System
          (<acronym>DNS</acronym>) server.</para>
      </listitem>

      <listitem>
        <para>How to set up the <application>Apache</application>
          <acronym>HTTP</acronym> Server.</para>
      </listitem>

      <listitem>
        <para>How to set up a File Transfer Protocol
          (<acronym>FTP</acronym>) server.</para>
      </listitem>

      <listitem>
        <para>How to set up a file and print server for &windows;
          clients using <application>Samba</application>.</para>
      </listitem>

      <listitem>
        <para>How to synchronize the time and date, and set up a
          time server using the Network Time Protocol
          (<acronym>NTP</acronym>).</para>
      </listitem>

      <listitem>
        <para>How to set up <acronym>iSCSI</acronym>.</para>
      </listitem>
    </itemizedlist>

    <para>This chapter assumes a basic knowledge of:</para>

    <itemizedlist>
      <listitem>
        <para><filename>/etc/rc</filename> scripts.</para>
      </listitem>

      <listitem>
        <para>Network terminology.</para>
      </listitem>

      <listitem>
        <para>Installation of additional third-party
          software (<xref linkend="ports"/>).</para>
      </listitem>
    </itemizedlist>
  </sect1>

  <sect1 xml:id="network-inetd">
    <title>The <application>inetd</application>
      Super-Server</title>

    <!--
    <sect1info>
      <authorgroup>
        <author>
          <firstname>Chern</firstname>
          <surname>Lee</surname>
          <contrib>Contributed by </contrib>
        </author>
      </authorgroup>
      <authorgroup>
        <author>
          <contrib>Updated by </contrib>
          <othername>The &os; Documentation Project</othername>
        </author>
      </authorgroup>
    </sect1info>
    -->

    <para>The &man.inetd.8; daemon is sometimes referred to as a
      Super-Server because it manages connections for many services.
      Instead of starting multiple applications, only the
      <application>inetd</application> service needs to be started.
      When a connection is received for a service that is managed by
      <application>inetd</application>, it determines which program
      the connection is destined for, spawns a process for that
      program, and hands that program the socket.  Using
      <application>inetd</application> for services that are not
      heavily used can reduce system load, when compared to running
      each daemon individually in stand-alone mode.</para>

    <para>Primarily, <application>inetd</application> is used to
      spawn other daemons, but several trivial protocols are handled
      internally, such as <application>chargen</application>,
      <application>auth</application>,
      <application>time</application>,
      <application>echo</application>,
      <application>discard</application>, and
      <application>daytime</application>.</para>

    <para>This section covers the basics of configuring
      <application>inetd</application>.</para>

    <sect2 xml:id="network-inetd-conf">
      <title>Configuration File</title>

      <para>Configuration of <application>inetd</application> is
        done by editing <filename>/etc/inetd.conf</filename>.  Each
        line of this configuration file represents an application
        which can be started by <application>inetd</application>.  By
        default, every line starts with a comment
        (<literal>#</literal>), meaning that
        <application>inetd</application> is not listening for any
        applications.  To configure <application>inetd</application>
        to listen for an application's connections, remove the
        <literal>#</literal> at the beginning of the line for that
        application.</para>

      <para>After saving your edits, configure
        <application>inetd</application> to start at system boot by
        editing <filename>/etc/rc.conf</filename>:</para>

      <programlisting>inetd_enable="YES"</programlisting>

      <para>To start <application>inetd</application> now, so that it
        listens for the service you configured, type:</para>

      <screen>&prompt.root; <userinput>service inetd start</userinput></screen>

      <para>Once <application>inetd</application> is started, it needs
        to be notified whenever a modification is made to
        <filename>/etc/inetd.conf</filename>:</para>

      <example xml:id="network-inetd-reread">
        <title>Reloading the <application>inetd</application>
          Configuration File</title>

        <screen>&prompt.root; <userinput>service inetd reload</userinput></screen>
      </example>

      <para>Typically, the default entry for an application does not
        need to be edited beyond removing the <literal>#</literal>.
        In some situations, it may be appropriate to edit the default
        entry.</para>

      <para>As an example, this is the default entry for &man.ftpd.8;
        over IPv4:</para>

      <programlisting>ftp     stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l</programlisting>

      <para>The seven columns in an entry are as follows:</para>

      <programlisting>service-name
socket-type
protocol
{wait|nowait}[/max-child[/max-connections-per-ip-per-minute[/max-child-per-ip]]]
user[:group][/login-class]
server-program
server-program-arguments</programlisting>

      <para>where:</para>

      <variablelist>
        <varlistentry>
          <term>service-name</term>

          <listitem>
            <para>The service name of the daemon to start.  It must
              correspond to a service listed in
              <filename>/etc/services</filename>.  This determines
              which port <application>inetd</application> listens on
              for incoming connections to that service.  When using a
              custom service, it must first be added to
              <filename>/etc/services</filename>.</para>
          </listitem>
        </varlistentry>

        <varlistentry>
          <term>socket-type</term>

          <listitem>
            <para>Either <literal>stream</literal>,
              <literal>dgram</literal>, <literal>raw</literal>, or
              <literal>seqpacket</literal>.  Use
              <literal>stream</literal> for TCP connections and
              <literal>dgram</literal> for
              <acronym>UDP</acronym> services.</para>
          </listitem>
        </varlistentry>

        <varlistentry>
          <term>protocol</term>

          <listitem>
            <para>Use one of the following protocol names:</para>

            <informaltable frame="none" pgwide="1">
              <tgroup cols="2">
                <thead>
                  <row>
                    <entry>Protocol Name</entry>
                    <entry>Explanation</entry>
                  </row>
                </thead>

                <tbody>
                  <row>
                    <entry>tcp or tcp4</entry>
                    <entry>TCP IPv4</entry>
                  </row>

                  <row>
                    <entry>udp or udp4</entry>
                    <entry><acronym>UDP</acronym> IPv4</entry>
                  </row>

                  <row>
                    <entry>tcp6</entry>
                    <entry>TCP IPv6</entry>
                  </row>

                  <row>
                    <entry>udp6</entry>
                    <entry><acronym>UDP</acronym> IPv6</entry>
                  </row>

                  <row>
                    <entry>tcp46</entry>
                    <entry>Both TCP IPv4 and IPv6</entry>
                  </row>

                  <row>
                    <entry>udp46</entry>
                    <entry>Both <acronym>UDP</acronym> IPv4 and
                      IPv6</entry>
                  </row>
                </tbody>
              </tgroup>
            </informaltable>
          </listitem>
        </varlistentry>

        <varlistentry>
          <term>{wait|nowait}[/max-child[/max-connections-per-ip-per-minute[/max-child-per-ip]]]</term>

          <listitem>
            <para>In this field, <option>wait</option> or
              <option>nowait</option> must be specified.
              <option>max-child</option>,
              <option>max-connections-per-ip-per-minute</option> and
              <option>max-child-per-ip</option> are optional.</para>

            <para><option>wait|nowait</option> indicates whether or
              not the service is able to handle its own socket.
              <option>dgram</option> socket types must use
              <option>wait</option>, while
              <option>stream</option> daemons, which are usually
              multi-threaded, should use <option>nowait</option>.
              <option>wait</option> usually hands off multiple sockets
              to a single daemon, while <option>nowait</option> spawns
              a child daemon for each new socket.</para>

            <para>The maximum number of child daemons
              <application>inetd</application> may spawn is set by
              <option>max-child</option>.  For example, to limit the
              daemon to ten instances, place a <literal>/10</literal>
              after <option>nowait</option>.  Specifying
              <literal>/0</literal> allows an unlimited number of
              children.</para>

            <para><option>max-connections-per-ip-per-minute</option>
              limits the number of connections from any particular
              <acronym>IP</acronym> address per minute.  Once the
              limit is reached, further connections from this IP
              address will be dropped until the end of the minute.
              For example, a value of <literal>/10</literal> would
              limit any particular <acronym>IP</acronym> address to
              ten connection attempts per minute.
              <option>max-child-per-ip</option> limits the number of
              child processes that can be started on behalf of any
              single <acronym>IP</acronym> address at any moment.
              These options can limit excessive resource consumption
              and help to mitigate denial-of-service attacks.</para>

            <para>An example can be seen in the default settings for
              &man.fingerd.8;:</para>

            <programlisting>finger  stream  tcp     nowait/3/10  nobody  /usr/libexec/fingerd    fingerd -k -s</programlisting>
          </listitem>
        </varlistentry>

        <varlistentry>
          <term>user</term>

          <listitem>
            <para>The username the daemon
              will run as.  Daemons typically run as
              <systemitem class="username">root</systemitem>,
              <systemitem class="username">daemon</systemitem>, or
              <systemitem class="username">nobody</systemitem>.
              Use the least privileged account the daemon can
              function with, since this bounds what a compromised
              daemon can do.</para>
          </listitem>
        </varlistentry>

        <varlistentry>
          <term>server-program</term>

          <listitem>
            <para>The full path to the daemon.  If the daemon is a
              service provided by <application>inetd</application>
              internally, use <option>internal</option>.</para>
          </listitem>
        </varlistentry>

        <varlistentry>
          <term>server-program-arguments</term>

          <listitem>
            <para>Used to specify any command arguments to be passed
              to the daemon on invocation.  If the daemon is an
              internal service, use
              <option>internal</option>.</para>
          </listitem>
        </varlistentry>
      </variablelist>
    </sect2>

    <sect2 xml:id="network-inetd-cmdline">
      <title>Command-Line Options</title>

      <para>Like most server daemons, <application>inetd</application>
        has a number of options that can be used to modify its
        behavior.  By default, <application>inetd</application> is
        started with <literal>-wW -C 60</literal>.  These options
        enable TCP wrappers for all services
        (<option>-w</option> for external services and
        <option>-W</option> for the services
        <application>inetd</application> handles internally), and
        prevent any <acronym>IP</acronym> address from
        requesting any service more than 60 times per minute.</para>

      <para>To change the default options which are passed to
        <application>inetd</application>, add an entry for
        <literal>inetd_flags</literal> in
        <filename>/etc/rc.conf</filename>.  If
        <application>inetd</application> is already running, restart
        it with <command>service inetd restart</command>.</para>

      <para>The available rate limiting options are:</para>

      <variablelist>
        <varlistentry>
          <term>-c maximum</term>

          <listitem>
            <para>Specify the default maximum number of simultaneous
              invocations of each service, where the default is
              unlimited.  May be overridden on a per-service basis by
              using <option>max-child</option> in
              <filename>/etc/inetd.conf</filename>.</para>
          </listitem>
        </varlistentry>

        <varlistentry>
          <term>-C rate</term>

          <listitem>
            <para>Specify the default maximum number of times a
              service can be invoked from a single
              <acronym>IP</acronym> address per minute.  May be
              overridden on a per-service basis by using
              <option>max-connections-per-ip-per-minute</option> in
              <filename>/etc/inetd.conf</filename>.</para>
          </listitem>
        </varlistentry>

        <varlistentry>
          <term>-R rate</term>

          <listitem>
            <para>Specify the maximum number of times a service can be
              invoked in one minute, where the default is
              <literal>256</literal>.  A rate of <literal>0</literal>
              allows an unlimited number.</para>
          </listitem>
        </varlistentry>

        <varlistentry>
          <term>-s maximum</term>

          <listitem>
            <para>Specify the maximum number of times a service can be
              invoked from a single <acronym>IP</acronym> address at
              any one time, where the default is unlimited.  May be
              overridden on a per-service basis by using
              <option>max-child-per-ip</option> in
              <filename>/etc/inetd.conf</filename>.</para>
          </listitem>
        </varlistentry>
      </variablelist>

      <para>Additional options are available.  Refer to &man.inetd.8;
        for the full list of options.</para>
    </sect2>
454 |
|
454 |
|
455 |
<sect2 xml:id="network-inetd-security"> |
455 |
<sect2 xml:id="network-inetd-security"> |
456 |
<title>Security Considerations</title> |
456 |
<title>Security Considerations</title> |
457 |
|
457 |
|
458 |
<para>Many of the daemons which can be managed by |
458 |
<para>Many of the daemons which can be managed by |
459 |
<application>inetd</application> are not security-conscious. |
459 |
<application>inetd</application> are not security-conscious. |
460 |
Some daemons, such as <application>fingerd</application>, can |
460 |
Some daemons, such as <application>fingerd</application>, can |
461 |
provide information that may be useful to an attacker. Only |
461 |
provide information that may be useful to an attacker. Only |
462 |
enable the services which are needed and monitor the system |
462 |
enable the services which are needed and monitor the system |
463 |
for excessive connection attempts. |
463 |
for excessive connection attempts. |
464 |
<literal>max-connections-per-ip-per-minute</literal>, |
464 |
<literal>max-connections-per-ip-per-minute</literal>, |
465 |
<literal>max-child</literal> and |
465 |
<literal>max-child</literal> and |
466 |
<literal>max-child-per-ip</literal> can be used to limit such |
466 |
<literal>max-child-per-ip</literal> can be used to limit such |
467 |
attacks.</para> |
467 |
attacks.</para> |
468 |
|
468 |
|
469 |
<para>By default, TCP wrappers is enabled. Consult |
469 |
<para>By default, TCP wrappers is enabled. Consult |
470 |
&man.hosts.access.5; for more information on placing TCP |
470 |
&man.hosts.access.5; for more information on placing TCP |
471 |
restrictions on various |
471 |
restrictions on various |
472 |
<application>inetd</application> invoked daemons.</para> |
472 |
<application>inetd</application> invoked daemons.</para> |
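      <para>As an added example, not code from the Handbook, the
        following shell function counts connections per source
        address, service and calendar minute in
        <application>inetd</application> log lines, so that excessive
        connection attempts can be spotted and a sensible
        <literal>max-connections-per-ip-per-minute</literal> value
        chosen from real traffic. The log line format and the sample
        lines are assumptions constructed for this example.</para>

```shell
#!/bin/sh
# Added example, not code from the Handbook: count connections per source
# address, service and calendar minute in inetd log lines read on stdin and
# print every (address, service, minute) whose count exceeds LIMIT.
# The line format is an assumption made for this example; compare it with
# the lines your own syslog writes before relying on the field positions:
#   Mon DD HH:MM:SS host inetd[PID]: connection from IP, service NAME (proto)
# Output: "IP NAME HH:MM COUNT", one line per offender, sorted.
inetd_rate_check() {
    limit=${1:?usage: inetd_rate_check LIMIT}
    awk -v limit="$limit" '
        /inetd\[[0-9]+\]: connection from / {
            ip = $8; sub(/,$/, "", ip)       # "10.0.0.5," becomes "10.0.0.5"
            svc = $10
            minute = substr($3, 1, 5)        # HH:MM bucket of the timestamp
            n[ip " " svc " " minute]++
        }
        END { for (k in n) if (n[k] > limit) print k, n[k] }
    ' | sort
}

# Constructed sample log. The sshd line shows that unrelated entries are
# ignored; 10.0.0.5 opens telnet five times within the 10:15 minute.
SAMPLE_LOG='Jan  5 10:15:01 gw inetd[712]: connection from 10.0.0.5, service telnet (tcp)
Jan  5 10:15:02 gw inetd[712]: connection from 10.0.0.6, service telnet (tcp)
Jan  5 10:15:02 gw inetd[712]: connection from 10.0.0.5, service telnet (tcp)
Jan  5 10:15:03 gw inetd[712]: connection from 10.0.0.5, service telnet (tcp)
Jan  5 10:15:05 gw inetd[712]: connection from 10.0.0.5, service telnet (tcp)
Jan  5 10:15:09 gw inetd[712]: connection from 10.0.0.6, service telnet (tcp)
Jan  5 10:15:40 gw inetd[712]: connection from 10.0.0.5, service telnet (tcp)
Jan  5 10:16:12 gw inetd[712]: connection from 10.0.0.5, service ftp (tcp)
Jan  5 10:16:20 gw sshd[800]: Accepted publickey for alice from 10.0.0.9 port 5022'

# Report anything above three connections per minute from one address to one
# service, the kind of threshold max-connections-per-ip-per-minute would then
# enforce in /etc/inetd.conf.
report_sample() {
    printf '%s\n' "$SAMPLE_LOG" | inetd_rate_check 3
}

report_sample
```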
473 |
</sect2> |
473 |
</sect2> |
474 |
</sect1> |
474 |
</sect1> |
475 |
|
475 |
|
476 |
<sect1 xml:id="network-nfs"> |
476 |
<sect1 xml:id="network-nfs"> |
477 |
<info> |
477 |
<info> |
478 |
<title>Network File System (NFS)</title> |
478 |
<title>Network File System (NFS)</title> |
479 |
|
479 |
|
480 |
<authorgroup> |
480 |
<authorgroup> |
481 |
<author> |
481 |
<author> |
482 |
<personname> |
482 |
<personname> |
483 |
<firstname>Tom</firstname> |
483 |
<firstname>Tom</firstname> |
484 |
<surname>Rhodes</surname> |
484 |
<surname>Rhodes</surname> |
485 |
</personname> |
485 |
</personname> |
486 |
<contrib>Reorganized and enhanced by </contrib> |
486 |
<contrib>Reorganized and enhanced by </contrib> |
487 |
</author> |
487 |
</author> |
488 |
</authorgroup> |
488 |
</authorgroup> |
489 |
|
489 |
|
490 |
<authorgroup> |
490 |
<authorgroup> |
491 |
<author> |
491 |
<author> |
492 |
<personname> |
492 |
<personname> |
493 |
<firstname>Bill</firstname> |
493 |
<firstname>Bill</firstname> |
494 |
<surname>Swingle</surname> |
494 |
<surname>Swingle</surname> |
495 |
</personname> |
495 |
</personname> |
496 |
<contrib>Written by </contrib> |
496 |
<contrib>Written by </contrib> |
497 |
</author> |
497 |
</author> |
498 |
</authorgroup> |
498 |
</authorgroup> |
499 |
</info> |
499 |
</info> |
500 |
|
500 |
|
501 |
<indexterm><primary>NFS</primary></indexterm> |
501 |
<indexterm><primary>NFS</primary></indexterm> |
502 |
<para>&os; supports the Network File System |
502 |
<para>&os; supports the Network File System |
503 |
(<acronym>NFS</acronym>), which allows a server to share |
503 |
(<acronym>NFS</acronym>), which allows a server to share |
504 |
directories and files with clients over a network. With |
504 |
directories and files with clients over a network. With |
505 |
<acronym>NFS</acronym>, users and programs can access files on |
505 |
<acronym>NFS</acronym>, users and programs can access files on |
506 |
remote systems as if they were stored locally.</para> |
506 |
remote systems as if they were stored locally.</para> |
507 |
|
507 |
|
508 |
<para><acronym>NFS</acronym> has many practical uses. Some of |
508 |
<para><acronym>NFS</acronym> has many practical uses. Some of |
509 |
the more common uses include:</para> |
509 |
the more common uses include:</para> |
510 |
|
510 |
|
511 |
<itemizedlist> |
511 |
<itemizedlist> |
512 |
<listitem> |
512 |
<listitem> |
513 |
<para>Data that would otherwise be duplicated on each client |
513 |
<para>Data that would otherwise be duplicated on each client |
514 |
can be kept in a single location and accessed by clients |
514 |
can be kept in a single location and accessed by clients |
515 |
on the network.</para> |
515 |
on the network.</para> |
516 |
</listitem> |
516 |
</listitem> |
517 |
|
517 |
|
518 |
<listitem> |
518 |
<listitem> |
519 |
<para>Several clients may need access to the |
519 |
<para>Several clients may need access to the |
520 |
<filename>/usr/ports/distfiles</filename> directory. |
520 |
<filename>/usr/ports/distfiles</filename> directory. |
521 |
Sharing that directory allows for quick access to the |
521 |
Sharing that directory allows for quick access to the |
522 |
source files without having to download them to each |
522 |
source files without having to download them to each |
523 |
client.</para> |
523 |
client.</para> |
524 |
</listitem> |
524 |
</listitem> |
525 |
|
525 |
|
526 |
<listitem> |
526 |
<listitem> |
527 |
<para>On large networks, it is often more convenient to |
527 |
<para>On large networks, it is often more convenient to |
528 |
configure a central <acronym>NFS</acronym> server on which |
528 |
configure a central <acronym>NFS</acronym> server on which |
529 |
all user home directories are stored. Users can log into |
529 |
all user home directories are stored. Users can log into |
530 |
a client anywhere on the network and have access to their |
530 |
a client anywhere on the network and have access to their |
531 |
home directories.</para> |
531 |
home directories.</para> |
532 |
</listitem> |
532 |
</listitem> |
533 |
|
533 |
|
534 |
<listitem> |
534 |
<listitem> |
535 |
<para>Administration of <acronym>NFS</acronym> exports is |
535 |
<para>Administration of <acronym>NFS</acronym> exports is |
536 |
simplified. For example, there is only one file system |
536 |
simplified. For example, there is only one file system |
537 |
where security or backup policies must be set.</para> |
537 |
where security or backup policies must be set.</para> |
538 |
</listitem> |
538 |
</listitem> |
539 |
|
539 |
|
540 |
<listitem> |
540 |
<listitem> |
541 |
<para>Removable media storage devices can be used by other |
541 |
<para>Removable media storage devices can be used by other |
542 |
machines on the network. This reduces the number of devices |
542 |
machines on the network. This reduces the number of devices |
543 |
throughout the network and provides a centralized location |
543 |
throughout the network and provides a centralized location |
544 |
to manage their security. It is often more convenient to |
544 |
to manage their security. It is often more convenient to |
545 |
install software on multiple machines from a centralized |
545 |
install software on multiple machines from a centralized |
546 |
installation media.</para> |
546 |
installation media.</para> |
547 |
</listitem> |
547 |
</listitem> |
548 |
</itemizedlist> |
548 |
</itemizedlist> |
549 |
|
549 |
|
550 |
<para><acronym>NFS</acronym> consists of a server and one or more |
550 |
<para><acronym>NFS</acronym> consists of a server and one or more |
551 |
clients. The client remotely accesses the data that is stored |
551 |
clients. The client remotely accesses the data that is stored |
552 |
on the server machine. In order for this to function properly, |
552 |
on the server machine. In order for this to function properly, |
553 |
a few processes have to be configured and running.</para> |
553 |
a few processes have to be configured and running.</para> |
554 |
|
554 |
|
555 |
<para>These daemons must be running on the server:</para> |
555 |
<para>These daemons must be running on the server:</para> |
556 |
<indexterm> |
556 |
<indexterm> |
557 |
<primary>NFS</primary> |
557 |
<primary>NFS</primary> |
558 |
<secondary>server</secondary> |
558 |
<secondary>server</secondary> |
559 |
</indexterm> |
559 |
</indexterm> |
560 |
<indexterm> |
560 |
<indexterm> |
561 |
<primary>file server</primary> |
561 |
<primary>file server</primary> |
562 |
<secondary>UNIX clients</secondary> |
562 |
<secondary>UNIX clients</secondary> |
563 |
</indexterm> |
563 |
</indexterm> |
564 |
|
564 |
|
565 |
<indexterm> |
565 |
<indexterm> |
566 |
<primary><application>rpcbind</application></primary> |
566 |
<primary><application>rpcbind</application></primary> |
567 |
</indexterm> |
567 |
</indexterm> |
568 |
<indexterm> |
568 |
<indexterm> |
569 |
<primary><application>mountd</application></primary> |
569 |
<primary><application>mountd</application></primary> |
570 |
</indexterm> |
570 |
</indexterm> |
571 |
<indexterm> |
571 |
<indexterm> |
572 |
<primary><application>nfsd</application></primary> |
572 |
<primary><application>nfsd</application></primary> |
573 |
</indexterm> |
573 |
</indexterm> |
574 |
|
574 |
|
575 |
<informaltable frame="none" pgwide="1"> |
575 |
<informaltable frame="none" pgwide="1"> |
576 |
<tgroup cols="2"> |
576 |
<tgroup cols="2"> |
577 |
<colspec colwidth="1*"/> |
577 |
<colspec colwidth="1*"/> |
578 |
<colspec colwidth="3*"/> |
578 |
<colspec colwidth="3*"/> |
579 |
|
579 |
|
580 |
<thead> |
580 |
<thead> |
581 |
<row> |
581 |
<row> |
582 |
<entry>Daemon</entry> |
582 |
<entry>Daemon</entry> |
583 |
<entry>Description</entry> |
583 |
<entry>Description</entry> |
584 |
</row> |
584 |
</row> |
585 |
</thead> |
585 |
</thead> |
586 |
|
586 |
|
587 |
<tbody> |
587 |
<tbody> |
588 |
<row> |
588 |
<row> |
589 |
<entry><application>nfsd</application></entry> |
589 |
<entry><application>nfsd</application></entry> |
590 |
<entry>The <acronym>NFS</acronym> daemon which services |
590 |
<entry>The <acronym>NFS</acronym> daemon which services |
591 |
requests from <acronym>NFS</acronym> clients.</entry> |
591 |
requests from <acronym>NFS</acronym> clients.</entry> |
592 |
</row> |
592 |
</row> |
593 |
|
593 |
|
594 |
<row> |
594 |
<row> |
595 |
<entry><application>mountd</application></entry> |
595 |
<entry><application>mountd</application></entry> |
596 |
<entry>The <acronym>NFS</acronym> mount daemon which |
596 |
<entry>The <acronym>NFS</acronym> mount daemon which |
597 |
carries out requests received from |
597 |
carries out requests received from |
598 |
<application>nfsd</application>.</entry> |
598 |
<application>nfsd</application>.</entry> |
599 |
</row> |
599 |
</row> |
600 |
|
600 |
|
601 |
<row> |
601 |
<row> |
602 |
<entry><application>rpcbind</application></entry> |
602 |
<entry><application>rpcbind</application></entry> |
603 |
<entry> This daemon allows <acronym>NFS</acronym> |
603 |
<entry> This daemon allows <acronym>NFS</acronym> |
604 |
clients to discover which port the |
604 |
clients to discover which port the |
605 |
<acronym>NFS</acronym> server is using.</entry> |
605 |
<acronym>NFS</acronym> server is using.</entry> |
606 |
</row> |
606 |
</row> |
607 |
</tbody> |
607 |
</tbody> |
608 |
</tgroup> |
608 |
</tgroup> |
609 |
</informaltable> |
609 |
</informaltable> |
610 |
|
610 |
|
611 |
<para>Running &man.nfsiod.8; on the client can improve |
611 |
<para>Running &man.nfsiod.8; on the client can improve |
612 |
performance, but is not required.</para> |
612 |
performance, but is not required.</para> |
613 |
|
613 |
|
614 |
<sect2 xml:id="network-configuring-nfs"> |
614 |
<sect2 xml:id="network-configuring-nfs"> |
615 |
<title>Configuring the Server</title> |
615 |
<title>Configuring the Server</title> |
616 |
|
616 |
|
617 |
<indexterm> |
617 |
<indexterm> |
618 |
<primary>NFS</primary> |
618 |
<primary>NFS</primary> |
619 |
<secondary>configuration</secondary> |
619 |
<secondary>configuration</secondary> |
620 |
</indexterm> |
620 |
</indexterm> |
621 |
|
621 |
|
622 |
<para>The file systems which the <acronym>NFS</acronym> server |
622 |
<para>The file systems which the <acronym>NFS</acronym> server |
623 |
will share are specified in <filename>/etc/exports</filename>. |
623 |
will share are specified in <filename>/etc/exports</filename>. |
624 |
Each line in this file specifies a file system to be exported, |
624 |
Each line in this file specifies a file system to be exported, |
625 |
which clients have access to that file system, and any access |
625 |
which clients have access to that file system, and any access |
626 |
options. When adding entries to this file, each exported file |
626 |
options. When adding entries to this file, each exported file |
627 |
system, its properties, and allowed hosts must occur on a |
627 |
system, its properties, and allowed hosts must occur on a |
628 |
single line. If no clients are listed in the entry, then any |
628 |
single line. If no clients are listed in the entry, then any |
629 |
client on the network can mount that file system.</para> |
629 |
client on the network can mount that file system.</para> |
630 |
|
630 |
|
631 |
<indexterm> |
631 |
<indexterm> |
632 |
<primary>NFS</primary> |
632 |
<primary>NFS</primary> |
633 |
<secondary>export examples</secondary> |
633 |
<secondary>export examples</secondary> |
634 |
</indexterm> |
634 |
</indexterm> |
635 |
|
635 |
|
636 |
<para>The following <filename>/etc/exports</filename> entries |
636 |
<para>The following <filename>/etc/exports</filename> entries |
637 |
demonstrate how to export file systems. The examples can be |
637 |
demonstrate how to export file systems. The examples can be |
638 |
modified to match the file systems and client names on the |
638 |
modified to match the file systems and client names on the |
639 |
reader's network. There are many options that can be used in |
639 |
reader's network. There are many options that can be used in |
640 |
this file, but only a few will be mentioned here. See |
640 |
this file, but only a few will be mentioned here. See |
641 |
&man.exports.5; for the full list of options.</para> |
641 |
&man.exports.5; for the full list of options.</para> |
642 |
|
642 |
|
643 |
<para>This example shows how to export |
643 |
<para>This example shows how to export |
644 |
<filename>/cdrom</filename> to three hosts named |
644 |
<filename>/cdrom</filename> to three hosts named |
645 |
<replaceable>alpha</replaceable>, |
645 |
<replaceable>alpha</replaceable>, |
646 |
<replaceable>bravo</replaceable>, and |
646 |
<replaceable>bravo</replaceable>, and |
647 |
<replaceable>charlie</replaceable>:</para> |
647 |
<replaceable>charlie</replaceable>:</para> |
648 |
|
648 |
|
649 |
<programlisting>/cdrom -ro <replaceable>alpha</replaceable> <replaceable>bravo</replaceable> <replaceable>charlie</replaceable></programlisting> |
649 |
<programlisting>/cdrom -ro <replaceable>alpha</replaceable> <replaceable>bravo</replaceable> <replaceable>charlie</replaceable></programlisting> |
650 |
|
650 |
|
651 |
<para>The <literal>-ro</literal> flag makes the file system |
651 |
<para>The <literal>-ro</literal> flag makes the file system |
652 |
read-only, preventing clients from making any changes to the |
652 |
read-only, preventing clients from making any changes to the |
653 |
exported file system. This example assumes that the host |
653 |
exported file system. This example assumes that the host |
654 |
names are either in <acronym>DNS</acronym> or in |
654 |
names are either in <acronym>DNS</acronym> or in |
655 |
<filename>/etc/hosts</filename>. Refer to &man.hosts.5; if |
655 |
<filename>/etc/hosts</filename>. Refer to &man.hosts.5; if |
656 |
the network does not have a <acronym>DNS</acronym> |
656 |
the network does not have a <acronym>DNS</acronym> |
657 |
server.</para> |
657 |
server.</para> |
658 |
|
658 |
|
659 |
<para>The next example exports <filename>/home</filename> to |
659 |
<para>The next example exports <filename>/home</filename> to |
660 |
three clients by <acronym>IP</acronym> address. This can be |
660 |
three clients by <acronym>IP</acronym> address. This can be |
661 |
useful for networks without <acronym>DNS</acronym> or |
661 |
useful for networks without <acronym>DNS</acronym> or |
662 |
<filename>/etc/hosts</filename> entries. The |
662 |
<filename>/etc/hosts</filename> entries. The |
663 |
<literal>-alldirs</literal> flag allows subdirectories to be |
663 |
<literal>-alldirs</literal> flag allows subdirectories to be |
664 |
mount points. In other words, it will not automatically mount |
664 |
mount points. In other words, it will not automatically mount |
665 |
the subdirectories, but will permit the client to mount the |
665 |
the subdirectories, but will permit the client to mount the |
666 |
directories that are required as needed.</para> |
666 |
directories that are required as needed.</para> |
667 |
|
667 |
|
668 |
<programlisting>/usr/home -alldirs 10.0.0.2 10.0.0.3 10.0.0.4</programlisting> |
668 |
<programlisting>/usr/home -alldirs 10.0.0.2 10.0.0.3 10.0.0.4</programlisting> |
669 |
|
669 |
|
670 |
<para>This next example exports <filename>/a</filename> so that |
670 |
<para>This next example exports <filename>/a</filename> so that |
671 |
two clients from different domains may access that file |
671 |
two clients from different domains may access that file |
672 |
system. The <option>-maproot=root</option> allows <systemitem |
672 |
system. The <option>-maproot=root</option> allows <systemitem |
673 |
class="username">root</systemitem> on the remote system to |
673 |
class="username">root</systemitem> on the remote system to |
674 |
write data on the exported file system as <systemitem |
674 |
write data on the exported file system as <systemitem |
675 |
class="username">root</systemitem>. If |
675 |
class="username">root</systemitem>. If |
676 |
<literal>-maproot=root</literal> is not specified, the |
676 |
<literal>-maproot=root</literal> is not specified, the |
677 |
client's <systemitem class="username">root</systemitem> user |
677 |
client's <systemitem class="username">root</systemitem> user |
678 |
will be mapped to the server's <systemitem |
678 |
will be mapped to the server's <systemitem |
679 |
class="username">nobody</systemitem> account and will be |
679 |
class="username">nobody</systemitem> account and will be |
680 |
subject to the access limitations defined for <systemitem |
680 |
subject to the access limitations defined for <systemitem |
681 |
class="username">nobody</systemitem>.</para> |
681 |
class="username">nobody</systemitem>.</para> |
682 |
|
682 |
|
683 |
<programlisting>/a -maproot=root host.example.com box.example.org</programlisting> |
683 |
<programlisting>/a -maproot=root host.example.com box.example.org</programlisting> |
684 |
|
684 |
|
685 |
<para>A client can only be specified once per file system. For |
685 |
<para>A client can only be specified once per file system. For |
686 |
example, if <filename>/usr</filename> is a single file system, |
686 |
example, if <filename>/usr</filename> is a single file system, |
687 |
these entries would be invalid as both entries specify the |
687 |
these entries would be invalid as both entries specify the |
688 |
same host:</para> |
688 |
same host:</para> |
689 |
|
689 |
|
690 |
<programlisting># Invalid when /usr is one file system |
690 |
<programlisting># Invalid when /usr is one file system |
691 |
/usr/src client |
691 |
/usr/src client |
692 |
/usr/ports client</programlisting> |
692 |
/usr/ports client</programlisting> |
693 |
|
693 |
|
694 |
<para>The correct format for this situation is to use one |
694 |
<para>The correct format for this situation is to use one |
695 |
entry:</para> |
695 |
entry:</para> |
696 |
|
696 |
|
697 |
<programlisting>/usr/src /usr/ports client</programlisting> |
697 |
<programlisting>/usr/src /usr/ports client</programlisting> |
698 |
|
698 |
|
699 |
<para>The following is an example of a valid export list, where |
699 |
<para>The following is an example of a valid export list, where |
700 |
<filename>/usr</filename> and <filename>/exports</filename> |
700 |
<filename>/usr</filename> and <filename>/exports</filename> |
701 |
are local file systems:</para> |
701 |
are local file systems:</para> |
702 |
|
702 |
|
703 |
<programlisting># Export src and ports to client01 and client02, but only |
703 |
<programlisting># Export src and ports to client01 and client02, but only |
704 |
# client01 has root privileges on it |
704 |
# client01 has root privileges on it |
705 |
/usr/src /usr/ports -maproot=root client01 |
705 |
/usr/src /usr/ports -maproot=root client01 |
706 |
/usr/src /usr/ports client02 |
706 |
/usr/src /usr/ports client02 |
707 |
# The client machines have root and can mount anywhere |
707 |
# The client machines have root and can mount anywhere |
708 |
# on /exports. Anyone in the world can mount /exports/obj read-only |
708 |
# on /exports. Anyone in the world can mount /exports/obj read-only |
709 |
/exports -alldirs -maproot=root client01 client02 |
709 |
/exports -alldirs -maproot=root client01 client02 |
710 |
/exports/obj -ro</programlisting> |
710 |
/exports/obj -ro</programlisting> |
711 |
|
711 |
|
712 |
<para>To enable the processes required by the |
712 |
<para>To enable the processes required by the |
713 |
<acronym>NFS</acronym> server at boot time, add these options |
713 |
<acronym>NFS</acronym> server at boot time, add these options |
714 |
to <filename>/etc/rc.conf</filename>:</para> |
714 |
to <filename>/etc/rc.conf</filename>:</para> |
715 |
|
715 |
|
716 |
<programlisting>rpcbind_enable="YES" |
716 |
<programlisting>rpcbind_enable="YES" |
717 |
nfs_server_enable="YES" |
717 |
nfs_server_enable="YES" |
718 |
mountd_flags="-r"</programlisting> |
718 |
mountd_flags="-r"</programlisting> |
719 |
|
719 |
|
720 |
<para>The server can be started now by running this |
720 |
<para>The server can be started now by running this |
721 |
command:</para> |
721 |
command:</para> |
722 |
|
722 |
|
723 |
<screen>&prompt.root; <userinput>service nfsd start</userinput></screen> |
723 |
<screen>&prompt.root; <userinput>service nfsd start</userinput></screen> |
724 |
|
724 |
|
725 |
<para>Whenever the <acronym>NFS</acronym> server is started, |
725 |
<para>Whenever the <acronym>NFS</acronym> server is started, |
726 |
<application>mountd</application> also starts automatically. |
726 |
<application>mountd</application> also starts automatically. |
727 |
However, <application>mountd</application> only reads |
727 |
However, <application>mountd</application> only reads |
728 |
<filename>/etc/exports</filename> when it is started. To make |
728 |
<filename>/etc/exports</filename> when it is started. To make |
729 |
subsequent <filename>/etc/exports</filename> edits take effect |
729 |
subsequent <filename>/etc/exports</filename> edits take effect |
730 |
immediately, force <application>mountd</application> to reread |
730 |
immediately, force <application>mountd</application> to reread |
731 |
it:</para> |
731 |
it:</para> |
732 |
|
732 |
|
733 |
<screen>&prompt.root; <userinput>service mountd reload</userinput></screen> |
733 |
<screen>&prompt.root; <userinput>service mountd reload</userinput></screen> |
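      <para>The following script is an added example, not code from
        the Handbook: before reloading
        <application>mountd</application>, it reads an
        <filename>/etc/exports</filename> file and reports the three
        conditions described above, namely entries with no client
        list, <option>-maproot=root</option> on an export that is not
        read-only, and a client named twice for the same file system.
        It is a simplified reader of the &man.exports.5; line format,
        and the mount point list, the sample entries and the two
        deliberately wrong lines are constructed for the
        example.</para>

```shell
#!/bin/sh
# Added example, not code from the Handbook: audit exports(5) entries read on
# stdin. Simplified line grammar: tokens starting with "/" are paths, tokens
# starting with "-" are options, everything else is a client; see exports(5)
# for the full syntax (this reader only looks at -ro, -maproot= and -network=).
# Usage: exports_audit "MOUNTPOINTS"
# MOUNTPOINTS is a space-separated list of local file systems; each exported
# path is mapped to its longest matching mount point so that a client named
# twice for the same file system can be detected.
exports_audit() {
    mounts=$1
    awk -v mounts="$mounts" '
    BEGIN { nm = split(mounts, mp, " ") }
    # Longest local mount point containing path, "/" if none matches.
    function fsof(path,    i, m, best) {
        best = "/"
        for (i = nm; i > 0; i--) {
            m = mp[i]
            if (m == "/") continue
            if (path == m || substr(path, 1, length(m) + 1) == (m "/"))
                if (length(m) > length(best)) best = m
        }
        return best
    }
    function report(level, msg) { printf "%s line %d: %s\n", level, NR, msg }
    /^[ \t]*(#|$)/ { next }                  # comments and blank lines
    {
        nhosts = 0; ro = 0; maproot = ""
        split("", fsl)                       # file systems named on this line
        for (i = NF; i > 0; i--) {
            tok = $i
            if (substr(tok, 1, 1) == "/")              fsl[fsof(tok)] = 1
            else if (tok == "-ro")                     ro = 1
            else if (substr(tok, 1, 9) == "-maproot=") maproot = substr(tok, 10)
            else if (substr(tok, 1, 9) == "-network=") hosts[++nhosts] = tok
            else if (substr(tok, 1, 1) != "-")         hosts[++nhosts] = tok
            # any other -option is accepted without inspection
        }
        if (nhosts == 0)
            report("WARN", "no clients listed, any host on the network may mount")
        if (maproot == "root" || maproot == "0")
            if (!ro) report("WARN", "-maproot=root without -ro, remote root may write as root")
        for (fs in fsl)
            for (h = nhosts; h > 0; h--) {
                key = fs SUBSEP hosts[h]
                if (key in first) {
                    if (first[key] != NR)
                        report("ERROR", hosts[h] " already listed for file system " fs " on line " first[key])
                } else first[key] = NR
            }
    }'
}

# Constructed sample: the first four entries are the valid list from the text
# (/usr and /exports are local file systems); the last two are deliberate
# mistakes, a duplicate client for /usr and an unrestricted root export.
SAMPLE_EXPORTS='/usr/src /usr/ports -maproot=root client01
/usr/src /usr/ports client02
/exports -alldirs -maproot=root client01 client02
/exports/obj -ro
# deliberate mistakes follow
/usr/src client02
/scratch -maproot=root'

audit_sample() {
    printf '%s\n' "$SAMPLE_EXPORTS" | exports_audit "/ /usr /exports /scratch"
}

# On a live server (FreeBSD mount output assumed, mount point in column 3):
#   cat /etc/exports | exports_audit "$(mount | awk '{ print $3 }')"
audit_sample
```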
734 |
</sect2> |
734 |
</sect2> |
735 |
|
735 |
|
736 |
<sect2> |
736 |
<sect2> |
737 |
<title>Configuring the Client</title> |
737 |
<title>Configuring the Client</title> |
738 |
|
738 |
|
739 |
<para>To enable <acronym>NFS</acronym> clients, set this option |
739 |
<para>To enable <acronym>NFS</acronym> clients, set this option |
740 |
in each client's <filename>/etc/rc.conf</filename>:</para> |
740 |
in each client's <filename>/etc/rc.conf</filename>:</para> |
741 |
|
741 |
|
742 |
<programlisting>nfs_client_enable="YES"</programlisting> |
742 |
<programlisting>nfs_client_enable="YES"</programlisting> |
743 |
|
743 |
|
744 |
<para>Then, run this command on each <acronym>NFS</acronym> |
744 |
<para>Then, run this command on each <acronym>NFS</acronym> |
745 |
client:</para> |
745 |
client:</para> |
746 |
|
746 |
|
747 |
<screen>&prompt.root; <userinput>service nfsclient start</userinput></screen> |
747 |
<screen>&prompt.root; <userinput>service nfsclient start</userinput></screen> |
748 |
|
748 |
|
749 |
<para>The client now has everything it needs to mount a remote |
749 |
<para>The client now has everything it needs to mount a remote |
750 |
file system. In these examples, the server's name is |
750 |
file system. In these examples, the server's name is |
751 |
<systemitem>server</systemitem> and the client's name is |
751 |
<systemitem>server</systemitem> and the client's name is |
752 |
<systemitem>client</systemitem>. To mount |
752 |
<systemitem>client</systemitem>. To mount |
753 |
<filename>/home</filename> on |
753 |
<filename>/home</filename> on |
754 |
<systemitem>server</systemitem> to the |
754 |
<systemitem>server</systemitem> to the |
755 |
<filename>/mnt</filename> mount point on |
755 |
<filename>/mnt</filename> mount point on |
756 |
<systemitem>client</systemitem>:</para> |
756 |
<systemitem>client</systemitem>:</para> |
757 |
|
757 |
|
758 |
<indexterm> |
758 |
<indexterm> |
759 |
<primary>NFS</primary> |
759 |
<primary>NFS</primary> |
760 |
<secondary>mounting</secondary> |
760 |
<secondary>mounting</secondary> |
761 |
</indexterm> |
761 |
</indexterm> |
762 |
<screen>&prompt.root; <userinput>mount server:/home /mnt</userinput></screen> |
762 |
<screen>&prompt.root; <userinput>mount server:/home /mnt</userinput></screen> |
763 |
|
763 |
|
764 |
<para>The files and directories in |
764 |
<para>The files and directories in |
765 |
<filename>/home</filename> will now be available on |
765 |
<filename>/home</filename> will now be available on |
766 |
<systemitem>client</systemitem>, in the |
766 |
<systemitem>client</systemitem>, in the |
767 |
<filename>/mnt</filename> directory.</para> |
767 |
<filename>/mnt</filename> directory.</para> |
768 |
|
768 |
|
769 |
<para>To mount a remote file system each time the client boots, |
769 |
<para>To mount a remote file system each time the client boots, |
770 |
add it to <filename>/etc/fstab</filename>:</para> |
770 |
add it to <filename>/etc/fstab</filename>:</para> |
771 |
|
771 |
|
772 |
<programlisting>server:/home /mnt nfs rw 0 0</programlisting> |
772 |
<programlisting>server:/home /mnt nfs rw 0 0</programlisting> |
773 |
|
773 |
|
774 |
<para>Refer to &man.fstab.5; for a description of all available |
774 |
<para>Refer to &man.fstab.5; for a description of all available |
775 |
options.</para> |
775 |
options.</para> |
776 |
</sect2> |
776 |
</sect2> |
777 |
|
777 |
|
778 |
<sect2> |
778 |
<sect2> |
779 |
<title>Locking</title> |
779 |
<title>Locking</title> |
780 |
|
780 |
|
781 |
<para>Some applications require file locking to operate |
781 |
<para>Some applications require file locking to operate |
782 |
correctly. To enable locking, add these lines to |
782 |
correctly. To enable locking, add these lines to |
783 |
<filename>/etc/rc.conf</filename> on both the client and |
783 |
<filename>/etc/rc.conf</filename> on both the client and |
784 |
server:</para> |
784 |
server:</para> |
785 |
|
785 |
|
786 |
<programlisting>rpc_lockd_enable="YES" |
786 |
<programlisting>rpc_lockd_enable="YES" |
787 |
rpc_statd_enable="YES"</programlisting> |
787 |
rpc_statd_enable="YES"</programlisting> |
788 |
|
788 |
|
789 |
<para>Then start the applications:</para> |
789 |
<para>Then start the applications:</para> |
790 |
|
790 |
|
791 |
<screen>&prompt.root; <userinput>service lockd start</userinput> |
791 |
<screen>&prompt.root; <userinput>service lockd start</userinput> |
792 |
&prompt.root; <userinput>service statd start</userinput></screen> |
792 |
&prompt.root; <userinput>service statd start</userinput></screen> |
793 |
|
793 |
|
794 |
<para>If locking is not required on the server, the |
794 |
<para>If locking is not required on the server, the |
795 |
<acronym>NFS</acronym> client can be configured to lock |
795 |
<acronym>NFS</acronym> client can be configured to lock |
796 |
locally by including <option>-L</option> when running |
796 |
locally by including <option>-L</option> when running |
797 |
<application>mount</application>. Refer to &man.mount.nfs.8; |
797 |
<application>mount</application>. Refer to &man.mount.nfs.8; |
798 |
for further details.</para> |
798 |
for further details.</para> |
799 |
</sect2> |
799 |
</sect2> |
800 |
|
800 |
|
801 |
<sect2 xml:id="network-amd"> |
801 |
<sect2 xml:id="network-amd"> |
802 |
<info> |
802 |
<info> |
803 |
<title>Automating Mounts with &man.amd.8;</title> |
803 |
<title>Automating Mounts with &man.amd.8;</title> |
804 |
|
804 |
|
805 |
<authorgroup> |
805 |
<authorgroup> |
806 |
<author> |
806 |
<author> |
807 |
<personname> |
807 |
<personname> |
808 |
<firstname>Wylie</firstname> |
808 |
<firstname>Wylie</firstname> |
809 |
<surname>Stilwell</surname> |
809 |
<surname>Stilwell</surname> |
810 |
</personname> |
810 |
</personname> |
811 |
<contrib>Contributed by </contrib> |
811 |
<contrib>Contributed by </contrib> |
812 |
</author> |
812 |
</author> |
813 |
</authorgroup> |
813 |
</authorgroup> |
814 |
|
814 |
|
815 |
<authorgroup> |
815 |
<authorgroup> |
816 |
<author> |
816 |
<author> |
817 |
<personname> |
817 |
<personname> |
818 |
<firstname>Chern</firstname> |
818 |
<firstname>Chern</firstname> |
819 |
<surname>Lee</surname> |
819 |
<surname>Lee</surname> |
820 |
</personname> |
820 |
</personname> |
821 |
<contrib>Rewritten by </contrib> |
821 |
<contrib>Rewritten by </contrib> |
822 |
</author> |
822 |
</author> |
823 |
</authorgroup> |
823 |
</authorgroup> |
824 |
</info> |
824 |
</info> |
825 |
|
825 |
|
826 |
<indexterm><primary>amd</primary></indexterm> |
826 |
<indexterm><primary>amd</primary></indexterm> |
827 |
<indexterm> |
827 |
<indexterm> |
828 |
<primary>automatic mounter daemon</primary> |
828 |
<primary>automatic mounter daemon</primary> |
829 |
</indexterm> |
829 |
</indexterm> |
830 |
|
830 |
|
831 |
<para>The automatic mounter daemon, |
831 |
<para>The automatic mounter daemon, |
832 |
<application>amd</application>, automatically mounts a remote |
832 |
<application>amd</application>, automatically mounts a remote |
833 |
file system whenever a file or directory within that file |
833 |
file system whenever a file or directory within that file |
834 |
system is accessed. File systems that are inactive for a |
834 |
system is accessed. File systems that are inactive for a |
835 |
period of time will be automatically unmounted by |
835 |
period of time will be automatically unmounted by |
836 |
<application>amd</application>.</para> |
836 |
<application>amd</application>.</para> |
837 |
|
837 |
|
838 |
<para>This daemon provides an alternative to modifying |
838 |
<para>This daemon provides an alternative to modifying |
839 |
<filename>/etc/fstab</filename> to list every client. It |
839 |
<filename>/etc/fstab</filename> to list every client. It |
840 |
operates by attaching itself as an <acronym>NFS</acronym> |
840 |
operates by attaching itself as an <acronym>NFS</acronym> |
841 |
server to the <filename>/host</filename> and |
841 |
server to the <filename>/host</filename> and |
842 |
<filename>/net</filename> directories. When a file is |
842 |
<filename>/net</filename> directories. When a file is |
843 |
accessed within one of these directories, |
843 |
accessed within one of these directories, |
844 |
<application>amd</application> looks up the corresponding |
844 |
<application>amd</application> looks up the corresponding |
845 |
remote mount and automatically mounts it. |
845 |
remote mount and automatically mounts it. |
846 |
<filename>/net</filename> is used to mount an exported file |
846 |
<filename>/net</filename> is used to mount an exported file |
847 |
system from an <acronym>IP</acronym> address while |
847 |
system from an <acronym>IP</acronym> address while |
848 |
<filename>/host</filename> is used to mount an export from a |
848 |
<filename>/host</filename> is used to mount an export from a |
849 |
remote hostname. For instance, an attempt to access a file |
849 |
remote hostname. For instance, an attempt to access a file |
850 |
within <filename>/host/foobar/usr</filename> would tell |
850 |
within <filename>/host/foobar/usr</filename> would tell |
851 |
<application>amd</application> to mount the |
851 |
<application>amd</application> to mount the |
852 |
<filename>/usr</filename> export on the host |
852 |
<filename>/usr</filename> export on the host |
853 |
<systemitem>foobar</systemitem>.</para> |
853 |
<systemitem>foobar</systemitem>.</para> |
854 |
|
854 |
|
855 |
<example> |
855 |
<example> |
856 |
<title>Mounting an Export with |
856 |
<title>Mounting an Export with |
857 |
<application>amd</application></title> |
857 |
<application>amd</application></title> |
858 |
|
858 |
|
859 |
<para>In this example, <command>showmount -e</command> shows |
859 |
<para>In this example, <command>showmount -e</command> shows |
860 |
the exported file systems that can be mounted from the |
860 |
the exported file systems that can be mounted from the |
861 |
<acronym>NFS</acronym> server, |
861 |
<acronym>NFS</acronym> server, |
862 |
<systemitem>foobar</systemitem>:</para> |
862 |
<systemitem>foobar</systemitem>:</para> |
863 |
|
863 |
|
864 |
<screen>&prompt.user; <userinput>showmount -e foobar</userinput> |
864 |
<screen>&prompt.user; <userinput>showmount -e foobar</userinput> |
865 |
Exports list on foobar: |
865 |
Exports list on foobar: |
866 |
/usr 10.10.10.0 |
866 |
/usr 10.10.10.0 |
867 |
/a 10.10.10.0 |
867 |
/a 10.10.10.0 |
868 |
&prompt.user; <userinput>cd /host/foobar/usr</userinput></screen> |
868 |
&prompt.user; <userinput>cd /host/foobar/usr</userinput></screen> |
869 |
</example> |
869 |
</example> |
870 |
|
870 |
|
871 |
<para>The output from <command>showmount</command> shows |
871 |
<para>The output from <command>showmount</command> shows |
872 |
<filename>/usr</filename> as an export. When changing |
872 |
<filename>/usr</filename> as an export. When changing |
873 |
directories to <filename>/host/foobar/usr</filename>, |
873 |
directories to <filename>/host/foobar/usr</filename>, |
874 |
<application>amd</application> intercepts the request and |
874 |
<application>amd</application> intercepts the request and |
875 |
attempts to resolve the hostname |
875 |
attempts to resolve the hostname |
876 |
<systemitem>foobar</systemitem>. If successful, |
876 |
<systemitem>foobar</systemitem>. If successful, |
877 |
<application>amd</application> automatically mounts the |
877 |
<application>amd</application> automatically mounts the |
878 |
desired export.</para> |
878 |
desired export.</para> |
879 |
|
879 |
|
880 |
<para>To enable <application>amd</application> at boot time, add |
880 |
<para>To enable <application>amd</application> at boot time, add |
881 |
this line to <filename>/etc/rc.conf</filename>:</para> |
881 |
this line to <filename>/etc/rc.conf</filename>:</para> |
882 |
|
882 |
|
883 |
<programlisting>amd_enable="YES"</programlisting> |
883 |
<programlisting>amd_enable="YES"</programlisting> |
884 |
|
884 |
|
885 |
<para>To start <application>amd</application> now:</para> |
885 |
<para>To start <application>amd</application> now:</para> |
886 |
|
886 |
|
887 |
<screen>&prompt.root; <userinput>service amd start</userinput></screen> |
887 |
<screen>&prompt.root; <userinput>service amd start</userinput></screen> |
888 |
|
888 |
|
889 |
<para>Custom flags can be passed to |
889 |
<para>Custom flags can be passed to |
890 |
<application>amd</application> from the |
890 |
<application>amd</application> from the |
891 |
<varname>amd_flags</varname> environment variable. By |
891 |
<varname>amd_flags</varname> environment variable. By |
892 |
default, <varname>amd_flags</varname> is set to:</para> |
892 |
default, <varname>amd_flags</varname> is set to:</para> |
893 |
|
893 |
|
894 |
<programlisting>amd_flags="-a /.amd_mnt -l syslog /host /etc/amd.map /net /etc/amd.map"</programlisting> |
894 |
<programlisting>amd_flags="-a /.amd_mnt -l syslog /host /etc/amd.map /net /etc/amd.map"</programlisting> |
895 |
|
895 |
|
896 |
<para>The default options with which exports are mounted are |
896 |
<para>The default options with which exports are mounted are |
897 |
defined in <filename>/etc/amd.map</filename>. Some of the |
897 |
defined in <filename>/etc/amd.map</filename>. Some of the |
898 |
more advanced features of <application>amd</application> are |
898 |
more advanced features of <application>amd</application> are |
899 |
defined in <filename>/etc/amd.conf</filename>.</para> |
899 |
defined in <filename>/etc/amd.conf</filename>.</para> |
900 |
|
900 |
|
901 |
<para>Consult &man.amd.8; and &man.amd.conf.5; for more |
901 |
<para>Consult &man.amd.8; and &man.amd.conf.5; for more |
902 |
information.</para> |
902 |
information.</para> |
903 |
</sect2> |
903 |
</sect2> |
904 |
|
904 |
|
905 |
<sect2 xml:id="network-autofs"> |
905 |
<sect2 xml:id="network-autofs"> |
906 |
<title>Automating Mounts with &man.autofs.5;</title> |
906 |
<title>Automating Mounts with &man.autofs.5;</title> |
907 |
|
907 |
|
908 |
<note> |
908 |
<note> |
909 |
<para>The &man.autofs.5; automount facility is supported |
909 |
<para>The &man.autofs.5; automount facility is supported |
910 |
starting with &os; 10.1-RELEASE. To use the |
910 |
starting with &os; 10.1-RELEASE. To use the |
911 |
automounter functionality in older versions of &os;, use |
911 |
automounter functionality in older versions of &os;, use |
912 |
&man.amd.8; instead. This chapter only describes the |
912 |
&man.amd.8; instead. This chapter only describes the |
913 |
&man.autofs.5; automounter.</para> |
913 |
&man.autofs.5; automounter.</para> |
914 |
</note> |
914 |
</note> |
915 |
|
915 |
|
916 |
|
916 |
|
917 |
<indexterm><primary>autofs</primary></indexterm> |
917 |
<indexterm><primary>autofs</primary></indexterm> |
918 |
<indexterm> |
918 |
<indexterm> |
919 |
<primary>automounter subsystem</primary> |
919 |
<primary>automounter subsystem</primary> |
920 |
</indexterm> |
920 |
</indexterm> |
921 |
|
921 |
|
922 |
<para>The &man.autofs.5; facility is a common name for several |
922 |
<para>The &man.autofs.5; facility is a common name for several |
923 |
components that, together, allow for automatic mounting of |
923 |
components that, together, allow for automatic mounting of |
924 |
remote and local filesystems whenever a file or directory |
924 |
remote and local filesystems whenever a file or directory |
925 |
within that file system is accessed. It consists of the |
925 |
within that file system is accessed. It consists of the |
926 |
kernel component, &man.autofs.5;, and several userspace |
926 |
kernel component, &man.autofs.5;, and several userspace |
927 |
applications: &man.automount.8;, &man.automountd.8; and |
927 |
applications: &man.automount.8;, &man.automountd.8; and |
928 |
&man.autounmountd.8;. It serves as an alternative for |
928 |
&man.autounmountd.8;. It serves as an alternative for |
929 |
&man.amd.8; from previous &os; releases. Amd is still |
929 |
&man.amd.8; from previous &os; releases. Amd is still |
930 |
provided for backward compatibility purposes, as the two use |
930 |
provided for backward compatibility purposes, as the two use |
931 |
different map format; the one used by autofs is the same as |
931 |
different map format; the one used by autofs is the same as |
932 |
with other SVR4 automounters, such as the ones in Solaris, |
932 |
with other SVR4 automounters, such as the ones in Solaris, |
933 |
MacOS X, and Linux.</para> |
933 |
MacOS X, and Linux.</para> |
934 |
|
934 |
|
935 |
<para>The &man.autofs.5; virtual filesystem is mounted on |
935 |
<para>The &man.autofs.5; virtual filesystem is mounted on |
936 |
specified mountpoints by &man.automount.8;, usually invoked |
936 |
specified mountpoints by &man.automount.8;, usually invoked |
937 |
during boot.</para> |
937 |
during boot.</para> |
938 |
|
938 |
|
939 |
<para>Whenever a process attempts to access file within the |
939 |
<para>Whenever a process attempts to access file within the |
940 |
&man.autofs.5; mountpoint, the kernel will notify |
940 |
&man.autofs.5; mountpoint, the kernel will notify |
941 |
&man.automountd.8; daemon and pause the triggering process. |
941 |
&man.automountd.8; daemon and pause the triggering process. |
942 |
The &man.automountd.8; daemon will handle kernel requests by |
942 |
The &man.automountd.8; daemon will handle kernel requests by |
943 |
finding the proper map and mounting the filesystem according |
943 |
finding the proper map and mounting the filesystem according |
944 |
to it, then signal the kernel to release blocked process. The |
944 |
to it, then signal the kernel to release blocked process. The |
945 |
&man.autounmountd.8; daemon automatically unmounts automounted |
945 |
&man.autounmountd.8; daemon automatically unmounts automounted |
946 |
filesystems after some time, unless they are still being |
946 |
filesystems after some time, unless they are still being |
947 |
used.</para> |
947 |
used.</para> |
948 |
|
948 |
|
949 |
<para>The primary autofs configuration file is |
949 |
<para>The primary autofs configuration file is |
950 |
<filename>/etc/auto_master</filename>. It assigns individual |
950 |
<filename>/etc/auto_master</filename>. It assigns individual |
951 |
maps to top-level mounts. For an explanation of |
951 |
maps to top-level mounts. For an explanation of |
952 |
<filename>auto_master</filename> and the map syntax, refer to |
952 |
<filename>auto_master</filename> and the map syntax, refer to |
953 |
&man.auto.master.5;.</para> |
953 |
&man.auto.master.5;.</para> |
954 |
|
954 |
|
955 |
<para>There is a special automounter map mounted on |
955 |
<para>There is a special automounter map mounted on |
956 |
<filename>/net</filename>. When a file is accessed within |
956 |
<filename>/net</filename>. When a file is accessed within |
957 |
this directory, &man.autofs.5; looks up the corresponding |
957 |
this directory, &man.autofs.5; looks up the corresponding |
958 |
remote mount and automatically mounts it. For instance, an |
958 |
remote mount and automatically mounts it. For instance, an |
959 |
attempt to access a file within |
959 |
attempt to access a file within |
960 |
<filename>/net/foobar/usr</filename> would tell |
960 |
<filename>/net/foobar/usr</filename> would tell |
961 |
&man.automountd.8; to mount the <filename |
961 |
&man.automountd.8; to mount the <filename |
962 |
>/usr</filename> export from the host |
962 |
>/usr</filename> export from the host |
963 |
<systemitem class="fqdomainname">foobar</systemitem>.</para> |
963 |
<systemitem class="fqdomainname">foobar</systemitem>.</para> |
964 |
|
964 |
|
965 |
<example> |
965 |
<example> |
966 |
<title>Mounting an Export with &man.autofs.5;</title> |
966 |
<title>Mounting an Export with &man.autofs.5;</title> |
967 |
|
967 |
|
968 |
<para>In this example, <command>showmount -e</command> shows |
968 |
<para>In this example, <command>showmount -e</command> shows |
969 |
the exported file systems that can be mounted from the |
969 |
the exported file systems that can be mounted from the |
970 |
<acronym>NFS</acronym> server, |
970 |
<acronym>NFS</acronym> server, |
971 |
<systemitem class="fqdomainname">foobar</systemitem>:</para> |
971 |
<systemitem class="fqdomainname">foobar</systemitem>:</para> |
972 |
|
972 |
|
973 |
<screen>&prompt.user; <userinput>showmount -e foobar</userinput> |
973 |
<screen>&prompt.user; <userinput>showmount -e foobar</userinput> |
974 |
Exports list on foobar: |
974 |
Exports list on foobar: |
975 |
/usr 10.10.10.0 |
975 |
/usr 10.10.10.0 |
976 |
/a 10.10.10.0 |
976 |
/a 10.10.10.0 |
977 |
&prompt.user; <userinput>cd /net/foobar/usr</userinput></screen> |
977 |
&prompt.user; <userinput>cd /net/foobar/usr</userinput></screen> |
978 |
</example> |
978 |
</example> |
979 |
|
979 |
|
980 |
<para>The output from <command>showmount</command> shows |
980 |
<para>The output from <command>showmount</command> shows |
981 |
<filename>/usr</filename> as an export. |
981 |
<filename>/usr</filename> as an export. |
982 |
When changing directories to <filename |
982 |
When changing directories to <filename |
983 |
>/host/foobar/usr</filename>, |
983 |
>/host/foobar/usr</filename>, |
984 |
&man.automountd.8; intercepts the request and attempts to |
984 |
&man.automountd.8; intercepts the request and attempts to |
985 |
resolve the hostname <systemitem |
985 |
resolve the hostname <systemitem |
986 |
class="fqdomainname">foobar</systemitem>. If successful, |
986 |
class="fqdomainname">foobar</systemitem>. If successful, |
987 |
&man.automountd.8; automatically mounts the source |
987 |
&man.automountd.8; automatically mounts the source |
988 |
export.</para> |
988 |
export.</para> |
989 |
|
989 |
|
990 |
<para>To enable &man.autofs.5; at boot time, add this line to |
990 |
<para>To enable &man.autofs.5; at boot time, add this line to |
991 |
<filename>/etc/rc.conf</filename>:</para> |
991 |
<filename>/etc/rc.conf</filename>:</para> |
992 |
|
992 |
|
993 |
<programlisting>autofs_enable="YES"</programlisting> |
993 |
<programlisting>autofs_enable="YES"</programlisting> |
994 |
|
994 |
|
995 |
<para>Then &man.autofs.5; can be started by running:</para> |
995 |
<para>Then &man.autofs.5; can be started by running:</para> |
996 |
|
996 |
|
997 |
<screen>&prompt.root; <userinput>service automount start</userinput> |
997 |
<screen>&prompt.root; <userinput>service automount start</userinput> |
998 |
&prompt.root; <userinput>service automountd start</userinput> |
998 |
&prompt.root; <userinput>service automountd start</userinput> |
999 |
&prompt.root; <userinput>service autounmountd start</userinput></screen> |
999 |
&prompt.root; <userinput>service autounmountd start</userinput></screen> |
1000 |
|
1000 |
|
1001 |
<para>The &man.autofs.5; map format is the same as in other |
1001 |
<para>The &man.autofs.5; map format is the same as in other |
1002 |
operating systems. Information about this format from other |
1002 |
operating systems, it might be desirable to consult |
1003 |
sources can be useful, like the <link |
1003 |
information from other operating systems, such as the <link |
1004 |
xlink:href="http://web.archive.org/web/20160813071113/http://images.apple.com/business/docs/Autofs.pdf">Mac |
1004 |
xlink:href="http://images.apple.com/business/docs/Autofs.pdf">Mac |
1005 |
OS X document</link>.</para> |
1005 |
OS X document</link>.</para> |
1006 |
|
1006 |
|
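Review bot: the changed paragraph beginning "The &man.autofs.5; map format is the same as in other operating systems" alters both the sentence wording and the link target in one swap, and the two sides are not equivalent: "operating systems, it might be desirable to consult information from other operating systems, such as the <link ...>" is a comma splice that repeats "other operating systems", while the other side reads "operating systems. Information about this format from other sources can be useful, like the <link ...>" and points at the web.archive.org copy of Autofs.pdf rather than the live images.apple.com URL. Whichever direction the change is meant to go, the result should keep the two-sentence wording together with the archived link, and the wording fix and the link fix should be reviewed as separate points rather than folded into one replaced line.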
1007 |
<para>Consult the &man.automount.8;, &man.automountd.8;, |
1007 |
<para>Consult the &man.automount.8;, &man.automountd.8;, |
1008 |
&man.autounmountd.8;, and &man.auto.master.5; manual pages for |
1008 |
&man.autounmountd.8;, and &man.auto.master.5; manual pages for |
1009 |
more information.</para> |
1009 |
more information.</para> |
1010 |
</sect2> |
1010 |
</sect2> |
1011 |
</sect1> |
1011 |
</sect1> |
1012 |
|
1012 |
|
1013 |
<sect1 xml:id="network-nis"> |
1013 |
<sect1 xml:id="network-nis"> |
1014 |
<!-- |
1014 |
<!-- |
1015 |
<sect1info> |
1015 |
<sect1info> |
1016 |
<authorgroup> |
1016 |
<authorgroup> |
1017 |
<author> |
1017 |
<author> |
1018 |
<firstname>Bill</firstname> |
1018 |
<firstname>Bill</firstname> |
1019 |
<surname>Swingle</surname> |
1019 |
<surname>Swingle</surname> |
1020 |
<contrib>Written by </contrib> |
1020 |
<contrib>Written by </contrib> |
1021 |
</author> |
1021 |
</author> |
1022 |
</authorgroup> |
1022 |
</authorgroup> |
1023 |
<authorgroup> |
1023 |
<authorgroup> |
1024 |
<author> |
1024 |
<author> |
1025 |
<firstname>Eric</firstname> |
1025 |
<firstname>Eric</firstname> |
1026 |
<surname>Ogren</surname> |
1026 |
<surname>Ogren</surname> |
1027 |
<contrib>Enhanced by </contrib> |
1027 |
<contrib>Enhanced by </contrib> |
1028 |
</author> |
1028 |
</author> |
1029 |
<author> |
1029 |
<author> |
1030 |
<firstname>Udo</firstname> |
1030 |
<firstname>Udo</firstname> |
1031 |
<surname>Erdelhoff</surname> |
1031 |
<surname>Erdelhoff</surname> |
1032 |
</author> |
1032 |
</author> |
1033 |
</authorgroup> |
1033 |
</authorgroup> |
1034 |
</sect1info> |
1034 |
</sect1info> |
1035 |
--> |
1035 |
--> |
1036 |
<title>Network Information System |
1036 |
<title>Network Information System |
1037 |
(<acronym>NIS</acronym>)</title> |
1037 |
(<acronym>NIS</acronym>)</title> |
1038 |
|
1038 |
|
1039 |
<indexterm><primary>NIS</primary></indexterm> |
1039 |
<indexterm><primary>NIS</primary></indexterm> |
1040 |
<indexterm><primary>Solaris</primary></indexterm> |
1040 |
<indexterm><primary>Solaris</primary></indexterm> |
1041 |
<indexterm><primary>HP-UX</primary></indexterm> |
1041 |
<indexterm><primary>HP-UX</primary></indexterm> |
1042 |
<indexterm><primary>AIX</primary></indexterm> |
1042 |
<indexterm><primary>AIX</primary></indexterm> |
1043 |
<indexterm><primary>Linux</primary></indexterm> |
1043 |
<indexterm><primary>Linux</primary></indexterm> |
1044 |
<indexterm><primary>NetBSD</primary></indexterm> |
1044 |
<indexterm><primary>NetBSD</primary></indexterm> |
1045 |
<indexterm><primary>OpenBSD</primary></indexterm> |
1045 |
<indexterm><primary>OpenBSD</primary></indexterm> |
1046 |
<indexterm> |
1046 |
<indexterm> |
1047 |
<primary>yellow pages</primary> |
1047 |
<primary>yellow pages</primary> |
1048 |
<see>NIS</see> |
1048 |
<see>NIS</see> |
1049 |
</indexterm> |
1049 |
</indexterm> |
1050 |
|
1050 |
|
1051 |
<para>Network Information System (<acronym>NIS</acronym>) is |
1051 |
<para>Network Information System (<acronym>NIS</acronym>) is |
1052 |
designed to centralize administration of &unix;-like systems |
1052 |
designed to centralize administration of &unix;-like systems |
1053 |
such as &solaris;, HP-UX, &aix;, Linux, NetBSD, OpenBSD, and |
1053 |
such as &solaris;, HP-UX, &aix;, Linux, NetBSD, OpenBSD, and |
1054 |
&os;. <acronym>NIS</acronym> was originally known as Yellow |
1054 |
&os;. <acronym>NIS</acronym> was originally known as Yellow |
1055 |
Pages but the name was changed due to trademark issues. This |
1055 |
Pages but the name was changed due to trademark issues. This |
1056 |
is the reason why <acronym>NIS</acronym> commands begin with |
1056 |
is the reason why <acronym>NIS</acronym> commands begin with |
1057 |
<literal>yp</literal>.</para> |
1057 |
<literal>yp</literal>.</para> |
1058 |
|
1058 |
|
1059 |
<indexterm> |
1059 |
<indexterm> |
1060 |
<primary>NIS</primary> |
1060 |
<primary>NIS</primary> |
1061 |
<secondary>domains</secondary> |
1061 |
<secondary>domains</secondary> |
1062 |
</indexterm> |
1062 |
</indexterm> |
1063 |
|
1063 |
|
1064 |
<para><acronym>NIS</acronym> is a Remote Procedure Call |
1064 |
<para><acronym>NIS</acronym> is a Remote Procedure Call |
1065 |
(<acronym>RPC</acronym>)-based client/server system that allows |
1065 |
(<acronym>RPC</acronym>)-based client/server system that allows |
1066 |
a group of machines within an <acronym>NIS</acronym> domain to |
1066 |
a group of machines within an <acronym>NIS</acronym> domain to |
1067 |
share a common set of configuration files. This permits a |
1067 |
share a common set of configuration files. This permits a |
1068 |
system administrator to set up <acronym>NIS</acronym> client |
1068 |
system administrator to set up <acronym>NIS</acronym> client |
1069 |
systems with only minimal configuration data and to add, remove, |
1069 |
systems with only minimal configuration data and to add, remove, |
1070 |
or modify configuration data from a single location.</para> |
1070 |
or modify configuration data from a single location.</para> |
1071 |
|
1071 |
|
1072 |
<para>&os; uses version 2 of the <acronym>NIS</acronym> |
1072 |
<para>&os; uses version 2 of the <acronym>NIS</acronym> |
1073 |
protocol.</para> |
1073 |
protocol.</para> |
1074 |
|
1074 |
|
1075 |
<sect2> |
1075 |
<sect2> |
1076 |
<title><acronym>NIS</acronym> Terms and Processes</title> |
1076 |
<title><acronym>NIS</acronym> Terms and Processes</title> |
1077 |
|
1077 |
|
1078 |
<para>Table 28.1 summarizes the terms and important processes |
1078 |
<para>Table 28.1 summarizes the terms and important processes |
1079 |
used by <acronym>NIS</acronym>:</para> |
1079 |
used by <acronym>NIS</acronym>:</para> |
1080 |
|
1080 |
|
1081 |
<indexterm> |
1081 |
<indexterm> |
1082 |
<primary><application>rpcbind</application></primary> |
1082 |
<primary><application>rpcbind</application></primary> |
1083 |
</indexterm> |
1083 |
</indexterm> |
1084 |
<indexterm> |
1084 |
<indexterm> |
1085 |
<primary><application>portmap</application></primary> |
1085 |
<primary><application>portmap</application></primary> |
1086 |
</indexterm> |
1086 |
</indexterm> |
1087 |
|
1087 |
|
1088 |
<table frame="none" pgwide="1"> |
1088 |
<table frame="none" pgwide="1"> |
1089 |
<title><acronym>NIS</acronym> Terminology</title> |
1089 |
<title><acronym>NIS</acronym> Terminology</title> |
1090 |
|
1090 |
|
1091 |
<tgroup cols="2"> |
1091 |
<tgroup cols="2"> |
1092 |
<colspec colwidth="1*"/> |
1092 |
<colspec colwidth="1*"/> |
1093 |
<colspec colwidth="3*"/> |
1093 |
<colspec colwidth="3*"/> |
1094 |
|
1094 |
|
1095 |
<thead> |
1095 |
<thead> |
1096 |
<row> |
1096 |
<row> |
1097 |
<entry>Term</entry> |
1097 |
<entry>Term</entry> |
1098 |
<entry>Description</entry> |
1098 |
<entry>Description</entry> |
1099 |
</row> |
1099 |
</row> |
1100 |
</thead> |
1100 |
</thead> |
1101 |
|
1101 |
|
1102 |
<tbody> |
1102 |
<tbody> |
1103 |
<row> |
1103 |
<row> |
1104 |
<entry><acronym>NIS</acronym> domain name</entry> |
1104 |
<entry><acronym>NIS</acronym> domain name</entry> |
1105 |
|
1105 |
|
1106 |
<entry><acronym>NIS</acronym> servers and clients share |
1106 |
<entry><acronym>NIS</acronym> servers and clients share |
1107 |
an <acronym>NIS</acronym> domain name. Typically, |
1107 |
an <acronym>NIS</acronym> domain name. Typically, |
1108 |
this name does not have anything to do with |
1108 |
this name does not have anything to do with |
1109 |
<acronym>DNS</acronym>.</entry> |
1109 |
<acronym>DNS</acronym>.</entry> |
1110 |
</row> |
1110 |
</row> |
1111 |
|
1111 |
|
1112 |
<row> |
1112 |
<row> |
1113 |
<entry>&man.rpcbind.8;</entry> |
1113 |
<entry>&man.rpcbind.8;</entry> |
1114 |
|
1114 |
|
1115 |
<entry>This service enables <acronym>RPC</acronym> and |
1115 |
<entry>This service enables <acronym>RPC</acronym> and |
1116 |
must be running in order to run an |
1116 |
must be running in order to run an |
1117 |
<acronym>NIS</acronym> server or act as an |
1117 |
<acronym>NIS</acronym> server or act as an |
1118 |
<acronym>NIS</acronym> client.</entry> |
1118 |
<acronym>NIS</acronym> client.</entry> |
1119 |
</row> |
1119 |
</row> |
1120 |
|
1120 |
|
1121 |
<row> |
1121 |
<row> |
1122 |
<entry>&man.ypbind.8;</entry> |
1122 |
<entry>&man.ypbind.8;</entry> |
1123 |
<entry>This service binds an <acronym>NIS</acronym> |
1123 |
<entry>This service binds an <acronym>NIS</acronym> |
1124 |
client to its <acronym>NIS</acronym> server. It will |
1124 |
client to its <acronym>NIS</acronym> server. It will |
1125 |
take the <acronym>NIS</acronym> domain name and use |
1125 |
take the <acronym>NIS</acronym> domain name and use |
1126 |
<acronym>RPC</acronym> to connect to the server. It |
1126 |
<acronym>RPC</acronym> to connect to the server. It |
1127 |
is the core of client/server communication in an |
1127 |
is the core of client/server communication in an |
1128 |
<acronym>NIS</acronym> environment. If this service |
1128 |
<acronym>NIS</acronym> environment. If this service |
1129 |
is not running on a client machine, it will not be |
1129 |
is not running on a client machine, it will not be |
1130 |
able to access the <acronym>NIS</acronym> |
1130 |
able to access the <acronym>NIS</acronym> |
1131 |
server.</entry> |
1131 |
server.</entry> |
1132 |
</row> |
1132 |
</row> |
1133 |
|
1133 |
|
1134 |
<row> |
1134 |
<row> |
1135 |
<entry>&man.ypserv.8;</entry> |
1135 |
<entry>&man.ypserv.8;</entry> |
1136 |
<entry>This is the process for the |
1136 |
<entry>This is the process for the |
1137 |
<acronym>NIS</acronym> server. If this service stops |
1137 |
<acronym>NIS</acronym> server. If this service stops |
1138 |
running, the server will no longer be able to respond |
1138 |
running, the server will no longer be able to respond |
1139 |
to <acronym>NIS</acronym> requests so hopefully, there |
1139 |
to <acronym>NIS</acronym> requests so hopefully, there |
1140 |
is a slave server to take over. Some non-&os; clients |
1140 |
is a slave server to take over. Some non-&os; clients |
1141 |
will not try to reconnect using a slave server and the |
1141 |
will not try to reconnect using a slave server and the |
1142 |
<application>ypbind</application> process may need to |
1142 |
<application>ypbind</application> process may need to |
1143 |
be restarted on these |
1143 |
be restarted on these |
1144 |
clients.</entry> |
1144 |
clients.</entry> |
1145 |
</row> |
1145 |
</row> |
1146 |
|
1146 |
|
1147 |
<row> |
1147 |
<row> |
1148 |
<entry>&man.rpc.yppasswdd.8;</entry> |
1148 |
<entry>&man.rpc.yppasswdd.8;</entry> |
1149 |
<entry>This process only runs on |
1149 |
<entry>This process only runs on |
1150 |
<acronym>NIS</acronym> master servers. This daemon |
1150 |
<acronym>NIS</acronym> master servers. This daemon |
1151 |
allows <acronym>NIS</acronym> clients to change their |
1151 |
allows <acronym>NIS</acronym> clients to change their |
1152 |
<acronym>NIS</acronym> passwords. If this daemon is |
1152 |
<acronym>NIS</acronym> passwords. If this daemon is |
1153 |
not running, users will have to login to the |
1153 |
not running, users will have to login to the |
1154 |
<acronym>NIS</acronym> master server and change their |
1154 |
<acronym>NIS</acronym> master server and change their |
1155 |
passwords there.</entry> |
1155 |
passwords there.</entry> |
1156 |
</row> |
1156 |
</row> |
1157 |
</tbody> |
1157 |
</tbody> |
1158 |
</tgroup> |
1158 |
</tgroup> |
1159 |
</table> |
1159 |
</table> |
1160 |
<!-- XXX Missing: rpc.ypxfrd (not important, though) May only run |
1160 |
<!-- XXX Missing: rpc.ypxfrd (not important, though) May only run |
1161 |
on the master --> |
1161 |
on the master --> |
1162 |
</sect2> |
1162 |
</sect2> |
1163 |
|
1163 |
|
1164 |
<sect2> |
1164 |
<sect2> |
1165 |
<title>Machine Types</title> |
1165 |
<title>Machine Types</title> |
1166 |
|
1166 |
|
1167 |
<indexterm><primary>NIS</primary> |
1167 |
<indexterm><primary>NIS</primary> |
1168 |
<secondary>master server</secondary> |
1168 |
<secondary>master server</secondary> |
1169 |
</indexterm> |
1169 |
</indexterm> |
1170 |
<indexterm><primary>NIS</primary> |
1170 |
<indexterm><primary>NIS</primary> |
1171 |
<secondary>slave server</secondary> |
1171 |
<secondary>slave server</secondary> |
1172 |
</indexterm> |
1172 |
</indexterm> |
1173 |
<indexterm><primary>NIS</primary> |
1173 |
<indexterm><primary>NIS</primary> |
1174 |
<secondary>client</secondary> |
1174 |
<secondary>client</secondary> |
1175 |
</indexterm> |
1175 |
</indexterm> |
1176 |
|
1176 |
|
1177 |
<para>There are three types of hosts in an |
1177 |
<para>There are three types of hosts in an |
1178 |
<acronym>NIS</acronym> environment:</para> |
1178 |
<acronym>NIS</acronym> environment:</para> |
1179 |
|
1179 |
|
1180 |
<itemizedlist> |
1180 |
<itemizedlist> |
1181 |
<listitem> |
1181 |
<listitem> |
1182 |
<para><acronym>NIS</acronym> master server</para> |
1182 |
<para><acronym>NIS</acronym> master server</para> |
1183 |
|
1183 |
|
1184 |
<para>This server acts as a central repository for host |
1184 |
<para>This server acts as a central repository for host |
1185 |
configuration information and maintains the |
1185 |
configuration information and maintains the |
1186 |
authoritative copy of the files used by all of the |
1186 |
authoritative copy of the files used by all of the |
1187 |
<acronym>NIS</acronym> clients. The |
1187 |
<acronym>NIS</acronym> clients. The |
1188 |
<filename>passwd</filename>, <filename>group</filename>, |
1188 |
<filename>passwd</filename>, <filename>group</filename>, |
1189 |
and other various files used by <acronym>NIS</acronym> |
1189 |
and other various files used by <acronym>NIS</acronym> |
1190 |
clients are stored on the master server. While it is |
1190 |
clients are stored on the master server. While it is |
1191 |
possible for one machine to be an <acronym>NIS</acronym> |
1191 |
possible for one machine to be an <acronym>NIS</acronym> |
1192 |
master server for more than one <acronym>NIS</acronym> |
1192 |
master server for more than one <acronym>NIS</acronym> |
1193 |
domain, this type of configuration will not be covered in |
1193 |
domain, this type of configuration will not be covered in |
1194 |
this chapter as it assumes a relatively small-scale |
1194 |
this chapter as it assumes a relatively small-scale |
1195 |
<acronym>NIS</acronym> environment.</para> |
1195 |
<acronym>NIS</acronym> environment.</para> |
1196 |
</listitem> |
1196 |
</listitem> |
1197 |
|
1197 |
|
1198 |
<listitem> |
1198 |
<listitem> |
1199 |
<para><acronym>NIS</acronym> slave servers</para> |
1199 |
<para><acronym>NIS</acronym> slave servers</para> |
1200 |
|
1200 |
|
1201 |
<para><acronym>NIS</acronym> slave servers maintain copies |
1201 |
<para><acronym>NIS</acronym> slave servers maintain copies |
1202 |
of the <acronym>NIS</acronym> master's data files in |
1202 |
of the <acronym>NIS</acronym> master's data files in |
1203 |
order to provide redundancy. Slave servers also help to |
1203 |
order to provide redundancy. Slave servers also help to |
1204 |
balance the load of the master server as |
1204 |
balance the load of the master server as |
1205 |
<acronym>NIS</acronym> clients always attach to the |
1205 |
          <acronym>NIS</acronym> clients always attach to the
          <acronym>NIS</acronym> server which responds
          first.</para>
        </listitem>

        <listitem>
          <para><acronym>NIS</acronym> clients</para>

          <para><acronym>NIS</acronym> clients authenticate
            against the <acronym>NIS</acronym> server during log
            on.</para>
        </listitem>
      </itemizedlist>

      <para>Information in many files can be shared using
        <acronym>NIS</acronym>.  The
        <filename>master.passwd</filename>,
        <filename>group</filename>, and <filename>hosts</filename>
        files are commonly shared via <acronym>NIS</acronym>.
        Whenever a process on a client needs information that would
        normally be found in these files locally, it makes a query to
        the <acronym>NIS</acronym> server that it is bound to
        instead.</para>
    </sect2>

    <sect2>
      <title>Planning Considerations</title>

      <para>This section describes a sample <acronym>NIS</acronym>
        environment which consists of 15 &os; machines with no
        centralized point of administration.  Each machine has its own
        <filename>/etc/passwd</filename> and
        <filename>/etc/master.passwd</filename>.  These files are kept
        in sync with each other only through manual intervention.
        Currently, when a user is added to the lab, the process must
        be repeated on all 15 machines.</para>

      <para>The configuration of the lab will be as follows:</para>

      <informaltable frame="none" pgwide="1">
        <tgroup cols="3">
          <thead>
            <row>
              <entry>Machine name</entry>
              <entry><acronym>IP</acronym> address</entry>
              <entry>Machine role</entry>
            </row>
          </thead>

          <tbody>
            <row>
              <entry><systemitem>ellington</systemitem></entry>
              <entry><systemitem
                class="ipaddress">10.0.0.2</systemitem></entry>
              <entry><acronym>NIS</acronym> master</entry>
            </row>

            <row>
              <entry><systemitem>coltrane</systemitem></entry>
              <entry><systemitem
                class="ipaddress">10.0.0.3</systemitem></entry>
              <entry><acronym>NIS</acronym> slave</entry>
            </row>

            <row>
              <entry><systemitem>basie</systemitem></entry>
              <entry><systemitem
                class="ipaddress">10.0.0.4</systemitem></entry>
              <entry>Faculty workstation</entry>
            </row>

            <row>
              <entry><systemitem>bird</systemitem></entry>
              <entry><systemitem
                class="ipaddress">10.0.0.5</systemitem></entry>
              <entry>Client machine</entry>
            </row>

            <row>
              <entry><systemitem>cli[1-11]</systemitem></entry>
              <entry>
                <systemitem
                  class="ipaddress">10.0.0.[6-17]</systemitem></entry>
              <entry>Other client machines</entry>
            </row>
          </tbody>
        </tgroup>
      </informaltable>

      <para>If this is the first time an <acronym>NIS</acronym>
        scheme is being developed, it should be thoroughly planned
        ahead of time.  Regardless of network size, several decisions
        need to be made as part of the planning process.</para>

      <sect3>
        <title>Choosing a <acronym>NIS</acronym> Domain Name</title>

        <indexterm>
          <primary>NIS</primary>
          <secondary>domain name</secondary>
        </indexterm>
        <para>When a client broadcasts its requests for information,
          it includes the name of the <acronym>NIS</acronym> domain
          that it is part of.  This is how multiple servers on one
          network can tell which server should answer which request.
          Think of the <acronym>NIS</acronym> domain name as the name
          for a group of hosts.</para>

        <para>Some organizations choose to use their Internet domain
          name for their <acronym>NIS</acronym> domain name.  This is
          not recommended as it can cause confusion when trying to
          debug network problems.  The <acronym>NIS</acronym> domain
          name should be unique within the network and it is helpful
          if it describes the group of machines it represents.  For
          example, the Art department at Acme Inc. might be in the
          <quote>acme-art</quote> <acronym>NIS</acronym> domain.  This
          example will use the domain name
          <literal>test-domain</literal>.</para>

        <para>However, some non-&os; operating systems require the
          <acronym>NIS</acronym> domain name to be the same as the
          Internet domain name.  If one or more machines on the
          network have this restriction, the Internet domain name
          <emphasis>must</emphasis> be used as the
          <acronym>NIS</acronym> domain name.</para>
      </sect3>

      <sect3>
        <title>Physical Server Requirements</title>

        <para>There are several things to keep in mind when choosing a
          machine to use as a <acronym>NIS</acronym> server.  Since
          <acronym>NIS</acronym> clients depend upon the availability
          of the server, choose a machine that is not rebooted
          frequently.  The <acronym>NIS</acronym> server should
          ideally be a stand-alone machine whose sole purpose is to be
          an <acronym>NIS</acronym> server.  If the network is not
          heavily used, it is acceptable to put the
          <acronym>NIS</acronym> server on a machine running other
          services.  However, if the <acronym>NIS</acronym> server
          becomes unavailable, it will adversely affect all
          <acronym>NIS</acronym> clients.</para>
      </sect3>
    </sect2>

    <sect2>
      <title>Configuring the <acronym>NIS</acronym> Master
        Server</title>

      <para>The canonical copies of all <acronym>NIS</acronym> files
        are stored on the master server.  The databases used to store
        the information are called <acronym>NIS</acronym> maps.  In
        &os;, these maps are stored in
        <filename>/var/yp/[domainname]</filename> where
        <filename>[domainname]</filename> is the name of the
        <acronym>NIS</acronym> domain.  Since multiple domains are
        supported, it is possible to have several directories, one for
        each domain.  Each domain will have its own independent set of
        maps.</para>

      <para><acronym>NIS</acronym> master and slave servers handle all
        <acronym>NIS</acronym> requests through &man.ypserv.8;.  This
        daemon is responsible for receiving incoming requests from
        <acronym>NIS</acronym> clients, translating the requested
        domain and map name to a path to the corresponding database
        file, and transmitting data from the database back to the
        client.</para>

      <indexterm><primary>NIS</primary>
        <secondary>server configuration</secondary>
      </indexterm>
      <para>Setting up a master <acronym>NIS</acronym> server can be
        relatively straightforward, depending on environmental needs.
        Since &os; provides built-in <acronym>NIS</acronym> support,
        it only needs to be enabled by adding the following lines to
        <filename>/etc/rc.conf</filename>:</para>

      <programlisting>nisdomainname="test-domain" <co xml:id="network-nis-co-domainname" />
nis_server_enable="YES" <co xml:id="network-nis-co-server" />
nis_yppasswdd_enable="YES" <co xml:id="network-nis-co-yppasswdd" /></programlisting>

      <calloutlist>
        <callout arearefs="network-nis-co-domainname">
          <para>This line sets the <acronym>NIS</acronym> domain name
            to <literal>test-domain</literal>.</para>
        </callout>

        <callout arearefs="network-nis-co-server">
          <para>This automates the startup of the
            <acronym>NIS</acronym> server processes when the system
            boots.</para>
        </callout>

        <callout arearefs="network-nis-co-yppasswdd">
          <para>This enables the &man.rpc.yppasswdd.8; daemon so that
            users can change their <acronym>NIS</acronym> password
            from a client machine.</para>
        </callout>
      </calloutlist>

      <para>Care must be taken in a multi-server domain where the
        server machines are also <acronym>NIS</acronym> clients.  It
        is generally a good idea to force the servers to bind to
        themselves rather than allowing them to broadcast bind
        requests and possibly become bound to each other.  Strange
        failure modes can result if one server goes down and others
        are dependent upon it.  Eventually, all the clients will time
        out and attempt to bind to other servers, but the delay
        involved can be considerable and the failure mode is still
        present since the servers might bind to each other all over
        again.</para>

      <para>A server that is also a client can be forced to bind to a
        particular server by adding these additional lines to
        <filename>/etc/rc.conf</filename>:</para>

      <programlisting>nis_client_enable="YES" # run client stuff as well
nis_client_flags="-S <replaceable>NIS domain</replaceable>,<replaceable>server</replaceable>"</programlisting>

      <para>After saving the edits, type
        <command>/etc/netstart</command> to restart the network and
        apply the values defined in <filename>/etc/rc.conf</filename>.
        Before initializing the <acronym>NIS</acronym> maps, start
        &man.ypserv.8;:</para>

      <screen>&prompt.root; <userinput>service ypserv start</userinput></screen>

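      <para>As an added illustration that is not part of the Handbook,
        the shell functions below emit the
        <filename>/etc/rc.conf</filename> lines shown above for each
        role in the sample lab and lint a finished
        <filename>rc.conf</filename> for the bind-to-self advice: a
        host that runs both &man.ypserv.8; and ypbind must pin itself
        with <literal>-S</literal> in
        <literal>nis_client_flags</literal>, or it is left to
        broadcast-bind and can end up bound to a peer server.  The
        function names (<literal>nis_rc_fragment</literal>,
        <literal>rc_value</literal>, <literal>nis_rc_lint</literal>)
        and the extra check that <literal>nis_yppasswdd_enable</literal>
        is only set on a server are this example's own assumptions, not
        Handbook rules.</para>

```shell
# Added example (not Handbook code): emit the /etc/rc.conf lines for a
# host's NIS role and lint a finished rc.conf for the bind-to-self rule.
# Hosts and domain are the Handbook's sample lab; the function names and
# the rpc.yppasswdd check are this example's own assumptions.

# nis_rc_fragment ROLE HOST DOMAIN
#   ROLE is master, slave or client.  Prints rc.conf lines on stdout.
#   A master or slave is also made an NIS client and pinned to itself
#   with ypbind's -S DOMAIN,HOST so it never broadcast-binds to a peer
#   server that may itself be down.
nis_rc_fragment() {
    role=$1; host=$2; domain=$3
    printf 'nisdomainname="%s"\n' "$domain"
    case $role in
        master)
            printf 'nis_server_enable="YES"\n'
            printf 'nis_yppasswdd_enable="YES"\n'   # rpc.yppasswdd runs on the master only
            printf 'nis_client_enable="YES"\n'
            printf 'nis_client_flags="-S %s,%s"\n' "$domain" "$host"
            ;;
        slave)
            printf 'nis_server_enable="YES"\n'
            printf 'nis_client_enable="YES"\n'
            printf 'nis_client_flags="-S %s,%s"\n' "$domain" "$host"
            ;;
        client)
            printf 'nis_client_enable="YES"\n'
            ;;
        *)
            return 2                                 # unknown role
            ;;
    esac
}

# rc_value FILE VAR
#   Prints the value of VAR="..." from FILE (the last assignment wins,
#   as it does in rc.conf), or nothing if VAR is unset.
rc_value() {
    sed -n "s/^$2=\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
}

# nis_rc_lint FILE
#   0: consistent with the Handbook's advice
#   1: ypserv and ypbind both enabled but no -S in nis_client_flags,
#      so this server would broadcast-bind (the failure mode above)
#   2: a server with no nisdomainname set
#   3: rpc.yppasswdd enabled on a host that is not a server
nis_rc_lint() {
    server=$(rc_value "$1" nis_server_enable)
    client=$(rc_value "$1" nis_client_enable)
    flags=$(rc_value "$1" nis_client_flags)
    domain=$(rc_value "$1" nisdomainname)
    yppasswdd=$(rc_value "$1" nis_yppasswdd_enable)
    if [ "$yppasswdd" = "YES" ]; then
        [ "$server" = "YES" ] || return 3
    fi
    [ "$server" = "YES" ] || return 0      # plain client: nothing more to check
    [ -n "$domain" ] || return 2
    if [ "$client" = "YES" ]; then
        case $flags in
            *-S*) ;;
            *) return 1 ;;
        esac
    fi
    return 0
}

# Demo on a constructed file (not a real /etc/rc.conf).
demo=$(mktemp)
nis_rc_fragment master ellington test-domain > "$demo"
if nis_rc_lint "$demo"; then echo "ellington: rc.conf fragment is consistent"; fi
rm -f "$demo"
```

      <para>The lint only inspects the five
        <literal>nis_*</literal> and <literal>nisdomainname</literal>
        assignments it understands, so it complements rather than
        replaces reading the file; the value it returns for a
        server-that-is-also-a-client without <literal>-S</literal> is
        the condition to alert on.</para>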
      <sect3>
        <title>Initializing the <acronym>NIS</acronym> Maps</title>

        <indexterm>
          <primary>NIS</primary>
          <secondary>maps</secondary>
        </indexterm>
        <para><acronym>NIS</acronym> maps are generated from the
          configuration files in <filename>/etc</filename> on the
          <acronym>NIS</acronym> master, with one exception:
          <filename>/etc/master.passwd</filename>.  This is to prevent
          the propagation of passwords to all the servers in the
          <acronym>NIS</acronym> domain.  Therefore, before the
          <acronym>NIS</acronym> maps are initialized, configure the
          primary password files:</para>

        <screen>&prompt.root; <userinput>cp /etc/master.passwd /var/yp/master.passwd</userinput>
&prompt.root; <userinput>cd /var/yp</userinput>
&prompt.root; <userinput>vi master.passwd</userinput></screen>

        <para>It is advisable to remove all entries for system
          accounts as well as any user accounts that do not need to be
          propagated to the <acronym>NIS</acronym> clients, such as
          the <systemitem class="username">root</systemitem> and any
          other administrative accounts.</para>

        <note>
          <para>Ensure that
            <filename>/var/yp/master.passwd</filename> is neither
            group nor world readable by setting its permissions to
            <literal>600</literal>.</para>
        </note>

        <para>After completing this task, initialize the
          <acronym>NIS</acronym> maps.  &os; includes the
          &man.ypinit.8; script to do this.  When generating maps
          for the master server, include <option>-m</option> and
          specify the <acronym>NIS</acronym> domain name:</para>

        <screen>ellington&prompt.root; <userinput>ypinit -m test-domain</userinput>
Server Type: MASTER Domain: test-domain
Creating an YP server will require that you answer a few questions.
Questions will all be asked at the beginning of the procedure.
Do you want this procedure to quit on non-fatal errors? [y/n: n] <userinput>n</userinput>
Ok, please remember to go back and redo manually whatever fails.
If not, something might not work.
At this point, we have to construct a list of this domains YP servers.
rod.darktech.org is already known as master server.
Please continue to add any slave servers, one per line. When you are
done with the list, type a &lt;control D&gt;.
master server : ellington
next host to add: <userinput>coltrane</userinput>
next host to add: <userinput>^D</userinput>
The current list of NIS servers looks like this:
ellington
coltrane
Is this correct? [y/n: y] <userinput>y</userinput>

[..output from map generation..]

NIS Map update completed.
ellington has been setup as an YP master server without any errors.</screen>

        <para>This will create <filename>/var/yp/Makefile</filename>
          from <filename>/var/yp/Makefile.dist</filename>.  By
          default, this file assumes that the environment has a
          single <acronym>NIS</acronym> server with only &os; clients.
          Since <literal>test-domain</literal> has a slave server,
          edit this line in <filename>/var/yp/Makefile</filename> so
          that it begins with a comment
          (<literal>#</literal>):</para>

        <programlisting>NOPUSH = "True"</programlisting>
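
        <para>The preparation steps of this section (filtering the
          copied <filename>master.passwd</filename>, making it mode
          <literal>600</literal>, and commenting out
          <literal>NOPUSH</literal>) as an added example that is not
          Handbook code.  The paths are parameters so the functions can
          be exercised on constructed files; the UID cut-off of 1000
          for <quote>system and administrative accounts</quote>, the
          function names, and the sample entries are assumptions of
          this example.  &man.ypinit.8; itself is interactive and is
          not wrapped here.</para>

```shell
# Added example (not Handbook code): the map-initialisation preparation
# steps as functions runnable against constructed files.  Paths are
# parameters (the Handbook's are /etc/master.passwd and /var/yp).  The
# UID cut-off of 1000 is an assumption: set it to the site's first
# regular-user UID.

# nis_filter_master_passwd SRC DST [MIN_UID]
#   Writes to DST only the SRC entries that should reach NIS clients.
#   Comment lines, root, and every account with a UID below MIN_UID
#   (system and administrative accounts) are dropped.  DST is created
#   under umask 077 and then forced to mode 600, so the password hashes
#   are never group- or world-readable, not even briefly.
nis_filter_master_passwd() {
    src=$1; dst=$2; min_uid=${3:-1000}
    ( umask 077
      awk -F: -v min="$min_uid" '
          /^#/            { next }      # comments never become map entries
          $1 == "root"    { next }      # never propagate the root hash
          ($3 + 0) >= min { print }     # keep regular users only
      ' "$src" > "$dst" )
    chmod 600 "$dst"
}

# nis_passwd_private FILE
#   Succeeds only if FILE is mode 600 exactly (no group/other bits).
#   ls -l is used rather than stat(1) because the stat flags differ
#   between FreeBSD and Linux.
nis_passwd_private() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# nis_enable_push MAKEFILE
#   Comments out the NOPUSH = "True" line so that map rebuilds are
#   pushed to the slave servers.  Idempotent: an already commented
#   line is left as it is.  A MAKEFILE.bak copy is kept.
nis_enable_push() {
    sed -i.bak 's/^\(NOPUSH[[:space:]]*=\)/#\1/' "$1"
}

# Constructed master.passwd sample in FreeBSD's ten-field format
# (name:pw:uid:gid:class:change:expire:gecos:home:shell); the hash
# fields are placeholders, not real hashes.
NIS_SAMPLE_MASTER_PASSWD='# constructed sample, not a real file
root:$6$placeholder$placeholder:0:0::0:0:Charlie Root:/root:/bin/csh
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
operator:*:2:5::0:0:System Operator:/:/usr/sbin/nologin
labadmin:$6$placeholder$placeholder:900:900::0:0:Lab administrator:/home/labadmin:/bin/sh
jsmith:$6$placeholder$placeholder:1001:1001::0:0:J. Smith:/home/jsmith:/bin/sh
mjones:$6$placeholder$placeholder:1002:1002::0:0:M. Jones:/home/mjones:/bin/tcsh'

# Demo in a scratch directory standing in for /var/yp.
yp=$(mktemp -d)
printf '%s\n' "$NIS_SAMPLE_MASTER_PASSWD" > "$yp/etc.master.passwd"
nis_filter_master_passwd "$yp/etc.master.passwd" "$yp/master.passwd"
printf 'NOPUSH = "True"\n' > "$yp/Makefile"
nis_enable_push "$yp/Makefile"
if nis_passwd_private "$yp/master.passwd"; then
    echo "master.passwd is private; entries kept:"; cut -d: -f1 "$yp/master.passwd"
fi
rm -rf "$yp"
```

        <para>The filter leaves the hash field of every entry it keeps
          untouched, so the output is as sensitive as
          <filename>/etc/master.passwd</filename> itself; the
          permission check is worth re-running after any manual edit of
          the copy, since an editor that writes a fresh file will apply
          the current umask rather than the original mode.</para>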
      </sect3>

      <sect3>
        <title>Adding New Users</title>

        <para>Every time a new user is created, the user account must
          be added to the master <acronym>NIS</acronym> server and the
          <acronym>NIS</acronym> maps rebuilt.  Until this occurs, the
          new user will not be able to log in anywhere except on the
          <acronym>NIS</acronym> master.  For example, to add the new
          user <systemitem class="username">jsmith</systemitem> to the
          <literal>test-domain</literal> domain, run these commands on
          the master server:</para>

        <screen>&prompt.root; <userinput>pw useradd jsmith</userinput>
&prompt.root; <userinput>cd /var/yp</userinput>
&prompt.root; <userinput>make test-domain</userinput></screen>

        <para>The user could also be added using <command>adduser
          jsmith</command> instead of <command>pw useradd
          jsmith</command>.</para>
      </sect3>
    </sect2>

    <sect2>
      <title>Setting up a <acronym>NIS</acronym> Slave Server</title>

      <indexterm>
        <primary>NIS</primary>
        <secondary>slave server</secondary>
      </indexterm>
      <para>To set up an <acronym>NIS</acronym> slave server, log on
        to the slave server and edit <filename>/etc/rc.conf</filename>
        as for the master server.  Do not generate any
        <acronym>NIS</acronym> maps, as these already exist on the
        master server.  When running <command>ypinit</command> on the
        slave server, use <option>-s</option> (for slave) instead of
        <option>-m</option> (for master).  This option requires the
        name of the <acronym>NIS</acronym> master in addition to the
        domain name, as seen in this example:</para>

      <screen>coltrane&prompt.root; <userinput>ypinit -s ellington test-domain</userinput>

Server Type: SLAVE Domain: test-domain Master: ellington

Creating an YP server will require that you answer a few questions.
Questions will all be asked at the beginning of the procedure.

Do you want this procedure to quit on non-fatal errors? [y/n: n] <userinput>n</userinput>

Ok, please remember to go back and redo manually whatever fails.
If not, something might not work.
There will be no further questions. The remainder of the procedure
should take a few minutes, to copy the databases from ellington.
Transferring netgroup...
ypxfr: Exiting: Map successfully transferred
Transferring netgroup.byuser...
ypxfr: Exiting: Map successfully transferred
Transferring netgroup.byhost...
ypxfr: Exiting: Map successfully transferred
Transferring master.passwd.byuid...
ypxfr: Exiting: Map successfully transferred
Transferring passwd.byuid...
ypxfr: Exiting: Map successfully transferred
Transferring passwd.byname...
ypxfr: Exiting: Map successfully transferred
Transferring group.bygid...
ypxfr: Exiting: Map successfully transferred
Transferring group.byname...
ypxfr: Exiting: Map successfully transferred
Transferring services.byname...
ypxfr: Exiting: Map successfully transferred
Transferring rpc.bynumber...
ypxfr: Exiting: Map successfully transferred
Transferring rpc.byname...
ypxfr: Exiting: Map successfully transferred
Transferring protocols.byname...
ypxfr: Exiting: Map successfully transferred
Transferring master.passwd.byname...
ypxfr: Exiting: Map successfully transferred
Transferring networks.byname...
ypxfr: Exiting: Map successfully transferred
Transferring networks.byaddr...
ypxfr: Exiting: Map successfully transferred
Transferring netid.byname...
ypxfr: Exiting: Map successfully transferred
Transferring hosts.byaddr...
ypxfr: Exiting: Map successfully transferred
Transferring protocols.bynumber...
ypxfr: Exiting: Map successfully transferred
Transferring ypservers...
ypxfr: Exiting: Map successfully transferred
1597 |
Transferring hosts.byname... |
1597 |
Transferring hosts.byname... |
1598 |
ypxfr: Exiting: Map successfully transferred |
1598 |
ypxfr: Exiting: Map successfully transferred |
1599 |
|
1599 |
|
1600 |
coltrane has been setup as an YP slave server without any errors. |
1600 |
coltrane has been setup as an YP slave server without any errors. |
1601 |
Remember to update map ypservers on ellington.</screen> |
1601 |
Remember to update map ypservers on ellington.</screen> |
1602 |
|
1602 |
|
1603 |
<para>This will generate a directory on the slave server called |
1603 |
<para>This will generate a directory on the slave server called |
1604 |
<filename>/var/yp/test-domain</filename> which contains copies |
1604 |
<filename>/var/yp/test-domain</filename> which contains copies |
1605 |
of the <acronym>NIS</acronym> master server's maps. Adding |
1605 |
of the <acronym>NIS</acronym> master server's maps. Adding |
1606 |
these <filename>/etc/crontab</filename> entries on each slave |
1606 |
these <filename>/etc/crontab</filename> entries on each slave |
1607 |
server will force the slaves to sync their maps with the maps |
1607 |
server will force the slaves to sync their maps with the maps |
1608 |
on the master server:</para> |
1608 |
on the master server:</para> |
1609 |
|
1609 |
|
1610 |
<programlisting>20 * * * * root /usr/libexec/ypxfr passwd.byname |
1610 |
<programlisting>20 * * * * root /usr/libexec/ypxfr passwd.byname |
1611 |
21 * * * * root /usr/libexec/ypxfr passwd.byuid</programlisting> |
1611 |
21 * * * * root /usr/libexec/ypxfr passwd.byuid</programlisting> |
1612 |
|
1612 |
|
1613 |
<para>These entries are not mandatory because the master server |
1613 |
<para>These entries are not mandatory because the master server |
1614 |
automatically attempts to push any map changes to its slaves. |
1614 |
automatically attempts to push any map changes to its slaves. |
1615 |
However, since clients may depend upon the slave server to |
1615 |
However, since clients may depend upon the slave server to |
1616 |
provide correct password information, it is recommended to |
1616 |
provide correct password information, it is recommended to |
1617 |
force frequent password map updates. This is especially |
1617 |
force frequent password map updates. This is especially |
1618 |
important on busy networks where map updates might not always |
1618 |
important on busy networks where map updates might not always |
1619 |
complete.</para> |
1619 |
complete.</para> |
1620 |
|
1620 |
|
1621 |
<para>To finish the configuration, run |
1621 |
<para>To finish the configuration, run |
1622 |
<command>/etc/netstart</command> on the slave server in order |
1622 |
<command>/etc/netstart</command> on the slave server in order |
1623 |
to start the <acronym>NIS</acronym> services.</para> |
1623 |
to start the <acronym>NIS</acronym> services.</para> |
1624 |
</sect2> |
1624 |
</sect2> |
1625 |
|
1625 |
|
    <sect2>
      <title>Setting Up an <acronym>NIS</acronym> Client</title>

      <para>An <acronym>NIS</acronym> client binds to an
        <acronym>NIS</acronym> server using &man.ypbind.8;.  This
        daemon broadcasts RPC requests on the local network.  These
        requests specify the domain name configured on the client.  If
        an <acronym>NIS</acronym> server in the same domain receives
        one of the broadcasts, it will respond to
        <application>ypbind</application>, which will record the
        server's address.  If there are several servers available,
        the client will use the address of the first server to respond
        and will direct all of its <acronym>NIS</acronym> requests to
        that server.  The client will automatically
        <application>ping</application> the server on a regular basis
        to make sure it is still available.  If it fails to receive a
        reply within a reasonable amount of time,
        <application>ypbind</application> will mark the domain as
        unbound and begin broadcasting again in the hopes of locating
        another server.</para>

      <indexterm><primary>NIS</primary>
        <secondary>client configuration</secondary>
      </indexterm>

      <para>To configure a &os; machine to be an
        <acronym>NIS</acronym> client:</para>

      <procedure>
        <step>
          <para>Edit <filename>/etc/rc.conf</filename> and add the
            following lines in order to set the
            <acronym>NIS</acronym> domain name and start
            &man.ypbind.8; during network startup:</para>

          <programlisting>nisdomainname="test-domain"
nis_client_enable="YES"</programlisting>
        </step>

        <step>
          <para>To import all possible password entries from the
            <acronym>NIS</acronym> server, use
            <command>vipw</command> to remove all user accounts
            except one from <filename>/etc/master.passwd</filename>.
            When removing the accounts, keep in mind that at least one
            local account should remain and this account should be a
            member of <systemitem
              class="groupname">wheel</systemitem>.  If there is a
            problem with <acronym>NIS</acronym>, this local account
            can be used to log in remotely, become the superuser, and
            fix the problem.  Before saving the edits, add the
            following line to the end of the file:</para>

          <programlisting>+:::::::::</programlisting>

          <para>This line configures the client to provide anyone with
            a valid account in the <acronym>NIS</acronym> server's
            password maps an account on the client.  There are many
            ways to configure the <acronym>NIS</acronym> client by
            modifying this line.  One method is described in <xref
              linkend="network-netgroups"/>.  For more detailed
            reading, refer to the book
            <literal>Managing NFS and NIS</literal>, published by
            O'Reilly Media.</para>
        </step>

        <step>
          <para>To import all possible group entries from the
            <acronym>NIS</acronym> server, add this line to
            <filename>/etc/group</filename>:</para>

          <programlisting>+:*::</programlisting>
        </step>
      </procedure>

      <para>To start the <acronym>NIS</acronym> client immediately,
        execute the following commands as the superuser:</para>

      <screen>&prompt.root; <userinput>/etc/netstart</userinput>
&prompt.root; <userinput>service ypbind start</userinput></screen>

      <para>After completing these steps, running
        <command>ypcat passwd</command> on the client should show
        the server's <filename>passwd</filename> map.</para>
    </sect2>

    <sect2>
      <title><acronym>NIS</acronym> Security</title>

      <para>Since <acronym>RPC</acronym> is a broadcast-based service,
        any system running <application>ypbind</application> within
        the same domain can retrieve the contents of the
        <acronym>NIS</acronym> maps.  To prevent unauthorized
        transactions, &man.ypserv.8; supports a feature called
        <quote>securenets</quote> which can be used to restrict access
        to a given set of hosts.  By default, this information is
        stored in <filename>/var/yp/securenets</filename>, unless
        &man.ypserv.8; is started with <option>-p</option> and an
        alternate path.  This file contains entries that consist of a
        network specification and a network mask separated by white
        space.  Lines starting with <literal>#</literal> are
        considered to be comments.  A sample
        <filename>securenets</filename> might look like this:</para>

      <programlisting># allow connections from local host -- mandatory
127.0.0.1     255.255.255.255
# allow connections from any host
# on the 192.168.128.0 network
192.168.128.0 255.255.255.0
# allow connections from any host
# between 10.0.0.0 to 10.0.15.255
# this includes the machines in the testlab
10.0.0.0      255.255.240.0</programlisting>

      <para>If &man.ypserv.8; receives a request from an address that
        matches one of these rules, it will process the request
        normally.  If the address fails to match a rule, the request
        will be ignored and a warning message will be logged.  If the
        <filename>securenets</filename> file does not exist,
        <command>ypserv</command> will allow connections from any
        host.</para>
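      <para>The matching rule just described, carried out in code as an
        added example that is not part of the Handbook or of
        &man.ypserv.8; itself: a Python checker that parses the sample
        <filename>securenets</filename> above and reports whether a
        given client address would be accepted, including the case
        where no file exists at all.  The client addresses it is tried
        against are constructed for the example.</para>

```python
"""Evaluate a ypserv securenets policy against client addresses.

Added example; not FreeBSD Handbook or ypserv code.  It models the
rule stated in the text: each non-comment line is a network and a
mask, a request is accepted if its source address matches any line,
and if no securenets file exists at all every host is accepted.
"""
import ipaddress

# Constructed sample: the securenets listing from the text, verbatim.
SAMPLE_SECURENETS = """\
# allow connections from local host -- mandatory
127.0.0.1     255.255.255.255
# allow connections from any host
# on the 192.168.128.0 network
192.168.128.0 255.255.255.0
# allow connections from any host
# between 10.0.0.0 to 10.0.15.255
# this includes the machines in the testlab
10.0.0.0      255.255.240.0
"""


def parse_securenets(text):
    """Return one IPv4Network per rule line.

    Blank lines and lines starting with '#' are skipped, following the
    comment convention in the text.  A malformed rule raises ValueError
    instead of being skipped, so a typo cannot quietly widen or narrow
    the policy when the file is reloaded.
    """
    rules = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 2:
            raise ValueError(
                "securenets line %d: expected 'network mask'" % lineno)
        network, mask = fields
        # strict=False truncates the network field to the mask, which is
        # what a mask-based comparison of the request address amounts to.
        rules.append(ipaddress.IPv4Network((network, mask), strict=False))
    return rules


def is_allowed(rules, address):
    """Return True if address matches any rule.

    rules=None stands for 'no securenets file present'; in that case
    every host is accepted, which is the open-by-default caveat the text
    points out.
    """
    if rules is None:
        return True
    addr = ipaddress.IPv4Address(address)
    return any(addr in net for net in rules)


def audit(rules, addresses):
    """Map each address to the decision ypserv would take for it."""
    return {a: ("accept" if is_allowed(rules, a) else "ignore+warn")
            for a in addresses}


if __name__ == "__main__":
    policy = parse_securenets(SAMPLE_SECURENETS)
    for addr, verdict in audit(policy, ["10.0.3.4", "10.0.16.1"]).items():
        print(addr, verdict)
```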

      <para><xref linkend="tcpwrappers"/> is an alternate mechanism
        for providing access control instead of
        <filename>securenets</filename>.  While either access control
        mechanism adds some security, they are both vulnerable to
        <quote><acronym>IP</acronym> spoofing</quote> attacks.  All
        <acronym>NIS</acronym>-related traffic should be blocked at
        the firewall.</para>

      <para>Servers using <filename>securenets</filename>
        may fail to serve legitimate <acronym>NIS</acronym> clients
        with archaic TCP/IP implementations.  Some of these
        implementations set all host bits to zero when doing
        broadcasts or fail to observe the subnet mask when
        calculating the broadcast address.  While some of these
        problems can be fixed by changing the client configuration,
        other problems may force the retirement of these client
        systems or the abandonment of
        <filename>securenets</filename>.</para>

      <indexterm><primary>TCP Wrapper</primary></indexterm>
      <para>The use of <application>TCP Wrapper</application>
        increases the latency of the <acronym>NIS</acronym> server.
        The additional delay may be long enough to cause timeouts in
        client programs, especially in busy networks with slow
        <acronym>NIS</acronym> servers.  If one or more clients suffer
        from latency, convert those clients into
        <acronym>NIS</acronym> slave servers and force them to bind to
        themselves.</para>

      <sect3>
        <title>Barring Some Users</title>

        <para>In this example, the <systemitem>basie</systemitem>
          system is a faculty workstation within the
          <acronym>NIS</acronym> domain.  The
          <filename>passwd</filename> map on the master
          <acronym>NIS</acronym> server contains accounts for both
          faculty and students.  This section demonstrates how to
          allow faculty logins on this system while refusing student
          logins.</para>

        <para>To prevent specified users from logging on to a system,
          even if they are present in the <acronym>NIS</acronym>
          database, use <command>vipw</command> to add
          <literal>-<replaceable>username</replaceable></literal> with
          the correct number of colons towards the end of
          <filename>/etc/master.passwd</filename> on the client,
          where <replaceable>username</replaceable> is the username of
          a user to bar from logging in.  The line with the blocked
          user must be before the <literal>+</literal> line that
          allows <acronym>NIS</acronym> users.  In this example,
          <systemitem class="username">bill</systemitem> is barred
          from logging on to <systemitem>basie</systemitem>:</para>

        <screen>basie&prompt.root; <userinput>cat /etc/master.passwd</userinput>
root:[password]:0:0::0:0:The super-user:/root:/bin/csh
toor:[password]:0:0::0:0:The other super-user:/root:/bin/sh
daemon:*:1:1::0:0:Owner of many system processes:/root:/sbin/nologin
operator:*:2:5::0:0:System &amp;:/:/sbin/nologin
bin:*:3:7::0:0:Binaries Commands and Source,,,:/:/sbin/nologin
tty:*:4:65533::0:0:Tty Sandbox:/:/sbin/nologin
kmem:*:5:65533::0:0:KMem Sandbox:/:/sbin/nologin
games:*:7:13::0:0:Games pseudo-user:/usr/games:/sbin/nologin
news:*:8:8::0:0:News Subsystem:/:/sbin/nologin
man:*:9:9::0:0:Mister Man Pages:/usr/share/man:/sbin/nologin
bind:*:53:53::0:0:Bind Sandbox:/:/sbin/nologin
uucp:*:66:66::0:0:UUCP pseudo-user:/var/spool/uucppublic:/usr/libexec/uucp/uucico
xten:*:67:67::0:0:X-10 daemon:/usr/local/xten:/sbin/nologin
pop:*:68:6::0:0:Post Office Owner:/nonexistent:/sbin/nologin
nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/sbin/nologin
-bill:::::::::
+:::::::::

basie&prompt.root;</screen>
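        <para>The ordering requirement above (the
          <literal>-<replaceable>username</replaceable></literal> line
          must precede the <literal>+</literal> line), shown as an
          added example that is not &os;'s own password lookup code: a
          Python model that walks a <filename>master.passwd</filename>
          in file order against a constructed stand-in for the
          <acronym>NIS</acronym> <filename>passwd</filename> map, and
          shows that with the two lines reversed
          <systemitem class="username">bill</systemitem> would be
          admitted after all.</para>

```python
"""Resolve a login name through an NIS compat-mode master.passwd.

Added example; not FreeBSD's getpwnam(3) implementation.  It models
only the rule the text states: a '-user' line bars that user, a '+'
line admits everyone present in the NIS passwd map, and entries are
applied in file order with the first match winning.  The NIS map is a
constructed dictionary so the example runs offline.
"""

# Constructed stand-in for the server's passwd map (login name to uid).
NIS_PASSWD_MAP = {"bill": 1001, "alice": 1002}

# Constructed local file in the correct layout from the text: the bar
# comes before the wildcard.
MASTER_PASSWD_CORRECT = """\
root:[password]:0:0::0:0:The super-user:/root:/bin/csh
nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/sbin/nologin
-bill:::::::::
+:::::::::
"""

# Constructed mistaken layout: the wildcard precedes the bar.
MASTER_PASSWD_WRONG_ORDER = """\
root:[password]:0:0::0:0:The super-user:/root:/bin/csh
+:::::::::
-bill:::::::::
"""


def resolve_user(master_passwd, name, nis_map):
    """Return (decision, source) for a login name.

    Possible results: ('allow', 'local'), ('allow', 'nis'),
    ('deny', '-name') for an explicit bar, ('deny', 'no entry').
    """
    for raw in master_passwd.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        login = line.split(":", 1)[0]
        if login == name:
            # A genuine local account always wins.
            return ("allow", "local")
        if login == "-" + name:
            # Explicit bar: the search stops here, so a later '+'
            # line can no longer admit this user.
            return ("deny", "-" + name)
        if login == "+" and name in nis_map:
            # Wildcard inclusion: anyone in the NIS map gets an
            # account on this client.
            return ("allow", "nis")
    return ("deny", "no entry")


def check_bar(master_passwd, barred, nis_map):
    """Return True only if every listed user is actually denied."""
    return all(resolve_user(master_passwd, u, nis_map)[0] == "deny"
               for u in barred)


if __name__ == "__main__":
    for label, text in (("correct", MASTER_PASSWD_CORRECT),
                        ("wrong order", MASTER_PASSWD_WRONG_ORDER)):
        print(label, resolve_user(text, "bill", NIS_PASSWD_MAP))
```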
      </sect3>
    </sect2>

    <sect2 xml:id="network-netgroups">
      <!--
      <sect2info>
        <authorgroup>
          <author>
            <firstname>Udo</firstname>
            <surname>Erdelhoff</surname>
            <contrib>Contributed by </contrib>
          </author>
        </authorgroup>
      </sect2info>
      -->

      <title>Using Netgroups</title>

      <indexterm><primary>netgroups</primary></indexterm>

      <para>Barring specified users from logging on to individual
        systems becomes unscalable on larger networks and quickly
        loses the main benefit of <acronym>NIS</acronym>:
        <emphasis>centralized</emphasis> administration.</para>

      <para>Netgroups were developed to handle large, complex networks
        with hundreds of users and machines.  Their use is comparable
        to &unix; groups, where the main difference is the lack of a
        numeric ID and the ability to define a netgroup by including
        both user accounts and other netgroups.</para>

      <para>To expand on the example used in this chapter, the
        <acronym>NIS</acronym> domain will be extended to add the
        users and systems shown in Tables 28.2 and 28.3:</para>

      <table frame="none" pgwide="1">
        <title>Additional Users</title>

        <tgroup cols="2">
          <thead>
            <row>
              <entry>User Name(s)</entry>
              <entry>Description</entry>
            </row>
          </thead>

          <tbody>
            <row>
              <entry><systemitem class="username">alpha</systemitem>,
                <systemitem class="username">beta</systemitem></entry>
              <entry>IT department employees</entry>
            </row>

            <row>
              <entry><systemitem
                  class="username">charlie</systemitem>, <systemitem
                  class="username">delta</systemitem></entry>
              <entry>IT department apprentices</entry>
            </row>

            <row>
              <entry><systemitem class="username">echo</systemitem>,
                <systemitem class="username">foxtrott</systemitem>,
                <systemitem class="username">golf</systemitem>,
                ...</entry>
              <entry>employees</entry>
            </row>

            <row>
              <entry><systemitem class="username">able</systemitem>,
                <systemitem class="username">baker</systemitem>,
                ...</entry>
              <entry>interns</entry>
            </row>
          </tbody>
        </tgroup>
      </table>

      <table frame="none" pgwide="1">
        <title>Additional Systems</title>

        <tgroup cols="2">
          <thead>
            <row>
              <entry>Machine Name(s)</entry>
              <entry>Description</entry>
            </row>
          </thead>

          <tbody>
            <row>
              <!-- Names taken from "Good Omens" by Neil Gaiman and Terry
                   Pratchett. Many thanks for a brilliant book. -->
              <entry><systemitem>war</systemitem>,
                <systemitem>death</systemitem>,
                <systemitem>famine</systemitem>,
                <systemitem>pollution</systemitem></entry>
              <entry>Only IT employees are allowed to log onto these
                servers.</entry>
            </row>

            <row>
              <!-- gluttony was omitted because it was too fat -->
              <entry><systemitem>pride</systemitem>,
                <systemitem>greed</systemitem>,
                <systemitem>envy</systemitem>,
                <systemitem>wrath</systemitem>,
                <systemitem>lust</systemitem>,
                <systemitem>sloth</systemitem></entry>
              <entry>All members of the IT department are allowed to
                log onto these servers.</entry>
            </row>

            <row>
              <entry><systemitem>one</systemitem>,
                <systemitem>two</systemitem>,
                <systemitem>three</systemitem>,
                <systemitem>four</systemitem>,
                ...</entry>
              <entry>Ordinary workstations used by
                employees.</entry>
            </row>

            <row>
              <entry><systemitem>trashcan</systemitem></entry>
              <entry>A very old machine without any critical data.
                Even interns are allowed to use this system.</entry>
            </row>
          </tbody>
        </tgroup>
      </table>

      <para>When using netgroups to configure this scenario, each user
        is assigned to one or more netgroups and logins are then
        allowed or forbidden for all members of the netgroup.  When
        adding a new machine, login restrictions must be defined for
1958 |
all netgroups. When a new user is added, the account must be |
1958 |
all netgroups. When a new user is added, the account must be |
1959 |
added to one or more netgroups. If the |
1959 |
added to one or more netgroups. If the |
1960 |
<acronym>NIS</acronym> setup is planned carefully, only one |
1960 |
<acronym>NIS</acronym> setup is planned carefully, only one |
1961 |
central configuration file needs modification to grant or deny |
1961 |
central configuration file needs modification to grant or deny |
1962 |
access to machines.</para> |
1962 |
access to machines.</para> |
1963 |
|
1963 |
|
1964 |
<para>The first step is the initialization of the |
1964 |
<para>The first step is the initialization of the |
1965 |
<acronym>NIS</acronym> <literal>netgroup</literal> map. In |
1965 |
<acronym>NIS</acronym> <literal>netgroup</literal> map. In |
1966 |
&os;, this map is not created by default. On the |
1966 |
&os;, this map is not created by default. On the |
1967 |
<acronym>NIS</acronym> master server, use an editor to create |
1967 |
<acronym>NIS</acronym> master server, use an editor to create |
1968 |
a map named <filename>/var/yp/netgroup</filename>.</para> |
1968 |
a map named <filename>/var/yp/netgroup</filename>.</para> |
1969 |
|
1969 |
|
1970 |
<para>This example creates four netgroups to represent IT |
1970 |
<para>This example creates four netgroups to represent IT |
1971 |
employees, IT apprentices, employees, and interns:</para> |
1971 |
employees, IT apprentices, employees, and interns:</para> |
1972 |
|
1972 |
|
1973 |
<programlisting>IT_EMP (,alpha,test-domain) (,beta,test-domain) |
1973 |
<programlisting>IT_EMP (,alpha,test-domain) (,beta,test-domain) |
1974 |
IT_APP (,charlie,test-domain) (,delta,test-domain) |
1974 |
IT_APP (,charlie,test-domain) (,delta,test-domain) |
1975 |
USERS (,echo,test-domain) (,foxtrott,test-domain) \ |
1975 |
USERS (,echo,test-domain) (,foxtrott,test-domain) \ |
1976 |
(,golf,test-domain) |
1976 |
(,golf,test-domain) |
1977 |
INTERNS (,able,test-domain) (,baker,test-domain)</programlisting> |
1977 |
INTERNS (,able,test-domain) (,baker,test-domain)</programlisting> |
1978 |
|
1978 |
|
1979 |
<para>Each entry configures a netgroup. The first column in an |
1979 |
<para>Each entry configures a netgroup. The first column in an |
1980 |
entry is the name of the netgroup. Each set of brackets |
1980 |
entry is the name of the netgroup. Each set of brackets |
1981 |
represents either a group of one or more users or the name of |
1981 |
represents either a group of one or more users or the name of |
1982 |
another netgroup. When specifying a user, the three |
1982 |
another netgroup. When specifying a user, the three |
1983 |
comma-delimited fields inside each group represent:</para> |
1983 |
comma-delimited fields inside each group represent:</para> |
1984 |
|
1984 |
|
1985 |
<orderedlist> |
1985 |
<orderedlist> |
1986 |
<listitem> |
1986 |
<listitem> |
1987 |
<para>The name of the host(s) where the other fields |
1987 |
<para>The name of the host(s) where the other fields |
1988 |
representing the user are valid. If a hostname is not |
1988 |
representing the user are valid. If a hostname is not |
1989 |
specified, the entry is valid on all hosts.</para> |
1989 |
specified, the entry is valid on all hosts.</para> |
1990 |
</listitem> |
1990 |
</listitem> |
1991 |
|
1991 |
|
1992 |
<listitem> |
1992 |
<listitem> |
1993 |
<para>The name of the account that belongs to this |
1993 |
<para>The name of the account that belongs to this |
1994 |
netgroup.</para> |
1994 |
netgroup.</para> |
1995 |
</listitem> |
1995 |
</listitem> |
1996 |
|
1996 |
|
1997 |
<listitem> |
1997 |
<listitem> |
1998 |
<para>The <acronym>NIS</acronym> domain for the account. |
1998 |
<para>The <acronym>NIS</acronym> domain for the account. |
1999 |
Accounts may be imported from other <acronym>NIS</acronym> |
1999 |
Accounts may be imported from other <acronym>NIS</acronym> |
2000 |
domains into a netgroup.</para> |
2000 |
domains into a netgroup.</para> |
2001 |
</listitem> |
2001 |
</listitem> |
2002 |
</orderedlist> |
2002 |
</orderedlist> |
2003 |
|
2003 |
|
2004 |
<para>If a group contains multiple users, separate each user |
2004 |
<para>If a group contains multiple users, separate each user |
2005 |
with whitespace. Additionally, each field may contain |
2005 |
with whitespace. Additionally, each field may contain |
2006 |
wildcards. See &man.netgroup.5; for details.</para> |
2006 |
wildcards. See &man.netgroup.5; for details.</para> |
2007 |
|
2007 |
|
2008 |
<indexterm><primary>netgroups</primary></indexterm> |
2008 |
<indexterm><primary>netgroups</primary></indexterm> |
2009 |
<para>Netgroup names longer than 8 characters should not be |
2009 |
<para>Netgroup names longer than 8 characters should not be |
2010 |
used. The names are case sensitive and using capital letters |
2010 |
used. The names are case sensitive and using capital letters |
2011 |
for netgroup names is an easy way to distinguish between user, |
2011 |
for netgroup names is an easy way to distinguish between user, |
2012 |
machine and netgroup names.</para> |
2012 |
machine and netgroup names.</para> |
2013 |
|
2013 |
|
2014 |
<para>Some non-&os; <acronym>NIS</acronym> clients cannot |
2014 |
<para>Some non-&os; <acronym>NIS</acronym> clients cannot |
2015 |
handle netgroups containing more than 15 entries. This |
2015 |
handle netgroups containing more than 15 entries. This |
2016 |
limit may be circumvented by creating several sub-netgroups |
2016 |
limit may be circumvented by creating several sub-netgroups |
2017 |
with 15 users or fewer and a real netgroup consisting of the |
2017 |
with 15 users or fewer and a real netgroup consisting of the |
2018 |
sub-netgroups, as seen in this example:</para> |
2018 |
sub-netgroups, as seen in this example:</para> |
2019 |
|
2019 |
|
2020 |
<programlisting>BIGGRP1 (,joe1,domain) (,joe2,domain) (,joe3,domain) [...] |
2020 |
<programlisting>BIGGRP1 (,joe1,domain) (,joe2,domain) (,joe3,domain) [...] |
2021 |
BIGGRP2 (,joe16,domain) (,joe17,domain) [...] |
2021 |
BIGGRP2 (,joe16,domain) (,joe17,domain) [...] |
2022 |
BIGGRP3 (,joe31,domain) (,joe32,domain) |
2022 |
BIGGRP3 (,joe31,domain) (,joe32,domain) |
2023 |
BIGGROUP BIGGRP1 BIGGRP2 BIGGRP3</programlisting> |
2023 |
BIGGROUP BIGGRP1 BIGGRP2 BIGGRP3</programlisting> |
2024 |
|
2024 |
|
2025 |
<para>Repeat this process if more than 225 (15 times 15) users |
2025 |
<para>Repeat this process if more than 225 (15 times 15) users |
2026 |
exist within a single netgroup.</para> |
2026 |
exist within a single netgroup.</para> |
2027 |
|
2027 |
|
2028 |
<para>To activate and distribute the new |
2028 |
<para>To activate and distribute the new |
2029 |
<acronym>NIS</acronym> map:</para> |
2029 |
<acronym>NIS</acronym> map:</para> |
2030 |
|
2030 |
|
2031 |
<screen>ellington&prompt.root; <userinput>cd /var/yp</userinput> |
2031 |
<screen>ellington&prompt.root; <userinput>cd /var/yp</userinput> |
2032 |
ellington&prompt.root; <userinput>make</userinput></screen> |
2032 |
ellington&prompt.root; <userinput>make</userinput></screen> |
2033 |
|
2033 |
|
2034 |
<para>This will generate the three <acronym>NIS</acronym> maps |
2034 |
<para>This will generate the three <acronym>NIS</acronym> maps |
2035 |
<filename>netgroup</filename>, |
2035 |
<filename>netgroup</filename>, |
2036 |
<filename>netgroup.byhost</filename> and |
2036 |
<filename>netgroup.byhost</filename> and |
2037 |
<filename>netgroup.byuser</filename>. Use the map key option |
2037 |
<filename>netgroup.byuser</filename>. Use the map key option |
2038 |
of &man.ypcat.1; to check if the new <acronym>NIS</acronym> |
2038 |
of &man.ypcat.1; to check if the new <acronym>NIS</acronym> |
2039 |
maps are available:</para> |
2039 |
maps are available:</para> |
2040 |
|
2040 |
|
2041 |
<screen>ellington&prompt.user; <userinput>ypcat -k netgroup</userinput> |
2041 |
<screen>ellington&prompt.user; <userinput>ypcat -k netgroup</userinput> |
2042 |
ellington&prompt.user; <userinput>ypcat -k netgroup.byhost</userinput> |
2042 |
ellington&prompt.user; <userinput>ypcat -k netgroup.byhost</userinput> |
2043 |
ellington&prompt.user; <userinput>ypcat -k netgroup.byuser</userinput></screen> |
2043 |
ellington&prompt.user; <userinput>ypcat -k netgroup.byuser</userinput></screen> |
2044 |
|
2044 |
|
2045 |
<para>The output of the first command should resemble the |
2045 |
<para>The output of the first command should resemble the |
2046 |
contents of <filename>/var/yp/netgroup</filename>. The second |
2046 |
contents of <filename>/var/yp/netgroup</filename>. The second |
2047 |
command only produces output if host-specific netgroups were |
2047 |
command only produces output if host-specific netgroups were |
2048 |
created. The third command is used to get the list of |
2048 |
created. The third command is used to get the list of |
2049 |
netgroups for a user.</para> |
2049 |
netgroups for a user.</para> |
2050 |
|
2050 |
|
2051 |
<para>To configure a client, use &man.vipw.8; to specify the |
2051 |
<para>To configure a client, use &man.vipw.8; to specify the |
2052 |
name of the netgroup. For example, on the server named |
2052 |
name of the netgroup. For example, on the server named |
2053 |
<systemitem>war</systemitem>, replace this line:</para> |
2053 |
<systemitem>war</systemitem>, replace this line:</para> |
2054 |
|
2054 |
|
2055 |
<programlisting>+:::::::::</programlisting> |
2055 |
<programlisting>+:::::::::</programlisting> |
2056 |
|
2056 |
|
2057 |
<para>with</para> |
2057 |
<para>with</para> |
2058 |
|
2058 |
|
2059 |
<programlisting>+@IT_EMP:::::::::</programlisting> |
2059 |
<programlisting>+@IT_EMP:::::::::</programlisting> |
2060 |
|
2060 |
|
2061 |
<para>This specifies that only the users defined in the netgroup |
2061 |
<para>This specifies that only the users defined in the netgroup |
2062 |
<literal>IT_EMP</literal> will be imported into this system's |
2062 |
<literal>IT_EMP</literal> will be imported into this system's |
2063 |
password database and only those users are allowed to login to |
2063 |
password database and only those users are allowed to login to |
2064 |
this system.</para> |
2064 |
this system.</para> |
2065 |
|
2065 |
|
2066 |
<para>This configuration also applies to the |
2066 |
<para>This configuration also applies to the |
2067 |
<literal>~</literal> function of the shell and all routines |
2067 |
<literal>~</literal> function of the shell and all routines |
2068 |
which convert between user names and numerical user IDs. In |
2068 |
which convert between user names and numerical user IDs. In |
2069 |
other words, |
2069 |
other words, |
2070 |
<command>cd ~<replaceable>user</replaceable></command> will |
2070 |
<command>cd ~<replaceable>user</replaceable></command> will |
2071 |
not work, <command>ls -l</command> will show the numerical ID |
2071 |
not work, <command>ls -l</command> will show the numerical ID |
2072 |
instead of the username, and <command>find . -user joe |
2072 |
instead of the username, and <command>find . -user joe |
2073 |
-print</command> will fail with the message |
2073 |
-print</command> will fail with the message |
2074 |
<errorname>No such user</errorname>. To fix this, import all |
2074 |
<errorname>No such user</errorname>. To fix this, import all |
2075 |
user entries without allowing them to login into the servers. |
2075 |
user entries without allowing them to login into the servers. |
2076 |
This can be achieved by adding an extra line:</para> |
2076 |
This can be achieved by adding an extra line:</para> |
2077 |
|
2077 |
|
2078 |
<programlisting>+:::::::::/sbin/nologin</programlisting> |
2078 |
<programlisting>+:::::::::/sbin/nologin</programlisting> |
2079 |
|
2079 |
|
2080 |
<para>This line configures the client to import all entries but |
2080 |
<para>This line configures the client to import all entries but |
2081 |
to replace the shell in those entries with |
2081 |
to replace the shell in those entries with |
2082 |
<filename>/sbin/nologin</filename>.</para> |
2082 |
<filename>/sbin/nologin</filename>.</para> |
2083 |
|
2083 |
|
2084 |
<!-- Been there, done that, got the scars to prove it - ue --> |
2084 |
<!-- Been there, done that, got the scars to prove it - ue --> |
2085 |
<para>Make sure that extra line is placed |
2085 |
<para>Make sure that extra line is placed |
2086 |
<emphasis>after</emphasis> |
2086 |
<emphasis>after</emphasis> |
2087 |
<literal>+@IT_EMP:::::::::</literal>. Otherwise, all user |
2087 |
<literal>+@IT_EMP:::::::::</literal>. Otherwise, all user |
2088 |
accounts imported from <acronym>NIS</acronym> will have |
2088 |
accounts imported from <acronym>NIS</acronym> will have |
2089 |
<filename>/sbin/nologin</filename> as their login |
2089 |
<filename>/sbin/nologin</filename> as their login |
2090 |
shell and no one will be able to login to the system.</para> |
2090 |
shell and no one will be able to login to the system.</para> |
2091 |
|
2091 |
|
2092 |
<para>To configure the less important servers, replace the old |
2092 |
<para>To configure the less important servers, replace the old |
2093 |
<literal>+:::::::::</literal> on the servers with these |
2093 |
<literal>+:::::::::</literal> on the servers with these |
2094 |
lines:</para> |
2094 |
lines:</para> |
2095 |
|
2095 |
|
2096 |
<programlisting>+@IT_EMP::::::::: |
2096 |
<programlisting>+@IT_EMP::::::::: |
2097 |
+@IT_APP::::::::: |
2097 |
+@IT_APP::::::::: |
2098 |
+:::::::::/sbin/nologin</programlisting> |
2098 |
+:::::::::/sbin/nologin</programlisting> |
2099 |
|
2099 |
|
2100 |
<para>The corresponding lines for the workstations |
2100 |
<para>The corresponding lines for the workstations |
2101 |
would be:</para> |
2101 |
would be:</para> |
2102 |
|
2102 |
|
2103 |
<programlisting>+@IT_EMP::::::::: |
2103 |
<programlisting>+@IT_EMP::::::::: |
2104 |
+@USERS::::::::: |
2104 |
+@USERS::::::::: |
2105 |
+:::::::::/sbin/nologin</programlisting> |
2105 |
+:::::::::/sbin/nologin</programlisting> |
2106 |
|
2106 |
|
2107 |
<para>NIS supports the creation of netgroups from other |
2107 |
<para>NIS supports the creation of netgroups from other |
2108 |
netgroups which can be useful if the policy regarding user |
2108 |
netgroups which can be useful if the policy regarding user |
2109 |
access changes. One possibility is the creation of role-based |
2109 |
access changes. One possibility is the creation of role-based |
2110 |
netgroups. For example, one might create a netgroup called |
2110 |
netgroups. For example, one might create a netgroup called |
2111 |
<literal>BIGSRV</literal> to define the login restrictions for |
2111 |
<literal>BIGSRV</literal> to define the login restrictions for |
2112 |
the important servers, another netgroup called |
2112 |
the important servers, another netgroup called |
2113 |
<literal>SMALLSRV</literal> for the less important servers, |
2113 |
<literal>SMALLSRV</literal> for the less important servers, |
2114 |
and a third netgroup called <literal>USERBOX</literal> for the |
2114 |
and a third netgroup called <literal>USERBOX</literal> for the |
2115 |
workstations. Each of these netgroups contains the netgroups |
2115 |
workstations. Each of these netgroups contains the netgroups |
2116 |
that are allowed to login onto these machines. The new |
2116 |
that are allowed to login onto these machines. The new |
2117 |
entries for the <acronym>NIS</acronym> |
2117 |
entries for the <acronym>NIS</acronym> |
2118 |
<literal>netgroup</literal> map would look like this:</para> |
2118 |
<literal>netgroup</literal> map would look like this:</para> |
2119 |
|
2119 |
|
2120 |
<programlisting>BIGSRV IT_EMP IT_APP |
2120 |
<programlisting>BIGSRV IT_EMP IT_APP |
2121 |
SMALLSRV IT_EMP IT_APP ITINTERN |
2121 |
SMALLSRV IT_EMP IT_APP ITINTERN |
2122 |
USERBOX IT_EMP ITINTERN USERS</programlisting> |
2122 |
USERBOX IT_EMP ITINTERN USERS</programlisting> |
2123 |
|
2123 |
|
2124 |
<para>This method of defining login restrictions works |
2124 |
<para>This method of defining login restrictions works |
2125 |
reasonably well when it is possible to define groups of |
2125 |
reasonably well when it is possible to define groups of |
2126 |
machines with identical restrictions. Unfortunately, this is |
2126 |
machines with identical restrictions. Unfortunately, this is |
2127 |
the exception and not the rule. Most of the time, the ability |
2127 |
the exception and not the rule. Most of the time, the ability |
2128 |
to define login restrictions on a per-machine basis is |
2128 |
to define login restrictions on a per-machine basis is |
2129 |
required.</para> |
2129 |
required.</para> |
2130 |
|
2130 |
|
2131 |
<para>Machine-specific netgroup definitions are another |
2131 |
<para>Machine-specific netgroup definitions are another |
2132 |
possibility to deal with the policy changes. In this |
2132 |
possibility to deal with the policy changes. In this |
2133 |
scenario, the <filename>/etc/master.passwd</filename> of each |
2133 |
scenario, the <filename>/etc/master.passwd</filename> of each |
2134 |
system contains two lines starting with <quote>+</quote>. |
2134 |
system contains two lines starting with <quote>+</quote>. |
2135 |
The first line adds a netgroup with the accounts allowed to |
2135 |
The first line adds a netgroup with the accounts allowed to |
2136 |
login onto this machine and the second line adds all other |
2136 |
login onto this machine and the second line adds all other |
2137 |
accounts with <filename>/sbin/nologin</filename> as shell. It |
2137 |
accounts with <filename>/sbin/nologin</filename> as shell. It |
2138 |
is recommended to use the <quote>ALL-CAPS</quote> version of |
2138 |
is recommended to use the <quote>ALL-CAPS</quote> version of |
2139 |
the hostname as the name of the netgroup:</para> |
2139 |
the hostname as the name of the netgroup:</para> |
2140 |
|
2140 |
|
2141 |
<programlisting>+@<replaceable>BOXNAME</replaceable>::::::::: |
2141 |
<programlisting>+@<replaceable>BOXNAME</replaceable>::::::::: |
2142 |
+:::::::::/sbin/nologin</programlisting> |
2142 |
+:::::::::/sbin/nologin</programlisting> |
2143 |
|
2143 |
|
2144 |
<para>Once this task is completed on all the machines, there is |
2144 |
<para>Once this task is completed on all the machines, there is |
2145 |
no longer a need to modify the local versions of |
2145 |
no longer a need to modify the local versions of |
2146 |
<filename>/etc/master.passwd</filename> ever again. All |
2146 |
<filename>/etc/master.passwd</filename> ever again. All |
2147 |
further changes can be handled by modifying the |
2147 |
further changes can be handled by modifying the |
2148 |
<acronym>NIS</acronym> map. Here is an example of a possible |
2148 |
<acronym>NIS</acronym> map. Here is an example of a possible |
2149 |
<literal>netgroup</literal> map for this scenario:</para> |
2149 |
<literal>netgroup</literal> map for this scenario:</para> |
2150 |
|
2150 |
|
2151 |
<programlisting># Define groups of users first |
2151 |
<programlisting># Define groups of users first |
2152 |
IT_EMP (,alpha,test-domain) (,beta,test-domain) |
2152 |
IT_EMP (,alpha,test-domain) (,beta,test-domain) |
2153 |
IT_APP (,charlie,test-domain) (,delta,test-domain) |
2153 |
IT_APP (,charlie,test-domain) (,delta,test-domain) |
2154 |
DEPT1 (,echo,test-domain) (,foxtrott,test-domain) |
2154 |
DEPT1 (,echo,test-domain) (,foxtrott,test-domain) |
2155 |
DEPT2 (,golf,test-domain) (,hotel,test-domain) |
2155 |
DEPT2 (,golf,test-domain) (,hotel,test-domain) |
2156 |
DEPT3 (,india,test-domain) (,juliet,test-domain) |
2156 |
DEPT3 (,india,test-domain) (,juliet,test-domain) |
2157 |
ITINTERN (,kilo,test-domain) (,lima,test-domain) |
2157 |
ITINTERN (,kilo,test-domain) (,lima,test-domain) |
2158 |
D_INTERNS (,able,test-domain) (,baker,test-domain) |
2158 |
D_INTERNS (,able,test-domain) (,baker,test-domain) |
2159 |
# |
2159 |
# |
2160 |
# Now, define some groups based on roles |
2160 |
# Now, define some groups based on roles |
2161 |
USERS DEPT1 DEPT2 DEPT3 |
2161 |
USERS DEPT1 DEPT2 DEPT3 |
2162 |
BIGSRV IT_EMP IT_APP |
2162 |
BIGSRV IT_EMP IT_APP |
2163 |
SMALLSRV IT_EMP IT_APP ITINTERN |
2163 |
SMALLSRV IT_EMP IT_APP ITINTERN |
2164 |
USERBOX IT_EMP ITINTERN USERS |
2164 |
USERBOX IT_EMP ITINTERN USERS |
2165 |
# |
2165 |
# |
2166 |
# And a groups for a special tasks |
2166 |
# And a groups for a special tasks |
2167 |
# Allow echo and golf to access our anti-virus-machine |
2167 |
# Allow echo and golf to access our anti-virus-machine |
2168 |
SECURITY IT_EMP (,echo,test-domain) (,golf,test-domain) |
2168 |
SECURITY IT_EMP (,echo,test-domain) (,golf,test-domain) |
2169 |
# |
2169 |
# |
2170 |
# machine-based netgroups |
2170 |
# machine-based netgroups |
2171 |
# Our main servers |
2171 |
# Our main servers |
2172 |
WAR BIGSRV |
2172 |
WAR BIGSRV |
2173 |
FAMINE BIGSRV |
2173 |
FAMINE BIGSRV |
2174 |
# User india needs access to this server |
2174 |
# User india needs access to this server |
2175 |
POLLUTION BIGSRV (,india,test-domain) |
2175 |
POLLUTION BIGSRV (,india,test-domain) |
2176 |
# |
2176 |
# |
2177 |
# This one is really important and needs more access restrictions |
2177 |
# This one is really important and needs more access restrictions |
2178 |
DEATH IT_EMP |
2178 |
DEATH IT_EMP |
2179 |
# |
2179 |
# |
2180 |
# The anti-virus-machine mentioned above |
2180 |
# The anti-virus-machine mentioned above |
2181 |
ONE SECURITY |
2181 |
ONE SECURITY |
2182 |
# |
2182 |
# |
2183 |
# Restrict a machine to a single user |
2183 |
# Restrict a machine to a single user |
2184 |
TWO (,hotel,test-domain) |
2184 |
TWO (,hotel,test-domain) |
2185 |
# [...more groups to follow]</programlisting> |
2185 |
# [...more groups to follow]</programlisting> |
2186 |
|
2186 |
|
2187 |
<para>It may not always be advisable |
2187 |
<para>It may not always be advisable |
2188 |
to use machine-based netgroups. When deploying a couple of |
2188 |
to use machine-based netgroups. When deploying a couple of |
2189 |
dozen or hundreds of systems, |
2189 |
dozen or hundreds of systems, |
2190 |
role-based netgroups instead of machine-based netgroups may be |
2190 |
role-based netgroups instead of machine-based netgroups may be |
2191 |
used to keep the size of the <acronym>NIS</acronym> map within |
2191 |
used to keep the size of the <acronym>NIS</acronym> map within |
2192 |
reasonable limits.</para> |
2192 |
reasonable limits.</para> |
2193 |
</sect2> |
2193 |
</sect2> |
2194 |
|
2194 |
|
2195 |
<sect2> |
2195 |
<sect2> |
2196 |
<title>Password Formats</title> |
2196 |
<title>Password Formats</title> |
2197 |
|
2197 |
|
2198 |
<indexterm> |
2198 |
<indexterm> |
2199 |
<primary>NIS</primary> |
2199 |
<primary>NIS</primary> |
2200 |
<secondary>password formats</secondary> |
2200 |
<secondary>password formats</secondary> |
2201 |
</indexterm> |
2201 |
</indexterm> |
2202 |
<para><acronym>NIS</acronym> requires that all hosts within an |
2202 |
<para><acronym>NIS</acronym> requires that all hosts within an |
2203 |
<acronym>NIS</acronym> domain use the same format for |
2203 |
<acronym>NIS</acronym> domain use the same format for |
2204 |
encrypting passwords. If users have trouble authenticating on |
2204 |
encrypting passwords. If users have trouble authenticating on |
2205 |
an <acronym>NIS</acronym> client, it may be due to a differing |
2205 |
an <acronym>NIS</acronym> client, it may be due to a differing |
2206 |
password format. In a heterogeneous network, the format must |
2206 |
password format. In a heterogeneous network, the format must |
2207 |
be supported by all operating systems, where |
2207 |
be supported by all operating systems, where |
2208 |
<acronym>DES</acronym> is the lowest common standard.</para> |
2208 |
<acronym>DES</acronym> is the lowest common standard.</para> |
2209 |
|
2209 |
|
2210 |
<para>To check which format a server or client is using, look |
2210 |
<para>To check which format a server or client is using, look |
2211 |
at this section of |
2211 |
at this section of |
2212 |
<filename>/etc/login.conf</filename>:</para> |
2212 |
<filename>/etc/login.conf</filename>:</para> |
2213 |
|
2213 |
|
2214 |
<programlisting>default:\ |
2214 |
<programlisting>default:\ |
2215 |
:passwd_format=des:\ |
2215 |
:passwd_format=des:\ |
2216 |
:copyright=/etc/COPYRIGHT:\ |
2216 |
:copyright=/etc/COPYRIGHT:\ |
2217 |
[Further entries elided]</programlisting> |
2217 |
[Further entries elided]</programlisting> |
2218 |
|
2218 |
|
2219 |
<para>In this example, the system is using the |
2219 |
<para>In this example, the system is using the |
2220 |
<acronym>DES</acronym> format. Other possible values are |
2220 |
<acronym>DES</acronym> format. Other possible values are |
2221 |
<literal>blf</literal> for Blowfish and <literal>md5</literal> |
2221 |
<literal>blf</literal> for Blowfish and <literal>md5</literal> |
2222 |
for MD5 encrypted passwords.</para> |
2222 |
for MD5 encrypted passwords.</para> |
2223 |
|
2223 |
|
2224 |
<para>If the format on a host needs to be edited to match the |
2224 |
<para>If the format on a host needs to be edited to match the |
2225 |
one being used in the <acronym>NIS</acronym> domain, the |
2225 |
one being used in the <acronym>NIS</acronym> domain, the |
2226 |
login capability database must be rebuilt after saving the |
2226 |
login capability database must be rebuilt after saving the |
2227 |
change:</para> |
2227 |
change:</para> |
2228 |
|
2228 |
|
2229 |
<screen>&prompt.root; <userinput>cap_mkdb /etc/login.conf</userinput></screen> |
2229 |
<screen>&prompt.root; <userinput>cap_mkdb /etc/login.conf</userinput></screen> |
2230 |
|
2230 |
|
2231 |
<note> |
2231 |
<note> |
2232 |
<para>The format of passwords for existing user accounts will |
2232 |
<para>The format of passwords for existing user accounts will |
2233 |
not be updated until each user changes their password |
2233 |
not be updated until each user changes their password |
2234 |
<emphasis>after</emphasis> the login capability database is |
2234 |
<emphasis>after</emphasis> the login capability database is |
2235 |
rebuilt.</para> |
2235 |
rebuilt.</para> |
2236 |
</note> |
2236 |
</note> |
2237 |
</sect2> |
2237 |
</sect2> |
2238 |
</sect1> |
2238 |
</sect1> |
2239 |
|
2239 |
|
2240 |
<sect1 xml:id="network-ldap"> |
2240 |
<sect1 xml:id="network-ldap"> |
2241 |
<info> |
2241 |
<info> |
2242 |
<title>Lightweight Directory Access Protocol |
2242 |
<title>Lightweight Directory Access Protocol |
2243 |
(<acronym>LDAP</acronym>)</title> |
2243 |
(<acronym>LDAP</acronym>)</title> |
2244 |
|
2244 |
|
2245 |
<authorgroup> |
2245 |
<authorgroup> |
2246 |
<author> |
2246 |
<author> |
2247 |
<personname> |
2247 |
<personname> |
|
|
2248 |
<firstname>Rocky</firstname> |
2249 |
<surname>Hotas</surname> |
2250 |
</personname> |
2251 |
<contrib>Updated and restructured by </contrib> |
2252 |
</author> |
2253 |
</authorgroup> |
2254 |
|
2255 |
<authorgroup> |
2256 |
<author> |
2257 |
<personname> |
2248 |
<firstname>Tom</firstname> |
2258 |
<firstname>Tom</firstname> |
2249 |
<surname>Rhodes</surname> |
2259 |
<surname>Rhodes</surname> |
2250 |
</personname> |
2260 |
</personname> |
2251 |
<contrib>Written by </contrib> |
2261 |
<contrib>Originally contributed by </contrib> |
2252 |
</author> |
2262 |
</author> |
2253 |
</authorgroup> |
2263 |
</authorgroup> |
|
|
2264 |
|
2254 |
</info> |
2265 |
</info> |
2255 |
|
2266 |
|
2256 |
<indexterm><primary>LDAP</primary></indexterm> |
2267 |
<indexterm><primary>LDAP</primary></indexterm> |
2257 |
|
2268 |
|
2258 |
<para>The Lightweight Directory Access Protocol |
2269 |
<para>The Lightweight Directory Access Protocol |
2259 |
(<acronym>LDAP</acronym>) is an application layer protocol used |
2270 |
(<acronym>LDAP</acronym>) is an application layer protocol used |
2260 |
to access, modify, and authenticate objects using a distributed |
2271 |
to access, modify, and authenticate objects using a distributed |
2261 |
directory information service. Think of it as a phone or record |
2272 |
directory information service. Think of it as a phone or record |
2262 |
book which stores several levels of hierarchical, homogeneous |
2273 |
book which stores several levels of hierarchical, homogeneous |
2263 |
information. It is used in Active Directory and |
2274 |
information. It is used in Active Directory and |
2264 |
<application>OpenLDAP</application> networks and allows users to |
2275 |
<application>OpenLDAP</application> networks and allows users to |
2265 |
access to several levels of internal information utilizing a |
2276 |
access to several levels of internal information utilizing a |
2266 |
single account. For example, email authentication, pulling |
2277 |
single account. For example, email authentication, pulling |
2267 |
employee contact information, and internal website |
2278 |
employee contact information, and internal website |
2268 |
authentication might all make use of a single user account in |
2279 |
authentication might all make use of a single user account in |
2269 |
the <acronym>LDAP</acronym> server's record base.</para> |
2280 |
the <acronym>LDAP</acronym> server's record base.</para> |
2270 |
|
2281 |
|
2271 |
<para>This section provides a quick start guide for configuring an |
2282 |
<para>This section provides a quick start guide for configuring an |
2272 |
<acronym>LDAP</acronym> server on a &os; system. It assumes |
2283 |
<acronym>LDAP</acronym> server on a &os; system. It assumes |
2273 |
that the administrator already has a design plan which includes |
2284 |
that the administrator already has a design plan which includes |
2274 |
the type of information to store, what that information will be |
2285 |
the type of information to store, what that information will be |
2275 |
used for, which users should have access to that information, |
2286 |
used for, which users should have access to that information, |
2276 |
and how to secure this information from unauthorized |
2287 |
and how to secure this information from unauthorized |
2277 |
access.</para> |
2288 |
access.</para> |
2278 |
|
2289 |
|
2279 |
<sect2> |
2290 |
<sect2> |
2280 |
<title><acronym>LDAP</acronym> Terminology and Structure</title> |
2291 |
<title><acronym>LDAP</acronym> Terminology and Structure</title> |
2281 |
|
2292 |
|
2282 |
<para><acronym>LDAP</acronym> uses several terms which should be |
2293 |
<para><acronym>LDAP</acronym> uses several terms which should be |
2283 |
understood before starting the configuration. All directory |
2294 |
understood before starting the configuration. All directory |
2284 |
entries consist of a group of |
2295 |
entries consist of a group of |
2285 |
<firstterm>attributes</firstterm>. Each of these attribute |
2296 |
<firstterm>attributes</firstterm>. Each of these attribute |
2286 |
sets contains a unique identifier known as a |
2297 |
sets contains a unique identifier known as a |
2287 |
<firstterm>Distinguished Name</firstterm> |
2298 |
<firstterm>Distinguished Name</firstterm> |
2288 |
(<acronym>DN</acronym>) which is normally built from several |
2299 |
(<acronym>DN</acronym>) which is normally built from several |
2289 |
other attributes such as the common or |
2300 |
other attributes such as the common or |
2290 |
<firstterm>Relative Distinguished Name</firstterm> |
2301 |
<firstterm>Relative Distinguished Name</firstterm> |
2291 |
(<acronym>RDN</acronym>). Similar to how directories have |
2302 |
(<acronym>RDN</acronym>). Similar to how directories have |
2292 |
absolute and relative paths, consider a <acronym>DN</acronym> |
2303 |
absolute and relative paths, consider a <acronym>DN</acronym> |
2293 |
as an absolute path and the <acronym>RDN</acronym> as the |
2304 |
as an absolute path and the <acronym>RDN</acronym> as the |
2294 |
relative path.</para> |
2305 |
relative path.</para> |
2295 |
|
2306 |
|
2296 |
<para>An example <acronym>LDAP</acronym> entry looks like the |
2307 |
<para>An example <acronym>LDAP</acronym> entry looks like the |
2297 |
following. This example searches for the entry for the |
2308 |
following. This example searches for the entry for the |
2298 |
specified user account (<literal>uid</literal>), |
2309 |
specified user account (<literal>uid</literal>), |
2299 |
organizational unit (<literal>ou</literal>), and organization |
2310 |
organizational unit (<literal>ou</literal>), and organization |
2300 |
(<literal>o</literal>):</para> |
2311 |
(<literal>o</literal>):</para> |
2301 |
|
2312 |
|
2302 |
<screen>&prompt.user; <userinput>ldapsearch -xb "uid=<replaceable>trhodes</replaceable>,ou=<replaceable>users</replaceable>,o=<replaceable>example.com</replaceable>"</userinput> |
2313 |
<screen>&prompt.user; <userinput>ldapsearch -xb "uid=<replaceable>trhodes</replaceable>,ou=<replaceable>users</replaceable>,o=<replaceable>example.com</replaceable>"</userinput> |
2303 |
# extended LDIF |
2314 |
# extended LDIF |
2304 |
# |
2315 |
# |
2305 |
# LDAPv3 |
2316 |
# LDAPv3 |
2306 |
# base <uid=trhodes,ou=users,o=example.com> with scope subtree |
2317 |
# base <uid=trhodes,ou=users,o=example.com> with scope subtree |
2307 |
# filter: (objectclass=*) |
2318 |
# filter: (objectclass=*) |
2308 |
# requesting: ALL |
2319 |
# requesting: ALL |
2309 |
# |
2320 |
# |
2310 |
|
2321 |
|
2311 |
# trhodes, users, example.com |
2322 |
# trhodes, users, example.com |
2312 |
dn: uid=trhodes,ou=users,o=example.com |
2323 |
dn: uid=trhodes,ou=users,o=example.com |
2313 |
mail: trhodes@example.com |
2324 |
mail: trhodes@example.com |
2314 |
cn: Tom Rhodes |
2325 |
cn: Tom Rhodes |
2315 |
uid: trhodes |
2326 |
uid: trhodes |
2316 |
telephoneNumber: (123) 456-7890 |
2327 |
telephoneNumber: (123) 456-7890 |
2317 |
|
2328 |
|
2318 |
# search result |
2329 |
# search result |
2319 |
search: 2 |
2330 |
search: 2 |
2320 |
result: 0 Success |
2331 |
result: 0 Success |
2321 |
|
2332 |
|
2322 |
# numResponses: 2 |
2333 |
# numResponses: 2 |
2323 |
# numEntries: 1</screen> |
2334 |
# numEntries: 1</screen> |
2324 |
|
2335 |
|
2325 |
<para>This example entry shows the values for the |
2336 |
<para>This example entry shows the values for the |
2326 |
<literal>dn</literal>, <literal>mail</literal>, |
2337 |
<literal>dn</literal>, <literal>mail</literal>, |
2327 |
<literal>cn</literal>, <literal>uid</literal>, and |
2338 |
<literal>cn</literal>, <literal>uid</literal>, and |
2328 |
<literal>telephoneNumber</literal> attributes. The |
2339 |
<literal>telephoneNumber</literal> attributes. The |
2329 |
<acronym>cn</acronym> attribute is the |
2340 |
<acronym>cn</acronym> attribute is the |
2330 |
<acronym>RDN</acronym>.</para> |
2341 |
<acronym>RDN</acronym>.</para> |
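Review bot: the sentence "The cn attribute is the RDN" (2329-2330 / 2340-2341) contradicts the entry shown just above it: for dn: uid=trhodes,ou=users,o=example.com the RDN is the leftmost component, uid=trhodes, and cn is an ordinary attribute of the entry. Suggest "The uid attribute forms the RDN". This is unchanged context, so it can go in as a follow-up if you prefer to keep this change focused.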
2331 |
|
2342 |
|
2332 |
<para>More information about <acronym>LDAP</acronym> and its |
2343 |
<para>More information about <acronym>LDAP</acronym> and its |
2333 |
terminology can be found at <uri |
2344 |
terminology can be found at <uri |
2334 |
xlink:href="http://www.openldap.org/doc/admin24/intro.html">http://www.openldap.org/doc/admin24/intro.html</uri>.</para> |
2345 |
xlink:href="http://www.openldap.org/doc/admin24/intro.html" |
|
|
2346 |
>http://www.openldap.org/doc/admin24/intro.html</uri> |
2347 |
.</para> |
2335 |
</sect2> |
2348 |
</sect2> |
2336 |
|
2349 |
|
2337 |
<sect2 xml:id="ldap-config"> |
2350 |
<sect2 xml:id="ldap-config"> |
2338 |
<title>Configuring an <acronym>LDAP</acronym> Server</title> |
2351 |
<title>Configuring an <acronym>LDAP</acronym> Server</title> |
2339 |
|
2352 |
|
2340 |
<indexterm><primary>LDAP Server</primary></indexterm> |
2353 |
<indexterm><primary>LDAP Server</primary></indexterm> |
2341 |
|
2354 |
|
2342 |
<para>&os; does not provide a built-in <acronym>LDAP</acronym> |
2355 |
<para>&os; does not provide a built-in <acronym>LDAP</acronym> |
2343 |
server. Begin the configuration by installing the <package |
2356 |
server. Begin the configuration by installing the <package |
2344 |
role="port">net/openldap24-server</package> package or port. |
2357 |
role="port">net/openldap24-server</package> package or |
2345 |
Since the port has many configurable options, it is |
2358 |
port. Be sure to run all the commands listed from now on |
2346 |
recommended that the default options are reviewed to see if |
2359 |
being <systemitem class="username">root</systemitem>. This |
2347 |
the package is sufficient, and to instead compile the port if |
2360 |
|
2348 |
any options should be changed. In most cases, the defaults |
2361 |
<screen>&prompt.root; <userinput>pkg install openldap24-server</userinput></screen> |
2349 |
are fine. However, if SQL support is needed, this option must |
2362 |
|
2350 |
be enabled and the port compiled using the instructions in |
2363 |
installs the needed <emphasis>package</emphasis>, which is a |
2351 |
<xref linkend="ports-using"/>.</para> |
2364 |
particular kind of <emphasis>port</emphasis>: |
|
|
2365 |
the one with all options set to default. |
2366 |
In most cases, the defaults are fine and so the package is |
2367 |
too. But if for example SQL support is needed, |
2368 |
the relative option must be enabled and the port compiled |
2369 |
using the instructions in <xref linkend="ports-using"/>. |
2370 |
There are many other configurable options, so it is |
2371 |
recommended that the defaults are reviewed to see if |
2372 |
the <emphasis>package</emphasis> is sufficient, and to |
2373 |
instead compile the <emphasis>port</emphasis> if |
2374 |
any options should be changed.</para> |
2352 |
|
2375 |
|
2353 |
<para>Next, create the directories to hold the data and to store |
2376 |
<para>If the directories to store the data and certificates do |
2354 |
the certificates:</para> |
2377 |
not exist already, create them:</para> |
2355 |
|
2378 |
|
2356 |
<screen>&prompt.root; <userinput>mkdir /var/db/openldap-data</userinput> |
2379 |
<screen>&prompt.root; <userinput>mkdir /var/db/openldap-data</userinput> |
2357 |
&prompt.root; <userinput>mkdir /usr/local/etc/openldap/private</userinput></screen> |
2380 |
&prompt.root; <userinput>mkdir /usr/local/etc/openldap/private</userinput></screen> |
2358 |
|
2381 |
|
2359 |
<para>Copy over the database configuration file:</para> |
2382 |
<para>The database configuration file is</para> |
|
|
2383 |
|
2384 |
<screen>/usr/local/etc/openldap/DB_CONFIG.example</screen> |
2385 |
|
2386 |
<para>If this file is not present after the installation of |
2387 |
<package role="port">net/openldap24-server</package>, it is |
2388 |
available for download <link |
2389 |
xlink:href="http://wpollock.com/AUnixNet/LDAP/lister.php?file=DB_CONFIG.example&linenums&dl"> |
2390 |
here</link> (this is not the only suitable copy of this |
2391 |
file on the internet: other identical ones can be found |
2392 |
through a search engine, if this link is not available). |
2393 |
Further information about this file and its parameters can |
2394 |
be found in the <link xlink:href= |
2395 |
"http://www.openldap.org/faq/data/cache/1072.html"> |
2396 |
OpenLDAP FAQs</link>.</para> |
2397 |
|
2398 |
<para>Once downloaded, use the database configuration file in |
2399 |
an appropriate directory:</para> |
2360 |
|
2400 |
|
2361 |
<screen>&prompt.root; <userinput>cp /usr/local/etc/openldap/DB_CONFIG.example /var/db/openldap-data/DB_CONFIG</userinput></screen> |
2401 |
<screen>&prompt.root; <userinput>cp /usr/local/etc/openldap/DB_CONFIG.example /var/db/openldap-data/DB_CONFIG</userinput></screen> |
2362 |
|
2402 |
|
2363 |
<para>The next phase is to configure the certificate authority. |
2403 |
<para>When dealing with a brand new configuration, being not |
2364 |
The following commands must be executed from |
2404 |
in a big company or infrastructure who can buy or own |
2365 |
<filename>/usr/local/etc/openldap/private</filename>. This is |
2405 |
several Certificate Authorities, the cheapest and easiest |
2366 |
important as the file permissions need to be restrictive and |
2406 |
thing to do is to create a free, brand new Certificate |
2367 |
users should not have access to these files. To create the |
2407 |
Authority. It is a self-signed certificate, which will be |
2368 |
certificate authority, start with this command and follow the |
2408 |
the root, invisibile certificate that will be use to sign |
2369 |
prompts:</para> |
2409 |
all the other ones. Further information about this |
|
|
2410 |
procedure can be found in &man.openssl.1;, <link xlink:href= |
2411 |
"https://www.freebsd.org/cgi/man.cgi?query=req&manpath=FreeBSD+11.0-RELEASE+and+Ports"> |
2412 |
req(1)</link> and in the <link xlink:href= |
2413 |
"http://www.openldap.org/doc/admin24/tls.html">OpenLDAP |
2414 |
2.4 Administrator's Guide</link>. The following commands |
2415 |
must be executed from |
2416 |
<filename>/usr/local/etc/openldap/private</filename>. This |
2417 |
is important as the file permissions need to be restrictive |
2418 |
and users should not have access to these files. Here, |
2419 |
&man.openssl.1; will be used to create the Certificate |
2420 |
Authority, with the syntax shown below.</para> |
2421 |
|
2422 |
<para>Several questions must be answered to and |
2423 |
&man.openssl.1; will gather specific information to embed in |
2424 |
the certificate. As regards the OpenLDAP server |
2425 |
installation, <emphasis>all but one</emphasis> of these |
2426 |
questions are irrelevant. The only important question is |
2427 |
the one about the <literal>Common Name</literal>. All the |
2428 |
other answers may even be arbitrarily chosen or left empty. |
2429 |
Instead,</para> |
2430 |
|
2431 |
<important> |
2432 |
<para>The <literal>Common Name</literal> should be |
2433 |
<emphasis>carefully</emphasis> chosen: for the Certificate |
2434 |
Authority, it should be a name that will be never used |
2435 |
again.</para> |
2436 |
</important> |
2437 |
|
2438 |
<para>In this example, <literal>CAdomain.example</literal> |
2439 |
will be used. Another <literal>Common Name</literal> can be |
2440 |
freely, arbitrarily chosen: the only important issue is that |
2441 |
all the next certificates, that will be created and |
2442 |
<emphasis>signed</emphasis> with this one, must have a |
2443 |
different <literal>Common Name</literal>.</para> |
2370 |
|
2444 |
|
2371 |
<screen>&prompt.root; <userinput>openssl req -days <replaceable>365</replaceable> -nodes -new -x509 -keyout ca.key -out ../ca.crt</userinput></screen> |
2445 |
<screen>&prompt.root; <userinput>openssl req -days <replaceable>365</replaceable> -nodes -new -x509 -keyout ca.key -out ../ca.crt</userinput></screen> |
2372 |
|
2446 |
|
2373 |
<para>The entries for the prompts may be generic |
2447 |
<para>With this command, a Certificate Authority called |
2374 |
<emphasis>except</emphasis> for the |
2448 |
<filename>ca.crt</filename> is created in <filename> |
2375 |
<literal>Common Name</literal>. This entry must be |
2449 |
/usr/local/etc/openldap</filename> and its private key |
2376 |
<emphasis>different</emphasis> than the system hostname. If |
2450 |
<filename>ca.key</filename> is placed in |
2377 |
this will be a self signed certificate, prefix the hostname |
2451 |
<filename>/usr/local/etc/openldap/private</filename>.</para> |
2378 |
with <literal>CA</literal> for certificate authority.</para> |
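Review bot: the paragraph at 2415-2418 says these files must have restrictive permissions, but nothing in the procedure sets them: the mkdir at 2379-2380 creates /usr/local/etc/openldap/private with whatever the current umask allows, and `openssl req ... -nodes ... -keyout ca.key` writes an unencrypted CA private key with the same default mode. Suggest adding `chmod 700 /usr/local/etc/openldap/private` right after the mkdir (or `umask 077` before the openssl commands), and for the CA key specifically dropping -nodes so that the key which signs every other certificate is passphrase-protected; only server.key needs to be unencrypted so that slapd can start unattended. Typos in the same paragraph: "invisibile" and "will be use to sign" at 2408, "must be answered to and" at 2422.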
2452 |
|
2379 |
|
2453 |
<para>A certificate (and a private key) for the |
2380 |
<para>The next task is to create a certificate signing request |
2454 |
<acronym>LDAP</acronym> server is now needed: it will be |
2381 |
and a private key. Input this command and follow the |
2455 |
initially called a "Certificate Signing Request"; then, |
2382 |
prompts:</para> |
2456 |
after being signed with the Certificate Authority, it will |
|
|
2457 |
actually be a certificate. Only the <literal>Common |
2458 |
Name</literal> attribute is important here like before: if |
2459 |
for the Certificate Authority |
2460 |
<filename>CAdomain.example</filename> was chosen, now the |
2461 |
full hostname of the server <systemitem class="systemname"> |
2462 |
domain.example</systemitem> can be used. This is a |
2463 |
trivial way to choose two different <literal>Common |
2464 |
Name</literal>s without effort.</para> |
2383 |
|
2465 |
|
2384 |
<screen>&prompt.root; <userinput>openssl req -days <replaceable>365</replaceable> -nodes -new -keyout server.key -out server.csr</userinput></screen> |
2466 |
<screen>&prompt.root; <userinput>openssl req -days <replaceable>365</replaceable> -nodes -new -keyout server.key -out server.csr</userinput></screen> |
2385 |
|
2467 |
|
2386 |
<para>During the certificate generation process, be sure to |
2468 |
<para>This Certificate Signing Request must be signed with the |
2387 |
correctly set the <literal>Common Name</literal> attribute. |
2469 |
Certificate Authority in order to be used as a valid |
2388 |
Once complete, sign the key:</para> |
2470 |
certificate:</para> |
2389 |
|
2471 |
|
2390 |
<screen>&prompt.root; <userinput>openssl x509 -req -days <replaceable>365</replaceable> -in server.csr -out ../server.crt -CA ../ca.crt -CAkey ca.key -CAcreateserial</userinput></screen> |
2472 |
<screen>&prompt.root; <userinput>openssl x509 -req -days <replaceable>365</replaceable> -in server.csr -out ../server.crt -CA ../ca.crt -CAkey ca.key -CAcreateserial</userinput></screen> |
2391 |
|
2473 |
|
2392 |
<para>The final part of the certificate generation process is to |
2474 |
<para>In <filename>/usr/local/etc/openldap</filename> a file |
2393 |
generate and sign the client certificates:</para> |
2475 |
called <filename>server.crt</filename> has been created |
|
|
2476 |
and it will be the server certificate: it is trusted |
2477 |
because it is signed with the Certificate Authority. |
2478 |
It is now possible to create even the <emphasis> |
2479 |
client</emphasis> Certificate Signing Request and to sign |
2480 |
it with the same Certificate Authority as before (only this |
2481 |
way also the client certificate will be trusted). |
2482 |
If the client and the server are the same machine, the same |
2483 |
<literal>Common Name</literal> as for |
2484 |
<filename>server.csr</filename> must be used. Otherwise, |
2485 |
whatever name can be chosen, as far as it is different from |
2486 |
the Certificate Authority <literal>Common Name</literal> |
2487 |
<filename>CAdomain.example</filename>.</para> |
2394 |
|
2488 |
|
2395 |
<screen>&prompt.root; <userinput>openssl req -days <replaceable>365</replaceable> -nodes -new -keyout client.key -out client.csr</userinput> |
2489 |
<screen>&prompt.root; <userinput>openssl req -days <replaceable>365</replaceable> -nodes -new -keyout client.key -out client.csr</userinput> |
2396 |
&prompt.root; <userinput>openssl x509 -req -days 3650 -in client.csr -out ../client.crt -CA ../ca.crt -CAkey ca.key</userinput></screen> |
2490 |
&prompt.root; <userinput>openssl x509 -req -days <replaceable>365</replaceable> -in client.csr -out ../client.crt -CA ../ca.crt -CAkey ca.key</userinput></screen> |
2397 |
|
2491 |
|
2398 |
<para>Remember to use the same <literal>Common Name</literal> |
2492 |
<para>When finished, be sure that eight new files have been |
2399 |
attribute when prompted. When finished, ensure that a total |
2493 |
created: the certificates <filename>ca.crt</filename>, |
2400 |
of eight (8) new files have been generated through the |
2494 |
<filename>server.crt</filename> and |
2401 |
proceeding commands. If so, the next step is to edit |
2495 |
<filename>client.crt</filename> in |
2402 |
<filename>/usr/local/etc/openldap/slapd.conf</filename> and |
2496 |
<filename>/usr/local/etc/openldap</filename> and |
2403 |
add the following options:</para> |
2497 |
<filename>ca.key</filename>, |
2404 |
|
2498 |
<filename>client.csr</filename>, |
2405 |
<programlisting>TLSCipherSuite HIGH:MEDIUM:+SSLv3 |
2499 |
<filename>client.key</filename>, |
2406 |
TLSCertificateFile /usr/local/etc/openldap/server.crt |
2500 |
<filename>server.csr</filename>, |
2407 |
TLSCertificateKeyFile /usr/local/etc/openldap/private/server.key |
2501 |
<filename>server.key</filename> in |
2408 |
TLSCACertificateFile /usr/local/etc/openldap/ca.crt</programlisting> |
2502 |
<filename>/usr/local/etc/openldap/private</filename>.</para> |
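Review bot: the count of "eight new files" at 2492-2502 misses ca.srl, which `-CAcreateserial` in the server signing command (2472) writes next to ca.crt in /usr/local/etc/openldap and which the client signing command then reuses; either list it or make it nine. The paragraph at 2482-2487 covers a client on a different machine but does not say what happens to the result: client.crt, client.key and ca.crt have to be copied to that machine, and client.key (and client.csr) removed from the server's private directory afterwards, otherwise a client credential stays permanently on the server.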
2409 |
|
2503 |
|
2410 |
<para>Then, edit |
2504 |
<para>The daemon running the OpenLDAP server is called |
2411 |
<filename>/usr/local/etc/openldap/ldap.conf</filename> and add |
2505 |
<filename>slapd</filename> and it must be configured. |
2412 |
the following lines:</para> |
2506 |
Such a configuration can be performed in two ways: through a |
2413 |
|
2507 |
<filename>slapd.conf</filename> configuration file, or |
2414 |
<programlisting>TLS_CACERT /usr/local/etc/openldap/ca.crt |
2508 |
through a database file <filename>slapd.ldif</filename>. |
2415 |
TLS_CIPHER_SUITE HIGH:MEDIUM:+SSLv3</programlisting> |
2509 |
The former way is deprecated by OpenLDAP:</para> |
2416 |
|
2510 |
|
2417 |
<para>While editing this file, uncomment the following entries |
2511 |
<tip> |
2418 |
and set them to the desired values: <option>BASE</option>, |
2512 |
<para>The use of <filename>slapd.ldif</filename> is |
2419 |
<option>URI</option>, <option>SIZELIMIT</option> and |
2513 |
strongly recommended.</para> |
2420 |
<option>TIMELIMIT</option>. Set the <option>URI</option> to |
2514 |
</tip> |
2421 |
contain <option>ldap://</option> and |
2515 |
|
2422 |
<option>ldaps://</option>. Then, add two entries pointing to |
2516 |
<para>The structure of this file is not trivial. A |
2423 |
the certificate authority. When finished, the entries should |
2517 |
configuration example can be found <link xlink:href= |
2424 |
look similar to the following:</para> |
2518 |
"http://www.openldap.org/doc/admin24/slapdconf2.html"> |
2425 |
|
2519 |
here</link>, in paragraph 5.3. The directory |
2426 |
<programlisting>BASE dc=example,dc=com |
2520 |
<filename>/usr/local/etc/openldap</filename> contains a file |
2427 |
URI ldap:// ldaps:// |
2521 |
named <filename>slapd.ldif.sample</filename> in order to |
2428 |
|
2522 |
ease the configuration. |
2429 |
SIZELIMIT 12 |
2523 |
A full example of the <filename>slapd.ldif</filename> will |
2430 |
TIMELIMIT 15 |
2524 |
be provided below, with some comments. The file is composed |
2431 |
|
2525 |
by several parts: each of them is uniquely identified |
2432 |
TLS_CACERT /usr/local/etc/openldap/ca.crt |
2526 |
through a <literal>dn:</literal> (Distinguished Name). The |
2433 |
TLS_CIPHER_SUITE HIGH:MEDIUM:+SSLv3</programlisting> |
2527 |
first one is the <emphasis>global configuration</emphasis> |
2434 |
|
2528 |
entry. Be sure that no blank lines are between the |
2435 |
<para>The default password for the server should then be |
2529 |
<literal>dn:</literal> statement and the desired end of the |
2436 |
changed:</para> |
2530 |
section, otherwise an error will be generated. |
2437 |
|
2531 |
In the global section, options regarding the execution of |
2438 |
<screen>&prompt.root; <userinput>slappasswd -h "{SHA}" >> /usr/local/etc/openldap/slapd.conf</userinput></screen> |
2532 |
<filename>slapd</filename> and security can be specified. |
2439 |
|
2533 |
The statements are generally the same as in <filename>slapd.conf |
2440 |
<para>This command will prompt for the password and, if the |
2534 |
</filename>, but preceded by "<literal>olc</literal>". |
2441 |
process does not fail, a password hash will be added to the |
2535 |
The beginning of the <filename>slapd.ldif</filename> |
2442 |
end of <filename>slapd.conf</filename>. Several hashing |
2536 |
configuration file is reported here: in |
2443 |
formats are supported. Refer to the manual page for |
2537 |
this section, the certificate file, its key, and the |
2444 |
<command>slappasswd</command> for more information.</para> |
2538 |
Certificate Authority file should be specified, if a secure |
2445 |
|
2539 |
connection for communications is required. In this example, |
2446 |
<para>Next, edit |
2540 |
TLS will be used to implement a secure channel. All the |
2447 |
<filename>/usr/local/etc/openldap/slapd.conf</filename> and |
2541 |
following options (and more) are documented in |
2448 |
add the following lines:</para> |
2542 |
<link xlink:href="https://www.freebsd.org/cgi/man.cgi?query=slapd-config&manpath=FreeBSD+11.0-RELEASE+and+Ports"> |
2449 |
|
2543 |
slapd-config(5)</link>, which is recommended |
2450 |
<programlisting>password-hash {sha} |
2544 |
to be consulted during configuration. |
2451 |
allow bind_v2</programlisting> |
2545 |
The following file is intended to work with the |
2452 |
|
2546 |
suggested TLS configuration.</para> |
2453 |
<para>The <option>suffix</option> in this file must be updated |
2547 |
|
2454 |
to match the <option>BASE</option> used in |
2548 |
<programlisting># |
2455 |
<filename>/usr/local/etc/openldap/ldap.conf</filename> and |
2549 |
# See slapd-config(5) for details on configuration options. |
2456 |
<option>rootdn</option> should also be set. A recommended |
2550 |
# This file should NOT be world readable. |
2457 |
value for <option>rootdn</option> is something like |
|
|
2458 |
<option>cn=Manager</option>. Before saving this file, place |
2459 |
the <option>rootpw</option> in front of the password output |
2460 |
from <command>slappasswd</command> and delete the old |
2461 |
<option>rootpw</option>. The end result should |
2462 |
look similar to this:</para> |
2463 |
|
2464 |
<programlisting>TLSCipherSuite HIGH:MEDIUM:+SSLv3 |
2465 |
TLSCertificateFile /usr/local/etc/openldap/server.crt |
2466 |
TLSCertificateKeyFile /usr/local/etc/openldap/private/server.key |
2467 |
TLSCACertificateFile /usr/local/etc/openldap/ca.crt |
2468 |
rootpw {SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=</programlisting> |
2469 |
|
2470 |
<para>Finally, enable the <application>OpenLDAP</application> |
2471 |
service in <filename>/etc/rc.conf</filename> and set the |
2472 |
<acronym>URI</acronym>:</para> |
2473 |
|
2474 |
<programlisting>slapd_enable="YES" |
2475 |
slapd_flags="-4 -h ldaps:///"</programlisting> |
2476 |
|
2477 |
<para>At this point the server can be started and tested:</para> |
2478 |
|
2479 |
<screen>&prompt.root; <userinput>service slapd start</userinput></screen> |
2480 |
|
2481 |
<para>If everything is configured correctly, a search of the |
2482 |
directory should show a successful connection with a single |
2483 |
response as in this example:</para> |
2484 |
|
2485 |
<screen>&prompt.root; <userinput>ldapsearch -Z</userinput> |
2486 |
# extended LDIF |
2487 |
# |
2551 |
# |
2488 |
# LDAPv3 |
2552 |
dn: cn=config |
2489 |
# base <dc=example,dc=com> (default) with scope subtree |
2553 |
objectClass: olcGlobal |
2490 |
# filter: (objectclass=*) |
2554 |
cn: config |
2491 |
# requesting: ALL |
2555 |
# |
|
|
2556 |
# |
2557 |
# Define global ACLs to disable default read access. |
2492 |
# |
2558 |
# |
|
|
2559 |
olcArgsFile: /var/run/openldap/slapd.args |
2560 |
olcPidFile: /var/run/openldap/slapd.pid |
2561 |
olcTLSCertificateFile: /usr/local/etc/openldap/server.crt <co xml:id="server-certificate"/> |
2562 |
olcTLSCertificateKeyFile: /usr/local/etc/openldap/private/server.key <co xml:id="server-key"/> |
2563 |
olcTLSCACertificateFile: /usr/local/etc/openldap/ca.crt <co xml:id="ca"/> |
2564 |
#olcTLSCipherSuite: HIGH:MEDIUM:+SSLv3 <co xml:id="cipher-suite"/> |
2565 |
olcTLSProtocolMin: 3.1 <co xml:id="protocol-min"/> |
2566 |
olcTLSVerifyClient: never <co xml:id="verify-client"/></programlisting> |
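Review bot: `olcTLSProtocolMin: 3.1` at 2565 only rules out SSLv3, while the callout text argues from SSLv3 being deprecated; TLS 1.0 (3.1) and TLS 1.1 (3.2) are deprecated as well, so the recommended value should be 3.3 (TLS 1.2), lowered only when a specific client is known to need an older version. Also, with `olcTLSVerifyClient: never` at 2566 the server never asks for or checks a client certificate, so the client.csr/client.crt steps at 2489-2490 have no effect on this configuration; either say that the client certificate is for use in a later section, or set `olcTLSVerifyClient: try` (a presented certificate is checked, none is acceptable) or `demand` (a valid one is required).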
2493 |
|
2567 |
|
2494 |
# search result |
2568 |
<calloutlist> |
2495 |
search: 3 |
2569 |
<callout arearefs="server-certificate"> |
2496 |
result: 32 No such object |
2570 |
<para>Specifies the location of the server certificate |
|
|
2571 |
for TLS operations.</para> |
2572 |
</callout> |
2497 |
|
2573 |
|
2498 |
# numResponses: 1</screen> |
2574 |
<callout arearefs="server-key"> |
|
|
2575 |
<para>Specifies the location of the server key.</para> |
2576 |
</callout> |
2499 |
|
2577 |
|
2500 |
<note> |
2578 |
<callout arearefs="ca"> |
2501 |
<para>If the command fails and the configuration looks |
2579 |
<para>Specifies the location of the Certificate |
2502 |
correct, stop the <command>slapd</command> service and |
2580 |
Authority.</para> |
2503 |
restart it with debugging options:</para> |
2581 |
</callout> |
2504 |
|
2582 |
|
2505 |
<screen>&prompt.root; <userinput>service slapd stop</userinput> |
2583 |
<callout arearefs="cipher-suite"> |
2506 |
&prompt.root; <userinput>/usr/local/libexec/slapd -d -1</userinput></screen> |
2584 |
<para>An option <literal>olcTLSCipherSuite</literal> can |
2507 |
</note> |
2585 |
be specified, but here is commented; it was suggested |
|
|
2586 |
to have the value <literal>HIGH:MEDIUM:+SSLv3</literal>. |
2587 |
It should be noted in fact that <literal>SSLv3</literal> |
2588 |
has been deprecated by IETF and that the syntax |
2589 |
<literal>HIGH:MEDIUM</literal> is related to <filename> |
2590 |
openssl</filename>; when clients with different |
2591 |
Operating Systems try to connect to this server, they |
2592 |
may not be able to parse this value. In order to |
2593 |
connect to an <acronym>LDAP</acronym> server using TLS, |
2594 |
each client machine must run a <literal>TLS |
2595 |
client</literal>. Linux machines, for example, use |
2596 |
<filename>gnutls</filename> as <literal>TLS |
2597 |
client</literal> instead of <filename> |
2598 |
openssl</filename>. An error is generated if the |
2599 |
option |
2600 |
<literal>olcTLSCipherSuite: HIGH:MEDIUM:+SSLv3</literal> |
2601 |
is used with the shown syntax. |
2602 |
Otherwise <emphasis>all the clients</emphasis> won't run |
2603 |
FreeBSD, it is recommended to omit such a line, and let |
2604 |
the client OS choose the security cipher: this way, the |
2605 |
server configuration can be done and acceptable, |
2606 |
regardless of the <literal>TLS client</literal>s that |
2607 |
will connect. |
2608 |
The security cipher will be chosen according to the |
2609 |
available ciphers in the client machine, hopefully being |
2610 |
the most secure at the present time: it is not advisable |
2611 |
that the server force it and this is another benefit |
2612 |
when omitting the <literal>olcTLSCipherSuite</literal>. |
2613 |
The security of the client ciphers is demanded to the |
2614 |
package maintainers of the TLS clients.</para> |
2615 |
</callout> |
2508 |
|
2616 |
|
2509 |
<para>Once the service is responding, the directory can be |
2617 |
<callout arearefs="protocol-min"> |
2510 |
populated using <command>ldapadd</command>. In this example, |
2618 |
<para>The <acronym>LDAP</acronym> server Administrator can |
2511 |
a file containing this list of users is first created. Each |
2619 |
anyway specify a minimum security level required by the |
2512 |
user should use the following format:</para> |
2620 |
server. Unlike for the previous one, the use of this |
2513 |
|
2621 |
option is recommended: |
2514 |
<programlisting>dn: dc=<replaceable>example</replaceable>,dc=<replaceable>com</replaceable> |
2622 |
<literal>olcTLSProtocolMin</literal>.</para> |
2515 |
objectclass: dcObject |
2623 |
</callout> |
2516 |
objectclass: organization |
|
|
2517 |
o: <replaceable>Example</replaceable> |
2518 |
dc: <replaceable>Example</replaceable> |
2519 |
|
2520 |
dn: cn=<replaceable>Manager</replaceable>,dc=<replaceable>example</replaceable>,dc=<replaceable>com</replaceable> |
2521 |
objectclass: organizationalRole |
2522 |
cn: <replaceable>Manager</replaceable></programlisting> |
2523 |
|
2524 |
<para>To import this file, specify the file name. The following |
2525 |
command will prompt for the password specified earlier and the |
2526 |
output should look something like this:</para> |
2527 |
|
2528 |
<screen>&prompt.root; <userinput>ldapadd -Z -D "cn=<replaceable>Manager</replaceable>,dc=<replaceable>example</replaceable>,dc=<replaceable>com</replaceable>" -W -f <replaceable>import.ldif</replaceable></userinput> |
2529 |
Enter LDAP Password: |
2530 |
adding new entry "dc=example,dc=com" |
2531 |
|
2624 |
|
2532 |
adding new entry "cn=Manager,dc=example,dc=com"</screen> |
2625 |
<callout arearefs="verify-client"> |
|
|
2626 |
<para>Server must always be verified, while clients can or |
2627 |
can not be verified: here it has been chosen to not |
2628 |
verify them with |
2629 |
<literal>olcTLSVerifyClient</literal>.</para> |
2630 |
</callout> |
2533 |
|
2631 |
|
2534 |
<para>Verify the data was added by issuing a search on the |
2632 |
</calloutlist> |
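Review bot: the cipher-suite callout at 2584-2614 reaches a defensible conclusion but for the wrong reasons. olcTLSCipherSuite is parsed only by slapd's own OpenSSL, never by a connecting client, so a GnuTLS-based Linux client cannot fail to "parse this value"; that portability problem exists for TLS_CIPHER_SUITE in a client's ldap.conf, not here. And in TLS the server selects the cipher suite from the list the client offers, so omitting the option does not "let the client OS choose", it leaves the choice to slapd's OpenSSL default list. Suggest rewriting the callout to say that the server-side policy lives in olcTLSProtocolMin and that `HIGH:MEDIUM:+SSLv3` is omitted because its `+SSLv3` ordering is an OpenSSL-specific leftover, without the claim that client package maintainers are responsible for the server's security. The sentence at 2602-2603 should read "Unless all the clients run FreeBSD, it is recommended to omit such a line".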
2535 |
server using <command>ldapsearch</command>:</para> |
2633 |
|
|
|
2634 |
<para>The second part is about the backend modules and can be |
2635 |
configured as follows:</para> |
2636 |
|
2637 |
<programlisting># |
2638 |
# Load dynamic backend modules: |
2639 |
# |
2640 |
dn: cn=module,cn=config |
2641 |
objectClass: olcModuleList |
2642 |
cn: module |
2643 |
olcModulepath: /usr/local/libexec/openldap |
2644 |
olcModuleload: back_mdb.la |
2645 |
#olcModuleload: back_bdb.la |
2646 |
#olcModuleload: back_hdb.la |
2647 |
#olcModuleload: back_ldap.la |
2648 |
#olcModuleload: back_passwd.la |
2649 |
#olcModuleload: back_shell.la</programlisting> |
2650 |
|
2651 |
<para>The third part is devoted to load the needed <literal> |
2652 |
ldif</literal> schemas to be used by the databases: they |
2653 |
are essential.</para> |
2654 |
|
2655 |
<programlisting>dn: cn=schema,cn=config |
2656 |
objectClass: olcSchemaConfig |
2657 |
cn: schema |
2658 |
|
2659 |
include: file:///usr/local/etc/openldap/schema/core.ldif |
2660 |
include: file:///usr/local/etc/openldap/schema/cosine.ldif |
2661 |
include: file:///usr/local/etc/openldap/schema/inetorgperson.ldif |
2662 |
include: file:///usr/local/etc/openldap/schema/nis.ldif</programlisting> |
2663 |
|
2664 |
<para>Then, the frontend configuration follows:</para> |
2665 |
|
2666 |
<programlisting># Frontend settings |
2667 |
# |
2668 |
dn: olcDatabase={-1}frontend,cn=config |
2669 |
objectClass: olcDatabaseConfig |
2670 |
objectClass: olcFrontendConfig |
2671 |
olcDatabase: {-1}frontend |
2672 |
olcAccess: to * by * read |
2673 |
# |
2674 |
# Sample global access control policy: |
2675 |
# Root DSE: allow anyone to read it |
2676 |
# Subschema (sub)entry DSE: allow anyone to read it |
2677 |
# Other DSEs: |
2678 |
# Allow self write access |
2679 |
# Allow authenticated users read access |
2680 |
# Allow anonymous users to authenticate |
2681 |
# |
2682 |
#olcAccess: to dn.base="" by * read |
2683 |
#olcAccess: to dn.base="cn=Subschema" by * read |
2684 |
#olcAccess: to * |
2685 |
# by self write |
2686 |
# by users read |
2687 |
# by anonymous auth |
2688 |
# |
2689 |
# if no access controls are present, the default policy |
2690 |
# allows anyone and everyone to read anything but restricts |
2691 |
# updates to rootdn. (e.g., "access to * by * read") |
2692 |
# |
2693 |
# rootdn can always read and write EVERYTHING! |
2694 |
# |
2695 |
olcPasswordHash: {SSHA} |
2696 |
# {SSHA} is already the default for olcPasswordHash</programlisting> |
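Review bot: `olcAccess: to * by * read` in this frontend listing is the global default that every database inherits, and the mdb database defined later in the patch carries no olcAccess of its own, so anonymous clients get read access to every attribute in the directory, including userPassword (the domain.ldif entry added later stores `userPassword: secret`). Restrict that attribute before the catch-all, for example `olcAccess: to attrs=userPassword by self write by anonymous auth by * none` followed by the `to * by self write by users read by anonymous auth` rules that are already present here as comments. Note also that `olcPasswordHash: {SSHA}` only governs hashes generated by the Password Modify extended operation; it does nothing for values supplied literally in an LDIF, so the comment "{SSHA} is already the default" should not be read as "passwords will be hashed".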
2697 |
|
2698 |
<para>The following section describes the configuration |
2699 |
backend: this will be the <emphasis>only way</emphasis> to |
2700 |
access the global configuration for the system |
2701 |
administrator, once this procedure is completed. Thus, it |
2702 |
is <emphasis>extremely important</emphasis> that all the |
2703 |
needed options are here specified. In particular, a root |
2704 |
password must be chosen: together with the default |
2705 |
administrator username <literal>cn=config</literal>, it will |
2706 |
let the server administrator to later edit the configuration |
2707 |
as the super-user. Note that, without the specification of |
2708 |
a <literal>olcRootPW</literal> here, after this file is |
2709 |
imported as a configuration file for <filename> |
2710 |
slapd</filename>, no one will be able to modify this |
2711 |
global configuration. This is highly undesirable. |
2712 |
If anyway something is wrong with the actual configuration, |
2713 |
later will be shown a way to delete (and hopefully replace) |
2714 |
it. |
2715 |
A password can be generated using <link xlink:href= |
2716 |
"https://www.freebsd.org/cgi/man.cgi?query=slappasswd&manpath=FreeBSD+11.0-RELEASE+and+Ports"> |
2717 |
slappasswd(8c)</link> in a shell and its entire output must be |
2718 |
used as a value for <literal>olcRootPW</literal>.</para> |
2719 |
|
2720 |
<programlisting>dn: olcDatabase={0}config,cn=config |
2721 |
objectClass: olcDatabaseConfig |
2722 |
olcDatabase: {0}config |
2723 |
olcAccess: to * by * none |
2724 |
olcRootPW: {SSHA}iae+lrQZILpiUdf16Z9KmDmSwT77Dj4U</programlisting> |
2725 |
|
2726 |
<para>The last section showed here is about the database |
2727 |
backend, used for the <emphasis>actual contents</emphasis> |
2728 |
of the <acronym>LDAP</acronym> directory. This database can |
2729 |
be used to add new groups and users as regards the domain |
2730 |
<literal>domain.example</literal>. Here, the database type |
2731 |
<literal>mdb</literal> is used and another super-user is |
2732 |
specified: it will be only able to modify this database and |
2733 |
not the previous sections of |
2734 |
<filename>slapd.ldif</filename>. Here, a username |
2735 |
<literal>olcRootDN</literal> can be specified, being related |
2736 |
to the domain. A password can be generated as |
2737 |
before.</para> |
2738 |
|
2739 |
<programlisting>####################################################################### |
2740 |
# LMDB database definitions |
2741 |
####################################################################### |
2742 |
# |
2743 |
dn: olcDatabase=mdb,cn=config |
2744 |
objectClass: olcDatabaseConfig |
2745 |
objectClass: olcMdbConfig |
2746 |
olcDatabase: mdb |
2747 |
olcDbMaxSize: 1073741824 |
2748 |
olcSuffix: dc=domain,dc=example |
2749 |
olcRootDN: cn=mdbadmin,dc=domain,dc=example |
2750 |
# Cleartext passwords, especially for the rootdn, should |
2751 |
# be avoided. See slappasswd(8) and slapd-config(5) for details. |
2752 |
# Use of strong authentication encouraged. |
2753 |
olcRootPW: {SSHA}X2wHvIWDk6G76CQyCMS1vDCvtICWgn0+ |
2754 |
# The database directory MUST exist prior to running slapd AND |
2755 |
# should only be accessible by the slapd and slap tools. |
2756 |
# Mode 700 recommended. |
2757 |
olcDbDirectory: /var/db/openldap-data |
2758 |
# Indices to maintain |
2759 |
olcDbIndex: objectClass eq</programlisting> |
2760 |
|
2761 |
<para>In <link xlink:href= |
2762 |
"http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=tree;f=tests/data/regressions/its8444;h=8a5e808e63b0de3d2bdaf2cf34fecca8577ca7fd;hb=HEAD">this |
2763 |
repository</link>, four examples of <filename>slapd.ldif</filename> |
2764 |
files are available (they are used as a 4-way multi master |
2765 |
<acronym>LDAP</acronym> server). At the bottom of <link |
2766 |
xlink:href="http://www.openldap.org/doc/admin24/slapdconf2.html"> |
2767 |
this page</link>, section 5.4, also a way to convert an |
2768 |
existing <filename>slapd.conf</filename> into a valid |
2769 |
<filename>slapd.ldif</filename> is presented. Please note |
2770 |
that this may introduce some unuseful options.</para> |
2771 |
|
2772 |
<para>Once the <filename>slapd.ldif</filename> configuration |
2773 |
is completed, this file must be imported in an empty |
2774 |
directory. It is recommended to create it with the |
2775 |
following name and location:</para> |
2776 |
|
2777 |
<screen>&prompt.root; <userinput>mkdir /usr/local/etc/openldap/slapd.d/</userinput></screen> |
2778 |
|
2779 |
<para>The commands suggested at points 9 and 10 in the <link |
2780 |
xlink:href="http://www.openldap.org/doc/admin24/quickstart.html"> |
2781 |
OpenLDAP Quick Start guide</link> (which can anyway be |
2782 |
considered as a reference for all the other operations) are |
2783 |
currently wrong: instead, it is advisable to use</para> |
2784 |
|
2785 |
<screen>&prompt.root; <userinput>/usr/local/sbin/slapadd -n0 -F /usr/local/etc/openldap/slapd.d/ -l /usr/local/etc/openldap/slapd.ldif</userinput></screen> |
2786 |
|
2787 |
<para>This will import the configuration database. To start |
2788 |
the slapd daemon,</para> |
2789 |
|
2790 |
<screen>&prompt.root; <userinput>/usr/local/libexec/slapd -F /usr/local/etc/openldap/slapd.d/</userinput></screen> |
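Review bot: both the slapadd import and this manual `slapd -F` start run as root, so slapd.d and the files slapd creates under /var/db/openldap-data end up root-owned. If the rc script that the text later tells the reader to consult (/usr/local/etc/rc.d/slapd) is configured to run slapd as an unprivileged user, that boot-time start then fails to open the root-owned database and configuration files. Either start slapd here with the same `-u`/`-g` user the rc script uses, or state that ownership of /usr/local/etc/openldap/slapd.d and /var/db/openldap-data (the mdb listing already asks for mode 700 on the latter) must be handed to that user before enabling the service.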
2791 |
|
2792 |
<para>Option <literal>-d</literal> can be used for debugging, |
2793 |
as specified in <link xlink:href= |
2794 |
"https://www.freebsd.org/cgi/man.cgi?query=slapd&sektion=8&manpath=FreeBSD+11.0-RELEASE+and+Ports"> |
2795 |
slapd(8)</link>. To verify that the server is running and |
2796 |
working,</para> |
2536 |
|
2797 |
|
2537 |
<screen>&prompt.user; <userinput>ldapsearch -Z</userinput> |
2798 |
<screen>&prompt.root; <userinput>ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts</userinput> |
2538 |
# extended LDIF |
2799 |
# extended LDIF |
2539 |
# |
2800 |
# |
2540 |
# LDAPv3 |
2801 |
# LDAPv3 |
2541 |
# base <dc=example,dc=com> (default) with scope subtree |
2802 |
# base <> with scope baseObject |
2542 |
# filter: (objectclass=*) |
2803 |
# filter: (objectclass=*) |
2543 |
# requesting: ALL |
2804 |
# requesting: namingContexts |
2544 |
# |
2805 |
# |
2545 |
|
2806 |
|
2546 |
# example.com |
2807 |
# |
2547 |
dn: dc=example,dc=com |
2808 |
dn: |
2548 |
objectClass: dcObject |
2809 |
namingContexts: dc=domain,dc=example |
2549 |
objectClass: organization |
|
|
2550 |
o: Example |
2551 |
dc: Example |
2552 |
|
2553 |
# Manager, example.com |
2554 |
dn: cn=Manager,dc=example,dc=com |
2555 |
objectClass: organizationalRole |
2556 |
cn: Manager |
2557 |
|
2810 |
|
2558 |
# search result |
2811 |
# search result |
2559 |
search: 3 |
2812 |
search: 2 |
2560 |
result: 0 Success |
2813 |
result: 0 Success |
2561 |
|
2814 |
|
2562 |
# numResponses: 3 |
2815 |
# numResponses: 2 |
2563 |
# numEntries: 2</screen> |
2816 |
# numEntries: 1</screen> |
|
|
2817 |
|
2818 |
<para>The server won't still be recognized by any client as |
2819 |
trusted, anyway. |
2820 |
The certificates were created in non-standard directories |
2821 |
from the point of view of <filename>openssl</filename>. In |
2822 |
order for <filename>openssl</filename> to work, the |
2823 |
directories where the certificates are stored must contain |
2824 |
symbolic links (whose names are composed by a hash) to the |
2825 |
certificates. Even if some <filename>openssl</filename> |
2826 |
commands are already available in a FreeBSD base system, it |
2827 |
is necessary now to explicitly install the package:</para> |
2828 |
|
2829 |
<screen>&prompt.root; <userinput>pkg install openssl</userinput></screen> |
2830 |
|
2831 |
<para>This will provide the <link xlink:href= |
2832 |
"https://www.freebsd.org/cgi/man.cgi?query=c_rehash&manpath=FreeBSD+11.0-RELEASE+and+Ports">c_rehash(1)</link> |
2833 |
tool. Now run</para> |
2834 |
|
2835 |
<screen>&prompt.root; <userinput>c_rehash .</userinput></screen> |
2836 |
|
2837 |
<para>from the directory where the CA is stored (in this |
2838 |
example, <filename>/usr/local/etc/openldap</filename>, |
2839 |
which contains the file <filename>ca.crt</filename>). This |
2840 |
utility must create a symlink for each |
2841 |
<filename>.pem</filename>, <filename>.crt</filename>, |
2842 |
<filename>.crl</filename> or <filename>.cer</filename> file |
2843 |
in the directory. Only this way <filename>server.crt</filename> |
2844 |
can be recognized as a valid, trusted and acceptable |
2845 |
certificate. After having verified that symlinks have been |
2846 |
created, in order to verify if the server certificate is |
2847 |
trusted (and this is the operation each |
2848 |
<acronym>LDAP</acronym> client does before accessing the |
2849 |
server), run (from the <filename>server.crt</filename> |
2850 |
directory):</para> |
2851 |
|
2852 |
<screen>&prompt.root; <userinput>openssl verify -verbose -CApath . server.crt</userinput></screen> |
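Review bot: the paragraph above overstates what c_rehash achieves. The hashed symlinks only matter to consumers that are pointed at a certificate directory (the `-CApath .` in this command, or a directory-style CA setting in slapd or ldap.conf); a client configured with the CA file itself needs no rehash, and running c_rehash on the server does nothing for remote clients, whose trust store is the client configuration that the closing paragraph defers to a separate guide. Suggest saying that this command checks that server.crt chains to ca.crt and that clients must be given ca.crt (or the hashed directory) through their own TLS settings; `openssl verify -verbose -CAfile ca.crt server.crt` makes the same check without the extra package and the rehash step.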
2853 |
|
2854 |
<para>If <filename>slapd</filename> was running, it must now |
2855 |
be restarted before using the server. |
2856 |
Please, carefully read the comments included in |
2857 |
<filename>/usr/local/etc/rc.d/slapd</filename>, to make a |
2858 |
correct configuration to run <filename>slapd</filename> at |
2859 |
boot. |
2860 |
An additional option is needed if the |
2861 |
<literal>cn=config</literal> style (that is: the file |
2862 |
<filename>slapd.ldif</filename>) is used for configuration. |
2863 |
You could put in <filename>/etc/rc.conf</filename> the |
2864 |
following lines:</para> |
2865 |
|
2866 |
<programlisting>lapd_enable="YES" |
2867 |
slapd_flags='-h "ldapi://%2fvar%2frun%2fopenldap%2fldapi/ |
2868 |
ldap://0.0.0.0/"' |
2869 |
slapd_sockets="/var/run/openldap/ldapi" |
2870 |
slapd_cn_config="YES"</programlisting> |
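Review bot: `lapd_enable="YES"` in this rc.conf listing is a typo for `slapd_enable="YES"`; as written the service is never started at boot. Also worth a sentence next to `ldap://0.0.0.0/`: that listener accepts plaintext LDAP on every IPv4 address, and nothing shown in the configuration forces StartTLS, so simple binds from clients that omit `-Z` send passwords in the clear. Either document an `olcSecurity: ssf=71` setting (which still admits the local ldapi socket at its default local SSF but requires TLS on TCP connections) or advise clients to use `-ZZ`.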
2871 |
|
2872 |
<para><filename>slapd</filename> doesn't provide debugging at |
2873 |
boot, but <filename>dmesg -a</filename>, <filename>/var/log/messages</filename> |
2874 |
and (in particular) <filename>/var/log/debug.log</filename> |
2875 |
can be checked.</para> |
2876 |
|
2877 |
<para>The <acronym>LDAP</acronym> users database is still |
2878 |
empty. An example, which adds a group called |
2879 |
<literal>team</literal> and a user called |
2880 |
<literal>john</literal> to the |
2881 |
<systemitem class="systemname">domain.example</systemitem> |
2882 |
database is here provided. Create a file |
2883 |
<filename>domain.ldif</filename> with the following |
2884 |
contents:</para> |
2885 |
|
2886 |
<screen>&prompt.root; <userinput>cat domain.ldif</userinput> |
2887 |
dn: dc=domain,dc=example |
2888 |
objectClass: dcObject |
2889 |
objectClass: organization |
2890 |
o: domain.example |
2891 |
dc: domain |
2892 |
|
2893 |
dn: ou=groups,dc=domain,dc=example |
2894 |
objectClass: top |
2895 |
objectClass: organizationalunit |
2896 |
ou: groups |
2897 |
|
2898 |
dn: ou=users,dc=domain,dc=example |
2899 |
objectClass: top |
2900 |
objectClass: organizationalunit |
2901 |
ou: users |
2902 |
|
2903 |
dn: cn=team,ou=groups,dc=domain,dc=example |
2904 |
objectClass: top |
2905 |
objectClass: posixGroup |
2906 |
cn: team |
2907 |
gidNumber: 10001 |
2908 |
|
2909 |
dn: uid=john,ou=users,dc=domain,dc=example |
2910 |
objectClass: top |
2911 |
objectClass: account |
2912 |
objectClass: posixAccount |
2913 |
objectClass: shadowAccount |
2914 |
cn: John McUser |
2915 |
uid: john |
2916 |
uidNumber: 10001 |
2917 |
gidNumber: 10001 |
2918 |
homeDirectory: /home/john/ |
2919 |
loginShell: /usr/bin/bash |
2920 |
userPassword: secret</screen> |
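Review bot: `userPassword: secret` is stored verbatim: the `olcPasswordHash: {SSHA}` setting earlier in the patch applies only to passwords set through the Password Modify extended operation, not to values loaded with ldapadd, so this entry keeps a cleartext password that the frontend `to * by * read` rule then exposes to anonymous readers. Put the slappasswd output in the listing itself rather than only recommending it in the following paragraph. Two smaller fixes in the same entry: `loginShell: /usr/bin/bash` is not where FreeBSD installs bash (the port puts it under /usr/local/bin and the base system has none), so `/bin/sh` or `/usr/local/bin/bash` avoids exactly the login failure the next paragraph warns about; and `homeDirectory: /home/john/` should drop the trailing slash.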
2921 |
|
2922 |
<para>Instead of being <literal>secret</literal>, the password |
2923 |
in the last line of <filename>domain.ldif</filename> for |
2924 |
<literal>john</literal> can be generated with |
2925 |
<link xlink:href= |
2926 |
"https://www.freebsd.org/cgi/man.cgi?query=slappasswd&manpath=FreeBSD+11.0-RELEASE+and+Ports"> |
2927 |
slappasswd(8c)</link>. Be careful about the |
2928 |
default shell path: if it doesn't exist in the system where |
2929 |
the user tries to log in, an error can be generated and the |
2930 |
user could not be able to actually log in. A symlink can be |
2931 |
created, or a different shell can be used to avoid this. |
2932 |
For the structure of the <literal>ldif</literal> files and |
2933 |
the <acronym>LDAP</acronym> directory, see the OpenLDAP |
2934 |
documentation. Such data can be added to the database using |
2935 |
the <literal>mdb</literal> administrator:</para> |
2936 |
|
2937 |
<screen>&prompt.root; <userinput>ldapadd -W -D "cn=mdbadmin,dc=domain,dc=example" -f domain.ldif</userinput></screen> |
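Review bot: `ldapadd -W -D "cn=mdbadmin,dc=domain,dc=example" -f domain.ldif` is missing `-x`: without it ldapadd attempts a SASL bind rather than a simple bind with the given DN, and the `-D`/`-W` pair is not used as intended, so the import does not run as the mdb root DN. It should read `ldapadd -x -W -D "cn=mdbadmin,dc=domain,dc=example" -f domain.ldif`, consistent with the `-x` already used in the ldapmodify example further down.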
2938 |
|
2939 |
<para>If instead a global option is to be modified, a |
2940 |
<emphasis>different user</emphasis> must be considered: as |
2941 |
anticipated, it is the <emphasis>global</emphasis> |
2942 |
super-user. Let's assume that the option |
2943 |
<literal>olcTLSCipherSuite: HIGH:MEDIUM:SSLv3</literal> was |
2944 |
specified before and now it must be deleted. The |
2945 |
instructions for the modification can be stored in the file |
2946 |
<filename>global_mod</filename>. |
2947 |
It must not contain the previous value of the option to be |
2948 |
deleted in the last line: this means that |
2949 |
<literal>olcTLSCipherSuite: HIGH:MEDIUM:SSLv3</literal> must |
2950 |
not be included as last line.</para> |
2951 |
|
2952 |
<screen>&prompt.root; <userinput>cat global_mod</userinput> |
2953 |
dn: cn=config |
2954 |
changetype: modify |
2955 |
delete: olcTLSCipherSuite</screen> |
2956 |
|
2957 |
<para>The modifications can be applied with</para> |
2958 |
|
2959 |
<screen>&prompt.root; <userinput>ldapmodify -f global_mod -x -D "cn=config" -W</userinput></screen> |
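Review bot: `ldapmodify -f global_mod -x -D "cn=config" -W` is a simple bind with no `-Z`/`-ZZ` and no `-H`, so it goes to the client's default URI (the plaintext `ldap://` listener unless ldap.conf says otherwise) and sends the cn=config root password unencrypted. Since this account can rewrite the whole server configuration, the example should use `-ZZ`, or on the server itself `-H ldapi://%2fvar%2frun%2fopenldap%2fldapi/`, matching the socket that the rc.conf listing above sets up; the same applies to the ldapadd invocation for the mdb administrator.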
2960 |
|
2961 |
<para><literal>cn=config</literal> is the |
2962 |
<literal>dn</literal> (Distinguished Name) of the entry |
2963 |
(section) of the database to be modified. |
2964 |
Use <literal>ldapmodify</literal> to delete a single line |
2965 |
of the database; <literal>ldapdelete</literal> is used to |
2966 |
delete an entire entry (section) instead. |
2967 |
Each database section has its own administrator and it must |
2968 |
be specified while applying a modification. |
2969 |
The global super-user, whose name is by default |
2970 |
<literal>cn=config</literal>, should have a password set by |
2971 |
<literal>olcRootPW</literal> in the |
2972 |
<literal>dn: olcDatabase={0}config,cn=config</literal> |
2973 |
section. It is the one who must used here. If something |
2974 |
goes wrong, or if this root administrator cannot access the |
2975 |
configuration backend, it is possible to completeley delete |
2976 |
the current configuration. It can be done by removing the |
2977 |
directory that was previously created:</para> |
2978 |
|
2979 |
<screen>&prompt.root; <userinput>rm -rf /usr/local/etc/openldap/slapd.d/</userinput></screen> |
2980 |
|
2981 |
<para><filename>slapd.ldif</filename> can then be edited and |
2982 |
imported again. Please note that this procedure |
2983 |
is not to be considered as ordinary, nor normal: |
2984 |
it won't have side effects, but it should be followed |
2985 |
<emphasis>only</emphasis> when no other solution is |
2986 |
suitable.</para> |
2987 |
|
2988 |
<para>This is the configuration of the server only. The |
2989 |
client, which can be the server itself, and/or another |
2990 |
machine, relies upon other configuration files: a dedicated |
2991 |
guide must be followed for them.</para> |
2564 |
|
2992 |
|
2565 |
<para>At this point, the server should be configured and |
|
|
2566 |
functioning properly.</para> |
2567 |
</sect2> |
2993 |
</sect2> |
2568 |
</sect1> |
2994 |
</sect1> |
2569 |
|
2995 |
|
2570 |
<sect1 xml:id="network-dhcp"> |
2996 |
<sect1 xml:id="network-dhcp"> |
2571 |
<!-- |
2997 |
<!-- |
2572 |
<sect1info> |
2998 |
<sect1info> |
2573 |
<authorgroup> |
2999 |
<authorgroup> |
2574 |
<author> |
3000 |
<author> |
2575 |
<firstname>Greg</firstname> |
3001 |
<firstname>Greg</firstname> |
2576 |
<surname>Sutter</surname> |
3002 |
<surname>Sutter</surname> |
2577 |
<contrib>Written by </contrib> |
3003 |
<contrib>Written by </contrib> |
2578 |
</author> |
3004 |
</author> |
2579 |
</authorgroup> |
3005 |
</authorgroup> |
2580 |
</sect1info> |
3006 |
</sect1info> |
2581 |
--> |
3007 |
--> |
2582 |
<title>Dynamic Host Configuration Protocol |
3008 |
<title>Dynamic Host Configuration Protocol |
2583 |
(<acronym>DHCP</acronym>)</title> |
3009 |
(<acronym>DHCP</acronym>)</title> |
2584 |
|
3010 |
|
2585 |
<indexterm> |
3011 |
<indexterm> |
2586 |
<primary>Dynamic Host Configuration Protocol</primary> |
3012 |
<primary>Dynamic Host Configuration Protocol</primary> |
2587 |
<see><acronym>DHCP</acronym></see> |
3013 |
<see><acronym>DHCP</acronym></see> |
2588 |
</indexterm> |
3014 |
</indexterm> |
2589 |
<indexterm> |
3015 |
<indexterm> |
2590 |
<primary>Internet Systems Consortium (ISC)</primary> |
3016 |
<primary>Internet Systems Consortium (ISC)</primary> |
2591 |
</indexterm> |
3017 |
</indexterm> |
2592 |
|
3018 |
|
2593 |
<para>The Dynamic Host Configuration Protocol |
3019 |
<para>The Dynamic Host Configuration Protocol |
2594 |
(<acronym>DHCP</acronym>) allows a system to connect to a |
3020 |
(<acronym>DHCP</acronym>) allows a system to connect to a |
2595 |
network in order to be assigned the necessary addressing |
3021 |
network in order to be assigned the necessary addressing |
2596 |
information for communication on that network. &os; includes |
3022 |
information for communication on that network. &os; includes |
2597 |
the OpenBSD version of <command>dhclient</command> which is used |
3023 |
the OpenBSD version of <command>dhclient</command> which is used |
2598 |
by the client to obtain the addressing information. &os; does |
3024 |
by the client to obtain the addressing information. &os; does |
2599 |
not install a <acronym>DHCP</acronym> server, but several |
3025 |
not install a <acronym>DHCP</acronym> server, but several |
2600 |
servers are available in the &os; Ports Collection. The |
3026 |
servers are available in the &os; Ports Collection. The |
2601 |
<acronym>DHCP</acronym> protocol is fully described in <link |
3027 |
<acronym>DHCP</acronym> protocol is fully described in <link |
2602 |
xlink:href="http://www.freesoft.org/CIE/RFC/2131/">RFC |
3028 |
xlink:href="http://www.freesoft.org/CIE/RFC/2131/">RFC |
2603 |
2131</link>. |
3029 |
2131</link>. |
2604 |
Informational resources are also available at <link |
3030 |
Informational resources are also available at <link |
2605 |
xlink:href="http://www.isc.org/downloads/dhcp/">isc.org/downloads/dhcp/</link>.</para> |
3031 |
xlink:href="http://www.isc.org/downloads/dhcp/">isc.org/downloads/dhcp/</link>.</para> |
2606 |
|
3032 |
|
2607 |
<para>This section describes how to use the built-in |
3033 |
<para>This section describes how to use the built-in |
2608 |
<acronym>DHCP</acronym> client. It then describes how to |
3034 |
<acronym>DHCP</acronym> client. It then describes how to |
2609 |
install and configure a <acronym>DHCP</acronym> server.</para> |
3035 |
install and configure a <acronym>DHCP</acronym> server.</para> |
2610 |
|
3036 |
|
2611 |
<note> |
3037 |
<note> |
2612 |
<para>In &os;, the &man.bpf.4; device is needed by both the |
3038 |
<para>In &os;, the &man.bpf.4; device is needed by both the |
2613 |
<acronym>DHCP</acronym> server and <acronym>DHCP</acronym> |
3039 |
<acronym>DHCP</acronym> server and <acronym>DHCP</acronym> |
2614 |
client. This device is included in the |
3040 |
client. This device is included in the |
2615 |
<filename>GENERIC</filename> kernel that is installed with |
3041 |
<filename>GENERIC</filename> kernel that is installed with |
2616 |
&os;. Users who prefer to create a custom kernel need to keep |
3042 |
&os;. Users who prefer to create a custom kernel need to keep |
2617 |
this device if <acronym>DHCP</acronym> is used.</para> |
3043 |
this device if <acronym>DHCP</acronym> is used.</para> |
2618 |
|
3044 |
|
2619 |
<para>It should be noted that <filename>bpf</filename> also |
3045 |
<para>It should be noted that <filename>bpf</filename> also |
2620 |
allows privileged users to run network packet sniffers on |
3046 |
allows privileged users to run network packet sniffers on |
2621 |
that system.</para> |
3047 |
that system.</para> |
2622 |
</note> |
3048 |
</note> |
2623 |
|
3049 |
|
2624 |
<sect2> |
3050 |
<sect2> |
2625 |
<title>Configuring a <acronym>DHCP</acronym> Client</title> |
3051 |
<title>Configuring a <acronym>DHCP</acronym> Client</title> |
2626 |
|
3052 |
|
2627 |
<para><acronym>DHCP</acronym> client support is included in the |
3053 |
<para><acronym>DHCP</acronym> client support is included in the |
2628 |
&os; installer, making it easy to configure a newly installed |
3054 |
&os; installer, making it easy to configure a newly installed |
2629 |
system to automatically receive its networking addressing |
3055 |
system to automatically receive its networking addressing |
2630 |
information from an existing <acronym>DHCP</acronym> server. |
3056 |
information from an existing <acronym>DHCP</acronym> server. |
2631 |
Refer to <xref linkend="bsdinstall-post"/> for examples of |
3057 |
Refer to <xref linkend="bsdinstall-post"/> for examples of |
2632 |
network configuration.</para> |
3058 |
network configuration.</para> |
2633 |
|
3059 |
|
2634 |
<indexterm><primary><acronym>UDP</acronym></primary></indexterm> |
3060 |
<indexterm><primary><acronym>UDP</acronym></primary></indexterm> |
2635 |
<para>When <command>dhclient</command> is executed on the client |
3061 |
<para>When <command>dhclient</command> is executed on the client |
2636 |
machine, it begins broadcasting requests for configuration |
3062 |
machine, it begins broadcasting requests for configuration |
2637 |
information. By default, these requests use |
3063 |
information. By default, these requests use |
2638 |
<acronym>UDP</acronym> port 68. The server replies on |
3064 |
<acronym>UDP</acronym> port 68. The server replies on |
2639 |
<acronym>UDP</acronym> port 67, giving the client an |
3065 |
<acronym>UDP</acronym> port 67, giving the client an |
2640 |
<acronym>IP</acronym> address and other relevant network |
3066 |
<acronym>IP</acronym> address and other relevant network |
2641 |
information such as a subnet mask, default gateway, and |
3067 |
information such as a subnet mask, default gateway, and |
2642 |
<acronym>DNS</acronym> server addresses. This information is |
3068 |
<acronym>DNS</acronym> server addresses. This information is |
2643 |
in the form of a <acronym>DHCP</acronym> |
3069 |
in the form of a <acronym>DHCP</acronym> |
2644 |
<quote>lease</quote> and is valid for a configurable time. |
3070 |
<quote>lease</quote> and is valid for a configurable time. |
2645 |
This allows stale <acronym>IP</acronym> addresses for clients |
3071 |
This allows stale <acronym>IP</acronym> addresses for clients |
2646 |
no longer connected to the network to automatically be reused. |
3072 |
no longer connected to the network to automatically be reused. |
2647 |
<acronym>DHCP</acronym> clients can obtain a great deal of |
3073 |
<acronym>DHCP</acronym> clients can obtain a great deal of |
2648 |
information from the server. An exhaustive list may be found |
3074 |
information from the server. An exhaustive list may be found |
2649 |
in &man.dhcp-options.5;.</para> |
3075 |
in &man.dhcp-options.5;.</para> |
2650 |
|
3076 |
|
2651 |
<para>By default, when a &os; system boots, its |
3077 |
<para>By default, when a &os; system boots, its |
2652 |
<acronym>DHCP</acronym> client runs in the background, or |
3078 |
<acronym>DHCP</acronym> client runs in the background, or |
2653 |
<firstterm>asynchronously</firstterm>. Other startup scripts |
3079 |
<firstterm>asynchronously</firstterm>. Other startup scripts |
2654 |
continue to run while the <acronym>DHCP</acronym> process |
3080 |
continue to run while the <acronym>DHCP</acronym> process |
2655 |
completes, which speeds up system startup.</para> |
3081 |
completes, which speeds up system startup.</para> |
2656 |
|
3082 |
|
2657 |
<para>Background <acronym>DHCP</acronym> works well when the |
3083 |
<para>Background <acronym>DHCP</acronym> works well when the |
2658 |
<acronym>DHCP</acronym> server responds quickly to the |
3084 |
<acronym>DHCP</acronym> server responds quickly to the |
2659 |
client's requests. However, <acronym>DHCP</acronym> may take |
3085 |
client's requests. However, <acronym>DHCP</acronym> may take |
2660 |
a long time to complete on some systems. If network services |
3086 |
a long time to complete on some systems. If network services |
2661 |
attempt to run before <acronym>DHCP</acronym> has assigned the |
3087 |
attempt to run before <acronym>DHCP</acronym> has assigned the |
2662 |
network addressing information, they will fail. Using |
3088 |
network addressing information, they will fail. Using |
2663 |
<acronym>DHCP</acronym> in <firstterm>synchronous</firstterm> |
3089 |
<acronym>DHCP</acronym> in <firstterm>synchronous</firstterm> |
2664 |
mode prevents this problem as it pauses startup until the |
3090 |
mode prevents this problem as it pauses startup until the |
2665 |
<acronym>DHCP</acronym> configuration has completed.</para> |
3091 |
<acronym>DHCP</acronym> configuration has completed.</para> |
2666 |
|
3092 |
|
2667 |
<para>This line in <filename>/etc/rc.conf</filename> is used to |
3093 |
<para>This line in <filename>/etc/rc.conf</filename> is used to |
2668 |
configure background or asynchronous mode:</para> |
3094 |
configure background or asynchronous mode:</para> |
2669 |
|
3095 |
|
2670 |
<programlisting>ifconfig_<replaceable>fxp0</replaceable>="DHCP"</programlisting> |
3096 |
<programlisting>ifconfig_<replaceable>fxp0</replaceable>="DHCP"</programlisting> |
2671 |
|
3097 |
|
2672 |
<para>This line may already exist if the system was configured |
3098 |
<para>This line may already exist if the system was configured |
2673 |
to use <acronym>DHCP</acronym> during installation. Replace |
3099 |
to use <acronym>DHCP</acronym> during installation. Replace |
2674 |
the <replaceable>fxp0</replaceable> shown in these examples |
3100 |
the <replaceable>fxp0</replaceable> shown in these examples |
2675 |
with the name of the interface to be dynamically configured, |
3101 |
with the name of the interface to be dynamically configured, |
2676 |
as described in <xref linkend="config-network-setup"/>.</para> |
3102 |
as described in <xref linkend="config-network-setup"/>.</para> |
2677 |
|
3103 |
|
2678 |
<para>To instead configure the system to use synchronous mode, |
3104 |
<para>To instead configure the system to use synchronous mode, |
2679 |
and to pause during startup while <acronym>DHCP</acronym> |
3105 |
and to pause during startup while <acronym>DHCP</acronym> |
2680 |
completes, use |
3106 |
completes, use |
2681 |
<quote><literal>SYNCDHCP</literal></quote>:</para> |
3107 |
<quote><literal>SYNCDHCP</literal></quote>:</para> |
2682 |
|
3108 |
|
2683 |
<programlisting>ifconfig_<replaceable>fxp0</replaceable>="SYNCDHCP"</programlisting> |
3109 |
<programlisting>ifconfig_<replaceable>fxp0</replaceable>="SYNCDHCP"</programlisting> |
2684 |
|
3110 |
|
2685 |
<para>Additional client options are available. Search for |
3111 |
<para>Additional client options are available. Search for |
2686 |
<literal>dhclient</literal> in &man.rc.conf.5; for |
3112 |
<literal>dhclient</literal> in &man.rc.conf.5; for |
2687 |
details.</para> |
3113 |
details.</para> |
2688 |
|
3114 |
|
2689 |
<indexterm> |
3115 |
<indexterm> |
2690 |
<primary><acronym>DHCP</acronym></primary> |
3116 |
<primary><acronym>DHCP</acronym></primary> |
2691 |
<secondary>configuration files</secondary> |
3117 |
<secondary>configuration files</secondary> |
2692 |
</indexterm> |
3118 |
</indexterm> |
2693 |
|
3119 |
|
2694 |
<para>The <acronym>DHCP</acronym> client uses the following |
3120 |
<para>The <acronym>DHCP</acronym> client uses the following |
2695 |
files:</para> |
3121 |
files:</para> |
2696 |
|
3122 |
|
2697 |
<itemizedlist> |
3123 |
<itemizedlist> |
2698 |
<listitem> |
3124 |
<listitem> |
2699 |
<para><filename>/etc/dhclient.conf</filename></para> |
3125 |
<para><filename>/etc/dhclient.conf</filename></para> |
2700 |
|
3126 |
|
2701 |
<para>The configuration file used by |
3127 |
<para>The configuration file used by |
2702 |
<command>dhclient</command>. Typically, this file |
3128 |
<command>dhclient</command>. Typically, this file |
2703 |
contains only comments as the defaults are suitable for |
3129 |
contains only comments as the defaults are suitable for |
2704 |
most clients. This configuration file is described in |
3130 |
most clients. This configuration file is described in |
2705 |
&man.dhclient.conf.5;.</para> |
3131 |
&man.dhclient.conf.5;.</para> |
2706 |
</listitem> |
3132 |
</listitem> |
2707 |
|
3133 |
|
2708 |
<listitem> |
3134 |
<listitem> |
2709 |
<para><filename>/sbin/dhclient</filename></para> |
3135 |
<para><filename>/sbin/dhclient</filename></para> |
2710 |
|
3136 |
|
2711 |
<para>More information about the command itself can |
3137 |
<para>More information about the command itself can |
2712 |
          be found in &man.dhclient.8;.</para>
        </listitem>

        <listitem>
          <para><filename>/sbin/dhclient-script</filename></para>

          <para>The
            &os;-specific <acronym>DHCP</acronym> client configuration
            script. It is described in &man.dhclient-script.8;, but
            should not need any user modification to function
            properly.</para>
        </listitem>

        <listitem>
          <para><filename>/var/db/dhclient.leases.<replaceable>interface</replaceable></filename></para>

          <para>The <acronym>DHCP</acronym> client keeps a database of
            valid leases in this file, which is written as a log and
            is described in &man.dhclient.leases.5;.</para>
        </listitem>
      </itemizedlist>
    </sect2>

    <sect2 xml:id="network-dhcp-server">
      <title>Installing and Configuring a <acronym>DHCP</acronym>
        Server</title>

      <para>This section demonstrates how to configure a &os; system
        to act as a <acronym>DHCP</acronym> server using the Internet
        Systems Consortium (<acronym>ISC</acronym>) implementation of
        the <acronym>DHCP</acronym> server. This implementation and
        its documentation can be installed using the
        <package>net/isc-dhcp43-server</package> package or
        port.</para>

      <indexterm>
        <primary><acronym>DHCP</acronym></primary>
        <secondary>server</secondary>
      </indexterm>

      <indexterm>
        <primary><acronym>DHCP</acronym></primary>
        <secondary>installation</secondary>
      </indexterm>

      <para>The installation of
        <package>net/isc-dhcp43-server</package> installs a sample
        configuration file. Copy
        <filename>/usr/local/etc/dhcpd.conf.example</filename> to
        <filename>/usr/local/etc/dhcpd.conf</filename> and make any
        edits to this new file.</para>

      <indexterm>
        <primary><acronym>DHCP</acronym></primary>
        <secondary>dhcpd.conf</secondary>
      </indexterm>
      <para>The configuration file consists of declarations for
        subnets and hosts which define the information that is
        provided to <acronym>DHCP</acronym> clients. For example,
        these lines configure the following:</para>

      <programlisting>option domain-name "example.org";<co xml:id="domain-name"/>
option domain-name-servers ns1.example.org;<co xml:id="domain-name-servers"/>
option subnet-mask 255.255.255.0;<co xml:id="subnet-mask"/>

default-lease-time 600;<co xml:id="default-lease-time"/>
max-lease-time 72400;<co xml:id="max-lease-time"/>
ddns-update-style none;<co xml:id="ddns-update-style"/>

subnet 10.254.239.0 netmask 255.255.255.224 {
  range 10.254.239.10 10.254.239.20;<co xml:id="range"/>
  option routers rtr-239-0-1.example.org, rtr-239-0-2.example.org;<co xml:id="routers"/>
}

host fantasia {
  hardware ethernet 08:00:07:26:c0:a5;<co xml:id="hardware"/>
  fixed-address fantasia.fugue.com;<co xml:id="fixed-address"/>
}</programlisting>

      <calloutlist>
        <callout arearefs="domain-name">
          <para>This option specifies the default search domain that
            will be provided to clients. Refer to
            &man.resolv.conf.5; for more information.</para>
        </callout>

        <callout arearefs="domain-name-servers">
          <para>This option specifies a comma-separated list of
            <acronym>DNS</acronym> servers that the client should use.
            They can be listed by their Fully Qualified Domain Names
            (<acronym>FQDN</acronym>), as seen in the example, or by
            their <acronym>IP</acronym> addresses.</para>
        </callout>

        <callout arearefs="subnet-mask">
          <para>The subnet mask that will be provided to
            clients.</para>
        </callout>

        <callout arearefs="default-lease-time">
          <para>The default lease expiry time in seconds. A client
            can be configured to override this value.</para>
        </callout>

        <callout arearefs="max-lease-time">
          <para>The maximum allowed length of time, in seconds, for a
            lease. Should a client request a longer lease, a lease
            will still be issued, but it will only be valid for
            <literal>max-lease-time</literal>.</para>
        </callout>

        <callout arearefs="ddns-update-style">
          <para>The default of <option>none</option> disables dynamic
            DNS updates. Changing this to <option>interim</option>
            configures the <acronym>DHCP</acronym> server to update a
            <acronym>DNS</acronym> server whenever it hands out a
            lease so that the <acronym>DNS</acronym> server knows
            which <acronym>IP</acronym> addresses are associated with
            which computers in the network. Do not change the default
            setting unless the <acronym>DNS</acronym> server has been
            configured to support dynamic
            <acronym>DNS</acronym>.</para>
        </callout>

        <callout arearefs="range">
          <para>This line creates a pool of available
            <acronym>IP</acronym> addresses which are reserved for
            allocation to <acronym>DHCP</acronym> clients. The range
            of addresses must be valid for the network or subnet
            specified in the previous line.</para>
        </callout>

        <callout arearefs="routers">
          <para>Declares the default gateway that is valid for the
            network or subnet specified before the opening
            <literal>{</literal> brace.</para>
        </callout>

        <callout arearefs="hardware">
          <para>Specifies the hardware <acronym>MAC</acronym> address
            of a client so that the <acronym>DHCP</acronym> server can
            recognize the client when it makes a request.</para>
        </callout>

        <callout arearefs="fixed-address">
          <para>Specifies that this host should always be given the
            same <acronym>IP</acronym> address. Using the hostname is
            correct, since the <acronym>DHCP</acronym> server will
            resolve the hostname before returning the lease
            information.</para>
        </callout>
      </calloutlist>

      <para>This configuration file supports many more options. Refer
        to dhcpd.conf(5), installed with the server, for details and
        examples.</para>

      <para>Once the configuration of <filename>dhcpd.conf</filename>
        is complete, enable the <acronym>DHCP</acronym> server in
        <filename>/etc/rc.conf</filename>:</para>

      <programlisting>dhcpd_enable="YES"
dhcpd_ifaces="dc0"</programlisting>

      <para>Replace the <literal>dc0</literal> with the interface (or
        interfaces, separated by whitespace) that the
        <acronym>DHCP</acronym> server should listen on for
        <acronym>DHCP</acronym> client requests.</para>

      <para>Start the server by issuing the following command:</para>

      <screen>&prompt.root; <userinput>service isc-dhcpd start</userinput></screen>

      <para>Any future changes to the configuration of the server will
        require the <application>dhcpd</application> service to be
        stopped and then started using &man.service.8;.</para>

      <para>The <acronym>DHCP</acronym> server uses the following
        files. Note that the manual pages are installed with the
        server software.</para>

      <indexterm>
        <primary><acronym>DHCP</acronym></primary>
        <secondary>configuration files</secondary>
      </indexterm>
      <itemizedlist>
        <listitem>
          <para><filename>/usr/local/sbin/dhcpd</filename></para>

          <para>More information about the
            <application>dhcpd</application> server can be found in
            dhcpd(8).</para>
        </listitem>

        <listitem>
          <para><filename>/usr/local/etc/dhcpd.conf</filename></para>

          <para>The server configuration file needs to contain all the
            information that should be provided to clients, along with
            information regarding the operation of the server. This
            configuration file is described in dhcpd.conf(5).</para>
        </listitem>

        <listitem>
          <para><filename>/var/db/dhcpd.leases</filename></para>

          <para>The <acronym>DHCP</acronym> server keeps a database of
            leases it has issued in this file, which is written as a
            log. Refer to dhcpd.leases(5), which gives a slightly
            longer description.</para>
        </listitem>

        <listitem>
          <para><filename>/usr/local/sbin/dhcrelay</filename></para>

          <para>This daemon is used in advanced environments where one
            <acronym>DHCP</acronym> server forwards a request from a
            client to another <acronym>DHCP</acronym> server on a
            separate network. If this functionality is required,
            install the <package>net/isc-dhcp43-relay</package>
            package or port. The installation includes dhcrelay(8)
            which provides more detail.</para>
        </listitem>
      </itemizedlist>
    </sect2>
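The callouts above state two constraints that dhcpd will not always catch for you at start time: a range must be valid for the subnet block that declares it, and a host reservation only makes sense outside the dynamic pool. The following is an added example, not code from the Handbook or from ISC DHCP: a parser for just the subset of dhcpd.conf syntax shown in the listing, followed by the checks an operator wants to run before restarting the service. SAMPLE_CONF is the listing above plus two constructed mistakes so that the failure modes are visible; all function names are this example's own. One caveat worth keeping in mind while reading the hardware/fixed-address checks: the hardware ethernet match identifies a client, it does not authenticate it, so a reservation is an administrative convenience, not an access control.

```python
"""Sanity-check a dhcpd.conf before handing it to dhcpd (added example).

Not code from the FreeBSD Handbook or ISC DHCP: a parser for the subset
of dhcpd.conf syntax shown in the Handbook listing, plus pre-restart
checks (range inside its subnet, default-lease-time <= max-lease-time,
IP fixed-address outside dynamic pools, well-formed and unique MACs).
"""
import ipaddress
import re

# Constructed from the Handbook listing, with two deliberate mistakes.
SAMPLE_CONF = """\
option domain-name "example.org";
option domain-name-servers ns1.example.org;
default-lease-time 600;
max-lease-time 72400;
subnet 10.254.239.0 netmask 255.255.255.224 {
  range 10.254.239.10 10.254.239.20;
  option routers rtr-239-0-1.example.org, rtr-239-0-2.example.org;
}
# constructed mistake: this /27 ends at .63 but the range runs to .70
subnet 10.254.239.32 netmask 255.255.255.224 {
  range 10.254.239.40 10.254.239.70;
}
host fantasia {
  hardware ethernet 08:00:07:26:c0:a5;
  fixed-address fantasia.fugue.com;
}
# constructed mistake: a reservation inside the first subnet's pool
host printer {
  hardware ethernet 08:00:07:26:c0:a6;
  fixed-address 10.254.239.15;
}
"""

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.IGNORECASE)


def _statement(stmt, target):
    """Store one ';'-terminated statement in the enclosing block dict."""
    if not stmt:
        return
    if stmt[0] == "range":
        target.setdefault("ranges", []).append(tuple(map(ipaddress.ip_address, stmt[1:3])))
    elif stmt[0] == "option":          # 'option routers a, b' arrives as tokens 'a,' and 'b'
        target.setdefault("options", {})[stmt[1]] = [v.strip(",") for v in stmt[2:]]
    elif stmt[0] == "hardware":
        target["hardware"] = (stmt[1], stmt[2])              # (type, address)
    else:                                                   # lease times, fixed-address, ...
        target[stmt[0]] = stmt[1]


def parse_conf(text):
    """Parse the supported dhcpd.conf subset into globals, subnets and hosts."""
    tokens = re.findall(r'"[^"]*"|[{};]|[^\s{};]+', re.sub(r"#.*", "", text))
    cfg = {"globals": {}, "subnets": [], "hosts": []}
    block, stmt = None, []
    for tok in tokens:
        if tok == "{":
            if stmt[0] == "subnet":                          # subnet ADDR netmask MASK {
                block = {"network": ipaddress.ip_network(f"{stmt[1]}/{stmt[3]}")}
                cfg["subnets"].append(block)
            elif stmt[0] == "host":                          # host NAME {
                block = {"name": stmt[1]}
                cfg["hosts"].append(block)
            else:
                raise ValueError("unsupported block: " + " ".join(stmt))
            stmt = []
        elif tok == "}":
            block = None
        elif tok == ";":
            _statement(stmt, cfg["globals"] if block is None else block)
            stmt = []
        else:
            stmt.append(tok.strip('"'))
    return cfg


def check_conf(cfg):
    """Return a list of problems; an empty list means the file passed."""
    problems, g = [], cfg["globals"]
    if "max-lease-time" in g and int(g.get("default-lease-time", 0)) > int(g["max-lease-time"]):
        problems.append("default-lease-time exceeds max-lease-time")
    pools = []                                               # validated (low, high) ranges
    for s in cfg["subnets"]:
        for low, high in s.get("ranges", []):
            if low > high or low not in s["network"] or high not in s["network"]:
                problems.append(f"{s['network']}: range {low}-{high} is not inside the subnet")
            else:
                pools.append((low, high))
    seen = {}                                                # MAC -> host that reserved it
    for h in cfg["hosts"]:
        hw = h.get("hardware", ("", ""))
        if hw[0] != "ethernet" or not MAC_RE.match(hw[1]):
            problems.append(f"host {h['name']}: missing or malformed hardware ethernet address")
        elif hw[1].lower() in seen:
            problems.append(f"host {h['name']}: MAC {hw[1]} already reserved for {seen[hw[1].lower()]}")
        else:
            seen[hw[1].lower()] = h["name"]
        try:
            addr = ipaddress.ip_address(h.get("fixed-address", ""))
        except ValueError:
            continue                                         # hostname: dhcpd resolves it at lease time
        for low, high in pools:
            if low <= addr <= high:
                problems.append(f"host {h['name']}: fixed-address {addr} lies inside dynamic pool {low}-{high}")
    return problems
```

Run it with `for p in check_conf(parse_conf(open("/usr/local/etc/dhcpd.conf").read())): print(p)` before `service isc-dhcpd restart`; on the sample it reports the out-of-subnet range and the reservation that collides with the pool, and nothing else. A hostname in `fixed-address` is deliberately skipped, matching the callout: dhcpd resolves it itself when it builds the lease, so there is nothing to verify offline.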
  </sect1>

  <sect1 xml:id="network-dns">
    <!--
      <sect1info>
        <authorgroup>
          <author>
            <firstname>Chern</firstname>
            <surname>Lee</surname>
            <contrib>Contributed by </contrib>
          </author>

          <author>
            <firstname>Tom</firstname>
            <surname>Rhodes</surname>
          </author>

          <author>
            <firstname>Daniel</firstname>
            <surname>Gerzo</surname>
          </author>
        </authorgroup>
      </sect1info>
    -->
    <title>Domain Name System (<acronym>DNS</acronym>)</title>

    <indexterm><primary>DNS</primary></indexterm>

    <para>Domain Name System (<acronym>DNS</acronym>) is the protocol
      through which domain names are mapped to <acronym>IP</acronym>
      addresses, and vice versa. <acronym>DNS</acronym> is
      coordinated across the Internet through a somewhat complex
      system of authoritative root, Top Level Domain
      (<acronym>TLD</acronym>), and other smaller-scale name servers,
      which host and cache individual domain information. It is not
      necessary to run a name server to perform
      <acronym>DNS</acronym> lookups on a system.</para>

    <indexterm><primary>BIND</primary></indexterm>

    <para>In &os; 10, the Berkeley Internet Name Domain
      (<acronym>BIND</acronym>) has been removed from the base system
      and replaced with Unbound. Unbound as configured in the &os;
      Base is a local caching resolver. <acronym>BIND</acronym> is
      still available from The Ports Collection as <package
        role="port">dns/bind99</package> or <package
        role="port">dns/bind98</package>. In &os; 9 and lower,
      <acronym>BIND</acronym> is included in &os; Base. The &os;
      version provides enhanced security features, a new file system
      layout, and automated &man.chroot.8; configuration.
      <acronym>BIND</acronym> is maintained by the <link
        xlink:href="https://www.isc.org/">Internet Systems
        Consortium</link>.</para>

    <indexterm><primary>resolver</primary></indexterm>
    <indexterm><primary>reverse
      <acronym>DNS</acronym></primary></indexterm>
    <indexterm><primary>root zone</primary></indexterm>

    <para>The following table describes some of the terms associated
      with <acronym>DNS</acronym>:</para>

    <table frame="none" pgwide="1">
      <title><acronym>DNS</acronym> Terminology</title>

      <tgroup cols="2">
        <colspec colwidth="1*"/>
        <colspec colwidth="3*"/>

        <thead>
          <row>
            <entry>Term</entry>
            <entry>Definition</entry>
          </row>
        </thead>

        <tbody>
          <row>
            <entry>Forward <acronym>DNS</acronym></entry>
            <entry>Mapping of hostnames to <acronym>IP</acronym>
              addresses.</entry>
          </row>

          <row>
            <entry>Origin</entry>
            <entry>Refers to the domain covered in a particular zone
              file.</entry>
          </row>

          <row>
            <entry><application>named</application>, BIND</entry>
            <entry>Common names for the BIND name server package
              within &os;.</entry>
          </row>

          <row>
            <entry>Resolver</entry>
            <entry>A system process through which a machine queries
              a name server for zone information.</entry>
          </row>

          <row>
            <entry>Reverse <acronym>DNS</acronym></entry>
            <entry>Mapping of <acronym>IP</acronym> addresses to
              hostnames.</entry>
          </row>

          <row>
            <entry>Root zone</entry>

            <entry>The beginning of the Internet zone hierarchy. All
              zones fall under the root zone, similar to how all files
              in a file system fall under the root directory.</entry>
          </row>

          <row>
            <entry>Zone</entry>
            <entry>An individual domain, subdomain, or portion of the
              <acronym>DNS</acronym> administered by the same
              authority.</entry>
          </row>
        </tbody>
      </tgroup>
    </table>

    <indexterm>
      <primary>zones</primary>
      <secondary>examples</secondary>
    </indexterm>

    <para>Examples of zones:</para>

    <itemizedlist>
      <listitem>
        <para><systemitem>.</systemitem> is how the root zone is
          usually referred to in documentation.</para>
      </listitem>

      <listitem>
        <para><systemitem>org.</systemitem> is a Top Level Domain
          (<acronym>TLD</acronym>) under the root zone.</para>
      </listitem>

      <listitem>
        <para><systemitem
          class="fqdomainname">example.org.</systemitem> is a zone
          under the <systemitem>org.</systemitem>
          <acronym>TLD</acronym>.</para>
      </listitem>

      <listitem>
        <para><systemitem>1.168.192.in-addr.arpa</systemitem> is a
          zone referencing all <acronym>IP</acronym> addresses which
          fall under the <systemitem
          class="ipaddress">192.168.1.*</systemitem>
          <acronym>IP</acronym> address space.</para>
      </listitem>
    </itemizedlist>

    <para>As one can see, the more specific part of a hostname
      appears to its left. For example, <systemitem
      class="fqdomainname">example.org.</systemitem> is more
      specific than <systemitem>org.</systemitem>, as
      <systemitem>org.</systemitem> is more specific than the root
      zone. The layout of each part of a hostname is much like a file
      system: the <filename>/dev</filename> directory falls within the
      root, and so on.</para>

    <sect2>
      <title>Reasons to Run a Name Server</title>

      <para>Name servers generally come in two forms: authoritative
        name servers, and caching (also known as resolving) name
        servers.</para>

      <para>An authoritative name server is needed when:</para>

      <itemizedlist>
        <listitem>
          <para>One wants to serve <acronym>DNS</acronym> information
            to the world, replying authoritatively to queries.</para>
        </listitem>

        <listitem>
          <para>A domain, such as <systemitem
            class="fqdomainname">example.org</systemitem>, is
            registered and <acronym>IP</acronym> addresses need to be
            assigned to hostnames under it.</para>
        </listitem>

        <listitem>
          <para>An <acronym>IP</acronym> address block requires
            reverse <acronym>DNS</acronym> entries
            (<acronym>IP</acronym> to hostname).</para>
        </listitem>

        <listitem>
          <para>A backup or second name server, called a slave, will
            reply to queries.</para>
        </listitem>
      </itemizedlist>

      <para>A caching name server is needed when:</para>

      <itemizedlist>
        <listitem>
          <para>A local <acronym>DNS</acronym> server may cache and
            respond more quickly than querying an outside name
            server.</para>
        </listitem>
      </itemizedlist>

      <para>When one queries for <systemitem
        class="fqdomainname">www.FreeBSD.org</systemitem>, the
        resolver usually queries the uplink <acronym>ISP</acronym>'s
        name server, and retrieves the reply. With a local, caching
        <acronym>DNS</acronym> server, the query only has to be made
        once to the outside world by the caching
        <acronym>DNS</acronym> server. Additional queries will not
        have to go outside the local network, since the information is
        cached locally.</para>
    </sect2>
3159 |
|
3585 |
|
3160 |
<sect2> |
3586 |
<sect2> |
3161 |
<title><acronym>DNS</acronym> Server Configuration in &os; 10.0 |
3587 |
<title><acronym>DNS</acronym> Server Configuration in &os; 10.0 |
3162 |
and Later</title> |
3588 |
and Later</title> |
3163 |
|
3589 |
|
3164 |
<para>In &os; 10.0, <application>BIND</application> has been |
3590 |
<para>In &os; 10.0, <application>BIND</application> has been |
3165 |
replaced with <application>Unbound</application>. |
3591 |
replaced with <application>Unbound</application>. |
3166 |
<application>Unbound</application> is a validating caching |
3592 |
<application>Unbound</application> is a validating caching |
3167 |
resolver only. If an authoritative server is needed, many are |
3593 |
resolver only. If an authoritative server is needed, many are |
3168 |
available from the Ports Collection.</para> |
3594 |
available from the Ports Collection.</para> |
3169 |
|
3595 |
|
3170 |
<para><application>Unbound</application> is provided in the &os; |
3596 |
<para><application>Unbound</application> is provided in the &os; |
3171 |
base system. By default, it will provide |
3597 |
base system. By default, it will provide |
3172 |
<acronym>DNS</acronym> resolution to the local machine only. |
3598 |
<acronym>DNS</acronym> resolution to the local machine only. |
3173 |
While the base system package can be configured to provide |
3599 |
While the base system package can be configured to provide |
3174 |
resolution services beyond the local machine, it is |
3600 |
resolution services beyond the local machine, it is |
3175 |
recommended that such requirements be addressed by installing |
3601 |
recommended that such requirements be addressed by installing |
3176 |
<application>Unbound</application> from the &os; Ports |
3602 |
<application>Unbound</application> from the &os; Ports |
3177 |
Collection.</para> |
3603 |
Collection.</para> |
3178 |
|
3604 |
|
3179 |
<para>To enable <application>Unbound</application>, add the |
3605 |
<para>To enable <application>Unbound</application>, add the |
3180 |
following to <filename>/etc/rc.conf</filename>:</para> |
3606 |
following to <filename>/etc/rc.conf</filename>:</para> |
3181 |
|
3607 |
|
3182 |
<programlisting>local_unbound_enable="YES"</programlisting> |
3608 |
<programlisting>local_unbound_enable="YES"</programlisting> |
3183 |
|
3609 |
|
3184 |
<para>Any existing nameservers in |
3610 |
<para>Any existing nameservers in |
3185 |
<filename>/etc/resolv.conf</filename> will be configured as |
3611 |
<filename>/etc/resolv.conf</filename> will be configured as |
3186 |
forwarders in the new <application>Unbound</application> |
3612 |
forwarders in the new <application>Unbound</application> |
3187 |
configuration.</para> |
3613 |
configuration.</para> |
3188 |
|
3614 |
|
3189 |
<note> |
3615 |
<note> |
3190 |
<para>If any of the listed nameservers do not support |
3616 |
<para>If any of the listed nameservers do not support |
3191 |
<acronym>DNSSEC</acronym>, local <acronym>DNS</acronym> |
3617 |
<acronym>DNSSEC</acronym>, local <acronym>DNS</acronym> |
3192 |
resolution will fail. Be sure to test each nameserver and |
3618 |
resolution will fail. Be sure to test each nameserver and |
3193 |
remove any that fail the test. The following command will |
3619 |
remove any that fail the test. The following command will |
3194 |
show the trust tree or a failure for a nameserver running on |
3620 |
show the trust tree or a failure for a nameserver running on |
3195 |
<systemitem |
3621 |
<systemitem |
3196 |
class="ipaddress">192.168.1.1</systemitem>:</para> |
3622 |
class="ipaddress">192.168.1.1</systemitem>:</para> |
3197 |
</note> |
3623 |
</note> |
3198 |
|
3624 |
|
3199 |
<screen>&prompt.user; <userinput>drill -S FreeBSD.org @<replaceable>192.168.1.1</replaceable></userinput></screen> |
3625 |
<screen>&prompt.user; <userinput>drill -S FreeBSD.org @<replaceable>192.168.1.1</replaceable></userinput></screen> |
3200 |
|
3626 |
|
3201 |
<para>Once each nameserver is confirmed to support |
3627 |
<para>Once each nameserver is confirmed to support |
3202 |
<acronym>DNSSEC</acronym>, start |
3628 |
<acronym>DNSSEC</acronym>, start |
3203 |
<application>Unbound</application>:</para> |
3629 |
<application>Unbound</application>:</para> |
3204 |
|
3630 |
|
3205 |
<screen>&prompt.root; <userinput>service local_unbound onestart</userinput></screen> |
3631 |
<screen>&prompt.root; <userinput>service local_unbound onestart</userinput></screen> |
3206 |
|
3632 |
|
3207 |
<para>This will take care of updating |
3633 |
<para>This will take care of updating |
3208 |
<filename>/etc/resolv.conf</filename> so that queries for |
3634 |
<filename>/etc/resolv.conf</filename> so that queries for |
3209 |
<acronym>DNSSEC</acronym> secured domains will now work. For |
3635 |
<acronym>DNSSEC</acronym> secured domains will now work. For |
3210 |
example, run the following to validate the FreeBSD.org |
3636 |
example, run the following to validate the FreeBSD.org |
3211 |
<acronym>DNSSEC</acronym> trust tree:</para> |
3637 |
<acronym>DNSSEC</acronym> trust tree:</para> |
3212 |
|
3638 |
|
3213 |
<screen>&prompt.user; <userinput>drill -S FreeBSD.org</userinput> |
3639 |
<screen>&prompt.user; <userinput>drill -S FreeBSD.org</userinput> |
3214 |
;; Number of trusted keys: 1 |
3640 |
;; Number of trusted keys: 1 |
3215 |
;; Chasing: freebsd.org. A |
3641 |
;; Chasing: freebsd.org. A |
3216 |
|
3642 |
|
3217 |
DNSSEC Trust tree: |
3643 |
DNSSEC Trust tree: |
3218 |
freebsd.org. (A) |
3644 |
freebsd.org. (A) |
3219 |
|---freebsd.org. (DNSKEY keytag: 36786 alg: 8 flags: 256) |
3645 |
|---freebsd.org. (DNSKEY keytag: 36786 alg: 8 flags: 256) |
3220 |
|---freebsd.org. (DNSKEY keytag: 32659 alg: 8 flags: 257) |
3646 |
|---freebsd.org. (DNSKEY keytag: 32659 alg: 8 flags: 257) |
3221 |
|---freebsd.org. (DS keytag: 32659 digest type: 2) |
3647 |
|---freebsd.org. (DS keytag: 32659 digest type: 2) |
3222 |
|---org. (DNSKEY keytag: 49587 alg: 7 flags: 256) |
3648 |
|---org. (DNSKEY keytag: 49587 alg: 7 flags: 256) |
3223 |
|---org. (DNSKEY keytag: 9795 alg: 7 flags: 257) |
3649 |
|---org. (DNSKEY keytag: 9795 alg: 7 flags: 257) |
3224 |
|---org. (DNSKEY keytag: 21366 alg: 7 flags: 257) |
3650 |
|---org. (DNSKEY keytag: 21366 alg: 7 flags: 257) |
3225 |
|---org. (DS keytag: 21366 digest type: 1) |
3651 |
|---org. (DS keytag: 21366 digest type: 1) |
3226 |
| |---. (DNSKEY keytag: 40926 alg: 8 flags: 256) |
3652 |
| |---. (DNSKEY keytag: 40926 alg: 8 flags: 256) |
3227 |
| |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) |
3653 |
| |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) |
3228 |
|---org. (DS keytag: 21366 digest type: 2) |
3654 |
|---org. (DS keytag: 21366 digest type: 2) |
3229 |
|---. (DNSKEY keytag: 40926 alg: 8 flags: 256) |
3655 |
|---. (DNSKEY keytag: 40926 alg: 8 flags: 256) |
3230 |
|---. (DNSKEY keytag: 19036 alg: 8 flags: 257) |
3656 |
|---. (DNSKEY keytag: 19036 alg: 8 flags: 257) |
3231 |
;; Chase successful</screen> |
3657 |
;; Chase successful</screen> |
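
<para>As an added example for this section (not part of the Handbook
or of the <application>Unbound</application> distribution), the
following <filename>/usr/local/etc/unbound/unbound.conf</filename>
shows how the Ports Collection <application>Unbound</application>
can serve a LAN while still validating <acronym>DNSSEC</acronym>.
The interface address
<systemitem class="ipaddress">192.168.1.10</systemitem>, the
network <literal>192.168.1.0/24</literal>, the forwarder
<systemitem class="ipaddress">192.168.1.1</systemitem> and the
trust-anchor file path are assumptions chosen for illustration.
Every network not listed in <literal>access-control</literal> is
refused, so the server cannot be used as an open resolver for
reflection attacks.</para>

```conf
# /usr/local/etc/unbound/unbound.conf (added example; addresses and
# paths are assumptions for illustration)
server:
	# Listen on the loopback address and on the LAN interface.
	interface: 127.0.0.1
	interface: 192.168.1.10

	# Who may use this resolver.  Anything not listed is refused, which
	# keeps the server from being abused as an open resolver.
	access-control: 127.0.0.0/8 allow
	access-control: 192.168.1.0/24 allow
	access-control: 0.0.0.0/0 refuse
	access-control: ::0/0 refuse

	# Validate DNSSEC against the root trust anchor.  Create the file once
	# with unbound-anchor(8); Unbound keeps it up to date afterwards.
	auto-trust-anchor-file: "/usr/local/etc/unbound/root.key"

	# Do not answer CHAOS queries for the software name and version.
	hide-identity: yes
	hide-version: yes

	# Hardening against spoofed answers and answers with DNSSEC data
	# stripped by a middlebox or forwarder.
	harden-glue: yes
	harden-dnssec-stripped: yes
	use-caps-for-id: yes

# Forward all queries to an uplink resolver that passed the drill -S test
# above.  Remove this block to let Unbound iterate from the root servers.
forward-zone:
	name: "."
	forward-addr: 192.168.1.1
```

<para>Enable the port's service with
<literal>unbound_enable="YES"</literal> in
<filename>/etc/rc.conf</filename> and check the file with
<command>unbound-checkconf</command> before starting it. Do not
run the base system <literal>local_unbound</literal> service at
the same time; both would try to bind port 53 on the loopback
address.</para>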
3232 |
</sect2>

<sect2>
<title>DNS Server Configuration in &os;
9.<replaceable>X</replaceable></title>

<para>In &os;, the BIND daemon is called
<application>named</application>.</para>

<informaltable frame="none" pgwide="1">
<tgroup cols="2">
<thead>
<row>
<entry>File</entry>
<entry>Description</entry>
</row>
</thead>

<tbody>
<row>
<entry>&man.named.8;</entry>
<entry>The BIND daemon.</entry>
</row>

<row>
<entry>&man.rndc.8;</entry>
<entry>Name server control utility.</entry>
</row>

<row>
<entry><filename>/etc/namedb</filename></entry>
<entry>Directory where BIND zone information
resides.</entry>
</row>

<row>
<entry><filename>/etc/namedb/named.conf</filename></entry>
<entry>Configuration file of the daemon.</entry>
</row>
</tbody>
</tgroup>
</informaltable>

<para>Depending on how a given zone is configured on the server,
the files related to that zone can be found in the
<filename>master</filename>,
<filename>slave</filename>, or
<filename>dynamic</filename> subdirectories
of the <filename>/etc/namedb</filename>
directory. These files contain the <acronym>DNS</acronym>
information that will be given out by the name server in
response to queries.</para>

<sect3>
<title>Starting BIND</title>

<indexterm>
<primary>BIND</primary>
<secondary>starting</secondary>
</indexterm>

<para>Since BIND is installed by default, configuring it is
relatively simple.</para>

<para>The default <application>named</application>
configuration is that of a basic resolving name server,
running in a &man.chroot.8; environment, and restricted to
listening on the local IPv4 loopback address (127.0.0.1).
To start the server one time with this configuration, use
the following command:</para>

<screen>&prompt.root; <userinput>service named onestart</userinput></screen>

<para>To ensure the <application>named</application> daemon is
started at boot each time, put the following line into
<filename>/etc/rc.conf</filename>:</para>

<programlisting>named_enable="YES"</programlisting>

<para>There are many configuration options for
<filename>/etc/namedb/named.conf</filename> that are beyond
the scope of this document. Other startup options for
<application>named</application> on &os; can be found in the
<literal>named_<replaceable>*</replaceable></literal> flags
in <filename>/etc/defaults/rc.conf</filename> and in
&man.rc.conf.5;. The <xref linkend="configtuning-rcd"/>
section is also a good read.</para>
</sect3>

<sect3>
<title>Configuration Files</title>

<indexterm>
<primary>BIND</primary>
<secondary>configuration files</secondary>
</indexterm>

<para>Configuration files for <application>named</application>
currently reside in the <filename>/etc/namedb</filename>
directory and will need modification before use unless all
that is needed is a simple resolver. This is where most of
the configuration will be performed.</para>

<sect4>
<title><filename>/etc/namedb/named.conf</filename></title>

<programlisting>// $FreeBSD$
//
// Refer to the named.conf(5) and named(8) man pages, and the documentation
// in /usr/share/doc/bind9 for more details.
//
// If you are going to set up an authoritative server, make sure you
// understand the hairy details of how DNS works. Even with
// simple mistakes, you can break connectivity for affected parties,
// or cause huge amounts of useless Internet traffic.

options {
	// All file and path names are relative to the chroot directory,
	// if any, and should be fully qualified.
	directory "/etc/namedb/working";
	pid-file "/var/run/named/pid";
	dump-file "/var/dump/named_dump.db";
	statistics-file "/var/stats/named.stats";

	// If named is being used only as a local resolver, this is a safe default.
	// For named to be accessible to the network, comment this option, specify
	// the proper IP address, or delete this option.
	listen-on { 127.0.0.1; };

	// If you have IPv6 enabled on this system, uncomment this option for
	// use as a local resolver. To give access to the network, specify
	// an IPv6 address, or the keyword "any".
	// listen-on-v6 { ::1; };

	// These zones are already covered by the empty zones listed below.
	// If you remove the related empty zones below, comment these lines out.
	disable-empty-zone "255.255.255.255.IN-ADDR.ARPA";
	disable-empty-zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";
	disable-empty-zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";

	// If you have a DNS server around at your upstream provider, enter
	// its IP address here, and enable the line below. This will make you
	// benefit from its cache, thus reduce overall DNS traffic in the Internet.
	/*
	forwarders {
		127.0.0.1;
	};
	*/

	// If the 'forwarders' clause is not empty the default is to 'forward first'
	// which will fall back to sending a query from your local server if the name
	// servers in 'forwarders' do not have the answer. Alternatively you can
	// force your name server to never initiate queries of its own by enabling the
	// following line:
	// forward only;

	// If you wish to have forwarding configured automatically based on
	// the entries in /etc/resolv.conf, uncomment the following line and
	// set named_auto_forward=yes in /etc/rc.conf. You can also enable
	// named_auto_forward_only (the effect of which is described above).
	// include "/etc/namedb/auto_forward.conf";</programlisting>

<para>Just as the comment says, to benefit from an uplink's
cache, <literal>forwarders</literal> can be enabled here.
Under normal circumstances, a recursive name server walks the
delegation chain itself, starting at the root servers and
following referrals until it reaches a server that is
authoritative for the name. With forwarders enabled, it sends
the query to the uplink's name server (or whichever name
server is listed) first, taking advantage of that server's
cache. If the uplink name server in question is a heavily
trafficked, fast name server, enabling this may be worthwhile.
Every answer a forwarder returns is accepted into the local
cache, so the forwarder must be trusted as much as the local
server itself unless <acronym>DNSSEC</acronym> validation is
enabled locally.</para>

<warning>
<para><systemitem class="ipaddress">127.0.0.1</systemitem>
will <emphasis>not</emphasis> work here, since the server
would be forwarding queries to itself. Change this
<acronym>IP</acronym> address to a name server at the
uplink.</para>
</warning>
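
<para>When <literal>listen-on</literal> is widened beyond the
loopback address, the server must also be told who is allowed
to recurse through it. Otherwise it becomes an open resolver
that anyone on the Internet can use for reflection attacks and
cache-poisoning attempts. The following fragment is an added
example for this section, not part of the default
<filename>named.conf</filename> or of the BIND documentation,
and it assumes BIND 9.8 or later (the version shipped with
&os; 9.<replaceable>X</replaceable>) for
<literal>dnssec-validation auto</literal>. The address
<systemitem class="ipaddress">192.168.1.10</systemitem>, the
network <literal>192.168.1.0/24</literal> and the forwarder
<systemitem class="ipaddress">192.168.1.1</systemitem> are
assumptions for illustration. The weak setting is shown first,
commented out, beside the corrected one.</para>

```conf
// Added example (not from the default /etc/namedb/named.conf).
// Addresses are assumptions for illustration.

// WEAK: listening on every address without restricting recursion turns
// this server into an open resolver.  Kept commented out on purpose.
/*
options {
	directory "/etc/namedb/working";
	listen-on { any; };
};
*/

// CORRECTED: listen on the LAN address, recurse only for the LAN, refuse
// zone transfers and version disclosure, and validate DNSSEC.
acl "lan" { 127.0.0.0/8; 192.168.1.0/24; };

options {
	directory "/etc/namedb/working";
	pid-file "/var/run/named/pid";

	listen-on { 127.0.0.1; 192.168.1.10; };

	// Queries, recursion and cache reads only from the named networks;
	// everything else is answered with REFUSED.
	allow-query { lan; };
	allow-recursion { lan; };
	allow-query-cache { lan; };

	// A caching resolver has no zones worth transferring.
	allow-transfer { none; };

	// Do not disclose the BIND version to CHAOS class queries.
	version "none";

	// Validate answers against the built-in root trust anchor.
	dnssec-enable yes;
	dnssec-validation auto;

	// Optional: forward to a tested uplink resolver instead of iterating.
	// 127.0.0.1 will not work here, as the warning above explains.
	forwarders { 192.168.1.1; };

	// Leave query-source unset so every outgoing query uses a random
	// source port, as the comment in the next listing recommends.
};
```

<para>Check the syntax with <command>named-checkconf</command>,
then confirm from a host outside the listed networks that a
recursive query such as <userinput>dig
@<replaceable>192.168.1.10</replaceable>
www.FreeBSD.org</userinput> is answered with
<literal>REFUSED</literal> rather than with an address.</para>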
3411 |
3412 |
<programlisting>	/*
	   Modern versions of BIND use a random <acronym>UDP</acronym> port for each outgoing
	   query by default in order to dramatically reduce the possibility
	   of cache poisoning. All users are strongly encouraged to utilize
	   this feature, and to configure their firewalls to accommodate it.

	   AS A LAST RESORT in order to get around a restrictive firewall
	   policy you can try enabling the option below. Use of this option
	   will significantly reduce your ability to withstand cache poisoning
	   attacks, and should be avoided if at all possible.

	   Replace NNNNN in the example with a number between 49160 and 65530.
	*/
	// query-source address * port NNNNN;
};

// If you enable a local name server, do not forget to enter 127.0.0.1
// first in your /etc/resolv.conf so this server will be queried.
// Also, make sure to enable it in /etc/rc.conf.

// The traditional root hints mechanism. Use this, OR the slave zones below.
zone "." { type hint; file "/etc/namedb/named.root"; };

/* Slaving the following zones from the root name servers has some
   significant advantages:
   1. Faster local resolution for your users
   2. No spurious traffic will be sent from your network to the roots
   3. Greater resilience to any potential root server failure/DDoS

   On the other hand, this method requires more monitoring than the
   hints file to be sure that an unexpected failure mode has not
   incapacitated your server. Name servers that are serving a lot
   of clients will benefit more from this approach than individual
   hosts. Use with caution.

   To use this mechanism, uncomment the entries below, and comment
   the hint zone above.

   As documented at http://dns.icann.org/services/axfr/ these zones:
   "." (the root), ARPA, IN-ADDR.ARPA, IP6.ARPA, and ROOT-SERVERS.NET
   are available for AXFR from these servers on IPv4 and IPv6:
   xfr.lax.dns.icann.org, xfr.cjr.dns.icann.org
*/
/*
zone "." {
	type slave;
	file "/etc/namedb/slave/root.slave";
	masters {
		192.5.5.241;	// F.ROOT-SERVERS.NET.
	};
	notify no;
};
zone "arpa" {
	type slave;
	file "/etc/namedb/slave/arpa.slave";
	masters {
		192.5.5.241;	// F.ROOT-SERVERS.NET.
	};
	notify no;
};
*/

/* Serving the following zones locally will prevent any queries
   for these zones leaving your network and going to the root
   name servers. This has two significant advantages:
   1. Faster local resolution for your users
   2. No spurious traffic will be sent from your network to the roots
*/
// RFCs 1912 and 5735 (and BCP 32 for localhost)
zone "localhost" { type master; file "/etc/namedb/master/localhost-forward.db"; };
zone "127.in-addr.arpa" { type master; file "/etc/namedb/master/localhost-reverse.db"; };
zone "255.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };

// RFC 1912-style zone for IPv6 localhost address
zone "0.ip6.arpa" { type master; file "/etc/namedb/master/localhost-reverse.db"; };

// "This" Network (RFCs 1912 and 5735)
zone "0.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };

// Private Use Networks (RFCs 1918 and 5735)
zone "10.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
zone "16.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
zone "17.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
zone "18.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
zone "19.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
zone "20.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
zone "21.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
zone "22.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
zone "23.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
zone "24.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
zone "25.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
zone "26.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
zone "27.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
zone "28.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
zone "29.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
zone "30.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
zone "31.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
3934 |
zone "31.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
3509 |
zone "168.192.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
3935 |
zone "168.192.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
3510 |
|
3936 |
|
3511 |
// Link-local/APIPA (RFCs 3927 and 5735) |
3937 |
// Link-local/APIPA (RFCs 3927 and 5735) |
3512 |
zone "254.169.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
3938 |
zone "254.169.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
3513 |
|
3939 |
|
3514 |
// IETF protocol assignments (RFCs 5735 and 5736) |
3940 |
// IETF protocol assignments (RFCs 5735 and 5736) |
3515 |
zone "0.0.192.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
3941 |
zone "0.0.192.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
3516 |
|
3942 |
|
3517 |
// TEST-NET-[1-3] for Documentation (RFCs 5735 and 5737) |
3943 |
// TEST-NET-[1-3] for Documentation (RFCs 5735 and 5737) |
3518 |
zone "2.0.192.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
3944 |
zone "2.0.192.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
3519 |
zone "100.51.198.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
3945 |
zone "100.51.198.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
3520 |
zone "113.0.203.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
3946 |
zone "113.0.203.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
3521 |
|
3947 |
|
3522 |
// IPv6 Range for Documentation (RFC 3849) |
3948 |
// IPv6 Range for Documentation (RFC 3849) |
3523 |
zone "8.b.d.0.1.0.0.2.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
3949 |
zone "8.b.d.0.1.0.0.2.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
3524 |
|
3950 |
|
3525 |
// Domain Names for Documentation and Testing (BCP 32) |
3951 |
// Domain Names for Documentation and Testing (BCP 32) |
3526 |
zone "test" { type master; file "/etc/namedb/master/empty.db"; }; |
3952 |
zone "test" { type master; file "/etc/namedb/master/empty.db"; }; |
3527 |
zone "example" { type master; file "/etc/namedb/master/empty.db"; }; |
3953 |
zone "example" { type master; file "/etc/namedb/master/empty.db"; }; |
3528 |
zone "invalid" { type master; file "/etc/namedb/master/empty.db"; }; |
3954 |
zone "invalid" { type master; file "/etc/namedb/master/empty.db"; }; |
3529 |
zone "example.com" { type master; file "/etc/namedb/master/empty.db"; }; |
3955 |
zone "example.com" { type master; file "/etc/namedb/master/empty.db"; }; |
3530 |
zone "example.net" { type master; file "/etc/namedb/master/empty.db"; }; |
3956 |
zone "example.net" { type master; file "/etc/namedb/master/empty.db"; }; |
3531 |
zone "example.org" { type master; file "/etc/namedb/master/empty.db"; }; |
3957 |
zone "example.org" { type master; file "/etc/namedb/master/empty.db"; }; |
3532 |
|
3958 |
|
3533 |
// Router Benchmark Testing (RFCs 2544 and 5735) |
3959 |
// Router Benchmark Testing (RFCs 2544 and 5735) |
3534 |
zone "18.198.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
3960 |
zone "18.198.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
3535 |
zone "19.198.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
3961 |
zone "19.198.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
3536 |
|
3962 |
|
3537 |
// IANA Reserved - Old Class E Space (RFC 5735) |
3963 |
// IANA Reserved - Old Class E Space (RFC 5735) |
3538 |
zone "240.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
3964 |
zone "240.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
3539 |
zone "241.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
3965 |
zone "241.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
3540 |
zone "242.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
3966 |
zone "242.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
3541 |
zone "243.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
3967 |
zone "243.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
3542 |
zone "244.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
3968 |
zone "244.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
3543 |
zone "245.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
3969 |
zone "245.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
3544 |
zone "246.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
3970 |
zone "246.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
3545 |
zone "247.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
3971 |
zone "247.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
3546 |
zone "248.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
3972 |
zone "248.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
3547 |
zone "249.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
3973 |
zone "249.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
3548 |
zone "250.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
3974 |
zone "250.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
3549 |
zone "251.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
3975 |
zone "251.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
3550 |
zone "252.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
3976 |
zone "252.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
3551 |
zone "253.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
3977 |
zone "253.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
3552 |
zone "254.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
3978 |
zone "254.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
3553 |
|
3979 |
|
3554 |
// IPv6 Unassigned Addresses (RFC 4291) |
3980 |
// IPv6 Unassigned Addresses (RFC 4291) |
3555 |
zone "1.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
3981 |
zone "1.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
3556 |
zone "3.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
3982 |
zone "3.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
3557 |
zone "4.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
3983 |
zone "4.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
3558 |
zone "5.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
3984 |
zone "5.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
3559 |
zone "6.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
3985 |
zone "6.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
3560 |
zone "7.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
3986 |
zone "7.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
3561 |
zone "8.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
3987 |
zone "8.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
3562 |
zone "9.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
3988 |
zone "9.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
3563 |
zone "a.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
3989 |
zone "a.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
3564 |
zone "b.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
3990 |
zone "b.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
3565 |
zone "c.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
3991 |
zone "c.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
3566 |
zone "d.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
3992 |
zone "d.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
3567 |
zone "e.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
3993 |
zone "e.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
3568 |
zone "0.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
3994 |
zone "0.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
3569 |
zone "1.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
3995 |
zone "1.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
3570 |
zone "2.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
3996 |
zone "2.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
3571 |
zone "3.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
3997 |
zone "3.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
3572 |
zone "4.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
3998 |
zone "4.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
3573 |
zone "5.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
3999 |
zone "5.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
3574 |
zone "6.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
4000 |
zone "6.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
3575 |
zone "7.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
4001 |
zone "7.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
3576 |
zone "8.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
4002 |
zone "8.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
3577 |
zone "9.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
4003 |
zone "9.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
3578 |
zone "a.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
4004 |
zone "a.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
3579 |
zone "b.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
4005 |
zone "b.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
3580 |
zone "0.e.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
4006 |
zone "0.e.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
3581 |
zone "1.e.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
4007 |
zone "1.e.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
3582 |
zone "2.e.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
4008 |
zone "2.e.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
3583 |
zone "3.e.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
4009 |
zone "3.e.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
3584 |
zone "4.e.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
4010 |
zone "4.e.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
3585 |
zone "5.e.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
4011 |
zone "5.e.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
3586 |
zone "6.e.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
4012 |
zone "6.e.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
3587 |
zone "7.e.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
4013 |
zone "7.e.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
3588 |
|
4014 |
|
3589 |
// IPv6 ULA (RFC 4193) |
4015 |
// IPv6 ULA (RFC 4193) |
3590 |
zone "c.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
4016 |
zone "c.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
3591 |
zone "d.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
4017 |
zone "d.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
3592 |
|
4018 |
|
3593 |
// IPv6 Link Local (RFC 4291) |
4019 |
// IPv6 Link Local (RFC 4291) |
3594 |
zone "8.e.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
4020 |
zone "8.e.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
3595 |
zone "9.e.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
4021 |
zone "9.e.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
3596 |
zone "a.e.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
4022 |
zone "a.e.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
3597 |
zone "b.e.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
4023 |
zone "b.e.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
3598 |
|
4024 |
|
3599 |
// IPv6 Deprecated Site-Local Addresses (RFC 3879) |
4025 |
// IPv6 Deprecated Site-Local Addresses (RFC 3879) |
3600 |
zone "c.e.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
4026 |
zone "c.e.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
3601 |
zone "d.e.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
4027 |
zone "d.e.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
3602 |
zone "e.e.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
4028 |
zone "e.e.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
3603 |
zone "f.e.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
4029 |
zone "f.e.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; |
3604 |
|
4030 |
|
3605 |
// IP6.INT is Deprecated (RFC 4159) |
4031 |
// IP6.INT is Deprecated (RFC 4159) |
3606 |
zone "ip6.int" { type master; file "/etc/namedb/master/empty.db"; }; |
4032 |
zone "ip6.int" { type master; file "/etc/namedb/master/empty.db"; }; |
3607 |
|
4033 |
|
3608 |
// NB: Do not use the IP addresses below, they are faked, and only |
4034 |
// NB: Do not use the IP addresses below, they are faked, and only |
3609 |
// serve demonstration/documentation purposes! |
4035 |
// serve demonstration/documentation purposes! |
3610 |
// |
4036 |
// |
3611 |
// Example slave zone config entries. It can be convenient to become |
4037 |
// Example slave zone config entries. It can be convenient to become |
3612 |
// a slave at least for the zone your own domain is in. Ask |
4038 |
// a slave at least for the zone your own domain is in. Ask |
3613 |
// your network administrator for the IP address of the responsible |
4039 |
// your network administrator for the IP address of the responsible |
3614 |
// master name server. |
4040 |
// master name server. |
3615 |
// |
4041 |
// |
3616 |
// Do not forget to include the reverse lookup zone! |
4042 |
// Do not forget to include the reverse lookup zone! |
3617 |
// This is named after the first bytes of the IP address, in reverse |
4043 |
// This is named after the first bytes of the IP address, in reverse |
3618 |
// order, with ".IN-ADDR.ARPA" appended, or ".IP6.ARPA" for IPv6. |
4044 |
// order, with ".IN-ADDR.ARPA" appended, or ".IP6.ARPA" for IPv6. |
3619 |
// |
4045 |
// |
3620 |
// Before starting to set up a master zone, make sure you fully |
4046 |
// Before starting to set up a master zone, make sure you fully |
3621 |
// understand how DNS and BIND work. There are sometimes |
4047 |
// understand how DNS and BIND work. There are sometimes |
3622 |
// non-obvious pitfalls. Setting up a slave zone is usually simpler. |
4048 |
// non-obvious pitfalls. Setting up a slave zone is usually simpler. |
3623 |
// |
4049 |
// |
3624 |
// NB: Do not blindly enable the examples below. :-) Use actual names |
4050 |
// NB: Don't blindly enable the examples below. :-) Use actual names |
3625 |
// and addresses instead. |
4051 |
// and addresses instead. |
3626 |
|
4052 |
|
3627 |
/* An example dynamic zone |
4053 |
/* An example dynamic zone |
3628 |
key "exampleorgkey" { |
4054 |
key "exampleorgkey" { |
3629 |
algorithm hmac-md5; |
4055 |
algorithm hmac-md5; |
3630 |
secret "sf87HJqjkqh8ac87a02lla=="; |
4056 |
secret "sf87HJqjkqh8ac87a02lla=="; |
3631 |
}; |
4057 |
}; |
3632 |
zone "example.org" { |
4058 |
zone "example.org" { |
3633 |
type master; |
4059 |
type master; |
3634 |
allow-update { |
4060 |
allow-update { |
3635 |
key "exampleorgkey"; |
4061 |
key "exampleorgkey"; |
3636 |
}; |
4062 |
}; |
3637 |
file "/etc/namedb/dynamic/example.org"; |
4063 |
file "/etc/namedb/dynamic/example.org"; |
3638 |
}; |
4064 |
}; |
3639 |
*/ |
4065 |
*/ |
3640 |
|
4066 |
|
3641 |
/* Example of a slave reverse zone |
4067 |
/* Example of a slave reverse zone |
3642 |
zone "1.168.192.in-addr.arpa" { |
4068 |
zone "1.168.192.in-addr.arpa" { |
3643 |
type slave; |
4069 |
type slave; |
3644 |
file "/etc/namedb/slave/1.168.192.in-addr.arpa"; |
4070 |
file "/etc/namedb/slave/1.168.192.in-addr.arpa"; |
3645 |
masters { |
4071 |
masters { |
3646 |
192.168.1.1; |
4072 |
192.168.1.1; |
3647 |
}; |
4073 |
}; |
3648 |
}; |
4074 |
}; |
3649 |
*/</programlisting> |
4075 |
*/</programlisting> |
3650 |
|
4076 |
|
3651 |
<para>In <filename>named.conf</filename>, these are examples |
4077 |
<para>In <filename>named.conf</filename>, these are examples |
3652 |
of slave entries for a forward and reverse zone.</para> |
4078 |
of slave entries for a forward and reverse zone.</para> |
3653 |
|
4079 |
|
3654 |
<para>For each new zone served, a new zone entry must be |
4080 |
<para>For each new zone served, a new zone entry must be |
3655 |
added to <filename>named.conf</filename>.</para> |
4081 |
added to <filename>named.conf</filename>.</para> |
3656 |
|
4082 |
|
3657 |
<para>For example, the simplest zone entry for |
4083 |
<para>For example, the simplest zone entry for |
3658 |
<systemitem class="fqdomainname">example.org</systemitem> |
4084 |
<systemitem class="fqdomainname">example.org</systemitem> |
3659 |
can look like:</para> |
4085 |
can look like:</para> |
3660 |
|
4086 |
|
3661 |
<programlisting>zone "example.org" { |
4087 |
<programlisting>zone "example.org" { |
3662 |
type master; |
4088 |
type master; |
3663 |
file "master/example.org"; |
4089 |
file "master/example.org"; |
3664 |
};</programlisting> |
4090 |
};</programlisting> |
3665 |
|
4091 |
|
3666 |
<para>The zone is a master, as indicated by the |
4092 |
<para>The zone is a master, as indicated by the |
3667 |
<option>type</option> statement, holding its zone |
4093 |
<option>type</option> statement, holding its zone |
3668 |
information in |
4094 |
information in |
3669 |
<filename>/etc/namedb/master/example.org</filename> |
4095 |
<filename>/etc/namedb/master/example.org</filename> |
3670 |
indicated by the <option>file</option> statement.</para> |
4096 |
indicated by the <option>file</option> statement.</para> |
3671 |
|
4097 |
|
3672 |
<programlisting>zone "example.org" { |
4098 |
<programlisting>zone "example.org" { |
3673 |
type slave; |
4099 |
type slave; |
3674 |
file "slave/example.org"; |
4100 |
file "slave/example.org"; |
3675 |
};</programlisting> |
4101 |
};</programlisting> |
3676 |
|
4102 |
|
3677 |
<para>In the slave case, the zone information is transferred |
4103 |
<para>In the slave case, the zone information is transferred |
3678 |
from the master name server for the particular zone, and |
4104 |
from the master name server for the particular zone, and |
3679 |
saved in the file specified. If and when the master |
4105 |
saved in the file specified. If and when the master |
3680 |
server dies or is unreachable, the slave name server will |
4106 |
server dies or is unreachable, the slave name server will |
3681 |
have the transferred zone information and will be able to |
4107 |
have the transferred zone information and will be able to |
3682 |
serve it.</para> |
4108 |
serve it.</para> |
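<para>The following is an added example (not part of the Handbook
or of <application>BIND</application>) that derives reverse-zone
names the way the comment in the listing describes, expands a
network block into the zones needed to cover it on a label
boundary, regenerates the empty-zone statements from the address
ranges cited in the listing's comments, and reports which local
zone absorbs a <acronym>PTR</acronym> query for a given address,
so that lookups for private or reserved addresses never leak to
the Internet.  The network lists and sample addresses are
constructed for the example; the unassigned IPv6 blocks are left
out.</para>

```python
"""Reverse-zone helpers for the empty-zone list in named.conf.

Added example, not part of the FreeBSD Handbook or of BIND.  The name
of a reverse zone is the address's labels in reverse order (octets for
IPv4, hex nibbles for IPv6) with .in-addr.arpa or .ip6.arpa appended,
so a zone can only start on a label boundary: 172.16.0.0/12 needs the
sixteen /16 zones 16.172 through 31.172 that the listing spells out.
The network lists and sample addresses below are constructed for this
example; the listing's unassigned IPv6 blocks are left out.
"""
import ipaddress

EMPTY_FILE = "/etc/namedb/master/empty.db"

# Ranges the listing serves from empty.db, taken from the RFCs its
# comments cite (1918, 3927, 5735-5737, 3849, 4193, 4291, 3879, 2544).
EMPTY_NETWORKS = [
    "0.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "192.0.0.0/24", "192.0.2.0/24", "198.51.100.0/24",
    "203.0.113.0/24", "198.18.0.0/15", "240.0.0.0/4",
    "2001:db8::/32", "fc00::/7", "fe80::/10", "fec0::/10",
]
# Ranges served from localhost-reverse.db (127/8 and ::/4, which holds ::1).
LOCALHOST_NETWORKS = ["127.0.0.0/8", "::/4"]


def reverse_name(addr):
    """Owner name of the PTR record for a single address."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return ".".join(reversed(str(ip).split("."))) + ".in-addr.arpa"
    nibbles = ip.exploded.replace(":", "")  # 32 hex digits, zero padded
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def reverse_zone(network):
    """Reverse zone for a block whose prefix ends on a label boundary
    (a multiple of 8 bits for IPv4, of 4 bits for IPv6)."""
    net = ipaddress.ip_network(network, strict=True)
    bits_per_label = 8 if net.version == 4 else 4
    if net.prefixlen % bits_per_label:
        raise ValueError(f"{network}: prefix not on a label boundary")
    labels = reverse_name(str(net.network_address)).split(".")
    keep = net.prefixlen // bits_per_label      # address labels to keep
    return ".".join(labels[-(keep + 2):])       # plus the two arpa labels


def reverse_zones(network):
    """All zones needed to cover a block, splitting it on label boundaries."""
    net = ipaddress.ip_network(network, strict=True)
    bits_per_label = 8 if net.version == 4 else 4
    aligned = -(-net.prefixlen // bits_per_label) * bits_per_label  # round up
    return [reverse_zone(str(sub)) for sub in net.subnets(new_prefix=aligned)]


def zone_statements(networks, zone_file=EMPTY_FILE):
    """named.conf zone statements in the one-line form used by the listing."""
    return [f'zone "{zone}" {{ type master; file "{zone_file}"; }};'
            for network in networks for zone in reverse_zones(network)]


def covering_zone(addr):
    """Longest locally served zone containing addr's PTR name, or None if
    the query would have to be sent out to the Internet."""
    name = reverse_name(addr)
    zones = [zone for network in EMPTY_NETWORKS + LOCALHOST_NETWORKS
             for zone in reverse_zones(network)]
    hits = [z for z in zones if name == z or name.endswith("." + z)]
    return max(hits, key=lambda z: z.count(".")) if hits else None


if __name__ == "__main__":
    for line in zone_statements(["172.16.0.0/12", "fe80::/10"]):
        print(line)
    for sample in ("10.1.2.3", "198.51.100.7", "fd12:3456::1", "8.8.8.8"):
        print(sample, "->", covering_zone(sample))
```

<para>Running the block prints the sixteen
<literal>172.16/12</literal> and four link-local zone statements
in exactly the form used in the listing, which makes it a quick
way to regenerate or audit the list; an address for which
<literal>covering_zone()</literal> returns <literal>None</literal>
is one whose reverse lookup leaves the resolver.</para>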
3683 |
</sect4> |
4109 |
</sect4> |
3684 |
|
4110 |
|
3685 |
<sect4> |
4111 |
<sect4> |
3686 |
<title>Zone Files</title> |
4112 |
<title>Zone Files</title> |
3687 |
|
4113 |
|
3688 |
<indexterm> |
4114 |
<indexterm> |
3689 |
<primary>BIND</primary> |
4115 |
<primary>BIND</primary> |
3690 |
<secondary>zone files</secondary> |
4116 |
<secondary>zone files</secondary> |
3691 |
</indexterm> |
4117 |
</indexterm> |
3692 |
|
4118 |
|
3693 |
<para>An example master zone file for |
4119 |
<para>An example master zone file for |
3694 |
<systemitem class="fqdomainname">example.org</systemitem> |
4120 |
<systemitem class="fqdomainname">example.org</systemitem> |
3695 |
(existing within |
4121 |
(existing within |
3696 |
<filename>/etc/namedb/master/example.org</filename>) is as |
4122 |
<filename>/etc/namedb/master/example.org</filename>) is as |
3697 |
follows:</para> |
4123 |
follows:</para> |
3698 |
|
4124 |
|
3699 |
<programlisting>$TTL 3600 ; 1 hour default TTL |
4125 |
<programlisting>$TTL 3600 ; 1 hour default TTL |
3700 |
example.org. IN SOA ns1.example.org. admin.example.org. ( |
4126 |
example.org. IN SOA ns1.example.org. admin.example.org. ( |
3701 |
2006051501 ; Serial |
4127 |
2006051501 ; Serial |
3702 |
10800 ; Refresh |
4128 |
10800 ; Refresh |
3703 |
3600 ; Retry |
4129 |
3600 ; Retry |
3704 |
604800 ; Expire |
4130 |
604800 ; Expire |
3705 |
300 ; Negative Response TTL |
4131 |
300 ; Negative Response TTL |
3706 |
) |
4132 |
) |
3707 |
|
4133 |
|
3708 |
; DNS Servers |
4134 |
; DNS Servers |
3709 |
IN NS ns1.example.org. |
4135 |
IN NS ns1.example.org. |
3710 |
IN NS ns2.example.org. |
4136 |
IN NS ns2.example.org. |
3711 |
|
4137 |
|
3712 |
; MX Records |
4138 |
; MX Records |
3713 |
IN MX 10 mx.example.org. |
4139 |
IN MX 10 mx.example.org. |
3714 |
IN MX 20 mail.example.org. |
4140 |
IN MX 20 mail.example.org. |
3715 |
|
4141 |
|
3716 |
IN A 192.168.1.1 |
4142 |
IN A 192.168.1.1 |
3717 |
|
4143 |
|
3718 |
; Machine Names |
4144 |
; Machine Names |
3719 |
localhost IN A 127.0.0.1 |
4145 |
localhost IN A 127.0.0.1 |
3720 |
ns1 IN A 192.168.1.2 |
4146 |
ns1 IN A 192.168.1.2 |
3721 |
ns2 IN A 192.168.1.3 |
4147 |
ns2 IN A 192.168.1.3 |
3722 |
mx IN A 192.168.1.4 |
4148 |
mx IN A 192.168.1.4 |
3723 |
mail IN A 192.168.1.5 |
4149 |
mail IN A 192.168.1.5 |
3724 |
|
4150 |
|
3725 |
; Aliases |
4151 |
; Aliases |
3726 |
www IN CNAME example.org.</programlisting> |
4152 |
www IN CNAME example.org.</programlisting> |
3727 |
|
4153 |
|
3728 |
<para>Note that every hostname ending in a <quote>.</quote> |
4154 |
<para>Note that every hostname ending in a <quote>.</quote> |
3729 |
is an exact hostname, whereas everything without a |
4155 |
is an exact hostname, whereas everything without a |
3730 |
trailing <quote>.</quote> is relative to the origin. For |
4156 |
trailing <quote>.</quote> is relative to the origin. For |
3731 |
example, <literal>ns1</literal> is translated into |
4157 |
example, <literal>ns1</literal> is translated into |
3732 |
<literal>ns1.<replaceable>example.org.</replaceable></literal></para> |
4158 |
<literal>ns1.<replaceable>example.org.</replaceable></literal></para> |
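<para>The following is an added example (not part of the Handbook
or of <application>BIND</application>): a minimal parser for the
zone file above that applies the trailing-dot and blank-owner
rules, folds the parenthesised <acronym>SOA</acronym>, and then
checks that every <acronym>NS</acronym>, <acronym>MX</acronym>
and <acronym>CNAME</acronym> target inside the zone has an A
record, since a target without one is a lame name server or a
dead mail exchanger.  <literal>SAMPLE_ZONE</literal> is a copy
of the listing; the helper names are the example's own.</para>

```python
"""Minimal parser for the master zone file shown above.

Added example, not part of the FreeBSD Handbook or of BIND.  It applies
the two rules the text gives (a name ending in "." is absolute, any
other name has the origin appended; a blank owner field repeats the
previous owner), folds the parenthesised multi-line SOA, strips ";"
comments, and flags NS, MX and CNAME targets inside the zone that have
no A record.  SAMPLE_ZONE is the listing above, with the leading
whitespace that its owner-less records need; the rest is constructed.
"""

SAMPLE_ZONE = """\
$TTL 3600 ; 1 hour default TTL
example.org. IN SOA ns1.example.org. admin.example.org. (
                2006051501 ; Serial
                10800      ; Refresh
                3600       ; Retry
                604800     ; Expire
                300 )      ; Negative Response TTL
; DNS Servers
        IN NS  ns1.example.org.
        IN NS  ns2.example.org.
        IN MX  10 mx.example.org.
        IN MX  20 mail.example.org.
        IN A   192.168.1.1
; Machine Names
localhost IN A 127.0.0.1
ns1     IN A 192.168.1.2
ns2     IN A 192.168.1.3
mx      IN A 192.168.1.4
mail    IN A 192.168.1.5
www     IN CNAME example.org.
"""

# Positions of domain names in the rdata of each record type.
NAME_FIELDS = {"NS": (0,), "CNAME": (0,), "PTR": (0,), "MX": (1,), "SOA": (0, 1)}


def qualify(name, origin):
    """Trailing-dot rule: absolute names stay, relative ones get the origin."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def logical_lines(text):
    """Strip ; comments and join lines inside ( ), keeping leading whitespace."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth == 0:
            yield " ".join(buf)
            buf = []


def parse_zone(text, origin):
    """Return (default_ttl, records); a record is (owner, ttl, type, rdata)."""
    origin = origin.rstrip(".") + "."
    default_ttl, owner, records = None, None, []
    for line in logical_lines(text):
        tokens = line.split()
        if not tokens:
            continue
        if tokens[0] == "$TTL":
            default_ttl = int(tokens[1])
            continue
        if not line[0].isspace():          # a blank owner repeats the last one
            owner = qualify(tokens.pop(0), origin)
        elif owner is None:
            raise ValueError("first record has no owner")
        ttl = int(tokens.pop(0)) if tokens[0].isdigit() else default_ttl
        if tokens[0].upper() == "IN":
            tokens.pop(0)
        rtype = tokens.pop(0).upper()
        rdata = [qualify(t, origin) if i in NAME_FIELDS.get(rtype, ()) else t
                 for i, t in enumerate(tokens)]
        records.append((owner, ttl, rtype, rdata))
    return default_ttl, records


def soa_serial(records):
    """The zone's SOA serial as an integer."""
    return int(next(r for _o, _t, t, r in records if t == "SOA")[2])


def unresolved_targets(records, origin):
    """NS, MX and CNAME targets inside the zone that have no A record."""
    origin = origin.rstrip(".") + "."
    have_a = {owner for owner, _ttl, rtype, _rdata in records if rtype == "A"}
    missing = []
    for _owner, _ttl, rtype, rdata in records:
        if rtype not in ("NS", "MX", "CNAME"):
            continue
        target = rdata[NAME_FIELDS[rtype][0]]
        in_zone = target == origin or target.endswith("." + origin)
        if in_zone and target not in have_a and target not in missing:
            missing.append(target)
    return missing
```

<para>Deleting the <literal>mx</literal> A record from
<literal>SAMPLE_ZONE</literal> makes
<literal>unresolved_targets()</literal> report
<literal>mx.example.org.</literal>, the kind of mistake
&man.named-checkzone.8; does not catch because the zone is still
syntactically valid.</para>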
3733 |
|
4159 |
|
3734 |
<para>The format of a zone file follows:</para> |
4160 |
<para>The format of a zone file follows:</para> |
3735 |
|
4161 |
|
3736 |
<programlisting>recordname IN recordtype value</programlisting> |
4162 |
<programlisting>recordname IN recordtype value</programlisting> |
3737 |
|
4163 |
|
3738 |
<indexterm> |
4164 |
<indexterm> |
3739 |
<primary><acronym>DNS</acronym></primary> |
4165 |
<primary><acronym>DNS</acronym></primary> |
3740 |
<secondary>records</secondary> |
4166 |
<secondary>records</secondary> |
3741 |
</indexterm> |
4167 |
</indexterm> |
3742 |
|
4168 |
|
3743 |
<para>The most commonly used <acronym>DNS</acronym> |
4169 |
<para>The most commonly used <acronym>DNS</acronym> |
3744 |
records:</para> |
4170 |
records:</para> |
3745 |
|
4171 |
|
3746 |
<variablelist> |
4172 |
<variablelist> |
3747 |
<varlistentry> |
4173 |
<varlistentry> |
3748 |
<term>SOA</term> |
4174 |
<term>SOA</term> |
3749 |
|
4175 |
|
3750 |
<listitem> |
4176 |
<listitem> |
3751 |
<para>start of zone authority</para> |
4177 |
<para>start of zone authority</para> |
3752 |
</listitem> |
4178 |
</listitem> |
3753 |
</varlistentry> |
4179 |
</varlistentry> |
3754 |
|
4180 |
|
3755 |
<varlistentry> |
4181 |
<varlistentry> |
3756 |
<term>NS</term> |
4182 |
<term>NS</term> |
3757 |
|
4183 |
|
3758 |
<listitem> |
4184 |
<listitem> |
3759 |
<para>an authoritative name server</para> |
4185 |
<para>an authoritative name server</para> |
3760 |
</listitem> |
4186 |
</listitem> |
3761 |
</varlistentry> |
4187 |
</varlistentry> |
3762 |
|
4188 |
|
3763 |
<varlistentry> |
4189 |
<varlistentry> |
3764 |
<term>A</term> |
4190 |
<term>A</term> |
3765 |
|
4191 |
|
3766 |
<listitem> |
4192 |
<listitem> |
3767 |
<para>a host address</para> |
4193 |
<para>a host address</para> |
3768 |
</listitem> |
4194 |
</listitem> |
3769 |
</varlistentry> |
4195 |
</varlistentry> |
3770 |
|
4196 |
|
3771 |
<varlistentry> |
4197 |
<varlistentry> |
3772 |
<term>CNAME</term> |
4198 |
<term>CNAME</term> |
3773 |
|
4199 |
|
3774 |
<listitem> |
4200 |
<listitem> |
3775 |
<para>the canonical name for an alias</para> |
4201 |
<para>the canonical name for an alias</para> |
3776 |
</listitem> |
4202 |
</listitem> |
3777 |
</varlistentry> |
4203 |
</varlistentry> |
3778 |
|
4204 |
|
3779 |
<varlistentry> |
4205 |
<varlistentry> |
3780 |
<term>MX</term> |
4206 |
<term>MX</term> |
3781 |
|
4207 |
|
3782 |
<listitem> |
4208 |
<listitem> |
3783 |
<para>mail exchanger</para> |
4209 |
<para>mail exchanger</para> |
3784 |
</listitem> |
4210 |
</listitem> |
3785 |
</varlistentry> |
4211 |
</varlistentry> |
3786 |
|
4212 |
|
3787 |
<varlistentry> |
4213 |
<varlistentry> |
3788 |
<term>PTR</term> |
4214 |
<term>PTR</term> |
3789 |
|
4215 |
|
3790 |
<listitem> |
4216 |
<listitem> |
3791 |
<para>a domain name pointer (used in reverse |
4217 |
<para>a domain name pointer (used in reverse |
3792 |
<acronym>DNS</acronym>)</para> |
4218 |
<acronym>DNS</acronym>)</para> |
3793 |
</listitem> |
4219 |
</listitem> |
3794 |
</varlistentry> |
4220 |
</varlistentry> |
3795 |
</variablelist> |
4221 |
</variablelist> |
3796 |
|
4222 |
|
3797 |
<programlisting>example.org. IN SOA ns1.example.org. admin.example.org. ( |
4223 |
<programlisting>example.org. IN SOA ns1.example.org. admin.example.org. ( |
3798 |
2006051501 ; Serial |
4224 |
2006051501 ; Serial |
3799 |
10800 ; Refresh after 3 hours |
4225 |
10800 ; Refresh after 3 hours |
3800 |
3600 ; Retry after 1 hour |
4226 |
3600 ; Retry after 1 hour |
3801 |
604800 ; Expire after 1 week |
4227 |
604800 ; Expire after 1 week |
3802 |
300 ) ; Negative Response TTL</programlisting> |
4228 |
300 ) ; Negative Response TTL</programlisting> |
3803 |
|
4229 |
|
3804 |
<variablelist> |
4230 |
<variablelist> |
3805 |
<varlistentry> |
4231 |
<varlistentry> |
3806 |
<term><systemitem |
4232 |
<term><systemitem |
3807 |
class="fqdomainname">example.org.</systemitem></term> |
4233 |
class="fqdomainname">example.org.</systemitem></term> |
3808 |
|
4234 |
|
3809 |
<listitem> |
4235 |
<listitem> |
3810 |
<para>the domain name, also the origin for this |
4236 |
<para>the domain name, also the origin for this |
3811 |
zone file.</para> |
4237 |
zone file.</para> |
3812 |
</listitem> |
4238 |
</listitem> |
3813 |
</varlistentry> |
4239 |
</varlistentry> |
3814 |
|
4240 |
|
3815 |
<varlistentry> |
4241 |
<varlistentry> |
3816 |
<term><systemitem |
4242 |
<term><systemitem |
3817 |
class="fqdomainname">ns1.example.org.</systemitem></term> |
4243 |
class="fqdomainname">ns1.example.org.</systemitem></term> |
3818 |
|
4244 |
|
3819 |
<listitem> |
4245 |
<listitem> |
3820 |
<para>the primary/authoritative name server for this |
4246 |
<para>the primary/authoritative name server for this |
3821 |
zone.</para> |
4247 |
zone.</para> |
3822 |
</listitem> |
4248 |
</listitem> |
3823 |
</varlistentry> |
4249 |
</varlistentry> |
3824 |
|
4250 |
|
3825 |
<varlistentry> |
4251 |
<varlistentry> |
3826 |
<term><literal>admin.example.org.</literal></term> |
4252 |
<term><literal>admin.example.org.</literal></term> |
3827 |
|
4253 |
|
3828 |
<listitem> |
4254 |
<listitem> |
3829 |
<para>the responsible person for this zone, |
4255 |
<para>the responsible person for this zone, |
3830 |
email address with <quote>@</quote> |
4256 |
email address with <quote>@</quote> |
3831 |
replaced. (<email>admin@example.org</email> becomes |
4257 |
replaced. (<email>admin@example.org</email> becomes |
3832 |
<literal>admin.example.org</literal>)</para> |
4258 |
<literal>admin.example.org</literal>)</para> |
3833 |
</listitem> |
4259 |
</listitem> |
3834 |
</varlistentry> |
4260 |
</varlistentry> |
3835 |
|
4261 |
|
3836 |
<varlistentry> |
4262 |
<varlistentry> |
3837 |
<term><literal>2006051501</literal></term> |
4263 |
<term><literal>2006051501</literal></term> |
3838 |
|
4264 |
|
3839 |
<listitem> |
4265 |
<listitem> |
3840 |
<para>the serial number of the file. This must be |
4266 |
<para>the serial number of the file. This must be |
3841 |
incremented each time the zone file is modified. |
4267 |
incremented each time the zone file is modified. |
3842 |
Nowadays, many admins prefer a |
4268 |
Nowadays, many admins prefer a |
3843 |
<literal>yyyymmddrr</literal> format for the serial |
4269 |
<literal>yyyymmddrr</literal> format for the serial |
3844 |
number. <literal>2006051501</literal> would mean |
4270 |
number. <literal>2006051501</literal> would mean |
3845 |
last modified 05/15/2006, the latter |
4271 |
last modified 05/15/2006, the latter |
3846 |
<literal>01</literal> being the first time the zone |
4272 |
<literal>01</literal> being the first time the zone |
3847 |
file has been modified this day. The serial number |
4273 |
file has been modified this day. The serial number |
3848 |
is important as it alerts slave name servers for a |
4274 |
is important as it alerts slave name servers for a |
3849 |
zone when it is updated.</para> |
4275 |
zone when it is updated.</para> |
3850 |
</listitem> |
4276 |
</listitem> |
3851 |
</varlistentry> |
4277 |
</varlistentry> |
3852 |
</variablelist> |
4278 |
</variablelist> |
3853 |
|
4279 |
|
3854 |
<programlisting> IN NS ns1.example.org.</programlisting> |
4280 |
<programlisting> IN NS ns1.example.org.</programlisting> |
3855 |
|
4281 |
|
3856 |
<para>This is an NS entry. Every name server that is going |
4282 |
<para>This is an NS entry. Every name server that is going |
3857 |
to reply authoritatively for the zone must have one of |
4283 |
to reply authoritatively for the zone must have one of |
3858 |
these entries.</para> |
4284 |
these entries.</para> |
3859 |
|
4285 |
|
3860 |
<programlisting>localhost IN A 127.0.0.1 |
4286 |
<programlisting>localhost IN A 127.0.0.1 |
3861 |
ns1 IN A 192.168.1.2 |
4287 |
ns1 IN A 192.168.1.2 |
3862 |
ns2 IN A 192.168.1.3 |
4288 |
ns2 IN A 192.168.1.3 |
3863 |
mx IN A 192.168.1.4 |
4289 |
mx IN A 192.168.1.4 |
3864 |
mail IN A 192.168.1.5</programlisting> |
4290 |
mail IN A 192.168.1.5</programlisting> |
3865 |
|
4291 |
|
3866 |
<para>The A record indicates machine names. As seen above, |
4292 |
<para>The A record indicates machine names. As seen above, |
3867 |
<systemitem |
4293 |
<systemitem |
3868 |
class="fqdomainname">ns1.example.org</systemitem> would |
4294 |
class="fqdomainname">ns1.example.org</systemitem> would |
3869 |
resolve to <systemitem |
4295 |
resolve to <systemitem |
3870 |
class="ipaddress">192.168.1.2</systemitem>.</para> |
4296 |
class="ipaddress">192.168.1.2</systemitem>.</para> |
3871 |
|
4297 |
|
3872 |
<programlisting> IN A 192.168.1.1</programlisting> |
4298 |
<programlisting> IN A 192.168.1.1</programlisting> |
3873 |
|
4299 |
|
3874 |
<para>This line assigns <acronym>IP</acronym> address |
4300 |
<para>This line assigns <acronym>IP</acronym> address |
3875 |
<systemitem class="ipaddress">192.168.1.1</systemitem> to |
4301 |
<systemitem class="ipaddress">192.168.1.1</systemitem> to |
3876 |
the current origin, in this case <systemitem |
4302 |
the current origin, in this case <systemitem |
3877 |
class="fqdomainname">example.org</systemitem>.</para> |
4303 |
class="fqdomainname">example.org</systemitem>.</para> |
3878 |
|
4304 |
|
3879 |
<programlisting>www IN CNAME @</programlisting> |
4305 |
<programlisting>www IN CNAME @</programlisting> |
3880 |
|
4306 |
|
3881 |
<para>The canonical name record is usually used for giving |
4307 |
<para>The canonical name record is usually used for giving |
3882 |
aliases to a machine. In the example, |
4308 |
aliases to a machine. In the example, |
3883 |
<systemitem>www</systemitem> is aliased to the |
4309 |
<systemitem>www</systemitem> is aliased to the |
3884 |
<quote>master</quote> machine whose name happens to be the |
4310 |
<quote>master</quote> machine whose name happens to be the |
3885 |
same as the domain name |
4311 |
same as the domain name |
3886 |
<systemitem class="fqdomainname">example.org</systemitem> |
4312 |
<systemitem class="fqdomainname">example.org</systemitem> |
3887 |
(<systemitem class="ipaddress">192.168.1.1</systemitem>). |
4313 |
(<systemitem class="ipaddress">192.168.1.1</systemitem>). |
3888 |
CNAMEs can never be used together with another kind of |
4314 |
CNAMEs can never be used together with another kind of |
3889 |
record for the same hostname.</para> |
4315 |
record for the same hostname.</para> |
3890 |
|
4316 |
|
3891 |
<indexterm> |
4317 |
<indexterm> |
3892 |
<primary>MX record</primary> |
4318 |
<primary>MX record</primary> |
3893 |
</indexterm> |
4319 |
</indexterm> |
3894 |
|
4320 |
|
3895 |
<programlisting> IN MX 10 mail.example.org.</programlisting> |
4321 |
<programlisting> IN MX 10 mail.example.org.</programlisting> |
3896 |
|
4322 |
|
3897 |
<para>The MX record indicates which mail servers are |
4323 |
<para>The MX record indicates which mail servers are |
3898 |
responsible for handling incoming mail for the zone. |
4324 |
responsible for handling incoming mail for the zone. |
3899 |
<systemitem |
4325 |
<systemitem |
3900 |
class="fqdomainname">mail.example.org</systemitem> is |
4326 |
class="fqdomainname">mail.example.org</systemitem> is |
3901 |
the hostname of a mail server, and 10 is the priority of |
4327 |
the hostname of a mail server, and 10 is the priority of |
3902 |
that mail server.</para> |
4328 |
that mail server.</para> |
3903 |
|
4329 |
|
3904 |
<para>One can have several mail servers, with priorities of |
4330 |
<para>One can have several mail servers, with priorities of |
3905 |
10, 20 and so on. A mail server attempting to deliver to |
4331 |
10, 20 and so on. A mail server attempting to deliver to |
3906 |
<systemitem class="fqdomainname">example.org</systemitem> |
4332 |
<systemitem class="fqdomainname">example.org</systemitem> |
3907 |
would first try the highest priority MX (the record with |
4333 |
would first try the highest priority MX (the record with |
3908 |
the lowest priority number), then the second highest, etc, |
4334 |
the lowest priority number), then the second highest, etc, |
3909 |
until the mail can be properly delivered.</para> |
4335 |
until the mail can be properly delivered.</para> |
3910 |
|
4336 |
|
3911 |
<para>For in-addr.arpa zone files (reverse |
4337 |
<para>For in-addr.arpa zone files (reverse |
3912 |
<acronym>DNS</acronym>), the same format is used, except |
4338 |
<acronym>DNS</acronym>), the same format is used, except |
3913 |
with PTR entries instead of A or CNAME.</para> |
4339 |
with PTR entries instead of A or CNAME.</para> |
3914 |
|
4340 |
|
3915 |
<programlisting>$TTL 3600 |
4341 |
<programlisting>$TTL 3600 |
3916 |
|
4342 |
|
3917 |
1.168.192.in-addr.arpa. IN SOA ns1.example.org. admin.example.org. ( |
4343 |
1.168.192.in-addr.arpa. IN SOA ns1.example.org. admin.example.org. ( |
3918 |
2006051501 ; Serial |
4344 |
2006051501 ; Serial |
3919 |
10800 ; Refresh |
4345 |
10800 ; Refresh |
3920 |
3600 ; Retry |
4346 |
3600 ; Retry |
3921 |
604800 ; Expire |
4347 |
604800 ; Expire |
3922 |
300 ) ; Negative Response TTL |
4348 |
300 ) ; Negative Response TTL |
3923 |
|
4349 |
|
3924 |
IN NS ns1.example.org. |
4350 |
IN NS ns1.example.org. |
3925 |
IN NS ns2.example.org. |
4351 |
IN NS ns2.example.org. |
3926 |
|
4352 |
|
3927 |
1 IN PTR example.org. |
4353 |
1 IN PTR example.org. |
3928 |
2 IN PTR ns1.example.org. |
4354 |
2 IN PTR ns1.example.org. |
3929 |
3 IN PTR ns2.example.org. |
4355 |
3 IN PTR ns2.example.org. |
3930 |
4 IN PTR mx.example.org. |
4356 |
4 IN PTR mx.example.org. |
3931 |
5 IN PTR mail.example.org.</programlisting> |
4357 |
5 IN PTR mail.example.org.</programlisting> |
3932 |
|
4358 |
|
3933 |
<para>This file gives the proper <acronym>IP</acronym> |
4359 |
<para>This file gives the proper <acronym>IP</acronym> |
3934 |
address to hostname mappings for the above fictitious |
4360 |
address to hostname mappings for the above fictitious |
3935 |
domain.</para> |
4361 |
domain.</para> |
3936 |
|
4362 |
|
3937 |
<para>It is worth noting that all names on the right side |
4363 |
<para>It is worth noting that all names on the right side |
3938 |
of a PTR record need to be fully qualified (i.e., end in |
4364 |
of a PTR record need to be fully qualified (i.e., end in |
3939 |
a <quote>.</quote>).</para> |
4365 |
a <quote>.</quote>).</para> |
3940 |
</sect4> |
4366 |
</sect4> |
3941 |
</sect3> |
4367 |
</sect3> |
3942 |
|
4368 |
|
3943 |
<sect3> |
4369 |
<sect3> |
3944 |
<title>Caching Name Server</title> |
4370 |
<title>Caching Name Server</title> |
3945 |
|
4371 |
|
3946 |
<indexterm> |
4372 |
<indexterm> |
3947 |
<primary>BIND</primary> |
4373 |
<primary>BIND</primary> |
3948 |
<secondary>caching name server</secondary> |
4374 |
<secondary>caching name server</secondary> |
3949 |
</indexterm> |
4375 |
</indexterm> |
3950 |
|
4376 |
|
3951 |
<para>A caching name server is a name server whose primary |
4377 |
<para>A caching name server is a name server whose primary |
3952 |
role is to resolve recursive queries. It simply asks |
4378 |
role is to resolve recursive queries. It simply asks |
3953 |
queries of its own, and remembers the answers for later |
4379 |
queries of its own, and remembers the answers for later |
3954 |
use.</para> |
4380 |
use.</para> |
3955 |
</sect3> |
4381 |
</sect3> |
3956 |
|
4382 |
|
3957 |
<sect3> |
4383 |
<sect3> |
3958 |
<title><acronym role="Domain Name Security |
4384 |
<title><acronym role="Domain Name Security |
3959 |
Extensions">DNSSEC</acronym></title> |
4385 |
Extensions">DNSSEC</acronym></title> |
3960 |
|
4386 |
|
3961 |
<indexterm> |
4387 |
<indexterm> |
3962 |
<primary>BIND</primary> |
4388 |
<primary>BIND</primary> |
3963 |
<secondary><acronym>DNS</acronym> security |
4389 |
<secondary><acronym>DNS</acronym> security |
3964 |
extensions</secondary> |
4390 |
extensions</secondary> |
3965 |
</indexterm> |
4391 |
</indexterm> |
3966 |
|
4392 |
|
3967 |
<para>Domain Name System Security Extensions, or <acronym |
4393 |
<para>Domain Name System Security Extensions, or <acronym |
3968 |
role="Domain Name Security Extensions">DNSSEC</acronym> |
4394 |
role="Domain Name Security Extensions">DNSSEC</acronym> |
3969 |
for short, is a suite of specifications to protect resolving |
4395 |
for short, is a suite of specifications to protect resolving |
3970 |
name servers from forged <acronym>DNS</acronym> data, such |
4396 |
name servers from forged <acronym>DNS</acronym> data, such |
3971 |
as spoofed <acronym>DNS</acronym> records. By using digital |
4397 |
as spoofed <acronym>DNS</acronym> records. By using digital |
3972 |
signatures, a resolver can verify the integrity of the |
4398 |
signatures, a resolver can verify the integrity of the |
3973 |
record. Note that <acronym role="Domain Name Security |
4399 |
record. Note that <acronym role="Domain Name Security |
3974 |
Extensions">DNSSEC</acronym> only provides integrity via |
4400 |
Extensions">DNSSEC</acronym> only provides integrity via |
3975 |
digitally signing the Resource Records (<acronym |
4401 |
digitally signing the Resource Records (<acronym |
3976 |
role="Resource Record">RR</acronym>s). It provides |
4402 |
role="Resource Record">RR</acronym>s). It provides |
3977 |
neither confidentiality nor protection against false |
4403 |
neither confidentiality nor protection against false |
3978 |
end-user assumptions. This means that it cannot protect |
4404 |
end-user assumptions. This means that it cannot protect |
3979 |
against people going to |
4405 |
against people going to |
3980 |
<systemitem class="fqdomainname">example.net</systemitem> |
4406 |
<systemitem class="fqdomainname">example.net</systemitem> |
3981 |
instead of |
4407 |
instead of |
3982 |
<systemitem class="fqdomainname">example.com</systemitem>. |
4408 |
<systemitem class="fqdomainname">example.com</systemitem>. |
3983 |
The only thing <acronym>DNSSEC</acronym> does is |
4409 |
The only thing <acronym>DNSSEC</acronym> does is |
3984 |
authenticate that the data has not been compromised in |
4410 |
authenticate that the data has not been compromised in |
3985 |
transit. The security of <acronym>DNS</acronym> is an |
4411 |
transit. The security of <acronym>DNS</acronym> is an |
3986 |
important step in securing the Internet in general. For |
4412 |
important step in securing the Internet in general. For |
3987 |
more in-depth details of how <acronym>DNSSEC</acronym> |
4413 |
more in-depth details of how <acronym>DNSSEC</acronym> |
3988 |
works, the relevant <acronym>RFC</acronym>s are a good place |
4414 |
works, the relevant <acronym>RFC</acronym>s are a good place |
3989 |
to start. See the list in |
4415 |
to start. See the list in |
3990 |
<xref linkend="dns-read"/>.</para> |
4416 |
<xref linkend="dns-read"/>.</para> |
3991 |
|
4417 |
|
3992 |
<para>The following sections will demonstrate how to enable |
4418 |
<para>The following sections will demonstrate how to enable |
3993 |
<acronym>DNSSEC</acronym> for an authoritative |
4419 |
<acronym>DNSSEC</acronym> for an authoritative |
3994 |
<acronym>DNS</acronym> server and a recursive (or caching) |
4420 |
<acronym>DNS</acronym> server and a recursive (or caching) |
3995 |
<acronym>DNS</acronym> server running |
4421 |
<acronym>DNS</acronym> server running |
3996 |
<acronym>BIND</acronym> 9. While all versions of |
4422 |
<acronym>BIND</acronym> 9. While all versions of |
3997 |
<acronym>BIND</acronym> 9 support <acronym>DNSSEC</acronym>, |
4423 |
<acronym>BIND</acronym> 9 support <acronym>DNSSEC</acronym>, |
3998 |
it is necessary to have at least version 9.6.2 in order to |
4424 |
it is necessary to have at least version 9.6.2 in order to |
3999 |
be able to use the signed root zone when validating |
4425 |
be able to use the signed root zone when validating |
4000 |
<acronym>DNS</acronym> queries. This is because earlier |
4426 |
<acronym>DNS</acronym> queries. This is because earlier |
4001 |
versions lack the required algorithms to enable validation |
4427 |
versions lack the required algorithms to enable validation |
4002 |
using the root zone key. It is strongly recommended to use |
4428 |
using the root zone key. It is strongly recommended to use |
4003 |
the latest version of <acronym>BIND</acronym> 9.7 or later |
4429 |
the latest version of <acronym>BIND</acronym> 9.7 or later |
4004 |
to take advantage of automatic key updating for the root |
4430 |
to take advantage of automatic key updating for the root |
4005 |
key, as well as other features to automatically keep zones |
4431 |
key, as well as other features to automatically keep zones |
4006 |
signed and signatures up to date. Where configurations |
4432 |
signed and signatures up to date. Where configurations |
4007 |
differ between 9.6.2 and 9.7 and later, differences will be |
4433 |
differ between 9.6.2 and 9.7 and later, differences will be |
4008 |
pointed out.</para> |
4434 |
pointed out.</para> |
4009 |
|
4435 |
|
4010 |
<sect4> |
4436 |
<sect4> |
4011 |
<title>Recursive <acronym>DNS</acronym> Server |
4437 |
<title>Recursive <acronym>DNS</acronym> Server |
4012 |
Configuration</title> |
4438 |
Configuration</title> |
4013 |
|
4439 |
|
4014 |
<para>Enabling <acronym>DNSSEC</acronym> validation of |
4440 |
<para>Enabling <acronym>DNSSEC</acronym> validation of |
4015 |
queries performed by a recursive <acronym>DNS</acronym> |
4441 |
queries performed by a recursive <acronym>DNS</acronym> |
4016 |
server requires a few changes to |
4442 |
server requires a few changes to |
4017 |
<filename>named.conf</filename>. Before making these |
4443 |
<filename>named.conf</filename>. Before making these |
4018 |
changes the root zone key, or trust anchor, must be |
4444 |
changes the root zone key, or trust anchor, must be |
4019 |
acquired. Currently the root zone key is not available in |
4445 |
acquired. Currently the root zone key is not available in |
4020 |
a file format <acronym>BIND</acronym> understands, so it |
4446 |
a file format <acronym>BIND</acronym> understands, so it |
4021 |
has to be manually converted into the proper format. The |
4447 |
has to be manually converted into the proper format. The |
4022 |
key itself can be obtained by querying the root zone for |
4448 |
key itself can be obtained by querying the root zone for |
4023 |
it using <application>dig</application>. By |
4449 |
it using <application>dig</application>. By |
4024 |
running</para> |
4450 |
running</para> |
4025 |
|
4451 |
|
4026 |
<screen>&prompt.user; <userinput>dig +multi +noall +answer DNSKEY . > root.dnskey</userinput></screen> |
4452 |
<screen>&prompt.user; <userinput>dig +multi +noall +answer DNSKEY . > root.dnskey</userinput></screen> |
4027 |
|
4453 |
|
4028 |
<para>the key will end up in |
4454 |
<para>the key will end up in |
4029 |
<filename>root.dnskey</filename>. The contents should |
4455 |
<filename>root.dnskey</filename>. The contents should |
4030 |
look something like this:</para> |
4456 |
look something like this:</para> |
4031 |
|
4457 |
|
4032 |
<programlisting>. 93910 IN DNSKEY 257 3 8 ( |
4458 |
<programlisting>. 93910 IN DNSKEY 257 3 8 ( |
4033 |
AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQ |
4459 |
AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQ |
4034 |
bSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh |
4460 |
bSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh |
4035 |
/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWA |
4461 |
/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWA |
4036 |
JQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXp |
4462 |
JQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXp |
4037 |
oY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3 |
4463 |
oY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3 |
4038 |
LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGO |
4464 |
LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGO |
4039 |
Yl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGc |
4465 |
Yl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGc |
4040 |
LmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0= |
4466 |
LmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0= |
4041 |
) ; key id = 19036 |
4467 |
) ; key id = 19036 |
4042 |
. 93910 IN DNSKEY 256 3 8 ( |
4468 |
. 93910 IN DNSKEY 256 3 8 ( |
4043 |
AwEAAcaGQEA+OJmOzfzVfoYN249JId7gx+OZMbxy69Hf |
4469 |
AwEAAcaGQEA+OJmOzfzVfoYN249JId7gx+OZMbxy69Hf |
4044 |
UyuGBbRN0+HuTOpBxxBCkNOL+EJB9qJxt+0FEY6ZUVjE |
4470 |
UyuGBbRN0+HuTOpBxxBCkNOL+EJB9qJxt+0FEY6ZUVjE |
4045 |
g58sRr4ZQ6Iu6b1xTBKgc193zUARk4mmQ/PPGxn7Cn5V |
4471 |
g58sRr4ZQ6Iu6b1xTBKgc193zUARk4mmQ/PPGxn7Cn5V |
4046 |
EGJ/1h6dNaiXuRHwR+7oWh7DnzkIJChcTqlFrXDW3tjt |
4472 |
EGJ/1h6dNaiXuRHwR+7oWh7DnzkIJChcTqlFrXDW3tjt |
4047 |
) ; key id = 34525</programlisting> |
4473 |
) ; key id = 34525</programlisting> |
4048 |
|
4474 |
|
4049 |
<para>Do not be alarmed if the obtained keys differ from |
4475 |
<para>Do not be alarmed if the obtained keys differ from |
4050 |
this example. They might have changed since these |
4476 |
this example. They might have changed since these |
4051 |
instructions were last updated. This output actually |
4477 |
instructions were last updated. This output actually |
4052 |
contains two keys. The first key in the listing, with the |
4478 |
contains two keys. The first key in the listing, with the |
4053 |
value 257 after the DNSKEY record type, is the one needed. |
4479 |
value 257 after the DNSKEY record type, is the one needed. |
4054 |
This value indicates that this is a Secure Entry Point |
4480 |
This value indicates that this is a Secure Entry Point |
4055 |
(<acronym role="Secure Entry Point">SEP</acronym>), |
4481 |
(<acronym role="Secure Entry Point">SEP</acronym>), |
4056 |
commonly known as a Key Signing Key |
4482 |
commonly known as a Key Signing Key |
4057 |
(<acronym role="Key Signing Key">KSK</acronym>). The |
4483 |
(<acronym role="Key Signing Key">KSK</acronym>). The |
4058 |
second key, with value 256, is a subordinate key, commonly |
4484 |
second key, with value 256, is a subordinate key, commonly |
4059 |
called a Zone Signing Key |
4485 |
called a Zone Signing Key |
4060 |
(<acronym role="Zone Signing Key">ZSK</acronym>). More on |
4486 |
(<acronym role="Zone Signing Key">ZSK</acronym>). More on |
4061 |
the different key types later in |
4487 |
the different key types later in |
4062 |
<xref linkend="dns-dnssec-auth"/>.</para> |
4488 |
<xref linkend="dns-dnssec-auth"/>.</para> |
4063 |
|
4489 |
|
4064 |
<para>Now the key must be verified and formatted so that |
4490 |
<para>Now the key must be verified and formatted so that |
4065 |
<acronym>BIND</acronym> can use it. To verify the key, |
4491 |
<acronym>BIND</acronym> can use it. To verify the key, |
4066 |
generate a <acronym role="Delegation Signer">DS</acronym> |
4492 |
generate a <acronym role="Delegation Signer">DS</acronym> |
4067 |
<acronym role="Resource Record">RR</acronym> set. Create |
4493 |
<acronym role="Resource Record">RR</acronym> set. Create |
4068 |
a file containing these |
4494 |
a file containing these |
4069 |
<acronym role="Resource Record">RR</acronym>s with</para> |
4495 |
<acronym role="Resource Record">RR</acronym>s with</para> |
4070 |
|
4496 |
|
4071 |
<screen>&prompt.user; <userinput>dnssec-dsfromkey -f root.dnskey . > root.ds</userinput></screen> |
4497 |
<screen>&prompt.user; <userinput>dnssec-dsfromkey -f root.dnskey . > root.ds</userinput></screen> |
4072 |
|
4498 |
|
4073 |
<para>These records use SHA-1 and SHA-256 respectively, and |
4499 |
<para>These records use SHA-1 and SHA-256 respectively, and |
4074 |
should look similar to the following example, where the |
4500 |
should look similar to the following example, where the |
4075 |
longer is using SHA-256.</para> |
4501 |
longer is using SHA-256.</para> |
4076 |
|
4502 |
|
4077 |
<programlisting>. IN DS 19036 8 1 |
4503 |
<programlisting>. IN DS 19036 8 1 |
4078 |
B256BD09DC8DD59F0E0F0D8541B8328DD986DF6E |
4504 |
B256BD09DC8DD59F0E0F0D8541B8328DD986DF6E |
4079 |
. IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5</programlisting> |
4505 |
. IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5</programlisting> |
4080 |
|
4506 |
|
4081 |
<para>The SHA-256 <acronym>RR</acronym> can now be compared |
4507 |
<para>The SHA-256 <acronym>RR</acronym> can now be compared |
4082 |
to the digest in <link |
4508 |
to the digest in <link |
4083 |
xlink:href="https://data.iana.org/root-anchors/root-anchors.xml">https://data.iana.org/root-anchors/root-anchors.xml</link>. |
4509 |
xlink:href="https://data.iana.org/root-anchors/root-anchors.xml">https://data.iana.org/root-anchors/root-anchors.xml</link>. |
4084 |
To be absolutely sure that the key has not been tampered |
4510 |
To be absolutely sure that the key has not been tampered |
4085 |
with the data in the <acronym>XML</acronym> file should be |
4511 |
with the data in the <acronym>XML</acronym> file can be |
4086 |
verified using a proper <acronym>PGP</acronym> signature.</para> |
4512 |
verified using the <acronym>PGP</acronym> signature in |
4087 |
|
4513 |
<link |
|
|
4514 |
xlink:href="https://data.iana.org/root-anchors/root-anchors.asc">https://data.iana.org/root-anchors/root-anchors.asc</link>.</para> |
4088 |
|
4515 |
|
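Review bot: the rewritten sentence (old 4085-4086, new 4511-4514) points the reader at root-anchors.asc but omits the step that makes a signature check meaningful: the reader must also obtain the key that signs that file from a source other than the same server, and verify it, before trusting the signature; without that, a tampered root-anchors.xml served together with a re-signed .asc would pass the check, so add a clause such as "after verifying the signing key out of band". Two smaller points on the same lines: the change from "should be verified" to "can be verified" weakens a step the preceding sentence introduces with "To be absolutely sure", so keep "should"; and the unchanged line 4510/4084 needs a comma after "tampered with" so it does not read as "tampered with the data".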
4089 |
<para>Next, the key must be formatted properly. This |
4516 |
<para>Next, the key must be formatted properly. This |
4090 |
differs a little between <acronym>BIND</acronym> versions |
4517 |
differs a little between <acronym>BIND</acronym> versions |
4091 |
9.6.2 and 9.7 and later. In version 9.7 support was added |
4518 |
9.6.2 and 9.7 and later. In version 9.7 support was added |
4092 |
to automatically track changes to the key and update it as |
4519 |
to automatically track changes to the key and update it as |
4093 |
necessary. This is done using |
4520 |
necessary. This is done using |
4094 |
<literal>managed-keys</literal> as seen in the example |
4521 |
<literal>managed-keys</literal> as seen in the example |
4095 |
below. When using the older version, the key is added |
4522 |
below. When using the older version, the key is added |
4096 |
using a <literal>trusted-keys</literal> statement and |
4523 |
using a <literal>trusted-keys</literal> statement and |
4097 |
updates must be done manually. For |
4524 |
updates must be done manually. For |
4098 |
<acronym>BIND</acronym> 9.6.2 the format should look |
4525 |
<acronym>BIND</acronym> 9.6.2 the format should look |
4099 |
like:</para> |
4526 |
like:</para> |
4100 |
|
4527 |
|
4101 |
<programlisting>trusted-keys { |
4528 |
<programlisting>trusted-keys { |
4102 |
"." 257 3 8 |
4529 |
"." 257 3 8 |
4103 |
"AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF |
4530 |
"AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF |
4104 |
FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX |
4531 |
FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX |
4105 |
bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD |
4532 |
bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD |
4106 |
X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz |
4533 |
X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz |
4107 |
W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS |
4534 |
W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS |
4108 |
Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq |
4535 |
Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq |
4109 |
QxA+Uk1ihz0="; |
4536 |
QxA+Uk1ihz0="; |
4110 |
};</programlisting> |
4537 |
};</programlisting> |
4111 |
|
4538 |
|
4112 |
<para>For 9.7 the format will instead be:</para> |
4539 |
<para>For 9.7 the format will instead be:</para> |
4113 |
|
4540 |
|
4114 |
<programlisting>managed-keys { |
4541 |
<programlisting>managed-keys { |
4115 |
"." initial-key 257 3 8 |
4542 |
"." initial-key 257 3 8 |
4116 |
"AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF |
4543 |
"AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF |
4117 |
FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX |
4544 |
FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX |
4118 |
bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD |
4545 |
bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD |
4119 |
X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz |
4546 |
X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz |
4120 |
W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS |
4547 |
W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS |
4121 |
Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq |
4548 |
Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq |
4122 |
QxA+Uk1ihz0="; |
4549 |
QxA+Uk1ihz0="; |
4123 |
};</programlisting> |
4550 |
};</programlisting> |
4124 |
|
4551 |
|
4125 |
<para>The root key can now be added to |
4552 |
<para>The root key can now be added to |
4126 |
<filename>named.conf</filename> either directly or by |
4553 |
<filename>named.conf</filename> either directly or by |
4127 |
including a file containing the key. After these steps, |
4554 |
including a file containing the key. After these steps, |
4128 |
configure <acronym>BIND</acronym> to do |
4555 |
configure <acronym>BIND</acronym> to do |
4129 |
<acronym>DNSSEC</acronym> validation on queries by editing |
4556 |
<acronym>DNSSEC</acronym> validation on queries by editing |
4130 |
<filename>named.conf</filename> and adding the following |
4557 |
<filename>named.conf</filename> and adding the following |
4131 |
to the <literal>options</literal> directive:</para> |
4558 |
to the <literal>options</literal> directive:</para> |
4132 |
|
4559 |
|
4133 |
<programlisting>dnssec-enable yes; |
4560 |
<programlisting>dnssec-enable yes; |
4134 |
dnssec-validation yes;</programlisting> |
4561 |
dnssec-validation yes;</programlisting> |
4135 |
|
4562 |
|
4136 |
<para>To verify that it is actually working use |
4563 |
<para>To verify that it is actually working use |
4137 |
<application>dig</application> to make a query for a |
4564 |
<application>dig</application> to make a query for a |
4138 |
signed zone using the resolver just configured. A |
4565 |
signed zone using the resolver just configured. A |
4139 |
successful reply will contain the <literal>AD</literal> |
4566 |
successful reply will contain the <literal>AD</literal> |
4140 |
flag to indicate the data was authenticated. Running a |
4567 |
flag to indicate the data was authenticated. Running a |
4141 |
query such as</para> |
4568 |
query such as</para> |
4142 |
|
4569 |
|
4143 |
<screen>&prompt.user; <userinput>dig @<replaceable>resolver</replaceable> +dnssec se ds </userinput></screen> |
4570 |
<screen>&prompt.user; <userinput>dig @<replaceable>resolver</replaceable> +dnssec se ds </userinput></screen> |
4144 |
|
4571 |
|
4145 |
<para>should return the <acronym>DS</acronym> |
4572 |
<para>should return the <acronym>DS</acronym> |
4146 |
<acronym>RR</acronym> for the <literal>.se</literal> zone. |
4573 |
<acronym>RR</acronym> for the <literal>.se</literal> zone. |
4147 |
In the <literal>flags:</literal> section the |
4574 |
In the <literal>flags:</literal> section the |
4148 |
<literal>AD</literal> flag should be set, as seen |
4575 |
<literal>AD</literal> flag should be set, as seen |
4149 |
in:</para> |
4576 |
in:</para> |
4150 |
|
4577 |
|
4151 |
<programlisting>... |
4578 |
<programlisting>... |
4152 |
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1 |
4579 |
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1 |
4153 |
...</programlisting> |
4580 |
...</programlisting> |
4154 |
|
4581 |
|
4155 |
<para>The resolver is now capable of authenticating |
4582 |
<para>The resolver is now capable of authenticating |
4156 |
<acronym>DNS</acronym> queries.</para> |
4583 |
<acronym>DNS</acronym> queries.</para> |
4157 |
</sect4> |
4584 |
</sect4> |
4158 |
|
4585 |
|
4159 |
<sect4 xml:id="dns-dnssec-auth"> |
4586 |
<sect4 xml:id="dns-dnssec-auth"> |
4160 |
<title>Authoritative <acronym>DNS</acronym> Server |
4587 |
<title>Authoritative <acronym>DNS</acronym> Server |
4161 |
Configuration</title> |
4588 |
Configuration</title> |
4162 |
|
4589 |
|
4163 |
<para>In order to get an authoritative name server to serve |
4590 |
<para>In order to get an authoritative name server to serve |
4164 |
a <acronym>DNSSEC</acronym> signed zone a little more work |
4591 |
a <acronym>DNSSEC</acronym> signed zone a little more work |
4165 |
is required. A zone is signed using cryptographic keys |
4592 |
is required. A zone is signed using cryptographic keys |
4166 |
which must be generated. It is possible to use only one |
4593 |
which must be generated. It is possible to use only one |
4167 |
key for this. The preferred method however is to have a |
4594 |
key for this. The preferred method however is to have a |
4168 |
strong well-protected Key Signing Key |
4595 |
strong well-protected Key Signing Key |
4169 |
(<acronym role="Key Signing Key">KSK</acronym>) that is |
4596 |
          (<acronym role="Key Signing Key">KSK</acronym>) that is
          not rotated very often and a Zone Signing Key
          (<acronym role="Zone Signing Key">ZSK</acronym>) that is
          rotated more frequently. Information on recommended
          operational practices can be found in <link
            xlink:href="http://tools.ietf.org/rfc/rfc4641.txt"><acronym>RFC</acronym>
            4641: <acronym>DNSSEC</acronym> Operational
            Practices</link>. Practices regarding the root zone can
          be found in <link
            xlink:href="http://www.root-dnssec.org/wp-content/uploads/2010/06/icann-dps-00.txt"><acronym>DNSSEC</acronym>
            Practice Statement for the Root Zone
            <acronym>KSK</acronym> operator</link> and <link
            xlink:href="http://www.root-dnssec.org/wp-content/uploads/2010/06/vrsn-dps-00.txt"><acronym>DNSSEC</acronym>
            Practice Statement for the Root Zone
            <acronym>ZSK</acronym> operator</link>. The
          <acronym role="Key Signing Key">KSK</acronym> is used to
          build a chain of authority to the data in need of
          validation and as such is also called a Secure Entry Point
          (<acronym role="Secure Entry Point">SEP</acronym>) key. A
          message digest of this key, called a Delegation Signer
          (<acronym role="Delegation Signer">DS</acronym>) record,
          must be published in the parent zone to establish the
          trust chain. How this is accomplished depends on the
          parent zone owner. The
          <acronym role="Zone Signing Key">ZSK</acronym> is used to
          sign the zone, and only needs to be published
          there.</para>

          <para>To enable <acronym>DNSSEC</acronym> for the
          <systemitem class="fqdomainname">example.com</systemitem>
          zone depicted in previous examples, the first step is to
          use <application>dnssec-keygen</application> to generate
          the <acronym>KSK</acronym> and <acronym>ZSK</acronym> key
          pairs. These key pairs can use different cryptographic
          algorithms. RSA/SHA256 is recommended for the keys, and a
          key length of 2048 bits should be enough. To generate the
          <acronym>KSK</acronym> for
          <systemitem class="fqdomainname">example.com</systemitem>,
          run</para>

          <screen>&prompt.user; <userinput>dnssec-keygen -f KSK -a RSASHA256 -b 2048 -n ZONE example.com</userinput></screen>

          <para>and to generate the <acronym>ZSK</acronym>, run</para>

          <screen>&prompt.user; <userinput>dnssec-keygen -a RSASHA256 -b 2048 -n ZONE example.com</userinput></screen>

          <para><application>dnssec-keygen</application> outputs two
          files, the public and the private key, named similar to
          <filename>Kexample.com.+005+nnnnn.key</filename> (public)
          and <filename>Kexample.com.+005+nnnnn.private</filename>
          (private). The <literal>nnnnn</literal> part of the file
          name is a five-digit key ID. Keep track of which key ID
          belongs to which key. This is especially important when a
          zone has more than one key. It is also possible to rename
          the keys. For each <acronym>KSK</acronym> file do:</para>

          <screen>&prompt.user; <userinput>mv Kexample.com.+005+nnnnn.key Kexample.com.+005+nnnnn.KSK.key</userinput>
&prompt.user; <userinput>mv Kexample.com.+005+nnnnn.private Kexample.com.+005+nnnnn.KSK.private</userinput></screen>

          <para>For the <acronym>ZSK</acronym> files, use
          <literal>ZSK</literal> in place of <literal>KSK</literal>.
          The public key files can now be included in the zone
          file, using the <literal>$include</literal> statement. It
          should look something like this:</para>

          <programlisting>$include Kexample.com.+005+nnnnn.KSK.key ; KSK
$include Kexample.com.+005+nnnnn.ZSK.key ; ZSK</programlisting>

          <para>Finally, sign the zone and tell
          <acronym>BIND</acronym> to use the signed zone file. To
          sign a zone, <application>dnssec-signzone</application> is
          used. The command to sign the zone
          <systemitem class="fqdomainname">example.com</systemitem>,
          located in <filename>example.com.db</filename>, would look
          similar to</para>

          <screen>&prompt.user; <userinput>dnssec-signzone -o
example.com -k Kexample.com.+005+nnnnn.KSK example.com.db
Kexample.com.+005+nnnnn.ZSK.key</userinput></screen>

          <para>The key supplied to the <option>-k</option> argument
          is the <acronym>KSK</acronym> and the other key file is
          the <acronym>ZSK</acronym> that should be used in the
          signing. It is possible to supply more than one
          <acronym>KSK</acronym> and <acronym>ZSK</acronym>, which
          will result in the zone being signed with all supplied
          keys. This can be needed to supply zone data signed using
          more than one algorithm. The output of
          <application>dnssec-signzone</application> is a zone file
          with all <acronym>RR</acronym>s signed. This output will
          end up in a file with the extension
          <literal>.signed</literal>, such as
          <filename>example.com.db.signed</filename>. The
          <acronym role="Delegation Signer">DS</acronym> records
          will also be written to a separate file,
          <filename>dsset-example.com</filename>. To use this
          signed zone, just modify the zone directive in
          <filename>named.conf</filename> to use
          <filename>example.com.db.signed</filename>. By default,
          the signatures are only valid for 30 days, meaning that the
          zone needs to be resigned in about 15 days to be sure
          that resolvers are not caching records with stale
          signatures. It is possible to make a script and a cron
          job to do this. See the relevant manuals for details.</para>

          <para>Be sure to keep private keys confidential, as with all
          cryptographic keys. When changing a key, it is best to
          include the new key in the zone while still signing
          with the old one, and then move over to using the new key
          to sign. After these steps are done, the old key can be
          removed from the zone. Failure to do this might render
          the <acronym>DNS</acronym> data unavailable for a time,
          until the new key has propagated through the
          <acronym>DNS</acronym> hierarchy. For more information on
          key rollovers and other <acronym>DNSSEC</acronym>
          operational issues, see <link
            xlink:href="http://www.ietf.org/rfc/rfc4641.txt"><acronym>RFC</acronym>
            4641: <acronym>DNSSEC</acronym> Operational
            Practices</link>.</para>
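          <para>Both the re-signing window and the key-rollover caveat
          above can be checked mechanically from the signed zone file.
          The following is an added example, not code from the
          Handbook or from <acronym>BIND</acronym>: a Python script
          that parses a <application>dnssec-signzone</application>
          output file, reports how many days remain before the
          earliest <acronym>RRSIG</acronym> expires, and flags any
          <acronym>RRSIG</acronym> whose key tag no longer has a
          <acronym>DNSKEY</acronym> published in the zone, which is
          the state a rollover must avoid. The zone text embedded in
          it is a constructed sample with placeholder key material,
          and the 15-day threshold comes from the text above.</para>

```python
"""Audit a dnssec-signzone output file for stale signatures and orphaned
signers: earliest RRSIG expiration against the re-signing window, and whether
every key tag used in an RRSIG still has a DNSKEY published in the zone."""
import base64
import struct
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional

# Constructed sample in the layout dnssec-signzone writes; key material and
# signatures are placeholders, not real cryptographic values.  The key ids in
# the comments were computed with key_tag() below.
SIGNED_ZONE_SAMPLE = """\
example.com.     3600 IN SOA   ns1.example.com. admin.example.com. (
                              2024021401 3600 900 1209600 3600 )
example.com.     3600 IN RRSIG SOA 8 2 3600 (
                              20240310000000 20240214120000 2058 example.com.
                              c2lnbmF0dXJl )
example.com.     3600 IN DNSKEY 256 3 8 (
                              AQID
                              ) ; ZSK; alg = RSASHA256 ; key id = 2058
example.com.     3600 IN DNSKEY 257 3 8 (
                              BAUG
                              ) ; KSK; alg = RSASHA256 ; key id = 3598
example.com.     3600 IN RRSIG DNSKEY 8 2 3600 (
                              20240315120000 20240214120000 3598 example.com.
                              c2lnbmF0dXJl )
www.example.com. 3600 IN A     192.0.2.10
www.example.com. 3600 IN RRSIG A 8 3 3600 (
                              20240315120000 20240214120000 1111 example.com.
                              c2lnbmF0dXJl )
"""


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over DNSKEY RDATA (flags, proto, alg, key)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def rrsig_time(stamp: str) -> datetime:
    """Parse the YYYYMMDDHHMMSS (UTC) timestamps used in RRSIG RDATA."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def logical_records(zone_text: str):
    """Yield one whitespace-normalised string per RR, joining the multi-line
    '( ... )' layout and dropping ';' comments."""
    buf, depth = [], 0
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0]
        if not line.strip() and depth == 0:
            continue
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth <= 0:
            yield " ".join(" ".join(buf).replace("(", " ").replace(")", " ").split())
            buf, depth = [], 0


@dataclass
class ZoneAudit:
    earliest_expiration: Optional[datetime] = None
    days_remaining: Optional[float] = None
    resign_due: bool = False
    published_key_tags: List[int] = field(default_factory=list)
    signing_key_tags: List[int] = field(default_factory=list)
    unpublished_signers: List[int] = field(default_factory=list)  # rollover hazard


def audit_signed_zone(zone_text: str, now: datetime,
                      resign_threshold_days: float = 15.0) -> ZoneAudit:
    """`now` must be timezone-aware; the 15-day default mirrors the text above."""
    published, signing, earliest = set(), set(), None
    for rec in logical_records(zone_text):
        toks = rec.split()
        t = next((i for i, tok in enumerate(toks) if tok in ("RRSIG", "DNSKEY")), None)
        if t is None:  # SOA, A, $-directives and so on are not audited
            continue
        rdata = toks[t + 1:]
        if toks[t] == "DNSKEY":  # RDATA: flags protocol algorithm base64-key...
            flags, proto, alg = (int(x) for x in rdata[:3])
            pubkey = base64.b64decode("".join(rdata[3:]))
            published.add(key_tag(struct.pack("!HBB", flags, proto, alg) + pubkey))
        else:  # RDATA: type alg labels orig-ttl expiration inception keytag signer sig
            expiration = rrsig_time(rdata[4])
            signing.add(int(rdata[6]))
            if earliest is None or expiration < earliest:
                earliest = expiration
    audit = ZoneAudit(published_key_tags=sorted(published),
                      signing_key_tags=sorted(signing),
                      unpublished_signers=sorted(signing - published))
    if earliest is not None:
        audit.earliest_expiration = earliest
        audit.days_remaining = (earliest - now).total_seconds() / 86400
        audit.resign_due = audit.days_remaining < resign_threshold_days
    return audit
```

Run it against a real <filename>example.com.db.signed</filename> by passing the file contents and <literal>datetime.now(timezone.utc)</literal>; a non-empty <literal>unpublished_signers</literal> list means a key was removed before the signatures it made expired.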
        </sect4>

        <sect4>
          <title>Automation Using <acronym>BIND</acronym> 9.7 or
            Later</title>

          <para>Beginning with <acronym>BIND</acronym> version 9.7, a
          new feature called <emphasis>Smart Signing</emphasis> was
          introduced. This feature aims to make the key management
          and signing process simpler by automating parts of the
          task. By putting the keys into a directory called a
          <emphasis>key repository</emphasis>, and using the new
          option <literal>auto-dnssec</literal>, it is possible to
          create a dynamic zone which will be resigned as needed.
          To update this zone, use
          <application>nsupdate</application> with the new option
          <option>-l</option>. <application>rndc</application> has
          also gained the ability to sign zones with keys in the key
          repository, using the option <option>sign</option>. To
          tell <acronym>BIND</acronym> to use this automatic signing
          and zone updating for <systemitem
            class="fqdomainname">example.com</systemitem>, add the
          following to <filename>named.conf</filename>:</para>

          <programlisting>zone example.com {
    type master;
    key-directory "/etc/named/keys";
    update-policy local;
    auto-dnssec maintain;
    file "/etc/named/dynamic/example.com.zone";
};</programlisting>

          <para>After making these changes, generate keys for the zone
          as explained in <xref linkend="dns-dnssec-auth"/>, put
          those keys in the key repository given as the argument to
          <literal>key-directory</literal> in the zone
          configuration, and the zone will be signed automatically.
          Updates to a zone configured this way must be done using
          <application>nsupdate</application>, which will take care
          of re-signing the zone with the new data added. For
          further details, see <xref linkend="dns-read"/> and the
          <acronym>BIND</acronym> documentation.</para>
        </sect4>
      </sect3>

      <sect3>
        <title>Security</title>

        <para>Although BIND is the most common implementation of
        <acronym>DNS</acronym>, there is always the issue of
        security. Possible and exploitable security holes are
        sometimes found.</para>

        <para>While &os; automatically drops
        <application>named</application> into a &man.chroot.8;
        environment, there are several other security mechanisms in
        place which could help to ward off possible
        <acronym>DNS</acronym> service attacks.</para>

        <para>It is always a good idea to read
        <link xlink:href="http://www.cert.org/">CERT</link>'s
        security advisories and to subscribe to the
        &a.security-notifications; to stay up to date with
        current Internet and &os; security issues.</para>

        <tip>
          <para>If a problem arises, keeping sources up to date and
          having a fresh build of <application>named</application>
          may help.</para>
        </tip>
      </sect3>

      <sect3 xml:id="dns-read">
        <title>Further Reading</title>

        <para>BIND/<application>named</application> manual pages:
        &man.rndc.8; &man.named.8; &man.named.conf.5;
        &man.nsupdate.1; &man.dnssec-signzone.8;
        &man.dnssec-keygen.8;</para>

        <itemizedlist>
          <listitem>
            <para><link
              xlink:href="https://www.isc.org/software/bind">Official
              ISC BIND Page</link></para>
          </listitem>

          <listitem>
            <para><link
              xlink:href="https://www.isc.org/software/guild">Official
              ISC BIND Forum</link></para>
          </listitem>

          <listitem>
            <para><link
              xlink:href="http://www.oreilly.com/catalog/dns5/">O'Reilly
              <acronym>DNS</acronym> and BIND 5th
              Edition</link></para>
          </listitem>

          <listitem>
            <para><link
              xlink:href="http://www.root-dnssec.org/documentation/">Root
              <acronym>DNSSEC</acronym></link></para>
          </listitem>

          <listitem>
            <para><link
              xlink:href="http://data.iana.org/root-anchors/draft-icann-dnssec-trust-anchor.html"><acronym>DNSSEC</acronym>
              Trust Anchor Publication for the Root
              Zone</link></para>
          </listitem>

          <listitem>
            <para><link
              xlink:href="http://tools.ietf.org/html/rfc1034">RFC1034
              - Domain Names - Concepts and Facilities</link></para>
          </listitem>

          <listitem>
            <para><link
              xlink:href="http://tools.ietf.org/html/rfc1035">RFC1035
              - Domain Names - Implementation and
              Specification</link></para>
          </listitem>

          <listitem>
            <para><link
              xlink:href="http://tools.ietf.org/html/rfc4033">RFC4033
              - <acronym>DNS</acronym> Security Introduction and
              Requirements</link></para>
          </listitem>

          <listitem>
            <para><link
              xlink:href="http://tools.ietf.org/html/rfc4034">RFC4034
              - Resource Records for the <acronym>DNS</acronym>
              Security Extensions</link></para>
          </listitem>

          <listitem>
            <para><link
              xlink:href="http://tools.ietf.org/html/rfc4035">RFC4035
              - Protocol Modifications for the
              <acronym>DNS</acronym> Security
              Extensions</link></para>
          </listitem>

          <listitem>
            <para><link
              xlink:href="http://tools.ietf.org/html/rfc4641">RFC4641
              - DNSSEC Operational Practices</link></para>
          </listitem>

          <listitem>
            <para><link
              xlink:href="http://tools.ietf.org/html/rfc5011">RFC
              5011 - Automated Updates of <acronym>DNS</acronym>
              Security (<acronym>DNSSEC</acronym>)
              Trust Anchors</link></para>
          </listitem>
        </itemizedlist>
      </sect3>
    </sect2>
  </sect1>
4455 |
|
4882 |
|
4456 |
<sect1 xml:id="network-apache"> |
4883 |
<sect1 xml:id="network-apache"> |
4457 |
<info> |
4884 |
<info> |
4458 |
<title>Apache HTTP Server</title> |
4885 |
<title>Apache HTTP Server</title> |
4459 |
|
4886 |
|
4460 |
<authorgroup> |
4887 |
<authorgroup> |
4461 |
<author> |
4888 |
<author> |
4462 |
<personname> |
4889 |
<personname> |
4463 |
<firstname>Murray</firstname> |
4890 |
<firstname>Murray</firstname> |
4464 |
<surname>Stokely</surname> |
4891 |
<surname>Stokely</surname> |
4465 |
</personname> |
4892 |
</personname> |
4466 |
<contrib>Contributed by </contrib> |
4893 |
<contrib>Contributed by </contrib> |
4467 |
</author> |
4894 |
</author> |
4468 |
</authorgroup> |
4895 |
</authorgroup> |
4469 |
</info> |
4896 |
</info> |
4470 |
|
4897 |
|
4471 |
<indexterm><primary>web servers</primary> |
4898 |
<indexterm><primary>web servers</primary> |
4472 |
<secondary>setting up</secondary></indexterm> |
4899 |
<secondary>setting up</secondary></indexterm> |
4473 |
<indexterm><primary>Apache</primary></indexterm> |
4900 |
<indexterm><primary>Apache</primary></indexterm> |
4474 |
|
4901 |
|
4475 |
<para>The open source |
4902 |
<para>The open source |
4476 |
<application>Apache HTTP Server</application> is the most widely |
4903 |
<application>Apache HTTP Server</application> is the most widely |
4477 |
used web server. &os; does not install this web server by |
4904 |
used web server. &os; does not install this web server by |
4478 |
default, but it can be installed from the |
4905 |
default, but it can be installed from the |
4479 |
<package>www/apache24</package> package or port.</para> |
4906 |
<package>www/apache24</package> package or port.</para> |
4480 |
|
4907 |
|
4481 |
<para>This section summarizes how to configure and start version |
4908 |
<para>This section summarizes how to configure and start version |
4482 |
2.<replaceable>x</replaceable> of the <application>Apache HTTP |
4909 |
2.<replaceable>x</replaceable> of the <application>Apache HTTP |
4483 |
Server</application> on &os;. For more detailed information |
4910 |
Server</application> on &os;. For more detailed information |
4484 |
about <application>Apache</application> 2.X and its |
4911 |
about <application>Apache</application> 2.X and its |
4485 |
configuration directives, refer to <link |
4912 |
configuration directives, refer to <link |
4486 |
xlink:href="http://httpd.apache.org/">httpd.apache.org</link>.</para> |
4913 |
xlink:href="http://httpd.apache.org/">httpd.apache.org</link>.</para> |
4487 |
|
4914 |
|
4488 |
<sect2> |
4915 |
<sect2> |
4489 |
<title>Configuring and Starting Apache</title> |
4916 |
<title>Configuring and Starting Apache</title> |
4490 |
|
4917 |
|
4491 |
<indexterm><primary>Apache</primary> |
4918 |
<indexterm><primary>Apache</primary> |
4492 |
<secondary>configuration file</secondary></indexterm> |
4919 |
<secondary>configuration file</secondary></indexterm> |
4493 |
|
4920 |
|
4494 |
<para>In &os;, the main <application>Apache HTTP |
4921 |
<para>In &os;, the main <application>Apache HTTP |
4495 |
Server</application> configuration file is installed as |
4922 |
Server</application> configuration file is installed as |
4496 |
<filename>/usr/local/etc/apache2<replaceable>x</replaceable>/httpd.conf</filename>, |
4923 |
<filename>/usr/local/etc/apache2<replaceable>x</replaceable>/httpd.conf</filename>, |
4497 |
where <replaceable>x</replaceable> represents the version |
4924 |
where <replaceable>x</replaceable> represents the version |
4498 |
number. This <acronym>ASCII</acronym> text file begins |
4925 |
number. This <acronym>ASCII</acronym> text file begins |
4499 |
comment lines with a <literal>#</literal>. The most |
4926 |
comment lines with a <literal>#</literal>. The most |
4500 |
frequently modified directives are:</para> |
4927 |
frequently modified directives are:</para> |
4501 |
|
4928 |
|
4502 |
<variablelist> |
4929 |
<variablelist> |
4503 |
<varlistentry> |
4930 |
<varlistentry> |
4504 |
<term><literal>ServerRoot "/usr/local"</literal></term> |
4931 |
<term><literal>ServerRoot "/usr/local"</literal></term> |
4505 |
|
4932 |
|
4506 |
<listitem> |
4933 |
<listitem> |
4507 |
<para>Specifies the default directory hierarchy for the |
4934 |
<para>Specifies the default directory hierarchy for the |
4508 |
<application>Apache</application> installation. |
4935 |
<application>Apache</application> installation. |
4509 |
Binaries are stored in the <filename>bin</filename> and |
4936 |
Binaries are stored in the <filename>bin</filename> and |
4510 |
<filename>sbin</filename> subdirectories of the server |
4937 |
<filename>sbin</filename> subdirectories of the server |
4511 |
root and configuration files are stored in the <filename |
4938 |
root and configuration files are stored in the <filename |
4512 |
>etc/apache2<replaceable>x</replaceable></filename> |
4939 |
>etc/apache2<replaceable>x</replaceable></filename> |
4513 |
subdirectory.</para> |
4940 |
subdirectory.</para> |
4514 |
</listitem> |
4941 |
</listitem> |
4515 |
</varlistentry> |
4942 |
</varlistentry> |
4516 |
|
4943 |
|
4517 |
<varlistentry> |
4944 |
<varlistentry> |
4518 |
<term><literal>ServerAdmin you@example.com</literal></term> |
4945 |
<term><literal>ServerAdmin you@example.com</literal></term> |
4519 |
|
4946 |
|
4520 |
<listitem> |
4947 |
<listitem> |
4521 |
<para>Change this to the email address to receive problems |
4948 |
<para>Change this to the email address to receive problems |
4522 |
with the server. This address also appears on some |
4949 |
with the server. This address also appears on some |
4523 |
server-generated pages, such as error documents.</para> |
4950 |
server-generated pages, such as error documents.</para> |
4524 |
</listitem> |
4951 |
</listitem> |
4525 |
</varlistentry> |
4952 |
</varlistentry> |

          <varlistentry>
            <term><literal>ServerName
                www.example.com:80</literal></term>

            <listitem>
              <para>Allows an administrator to set the hostname which
                the server sends back to clients.  For example,
                <systemitem>www</systemitem> can be used instead of
                the actual hostname.  If the system does not have a
                registered <acronym>DNS</acronym> name, enter its
                <acronym>IP</acronym> address instead.  If the server
                will listen on an alternate port, change
                <literal>80</literal> to the alternate port
                number.</para>
            </listitem>
          </varlistentry>

          <varlistentry>
            <term><literal>DocumentRoot
                "/usr/local/www/apache2<replaceable>x</replaceable>/data"</literal></term>

            <listitem>
              <para>The directory from which documents are served.
                By default, all requests are taken from this directory,
                but symbolic links and aliases may be used to point to
                other locations.</para>
            </listitem>
          </varlistentry>
        </variablelist>

        <para>It is always a good idea to make a backup copy of the
          default <application>Apache</application> configuration file
          before making changes.  When the configuration of
          <application>Apache</application> is complete, save the file
          and verify the configuration using
          <command>apachectl</command>.  Running <command>apachectl
          configtest</command> should return <literal>Syntax
          OK</literal>.</para>

        <indexterm><primary>Apache</primary>
          <secondary>starting or stopping</secondary></indexterm>

        <para>To launch <application>Apache</application> at system
          startup, add the following line to
          <filename>/etc/rc.conf</filename>:</para>

        <programlisting>apache<replaceable>24</replaceable>_enable="YES"</programlisting>

        <para>If <application>Apache</application> should be started
          with non-default options, the following line may be added to
          <filename>/etc/rc.conf</filename> to specify the needed
          flags:</para>

        <programlisting>apache<replaceable>24</replaceable>_flags=""</programlisting>

        <para>If <application>apachectl</application> does not report
          configuration errors, start <command>httpd</command>
          now:</para>

        <screen>&prompt.root; <userinput>service apache<replaceable>24</replaceable> start</userinput></screen>

        <para>The <command>httpd</command> service can be tested by
          entering
          <literal>http://<replaceable>localhost</replaceable></literal>
          in a web browser, replacing
          <replaceable>localhost</replaceable> with the fully-qualified
          domain name of the machine running <command>httpd</command>.
          The default web page that is displayed is
          <filename>/usr/local/www/apache<replaceable>24</replaceable>/data/index.html</filename>.</para>

        <para>The <application>Apache</application> configuration can be
          tested for errors after making subsequent configuration
          changes while <command>httpd</command> is running using the
          following command:</para>

        <screen>&prompt.root; <userinput>service apache<replaceable>24</replaceable> configtest</userinput></screen>

        <note>
          <para>It is important to note that
            <literal>configtest</literal> is not an &man.rc.8; standard,
            and should not be expected to work for all startup
            scripts.</para>
        </note>
      </sect2>

      <sect2>
        <title>Virtual Hosting</title>

        <para>Virtual hosting allows multiple websites to run on one
          <application>Apache</application> server.  The virtual hosts
          can be <firstterm>IP-based</firstterm> or
          <firstterm>name-based</firstterm>.
          <acronym>IP</acronym>-based virtual hosting uses a different
          <acronym>IP</acronym> address for each website.  Name-based
          virtual hosting uses the <literal>Host</literal> header that
          HTTP/1.1 clients send to determine which website was
          requested, which allows the websites to share the same
          <acronym>IP</acronym> address.</para>

        <para>To set up <application>Apache</application> to use
          name-based virtual hosting, add a
          <literal>VirtualHost</literal> block for each website.  For
          example, for the webserver named <systemitem
            class="fqdomainname">www.domain.tld</systemitem> with a
          virtual domain of <systemitem
            class="fqdomainname">www.someotherdomain.tld</systemitem>,
          add the following entries to
          <filename>httpd.conf</filename>:</para>

        <programlisting><VirtualHost *>
    ServerName <replaceable>www.domain.tld</replaceable>
    DocumentRoot <replaceable>/www/domain.tld</replaceable>
</VirtualHost>

<VirtualHost *>
    ServerName <replaceable>www.someotherdomain.tld</replaceable>
    DocumentRoot <replaceable>/www/someotherdomain.tld</replaceable>
</VirtualHost></programlisting>

        <para>For each virtual host, replace the values for
          <literal>ServerName</literal> and
          <literal>DocumentRoot</literal> with the values to be
          used.  A request whose <literal>Host</literal> header matches
          none of the configured <literal>ServerName</literal> or
          <literal>ServerAlias</literal> values is served by the first
          <literal>VirtualHost</literal> block listed, so list the
          site that should act as the default first.</para>
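        <para>The following is an added example and is not part of the
          Handbook or of <application>Apache</application> itself.  It
          renders name-based <literal>VirtualHost</literal> blocks from
          a site list and simulates how <command>httpd</command>
          chooses a block from the request's <literal>Host</literal>
          header, so the effect of block order can be checked before
          the configuration is deployed.  The site list, the document
          roots and the <literal>default.invalid</literal> catch-all
          are constructed for the example; the matching rules (exact
          <literal>ServerName</literal> or wildcard
          <literal>ServerAlias</literal> match in list order, first
          block as the default) follow the Apache documentation for
          name-based virtual hosts.</para>

```python
# Added example for the "Virtual Hosting" section; not part of the FreeBSD
# Handbook or of Apache httpd.  Renders <VirtualHost> blocks from a site list
# and simulates httpd's choice of block for a given Host header.  The site
# list and document roots below are constructed for this example.
import fnmatch
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Site:
    server_name: str
    document_root: str
    aliases: List[str] = field(default_factory=list)   # ServerAlias entries


def render_vhosts(sites: List[Site], port: int = 80) -> str:
    """Emit one <VirtualHost *:port> block per site, in list order.

    Order is significant: a request whose Host header matches no block is
    served by the first one, so callers put the intended default first.
    """
    blocks = []
    for site in sites:
        lines = [f"<VirtualHost *:{port}>",
                 f"    ServerName {site.server_name}"]
        if site.aliases:
            lines.append("    ServerAlias " + " ".join(site.aliases))
        lines.append(f'    DocumentRoot "{site.document_root}"')
        lines.append("</VirtualHost>")
        blocks.append("\n".join(lines))
    return "\n\n".join(blocks) + "\n"


def host_from_header(host_header: str) -> str:
    """Reduce a Host header value to the bare name httpd matches against:
    drop an optional :port, keep IPv6 literals intact, ignore case."""
    value = host_header.strip()
    if value.startswith("[") and "]" in value:      # e.g. [::1]:8080
        value = value[: value.index("]") + 1]
    else:
        value = value.split(":", 1)[0]
    return value.lower()


def select_vhost(sites: List[Site], host_header: Optional[str]) -> Site:
    """Return the Site httpd would serve for a request with host_header.

    An exact ServerName match or a ServerAlias match (with the * and ?
    wildcards ServerAlias allows) wins, in list order.  No match, or no
    Host header at all, falls through to the first block: that block is
    the default virtual host, and an unintended site there is a common
    misconfiguration.
    """
    if not sites:
        raise ValueError("no virtual hosts configured")
    if host_header is None:
        return sites[0]
    host = host_from_header(host_header)
    for site in sites:
        if host == site.server_name.lower():
            return site
        if any(fnmatch.fnmatchcase(host, alias.lower()) for alias in site.aliases):
            return site
    return sites[0]


# Constructed site list: a deliberate catch-all default first, then the two
# sites from the Handbook's example (the ServerAlias entries are assumptions).
SITES = [
    Site("default.invalid", "/usr/local/www/default"),
    Site("www.domain.tld", "/www/domain.tld", aliases=["domain.tld", "*.domain.tld"]),
    Site("www.someotherdomain.tld", "/www/someotherdomain.tld"),
]

if __name__ == "__main__":
    print(render_vhosts(SITES))
    for header in ["www.someotherdomain.tld", "Blog.Domain.TLD:8080", "attacker.example", None]:
        print(f"{header!r:32} -> {select_vhost(SITES, header).server_name}")
```

        <para>Running the script shows that an unknown
          <literal>Host</literal> value, or a request with no
          <literal>Host</literal> header, lands on the first block,
          which is why the example lists an empty default site before
          the real ones.</para>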

        <para>For more information about setting up virtual hosts,
          consult the official <application>Apache</application>
          documentation at: <uri
            xlink:href="http://httpd.apache.org/docs/vhosts/">http://httpd.apache.org/docs/vhosts/</uri>.</para>
      </sect2>

      <sect2>
        <title>Apache Modules</title>

        <indexterm><primary>Apache</primary>
          <secondary>modules</secondary></indexterm>

        <para><application>Apache</application> uses modules to augment
          the functionality provided by the basic server.  Refer to <uri
            xlink:href="http://httpd.apache.org/docs/current/mod/">http://httpd.apache.org/docs/current/mod/</uri>
          for a complete listing of the available modules and their
          configuration details.</para>

        <para>In &os;, some modules can be compiled with the
          <package>www/apache24</package> port.  Type <command>make
            config</command> within
          <filename>/usr/ports/www/apache24</filename> to see which
          modules are available and which are enabled by default.  If
          the module is not compiled with the port, the &os; Ports
          Collection provides an easy way to install many modules.  This
          section describes three of the most commonly used
          modules.</para>

        <sect3>
          <title><filename>mod_ssl</filename></title>

          <indexterm>
            <primary>web servers</primary>
            <secondary>secure</secondary>
          </indexterm>
          <indexterm><primary>SSL</primary></indexterm>
          <indexterm><primary>cryptography</primary></indexterm>

          <para>The <filename>mod_ssl</filename> module uses the
            <application>OpenSSL</application> library to provide strong
            cryptography via the Transport Layer Security
            (<acronym>TLS</acronym>) protocol and its obsolete
            predecessor, Secure Sockets Layer
            (<acronym>SSLv3</acronym>).  <acronym>SSLv3</acronym> has
            known weaknesses and should be disabled with the
            <literal>SSLProtocol</literal> directive so that only
            <acronym>TLS</acronym> is offered.  This module provides
            everything necessary to request a signed certificate from a
            trusted certificate signing authority to run a secure web
            server on &os;.</para>

          <para>In &os;, the <filename>mod_ssl</filename> module is
            enabled by default in both the package and the port.  The
            available configuration directives are explained at <uri
              xlink:href="http://httpd.apache.org/docs/current/mod/mod_ssl.html">http://httpd.apache.org/docs/current/mod/mod_ssl.html</uri>.</para>
        </sect3>

        <sect3>
          <title><filename>mod_perl</filename></title>

          <indexterm>
            <primary>mod_perl</primary>
            <secondary>Perl</secondary>
          </indexterm>

          <para>The
            <filename>mod_perl</filename> module makes it possible to
            write <application>Apache</application> modules in
            <application>Perl</application>.  In addition, the
            persistent interpreter embedded in the server avoids the
            overhead of starting an external interpreter and the penalty
            of <application>Perl</application> start-up time.</para>

          <para><filename>mod_perl</filename> can be installed using
            the <package>www/mod_perl2</package> package or port.
            Documentation for using this module can be found at <uri
              xlink:href="http://perl.apache.org/docs/2.0/index.html">http://perl.apache.org/docs/2.0/index.html</uri>.</para>
        </sect3>

        <sect3>
          <info>
            <title><filename>mod_php</filename></title>

            <authorgroup>
              <author>
                <personname>
                  <firstname>Tom</firstname>
                  <surname>Rhodes</surname>
                </personname>
                <contrib>Written by </contrib>
              </author>
            </authorgroup>
          </info>

          <indexterm>
            <primary>mod_php</primary>
            <secondary>PHP</secondary>
          </indexterm>

          <para><firstterm>PHP: Hypertext Preprocessor</firstterm>
            (<acronym>PHP</acronym>) is a general-purpose scripting
            language that is especially suited for web development.
            Capable of being embedded into <acronym>HTML</acronym>, its
            syntax draws upon <application>C</application>, &java;, and
            <application>Perl</application> with the intention of
            allowing web developers to write dynamically generated
            webpages quickly.</para>

          <para>To add <acronym>PHP</acronym> 5 support to the
            <application>Apache</application> web server, install the
            <package>www/mod_php56</package> package or port.  This will
            install and configure the modules required to support
            dynamic <acronym>PHP</acronym> applications.  The
            installation will automatically add this line to
            <filename>/usr/local/etc/apache2<replaceable>4</replaceable>/httpd.conf</filename>:</para>

          <programlisting>LoadModule php5_module libexec/apache24/libphp5.so</programlisting>

<!--
I do not think this is still needed
AddModule mod_php5.c
    <IfModule mod_php5.c>
	DirectoryIndex index.php index.html
    </IfModule>
    <IfModule mod_php5.c>
	AddType application/x-httpd-php .php
	AddType application/x-httpd-php-source .phps
    </IfModule></programlisting>

-->

          <para>Then, perform a graceful restart to load the
            <acronym>PHP</acronym> module:</para>

          <screen>&prompt.root; <userinput>apachectl graceful</userinput></screen>

          <para>The <acronym>PHP</acronym> support provided by
            <package>www/mod_php56</package> is limited.  Additional
            support can be installed using the
            <package>lang/php56-extensions</package> port which provides
            a menu driven interface to the available
            <acronym>PHP</acronym> extensions.</para>

          <para>Alternatively, individual extensions can be installed
            using the appropriate port.  For instance, to add
            <acronym>PHP</acronym> support for the
            <application>MySQL</application> database server, install
            <package>databases/php56-mysql</package>.</para>

          <para>After installing an extension, the
            <application>Apache</application> server must be reloaded to
            pick up the new configuration changes:</para>

          <screen>&prompt.root; <userinput>apachectl graceful</userinput></screen>
        </sect3>
      </sect2>

      <sect2>
        <title>Dynamic Websites</title>

        <indexterm>
          <primary>web servers</primary>
          <secondary>dynamic</secondary>
        </indexterm>

        <para>In addition to <application>mod_perl</application> and
          <application>mod_php</application>, other languages and
          frameworks are available for creating dynamic web content.
          These include <application>Django</application> and
          <application>Ruby on Rails</application>.</para>

        <sect3>
          <title>Django</title>

          <indexterm><primary>Python</primary></indexterm>
          <indexterm><primary>Django</primary></indexterm>

          <para><application>Django</application> is a BSD-licensed
            framework designed to allow developers to write high
            performance, elegant web applications quickly.  It provides
            an object-relational mapper so that data types are developed
            as <application>Python</application> objects.  A rich
            dynamic database-access <acronym>API</acronym> is provided
            for those objects without the developer ever having to write
            <acronym>SQL</acronym>.  It also provides an extensible
            template system so that the logic of the application is
            separated from the <acronym>HTML</acronym>
            presentation.</para>

          <para>Django depends on <filename>mod_python</filename> and
            an <acronym>SQL</acronym> database engine.  In &os;, the
            <package>www/py-django</package> port automatically installs
            <filename>mod_python</filename> and supports the
            <application>PostgreSQL</application>,
            <application>MySQL</application>, or
            <application>SQLite</application> databases, with the
            default being <application>SQLite</application>.  To change
            the database engine, type <command>make config</command>
            within <filename>/usr/ports/www/py-django</filename>, then
            install the port.</para>

          <para>Once <application>Django</application> is installed, the
            application will need a project directory along with the
            <application>Apache</application> configuration in order to
            use the embedded <application>Python</application>
            interpreter.  This interpreter is used to call the
            application for specific <acronym>URL</acronym>s on the
            site.</para>

          <para>To configure <application>Apache</application> to pass
            requests for certain <acronym>URL</acronym>s to the web
            application, add the following to
            <filename>httpd.conf</filename>, specifying the full path to
            the project directory:</para>

          <programlisting><Location "/">
    SetHandler python-program
    PythonPath "['<replaceable>/dir/to/the/django/packages/</replaceable>'] + sys.path"
    PythonHandler django.core.handlers.modpython
    SetEnv DJANGO_SETTINGS_MODULE mysite.settings
    PythonAutoReload On
    PythonDebug On
</Location></programlisting>
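
          <para>The following is an added example serving two passages
            of this section: the <filename>mod_ssl</filename>
            description above, where <acronym>SSLv3</acronym> should be
            switched off with <literal>SSLProtocol</literal>, and the
            <literal>Location</literal> block just shown, whose
            <literal>PythonDebug On</literal> makes
            <filename>mod_python</filename> send Python tracebacks to
            the browser.  It is not part of the Handbook, of
            <application>Apache</application>, of
            <filename>mod_python</filename> or of
            <application>Django</application>.  It parses an
            <filename>httpd.conf</filename> fragment, tracks which
            section each directive sits in, evaluates the
            <literal>SSLProtocol</literal> tokens the way the
            <filename>mod_ssl</filename> documentation describes them
            (<literal>all</literal>, <literal>+X</literal>,
            <literal>-X</literal>, with <literal>all</literal> treated
            conservatively as including <acronym>SSLv3</acronym>), and
            reports both weak settings.  The two configuration fragments
            at the bottom, the weak one beside its corrected form, are
            constructed for the example.</para>

```python
# Added example covering the mod_ssl section (disable SSLv3 via SSLProtocol)
# and the Django <Location> block (PythonDebug On).  Not part of the FreeBSD
# Handbook, Apache httpd, mod_python or Django.  The sample configurations at
# the bottom are constructed for this example; 'all' is treated conservatively
# as including SSLv3, which some OpenSSL builds still allow.
import re
from typing import List, Set, Tuple

_OPEN = re.compile(r"^<(\w+)\b([^>]*)>$")      # <Location "/">, <VirtualHost *:443>
_CLOSE = re.compile(r"^</(\w+)>$")
_ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
_WEAK = {"SSLv2", "SSLv3"}
_CANON = {name.lower(): name for name in _ALL | {"SSLv2"}}


def parse_directives(text: str) -> List[Tuple[str, str, List[str]]]:
    """Split httpd.conf text into (section path, directive, args) triples.

    Tracks <Section> nesting so a finding can name the block it sits in,
    skips comments and blank lines, and joins backslash continuations.
    """
    out, stack, pending = [], [], ""
    for raw in text.splitlines():
        line = (pending + " " + raw.strip()).strip() if pending else raw.strip()
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1].rstrip()
            continue
        if not line or line.startswith("#"):
            continue
        opened = _OPEN.match(line)
        if opened:
            stack.append(f"{opened.group(1)} {opened.group(2).strip()}".strip())
        elif _CLOSE.match(line):
            if stack:
                stack.pop()
        else:
            name, *args = line.split()
            out.append(("/".join(stack), name, args))
    return out


def enabled_protocols(args: List[str]) -> Set[str]:
    """Evaluate SSLProtocol arguments left to right: 'all' expands to every
    version, '+X' or bare 'X' adds one, '-X' removes one (case-insensitive)."""
    enabled: Set[str] = set()
    for token in args:
        sign, name = (token[0], token[1:]) if token[0] in "+-" else ("+", token)
        members = _ALL if name.lower() == "all" else {_CANON.get(name.lower(), name)}
        if sign == "+":
            enabled |= members
        else:
            enabled -= members
    return enabled


def audit(text: str) -> List[str]:
    """Return one message per weak setting found in the configuration."""
    findings = []
    for path, name, args in parse_directives(text):
        where = f" in <{path}>" if path else ""
        directive = name.lower()
        if directive == "sslprotocol":
            weak = enabled_protocols(args) & _WEAK
            if weak:
                findings.append(
                    f"SSLProtocol{where} leaves {', '.join(sorted(weak))} enabled; "
                    "use 'SSLProtocol all -SSLv3' or list TLS versions only")
        elif directive == "pythondebug" and args and args[0].lower() == "on":
            findings.append(
                f"PythonDebug On{where} returns Python tracebacks to clients; "
                "set it to Off outside development")
    return findings


# Constructed samples: the weak settings beside their corrected form.
WEAK_CONFIG = """
SSLProtocol all
<Location "/">
    SetHandler python-program
    PythonHandler django.core.handlers.modpython
    PythonDebug On
</Location>
"""

HARDENED_CONFIG = """
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
<Location "/">
    SetHandler python-program
    PythonHandler django.core.handlers.modpython
    PythonDebug Off
</Location>
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit(cfg) or ['no findings']}")
```

          <para>The parser is deliberately small and does not follow
            <literal>Include</literal> directives; run it over the
            concatenated configuration, or extend it, before relying on
            an empty result.</para>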

          <para><literal>PythonDebug On</literal> causes
            <filename>mod_python</filename> to return Python tracebacks
            to the browser.  This is convenient during development but
            discloses file paths and code to clients, so set it to
            <literal>Off</literal> on a production server.</para>

          <para>Refer to <uri
              xlink:href="https://docs.djangoproject.com">https://docs.djangoproject.com</uri>
            for more information on how to use
            <application>Django</application>.</para>
        </sect3>

        <sect3>
          <title>Ruby on Rails</title>

          <indexterm><primary>Ruby on Rails</primary></indexterm>

          <para><application>Ruby on Rails</application> is another open
            source web framework that provides a full development stack.
            It is optimized to make web developers more productive and
            capable of writing powerful applications quickly.  On &os;,
            it can be installed using the
            <package>www/rubygem-rails</package> package or port.</para>

          <para>Refer to <uri
              xlink:href="http://guides.rubyonrails.org">http://guides.rubyonrails.org</uri>
            for more information on how to use <application>Ruby on
              Rails</application>.</para>
        </sect3>
      </sect2>
    </sect1>

    <sect1 xml:id="network-ftp">
      <!--
      <sect1info>
	<authorgroup>
	  <author>
	    <firstname>Murray</firstname>
	    <surname>Stokely</surname>
	    <contrib>Contributed by </contrib>
	  </author>
	</authorgroup>
      </sect1info>
      -->
      <title>File Transfer Protocol (<acronym>FTP</acronym>)</title>

      <indexterm><primary><acronym>FTP</acronym>
        servers</primary></indexterm>

      <para>The File Transfer Protocol (<acronym>FTP</acronym>) provides
        users with a simple way to transfer files to and from an
        <acronym>FTP</acronym> server.  &os; includes
        <acronym>FTP</acronym> server software,
        <application>ftpd</application>, in the base system.</para>

      <para>&os; provides several configuration files for controlling
        access to the <acronym>FTP</acronym> server.  This section
        summarizes these files.  Refer to &man.ftpd.8; for more details
        about the built-in <acronym>FTP</acronym> server.</para>

      <sect2>
        <title>Configuration</title>

        <para>The most important configuration step is deciding which
          accounts will be allowed access to the <acronym>FTP</acronym>
          server.  A &os; system has a number of system accounts which
          should not be allowed <acronym>FTP</acronym> access.  The list
          of users disallowed any <acronym>FTP</acronym> access can be
          found in <filename>/etc/ftpusers</filename>.  By default, it
4933 |
includes system accounts. Additional users that should not be |
5360 |
includes system accounts. Additional users that should not be |
4934 |
allowed access to <acronym>FTP</acronym> can be added.</para> |
5361 |
allowed access to <acronym>FTP</acronym> can be added.</para> |
4935 |
|
5362 |
|
4936 |
<para>In some cases it may be desirable to restrict the access |
5363 |
<para>In some cases it may be desirable to restrict the access |
4937 |
of some users without preventing them completely from using |
5364 |
of some users without preventing them completely from using |
4938 |
<acronym>FTP</acronym>. This can be accomplished be creating |
5365 |
<acronym>FTP</acronym>. This can be accomplished be creating |
4939 |
<filename>/etc/ftpchroot</filename> as described in |
5366 |
<filename>/etc/ftpchroot</filename> as described in |
4940 |
&man.ftpchroot.5;. This file lists users and groups subject |
5367 |
&man.ftpchroot.5;. This file lists users and groups subject |
4941 |
to <acronym>FTP</acronym> access restrictions.</para> |
5368 |
to <acronym>FTP</acronym> access restrictions.</para> |
4942 |
|
5369 |
|
4943 |
<indexterm> |
5370 |
<indexterm> |
4944 |
<primary><acronym>FTP</acronym></primary> |
5371 |
<primary><acronym>FTP</acronym></primary> |
4945 |
<secondary>anonymous</secondary> |
5372 |
<secondary>anonymous</secondary> |
4946 |
</indexterm> |
5373 |
</indexterm> |
4947 |
|
5374 |
|
4948 |
<para>To enable anonymous <acronym>FTP</acronym> access to the |
5375 |
<para>To enable anonymous <acronym>FTP</acronym> access to the |
4949 |
server, create a user named <systemitem |
5376 |
server, create a user named <systemitem |
4950 |
class="username">ftp</systemitem> on the &os; system. Users |
5377 |
class="username">ftp</systemitem> on the &os; system. Users |
4951 |
will then be able to log on to the |
5378 |
will then be able to log on to the |
4952 |
<acronym>FTP</acronym> server with a username of |
5379 |
<acronym>FTP</acronym> server with a username of |
4953 |
<systemitem class="username">ftp</systemitem> or <systemitem |
5380 |
<systemitem class="username">ftp</systemitem> or <systemitem |
4954 |
class="username">anonymous</systemitem>. When prompted for |
5381 |
class="username">anonymous</systemitem>. When prompted for |
4955 |
the password, any input will be accepted, but by convention, |
5382 |
the password, any input will be accepted, but by convention, |
4956 |
an email address should be used as the password. The |
5383 |
an email address should be used as the password. The |
4957 |
<acronym>FTP</acronym> server will call &man.chroot.2; when an |
5384 |
<acronym>FTP</acronym> server will call &man.chroot.2; when an |
4958 |
anonymous user logs in, to restrict access to only the home |
5385 |
anonymous user logs in, to restrict access to only the home |
4959 |
directory of the <systemitem |
5386 |
directory of the <systemitem |
4960 |
class="username">ftp</systemitem> user.</para> |
5387 |
class="username">ftp</systemitem> user.</para> |
4961 |
|
5388 |
|
4962 |
<para>There are two text files that can be created to specify |
5389 |
<para>There are two text files that can be created to specify |
4963 |
welcome messages to be displayed to <acronym>FTP</acronym> |
5390 |
welcome messages to be displayed to <acronym>FTP</acronym> |
4964 |
clients. The contents of |
5391 |
clients. The contents of |
4965 |
<filename>/etc/ftpwelcome</filename> will be displayed to |
5392 |
<filename>/etc/ftpwelcome</filename> will be displayed to |
4966 |
users before they reach the login prompt. After a successful |
5393 |
users before they reach the login prompt. After a successful |
4967 |
login, the contents of |
5394 |
login, the contents of |
4968 |
<filename>/etc/ftpmotd</filename> will be displayed. Note |
5395 |
<filename>/etc/ftpmotd</filename> will be displayed. Note |
4969 |
that the path to this file is relative to the login |
5396 |
that the path to this file is relative to the login |
4970 |
environment, so the contents of |
5397 |
environment, so the contents of |
4971 |
<filename>~ftp/etc/ftpmotd</filename> would be displayed for |
5398 |
<filename>~ftp/etc/ftpmotd</filename> would be displayed for |
4972 |
anonymous users.</para> |
5399 |
anonymous users.</para> |
4973 |
|
5400 |
|
4974 |
<para>Once the <acronym>FTP</acronym> server has been |
5401 |
<para>Once the <acronym>FTP</acronym> server has been |
4975 |
configured, set the appropriate variable in |
5402 |
configured, set the appropriate variable in |
4976 |
<filename>/etc/rc.conf</filename> to start the service during |
5403 |
<filename>/etc/rc.conf</filename> to start the service during |
4977 |
boot:</para> |
5404 |
boot:</para> |
4978 |
|
5405 |
|
4979 |
<programlisting>ftpd_enable="YES"</programlisting> |
5406 |
<programlisting>ftpd_enable="YES"</programlisting> |
4980 |
|
5407 |
|
4981 |
<para>To start the service now:</para> |
5408 |
<para>To start the service now:</para> |
4982 |
|
5409 |
|
4983 |
<screen>&prompt.root; <userinput>service ftpd start</userinput></screen> |
5410 |
<screen>&prompt.root; <userinput>service ftpd start</userinput></screen> |
4984 |
|
5411 |
|
4985 |
<para>Test the connection to the <acronym>FTP</acronym> server |
5412 |
<para>Test the connection to the <acronym>FTP</acronym> server |
4986 |
by typing:</para> |
5413 |
by typing:</para> |
4987 |
|
5414 |
|
4988 |
<screen>&prompt.user; <userinput>ftp localhost</userinput></screen> |
5415 |
<screen>&prompt.user; <userinput>ftp localhost</userinput></screen> |
4989 |
|
5416 |
|
4990 |
<indexterm><primary>syslog</primary></indexterm> |
5417 |
<indexterm><primary>syslog</primary></indexterm> |
4991 |
<indexterm><primary>log files</primary> |
5418 |
<indexterm><primary>log files</primary> |
4992 |
<secondary><acronym>FTP</acronym></secondary></indexterm> |
5419 |
<secondary><acronym>FTP</acronym></secondary></indexterm> |
4993 |
|
5420 |
|
4994 |
<para>The <application>ftpd</application> daemon uses |
5421 |
<para>The <application>ftpd</application> daemon uses |
4995 |
&man.syslog.3; to log messages. By default, the system log |
5422 |
&man.syslog.3; to log messages. By default, the system log |
4996 |
daemon will write messages related to <acronym>FTP</acronym> |
5423 |
daemon will write messages related to <acronym>FTP</acronym> |
4997 |
in <filename>/var/log/xferlog</filename>. The location of |
5424 |
in <filename>/var/log/xferlog</filename>. The location of |
4998 |
the <acronym>FTP</acronym> log can be modified by changing the |
5425 |
the <acronym>FTP</acronym> log can be modified by changing the |
4999 |
following line in |
5426 |
following line in |
5000 |
<filename>/etc/syslog.conf</filename>:</para> |
5427 |
<filename>/etc/syslog.conf</filename>:</para> |
5001 |
|
5428 |
|
5002 |
<programlisting>ftp.info /var/log/xferlog</programlisting> |
5429 |
<programlisting>ftp.info /var/log/xferlog</programlisting> |
5003 |
|
5430 |
|
5004 |
<indexterm> |
5431 |
<indexterm> |
5005 |
<primary><acronym>FTP</acronym></primary> |
5432 |
<primary><acronym>FTP</acronym></primary> |
5006 |
<secondary>anonymous</secondary> |
5433 |
<secondary>anonymous</secondary> |
5007 |
</indexterm> |
5434 |
</indexterm> |
5008 |
|
5435 |
|
5009 |
<note> |
5436 |
<note> |
5010 |
<para>Be aware of the potential problems involved with running |
5437 |
<para>Be aware of the potential problems involved with running |
5011 |
an anonymous <acronym>FTP</acronym> server. In particular, |
5438 |
an anonymous <acronym>FTP</acronym> server. In particular, |
5012 |
think twice about allowing anonymous users to upload files. |
5439 |
think twice about allowing anonymous users to upload files. |
5013 |
It may turn out that the <acronym>FTP</acronym> site becomes |
5440 |
It may turn out that the <acronym>FTP</acronym> site becomes |
5014 |
a forum for the trade of unlicensed commercial software or |
5441 |
a forum for the trade of unlicensed commercial software or |
5015 |
worse. If anonymous <acronym>FTP</acronym> uploads are |
5442 |
worse. If anonymous <acronym>FTP</acronym> uploads are |
5016 |
required, then verify the permissions so that these files |
5443 |
required, then verify the permissions so that these files |
5017 |
cannot be read by other anonymous users until they have |
5444 |
can not be read by other anonymous users until they have |
5018 |
been reviewed by an administrator.</para> |
5445 |
been reviewed by an administrator.</para> |
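Review bot: "can not be read" in the right column (5444) is a regression from "cannot be read" in the left column (5017); the one-word form is the standard spelling and is the one to keep in the note about anonymous uploads.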
5019 |
</note> |
5446 |
</note> |
5020 |
</sect2> |
5447 |
</sect2> |
5021 |
</sect1> |
5448 |
</sect1> |
5022 |
|
5449 |
|
5023 |
<sect1 xml:id="network-samba"> |
5450 |
<sect1 xml:id="network-samba"> |
5024 |
<!-- |
5451 |
<!-- |
5025 |
<sect1info> |
5452 |
<sect1info> |
5026 |
<authorgroup> |
5453 |
<authorgroup> |
5027 |
<author> |
5454 |
<author> |
5028 |
<firstname>Murray</firstname> |
5455 |
<firstname>Murray</firstname> |
5029 |
<surname>Stokely</surname> |
5456 |
<surname>Stokely</surname> |
5030 |
<contrib>Contributed by </contrib> |
5457 |
<contrib>Contributed by </contrib> |
5031 |
</author> |
5458 |
</author> |
5032 |
</authorgroup> |
5459 |
</authorgroup> |
5033 |
</sect1info> |
5460 |
</sect1info> |
5034 |
--> |
5461 |
--> |
5035 |
<title>File and Print Services for µsoft.windows; Clients |
5462 |
<title>File and Print Services for µsoft.windows; Clients |
5036 |
(Samba)</title> |
5463 |
(Samba)</title> |
5037 |
|
5464 |
|
5038 |
<indexterm><primary>Samba server</primary></indexterm> |
5465 |
<indexterm><primary>Samba server</primary></indexterm> |
5039 |
<indexterm><primary>Microsoft Windows</primary></indexterm> |
5466 |
<indexterm><primary>Microsoft Windows</primary></indexterm> |
5040 |
<indexterm> |
5467 |
<indexterm> |
5041 |
<primary>file server</primary> |
5468 |
<primary>file server</primary> |
5042 |
<secondary>Windows clients</secondary> |
5469 |
<secondary>Windows clients</secondary> |
5043 |
</indexterm> |
5470 |
</indexterm> |
5044 |
<indexterm> |
5471 |
<indexterm> |
5045 |
<primary>print server</primary> |
5472 |
<primary>print server</primary> |
5046 |
<secondary>Windows clients</secondary> |
5473 |
<secondary>Windows clients</secondary> |
5047 |
</indexterm> |
5474 |
</indexterm> |
5048 |
|
5475 |
|
5049 |
<para><application>Samba</application> is a popular open source |
5476 |
<para><application>Samba</application> is a popular open source |
5050 |
software package that provides file and print services using the |
5477 |
software package that provides file and print services using the |
5051 |
<acronym>SMB/CIFS</acronym> protocol. This protocol is built |
5478 |
<acronym>SMB/CIFS</acronym> protocol. This protocol is built |
5052 |
into µsoft.windows; systems. It can be added to |
5479 |
into µsoft.windows; systems. It can be added to |
5053 |
non-µsoft.windows; systems by installing the |
5480 |
non-µsoft.windows; systems by installing the |
5054 |
<application>Samba</application> client libraries. The protocol |
5481 |
<application>Samba</application> client libraries. The protocol |
5055 |
allows clients to access shared data and printers. These shares |
5482 |
allows clients to access shared data and printers. These shares |
5056 |
can be mapped as a local disk drive and shared printers can be |
5483 |
can be mapped as a local disk drive and shared printers can be |
5057 |
used as if they were local printers.</para> |
5484 |
used as if they were local printers.</para> |
5058 |
|
5485 |
|
5059 |
<para>On &os;, the <application>Samba</application> client |
5486 |
<para>On &os;, the <application>Samba</application> client |
5060 |
libraries can be installed using the |
5487 |
libraries can be installed using the |
5061 |
<package>net/samba-smbclient</package> port or package. The |
5488 |
<package>net/samba-smbclient</package> port or package. The |
5062 |
client provides the ability for a &os; system to access |
5489 |
client provides the ability for a &os; system to access |
5063 |
<acronym>SMB/CIFS</acronym> shares in a µsoft.windows; |
5490 |
<acronym>SMB/CIFS</acronym> shares in a µsoft.windows; |
5064 |
network.</para> |
5491 |
network.</para> |
5065 |
|
5492 |
|
5066 |
<para>A &os; system can also be configured to act as a |
5493 |
<para>A &os; system can also be configured to act as a |
5067 |
<application>Samba</application> server by installing the |
5494 |
<application>Samba</application> server by installing the |
5068 |
<package>net/samba43</package> port or package. This allows the |
5495 |
<package>net/samba43</package> port or package. This allows the |
5069 |
administrator to create <acronym>SMB</acronym>/<acronym>CIFS</acronym> |
5496 |
administrator to create <acronym>SMB</acronym>/<acronym>CIFS</acronym>shares on |
5070 |
shares on |
|
|
5071 |
the &os; system which can be accessed by clients running |
5497 |
the &os; system which can be accessed by clients running |
5072 |
µsoft.windows; or the <application>Samba</application> |
5498 |
µsoft.windows; or the <application>Samba</application> |
5073 |
client libraries.</para> |
5499 |
client libraries.</para> |
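Review bot: the right column at 5496 runs `<acronym>CIFS</acronym>shares on` together with no whitespace between the closing tag and "shares", so the rendered text reads "SMB/CIFSshares". The left column keeps the line break after `</acronym>` (5069/5070), which renders as a space; either restore the break or insert a space after the closing tag.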
5074 |
|
5500 |
|
5075 |
<sect2> |
5501 |
<sect2> |
5076 |
<title>Server Configuration</title> |
5502 |
<title>Server Configuration</title> |
5077 |
|
5503 |
|
5078 |
<para><application>Samba</application> is configured in |
5504 |
<para><application>Samba</application> is configured in |
5079 |
<filename>/usr/local/etc/smb4.conf</filename>. This file must |
5505 |
<filename>/usr/local/etc/smb4.conf</filename>. This file must |
5080 |
be created before <application>Samba</application> |
5506 |
be created before <application>Samba</application> |
5081 |
can be used.</para> |
5507 |
can be used.</para> |
5082 |
|
5508 |
|
5083 |
<para>A simple <filename>smb4.conf</filename> to share |
5509 |
<para>A simple <filename>smb4.conf</filename> to share |
5084 |
directories and printers with &windows; clients in a |
5510 |
directories and printers with &windows; clients in a |
5085 |
workgroup is shown here. For more complex setups |
5511 |
workgroup is shown here. For more complex setups |
5086 |
involving LDAP or Active Directory, it is easier to use |
5512 |
involving <acronym>LDAP</acronym> or Active Directory, it is |
5087 |
&man.samba-tool.8; to create the initial |
5513 |
easier to use &man.samba-tool.8; to create the initial |
5088 |
<filename>smb4.conf</filename>.</para> |
5514 |
<filename>smb4.conf</filename>.</para> |
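Review bot: wrapping LDAP in `<acronym>` at 5512 is fine, but the same file still leaves "LDAP, NIS+, an SQL database" as plain text in the `passdb backend` entry further down; apply the same markup there as well, or leave both places unmarked, so the section is consistent.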
5089 |
|
5515 |
|
5090 |
<programlisting>[global] |
5516 |
<programlisting>[global] |
5091 |
workgroup = WORKGROUP |
5517 |
workgroup = WORKGROUP |
5092 |
server string = Samba Server Version %v |
5518 |
server string = Samba Server Version %v |
5093 |
netbios name = ExampleMachine |
5519 |
netbios name = ExampleMachine |
5094 |
wins support = Yes |
5520 |
wins support = Yes |
5095 |
security = user |
5521 |
security = user |
5096 |
passdb backend = tdbsam |
5522 |
passdb backend = tdbsam |
5097 |
|
5523 |
|
5098 |
# Example: share /usr/src accessible only to 'developer' user |
5524 |
# Example: share /usr/src accessible only to 'developer' user |
5099 |
[src] |
5525 |
[src] |
5100 |
path = /usr/src |
5526 |
path = /usr/src |
5101 |
valid users = developer |
5527 |
valid users = developer |
5102 |
writable = yes |
5528 |
writable = yes |
5103 |
browsable = yes |
5529 |
browsable = yes |
5104 |
read only = no |
5530 |
read only = no |
5105 |
guest ok = no |
5531 |
guest ok = no |
5106 |
public = no |
5532 |
public = no |
5107 |
create mask = 0666 |
5533 |
create mask = 0666 |
5108 |
directory mask = 0755</programlisting> |
5534 |
directory mask = 0755</programlisting> |
5109 |
|
5535 |
|
5110 |
<sect3> |
5536 |
<sect3> |
5111 |
<title>Global Settings</title> |
5537 |
<title>Global Settings</title> |
5112 |
|
5538 |
|
5113 |
<para>Settings that describe the network are added in |
5539 |
<para>Settings that describe the network are added in |
5114 |
<filename>/usr/local/etc/smb4.conf</filename>:</para> |
5540 |
<filename>/usr/local/etc/smb4.conf</filename>:</para> |
5115 |
|
5541 |
|
5116 |
<variablelist> |
5542 |
<variablelist> |
5117 |
<varlistentry> |
5543 |
<varlistentry> |
5118 |
<term><literal>workgroup</literal></term> |
5544 |
<term><literal>workgroup</literal></term> |
5119 |
|
5545 |
|
5120 |
<listitem> |
5546 |
<listitem> |
5121 |
<para>The name of the workgroup to be served.</para> |
5547 |
<para>The name of the workgroup to be served.</para> |
5122 |
</listitem> |
5548 |
</listitem> |
5123 |
</varlistentry> |
5549 |
</varlistentry> |
5124 |
|
5550 |
|
5125 |
<varlistentry> |
5551 |
<varlistentry> |
5126 |
<term><literal>netbios name</literal></term> |
5552 |
<term><literal>netbios name</literal></term> |
5127 |
|
5553 |
|
5128 |
<listitem> |
5554 |
<listitem> |
5129 |
<para>The NetBIOS name by which a |
5555 |
<para>The NetBIOS name by which a |
5130 |
<application>Samba</application> server is known. By |
5556 |
<application>Samba</application> server is known. By |
5131 |
default, it is the same as the first component of the |
5557 |
default, it is the same as the first component of the |
5132 |
host's <acronym>DNS</acronym> name.</para> |
5558 |
host's <acronym>DNS</acronym> name.</para> |
5133 |
</listitem> |
5559 |
</listitem> |
5134 |
</varlistentry> |
5560 |
</varlistentry> |
5135 |
|
5561 |
|
5136 |
<varlistentry> |
5562 |
<varlistentry> |
5137 |
<term><literal>server string</literal></term> |
5563 |
<term><literal>server string</literal></term> |
5138 |
|
5564 |
|
5139 |
<listitem> |
5565 |
<listitem> |
5140 |
<para>The string that will be displayed in the output of |
5566 |
<para>The string that will be displayed in the output of |
5141 |
<command>net view</command> and some other |
5567 |
<command>net view</command> and some other |
5142 |
networking tools that seek to display descriptive text |
5568 |
networking tools that seek to display descriptive text |
5143 |
about the server.</para> |
5569 |
about the server.</para> |
5144 |
</listitem> |
5570 |
</listitem> |
5145 |
</varlistentry> |
5571 |
</varlistentry> |
5146 |
|
5572 |
|
5147 |
<varlistentry> |
5573 |
<varlistentry> |
5148 |
<term><literal>wins support</literal></term> |
5574 |
<term><literal>wins support</literal></term> |
5149 |
|
5575 |
|
5150 |
<listitem> |
5576 |
<listitem> |
5151 |
<para>Whether <application>Samba</application> will |
5577 |
<para>Whether <application>Samba</application> will |
5152 |
act as a <acronym>WINS</acronym> server. Do not |
5578 |
act as a <acronym>WINS</acronym> server. Do not |
5153 |
enable support for <acronym>WINS</acronym> on more than |
5579 |
enable support for <acronym>WINS</acronym> on more than |
5154 |
one server on the network.</para> |
5580 |
one server on the network.</para> |
5155 |
</listitem> |
5581 |
</listitem> |
5156 |
</varlistentry> |
5582 |
</varlistentry> |
5157 |
</variablelist> |
5583 |
</variablelist> |
5158 |
</sect3> |
5584 |
</sect3> |
5159 |
|
5585 |
|
5160 |
<sect3> |
5586 |
<sect3> |
5161 |
<title>Security Settings</title> |
5587 |
<title>Security Settings</title> |
5162 |
|
5588 |
|
5163 |
<para>The most important settings in |
5589 |
<para>The most important settings in |
5164 |
<filename>/usr/local/etc/smb4.conf</filename> are the |
5590 |
<filename>/usr/local/etc/smb4.conf</filename> are the |
5165 |
security model and the backend password format. These |
5591 |
security model and the backend password format. These |
5166 |
directives control the options:</para> |
5592 |
directives control the options:</para> |
5167 |
|
5593 |
|
5168 |
<variablelist> |
5594 |
<variablelist> |
5169 |
<varlistentry> |
5595 |
<varlistentry> |
5170 |
<term><literal>security</literal></term> |
5596 |
<term><literal>security</literal></term> |
5171 |
|
5597 |
|
5172 |
<listitem> |
5598 |
<listitem> |
5173 |
<para>The most common settings are |
5599 |
<para>The most common settings are |
5174 |
<literal>security = share</literal> and |
5600 |
<literal>security = share</literal> and |
5175 |
<literal>security = user</literal>. If the clients |
5601 |
<literal>security = user</literal>. If the clients |
5176 |
use usernames that are the same as their usernames on |
5602 |
use usernames that are the same as their usernames on |
5177 |
the &os; machine, user level security should be |
5603 |
the &os; machine, user level security should be |
5178 |
used. This is the default security policy and it |
5604 |
used. This is the default security policy and it |
5179 |
requires clients to first log on before they can |
5605 |
requires clients to first log on before they can |
5180 |
access shared resources.</para> |
5606 |
access shared resources.</para> |
5181 |
|
5607 |
|
5182 |
<para>In share level security, clients do not need to |
5608 |
<para>In share level security, clients do not need to |
5183 |
log onto the server with a valid username and password |
5609 |
log onto the server with a valid username and password |
5184 |
before attempting to connect to a shared resource. |
5610 |
before attempting to connect to a shared resource. |
5185 |
This was the default security model for older versions |
5611 |
This was the default security model for older versions |
5186 |
of <application>Samba</application>.</para> |
5612 |
of <application>Samba</application>.</para> |
5187 |
</listitem> |
5613 |
</listitem> |
5188 |
</varlistentry> |
5614 |
</varlistentry> |
5189 |
|
5615 |
|
5190 |
<varlistentry> |
5616 |
<varlistentry> |
5191 |
<term><literal>passdb backend</literal></term> |
5617 |
<term><literal>passdb backend</literal></term> |
5192 |
|
5618 |
|
5193 |
<listitem> |
5619 |
<listitem> |
5194 |
<indexterm><primary>NIS+</primary></indexterm> |
5620 |
<indexterm><primary>NIS+</primary></indexterm> |
5195 |
<indexterm><primary>LDAP</primary></indexterm> |
5621 |
<indexterm><primary>LDAP</primary></indexterm> |
5196 |
<indexterm><primary>SQL database</primary></indexterm> |
5622 |
<indexterm><primary>SQL database</primary></indexterm> |
5197 |
|
5623 |
|
5198 |
<para><application>Samba</application> has several |
5624 |
<para><application>Samba</application> has several |
5199 |
different backend authentication models. Clients may |
5625 |
different backend authentication models. Clients may |
5200 |
be authenticated with LDAP, NIS+, an SQL database, |
5626 |
be authenticated with LDAP, NIS+, an SQL database, |
5201 |
or a modified password file. The recommended |
5627 |
or a modified password file. The recommended |
5202 |
authentication method, <literal>tdbsam</literal>, |
5628 |
authentication method, <literal>tdbsam</literal>, |
5203 |
is ideal for simple networks and is covered here. |
5629 |
is ideal for simple networks and is covered here. |
5204 |
For larger or more complex networks, |
5630 |
For larger or more complex networks, |
5205 |
<literal>ldapsam</literal> is recommended. |
5631 |
<literal>ldapsam</literal> is recommended. |
5206 |
<literal>smbpasswd</literal> |
5632 |
<literal>smbpasswd</literal> |
5207 |
was the former default and is now obsolete.</para> |
5633 |
was the former default and is now obsolete.</para> |
5208 |
</listitem> |
5634 |
</listitem> |
5209 |
</varlistentry> |
5635 |
</varlistentry> |
5210 |
</variablelist> |
5636 |
</variablelist> |
5211 |
|
5637 |
|
5212 |
</sect3> |
5638 |
</sect3> |
5213 |
|
5639 |
|
5214 |
<sect3> |
5640 |
<sect3> |
5215 |
<title><application>Samba</application> Users</title> |
5641 |
<title><application>Samba</application> Users</title> |
5216 |
|
5642 |
|
5217 |
<para>&os; user accounts must be mapped to the |
5643 |
<para>&os; user accounts must be mapped to the |
5218 |
<literal>SambaSAMAccount</literal> database for |
5644 |
<literal>SambaSAMAccount</literal> database for |
5219 |
&windows; clients to access the share. |
5645 |
&windows; clients to access the share. |
5220 |
Map existing &os; user accounts using |
5646 |
Map existing &os; user accounts using |
5221 |
&man.pdbedit.8;:</para> |
5647 |
&man.pdbedit.8;:</para> |
5222 |
|
5648 |
|
5223 |
<screen>&prompt.root; <userinput>pdbedit -a <replaceable>username</replaceable></userinput></screen> |
5649 |
<screen>&prompt.root; <userinput>pdbedit -a <replaceable>username</replaceable></userinput></screen> |
5224 |
|
5650 |
|
5225 |
<para>This section has only mentioned the most commonly used |
5651 |
<para>This section has only mentioned the most commonly used |
5226 |
settings. Refer to the <link |
5652 |
settings. Refer to the <link |
5227 |
xlink:href="http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/">Official |
5653 |
xlink:href="http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/">Official |
5228 |
Samba HOWTO</link> for additional information about the |
5654 |
Samba HOWTO</link> for additional information about the |
5229 |
available configuration options.</para> |
5655 |
available configuration options.</para> |
5230 |
</sect3> |
5656 |
</sect3> |
5231 |
</sect2> |
5657 |
</sect2> |
5232 |
|
5658 |
|
5233 |
<sect2> |
5659 |
<sect2> |
5234 |
<title>Starting <application>Samba</application></title> |
5660 |
<title>Starting <application>Samba</application></title> |
5235 |
|
5661 |
|
5236 |
<para>To enable <application>Samba</application> at boot time, |
5662 |
<para>To enable <application>Samba</application> at boot time, |
5237 |
add the following line to |
5663 |
add the following line to |
5238 |
<filename>/etc/rc.conf</filename>:</para> |
5664 |
<filename>/etc/rc.conf</filename>:</para> |
5239 |
|
5665 |
|
5240 |
<programlisting>samba_enable="YES"</programlisting> |
5666 |
<programlisting>samba_enable="YES"</programlisting> |
5241 |
|
5667 |
|
5242 |
<para>To enable Samba4, use:</para> |
|
|
5243 |
<programlisting>samba_server_enable="YES"</programlisting> |
5244 |
|
5245 |
<para>To start <application>Samba</application> now:</para> |
5668 |
<para>To start <application>Samba</application> now:</para> |
5246 |
|
5669 |
|
5247 |
<screen>&prompt.root; <userinput>service samba start</userinput> |
5670 |
<screen>&prompt.root; <userinput>service samba start</userinput> |
5248 |
Starting SAMBA: removing stale tdbs : |
5671 |
Starting SAMBA: removing stale tdbs : |
5249 |
Starting nmbd. |
5672 |
Starting nmbd. |
5250 |
Starting smbd.</screen> |
5673 |
Starting smbd.</screen> |
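Review bot: the right column drops the "To enable Samba4, use: samba_server_enable="YES"" paragraph that the left column has at 5242-5243, yet it still tells readers to install the net/samba43 port (5495) and to enable the service with samba_enable and `service samba start`. If the samba43 port's rc script honours samba_server_enable rather than samba_enable, a reader following the right-hand text sets a variable that does nothing for that port; either keep the Samba4 paragraph or state which rc variable and service name apply to net/samba43, and make the "are started by samba_enable" sentence below agree with that choice.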
5251 |
|
5674 |
|
5252 |
<para><application>Samba</application> consists of three |
5675 |
<para><application>Samba</application> consists of three |
5253 |
separate daemons. Both the <application>nmbd</application> |
5676 |
separate daemons. Both the <application>nmbd</application> |
5254 |
and <application>smbd</application> daemons are started by |
5677 |
and <application>smbd</application> daemons are started by |
5255 |
<varname>samba_enable</varname>. If winbind name resolution |
5678 |
<varname>samba_enable</varname>. If winbind name resolution |
5256 |
is also required, set:</para> |
5679 |
is also required, set:</para> |
5257 |
|
5680 |
|
5258 |
<programlisting>winbindd_enable="YES"</programlisting> |
5681 |
<programlisting>winbindd_enable="YES"</programlisting> |
5259 |
|
5682 |
|
5260 |
<para><application>Samba</application> can be stopped at any |
5683 |
<para><application>Samba</application> can be stopped at any |
5261 |
time by typing:</para> |
5684 |
time by typing:</para> |
5262 |
|
5685 |
|
5263 |
<screen>&prompt.root; <userinput>service samba stop</userinput></screen> |
5686 |
<screen>&prompt.root; <userinput>service samba stop</userinput></screen> |
5264 |
|
5687 |
|
5265 |
<para><application>Samba</application> is a complex software |
5688 |
<para><application>Samba</application> is a complex software |
5266 |
suite with functionality that allows broad integration with |
5689 |
suite with functionality that allows broad integration with |
5267 |
µsoft.windows; networks. For more information about |
5690 |
µsoft.windows; networks. For more information about |
5268 |
functionality beyond the basic configuration described here, |
5691 |
functionality beyond the basic configuration described here, |
5269 |
refer to <uri |
5692 |
refer to <uri |
5270 |
xlink:href="http://www.samba.org">http://www.samba.org</uri>.</para>
</sect2>
</sect1>

<sect1 xml:id="network-ntp">
<!--
<sect1info>
<authorgroup>
<author>
<firstname>Tom</firstname>
<surname>Hukins</surname>
<contrib>Contributed by </contrib>
</author>
</authorgroup>
</sect1info>
-->
<title>Clock Synchronization with NTP</title>

<indexterm><primary>NTP</primary>
<secondary>ntpd</secondary>
</indexterm>

<para>Over time, a computer's clock is prone to drift. This is
problematic as many network services require the computers on a
network to share the same accurate time. Accurate time is also
needed to ensure that file timestamps stay consistent. The
Network Time Protocol (<acronym>NTP</acronym>) is one way to
provide clock accuracy in a network.</para>

<para>&os; includes &man.ntpd.8; which can be configured to query
other <acronym>NTP</acronym> servers in order to synchronize the
clock on that machine or to provide time services to other
computers in the network. The servers which are queried can be
local to the network or provided by an <acronym>ISP</acronym>.
In addition, an <link
xlink:href="http://support.ntp.org/bin/view/Servers/WebHome">online
list of publicly accessible <acronym>NTP</acronym>
servers</link> is available. When choosing a public
<acronym>NTP</acronym> server, select one that is geographically
close and review its usage policy.</para>

<para>Choosing several <acronym>NTP</acronym> servers is
recommended in case one of the servers becomes unreachable or
its clock proves unreliable. As <application>ntpd</application>
receives responses, it favors reliable servers over the less
reliable ones.</para>

<para>This section describes how to configure
<application>ntpd</application> on &os;. Further documentation
can be found in <filename>/usr/share/doc/ntp/</filename> in HTML
format.</para>

<sect2>
<title><acronym>NTP</acronym> Configuration</title>

<indexterm><primary>NTP</primary>
<secondary>ntp.conf</secondary>
</indexterm>

<para>On &os;, the built-in <application>ntpd</application> can
be used to synchronize a system's clock. To enable
<application>ntpd</application> at boot time, add
<literal>ntpd_enable="YES"</literal> to
<filename>/etc/rc.conf</filename>. Additional variables can
be specified in <filename>/etc/rc.conf</filename>. Refer to
&man.rc.conf.5; and &man.ntpd.8; for
details.</para>

<para>This application reads <filename>/etc/ntp.conf</filename>
to determine which <acronym>NTP</acronym> servers to query.
Here is a simple example of an
<filename>/etc/ntp.conf</filename>:</para>

<example>
<title>Sample <filename>/etc/ntp.conf</filename></title>

<programlisting>server ntplocal.example.com prefer
server timeserver.example.org
server ntp2a.example.net

driftfile /var/db/ntp.drift</programlisting>
</example>

<para>The format of this file is described in &man.ntp.conf.5;.
The <literal>server</literal> option specifies which servers
to query, with one server listed on each line. If a server
entry includes <literal>prefer</literal>, that server is
preferred over other servers. A response from a preferred
server will be discarded if it differs significantly from
other servers' responses; otherwise it will be used. The
<literal>prefer</literal> argument should only be used for
<acronym>NTP</acronym> servers that are known to be highly
accurate, such as those with special time monitoring
hardware.</para>

<para>The <literal>driftfile</literal> entry specifies which
file is used to store the system clock's frequency offset.
<application>ntpd</application> uses this to automatically
compensate for the clock's natural drift, allowing it to
maintain a reasonably correct setting even if it is cut off
from all external time sources for a period of time. This
file also stores information about previous responses
from <acronym>NTP</acronym> servers. Since this file contains
internal information for <acronym>NTP</acronym>, it should not
be modified.</para>

<para>By default, an <acronym>NTP</acronym> server is accessible
to any network host. The <literal>restrict</literal> option
in <filename>/etc/ntp.conf</filename> can be used to control
which systems can access the server. For example, to deny all
machines from accessing the <acronym>NTP</acronym> server, add
the following line to
<filename>/etc/ntp.conf</filename>:</para>

<programlisting>restrict default ignore</programlisting>

<note>
<para>This will also prevent access from other
<acronym>NTP</acronym> servers. If there is a need to
synchronize with an external <acronym>NTP</acronym> server,
allow only that specific server. Refer to &man.ntp.conf.5;
for more information.</para>
</note>

<para>To allow machines within the network to synchronize their
clocks with the server, but ensure they are not allowed to
configure the server or be used as peers to synchronize
against, instead use:</para>

<programlisting>restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap</programlisting>

<para>where <systemitem
class="ipaddress">192.168.1.0</systemitem> is the local
network address and <systemitem
class="netmask">255.255.255.0</systemitem> is the network's
subnet mask.</para>

<para>Multiple <literal>restrict</literal> entries are
supported. For more details, refer to the <literal>Access
Control Support</literal> subsection of
&man.ntp.conf.5;.</para>
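<para>The following is an added example, not part of the Handbook:
a POSIX sh script that reads an <filename>ntp.conf</filename> and
reports the effective <literal>restrict</literal> policy, so an
administrator can check that a server has not been left open to
every host and that LAN clients carry <literal>nomodify</literal>
and <literal>notrap</literal>. The two configuration files it
writes are constructed for the example, and the function names
(<literal>ntp_default_policy</literal>,
<literal>ntp_network_flags</literal>,
<literal>ntp_network_ok</literal>) are this example's own. It goes
slightly beyond the text by also recognising the
<literal>restrict -4 default</literal> and
<literal>restrict -6 default</literal> forms documented in
&man.ntp.conf.5;.</para>

```sh
#!/bin/sh
# Added example, not from the FreeBSD Handbook: audit the access-control
# ("restrict") lines of an ntp.conf. Function names and the sample files
# below are this example's own.

# ntp_restrict_lines FILE: the restrict lines of FILE, comments removed.
ntp_restrict_lines() {
    sed 's/#.*//' "$1" | awk '$1 == "restrict"'
}

# ntp_default_policy FILE: the policy for hosts matched by no other line.
#   "ignore"  - restrict default ignore: nobody is served unless re-admitted
#   "limited" - a restrict default line with other flags (nomodify, ...)
#   "open"    - no restrict default line, or one without flags: no host is
#               restricted in any way, which is how ntpd behaves out of the box
ntp_default_policy() {
    ntp_restrict_lines "$1" | awk '
        $2 == "default"                               { found = 1; for (i = 3; i <= NF; i++) { flag[$i] = 1; n++ } }
        ($2 == "-4" || $2 == "-6") && $3 == "default" { found = 1; for (i = 4; i <= NF; i++) { flag[$i] = 1; n++ } }
        END {
            if (!found || n == 0)      print "open"
            else if ("ignore" in flag) print "ignore"
            else                       print "limited"
        }'
}

# ntp_network_flags FILE NETWORK: flags on the restrict line for NETWORK,
# with the "mask x.x.x.x" pair skipped; prints nothing if NETWORK has no line.
ntp_network_flags() {
    ntp_restrict_lines "$1" | awk -v net="$2" '
        $2 == net {
            sep = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "mask") { i++; continue }
                printf "%s%s", sep, $i; sep = " "
            }
            print ""
        }'
}

# ntp_network_ok FILE NETWORK: succeeds when NETWORK is served but carries both
# nomodify and notrap, the combination the Handbook recommends for LAN clients.
ntp_network_ok() {
    f=" $(ntp_network_flags "$1" "$2") "
    case "$f" in *" ignore "*) return 1 ;; esac
    case "$f" in *" nomodify "*) case "$f" in *" notrap "*) return 0 ;; esac ;; esac
    return 1
}

NTP_EXAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$NTP_EXAMPLE_DIR"' EXIT

# Constructed sample 1: the Handbook's minimal ntp.conf. It has no restrict
# lines, so the server is accessible to any network host.
cat > "$NTP_EXAMPLE_DIR/open.conf" <<'EOF'
server ntplocal.example.com prefer
server timeserver.example.org
server ntp2a.example.net
driftfile /var/db/ntp.drift
EOF

# Constructed sample 2: the same servers, locked down as the Handbook
# describes: deny by default, then re-admit only what is needed.
cat > "$NTP_EXAMPLE_DIR/locked.conf" <<'EOF'
server ntplocal.example.com prefer
server timeserver.example.org
server ntp2a.example.net
driftfile /var/db/ntp.drift
restrict default ignore                   # nobody, unless re-admitted below
restrict 127.0.0.1                        # the local host keeps full access
restrict ntplocal.example.com   nomodify notrap noquery   # the upstream
restrict timeserver.example.org nomodify notrap noquery   # servers may
restrict ntp2a.example.net      nomodify notrap noquery   # exchange time
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap   # LAN clients
EOF

# ntp_report FILE: one-line summary of the two checks above.
ntp_report() {
    lan=$(ntp_network_flags "$1" 192.168.1.0)
    [ -n "$lan" ] || lan="(no restrict line)"
    printf '%s: default=%s 192.168.1.0=%s\n' "$(basename "$1")" \
        "$(ntp_default_policy "$1")" "$lan"
}

for conf in "$NTP_EXAMPLE_DIR"/open.conf "$NTP_EXAMPLE_DIR"/locked.conf; do
    ntp_report "$conf"
done
```

<para>Run against a real <filename>/etc/ntp.conf</filename>, the
<literal>ignore</literal> default together with explicit
<literal>restrict</literal> lines for each upstream server is what
the note above asks for; the script only reads the file and never
changes it.</para>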

<para>Once <literal>ntpd_enable="YES"</literal> has been added
to <filename>/etc/rc.conf</filename>,
<application>ntpd</application> can be started now without
rebooting the system by typing:</para>

<screen>&prompt.root; <userinput>service ntpd start</userinput></screen>
</sect2>

<sect2>
<title>Using <acronym>NTP</acronym> with a
<acronym>PPP</acronym> Connection</title>

<para><application>ntpd</application> does not need a permanent
connection to the Internet to function properly. However, if
a <acronym>PPP</acronym> connection is configured to dial out
on demand, <acronym>NTP</acronym> traffic should be prevented
from triggering a dial out or keeping the connection alive.
This can be configured with <literal>filter</literal>
directives in <filename>/etc/ppp/ppp.conf</filename>. For
example:</para>

<programlisting> set filter dial 0 deny udp src eq 123
 # Prevent NTP traffic from initiating dial out
 set filter dial 1 permit 0 0
 set filter alive 0 deny udp src eq 123
 # Prevent incoming NTP traffic from keeping the connection open
 set filter alive 1 deny udp dst eq 123
 # Prevent outgoing NTP traffic from keeping the connection open
 set filter alive 2 permit 0/0 0/0</programlisting>

<para>For more details, refer to the
<literal>PACKET FILTERING</literal> section in &man.ppp.8; and
the examples in
<filename>/usr/share/examples/ppp/</filename>.</para>

<note>
<para>Some Internet access providers block low-numbered ports,
preventing NTP from functioning since replies never reach
the machine.</para>
</note>
</sect2>
</sect1>

<sect1 xml:id="network-iscsi">
<!--
<sect1info>
<authorgroup>
<author>
<firstname>Edward Tomasz</firstname>
<surname>Napierala</surname>
</author>
</authorgroup>
</sect1info>
-->

<title><acronym>iSCSI</acronym> Initiator and Target
Configuration</title>

<para><acronym>iSCSI</acronym> is a way to share storage over a
network. Unlike <acronym>NFS</acronym>, which works at the file
system level, <acronym>iSCSI</acronym> works at the block device
level.</para>

<para>In <acronym>iSCSI</acronym> terminology, the system that
shares the storage is known as the <emphasis>target</emphasis>.
The storage can be a physical disk, or an area representing
multiple disks or a portion of a physical disk. For example, if
the disk(s) are formatted with <acronym>ZFS</acronym>, a zvol
can be created to use as the <acronym>iSCSI</acronym>
storage.</para>

<para>The clients which access the <acronym>iSCSI</acronym>
storage are called <emphasis>initiators</emphasis>. To
initiators, the storage available through
<acronym>iSCSI</acronym> appears as a raw, unformatted disk
known as a <acronym>LUN</acronym>. Device nodes for the disk
appear in <filename>/dev/</filename> and the device must be
separately formatted and mounted.</para>

<para>Beginning with 10.0-RELEASE, &os; provides a native,
kernel-based <acronym>iSCSI</acronym> target and initiator.
This section describes how to configure a &os; system as a
target or an initiator.</para>

<sect2 xml:id="network-iscsi-target">
<title>Configuring an <acronym>iSCSI</acronym> Target</title>

<note>
<para>The native <acronym>iSCSI</acronym> target is supported
starting with &os; 10.0-RELEASE. To use
<acronym>iSCSI</acronym> in older versions of &os;, install
a userspace target from the Ports Collection, such as
<package>net/istgt</package>. This chapter only describes
the native target.</para>
</note>

<para>To configure an <acronym>iSCSI</acronym> target, create
the <filename>/etc/ctl.conf</filename> configuration file, add
a line to <filename>/etc/rc.conf</filename> to make sure the
&man.ctld.8; daemon is automatically started at boot, and then
start the daemon.</para>

<para>The following is an example of a simple
<filename>/etc/ctl.conf</filename> configuration file. Refer
to &man.ctl.conf.5; for a more complete description of this
file's available options.</para>

<programlisting>portal-group pg0 {
    discovery-auth-group no-authentication
    listen 0.0.0.0
    listen [::]
}

target iqn.2012-06.com.example:target0 {
    auth-group no-authentication
    portal-group pg0

    lun 0 {
        path /data/target0-0
        size 4G
    }
}</programlisting>

<para>The first entry defines the <literal>pg0</literal> portal
group. Portal groups define which network addresses the
&man.ctld.8; daemon will listen on. The
<literal>discovery-auth-group no-authentication</literal>
entry indicates that any initiator is allowed to perform
<acronym>iSCSI</acronym> target discovery without
authentication. Lines three and four configure &man.ctld.8;
to listen on all <acronym>IPv4</acronym>
(<literal>listen 0.0.0.0</literal>) and
<acronym>IPv6</acronym> (<literal>listen [::]</literal>)
addresses on the default port of 3260.</para>

<para>It is not necessary to define a portal group as there is a
built-in portal group called <literal>default</literal>. In
this case, the difference between <literal>default</literal>
and <literal>pg0</literal> is that with
<literal>default</literal>, target discovery is always denied,
while with <literal>pg0</literal>, it is always
allowed.</para>

<para>The second entry defines a single target. The term
<emphasis>target</emphasis> has two possible meanings: a
machine serving <acronym>iSCSI</acronym> or a named group of
<acronym>LUNs</acronym>. This example uses the latter meaning,
where <literal>iqn.2012-06.com.example:target0</literal> is the
target name. This target name is suitable for testing
purposes. For actual use, change
<literal>com.example</literal> to the real domain name,
reversed. The <literal>2012-06</literal> represents the year
and month of acquiring control of that domain name, and
<literal>target0</literal> can be any value. Any number of
targets can be defined in this configuration file.</para>

<para>The <literal>auth-group no-authentication</literal> line
allows all initiators to connect to the specified target and
<literal>portal-group pg0</literal> makes the target reachable
through the <literal>pg0</literal> portal group.</para>

<para>The next section defines the <acronym>LUN</acronym>. To
the initiator, each <acronym>LUN</acronym> will be visible as
a separate disk device. Multiple <acronym>LUNs</acronym> can
be defined for each target. Each <acronym>LUN</acronym> is
identified by a number, where <acronym>LUN</acronym> 0 is
mandatory. The <literal>path /data/target0-0</literal> line
defines the full path to a file or zvol backing the
<acronym>LUN</acronym>. That path must exist before starting
&man.ctld.8;. The second line is optional and specifies the
size of the <acronym>LUN</acronym>.</para>

<para>Next, to make sure the &man.ctld.8; daemon is started at
boot, add this line to
<filename>/etc/rc.conf</filename>:</para>

<programlisting>ctld_enable="YES"</programlisting>

<para>To start &man.ctld.8; now, run this command:</para>

<screen>&prompt.root; <userinput>service ctld start</userinput></screen>

<para>When the &man.ctld.8; daemon starts, it reads
<filename>/etc/ctl.conf</filename>. If this file is edited
after the daemon starts, use this command so that the changes
take effect immediately:</para>

<screen>&prompt.root; <userinput>service ctld reload</userinput></screen>

<sect3>
<title>Authentication</title>

<para>The previous example is inherently insecure as it uses
no authentication, granting anyone full access to all
targets. To require a username and password to access
targets, modify the configuration as follows:</para>

<programlisting>auth-group ag0 {
    chap username1 secretsecret
    chap username2 anothersecret
}

portal-group pg0 {
    discovery-auth-group no-authentication
    listen 0.0.0.0
    listen [::]
}

target iqn.2012-06.com.example:target0 {
    auth-group ag0
    portal-group pg0
    lun 0 {
        path /data/target0-0
        size 4G
    }
}</programlisting>

<para>The <literal>auth-group</literal> section defines
username and password pairs. An initiator trying to connect
to <literal>iqn.2012-06.com.example:target0</literal> must
first specify a defined username and secret. However,
target discovery is still permitted without authentication.
To require target discovery authentication, set
<literal>discovery-auth-group</literal> to a defined
<literal>auth-group</literal> name instead of
<literal>no-authentication</literal>.</para>

<para>It is common to define a single exported target for
every initiator. As a shorthand for the syntax above, the
username and password can be specified directly in the
target entry:</para>

<programlisting>target iqn.2012-06.com.example:target0 {
    portal-group pg0
    chap username1 secretsecret

    lun 0 {
        path /data/target0-0
        size 4G
    }
}</programlisting>
5653 |
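	<para>The two authentication gaps described above, unauthenticated target discovery and a target with neither an <literal>auth-group</literal> nor an inline <literal>chap</literal> line, can be checked mechanically. The following audit script is an added example, not part of the Handbook or of &os;; it parses a small constructed <filename>ctl.conf</filename> fragment using only the block syntax shown in this section.</para>

```python
"""Audit a ctl.conf-style file for unauthenticated target discovery and for
targets with neither an auth-group nor a chap line. Added example, not FreeBSD code."""

# Constructed sample: pg0 permits unauthenticated discovery; target1 has no credentials.
SAMPLE_CTL_CONF = """\
auth-group ag0 {
    chap username1 secretsecret
}
portal-group pg0 {
    discovery-auth-group no-authentication
}
target iqn.2012-06.com.example:target0 {
    auth-group ag0
    portal-group pg0
    lun 0 {
        path /data/target0-0
    }
}
target iqn.2012-06.com.example:target1 {
    portal-group pg0
}
"""

def parse_blocks(text):
    """Map (kind, name) of each top-level block to its direct statements (word lists)."""
    blocks, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        if line.endswith("{"):
            if depth == 0:  # new top-level block: "kind name {"
                current = tuple(line[:-1].split()[:2])
                blocks[current] = []
            depth += 1
        elif line == "}":
            depth -= 1
        elif depth == 1:  # nested blocks such as lun are skipped
            blocks[current].append(line.split())
    return blocks

def audit_ctl_conf(text):
    """Return sorted finding strings for the given ctl.conf text."""
    findings = []
    for (kind, name), stmts in parse_blocks(text).items():
        if kind == "portal-group" and ["discovery-auth-group", "no-authentication"] in stmts:
            findings.append(f"portal-group {name}: discovery without authentication")
        if kind == "target" and not any(s[0] in ("auth-group", "chap") for s in stmts):
            findings.append(f"target {name}: no auth-group or chap line")
    return sorted(findings)
```

Only the explicit <literal>no-authentication</literal> setting is flagged; a portal group that omits <literal>discovery-auth-group</literal> entirely is left to the version-specific default and is not reported.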
      </sect3>
    </sect2>

    <sect2 xml:id="network-iscsi-initiator">
      <title>Configuring an <acronym>iSCSI</acronym> Initiator</title>

      <note>
	<para>The <acronym>iSCSI</acronym> initiator described in this
	  section is supported starting with &os; 10.0-RELEASE. To
	  use the <acronym>iSCSI</acronym> initiator available in
	  older versions, refer to &man.iscontrol.8;.</para>
      </note>

      <para>The <acronym>iSCSI</acronym> initiator requires that the
	&man.iscsid.8; daemon is running. This daemon does not use a
	configuration file. To start it automatically at boot, add
	this line to <filename>/etc/rc.conf</filename>:</para>

      <programlisting>iscsid_enable="YES"</programlisting>

      <para>To start &man.iscsid.8; now, run this command:</para>

      <screen>&prompt.root; <userinput>service iscsid start</userinput></screen>

      <para>Connecting to a target can be done with or without an
	<filename>/etc/iscsi.conf</filename> configuration file. This
	section demonstrates both types of connections.</para>

      <sect3>
	<title>Connecting to a Target Without a Configuration
	  File</title>

	<para>To connect an initiator to a single target, specify the
	  <acronym>IP</acronym> address of the portal and the name of
	  the target:</para>

	<screen>&prompt.root; <userinput>iscsictl -A -p <replaceable>10.10.10.10</replaceable> -t <replaceable>iqn.2012-06.com.example:target0</replaceable></userinput></screen>

	<para>To verify that the connection succeeded, run
	  <command>iscsictl</command> without any arguments. The
	  output should look similar to this:</para>

	<programlisting>Target name                          Target portal   State
iqn.2012-06.com.example:target0      10.10.10.10     Connected: da0</programlisting>

	<para>In this example, the <acronym>iSCSI</acronym> session
	  was successfully established, with
	  <filename>/dev/da0</filename> representing the attached
	  <acronym>LUN</acronym>. If the
	  <literal>iqn.2012-06.com.example:target0</literal> target
	  exports more than one <acronym>LUN</acronym>, multiple
	  device nodes will be shown in that section of the
	  output:</para>

	<screen>Connected: da0 da1 da2.</screen>

	<para>Any errors will be reported in the output, as well as
	  the system logs. For example, this message usually means
	  that the &man.iscsid.8; daemon is not running:</para>

	<programlisting>Target name                          Target portal   State
iqn.2012-06.com.example:target0      10.10.10.10     Waiting for iscsid(8)</programlisting>

	<para>The following message suggests a networking problem,
	  such as a wrong <acronym>IP</acronym> address or
	  port:</para>

	<programlisting>Target name                          Target portal   State
iqn.2012-06.com.example:target0      10.10.10.11     Connection refused</programlisting>

	<para>This message means that the specified target name is
	  wrong:</para>

	<programlisting>Target name                          Target portal   State
iqn.2012-06.com.example:target0      10.10.10.10     Not found</programlisting>

	<para>This message means that the target requires
	  authentication:</para>

	<programlisting>Target name                          Target portal   State
iqn.2012-06.com.example:target0      10.10.10.10     Authentication failed</programlisting>

	<para>To specify a <acronym>CHAP</acronym> username and
	  secret, use this syntax:</para>

	<screen>&prompt.root; <userinput>iscsictl -A -p <replaceable>10.10.10.10</replaceable> -t <replaceable>iqn.2012-06.com.example:target0</replaceable> -u <replaceable>user</replaceable> -s <replaceable>secretsecret</replaceable></userinput></screen>
      </sect3>

      <sect3>
	<title>Connecting to a Target with a Configuration
	  File</title>

	<para>To connect using a configuration file, create
	  <filename>/etc/iscsi.conf</filename> with contents like
	  this:</para>

	<programlisting>t0 {
	TargetAddress   = 10.10.10.10
	TargetName      = iqn.2012-06.com.example:target0
	AuthMethod      = CHAP
	chapIName       = user
	chapSecret      = secretsecret
}</programlisting>

	<para>The <literal>t0</literal> specifies a nickname for the
	  configuration file section. It will be used by the
	  initiator to specify which configuration to use. The other
	  lines specify the parameters to use during connection. The
	  <literal>TargetAddress</literal> and
	  <literal>TargetName</literal> are mandatory, whereas the
	  other options are optional. In this example, the
	  <acronym>CHAP</acronym> username and secret are
	  shown.</para>

	<para>To connect to the defined target, specify the
	  nickname:</para>

	<screen>&prompt.root; <userinput>iscsictl -An <replaceable>t0</replaceable></userinput></screen>

	<para>Alternatively, to connect to all targets defined in the
	  configuration file, use:</para>

	<screen>&prompt.root; <userinput>iscsictl -Aa</userinput></screen>

	<para>To make the initiator automatically connect to all
	  targets in <filename>/etc/iscsi.conf</filename>, add the
	  following to <filename>/etc/rc.conf</filename>:</para>

	<programlisting>iscsictl_enable="YES"
iscsictl_flags="-Aa"</programlisting>

      </sect3>
    </sect2>
  </sect1>

</chapter>