author | Dru Lavigne <dru@FreeBSD.org> | 2013-10-15 22:42:10 +0000 |
---|---|---|
committer | Dru Lavigne <dru@FreeBSD.org> | 2013-10-15 22:42:10 +0000 |
commit | 8d6573c9fc2a81153d01dc7b44102429500a222e (patch) | |
tree | 131aa188d11c7330e2514565c52af983b80181e7 /en_US.ISO8859-1/books/handbook/network-servers/chapter.xml | |
parent | 97f01eecdca6b24b727e1a8ea2a8fa6300497fb6 (diff) | |
download | doc-8d6573c9fc2a81153d01dc7b44102429500a222e.tar.gz doc-8d6573c9fc2a81153d01dc7b44102429500a222e.zip |
White space fix only. Translators can ignore.
Notes:
svn path=/head/; revision=42971
Diffstat (limited to 'en_US.ISO8859-1/books/handbook/network-servers/chapter.xml')
-rw-r--r-- | en_US.ISO8859-1/books/handbook/network-servers/chapter.xml | 449 |
1 files changed, 225 insertions, 224 deletions
diff --git a/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml b/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml index be3da183f4..9ee678fccb 100644 --- a/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml +++ b/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml @@ -1036,7 +1036,8 @@ Exports list on foobar: </authorgroup> </sect1info> --> - <title>Network Information System (<acronym>NIS</acronym>)</title> + <title>Network Information System + (<acronym>NIS</acronym>)</title> <indexterm><primary>NIS</primary></indexterm> <indexterm><primary>Solaris</primary></indexterm> @@ -1104,10 +1105,10 @@ Exports list on foobar: <row> <entry><acronym>NIS</acronym> domain name</entry> - <entry><acronym>NIS</acronym> servers and - clients share an - <acronym>NIS</acronym> domain name. Typically, this name does not have - anything to do with <acronym>DNS</acronym>.</entry> + <entry><acronym>NIS</acronym> servers and clients share + an <acronym>NIS</acronym> domain name. Typically, + this name does not have anything to do with + <acronym>DNS</acronym>.</entry> </row> <row> @@ -1191,9 +1192,9 @@ Exports list on foobar: clients are stored on the master server. While it is possible for one machine to be an <acronym>NIS</acronym> master server for more than one <acronym>NIS</acronym> - domain, this type of configuration will not be covered in this chapter as it - assumes a relatively small-scale <acronym>NIS</acronym> - environment.</para> + domain, this type of configuration will not be covered in + this chapter as it assumes a relatively small-scale + <acronym>NIS</acronym> environment.</para> </listitem> <listitem> @@ -1345,7 +1346,8 @@ Exports list on foobar: </sect2> <sect2> - <title>Configuring the <acronym>NIS</acronym> Master Server</title> + <title>Configuring the <acronym>NIS</acronym> Master + Server</title> <para> The canonical copies of all <acronym>NIS</acronym> files are stored on the master server. The databases used 
@@ -1366,61 +1368,58 @@ Exports list on foobar: database file, and transmitting data from the database back to the client.</para> - <indexterm> - <primary>NIS</primary> - <secondary>server configuration</secondary> - </indexterm> - <para>Setting up a master <acronym>NIS</acronym> server can - be relatively straight forward, depending on environmental - needs. Since &os; provides built-in - <acronym>NIS</acronym> support, it only needs to be - enabled by adding the following lines to - <filename>/etc/rc.conf</filename>:</para> - - <procedure> - <step> - <programlisting>nisdomainname="test-domain"</programlisting> - - <para>This line sets the <acronym>NIS</acronym> domain - name to <literal>test-domain</literal>.</para> - </step> - - <step> - <programlisting>nis_server_enable="YES"</programlisting> - - <para>This automates the start up of the - <acronym>NIS</acronym> server processes when the - system boots.</para> - </step> - - <step> - <programlisting>nis_yppasswdd_enable="YES"</programlisting> - - <para>This enables the - &man.rpc.yppasswdd.8; daemon so that - users can change their <acronym>NIS</acronym> - password from a client machine.</para> - </step> - </procedure> + <indexterm><primary>NIS</primary> + <secondary>server configuration</secondary> + </indexterm> + <para>Setting up a master <acronym>NIS</acronym> server can + be relatively straight forward, depending on environmental + needs. Since &os; provides built-in + <acronym>NIS</acronym> support, it only needs to be + enabled by adding the following lines to + <filename>/etc/rc.conf</filename>:</para> - <para>Care must be taken - in a multi-server domain - where the server machines are also <acronym>NIS</acronym> - clients. It is generally a good idea to force the servers to - bind to themselves rather than allowing them to broadcast bind - requests and possibly become bound to each other. Strange - failure modes can result if one server goes down and others - are dependent upon it. 
Eventually, all the clients will time - out and attempt to bind to other servers, but the delay - involved can be considerable and the failure mode is still - present since the servers might bind to each other all over - again.</para> - - <para>A server that is also a client can be forced to bind to a particular server by - adding these additional lines to - <filename>/etc/rc.conf</filename>:</para> + <procedure> + <step> + <programlisting>nisdomainname="test-domain"</programlisting> + + <para>This line sets the <acronym>NIS</acronym> domain + name to <literal>test-domain</literal>.</para> + </step> + + <step> + <programlisting>nis_server_enable="YES"</programlisting> + + <para>This automates the start up of the + <acronym>NIS</acronym> server processes when the + system boots.</para> + </step> + + <step> + <programlisting>nis_yppasswdd_enable="YES"</programlisting> + + <para>This enables the &man.rpc.yppasswdd.8; daemon so + that users can change their <acronym>NIS</acronym> + password from a client machine.</para> + </step> + </procedure> + + <para>Care must be taken in a multi-server domain where the + server machines are also <acronym>NIS</acronym> clients. It + is generally a good idea to force the servers to bind to + themselves rather than allowing them to broadcast bind + requests and possibly become bound to each other. Strange + failure modes can result if one server goes down and others + are dependent upon it. 
Eventually, all the clients will + time out and attempt to bind to other servers, but the delay + involved can be considerable and the failure mode is still + present since the servers might bind to each other all over + again.</para> + + <para>A server that is also a client can be forced to bind to + a particular server by adding these additional lines to + <filename>/etc/rc.conf</filename>:</para> - <programlisting>nis_client_enable="YES" # run client stuff as well + <programlisting>nis_client_enable="YES" # run client stuff as well nis_client_flags="-S <replaceable>NIS domain</replaceable>,<replaceable>server</replaceable>"</programlisting> <para>After saving the edits, type @@ -1495,19 +1494,19 @@ Is this correct? [y/n: y] <userinput>y</userinput> NIS Map update completed. ellington has been setup as an YP master server without any errors.</screen> - <para>This will - create <filename>/var/yp/Makefile</filename> from - <filename>/var/yp/Makefile.dist</filename>. By default, - this file assumes that the environment has a - single <acronym>NIS</acronym> server with only &os; - clients. Since <literal>test-domain</literal> has a - slave server, edit this line in - <filename>/var/yp/Makefile</filename> so that it begins with a - comment (<literal>#</literal>):</para> - - <programlisting>NOPUSH = "True"</programlisting> - </sect3> - </sect2> + <para>This will create + <filename>/var/yp/Makefile</filename> from + <filename>/var/yp/Makefile.dist</filename>. By + default, this file assumes that the environment has a + single <acronym>NIS</acronym> server with only &os; + clients. Since <literal>test-domain</literal> has a + slave server, edit this line in + <filename>/var/yp/Makefile</filename> so that it begins + with a comment (<literal>#</literal>):</para> + + <programlisting>NOPUSH = "True"</programlisting> + </sect3> + </sect2> <sect2> <title>Setting up a <acronym>NIS</acronym> Slave 
@@ -1517,17 +1516,17 @@ ellington has been setup as an YP master server without any errors.</screen> <primary>NIS</primary> <secondary>slave server</secondary> </indexterm> - <para>To set up an <acronym>NIS</acronym> slave server, log on to - the slave server and edit - <filename>/etc/rc.conf</filename> as for the master server. - Do not generate any <acronym>NIS</acronym> maps, as these - already exist on the master server. When running + <para>To set up an <acronym>NIS</acronym> slave server, log + on to the slave server and edit + <filename>/etc/rc.conf</filename> as for the master + server. Do not generate any <acronym>NIS</acronym> maps, + as these already exist on the master server. When running <command>ypinit</command> on the slave server, use - <option>-s</option> (for slave) instead of - <option>-m</option> (for master). This option - requires the name of the <acronym>NIS</acronym> master in - addition to the domain name, as - seen in this example:</para> + <option>-s</option> (for slave) instead of + <option>-m</option> (for master). This option requires + the name of the <acronym>NIS</acronym> master in + addition to the domain name, as seen in this + example:</para> <screen>coltrane&prompt.root; <userinput>ypinit -s ellington test-domain</userinput> 
@@ -1586,53 +1585,52 @@ ypxfr: Exiting: Map successfully transferred coltrane has been setup as an YP slave server without any errors. Remember to update map ypservers on ellington.</screen> - <para>This will generate a directory on the slave server called - <filename class="directory">/var/yp/test-domain</filename> which contains copies of the - <acronym>NIS</acronym> master server's maps. - Adding these <filename>/etc/crontab</filename> entries on each - slave server will force the slaves to sync their maps with - the maps on the master server:</para> + <para>This will generate a directory on the slave server + called <filename + class="directory">/var/yp/test-domain</filename> which + contains copies of the <acronym>NIS</acronym> master + server's maps. Adding these + <filename>/etc/crontab</filename> entries on each slave + server will force the slaves to sync their maps with the + maps on the master server:</para> <programlisting>20 * * * * root /usr/libexec/ypxfr passwd.byname 21 * * * * root /usr/libexec/ypxfr passwd.byuid</programlisting> <para>These entries are not mandatory because the master server automatically attempts - to push any map changes to its slaves. However, since clients may - depend upon the slave server to provide correct password information, - it is recommended - to force frequent password map updates. - This is especially important on busy networks where map - updates might not always complete.</para> - - <para>To finish the configuration, run <command>/etc/netstart</command> - on the slave server in order to start the <acronym>NIS</acronym> + to push any map changes to its slaves. However, since + clients may depend upon the slave server to provide correct + password information, it is recommended to force frequent + password map updates. 
This is especially important on busy + networks where map updates might not always complete.</para> + + <para>To finish the configuration, run + <command>/etc/netstart</command> on the slave server in + order to start the <acronym>NIS</acronym> services.</para> </sect2> <sect2> <title>Setting Up an <acronym>NIS</acronym> Client</title> - <para>An <acronym>NIS</acronym> client binds - to an <acronym>NIS</acronym> - server using &man.ypbind.8;. This - daemon - broadcasts RPC requests on the local network. These + <para>An <acronym>NIS</acronym> client binds to an + <acronym>NIS</acronym> server using &man.ypbind.8;. This + daemon broadcasts RPC requests on the local network. These requests specify the domain name configured on the client. If an <acronym>NIS</acronym> server in the same domain - receives one of the broadcasts, it will - respond to <application>ypbind</application>, which will record the + receives one of the broadcasts, it will respond to + <application>ypbind</application>, which will record the server's address. If there are several servers available, - the client will use the address of the first - server to respond and will - direct all of its <acronym>NIS</acronym> requests to that - server. The client will automatically - <application>ping</application> the server on a regular basis to make sure it is still - available. If it fails to receive a reply - within a reasonable amount of time, - <application>ypbind</application> will mark the domain as unbound - and begin broadcasting again in the hopes of locating - another server.</para> + the client will use the address of the first server to + respond and will direct all of its <acronym>NIS</acronym> + requests to that server. The client will automatically + <application>ping</application> the server on a regular + basis to make sure it is still available. 
If it fails to + receive a reply within a reasonable amount of time, + <application>ypbind</application> will mark the domain as + unbound and begin broadcasting again in the hopes of + locating another server.</para> <indexterm><primary>NIS</primary> <secondary>client configuration</secondary> 
@@ -1641,49 +1639,50 @@ Remember to update map ypservers on ellington.</screen> <para>To configure a &os; machine to be an <acronym>NIS</acronym> client:</para> - <procedure> - <step> - <para>Edit <filename>/etc/rc.conf</filename> and add the - following lines in order to set the - <acronym>NIS</acronym> domain name and start - &man.ypbind.8; during network - startup:</para> + <procedure> + <step> + <para>Edit <filename>/etc/rc.conf</filename> and add the + following lines in order to set the + <acronym>NIS</acronym> domain name and start + &man.ypbind.8; during network + startup:</para> - <programlisting>nisdomainname="test-domain" + <programlisting>nisdomainname="test-domain" nis_client_enable="YES"</programlisting> </step> <step> <para>To import all possible password entries from the <acronym>NIS</acronym> server, use - <command>vipw</command> to remove all user - accounts except one from - <filename>/etc/master.passwd</filename>. When removing - the accounts, keep in mind that at least one local account - should remain and this - account should be a member of - <groupname>wheel</groupname>. If there is a problem - with <acronym>NIS</acronym>, this local account can be used to log in - remotely, become the superuser, and fix - the problem. Before saving the edits, add the following line to - the end of the file:</para> + <command>vipw</command> to remove all user accounts + except one from + <filename>/etc/master.passwd</filename>. When + removing the accounts, keep in mind that at least one + local account should remain and this account should be + a member of <groupname>wheel</groupname>. If there is + a problem with <acronym>NIS</acronym>, this local + account can be used to log in remotely, become the + superuser, and fix the problem. 
Before saving the + edits, add the following line to the end of the + file:</para> <programlisting>+:::::::::</programlisting> - <para>This line configures the client to provide anyone with a valid - account in the <acronym>NIS</acronym> server's - password maps an account on the client. There are many ways to - configure the <acronym>NIS</acronym> - client by modifying this line. One method is described in - <xref linkend="network-netgroups"/>. For - more detailed reading, refer to the book - <literal>Managing NFS and NIS</literal>, published by - O'Reilly Media.</para> + <para>This line configures the client to provide + anyone with a valid account in the + <acronym>NIS</acronym> server's password maps an + account on the client. There are many ways to + configure the <acronym>NIS</acronym> client by + modifying this line. One method is described in + <xref linkend="network-netgroups"/>. For + more detailed reading, refer to the book + <literal>Managing NFS and NIS</literal>, published + by O'Reilly Media.</para> </step> <step> - <para>To import all possible group entries from the <acronym>NIS</acronym> - server, add this line to + <para>To import all possible group entries from the + <acronym>NIS</acronym> server, add this line to <filename>/etc/group</filename>:</para> <programlisting>+:*::</programlisting> 
@@ -1697,26 +1696,27 @@ nis_client_enable="YES"</programlisting> <screen>&prompt.root; <userinput>/etc/netstart</userinput> &prompt.root; <userinput>service ypbind start</userinput></screen> - <para>After completing these steps, running - <command>ypcat passwd</command> on the client should show the - server's <filename>passwd</filename> map.</para> + <para>After completing these steps, running + <command>ypcat passwd</command> on the client should show + the server's <filename>passwd</filename> map.</para> </sect2> <sect2> <title><acronym>NIS</acronym> Security</title> - <para>Since <acronym>RPC</acronym> is a broadcast-based service, - any system running <application>ypbind</application> within the same domain - can retrieve the contents of the - <acronym>NIS</acronym> maps. To prevent unauthorized transactions, - &man.ypserv.8; supports a feature called + <para>Since <acronym>RPC</acronym> is a broadcast-based service, + any system running <application>ypbind</application> within + the same domain can retrieve the contents of the + <acronym>NIS</acronym> maps. To prevent unauthorized + transactions, &man.ypserv.8; supports a feature called <quote>securenets</quote> which can be used to restrict access - to a given set of hosts. By default, this information is stored in - <filename>/var/yp/securenets</filename>, unless &man.ypserv.8; is started with - <option>-p</option> and an alternate path. This file contains entries - that consist of a network specification and a network mask - separated by white space. Lines starting with - <literal>#</literal> are considered to be comments. A sample + to a given set of hosts. By default, this information is + stored in <filename>/var/yp/securenets</filename>, unless + &man.ypserv.8; is started with <option>-p</option> and an + alternate path. This file contains entries that consist of a + network specification and a network mask separated by white + space. 
Lines starting with <literal>#</literal> are + considered to be comments. A sample <filename>securenets</filename> might look like this:</para> <programlisting># allow connections from local host -- mandatory 
@@ -1737,60 +1737,61 @@ nis_client_enable="YES"</programlisting> <command>ypserv</command> will allow connections from any host.</para> - <para><xref linkend="tcpwrappers"/> is - an alternate mechanism for providing - access control instead of - <filename>securenets</filename>. While either access control mechanism adds - some security, they are both - vulnerable to <quote>IP spoofing</quote> attacks. All - <acronym>NIS</acronym>-related traffic should be blocked at the - firewall.</para> - - <para>Servers using <filename>securenets</filename> - may fail to serve legitimate <acronym>NIS</acronym> clients - with archaic TCP/IP implementations. Some of these - implementations set all host bits to zero when doing - broadcasts or fail to observe the subnet mask when - calculating the broadcast address. While some of these - problems can be fixed by changing the client configuration, - other problems may force the retirement of these client - systems or the abandonment of - <filename>securenets</filename>.</para> - - <indexterm><primary>TCP Wrapper</primary></indexterm> - <para>The use of <application>TCP Wrapper</application> - increases the latency of the <acronym>NIS</acronym> server. - The additional delay may be long enough to cause timeouts in - client programs, especially in busy networks with slow - <acronym>NIS</acronym> servers. If one or more clients suffer - from latency, convert those clients - into <acronym>NIS</acronym> slave servers and force them to - bind to themselves.</para> - - <sect3> - <title>Barring Some Users</title> - - <para>In this example, the <hostid>basie</hostid> system - is a faculty workstation within the <acronym>NIS</acronym> domain. - The <filename>passwd</filename> map on the master - <acronym>NIS</acronym> server contains accounts for both - faculty and students. 
This section demonstrates how to allow - faculty logins on this system while refusing student logins.</para> - - <para>To prevent specified users from logging on to a - system, even if they are present in the - <acronym>NIS</acronym> database, use <command>vipw</command> to add - <literal>-<replaceable>username</replaceable></literal> with - the correct number of colons towards the end of - <filename>/etc/master.passwd</filename> on the client, - where <replaceable>username</replaceable> is the - username of a user to bar from logging in. The line with - the blocked user must be before the <literal>+</literal> line - that allows <acronym>NIS</acronym> users. - In this example, <username>bill</username> is barred from - logging on to <hostid>basie</hostid>:</para> - - <screen>basie&prompt.root; <userinput>cat /etc/master.passwd</userinput> + <para><xref linkend="tcpwrappers"/> is an alternate mechanism + for providing access control instead of + <filename>securenets</filename>. While either access control + mechanism adds some security, they are both vulnerable to + <quote>IP spoofing</quote> attacks. All + <acronym>NIS</acronym>-related traffic should be blocked at + the firewall.</para> + + <para>Servers using <filename>securenets</filename> + may fail to serve legitimate <acronym>NIS</acronym> clients + with archaic TCP/IP implementations. Some of these + implementations set all host bits to zero when doing + broadcasts or fail to observe the subnet mask when + calculating the broadcast address. While some of these + problems can be fixed by changing the client configuration, + other problems may force the retirement of these client + systems or the abandonment of + <filename>securenets</filename>.</para> + + <indexterm><primary>TCP Wrapper</primary></indexterm> + <para>The use of <application>TCP Wrapper</application> + increases the latency of the <acronym>NIS</acronym> server. 
+ The additional delay may be long enough to cause timeouts in + client programs, especially in busy networks with slow + <acronym>NIS</acronym> servers. If one or more clients suffer + from latency, convert those clients into + <acronym>NIS</acronym> slave servers and force them to bind to + themselves.</para> + + <sect3> + <title>Barring Some Users</title> + + <para>In this example, the <hostid>basie</hostid> system + is a faculty workstation within the <acronym>NIS</acronym> + domain. The <filename>passwd</filename> map on the master + <acronym>NIS</acronym> server contains accounts for both + faculty and students. This section demonstrates how to + allow faculty logins on this system while refusing student + logins.</para> + + <para>To prevent specified users from logging on to a + system, even if they are present in the + <acronym>NIS</acronym> database, use <command>vipw</command> + to add + <literal>-<replaceable>username</replaceable></literal> with + the correct number of colons towards the end of + <filename>/etc/master.passwd</filename> on the client, + where <replaceable>username</replaceable> is the username of + a user to bar from logging in. The line with the blocked + user must be before the <literal>+</literal> line that + allows <acronym>NIS</acronym> users. In this example, + <username>bill</username> is barred from logging on to + <hostid>basie</hostid>:</para> + + <screen>basie&prompt.root; <userinput>cat /etc/master.passwd</userinput> root:[password]:0:0::0:0:The super-user:/root:/bin/csh toor:[password]:0:0::0:0:The other super-user:/root:/bin/sh daemon:*:1:1::0:0:Owner of many system processes:/root:/sbin/nologin 
@@ -2938,9 +2939,8 @@ dhclient_flags=""</programlisting> <listitem> <para><filename>/sbin/dhclient</filename></para> - <para>More information - about - <command>dhclient</command> can be found in &man.dhclient.8;.</para> + <para>More information about <command>dhclient</command> can + be found in &man.dhclient.8;.</para> </listitem> <listitem> @@ -3169,7 +3169,8 @@ dhcpd_ifaces="dc0"</programlisting> linked and resides in <filename>/usr/local/sbin</filename>. More information about - <application>dhcpd</application> can be found in &man.dhcpd.8;.</para> + <application>dhcpd</application> can be found in + &man.dhcpd.8;.</para> </listitem> <listitem> @@ -3191,9 +3192,9 @@ dhcpd_ifaces="dc0"</programlisting> <para><filename>/var/db/dhcpd.leases</filename></para> <para>The DHCP server keeps a database of leases it has - issued in this file, which is written as a log. The port installs - &man.dhcpd.leases.5;, which - gives a slightly longer description.</para> + issued in this file, which is written as a log. The + port installs &man.dhcpd.leases.5;, which gives a + slightly longer description.</para> </listitem> <listitem> @@ -3205,8 +3206,8 @@ dhcpd_ifaces="dc0"</programlisting> separate network. If this functionality is required, then install the <filename role="package">net/isc-dhcp42-relay</filename> - port. The port installs &man.dhcrelay.8;, which provides - more detail.</para> + port. The port installs &man.dhcrelay.8;, which + provides more detail.</para> </listitem> </itemizedlist> </sect3> |
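Review bot: in the @@ -1366,61 +1368,58 @@ hunk (and likewise @@ -1641 and @@ -1737) the re-indentation reaches `<programlisting>` and `<screen>` elements, whose bodies are verbatim and render with leading whitespace preserved, so these are the only places a whitespace-only commit could change output. As far as the visible lines show, only the text before the start tag moves (`<programlisting>nis_client_enable="YES" # run client stuff as well` is re-indented while the continuation `nis_client_flags="-S ..."` is untouched context; same for `nisdomainname="test-domain"` / `nis_client_enable="YES"` and for `basie&prompt.root; cat /etc/master.passwd` with the `root:[password]...` lines as context), so the rendered listings are unchanged. Since the hunk also joins `<indexterm>` and `<primary>NIS</primary>` onto one line and re-indents the whole rc.conf `<procedure>`, a whitespace-insensitive diff against the parent revision (`svn diff -x -w`, expected to show nothing but that line join) would make the "translators can ignore" claim easy to confirm; worth mentioning in the commit message.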
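Review bot: in the @@ -1586,53 +1585,52 @@ hunk the start tag is wrapped mid-element (`called <filename` on one line, `class="directory">/var/yp/test-domain</filename> which` on the next). That is well-formed XML, but it is the only place in this patch where a tag is split from its attribute, and it defeats grepping for `<filename class="directory">`; wrapping before `<filename` instead keeps the tag on one line, consistent with the surrounding hunks.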