diff options
Diffstat (limited to 'documentation/content/en/books/handbook/network-servers/_index.adoc')
| -rw-r--r-- | documentation/content/en/books/handbook/network-servers/_index.adoc | 149 |
1 files changed, 89 insertions, 60 deletions
diff --git a/documentation/content/en/books/handbook/network-servers/_index.adoc b/documentation/content/en/books/handbook/network-servers/_index.adoc index a028dfa190..d7ac579d4f 100644 --- a/documentation/content/en/books/handbook/network-servers/_index.adoc +++ b/documentation/content/en/books/handbook/network-servers/_index.adoc @@ -1,13 +1,14 @@ --- -title: Chapter 30. Network Servers +title: Chapter 32. Network Servers part: IV. Network Communication prev: books/handbook/mail next: books/handbook/firewalls description: This chapter covers some of the more frequently used network services on UNIX systems tags: ["network", "servers", "inetd", "NFS", "NIS", "LDAP", "DHCP", "DNS", "Apache HTTP", "FTP", "Samba", "NTP", "iSCSI"] showBookMenu: true -weight: 35 -path: "/books/handbook/" +weight: 37 +params: + path: "/books/handbook/network-servers/" --- [[network-servers]] @@ -18,7 +19,7 @@ path: "/books/handbook/" :icons: font :sectnums: :sectnumlevels: 6 -:sectnumoffset: 30 +:sectnumoffset: 32 :partnums: :source-highlighter: rouge :experimental: @@ -92,17 +93,17 @@ This section covers the basics of configuring inetd. Configuration of inetd is done by editing [.filename]#/etc/inetd.conf#. Each line of this configuration file represents an application which can be started by inetd. -By default, every line starts with a comment (`#`), meaning that inetd is not listening for any applications. -To configure inetd to listen for an application's connections, remove the `#` at the beginning of the line for that application. +By default, every line starts with a comment (`+#+`), meaning that inetd is not listening for any applications. +To configure inetd to listen for an application's connections, remove the `+#+` at the beginning of the line for that application. -After saving your edits, configure inetd to start at system boot by editing [.filename]#/etc/rc.conf#: +After saving the edits, configure inetd to start at system boot by editing [.filename]#/etc/rc.conf#: [.programlisting] .... inetd_enable="YES" .... -To start inetd now, so that it listens for the service you configured, type: +To start inetd now, so that it listens for the configured service, type: [source,shell] .... @@ -123,7 +124,7 @@ Once inetd is started, it needs to be notified whenever a modification is made t ==== -Typically, the default entry for an application does not need to be edited beyond removing the `#`. +Typically, the default entry for an application does not need to be edited beyond removing the `+#+`. In some situations, it may be appropriate to edit the default entry. As an example, this is the default entry for man:ftpd[8] over IPv4: @@ -262,7 +263,7 @@ Some daemons, such as fingerd, can provide information that may be useful to an Only enable the services which are needed and monitor the system for excessive connection attempts. `max-connections-per-ip-per-minute`, `max-child` and `max-child-per-ip` can be used to limit such attacks. -By default, TCP wrappers is enabled. +By default, TCP wrappers are enabled. Consult man:hosts_access[5] for more information on placing TCP restrictions on various inetd invoked daemons. [[network-nfs]] @@ -318,11 +319,11 @@ The examples can be modified to match the file systems and client names on the r There are many options that can be used in this file, but only a few will be mentioned here. See man:exports[5] for the full list of options. -This example shows how to export [.filename]#/cdrom# to three hosts named _alpha_, _bravo_, and _charlie_: +This example shows how to export [.filename]#/media# to three hosts named _alpha_, _bravo_, and _charlie_: [.programlisting] .... -/cdrom -ro alpha bravo charlie +/media -ro alpha bravo charlie .... The `-ro` flag makes the file system read-only, preventing clients from making any changes to the exported file system. @@ -404,6 +405,9 @@ To make subsequent [.filename]#/etc/exports# edits take effect immediately, forc # service mountd reload .... +Refer to man:zfs-share[8] for a description of exporting ZFS datasets via NFS using the `sharenfs` ZFS property instead of the man:exports[5] file. + +Refer to man:nfsv4[4] for a description of an NFS Version 4 setup. === Configuring the Client @@ -444,20 +448,18 @@ Refer to man:fstab[5] for a description of all available options. === Locking Some applications require file locking to operate correctly. -To enable locking, add these lines to [.filename]#/etc/rc.conf# on both the client and server: +To enable locking, execute the following command on both the client and server: -[.programlisting] +[source,shell] .... -rpc_lockd_enable="YES" -rpc_statd_enable="YES" +# sysrc rpc_lockd_enable="YES" .... -Then start the applications: +Then start the man:rpc.lockd[8] service: [source,shell] .... # service lockd start -# service statd start .... If locking is not required on the server, the NFS client can be configured to lock locally by including `-L` when running mount. @@ -476,11 +478,13 @@ This chapter only describes the man:autofs[5] automounter. The man:autofs[5] facility is a common name for several components that, together, allow for automatic mounting of remote and local filesystems whenever a file or directory within that file system is accessed. It consists of the kernel component, man:autofs[5], and several userspace applications: man:automount[8], man:automountd[8] and man:autounmountd[8]. It serves as an alternative for man:amd[8] from previous FreeBSD releases. -Amd is still provided for backward compatibility purposes, as the two use different map format; the one used by autofs is the same as with other SVR4 automounters, such as the ones in Solaris, MacOS X, and Linux. +amd is still provided for backward compatibility purposes, as the two use different map formats; the one used by autofs is the same as with other SVR4 automounters, such as the ones in Solaris, MacOS X, and Linux. The man:autofs[5] virtual filesystem is mounted on specified mountpoints by man:automount[8], usually invoked during boot. -Whenever a process attempts to access file within the man:autofs[5] mountpoint, the kernel will notify man:automountd[8] daemon and pause the triggering process. The man:automountd[8] daemon will handle kernel requests by finding the proper map and mounting the filesystem according to it, then signal the kernel to release blocked process. The man:autounmountd[8] daemon automatically unmounts automounted filesystems after some time, unless they are still being used. +Whenever a process attempts to access a file within the man:autofs[5] mountpoint, the kernel will notify man:automountd[8] daemon and pause the triggering process. +The man:automountd[8] daemon will handle kernel requests by finding the proper map and mounting the filesystem according to it, then signal the kernel to release blocked process. +The man:autounmountd[8] daemon automatically unmounts automounted filesystems after some time, unless they are still being used. The primary autofs configuration file is [.filename]#/etc/auto_master#. It assigns individual maps to top-level mounts. For an explanation of [.filename]#auto_master# and the map syntax, refer to man:auto_master[5]. @@ -574,7 +578,7 @@ There are three types of hosts in an NIS environment: * NIS master server + -This server acts as a central repository for host configuration information and maintains the authoritative copy of the files used by all of the NIS clients. +This server acts as a central repository for host configuration information and maintains the authoritative copy of the files used by all of the NIS clients. The [.filename]#passwd#, [.filename]#group#, and other various files used by NIS clients are stored on the master server. While it is possible for one machine to be an NIS master server for more than one NIS domain, this type of configuration will not be covered in this chapter as it assumes a relatively small-scale NIS environment. * NIS slave servers @@ -639,7 +643,7 @@ Think of the NIS domain name as the name for a group of hosts. Some organizations choose to use their Internet domain name for their NIS domain name. This is not recommended as it can cause confusion when trying to debug network problems. The NIS domain name should be unique within the network and it is helpful if it describes the group of machines it represents. -For example, the Art department at Acme Inc. might be in the "acme-art"NIS domain. +For example, the Art department at Acme Inc. might be in the "acme-art" NIS domain. This example will use the domain name `test-domain`. However, some non-FreeBSD operating systems require the NIS domain name to be the same as the Internet domain name. @@ -756,7 +760,7 @@ ellington has been setup as an YP master server without any errors. This will create [.filename]#/var/yp/Makefile# from [.filename]#/var/yp/Makefile.dist#. By default, this file assumes that the environment has a single NIS server with only FreeBSD clients. -Since `test-domain` has a slave server, edit this line in [.filename]#/var/yp/Makefile# so that it begins with a comment (`#`): +Since `test-domain` has a slave server, edit this line in [.filename]#/var/yp/Makefile# so that it begins with a comment (`+#+`): [.programlisting] .... @@ -892,7 +896,7 @@ nis_client_enable="YES" + This line configures the client to provide anyone with a valid account in the NIS server's password maps an account on the client. There are many ways to configure the NIS client by modifying this line. -One method is described in <<network-netgroups>>. +One method is described in crossref:network-servers[network-netgroups, Using Netgroups]. For more detailed reading, refer to the book `Managing NFS and NIS`, published by O'Reilly Media. . To import all possible group entries from the NIS server, add this line to [.filename]#/etc/group#: + @@ -915,10 +919,10 @@ After completing these steps, running `ypcat passwd` on the client should show t === NIS Security Since RPC is a broadcast-based service, any system running ypbind within the same domain can retrieve the contents of the NIS maps. -To prevent unauthorized transactions, man:ypserv[8] supports a feature called "securenets" which can be used to restrict access to a given set of hosts. +To prevent unauthorized transactions, man:ypserv[8] supports a feature called "securenets" which can be used to restrict access to a given set of hosts. By default, this information is stored in [.filename]#/var/yp/securenets#, unless man:ypserv[8] is started with `-p` and an alternate path. This file contains entries that consist of a network specification and a network mask separated by white space. -Lines starting with `#` are considered to be comments. +Lines starting with `+"#"+` are considered to be comments. A sample [.filename]#securenets# might look like this: [.programlisting] @@ -943,7 +947,7 @@ While either access control mechanism adds some security, they are both vulnerab All NIS-related traffic should be blocked at the firewall. Servers using [.filename]#securenets# may fail to serve legitimate NIS clients with archaic TCP/IP implementations. -Some of these implementations set all host bits to zero when doing broadcasts or fail to observe the subnet mask when calculating the broadcast address. +Some of these implementations set all host bits to zero when doing broadcasts or fail to observe the subnet mask when calculating the broadcast address. While some of these problems can be fixed by changing the client configuration, other problems may force the retirement of these client systems or the abandonment of [.filename]#securenets#. The use of TCP Wrapper increases the latency of the NIS server. @@ -1038,7 +1042,7 @@ When adding a new machine, login restrictions must be defined for all netgroups. When a new user is added, the account must be added to one or more netgroups. If the NIS setup is planned carefully, only one central configuration file needs modification to grant or deny access to machines. -The first step is the initialization of the NIS`netgroup` map. +The first step is the initialization of the NIS `netgroup` map. In FreeBSD, this map is not created by default. On the NIS master server, use an editor to create a map named [.filename]#/var/yp/netgroup#. @@ -1054,7 +1058,7 @@ INTERNS (,able,test-domain) (,baker,test-domain) .... Each entry configures a netgroup. The first column in an entry is the name of the netgroup. -Each set of brackets represents either a group of one or more users or the name of another netgroup. +Each set of parentheses represents either a group of one or more users or the name of another netgroup. When specifying a user, the three comma-delimited fields inside each group represent: . The name of the host(s) where the other fields representing the user are valid. If a hostname is not specified, the entry is valid on all hosts. @@ -1245,7 +1249,7 @@ default:\ In this example, the system is using the DES format for password hashing. Other possible values include `blf` for Blowfish, `md5` for MD5, `sha256` and `sha512` for SHA-256 and SHA-512 respectively. -For more information and the up to date list of what is available on your system, consult the man:crypt[3] manpage. +For more information and the up to date list of what is available on the system, consult the man:crypt[3] manpage. If the format on a host needs to be edited to match the one being used in the NIS domain, the login capability database must be rebuilt after saving the change: @@ -1793,9 +1797,9 @@ The DHCP client keeps a database of valid leases in this file, which is written === Installing and Configuring a DHCP Server This section demonstrates how to configure a FreeBSD system to act as a DHCP server using the Internet Systems Consortium (ISC) implementation of the DHCP server. -This implementation and its documentation can be installed using the package:net/isc-dhcp43-server[] package or port. +This implementation and its documentation can be installed using the package:net/isc-dhcp44-server[] package or port. -The installation of package:net/isc-dhcp43-server[] installs a sample configuration file. +The installation of package:net/isc-dhcp44-server[] installs a sample configuration file. Copy [.filename]#/usr/local/etc/dhcpd.conf.example# to [.filename]#/usr/local/etc/dhcpd.conf# and make any edits to this new file. The configuration file is comprised of declarations for subnets and hosts which define the information that is provided to DHCP clients. @@ -1872,7 +1876,7 @@ Refer to dhcpd.leases(5), which gives a slightly longer description. * [.filename]#/usr/local/sbin/dhcrelay# + This daemon is used in advanced environments where one DHCP server forwards a request from a client to another DHCP server on a separate network. -If this functionality is required, install the package:net/isc-dhcp43-relay[] package or port. +If this functionality is required, install the package:net/isc-dhcp44-relay[] package or port. The installation includes dhcrelay(8) which provides more detail. @@ -1960,13 +1964,12 @@ Any existing nameservers in [.filename]#/etc/resolv.conf# will be configured as If any of the listed nameservers do not support DNSSEC, local DNS resolution will fail. Be sure to test each nameserver and remove any that fail the test. The following command will show the trust tree or a failure for a nameserver running on `192.168.1.1`: -==== - [source,shell] .... % drill -S FreeBSD.org @192.168.1.1 .... +==== Once each nameserver is confirmed to support DNSSEC, start Unbound: @@ -2001,6 +2004,34 @@ freebsd.org. (A) ;; Chase successful .... +=== Authoritative Name Server Configuration +FreeBSD does not provide authoritative name server software in the base system. +Users are encouraged to install third party applications, like package:dns/nsd[] or package:dns/bind918[] package or port. + +[[network-zeroconf]] +== Zero-configuration Networking (mDNS/DNS-SD) + +https://en.wikipedia.org/wiki/Zero-configuration_networking[Zero-configuration networking] (sometimes referred to as _Zeroconf_) is a set of technologies, which simplify network configuration. +The main parts of Zeroconf are: + +- Link-Local Addressing providing automatic assignment of numeric network addresses. +- Multicast DNS (_mDNS_) providing automatic distribution and resolution of hostnames. +- DNS-Based Service Discovery (_DNS-SD_) providing automatic discovery of service instances. + +=== Configuring and Starting Avahi + +One of the popular implementations of zeroconf is https://avahi.org/[Avahi]. +Avahi can be installed and configured with the following commands: + +[source,shell] +.... +# pkg install avahi-app nss_mdns +# grep -q '^hosts:.*\<mdns\>' /etc/nsswitch.conf || sed -i "" 's/^hosts: .*/& mdns/' /etc/nsswitch.conf +# service dbus enable +# service avahi-daemon enable +# service dbus start +# service avahi-daemon start +.... [[network-apache]] == Apache HTTP Server @@ -2014,14 +2045,14 @@ For more detailed information about Apache 2.X and its configuration directives, === Configuring and Starting Apache In FreeBSD, the main Apache HTTP Server configuration file is installed as [.filename]#/usr/local/etc/apache2x/httpd.conf#, where _x_ represents the version number. -This ASCII text file begins comment lines with a `#`. +This ASCII text file begins comment lines with a `+#+`. The most frequently modified directives are: `ServerRoot "/usr/local"`:: Specifies the default directory hierarchy for the Apache installation. Binaries are stored in the [.filename]#bin# and [.filename]#sbin# subdirectories of the server root and configuration files are stored in the [.filename]#etc/apache2x# subdirectory. -`ServerAdmin you@example.com`:: +`ServerAdmin \you@example.com`:: Change this to the email address to receive problems with the server. This address also appears on some server-generated pages, such as error documents. @@ -2114,7 +2145,7 @@ This section describes three of the most commonly used modules. ==== SSL support -At one in point in time, support for SSL inside of Apache required a secondary module called [.filename]#mod_ssl#. +At one point, support for SSL inside of Apache required a secondary module called [.filename]#mod_ssl#. This is no longer the case and the default install of Apache comes with SSL built into the web server. An example of how to enable support for SSL websites is available in the installed file, [.filename]#httpd-ssl.conf# inside of the [.filename]#/usr/local/etc/apache24/extra# directory Inside this directory is also a sample file called named [.filename]#ssl.conf-sample#. @@ -2237,7 +2268,7 @@ The first is to install the full PHP binary and running the command to gain the [source,shell] .... -# php -i |less +# php -i | less .... It is necessary to pass the output to a pager, such as the `more` or `less` to easier digest the amount of output. @@ -2442,10 +2473,10 @@ It can be added to non-Microsoft(R) Windows(R) systems by installing the Samba c The protocol allows clients to access shared data and printers. These shares can be mapped as a local disk drive and shared printers can be used as if they were local printers. -On FreeBSD, the Samba client libraries can be installed using the package:net/samba413[] port or package. +On FreeBSD, the Samba client libraries can be installed using the package:net/samba416[] port or package. The client provides the ability for a FreeBSD system to access SMB/CIFS shares in a Microsoft(R) Windows(R) network. -A FreeBSD system can also be configured to act as a Samba server by installing the same package:net/samba413[] port or package. +A FreeBSD system can also be configured to act as a Samba server by installing the same package:net/samba416[] port or package. This allows the administrator to create SMB/CIFS shares on the FreeBSD system which can be accessed by clients running Microsoft(R) Windows(R) or the Samba client libraries. === Server Configuration @@ -2505,12 +2536,10 @@ The most important settings in [.filename]#/usr/local/etc/smb4.conf# are the sec These directives control the options: `security`:: -The most common settings are `security = share` and `security = user`. If the clients use usernames that are the same as their usernames on the FreeBSD machine, user level security should be used. -This is the default security policy and it requires clients to first log on before they can access shared resources. +`security = user` is the default security policy and it requires clients to first log on before they can access shared resources. + -In share level security, clients do not need to log onto the server with a valid username and password before attempting to connect to a shared resource. -This was the default security model for older versions of Samba. +Refer to man:smb.conf[5] to learn about other supported settings for the `security` option. `passdb backend`:: Samba has several different backend authentication models. @@ -2526,7 +2555,7 @@ Map existing FreeBSD user accounts using man:pdbedit[8]: [source,shell] .... -# pdbedit -a username +# pdbedit -a -u username .... This section has only mentioned the most commonly used settings. @@ -2586,14 +2615,14 @@ Further documentation can be found in [.filename]#/usr/share/doc/ntp/# in HTML f === NTP Configuration On FreeBSD, the built-in ntpd can be used to synchronize a system's clock. -Ntpd is configured using man:rc.conf[5] variables and [.filename]#/etc/ntp.conf#, as detailed in the following sections. +ntpd is configured using man:rc.conf[5] variables and [.filename]#/etc/ntp.conf#, as detailed in the following sections. -Ntpd communicates with its network peers using UDP packets. -Any firewalls between your machine and its NTP peers must be configured to allow UDP packets in and out on port 123. +ntpd communicates with its network peers using UDP packets. +Any firewalls between the machine and its NTP peers must be configured to allow UDP packets in and out on port 123. ==== The [.filename]#/etc/ntp.conf# file -Ntpd reads [.filename]#/etc/ntp.conf# to determine which NTP servers to query. +ntpd reads [.filename]#/etc/ntp.conf# to determine which NTP servers to query. Choosing several NTP servers is recommended in case one of the servers becomes unreachable or its clock proves unreliable. As ntpd receives responses, it favors reliable servers over the less reliable ones. The servers which are queried can be local to the network, provided by an ISP, or selected from an http://support.ntp.org/bin/view/Servers/WebHome[ online list of publicly accessible NTP servers]. @@ -2639,13 +2668,13 @@ The descriptions below provide a quick overview of just the keywords used in the By default, an NTP server is accessible to any network host. The `restrict` keyword controls which systems can access the server. Multiple `restrict` entries are supported, each one refining the restrictions given in previous statements. -The values shown in the example grant the local system full query and control access, while allowing remote systems only the ability to query the time. +The values shown in the example grant the local system full query and control access, while allowing remote systems only the ability to query the time. For more details, refer to the `Access Control Support` subsection of man:ntp.conf[5]. The `server` keyword specifies a single server to query. The file can contain multiple server keywords, with one server listed on each line. The `pool` keyword specifies a pool of servers. -Ntpd will add one or more servers from this pool as needed to reach the number of peers specified using the `tos minclock` value. +ntpd will add one or more servers from this pool as needed to reach the number of peers specified using the `tos minclock` value. The `iburst` keyword directs ntpd to perform a burst of eight quick packet exchanges with a server when contact is first established, to help quickly synchronize system time. The `leapfile` keyword specifies the location of a file containing information about leap seconds. @@ -2673,21 +2702,21 @@ Set `ntpd_oomprotect=YES` to protect the ntpd daemon from being killed by the sy Set `ntpd_config=` to the location of an alternate [.filename]#ntp.conf# file. -Set `ntpd_flags=` to contain any other ntpd flags as needed, but avoid using these flags which are managed internally by [.filename]#/etc/rc.d/ntpd#: +Set `ntpd_flags=` to contain any other ntpd flags as needed, but avoid using these flags which are managed internally by [.filename]#/etc/rc.d/ntpd#: * `-p` (pid file location) * `-c` (set `ntpd_config=` instead) -==== Ntpd and the unpriveleged `ntpd` user +==== ntpd and the unprivileged `ntpd` user -Ntpd on FreeBSD can start and run as an unpriveleged user. +ntpd on FreeBSD can start and run as an unprivileged user. Doing so requires the man:mac_ntpd[4] policy module. The [.filename]#/etc/rc.d/ntpd# startup script first examines the NTP configuration. -If possible, it loads the `mac_ntpd` module, then starts ntpd as unpriveleged user `ntpd` (user id 123). +If possible, it loads the `mac_ntpd` module, then starts ntpd as unprivileged user `ntpd` (user id 123). To avoid problems with file and directory access, the startup script will not automatically start ntpd as `ntpd` when the configuration contains any file-related options. -The presence of any of the following in `ntpd_flags` requires manual configuration as described below to run as the `ntpd` user: +The presence of any of the following in `ntpd_flags` requires manual configuration as described below to run as the `ntpd` user: * -f or --driftfile * -i or --jaildir @@ -2695,7 +2724,7 @@ The presence of any of the following in `ntpd_flags` requires manual configurati * -l or --logfile * -s or --statsdir -The presence of any of the following keywords in [.filename]#ntp.conf# requires manual configuration as described below to run as the `ntpd` user: +The presence of any of the following keywords in [.filename]#ntp.conf# requires manual configuration as described below to run as the `ntpd` user: * crypto * driftfile @@ -2703,7 +2732,7 @@ The presence of any of the following keywords in [.filename]#ntp.conf# requires * logdir * statsdir -To manually configure ntpd to run as user `ntpd` you must: +To manually configure ntpd to run as user `ntpd`: * Ensure that the `ntpd` user has access to all the files and directories specified in the configuration. * Arrange for the `mac_ntpd` module to be loaded or compiled into the kernel. See man:mac_ntpd[4] for details. @@ -2757,7 +2786,7 @@ This section describes how to configure a FreeBSD system as a target or an initi To configure an iSCSI target, create the [.filename]#/etc/ctl.conf# configuration file, add a line to [.filename]#/etc/rc.conf# to make sure the man:ctld[8] daemon is automatically started at boot, and then start the daemon. The following is an example of a simple [.filename]#/etc/ctl.conf# configuration file. -Refer to man:ctl.conf[5] for a more complete description of this file's available options. +Refer to man:ctl.conf[5] for a complete description of this file's available options. [.programlisting] .... |