diff options
Diffstat (limited to 'documentation/content/en/books/handbook/network-servers/_index.adoc')
| -rw-r--r-- | documentation/content/en/books/handbook/network-servers/_index.adoc | 110 |
1 files changed, 69 insertions, 41 deletions
diff --git a/documentation/content/en/books/handbook/network-servers/_index.adoc b/documentation/content/en/books/handbook/network-servers/_index.adoc index 1b8d48eb95..d7ac579d4f 100644 --- a/documentation/content/en/books/handbook/network-servers/_index.adoc +++ b/documentation/content/en/books/handbook/network-servers/_index.adoc @@ -1,13 +1,14 @@ --- -title: Chapter 30. Network Servers +title: Chapter 32. Network Servers part: IV. Network Communication prev: books/handbook/mail next: books/handbook/firewalls description: This chapter covers some of the more frequently used network services on UNIX systems tags: ["network", "servers", "inetd", "NFS", "NIS", "LDAP", "DHCP", "DNS", "Apache HTTP", "FTP", "Samba", "NTP", "iSCSI"] showBookMenu: true -weight: 35 -path: "/books/handbook/" +weight: 37 +params: + path: "/books/handbook/network-servers/" --- [[network-servers]] @@ -18,7 +19,7 @@ path: "/books/handbook/" :icons: font :sectnums: :sectnumlevels: 6 -:sectnumoffset: 30 +:sectnumoffset: 32 :partnums: :source-highlighter: rouge :experimental: @@ -92,17 +93,17 @@ This section covers the basics of configuring inetd. Configuration of inetd is done by editing [.filename]#/etc/inetd.conf#. Each line of this configuration file represents an application which can be started by inetd. -By default, every line starts with a comment (`#`), meaning that inetd is not listening for any applications. -To configure inetd to listen for an application's connections, remove the `#` at the beginning of the line for that application. +By default, every line starts with a comment (`+#+`), meaning that inetd is not listening for any applications. +To configure inetd to listen for an application's connections, remove the `+#+` at the beginning of the line for that application. -After saving your edits, configure inetd to start at system boot by editing [.filename]#/etc/rc.conf#: +After saving the edits, configure inetd to start at system boot by editing [.filename]#/etc/rc.conf#: [.programlisting] .... inetd_enable="YES" .... -To start inetd now, so that it listens for the service you configured, type: +To start inetd now, so that it listens for the configured service, type: [source,shell] .... @@ -123,7 +124,7 @@ Once inetd is started, it needs to be notified whenever a modification is made t ==== -Typically, the default entry for an application does not need to be edited beyond removing the `#`. +Typically, the default entry for an application does not need to be edited beyond removing the `+#+`. In some situations, it may be appropriate to edit the default entry. As an example, this is the default entry for man:ftpd[8] over IPv4: @@ -318,11 +319,11 @@ The examples can be modified to match the file systems and client names on the r There are many options that can be used in this file, but only a few will be mentioned here. See man:exports[5] for the full list of options. -This example shows how to export [.filename]#/cdrom# to three hosts named _alpha_, _bravo_, and _charlie_: +This example shows how to export [.filename]#/media# to three hosts named _alpha_, _bravo_, and _charlie_: [.programlisting] .... -/cdrom -ro alpha bravo charlie +/media -ro alpha bravo charlie .... The `-ro` flag makes the file system read-only, preventing clients from making any changes to the exported file system. @@ -404,6 +405,9 @@ To make subsequent [.filename]#/etc/exports# edits take effect immediately, forc # service mountd reload .... +Refer to man:zfs-share[8] for a description of exporting ZFS datasets via NFS using the `sharenfs` ZFS property instead of the man:exports[5] file. + +Refer to man:nfsv4[4] for a description of an NFS Version 4 setup. === Configuring the Client @@ -444,20 +448,18 @@ Refer to man:fstab[5] for a description of all available options. === Locking Some applications require file locking to operate correctly. -To enable locking, add these lines to [.filename]#/etc/rc.conf# on both the client and server: +To enable locking, execute the following command on both the client and server: -[.programlisting] +[source,shell] .... -rpc_lockd_enable="YES" -rpc_statd_enable="YES" +# sysrc rpc_lockd_enable="YES" .... -Then start the applications: +Then start the man:rpc.lockd[8] service: [source,shell] .... # service lockd start -# service statd start .... If locking is not required on the server, the NFS client can be configured to lock locally by including `-L` when running mount. @@ -641,7 +643,7 @@ Think of the NIS domain name as the name for a group of hosts. Some organizations choose to use their Internet domain name for their NIS domain name. This is not recommended as it can cause confusion when trying to debug network problems. The NIS domain name should be unique within the network and it is helpful if it describes the group of machines it represents. -For example, the Art department at Acme Inc. might be in the "acme-art"NIS domain. +For example, the Art department at Acme Inc. might be in the "acme-art" NIS domain. This example will use the domain name `test-domain`. However, some non-FreeBSD operating systems require the NIS domain name to be the same as the Internet domain name. @@ -758,7 +760,7 @@ ellington has been setup as an YP master server without any errors. This will create [.filename]#/var/yp/Makefile# from [.filename]#/var/yp/Makefile.dist#. By default, this file assumes that the environment has a single NIS server with only FreeBSD clients. -Since `test-domain` has a slave server, edit this line in [.filename]#/var/yp/Makefile# so that it begins with a comment (`#`): +Since `test-domain` has a slave server, edit this line in [.filename]#/var/yp/Makefile# so that it begins with a comment (`+#+`): [.programlisting] .... @@ -894,7 +896,7 @@ nis_client_enable="YES" + This line configures the client to provide anyone with a valid account in the NIS server's password maps an account on the client. There are many ways to configure the NIS client by modifying this line. -One method is described in <<network-netgroups>>. +One method is described in crossref:network-servers[network-netgroups, Using Netgroups]. For more detailed reading, refer to the book `Managing NFS and NIS`, published by O'Reilly Media. . To import all possible group entries from the NIS server, add this line to [.filename]#/etc/group#: + @@ -920,7 +922,7 @@ Since RPC is a broadcast-based service, any system running ypbind within the sam To prevent unauthorized transactions, man:ypserv[8] supports a feature called "securenets" which can be used to restrict access to a given set of hosts. By default, this information is stored in [.filename]#/var/yp/securenets#, unless man:ypserv[8] is started with `-p` and an alternate path. This file contains entries that consist of a network specification and a network mask separated by white space. -Lines starting with `#` are considered to be comments. +Lines starting with `+"#"+` are considered to be comments. A sample [.filename]#securenets# might look like this: [.programlisting] @@ -1040,7 +1042,7 @@ When adding a new machine, login restrictions must be defined for all netgroups. When a new user is added, the account must be added to one or more netgroups. If the NIS setup is planned carefully, only one central configuration file needs modification to grant or deny access to machines. -The first step is the initialization of the NIS`netgroup` map. +The first step is the initialization of the NIS `netgroup` map. In FreeBSD, this map is not created by default. On the NIS master server, use an editor to create a map named [.filename]#/var/yp/netgroup#. @@ -1056,7 +1058,7 @@ INTERNS (,able,test-domain) (,baker,test-domain) .... Each entry configures a netgroup. The first column in an entry is the name of the netgroup. -Each set of brackets represents either a group of one or more users or the name of another netgroup. +Each set of parentheses represents either a group of one or more users or the name of another netgroup. When specifying a user, the three comma-delimited fields inside each group represent: . The name of the host(s) where the other fields representing the user are valid. If a hostname is not specified, the entry is valid on all hosts. @@ -1247,7 +1249,7 @@ default:\ In this example, the system is using the DES format for password hashing. Other possible values include `blf` for Blowfish, `md5` for MD5, `sha256` and `sha512` for SHA-256 and SHA-512 respectively. -For more information and the up to date list of what is available on your system, consult the man:crypt[3] manpage. +For more information and the up to date list of what is available on the system, consult the man:crypt[3] manpage. If the format on a host needs to be edited to match the one being used in the NIS domain, the login capability database must be rebuilt after saving the change: @@ -2002,6 +2004,34 @@ freebsd.org. (A) ;; Chase successful .... +=== Authoritative Name Server Configuration +FreeBSD does not provide authoritative name server software in the base system. +Users are encouraged to install third party applications, like package:dns/nsd[] or package:dns/bind918[] package or port. + +[[network-zeroconf]] +== Zero-configuration Networking (mDNS/DNS-SD) + +https://en.wikipedia.org/wiki/Zero-configuration_networking[Zero-configuration networking] (sometimes referred to as _Zeroconf_) is a set of technologies, which simplify network configuration. +The main parts of Zeroconf are: + +- Link-Local Addressing providing automatic assignment of numeric network addresses. +- Multicast DNS (_mDNS_) providing automatic distribution and resolution of hostnames. +- DNS-Based Service Discovery (_DNS-SD_) providing automatic discovery of service instances. + +=== Configuring and Starting Avahi + +One of the popular implementations of zeroconf is https://avahi.org/[Avahi]. +Avahi can be installed and configured with the following commands: + +[source,shell] +.... +# pkg install avahi-app nss_mdns +# grep -q '^hosts:.*\<mdns\>' /etc/nsswitch.conf || sed -i "" 's/^hosts: .*/& mdns/' /etc/nsswitch.conf +# service dbus enable +# service avahi-daemon enable +# service dbus start +# service avahi-daemon start +.... [[network-apache]] == Apache HTTP Server @@ -2015,14 +2045,14 @@ For more detailed information about Apache 2.X and its configuration directives, === Configuring and Starting Apache In FreeBSD, the main Apache HTTP Server configuration file is installed as [.filename]#/usr/local/etc/apache2x/httpd.conf#, where _x_ represents the version number. -This ASCII text file begins comment lines with a `#`. +This ASCII text file begins comment lines with a `+#+`. The most frequently modified directives are: `ServerRoot "/usr/local"`:: Specifies the default directory hierarchy for the Apache installation. Binaries are stored in the [.filename]#bin# and [.filename]#sbin# subdirectories of the server root and configuration files are stored in the [.filename]#etc/apache2x# subdirectory. -`ServerAdmin you@example.com`:: +`ServerAdmin \you@example.com`:: Change this to the email address to receive problems with the server. This address also appears on some server-generated pages, such as error documents. @@ -2115,7 +2145,7 @@ This section describes three of the most commonly used modules. ==== SSL support -At one in point in time, support for SSL inside of Apache required a secondary module called [.filename]#mod_ssl#. +At one point, support for SSL inside of Apache required a secondary module called [.filename]#mod_ssl#. This is no longer the case and the default install of Apache comes with SSL built into the web server. An example of how to enable support for SSL websites is available in the installed file, [.filename]#httpd-ssl.conf# inside of the [.filename]#/usr/local/etc/apache24/extra# directory Inside this directory is also a sample file called named [.filename]#ssl.conf-sample#. @@ -2238,7 +2268,7 @@ The first is to install the full PHP binary and running the command to gain the [source,shell] .... -# php -i |less +# php -i | less .... It is necessary to pass the output to a pager, such as the `more` or `less` to easier digest the amount of output. @@ -2443,10 +2473,10 @@ It can be added to non-Microsoft(R) Windows(R) systems by installing the Samba c The protocol allows clients to access shared data and printers. These shares can be mapped as a local disk drive and shared printers can be used as if they were local printers. -On FreeBSD, the Samba client libraries can be installed using the package:net/samba413[] port or package. +On FreeBSD, the Samba client libraries can be installed using the package:net/samba416[] port or package. The client provides the ability for a FreeBSD system to access SMB/CIFS shares in a Microsoft(R) Windows(R) network. -A FreeBSD system can also be configured to act as a Samba server by installing the same package:net/samba413[] port or package. +A FreeBSD system can also be configured to act as a Samba server by installing the same package:net/samba416[] port or package. This allows the administrator to create SMB/CIFS shares on the FreeBSD system which can be accessed by clients running Microsoft(R) Windows(R) or the Samba client libraries. === Server Configuration @@ -2506,12 +2536,10 @@ The most important settings in [.filename]#/usr/local/etc/smb4.conf# are the sec These directives control the options: `security`:: -The most common settings are `security = share` and `security = user`. If the clients use usernames that are the same as their usernames on the FreeBSD machine, user level security should be used. -This is the default security policy and it requires clients to first log on before they can access shared resources. +`security = user` is the default security policy and it requires clients to first log on before they can access shared resources. + -In share level security, clients do not need to log onto the server with a valid username and password before attempting to connect to a shared resource. -This was the default security model for older versions of Samba. +Refer to man:smb.conf[5] to learn about other supported settings for the `security` option. `passdb backend`:: Samba has several different backend authentication models. @@ -2527,7 +2555,7 @@ Map existing FreeBSD user accounts using man:pdbedit[8]: [source,shell] .... -# pdbedit -a username +# pdbedit -a -u username .... This section has only mentioned the most commonly used settings. @@ -2590,7 +2618,7 @@ On FreeBSD, the built-in ntpd can be used to synchronize a system's clock. ntpd is configured using man:rc.conf[5] variables and [.filename]#/etc/ntp.conf#, as detailed in the following sections. ntpd communicates with its network peers using UDP packets. -Any firewalls between your machine and its NTP peers must be configured to allow UDP packets in and out on port 123. +Any firewalls between the machine and its NTP peers must be configured to allow UDP packets in and out on port 123. ==== The [.filename]#/etc/ntp.conf# file @@ -2680,12 +2708,12 @@ Set `ntpd_flags=` to contain any other ntpd flags as needed, but avoid using the * `-c` (set `ntpd_config=` instead) -==== ntpd and the unpriveleged `ntpd` user +==== ntpd and the unprivileged `ntpd` user -ntpd on FreeBSD can start and run as an unpriveleged user. +ntpd on FreeBSD can start and run as an unprivileged user. Doing so requires the man:mac_ntpd[4] policy module. The [.filename]#/etc/rc.d/ntpd# startup script first examines the NTP configuration. -If possible, it loads the `mac_ntpd` module, then starts ntpd as unpriveleged user `ntpd` (user id 123). +If possible, it loads the `mac_ntpd` module, then starts ntpd as unprivileged user `ntpd` (user id 123). To avoid problems with file and directory access, the startup script will not automatically start ntpd as `ntpd` when the configuration contains any file-related options. The presence of any of the following in `ntpd_flags` requires manual configuration as described below to run as the `ntpd` user: @@ -2704,7 +2732,7 @@ The presence of any of the following keywords in [.filename]#ntp.conf# requires * logdir * statsdir -To manually configure ntpd to run as user `ntpd` you must: +To manually configure ntpd to run as user `ntpd`: * Ensure that the `ntpd` user has access to all the files and directories specified in the configuration. * Arrange for the `mac_ntpd` module to be loaded or compiled into the kernel. See man:mac_ntpd[4] for details. @@ -2758,7 +2786,7 @@ This section describes how to configure a FreeBSD system as a target or an initi To configure an iSCSI target, create the [.filename]#/etc/ctl.conf# configuration file, add a line to [.filename]#/etc/rc.conf# to make sure the man:ctld[8] daemon is automatically started at boot, and then start the daemon. The following is an example of a simple [.filename]#/etc/ctl.conf# configuration file. -Refer to man:ctl.conf[5] for a more complete description of this file's available options. +Refer to man:ctl.conf[5] for a complete description of this file's available options. [.programlisting] .... |