From owner-svn-doc-head@FreeBSD.ORG Tue Oct 15 22:42:10 2013 Return-Path: Delivered-To: svn-doc-head@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTP id 87464685; Tue, 15 Oct 2013 22:42:10 +0000 (UTC) (envelope-from dru@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id 66ADA2D94; Tue, 15 Oct 2013 22:42:10 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.7/8.14.7) with ESMTP id r9FMgAo0066770; Tue, 15 Oct 2013 22:42:10 GMT (envelope-from dru@svn.freebsd.org) Received: (from dru@localhost) by svn.freebsd.org (8.14.7/8.14.5/Submit) id r9FMgAQ7066769; Tue, 15 Oct 2013 22:42:10 GMT (envelope-from dru@svn.freebsd.org) Message-Id: <201310152242.r9FMgAQ7066769@svn.freebsd.org> 
From: Dru Lavigne Date: Tue, 15 Oct 2013 22:42:10 +0000 (UTC) To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org Subject: svn commit: r42971 - head/en_US.ISO8859-1/books/handbook/network-servers X-SVN-Group: doc-head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-doc-head@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: SVN commit messages for the doc tree for head List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 15 Oct 2013 22:42:10 -0000 Author: dru Date: Tue Oct 15 22:42:10 2013 New Revision: 42971 URL: http://svnweb.freebsd.org/changeset/doc/42971 Log: White space fix only. Translators can ignore. Modified: head/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml Modified: head/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml ============================================================================== --- head/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml Tue Oct 15 22:03:04 2013 (r42970) +++ head/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml Tue Oct 15 22:42:10 2013 (r42971) @@ -1036,7 +1036,8 @@ Exports list on foobar: --> - Network Information System (<acronym>NIS</acronym>) + Network Information System + (<acronym>NIS</acronym>) NIS Solaris @@ -1104,10 +1105,10 @@ Exports list on foobar: NIS domain name - NIS servers and - clients share an - NIS domain name. Typically, this name does not have - anything to do with DNS. + NIS servers and clients share + an NIS domain name. Typically, + this name does not have anything to do with + DNS. 
@@ -1191,9 +1192,9 @@ Exports list on foobar: clients are stored on the master server. While it is possible for one machine to be an NIS master server for more than one NIS - domain, this type of configuration will not be covered in this chapter as it - assumes a relatively small-scale NIS - environment. + domain, this type of configuration will not be covered in + this chapter as it assumes a relatively small-scale + NIS environment. @@ -1345,7 +1346,8 @@ Exports list on foobar: - Configuring the <acronym>NIS</acronym> Master Server + Configuring the <acronym>NIS</acronym> Master + Server The canonical copies of all NIS files are stored on the master server. The databases used 
@@ -1366,61 +1368,58 @@ Exports list on foobar: database file, and transmitting data from the database back to the client. - - NIS - server configuration - - Setting up a master NIS server can - be relatively straight forward, depending on environmental - needs. Since &os; provides built-in - NIS support, it only needs to be - enabled by adding the following lines to - /etc/rc.conf: - - - - nisdomainname="test-domain" - - This line sets the NIS domain - name to test-domain. - - - - nis_server_enable="YES" - - This automates the start up of the - NIS server processes when the - system boots. - - - - nis_yppasswdd_enable="YES" - - This enables the - &man.rpc.yppasswdd.8; daemon so that - users can change their NIS - password from a client machine. - - - - Care must be taken - in a multi-server domain - where the server machines are also NIS - clients. It is generally a good idea to force the servers to - bind to themselves rather than allowing them to broadcast bind - requests and possibly become bound to each other. Strange - failure modes can result if one server goes down and others - are dependent upon it. Eventually, all the clients will time - out and attempt to bind to other servers, but the delay - involved can be considerable and the failure mode is still - present since the servers might bind to each other all over - again. - - A server that is also a client can be forced to bind to a particular server by - adding these additional lines to - /etc/rc.conf: + NIS + server configuration + + Setting up a master NIS server can + be relatively straight forward, depending on environmental + needs. Since &os; provides built-in + NIS support, it only needs to be + enabled by adding the following lines to + /etc/rc.conf: + + + + nisdomainname="test-domain" + + This line sets the NIS domain + name to test-domain. + + + + nis_server_enable="YES" + + This automates the start up of the + NIS server processes when the + system boots. 
+ + + + nis_yppasswdd_enable="YES" + + This enables the &man.rpc.yppasswdd.8; daemon so + that users can change their NIS + password from a client machine. + + + + Care must be taken in a multi-server domain where the + server machines are also NIS clients. It + is generally a good idea to force the servers to bind to + themselves rather than allowing them to broadcast bind + requests and possibly become bound to each other. Strange + failure modes can result if one server goes down and others + are dependent upon it. Eventually, all the clients will + time out and attempt to bind to other servers, but the delay + involved can be considerable and the failure mode is still + present since the servers might bind to each other all over + again. + + A server that is also a client can be forced to bind to + a particular server by adding these additional lines to + /etc/rc.conf: - nis_client_enable="YES" # run client stuff as well + nis_client_enable="YES" # run client stuff as well nis_client_flags="-S NIS domain,server" After saving the edits, type @@ -1495,19 +1494,19 @@ Is this correct? [y/n: y] y< NIS Map update completed. ellington has been setup as an YP master server without any errors. - This will - create /var/yp/Makefile from - /var/yp/Makefile.dist. By default, - this file assumes that the environment has a - single NIS server with only &os; - clients. Since test-domain has a - slave server, edit this line in - /var/yp/Makefile so that it begins with a - comment (#): - - NOPUSH = "True" - - + This will create + /var/yp/Makefile from + /var/yp/Makefile.dist. By + default, this file assumes that the environment has a + single NIS server with only &os; + clients. Since test-domain has a + slave server, edit this line in + /var/yp/Makefile so that it begins + with a comment (#): + + NOPUSH = "True" + + Setting up a <acronym>NIS</acronym> Slave 
@@ -1517,17 +1516,17 @@ ellington has been setup as an YP master <primary>NIS</primary> <secondary>slave server</secondary> </indexterm> - <para>To set up an <acronym>NIS</acronym> slave server, log on to - the slave server and edit - <filename>/etc/rc.conf</filename> as for the master server. - Do not generate any <acronym>NIS</acronym> maps, as these - already exist on the master server. When running + <para>To set up an <acronym>NIS</acronym> slave server, log + on to the slave server and edit + <filename>/etc/rc.conf</filename> as for the master + server. Do not generate any <acronym>NIS</acronym> maps, + as these already exist on the master server. When running <command>ypinit</command> on the slave server, use - <option>-s</option> (for slave) instead of - <option>-m</option> (for master). This option - requires the name of the <acronym>NIS</acronym> master in - addition to the domain name, as - seen in this example:</para> + <option>-s</option> (for slave) instead of + <option>-m</option> (for master). This option requires + the name of the <acronym>NIS</acronym> master in + addition to the domain name, as seen in this + example:</para> <screen>coltrane&prompt.root; <userinput>ypinit -s ellington test-domain</userinput> 
@@ -1586,53 +1585,52 @@ ypxfr: Exiting: Map successfully transfe coltrane has been setup as an YP slave server without any errors. Remember to update map ypservers on ellington.</screen> - <para>This will generate a directory on the slave server called - <filename class="directory">/var/yp/test-domain</filename> which contains copies of the - <acronym>NIS</acronym> master server's maps. - Adding these <filename>/etc/crontab</filename> entries on each - slave server will force the slaves to sync their maps with - the maps on the master server:</para> + <para>This will generate a directory on the slave server + called <filename + class="directory">/var/yp/test-domain</filename> which + contains copies of the <acronym>NIS</acronym> master + server's maps. Adding these + <filename>/etc/crontab</filename> entries on each slave + server will force the slaves to sync their maps with the + maps on the master server:</para> <programlisting>20 * * * * root /usr/libexec/ypxfr passwd.byname 21 * * * * root /usr/libexec/ypxfr passwd.byuid</programlisting> <para>These entries are not mandatory because the master server automatically attempts - to push any map changes to its slaves. However, since clients may - depend upon the slave server to provide correct password information, - it is recommended - to force frequent password map updates. - This is especially important on busy networks where map - updates might not always complete.</para> - - <para>To finish the configuration, run <command>/etc/netstart</command> - on the slave server in order to start the <acronym>NIS</acronym> + to push any map changes to its slaves. However, since + clients may depend upon the slave server to provide correct + password information, it is recommended to force frequent + password map updates. 
This is especially important on busy + networks where map updates might not always complete.</para> + + <para>To finish the configuration, run + <command>/etc/netstart</command> on the slave server in + order to start the <acronym>NIS</acronym> services.</para> </sect2> <sect2> <title>Setting Up an <acronym>NIS</acronym> Client - An NIS client binds - to an NIS - server using &man.ypbind.8;. This - daemon - broadcasts RPC requests on the local network. These + An NIS client binds to an + NIS server using &man.ypbind.8;. This + daemon broadcasts RPC requests on the local network. These requests specify the domain name configured on the client. If an NIS server in the same domain - receives one of the broadcasts, it will - respond to ypbind, which will record the + receives one of the broadcasts, it will respond to + ypbind, which will record the server's address. If there are several servers available, - the client will use the address of the first - server to respond and will - direct all of its NIS requests to that - server. The client will automatically - ping the server on a regular basis to make sure it is still - available. If it fails to receive a reply - within a reasonable amount of time, - ypbind will mark the domain as unbound - and begin broadcasting again in the hopes of locating - another server. + the client will use the address of the first server to + respond and will direct all of its NIS + requests to that server. The client will automatically + ping the server on a regular + basis to make sure it is still available. If it fails to + receive a reply within a reasonable amount of time, + ypbind will mark the domain as + unbound and begin broadcasting again in the hopes of + locating another server. NIS client configuration 
@@ -1641,49 +1639,50 @@ Remember to update map ypservers on elli To configure a &os; machine to be an NIS client: - - - Edit /etc/rc.conf and add the - following lines in order to set the - NIS domain name and start - &man.ypbind.8; during network - startup: + + + Edit /etc/rc.conf and add the + following lines in order to set the + NIS domain name and start + &man.ypbind.8; during network + startup: - nisdomainname="test-domain" + nisdomainname="test-domain" nis_client_enable="YES" To import all possible password entries from the NIS server, use - vipw to remove all user - accounts except one from - /etc/master.passwd. When removing - the accounts, keep in mind that at least one local account - should remain and this - account should be a member of - wheel. If there is a problem - with NIS, this local account can be used to log in - remotely, become the superuser, and fix - the problem. Before saving the edits, add the following line to - the end of the file: + vipw to remove all user accounts + except one from + /etc/master.passwd. When + removing the accounts, keep in mind that at least one + local account should remain and this account should be + a member of wheel. If there is + a problem with NIS, this local + account can be used to log in remotely, become the + superuser, and fix the problem. Before saving the + edits, add the following line to the end of the + file: +::::::::: - This line configures the client to provide anyone with a valid - account in the NIS server's - password maps an account on the client. There are many ways to - configure the NIS - client by modifying this line. One method is described in - . For - more detailed reading, refer to the book - Managing NFS and NIS, published by - O'Reilly Media. + This line configures the client to provide + anyone with a valid account in the + NIS server's password maps an + account on the client. There are many ways to + configure the NIS client by + modifying this line. One method is described in + . 
For + more detailed reading, refer to the book + Managing NFS and NIS, published + by O'Reilly Media. - To import all possible group entries from the NIS - server, add this line to + To import all possible group entries from the + NIS server, add this line to /etc/group: +:*:: @@ -1697,26 +1696,27 @@ nis_client_enable="YES" &prompt.root; /etc/netstart &prompt.root; service ypbind start - After completing these steps, running - ypcat passwd on the client should show the - server's passwd map. + After completing these steps, running + ypcat passwd on the client should show + the server's passwd map. <acronym>NIS</acronym> Security - Since RPC is a broadcast-based service, - any system running ypbind within the same domain - can retrieve the contents of the - NIS maps. To prevent unauthorized transactions, - &man.ypserv.8; supports a feature called + Since RPC is a broadcast-based service, + any system running ypbind within + the same domain can retrieve the contents of the + NIS maps. To prevent unauthorized + transactions, &man.ypserv.8; supports a feature called securenets which can be used to restrict access - to a given set of hosts. By default, this information is stored in - /var/yp/securenets, unless &man.ypserv.8; is started with - and an alternate path. This file contains entries - that consist of a network specification and a network mask - separated by white space. Lines starting with - # are considered to be comments. A sample + to a given set of hosts. By default, this information is + stored in /var/yp/securenets, unless + &man.ypserv.8; is started with and an + alternate path. This file contains entries that consist of a + network specification and a network mask separated by white + space. Lines starting with # are + considered to be comments. A sample securenets might look like this: # allow connections from local host -- mandatory 
@@ -1737,60 +1737,61 @@ nis_client_enable="YES" ypserv will allow connections from any host. - is - an alternate mechanism for providing - access control instead of - securenets. While either access control mechanism adds - some security, they are both - vulnerable to IP spoofing attacks. All - NIS-related traffic should be blocked at the - firewall. - - Servers using securenets - may fail to serve legitimate NIS clients - with archaic TCP/IP implementations. Some of these - implementations set all host bits to zero when doing - broadcasts or fail to observe the subnet mask when - calculating the broadcast address. While some of these - problems can be fixed by changing the client configuration, - other problems may force the retirement of these client - systems or the abandonment of - securenets. - - TCP Wrapper - The use of TCP Wrapper - increases the latency of the NIS server. - The additional delay may be long enough to cause timeouts in - client programs, especially in busy networks with slow - NIS servers. If one or more clients suffer - from latency, convert those clients - into NIS slave servers and force them to - bind to themselves. - - - Barring Some Users - - In this example, the basie system - is a faculty workstation within the NIS domain. - The passwd map on the master - NIS server contains accounts for both - faculty and students. This section demonstrates how to allow - faculty logins on this system while refusing student logins. - - To prevent specified users from logging on to a - system, even if they are present in the - NIS database, use vipw to add - -username with - the correct number of colons towards the end of - /etc/master.passwd on the client, - where username is the - username of a user to bar from logging in. The line with - the blocked user must be before the + line - that allows NIS users. - In this example, bill is barred from - logging on to basie: + is an alternate mechanism + for providing access control instead of + securenets. 
While either access control + mechanism adds some security, they are both vulnerable to + IP spoofing attacks. All + NIS-related traffic should be blocked at + the firewall. + + Servers using securenets + may fail to serve legitimate NIS clients + with archaic TCP/IP implementations. Some of these + implementations set all host bits to zero when doing + broadcasts or fail to observe the subnet mask when + calculating the broadcast address. While some of these + problems can be fixed by changing the client configuration, + other problems may force the retirement of these client + systems or the abandonment of + securenets. + + TCP Wrapper + The use of TCP Wrapper + increases the latency of the NIS server. + The additional delay may be long enough to cause timeouts in + client programs, especially in busy networks with slow + NIS servers. If one or more clients suffer + from latency, convert those clients into + NIS slave servers and force them to bind to + themselves. + + + Barring Some Users + + In this example, the basie system + is a faculty workstation within the NIS + domain. The passwd map on the master + NIS server contains accounts for both + faculty and students. This section demonstrates how to + allow faculty logins on this system while refusing student + logins. + + To prevent specified users from logging on to a + system, even if they are present in the + NIS database, use vipw + to add + -username with + the correct number of colons towards the end of + /etc/master.passwd on the client, + where username is the username of + a user to bar from logging in. The line with the blocked + user must be before the + line that + allows NIS users. 
In this example, + bill is barred from logging on to + basie: - basie&prompt.root; cat /etc/master.passwd + basie&prompt.root; cat /etc/master.passwd root:[password]:0:0::0:0:The super-user:/root:/bin/csh toor:[password]:0:0::0:0:The other super-user:/root:/bin/sh daemon:*:1:1::0:0:Owner of many system processes:/root:/sbin/nologin @@ -2938,9 +2939,8 @@ dhclient_flags="" /sbin/dhclient - More information - about - dhclient can be found in &man.dhclient.8;. + More information about dhclient can + be found in &man.dhclient.8;. @@ -3169,7 +3169,8 @@ dhcpd_ifaces="dc0" linked and resides in /usr/local/sbin. More information about - dhcpd can be found in &man.dhcpd.8;. + dhcpd can be found in + &man.dhcpd.8;. @@ -3191,9 +3192,9 @@ dhcpd_ifaces="dc0" /var/db/dhcpd.leases The DHCP server keeps a database of leases it has - issued in this file, which is written as a log. The port installs - &man.dhcpd.leases.5;, which - gives a slightly longer description. + issued in this file, which is written as a log. The + port installs &man.dhcpd.leases.5;, which gives a + slightly longer description. @@ -3205,8 +3206,8 @@ dhcpd_ifaces="dc0" separate network. If this functionality is required, then install the net/isc-dhcp42-relay - port. The port installs &man.dhcrelay.8;, which provides - more detail. + port. The port installs &man.dhcrelay.8;, which + provides more detail.
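Review bot: the rewrapped line in the @@ -1366,61 +1368,58 @@ hunk ("Setting up a master NIS server can be relatively straight forward") keeps the two-word spelling "straight forward" where "straightforward" is meant; since the log marks this commit as whitespace only so translators can skip it, that wording fix belongs in a separate follow-up commit rather than being folded into this one.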
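Review bot: in the @@ -1697,26 +1696,27 @@ hunk, the rewrapped sentence "stored in /var/yp/securenets, unless &man.ypserv.8; is started with and an alternate path" reads as though the option name between "started with" and "an alternate path" has gone missing; it is absent from both the removed and the added lines, so please confirm the option element is intact in the new version of chapter.xml before this goes in, since this paragraph is the one that tells administrators how ypserv access restriction is configured.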
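Review bot: in the @@ -1737,60 +1737,61 @@ hunk, the paragraph now beginning "is an alternate mechanism for providing access control instead of securenets" has no subject on either the old or the new lines, although the following text names TCP Wrapper as the mechanism whose latency cost is discussed; check that the element naming that mechanism survived the rewrap, because without it the security caveat that both mechanisms remain vulnerable to IP spoofing and that NIS traffic should be blocked at the firewall is left attached to an unnamed subject.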