From: Dru Lavigne Date: Wed, 16 Oct 2013 18:17:33 +0000 (UTC) To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org Subject: svn commit: r42975 - head/en_US.ISO8859-1/books/handbook/network-servers X-SVN-Group: doc-head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-doc-all@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: "SVN commit messages for the entire doc trees \(except for " user" , " projects" , and " translations" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 16 Oct 2013 18:17:34 -0000 Author: dru Date: Wed Oct 16 18:17:33 2013 New Revision: 42975 URL: http://svnweb.freebsd.org/changeset/doc/42975 Log: White space fix only. Translators can ignore. Modified: head/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml Modified: head/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml ============================================================================== --- head/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml Wed Oct 16 16:57:38 2013 (r42974) +++ head/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml Wed Oct 16 18:17:33 2013 (r42975) @@ -1074,7 +1074,7 @@ Exports list on foobar: configuration data and to add, remove, or modify configuration data from a single location. - &os; uses version 2 of the NIS + &os; uses version 2 of the NIS protocol. 
@@ -1459,17 +1459,19 @@ nis_client_flags="-S NIS do It is advisable to remove all entries for system accounts as well as any user accounts that do not need to be propagated to the NIS clients, such - as the root and any other administrative accounts. + as the root and any other + administrative accounts. Ensure that the /var/yp/master.passwd is neither group or world readable by setting its permissions to - 600. + 600. + - After completing this task, - initialize the NIS maps. &os; includes - the &man.ypinit.8; script to do this. When generating - maps for the master server, include + After completing this task, initialize the + NIS maps. &os; includes the + &man.ypinit.8; script to do this. When generating maps + for the master server, include and specify the NIS domain name: @@ -1509,27 +1511,27 @@ ellington has been setup as an YP master NOPUSH = "True" - + - Adding New Users + Adding New Users - Every time a new user is created, the user account must - be added to the master NIS server and - the NIS maps rebuilt. Until this occurs, - the new user will not be able to - login anywhere except on the NIS - master. For example, to add the new user - jsmith to the - test-domain domain, run these commands on the - master server: + Every time a new user is created, the user account + must be added to the master NIS + server and the NIS maps rebuilt. + Until this occurs, the new user will not be able to + login anywhere except on the NIS + master. For example, to add the new user + jsmith to the + test-domain domain, run these + commands on the master server: - &prompt.root; pw useradd jsmith + &prompt.root; pw useradd jsmith &prompt.root; cd /var/yp &prompt.root; make test-domain - The user could also be added using - adduser jsmith - instead of pw useradd jsmith. + The user could also be added using adduser + jsmith instead of pw useradd + jsmith. 
@@ -1693,16 +1695,16 @@ nis_client_enable="YES" +::::::::: - This line configures the client to provide - anyone with a valid account in the - NIS server's password maps an - account on the client. There are many ways to - configure the NIS client by - modifying this line. One method is described in - . For - more detailed reading, refer to the book - Managing NFS and NIS, published - by O'Reilly Media. + This line configures the client to provide + anyone with a valid account in the + NIS server's password maps an + account on the client. There are many ways to + configure the NIS client by + modifying this line. One method is described in + . For + more detailed reading, refer to the book + Managing NFS and NIS, published + by O'Reilly Media. @@ -1856,20 +1858,20 @@ basie&prompt.root; netgroups - Barring specified users from logging on to individual systems - becomes unscaleable on - larger networks and quickly loses the main benefit of NIS: + Barring specified users from logging on to individual + systems becomes unscaleable on larger networks and quickly + loses the main benefit of NIS: centralized administration. Netgroups were developed to handle large, complex networks with hundreds of users and machines. Their use is comparable - to &unix; groups, where the main difference is the - lack of a numeric ID and the ability to define a netgroup by - including both user accounts and other netgroups. + to &unix; groups, where the main difference is the lack of a + numeric ID and the ability to define a netgroup by including + both user accounts and other netgroups. To expand on the example used in this chapter, the - NIS domain will be extended to add the users - and systems shown in Tables 28.2 and 28.3: + NIS domain will be extended to add the + users and systems shown in Tables 28.2 and 28.3: Additional Users 
@@ -1929,8 +1931,8 @@ basie&prompt.root;war, death, famine, pollution - Only IT - employees are allowed to log onto these servers. + Only IT employees are allowed to log onto these + servers. @@ -1938,9 +1940,8 @@ basie&prompt.root; pride, greed, envy, wrath, lust, sloth - All members of the IT - department are allowed to login onto these - servers. + All members of the IT department are allowed to + login onto these servers. @@ -1960,25 +1961,24 @@ basie&prompt.root;
- When using netgroups to configure this scenario, - each user is - assigned to one or more netgroups and logins are then + When using netgroups to configure this scenario, each user + is assigned to one or more netgroups and logins are then allowed or forbidden for all members of the netgroup. When adding a new machine, login restrictions must be defined for - all netgroups. When a new user is added, the account must be added to - one or more netgroups. If the NIS setup is - planned carefully, only one central configuration file needs - modification to grant or deny access to machines. + all netgroups. When a new user is added, the account must be + added to one or more netgroups. If the + NIS setup is planned carefully, only one + central configuration file needs modification to grant or deny + access to machines. The first step is the initialization of the - NIS netgroup map. In &os;, - this map is not created by default. On the - NIS master server, use an editor to create + NIS netgroup map. In + &os;, this map is not created by default. On the + NIS master server, use an editor to create a map named /var/yp/netgroup. - This example creates - four netgroups to represent IT employees, IT apprentices, - employees, and interns: + This example creates four netgroups to represent IT + employees, IT apprentices, employees, and interns: IT_EMP (,alpha,test-domain) (,beta,test-domain) IT_APP (,charlie,test-domain) (,delta,test-domain) 
@@ -1986,17 +1986,17 @@ USERS (,echo,test-domain) (,foxtro (,golf,test-domain) INTERNS (,able,test-domain) (,baker,test-domain) - Each entry configures a netgroup. The first column in an entry - is the name of the netgroup. Each set of brackets represents - either a group of one or more users or the name of another netgroup. - When specifying a user, the three comma-delimited fields inside each - group represent: + Each entry configures a netgroup. The first column in an + entry is the name of the netgroup. Each set of brackets + represents either a group of one or more users or the name of + another netgroup. When specifying a user, the three + comma-delimited fields inside each group represent: - The name of the host(s) where the other fields representing the user are - valid. If a hostname is not specified, the entry is valid - on all hosts. + The name of the host(s) where the other fields + representing the user are valid. If a hostname is not + specified, the entry is valid on all hosts. 
@@ -2011,31 +2011,29 @@ INTERNS (,able,test-domain) (,baker, - If a group contains multiple users, separate each user with - whitespace. Additionally, each field may contain wildcards. See - &man.netgroup.5; for details. - - netgroups - Netgroup names longer than 8 characters should not be - used. The names - are case sensitive and using capital letters for netgroup names - is an easy way to distinguish between user, machine and - netgroup names. - - Some non-&os; NIS clients - cannot handle netgroups containing more than 15 - entries. This limit may be - circumvented by creating several sub-netgroups with 15 users - or fewer and a real netgroup consisting of the - sub-netgroups, as seen in this example: + If a group contains multiple users, separate each user + with whitespace. Additionally, each field may contain + wildcards. See &man.netgroup.5; for details. - BIGGRP1 (,joe1,domain) (,joe2,domain) (,joe3,domain) [...] + netgroups + Netgroup names longer than 8 characters should not be + The names are case sensitive and using capital letters + letters for netgroup names is an easy way to distinguish + between user, machine and netgroup names. + + Some non-&os; NIS clients cannot + handle netgroups containing more than 15 entries. This + limit may be circumvented by creating several sub-netgroups + with 15 users or fewer and a real netgroup consisting of the + sub-netgroups, as seen in this example: + + BIGGRP1 (,joe1,domain) (,joe2,domain) (,joe3,domain) [...] BIGGRP2 (,joe16,domain) (,joe17,domain) [...] BIGGRP3 (,joe31,domain) (,joe32,domain) BIGGROUP BIGGRP1 BIGGRP2 BIGGRP3 - Repeat this process if more than 225 (15 times 15) users exist - within a single netgroup. + Repeat this process if more than 225 (15 times 15) users + exist within a single netgroup. To activate and distribute the new NIS map: 
@@ -2046,9 +2044,9 @@ ellington&prompt.root; makeThis will generate the three NIS maps netgroup, netgroup.byhost and - netgroup.byuser. Use the map key option of &man.ypcat.1; to - check if the new NIS maps are - available: + netgroup.byuser. Use the map key option + of &man.ypcat.1; to check if the new NIS + maps are available: ellington&prompt.user; ypcat -k netgroup ellington&prompt.user; ypcat -k netgroup.byhost @@ -2056,14 +2054,13 @@ ellington&prompt.user; ypcat The output of the first command should resemble the contents of /var/yp/netgroup. The second - command only produces output if - host-specific netgroups were created. The third command is used to get - the list of netgroups for a user. - - To configure a client, use &man.vipw.8; to specify the name - of the netgroup. For example, on the server named - war, replace this - line: + command only produces output if host-specific netgroups were + created. The third command is used to get the list of + netgroups for a user. + + To configure a client, use &man.vipw.8; to specify the + name of the netgroup. For example, on the server named + war, replace this line: +::::::::: 
@@ -2073,38 +2070,38 @@ ellington&prompt.user; ypcat This specifies that only the users defined in the netgroup IT_EMP will be imported into this system's - password database and only those users - are allowed to login to this system. + password database and only those users are allowed to login to + this system. This configuration also applies to the - ~ function of the shell and all routines which - convert between user names and numerical user IDs. In + ~ function of the shell and all routines + which convert between user names and numerical user IDs. In other words, cd ~user will not work, ls -l will show the numerical ID - instead of the username, and - find . -user joe -print will fail with the message + instead of the username, and find . -user joe + -print will fail with the message No such user. To fix this, import all - user entries without allowing them to login into the - servers. This can be achieved by adding an extra line: - + user entries without allowing them to login into the servers. + This can be achieved by adding an extra line: + +:::::::::/sbin/nologin - This line configures the client to - import all entries but to replace the shell in those entries with + This line configures the client to import all entries but + to replace the shell in those entries with /sbin/nologin. - Make sure that extra line - is placed after - +@IT_EMP:::::::::. Otherwise, all user - accounts imported from NIS will have - /sbin/nologin as their login - shell and noone will be able to login to the system. - - To configure the less important servers, - replace the old +::::::::: - on the servers with these lines: + Make sure that extra line is placed + after + +@IT_EMP:::::::::. Otherwise, all user + accounts imported from NIS will have + /sbin/nologin as their login + shell and noone will be able to login to the system. + + To configure the less important servers, replace the old + +::::::::: on the servers with these + lines: +@IT_EMP::::::::: +@IT_APP::::::::: 
@@ -2117,18 +2114,18 @@ ellington&prompt.user; ypcat +@USERS::::::::: +:::::::::/sbin/nologin - NIS supports the creation of netgroups from other netgroups which - can be useful if the policy regarding user access changes. One possibility is - the creation of role-based netgroups. For example, one might - create a netgroup called BIGSRV to define - the login restrictions for the important servers, another - netgroup called SMALLSRV for the less - important servers, and a third netgroup called - USERBOX for the workstations. Each - of these netgroups contains the netgroups that are allowed to - login onto these machines. The new entries for the - NIS netgroup map would look like - this: + NIS supports the creation of netgroups from other + netgroups which can be useful if the policy regarding user + access changes. One possibility is the creation of role-based + netgroups. For example, one might create a netgroup called + BIGSRV to define the login restrictions for + the important servers, another netgroup called + SMALLSRV for the less important servers, + and a third netgroup called USERBOX for the + workstations. Each of these netgroups contains the netgroups + that are allowed to login onto these machines. The new + entries for the NIS + netgroup map would look like this: BIGSRV IT_EMP IT_APP SMALLSRV IT_EMP IT_APP ITINTERN @@ -2142,9 +2139,9 @@ USERBOX IT_EMP ITINTERN USERS Machine-specific netgroup definitions are another - possibility to deal with the policy changes. In - this scenario, the /etc/master.passwd of - each system contains two lines starting with +. + possibility to deal with the policy changes. In this + scenario, the /etc/master.passwd of each + system contains two lines starting with +. The first line adds a netgroup with the accounts allowed to login onto this machine and the second line adds all other accounts with /sbin/nologin as shell. It 
@@ -2210,39 +2207,40 @@ TWO (,hotel,test-domain) NIS - password formats + password formats NIS requires that all hosts within an - NIS domain use the same format for encrypting passwords. - If users have trouble authenticating on an - NIS client, it may be due to a differing password format. - In a heterogeneous network, the format must be supported by all operating systems, where - DES - is the lowest common standard. - - To check which format a server or client is using, - look at this section of /etc/login.conf: + NIS domain use the same format for + encrypting passwords. If users have trouble authenticating on + an NIS client, it may be due to a differing + password format. In a heterogeneous network, the format must + be supported by all operating systems, where + DES is the lowest common standard. + + To check which format a server or client is using, look + at this section of + /etc/login.conf: default:\ :passwd_format=des:\ :copyright=/etc/COPYRIGHT:\ [Further entries elided] - In this example, the system is using the DES - format. Other possible values are - blf for Blowfish and md5 for - MD5 encrypted passwords. - - If the format on a host needs to be edited to match the one - being used in the NIS domain, - the login capability - database must be rebuilt after saving the change: + In this example, the system is using the + DES format. Other possible values are + blf for Blowfish and md5 + for MD5 encrypted passwords. + + If the format on a host needs to be edited to match the + one being used in the NIS domain, the + login capability database must be rebuilt after saving the + change: &prompt.root; cap_mkdb /etc/login.conf - The format of passwords for existing user accounts will not be updated - until each user changes their password + The format of passwords for existing user accounts will + not be updated until each user changes their password after the login capability database is rebuilt. 
@@ -3073,7 +3071,7 @@ dhcpd_ifaces="dc0" separate network. If this functionality is required, then install the net/isc-dhcp42-relay - port. The port installs &man.dhcrelay.8;, which + port. The port installs &man.dhcrelay.8;, which provides more detail.
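Review bot: In the hunk at @@ -2011,31 +2011,29 @@, the re-wrapped paragraph on netgroup names changes text, not only whitespace. The removed lines read "should not be used. The names are case sensitive and using capital letters for netgroup names", while the added lines read "should not be The names are case sensitive and using capital letters letters for netgroup names". The word "used." is lost and "letters" is doubled, so the sentence no longer parses and the log message "White space fix only. Translators can ignore." does not hold for this hunk. Restore "used." at the end of the first added line of that paragraph and drop the repeated "letters" at the start of the third.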
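Review bot: In the hunk at @@ -2073,38 +2070,38 @@, the re-wrapped paragraph about placing the extra line after +@IT_EMP::::::::: still ends with "noone will be able to login to the system"; "noone" should be "no one". Because this commit is declared whitespace-only, the correction belongs in a separate content commit so that translators can still skip this revision.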
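Review bot: In the hunk at @@ -2117,18 +2114,18 @@, the unchanged context lines list ITINTERN as a member of SMALLSRV and USERBOX, but the netgroup map visible earlier in this patch (the context around @@ -1986,17 +1986,17 @@) defines the interns' netgroup as INTERNS, and no ITINTERN definition appears in the lines shown. If ITINTERN is not defined elsewhere in the chapter, the role-based example refers to a netgroup that does not exist and the login policy a reader builds from it will not match the one the text describes. This is outside the scope of a whitespace commit, but the two names should be aligned in a follow-up.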