Date: Fri, 31 Jan 2014 18:43:29 +0000 (UTC) From: Dru Lavigne <dru@FreeBSD.org> To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org Subject: svn commit: r43708 - head/en_US.ISO8859-1/books/handbook/network-servers Message-ID: <201401311843.s0VIhTJ9046134@svn.freebsd.org>
Author: dru Date: Fri Jan 31 18:43:29 2014 New Revision: 43708 URL: http://svnweb.freebsd.org/changeset/doc/43708 Log: White space fix only. Translators can ignore. Sponsored by: iXsystems Modified: head/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml Modified: head/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml ============================================================================== --- head/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml Fri Jan 31 17:03:23 2014 (r43707) +++ head/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml Fri Jan 31 18:43:29 2014 (r43708) @@ -113,9 +113,9 @@ </sect1> <sect1 xml:id="network-inetd"> - <title>The <application>inetd</application> + <title>The <application>inetd</application> Super-Server</title> - + <!-- <sect1info> <authorgroup> 
@@ -133,53 +133,54 @@ </authorgroup> </sect1info> --> - - <para>The &man.inetd.8; daemon is sometimes referred to as a - Super-Server because it manages - connections for many services. Instead of starting multiple - applications, only the <application>inetd</application> service - needs to be started. When a connection is received - for a service that is managed by <application>inetd</application>, it determines which - program the connection is destined for, spawns a - process for that program, and delegates the program a socket. - Using <application>inetd</application> - for services that are not heavily used can reduce - system load, when compared to running each daemon individually - in stand-alone mode.</para> - - <para>Primarily, <application>inetd</application> is used to - spawn other daemons, but several trivial protocols are handled - internally, such as <application>chargen</application>, - <application>auth</application>, - <application>time</application>, - <application>echo</application>, - <application>discard</application>, and - <application>daytime</application>.</para> - <para>This section covers the basics of configuring - <application>inetd</application>.</para> + <para>The &man.inetd.8; daemon is sometimes referred to as a + Super-Server because it manages connections for many services. + Instead of starting multiple applications, only the + <application>inetd</application> service needs to be started. + When a connection is received for a service that is managed by + <application>inetd</application>, it determines which program + the connection is destined for, spawns a process for that + program, and delegates the program a socket. 
Using + <application>inetd</application> for services that are not + heavily used can reduce system load, when compared to running + each daemon individually in stand-alone mode.</para> + + <para>Primarily, <application>inetd</application> is used to + spawn other daemons, but several trivial protocols are handled + internally, such as <application>chargen</application>, + <application>auth</application>, + <application>time</application>, + <application>echo</application>, + <application>discard</application>, and + <application>daytime</application>.</para> + + <para>This section covers the basics of configuring + <application>inetd</application>.</para> <sect2 xml:id="network-inetd-conf"> <title>Configuration File</title> <para>Configuration of <application>inetd</application> is - done by editing <filename>/etc/inetd.conf</filename>. Each line of this configuration file represents an application + done by editing <filename>/etc/inetd.conf</filename>. Each + line of this configuration file represents an application which can be started by <application>inetd</application>. By default, every line starts with a comment - (<literal>#</literal>), meaning that <application>inetd</application> - is not listening for any applications. To configure - <application>inetd</application> to listen for an application's - connections, remove the <literal>#</literal> at the beginning of - the line for that application.</para> - - <para>After saving your edits, configure <application>inetd</application> - to start at system boot by editing <filename>/etc/rc.conf</filename>:</para> + (<literal>#</literal>), meaning that + <application>inetd</application> is not listening for any + applications. 
To configure <application>inetd</application> + to listen for an application's connections, remove the + <literal>#</literal> at the beginning of the line for that + application.</para> + + <para>After saving your edits, configure + <application>inetd</application> to start at system boot by + editing <filename>/etc/rc.conf</filename>:</para> <programlisting>inetd_enable="YES"</programlisting> - <para>To start - <application>inetd</application> now, so that it listens for - the service you configured, type:</para> + <para>To start <application>inetd</application> now, so that it + listens for the service you configured, type:</para> <screen>&prompt.root; <userinput>service inetd start</userinput></screen> @@ -192,16 +193,17 @@ Configuration File</title> <screen>&prompt.root; <userinput>service inetd reload</userinput></screen> - </example> + </example> <para>Typically, the default entry for an application does not - need to be edited beyond removing the <literal>#</literal>. + need to be edited beyond removing the <literal>#</literal>. In some situations, it may be appropriate to edit the default entry.</para> - <para>As an example, this is the default entry for &man.ftpd.8; over IPv4:</para> + <para>As an example, this is the default entry for &man.ftpd.8; + over IPv4:</para> - <programlisting>ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l</programlisting> + <programlisting>ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l</programlisting> <para>The seven columns in an entry are as follows:</para> 
@@ -220,13 +222,13 @@ server-program-arguments</programlisting <term>service-name</term> <listitem> - <para>The service name of the daemon to start. - It must correspond to a service listed in + <para>The service name of the daemon to start. It must + correspond to a service listed in <filename>/etc/services</filename>. This determines which port <application>inetd</application> listens on - for incoming connections to that service. - When using a custom service, it must first be - added to <filename>/etc/services</filename>.</para> + for incoming connections to that service. When using a + custom service, it must first be added to + <filename>/etc/services</filename>.</para> </listitem> </varlistentry> @@ -236,8 +238,8 @@ server-program-arguments</programlisting <listitem> <para>Either <literal>stream</literal>, <literal>dgram</literal>, <literal>raw</literal>, or - <literal>seqpacket</literal>. Use <literal>stream</literal> - for TCP connections and + <literal>seqpacket</literal>. Use + <literal>stream</literal> for TCP connections and <literal>dgram</literal> for <acronym>UDP</acronym> services.</para> </listitem> @@ -286,7 +288,8 @@ server-program-arguments</programlisting <row> <entry>udp46</entry> - <entry>Both <acronym>UDP</acronym> IPv4 and IPv6</entry> + <entry>Both <acronym>UDP</acronym> IPv4 and + IPv6</entry> </row> </tbody> </tgroup> 
@@ -304,42 +307,40 @@ server-program-arguments</programlisting <option>max-connections-per-ip-per-minute</option> and <option>max-child-per-ip</option> are optional.</para> - <para><option>wait|nowait</option> indicates whether or not the - service is - able to handle its own socket. + <para><option>wait|nowait</option> indicates whether or + not the service is able to handle its own socket. <option>dgram</option> socket types must use the - <option>wait</option> option while <option>stream</option> - daemons, which are usually multi-threaded, should use - <option>nowait</option>. <option>wait</option> usually - hands off multiple sockets to a single daemon, while - <option>nowait</option> spawns a child daemon for each - new socket.</para> + <option>wait</option> option while + <option>stream</option> daemons, which are usually + multi-threaded, should use <option>nowait</option>. + <option>wait</option> usually hands off multiple sockets + to a single daemon, while <option>nowait</option> spawns + a child daemon for each new socket.</para> <para>The maximum number of child daemons <application>inetd</application> may spawn is set by - <option>max-child</option>. For example, to limit - ten instances of the daemon, place a - <literal>/10</literal> after - <option>nowait</option>. Specifying + <option>max-child</option>. For example, to limit ten + instances of the daemon, place a <literal>/10</literal> + after <option>nowait</option>. Specifying <literal>/0</literal> allows an unlimited number of children.</para> <para><option>max-connections-per-ip-per-minute</option> limits the number of connections from any particular - <acronym>IP</acronym> address per minute. Once the limit - is reached, further connections from this IP address - will be dropped until the end of the minute. For example, a value - of <literal>/10</literal> would limit any particular <acronym>IP</acronym> - address to ten - connection attempts per minute. 
<option>max-child-per-ip</option> - limits the number of child processes that can be started on - behalf on any single <acronym>IP</acronym> address at - any moment. These options can limit - excessive resource - consumption and help to prevent Denial of Service attacks.</para> + <acronym>IP</acronym> address per minute. Once the + limit is reached, further connections from this IP + address will be dropped until the end of the minute. + For example, a value of <literal>/10</literal> would + limit any particular <acronym>IP</acronym> address to + ten connection attempts per minute. + <option>max-child-per-ip</option> limits the number of + child processes that can be started on behalf on any + single <acronym>IP</acronym> address at any moment. + These options can limit excessive resource consumption + and help to prevent Denial of Service attacks.</para> - <para>An example can be seen in the default - settings for &man.fingerd.8;:</para> + <para>An example can be seen in the default settings for + &man.fingerd.8;:</para> <programlisting>finger stream tcp nowait/3/10 nobody /usr/libexec/fingerd fingerd -k -s</programlisting> </listitem> @@ -361,10 +362,9 @@ server-program-arguments</programlisting <term>server-program</term> <listitem> - <para>The full path to the daemon. - If the daemon is a service - provided by <application>inetd</application> internally, - use <option>internal</option>.</para> + <para>The full path to the daemon. If the daemon is a + service provided by <application>inetd</application> + internally, use <option>internal</option>.</para> </listitem> </varlistentry> 
@@ -372,11 +372,9 @@ server-program-arguments</programlisting <term>server-program-arguments</term> <listitem> - <para>Used to - specify any command - arguments to be - passed to the daemon on invocation. If - the daemon is an internal service, use + <para>Used to specify any command arguments to be passed + to the daemon on invocation. If the daemon is an + internal service, use <option>internal</option>.</para> </listitem> </varlistentry> @@ -387,17 +385,17 @@ server-program-arguments</programlisting <title>Command-Line Options</title> <para>Like most server daemons, <application>inetd</application> - has a number of options that can be used to - modify its behaviour. By default, - <application>inetd</application> is started with - <literal>-wW -C 60</literal>. These options enable TCP wrappers for - all services, including internal services, and prevent any - <acronym>IP</acronym> address from requesting any - service more than 60 times per minute.</para> - - <para>To change the default options which are passed to <application>inetd</application>, - add an entry for <literal>inetd_flags</literal> in - <filename>/etc/rc.conf</filename>. If + has a number of options that can be used to modify its + behaviour. By default, <application>inetd</application> is + started with <literal>-wW -C 60</literal>. These options + enable TCP wrappers for all services, including internal + services, and prevent any <acronym>IP</acronym> address from + requesting any service more than 60 times per minute.</para> + + <para>To change the default options which are passed to + <application>inetd</application>, add an entry for + <literal>inetd_flags</literal> in + <filename>/etc/rc.conf</filename>. If <application>inetd</application> is already running, restart it with <command>service inetd restart</command>.</para> 
@@ -409,9 +407,10 @@ server-program-arguments</programlisting <listitem> <para>Specify the default maximum number of simultaneous - invocations of each service, where the default is unlimited. - May be overridden on a per-service basis by using - <option>max-child</option> in <filename>/etc/inetd.conf</filename>.</para> + invocations of each service, where the default is + unlimited. May be overridden on a per-service basis by + using <option>max-child</option> in + <filename>/etc/inetd.conf</filename>.</para> </listitem> </varlistentry> @@ -421,8 +420,8 @@ server-program-arguments</programlisting <listitem> <para>Specify the default maximum number of times a service can be invoked from a single - <acronym>IP</acronym> address per minute. May be overridden on a per-service basis - by using + <acronym>IP</acronym> address per minute. May be + overridden on a per-service basis by using <option>max-connections-per-ip-per-minute</option> in <filename>/etc/inetd.conf</filename>.</para> </listitem> @@ -433,7 +432,8 @@ server-program-arguments</programlisting <listitem> <para>Specify the maximum number of times a service can be - invoked in one minute, where the default is <literal>256</literal>. A rate of <literal>0</literal> + invoked in one minute, where the default is + <literal>256</literal>. A rate of <literal>0</literal> allows an unlimited number.</para> </listitem> </varlistentry> 
@@ -446,13 +446,14 @@ server-program-arguments</programlisting invoked from a single <acronym>IP</acronym> address at any one time, where the default is unlimited. May be overridden on a per-service basis by using - <option>max-child-per-ip</option> in <filename>/etc/inetd.conf</filename>.</para> + <option>max-child-per-ip</option> in + <filename>/etc/inetd.conf</filename>.</para> </listitem> </varlistentry> </variablelist> - <para>Additional options are available. Refer to &man.inetd.8; for - the full list of options.</para> + <para>Additional options are available. Refer to &man.inetd.8; + for the full list of options.</para> </sect2> <sect2 xml:id="network-inetd-security"> @@ -460,19 +461,18 @@ server-program-arguments</programlisting <para>Many of the daemons which can be managed by <application>inetd</application> are not security-conscious. - Some daemons, such as - <application>fingerd</application>, can - provide information that may be useful to an - attacker. Only enable the services which are needed and - monitor the system for excessive connection attempts. + Some daemons, such as <application>fingerd</application>, can + provide information that may be useful to an attacker. Only + enable the services which are needed and monitor the system + for excessive connection attempts. <literal>max-connections-per-ip-per-minute</literal>, <literal>max-child</literal> and <literal>max-child-per-ip</literal> can be used to limit such attacks.</para> <para>By default, TCP wrappers is enabled. Consult - &man.hosts.access.5; for more information on - placing TCP restrictions on various + &man.hosts.access.5; for more information on placing TCP + restrictions on various <application>inetd</application> invoked daemons.</para> </sect2> </sect1> 
@@ -657,28 +657,28 @@ mountd_flags="-r"</programlisting> read-only, preventing clients from making any changes to those exported file systems.</para> - <para>The next example exports - <filename>/home</filename> to three clients - by <acronym>IP</acronym> address. This can be useful for - networks without <acronym>DNS</acronym>. Optionally, - <filename>/etc/hosts</filename> could be configured for - internal hostnames; please review &man.hosts.5; for more - information. The <literal>-alldirs</literal> flag allows - subdirectories to be mount points. In other words, it will - not mount the subdirectories but permit the client to mount - only the directories that are required or needed.</para> + <para>The next example exports <filename>/home</filename> to + three clients by <acronym>IP</acronym> address. This can be + useful for networks without <acronym>DNS</acronym>. + Optionally, <filename>/etc/hosts</filename> could be + configured for internal hostnames; please review &man.hosts.5; + for more information. The <literal>-alldirs</literal> flag + allows subdirectories to be mount points. In other words, it + will not mount the subdirectories but permit the client to + mount only the directories that are required or needed.</para> <programlisting>/home -alldirs 10.0.0.2 10.0.0.3 10.0.0.4</programlisting> - <para>This next line exports - <filename>/a</filename> so that two clients - from different domains may access the file system. The - <option>-maproot=root</option> flag allows the - <systemitem class="username">root</systemitem> user on the remote system to write - data on the exported file system as <systemitem class="username">root</systemitem>. 
- If the <literal>-maproot=root</literal> flag is not specified, - the client's <systemitem class="username">root</systemitem> user will be mapped to - the server's <systemitem class="username">nobody</systemitem> account and will be + <para>This next line exports <filename>/a</filename> so that two + clients from different domains may access the file system. + The <option>-maproot=root</option> flag allows the + <systemitem class="username">root</systemitem> user on the + remote system to write data on the exported file system as + <systemitem class="username">root</systemitem>. If the + <literal>-maproot=root</literal> flag is not specified, the + client's <systemitem class="username">root</systemitem> user + will be mapped to the server's <systemitem + class="username">nobody</systemitem> account and will be subject to the access limitations defined for user, <systemitem class="username">nobody</systemitem>.</para> @@ -692,16 +692,16 @@ mountd_flags="-r"</programlisting> the export information for one file system to one or more clients. A remote host can only be specified once per file system. For example, assume that - <filename>/usr</filename> is a single file - system. This entry, in <filename>/etc/exports</filename>, - would be invalid:</para> + <filename>/usr</filename> is a single file system. This + entry, in <filename>/etc/exports</filename>, would be + invalid:</para> <programlisting># Invalid when /usr is one file system /usr/src client /usr/ports client</programlisting> - <para>The <filename>/usr</filename> file - system has two lines specifying exports to the same host, + <para>The <filename>/usr</filename> file system has two lines + specifying exports to the same host, <systemitem>client</systemitem>. The correct format for this situation is:</para> 
@@ -713,9 +713,8 @@ mountd_flags="-r"</programlisting> system.</para> <para>The following is an example of a valid export list, where - <filename>/usr</filename> and - <filename>/exports</filename> are local - file systems:</para> + <filename>/usr</filename> and <filename>/exports</filename> + are local file systems:</para> <programlisting># Export src and ports to client01 and client02, but only # client01 has root privileges on it @@ -739,7 +738,8 @@ mountd_flags="-r"</programlisting> <para>On a new server being configured with <acronym>NFS</acronym> services, the server can be started by - running this command as <systemitem class="username">root</systemitem>:</para> + running this command as <systemitem + class="username">root</systemitem>:</para> <screen>&prompt.root; <userinput>service nfsd start</userinput></screen> @@ -750,9 +750,10 @@ mountd_flags="-r"</programlisting> <para>The client now has everything it needs to mount a remote file system. In these examples, the server's name is <systemitem>server</systemitem> and the client's name is - <systemitem>client</systemitem>. For testing or to temporarily mount - a remote file system, execute <application>mount</application> - as <systemitem class="username">root</systemitem> on + <systemitem>client</systemitem>. For testing or to + temporarily mount a remote file system, execute + <application>mount</application> as <systemitem + class="username">root</systemitem> on <systemitem>client</systemitem>:</para> <indexterm> 
@@ -762,16 +763,16 @@ mountd_flags="-r"</programlisting> <screen>&prompt.root; <userinput>mount server:/home /mnt</userinput></screen> <para>This mounts the <systemitem>server</systemitem>: - <filename>/home</filename> file system to - the <systemitem>client</systemitem>: - <filename>/mnt</filename> mount point. The - files and directories in the <systemitem>server</systemitem> - <filename>/home</filename> file system will - now be available on <systemitem>client</systemitem>, in the + <filename>/home</filename> file system to the + <systemitem>client</systemitem>: + <filename>/mnt</filename> mount point. The files and + directories in the <systemitem>server</systemitem> + <filename>/home</filename> file system will now be available + on <systemitem>client</systemitem>, in the <filename>/mnt</filename> directory.</para> - <para>To mount a remote file system each time the client - boots, add it to <filename>/etc/fstab</filename>:</para> + <para>To mount a remote file system each time the client boots, + add it to <filename>/etc/fstab</filename>:</para> <programlisting>server:/home /mnt nfs rw 0 0</programlisting> @@ -786,8 +787,8 @@ mountd_flags="-r"</programlisting> require file locking to operate correctly. In the case of <acronym>NFS</acronym>, <application>rpc.lockd</application> can be used for file locking. To enable it, add this line to - <filename>/etc/rc.conf</filename> on both client - and server:</para> + <filename>/etc/rc.conf</filename> on both client and + server:</para> <programlisting>rpc_lockd_enable="YES" rpc_statd_enable="YES"</programlisting> 
@@ -796,8 +797,8 @@ rpc_statd_enable="YES"</programlisting> <acronym>NFS</acronym> client and server are already configured.</para> - <para>Start the application, as <systemitem class="username">root</systemitem>, - with:</para> + <para>Start the application, as <systemitem + class="username">root</systemitem>, with:</para> <screen>&prompt.root; <userinput>service lockd start</userinput> &prompt.root; <userinput>service statd start</userinput></screen> @@ -805,8 +806,7 @@ rpc_statd_enable="YES"</programlisting> <para>If locking is not required on the server, the <acronym>NFS</acronym> client can be configured to lock locally by passing <option>-L</option> to &man.mount.nfs.8;. - Refer to &man.mount.nfs.8; for further - details.</para> + Refer to &man.mount.nfs.8; for further details.</para> </sect2> <sect2> @@ -836,10 +836,11 @@ rpc_statd_enable="YES"</programlisting> </listitem> <listitem> - <para>Several clients may need access to the <filename>/usr/ports/distfiles</filename> - directory. Sharing that directory allows for quick access - to the source files without having to download them to - each client.</para> + <para>Several clients may need access to the + <filename>/usr/ports/distfiles</filename> directory. + Sharing that directory allows for quick access to the + source files without having to download them to each + client.</para> </listitem> </itemizedlist> </sect2> 
@@ -886,14 +887,15 @@ rpc_statd_enable="YES"</programlisting> <filename>/net</filename> directories. When a file is accessed within one of these directories, <application>amd</application> looks up the corresponding - remote mount and automatically mounts it. <filename>/net</filename> is used to mount an - exported file system from an <acronym>IP</acronym> address, - while <filename>/host</filename> is used to - mount an export from a remote hostname.</para> + remote mount and automatically mounts it. + <filename>/net</filename> is used to mount an exported file + system from an <acronym>IP</acronym> address, while + <filename>/host</filename> is used to mount an export from a + remote hostname.</para> <para>For instance, an attempt to access a file within - <filename>/host/foobar/usr</filename> would - tell <application>amd</application> to mount the + <filename>/host/foobar/usr</filename> would tell + <application>amd</application> to mount the <filename>/usr</filename> export on the host <systemitem>foobar</systemitem>.</para> @@ -901,10 +903,9 @@ rpc_statd_enable="YES"</programlisting> <title>Mounting an Export with <application>amd</application></title> - <para><command>showmount -e</command> shows the - exported file systems that can be mounted from - the <acronym>NFS</acronym> server, - <systemitem>foobar</systemitem>:</para> + <para><command>showmount -e</command> shows the exported file + systems that can be mounted from the <acronym>NFS</acronym> + server, <systemitem>foobar</systemitem>:</para> <screen>&prompt.user; <userinput>showmount -e foobar</userinput> Exports list on foobar: 
@@ -914,13 +915,13 @@ Exports list on foobar: </example> <para>The output from <command>showmount</command> shows - <filename>/usr</filename> as an export. - When changing directories to - <filename>/host/foobar/usr</filename>, + <filename>/usr</filename> as an export. When changing + directories to <filename>/host/foobar/usr</filename>, <application>amd</application> intercepts the request and - attempts to resolve the hostname <systemitem>foobar</systemitem>. If - successful, <application>amd</application> automatically - mounts the desired export.</para> + attempts to resolve the hostname + <systemitem>foobar</systemitem>. If successful, + <application>amd</application> automatically mounts the + desired export.</para> <para><application>amd</application> is enabled by placing this line in <filename>/etc/rc.conf</filename>:</para> @@ -942,8 +943,8 @@ Exports list on foobar: <filename>/etc/amd.conf</filename> defines some of the more advanced features of <application>amd</application>.</para> - <para>Consult &man.amd.8; and &man.amd.conf.5; - for more information.</para> + <para>Consult &man.amd.8; and &man.amd.conf.5; for more + information.</para> </sect2> </sect1> 
@@ -1193,32 +1194,37 @@ Exports list on foobar: <tbody> <row> <entry><systemitem>ellington</systemitem></entry> - <entry><systemitem class="ipaddress">10.0.0.2</systemitem></entry> + <entry><systemitem + class="ipaddress">10.0.0.2</systemitem></entry> <entry><acronym>NIS</acronym> master</entry> </row> <row> <entry><systemitem>coltrane</systemitem></entry> - <entry><systemitem class="ipaddress">10.0.0.3</systemitem></entry> + <entry><systemitem + class="ipaddress">10.0.0.3</systemitem></entry> <entry><acronym>NIS</acronym> slave</entry> </row> <row> <entry><systemitem>basie</systemitem></entry> - <entry><systemitem class="ipaddress">10.0.0.4</systemitem></entry> + <entry><systemitem + class="ipaddress">10.0.0.4</systemitem></entry> <entry>Faculty workstation</entry> </row> <row> <entry><systemitem>bird</systemitem></entry> - <entry><systemitem class="ipaddress">10.0.0.5</systemitem></entry> + <entry><systemitem + class="ipaddress">10.0.0.5</systemitem></entry> <entry>Client machine</entry> </row> <row> <entry><systemitem>cli[1-11]</systemitem></entry> <entry> - <systemitem class="ipaddress">10.0.0.[6-17]</systemitem></entry> + <systemitem + class="ipaddress">10.0.0.[6-17]</systemitem></entry> <entry>Other client machines</entry> </row> </tbody> @@ -1376,8 +1382,8 @@ nis_client_flags="-S <replaceable>NIS do <primary>NIS</primary> <secondary>maps</secondary> </indexterm> - <para><acronym>NIS</acronym> maps - are generated from the configuration files in <filename>/etc</filename> on the + <para><acronym>NIS</acronym> maps are generated from the + configuration files in <filename>/etc</filename> on the <acronym>NIS</acronym> master, with one exception: <filename>/etc/master.passwd</filename>. This is to prevent the propagation of passwords to all the servers in 
@@ -1392,8 +1398,8 @@ nis_client_flags="-S <replaceable>NIS do <para>It is advisable to remove all entries for system accounts as well as any user accounts that do not need to be propagated to the <acronym>NIS</acronym> clients, such - as the <systemitem class="username">root</systemitem> and any other - administrative accounts.</para> + as the <systemitem class="username">root</systemitem> and + any other administrative accounts.</para> <note><para>Ensure that the <filename>/var/yp/master.passwd</filename> is neither @@ -1603,8 +1609,7 @@ Remember to update map ypservers on elli <para>Edit <filename>/etc/rc.conf</filename> and add the following lines in order to set the <acronym>NIS</acronym> domain name and start - &man.ypbind.8; during network - startup:</para> + &man.ypbind.8; during network startup:</para> <programlisting>nisdomainname="test-domain" nis_client_enable="YES"</programlisting> @@ -1618,7 +1623,8 @@ nis_client_enable="YES"</programlisting> <filename>/etc/master.passwd</filename>. When removing the accounts, keep in mind that at least one local account should remain and this account should be - a member of <systemitem class="groupname">wheel</systemitem>. If there is + a member of <systemitem + class="groupname">wheel</systemitem>. If there is a problem with <acronym>NIS</acronym>, this local account can be used to log in remotely, become the superuser, and fix the problem. Before saving the @@ -1633,8 +1639,8 @@ nis_client_enable="YES"</programlisting> account on the client. There are many ways to configure the <acronym>NIS</acronym> client by modifying this line. One method is described in - <xref linkend="network-netgroups"/>. For - more detailed reading, refer to the book + <xref linkend="network-netgroups"/>. For more + detailed reading, refer to the book <literal>Managing NFS and NIS</literal>, published by O'Reilly Media.</para> </step> 
@@ -1728,27 +1734,27 @@ nis_client_enable="YES"</programlisting> <sect3> <title>Barring Some Users</title> - <para>In this example, the <systemitem>basie</systemitem> system - is a faculty workstation within the <acronym>NIS</acronym> - domain. The <filename>passwd</filename> map on the master + <para>In this example, the <systemitem>basie</systemitem> + system is a faculty workstation within the + <acronym>NIS</acronym> domain. The + <filename>passwd</filename> map on the master <acronym>NIS</acronym> server contains accounts for both faculty and students. This section demonstrates how to allow faculty logins on this system while refusing student logins.</para> - <para>To prevent specified users from logging on to a - system, even if they are present in the + <para>To prevent specified users from logging on to a system, + even if they are present in the <acronym>NIS</acronym> database, use <command>vipw</command> - to add - <literal>-username</literal> with - the correct number of colons towards the end of + to add <literal>-username</literal> with the correct number + of colons towards the end of <filename>/etc/master.passwd</filename> on the client, where <replaceable>username</replaceable> is the username of a user to bar from logging in. The line with the blocked user must be before the <literal>+</literal> line that allows <acronym>NIS</acronym> users. In this example, - <systemitem class="username">bill</systemitem> is barred from logging on to - <systemitem>basie</systemitem>:</para> + <systemitem class="username">bill</systemitem> is barred + from logging on to <systemitem>basie</systemitem>:</para> <screen>basie&prompt.root; <userinput>cat /etc/master.passwd</userinput> root:[password]:0:0::0:0:The super-user:/root:/bin/csh 
@@ -1824,21 +1830,24 @@ basie&prompt.root;</screen> </row> <row> - <entry><systemitem class="username">charlie</systemitem>, - <systemitem class="username">delta</systemitem></entry> + <entry><systemitem + class="username">charlie</systemitem>, <systemitem + class="username">delta</systemitem></entry> <entry>IT department apprentices</entry> </row> <row> <entry><systemitem class="username">echo</systemitem>, <systemitem class="username">foxtrott</systemitem>, - <systemitem class="username">golf</systemitem>, ...</entry> + <systemitem class="username">golf</systemitem>, + ...</entry> <entry>employees</entry> </row> <row> <entry><systemitem class="username">able</systemitem>, - <systemitem class="username">baker</systemitem>, ...</entry> + <systemitem class="username">baker</systemitem>, + ...</entry> <entry>interns</entry> </row> </tbody> @@ -1861,7 +1870,8 @@ basie&prompt.root;</screen> <!-- Names taken from "Good Omens" by Neil Gaiman and Terry Pratchett. Many thanks for a brilliant book. --> <entry><systemitem>war</systemitem>, - <systemitem>death</systemitem>, <systemitem>famine</systemitem>, + <systemitem>death</systemitem>, + <systemitem>famine</systemitem>, <systemitem>pollution</systemitem></entry> <entry>Only IT employees are allowed to log onto these servers.</entry> 
@@ -1869,16 +1879,21 @@ basie&prompt.root;</screen> <row> <!-- gluttony was omitted because it was too fat --> - <entry><systemitem>pride</systemitem>, <systemitem>greed</systemitem>, - <systemitem>envy</systemitem>, <systemitem>wrath</systemitem>, - <systemitem>lust</systemitem>, <systemitem>sloth</systemitem></entry> + <entry><systemitem>pride</systemitem>, + <systemitem>greed</systemitem>, + <systemitem>envy</systemitem>, + <systemitem>wrath</systemitem>, + <systemitem>lust</systemitem>, + <systemitem>sloth</systemitem></entry> <entry>All members of the IT department are allowed to login onto these servers.</entry> </row> <row> - <entry><systemitem>one</systemitem>, <systemitem>two</systemitem>, - <systemitem>three</systemitem>, <systemitem>four</systemitem>, + <entry><systemitem>one</systemitem>, + <systemitem>two</systemitem>, + <systemitem>three</systemitem>, + <systemitem>four</systemitem>, ...</entry> <entry>Ordinary workstations used by employees.</entry> @@ -2567,8 +2582,11 @@ result: 0 Success by the client to obtain the addressing information. &os; does not install a <acronym>DHCP</acronym> server, but several servers are available in the &os; Ports Collection. The - <acronym>DHCP</acronym> protocol is fully described in <link xlink:href="http://www.freesoft.org/CIE/RFC/2131/">RFC 2131</link>. - Informational resources are also available at <link xlink:href="http://www.isc.org/downloads/dhcp/">isc.org/downloads/dhcp/</link>.</para> + <acronym>DHCP</acronym> protocol is fully described in <link + xlink:href="http://www.freesoft.org/CIE/RFC/2131/">RFC + 2131</link>. + Informational resources are also available at <link + xlink:href="http://www.isc.org/downloads/dhcp/">isc.org/downloads/dhcp/</link>.</para> <para>This section describes how to use the built-in <acronym>DHCP</acronym> client. It then describes how to 
@@ -2706,7 +2724,8 @@ result: 0 Success to act as a <acronym>DHCP</acronym> server using the Internet Systems Consortium (<acronym>ISC</acronym>) implementation of the <acronym>DHCP</acronym> server. This implementation and - its documentation can be installed using the <package>net/isc-dhcp42-server</package> package or + its documentation can be installed using the + <package>net/isc-dhcp42-server</package> package or port.</para> <indexterm> @@ -2719,8 +2738,9 @@ result: 0 Success <secondary>installation</secondary> </indexterm> - <para>The installation of <package>net/isc-dhcp42-server</package> installs a - sample configuration file. Copy + <para>The installation of + <package>net/isc-dhcp42-server</package> installs a sample + configuration file. Copy <filename>/usr/local/etc/dhcpd.conf.example</filename> to <filename>/usr/local/etc/dhcpd.conf</filename> and make any edits to this new file.</para> @@ -2898,9 +2918,10 @@ dhcpd_ifaces="dc0"</programlisting> one <acronym>DHCP</acronym> server forwards a request from a client to another <acronym>DHCP</acronym> server on a separate network. If this functionality is - required, install the <package>net/isc-dhcp42-relay</package> - package or port. The installation includes dhcrelay(8) - which provides more detail.</para> + required, install the + <package>net/isc-dhcp42-relay</package> package or port. + The installation includes dhcrelay(8) which provides + more detail.</para> </listitem> </itemizedlist> </sect2> 
@@ -2939,7 +2960,8 @@ dhcpd_ifaces="dc0"</programlisting> is the most common implementation of the <acronym>DNS</acronym> protocol. The &os; version provides enhanced security features, a new file system layout, and automated &man.chroot.8; - configuration. BIND is maintained by the <link xlink:href="https://www.isc.org/">isc.org</link>. It is not + configuration. BIND is maintained by the <link + xlink:href="https://www.isc.org/">isc.org</link>. It is not necessary to run a name server to perform <acronym>DNS</acronym> lookups on a system.</para> @@ -3028,8 +3050,8 @@ dhcpd_ifaces="dc0"</programlisting> <itemizedlist> <listitem> - <para><systemitem>.</systemitem> is how the root zone is usually - referred to in documentation.</para> + <para><systemitem>.</systemitem> is how the root zone is + usually referred to in documentation.</para> </listitem> <listitem> 
@@ -3038,24 +3060,28 @@ dhcpd_ifaces="dc0"</programlisting> </listitem> <listitem> - <para><systemitem class="fqdomainname">example.org.</systemitem> is a + <para><systemitem + class="fqdomainname">example.org.</systemitem> is a zone under the <systemitem>org.</systemitem> <acronym>TLD</acronym>.</para> </listitem> <listitem> - <para><systemitem>1.168.192.in-addr.arpa</systemitem> is a zone - referencing all <acronym>IP</acronym> addresses which fall - under the <systemitem class="ipaddress">192.168.1.*</systemitem> + <para><systemitem>1.168.192.in-addr.arpa</systemitem> is a + zone referencing all <acronym>IP</acronym> addresses which + fall under the <systemitem + class="ipaddress">192.168.1.*</systemitem> <acronym>IP</acronym> address space.</para> </listitem> </itemizedlist> <para>As one can see, the more specific part of a hostname - appears to its left. For example, <systemitem class="fqdomainname">example.org.</systemitem> is more specific than - <systemitem>org.</systemitem>, as <systemitem>org.</systemitem> is more specific - than the root zone. The layout of each part of a hostname is - much like a file system: the <filename>/dev</filename> directory falls within the + appears to its left. For example, <systemitem + class="fqdomainname">example.org.</systemitem> is more + specific than <systemitem>org.</systemitem>, as + <systemitem>org.</systemitem> is more specific than the root + zone. The layout of each part of a hostname is much like a file + system: the <filename>/dev</filename> directory falls within the root, and so on.</para> <sect2> @@ -3074,8 +3100,8 @@ dhcpd_ifaces="dc0"</programlisting> </listitem> <listitem> - <para>A domain, such as - <systemitem class="fqdomainname">example.org</systemitem>, is + <para>A domain, such as <systemitem + class="fqdomainname">example.org</systemitem>, is registered and <acronym>IP</acronym> addresses need to be assigned to hostnames under it.</para> </listitem> 
@@ -3102,10 +3128,10 @@ dhcpd_ifaces="dc0"</programlisting> </listitem> </itemizedlist> - <para>When one queries for - <systemitem class="fqdomainname">www.FreeBSD.org</systemitem>, the resolver - usually queries the uplink <acronym>ISP</acronym>'s name - server, and retrieves the reply. With a local, caching + <para>When one queries for <systemitem + class="fqdomainname">www.FreeBSD.org</systemitem>, the + resolver usually queries the uplink <acronym>ISP</acronym>'s + name server, and retrieves the reply. With a local, caching <acronym>DNS</acronym> server, the query only has to be made once to the outside world by the caching <acronym>DNS</acronym> server. Additional queries will not @@ -3286,8 +3312,8 @@ options { name server, enabling this may be worthwhile.</para> <warning> - <para><systemitem class="ipaddress">127.0.0.1</systemitem> will - <emphasis>not</emphasis> work here. Change this + <para><systemitem class="ipaddress">127.0.0.1</systemitem> + will <emphasis>not</emphasis> work here. Change this <acronym>IP</acronym> address to a name server at the uplink.</para> </warning> @@ -3538,8 +3564,8 @@ zone "1.168.192.in-addr.arpa" { to <filename>named.conf</filename>.</para> <para>For example, the simplest zone entry for - <systemitem class="fqdomainname">example.org</systemitem> can look - like:</para> + <systemitem class="fqdomainname">example.org</systemitem> + can look like:</para> <programlisting>zone "example.org" { type master; @@ -3573,8 +3599,8 @@ zone "1.168.192.in-addr.arpa" { <secondary>zone files</secondary> </indexterm> - <para>An example master zone file for - <systemitem class="fqdomainname">example.org</systemitem> (existing + <para>An example master zone file for <systemitem + class="fqdomainname">example.org</systemitem> (existing within <filename>/etc/namedb/master/example.org</filename>) is as follows:</para> 
@@ -3677,7 +3703,8 @@ www IN CNAME example. <variablelist> <varlistentry> - <term><systemitem class="fqdomainname">example.org.</systemitem></term> + <term><systemitem + class="fqdomainname">example.org.</systemitem></term> <listitem> <para>the domain name, also the origin for this @@ -3686,7 +3713,8 @@ www IN CNAME example. </varlistentry> <varlistentry> - <term><systemitem class="fqdomainname">ns1.example.org.</systemitem></term> + <term><systemitem *** DIFF OUTPUT TRUNCATED AT 1000 LINES ***
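Review bot: in the @@ -1618 hunk the re-wrap splits a start tag across lines (`<systemitem` on one line, `class="groupname">wheel</systemitem>` on the next); XML tolerates whitespace inside a start tag, but it breaks simple greps such as `class="groupname">wheel` that translators and later editors rely on. The same split recurs in the @@ -1824, @@ -3038, @@ -3102 and @@ -3677 hunks; where the line would still fit, prefer breaking before the whole element rather than between the element name and its attribute.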
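Review bot: the @@ -2567 hunk leaves an underfilled line: `2131</link>.` stands alone and `Informational resources are also available at <link` starts a new line, although `2131</link>. Informational resources are also` would fit the wrap width used everywhere else in this commit. The trailing line with the full `xlink:href="http://www.isc.org/downloads/dhcp/"` URL cannot be broken and is fine as-is.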
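Review bot: the @@ -2898 hunk re-wraps `The installation includes dhcrelay(8) which provides more detail.` with the man page reference still as plain text, while the rest of the chapter uses entities such as `&man.ypbind.8;` (see the @@ -1603 hunk). Leaving it untouched is correct for a whitespace-only commit, but it is worth a follow-up to mark it up consistently (a `&man.*;` entity if one is defined for this port-installed page, otherwise `<citerefentry>`), since it was also a nit that a plain-text reference gives the reader no cross-link.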
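Review bot: the @@ -2939 hunk carries over the wording `BIND is maintained by the <link xlink:href="https://www.isc.org/">isc.org</link>.`, where the article makes the sentence read oddly. Not for this whitespace-only commit, but a follow-up could reword it to `maintained by <link xlink:href="https://www.isc.org/">ISC</link>` (Internet Systems Consortium is already spelled out in the @@ -2706 hunk), which also removes the need to re-wrap this line again later.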