Document retrieved from a search engine cache. Original document address: http://itpm.msu.su/LDP/LinuxAdministration/linux-admin-made-easy-7.html
Date modified: Sun Apr 18 13:35:40 1999
Linux Administration Made Easy: Custom Configuration and Administration Issues

7. Custom Configuration and Administration Issues

For both personal use as well as at work, I was able to start with a standard installation of the Red Hat Linux distribution and provide services "out-of-the-box" with little or no changes to default configuration settings.

However, there were a number of small changes and extra services that were necessary to provide all the Internet, file & print services, and other services that are in use at my place of employment. The local administrator should be aware of the following:

7.1 Web Server and HTTP Caching Proxy Administration

(WARNING: DISREGARD THIS SECTION!)

  1. Create an Internet user as per normal. The "shell" account should be ``/bin/bash'' (as FTP requires a valid shell).

  2. ``cd /home ; chown root.root theuser'' This makes "theuser"'s directory belong to root, for security reasons.

  3. ``cd /home/theuser ; mkdir www ; chown theuser.theuser www'' This creates their "www" directory, and sets ownership so they can read/write to it.

  4. ``echo "exit" > .profile'' This creates a ``.profile'' file with the single line ``exit'' in it. If the user tries to log in via telnet, they will get disconnected immediately.

  5. Do an ``ls -l'' and make sure there are only 2 files in the directory (not including ``..'' and ``.''): All other files can be deleted (eg. ``rm .less ; rm .lessrc'')

  6. If the user needs to have e-mail forwarding enabled you could create a .forward file which simply has the proper e-mail as the first and only line in the file.

That's it. The user can use FTP to update the pages.

7.2 Domain Name Server (DNS) Configuration and Administration

At my place of employment, we are using Linux as a DNS server. It performs exceptionally well. This section will address configuration of DNS tables for these services under Linux.

Configuring DNS services under Linux involves the following steps:

  1. To enable DNS services, the ``/etc/host.conf'' file should look like this:


    # Lookup names via /etc/hosts first, then by DNS query
    order hosts, bind
    # We don't have machines with multiple addresses
    multi on
    # Check for IP address spoofing
    nospoof on
    # Warn us if someone attempts to spoof
    alert on
    

    The extra spoof detection adds a bit of a performance hit to DNS lookups (although negligible), so if you're not too worried about this you may wish to disable the "nospoof" and "alert" entries.

  2. Configure the ``/etc/hosts'' file as needed. Typically there doesn't need to be much in here, but for improved performance you can add any hosts you access often (such as local servers) to avoid performing DNS lookups on them.

  3. The ``/etc/named.boot'' file should be configured to point to your DNS tables as follows (Note: IP addresses shown are examples only and must be replaced with your own class addresses!):


    ; DNS tables are located in the /var/named directory
    directory               /var/named
    ; Enable caching and load root server info
    cache           named.root
    ; All our DNS information is stored in /var/named/mydomain_name.db
    ; (eg. if mydomain.name = foobar.com then use foobar_com.db)
    primary         mydomain.name           mydomain_name.db
    ; Reverse lookups for 123.12.41.*, .42.*, .43.*, .44.* class C's
    ; (these are example Class C's only -- do not use!)
    primary         12.123.IN-ADDR.ARPA     123_12.rev
    ; Reverse lookups for 126.27.18.*, .19.*, .20.* class C's
    ; (these are example Class C's only -- do not use!)
    primary         27.126.IN-ADDR.ARPA     126_27.rev
    ; Forward any unresolved requests to our ISP's name server
    ; (this is an example IP address only -- do not use!)
    forwarders      123.12.40.17
    

  4. Now you can set up your DNS tables in the ``/var/named/'' directory as configured in the ``/etc/named.boot'' file in step three. Configuring DNS database files for the first time is a major undertaking, and is beyond the scope of this document. There are several guides, online and in printed form, that should be referred to. However, several examples are provided below.

    Sample entries in the ``/var/named/mydomain_name.db'' forward lookup file:


    ; This is the Start of Authority (SOA) record.  Contains contact
    ; & other information about the name server.  The serial number
    ; must be changed whenever the file is updated (to inform secondary
    ; servers that zone information has changed).
        @ IN SOA mydomain.name.  postmaster.mydomain.name. (
            19990415        ; Serial number
            3600            ; 1 hour refresh
            300             ; 5 minutes retry
            172800          ; 2 days expiry
            43200 )         ; 12 hours minimum
    
    ; List the name servers in use.  Unresolved (entries in other zones)
    ; will go to our ISP's name server isp.domain.name.com
            IN NS           mydomain.name.
            IN NS           isp.domain.name.com.
    
    ; This is the mail-exchanger.  You can list more than one (if
    ; applicable), with the integer field indicating priority (lowest
    ; being a higher priority)
            IN MX           10 mail.mydomain.name.
    
    ; Provides optional information on the machine type & operating system
    ; used for the server
            IN HINFO        Pentium/350     LINUX
    
    ; A list of machine names & addresses
        spock.mydomain.name.    IN A    123.12.41.40   ; OpenVMS Alpha
        mail.mydomain.name.     IN A    123.12.41.41   ; Linux (main server)
        kirk.mydomain.name.     IN A    123.12.41.42   ; Windows NT (blech!)
    
    ; Including any in our other class C's
        twixel.mydomain.name.   IN A    126.27.18.161  ; Linux test machine
        foxone.mydomain.name.   IN A    126.27.18.162  ; Linux devel. kernel
    
    ; Alias (canonical) names
        gopher      IN CNAME        mail.mydomain.name.
        ftp         IN CNAME        mail.mydomain.name.
        www         IN CNAME        mail.mydomain.name.
    

    Sample entries in the ``/var/named/123_12.rev'' reverse lookup file:


    ; This is the Start of Authority record.  Same as in forward lookup table.
        @ IN SOA mydomain.name.  postmaster.mydomain.name. (
            19990415        ; Serial number
            3600            ; 1 hour refresh
            300             ; 5 minutes retry
            172800          ; 2 days expiry
            43200 )         ; 12 hours minimum
    
    ; Name servers listed as in forward lookup table
            IN NS           mail.mydomain.name.
            IN NS           isp.domain.name.com.
    
    ; A list of machine names & addresses, in reverse.  We are mapping
    ; more than one class C here, so we need to list the class B portion
    ; as well.
        40.41       IN PTR    spock.mydomain.name.
        41.41       IN PTR    mail.mydomain.name.
        42.41       IN PTR    kirk.mydomain.name.
    
    ; As you can see, we can map our other class C's as long as they are
    ; under the 123.12.* class B addresses
        24.42       IN PTR    tsingtao.mydomain.name.
        250.42      IN PTR    redstripe.mydomain.name.
        24.43       IN PTR    kirin.mydomain.name.
        66.44       IN PTR    sapporo.mydomain.name.
    
    ; No alias (canonical) names should be listed in the reverse lookup
    ; file (for obvious reasons).
    

    Any other reverse lookup files needed to map addresses in a different class B (such as 126.27.*) can be created, and would look much the same as the example reverse lookup file above.

  5. Make sure the named daemon is running. This daemon is usually started from the ``/etc/rc.d/init.d/named'' file upon system boot. You can also start and stop the daemon manually; type ``named start'' and ``named stop'', respectively.

  6. Whenever changes are made to the DNS tables, the DNS server should be restarted by typing ``/etc/rc.d/init.d/named restart''. You may then wish to test your changes by using a tool such as "nslookup" to query the machine you have added or changed.
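Since the forward and reverse tables above are maintained by hand, the two most common mistakes are an A record with no matching PTR (or vice versa) and an edit that forgets to bump the SOA serial, so secondaries never pick up the change. The following Python script is an added example, not part of this guide or of BIND: it parses zone files in the format shown above, reconstructs each PTR's address from the zone origin given in ``named.boot'' (``12.123.IN-ADDR.ARPA''), and reports mismatches. The two zone texts embedded in it are constructed from the page's sample entries and shortened, with one unmatched A record and one unmatched PTR left in on purpose.

```python
import ipaddress
import re

# Constructed sample zones, modelled on the page's /var/named examples but
# shortened; the "kirk" A record and the "tsingtao" PTR are deliberately
# left unmatched so the check has something to report.
FORWARD_ZONE = """\
@ IN SOA mydomain.name. postmaster.mydomain.name. (
        19990415        ; Serial number
        3600 300 172800 43200 )
        IN NS   mydomain.name.
        IN MX   10 mail.mydomain.name.
spock.mydomain.name.    IN A    123.12.41.40    ; OpenVMS Alpha
mail.mydomain.name.     IN A    123.12.41.41    ; Linux (main server)
kirk.mydomain.name.     IN A    123.12.41.42    ; no PTR below
twixel.mydomain.name.   IN A    126.27.18.161   ; other class B, skipped
www                     IN CNAME mail.mydomain.name.
"""

REVERSE_ZONE = """\
@ IN SOA mydomain.name. postmaster.mydomain.name. (
        19990415        ; Serial number
        3600 300 172800 43200 )
        IN NS   mail.mydomain.name.
40.41   IN PTR  spock.mydomain.name.
41.41   IN PTR  mail.mydomain.name.
24.42   IN PTR  tsingtao.mydomain.name.         ; no A record above
"""
REVERSE_ORIGIN = "12.123.IN-ADDR.ARPA"   # zone name from /etc/named.boot


def strip_comments(zone_text):
    """Return the non-blank lines of a zone file with ';' comments removed."""
    lines = []
    for line in zone_text.splitlines():
        code = line.split(";", 1)[0].rstrip()
        if code.strip():
            lines.append(code)
    return lines


SOA_SERIAL_RE = re.compile(r"\bSOA\b.*?\(\s*(\d+)", re.S)
A_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?IN\s+A\s+(\d{1,3}(?:\.\d{1,3}){3})$", re.I)
PTR_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?IN\s+PTR\s+(\S+)$", re.I)


def soa_serial(zone_text):
    """SOA serial as an int, or None when the zone has no SOA record."""
    match = SOA_SERIAL_RE.search("\n".join(strip_comments(zone_text)))
    return int(match.group(1)) if match else None


def serial_was_bumped(old_serial, new_serial):
    """Secondaries only transfer a zone when its serial increases."""
    return new_serial > old_serial


def forward_a_records(zone_text):
    """Map owner name -> address for every 'IN A' line."""
    records = {}
    for line in strip_comments(zone_text):
        match = A_RE.match(line.strip())
        if match:
            records[match.group(1).lower()] = match.group(2)
    return records


def reverse_ptr_records(zone_text, origin):
    """Map address -> name for every PTR line, rebuilding the address from
    the zone origin: under 12.123.IN-ADDR.ARPA, '40.41' is 123.12.41.40."""
    net_labels = origin.upper().replace(".IN-ADDR.ARPA", "").split(".")
    prefix = ".".join(reversed(net_labels))           # "12.123" -> "123.12"
    records = {}
    for line in strip_comments(zone_text):
        match = PTR_RE.match(line.strip())
        if match:
            host = ".".join(reversed(match.group(1).split(".")))   # "40.41" -> "41.40"
            records[f"{prefix}.{host}"] = match.group(2).lower()
    return records


def cross_check(forward, reverse, network):
    """List forward/reverse mismatches for addresses inside 'network', the
    class B the reverse file covers; other addresses belong to other files."""
    net = ipaddress.ip_network(network)
    issues = []
    for name, ip in forward.items():
        if ipaddress.ip_address(ip) not in net:
            continue
        if ip not in reverse:
            issues.append(f"no PTR for {name} ({ip})")
        elif reverse[ip] != name:
            issues.append(f"PTR for {ip} is {reverse[ip]}, A record is {name}")
    for ip, name in reverse.items():
        if name not in forward:
            issues.append(f"PTR {ip} -> {name} has no matching A record")
    return issues


if __name__ == "__main__":
    fwd = forward_a_records(FORWARD_ZONE)
    rev = reverse_ptr_records(REVERSE_ZONE, REVERSE_ORIGIN)
    for issue in cross_check(fwd, rev, "123.12.0.0/16"):
        print(issue)
    print("serials:", soa_serial(FORWARD_ZONE), soa_serial(REVERSE_ZONE))
```

Run it against the real files by reading ``/var/named/mydomain_name.db'' and ``/var/named/123_12.rev'' into the two strings; addresses outside the class B (the 126.27.* machines) are skipped because they belong to a different reverse file, and ``serial_was_bumped'' compares the serial of the edited file against the one currently loaded before you run ``/etc/rc.d/init.d/named restart''.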

More information on configuring DNS services can be found in the ``DNS-HOWTO'' guide at http://metalab.unc.edu/Linux/HOWTO/DNS-HOWTO-5.html.

7.3 Internet User Authentication with TACACS

At my place of employment, for TACACS authentication of dial-up Internet users (who are connecting to our modem pool, which is in turn connected to a couple of Cisco 250x access servers), we are using the Vikas version of "xtacacsd".

After compiling and installing the Vikas package (latest versions are available from ftp://ftp.navya.com/pub/vikas; I don't believe the package is available in RPM format), you should add the following entries to the ``/etc/inetd.conf'' file so that the daemon will be loaded by the inetd daemon whenever a TACACS request is received.


# TACACS is a user authentication protocol used for Cisco Router products.
tacacs dgram udp wait root /etc/xtacacsd xtacacsd -c /etc/xtacacsd-conf

Next, you should edit the ``/etc/xtacacsd-conf'' file and customize it, as necessary, for your system (however you will probably be able to use the default settings as-is).

NOTE: If you are using shadow passwords (see the "Linux Password & Shadow File Formats" section for details), you will have some problems with this package. Unfortunately, PAM (Pluggable Authentication Module), which Red Hat uses for user authentication, is not supported by this package. One workaround that I use is to keep a separate ``passwd'' file in ``/usr/local/xtacacs/etc/'' which matches the one in /etc/ but is non-shadowed. This is a bit of a hassle, and if you choose to do this make sure you set permissions on the other password file to make sure it is only readable by root:

chmod a-wr,u+r /usr/local/xtacacs/etc/passwd

If you do indeed use shadow, you will most certainly need to edit the ``/etc/xtacacsd-conf'' file and specify the location of the non-shadowed password file (assuming you are using the workaround I have suggested above).
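The workaround above leaves a second copy of the account database that has to stay in sync with ``/etc/passwd'' and must stay readable by root only. The Python script below is an added example, not part of this guide or of the xtacacsd package: it compares the two files field by field (everything except the password field) and checks the copy's mode and owner against what ``chmod a-wr,u+r'' is meant to produce. The two passwd texts embedded in it are constructed; the hash strings in the copy are placeholders, not real hashes.

```python
import os
import stat

# Constructed sample files: the shadowed system /etc/passwd ('x' in field 2)
# and the non-shadowed copy kept in /usr/local/xtacacs/etc/ for xtacacsd.
# "theuser" has a different shell in the copy and "newuser" has not been
# copied yet, so the comparison has something to report.
SYSTEM_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
theuser:x:501:501:Internet User:/home/theuser:/bin/bash
newuser:x:502:502:New Dial-up User:/home/newuser:/bin/bash
"""
XTACACS_PASSWD = """\
root:$1$constructed$notarealhash:0:0:root:/root:/bin/bash
theuser:$1$constructed$notarealhash:501:501:Internet User:/home/theuser:/bin/false
"""


def parse_passwd(text):
    """Map login name -> the five non-password fields of a passwd(5) line."""
    accounts = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue   # malformed line; passwd(5) has exactly seven fields
        name, _password, *rest = fields
        accounts[name] = rest   # uid, gid, gecos, home, shell
    return accounts


def compare_accounts(system_text, copy_text):
    """Report accounts that differ between /etc/passwd and the xtacacs copy
    in anything other than the password field."""
    system = parse_passwd(system_text)
    copy = parse_passwd(copy_text)
    problems = []
    for name in sorted(set(system) | set(copy)):
        if name not in copy:
            problems.append(f"{name}: present in /etc/passwd but missing from copy")
        elif name not in system:
            problems.append(f"{name}: present in copy but not in /etc/passwd")
        elif system[name] != copy[name]:
            problems.append(f"{name}: uid/gid/gecos/home/shell differ from /etc/passwd")
    return problems


def permission_problems(mode, uid):
    """Given st_mode and st_uid of the copy, list every way it is more exposed
    than 'chmod a-wr,u+r' intends: owned by root, readable by root only, not writable."""
    problems = []
    if uid != 0:
        problems.append("not owned by root")
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        problems.append("readable by group or others")
    if mode & (stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH):
        problems.append("writable")
    return problems


def check_copy(path):
    """Stat a real file (e.g. /usr/local/xtacacs/etc/passwd) and return its problems."""
    st = os.stat(path)
    return permission_problems(st.st_mode, st.st_uid)


if __name__ == "__main__":
    for problem in compare_accounts(SYSTEM_PASSWD, XTACACS_PASSWD):
        print(problem)
    print(permission_problems(0o100644, 0))   # the mode a plain 'cp' would leave behind
```

A plain ``cp /etc/passwd`` followed by editing the hashes in leaves mode 0644, which the second check reports as readable by group and others; the comparison is worth running from cron after every ``useradd`` so the two files do not drift apart.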

The next step is to configure your access server(s) to authenticate logins for the desired devices (such as dial-up modems) with TACACS. Here is a sample session on how this is done:

mail:/tftpboot# telnet xyzrouter
Escape character is '^]'.

User Access Verification

Password: ****
xyzrouter> enable
Password: ****
xyzrouter# config terminal
Enter configuration commands, one per line. End with CNTL/Z.
xyzrouter(config)# tacacs-server attempts 3
xyzrouter(config)# tacacs-server authenticate connections
xyzrouter(config)# tacacs-server extended
xyzrouter(config)# tacacs-server host 123.12.41.41
xyzrouter(config)# tacacs-server notify connections
xyzrouter(config)# tacacs-server notify enable
xyzrouter(config)# tacacs-server notify logouts
xyzrouter(config)# tacacs-server notify slip
xyzrouter(config)# line 2 10
xyzrouter(config-line)# login tacacs
xyzrouter(config-line)# exit
xyzrouter(config)# exit
xyzrouter# write
Building configuration...
[OK]
xyzrouter# exit
Connection closed by foreign host.

All TACACS activity log messages will be recorded in ``/var/log/messages'' for your perusal.

7.4 Windows-style File and Print Services with Samba

Linux can provide SMB services (eg. WfW, Win95, and NT-style network file & printer sharing), using the Samba package. This section will describe how to configure shares, and how to access them from client machines.

The Samba package is included with the Red Hat distribution; you can check if it is installed and what version you have by typing:

rpm -q samba

If it isn't installed, you will need to install it using the RPM utility. See the "Using the Red Hat Package Manager (RPM)" section for details on how to do this.

The most important Samba files you should concern yourself with are:

/etc/smb.conf

Samba configuration file where shares and other configuration parameters are set up (see below)

/var/log/samba/

Location of Samba log files

/home/samba/

Suggested location where file shares should be set up. However, you should choose a location where you have enough space on the file system to accommodate the files you will store. Personally, I usually set up a large partition mounted on /archive/ and place my shares here.

The file ``/etc/smb.conf'' contains configuration information on file & print shares. The first few lines of the file contain global configuration directives, which are common to all shares (unless they are over-ridden on a per-share basis), followed by share sections.

The Samba installation includes a default smb.conf file which in many cases should be adequate for your needs and require only a few changes.

Here is an example of this file (which I have heavily customized to show you some of the more important and interesting options):


# Items common to all shares (unless over-ridden on a per-share basis)
[global]
   # Number of minutes of inactivity before client is disconnected
   # to avoid consuming resources.  Most clients will automatically
   # reconnect so this is a good idea to enable.
   dead time = 10

   # Don't let users connect as "root", just-in-case.  :-)
   invalid users = root

   # Specify the account for guest shares (shares that don't require
   # a password to connect to.  This username must be a valid user
   # in the /etc/passwd file.
   guest account = guest

   # Specify where log files should be written to.  The "%m" suffix
   # means that log files will be created in the format
   # log.machine-name (eg. "log.twixel")
   log file = /usr/local/samba/logs/log.%m

   # Maximum size of log file, in Kilobytes.
   max log size = 1000

   # Password level 3 means that case is not an issue when entering
   # passwords.  A little less secure than level 1 or 2 would be,
   # but seems to be a fair compromise for user convenience.
   password level = 3

   # Specify that all shares should appear in the browse list
   # (override any you don't want on a per-share basis).
   browseable = yes

   # If this is enabled, you can see active connections using the
   # "smbstatus" command.
   status = yes

   # The level of debugging information that is recorded in the log
   # files.  Higher values generate more information (which is
   # probably not very useful, most of the time).
   debug level = 2

   # This will send any Windows-style "POPUP" messages received on
   # the server to the postmaster by e-mail.  Not very useful, but
   # an interesting demonstration of what can be accomplished.
   message command = /bin/mail -s 'Message from %f on %m' postmaster < %s; rm %s &

   # This is a form of caching that, when enabled, may improve
   # performance when reading files.
   read prediction = true

   # A list of services that should be added automatically to the
   # browse-list.
   auto services = cdrom

   # The location of your "printcap" file, a text file containing
   # definitions for your printers.
   printcap name = /etc/printcap

   # If enabled all printers in the /etc/printcap file will be
   # loaded into the browse-list.
   load printers = yes

   # The print command by which data is spooled to a printer under Linux.
   print command = lpr -r -P%p %s

   # The print command by which job queue information (printer status)
   # can be obtained.
   lpq command = lpq -P%p

   # The print command by which unwanted print jobs can be deleted
   # from the queue.
   lprm command = lprm -P%p %j

   # The level at which Samba advertises itself for browse elections.
   # Currently set to a high value to give it an even "foot-hold" with
   # any swarmy NT servers on the network.  :-)
   os level = 34

# These are user's personal shares.  If the client's username matches on the
# server, they can access their home directory (provided they enter the
# correct password).
[homes]
   # The comments appear in the browse list.
   comment = Home Directories

   # This matches the username of the client to that of the share.
   # If they do not match, no share will be displayed in the browse
   # list, or available to connect to.
   user = %S

   # The path to the share.  For example, "smithj" would map to
   # "/home/smithj"
   path = /home/%S

   # If enabled, allow read/write access to the shares.
   writeable = yes

   # Just an inverted synonym for "writeable".  We don't *really* need
   # to use both.  :-)
   read only = no

   # Keep this disabled so that a password is required to access these 
   # shares.
   public = no

   # We don't want this share (after all, it is private) to appear in
   # the browse-list of other users.
   browseable = no

# This is a publicly available print share, called "hp_laser".  It appears
# on the browse lists and can be accessed without a password by any client.
[hp_laser]
   # The comment that appears in the browse-list.
   comment = Main office printer (HP Laserjet 400)

   # The username that this share is accessed as (guest means all users).
   user = guest

   # All generated print files will first be created in the /tmp
   # directory.
   path = /tmp

   # Do not allow file creation except through print spooling.
   writeable = no

   # Set permissions accordingly -- root access to print jobs only.
   create mode = 0700

   # If this is enabled a password is not required to access the share.
   public = yes

   # This should be enabled to indicate that this is a printer share.
   printable = yes

# Here is a service providing access to the CD-ROM device.
[cdrom]
   comment = Shared CD-ROM drive on Linux
   user = guest
   path = /cdrom
   writeable = no
   read only = true
   browseable = yes
   public = yes
   guest ok = yes
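Several of the comments in the file above describe trade-offs (``password level'' above 0 is less secure, ``invalid users = root'' is a precaution, ``[homes]`` must not be public or browseable, and a share that is both ``public'' and ``writeable'' needs no password to write). The Python script below is an added example, not part of this guide or of Samba: it parses an ``smb.conf'' with the standard-library ``configparser`` and reports those settings, treating ``writeable``/``read only`` and ``public``/``guest ok`` as the synonyms Samba documents them to be. The configuration embedded in it is a trimmed copy of the page's example plus a constructed ``[dropbox]`` share that is not on the page, added so the audit has something to flag.

```python
import configparser
import io

# Constructed smb.conf modelled on the page's example, trimmed to the
# directives the checks look at, plus a "dropbox" share (not on the page)
# that is both public and writeable so the audit has something to flag.
SMB_CONF = """\
[global]
   invalid users = root
   guest account = guest
   password level = 3
   browseable = yes

[homes]
   comment = Home Directories
   path = /home/%S
   writeable = yes
   public = no
   browseable = no

[hp_laser]
   path = /tmp
   writeable = no
   public = yes
   printable = yes

[cdrom]
   path = /cdrom
   read only = true
   public = yes
   guest ok = yes

[dropbox]
   path = /home/samba/drop
   writeable = yes
   public = yes
"""


def parse_smb_conf(text):
    """Parse smb.conf with configparser: '#' and ';' start comments, and
    interpolation is off because values such as 'log.%m' contain '%'."""
    parser = configparser.ConfigParser(interpolation=None, comment_prefixes=("#", ";"))
    parser.read_file(io.StringIO(text))
    return parser


def smb_bool(value, default=False):
    """Samba accepts yes/true/1 and no/false/0 (case-insensitive)."""
    if value is None:
        return default
    return value.strip().lower() in ("yes", "true", "1")


def share_is_writeable(section):
    """'writeable' and 'read only' are inverted synonyms; honour whichever is set."""
    if "writeable" in section:
        return smb_bool(section["writeable"])
    if "read only" in section:
        return not smb_bool(section["read only"])
    return False   # a share is read only unless told otherwise


def share_is_public(section):
    """'public' and 'guest ok' are synonyms."""
    return smb_bool(section.get("public")) or smb_bool(section.get("guest ok"))


def audit_smb_conf(text):
    """Return findings about the settings the page itself calls out as weaker."""
    conf = parse_smb_conf(text)
    findings = []
    glob = conf["global"] if conf.has_section("global") else {}
    if "root" not in glob.get("invalid users", "").split():
        findings.append("[global] 'invalid users' does not list root")
    if int(glob.get("password level", "0")) > 0:
        findings.append("[global] password level > 0 makes password case-insensitive")
    for name in conf.sections():
        if name == "global":
            continue
        section = conf[name]
        if (share_is_public(section) and share_is_writeable(section)
                and not smb_bool(section.get("printable"))):
            findings.append(f"[{name}] file share is writable without a password")
        if name == "homes" and (share_is_public(section)
                                or smb_bool(section.get("browseable"))):
            findings.append("[homes] should be neither public nor browseable")
    return findings


if __name__ == "__main__":
    for finding in audit_smb_conf(SMB_CONF):
        print(finding)
```

Printer shares are excluded from the writable-without-password check because a ``printable`` share has to accept spool files from guests; that is exactly why the ``[hp_laser]`` section above also sets ``writeable = no`` and ``create mode = 0700``, so nothing but the spooler can create files under ``/tmp``.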

Note: Recent versions of Samba, from 2.0 onwards, provide a very slick web-based configuration utility called ``swat'', which makes the process much more user-friendly. The utility listens on TCP port 901 of your server, so to use the utility just point your favourite web browser as follows:

mydomain.name:901

(Of course, in order to use the SWAT utility you will need to have a web server running, such as Apache. See the "Web Server and HTTP Caching Proxy Administration" section for details.)

The latest Samba versions also add considerable features in comparison with versions prior to 2.0. It is worth taking the time to upgrade this package.

A client must have a TCP/IP network stack running in order to connect to shares. Further, for browsing to work, the TCP/IP protocol must be bound to NETBEUI. Under Windows 95 this can be configured from the "Network" icon from within the Control Panel.

Assuming the client has been configured properly, you should see the server shares appear in their "Network Neighborhood" (or equivalent browsing scheme if you are not using Windows 95/NT). You can then map network drives from the network neighborhood, or type in an absolute path to the share (eg. "\\mail\cdrom"). If the shared service requires a password to be entered, you will be prompted for one.

More information on Samba can be obtained from the Samba Home Page at http://samba.anu.edu.au/samba/.

7.5 Macintosh-style File and Print Services with Netatalk

Linux can also provide Appleshare services (eg. Macintosh-style network file & printer sharing), using the Netatalk package. This section will describe how to configure shares, and how to access them from client machines.

In order to use Netatalk, you will need to have Appletalk networking support in your Linux kernel. Stock kernels from Red Hat usually already include this support as a module, or you can compile your own custom kernel with such support. Note: Make sure Appletalk support is compiled in as a module and not included as part of the kernel (see the "Linux Kernel Upgrades" section for details on how to upgrade or customize the Linux kernel). Otherwise you will have difficulties when stopping and then restarting the Netatalk daemon.

Once you have ensured your kernel is capable of supporting Appletalk, you will need to install the Netatalk package. Because Netatalk is not included with the Red Hat distribution, you will have to download and install a copy. The Netatalk package can be found on Red Hat's "contrib" site, at ftp://contrib.redhat.com/libc6/i386/.

After Netatalk has been installed, you may need to modify one or more configuration files in ``/etc/atalk/''. Most of the files contain sample configuration examples, and therefore are at least somewhat self-documenting. The files are:

config

This file contains configuration information for tuning your Netatalk daemon. This information is specified in environment variables, and this file is "sourced" (ie. read) by the Netatalk start up script before the service is started. You can specify the number of simultaneous connections, whether or not guest logins are allowed, etc. You will almost certainly want to modify this file according to your needs.

atalk.conf

This file contains information on which network interface to use, as well as your Appletalk routing, name registration, and other related information. You will likely not need to modify this file; the required network information is detected and added to this file the first time you start the Netatalk server. However, you may wish to add your server name. Note: Type ``man atalkd'' for more information on this file.

afpd.conf

This file allows you to specify additional parameters which are passed to Netatalk by means of command-line options. You can specify which port or IP address you wish to run the Netatalk server on, add a login message that is displayed to connecting users, as well as other related options. You will likely not need to modify this file. Note: Type ``man afpd'' for more information on this file.

papd.conf

The file contains configuration information for enabling Mac users to print to network printer shares. I haven't played with this yet, so unfortunately I can't offer any advice on it. Note: Type ``man papd'' for more information on this file.

AppleVolumes.default

This file lists the available file shares that a Mac user will see after logging in. To enable a share, enter the path to the file directory, followed by a textual description of it. For example:

~                "Home"
/archive/busdept "Business Department Common Files"

(The above will provide two shares to connecting Mac users: their home directory, as well as a shared area for the business department.)

Note: A neat trick here is to set up shares with the same file paths under Samba, which would provide your users with platform-independent file shares for both your Mac as well as your Windows users. See the "Windows-style File and Print Services with Samba" section for details on using Samba.

AppleVolumes.system

This file also lists file shares just like ``AppleVolumes.default'' does, the difference being that these shares will be made available to all users, regardless of whether or not they log in. This file also contains file-type mappings. You will likely not need to modify this file unless you want to add general shares available to anyone; this is probably a bad idea for most people.

Once everything has been set up with appropriate configuration information, you can start the Netatalk services manually by typing:

/etc/rc.d/init.d/atalk start

(The services should start up automatically at system boot).

More information on Netatalk can be obtained from the Netatalk Home Page at http://www.umich.edu/~rsug/netatalk/. In addition, very helpful configuration information is available in the Linux Netatalk HOWTO, available at http://thehamptons.com/anders/netatalk/.

7.6 Network File System (NFS) Services

Linux can act as both client and server for file systems shared using the Network File System (NFS) protocol, which is the de facto standard for providing file system mounts among Unix systems. Note: Please be aware that having an NFS service available on your system can be a security risk. Personally, I don't recommend using it.

In order to use NFS, you will need to ensure that NFS support has been included in your kernel or kernel modules. See the "Linux Kernel Upgrades" section for details on how to upgrade or customize the Linux kernel.

NFS shares are configured by modifying the ``/etc/exports'' file. Here are some example entries, showing some of the options available:

/archive spock.mydomain.name(ro)  
/archive2 spock.mydomain.name(ro)  
/mnt/cdrom other.domain(ro)
/archive2 10.23.14.8(ro,insecure)  

The first couple of lines allow the host ``spock.mydomain.name'' access to both the ``/archive'' as well as the ``/archive2'' directories via NFS. These shares are made available read-only with the ``(ro)'' option. For security reasons, it is a good idea to do this for all of your NFS shares if at all possible.

The third line will allow any host in the ``domain.name'' domain name space to access the CD-ROM drive. Of course, it is necessary to mount the CD-ROM device to ``/mnt/cdrom'' first. Note: Using the ``(ro)'' option to mark this device read-only may seem a bit redundant, however doing so will prevent a miscreant from writing to a real file system should the CD-ROM device not be mounted.
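Because the advice above is "read-only wherever possible", it helps to be able to list every export that is not, along with the ``insecure'' option (which lets the server accept requests from unprivileged source ports, as on the fourth line of the example) and exports open to a wildcard host. The Python script below is an added example, not part of this guide or of the NFS utilities: it parses the ``/etc/exports'' syntax shown above (path, then one or more ``host(options)'' entries) and reports those three conditions. The file embedded in it is the page's example plus one constructed ``/home *(rw)'' line that is not on the page, added as a worst case.

```python
import re
import shlex

# Constructed /etc/exports modelled on the page's example; the last line
# (not on the page) exports a home tree read-write to every host so the
# audit has a worst case to flag.
EXPORTS = """\
# comments and blank lines are ignored
/archive spock.mydomain.name(ro)
/archive2 spock.mydomain.name(ro)
/mnt/cdrom other.domain(ro)
/archive2 10.23.14.8(ro,insecure)
/home *(rw)
"""

# "host(opt1,opt2)" -> host and the option list; both parts are optional.
CLIENT_RE = re.compile(r"^([^(]*)(?:\((.*)\))?$")


def parse_exports(text):
    """Return (path, host, options) triples, one per host on each line.
    A line with no host list, or a host of '' such as '(ro)', means everyone."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = shlex.split(line)
        if not clients:
            clients = ["*"]
        for client in clients:
            match = CLIENT_RE.match(client)
            host = match.group(1) or "*"
            opts = tuple(o.strip() for o in (match.group(2) or "").split(",") if o.strip())
            entries.append((path, host, opts))
    return entries


def audit_exports(text):
    """Flag what the page warns about: exports that are not read-only,
    the 'insecure' option, and exports granted to a wildcard host."""
    findings = []
    for path, host, opts in parse_exports(text):
        where = f"{path} -> {host}"
        if "ro" not in opts:
            findings.append(f"{where}: not marked read-only")
        if "insecure" in opts:
            findings.append(f"{where}: 'insecure' accepts requests from unprivileged ports")
        if host.startswith("*"):
            findings.append(f"{where}: exported to a wildcard host")
    return findings


if __name__ == "__main__":
    for finding in audit_exports(EXPORTS):
        print(finding)
```

Run it with ``audit_exports(open("/etc/exports").read())`` before each ``/etc/rc.d/init.d/nfs restart``; an empty result means every export is read-only, port-restricted and granted to named hosts.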

After you have made changes to the ``/etc/exports'' file, you will need to restart the NFS daemon. To do so, type:

/etc/rc.d/init.d/nfs restart

You can also configure your NFS mount points with the ``Network Configurator'' tool included in the ``Linuxconf'' utility. For more information on the Linuxconf utility, see the "Configuration from A-Z with Linuxconf" section.

More information on NFS can be found in the ``NFS-HOWTO'' guide at http://metalab.unc.edu/LDP/HOWTO/NFS-HOWTO.html, as well as in the man pages on ``nfsd'' and ``exports''.

7.7 Configuration from A-Z with Linuxconf

There is an excellent tool called ``linuxconf'' which can make many configuration issues easier to do. Linuxconf runs on whatever means of display environment it has available to it -- you can run it from the console, over a telnet session, and as a GUI-based tool under X and it will automatically start up in the appropriate manner.

If you need to adjust your system time, modify your network settings, set up file systems, perform user administration, as well as perform many other administrative and configuration duties, you should give this tool a try. The only caveat I would give is that, at the time of this writing, the GUI-based tool is still a bit "buggy" and at times may stop responding to mouse clicks. However, this tool is a promising work in progress, and future revisions should become quite usable.

