Cached copy of the original document at http://itpm.msu.su/LDP/LinuxAdministration/linux-admin-made-easy-7.html (last modified Sun Apr 18 13:35:40 1999).
For both personal use as well as at work, I was able to start with a standard installation of the Red Hat Linux distribution and provide services "out-of-the-box" with little or no changes to default configuration settings.
However, there were a number of small changes and extra services that were necessary to provide all the Internet, file & print services, and other services that are in use at my place of employment. The local administrator should be aware of the following:
The ``/etc/rc.d/rc.local'' file is executed upon system start-up and contains any extra services you have added to your server that should be executed upon bootup.
The ``/etc/inetd.conf'' file (you should ensure unnecessary services were disabled, such as finger, echo, chargen; as well as add or change any services you may need).
The ``/etc/exports'' file (contains a list of hosts allowed to mount NFS volumes; see the "Network File System (NFS) Services" section for details).
The ``/etc/organization'', ``/etc/nntpserver'' and ``/etc/NNTP_INEWS_DOMAIN'' files (set as appropriate).
The ``/etc/lilo.conf'' file (contains information for the LILO boot loader -- the process which loads the Linux kernel upon bootup; see the "Booting with LILO" section for details).
The ``/etc/sudoers'' file (a list of users who should be given special privileges, along with the commands they are allowed to execute).
The ``/etc/named.boot'' file (for DNS use; see the "Domain Name Server (DNS) Configuration and Administration" section for details).
The ``/usr/local/'' directory (and subdirectories) holds extra packages or modifications to existing ones that you have installed, if you have installed from things like tarballs instead of using RPM. (Or at least, you should have installed them here.) These files, particularly in /usr/local/src/, should be kept up-to-date. See the "Upgrading Linux and Other Applications" section for details.
(WARNING: DISREGARD THIS SECTION!)
Give the user ``/bin/bash'' as their shell (as FTP requires a valid shell).
``cd /home ; chown root.root theuser'' This makes "theuser"'s directory belong to root, for security reasons.
``cd /home/theuser ; mkdir www ; chown theuser.theuser www'' This creates their "www" directory, and sets ownership so they can read/write to it.
``echo "exit" > .profile'' This creates a ``.profile'' file with the single line ``exit'' in it. If the user tries to log in via telnet, they will get disconnected immediately.
``ls -la'' and make sure there are only 2 files in the directory (not including ``..'' and ``.''); remove any others (eg. ``rm .less ; rm .lessrc'').
That's it. The user can use FTP to update the pages.
At my place of employment, we are using Linux as a DNS server. It performs exceptionally well. This section will address configuration of DNS tables for these services under Linux.
Configuring DNS services under Linux involves the following steps:
The ``/etc/host.conf'' file should look like this:
# Lookup names via /etc/hosts first, then by DNS query
order hosts, bind
# We don't have machines with multiple addresses
multi on
# Check for IP address spoofing
nospoof on
# Warn us if someone attempts to spoof
alert on
The extra spoof detection adds a bit of a performance hit to DNS lookups (although negligible), so if you're not too worried about this you may wish to disable the "nospoof" and "alert" entries.
Configure the ``/etc/hosts'' file as needed. Typically there doesn't need to be much in here, but for improved performance you can add any hosts you access often (such as local servers) to avoid performing DNS lookups on them.
The ``/etc/named.boot'' file should be configured to point to your DNS tables as follows (Note: IP addresses shown are examples only and must be replaced with your own class addresses!):
; DNS tables are located in the /var/named directory
directory /var/named
; Enable caching and load root server info
cache named.root
; All our DNS information is stored in /var/named/mydomain_name.db
; (eg. if mydomain.name = foobar.com then use foobar_com.db)
primary mydomain.name mydomain_name.db
; Reverse lookups for 123.12.41.*, .42.*, .43.*, .44.* class C's
; (these are example Class C's only -- do not use!)
primary 12.123.IN-ADDR.ARPA 123_12.rev
; Reverse lookups for 126.27.18.*, .19.*, .20.* class C's
; (these are example Class C's only -- do not use!)
primary 27.126.IN-ADDR.ARPA 126_27.rev
; Forward any unresolved requests to our ISP's name server
; (this is an example IP address only -- do not use!)
forwarders 123.12.40.17
Create the DNS tables in the ``/var/named/'' directory as configured in the ``/etc/named.boot'' file in step three. Configuring DNS database files for the first time is a major undertaking, and is beyond the scope of this document. There are several guides, online and in printed form, that should be referred to. However, several examples are provided below.
Sample entries in the ``/var/named/mydomain_name.db'' forward lookup file:
; This is the Start of Authority (SOA) record. Contains contact
; & other information about the name server. The serial number
; must be changed whenever the file is updated (to inform secondary
; servers that zone information has changed).
@       IN      SOA     mydomain.name. postmaster.mydomain.name. (
                        19990415        ; Serial number
                        3600            ; 1 hour refresh
                        300             ; 5 minutes retry
                        172800          ; 2 days expiry
                        43200 )         ; 12 hours minimum
; List the name servers in use. Unresolved (entries in other zones)
; will go to our ISP's name server isp.domain.name.com
        IN      NS      mydomain.name.
        IN      NS      isp.domain.name.com.
; This is the mail-exchanger. You can list more than one (if
; applicable), with the integer field indicating priority (lowest
; being a higher priority)
        IN      MX      10 mail.mydomain.name.
; Provides optional information on the machine type & operating system
; used for the server
        IN      HINFO   Pentium/350 LINUX
; A list of machine names & addresses
spock.mydomain.name.    IN      A       123.12.41.40    ; OpenVMS Alpha
mail.mydomain.name.     IN      A       123.12.41.41    ; Linux (main server)
kirk.mydomain.name.     IN      A       123.12.41.42    ; Windows NT (blech!)
; Including any in our other class C's
twixel.mydomain.name.   IN      A       126.27.18.161   ; Linux test machine
foxone.mydomain.name.   IN      A       126.27.18.162   ; Linux devel. kernel
; Alias (canonical) names
gopher                  IN      CNAME   mail.mydomain.name.
ftp                     IN      CNAME   mail.mydomain.name.
www                     IN      CNAME   mail.mydomain.name.
Sample entries in the ``/var/named/123_12.rev'' reverse lookup file:
; This is the Start of Authority record. Same as in forward lookup table.
@       IN      SOA     mydomain.name. postmaster.mydomain.name. (
                        19990415        ; Serial number
                        3600            ; 1 hour refresh
                        300             ; 5 minutes retry
                        172800          ; 2 days expiry
                        43200 )         ; 12 hours minimum
; Name servers listed as in forward lookup table
        IN      NS      mail.mydomain.name.
        IN      NS      isp.domain.name.com.
; A list of machine names & addresses, in reverse. We are mapping
; more than one class C here, so we need to list the class B portion
; as well.
40.41   IN      PTR     spock.mydomain.name.
41.41   IN      PTR     mail.mydomain.name.
42.41   IN      PTR     kirk.mydomain.name.
; As you can see, we can map our other class C's as long as they are
; under the 123.12.* class B addresses
24.42   IN      PTR     tsingtao.mydomain.name.
250.42  IN      PTR     redstripe.mydomain.name.
24.43   IN      PTR     kirin.mydomain.name.
66.44   IN      PTR     sapporo.mydomain.name.
; No alias (canonical) names should be listed in the reverse lookup
; file (for obvious reasons).
Any other reverse lookup files needed to map addresses in a different class B (such as 126.27.*) can be created, and would look much the same as the example reverse lookup file above.
The named daemon is started by the ``/etc/rc.d/init.d/named'' file upon system boot. You can also start and stop the daemon manually; type ``/etc/rc.d/init.d/named start'' and ``/etc/rc.d/init.d/named stop'', respectively.
Whenever you make changes to the DNS tables (remembering to increment the serial number in each zone file you edited), restart the daemon by typing ``/etc/rc.d/init.d/named restart''. You may then wish to test your changes by using a tool such as ``nslookup'' to query the machine you have added or changed.
More information on configuring DNS services can be found in the ``DNS-HOWTO'' guide at http://metalab.unc.edu/Linux/HOWTO/DNS-HOWTO-5.html.
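As an added example (not part of the original guide), the following shell script cross-checks the A records of a forward file against the PTR records of one reverse file, in the style of the two sample files above, so that stale or missing reverse entries are caught before named is restarted. The zone data embedded below is constructed, and the script assumes forward-zone names are fully qualified as in the samples.

```shell
#!/bin/sh
# Added example (not from the original guide): cross-check the A records
# in a forward zone against the PTR records in one reverse zone, the way
# you would after editing the files in /var/named. All zone data here is
# constructed; it mirrors the sample files from the text.

# Constructed forward zone excerpt (style of mydomain_name.db).
# Owner names are assumed to be fully qualified, as in the sample file.
FWD_ZONE='spock.mydomain.name.    IN  A      123.12.41.40   ; OpenVMS Alpha
mail.mydomain.name.     IN  A      123.12.41.41   ; Linux (main server)
kirk.mydomain.name.     IN  A      123.12.41.42   ; Windows NT
foxone.mydomain.name.   IN  A      123.12.41.43   ; Linux devel. kernel
twixel.mydomain.name.   IN  A      126.27.18.161  ; other class B, not checked
www                     IN  CNAME  mail.mydomain.name.'

# Constructed reverse zone for the origin below (style of 123_12.rev)
REV_ORIGIN='12.123.IN-ADDR.ARPA'
REV_ZONE='40.41    IN  PTR  spock.mydomain.name.
41.41    IN  PTR  mail.mydomain.name.
43.41    IN  PTR  foxone-old.mydomain.name.   ; stale name
24.42    IN  PTR  tsingtao.mydomain.name.'

# Turn "12.123.IN-ADDR.ARPA" into the address prefix "123.12".
rev_prefix() {
  printf '%s\n' "$REV_ORIGIN" | awk '{
    s = toupper($0); sub(/\.IN-ADDR\.ARPA\.?$/, "", s)
    n = split(s, q, "."); out = q[n]
    for (i = n - 1; i >= 1; i--) out = out "." q[i]
    print out }'
}

# Emit "address name" for every A record (comments stripped first).
fwd_pairs() {
  printf '%s\n' "$FWD_ZONE" | awk '
    { sub(/;.*/, "") }
    $2 == "IN" && $3 == "A" { print $4, $1 }'
}

# Emit "address name" for every PTR record, rebuilding the dotted
# address from the reversed owner label and the zone prefix.
rev_pairs() {
  printf '%s\n' "$REV_ZONE" | awk -v prefix="$(rev_prefix)" '
    { sub(/;.*/, "") }
    $2 == "IN" && $3 == "PTR" {
      n = split($1, q, "."); out = q[n]
      for (i = n - 1; i >= 1; i--) out = out "." q[i]
      print prefix "." out, $4 }'
}

# Report A records inside the reverse zone that have no PTR or a different
# PTR, and PTR records with no A record. Sorted for stable diffs.
zone_mismatches() {
  { fwd_pairs | sed 's/^/A /'; rev_pairs | sed 's/^/PTR /'; } |
  awk -v prefix="$(rev_prefix)." '
    $1 == "A" && index($2, prefix) == 1 { a[$2] = $3 }
    $1 == "PTR"                          { p[$2] = $3 }
    END {
      for (ip in a) {
        if (!(ip in p)) { print "A-without-PTR", ip, a[ip] }
        else if (tolower(a[ip]) != tolower(p[ip])) {
          print "PTR-mismatch", ip, a[ip], p[ip] }
      }
      for (ip in p) { if (!(ip in a)) print "PTR-without-A", ip, p[ip] }
    }' | LC_ALL=C sort
}

zone_mismatches
```

Addresses outside the reverse zone's class B (twixel above) are skipped; run the script once per reverse file to cover them all.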
At my place of employment, for TACACS authentication of dial-up Internet users (who are connecting to our modem pool, which is in turn connected to a couple of Cisco 250x access servers), we are using the Vikas version of "xtacacsd".
After compiling and installing the Vikas package (latest versions are available from ftp://ftp.navya.com/pub/vikas; I don't believe the package is available in RPM format), you should add the following entries to the ``/etc/inetd.conf'' file so that the daemon will be loaded by the inetd daemon whenever a TACACS request is received.
# TACACS is a user authentication protocol used for Cisco Router products.
tacacs dgram udp wait root /etc/xtacacsd xtacacsd -c /etc/xtacacsd-conf
Next, you should edit the ``/etc/xtacacsd-conf'' file and customize it, as necessary, for your system (however, you will probably be able to use the default settings as-is).
NOTE: If you are using shadow passwords (see the "Linux Password & Shadow File Formats" section for details), you will have some problems with this package. Unfortunately, PAM (Pluggable Authentication Modules), which Red Hat uses for user authentication, is not supported by this package. One workaround that I use is to keep a separate ``passwd'' file in ``/usr/local/xtacacs/etc/'' which matches the one in /etc/ but is non-shadowed. This is a bit of a hassle, and if you choose to do this make sure you set permissions on the other password file to make sure it is only readable by root:
chmod a-wr,u+r /usr/local/xtacacs/etc/passwd
If you do indeed use shadow, you will most certainly need to edit the ``/etc/xtacacsd-conf'' file and specify the location of the non-shadowed password file (assuming you are using the workaround I have suggested above).
The next step is to configure your access server(s) to authenticate logins for the desired devices (such as dial-up modems) with TACACS. Here is a sample session on how this is done:
mail:/tftpboot# telnet xyzrouter
Escape character is '^]'.
User Access Verification
Password: ****
xyzrouter> enable
Password: ****
xyzrouter# config terminal
Enter configuration commands, one per line. End with CNTL/Z.
xyzrouter(config)# tacacs-server attempts 3
xyzrouter(config)# tacacs-server authenticate connections
xyzrouter(config)# tacacs-server extended
xyzrouter(config)# tacacs-server host 123.12.41.41
xyzrouter(config)# tacacs-server notify connections
xyzrouter(config)# tacacs-server notify enable
xyzrouter(config)# tacacs-server notify logouts
xyzrouter(config)# tacacs-server notify slip
xyzrouter(config)# line 2 10
xyzrouter(config-line)# login tacacs
xyzrouter(config-line)# exit
xyzrouter(config)# exit
xyzrouter# write
Building configuration...
[OK]
xyzrouter# exit
Connection closed by foreign host.
All TACACS activity log messages will be recorded in ``/var/log/messages'' for your perusal.
Linux can provide SMB services (eg. WfW, Win95, and NT-style network file & printer sharing), using the Samba package. This section will describe how to configure shares, and how to access them from client machines.
The Samba package is included with the Red Hat distribution; you can check if it is installed and what version you have by typing:
rpm -q samba
If it isn't installed, you will need to install it using the RPM utility. See the "Using the Red Hat Package Manager (RPM)" section for details on how to do this.
The most important Samba files you should concern yourself with are:
``/etc/smb.conf'': the Samba configuration file where shares and other configuration parameters are set up (see below).
The location of the Samba log files.
The suggested location where file shares should be set up. However, you should choose a location where you have enough space on the file system to accommodate the files you will store. Personally, I usually set up a large partition mounted on /archive/ and place my shares here.
The file ``/etc/smb.conf'' contains configuration information on file & print shares. The first few lines of the file contain global configuration directives, which are common to all shares (unless they are over-ridden on a per-share basis), followed by share sections.
The Samba installation includes a default smb.conf file which in many cases should be adequate for your needs and require only a few changes.
Here is an example of this file (which I have heavily customized to show you some of the more important and interesting options):
# Items common to all shares (unless over-ridden on a per-share basis)
[global]
# Number of minutes of inactivity before client is disconnected
# to avoid consuming resources. Most clients will automatically
# reconnect so this is a good idea to enable.
dead time = 10
# Don't let users connect as "root", just-in-case. :-)
invalid users = root
# Specify the account for guest shares (shares that don't require
# a password to connect to. This username must be a valid user
# in the /etc/passwd file.
guest account = guest
# Specify where log files should be written to. The "%m" suffix
# means that log files will be created in the format
# log.machine-name (eg. "log.twixel")
log file = /usr/local/samba/logs/log.%m
# Maximum size of log file, in Kilobytes.
max log size = 1000
# Password level 3 means that case is not an issue when entering
# passwords. A little less secure than level 1 or 2 would be,
# but seems to be a fair compromise for user convenience.
password level = 3
# Specify that all shares should appear in the browse list
# (override any you don't want on a per-share basis).
browseable = yes
# If this is enabled, you can see active connections using the
# "smbstatus" command.
status = yes
# The level of debugging information that is recorded in the log
# files. Higher values generate more information (which is
# probably not very useful, most of the time).
debug level = 2
# This will send any Windows-style "POPUP" messages received on
# the server to the postmaster by e-mail. Not very useful, but
# an interesting demonstration of what can be accomplished.
message command = /bin/mail -s 'Message from %f on %m' postmaster < %s; rm %s &
# This is a form of caching that, when enabled, may improve
# performance when reading files.
read prediction = true
# A list of services that should be added automatically to the
# browse-list.
auto services = cdrom
# The location of your "printcap" file, a text file containing
# definitions for your printers.
printcap name = /etc/printcap
# If enabled all printers in the /etc/printcap file will be
# loaded into the browse-list.
load printers = yes
# The print command by which data is spooled to a printer under Linux.
print command = lpr -r -P%p %s
# The print command by which job queue information (printer status)
# can be obtained.
lpq command = lpq -P%p
# The print command by which unwanted print jobs can be deleted
# from the queue.
lprm command = lprm -P%p %j
# The level at which Samba advertises itself for browse elections.
# Currently set to a high value to give it an even "foot-hold" with
# any swarmy NT servers on the network. :-)
os level = 34
# These are user's personal shares. If the client's username matches on the
# server, they can access their home directory (provided they enter the
# correct password).
[homes]
# The comments appear in the browse list.
comment = Home Directories
# This matches the username of the client to that of the share.
# If they do not match, no share will be displayed in the browse
# list, or available to connect to.
user = %S
# The path to the share. For example, "smithj" would map to
# "/home/smithj"
path = /home/%S
# If enabled, allow read/write access to the shares.
writeable = yes
# Just an inverted synonym for "writeable". We don't *really* need
# to use both. :-)
read only = no
# Keep this disabled so that a password is required to access these
# shares.
public = no
# We don't want this share (after all, it is private) to appear in
# the browse-list of other users.
browseable = no
# This is a publicly available print share, called "hp_laser". It appears
# on the browse lists and can be accessed without a password by any client.
[hp_laser]
# The comment that appears in the browse-list.
comment = Main office printer (HP Laserjet 400)
# The username that this share is accessed as (guest means all users).
user = guest
# All generated print files will first be created in the /tmp
# directory.
path = /tmp
# Do not allow file creation except through print spooling.
writeable = no
# Set permissions accordingly -- root access to print jobs only.
create mode = 0700
# If this is enabled a password is not required to access the share.
public = yes
# This should be enabled to indicate that this is a printer share.
printable = yes
# Here is a service providing access to the CD-ROM device.
[cdrom]
comment = Shared CD-ROM drive on Linux
user = guest
path = /cdrom
writeable = no
read only = true
browseable = yes
public = yes
guest ok = yes
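As an added example (not from the original guide or the Samba project), here is a small audit script that reads an smb.conf like the one above and flags the settings that most affect exposure: whether root is kept out via "invalid users", whether "password level" relaxes case matching, and any share that guests can both reach and write to. The config it embeds is constructed; the script folds the Samba synonyms "writable", "write ok", "read only" and "public" onto one name before checking.

```shell
#!/bin/sh
# Added example (not from the original guide or Samba): audit an smb.conf
# for the settings that most affect exposure. Sample config is constructed.

SMB_CONF='# constructed sample, loosely based on the file in the text
[global]
   invalid users = root
   password level = 3
   guest account = guest

[homes]
   comment = Home Directories
   path = /home/%S
   writeable = yes
   public = no

[hp_laser]
   path = /tmp
   writeable = no
   public = yes
   printable = yes

[dropbox]
   comment = anyone on the LAN can write here
   path = /archive/dropbox
   read only = no
   guest ok = yes'

# Read an smb.conf on stdin; print one finding per line:
# SEVERITY SECTION MESSAGE
smb_audit() {
  awk '
    function norm(s) {
      gsub(/^[ \t]+|[ \t]+$/, "", s); gsub(/[ \t]+/, " ", s); return tolower(s)
    }
    function istrue(v) { return v ~ /^(yes|true|1)$/ }
    /^[ \t]*[;#]/ || /^[ \t]*$/ { next }              # comments, blank lines
    /^[ \t]*\[/ {                                     # [section] header
      sec = norm($0); sub(/^\[/, "", sec); sub(/\].*$/, "", sec)
      order[++n] = sec; next
    }
    {
      eq = index($0, "="); if (!eq) next
      key = norm(substr($0, 1, eq - 1)); val = norm(substr($0, eq + 1))
      # Fold Samba synonyms onto one canonical key
      if (key == "write ok" || key == "writable") key = "writeable"
      if (key == "public") key = "guest ok"
      if (key == "read only") { key = "writeable"; val = istrue(val) ? "no" : "yes" }
      cfg[sec, key] = val
    }
    END {
      if (index(" " cfg["global", "invalid users"] " ", " root ") == 0)
        print "HIGH global root is not listed in \"invalid users\""
      if (cfg["global", "password level"] + 0 > 0)
        print "MEDIUM global password level " cfg["global", "password level"] " allows case-insensitive password matching"
      for (i = 1; i <= n; i++) {
        s = order[i]; if (s == "global") continue
        if (istrue(cfg[s, "guest ok"]) && istrue(cfg[s, "writeable"]))
          print "HIGH " s " guest-accessible and writable share at " cfg[s, "path"]
        else if (istrue(cfg[s, "guest ok"]) && !istrue(cfg[s, "printable"]))
          print "LOW " s " guest-readable share at " cfg[s, "path"]
      }
    }'
}

printf '%s\n' "$SMB_CONF" | smb_audit
```

To check a live server, run ``smb_audit < /etc/smb.conf'' instead of piping in the sample.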
Note: Recent versions of Samba, from 2.0 onwards, provide a very slick web-based configuration utility called ``swat'', which makes the process much more user-friendly. The utility listens on TCP port 901 of your server, so to use the utility just point your favourite web browser at ``http://mydomain.name:901/''.
(Of course, in order to use the SWAT utility you will need to have a web server running, such as Apache. See the "Web Server and HTTP Caching Proxy Administration" section for details.)
The latest Samba versions also add considerable features in comparison with versions prior to 2.0. It is worth taking the time to upgrade this package.
A client must have a TCP/IP network stack running in order to connect to shares. Further, for browsing to work, the TCP/IP protocol must be bound to NETBEUI. Under Windows 95 this can be configured from the "Network" icon from within the Control Panel.
Assuming the client has been configured properly, you should see the server shares appear in their "Network Neighborhood" (or equivalent browsing scheme if you are not using Windows 95/NT). You can then map network drives from the network neighborhood, or type in an absolute path to the share (eg. "\\mail\cdrom"). If the shared service requires a password to be entered, you will be prompted for one.
More information on Samba can be obtained from the Samba Home Page at http://samba.anu.edu.au/samba/.
Linux can also provide Appleshare services (eg. Macintosh-style network file & printer sharing), using the Netatalk package. This section will describe how to configure shares, and how to access them from client machines.
In order to use Netatalk, you will need to have Appletalk networking support in your Linux kernel. Stock kernels from Red Hat usually already include this support as a module, or you can compile your own custom kernel with such support. Note: Make sure Appletalk support is compiled in as a module and not included as part of the kernel (see the "Linux Kernel Upgrades" section for details on how to upgrade or customize the Linux kernel). Otherwise you will have difficulties when stopping and then restarting the Netatalk daemon.
Once you have ensured your kernel is capable of supporting Appletalk, you will need to install the Netatalk package. Because Netatalk is not included with the Red Hat distribution, you will have to download and install a copy. The Netatalk package can be found on Red Hat's "contrib" site, at ftp://contrib.redhat.com/libc6/i386/.
After Netatalk has been installed, you may need to modify one or more configuration files in ``/etc/atalk/''. Most of the files contain sample configuration examples, and therefore are at least somewhat self-documenting. The files are:
``netatalk.conf'': This file contains configuration information for tuning your Netatalk daemon. This information is specified in environment variables, and this file is "sourced" (ie. read) by the Netatalk start up script before the service is started. You can specify the number of simultaneous connections, whether or not guest logins are allowed, etc. You will almost certainly want to modify this file according to your needs.
``atalkd.conf'': This file contains information on which network interface to use, as well as your Appletalk routing, name registration, and other related information. You will likely not need to modify this file; the required network information is detected and added to this file the first time you start the Netatalk server. However, you may wish to add your server name. Note: Type ``man atalkd'' for more information on this file.
``afpd.conf'': This file allows you to specify additional parameters which are passed to Netatalk by means of command-line options. You can specify which port or IP address you wish to run the Netatalk server on, add a login message that is displayed to connecting users, as well as other related options. You will likely not need to modify this file. Note: Type ``man afpd'' for more information on this file.
``papd.conf'': This file contains configuration information for enabling Mac users to print to network printer shares. I haven't played with this yet, so unfortunately I can't offer any advice on it. Note: Type ``man papd'' for more information on this file.
``AppleVolumes.default'': This file lists the available file shares that a Mac user will see after logging in. To enable a share, enter the path to the file directory, followed by a textual description of it. For example:
~ "Home"
/archive/busdept "Business Department Common Files"
(The above will provide two shares to connecting Mac users: their home directory, as well as a shared area for the business department.)
Note: A neat trick here is to set up shares with the same file paths under Samba, which would provide your users with platform-independent file shares for both your Mac as well as your Windows users. See the "Windows-style File and Print Services with Samba" section for details on using Samba.
``AppleVolumes.system'': This file also lists file shares just like ``AppleVolumes.default'' does, the difference being that these shares will be made available to all users, regardless of whether or not they log in. This file also contains file-type mappings. You will likely not need to modify this file unless you want to add general shares available to anyone; this is probably a bad idea for most people.
Once everything has been set up with appropriate configuration information, you can start the Netatalk services manually by typing:
/etc/rc.d/init.d/atalk start
(The services should start up automatically at system boot).
More information on Netatalk can be obtained from the Netatalk Home Page at http://www.umich.edu/~rsug/netatalk/. In addition, very helpful configuration information is available in the Linux Netatalk HOWTO, available at http://thehamptons.com/anders/netatalk/.
Linux can act as both client and server for file systems shared using the Network File System (NFS) protocol, which is the de facto standard for providing file system mounts among Unix systems. Note: Please be aware that having an NFS service available on your system can be a security risk. Personally, I don't recommend using it.
In order to use NFS, you will need to ensure that NFS support has been included in your kernel or kernel modules. See the "Linux Kernel Upgrades" section for details on how to upgrade or customize the Linux kernel.
NFS shares are configured by modifying the ``/etc/exports'' file. Here are some example entries, showing some of the options available:
/archive spock.mydomain.name(ro)
/archive2 spock.mydomain.name(ro)
/mnt/cdrom other.domain(ro)
/archive2 10.23.14.8(ro,insecure)
The first couple of lines allow the host ``spock.mydomain.name'' access to both the ``/archive'' as well as the ``/archive2'' directories via NFS. These shares are made available read-only with the ``(ro)'' option. For security reasons, it is a good idea to do this for all of your NFS shares if at all possible.
The third line will allow any host in the ``domain.name'' domain name space to access the CD-ROM drive. Of course, it is necessary to mount the CD-ROM device to ``/mnt/cdrom'' first. Note: Using the ``(ro)'' option to mark this device read-only may seem a bit redundant, however doing so will prevent a miscreant from writing to a real file system should the CD-ROM device not be mounted.
After you have made changes to the ``/etc/exports'' file, you will need to restart the NFS daemon. To do so, type:
/etc/rc.d/init.d/nfs restart
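As an added example (not from the original guide), the script below reads an exports file and reports the entries that widen exposure: exports with no client list or a ``*'' client, exports missing the ``ro'' option the text recommends, and the ``insecure'' option from the last sample line. It also checks for ``no_root_squash'', a standard exports option the text does not discuss. The exports data it embeds is constructed: the first four lines are the samples above, the rest are made up.

```shell
#!/bin/sh
# Added example (not from the original guide): audit an /etc/exports for
# the options that widen NFS exposure. The sample below is constructed;
# its first four entries are the page's own examples, the rest are made up.

EXPORTS='# constructed sample /etc/exports
/archive    spock.mydomain.name(ro)
/archive2   spock.mydomain.name(ro)
/mnt/cdrom  other.domain(ro)
/archive2   10.23.14.8(ro,insecure)
/home       *(rw,no_root_squash)
/pub'

# Read an exports file on stdin; print one finding per line:
# SEVERITY PATH CLIENT MESSAGE
exports_audit() {
  awk '
    { sub(/#.*/, "") }                        # strip comments
    NF == 0 { next }
    {
      path = $1
      if (NF == 1) {                          # no client list at all
        print "HIGH " path " (everyone) exported with no client list"; next
      }
      for (i = 2; i <= NF; i++) {
        spec = $i; host = spec; opts = ""
        p = index(spec, "(")
        if (p) {
          host = substr(spec, 1, p - 1); opts = substr(spec, p + 1)
          sub(/\)$/, "", opts)
        }
        if (host == "") host = "(everyone)"
        o = "," opts ","                      # so ",ro," matches exactly
        if (host == "(everyone)" || host == "*")
          print "HIGH " path " " host " exported to any host"
        if (index(o, ",ro,") == 0)
          print "MEDIUM " path " " host " not read-only (no ro option)"
        if (index(o, ",insecure,"))
          print "MEDIUM " path " " host " accepts requests from unprivileged ports (insecure)"
        if (index(o, ",no_root_squash,"))
          print "HIGH " path " " host " remote root is local root (no_root_squash)"
      }
    }'
}

printf '%s\n' "$EXPORTS" | exports_audit
```

Run ``exports_audit < /etc/exports'' against the real file; a clean file such as the first three sample lines produces no output.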
You can also configure your NFS mount points with the ``Network Configurator'' tool included in the ``Linuxconf'' utility. For more information on the Linuxconf utility, see the "Configuration from A-Z with Linuxconf" section.
More information on NFS can be found in the ``NFS-HOWTO'' guide at http://metalab.unc.edu/LDP/HOWTO/NFS-HOWTO.html, as well as in the man pages on ``nfsd'' and ``exports''.
There is an excellent tool called ``linuxconf'' which can make many configuration issues easier to do. Linuxconf runs on whatever means of display environment it has available to it -- you can run it from the console, over a telnet session, and as a GUI-based tool under X, and it will automatically start up in the appropriate manner.
If you need to adjust your system time, modify your network settings, set up file systems, perform user administration, as well as perform many other administrative and configuration duties, you should give this tool a try. The only caveat I would give is that, at the time of this writing, the GUI-based tool is still a bit "buggy" and at times may stop responding to mouse clicks. However, this tool is a promising work in progress, and future revisions should become quite usable.