book

Managing NFS and NIS, 2nd Edition

by Mike Eisler, Ricardo Labiaga, Hal Stern

July 2001

Beginner

510 pages

15h 30m

English

O'Reilly Media, Inc.

Read now

Unlock full access

Preface
Who this book is forVersionsOrganizationConventions used in this bookDifferences between the first edition and second editionComments and questionsHal’s acknowledgments from the first editionAcknowledgments for the second editionHal Stern’s acknowledgmentsMike Eisler’s acknowledgmentsRicardo Labiaga’s acknowledgments
1. Networking Fundamentals
1.1. Networking overview1.2. Physical and data link layers 1.2.1. Frames and network interfaces1.2.2. Ethernet addresses1.3. Network layer1.3.1. Datagrams and packets1.3.2. IP host addresses1.3.3. IPv4 address classes1.3.4. Classless IP addressing1.3.5. Virtual interfaces1.3.6. IP Version 61.3.6.1. IP Version 6 address pools1.3.6.2. IP Version 6 loopback address1.3.6.3. IP Version 6 unspecified address1.4. Transport layer1.4.1. TCP and UDP1.4.2. Port numbers1.5. The session and presentation layers1.5.1. The client-server model1.5.2. External data representation1.5.3. Internet and RPC server configuration1.5.3.1. Socket RPC and Transport Independent RPC
2. Introduction to Directory Services
2.1. Purpose of directory services2.1.1. The hosts database2.2. Brief survey of common directory services2.2.1. Directory Name Service (DNS)2.2.2. Network Information Service (NIS)2.2.3. NIS+2.2.4. X.5002.2.5. Lightweight Directory Access Protocol (LDAP)2.2.6. NT Domain2.3. Name service switch2.4. Which directory service to use
3. Network Information Service Operation
3.1. Masters, slaves, and clients3.2. Basics of NIS management3.2.1. Choosing NIS servers3.2.2. Installing the NIS master server3.2.3. Installing NIS slave servers3.2.3.1. Adding slave servers later3.2.4. Enabling NIS on client hosts3.3. Files managed under NIS3.3.1. Working with the maps3.3.2. Netgroups3.3.3. Hostname formats in netgroups3.3.4. Integrating NIS maps with local files3.3.5. Map files3.3.6. Map naming3.3.7. Map structure3.3.8. NIS domains3.3.8.1. Internet domains versus NIS domains3.3.9. The ypserv daemon3.3.10. The ypbind daemon3.3.11. NIS server as an NIS client3.4. Trace of a key match
4. System Management Using NIS
4.1. NIS network design4.1.1. Dividing a network into domains4.1.2. Domain names4.1.3. Number of NIS servers per domain4.2. Managing map files4.2.1. Map distribution4.2.2. Regular map transfers4.2.3. Map file dependencies4.2.4. Password file updates4.2.5. Source code control for map files4.2.6. Using alternate map source files4.3. Advanced NIS server administration4.3.1. Removing an NIS slave server4.3.2. Changing NIS master servers4.4. Managing multiple domains
5. Living with Multiple Directory Servers
5.1. Domain name servers5.1.1. DNS versus NIS5.1.2. DNS integration with NIS5.1.3. NIS and DNS domain names5.1.4. Domain aliases5.2. Implementation5.2.1. Run NIS without DNS on client and server5.2.2. Run NIS on client, enable DNS on NIS server5.2.3. Run DNS on NIS clients and servers5.2.4. Run NIS on client, enable DNS on NIS client5.3. Fully qualified and unqualified hostnames5.4. Centralized versus distributed management5.5. Migrating from NIS to DNS for host naming5.6. What next?
6. System Administration Using the Network File System
6.1. Setting up NFS6.2. Exporting filesystems6.2.1. Rules for exporting filesystems6.2.2. Exporting options6.3. Mounting filesystems6.3.1. Using /etc/vfstab6.3.2. Using mount6.3.3. Mount options6.3.4. Backgrounding mounts6.3.5. Hard and soft mounts6.3.6. Resolving mount problems6.4. Symbolic links6.4.1. Resolving symbolic links in NFS6.4.2. Absolute and relative pathnames6.4.3. Mount points, exports, and links6.5. Replication6.5.1. Properties of replicas6.5.2. Rules for mounting replicas6.5.3. Managing replicas6.5.4. Replicas and the automounter6.6. Naming schemes6.6.1. Solving the /usr/local puzzle
7. Network File System Design and Operation
7.1. Virtual filesystems and virtual nodes7.2. NFS protocol and implementation7.2.1. NFS RPC procedures7.2.2. Statelessness and crash recovery7.2.3. Request retransmission7.2.4. Preserving Unix filesystem semantics7.2.5. Pathnames and filehandles7.2.6. NFS Version 37.2.7. NFS over TCP7.3. NFS components7.3.1. nfsd and NFS server threads7.3.2. Client I/O system7.3.3. NFS kernel code7.4. Caching7.4.1. File attribute caching7.4.2. Client data caching7.4.3. Server-side caching7.5. File locking7.5.1. Lock and status daemons7.5.2. Client lock recovery7.5.3. Recreating state information7.6. NFS futures7.6.1. NFS Version 47.6.2. Security
8. Diskless Clients
8.1. NFS support for diskless clients8.2. Setting up a diskless client8.3. Diskless client boot process8.3.1. Reverse ARP requests8.3.2. Getting a boot block8.3.3. Booting a kernel8.3.4. Managing boot parameters8.4. Managing client swap space8.5. Changing a client’s name8.6. Troubleshooting8.6.1. Missing and inconsistent client information8.6.2. Checking boot parameters8.6.3. Debugging rarpd and bootparamd8.6.4. Missing /usr8.7. Configuration options8.7.1. Dataless clients8.7.2. Swapping on a local disk8.8. Brief introduction to JumpStart administration8.9. Client/server ratios
9. The Automounter
9.1. Automounter maps9.1.1. Indirect maps9.1.2. Inside the automounter9.1.2.1. User-level automounters9.1.2.2. The autofs automounter9.1.2.3. The enhanced autofs automounter: Browsing indirect maps9.1.3. Direct maps9.2. Invocation and the master map9.2.1. The master map9.2.2. Command-line options9.2.2.1. Automount command-line options9.2.2.2. Automountd command-line options9.2.3. The null map9.2.4. Tuning timeout values9.3. Integration with NIS9.3.1. Mixing NIS and files in the same map9.3.2. Updating NIS-managed automount maps9.4. Key and variable substitutions9.4.1. Key substitutions9.4.2. Variable substitutions9.4.2.1. Builtin variables9.5. Advanced map tricks9.5.1. Replicated servers9.5.2. Hierarchical mounts9.5.2.1. The -hosts map9.5.2.2. Hierarchical mounts in non -hosts maps9.5.3. Conversion of direct maps9.5.4. Multiple indirection9.5.5. Executable indirect maps9.6. Side effects9.6.1. Long search paths9.6.2. Avoiding automounted filesystems

10. PC/NFS Clients
10.1. PC/NFS today10.2. Limitations of PC/NFS10.2.1. NFS versus SMB (CIFS)10.2.2. Why PC/NFS?10.3. Configuring PC/NFS10.3.1. Server-side PC/NFS configuration10.4. Common PC/NFS usage issues10.4.1. Mounting filesystems10.4.2. Checking file permissions10.4.3. Unix to Windows/NT text file conversion10.5. Printer services
11. File Locking
11.1. What is file locking? 11.1.1. Exclusive and shared locks11.1.2. Record locks11.1.3. Mandatory versus advisory locking11.1.4. Windows/NT locking scheme11.2. NFS and file locking11.2.1. The NLM protocol11.2.2. NLM recovery11.2.2.1. Server crash11.2.2.2. Client crash11.2.2.3. Network partition11.2.3. Mandatory locking and NFS11.2.4. NFS and Windows lock semantics11.3. Troubleshooting locking problems11.3.1. Diagnosing NFS lock hangs11.3.2. Examining lock state on NFS/NLM servers11.3.3. Clearing lock state
12. Network Security
12.1. User-oriented network security12.1.1. Trusted hosts and trusted users12.1.2. Enabling transparent access12.1.3. Using netgroups12.2. How secure are NIS and NFS?12.3. Password and NIS security12.3.1. Managing the root password with NIS12.3.2. Making NIS more secure12.3.2.1. The secure nets file12.3.3. Unknown password entries12.4. NFS security12.4.1. RPC security12.4.2. Superuser mapping12.4.3. Unknown user mapping12.4.4. Access to filesystems12.4.5. Read-only access12.4.6. Port monitoring12.4.7. Using NFS through firewalls12.4.8. Access control lists12.4.8.1. ACLs that deny access12.4.8.2. ACLs and NFS12.4.8.3. Are ACLs worth it?12.5. Stronger security for NFS12.5.1. Security services12.5.2. Brief introduction to cryptography 12.5.2.1. Symmetric key encryption12.5.2.2. Asymmetric key encryption12.5.2.3. Public key exchange12.5.2.4. One-way hash functions and MACs12.5.3. NFS and IPSec12.5.4. AUTH_DH: Diffie-Hellman authentication12.5.4.1. Old terms: AUTH_DES, secure RPC, and, secure NFS12.5.4.2. Diffie-Hellman key exchange12.5.4.3. How RPC/DH works12.5.4.4. RPC/DH state and NFS statelessness12.5.4.5. Enabling NFS/dh12.5.4.6. Public and private keys12.5.4.7. Creating keys12.5.4.8. Establishing a session key12.5.4.9. NFS/dh checklist12.5.4.10. How secure is RPC/DH?12.5.5. RPCSEC_GSS: Generic security services for RPC12.5.5.1. Kerberos V512.5.5.2. SEAM: Kerberos V5 for Solaris12.5.5.3. Enabling Kerberized NFS12.5.5.4. Security and performance12.5.5.5. Combining krb5, krb5i, krb5p12.5.5.6. IPSec versus krb5i and krb5p12.5.6. Planning a transition from NFS/sys to stronger NFS security12.5.7. NFS security futures12.6. Viruses
13. Network Diagnostic and Administrative Tools
13.1. Broadcast addresses13.2. MAC and IP layer tools13.2.1. ifconfig: interface configuration13.2.1.1. Examining interfaces13.2.1.2. Initializing an interface13.2.1.3. Multiple interfaces13.2.1.4. Mismatched host information13.2.2. Subnetwork masks13.2.3. IP to MAC address mappings13.2.4. Using ping to check network connectivity13.2.5. Gauging Ethernet interface capacity13.3. Remote procedure call tools13.3.1. RPC mechanics13.3.1.1. Identifying RPC services13.3.1.2. RPC portmapper — rpcbind13.3.1.3. RPC version numbers13.3.2. RPC registration13.3.3. Debugging RPC problems13.4. NIS tools13.4.1. Key lookup13.4.2. Displaying and analyzing client bindings13.4.3. Other NIS map information13.4.4. Setting initial client bindings13.4.5. Modifying client bindings 13.5. Network analyzers13.5.1. snoop 13.5.2. ethereal / tethereal13.5.3. Capture filters13.5.4. Read filters
14. NFS Diagnostic Tools
14.1. NFS administration tools14.2. NFS statistics14.2.1. I/O statistics14.3. snoop14.3.1. Useful filters14.4. Publicly available diagnostics14.4.1. ethereal / tethereal14.4.2. Useful filters14.4.3. NFSWATCH14.4.4. nfsbug14.4.5. SATAN14.5. Version 2 and Version 3 differences14.6. NFS server logging14.6.1. NFS server logging mechanics14.6.2. Enabling NFS server logging14.6.3. NFS server logging configuration14.6.3.1. Basic versus extended log format14.6.4. The nfslogd daemon14.6.4.1. Consolidating file transfer information14.6.5. Filehandle to path mapping14.6.6. NFS log cycling14.6.7. Manipulating NFS log files14.6.8. Other configuration parameters14.6.9. Disabling NFS server logging14.7. Time synchronization
15. Debugging Network Problems
15.1. Duplicate ARP replies15.2. Renegade NIS server15.3. Boot parameter confusion15.4. Incorrect directory content caching15.5. Incorrect mount point permissions15.6. Asynchronous NFS error messages
16. Server-Side Performance Tuning
16.1. Characterization of NFS behavior16.2. Measuring performance16.3. Benchmarking16.4. Identifying NFS performance bottlenecks16.4.1. Problem areas16.4.2. Throughput16.4.2.1. NFS writes (NFS Version 2 versus NFS Version 3)16.4.2.2. NFS/TCP versus NFS/UDP16.4.3. Locating bottlenecks16.5. Server tuning16.5.1. CPU loading16.5.2. NFS server threads16.5.2.1. Context switching overhead16.5.2.2. Choosing the number of server threads16.5.3. Memory usage16.5.4. Disk and filesystem throughput16.5.4.1. Unix filesystem effects16.5.4.2. Disk array caching and Prestoserve16.5.4.3. Disk load balancing16.5.5. Kernel configuration16.5.6. Cross-mounting filesystems16.5.7. Multihomed servers
17. Network Performance Analysis
17.1. Network congestion and network interfaces17.1.1. Local network interface17.1.2. Collisions and network saturation17.2. Network partitioning hardware17.3. Network infrastructure17.3.1. Switched networks17.3.2. ATM and FDDI networks17.4. Impact of partitioning17.4.1. NIS in a partitioned network17.4.2. Effects on diskless nodes17.5. Protocol filtering
18. Client-Side Performance Tuning
18.1. Slow server compensation18.1.1. Identifying NFS retransmissions18.1.2. Timeout period calculation18.1.3. Retransmission rate thresholds18.1.4. NFS over TCP is your friend18.2. Soft mount issues18.3. Adjusting for network reliability problems18.4. NFS over wide-area networks18.5. NFS async thread tuning18.6. Attribute caching18.7. Mount point constructions18.8. Stale filehandles
A. IP Packet Routing
A.1. Routers and their routing tablesA.2. Static routing
B. NFS Problem Diagnosis
B.1. NFS server problemsB.2. NFS client problemsB.3. NFS errno values
C. Tunable Parameters
About the Authors
Colophon
Copyright

Content preview from Managing NFS and NIS, 2nd Edition

Chapter 12. Network Security

The simplicity and transparency provided by NFS and NIS must be weighed against security concerns. Providing access to all files to all users may not be in the best interests of security, particularly if the files contain sensitive or proprietary data. Not all hosts may be considered equally secure or “open,” so access may be restricted to certain users. Transparency must be limited when dealing with secured hosts: if you have taken precautions to prevent unauthorized access to a machine, you don’t want someone to be able to sit down and use an open window or logged-in terminal to access the secured machine. To enforce access restrictions, you always want password verification for users, which means eliminating some of the network transparency provided by NIS.

This chapter describes mechanisms for tightening access restrictions to machines and filesystems. It is not intended to be a complete list of security loopholes and their fixes. The facilities and administrative techniques covered are meant to complement the network transparency provided by NFS and NIS while still enforcing local security measures. For a more detailed treatment of security issues, refer to Practical Unix Security, by Garfinkel and Spafford (O’Reilly & Associates, 1996).

User-oriented network security

One area of concern is user access to hosts on the network. Figure 12-1 shows several classes of permissions to consider, reflecting the ways in which a user might access a host from ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Linux Network Administrator's Guide, Second Edition

Publisher Resources

ISBN: 1565925106Errata Page

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Managing NFS and NIS, 2nd Edition

by Mike Eisler, Ricardo Labiaga, Hal Stern

Chapter 12. Network Security

User-oriented network security

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.