jm (at) cmex (dot) org
Copyright © 2001 by Jonathan Marks, All rights reserved.
| Revision History | | |
|---|---|---|
| Revision 0.01 | 24-Aug-2001 | Revised by: jm |
| Initial Entry: | | |
$id:$
This document covers the installation and configuration of software on "harold". "harold" is a general virtual server, serving up http, ftp, smtp, pop3, dns, mgetty, faxing, printing, cvs, nfs, samba, pptp vpn, and many other services. It is intended to be used behind a firewall in a Demilitarized Zone (DMZ). This type of configuration is typical for a small low volume site. Its prime purpose is to document the configuration of one of my servers. I share this in the hope that it may help others.
DocBook defaults are changed to provide line numbering for <screen> and <programlisting> tags. To reuse this "literal layout text", copy it and strip the line numbering in the first 5 columns with your favourite editor. The command to do this in vi is :%s/^.\{5}//g.
FIXTHIS - I'll get to this later
[1] Jonathan A. Marks, 2001, Not a reference.
ASUS TXP4 Rev 1.2 with BIOS V1.09, Intel 430TX PCI chipset
Intel Pentium MMX, 233MHz with F00F bug
256Mb SDRAM
CPU info obtained with: cat /proc/cpuinfo
processor       : 0
vendor_id       : GenuineIntel
cpu family      : 5
model           : 4
model name      : Pentium MMX
stepping        : 3
cpu MHz         : 233.868
fdiv_bug        : no
hlt_bug         : no
f00f_bug        : yes
coma_bug        : no
fpu             : yes
fpu_exception   : yes
cpuid level     : 1
wp              : yes
flags           : fpu vme de pse tsc msr mce cx8 mmx
bogomips        : 466.94
Probed with /usr/bin/X11/SuperProbe, part of the X installation.
First video: Super-VGA
        Chipset: ATI 264GT-B+DVD (3D Rage II+DVD) (Port Probed)
        Memory: 2048 Kbytes
        RAMDAC: ATI Mach64 integrated 15/16/24/32-bit DAC w/clock
                (with 6-bit wide lookup tables (or in 6-bit mode))
                (programmable for 6/8-bit wide lookup tables)
        Attached graphics coprocessor:
                Chipset: ATI Mach64
                Memory: 2048 Kbytes
Harold has an SMC 10Mbit/s Controller. The kernel detects the following in bootup, found in dmesg.
eth0: RealTek RTL-8029 found at 0xd000, IRQ 11, 00:E0:29:31:36:13.
Harold has three serial ports, ttyS0 and ttyS1 are the onboard serial ports and ttyS3 belongs to a modem. The serial port hardware is configured as follows:
ttyS00 at 0x03f8 (irq = 4) is a 16550A (onboard - used for mouse)
ttyS01 at 0x02f8 (irq = 3) is a 16550A (onboard - spare)
ttyS03 at 0x02e8 (irq = 5) is a 16550A (modem)
Harold has a single parallel port which is on board the motherboard and is configured (through the bios setup) for ECP and EPP operation. dmesg shows the parallel port as:
IO=0x378, IRQ=7, ECP and EPP-1.9, DMA chan 3
The following output is snipped from dmesg.
Uniform Multi-Platform E-IDE driver Revision: 6.31
ide: Assuming 33MHz system bus speed for PIO modes; override with idebus=xx
PIIX4: IDE controller on PCI bus 00 dev 09
PIIX4: chipset revision 1
PIIX4: not 100% native mode: will probe irqs later
ide0: BM-DMA at 0xe000-0xe007, BIOS settings: hda:DMA, hdb:pio
ide1: BM-DMA at 0xe008-0xe00f, BIOS settings: hdc:DMA, hdd:DMA
hda: Maxtor 5T020H2, ATA DISK drive
hdc: QUANTUM FIREBALL_TM1700A, ATA DISK drive
hdd: ATAPI CD-ROM DRIVE 24X MAXIMUM, ATAPI CD/DVD-ROM drive
ide0 at 0x1f0-0x1f7,0x3f6 on irq 14
ide1 at 0x170-0x177,0x376 on irq 15
hda: 39062500 sectors (20000 MB) w/2048KiB Cache, CHS=2431/255/63, UDMA(33)
hdc: 3335472 sectors (1708 MB) w/76KiB Cache, CHS=3309/16/63, DMA
hdd: ATAPI 20X CD-ROM drive, 120kB Cache, DMA
Uniform CD-ROM driver Revision: 3.12
Partition check:
hda: hda1 hda2 hda3 hda4
hdc: [PTBL] [827/64/63] hdc1 hdc2 hdc3
Output of fdisk -l /dev/hda.
Disk /dev/hda: 255 heads, 63 sectors, 2431 cylinders
Units = cylinders of 16065 * 512 bytes

   Device Boot    Start       End    Blocks   Id  System
/dev/hda1   *         1         3     24066   83  Linux
/dev/hda2             4        69    530145   82  Linux swap
/dev/hda3            70        71     16065   83  Linux
/dev/hda4            72      2431  18956700   83  Linux
/dev/hda1 is created at the start of the drive and is mounted as /boot. This is to avoid the 1024 cylinder problem. /dev/hda2 is the swap partition, approximately twice the size of RAM. /dev/hda3 is a small partition used for ftp uploads, /usr/local/ftp/incoming. /dev/hda4 is the remainder of the hard drive, mounted as "/".
Output of fdisk -l /dev/hdc.
Disk /dev/hdc: 64 heads, 63 sectors, 827 cylinders
Units = cylinders of 4032 * 512 bytes

   Device Boot    Start       End    Blocks   Id  System
/dev/hdc1             1         5    10048+   83  Linux
/dev/hdc2             6        71    133056   82  Linux swap
/dev/hdc3            72       827   1524096   83  Linux
The following output is a snippet from dmesg.
Floppy drive(s): fd0 is 1.44M
FDC 0 is a post-1991 82077
The current installation is "Red Hat Linux release 7.2 (Enigma)". The distribution is downloaded to an ftp server on the local net. I found most sites timed out ftp connections after two hours use, and it takes more than two hours to do an install over a DSL line. Create a bootnet.img floppy (as root):
cd <some parent dir tree>/os/i386/images
dd if=bootnet.img of=/dev/fd0 bs=1440k
Insert the newly written floppy in the system to be built and reboot. Follow the prompts. This is well documented in the RedHat installation guide. Do a custom install, no firewall. On the ip configuration screen choose an ip address that is part of the subnet. It is possible to change this later if we want. One of the first things we will do after the install is ensure that networking is working, so we can telnet into this box and configure it remotely.
At the Package Selection dialog, select the "Select Individual packages" option. Install all the stuff you think you need. Scan through the packages, and ensure that the following packages are installed. They are needed for this configuration. However, it does not matter if some apps were missed; they can be added later.
cpp
gcc
glibc
kernel-source
kernel-headers
ncurses
ncurses-devel
tcl
tk
Create the boot floppy. It may come in handy, especially when booting a newly built and installed kernel that does a "kernel panic".
Once the install is completed, get all the updates for the installed packages and install the updates. RedHat's list of mirrors.
This section assumes that the hardware is not physically accessible to the public, but is virtually accessible through networking services such as telnet, ftp, etc. For a more secure configuration, have a look at the references below.
Once the kernel has loaded itself, configured its drivers and loaded its modules, it executes /sbin/init. /sbin/init is the master process, from which the first level of processes is invoked. Its operation is governed by the content of /etc/inittab.
init
Determines the runlevel:
0: Used to halt the system.
1: Single user mode.
2: Multi user mode - no network.
3: Multi user mode - console.
4: Spare.
5: Multi user mode - X.
6: Reboot.
Runs up the console and serial port gettys and respawns them if they die.
If runlevel 5 is selected, runs up the xdm daemon.
Executes /etc/rc.d/rc.sysinit, the startup script file that loads all the system daemons, according to the scripts in /etc/init.d/, and the configuration settings in /etc/sysconfig/.
In inittab confirm that initdefault selects runlevel 3, and comment out the ctrlaltdel line.
As root, run telinit q and exit X (if running) with [ctrl][alt][bs], for changes to take effect.
/etc/rc.d/rc.sysinit runs up all the daemons configured for startup in /etc/init.d and /etc/sysconfig/. Note that this is RedHat specific, other distributions will differ.
chkconfig is my utility of choice for configuring the startup daemons. It is worthwhile reading its man page. Other utilities are ntsysv, tksysv, or by hand. Running chkconfig --list should produce output something similar to this:
atd             0:off   1:off   2:off   3:on    4:on    5:on    6:off
rwhod           0:off   1:off   2:off   3:off   4:off   5:off   6:off
keytable        0:off   1:on    2:on    3:on    4:on    5:on    6:off
nscd            0:off   1:off   2:off   3:off   4:off   5:off   6:off
syslog          0:off   1:off   2:on    3:on    4:on    5:on    6:off
gpm             0:off   1:off   2:on    3:on    4:on    5:on    6:off
kudzu           0:off   1:off   2:off   3:on    4:on    5:on    6:off
kdcrotate       0:off   1:off   2:off   3:off   4:off   5:off   6:off
lpd             0:off   1:off   2:on    3:on    4:on    5:on    6:off
autofs          0:off   1:off   2:off   3:on    4:on    5:on    6:off
sendmail        0:off   1:off   2:on    3:on    4:on    5:on    6:off
rhnsd           0:off   1:off   2:off   3:off   4:off   5:off   6:off
netfs           0:off   1:off   2:off   3:on    4:on    5:on    6:off
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
random          0:off   1:off   2:on    3:on    4:on    5:on    6:off
rawdevices      0:off   1:off   2:off   3:on    4:on    5:on    6:off
apmd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
ipchains        0:off   1:off   2:on    3:on    4:on    5:on    6:off
iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off
identd          0:off   1:off   2:off   3:off   4:off   5:off   6:off
portmap         0:off   1:off   2:off   3:on    4:on    5:on    6:off
nfs             0:off   1:off   2:off   3:off   4:off   5:off   6:off
nfslock         0:off   1:off   2:off   3:on    4:on    5:on    6:off
pppoe           0:off   1:off   2:on    3:on    4:on    5:on    6:off
crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off
anacron         0:off   1:off   2:on    3:on    4:on    5:on    6:off
xfs             0:off   1:off   2:on    3:on    4:on    5:on    6:off
isdn            0:off   1:off   2:on    3:on    4:on    5:on    6:off
yppasswdd       0:off   1:off   2:off   3:off   4:off   5:off   6:off
ypserv          0:off   1:off   2:off   3:off   4:off   5:off   6:off
ypbind          0:off   1:off   2:off   3:off   4:off   5:off   6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
xinetd          0:off   1:off   2:off   3:on    4:on    5:on    6:off
innd            0:off   1:off   2:off   3:off   4:off   5:off   6:off
pcmcia          0:off   1:off   2:on    3:off   4:on    5:off   6:off
pxe             0:off   1:off   2:off   3:off   4:off   5:off   6:off
rstatd          0:off   1:off   2:off   3:off   4:off   5:off   6:off
rusersd         0:off   1:off   2:off   3:off   4:off   5:off   6:off
squid           0:off   1:off   2:off   3:off   4:off   5:off   6:off
postgresql      0:off   1:off   2:off   3:off   4:off   5:off   6:off
httpd           0:off   1:off   2:off   3:off   4:off   5:off   6:off
tux             0:off   1:off   2:off   3:off   4:off   5:off   6:off
named           0:off   1:off   2:off   3:off   4:off   5:off   6:off
snmpd           0:off   1:off   2:off   3:off   4:off   5:off   6:off
reconfig        0:off   1:off   2:off   3:on    4:on    5:on    6:off
dhcpd           0:off   1:off   2:off   3:off   4:off   5:off   6:off
linuxconf       0:off   1:off   2:on    3:on    4:on    5:on    6:off
mysqld          0:off   1:off   2:off   3:off   4:off   5:off   6:off
ntpd            0:off   1:off   2:off   3:off   4:off   5:off   6:off
ups             0:off   1:off   2:off   3:off   4:off   5:off   6:off
smb             0:off   1:off   2:off   3:off   4:off   5:off   6:off
ldap            0:off   1:off   2:off   3:off   4:off   5:off   6:off
xinetd based services:
        chargen:        off
        chargen-udp:    off
        daytime:        off
        daytime-udp:    off
        echo:           off
        echo-udp:       off
        time:           off
        time-udp:       off
        telnet:         on
        wu-ftpd:        on
        rsync:          off
        imap:           off
        imaps:          off
        ipop2:          off
        ipop3:          off
        pop3s:          off
        linuxconf-web:  off
        swat:           off
Your output may vary. Let's go through some of the options. The enable/disable recommendations below may not be reflected in the above listing.
apmd: Optionally required. Runlevels 2345. Advanced power management is only really required for power management on a laptop. A server should be up all the time, so it is disabled on Harold.
anacron: Optionally required. Runlevels 2345. This task scheduling daemon has a resolution of days, and is used to schedule tasks on a machine that is not (almost) permanently on. Servers tend to be "always on", so it is not enabled on Harold.
atd: Required. Runlevels 2345. This is the daemon that runs commands at some time in the future, as entered with the at command.
autofs: Optionally required. Runlevels 2345. Used to automatically mount and unmount file systems, be they CDROM, floppy or nfs. I enable it, even though it may be considered a security risk. Autofs operation is configured by /etc/auto.master. Automount configuration is covered in ???????FIXME.
crond: Required. Runlevels 2345. Executes scheduled commands as configured in crontab. Read the crontab man page.
dhcpd: Optionally required. Runlevels 345. Dynamic host configuration protocol daemon. Used to serve dynamic ip address allocation and configuration on a network. Disable for now, will be configured later in ??????FIXME.
httpd: Required for web page serving. Runlevels 345. Httpd server. Disabled for now. Apache will be configured later.
gpm: Required for console mouse operation. Runlevels 2345. X uses a different mechanism.
identd: Disable. Runlevels 345. Identd serves up the user's identity and process id of the associated tcp/ip port connection being queried. An obvious security hole if enabled.
innd: Optionally required. Runlevels 345. Innd is the Internet News Server, necessary if spooling news. Disabled on harold for the moment.
ipchains: Optionally required. Runlevels 345. Should be enabled if this is a firewall. Harold is not, so this is disabled.
iptables: Optionally required. Runlevels 345. Should be enabled if this is a firewall. Harold is not, so this is disabled.
isdn: Optionally required. Runlevels 345. Only necessary if connecting to the network with isdn, disabled on harold.
kdcrotate: Required for Kerberos. Runlevels 345. Kerberos is not installed on this server, therefore it is disabled.
keytable: Required. Runlevels 12345. Loads the selected keyboard mapping (translating keystrokes into something the computer understands).
kudzu: Optionally required. Runlevels 2345. Used to detect and configure the hardware of a system on startup. I disable it, as I know and manually configure the hardware on the system.
ldap: Optionally required. Runlevels 345. Lightweight Directory Access Protocol, disabled on Harold.
linuxconf: Disable. Runlevels 345. Used to remotely configure this server over the network.
lpd: Required for printing. Runlevels 2345. This is the print spooler daemon. It is required if printing from this machine. The printer need not be attached to this machine. I enable it.
mysqld: Optionally required. Runlevels 345. Mysql is a simple free sql database. This is the daemon that handles mysql requests. Disable for now, will be configured later in ??????????FIXME.
named: Optionally required. Runlevels 345. Domain name server. Disable for now, will be configured later in ??????????FIXME.
netfs: Optionally required. Runlevels 345. Network file system mounter. I disable it, as autofs is used to mount nfs volumes.
network: Required. Runlevels 345. Enables networking on the machine. Network configuration is controlled through settings and scripts in /etc/sysconfig/network and /etc/sysconfig/network-scripts/. See ?????????????FIXME.
nfs: Optionally required. Runlevels 345. Nfs is enabled on Harold.
nfslock: Optionally required. Runlevels 345. Should only be enabled if nfs is enabled. Provides file locking capabilities to nfs. Enabled on Harold.
nscd: Optionally required. Runlevels 345. This is the name service switch cache for name serving services such as NIS, NIS+, etc. Disabled on harold.
ntpd: Optionally required. Runlevels 345. NTP time synchronizing server. Disable for now, will be configured in ??????FIXME.
pcmcia: Optionally required. Runlevels 345. Typically required for laptops with pcmcia card support. Disabled on harold.
portmap: Optionally required. Runlevels 345. Maps RPC calls to tcp ports. Required if any RPC app (nfs, for example) is running. Enabled on harold.
postgresql: Optionally required. Runlevels 345. Postgres is an SQL database. Required to accept SQL requests. Disabled for now, set up later in ????FIXME.
pppoe: Optionally required. Runlevels 345. PPP over Ethernet is required by some ADSL modems. Not required on harold.
pxe: Optionally required. Runlevels 345. Pre-boot execution environment is a mechanism to serve the booting of diskless workstations over a network link. Not required on harold.
random: Required. Runlevels 2345. Preserves the state of the kernel's internal random number generator (not a pn sequence generator) across power downs and power ups.
rawdevices: Optionally required. Runlevels 345. Used to map raw character devices to block devices, for example in database applications that have their own filesystem management. Not enabled on harold.
reconfig: Disabled. Runlevels 2345. Used to call anaconda to reconfigure the installation.
rhnsd: Optionally required. Runlevels 345. Redhat Network System daemon. I disable it.
rstatd: Disable. This daemon serves requests relating to the performance statistics of this server. Not recommended if security is a concern.
rusersd: Disable. This daemon serves requests from remote machines about who is logged into this server. Not recommended if security is a concern.
rwhod: Disable. This daemon serves requests relating to the status of, and who is logged into, the server. Not recommended if security is a concern.
sendmail: Required. Runlevels 2345. This is the Mail transfer agent. Required even if the machine is not being used to send and receive mail, because some programs use smtp to transfer messages to the user or root. Will be configured as a multiple domain mail server later in ????FIXME.
smb: Optionally required. Runlevels 345. Samba server. Disable for now. Will be configured later in ???FIXME to provide file and printer sharing to Windows machines.
snmpd: Optionally required. Runlevels 345. Simple Network Management Protocol daemon. Not enabled on harold.
squid: Optionally required. Runlevels 345. Squid is an http proxy server. Not enabled on harold.
sshd: Optionally required. Runlevels 345. Provides encrypted secure shell access. Disabled for now. Can be used to provide secure mail retrieval and other secure tunnels.
syslog: Required. Runlevels 2345. Starts syslogd and klogd, the system and kernel message logging daemons. See the syslogd manpage.
tux: Optionally required for http serving. Runlevels 345. Tux is the interface to the kernel space web page serving interface. Disable for now, it will be configured and enabled later in ????????????FIXME.
ups: Optionally required. Runlevels 345. Manages the orderly shutdown of a number of machines connected to UPSs. Disable for now. Its configuration is covered in detail in ????????????FIXME.
xinetd: Required. Runlevels 345. Inetd replacement that serves up common tcp/udp protocol servers such as telnet, ftp, imap, pop3, etc. Its configuration is covered in detail in ????????????FIXME.
xfs: Required. Runlevels 345. Serves up fonts to X applications running on this server. X is configured to use this on RedHat distributions.
ypbind: Optionally required. Runlevels 345. Only required if running as a NIS or NIS+ client. Disabled on harold.
yppasswdd: Optionally required. Runlevels 345. Only required if running as a NIS or NIS+ server. Disabled on harold.
ypserv: Optionally required. Runlevels 345. Only required if running as a NIS or NIS+ server. Disabled on harold.
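The listing above is long enough that a service left enabled in runlevel 3 is easy to overlook. The following shell functions are an added example, not part of the original document: they parse chkconfig --list output (a constructed sample modelled on the listing is embedded, not a live capture), print what starts in a chosen runlevel or under xinetd, and flag anything outside a baseline list of services the server's role actually needs. The function names and the baseline are my own choices.

```shell
#!/bin/sh
# Added example, not from the original document: review which SysV services
# chkconfig would start in a given runlevel, and flag those outside a baseline.
# Input is the text of "chkconfig --list" on stdin.

# Constructed sample output, modelled on the listing above (not a live capture).
SAMPLE_CHKCONFIG='atd         0:off 1:off 2:off 3:on  4:on  5:on  6:off
identd      0:off 1:off 2:off 3:off 4:off 5:off 6:off
portmap     0:off 1:off 2:off 3:on  4:on  5:on  6:off
rusersd     0:off 1:off 2:off 3:off 4:off 5:off 6:off
sshd        0:off 1:off 2:on  3:on  4:on  5:on  6:off
xinetd      0:off 1:off 2:off 3:on  4:on  5:on  6:off
xinetd based services:
        telnet:  on
        wu-ftpd: on
        rsync:   off'

# services_on LEVEL - print the SysV services switched on in runlevel LEVEL
services_on() {
    awk -v lvl="$1" '
        BEGIN { want = lvl ":on" }
        /xinetd based services:/ { exit }      # the SysV part ends here
        $2 ~ /^[0-6]:/ {
            for (i = 2; i <= NF; i++)
                if ($i == want) { print $1; break }
        }'
}

# xinetd_on - print the xinetd-managed services that are switched on
xinetd_on() {
    awk '
        /xinetd based services:/ { inx = 1; next }
        inx && $2 == "on" { sub(/:$/, "", $1); print $1 }'
}

# unexpected_services LEVEL "name name ..." - print services enabled in LEVEL
# that are not in the space-separated baseline; returns 1 if any were found.
unexpected_services() {
    baseline=" $2 "
    found=0
    for s in $(services_on "$1"); do
        case "$baseline" in
            *" $s "*) ;;
            *) echo "$s"; found=1 ;;
        esac
    done
    return $found
}

# Usage on a live system (the checks below use the constructed sample instead):
#   chkconfig --list | services_on 3
#   chkconfig --list | xinetd_on
#   chkconfig --list | unexpected_services 3 "atd crond sshd syslog xinetd"
```

Running unexpected_services after every package update is a cheap way to notice a daemon that an rpm re-enabled behind your back; the baseline should be the list of services this section decided to keep, not whatever chkconfig showed on the day.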
The xinetd services are listed below. RedHat, out of the box, configures them all disabled. That is fine for now; as we go through the configuration, we will enable those we need:
chargen: Disable. Serves character generator requests on tcp port 19.
chargen-udp: Disable. Serves character generator requests on udp port 19.
daytime: Disable. Serves time requests on tcp port 13, providing time in ascii format.
daytime-udp: Disable. Serves time requests on udp port 13, providing time in ascii format.
echo: Disable. Serves echo requests on tcp port 7.
echo-udp: Disable. Serves echo requests on udp port 7.
imap: Disable for now. Imap mail collection serving. See ?????FIXME
imaps: Disable for now. Imap over ssl. See ?????FIXME
ipop2: Disable. Old pop protocol. Use pop3 instead.
ipop3: Disable for now. Mail retrieval protocol. See ????FIXME
linuxconf-web: Disable. No remote linux configuration, especially over the web.
pop3s: Disable for now. Secure mail retrieval protocol over ssl. See ????FIXME.
rsync: Disable. Serves the ability to sync local and remote filesystem directories.
swat: Disable. Remote (web based) configuration of the Samba server.
telnet: Enabled. Telnet server for remote login on port 23. See Enabling Telnet.
time: Disable. Serves time requests on tcp port 37, providing time in binary format.
time-udp: Disable. Serves time requests on udp port 37, providing time in binary format.
wu-ftpd: Enabled. Ftp server. See Enabling Ftp, and ????FIXME
/etc/rc.d/rc.local gets executed last, after /etc/rc.d/rc.sysinit has completed its work. On Harold, this file is used to enable network ip aliases, configure the ip-forward and fragmentation kernel options (for VPN setup) and change the splash before the login prompt on a console, telnet or dialin. Read the mgetty and telnetd man pages about /etc/issue (for virtual consoles), /etc/issue.net (used by telnetd for remote network logins), and /etc/issue.tty (used by serial line / dialup logins).
I like to work on a workstation box using a big high res monitor running X with multiple open windows. Typically a server is stuck away in a corner and shares a cheap small monitor with other servers. RedHat, out of the box, has both remote telnet and ftp disabled. This can be confirmed by running the following as root:
chkconfig --list
Edit the file /etc/xinetd.d/telnet as root. Near the bottom of the file comment out the line starting with disable.
Generally it is not a good thing to permit root telnet access. This is controlled by a file /etc/securetty . If this file does not exist then root access is permitted from every tty. If it exists, then root access is only permitted from the listed ttys.
Edit the file /etc/xinetd.d/wu-ftp as root. Near the bottom of the file comment out the line starting with disable.
Out of the box, RedHat permits root ftp access. Convenient as this is, it is more secure to disable it. This is done by removing guest and anonymous from the class all line in /etc/ftpaccess. See line 27 in the listing.
RedHat out the box has a "mostly open" TCP wrappers policy. A "mostly closed" policy is better. TCP wrappers are controlled by two files /etc/hosts.deny and /etc/hosts.allow. Look at man hosts.deny. A mostly closed policy requires only an ALL: ALL in /etc/hosts.deny. Initially, while configuring harold remotely (from 192.168.0.4), we only have ALL: 192.168.0.4 in /etc/hosts.allow.
Restart the xinetd service:
/etc/init.d/xinetd restart
Stopping xinetd: [ OK ]
Starting xinetd: [ OK ]
Test this configuration by telnet'ing and ftp'ing to "harold" (which is assigned the ip address 192.168.0.10) from the remote box, which is called "hal-9000".
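Before trusting the "mostly closed" TCP wrappers policy above, it is worth checking how tcpd will actually decide for a given daemon and client. The shell functions below are an added example, not part of the original document or of the tcp_wrappers package: they reproduce the decision order of hosts_access(5) (a match in hosts.allow grants, otherwise a match in hosts.deny refuses, otherwise access is granted) for the subset of the syntax used on this page, namely "daemon_list : client_list" lines, the ALL wildcard, exact addresses and trailing-dot network prefixes such as 192.168.0. The file contents are constructed to mirror the policy above; the extra in.ftpd line is my own addition to show a prefix rule. The real tool for this job on a box with tcp_wrappers installed is tcpdmatch(8).

```shell
#!/bin/sh
# Added example, not from the original document: evaluate the tcpd decision
# order for a daemon/client pair against hosts.allow and hosts.deny text.
# Supports only ALL, exact addresses, and "a.b.c." network prefixes; real
# tcpd (hosts_access(5)) accepts more, so use tcpdmatch(8) on a live system.

# Constructed file contents mirroring the "mostly closed" policy above.
HOSTS_ALLOW='# only the admin workstation may reach anything
ALL: 192.168.0.4
in.ftpd: 192.168.0.'
HOSTS_DENY='ALL: ALL'

# pattern_matches PATTERN VALUE - one daemon or client pattern against a value
pattern_matches() {
    pat="$1"; val="$2"
    case "$pat" in
        ALL) return 0 ;;
        *.)  case "$val" in "$pat"*) return 0 ;; esac ;;   # network prefix
        *)   [ "$pat" = "$val" ] && return 0 ;;
    esac
    return 1
}

# list_matches "p1, p2 ..." VALUE - any pattern in a comma/space list matches
list_matches() {
    for p in $(printf '%s' "$1" | tr ',' ' '); do
        pattern_matches "$p" "$2" && return 0
    done
    return 1
}

# table_matches TABLE_TEXT DAEMON CLIENT - does any rule line in the table match?
table_matches() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac       # skip blanks and comments
        daemons=${line%%:*}
        rest=${line#*:}
        clients=${rest%%:*}                             # drop an optional ": option" field
        if list_matches "$daemons" "$2" && list_matches "$clients" "$3"; then
            echo match
        fi
    done | grep -q match
}

# wrappers_decision DAEMON CLIENT - prints "allow" or "deny" in tcpd order:
# a hosts.allow match wins, then a hosts.deny match refuses, otherwise allow.
wrappers_decision() {
    if table_matches "$HOSTS_ALLOW" "$1" "$2"; then echo allow
    elif table_matches "$HOSTS_DENY" "$1" "$2"; then echo deny
    else echo allow
    fi
}

# Example: wrappers_decision in.telnetd 192.168.0.4   -> allow
#          wrappers_decision in.telnetd 10.0.0.9      -> deny
```

The last branch of wrappers_decision is the reason the policy needs the ALL: ALL line in hosts.deny: with an empty hosts.deny, anything that does not match hosts.allow is still admitted.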
In the Lilo configuration below, the console resolution is set to a high resolution 60lines x 80chars. Whenever RedHat Linux reboots, the /etc/rc.d/rc.sysinit script reloads the console fonts to 25lines x 80chars. This is annoying! A way to correct this is to comment out the SYSFONT line in /etc/sysconfig/i18n .
Global Bash configuration is set by /etc/profile and /etc/bashrc. Default individual users' configuration is set by /etc/skel/.bash_profile and /etc/skel/.bashrc. Whenever a new user is created (say using useradd), the files and directories are recursively copied out of /etc/skel/* to the new User's home directory root. Each user is free to customize their bash environment with their copies of $HOME/.bashrc and $HOME/.bash_profile. A read of the bash man page, especially the section on INVOCATION will help. On invocation, bash will first execute the commands in /etc/profile, then in $HOME/.bash_profile. $HOME/.bash_profile executes the commands in $HOME/.bashrc. $HOME/.bashrc, in turn, executes the commands in /etc/bashrc. . . Confused?
To install a vpn, the kernel needs to be patched and rebuilt.
Even if this were not the case, it is often a good idea to get the latest kernel. It is also often a good idea to make a custom build of the kernel to suit the hardware. RedHat kernels are provided with a gazillion modules and drivers for every conceivable application and manufacturer's hardware. This is good if one is a "lay user", and does not need any applications that require specific features that have not been compiled into the kernel.
For the rest of us, well . . . lets rebuild the kernel.
When I am feeling adventurous, I get the latest Rawhide kernel-source and kernel-headers rpms. Otherwise, if they exist, I download the latest kernel source and headers from RedHat Support.
The current kernel on harold is 2.4.13-0.3custom
Install the rpms as root.
cd <directory where rpms are located>
rpm -Uhv kernel-source* kernel-headers*
To support VPN and ppp, the kernel needs to be patched. These patches are obtained from mirror.binarix.com. Be sure to look at the README for the latest information. For this configuration the latest version of the linux-2.4.x-openssl-0.9.6a-mppe patch is required. While there, also get the latest ppp-2.4.x-openssl-0.9.6-mppe patch, and the ppp-2.4.x-MSCHAPv2 patch for ppp-2.4.x. These are required later.
Carry out the following instructions as root to install the patch:
cd /usr/src
ln -s linux-2.4 linux
zcat <patch dir>/linux-2.4.x-openssl-0.9.6a-mppe.patch.gz | patch -p0
This kernel is configured with make xconfig. This uses the Tk/Tcl library. For a ncurses text based user interface use make menuconfig. The content and configuration output for both methods is exactly the same, the only difference being xconfig is graphics based under X, and menuconfig is text screen based.
This configuration favours limited modules and is built specifically for "harold's" hardware. Different hardware will require a different set of drivers. This document will annotate selections as it progresses through the configuration.
This is an optional, but very useful step. It is only valid if an earlier kernel has been built on this system.
Say the earlier kernel was 2.4.x, carry out the following steps as root to upgrade the configuration file to the current kernel.
cd /usr/src/linux-2.4
cp ../linux-2.4.x/.config .
make oldconfig
Make a best guess for the options when prompted. After this step, it is worthwhile to go through the configuration thoroughly using a screen based configurator that has access to help information.
This is not an exhaustive review of the configuration options; I just highlight options dependent on this hardware for the server configuration. When completed, choose save and exit. The resulting makefile config file is stored in /usr/src/linux-2.4/.config.
Enable all the options, i.e., Module support, Setting version information and kernel module loader.
Enable networking.
PCI and hot pluggable support is dependent on hardware.
Enable SysV IPC.
Enable BSD Process accounting.
Enable sysctl support.
Kernel core is in ELF format.
Enabling support for a.out (old style) binaries is optional.
Enable support for ELF and MISC binaries.
Disable power management support.
Disable all the APM options.
Enable RTC stores time in GMT.
Plug and play support is optional and depends on hardware. I enable Plug and Play, ISA, and PNPBIOS support.
Enable PC floppy disk
Disable XT HDD and Parallel port IDE (hardware dependent).
Disable Compaq Smart2 and smart array support.
Disable Mylex Raid controller support.
Enable loopback and network block device support.
RAM disk support is optional, I've disabled it.
Enable Packet socket and Packet socket: mmapped IO
Enable Netlink socket, routing messages and device emulation.
Disable Network Packet filtering
Enable socket filtering (required by DHCP server)
Enable Unix Domain Sockets and TCP/IP
Enable TUX and its sub options except debug TUX.
Disable IP Multicast and Advanced router (both optional)
Disable Kernel Level Autoconfiguration
Disable IP Tunnelling and IP GRE
Disable ARP Daemon support
Disable Explicit Congestion Notification
Enable TCP Syn cookie support.
Disable IPV6, Kernel httpd, and ATM.
Disable all the other protocols (optional)
Disable Wan Router, Fast Switching and high speed forwarding
Disable QoS
Enabled; enabling of the various options depends on hardware. On harold, only the following are enabled: IDE/ATA disk support, CDROM support, Generic PCI IDE support and its sub-options except ATA work in progress, and support for PIIXn.
Hardware specific selection. Enabled overall support, and selected 10/100 Ethernet devices, and selected PCI NE2000 driver. Towards the end of this menu:
Disable PLIP (optional)
Enable PPP and sub-options (required for VPN server) except:
Disable Sync PPP and PPP over Ethernet
Enable SLIP and sub-options (optional)
Enabled Virtual Terminal and Console Support
Enabled Standard Serial Port Support, except irq autodetect.
Disabled support for Multiport cards and non standard ports
Enabled Unix98 PTY support / 256 PTYs
Enabled Parallel Support, disabled sub-options.
Disabled I2C, Mice, Joystick, and QIC-2 support.
Disabled Watchdog cards and Random Number hardware
Enabled /dev/nvram and Real time clock support
Disabled the remaining character devices.
Enabled quota support Kernel.
Disabled Automounter and Enabled Automounter V4.
Disabled all file systems except:
Ext3 Journalling and JBD
Virtual Memory file system.
ISO9660 CDROM and Microsoft Joliet extensions
/proc filesystem
/dev/pty filesystem
Second extended file system
Enabled NFS and NFS V3 client and server support
Enabled SMB support, disabled default NLS
Disabled NCP File support
Disabled Advanced Partition selection
iso8859-1 as default NLS
Only enabled codepage 437 and iso8859-1
Disabled all the other NLS, (breaks build as modules).
Enabled VGA console, and mode selection.
Disabled MDA console and frame buffer support
To be able to recover, as root, move aside the current kernel modules before building:
mv /lib/modules/<xx.yy.zz> /lib/modules/<xx.yy.zz>.old
Then enter
make dep clean bzImage modules modules_install
The kernel build will take a while, anything from a few minutes to a few hours, depending on the speed of the hardware.
Kernel installation is done as root. Once the kernel build completes, do the following:
cp /usr/src/linux-2.4/arch/i386/boot/bzImage /boot/bzImage
cp /boot/bzImage /boot/bzImage.old
mv /boot/System.map /boot/System.map.orig
cp /usr/src/linux-2.4/System.map /boot/System.map
cp /boot/System.map /boot/System.map.old
Laying out the files this way works with the following lilo configuration file. Keep the original vmlinuz, create a previous image bzImage.old and the normally used image bzImage.
Create the following /etc/lilo.conf as root.
Enter the following commands to install lilo and reboot.
lilo
sync; sync; reboot
With a bit of luck the system should reboot smoothly with the new kernel. If not re-boot with the boot floppy created during the Linux install.
To track down and fix the error, I normally search on the output error message in a www search engine, and start reading through the pages it finds.
To install a newly compiled kernel after the first build, carry out the following commands:
cp /boot/bzImage /boot/bzImage.old
cp /boot/System.map /boot/System.map.old
cp /usr/src/linux/arch/i386/boot/bzImage /boot/bzImage
cp /usr/src/linux-2.4/System.map /boot/System.map
lilo
sync; sync; reboot
If the newly built kernel does not work, it is always possible to either boot from the old kernel, or from the boot floppy. To boot the old kernel, enter o at the LILO: boot prompt.
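The re-install sequence above is only safe if the previous image really is copied aside before the new one lands in /boot. As an added example, not part of the original document, here is that rotation as a shell function that takes the source tree and boot directory as parameters (so it can be exercised in a scratch directory; on the real system they would be /usr/src/linux-2.4 and /boot), refuses to run when the freshly built files are missing, and backs up before it overwrites. The fixture helper and the file contents are constructed for the check.

```shell
#!/bin/sh
# Added example, not from the original document: install a newly built kernel
# while keeping the previous image and System.map under the .old names that
# the lilo configuration in this section expects.

# install_kernel SRC BOOT - rotate bzImage/System.map to .old, then install.
install_kernel() {
    src="$1"; boot="$2"
    # Do not touch /boot at all unless the build actually produced both files.
    for f in "$src/arch/i386/boot/bzImage" "$src/System.map"; do
        [ -f "$f" ] || { echo "missing $f, nothing installed" >&2; return 1; }
    done
    # Keep the running image as the fallback "o" entry before overwriting it.
    if [ -f "$boot/bzImage" ]; then
        cp "$boot/bzImage" "$boot/bzImage.old" || return 1
        cp "$boot/System.map" "$boot/System.map.old" || return 1
    fi
    cp "$src/arch/i386/boot/bzImage" "$boot/bzImage" &&
    cp "$src/System.map" "$boot/System.map"
}

# make_fixture DIR - constructed scratch tree standing in for /usr/src and /boot
make_fixture() {
    mkdir -p "$1/src/arch/i386/boot" "$1/boot"
    echo "old kernel" > "$1/boot/bzImage"
    echo "old map"    > "$1/boot/System.map"
    echo "new kernel" > "$1/src/arch/i386/boot/bzImage"
    echo "new map"    > "$1/src/System.map"
}

# On the real box (as root), followed by lilo and a reboot:
#   install_kernel /usr/src/linux-2.4 /boot && lilo
```

Running lilo is deliberately left outside the function: if the copy fails halfway, the boot map still points at a consistent pair of files.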
[1] Linux Kernel HOWTO.
[3] LILO Mini HOWTO.
Harold is to be configured to virtually serve mail, http, smtp, pop3/imap, cvs, news, etc. for multiple domains. Harold is situated behind a firewall which directs the appropriate requests to it.
This is RedHat specific. The files to configure are:
The options in these files are documented at RedHat. The initialization scripts use these configuration settings to set up the ip addresses and static routes. From that documentation, note that FORWARD_IPV4 is not supported, and GATEWAY is not required in /etc/sysconfig/network.
RedHat has an undocumented method to create a number of ip aliases. It is flawed, so it is replaced. Do not use the name /etc/sysconfig/network-scripts/ifup-aliases for this script, as it will be wiped out by a RedHat upgrade. On harold, the script is written to /etc/sysconfig/network-scripts/ifup-ipalias, which is called from /etc/rc.d/rc.local.
This script depends on one or more configuration files with names of the form /etc/sysconfig/network-scripts/ifcfg-eth<n>-rng<m>, where <n> and <m> are the number of the device and range respectively. Harold is only configured with a single range of 16 consecutive addresses on eth0: /etc/sysconfig/network-scripts/ifcfg-eth0-rng0.
One can make the necessary changes for harold to take on the new configuration. However rebooting the computer is recommended to ensure that the scripts behave well in the manner they are to be used.
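The ifup-ipalias script itself is not reproduced on this page, so what follows is an added example and not the author's script: a shell function that expands a range file into one ifconfig alias command per address, in the eth0:0 through eth0:15 form the next listing shows. The range file format and its variable names (DEVICE, IPADDR_START, IPADDR_END, NETMASK, CLONENUM_START) are assumptions for this example, and the file content is constructed to match harold's 16 addresses. The function only prints the commands, so it can be reviewed (or piped to sh as root) rather than applied blindly; it also refuses a range that runs backwards or crosses a /24 boundary, which is the usual way a typo in such a file turns into a wrong address on the wire.

```shell
#!/bin/sh
# Added example, not the original document's ifup-ipalias: expand an address
# range into eth0:N alias commands. The KEY=VALUE names below are assumed.

# Constructed content of a hypothetical ifcfg-eth0-rng0 (16 addresses).
RANGE_FILE_CONTENT='DEVICE=eth0
IPADDR_START=192.168.0.220
IPADDR_END=192.168.0.235
NETMASK=255.255.255.0
CLONENUM_START=0'

last_octet() { printf '%s' "${1##*.}"; }
net_prefix() { printf '%s' "${1%.*}"; }

# parse_range RANGE_TEXT - read the KEY=VALUE lines into shell variables
# (no eval: unknown keys are ignored rather than executed).
parse_range() {
    DEVICE=; IPADDR_START=; IPADDR_END=; NETMASK=; CLONENUM_START=0
    oldifs=$IFS; IFS='
'
    for line in $1; do
        key=${line%%=*}; value=${line#*=}
        case "$key" in
            DEVICE)         DEVICE=$value ;;
            IPADDR_START)   IPADDR_START=$value ;;
            IPADDR_END)     IPADDR_END=$value ;;
            NETMASK)        NETMASK=$value ;;
            CLONENUM_START) CLONENUM_START=$value ;;
        esac
    done
    IFS=$oldifs
}

# alias_commands RANGE_TEXT - print one ifconfig line per alias address.
# Fails on a missing key, a backwards range, or a range crossing a /24.
alias_commands() {
    parse_range "$1"
    if [ -z "$DEVICE" ] || [ -z "$IPADDR_START" ] || [ -z "$IPADDR_END" ] || [ -z "$NETMASK" ]; then
        echo "range file is missing a required key" >&2; return 1
    fi
    if [ "$(net_prefix "$IPADDR_START")" != "$(net_prefix "$IPADDR_END")" ]; then
        echo "range $IPADDR_START-$IPADDR_END crosses a /24 boundary" >&2; return 1
    fi
    first=$(last_octet "$IPADDR_START"); last=$(last_octet "$IPADDR_END")
    if [ "$first" -gt "$last" ] || [ "$last" -gt 254 ]; then
        echo "bad range $IPADDR_START-$IPADDR_END" >&2; return 1
    fi
    prefix=$(net_prefix "$IPADDR_START")
    n=$CLONENUM_START; o=$first
    while [ "$o" -le "$last" ]; do
        echo "ifconfig $DEVICE:$n $prefix.$o netmask $NETMASK up"
        n=$((n + 1)); o=$((o + 1))
    done
}

# alias_count RANGE_TEXT - number of aliases the range would create
alias_count() { alias_commands "$1" | wc -l | tr -d ' '; }

# Usage from rc.local on the real box (as root), after reviewing the output:
#   alias_commands "$(cat /etc/sysconfig/network-scripts/ifcfg-eth0-rng0)" | sh
```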
To check that the configuration is successful, as root execute ifconfig. The resulting output should look something like the following screen, listing the original ip address configuration on eth0 and the 16 aliased ip addresses on eth0:0 through eth0:15.
eth0 Link encap:Ethernet HWaddr 00:E0:29:31:36:13
inet addr:192.168.0.1 Bcast:192.168.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:9628 errors:0 dropped:0 overruns:0 frame:0
TX packets:1440 errors:0 dropped:0 overruns:0 carrier:0
collisions:3 txqueuelen:100
Interrupt:11 Base address:0xd000
eth0:0 Link encap:Ethernet HWaddr 00:E0:29:31:36:13
inet addr:192.168.0.220 Bcast:192.168.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:11 Base address:0xd000
eth0:1 Link encap:Ethernet HWaddr 00:E0:29:31:36:13
inet addr:192.168.0.221 Bcast:192.168.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:11 Base address:0xd000
eth0:2 Link encap:Ethernet HWaddr 00:E0:29:31:36:13
inet addr:192.168.0.222 Bcast:192.168.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:11 Base address:0xd000
eth0:3 Link encap:Ethernet HWaddr 00:E0:29:31:36:13
inet addr:192.168.0.223 Bcast:192.168.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:11 Base address:0xd000
eth0:4 Link encap:Ethernet HWaddr 00:E0:29:31:36:13
inet addr:192.168.0.224 Bcast:192.168.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:11 Base address:0xd000
eth0:5 Link encap:Ethernet HWaddr 00:E0:29:31:36:13
inet addr:192.168.0.225 Bcast:192.168.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:11 Base address:0xd000
eth0:6 Link encap:Ethernet HWaddr 00:E0:29:31:36:13
inet addr:192.168.0.226 Bcast:192.168.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:11 Base address:0xd000
eth0:7 Link encap:Ethernet HWaddr 00:E0:29:31:36:13
inet addr:192.168.0.227 Bcast:192.168.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:11 Base address:0xd000
eth0:8 Link encap:Ethernet HWaddr 00:E0:29:31:36:13
inet addr:192.168.0.228 Bcast:192.168.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:11 Base address:0xd000
eth0:9 Link encap:Ethernet HWaddr 00:E0:29:31:36:13
inet addr:192.168.0.229 Bcast:192.168.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:11 Base address:0xd000
eth0:10 Link encap:Ethernet HWaddr 00:E0:29:31:36:13
inet addr:192.168.0.230 Bcast:192.168.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:11 Base address:0xd000
eth0:11 Link encap:Ethernet HWaddr 00:E0:29:31:36:13
inet addr:192.168.0.231 Bcast:192.168.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:11 Base address:0xd000
eth0:12 Link encap:Ethernet HWaddr 00:E0:29:31:36:13
inet addr:192.168.0.232 Bcast:192.168.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:11 Base address:0xd000
eth0:13 Link encap:Ethernet HWaddr 00:E0:29:31:36:13
inet addr:192.168.0.233 Bcast:192.168.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:11 Base address:0xd000
eth0:14 Link encap:Ethernet HWaddr 00:E0:29:31:36:13
inet addr:192.168.0.234 Bcast:192.168.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:11 Base address:0xd000
eth0:15 Link encap:Ethernet HWaddr 00:E0:29:31:36:13
inet addr:192.168.0.235 Bcast:192.168.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:11 Base address:0xd000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:12 errors:0 dropped:0 overruns:0 frame:0
TX packets:12 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
Next run (also as root) route -n to see the static routing table. The -n switch suppresses IP-address-to-name lookups, since DNS is not configured and enabled yet. The output should look something like the following.
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         192.168.0.254   0.0.0.0         UG    0      0        0 eth0
This screen tells us that all traffic to addresses in the 192.168.0.0/24 range is directed to the eth0 interface, and all traffic to addresses in the 127.0.0.0/8 range is directed to the local loopback interface. All other addresses are forwarded to the gateway 192.168.0.254, leaving through interface eth0.
Ping the interfaces using IP addresses. Ping the:
local interface: 127.0.0.1
ethernet interface: 192.168.0.1
the gateway address: 192.168.0.254
An external ip address, say linux.com which is: 216.136.171.205
The results from the ping should look something like:
root@harold:~>ping 216.136.171.205
PING 216.136.171.205 (216.136.171.205) from 192.168.0.1 : 56(84) bytes of data.
64 bytes from 216.136.171.205: icmp_seq=0 ttl=245 time=55.254 msec
64 bytes from 216.136.171.205: icmp_seq=1 ttl=245 time=49.937 msec
64 bytes from 216.136.171.205: icmp_seq=2 ttl=245 time=49.951 msec
64 bytes from 216.136.171.205: icmp_seq=3 ttl=245 time=49.953 msec
64 bytes from 216.136.171.205: icmp_seq=4 ttl=245 time=49.953 msec
64 bytes from 216.136.171.205: icmp_seq=5 ttl=245 time=49.956 msec
64 bytes from 216.136.171.205: icmp_seq=6 ttl=245 time=49.942 msec
64 bytes from 216.136.171.205: icmp_seq=7 ttl=245 time=49.956 msec
64 bytes from 216.136.171.205: icmp_seq=8 ttl=245 time=49.956 msec
64 bytes from 216.136.171.205: icmp_seq=9 ttl=245 time=49.954 msec
64 bytes from 216.136.171.205: icmp_seq=10 ttl=245 time=49.954 msec
--- 216.136.171.205 ping statistics ---
11 packets transmitted, 11 packets received, 0% packet loss
round-trip min/avg/max/mdev = 49.937/50.433/55.254/1.533 ms
Type ^C to exit ping
The resolver is a suite of C library functions supporting the resolution of IP addresses and domain names. These functions depend on the following files for their configuration:
Look at the man pages for the respective configuration files. In /etc/host.conf do not use the nospoof configuration item. nospoof makes the resolver library take the IP address it found for a domain name, reverse-look it up in in-addr.arpa, and confirm that the returned name matches, as a check that the domain name is not spoofed.
These days such mismatches are usual. For example, your upstream ISP gives you some static IP addresses but does not delegate the reverse lookup to you; a reverse lookup then returns the ISP's domain name assignment rather than yours, and with nospoof set the lookup fails.
In the interim, /etc/resolv.conf points to a name server located on a different machine. Once harold's name server is configured, /etc/resolv.conf will point here too. Note that the "search" configuration item removes the need for a "domain" configuration item.
The name service switch is a suite of C library functions that works co-operatively with the resolver library to provide additional name services such as NIS. Its configuration is /etc/nsswitch.conf; look at man nsswitch.conf. Harold relies mostly on the configuration files in /etc/: in most cases the library functions are directed to consult "files" before querying "nisplus" (which, by the way, is not enabled on harold). Host lookup is also instructed to query "dns" if the query is not satisfied by "files" or "nisplus".
ping is the most useful tool for this exercise. Ping using names instead of ip addresses:
local interface: localhost
ethernet interface: harold.cmex.org and harold.
the gateway address: gateway.
An external ip address, say linux.com.
Name serving is the task of relating domain names and URLs to IP addresses and vice versa. The DNS database is probably the largest public worldwide distributed and cached database.
This section describes the configuration of Bind V 9.2.x, that serves up an internal ip address view to the local network, and an external view to the rest of the world. Using a RedHat install, ensure that both bind-9.2*.rpm and bind-utils-9.2*.rpm are installed. Both rpms must be the same version.
Nameserver configuration with bind is governed by /etc/named.conf. This file specifies the behaviour of named, the nameserver daemon. The following is a short description of the contents of /etc/named.conf.
First an acl statement is used to define the group of internal network addresses int-ips. Acl is short for "Access Control List", a fancy name for a list of addresses.
Following the acl statement, the global options are defined. directory specifies the directory root for the zone file database. If the address translation (either name to IP address, or vice versa) cannot be found in the local nameserver cache, the forward first and forwarders statements instruct the nameserver to first consult the caches of the nameservers at the specified addresses before carrying out a recursive search for the address translation.
The last global option tells named to listen-on the single ethernet address and the localhost address for queries.
Following the global options are the internal view and external view. The internal view is only presented to the internal network, and the external view is presented only to the rest of the world. This feature solves these situations elegantly:
Bastion hosts (servers sitting behind the firewall) are presented to the rest of the world under external IP addresses, which the firewall port-forwards to local network addresses. For example, the IP address for www.cmex.org, when queried from the internet, resolves to the external IP address 209.53.193.13. The same query made from an internal host resolves to an internal network address.
Queries from the internal network are permitted to make recursive queries, whereas external queries are not permitted.
The internal view resolves addresses for all hosts on the local network. The external view does not show the internal network hosts.
Each zone specification in both the internal and external views references a zone database file, either in /var/named or in some subdirectory off it. A PDF of the bind documentation is found at ISC's website.
Reverse lookup does not work because the upstream ISP has not delegated reverse zone lookup.
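The skeleton below is an added example of a /etc/named.conf laid out as the description above says: an acl of internal addresses, the global options, and an internal and an external view. It is not harold's own file, which this page does not reproduce; the zone list is cut down to one domain, the forwarder and transfer-peer addresses are placeholders from the 192.0.2.0/24 documentation range, and the zone file names are assumptions. The recursion and allow-transfer settings in the external view are what the dig tests from the outside world later in this section exercise.

```conf
// Added example named.conf, not harold's own configuration.
// Internal addresses: the local subnet plus the loopback address.
acl "int-ips" { 192.168.0.0/24; 127.0.0.1; };

options {
    directory "/var/named";
    forward first;
    forwarders { 192.0.2.53; 192.0.2.54; };   // placeholders: your upstream resolvers
    listen-on { 127.0.0.1; 192.168.0.1; };    // the one ethernet address and localhost
};

// Internal view: only clients matching int-ips see it. They may recurse,
// and zone transfers are limited to the internal network.
view "internal" {
    match-clients { int-ips; };
    recursion yes;
    allow-transfer { int-ips; };
    zone "." IN { type hint; file "named.root"; };     // assumption: hints file name
    zone "jonathan-marks.com" IN {
        type master;
        file "internal/jonathan-marks.com";            // answers with 192.168.0.x
    };
    zone "0.168.192.in-addr.arpa" IN {
        type master;
        file "internal/0.168.192.in-addr.arpa";
    };
};

// External view: everyone else. No recursion (a query for a foreign name is
// answered with a referral to the root servers), and only the named
// secondary may transfer the zone; any other AXFR client gets nothing.
view "external" {
    match-clients { any; };
    recursion no;
    allow-transfer { 192.0.2.10; };                    // placeholder: secondary's address
    zone "jonathan-marks.com" IN {
        type master;
        file "external/jonathan-marks.com";            // answers with 64.114.81.x
    };
};
```

Views are matched in order, so the internal view must come first; a client that does not match int-ips falls through to the external view, which is why the same zone name is loaded twice in the startup log below.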
Once DNS is running, the hints database needs to be updated periodically, say once a month. The following /var/named/update-db.root script (plagiarised from the DNS HOWTO and TrinityOS) does just that.
Now make the file writable and executable only by root:
chmod 744 /var/named/update-db.root
And create a symbolic link to it from the monthly cron job.
ln -s /var/named/update-db.root /etc/cron.monthly/update-db.root
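Since the page does not reproduce update-db.root itself, the following is an added example of a hints-update script in the same spirit; it is not harold's script. It uses the same dig query the status email shows, but refuses to install the fetched data unless it contains root NS records with glue, so a failed fetch leaves the old hints in place, and it mails root with one of the two subject lines the text says to look for. HINTS is an assumption: use the file named by the hint zone in your named.conf. The script runs only when invoked under the name update-db.root (directly or through the cron symlink), so it can also be sourced for its functions.

```shell
#!/bin/sh
# Added example, not harold's /var/named/update-db.root.
# Fetch fresh root hints, validate them, install them and report to root.
HINTS=${HINTS:-/var/named/named.root}   # assumption: hints file from named.conf
NEW=$HINTS.new

# validate_hints FILE: succeed only if FILE holds root NS records plus glue.
# A failed dig leaves an empty or error-only file; installing that would
# stop recursion at the next named restart, so it is checked before use.
validate_hints() {
    f=$1
    [ -s "$f" ] || return 1
    ns=$(grep -ciE 'IN[[:space:]]+NS[[:space:]]+[A-M]\.ROOT-SERVERS\.NET\.' "$f" || true)
    glue=$(grep -ciE '^[A-M]\.ROOT-SERVERS\.NET\.[[:space:]]+[0-9]+[[:space:]]+IN[[:space:]]+A[[:space:]]+[0-9.]+' "$f" || true)
    [ "$ns" -ge 1 ] && [ "$glue" -ge 1 ]
}

# update_hints: fetch, validate, install (keeping a backup), restart, report.
# Returns 0 on success, 1 when the fetched data was rejected.
update_hints() {
    log=$(mktemp)
    dig @a.root-servers.net . ns > "$NEW" 2> "$log"
    if validate_hints "$NEW"; then
        if [ -f "$HINTS" ]; then cp -p "$HINTS" "$HINTS.bak"; fi
        mv "$NEW" "$HINTS"
        /etc/init.d/named restart >> "$log" 2>&1
        subject="SUCCESS: DNS monthly hints.db update."
        rc=0
    else
        rm -f "$NEW"                      # the old hints stay in place untouched
        subject="FAILED: DNS monthly hints.db update."
        rc=1
    fi
    { cat "$HINTS" 2>/dev/null; cat "$log"; } | mail -s "$subject" root
    rm -f "$log"
    return $rc
}

# run-parts executes the cron symlink as /etc/cron.monthly/update-db.root,
# so the update runs under that name and not when the file is merely sourced.
case $0 in
    *update-db.root) update_hints ;;
esac
```

The email's last lines will be the output of the named restart, so a "FAILED" there with a "SUCCESS" subject means the hints were installed but named did not come back; check /var/log/messages as described below.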
As root, stop and start the named server:
/etc/init.d/named restart
The screen output should indicate that it started correctly. All the startup tracing is by default logged to /var/log/messages. A relevant sample snippet is shown below.
    1 Nov 2 19:10:48 harold named[2437]: shutting down
    2 Nov 2 19:10:48 harold named[2437]: stopping command channel on 0.0.0.0#953
    3 Nov 2 19:10:48 harold named[2437]: no longer listening on 127.0.0.1#53
    4 Nov 2 19:10:48 harold named[2437]: no longer listening on 192.168.0.1#53
    5 Nov 2 19:10:48 harold named[2434]: exiting
    6 Nov 2 19:10:48 harold named: named shutdown succeeded
    7 Nov 2 19:10:49 harold named[2469]: starting BIND 9.2.0rc8 -u named
    8 Nov 2 19:10:49 harold named[2469]: using 1 CPU
    9 Nov 2 19:10:49 harold named[2471]: loading configuration from '/etc/named.conf'
   10 Nov 2 19:10:49 harold named[2471]: no IPv6 interfaces found
   11 Nov 2 19:10:49 harold named[2471]: listening on IPv4 interface lo, 127.0.0.1#53
   12 Nov 2 19:10:49 harold named[2471]: listening on IPv4 interface eth0, 192.168.0.1#53
   13 Nov 2 19:10:49 harold named: named startup succeeded
   14 Nov 2 19:10:49 harold named[2471]: command channel listening on 0.0.0.0#953
   15 Nov 2 19:10:49 harold named[2471]: zone 0.0.127.in-addr.arpa/IN: loaded serial 1999022700
   16 Nov 2 19:10:49 harold named[2471]: zone 0.168.192.in-addr.arpa/IN: loaded serial 2000022643
   17 Nov 2 19:10:49 harold named[2471]: zone cara-marks.com/IN: loaded serial 2000022805
   18 Nov 2 19:10:49 harold named[2471]: zone e-voice-mail.com/IN: loaded serial 2000022803
   19 Nov 2 19:10:49 harold named[2471]: zone jmarks-asc.com/IN: loaded serial 2000022804
   20 Nov 2 19:10:49 harold named[2471]: zone jonathan-marks.com/IN: loaded serial 2000022803
   21 Nov 2 19:10:49 harold named[2471]: zone networks-r-us.com/IN: loaded serial 2000022803
   22 Nov 2 19:10:49 harold named[2471]: zone networksrus.com/IN: loaded serial 2000022803
   23 Nov 2 19:10:49 harold named[2471]: zone software-foundry.com/IN: loaded serial 2000022803
   24 Nov 2 19:10:49 harold named[2471]: zone sorcerers-foundry.com/IN: loaded serial 2000022803
   25 Nov 2 19:10:49 harold named[2471]: zone steven-marks.com/IN: loaded serial 2000022803
   26 Nov 2 19:10:49 harold named[2471]: zone vanessa-marks.com/IN: loaded serial 2000022803
   27 Nov 2 19:10:49 harold named[2471]: zone novatek.co.nz/IN: loaded serial 2000022813
   28 Nov 2 19:10:49 harold named[2471]: zone cmex.org/IN: loaded serial 2000022805
   29 Nov 2 19:10:49 harold named[2471]: zone 0.0.127.in-addr.arpa/IN: loaded serial 1999022700
   30 Nov 2 19:10:49 harold named[2471]: zone 193.53.209.in-addr.arpa/IN: loaded serial 2000071802
   31 Nov 2 19:10:49 harold named[2471]: zone 81.114.64.in-addr.arpa/IN: loaded serial 2000071802
   32 Nov 2 19:10:49 harold named[2471]: zone cara-marks.com/IN: loaded serial 2000071805
   33 Nov 2 19:10:49 harold named[2471]: zone e-voice-mail.com/IN: loaded serial 2000071802
   34 Nov 2 19:10:49 harold named[2471]: zone jmarks-asc.com/IN: loaded serial 2000071802
   35 Nov 2 19:10:49 harold named[2471]: zone jonathan-marks.com/IN: loaded serial 2000071804
   36 Nov 2 19:10:49 harold named[2471]: zone networks-r-us.com/IN: loaded serial 2000071805
   37 Nov 2 19:10:49 harold named[2471]: zone networksrus.com/IN: loaded serial 2000071805
   38 Nov 2 19:10:49 harold named[2471]: zone software-foundry.com/IN: loaded serial 2000071804
   39 Nov 2 19:10:49 harold named[2471]: zone sorcerers-foundry.com/IN: loaded serial 2000071805
   40 Nov 2 19:10:49 harold named[2471]: zone steven-marks.com/IN: loaded serial 2000071804
   41 Nov 2 19:10:49 harold named[2471]: zone vanessa-marks.com/IN: loaded serial 2000071803
   42 Nov 2 19:10:49 harold named[2471]: zone novatek.co.nz/IN: loaded serial 2000071804
   43 Nov 2 19:10:49 harold named[2471]: zone cmex.org/IN: loaded serial 2000071807
   44 Nov 2 19:10:49 harold named[2471]: running
   45 Nov 2 19:10:49 harold named[2471]: zone novatek.co.nz/IN: sending notifies (serial 2000022813)
   46 Nov 2 19:10:49 harold named[2471]: zone novatek.co.nz/IN: sending notifies (serial 2000071804)
   47 Nov 2 19:10:49 harold named[2471]: zone sorcerers-foundry.com/IN: sending notifies (serial 2000022803)
   48 Nov 2 19:10:49 harold named[2471]: zone sorcerers-foundry.com/IN: sending notifies (serial 2000071805)
   49 Nov 2 19:10:49 harold named[2471]: zone software-foundry.com/IN: sending notifies (serial 2000022803)
   50 Nov 2 19:10:49 harold named[2471]: zone cara-marks.com/IN: sending notifies (serial 2000022805)
   51 Nov 2 19:10:49 harold named[2471]: zone software-foundry.com/IN: sending notifies (serial 2000071804)
   52 Nov 2 19:10:49 harold named[2471]: zone cara-marks.com/IN: sending notifies (serial 2000071805)
   53 Nov 2 19:10:49 harold named[2471]: zone e-voice-mail.com/IN: sending notifies (serial 2000022803)
   54 Nov 2 19:10:49 harold named[2471]: zone steven-marks.com/IN: sending notifies (serial 2000022803)
   55 Nov 2 19:10:49 harold named[2471]: zone e-voice-mail.com/IN: sending notifies (serial 2000071802)
   56 Nov 2 19:10:49 harold named[2471]: zone steven-marks.com/IN: sending notifies (serial 2000071804)
   57 Nov 2 19:10:49 harold named[2471]: zone jmarks-asc.com/IN: sending notifies (serial 2000022804)
   58 Nov 2 19:10:49 harold named[2471]: zone jmarks-asc.com/IN: sending notifies (serial 2000071802)
   59 Nov 2 19:10:49 harold named[2471]: zone jonathan-marks.com/IN: sending notifies (serial 2000022803)
   60 Nov 2 19:10:49 harold named[2471]: zone vanessa-marks.com/IN: sending notifies (serial 2000022803)
   61 Nov 2 19:10:49 harold named[2471]: zone jonathan-marks.com/IN: sending notifies (serial 2000071804)
   62 Nov 2 19:10:49 harold named[2471]: zone vanessa-marks.com/IN: sending notifies (serial 2000071803)
   63 Nov 2 19:10:49 harold named[2471]: zone cmex.org/IN: sending notifies (serial 2000022805)
   64 Nov 2 19:10:49 harold named[2471]: zone networksrus.com/IN: sending notifies (serial 2000022803)
   65 Nov 2 19:10:49 harold named[2471]: zone networks-r-us.com/IN: sending notifies (serial 2000022803)
   66 Nov 2 19:10:49 harold named[2471]: zone cmex.org/IN: sending notifies (serial 2000071807)
   67 Nov 2 19:10:49 harold named[2471]: zone networksrus.com/IN: sending notifies (serial 2000071805)
   68 Nov 2 19:10:49 harold named[2471]: zone networks-r-us.com/IN: sending notifies (serial 2000071805)
   69 Nov 2 19:10:50 harold named[2471]: client 192.168.0.3#2995: transfer of 'cara-marks.com/IN': AXFR-style IXFR started
The first 6 lines show the previous instance of the named server shutting down; the following lines trace the startup of the new named task. The zone files appear to be loaded twice. This is not the case: by configuration, the internal-network view and the rest-of-the-world view each have a zone file of the same name. The trace from line 45 on shows named notifying the other name servers listed in each domain's zone file of that zone file's serial number. If the serial number on a secondary DNS zone database is less than this value, the secondary requests a zone transfer, as seen on the last line of the trace.
Testing the internal name serving, first we dig a local address:
# dig @192.168.0.1 www.jonathan-marks.com
; <<>> DiG 9.2.0rc5 <<>> @192.168.0.1 www.jonathan-marks.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25909
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;www.jonathan-marks.com. IN A
;; ANSWER SECTION:
www.jonathan-marks.com. 86400 IN A 192.168.0.222
;; AUTHORITY SECTION:
jonathan-marks.com. 86400 IN NS ns1.cmex.org.
;; ADDITIONAL SECTION:
ns1.cmex.org. 86400 IN A 192.168.0.1
;; Query time: 22 msec
;; SERVER: 192.168.0.1#53(192.168.0.1)
;; WHEN: Fri Nov 2 21:08:53 2001
;; MSG SIZE rcvd: 98
Note that I use the raw ip address of harold, rather than ns1.cmex.org, as that name resolves to another nameserver on the network while this server is being built.
Next we dig an external address from the internal network. This verifies that the name server can do recursive lookups for the internal network.
# dig @192.168.0.1 www.linux.org
; <<>> DiG 9.2.0rc5 <<>> @192.168.0.1 www.linux.org
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37403
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.linux.org. IN A
;; ANSWER SECTION:
www.linux.org. 15890 IN A 198.182.196.56
;; Query time: 84 msec
;; SERVER: 192.168.0.1#53(192.168.0.1)
;; WHEN: Fri Nov 2 21:16:52 2001
;; MSG SIZE rcvd: 47
Then we dig a whole zone of an internal domain name:
# dig @192.168.0.1 jonathan-marks.com axfr
; <<>> DiG 9.2.0rc5 <<>> @192.168.0.1 jonathan-marks.com axfr
;; global options: printcmd
jonathan-marks.com. 86400 IN SOA harold.cmex.org. hostmaster.cmex.org. 2000022803 28800 7200 604800 86400
jonathan-marks.com. 86400 IN A 192.168.0.222
jonathan-marks.com. 86400 IN NS ns1.cmex.org.
jonathan-marks.com. 86400 IN NS ns2.cmex.org.
jonathan-marks.com. 86400 IN MX 10 mail.jonathan-marks.com.
ftp.jonathan-marks.com. 86400 IN A 192.168.0.223
mail.jonathan-marks.com. 86400 IN A 192.168.0.224
www.jonathan-marks.com. 86400 IN A 192.168.0.222
jonathan-marks.com. 86400 IN SOA harold.cmex.org. hostmaster.cmex.org. 2000022803 28800 7200 604800 86400
;; Query time: 9 msec
;; SERVER: 192.168.0.1#53(192.168.0.1)
;; WHEN: Fri Nov 2 21:36:06 2001
;; XFR size: 10 records
Everything appears to work fine so far. Now from a host external to the local network. Presently I have only set up ns2.cmex.org to be port-forwarded from the firewall to this server. Let's see what it serves up, first a local domain:
# dig @ns2.cmex.org www.jonathan-marks.com
; <<>> DiG 8.3 <<>> @ns2.cmex.org www.jonathan-marks.com
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUERY SECTION:
;; www.jonathan-marks.com, type = A, class = IN
;; ANSWER SECTION:
www.jonathan-marks.com. 1D IN A 64.114.81.253
;; AUTHORITY SECTION:
jonathan-marks.com. 1D IN NS ns2.cmex.org.
jonathan-marks.com. 1D IN NS ns1.cmex.org.
;; ADDITIONAL SECTION:
ns1.cmex.org. 1D IN A 64.114.81.252
ns2.cmex.org. 1D IN A 209.53.193.13
;; Total query time: 164 msec
;; FROM: homer.mostscents.com to SERVER: ns2.cmex.org 209.53.193.13
;; WHEN: Fri Nov 2 22:59:16 2001
;; MSG SIZE sent: 40 rcvd: 132
Great, that works! Notice the external IP addresses for the host and for the name servers. Now let's attempt a recursive lookup; this should fail, as recursive lookups are disabled for the external network.
# dig @ns2.cmex.org www.linux.org
; <<>> DiG 8.3 <<>> @ns2.cmex.org www.linux.org
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 0
;; QUERY SECTION:
;; www.linux.org, type = A, class = IN
;; AUTHORITY SECTION:
. 6D IN NS E.ROOT-SERVERS.NET.
. 6D IN NS F.ROOT-SERVERS.NET.
. 6D IN NS G.ROOT-SERVERS.NET.
. 6D IN NS H.ROOT-SERVERS.NET.
. 6D IN NS I.ROOT-SERVERS.NET.
. 6D IN NS J.ROOT-SERVERS.NET.
. 6D IN NS K.ROOT-SERVERS.NET.
. 6D IN NS L.ROOT-SERVERS.NET.
. 6D IN NS M.ROOT-SERVERS.NET.
. 6D IN NS A.ROOT-SERVERS.NET.
. 6D IN NS B.ROOT-SERVERS.NET.
. 6D IN NS C.ROOT-SERVERS.NET.
. 6D IN NS D.ROOT-SERVERS.NET.
;; Total query time: 167 msec
;; FROM: homer.mostscents.com to SERVER: ns2.cmex.org 209.53.193.13
;; WHEN: Fri Nov 2 23:04:36 2001
;; MSG SIZE sent: 31 rcvd: 242
That works too: note how the server did not carry out the recursive lookup itself, but referred the querying server to the root servers. Finally, we attempt to dig a whole zone, first from an authorized transferee and then from an unauthorized one.
# dig @ns2.cmex.org jonathan-marks.com axfr
; <<>> DiG 8.3 <<>> @ns2.cmex.org jonathan-marks.com axfr
; (1 server found)
$ORIGIN jonathan-marks.com.
@ 1D IN SOA cmex.org. hostmaster.cmex.org. (
    2000071804 ; serial
    8H ; refresh
    2H ; retry
    1W ; expiry
    1D ) ; minimum
  1D IN A 64.114.81.252
  1D IN NS ns1.cmex.org.
  1D IN NS ns2.cmex.org.
  1D IN MX 10 mail
ftp 1D IN A 64.114.81.253
mail 1D IN A 64.114.81.252
www 1D IN A 64.114.81.253
@ 1D IN SOA cmex.org. hostmaster.cmex.org. (
    2000071804 ; serial
    8H ; refresh
    2H ; retry
    1W ; expiry
    1D ) ; minimum
;; Received 1 answer (9 records).
;; FROM: homer.mostscents.com to SERVER: 209.53.193.13
;; WHEN: Fri Nov 2 23:11:47 2001
That works too. From an unauthorized transferee, we should see:
# dig @ns2.cmex.org jonathan-marks.com axfr
; <<>> DiG 8.3 <<>> @ns2.cmex.org jonathan-marks.com axfr
; (1 server found)
;; Received 0 answers (0 records).
;; FROM: homer.mostscents.com to SERVER: 209.53.193.13
;; WHEN: Fri Nov 2 23:15:42 2001
This is correct: unauthorized transferees should not get the zone information.
These tests show that the nameserver configuration files are working. The last thing to test is the /var/named/update-db.root script, checking that it delivers an email to root. The sendmail setup shows how to forward root's email to a "worldly" email address. Execute /var/named/update-db.root, and when it completes execute mail and look for a message whose subject starts with either "SUCCESS: DNS monthly hints.db update." or "FAILED: DNS monthly hints.db update.". If the update was successful, the email should look like:
Date: Fri, 2 Nov 2001 18:37:27 -0800
From: system <root@harold.cmex.org>
To: hostmaster <root@harold.cmex.org>
Subject: DNS monthly hints.db update status: SUCCESS.
; <<>> DiG 9.1.3 <<>> @a.root-servers.net . ns
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7662
;; flags: qr aa rd; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 13
;; QUESTION SECTION:
;. IN NS
;; ANSWER SECTION:
. 518400 IN NS A.ROOT-SERVERS.NET.
. 518400 IN NS H.ROOT-SERVERS.NET.
. 518400 IN NS C.ROOT-SERVERS.NET.
. 518400 IN NS G.ROOT-SERVERS.NET.
. 518400 IN NS F.ROOT-SERVERS.NET.
. 518400 IN NS B.ROOT-SERVERS.NET.
. 518400 IN NS J.ROOT-SERVERS.NET.
. 518400 IN NS K.ROOT-SERVERS.NET.
. 518400 IN NS L.ROOT-SERVERS.NET.
. 518400 IN NS M.ROOT-SERVERS.NET.
. 518400 IN NS I.ROOT-SERVERS.NET.
. 518400 IN NS E.ROOT-SERVERS.NET.
. 518400 IN NS D.ROOT-SERVERS.NET.
;; ADDITIONAL SECTION:
A.ROOT-SERVERS.NET. 3600000 IN A 198.41.0.4
H.ROOT-SERVERS.NET. 3600000 IN A 128.63.2.53
C.ROOT-SERVERS.NET. 3600000 IN A 192.33.4.12
G.ROOT-SERVERS.NET. 3600000 IN A 192.112.36.4
F.ROOT-SERVERS.NET. 3600000 IN A 192.5.5.241
B.ROOT-SERVERS.NET. 3600000 IN A 128.9.0.107
J.ROOT-SERVERS.NET. 3600000 IN A 198.41.0.10
K.ROOT-SERVERS.NET. 3600000 IN A 193.0.14.129
L.ROOT-SERVERS.NET. 3600000 IN A 198.32.64.12
M.ROOT-SERVERS.NET. 3600000 IN A 202.12.27.33
I.ROOT-SERVERS.NET. 3600000 IN A 192.36.148.17
E.ROOT-SERVERS.NET. 3600000 IN A 192.203.230.10
D.ROOT-SERVERS.NET. 3600000 IN A 128.8.10.90
;; Query time: 110 msec
;; SERVER: 198.41.0.4#53(a.root-servers.net)
;; WHEN: Fri Nov 2 18:37:27 2001
;; MSG SIZE rcvd: 436
Restarting named:
Stopping named: ^[[60G[^[[1;31mFAILED^[[0;39m]
Starting named: ^[[60G[^[[1;31mFAILED^[[0;39m]
It is useful for harold to be able to automatically mount the file systems of the other machines (read only), as well as to automount its own CD drive and floppy disc drive. It is also useful for other (privileged) machines to be permitted read-only access to harold's file system.
File system mounting is controlled by /etc/fstab. mount, when called from rc.sysinit, looks at this file to determine what to mount. In harold's configuration, only hard drives, ptys and the proc file system are mounted.
With the new /etc/fstab, reboot the computer. We could unmount and remount the filesystems without rebooting, but we need to check that the configuration will behave as expected on bootup. Once the system has booted enter mount. It should produce similar output:
/dev/hda4 on / type ext2 (rw)
none on /proc type proc (rw)
/dev/hda1 on /boot type ext2 (rw)
/dev/hda3 on /usr/local/ftp/incoming type ext2 (rw)
/dev/hdc3 on /disk2 type ext2 (rw)
/dev/hdc1 on /disk2/boot type ext2 (rw)
none on /dev/pts type devpts (rw,gid=5,mode=620)
automount(pid544) on /misc type autofs (rw,fd=5,pgrp=544,minproto=2,maxproto=3)
If the last line does not appear on the screen output, do not worry, it just means that the automounter daemon is not running, its configuration is explained below.
Firstly, the kernel must be compiled to support nfs. If not, first rebuild the kernel. (If someone knows how to do a simple check from the command line to determine if nfs is compiled in, please let me know - jm at cmex dot org). As root, run chkconfig --list and check that the following lines appear in the listing:
. . .
nfs       0:off 1:off 2:off 3:on 4:on 5:on 6:off
nfslock   0:off 1:off 2:off 3:on 4:on 5:on 6:off
If the entries do not exist, install the latest nfs-utils rpm, available from any RedHat mirror.
If the entries exist, but are not on for levels 3, 4, and 5, this is fixed by:
chkconfig --level 345 nfs on
chkconfig --level 345 nfslock on
/etc/init.d/nfs stop #just in case
/etc/init.d/nfslock stop #just in case
/etc/init.d/nfs start
/etc/init.d/nfslock start
The nfslock startup is not crucial, it is useful in tracking nfs file locks across host reboots. See the nfslock man page.
To get nfs to work, the exports file needs to be set up - see below.
In order to permit other hosts NFS access to harold, harold's /etc/exports file needs entries to support it. harold permits read-only access from its root directory to the listed hosts. See the exports man page; there are examples at the bottom of it. Restart nfs with /etc/init.d/nfs restart for the new exports to be read into the kernel, which can be checked with less /proc/fs/nfs/exports.
Correspondingly, other hosts that harold may wish to access through NFS should have their exports files set up appropriately.
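As an added check for the policy just described (read-only exports to named hosts, with remote root squashed), the following lint reads an exports(5)-style file and reports any entry that is more permissive. It is not part of harold's configuration; the sample file in the usage is constructed for illustration. It reads the file as text only and never touches the running NFS server.

```shell
#!/bin/sh
# Added example, not part of harold's configuration: a lint for /etc/exports.

# lint_exports FILE: print one "path client: reason" line per risky entry.
# Returns 1 if anything was reported, 0 if the file matches the policy.
lint_exports() {
    file=$1
    flagged=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%'#'*}            # drop comments
        set -f                        # no globbing: "*" is a literal client
        set -- $line                  # split on whitespace
        set +f
        [ $# -gt 0 ] || continue
        path=$1
        shift
        if [ $# -eq 0 ]; then         # "/export" alone: every host, default options
            echo "$path *: no client list, exported to every host"
            flagged=1
            continue
        fi
        for client; do
            host=${client%%\(*}       # part before "(" is the host spec
            opts=""
            case $client in
                *\(*\)) opts=${client#*\(}; opts=${opts%\)} ;;
            esac
            case $host in
                ''|*\**|*\?*) echo "$path $client: wildcard client"; flagged=1 ;;
            esac
            case ",$opts," in
                *,rw,*) echo "$path $client: read-write export"; flagged=1 ;;
            esac
            case ",$opts," in
                *,no_root_squash,*) echo "$path $client: remote root is not squashed"; flagged=1 ;;
            esac
        done
    done < "$file"
    return $flagged
}

# Stand-alone use: lint the real file, or a file given on the command line.
case ${1:-} in
    '') ;;
    *) lint_exports "$1" ;;
esac
```

Run it as sh lint-exports.sh /etc/exports before restarting nfs; an exit status of 1 with the offending lines printed means the file departs from the read-only, named-host policy.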
autofs is the automounting software used on harold. It is used to mount floppy discs, CD's and nfs mounts. If not installed, install the latest autofs rpm. To check if it is running, execute ps ax, and look for automount in the output.
Autofs's configuration is determined by /etc/auto.master and /etc/auto.mnt. See the man pages for autofs, automount and auto.master. Forward and reverse DNS lookup must be working for this to work: NFS does a name lookup and a reverse name lookup and verifies that the looked-up name matches the name given. Also, for the NFS mounts to other hosts, those hosts must permit harold access.
As root, create the /mnt/ directory (the directory name specified in /etc/auto.master) with 755 permissions:
mkdir /mnt
chmod 755 /mnt
The RedHat printtool GUI utility is effective in configuring the printer. Since we are at a different host to harold, there are a few things that need to be done to be able to run an X app on a remote host.
This section only deals with setting up an lpd print server. The section on Samba deals with printer sharing for Windows-type networks.
Run up printtool
Click on the "New" toolbar button. This launches the RedHat Printer installation wizard. Select "Next" on the Add A New Printer Queue Wizard. Enter a name in the Queue Name field to uniquely identify the printer.
Press Next. Ensure that the printer to be configured is selected.
Press Next, and select an appropriate driver. Note the expanded window to illustrate the printer selection.
Press Next. The finish screen appears.
Press Finish. The print config window shows the printer installed. This process creates the file /etc/printcap.
It is worth also mentioning that the default parameters and permissions for lpd can be changed with /etc/lpd.conf and /etc/lpd.perms respectively. The defaults from the RedHat install are fine for this config. Here's a link to the latest LPRng documentation. It is also worthwhile taking a look at the "lpr", "lpd", "lprm" and "lpq" man pages. Also ensure that the lpd daemon is configured to start up on reboot.
If this is the default printer, this can be set as an environment variable with:
export PRINTER=hp850c
A similar line can be inserted either in ~/.bashrc for just this login, or /etc/profile for the benefit of all logins.
As for the local printer, run up printtool. Select "New" from the tool bar. Select "Next" on the first screen of the RedHat Printer Install Wizard. On the next screen enter a printer queue name, and select Unix printer. This is the host that does not have the printer physically attached to it.
Press Next. On the next screen enter the server and printer queue of the host that has the printer attached.
Press Next and select the printer driver, and finish as for the local configuration.
Harold requires a rather simple Samba workgroup configuration. This section covers setting up Samba, creating Windows logins, and setting up network printers from Samba. The Samba version set up here is 2.2.2.
The Samba configuration is governed by /etc/samba/smb.conf. Basically it provides:
A private Windows share for each login,
A shared network printer for Windows Workgroups,
A public share (remember to mkdir /usr/local/public), and
A share to the automountable CD ROM on harold
In the [global] section it is useful to point out the following:
security = user, meaning that security is per user login rather than per shared resource.
map to guest = bad user is used to give access to Windows users on unsecured Win98 and ME boxes without correct logins, especially for printer sharing.
Through hosts allow, this Samba service is only accessible to hosts on the local private subnet.
Encrypted passwords, more of this in the next section.
In the past (Win95, and NT4 SP2 and earlier) the Microsoft default was to pass cleartext passwords over the network. This default changed to encrypted passwords with later Windows products. There are notes in the release documentation (WinNT.txt) on how to change the defaults back to clear text. This is ill advised; better to set Samba up to deal with encryption.
For Samba to handle encrypted Windows passwords correctly, firstly /etc/samba/smb.conf must be configured with