HOWTO - Configure Harold

Jonathan Marks
jm (at) cmex (dot) org

Copyright © 2001 by Jonathan Marks, All rights reserved.

Revision History
Revision 0.01   24-Aug-2001   Revised by: jm
Initial Entry: $id:$

This document covers the installation and configuration of software on "harold". "harold" is a general virtual server, serving up http, ftp, smtp, pop3, dns, mgetty, faxing, printing, cvs, nfs, samba, pptp vpn, and many other services. It is intended to be used behind a firewall in a Demilitarized Zone (DMZ). This type of configuration is typical for a small, low volume site. Its prime purpose is to document the configuration of one of my servers. I share this in the hope that it may help others.

_________________________________________________________________

Table of Contents

1. Introduction and Administrivia
   1.1. Introduction
   1.2. Document Conventions
   1.3. Document Blah
   References
2. Harold's Hardware
   2.1. Motherboard
   2.2. CPU
   2.3. Video Controller
   2.4. Ethernet Network Controller
   2.5. Serial Ports
   2.6. Parallel Port
   2.7. IDE, Hard Drives, CDROMs and Controllers
   2.8. Floppy Drive
   References
3. Installing Linux
   References
4. Initial Configuring and Securing
   4.1. Configuring and Securing Bootup
      4.1.1. init and /etc/inittab
      4.1.2. /etc/rc.d/rc.sysinit
      4.1.3. /etc/rc.d/rc.local
   4.2. Enabling Remote Services
      4.2.1. Enabling Telnet
      4.2.2. Enabling FTP
      4.2.3. TCP Wrappers Settings
      4.2.4. Making It Work
   4.3. Console Fonts
   4.4. Bash Configuration
   References
5. Upgrading the Kernel
   5.1. Introduction
   5.2. Installing the Latest Kernel Source and Patches
      5.2.1. Getting and Installing the Latest Kernel
      5.2.2. Getting and Making the Patches
   5.3. Configuring the Kernel for Build
      5.3.1. Upgrading an Earlier Kernel Version Custom Build
      5.3.2. Configuring the Kernel
         5.3.2.1. Code Maturity Level
         5.3.2.2. Loadable Module Support
         5.3.2.3. Processor type and features
         5.3.2.4. General Setup
         5.3.2.5. Binary emulation of other systems
         5.3.2.6. Memory Technology Devices (MTD)
         5.3.2.7. Parallel Port Support
         5.3.2.8. Plug and Play Configuration
         5.3.2.9. Block Devices
         5.3.2.10. Multi-device Support
         5.3.2.11. Networking Options
         5.3.2.12. Telephony Support
         5.3.2.13. ATA/IDE/MFM/RLL Support
         5.3.2.14. SCSI Support
         5.3.2.15. FireWire Support
         5.3.2.16. I2O Support
         5.3.2.17. Network Device Support
         5.3.2.18. Amateur Radio Support
         5.3.2.19. IrDA Support
         5.3.2.20. ISDN Subsystem
         5.3.2.21. Old CDROM Drivers
         5.3.2.22. Input Core Support
         5.3.2.23. Character Devices
         5.3.2.24. Multimedia Devices
         5.3.2.25. Crypto Hardware Support
         5.3.2.26. File Systems
         5.3.2.27. Console Drivers
         5.3.2.28. Sound Support
         5.3.2.29. USB support
         5.3.2.30. Bluetooth support
         5.3.2.31. Kernel Hacking
   5.4. Building the Kernel
   5.5. Installing the Kernel
      5.5.1. First Time Kernel Install
      5.5.2. Following Kernel Installs
   References
6. Network Configuration
   6.1. What do we want to achieve?
   6.2. IP Configuration
   6.3. IP Aliasing
   6.4. Checking the IP Configuration
   6.5. Resolver Configuration
   6.6. Network Services Switch
   6.7. Checking Network Resolution
   References
7. Name Serving (DNS)
   7.1. DNS Configuration
   7.2. DNS Maintenance
   7.3. Verifying DNS Operation
8. File System Mounts, NFS and Automount Configuration
   8.1. File System Mounts
   8.2. NFS Setup
      8.2.1. NFS Daemons
      8.2.2. NFS Exports
   8.3. Automounter
9. Printer Configuration
   9.1. Setting up a local printer
   9.2. Printing to a remote printer under Linux
10. Samba Configuration
   10.1. Setting up Samba
   10.2. Samba Passwords for Windows Logins
   10.3. Samba Printer Sharing
11. Tips and Tricks
   11.1. Running X apps on remote hosts
A. Harold's Configuration Files
   A.1. /etc/auto.master
   A.2. /etc/auto.mnt
   A.3. /etc/bashrc
   A.4. /etc/exports
   A.5. /etc/ftpaccess
   A.6. /etc/fstab
   A.7. /etc/host.conf
   A.8. /etc/hosts
   A.9. /etc/hosts.allow
   A.10. /etc/hosts.deny
   A.11. /etc/inittab
   A.12. /etc/lilo.conf
   A.13. /etc/named.conf
   A.14. /etc/nsswitch.conf
   A.15. /etc/printcap
   A.16. /etc/profile
   A.17. /etc/rc.d/rc.local
   A.18. /etc/resolv.conf
   A.19. /etc/samba/smb.conf
   A.20. /etc/securetty
   A.21. /etc/skel/.bashrc
   A.22. /etc/skel/.bash_profile
   A.23. /etc/sysconfig/i18n
   A.24. /etc/sysconfig/network
   A.25. /etc/sysconfig/network-scripts/ifcfg-eth0
   A.26. /etc/sysconfig/network-scripts/ifcfg-eth0-rng0
   A.27. /etc/sysconfig/network-scripts/ifup-ipalias
   A.28. /etc/xinetd.d/telnet
   A.29. /etc/xinetd.d/wu-ftp
   A.30. /usr/src/linux-2.4/.config
   A.31. /var/named/db.127.0.0
   A.32. /var/named/db.root
   A.33. /var/named/ext-pri/db.209.53.193
   A.34. /var/named/ext-pri/db.64.114.81
   A.35. /var/named/ext-pri-db.cara-marks.com
   A.36. /var/named/ext-pri/db.cmex.org
   A.37. /var/named/ext-pri/db.e-voice-mail.com
   A.38. /var/named/ext-pri-db.jonathan-marks.com
   A.39. /var/named/ext-pri/db.jmarks-asc.com
   A.40. /var/named/ext-pri/networksrus.com
   A.41. /var/named/ext-pri/db.networks-r-us.com
   A.42. /var/named/ext-pri/db.novatek.co.nz
   A.43. /var/named/ext-pri/db.software-foundry.com
   A.44. /var/named/ext-pri/db.sorcerers-foundry.com
   A.45. /var/named/ext-pri/db.steven-marks.com
   A.46. /var/named/ext-pri/db.vanessa-marks.com
   A.47. /var/named/int-pri/db.192.168.0
   A.48. /var/named/int-pri-db.cara-marks.com
   A.49. /var/named/int-pri/db.cmex.org
   A.50. /var/named/int-pri/db.e-voice-mail.com
   A.51. /var/named/int-pri/db.jonathan-marks.com
   A.52. /var/named/int-pri/db.jmarks-asc.com
   A.53. /var/named/int-pri/networksrus.com
   A.54. /var/named/int-pri/db.networks-r-us.com
   A.55. /var/named/int-pri/db.novatek.co.nz
   A.56. /var/named/int-pri/db.software-foundry.com
   A.57. /var/named/int-pri/db.sorcerers-foundry.com
   A.58. /var/named/int-pri/db.steven-marks.com
   A.59. /var/named/int-pri/db.vanessa-marks.com
   A.60. /var/named/update-db.root

List of Figures

9-1. Printtool's main Screen
9-2. Printtool's New Printer Screen
9-3. Printtool's First Configure Screen
9-4. Printtool's Second Configure Screen
9-5. Printtool's Final Configure Screen
9-6. Printtool's Remote Unix LPD Configure Screen
9-7.
     Printtool's Remote Server LPD Configure Screen

_________________________________________________________________

Chapter 1. Introduction and Administrivia

$id:$

_________________________________________________________________

1.1. Introduction

FIXTHIS - I'll get to this later

_________________________________________________________________

1.2. Document Conventions

DocBook defaults are changed to provide line numbering for and tags. For ease of use it is easy to copy this "literal layout text" for your use and get rid of the line numbering in the first 5 columns using your favourite editor. The command to do this in vi is:

    :%s/^.\{5}//g

FIXTHIS - I'll get to this later

_________________________________________________________________

1.3. Document Blah

FIXTHIS - I'll get to this later

References

[1] Jonathan A. Marks, 2001, Not a reference.

_________________________________________________________________

Chapter 2. Harold's Hardware

$id:$

_________________________________________________________________

2.1. Motherboard

ASUS TXP4 Rev 1.2 with BIOS V1.09, Intel 430TX PCI chipset
Intel Pentium MMX, 233MHz with F00F bug
256Mb SDRAM

_________________________________________________________________

2.2. CPU

CPU info obtained with:

    cat /proc/cpuinfo

    processor       : 0
    vendor_id       : GenuineIntel
    cpu family      : 5
    model           : 4
    model name      : Pentium MMX
    stepping        : 3
    cpu MHz         : 233.868
    fdiv_bug        : no
    hlt_bug         : no
    f00f_bug        : yes
    coma_bug        : no
    fpu             : yes
    fpu_exception   : yes
    cpuid level     : 1
    wp              : yes
    flags           : fpu vme de pse tsc msr mce cx8 mmx
    bogomips        : 466.94

_________________________________________________________________

2.3. Video Controller

Probed with /usr/bin/X11/SuperProbe, part of the X installation.
    First video: Super-VGA
        Chipset: ATI 264GT-B+DVD (3D Rage II+DVD) (Port Probed)
        Memory:  2048 Kbytes
        RAMDAC:  ATI Mach64 integrated 15/16/24/32-bit DAC w/clock
                 (with 6-bit wide lookup tables (or in 6-bit mode))
                 (programmable for 6/8-bit wide lookup tables)
        Attached graphics coprocessor:
            Chipset: ATI Mach64
            Memory:  2048 Kbytes

_________________________________________________________________

2.4. Ethernet Network Controller

Harold has an SMC 10Mbit/s controller. The kernel detects the following at bootup, as found in dmesg:

    eth0: RealTek RTL-8029 found at 0xd000, IRQ 11, 00:E0:29:31:36:13.

_________________________________________________________________

2.5. Serial Ports

Harold has three serial ports: ttyS0 and ttyS1 are the onboard serial ports and ttyS3 belongs to a modem. The serial port hardware is configured as follows:

    ttyS00 at 0x03f8 (irq = 4) is a 16550A    (onboard - used for mouse)
    ttyS01 at 0x02f8 (irq = 3) is a 16550A    (onboard - spare)
    ttyS03 at 0x02e8 (irq = 5) is a 16550A    (modem)

_________________________________________________________________

2.6. Parallel Port

Harold has a single parallel port which is on board the motherboard and is configured (through the BIOS setup) for ECP and EPP operation. dmesg shows the parallel port as:

    IO=0x378, IRQ=7, ECP and EPP-1.9, DMA chan 3

_________________________________________________________________

2.7. IDE, Hard Drives, CDROMs and Controllers

The following output is snipped from dmesg.
    Uniform Multi-Platform E-IDE driver Revision: 6.31
    ide: Assuming 33MHz system bus speed for PIO modes; override with idebus=xx
    PIIX4: IDE controller on PCI bus 00 dev 09
    PIIX4: chipset revision 1
    PIIX4: not 100% native mode: will probe irqs later
        ide0: BM-DMA at 0xe000-0xe007, BIOS settings: hda:DMA, hdb:pio
        ide1: BM-DMA at 0xe008-0xe00f, BIOS settings: hdc:DMA, hdd:DMA
    hda: Maxtor 5T020H2, ATA DISK drive
    hdc: QUANTUM FIREBALL_TM1700A, ATA DISK drive
    hdd: ATAPI CD-ROM DRIVE 24X MAXIMUM, ATAPI CD/DVD-ROM drive
    ide0 at 0x1f0-0x1f7,0x3f6 on irq 14
    ide1 at 0x170-0x177,0x376 on irq 15
    hda: 39062500 sectors (20000 MB) w/2048KiB Cache, CHS=2431/255/63, UDMA(33)
    hdc: 3335472 sectors (1708 MB) w/76KiB Cache, CHS=3309/16/63, DMA
    hdd: ATAPI 20X CD-ROM drive, 120kB Cache, DMA
    Uniform CD-ROM driver Revision: 3.12
    Partition check:
     hda: hda1 hda2 hda3 hda4
     hdc: [PTBL] [827/64/63] hdc1 hdc2 hdc3

Output of fdisk -l /dev/hda:

    Disk /dev/hda: 255 heads, 63 sectors, 2431 cylinders
    Units = cylinders of 16065 * 512 bytes

       Device Boot    Start       End    Blocks   Id  System
    /dev/hda1   *         1         3     24066   83  Linux
    /dev/hda2             4        69    530145   82  Linux swap
    /dev/hda3            70        71     16065   83  Linux
    /dev/hda4            72      2431  18956700   83  Linux

/dev/hda1 is created at the start of the drive and is mounted as /boot. This is to avoid the 1024 cylinder problem. /dev/hda2 is the swap partition, approximately twice the size of RAM. /dev/hda3 is a small partition used for ftp uploads - /usr/local/ftp/incoming. /dev/hda4 is the remainder of the hard drive, mounted as "/".

Output of fdisk -l /dev/hdc:

    Disk /dev/hdc: 64 heads, 63 sectors, 827 cylinders
    Units = cylinders of 4032 * 512 bytes

       Device Boot    Start       End    Blocks   Id  System
    /dev/hdc1             1         5    10048+   83  Linux
    /dev/hdc2             6        71    133056   82  Linux swap
    /dev/hdc3            72       827   1524096   83  Linux

_________________________________________________________________

2.8. Floppy Drive

The following output is a snippet from dmesg.
    Floppy drive(s): fd0 is 1.44M
    FDC 0 is a post-1991 82077

References

[1] Linux Hardware Compatibility.

_________________________________________________________________

Chapter 3. Installing Linux

$id:$

Current installation is "Red Hat Linux release 7.2 (Enigma)". The distribution is downloaded to an ftp server on the local net. I found most sites timed out ftp connections after two hours' use, and it takes more than two hours to do an install over a DSL line.

Create a bootnet.img floppy (as root):

    cd /os/i386/images
    dd if=bootnet.img of=/dev/fd0 bs=1440k

Insert the newly written floppy in the system to build and reboot. Follow the prompts. This is well documented in the RedHat installation guide.

Do a custom install, no firewall. On the ip configuration screen choose an ip address that is part of the subnet. It is possible to change this later if we want. One of the first things we will do after the install is ensure that networking is working, so that we can telnet into this box and configure it remotely.

At the Packages Selection Dialog, select the "Select Individual packages" option. Install all the stuff you think you need. Scan through the packages, and ensure that the following packages are installed. They are needed for this configuration. However, it does not matter if some apps were missed; they can be got later.

    cpp
    gcc
    glibc
    kernel-source
    kernel-headers
    ncurses
    ncurses-devel
    tcl
    tk

Create the boot floppy. It may come in handy, especially when booting a newly built and installed kernel that does a "kernel panic".

Once the install is completed, get all the updates for the installed packages and install the updates. See RedHat's list of mirrors.

References

[1] RedHat Installation Guide.

_________________________________________________________________

Chapter 4. Initial Configuring and Securing

$id:$

This section assumes that the hardware is not physically accessible to the public, but is virtually accessible through networking services such as telnet, ftp, etc.
For a more secure configuration, have a look at the references below.

_________________________________________________________________

4.1. Configuring and Securing Bootup

4.1.1. init and /etc/inittab

Once the kernel has loaded itself, configured its drivers and loaded its modules, it then executes /sbin/init. /sbin/init is the master process, from which the first level of processes is invoked. Its operation is governed by the content of /etc/inittab.

init:

  * Determines the runlevel:
      + 0: Used to halt the system.
      + 1: Single user mode.
      + 2: Multi user mode - no network.
      + 3: Multi user mode - console.
      + 4: Spare.
      + 5: Multi user mode - X.
      + 6: Reboot.
  * Runs up the console and serial port gettys and respawns them if they die.
  * If runlevel 5 is selected, runs up the xdm daemon.
  * Executes /etc/rc.d/rc.sysinit, the startup script file that loads all the system daemons, according to the scripts in /etc/init.d/ and the configuration settings in /etc/sysconfig/.

In inittab confirm that initdefault selects runlevel 3, and comment out the ctrlaltdel line. As root, run telinit q and exit X (if running) with [ctrl][alt][bs], for the changes to take effect.

_________________________________________________________________

4.1.2. /etc/rc.d/rc.sysinit

/etc/rc.d/rc.sysinit runs up all the daemons configured for startup in /etc/init.d and /etc/sysconfig/. Note that this is RedHat specific; other distributions will differ. chkconfig is my utility of choice for configuring the startup daemons. It is worthwhile reading its man page. Other utilities are ntsysv, tksysv, or by hand.
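The two inittab edits in 4.1.1 (initdefault on runlevel 3, ctrlaltdel commented out) and the chkconfig review that follows are easy to get wrong on a box that is only reachable over telnet, so it helps to script the check. The script below is an added example and is not part of this HOWTO. It runs against a copy of /etc/inittab and saved "chkconfig --list" output; the sample files it creates are constructed to resemble a fresh RedHat 7.2 install, not copied from harold, and the RISKY_SERVICES list is my own reading of the recommendations in 4.1.2, not something the document defines.

```shell
#!/bin/sh
# Added example (not from the HOWTO): audit the bootup settings of 4.1.1 and
# 4.1.2 against a copy of /etc/inittab and saved "chkconfig --list" output.
# The sample files are constructed here to look like a fresh RedHat 7.2 box.

# Services this document turns off; the list is my reading of 4.1.2, edit it.
RISKY_SERVICES="identd rstatd rusersd rwhod linuxconf kudzu"

# Print the initdefault runlevel from an inittab (fields are
# id:levels:action:process), ignoring commented lines; prints nothing if
# there is no initdefault entry.
inittab_default_runlevel() {
    grep -v '^[[:space:]]*#' "$1" | awk -F: '$3 == "initdefault" { print $2 }'
}

# Exit 0 if an uncommented ctrlaltdel entry is still present, 1 otherwise.
inittab_ctrlaltdel_active() {
    grep -v '^[[:space:]]*#' "$1" |
        awk -F: '$3 == "ctrlaltdel" { found = 1 } END { exit !found }'
}

# Write a hardened copy of an inittab to stdout: initdefault forced to 3 and
# any active ctrlaltdel entry commented out, which are the two edits in 4.1.1.
harden_inittab() {
    sed -e 's/^id:[0-9]:initdefault:/id:3:initdefault:/' \
        -e 's/^\([^#][^:]*:[^:]*:ctrlaltdel:\)/#\1/' "$1"
}

# From saved "chkconfig --list" output, print each risky service that is
# "on" at the given runlevel, one name per line.
chkconfig_risky_on() {
    listing=$1; level=$2
    for svc in $RISKY_SERVICES; do
        # Lines look like:  identd  0:off 1:off 2:off 3:on 4:on 5:on 6:off
        awk -v svc="$svc" -v want="$level:on" \
            '$1 == svc { for (i = 2; i <= NF; i++) if ($i == want) print svc }' "$listing"
    done
}

# Print one line per finding for the given inittab and chkconfig listing;
# exit 0 only when nothing was found.
audit_bootup() {
    inittab=$1; listing=$2; findings=0
    rl=$(inittab_default_runlevel "$inittab")
    if [ "$rl" != "3" ]; then
        echo "initdefault is '$rl', expected 3"; findings=$((findings + 1))
    fi
    if inittab_ctrlaltdel_active "$inittab"; then
        echo "ctrlaltdel entry is still active"; findings=$((findings + 1))
    fi
    for svc in $(chkconfig_risky_on "$listing" 3); do
        echo "$svc is on at runlevel 3"; findings=$((findings + 1))
    done
    [ "$findings" -eq 0 ]
}

# Constructed "before" state: boots to X, ctrl-alt-del live, three risky
# services on. Prints the directory holding inittab and chkconfig.txt.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/inittab" <<'EOF'
# constructed sample, not harold's real inittab
id:5:initdefault:
si::sysinit:/etc/rc.d/rc.sysinit
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
1:2345:respawn:/sbin/mingetty tty1
EOF
    cat > "$dir/chkconfig.txt" <<'EOF'
atd             0:off   1:off   2:off   3:on    4:on    5:on    6:off
identd          0:off   1:off   2:off   3:on    4:on    5:on    6:off
rwhod           0:off   1:off   2:off   3:off   4:off   5:off   6:off
kudzu           0:off   1:off   2:off   3:on    4:on    5:on    6:off
linuxconf       0:off   1:off   2:on    3:on    4:on    5:on    6:off
xinetd based services:
        telnet: on
EOF
    echo "$dir"
}

# Demonstration: audit the constructed sample (expect five findings).
sample=$(make_samples)
audit_bootup "$sample/inittab" "$sample/chkconfig.txt" || true
```

On a real box run it as "audit_bootup /etc/inittab <(chkconfig --list)" from bash, or save the chkconfig output to a file first for a plain sh. The hardened inittab from harden_inittab only takes effect after telinit q, as the text above says.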
Running chkconfig --list should produce output something similar to this:

    atd             0:off   1:off   2:off   3:on    4:on    5:on    6:off
    rwhod           0:off   1:off   2:off   3:off   4:off   5:off   6:off
    keytable        0:off   1:on    2:on    3:on    4:on    5:on    6:off
    nscd            0:off   1:off   2:off   3:off   4:off   5:off   6:off
    syslog          0:off   1:off   2:on    3:on    4:on    5:on    6:off
    gpm             0:off   1:off   2:on    3:on    4:on    5:on    6:off
    kudzu           0:off   1:off   2:off   3:on    4:on    5:on    6:off
    kdcrotate       0:off   1:off   2:off   3:off   4:off   5:off   6:off
    lpd             0:off   1:off   2:on    3:on    4:on    5:on    6:off
    autofs          0:off   1:off   2:off   3:on    4:on    5:on    6:off
    sendmail        0:off   1:off   2:on    3:on    4:on    5:on    6:off
    rhnsd           0:off   1:off   2:off   3:off   4:off   5:off   6:off
    netfs           0:off   1:off   2:off   3:on    4:on    5:on    6:off
    network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
    random          0:off   1:off   2:on    3:on    4:on    5:on    6:off
    rawdevices      0:off   1:off   2:off   3:on    4:on    5:on    6:off
    apmd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
    ipchains        0:off   1:off   2:on    3:on    4:on    5:on    6:off
    iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off
    identd          0:off   1:off   2:off   3:off   4:off   5:off   6:off
    portmap         0:off   1:off   2:off   3:on    4:on    5:on    6:off
    nfs             0:off   1:off   2:off   3:off   4:off   5:off   6:off
    nfslock         0:off   1:off   2:off   3:on    4:on    5:on    6:off
    pppoe           0:off   1:off   2:on    3:on    4:on    5:on    6:off
    crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off
    anacron         0:off   1:off   2:on    3:on    4:on    5:on    6:off
    xfs             0:off   1:off   2:on    3:on    4:on    5:on    6:off
    isdn            0:off   1:off   2:on    3:on    4:on    5:on    6:off
    yppasswdd       0:off   1:off   2:off   3:off   4:off   5:off   6:off
    ypserv          0:off   1:off   2:off   3:off   4:off   5:off   6:off
    ypbind          0:off   1:off   2:off   3:off   4:off   5:off   6:off
    sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
    xinetd          0:off   1:off   2:off   3:on    4:on    5:on    6:off
    innd            0:off   1:off   2:off   3:off   4:off   5:off   6:off
    pcmcia          0:off   1:off   2:on    3:off   4:on    5:off   6:off
    pxe             0:off   1:off   2:off   3:off   4:off   5:off   6:off
    rstatd          0:off   1:off   2:off   3:off   4:off   5:off   6:off
    rusersd         0:off   1:off   2:off   3:off   4:off   5:off   6:off
    squid           0:off   1:off   2:off   3:off   4:off   5:off   6:off
    postgresql      0:off   1:off   2:off   3:off   4:off   5:off   6:off
    httpd           0:off   1:off   2:off   3:off   4:off   5:off   6:off
    tux             0:off   1:off   2:off   3:off   4:off   5:off   6:off
    named           0:off   1:off   2:off   3:off   4:off   5:off   6:off
    snmpd           0:off   1:off   2:off   3:off   4:off   5:off   6:off
    reconfig        0:off   1:off   2:off   3:on    4:on    5:on    6:off
    dhcpd           0:off   1:off   2:off   3:off   4:off   5:off   6:off
    linuxconf       0:off   1:off   2:on    3:on    4:on    5:on    6:off
    mysqld          0:off   1:off   2:off   3:off   4:off   5:off   6:off
    ntpd            0:off   1:off   2:off   3:off   4:off   5:off   6:off
    ups             0:off   1:off   2:off   3:off   4:off   5:off   6:off
    smb             0:off   1:off   2:off   3:off   4:off   5:off   6:off
    ldap            0:off   1:off   2:off   3:off   4:off   5:off   6:off
    xinetd based services:
            chargen:        off
            chargen-udp:    off
            daytime:        off
            daytime-udp:    off
            echo:           off
            echo-udp:       off
            time:           off
            time-udp:       off
            telnet:         on
            wu-ftpd:        on
            rsync:          off
            imap:           off
            imaps:          off
            ipop2:          off
            ipop3:          off
            pop3s:          off
            linuxconf-web:  off
            swat:           off

Your output may vary. Let's go through some of the options. The enable/disable recommendations below may not be reflected in the above listing.

apmd
    Optionally required. Runlevels 2345. Advanced power management is only really required for power management on a laptop. A server should be up all the time, so it is disabled on Harold.

anacron
    Optionally required. Runlevels 2345. This task scheduling daemon has a resolution of days, and is used to schedule tasks on a machine that is not (almost) permanently on. Servers tend to be "always on", so it is not enabled on Harold.

atd
    Required. Runlevels 2345. This is the daemon that runs commands some time in the future, as entered with the at command.

autofs
    Optionally required. Runlevels 2345. Used to automatically mount and unmount file systems, be they CDROM, floppy or nfs. I enable it, even though it may be considered a security risk. Autofs operation is configured by /etc/auto.master. Automount configuration is covered in ???????FIXME.

crond
    Required. Runlevels 2345. Executes scheduled commands as configured in crontab. Read the crontab man page.

dhcpd
    Optionally required. Runlevels 345. Dynamic Host Configuration Protocol daemon.
    Used to serve dynamic ip address allocation and configuration on a network. Disable for now; will be configured later in ??????FIXME.

httpd
    Required for web page serving. Runlevels 345. Httpd server. Disabled for now. Apache will be configured later.

gpm
    Required for console mouse operation. Runlevels 2345. X uses a different mechanism.

identd
    Disable. Runlevels 345. Identd serves up the user's identity and process id of the associated tcp/ip port connection being queried. An obvious security hole if enabled.

innd
    Optionally required. Runlevels 345. Innd is the Internet News Server, necessary if spooling news. Disabled on harold for the moment.

ipchains
    Optionally required. Runlevels 345. Should be enabled if this is a firewall. Harold is not, so this is disabled.

iptables
    Optionally required. Runlevels 345. Should be enabled if this is a firewall. Harold is not, so this is disabled.

isdn
    Optionally required. Runlevels 345. Only necessary if connecting to the network with isdn; disabled on harold.

kdcrotate
    Required for Kerberos. Kerberos is not installed on this server, therefore it is disabled. Only required for runlevels 345.

keytable
    Required. Runlevels 12345. Serves the selected keyboard mapping (translating keystrokes into something the computer understands).

kudzu
    Optionally required. Runlevels 2345. Used to detect and configure the hardware configuration of a system on startup. I disable it, as I know and manually configure the hardware on the system.

ldap
    Optionally required. Runlevels 345. Lightweight Directory Access Protocol; disabled on Harold.

linuxconf
    Disable. Runlevels 345. Used to remotely configure this server over the network.

lpd
    Required for printing. Runlevels 2345. This is the print spooler daemon. It is required if printing from this machine. The printer need not be attached to this machine. I enable it.

mysqld
    Optionally required. Runlevels 345. MySQL is a simple free SQL database. This is the daemon that handles MySQL requests.
    Disable for now; will be configured later in ??????????FIXME.

named
    Optionally required. Runlevels 345. Domain name server. Disable for now; will be configured later in ??????????FIXME.

netfs
    Optionally required. Runlevels 345. Network file system mounter. I disable it, as autofs is used to mount nfs volumes.

network
    Required. Runlevels 345. Enables networking on the machine. Network configuration is controlled through settings and scripts in /etc/sysconfig/network and /etc/sysconfig/network-scripts/. See ?????????????FIXME.

nfs
    Optionally required. Runlevels 345. Nfs is enabled on Harold.

nfslock
    Optionally required. Runlevels 345. Should only be enabled if nfs is enabled. Provides file locking capabilities to nfs. Enabled on Harold.

nscd
    Optionally required. Runlevels 345. This is a name service cache for name serving services such as NIS, NIS+, etc. Disabled on harold.

ntpd
    Optionally required. Runlevels 345. NTP time synchronizing server. Disable for now; will be configured in ??????FIXME.

pcmcia
    Optionally required. Runlevels 345. Typically required for laptops with pcmcia card support. Disabled on harold.

portmap
    Optionally required. Runlevels 345. Maps RPC calls to tcp ports. Required if any RPC app (nfs, for example) is running. Enabled on harold.

postgresql
    Optionally required. Runlevels 345. Postgres is an SQL database. Required to accept SQL requests. Disabled for now; set up later in ????FIXME.

pppoe
    Optionally required. Runlevels 345. PPP over Ethernet is required by some ADSL modems. Not required on harold.

pxe
    Optionally required. Runlevels 345. Pre-boot execution environment is a mechanism to serve the booting of diskless workstations over a network link. Not required on harold.

random
    Required. Runlevels 2345. Saves and restores the seed of the kernel's random number generator across power downs and power ups, so that its output after a reboot is not a predictable pseudo-random (PN) sequence.

rawdevices
    Optionally required. Runlevels 345. Used to map raw character devices to block devices.
    For example, in database applications that have their own filesystem management. Not enabled on harold.

reconfig
    Disabled. Runlevels 2345. Used to call anaconda to reconfigure the installation.

rhnsd
    Optionally required. Runlevels 345. RedHat Network System daemon. I disable it.

rstatd
    Disable. This daemon serves requests relating to the performance statistics of this server. Not recommended if security is a concern.

rusersd
    Disable. This daemon serves requests from remote machines about who is logged into this server. Not recommended if security is a concern.

rwhod
    Disable. This daemon serves requests relating to the status of, and who is logged into, the server. Not recommended if security is a concern.

sendmail
    Required. Runlevels 2345. This is the Mail Transfer Agent. Required even if the machine is not being used to send and receive mail, because some programs use smtp to transfer messages to the user or root. Will be configured as a multiple domain mail server later in ????FIXME.

smb
    Optionally required. Runlevels 345. Samba server. Disable for now. Will be configured later in ???FIXME to provide file and printer sharing to Windows machines.

snmpd
    Optionally required. Runlevels 345. Simple Network Management Protocol daemon. Not enabled on harold.

squid
    Optionally required. Runlevels 345. Squid is an http proxy server. Not enabled on harold.

sshd
    Optionally required. Runlevels 345. Provides encrypted secure shell access. Disabled for now. Can be used to provide secure mail retrieval and other secure tunnels.

syslog
    Required. Runlevels 2345. Starts syslogd and klogd, the system and kernel message logging daemons. See the syslogd manpage.

tux
    Optionally required for http serving. Runlevels 345. Tux is the interface to the kernel space web page serving interface. Disable for now; it will be configured and enabled later in ????????????FIXME.

ups
    Optionally required. Runlevels 345. Manages the orderly shutdown of a number of machines connected to UPSs.
    Disable for now. Its configuration is covered in detail in ????????????FIXME.

xinetd
    Required. Runlevels 345. Inetd replacement that serves up common tcp/udp protocol servers such as telnet, ftp, imap, pop3, etc. Its configuration is covered in detail in ????????????FIXME.

xfs
    Required. Runlevels 345. Serves up fonts to X applications running on this server. X is configured to use this on RedHat distributions.

ypbind
    Optionally required. Runlevels 345. Only required if running as a NIS or NIS+ client. Disabled on harold.

yppasswdd
    Optionally required. Runlevels 345. Only required if running as a NIS or NIS+ server. Disabled on harold.

ypserv
    Optionally required. Runlevels 345. Only required if running as a NIS or NIS+ server. Disabled on harold.

The xinetd services are listed below. RedHat out of the box configures them all disabled. That is fine for now; as we go through the configuration, we will enable those we need:

chargen
    Disable. Serves requests on tcp port 19.

chargen-udp
    Disable. Serves requests on udp port 19.

daytime
    Disable. Serves time requests on tcp port 13, providing time in ascii format.

daytime-udp
    Disable. Serves time requests on udp port 13, providing time in ascii format.

echo
    Disable. Serves echo requests on tcp port 7.

echo-udp
    Disable. Serves echo requests on udp port 7.

imap
    Disable for now. Imap mail collection serving. See ?????FIXME.

imaps
    Disable for now. Does imap using ssh. See ?????FIXME.

ipop2
    Disable. Old pop protocol; use pop3 instead.

ipop3
    Disable for now. Mail retrieval protocol. See ????FIXME.

linuxconf-web
    Disable. No remote linux configuration, especially over the web.

pop3s
    Disable for now. Secure mail retrieval protocol using ssh. See ????FIXME.

rsync
    Disable. Serves the ability to sync local and remote filesystem directories.

swat
    Disable. Remote configuration of Apache web server.

telnet
    Enabled. Telnet server for remote login on port 23. See Enabling Telnet (4.2.1).

time
    Disable.
    Serves time requests on tcp port 37, providing time in binary format.

time-udp
    Disable. Serves time requests on udp port 37, providing time in binary format.

wu-ftp
    Enabled. Ftp server. See Enabling FTP (4.2.2), and ????FIXME.

_________________________________________________________________

4.1.3. /etc/rc.d/rc.local

/etc/rc.d/rc.local gets executed last, after /etc/rc.d/rc.sysinit has completed its thing. On Harold, this file is used to enable network ip aliases, configure the ip-forward and fragmentation kernel options (for VPN setup), and change the splash before the login prompt on a console, telnet or dialin. Read the mgetty and telnetd man pages about /etc/issue (for virtual consoles), /etc/issue.net (used by telnetd for remote network logins), and /etc/issue.tty (used by serial line / dialup logins).

_________________________________________________________________

4.2. Enabling Remote Services

I like to work on a workstation box using a big high res monitor running X with multiple open windows. Typically a server is stuck away in a corner and shares a cheap small monitor with other servers. RedHat, out of the box, has both remote telnet and ftp disabled. This can be confirmed by running the following as root:

    chkconfig --list

_________________________________________________________________

4.2.1. Enabling Telnet

Edit the file /etc/xinetd.d/telnet as root. Near the bottom of the file comment out the line starting with disable.

Generally it is not a good thing to permit root telnet access. This is controlled by the file /etc/securetty. If this file does not exist then root access is permitted from every tty. If it exists, then root access is only permitted from the listed ttys.

_________________________________________________________________

4.2.2. Enabling FTP

Edit the file /etc/xinetd.d/wu-ftp as root. Near the bottom of the file comment out the line starting with disable.

Out of the box RedHat permits root ftp access. Although it may be convenient this way, it is more secure to disable it.
This is done by removing guest and anonymous from the class all line in /etc/ftpaccess. See line 27 in the listing.

_________________________________________________________________

4.2.3. TCP Wrappers Settings

RedHat out of the box has a "mostly open" TCP wrappers policy. A "mostly closed" policy is better. TCP wrappers are controlled by two files, /etc/hosts.deny and /etc/hosts.allow. Look at man hosts.deny.

A mostly closed policy requires only the following in /etc/hosts.deny:

    ALL: ALL

Initially, while configuring harold remotely (from 192.168.0.4), we only have the following in /etc/hosts.allow:

    ALL: 192.168.0.4

_________________________________________________________________

4.2.4. Making It Work

Restart the xinetd service:

    /etc/init.d/xinetd restart
    Stopping xinetd:                                           [  OK  ]
    Starting xinetd:                                           [  OK  ]

Test this configuration by telnet'ing and ftp'ing to "harold" (which is assigned the ip address 192.168.0.10) from the remote box, which is called "hal-9000".

_________________________________________________________________

4.3. Console Fonts

In the Lilo configuration below, the console resolution is set to a high resolution of 60 lines x 80 chars. Whenever RedHat Linux reboots, the /etc/rc.d/rc.sysinit script reloads the console fonts to 25 lines x 80 chars. This is annoying! A way to correct this is to comment out the SYSFONT line in /etc/sysconfig/i18n.

_________________________________________________________________

4.4. Bash Configuration

Global Bash configuration is set by /etc/profile and /etc/bashrc. Default individual users' configuration is set by /etc/skel/.bash_profile and /etc/skel/.bashrc. Whenever a new user is created (say using useradd), the files and directories are recursively copied out of /etc/skel/* to the new user's home directory root. Each user is free to customize their bash environment with their copies of $HOME/.bashrc and $HOME/.bash_profile. A read of the bash man page, especially the section on INVOCATION, will help.
On invocation, bash will first execute the commands in /etc/profile, then in $HOME/.bash_profile. $HOME/.bash_profile executes the commands in $HOME/.bashrc. $HOME/.bashrc, in turn, executes the commands in /etc/bashrc. Confused?

References

[1] TrinityOS Chapters 7 and 8.

_________________________________________________________________

Chapter 5. Upgrading the Kernel

$id:$

_________________________________________________________________

5.1. Introduction

To install a vpn, the kernel needs to be patched and rebuilt. Even if this were not the case, it is often a good idea to get the latest kernel. It is also often a good idea to make a custom build of the kernel to suit the hardware. RedHat kernels are provided with a gazillion modules and drivers for every conceivable application and manufacturer's hardware. This is good if one is a "lay user", and does not need any applications that require specific features that have not been compiled into the kernel. For the rest of us, well . . . let's rebuild the kernel.

_________________________________________________________________

5.2. Installing the Latest Kernel Source and Patches

5.2.1. Getting and Installing the Latest Kernel

When I am feeling adventurous, I get the latest Rawhide kernel-source and kernel-headers rpms. Otherwise, if they exist, I download the latest kernel source and headers from RedHat Support. The current kernel on harold is 2.4.13-0.3custom.

Install the rpms as root:

    cd
    rpm -Uhv kernel-source* kernel-headers*

The kernel source and headers are installed under /usr/src/linux-2.4.x. The installation also creates a symlink in /usr/src/ from linux-2.4.x to linux-2.4.

_________________________________________________________________

5.2.2. Getting and Making the Patches

To support VPN and ppp, the kernel needs to be patched. These patches are obtained from mirror.binarix.com. Be sure to look at the README for the latest information.
For this configuration the latest version of the linux-2.4.x-openssl-0.9.6a-mppe patch is required. While here, also get the latest ppp-2.4.x-openssl-0.9.6-mppe patch and the ppp-2.4.x-MSCHAPv2 patch for ppp-2.4.x. These are required later.

Carry out the following instructions as root to install the patch:

    cd /usr/src
    ln -s linux-2.4 linux
    zcat /linux-2.4.x-openssl-0.9.6a-mppe.patch.gz | patch -p0

_________________________________________________________________

5.3. Configuring the Kernel for Build

This kernel is configured with make xconfig. This uses the Tk/Tcl library. For an ncurses text based user interface use make menuconfig. The content and configuration output for both methods is exactly the same, the only difference being that xconfig is graphics based under X, and menuconfig is text screen based.

This configuration favours limited modules and is built specifically for "harold's" hardware. Different hardware will require a different set of drivers. This document will annotate selections as it progresses through the configuration.

_________________________________________________________________

5.3.1. Upgrading an Earlier Kernel Version Custom Build

This is an optional, but very useful, step. It is only valid if an earlier kernel has been built on this system. Say the earlier kernel was 2.4.x; carry out the following steps as root to upgrade the configuration file to the current kernel:

    cd /usr/src/linux-2.4
    cp ../linux-2.4.x/.config .
    make oldconfig

Make a best guess for the options when prompted. After this step, it is worthwhile to go through the configuration thoroughly using a screen based configurator that has access to help information.

_________________________________________________________________

5.3.2. Configuring the Kernel

This is not an exhaustive review of the configuration options; I just highlight options dependent on this hardware for the server configuration. When completed, choose to save the kernel configuration and exit.
The resulting makefile config file is stored in /usr/src/linux-2.4/.config.

_________________________________________________________________

5.3.2.1. Code Maturity Level

Enable "Prompt for development and/or incomplete code/drivers".

_________________________________________________________________

5.3.2.2. Loadable Module Support

Enable all the options, i.e., module support, setting version information and the kernel module loader.

_________________________________________________________________

5.3.2.3. Processor type and features

This is specific to the hardware.

_________________________________________________________________

5.3.2.4. General Setup

   * Enable networking.
   * PCI and hot pluggable support is dependent on hardware.
   * Enable SysV IPC.
   * Enable BSD process accounting.
   * Enable sysctl support.
   * Kernel core is in ELF format.
   * Enabling support for a.out (old style) binaries is optional.
   * Enable support for ELF and MISC binaries.
   * Disable power management support.
   * Disable all the APM options.
   * Enable RTC stores time in GMT.

_________________________________________________________________

5.3.2.5. Binary emulation of other systems

Disable everything.

_________________________________________________________________

5.3.2.6. Memory Technology Devices (MTD)

Disable everything.

_________________________________________________________________

5.3.2.7. Parallel Port Support

Enable parallel port. Specific options are hardware dependent.

_________________________________________________________________

5.3.2.8. Plug and Play Configuration

Plug and play support is optional and depends on hardware. I enable Plug and Play, ISA, and PNPBIOS support.

_________________________________________________________________

5.3.2.9. Block Devices

   * Enable PC floppy disk.
   * Disable XT HDD and parallel port IDE (hardware dependent).
   * Disable Compaq Smart2 and smart array support.
   * Disable Mylex RAID controller support.
   * Enable loopback and network block device support.
   * RAM disk support is optional; I've disabled it.

_________________________________________________________________

5.3.2.10. Multi-device Support

Disable everything.

_________________________________________________________________

5.3.2.11. Networking Options

   * Enable Packet socket and Packet socket: mmapped IO.
   * Enable Netlink socket, routing messages and device emulation.
   * Disable Network packet filtering.
   * Enable socket filtering (required by the DHCP server).
   * Enable Unix domain sockets and TCP/IP.
   * Enable TUX and its sub-options, except debug TUX.
   * Disable IP multicast and Advanced router (both optional).
   * Disable Kernel level autoconfiguration.
   * Disable IP tunnelling and IP GRE.
   * Disable ARP daemon support.
   * Disable Explicit Congestion Notification.
   * Enable TCP SYN cookie support.
   * Disable IPv6, Kernel httpd, and ATM.
   * Disable all the other protocols (optional).
   * Disable WAN router, fast switching and high speed forwarding.
   * Disable QoS.

_________________________________________________________________

5.3.2.12. Telephony Support

Depends on hardware. Disabled on harold.

_________________________________________________________________

5.3.2.13. ATA/IDE/MFM/RLL Support

Enabled; enabling of the various options depends on hardware. On harold, only the following are enabled:

   * IDE/ATA disk support.
   * CDROM support.
   * Generic PCI IDE support and sub-options, except ATA work in progress.
   * Support for PIIXn.

_________________________________________________________________

5.3.2.14. SCSI Support

Depends on hardware; disabled on harold.

_________________________________________________________________

5.3.2.15. FireWire Support

Depends on hardware; disabled on harold.

_________________________________________________________________

5.3.2.16. I2O Support

Disabled.

_________________________________________________________________

5.3.2.17. Network Device Support

Hardware specific selection. Enabled overall support, selected 10/100 Ethernet devices, and selected the PCI NE2000 driver.

Towards the end of this menu:

   * Disable PLIP (optional).
   * Enable PPP and sub-options (required for the VPN server), except: disable Sync PPP and PPP over Ethernet.
   * Enable SLIP and sub-options (optional).

_________________________________________________________________

5.3.2.18. Amateur Radio Support

Disabled.

_________________________________________________________________

5.3.2.19. IrDA Support

Disabled.

_________________________________________________________________

5.3.2.20. ISDN Subsystem

Disabled.

_________________________________________________________________

5.3.2.21. Old CDROM Drivers

Disabled.

_________________________________________________________________

5.3.2.22. Input Core Support

Disabled.

_________________________________________________________________

5.3.2.23. Character Devices

   * Enabled Virtual terminal and Console support.
   * Enabled Standard serial port support, except irq autodetect.
   * Disabled support for multiport cards and non-standard ports.
   * Enabled Unix98 PTY support / 256 PTYs.
   * Enabled Parallel support, disabled sub-options.
   * Disabled I2C, Mice, Joystick, and QIC-2 support.
   * Disabled Watchdog cards and Random number hardware.
   * Enabled /dev/nvram and Real time clock support.
   * Disabled the remaining character devices.

_________________________________________________________________

5.3.2.24. Multimedia Devices

Disabled.

_________________________________________________________________

5.3.2.25. Crypto Hardware Support

Disabled.

_________________________________________________________________

5.3.2.26. File Systems

   * Enabled kernel quota support.
   * Disabled Automounter and enabled Automounter V4.
   * Disabled all file systems except: Ext3 journalling and JBD; Virtual memory file system; ISO9660 CDROM and Microsoft Joliet extensions; /proc filesystem; /dev/pty filesystem; Second extended file system.
   * Enabled NFS and NFS V3 client and server support.
   * Enabled SMB support, disabled default NLS.
   * Disabled NCP file support.
   * Disabled Advanced partition selection.
   * iso8859-1 as default NLS.
   * Only enabled codepage 437 and iso8859-1.
   * Disabled all the other NLS (they break the build as modules).

_________________________________________________________________

5.3.2.27. Console Drivers

Enabled VGA console and mode selection. Disabled MDA console and frame buffer support.

_________________________________________________________________

5.3.2.28. Sound Support

Disabled.

_________________________________________________________________

5.3.2.29. USB support

Disabled.

_________________________________________________________________

5.3.2.30. Bluetooth support

Disabled.

_________________________________________________________________

5.3.2.31. Kernel Hacking

Disabled.

_________________________________________________________________

5.4. Building the Kernel

To be able to recover, as root, move aside the current kernel modules before building (the directory is renamed next to itself; moving it into its own subdirectory would fail):

    mv /lib/modules /lib/modules.old

Then enter

    make dep clean bzImage modules modules_install

The kernel build will take a while, anything from a few minutes to a few hours, depending on the speed of the hardware.

_________________________________________________________________

5.5. Installing the Kernel

5.5.1. First Time Kernel Install

Kernel installation is done as root. Once the kernel build completes, do the following:

    cp /usr/src/linux-2.4/arch/i386/boot/bzImage /boot/bzImage
    cp /boot/bzImage /boot/bzImage.old
    mv /boot/System.map /boot/System.map.orig
    cp /usr/src/linux-2.4/System.map /boot/System.map
    cp /boot/System.map /boot/System.map.old

Laying out the files this way works with the following lilo configuration file. Keep the original vmlinuz, create a previous image bzImage.old and the normally used image bzImage.
Create the following /etc/lilo.conf as root (the file is listed in Appendix A.12). Enter the following commands to install lilo and reboot:

    lilo
    sync; sync; reboot

With a bit of luck the system should reboot smoothly with the new kernel. If not, re-boot with the boot floppy created during the Linux install. To track down and fix the error, I normally search on the output error message in a www search engine, and start reading through the pages it finds.

_________________________________________________________________

5.5.2. Following Kernel Installs

To install a newly compiled kernel after the first build, carry out the following commands:

    cp /boot/bzImage /boot/bzImage.old
    cp /boot/System.map /boot/System.map.old
    cp /usr/src/linux/arch/i386/boot/bzImage /boot/bzImage
    cp /usr/src/linux-2.4/System.map /boot/System.map
    lilo
    sync; sync; reboot

If the newly built kernel does not work, it is always possible to boot either from the old kernel or from the boot floppy. To boot the old kernel, enter o at the LILO: boot prompt.

References

[1] Linux Kernel HOWTO.
[2] Linux Boot Prompt HOWTO.
[3] LILO Mini HOWTO.

_________________________________________________________________

Chapter 6. Network Configuration

$id:$

_________________________________________________________________

6.1. What do we want to achieve?

Harold is to be configured to virtually serve mail, http, smtp, pop3/imap, cvs, news, etc., etc. for multiple domains. Harold is situated behind a firewall which directs the appropriate requests to it.

_________________________________________________________________

6.2. IP Configuration

This is RedHat specific. The files to configure are:

   * /etc/sysconfig/network, and
   * /etc/sysconfig/network-scripts/ifcfg-eth0.

The options in these files are documented at RedHat. The initialization scripts use these configuration settings to set up the ip addresses and static routes. From that documentation note that FORWARD_IPV4 is not supported, and GATEWAY is not required in /etc/sysconfig/network.
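Both files are plain KEY=VALUE fragments, so their consistency can be checked before a reboot rather than discovered afterwards with ifconfig and route. The following Python 3 script is an added example, not part of this HOWTO or of RedHat's initscripts; the two sample files are constructed with harold's addresses as they appear later in this chapter (192.168.0.1/24 behind the gateway 192.168.0.254), and the script needs the standard ipaddress module, so run it from a workstation rather than on harold itself. It verifies that NETWORK and BROADCAST agree with IPADDR/NETMASK, that the gateway is another host on the same subnet, and predicts the two rows that route -n should show once the interface is up.

```python
"""Check RedHat ifcfg files for consistency before rebooting (added example)."""
import ipaddress

# Constructed sample files using harold's addresses from this chapter
# (192.168.0.1/24 behind the gateway 192.168.0.254); the real files are in
# Appendix A. The keys are the standard initscripts ones.
SYSCONFIG_NETWORK = """\
NETWORKING=yes
HOSTNAME=harold.cmex.org
"""

IFCFG_ETH0 = """\
DEVICE=eth0
BOOTPROTO=static
ONBOOT=yes
IPADDR=192.168.0.1
NETMASK=255.255.255.0
NETWORK=192.168.0.0
BROADCAST=192.168.0.255
GATEWAY=192.168.0.254
"""


def parse_sysconfig(text):
    """Parse KEY=VALUE lines; blank lines and # comments are ignored."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip().strip('"')
    return conf


def check_ifcfg(ifcfg_text, network_text=""):
    """Return a list of problems; an empty list means the files are consistent."""
    cfg = parse_sysconfig(ifcfg_text)
    net = parse_sysconfig(network_text)
    problems = [k + " is missing" for k in ("DEVICE", "IPADDR", "NETMASK") if k not in cfg]
    if problems:
        return problems
    iface = ipaddress.ip_interface("%s/%s" % (cfg["IPADDR"], cfg["NETMASK"]))
    subnet = iface.network
    # NETWORK and BROADCAST are derived from IPADDR/NETMASK; if given, they must agree.
    for key, want in (("NETWORK", subnet.network_address),
                      ("BROADCAST", subnet.broadcast_address)):
        if key in cfg and ipaddress.ip_address(cfg[key]) != want:
            problems.append("%s=%s disagrees with %s" % (key, cfg[key], want))
    # GATEWAY may live in either file; it must be another host on the same subnet.
    gw = cfg.get("GATEWAY") or net.get("GATEWAY")
    if gw is None:
        problems.append("no GATEWAY: only the local subnet would be reachable")
    elif ipaddress.ip_address(gw) not in subnet:
        problems.append("GATEWAY=%s is not on %s, the default route would fail" % (gw, subnet))
    elif ipaddress.ip_address(gw) == iface.ip:
        problems.append("GATEWAY is this host's own address")
    if net.get("NETWORKING", "yes").lower() != "yes":
        problems.append("NETWORKING is not yes in /etc/sysconfig/network")
    return problems


def expected_routes(ifcfg_text, network_text=""):
    """Routes (dest, gateway, genmask, flags, iface) that route -n should show."""
    cfg = parse_sysconfig(ifcfg_text)
    net = parse_sysconfig(network_text)
    iface = ipaddress.ip_interface("%s/%s" % (cfg["IPADDR"], cfg["NETMASK"]))
    routes = [(str(iface.network.network_address), "0.0.0.0",
               str(iface.network.netmask), "U", cfg["DEVICE"])]
    gw = cfg.get("GATEWAY") or net.get("GATEWAY")
    if gw:
        routes.append(("0.0.0.0", gw, "0.0.0.0", "UG", cfg["DEVICE"]))
    return routes


if __name__ == "__main__":
    print(check_ifcfg(IFCFG_ETH0, SYSCONFIG_NETWORK) or "ifcfg-eth0 looks consistent")
    for route in expected_routes(IFCFG_ETH0, SYSCONFIG_NETWORK):
        print("%-16s %-16s %-16s %-5s %s" % route)
```

Feed the real file contents to check_ifcfg and compare expected_routes against the route -n output in 6.4; a gateway outside the subnet is the commonest mistake and is the one that leaves the box unreachable after a reboot.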
_________________________________________________________________

6.3. IP Aliasing

RedHat has an undocumented method to create a number of ip aliases. It is flawed, so it is replaced. Do not use the name /etc/sysconfig/network-scripts/ifup-aliases for this script; it will be wiped out by a RedHat upgrade. On harold, the script is written to /etc/sysconfig/network-scripts/ifup-ipalias, which is called from /etc/rc.d/rc.local. This script depends on one or more configuration files with names of the form /etc/sysconfig/network-scripts/ifcfg-eth<dev>-rng<range>, where <dev> and <range> are the number of the device and of the range respectively. Harold is only configured with a single range of 16 consecutive addresses on eth0: /etc/sysconfig/network-scripts/ifcfg-eth0-rng0.

_________________________________________________________________

6.4. Checking the IP Configuration

One can make the necessary changes by hand for harold to take on the new configuration. However, rebooting the computer is recommended to ensure that the scripts behave well in the manner they are to be used. To check that the configuration is successful, as root execute ifconfig. The resulting output should look something like the following screen, listing the original ip address configuration on eth0, and the 16 aliased ip addresses on eth0:0 thru' eth0:15.
    eth0      Link encap:Ethernet  HWaddr 00:E0:29:31:36:13
              inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:9628 errors:0 dropped:0 overruns:0 frame:0
              TX packets:1440 errors:0 dropped:0 overruns:0 carrier:0
              collisions:3 txqueuelen:100
              Interrupt:11 Base address:0xd000

    eth0:0    Link encap:Ethernet  HWaddr 00:E0:29:31:36:13
              inet addr:192.168.0.220  Bcast:192.168.0.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              Interrupt:11 Base address:0xd000

    eth0:1    Link encap:Ethernet  HWaddr 00:E0:29:31:36:13
              inet addr:192.168.0.221  Bcast:192.168.0.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              Interrupt:11 Base address:0xd000

    eth0:2    Link encap:Ethernet  HWaddr 00:E0:29:31:36:13
              inet addr:192.168.0.222  Bcast:192.168.0.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              Interrupt:11 Base address:0xd000

    eth0:3    Link encap:Ethernet  HWaddr 00:E0:29:31:36:13
              inet addr:192.168.0.223  Bcast:192.168.0.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              Interrupt:11 Base address:0xd000

    eth0:4    Link encap:Ethernet  HWaddr 00:E0:29:31:36:13
              inet addr:192.168.0.224  Bcast:192.168.0.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              Interrupt:11 Base address:0xd000

    eth0:5    Link encap:Ethernet  HWaddr 00:E0:29:31:36:13
              inet addr:192.168.0.225  Bcast:192.168.0.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              Interrupt:11 Base address:0xd000

    eth0:6    Link encap:Ethernet  HWaddr 00:E0:29:31:36:13
              inet addr:192.168.0.226  Bcast:192.168.0.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              Interrupt:11 Base address:0xd000

    eth0:7    Link encap:Ethernet  HWaddr 00:E0:29:31:36:13
              inet addr:192.168.0.227  Bcast:192.168.0.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              Interrupt:11 Base address:0xd000

    eth0:8    Link encap:Ethernet  HWaddr 00:E0:29:31:36:13
              inet addr:192.168.0.228  Bcast:192.168.0.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              Interrupt:11 Base address:0xd000

    eth0:9    Link encap:Ethernet  HWaddr 00:E0:29:31:36:13
              inet addr:192.168.0.229  Bcast:192.168.0.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              Interrupt:11 Base address:0xd000

    eth0:10   Link encap:Ethernet  HWaddr 00:E0:29:31:36:13
              inet addr:192.168.0.230  Bcast:192.168.0.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              Interrupt:11 Base address:0xd000

    eth0:11   Link encap:Ethernet  HWaddr 00:E0:29:31:36:13
              inet addr:192.168.0.231  Bcast:192.168.0.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              Interrupt:11 Base address:0xd000

    eth0:12   Link encap:Ethernet  HWaddr 00:E0:29:31:36:13
              inet addr:192.168.0.232  Bcast:192.168.0.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              Interrupt:11 Base address:0xd000

    eth0:13   Link encap:Ethernet  HWaddr 00:E0:29:31:36:13
              inet addr:192.168.0.233  Bcast:192.168.0.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              Interrupt:11 Base address:0xd000

    eth0:14   Link encap:Ethernet  HWaddr 00:E0:29:31:36:13
              inet addr:192.168.0.234  Bcast:192.168.0.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              Interrupt:11 Base address:0xd000

    eth0:15   Link encap:Ethernet  HWaddr 00:E0:29:31:36:13
              inet addr:192.168.0.235  Bcast:192.168.0.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              Interrupt:11 Base address:0xd000

    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              UP LOOPBACK RUNNING  MTU:16436  Metric:1
              RX packets:12 errors:0 dropped:0 overruns:0 frame:0
              TX packets:12 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0

Next run (also as root) route -n to see the static routing table. The -n switch inhibits ip to domain name lookups as we do not have DNS configured and enabled yet. The output should look something like the following.
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
    127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
    0.0.0.0         192.168.0.254   0.0.0.0         UG    0      0        0 eth0

This screen tells us that all addresses in the 192.168.0.0/24 range are directed to the eth0 interface, and all addresses in the 127.0.0.0/8 range are directed to the local loopback interface. All other addresses are forwarded to the gateway 192.168.0.254, and exit out of interface eth0.

Ping the interfaces using ip addresses. Ping the:

   * local interface: 127.0.0.1
   * ethernet interface: 192.168.0.1
   * gateway address: 192.168.0.254
   * an external ip address, say linux.com, which is 216.136.171.205

The results from the ping should look something like:

    root@harold:~>ping 216.136.171.205
    PING 216.136.171.205 (216.136.171.205) from 192.168.0.1 : 56(84) bytes of data.
    64 bytes from 216.136.171.205: icmp_seq=0 ttl=245 time=55.254 msec
    64 bytes from 216.136.171.205: icmp_seq=1 ttl=245 time=49.937 msec
    64 bytes from 216.136.171.205: icmp_seq=2 ttl=245 time=49.951 msec
    64 bytes from 216.136.171.205: icmp_seq=3 ttl=245 time=49.953 msec
    64 bytes from 216.136.171.205: icmp_seq=4 ttl=245 time=49.953 msec
    64 bytes from 216.136.171.205: icmp_seq=5 ttl=245 time=49.956 msec
    64 bytes from 216.136.171.205: icmp_seq=6 ttl=245 time=49.942 msec
    64 bytes from 216.136.171.205: icmp_seq=7 ttl=245 time=49.956 msec
    64 bytes from 216.136.171.205: icmp_seq=8 ttl=245 time=49.956 msec
    64 bytes from 216.136.171.205: icmp_seq=9 ttl=245 time=49.954 msec
    64 bytes from 216.136.171.205: icmp_seq=10 ttl=245 time=49.954 msec

    --- 216.136.171.205 ping statistics ---
    11 packets transmitted, 11 packets received, 0% packet loss
    round-trip min/avg/max/mdev = 49.937/50.433/55.254/1.533 ms

Type ^C to exit ping.

_________________________________________________________________

6.5. Resolver Configuration

The resolver is a suite of C library functions supporting the resolution of ip addresses and domain names. These functions depend on the following files for their configuration:

   * /etc/host.conf,
   * /etc/resolv.conf, and
   * /etc/hosts.

Look at the man pages for the respective configuration files.

In /etc/host.conf do not use the nospoof configuration item. This would guide the resolver library to do a reverse lookup (in in-addr.arpa) on an ip address it found from a domain name, to confirm that the domain name is not spoofed. These days it is usual for names to look "spoofed" in this sense. For example, your upstream ISP gives you some static ip addresses but does not delegate the ip reverse lookup to you; a reverse lookup will then pick up the ISP's domain name assignment rather than yours, and an affirmative nospoof setting will fail.

In the interim, /etc/resolv.conf points to a name server located on a different machine. Once harold's name server is configured, /etc/resolv.conf will point here too. Note that the "search" configuration item removes the need to have a "domain" configuration item too.

_________________________________________________________________

6.6. Network Services Switch

The network services switch is a suite of C library functions that work co-operatively with the resolver library in providing additional name services such as NIS. These functions depend on /etc/nsswitch.conf for their configuration. Look at man nsswitch.conf.

Harold is configured to depend mostly on the configuration files in /etc/ for its configuration. In most cases the library functions are guided to look in these "files" before querying "nisplus" (which, by the way, is not enabled on harold). Host lookup is also instructed to query "dns" if the query is not satisfied using "files" or "nisplus".

_________________________________________________________________

6.7. Checking Network Resolution

ping is the most useful tool for this exercise.
Ping using names instead of ip addresses. Ping the:

   * local interface: localhost
   * ethernet interface: harold.cmex.org and harold
   * gateway address: gateway
   * an external host, say linux.com

References

[1] Net-HOWTO.

_________________________________________________________________

Chapter 7. Name Serving (DNS)

$id:$

Name serving is the task of relating domain names and URLs to ip addresses and vice-versa. The DNS database is probably the largest public worldwide distributed and cached database. This section describes the configuration of Bind V 9.2.x, which serves up an internal ip address view to the local network, and an external view to the rest of the world.

Using a RedHat install, ensure that both bind-9.2*.rpm and bind-utils-9.2*.rpm are installed. Both rpms must be the same version.

_________________________________________________________________

7.1. DNS Configuration

Nameserver configuration with bind is governed by /etc/named.conf. This file specifies the behaviour of named, the nameserver daemon. The following is a short description of the contents of /etc/named.conf.

First an acl statement is used to define the group of internal network addresses, int-ips. Acl is short for "Access Control List", a fancy name for a list of addresses.

Following the acl statement, the global options are defined. directory specifies the directory root for the zone file database. If the address translation (either URL to ip address, or vice versa) cannot be found in the local nameserver cache, the forward first and forwarders statements instruct the nameserver to first look in the caches of the nameservers at the specified addresses before carrying out a recursive search for the address translation. The last global option tells named to listen-on the only ethernet address and the local host address for queries.

Following the global options are the internal view and the external view. The internal view is only presented to the internal network, and the external view is presented only to the rest of the world. This feature solves these situations elegantly:

   * Bastion hosts (servers sitting behind the firewall) present external ip addresses to the rest of the world, which the firewall port forwards to local network addresses. For example, the ip address for www.cmex.org, when queried from the internet, resolves to the external ip address 209.53.193.13. The same query made from an internal host will resolve to an internal network address.
   * Queries from the internal network are permitted to be recursive, whereas external queries are not.
   * The internal view resolves addresses for all hosts on the local network. The external view does not show the internal network hosts.

Each zone specification in both the internal and external views references a zone database file either in /var/named or some subdirectory off it. A PDF of the bind documentation is found at ISC's website.

Reverse lookup does not work because the upstream ISP has not delegated reverse zone lookup.

_________________________________________________________________

7.2. DNS Maintenance

Once DNS is running, the hints database needs to be updated periodically, say once a month. The following /var/named/update-db.root script (plagiarised from the DNS HOWTO and TrinityOS) does just that.

Now make the file rwx only by root:

    chmod 744 /var/named/update-db.root

And create a symbolic link to it from the monthly cron job:

    ln -s /var/named/update-db.root /etc/cron.monthly/update-db.root

_________________________________________________________________

7.3. Verifying DNS Operation

As root, stop and start the named server:

    /etc/init.d/named restart

The screen output should indicate it started correctly. All the startup tracing by default is logged to /var/log/messages. A relevant sample snippet is shown below.
Nov 2 19:10:48 harold named[2437]: shutting down Nov 2 19:10:48 harold named[2437]: stopping command channel on 0.0.0.0#953 Nov 2 19:10:48 harold named[2437]: no longer listening on 127.0.0.1#53 Nov 2 19:10:48 harold named[2437]: no longer listening on 192.168.0.1#53 5 Nov 2 19:10:48 harold named[2434]: exiting Nov 2 19:10:48 harold named: named shutdown succeeded Nov 2 19:10:49 harold named[2469]: starting BIND 9.2.0rc8 -u named Nov 2 19:10:49 harold named[2469]: using 1 CPU Nov 2 19:10:49 harold named[2471]: loading configuration from '/etc/named. conf' 10 Nov 2 19:10:49 harold named[2471]: no IPv6 interfaces found Nov 2 19:10:49 harold named[2471]: listening on IPv4 interface lo, 127.0.0 .1#53 Nov 2 19:10:49 harold named[2471]: listening on IPv4 interface eth0, 192.1 68.0.1#53 Nov 2 19:10:49 harold named: named startup succeeded Nov 2 19:10:49 harold named[2471]: command channel listening on 0.0.0.0#95 3 15 Nov 2 19:10:49 harold named[2471]: zone 0.0.127.in-addr.arpa/IN: loaded se rial 1999022700 Nov 2 19:10:49 harold named[2471]: zone 0.168.192.in-addr.arpa/IN: loaded serial 2000022643 Nov 2 19:10:49 harold named[2471]: zone cara-marks.com/IN: loaded serial 2 000022805 Nov 2 19:10:49 harold named[2471]: zone e-voice-mail.com/IN: loaded serial 2000022803 Nov 2 19:10:49 harold named[2471]: zone jmarks-asc.com/IN: loaded serial 2 000022804 20 Nov 2 19:10:49 harold named[2471]: zone jonathan-marks.com/IN: loaded seri al 2000022803 Nov 2 19:10:49 harold named[2471]: zone networks-r-us.com/IN: loaded seria l 2000022803 Nov 2 19:10:49 harold named[2471]: zone networksrus.com/IN: loaded serial 2000022803 Nov 2 19:10:49 harold named[2471]: zone software-foundry.com/IN: loaded se rial 2000022803 Nov 2 19:10:49 harold named[2471]: zone sorcerers-foundry.com/IN: loaded s erial 2000022803 25 Nov 2 19:10:49 harold named[2471]: zone steven-marks.com/IN: loaded serial 2000022803 Nov 2 19:10:49 harold named[2471]: zone vanessa-marks.com/IN: loaded seria l 2000022803 Nov 2 
19:10:49 harold named[2471]: zone novatek.co.nz/IN: loaded serial 20 00022813 Nov 2 19:10:49 harold named[2471]: zone cmex.org/IN: loaded serial 2000022 805 Nov 2 19:10:49 harold named[2471]: zone 0.0.127.in-addr.arpa/IN: loaded se rial 1999022700 30 Nov 2 19:10:49 harold named[2471]: zone 193.53.209.in-addr.arpa/IN: loaded serial 2000071802 Nov 2 19:10:49 harold named[2471]: zone 81.114.64.in-addr.arpa/IN: loaded serial 2000071802 Nov 2 19:10:49 harold named[2471]: zone cara-marks.com/IN: loaded serial 2 000071805 Nov 2 19:10:49 harold named[2471]: zone e-voice-mail.com/IN: loaded serial 2000071802 Nov 2 19:10:49 harold named[2471]: zone jmarks-asc.com/IN: loaded serial 2 000071802 35 Nov 2 19:10:49 harold named[2471]: zone jonathan-marks.com/IN: loaded seri al 2000071804 Nov 2 19:10:49 harold named[2471]: zone networks-r-us.com/IN: loaded seria l 2000071805 Nov 2 19:10:49 harold named[2471]: zone networksrus.com/IN: loaded serial 2000071805 Nov 2 19:10:49 harold named[2471]: zone software-foundry.com/IN: loaded se rial 2000071804 Nov 2 19:10:49 harold named[2471]: zone sorcerers-foundry.com/IN: loaded s erial 2000071805 40 Nov 2 19:10:49 harold named[2471]: zone steven-marks.com/IN: loaded serial 2000071804 Nov 2 19:10:49 harold named[2471]: zone vanessa-marks.com/IN: loaded seria l 2000071803 Nov 2 19:10:49 harold named[2471]: zone novatek.co.nz/IN: loaded serial 20 00071804 Nov 2 19:10:49 harold named[2471]: zone cmex.org/IN: loaded serial 2000071 807 Nov 2 19:10:49 harold named[2471]: running 45 Nov 2 19:10:49 harold named[2471]: zone novatek.co.nz/IN: sending notifies (serial 2000022813) Nov 2 19:10:49 harold named[2471]: zone novatek.co.nz/IN: sending notifies (serial 2000071804) Nov 2 19:10:49 harold named[2471]: zone sorcerers-foundry.com/IN: sending notifies (serial 2000022803) Nov 2 19:10:49 harold named[2471]: zone sorcerers-foundry.com/IN: sending notifies (serial 2000071805) Nov 2 19:10:49 harold named[2471]: zone software-foundry.com/IN: sending n 
    otifies (serial 2000022803)
 50 Nov  2 19:10:49 harold named[2471]: zone cara-marks.com/IN: sending notifies (serial 2000022805)
    Nov  2 19:10:49 harold named[2471]: zone software-foundry.com/IN: sending notifies (serial 2000071804)
    Nov  2 19:10:49 harold named[2471]: zone cara-marks.com/IN: sending notifies (serial 2000071805)
    Nov  2 19:10:49 harold named[2471]: zone e-voice-mail.com/IN: sending notifies (serial 2000022803)
    Nov  2 19:10:49 harold named[2471]: zone steven-marks.com/IN: sending notifies (serial 2000022803)
 55 Nov  2 19:10:49 harold named[2471]: zone e-voice-mail.com/IN: sending notifies (serial 2000071802)
    Nov  2 19:10:49 harold named[2471]: zone steven-marks.com/IN: sending notifies (serial 2000071804)
    Nov  2 19:10:49 harold named[2471]: zone jmarks-asc.com/IN: sending notifies (serial 2000022804)
    Nov  2 19:10:49 harold named[2471]: zone jmarks-asc.com/IN: sending notifies (serial 2000071802)
    Nov  2 19:10:49 harold named[2471]: zone jonathan-marks.com/IN: sending notifies (serial 2000022803)
 60 Nov  2 19:10:49 harold named[2471]: zone vanessa-marks.com/IN: sending notifies (serial 2000022803)
    Nov  2 19:10:49 harold named[2471]: zone jonathan-marks.com/IN: sending notifies (serial 2000071804)
    Nov  2 19:10:49 harold named[2471]: zone vanessa-marks.com/IN: sending notifies (serial 2000071803)
    Nov  2 19:10:49 harold named[2471]: zone cmex.org/IN: sending notifies (serial 2000022805)
    Nov  2 19:10:49 harold named[2471]: zone networksrus.com/IN: sending notifies (serial 2000022803)
 65 Nov  2 19:10:49 harold named[2471]: zone networks-r-us.com/IN: sending notifies (serial 2000022803)
    Nov  2 19:10:49 harold named[2471]: zone cmex.org/IN: sending notifies (serial 2000071807)
    Nov  2 19:10:49 harold named[2471]: zone networksrus.com/IN: sending notifies (serial 2000071805)
    Nov  2 19:10:49 harold named[2471]: zone networks-r-us.com/IN: sending notifies (serial 2000071805)
    Nov  2 19:10:50 harold named[2471]: client 192.168.0.3#2995: transfer of 'cara-marks.com/IN': AXFR-style IXFR started

The first 6 lines show the previous instance of named shutting down; the following lines trace the startup of the new named process. The zone files appear to be loaded twice, but this is not the case: by configuration, both the internal-network view and the rest-of-the-world view have zone files with the same names. From line 45 on, named is notifying the other name servers listed in each domain's zone file of that zone file's serial number. If the serial number on a secondary DNS server's copy of the zone is lower than this value, the secondary requests a zone transfer, as the last line of the trace shows.

To test the internal name serving, first dig a local address:

    # dig @192.168.0.1 www.jonathan-marks.com

    ; <<>> DiG 9.2.0rc5 <<>> @192.168.0.1 www.jonathan-marks.com
    ;; global options:  printcmd
    ;; Got answer:
    ;; ->>HEADER<<-

Next, an address outside the local network:

    # dig @192.168.0.1 www.linux.org

    ; <<>> DiG 9.2.0rc5 <<>> @192.168.0.1 www.linux.org
    ;; global options:  printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37403
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;www.linux.org.                 IN      A

    ;; ANSWER SECTION:
    www.linux.org.          15890   IN      A       198.182.196.56

    ;; Query time: 84 msec
    ;; SERVER: 192.168.0.1#53(192.168.0.1)
    ;; WHEN: Fri Nov  2 21:16:52 2001
    ;; MSG SIZE  rcvd: 47

Then we dig a whole zone for an internal domain name:

    # dig @192.168.0.1 jonathan-marks.com axfr

    ; <<>> DiG 9.2.0rc5 <<>> @192.168.0.1 jonathan-marks.com axfr
    ;; global options:  printcmd
    jonathan-marks.com.     86400   IN      SOA     harold.cmex.org. hostmaster.cmex.org. 2000022803 28800 7200 604800 86400
    jonathan-marks.com.     86400   IN      A       192.168.0.222
    jonathan-marks.com.     86400   IN      NS      ns1.cmex.org.
    jonathan-marks.com.     86400   IN      NS      ns2.cmex.org.
    jonathan-marks.com.     86400   IN      MX      10 mail.jonathan-marks.com.
    ftp.jonathan-marks.com. 86400   IN      A       192.168.0.223
    mail.jonathan-marks.com. 86400  IN      A       192.168.0.224
    www.jonathan-marks.com. 86400   IN      A       192.168.0.222
    jonathan-marks.com.     86400   IN      SOA     harold.cmex.org. hostmaster.cmex.org. 2000022803 28800 7200 604800 86400
    ;; Query time: 9 msec
    ;; SERVER: 192.168.0.1#53(192.168.0.1)
    ;; WHEN: Fri Nov  2 21:36:06 2001
    ;; XFR size: 10 records

Everything appears to work fine so far. Now from a host external to the local network. Presently I have only set up ns2.cmex.org to be port-forwarded from the firewall to this server. Let's see what it serves up, first a local domain:

    # dig @ns2.cmex.org www.jonathan-marks.com

    ; <<>> DiG 8.3 <<>> @ns2.cmex.org www.jonathan-marks.com
    ; (1 server found)
    ;; res options: init recurs defnam dnsrch
    ;; got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
    ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
    ;; QUERY SECTION:
    ;;      www.jonathan-marks.com, type = A, class = IN

    ;; ANSWER SECTION:
    www.jonathan-marks.com.  1D IN A        64.114.81.253

    ;; AUTHORITY SECTION:
    jonathan-marks.com.     1D IN NS        ns2.cmex.org.
    jonathan-marks.com.     1D IN NS        ns1.cmex.org.

    ;; ADDITIONAL SECTION:
    ns1.cmex.org.           1D IN A         64.114.81.252
    ns2.cmex.org.           1D IN A         209.53.193.13

    ;; Total query time: 164 msec
    ;; FROM: homer.mostscents.com to SERVER: ns2.cmex.org  209.53.193.13
    ;; WHEN: Fri Nov  2 22:59:16 2001
    ;; MSG SIZE  sent: 40  rcvd: 132

Great, that works! Notice the external IP addresses for the queried name and for the name servers. Now let's attempt a recursive lookup. This should fail, as recursive lookups are disabled for the external network.

    # dig @ns2.cmex.org www.linux.org

    ; <<>> DiG 8.3 <<>> @ns2.cmex.org www.linux.org
    ; (1 server found)
    ;; res options: init recurs defnam dnsrch
    ;; got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
    ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 0
    ;; QUERY SECTION:
    ;;      www.linux.org, type = A, class = IN

    ;; AUTHORITY SECTION:
    .                       6D IN NS        E.ROOT-SERVERS.NET.
    .                       6D IN NS        F.ROOT-SERVERS.NET.
    .                       6D IN NS        G.ROOT-SERVERS.NET.
    .                       6D IN NS        H.ROOT-SERVERS.NET.
    .                       6D IN NS        I.ROOT-SERVERS.NET.
    .                       6D IN NS        J.ROOT-SERVERS.NET.
    .                       6D IN NS        K.ROOT-SERVERS.NET.
    .                       6D IN NS        L.ROOT-SERVERS.NET.
    .                       6D IN NS        M.ROOT-SERVERS.NET.
    .                       6D IN NS        A.ROOT-SERVERS.NET.
    .                       6D IN NS        B.ROOT-SERVERS.NET.
    .                       6D IN NS        C.ROOT-SERVERS.NET.
    .                       6D IN NS        D.ROOT-SERVERS.NET.

    ;; Total query time: 167 msec
    ;; FROM: homer.mostscents.com to SERVER: ns2.cmex.org  209.53.193.13
    ;; WHEN: Fri Nov  2 23:04:36 2001
    ;; MSG SIZE  sent: 31  rcvd: 242

That works too. Note how the server did not perform the recursive lookup itself (there is no "ra" flag and no answer section) but referred the querying resolver to the root servers.

Finally, we attempt to dig a whole zone, first from an authorized transferee, and then from an unauthorized transferee.

    # dig @ns2.cmex.org jonathan-marks.com axfr

    ; <<>> DiG 8.3 <<>> @ns2.cmex.org jonathan-marks.com axfr
    ; (1 server found)
    $ORIGIN jonathan-marks.com.
    @                       1D IN SOA       cmex.org. hostmaster.cmex.org. (
                                            2000071804      ; serial
                                            8H              ; refresh
                                            2H              ; retry
                                            1W              ; expiry
                                            1D )            ; minimum

                            1D IN A         64.114.81.252
                            1D IN NS        ns1.cmex.org.
                            1D IN NS        ns2.cmex.org.
                            1D IN MX        10 mail
    ftp                     1D IN A         64.114.81.253
    mail                    1D IN A         64.114.81.252
    www                     1D IN A         64.114.81.253
    @                       1D IN SOA       cmex.org. hostmaster.cmex.org. (
                                            2000071804      ; serial
                                            8H              ; refresh
                                            2H              ; retry
                                            1W              ; expiry
                                            1D )            ; minimum
    ;; Received 1 answer (9 records).
    ;; FROM: homer.mostscents.com to SERVER: 209.53.193.13
    ;; WHEN: Fri Nov  2 23:11:47 2001

That works too. From an unauthorized transferee, we should see:

    # dig @ns2.cmex.org jonathan-marks.com axfr

    ; <<>> DiG 8.3 <<>> @ns2.cmex.org jonathan-marks.com axfr
    ; (1 server found)
    ;; Received 0 answers (0 records).
    ;; FROM: homer.mostscents.com to SERVER: 209.53.193.13
    ;; WHEN: Fri Nov  2 23:15:42 2001

This is correct: unauthorized transferees should not get the zone information. These tests show that the name server configuration files are working.

The last thing to test is the /var/named/update-db.root script: check that it delivers an email to root. The sendmail setup shows how to forward root's email to a "worldly" email address.
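As an added check on the dig tests above (example code, not part of the original HOWTO), the following POSIX shell script reads captured dig output and verifies the three properties the external view must have: an authoritative answer for a hosted zone, no recursion for outside clients, and an empty zone transfer for a client that is not in allow-transfer. Run against the output of real dig invocations it can re-check the views from cron or after every named restart; the sample traces embedded here are constructed from the runs shown in this section.

```shell
#!/bin/sh
# Added example, not from the original HOWTO: checks on captured dig output
# for the split-view name server. Each function takes the text of one dig
# run as its single argument. Works on both DiG 8 and DiG 9 output.

# Flags set in the ";; flags:" line, e.g. "qr aa rd".
dig_flags() {
    printf '%s\n' "$1" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1
}

# 1 if the server offered recursion (ra flag), else 0. The external view
# has "recursion no", so "ra" must be absent on answers to outside clients.
dig_recursion_available() {
    case " $(dig_flags "$1") " in
        *" ra "*) echo 1 ;;
        *)        echo 0 ;;
    esac
}

# 1 if the answer is authoritative (aa flag), else 0. A zone this server
# is master for must come back with "aa" set.
dig_authoritative() {
    case " $(dig_flags "$1") " in
        *" aa "*) echo 1 ;;
        *)        echo 0 ;;
    esac
}

# Number of resource records in an AXFR dump: data lines carrying a class
# field "IN". Lines starting with ";" are skipped, and the SOA continuation
# lines DiG 8 prints carry no "IN". A refused transfer therefore counts 0.
axfr_record_count() {
    printf '%s\n' "$1" | grep -v '^;' | grep -c '[[:space:]]IN[[:space:]]' || true
}

# All three expectations for the external view at once: authoritative
# answer for a hosted name ($1), no recursion on a foreign name ($2),
# empty transfer for a client not in allow-transfer ($3).
external_view_ok() {
    [ "$(dig_authoritative "$1")" = 1 ] &&
    [ "$(dig_recursion_available "$2")" = 0 ] &&
    [ "$(axfr_record_count "$3")" = 0 ]
}

# Constructed sample traces, trimmed from the dig runs in this section.
INT_RECURSIVE=';; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
www.linux.org.          15890   IN      A       198.182.196.56'

EXT_LOCAL=';; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
www.jonathan-marks.com.  1D IN A        64.114.81.253'

EXT_RECURSIVE=';; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 0
.                       6D IN NS        A.ROOT-SERVERS.NET.'

EXT_AXFR_OK='$ORIGIN jonathan-marks.com.
@                       1D IN SOA       cmex.org. hostmaster.cmex.org. (
                                        2000071804      ; serial
                                        1D )            ; minimum
                        1D IN A         64.114.81.252
                        1D IN NS        ns1.cmex.org.
                        1D IN NS        ns2.cmex.org.
                        1D IN MX        10 mail
ftp                     1D IN A         64.114.81.253
mail                    1D IN A         64.114.81.252
www                     1D IN A         64.114.81.253
@                       1D IN SOA       cmex.org. hostmaster.cmex.org. (
                                        2000071804      ; serial
                                        1D )            ; minimum
;; Received 1 answer (9 records).'

EXT_AXFR_REFUSED='; <<>> DiG 8.3 <<>> @ns2.cmex.org jonathan-marks.com axfr
; (1 server found)
;; Received 0 answers (0 records).'

if external_view_ok "$EXT_LOCAL" "$EXT_RECURSIVE" "$EXT_AXFR_REFUSED"; then
    echo "external view: authoritative, non-recursive, transfers refused"
else
    echo "external view: CHECK FAILED" >&2
fi
```

To use it on live output, capture each run into a variable (for example `out=$(dig @ns2.cmex.org www.linux.org)`) and pass the variables to external_view_ok; a non-zero exit from that function is what a cron job should alert on.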
Execute /var/named/update-db.root, and when it completes execute mail and look for a message whose subject starts with either "SUCCESS: DNS monthly hints.db update." or "FAILED: DNS monthly hints.db update.". If the update was successful, the email should look like:

    Date: Fri, 2 Nov 2001 18:37:27 -0800
    From: system
    To: hostmaster
    Subject: DNS monthly hints.db update status: SUCCESS.

    ; <<>> DiG 9.1.3 <<>> @a.root-servers.net . ns
    ;; global options:  printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7662
    ;; flags: qr aa rd; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 13

    ;; QUESTION SECTION:
    ;.                              IN      NS

    ;; ANSWER SECTION:
    .                       518400  IN      NS      A.ROOT-SERVERS.NET.
    .                       518400  IN      NS      H.ROOT-SERVERS.NET.
    .                       518400  IN      NS      C.ROOT-SERVERS.NET.
    .                       518400  IN      NS      G.ROOT-SERVERS.NET.
    .                       518400  IN      NS      F.ROOT-SERVERS.NET.
    .                       518400  IN      NS      B.ROOT-SERVERS.NET.
    .                       518400  IN      NS      J.ROOT-SERVERS.NET.
    .                       518400  IN      NS      K.ROOT-SERVERS.NET.
    .                       518400  IN      NS      L.ROOT-SERVERS.NET.
    .                       518400  IN      NS      M.ROOT-SERVERS.NET.
    .                       518400  IN      NS      I.ROOT-SERVERS.NET.
    .                       518400  IN      NS      E.ROOT-SERVERS.NET.
    .                       518400  IN      NS      D.ROOT-SERVERS.NET.

    ;; ADDITIONAL SECTION:
    A.ROOT-SERVERS.NET.     3600000 IN      A       198.41.0.4
    H.ROOT-SERVERS.NET.     3600000 IN      A       128.63.2.53
    C.ROOT-SERVERS.NET.     3600000 IN      A       192.33.4.12
    G.ROOT-SERVERS.NET.     3600000 IN      A       192.112.36.4
    F.ROOT-SERVERS.NET.     3600000 IN      A       192.5.5.241
    B.ROOT-SERVERS.NET.     3600000 IN      A       128.9.0.107
    J.ROOT-SERVERS.NET.     3600000 IN      A       198.41.0.10
    K.ROOT-SERVERS.NET.     3600000 IN      A       193.0.14.129
    L.ROOT-SERVERS.NET.     3600000 IN      A       198.32.64.12
    M.ROOT-SERVERS.NET.     3600000 IN      A       202.12.27.33
    I.ROOT-SERVERS.NET.     3600000 IN      A       192.36.148.17
    E.ROOT-SERVERS.NET.     3600000 IN      A       192.203.230.10
    D.ROOT-SERVERS.NET.     3600000 IN      A       128.8.10.90

    ;; Query time: 110 msec
    ;; SERVER: 198.41.0.4#53(a.root-servers.net)
    ;; WHEN: Fri Nov  2 18:37:27 2001
    ;; MSG SIZE  rcvd: 436

    Restarting named:
    Stopping named: ^[[60G[^[[1;31mFAILED^[[0;39m]
    Starting named: ^[[60G[^[[1;31mFAILED^[[0;39m]

Read the last two lines of the message as well as the subject: the sample above reports FAILED for both the stop and the start of named, which the SUCCESS status line does not reflect, so a SUCCESS subject on its own does not prove that the new hints file is in service.

_________________________________________________________________

Chapter 8. File System Mounts, NFS and Automount Configuration

It is useful for harold to be able to automatically mount the file systems of the other machines (read only), as well as to automount its own CD drive and floppy disc drive. It is also useful for other (privileged) machines to be permitted read-only access to harold's file system.

_________________________________________________________________

8.1. File System Mounts

File system mounting is controlled by /etc/fstab. mount, when called from rc.sysinit, looks at this file to determine what to mount. In harold's configuration, only hard drives, ptys and the proc file system are mounted.

With the new /etc/fstab, reboot the computer. We could unmount and remount the file systems without rebooting, but we need to check that the configuration behaves as expected on bootup. Once the system has booted, enter mount. It should produce output similar to:

    /dev/hda4 on / type ext2 (rw)
    none on /proc type proc (rw)
    /dev/hda1 on /boot type ext2 (rw)
    /dev/hda3 on /usr/local/ftp/incoming type ext2 (rw)
    /dev/hdc3 on /disk2 type ext2 (rw)
    /dev/hdc1 on /disk2/boot type ext2 (rw)
    none on /dev/pts type devpts (rw,gid=5,mode=620)
    automount(pid544) on /misc type autofs (rw,fd=5,pgrp=544,minproto=2,maxproto=3)

If the last line does not appear in the output, do not worry; it just means that the automounter daemon is not running. Its configuration is explained below.

_________________________________________________________________

8.2. NFS Setup

8.2.1. NFS Daemons

Firstly, the kernel must be compiled to support NFS. If not, first rebuild the kernel.
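One way to make both checks from the command line, added here as example code that is not part of the original HOWTO: the kernel's /proc/filesystems lists every file system type it currently knows (built in, or loaded as a module), and a short awk pass over /etc/exports catches the mistakes that turn a read-only export of / into something wider than intended. The exports lines in the sample are constructed; the first of them is harold's own line from Appendix A.4.

```shell
#!/bin/sh
# Added example, not from the original HOWTO: is NFS available in the
# running kernel, and does /etc/exports say what we think it says?

# "yes" if the nfs filesystem type is known to the kernel. /proc/filesystems
# lists built-in types plus modules already loaded, so an nfs module that
# is not loaded yet will not show until "modprobe nfs" has been run.
# $1 lets a saved copy of the file be checked; default is the live one.
nfs_supported() {
    if grep -q '[[:space:]]nfs$' "${1:-/proc/filesystems}"; then
        echo yes
    else
        echo no
    fi
}

# Read an exports file on stdin and print one finding per line:
#   ROOT-EXPORT     the whole filesystem (/) is exported
#   WILDCARD        client is "*", a wildcard pattern, or missing
#                   (as in "/pub host (ro)", where the space makes the
#                   options apply to every host and "host" gets defaults)
#   NO-ROOT-SQUASH  remote root keeps uid 0 on this export
#   NOT-RO          client has no explicit ro option
# No output means nothing to report.
exports_audit() {
    awk '
        /^[[:space:]]*(#|$)/ { next }
        {
            path = $1
            if (path == "/") print "ROOT-EXPORT " path
            for (i = 2; i <= NF; i++) {
                client = $i; opts = ""
                if (match(client, /\(.*\)/)) {
                    opts = substr(client, RSTART + 1, RLENGTH - 2)
                    client = substr(client, 1, RSTART - 1)
                }
                if (client == "" || client ~ /\*/) print "WILDCARD " path " " $i
                if (opts ~ /(^|,)no_root_squash(,|$)/) print "NO-ROOT-SQUASH " path " " client
                if (opts !~ /(^|,)ro(,|$)/) print "NOT-RO " path " " client
            }
        }'
}

# Constructed sample: harold's own exports line plus two common mistakes.
SAMPLE_EXPORTS='/ gateway(ro) hal-9000(ro) hershel(ro) henry(ro)
/home *(rw,no_root_squash)
/pub host (ro)'

echo "nfs in kernel: $(nfs_supported)"
printf '%s\n' "$SAMPLE_EXPORTS" | exports_audit
```

On harold, `exports_audit < /etc/exports` reports only ROOT-EXPORT, which is what the author intends (read-only access to the whole tree for four named hosts); anything else in the output is worth a second look before running /etc/init.d/nfs restart.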
(If someone knows how to do a simple check from the command line to determine if NFS is compiled in, please let me know - jm at cmex dot org.)

As root, run chkconfig --list and check that the following lines appear in the listing:

    . . .
    nfs             0:off   1:off   2:off   3:on    4:on    5:on    6:off
    nfslock         0:off   1:off   2:off   3:on    4:on    5:on    6:off

If the entries do not exist, install the latest nfs-utils rpm, available from any RedHat mirror. If the entries exist but are not on for levels 3, 4 and 5, fix this with:

    chkconfig --level 345 nfs on
    chkconfig --level 345 nfslock on
    /etc/init.d/nfs stop        # just in case
    /etc/init.d/nfslock stop    # just in case
    /etc/init.d/nfs start
    /etc/init.d/nfslock start

The nfslock startup is not crucial; it is useful for tracking NFS file locks across host reboots. See the nfslock man page.

To get NFS to work, the exports file needs to be set up; see below.

_________________________________________________________________

8.2.2. NFS Exports

In order to permit other hosts to access harold over NFS, harold's /etc/exports file needs entries to support it. harold permits read-only access from its root directory to the listed hosts. See the exports man page; there are examples at the bottom of the man page.

Restart NFS with /etc/init.d/nfs restart for the new exports to be read into the kernel. This can be checked with less /proc/fs/nfs/exports.

Correspondingly, other hosts that harold may wish to access through NFS should have their exports files set up appropriately.

_________________________________________________________________

8.3. Automounter

autofs is the automounting software used on harold. It is used to mount floppy discs, CDs and NFS mounts. If not installed, install the latest autofs rpm. To check if it is running, execute ps ax and look for automount in the output.

Autofs's configuration is determined by /etc/auto.master and /etc/auto.mnt. See the man pages for autofs, automount, and auto.master.
DNS forward and reverse lookups must be working for this to work: NFS does a name lookup and a reverse name lookup and verifies that the looked-up name matches the name given. Also, for the NFS mounts to other hosts, those hosts must permit harold access.

As root, create the /mnt directory (the directory named in /etc/auto.master) with mode 755:

    mkdir /mnt
    chmod 755 /mnt

_________________________________________________________________

Chapter 9. Printer Configuration

The RedHat printtool GUI utility is effective in configuring the printer. Since we are working from a different host than harold, a few things need to be done to be able to run an X app on a remote host (see Section 11.1).

This section only deals with setting up an lpd print server; the section on Samba deals with printer sharing for Windows-type networks.

_________________________________________________________________

9.1. Setting up a local printer

Run up printtool.

Figure 9-1. Printtool's main Screen [printtool-main.png]

Click on the "New" toolbar button. This launches the RedHat Printer installation wizard. Select "Next" on the Add A New Printer Queue wizard. Enter a name in the Queue Name field to uniquely identify the printer.

Figure 9-2. Printtool's New Printer Screen [printtool-new.png]

Press Next. Ensure that the printer to be configured is selected.

Figure 9-3. Printtool's First Configure Screen [printtool-cfg1.png]

Press Next, and select an appropriate driver. Note the expanded window to illustrate the printer selection.

Figure 9-4. Printtool's Second Configure Screen [printtool-cfg2.png]

Press Next. The finish screen appears.

Figure 9-5. Printtool's Final Configure Screen [printtool-cfg3.png]

Press Finish. The print config window shows the printer installed.

This process creates the file /etc/printcap. It is also worth mentioning that the default parameters and permissions for lpd can be changed with /etc/lpd.conf and /etc/lpd.perms respectively.
The defaults from the RedHat install are fine for this config. Here's a link to the latest LPRng documentation. It is also worthwhile taking a look at the "lpr", "lpd", "lprm" and "lpq" man pages. Also ensure that the lpd daemon is configured to start up on reboot.

If this is the default printer, this can be set as an environment variable with:

    export PRINTER=hp850c

A similar line can be inserted either in ~/.bashrc for just this login, or in /etc/profile for the benefit of all logins.

_________________________________________________________________

9.2. Printing to a remote printer under Linux

As for the local printer, run up printtool. Select "New" from the tool bar. Select "Next" on the first screen of the RedHat Printer Install Wizard. On the next screen enter a printer queue name and select Unix printer. This is done on the host that does not have the printer physically attached to it.

Figure 9-6. Printtool's Remote Unix LPD Configure Screen [printtool-cfg4.png]

Press Next. On the next screen enter the server and printer queue of the host that has the printer attached.

Figure 9-7. Printtool's Remote Server LPD Configure Screen [printtool-cfg5.png]

Press Next, select the printer driver, and finish as for the local configuration.

_________________________________________________________________

Chapter 10. Samba Configuration

Harold requires a rather simple Samba workgroup configuration. This section covers setting up Samba, creating Windows logins, and setting up network printers from Samba. The Samba version set up here is 2.2.2.

_________________________________________________________________

10.1. Setting up Samba

The Samba configuration is governed by /etc/samba/smb.conf.
Basically it provides:

   * A private Windows share for each login,
   * A shared network printer for Windows workgroups,
   * A public share (remember to mkdir /usr/local/public), and
   * A share to the automountable CD-ROM on harold.

In the [global] section it is useful to point out the following:

   * security = user, meaning that security is per user login rather than per shared resource.
   * map to guest = bad user is used to give access to Windows users on unsecured Win98 and ME boxes without correct logins, especially for printer sharing.
   * Through hosts allow, this Samba service is only accessible to hosts on the local private subnet.
   * Encrypted passwords; more on this in the next section.

_________________________________________________________________

10.2. Samba Passwords for Windows Logins

In the past (Win95, and NT4 SP2 and earlier) the Microsoft default was to pass cleartext passwords over the network. This default changed to encrypted passwords with later Windows products. There are notes in the Samba release documentation on how to change the defaults back to clear text (WinNT.txt). This is ill advised; it is better to set Samba up to deal with encryption.

For Samba to handle encrypted Windows passwords correctly, firstly /etc/samba/smb.conf must be configured with:

    [global]
    encrypt passwords = yes
    smb passwd file = /etc/samba/smbpasswd

Next, each Windows user needs a matching Linux login and a Samba login and password on the Linux box serving Samba.

On the Samba host, add the user (I use adduser). The user login must be identical, including case, to the Windows login. The login password can be different from the Windows login password.

Create the user in /etc/samba/smbpasswd. If this is the first Samba user being created, execute:

    cat /etc/passwd | mksmbpasswd.sh > /etc/samba/smbpasswd

For subsequent users, just create the user entry in the /etc/samba/smbpasswd file by hand.

Once the user exists in /etc/samba/smbpasswd, enter the password for the user with smbpasswd.
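Two helpers for the procedure above, added here as example code that is not part of the original HOWTO or of the Samba distribution: the first produces stub entries in the layout mksmbpasswd.sh writes (with an optional minimum uid, so system accounts are left out of the Samba password file), and the second lists Samba logins that have no exactly matching Unix login, which is the case mismatch the text warns about. The passwd and smbpasswd lines it runs on are constructed.

```shell
#!/bin/sh
# Added example, not from the original HOWTO or the Samba project.

# Read /etc/passwd lines on stdin and write smbpasswd stub entries in the
# layout mksmbpasswd.sh produces: login, uid, two 32-character "X" fields
# where the LM and NT hashes go once smbpasswd sets a password, account
# flags, last-change time, and the GECOS name. Optional $1 is the lowest
# uid to include (default 0), so "smbpasswd_stubs 500" skips system
# accounts instead of giving every daemon user a Samba entry.
smbpasswd_stubs() {
    awk -F: -v minuid="${1:-0}" '
        BEGIN { printf("#\n# SMB password file.\n#\n") }
        $3 + 0 >= minuid {
            printf("%s:%s:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[U          ]:LCT-00000000:%s\n", $1, $3, $5)
        }'
}

# Print each login in smbpasswd file $1 that has no identical (same case)
# login in passwd file $2. The Windows login is looked up as given, so
# "Winuser" in smbpasswd does not match "winuser" in passwd.
smb_logins_without_unix_login() {
    awk -F: 'NR == FNR { unix[$1] = 1; next }
             /^#/ || NF < 2 { next }
             !($1 in unix) { print $1 }' "$2" "$1"
}

# Constructed sample data.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
ftp:x:14:50:FTP User:/var/ftp:
jm:x:500:500:Jonathan Marks:/home/jm:/bin/bash
winuser:x:501:501:Windows User:/home/winuser:/bin/bash'

SAMPLE_SMBPASSWD='#
# SMB password file.
#
jm:500:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[U          ]:LCT-00000000:Jonathan Marks
Winuser:501:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[U          ]:LCT-00000000:Windows User'

# Stub file for real users only (uid 500 and up).
printf '%s\n' "$SAMPLE_PASSWD" | smbpasswd_stubs 500

# Cross-check the two files; "Winuser" is reported because passwd has "winuser".
P=$(mktemp); S=$(mktemp)
printf '%s\n' "$SAMPLE_PASSWD" > "$P"
printf '%s\n' "$SAMPLE_SMBPASSWD" > "$S"
echo "Samba logins without a matching Unix login:"
smb_logins_without_unix_login "$S" "$P"
rm -f "$P" "$S"
```

On the live system the equivalent calls are `smbpasswd_stubs 500 < /etc/passwd > /etc/samba/smbpasswd` for the initial file and `smb_logins_without_unix_login /etc/samba/smbpasswd /etc/passwd` after adding users by hand; the second should print nothing before smbpasswd is run.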
The Samba password must exactly match the Windows password. This aspect of Samba is rather clunky; I look forward to a streamlining of this process.

_________________________________________________________________

10.3. Samba Printer Sharing

On a Windows PC, check that the Samba server, and particularly the printer share, are available. Install as you would for any networked printer. I found on Win2K that I needed to first add the printer port (as a local port) using an arbitrary installed local printer. YMMV.

_________________________________________________________________

Chapter 11. Tips and Tricks

A collection of easy-to-forget reminders.

_________________________________________________________________

11.1. Running X apps on remote hosts

Scenario: I am sitting in front of host "hal-9000", and I want to run an X app (say, gv for example) on host "harold", and I want the window to be displayed on hal-9000.

First open an xterm on hal-9000 and type

    xhost +

to permit any other host to display windows in this X session (xhost +harold grants that permission to harold alone). Then telnet to harold, and once logged into harold, set the DISPLAY environment variable to point to the open X session on hal-9000:

    export DISPLAY=hal-9000:0.0

After that, run up gv.

_________________________________________________________________

Appendix A. Harold's Configuration Files

A.1. /etc/auto.master

Permissions, UID GID    -rw-r--r-- root root

    /mnt    /etc/auto.mnt   --timeout=60

_________________________________________________________________

A.2. /etc/auto.mnt

Permissions, UID GID    -rw-r--r-- root root

    cd          -fstype=iso9660,ro      :/dev/cdrom
    fd          -fstype=auto            :/dev/fd0
    gateway     -ro,soft,intr           gateway:/
    hal-9000    -ro,soft,intr           hal-9000:/
    henry       -ro,soft,intr           henry:/

_________________________________________________________________

A.3. /etc/bashrc

Permissions, UID GID    -rw------- root root

    # /etc/bashrc

    # System wide functions and aliases
    # Environment stuff goes in /etc/profile

    # are we an interactive shell?
    if [ "$PS1" ]; then
        if [ -x /usr/bin/tput ]; then
            if [ "x`tput kbs`" != "x" ]; then # We can't do this with "dumb" terminal
                stty erase `tput kbs`
            elif [ -x /usr/bin/wc ]; then
                if [ "`tput kbs|wc -c `" -gt 0 ]; then # We can't do this with "dumb" terminal
                    stty erase `tput kbs`
                fi
            fi
        fi
        case $TERM in
            xterm*)
                PROMPT_COMMAND='echo -ne "\033]0;${USER}@${HOSTNAME}: ${PWD}\007"'
                ;;
            *)
                ;;
        esac
        if [ "x$SHLVL" != "x1" ]; then # We're not a login shell
            for i in /etc/profile.d/*.sh; do
                if [ -x $i ]; then
                    . $i
                fi
            done
        fi
    fi

    PS1="\u@\h:\w>"
    PS2=". . .>"

    alias ls="ls --color=auto -s -F -T 0"
    alias dir="dir --full-time --color=auto -a -l -F -T 0"
    alias lo="logout"
    alias rm='rm -i'
    alias cp='cp -i'
    alias mv='mv -i'
    alias md='mkdir'

_________________________________________________________________

A.4. /etc/exports

Permissions, UID GID    -rw-r--r-- root root

    /   gateway(ro) hal-9000(ro) hershel(ro) henry(ro)

_________________________________________________________________

A.5. /etc/ftpaccess

Permissions, UID GID    -rw------- root root

    # This file controls the behavior of the wu-ftpd
    # ftp server.
    #
    # If you're looking for a graphical frontend to
    # editing it, try kwuftpd from the kdeadmin
    # package.

    # Don't allow system accounts to log in over ftp
    deny-uid %-99 %65534-
    deny-gid %-99 %65534-
    allow-uid ftp
    allow-gid ftp

    # The ftpchroot group doesn't exist by default, this
    # entry is just supplied as an example.
    # To chroot a user, modify the line below or create
    # the ftpchroot group and add the user to it.
    #
    # You will need to setup the required applications
    # and libraries in the root directory (set using
    # guest-root).
    #
    # Look at the anonftp package for the files you'll need.
    guestgroup ftpchroot

    # User classes...
    class   all   real   *
    #class  all   real,guest,anonymous   *

    # Set this to your email address
    email jm@cmex.org

    # Allow 5 mistyped passwords
    loginfails 5

    # Notify the users of README files at login and when
    # changing to a different directory
    readme  README*    login
    readme  README*    cwd=*

    # Messages displayed to the user
    message /welcome.msg            login
    message .message                cwd=*

    # Allow on-the-fly compression and tarring
    compress        yes             all
    tar             yes             all

    # Prevent anonymous users (and partially guest users)
    # from executing dangerous commands
    chmod           no              guest,anonymous
    delete          no              anonymous
    overwrite       no              anonymous
    rename          no              anonymous

    # Turn on logging to /var/log/xferlog
    log transfers anonymous,guest,real inbound,outbound

    # If /etc/shutmsg exists, don't allow logins
    # see ftpshut man page
    shutdown /etc/shutmsg

    # Ask users to use their email address as anonymous
    # password
    passwd-check rfc822 warn

_________________________________________________________________

A.6. /etc/fstab

Permissions, UID GID    -rw-r--r-- root root

    /dev/hda4     /                        ext3     defaults         1 1
    /dev/hdc3     /1                       ext3     defaults         1 2
    /dev/hdc1     /1/boot                  ext3     defaults         1 2
    /dev/hda1     /boot                    ext3     defaults         1 2
    none          /dev/pts                 devpts   gid=5,mode=620   0 0
    none          /proc                    proc     defaults         0 0
    none          /dev/shm                 tmpfs    defaults         0 0
    /dev/hda3     /usr/local/ftp/incoming  ext3     defaults         1 2
    /dev/hdc2     swap                     swap     defaults         0 0
    /dev/hda2     swap                     swap     defaults         0 0

_________________________________________________________________

A.7. /etc/host.conf

Permissions, UID GID    -rw-r--r-- root root

    order hosts,bind
    multi on

_________________________________________________________________

A.8. /etc/hosts

Permissions, UID GID    -rw-r--r-- root root

    127.0.0.1   harold harold.cmex.org localhost.localdomain localhost

_________________________________________________________________

A.9. /etc/hosts.allow

Permissions, UID GID    -rw-r--r-- root root

    #
    # hosts.allow   This file describes the names of the hosts which are
    #               allowed to use the local INET services, as decided
    #               by the '/usr/sbin/tcpd' server.
    #
    ALL: 192.168.0.4

_________________________________________________________________

A.10. /etc/hosts.deny

Permissions, UID GID    -rw-r--r-- root root

    #
    # hosts.deny    This file describes the names of the hosts which are
    #               *not* allowed to use the local INET services, as decided
    #               by the '/usr/sbin/tcpd' server.
    #
    # The portmap line is redundant, but it is left to remind you that
    # the new secure portmap uses hosts.deny and hosts.allow.  In particular
    # you should know that NFS uses portmap!
    ALL: ALL

_________________________________________________________________

A.11. /etc/inittab

Permissions, UID GID    -rw-r--r-- root root

    #
    # inittab       This file describes how the INIT process should set up
    #               the system in a certain run-level.
    #
    # Author:       Miquel van Smoorenburg,
    #               Modified for RHS Linux by Marc Ewing and Donnie Barnes
    #

    # Default runlevel. The runlevels used by RHS are:
    #   0 - halt (Do NOT set initdefault to this)
    #   1 - Single user mode
    #   2 - Multiuser, without NFS (The same as 3, if you do not have networking)
    #   3 - Full multiuser mode
    #   4 - unused
    #   5 - X11
    #   6 - reboot (Do NOT set initdefault to this)
    #
    id:3:initdefault:

    # System initialization.
    si::sysinit:/etc/rc.d/rc.sysinit

    l0:0:wait:/etc/rc.d/rc 0
    l1:1:wait:/etc/rc.d/rc 1
    l2:2:wait:/etc/rc.d/rc 2
    l3:3:wait:/etc/rc.d/rc 3
    l4:4:wait:/etc/rc.d/rc 4
    l5:5:wait:/etc/rc.d/rc 5
    l6:6:wait:/etc/rc.d/rc 6

    # Things to run in every runlevel.
    ud::once:/sbin/update

    # Trap CTRL-ALT-DELETE
    #ca::ctrlaltdel:/sbin/shutdown -t3 -r now

    # When our UPS tells us power has failed, assume we have a few minutes
    # of power left.  Schedule a shutdown for 2 minutes from now.
    # This does, of course, assume you have powerd installed and your
    # UPS connected and working correctly.
    pf::powerfail:/sbin/shutdown -f -h +2 "Power Failure; System Shutting Down"

    # If power was restored before the shutdown kicked in, cancel it.
pr:12345:powerokwait:/sbin/shutdown -c "Power Restored; Shutdown Cancelled" # Run gettys in standard runlevels 1:2345:respawn:/sbin/mingetty tty1 2:2345:respawn:/sbin/mingetty tty2 3:2345:respawn:/sbin/mingetty tty3 4:2345:respawn:/sbin/mingetty tty4 5:2345:respawn:/sbin/mingetty tty5 6:2345:respawn:/sbin/mingetty tty6 S0:2345:respawn:/sbin/mgetty -s 115200 ttyS0 S2:2345:respawn:/sbin/mgetty -r -s 57600 ttyS2 S3:2345:respawn:/sbin/mgetty -r -s 115200 ttyS3 # Run xdm in runlevel 5 # xdm is now a separate service x:5:respawn:/etc/X11/prefdm -nodaemon _________________________________________________________________ A.12. /etc/lilo.conf Permissions, UID GID -rw-r--r-- root root boot=/dev/hda map=/boot/map install=/boot/boot.b prompt # display boot prompt vga=6 # vga 50 line mode timeout=50 # 5 sec timeout default=l single-key # use single keypress, no return reqrd lba32 image=/boot/bzImage label=l root=/dev/hda4 read-only image=/boot/vmlinuz label=f root=/dev/hda4 read-only image=/boot/bzImage.old label=o root=/dev/hda4 read-only image=/boot/vmlinuz-2.4.7-10 label=x read-only root=/dev/hda4 _________________________________________________________________ A.13. /etc/named.conf Permissions, UID GID -rw-r--r-- root root acl "int-ips" { 192.168.0.0/16; 5 }; options { // Root directory for master (db) files. directory "/var/named"; 10 // If a lookup is not in our cache, query these nameservers // (usually our ISP's) our ISP's nameservers before attempting // to resolve. forward first; 15 forwarders { 209.53.200.2; 209.53.200.3; }; listen-on port 53 { 20 127.0.0.1; // localhost 192.168.0.1; // physical ip address }; // may be required if this name server is behind a firewall 25 // query-source address * port 53; }; view "int-view" { match-clients { 30 int-ips; 127.0.0.0/8; }; allow-transfer { int-ips; 35 127.0.0.0/8; }; recursion yes; allow-query { 40 int-ips; 127.0.0.0/8; }; allow-recursion { int-ips; 45 127.0.0.0/8; }; zone "." 
{ type hint; file "db.root"; 50 }; zone "0.0.127.in-addr.arpa" { type master; notify no; file "db.127.0.0"; 55 }; zone "novatek.co.nz" { type master; notify yes; file "int-pri/db.novatek.co.nz"; 60 }; zone "jmarks-asc.com" { type master; notify yes; file "int-pri/db.jmarks-asc.com"; 65 }; zone "cmex.org" { type master; notify yes; file "int-pri/db.cmex.org"; 70 }; zone "e-voice-mail.com" { type master; notify yes; file "int-pri/db.e-voice-mail.com"; 75 }; zone "networksrus.com" { type master; notify yes; file "int-pri/db.networksrus.com"; 80 }; zone "networks-r-us.com" { type master; notify yes; file "int-pri/db.networks-r-us.com"; 85 }; zone "software-foundry.com" { type master; notify yes; file "int-pri/db.software-foundry.com"; 90 }; zone "sorcerers-foundry.com" { type master; notify yes; file "int-pri/db.sorcerers-foundry.com"; 95 }; zone "jonathan-marks.com" { type master; notify yes; file "int-pri/db.jonathan-marks.com"; 100 }; zone "vanessa-marks.com" { type master; notify yes; file "int-pri/db.vanessa-marks.com"; 105 }; zone "steven-marks.com" { type master; notify yes; file "int-pri/db.steven-marks.com"; 110 }; zone "cara-marks.com" { type master; notify yes; file "int-pri/db.cara-marks.com"; 115 }; zone "0.168.192.in-addr.arpa" { type master; notify no; file "int-pri/db.192.168.0"; 120 }; }; view "ext-view" { match-clients { ! int-ips; 125 ! 127.0.0.0/8; any; }; allow-transfer { 192.168.0.254; // gateway 130 64.114.81.252; 64.114.81.253; 209.53.193.13; 24.71.7.165; }; 135 recursion no; allow-query { ! int-ips; ! 127.0.0.0/8; 140 any; }; zone "." 
{ type hint; file "db.root"; 145 }; zone "0.0.127.in-addr.arpa" { type master; notify no; file "db.127.0.0."; 150 }; zone "novatek.co.nz" { type master; notify yes; file "ext-pri/db.novatek.co.nz"; 155 }; zone "jmarks-asc.com" { type master; notify yes; file "ext-pri/db.jmarks-asc.com"; 160 }; zone "cmex.org" { type master; notify yes; file "ext-pri/db.cmex.org"; 165 }; zone "e-voice-mail.com" { type master; notify yes; file "ext-pri/db.e-voice-mail.com"; 170 }; zone "networksrus.com" { type master; notify yes; file "ext-pri/db.networksrus.com"; 175 }; zone "networks-r-us.com" { type master; notify yes; file "ext-pri/db.networks-r-us.com" 180 }; zone "software-foundry.com" { type master; notify yes; file "ext-pri/db.software-foundry.com"; 185 }; zone "sorcerers-foundry.com" { type master; notify yes; file "ext-pri/db.sorcerers-foundry.com"; 190 }; zone "jonathan-marks.com" { type master; notify yes; file "ext-pri/db.jonathan-marks.com"; 195 }; zone "vanessa-marks.com" { type master; notify yes; file "ext-pri/db.vanessa-marks.com"; 200 }; zone "steven-marks.com" { type master; notify yes; file "ext-pri/db.steven-marks.com"; 205 }; zone "cara-marks.com" { type master; notify yes; file "ext-pri/db.cara-marks.com"; 210 }; zone "81.114.64.in-addr.arpa" { type master; notify no; file "ext-pri/db.64.114.81"; 215 }; zone "193.53.209.in-addr.arpa" { type master; notify no; file "ext-pri/db.209.53.193"; 220 }; }; _________________________________________________________________ A.14. /etc/nsswitch.conf Permissions, UID GID -rw-r--r-- root root passwd: files nisplus shadow: files nisplus group: files nisplus hosts: files nisplus dns bootparams: nisplus [NOTFOUND=return] files ethers: files netmasks: files networks: files protocols: files nisplus rpc: files services: files nisplus netgroup: files nisplus publickey: nisplus automount: files nisplus aliases: files nisplus _________________________________________________________________ A.15. 
/etc/printcap Permissions, UID GID -rw-r--r-- root root # /etc/printcap # # DO NOT EDIT! MANUAL CHANGES WILL BE LOST! # This file is autogenerated by printconf-backend during lpd init. # # Hand edited changes can be put in /etc/printcap.local, and will be included. hp850c:\ :sh:\ :ml=0:\ :mx=0:\ :sd=/var/spool/lpd/hp850c:\ :af=/var/spool/lpd/hp850c/hp850c.acct:\ :lp=/dev/lp0:\ :lpd_bounce=true:\ :if=/usr/share/printconf/util/mf_wrapper: ############################################################################### ## Everything below here is included verbatim from /etc/printcap.local ## ############################################################################### # printcap.local # # This file is included by printconf's generated printcap, # and can be used to specify custom hand edited printers. _________________________________________________________________ A.16. /etc/profile Permissions, UID GID -rw-r--r-- root root # /etc/profile if ! echo $PATH | /bin/grep -q "/usr/X11R6/bin" ; then export PATH="$PATH:/usr/X11R6/bin" fi ulimit -S -c 1000000 > /dev/null 2>&1 if [ `id -gn` = `id -un` -a `id -u` -gt 14 ]; then umask 002 else umask 022 fi export USER=`id -un` export LOGNAME=$USER export MAIL="/var/spool/mail/$USER" export VISUAL=vi export EDITOR=vi export HOSTNAME=`/bin/hostname` export HISTSIZE=1000 export PRINTER=hp850c if [ -z "$INPUTRC" -a ! -f "$HOME/.inputrc" ]; then export INPUTRC=/etc/inputrc fi # enable colour ls eval `dircolors /etc/DIR_COLORS -b` # customize less export LESS='-M-Q' export LESSEDIT="%E ?lt+%lt. %f" export LESSOPEN="| lesspipe.sh %s" export LESSCHARSET=latin1 export LESSCHARDEF=8bcccbcc13b.4b95.33b. # show colours in ls -l | less export noclobber export IGNOREEOF for i in /etc/profile.d/*.sh ; do if [ -x $i ]; then . $i fi done # call fortune, if available if [ -x /usr/games/fortune ] ; then echo ; /usr/games/fortune ; echo fi _________________________________________________________________ A.17. 
/etc/rc.d/rc.local

Permissions, UID GID
-rwx------ root root

#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.

if [ -f /etc/sysconfig/network ]; then
	if [ -f /etc/sysconfig/network-scripts/ifup-ipalias ] ; then
		/etc/sysconfig/network-scripts/ifup-ipalias
	fi

	# Required for VPN network
	# Forwarding is global, not per interface: once set, the kernel routes
	# between eth0, its aliases and the pptp interfaces for anyone who can
	# reach them, and this kernel is built without CONFIG_NETFILTER (A.30),
	# so the firewall in front of harold is the only thing filtering it.
	echo 1 > /proc/sys/net/ipv4/ip_forward
fi

if [ -f /etc/redhat-release ]; then
	R=$(cat /etc/redhat-release)
	uname -r > /etc/kernel-version
	arch=$(uname -m)
	a="a"
	case "_$arch" in
		_a*) a="an";;
		_i*) a="an";;
	esac

	# This will overwrite /etc/issue* on every boot. So, make any changes you
	# want to make to /etc/issue here or you will lose them when you reboot.
	# NOTE: we do not want users on the net with bad intent to know the OS and
	# version at the log in prompt.  Only /etc/issue (local consoles) gets
	# the release and kernel lines; /etc/issue.net, which in.telnetd shows,
	# carries the banner and host name alone.
	echo "" > /etc/issue
	echo "CMEX.org" >> /etc/issue
	echo "********" >> /etc/issue
	echo "" >> /etc/issue
	cp -f /etc/issue /etc/issue.net
	cp -f /etc/issue /etc/issue.tty
	echo "$R" >> /etc/issue
	echo "Kernel $(uname -r) on $a $(uname -m)" >> /etc/issue
	echo "" >> /etc/issue
	echo "\l@$(uname -n)" >> /etc/issue
	echo "telnet@$(uname -n)" >> /etc/issue.net
	echo "\P\@$(uname -n)" >> /etc/issue.tty
	echo "Connection string: \I" >> /etc/issue.tty
	echo "" >> /etc/issue
	echo "" >> /etc/issue.net
	echo "" >> /etc/issue.tty
fi
_________________________________________________________________

A.18. /etc/resolv.conf

Permissions, UID GID
-rw-r--r-- root root

search cmex.org novatek.co.nz
nameserver 192.168.0.1
nameserver 192.168.0.3
_________________________________________________________________

A.19. /etc/samba/smb.conf

Permissions, UID GID
-rw-r--r-- root root

[global]
	workgroup = Novatek
	server string = Harold Resource Sharing
	security = user
	map to guest = bad user
	hosts allow = 192.168.0. localhost
	log file = /var/log/samba/log.%m
	max log size = 50
	socket options = TCP_NODELAY IPTOS_LOWDELAY
	printcap name = /etc/printcap
	printing = lprng
	load printers = yes
	encrypt passwords = yes
	smb passwd file = /etc/samba/smbpasswd
	case sensitive = no
	short preserve case = yes
	preserve case = yes

[homes]
	comment = Harold's Home Directories
	read only = No
	create mask = 0750
	browseable = No

[printers]
	# "security" is a [global] parameter; Samba ignores it in a share
	# section (testparm warns), so the global "security = user" applies
	security = share
	comment = All Printers
	path = /var/spool/samba
	public = Yes
	printable = Yes
	browseable = No
	writeable = No
	create mode = 700

[hp850c]
	# ignored here for the same reason as in [printers]
	security = share
	path = /var/spool/samba
	printer name = hp850c
	writable = Yes
	public = Yes
	printable = Yes

[public]
	# guest-writable: any host passed by "hosts allow" can write here
	# as the guest account without a password
	comment = Public Share
	path = /usr/local/public
	writeable = yes
	public = yes

[cd]
	comment = Harold CDROM
	path = /mnt/cd
	read only = yes
	public = yes
_________________________________________________________________

A.20. /etc/securetty

Permissions, UID GID
-rw------- root root

vc/1
vc/2
vc/3
vc/4
vc/5
vc/6
vc/7
vc/8
vc/9
vc/10
vc/11
tty1
tty2
tty3
tty4
tty5
tty6
tty7
tty8
tty9
tty10
tty11
_________________________________________________________________

A.21. /etc/skel/.bashrc

Permissions, UID GID
-rw-r--r-- root root

# .bashrc

# User specific aliases and functions

# Source global definitions
if [ -f /etc/bashrc ]; then
	. /etc/bashrc
fi
_________________________________________________________________

A.22. /etc/skel/.bash_profile

Permissions, UID GID
-rw-r--r-- root root

# .bash_profile

# Get the aliases and functions
if [ -f ~/.bashrc ]; then
	. ~/.bashrc
fi

# User specific environment and startup programs

PATH=$PATH:$HOME/bin
BASH_ENV=$HOME/.bashrc

export BASH_ENV PATH
unset USERNAME
_________________________________________________________________

A.23. /etc/sysconfig/i18n

Permissions, UID GID
-rw-r--r-- root root

LANG="en_CA"
SUPPORTED="en_CA:en:en_US:en"
#SYSFONT="lat0-sun16"
SYSFONTACM="iso01"
_________________________________________________________________

A.24.
/etc/sysconfig/network

Permissions, UID GID
-rw-r--r-- root root

NETWORKING=yes
HOSTNAME=harold.cmex.org
GATEWAY=192.168.0.254
GATEWAYDEV=eth0
NISDOMAIN=""
_________________________________________________________________

A.25. /etc/sysconfig/network-scripts/ifcfg-eth0

Permissions, UID GID
-rw-r--r-- root root

DEVICE=eth0
ONBOOT=yes
BOOTPROTO=static
IPADDR=192.168.0.1
NETMASK=255.255.255.0
_________________________________________________________________

A.26. /etc/sysconfig/network-scripts/ifcfg-eth0-rng0

Permissions, UID GID
-rw-r--r-- root root

IPA_BASE_ADDR=192.168.0.220
IPA_NETMASK=255.255.255.0
IPA_QTY=16
IPA_BASE_CLONE=0
_________________________________________________________________

A.27. /etc/sysconfig/network-scripts/ifup-ipalias

Permissions, UID GID
-rwxr-xr-x root root

#!/bin/sh
#/etc/sysconfig/network-scripts/ifup-ipalias
#
# Brings up IPA_QTY aliases on DEV:IPA_BASE_CLONE, DEV:IPA_BASE_CLONE+1, ...
# starting at IPA_BASE_ADDR, for every ifcfg-DEV-rngN file in this directory.
# Those files are sourced as shell below, so keep them root-owned and
# writable by nobody else.

# dotted quad in $ipa_a -> integer in $ipa_n
function inet_aton () {
	a=${ipa_a%%.*}; d=${ipa_a#*.}
	b=${d%%.*}; d=${d#*.}
	c=${d%%.*}; d=${d#*.}
	a=$((a << 24)); b=$((b << 16)); c=$((c << 8))
	ipa_n=$((a + b + c + d))
}

# integer in $ipa_n -> dotted quad in $ipa_a.  Shell arithmetic is signed,
# so on a 32-bit bash the top octet can come out negative after the
# shift; the +256 puts it back in range.
function inet_ntoa () {
	a=$((ipa_n & 0xff000000)); a=$((a >> 24))
	if [ $a -lt 0 ] ; then a=$((a + 256)) ; fi
	b=$((ipa_n & 0x00ff0000)); b=$((b >> 16))
	c=$((ipa_n & 0x0000ff00)); c=$((c >> 8))
	d=$((ipa_n & 0x000000ff))
	ipa_a=$a.$b.$c.$d
}

cd `dirname $0`
for f in ifcfg-*-rng* ; do
	# no range files: the glob comes back unexpanded
	if [ "$f" = "ifcfg-*-rng*" ] ; then
		exit 0
	fi
	dv=`basename $f | sed -e "s/^ifcfg-//" -e "s/-rng.*$//"`
	. $f
	# ipcalc prints BROADCAST=x.x.x.x, which eval turns into a variable
	eval `/bin/ipcalc --broadcast $IPA_BASE_ADDR $IPA_NETMASK`
	ipa_a=$IPA_BASE_ADDR; inet_aton
	ipa_cl=$IPA_BASE_CLONE
	ipa_nr=0
	while [ $ipa_nr -lt $IPA_QTY ] ; do
		inet_ntoa
		/sbin/ifconfig $dv:$ipa_cl $ipa_a netmask $IPA_NETMASK broadcast $BROADCAST
		ipa_cl=$((ipa_cl + 1))
		ipa_nr=$((ipa_nr + 1))
		ipa_n=$((ipa_n + 1))
	done
done
_________________________________________________________________

A.28.
/etc/xinetd.d/telnet

Permissions, UID GID
-rw-r--r-- root root

# default: on
# description: The telnet server serves telnet sessions; it uses \
#	unencrypted username/password pairs for authentication.
#
# "disable = yes" is commented out, so the service is on (section 4.2.1).
# What reaches it is decided by tcp_wrappers (/etc/hosts.allow, A.9) and
# the firewall in front of harold; the password still crosses the wire in
# the clear, so keep the allow list to the hosts that need it.
service telnet
{
	flags		= REUSE
	socket_type	= stream
	wait		= no
	user		= root
	server		= /usr/sbin/in.telnetd
	log_on_failure	+= USERID
#	disable		= yes
}
_________________________________________________________________

A.29. /etc/xinetd.d/wu-ftp

Permissions, UID GID
-rw-r--r-- root root

# default: on
# description: The wu-ftpd FTP server serves FTP connections. It uses \
#	normal, unencrypted usernames and passwords for authentication.
#
# On as well; the same tcp_wrappers and firewall caveats as for telnet apply.
service ftp
{
	socket_type	= stream
	wait		= no
	user		= root
	server		= /usr/sbin/in.ftpd
	server_args	= -l -a
	log_on_success	+= DURATION USERID
	log_on_failure	+= USERID
	nice		= 10
#	disable		= yes
}
_________________________________________________________________

A.30. /usr/src/linux-2.4/.config

Permissions, UID GID
-rw-r--r-- root root

#
# Automatically generated make config: don't edit
#
CONFIG_X86=y
CONFIG_ISA=y
# CONFIG_SBUS is not set
CONFIG_UID16=y
# CONFIG_GENERIC_BUST_SPINLOCK is not set
CONFIG_GENERIC_ISA_DMA=y

#
# Code maturity level options
#
CONFIG_EXPERIMENTAL=y

#
# Loadable module support
#
CONFIG_MODULES=y
CONFIG_MODVERSIONS=y
CONFIG_KMOD=y

#
# Processor type and features
#
# CONFIG_M386 is not set
# CONFIG_M486 is not set
CONFIG_M586=y
# CONFIG_M586TSC is not set
# CONFIG_M586MMX is not set
# CONFIG_M686 is not set
# CONFIG_MPENTIUMIII is not set
# CONFIG_MPENTIUM4 is not set
# CONFIG_MK6 is not set
# CONFIG_MK7 is not set
# CONFIG_MCRUSOE is not set
# CONFIG_MWINCHIPC6 is not set
# CONFIG_MWINCHIP2 is not set
# CONFIG_MWINCHIP3D is not set
# CONFIG_MCYRIXIII is not set
CONFIG_X86_WP_WORKS_OK=y
CONFIG_X86_INVLPG=y
CONFIG_X86_CMPXCHG=y
CONFIG_X86_XADD=y
CONFIG_X86_BSWAP=y
CONFIG_X86_POPAD_OK=y
# CONFIG_RWSEM_GENERIC_SPINLOCK is not set
CONFIG_RWSEM_XCHGADD_ALGORITHM=y
CONFIG_X86_L1_CACHE_SHIFT=5
CONFIG_X86_USE_STRING_486=y
CONFIG_X86_ALIGNMENT_16=y
CONFIG_X86_PPRO_FENCE=y
# CONFIG_TOSHIBA is not set
# CONFIG_MICROCODE is not set
# CONFIG_X86_MSR is not set
# CONFIG_X86_CPUID is not set
# CONFIG_E820_PROC is not set
CONFIG_NOHIGHMEM=y
# CONFIG_HIGHMEM4G is not set
# CONFIG_HIGHMEM64G is not set
# CONFIG_1GB is not set
# CONFIG_2GB is not set
CONFIG_3GB=y
# CONFIG_MATH_EMULATION is not set
# CONFIG_MTRR is not set
# CONFIG_SMP is not set
# CONFIG_X86_UP_APIC is not set
# CONFIG_X86_UP_IOAPIC is not set
# CONFIG_MXT is not set

#
# General setup
#
CONFIG_NET=y
CONFIG_PCI=y
# CONFIG_PCI_GOBIOS is not set
# CONFIG_PCI_GODIRECT is not set
CONFIG_PCI_GOANY=y
CONFIG_PCI_BIOS=y
CONFIG_PCI_DIRECT=y
CONFIG_PCI_NAMES=y
# CONFIG_EISA is not set
# CONFIG_MCA is not set
# CONFIG_HOTPLUG is not set
# CONFIG_PCMCIA is not set
# CONFIG_HOTPLUG_PCI is not set
CONFIG_SYSVIPC=y
CONFIG_BSD_PROCESS_ACCT=y
CONFIG_SYSCTL=y
CONFIG_KCORE_ELF=y
# CONFIG_KCORE_AOUT is not set
CONFIG_BINFMT_AOUT=y
CONFIG_BINFMT_ELF=y
CONFIG_BINFMT_MISC=y
# CONFIG_PM is not set
# CONFIG_ACPI is not set
# CONFIG_APM is not set

#
# Memory Technology Devices (MTD)
#
# CONFIG_MTD is not set

#
# Parallel port support
#
CONFIG_PARPORT=y
CONFIG_PARPORT_PC=y
CONFIG_PARPORT_PC_CML1=y
CONFIG_PARPORT_SERIAL=y
# CONFIG_PARPORT_PC_FIFO is not set
# CONFIG_PARPORT_PC_SUPERIO is not set
# CONFIG_PARPORT_AMIGA is not set
# CONFIG_PARPORT_MFC3 is not set
# CONFIG_PARPORT_ATARI is not set
# CONFIG_PARPORT_GSC is not set
# CONFIG_PARPORT_SUNBPP is not set
# CONFIG_PARPORT_OTHER is not set
# CONFIG_PARPORT_1284 is not set

#
# Plug and Play configuration
#
CONFIG_PNP=y
CONFIG_ISAPNP=y
# CONFIG_PNPBIOS is not set

#
# Block devices
#
CONFIG_BLK_DEV_FD=y
# CONFIG_BLK_DEV_XD is not set
# CONFIG_PARIDE is not set
# CONFIG_BLK_CPQ_DA is not set
# CONFIG_BLK_CPQ_CISS_DA is not set
# CONFIG_CISS_SCSI_TAPE is not set
# CONFIG_BLK_DEV_DAC960 is not set
CONFIG_BLK_DEV_LOOP=y
CONFIG_BLK_DEV_NBD=y
# CONFIG_BLK_DEV_RAM is not set
# CONFIG_BLK_DEV_INITRD is not set

#
# Enterprise Volume Management System
#
# CONFIG_EVMS is not set
# CONFIG_EVMS_LOCAL_DEV_MGR_PLUGIN is not set
# CONFIG_EVMS_DOS_PARTITION_PLUGIN is not set
# CONFIG_EVMS_SNAPSHOT_PLUGIN is not set
# CONFIG_EVMS_DRIVELINK_PLUGIN is not set
# CONFIG_EVMS_BBR_PLUGIN is not set
# CONFIG_EVMS_LVM_PLUGIN is not set
# CONFIG_EVMS_AIX_PLUGIN is not set
# CONFIG_EVMS_OS2_PLUGIN is not set

#
# Multi-device support (RAID and LVM)
#
# CONFIG_MD is not set
# CONFIG_BLK_DEV_MD is not set
# CONFIG_MD_LINEAR is not set
# CONFIG_MD_RAID0 is not set
# CONFIG_MD_RAID1 is not set
# CONFIG_MD_RAID5 is not set
# CONFIG_MD_MULTIPATH is not set
# CONFIG_BLK_DEV_LVM is not set

#
# Networking options
#
CONFIG_PACKET=y
CONFIG_PACKET_MMAP=y
CONFIG_NETLINK=y
CONFIG_RTNETLINK=y
CONFIG_NETLINK_DEV=y
# CONFIG_NETFILTER is not set
CONFIG_FILTER=y
CONFIG_UNIX=y
CONFIG_INET=y
# CONFIG_IP_MULTICAST is not set
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_RTNETLINK=y
CONFIG_NETLINK=y
# CONFIG_IP_MULTIPLE_TABLES is not set
# CONFIG_IP_ROUTE_MULTIPATH is not set
# CONFIG_IP_ROUTE_TOS is not set
CONFIG_IP_ROUTE_VERBOSE=y
# CONFIG_IP_ROUTE_LARGE_TABLES is not set
# CONFIG_IP_PNP is not set
# CONFIG_NET_IPIP is not set
# CONFIG_NET_IPGRE is not set
# CONFIG_ARPD is not set
# CONFIG_INET_ECN is not set
CONFIG_SYN_COOKIES=y
# CONFIG_IPV6 is not set
# CONFIG_KHTTPD is not set
# CONFIG_ATM is not set

#
#
#
# CONFIG_IPX is not set
# CONFIG_ATALK is not set
# CONFIG_DECNET is not set
# CONFIG_BRIDGE is not set
# CONFIG_X25 is not set
# CONFIG_LAPB is not set
# CONFIG_LLC is not set
# CONFIG_NET_DIVERT is not set
# CONFIG_ECONET is not set
# CONFIG_WAN_ROUTER is not set
# CONFIG_NET_FASTROUTE is not set
# CONFIG_NET_HW_FLOWCONTROL is not set

#
# QoS and/or fair queueing
#
# CONFIG_NET_SCHED is not set

#
# Telephony Support
#
# CONFIG_PHONE is not set
# CONFIG_PHONE_IXJ is not set
# CONFIG_PHONE_IXJ_PCMCIA is not set

#
# ATA/IDE/MFM/RLL support
#
CONFIG_IDE=y

#
# IDE, ATA and ATAPI Block devices
#
CONFIG_BLK_DEV_IDE=y

#
# Please see Documentation/ide.txt for help/info on IDE drives
#
# CONFIG_BLK_DEV_HD_IDE is not set
# CONFIG_BLK_DEV_HD is not set
CONFIG_BLK_DEV_IDEDISK=y
CONFIG_IDEDISK_MULTI_MODE=y
CONFIG_IDEDISK_STROKE=y
# CONFIG_BLK_DEV_IDEDISK_VENDOR is not set
# CONFIG_BLK_DEV_IDEDISK_FUJITSU is not set
# CONFIG_BLK_DEV_IDEDISK_IBM is not set
# CONFIG_BLK_DEV_IDEDISK_MAXTOR is not set
# CONFIG_BLK_DEV_IDEDISK_QUANTUM is not set
# CONFIG_BLK_DEV_IDEDISK_SEAGATE is not set
# CONFIG_BLK_DEV_IDEDISK_WD is not set
# CONFIG_BLK_DEV_COMMERIAL is not set
# CONFIG_BLK_DEV_TIVO is not set
# CONFIG_BLK_DEV_IDECS is not set
CONFIG_BLK_DEV_IDECD=y
# CONFIG_BLK_DEV_IDETAPE is not set
# CONFIG_BLK_DEV_IDEFLOPPY is not set
# CONFIG_BLK_DEV_IDESCSI is not set
# CONFIG_IDE_TASK_IOCTL is not set
# CONFIG_PKT_TASK_IOCTL is not set
# CONFIG_IDE_TASK_IOCTL_DEBUG is not set
# CONFIG_IDE_TASKFILE_IO is not set
# CONFIG_BLK_DEV_SERVICE is not set

#
# IDE chipset support/bugfixes
#
# CONFIG_BLK_DEV_CMD640 is not set
# CONFIG_BLK_DEV_CMD640_ENHANCED is not set
# CONFIG_BLK_DEV_ISAPNP is not set
# CONFIG_BLK_DEV_RZ1000 is not set
CONFIG_BLK_DEV_IDEPCI=y
CONFIG_IDEPCI_SHARE_IRQ=y
CONFIG_BLK_DEV_IDEDMA_PCI=y
CONFIG_BLK_DEV_ADMA=y
# CONFIG_BLK_DEV_OFFBOARD is not set
CONFIG_IDEDMA_PCI_AUTO=y
# CONFIG_IDEDMA_ONLYDISK is not set
CONFIG_BLK_DEV_IDEDMA=y
# CONFIG_IDEDMA_PCI_WIP is not set
# CONFIG_IDEDMA_NEW_DRIVE_LISTINGS is not set
# CONFIG_BLK_DEV_AEC62XX is not set
# CONFIG_AEC62XX_TUNING is not set
# CONFIG_BLK_DEV_ALI15X3 is not set
# CONFIG_WDC_ALI15X3 is not set
# CONFIG_BLK_DEV_AMD74XX is not set
# CONFIG_AMD74XX_OVERRIDE is not set
# CONFIG_BLK_DEV_CMD64X is not set
# CONFIG_BLK_DEV_CY82C693 is not set
# CONFIG_BLK_DEV_CS5530 is not set
# CONFIG_BLK_DEV_HPT34X is not set
# CONFIG_HPT34X_AUTODMA is not set
# CONFIG_BLK_DEV_HPT366 is not set
CONFIG_BLK_DEV_PIIX=y
CONFIG_PIIX_TUNING=y
# CONFIG_BLK_DEV_NS87415 is not set
# CONFIG_BLK_DEV_OPTI621 is not set
# CONFIG_BLK_DEV_PDC202XX is not set
# CONFIG_PDC202XX_BURST is not set
# CONFIG_PDC202XX_FORCE is not set
# CONFIG_BLK_DEV_SVWKS is not set
# CONFIG_BLK_DEV_SIS5513 is not set
# CONFIG_BLK_DEV_SLC90E66 is not set
# CONFIG_BLK_DEV_TRM290 is not set
# CONFIG_BLK_DEV_VIA82CXXX is not set
# CONFIG_IDE_CHIPSETS is not set
CONFIG_IDEDMA_AUTO=y
# CONFIG_IDEDMA_IVB is not set
# CONFIG_DMA_NONPCI is not set
CONFIG_BLK_DEV_IDE_MODES=y
# CONFIG_BLK_DEV_ATARAID is not set
# CONFIG_BLK_DEV_ATARAID_PDC is not set
# CONFIG_BLK_DEV_ATARAID_HPT is not set

#
# SCSI support
#
# CONFIG_SCSI is not set

#
# Fusion MPT device support
#
# CONFIG_FUSION is not set
# CONFIG_FUSION_BOOT is not set
# CONFIG_FUSION_ISENSE is not set
# CONFIG_FUSION_CTL is not set
# CONFIG_FUSION_LAN is not set

#
# IEEE 1394 (FireWire) support (EXPERIMENTAL)
#
# CONFIG_IEEE1394 is not se
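The two places in this appendix that decide what the network can reach are the xinetd service files (A.28, A.29) and the share definitions in smb.conf (A.19), and both have a detail that is easy to misread: a commented-out "disable = yes" leaves a service switched on, and a "security = share" line inside a share section is silently ignored. The following is an added example of how I would check those files mechanically; it is my own code, not part of the HOWTO. The sample texts are constructed from the appendix entries (trimmed to the lines the checks look at); the list of cleartext services, the set of global-only Samba parameters and the wording of the findings are my assumptions, not anything the page states.

```python
"""Exposure check for the appendix configs: xinetd.d service files and smb.conf.
Added example, not code from the HOWTO; the sample texts are constructed from
the appendix entries (trimmed), the cleartext list and messages are my own."""
import re

CLEARTEXT = {"telnet", "ftp", "pop3", "rsh", "rlogin"}  # password on the wire
SMB_SYNONYMS = {"public": "guest ok", "writable": "writeable", "create mode": "create mask"}
# Honoured only in [global]; Samba ignores them inside a share section.
SMB_GLOBAL_ONLY = {"security", "workgroup", "encrypt passwords"}


def parse_xinetd(text):
    """{service: {attr: value}} for one /etc/xinetd.d file (handles = and +=)."""
    services, attrs = {}, None
    for raw in text.splitlines():
        # After '#' is comment: a commented-out 'disable = yes' leaves the service on.
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"service\s+(\S+)$", line)
        if m:
            attrs = services[m.group(1)] = {}
            continue
        m = re.match(r"(\w+)\s*(\+?=)\s*(.*)$", line)
        if not m or attrs is None:
            continue
        key, op, val = m.groups()
        if op == "+=":
            attrs[key] = (attrs.get(key, "") + " " + val).strip()
        else:
            attrs[key] = val.strip()
    return services


def audit_xinetd(files):
    """files: {path: text}.  One finding per service that is not disabled."""
    out = []
    for path, text in files.items():
        for name, a in parse_xinetd(text).items():
            if a.get("disable", "no").lower() == "yes":
                continue
            notes = ["enabled"]
            if name in CLEARTEXT:
                notes.append("cleartext credentials")
            if a.get("user") == "root":
                notes.append("runs as root")
            out.append(f"{name} ({path}): " + ", ".join(notes))
    return out


def parse_smb_conf(text):
    """{section: {param: value}}; keys lower-cased and synonyms folded."""
    sections, cur = {}, None
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            cur = sections[line[1:-1].strip().lower()] = {}
        elif cur is not None and "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            key = " ".join(key.lower().split())
            cur[SMB_SYNONYMS.get(key, key)] = val
    return sections


def _yes(val):
    return val.strip().lower() in ("yes", "true", "1")


def share_writable(p):
    """Samba's default is read only = yes; 'writeable' is its inverse."""
    if "writeable" in p:
        return _yes(p["writeable"])
    return not _yes(p.get("read only", "yes"))


def audit_smb(text):
    out = []
    for name, p in parse_smb_conf(text).items():
        if name == "global":
            continue
        for key in sorted(k for k in p if k in SMB_GLOBAL_ONLY):
            out.append(f"[{name}]: '{key}' is global-only and ignored here")
        # A print share is "writable" only into the spool directory; skip it.
        if (_yes(p.get("guest ok", "no")) and share_writable(p)
                and not _yes(p.get("printable", "no"))):
            out.append(f"[{name}]: guest-writable share on {p.get('path', '?')}")
    return out


# Constructed samples, trimmed from the appendix entries A.28 and A.19.
SAMPLE_XINETD = {"/etc/xinetd.d/telnet": """service telnet
{
	user		= root
	log_on_failure	+= USERID
#	disable		= yes
}"""}
SAMPLE_SMB = """[global]
	security = user
[printers]
	security = share
	public = Yes
	printable = Yes
	writeable = No
[public]
	path = /usr/local/public
	writeable = yes
	public = yes"""
```

Run audit_xinetd(SAMPLE_XINETD) and audit_smb(SAMPLE_SMB) to see the findings for harold's files; pointing them at the real /etc/xinetd.d/* and /etc/samba/smb.conf is a matter of reading the files into the same shapes. Both parsers are deliberately literal about comments, because that is where the two surprises above come from.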