TCP/IP Network Administration

TCP/IP Network AdministrationSearch this book
Previous: 8.5 Summary Chapter 9Next: 9.2 Line Printer Daemon
 

9. Configuring Network Servers

Contents:
The Network File System
Line Printer Daemon
Network Information Service
A BOOTP Server
DHCP
Managing Distributed Servers
Mail Servers
Summary

Now our attention turns to configuring network servers. As with name service, these servers are not strictly required for the network to operate, but they provide services that are central to the network's purpose.

There are many network services - many more than can be covered in this chapter. We concentrate on servers that provide "computer-to-computer" services. [1] The services covered in this chapter are:

[1] Notably absent is sendmail. It requires so much discussion, it has its own chapter (Chapter 10, sendmail )!

We begin with NFS, which is the server that provides file sharing on UNIX networks.

9.1 The Network File System

The Network File System (NFS) allows directories and files to be shared across a network. It was originally developed by Sun Microsystems, but is now supported by virtually all UNIX implementations and many non-UNIX operating systems. Through NFS, users and programs can access files located on remote systems as if they were local files. In a perfect NFS environment, the user neither knows nor cares where files are actually stored.

NFS has several benefits:

There are two sides to NFS - a client side and a server side. The client is the system that uses the remote directories as if they were part of its local filesystem. The server is the system that makes the directories available for use. Attaching a remote directory to the local filesystem (a client function) is called mounting a directory. Offering a directory for remote access (a server function) is called sharing a directory. [2] Frequently, a system runs both the client and the server NFS software. In this section we'll look at how to configure a system to share and mount directories using NFS.

[2] An older term for this function is exporting. Many systems still refer to file sharing as exporting.

If you're responsible for an NFS server for a large site, you should take care in planning and implementing the NFS environment. The discussion in this chapter tells how NFS is configured to run on a client and a server, but you may want more details to design an optimal NFS environment. For a comprehensive treatment, see Managing NFS and NIS, by Hal Stern (O'Reilly & Associates).

9.1.1 NFS Daemons

The Network File System is run by several daemons, some performing client functions and some performing server functions. Before we discuss the NFS configuration, let's look at the function of the daemons that run NFS:

nfsd [nservers]

The NFS daemon, nfsd, runs on NFS servers. This daemon services the client's NFS requests. The nservers option is available on Solaris systems. It specifies how many daemons should be started.

mountd

The NFS mount daemon, mountd, processes the clients' mount requests. NFS servers run the mount daemon.

lockd

The lock daemon, lockd, handles file lock requests. Both clients and servers run the lock daemon. Clients request file locks, and servers grant them.

statd

The network status monitor daemon, statd, is required by lockd to provide monitoring services. In particular, it allows locks to be reset properly after a crash. Both clients and servers run statd.

The daemons necessary to run NFS are started from boot scripts. On a Solaris system, two scripts located in the /etc/init.d directory, nfs.client and nfs.server, handle this job. The nfs.client script starts the statd and lockd programs. [3] NFS server systems run those two daemons, plus the NFS server daemon, nfsd, and the mount server daemon, mountd. On Solaris systems, the nfs.server script starts mountd and 16 copies of nfsd.

[3] On your system, the prefix "rpc." may be used on the daemon names. For example, the Slackware Linux system uses the filename rpc.nfsd for the NFS daemon. Check your system's documentation.

Each system has its own technique for starting these daemons. If some of the daemons aren't starting, make sure your startup scripts are correct.

9.1.2 Sharing Filesystems

The first step in configuring a server is deciding which filesystems will be shared, and what restrictions will be placed on them. Only filesystems that provide a benefit to the client should be shared. Before you share a filesystem, think about what purpose it will serve. Some common reasons for sharing filesystems are:

  • To provide disk space to diskless clients

  • To prevent unnecessary duplication of the same data on multiple systems

  • To provide centrally supported programs and data

  • To share data among users in a group

Once you've selected the filesystems you'll share, you must configuring them for sharing using the appropriate commands for your system. In the following sections we emphasize the way this is done on Solaris systems. It is very different on Linux systems. Check your system's documentation to find out exactly how it implements NFS file sharing.

9.1.2.1 The share command

On Solaris systems, directories are shared using the share command.

A simplified syntax for the share command is:

share -F nfs [-o options] pathname

where pathname is the path of the directory the server is offering to share with its clients, and options are the access controls for that directory. The commonly used options are:

rw

The rw option grants read and write access to the shared filesystem. It can be specified in the form rw=host:host... to identify the individual hosts that are granted this access. When used in this way, only the hosts identified in the list are given access to the filesystem. If the colon-separated list of hostnames is not provided with the rw option, all hosts are given read/write access to the filesystem. In fact, if no options are specified at all, the share command defaults to giving all clients read/write access. This default is acceptable if your systems are on an isolated network, but if they are on a connected network, this could open up a security hole. It is the best practice to restrict access to those hosts that you really trust.

ro

This option limits access to read-only. It also can be specified with a colon-separated host list, e.g., ro=host:host.... When the host list is included, only the hosts on the list have access and that access is limited to read-only.

root=host

This option allows the root user on the specified host to have root access to the shared filesystem. Normally, the root user on a remote system is mapped to the userid nobody and given only normal user privileges. Granting root access is a big security risk.

The rw and ro options can be combined to grant different levels of access to different clients. For example:

share -F nfs -o rw=almond:pecan ro  /usr/man
share -F nfs -o rw=peanut:almond:pecan:walnut  /export/home/research

The first share command grants read and write access to almond and peanut and read-only access to all other clients. On the other hand, the second share command grants read/write access to peanut, almond, pecan, and walnut, and no access of any kind to any other client.

The share command does not survive a boot. Put the share commands in the /etc/dfs/dfstab file to make sure that the filesystems continue to be offered to your clients even if the system reboots. Here is a sample dfstab file containing our two share commands:

% cat /etc/dfs/dfstab
#   place share(1M) commands here for automatic execution
#   on entering init state 3.
#
#   share [-F fstype] [ -o options] [-d "<text>"] <pathname> [resource]
#   .e.g,
#   share  -F nfs  -o rw=engineering  -d "home dirs"  /export/home2
share -F nfs -o rw=almond:pecan ro  /usr/man
share -F nfs -o rw=peanut:almond:pecan:walnut  /export/home/research

The share command, the dfstab file, and even the terminology "share" are Solaris-specific. Most UNIX systems say that they are exporting files, instead of sharing files, when they are offering files to NFS clients. Furthermore, they do not use the share command or the dfstab file; instead, they offer filesystems through the /etc/exports file. Linux is an example of such a system.

9.1.2.2 The /etc/exports file

The /etc/exports file is the NFS server configuration file for Linux systems. It controls which files and directories are shared (exported), which hosts can access them, and what kinds of access are allowed. A sample /etc/exports file might contain these entries:

/usr/man        almond(rw) pecan(rw)  (ro)
/usr/local      (ro)
/home/research  peanut(rw) almond(rw) pecan(rw) walnut(rw)

This sample file says that:

  • /usr/man can be mounted by any client, but it can be written to only by almond and pecan. Other clients have read-only access.

  • /usr/local can be mounted by any client, with read-only access.

  • /home/research can be mounted only by the hosts peanut, almond, pecan, and walnut. These four hosts have read-write access.

The options used in each of the entries in the /etc/exports file determine what kinds of access are allowed. The information derived from the sample file is based on the options specified on each line in the file. The general format of the entries is as follows:

directory [host(option)]...

directory names the directory or file that is available for export. The host is the name of the client granted access to the exported directory while the option specifies the type of access being granted. The options used in the sample file are:

ro

Read-only prevents NFS clients from writing to this directory. Attempts by clients to write to a read-only directory fail with the message: "Read-only filesystem" or "Permission denied." If ro is specified without a client hostname, all clients are granted read-only access.

rw

Read-write permits clients to read and write to this directory. When specified without hostname, as simply (rw), all clients are granted read-write access. If a hostname is specified, only the named host is given read-write permission.

9.1.3 Mounting Remote Filesystems

You need some basic information before you can decide which NFS directories to mount on your system. You need to know which servers are connected to your network, and which directories are available from those servers. A directory cannot be mounted unless it is first exported by a server.

Your network administrator is a good source for this information. The administrator can tell you what systems are providing NFS service, what directories they are exporting, and what these directories contain. If you are the administrator of an NFS server, you should develop this type of information for your users. See Chapter 4, Getting Started .

On Solaris systems you can also obtain information about the shared directories directly from the servers by using the showmount command. The NFS servers are usually the same centrally supported systems that provide other services such as mail and domain name service. Select a likely server and query it with the command showmount -e hostname. In response to this command, the server lists the directories that it exports and the conditions applied to their export.

For example, a showmount -e query to filbert produces the following output:

% showmount -e filbert
export list for filbert:
/usr/man           (everyone)
/home/research     peanut,almond,walnut,pecan
/usr/local         (everyone)

The export list shows the NFS directories exported by filbert, as well as who is allowed to access those directories. From this list, peanut's administrator may decide to mount any of the directories offered by filbert. Our imaginary administrator decides to:

  1. Mount /usr/man from filbert instead of maintaining the man pages locally.

  2. Mount /home/research to more easily share files with other systems in the research group.

  3. Mount the centrally maintained programs in /usr/local.

These selections represent some of the most common motivations for mounting NFS directories. These are to:

  • Save disk space

  • Share files with other systems

  • Maintain common files centrally

The amount to which you use NFS is a personal choice. Some people prefer the greater personal control you get from keeping files locally, while others prefer the convenience offered by NFS. Your site may have guidelines for how NFS should be used, which directories should be mounted, and which files should be centrally maintained. Check with your network administrator if you're unsure about how NFS is used at your site.

9.1.3.1 The mount command

A client must mount a shared directory before using it. "Mounting" the directory attaches it to the client's filesystem hierarchy. Only directories offered by the servers can be mounted, but any part of the offered directory, such as a subdirectory or a file, can be mounted.

NFS directories are mounted using the mount command. The general structure of the mount command is:

mount hostname:remote-directory local-directory

The hostname identifies an NFS server, and the remote-directory identifies all or part of a directory offered by that server. The mount command attaches that remote directory to the client's filesystem using the directory name provided for local-directory. The client's local directory, called the mount point, must be created before mount is executed. Once the mount is completed, files located in the remote directory can be accessed through the local directory exactly as if they were local files.

For example, assume that filbert.nuts.com is an NFS server and that it shares the files shown in the section above. Further assume that the administrator of peanut wants to access the /home/research directory. The administrator simply creates a local /home/research directory, and mounts the remote /home/research directory offered by filbert on this newly created mount point.

# mkdir /home/research
# mount filbert:/home/research /home/research

Once a remote directory is mounted, it stays attached to the local file system until it is explicitly dismounted or the local system reboots. To dismount a directory, use the umount command. On the umount command line, specify either the local or remote name of the directory that is to be dismounted. For example, the administrator of peanut can dismount the remote filbert:/home/research filesystem from the local /home/research mount point, with either:

# umount /home/research

or:

# umount filbert:/home/research

Booting also dismounts NFS directories. Because systems frequently wish to mount the same filesystems every time they boot, UNIX provides a system for automatically remounting after a boot.

9.1.3.2 The vfstab and fstab files

UNIX systems use the information provided in a special table to remount all types of filesystems, including NFS directories, after a system reboot. The table is a critical part of providing users consistent access to software and files, so care should be taken whenever it is modified. Two different files with two different formats are used for this purpose by the different flavors of UNIX. Linux and BSD systems use the /etc/fstab file and Solaris, our System V example, uses the /etc/vfstab file.

The format of the NFS entries in the Solaris vfstab file is:

filesystem  - mountpoint  nfs  -  yes  options

The various fields in the entry must appear in the order shown above and they must be separated by whitespace. The items in bold (both dashes and the words nfs and yes) are keywords that must appear exactly as shown above. filesystem is the name of the directory offered by the server. mountpoint is the pathname of the local mount point, and options are the mount options discussed below. A sample NFS vfstab entry is:

filbert:/home/research  -  /home/research  nfs  -  yes  rw,soft

This entry mounts the NFS filesystem filbert:/home/research on the local mount point /home/research. The filesystem is mounted with the rw and soft options set. The mount options available on Solaris systems are:

rw

If permitted, mount the filesystem read/write. If the filesystem is restricted by the server to read-only, a warning is issued and the filesystem is mounted read-only.

ro

Mount the filesystem read-only.

remount

If the filesystem is already mounted read-only, remount the filesystem as read/write.

soft

If the server fails to respond, return an error and don't retry the request.

hard

If the server fails to respond, retry until it does respond. This is the default.

bg

Do the retries in background mode.

fg

Do the retries in foreground mode.

intr

Allow a keyboard interrupt to kill a process that is hung waiting for the server to respond. Hard-mounted filesystems can become hung because the client retries forever, even if the server is down. This is a default.

nointr

Don't allow keyboard interrupts. In general, this is a bad idea.

nosuid

Do not allow an executable stored on the mounted filesystem to run setuid. This improves security but may limit utility.

On the Solaris system, the NFS filesystems defined in the vfstab file are mounted by a mountall command located in a startup file. On the Linux system, the startup file contains a mount command with the -a flag set, which causes Linux to mount all filesystems listed in fstab. The format of NFS entries in the /etc/fstab file is:

filesystem  mountpoint  nfs  options

The fields must appear in the order shown and must be separated by whitespace. The keyword nfs is required for NFS filesystems. filesystem is the name of the directory being mounted. mountpoint is the pathname of the local mount point. options are any of the Linux mount options listed in Table 9.1

Table 9.1: Linux Mount Options
OptionPurpose
asyncUse asynchronous file I/O.
autoMount when -a option is used.
devAllow character and block special devices on the filesystem.
execPermit execution of files from the filesystem.
noautoDon't mount with the -a option.
nodevDon't allow character and block special devices on the filesystem.
noexecDon't allow execution of files from the filesystem.
nosuidDon't allow programs stored on the filesystem to run setuid or setgid.
nouserOnly root can mount the filesystem.
remountRemount a mounted filesystem with new options.
roMount the filesystem read-only.
rwMount the filesystem read-write.
suidAllow programs to run setuid or setgid.
syncUse synchronous filesystem I/O.
userPermit ordinary users to mount the filesystem.
softAllow the access to time out if the server doesn't respond.
timeo=timeThe length of time before an access times out. Must be used with soft.

A grep of fstab shows sample NFS entries. [4]

[4] grep is used because the fstab file contains other information not related to NFS.

% grep nfs /etc/fstab
filbert:/usr/spool/mail   /usr/spool/mail   nfs rw     0 0
filbert:/usr/man          /usr/man          nfs rw     0 0
filbert:/home/research    /home/research    nfs rw     0 0

The grep shows that there are three NFS filesystems contained in the /etc/fstab file. The mount -a command in the boot script remounts these three directories every time the system boots.

The vfstab and fstab files are the most common methods used for mounting filesystems at boot time. There is another technique that automatically mounts NFS filesystems, but only when they are actually needed. It is called automounter.

9.1.4 NFS Automounter

Automounter is a feature available in some NFS implementations. The best example of automounter is the implementation that comes with Solaris, which is the implementation we use in this section.

The automounter configuration files are called maps. Three basic map types are used to define the automounter filesystem (autofs).

These map types are:

Master map

The configuration file read by automount. It lists all of the other maps that are used to define the autofs filesystem.

Direct map

A configuration file that lists the mount points, pathnames, and options of filesystems that are to be mounted by the automounter daemon (automountd).

Indirect map

A configuration file that contains pathnames and "relative" mount points. The mount points are relative to a directory path declared in the master map. How indirect maps are used will become clear in the examples.

On Solaris systems the automounter daemon (automountd) and the automount command are started by the /etc/init.d/autofs script. The script is run with the start option to start automounter, i.e., autofs start. It is run with the stop option to shut down automounter. automount and automountd are two distinct, separate programs. automountd runs as a daemon and dynamically mounts filesystems when they are needed. automount processes the auto_master file to determine the filesystems that can be dynamically mounted.

To use automounter, first configure the /etc/auto_master file. Entries in the auto_master file have this format:

mount-point     map-name        options

The Solaris system comes with a default auto_master file preconfigured. Customize the file for your configuration. Comment out the +auto_master entry. It is only used if you run NIS+ and your servers offer a centrally maintained auto_master map. Also ignore the /xfn entry. It does not apply to systems that use DNS. Add an entry for your direct map. In the example it is called auto_direct. Here is /etc/auto_master after our modifications:

# Master map for automounter
#
#+auto_master
#/xfn           -xfn
/net            -hosts          -nosuid
/home           auto_home
/-              auto_direct

All lines that begin with a sharp sign (#) are comments, including the +auto_master and /xfn lines we commented out. The first real entry in the file specifies that the shared filesystems offered by every NFS server listed in the /etc/hosts file are automatically mounted under the /net directory. A sub-directory is created for each server under /net using the server's hostname. For example: assume that filbert is listed in the hosts file and that it exports the /usr/local directory. This auto_master entry automatically makes that remote directory available on the local host as /net/filbert/usr/local.

The second entry automatically mounts the home directories listed in the /etc/auto_home map under the /home directory. A default /etc/auto_home file is provided with the Solaris system. Comment out the +auto_home entry found in the default file. It is used only if you run NIS+ and your servers offer a centrally maintained auto_home map. Add entries for individual user home directories or for all home directories from specific servers. Here is a modified auto_home map:

# Home directory map for automounter
#
#+auto_home
craig           almond:/export/home/craig
*               pecan:/export/home/&

The first entry mounts the /export/home/craig filesystem shared by almond on the local mount point /home/craig. The auto_home map is an indirect map, so the mount point specified in the map (craig) is relative to the /home mount point defined in the auto_master map. The second entry mounts every home directory found in the /export/home filesystem offered by pecan to a "like-named" mount point on the local host. For example: assume that pecan has two home directories, /export/home/daniel and /export/home/kristin. Automounter makes them both available on the local host as /home/daniel and /home/kristin. The asterisk (*) and the ampersand (&) are wildcard characters used specifically for this purpose in autofs maps.

That's it for the auto_home map. Refer back to the auto_master map. The third and final entry in the /etc/auto_master file is:

/-              auto_direct

We added this entry for our direct map. The special mount point /- means that the map name refers to a direct map. Therefore the real mount points are found in the direct map file. We named our direct map file /etc/auto_direct. There is no default direct map file. You must create it from scratch. The file we created is:

# Direct map for automounter
#
/home/research  -rw       filbert:/home/research
/usr/man        -ro,soft  pecan,almond,filbert:/usr/share/man

The format of entries in a direct map file is:

mount-point     options   remote filesystem

Our sample file contains two typical entries. The first entry mounts the remote filesystem /home/research offered by the server filbert on the local mount point /home/research. It is mounted read-write. The second entry mounts the man pages read-only with a "soft" timeout. [5] Note that three servers are specified for the man pages in a comma-separated list. If a server is unavailable or fails to respond within the soft timeout period, the client asks the next server in the list. This is one of the nice features of automounter.

[5] See the description of NFS mount options earlier in this chapter.

Automounter has four key features: the -hosts map, wildcarding, automounting, and multiple servers. The -hosts map makes every exported filesystem from every server listed in the /etc/hosts file available to the local user. The wildcard characters make it very easy to mount every directory from a remote server to a like-named directory on the local system. Automounting goes hand-in-glove with these two features because only the filesystems that are actually used are mounted. While -hosts and wildcards make a very large number of filesystems available to the local host, automounting limits the filesystems that are actually mounted to those that are needed. The last feature, multiple servers, improves the reliability of NFS by removing the dependence on a single server.

9.1.5 NFS Authentication Server

The PC NFS Authentication and Print Server (pcnfsd) is needed to support non-UNIX clients on an NFS network. The print services of this daemon are covered in the next section. The authentication services are the services needed by NFS.

The reason NFS needs an authentication server for some clients springs from the difference between trusted host security and password authenticated security. Trusted host security is discussed in Chapter 12, Network Security . Essentially, it works this way: we trust that a remote host has already authenticated its users, and we grant those users equivalent access to our local host. This is more or less how NFS treats its clients. The Solaris share command grants NFS access to hosts. A user is allowed to access files through NFS using standard UNIX user, group, and world file permissions based on the userid (UID) and groupid (GID) provided by the trusted host. Remember, unless a share command option is used to restrict access, all hosts are trusted to access the shared filesystem.

The trusted host model does not work for non-UNIX clients for a couple of reasons. First, some systems do not perform local user authentication; for example, anyone who sits at the keyboard of a DOS PC has complete access to the system. Second, some systems do not employ user or group IDs and do not have any values that can be mapped to the UNIX user or group file permissions. At best, an unauthenticated user can be granted world permissions. [6] We need a server that authenticates usernames and passwords and assigns UIDs and GIDs to the authenticated users. That's what the PC NFS authentication server does.

[6] Users who have not been authenticated are assigned the user ID nobody and given world permissions.

The authentication server can run on any system on the network. It is not necessary to run it on the NFS server, but that is the most common configuration. The PC NFS authentication server is not included in the software of all UNIX systems. It is included with our Linux system but not with our Solaris system. If it doesn't come with your UNIX system, don't worry; the source code for pcnfsd is available from many anonymous FTP servers on the Internet. Download the source code. Compile the software with make. [7] If pcnfsd compiles without errors, copy the daemon into a system directory such as /usr/etc. Then add code to start pcnfsd from a boot script. On a Slackware Linux system, simply uncomment the lines in the /etc/rc.d/rc.inet2 file that start rpc.nfsd.

[7] See Networking Personal Computers with TCP/IP by Craig Hunt (O'Reilly & Associates) for a full example of downloading, compiling, and installing pcnfsd.

Normally starting a daemon from inetd is an alternative to starting it from a boot script. However, Sun cautions against starting pcnfsd from inetd because the slow startup of this daemon can cause time-out errors.

Once the pcnfsd daemon is installed and running, the server authenticates usernames and passwords for its clients. Here's how. When the user asks to mount a remote filesystem, the client software prompts him for a username and password. It sends them to the authentication server. The server validates them against its /etc/passwd file. A user that can successfully login to the server is consider to be a valid NFS user. The server sends the client the UID and GID that are assigned to the user in the passwd file. The client uses them for NFS access.

The authentication server must have an entry in the /etc/passwd file for every user who needs NFS access. It is common for a large UNIX server, such as the mail server that has an account for every mail user, to be used as the authentication server.

9.1.5.1 NFS print services

NFS-based print services are easy to understand and simple to configure. The NFS server exports a printer spool directory to its clients, and the clients copy print files into that directory. pcnfsd sends files deposited in the directory to printers accessible to the server. Any printer defined by the server can be used.

To add NFS print service to an NFS server, first install pcnfsd. Next, make a print spool directory on the server for the print clients. Add the spool directory to the shared filesystems in the /etc/dfs/dfstab file or /etc/exports file, as appropriate for your system.

Finally tell pcnfsd what directory to use for spooling print jobs. Use the spool command in the /etc/pcnfsd.conf configuration file to define the directory name on most systems. On others, for example our Linux system, define the directory on the pcnfsd command line. See the pcnfsd manpage for details.

Finished! Running pcnfsd and exporting the printer spool directory are all that is required to configure an NFS print server, assuming that the printers are already properly configured. Check the printers by logging directly into the print server and issuing an lpr command for each printer you wish to test. See the following section on lpr and lpd if a printer is not properly configured.


Previous: 8.5 Summary TCP/IP Network AdministrationNext: 9.2 Line Printer Daemon
8.5 Summary Book Index9.2 Line Printer Daemon