solaris8 II - Day 4

Goals

  • learn about NIS master-slave communications
  • set all boxes to look at the utaced NIS server
  • get an overview of NFS
  • work with NFS

POST

This exercise will be done on your NIS box.
  1. To which NIS server is your box bound? Does it ever seem to change, or does your client seem to like that server?
  2. Change the password on your NIS account.
  3. How do you know this didn't change the password on your local box?
  4. What is the home directory for that user?
  5. NIS allows users to log in from all over. What happens if the homedir does not exist on the box the user is logging in on?
  6. What is the preferred way to change a box's setup when moving it from one network to another, or when making some other substantial networking change?
  7. What does co do?
  8. What does ci do?
  9. What does rcslog do?
  10. Install your RCS editing wrapper script into /usr/local/bin.
  11. Make a simpler name for it using a link.

master-slave communications

  • yppush (run on the master) pushes updated maps out to the slave servers (kinda)
  • ypxfr (run on a slave) pulls a map over from the master (kinda)

Domain Name Service

  • the Internet used to run on host files
  • DNS is a distributed database
  • the registrar controls the root servers and namespace
  • root servers know which DNS servers are authoritative for a given domain
  • an authoritative DNS server has the info specific to the domain
  • DNS records include the serial number, MX, A, CNAME and other records. They also include various kinds of time recommendations (TTLs and the SOA timers).
  • an authoritative server may have several slaves
  • a DNS lookup is required for every hostname-based access on the net
  • DNS lookups are usually performed by the user's ISP's DNS box
  • DNS lookups are usually cached, leading to "propagation" effects

practicum: reset boxes to normal domain

NFS introduction

  • centralization of data
  • consistency of data
  • leverage SANs, etc.
  • the homedir appears to follow the user around
  • share disk space between machines
  • do not cross-mount
  • NFS failures can cause box or app lockups
  • NFS mounts can take a while, especially at boot time
  • NFS is now TCP transport, but the initial contact can be a UDP RPC call to the portmapper to find out where the TCP port is going to be (whew!).
  • WebNFS is a little-known NFS variant that works on stable ports (useful through firewalls). Rarely used.

practicum: mounting userdirs on fileserver

  • mount options pp. 610-11 (see permissions digression below)
  • mount manually: mount -F nfs [-o options] host:filesystem mountpoint
  • mount automatically: /etc/vfstab

advanced permissions

---s--s--t 7000 setuid, setgid, sticky
---s--s--- 6000 setuid, setgid
---s-----t 5000 setuid, sticky
---s------ 4000 setuid
------s--t 3000 setgid, sticky
------s--- 2000 setgid
---------t 1000 sticky
---------- 0000 none

(ls shows a capital S or T in place of s or t when the corresponding execute bit is clear.)


find every setuid or setgid file owned by root (the parentheses are needed so the -o does not split the expression into "root and setuid" or "anyone's setgid"; -print makes the action explicit):
/usr/bin/find / -user root \( -perm -4000 -o -perm -2000 \) -print
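To check the rows of the table above and the test behind the find command without touching a filesystem, here is an added POSIX sh example (not code from the course page); it also covers the S/T case the table glosses over:

```shell
# Added example (not part of the course page): render a four-digit octal
# mode as the ls -l permission string and apply the setuid/setgid test
# behind the find command above, without touching the filesystem. Caveat
# the table glosses over: ls prints "s"/"t" only when the matching execute
# bit is also set; with it clear, ls prints "S"/"T" instead.
# triad DIGIT BIT CHAR: one rwx group; BIT is non-zero when the special
# bit (setuid, setgid or sticky) belonging to this group is set.
triad() {
    d=$1 bit=$2 ch=$3
    r=- w=- x=-
    [ $(( d & 4 )) -ne 0 ] && r=r
    [ $(( d & 2 )) -ne 0 ] && w=w
    [ $(( d & 1 )) -ne 0 ] && x=x
    if [ "$bit" -ne 0 ]; then
        if [ "$x" = x ]; then x=$ch
        else case $ch in s) x=S ;; t) x=T ;; esac
        fi
    fi
    printf '%s%s%s' "$r" "$w" "$x"
}

# mode_to_symbolic MODE: e.g. 4755 -> -rwsr-xr-x, 755 -> -rwxr-xr-x
mode_to_symbolic() {
    m=$1
    [ ${#m} -eq 3 ] && m="0$m"
    case $m in
        [0-7][0-7][0-7][0-7]) ;;
        *) echo "mode_to_symbolic: bad mode '$1'" >&2; return 1 ;;
    esac
    sp=${m%???}                      # special-bit digit (the table's column)
    u=${m#?}; u=${u%??}
    g=${m#??}; g=${g%?}
    o=${m#???}
    printf '%s%s%s%s\n' - \
        "$(triad "$u" $(( sp & 4 )) s)" \
        "$(triad "$g" $(( sp & 2 )) s)" \
        "$(triad "$o" $(( sp & 1 )) t)"
}

# setuid_or_setgid MODE: the "-perm -4000 -o -perm -2000" condition of
# the find command above, applied to a mode string (exit 0 when it holds).
setuid_or_setgid() {
    m=$1
    [ ${#m} -eq 3 ] && m="0$m"
    sp=${m%???}
    [ $(( sp & 6 )) -ne 0 ]
}

mode_to_symbolic 4755    # -rwsr-xr-x
```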
  • Access Control Lists (ACLs) (Solaris only): file ACLs are a way to achieve finer permission granularity than normal Unix ownership/permissions allow. ACLs are allowed on files and dirs, and dirs can have (and should have) a default ACL.

    • getfacl shows the current ACL
      $ getfacl examplefile
      
      # file: examplefile
      # owner: snelling
      # group: snelling
      user::rw-
      group::r--              #effective:r--
      mask:r--
      other:r--
      

      The main difference here is the presence of a mask, which caps the effective permission of any non-owner entry (the owning group and any named users or groups); the other: entry is not subject to the mask.

    • setfacl sets the ACL for a file or directory
      setfacl -s acl_settings file - set the whole ACL (cf. numeric-mode chmod)
      setfacl -m acl_settings file - modify entries in the ACL (cf. symbolic-mode chmod)
      u[ser]::perms
      g[roup]::perms
      o[ther]:perms
      m[ask]:perms
      u[ser]:uid:perms
      g[roup]:gid:perms
      d[efault]:u[ser]::perms
      d[efault]:g[roup]::perms
      d[efault]:o[ther]:perms
      d[efault]:m[ask]:perms
      d[efault]:u[ser]:uid:perms
      d[efault]:g[roup]:gid:perms
      

    copy bar's ACL onto foo:
    getfacl bar | setfacl -f - foo
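The #effective: column in the getfacl listing above is the mask applied to each masked entry; the following added POSIX sh example (not the course's own code) recomputes it from a listing in the setfacl entry syntax, using a constructed ACL rather than a real file:

```shell
# Added example (not part of the course page): compute the "#effective:"
# column getfacl shows, from an ACL listing written in the setfacl entry
# syntax above. The mask caps the owning group and every named user/group
# entry; the owner (user::) and other: entries are not masked. The
# listing below is constructed for the demo and is not a real file's ACL.
SAMPLE_ACL='# file: examplefile
# owner: snelling
# group: snelling
user::rw-
user:fred:rwx
group::rw-
group:staff:r-x
mask:r--
other:r--'

# acl_effective: reads getfacl-style lines on stdin and echoes each ACL
# entry, annotating the masked ones with their effective permissions.
acl_effective() {
    awk '
    # and_perms(p, m): per-position AND of two rwx strings
    function and_perms(p, m,    i, out) {
        out = ""
        for (i = 1; i <= 3; i++)
            out = out (substr(p, i, 1) == substr(m, i, 1) ? substr(p, i, 1) : "-")
        return out
    }
    /^#/ || /^$/ { next }                       # header comments, blanks
    { n = split($0, f, ":"); entry[++cnt] = $0 }
    f[1] == "mask" { mask = f[n] }              # remember the mask entry
    END {
        for (i = 1; i <= cnt; i++) {
            n = split(entry[i], f, ":")
            tag = f[1]; qual = f[2]; perms = f[n]
            # masked: group:: (owning group), user:NAME, group:NAME
            if (mask != "" && (tag == "group" || (tag == "user" && qual != "")))
                printf "%-24s#effective:%s\n", entry[i], and_perms(perms, mask)
            else
                print entry[i]
        }
    }'
}

printf '%s\n' "$SAMPLE_ACL" | acl_effective
```

Default (d:) entries of a directory ACL are echoed unchanged; the same mask logic would apply to them with the default: prefix stripped.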

  • RBAC: RBAC is generally implemented via the SMC (Solaris Management Console).
    1. some utilities are RBAC-aware; others will need to be run through the SMC
    2. may require the creation of roles before granting privs to users

    practicum: sharing NFS filesystems

    • share options pp. 606-07
    • share manually: share -F nfs [-o options] path
    • share automatically: /etc/dfs/dfstab. Run as a script? The latest mount supersedes preceding ones.

    Homework


    http://www.mousetrap.net/syllabus/solaris8-nfs/day4.html
    $Id: day4.orb,v 1.3 2002/11/14 18:20:06 mouse Exp $

  • © 1994-2002 jason carr.
    distributed under the terms of the GNU Free Documentation License.

    Reminders

    • Classroom temperature can be wildly variable. Dress lightly and bring layers.
    • Your username is based on the class title and the last two digits of your workstation's hostname.
    • remember to take your work with you.