Installing and Administering Internet Services HP 9000 Networking Edition 8 Manufacturing Part Number: B2355-90685 E1200 U.S.A. © Copyright 2000, Hewlett-Packard Company.
Legal Notices The information in this document is subject to change without notice. Hewlett-Packard makes no warranty of any kind with regard to this manual, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. Hewlett-Packard shall not be held liable for errors contained herein or direct, indirect, special, incidental or consequential damages in connection with the furnishing, performance, or use of this material. Warranty.
California. ©copyright 1980, 1984, 1986 Novell, Inc. ©copyright 1986-1992 Sun Microsystems, Inc. ©copyright 1985-86, 1988 Massachusetts Institute of Technology. ©copyright 1989-93 The Open Software Foundation, Inc. ©copyright 1986 Digital Equipment Corporation. ©copyright 1990 Motorola, Inc. ©copyright 1990, 1991, 1992 Cornell University ©copyright 1989-1991 The University of Maryland ©copyright 1988 Carnegie Mellon University Trademark Notices UNIX is a registered trademark of The Open Group.
Contents

1. Product Overview
   The Internet Services ............................................. 21
   Military Standards and Request for Comment Documents .............. 25

2. Installing and Configuring Internet Services
   Installing the Internet Services Software ......................... 29
   Configuring the Name Service Switch ............................... 30
     Default Configuration
   Configuring Logging for ftp ....................................... 51
     Logging ftp Sessions ............................................ 51
     Logging ftp File Transfers ...................................... 51
   Installing sendmail
     Installing sendmail on a Standalone System

3. Configuring and Administering the BIND Name Service
   Configuring a Primary Master Name Server .......................... 86
     To Create the Data Files for a Primary Master Server ............ 86
     To Set the Default Domain Name .................................. 88
     The BIND Configuration File ..................................... 88
     options Statement ............................................... 94
     Migrating /etc/named.boot to /etc/named.conf
     To Update /etc/hosts ........................................... 130
   Delegating a Subdomain ........................................... 131
   Configuring a Root Name Server ................................... 132
   Configuring BIND in SAM .......................................... 134
   The Logging System

   How sendmail Routes Messages ..................................... 172
   Default Client-Server Operation .................................. 178
   How sendmail Handles Errors ...................................... 180
   Sendmail and the LDAP Protocol ................................... 183
     Enabling Address Lookups Using LDAP ............................ 183
     Modifying the Default sendmail Configuration File
   Contacting the sendmail Daemon to Verify Connectivity ............ 209
   Setting Your Domain Name ......................................... 210
   Attempting to Start Multiple sendmail Daemons .................... 210
   Configuring and Reading the sendmail Log ......................... 211
   Printing and Reading the Mail Queue .............................. 214

5. Configuring TFTP and BOOTP Servers
   Chapter Overview
   Error Logging .................................................... 245

6. Dynamic Host Configuration Protocol (DHCP)
   Overview ......................................................... 253
     Benefits of Using DHCP ......................................... 253
   DHCP Components and Concepts ..................................... 254
     DHCP Servers
   Configuring DHCP to Deny Address Allocation to Specific Clients .. 274
   Monitoring and Troubleshooting DHCP Operations
     Troubleshooting Techniques
     DHCP Troubleshooting Tools
     Callbacks

8. Configuring gated
   Overview ......................................................... 321
     Advantages ..................................................... 321
     When to Use gated .............................................. 322
     Protocols ...................................................... 322
   Configuration Overview
   Installing Static Routes ......................................... 370
   Setting Interface States ......................................... 371
   Specifying Tracing Options ....................................... 372
   Specifying Route Preference ...................................... 374
   Importing and Exporting Routes
   Sources for Additional Information ............................... 404
     RFC documents .................................................. 404
     Other Documents ................................................ 404

10. Using rdist
   Overview ......................................................... 407
   Setting Up remsh

   System Requirements for the Secure Internet Services ............. 448
   Configuring the Secure Internet Services ......................... 449
     The KDC ........................................................ 449
     Security Clients ............................................... 449
   Migrating Version 5 Beta 4 Files to Version 5 Release 1.0

   Diagnostic Tools Summary ......................................... 468
   Diagnosing Repeater and Gateway Problems ......................... 469
   Flowchart Format ................................................. 471
   Troubleshooting the Internet Services ............................ 472
     Error Messages ................................................. 472
   Services Checklist
1 Product Overview

The HP 9000 Internet Services enable your HP 9000 computer to transfer files, log into remote hosts, execute commands remotely, and exchange mail with remote hosts on the network. The Internet Services product was previously called the ARPA Services.

A link product, such as LAN/9000 or X.25/9000, must be installed for the Internet Services to function. The link product provides the hardware and software needed for communication by an HP 9000 computer over an IEEE 802.3 or Ethernet local area network, or over an X.25 packet-switched network. NS and NFS Services also require link software and can run concurrently with the Internet Services on the same node.
The Internet Services

The HP 9000 Internet Services product combines services developed by the University of California at Berkeley (UCB), Cornell University, Merit Network, Inc., Carnegie Mellon University (CMU), Hewlett-Packard, the Massachusetts Institute of Technology (MIT), the Internet Software Consortium, and other public domain sources. The ARPA Services are the subset developed by UCB for the Advanced Research Projects Agency (ARPA): ftp and telnet.

Table 1-1 lists the Internet Services.

Table 1-1  The Internet Services

  ftp       Copies files among hosts on the network that support Internet Services. For more information, see "Installing and Configuring Internet Services" on page 27, or type man 1 ftp or man 1M ftpd.

  telnet    Allows you to log onto a remote host that supports Internet Services. For more information, see "Installing and Configuring Internet Services" on page 27, or type man 1 telnet or man 1M telnetd.

  NTP       Maintains the local clock on an HP-UX workstation in agreement with Internet-standard time servers. For more information, see "Configuring the Network Time Protocol (NTP)" on page 281, or type man 1M xntpd.

  rexec     A library routine used to execute commands on a remote UNIX host on the network. For more information, see "Installing and Configuring Internet Services" on page 27, or type man 3N rexec or man 1M rexecd.

  DDFA      Allows access from HP-UX systems and user-written applications to HP DTCs. For more information, see the DTC Device File Access Utilities manual.

  Secure Internet Services
            An optionally enabled mechanism that adds Kerberos V5 Release 1.0 authentication and authorization to the following services: ftp, rcp, remsh, rlogin, and telnet. For more information, see "Secure Internet Services" on page 425.
Military Standards and Request for Comment Documents

To obtain information about available MIL-STD specifications, contact the following:

  Department of the Navy
  Naval Publications and Forms Center
  5801 Tabor Avenue
  Philadelphia, PA 19120-5099

To obtain information about available RFCs, contact the following:

  Government Systems, Inc.
2 Installing and Configuring Internet Services

This chapter describes how to install the Internet Services and configure them for your system.

• "Installing the Internet Services Software" on page 29
• "Configuring the Internet Daemon, inetd" on page 39
• "Configuring Logging for the Internet Services" on page 42

Installing the Internet Services Software

Before you begin to install the software, make sure you have the correct operating system on your computer. The HP-UX operating system, the required link software, and the Internet Services software must all be the same version. You can check your HP-UX operating system version with the uname -r command.
Configuring the Name Service Switch

The Name Service Switch determines where your system will look for the information that is traditionally stored in the following files:

  /etc/mail/aliases
  AutoFS maps (such as /etc/auto_master and /etc/auto_home)
  /etc/group
  /etc/hosts
  /etc/netgroup
  /etc/networks
  /etc/passwd
  /etc/protocols
  /etc/publickey
  /etc/rpc
  /etc/services

For all types of information except host information, you can configur

Also, for more information about the Name Service Switch configuration files supplied in the /etc directory, see Installing and Administering NFS Services. The ability to consult more than one name service for host information is often called hostname fallback.

Default Configuration

If the /etc/nsswitch.

Switch configuration: Terminates Search

As an optional third argument to nsquery, you can supply a Name Service Switch configuration in double quotes, as in the following example:

  # /usr/contrib/bin/nsquery passwd 30 "files nis"
  Using "files nis" for the passwd policy.
Configuring Internet Addresses

This section tells you how to configure your host to find other hosts on the network, by host name or IP address.

administered centrally on one of your hosts, but it must contain the names and IP addresses of all the other hosts in your network. For information on NIS, see Installing and Administering NFS Services. If you have a small network and little need for Internet connectivity, you can use the /etc/hosts file as your primary name service.

host to your /etc/hosts file. If you have no default gateway configured, and you add a host that is not on your subnet, SAM will prompt you for the gateway. To stop the prompting, configure a default gateway.

6. If you are not using SAM, you must configure a gateway for each host that is not on your subnet. See "To Configure Routes" on page 36.

7.

  ROUTE_GATEWAY[1]="15.13.131.213"
  ROUTE_COUNT[1]="0"

3. If you will not be using gated, configure routes to all the networks you need to reach. Type the following command for each network you need to reach from your host:

  /usr/sbin/route add net network_address gateway_address

Then create a new set of routing variables in the /etc/rc.config.d/netconf file for each new route.

/etc/hosts file on the NIS master server, and issue the following commands to regenerate the hosts database and push it out to the NIS slave servers:

  cd /var/yp
  /usr/ccs/bin/make hosts

If the host is on a network that uses NIS+, use the nistbladm(1) command to change the host's IP address in the NIS+ hosts table.

4.
Configuring the Internet Daemon, inetd

The internet daemon, /usr/sbin/inetd, is the master server for many of the Internet Services. The inetd daemon listens for connection requests for the services listed in its configuration file and starts the appropriate server when it receives a request. The inetd daemon is always started as part of the boot process, by the startup script /sbin/init.d/inetd. The /etc/inetd.

  /usr/sbin/inetd -c

3. Make sure /etc/inetd.conf is owned by user root and group other, and make sure its permissions are set to 0444 (-r--r--r--). For more information, type man 4 inetd.conf or man 1M inetd.

To Edit the /var/adm/inetd.sec File

The /var/adm/inetd.sec file is a security file that inetd reads to determine which remote hosts are allowed access to the services on your host. The inetd.

Only the services configured in /etc/inetd.conf can be configured in /var/adm/inetd.sec. For more information, type man 4 inetd.sec or man 1M inetd.
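The following is an added example, not part of this manual and not HP-UX code: a small model of the accept/refuse decision inetd makes from /var/adm/inetd.sec, so you can check a policy file before relying on it. It encodes the rules as documented in inetd.sec(4): a service with no entry is open to every host, an allow entry admits only the listed hosts, a deny entry admits everyone except the listed hosts, address patterns may use * and low-high ranges in any octet, and any other token is compared with the peer's host name. The sample file and the assumption that the last line for a service wins are the example's own; confirm the latter against inetd.sec(4) on your release.

```python
"""Model of inetd's access decision from /var/adm/inetd.sec.

Added illustration, not HP-UX code. Rules modeled: no entry -> allow all;
'allow' -> only listed peers; 'deny' -> all but listed peers. Address
patterns accept '*' and low-high ranges per octet; other tokens are host
names. If a service appears more than once, the last line wins here
(assumption; check inetd.sec(4)).
"""
from typing import Dict, List, Optional, Tuple

# Constructed sample file, not taken from a real system.
SAMPLE_INETD_SEC = """\
# service   allow|deny   host/network addresses or names
login       allow        10.1.2.*  10.2.1-5.*  ops-console
ftp         deny         10.7.*.*  untrusted.example.com
telnet      allow
shell       deny
"""

Policy = Dict[str, Tuple[str, List[str]]]


def parse_inetd_sec(text: str) -> Policy:
    """Return {service: (mode, patterns)} for the file contents."""
    policy: Policy = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2 or fields[1] not in ("allow", "deny"):
            raise ValueError("malformed inetd.sec line: %r" % raw)
        policy[fields[0]] = (fields[1], fields[2:])
    return policy


def _octet_matches(pattern: str, value: int) -> bool:
    if pattern == "*":
        return True
    if "-" in pattern:
        low, high = pattern.split("-", 1)
        return int(low) <= value <= int(high)
    return int(pattern) == value


def address_matches(pattern: str, address: str) -> bool:
    """True if a dotted pattern such as 10.2.1-5.* covers the IPv4 address.
    Returns False for tokens that are not address patterns (host names).
    A pattern with fewer than four octets is padded with '*' (this
    example's convention)."""
    parts = pattern.split(".")
    if len(parts) > 4:
        return False
    for part in parts:
        if part != "*" and not part.replace("-", "", 1).isdigit():
            return False
    parts += ["*"] * (4 - len(parts))
    octets = [int(o) for o in address.split(".")]
    return all(_octet_matches(p, o) for p, o in zip(parts, octets))


def peer_matches(pattern: str, address: str, hostname: Optional[str]) -> bool:
    if address_matches(pattern, address):
        return True
    return hostname is not None and pattern.lower() == hostname.lower()


def is_allowed(policy: Policy, service: str, address: str,
               hostname: Optional[str] = None) -> bool:
    """inetd's decision for one connection. An 'allow' line with no hosts
    admits nobody; a bare 'deny' line admits everybody."""
    entry = policy.get(service)
    if entry is None:
        return True
    mode, patterns = entry
    listed = any(peer_matches(p, address, hostname) for p in patterns)
    return listed if mode == "allow" else not listed


if __name__ == "__main__":
    policy = parse_inetd_sec(SAMPLE_INETD_SEC)
    for svc, addr, name in [("login", "10.2.3.9", None),
                            ("login", "192.0.2.1", "ops-console"),
                            ("ftp", "10.7.0.1", None),
                            ("telnet", "10.1.2.3", None)]:
        verdict = "allow" if is_allowed(policy, svc, addr, name) else "deny"
        print(svc, addr, name, "->", verdict)
```

Two points worth keeping in mind when you write the real file. A host-name entry can only be matched after inetd resolves the peer's address to a name, so it is only as trustworthy as the reverse DNS for that address; address patterns do not have that dependency. And an allow line with an empty host list closes the service to every remote host, which is a useful way to disable a service you cannot remove from /etc/inetd.conf yet.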
Configuring Logging for the Internet Services

This section tells you how to complete the following tasks:

• "To Configure syslogd" on page 42
• "To Maintain System Log Files" on page 43
• "To Configure inetd Connection Logging" on page 43
• "To Configure ftpd Session Logging" on page 44

To Configure syslogd

The Internet daemons and servers log informational and error messages through syslog.

With this configuration, all mail log messages at the debug level or higher are sent to /var/adm/syslog/mail.log. Log messages from any facility at the info level or higher (except mail messages) are sent to /var/adm/syslog/syslog.log. Log messages from any facility at the alert level or higher are sent to the console and to any terminal where the superuser is logged in.

To Configure ftpd Session Logging

To configure ftpd to log messages about an ftp session, including commands, logins, login failures, and anonymous ftp activity, follow these steps:

1. Add the -L option to the ftp line in the /etc/inetd.conf file, as in the following example:

  ftp stream tcp nowait root /usr/lbin/ftpd ftpd -L

2.
Configuring ftp

Beginning with HP-UX 11.0, ftp provides support for Pluggable Authentication Modules (PAM). PAM is an Open Group standard (OSF-RFC 86.0) for user authentication, password modification, and validation of accounts. The PAM configuration file (/etc/pam.conf) has been updated to include ftp. The default authentication mechanism is UNIX, and its entry in pam.conf is as follows:

  ftp auth required /usr/lib/security/libpam_unix.
Configuring Anonymous ftp Access

Anonymous ftp allows a user without a login on your host to transfer files to and from a public directory. A user types the ftp command to connect to your host and types anonymous or ftp as a login name. The user can type any string of characters as a password. (By convention, the password is the host name of the user's host.)

2. Create the subdirectory usr/bin under the ftp home directory:

  cd /home/ftp
  mkdir usr
  cd usr
  mkdir bin

3. Copy the ls and pwd commands from /sbin to ~ftp/usr/bin, and set the permissions on the commands to 0111 (execute only):

  cp /sbin/ls /home/ftp/usr/bin
  cp /sbin/pwd /home/ftp/usr/bin
  chmod 0111 /home/ftp/usr/bin/ls
  chmod 0111 /home/ftp/usr/bin/pwd

4.

  chown root /home/ftp/etc/group
  chmod 0444 /home/ftp/etc/group

10. Set the owner of ~ftp/etc to root, and set the permissions to 0555 (not writable):

  chown root /home/ftp/etc
  chmod 0555 /home/ftp/etc

11. Create a directory called pub under ~ftp. Set its owner to user ftp and its permissions to 0777 (writable by all). Anonymous ftp users can put files in this directory to make them available to other anonymous ftp users. Because the directory is writable by anyone who can reach the ftp port, review its contents regularly; it is the only directory in the anonymous tree that should be writable at all.
Figure 2-1  Directory Structure for Anonymous ftp Account (figure not reproduced; it shows / with usr, home and etc below it, the system /etc/passwd file, and /home/ftp containing usr/bin with ls and pwd, etc with passwd and group, and the pub and dist directories)
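The steps above are easy to get subtly wrong, and a tree that is later "fixed" with a careless chmod -R is a common way to hand an anonymous user a writable ~ftp/etc or ~ftp/usr/bin. The following added example (not from this manual and not HP-UX code) builds the tree with the owners and modes the steps specify and audits an existing one against them. It goes one step beyond the steps: it also reports anything outside pub that is world-writable, because a writable ls, pwd or passwd copy lets an anonymous user replace what the server executes or presents. The passwd copy is assumed to carry the same root ownership and 0444 mode as the group file; the ls and pwd files written here are placeholders so the example runs on any system, and ownership is only checked when requested, since only a root-run build sets it.

```python
"""Build and audit the anonymous ftp home directory laid out above.

Added illustration, not HP-UX code. Expected owners and modes are the
ones in the steps above; etc/passwd is assumed to mirror etc/group.
"""
import os
import pwd
import stat
from typing import List, Optional, Tuple

# (path relative to ~ftp, "dir" or "file", mode, owner or None when the
# steps above do not state one). Files precede their directory so that
# chmod on the directory happens last.
EXPECTED: List[Tuple[str, str, int, Optional[str]]] = [
    ("usr/bin/ls",  "file", 0o111, None),
    ("usr/bin/pwd", "file", 0o111, None),
    ("etc/passwd",  "file", 0o444, "root"),   # assumption: same as group
    ("etc/group",   "file", 0o444, "root"),
    ("etc",         "dir",  0o555, "root"),
    ("pub",         "dir",  0o777, "ftp"),
]

# Constructed minimal contents; password fields are '*' so nothing in the
# anonymous tree is a usable credential.
FTP_PASSWD = "root:*:0:3::/:/sbin/sh\nftp:*:500:1:anonymous ftp:/home/ftp:/usr/bin/false\n"
FTP_GROUP = "other:*:1:\n"


def build_ftp_home(ftp_home: str) -> None:
    """Create the tree with the modes from the steps above. On HP-UX the
    ls and pwd entries are copies of /sbin/ls and /sbin/pwd; here they are
    placeholder files so the example runs anywhere."""
    for d in ("usr/bin", "etc", "pub"):
        os.makedirs(os.path.join(ftp_home, d), exist_ok=True)
    for rel, content in (("usr/bin/ls", ""), ("usr/bin/pwd", ""),
                         ("etc/passwd", FTP_PASSWD), ("etc/group", FTP_GROUP)):
        with open(os.path.join(ftp_home, rel), "w") as fh:
            fh.write(content)
    for rel, _kind, mode, _owner in EXPECTED:
        os.chmod(os.path.join(ftp_home, rel), mode)


def _owner(st: os.stat_result) -> str:
    try:
        return pwd.getpwuid(st.st_uid).pw_name
    except KeyError:
        return str(st.st_uid)


def audit_ftp_home(ftp_home: str, check_owner: bool = True) -> List[str]:
    """Return a list of findings; an empty list means the tree matches."""
    findings: List[str] = []
    for rel, kind, mode, owner in EXPECTED:
        path = os.path.join(ftp_home, rel)
        try:
            st = os.lstat(path)
        except FileNotFoundError:
            findings.append("%s: missing" % rel)
            continue
        if stat.S_ISDIR(st.st_mode) != (kind == "dir"):
            findings.append("%s: expected a %s" % (rel, kind))
            continue
        actual = stat.S_IMODE(st.st_mode)
        if actual != mode:
            findings.append("%s: mode %04o, expected %04o" % (rel, actual, mode))
        if check_owner and owner and _owner(st) != owner:
            findings.append("%s: owner %s, expected %s" % (rel, _owner(st), owner))

    # Beyond the steps above: nothing except pub may be world-writable,
    # otherwise an anonymous user could replace ls, pwd or the passwd copy.
    pub = os.path.join(ftp_home, "pub")
    for dirpath, dirnames, filenames in os.walk(ftp_home):
        if dirpath == pub:
            dirnames[:] = []          # uploads under pub are expected
            continue
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if path != pub and not stat.S_ISLNK(st.st_mode) and st.st_mode & stat.S_IWOTH:
                findings.append("%s: world-writable outside pub"
                                % os.path.relpath(path, ftp_home))
    return findings


if __name__ == "__main__":
    import sys
    for finding in audit_ftp_home(sys.argv[1] if len(sys.argv) > 1 else "/home/ftp"):
        print(finding)
```

Run it as root against /home/ftp after completing the steps; no output means the tree matches. Run it again whenever the tree is touched, since a single world-writable entry outside pub undoes the point of the whole layout.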
Configuring ftp with /etc/ftpd/ftpaccess

The /etc/ftpd/ftpaccess configuration file is the primary configuration file for defining how the ftpd daemon operates. It allows you to configure a wide variety of ftp features, such as the number of ftp login tries permitted, ftp banner displays, logging of incoming and outgoing file transfers, access permissions, use of regular expressions, and so on.

Configuring Logging for ftp

You can log both ftp session information and file transfer information, as explained in the following sections.

Logging ftp Sessions

You can specify ftp session logging using the log commands keyword in the /etc/ftpd/ftpaccess file.

  log commands    Enables or disables logging of an ftp session to syslog, including commands, logins, login failures, and anonymous ftp activity.

Configuring Logging in the /etc/ftpd/ftpaccess File

To log incoming and outgoing ftp file transfers, edit the /etc/ftpd/ftpaccess file using the log transfers keyword.

  log transfers   Enables or disables logging of file transfers for real or anonymous ftp users to /var/adm/syslog/xferlog. Logging of transfers to the server (incoming) can be enabled separately from transfers from the server (outbound).
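Once log transfers is on, the file worth reading is /var/adm/syslog/xferlog. The following added example (not from this manual and not HP-UX code) parses it and pulls out the three things an administrator reviewing anonymous ftp usually wants: files uploaded by anonymous sessions, bytes moved per account, and transfers that did not complete. It assumes the xferlog(5) record layout of the wu-ftpd family that HP's ftpd follows: five date tokens, then transfer-time, remote-host, file-size, filename, transfer-type, special-action-flag, direction, access-mode, username, service-name, authentication-method, authenticated-user-id and completion-status. The sample records are constructed, and file names containing whitespace are not handled.

```python
"""Parse /var/adm/syslog/xferlog and summarise anonymous ftp activity.

Added illustration, not HP-UX code. Assumes the wu-ftpd xferlog(5) record
layout; the sample records below are constructed.
"""
from collections import defaultdict
from typing import Dict, Iterable, List

SAMPLE_XFERLOG = """\
Thu Dec 14 10:02:11 2000 3 10.7.1.20 18744 /pub/tools.tar b _ o a guest@example.com ftp 0 * c
Thu Dec 14 10:05:42 2000 1 10.7.1.20 6120 /pub/upload.bin b _ i a guest@example.com ftp 0 * c
Thu Dec 14 10:09:03 2000 0 dev3.example.com 0 /home/alice/notes.txt a _ o r alice ftp 0 * i
Thu Dec 14 10:11:30 2000 2 10.7.1.21 2048000 /pub/big.iso b _ o a mozilla@ ftp 0 * c
"""

# Field names after the five date tokens, in xferlog(5) order.
FIELDS = ("transfer_time", "remote_host", "file_size", "filename",
          "transfer_type", "special_action", "direction", "access_mode",
          "username", "service", "auth_method", "auth_user", "status")


def parse_xferlog_line(line: str) -> Dict[str, str]:
    tokens = line.split()
    if len(tokens) != 5 + len(FIELDS):
        raise ValueError("unexpected xferlog record: %r" % line)
    record = {"time": " ".join(tokens[:5])}
    record.update(zip(FIELDS, tokens[5:]))
    return record


def parse_xferlog(text: str) -> List[Dict[str, str]]:
    return [parse_xferlog_line(l) for l in text.splitlines() if l.strip()]


def anonymous_uploads(records: Iterable[Dict[str, str]]) -> List[str]:
    """Files written to the server (direction i) by anonymous sessions
    (access mode a); these land under ~ftp/pub and deserve review."""
    return [r["filename"] for r in records
            if r["direction"] == "i" and r["access_mode"] == "a"]


def bytes_by_user(records: Iterable[Dict[str, str]]) -> Dict[str, int]:
    """Bytes transferred per login name (the string an anonymous user gave
    as a password is what appears for anonymous sessions)."""
    totals: Dict[str, int] = defaultdict(int)
    for r in records:
        totals[r["username"]] += int(r["file_size"])
    return dict(totals)


def incomplete_transfers(records: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Records whose completion-status is i (incomplete) rather than c."""
    return [r for r in records if r["status"] == "i"]


if __name__ == "__main__":
    recs = parse_xferlog(SAMPLE_XFERLOG)
    print("anonymous uploads:", anonymous_uploads(recs))
    print("bytes by user:", bytes_by_user(recs))
    print("incomplete:", [(r["username"], r["filename"]) for r in incomplete_transfers(recs)])
```

A real run replaces SAMPLE_XFERLOG with the contents of /var/adm/syslog/xferlog. The direction and access-mode fields are the ones that matter for an anonymous server: a steady stream of incoming anonymous transfers into pub from a small set of addresses is the usual sign that the directory has been found by someone using it as a drop site.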
Installing sendmail

When you install sendmail, the installation script creates and modifies files on the system that are needed for sendmail operation. The sendmail configuration file supplied with HP-UX 11.0 will work without modification for most installations. Therefore, the only steps you must do are: set up sendmail servers to run with NFS, configure and start sendmail clients, and verify that sendmail is running properly.

• Creates /etc/mail/sendmail.cf and /etc/mail/aliases files with default configurations. These files are created with root as the owner, other as the group, and permissions set to 0444.

NOTE  If an /etc/mail/sendmail.cf file already exists, the existing file is saved to /etc/mail/#sendmail. If an /etc/mail/aliases file already exists, the sendmail installation script does not create it.

• Creates the file /etc/mail/sendmail.

The sendmail installation script performs the configuration changes that are described in "Installing sendmail on a Standalone System" on page 53. To set the system up as an NFS server and allow the sendmail clients to read and write to the /var/mail directory, do the following:

1. Make sure all mail users have accounts on the mail server and that their user IDs and group IDs on the mail server are the same as on the client machines.

2. In the /etc/rc.config.d/mailservs file, use a text editor to set the SENDMAIL_SERVER_NAME variable to the host name or IP address of the mail server you will use (the machine that will run the sendmail daemon).

3. In the /etc/rc.config.d/nfsconf file, use a text editor to set the NFS_CLIENT variable to 1.

4.

Verifying Your sendmail Installation

You can verify that sendmail has been installed and is working properly by doing the things described in the following sections:

• "Mailing to a Local User" on page 57
• "Mailing to a Remote User with UUCP Addressing" on page 57 (if you are using it)
• "Mailing to a Remote User with the SMTP Transport" on page 58 (if you are using it)
  date | mailx -s "UUCP Test" node1!node2!joe

and node2 is your local host, you should receive a message similar to this:

  From node1!node2!joe Wed Aug 6 09:48 MDT 1986
  Received: by node2; Wed, 6 Aug 86 09:48:09 mdt
  Return-Path:
  Received: from node1.UUCP; Wed, 6 Aug 86 09:30:16
  Received: by node1; Wed, 6 Aug 86 09:30:16 mdt
  Received: from node2.

you should receive a message similar to the following:

  From joe@node2 Wed Aug 6 14:22 MDT 1986
  Received: from node1 by node2; Wed, 6 Aug 86 14:22:56 mdt
  Return-Path:
  Received: from node2 by node1; Wed, 6 Aug 86 14:25:04 mdt
  Received: by node2; Wed, 6 Aug 86 14:22:31 mdt
  Date: Wed, 6 Aug 86 14:22:31 mdt
  From: Joe User
  To: joe%node2@node1
  Subject: Round Robin SMTP

  Wed Aug 6 14:22:28 MDT 1986

An entry in your /var/adm/s
Troubleshooting sendmail

This section describes the following techniques for troubleshooting sendmail:

• "Keeping the Aliases Database Up to Date" on page 60
• "Verifying Address Resolution and Aliasing" on page 60
• "Verifying Message Delivery" on page 61
• "Contacting the sendmail Daemon to Verify Connectivity" on page 62
• "Setting Your Domain Name" on page 63
• "Attempting to Start Multiple sendmail Daemons" on page 63
• "Configuring

to a particular address, issue the following command:

  /usr/sbin/sendmail -bv -v -oL10 address [address...]

The -bv (verify mode) option causes sendmail to verify addresses without collecting or sending a message. The -v (verbose) option causes sendmail to report alias expansion and duplicate suppression. The -oL10 (log level) option sets the log level to 10.

sendmail responds with the following information:

  myname@cup.hp.com... Connecting to local host (local)...
  myname@cup.hp.com... Executing "/bin/rmail -d myname"
  myname@cup.hp.com... Sent

sendmail has interfaces to three types of delivery agents.

  vrfy aen
  250 Alfred E. Newman
  vrfy blemph@morb.poot
  554 blemph@morb.poot: unable to route to domain morb.poot
  quit
  221 furschlugginer.bftxp.edu SMTP server shutting down

Not all SMTP servers support the VRFY and EXPN commands. Many sites deliberately disable them (in sendmail 8, with the novrfy and noexpn PrivacyOptions), because they let anyone who can reach port 25 enumerate valid accounts and alias membership; a 252 or 502 reply to VRFY is therefore not by itself a sign of a connectivity problem.

Configuring and Reading the sendmail Log

sendmail logs its mail messages through the syslogd logging facility. The syslogd configuration should write mail logging to the file /var/adm/syslog/mail.log. You can do this by adding the following line to /etc/syslog.conf:

  mail.debug    /var/adm/syslog/mail.
Table 2-1  sendmail Logging Levels

  Level   Meaning
  5       Messages being added to the queue in routine circumstances.
  6       Unusual but benign incidents, such as trying to process a locked queue file.
  9       Internal queue ID to external message ID mappings. This can be useful for tracing a message as it travels between several hosts.
  10      The name of the mailer used, the host (if non-local), and the user name passed to the mailer.

present. This ID uniquely identifies a message and can be used to trace its progress through mail relays.

  from=   The sender of the message and the message size.
  to=     The recipient of the message. One message may have multiple recipients.
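Because the from= and to= records for one message share a queue ID but are separate syslog lines, reading mail.log by hand means joining them yourself. The following added example (not from this manual and not HP-UX code) does that join and then answers two questions an administrator asks of the log: which deliveries were deferred, and which messages came in from a non-local relay and went straight back out to a non-local domain, the signature of a host being used as an open relay. It assumes the record shape "date host sendmail[pid]: qid: key=value, key=value, ..." that sendmail 8 writes; the sample lines are constructed, and the local/non-local split is a heuristic on the relay= value and the recipient domain that you would tune to your own hosts.

```python
"""Correlate sendmail from= and to= log records by queue ID.

Added illustration, not HP-UX code. Assumes the sendmail 8 syslog line
shape; the sample lines are constructed.
"""
import re
from typing import Dict, List, Set, Tuple

SAMPLE_MAIL_LOG = """\
Feb  9 07:08:12 node2 sendmail[15841]: AA15841: from=janet, size=86, class=0, nrcpts=2, relay=janet@localhost
Feb  9 07:08:13 node2 sendmail[15841]: AA15841: to=ees@vetmed.umd.edu, delay=00:00:01, mailer=smtp, relay=med.hub.com, stat=Deferred: Connection refused by med.hub.com
Feb  9 07:08:13 node2 sendmail[15841]: AA15841: to=ebs@surv.ob.example, delay=00:00:01, mailer=smtp, relay=surv.ob.example [192.0.2.9], stat=Sent (ok)
Feb  9 07:12:40 node2 sendmail[15902]: AA15902: from=<sender@outside.example>, size=4310, class=0, nrcpts=1, relay=[203.0.113.5]
Feb  9 07:12:41 node2 sendmail[15902]: AA15902: to=<victim@elsewhere.example>, delay=00:00:01, mailer=smtp, relay=mx.elsewhere.example, stat=Sent
"""

LINE_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) sendmail\[(\d+)\]: (\w+): (.*)$")


def parse_mail_log_line(line: str) -> Tuple[str, Dict[str, str]]:
    """Return (queue id, {key: value}); raise if the line is not a record."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("not a sendmail record: %r" % line)
    fields: Dict[str, str] = {"time": m.group(1), "host": m.group(2), "pid": m.group(3)}
    for item in m.group(5).split(", "):
        key, _, value = item.partition("=")
        fields[key] = value.strip("<>")
    return m.group(4), fields


def correlate(text: str) -> Dict[str, Dict]:
    """Group records by queue ID: the from= record describes the message,
    each to= record one recipient delivery attempt."""
    messages: Dict[str, Dict] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        qid, fields = parse_mail_log_line(line)
        msg = messages.setdefault(qid, {"from": None, "recipients": []})
        if "from" in fields:
            msg["from"] = fields
        elif "to" in fields:
            msg["recipients"].append(fields)
    return messages


def deferred(messages: Dict[str, Dict]) -> List[Tuple[str, str]]:
    """(queue id, recipient) pairs whose last status was Deferred."""
    return [(qid, r["to"]) for qid, m in messages.items()
            for r in m["recipients"] if r.get("stat", "").startswith("Deferred")]


def _is_local_relay(relay: str, local_hosts: Set[str]) -> bool:
    # relay= looks like "user@localhost", "host.example [addr]" or "[addr]"
    host = relay.split("@")[-1].split(" ")[0]
    return host in local_hosts


def relayed_through(messages: Dict[str, Dict], local_hosts: Set[str],
                    local_domains: Set[str]) -> List[str]:
    """Queue IDs that arrived from a non-local relay and were delivered to
    a recipient outside the local domains: open-relay candidates."""
    flagged: List[str] = []
    for qid, m in messages.items():
        sender = m["from"]
        if sender is None or _is_local_relay(sender.get("relay", ""), local_hosts):
            continue
        for r in m["recipients"]:
            if r["to"].rpartition("@")[2] not in local_domains:
                flagged.append(qid)
                break
    return flagged


if __name__ == "__main__":
    msgs = correlate(SAMPLE_MAIL_LOG)
    print("deferred:", deferred(msgs))
    print("relayed:", relayed_through(msgs, {"localhost", "node2"}, {"node2", "example.com"}))
```

The relay check is only a first pass: real logs also carry the authenticated user and the class of the connection, and messages accepted from a local submission agent can have a relay= of the local host even when the envelope sender is foreign. Treat a hit as something to look at in the full record rather than as proof.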
  kill -1 `cat /var/run/syslog.pid`

Printing and Reading the Mail Queue

The current contents of the mail queue can be printed with the following command:

  mailq

The output looks similar to this example:

  Mail Queue (3 requests)
  --QID--  --Size--  -----Q-Time-----  ------Sender/Recipient------
  AA15841        86  Wed Feb 9 07:08   janet
                     (Deferred: Connection refused by med.hub.com)
                                       ees@vetmed.umd.edu
                                       ebs@surv.ob.

time the mail queue is processed. If mailq is run in verbose mode (with the -v option), then when it prints the queue it also shows the priority of each queued message.

The Files in the Mail Queue

The files that sendmail creates in the mail queue all have names of the form zzTAAnnnnn, where zz is the type of the queue file and TAA is an identifier used to distinguish separate queue entries that happen to have the same process ID.

Table 2-2  Lines in Queue-Control Files

  Initial Letter   Content of Line
  H                A header definition. There can be many H lines in the queue-control file. Header definitions follow the header definition syntax in the configuration file.
  P                The current message priority. This is used to order the queue. Higher numbers mean lower priorities. The priority decreases (that is, the number grows) as the message sits in the queue.

  Happarently-to: carolyn
3 Configuring and Administering the BIND Name Service

The Berkeley Internet Name Domain (BIND) is a distributed network information lookup service.

internet addresses for any node on the network. It also provides mail routing capability by supplying a list of hosts that will accept mail for other hosts.

Overview of the BIND Name Service

The Berkeley Internet Name Domain (BIND) is the Berkeley implementation of DNS (Domain Name System). It is a database, distributed across the Internet, which maps host names to internet addresses, maps internet addresses to host names, and facilitates internet mail routing. This section describes the components of BIND and how they work.

network by starting at the root server and working down. An NIS server can serve only the hosts on its local LAN. NIS clients send out broadcasts to locate and bind to NIS servers, and broadcasts do not cross network boundaries. Each NIS server must be able to answer all the host name queries from the hosts on its local LAN.
Figure 3-1  Structure of the DNS Name Space (figure not reproduced; its legend distinguishes domains from hosts, and it shows the root ".", the com and edu domains, the inc, div, purdue, nmt, cs and econ domains beneath them, and the hosts indigo, venus and arthur)

DNS Change Notification

Starting with BIND 8.1.2, DNS notification, also known as DNS notify, is supported. This allows master servers to inform slaves that new information is ready.

The DNS notify feature is enabled in the master server by default. In some environments, the master server in a zone might be an 8.1.2 server with DNS notify enabled, while the other servers in the zone are 4.x servers (without the DNS notify feature). In such environments, whenever the master changes and sends a notification to the other servers, the 4.

for the div.inc.com domain. If it does not, it returns the address of a name server for the div.inc.com domain.

9. The local name server queries the server for the div.inc.com domain to find the address of indigo.div.inc.com.

10. The server for the div.inc.com domain returns the address of indigo.div.inc.com to the local name server.

11.
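The numbered steps above describe iterative resolution: the local name server starts at the root and follows one referral per level until it reaches a server that is authoritative for the name. The following added example (not from this manual and not BIND code) walks that chain over a constructed delegation tree for indigo.div.inc.com, recording which server was asked at each hop, and keeps a simple cache so that a repeat query is answered without asking anyone. The zone contents and addresses are made up for the example; there is no network traffic.

```python
"""Walk the delegation chain from the root to an authoritative server.

Added illustration, not BIND code. ZONES is a constructed delegation
tree; each entry plays the name server for one zone.
"""
from typing import Dict, List, Optional, Set, Tuple

# Each server knows the hosts inside its own zone and which child zones
# it has delegated (a query for a name under a child gets a referral).
ZONES: Dict[str, Dict] = {
    ".":           {"hosts": {}, "delegations": {"com", "edu"}},
    "com":         {"hosts": {}, "delegations": {"inc.com"}},
    "inc.com":     {"hosts": {"www.inc.com": "192.0.2.1"}, "delegations": {"div.inc.com"}},
    "div.inc.com": {"hosts": {"indigo.div.inc.com": "192.0.2.10"}, "delegations": set()},
    "edu":         {"hosts": {}, "delegations": set()},
}


def _matching_delegation(zones: Dict[str, Dict], zone: str, name: str) -> Optional[str]:
    """Longest delegated child zone of `zone` that `name` falls under."""
    best = None
    for child in zones[zone]["delegations"]:
        if name == child or name.endswith("." + child):
            if best is None or len(child) > len(best):
                best = child
    return best


def resolve(name: str, cache: Dict[str, str],
            zones: Dict[str, Dict] = ZONES) -> Tuple[Optional[str], List[str]]:
    """Return (address or None, zones whose servers were asked, in order).

    A cached name is answered locally, with no servers asked. Otherwise
    start at the root and follow referrals; a server that has no matching
    delegation and no matching host is authoritative for "no such name"."""
    name = name.rstrip(".")
    if name in cache:
        return cache[name], []
    asked: List[str] = []
    zone = "."
    while True:
        asked.append(zone)
        server = zones[zone]
        if name in server["hosts"]:                 # authoritative answer
            cache[name] = server["hosts"][name]
            return cache[name], asked
        child = _matching_delegation(zones, zone, name)
        if child is None:                           # authoritative negative
            return None, asked
        zone = child                                # referral: ask the child's server


if __name__ == "__main__":
    cache: Dict[str, str] = {}
    for query in ("indigo.div.inc.com", "indigo.div.inc.com", "nosuch.inc.com"):
        addr, asked = resolve(query, cache)
        print(query, "->", addr, "via", asked or "cache")
```

The trace is the useful part when reasoning about trust: every hop in it is a server whose referral the local name server accepted, so a bad answer can be injected at any of them, which is why the servers for your own zones, and the cache in front of them, deserve the same care as the hosts they name.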
transport software will select an interface for outbound traffic according to the target IP address and use that interface consistently, regardless of the interfaces on which it is receiving inbound traffic from the target IP address. Round-robin address cycling is enabled by default. However, with BIND 4.9.

The alias (the first field on each line) must be a single word, with no dots. To use the file, set the HOSTALIASES environment variable to the name of the file, as in the following example:

  export HOSTALIASES=/home/andrea/myaliases

• If the input host name does not end with a dot, BIND looks it up with domain names appended to it.

specified. (Do not use the domain and search options together in the same /etc/resolv.conf file. If you do, the one that appears last in the file is used, and any previous ones are ignored.) For more information on how BIND resolves host names, type man 5 hostname or man 4 resolver at the HP-UX prompt.
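It helps to see exactly which names the resolver will try for what a user types, since that list is where a short name can end up answered by a domain you did not intend. The following added example (not from this manual and not the HP-UX resolver) builds that candidate list from the rules described above: a trailing dot means "exactly this name", a dotless name is first checked against the HOSTALIASES file, and the search list from /etc/resolv.conf (where domain and search both set it and the last one wins) is appended to everything else. The ordering between the bare name and the search list follows the BIND res_search() behaviour: a name with at least ndots dots is tried as given first, a name with fewer is tried with the search list first, and ndots defaults to 1 as in BIND 4.9 and later. The sample resolv.conf and alias file are constructed.

```python
"""Candidate names the resolver tries for a host name.

Added illustration, not the HP-UX resolver; modeled on BIND res_search().
Sample files are constructed.
"""
from typing import Dict, List

SAMPLE_RESOLV_CONF = """\
domain div.inc.com
search div.inc.com inc.com
nameserver 192.0.2.53
"""

SAMPLE_HOST_ALIASES = """\
blue indigo.div.inc.com
bad.alias ignored.example
"""


def parse_resolv_conf(text: str) -> List[str]:
    """Return the search list. 'domain' and 'search' both set it; the last
    one in the file wins, as the text above warns."""
    search: List[str] = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] in ("domain", "search"):
            search = [d.rstrip(".") for d in fields[1:]]
    return search


def parse_host_aliases(text: str) -> Dict[str, str]:
    """An alias must be a single word with no dots; other lines are ignored."""
    aliases: Dict[str, str] = {}
    for raw in text.splitlines():
        fields = raw.split()
        if len(fields) == 2 and "." not in fields[0]:
            aliases[fields[0].lower()] = fields[1]
    return aliases


def lookup_candidates(name: str, search: List[str], aliases: Dict[str, str],
                      ndots: int = 1) -> List[str]:
    """Fully qualified names tried, in order, for the input `name`."""
    if name.endswith("."):                        # absolute: no search list
        return [name]
    if "." not in name and name.lower() in aliases:
        return [aliases[name.lower()]]            # alias replaces the name
    with_search = [name + "." + domain for domain in search]
    if name.count(".") >= ndots:                  # looks qualified: as-is first
        return [name] + with_search
    return with_search + [name]                   # short name: search list first


if __name__ == "__main__":
    search = parse_resolv_conf(SAMPLE_RESOLV_CONF)
    aliases = parse_host_aliases(SAMPLE_HOST_ALIASES)
    for query in ("indigo", "venus.cs", "venus.cs.nmt.edu.", "blue"):
        print(query, "->", lookup_candidates(query, search, aliases))
```

Two consequences are visible in the output. A short name such as indigo is sent to every domain in the search list in turn, so whoever controls a later domain in that list can answer for a short name that does not exist in an earlier one; keep the list short and put your own domains first. And HOSTALIASES is a per-user file selected by an environment variable, so it silently redirects a dotless name for any program that honours it; check it when a user's short names resolve to something unexpected.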
Creating and Registering a New Domain
Follow the steps in this section if you need to set up a new domain. Skip this section if you are interested only in adding hosts to an existing domain. 1. Ask the appropriate person or organization for a range of internet addresses to be assigned to the hosts in your domain.
3. After you have registered your domain, you can create subdomains without registering them with the public network.
Configuring the Name Service Switch
The Name Service Switch determines where your system will look for host information when it needs to resolve a host name to an IP address. For all types of information except host information, you can configure your system to use NIS (one of the NFS Services), NIS+ (the next generation of NIS), or the local /etc file, in any order.
Choosing Name Servers for Your Domain
You can configure your host as any of three types of BIND name servers:
Primary Master Server
A primary master server is the authority for its domain and contains all data corresponding to its domain. It reads its information from a master file on disk.
• If your network is isolated from the Internet, and your host will be the only BIND name server in your organization, you need to configure a root name server. See “Configuring a Root Name Server” on page 132.
Configuring a Primary Master Name Server
This section explains how to configure a primary master server in your domain. It also describes the name server data files in the primary master server configuration.
5. Copy the file /usr/examples/bind/db.cache.arpa to the /etc/named.data directory. This file is a list of root name servers. You can also use anonymous ftp to get the current list of root name servers from rs.internic.net. Instructions are included in the /usr/examples/bind/db.cache.arpa file. 6. Use the list of root name servers from the /usr/examples/bind/db.cache.arpa file or from rs.internic.
To Set the Default Domain Name
If you will be using an /etc/resolv.conf file on your host, configure the default domain name with the search or domain keyword. See “Configuring the Resolver to Query a Remote Name Server” on page 123. If you will not be using an /etc/resolv.conf file, follow these steps: 1.
• server Statement
• zone Statement
acl Statement
The acl statement in the /etc/named.conf file is typically used to define a named IP address matching list for the purpose of access control, etc. This statement is typically used inside a zone Statement. The syntax to use this statement is as follows:
acl name { address_match_list };
The acl statement creates a named address match list.
include "/etc/security/keys.bind";
include "/etc/acls.bind";
NOTE An include statement cannot be used within another statement. Therefore, a line such as the following is not allowed:
acl internal_hosts {include internal_hosts.acl};
Also, do not type "#include" as you would in a C program. The symbol "#" is used to start a comment. The ACL statement, can_query, will allow queries from any host in network 1.2.3.
Specifying the Number of Log File Backups
If you specify the versions (number|unlimited) option in the logging statement, then named will retain the specified number of backup versions of the log file by renaming them when opening. For example, if you choose to keep 3 old versions of the file lame.log, then just before it is opened lame.log is renamed to lame.log.2, lame.log.0 is renamed to lame.log.1, and lame.
Example logging Statement
This section provides an example log configuration. The default for most categories is default_syslog and default_debug.
logging {
    channel lame {
        file "lame-servers.log";
        size 10M;
        severity info;
    };
    channel log { syslog local0; };
    category lame-servers { lame; };
    category default { log; };
};
Channels and Channel Messages
A channel describes a destination: a file, syslog, or the bit bucket.
The default channels are shown as follows:
• default_syslog Sends messages to the daemon facility at severity info and higher. (info is a predefined severity level that allows messages of its severity level or higher to be logged to the channel.)
• default_debug Sends messages to the file named.run and tracks the daemon’s current dynamic debug level.
Table 3-1 Channel Message Categories
Message Category   Description
eventlib           Debugging information from the event system
packet             Dumps of packets received and sent
notify             The NOTIFY protocol
security           Approved/unapproved requests
insist             Internal consistency check failures
db                 Database operations
os                 Operating System problems
maintenance        Periodic maintenance events
load               Zone loading messages
response-c
[ deallocate-on-exit yes_or_no; ]
[ fake-iquery yes_or_no; ]
[ fetch-glue yes_or_no; ]
[ host-statistics yes_or_no; ]
[ multiple-cnames yes_or_no; ]
[ notify yes_or_no; ]
[ recursion yes_or_no; ]
[ forward ( only | first ); ]
[ forwarders { [ in_addr ; ...
Table 3-2 lists the various options available.
Table 3-2 HP-Specific option Statement Options
Option                                       Description
noforward { [ domain; [domain; . . . ]]};    The noforward line specifies that the DNS server will not forward any request for something in or below the listed domains, even if the forwarders directive exists.
Table 3-3 Pathname Options
Option                Description
pid-file path_name;   This is the pathname of the file to which the server writes its process ID. If this is not specified, the default is /var/run/named.pid or /etc/named.pid. The pid-file is used by programs that send signals to the running nameserver.
Table 3-4 Boolean Options
Option                     Description
auth-nxdomain yes_or_no;   If specified as yes, then the AA bit is always set on NXDOMAIN responses, even if the server is not actually authoritative. The default is yes.
Table 3-4 Boolean Options
Option              Description
notify yes_or_no;   The default is yes. When set to yes, DNS NOTIFY messages are sent when a zone for which the server is authoritative changes. The use of NOTIFY speeds convergence between the master and its slaves. A slave server that receives a NOTIFY message and understands it will contact the master server for the zone and see if a zone transfer is needed.
used as a hostname can be checked for compliance with the RFCs defining valid hostnames.
check-names ( master | slave | response ) ( warn | fail | ignore );
The server can check names in three areas:
• master: check master zone files
• slave: check slave zone files
• response: check in response to queries the server has initiated.
Three checking methods are available for check-names:
• ignore: no checking is done.
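As an added example (not code from this manual or from BIND), the following Python shows the kind of check that check-names performs and how the three methods differ in what they do with a bad name. The label rules it applies are this example's reading of RFC 952 and RFC 1123 (letters, digits and interior hyphens, 1 to 63 characters per label), and the sample records are constructed in the style of the db.div file shown later in this chapter.

```python
from __future__ import annotations
import re

# Label rule as this example reads RFC 952 / RFC 1123: 1-63 characters, only
# letters, digits and hyphens, neither starting nor ending with a hyphen.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
MAX_NAME_LEN = 253  # assumption of this example: printable-name limit without the trailing dot


def hostname_problems(name: str) -> list:
    """Return the RFC-compliance problems of a host name (empty list when it is valid)."""
    problems = []
    bare = name[:-1] if name.endswith(".") else name   # a trailing dot marks a fully qualified name
    if not bare:
        return ["empty name"]
    if len(bare) > MAX_NAME_LEN:
        problems.append("name longer than %d characters" % MAX_NAME_LEN)
    for label in bare.split("."):
        if not label:
            problems.append("empty label (consecutive dots)")
        elif not LABEL_RE.match(label):
            problems.append("label %r is not letters, digits and interior hyphens only" % label)
    return problems


def check_name(name: str, method: str = "fail"):
    """Apply one of the three check-names methods.
    ignore: accept silently; warn: accept but report; fail: reject when there are problems.
    Returns (accepted, problems)."""
    if method not in ("ignore", "warn", "fail"):
        raise ValueError("unknown check-names method: %s" % method)
    if method == "ignore":
        return True, []
    problems = hostname_problems(name)
    if method == "warn":
        return True, problems
    return not problems, problems


def check_zone(records, method="fail"):
    """records: iterable of (owner, type, rdata) tuples as they appear in a master file.
    Host names are checked where this example expects them: owners of A records and the
    targets of NS, CNAME, PTR and MX records (HINFO and WKS carry no host names).
    Returns {name: (accepted, problems)} for every name that drew a complaint."""
    flagged = {}
    for owner, rtype, rdata in records:
        names = []
        if rtype == "A":
            names.append(owner)
        elif rtype in ("NS", "CNAME", "PTR"):
            names.append(rdata)
        elif rtype == "MX":
            names.append(rdata.split()[-1])   # rdata is "preference exchanger"
        for n in names:
            accepted, problems = check_name(n, method)
            if problems:
                flagged[n] = (accepted, problems)
    return flagged


# Constructed records in the style of this chapter's db.div example; two are deliberately bad.
SAMPLE_RECORDS = [
    ("rabbit.div.inc.com.", "A", "15.19.8.119"),
    ("rabbit.div.inc.com.", "MX", "5 rabbit.div.inc.com."),
    ("db_server.div.inc.com.", "A", "15.19.8.120"),      # underscore is not allowed in a host name
    ("div.inc.com.", "NS", "ns-.div.inc.com."),          # label ends with a hyphen
]

if __name__ == "__main__":
    for method in ("ignore", "warn", "fail"):
        print(method, check_zone(SAMPLE_RECORDS, method))
```

With method fail the two bad names come back as rejected; with warn they are reported but still accepted, which is the mode to use first on an existing zone so that loading does not stop on legacy names.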
Table 3-6 Access Control Options
Option                                  Description
allow-transfer { address_match_list };  This specifies which hosts are allowed to receive zone transfers from the server. The allow-transfer option may also be specified in the zone statement. If it is specified in the zone statement, it overrides the options allow-transfer statement. The default is to allow transfers from all hosts.
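The acl statement described earlier and the allow-transfer option here both take an address_match_list. As an added example (this is not BIND code and not from the manual), the Python below evaluates such a list the way the text describes it: elements are tried in order, the first match decides, a leading "!" negates an element, any and none are the predefined lists, and an element may name another acl. The element syntax (BIND-style short prefixes such as 15.19.8/24) and the sample lists are this example's own; the nested-list rule it applies is that a named list counts as a match only when it matches positively.

```python
import ipaddress


class AddressMatchList:
    """A named.conf address_match_list as the acl and allow-transfer text describes it.
    Elements are tested in order; the first match decides; '!' negates an element;
    'any' and 'none' are predefined; an element may name another acl (nested list).
    Element syntax here is this example's own reading of BIND-style prefixes."""

    def __init__(self, elements, acls=None):
        self.elements = list(elements)
        self.acls = acls if acls is not None else {}

    @staticmethod
    def _as_network(text):
        # Short BIND prefixes ("15.19.8/24") are padded to four octets before parsing.
        if "/" in text:
            net, bits = text.split("/", 1)
            octets = net.split(".")
            octets += ["0"] * (4 - len(octets))
            return ipaddress.ip_network("%s/%s" % (".".join(octets), bits), strict=False)
        return ipaddress.ip_network(text + "/32")

    def match(self, address):
        """+1 when a positive element matches first, -1 when a negated element matches first,
        0 when nothing matches (which allow-* options treat as deny)."""
        addr = ipaddress.ip_address(address)
        for element in self.elements:
            negated = element.startswith("!")
            term = element[1:].strip() if negated else element
            if term == "any":
                matched = True
            elif term == "none":
                matched = False
            elif term in self.acls:
                matched = self.acls[term].match(address) == 1   # nested list: positive match only
            else:
                matched = addr in self._as_network(term)
            if matched:
                return -1 if negated else 1
        return 0

    def allows(self, address):
        return self.match(address) == 1


# Constructed equivalent of this named.conf fragment (not from the manual):
#   acl internal { !15.19.8.5; 15.19.8/24; 15.19.13/24; };
#   options { allow-transfer { internal; }; };
#   zone "div.inc.com" { ... allow-transfer { !15.19.13/24; internal; }; };
ACLS = {"internal": AddressMatchList(["!15.19.8.5", "15.19.8/24", "15.19.13/24"])}
OPTIONS_ALLOW_TRANSFER = AddressMatchList(["internal"], ACLS)
ZONE_ALLOW_TRANSFER = AddressMatchList(["!15.19.13/24", "internal"], ACLS)
DEFAULT_ALLOW_TRANSFER = AddressMatchList(["any"])   # the documented default: every host may transfer


def transfer_allowed(address, zone_list=None, options_list=OPTIONS_ALLOW_TRANSFER):
    """The precedence rule from Table 3-6: a zone-level allow-transfer overrides the options-level one."""
    effective = zone_list if zone_list is not None else options_list
    return effective.allows(address)


if __name__ == "__main__":
    for host in ("15.19.8.119", "15.19.8.5", "15.19.13.10", "192.0.2.1"):
        print(host, "options:", transfer_allowed(host), "zone:", transfer_allowed(host, ZONE_ALLOW_TRANSFER))
```

Note the ordering trap the first-match rule creates: in the internal list the exclusion of 15.19.8.5 works only because it precedes 15.19.8/24; written after it, the /24 would match first and the exclusion would never be reached.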
Table 3-7 Zone Transfer Options
Option               Description
transfer-in number;  The maximum number of inbound zone transfers that can be running concurrently. The default value is 10. Increasing transfer-in may speed up the coverage of slave zones, but it also may increase the load on the local system.
Table 3-8 Resource Limits Options
Option         Description
files number;  The maximum number of files the server may have open concurrently. The default is unlimited. Note that on some operating systems, the server cannot set an unlimited value and cannot determine the maximum number of open files the kernel can support.
Table 3-9 Periodic Task Intervals Options
Option                    Description
sortlist { ip_addr; ...}  The sortlist line can be used to indicate networks that are preferred over other, unlisted networks. Address sorting only happens when the query is from a host on the same network as the server. The best address is placed first in the response.
zone Statement
The zone statement in the /etc/named.conf file is used to define a zone. It declares the zone as one of four types: master, slave, stub, hint
• master -- This is the master copy of the data in a zone.
• slave -- A slave zone is a replica of a master zone. The master list specifies one or more IP addresses that the slave contacts to update its copy of the zone.
[ allow-transfer { address_match_list }; ]
[ max-transfer-time-in number; ]
[ notify yes_or_no; ]
[ also-notify { ip_addr; [ ip_addr; ... ] }; ]
};
zone . [ ( in | hs | hesiod | chaos ) ] {
    type hint;
    file path_name;
    [ check-names ( warn | fail | ignore ); ]
};
Migrating /etc/named.boot to /etc/named.conf
To convert the BIND configuration file /etc/named.boot to /etc/named.conf, follow these steps. 1.
Following is an example boot file for a primary server authoritative for the div.inc.com domain and for networks 15.19.8 and 15.19.13:
;
; type      domain                  source file
;
directory   /etc/named.data         ;running directory for named
primary     div.inc.com             db.div
primary     0.0.127.IN-ADDR.ARPA    db.127.0.0
primary     8.19.15.IN-ADDR.ARPA    db.15.19.8
primary     13.19.15.IN-ADDR.ARPA   db.15.19.13
cache                               db.
included in the file /usr/examples/bind/db.cache.arpa. Following is an example db.cache file for a primary master server:
;
; This file holds the information on root name servers needed
; to initialize cache of Internet domain name servers
;
; last update: May 11, 1994
; related version of root zone: 940516
;
; name              ttl        class  type  data
;
.                   99999999   IN     NS    NS.INTERNIC.NET.
NS.INTERNIC.NET.    99999999          A     198.41.0.4
.
left blank, the class defaults to the last class specified. So, all the entries in this example db.cache file are of class IN. Type NS records list name servers. The first field in an NS record is the domain for which the name server has authority. The last field in an NS record is the fully qualified name of the name server. Type A records list addresses.
name The name of the subdomain. In data files, @ represents the current origin. The current origin is the domain configured in this file, according to the boot file. The boot file says that the 0.0.127.in-addr.arpa domain is configured in the db.127.0.0 file. Therefore, every instance of @ in the db.127.0.0 file represents 0.0.127.in-addr.arpa.
Expire Indicates (in seconds) how long the secondary name server can use the data before it expires for lack of a refresh. Minimum ttl The minimum number of seconds for the time to live field on other resource records for this domain. The NS data is the fully qualified name of the name server. The PTR data is the loopback address of localhost, in the in-addr.arpa domain. The Primary Master Server’s db.
update its data from a master server. Retry Indicates (in seconds) how often a secondary server should retry after an attempted refresh fails. Expire Indicates (in seconds) how long the secondary name server can use the data before it expires for lack of a refresh. Minimum ttl The minimum number of seconds for the time to live field on other resource records for this domain. NS Name Server records.
host is down or inaccessible. The preference field specifies the order a mailer should follow if there is more than one mail exchanger for a given host. A low preference value indicates a higher precedence for the mail exchanger. In the example below, mail for rabbit should go first to rabbit.div.inc.com. If rabbit is down, its mail should be sent to indigo.div.inc.com.
        IN HINFO HP9000/850 HPUX
        IN WKS   15.19.8.64 UDP syslog domain route
        IN WKS   15.19.8.64 TCP (telnet smtp ftp shell domain)
rabbit  IN MX    5 rabbit.div.inc.com.
        IN MX    10 indigo.div.inc.com.
rabbit  IN A     15.19.8.119
The Primary Master Server’s db.net Files
A primary server has one db.net file for each network it serves.
        IN NS  rabbit.div.inc.com.
        IN NS  indigo.div.inc.com.
119     IN PTR rabbit.div.inc.com.
64      IN PTR cheetah.div.inc.com.
197     IN PTR indigo.div.inc.com.
This example file, db.15.19.8, contains the following records: SOA Start of Address record. The SOA record designates the start of a domain, and indicates that this server is authoritative for the data in the domain.
records for this domain. NS Name Server records. The NS records give the names of the name servers and the domains for which they have authority. The domain for the name servers in the example is the current origin (8.19.15.in-addr.arpa), because @ was the last domain specified. PTR Pointer records. PTR records are usually used to associate an address in the in-addr.arpa domain with the canonical name of a host.
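The db.cache, db.domain and db.net descriptions above all rely on the same master-file conventions: @ stands for the current origin, a line that starts with white space reuses the previous owner, a name without a trailing dot is relative to the origin, a missing class repeats the last one, and a missing ttl falls back to the SOA minimum. As an added example (written for this page, not code from the manual or from BIND), the Python below parses a master file under those rules, then answers two questions the text raises: in which order a mailer should try the MX records for rabbit, and which name a PTR lookup of 15.19.8.119 yields. The two sample files are constructed after the db.div and db.15.19.8 examples in this chapter.

```python
TYPES = {"SOA", "NS", "A", "PTR", "MX", "CNAME", "HINFO", "WKS"}
CLASSES = {"IN", "HS", "CHAOS", "HESIOD"}


def _logical_lines(text):
    """Yield (indented, tokens) per record, joining parenthesised continuation lines
    (the SOA layout) and dropping ';' comments."""
    buf, depth, indented = [], 0, False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]
        if not buf:
            if not line.strip():
                continue
            indented = line[:1].isspace()   # leading blank means "same owner as before"
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth <= 0:
            tokens = " ".join(buf).replace("(", " ").replace(")", " ").split()
            buf, depth = [], 0
            if tokens:
                yield indented, tokens


def qualify(name, origin):
    """'@' is the current origin; a name without a trailing dot is relative to it."""
    if name == "@":
        return origin
    return name if name.endswith(".") else name + "." + origin


def parse_zone(text, origin):
    """Parse master-file text into record dicts with keys owner, ttl, class, type, rdata."""
    origin = origin if origin.endswith(".") else origin + "."
    records, owner, rclass, default_ttl = [], origin, "IN", None
    for indented, tokens in _logical_lines(text):
        if tokens[0] == "$ORIGIN":
            origin = qualify(tokens[1], origin)
            continue
        if not indented:
            owner = qualify(tokens.pop(0), origin)
        ttl = None
        if tokens and tokens[0].isdigit():
            ttl = int(tokens.pop(0))
        if tokens and tokens[0].upper() in CLASSES:
            rclass = tokens.pop(0).upper()      # class sticks until another is given
        if not tokens or tokens[0].upper() not in TYPES:
            raise ValueError("cannot parse record for %s: %r" % (owner, tokens))
        rtype = tokens.pop(0).upper()
        if rtype == "SOA":
            default_ttl = int(tokens[-1])       # minimum ttl is the last SOA field
        records.append({"owner": owner, "ttl": default_ttl if ttl is None else ttl,
                        "class": rclass, "type": rtype, "rdata": tokens})
    return records


def soa_serial(records):
    """The serial a host addition or deletion must increment (first numeric SOA field)."""
    return next(int(r["rdata"][2]) for r in records if r["type"] == "SOA")


def mx_targets(records, host):
    """Mail exchangers for host, lowest preference value first (the order a mailer tries them)."""
    mx = [(int(r["rdata"][0]), r["rdata"][1]) for r in records
          if r["owner"] == host and r["type"] == "MX"]
    return [target for _, target in sorted(mx)]


def ptr_name(records, ip):
    """Canonical name for an address, via its PTR record in the in-addr.arpa domain."""
    rev = ".".join(reversed(ip.split("."))) + ".in-addr.arpa."
    for r in records:
        if r["type"] == "PTR" and r["owner"] == rev:
            return r["rdata"][0]
    return None


# Constructed master files modelled on this chapter's db.div and db.15.19.8 examples.
DB_DIV = """\
@       IN SOA rabbit.div.inc.com. hostmaster.rabbit.div.inc.com. (
                        1        ; serial
                        10800    ; refresh
                        3600     ; retry
                        604800   ; expire
                        86400 )  ; minimum ttl
        IN NS    rabbit.div.inc.com.
        IN NS    indigo.div.inc.com.
cheetah IN A     15.19.8.64
        IN HINFO HP9000/850 HPUX
rabbit  IN MX    5 rabbit.div.inc.com.
        IN MX    10 indigo.div.inc.com.
rabbit  IN A     15.19.8.119
indigo     A     15.19.8.197
"""
DB_NET = """\
@       IN SOA rabbit.div.inc.com. hostmaster.rabbit.div.inc.com. ( 1 10800 3600 604800 86400 )
        IN NS    rabbit.div.inc.com.
119     IN PTR   rabbit.div.inc.com.
64      IN PTR   cheetah.div.inc.com.
"""

if __name__ == "__main__":
    div = parse_zone(DB_DIV, "div.inc.com")
    print("MX order for rabbit:", mx_targets(div, "rabbit.div.inc.com."))
    print("15.19.8.119 is", ptr_name(parse_zone(DB_NET, "8.19.15.in-addr.arpa"), "15.19.8.119"))
```

The indigo line deliberately omits the class to show the "last class specified" rule: the parser carries IN forward from the previous record.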
To Delete a Host from the Domain Data Files
1. Delete the host from /etc/hosts and run hosts_to_named again.
or
Delete the host manually, as follows:
• Edit db.[domain]. Delete all A, CNAME, HINFO, WKS, and MX resource records associated with the host. Increment the serial number in the SOA resource record.
• Edit db.[net]. Delete all PTR resource records for the host.
Configuring a Secondary Master Name Server
A secondary master server can operate in either of two ways:
• It can store the authoritative data in backup files on its disk. When this type of secondary server reboots, it reads its data from the backup files and does not have to rely on loading data from a primary server.
on the secondary server. 3. On the secondary server, rename /etc/boot.sec.save or /etc/boot.sec to /etc/named.boot. 4. Copy the files /etc/named.data/db.cache and /etc/named.data/db.127.0.0 from the primary server to the secondary server. The format of the data files copied from the primary master server is described in “Configuring a Primary Master Name Server” on page 86.
secondary   div.inc.com             15.19.8.119   db.div
primary     0.0.127.IN-ADDR.ARPA                  db.127.0.0
secondary   8.19.15.IN-ADDR.ARPA    15.19.8.119   db.15.19.8
secondary   13.19.15.IN-ADDR.ARPA   15.19.8.119   db.15.19.13
cache                                             db.cache
This file specifies a file name in the fourth field for each domain. The secondary server will use this file as a backup file.
Configuring a Caching-Only Name Server
The boot file of a caching-only name server has no primary or secondary lines, except the primary line for the 0.0.127.in-addr.arpa domain (the loopback interface). Hosts running Berkeley networking use 127.0.0.1 as the address of the loopback interface. Since the network number 127.0.
/usr/bin/hostname indigo.div.inc.com
and set the HOSTNAME variable in the /etc/rc.config.d/netconf file to the same value, as in the following example:
HOSTNAME=indigo.div.inc.com
Do not put a trailing dot at the end of the domain name.
Configuring the Resolver to Query a Remote Name Server
Follow these steps if you want your host to query a name server on a remote host: 1. Create a file on your host called /etc/resolv.conf. The /etc/resolv.conf file has three configuration options:
• domain followed by the default domain name.
Do not put a trailing dot at the end of the domain name. NOTE If you want to run both BIND and HP VUE, you must have an /etc/resolv.conf file on your system, or HP VUE will not start. If a user sets the LOCALDOMAIN environment variable, any BIND requests made within the context of the user’s shell environment will use the search list specified in the LOCALDOMAIN variable.
Configuring the Resolver to Set Timeout Values
Timeout values are configured for clients (resolver routines) that use DNS with the RES_RETRY and RES_RETRANS options. These options allow you to set the number of re-transmissions (RES_RETRY) and the time between each retransmission (RES_RETRANS). Setting smaller timeout values enables you to get better performance.
Configuring Timeout Values using the Configuration File
You can set the RES_RETRY and RES_RETRANS options in the /etc/resolv.conf configuration file. Setting the timeout value with the configuration file sets the RES_RETRY and RES_RETRANS values on a specific system.
• Add the following line to the /etc/resolv.conf configuration file after the domain and nameserver entries.
parameter value is the pointer to the location where the option value is stored. The sizeof value parameter is used to obtain the number of bytes required for the variable so that memory can be allocated to that variable when a function is invoked. The return value of this function is 0 if the function successfully gets the value of the field in the value parameter. It will return -1 on failure.
Starting the Name Server Daemon
The name server daemon, /usr/sbin/named, must be running on every primary, secondary, and caching-only name server. If you have configured your system to query a remote name server (that is, if you have created an /etc/resolv.conf file that directs BIND queries to a name server on another host), you do not have to run the named daemon on your host.
4. At the > prompt, type the name of a host for the name server to look up, as in the following example:
> charlie
You should see output similar to the following:
Name Server: indigo.div.inc.com
Addresses: 15.19.14.100, 15.19.15.100
Name: charlie.div.inc.com
Address: 15.19.9.100
5. Look up several host names and IP addresses of hosts in the name server’s domain. 6.
Updating Network-Related Files
After you configure your system to use BIND, the following network-related configuration files require fully-qualified domain names for all hosts outside your local domain:
/etc/hosts.equiv
$HOME/.rhosts
/var/adm/inetd.sec
$HOME/.netrc
To Update /etc/hosts.equiv and $HOME/.
Delegating a Subdomain
Within your own domain, you may delegate any number and level of subdomains to distribute control and management responsibility. These subdomains need not be registered with the parent network. The organization that owns a zone or subdomain is responsible for maintaining the data and ensuring that up-to-date data is available from multiple, redundant servers. Follow these steps to add a subdomain: 1.
Configuring a Root Name Server
If you are connected to the Internet, use the root servers already available. (For a list of root servers, use anonymous ftp to get the file /domain/named.ca from nic.ddn.mil.) However, if you are on an isolated network, you must set up your own root servers. A root server does not have a cache line in its boot file.
                     IN NS denny.dept.inc.com.
                     IN NS sally.dept.inc.com.
rabbit.div.inc.com.  86400  IN A  15.19.8.119
denny.dept.inc.com.  86400  IN A  15.19.15.33
sally.doc.inc.com.   86400  IN A  15.19.9.17
                     259200 IN NS eduardo.inc.com.
                     25920  IN NS labs.inc.com.
                     259200 IN NS eduardo.inc.com.
                     259200 IN NS labs.inc.com.
eduardo.inc.com.     259200 IN A  15.19.11.2
labs.inc.com.        259200 IN A  15.19.13.
Configuring BIND in SAM
On the local system, you can configure a primary server, a secondary server, a caching-only server, and resolver; start, restart, or stop the server; specify a parent domain; update the DNS database files; and configure NS resource records. More information on configuring BIND in sam can be found by running sam and referring to the help screens.
The Logging System
The logging system gives you control over how the server logs events. The logging system is configured via the logging statement in the /etc/named.conf file. The logging system allows you to do the following:
• limit incoming messages to a given severity level.
• place a limit on the size of the logging file.
• manage multiple versions for the logging file (to maintain historic data).
Troubleshooting the BIND Name Server
This section tells you how to identify and correct problems with the BIND name server.
looked up. You can also use it to check network connectivity to the name server.
$ /usr/sbin/ping hostname
If host name lookups are failing, use ping with an IP address to test network connectivity.
if a zone is up to date.
3  This level gives detailed information about internal operation, most of it not useful. This level tells you when a resolver retransmission is dropped, what name servers were found for a remote domain, and how many addresses were found for each server. When a secondary server checks with the primary to see if the secondary’s data is up to date, an SOA query is made.
• After configuring the primary server for the first time, names in the local domain cannot be found. Check the following:
— Problem 2, Syntax Errors
— Problem 1, Incorrect hosts_to_named Parameters
— Problem 8, Local Domain Not Set
• After configuring the primary server for the first time, names in the local domain can be found, but names in remote domains fail.
— Problem 10, /etc/hosts or NIS or NIS+ Contains Incorrect Data
• Names in the local and remote domains are looked up successfully. However, other servers not in your domain cannot look up names within your domain. Check the following:
— Problem 7, Incorrect Delegation of Subdomain
Name Server Problems
This section explains the problems that may cause the symptoms listed above, and suggests ways to solve the problems.
log the following message:
No root name servers for class 1.
(Class 1 is the IN class.)
• nslookup May fail to look up the local host’s name on startup and give a servfail message. To check root server information, execute the following:
$ nslookup
> set type=NS
> .
This asks for the NS records for the root. If no records for root servers are present, it returns
Can't find ".": Server failed.
5. Network connectivity problems may cause certain lookups to fail. See the Installing and Administering LAN/9000 Software manual for information on troubleshooting network connectivity.
• Name server debugging output Turn on debug level 1. ping the host name. Check the name server debugging output in /var/tmp/named.run for lines like this:
req: found 'cucard.med.columbia.edu' as 'columbia.
remote SOA serial number for this zone.
• ping IP_address Verify connectivity to the server the secondary is trying to load from. If the host is temporarily unreachable, the secondary server will load when it is reachable.
• nslookup Use nslookup and set the name server to the master the secondary is trying to load from.
$ nslookup
> server server_name or IP_address
> ls domain
The ls command initiates a zone transfer.
> set type=ns                                    Set query type to ns (nameserver).
> div.inc.com                                    Look up the div.inc.com domain.
Name Server: eduardo.doc.inc.com
Address: 15.19.11.2
Non-authoritative answer:
div.inc.com nameserver = walleye.div.inc.com     Name server records for div.inc.com, the delegated subdomain.
div.inc.com nameserver = friday.div.inc.com
Authoritative answers can be found from:
walleye.div.inc.com inet address = 15.19.13.197
friday.
• ping hostname hostname is found only when it is a completely specified domain name (with or without a trailing dot). 9. The /etc/nsswitch.conf file, if it exists, is not configured correctly. If you want to query BIND before querying NIS or NIS+ or the /etc/hosts file, make sure dns is listed first on the hosts line. See “Configuring the Name Service Switch” on page 30. 10.
datagram from 15.19.15.15 port 53, fd 6, len 51
send_msg -> 15.19.10.14 (UDP 7 4258) id=1
Debug turned OFF, Level 1
• In the first group of four lines, a query is received for john.dept.inc.com. The query is forwarded to a root server, ns.inc.ddn.mil at address 192.67.67.53
• In the second group of four lines, ns.nic.ddn.mil responded with NS records for inc.com.
• In the third group of four lines, the inc.
forw: forw -> 192.67.67.53 6 (53) nsid=29 id=1 0ms retry 4 sec
The query was forwarded to 192.67.67.53. The name server tags each query it sends out so that it can detect duplicate responses. Here the assigned ID is 29. The original ID was 1. The query will be retried in four seconds.
resp: found 'john.dept.inc.com' as 'inc.com' (cname=0)
After the response from the root server, the database is searched again. inc.
(cname=0)
resend(addr=1 n=0) -> 128.59.32.1 6 (53) nsid=18 id=1 0ms
resend(addr=2 n=0) -> 128.59.40.130 6 (53) nsid=18 id=1 0ms
datagram from 15.19.10.14 port 4253, fd 6, len 41
req: nlookup(cucard.med.columbia.edu) id 1 type=1
req: found 'cucard.med.columbia.edu' as 'columbia.edu' (cname=0)
resend(addr=3 n=0) -> 128.103.1.1 6 (53) nsid=18 id=1 764ms
datagram from 128.103.1.1 port 53, fd 6, len 57
send_msg -> 15.19.10.
Statistics are appended to the file.
dump, starting with unknown query types. iqueries is the number of inverse queries. Inverse queries can be used to map a host address to a domain name, although PTR queries (discussed below) are the normal method. Some versions of nslookup send inverse queries when they are starting up. duplicate queries are retransmitted queries for pending lookups that the resolver sends to the name server.
martian responses are responses from unexpected addresses. The name server keeps track of how long it takes for a remote name server to respond. If the remote name server is a multi-homed host, a query to one of the addresses may result in a response from another of its addresses. If the local server does not know about this other address, the response is counted as a martian response.
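The debug trace lines shown above (forw:, resend(...), datagram from ..., send_msg) carry enough to reproduce two of the bookkeeping tasks the text attributes to the server: pairing each outgoing query (its nsid) with the servers it was sent to, and spotting a reply from an address that was never queried, which is what the martian responses counter records. The Python below is an added example, not code from the manual or from named; its line patterns are taken from the level 1 output quoted above, the sample trace is constructed (the reply from 15.19.15.16 stands in for the second address of a multi-homed server), and treating a datagram from port 53 as a server reply is a heuristic of this example.

```python
import re
from collections import Counter

# Patterns taken from the level 1 debug output quoted in this section.
FORW_RE = re.compile(r"^(?:forw: forw|resend\(addr=\d+ n=\d+\)) -> (\S+) \d+ \(53\) nsid=(\d+) id=(\d+)")
DATAGRAM_RE = re.compile(r"^datagram from (\S+) port (\d+),")
SENDMSG_RE = re.compile(r"^send_msg -> (\S+) \(UDP \d+ \d+\) id=(\d+)")


def analyse_trace(lines):
    """Walk named.run lines and summarise the query/response traffic they record.
    Returns a dict with: forwarded (queries sent upstream), responses (replies seen),
    unexpected_responders (reply sources that were never queried, the martian case),
    retransmissions (per nsid, how many times beyond the first it was sent) and
    answered_clients (replies returned to resolvers)."""
    sent = {}                 # nsid -> set of server addresses the query went to
    sent_count = Counter()    # nsid -> number of transmissions
    summary = {"forwarded": 0, "responses": 0, "unexpected_responders": [], "answered_clients": 0}
    for line in lines:
        m = FORW_RE.match(line)
        if m:
            server, nsid, _client_id = m.groups()
            sent.setdefault(nsid, set()).add(server)
            sent_count[nsid] += 1
            summary["forwarded"] += 1
            continue
        m = DATAGRAM_RE.match(line)
        if m:
            src, port = m.groups()
            if port == "53":  # heuristic of this example: source port 53 means a server reply
                summary["responses"] += 1
                if not any(src in servers for servers in sent.values()):
                    summary["unexpected_responders"].append(src)
            continue
        if SENDMSG_RE.match(line):
            summary["answered_clients"] += 1
    summary["retransmissions"] = {nsid: n - 1 for nsid, n in sent_count.items() if n > 1}
    return summary


# Constructed trace in the style of the level 1 output shown above (not captured from a real server).
TRACE = """\
datagram from 15.19.10.14 port 4253, fd 6, len 41
req: nlookup(john.dept.inc.com) id 1 type=1
req: found 'john.dept.inc.com' as 'inc.com' (cname=0)
forw: forw -> 192.67.67.53 6 (53) nsid=29 id=1 0ms retry 4 sec
datagram from 192.67.67.53 port 53, fd 6, len 51
resp: found 'john.dept.inc.com' as 'inc.com' (cname=0)
resend(addr=1 n=0) -> 15.19.15.15 6 (53) nsid=29 id=1 0ms
resend(addr=1 n=1) -> 15.19.15.15 6 (53) nsid=29 id=1 4000ms
datagram from 15.19.15.16 port 53, fd 6, len 51
send_msg -> 15.19.10.14 (UDP 7 4258) id=1
Debug turned OFF, Level 1
""".splitlines()

if __name__ == "__main__":
    for key, value in analyse_trace(TRACE).items():
        print("%-22s %s" % (key, value))
```

Read against the text, the output says: three transmissions for nsid 29, of which two were retries of the same server (a slow or unreachable name server, the case ping and nslookup are used to confirm earlier in this section), and one reply from 15.19.15.16, an address this server never queried, which is exactly the situation the martian responses counter describes.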
4 Installing and Administering sendmail This chapter describes sendmail, the Internet Services mail routing facility.
programs for delivery and further routing. sendmail allows you to send mail to and receive mail from other hosts on a local area network or through a gateway.
NOTE sendmail for HP-UX 11.0 is an HP implementation of version 8.9.3 of publicly-available sendmail software. HP provides support for the features documented in this chapter and in the sendmail man page.
Deciding Whether to Install sendmail
You must install sendmail in order to do the following things:
• Deliver mail to other machines using the SMTP protocol over a LAN or WAN.
• Route X.400 mail using the X.400/9000 delivery agent.
• Route OpenMail or X.400 mail using the OpenMail product.
If you do not install sendmail, only local and UUCP mail will work.
Installing sendmail
When you install sendmail, the installation script creates and modifies files on the system that are needed for sendmail operation. The sendmail configuration file supplied with HP-UX 11.0 will work without modifications for most installations. Therefore, the only steps you must do are: set up sendmail servers to run with NFS, configure and start sendmail clients, and verify that sendmail is running properly.
Installing and Administering sendmail Installing sendmail • Creates /etc/mail/sendmail.cf and /etc/mail/aliases files with default configurations. These files are created with root as the owner, other as the group, and permissions set to 0444. NOTE If an /etc/mail/sendmail.cf file already exists, the existing file is saved to /etc/mail/#sendmail. If an /etc/mail/aliases file already exists, then the sendmail installation script does not create it. • Creates the file /etc/mail/sendmail.
Installing and Administering sendmail Installing sendmail The sendmail installation script performs the configuration changes that are described in “Installing sendmail on a Standalone System” on page 157. To set the system up as an NFS server and allow the sendmail clients to read and write to the /var/mail directory, do the following: 1. Make sure all mail users have accounts on the mail server and that their user IDs and group IDs on the mail server are the same as on the client machines.
Installing and Administering sendmail Installing sendmail sendmail startup script. 2. In the /etc/rc.config.d/mailservs file, use a text editor to set the SENDMAIL_SERVER_NAME variable to the host name or IP address of the mail server you will use (the machine that will run the sendmail daemon). 3. In the /etc/rc.config.d/nfsconf file, use a text editor to set the NFS_CLIENT variable to 1. 4.
Installing and Administering sendmail Installing sendmail Verifying Your sendmail Installation You can verify that sendmail has been installed properly and is working properly by doing the things described in the following sections: • “Mailing to a Local User” on page 161 • “Mailing to a Remote User with UUCP Addressing” on page 161 (if you are using it). • “Mailing to a Remote User with the SMTP Transport” on page 162 (if you are using it).
Installing and Administering sendmail Installing sendmail date | mailx -s "UUCP Test" node1!node2!joe and node2 is your local host, you should receive a message similar to this: From node1!node2!joe Wed Aug 6 09:48 MDT 1986 Received: by node2; Wed, 6 Aug 86 09:48:09 mdt Return-Path: Received: from node1.UUCP; Wed, 6 Aug 86 09:30:16 Received: by node1; Wed, 6 Aug 86 09:30:16 mdt Received: from node2.
Installing and Administering sendmail Installing sendmail you should receive a message similar to the following: From joe@node2 Wed Aug 6 14:22 MDT 1986 Received: from node1 by node2; Wed, 6 Aug 86 14:22:56 Return-Path: Received: from node2 by node1; Wed, 6 Aug 86 14:25:04 Received: by node2; Wed, 6 Aug 86 14:22:31 mdt Date: Wed, 6 Aug 86 14:22:31 mdt From: Joe User To: joe%node2@node1 Subject: Round Robin SMTP Wed Aug mdt mdt 6 14:22:28 MDT 1986 An entry in your /var/adm/syslog/m
Installing and Administering sendmail Creating sendmail Aliases Creating sendmail Aliases The sendmail aliases database stores mailing lists and mail aliases. You create the aliases database by adding aliases to the file /etc/mail/aliases and then running the newaliases script to generate the database from the file. The generated database is stored in the file /etc/mail/aliases.db. The sendmail startup script also generates the aliases database when you reboot your system.
This command (newaliases) generates the aliases database /etc/mail/aliases.db from the text file /etc/mail/aliases.

Table 4-1 Things That May Be Included in a Mailing List

    local user name    Looked up in the aliases database unless you put a backslash (\) before it. To prevent sendmail from performing unnecessary alias lookups, put backslashes before local user names.

    "| command"        sendmail pipes the message as standard input to the specified command. The double quotes are required to protect the command line from being interpreted by sendmail. Commands must be listed as full pathnames. If stdout and stderr are not redirected, they are not printed to the terminal, and they disappear.
Installing and Administering sendmail Creating sendmail Aliases Configuring Owners for Mailing Lists Because the sender of a message often does not control the mailing list to which the message is addressed, sendmail allows you to configure an owner for a mailing list. If sendmail encounters an error while attempting to deliver a message to the members of a mailing list, it looks for an alias of the form owner-mailing_list and sends the error message to the owner.
Installing and Administering sendmail Creating sendmail Aliases two systems. sendmail adds a tracing header line (Received:) with each hop. When 30 tracing header lines have been added, sendmail recognizes the aliasing loop and aborts the delivery with an error message. Creating a Postmaster Alias RFC 822 requires that a “postmaster” alias be defined on every host. The postmaster is the person in charge of handling problems with the mail system on that host.
Installing and Administering sendmail Creating sendmail Aliases server contains all the sendmail aliases you want to make globally available through NIS or NIS+. The sendmail program uses the Name Service Switch to determine where to look for sendmail aliases. Modifying Your NIS Aliases Database For information about the NIS or NIS+ aliases database, see Installing and Administering NFS Services.
Installing and Administering sendmail Creating sendmail Aliases Forwarding Your Own Mail with a .forward File You can redirect your own mail by creating a .forward file in your home directory. If a .forward file exists in your home directory and is owned by you, sendmail will redirect mail addressed to you to the addresses in the .forward file. A .forward file can contain anything that can appear on the right side of an alias definition, including programs and files. (See Table 4-1 earlier in this chapter.
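The alias handling described in this section (the target kinds of Table 4-1, the owner-mailing_list convention, and the hop limit at which sendmail abandons an aliasing loop) can be modelled in a few dozen lines. The following is an added example written for this page; it is not HP-UX or sendmail code. The alias text it parses is constructed, and the user names and program paths in it are illustrative.

```python
"""Expand sendmail-style aliases, detect loops and find a list's owner."""

MAX_HOPS = 30   # sendmail aborts delivery after 30 Received: hops

# Constructed sample alias file, in the format /etc/mail/aliases uses.
SAMPLE_ALIASES = r"""
# comments and blank lines are ignored
postmaster: root
root: \admin
staff: alice, bob,
       "|/usr/bin/vacation bob", /var/mail/staff-archive
owner-staff: alice
ping: pong
pong: ping
"""

def split_targets(rhs):
    """Split the right-hand side on commas that are not inside double quotes."""
    targets, buf, quoted = [], [], False
    for ch in rhs:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            targets.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    targets.append("".join(buf).strip())
    return [t for t in targets if t]

def parse_aliases(text):
    """Return {alias: [targets]}; a line starting with whitespace continues the previous alias."""
    raw, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t" and current is not None:
            raw[current] += "," + line
            continue
        name, _, rhs = line.partition(":")
        current = name.strip().lower()
        raw[current] = rhs
    return {name: split_targets(rhs) for name, rhs in raw.items()}

def classify(target):
    """Map one alias target to the delivery kind of Table 4-1."""
    if target.startswith('"|') or target.startswith("|"):
        return "program", target.strip('"')[1:].strip()   # piped to the prog mailer
    if target.startswith("/"):
        return "file", target                              # appended to the file
    if target.startswith(":include:"):
        return "include", target[len(":include:"):]        # list read from a file
    if target.startswith("\\"):
        return "user", target[1:]                          # backslash: no further lookup
    if "@" in target or "!" in target:
        return "remote", target                            # routed by SMTP or UUCP
    return "alias", target.lower()

class AliasLoop(Exception):
    pass

def expand(name, aliases, _path=()):
    """Resolve name to its final deliveries; raise AliasLoop on a cycle or at MAX_HOPS."""
    key = name.lower()
    if key in _path or len(_path) >= MAX_HOPS:
        raise AliasLoop(" -> ".join(_path + (key,)))
    if key not in aliases:
        return [("user", key)]            # no alias: a local mailbox
    deliveries = []
    for target in aliases[key]:
        kind, value = classify(target)
        if kind == "alias":
            deliveries.extend(expand(value, aliases, _path + (key,)))
        else:
            deliveries.append((kind, value))
    return deliveries

def loops(name, aliases):
    """True if expanding name never terminates (an aliasing loop)."""
    try:
        expand(name, aliases)
    except AliasLoop:
        return True
    return False

def owner_of(list_name, aliases):
    """Where delivery errors for a list go: owner-<list> if defined, else None (the sender)."""
    return aliases.get("owner-" + list_name.lower())

ALIASES = parse_aliases(SAMPLE_ALIASES)
```

The program and file targets are the ones worth auditing on a real system: anyone who can write to the aliases file, or to a user's .forward, can make sendmail run a command, which is why the Security section of this chapter restricts them with smrsh and DontBlameSendmail.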
Installing and Administering sendmail How sendmail Works How sendmail Works sendmail acts as a post office to which all messages can be submitted for routing. sendmail can interpret both Internet-style addressing (that is, user@domain) and UUCP-style addressing (that is, host!user). How addresses are interpreted is controlled by the sendmail configuration file. sendmail can rewrite message addresses to conform to standards on many common target networks.
Installing and Administering sendmail How sendmail Works How sendmail Collects Messages sendmail can receive messages from any of the following: • A user agent that calls sendmail to route a piece of mail. User agents that are supported by HP for use with HP-UX 11.0 sendmail include elm, mail, mailx, and rmail. • A sendmail daemon or other mail program that calls sendmail to route a piece of mail received from the network or the mail queue. • A user that calls sendmail directly from the command line.
Figure 4-1 Flow of Mail Through sendmail (diagram). User agents (mailx, rmail, elm, and others) on the local host hand messages to sendmail, which passes them to the OpenMail delivery agent (OpenMail or X.25 network), the X.400 delivery agent (X.400 network), or the SMTP delivery agent (local area network); the corresponding receiving agents accept mail arriving from those networks.
Installing and Administering sendmail How sendmail Works files.) Mail to programs is normally piped to the prog mailer (/usr/bin/sh -c), which executes the command specified in the alias or .forward file definition. (You can restrict the programs that can be run through the aliases or .forward files. See “Security” on page 190 for more information.) Mail to a file is directly appended to the file by sendmail if certain conditions of ownership and permission are met.
Installing and Administering sendmail How sendmail Works instructions for arranging to relay such mail through hosts to which you can connect. SMTP Addresses RFC 822-style addresses in any of the following forms, where host is not the local host name, are routed by SMTP over TCP/IP: user@host user@host.domain <@host,@host2,@host3:user@host4> user@[remote_host’s_internet_address] If the name server is in use, sendmail requests MX (mail exchanger) records for the remote host.
Installing and Administering sendmail How sendmail Works MX records, see Chapter 3 , “Configuring and Administering the BIND Name Service,” on page 71. MX records are used only if a message address resolves to an IPC mailer (that is, one that uses SMTP over sockets to perform delivery.) Instead of attempting to connect directly to the recipient host, sendmail first queries the name server, if it is running, for MX records for that host.
In the following example, the name server serving the domain paf.edu has the following MX records configured to provide backup for host bling:

    ;name   ttl   class   MX   preference   mail exchanger
    bling         IN      MX   0            bling.paf.edu.
                  IN      MX   20           wheo.paf.edu.
                  IN      MX   30           munch.pag.edu.

Ordinarily, mail for bling will go directly to bling. However, if bling is down, or if the sending host cannot connect to bling, sendmail will route mail for it to wheo.
Installing and Administering sendmail How sendmail Works sendmail reports the failure attempting to connect to the last MX host (that is, the highest preference value) in the list that it tried. For example, with mail exchangers configured as in the paf.edu example earlier, if the attempts to connect to bling and wheo result in temporary failures, but the attempt to connect to munch fails permanently, the message will be returned as an error.
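The ordering and failure rules just described can be checked without a network. The following is an added example, not HP or sendmail code: it uses the constructed paf.edu MX records from the text (keeping the third exchanger's name as printed there), takes the outcome of each connection attempt from a caller-supplied function, and reproduces the rule that a temporary failure queues the message while a permanent failure at the last exchanger tried bounces it. The RFC 974 rule of dropping exchangers no better than the local host is included as well.

```python
"""Order MX hosts and decide between retry and bounce."""

OK, TEMP, PERM = "delivered", "temporary failure", "permanent failure"

# Constructed MX records: (preference, exchanger) for the host bling.paf.edu.
MX_RECORDS = {
    "bling.paf.edu": [(0, "bling.paf.edu"), (20, "wheo.paf.edu"), (30, "munch.pag.edu")],
}

def mx_order(host, local_host=None, records=MX_RECORDS):
    """Exchangers to try, lowest preference value first.

    With no MX records sendmail connects to the host itself. If the
    sending host is itself one of the exchangers, only exchangers with a
    strictly lower preference are tried (RFC 974), which stops a backup
    MX from handing the mail back to itself."""
    mx = records.get(host)
    if not mx:
        return [host]
    ordered = sorted(mx)
    if local_host is not None:
        own = [pref for pref, name in ordered if name == local_host]
        if own:
            ordered = [(pref, name) for pref, name in ordered if pref < own[0]]
    return [name for _, name in ordered]

def deliver(host, connect, local_host=None):
    """Try each exchanger in order; connect(exchanger) returns OK, TEMP or PERM.

    Returns ("sent", exchanger) on success. Otherwise the result is
    decided by the last exchanger tried: a permanent failure there
    bounces the message, a temporary one leaves it queued for retry."""
    status, last = None, None
    for exchanger in mx_order(host, local_host):
        status, last = connect(exchanger), exchanger
        if status == OK:
            return ("sent", exchanger)
    if last is None:
        # every exchanger was the local host or worse: the MX data points back at us
        return ("loops back to local host", host)
    return ("bounced" if status == PERM else "queued", last)

def scenario(outcomes):
    """Build a connect() from {exchanger: outcome}; unlisted hosts fail temporarily."""
    return lambda exchanger: outcomes.get(exchanger, TEMP)
```

Run deliver("bling.paf.edu", scenario({"munch.pag.edu": PERM})) to see the case the text describes: bling and wheo fail temporarily, munch fails permanently, and the message is returned as an error naming munch.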
Figure 4-2 sendmail Client-Server Operation (diagram). In the company.com domain, the host mailserv receives incoming remote mail from the Internet both for user1@mailserv.company.com and for user1@mailclient, exchanges local mail with the users on mailclient, and sends user1's outgoing remote mail as user1@mailserv.company.com. Outgoing mail from user1 can be "local" mail that is intended for any user on mailclient.
Installing and Administering sendmail How sendmail Works also modify the /etc/mail/sendmail.cf file so that the clients relay all outbound mail to the server; this is described in “Modifying the Default sendmail Configuration File” on page 185. How sendmail Handles Errors By default sendmail immediately reports to standard output any errors that occur during the routing or delivery of a message. sendmail distinguishes between “temporary failures” and “permanent failures.
Installing and Administering sendmail How sendmail Works For more information, see “MX Records” on page 175. If delivery failed on an alias, and an owner is configured for that alias in the aliases database, sendmail returns the message and transcript to the alias owner. If there is an Errors-To: header line in the message header, sendmail returns the message and transcript to the address on the Errors-To: line instead of to the sender.
Installing and Administering sendmail How sendmail Works sendmail then processes the message just as it did when it was originally collected. If sendmail detects, from the time stamp in a queued message, that the message has been in the mail queue longer than the queue timeout, it returns the message to the sender. The queue timeout is set with the Timeout.queuereturn option in the /etc/mail/sendmail.cf file and, by default, is five days.
Sendmail and the LDAP Protocol

LDAP (Lightweight Directory Access Protocol) lets servers share directory information that changes rarely, such as users' mailbox addresses. sendmail can use LDAP to look up addresses, so that this information is maintained in one place and retrieved on demand. The ldapx map class is the database type that sendmail uses to look up items in the LDAP directory service.
    #R$+ < @ $+ >    $: $(ldap $1 $: $1<@$2>$)    ldap support

3. Uncomment the following line in the configuration file:

    Kldap ldapx -k"uid=%s" -v"mail" -htest.india.hp.
Installing and Administering sendmail Modifying the Default sendmail Configuration File Modifying the Default sendmail Configuration File The sendmail configuration file that is supplied with HP-UX will work correctly for most sendmail configurations, so you probably do not need to modify it. However, certain modifications to the file are supported. This section describes examples of modifications that you may want to make.
Installing and Administering sendmail Modifying the Default sendmail Configuration File recipient addresses are to be interpreted. • Defines the delivery agents (mailers) to be used for delivering the mail. • Specifies how sendmail should rewrite addresses in the header, if necessary, so that the message address can be understood by the receiving host. The address rewriting process is controlled by sets of address rewriting rules called “rulesets.
allowed in the mail header. If a mail header exceeds the maximum value (set with the MaxHeadersLength option in sendmail.cf), the message is refused and the sender receives an error of the form:

    552 Headers too large

Limiting Message Recipients

By default, the maximum number of recipients is 100. You can lower the number of recipients allowed on a single mail message. This helps discourage the flow of spam through the mail server.
Installing and Administering sendmail Migrating the sendmail Configuration File Migrating the sendmail Configuration File Beginning with the earlier HP-UX 10.20 release, the format of the sendmail configuration file /etc/mail/sendmail.cf changed from the version 1 format to the version 6 format. You cannot use a pre-10.20 version (that is, version 1) of the sendmail configuration file with the sendmail included with HP-UX 10.20 and later.
Installing and Administering sendmail Migrating the sendmail Configuration File sendmail configuration file contains many site-specific rulesets that are not easily redefined in the version 6 sendmail.cf format.
Installing and Administering sendmail Security Security sendmail on HP-UX 10.30 and later allows the aliases file or a user’s .forward file to specify programs to be run. These programs are by default invoked through /usr/bin/sh -c. The sendmail restricted shell (smrsh) program allows you to restrict the programs that can be run through the aliases file or through a .forward file; only programs that are linked to the /var/adm/sm.bin directory can be invoked. To use the smrsh program: 1.
In the sendmail.cf file, set DontBlameSendmail=option_value, where option_value is any of the options listed in Table 4-3. The default value is safe, which means every file sendmail reads must pass its safety checks; each other value switches off one of those checks, and the value you set replaces the default. Relax a check only when you understand what it permits, because an alias or .forward file that an attacker can replace lets that attacker run programs as the receiving user.

Table 4-3 option_values for DontBlameSendmail

    Option Value                      Description
    safe                              Allows only files in safe directories. All files accessed by sendmail must be safe.
    LinkedAliasFileInWritableDir      Allows an alias file that is a link in a writable directory.
    LinkedClassFileInWritableDir      Allows class files that are links in writable directories.
    LinkedForwardFileInWritableDir    Allows .forward files that are links in writable directories.
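Before relaxing DontBlameSendmail it is worth knowing which files on the system would actually fail the default safe checks. The following is an added example, not HP or sendmail code: it approximates the conditions for one file (owned by the expected user or root, not group- or world-writable, not a symbolic link, not in a group- or world-writable directory) and names the Table 4-3 option that a symbolic link in a writable directory would require. The directory tree it audits is constructed in a temporary location so the check runs offline; the finding strings other than the option name are this example's own.

```python
"""Check whether a .forward or aliases file would pass sendmail's file-safety tests."""
import os
import stat
import tempfile

def audit_file(path, expected_uid, kind="Forward"):
    """Return the list of safety problems for path (an empty list means safe).
    kind is Forward, Alias or Class, matching the Linked*FileInWritableDir names."""
    path = os.path.abspath(path)
    parent = os.path.dirname(path)
    dir_mode = os.stat(parent).st_mode
    dir_writable = bool(dir_mode & (stat.S_IWGRP | stat.S_IWOTH))
    findings = []
    if os.path.islink(path):
        findings.append(
            "symlink in writable directory (needs DontBlameSendmail=Linked%sFileInWritableDir)" % kind
            if dir_writable else "symlink")
    try:
        st = os.stat(path)            # follows the link, as sendmail's open() would
    except FileNotFoundError:
        return findings + ["missing"]
    if st.st_uid not in (expected_uid, 0):
        findings.append("not owned by the user or root")
    if st.st_mode & stat.S_IWGRP:
        findings.append("group-writable file")
    if st.st_mode & stat.S_IWOTH:
        findings.append("world-writable file")
    if dir_writable:
        findings.append("group- or world-writable directory")
    return findings

def demo():
    """Build two constructed home directories and audit their .forward files."""
    base = tempfile.mkdtemp()
    uid = os.getuid()

    safe_home = os.path.join(base, "alice")
    os.mkdir(safe_home)
    os.chmod(safe_home, 0o700)
    safe_fwd = os.path.join(safe_home, ".forward")
    with open(safe_fwd, "w") as fh:
        fh.write("alice@mailserv.company.com\n")
    os.chmod(safe_fwd, 0o600)

    unsafe_home = os.path.join(base, "bob")
    os.mkdir(unsafe_home)
    os.chmod(unsafe_home, 0o777)      # anyone could replace bob's .forward
    real = os.path.join(unsafe_home, "forward.real")
    with open(real, "w") as fh:
        fh.write('"|/usr/bin/sh -c evil"\n')   # a program target, see Table 4-1
    os.chmod(real, 0o666)
    unsafe_fwd = os.path.join(unsafe_home, ".forward")
    os.symlink(real, unsafe_fwd)

    return {"alice": audit_file(safe_fwd, uid), "bob": audit_file(unsafe_fwd, uid)}
```

Run demo() on a POSIX system: alice's file comes back clean, while bob's is reported as a symbolic link in a writable directory, a group- and world-writable file, and a writable home directory. With DontBlameSendmail=safe sendmail would ignore bob's .forward rather than run the command it names.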
Installing and Administering sendmail Security • PrivacyOptions=noverb The noverb flag will disable the SMTP VERB command, turning off verbose mode.
Installing and Administering sendmail Configuring sendmail to Reject Unsolicited Mail Configuring sendmail to Reject Unsolicited Mail You can set up sendmail so that unsolicited or spam mail (unsolicited mail sent to large numbers of users) is not transmitted through or received by users on the network. The first step in configuration is to enable the anti-spamming rulesets. You then edit other configuration files to control mail transmission.
/etc/Mail/Spammer and /etc/Mail/SpamDomains files.

Rejecting Mail from Specific Users

Enter the user's complete mail address into the /etc/Mail/Spammer file, one address per line:

    sally@cup.hp.com
    john@rose.hp.com

All messages from Sally and John will be rejected.

Rejecting Mail from All Users in a Specific Domain

Enter the domain name into the /etc/Mail/SpamDomains file, one domain per line:

    pests.com
    rose.hp.
Installing and Administering sendmail Configuring sendmail to Reject Unsolicited Mail Specifying Local Hosts that can Use Your Machine as a Host You can identify hosts for which you are willing to receive and forward mail messages either by IP address or hostname. NOTE You cannot specify domain names here. • Enter the IP address of the local hosts for which you are willing to act as a relay host in the file /etc/Mail/LocalIP. 199.28.9.20 199.32.7.
Installing and Administering sendmail Configuring sendmail to Reject Unsolicited Mail Screening Incoming Network Connection Requests The check_relay ruleset allows you to examine incoming network connections and accept or reject them based on hostnames, domain, or IP addresses. To reject relay access to specific hosts, specify the IP address of the host in the /etc/Mail/DeniedIP file. 15.10.43.248 15.10.43.
Installing and Administering sendmail Configuring sendmail to Reject Unsolicited Mail • Relaying Capability • Validating Senders • Checking Headers Enabling Sendmail Anti-Spamming Security Features You must run the gen_cf script to turn on relaying, validating, and checking features. The access database also allows you to control the message flow. See the section “Using the Access Database to Allow or Reject Mail Messages” on page 198 for more information. Running the gen_cf Script 1. Become user root. 2.
Installing and Administering sendmail Configuring sendmail to Reject Unsolicited Mail Access Database Format This section includes a few key points about the database and describes the format of the database. • Every line of the access database file has a key and a value pair. • The value part of the database can be any of the following as listed in Table 4-4. The key can be an IP address, a domain name, a hostname or an e-mail address.
Below is a sample access database file, /etc/mail/access.

Table 4-5 Access Database Text File Example

    cyberspammer.com        550 We don't accept mail from spammers
    okay.cyberspammer.com   OK
    128.32                  RELAY
    spammer@aol.com         REJECT
    192.168.212             DISCARD

In the above access database file, all mail messages from the cyberspammer.com domain are rejected and the error message "550 We don't accept mail from spammers" is returned to the sender.
Installing and Administering sendmail Configuring sendmail to Reject Unsolicited Mail mail through your site. Relay Entire Domain: Relaying from Any Host in the Domain By default only hosts listed as RELAY in the Access Database are allowed to relay messages. The hosts must be defined in the m class ($=m) macro to relay. However, this feature allows any host in your domain to relay mail messages.
described in this section. Any of these features can be enabled when you run the gen_cf script, which is distributed with Sendmail.
• Accept Unresolvable Domains
• Accept Unqualified Senders
• Black list Recipients
• Real-time Blackhole List

Accept Unresolvable Domains

By default sendmail rejects a MAIL FROM: address whose domain cannot be resolved through DNS. This feature makes sendmail accept such addresses. Enable it only on hosts that cannot reach a name server, because it removes a simple check against forged sender addresses.
Example 2

    spammer@aol.com     REJECT
    cyberspammer.com    REJECT

Mail can't be sent to spammer@aol.com or to anyone at cyberspammer.com.

Real-time Blackhole List

This feature rejects mail from hosts listed in the Real-time Blackhole List, a DNS zone served by rbl.maps.vix.com. sendmail queries the list through DNS: a listed host appears in the zone as an A record under its IP address written in reverse octet order, for example:

    1.5.5.192.rbl.maps.vix.com. IN A 127.0.0.
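The access database of Table 4-5 and the Black list Recipients entries of Example 2 are both read with the same lookup. The following is an added example, not HP or sendmail code: it parses the two-column text form of the file and applies the matching order sendmail's access map uses, trying a host name whole and then with leading labels removed, an IP address whole and then with trailing octets removed, and a mail address as the full address and then as its domain. The access text is the table's example re-entered here; the addresses used in the tests are invented.

```python
"""Evaluate a sendmail-style access database for a host, sender or recipient."""

SAMPLE_ACCESS = """
cyberspammer.com        550 We don't accept mail from spammers
okay.cyberspammer.com   OK
128.32                  RELAY
spammer@aol.com         REJECT
192.168.212             DISCARD
"""

ACTIONS = ("OK", "RELAY", "REJECT", "DISCARD")

def parse_access(text):
    """Return {key: value} from the text form; keys are compared case-insensitively."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            table[parts[0].lower()] = parts[1].strip()
    return table

def candidate_keys(key):
    """Keys to try for one lookup, most specific first."""
    key = key.lower()
    if "@" in key:
        domain = key.rsplit("@", 1)[1]
        return [key] + candidate_keys(domain)
    labels = key.strip("[]").split(".")
    if all(label.isdigit() for label in labels):                 # IP address
        return [".".join(labels[:i]) for i in range(len(labels), 0, -1)]
    return [".".join(labels[i:]) for i in range(len(labels))]     # host or domain

def lookup(key, table):
    """Return (matched_key, value) for the first candidate present, else (None, None)."""
    for candidate in candidate_keys(key):
        if candidate in table:
            return candidate, table[candidate]
    return None, None

def decide(key, table):
    """Return (action, message): one of OK, RELAY, REJECT, DISCARD; ERROR with the
    configured SMTP reply; or NONE when nothing matches and the default policy applies."""
    _, value = lookup(key, table)
    if value is None:
        return ("NONE", "")
    first = value.split()[0]
    if first in ACTIONS:
        return (first, "")
    if len(first) == 3 and first.isdigit():
        return ("ERROR", value)
    return ("UNKNOWN", value)

ACCESS = parse_access(SAMPLE_ACCESS)
```

Note that okay.cyberspammer.com is accepted only because the more specific key is found before the domain key; an entry for a whole domain otherwise covers every host beneath it, and a RELAY entry for a network prefix such as 128.32 opens relaying to every address in it.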
Installing and Administering sendmail Configuring sendmail to Reject Unsolicited Mail If any of the “check” rulesets (check_mail, check_rcpt, check_relay, or check_compat) or the header checking ruleset resolves a mail address to the $#discard mailer, then all the SMTP commands will be accepted, but the message will be discarded. If only one of message recipients address resolves to the $#discard mailer, none of the recipients will receive the mail message.
Installing and Administering sendmail Configuring sendmail to Reject Unsolicited Mail • The "QueueSortOrder" option is case sensitive.
Turning off Virtual Interfaces

You can disable the ability to include all the interface names in the $=w macro on startup. Turning off virtual interfaces speeds up the startup process. However, if you turn virtual interfaces off, mail sent to those addresses will bounce back to the sender. To turn off virtual interfaces, do the following:
• Open the sendmail.cf file.
• Uncomment the line "DontProbeInterfaces.
Installing and Administering sendmail Troubleshooting sendmail Troubleshooting sendmail This section describes the following techniques for troubleshooting sendmail: • “Keeping the Aliases Database Up to Date” on page 207 • “Verifying Address Resolution and Aliasing” on page 208 • “Verifying Message Delivery” on page 208 • “Contacting the sendmail Daemon to Verify Connectivity” on page 209 • “Setting Your Domain Name” on page 210 • “Attempting to Start Multiple sendmail Daemons” on page 210 • “Configuring
Installing and Administering sendmail Troubleshooting sendmail Verifying Address Resolution and Aliasing In order to deliver a message, sendmail must first resolve the recipient addresses appropriately. To determine how sendmail would route mail to a particular address, issue the following command: /usr/sbin/sendmail -bv -v -oL10 address [address...] The -bv (verify mode) option causes sendmail to verify addresses without collecting or sending a message.
type a period (.) on a line by itself, as in the following example:

    This is only a test.
    .

sendmail responds with the following information:

    myname@cup.hp.com... Connecting to local host (local)...
    myname@cup.hp.com... Executing "/bin/rmail -d myname"
    myname@cup.hp.com... Sent

sendmail has interfaces to three types of delivery agents.
particular address. For example:

    telnet furschlugginer 25
    220 furschlugginer.bftxp.edu SMTP server ready
    vrfy aen
    250 Alfred E. Newman
    vrfy blemph@morb.poot
    554 blemph@morb.poot: unable to route to domain morb.poot
    quit
    221 furschlugginer.bftxp.edu SMTP server shutting down

Not all SMTP servers support the VRFY and EXPN commands. Because they let any network client confirm which user names and mailing lists exist on the host, many sites disable them; the PrivacyOptions setting in sendmail.cf, shown with noverb under "Security", also accepts novrfy and noexpn for this purpose.
Installing and Administering sendmail Troubleshooting sendmail Configuring and Reading the sendmail Log sendmail logs its mail messages through the syslogd logging facility. The syslogd configuration should write mail logging to the file /var/adm/syslog/mail.log. You can do this by adding the following line in /etc/syslog.conf: mail.debug /var/adm/syslog/mail.
Installing and Administering sendmail Troubleshooting sendmail Table 4-6 sendmail Logging Levels 5 Messages being added to the queue in routine circumstances. 6 Unusual but benign incidents, such as trying to process a locked queue file. 9 Log internal queue ID to external message ID mappings. This can be useful for tracing a message as it travels between several hosts. 10 The name of the mailer used, the host (if non-local), and the user name passed to the mailer are logged.
Installing and Administering sendmail Troubleshooting sendmail be used to trace the progress of a message through mail relays. from= The sender of the message and the message size are logged. to= The recipient of the message. One message may have multiple recipients. sendmail logs a separate entry for each separate delivery attempt it makes, so multiple recipients on the same host may appear on the same line, but multiple recipients on different hosts will appear on different lines.
Printing and Reading the Mail Queue

The current contents of the mail queue can be printed with the following command:

    mailq

The output looks similar to this example:

    Mail Queue (3 requests)
    --QID--- --Size-- -----Q-Time----- ------------Sender/Recipient------------
    AA15841       86 Wed Feb 9 07:08  janet
                     (Deferred: Connection refused by med.hub.com)
                                      ees@vetmed.umd.edu
                                      ebs@surv.ob.com
    AA15794     1482 Wed Feb 9 07:57  carole
                                      bja@edp.cloq.potlatch.com
                                      vls@ee.cmu.
Installing and Administering sendmail Troubleshooting sendmail the queue, it will also show the priority of each queued message. The Files in the Mail Queue The files that sendmail creates in the mail queue all have names of the form zzTAAnnnnn, where zz is the type of the queue file and TAA is an identifier used to distinguish separate queue entries that happen to have the same process ID. sendmail starts with TAA and loops through TAB, TAC, and so on, until it is able to form a unique ID.
Installing and Administering sendmail Troubleshooting sendmail Table 4-7 Lines in Queue-Control Files Initial Letter Content of Line P The current message priority. This is used to order the queue. Higher numbers mean lower priorities. The priority decreases (that is, the number grows) as the message sits in the queue. The initial priority depends on the message precedence, the number of recipients, and the size of the message. M A message.
5. Configuring TFTP and BOOTP Servers

The Trivial File Transfer Protocol (TFTP) is a simple protocol used to read and write files to or from a remote system.
Configuring TFTP and BOOTP Servers The Bootstrap Protocol (BOOTP) allows certain systems to discover network configuration information (such as an IP address and a subnet mask) and boot information automatically. Together, TFTP and BOOTP allow a system to provide boot information for client systems that support BOOTP, such as HP’s 700/X terminal. These protocols are implemented on top of the Internet User Datagram Protocol (UDP), so they can be used across networks that support UDP.
Chapter Overview

The topics covered in this chapter include the following:
• "How BOOTP Works" on page 220
• "Booting RMP Clients" on page 223
• "Configuring the TFTP Server" on page 225
• "Configuring the BOOTP Server" on page 228
• "Adding Client or Relay Information" on page 230
• "Command Options for Using TFTP" on page 238
• "Troubleshooting BOOTP and TFTP Servers" on page 239
Configuring TFTP and BOOTP Servers How BOOTP Works How BOOTP Works The Bootstrap Protocol (BOOTP) allows a client system to discover its own IP address, the address of a BOOTP server, and the name of a file to be loaded into memory and executed. The bootstrap operation happens in two phases. In the first phase, address determination and bootfile selection occur. This phase uses the BOOTP server, bootpd.
Configuring TFTP and BOOTP Servers How BOOTP Works interface (lan0). The bootrequest also contains the client’s hardware address, and, if known, its IP address. 3. The BOOTP server checks to see if boot information for the client is in its database. If boot information for the client is available in the server’s database, the server answers the bootrequest with a bootreply packet. 4.
A to server B to server C. Server C finds the client's boot information in its database, and sends the bootreply back to server A. Server A then sends the bootreply to the client.

Figure 5-1 Bootrequest Relay Example (diagram). The client's bootrequest (1) is relayed from server A through server B to server C, and the bootreply (2) returns through the same servers to the client.

NOTE BOOTP clients can be booted over a gateway; however, the BOOTP server with the relay information for the client must be on the same side of the gateway as the client.
Configuring TFTP and BOOTP Servers Booting RMP Clients Booting RMP Clients Remote Maintenance Protocol (RMP) is an HP-proprietary boot and file transfer protocol used in early Series 700 workstations and in the Datacommunications and Terminal Controllers (DTC/9000). The rbootd daemon allows BOOTP servers to serve clients that use RMP. rbootd must be run on a BOOTP server on the same subnet as the RMP client. That is, both rbootd and bootpd must run on the same system.
Configuring TFTP and BOOTP Servers Booting RMP Clients daemon, which then sends the bootreply back to the rbootd daemon on its local system. rbootd uses either NFS or TFTP to transfer boot files from the remote server to its local system. (TFTP is the default file transfer method.) rbootd then transfers bootable images to the client in the form of RMP packets. If TFTP is used to transfer boot files from a remote server, the boot files must be accessible via TFTP.
Configuring TFTP and BOOTP Servers Configuring the TFTP Server Configuring the TFTP Server To manually configure the TFTP server, tftpd, you need to modify the tftpd entry in the /etc/inetd.conf file or create an entry for the user tftp in the /etc/passwd file. If you use SAM to configure your system as a BOOTP server, your system is automatically configured as a TFTP server. The following sections explain the manual method for configuring and verifying tftpd.
    $ mkdir /home/tftpdir
    $ chown tftp /home/tftpdir
    $ chgrp guest /home/tftpdir
    $ chmod 700 /home/tftpdir

• Specify the files available to clients in the tftpd command line in /etc/inetd.conf:

    tftpd dgram udp wait root /usr/lbin/tftpd tftpd [path...]

[path...] is a list of the files or directories that you want to make available to TFTP clients. File or directory names are separated by spaces.
Configuring TFTP and BOOTP Servers Configuring the TFTP Server tftpd command, you must specify the full path name. If this step fails, see “Troubleshooting BOOTP and TFTP Servers” on page 239. 3. Compare the ASCII files to verify data transfer: $ diff testfile /export/testfile $ 4. Remove the test file once you have verified the installation.
Configuring TFTP and BOOTP Servers Configuring the BOOTP Server Configuring the BOOTP Server To manually configure the BOOTP server daemon, bootpd, you need to add entries to the files /etc/services and /etc/inetd.conf. When you use SAM to do the configuration, entries are made to the appropriate files automatically. The following sections explain the manual method for configuring and verifying bootpd. NOTE You must be superuser to configure the BOOTP server.
Configuring TFTP and BOOTP Servers Configuring the BOOTP Server Verify Your bootpd Installation The verification step only ensures that bootpd is started by inetd. To test whether you have correctly configured bootpd to handle boot requests, perform the following steps: 1. On the host where you configured bootpd, use bootpquery to send a boot request to the server. (Type man 1M bootpquery for more information.
Configuring TFTP and BOOTP Servers Adding Client or Relay Information Adding Client or Relay Information To allow a client to boot from your local system or to allow a bootrequest to be relayed to the appropriate boot server, you must add information about the client in your /etc/bootptab file. bootpd uses the /etc/bootptab file as the database for two types of entries: • Client entries that contain information that allows the clients to boot from your system.
where the client resides.
• Gateway address—the address of the gateway that connects the client’s local subnet to the BOOTP server’s subnet.
• Boot server(s) for client—the boot servers to which the local system will relay the client’s bootrequest.
• Threshold value—the number of seconds since the client sent its first request.
• Maximum hops—the maximum number of hops that the client’s bootrequest can be forwarded.
(hardware address) and hm (hardware mask) tags.
• If the gw (gateway IP address) tag is specified, the sm (subnet mask) tag must also be specified.

Other points to know when adding an entry in /etc/bootptab include the following:
• IP addresses listed for a single tag must be separated by a space.
• A single client entry can be extended over multiple lines if you use a backslash (\) at the end of each line.
Table 5-1 Tags for Defining Client Options in bootptab

sm  The subnet mask for the client’s network.
tc  Specifies a previously-listed entry that contains tag values that are shared by several client entries.
vm  The format of the vendor extensions on the bootrequest and bootreply.
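The entry rules above (colon-separated tag=value fields, backslash continuation, space-separated address lists, tc inheritance from a previously listed entry, and gw requiring sm) can be checked before bootpd ever reads the file. The following parser and validator is an added example, not HP's bootpd code; the bootptab text it reads is constructed for the example, and the checks it applies are only the ones the text states.

```python
"""Parse and sanity-check /etc/bootptab client entries.

Added example, not HP's bootpd code. It implements the entry rules the
text states: tag=value fields separated by colons, backslash line
continuation, space-separated IP lists, tc= inheritance from a
previously listed entry, and the rule that gw requires sm.
"""
import ipaddress

# Constructed sample bootptab text (not taken from a real system).
SAMPLE_BOOTPTAB = r"""
# template shared by the X terminals
xterm-common: sm=255.255.248.0: gw=15.19.8.1: ds=15.19.8.119: \
    bf=/xterminal:

term01: tc=xterm-common: ht=ether: ha=080009030165: ip=15.19.8.37:
term02: ht=ether: ha=080009030166: ip=15.19.8.39: gw=15.19.8.1:
"""

# tags whose value is a space-separated list of IP addresses
IP_LIST_TAGS = ("gw", "ds", "lg", "ts", "ns")


def join_continuations(text):
    """Yield logical lines, joining lines that end in a backslash."""
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip().startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf


def parse_bootptab(text):
    """Return {entry_name: {tag: value}} with tc= templates expanded."""
    entries = {}
    for line in join_continuations(text):
        fields = [f.strip() for f in line.split(":") if f.strip()]
        name, tags = fields[0], {}
        for field in fields[1:]:
            tag, _, value = field.partition("=")
            if tag == "tc":
                # inherit from a previously listed entry; later tags override
                tags.update(entries[value])
            else:
                tags[tag] = value        # boolean tags such as "hn" get ""
        entries[name] = tags
    return entries


def check_entry(tags):
    """Return a list of problems found in one expanded entry."""
    problems = []
    if "gw" in tags and "sm" not in tags:
        problems.append("gw given without sm")
    for tag in ("ip", "sm"):
        if tag in tags:
            try:
                ipaddress.IPv4Address(tags[tag])
            except ValueError:
                problems.append(f"bad {tag} value {tags[tag]!r}")
    for tag in IP_LIST_TAGS:
        if tag in tags:
            for addr in tags[tag].split():      # lists are space separated
                try:
                    ipaddress.IPv4Address(addr)
                except ValueError:
                    problems.append(f"bad address {addr!r} in {tag}")
    return problems


if __name__ == "__main__":
    for name, tags in parse_bootptab(SAMPLE_BOOTPTAB).items():
        print(name, tags, check_entry(tags))
```

In the constructed sample, term01 inherits sm, gw, ds and bf from xterm-common and passes, while term02 sets gw without sm and is reported.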
Examples of Adding BOOTP Clients

This section shows examples of adding entries to the /etc/bootptab file. The first example shows how to configure a BOOTP server for an HP 700/X terminal. The second example shows how to configure a BOOTP server to relay a client’s bootrequest to another server.

Example 1: Adding an HP 700/X Terminal as a Client

Figure 5-3 shows the network configuration for this example.
/usr/sbin/bootpquery 080009030165 -s hpserver

The following output is displayed:

Received BOOTREPLY from hpserver.hp.com (15.19.8.119)
Hardware Address:   08:00:09:03:01:65
Hardware Type:      ethernet
IP Address:         15.19.8.37
Boot file:          /xterminal

RFC 1048 Vendor Information:
Subnet Mask:        255.255.248.0
Gateway:            15.19.8.1
Domain Name Server: 15.19.8.119
Host Name:          term01.hp.
Figure 5-4 Example Configuration: Relay Entry (figure: BOOTP Server B (HP Only) and BOOTP Server C (Others) with IP addresses 15.4.3.142, 15.4.3.136 and 15.4.3.138 shown; BOOTP Server A, IP address 15.4.8.1; Client with host name xterm02, IP address 15.19.8.
ip=15.19.8.39: sm=255.255.248.0: \
gw=15.19.8.1: ds=15.19.8.119: bf=/xterminal:

The gateway address (gw=15.19.8.1) is passed back to the client in the bootreply and allows the client to send a TFTP request to the BOOTP server to get its boot file.

To verify the new /etc/bootptab entry, do the following:

1.
3. Remove the ba tag entry from the /etc/bootptab file.

Command Options for Using TFTP

Internet Services includes a TFTP client implementation, /usr/bin/tftp. You can use this client to verify that your TFTP server is working correctly.
Troubleshooting BOOTP and TFTP Servers

This section outlines techniques that can help you diagnose and correct common problems with the BOOTP and TFTP servers.

Helpful Configuration Changes

To make troubleshooting easier, configure your system as follows:
• Ensure syslogd is configured to log daemon information messages to the file /var/adm/syslog/syslog.log. To check this configuration, make sure /etc/syslog.
broadcast bootreply by adding the ba tag to the client’s /etc/bootptab entry. Use the bootpquery command to emulate the client’s bootrequest:

bootpquery client_link_address -s servername

bootpquery prints the reply it receives from the server, which allows you to examine the information supplied to the client. Remove the ba tag from the configuration entry once you’ve verified the correctness of the bootreply.
reboot the BOOTP client.
❏ Ensure that the hardware address you specified for the ha tag matches the hardware address that /usr/lbin/bootpd said it could not find. Correct the tag and reboot the BOOTP client.
❏ Ensure the hardware type tag ht has the correct value for the client. For example, if you have specified ether but the client is reporting ieee in its bootrequest, bootpd will reject the request.
address for the server’s network.
lg = log_server_addresses
sm = subnet_mask
to = time_offset
Tnnn = generic_information

Cause: Too many RFC-1048 options have been specified for the client’s configuration entry in /etc/bootptab. The BOOTP protocol allows only 64 bytes of “vendor extension” information.
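The 64-byte limit is easy to exceed once several address-list tags are combined, because each RFC 1048 option costs a code byte, a length byte and four bytes per address, on top of the 4-byte magic cookie and the END byte. The following encoder is an added example, not bootpd code: it turns a set of bootptab tag values into the RFC 1048 vendor area and reports whether it fits. The option codes used (1 subnet mask, 2 time offset, 3 gateway, 4 time server, 5 IEN name server, 6 domain name server, 7 log server, 12 host name) are the RFC 1048 assignments; the sample tag values are constructed.

```python
"""Size check for the RFC 1048 vendor extension area of a bootreply.

Added example, not bootpd code. It encodes a few bootptab tags as
RFC 1048 options and reports whether the result fits in the 64-byte
BOOTP vend field.
"""
import ipaddress
import struct

VEND_LIMIT = 64
MAGIC_COOKIE = bytes([99, 130, 83, 99])   # RFC 1048 vendor magic cookie
END = bytes([255])                        # RFC 1048 END option

# bootptab tag -> RFC 1048 option code for the address-list tags
ADDR_LIST_TAGS = {"sm": 1, "gw": 3, "ts": 4, "ns": 5, "ds": 6, "lg": 7}


def _option(code, payload):
    """One RFC 1048 option: code, length, payload."""
    return bytes([code, len(payload)]) + payload


def encode_vendor_area(tags):
    """Return the vend bytes for a dict of bootptab tag values.

    Address-list values are space separated, as in /etc/bootptab.
    "to" is a signed 32-bit seconds offset; "hn" here carries the host
    name string to send (assumption made for this example).
    """
    out = bytearray(MAGIC_COOKIE)
    for tag, value in tags.items():
        if tag in ADDR_LIST_TAGS:
            payload = b"".join(ipaddress.IPv4Address(a).packed
                               for a in value.split())
            out += _option(ADDR_LIST_TAGS[tag], payload)
        elif tag == "to":
            out += _option(2, struct.pack(">i", int(value)))
        elif tag == "hn":
            out += _option(12, value.encode())
        else:
            raise ValueError(f"tag {tag} not handled by this example")
    out += END
    return bytes(out)


def vendor_area_report(tags):
    """Size of the encoded vend field and whether bootpd could send it."""
    vend = encode_vendor_area(tags)
    return {"bytes": len(vend), "fits": len(vend) <= VEND_LIMIT}


# Constructed entries: a small one that fits and a large one that does not.
SMALL_ENTRY = {"sm": "255.255.248.0", "gw": "15.19.8.1",
               "ds": "15.19.8.119", "hn": "term01"}
LARGE_ENTRY = {"sm": "255.255.248.0", "to": "-28800",
               "gw": "15.19.8.1 15.19.8.2",
               "ds": "15.19.8.119 15.19.8.120 15.19.8.121 15.19.8.122",
               "lg": "15.19.8.10 15.19.8.11 15.19.8.12 15.19.8.13",
               "hn": "term01.cup.hp.com"}

if __name__ == "__main__":
    print(vendor_area_report(SMALL_ENTRY))
    print(vendor_area_report(LARGE_ENTRY))
```

Running the report over an entry before adding it to /etc/bootptab shows which address lists to trim when the "too many options" condition above is logged.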
It might be helpful to try the transfer from another node on your network rather than from the server node itself. If the server still fails to start when the client attempts the file transfer, then you probably have a connectivity problem. Refer to Installing and Administering LAN/9000 Software or the BOOTP client manual (for example, HP 700/X documentation).

Symptom: File transfer “timed out.
specify at least one file or directory with the tftpd command. Make sure that you specify the full path name when attempting to get a file from a directory specified with the tftpd command.

Symptom: File transfer fails with Access Violation, Permission Denied, or TFTP Error Code 2 message.

Cause: tftpd does not have permission to read the file.
Information Log Level

The following messages are logged at the syslogd information log level.

• exiting after time minutes of inactivity
If bootpd hasn’t received a bootrequest within time minutes (the timeout set with the -t option), it issues this message and exits.

• reading configuration_file
• reading new configuration_file
bootpd is reading or rereading configuration information from the indicated configuration_file.
• bootptab mtime is time
bootpd uses the indicated modification time to determine if the configuration file has been modified and should be reread. This message is logged at debug level 3.

Notice Log Level

There may be cases where bootpd receives a bootrequest but does not send a bootreply.
addresses separated by a space, and/or one or more network broadcast addresses.

• bad hardware mask value for host hostname
The value for the hardware address mask tag hm was incorrectly formatted in the configuration file entry for hostname. Correct the configuration entry and try to reboot the BOOTP client. The subnet mask must be specified in hex.
The value for the to tag was not a valid number. Correct the configuration entry and try to reboot the BOOTP client. The to value may be either a signed decimal integer or the keyword auto, which uses the server’s time zone offset.

• bad vendor magic cookie for host hostname
The vendor magic cookie, specified with the vm tag, was incorrectly formatted. Correct the configuration entry and try to reboot the BOOTP client.
6 Dynamic Host Configuration Protocol (DHCP)

DHCP (Dynamic Host Configuration Protocol) is an extension of bootp that defines a protocol for passing configuration information to hosts on a
TCP/IP network. The key use for DHCP is its capability to automatically allocate IP addresses to clients booting on the TCP/IP network for the first time. The DHCP server passes full IP information and other start-up information to clients, including the name of the Domain Name Service (DNS) server.
Overview

DHCP is built on top of bootp. There is one executable (/usr/lbin/bootpd) and one daemon (bootpd) that handles the job for DHCP and BOOTP. Also the DHCP and BOOTP daemon is a subsidiary of inetd, and will be started or restarted automatically (that is, as requests are passed to it). This chapter provides information to help you configure DHCP servers and troubleshoot potential problems with DHCP servers.
DHCP Components and Concepts

The primary components of DHCP discussed in this section include the DHCP server, DHCP client, and DHCP leases.

DHCP Servers

The DHCP server dispenses and manages network IP addresses. It assigns IP addresses to clients that are connecting to the network for the first time. When a client connects to the network, the server automatically assigns it an IP address from an appropriate pool of addresses.
DHCP Leases

The DHCP server has control of the IP address block. It grants DHCP clients permission to use IP addresses on a lease basis. The IP address is “leased” to the client for a fixed amount of time. The administrator sets the lease time, which can last from 120 seconds to infinity. During the lease, DHCP guarantees that the IP address assigned to the client will not be re-assigned to another client.
network. HP strongly recommends that you have only one DHCP server on the network. If the client likes the offer, it sends a DHCPREQUEST packet to the server. This indicates a formal request to lease the IP address offered by the server.

NOTE The HP-UX client rejects offers for IP addresses with very short lease times. For example, the client will reject an offer with a lease time of 10 seconds.

Step 4.
Figure 6-1 DHCP Client and Server Transaction (figure; the exchange it shows is:)
STEP 1: Client sends DHCPDISCOVER broadcast packet
STEP 2: Server receives DHCPDISCOVER packet and offers available IP address to client by sending DHCPOFFER
STEP 3: Client receives DHCPOFFER and sends DHCPREQUEST requesting the IP address lease offered
STEP 4: Server receives DHCPREQUEST and grants IP address lease officially by sending D
Dynamic Updates

DHCP can now dynamically update the DNS server. DHCP updates DNS with the host name and IP address of the client. For every client DHCP assigns a name and IP address to, it also adds an address record (“A”), a pointer record (“PTR”), and a resource record (“RR”) of that client to the DNS server. To assign a name for every IP address, there is a new tag known as “pcsn.
Figure 6-2 DHCP Server and DNS Server running on HP-UX (figure: one HP-UX host running the DNS server, named, and the DHCP server, /usr/lbin/bootpd)

Configuring the DHCP Server to Perform Dynamic Updates

Add the tags “pcsn” and “ddns-address,” which specifies the address of the DDNS server, to the dhcp_pool_group or the dhcp_device_group keywords to enable the DHCP server to update the DDNS. The ddns-address must be the IP address of a local DHCP server.
Configuration Overview

You should configure and administer the DHCP server using SAM. You can also edit the configuration files /etc/bootptab and /etc/dhcptab manually, but it is not recommended. This section covers steps you must take to configure DHCP using SAM.
In the example above, ba indicates the broadcast flag has been turned on. Most clients need this flag, so it will be in most pool group entries. The pool-name is a label that helps the system administrator identify the pool group. The client is not aware of this name. The beginning and end of the address range in the pool is defined by addr-pool-start-address and addr-pool-last-address.
terminals. These clients must all match the device type specified in the class-id field in the /etc/dhcptab file. In the example below, all the clients in this device group must be xterminals.

DHCP_DEVICE_GROUP:\
class-name=XTERM_GROUP:\
class-id="Xterminal:"\
subnet-mask=255.255.255.0:\
addr-pool-start-address= 15.13.100.50\
addr-pool-last-address= 15.13.100.59:

NOTE It is not very common for the class_id field to be defined.
lg=123.123.123.123 55.55.55.55:\
lp=45.45.45.45:\
ns=66.66.66.66:\
rl=123.77.99.35:\
to=153:\
ts=88.99.88.99:\
vm=rfc1048:\
hn:\
bs=auto:\
md=/tmp/dumpfile.of.the.century:\
dn=cup.hp.com:\
ef=/tmp/extensions:\
nt=194.88.200.244:\
rp=/turnip/onion/carrot:\
ss=200.233.200.233:\
tr=50:\
tv=87:\
xd=77.11.1.244:\
xf=77.11.1.245:\
yd=hp.com:\
ys=9.7.5.3:

For more information about the other flags in this example, see the bootpd(1m) man page.
Figure 6-4 DHCP Devices Can Have Fixed IP Addresses (figure: a DHCP server; DHCP Client1 and DHCP Client2 in Group A; DHCP Client3 and DHCP Client4 with fixed addresses, hardware addresses 0x080009445566 and 0x080009112233)

In Figure 6-4, assume that you have configured a DHCP group (group A) to include Client1 and Client2, meaning that each will receive an IP address from a pool of available addresses at boot request.
Figure 6-5 Relay Agent Scenario (figure: Server, Gateway, Relay Agent, Client 1 and Client 2)

In Figure 6-5, suppose that Client2 broadcasts a boot request. The server containing the booting information belongs to a remote network. Therefore, the broadcast message is received by the local machine known as the relay agent.
through the BOOTP Relay Agent, see “Configuring a DHCP Server to Distribute IP Addresses through a BOOTP Relay Agent” on page 271.

Configuring PING Timeouts

The DHCP server optionally sends a PING (ICMP echo) request to see if the IP address it wants to assign to a client is in use or not. If the server does not receive the reply in a specified time, the server assumes the IP address is NOT in use.
Configuring DHCP

This section contains information needed to configure DHCP servers to distribute IP addresses to client groups, individual clients, and all clients via a BOOTP Relay Agent. Before configuring the DHCP server, you must set up the broadcast address and set aside a block of addresses for the DHCP server to distribute.
For example:

15.1.48.50 - 15.1.48.80

The DHCP server will assign IP addresses to clients from this set of IP addresses.

2. Pre-assign and register hostnames to the IP address allocated above. Using the -h option to the dhcptools(1M) command may be useful. For example:

dhcptools -h fip=15.1.48.50 no=30 sm=255.255.255.0 hn=devlab##

This command will create a file in /tmp/dhcphosts that can be incorporated into your /etc/hosts or DNS/NIS database.

3.
number. An example of a subnet mask is 255.255.255.0.

Subnet Address Pool: Click this button to select the range of IP addresses that you allocated in the section, “Preparing to Configure a DHCP Server” on page 267. A new screen will be displayed where you can enter the START and END address. If there are addresses within the range that you picked that you do not want allocated via DHCP, you can use the Reserved Addresses button to specify those.
11. Go to the Action Menu and enable the Boot Server, if it is not already enabled.

Configuring a DHCP Server to Distribute IP Addresses to Individual Devices

12. Start SAM.
13. Double-click the Networking and Communication icon.
14. Double-click the Bootable Devices icon.
15. Double-click the “Fixed-Address Devices Booting from this Server” icon.
16. Click the Action menu item, then choose Add Fixed-Address Device to add the individual device.
Boot File Name: This file contains all necessary booting information for the client. You can specify the path name of the boot file relative to tftp’s home directory.

18. After filling in the parameter fields listed in step 6, click OK. SAM will make the modifications to the /etc/bootptab file.
19. Go to the Action Menu and click “Enable the Boot Server,” if it is not already enabled.
from a single device. You can enter the station address. The station address mask will default to all Fs.

Station Address: This is the 12-digit hexadecimal address of a client or group of clients requests will be sent to.

Station Address Mask: This is the hexadecimal value used to filter client boot requests according to their station address.
Enabling DHCP on a System Not Initially Configured with DHCP

1. As root, start SAM.
2. Double-click Networking and Communications.
3. Double-click Network Interface Cards.
4. Highlight the card you wish to enable DHCP on.
5. Go to the Actions menu and select Configure.
6. Click once on the Enable DHCP button.
7. Click OK and exit SAM.

Your system will start using DHCP after the next reboot.
BOOTP client part of a DHCP group that has been defined. bootpd is the internet boot protocol server daemon that implements DHCP, BOOTP, and DHCP/BOOTP relay agents. DHCP is backwards compatible with BOOTP, so no changes are required of existing users of BOOTP.

Configuring DHCP to be Used with OL*

To use DHCP with OL*, you will need to kill the bootp daemon after you complete the replacement for OL*.
Monitoring and Troubleshooting DHCP Operations

This section describes techniques and tools you can use to troubleshoot problems found with the DHCP server.
• Is the reply appropriate for the client?

Table 6-1 lists some of the common error messages you may see in the syslog when a client fails to get an address lease.

Table 6-1 Common Errors Found in Syslog

Error  Cause
304    A client requests an address on a subnet not available or accessible from this DHCP server. The client gets no response from this server.
305    The pool or device group is full.
/tmp/dhcp.dump.bootptab and /tmp/dhcp.dump.dhcptab. Review the contents of /tmp/dhcpdb, which is a less verbose version of /tmp/dhcp.dump.dhcptab. The file /tmp/dhcpdb is continually updated by the daemon.

DHCP Troubleshooting Tools

The HP-UX DHCP server has tools that will help you debug problems and make adjustments while the server is running.
dhcptools -p ht=hardware_type ha=hardware_address \
    sn=subnet_identifier [lt=lease_time] [rip=requested_IP_address]

dhcptools -r
Allows you to reclaim an individual lease address, making it available for a new client.
hardware address, client IP address, class-id, etc.) to the executable file named in /etc/dhcptab. The executable is typically a shell script, but it can be any executable file. This is commonly used to send mail to the network administrator or store data in a file about DHCP clients that have succeeded or failed in negotiating a lease.
7 Configuring the Network Time Protocol (NTP)

This chapter describes basic and advanced NTP concepts, components needed to use NTP, and NTP configuration instructions.
It also includes troubleshooting information. This chapter is divided into two major parts. The first part covers basic concepts and procedures. It is ideal if you have limited experience with NTP.
Getting Started with NTP

The Network Time Protocol (NTP) is a family of programs used to adjust the system clock on your computer and keep it synchronized with external sources of time. All clocks drift, including clocks inside your computers. Computers are very sensitive to time deviations caused by this drifting. NTP provides accuracy from the microsecond to millisecond range.
Steps to Start NTP Configuration

For your basic NTP configuration, you will need to do the following:

Step 1. Choose a source of time.
Step 2. Determine how frequently your system clock should synchronize with the source of time selected.
Step 3. Select back-up time servers.
Step 4. Configure your primary NTP server.

The following sections cover these steps in detail.
Public Time Server

You can connect to public time servers via the internet free of charge, for a limited time. Public time servers also provide dial-up access through a modem. This is the cheapest and most popular method. One of the main problems with this option is that many people are protected behind firewalls and cannot use the public time servers. There are several public time servers that you can access.
To set up the local clock impersonator, add the following line to the /etc/ntp.conf file:

server 127.127.1.1 minpoll 3 maxpoll 4

Radio Receiver

The radio receiver is the most accurate. When you use it, you have no worries about network delays, congestion, or outages. It is, however, the most expensive time distribution mechanism.
3. Add the following to the device file (which device file do you edit?)

/usr/bin/ln -s /dev/tty0p0 /dev/palisade1

To Set up a Spectracom Netclock/2

1. Install and connect the WWVB receiver to a serial port on the HP-UX machine.
2. Add the following lines to the end of your /etc/ntp.conf file:

server 127.127.4.1 minpoll 3 maxpoll 4
# no fudge required
# fudge 127.127.26.1 time1 -0.930 #s800

3.
Figure 7-1 Survey of Best Time Servers (figure: your NTP time client measuring an NTP time server in NY at 86 ms round-trip PING time, an NTP time server in CA at 5 ms round-trip PING time, and an NTP time server in Australia at 500 ms round-trip PING time)

Example 1: Locating the Best Primary Server

In Table 7-1, you can see that there are a number of servers the time client can access. The primary time server is NAVOBS1.MIT.EDU.
You will need to evaluate these potential time servers (and the network paths) to decide if they are close enough (ping time, delay and variation) and well configured before you use them. Some time servers may also require notification before you use them, so pay attention to the etiquette of the listings at UDelaware. Do not point more than three of your machines at any one public time server.
ntp-cup.external.hp.com (192.6.38.127)
Location: Cupertino CA (SF Bay area) 37:20N/122:00W
Synchronization: NTPv3 primary (GPS), HP-UX
Service Area: West Coast USA
Access Policy: open access
Contact: timer@cup.hp.com
Note: no need to notify for access, go right ahead!

If you are located in Silicon Valley, you can ping this time server and see that it is about 5 milliseconds away:

/usr/sbin/ping ntp-cup.external.hp.com 64 5
PING ntp-cup.
server also has several good stratum-1 and stratum-2 servers which it can fall back on if the GPS receiver stops working for any reason. Notice the line for hpsdlo.sdd.hp.com which has delay, offset, and dispersion measures that are markedly worse than any of the other sources. The time server hpsdlo is good enough, but the network in between has some problems, mainly evidenced by the large dispersion figure.
Nonetheless, 85 milliseconds is not too bad for general NTP purposes. You will generally see dispersion measurements somewhat less than the ping round-trip times. The NTP daemon has an interesting watershed at 128 milliseconds, but this example server at 85 milliseconds is comfortably below that. You can use the server at columbia.

/usr/sbin/ntpq -p ntp.ctr.columbia.

Table 7-3
Example 3: Evaluating Time Servers in Australia

Look at a time server in Australia. Here are the details:

ntp.adelaide.edu.au (129.127.40.3)
Location: University of Adelaide, South Australia
Synchronization: NTP V3 secondary (stratum 2), DECsystem 5000/25 Unix
Service Area: AARNet
Access Policy: open access
Contact: Danielle Hopkins (dani@itd.adelaide.edu.au)

/usr/sbin/ping ntp.adelaide.edu.au 64 5
PING huon.itd.adelaide.edu.
/usr/sbin/ntpq -p ntp.adelaide.edu.au

Table 7-4 Evaluating Time Sources in Australia

remote            refid            st t when poll reach   delay  offset   disp
=============================================================================
.otto.bf.rmit.ed  130.155.98.1     2  u  229 1024  376    16.34   7.132   7.87
.student.ntu.edu  murgon.cs.mu.OZ  2  u   47  128  377    81.34   5.166   5.25
.203.31.96.1      murgon.cs.mu.OZ  2  u   13  256  373   115.74  30.147  38.54
.203.172.21.222   tick.usno.navy.
When the time server in Silicon Valley is configured to use "sirius.ctr.columbia.edu" and "gpo.adelaide.edu" as time sources, the output from "ntpq -p" looks like this (about 10 minutes after daemon startup):

Table 7-5 Output from ntpq for Configuring Silicon Valley Time Server

remote            refid            st t when poll reach   delay  offset   disp
=========================================================================
*REFCLK(29,1)     .GPS.            0  l   25   32  377     0.
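The evaluation the examples above perform by eye (read the ntpq -p billboard, discard sources whose delay is at or above the 128 millisecond watershed or whose dispersion is out of proportion to the delay, and prefer the closest remaining source) can be scripted. The following is an added example, not part of the manual or of ntpq: it parses the billboard columns shown in the tables above and ranks the peers. The ntpq output it reads is constructed for the example, and the "dispersion greater than delay" rule is a heuristic chosen here from the text's remark that dispersion is normally somewhat less than the round-trip time.

```python
"""Rank peers from an ntpq -p billboard.

Added example, not ntpq or xntpd code. Columns parsed are the ones shown
in the manual's tables: remote refid st t when poll reach delay offset disp.
"""

# Constructed ntpq -p output (not from a real server).
SAMPLE_NTPQ = """\
     remote           refid      st t when poll reach   delay   offset    disp
==============================================================================
*REFCLK(29,1)    .GPS.            0 l   25   32  377     0.00    0.012    0.98
+nearby.example  .GPS.            1 u  203  256  377     5.21   -0.430    3.02
 eastcoast.example .GPS.          1 u  455 1024  377    85.10    2.110   20.30
 farsouth.example 130.155.98.1    2 u  229 1024  376   500.42   30.147   38.54
 flaky.example    .GPS.           1 u   17   64  213    42.00   12.000  120.00
"""

WATERSHED_MS = 128.0        # the 128 ms watershed the text mentions
TALLY_CODES = "*+-x#o"      # leading tally character ntpq prints before the name


def parse_ntpq(text):
    """Return a list of peer dicts from ntpq -p output."""
    peers = []
    for line in text.splitlines()[2:]:       # skip header and ==== rule
        tok = line.split()
        if len(tok) < 10:
            continue
        name, tally = tok[0], ""
        if name[0] in TALLY_CODES:
            tally, name = name[0], name[1:]
        peers.append({
            "remote": name, "tally": tally, "refid": tok[1],
            "stratum": int(tok[2]), "type": tok[3],
            "reach": int(tok[6], 8),          # reach register is printed in octal
            "delay": float(tok[7]), "offset": float(tok[8]), "disp": float(tok[9]),
        })
    return peers


def assess(peer):
    """Reasons not to pick this peer as a primary source; empty means fine."""
    notes = []
    if peer["delay"] >= WATERSHED_MS:
        notes.append("delay at/above 128 ms watershed")
    if peer["disp"] > peer["delay"]:
        notes.append("dispersion exceeds delay: unstable path")
    if peer["reach"] != 0o377:
        notes.append("not reached on every recent poll")
    return notes


def best_candidate(peers):
    """Remote name with the lowest delay among clean network peers (t != 'l')."""
    ok = [p for p in peers if p["type"] != "l" and not assess(p)]
    return min(ok, key=lambda p: p["delay"])["remote"] if ok else None


if __name__ == "__main__":
    peers = parse_ntpq(SAMPLE_NTPQ)
    for p in peers:
        print(f"{p['remote']:20} delay={p['delay']:7.2f} {assess(p)}")
    print("best:", best_candidate(peers))
```

The local reference clock (type l) is excluded from the ranking because the text's procedure is about choosing a network source; the constructed farsouth peer is rejected on delay, flaky on dispersion and reachability, and nearby wins over eastcoast on delay alone.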
server ntp-cup.external.hp.com
server bigben.cac.washington.edu
server sirius.ctr.columbia.edu

Back-up Time Servers

After you have found a well-configured time server that is an acceptable distance away, you must select two additional servers. These servers will serve as back-up time servers. The closest and fastest one will be your primary time server. The others will do the job if the primary server becomes unavailable.
/usr/bin/ln -s /dev/tty0p0 /dev/hpgps1 (device name for HP GPS)

• For the Local NTP Machine, add the following lines to the end of the /etc/ntp.conf file:

server 127.127.1.1
fudge 127.127.1.
Advanced NTP Topics

Stratum Levels and Time Server Hierarchy

An NTP synchronization subnet is a network of timekeeping systems, called time servers. These time servers are a subset of the systems on a network or an internetwork. Each time server synchronizes to Universal Coordinated Time (also known by the acronym UTC). Each server measures the time difference between its local system clock and the system clocks of its neighbors.
The maximum stratum level a server can have is 15.

Time Server Roles

An NTP time server can assume different roles in its relationships with other time servers in the synchronization subnet. A time server can assume one or more of the following roles:

• Server— provides time to clients when requested. This role can be assumed by time servers at various strata.
Figure 7-3 Example of Relationships Between Time Servers (figure: Gordo and Bonita at stratum 1 as servers; Penelope at stratum 2 as client of both, peer, and broadcaster; Golden at stratum 3 as broadcaster and Hugo at stratum 3 as broadcast client)

Planning a Multiple-Server NTP Configuration

The following are guidelines that you should consider when planning your configuration:

• Every NTP hierarchy must have at least one stratum-1 server.
administrative domains, and should be accessed from different gateways and access paths. Avoid loops and common points of failure. Do not synchronize multiple time servers in an administrative domain to the same outside source, if possible.
• For enterprise networks that contain hundreds or thousands of file servers and workstations, the local time servers should obtain service from stratum-1 servers.
provide time to which the named host may be synchronized. (The local host is a client of the named host.) In addition, server statements are used to configure external clocks (radio clocks or local system clocks) for stratum-1 servers. Refer to “Configuring External Clocks” on page 303 for more information.
NOTE Every node in an NTP hierarchy must have either a server statement or a broadcastclient yes statement in its configuration file. Every node must have an upper-level server. A stratum-1 server must also have a server statement in its configuration file, which specifies a radio clock or internal system clock as a time source.
u is a value between 1 and 4. You must create a device file /dev/wwvb%u.
• Local synchronization clock, also known as a “pseudo” clock. A system with this type of clock configured uses the local system clock as a time source. The address used to configure this clock is 127.127.1.u, where u is a value between 0 and 15 and specifies the stratum level at which the clock runs.
Configuring a Driftfile

xntpd computes the error in the frequency of the clock in the local host. It usually takes xntpd a day or so after it is started to compute a good estimate of the frequency error. The current value of the frequency error may be stored in a driftfile.
When authentication is enabled on a host, the following time servers will not be considered by the host for synchronization:
• Time servers that send unauthenticated NTP packets.
• Time servers that send authenticated packets that the host is unable to decrypt.
• Time servers that send authenticated packets encrypted using a non-trusted key.

An authentication key file is specified on the host.
In the example in Figure 7-5, authentication is enabled for both Penelope and Golden. An NTP time request from Penelope to Golden will include authentication fields—the key ID 10, and a checksum encrypted with the key corresponding to the key ID 10, “tickle.
address-mask specified in the restriction list, you can define zero or more flags to restrict time service or queries to the local host. The source address of each incoming NTP packet is then compared to the restriction list. If a source address matches an entry in the restriction list, the restriction defined by the corresponding flag is applied to the incoming packet.
The first entry causes packets from source addresses on net 193.100 to be ignored. However, packets from host 193.100.10.8 are unrestricted, as specified by the second entry. The two restriction list entries effectively cause all packets from net 193.100 to be ignored, with the exception of packets from host 193.100.10.8. The following are examples of restriction list entries for a local host with the address 193.100.100.7.
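The matching rule described above (an address-mask entry per line, the most specific matching entry deciding the fate of a packet) is modelled by the following Python program. This is an added example, not text or code from the HP manual, and it does not reproduce the manual's own entries for host 193.100.100.7. The restrict lines it parses are constructed to mirror the two entries the text describes; the default entry and the noquery and nomodify flags come from xntpd's restrict syntax and are additions for the example.

```python
"""Model xntpd restriction-list matching for incoming NTP packets.

Added example, not part of the HP manual. Restriction lines are constructed
to mirror the two entries the text describes: net 193.100 is ignored except
for host 193.100.10.8. The default entry and the noquery/nomodify flags are
taken from xntpd's restrict syntax and are additions for the example.
"""
import ipaddress

# xntpd restrict flags accepted here; "ignore" drops the packet outright,
# the others limit queries, runtime modification, service or trust.
KNOWN_FLAGS = {"ignore", "noquery", "nomodify", "noserve", "notrust"}


def parse_restrict(line):
    """Parse 'restrict <address>|default [mask <mask>] [flag ...]' into (network, flags)."""
    tokens = line.split()
    if not tokens or tokens[0] != "restrict":
        raise ValueError(f"not a restrict statement: {line!r}")
    address, mask, flags = tokens[1], "255.255.255.255", []
    i = 2
    while i < len(tokens):
        if tokens[i] == "mask":
            mask = tokens[i + 1]
            i += 2
        else:
            if tokens[i] not in KNOWN_FLAGS:
                raise ValueError(f"unknown restrict flag {tokens[i]!r}")
            flags.append(tokens[i])
            i += 1
    if address == "default":          # the catch-all entry matches every source
        address, mask = "0.0.0.0", "0.0.0.0"
    network = ipaddress.IPv4Network((address, mask), strict=False)
    return network, frozenset(flags)


def applicable_flags(restrictions, source):
    """Flags applied to a packet from `source`: the matching entry with the
    longest mask wins, so a host entry overrides a covering net entry."""
    src = ipaddress.IPv4Address(source)
    best = None
    for network, flags in restrictions:
        if src in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, flags)
    return best[1] if best else frozenset()


def is_ignored(restrictions, source):
    """True when xntpd would discard packets from `source` without reply."""
    return "ignore" in applicable_flags(restrictions, source)


# Constructed configuration lines for the example.
SAMPLE_RESTRICT_LINES = [
    "restrict default noquery nomodify",               # baseline for everyone else
    "restrict 193.100.0.0 mask 255.255.0.0 ignore",    # first entry: ignore net 193.100
    "restrict 193.100.10.8",                           # second entry: this host is unrestricted
]
RESTRICTIONS = [parse_restrict(line) for line in SAMPLE_RESTRICT_LINES]

if __name__ == "__main__":
    for source in ("193.100.5.5", "193.100.10.8", "10.1.2.3"):
        print(source, sorted(applicable_flags(RESTRICTIONS, source)) or "unrestricted")
```

Running the module prints that 193.100.5.5 is ignored, 193.100.10.8 is unrestricted, and any other source gets only the baseline noquery and nomodify flags; a host entry without flags is what makes the exception to the net-wide ignore work.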
If you modify the configuration file or the XNTPD_ARGS environment variable in the file /etc/rc.config.d/netdaemons while xntpd is running, you have to stop and restart the daemon in order for the configuration changes to take effect. To stop xntpd, issue the following command:

    /sbin/init.d/xntpd stop

Using ntpq to Query Systems Running xntpd

ntpq is a program used to query systems that are running xntpd about the current state of the server.
appears:

Table 7-7  ntpq Output Showing Known NTP Hosts

     remote        refid      st t  when  poll reach   delay   offset    disp
=====================================================================
*GPS_HP(1)                     0 l    48    64   377    0.00    0.516    4.19
 hpps.cup.hp   cupertino       3 u   467  1024   377    7.20  -12.430   15.67
+server2       GPS             1 u   173   256   377  279.95   20.56    16.40
+node1         WWVB            2 u   131   256   373    9.89   16.28    23.
 node3
type), m = multicast, b = broadcast, - = netaddr (usually 0).

• The when column shows the number of seconds since the remote host response was received.
• The poll (poll period) column shows the polling interval to the remote host, as determined by xntpd. You can define the minimum polling interval with the minpoll option in the peer, server, or broadcast definitions in the /etc/ntp.conf file.
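The column descriptions above are easier to apply with a small parser. The following Python program is an added example, not part of the HP manual: it reads ntpq peer listings in the layout of Table 7-7, decodes the octal reach register into the last eight poll results, identifies the system peer from the tally character, and flags peers a troubleshooter should look at. The sample output embedded in it is constructed (the refid values and the last row are invented); the tally and type codes follow ntpq's conventions.

```python
"""Parse ntpq peer listings like Table 7-7 and flag unreachable servers.

Added example, not part of the HP manual. The sample output below is
constructed to look like ntpq output (the refid values and the last row
are invented); the tally and type codes follow ntpq's conventions.
"""
from dataclasses import dataclass

# First-column tally codes as printed by ntpq (the manual's table shows * and +).
TALLY = {"*": "system peer", "+": "candidate", "-": "outlier",
         "x": "falseticker", " ": "discarded"}
# The t column: l = local clock, u = unicast, b = broadcast, m = multicast.
PEER_TYPE = {"l": "local", "u": "unicast", "b": "broadcast", "m": "multicast",
             "-": "netaddr"}

SAMPLE_NTPQ = """\
     remote           refid      st t when poll reach   delay   offset    disp
==============================================================================
*GPS_HP(1)       .GPS.            0 l   48   64  377    0.00    0.516    4.19
 hpps.cup.hp     cupertino        3 u  467 1024  377    7.20  -12.430   15.67
+server2         GPS              1 u  173  256  377  279.95    9.890   20.56
 flaky.example   10.0.0.9         2 u    -   64  201   15.00   80.000   50.00
"""


@dataclass
class Peer:
    tally: str
    remote: str
    refid: str
    stratum: int
    kind: str
    when: int          # seconds since the last reply, -1 if ntpq printed "-"
    poll: int
    reach: int         # 8-bit shift register, one bit per poll, newest in bit 0
    delay: float
    offset: float
    disp: float

    def polls_answered(self):
        """Number of the last eight polls that got a reply."""
        return bin(self.reach).count("1")

    def reach_history(self):
        """Oldest-to-newest poll history, '1' = answered, '.' = missed."""
        return format(self.reach, "08b").replace("0", ".")


def parse_ntpq(text):
    """Turn ntpq's tabular output into Peer records."""
    peers = []
    for line in text.splitlines():
        body = line.strip()
        if not body or body.startswith("remote") or body.startswith("="):
            continue                               # header and separator lines
        tally, fields = line[0], line[1:].split()
        if len(fields) != 10:
            raise ValueError(f"unexpected ntpq row: {line!r}")
        remote, refid, st, kind, when, poll, reach, delay, offset, disp = fields
        peers.append(Peer(tally, remote, refid, int(st), kind,
                          -1 if when == "-" else int(when), int(poll),
                          int(reach, 8),           # ntpq prints reach in octal
                          float(delay), float(offset), float(disp)))
    return peers


def system_peer(peers):
    """The peer the local clock is synchronized to (tally '*'), or None."""
    return next((p for p in peers if p.tally == "*"), None)


def assess(peer):
    """Problems a troubleshooter would look for in one ntpq row."""
    problems = []
    if peer.reach == 0:
        problems.append("no reply to any of the last eight polls")
    elif peer.polls_answered() < 8:
        problems.append(f"{8 - peer.polls_answered()} of the last eight polls unanswered")
    if peer.stratum >= 16:
        problems.append("peer is itself unsynchronized (stratum 16)")
    return problems


if __name__ == "__main__":
    for peer in parse_ntpq(SAMPLE_NTPQ):
        print(f"{peer.remote:16} {TALLY[peer.tally]:12} reach {peer.reach_history()} "
              f"{'; '.join(assess(peer)) or 'ok'}")
```

A reach of 377 (all eight bits set) is the healthy value shown for every host in Table 7-7; a value such as 201 decodes to 1......1, a server that answered the oldest and newest poll only, which is worth checking before it drops to 0 and disappears as a candidate.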
Troubleshooting ntp

If ntp is not operating properly, use this section to identify and correct the problem.

To Find Out if xntpd is Running

Issue the following command to find out if xntpd is running:

    /usr/bin/ps -ef | /usr/bin/grep xntpd

This command reports the process identification (PID), current time, and the command invoked (xntpd).
the node bad:

Table 7-8  ntpq Output Showing NTP Associations

     remote        refid      st  when  poll reach  delay  offset   disp
===========================================================================
*good.cup.hp   LOCAL(1)        2    29    64   377   5.43   -0.16  16.40
 bad           0.0.0.
No Server Suitable for synchronization found. This message indicates that the NTP server is not responding for some reason. Packets were sent out, but no reply was returned. Perhaps the server is down, or the network link is broken or extremely congested. Or perhaps the NTP daemon died on the server and has not yet locked on to its time sources. NTP version 3.
the command:

    /usr/sbin/ntpdate server

The server is the name of a trusted server, such as a peer or higher-level (lower stratum) server. If the local xntpd is unable to form any associations, this command will return the message “No suitable server for synchronization found.” Check the sections below for possible causes.
systems. This will tell the version 3 system to use the older message formats when communicating with these systems. The following configuration file entries tell xntpd to use NTP version 2 message formats when communicating with some_ver2.sys and NTP version 1 when communicating with some_ver1.sys.

    server some_ver2.sys version 2
    server some_ver1.
8 Configuring gated

gated (pronounced “gate D”) is a routing daemon that handles multiple routing protocols. The gated daemon can be configured to perform all or any combination of the supported protocols.
Beginning with HP-UX 10.30, gated 3.0 was replaced by gated 3.5. HP-UX supports gated version 3.5.8 on 11.i and 3.5.9 on 11.0. This chapter contains information about how to configure and use these versions of gated.
Overview

A router is a device that has multiple network interfaces and transfers Internet Protocol (IP) packets from one network or subnet to another within an internetwork. (In many IP-related documents, this device is also referred to as a “gateway.” The term “router” is used in this chapter.) The gated daemon updates routing tables in internetwork routers.
exchanging routing information via a common routing protocol.

• gated gives the system administrator flexibility in setting up and controlling network routing. For example, gated can listen to network traffic at specified routers, determine available routes, and update local routing tables accordingly.

When to Use gated

gated is most often used in large networks, or small networks connected to larger wide-area networks.
Authority (IANA). An interior gateway protocol is used to distribute routing information within the autonomous system. An exterior gateway protocol is used to distribute general routing information about an autonomous system to other autonomous systems. Dividing networks into autonomous systems keeps route changes inside the autonomous system from affecting other autonomous systems.
NOTE  Do not mix RIP and OSPF protocols within a single network, because the routing information might conflict.

Table 8-1 compares the advantages and disadvantages of the RIP and OSPF protocols.

Table 8-1  Comparison of RIP and OSPF Protocols

    RIP                                     OSPF
    Advantage: RIP is easy to configure.    Disadvantage: OSPF is complicated to configure and requires network design and planning.
EGP protocol. BGP offers more flexibility and requires less bandwidth than EGP.

• BGP (Border Gateway Protocol) is intended as a replacement for EGP. BGP uses path attributes to select routes. One of the attributes that BGP can pass is the sequence of autonomous systems that must be traversed to reach a destination. gated supports BGP versions 2, 3, and 4, as described in RFCs 1163 and 1267.
Configuration Overview

When gated starts, it reads a configuration file to find out how each protocol should be used to manage routing. By default, it uses the configuration file called /etc/gated.conf. Creating the configuration file is usually the responsibility of the system administrator. The configuration file may include up to eight sections (called classes) of configuration statements. Statements can be further defined with optional clauses.
NOTE  If you do not want to use any of the gated 3.5 features added at HP-UX 10.30, and do not have any tracing configured in your gated 3.0 /etc/gated.conf configuration file, you can continue to use your 3.0 configuration file with gated 3.5. If you do have tracing configured in your gated 3.0 file, you must run the conv_config conversion tool on the file so that it follows the 3.5 syntax (see “Converting the Configuration File from 3.0 to 3.5” on page 329).
type man 4 gated.conf at the HP-UX prompt.

3. Add statements as needed for any additional configuration information. See “Customizing Routes” on page 370, “Specifying Tracing Options” on page 372, and “Specifying Route Preference” on page 374 for other configuration options. In particular, you may want to prevent gated from deleting interfaces from the routing table if gated receives no routing protocol information from that interface.
the -c or -C option. (gated exits after parsing the configuration file.)

6. Set the environment variable GATED to 1 in the file /etc/rc.config.d/netconf. This causes gated to start automatically whenever the system is booted.

7. To start gated, reboot your system or run the gated startup script with the following command:

    /sbin/init.
• output_config_file is the name of the file you want to be the gated 3.5 file. Note that you must specify this name (the tool does not assume that you are giving the output file the default name, /etc/gated.conf).

Continuing the example from step 1, the command would look like this:

    conv_config < /etc/gated.conf.30 > /etc/gated.
Configuring the RIP Protocol

RIP uses hopcount to determine the shortest path to a destination. Hopcount is the number of routers a packet must pass through to reach its destination. If a path is directly connected, it has the lowest hopcount of 1. If the path passes through a single router, the hopcount increases to 2. Hopcount can increase to a maximum value of 16, which is RIP’s “infinity metric,” an indication that a network or node cannot be reached.
You can change the values of either option in the /etc/gated.conf file. If -e and -a options are specified on the command line and in the configuration file, gated will use the value specified in the configuration file.

Simple RIP Configuration

A simple configuration contains RIP routers and end nodes that listen to information exchanged by the RIP routers, as shown in Figure 8-1 below.
    };
    static {
        default interface 121.1.0.10 preference 255 ;
    };

With one interface, A can listen to RIP traffic on the network but does not forward routing information. Routers must be multicasting RIP packets on this network for A to learn about them and update its routing table. The first syntax statement enables RIP on node A’s interface (121.1.0.10). The second statement specifies a static local default route, to prevent gated from deleting it.
yes (or on) tells gated to enable the RIP protocol at this node and process RIP packets coming in from other nodes.

no (or off) tells gated to disable the RIP protocol at this node.

If gated finds fewer than two network interfaces, the node only listens to RIP information. If gated finds two or more network interfaces, the node both listens to and broadcasts or multicasts RIP information.
IP address (for example, 193.2.1.36), a domain or interface name (for example, lan0 or lan1), a wildcard name (for example, lan*), or all (which refers to all interfaces). Multiple interface statements may be specified with different clauses. If a clause is specified more than once, the instance with the most specific interface reference is used.

noripin specifies that gated does not process any RIP information received through the specified interface.
sourcegateways specifies routers to which RIP routing packets may be sent. If the nobroadcast clause is specified, routing updates are sent only to routers listed in the sourcegateways clause.

traceoptions enables tracing for the RIP protocol. See “Specifying Tracing Options” on page 372.

Controlling RIP Traffic

This section describes configuration options for RIP routing information sent out by gated from the node.
B, D, and E pass routing information among themselves and update their routes accordingly. C listens to the RIP conversation among B, D, and E, and updates its routes accordingly. If routers D and E can both provide a path to a network, but the path through router D is shorter, nodes B, C, and E will use router D when routing packets to that network. If D goes down, E becomes the new router to that network for nodes B, C, and E.
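The hopcount rules from the start of this section (directly connected is 1, each router adds one, 16 is unreachable) and the D-to-E failover just described can be put together in a short simulation. The following Python program is an added example, not part of the HP manual or of gated: it models a listening node such as C receiving RIP updates from D and E for the 121.0.0.0 network used in this chapter's examples. The advertised metrics are constructed for the example.

```python
"""Model how a RIP listener picks and fails over routers.

Added example, not part of the HP manual or gated. It follows the manual's
hopcount rules (directly connected = 1, each router adds one, 16 = unreachable)
for the B/C/D/E scenario: D offers the shorter path, and E takes over when D
stops advertising. The advertised metrics are constructed for the example.
"""

RIP_INFINITY = 16   # RIP's "infinity metric": destination unreachable


class RipTable:
    """Routes learned from RIP updates, keyed by destination and advertising router."""

    def __init__(self):
        self.routes = {}    # dest -> {router: hopcount from here via that router}

    def receive(self, router, update):
        """Process a RIP update {dest: metric} received from `router`."""
        for dest, metric in update.items():
            # Going through the advertising router adds one hop; never exceed infinity.
            hops = min(metric + 1, RIP_INFINITY)
            self.routes.setdefault(dest, {})[router] = hops

    def router_down(self, router):
        """Expire every route learned from a router that has stopped advertising."""
        for by_router in self.routes.values():
            by_router.pop(router, None)

    def best(self, dest):
        """(router, hopcount) with the lowest hopcount, or None if unreachable."""
        candidates = sorted((hops, router)
                            for router, hops in self.routes.get(dest, {}).items()
                            if hops < RIP_INFINITY)
        if not candidates:
            return None
        hops, router = candidates[0]
        return router, hops


def failover_scenario():
    """Node C listening to D and E for the 121.0.0.0 network of this chapter's example."""
    table = RipTable()
    table.receive("D", {"121.0.0.0": 1})   # D is directly connected: its hopcount is 1
    table.receive("E", {"121.0.0.0": 3})   # E's own hopcount is 3
    before = table.best("121.0.0.0")       # ("D", 2): one router between C and the network
    table.router_down("D")
    after = table.best("121.0.0.0")        # ("E", 4)
    table.receive("E", {"121.0.0.0": RIP_INFINITY})   # E now reports the network unreachable
    return before, after, table.best("121.0.0.0")


if __name__ == "__main__":
    print(failover_scenario())
```

The capping at 16 is what keeps a metric-15 advertisement from being installed as a usable route: one more hop would exceed RIP's infinity, so the destination is treated as unreachable.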
/etc/rc.config.d/netconf file as follows:

    ROUTE_DESTINATION[0]="default"
    ROUTE_GATEWAY[0]="130.15.0.6"
    ROUTE_COUNT[0]="1"

B: Cluster (or Root) Server Node

Run gated to get routing information about the 121.0.0.0 network. Set up /etc/gated.conf as follows:

    interfaces {
        interface 130.15.0.6 121.1.0.92 passive ;
    };
    rip yes {
        interface 130.15.0.6 noripout ;
        interface 121.1.0.92 version 2 multicast;
    };
    static {
        default gateway 121.1.0.
C: End System on a LAN with RIP Routers

Set up /etc/gated.conf as follows:

    rip yes {
        interface 121.1.0.10 version 2 multicast;
    };
    static {
        default interface 121.1.0.10 preference 255 ;
    };

With one interface, C can listen to RIP traffic on the network but does not forward routing information. Routers must be multicasting RIP packets on this network for C to learn about them and update its routing table.

D: Major Router

Set up /etc/gated.
Configuring the OSPF Protocol

OSPF is a link-state routing protocol designed to distribute routing information between routers in a single autonomous system (AS). Each OSPF router transmits a packet with a description of its local links to all other OSPF routers. The distributed database is built from the collected descriptions.
Routers that have all their directly-connected networks in the same area are called internal routers. In Figure 8-3, routers A, B, and H are internal routers. Routers that are connected to multiple areas are called area border routers. In Figure 8-3, routers F and G are area border routers. Routers that connect one AS to another are called AS boundary routers. In Figure 8-3, router D is an AS boundary router.
state advertisements used by the OSPF protocol.
1. If your AS will be exchanging routing information with other autonomous systems, you need to obtain a unique AS number from the Internet Assigned Numbers Authority.

2. Partition the AS into areas. Any inter-connected networks can be partitioned into lists of address ranges, with each address range represented as an address-mask pair. The area border routers will summarize the area contents for each address range and distribute the summaries to the backbone.
Enabling OSPF

The default router identifier used by OSPF is the address of the first interface on the router encountered by gated. To set the router identifier to a specific address, specify the routerid interface statement in the Definition class of the /etc/gated.conf file.

NOTE  The OSPF protocol should be enabled only for routers. Once the OSPF protocol is enabled for a system, the system is treated as a router by other routers, and not a host.
Figure 8-4  Area Border Router Configuration Example (border router with interface 193.2.1.33 in area 0.0.0.1, toward network A, and interface 193.2.1.17 in area 0.0.0.2, toward network B)

The following is an example of the area definitions in the router’s /etc/gated.conf file:

    ospf yes {
        area 0.0.0.1 {
            interface 193.2.1.33 { ... } ;
        } ;
        area 0.0.0.2 {
            interface 193.2.1.17 { ... } ;
        } ;
    } ;

There are various other characteristics that you can define for the area and for the interface(s).
border routers advertise a single route for each address range. Figure 8-5 shows an example of a router that is connected to area 0.0.0.1 through interface 193.2.1.33. The attached network consists of addresses 193.2.1.33 through 193.2.1.47. The other network in the area consists of addresses 193.2.1.17 through 193.2.1.31.

Figure 8-5  Network Configuration Example (Router A in area 0.0.0.1, with addresses 193.2.1.33 and 193.2.1.17, between the network 193.2.1.33 through 193.2.1.47 and the network 193.2.1.17 through 193.2.1.31)
network(s). The interface may be specified with an address (for example, 193.2.1.36), a domain or interface name (for example, lan0 or lan1), a wildcard name (for example, lan*), or all. (The order of precedence is address, name, wildcard name, all.) Multiple interface statements may be specified with different clauses. If a clause is specified more than once, the instance with the most specific interface reference is used.
Update Packet over this interface. This value must take into account the transmission and propagation delays for the interface. It must be greater than 0. A sample value for a LAN is 1 second.
    Default: None (you must specify a value)
    Range: Integer between 1 - 65535

priority should be configured only for interfaces to multi-access networks. This value specifies the priority of the router to become the Designated Router.
authkey is the password used to validate protocol packets received on the router interface. The value is one of the following: 1 to 8 decimal digits separated by periods, a 1-byte to 8-byte hexadecimal string preceded by 0x, or a string of 1 to 8 characters in double quotes.
    Default: None
    Range: Up to 8 bytes

NOTE  To set an authkey value, the authtype clause must be set to 1 or simple for the area.
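The three authkey syntaxes, the 8-byte limit and the NOTE about authtype can be checked before a configuration is loaded. The following Python program is an added example, not part of the HP manual or of gated: it converts an authkey value in any of the three syntaxes into the 64-bit key OSPF simple-password authentication carries, rejects values over 8 bytes, and applies the rule that an interface authkey requires authtype 1 or simple on its area. Treating "decimal digits separated by periods" as one byte per dotted field, and right-padding short keys with zero bytes, are this example's assumptions; the manual states only the syntaxes and the size limit.

```python
"""Validate OSPF simple-password authkey values the way the manual specifies.

Added example, not part of the HP manual or gated. It accepts the three
syntaxes listed above (dotted decimal bytes, 0x hex string, quoted string),
enforces the 1 to 8 byte limit, and checks the NOTE that authkey requires
authtype 1 or simple on the area. Right zero-padding to 64 bits is this
example's assumption; the manual only states the size limit.
"""
import re

KEY_LEN = 8   # OSPF simple password authentication carries a 64-bit field


def parse_authkey(token):
    """Return the 8-byte key encoded by an authkey value, or raise ValueError."""
    token = token.strip()
    if len(token) >= 3 and token.startswith('"') and token.endswith('"'):
        raw = token[1:-1].encode("ascii")                 # "travis"
    elif re.fullmatch(r"0x[0-9A-Fa-f]+", token):
        hexdigits = token[2:]
        if len(hexdigits) % 2:                            # odd digit count: assume a leading zero
            hexdigits = "0" + hexdigits
        raw = bytes.fromhex(hexdigits)                    # 0x7472617669
    elif re.fullmatch(r"\d+(\.\d+)*", token):
        parts = [int(p) for p in token.split(".")]        # 1.2.3.4, one byte per field (assumption)
        if any(p > 255 for p in parts):
            raise ValueError(f"dotted-decimal authkey field exceeds 255: {token!r}")
        raw = bytes(parts)
    else:
        raise ValueError(f"unrecognized authkey syntax: {token!r}")
    if not 1 <= len(raw) <= KEY_LEN:
        raise ValueError(f"authkey must be 1 to {KEY_LEN} bytes, got {len(raw)}")
    return raw.ljust(KEY_LEN, b"\x00")


def check_interface_auth(area_authtype, authkey=None):
    """Apply the manual's rule: an interface authkey needs authtype 1 or simple on its area."""
    if authkey is None:
        return True
    if str(area_authtype) not in ("1", "simple"):
        raise ValueError(f"authkey set but area authtype is {area_authtype!r}")
    parse_authkey(authkey)
    return True


def config_error(area_authtype, authkey=None):
    """The validation error message for an area/interface pair, or None if it is valid."""
    try:
        check_interface_auth(area_authtype, authkey)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    for value in ('"travis"', "0x7472617669", "1.2.3.4", '"toolongpassword"'):
        print(value, "->", config_error("simple", value) or parse_authkey(value).hex())
```

Simple password authentication keeps a misconfigured or foreign router from being accepted into the area; it does not keep the password confidential, because the 8-byte field travels in the clear in every OSPF packet header, so the same value is readable by anything else attached to the segment.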
Non-Broadcast Multi-Access (NBMA) Interface

On NBMA networks, certain configuration information, including the routers that are attached to the network, must be supplied in order for OSPF’s Hello protocol to communicate with neighbor routers. An NBMA interface definition applies to both X.25 network interfaces as well as for systems that do not support IP multicast.
Figure 8-7  Non-Broadcast Router Interface Example (Router A at 193.2.1.35, Router B at 193.2.1.33 and Router C at 193.2.1.46 on one non-broadcast network)

The following is an example of the non-broadcast interface definition in router A’s /etc/gated.conf file:

    interface 193.2.1.35 nonbroadcast cost 5 {
        routers {
            193.2.1.33 eligible ;
            193.2.1.
routers in the network. A sample value for a LAN is 5 seconds.
    Default: None (you must specify a value)
    Range: 0 - 65535

hellointerval specifies the number of seconds between transmission of OSPF Hello packets. Smaller intervals ensure that changes in network topology are detected faster; however, routing traffic can increase. A sample value for an X.25 network is 30 seconds. A sample value for a LAN is 10 seconds.
If the device at the other end of the point-to-point network is not an OSPF router, you can prevent Hello packets from being sent to it. This is done using the stubhosts statement.

stubhosts specifies the IP address or domain name of the non-OSPF host. The cost of sending a packet to the host must also be specified. (In most cases, the host has only a single connection to the network so the cost configured has no effect on routing.
Summary link advertisements (routes to destinations outside the area but within the AS) continue to be sent into the stub area. The stub statement specifies that the area is a stub area. A cost clause can optionally be defined that specifies the cost associated with the default route to be advertised in the stub area. Figure 8-9 shows an example of an area border router that is connected to area 0.0.0.2 through interface 193.2.1.20.
                routerdeadinterval 20 ;
                retransmitinterval 10 ;
                pollinterval 20 ;
            } ;
        } ;
    } ;

Defining Backbones

The OSPF backbone distributes routing information between areas. Backbones are defined with the same statements and clauses as areas. The stub statement may not be defined for a backbone. The backbone statement is used to define a router as a backbone router.
Figure 8-10  Backbone Configuration Example (routers A and B and areas 0.0.0.1 through 0.0.0.4; Router A’s backbone interface is 15.13.115.156)

The following is an example of the backbone router definition for router A’s /etc/gated.conf file:

    backbone {
        interface 15.13.115.
implementations, a “virtual link” can be configured to join non-contiguous backbone routers. Virtual links are not supported on HP-UX systems.

Authentication

The OSPF protocol allows packets containing routing information to be authenticated. The authentication method used is configured on a per-area basis; different authentication methods may be used in different areas. gated supports a simple password authentication method.
Figure 8-11  Simple Password Authentication (routers A, B and C; LAN 1 uses authkey "travis", LAN 2 uses authkey "pepe")

The following example shows an authtype statement that enables a simple password authentication for the routers in the area and an authkey statement in the interface definition that defines a password (“travis”) to validate protocol packets received by the router:

    area 0.0.0.1 {
        authtype simple ;
        networks {
            193.2.1.16 mask 0xfffffff0 ;
            193.2.1.
Cost

The outbound side of each router interface is associated with a configurable cost. Lower cost interfaces are more likely to be used in forwarding data traffic. Cost values are assigned at the discretion of the network or system administrator. While the value is arbitrary, it should be a function of throughput or capacity of the interface: the higher the value, the lower the throughput or capacity.
The lowest cost OSPF path between nodes A and D is therefore through node B. However, if there were a link failure between node B and LAN 2, packets would be rerouted through node C. There are other places in the /etc/gated.conf file where cost can optionally be defined:

• In a defaults statement in the OSPF protocol configuration, which applies only to AS boundary routers. This cost definition applies to routes to destinations outside the AS.
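The cost semantics above, and the A-to-D rerouting through C when the B-to-LAN 2 link fails, are the shortest-path computation every OSPF router runs over its link-state database. The following Python program is an added example, not part of the HP manual or of gated. Figure 8-12 is not reproduced on this page, so the topology and interface costs are constructed: routers A, B, C and D joined by two transit networks, with B's interface to LAN 2 cheaper than C's.

```python
"""Compute OSPF shortest paths over a constructed topology and show rerouting.

Added example, not part of the HP manual or gated. Figure 8-12 is not
reproduced here, so the topology and interface costs below are constructed:
routers A, B, C, D and transit networks LAN1 and LAN2, with B's interface
to LAN2 cheaper than C's, so that A reaches D through B until that link fails.
"""
import heapq
from copy import deepcopy


def build_topology():
    """Directed SPF graph: router -> network edges carry the outbound interface
    cost, network -> router edges are free, as in OSPF's link-state graph."""
    graph = {}

    def interface(router, network, cost):
        graph.setdefault(router, {})[network] = cost
        graph.setdefault(network, {})[router] = 0

    interface("A", "LAN1", 1)
    interface("B", "LAN1", 1)
    interface("C", "LAN1", 1)
    interface("B", "LAN2", 5)     # B's link to LAN2: low cost, high capacity
    interface("C", "LAN2", 10)    # C's link to LAN2: higher cost, lower capacity
    interface("D", "LAN2", 1)
    return graph


def shortest_path(graph, src, dst):
    """Dijkstra's algorithm, the SPF computation OSPF runs on its database.
    Returns (total cost, [hops]) or None when dst is unreachable."""
    dist, prev = {src: 0}, {}
    heap = [(0, src)]
    while heap:
        cost, node = heapq.heappop(heap)
        if cost > dist.get(node, float("inf")):
            continue                      # stale heap entry
        if node == dst:
            break
        for nxt, weight in graph.get(node, {}).items():
            new_cost = cost + weight
            if new_cost < dist.get(nxt, float("inf")):
                dist[nxt], prev[nxt] = new_cost, node
                heapq.heappush(heap, (new_cost, nxt))
    if dst not in dist:
        return None
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return dist[dst], path[::-1]


def link_failure(graph, router, network):
    """Return a copy of the graph with one router interface down, as OSPF
    would recompute after the link-state change has been flooded."""
    failed = deepcopy(graph)
    failed.get(router, {}).pop(network, None)
    failed.get(network, {}).pop(router, None)
    return failed


def reroute_demo():
    """A to D before and after B loses its link to LAN2."""
    topology = build_topology()
    before = shortest_path(topology, "A", "D")                            # (6, via B)
    after = shortest_path(link_failure(topology, "B", "LAN2"), "A", "D")  # (11, via C)
    return before, after


if __name__ == "__main__":
    print(reroute_demo())
```

With these costs A reaches D for 6 through B; once B's LAN2 interface is removed the only remaining path costs 11 and runs through C, which is the rerouting the text describes. Because every router computes the same result from the same database, the costs chosen for an interface shape traffic network-wide, not just at the router that configures them.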
information can be tagged, where the source of the information is identified and stored along with the route information. Statements in the Control class of the /etc/gated.conf file control the importing of routes from routing protocols to a gated forwarding table and the exporting of routes from the gated forwarding table. See “Importing and Exporting Routes” on page 377.
only the OSPF internal cost to the AS border router.
    Default: 1

• exportlimit specifies the rate that ASE routes are imported into the gated routing table for each exportinterval (see below).
    Default: 100 (ASE routes)
    Range: 0 - 65535

• exportinterval specifies the interval, in seconds, between ASE exports into OSPF.
    Default: 1 (second)
    Range: 0 - 2147483647

Sample OSPF Configuration

Figure 8-13 shows an example of two areas.
Figure 8-13  OSPF Sample Configuration (Area 1, non-stub: router A at 193.2.1.35 and router B at 193.2.1.33 on LAN 1, network 193.2.1.32, with B’s backbone interface 15.13.115.156; Area 2, stub: router B at 193.2.1.17 and router C at 193.2.1.20 on LAN 2, network 193.2.1.16)

A: Internal Router (Non-Stub Area)

Set up /etc/gated.conf as follows:

    # Router A Configuration (non-stub area)
    OSPF yes {
        area 0.0.0.1 {
            interface 193.2.1.
                routerdeadinterval 20 ;
                retransmitinterval 10 ;
            } ;
        } ;
    } ;

Note that the configuration shown above is for a multicast interface. For an NBMA interface, the configuration in /etc/gated.conf would be set up as follows:

    # Router A Configuration (non-stub area)
    OSPF yes {
        area 0.0.0.1 {
            interface 193.2.1.35 nonbroadcast cost 5 {
                routers {
                    193.2.1.
                retransmitinterval 10 ;
            } ;
        } ;
        area 0.0.0.2 {
            interface 193.2.1.17 cost 5 {
                priority 15 ;
                enable ;
                hellointerval 5 ;
                routerdeadinterval 20 ;
                retransmitinterval 10 ;
            } ;
        } ;
        backbone {
            interface 15.13.115.156 cost 5 {
                enable ;
                priority 10 ;
                hellointerval 5 ;
                routerdeadinterval 20 ;
                retransmitinterval 10 ;
            } ;
        } ;
    } ;

C: Internal Router (Stub Area)

Set up /etc/gated.conf as follows:

    OSPF yes {
        area 0.0.0.2 {
            stub cost 5 ;
            interface 193.2.1.
Accessing the OSPF MIB

HP’s gated also provides ospfagt, an OSPF Simple Network Management Protocol (SNMP) subagent that supports the OSPF MIB (Management Information Base) (see RFC 1253). The ospfagt subagent works with the HP SNMP Agent, snmpdm. If you are using an SNMP manager utility to manage your network, such as HP’s OpenView Network Node Manager, you may also want to use HP’s OSPF SNMP subagent.
Configuring the Router Discovery Protocol (RDP)

The Router Discovery Protocol (RDP) is a standard protocol that is used to inform hosts of the presence of routers they can send packets to. RDP is intended to be used in place of hosts wiretapping routing protocols (for example, RIP). It is used instead of, or in addition to, having statically configured default routes in hosts.
255.255.255.255, the advertisements contain all IP addresses configured on the physical interface. If advertisements are being sent to a net or subnet broadcast, only that net’s or subnet’s address is included in the advertisement. An example of the routerdiscovery server statement is shown below. In the example, the server is being enabled on physical interfaces lan0 and lan2, and the IP addresses 193.2.1.17, 193.2.1.33, and 193.2.1.
that router. The host also deletes any routes it learned from ICMP redirects pointing to the invalid addresses. Also, if a Router Advertisement is not received before the addresses it lists become invalid (that is, before its lifetime expires), the routes learned from that router are deleted by the host. An example of the routerdiscovery client statement is shown below.
Customizing Routes

gated maintains a complete routing table in the user space, and keeps the kernel routing table synchronized with that table. This section describes statements for setting up customized routes in the Static class of the gated configuration file, /etc/gated.conf. These statements can be used to specify default routers, static routes, passive interfaces, and routing metrics for interfaces.
Setting Interface States

gated times out routes that pass through interfaces that are not receiving any RIP, OSPF, or BGP packets. The passive clause in the interface statement in the Static class prevents gated from changing the preference of a route to the interface if routing information is not received for the interface. We recommend that you use the passive clause for all interfaces in HP-UX machines.
Specifying Tracing Options

Trace options specify the desired level of tracing output from gated. Tracing output provides useful system information for setting up a node on the network. Use trace options if you are setting up a node and want a certain type of tracing sent to a log file. You can specify tracing in the following ways:

• In a Protocol statement in the /etc/gated.conf configuration file.
• In the Trace class of the /etc/gated.conf configuration file.
Table 8-3  Protocol-Related Global Trace Options for gated Configuration Files

    Option    Effect
    task      Traces the system interface and processing that is associated with this protocol or peer.
    timer     Traces the timer usage by this protocol or peer.
    route     Traces all routing table changes for routes installed by this protocol or peer.
    general   A combination of normal and route.
    all       Enables all of the above tracing options.
Specifying Route Preference

gated maintains a routing table that consists of route information learned from OSPF and from other active routing protocols, such as RIP or EGP. You can also configure static routes in the /etc/gated.conf file with one or more static clauses. (See “Installing Static Routes” on page 370.) The gated routing pool can therefore contain multiple routes to a single destination.
Table 8-4  Default Preference Values of Routes

    Route Type                  Preference   /etc/gated.conf Configuration
    Static Routes               60           Can be changed in static statement in Static class.
    RIP                         100          Can be changed with import statement in Control class.
    Point-to-point interface    110          Can be changed with interface statement in Interface class.
    “Down” interface            120          Can be changed with interface statement in Interface class.
Routers Only)” on page 360. ASE routes are imported into OSPF with a default preference of 150.

• In an import statement in the Control class of the /etc/gated.conf file. This preference definition overrides any preference defined in the defaults section of the OSPF protocol configuration. See “AS External Routes (AS Boundary Routers Only)” on page 360 and “Importing and Exporting Routes” on page 377.
Importing and Exporting Routes

The import and export control statements allow you to propagate routes from one routing protocol to another. Routes are imported into a gated forwarding table and exported out to the routing protocols. Type man 4 gated.conf for more information on import and export statements.

import Statements

import statements restrict or control how routes are imported to the gated forwarding table.
Examples of import and export Statements

The following import statement imports a BGP route for network 195.1.1 to the gated forwarding table with a preference of 15:

    import proto bgp as 1 {
        195.1.1 mask 0xffffff00 preference 15 ;
    } ;

The following export statement exports to OSPF the ASE route that was imported to the gated forwarding table in the example above. The route was originally built by BGP and the destination of the route is network 195.1.1.
Starting gated

1. Set the environment variable GATED to 1 in the file /etc/rc.config.d/netconf. This causes gated to start automatically whenever the system is booted.

2. Reboot your system, or issue the following command to run the gated startup script:

    /sbin/init.d/gated start

Command line arguments for starting gated may be specified with the GATED_ARGS environment variable in the file /etc/rc.config.d/netconf.
    /usr/bin/ps -ef | /usr/bin/grep gated

This command reports the process identification (PID), current time, and the command invoked (gated).
Troubleshooting gated

If gated is not operating properly, use this section to identify and correct the problem.

Troubleshooting Tools and Techniques

This section describes the available tools for general troubleshooting of gated.

Checking for Syntax Errors in the Configuration File

After creating or modifying a gated configuration file, you should start gated from the command line with the -C option.
the HP-UX prompt. Once tracing is started to a file, the trace file can be rotated. Receipt of a SIGUSR1 signal causes gated to stop tracing and closes the trace file. The trace file can then be moved out of the way. To send a SIGUSR1 signal to gated, issue one of the following commands:

    /usr/bin/kill -SIGUSR1 pid

or

    /usr/bin/kill -USR1 pid

where pid is gated’s process ID, determined by invoking the command ps -ef | grep gated.
you may need to use the -p option. This option causes ripquery to initially send POLL commands and then, if there is no response, send RIP request commands. The default query (POLL commands) sent by ripquery may not be supported by all RIP routers. Type man 1M ripquery at the HP-UX prompt for more information.
started with this configuration:

trace_on: Tracing to "/tt" started
Tracing flags enabled: general
parse: conf.tt:4 Interface not found at 'lan3'
parse_parse: 2 parse errors
Exit gated[15941] version @(#)Revision: 1.0 based on Cornell GateD R3_5Beta_3

Interface Configuration without strictintfs Option Specified

The following configuration references a non-existent interface, but does not include the strictintfs option.
proto: RIP State:
lan0 Index 2 Address 802.2 8:0:9:1b:da:1f
  Change: <> State: <> Refcount: 2 Up-down transitions: 0
  15.13.119.134 Metric: 0 Refcount: 6 Change: <> MTU: 1436 Preference: 0 Down: 120 State:
  Broadcast Address: 15.13.119.255 Subnet Number: 15.13.112 Mask: 255.255.248 Subnet
lan2 Index 3 Address 802.2 8:0:9:3d:2c:b1
  Change: <> State: <> Refcount: 2 Up-down transitions: 0
  198.1.1.
network interface).

Problem 2: gated deletes routes from the routing table

gated maintains a complete routing table in user space, and keeps the kernel routing table synchronized with its table. When gated starts, it reads the entries in the kernel routing table. However, if gated does not get confirmation from its routing protocols (RIP, OSPF, etc.) about a route, it will delete the route from its tables and the kernel routing table.
on gated tracing. The tracing tells you which routers are advertising this route and the values attached to those routes.

Problem 4: gated does not add routes that you think it should

Tracking down this problem is much like the previous problem (problem 3, above). You expect one or more routers to advertise the route. Turn on gated tracing to verify that gated is receiving packets of the type of routing protocol you expect.
9 Configuring mrouted

mrouted (pronounced "M route D") is a routing daemon that forwards IP multicast datagrams, within an autonomous network, through routers that support IP multicast addressing. The routing protocol implemented by mrouted is the Distance-Vector Multicast Routing Protocol (DVMRP).
The ultimate destinations of multicast datagrams are host systems that are members of one or more multicast groups. Multicasting enables one-to-many and many-to-many communication among hosts and is used extensively in networking applications such as audio and video teleconferencing, where multiple hosts need to communicate simultaneously. This chapter contains information about how to configure and use version 3.8 of mrouted.
Overview of Multicasting

DVMRP

mrouted implements the Distance-Vector Multicast Routing Protocol (DVMRP). DVMRP is an Interior Gateway Protocol (IGP) used for routing multicast datagrams within an autonomous network. The primary purpose of DVMRP is to maintain the shortest return paths to the source of the multicast datagrams.
packet, is sent through the intervening, non-multicast network to R2. R2 receives the packet and removes the outer IP header, thereby restoring the original multicast packet. R2 then forwards the multicast packet through its network interface to node N.

other well-known permanent multicast groups are published in the "Assigned Numbers" RFC (RFC-1060, March 1990). IP multicast addresses can be used only as destination addresses and should never appear in the source address field of a datagram. It should also be noted that ICMP (Internet Control Message Protocol) error messages are not generated for multicast datagrams.

well as to poll the hosts to determine whether the host is still an active group member. IGMP uses IP datagrams to carry information and is a TCP/IP standard that must be present on all systems that participate in IP multicast. While IGMP defines a standard for communicating information, it does not define a standard for how the multicast information is propagated among multicast routers.
Configuring mrouted Configuring mrouted Configuring mrouted When the mrouted daemon is started, it automatically reads the default ASCII text configuration file /etc/mrouted.conf. You can override the default configuration file by specifying an alternate file when invoking mrouted; refer to “Starting mrouted” on page 399. If mrouted.conf is changed while mrouted is running, you can issue the HP-UX command kill -HUP to signal mrouted to reread the configuration file.
alternatively replaced by the interface name, such as lan0. If phyint is attached to multiple IP subnets, use the altnet option to describe each additional subnet (one altnet option for each subnet). The tunnel command can be used to establish a tunnel link between local IP address local-addr and remote IP address remote-addr (see figure below). It can also be used to associate a non-default metric or threshold value with that tunnel.

on the given interface or tunnel, and is used primarily to influence the choice of routes over which the datagram is forwarded; the larger the value, the higher the cost. Metrics should be kept as small as possible since mrouted cannot route along paths with a sum of metrics greater than 31. In general, you should use a metric value of 1 for all links unless you are specifically attempting to force traffic to take another route.

The primary use of the boundary option is to allow concurrent use of the same IP multicast address(es) on downstream subnets without interfering with multicast broadcasts using the same IP multicast address(es) on subnets that are upstream from the mrouted gateway. The cache_lifetime value determines the amount of time that a cached multicast route remains in the kernel before timing out.
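As an added example (not HP's or mrouted's code), the following parser reads the phyint, tunnel, altnet, boundary, metric, threshold and cache_lifetime settings described above from an mrouted.conf and flags metrics outside 1..31 or above the recommended value of 1. The exact statement syntax (one value per option, `disable` taking none, `#` comments) is assumed from mrouted 3.8, and the sample file is constructed.

```python
"""Parse and sanity-check an /etc/mrouted.conf (added example, not HP's or mrouted's code).

Statement syntax assumed from mrouted 3.8 (the page names only the keywords):
`phyint <addr|ifname> [options]`, `tunnel <local> <remote> [options]`,
`cache_lifetime <seconds>`, `pruning on|off`; every option takes one value
except `disable`. The sample file at the end is constructed for the example.
"""
from __future__ import annotations
from dataclasses import dataclass, field

MAX_METRIC_SUM = 31   # mrouted cannot route along paths whose metrics sum above this
_REPEATABLE = {"altnet": "altnets", "boundary": "boundaries"}  # may repeat per vif


@dataclass
class Vif:
    kind: str                       # "phyint" or "tunnel"
    local: str                      # local IP address, or interface name such as lan0
    remote: str | None = None       # remote endpoint, tunnels only
    metric: int = 1                 # default; the manual says keep it at 1
    threshold: int = 1              # TTL threshold (mrouted default)
    altnets: list[str] = field(default_factory=list)
    boundaries: list[str] = field(default_factory=list)
    disabled: bool = False


@dataclass
class MroutedConfig:
    vifs: list[Vif] = field(default_factory=list)
    cache_lifetime: int | None = None
    pruning: bool = True
    warnings: list[str] = field(default_factory=list)


def parse_mrouted_conf(text: str) -> MroutedConfig:
    cfg = MroutedConfig()
    for lineno, raw in enumerate(text.splitlines(), 1):
        tok = raw.split("#", 1)[0].split()      # '#' starts a comment
        if not tok:
            continue
        kw = tok[0]
        if kw == "cache_lifetime":
            cfg.cache_lifetime = int(tok[1])
        elif kw == "pruning":
            cfg.pruning = tok[1] == "on"
        elif kw in ("phyint", "tunnel"):
            if kw == "tunnel":
                vif, rest = Vif("tunnel", tok[1], tok[2]), tok[3:]
            else:
                vif, rest = Vif("phyint", tok[1]), tok[2:]
            i = 0
            while i < len(rest):
                opt = rest[i]
                if opt == "disable":
                    vif.disabled = True
                    i += 1
                    continue
                if i + 1 == len(rest):
                    cfg.warnings.append(f"line {lineno}: option {opt} has no value")
                    break
                val = rest[i + 1]
                if opt in ("metric", "threshold"):
                    setattr(vif, opt, int(val))
                elif opt in _REPEATABLE:
                    getattr(vif, _REPEATABLE[opt]).append(val)
                else:
                    cfg.warnings.append(f"line {lineno}: option {opt} not understood")
                i += 2
            cfg.vifs.append(vif)
        else:
            cfg.warnings.append(f"line {lineno}: statement {kw} not understood")
    return cfg


def check_metrics(cfg: MroutedConfig) -> list[str]:
    """Flag metrics outside 1..31, and metrics above 1, which the manual advises against."""
    problems = []
    for vif in cfg.vifs:
        name = f"{vif.kind} {vif.local}" + (f" -> {vif.remote}" if vif.remote else "")
        if not 1 <= vif.metric <= MAX_METRIC_SUM:
            problems.append(f"{name}: metric {vif.metric} outside 1..{MAX_METRIC_SUM}")
        elif vif.metric > 1:
            problems.append(f"{name}: metric {vif.metric} raises the path cost; "
                            "use 1 unless deliberately steering traffic elsewhere")
    return problems


# Constructed sample: a subnet interface with an extra subnet and a scoped
# boundary, a disabled interface, and two tunnels, one with a high metric.
SAMPLE_CONF = """\
phyint 15.13.119.134 altnet 15.13.120.0/21 boundary 239.0.0.0/8
phyint lan2 disable
tunnel 15.13.119.134 192.0.2.1 metric 1 threshold 32   # threshold raised on purpose
tunnel 15.13.119.134 198.51.100.7 metric 8
cache_lifetime 300
pruning on
"""
```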
Starting mrouted

mrouted is started from the HP-UX prompt or from within a shell script by issuing the following command:

/etc/mrouted [-p] [-c config_file] [-d debug_level]

The -p option disables pruning by overriding a pruning on statement within the /etc/mrouted.conf configuration file. This option should be used only for testing. The -c option overrides the default configuration file /etc/mrouted.conf. Use config_file to specify the alternate configuration file.
Verifying mrouted Operation

You can use one or more of the following methods to verify that mrouted is operating:

• Retrieve the Virtual Interface Table and the Multicast Routing Table to see if the correct virtual interfaces (vifs) are configured. Refer to "Displaying mrouted Routing Tables" on page 401 for information on retrieving these tables.
Displaying mrouted Routing Tables

There are three routing tables associated with mrouted. They are the Virtual Interface Table, the Multicast Routing Table, and the Multicast Routing Cache Table.

where pid is the process ID of the mrouted daemon. Refer to the "Example" section of the mrouted(1M) man page for an explanation of the contents of the mrouted routing tables. Refer to the "Signals" section of the mrouted(1M) man page for additional information about other signals to which mrouted responds.
Multicast Routing Support Tools

mrinfo

mrinfo is a multicast routing tool that requests configuration information from mrouted and prints the information to standard output. By default, configuration information for the local instance of mrouted is returned. You can override the default request to the local instance of mrouted by specifying an alternate router IP address or system name. Type man 1m mrinfo for additional information on using mrinfo.
Sources for Additional Information

RFC documents

Additional information pertaining to mrouted and IP multicast routing can be obtained from the following RFC (Request for Comment) documents. Refer to the section "Military Standards and Request for Comment Documents" within chapter 1 of this manual for information on accessing these documents:

• RFC 1075: "Distance-Vector Multicast Routing Protocol". This RFC has been obsoleted and has no successor.
10 Using rdist

This chapter contains information about how to use rdist, a program that distributes and maintains identical copies of files across multiple network hosts. System administrators can use rdist to install new or updated software on all machines in a network.
the following sections:

• "Overview" on page 407
• "Setting Up remsh" on page 409
• "Creating the Distfile" on page 412
• "Starting rdist" on page 418
• "Troubleshooting rdist" on page 422
Overview

To use rdist, one system in the network is designated as the master host. The master host contains the master copy of source files that are distributed to remote hosts. rdist software is installed as part of the operating system. It must reside in the /usr/bin directory on the master host and on the remote hosts that are to be updated. It must be owned by root and must have its access permissions set to rwsr-xr-x.
[Figure 10-1 Distributing Files with rdist: System A (Master Host) runs rdist with source files filea1, filea2 and filea3 and updates System B and System C, each running rdist. Its standard output reads:
updating host B
installing: filea1
installing: filea2
installing: filea3
updating host C
...]

Note that the rdist process does not prompt for passwords. The user on the master host who starts rdist (usually a system or network administrator) must have an account on the remote host and must be allowed remote command execution.
Setting Up remsh

rdist uses remsh as the mechanism for distributing files over the network. In order to use rdist, you must set up remsh on each of the remote hosts. Follow these steps:

1. On each of the remote hosts, create an entry for the master host in the $HOME/.rhosts file of the user who will run rdist. For example, if rdist will always be run by user root, create an entry for the master host in root's .rhosts file (/.rhosts) on each of the remote hosts.

2.
service_name module_type control_flag module_path options

Here are a few examples of entries you may find in a PAM configuration file:

dtlogin auth     required /usr/lib/security/libpam_unix.1 debug
dtlogin account  required /usr/lib/security/libpam_unix.1
OTHER   auth     optional /usr/lib/security/libpam_unix.1

The service_name refers to the service.
to authenticate the users. For every service (like rexec and remsh), it is possible to have more than one entry in the /etc/pam.conf file for each of the module types available. Refer to the pam.conf manpage for more information.

Enabling DCE Integrated Logging Authentication

To enable the DCE integrated logging authentication mechanism, add the following line to the /etc/pam.conf file:

rcomds auth required /usr/lib/security/libpam_dce.
Creating the Distfile

The distfile used by the master host contains a sequence of entries that specify the files to be copied, the destination hosts, and the operations to be performed to do the updating. Since a distfile is an ASCII file, you can create it with any text editor. If you are familiar with the make program, the structure of a distfile is somewhat similar to a makefile.
Spaces or tabs immediately to the left and right of the "=" are ignored. Subsequent appearances of ${variable_name} in the distfile (except in comments) are replaced by name_list. (Braces can be omitted if variable_name consists of just one character.) Variable definitions can also be specified in the command line when invoking rdist; variable definitions in the command line override definitions in the distfile (see "Starting rdist" on page 418).

[label:] source_list -> destination_list command_list ;

label: is optional and is used to group command entries. You can use labels to perform a partial update. Normally, rdist updates all the files and directories listed in a distfile. You can invoke rdist with a specific label; in this case, rdist executes only the entries under the specified label.
10-1. Each command must end in a semicolon (;).

Table 10-1 Distfile Commands

install
  Copies source files/directories to each host in the destination list. Any of the following options can be specified:
  -b performs a binary comparison and updates files if they differ. Without this option, rdist updates files only if the size or modification time differs.
  -h follows symbolic links on the master host and copies the file(s) that the link points to.
special [file] "command"
  Specifies command(s) that are to be executed on the remote host after each specified file is updated or installed. Used to rebuild databases and configuration files after a program has been updated. If file is not specified, command is performed for every updated file. command can contain multiple commands, each separated by semicolons.
Changed Files List Commands

The third type of distfile entry is used to make a list of files that have been changed on the master host since a specified date. The format for this type of entry is as follows:

[label:] source_list :: timestamp_file command_list ;

label: and source_list are specified in the same manner as in the entries to distribute files. timestamp_file is a file on the local host, whose modification time is used as a timestamp.
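As an added example (not HP's or rdist's code), this parser reads the distfile constructs described in this section: variable definitions with ${name} expansion (braces optional for one-character names), labelled `->` distribution entries, `::` changed-files entries, and install, special and notify commands each ending in a semicolon. Parenthesised lists, `#` comments, quoted strings as single tokens and the except/except_pat keywords are assumptions about rdist syntax not shown on the page; the sample distfile is constructed and reuses the host and file names from this chapter.

```python
"""Parse an rdist distfile into variables and entries (added example, not HP's or rdist's code).

Assumed rdist syntax beyond what the page shows: lists are parenthesised, `#`
starts a comment, a double-quoted string is one token, and the command
keywords are install, notify, except, except_pat and special.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

COMMANDS = {"install", "notify", "except", "except_pat", "special"}
_TOKEN = re.compile(r'"[^"]*"|->|::|[();=]|[^\s();="]+')
_VARREF = re.compile(r"\$\{(\w+)\}|\$(\w)")   # ${NAME}, or $N for one-character names


@dataclass
class Entry:
    label: str | None
    sources: list[str]
    op: str                     # "->" distributes files; "::" lists files changed since timestamp
    targets: list[str]          # destination hosts, or the single timestamp file
    commands: list[list[str]]   # e.g. ["install", "-b"], ["special", "cc"], ["notify", "root"]


def tokenize(text: str) -> list[str]:
    tokens: list[str] = []
    for raw in text.splitlines():
        tokens += _TOKEN.findall(raw.split("#", 1)[0])
    return tokens


def expand(word: str, variables: dict[str, list[str]]) -> list[str]:
    """Replace a ${variable_name} reference with its name_list; other words pass through."""
    m = _VARREF.fullmatch(word)
    if not m:
        return [word]
    name = m.group(1) or m.group(2)
    if name not in variables:
        raise ValueError(f"undefined variable {name}")
    return list(variables[name])


def parse_distfile(text: str) -> tuple[dict[str, list[str]], list[Entry]]:
    variables: dict[str, list[str]] = {}
    entries: list[Entry] = []
    tok = tokenize(text)
    i = 0

    def read_list() -> list[str]:
        # Either `( a b c )` or a single word; variable references are expanded.
        nonlocal i
        items: list[str] = []
        if tok[i] == "(":
            i += 1
            while tok[i] != ")":
                items += expand(tok[i], variables)
                i += 1
        else:
            items += expand(tok[i], variables)
        i += 1                                           # consume ')' or the word
        return items

    while i < len(tok):
        if i + 1 < len(tok) and tok[i + 1] == "=":      # variable_name = name_list
            name = tok[i]
            i += 2
            variables[name] = read_list()
            continue
        label = None
        if tok[i].endswith(":"):                         # optional label: for partial updates
            label = tok[i][:-1]
            i += 1
        sources = read_list()
        op = tok[i]
        if op not in ("->", "::"):
            raise ValueError(f"expected -> or :: but found {op!r}")
        i += 1
        targets = read_list()
        commands: list[list[str]] = []
        while i < len(tok) and tok[i] in COMMANDS:       # each command ends in ';'
            cmd: list[str] = []
            while tok[i] != ";":
                cmd += expand(tok[i].strip('"'), variables)
                i += 1
            i += 1
            commands.append(cmd)
        entries.append(Entry(label, sources, op, targets, commands))
    return variables, entries


SAMPLE_DISTFILE = """\
# constructed distfile: distribute a program source to two hosts and rebuild it there
HOSTS = ( lassie benji )
FILES = ( /usr/local/src/myprog.c /usr/local/etc/myprog.conf )
ADMIN = bentley@tbear
programs: ${FILES} -> ${HOSTS}
        install -b ;
        special /usr/local/src/myprog.c "cc -o /usr/local/bin/myprog /usr/local/src/myprog.c" ;
        notify ${ADMIN} ;
changed: ${FILES} :: /var/adm/rdist.stamp
        notify ${ADMIN} ;
"""
```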
Starting rdist

After creating the distfile on the master host, you can start rdist from the command line or from a cron file. rdist must be run as root on the master host. There are two forms of the rdist command syntax. One form is the following:

/usr/bin/rdist [-b] [-h] [-i] [-n] [-q] [-R] [-v] [-w] [-y] [-d var=value] [-f distfile] [-m host] ... [label]

-d var=value sets the value of the variable var to value.
Other options are listed in Table 10-2.

Table 10-2 rdist Command Line Options

-b  Performs a binary comparison and updates files if they differ. Without this option, rdist updates files only if the size or modification time differs.
-h  Follows symbolic links on the master host and copies the file(s) that the link points to. Without this option, rdist copies the name of a symbolic link.
-i  Ignores unresolved links.
% /usr/bin/rdist
updating host lassie
installing: myprog.c
special "cc"
notify @lassie (bentley@tbear)
updating host benji
installing: myprog.c
special "cc"
notify @benji (bentley@tbear)

Authentication for remsh and rexec Services

Pluggable Authentication Modules (PAM) for authentication is supported on HP-UX. PAM support enables users who are not listed in the /etc/passwd file to use the rexecd and remshd services.

configuration information for authenticating users. Adding the lines above tells rexec and remsh to use the UNIX authentication mechanism to authenticate the users. For every service (like rexec and remsh), it is possible to have more than one entry in the /etc/pam.conf file for each of the module types available.
Troubleshooting rdist

Errors, warnings, and other messages are sent to standard output on the master host. Use the notify command to mail a list of files updated and errors that may have occurred to the specified users on the remote host being updated. To mail the list to a user that is not on the remote host, make sure that you specify the mail recipient as user@host.

NOTE The -M command line option may not be supported by non-HP rdist implementations.
11 Secure Internet Services

Before HP-UX 11.0, alternative versions of the Internet Services ftp, rcp, remsh, rlogin, and telnet were provided by the optionally installable Secure Internet Services product (InternetSvcSec).

authorization. Beginning with HP-UX 11.0, the Secure Internet Services product is replaced by the Secure Internet Services mechanism, which incorporates Kerberos V5 Release 1.0 authentication and authorization for the above services. The Secure Internet Services mechanism is part of the Internet Services product. So, if you want to use the Kerberos authentication, you just need to enable that mechanism, instead of installing a separate product.
Overview of the Secure Internet Services

Network security concerns are becoming increasingly important to the computer system user. The purpose of the Secure Internet Services is to allow the user greater security when running these services. When an Internet Services client connects to the server daemon, the server daemon requests authentication.

the Secure Internet Services mechanism enabled, you can use a special command line option to bypass Kerberos authentication to access those remote systems. However, if a password is required to access the system, the password is sent in a readable form over the network. See "Bypassing and Enforcing Kerberos Authentication" on page 458 for more information.
Overview of the Secure Environment and the Kerberos V5 Protocol

This section gives an overview of the secure environment in which the Secure Internet Services operate, including a simplified overview of the Kerberos V5 authentication protocol and related Kerberos concepts. Kerberos, originally developed by MIT, refers to an authentication protocol for open network computing environments.
[Figure 11-1 The Secure Environment and the Kerberos V5 Protocol: (A) Security Server containing the KDC with its AS and TGS; (B) Security Client Runtime (e.g., kinit, klist); (C) Security Client running an Application Client (e.g., ftp, telnet); an Application Server node; numbered exchanges 1 through 6 between them.]
• Application server (D in Figure 11-1): A Secure Internet Services daemon (ftpd, remshd, rlogind, or telnetd).

• Security client runtime (B in Figure 11-1): A Kerberos command (kinit, klist, or kdestroy). Security clients communicate with the security server for authentication.

Note that none of the components of the Kerberos environment are restricted to run on a specific type of system.
When users invoke one of the Secure Internet Services, they enter the usual command along with any desired command options. From a user's perspective, using the Internet Services with the Secure Internet Services mechanism enabled is virtually identical to using them without the mechanism enabled. The only difference is that the user is not prompted for a password.

To summarize,

• The user obtains a TGT from the AS portion of the KDC when it first issues the kinit, dce_login, or dess_login command to the KDC.

• When the user invokes a Secure Internet Service, the client requests a service ticket from the TGS portion of the KDC. It obtains this service ticket by presenting the TGT and other credentials to the TGS portion of the KDC.
be lowercase. It appears as a prefix and has a leading "/.../" in a principal name (/.../my_kdc_cell.com/david).

Domains

A P/SS domain defines an administrative structure and is equivalent to a Kerberos realm and an HP DCE cell. Like an HP DCE cell, its name must be lowercase. It appears as a prefix and has a leading "/.../" in a principal name (/.../my_domain/david).
• HP DCE: /.../my_kdc_cell/susan
• HP P/SS: /.../my_domain/susan

Service Principal Names

A service principal name is a principal name that authorizes an application server to use a particular service. For ftp, the service principal name is ftp (as a first choice) or host (as an acceptable second choice). Note that the actual name is host; it is not meant to be replaced by a host name.
In this example, susan is the login user. Both of the following requirements must be met for authorization to succeed:

• The login user must have an entry in the /etc/passwd file on the host where the application server is running.

• One of the following three conditions must be met:

— A $HOME/.
-f option is specified when kinit is run, the TGT for the local system can be forwarded to the remote system. Then clients do not need to re-authenticate themselves from the remote system to the KDC. HP DCE clients can use dce_login -f to enable forwarding. However, HP P/SS clients must use kinit -f to enable forwarding because the dess_login utility does not have an option for ticket attributes.

illustrate possible KDC/client configurations. The paragraphs following the figures describe the nodes in more detail and also discuss interoperability among the nodes.
[Figure 11-3 Client Interoperability with Non-HP Kerberos V5 KDCs: nodes (D), (E) and (G) are a Non-HP Kerberos V5 KDC, HP Kerberos Clients* with the HP Secure Internet Services, and Non-HP Kerberos Clients* with Non-HP Secure Internet Services.]

* "Clients" are security clients. They can be application clients or application servers.

Figure 11-3 illustrates which security clients can interoperate in configurations using non-HP Kerberos V5 KDCs.
• The HP P/SS can be configured to run with security clients using the Secure Internet Services and fulfill the role of the KDC. An HP P/SS security server node runs the HP P/SS security daemon secd. This node can be configured as the only member of a single-node P/SS domain, or as a member of a multi-node domain with HP P/SS clients.

The Kerberos utilities kinit, klist, and kdestroy are supplied by HP on this client. However, this client generally obtains credentials using the dess_login command, instead of the Kerberos kinit command. This client can use dcecp and other administrative tools for Kerberos-related management tasks.

Generally, configurations that contain non-HP security clients will interoperate securely with configurations that include the HP Secure Internet Services, provided all of the following things are true:

• The Kerberos utilities kinit, klist, and kdestroy are based on Kerberos V5.

• Secure versions of rcp/remshd, remsh/remshd, rlogin/rlogind, and telnet/telnetd either are implemented with Kerberos V5 Release 1.
Configuration and Kerberos Version Interoperability Requirements

The main purpose of this chapter is to provide information required specifically for the Secure Internet Services. However, since the successful usage of the Secure Internet Services requires a correctly configured secure environment, this section discusses some general requirements of the secure environment.
This file is automatically created when the client is configured into the HP DCE cell (for HP DCE clients) or the HP P/SS domain (for HP P/SS clients). Additional entries can be added manually.

• A realms file named /krb5/krb.realms. This file is used to associate host names to realm or cell names. Suggested ownership and permissions for this file are root, sys, -r--r--r--.

• A keytab file named /krb5/v5srvtab.

• The configuration file and realms file are combined into one configuration file with a new format. The new configuration file is named /etc/krb5.conf. The /etc/krb5.conf file specifies (1) defaults for the realm and for Kerberos applications, (2) mappings of host names onto Kerberos realms, and (3) the location of KDCs for the Kerberos realms. For HP DCE clients, the /etc/krb5.

If the above entries need to be added to or changed in the configuration file, you must make the additions or changes manually (use the text editor of your choice).

• The keytab file is named /etc/krb5.keytab. Note that, when an HP DCE or HP P/SS cell is configured, the keytab file is created automatically, but it is given the V5 Beta 4 name (/krb5/v5srvtab).

• The V5 Beta 4 configuration file, realms file, and keytab file must exist, and the V5-1.0 configuration file and keytab file must exist, as explained in "Beginning with HP-UX 11.0" on page 444.

• A $HOME/.k5login file must exist in each login user's home directory. This file must be owned by the login user, and only the login user can have write permission.
System Requirements for the Secure Internet Services

The system requirements for the Secure Internet Services mechanism are shown in Table 11-1 below.

Table 11-1 Secure Internet Services System Requirements

Hardware Requirements: HP 9000 system
Software Requirements: HP-UX 11.0
Disk Space: No additional disk space is required.
Memory: No additional memory is required.
Configuring the Secure Internet Services

Provided that the general secure environment configuration requirements have been met (see "Configuration and Kerberos Version Interoperability Requirements" on page 443), the tasks required specifically for configuring the Secure Internet Services are described below.

The KDC

A properly configured KDC must be running for the Secure Internet Services to work.
#login stream tcp nowait root /usr/lbin/rlogind rlogind

CAUTION If the shell line is commented out, the rdist command will no longer work.

4. If you modified the /etc/inetd.conf file, run the inetd -c command to force inetd to reread its configuration file.

5. Repeat steps 1-4 for all systems where security clients are running.
Migrating Version 5 Beta 4 Files to Version 5 Release 1.0

To convert and combine the Version 5 Beta 4 /krb5/krb.conf configuration file and the /krb5/krb.realms realms file into the Version 5 Release 1.0 /etc/krb5.conf configuration file, run the convert_krb_config_files migration tool. The steps to follow are listed below.

NOTE You must run the migration tool on each client (HP DCE, HP P/SS, and HP Kerberos).

1.
Enabling the Secure Internet Services Mechanism

To use Kerberos authentication instead of the default UNIX (user/password) authentication, follow these steps to enable the Secure Internet Services mechanism:

1. Log in as root on the system where you want to enable the mechanism.

2. Type this command:

/usr/sbin/inetsvcs_sec enable

The system file /etc/inetsvcs.conf is updated with the entry kerberos true.

Disabling the Secure Internet Services Mechanism

To disable the Secure Internet Services mechanism (and return to using the default UNIX authentication), follow these steps:

1. Log in as root on the system where you want to disable the mechanism.

2. Type this command:

/usr/sbin/inetsvcs_sec disable

The system file /etc/inetsvcs.conf is updated with the entry kerberos false.

Checking the Current Authentication Mechanism

To determine which authentication mechanism is currently in use, follow these steps:

1. Log in as root on the system where you want to check the mechanism.

2. Type this command:

/usr/sbin/inetsvcs_sec status

The name of the authentication mechanism currently in effect is displayed.
Verifying the Secure Internet Services

The tasks you should do if you want to verify that the Secure Internet Services have been configured correctly are described in the paragraphs below.

Secure Environment Checklist

The following is a quick checklist to verify that the secure environment is properly configured.

1. On the KDC, issue a ps -ef command and verify that the necessary security server executables are running.

validation application, krbval. The krbval tool checks for proper configuration of security clients. It can be used to "ping" a particular realm's KDC. It can also check the keys in the keytab file for agreement with the KDC. By acting as a client/daemon service itself, it can further assist in verifying the correctness of the configuration. For more information refer to the krbval(1M) man page.
Using the Secure Internet Services

Some things you, as network or system administrator, should be aware of, regarding how end users might use the Secure Internet Services, are described in the paragraphs below.

Overview of the User's Session

• Users must issue a kinit (for HP DCE clients, a dce_login, or for HP P/SS clients, a dess_login) command so that they get a TGT from the KDC (for example, kinit amy@realm1.com).
Bypassing and Enforcing Kerberos Authentication

Depending on how certain options are used with these services, the Secure Internet Services clients will still be able to access non-secure remote hosts, and the daemons will still be able to accept requests from non-secure clients. To access a non-secure remote system on the network, users can use the -P option when issuing the client command to bypass Kerberos authentication.

— rlogin accesses rlogind through the new port specified by the /etc/services entry klogin when operating as a secure client. If you invoke rlogin with the -P option, or if you run rlogin without the Secure Internet Services mechanism enabled, then rlogin will behave as a non-secure client and access rlogind through the login port.
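As an added example (not HP's code and not the krbval tool), the following checks turn three rules from this chapter into code that runs over file contents already read from disk: whether /etc/inetsvcs.conf carries kerberos true, which of the login (non-secure) and klogin (Kerberos) rlogind entries in /etc/inetd.conf are active and on which /etc/services ports, with the shell line checked because rdist depends on it, and whether a $HOME/.k5login is owned by the login user and writable only by that user. The file contents and the klogin inetd.conf line are constructed for the example.

```python
"""Checks for the Secure Internet Services client environment (added example; not HP's krbval).

It applies three rules from this chapter to file contents already read from
disk: the `kerberos true|false` entry in /etc/inetsvcs.conf, the login/klogin/
shell entries in /etc/inetd.conf with their ports from /etc/services, and the
ownership and permissions required of $HOME/.k5login. Samples are constructed.
"""
import stat


def kerberos_mechanism_enabled(inetsvcs_conf: str) -> bool:
    """True when /etc/inetsvcs.conf carries `kerberos true`, as written by inetsvcs_sec enable."""
    for raw in inetsvcs_conf.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) == 2 and fields[0] == "kerberos":
            return fields[1].lower() == "true"
    return False


def service_ports(services: str) -> dict[str, int]:
    """Map service names to TCP port numbers from /etc/services text."""
    ports: dict[str, int] = {}
    for raw in services.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[1].endswith("/tcp"):
            ports[fields[0]] = int(fields[1].split("/")[0])
    return ports


def inetd_services(inetd_conf: str) -> dict[str, bool]:
    """For every service line in /etc/inetd.conf, active or commented out, record whether it is enabled."""
    state: dict[str, bool] = {}
    for raw in inetd_conf.splitlines():
        line = raw.strip()
        fields = line.lstrip("#").split()
        # service_name socket_type protocol wait/nowait user server_path args
        if len(fields) >= 6 and fields[1] in ("stream", "dgram"):
            state[fields[0]] = not line.startswith("#")
    return state


def rlogin_exposure(inetd_conf: str, services: str) -> list[str]:
    """Report which rlogind entry points are open, and whether rdist (which needs shell) still works."""
    state = inetd_services(inetd_conf)
    ports = service_ports(services)
    notes = []
    checks = (("klogin", "Kerberos-authenticated rlogin"),
              ("login", "non-secure rlogin; any password crosses the network readable"))
    for svc, meaning in checks:
        if state.get(svc):
            notes.append(f"{svc} ({meaning}) is accepted on tcp/{ports.get(svc, '?')}")
    if not state.get("shell"):
        notes.append("shell is commented out: rdist to this host will no longer work")
    return notes


def k5login_problems(owner_uid: int, login_uid: int, mode: int) -> list[str]:
    """Apply the .k5login rule: owned by the login user, and only that user may have write permission."""
    problems = []
    if owner_uid != login_uid:
        problems.append(f".k5login is owned by uid {owner_uid}, not by login uid {login_uid}")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append(f".k5login mode {stat.S_IMODE(mode):04o} grants write to group or other")
    return problems


# Constructed samples: mechanism enabled, login commented out, klogin and shell active.
SAMPLE_INETSVCS_CONF = "kerberos true\n"
SAMPLE_SERVICES = "login 513/tcp\nshell 514/tcp cmd\nklogin 543/tcp\n"
SAMPLE_INETD_CONF = """\
#login  stream tcp nowait root /usr/lbin/rlogind rlogind
klogin  stream tcp nowait root /usr/lbin/rlogind rlogind
shell   stream tcp nowait root /usr/lbin/remshd  remshd
"""
```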
Secure Internet Services Troubleshooting the Secure Internet Services Troubleshooting the Secure Internet Services Some guidelines for you to follow when you troubleshoot the Secure Internet Services are described below. The Verification Checklist Go through the checklist described in the section “Verifying the Secure Internet Services” on page 455: • Verify that the secure environment is correct. • Verify that the Secure Internet Services mechanism was successfully enabled.
Secure Internet Services Sources for Additional Information Sources for Additional Information Listed below are some other resources where you can find more information about Secure Internet Services. Additional HP Documentation Other Hewlett-Packard documentation that provides Secure Internet Services information is as follows: • Using HP DCE 9000 Security with Kerberos Applications Available in postscript and ASCII form in the directory /opt/dce/newconfig/RelNotes/ in the files krbWhitePaper.
Secure Internet Services Sources for Additional Information 462 Chapter 11
12 Troubleshooting Internet Services

Troubleshooting data communications problems may require you to investigate many hardware and software components.

can be quickly identified and resolved. These include invalid software installation, version incompatibilities, insufficient HP-UX resources, corrupt configuration shell scripts, and programming or command errors. Other problems require more investigation. Once identified, most problems can be resolved by the programmer, user, or node manager, using the suggestions in this chapter or the error messages documented in the link installation manuals.

Chapter Overview

The strategy and tools to use while investigating the software and hardware components are provided in this chapter.

Characterizing the Problem

It is important to ask questions when you are trying to characterize a problem. Start with global questions and gradually get more specific. Depending on the response, ask another series of questions until you have enough information to understand exactly what happened.

These are symptoms that would lead you to suspect the software:

• Network services errors returned to users or programs.
• Data corruption.
• Logging messages at the console.

Knowing what has recently changed on your network may also indicate whether the problem is software-related or hardware-related.

Diagnostic Tools Summary

The most frequently used diagnostic tools are listed below. These tools are documented in the link installation manuals.

Table 12-1 Diagnostic Tools

  netstat    A nodal management command that returns statistical information regarding your network.
  landiag    A diagnostic program that tests LAN connections between HP 9000 computers.
  linkloop   A diagnostic program that runs link-level loopback tests between HP 9000 systems.

Diagnosing Repeater and Gateway Problems

If you are using a repeater and hosts on either side of the repeater are having difficulty communicating with each other, a repeater subsystem failure may have occurred. In the illustration below, all of the systems on side A are able to communicate with one another. All the systems on side B are able to communicate with each other.

  x25stat -f -d /devicefile

For more information on troubleshooting gateways, refer to the appropriate link manual. For information on repeaters, refer to the HP-PB LAN Interface Controller (LANIC) Installation Manual.

Flowchart Format

The flowcharts in this chapter each have a corresponding set of labeled explanations. You can follow the flowcharts alone or follow the flowcharts and read the explanations for more detail. The explanations are on the pages that follow each flowchart.

Troubleshooting the Internet Services

When troubleshooting problems with the Internet Services, you need a reference point to work from. For example, does the problem exist on the remote system or on the local system? However, the terms “local” and “remote” are limited in their description of complex communications, such as when a local system logs onto a remote system and then the remote system logs back onto the local system.

consult for a description of the error messages:

Table 12-2 Reference Pages for Error Messages

  Service    Client              Server
  telnet     telnet(1)           telnetd(1M)
  ftp        ftp(1)              ftpd(1M)
  rlogin     rlogin(1)           rlogind(1M)
  remsh      remsh(1)            remshd(1M)
  rcp        rcp(1)              remshd(1M)
  ruptime    ruptime(1)          rwhod(1M)
  rwho       rwho(1)             rwhod(1M)
  ddfa       user application    ocd(1M)

If the server or the client is not an HP 9000 computer, refer to the appropriate user’s

Flowchart 1. Checking for a Server

Follow this flowchart for all services and servers, and replace the words “service” and “server” with the appropriate service name or server name.

Figure 12-3 Flowchart 1.

1B. List current servers. List the servers currently running on your system by executing the following:

  netstat -a

Table 12-3 lists the servers required for each service.

Table 12-3 Servers Required for Each Service

  Local Address    Client/Request    TCP State
  *.ftp            ftp               LISTEN
  *.telnet         telnet            LISTEN
  *.login          rlogin            LISTEN
  *.shell          remsh, rcp        LISTEN
  *.exec           rexec library     LISTEN
  *.who            rwho, ruptime
  *.

Table 12-4 lists the entries that are required in the /etc/inetd.conf file.

Table 12-4 Entries Required in /etc/inetd.conf

  Service Requested    inetd.

Table 12-5 lists the entries that are required in the /etc/services file.

inetd at boot time. See “Installing and Configuring Internet Services” on page 27.

1D4. Go to 1B. Once inetd is running, repeat this flowchart beginning with 1B.

1E. Correct files. If there was an incorrect entry or no entry in the /etc/inetd.conf or /etc/services files, enter the correct information and continue with 1D1.

1F. Reconfigure the internet daemon.
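An added example, not from this manual: a small POSIX shell checker that applies steps 1B and 1E of Flowchart 1 to constructed netstat -a and /etc/inetd.conf samples and reports which Table 12-3 services have no LISTEN socket or no active inetd.conf line. The daemon paths in the inetd.conf sample are assumed; only the service names come from the tables above.

```shell
#!/bin/sh
# Added example: compare "netstat -a" output and /etc/inetd.conf against the
# servers that Table 12-3 requires. Both inputs below are constructed samples.

# Constructed "netstat -a" output; the telnet listener is deliberately absent.
NETSTAT_SAMPLE='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp        0      0  *.ftp                  *.*                    LISTEN
tcp        0      0  *.login                *.*                    LISTEN
tcp        0      0  *.shell                *.*                    LISTEN
tcp        0      0  *.exec                 *.*                    LISTEN
udp        0      0  *.who                  *.*'

# Constructed /etc/inetd.conf; daemon paths are assumed, telnet is commented out.
INETD_SAMPLE='ftp    stream tcp nowait root /usr/lbin/ftpd    ftpd -l
#telnet stream tcp nowait root /usr/lbin/telnetd telnetd
login  stream tcp nowait root /usr/lbin/rlogind rlogind
shell  stream tcp nowait root /usr/lbin/remshd  remshd
exec   stream tcp nowait root /usr/lbin/rexecd  rexecd'

# Services from Table 12-3 that must show a TCP socket in the LISTEN state.
REQUIRED_TCP="ftp telnet login shell exec"

# missing_listeners NETSTAT_TEXT
# Prints, one per line, each required service with no "*.<service> ... LISTEN" row.
missing_listeners() {
    for svc in $REQUIRED_TCP; do
        printf '%s\n' "$1" |
            awk -v s="*.$svc" '$4 == s && $NF == "LISTEN" { found = 1 } END { exit !found }' ||
            printf '%s\n' "$svc"
    done
}

# disabled_in_inetd INETD_TEXT
# Prints each required service whose inetd.conf line is missing or commented out
# (a leading "#" makes the first field "#telnet", which never matches "telnet").
disabled_in_inetd() {
    for svc in $REQUIRED_TCP; do
        printf '%s\n' "$1" |
            awk -v s="$svc" '$1 == s { found = 1 } END { exit !found }' ||
            printf '%s\n' "$svc"
    done
}

# Report in the terms of the flowchart steps.
for s in $(missing_listeners "$NETSTAT_SAMPLE"); do
    echo "step 1B: no LISTEN socket for $s"
done
for s in $(disabled_in_inetd "$INETD_SAMPLE"); do
    echo "step 1E: no active /etc/inetd.conf entry for $s"
done
```

On a live HP 9000 the two functions would be fed the real output of netstat -a and the contents of /etc/inetd.conf instead of the samples.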
Flowchart 2. Security for telnet and ftp

Even though a server exists for a service, the server may not accept connections due to the security that has been implemented for the server.

Figure 12-4 Flowchart 2.

2A. Determine number of existing connections. If inetd was started with the -l option, the system log may list the number of connections. If these messages do not appear in the system log, continue with 2B, or enable the connection logging with inetd -l.

2B. Maximum number of connections? The maximum number of simultaneous connections is specified in the optional file /var/adm/inetd.sec.

2C5. Fix $HOME/.netrc. If the file is incorrect, make corrections to it and go to 2C6.

2C6. Once the corrections are made, repeat this flowchart beginning with 2A.

2D. See node manager. If your system was denied access to the server system by the /var/adm/inetd.sec file, but you wish to use the server, contact the node manager of the server system and request access.

2E. Go to Flowchart 3.

Flowchart 3. Security for Berkeley Services

This flowchart is for troubleshooting security for the Berkeley Services: sendmail, BIND, finger, the rexec library, and those services that begin with “r”. The following information assumes an account has a password. If it does not, the security checks are not performed.

Figure 12-5 Flowchart 3.

3A. User name exists on server host? Does the user name that you want to log in as exist on the server host? You can specify another user’s name by using the -l option with rlogin. If the desired user name does not exist on the server host, continue with 3B.

3A1. Accessing server system as yourself? If not, go to 3D.

3A2. Are you superuser? If you are, go to 3D; otherwise continue with 3C.

3B. Cannot access.

NOTE For C2 Security, refer to A Beginner’s Guide to HP-UX and the HP-UX System Security Manual.

Reporting Problems to Your Hewlett-Packard Support Contact

If you do not have a service contract with HP, you may follow the procedure described below but you will be billed accordingly for time and materials. If you have a service contract with HP, document the problem as a Service Request (SR) and forward it to your Hewlett-Packard support contact.

• Try to determine the general area within the software where you think the problem exists. Refer to the appropriate reference manual and follow the guidelines on gathering information for problems.
• Document your interim or “workaround” solution. The cause of the problem can sometimes be found by comparing the circumstances in which it occurs with the circumstances in which it does not occur.