HP-UX Internet Services Administrator’s Guide HP-UX 11i v2 Edition 1 Manufacturing Part Number: B2355-90774 August 2003 U.S.A. © Copyright 2003 Hewlett-Packard Development Company L.P. All Rights Reserved.
Legal Notices The information in this document is subject to change without notice. Hewlett-Packard makes no warranty of any kind with regard to this manual, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. Hewlett-Packard shall not be held liable for errors contained herein or direct, indirect, special, incidental or consequential damages in connection with the furnishing, performance, or use of this material.
© Copyright 1989-93 The Open Software Foundation, Inc. © Copyright 1986 Digital Equipment Corporation. © Copyright 1990 Motorola, Inc. © Copyright 1990, 1991, 1992 Cornell University © Copyright 1989-1991 The University of Maryland © Copyright 1988 Carnegie Mellon University Trademark Notices UNIX is a registered trademark in the United States and other countries, licensed exclusively through The Open Group. Intel Itanium Processor Family is a trademark of Intel Corporation in the U.S.
About This Document This guide provides an overview of the Internet Services software and describes how to install and configure it on your HP-UX 11i v2 operating system. It is one of the five new manuals documenting the Internet Services suite of products. See “Related Documentation” on page 11 for a list of the other new Internet Services manuals. These manuals replace the manual Installing and Administering Internet Services (B2355-90685), which was shipped with previous releases of the operating system.
Table 1 HP-UX 11i Releases (Continued)

Release Identifier   Release Name      Supported Processor Architecture
B.11.23              HP-UX 11i v2.0    Intel Itanium Processor Family

Publishing History

Table 2 provides, for a particular document, the manufacturing part number, the respective operating systems, and the publication date.

Table 2 Publishing History Details

Document Manufacturing Part Number   Operating System Supported   Publication Date
B2355-90110                          10.x                         June 1996
B2355-90147                          11.
Table 3 Document Organization (Continued)

Chapter                                         Description
Installing and Configuring Internet Services    Describes how to configure the Internet Services software on your system.
Troubleshooting Internet Services               Describes how to troubleshoot the Internet Services software.
• HP-UX Remote Access Services Administrator’s Guide Provides information about the Remote Access Services available in the HP-UX 11i v2 operating system: r-commands, WU-FTP, and telnet. You can access this manual at the following URL: http://www.docs.hp.com/hpux/netcom/index.html#Internet%20Services
• Request for Comments (RFC) Many sections of this manual refer to RFCs for more information about certain networking topics.
a hot link to the manpage itself. From the HP-UX command line, you can enter “man audit” or “man 5 audit” to view the manpage. See man (1). Book Title The title of a book. On the Web and on the Instant Information CD, it may be a hot link to the book itself. ComputerOut Text displayed by the computer. Command A command name or qualified command phrase, daemon, file, or option name. $ The system prompt for the Bourne, Korn, and POSIX shells. # The superuser prompt.
• The section numbers and page numbers of the information on which you are commenting. • The version of HP-UX that you are using.
1 Internet Services Overview

The HP-UX Internet Services software (formerly the ARPA Services suite of products) enables your HP Integrity system to carry out the following tasks:
• Transfer files.
• Log on to remote hosts.
• Execute commands remotely.
• Manage IP addresses and network clients.
• Perform all routing protocols.
• Exchange mail with remote hosts on the network.
• Locate and configure networked services in enterprise networks.
• Start network services such as ftp, telnet, rlogin, and tftp without overloading the system.
• Implement a powerful security mechanism for various services spawned by inetd, the Internet super daemon.
Introduction to Internet Services

The HP-UX Internet Services software combines services developed by the University of California at Berkeley (UCB), Cornell University, Merit Network, Inc., Carnegie-Mellon University (CMU), Hewlett-Packard, Massachusetts Institute of Technology (MIT), Internet Software Consortium, and other public domain sources.
Software Versions

Table 1-1 lists the product versions that have been made available with this version of Internet Services on the HP-UX 11i v2 operating system. The software versions listed in this table are public domain versions.

Table 1-1 Software Versions

Software   Version
ftp        2.6.1
sendmail   8.11.1
BIND       9.2.0
gated      3.5.9

Software Descriptions

This chapter provides an overview of Internet Services.
The ftp Service

The ftp (File Transfer Protocol) service copies files among hosts on the network that support Internet Services. It runs on the client host and supports ASCII, binary, and tenex file transfer protocol types. ASCII is the default type. Whenever ftp establishes a connection between two similar systems, it automatically switches to the binary type. For more information, type man 1 ftp or man 1M ftpd at the HP-UX prompt.
remsh works in the same way as rexec, except that it executes commands from a remote shell. Type man 1 remsh or man 1M remshd at the HP-UX prompt for more information.

• ruptime You can obtain information about specified UNIX nodes running the rwhod daemon by running the ruptime command. It is not supported over X.25 networks or over networks using the PPL (SLIP) product.
The Sendmail Utility

The Sendmail service works with your network mailers (for example, elm and mailx) to perform internetwork mail routing among UNIX and non-UNIX hosts on the network. It allows you to exchange mail messages with other hosts on the local area network via gateways. Type man 1M sendmail at the HP-UX prompt for more information.
The gated Service

The gated service determines routing over the Internet. See the HP-UX Routing Services Administrator’s Guide at the URL http://www.docs.hp.com/hpux/netcom/index.html#Internet%20Services, or type man 1M gated at the HP-UX prompt for more information.

NTP

Network Time Protocol (NTP) maintains the local clock on an HP-UX workstation in agreement with Internet-standard time servers.
2 Installing and Configuring Internet Services This chapter describes how to install and configure the Internet Services software on your system.
• “Installing the Internet Services Software” on page 25
• “Configuring the Internet Services Software” on page 26
Installing the Internet Services Software

The Internet Services software is packaged along with the core HP-UX 11i v2 operating system. Do not create or modify any system file while installing the operating system on your machine. The core operating system creates and modifies the necessary files on your system automatically.
Configuring the Internet Services Software

This chapter describes how to configure the Internet Services software on your system.
NOTE HP recommends that you do not configure your system to use both NIS and NIS+.

For host information, you can configure your system to use BIND (DNS), NIS, NIS+, or the /etc/hosts file. The default name service switch configuration is adequate for most installations, so you probably do not have to change it. The default configuration is explained in the section “Default Configuration” on page 28.
NOTE Configuring the name service switch is a separate task from configuring the name services themselves. You must also configure the name services before using them. The name service switch just determines which name services are queried and in what order.
The lookup_type can be hosts, passwd, or group. The lookup_query can be a host name or an IP address, a user name or user ID, or a group name or group ID. The following example uses nsquery to perform a lookup of the host name brock:

# /usr/contrib/bin/nsquery hosts brock
Using “nisplus [NOTFOUND=return] files” for the hosts policy.
• “Editing the /etc/hosts File” on page 31
• “Configuring a Route” on page 32
• “Changing a Host’s IP Address” on page 33

Choosing a Name Service

HP-UX provides ways to translate host names to IP addresses or IP addresses to host names:

• BIND (Berkeley Internet Name Domain), which is Berkeley’s implementation of the Domain Name System (DNS).
Alternatively, you can use the /etc/hosts file as your primary name service. Each host in your network needs a copy of the /etc/hosts file containing the names and addresses of all the other hosts in your network. For information on the /etc/hosts file, see “Editing the /etc/hosts File” on page 31.
5. Add any other hosts to the /etc/hosts file that you need to reach. If you use a BIND, NIS, or NIS+ server on a different host, add that host to your /etc/hosts file. If you have no default gateway configured, and you add a host that is not on your subnet, SAM will prompt you for the gateway. To stop the prompting, configure a default gateway.
6.
Then, create a new set of routing variables in the /etc/rc.config.d/netconf file for each network interface. Whenever you create a new set of variables, increment the number in square brackets, as in the following example:

ROUTE_DESTINATION[1]="15.13.131.0"
ROUTE_GATEWAY[1]="15.13.131.213"
ROUTE_COUNT[1]="0"

3. If you will not be using gated, configure routes to all the networks you need to reach.
2. Change the IP_ADDRESS[n] variable in the /etc/rc.config.d/netconf file to the new IP address.
3. If the host is on a network that uses BIND, change the host’s IP address in the data files of the authoritative name servers. See “Configuring and Administering the BIND Name Service” in the HP-UX IP Address and Client Management Administrator’s Guide at the URL http://www.docs.hp.com/hpux/netcom/index.
at the URL http://www.docs.hp.com/hpux/netcom/index.html#Internet%20Services for more information.
8. If the host is an NTP server, change its IP address in the /etc/ntp.conf file on NTP clients. If the host is an NTP client and is moving to another network, you might have to configure a different NTP server in its /etc/ntp.conf file.
1. Make sure /etc/inetd.conf contains the following lines. If any of the lines start with a number sign (#), remove the number sign to enable that particular service.
where service_name is the first field in an entry in the /etc/inetd.conf file, and host_specifier is a host name, IP address, IP address range, or the wildcard character (*).

3. Make sure the /var/adm/inetd.sec file is owned by user root and group other, and make sure its permissions are set to 0444 (-r--r--r--). Following are some example lines from an inetd.sec file:

login allow 10.
The part of the selector that specifies where a message comes from is called the facility. All Internet daemons and servers, except sendmail, log messages to the daemon facility. sendmail logs messages to the mail facility. syslogd logs messages to the syslog facility. You can indicate all facilities in the configuration file with an asterisk (*).
cd /sbin/init.d
syslogd stop
syslogd start

When you reboot your system, each log file is moved to filename.old automatically, and new log files are started.

Configuring inetd Connection Logging

The inetd daemon logs connection requests through syslogd. It logs successful connections at the information level and unsuccessful connection attempts at the notice level.
3 TCP Wrappers The Transmission Control Protocol (TCP) Wrappers product suite provides an enhanced security mechanism for services spawned by the Internet Services daemon, inetd.
This chapter discusses the following topics:

• “Overview” on page 43
• “The tcpd Features” on page 44
• “TCP Wrappers Files” on page 47
• “IPv6 Support” on page 53
• “Troubleshooting” on page 54
Overview

The Internet services server, inetd, allows a single process to wait for multiple services instead of a separate process waiting for each service. When a connection is established with inetd for a service, inetd runs the appropriate server specified in the /etc/inetd.conf file and waits for other connections. If you enable TCP wrappers, inetd runs the TCP wrapper daemon, tcpd, instead of running the requested service directly.
The tcpd Features

The tcpd program provides the following features to enforce access control checks for a service:

• Access Control
• Host name or Address Spoofing
• Client User Name
• Setting Traps
• Banner Messages

Access Control

TCP wrappers uses the files /etc/hosts.allow and /etc/hosts.deny as Access Control Lists (ACLs). These access control files are used to match the client and server entries with the service request.
1. The /etc/hosts.allow file – If a daemon-client pair matches an entry in this file, access is granted.
2. The /etc/hosts.deny file – If a daemon-client pair matches an entry in this file, access is denied.
3. If a daemon-client pair match is not found in either of the access control files, access is granted.

Following are examples of different entries in the files /etc/hosts.allow and /etc/hosts.deny:

1.
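The three-step evaluation order above, modelled in Python as an added example (not HP code and not tcpd’s own implementation); it assumes the hosts_access(5) line format daemon_list : client_list and the constructed sample files embedded in the block. Step 3 is the part worth checking on a real system: a client matched by neither file is let in, so a hosts.deny without a catch-all ALL : ALL line leaves every unlisted service open.

```python
"""Model of the tcpd access decision: hosts.allow, then hosts.deny, then grant.

Added example, not HP-UX code. Assumed rule syntax (hosts_access(5)):
"daemon_list : client_list", with client patterns ALL, exact host name,
leading-dot domain suffix, trailing-dot network prefix, and net/mask.
Shell-command fields and the LOCAL/KNOWN/UNKNOWN/PARANOID wildcards
are not modelled.
"""
import ipaddress

# Constructed sample access control files (not from a real system).
HOSTS_ALLOW = """\
# daemon_list : client_list
ALL : 127.0.0.1
ftpd : .example.com
telnetd, ftpd : 10.1.
sshd : 192.168.0.0/255.255.255.0
"""

HOSTS_DENY = """\
ALL : ALL
"""


def parse_rules(text):
    """Return a list of (daemons, clients) with comments and blank lines skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError("malformed rule: %r" % raw)
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        rules.append((daemons, clients))
    return rules


def client_matches(pattern, host, addr):
    """Match one client pattern against the client's host name and address."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):            # domain suffix, e.g. .example.com
        return host.endswith(pattern)
    if pattern.endswith("."):              # network prefix, e.g. 10.1.
        return addr.startswith(pattern)
    if "/" in pattern:                     # net/mask, e.g. 192.168.0.0/255.255.255.0
        net, mask = pattern.split("/", 1)
        network = ipaddress.ip_network("%s/%s" % (net, mask), strict=False)
        return ipaddress.ip_address(addr) in network
    return pattern == host or pattern == addr


def rule_matches(rule, daemon, host, addr):
    """A rule applies when both its daemon list and its client list match."""
    daemons, clients = rule
    if daemon not in daemons and "ALL" not in daemons:
        return False
    return any(client_matches(p, host, addr) for p in clients)


def tcpd_decision(daemon, host, addr, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """Apply the order the text describes and return "allow" or "deny"."""
    for rule in parse_rules(allow):        # step 1: first hosts.allow match grants
        if rule_matches(rule, daemon, host, addr):
            return "allow"
    for rule in parse_rules(deny):         # step 2: first hosts.deny match denies
        if rule_matches(rule, daemon, host, addr):
            return "deny"
    return "allow"                         # step 3: no match anywhere grants access
```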
configuration file. If you enable client user name lookup in the configuration file, tcpd assumes that the client requesting the service runs an RFC 931-compliant daemon, such as IDENT.

Trap Setting

This feature allows you to trigger an appropriate action on the host depending on the number of denied connection attempts. For example, the following rule in the /etc/hosts.
TCP Wrappers Files

The TCP Wrappers product suite contains the following files:

• The tcpd Daemon
• The libwrap.a Library API
• The tcpdchk Tool
• The tcpdmatch Tool
• The try-from Utility
• The safe_finger Program

The tcpd Daemon

The tcpd daemon monitors access to a service, logs the host name and the remote user name owning the connection, and performs some additional access control checks.
NOTE If you specify this entry without the absolute path of telnetd (/usr/lbin/telnetd), tcpd searches for the telnetd binary in the /usr/lbin/wrapper directory. The last component of the path name /usr/lbin/telnetd, that is, telnetd, is used for access control and logging.

When the telnet service is requested, inetd invokes the tcpd server instead of invoking the telnet server. tcpd performs access control checks and verifies whether the connection is valid.
To enforce the host access control in an independent daemon, a service must include the tcpd.h header file and link with the libwrap.a library APIs. The libwrap.a library contains the following APIs:

• request_init() Initializes the request_info structure with the client request information.
• request_set() Updates an initialized request_info structure.
The tcpdchk Tool

The tcpdchk tool performs the following functions:

• Examines the validity of entries in the /etc/inetd.conf file and ACLs.
• Inspects the TCP wrapper configurations and reports problems, if any.
• Checks the tcpd access control files (/etc/hosts.allow and /etc/hosts.deny), and compares the entries in these files with the entries in the /etc/inetd.conf file.
You can execute the tcpdmatch tool on the command line using the following formats:

1. /usr/bin/tcpdmatch [-d] [-i inet_conf] daemon client
2. /usr/bin/tcpdmatch [-d] [-i inet_conf] daemon@[server] [user@]client

daemon   Specifies a daemon name.
client   Specifies the host name, network address, or the unknown or paranoid wildcard formats.
server   Specifies a host name or network address or the unknown or paranoid wildcard formats.
The try-from utility can be executed from the command line as follows:

# remsh host /usr/bin/try-from

When the try-from utility is invoked, it prints the following output:

client address  (%a):
client hostname (%n):
client username (%u):
client info     (%c):
server address  (%A):
server hostname (%N):
server process  (%d):
server info     (%s):

The client information describes how the remote host recognizes the client in terms of an address, name, and user name, whereas, the server
IPv6 Support

To enable the access control mechanism for IPv6 connections to a service, you must enable IPv6 support for that service in the /etc/inetd.conf file. You must specify the protocol in the /etc/inetd.conf file as tcp6 or udp6 to enable IPv6 support for a particular service. For example, to support IPv6 functionality for the ftpd service, you must modify the /etc/inetd.
Troubleshooting

tcpd logs the connection-related information and problems encountered during a connection in the /var/adm/syslog/syslog.log file, before invoking the actual service daemon. You can enable logging in tcpd by specifying the logging level parameter in the /etc/tcpd.conf file.
4 Configuring NTP

The Network Time Protocol (NTP) assures accurate synchronization of the computer’s clock time with reference to a number of primary reference sources, using equipment such as a radio receiver.
as a continuous background client process on a system, and sends periodic time requests to primary servers to obtain the time stamps. It also checks for errors caused by equipment or propagation failures. This chapter describes the basic and advanced NTP concepts, components, and configuration instructions required to use NTP. This chapter also includes troubleshooting information.
Getting Started with NTP

The Network Time Protocol (NTP) is a family of programs used to adjust the system clock on your computer and to synchronize it with external sources of time. Computers are very sensitive to time deviations caused by drifting. All clocks drift, including the clocks inside computers. NTP provides accurate time in the range of microseconds to milliseconds and helps overcome drifting.
NTP Equipment

The following equipment is required to effectively use the NTP programs:

• Internet or your own radio receiver, such as GPS (Global Positioning System), as a time source.
• An ordinary network, such as an Ethernet, in your building.
• Familiarity with configuring and setting up NTP.

Starting NTP Configuration

For a basic NTP configuration, you must complete the following steps:

1. Choose a source of time.
2.
Available Time Sources

The most common time distribution mechanisms from which you can draw time are:

• Public time server (phone or modem) via the Internet
• Local clock impersonators
• Radio receiver – Terrestrial and satellite broadcast

Public Time Server

You can connect to public time servers via the Internet free of charge for a limited time. Public time servers also provide dial-up access through a modem. This is the cheapest and most popular method.
Local Clock Impersonators

You can use a local clock impersonator in either of the following instances:

• If you are behind a firewall.
• If you are not connected to the Internet.
• If you cannot afford a radio receiver.

You can declare your NTP machine as a time server, and this machine can serve time within a closed domain. Because this time server is isolated, it does not synchronize with the real time.
1. Install and connect the receiver and antenna to a serial port on the HP-UX machine.
2. Append the following entries in the /etc/ntp.conf file:

server 127.127.26.1 minpoll 3 maxpoll 4
# fudge 127.127.26.1 time1 -0.955 #s700
# fudge 127.127.26.1 time1 -0.930 #s800

3. Uncomment the appropriate # fudge entry for your architecture. Uncomment the #fudge ... #s800 entry for servers or the #fudge ... #s700 entry for workstations.
Location of Time Source

You must always select a time server that is physically close to your network; otherwise, it may lead to poor network connectivity and delays. You must also consider the network path that a packet needs to travel, because if a time server is physically close but takes an excessive number of hops to reach, you may experience network delays.
The best primary server for the NTP client located in California is the time server situated in New York because the ping command response time is only 5 milliseconds. The ping command response time for the time server in Australia takes 500 milliseconds. Therefore, selecting the time server situated in Australia is not recommended because it may cause network delays.

Example 1: Locating the Best Primary Server

Table 4-1 shows the servers the time client can access.
The public stratum-2 servers provide time service for all clients. Also, their access policies are less restrictive than those of the stratum-1 servers. The errors displayed while connecting your machine with the public time server (or ISP) denote the quality of the network service. This makes the distinction between stratum-1 and stratum-2 almost meaningless for most purposes.
Determining Synchronization Sources

You can query the time server using the following command to check the synchronization sources:

/usr/bin/ntpq -p ntp-cup.external.hp.com

Table 4-2 displays the synchronized time servers.

Table 4-2 Locating Synchronized Time Servers

     remote           refid      st t when poll reach   delay   offset    disp
==============================================================================
*REFCLK(29,1)    .GPS.            0 l   35   32  376     0.00   -0.004    0.02
-bigben.cac.wash .
Synchronization: NTP secondary (stratum 2), Sun/Unix
Service Area: Sprintlink/NYSERnet
Access Policy: open access, authenticated NTP (DES/MD5) available
Contact: Seth Robertson (timekeeper@ctr.columbia.edu)
Note: IP addresses are subject to change; please use DNS

/usr/sbin/ping ntp.ctr.columbia.edu 64 5
PING 128.59.64.60: 64 byte packets
64 bytes from 128.59.64.60: icmp_seq=0. time=83. ms
64 bytes from 128.59.64.60: icmp_seq=1. time=86. ms
64 bytes from 128.59.64.
Table 4-3 describes time servers in eastern United States.

Table 4-3 Evaluating Time Servers in Eastern United States

     remote           refid      st t when poll reach   delay   offset    disp
==============================================================================
+clepsydra.dec.c usno.pa-x.dec.c  2 u  927 1024  355   108.49  -18.215    3.63
 otc1.psu.edu    .WWV.            1 -  17d 1024    0    28.26  -25.362 16000.0
*NAVOBS1.MIT.EDU .USNO.           1 u  214 1024  377    38.48   -0.536    0.90
 tick.CS.UNLV.ED tock.CS.UNLV.
Example 3: Evaluating Time Servers in Australia

Look at a time server in Australia. Here are the details:

ntp.adelaide.edu.au (129.127.40.3)
Location: University of Adelaide, South Australia
Synchronization: NTP V3 secondary (stratum 2), DECsystem 5000/25 Unix
Service Area: AARNet
Access Policy: open access
Contact: Danielle Hopkins (dani@itd.adelaide.edu.au)

/usr/sbin/ping ntp.adelaide.edu.au 64 5
PING huon.itd.adelaide.edu.AU: 64 byte packets
64 bytes from 129.
Table 4-4 Evaluating Time Sources in Australia

     remote           refid      st t when poll reach   delay   offset    disp
==============================================================================
.otto.bf.rmit.ed 130.155.98.1     2 u  229 1024  376    16.34    7.132    7.87
.student.ntu.edu murgon.cs.mu.OZ  2 u   47  128  377    81.34    5.166    5.25
.203.31.96.1     murgon.cs.mu.OZ  2 u   13  256  373   115.74   30.147   38.54
.203.172.21.222  tick.usno.navy.  2 u   43 1024  367   866.64   47.316   65.32
-128.184.1.4     tictoc.tip.
When the time server in Silicon Valley is configured to use sirius.ctr.columbia.edu and gpo.adelaide.edu as time sources, the output from ntpq -p looks like this (about 10 minutes after daemon startup):

Table 4-5 Output from ntpq for Configuring Silicon Valley Time Server

     remote           refid      st t when poll reach   delay   offset    disp
==============================================================================
*REFCLK(29,1)    .GPS.            0 l   25   32  377     0.00    0.413    0.03
+bigben.cac.wash .
server ntp-cup.external.hp.com
server bigben.cac.washington.edu
server sirius.ctr.columbia.edu

Backup Time Servers

After selecting the primary time server, you must select two additional time servers that serve as backup time servers. The closest and fastest time server must be the primary time server. Backup time servers act as stand-by servers when the primary time server is not available.
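Choosing a primary and two backup servers from ntpq -p output, as an added Python example (not from the HP manual and not part of ntpq): it parses the column layout of the tables above, decodes the octal reach register, drops unreachable peers, and ranks the rest by delay as the text recommends. The peer lines are constructed samples modelled on Table 4-3; ntpq truncates remote names to 15 characters, so the names it returns would need to be expanded to full host names before they go into /etc/ntp.conf.

```python
"""Rank candidate NTP servers from ntpq -p output (added example, not HP code).

Column layout assumed, as in the tables above:
  remote refid st t when poll reach delay offset disp
The first character of each peer line is the tally code.
"""

# Constructed sample output modelled on Table 4-3, plus one extra peer.
NTPQ_OUTPUT = """\
     remote           refid      st t when poll reach   delay   offset    disp
==============================================================================
+clepsydra.dec.c usno.pa-x.dec.c  2 u  927 1024  355   108.49  -18.215    3.63
 otc1.psu.edu    .WWV.            1 -  17d 1024    0    28.26  -25.362 16000.0
*NAVOBS1.MIT.EDU .USNO.           1 u  214 1024  377    38.48   -0.536    0.90
-tick.CS.UNLV.ED tock.CS.UNLV.ED  2 u  410 1024  377    71.03    2.117    5.20
"""

# Tally codes printed in column 1 by ntpq.
TALLY = {"*": "system peer", "+": "candidate", "-": "outlier",
         "x": "falseticker", ".": "excess", " ": "rejected"}


def parse_ntpq(text):
    """Parse each peer line into a dict; skip the header and the rule line."""
    peers = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("remote") or stripped.startswith("="):
            continue
        tally, parts = line[0], line[1:].split()
        if len(parts) != 10:
            raise ValueError("unexpected column count: %r" % line)
        remote, refid, st, t, when, poll, reach, delay, offset, disp = parts
        peers.append({
            "tally": TALLY.get(tally, "unknown"),
            "remote": remote, "refid": refid,
            "stratum": int(st), "type": t, "when": when, "poll": int(poll),
            # reach is an 8-bit shift register printed in octal: 377 = last 8 polls all answered
            "reach": int(reach, 8),
            "delay": float(delay), "offset": float(offset), "disp": float(disp),
        })
    return peers


def reach_fraction(peer):
    """Share of the last eight polls that were answered."""
    return bin(peer["reach"]).count("1") / 8.0


def reachable(peer):
    """Usable as a remote server: answered at least once, not a refclock, not a falseticker."""
    return (peer["reach"] != 0 and peer["stratum"] > 0
            and peer["tally"] != "falseticker")


def choose_servers(peers, backups=2):
    """Lowest-delay reachable peer first (primary), then `backups` stand-bys."""
    usable = sorted((p for p in peers if reachable(p)), key=lambda p: p["delay"])
    return [p["remote"] for p in usable[: backups + 1]]


def ntp_conf_lines(peers):
    """Render the choice as server statements; names are as ntpq printed them (truncated)."""
    return ["server %s" % name for name in choose_servers(peers)]
```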
xntpd reads the NTP configuration file, /etc/ntp.conf, during startup to determine the synchronization sources and operating modes. You can also specify the configuration options on the command line when you start xntpd. While xntpd is running, you can also display xntpd variables and modify configuration options using the ntpq and xntpdc utilities. For more information, type man 1M xntpd, man 1M ntpq or man 1M xntpdc at the HP-UX prompt.
server my_server.mydomain.my_org.com

my_server.mydomain.my_org.com is the complete name of the server.

4. Specify the time source and add its information to the configuration file.
• For Radio Receivers:
a. Uncomment the following fudge line found at the end of the file /etc/ntp.conf:

server 127.127.26.1
#fudge 127.127.26.1 time1 -0.955

b.
This starts the daemon automatically when the system transitions from level 1 to 2.
c. Start the daemon using the startup script:

/sbin/init.d/xntpd start

d. Verify whether the daemon process is running using the following command:

ps -ef | grep ntp

The line /usr/sbin/xntpd appears in the list of running processes.
Advanced NTP Topics

This section includes advanced NTP topics and is ideal for experienced users.
time source can be a device such as a radio receiver. Figure 4-2 shows the relationship between the GPS receiver time source and the stratum-1 server associated with it.

Figure 4-2 Stratum-1 Time Servers (figure: an external clock, the stratum-0 source, feeds a stratum-1 server, which in turn feeds stratum-2 servers)

Stratum-2 and -3 Time Servers

Stratum-2 time servers use stratum-1 servers as their time source. Likewise, stratum-3 servers use stratum-2 servers as their time sources.
• Broadcaster — Provides time to the specified remote host, or more typically, to the broadcast address on a LAN. This role is most appropriate for an NTP time server that provides time to workstation clients on a LAN.
• Broadcast Client — Listens for and synchronizes with the broadcast time. This role is most appropriate for time server clients on a LAN.

NOTE Broadcasting is not recommended, especially when used with local clock impersonators.
• Every NTP hierarchy must have at least one stratum-1 server. You can configure the administrative domain to contain outside sources of synchronization, which ultimately link to a stratum-1 server, or you can implement your own hierarchy of NTP time servers with one or more stratum-1 servers.
• Configure at least three time servers in the administrative domain, because it is important to provide multiple, redundant sources of time synchronization.
• “Configuring Authentication” on page 83

Configuring Relationships with Other Time Servers

The role of a time server depends on its relationship with other servers in the synchronization subnet.
• prefer This option specifies that the host must be the primary source for synchronization when it is one of several valid sources. This option is useful for a time server on a high-speed LAN that is equipped with an external time source, such as a radio clock. You can use external sources for time synchronization. However, the local time server must be the preferred synchronization source.
Configuring an External Clock
Clocks are normally configured with server statements in the configuration file. You can configure xntpd to support an external clock. You can insert the clock address anywhere in the configuration file. Clocks are referenced by an address of the format 127.127.t.
Figure 4-4 shows the peer, server, and broadcast statements that are configured for all the servers.
Figure 4-4 Example Configurations
Bonita (external clock): server 127.127.4.1
Gordo (external clock): server 127.127.4.1
Penelope: server bonita; peer golden; broadcast 193.100.255.255
Golden: server gordo; peer penelope; broadcast 193.100.255.255
Hugo: broadcastclient yes
You must configure the time server in the client system.
driftfile driftfile
where driftfile specifies the file name used to record the frequency offset of the local clock oscillator. HP recommends the location /etc/ntp.drift for storing the driftfile. The following is an example of a driftfile statement:
driftfile /etc/ntp.drift
Configuring Authentication
Authentication is a mechanism used to prevent unauthorized access to time servers. Authentication is enabled on a system-by-system basis.
/usr/newconfig/etc/ntp.keys. HP recommends the location /etc/ntp.keys for storing the key file. You must secure the key file by setting its permissions to 600, so that only its owner can read or write it. While the key file can contain many keys, you can declare a subset of these keys as trusted keys. Trusted keys are used to determine whether a time server is trusted as a potential synchronization candidate.
authenticate yes
If you do not specify this statement, authentication is not enabled. When you enable authentication, you can specify the following options:
• -e authdelay
This option indicates the amount of time (in seconds) required to encrypt an NTP authentication field on the local host.
IMPORTANT
The startup script automatically calculates the proper value for authdelay for the local system and writes it into the configuration file /etc/ntp.conf.
restrict address [mask mask] [ntpport] [flag] [flag2]...
The keyword ntpport causes the restriction list entry to be matched only if the source port in the packet is the NTP UDP port 123. Table 4-6 shows the flags that can be specified for xntpd:
Table 4-6 Restrict Option Flags
Flag       Effect
ignore     Ignore all packets.
noquery    Ignore ntpq queries.
nomodify   Ignore ntpq packets that attempt to modify the state of the server.
#default entry - matches *all* source addresses
restrict default notrust nomodify
#trust for time, but do not allow ntpq requests
restrict 193.100.0.0 mask 255.255.0.0 nomodify noquery
#ignore time requests, but allow ntpq requests
restrict 193.8.10.1 noserve
#local host address is unrestricted
restrict 193.100.100.7
Starting and Stopping xntpd
To start xntpd, do one of the following:
• Set the environment variable XNTPD to 1 in the file /etc/rc.config.d/netdaemons.
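The restrict list above is easy to misread when several entries overlap a single source address. The following Python script is an added example, not part of this manual or of xntpd: it parses restrict statements and reports the flags in effect for a given source address. It assumes, since the page does not state it, that the most specific matching entry (longest mask) wins, which is how the sample list is meant to read.

```python
import ipaddress

# Constructed sample: the restrict list shown above, as it would appear in ntp.conf
SAMPLE_NTP_CONF = """\
#default entry - matches *all* source addresses
restrict default notrust nomodify
#trust for time, but do not allow ntpq requests
restrict 193.100.0.0 mask 255.255.0.0 nomodify noquery
#ignore time requests, but allow ntpq requests
restrict 193.8.10.1 noserve
#local host address is unrestricted
restrict 193.100.100.7
"""


def parse_restrict(conf_text):
    """Return a list of (network, flags) for every restrict statement in the text."""
    entries = []
    for raw in conf_text.splitlines():
        words = raw.split("#", 1)[0].split()
        if len(words) < 2 or words[0] != "restrict":
            continue
        if words[1] == "default":            # matches every source address
            addr, mask, rest = "0.0.0.0", "0.0.0.0", words[2:]
        elif len(words) >= 4 and words[2] == "mask":
            addr, mask, rest = words[1], words[3], words[4:]
        else:                                # no mask given: a single host
            addr, mask, rest = words[1], "255.255.255.255", words[2:]
        # ntpport only narrows which packets match; it is not an access flag
        flags = frozenset(f for f in rest if f != "ntpport")
        entries.append((ipaddress.ip_network(addr + "/" + mask, strict=False), flags))
    return entries


def effective_flags(entries, source):
    """Flags applied to packets from `source`.

    Assumption (not stated on this page): when several entries match, the
    most specific one (longest mask) takes precedence, so the /16 entry
    overrides default and the single-host entries override the /16.
    """
    src = ipaddress.ip_address(source)
    matches = [(net, flags) for net, flags in entries if src in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def audit(conf_text, source):
    """Sorted list of flag names in effect for `source`, or None if nothing matches."""
    flags = effective_flags(parse_restrict(conf_text), source)
    return None if flags is None else sorted(flags)
```

Running audit(SAMPLE_NTP_CONF, "193.100.5.5") reports nomodify and noquery, while the local host address 193.100.100.7 comes back with no flags at all.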
Using ntpq to Query Systems Running xntpd
The standard network time protocol query program, ntpq, is used to query systems that implement the NTP mode-6 control message about the current state of the server. It can also be used to obtain a list of a server’s peers. ntpq sends requests to and receives responses from NTP time servers using a special form of NTP messages called mode-6 control messages.
The ntpq Program Output
The -p option prints a list of peers known to the server, along with a summary of their states, as shown in Table 4-7.
Table 4-7 An ntpq Output Indicating Known NTP Hosts
     remote           refid      st t  when  poll  reach   delay   offset    disp
==================================================================================
*GPS_HP(1)       GPS              0 l    48    64    377    0.00    0.516    4.19
 hpps.cup.hp     cupertino        3 u   467  1024    377    7.20  -12.430   15.67
+server2         WWVB             1 u   173   256    377  279.95   20.56     16.
• The st (stratum) column indicates the stratum level of the remote host.
• The t (types) column denotes the available types, which include
— l = local (such as a GPS clock)
— u = unicast (this is the common type)
— m = multicast
— b = broadcast
— - = netaddr (usually 0)
• The when column indicates the number of seconds since the remote host response was received.
Troubleshooting NTP
This section outlines techniques that can help you diagnose and correct common problems with NTP.
Verifying That xntpd is Running
Issue the following command to determine whether xntpd is running:
/usr/bin/ps -ef | /usr/bin/grep xntpd
This command reports the process identification (PID), current time, and the command invoked (xntpd).
Table 4-8 indicates that the local NTP daemon has established an association with the NTP daemon on node good.cup.hp.
Table 4-8 An ntpq Output Indicating NTP Associations
     remote           refid      st  when  poll  reach   delay   offset    disp
====================================================================
*good.cup.hp     LOCAL(1)         2    29    64    377
 bad             0.0.0.0          -    31    64      0    5.43    -0.16     16.
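The column descriptions for Table 4-7 and the association check in Table 4-8 can be turned into an automatic health check. The following Python script is an added example, not code from this manual: it parses ntpq -p output and flags peers whose reach register is 0 (no replies, so no association, as for "bad" above) or whose stratum is missing or 16, and reports when no peer has been selected as the system peer. The sample output is constructed after the two tables, not a real capture.

```python
# Constructed sample modelled on Tables 4-7 and 4-8 in this chapter (not a real capture)
SAMPLE_NTPQ_P = """\
     remote           refid      st t when poll reach   delay   offset    disp
==============================================================================
*GPS_HP(1)       GPS              0 l   48   64  377     0.00    0.516    4.19
 hpps.cup.hp     cupertino        3 u  467 1024  377     7.20  -12.430   15.67
+server2         WWVB             1 u  173  256  377   279.95   20.560   16.00
 bad             0.0.0.0          -  u   31   64    0     5.43   -0.160   16.00
"""

# First character of each peer line: how xntpd currently regards that peer
TALLY = {"*": "system peer (selected for synchronization)",
         "+": "candidate", " ": "not selected"}


def parse_ntpq_peers(text):
    """Parse `ntpq -p` output into one dict per peer line."""
    peers = []
    for line in text.splitlines()[2:]:        # skip the header and the ===== rule
        if not line.strip():
            continue
        tally, fields = line[0], line[1:].split()
        if len(fields) < 10:
            continue
        peers.append({
            "tally": tally, "status": TALLY.get(tally, "unknown"),
            "remote": fields[0], "refid": fields[1],
            # a "-" in the st column (as for "bad" in Table 4-8) means no stratum reported
            "stratum": int(fields[2]) if fields[2].isdigit() else None,
            "type": fields[3], "when": fields[4], "poll": int(fields[5]),
            # reach is an octal shift register of the last eight polls: 377 = all answered
            "reach": int(fields[6], 8),
            "delay": float(fields[7]), "offset": float(fields[8]), "disp": float(fields[9]),
        })
    return peers


def diagnose(peers):
    """Return (remote, problem) pairs; an empty list means every peer looks healthy."""
    problems = []
    if not any(p["tally"] == "*" for p in peers):
        problems.append(("(none)", "no system peer selected: the local clock is free-running"))
    for p in peers:
        if p["reach"] == 0:
            problems.append((p["remote"], "reach 0: no reply in the last eight polls, no association"))
        elif p["reach"] != 0o377:
            problems.append((p["remote"], "reach %o: some recent polls went unanswered" % p["reach"]))
        if p["stratum"] is None or p["stratum"] >= 16:
            problems.append((p["remote"], "stratum missing or 16: the server is not synchronized"))
    return problems


if __name__ == "__main__":
    for remote, problem in diagnose(parse_ntpq_peers(SAMPLE_NTPQ_P)):
        print(remote, "-", problem)
```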
No server suitable for synchronization found.
This message indicates that the NTP server is not responding. Packets were sent out, but a reply was not returned. The reason may be that the server is down, or the network link is broken or extremely congested. Or, perhaps the NTP daemon died on the server and has not locked on to its time sources. NTP version 3.
stratum-1 server in the hierarchy does not exist, an association is not formed. To verify whether the local xntpd is able to form an association, issue the following command:
/usr/sbin/ntpdate server
The server is the name of a trusted server, such as a peer or a higher-level (lower stratum) server. If the local xntpd is unable to form any association, this command returns the message No suitable server for synchronization found.
For HP-UX NFS Diskless Clusters, the /sbin/init.d/xntpd script on the diskless clients executes xntpdate to synchronize time with the diskless cluster server before starting xntpd. You can also specify a trusted time server explicitly in the file /etc/rc.config.d/netdaemons, and /sbin/init.d/xntpd will execute xntpdate, querying the specified time server.
• NTP statistics file (if configured)
• The /var/adm/syslog/syslog.log file (xntpd/NTP entries)
• The /usr/sbin/ntpq -p output
• The ntpdate -d server output (stop the local xntpd first).
5 Troubleshooting Internet Services This chapter describes how to troubleshoot the Internet Services software.
It discusses the following topics:
• “Troubleshooting Overview” on page 99
• “Troubleshooting Tips” on page 104
• “Reporting Problems to Your Hewlett-Packard Support Contact” on page 118
Troubleshooting Overview
Troubleshooting data communications problems may require you to investigate many hardware and software components. Some problems can be quickly identified and resolved. These include invalid software installation, version incompatibilities, insufficient HP-UX resources, corrupt configuration shell scripts, and programming or command errors. Other problems require more investigation.
• Does the problem affect all users? The entire node? Has anything changed recently? The possibilities are as follows:
— New software and hardware installation.
— Same hardware but changes to the software. Has the configuration file been modified? Has the HP-UX configuration been changed?
— Same software but changes to the hardware.
Table 5-1 Diagnostic Tools (Continued)
Tool       Description
landiag    A diagnostic program that tests LAN connections between HP Integrity computers.
linkloop   A diagnostic program that runs link-level loopback tests between HP Integrity systems. linkloop uses IEEE 802.3 link-level test frames to check physical connectivity with the LAN.
Table 5-1 Diagnostic Tools (Continued)
Tool              Description
Network Tracing   A utility that traces link-level traffic to and from a node. HP recommends that you enable tracing only when troubleshooting a problem unsolved by other means.
Diagnosing Repeater and Gateway Problems
If you are using a repeater, and hosts on either side of the repeater are having difficulty communicating with each other, a repeater subsystem failure may have occurred.
The statistics could indicate a bad route, suggesting a problem with a gateway node. To identify such errors, do the following:
• Check with the node manager of the gateway node to ascertain proper operation of the gateway.
• You can detect problems with the X.25 line by the number of errors shown when you execute the following:
x25stat -f -d /devicefile
For more information on troubleshooting gateways, see the appropriate link manual.
Troubleshooting Tips
This section provides useful tips for troubleshooting the Internet Services software. When troubleshooting problems with the Internet Services, you need a reference point to work from.
Flowchart Format
The flowcharts in this section each have a corresponding set of labeled explanations. You can follow the flowcharts alone or follow the flowcharts and read the explanations for more detail. The explanations are on the pages that follow each flowchart.
Figure 5-2 Flowchart Symbols (legend: start of flowchart n or re-enter the current flowchart; go to and enter flowchart n; make a decision; perform an action; exit flowchart)
Whenever you receive an error message, follow the corrective action supplied in the manpage for that service. The error message is preceded by the name of the service. Table 5-2 shows the appropriate manpage to consult for a description of the error messages.
Flowchart 1. Checking for a Server
Follow Flowchart 1 for all services and servers, and replace the words service and server with the appropriate service name or server name.
Figure 5-3 Flowchart 1.
1B. List current servers. List the servers currently running on your system by executing the following:
netstat -a
Table 5-3 lists the servers required for each service.
Table 5-3 Servers Required for Each Service
Local Address   Client/Request   TCP State
*.ftp           ftp              LISTEN
*.telnet        telnet           LISTEN
*.login         rlogin           LISTEN
*.shell         remsh, rcp       LISTEN
*.exec          rexec library    LISTEN
*.who           rwho, ruptime
*.smtp          sendmail SMTP    LISTEN
*.
Table 5-4 lists the entries that are required in the /etc/inetd.conf file.
Table 5-4 Entries Required in /etc/inetd.conf
Service Requested   inetd.
Table 5-5 Entries Required in /etc/services (Continued)
Service Requested     /etc/services Entry
ftp                   ftp 21/tcp
telnet                telnet 23/tcp
sendmail/SMTP         smtp 25/tcp
rexec library         exec 512/tcp
rlogin                login 513/tcp
remsh and rcp         shell 514/tcp
rwho and ruptime      who 513/tcp
tftp                  tftp 69/udp
bootpd and bootpc     bootps 67/udp, bootpc 68/udp
fingerd               finger 79/tcp
If the file entries or permissions are not correct, continue with 1E.
1D1.
1D4. Go to 1B. After inetd is running, repeat this flowchart beginning with 1B.
1E. Correct the files. If there was an incorrect entry or no entry in the /etc/inetd.conf or /etc/services files, enter the correct information and continue with 1D1.
1F. Reconfigure the Internet daemon. To reconfigure inetd, execute the following as superuser:
/usr/sbin/inetd -c
Continue with 1G.
1G. Go to 1B. Repeat the flowchart from 1B to check whether the server exists.
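Steps 1B through 1E of Flowchart 1 compare what netstat -a shows against the servers Table 5-3 requires and then check the configuration files. The following Python script is an added example, not part of this manual: it runs that comparison offline on constructed netstat -a and /etc/services samples and tells you which step (1D1 or 1E) applies to each missing server. The /etc/inetd.conf check of Table 5-4 is left out for brevity.

```python
# Constructed samples (not real captures) modelled on Tables 5-3 and 5-5
SAMPLE_NETSTAT_A = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp        0      0  *.ftp                  *.*                    LISTEN
tcp        0      0  *.telnet               *.*                    LISTEN
tcp        0      0  *.shell                *.*                    LISTEN
tcp        0      0  *.smtp                 *.*                    LISTEN
tcp        0      0  hpabc.1023             good.cup.hp.login      ESTABLISHED
udp        0      0  *.who                  *.*
"""
SAMPLE_SERVICES = """\
ftp          21/tcp
telnet       23/tcp
smtp         25/tcp
login       513/tcp
shell       514/tcp
"""

# Servers required for each service, per Table 5-3: name -> expected TCP state ("" for UDP)
REQUIRED = {"ftp": "LISTEN", "telnet": "LISTEN", "login": "LISTEN", "shell": "LISTEN",
            "exec": "LISTEN", "who": "", "smtp": "LISTEN"}


def listening_servers(netstat_text):
    """Map each wildcard local address (*.name) in `netstat -a` output to its state."""
    found = {}
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 4 or f[0] not in ("tcp", "udp") or not f[3].startswith("*."):
            continue                      # header lines and client connections
        found[f[3][2:]] = f[5] if len(f) > 5 else ""
    return found


def defined_services(services_text):
    """Service names that have an entry in /etc/services (comments stripped)."""
    return {f[0] for f in (l.split("#", 1)[0].split() for l in services_text.splitlines())
            if len(f) >= 2}


def check_servers(netstat_text, services_text):
    """Steps 1B-1E: report each required server that is not running and which step to take."""
    up = listening_servers(netstat_text)
    defined = defined_services(services_text)
    report = {}
    for name, state in REQUIRED.items():
        if up.get(name) == state:
            continue                      # server present: nothing to do
        if name not in defined:
            report[name] = "no /etc/services entry: correct the file (1E)"
        else:
            report[name] = "not listening: check that inetd is running (1D1)"
    return report
```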
Follow Flowchart 2 to troubleshoot security for telnet and ftp services.
Figure 5-4 Flowchart 2. Security for telnet and ftp (flowchart: the boxes shown are 2A Determine number of existing connections, 2B Maximum number of connections?, 2C Access to the server?, Using telnet or ftp?, See node manager, telnet should work, and the exits 2E, 2F and to Flowchart 3; the steps are explained below)
2A. Determine the number of existing connections. If inetd was started with the -l option, the system log may list the number of connections. If these messages do not appear in the system log, continue with 2B, or enable connection logging with inetd -l.
2B. Maximum number of connections? The maximum number of simultaneous connections is specified in the optional file /var/adm/inetd.sec.
2C5. Fix $HOME/.netrc. If the file is incorrect, make corrections to it and go to 2C6.
2C6. After you have made the corrections, repeat this flowchart beginning with 2A.
2D. See the node manager. If your system was denied access to the server system by the /var/adm/inetd.sec file, but you want to use the server, contact the node manager of the server system and request access.
2E. Go to Flowchart 3.
Flowchart 3. Security for Berkeley Services
Flowchart 3 is for troubleshooting security for the Berkeley Services: sendmail, BIND, finger, the rexec library, and those services that begin with r. The following information assumes an account has a password. If it does not, the security checks are not performed.
Figure 5-5 Flowchart 3.
3A. User name exists on server host? Does the user name that you want to log in as exist on the server host? You can specify another user’s name by using the -l option with rlogin. If the desired user name does not exist on the server host, continue with 3B.
3A1. Accessing server system as yourself? If not, go to 3D.
3A2. Are you superuser? If you are, go to 3D; otherwise, continue with 3C.
3B. Cannot access.
NOTE
For C2 Security, see A Beginner’s Guide to HP-UX and the HP-UX System Security Manual.
Reporting Problems to Your Hewlett-Packard Support Contact
If you do not have a service contract with HP, you may follow the procedure described in this section, but you will be billed accordingly for time and materials. If you have a service contract with HP, document the problem as a Service Request (SR) and forward it to your Hewlett-Packard support contact.
• Try to determine the general area within the software where you think the problem exists. Refer to the appropriate reference manual and follow the guidelines on gathering information for problems.
• Document your interim or “workaround” solution. The cause of the problem can sometimes be found by comparing the circumstances in which it occurs with the circumstances in which it does not occur.