A site dedicated to games for Linux

Certification Summary

Solaris supports a number of naming services to maintain network information on servers, which serve this information to the clients. DNS is the naming service running on the Internet to support TCP/IP networks. DNS makes communication simpler by using machine names (called domain names) instead of numerical IP addresses, whereas the focus of NIS is on making network administration more manageable and less error prone by providing centralized control over a variety of network information such as machine names, machine addresses, user names, and network services. Whereas NIS was developed in a proprietary environment, LDAP is based on an open standard and is poised to eventually replace NIS. Both LDAP and NIS+ offer security features. The nsswitch.conf file is used to coordinate the use of different naming services on your system.


solaris | Views: 26 | Added by: Lorg_Andre | Date: 11.04.2010 | Comments (0)

The naming service cache daemon (nscd) provides cache for common naming service requests. The daemon automatically starts when the Solaris system is booted and provides caching for the following service databases:

exec_attr. Contains execution profiles (RBAC).

group. Contains group security information.

hosts. Contains the machine name and IP address information.

ipnodes. Contains IP address and machine name information.

solaris | Views: 34 | Added by: Lorg_Andre | Date: 11.04.2010 | Comments (0)

Certification Objective 11.04—The NIS+ Security

The main NIS+ security concepts are described in the following:

NIS+ object. NIS+ objects are the NIS+ entities (things) that are secured—for example, the server itself, the NIS+ table, the table entries, and so forth. The access rights (permissions) are set on an object, meaning who can do what to this object.

NIS+ principal. An NIS+ principal is an entity that seeks access to an NIS+ object. In other words, all requests for NIS+ services will come from NIS+ principals. Note that a principal does not always have to be a user. For example, a request made by an ordinary user on a client machine would come from the client user, whereas a request made by the root user on a client machine would come from the client machine itself. NIS+ objects do not grant permissions to principals directly. To have access to an object, a principal must be a member of an authorization class.

solaris | Views: 29 | Added by: Lorg_Andre | Date: 11.04.2010 | Comments (0)

You can configure your machine as an NIS client by using either of the two methods described here. The recommended method for configuring a client machine to use NIS is to log in to the machine as superuser and execute the following command:

ypinit -c

solaris | Views: 29 | Added by: Lorg_Andre | Date: 11.04.2010 | Comments (0)

Certification Objective 11.02—Working with NIS

As you know, NIS is used to manage network information. The set of files in which NIS keeps the information is referred to as NIS maps. These files are written in a binary format called ndbm. Historically speaking, network information was originally maintained in /etc and some other configuration files, and the maps were designed to replace those files. As you will see, the maps contain much more than just the names and addresses.


solaris | Views: 30 | Added by: Lorg_Andre | Date: 11.04.2010 | Comments (0)

Certification Objective 11.01—Understanding Naming Services

As you learned in the previous chapters, we build computer networks to share resources. To do that the computers need some network information, necessary to communicate over the network and to share the resources. In principle, each machine can maintain its own information and the information about other machines and resources on the network locally. Still, this can be a cumbersome task and can lead to errors. Suppose you just installed a printer on the network; you then need to enter information about it individually on all the machines on the network. If information about one machine changes, you must update this information on all the machines individually. So it's not only a cumbersome task—the consistency is also at risk. This is where naming services come into the picture by offering centralized management of network information such as machine addresses, user names, passwords, access permissions, printer names, and so forth. Furthermore, naming services simplify machine addressing by allowing you to refer to the machines with names that are easy to remember rather than numerical addresses such as IP addresses. The Solaris system supports a number of naming services.

solaris | Views: 34 | Added by: Lorg_Andre | Date: 11.04.2010 | Comments (0)

As you learned in the previous chapter, we build computer networks to share resources. To share or use the shared resources, the computers need some network information necessary to communicate over the network, such as machine addresses, user names, passwords, access permissions, printer names, and so forth. Each machine on the network can maintain this information on its own, but that would be a cumbersome task for a network administrator, a task prone to errors and inconsistencies. The solution to this problem is to maintain this information on a centralized machine called a naming server and let other machines retrieve this information from this server, which offers what is called a naming service.

solaris | Views: 28 | Added by: Lorg_Andre | Date: 11.04.2010 | Comments (0)

Certification Summary

The node name of a machine can be found in a file /etc/<nodeName> on the machine, and the host name associated with an interface (specified by <interface>) of the machine can be found in the /etc/hostname.<interface> file.

Each entry in the /etc/hosts contains the following information about a host: host name, IP address associated with it, and nickname (alias), if any.

When you enable or disable a network service on your Solaris system by using, say, the svcadm command, the service status change is recorded in the service configuration repository and will persist across reboots.

Look Out

Because a hardware address is burned into the Ethernet NIC, if you change the Ethernet card, the hardware address of your computer changes.

Because every IP address has a network component in it, if you move your machine from one network to another, its IP address will change.

The inetadm command is used to manage inetd-controlled services, whereas svcadm is the SMF command to manage the network services.

Memorize

The netstat utility is used to view the network packets' activity (statistics) on inbound/outbound connections of your machine.

The ping command is used to check the reachability of another host on the network (or the Internet).

The snoop command is used to look into the incoming/outgoing packets on your machine (e.g., the values for the header fields).

The ifconfig command is used to configure a network interface, for example to assign an IP address to it, bring it up, or shut it down. You can also use this command to obtain configuration information about an interface.

solaris | Views: 33 | Added by: Lorg_Andre | Date: 11.04.2010 | Comments (0)

Certification Summary

The TCP/IP protocol suite makes the Internet appear to be a big single network to millions of users, even though underneath it is a collection of heterogeneous networks. TCP/IP protocols are organized into five layers that closely correspond to the seven layers of the OSI reference model. Each machine has a hardware (MAC) address (defined in the data link layer), which is its identity on a LAN, and an IP address (defined in the network layer), which is its identity on the Internet. Furthermore, a frame (data packet defined in the data link layer) can only be delivered locally, and an IP datagram (a data packet defined in the network layer) can be sent across multiple networks—that is, over the Internet. Each router on the way reframes the datagram as it hops from network to network on its route from source to destination.

You can view the packet traffic on the inbound/outbound connections of your machine by using the netstat command, and if you suspect a problem you can use the ping command to test the reachability of another host. You can also use the snoop command to look into the header of a packet. The packets that you can monitor by using these commands enter or exit through an interface that you can configure by using the ifconfig command.

Once your system is connected to the network through interfaces that you have configured, you need to manage the services running on your system. Standard Internet services are started by inetd at boot time. Solaris 10 offers Services Management Facility (SMF), which augments the traditional UNIX startup scripts and configuration files. The inetadm command is used to manage the inetd controlled services, and svcadm is the SMF utility used to manage the network services.

It's easier to remember a machine on the network by a name rather than by IP address. An entry in the /etc/inet/hosts file on your system contains the following information about a host name associated with your machine: the host name, the corresponding IP address, and an alias for the host name, if any. This file needs entries about other machines on the network only if the network is using the local files for the name service. Usually the network uses the NIS and DNS name services, which maintain host names and addresses on one or more servers. We explore the name services in the next chapter.

solaris | Views: 33 | Added by: Lorg_Andre | Date: 11.04.2010 | Comments (0)

Certification Objective 10.02—Working with Network Services

Most of the network services are offered in a client/server environment. A client refers to a host that makes requests to another host on the network called a server. The client machine has a client program running on it to make these requests. Examples of clients are web browsers, such as Netscape Navigator and Internet Explorer, an email client, or an FTP client. A server is a machine that has resources to serve, such as files or web pages. A server program running on the machine accepts the incoming requests. It may ask other programs running on the machine to prepare the response and then will send the response back to the client.

solaris | Views: 35 | Added by: Lorg_Andre | Date: 11.04.2010 | Comments (0)
