Certification Summary
Solaris supports a number of naming services to maintain network information
on servers, which serve this information to the clients. DNS is the naming
service running on the Internet to support TCP/IP networks. DNS makes
communication simpler by using machine names (called domain names) instead of
numerical IP addresses, whereas the focus of NIS is on making network
administration more manageable and less error prone by providing centralized
control over a variety of network information such as machine names, machine
addresses, user names, and network services. Whereas NIS was developed in a
proprietary environment, LDAP is based on an open standard and is poised to
eventually replace NIS. Both LDAP and NIS+ offer security features. The
nsswitch.conf file is used to coordinate the use of different naming services on
your system.

The naming service cache daemon (nscd) provides a cache for common naming
service requests. The daemon starts automatically when the Solaris system is
booted and provides caching for the following service databases:
exec_attr. Contains execution profiles (RBAC).
group. Contains group security information.
hosts. Contains the machine name and IP address information.
ipnodes. Contains IP address and machine name information.

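As an added illustration of how nsswitch.conf coordinates the naming services (this script is not from the book or the page), the POSIX shell functions below read a constructed nsswitch.conf-style table, report the source order for any database, including the ones nscd caches, and list the databases that depend on a given source; the sample contents and the function names are assumptions.

```shell
#!/bin/sh
# Added example: parse a Solaris-style nsswitch.conf and report, per database,
# which naming sources are consulted and in which order. The contents below
# are constructed for the example, not taken from the page or a real system.
NSSWITCH_SAMPLE='# /etc/nsswitch.conf (constructed sample)
passwd:     files nis
group:      files nis
hosts:      files dns [NOTFOUND=return] nis
ipnodes:    files dns
exec_attr:  files
networks:   nis [NOTFOUND=return] files'

# lookup_sources DB: print the ordered source list for database DB, dropping
# bracketed status=action criteria such as [NOTFOUND=return].
lookup_sources() {
    printf '%s\n' "$NSSWITCH_SAMPLE" | awk -v db="$1" '
        /^[ \t]*#/ || NF == 0 { next }
        $1 == (db ":") {
            out = ""
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^\[/) continue
                out = (out == "") ? $i : out " " $i
            }
            print out
            exit
        }'
}

# uses_source DB SRC: succeed (exit status 0) if DB consults source SRC at all.
uses_source() {
    for s in $(lookup_sources "$1"); do
        [ "$s" = "$2" ] && return 0
    done
    return 1
}

# databases_using SRC: list every database that consults SRC, one per line;
# useful to see which lookups (passwd, hosts, ...) depend on a remote server.
databases_using() {
    printf '%s\n' "$NSSWITCH_SAMPLE" | awk -v src="$1" '
        /^[ \t]*#/ || NF == 0 { next }
        { for (i = 2; i <= NF; i++) if ($i == src) { sub(/:$/, "", $1); print $1; break } }'
}

# Stand-alone usage: show the lookup order of the databases nscd caches.
for db in exec_attr group hosts ipnodes; do
    printf '%-10s %s\n' "$db" "$(lookup_sources "$db")"
done
```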
Certification Objective 11.04—The NIS+ Security
The main NIS+ security concepts are described in the following:
NIS+ object. NIS+ objects are the NIS+ entities (things) that are
secured—for example, the server itself, the NIS+ table, the table entries, and
so forth. The access rights (permissions) are set on an object, meaning who can
do what to this object.
NIS+ principal. An NIS+ principal is an entity that seeks access to an
NIS+ object. In other words, all requests for NIS+ services will come from NIS+
principals. Note that a principal does not always have to be a user. For
example, a request made by an ordinary user on a client machine would come from
the client user, whereas a request made by the root user on a client machine
would come from the client machine itself. NIS+ objects do not grant permissions
to principals directly. To have access to an object, a principal must be a
member of an authorization class.

You can configure your machine as an NIS client by using either of the two
methods described here. The recommended method for configuring a client machine
to use NIS is to log in to the machine as superuser and execute the following
command: ypinit -c

Certification Objective 11.02—Working with NIS
As you know, NIS is used to manage network information. The set of files in
which NIS keeps the information is referred to as NIS maps. These files are
written in a binary format called ndbm. Historically speaking, network
information was originally maintained in /etc and some other configuration
files, and the maps were designed to replace those files. As you will see, the
maps contain much more than just the names and addresses.

Certification Objective 11.01—Understanding Naming Services
As you learned in the previous chapters, we build computer networks to share
resources. To do that the computers need some network information, necessary to
communicate over the network and to share the resources. In principle, each
machine can maintain its own information and the information about other
machines and resources on the network locally. Still, this can be a cumbersome
task and can lead to errors. Suppose you just installed a printer on the
network; you then need to enter information about it individually on all the
machines on the network. If information about one machine changes, you must
update this information on all the machines individually. So it's not only a
cumbersome task—the consistency is also at risk. This is where naming services
come into the picture by offering centralized management of network information
such as machine addresses, user names, passwords, access permissions, printer
names, and so forth. Furthermore, naming services simplify machine addressing,
by allowing you to refer to the machines with names that are easy to remember
rather than numerical addresses such as IP address. The Solaris system supports
a number of naming services.

As you learned in the previous chapter, we build computer networks to share
resources. To share or use the shared resources, the computers need some network
information necessary to communicate over the network, such as machine
addresses, user names, passwords, access permissions, printer names, and so
forth. Each machine on the network can maintain this information on its own, but
that would be a cumbersome task for a network administrator, a task prone to
errors and inconsistencies. The solution to this problem is to maintain this
information on a centralized machine called a naming server and let other
machines retrieve this information from this server, which offers what is
called a naming service.

Certification Summary
The node name of a machine can be found in the file /etc/<nodeName> on
the machine, and the host name associated with an interface (specified by
<interface>) of the machine can be found in the
/etc/hostname.<interface> file.
Each entry in the /etc/hosts file contains the following information about a host:
host name, IP address associated with it, and nickname (alias), if any.
When you enable or disable a network service on your Solaris system by using,
say, the svcadm command, the service status change is recorded in the service
configuration repository and will persist across reboots.
Look Out
Because a hardware address is burned into the Ethernet NIC, if you change the
Ethernet card, the hardware address of your computer changes.
Because every IP address has a network component in it, if you move your
machine from one network to another, its IP address will change.
The inetadm command is used to manage inetd-controlled services, whereas
svcadm is the SMF command to manage the network services.
Memorize
The netstat utility is used to view the network packets' activity (statistics)
on inbound/outbound connections of your machine.
The ping command is used to check the reachability of another host on the
network (or the Internet).
The snoop command is used to look into the incoming/outgoing packets on your
machine (e.g., the values for the header fields).
The ifconfig command is used to configure a network interface, for example to
assign an IP address to it, bring it up, or shut it down. You can also use this
command to obtain configuration information about an interface.

Certification Summary
The TCP/IP protocol suite makes the Internet appear to be a big single
network to millions of users, even though underneath it is a collection of
heterogeneous networks. TCP/IP protocols are organized into five layers that
closely correspond to the seven layers of the OSI reference model. Each machine
has a hardware (MAC) address (defined in the data link layer), which is its
identity on a LAN, and an IP address (defined in the network layer) which is its
identity on the Internet. Furthermore, a frame (data packet defined in the data
link layer) can only be delivered locally, and an IP datagram (a data packet
defined in the network layer) can be sent across multiple networks—that is, over
the Internet. Each router on the way reframes the datagram as it hops from
network to network on its route from source to destination.
You can view the packet traffic on the inbound/outbound connections of your
machine by using the netstat command, and if you suspect a problem you can use
the ping command to test the reachability of another host. You can also use the
snoop command to look into the header of a packet. The packets that you can
monitor by using these commands enter or exit through an interface that you can
configure by using the ifconfig command.
Once your system is connected to the network through interfaces that you have
configured, you need to manage the services running on your system. Standard
Internet services are started by inetd at boot time. Solaris 10 offers the
Service Management Facility (SMF), which augments the traditional UNIX startup scripts
and configuration files. The inetadm command is used to manage the inetd
controlled services, and svcadm is the SMF utility used to manage the network
services.
It's easier to remember a machine on the network by a name rather than by IP
address. An entry in the /etc/inet/hosts file on your system contains the
following information about a host name associated with your machine: the host
name, the corresponding IP address, and an alias for the host name, if any. This
file needs entries about other machines on the network only if the network is
using the local files for the name service. Usually the network uses the NIS and
DNS name services, which maintain host names and addresses on one or more
servers. We explore the name services in the next chapter.

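The /etc/hosts (on Solaris, /etc/inet/hosts) entry format described in both summaries above, as an added example that is not the book's own code: the shell functions below resolve a host name or alias to its address the way a first-match lookup does, and report names that a locally maintained table maps to more than one address; the sample table and the function names are assumptions.

```shell
#!/bin/sh
# Added example: resolve names against an /etc/hosts-style table (Solaris keeps
# it in /etc/inet/hosts) and flag inconsistent entries. The table below is
# constructed for the example; it is not from the page or a real system.
HOSTS_SAMPLE='#
# Internet host table (constructed sample)
#
127.0.0.1       localhost
192.168.10.5    solbox      solbox.example.test   loghost   # primary host
192.168.10.20   printsrv    lp-1
192.168.10.21   nisserver   nis-master
192.168.10.99   printsrv'

# resolve_host NAME: print the IP address of the first entry whose host name
# or alias equals NAME; whole-line and trailing comments are ignored.
resolve_host() {
    printf '%s\n' "$HOSTS_SAMPLE" | awk -v name="$1" '
        { sub(/#.*/, "") }
        NF < 2 { next }
        { for (i = 2; i <= NF; i++) if ($i == name) { print $1; exit } }'
}

# conflicting_names: list names (host names or aliases) that appear on entries
# with different addresses. Because the first match wins, the later entry is
# silently ignored; this is the kind of inconsistency a hand-maintained local
# table accumulates and a central naming service is meant to prevent.
conflicting_names() {
    printf '%s\n' "$HOSTS_SAMPLE" | awk '
        { sub(/#.*/, "") }
        NF < 2 { next }
        {
            for (i = 2; i <= NF; i++) {
                if (!($i in addr)) {
                    addr[$i] = $1
                } else if (addr[$i] != $1 && !($i in seen)) {
                    seen[$i] = 1; print $i
                }
            }
        }'
}

# Stand-alone usage.
printf 'loghost   -> %s\n' "$(resolve_host loghost)"
printf 'conflicts: %s\n' "$(conflicting_names | tr '\n' ' ')"
```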
Certification Objective 10.02—Working with Network Services
Most of the network services are offered in a client/server environment. A
client refers to a host that makes requests to another host on the network
called a server. The client machine has a client program running on it to make
these requests. Examples of clients are web browsers, such as Netscape Navigator
and Internet Explorer, an email client, or an FTP client. A server is a machine
that has resources to serve, such as files or web pages. A server program
running on the machine accepts the incoming requests. It may ask other programs
running on the machine to prepare the response and then will send the response
back to the client.