authorobrien <obrien@FreeBSD.org>1998-12-30 12:42:36 +0800
committerobrien <obrien@FreeBSD.org>1998-12-30 12:42:36 +0800
commit25972c17c6f3098dbd285409041ea8f344772615 (patch)
tree7b724f42a9c15c3953ed01e3d59460051516641b /misc
parentebd6ded6df7fc465d1cc238c01fbcc9d9413dc72 (diff)
This is the result of some discussion on some list (can't remember which)
where someone suggested taking the Linux HOW-TOs and making them applicable to FreeBSD. Everyone please feel free to add to this framework.
Diffstat (limited to 'misc')
-rw-r--r--misc/Howto/Makefile59
-rw-r--r--misc/Howto/distinfo6
-rw-r--r--misc/Howto/files/HOWTO-INDEX.html52
-rw-r--r--misc/Howto/files/patch-dns689
-rw-r--r--misc/Howto/files/patch-nfs369
-rw-r--r--misc/Howto/files/patch-nis936
-rw-r--r--misc/Howto/pkg-comment1
-rw-r--r--misc/Howto/pkg-descr1
-rw-r--r--misc/Howto/pkg-plist2
9 files changed, 2115 insertions, 0 deletions
diff --git a/misc/Howto/Makefile b/misc/Howto/Makefile
new file mode 100644
index 000000000000..14c700147530
--- /dev/null
+++ b/misc/Howto/Makefile
@@ -0,0 +1,59 @@
+# ex:ts=8
+# Ports collection makefile for: Howto
+# Version required: 1.0
+# Date created: Fri Oct 02, 1998
+# Whom: David O'Brien (obrien@FreeBSD.org)
+#
+# $Id: Makefile,v 1.2 1997/01/25 18:08:40 obrien Exp $
+#
+
+DISTNAME= Howto-1.0
+CATEGORIES= misc
+MASTER_SITES= ftp://sunsite.unc.edu/pub/Linux/docs/HOWTO/other-formats/sgml/ \
+ ftp://sunsite.unc.edu/pub/Linux/docs/HOWTO/mini/other-formats/sgml/ \
+ http://sunsite.unc.edu/mdw/HOWTO/
+DISTFILES= Linux+FreeBSD.sgml.gz \
+ DNS-HOWTO.sgml.gz \
+ NFS-HOWTO.sgml.gz \
+ NIS-HOWTO.sgml.gz \
+ Security-HOWTO.sgml.gz
+
+MAINTAINER= ports@FreeBSD.org
+
+BUILD_DEPENDS= sgmlfmt:${PORTSDIR}/textproc/sgmlformat
+
+DIST_SUBDIR= Howto
+NO_WRKSUBDIR= yes
+
+do-extract:
+ @${MKDIR} ${WRKSRC}
+ @for file in ${DISTFILES}; do \
+ ${CP} ${_DISTDIR}/$$file ${WRKSRC} ; \
+ case $$file in \
+ *.Z|*.gz) \
+ ${GZIP_CMD} -d ${WRKSRC}/$$file ; \
+ ;; \
+ *.zip) \
+ cd ${WRKSRC} && unzip $$file ; \
+ ;; \
+ *.bz2) \
+ bzip2 -d ${WRKSRC}/$$file ; \
+ ;; \
+ esac; \
+ done
+
+do-build:
+.for howto in ${DISTFILES:S/.gz//}
+ @cd ${WRKSRC} && sgmlfmt -f ascii ${howto}
+ @cd ${WRKSRC} && sgmlfmt -f latin1 ${howto}
+ @cd ${WRKSRC} && sgmlfmt -f html ${howto}
+.endfor
+
+do-install:
+ @${MKDIR} ${PREFIX}/share/doc/Howto/HTML
+ @${INSTALL_MAN} ${FILESDIR}/HOWTO-INDEX.html ${PREFIX}/share/doc/Howto
+ @${INSTALL_MAN} ${WRKSRC}/*.html ${PREFIX}/share/doc/Howto/HTML
+ @${INSTALL_MAN} ${WRKSRC}/*.latin1 ${PREFIX}/share/doc/Howto
+ @${INSTALL_MAN} ${WRKSRC}/*.ascii ${PREFIX}/share/doc/Howto
+
+.include <bsd.port.mk>
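Review bot: In `do-extract` the loop body joins its commands with `;`, so a failed `${CP}` or `${GZIP_CMD} -d` for one distfile does not by itself stop the loop, and the target's status is that of the last iteration unless make runs the shell with `-e`. Making the failure explicit keeps a partial extraction from reaching `do-build`: `${CP} ${_DISTDIR}/$$file ${WRKSRC} || exit 1 ; \` and likewise `${GZIP_CMD} -d ${WRKSRC}/$$file || exit 1 ; \`. The `*.zip` and `*.bz2` arms call `unzip` and `bzip2`, which `BUILD_DEPENDS` does not declare, and no entry in `DISTFILES` can reach them; they could be dropped or the tools declared.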
diff --git a/misc/Howto/distinfo b/misc/Howto/distinfo
new file mode 100644
index 000000000000..e0bee2f11f9c
--- /dev/null
+++ b/misc/Howto/distinfo
@@ -0,0 +1,6 @@
+MD5 (Howto/Linux+FreeBSD.sgml.gz) = 88bac5898787488b98b2d92d60e6cfe3
+MD5 (Howto/DNS-HOWTO.sgml.gz) = 119c95e11b0c58a885a04a896877f2be
+MD5 (Howto/NFS-HOWTO.sgml.gz) = 857f74f17b4c532cdf3016aa691db457
+MD5 (Howto/NIS-HOWTO.sgml.gz) = f9bb53765e6cdbe7c9206e4023c620a2
+MD5 (Howto/Security-HOWTO.sgml.gz) = 7037dbd0722ea4973eb3badbddea456d
+MD5 (Howto/Advocacy.sgml.gz) = 9e84754b1074f3129f7b03b3eaa6bbe5
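Review bot: The last line records a checksum for `Howto/Advocacy.sgml.gz`, but the `DISTFILES` list in misc/Howto/Makefile in this same commit has no such file, so either the entry is stale or a distfile is missing from the Makefile. Since `MASTER_SITES` are plain `ftp://` and `http://` URLs, these digests are the only integrity check on what gets fetched. MD5 is no longer collision-resistant, so a stronger digest line should be recorded alongside each entry if the ports framework in use accepts one.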
diff --git a/misc/Howto/files/HOWTO-INDEX.html b/misc/Howto/files/HOWTO-INDEX.html
new file mode 100644
index 000000000000..e8bfbe1818ed
--- /dev/null
+++ b/misc/Howto/files/HOWTO-INDEX.html
@@ -0,0 +1,52 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
+
+<!-- taken from http://sunsite.unc.edu/mdw/HOWTO/HOWTO-INDEX-3.html -->
+
+<HTML>
+<HEAD>
+ <META NAME="GENERATOR" CONTENT="SGML-Tools 1.0.7">
+ <TITLE>The FreeBSD HOWTO Index: Index</TITLE>
+</HEAD>
+<BODY>
+
+<H2><A NAME="ss3.1">HOWTOs Index</A>
+</H2>
+
+<P>The following FreeBSD HOWTOs are currently available:
+<P>
+<UL>
+
+
+<LI>
+<A HREF="HTML/DNS-HOWTO_toc.html">DNS HOWTO</A>
+How to set up DNS.
+Updated 25 August 1998.
+</LI>
+
+<LI>
+<A HREF="HTML/Linux+FreeBSD_toc.html">Linux+FreeBSD mini-HOWTO</A>
+How to use Linux and FreeBSD together.
+Updated 18 June 1998.
+</LI>
+
+<LI>
+<A HREF="HTML/NFS-HOWTO_toc.html">NFS HOWTO</A>
+How to set up NFS clients and servers.
+Updated 3 November 1997.
+</LI>
+
+<LI>
+<A HREF="HTML/NIS-HOWTO_toc.html">NIS HOWTO</A>
+Information on using NIS/YP on FreeBSD systems.
+Updated 12 June 1998.
+</LI>
+
+<LI>
+<A HREF="HTML/Security-HOWTO_toc.html">Security HOWTO</A>
+General overview of security issues.
+Updated 1 May 1998.
+</LI>
+
+
+</BODY>
+</HTML>
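Review bot: The `<UL>` opened before the first `<LI>` is never closed; the file goes from the last `</LI>` straight to `</BODY>`. Add `</UL>` on its own line before `</BODY>`. The two `<P>` tags above the list are also left open, which HTML 3.2 permits, so only the list needs the fix.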
diff --git a/misc/Howto/files/patch-dns b/misc/Howto/files/patch-dns
new file mode 100644
index 000000000000..63f3d11dbd07
--- /dev/null
+++ b/misc/Howto/files/patch-dns
@@ -0,0 +1,689 @@
+--- DNS-HOWTO.sgml.orig Sat Oct 3 15:27:23 1998
++++ DNS-HOWTO.sgml Sat Oct 3 16:32:31 1998
+@@ -1,4 +1,4 @@
+-<!doctype linuxdoc system>
++<!doctype linuxdoc public "-//FreeBSD//DTD linuxdoc 1.1//EN">
+ <!-- -*-SGML-*- -->
+ <article>
+ <title>DNS HOWTO
+@@ -50,9 +50,9 @@
+ <p>For starters, DNS is is the Domain Name System. DNS converts
+ machine names to the IP numbers that are all the machines addresses,
+ it maps from name to address and from address to name. This HOWTO
+-documents how to define such mappings using a Linux system. A mapping
++documents how to define such mappings using a FreeBSD system. A mapping
+ i simply a association between two things, in this case a machine
+-name, like ftp.linux.org, and the machines IP number, 199.249.150.4.
++name, like ftp.freebsd.org, and the machines IP number, 209.155.82.18.
+
+ <p>DNS is, to the uninitiated (you ;-), one of the more opaque areas
+ of network administration. This HOWTO will try to make a few things
+@@ -85,11 +85,14 @@
+
+ <p>Name serving on Unix is done by a program called <tt/named/. This
+ is a part of the bind package which is coordinated by Paul Vixie for
+-The Internet Software Consortium. <tt/Named/ is included in most
+-Linux distributions and is usually installed as
+-<tt>/usr/sbin/named</tt>. If you have a named you can probably use
+-it; if you don't have one you can get a binary off a Linux ftp site,
+-or get the latest and greatest source from <htmlurl
++The Internet Software Consortium. <tt/Named/ is included in all
++FreeBSD distributions and is installed as
++<tt>/usr/sbin/named</tt>.
++You can get the latest and greatest source from <htmlurl
++url="ftp://ftp.freebsd.org/pub/FreeBSD/FreeBSD-stable/src/contrib/bind/"
++name="ftp.freebsd.org:/pub/FreeBSD/FreeBSD-stable/src/contrib/bind/">
++or the offical distribution source which the FreeBSD version is based on
++from <htmlurl
+ url="ftp://ftp.isc.org/isc/bind/src/cur/bind-8/"
+ name="ftp.isc.org:/isc/bind/src/cur/bind-8/">. This HOWTO is about
+ bind version 8. The old version of the HOWTO, about bind 4 is still
+@@ -124,14 +127,14 @@
+ waiting time the next time significantly, esp. if you're on a slow
+ connection.
+
+-<p>First you need a file called <tt>/etc/named.conf</tt>. This is
++<p>First you need a file called <tt>/etc/namedb/named.conf</tt>. This is
+ read when named starts. For now it should simply contain:
+
+ <code>
+ // Config file for caching only name server
+
+ options {
+- directory "/var/named";
++ directory "/etc/namedb";
+
+ // Uncommenting this might help if you have to go through a
+ // firewall and things are not working out:
+@@ -146,18 +149,17 @@
+
+ zone "0.0.127.in-addr.arpa" {
+ type master;
+- file "pz/127.0.0";
++ file "localhost.rev";
+ };
+ </code>
+
+ <p>The `<tt/directory/' line tells named where to look for files. All
+-files named subsequently will be relative to this. Thus <tt>pz</tt>
+-is a directory under <tt>/var/named</tt>, i.e.,
+-<tt>/var/named/pz</tt>. <tt>/var/named</tt> is the right directory
+-according to the <em/Linux File system Standard/.
++files named subsequently will be relative to this.
++<tt>/etc/namedb</tt> is the standard directory
++according to the <em>hier(7)</em> manpage.
+
+-<p>The file named <tt>/var/named/root.hints</tt> is named in this.
+-<tt>/var/named/root.hints</tt> should contain this:
++<p>The file named <tt>/etc/namedb/named.root</tt> is named in this.
++<tt>/etc/namedb/named.root</tt> should contain something simular to this:
+
+ <code>
+ . 6D IN NS G.ROOT-SERVERS.NET.
+@@ -195,16 +197,16 @@
+
+ The next section in <tt/named.conf/ is the last <tt/zone/. I will
+ explain its use in a later chapter, for now just make this a file
+-named <tt/127.0.0/ in the subdirectory <tt/pz/:
++named <tt/localhost.rev/ in the subdirectory <tt//etc/namedb/:
+
+ <code>
+-@ IN SOA ns.linux.bogus. hostmaster.linux.bogus. (
++@ IN SOA ns.freebsd.bogus. hostmaster.freebsd.bogus. (
+ 1 ; Serial
+ 8H ; Refresh
+ 2H ; Retry
+ 1W ; Expire
+ 1D) ; Minimum TTL
+- NS ns.linux.bogus.
++ NS ns.freebsd.bogus.
+ 1 PTR localhost.
+ </code>
+
+@@ -283,7 +285,7 @@
+ the host name resolving routines to first look in <tt>/etc/hosts</tt>,
+ then ask the name server (which you in <tt/resolv.conf/ said is at
+ 127.0.0.1) These two latest files are documented in the resolv(8) man
+-page (do `<tt/man 8 resolv/') in most Linux distributions. That man
++page (do `<tt/man 8 resolv/') in most FreeBSD distributions. That man
+ page is IMHO readable, and everyone, especially DNS admins, should
+ read it. Do it now, if you say to yourself "I'll do it later" you'll
+ never get around to it.
+@@ -315,7 +317,7 @@
+ </verb></tscreen>
+
+ <p>If there are any messages about errors then there is a mistake.
+-Named will name the file it is in (one of named.conf and root.hints I
++Named will name the file it is in (one of named.conf and named.root I
+ hope :-) Kill named and go back and check the file.
+
+ <p>Now it's time to start nslookup to examine your handy-work.
+@@ -587,7 +589,7 @@
+ <sect1>Our own domain
+
+ <p>Now to define our own domain. We're going to make the domain
+-<em/linux.bogus/ and define machines in it. I use a totally bogus
++<em/freebsd.bogus/ and define machines in it. I use a totally bogus
+ domain name to make sure we disturb no-one Out There.
+
+ <p>One more thing before we start: Not all characters are allowed in
+@@ -601,24 +603,24 @@
+ <code>
+ zone "0.0.127.in-addr.arpa" {
+ type master;
+- file "pz/127.0.0";
++ file "localhost.rev";
+ };
+ </code>
+
+ <p>Please note the lack of `<tt/./' at the end of the domain names in
+ this file. This says that now we will define the zone
+ <tt/0.0.127.in-addr.arpa/, that we're the master server for it and
+-that it is stored in a file called <tt>pz/127.0.0</tt>. We've already
++that it is stored in a file called <tt>localhost.rev</tt>. We've already
+ set up this file, it reads:
+
+ <code>
+-@ IN SOA ns.linux.bogus. hostmaster.linux.bogus. (
++@ IN SOA ns.freebsd.bogus. hostmaster.freebsd.bogus. (
+ 1 ; Serial
+ 8H ; Refresh
+ 2H ; Retry
+ 1W ; Expire
+ 1D) ; Minimum TTL
+- NS ns.linux.bogus.
++ NS ns.freebsd.bogus.
+ 1 PTR localhost.
+ </code>
+
+@@ -643,11 +645,11 @@
+ Saves some typing that. So the NS line really reads
+
+ <tscreen><verb>
+-0.0.127.in-addr.arpa. IN NS ns.linux.bogus
++0.0.127.in-addr.arpa. IN NS ns.freebsd.bogus
+ </verb></tscreen>
+
+ <p>It tells DNS what machine is the name server of the domain
+-<tt/0.0.127.in-addr.arpa/, it is <tt/ns.linux.bogus/. 'ns' is a
++<tt/0.0.127.in-addr.arpa/, it is <tt/ns.freebsd.bogus/. 'ns' is a
+ customary name for name-servers, but as with web servers who are
+ customarily named <tt/www./<em/something/ the name may be anything.
+
+@@ -658,8 +660,8 @@
+ <p>The SOA record is the preamble to <em/all/ zone files, and there
+ should be exactly one in each zone file, the very first record. It
+ describes the zone, where it comes from (a machine called
+-<tt/ns.linux.bogus/), who is responsible for its contents
+-(<tt/hostmaster@linux.bogus/), what version of the zone file this is
++<tt/ns.freebsd.bogus/), who is responsible for its contents
++(<tt/hostmaster@freebsd.bogus/), what version of the zone file this is
+ (serial: 1), and other things having to do with caching and secondary
+ DNS servers. For the rest of the fields, refresh, retry, expire and
+ minimum use the numbers used in this HOWTO and you should be safe.
+@@ -682,28 +684,28 @@
+ </verb></tscreen>
+
+ so it manages to get <tt/localhost/ from 127.0.0.1, good. Now for our
+-main task, the <tt/linux.bogus/ domain, insert a new 'zone' section in
++main task, the <tt/freebsd.bogus/ domain, insert a new 'zone' section in
+ <tt/named.conf/:
+
+ <code>
+-zone "linux.bogus" {
++zone "freebsd.bogus" {
+ notify no;
+ type master;
+- file "pz/linux.bogus";
++ file "freebsd.bogus";
+ };
+ </code>
+
+ <p>Note the continued lack of ending `<tt/./' on the domain name in the
+ <tt/named.conf/ file.
+
+-<p>In the linux.bogus zone file we'll put some totally bogus data:
++<p>In the freebsd.bogus zone file we'll put some totally bogus data:
+ <code>
+ ;
+-; Zone file for linux.bogus
++; Zone file for freebsd.bogus
+ ;
+ ; The full zone file
+ ;
+-@ IN SOA ns.linux.bogus. hostmaster.linux.bogus. (
++@ IN SOA ns.freebsd.bogus. hostmaster.freebsd.bogus. (
+ 199802151 ; serial, todays date + todays serial #
+ 8H ; refresh, seconds
+ 2H ; retry, seconds
+@@ -711,7 +713,7 @@
+ 1D ) ; minimum, seconds
+ ;
+ NS ns ; Inet Address of name server
+- MX 10 mail.linux.bogus ; Primary Mail Exchanger
++ MX 10 mail.freebsd.bogus ; Primary Mail Exchanger
+ MX 20 mail.friend.bogus. ; Secondary Mail Exchanger
+ ;
+ localhost A 127.0.0.1
+@@ -719,11 +721,11 @@
+ mail A 192.168.196.4
+ </code>
+
+-<p>Two things must be noted about the SOA record. ns.linux.bogus
++<p>Two things must be noted about the SOA record. ns.freebsd.bogus
+ <em/must/ be a actual machine with a A record. It is not legal to
+ have a CNAME record for he machine mentioned in the SOA record. It's
+ name need not be `ns', it could be any legal host name. Next,
+-hostmaster.linux.bogus should be read as hostmaster@linux.bogus, this
++hostmaster.freebsd.bogus should be read as hostmaster@freebsd.bogus, this
+ should be a mail alias, or a mailbox, where the person(s) maintaining
+ DNS should read mail frequently. Any mail regarding the domain will
+ be sent to the address listed here. The name need not be
+@@ -732,7 +734,7 @@
+
+ <p>There is one new RR type in this file, the MX, or Mail eXchanger
+ RR. It tells mail systems where to send mail that is addressed to
+-<tt/someone@linux.bogus/, namely too <tt/mail.linux.bogus/ or
++<tt/someone@freebsd.bogus/, namely too <tt/mail.freebsd.bogus/ or
+ <tt/mail.friend.bogus/. The number before each machine name is that
+ MX RRs priority. The RR with the lowest number (10) is the one mail
+ should be sent to primarily. If that fails it can be sent to one with
+@@ -745,51 +747,51 @@
+ <tscreen><verb>
+ $ nslookup
+ > set q=any
+-> linux.bogus
++> freebsd.bogus
+ Server: localhost
+ Address: 127.0.0.1
+
+-linux.bogus
+- origin = ns.linux.bogus
+- mail addr = hostmaster.linux.bogus
++freebsd.bogus
++ origin = ns.freebsd.bogus
++ mail addr = hostmaster.freebsd.bogus
+ serial = 199802151
+ refresh = 28800 (8 hours)
+ retry = 7200 (2 hours)
+ expire = 604800 (7 days)
+ minimum ttl = 86400 (1 day)
+-linux.bogus nameserver = ns.linux.bogus
+-linux.bogus preference = 10, mail exchanger = mail.linux.bogus.linux.bogus
+-linux.bogus preference = 20, mail exchanger = mail.friend.bogus
+-linux.bogus nameserver = ns.linux.bogus
+-ns.linux.bogus internet address = 192.168.196.2
+-mail.linux.bogus internet address = 192.168.196.4
++freebsd.bogus nameserver = ns.freebsd.bogus
++freebsd.bogus preference = 10, mail exchanger = mail.freebsd.bogus.freebsd.bogus
++freebsd.bogus preference = 20, mail exchanger = mail.friend.bogus
++freebsd.bogus nameserver = ns.freebsd.bogus
++ns.freebsd.bogus internet address = 192.168.196.2
++mail.freebsd.bogus internet address = 192.168.196.4
+ </verb></tscreen>
+
+ <p>Upon careful examination you will discover a bug. The line
+
+ <tscreen><verb>
+-linux.bogus preference = 10, mail exchanger = mail.linux.bogus.linux.bogus
++freebsd.bogus preference = 10, mail exchanger = mail.freebsd.bogus.freebsd.bogus
+ </verb></tscreen>
+
+ is all wrong. It should be
+
+ <tscreen><verb>
+-linux.bogus preference = 10, mail exchanger = mail.linux.bogus
++freebsd.bogus preference = 10, mail exchanger = mail.freebsd.bogus
+ </verb></tscreen>
+
+ <p>I deliberately made a mistake so you could learn from it :-) Looking
+ in the zone file we find that the line
+
+ <tscreen><verb>
+- MX 10 mail.linux.bogus ; Primary Mail Exchanger
++ MX 10 mail.freebsd.bogus ; Primary Mail Exchanger
+ </verb></tscreen>
+
+-is missing a period. Or has a 'linux.bogus' too many. If a machine
++is missing a period. Or has a 'freebsd.bogus' too many. If a machine
+ name does not end in a period in a zone file the origin is added to
+-its end causing the double <tt/linux.bogus.linux.bogus/. So either
++its end causing the double <tt/freebsd.bogus.freebsd.bogus/. So either
+
+ <code>
+- MX 10 mail.linux.bogus. ; Primary Mail Exchanger
++ MX 10 mail.freebsd.bogus. ; Primary Mail Exchanger
+ </code>
+
+ or
+@@ -814,18 +816,18 @@
+
+ <code>
+ ;
+-; Zone file for linux.bogus
++; Zone file for freebsd.bogus
+ ;
+ ; The full zone file
+ ;
+-@ IN SOA ns.linux.bogus. hostmaster.linux.bogus. (
++@ IN SOA ns.freebsd.bogus. hostmaster.freebsd.bogus. (
+ 199802151 ; serial, todays date + todays serial #
+ 8H ; refresh, seconds
+ 2H ; retry, seconds
+ 1W ; expire, seconds
+ 1D ) ; minimum, seconds
+ ;
+- TXT "Linux.Bogus, your DNS consultants"
++ TXT "FreeBSD.Bogus, your DNS consultants"
+ NS ns ; Inet Address of name server
+ NS ns.friend.bogus.
+ MX 10 mail ; Primary Mail Exchanger
+@@ -840,31 +842,31 @@
+ ns A 192.168.196.2
+ MX 10 mail
+ MX 20 mail.friend.bogus.
+- HINFO "Pentium" "Linux 2.0"
++ HINFO "Pentium" "FreeBSD 3.0"
+ www CNAME ns
+
+ donald A 192.168.196.3
+ MX 10 mail
+ MX 20 mail.friend.bogus.
+- HINFO "i486" "Linux 2.0"
++ HINFO "i486" "FreeBSD 3.0"
+ TXT "DEK"
+
+ mail A 192.168.196.4
+ MX 10 mail
+ MX 20 mail.friend.bogus.
+- HINFO "386sx" "Linux 1.2"
++ HINFO "386sx" "FreeBSD 2.2"
+
+ ftp A 192.168.196.5
+ MX 10 mail
+ MX 20 mail.friend.bogus.
+- HINFO "P6" "Linux 2.1.86"
++ HINFO "P6" "FreeBSD 2.1.86"
+ </code>
+
+ <p>There are a number of new RRs here: HINFO (Host INFOrmation) has
+ two parts, it's a good habit to quote each. The first part is the
+ hardware or CPU on the machine, and the second part the software or OS
+ on the machine. The machine called 'ns' has a Pentium CPU and runs
+-Linux 2.0. CNAME (Canonical NAME) is a way to give each machine
++FreeBSD 3.0. CNAME (Canonical NAME) is a way to give each machine
+ several names. So www is an alias for ns.
+
+ <p>CNAME record usage is a bit controversial. But it's safe to follow
+@@ -883,7 +885,7 @@
+ </code>
+
+ <p>It's also safe to assume that a CNAME is not a legal host name for
+-a e-mail address: <tt/webmaster@www.linux.bogus/ is an ilegal e-mail
++a e-mail address: <tt/webmaster@www.freebsd.bogus/ is an ilegal e-mail
+ address given the setup above. You can expect quite a few mail admins
+ Out There to enforce this rule even if it works for you. The way to
+ avoid this is to use A records (and perhaps some others too, like a MX
+@@ -907,14 +909,14 @@
+ Default Server: localhost
+ Address: 127.0.0.1
+
+-> ls -d linux.bogus
++> ls -d freebsd.bogus
+ </verb></tscreen>
+
+ <p>This means that all records should be listed. It results in this:
+
+ <tscreen><verb>
+ [localhost]
+-$ORIGIN linux.bogus.
++$ORIGIN freebsd.bogus.
+ @ 1D IN SOA ns hostmaster (
+ 199802151 ; serial
+ 8H ; refresh
+@@ -924,7 +926,7 @@
+
+ 1D IN NS ns
+ 1D IN NS ns.friend.bogus.
+- 1D IN TXT "Linux.Bogus, your DNS consultants"
++ 1D IN TXT "FreeBSD.Bogus, your DNS consultants"
+ 1D IN MX 10 mail
+ 1D IN MX 20 mail.friend.bogus.
+ gw 1D IN A 192.168.196.1
+@@ -933,22 +935,22 @@
+ mail 1D IN A 192.168.196.4
+ 1D IN MX 10 mail
+ 1D IN MX 20 mail.friend.bogus.
+- 1D IN HINFO "386sx" "Linux 1.0.9"
++ 1D IN HINFO "386sx" "FreeBSD 2.1.5"
+ localhost 1D IN A 127.0.0.1
+ www 1D IN CNAME ns
+ donald 1D IN A 192.168.196.3
+ 1D IN MX 10 mail
+ 1D IN MX 20 mail.friend.bogus.
+- 1D IN HINFO "i486" "Linux 1.2"
++ 1D IN HINFO "i486" "FreeBSD 2.2"
+ 1D IN TXT "DEK"
+ ftp 1D IN A 192.168.196.5
+ 1D IN MX 10 mail
+ 1D IN MX 20 mail.friend.bogus.
+- 1D IN HINFO "P6" "Linux 1.3.59"
++ 1D IN HINFO "P6" "FreeBSD 2.2.7"
+ ns 1D IN A 192.168.196.2
+ 1D IN MX 10 mail
+ 1D IN MX 20 mail.friend.bogus.
+- 1D IN HINFO "Pentium" "Linux 1.2"
++ 1D IN HINFO "Pentium" "FreeBSD 2.2"
+ @ 1D IN SOA ns hostmaster (
+ 199802151 ; serial
+ 8H ; refresh
+@@ -962,25 +964,25 @@
+
+ <tscreen><verb>
+ > set q=any
+-> www.linux.bogus.
++> www.freebsd.bogus.
+ Server: localhost
+ Address: 127.0.0.1
+
+-www.linux.bogus canonical name = ns.linux.bogus
+-linux.bogus nameserver = ns.linux.bogus
+-linux.bogus nameserver = ns.friend.bogus
+-ns.linux.bogus internet address = 192.168.196.2
++www.freebsd.bogus canonical name = ns.freebsd.bogus
++freebsd.bogus nameserver = ns.freebsd.bogus
++freebsd.bogus nameserver = ns.friend.bogus
++ns.freebsd.bogus internet address = 192.168.196.2
+ </verb></tscreen>
+
+-<p>In other words, the real name of <tt>www.linux.bogus</tt> is
+-<tt/ns.linux.bogus/, and it gives you some of the information it has
++<p>In other words, the real name of <tt>www.freebsd.bogus</tt> is
++<tt/ns.freebsd.bogus/, and it gives you some of the information it has
+ about ns as well, enough to connect to it if you were a program.
+
+ <p>Now we're halfway.
+
+ <sect1>The reverse zone
+
+-<p>Now programs can convert the names in linux.bogus to addresses
++<p>Now programs can convert the names in freebsd.bogus to addresses
+ which they can connect to. But also required is a reverse zone, one
+ making DNS able to convert from an address to a name. This name is
+ used buy a lot of servers of different kinds (FTP, IRC, WWW and
+@@ -994,7 +996,7 @@
+ zone "196.168.192.in-addr.arpa" {
+ notify no;
+ type master;
+- file "pz/192.168.196";
++ file "192.168.196";
+ };
+ </code>
+
+@@ -1002,19 +1004,19 @@
+ contents are similar:
+
+ <code>
+-@ IN SOA ns.linux.bogus. hostmaster.linux.bogus. (
++@ IN SOA ns.freebsd.bogus. hostmaster.freebsd.bogus. (
+ 199802151 ; Serial, todays date + todays serial
+ 8H ; Refresh
+ 2H ; Retry
+ 1W ; Expire
+ 1D) ; Minimum TTL
+- NS ns.linux.bogus.
++ NS ns.freebsd.bogus.
+
+-1 PTR gw.linux.bogus.
+-2 PTR ns.linux.bogus.
+-3 PTR donald.linux.bogus.
+-4 PTR mail.linux.bogus.
+-5 PTR ftp.linux.bogus.
++1 PTR gw.freebsd.bogus.
++2 PTR ns.freebsd.bogus.
++3 PTR donald.freebsd.bogus.
++4 PTR mail.freebsd.bogus.
++5 PTR ftp.freebsd.bogus.
+ </code>
+
+ <p>Now you restart your named (<tt/ndc restart/) and examine your
+@@ -1025,7 +1027,7 @@
+ Server: localhost
+ Address: 127.0.0.1
+
+-Name: mail.linux.bogus
++Name: mail.freebsd.bogus
+ Address: 192.168.196.4
+ </code>
+
+@@ -1035,20 +1037,20 @@
+ > ls -d 196.168.192.in-addr.arpa
+ [localhost]
+ $ORIGIN 196.168.192.in-addr.arpa.
+-@ 1D IN SOA ns.linux.bogus. hostmaster.linux.bogus. (
++@ 1D IN SOA ns.freebsd.bogus. hostmaster.freebsd.bogus. (
+ 199802151 ; serial
+ 8H ; refresh
+ 2H ; retry
+ 1W ; expiry
+ 1D ) ; minimum
+
+- 1D IN NS ns.linux.bogus.
+-1 1D IN PTR gw.linux.bogus.
+-2 1D IN PTR ns.linux.bogus.
+-3 1D IN PTR donald.linux.bogus.
+-4 1D IN PTR mail.linux.bogus.
+-5 1D IN PTR ftp.linux.bogus.
+-@ 1D IN SOA ns.linux.bogus. hostmaster.linux.bogus. (
++ 1D IN NS ns.freebsd.bogus.
++1 1D IN PTR gw.freebsd.bogus.
++2 1D IN PTR ns.freebsd.bogus.
++3 1D IN PTR donald.freebsd.bogus.
++4 1D IN PTR mail.freebsd.bogus.
++5 1D IN PTR ftp.freebsd.bogus.
++@ 1D IN SOA ns.freebsd.bogus. hostmaster.freebsd.bogus. (
+ 199802151 ; serial
+ 8H ; refresh
+ 2H ; retry
+@@ -1086,19 +1088,19 @@
+ here differs a bit from what you find if you query LAND-5's name
+ servers now.
+
+-<sect1>/etc/named.conf (or /var/named/named.conf)
++<sect1>/etc/namedb/named.conf
+
+ <p>Here we find master zone sections for the two reverse zones needed:
+ the 127.0.0 net, as well as LAND-5's 206.6.177 subnet. And a primary
+ line for land-5's forward zone land-5.com. Also note that instead of
+-stuffing the files in a directory called <tt/pz/, as I do in this
++stuffing the files in the <tt>namedb</tt>, as I do in this
+ HOWTO, he puts them in a directory called <tt/zone/.
+
+ <code>
+ // Boot file for LAND-5 name server
+
+ options {
+- directory "/var/named";
++ directory "/etc/namedb";
+ };
+
+ zone "." {
+@@ -1126,7 +1128,7 @@
+ put <tt/notify no;/ in the zone sections for the two land-5 zones so
+ as to avoid accidents.
+
+-<sect1>/var/named/root.hints
++<sect1>/etc/namedb/named.root
+
+ <p>Keep in mind that this file is dynamic, and the one listed here is
+ old. You're better off using one produced now, with dig, as explained
+@@ -1178,7 +1180,7 @@
+ ;; MSG SIZE sent: 17 rcvd: 436
+ </code>
+
+-<sect1>/var/named/zone/127.0.0
++<sect1>/etc/namedb/localhost.rev
+
+ <p>Just the basics, the obligatory SOA record, and a record that maps
+ 127.0.0.1 to <tt/localhost/. Both are required. No more should be in
+@@ -1197,7 +1199,7 @@
+ 1 PTR localhost.
+ </code>
+
+-<sect1>/var/named/zone/land-5.com
++<sect1>/etc/namedb/land-5.com
+
+ <p>Here we see the mandatory SOA record, the needed NS records. We
+ can see that he has a secondary name server at ns2.psi.net. This is
+@@ -1286,7 +1288,7 @@
+ <p>We also see that funn.land-5.com is an alias for land-5.com, but
+ using an A record, not a CNAME record.
+
+-<sect1>/var/named/zone/206.6.177
++<sect1>/etc/namedb/206.6.177
+
+ <p>I'll comment on this file after it.
+
+@@ -1394,25 +1396,25 @@
+ echo
+
+ export PATH=/sbin:/usr/sbin:/bin:/usr/bin:
+- cd /var/named
++ cd /etc/namedb
+
+- dig @rs.internic.net . ns >root.hints.new
++ dig @rs.internic.net . ns >named.root.new
+
+ echo "The named.conf file has been updated to contain the following
+ information:"
+ echo
+- cat root.hints.new
++ cat named.root.new
+
+- chown root.root root.hints.new
+- chmod 444 root.hints.new
+- rm -f root.hints.old
+- mv root.hints root.hints.old
+- mv root.hints.new root.hints
++ chown root.root named.root.new
++ chmod 444 named.root.new
++ rm -f named.root.old
++ mv named.root named.root.old
++ mv named.root.new named.root
+ ndc restart
+ echo
+ echo "The nameserver has been restarted to ensure that the update is complete."
+- echo "The previous root.hints file is now called
+-/var/named/root.hints.old."
++ echo "The previous named.root file is now called
++/etc/namedb/named.root.old."
+ ) 2>&1 | /usr/lib/sendmail -t
+ exit 0
+ </code>
+@@ -1433,7 +1435,7 @@
+ style) for a cache-only name server:å
+
+ <code>
+-directory /var/named
++directory /etc/namedb
+ cache . root.hints
+ primary 0.0.127.IN-ADDR.ARPA 127.0.0.zone
+ primary localhost localhost.zone
+@@ -1454,7 +1456,7 @@
+ // generated by named-bootconf.pl
+
+ options {
+- directory "/var/named";
++ directory "/etc/namedb";
+ };
+
+ zone "." {
+@@ -1480,13 +1482,13 @@
+
+ <code>
+ // This is a configuration file for named (from BIND 8.1 or later).
+-// It would normally be installed as /etc/named.conf.
++// It would normally be installed as /etc/namedb/named.conf.
+ // The only change made from the `stock' named.conf (aside from this
+ // comment :) is that the directory line was uncommented, since I
+-// already had the zone files in /var/named.
++// already had the zone files in /etc/namedb.
+
+ options {
+- directory "/var/named";
++ directory "/etc/namedb";
+ check-names master warn; /* default. */
+ datasize 20M;
+ };
+@@ -1556,9 +1558,9 @@
+ like this in the named.conf file of your secondary:
+
+ <code>
+- zone "linux.bogus" {
++ zone "freebsd.bogus" {
+ type slave;
+- file "sz/linux.bogus";
++ file "freebsd.bogus";
+ masters { 127.0.0.1; };
+ };
+ </code>
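Review bot: The rewritten sentence `named <tt/localhost.rev/ in the subdirectory <tt//etc/namedb/:` uses the `<tt/…/` short form around a path that itself contains `/`, so the element ends at the first slash and the path will probably render wrongly or trip sgmlfmt. `<tt>/etc/namedb</tt>`, the form used elsewhere in this patch, avoids that. In the root-hints refresh script the renamed lines keep `chown root.root named.root.new` and the pipe to `/usr/lib/sendmail`; both look like Linux leftovers (gid 0 on FreeBSD is normally `wheel`, and sendmail is probably under `/usr/sbin`), so the script as documented may fail partway while still moving the new hints file into place. The bind-4 example still reads `cache . root.hints` although every other reference in the patch became `named.root`.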
diff --git a/misc/Howto/files/patch-nfs b/misc/Howto/files/patch-nfs
new file mode 100644
index 000000000000..441f0636fda0
--- /dev/null
+++ b/misc/Howto/files/patch-nfs
@@ -0,0 +1,369 @@
+--- NFS-HOWTO.sgml.orig Sat Oct 3 01:30:40 1998
++++ NFS-HOWTO.sgml Sat Oct 3 02:20:23 1998
+@@ -67,7 +67,7 @@
+ networking and the terms used. If you don't recognize the terms you
+ can either go back and check the networking HOWTO, wing it, or get a
+ book about TCP/IP network administration to familiarize yourself with
+-TCP/IP. That's a good idea anyway if you're administrating UNIX/Linux
++TCP/IP. That's a good idea anyway if you're administrating UNIX
+ machines. A very good book on the subject is <em>TCP/IP Network
+ Administration</em> by Craig Hunt, published by O'Reilly &amp;
+ Associates, Inc. And after you've read it and understood it you'll
+@@ -96,7 +96,7 @@
+ skip ahead to the section on <ref id="nfs-client" name="setting up a
+ NFS client">
+
+-<p>If you need to set up a non-Linux box as server you will have to
++<p>If you need to set up a non-FreeBSD box as server you will have to
+ read the system manual(s) to discover how to enable NFS serving and
+ export of file systems through NFS. There is a separate section in
+ this HOWTO on how to do it on many different systems. After you have
+@@ -109,8 +109,8 @@
+
+ <sect1>The portmapper<label id="portmapper">
+
+-<p>The portmapper on Linux is called either <tt/portmap/ or
+-<tt/rpc.portmap/. The man page on my system says it is a "DARPA port
++<p>The portmapper on FreeBSD is called <tt/portmap/.
++The man page on my system says it is a "DARPA port
+ to RPC program number mapper". It is the first security holes you'll
+ open reading this HOWTO. Description of how to close one of the holes
+ is in the <ref id="nfs-security" name="security section">. Which I,
+@@ -157,24 +157,23 @@
+ use./ There is a separate section in this HOWTO about other Unixes
+ <tt/exports/ files.
+
+-<p>Now we're set to start mountd (or maybe it's called <tt/rpc.mountd/
+-and then nfsd (which could be called <tt/rpc.nfsd/). They will both
++<p>Now we're set to start mountd
++and then nfsd. They will both
+ read the exports file.
+
+ <p>If you edit <tt>/etc/exports</tt> you will have to make sure nfsd
+ and mountd knows that the files have changed. The traditonal way is
+-to run <tt/exportfs/. Many Linux distributions lack a exportfs
+-program. If you're exportfs-less you can install this script on your
++to run <tt/exportfs/. FreeBSD lacks a exportfs
++program. Yyou can install this script on your
+ machine:
+
+ <code>
+ #!/bin/sh
+-killall -HUP /usr/sbin/rpc.mountd
+-killall -HUP /usr/sbin/rpc.nfsd
++/bin/kill -HUP `/bin/cat /var/run/mountd.pid`
+ echo re-exported file systems
+ </code>
+
+-<p>Save it in, say, <tt>/usr/sbin/exportfs</tt>, and don't forget to
++<p>Save it in, say, <tt>/usr/local/sbin/exportfs</tt>, and don't forget to
+ <tt/chmod a+rx/ it. Now, whenever you change your exports file, you
+ run exportfs after, as root.
+
+@@ -221,12 +220,8 @@
+ <sect>Setting up a NFS client<label id="nfs-client">
+
+ <p>First you will need a kernel with the NFS file system either
+-compiled in or available as a module. This is configured before you
+-compile the kernel. If you have never compiled a kernel before you
+-might need to check the kernel HOWTO and figure it out. If you're
+-using a very cool distribution (like Red Hat) and you've never fiddled
+-with the kernel or modules on it (and thus ruined it ;-), nfs is
+-likely automagicaly available to you.
++compiled in or available as a module. This is configured in the GENERIC
++FreeBSD kernel for you.
+
+ <p>You can now, at a root prompt, enter a appropriate mount command and
+ the file system will appear. Continuing the example in the previous
+@@ -259,7 +254,7 @@
+ as this is required:
+
+ <code>
+-# device mountpoint fs-type options dump fsckorder
++# Device Mountpoint FStype Options Dump Pass#
+ ...
+ eris:/mn/eris/local /mnt nfs rsize=1024,wsize=1024 0 0
+ ...
+@@ -294,7 +289,7 @@
+ <p>Picking up the previous example, this is now your fstab entry:
+
+ <code>
+-# device mountpoint fs-type options dump fsckorder
++# Device Mountpoint FStype Options Dump Pass#
+ ...
+ eris:/mn/eris/local /mnt nfs rsize=1024,wsize=1024,hard,intr 0 0
+ ...
+@@ -304,8 +299,8 @@
+ <sect1>Optimizing NFS<label id="optimizing">
+
+ <p>Normally, if no rsize and wsize options are specified NFS will read
+-and write in chunks of 4096 or 8192 bytes. Some combinations of Linux
+-kernels and network cards cannot handle that large blocks, and it
++and write in chunks of 4096 or 8192 bytes. Some
++network cards cannot handle that large blocks, and it
+ might not be optimal, anyway. So we'll want to experiment and find a
+ rsize and wsize that works and is as fast as possible. You can test
+ the speed of your options with some simple commands. Given the mount
+@@ -341,7 +336,7 @@
+ have different optimal sizes. SunOS and Solaris is reputedly a lot
+ faster with 4096 byte blocks than with anything else.
+
+-<p>Newer Linux kernels (since 1.3 sometime) perform read-ahead for
++<p>Newer FreeBSD kernels (since 3.0) perform read-ahead for
+ rsizes larger or equal to the machine page size. On Intel CPUs the
+ page size is 4096 bytes. Read ahead will <em/significantly/ increase
+ the NFS read performance. So on a Intel machine you will want 4096
+@@ -355,13 +350,13 @@
+ requests shall not be considered finished before the data written is
+ on a non-volatile medium (normally the disk). This restricts the
+ write performance somewhat, asynchronous writes will speed NFS writes
+-up. The Linux nfsd has never done synchronous writes since the Linux
++up. The FreeBSD nfsd has never done synchronous writes since the FreeBSD
+ file system implementation does not lend itself to this, but on
+-non-Linux servers you can increase the performance this way with this
++non-FreeBSD servers you can increase the performance this way with this
+ in your exports file:
+
+ <code>
+-/dir -async,access=linuxbox
++/dir -async,access=freebsdbox
+ </code>
+
+ <p>or something similar. Please refer to the exports man page on the
+@@ -587,10 +582,10 @@
+ servers root account. In the NFSd man page there are several other
+ squash options listed so that you can decide to mistrust whomever you
+ (don't) like on the clients. You also have options to squash any UID
+-and GID range you want to. This is described in the Linux NFSd man
++and GID range you want to. This is described in the FreeBSD NFSd man
+ page.
+
+-<p>root_squash is in fact the default with the Linux NFSd, to grant
++<p>root_squash is in fact the default with the FreeBSD NFSd, to grant
+ root access to a filesystem use <tt/no_root_squash/.
+
+ <p>Another important thing is to ensure that nfsd checks that all it's
+@@ -598,7 +593,7 @@
+ any old port on the client a user with no special privileges can run a
+ program that's is easy to obtain over the Internet. It talks nfs
+ protocol and will claim that the user is anyone the user wants to be.
+-Spooky. The Linux nfsd does this check by default, on other OSes you
++Spooky. The FreeBSD nfsd does this check by default, on other OSes you
+ have to enable this check yourself. This should be described in the
+ nfsd man page for the OS.
+
+@@ -609,74 +604,9 @@
+
+ <p>The basic portmapper, in combination with nfsd has a design problem
+ that makes it possible to get to files on NFS servers without any
+-privileges. Fortunately the portmapper Linux uses is relatively
+-secure against this attack, and can be made more secure by configuring
+-up access lists in two files.
++privileges. Fortunately the portmapper FreeBSD uses is relatively
++secure against this attack.
+
+-<p>First we edit <tt>/etc/hosts.deny</tt>. It should contain the line
+-
+-<code>
+-portmap: ALL
+-</code>
+-
+-which will deny access to <em/everyone/. That's a bit drastic
+-perhaps, so we open it again by editing <tt>/etc/hosts.allow</tt>.
+-But first we need to figure out what to put in it. It should
+-basically list all machines that should have access to your
+-portmapper. On a run of the mill Linux system there are very few
+-machines that need any access for any reason. The portmapper
+-administrates nfsd, mountd, ypbind/ypserv, pcnfsd, and 'r' services
+-like ruptime and rusers. Of these only nfsd, mountd, ypbind/ypserv
+-and perhaps pcnfsd are of any consequence. All machines that needs to
+-access services on your machine should be allowed to do that. Let's
+-say that your machines address is 129.240.223.254 and that it lives on
+-the subnet 129.240.223.0 should have access to it (those are terms
+-introduced by the networking HOWTO, go back and refresh your memory if
+-you need to). Then we write
+-
+-<code>
+-portmap: 129.240.223.0/255.255.255.0
+-</code>
+-
+-in <tt/hosts.allow/. This is the same as the network address you give
+-to route and the subnet mask you give to ifconfig. For the device
+-<tt/eth0/ on this machine <tt/ifconfig/ should show
+-
+-<code>
+-...
+-eth0 Link encap:10Mbps Ethernet HWaddr 00:60:8C:96:D5:56
+- inet addr:129.240.223.254 Bcast:129.240.223.255 Mask:255.255.255.0
+- UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
+- RX packets:360315 errors:0 dropped:0 overruns:0
+- TX packets:179274 errors:0 dropped:0 overruns:0
+- Interrupt:10 Base address:0x320
+-...
+-</code>
+-
+-and <tt/netstat -rn/ should show
+-
+-<code>
+-Kernel routing table
+-Destination Gateway Genmask Flags Metric Ref Use Iface
+-...
+-129.240.223.0 0.0.0.0 255.255.255.0 U 0 0 174412 eth0
+-...
+-</code>
+-
+-(Network address in first column).
+-
+-The <tt/hosts.deny/ and <tt/hosts.allow/ files are described in the
+-manual pages of the same names.
+-
+-<p><bf/IMPORTANT:/ Do <em/not/ put <em/anything/ but <em/IP NUMBERS/ in
+-the portmap lines of these files. Host name lookups can indirectly
+-cause portmap activity which will trigger host name lookups which can
+-indirectly cause portmap activity which will trigger...
+-
+-<p>The above things should make your server tighter. The only
+-remaining problem (Yeah, right!) is someone breaking root (or boot
+-MS-DOS) on a trusted machine and using that privilege to send requests
+-from a secure port as any user they want to be.
+
+ <sect1>NFS and firewalls<label id="security-firewalls">
+
+@@ -692,13 +622,13 @@
+
+ <sect1>Summary<label id="security-summary">
+
+-<p>If you use the hosts.allow/deny, root_squash, nosuid and privileged
++<p>If you use the nosuid and privileged
+ port features in the portmapper/nfs software you avoid many of the
+ presently known bugs in nfs and can almost feel secure about <em/that/
+ at least. But still, after all that: When an intruder has access to
+ your network, s/he can make strange commands appear in your
+ <tt/.forward/ or mailbox file when <tt>/home</tt> or
+-<tt>/var/spool/mail</tt> are mounted over NFS. For the same reason,
++<tt>/var/mail</tt> are mounted over NFS. For the same reason,
+ you should never access your PGP private key over nfs. Or at least
+ you should know the risk involved. And now you know a bit of it.
+
+@@ -706,10 +636,10 @@
+ it's not totally unlikely that new bugs will be discovered, either in
+ the basic design or the implementation we use. There might even be
+ holes known now, which someone is abusing. But that's life. To keep
+-abreast of things like this you should at least read the newsgroups
+-<htmlurl url="news:comp.os.linux.announce"
+-name="comp.os.linux.announce"> and <htmlurl
+-url="news:comp.security.announce" name="comp.security.announce"> at a
++abreast of things like this you should at least read the mailing lists
++<htmlurl url="mailto:freebsd-security@FreeBSD.org"
++name="freebsd-security@FreeBSD.org">
++at a
+ absolute minimum.
+
+ <sect>Mount Checklist
+@@ -761,10 +691,7 @@
+
+ <p><bf/Fix:/ Get the date set right.
+
+-<p>The HOWTO author recommends using NTP to synchronize clocks. Since
+-there are export restrictions on NTP in the US you have to get NTP for
+-debian, redhat or slackware from
+-ftp://ftp.hacktic.nl/pub/replay/pub/linux or a mirror.
++<p>The HOWTO author recommends using NTP to synchronize clocks.
+
+ <item>The server can not accept a mount from a user that is in more
+ than 8 groups.
+@@ -774,93 +701,10 @@
+
+ </enum>
+
+-<sect>FAQs
+-
+-<p>This is the FAQ section. Most of it was written by Alan Cox.
+-
+-<enum>
+-
+- <item>I get a lot of 'stale nfs handle' errors when using Linux as
+- a nfs server.
+-
+- <p>This is caused by a bug in some oldish nfsd versions. It is
+- fixed in nfs-server2.2beta16 and later.
+-
+- <item>When I try to mount a file system I get
+-
+- <tscreen><verb>
+- can't register with portmap: system error on send
+- </verb></tscreen>
+-
+- <p>You are probably using a Caldera system. There is a bug in the
+- rc scripts. Please contact Caldera to obtain a fix.
+-
+- <item>Why can't I execute a file after copying it to the NFS server?
+-
+- <p>The reason is that nfsd caches open file handles for performance
+- reasons (remember, it runs in user space). While nfsd has a file
+- open (as is the case after writing to it), the kernel won't allow
+- you to execute it. Nfsds newer than ~spring 95 release open files
+- after a few seconds, older ones would cling to them for days.
+-
+- <item>My NFS files are all read only
+-
+- <p>The Linux NFS server defaults to read only. RTFM the ``exports''
+- and nfsd manual pages. You will need to alter <tt>/etc/exports</tt>.
+-
+- <item>I mount from a linux nfs server and while ls works I can't
+- read or write files.
+-
+- <p>On older versions of Linux you must mount a NFS servers with
+- <tt/rsize=1024,wsize=1024/.
+-
+- <item>I mount from a Linux NFS server with a block size of between
+- 3500-4000 and it crashes the Linux box regularly
+-
+- <p>Basically don't do it then.
+-
+- <item>Can Linux do NFS over TCP
+-
+- <p>No, not at present.
+-
+- <item>I get loads of strange errors trying to mount a machine from a
+- Linux box.
+-
+- <p>Make sure your users are in 8 groups or less. Older servers
+- require this.
+-
+- <item>When I reboot my machine it sometimes hangs when trying to
+- unmount a hung NFS server.
+-
+- <p>Do <bf/not/ unmount NFS servers when rebooting or halting, just
+- ignore them, it will not hurt anything if you don't unmount them.
+- The command is <tt/umount -avt nonfs/.
+-
+- <item>Linux NFS clients are very slow when writing to Sun and BSD
+- systems
+-
+- <p>NFS writes are normally synchronous (you can disable this if you
+- don't mind risking losing data). Worse still BSD derived kernels
+- tend to be unable to work in small blocks. Thus when you write 4K of
+- data from a Linux box in the 1K packets it uses BSD does this
+-
+- <tscreen><verb>
+- read 4K page
+- alter 1K
+- write 4K back to physical disk
+- read 4K page
+- alter 1K
+- write 4K page back to physical disk
+- etc..
+- </verb></tscreen>
+-
+-</enum>
+-
+-
+ <sect>Exporting filesystems
+
+ <p>The way to export filesytems with NFS is not completely consistent
+-across platforms of course. In this case Linux and Solaris 2 are the
++across platforms of course. In this case FreeBSD and Solaris 2 are the
+ deviants. This section lists, superficially the way to do it on most
+ systems. If the kind of system you have is not covered you must check
+ your OS man-pages. Keywords are: nfsd, system administration tool, rc
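Review bot: The security section now attributes Linux export options to FreeBSD: the line `root_squash is in fact the default with the FreeBSD NFSd, to grant root access to a filesystem use <tt/no_root_squash/` is a word swap, but FreeBSD's exports(5) has no root_squash/no_root_squash and controls root mapping with `-maproot`. I would reword it along the lines of `<p>On FreeBSD, root on a client is not treated as root on the server unless the export line says so with <tt/-maproot/; see exports(5).` The neighbouring claims that the FreeBSD nfsd checks for privileged source ports by default and "has never done synchronous writes" also look carried over from the Linux text, and should be checked against the FreeBSD nfsd and mountd man pages before being stated as fact. The hunk also deletes the hosts.allow/hosts.deny portmapper restriction without a FreeBSD replacement, leaving only "relatively secure against this attack", and the summary drops root mapping from its list of protections; if that is intentional, a sentence on how to limit which hosts can reach portmap would help. Minor: `Yyou can install this script` has a typo.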
diff --git a/misc/Howto/files/patch-nis b/misc/Howto/files/patch-nis
new file mode 100644
index 000000000000..e2a4ece83a0c
--- /dev/null
+++ b/misc/Howto/files/patch-nis
@@ -0,0 +1,936 @@
+--- NIS-HOWTO.sgml.orig Sat Oct 3 10:52:24 1998
++++ NIS-HOWTO.sgml Sat Oct 3 12:56:20 1998
+@@ -1,21 +1,20 @@
+ <!doctype linuxdoc system>
+
+-<!-- This is the Linux NIS-HOWTO. It describes how to install and configure
+- Linux as NIS client and server and as NIS+ client.
++<!-- This is the FreeBSD NIS-HOWTO. It describes how to install and configure
++ FreeBSD as NIS client and server.
+ -->
+
+ <article>
+
+-<title>The Linux NIS(YP)/NYS/NIS+ HOWTO
+-<author>Thorsten Kukuk
++<title>The FreeBSD NIS(YP) HOWTO
++<author>Linux version by Thorsten Kukuk
+ <date>v0.12, 12 June 1998
+
+ <abstract>
+ <nidx>HOWTOs!NIS</nidx>
+ <nidx>HOWTOs!YP</nidx>
+-<nidx>HOWTOs!NYS</nidx>
+ <nidx>HOWTOs!NIS+</nidx>
+-This document describes how to configure Linux as NIS(YP) or NIS+ client
++This document describes how to configure FreeBSD as a NIS(YP) client
+ and how to install as NIS server.
+ </abstract>
+
+@@ -25,18 +24,17 @@
+ <sect>Introduction
+
+ <p>
+-More and more, Linux machines are installed as part of a network of
++More and more, FreeBSD machines are installed as part of a network of
+ computers. To simplify network administration, most networks (mostly
+-Sun-based networks) run the Network Information Service. Linux machines
++Sun-based networks) run the Network Information Service. FreeBSD machines
+ can take full advantage of existing NIS service or provide NIS service
+-themselves. Linux machines can also act as full NIS+ clients, this
+-support is in beta stage.
++themselves.
+
+-This document tries to answer questions about setting up NIS(YP) and NIS+
+-on your Linux machine. Don't forget to read the section about
++This document tries to answer questions about setting up NIS(YP)
++on your FreeBSD machine. Don't forget to read the section about
+ <ref id="portmapper" name="the RPC Portmapper">
+
+-The NIS-Howto is edited and maintained by:
++The Linux version of the NIS-Howto is edited and maintained by:
+
+ <quote>
+ Thorsten Kukuk, <tt/kukuk@vt.uni-paderborn.de/
+@@ -60,10 +58,7 @@
+ the URL <url url="http://sunsite.unc.edu/mdw/HOWTO/NIS-HOWTO.html"
+ name="http://sunsite.unc.edu/mdw/HOWTO/NIS-HOWTO.html">.
+
+-New versions of this document will also be uploaded to various
+-Linux WWW and FTP sites, including the LDP home page.
+-
+-Links to translations of this document could be found at
++Links to translations of the Linux document can be found at
+ <url url="http://www-vt.uni-paderborn.de/~kukuk/linux/nis-howto.html"
+ name="http://www-vt.uni-paderborn.de/~kukuk/linux/nis-howto.html">.
+ <sect1>Disclaimer
+@@ -86,9 +81,9 @@
+ document, please let me know so I can correct it in the next
+ version. Thanks.
+
+-Please do <em/not/ mail me questions about special problems with your Linux
+-Distribution! I don't know every Linux Distribution. But I will try to add
+-every solution you send me.
++Please do <em/not/ mail Thorsten questions about special problems with FreeBSD.
++The FreeBSD changes to the Linux document were done by the FreeBSD
++Documentation Project. Please send comments to docs@freebsd.org
+
+ <sect1>Acknowledgements
+
+@@ -102,25 +97,21 @@
+ </verb></tscreen>
+
+ Theo de Raadt &lt;deraadt@theos.com> is responsible for the original
+-yp-clients code. Swen Thuemmler &lt;swen@uni-paderborn.de> ported the
+-yp-clients code to Linux and also ported the yp-routines in libc
+-(again based on Theo's work). Thorsten Kukuk has written the NIS(YP)
+-and NIS+ routines for GNU libc 2.x from scratch.
++yp-clients code.
+
+ <sect>Glossary and General Information
+
+ <sect1>Glossary of Terms
+ <nidx>NIS!glossary</nidx>
+ <nidx>YP!glossary</nidx>
+-<nidx>NYS!glossary</nidx>
+ <nidx>NIS+!glossary</nidx>
+-<nidx>glossary!NIS/NYS/YP/NIS+</nidx>
++<nidx>glossary!NIS/YP/NIS+</nidx>
+ <p>
+ In this document a lot of acronyms are used. Here are the most
+ important acronyms and a brief explanation:
+
+ <descrip>
+-<tag/DBM/DataBase Management, a library of functions which
++<tag/DB/Database Management, a library of functions which
+ maintain key-content pairs in a data base.
+
+ <tag/DLL/Dynamically Linked Library, a library linked to an
+@@ -136,8 +127,7 @@
+ files between two computers.
+
+ <tag/libnsl/Name services library, a library of name service calls
+- (getpwnam, getservbyname, etc...) on SVR4 Unixes. GNU libc
+- uses this for the NIS (YP) and NIS+ functions.
++ (getpwnam, getservbyname, etc...) on SVR4 Unixes.
+
+ <tag/libsocket/Socket services library, a library for the socket
+ service calls (socket, bind, listen, etc...) on SVR4 Unixes.
+@@ -153,12 +143,7 @@
+ replacement for NIS with better security and better handling
+ of _large_ installations.
+
+-<tag/NYS/This is the name of a project and stands for NIS+, YP and Switch
+- and is managed by Peter Eriksson &lt;peter@ifm.liu.se>. It contains
+- among other things a complete reimplementation of the NIS (= YP) code
+- that uses the Name Services Switch functionality of the NYS library.
+-
+-<tag/NSS/Name Service Switch. The /etc/nsswitch.conf file determines the order
++<tag/NSS/Name Service Switch. On Solaris, the /etc/nsswitch.conf file determines the order
+ of lookups performed when a certain piece of information is requested.
+
+ <tag/RPC/Remote Procedure Call. RPC routines allow C programs to
+@@ -177,7 +162,6 @@
+ <sect1>Some General Information
+ <nidx>NIS!general information</nidx>
+ <nidx>YP!general information</nidx>
+-<nidx>NYS!general information</nidx>
+ <nidx>NIS+!general information</nidx>
+
+ <p>
+@@ -197,7 +181,7 @@
+ distributed by NIS is:
+
+ <itemize>
+-<item>login names/passwords/home directories (/etc/passwd)
++<item>login names/passwords/home directories (/etc/master.passwd)
+ <item>group information (/etc/group)
+ </itemize>
+
+@@ -217,37 +201,8 @@
+ use NIS+ or have severe security needs. NIS+ is _much_ more problematic
+ to administer (it's pretty easy to handle on the client side, but the
+ server side is horrible). Another problem is that the support for NIS+
+-under Linux is still under developement - you need the latest glibc
+-snapshot for it or have to wait for glibc 2.1. There is a port of the
+-glibc NIS+ support for libc5 as drop in replacement.
+-
+-<sect1>libc 4/5 with traditional NIS or NYS ?
+-<nidx>libc4/5, use with NIS/NYS</nidx>
+-<nidx>NIS/NYS, use with libc4/5</nidx>
+-
+-<p>
+-The choice between "traditional NIS" or the NIS code in the NYS library
+-is a choice between laziness and maturity vs. flexibility and love of
+-adventure.
+-
+-The "traditional NIS" code is in the standard C library and has been
+-around longer and sometimes suffers from it's age and slight
+-inflexibility.
+-
+-The NIS code in the NYS library requires you to recompile the libc
+-library to include the NYS code into the libc library (or maybe you can
+-go get a precompiled version of libc from someone who has already done it).
+-
+-Another difference is that the traditional NIS code has some support
+-for NIS Netgroups, which the NYS code doesn't. On the other hand
+-the NYS code allows you to handle Shadow Passwords in a transparent
+-way. The "traditonal NIS" code doesn't support Shadow Passwords over NIS.
+-
+-Forgot this all if you use the new GNU C Library 2.x (aka libc6). It
+-has real NSS (name switch service) support, which makes it very flexible,
+-and contains support for the following NIS/NIS+ maps: aliases, ethers, group,
+-hosts, netgroups, networks, protocols, publickey, passwd, rpc, services
+-and shadow. The GNU C Library has no problems with shadow passwords over NIS.
++under FreeBSD is still under developement, and is not ready for Alpha testing
++yet.
+
+ <sect>How it works
+
+@@ -316,10 +271,9 @@
+
+ <p>
+ To run any of the software mentioned below you will need to run the
+-program /usr/sbin/portmap. Some Linux distributions already have
+-the code in the /etc/rc.d/ files to start up this daemon.
+-All you have to do is to activate it and reboot your Linux machine.
+-Read your Linux Distribution Documentation how to do this.
++program /usr/sbin/portmap. In FreeBSD you specify your desire to run the
++Portmapper in /etc/rc.conf.
++All you have to do is to activate it and reboot your FreeBSD machine.
+
+ The RPC portmapper (portmap(8)) is a server that converts RPC program
+ numbers into TCP/IP (or UDP/IP) protocol port numbers. It must be
+@@ -365,54 +319,23 @@
+ ypcat, yppoll, ypmatch). The most important program is ypbind. This
+ program must be running at all times, that is, it should always appear
+ in the list of processes. It's a so-called daemon process and needs to
+-be started from the system's startup file (eg. /etc/rc.local, /etc/init.d/nis,
+-/etc/rc.d/init.d/ypbind).
++be started from the system's startup file (eg. /etc/rc.network).
++You specify your desire to run ypbind in /etc/rc.conf.
+ As soon as ypbind is running, your system has become a NIS client.
+
+ In the second case, if you don't have NIS servers, then you will also
+ need a NIS server program (usually called ypserv). Section 8 describes
+-how to set up a NIS server on your Linux machine using the "ypserv"
+-implementation by Peter Eriksson and Thorsten Kukuk.
+-Note that from version 0.14 this implementation supports the
+-master-slave concept talked about in section 4.1.
+-
+-There is also another free NIS server available, called "yps", written
+-by Tobias Reber in Germany which does support the master-slave concept,
+-but has other limitations and isn't supported any longer.
++how to set up a NIS server on your FreeBSD machine using "ypserv".
+
+
+ <sect1>The Software
+ <nidx>NIS!library requirements</nidx>
+
+ <p>
+-The system library "/usr/lib/libc.a" (version 4.4.2 and better) or the
+-shared library "/lib/libc.so.x" contain all necessary system calls to
+-succesfully compile the NIS client and server software. For glibc 2.x,
+-you also need /lib/libnsl.so.1.
+-
+-Some people reported that NIS only works with "/usr/lib/libc.a" version
+-4.5.21 and better so if you want to play it safe don't use older
+-libc's. The NIS client software can be obtained from:
+-
+-<tscreen><verb>
+- Site Directory File Name
+-
+- ftp.kernel.org /pub/linux/utils/net/NIS yp-tools-2.0.tar.gz
+- ftp.kernel.org /pub/linux/utils/net/NIS ypbind-mt-1.2.tar.gz
+- ftp.kernel.org /pub/linux/utils/net/NIS ypbind-3.3.tar.gz
+- sunsite.unc.edu /pub/Linux/system/Network/admin yp-clients-2.2.tar.gz
+- ftp.uni-paderborn.de /linux/local/yp yp-clients-2.2.tar.gz
+- ftp.uni-paderborn.de /linux/local/yp ypbind-3.3.tar.gz
+-</verb></tscreen>
++The system libraries "/usr/lib/libc.so.x" and "/usr/lib/libc.a"
++contain all necessary system calls to
++succesfully compile the NIS client and server software.
+
+-Once you obtained the software, please follow the instructions which
+-come with the software. yp-clients 2.2 are for use with libc4 and libc5
+-until 5.4.20. libc 5.4.21 and glibc 2.x needs yp-tools 1.4.1. The new
+-yp-tools 2.0 will work with every Linux libc. Since there was some bugs
+-in the NIS code, you shouldn't use libc 5.4.21-5.4.35. Use libc 5.4.36 or
+-later instead, or the most YP programs will not work. ypbind 3.3 will
+-work with all libraries, too. You should never use the ypbind from
+-yp-clients 2.2.
+
+ <sect1>The ypbind daemon
+ <nidx>NIS!ypbind daemon</nidx>
+@@ -420,29 +343,15 @@
+ <nidx>daemon!ypbind</nidx>
+
+ <p>
+-Assuming you have succesfully compiled the software you are now ready
+-to install the software. A suitable place for the ypbind daemon is
+-the directory /usr/sbin. Some people may tell you, that you don't need
+-ypbind on a system with NYS. This is wrong, ypwhich and ypcat need it.
+-
+-You'll need to do this as root of course. The other binaries (ypwhich,
+-ypcat, yppoll, ypmatch) should go in a directory accessible by all
+-users, normally /usr/bin.
+-
+-The ypbind process has a configuration file called /etc/yp.conf. You can
+-hardcode a NIS server there - for more info see the manual page for ypbind(8).
+-You also need this file for NYS.
+-An example:
+-<tscreen><verb>
+- ypserver voyager
+- ypserver ds9
+-</verb></tscreen>
++The ypbind process can be forced to bind to a specific NIS server by specifing
++the server in /etc/rc.conf.
++For more info see the manual page for ypbind(8).
+
+ If the system could resolv the hostnames without NIS, you could use
+ the name, else you have to use the IP address.
+
+-It might be a good idea to test ypbind before incorporating it in the
+-/etc/rc.d/ files. To test ypbind do the following:
++It might be a good idea to test ypbind before incorporating it in the
++/etc/rc.conf files. To test ypbind do the following:
+
+ <itemize>
+ <item>Make sure you have your domain name set. If it is not set then
+@@ -500,15 +409,10 @@
+
+ This directory MUST exist for ypbind to start up succesfully.
+
+-To check if the domainname is set correct, use the /bin/ypdomainname from
+-yp-tools 2.0. It uses the yp_get_default_domain function, which is more
+-restrict. It doesn't allow for example the "(none)" domainname, which
+-is the default under Linux and makes a lot of problems.
+-
+-If the test worked you may now want to change the files in /etc/rc.d/
++If the test worked you may now want to change the /etc/rc.conf file
+ on your system so that ypbind will be started up at boot time and your
+ system will act as a NIS client. Make sure, that the domainname will
+-be set at boot time.
++be set at boot time (also set in /etc/rc.conf).
+
+ Well, that's it. Reboot the machine and watch the boot messages to see
+ if ypbind is actually started.
+@@ -519,20 +423,20 @@
+
+ <p>
+ For host lookups you must set (or add) "nis" to the lookup order line
+-in your /etc/host.conf file. Please read the manpage "resolv+.8" for
++in your /etc/host.conf file. Please see the comments in /etc/host.conf
+ more details.
+
+-Add the following line to /etc/passwd on your NIS clients:
++Add the following line to /etc/master.passwd using vipw on your NIS clients:
+
+ <tscreen><verb>
+-+::::::
+++:::::::::
+ </verb></tscreen>
+
+ You can also use the + and - characters to include/exclude or change
+ users. If you want to exclude the user guest just add -guest to your
+-/etc/passwd file. You want to use a different shell (e.g. ksh) for
+-the user "linux"? No problem, just add "+linux::::::/bin/ksh"
+-(without the quotes) to your /etc/passwd. Fields that you don't want
++/etc/master.passwd file. You want to use a different shell (e.g. sh) for
++the user "ken"? No problem, just add "+ken:::::::::/usr/local/bin/bash"
++(without the quotes) to your /etc/master.passwd using vipw. Fields that you don't want
+ to change have to be left empty. You could also use Netgroups for
+ user control.
+
+@@ -541,343 +445,22 @@
+ of all other users available:
+
+ <tscreen><verb>
+- +miquels:::::::
+- +ed:::::::
+- +dth:::::::
+- +@sysadmins:::::::
+- -ftp
+- +:*::::::/etc/NoShell
++ +dennis:::::::::
++ +@sysadmins:::::::::
++ -ftp:::::::::
++ +@rejected-users::32767:32767::::::/bin/false
+ </verb></tscreen>
+
+-Note that in Linux you can also override the password field, as we did
++Note that in FreeBSD you can also override the password field, as we did
+ in this example. In this example, we also remove the login "ftp", so
+ it isn't known any longer, and anonymous ftp will not work.
++See the ``man 5 passwd'' for further explantion and more examples.
+
+ The netgroup would be look like
+ <tscreen><verb>
+ sysadmins (-,software,) (-,kukuk,)
+ </verb></tscreen>
+
+-IMPORTANT: Note that the netgroup feature is implemented starting
+-from libc 4.5.26. But if you have a version of libc earlier than 4.5.26,
+-every user in the NIS password database can access your linux machine if
+-you run "ypbind".
+-
+-
+-<sect1>Setting up a NIS Client using NYS
+-<nidx>NYS!client setup</nidx>
+-
+-<p>
+-All that is required is that the NIS configuration file
+-(/etc/yp.conf) points to the correct server(s) for its information.
+-Also, the Name Services Switch configuration file (/etc/nsswitch.conf)
+-must be correctly set up.
+-
+-You should install ypbind. It isn't needed by the libc, but the NIS(YP)
+-tools need it.
+-
+-If you wish to use the include/exclude user feature (+/-guest/+@admins),
+-you have to use "passwd: compat" and "group: compat". Note, that there
+-is no "shadow: compat" ! You have to use "shadow: files nis" in this
+-case.
+-
+-The NYS sources are part of the libc 5 sources. When run configure,
+-say the first time "NO" to the "Values correct" question,
+-then say "YES" to "Build a NYS libc from nys".
+-
+-<sect1>Setting up a NIS Client using glibc 2.x
+-<nidx>NIS!client setup!using glibc 2.x</nidx>
+-
+-<p>
+-The glibc uses "traditional NIS", so you need to start ypbind. The
+-Name Services Switch configuration file (/etc/nsswitch.conf) must be
+-correctly set up. If you use the compat mode for passwd, shadow or group,
+-you have to add the "+" at the end of this files, and you could use
+-the include/exclude user feature. The configuration is excatly the same
+-as under Solaris 2.x.
+-
+-<sect1>The nsswitch.conf File
+-<nidx>nsswitch.conf file</nidx>
+-<nidx>NIS!nsswitch.conf file</nidx>
+-
+-<p>
+-The Network Services switch file /etc/nsswitch.conf determines the
+-order of lookups performed when a certain piece of information is
+-requested, just like the /etc/host.conf file which determines the way
+-host lookups are performed. For example, the line
+-
+-<tscreen><verb>
+- hosts: files nis dns
+-</verb></tscreen>
+-
+-specifies that host lookup functions should first look in the local
+-/etc/hosts file, followed by a NIS lookup and finally thru the domain
+-name service (/etc/resolv.conf and named), at which point if no match
+-is found an error is returned. This file must be readable for every
+-user !
+-
+-A good /etc/nsswitch.conf file for NIS is:
+-<tscreen><verb>
+-#
+-# /etc/nsswitch.conf
+-#
+-# An example Name Service Switch config file. This file should be
+-# sorted with the most-used services at the beginning.
+-#
+-# The entry '[NOTFOUND=return]' means that the search for an
+-# entry should stop if the search in the previous entry turned
+-# up nothing. Note that if the search failed due to some other reason
+-# (like no NIS server responding) then the search continues with the
+-# next entry.
+-#
+-# Legal entries are:
+-#
+-# nisplus Use NIS+ (NIS version 3)
+-# nis Use NIS (NIS version 2), also called YP
+-# dns Use DNS (Domain Name Service)
+-# files Use the local files
+-# db Use the /var/db databases
+-# [NOTFOUND=return] Stop searching if not found so far
+-#
+-
+-passwd: compat
+-group: compat
+-shadow: compat
+-
+-passwd_compat: nis
+-group_compat: nis
+-shadow_compat: nis
+-
+-hosts: nis files dns
+-
+-services: nis [NOTFOUND=return] files
+-networks: nis [NOTFOUND=return] files
+-protocols: nis [NOTFOUND=return] files
+-rpc: nis [NOTFOUND=return] files
+-ethers: nis [NOTFOUND=return] files
+-netmasks: nis [NOTFOUND=return] files
+-netgroup: nis
+-bootparams: nis [NOTFOUND=return] files
+-publickey: nis [NOTFOUND=return] files
+-automount: files
+-aliases: nis [NOTFOUND=return] files
+-</verb></tscreen>
+-
+-passwd_compat, group_compat and shadow_compat are only supported by glibc 2.x.
+-If there are no shadow rules in /etc/nsswitch.conf, glibc will use the passwd
+-rule for lookups. There are some more lookup module for glibc like hesoid.
+-For more information, read the glibc documentation.
+-
+-<sect> Shadow Passwords with NIS and PAM
+-<nidx>NIS!shadow passwords</nidx>
+-<nidx>PAM!shadow passwords</nidx>
+-<p>
+-Shadow passwords over NIS are always a bad idea. You lost the security,
+-which shadow gives you. A good way to avoid shadow passwords over NIS is,
+-to put only the local system users in /etc/shadow. Remove the NIS user
+-entries from the shadow database, and put the password back in passwd.
+-So you could use shadow for the root login, and normal passwd for NIS
+-user. This has the advantage, that it will work with every NIS client.
+-
+-If this is not an option for you, you need the GNU C Library 2.x. This
+-is the only Linux libc, which supports shadow passwords over NIS. Linux
+-libc5 has no support for it. Linux libc5 compiled with NYS enabled has
+-some code for it. But this code is badly broken in some cases and doesn't
+-work with all correct shadow entries.
+-
+-The next problem is PAM. The GNU C Library support Shadow passwords over
+-NIS, but PAM does not, especially pam_pwdb/libpwdb. This is a big problem
+-for RedHat 5.x users. If you have glibc and PAM, you need to change the
+-/etc/pam.d/* entries. Replace all pam_pwdb rules through pam_auth_unix_*
+-modules. This will work.
+-
+-
+-<sect> What do you need to set up NIS+ ?
+-
+-<sect1>The Software
+-<nidx>NIS+!software required</nidx>
+-
+-<p>
+-The Linux NIS+ client code was developed for the GNU C library 2.
+-There is also a port for Linux libc5, since all commercial Applications
+-are linked against this library, and you couldn't recompile them for
+-using glibc. There are problems with libc5 and NIS+: You couldn't link
+-static programs with it, and programs compiled with this library will
+-not work with other libc5 versions.
+-
+-
+-You need to retrieve and compile the latest GNU C library 2 snapshot.
+-And you need a glibc based system like RedHat 5.x or the upcoming
+-Debian 2.0. But be warned: This is beta Software ! Read the Docs about
+-glibc snapshots and from the Distributions ! glibc 2.0.x doesn't contain
+-the NIS+ support, and will never contain it. The first public version
+-with NIS+ support will be 2.1.
+-
+-The NIS+ client software can be obtained from:
+-<tscreen><verb>
+- Site Directory File Name
+-
+- ftp.kernel.org /pub/software/libs/glibc libc-*, glibc-crypt-*,
+- glibc-linuxthreads-*
+- ftp.kernel.org /pub/linux/utils/net/NIS+ nis-tools-1.4.2.tar.gz
+- ftp.kernel.org /pub/linux/utils/net/NIS+ pam_keylogin-1.2.tar.gz
+-</verb></tscreen>
+-
+-Distributions based on glibc can be fetched from:
+-<tscreen><verb>
+- Site Directory
+-
+- ftp.redhat.com /pub/redhat/redhat-5.1
+- ftp.debian.org /pub/debian/dists/hamm
+-</verb></tscreen>
+-
+-For compilation of the GNU C Library, please follow the instructions
+-which come with the software. Here you could find the patched libc5,
+-based on NYS and the glibc sources as drop in replacement for the
+-standart libc5:
+-
+-<tscreen><verb>
+- Site Directory File Name
+-
+- ftp.kernel.org /pub/linux/utils/net/NIS+ libc-5.4.44-nsl-0.4.10.tar.gz
+-</verb></tscreen>
+-
+-You should also look at
+- <url url="http://www-vt.uni-paderborn.de/~kukuk/linux/nisplus.html"
+- name="http://www-vt.uni-paderborn.de/~kukuk/linux/nisplus.html">
+-for more information and the latest sources.
+-
+-<sect1>Setting up a NIS+ client
+-<nidx>NIS+!client setup</nidx>
+-
+-<p>
+-IMPORTANT: For setting up a NIS+ client, read your Solaris NIS+ docs
+-what to do on the server side ! This document only describes what to do
+-on the client side !
+-
+-After installing the new libc and nis-tools, create the credentials for
+-the new client on the NIS+ server. Make sure, portmap is running. Then
+-check, if your Linux PC has the same time as the NIS+ Server. For secure RPC,
+-you have only a small window from about 3 minutes, in which the credentials
+-are valid. A good idea is to run xntpd on every host. After this, run
+-
+-<tscreen><verb>
+-domainname nisplus.domain.
+-nisinit -c -H <NIS+ server>
+-</verb></tscreen>
+-
+-to initialize the cold Start File. Read the nisinit man page for more
+-options. Make sure, that the domainname will always be set after a reboot.
+-If you don't know what the NIS+ domain name is on your network, ask
+-your system/network administrator.
+-
+-Now you should change your /etc/nsswitch.conf file. Make sure, that the
+-only service after publickey is nisplus ("publickey: nisplus"), and nothing
+-else !
+-
+-After this, start keyserv and make sure, that it will always be started
+-at boot time. Run
+-<tscreen><verb>
+-keylogin -r
+-</verb></tscreen>
+-to store the root secretkey on your system. (I hope you have added the
+-publickey for the new host on the NIS+ Server ?).
+-
+-"niscat passwd.org_dir" should now show you all entries in the passwd database.
+-
+-
+-<sect1>NIS+, keylogin, login and PAM
+-<nidx>NIS+!use of PAM with</nidx>
+-
+-<p>
+-When the user logs in, he need to set his secretkey to keyserv. This is done
+-by calling "keylogin". The login from the shadow package will do this for the
+-user. For a PAM aware login, you have to install pam_keylogin-1.1.tar.gz
+-and change the /etc/pam.d/login file to use pam_unix_auth, not pwdb, which
+-doesn't support NIS+. An example:
+-
+-<tscreen><verb>
+-#%PAM-1.0
+-auth required /lib/security/pam_securetty.so
+-auth required /lib/security/pam_keylogin.so
+-auth required /lib/security/pam_unix_auth.so
+-auth required /lib/security/pam_nologin.so
+-account required /lib/security/pam_unix_acct.so
+-password required /lib/security/pam_unix_passwd.so
+-session required /lib/security/pam_unix_session.so
+-</verb></tscreen>
+-
+-
+-<sect1>The nsswitch.conf File
+-<nidx>nsswitch.conf file</nidx>
+-<nidx>NIS+!nsswitch.conf file</nidx>
+-
+-<p>
+-The Network Services switch file /etc/nsswitch.conf determines the
+-order of lookups performed when a certain piece of information is
+-requested, just like the /etc/host.conf file which determines the way
+-host lookups are performed. For example, the line
+-
+-<tscreen><verb>
+- hosts: files nisplus dns
+-</verb></tscreen>
+-
+-specifies that host lookup functions should first look in the local
+-/etc/hosts file, followed by a NIS+ lookup and finally thru the domain
+-name service (/etc/resolv.conf and named), at which point if no match
+-is found an error is returned.
+-
+-A good /etc/nsswitch.conf file for NIS+ is:
+-<tscreen><verb>
+-#
+-# /etc/nsswitch.conf
+-#
+-# An example Name Service Switch config file. This file should be
+-# sorted with the most-used services at the beginning.
+-#
+-# The entry '[NOTFOUND=return]' means that the search for an
+-# entry should stop if the search in the previous entry turned
+-# up nothing. Note that if the search failed due to some other reason
+-# (like no NIS server responding) then the search continues with the
+-# next entry.
+-#
+-# Legal entries are:
+-#
+-# nisplus Use NIS+ (NIS version 3)
+-# nis Use NIS (NIS version 2), also called YP
+-# dns Use DNS (Domain Name Service)
+-# files Use the local files
+-# db Use the /var/db databases
+-# [NOTFOUND=return] Stop searching if not found so far
+-#
+-
+-passwd: compat
+-# for libc5: passwd: files nisplus
+-group: compat
+-# for libc5: group: files nisplus
+-shadow: compat
+-# for libc5: shadow: files nisplus
+-
+-passwd_compat: nisplus
+-group_compat: nisplus
+-shadow_compat: nisplus
+-
+-hosts: nisplus files dns
+-
+-services: nisplus [NOTFOUND=return] files
+-networks: nisplus [NOTFOUND=return] files
+-protocols: nisplus [NOTFOUND=return] files
+-rpc: nisplus [NOTFOUND=return] files
+-ethers: nisplus [NOTFOUND=return] files
+-netmasks: nisplus [NOTFOUND=return] files
+-netgroup: nisplus
+-bootparams: nisplus [NOTFOUND=return] files
+-publickey: nisplus
+-automount: files
+-aliases: nisplus [NOTFOUND=return] files
+-</verb></tscreen>
+-
+-
+ <sect>Setting up a NIS Server
+ <nidx>NIS!server setup</nidx>
+
+@@ -888,36 +471,14 @@
+ <p>
+ This document only describes how to set up the "ypserv" NIS server.
+
+-The NIS server software can be found on:
+-
+-<tscreen><verb>
+- Site Directory File Name
+-
+- ftp.kernel.org /pub/linux/utils/net/NIS ypserv-1.3.2.tar.gz
+- wauug.erols.com /pub/net/nis ypserv-1.3.2.tar.gz
+-</verb></tscreen>
+-
+-You could also look at
+- <url url="http://www-vt.uni-paderborn.de/~kukuk/linux/nis.html"
+- name="http://www-vt.uni-paderborn.de/~kukuk/linux/nis.html">
+-for more information.
++The NIS server software can be found as /usr/sbin/ypserv.
+
+-The server setup is the same for both traditional NIS and NYS.
+-
+-Compile the software to generate the "ypserv" and "makedbm"
+-programs. If you run your server as master, determine what files you
++If you run your server as master, determine what files you
+ require to be available via NIS and then add or remove the appropriate
+ entries to the <tt>/var/yp/Makefile</tt>.
+
+-There was one big change between ypserv 1.1 and ypserv 1.2. Since 1.2,
+-ypserv caches the file handles. This means, you have to call makedbm with
+-the -c option always if you create new maps. Make sure, you are using the
+-new <tt>/var/yp/Makefile</tt> from ypserv 1.2 or later, or add the -c flag
+-to makedbm in the Makefile. If you don't do that, ypserv will continue to
+-use the old maps, and not the new one.
+-
+-Now edit /var/yp/securenets and /etc/ypserv.conf.
+-For more information, read the ypserv(8) and ypserv.conf(5) manual pages.
++Now edit /var/yp/securenets and /etc/rc.conf.
++For more information, read the ypserv(8) manual page and /etc/rc.conf comments.
+
+ Make sure the portmapper (portmap(8)) is running, and start the
+ server "ypserv". The command
+@@ -935,13 +496,13 @@
+ Now generate the NIS (YP) database. On the master, run
+
+ <tscreen><verb>
+- % /usr/lib/yp/ypinit -m
++ % /usr/sbin/ypinit -m
+ </verb></tscreen>
+
+ On a slave, make sure that ypwhich -m works. This means, that your slave
+ must be configured as NIS client before you could run
+ <tscreen><verb>
+- % /usr/lib/yp/ypinit -s masterhost
++ % /usr/sbin/ypinit -s masterhost
+ </verb></tscreen>
+ to install the host as NIS slave.
+
+@@ -953,13 +514,13 @@
+ wrong.
+
+
+-You might want to edit root's crontab *on the slave* server and add the
++You might want to edit the system crontab (/etc/crontab) *on the slave* server and add the
+ following lines:
+
+ <tscreen><verb>
+- 20 * * * * /usr/lib/yp/ypxfr_1perhour
+- 40 6 * * * /usr/lib/yp/ypxfr_1perday
+- 55 6,18 * * * /usr/lib/yp/ypxfr_2perday
++ 20 * * * * root /usr/libexec/ypxfr passwd.byname
++ 21 * * * * root /usr/libexec/ypxfr passwd.byuid
++ 55 19 * * * root /usr/libexec/ypxfr hosts.ypname
+ </verb></tscreen>
+ This will ensure that most NIS maps are kept up-to-date, even if an
+ update is missed because the slave was down at the time the update was
+@@ -968,14 +529,14 @@
+ You could add a slave at every time later. At first, make sure that
+ the new ypserv has permissions to contact the NIS master. Then run
+ <tscreen><verb>
+- % /usr/lib/yp/ypinit -s masterhost
++ % /usr/sbin/ypinit -s masterhost
+ </verb></tscreen>
+ on the new slave, and add the server name to /var/yp/ypservers.
+ After this, run make in /var/yp to update the maps.
+
+ If you want to restrict access for users to your NIS server, you'll have
+ to setup the NIS server as a client as well by running ypbind and adding the
+-plus-entries to /etc/passwd _halfway_ the password file. The library
++plus-entries to /etc/master.passwd _halfway_ the password file. The library
+ functions will ignore all normal entries after the first NIS entry, and
+ will get the rest of the info through NIS. This way the NIS access rules
+ are maintained. example:
+@@ -993,65 +554,28 @@
+ news:*:9:9:news:/var/spool/news:
+ uucp:*:10:50:uucp:/var/spool/uucp:
+ nobody:*:65534:65534:noone at all,,,,:/dev/null:
+- +miquels::::::
+- +:*:::::/etc/NoShell
++ +dennis:::::::::
++ +*:::::::::/bin/false
+ [ All normal users AFTER this line! ]
+ tester:*:299:10:Just a test account:/tmp:
+- miquels:1234567890123:101:10:Miquel van Smoorenburg:/home/miquels:/bin/zsh
++ obrien:1765:01:10::0:0:David O'Brien:/home/obrien:/bin/sh
+ </verb></tscreen>
+
+-The user tester will exist, but have a shell of /etc/NoShell. miquels
++The user tester will exist, but have a shell of /bin/false. obrien
+ will have normal access.
+
+ Alternatively, you could edit the /var/yp/Makefile file and set NIS to use
+ another source password file. On big systems, the NIS password and group
+-files are usually stored in /var/yp/ypfiles/. If you do this the normal
++files are sometimes stored in /var/yp/ypfiles/. If you do this the normal
+ tools to administrate the password file such as "passwd", "chfn",
+ "adduser" will not work anymore and you will need special homemade tools
+ for this.
+
+ However yppasswd, ypchsh and ypchfn will work ofcourse.
+
+-<sect1>The Server Program yps
+-<nidx>NIS!yps server</nidx>
+-<nidx>yps NIS server</nidx>
+-<p>
+-To set up the "yps" NIS server please refer to the previous paragraph.
+-The "yps" server setup is similar, _but_ not exactly the same so
+-beware if you try to apply the "ypserv" instructions to "yps"!
+-"yps" is not supported by any author, and contains some security leaks.
+-You shouldn't really use it !
+-
+-The "yps" NIS server software can be found on:
+-
+-<tscreen><verb>
+- Site Directory File Name
+-
+- ftp.lysator.liu.se /pub/NYS/servers yps-0.21.tar.gz
+-</verb></tscreen>
+-
+-
+-<sect1>The Program rpc.yppasswdd
+-
+-<p>
+-Whenever users change their passwords, the NIS password database and
+-probably other NIS databases, which depend on the NIS password
+-database, should be updated. The program "rpc.yppasswdd" is a server that
+-handles password changes and makes sure that the NIS information will
+-be updated accordingly. rpc.yppasswdd is now integrated in ypserv. You
+-don't need the older, separate yppasswd-0.9.tar.gz or yppasswd-0.10.tar.gz,
+-and you shouldn't use them any longer. The rpc.yppasswdd in ypserv 1.3.2
+-has full shadow support. yppasswd is now part of yp-tools-2.0.tar.gz,
+-
+-You need to start rpc.yppasswdd only on the NIS master server. By default,
+-users are not allowed to change their full name or the login shell.
+-You could allow this with the -e chfn or -e chsh option.
+-
+-
+
+ <sect>Verifying the NIS/NYS Installation
+ <nidx>NIS!verification of operation</nidx>
+-<nidx>NYS!verification of operation</nidx>
+
+ <p>
+ If everything is fine (as it should be), you should be able to verify
+@@ -1069,9 +593,7 @@
+ </verb></tscreen>
+
+ (where userid is the login name of an arbitrary user) should give you
+-the user's entry in the NIS passwd file. The "ypcat" and "ypmatch"
+-programs should be included with your distribution of traditional
+-NIS or NYS.
++the user's entry in the NIS passwd file.
+
+ If a user couldn't log in, run the following program on the client:
+ <tscreen><verb>
+@@ -1118,49 +640,6 @@
+ <nidx>NIS!troubleshooting</nidx>
+ <nidx>NIS!problems with</nidx>
+
+-<p>
+-Here are some common problems reported by various users:
+-
+-<enum>
+-<item>The libraries for 4.5.19 are broken. NIS won't work with it.
+-
+-<item>If you upgrade the libraries from 4.5.19 to 4.5.24 then the
+- su command breaks. You need to get the su command from the
+- slackware 1.2.0 distribution. Incidentally that's where you
+- can get the updated libraries.
+-
+-<item>You could run into trouble with NIS and DNS on the same machine
+- using an old a.out distribution. The DNS server occasionally will
+- not bring up NIS.
+-
+-<item>When a NIS server goes down and comes up again ypbind starts
+- complaining with messages like:
+-
+- <verb>
+- yp_match: clnt_call:
+- RPC: Unable to receive; errno = Connection refused
+- </verb>
+-
+- and logins are refused for those who are registered in the
+- NIS database. Try to login as root and if you succeed, then kill
+- ypbind and start it up again. An update to ypbind 3.3 or higher
+- should also help.
+-
+-<item>After upgrade the libc to a version greater then 5.4.20, the YP tools
+- will not work any longer. You need yp-tools 1.2 or later for
+- libc >= 5.4.21 and glibc 2.x and yp-clients 2.2. for earlier versions.
+- yp-tools 2.0 should work for all libraries.
+-
+-<item>In libc 5.4.21 - 5.4.35 yp_maplist is broken, you need 5.4.36 or later,
+- or some YP programs like ypwhich will seg.fault.
+-
+-<item>libc 5 with traditional NIS doesn't support shadow passwords over NIS.
+- You need libc5 + NYS or glibc 2.x.
+-<item>ypcat shadow doesn't show the shadow map. This is correct, the name of
+- the shadow map is shadow.byname, not shadow.
+-</enum>
+-
+-
+ <sect>Frequently Asked Questions
+ <nidx>NIS!frequently asked questions</nidx>
+
+@@ -1169,15 +648,13 @@
+ questions unanswered you might want to post a message to
+
+ <tscreen><verb>
+- comp.os.linux.help
++ freebsd-questions@FreeBSD.org
+ </verb></tscreen>
+
+ or
+
+ <tscreen><verb>
+- comp.os.linux.networking
++ hackers@FreeBSD.org
+ </verb></tscreen>
+-
+-or contact one of the authors of this HOWTO.
+
+ </article>
diff --git a/misc/Howto/pkg-comment b/misc/Howto/pkg-comment
new file mode 100644
index 000000000000..53a517ccb591
--- /dev/null
+++ b/misc/Howto/pkg-comment
@@ -0,0 +1 @@
+Linux HOW-TOs modified for applicablity on FreeBSD
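Review bot: The one-line comment misspells "applicability" as `applicablity`, and the identical line is added again as pkg-descr (both hunks carry the same blob id, 53a517ccb591). This is the string package listings show to users, so I would correct it in both files to `Linux HOW-TOs modified for applicability on FreeBSD`.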
diff --git a/misc/Howto/pkg-descr b/misc/Howto/pkg-descr
new file mode 100644
index 000000000000..53a517ccb591
--- /dev/null
+++ b/misc/Howto/pkg-descr
@@ -0,0 +1 @@
+Linux HOW-TOs modified for applicablity on FreeBSD
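Review bot: pkg-descr is byte-for-byte the pkg-comment line, so the long description tells a reader nothing the short comment does not. I would use it to name the documents the port fetches (the Makefile's DISTFILES list the DNS, NFS, NIS and Security HOWTOs plus Linux+FreeBSD) and to say which of them carry local changes. The diffstat shows patches only for dns, nfs and nis, so the Security HOWTO appears to ship as unmodified Linux text under a "modified for FreeBSD" label. A sentence saying that unpatched documents still describe Linux would keep an administrator from applying their advice to a FreeBSD host unchecked.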
diff --git a/misc/Howto/pkg-plist b/misc/Howto/pkg-plist
new file mode 100644
index 000000000000..28696356685f
--- /dev/null
+++ b/misc/Howto/pkg-plist
@@ -0,0 +1,2 @@
+share/doc/Howto
+@unexec /bin/rm -rf %D/share/doc/Howto
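Review bot: The packing list names the directory `share/doc/Howto` as if it were a file and then removes it with `@unexec /bin/rm -rf %D/share/doc/Howto`, so none of the installed documents is recorded individually. Deinstall therefore deletes whatever is under that directory at the time, including files the package never put there, and the package database has no per-file entries to check the installed files against. I would list each installed file as `share/doc/Howto/<file>` (the real names depend on the Makefile's install target, which is not visible here) and end with `@dirrm share/doc/Howto` in place of the `rm -rf`.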