Date: Wed, 16 Oct 2013 18:17:33 +0000 (UTC)
From: Dru Lavigne <dru@FreeBSD.org>
To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject: svn commit: r42975 - head/en_US.ISO8859-1/books/handbook/network-servers
Message-ID: <201310161817.r9GIHX0F085260@svn.freebsd.org>
Author: dru Date: Wed Oct 16 18:17:33 2013 New Revision: 42975 URL: http://svnweb.freebsd.org/changeset/doc/42975 Log: White space fix only. Translators can ignore. Modified: head/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml Modified: head/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml ============================================================================== --- head/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml Wed Oct 16 16:57:38 2013 (r42974) +++ head/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml Wed Oct 16 18:17:33 2013 (r42975) @@ -1074,7 +1074,7 @@ Exports list on foobar: configuration data and to add, remove, or modify configuration data from a single location.</para> - <para>&os; uses version 2 of the <acronym>NIS</acronym> + <para>&os; uses version 2 of the <acronym>NIS</acronym> protocol.</para> <sect2> @@ -1459,17 +1459,19 @@ nis_client_flags="-S <replaceable>NIS do <para>It is advisable to remove all entries for system accounts as well as any user accounts that do not need to be propagated to the <acronym>NIS</acronym> clients, such - as the <username>root</username> and any other administrative accounts.</para> + as the <username>root</username> and any other + administrative accounts.</para> <note><para>Ensure that the <filename>/var/yp/master.passwd</filename> is neither group or world readable by setting its permissions to - <literal>600</literal>.</para></note> + <literal>600</literal>.</para> + </note> - <para>After completing this task, - initialize the <acronym>NIS</acronym> maps. &os; includes - the &man.ypinit.8; script to do this. When generating - maps for the master server, include + <para>After completing this task, initialize the + <acronym>NIS</acronym> maps. &os; includes the + &man.ypinit.8; script to do this. When generating maps + for the master server, include <option>-m</option> and specify the <acronym>NIS</acronym> domain name:</para> 
@@ -1509,27 +1511,27 @@ ellington has been setup as an YP master <programlisting>NOPUSH = "True"</programlisting> </sect3> - + <sect3> - <title>Adding New Users</title> + <title>Adding New Users</title> - <para>Every time a new user is created, the user account must - be added to the master <acronym>NIS</acronym> server and - the <acronym>NIS</acronym> maps rebuilt. Until this occurs, - the new user will not be able to - login anywhere except on the <acronym>NIS</acronym> - master. For example, to add the new user - <username>jsmith</username> to the - <literal>test-domain</literal> domain, run these commands on the - master server:</para> + <para>Every time a new user is created, the user account + must be added to the master <acronym>NIS</acronym> + server and the <acronym>NIS</acronym> maps rebuilt. + Until this occurs, the new user will not be able to + login anywhere except on the <acronym>NIS</acronym> + master. For example, to add the new user + <username>jsmith</username> to the + <literal>test-domain</literal> domain, run these + commands on the master server:</para> - <screen>&prompt.root; <userinput>pw useradd jsmith</userinput> + <screen>&prompt.root; <userinput>pw useradd jsmith</userinput> &prompt.root; <userinput>cd /var/yp</userinput> &prompt.root; <userinput>make test-domain</userinput></screen> - <para>The user could also be added using - <command>adduser jsmith</command> - instead of <command>pw useradd jsmith</command>.</para> + <para>The user could also be added using <command>adduser + jsmith</command> instead of <command>pw useradd + jsmith</command>.</para> </sect3> </sect2> 
@@ -1693,16 +1695,16 @@ nis_client_enable="YES"</programlisting> <programlisting>+:::::::::</programlisting> - <para>This line configures the client to provide - anyone with a valid account in the - <acronym>NIS</acronym> server's password maps an - account on the client. There are many ways to - configure the <acronym>NIS</acronym> client by - modifying this line. One method is described in - <xref linkend="network-netgroups"/>. For - more detailed reading, refer to the book - <literal>Managing NFS and NIS</literal>, published - by O'Reilly Media.</para> + <para>This line configures the client to provide + anyone with a valid account in the + <acronym>NIS</acronym> server's password maps an + account on the client. There are many ways to + configure the <acronym>NIS</acronym> client by + modifying this line. One method is described in + <xref linkend="network-netgroups"/>. For + more detailed reading, refer to the book + <literal>Managing NFS and NIS</literal>, published + by O'Reilly Media.</para> </step> <step> 
@@ -1856,20 +1858,20 @@ basie&prompt.root;</screen> <indexterm><primary>netgroups</primary></indexterm> - <para>Barring specified users from logging on to individual systems - becomes unscaleable on - larger networks and quickly loses the main benefit of <acronym>NIS</acronym>: + <para>Barring specified users from logging on to individual + systems becomes unscaleable on larger networks and quickly + loses the main benefit of <acronym>NIS</acronym>: <emphasis>centralized</emphasis> administration.</para> <para>Netgroups were developed to handle large, complex networks with hundreds of users and machines. Their use is comparable - to &unix; groups, where the main difference is the - lack of a numeric ID and the ability to define a netgroup by - including both user accounts and other netgroups.</para> + to &unix; groups, where the main difference is the lack of a + numeric ID and the ability to define a netgroup by including + both user accounts and other netgroups.</para> <para>To expand on the example used in this chapter, the - <acronym>NIS</acronym> domain will be extended to add the users - and systems shown in Tables 28.2 and 28.3:</para> + <acronym>NIS</acronym> domain will be extended to add the + users and systems shown in Tables 28.2 and 28.3:</para> <table frame="none" pgwide="1"> <title>Additional Users</title> @@ -1929,8 +1931,8 @@ basie&prompt.root;</screen> <entry><hostid>war</hostid>, <hostid>death</hostid>, <hostid>famine</hostid>, <hostid>pollution</hostid></entry> - <entry>Only IT - employees are allowed to log onto these servers.</entry> + <entry>Only IT employees are allowed to log onto these + servers.</entry> </row> <row> 
@@ -1938,9 +1940,8 @@ basie&prompt.root;</screen> <entry><hostid>pride</hostid>, <hostid>greed</hostid>, <hostid>envy</hostid>, <hostid>wrath</hostid>, <hostid>lust</hostid>, <hostid>sloth</hostid></entry> - <entry>All members of the IT - department are allowed to login onto these - servers.</entry> + <entry>All members of the IT department are allowed to + login onto these servers.</entry> </row> <row> 
@@ -1960,25 +1961,24 @@ basie&prompt.root;</screen> </tgroup> </table> - <para>When using netgroups to configure this scenario, - each user is - assigned to one or more netgroups and logins are then + <para>When using netgroups to configure this scenario, each user + is assigned to one or more netgroups and logins are then allowed or forbidden for all members of the netgroup. When adding a new machine, login restrictions must be defined for - all netgroups. When a new user is added, the account must be added to - one or more netgroups. If the <acronym>NIS</acronym> setup is - planned carefully, only one central configuration file needs - modification to grant or deny access to machines.</para> + all netgroups. When a new user is added, the account must be + added to one or more netgroups. If the + <acronym>NIS</acronym> setup is planned carefully, only one + central configuration file needs modification to grant or deny + access to machines.</para> <para>The first step is the initialization of the - <acronym>NIS</acronym> <literal>netgroup</literal> map. In &os;, - this map is not created by default. On the - <acronym>NIS</acronym> master server, use an editor to create + <acronym>NIS</acronym> <literal>netgroup</literal> map. In + &os;, this map is not created by default. On the + <acronym>NIS</acronym> master server, use an editor to create a map named <filename>/var/yp/netgroup</filename>.</para> - <para>This example creates - four netgroups to represent IT employees, IT apprentices, - employees, and interns:</para> + <para>This example creates four netgroups to represent IT + employees, IT apprentices, employees, and interns:</para> <programlisting>IT_EMP (,alpha,test-domain) (,beta,test-domain) IT_APP (,charlie,test-domain) (,delta,test-domain) 
@@ -1986,17 +1986,17 @@ USERS (,echo,test-domain) (,foxtro (,golf,test-domain) INTERNS (,able,test-domain) (,baker,test-domain)</programlisting> - <para>Each entry configures a netgroup. The first column in an entry - is the name of the netgroup. Each set of brackets represents - either a group of one or more users or the name of another netgroup. - When specifying a user, the three comma-delimited fields inside each - group represent:</para> + <para>Each entry configures a netgroup. The first column in an + entry is the name of the netgroup. Each set of brackets + represents either a group of one or more users or the name of + another netgroup. When specifying a user, the three + comma-delimited fields inside each group represent:</para> <orderedlist> <listitem> - <para>The name of the host(s) where the other fields representing the user are - valid. If a hostname is not specified, the entry is valid - on all hosts.</para> + <para>The name of the host(s) where the other fields + representing the user are valid. If a hostname is not + specified, the entry is valid on all hosts.</para> </listitem> <listitem> 
@@ -2011,31 +2011,29 @@ INTERNS (,able,test-domain) (,baker, </listitem> </orderedlist> - <para>If a group contains multiple users, separate each user with - whitespace. Additionally, each field may contain wildcards. See - &man.netgroup.5; for details.</para> - - <indexterm><primary>netgroups</primary></indexterm> - <para>Netgroup names longer than 8 characters should not be - used. The names - are case sensitive and using capital letters for netgroup names - is an easy way to distinguish between user, machine and - netgroup names.</para> - - <para>Some non-&os; <acronym>NIS</acronym> clients - cannot handle netgroups containing more than 15 - entries. This limit may be - circumvented by creating several sub-netgroups with 15 users - or fewer and a real netgroup consisting of the - sub-netgroups, as seen in this example:</para> + <para>If a group contains multiple users, separate each user + with whitespace. Additionally, each field may contain + wildcards. See &man.netgroup.5; for details.</para> - <programlisting>BIGGRP1 (,joe1,domain) (,joe2,domain) (,joe3,domain) [...] + <indexterm><primary>netgroups</primary></indexterm> + <para>Netgroup names longer than 8 characters should not be + The names are case sensitive and using capital letters + letters for netgroup names is an easy way to distinguish + between user, machine and netgroup names.</para> + + <para>Some non-&os; <acronym>NIS</acronym> clients cannot + handle netgroups containing more than 15 entries. This + limit may be circumvented by creating several sub-netgroups + with 15 users or fewer and a real netgroup consisting of the + sub-netgroups, as seen in this example:</para> + + <programlisting>BIGGRP1 (,joe1,domain) (,joe2,domain) (,joe3,domain) [...] BIGGRP2 (,joe16,domain) (,joe17,domain) [...] 
BIGGRP3 (,joe31,domain) (,joe32,domain) BIGGROUP BIGGRP1 BIGGRP2 BIGGRP3</programlisting> - <para>Repeat this process if more than 225 (15 times 15) users exist - within a single netgroup.</para> + <para>Repeat this process if more than 225 (15 times 15) users + exist within a single netgroup.</para> <para>To activate and distribute the new <acronym>NIS</acronym> map:</para> @@ -2046,9 +2044,9 @@ ellington&prompt.root; <userinput>make</ <para>This will generate the three <acronym>NIS</acronym> maps <filename>netgroup</filename>, <filename>netgroup.byhost</filename> and - <filename>netgroup.byuser</filename>. Use the map key option of &man.ypcat.1; to - check if the new <acronym>NIS</acronym> maps are - available:</para> + <filename>netgroup.byuser</filename>. Use the map key option + of &man.ypcat.1; to check if the new <acronym>NIS</acronym> + maps are available:</para> <screen>ellington&prompt.user; <userinput>ypcat -k netgroup</userinput> ellington&prompt.user; <userinput>ypcat -k netgroup.byhost</userinput> @@ -2056,14 +2054,13 @@ ellington&prompt.user; <userinput>ypcat <para>The output of the first command should resemble the contents of <filename>/var/yp/netgroup</filename>. The second - command only produces output if - host-specific netgroups were created. The third command is used to get - the list of netgroups for a user.</para> - - <para>To configure a client, use &man.vipw.8; to specify the name - of the netgroup. For example, on the server named - <hostid>war</hostid>, replace this - line:</para> + command only produces output if host-specific netgroups were + created. The third command is used to get the list of + netgroups for a user.</para> + + <para>To configure a client, use &man.vipw.8; to specify the + name of the netgroup. For example, on the server named + <hostid>war</hostid>, replace this line:</para> <programlisting>+:::::::::</programlisting> 
@@ -2073,38 +2070,38 @@ ellington&prompt.user; <userinput>ypcat <para>This specifies that only the users defined in the netgroup <literal>IT_EMP</literal> will be imported into this system's - password database and only those users - are allowed to login to this system.</para> + password database and only those users are allowed to login to + this system.</para> <para>This configuration also applies to the - <literal>~</literal> function of the shell and all routines which - convert between user names and numerical user IDs. In + <literal>~</literal> function of the shell and all routines + which convert between user names and numerical user IDs. In other words, <command>cd ~<replaceable>user</replaceable></command> will not work, <command>ls -l</command> will show the numerical ID - instead of the username, and - <command>find . -user joe -print</command> will fail with the message + instead of the username, and <command>find . -user joe + -print</command> will fail with the message <errorname>No such user</errorname>. To fix this, import all - user entries without allowing them to login into the - servers. This can be achieved by adding an extra line:</para> - + user entries without allowing them to login into the servers. + This can be achieved by adding an extra line:</para> + <programlisting>+:::::::::/sbin/nologin</programlisting> - <para>This line configures the client to - import all entries but to replace the shell in those entries with + <para>This line configures the client to import all entries but + to replace the shell in those entries with <filename>/sbin/nologin</filename>.</para> <!-- Been there, done that, got the scars to prove it - ue --> - <para>Make sure that extra line - is placed <emphasis>after</emphasis> - <literal>+@IT_EMP:::::::::</literal>. 
Otherwise, all user - accounts imported from <acronym>NIS</acronym> will have - <filename>/sbin/nologin</filename> as their login - shell and noone will be able to login to the system.</para> - - <para>To configure the less important servers, - replace the old <literal>+:::::::::</literal> - on the servers with these lines:</para> + <para>Make sure that extra line is placed + <emphasis>after</emphasis> + <literal>+@IT_EMP:::::::::</literal>. Otherwise, all user + accounts imported from <acronym>NIS</acronym> will have + <filename>/sbin/nologin</filename> as their login + shell and noone will be able to login to the system.</para> + + <para>To configure the less important servers, replace the old + <literal>+:::::::::</literal> on the servers with these + lines:</para> <programlisting>+@IT_EMP::::::::: +@IT_APP::::::::: 
@@ -2117,18 +2114,18 @@ ellington&prompt.user; <userinput>ypcat +@USERS::::::::: +:::::::::/sbin/nologin</programlisting> - <para>NIS supports the creation of netgroups from other netgroups which - can be useful if the policy regarding user access changes. One possibility is - the creation of role-based netgroups. For example, one might - create a netgroup called <literal>BIGSRV</literal> to define - the login restrictions for the important servers, another - netgroup called <literal>SMALLSRV</literal> for the less - important servers, and a third netgroup called - <literal>USERBOX</literal> for the workstations. Each - of these netgroups contains the netgroups that are allowed to - login onto these machines. The new entries for the - <acronym>NIS</acronym> <literal>netgroup</literal> map would look like - this:</para> + <para>NIS supports the creation of netgroups from other + netgroups which can be useful if the policy regarding user + access changes. One possibility is the creation of role-based + netgroups. For example, one might create a netgroup called + <literal>BIGSRV</literal> to define the login restrictions for + the important servers, another netgroup called + <literal>SMALLSRV</literal> for the less important servers, + and a third netgroup called <literal>USERBOX</literal> for the + workstations. Each of these netgroups contains the netgroups + that are allowed to login onto these machines. The new + entries for the <acronym>NIS</acronym> + <literal>netgroup</literal> map would look like this:</para> <programlisting>BIGSRV IT_EMP IT_APP SMALLSRV IT_EMP IT_APP ITINTERN 
@@ -2142,9 +2139,9 @@ USERBOX IT_EMP ITINTERN USERS</progra required.</para> <para>Machine-specific netgroup definitions are another - possibility to deal with the policy changes. In - this scenario, the <filename>/etc/master.passwd</filename> of - each system contains two lines starting with <quote>+</quote>. + possibility to deal with the policy changes. In this + scenario, the <filename>/etc/master.passwd</filename> of each + system contains two lines starting with <quote>+</quote>. The first line adds a netgroup with the accounts allowed to login onto this machine and the second line adds all other accounts with <filename>/sbin/nologin</filename> as shell. It 
@@ -2210,39 +2207,40 @@ TWO (,hotel,test-domain) <indexterm> <primary>NIS</primary> - <secondary>password formats</secondary> + <secondary>password formats</secondary> </indexterm> <para><acronym>NIS</acronym> requires that all hosts within an - <acronym>NIS</acronym> domain use the same format for encrypting passwords. - If users have trouble authenticating on an - <acronym>NIS</acronym> client, it may be due to a differing password format. - In a heterogeneous network, the format must be supported by all operating systems, where - <acronym>DES</acronym> - is the lowest common standard.</para> - - <para>To check which format a server or client is using, - look at this section of <filename>/etc/login.conf</filename>:</para> + <acronym>NIS</acronym> domain use the same format for + encrypting passwords. If users have trouble authenticating on + an <acronym>NIS</acronym> client, it may be due to a differing + password format. In a heterogeneous network, the format must + be supported by all operating systems, where + <acronym>DES</acronym> is the lowest common standard.</para> + + <para>To check which format a server or client is using, look + at this section of + <filename>/etc/login.conf</filename>:</para> <programlisting>default:\ :passwd_format=des:\ :copyright=/etc/COPYRIGHT:\ [Further entries elided]</programlisting> - <para>In this example, the system is using the <acronym>DES</acronym> - format. Other possible values are - <literal>blf</literal> for Blowfish and <literal>md5</literal> for - MD5 encrypted passwords.</para> - - <para>If the format on a host needs to be edited to match the one - being used in the <acronym>NIS</acronym> domain, - the login capability - database must be rebuilt after saving the change:</para> + <para>In this example, the system is using the + <acronym>DES</acronym> format. 
Other possible values are + <literal>blf</literal> for Blowfish and <literal>md5</literal> + for MD5 encrypted passwords.</para> + + <para>If the format on a host needs to be edited to match the + one being used in the <acronym>NIS</acronym> domain, the + login capability database must be rebuilt after saving the + change:</para> <screen>&prompt.root; <userinput>cap_mkdb /etc/login.conf</userinput></screen> <note> - <para>The format of passwords for existing user accounts will not be updated - until each user changes their password + <para>The format of passwords for existing user accounts will + not be updated until each user changes their password <emphasis>after</emphasis> the login capability database is rebuilt.</para> </note> @@ -3073,7 +3071,7 @@ dhcpd_ifaces="dc0"</programlisting> separate network. If this functionality is required, then install the <filename role="package">net/isc-dhcp42-relay</filename> - port. The port installs &man.dhcrelay.8;, which + port. The port installs &man.dhcrelay.8;, which provides more detail.</para> </listitem> </itemizedlist>
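Review bot: In the hunk at @@ -1459,17 +1459,19 @@, the closing </note> is moved onto its own line while the opening "<note><para>Ensure that" context line stays joined, so the element ends up formatted asymmetrically. Split the opening <note> and <para> onto separate lines as well, matching the <note> block visible in the @@ -2210,39 +2207,40 @@ hunk, where <note> already sits on its own line above <para>.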
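Review bot: In the hunk at @@ -1509,27 +1511,27 @@, the rewrap breaks lines inside <command> elements: "<command>adduser" now ends one line and "jsmith</command>" starts the next, and "<command>pw useradd" is split from "jsmith</command>" the same way. That places a newline and indentation inside the literal command text. Break before the opening <command> tag instead, as the removed lines did, so each command stays on one source line. The "<command>find . -user joe" / "-print</command>" wrap in the @@ -2073,38 +2070,38 @@ hunk has the same problem.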
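Review bot: In the hunk at @@ -2011,31 +2011,29 @@, the reflowed netgroup-name paragraph changes words, which does not match the "White space fix only" log message. The removed text read "should not be used. The names are case sensitive and using capital letters for netgroup names", while the added lines read "should not be" followed directly by "The names are case sensitive and using capital letters" and then "letters for netgroup names", so "used." is dropped and "letters" is doubled. Restore "used." at the end of the first added line and delete the repeated "letters" so the paragraph text is identical to r42974 and translators really can ignore the change.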