HP-UX Internet Services Administrator’s Guide
HP-UX 11i v2, HP-UX 11i v3

HP Part Number: B2355-91094
Published: May 2010
Edition: 3

Legal Notices
© Copyright 2004–2010 Hewlett-Packard Development Company, L.P. Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. The information contained herein is subject to change without notice.

Copyright © 1995-1998 Eric Young. All rights reserved. Portions Copyright © 1996-2001 Nominum, Inc. Portions Copyright © 1995-2000 by Network Associates, Inc. Copyright © 2001 Stig Venaas Copyright © 2001 Jeff McNeil Portions Copyright © 1995 by International Business Machines, Inc. Copyright © 1995, 1996, 1997, and 1998 WIDE Project. Copyright © 1998-2000 The OpenSSL Project. Copyright Patrick Powell 1995 Copyright © Microsoft Corp. 1993. Copyright © 1998-2001 Sendmail, Inc. and its suppliers.
Table of Contents
About This Document (page 13)
New and Changed Information in This Edition (page 13)
Intended Audience (page 13)
HP-UX Release Name and Release Identifier
Choosing a Name Service (page 28)
Editing the /etc/hosts File (page 29)
Configuring a Route (page 29)
Changing a Host’s IP Address (page 31)
Configuring inetd
Setting up a Spectracom Netclock/2 (page 49)
Location of Time Source (page 49)
Example 1: Locating the Best Primary Server (page 50)
Determining Synchronization Sources (page 51)
Example 2: Evaluating Time Servers in Eastern United States
Characterizing a Problem (page 75)
Diagnostic Tools Summary (page 76)
Diagnosing Repeater and Gateway Problems (page 77)
Troubleshooting Tips (page 78)
Flowchart Format
List of Figures
4-1 Survey of Best Time Servers (page 49)
4-2 Stratum-1 Time Servers (page 58)
4-3 Example of Relationships Between Time Servers (page 59)
4-4 Example Configurations
4-5 5-1 5-2 5-3 5-4 5-5

List of Tables
1-1 The Internet Services Products (page 19)
1-2 Software Versions (page 20)
4-1 Available Time Servers (page 50)
4-2 Locating Synchronized Time Servers
4-3 4-4 4-5 4-6 4-7 4-8 5-1 5-2 5-3 5-4 5-5

List of Examples
3-1 Sample Usage of the tcpdmatch Tool
About This Document
This document provides an overview of the Internet Services software and describes how to install and configure it on your operating system. It is one of the documents available for the Internet Services suite of products. For a list of other Internet Services documents, see “Related Documentation” (page 14). These documents replace the document Installing and Administering Internet Services (B2355-90685), which was shipped with releases prior to the HP-UX 11i v2 operating system.

Publishing History
The following table lists the publishing details of this document for various HP-UX releases.
• HP-UX ramD Administrator’s Guide at: http://docs.hp.com/en/netcom.html#Routing
• Using HP-UX Internet Services at: http://www.docs.hp.com/hpux/netcom/index.html#Internet%20Services
• Request for Comments (RFC) at: http://www.ietf.org/rfc.html
• Other Documents
For detailed technical and conceptual information about BIND, as well as information about planning a BIND hierarchy and using Sendmail with BIND, HP recommends that you read Paul Albitz and Cricket Liu, 2001. DNS and BIND.
[] The contents are optional in formats and command descriptions. If the contents are a list separated by |, you can choose one of the items.
{} The contents are required in formats and command descriptions. If the contents are a list separated by |, you must choose one of the items.
(Ctrl+A) This symbol indicates that you hold down the first named key while pressing the key or mouse button that follows the plus.
Bold The defined use of an important word or phrase.
...
1 Internet Services Overview
The HP-UX Internet Services software (formerly the ARPA Services suite of products) enables your HP system to carry out the following tasks:
• Transfer files.
• Log on to remote hosts.
• Execute commands remotely.
• Manage IP addresses and network clients.
• Perform all routing protocols.
• Exchange mail with remote hosts on the network.
• Locate and configure networked services in enterprise networks.
ARPA services include the set of services developed by UCB for the Advanced Research Projects Agency (ARPA): ftp and telnet. ARPA services are used to communicate with HP-UX, UNIX®, and non-UNIX systems. Berkeley services include the set of services developed by UCB to implement UCB protocols: BIND, sendmail, finger, the rexec library, rcp, rlogin, remsh, ruptime, rwho, and rdist. Berkeley Services are used to communicate with HP-UX or other UNIX systems.
Table 1-1 The Internet Services Products
Product Name | Bundle Name | Category | Bundle description
Restructured Products in the InternetSrvcs Product
DHCPv4 | HPUX-DHCPv4 | Recommended | This bundle contains the Dynamic Host Configuration Protocol (DHCP) daemon, the Bootstrap Protocol (BOOTP) server, clients, utilities, and sample configuration files.
DHCPv6 | HPUX-DHCPv6 | Recommended | This bundle contains the DHCP product for IPv6, the DHCPv6 server, clients, utilities, and sample configuration files.

Software Versions
Table 1-2 lists the product versions that have been made available with this version of Internet Services on the HP-UX 11i v2 and HP-UX 11i v3 operating systems. The software versions listed in this table are public domain versions.

Table 1-2 Software Versions
Software | Version
FTP | 2.6.1
Sendmail | 8.13.3
BIND | 9.3.2
gated | 3.5.9
mrouted | 3.8
TCP Wrappers | 7.6.1

Software Descriptions
This chapter provides an overview of Internet Services.
The tftp Service
The tftp (Trivial File Transfer Protocol) service, used with bootp to enable some diskless systems (such as the HP 700/X terminal), transfers files containing bootstrap code, fonts, or other configuration information. You must invoke the tftpd server via inetd. Type man 1 tftp or man 1M tftpd at the HP-UX prompt for more information.

The telnet Command
The telnet command allows you to log on to a remote host that supports Internet Services.
See “Installing and Configuring Internet Services” (page 25) for information on installing and configuring the previous services. See HP-UX Remote Access Services Administrator’s Guide, at the URL http://www.docs.hp.com/hpux/netcom/index.html#Internet%20Services, for complete information about these services.

The elm Utility
elm’s screen-oriented interface runs with Sendmail or with any other UNIX Mail Transport Agent and enables you to read and compose mail messages.
of addresses. See the HP-UX IP Address and Client Management Administrator’s Guide at the URL http://www.docs.hp.com/hpux/netcom/index.html#Internet%20Services, or type man 1M dhcpv6d at the HP-UX prompt for more information.

The gated Service
The gated service determines routing over the Internet. See the HP-UX Routing Services Administrator’s Guide at the URL http://www.docs.hp.com/hpux/netcom/index.html#Internet%20Services, or type man 1M gated at the HP-UX prompt for more information.
http://www.docs.hp.com/hpux/netcom/index.html#Internet%20Services, or type man 1M ramD at the HP-UX prompt for more information.

Secure Internet Services
Secure Internet Services (SIS) is an optionally enabled mechanism that incorporates Kerberos V5 Release 1.0 authentication and authorization for the following services: ftp, rcp, remsh, rlogin, and telnet. See Installing and Administering Security Services on HP-UX 11i v2, at the URL http://www.docs.hp.com/hpux/netcom/index.html for more information.
2 Installing and Configuring Internet Services
This chapter describes how to install and configure the Internet Services software on your system. It discusses the following topics:
• “Installing the Internet Services Software” (page 25)
• “Configuring the Internet Services Software” (page 25)

Installing the Internet Services Software
The Internet Services software is packaged along with the core HP-UX 11i v2 and HP-UX 11i v3 operating systems.
For host information, you can configure your system to use BIND (DNS), NIS, or the /etc/hosts file. The default name service switch configuration is adequate for most installations, so you probably do not have to change it. The default configuration is explained in the section “Default Configuration” (page 26).
passwd:     files nis
group:      files nis
hosts:      dns [NOTFOUND=return] nis [NOTFOUND=return] files
networks:   nis [NOTFOUND=return] files
protocols:  nis [NOTFOUND=return] files
rpc:        nis [NOTFOUND=return] files
publickey:  nis [NOTFOUND=return] files
netgroup:   nis [NOTFOUND=return] files
automount:  files nis
aliases:    files nis
services:   nis [NOTFOUND=return] files

If your /etc/nsswitch.conf file contains a syntactically correct line for a particular type of information, that line is used instead of the default.
For more information, type man 1 nsquery at the HP-UX prompt.

Configuring an Internet Address
This section describes how to configure your host to find other hosts on the network, by host name or IP address.
NOTE: If you choose to use BIND or NIS as your primary name service, you still need to configure a minimal /etc/hosts file so that your host can boot if BIND or NIS is not available.

Editing the /etc/hosts File
You can use any text editor to edit the /etc/hosts file, or you can use the HP System Management Homepage (HP SMH). Follow these steps to edit the /etc/hosts file: 1. 2.
1. If you use only one gateway to reach all systems on other parts of the network, configure a default gateway. You can use SAM to configure a default gateway, or if you are not using SAM, issue the following command:
/usr/sbin/route add default gateway_address 1
where gateway_address is the IP address of the gateway host. Then, set the following environment variables in the /etc/rc.config.
For more information on static routing, type man 1M route or man 7 routing at the HP-UX prompt. If you have a large and complicated network, use gated for dynamic routing. See “Configuring gated” in the HP-UX Routing Services Administrator’s Guide at the URL http://www.docs.hp.com/hpux/netcom/index.html#Internet%20Services for more information.

Changing a Host’s IP Address
When you use SAM to change a host’s IP address, SAM does not perform all these steps.
8. 9. configured to relay boot requests to the host, change the host’s IP address in the /etc/bootptab file on the BOOTP relay agent. See “Configuring TFTP and BOOTP Servers” in the HP-UX Remote Access Services Administrator’s Guide at the URL http://www.docs.hp.com/hpux/netcom/index.html#Internet%20Services for more information. If the host is an NTP server, change its IP address in the /etc/ntp.conf file on NTP clients.
ftp     stream  tcp  nowait  root  /usr/lbin/ftpd     ftpd -l
telnet  stream  tcp  nowait  root  /usr/lbin/telnetd  telnetd
tftp    dgram   udp  wait    root  /usr/lbin/tftpd    tftpd
bootps  dgram   udp  wait    root  /usr/lbin/bootpd   bootpd
finger  stream  tcp  nowait  bin   /usr/lbin/fingerd  fingerd
login   stream  tcp  nowait  root  /usr/lbin/rlogind  rlogind
shell   stream  tcp  nowait  root  /usr/lbin/remshd   remshd
exec    stream  tcp  nowait  root  /usr/lbin/rexecd   rexecd

To disable any of these services, comment out the line by typing a pound sign (#) as t
The first example allows access to rlogin from any IP address beginning with 10. The second example denies access to remsh and rcp from hosts vandal and hun. The third example denies everyone access to tftp. Only the services configured in /etc/inetd.conf can be configured in /var/adm/inetd.sec. For more information, type man 4 inetd.sec or man 1M inetd at the HP-UX prompt.
With this configuration, all mail log messages at the debug level or higher are sent to /var/adm/syslog/mail.log. Log messages from any facility at the information level or higher (but no mail messages) are sent to /var/adm/syslog/syslog.log. Log messages from any facility at the alert level or higher are sent to the console and to any terminal where the superuser is logged in. All messages at the emergency level or higher are sent to all users on the system.
/usr/sbin/inetd -c
For more information, type man 1M ftpd at the HP-UX prompt. This manpage contains a complete list of error messages. See “Configuring Logging for ftp” in the HP-UX Remote Access Services Administrator’s Guide at the URL http://www.docs.hp.com/hpux/netcom/index.html#Internet%20Services for more information on logging ftp file transfer information.
3 TCP Wrappers
The Transmission Control Protocol (TCP) Wrappers product suite provides an enhanced security mechanism for services spawned by the Internet Services daemon, inetd.
Access Control
TCP wrappers uses the files /etc/hosts.allow and /etc/hosts.deny as Access Control Lists (ACLs). These access control files are used to match the client and server entries with the service request. These files are based on pattern matching and can be extended via optional extensions such as allowing spawning of a shell command. Each access control file consists of a set of access control rules for different services that use tcpd.
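The way a request is checked against these two files, as an added Python example (not HP's code and not part of this guide): it follows the hosts_access(5) order of hosts.allow first, then hosts.deny, then grant, and the ALL, LOCAL, leading-dot, trailing-dot, net/mask and EXCEPT patterns. The rule files, host names and addresses are constructed, only IPv4 is handled, and a name of None stands for a failed host name lookup.

```python
import ipaddress

# Constructed sample ACLs in hosts_access(5) layout; not taken from the guide.
HOSTS_ALLOW = """\
# daemon_list : client_list
ftpd    : .corp.example.com 10.1.
telnetd : 192.0.2.0/255.255.255.0 EXCEPT 192.0.2.66
"""
HOSTS_DENY = """\
ALL : ALL
"""


def parse_rules(text):
    """Return a list of (daemon_tokens, client_tokens), one per rule line."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue  # malformed line, skipped in this sketch
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        rules.append((daemons, clients))
    return rules


def client_matches(pattern, name, addr):
    """Match one client pattern against a host name (or None) and an IPv4 address."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":                       # host name without a dot
        return name is not None and "." not in name
    if pattern.startswith("."):                  # domain suffix
        return name is not None and name.lower().endswith(pattern.lower())
    if pattern.endswith("."):                    # leading address fields
        return addr.startswith(pattern)
    if "/" in pattern:                           # net/mask
        net, mask = (int(ipaddress.IPv4Address(p)) for p in pattern.split("/", 1))
        return (int(ipaddress.IPv4Address(addr)) & mask) == net
    return pattern.lower() in ((name or "").lower(), addr)


def list_matches(tokens, test):
    """Evaluate a pattern list; 'a EXCEPT b' matches a unless b also matches."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return list_matches(tokens[:i], test) and not list_matches(tokens[i + 1:], test)
    return any(test(t) for t in tokens)


def decide(daemon, name, addr, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Return (verdict, file, rule_number); the first matching rule wins."""
    for verdict, fname, text in (("granted", "hosts.allow", allow_text),
                                 ("denied", "hosts.deny", deny_text)):
        for number, (daemons, clients) in enumerate(parse_rules(text), 1):
            if (list_matches(daemons, lambda t: t in ("ALL", daemon)) and
                    list_matches(clients, lambda t: client_matches(t, name, addr))):
                return verdict, fname, number
    return "granted", None, None                 # no rule in either file matched


if __name__ == "__main__":
    for request in [("ftpd", "build1.corp.example.com", "10.9.9.9"),
                    ("telnetd", None, "192.0.2.66"),
                    ("ftpd", None, "10.10.1.1")]:
        print(request, "->", decide(*request))
```

With an empty hosts.deny the last request is granted, which is why the constructed deny file ends in a catch-all rule.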
For more information on the access control language and ACL options, type man 5 hosts_access or man 5 hosts_options at the HP-UX prompt.

Host Name/Address Spoofing
tcpd prevents an illegal host that behaves as a legal host from accessing services. If any discrepancy is identified in the client address or name, the wrapper program denies access to that host and logs the information. tcpd also disables the source-routing socket options on all the host’s connections.
The tcpd Daemon
The tcpd daemon monitors access to a service, logs the host name and the remote user name owning the connection, and performs some additional access control checks. After tcpd checks the connection, the wrapper invokes the desired server program and exits.

Enabling tcpd
You can use either of the following methods to enable tcpd:
1. Edit each entry in the /etc/inetd.conf file to include the tcpd server program, /usr/lbin/tcpd. The server program field in the /etc/inetd.
When an ftp service is requested, inetd spawns the /usr/lbin/ftpd daemon, which is actually the tcpd daemon. Then, tcpd performs access control checks before invoking the ftpd daemon in the /usr/lbin/wrapper directory. For more information on tcpd configuration, type man 1M tcpd or man 4 tcpd.conf at the HP-UX prompt.

The libwrap.a Library
The libwrap.a library provides a set of APIs for independent applications to enforce host access control based on the files /etc/hosts.allow and /etc/hosts.deny.
The tcpdchk Tool
The tcpdchk tool performs the following functions:
• Examines the validity of entries in the /etc/inetd.conf file and ACLs.
• Inspects the TCP wrapper configurations and reports problems, if any.
• Checks the tcpd access control files (/etc/hosts.allow and /etc/hosts.deny), and compares the entries in these files with the entries in the /etc/inetd.conf file.
user Indicates a client user identifier, and specifies a login name or address. The default user name is unknown. You can use the first tcpd syntax when a server has more than one address or name.

Example 3-1 Sample Usage of the tcpdmatch Tool
The following example shows how tcpd handles an ftp request from a local system:
# tcpdmatch ftpd localhost
If the host name lookup fails, the same request is handled by tcpd as follows:
# tcpdmatch ftpd 127.0.0.
For more information, type man 1 finger at the HP-UX prompt. Following is an example of the safe_finger command:
# /usr/bin/safe_finger -l @xyz.abc.def.com
This command prints the user information on the remote host xyz.abc.def.com. HP recommends that you use this program to implement traps in the access control language of the files /etc/hosts.allow and /etc/hosts.deny. For more information on setting traps, type man 5 hosts_access at the HP-UX prompt.
4 Configuring NTP
The Network Time Protocol (NTP) assures accurate synchronization of the computer’s clock time with reference to a number of primary reference sources, using equipment such as a radio receiver. NTP runs as a continuous background client process on a system, and sends periodic time requests to primary servers to obtain the time stamps. It also checks for errors caused by equipment or propagation failures.
be synchronized close to 1000 milliseconds, to ensure that make compiles the appropriate files. The following topics are discussed in this section:
• “NTP Equipment” (page 46)
• “Choosing the Source of Time” (page 46)
• “Backup Time Servers” (page 55)
• “Configuring Your Primary NTP Server” (page 56)

NTP Equipment
The following equipment is required to effectively use the NTP programs:
• Internet or your own radio receiver, such as GPS (Global Positioning System), as a time source.
Available Time Sources
The most common time distribution mechanisms from which you can draw time are:
• Public time server (phone or modem) via the Internet
• Local clock impersonators
• Radio receiver – Terrestrial and satellite broadcast

Public Time Server
You can connect to public time servers via the Internet free of charge for a limited time. Public time servers also provide dial-up access through a modem. This is the cheapest and most popular method.
IMPORTANT: Using this option may cause problems if you are always connected outside your domain.
To set up the local clock impersonator, add the following entry to the /etc/ntp.conf file:
server 127.127.1.1 minpoll 3 maxpoll 4

Radio Receiver
The radio receiver is the most accurate and expensive time distribution mechanism. A radio receiver provides a stable time and is not affected by network delays, congestion, or outages.
Setting up a Spectracom Netclock/2
The following steps describe how to set up a Spectracom Netclock/2:
1. Install and connect the WWVB receiver to a serial port on the HP-UX machine.
2. Append the following entries in the /etc/ntp.conf file:
server 127.127.4.1 minpoll 3 maxpoll 4
# no fudge required
# fudge 127.127.26.1 time1 -0.930 #s800
3.
milliseconds. Therefore, selecting the time server situated in Australia is not recommended because it may cause network delays.

Example 1: Locating the Best Primary Server
Table 4-1 shows the servers the time client can access. The primary time server is NAVOBS1.MIT.EDU. The other time servers within reasonable physical and network distance are cs.columbia.edu, 129.236.2.199, and clepsydra.dec.c .
You can evaluate different public time servers from the stratum-2 list. Following is the stratum-2 listing of an HP machine which was provided in the Silicon Valley for public use in North America.
ntp-cup.external.hp.com (192.6.38.127)
Location: Cupertino CA (SF Bay area) 37:20N/122:00W
Synchronization: NTPv3 primary (GPS), HP-UX
Service Area: West Coast USA
Access Policy: open access
Contact: timer@cup.hp.
The time server ntp-cup.external.hp.com is the appropriate time server because it is only 5 milliseconds from the NTP client and it is the right choice for a public time server. The ping command round-trip time determines whether this time server is the right choice for a public time server.

Example 2: Evaluating Time Servers in Eastern United States
For a time server located on the east coast of Northern America, following are the details:
ntp.ctr.columbia.edu (128.59.64.
(tick.CS.UNLV.EDU). As before, this is due to networking problems between client and server (New York to Las Vegas, over 3000 km), not some fault with the NTP implementation at either end. This time server at Columbia is currently synchronized to NAVOBS1.MIT.EDU, but three others (marked with "+" in column one) are attractive and could step in immediately if NAVOBS1 failed for any reason.

Example 3: Evaluating Time Servers in Australia
Look at a time server in Australia. Here are the details:
ntp.adelaide.
Table 4-4 Evaluating Time Sources in Australia
     remote           refid      st t when poll reach   delay   offset    disp
==============================================================================
.otto.bf.rmit.ed 130.155.98.1     2 u  229 1024  376    16.34    7.132    7.87
.student.ntu.edu murgon.cs.mu.OZ  2 u   47  128  377    81.34    5.166    5.25
.203.31.96.1     murgon.cs.mu.OZ  2 u   13  256  373   115.74   30.147   38.54
.203.172.21.222  tick.usno.navy.  2 u   43 1024  367   866.64   47.316   65.32
-128.184.1.4     tictoc.tip.CSIR  2 u   99  128  377    13.40   -2.976    5.66
 129.127.40.
not vary a lot as more packets are exchanged. Less than 1 millisecond is an excellent dispersion value for a trip of 15,000 kilometers. The time server in Australia is working out better than expected at this distance, but it is still noticeably poorer than the other choices that are in North America. The time server at Columbia is better than the time server in Australia, due to the closer distance, but still noticeably worse than all of the other time sources.
options on the command line when you start xntpd. While xntpd is running, you can also display xntpd variables and modify configuration options using the ntpq and xntpdc utilities. For more information, type man 1M xntpd, man 1M ntpq or man 1M xntpdc at the HP-UX prompt.

The NTP Configuration File
The NTP configuration file, /etc/ntp.conf, contains the initial values for synchronization sources, modes and other related information. The xntpd daemon reads the /etc/ntp.
a. Uncomment the following fudge line found at the end of the file /etc/ntp.conf server 127.127.26.1.
#fudge 127.127.26.1 time1 -0.955
b. Make a link to the device file that corresponds to the serial port you are connecting to the GPS unit by typing the following:
/usr/bin/ln -s /dev/tty0p0 /dev/hpgps1 (device name for HP GPS)
• For the local NTP Machine, add the following lines at the end of the /etc/ntp.conf file:
server 127.127.1.1
fudge 127.127.1.
Advanced NTP Topics
This section includes advanced NTP topics and is ideal for experienced users.
Stratum-2 and -3 Time Servers
Stratum-2 time servers use stratum-1 servers as their time source. Likewise, stratum-3 servers use stratum-2 servers as their time sources. The maximum stratum level a server can have is 15.

Time Server Roles
An NTP time server can take different roles in its relationships with other time servers in the synchronization subnet. A time server can take one or more of the following roles:
• Server— Provides time to clients when requested.
Planning a Multiple-Server NTP Configuration
You must consider the following guidelines when planning your configuration:
• Every NTP hierarchy must have at least one stratum-1 server. You can configure the administrative domain to contain outside sources of synchronization, which ultimately link to a stratum-1 server, or you can implement your own hierarchy of NTP time servers with one or more stratum-1 servers.
• peer host IP_address specifies that host must provide time to the local host with which the local host can synchronize its time, and the local host must also provide time to the host.
• server host IP_address specifies that host must provide time that the local host can synchronize to, and the local host does not provide time to which the host can synchronize. (The local host is a client for the host.
NOTE: Every node in an NTP hierarchy must have either a server statement or a broadcastclient yes statement in its configuration file. Every node must have an upper-level server. A stratum-1 server must also have a server statement in its configuration file, which specifies a radio clock or internal system clock as a time source. If the local host assumes the role of a server in providing time to the clients, you need not configure the local host as a time server on the local system.
For more information on configuring external clocks, type man 1M xntpd at the HP-UX prompt. Figure 4-4 shows the peer, server, and broadcast statements that are configured for all the servers.

Figure 4-4 Example Configurations

You must configure the time server in the client system. For example, if Penelope is a client for Bonita, you must configure the name or IP address of Bonita on Penelope. You need not configure Penelope as a client on Bonita.
Configuring Authentication
Authentication is a mechanism used to prevent unauthorized access to time servers. Authentication is enabled on a system-by-system basis. Once enabled on a system, authentication applies to all NTP relationships configured on the system. If you enable authentication on a host, the host synchronizes time only with those time servers that send messages encrypted with a configured key.
Figure 4-5 Authentication Example

In Figure 4-5, authentication is enabled for both Penelope and Golden. An NTP time request from Penelope to Golden includes the authentication fields: key ID (10) and a checksum encrypted with the key (tickle) corresponding to key ID 10. When Golden receives this request, it uses the packet’s key ID field (10) to look up key ID 10 in its key file (tickle), recomputes the checksum, and compares the checksum with the authentication field in the request.
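The exchange between Penelope and Golden, as an added Python example (not HP's code and not part of this guide). It assumes an M (MD5) type key, for which NTP computes the checksum as the MD5 digest of the key followed by the 48-byte packet header and appends the key ID and digest to the packet; the key file layout, the second key and the timestamp are constructed, and the trusted-ID set plays the role of the -t key option.

```python
import hashlib
import hmac
import struct

# Constructed key file in "key-ID type key" layout (assumed format). Key ID 10
# and the key "tickle" are the guide's example; the second entry is made up.
KEY_FILE = """\
10 M tickle
11 M constructed-key
"""
HEADER_LEN = 48          # NTP header without authentication fields
MAC_LEN = 4 + 16         # key ID + MD5 digest


def load_keys(text):
    """Map key ID -> key bytes for every MD5-type entry in the key file."""
    keys = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) == 3 and parts[1] == "M":
            keys[int(parts[0])] = parts[2].encode("ascii")
    return keys


def build_request(transmit_timestamp):
    """48-byte client request: LI=0, VN=3, mode=3 (client), other fields zero."""
    first_word = struct.pack("!BBbb", (0 << 6) | (3 << 3) | 3, 0, 6, -6)
    return first_word + bytes(12) + bytes(24) + struct.pack("!Q", transmit_timestamp)


def checksum(key, header):
    return hashlib.md5(key + header).digest()


def sign(header, key_id, keys):
    """Sender side (Penelope): append key ID and checksum to the header."""
    return header + struct.pack("!I", key_id) + checksum(keys[key_id], header)


def verify(packet, keys, trusted_ids):
    """Receiver side (Golden): look up the key ID, recompute, compare."""
    if len(packet) == HEADER_LEN:
        return "unauthenticated"
    if len(packet) != HEADER_LEN + MAC_LEN:
        return "malformed"
    header, mac = packet[:HEADER_LEN], packet[HEADER_LEN:]
    (key_id,) = struct.unpack("!I", mac[:4])
    if key_id not in keys:
        return "unknown-key"
    if key_id not in trusted_ids:
        return "untrusted-key"
    # Constant-time comparison of the recomputed and received checksums.
    if not hmac.compare_digest(checksum(keys[key_id], header), mac[4:]):
        return "bad-checksum"
    return "ok"


if __name__ == "__main__":
    keys = load_keys(KEY_FILE)
    request = sign(build_request(0xD000000000000000), 10, keys)
    print(verify(request, keys, trusted_ids={10}))
```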
IMPORTANT: The startup script automatically calculates the proper value for authdelay for the local system and writes it into the configuration file /etc/ntp.conf. Do not modify this value.
• -k keyfile
This option specifies the file that contains the encryption keys used by xntpd.
• -t key
This option specifies the encryption key IDs that are trusted as synchronization sources.

Restricting Incoming NTP Packets
xntpd provides a mechanism for restricting access to the local daemon from certain sources.
Table 4-6 Restrict Option Flags (continued)
Flag | Effect
nopeer | Provide time service, but do not form peer association.
notrust | Do not use the host as a synchronization source.

A restriction list entry with no flags set leaves matching hosts unrestricted. A source address of an incoming packet may match several entries in the restriction list. The entry that matches the source address most specifically is the entry that is applied.
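The most-specific-match rule, as an added Python example (not HP's code and not part of this guide). It parses restrict lines of the form "restrict address [mask netmask] [flag ...]", picks the entry that applies to a source address, and lists the flags a narrower entry drops relative to the broader entry around it; the configuration is constructed, and nomodify and noquery are standard restrict flags that the visible part of Table 4-6 does not show.

```python
import ipaddress

# Constructed /etc/ntp.conf fragment; only the 193.100.100.7 entry mirrors the guide.
NTP_CONF = """\
restrict default notrust nomodify
restrict 193.100.0.0 mask 255.255.0.0 nopeer
restrict 193.100.100.0 mask 255.255.255.0 nomodify noquery
restrict 193.100.100.7            # local host address is unrestricted
server 127.127.1.1
"""


def parse_restrict(conf):
    """Return [(IPv4Network, sorted flag list)] for every restrict line."""
    entries = []
    for raw in conf.splitlines():
        tok = raw.split("#", 1)[0].split()
        if len(tok) < 2 or tok[0] != "restrict":
            continue
        addr, rest = tok[1], tok[2:]
        if addr == "default":
            net = ipaddress.ip_network("0.0.0.0/0")
        else:
            mask = "255.255.255.255"              # no mask given: single host
            if rest[:1] == ["mask"] and len(rest) >= 2:
                mask, rest = rest[1], rest[2:]
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        entries.append((net, sorted(rest)))
    return entries


def effective_restriction(entries, source):
    """Return (entry, flags) for the longest-mask entry containing the source."""
    ip = ipaddress.ip_address(source)
    hits = [e for e in entries if ip in e[0]]
    if not hits:
        return None, []                           # nothing matched: unrestricted
    net, flags = max(hits, key=lambda e: e[0].prefixlen)
    return str(net), flags


def lifted_flags(entries):
    """For each entry, flags of the next broader entry that it does not repeat.

    Flags are not inherited: a narrower entry replaces the broader one, so
    every flag listed here is silently dropped for the narrower range.
    """
    report = {}
    for net, flags in entries:
        parents = [e for e in entries if e[0] != net and net.subnet_of(e[0])]
        if parents:
            _, parent_flags = max(parents, key=lambda e: e[0].prefixlen)
            report[str(net)] = sorted(set(parent_flags) - set(flags))
    return report


if __name__ == "__main__":
    table = parse_restrict(NTP_CONF)
    for src in ("193.100.100.7", "193.100.100.9", "193.100.5.5", "8.8.8.8"):
        print(src, effective_restriction(table, src))
    print(lifted_flags(table))
```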
#local host address is unrestricted
restrict 193.100.100.7

Starting and Stopping xntpd
To start xntpd, do one of the following:
• Set the environment variable XNTPD to 1 in the file /etc/rc.config.d/netdaemons. This causes xntpd to start automatically when you boot the system.
• Issue the following command to run the xntpd startup script:
/sbin/init.d/xntpd start
You can specify command-line arguments for starting xntpd with the XNTPD_ARGS environment variable in the file /etc/rc.config.d/netdaemons.
NOTE: When you specify time-related configuration options in the /etc/ntp.conf file, you specify the values in seconds. ntpq, however, displays time values in milliseconds, as specified by RFC 1305 (Network Time Protocol (Version 3) – Specification and Implementation) NTP standard.

Verifying ntpq
Use ntpq to verify whether:
• xntpd can form associations with other NTP hosts.
• Synchronization is happening correctly.
□ - indicates a host discarded by the clustering algorithm.
□ blank indicates a host is discarded due to high stratum and/or failed sanity checks.
• The refid (reference identification) column indicates the current source of synchronization for the remote host. .WWVB. indicates that the host uses a radio clock that receives time signals from the U.S. government radio station WWVB.
• The st (stratum) column indicates the stratum level of the remote host.
Verifying That xntpd is Running
Issue the following command to determine if xntpd is running:
/usr/bin/ps -ef | /usr/bin/grep xntpd
This command reports the process identification (PID), current time, and the command invoked (xntpd). Following is an example output:
daemon 4484 1 0 Feb 18 ? 0:00 xntpd
Ensure that syslogd is configured to log daemon information messages to the file /var/adm/syslog/syslog.log. To check this configuration, ensure that the file /etc/syslog.
Query with Debug Option
If you cannot form an association with a server or peer, stop the local xntpd and send a time request to the server or peer using the ntpdate command and the debug (-d) option, as shown in the following example:
#/sbin/init.d/xntpd stop
#/usr/sbin/ntpdate -d server
The debug (-d) option prints information about the requests sent to the remote xntpd daemon, and the information returned by the remote xntpd. The ntpdate command fails if xntpd is already running on the local system.
adjustments, it indicates a network congestion problem. To review this problem, do the following steps:
1. Run ntpq -p
2. Examine the dispersion statistics.

Common Problems
This section covers typical problems with ntp operation.

Problem 1: No suitable server for synchronization found.
Every NTP time hierarchy must have at least one stratum-1 server configured with an external time source, such as an attached radio clock (Netclock/2 WWVB Synchronized Clock) or the local system clock.
first reception writes a value of 16000 seconds to the disp value for the broadcastclient entry. Because the client or peer polls the timeserver in case of a server entry, the original disp value is set to disp. For HP-UX NFS Diskless Clusters, the /sbin/init.d/xntpd script on the diskless clients executes xntpdate to synchronize time with the diskless cluster server before starting xntpd. You can also specify a trusted time server explicitly in the file /etc/rc.config.d/netdaemons, and /sbin/init.
5 Troubleshooting Internet Services
This chapter describes how to troubleshoot the Internet Services software. It discusses the following topics:
• “Troubleshooting Overview” (page 75)
• “Troubleshooting Tips” (page 78)
• “Reporting Problems to Your Hewlett-Packard Support Contact” (page 87)

Troubleshooting Overview
Troubleshooting data communications problems may require you to investigate many hardware and software components. Some problems can be quickly identified and resolved.
— When using a nodal management utility?
— When transmitting data?
• Does the problem affect all users? The entire node? Has anything changed recently? The possibilities are as follows:
— New software and hardware installation.
— Same hardware but changes to the software. Has the configuration file been modified? Has the HP-UX configuration been changed?
— Same software but changes to the hardware.
Table 5-1 Diagnostic Tools (continued) Tool Description ping A diagnostic program that verifies the physical connection to a remote host and reports the round-trip communication time between the local and remote hosts. (Type man 1M ping for more information.) psidad A utility under DUI that can help to identify problems on the PSI/800 board/card. rlb A diagnostic program that tests LAN connections to other HP computers. rlb does not test a connection to an HP 1000 computer.
Figure 5-1 Troubleshooting Networks that Use Repeaters The same concept holds for communication through a gateway. If you suspect a gateway problem, try the following procedures: • To determine if you are set up to communicate with the desired node, execute the following: netstat -r • To obtain routing statistics, execute the following: netstat -rs The statistics could indicate a bad route, suggesting a problem with a gateway node.
A better solution is to use the terms client and server. The term client refers to a process that is requesting a service from another process. The term server refers to a process or host that performs operations requested by local or remote hosts that are running client processes. HP has implemented a super-server known as the Internet daemon, inetd. This program acts like a switchboard; that is, it listens for any request and activates the appropriate server based on the request.
Error Messages

The error messages generated by a service as seen on the client can be generated by the client or by the server. Error messages from the client occur before a connection is completely established. Error messages from the server occur after a connection is completely established. Whenever you receive an error message, follow the corrective action supplied in the manpage for that service. The error message is preceded by the name of the service.
Flowchart 1. Checking for a Server

Follow Flowchart 1 for all services and servers, and replace the words service and server with the appropriate service name or server name.

Figure 5-3 Flowchart 1. Checking for a Server

1A. Assumptions. Before you begin Flowchart 1, you should have verified local node operations and verified connectivity with ping (see the troubleshooting section of Installing and Administering LAN/9000 Software).
1B. List current servers.
Table 5-3 Servers Required for Each Service (continued)
*.telnet   telnet           LISTEN
*.login    rlogin           LISTEN
*.shell    remsh, rcp       LISTEN
*.exec     rexec library    LISTEN
*.who      rwho, ruptime
*.smtp     sendmail SMTP    LISTEN
*.tftp     tftp             LISTEN
*.bootps   bootpd           LISTEN
*.finger   fingerd          LISTEN

UDP-based protocols are datagram driven, so they do not show a TCP LISTEN status.

1C. Server exists for service? If the server does not exist for the requested service, continue with 1D to determine why.
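The check in steps 1B and 1C can be scripted; the following is an added example, not part of the HP guide, that classifies each local address from the rows of Table 5-3 shown here as LISTEN, BOUND (socket present without a TCP state, as for UDP servers) or MISSING. It assumes the server list comes from netstat -a, whose command line is not shown in this excerpt; the sample output and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the Table 5-3 server addresses in `netstat -a` output.
# EXPECTED holds only the local addresses listed in the part of Table 5-3 shown here.
EXPECTED="*.telnet *.login *.shell *.exec *.who *.smtp *.tftp *.bootps *.finger"

# Constructed sample of `netstat -a` output (not captured from a real host).
SAMPLE='Proto Recv-Q Send-Q  Local Address   Foreign Address   (state)
tcp        0      0  *.telnet        *.*               LISTEN
tcp        0      0  *.login         *.*               LISTEN
tcp        0      0  *.smtp          *.*               LISTEN
udp        0      0  *.who           *.*
tcp        0      0  host1.telnet    host2.1025        ESTABLISHED'

# check_servers: read netstat -a text on stdin and print "<address> <status>"
# for every expected address. MISSING means no server socket exists, which is
# the case that sends you on to step 1D.
check_servers() {
    awk -v expected="$EXPECTED" '
        BEGIN { n = split(expected, want, " ") }
        $1 ~ /^(tcp|udp)/ {
            # Field 4 is the local address; field 6, if present, is the TCP state.
            if ($6 == "LISTEN") state[$4] = "LISTEN"
            else if (!($4 in state) && $5 == "*.*") state[$4] = "BOUND"
        }
        END {
            for (i = 1; i <= n; i++)
                print want[i], ((want[i] in state) ? state[want[i]] : "MISSING")
        }'
}

# missing_servers: print only the addresses with no server socket, space separated.
missing_servers() {
    check_servers | awk '$2 == "MISSING" { print $1 }' | tr '\n' ' ' | sed 's/ $//'
}

printf '%s\n' "$SAMPLE" | check_servers
```

On a live system, pipe the real command output into the function instead of the sample: netstat -a | check_servers.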
must be owned and executable by root only. The file fingerd must be owned and executed by bin only. No other user should have permission to write them, although all users can read them. Table 5-5 lists the entries that are required in the /etc/services file.
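The ownership rule above can be audited per file; the following is an added example, not part of the HP guide, that reports a wrong owner, group or other write permission, and group or other execute permission. The function name is hypothetical, the caller supplies the server file path and its expected owner (root, or bin for fingerd), and the demonstration runs on a constructed temporary file.

```shell
#!/bin/sh
# Added example: audit one server file against the ownership rule above.
# Usage: check_server_file <path> <expected-owner>
# Prints "OK" or the violations found; returns non-zero on any violation.
check_server_file() {
    file=$1; owner=$2; problems=""
    if [ ! -f "$file" ]; then echo "missing: $file"; return 2; fi
    # ls -ld prints the mode string in field 1 and the owner name in field 3.
    mode=$(ls -ld "$file" | awk '{ print $1 }')
    actual=$(ls -ld "$file" | awk '{ print $3 }')
    if [ "$actual" != "$owner" ]; then
        problems="$problems owner-is-$actual"
    fi
    # Mode string layout: file type, then rwx for user, group and other.
    gw=$(printf '%s' "$mode" | cut -c6); ow=$(printf '%s' "$mode" | cut -c9)
    gx=$(printf '%s' "$mode" | cut -c7); ox=$(printf '%s' "$mode" | cut -c10)
    case "$gw$ow" in *w*) problems="$problems group-or-other-writable" ;; esac
    # x, s and t in these positions all mean the execute bit is set.
    case "$gx$ox" in *[xst]*) problems="$problems group-or-other-executable" ;; esac
    if [ -z "$problems" ]; then echo "OK"; return 0; fi
    echo "$file:$problems"
    return 1
}

# Demonstration on a constructed stand-in for a server binary.
demo=$(mktemp)
me=$(ls -ld "$demo" | awk '{ print $3 }')
chmod 544 "$demo"; check_server_file "$demo" "$me"          # owner-only execute: OK
chmod 566 "$demo"; check_server_file "$demo" "$me" || :     # writable by group and other
rm -f "$demo"
```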
1F. Reconfigure the Internet daemon. To reconfigure inetd, execute the following as superuser:
  /usr/sbin/inetd -c
Continue with 1G.
1G. Go to 1B. Repeat flowchart from 1B to check if the server exists.

Flowchart 2. Security for telnet and ftp

Even though a server exists for a service, the server may not accept connections due to the security that has been implemented for the server. Follow Flowchart 2 to troubleshoot security for telnet and ftp services.

Figure 5-4 Flowchart 2.
2B. Maximum number of connections? The maximum number of simultaneous connections is specified in the optional file /var/adm/inetd.sec. When inetd is configured, it checks this file to determine the number of allowable incoming connections. Look at this file to determine how many connections are allowed. The default is 1000.
2B1. See the node manager. If the maximum number of connections has been reached, the node manager can change this value in the /var/adm/inetd.sec file.
2C.
2G. See the node manager. You are not allowed to use ftp to access the server system. Check with the node manager of the server system and request that the appropriate user name be removed from the /etc/ftpusers file.
2H. ftp should work. If you have reached this point in the flowchart, the ftp server exists and you have access to the system. If you are using correct syntax and none of the error messages have solved the problem, report the problem to your Hewlett-Packard support contact.

Flowchart 3.
-l option with rlogin. If the desired user name does not exist on the server host, continue with 3B.
3A1. Accessing server system as yourself? If not, go to 3D.
3A2. Are you superuser? If you are, go to 3D; otherwise, continue with 3C.
3B. Cannot access. Because your user name or the user name that you want to use to log on does not exist on the remote system, you cannot log on to the remote system unless the remote system’s node manager creates an account for you.
3C. Entry in server’s /etc/hosts.
If you have a service contract with HP, document the problem as a Service Request (SR) and forward it to your Hewlett-Packard support contact. Include the following information where applicable:
• A characterization of the problem. Describe the events leading up to and including the problem. Attempt to describe the source of the problem. Describe the symptoms of the problem and what led up to the problem.