Configuring and Managing MPE/iX Internet Services HP 3000 MPE/iX Computer Systems Edition 4 Manufacturing Part Number: 32650-90897 E0400 U.S.A.
Notice The information contained in this document is subject to change without notice. Hewlett-Packard makes no warranty of any kind with regard to this material, including, but not limited to, the implied warranties of merchantability or fitness for a particular purpose. Hewlett-Packard shall not be liable for errors contained herein or for direct, indirect, special, incidental or consequential damages in connection with the furnishing or use of this material.
Contents

1. Introduction to Internet Services
   Overview of Internet Services
   Summary of HP 3000 Internet Services
   System Requirements
   Verifying Installation of Internet Services Files

   Summary of inetd Command Line Options
   Using inetd Message Logging
   Connection Logging
   Enable and Disable Connection Logging

5. TFTP Service
   Overview of tftpd
   Configuring tftpd
   Editing the Services File
   Adding TFTP Service to inetd Configuration

   Global Printer Service Options
   Controlling User Access Rights
   Share Configuration Options
   Setting the Shared Directory

   Configuring the DNS Resolver
   List of Utilities
   DNS and Electronic Mail
   MX Records

   Log on as MGR.APACHE
   Create Your Private Server Key
   Create Your Certificate Signing Request (CSR)
   Submit Your CSR to an External Trusted CA For Signing...

Figures
   Figure 7-1. HP 3000 Interoperating With Microsoft Platforms
   Figure 7-2. SMB Protocol
   Figure 7-3. SMB NegProt Connection
   Figure 7-4. SMB Sesssetup Connection
   Figure 7-5.

Tables
   Table 1-1. Summary of HP 3000 Internet Services
   Table 1-2. Configuration Files
   Table 2-1. The Internet Daemon Files
   Table 4-1. Files for bootpd
   Table 7-1.
Preface This manual describes how to configure and operate Internet Services on the HP 3000. It is written for members of the system administration staff who have been assigned system manager (SM) or system supervisor (OP) capability and who are responsible for installing, configuring and managing system and network software. As such, it presumes a good understanding of networking concepts and familiarity with HP 3000 system operations.
Appendix C , “BIND 8.1 Enhanced Features,” describes the options and enhanced features available. Appendix D , “Server Configuration Migration,” describes configuration migration utilities. Appendix E , “Configure and Run Syslog/iX,” describes the parameters in a syslog configuration file.
Introduction to Internet Services 1 Introduction to Internet Services The HP 3000 Internet Services consist of a set of programs that help the HP 3000 computer exchange information with other nodes on the internet. The Internet Services offered on the HP 3000 are a subset of the Internet Services available on the HP 9000, which were previously called the ARPA Services.
Overview of Internet Services

Internet Services on the HP 3000 consist of eight individual services that enable the HP 3000 to communicate with other nodes on an internetwork. The program and configuration files needed to run Internet Services are part of the MPE/iX Fundamental Operating Software. No separate software product is necessary to use Internet Services.
Introduction to Internet Services Overview of Internet Services System Requirements The Internet Services program and configuration files come with version C.55.00 or greater, of the MPE/iX Fundamental Operating Software (FOS). (The exception to this is the Telnet Client, which was made available to customers on the earlier version of MPE/iX, C.50.00.) As part of MPE/iX FOS, Internet Services can run on any Precision Architecture-RISC model of the HP 3000.
You will see information similar to the following:

   :nmmaint,73
   NMS Maintenance Utility 32098-20014 B.00.09 (C) Hewlett Packard Co. 1984
   WED, JUL 23, 1997, 11:08 AM
   Data comm products build version: N.55.
Introduction to Internet Services Overview of Internet Services To view the group of files installed in NET.SYS, enter: :LISTFILE @.NET.SYS To configure Internet Services, you will do one of two things: • If there are configuration files already in use, you will add the information needed to use each of the Internet Services to those files.
Installed Configuration Files

If you install and configure all of the Internet Services according to the instructions in this manual, you will have the set of files described in Table 1-2.

Table 1-2 Configuration Files

   Sample name         MPE name space      HFS name space      Description
   SERVSAMP.NET.SYS    SERVICES.NET.
Introduction to Internet Services Services File Services File The services file associates an official service name and alias with the port number and protocol that a service uses. You will edit the services file for each new service that you want to add to your system. The remaining chapters in this book, which describe the configuration of individual services, will assume that you know the following information. And, of course, you can refer back to this section as needed.
   discard      9/udp    sink null
   #
   # Daytime
   #
   daytime     13/tcp
   daytime     13/udp
   #
   # Character Generator
   #
   chargen     19/tcp    ttytst source
   chargen     19/udp    ttytst source
   ftp         21/tcp
   telnet      23/tcp
   #
   # Time
   #
   time        37/tcp    timeserver
   time        37/udp    timeserver
   domain      53/tcp    nameserver    # Domain Name Service
   domain      53/udp    nameserver    # Domain Name Service
   bootps      67/udp                  # Bootstrap Protocol Server
   bootpc      68/udp                  # Bootstrap Protocol Client
   tftp        69/udp                  # Trivial File Tr
   DAServer   987/tcp
   shell      514/tcp    cmd
Introduction to Internet Services Protocols File Protocols File The protocols file contains a list of protocols known to the system, plus the identification number and one or more aliases for each. It is unlikely that you will need to edit the protocols file, but you may need to install and link it. Creating and Linking Protocols File You may already have a protocols file installed on your system.
Introduction to Internet Services Protocols File Viewing Protocols File Use an MPE text editor to open the file. It is unlikely that you will need to edit the file, but you can look at it now to familiarize yourself with its contents. # This file associates protocol numbers with official protocol names and # aliases. This allows the user to refer to a protocol by a symbolic # name instead of a number.
Internet Daemon 2 Internet Daemon The Internet daemon inetd is the master server (sometimes called a “superserver”) for the Internet Services. When it is running, inetd listens for connection requests for the services listed in its configuration file and, in response to such requests, starts the appropriate server. You, as system manager, determine which Internet Services are available to your users by editing the inetd configuration file.
Overview of inetd

The Internet daemon, or inetd, is the master server that coordinates the use of individual network services on your system. It listens for connection requests from other nodes on the network that want access to a service such as tftpd or bootpd. The Internet daemon checks whether the requesting node has permission to use the service, starts the appropriate server if it does and, optionally, records information about the connection request.
Internal Services Provided by inetd

The Internet daemon provides several internal trivial services, which are described here.

   Service    Description
   echo       Returns a character to the socket that sent it
   discard    Discards all input from the socket
   chargen    Generates characters and sends them to a socket
   daytime    Returns the current time in a format readable by people.
Internet Daemon inetd Configuration File inetd Configuration File The Internet daemon accesses the configuration data it needs by reading the file /etc/inetd.conf in the POSIX name space. When you install or update to version C.60.00 of MPE/iX, you receive a sample configuration file that you can use as a template for your own inetd configuration file if you don’t already have one.
Internet Daemon inetd Configuration File Adding New Services to inetd Configuration There are two steps required to add a new service to the suite of Internet Services offered on your system. First you enter a line of information for the specific service to the inetd configuration file. Then you have inetd reread its configuration file, which is sometimes called reconfiguring the Internet daemon.
are explained later in this chapter.) If not, enter the line now, using the “Editing Tips” section as a guideline.

NOTE: For more information on FTP, refer to Installing and Managing HP ARPA File Transfer Protocol Network Manager’s Guide or HP ARPA File Transfer Protocol User’s Guide.

3. Save the file and exit the editor program.
4. Signal inetd to reread the configuration file by entering the following command at the CI prompt: INETD.NET.
Reading an entry from left to right, these fields are:

   Field          Purpose
   service name   The name of the service in the services file.
   socket type    Either stream if the socket is a stream socket, or dgram if the socket is a datagram socket.
   protocol       A valid protocol name, either tcp or udp, as entered in the protocols file.
   wait state     One of two states, wait or nowait, that applies only to datagram sockets.
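The following is an added example, not code from this manual or from inetd itself. It parses the services file and the six leading fields of an inetd configuration entry as described above, and reports the mistakes that inetd would otherwise only surface at run time: an alias used instead of the official service name, a socket type that does not fit the protocol, a wait state that does not fit the socket type, and a user field that is not an MPE USER.ACCOUNT name. Both sample files are constructed for the example, with the cmd and domain lines deliberately wrong; the MPE name rule (upper-case, a letter followed by up to seven alphanumerics on each side of the period) is an assumption of the example.

```python
"""Cross-check inetd configuration entries against the services file."""
import re

# Constructed sample services file (same layout as SERVICES.NET.SYS).
SERVICES_SAMPLE = """\
# official-name  port/protocol  aliases      (constructed sample)
telnet     23/tcp
tftp       69/udp
bootps     67/udp
shell     514/tcp   cmd
domain     53/tcp   nameserver
domain     53/udp   nameserver
"""

# Constructed sample inetd configuration; "cmd" and "domain" are wrong on purpose.
INETD_SAMPLE = """\
# service  socket  proto  wait    user         server           args   (constructed)
telnet     stream  tcp    nowait  MANAGER.SYS  internal
tftp       dgram   udp    wait    USER.TFTP    /usr/sbin/tftpd  tftpd /tmp
bootps     dgram   udp    wait    MANAGER.SYS  /usr/sbin/bootpd bootpd
cmd        stream  tcp    nowait  MANAGER.SYS  /usr/sbin/remshd remshd
domain     dgram   tcp    wait    MANAGER.SYS  /usr/sbin/named  named
"""

# Assumed MPE naming rule: USER.ACCOUNT, each part a letter plus up to 7 alphanumerics.
MPE_USER = re.compile(r"[A-Z][A-Z0-9]{0,7}\.[A-Z][A-Z0-9]{0,7}")


def strip_comment(line):
    """Drop a trailing '# ...' comment and surrounding white space."""
    return line.split("#", 1)[0].strip()


def parse_services(text):
    """Return (official, aliases): (name, proto) -> port and (alias, proto) -> official name."""
    official, aliases = {}, {}
    for line in map(strip_comment, text.splitlines()):
        if not line:
            continue
        fields = line.split()
        port, proto = fields[1].split("/")
        official[(fields[0], proto)] = int(port)
        for alias in fields[2:]:
            aliases[(alias, proto)] = fields[0]
    return official, aliases


def check_inetd_conf(text, official, aliases):
    """Return a list of (service, problem) pairs; an empty list means the file is clean."""
    problems = []
    for line in map(strip_comment, text.splitlines()):
        if not line:
            continue
        fields = line.split()
        if len(fields) < 6:
            problems.append((fields[0], "fewer than six fields"))
            continue
        name, socktype, proto, wait, user, server = fields[:6]
        # Field 1: the official name (not an alias) must exist for this protocol.
        if (name, proto) in aliases:
            problems.append((name, "alias used; official name is " + aliases[(name, proto)]))
        elif (name, proto) not in official:
            problems.append((name, "no %s entry in services file" % proto))
        # Fields 2-3: stream sockets go with tcp, datagram sockets with udp.
        if socktype not in ("stream", "dgram") or proto not in ("tcp", "udp"):
            problems.append((name, "socket type or protocol not recognised"))
        elif (socktype == "stream") != (proto == "tcp"):
            problems.append((name, "socket type %s does not match protocol %s" % (socktype, proto)))
        # Field 4: wait applies to datagram sockets; stream servers are nowait.
        if wait not in ("wait", "nowait"):
            problems.append((name, "wait state must be wait or nowait"))
        elif socktype == "stream" and wait != "nowait":
            problems.append((name, "stream services must be nowait"))
        # Field 5: the server runs with the capabilities of this MPE user.
        if not MPE_USER.fullmatch(user):
            problems.append((name, "user is not an MPE USER.ACCOUNT name"))
    return problems


def audit_sample():
    """Run the check over the two constructed samples."""
    official, aliases = parse_services(SERVICES_SAMPLE)
    return check_inetd_conf(INETD_SAMPLE, official, aliases)


if __name__ == "__main__":
    for service, problem in audit_sample():
        print("%-8s %s" % (service, problem))
```

Running the block reports the cmd line (alias instead of shell) and the domain line (dgram paired with tcp); the remaining entries pass. The same checks apply to the real SERVICES.NET.SYS and /etc/inetd.conf once read from disk.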
Internet Daemon inetd Security File inetd Security File There is an optional security file associated with inetd that allows you to control which nodes have access to the Internet Services available on your system. The inetd security file will prevent inetd from starting a service unless the node making the request has permission to do so. Individual entries in the inetd security file determine which nodes are allowed or disallowed for a particular service.
Internet Daemon inetd Security File Updating inetd Security File Each line in the inetd security file contains a service name, a permission field, and the IP addresses or domain names of the hosts and networks allowed to use that service on your host system. You can open the file to view the current security restraints or to change them. To do so: 1. Open the security file with an MPE text editor.
Editing Tips

When you edit the inetd security file, remember the following points: • To “comment out” a line, begin column 1 with a pound symbol (#). To enable a security provision that has been commented out, delete the pound symbol and any blank spaces preceding the service name. • Enter the real service name, not the alias, of a valid service in the inetd configuration file. • Separate the IP addresses and domain names with white space.
Using Range Character

You may use the range indicator (-) in any field of an address to specify a range of hosts or networks to which the allow or deny entry applies. This makes it more convenient to allow or deny a service for a group of subnets within the network you specify. The following sample entry, for example, denies hosts in subnets 3 through 5 of network 10 access to Telnet.
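As an added example (not code from this manual or from inetd), the following evaluates inetd security file entries in the form described above: a service name, allow or deny, then hosts and networks, where each address field may be a number, the wildcard *, or a range lo-hi, and a field that mixes * with digits is rejected just as inetd's own diagnostic does. Two points are assumptions of the example rather than statements of the manual: address fields omitted on the right match anything (so 10.3-5 covers 10.3.0.0 through 10.5.255.255), and a second line for the same service is reported as an error instead of being given a precedence. The sample file is constructed, with the bootps line deliberately malformed.

```python
"""Evaluate inetd security file (inetd.sec) entries for a requesting node."""

SEC_SAMPLE = """\
# service  permission  hosts and networks   (constructed sample)
telnet     deny        10.3-5
tftp       allow       10.5.10.1-20  10.5.11.*
shell      allow       adminhost.example.com
bootps     deny        10.5*.8.1
"""


def parse_octet_pattern(pat):
    """One address field -> (lo, hi). Raises ValueError on a bad field."""
    if pat == "*":
        return 0, 255
    if "*" in pat:
        raise ValueError("field contains other characters in addition to *: " + pat)
    if "-" in pat:
        lo, hi = (int(x) for x in pat.split("-", 1))
    else:
        lo = hi = int(pat)
    if not 0 <= lo <= hi <= 255:
        raise ValueError("octet out of range: " + pat)
    return lo, hi


def parse_host_pattern(pattern):
    """Return a list of (lo, hi) per field for an address pattern, or None for a domain name."""
    if not pattern[0].isdigit():
        return None
    fields = [parse_octet_pattern(f) for f in pattern.split(".")]
    if len(fields) > 4:
        raise ValueError("too many fields: " + pattern)
    return fields


def host_matches(pattern, addr, hostname):
    """Does one host/network pattern cover the requesting node?"""
    fields = parse_host_pattern(pattern)
    if fields is None:
        return pattern.lower() == hostname.lower()
    octets = [int(o) for o in addr.split(".")]
    # Assumption: fields omitted on the right are wildcards (zip stops at the shorter list).
    return all(lo <= o <= hi for (lo, hi), o in zip(fields, octets))


def parse_inetd_sec(text):
    """Return ({service: (permission, [patterns])}, [(lineno, error)])."""
    table, errors = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3 or fields[1] not in ("allow", "deny"):
            errors.append((lineno, "malformed entry"))
            continue
        service, permission, hosts = fields[0], fields[1], fields[2:]
        if service in table:
            errors.append((lineno, "duplicate entry for " + service))
            continue
        try:
            for host in hosts:
                parse_host_pattern(host)      # validate every pattern before accepting the line
        except ValueError as exc:
            errors.append((lineno, str(exc)))
            continue
        table[service] = (permission, hosts)
    return table, errors


def permitted(table, service, addr, hostname=""):
    """Would inetd start 'service' for a request from addr (or the given domain name)?"""
    if service not in table:
        return True                       # no entry: the service is open to every node
    permission, hosts = table[service]
    hit = any(host_matches(h, addr, hostname) for h in hosts)
    return hit if permission == "allow" else not hit


if __name__ == "__main__":
    table, errors = parse_inetd_sec(SEC_SAMPLE)
    for lineno, err in errors:
        print("line %d: %s" % (lineno, err))
    for service, addr in (("telnet", "10.4.1.1"), ("telnet", "10.6.1.1"), ("tftp", "10.5.10.21")):
        print(service, addr, "allowed" if permitted(table, service, addr) else "denied")
```

Note the asymmetry the manual describes: a service with no entry is open to all nodes, so an allow line restricts and a deny line only excludes the nodes named. The malformed bootps line is dropped with its diagnostic, leaving bootps unrestricted; that is why a syntax error in this file should be treated as an access-control failure and fixed before inetd is reconfigured.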
Internet Daemon Starting and Stopping inetd Starting and Stopping inetd On the HP 3000, the instructions for starting the Internet daemon are contained in the job file JINETD.NET.SYS. When you stream JINETD, it invokes the daemon and reads the inetd configuration file to determine what services have been configured, and listens for connection requests for those services. Any messages relating to inetd are sent either to the console or to $STDLIST for JINETD, which is a spool file.
Internet Daemon Starting and Stopping inetd Passwords on JINETD When you stream the job file JINETD.NET.SYS, it logs on as MANAGER.SYS. As part of the installation of inetd, you must take care of any password requirements for this job. Two of the ways that you can do this include: • Add the MANAGER.SYS passwords directly to the job file, then alter the file security afterwards so that only MANAGER.SYS can read it. For example: :ALTSEC JINETD.NET.
You will see a display of job information similar to the following:

   JOBNUM   STATE  IPRI  JIN   JLIST   INTRODUCED   JOB NAME
   #J6546   EXEC         10S   LP      THU 12:42A   TRNSPOOL,MGR.NSD
   #J6539   EXEC         10S   PP      THU 12:32A   SPOOLJ,UNISPOOL.SYS
   #J6540   EXEC         10S   LP      THU 12:41A   JINETD.NET.
Internet Daemon Using inetd Message Logging Using inetd Message Logging There are two kinds of message logging that you, as System Manager, can use to monitor and manage Internet Services on your system. The first type is event logging, which is always enabled. It records informational messages, error messages and warnings about the Internet Services. The second type is connection logging, which you can enable and disable. It records successful and failed connection attempts and its own status (on or off).
Enable and Disable Connection Logging

The same command turns connection logging on or off, depending upon its current state. So, for example, if connection logging is currently disabled, enter the following command at the CI prompt to turn it on:

   :INETD.NET.SYS -l

Or, from the POSIX shell, enter the following command:

   $/etc/inetd -l

If connection logging is enabled, use either the CI or POSIX command shown above to turn it off.
Troubleshooting inetd

This section explains the kinds of error messages you may see regarding the operation of inetd. The messages will appear either on the console or they will be sent to the $STDLIST for inetd or both, depending upon the message’s level of importance.

Message: An inetd is already running
Explanation: You attempted to start inetd when one is already running.

Message: Too many services running
Explanation: The maximum number of services allowed to access inetd simultaneously has been exceeded.

Message: file: found before end of the line
Explanation: An entry in a configuration file may need to exceed one line. If so, you indicate that the line continues by inserting a backslash at the end, then continue typing data on the next line.

The following diagnostic and error messages are generated by problems in the inetd security file.

Message: /usr/adm/inetd.sec: Field contains other characters in addition to * for service
Explanation: The wildcard character (*) is used in combination with additional integer(s) in one part of an address field, which is not allowed. For example, the Internet address 10.5*.8.
Internet Daemon Implementation Differences Implementation Differences The implementation of inetd on the HP 3000 differs from inetd on the HP 9000 in the following ways: • On the HP 3000, you normally run inetd as a job. • On the HP 3000, there is no syslogd server. Instead, all error and informational messages about inetd are automatically written to $STDLIST for inetd. When you run inetd as a job, messages are sent to the job’s output spool file.
Telnet Service 3 Telnet Service With the release of version C.55.00 of MPE/iX, Telnet server functionality is available to HP 3000 customers. The Telnet server allows users on a remote system that supports the TCP/IP and Telnet protocols to log on and run applications on the HP 3000. The Telnet client, which was first made available on version C.50.00 of MPE/iX, gives users on an HP 3000 direct access to other systems that support Telnet and TCP/IP.
Telnet Service Overview of Telnet Service Overview of Telnet Service Telnet service consists of a Telnet client and a Telnet server. The Telnet server uses the standard virtual terminal protocol, originally developed by the Advanced Research Projects Agency (ARPA) to allow users on a remote node that supports the Telnet and TCP/IP protocols to log on and run applications on the host HP 3000.
Telnet Service Verifying Installation of Telnet Files Verifying Installation of Telnet Files If you have installed or updated to version C.60.00 of MPE/iX, use the following steps to verify that the Telnet software exists on your system: 1. If necessary, log on the system as MANAGER.SYS. 2. Run NMMAINT to verify that you have successfully installed the Telnet files. :NMMAINT,72 You will see information similar to the following. NMS Maintenance Utility 32098-20014 B.00.09 (C) Hewlett Packard Co.
Telnet Service Configuring Telnet Server Configuring Telnet Server To configure Telnet, you will edit two files: the services file, which lists the individual services that comprise the suite of Internet Services, and the inetd configuration file, which informs the Internet daemon about running Telnet on this system. Editing the Services File The services file associates official service names and aliases with the port number and protocol the services use.
Telnet Service Configuring Telnet Server 5. Signal inetd to reread the configuration file by entering the following command at the CI prompt: :INETD.NET.SYS -c Or you may enter this command from the POSIX shell: $/etc/inetd -c 6. If you have added the Telnet server to the inetd configuration file while the Internet daemon is not running, you must start inetd to start the Telnet server. To do so, stream the job JINETD.NET.SYS from the CI prompt. :STREAM JINETD.NET.
Troubleshooting Telnet

This section explains the kinds of errors that may arise regarding the operation of Telnet. The Telnet client user will, in all but one case, be alerted about the problem directly; an error message will appear on the client's terminal. You, as system manager of the host system, may receive phone calls from clients asking you to investigate the problem.

Problem: Unknown service
Explanation: This message will be written to $STDLIST for JINETD.NET.

Problem: The Telnet server cannot run an application
Explanation: The Telnet client successfully establishes a Telnet connection and logs on to the host system. But, when the user runs the application, the software behaves oddly or it produces error messages.
Telnet Service Implementation Differences Implementation Differences The implementation of Telnet on the HP 3000 does not use a separate telnetd server file similar to the tftpd or bootpd server. Instead, Telnet server functionality is provided by code that resides in NL.PUB.SYS on version C.60.00 of MPE/iX. As a result, the last column of the Telnet entry in the inetd configuration file is the word “internal.” For example: telnet stream tcp nowait MANAGER.
BOOTP Service 4 BOOTP Service The Internet Boot Protocol daemon, or bootpd, is used to boot LAN devices such as routers, printers, X-terminals, and diskless workstations. Nodes on the network use bootpd to get configuration information such as an IP address and a subnet mask and automatically boot the device. This chapter describes: • How to configure bootpd. • How to start bootpd once it has been configured. • Implementation differences between bootpd for MPE/iX and bootpd for HP-UX.
Overview of bootpd

The Bootstrap Protocol BOOTP allows a client system to get boot information such as its own IP address, the address of a BOOTP server, and the name of the file it needs to load into its memory and execute in order to boot. The bootstrap operation happens in two phases. In the first phase, the client learns its own IP address and the address of a BOOTP server, and a boot file is selected; bootpd supplies this information in its reply to the client’s boot request.
BOOTP Service Configuring bootpd Configuring bootpd To configure bootpd, you will edit three files: the services file, which lists the individual services that comprise the suite of Internet Services, the inetd configuration file, which informs the Internet daemon about running bootpd on this host, and the bootpd configuration file, which contains client and relay information. These tasks are explained in the following sections.
BOOTP Service Configuring bootpd 4. Save the file and exit the editor program. 5. Signal inetd to reread the configuration file by entering the following command at the CI prompt: :INETD.NET.SYS -c Or you may enter this command from the POSIX shell: $/etc/inetd -c 6. If you have added bootpd to the inetd configuration file while the Internet daemon is not running, you must start inetd to start the BOOTP server. To do so, stream the job JINETD.NET.SYS from the CI prompt. :STREAM JINETD.NET.
BOOTP Service The bootpd Configuration File The bootpd Configuration File When bootpd is started, it reads a configuration file to find out information about clients and relays, then listens for boot request packets. By default, bootpd uses the configuration file /etc/bootptab, but you may specify another configuration file.
BOOTP Service The bootpd Configuration File Adding Client and Relay Data to bootpd Configuration File To allow a client to boot from your local system or to allow a boot request to be relayed to the appropriate boot server, you must add information about the client to the bootpd configuration file. This file contains client entries and relay entries. Client entries provide the information necessary to allow clients to boot from your system.
forwarded.

Syntax of bootpd Configuration Entries

An entry in the bootpd configuration file consists of a single logical line with the following format, the items being separated by colons:

   hostname:tag=value:tag=value:tag=value

The hostname is the actual name of a BOOTP client and the tag is a two-character case-sensitive symbol. Most tags are followed by an equal sign and a value, as shown above, though some tags do not require a value.
Tag: gw=ip address list
Description: Specifies the IP address of one or more gateways for the client’s subnet. If you prefer one of multiple gateways, list it first.

Tag: ha=hardware-address
Description: Specifies the hardware address of the client in hexadecimal. You may include periods and/or a leading 0x for readability. The ha tag must be preceded by the ht tag either explicitly or implicitly; see tc below.

Tag: to=offset
Description: Specifies the client’s time zone offset in seconds from UTC. The time offset can be either a signed decimal integer or the keyword auto, which uses the server’s time zone offset.

Tag: ts=ip_address_list
Description: Specifies the IP address of one or more RFC868 Time Protocol servers.
Sample bootpd Configuration Files

The two following examples show sample bootpd configuration files. The first example shows the configuration for a simple network without gateways or subnets.

   #
   #
   # The first entry is the template for options common to all of the printers.
   #
   #global.defaults:\
   #    hn:\
   #    ht=ether:\
   #    vm=rfc1048:\
   #
   # Now the actual entries for the individual printers are listed.
   #
   #printer1:\
   #    tc=global.
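The following is an added example for the entry syntax and the sample files above; it is not bootpd’s own parser and not code from this manual. It joins backslash-continued lines, splits the colon-separated tag items, resolves a tc= reference to an earlier template entry, and normalises ha= values written with periods and/or a leading 0x, then looks up the entry bootpd would answer for a given hardware address. Assumptions of the example: the entry’s own tags override those inherited from the template, a tag given without a value (such as hn) is stored as True, and the template must appear earlier in the file than the entries that use it. The bootptab text is constructed.

```python
"""Parse a bootptab file with template (tc=) inheritance and look up clients by hardware address."""

BOOTPTAB_SAMPLE = """\
# constructed sample bootptab: one template, a printer, and an X terminal
global.defaults:\\
    hn:\\
    ht=ether:\\
    vm=rfc1048:\\
    sm=255.255.255.0:\\
    gw=10.5.8.1
printer1:\\
    tc=global.defaults:\\
    ha=0x08.00.09.12.34.56:\\
    ip=10.5.8.21:\\
    bf=/tftpboot/printer1.cfg
xterm7:\\
    tc=global.defaults:\\
    ht=ieee802:\\
    ha=0800091A2B3C:\\
    ip=10.5.8.37
"""


def logical_lines(text):
    """Yield entries with backslash continuations joined and comment lines dropped."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1].strip()
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf


def normalize_ha(value):
    """'0x08.00.09.12.34.56' -> '080009123456' (12 lower-case hex digits)."""
    digits = value.lower().replace(".", "")
    if digits.startswith("0x"):
        digits = digits[2:]
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError("bad hardware address: " + value)
    return digits


def parse_entry(line):
    """'host:tg=value:tg:...' -> (host, {tag: value or True}) in file order."""
    host, _, rest = line.partition(":")
    tags = {}
    for item in rest.split(":"):
        item = item.strip()
        if not item:
            continue
        tag, has_value, value = item.partition("=")
        if len(tag) != 2:
            raise ValueError("tag %r in entry %s is not two characters" % (tag, host))
        tags[tag] = value if has_value else True
    return host.strip(), tags


def parse_bootptab(text):
    """Return {hostname: resolved tags}; an entry's own tags override its template's."""
    entries = {}
    for line in logical_lines(text):
        host, tags = parse_entry(line)
        resolved = {}
        template = tags.pop("tc", None)
        if template is not None:
            if template not in entries:
                raise ValueError("entry %s uses unknown template %s" % (host, template))
            resolved.update(entries[template])
        resolved.update(tags)
        if "ha" in resolved:
            if "ht" not in resolved:          # the manual: ha must be preceded by ht
                raise ValueError("entry %s has ha without ht" % host)
            resolved["ha"] = normalize_ha(resolved["ha"])
        entries[host] = resolved
    return entries


def lookup_by_hardware_address(entries, ha, htype="ether"):
    """Return (host, tags) for the client with this hardware address and type, or None."""
    wanted = normalize_ha(ha)
    for host, tags in entries.items():
        if tags.get("ha") == wanted and tags.get("ht") == htype:
            return host, tags
    return None


if __name__ == "__main__":
    for host, tags in parse_bootptab(BOOTPTAB_SAMPLE).items():
        print(host, tags)
```

Because the file is consulted by hardware address, a mistyped ha value does not produce an error at startup; it produces a client that never gets an answer, or one that receives another client’s configuration. Validating the hexadecimal and the ha/ht pairing at parse time, as above, catches this before the device is rebooted.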
BOOTP Service Starting bootpd Starting bootpd To successfully start bootpd, you must have a current and correct configuration file for it. The default file is /etc/bootptab but you may use an alternate configuration file by specifying its POSIX file name on the command line. Without this configuration file, bootpd will not be able to service BOOTP requests. You can run bootpd under the Internet daemon only. You may not run it as a standalone server.
BOOTP Service Troubleshooting bootpd Troubleshooting bootpd The BOOTPQRY program is a diagnostic tool used to check the configuration of bootpd. It uses the supplied parameters to construct a boot request to send to a BOOTP server. It prints the contents of the boot reply, including the client’s Internet address, the name of a boot file, and the name and address of the server that sent the reply. BOOTPQRY formats and prints RFC1048 or CMU-style vendor information included in the reply.
bootreply. Otherwise, the server returns the bootreply directly to ipaddr.

-s   The name of the BOOTP server to which the boot request should be sent directly. When the BOOTP server is known, the boot request is not broadcast.

-v   Request vendor information for . The vendor can be specified as rfc1048 or CMU. For any other vendor specification, the first four characters of the parameter are used as the vendor magic cookie.
Implementation Differences

The implementation of bootpd on the HP 3000 differs from bootpd on the HP 9000 in the following ways: • The BOOTP entry in the inetd configuration file must have an MPE/iX compatible user name. Hewlett-Packard recommends that you use MANAGER.SYS. • You cannot run bootpd as a standalone server. It can only be run by the Internet daemon.
5 TFTP Service

The Trivial File Transfer Protocol (TFTP) is a basic communications protocol used to transmit files between nodes on a network. It is implemented on top of the Internet User Datagram Protocol (UDP), so it can be used across networks that support UDP. On the HP 3000, the TFTP daemon tftpd transfers boot files between the host HP 3000 and remote nodes on the network. This permits a network device to get the information it needs to start itself.
TFTP Service Overview of tftpd Overview of tftpd TFTP is a simplified version of the File Transfer Protocol (FTP). The primary function of the TFTP daemon tftpd is to support the Bootstrap Protocol BOOTP, which allows network devices to get the information they need to boot, or start, themselves. Network devices commonly use TFTP to transmit boot files because TFTP is simple enough to be implemented in ROM.
TFTP Service Configuring tftpd Configuring tftpd To configure tftpd, you will edit two files: the services file, which lists the individual services that comprise the suite of Internet Services, and the inetd configuration file, which informs the Internet daemon about running tftpd on this system. These tasks are explained in the next sections. Editing the Services File The services file associates official service names and aliases with the port number and protocol the services use.
TFTP Service Configuring tftpd There are two options in the tftpd entry, [user] and [path], which are explained in the next two sections. For more detailed information about editing the configuration file, read Chapter 2 , “Internet Daemon.” Specifying the TFTP User The Internet daemon runs tftpd as the user specified in the [user] parameter of its entry in the inetd configuration file. For example, this entry instructs inetd to run the TFTP server as USER.TFTP: tftp dgram udp wait USER.
TFTP Service Configuring tftpd Specifying a Search Path As an option, you can use the [path…] parameter in the inetd configuration file entry to specify the list of files or directories that are available to TFTP clients. For example, if you would like to have the /tmp and /bin directories available to TFTP clients in addition to the home group of the TFTP user, edit the line to look like this: tftp dgram udp wait USER.
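The [path...] list is the only thing standing between an unauthenticated TFTP client and the rest of the file system that the configured user can read, so the check has to be done on the resolved name, not on the string the client sent. The following added example (not tftpd’s code and not from this manual) applies the restriction described above: a request is honoured only if the name, after collapsing .. components and following symbolic links, is one of the listed files or lies inside one of the listed directories. The demo builds a throw-away directory tree with an escaping symbolic link so the checks run offline; the file names in it are constructed, and the example assumes clients send absolute POSIX names as in the entries shown above.

```python
"""Check a TFTP request against the directories and files listed for tftpd."""
import os
import tempfile


def is_permitted(requested, allowed):
    """True if 'requested' resolves to a listed file or to a path inside a listed directory."""
    if not requested.startswith("/"):
        return False                          # assumption: absolute POSIX names only
    real = os.path.realpath(requested)        # collapses '..' and follows symbolic links
    for entry in allowed:
        entry_real = os.path.realpath(entry)
        if real == entry_real and os.path.isfile(entry_real):
            return True                       # an explicitly listed file
        if os.path.isdir(entry_real) and real.startswith(entry_real.rstrip("/") + "/"):
            return True                       # inside a listed directory
    return False


def demo():
    """Construct a tree with an escaping symlink and return the verdict for each kind of request."""
    root = tempfile.mkdtemp(prefix="tftpdemo")
    boot = os.path.join(root, "tftpboot")     # the directory we intend to serve
    secret = os.path.join(root, "secret")     # a directory we must never serve
    os.mkdir(boot)
    os.mkdir(secret)
    with open(os.path.join(boot, "printer1.cfg"), "w") as fh:
        fh.write("constructed boot file\n")
    with open(os.path.join(secret, "passwd"), "w") as fh:
        fh.write("constructed secret\n")
    # A link inside the served directory that points outside it.
    os.symlink(os.path.join(secret, "passwd"), os.path.join(boot, "link"))
    allowed = [boot]
    return {
        "plain":     is_permitted(os.path.join(boot, "printer1.cfg"), allowed),
        "traversal": is_permitted(os.path.join(boot, "..", "secret", "passwd"), allowed),
        "symlink":   is_permitted(os.path.join(boot, "link"), allowed),
        "relative":  is_permitted("printer1.cfg", allowed),
        "prefix":    is_permitted(boot + "x/file", allowed),   # /tftpbootx is not /tftpboot/
    }


if __name__ == "__main__":
    for kind, verdict in demo().items():
        print("%-10s %s" % (kind, "served" if verdict else "refused"))
```

Only the plain request is served; the .. traversal, the symbolic link, the relative name and the look-alike directory prefix are all refused. A string prefix test on the unresolved name would have passed the first three.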
TFTP Service Starting tftpd Starting tftpd The TFTP daemon runs under the Internet daemon. If you have just added tftpd to the inetd configuration, you must reconfigure inetd to begin using TFTP. To reconfigure inetd, enter the following command at the CI prompt: :INETD.NET.SYS -c Or, from the POSIX shell, enter this command: $/etc/inetd -c If you have added tftpd to the inetd configuration file while the Internet daemon is not running, you must start inetd to start the TFTP server.
Troubleshooting tftpd

The following error messages may be generated by TFTP and logged with the syslog facility, if it is enabled.

Message: Unknown option ignored
Explanation: An invalid option was specified in the tftpd arguments. Remove or correct the arguments and restart tftpd.

Message: Invalid total time-out
Explanation: The value given for the -T option was either not a number or was a negative number. Correct the value and restart tftpd.
TFTP Service Implementation Differences Implementation Differences The implementation of tftpd on the HP 3000 differs from tftpd on the HP 9000 in three ways: • On HP-UX, tftpd is usually run as root. On MPE/iX, it is usually run as USER.TFTP. • On HP-UX, tftpd checks if the user tftp can write to or read the file. On MPE, tftpd checks if the user specified in its configuration file can write to or read the file. If you configure tftpd as recommended in this chapter, USER.
6 REMSH Service

The remote shell, or remsh, service is used to connect to a specified host and execute a command on that remote host. The remote shell, remsh, is available with version C.60.00 of the MPE/iX operating system. This chapter describes: • How to configure the services file to allow remsh to run. • How to verify that remsh is available on the system. • How to run remsh. • Implementation differences between remsh on MPE/iX and remsh for HP-UX.
Overview of remsh Service

The remote shell, remsh, is the same service as rsh on BSD UNIX systems. The name was changed due to a conflict with the existing command rsh (restricted shell) on System V UNIX systems. Use remsh to connect to the remote system and execute a command on that remote system. Output from the remote command is sent to standard output for remsh, so the user can see the results of the command.
Configuring remsh Client

There is only one file on the MPE/iX system that you will need to change in order to allow use of the remsh client. That is the file SERVICES.NET.SYS. However, there are some files that will need to be configured on the remote UNIX systems.

Editing the Services File

The services file associates official service names and aliases with the port number and protocol the services use. To enable remsh, you must edit the services file.
UNIX Configuration

The remsh service does not prompt for user ID and passwords. That information is handled via the command line parameters and configuration on the UNIX host. See the “Using remsh” section for details on how the user ID is determined and passed to the UNIX host. Password information is bypassed by use of a .rhosts file in the remote user’s home directory or by use of the file /etc/hosts.equiv.
Using remsh

The remsh service is accessed by running the REMSH.NET.SYS program. You may do so under the MPE/iX CI or under the POSIX shell. While the format of the commands will differ depending on how you run the program, the parameter list remains the same. For the purposes of explaining the parameters, look at a sample invocation from the POSIX shell. Detailed examples of both the POSIX shell and MPE/iX invocations will follow later.
MPE/iX Examples

To run remsh from the MPE/iX prompt, type:

    run remsh.net.sys;info="remotehost -l remoteuser remotecommand"

    jhereg(PUB): run remsh.net.
    shell/iX> taltos -l cawti pwd
    /u2/home/cawti
    shell/iX>

Troubleshooting remsh

    remsh    MPE/iX/X version won’t support rlogin or rexec functionality
             usage: remsh host -l login -n command
             Be sure to provide a command to execute.
    remshd   Login incorrect.
             Probably invalid entry in remote .rhosts file. Be sure host name and user ID are correct. User ID must be in uppercase.
Implementation Differences

The full remote shell service typically consists of two parts (the remsh client, which allows a user on this machine to access remote hosts, and the remshd server, which allows remsh clients on other hosts to access the local host). Only the remsh client functionality has been implemented on the MPE/iX system. The UNIX version of the remsh client has an optional -n parameter that tells the client not to read from STDIN.
7 Samba/iX Services

Samba/iX is a suite of programs which work together to allow clients to access a server’s file space and printers via the Server Message Block (SMB) file server. Samba/iX runs on the MPE/iX operating system starting in the MPE/iX 6.0 release. It allows the MPE/iX operating system to act as a file and printer server for SMB clients, which are primarily Windows for Workgroups, Windows 95, Windows NT, and other clients.
Overview of Samba/iX

Samba/iX is a suite of programs which allow an HP 3000 running the MPE/iX operating system to provide service using a Microsoft networking protocol called Server Message Block (SMB).
any other SMB (Server Message Block) servers. This capability enables these operating systems to act like a LAN server or Windows NT server. See Figure 7-1 for the HP 3000 interoperating with the Microsoft platforms.
Major Components of Samba/iX

Table 7-1 shows the major components of the Samba/iX suite.

Table 7-1 Major Components

    SMBD       The SMB server handles connections from clients, performing all the file, permission, and username authentication.
    NMBD       The NetBIOS name server advertises Samba/iX on the network, and helps clients locate servers.
    SMBCLIENT  Client program on MPE/iX host.
    SMB.CONF   Samba/iX runtime configuration file.
When this program is run on the HP 3000, it will be acting as a client. It is a command line program and offers an interface similar to that of the FTP program. Operations include things like “getting” files from the server to the local machine, “putting” files from the local machine to the server, retrieving directory information from the server, etc.

• SMB.CONF: The SMB.
Figure 7-2 SMB Protocol (layer diagram: Applications; SMB; NetBIOS API; NetBIOS on TCP/IP, NetBeui, NetBIOS on IPX; PPP, 802.x, Token Ring, Ethernet, Serial)

The SMB messages can be categorized into four types of messages: session control, file, printer, and message. Session control messages start, authenticate, and terminate sessions. File commands control file access and printer commands control printer access.
Figure 7-3 SMB NegProt Connection (the Client sends a NegProt command; the Server returns a NegProt response)

Once a protocol has been established, the client can proceed to log on to the server. The client now sends an SMB Session Setup command (SesssetupX); see Figure 7-4. The response indicates whether the username/password pair is valid, and if so, can provide additional information.
Samba/iX Configuration File Options

The Samba/iX configuration file contains the runtime configuration information for Samba/iX. This file contains sections and parameters. There are four special sections: the [global] section, the [printers] section, the [homes] section, and other sections. This file also contains the information required for each share (service) and defines attributes like the associated directory path and read or write access for each share.
Global Configuration Options

The global configuration options can be defined in the [Global] Section in the “smb.
Mapping PC Usernames to MPE Usernames

username map

The username map parameter allows you to map PC style usernames to MPE style usernames. You can specify the location of your username map file with the username map parameter.

Example: username map = /usr/location/samba/lib/user.map

The syntax of the username map file is simple. Each line consists of an MPE style name like manager.
Setting Logging Behavior

max log size

The max log size option specifies the maximum size in kilobytes to which log files can grow. The default maximum log file size is 5000 kilobytes. If the file exceeds the specified size, it is renamed by adding the .old extension.
Global Printer Service Options

The global printer service options allow you to specify the location of the “printcap” file and the printer command parameters used by Samba/iX. The following global printer configuration options are supported for use by HP:

load printers

The load printers parameter is used in conjunction with the printcap file and the [printers] section.
Controlling User Access Rights

allow hosts
deny hosts
Default: none

These parameters allow users to define a set of client IP addresses which will be granted access to a service. If an allow hosts option is present, only hosts matching the pattern are allowed to access the service. If a deny hosts option exists, only hosts not matching the pattern will be granted access.

Example: allow hosts = 192.1.2.
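The allow hosts / deny hosts decision above, worked through as an added Python illustration (this is not Samba/iX code). It parses a constructed share section, accepts the pattern forms Samba documents for these options (a full IPv4 address, a dotted prefix such as 192.1.2., and an address/netmask pair), and applies the single-list rules the chapter states. The behaviour for a client that appears on both lists (the allow list wins, and hosts on neither list are admitted) is taken from Samba's own documentation, which this chapter does not cover, and is marked as such in the code.

```python
"""Host access decision for a Samba-style share, added as an illustration;
this is not Samba/iX code. Pattern forms handled: a complete IPv4 address,
a dotted prefix such as "192.1.2.", and an address/netmask pair such as
"192.1.2.0/255.255.255.0"."""
import ipaddress

# Constructed share section for the demonstration.
SAMPLE_SHARE = """\
[pubshare]
    path = /SAMBA/PUB/share
    allow hosts = 192.1.2. 10.0.5.0/255.255.255.0
    deny hosts = 10.0.7. 172.16.3.9
"""


def parse_share(text):
    """Return {option: value} for one share section; option names are
    case-insensitive and may be written with spaces around '='."""
    options = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[":
            continue
        key, _, value = line.partition("=")
        options[key.strip().lower()] = value.strip()
    return options


def host_list(value):
    """Samba accepts space- or comma-separated host lists."""
    return value.replace(",", " ").split()


def pattern_matches(pattern, client):
    """True if the client IPv4 address matches one allow/deny pattern."""
    ip = ipaddress.IPv4Address(client)
    if "/" in pattern:                       # network/netmask form
        net, mask = pattern.split("/", 1)
        return ip in ipaddress.IPv4Network((net, mask), strict=False)
    if pattern.endswith("."):                # dotted prefix, e.g. "192.1.2."
        return str(ip).startswith(pattern)
    return ip == ipaddress.IPv4Address(pattern)


def host_allowed(options, client):
    """Apply the allow/deny semantics to one client address."""
    allow = host_list(options.get("allow hosts", ""))
    deny = host_list(options.get("deny hosts", ""))
    in_allow = any(pattern_matches(p, client) for p in allow)
    in_deny = any(pattern_matches(p, client) for p in deny)
    if not allow and not deny:
        return True                          # no restriction configured
    if allow and not deny:
        return in_allow                      # only listed hosts get in
    if deny and not allow:
        return not in_deny                   # everyone except listed hosts
    # Both lists present (Samba documentation, not this chapter):
    # allow wins, then deny, then everyone else is admitted.
    if in_allow:
        return True
    return not in_deny


def check_clients(text, clients):
    """Evaluate several client addresses against one share section."""
    options = parse_share(text)
    return {c: host_allowed(options, c) for c in clients}


if __name__ == "__main__":
    results = check_clients(SAMPLE_SHARE,
                            ["192.1.2.5", "10.0.7.4", "172.16.3.9", "172.16.9.1"])
    for client, ok in results.items():
        print(f"{client:>12}  {'allowed' if ok else 'denied'}")
```

Run against a real smb.conf, the useful check is the last case: when both options are set, a host on neither list is still admitted, so a share that is meant to be restricted needs an allow hosts list, not only a deny hosts list.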
Share Configuration Options

This section covers the share configuration options that you use when you configure a specific disk or printer share in the Samba/iX configuration file.

Setting the Shared Directory

path

The path parameter specifies the pathname of the shared directory.
Controlling Read/Write Access

guest ok

If guest ok is true, then guest access will be allowed. The access rights of a client connecting as guest will be those of the username set in the “guest account.”

Example: guest ok = yes
Default: guest ok = no

guest only

If guest only is true, then access to the service/share is only granted with the rights of the username given in the “guest account” parameter.
Configuring the Shares for File Sharing

PCs can access the server side filespaces using Samba/iX. Whenever a client wants to connect to the server, the server side validates the username and password sent by the client and grants access to the requested share if it is appropriate. You can configure the file service with guest access, and the Samba/iX server can then grant access to guest users without a validated user ID and password.
Here is a sample printcap file:

    LP|6|HP3000 System LP

Here is a sample of the configuration options that you may configure in the [global] and [printers] sections of the Samba/iX configuration file, smb.conf:

    [global]
    # You need to supply the IP address and subnet mask of your 3000 with the interface parameter
    interface = ip address/subnet mask
    # printcap file lists printer names for use by [printer] section
    printcap name = /usr/local/samba/lib/printcap
    # shares ma
Figure 7-6 Add a Printer

You can connect to your server shares using the NT explorer, as shown in Figure 7-7. The menu tool includes a “map network drive” item which brings up the small window shown in Figure 7-7. You connect a network drive by typing a share name with \\servername\sharename syntax in the “path” box.
Figure 7-7 Connect to the HP 3000 Shares

You can view the contents of the share from NT explorer, as shown in Figure 7-8.
Starting and Stopping Samba/iX

This section covers the steps to start or stop Samba/iX.

Starting Samba/iX

Before you start to run Samba/iX server or client components, you should have set up TCP/IP networking on your HP 3000 system as well as on your PC. On the HP 3000 system side, you should have a proper IP address and subnet mask configured in NMMGR as well as NETCONTROL START successfully executed.
The following example displays when you run the command netcontrol status; net = lan1.

    NETWORK NAME:        LAN1
    NETWORK IP ADDRESS:  $0F0DC750   15.13.188.80
    NETWORK SUBNET MASK: $0FF000000  255.0.0.0

Add PM Capability

To access share security modes, both the samba account and the mgr.samba user should have PM capabilities.

1. Logon as manager.sys
2. Add PM capability to the samba account
3. Add PM capability to the mgr.samba user

Starting SMBD and NMBD Listener Jobs

1.
Starting Samba/iX Under INETD Control

If you choose to run the SMBD and NMBD processes under control of INETD, you should have new entries in SERVICES.NET.SYS and INETDCNF.NET.SYS, and then you have to create symbolic links so that SERVICES.NET.SYS links to /etc/services and INETDCNF.NET.SYS links to /etc/inetd.conf respectively. Perform the following steps:

1. Logon as manager.sys.
2. Copy the SERVSAMP.NET.SYS file to SERVICES.NET.SYS if SERVICES.NET.
2. Use the following two commands to stop Samba/iX:

    :abortjob #smbjobnumber
    :abortjob #nmbjobnumber

NOTE  Clients connected and writing to files will lose data if an abortjob is done with clients active.

Initial Test With smbclient Utility

The smbclient utility provides access to SMB servers with an FTP-like user interface. You can run the smbclient utility in the POSIX shell environment. Logon to your MPE system as mgr.samba:

    : sh.hpbin.
    shell/iX> smbclient \\\\\\sambadoc -N -c help

This command should connect to the sambadoc share on your HP 3000, using -N to suppress the password prompt and effectively become the guest user, and display the contents of the on-line help screen of smbclient; see Figure 7-10.

Figure 7-10 smbclient for MPE/iX (2)

NOTE  All smbclient examples use the -c option to specify the command on the command line.
Figure 7-11 Display Available Shares From a PC Client

If you want to display a list of available shares on the Samba/iX server named “HP 3000”, enter the following command at the DOS prompt:

Example:

    C:\> net view \\hp3000

    C:\> net use x: \\servername\servicename

This command connects network drive X to the share \\servername\servicename.
Samba/iX Share Level Security Mode

The process of user authentication depends on whether Samba/iX is running in share level or user level mode. The “security” parameter in the configuration file is used to specify share level or user level authentication. If the “security” parameter is set to share, Samba/iX will tell clients it is granting access under share mode security.
Samba/iX Server Security Mode

Samba/iX server mode security is just one of the security policies of user level authentication. This mode of security is one of the types in processing user authentication. After the user is validated, access rights are enforced for the user. To make Samba/iX operate in server security mode:

• Add security = server in the [global] section of smb.conf. With security = server specified in smb.conf, the server security mode is on.
Troubleshooting Samba/iX Server

This section covers a list of tests you can perform to validate or diagnose your Samba/iX server. If it passes all these tests, then it is probably working fine.

Prerequisites

In all of the tests it is assumed you have a Samba/iX server 1.19.16p9 or later running on your HP 3000. It is also assumed that the PC is running Windows for Workgroups, Windows 95 or Windows NT with a recent copy of the Microsoft TCP/IP stack.
If you get a “connection refused” response, then the SMBD server is probably not running. If you get a “session request failed”, then the server refused the connection to SMBD. Check your config file (smb.conf) for syntax errors with “testparm”, as well as the various directories where Samba/iX keeps its log and lock files.
TEST 7: On the PC, type the command “net view \\SAMBAIXSERVER”. You will need to do this from within a “DOS prompt” window. You should get a list of available shares on the server. If you get a “network name not found” or similar error, then NetBIOS name resolution is not working. This is usually caused by a problem in NMBD. To overcome the error you could do one of the following (you only need to choose one):

• Fix the NMBD installation.
   • Verify full file read and create access to the user’s default home share.
2. Configure Samba/iX in Share security mode, and set passwords on file shares.
   • Verify that file and print access from PC users works.
3. Configure Samba/iX in Server security mode, pointing user validation to an NT server.
   • Verify that users logged into the Windows NT domain being used as a validation server have the appropriate access to shares and printing on Samba/iX.
4.
Using Logfiles of Samba/iX

In case of problems, check the job listings for useful error messages and also look into the Samba/iX log files /usr/local/samba/var/log.smb and log.nmb for hints. You can control the amount of log messages with the “debug level” directive inside the config file smb.conf. Increasing the log level to 3 or 4 can shed light on the cause of most problems. This may also lead to a large amount of detail being logged into these files.
8 DNS BIND/iX

BIND (Berkeley Internet Name Domain) is an implementation of the Domain Name System (DNS). It consists of a network of servers which provide a distributed database, including names and addresses of host machines. This information is accessible to client hosts which are running resolver software. This enables them to send queries to and receive replies from the servers. The resolver software runs on MPE/iX versions preceding 6.
Introduction

This section of the Configuring and Managing MPE/iX Internet Services manual assumes that the reader has prior experience with DNS BIND as implemented on other operating systems, or has familiarity with the concepts involved. There are a number of good textbooks available on this subject to which the reader is referred; the following is a brief overview of a sophisticated system. The Domain Name System is a distributed and structured directory of information.
commonly used version 4.9.4 (with which the majority of experienced DNS users will be familiar). This is the latest version of BIND, 8.1.1.
Explanation of Terms

BIND, which stands for Berkeley Internet Name Domain, is the most commonly used implementation of DNS. DNS is essentially a distributed database, with control of the different elements of the database maintained by the individuals responsible for the domain served by that DNS server.
known as “primary” and “secondary”. The rest of this section concerns itself only with “leaf” DNS servers, that is, servers that only serve hosts. These servers have no domains under them, only hosts. There are four types of db or zone files used by a DNS server, each identified in the server’s named.conf file:

• zone.DOMAIN — provides name-to-address mapping
• zone.ADDR — provides address-to-name mapping
• zone.LOCAL — a zone.
Overview of DNS BIND/iX

In this implementation of BIND 8.1.1, the configuration and data files for the DNS server are found under the /BIND/PUB directory of the POSIX name space, though the DNS server is started by running a job from the MPE/iX name space, JNAMED.PUB.BIND, which runs the program NAMED.PUB.BIND.
DNS BIND/iX Component Files

The major files for the implementation of DNS BIND/iX are found in PUB.BIND and NET.SYS in the MPE/iX name space, and under the directories /BIND/PUB and /etc in the POSIX name space.

    JNAMED.PUB.BIND    The job which runs the DNS server.
    NAMED.PUB.BIND     The DNS server program.
    RESLVCNF.NET.SYS   The DNS client (resolver) configuration file. Linked to /etc/resolv.conf.
    /etc/resolv.conf   The DNS client (resolver) configuration file. Linked to RESLVCNF.
    /BIND/PUB/bin/addr                Address lookup tool.
    /BIND/PUB/bin/named-bootconf.pl   Perl script to assist in converting BIND 4.x named.boot to 8.x named.conf.
    /BIND/PUB/bin/nsupdate            Zone transfer program — called internally by nameservers to transfer zone information from primary to secondary servers.
    /BIND/PUB/public_html             Linked to sub-directory /BIND/PUB/doc-8.1.
Server Configuration File named.conf

The configuration file, named.conf, has a completely new syntax. The configuration file in BIND 4.x was called named.boot. The utility “named-bootconf.pl”, written in Perl and available with the package, can be used to convert 4.x configuration files to the 8.1.1 format. The complete path of this file in the installation is /BIND/PUB/bin/named-bootconf.pl.
Advanced users may need to refer to Appendix B, “BIND 8 Configuration File,” for a complete list of directives that can be configured for BIND 8. The following is the template /BIND/PUB/etc/named.conf file:

    options {
        directory "/BIND/PUB/etc";
        // The following is the IP address of the MPE/iX system that is running NAMED.
        // YOU MUST CHANGE THIS TO BE YOUR OWN IP ADDRESS!
        listen-on { nnn.nnn.nnn.
Configuring Master Zones

A sample configuration unit for a master zone is shown here:

Example:

    zone "43.10.15.IN-ADDR.ARPA" {
        type master;
        file "zone.15.10.43";
    };

The file zone.15.10.43 will have entries like:

            IN SOA  bindserver.india.hp.com. bind_admin.india.hp.com. (
                    104
                    10800
                    3600
                    604800
                    86400 )
            IN NS   bindserver.india.hp.com.
    1       IN PTR          ;
    2       IN PTR          ;
    3       IN PTR          ;
    4       IN PTR          ;
    5       IN PTR          ;
Data Files

The files that the primary nameservers load their zone data from are called data files or zone files. They are also referred to as db files, short for database files. The data files contain resource records that describe the zone. The resource records describe all the hosts in the zone.

Root Cache Data (Hint File)

Besides your local information, the nameserver also needs to know where the nameservers for the root domain are.
    news        IN  CNAME   nova.maxx.net.
    mail        IN  CNAME   nova.maxx.net.
    ns          IN  CNAME   nova.maxx.net.
    loghost     IN  CNAME   nova.maxx.net.
    lucy        IN  A       204.251.17.242
    linux       IN  CNAME   lucy.maxx.net.
    lucy        IN  MX 10   lucy.maxx.net.
    messdos     IN  A       204.251.17.243
    messdos     IN  MX 10   messdos.maxx.net.
    pentium     IN  CNAME   messdos.maxx.net.
    solaris     IN  A       204.251.17.244
    solaris     IN  MX 10   solaris.maxx.net.
    maxx4       IN  CNAME   solaris.maxx.net.
    maxx5       IN  A       204.251.17.245
    maxx5       IN  MX 10   maxx5.maxx.net.
    maxx6       IN  A       204.251.
    maxx6       IN  MX 10
The open parenthesis at the end of the line allows you to split the SOA record across physical lines for readability:

                            9602171     ; Serial
                            36000       ; Refresh every 10 hours
                            3600        ; Retry after 1 hour
                            360000      ; Expire after 100 hours
                            36000 )     ; Minimum TTL is 10 hours

The “serial” field was discussed earlier.
queries, that is, queries for the host maxx.net. Other A records like this one:

    lucy        IN  A       204.251.17.242

provide name-to-address mapping for a specific named host. The domain defined in this file (maxx.net) is appended to the host name you show in the first field. The CNAME records create aliases for existing hosts. These examples illustrate a few common uses:

    www         IN  CNAME   maxx.maxx.net.
    ftp         IN  CNAME   maxx.maxx.net.
Address-to-Name Mapping

Also called reverse mapping, the zone.ADDR db file allows resolvers to post queries armed with only the IP address of a host. This reverse mapping is used, for example, by Internet server software that prefers to log host names rather than less informative IP addresses. Address-to-name mapping data will be provided for a DNS server by PTR entries in its zone.ADDR files, one for every network served by this DNS server, and in its zone.LOCAL file.
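The zone.DOMAIN and zone.ADDR files just described have to agree with each other, and the reverse file is the one that tends to drift. The following Python is an added illustration, not part of this manual or of BIND: it reads master-file records in the form shown above (joining the parenthesised multi-line SOA and dropping `;` comments), derives from the A records the PTR records the matching zone.ADDR file should carry, and reports where an existing reverse zone disagrees. The zone texts are constructed for the example; the host names follow the maxx.net sample, and the 243 PTR is deliberately wrong so that the check has something to find.

```python
"""Forward/reverse zone consistency check, added as an illustration
(not from the manual or from BIND). Zone texts below are constructed."""

FORWARD_ZONE = """\
@       IN SOA  nova.maxx.net. hostmaster.maxx.net. (
                9602171     ; Serial
                36000       ; Refresh every 10 hours
                3600        ; Retry after 1 hour
                360000      ; Expire after 100 hours
                36000 )     ; Minimum TTL is 10 hours
        IN NS   nova.maxx.net.
nova    IN A    204.251.17.241
lucy    IN A    204.251.17.242
messdos IN A    204.251.17.243
www     IN CNAME nova.maxx.net.
"""

REVERSE_ZONE = """\
241     IN PTR  nova.maxx.net.
242     IN PTR  lucy.maxx.net.
243     IN PTR  pentium.maxx.net.   ; constructed mistake: forward zone says messdos
"""


def qualify(name, origin):
    """Expand a zone-file name: '@' is the origin, names without a trailing
    dot are relative to it, fully qualified names are left alone."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_records(text, origin):
    """Return (owner, type, rdata) tuples. A blank owner column repeats the
    previous owner; '(' ... ')' joins physical lines into one record."""
    records, tokens, depth, implicit, last_owner = [], [], 0, False, origin
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]          # drop the comment
        if not line.strip():
            continue
        if not tokens:                       # first physical line of a record
            implicit = line[0].isspace()
        depth += line.count("(") - line.count(")")
        tokens += line.replace("(", " ").replace(")", " ").split()
        if depth > 0:
            continue                         # still inside the parentheses
        owner = last_owner if implicit else qualify(tokens.pop(0), origin)
        cls = tokens.index("IN")             # skips an optional TTL field
        records.append((owner, tokens[cls + 1], tokens[cls + 2:]))
        last_owner, tokens = owner, []
    return records


def reverse_zone_name(net_prefix):
    """'15.10.43' -> '43.10.15.IN-ADDR.ARPA.' as in the chapter's example."""
    return ".".join(reversed(net_prefix.split("."))) + ".IN-ADDR.ARPA."


def expected_ptrs(forward_text, origin, net_prefix):
    """Last octet -> FQDN for every A record inside the given /24."""
    ptrs = {}
    for owner, rtype, rdata in parse_records(forward_text, origin):
        if rtype == "A" and rdata[0].startswith(net_prefix + "."):
            ptrs[rdata[0].rsplit(".", 1)[1]] = owner
    return ptrs


def render_reverse(forward_text, origin, net_prefix):
    """zone.ADDR lines derived from the forward zone."""
    want = expected_ptrs(forward_text, origin, net_prefix)
    return [f"{octet:<7} IN PTR  {name}"
            for octet, name in sorted(want.items(), key=lambda kv: int(kv[0]))]


def check_reverse(forward_text, reverse_text, origin, net_prefix):
    """Findings where zone.ADDR is missing or contradicts zone.DOMAIN."""
    want = expected_ptrs(forward_text, origin, net_prefix)
    have = {owner.split(".")[0]: rdata[0]
            for owner, rtype, rdata in parse_records(reverse_text, reverse_zone_name(net_prefix))
            if rtype == "PTR"}
    findings = []
    for octet, name in sorted(want.items(), key=lambda kv: int(kv[0])):
        if octet not in have:
            findings.append(f"{octet}: no PTR, forward zone has {name}")
        elif have[octet] != name:
            findings.append(f"{octet}: PTR says {have[octet]}, forward zone says {name}")
    return findings


if __name__ == "__main__":
    print("\n".join(render_reverse(FORWARD_ZONE, "maxx.net.", "204.251.17")))
    for finding in check_reverse(FORWARD_ZONE, REVERSE_ZONE, "maxx.net.", "204.251.17"):
        print("MISMATCH", finding)
```

The parser handles only the record forms this chapter uses (class IN, optional TTL, one `(`…`)` group per record); `$ORIGIN`, `$INCLUDE` and other classes are out of scope. Running the check after every edit of zone.DOMAIN is a cheap way to keep the zone.ADDR file that logging servers depend on from going stale.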
This file lists the root domain servers in human-readable format. You’ll need to reformat it for consumption by named. Here’s what the cache file looks like:

    ; Servers from the root domain
    ; ftp://nic.ddn.mil/netinfo/root-servers.txt
    ;
    .       99999999    IN  NS  A.ROOT-SERVERS.NET
    .       99999999    IN  NS  B.ROOT-SERVERS.NET
    .       99999999    IN  NS  C.ROOT-SERVERS.NET
    .       99999999    IN  NS  D.ROOT-SERVERS.NET
    .       99999999    IN  NS  E.ROOT-SERVERS.
command line arguments, it displays a prompt and waits for your command:

    > server mpe3000
    Default Name Server:  mpe3000.cup.hp.com
    Address:  15.13.199.80

By default, nslookup performs queries based on host names you submit; just enter a host name after the prompt:

    > romeo
    Server:   mpe3000.cup.hp.com
    Address:  15.13.199.80

    Name:     romeo.cup.hp.com
    Address:  15.13.194.242
    > 15.12.194.242
    Server:   mpe3000.cup.hp.com
    Address:  15.13.199.80

    Name:     romeo.cup.hp.com
    Address:  15.12.194.
How to Run the DNS Server

1. Configure and start Syslog/iX; see Appendix E, “Configure and Run Syslog/iX.”
2. Examine /BIND/PUB/etc/named.conf and customize it for your own environment.
3. Configure the zone data files referenced in your /BIND/PUB/etc/named.conf.
4. Add your server’s IP address as the first nameserver entry in /etc/resolv.conf for all MPE and HP-UX hosts that you wish to use this server for resolution queries. On MPE hosts, make sure that /etc/resolv.
Configuring the DNS Resolver

The file RESLVCNF.NET.SYS is the configuration file for the Domain Name resolver. It should be linked to /etc/resolv.conf. If the file does not already exist, it can be copied from RSLVSAMP.NET.SYS to RESLVCNF.NET.SYS and then modified to contain information about your local domain and servers. Each entry in the resolver file consists of a keyword followed by a value, separated by white space.
servers if there is no response. If the previous nameserver has already replied that it cannot resolve a query, no further lookup will be attempted.

NOTE  It is very important that you omit leading zeros in the domain name resolver files. If you enter leading zeros here, the resolver routines will interpret the numbers as octal numbers.
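The leading-zero pitfall in the NOTE is easy to miss by eye because the file still looks right. The Python below is an added illustration, not from this manual: it reads a resolver file in the keyword/value form described above and, for every nameserver address that carries a leading zero, shows the address a classic BSD inet_aton would actually produce (a leading 0 selects octal, 0x selects hex), or reports that the octal reading is not even a valid address. The resolver file contents are constructed for the example.

```python
"""Resolver-file lint for the leading-zero (octal) pitfall, added as an
illustration; not from the manual. Sample file contents are constructed."""

# Constructed RESLVCNF.NET.SYS / resolv.conf contents.
SAMPLE_RESOLV = """\
domain cup.hp.com
nameserver 15.13.199.80
nameserver 015.13.199.80
nameserver 15.013.199.080
search cup.hp.com hp.com
"""


def inet_aton_classic(text):
    """Read a dotted quad the way the BSD inet_aton routines do: each part
    may be decimal, octal (leading 0) or hex (0x). Returns the normalised
    decimal form, or None when the text is not a valid four-part address
    (the shorter a.b and a.b.c forms are not handled here)."""
    parts = text.split(".")
    if len(parts) != 4:
        return None
    octets = []
    for part in parts:
        try:
            if part[:2].lower() == "0x":
                value = int(part[2:], 16)
            elif len(part) > 1 and part[0] == "0":
                value = int(part, 8)         # "015" is 13; "080" is not octal
            else:
                value = int(part, 10)
        except ValueError:
            return None
        if not 0 <= value <= 255:
            return None
        octets.append(value)
    return ".".join(str(v) for v in octets)


def parse_resolver(text):
    """(keyword, [values]) per entry; keyword and value are separated by white space."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        fields = line.split()
        entries.append((fields[0].lower(), fields[1:]))
    return entries


def lint_nameservers(text):
    """Return (as written, as intended, as the resolver reads it) for every
    nameserver entry with a leading zero; the third item is None when the
    octal reading is not a valid address at all."""
    findings = []
    for keyword, values in parse_resolver(text):
        if keyword != "nameserver" or not values:
            continue
        addr = values[0]
        parts = addr.split(".")
        if not any(len(p) > 1 and p.startswith("0") for p in parts):
            continue
        intended = (".".join(str(int(p, 10)) for p in parts)
                    if all(p.isdigit() for p in parts) else None)
        findings.append((addr, intended, inet_aton_classic(addr)))
    return findings


if __name__ == "__main__":
    for written, intended, actual in lint_nameservers(SAMPLE_RESOLV):
        print(f"nameserver {written}: meant {intended}, resolver reads it as {actual}")
```

The second sample entry is the dangerous case: 015.13.199.80 is silently taken as 13.13.199.80, so queries go to the wrong host and the symptom is a timeout rather than a configuration error.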
List of Utilities

• nslookup — query Internet name servers interactively

  Example:

    * nslookup quasar.india.hp.com
    Name Server:  hpmpea2.cup.hp.com
    Address:  15.61.192.116

    Non-authoritative answer:
    Name:     quasar.india.hp.com
    Address:  15.10.45.114

• dig — Domain Information Groper

  Example:

    shell/iX> dig
    ; <<>> DiG 8.
    ;; Total query time: 0 msec
    ;; FROM: mpeworld to SERVER: default -- 0.0.0.0
    ;; WHEN: Mon May 18 22:15:45 1998
    ;; MSG SIZE  sent: 17  rcvd: 494

• host — look up host names using a domain server.

  Example:

    shell/iX> host quasar.india.hp.com
    quasar.india.hp.com has address 15.10.45.114
    quasar.india.hp.com mail is handled (pri=90) by hpmdd58.india.hp.com
    quasar.india.hp.com mail is handled (pri=100) by palsmtp.hp.com
    quasar.india.hp.com mail is handled (pri=150) by atlsmtp.hp.
DNS and Electronic Mail

One of the advantages of the Domain Name System over host tables is its support of advanced mail routing. DNS offers a mechanism for specifying backup hosts for mail delivery. The mechanism also allows hosts to assume mail handling responsibilities for other hosts. This lets diskless workstations that don’t run mailers, for example, have mail addressed to them processed by their server.
DNS BIND Troubleshooting Steps

1. Resources: Find a resource who is experienced with DNS BIND/iX! If you’re entering into this without DNS BIND/iX experience, you’re off to a difficult start. Problems with this product are generally caused by poor configuration, so it’s critical to have a DNS BIND literate engineering resource available for problem classification and management.

2.
Figure 8-1 Labeling Nodes (server1.cup.hp.com, IP Addr: 15.1.1.1, Function: Primary Nameserver; server2.cup.hp.com, IP Addr: 15.1.1.2, Function: Secondary Nameserver; foo.cup.hp.com, IP Addr: 15.1.1.3, Function: DNS User)

5. Configuration Gathering: Once you have a good understanding of the history, symptoms, and topology, it’s time to start examining the DNS configuration at the site. Relying on assumptions does not work with DNS BIND troubleshooting.
Experience is the best tool, but there is one very good resource available that will help in troubleshooting DNS BIND: DNS & BIND is a book written by Paul Albitz and Cricket Liu. The 2nd edition has recently been published, with some useful additions for the newer, post 4.8.3, versions of BIND (4.9.3 is covered in some detail). Published by O’Reilly & Associates, Inc. [2nd Edition ISBN: 1-56592-236-0]

7.
9 Apache for MPE/iX

Apache for MPE/iX is server software which turns your HP 3000 into a full-featured web server. With the Apache Webserver, HP 3000 users can now do business over the Internet. As a web server, your HP 3000 can provide users with direct access to documents and applications residing on your system. These applications can include internet and intranet dynamic database connectivity using a browser as a common, easily maintained interface.
Introduction

Users make requests to the web server via a client browser using the Hypertext Transfer Protocol (HTTP). The client browser can be any one of a variety of browsers, including those from Microsoft and Netscape. The sole purpose of a web server is to translate the client’s request (URL) either into a filename, and then send that file back over the network, or into a program name, and then run that program and send its output back.
Feature Set

Apache supports a rich set of features. The feature set for Apache running on MPE/iX is determined by the set of modules that are compiled into the Apache program. Additional features will be selected for future releases. The current version of Apache for MPE/iX is based on Apache 1.3.4 from the Apache Software Foundation. In addition to the http core that is the heart of the Apache code, 28 more Apache modules are included in the Apache program.
Cookies

Cookies are pieces of information generated by the web server and sent back to the browser for storage. For each subsequent request from the same client, the cookie is returned to the server. Cookies are useful for tracking what clients are accessing on a server.

Server-side Imagemaps

Server-side imagemaps are zones defined in an image that, when clicked, will send the client to a different URL.
For a complete list of Apache modules, run the program file with the -l option:

    shell> /APACHE/PUB/HTTPD -l
    Compiled-in modules:
      http_core.c
      mod_env.c
      mod_log_config.c
      mod_log_agent.c
      mod_log_referer.c
      mod_mime_magic.c
      mod_mime.c
      mod_negotiation.c
      mod_status.c
      mod_info.c
      mod_include.c
      mod_autoindex.c
      mod_dir.c
      mod_cgi.c
      mod_asis.c
      mod_imap.c
      mod_actions.c
      mod_speling.c
      mod_userdir.c
      mod_alias.c
      mod_access.c
      mod_auth.c
      mod_auth_anon.c
      mod_cern_meta.c
      mod_expires.c
      mod_headers.
Major Components

The major components for Apache are the web server program (HTTPD), the job stream file which runs the HTTPD program (JHTTPD), a set of configuration files for enabling Apache features, the htdocs directory containing HTML pages, the logs directory, and the cgi-bin directory. Apache also comes with a full, on-line manual set.

• HTTPD is the Apache web server program. “HTTP” stands for the protocol used between the client browser and the Apache web server.
Access to the manual documents is specified with the URL http://yourserver.com/manual/index.html, where “yourserver.com” is the name of your HP 3000.

Hardware Requirements

The following are estimates for the hardware resources required for an Apache installation.

• 32 MB of memory (64 MB recommended for machines with high traffic)
• 25 MB disk space (Apache directories and files + log files)
• Additional disk space for your documents.
TCP/IP transport subsystem) is configured on your HP 3000 using NMMGR. In NMMGR, configure your system’s IP address and subnet mask in screen NEXTPORT.NI.Niname.PROTOCOL.IP. TCP should also be configured with the recommended values in the table below using screen NEXTPORT.GPROT.TCP. Information on the TCP/IP parameters is available in the NS3000/iX NMMGR Screens Reference Manual from http://docs.hp.com/mpeix.
Configure Apache

Apache reads two global configuration files when it starts: httpd.conf and mime.types. These configuration files determine how Apache behaves. Earlier versions of Apache read two additional global configuration files: access.conf and srm.conf. These additional global configuration files can still be used, but by default they are empty and their original content is now included in the httpd.conf file.

Edit your Configuration File

The mime.
Edit the JHTTPD Job Stream File

The JHTTPD job stream file is used to run the HTTPD web server program in standalone mode with your local timezone:

!job jhttpd,www.apache,pub;outclass=,2
!setvar TZ 'PST8PDT'
!run HTTPD;info='-f /APACHE/PUB/conf/httpd.conf'
!eoj

The timezone variable, TZ, should be set to your local timezone (for example, EST5EDT for Eastern Daylight Time, PST8PDT for Pacific Daylight Time, and MST7MDT for Mountain Daylight Time).
Verify that Apache is Running

There are a number of ways to verify whether the Apache web server is running or, if it is not, to isolate how far the startup process progressed. After streaming the JHTTPD file, use :SHOWJOB to view the running job:

JOBNUM  STATE IPRI JIN  JLIST  INTRODUCED  JOB NAME
#J16    EXEC       10S  LP     TUE 10:27A  JHTTPD,WWW.APACHE

Another method is to check server status using either ps from the POSIX shell or :SHOWPROC at the CI.
If you are unsuccessful in starting the HTTPD program, you can get more information about the problem by trying one or more of these troubleshooting techniques:

1. Look at the output of the JHTTPD spoolfile.
2. Check the messages in the /APACHE/PUB/logs/error_log file.
3. Verify the syntax of the httpd.conf file. This catches many, but not all, syntax problems in the httpd.conf file:
   :run HTTPD.PUB.APACHE;info="-t"
4.
By default, the level is set to warn. Using a level of at least crit is recommended.

Adding Documents

Add new documents by creating them under the document root, /APACHE/PUB/htdocs. Documents can also be added outside of the document root using the Alias directive in the httpd.conf file or by using symbolic links. The web server children that handle user requests run as WWW.APACHE, the username specified in the JHTTPD file. For more security, user WWW.
Performance

For best performance, files returned to the user should be in bytestream format. For example, .html, .htm, .shtml, .shtm, .txt, .gif, .jpeg, and .jpg files should be in bytestream format instead of in MPE-type format. Bytestream files are more compatible with Apache and with other POSIX applications than are MPE-type files. If you have a web page that calls many images which are not in bytestream format (BA), you could have noticeable performance degradation.
Additional Documentation

Much of the public information available on Apache can be used for administering Apache on MPE/iX. This especially applies to the description and usage of the over 128 different Apache configuration directives. Sources for additional information include:

• The Apache on-line manual pages included as part of MPE FOS at http://yourserver.com/manual/index.html
• The Apache Software Foundation’s on-line documentation at http://www.apache.
10 HP WebWise MPE/iX Secure Web Server

HP WebWise MPE/iX Secure Web Server offers secure encrypted communications between browser and server via the SSL and TLS protocols, as well as strong authentication of both the server and the browsers via X.509 digital certificates. The current release of the HP WebWise MPE/iX Secure Web Server is A.01.00 and is composed of:

• Apache 1.3.
System Requirements

The following software requirements must be met prior to installing HP WebWise MPE/iX Secure Web Server A.01.00:

• MPE/iX 6.0 or later.
• Patches required for MPE/iX 6.0:
  — MPEKXT3B
  — MPELX36A
  — MPELX44A
• Patches required for MPE/iX 6.5:
  — MPELX36B
  — MPELX44B
• The latest network transport patch (NSTxxxxx) is also strongly recommended for all versions of MPE/iX.
Feature Set

HP WebWise MPE/iX Secure Web Server offers secure encrypted communications between browser and server via the SSL and TLS protocols, as well as strong authentication of both the server and the browsers via X.509 digital certificates. HP WebWise MPE/iX Secure Web Server is:

• NOT a substitute for a firewall (explicitly allow acceptable connections, etc.
Painless Migration of Existing Apache Content

Your existing non-secure Apache content can be migrated without change to HP WebWise MPE/iX Secure Web Server and the SSL/TLS protocols. This includes CGI applications, which will have access to a wide variety of new security-related environment variables under HP WebWise MPE/iX Secure Web Server that will permit granular, custom security checking.
• mod_cgi
• mod_digest
• mod_dir
• mod_env
• mod_expires
• mod_headers
• mod_imap
• mod_include
• mod_info
• mod_log_agent
• mod_log_config
• mod_log_referer
• mod_mime
• mod_mime_magic
• mod_negotiation
• mod_proxy
• mod_rewrite
• mod_setenvif
• mod_so
• mod_speling
• mod_ssl
• mod_status
• mod_unique_id
• mod_userdir
• mod_usertrack
• mod_vhost_alias

The following modules are supplied as external DSOs:

• mod_example (see /APACHE/SECURE/libexec/README and mo
Compatibility With Apache for MPE/iX

HP WebWise MPE/iX Secure Web Server installs in a different HFS directory tree than Apache, and so will not overlay your existing Apache environment in any way. If you want to run both HP WebWise MPE/iX Secure Web Server and Apache at the same time on the same machine, make sure you configure HP WebWise MPE/iX Secure Web Server to use different TCP listening ports than Apache.
Major Components

HP WebWise MPE/iX Secure Web Server consists of a job stream (JHTTPDS) which runs the server program (HTTPDS), a set of configuration files, a complete set of online documentation, and miscellaneous utilities and scripts.

/APACHE/SECURE/  The MPE group and HFS directory under which all HP WebWise MPE/iX Secure Web Server files reside. This group requires PM capability, and MGR.
key is EXTREMELY sensitive information and should be protected by both owner-only file permissions and a pass phrase. MGR.APACHE should be the only user with read access to this directory and the files contained within.

htdocs/  This subdirectory contains the content that will be visible to browser users accessing your web server. If a user specifies a URL of http://your.host.name/foo.
Copying the Software to Your e3000

The software may be electronically downloaded from HP Software Depot, ordered on CDROM media, or ordered on DDS media. If using DDS media, perform the following steps to copy the software to your e3000:

1. :HELLO MANAGER.SYS
2. :FILE T;DEV=TAPE
3. :RESTORE *T;@.@.@;SHOW
4. The file /tmp/webwise-A0100.tar.Z will be restored to your e3000.
Installing the Software

The installation job will create the following objects if they do not already exist:

• an APACHE account
• an MGR.APACHE user
• a PUB.APACHE group
• a SECURE.APACHE user
• a SECURE.APACHE group

Note that all of the above objects except for the SECURE.APACHE user have PRIV-MODE (PM) capability.
Configuring the Software

1. :HELLO MGR.APACHE,SECURE
2. :XEQ SH.HPBIN.SYS -L
3. $ cd /APACHE/SECURE
4. $ cp JHTTPDS.sample JHTTPDS
5. Edit the newly created JHTTPDS job stream file to specify the proper TZ timezone value for your location as well as any other customizations appropriate for your site:

!job jhttpds,mgr.apache,secure;outclass=,2
!setvar TZ 'PST8PDT'
!xeq sh.hpbin.sys "-c 'umask 007; ./HTTPDS -DSSL -f conf/httpd.
Server Keys and Certificates

This is a fairly large and complicated topic. You are STRONGLY ENCOURAGED to read about it in detail in the Mod_ssl manual, Chapter 2 Introduction and Chapter 6 FAQ List, either at http://www.modssl.org/docs/2.4/ or in the copy that comes with your HP WebWise MPE/iX Secure Web Server (/APACHE/SECURE/htdocs/manual/mod/mod_ssl/ssl_intro.html and ssl_faq.html), which is accessible from the default home page.
supplied to the web server at start up time, either by inserting it directly into the /APACHE/SECURE/JHTTPDS job stream after the command that invokes HTTPDS (caution — the pass phrase will be in plain text in the JHTTPDS job stream, so you’ll need to protect the job stream too), or by writing a special script or program that HTTPDS will invoke to obtain the pass phrase.
To create your CSR:

1. $ cd ../ssl.csr
2. $ openssl req -new -key ../ssl.key/server.key -out server.csr
   Using configuration from /APACHE/SECURE/ssl/openssl.cnf
   Enter PEM pass phrase:********
   You are about to be asked to enter information that will be incorporated
   into your certificate request.
   What you are about to enter is what is called a Distinguished Name or a DN.
4. $ chmod 400 server.csr

You’re now ready to have your CSR signed by a Certificate Authority (CA). This results in the creation of a server certificate.
Your signed certificate will arrive in raw PEM format (a -----BEGIN CERTIFICATE----- block of base64 text).
4. $ openssl req -new -x509 -days 365 -key ca.key -out ca.crt
   Using configuration from /APACHE/SECURE/ssl/openssl.cnf
   Enter PEM pass phrase:********
   You are about to be asked to enter information that will be incorporated
   into your certificate request.
   What you are about to enter is what is called a Distinguished Name or a DN.
                CA:TRUE
    Signature Algorithm: md5WithRSAEncryption

6.
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
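As an added example (not from the HP manual and not HP's software), the following Python encodes the protections this section asks for on /APACHE/SECURE/ssl.key/server.key (owner-only file permissions and a pass phrase on the key) together with the caveat that a pass phrase typed into the JHTTPDS job stream puts the secret in that file too, and runs the check over constructed sample files. The sample key and job stream contents, the mode values, and the "non-command line after the HTTPDS invocation" heuristic are assumptions of the example.

```python
"""Audit the protection of a mod_ssl server key and its JHTTPDS job stream.

Added example, not part of the HP manual. Checks: owner-only permissions on
the key, an encrypted (pass-phrase protected) PEM key, and whether the job
stream feeds the pass phrase to HTTPDS as plain text (in which case the job
stream needs owner-only permissions as well). Sample files are constructed.
"""
import os
import stat
import tempfile

# PEM markers that show the private key is pass-phrase protected.
ENCRYPTED_MARKERS = (
    b"Proc-Type: 4,ENCRYPTED",                 # traditional "BEGIN RSA PRIVATE KEY" form
    b"-----BEGIN ENCRYPTED PRIVATE KEY-----",  # PKCS#8 form
)


def owner_only(path):
    """True if no group or other permission bits are set on the file."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def key_is_encrypted(path):
    """True if the PEM file carries one of the encrypted-key markers."""
    with open(path, "rb") as fh:
        data = fh.read()
    return any(marker in data for marker in ENCRYPTED_MARKERS)


def lines_embed_passphrase(lines):
    """Heuristic (an assumption of this example): every CI command in an MPE
    job stream starts with '!', so a non-command line that follows the command
    invoking HTTPDS is input fed to the server, i.e. the pass phrase."""
    after_httpds = False
    for line in lines:
        text = line.strip()
        if not text:
            continue
        if text.startswith("!"):
            if "HTTPDS" in text.upper():
                after_httpds = True
            continue
        if after_httpds:
            return True
    return False


def jobstream_embeds_passphrase(path):
    with open(path, "r", errors="replace") as fh:
        return lines_embed_passphrase(fh)


def audit(key_path, jobstream_path):
    """Return the findings; an empty list means the setup follows the manual."""
    findings = []
    if not owner_only(key_path):
        findings.append("server key readable by group/other")
    if not key_is_encrypted(key_path):
        findings.append("server key has no pass phrase")
    if jobstream_embeds_passphrase(jobstream_path):
        findings.append("pass phrase appears in job stream")
        if not owner_only(jobstream_path):
            findings.append("job stream readable by group/other")
    return findings


# Constructed sample files (not real keys): a weak setup and a hardened one.
WEAK_KEY = (b"-----BEGIN RSA PRIVATE KEY-----\nconstructedbase64\n"
            b"-----END RSA PRIVATE KEY-----\n")
HARD_KEY = (b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
            b"DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\nconstructedbase64\n"
            b"-----END RSA PRIVATE KEY-----\n")
JOB_HEAD = ("!job jhttpds,mgr.apache,secure;outclass=,2\n!setvar TZ 'PST8PDT'\n"
            "!xeq sh.hpbin.sys \"-c 'umask 007; ./HTTPDS -DSSL -f conf/httpd.conf'\"\n")
WEAK_JOB = JOB_HEAD + "constructed-pass-phrase\n!eoj\n"  # pass phrase typed into the job
HARD_JOB = JOB_HEAD + "!eoj\n"                         # pass phrase obtained another way


def _write(directory, name, content, mode):
    path = os.path.join(directory, name)
    with open(path, "wb") as fh:
        fh.write(content if isinstance(content, bytes) else content.encode())
    os.chmod(path, mode)
    return path


def demo():
    """Write both constructed setups to a temporary directory and audit them."""
    with tempfile.TemporaryDirectory() as d:
        weak = audit(_write(d, "weak.key", WEAK_KEY, 0o644),
                     _write(d, "WEAKJOB", WEAK_JOB, 0o644))
        hard = audit(_write(d, "server.key", HARD_KEY, 0o400),
                     _write(d, "JHTTPDS", HARD_JOB, 0o600))
    return {"weak": weak, "hardened": hard}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or ["ok"])
```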
Starting the Web Server

Simply :STREAM JHTTPDS.SECURE.APACHE to start your web server. The server may spend as much as the first 5 minutes or so in a tight CPU loop generating temporary cryptographic keys before it will be ready to respond to browser requests. No records will be written to any of the log files in the logs/ directory during this time.
Using the Web Server

Simply point your web browser to:

• http://www.yourcompanyhere.com/ (for non-secure access; assumes a standard listening port of 80)
• https://www.yourcompanyhere.com/ (for secure access; assumes a standard listening port of 443)

Web server content located under the DocumentRoot of the secure virtual server is automatically secured when viewed with an https:// URL.
Adding Content

There are several ways you can add content to your HP WebWise MPE/iX Secure Web Server:

• Create additional files and directories below the DocumentRoot of /APACHE/SECURE/htdocs.
• Use the Alias configuration directive to point to content directories outside of the DocumentRoot.
• Create symbolic links below the DocumentRoot of /APACHE/SECURE/htdocs which point to content outside of the DocumentRoot subdirectory.
Troubleshooting

Server Issues

If the HP WebWise MPE/iX Secure Web Server job JHTTPDS aborts, first check the $STDLIST spoolfile for any error messages, followed by the error_log, followed by the ssl_engine_log. If the HP WebWise MPE/iX Secure Web Server job appears to be running normally, but browser users are receiving error messages instead of data, check the access_log to see if the server is receiving their request.
To verify the protocol and cipher your browser is using to talk to the server, either check the logs/ssl_request_log file on the server, or ask your browser for this information. If using Microsoft Internet Explorer, right-click anywhere on the web page, then left-click on the Properties menu item. If using Netscape Communicator, right-click anywhere on the web page, then left-click on the View Info menu item.
Performance

For best performance, files returned to the browser user should be in bytestream format. For example, .html, .htm, .shtml, .shtm, .txt, .gif, .jpeg, and .jpg files should be in bytestream format instead of in MPE-type format. Bytestream files are more compatible with HP WebWise MPE/iX Secure Web Server and with other POSIX applications than are MPE-type files.
Stopping the Web Server

Perform the following steps in order to stop your web server in an orderly manner:

1. :HELLO MANAGER.SYS or :HELLO MGR.APACHE,SECURE
2. :XEQ SH.HPBIN.SYS "-c 'kill `cat /APACHE/SECURE/logs/httpd.pid`'"

:ABORTJOB should only be used as a last resort for stopping HP WebWise MPE/iX Secure Web Server. See Known Issues.
Known Issues

1. Using :ABORTJOB to stop HP WebWise MPE/iX Secure Web Server will result in leaked SVIPC semaphores. These semaphores are not expensive resources and HP WebWise MPE/iX Secure Web Server only uses a relative handful, but there is a finite number of semaphores allowed on a machine before you run out. The IPCS.HPBIN.SYS CI command file (NOT a shell script!) can be used to display SVIPC resources, and the IPCRM.HPBIN.
Additional Documentation

• Configuring and Managing MPE/iX Internet Services Manual, Apache for MPE/iX Chapter.
• http://jazz.external.hp.com/src/webwise/ (HP WebWise)
• http://jazz.external.hp.com/src/apache/ (Apache for MPE/iX)
• http://www.apache.org/ (Apache open-source project)
• http://www.modssl.org/ (Mod_ssl open-source project)
• http://www.engelschall.com/sw/mm/ (a library of shared memory functions)
• http://www.openssl.
A Samba/iX Sample Configuration File

The following is the sample configuration file samp-smb.cnf for Samba/iX, which you can find in the /usr/local/samba/lib directory on the HP 3000 system:

# Sample config file for Samba/iX 0.7 and later
#
# Copy this file to /usr/local/samba/lib/smb.conf and adjust as needed.
# You must at least adjust the "interfaces" directive to match your IP
# address and subnet mask (if used) as the current version of Samba/iX
# is unable to retrieve the NMMGR configured values.
# ---------------------------------------------------------------------
# GLOBAL section (general parms and defaults for other sections)
[global]
# you MUST supply IP address and subnet mask of your 3000 here
interfaces = 12.34.56.78/255.0.0.
load printers = yes
# the workgroup that your server belongs to
workgroup = SambaIX
# these can be used e.g.
# ---------------------------------------------------------------------
# PRINTERS section (optional but useful)
#
# This section works in conjunction with the printcap file and allows you
# to configure a large number of printer shares without having to add
# separate detailed sections for each of them. The printer names and
# optional aliases are listed in the printcap file and the config parms
# are defined here. Special printers can still be defined explicitly.
# ---------------------------------------------------------------------
# HOMES section (optional but sometimes useful)
#
# This section provides access to users' home directories without having
# to add a separate section for each of them. The share name is considered
# to be a valid user id and the path defaults to that user's home
# directory. The share is created "on the fly" by using attributes from
# this section.
# ---------------------------------------------------------------------
# OTHER sections (explicit definitions of file or printer shares)
# The writable shares are placed under an MPE group with space limit
[temp]
# multiple users share one server directory but independent file
# ownership is maintained so that they might be able to "see" other
# users' files but still be unable to get read or write access
comment = Shared temp space for non-guest users
guest ok = no
write
B BIND 8 Configuration File

The following is a dummy configuration file example. It explains in brief what each configuration directive is useful for and its syntax. Not all the directives are required for a typical BIND configuration.

/*
 * This is a worthless, nonrunnable example of a named.conf file that has
 * every conceivable syntax element in use. We use it to test the parser.
 * It could also be used as a conceptual template for users of new features.
                                        // sites
                                        // for load balancing.
        allow-query { any; };
        allow-transfer { any; };
        transfers-in 10;                // DEFAULT_XFERS_RUNNING, cannot be
                                        // set > than MAX_XFERS_RUNNING (20)
        transfers-per-ns 2;             // DEFAULT_XFERS_PER_NS
        transfers-out 0;                // not implemented
        max-transfer-time-in 120;       // MAX_XFER_TIME; the default number
                                        // of minutes an inbound zone transfer
                                        // may run. May be set on a per-zone
                                        // basis.
        /*
         * The "transfer-format" option specifies the way outbound zone
         * transfers (i.e.
        forward first;
        forwarders { };                 // default is no forwarders
        /*
         * Here's a forwarders example that isn't trivial
         */
        /*
        forwarders {
                1.2.3.4;
                5.6.7.8;
        };
        */
        topology { localhost; localnets; };     // prefer local nameservers
        /*
         * Here's a more complicated topology example; it's commented out
         * because only one topology block is allowed.
         *
        topology {
                10/8;                   // prefer network 10.0.0.0
                                        // netmask 255.0.0.0 most
                !1.2.3/24;              // don't like 1.2.3.0 netmask
                                        // 255.255.255.0 at all
                { 1.
};

zone "master.demo.zone" {
        type master;                    // what used to be called "primary"
        file "master.demo.zone";
        check-names fail;
        allow-update { none; };
        allow-transfer { any; };
        allow-query { any; };
        // notify yes;                  // send NOTIFY messages for this
                                        // zone? The global option is used
                                        // if "notify" is not specified
                                        // here.
        also-notify { };                // don't notify any nameservers other
                                        // than those on the NS list for this
                                        // zone
};

zone "slave.demo.zone" {
        type slave;
        file "slave.demo.
acl can_query { !1.2.3/24; any; };      // network 1.2.3.0 mask 255.255.255.0
                                        // is disallowed; rest are OK
acl can_axfr { 1.2.3.4; can_query; };   // host 1.2.3.4 and any host allowed
                                        // by can_query are OK

zone "non-default-acl.demo.zone" {
        type master;
        file "foo";
        allow-query { can_query; };
        allow-transfer { can_axfr; };
        allow-update { 1.2.3.4; 5.6.7.8; servers.
         *      critical        a fatal error
         *      error
         *      warning
         *      notice          a normal, but significant event
         *      info            an informational message
         *      debug 1         the least detailed debugging info
         *      ...
         *      debug 99        the most detailed debugging info
         */

        /*
         * Here are the built-in channels:
         *
         * channel default_syslog {
         *      syslog daemon;
         *      severity info;
         * };
         *
         * channel default_debug {
         *      file "named.
         *                      they all end up here. Also, if you
         *                      don't specify any channels for a
         *                      category, the default category is used
         *                      instead.
         *      config          high-level configuration file
         *                      processing
         *      parser          low-level configuration file processing
         *      queries         what used to be called "query
         *      lame-servers    messages like "Lame server on ...
         *      statistics
         *      panic
         */
                /*
                 * Note that debugging must have been turned on either
                 * on the command line or with a signal to get debugging
                 * output (non-debugging output will still be written to
                 * this channel).
                 */
        };

        /*
         * If you don't want to see "zone XXXX loaded" messages but do
         * want to see any problems, you could do the following.
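As an added example (not from the manual and not BIND's own code), the following Python evaluates the acl and allow-* clauses of the non-default-acl.demo.zone example above under BIND's first-match rule, so you can see which client addresses each clause admits. How a negated match inside a referenced acl propagates, and the omission of the built-in localhost and localnets names, are assumptions of the example.

```python
"""First-match evaluation of BIND 8 address_match_lists.

Added example, not part of the manual or of BIND. Elements are tried in
order, a leading "!" negates an element, "any" matches every address, "none"
matches nothing, and a bare name refers to another acl. A negative match
inside a referenced acl is propagated as a deny (an assumption here); the
built-in localhost and localnets names are left out.
"""
import ipaddress


def parse_element(element):
    """Return (negated, target): target is a network, None for "none",
    or a string naming another acl."""
    negated = element.startswith("!")
    text = element[1:] if negated else element
    if text == "any":
        return negated, ipaddress.ip_network("0.0.0.0/0")
    if text == "none":
        return negated, None
    if "/" in text:
        # BIND 8 short form: "1.2.3/24" means 1.2.3.0/24, "10/8" means 10.0.0.0/8
        prefix, length = text.split("/")
        octets = prefix.split(".")
        prefix = ".".join(octets + ["0"] * (4 - len(octets)))
        return negated, ipaddress.ip_network("%s/%s" % (prefix, length), strict=False)
    try:
        return negated, ipaddress.ip_network(text + "/32")
    except ValueError:
        return negated, text  # not an address: a reference to another acl


def evaluate(address, elements, acls):
    """Return True for a positive match, False for a match on a negated
    element, None if no element matched (first match wins)."""
    addr = ipaddress.ip_address(address)
    for element in elements:
        negated, target = parse_element(element)
        if target is None:          # "none" never matches
            continue
        if isinstance(target, str):  # nested acl: recurse, then apply our own "!"
            inner = evaluate(address, acls[target], acls)
            if inner is None:
                continue
            return (not inner) if negated else inner
        if addr in target:
            return not negated
    return None


def allowed(address, elements, acls):
    """Access is granted only on a positive match; an exhausted list denies."""
    return evaluate(address, elements, acls) is True


# The acl and zone definitions from the sample named.conf above.
ACLS = {
    "can_query": ["!1.2.3/24", "any"],
    "can_axfr": ["1.2.3.4", "can_query"],
}
ZONE_NON_DEFAULT_ACL = {
    "allow-query": ["can_query"],
    "allow-transfer": ["can_axfr"],
    "allow-update": ["1.2.3.4", "5.6.7.8"],
}


def zone_permits(address, clause, zone=ZONE_NON_DEFAULT_ACL, acls=ACLS):
    """Would the zone's allow-* clause admit a client at this address?"""
    return allowed(address, zone[clause], acls)


if __name__ == "__main__":
    for client in ("1.2.3.4", "1.2.3.9", "5.6.7.8", "9.9.9.9"):
        print(client, {c: zone_permits(client, c) for c in ZONE_NON_DEFAULT_ACL})
```

Note that 1.2.3.4 may transfer the zone (it is listed first in can_axfr) yet may not query it, because can_query's negated 1.2.3/24 element matches it first.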
C BIND 8.1 Enhanced Features

The following points are explained in this appendix:

1. BIND 8 highlights
2. BIND Configuration File Guide — Logging Statement
3. BIND Configuration File Guide — Zone Statement
4. BIND Configuration File Guide — Option Statement
5. Converting From BIND 4.9.
BIND 8 Highlights

Definition and Usage

The logging statement configures a wide variety of logging options for the nameserver. Its channel phrase associates output methods, format options and severity levels with a name that can then be used with the category phrase to select how various classes of messages are logged. Only one logging statement is used to define as many channels and categories as are wanted.
in this manual. How syslog will handle messages sent to this facility is described under syslog.conf earlier in this manual. If you have a system which uses a very old version of syslog that only uses two arguments to the openlog() function, this clause is silently ignored. The severity clause works like syslog’s “priorities”, except that they can also be used if you are writing straight to a file rather than using syslog.
The category phrase.

channel default_syslog {
        syslog daemon;          # send to syslog's daemon facility
        severity info;          # only send priority info and higher
};

channel default_debug {
        file "named.run";       # write to named.run in the working directory
                                # Note: stderr is used instead of "named.run"
                                # if the server is started with the "-f" option.
category is used instead. If you do not define the default category, the following definition is used:

category default { default_syslog; default_debug; };

config          High-level configuration file processing.
parser          Low-level configuration file processing.
queries         A short log message is generated for every query the server receives.
lame-servers    Messages like “Lame server on ...”
statistics      Statistics.
security         Approved/unapproved requests.
os               Operating system problems.
insist           Internal consistency check failures.
maintenance      Periodic maintenance events.
load             Zone loading messages.
response-checks  Messages arising from response checking, such as “Malformed response ...”, “wrong ans. name ...”, “unrelated additional info ...”, “invalid RR type ...”, and “bad referral ...”.
Definition and Usage (Zone Types)

master  The master copy of the data in a zone.

slave   A slave zone is a replica of a master zone. The masters list specifies one or more IP addresses that the slave contacts to update its copy of the zone. If file is specified, then the replica will be written to the file. Use of file is recommended, since it often speeds server startup and eliminates a needless waste of bandwidth.
DNS NOTIFY message for this zone is made up of all the listed nameservers for the zone (other than the primary master) plus any IP addresses specified with also-notify. also-notify is not meaningful for stub zones. The default is the empty list.
Definition and Use

The options statement sets up global options to be used by BIND. This statement may appear only once in a configuration file; if more than one occurrence is found, the first occurrence determines the actual options used, and a warning will be generated. If there is no options statement, an options block with each option set to its default will be used.

Pathnames

directory  The working directory of the server.
specified, the default is “named.stats”.

Boolean Options

auth-nxdomain  If yes, then the AA bit is always set on NXDOMAIN responses, even if the server is not actually authoritative. The default is yes.

NOTE: Do not turn off auth-nxdomain unless you are sure you know what you are doing, as some older software won’t like it.
notify  If yes (the default), DNS NOTIFY messages are sent when a zone the server is authoritative for changes. The use of NOTIFY speeds convergence between the master and its slaves. Slave servers that receive a NOTIFY message and understand it will contact the master server for the zone and see if they need to do a zone transfer, and if they do, they will initiate it immediately.
Name Checking

The server can check domain names based upon their expected client contexts. For example, a domain name used as a hostname can be checked for compliance with the RFCs defining valid hostnames. Three checking methods are available:

ignore  No checking is done.
warn    Names are checked against their expected client contexts. Invalid names are logged, but processing continues normally.
fail    Names are checked against their expected client contexts.
Interfaces

The interfaces and ports that the server will answer queries from may be specified using the listen-on option. listen-on takes an optional port and an address_match_list. The server will listen on all interfaces allowed by the address match list. If a port is not specified, port 53 will be used. Multiple listen-on statements are allowed. For example:

listen-on { 5.6.7.8; };
listen-on port 1234 { !1.2.3.4; 1.
limit the number of concurrent outbound zone transfers. It is checked for syntax, but is otherwise ignored.

transfers-per-ns  The maximum number of inbound zone transfers (named-xfer processes) that can be concurrently transferring from a given remote nameserver. The default value is 2. Increasing transfers-per-ns may speed up the convergence of slave zones, but it also may increase the load on the remote nameserver.
Periodic Task Intervals

cleaning-interval   The server will remove expired resource records from the cache every cleaning-interval minutes. The default is 60 minutes. If set to 0, no periodic cleaning will occur.

interface-interval  The server will scan the network interface list every interface-interval minutes. The default is 60 minutes. If set to 0, interface scanning will only occur when the configuration file is loaded.
Converting From BIND 4.9.x

BIND 4.9.x configuration files can be converted to the new format by using src/bin/named/named-bootconf.pl, a perl script that is part of the BIND 8.1 source kit.
D Server Configuration Migration

A number of configuration migration utilities are now available. If you want to convert 4.x named.boot files to 8.x named.conf files, there is a perl script, named-bootconf.pl, available on the system. This perl script file resides in the /BIND/PUB/bin directory.

Explanation of configuration migration utilities:

named-bootconf.pl is a perl script. Perl is a scripting language; like a shell script, it runs under an interpreter environment on MPE.
E Configure and Run Syslog/iX

How to Run Syslog/iX:

1. Log on as mgr.syslog.
2. Examine syslog.conf and customize for your own environment.
3. :stream JSYSLOGD.PUB.SYSLOG.
4. Stop Syslog/iX by issuing the command :ABORTJOB.

##
## :TELL @.@
## *.emerg                         *
##
## Write to the :CONSOLE
## *.alert                         /dev/console
##
## :TELL @.SYSLOG
## *.crit                          @.SYSLOG
##
## :TELL MANAGER.SYS
## *.err                           MANAGER.SYS
##
## Forward to syslogd on another host via UDP
## *.warning                       @some.host.running.syslogd
##
## Write to the :CONSOLE
*.
They are classified as follows: debug, info, error, critical, warning, alert, emergency. These messages can also be sent to a particular user by using the “tell” option followed by the user name. They can also be sent to another machine by using “@machine name”.
Glossary

A

address  An identifier defined and used by a particular protocol and associated software to distinguish one node from another.

address resolution  In NS networks, the mapping of node names to IP addresses and the mapping of IP addresses to subnet addresses. See also probe protocol, ARP.

alias  A character string that is used as an alternate name for a protocol or a node.

ARP  Address Resolution Protocol. ARP provides IP to LAN station address resolution for Ethernet nodes on a LAN.
network connection (hence the term connectionless), each datagram must contain all the information required for its delivery. The protocol associated with datagram service is UDP, or User Datagram Protocol. See also datagram, protocol, and UDP.

DTE  Data Terminal Equipment. Equipment that converts user information into data transmission signals or reconverts received data signals into user information. Data terminal equipment operates in conjunction with data circuit-terminating equipment.
IEEE 802.3  A standard for a broadcast local area network published by the Institute for Electrical and Electronics Engineers (IEEE). This standard is used for both the ThinLAN and ThickLAN implementations of the Local Area Network (LAN).

IP address  An address used by the Internet Protocol to route information. A complete IP address comprises a network portion and a subnet portion to identify a specific network, and a node portion to identify a node within that network.
SNA, loopback, and gateway half. The maximum number of supportable network interfaces is 12, one of which is reserved for loopback.

Network Services  Software application products that can be used to access data, initiate processes, and exchange information among nodes in the network. The NS 3000/iX Network Services include RPM, VT, RFA, RDBA, and NFT.

NMCONFIG.PUB.SYS  The file that contains all the network configuration data for the HP 3000 Series 900 computer on which it resides.
and resolves IP addresses to IEEE 802.3 addresses. process A single instance of a program that is being executed by the operating system, also known as a task. protocol A set of rules that enables two or more data processing entities to exchange information. In networks, protocols are the rules and conventions that govern each layer of network architecture. They define what functions are performed and how messages are exchanged.
T V TAC Telnet Access Card. A board within a DTC 48 or 72MX. Virtual Terminal A network service that allows a user to establish interactive sessions on a node. TCP/IP Transmission Control Protocol/Internet Protocol. A set of rules that establishes and maintains connections between nodes on an internetwork.
Index

Symbols
$STDLIST messages, 41
/APACHE/SECURE/, 165
/etc directory, 19, 28
/etc/bootpd, 54
/etc/bootpquery, 54
/etc/bootptab, 20, 54, 57
/etc/hosts.equiv, 78
/etc/inetd, 27
/etc/inetd.conf, 20, 27, 28, 48, 55, 69
/etc/protocols, 20
/etc/services, 77
/usr/adm/inetd.

broadcast address, 59
browseable, 96
bs tag, 59
bytestream format, 184
bytestream format (BA), 184

C
-c command, 38, 48, 56, 69, 72
CA, 174, 175
capabilities
  for ARPA.SYS, 47
  for MGR.TFTP, 70
  for USER.

entries in the inetd configuration file, 30
Equifax, 174
error messages
  inetd, 37, 41
  tftpd, 73
error_log, 166, 182
event logging for inetd, 41

F
FB, 184
fields in the inetd configuration file, 30
file access
  for TFTP clients, 71
  to /etc/bootptab, 57
  to BOOTPTAB.NET.

INSECSMP.NET.SYS, 20, 27
installing configuration files, 20
INTEDCNF.NET.

mod_setenvif, 163
mod_so, 162, 163
mod_speling, 163
Mod_ssl, 159
mod_ssl, 161, 163
mod_status, 163
mod_unique_id, 163
mod_userdir, 163
mod_usertrack, 163
mod_vhost_alias, 162, 163
MPE fixed ASCII, 184
MPE fixed ASCII (FA), 184
MPE variable ASCII, 184
MPE variable ASCII (VA), 184
MPE variable binary, 184
MPE variable binary (VB), 184
MPE/iX examples, 80
MPE/iX Secure Web Server, 159
multi-threaded datagram, 31

N
named.conf, 123
negprot command, 88
Net Transport software, 17
NET.

server program field, 31
server string, 91
server, Internet, 16
service descriptions, 30
service name field, 31
service permissions, 33
services, 15
services file, 21
  adding BOOTP service, 55
  adding Telnet service, 48
  adding TFTP service, 69
  creating, 21
  editing, 21
  editing tips, 22
  example of, 22
  linking, 21
SIGHUP signal, 57
sign.sh, 165
single-threaded datagram, 31
slave zone, 125
SMB, 85, 87
  Server Message Block, 85
SMB protocol, 86
SMB.

  starting, 72
  the TFTP user, 74
time service, 27
to=offset tag, 61
tobyte, 184
transmitting files with tftpd, 71
Trivial File Transfer Protocol, 67
trivial services, inetd, 27

U
UDP/IP, 26
umask, 164
unique server certificate, 170
updating the Internet Services, 30
User Datagram Protocol, 67
user field, 31
USER.