Edition 1

This guide covers the deployment, configuration and administration of Fedora. Topics include the smb.conf file, the proc file system, and DHCP, BIND, Apache HTTP Server, Postfix, Sendmail and other enterprise-class servers and software. The chapters and appendices are summarized below.

- Network Interfaces covers the interface configuration files, interface control scripts and network function files located in the /etc/sysconfig/network-scripts/ directory. Read this chapter for information on how to use these files to configure network interfaces.
- Services and Daemons covers managing system services with the systemctl utility.
- OpenSSH describes how to configure the sshd service, as well as basic usage of the ssh, scp and sftp client utilities. Read this chapter if you need remote access to a machine.
- Viewing and Managing Log Files describes the configuration of the rsyslog daemon, and explains how to locate, view, and monitor log files. Read this chapter to learn how to work with log files.
- Automating System Tasks covers the cron, at, and batch utilities. Read this chapter to learn how to use these utilities to perform automated tasks.
- Manually Upgrading the Kernel describes how to update a kernel package with the rpm command instead of yum. Read this chapter if you cannot update a kernel package with the Yum package manager.
- The kdump Crash Recovery Service explains how to configure and use the kdump service in Fedora, and provides a brief overview of how to analyze the resulting core dump using the crash debugging utility. Read this chapter to learn how to enable kdump on your system.
- The RPM appendix describes the rpm utility. Read this appendix if you need to use rpm instead of yum.
- The sysconfig appendix describes the files and directories found in /etc/sysconfig/. Read this appendix if you want to learn more about these files and directories, their function, and their contents.
- The proc appendix describes the proc file system (that is, the /proc/ directory). Read this appendix if you want to learn more about this file system.
Only the root user is allowed to set the system date and time. To unlock the Date/Time Properties tool for changes, click the button in the bottom-left corner of the window, and provide the root password when prompted.

Setting the date and time from the command line also requires the root user. To become root, type the following at a shell prompt:

su -

The date command allows the superuser to set the system date and time manually. To change the date, run it in the following form, replacing YYYY with a four-digit year, MM with a two-digit month, and DD with a two-digit day of the month:

date +%D -s YYYY-MM-DD

For example, to set the date to 2 June 2010:

~]# date +%D -s 2010-06-02

To change the time, use the following form, where HH stands for an hour, MM is a minute, and SS is a second, all typed in two-digit form:

date +%T -s HH:MM:SS

If the system clock is set to UTC rather than local time, add the -u option:

date +%T -s HH:MM:SS -u

For example, to set the clock to 23:26:00 UTC:

~]# date +%T -s 23:26:00 -u

To verify the change, run date without any additional argument, for example:

~]$ date
Wed Jun 2 11:58:48 CEST 2010

The ntpdate utility sets the clock from an NTP server. To query a server without changing the local clock, use the -q option in the following form:

ntpdate -q server_address

For example, to query 0.fedora.pool.ntp.org, type:

~]# ntpdate -q 0.fedora.pool.ntp.org
server 204.15.208.61, stratum 2, offset -39.275438, delay 0.16083
server 69.65.40.29, stratum 2, offset -39.269122, delay 0.17191
server 148.167.132.201, stratum 2, offset -39.270239, delay 0.20482
23 May 01:05:54 ntpdate[10619]: step time server 204.15.208.61 offset -39.275438 sec

To synchronize the system clock with one or more servers, run ntpdate without -q; more than one server can be given:

ntpdate server_address...

For example:

~]# ntpdate 0.fedora.pool.ntp.org 1.fedora.pool.ntp.org
23 May 01:07:13 ntpdate[10669]: step time server 204.15.208.61 offset -39.275436 sec

Note that ntpdate steps the clock to the server's time in one jump (here by about 39 seconds), which can confuse running services and produce log timestamps that move backwards; ntpd, described below, slews the clock gradually once it is running. To verify the change, run date without any additional arguments as shown in Section 2.2.1, “Configuring the Date and Time”.

To run ntpdate automatically at boot time, enable its service:

systemctl enable ntpdate.service

If ntpdate reports an error in the /var/log/boot.log system log at boot time (typically because the network is not yet available when it runs), try to add the following line to /etc/sysconfig/network so that the network service waits for the network to come up:

NETWORKWAIT=1

To keep the clock synchronized continuously, configure the ntpd daemon to synchronize the time at boot time automatically:

1. Open the NTP configuration file /etc/ntp.conf in a text editor, creating a new one if it does not already exist.

2. Add or edit the list of public NTP servers. Fedora uses three servers by default:

server 0.fedora.pool.ntp.org iburst
server 1.fedora.pool.ntp.org iburst
server 2.fedora.pool.ntp.org iburst

The iburst directive at the end of each server line speeds up the initial synchronization after start-up.

3. Make sure the access-control lines are present. The following defaults deny everything except time service to all clients, and allow the local host unrestricted access:

restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1

These restrict lines are the security-relevant part of the configuration: noquery refuses ntpq and ntpdc queries from remote hosts (the control queries abused in NTP amplification attacks), nomodify refuses runtime configuration changes, notrap disables the trap facility, nopeer refuses unsolicited peering requests, and kod sends a Kiss-o'-Death packet to clients that exceed the rate limit. Without the default lines, any host that can reach UDP port 123 can query and, if it can spoof the right requests, reconfigure the daemon.

4. As the root user, restart ntpd for the changes to take effect:

systemctl restart ntpd.service

5. Make sure the ntpd daemon is started at boot time:

systemctl enable ntpd.service

For more information, see the following manual pages:

date(1) — The manual page for the date utility.
ntpdate(8) — The manual page for the ntpdate utility.
ntpd(8) — The manual page for the ntpd service.
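The restrict lines above are easy to leave out or to copy incompletely. The following shell script, an added example that is not part of the Fedora guide, checks an ntp.conf for the access-control defaults and the iburst hint, and runs itself against two constructed sample files (one weak, one hardened). It assumes GNU grep and a Bourne-compatible shell; the function and sample names are the example's own.

```bash
#!/usr/bin/env bash
# Audit an ntp.conf for the hardening described above. Added example; not from the guide.

# check_ntp_conf FILE: prints findings, returns 0 only when both "restrict default"
# lines exist and carry all five protective flags.
check_ntp_conf() {
    local conf="$1" rc=0 fam line flag servers
    for fam in "restrict default" "restrict -6 default"; do
        # First matching line, tabs normalized so the word match below works.
        line=$(grep -E "^[[:space:]]*${fam}([[:space:]]|$)" "$conf" | head -n1 | tr '\t' ' ')
        if [ -z "$line" ]; then
            echo "MISSING: no '${fam}' line; remote hosts may query and modify ntpd"
            rc=1
            continue
        fi
        for flag in kod nomodify notrap nopeer noquery; do
            case " $line " in
                *" $flag "*) ;;
                *) echo "WEAK: '${fam}' lacks ${flag}"; rc=1 ;;
            esac
        done
    done
    # iburst is not a security setting, but its absence means a slow first sync.
    servers=$(grep -E '^[[:space:]]*server[[:space:]]' "$conf" || true)
    if [ -z "$servers" ]; then
        echo "MISSING: no server lines"; rc=1
    elif printf '%s\n' "$servers" | grep -vq iburst; then
        echo "NOTE: a server line lacks iburst (slow initial synchronization)"
    fi
    return $rc
}

# Constructed samples (not real configurations); each writes to the given path.
write_weak_conf() {
    cat > "$1" <<'EOF'
driftfile /var/lib/ntp/drift
server 0.fedora.pool.ntp.org
restrict default kod nomodify
restrict 127.0.0.1
EOF
}
write_hardened_conf() {
    cat > "$1" <<'EOF'
driftfile /var/lib/ntp/drift
server 0.fedora.pool.ntp.org iburst
server 1.fedora.pool.ntp.org iburst
server 2.fedora.pool.ntp.org iburst
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
EOF
}

# Stand-alone use: audit the file named on the command line, or the two samples.
demo() {
    local weak hard
    weak=$(mktemp) && hard=$(mktemp)
    write_weak_conf "$weak"; write_hardened_conf "$hard"
    echo "== weak sample =="; check_ntp_conf "$weak" || echo "RESULT: not hardened"
    echo "== hardened sample =="; check_ntp_conf "$hard" && echo "RESULT: hardened"
    rm -f "$weak" "$hard"
}
if [ $# -gt 0 ]; then check_ntp_conf "$1"; else demo; fi
```

Run it as `./check-ntp.sh /etc/ntp.conf` on a live host. The weak sample produces three WEAK findings (missing notrap, nopeer and noquery on the IPv4 default) and one MISSING finding for the IPv6 default; the hardened sample produces none.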
Each file on the system is owned by a user and a group. A file's owner can be changed only by the root user, and access permissions can be changed by both the root user and the file owner.

Only root is allowed to configure users and groups. To unlock the User Accounts configuration tool for all kinds of changes, click the button in the bottom-left corner of the window, and provide the root password when prompted. When adding an account, the tool offers two account types, Administrator and Standard (the default option). When the new user's home directory is created, the default configuration files from the /etc/skel/ directory are copied into it.

To open the User Manager instead, type system-config-users at the shell prompt. Viewing and modifying user and group information requires superuser privileges. If you are not the superuser when you open the User Manager, it will prompt you for the superuser password.

When you add a user with the User Manager, the default login shell is /bin/bash and the default home directory is /home/username/. You can change the home directory that is created for the user, or you can choose not to create the home directory by unselecting Create home directory. If the home directory is created, the default configuration files from the /etc/skel/ directory are copied into it.

The fastest way to manage users and groups is from the command line; the same tasks can be performed graphically with the User Manager (system-config-users). For more information on User Manager, refer to Section 3.2, “User Manager Tool”.
The following command-line utilities are available for managing users and groups:

- useradd, usermod, and userdel — Industry-standard methods of adding, modifying and deleting user accounts
- groupadd, groupmod, and groupdel — Industry-standard methods of adding, modifying and deleting user groups
- gpasswd — Industry-standard method of administering the /etc/group file
- pwck, grpck — Tools used for the verification of the password, group, and associated shadow files
- pwconv, pwunconv — Tools used for the conversion of passwords to shadow passwords and back to standard passwords

To add a new user, run useradd followed by the username. Common command-line options for useradd are detailed in Table 3.1, “useradd Command Line Options”.

Table 3.1. useradd Command Line Options

| Option | Description |
|---|---|
| -c 'comment' | comment can be replaced with any string. This option is generally used to specify the full name of a user. |
| -d home_directory | Home directory to be used instead of the default /home/username/. |
| -e date | Date on which the account is disabled, in the format YYYY-MM-DD. |
| -f days | Number of days after the password expires until the account is disabled. If 0 is specified, the account is disabled immediately after the password expires. If -1 is specified, the account is not disabled after the password expires. |
| -g group_name | Group name or group number for the user's default (primary) group. The group must exist prior to being specified here. |
| -G group_list | List of additional (supplementary) group names or group numbers, separated by commas, of which the user is a member. The groups must exist prior to being specified here. |
| -m | Create the home directory if it does not exist. |
| -M | Do not create the home directory. |
| -N | Do not create a user private group for the user. |
| -p password | The password hash as produced by crypt. useradd does not hash a plain-text value given here, and the value is visible to other users in the process list while the command runs, so prefer setting the password afterwards with passwd. |
| -r | Create a system account with a UID less than 500 and without a home directory. |
| -s shell | User's login shell, which defaults to /bin/bash. |
| -u uid | User ID for the user, which must be unique and greater than 499. |
To add a new group to the system, use groupadd:

groupadd group_name

Common command-line options for groupadd are detailed in Table 3.2, “groupadd Command Line Options”.

Table 3.2. groupadd Command Line Options

| Option | Description |
|---|---|
| -f, --force | When used with -g gid and gid already exists, groupadd will choose another unique gid for the group. |
| -g gid | Group ID for the group, which must be unique and greater than 499. |
| -K, --key key=value | Override /etc/login.defs defaults. |
| -o, --non-unique | Allow creating a group with a GID that is already in use by another group. |
| -p, --password password | Use this hashed (crypt) password for the new group. |
| -r | Create a system group with a GID less than 500. |
To configure password expiration for a user from a shell prompt, use the chage command with an option from Table 3.3, “chage Command Line Options”, followed by the username.

Shadow passwords must be enabled to use the chage command. For more information, see Section 3.7, “Shadow Passwords”.

Table 3.3. chage Command Line Options

| Option | Description |
|---|---|
| -d days | Specifies the number of days since January 1, 1970 on which the password was last changed (a date in the format YYYY-MM-DD is also accepted). |
| -E date | Specifies the date on which the account expires and is locked, in the format YYYY-MM-DD. Instead of the date, the number of days since January 1, 1970 can also be used. |
| -I days | Specifies the number of inactive days after the password expiration before locking the account. If the value is 0, the account is locked as soon as the password expires; -1 removes the inactivity limit. |
| -l | Lists current account aging settings. |
| -m days | Specifies the minimum number of days between password changes. If the value is 0, the user may change the password at any time. |
| -M days | Specifies the maximum number of days for which the password is valid. When the day of the last change (see -d) plus this number of days is earlier than the current day, the user must change the password before using the account. |
| -W days | Specifies the number of days before the password expiration date on which to warn the user. |

If the chage command is followed directly by a username (with no options), it displays the current password aging values and allows them to be changed interactively.

You can configure a password to expire the first time a user logs in, which forces the user to change it immediately:

1. Set up an initial password. Either assign a default password:

passwd username

or assign a null password:

passwd -d username

A null password, while convenient, is highly insecure: until the user logs in and sets a real password, any third party can log in first using the username, unless the PAM configuration forbids empty passwords. Prefer a default password communicated to the user out of band.

2. Force immediate password expiration:

chage -d 0 username

This sets the date of the last password change to the epoch (January 1, 1970), so the password has expired regardless of the aging policy, and the user is prompted for a new password at the next login.
The following steps illustrate what happens if the command useradd juan is issued on a system that has shadow passwords enabled:

1. A new line for juan is created in /etc/passwd:

juan:x:501:501::/home/juan:/bin/bash

The line has the following characteristics:

- It begins with the username juan.
- There is an x for the password field indicating that the system is using shadow passwords.
- A UID greater than 499 is created. (UIDs and GIDs below 500 are reserved for system use.)
- A GID greater than 499 is created.
- The optional GECOS information is left blank.
- The home directory for juan is set to /home/juan/.
- The default shell is set to /bin/bash.

2. A new line for juan is created in /etc/shadow:

juan:!!:14798:0:99999:7:::

The line has the following characteristics:

- It begins with the username juan.
- Two exclamation marks (!!) appear in the password field of the /etc/shadow file, which locks the account: no hash can match, so no password login is possible until one is set.
- If a hashed password is passed using the -p flag, it is placed in the /etc/shadow file on the new line for the user.
- The remaining fields hold the defaults from /etc/login.defs: the day of the last change (14798 days since the epoch), no minimum age, a maximum age of 99999 days (the password effectively never expires), and a warning period of 7 days.

3. A new line for a group named juan is created in /etc/group:

juan:x:501:

A group with the same name as a user is called a user private group. The line in /etc/group has the following characteristics:

- It begins with the group name juan.
- An x appears in the password field indicating that the system is using shadow group passwords.
- The GID matches the one listed for user juan in /etc/passwd.

4. A new line for a group named juan is created in /etc/gshadow:

juan:!::

The line has the following characteristics:

- It begins with the group name juan.
- An exclamation mark (!) appears in the password field of the /etc/gshadow file, which locks the group password, so nobody can join the group with newgrp by supplying a password.
- All other fields are blank.

5. A directory for user juan is created in the /home/ directory:

~]# ls -l /home
total 4
drwx------. 4 juan juan 4096 Mar 3 18:23 juan

This directory is owned by user juan and group juan. It has read, write, and execute privileges only for the user juan. All other permissions are denied.

6. The files within the /etc/skel/ directory (which contain default user settings) are copied into the new /home/juan/ directory:

~]# ls -la /home/juan
total 28
drwx------. 4 juan juan 4096 Mar 3 18:23 .
drwxr-xr-x. 5 root root 4096 Mar 3 18:23 ..
-rw-r--r--. 1 juan juan 18 Jun 22 2010 .bash_logout
-rw-r--r--. 1 juan juan 176 Jun 22 2010 .bash_profile
-rw-r--r--. 1 juan juan 124 Jun 22 2010 .bashrc
drwxr-xr-x. 2 juan juan 4096 Jul 14 2010 .gnome2
drwxr-xr-x. 4 juan juan 4096 Nov 23 15:09 .mozilla

At this point, a locked account called juan exists on the system. To activate it, the administrator must next assign a password to the account using the passwd command and, optionally, set password aging guidelines.
Table 3.4 lists the standard users configured in the /etc/passwd file by an Everything installation. The group ID (GID) in this table is the primary group for the user; a GID in parentheses is a group the user is placed in that is not the user's own. Rows with a dash in the UID column are group-only entries listed for their GID. See Section 3.5, “Standard Groups” for a listing of standard groups. Note that several service accounts (for example postgres, mysql, gdm and rpm) ship with /bin/bash as their shell and rely solely on a locked password to prevent interactive logins; when auditing a system, check that such accounts have no valid password hash, or change the shell to /sbin/nologin where the service does not need a shell.

Table 3.4. Standard Users

| User | UID | GID | Home Directory | Shell | Packages |
|---|---|---|---|---|---|
| root | 0 | 0 | /root | /bin/bash | setup |
| bin | 1 | 1 | /bin | /sbin/nologin | setup |
| daemon | 2 | 2 | /sbin | /sbin/nologin | setup |
| sys | — | 3 | — | — | setup |
| adm | 3 | 4 | /var/adm | /bin/bash | setup |
| tty | — | 5 | — | — | setup |
| disk | — | 6 | — | — | setup |
| lp | 4 | 7 | /var/spool/lpd | /sbin/nologin | setup |
| mem | — | 8 | — | — | setup |
| kmem | — | 9 | — | — | setup |
| wheel | — | 10 | — | — | setup |
| cdrom | — | 11 | — | — | udev, MAKEDEV |
| sync | 5 | (0) | /sbin | /bin/sync | setup |
| shutdown | 6 | (0) | /sbin | /sbin/shutdown | setup |
| halt | 7 | (0) | /sbin | /sbin/halt | setup |
| mail | 8 | 12 | /var/spool/mail | /sbin/nologin | setup |
| news | 9 | 13 | /var/spool/news | /sbin/nologin | setup |
| uucp | 10 | 14 | /var/spool/uucp | /sbin/nologin | setup |
| operator | 11 | (0) | /root | /sbin/nologin | setup |
| games | 12 | (100) | /usr/games | /sbin/nologin | setup |
| gopher | 13 | 30 | /usr/lib/gopher-data | /sbin/nologin | setup |
| ftp | 14 | 50 | /var/ftp | /sbin/nologin | setup |
| man | — | 15 | — | — | setup |
| oprofile | 16 | 16 | /home/oprofile | /sbin/nologin | oprofile |
| pkiuser | 17 | 17 | /usr/share/pki | /sbin/nologin | pki-ca, rhpki-ca |
| dialout | — | 18 | — | — | udev, MAKEDEV |
| floppy | — | 19 | — | — | dev, MAKEDEV |
| games | — | 20 | — | — | setup |
| slocate | — | 21 | — | — | slocate |
| utmp | — | 22 | — | — | initscripts, libutempter |
| squid | 23 | 23 | /var/spool/squid | /dev/null | squid |
| pvm | 24 | 24 | /usr/share/pvm3 | /bin/bash | pvm |
| named | 25 | 25 | /var/named | /bin/false | bind |
| postgres | 26 | 26 | /var/lib/pgsql | /bin/bash | postgresql-server |
| mysql | 27 | 27 | /var/lib/mysql | /bin/bash | mysql |
| nscd | 28 | 28 | / | /bin/false | nscd |
| rpcuser | 29 | 29 | /var/lib/nfs | /bin/false | nfs-utils |
| console | — | 31 | — | — | dev |
| rpc | 32 | 32 | / | /bin/false | portmap |
| amanda | 33 | (6) | /var/lib/amanda | /bin/false | amanda |
| tape | — | 33 | — | — | udev, MAKEDEV |
| netdump | 34 | 34 | /var/crash | /bin/bash | netdump-client, netdump-server |
| utempter | — | 35 | — | — | libutempter |
| vdsm | 36 | — | / | /bin/bash | kvm, vdsm |
| kvm | — | 36 | — | — | kvm, vdsm, libvirt |
| rpm | 37 | 37 | /var/lib/rpm | /bin/bash | rpm |
| ntp | 38 | 38 | /etc/ntp | /sbin/nologin | ntp |
| video | — | 39 | — | — | setup |
| dip | — | 40 | — | — | setup |
| mailman | 41 | 41 | /var/mailman | /bin/false | mailman |
| gdm | 42 | 42 | /var/gdm | /bin/bash | gdm |
| xfs | 43 | 43 | /etc/X11/fs | /bin/false | XFree86-xfs |
| pppusers | — | 44 | — | — | linuxconf |
| popusers | — | 45 | — | — | linuxconf |
| slipusers | — | 46 | — | — | linuxconf |
| mailnull | 47 | 47 | /var/spool/mqueue | /dev/null | sendmail |
| apache | 48 | 48 | /var/www | /bin/false | apache |
| wnn | 49 | 49 | /home/wnn | /bin/bash | FreeWnn |
| smmsp | 51 | 51 | /var/spool/mqueue | /dev/null | sendmail |
| puppet | 52 | 52 | /var/lib/puppet | /sbin/nologin | puppet |
| tomcat | 53 | 53 | /var/lib/tomcat | /sbin/nologin | tomcat |
| lock | — | 54 | — | — | lockdev |
| ldap | 55 | 55 | /var/lib/ldap | /bin/false | openldap-servers |
| frontpage | 56 | 56 | /var/www | /bin/false | mod_frontpage |
| nut | 57 | 57 | /var/lib/ups | /bin/false | nut |
| beagleindex | 58 | 58 | /var/cache/beagle | /bin/false | beagle |
| tss | 59 | 59 | — | /sbin/nologin | trousers |
| piranha | 60 | 60 | /etc/sysconfig/ha | /dev/null | piranha |
| prelude-manager | 61 | 61 | — | /sbin/nologin | prelude-manager |
| snortd | 62 | 62 | — | /sbin/nologin | snortd |
| audio | — | 63 | — | — | setup |
| condor | 64 | 64 | /var/lib/condor | /sbin/nologin | condord |
| nslcd | 65 | (55) | / | /sbin/nologin | nslcd |
| wine | — | 66 | — | — | wine |
| pegasus | 66 | 65 | /var/lib/Pegasus | /sbin/nologin | tog-pegasus |
| webalizer | 67 | 67 | /var/www/html/usage | /sbin/nologin | webalizer |
| haldaemon | 68 | 68 | / | /sbin/nologin | hal |
| vcsa | 69 | 69 | — | /sbin/nologin | dev, MAKEDEV |
| avahi | 70 | 70 | /var/run/avahi-daemon | /sbin/nologin | avahi |
| realtime | — | 71 | — | — | — |
| tcpdump | 72 | 72 | / | /sbin/nologin | tcpdump |
| privoxy | 73 | 73 | /etc/privoxy | /bin/bash | privoxy |
| sshd | 74 | 74 | /var/empty/sshd | /sbin/nologin | openssh-server |
| radvd | 75 | 75 | / | /bin/false | radvd |
| cyrus | 76 | (12) | /var/imap | /bin/bash | cyrus-imapd |
| saslauth | — | 76 | — | — | cyrus-imapd |
| arpwatch | 77 | 77 | /var/lib/arpwatch | /sbin/nologin | arpwatch |
| fax | 78 | 78 | /var/spool/fax | /sbin/nologin | mgetty |
| nocpulse | 79 | 79 | /etc/sysconfig/nocpulse | /bin/bash | nocpulse |
| desktop | 80 | 80 | — | /sbin/nologin | desktop-file-utils |
| dbus | 81 | 81 | / | /sbin/nologin | dbus |
| jonas | 82 | 82 | /var/lib/jonas | /sbin/nologin | jonas |
| clamav | 83 | 83 | /tmp | /sbin/nologin | clamav |
| screen | — | 84 | — | — | screen |
| quaggavt | — | 85 | — | — | quagga |
| sabayon | 86 | 86 | — | /sbin/nologin | sabayon |
| polkituser | 87 | 87 | / | /sbin/nologin | PolicyKit |
| wbpriv | — | 88 | — | — | samba-common |
| postfix | 89 | 89 | /var/spool/postfix | /bin/true | postfix |
| postdrop | — | 90 | — | — | postfix |
| majordomo | 91 | 91 | /usr/lib/majordomo | /bin/bash | majordomo |
| quagga | 92 | 92 | / | /sbin/nologin | quagga |
| exim | 93 | 93 | /var/spool/exim | /sbin/nologin | exim |
| distcache | 94 | 94 | / | /sbin/nologin | distcache |
| radiusd | 95 | 95 | / | /bin/false | freeradius |
| hsqldb | 96 | 96 | /var/lib/hsqldb | /sbin/nologin | hsqldb |
| dovecot | 97 | 97 | /usr/libexec/dovecot | /sbin/nologin | dovecot |
| ident | 98 | 98 | / | /sbin/nologin | ident |
| nobody | 99 | 99 | / | /sbin/nologin | setup |
| users | — | 100 | — | — | setup |
| qemu | 107 | 107 | / | /sbin/nologin | libvirt |
| ovirt | 108 | 108 | / | /sbin/nologin | libvirt |
| saned | 111 | 111 | / | /sbin/nologin | sane-backends |
| vhostmd | 112 | 112 | /usr/share/vhostmd | /sbin/nologin | vhostmd |
| usbmuxd | 113 | 113 | / | /sbin/nologin | usbmuxd |
| bacula | 133 | 133 | /var/spool/bacula | /sbin/nologin | bacula |
| ricci | 140 | 140 | /var/lib/ricci | /sbin/nologin | ricci |
| luci | 141 | 141 | /var/lib/luci | /sbin/nologin | luci |
| stap-server | 155 | 155 | /var/lib/stap-server | /sbin/nologin | systemtap |
| avahi-autoipd | 170 | 170 | /var/lib/avahi-autoipd | /sbin/nologin | avahi |
| pulse | 171 | 171 | /var/run/pulse | /sbin/nologin | pulseaudio |
| rtkit | 172 | 172 | /proc | /sbin/nologin | rtkit |
| nfsnobody | 65534 [a] | 65534 | /var/lib/nfs | /sbin/nologin | nfs-utils |

[a] The UID of nfsnobody is 4294967294 on 64-bit platforms.
Table 3.5 lists the standard groups as configured by an Everything installation. Groups are stored in the /etc/group file.

Table 3.5. Standard Groups

| Group | GID | Members |
|---|---|---|
| root | 0 | root |
| bin | 1 | root, bin, daemon |
| daemon | 2 | root, bin, daemon |
| sys | 3 | root, bin, adm |
| adm | 4 | root, adm, daemon |
| tty | 5 | — |
| disk | 6 | root |
| lp | 7 | daemon, lp |
| mem | 8 | — |
| kmem | 9 | — |
| wheel | 10 | root |
| mail | 12 | mail, postfix |
| uucp | 14 | uucp |
| man | 15 | — |
| games | 20 | — |
| gopher | 30 | — |
| video | 39 | — |
| dip | 40 | — |
| ftp | 50 | — |
| lock | 54 | — |
| audio | 63 | — |
| nobody | 99 | — |
| users | 100 | — |
| dbus | 81 | — |
| usbmuxd | 113 | — |
| utmp | 22 | — |
| utempter | 35 | — |
| avahi-autoipd | 170 | — |
| floppy | 19 | — |
| vcsa | 69 | — |
| rpc | 32 | — |
| rtkit | 499 | — |
| abrt | 498 | — |
| nscd | 28 | — |
| desktop_admin_r | 497 | — |
| desktop_user_r | 496 | — |
| cdrom | 11 | — |
| tape | 33 | — |
| dialout | 18 | — |
| haldaemon | 68 | haldaemon |
| apache | 48 | — |
| ldap | 55 | — |
| saslauth | 495 | — |
| postdrop | 90 | — |
| postfix | 89 | — |
| avahi | 70 | — |
| ntp | 38 | — |
| rpcuser | 29 | — |
| nfsnobody | 65534 | — |
| pulse | 494 | — |
| pulse-access | 493 | — |
| fuse | 492 | — |
| gdm | 42 | — |
| stapdev | 491 | — |
| stapusr | 490 | — |
| sshd | 74 | — |
| tcpdump | 72 | — |
| slocate | 21 | — |
| dovecot | 97 | — |
| dovenull | 489 | — |
| mailnull | 47 | — |
| smmsp | 51 | — |
The setting that determines the permissions applied to a newly created file or directory is called the umask and is configured in the /etc/bashrc file. Traditionally on UNIX systems, the umask is set to 022, which allows only the user who created the file or directory to make modifications. Under this scheme, all other users, including members of the creator's group, are not allowed to make any modifications. However, under the user private group (UPG) scheme, this "group protection" is not necessary since every user has their own private group, so /etc/bashrc sets a umask of 002 for regular users whose primary group has the same name as their username: new files are group-writable, but the only member of that group is the user.

This combination makes it easy to let a group of users work on a shared directory. Imagine, for example, that a group of people needs to work on files in the /opt/myproject/ directory. Some people are trusted to modify the contents of this directory, but not everyone.

1. As root, create the /opt/myproject/ directory by typing the following at a shell prompt:

mkdir /opt/myproject

2. Add the myproject group to the system:

groupadd myproject

3. Associate the contents of the /opt/myproject/ directory with the myproject group:

chown root:myproject /opt/myproject

4. Allow members of the group to create files within the directory, and set the setgid bit so that files created inside it inherit the group:

chmod 2775 /opt/myproject

At this point, all members of the myproject group (users are added to it with usermod -aG myproject username) can create and edit files in the /opt/myproject/ directory without the administrator having to change file permissions every time users write new files: the setgid bit gives each new file the group myproject instead of the creator's private group, and the umask of 002 leaves it group-writable. Note that mode 2775 also leaves the directory readable and searchable by every other user on the system; use 2770 if non-members should not be able to read the project files.

To verify that the permissions have been set correctly, run the following command:

~]# ls -l /opt
total 4
drwxrwsr-x. 3 root myproject 4096 Mar 3 18:31 myproject

The s in the group execute position is the setgid bit.
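The procedure above is easy to get subtly wrong (a plain chmod 775, or a later chmod that drops the setgid bit). The following shell script, an added example that is not part of the Fedora guide, sets up a directory the same way and then verifies the properties that matter: group ownership, the setgid bit, group write access, and no world write access. It assumes GNU coreutils (stat -c). Because groupadd needs root, the stand-alone demo uses the current user's primary group instead of a new myproject group; the function names are the example's own.

```bash
#!/usr/bin/env bash
# Set up and verify a setgid shared project directory. Added example; not from the guide.

# setup_shared_dir DIR OWNER GROUP: the mkdir/chown/chmod 2775 steps from the procedure.
setup_shared_dir() {
    local dir="$1" owner="$2" group="$3"
    mkdir -p "$dir" && chown "$owner:$group" "$dir" && chmod 2775 "$dir"
}

# verify_shared_dir DIR GROUP: prints findings; returns 0 only when DIR is group-owned
# by GROUP, has the setgid bit, is group-writable, and is not world-writable.
verify_shared_dir() {
    local dir="$1" group="$2" rc=0 mode grp
    [ -d "$dir" ] || { echo "FAIL: $dir is not a directory"; return 1; }
    # GNU stat %a prints the octal mode including the special bits, e.g. 2775.
    mode=$(printf '%04d' "$(stat -c '%a' "$dir")")
    grp=$(stat -c '%G' "$dir")
    [ "$grp" = "$group" ] || { echo "FAIL: group is $grp, expected $group"; rc=1; }
    # Special-bits digit: 2 = setgid, 3 = setgid+sticky, 6/7 = setuid as well.
    case "$mode" in [2367]???) ;; *) echo "FAIL: setgid bit not set (mode $mode); new files will not inherit the group"; rc=1 ;; esac
    case "$mode" in ??7?) ;; *) echo "FAIL: group lacks rwx (mode $mode)"; rc=1 ;; esac
    # A world-writable shared directory lets any local user plant or remove files.
    case "$mode" in ???[2367]) echo "FAIL: directory is world-writable (mode $mode)"; rc=1 ;; esac
    case "$mode" in ???[4567]) echo "NOTE: directory is world-readable; use 2770 if the contents are private" ;; esac
    [ $rc -eq 0 ] && echo "OK: $dir is group $grp, mode $mode"
    return $rc
}

# Stand-alone demo in a temporary directory, using the caller's own primary group.
demo() {
    local base group
    base=$(mktemp -d) && group=$(id -gn)
    setup_shared_dir "$base/myproject" "$(id -un)" "$group"
    verify_shared_dir "$base/myproject" "$group"
    chmod 0777 "$base/myproject"        # a careless "fix" that drops setgid and opens the dir
    verify_shared_dir "$base/myproject" "$group" || echo "RESULT: misconfigured, as expected"
    rm -rf "$base"
}
if [ $# -ge 2 ]; then verify_shared_dir "$1" "$2"; else demo; fi
```

On a live system, run `./check-shared-dir.sh /opt/myproject myproject` after the procedure, and again after anyone reports permission problems in the directory; a report of "setgid bit not set" is the usual cause of files showing up with the wrong group.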
Shadow passwords are an advanced user and password management technique provided by the shadow-utils package. Doing so enhances the security of system authentication files. For this reason, the installation program enables shadow passwords by default.

Shadow passwords offer the following advantages over storing password hashes in the world-readable /etc/passwd file:

- They move the password hashes from the /etc/passwd file to /etc/shadow, which is readable only by the root user, so an unprivileged user or a compromised service cannot copy the hashes for offline cracking.
- They store information about password aging in /etc/shadow.
- They allow the /etc/login.defs file to enforce security policies.

Most utilities provided by the shadow-utils package work properly whether or not shadow passwords are enabled. However, since password aging information is stored exclusively in the /etc/shadow file, the following commands and options, which create or modify password aging information, do not work without it:

- chage
- gpasswd
- usermod -e or -f options
- useradd -e or -f options
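The fields described in the useradd walkthrough and in this section (the x placeholder in /etc/passwd, the !! lock and the aging fields in /etc/shadow) are what an administrator checks when auditing accounts. The following shell script, an added example that is not part of the Fedora guide, reads files in /etc/passwd and /etc/shadow format and flags the conditions discussed above: a second UID 0 account, a hash left in the world-readable passwd file, an empty password field, and interactive accounts whose password never expires. It runs against constructed sample files embedded in the script (the hashes are placeholders, not real); the function and sample names are the example's own.

```bash
#!/usr/bin/env bash
# Audit passwd/shadow style files for the conditions in the text. Added example; not from the guide.

# audit_accounts PASSWD SHADOW: prints CRITICAL/WARN/INFO findings, one per line;
# returns 1 if any CRITICAL finding was made.
audit_accounts() {
    local passwd="$1" shadow="$2" critical=0
    local name pw uid gid gecos home shell
    while IFS=: read -r name pw uid gid gecos home shell; do
        [ -n "$name" ] || continue
        if [ "$uid" = 0 ] && [ "$name" != root ]; then
            echo "CRITICAL: $name has UID 0 (a second superuser account)"; critical=1
        fi
        # With shadow passwords the field is "x"; anything else is a hash anyone can read.
        if [ "$pw" != x ] && [ "$pw" != "*" ]; then
            echo "CRITICAL: $name keeps a password hash in the world-readable passwd file"; critical=1
        fi
    done < "$passwd"

    local lastchg min max warn inact expire flag
    while IFS=: read -r name pw lastchg min max warn inact expire flag; do
        [ -n "$name" ] || continue
        shell=$(awk -F: -v u="$name" '$1 == u { print $7 }' "$passwd")
        case "$pw" in
            "")
                echo "CRITICAL: $name has an empty password (login without a password where PAM allows nullok)"
                critical=1 ;;
            '!'*|'*'*)
                echo "INFO: $name is locked (password field starts with ! or *)" ;;
            *)
                # 99999 is the useradd default: the password effectively never expires.
                if [ "${max:-99999}" -ge 99999 ] && [ "$shell" != /sbin/nologin ] && [ "$shell" != /bin/false ]; then
                    echo "WARN: $name has an interactive shell and a password that never expires (max=${max:-none}); see chage -M"
                fi ;;
        esac
    done < "$shadow"
    return $critical
}

# Constructed samples: not taken from any real system. Hashes are placeholders.
write_sample_passwd() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
juan:x:501:501::/home/juan:/bin/bash
backdoor:x:0:0::/root:/bin/bash
guest:x:502:502::/home/guest:/bin/bash
legacy:$1$Xy9zQ$placeholderhash:503:503::/home/legacy:/bin/bash
EOF
}
write_sample_shadow() {
    cat > "$1" <<'EOF'
root:$6$saltsalt$placeholderhash:14798:0:99999:7:::
bin:*:14798:0:99999:7:::
juan:!!:14798:0:99999:7:::
backdoor:$6$saltsalt$anotherplaceholder:14798:0:99999:7:::
guest::14798:0:99999:7:::
EOF
}

# Stand-alone use: audit the files named on the command line, or the samples.
demo() {
    local p s
    p=$(mktemp) && s=$(mktemp)
    write_sample_passwd "$p"; write_sample_shadow "$s"
    audit_accounts "$p" "$s" || echo "RESULT: critical findings present"
    rm -f "$p" "$s"
}
if [ $# -ge 2 ]; then audit_accounts "$1" "$2"; else demo; fi
```

Run it as root with `./audit-accounts.sh /etc/passwd /etc/shadow` (reading /etc/shadow requires root, which is the point of the shadow scheme). On the samples it reports three CRITICAL findings (backdoor, legacy, guest), two WARN findings (root and backdoor, whose passwords never expire) and two INFO lines for the locked bin and juan accounts.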
For more information about users and groups, refer to the following manual pages:

- man chage — A command to modify password aging policies and account expiration.
- man gpasswd — A command to administer the /etc/group file.
- man groupadd — A command to add groups.
- man grpck — A command to verify the /etc/group file.
- man groupdel — A command to remove groups.
- man groupmod — A command to modify group definitions (name and GID).
- man pwck — A command to verify the /etc/passwd and /etc/shadow files.
- man pwconv — A tool to convert standard passwords to shadow passwords.
- man pwunconv — A tool to convert shadow passwords to standard passwords.
- man useradd — A command to add users.
- man userdel — A command to remove users.
- man usermod — A command to modify users.
- man 5 group — The file containing group information for the system.
- man 5 passwd — The file containing user information for the system.
- man 5 shadow — The file containing passwords and account expiration information for the system.
This chapter describes how to use yum to install, update or remove packages on your system. All examples in this chapter assume that you have already obtained superuser privileges by using either the su or sudo command.

To see which installed packages on your system have updates available, use the yum check-update command:

~]# yum check-update
Loaded plugins: langpacks, presto, refresh-packagekit
PackageKit.x86_64 0.6.14-2.fc15 fedora
PackageKit-command-not-found.x86_64 0.6.14-2.fc15 fedora
PackageKit-device-rebind.x86_64 0.6.14-2.fc15 fedora
PackageKit-glib.x86_64 0.6.14-2.fc15 fedora
PackageKit-gstreamer-plugin.x86_64 0.6.14-2.fc15 fedora
PackageKit-gtk-module.x86_64 0.6.14-2.fc15 fedora
PackageKit-gtk3-module.x86_64 0.6.14-2.fc15 fedora
PackageKit-yum.x86_64 0.6.14-2.fc15 fedora
PackageKit-yum-plugin.x86_64 0.6.14-2.fc15 fedora
gdb.x86_64 7.2.90.20110429-36.fc15 fedora
kernel.x86_64 2.6.38.6-26.fc15 fedora
rpm.x86_64 4.9.0-6.fc15 fedora
rpm-libs.x86_64 4.9.0-6.fc15 fedora
rpm-python.x86_64 4.9.0-6.fc15 fedora
yum.noarch 3.2.29-5.fc15 fedora

Each line lists one package for which an update is available. Taking the first line as an example, the fields are:

- PackageKit — the name of the package
- x86_64 — the CPU architecture the package was built for
- 0.6.14-2.fc15 — the version and release of the updated package that would be installed
- fedora — the repository in which the updated package is located

The output also shows that yum can update the kernel (the kernel package), yum and rpm themselves (the yum and rpm packages), as well as their dependencies (such as the rpm-libs and rpm-python packages), all using yum.

To update a single package, run yum update package_name, for example:

~]# yum update gdb
Loaded plugins: langpacks, presto, refresh-packagekit
Setting up Update Process
Resolving Dependencies
--> Running transaction check
---> Package gdb.x86_64 0:7.2.90.20110411-34.fc15 will be updated
---> Package gdb.x86_64 0:7.2.90.20110429-36.fc15 will be an update
--> Finished Dependency Resolution
Dependencies Resolved
================================================================================
Package Arch Version Repository Size
================================================================================
Updating:
gdb x86_64 7.2.90.20110429-36.fc15 fedora 1.9 M
Transaction Summary
================================================================================
Upgrade 1 Package(s)
Total download size: 1.9 M
Is this ok [y/N]:

This output contains several items of interest:

- Loaded plugins: — yum always informs you which Yum plugins are installed and enabled. Here, yum is using the langpacks, presto, and refresh-packagekit plugins. Refer to Section 4.4, “Yum Plugins” for general information on Yum plugins, or to Section 4.4.3, “Plugin Descriptions” for descriptions of specific plugins.
- gdb.x86_64 — the package that yum can download and install as an update to the installed gdb.
- Is this ok [y/N]: — yum presents the update information and then prompts you as to whether you want it to perform the update; yum runs interactively by default. If you already know which transactions yum plans to perform, you can use the -y option to automatically answer yes to any questions yum may ask (in which case it runs non-interactively). However, you should always examine which changes yum plans to make to the system so that you can easily troubleshoot any problems that might arise; unattended -y runs are where an unexpected dependency pulls in, or replaces, a package nobody reviewed.

To see a log of all the transactions yum has performed, type cat /var/log/yum.log at a shell prompt. The most recent transactions are listed at the end of the log file.

yum always installs a new kernel in the same sense that RPM installs a new kernel when you use the command rpm -i kernel. Therefore, you do not need to worry about the distinction between installing and upgrading a kernel package when you use yum: it will do the right thing, regardless of whether you are using the yum update or yum install command.

When using RPM, on the other hand, it is important to use the rpm -i kernel command (which installs a new kernel alongside the current one) instead of rpm -U kernel (which replaces the current kernel, leaving no known-good kernel to boot if the new one fails). Refer to Section A.2.2, “Installing and Upgrading” for more information on installing and updating kernels with RPM.

To update all packages and their dependencies, run the yum update command (without any arguments):

~]# yum update

Discovering which packages have security updates available, and then updating those packages quickly, is important. The security plugin extends the yum command with a set of highly useful security-centric commands, subcommands and options. Refer to Section 4.4.3, “Plugin Descriptions” for specific information.
To search for packages, use the yum search term [more_terms] command. yum displays the list of matches for each term, for example:

~]# yum search meld kompare
Loaded plugins: langpacks, presto, refresh-packagekit
============================== N/S Matched: meld ===============================
meld.noarch : Visual diff and merge tool
python-meld3.x86_64 : HTML/XML templating system for Python
============================= N/S Matched: kompare =============================
komparator.x86_64 : Kompare and merge two folders
Name and summary matches only, use "search all" for everything.

The yum search command is useful for searching for packages you do not know the name of, but for which you know a related term.

The yum list and related commands provide information about packages, package groups, and repositories. All of them accept glob expressions as arguments: * (which expands to match any character multiple times) and ? (which expands to match any one character).

Be careful to escape glob expressions when passing them to the yum command, otherwise the Bash shell will interpret these expressions as pathname expansions, and potentially pass all files in the current directory that match the globs to yum. To make sure the glob expressions are passed to yum as intended, either escape each wildcard with a backslash (as in abrt-addon\*) or enclose the whole expression in quotes (as in "krb?-*"). Both forms appear in the examples below.

yum list glob_expr [more_glob_exprs] lists information on installed and available packages matching all glob expressions. For example:

~]# yum list abrt-addon\* abrt-plugin\*
Loaded plugins: langpacks, presto, refresh-packagekit
Installed Packages
abrt-addon-ccpp.x86_64 2.0.2-5.fc15 @fedora
abrt-addon-kerneloops.x86_64 2.0.2-5.fc15 @fedora
abrt-addon-python.x86_64 2.0.2-5.fc15 @fedora
abrt-plugin-bugzilla.x86_64 2.0.2-5.fc15 @fedora
abrt-plugin-logger.x86_64 2.0.2-5.fc15 @fedora
Available Packages
abrt-plugin-mailx.x86_64 2.0.2-5.fc15 updates
abrt-plugin-reportuploader.x86_64 2.0.2-5.fc15 updates
abrt-plugin-rhtsupport.x86_64 2.0.2-5.fc15 updates

yum list all lists all installed and available packages:

~]# yum list all
Loaded plugins: langpacks, presto, refresh-packagekit
Installed Packages
ConsoleKit.x86_64 0.4.4-1.fc15 @fedora
ConsoleKit-libs.x86_64 0.4.4-1.fc15 @fedora
ConsoleKit-x11.x86_64 0.4.4-1.fc15 @fedora
GConf2.x86_64 2.32.3-1.fc15 @fedora
GConf2-gtk.x86_64 2.32.3-1.fc15 @fedora
ModemManager.x86_64 0.4-7.git20110201.fc15 @fedora
NetworkManager.x86_64 1:0.8.998-4.git20110427.fc15 @fedora
NetworkManager-glib.x86_64 1:0.8.998-4.git20110427.fc15 @fedora
NetworkManager-gnome.x86_64 1:0.8.998-4.git20110427.fc15 @fedora
NetworkManager-openconnect.x86_64 0.8.1-9.git20110419.fc15 @fedora
[output truncated]

yum list installed lists all packages installed on your system, optionally restricted by glob expressions:

~]# yum list installed "krb?-*"
Loaded plugins: langpacks, presto, refresh-packagekit
Installed Packages
krb5-libs.x86_64 1.9-7.fc15 @fedora

yum list available lists all available packages in all enabled repositories, optionally restricted by glob expressions:

~]# yum list available gstreamer\*plugin\*
Loaded plugins: langpacks, presto, refresh-packagekit
Available Packages
gstreamer-plugin-crystalhd.x86_64 3.5.1-1.fc14 fedora
gstreamer-plugins-bad-free.x86_64 0.10.22-1.fc15 updates
gstreamer-plugins-bad-free-devel.x86_64 0.10.22-1.fc15 updates
gstreamer-plugins-bad-free-devel-docs.x86_64 0.10.22-1.fc15 updates
gstreamer-plugins-bad-free-extras.x86_64 0.10.22-1.fc15 updates
gstreamer-plugins-base.x86_64 0.10.33-1.fc15 updates
gstreamer-plugins-base-devel.x86_64 0.10.33-1.fc15 updates
gstreamer-plugins-base-devel-docs.noarch 0.10.33-1.fc15 updates
gstreamer-plugins-base-tools.x86_64 0.10.33-1.fc15 updates
gstreamer-plugins-espeak.x86_64 0.3.3-3.fc15 fedora
gstreamer-plugins-fc.x86_64 0.2-2.fc15 fedora
gstreamer-plugins-good.x86_64 0.10.29-1.fc15 updates
gstreamer-plugins-good-devel-docs.noarch 0.10.29-1.fc15 updates

yum grouplist lists all package groups:

~]# yum grouplist
Loaded plugins: langpacks, presto, refresh-packagekit
Setting up Group Process
Installed Groups:
Administration Tools
Design Suite
Dial-up Networking Support
Fonts
GNOME Desktop Environment
[output truncated]

yum repolist lists the repository ID, name, and number of packages it provides for each enabled repository:

~]# yum repolist
Loaded plugins: langpacks, presto, refresh-packagekit
repo id repo name status
fedora Fedora 15 - i386 19,365
updates Fedora 15 - i386 - Updates 3,848
repolist: 23,213

The yum info package_name [more_names] command displays information about one or more packages (glob expressions are valid here as well). For example, to display information about the abrt package, type:

~]# yum info abrt
Loaded plugins: langpacks, presto, refresh-packagekit
Installed Packages
Name : abrt
Arch : x86_64
Version : 2.0.1
Release : 2.fc15
Size : 806 k
Repo : installed
From repo : fedora
Summary : Automatic bug detection and reporting tool
URL : https://fedorahosted.org/abrt/
License : GPLv2+
Description : abrt is a tool to help users to detect defects in applications and
: to create a bug report with all informations needed by maintainer
: to fix it. It uses plugin system to extend its functionality.

The yum info package_name command is similar to the rpm -q --info package_name command, but provides as additional information the ID of the Yum repository the RPM package is found in (look for the From repo line in the output).
yumdb info package_name [more_names] command can be used to query the Yum database for alternative and useful information about a package, including the checksum of the package (and algorithm used to produce it, such as SHA-256), the command given on the command line that was invoked to install the package (if any), and the reason that the package is installed on the system (where user indicates it was installed by the user, and dep means it was brought in as a dependency). For example, to display additional information about the yum package, type:
~]# yumdb info yum
Loaded plugins: langpacks, presto, refresh-packagekit
yum-3.2.29-4.fc15.noarch
checksum_data = 249f21fb43c41381c8c9b0cd98d2ea5fa0aa165e81ed2009cfda74c05af67246
checksum_type = sha256
from_repo = fedora
from_repo_revision = 1304429533
from_repo_timestamp = 1304442346
installed_by = 0
reason = user
releasever = $releasever
For more information on the yumdb command, see man yumdb.
The yum history command can be used to show a timeline of Yum transactions, the dates and times on which they occurred, the number of packages affected, whether transactions succeeded or were aborted, and whether the RPM database was changed between transactions. Refer to the history section of man yum for details.
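The from_repo and checksum_type fields shown above are what a host-level provenance check should look at. The following shell script, added here as an example and not part of yum or of this guide, parses yumdb info output and flags packages that came from outside an allow-listed set of repositories, have no repository recorded at all (a local or manual install), or carry no SHA-256 checksum. The TRUSTED_REPOS list and the sample output it runs over are constructed assumptions for the demonstration.

```shell
#!/bin/sh
# Provenance audit over "yumdb info" output. Added example for this page, not part
# of yum; the allow-list below and the sample output are constructed assumptions.

# Assumption: these are the only repositories this host is allowed to install from.
TRUSTED_REPOS="fedora updates"

# yumdb_audit: read "yumdb info" text on stdin, print one "<nevra>: <finding>" line per
# package that (a) has no from_repo (manual/local install), (b) came from a repository
# outside TRUSTED_REPOS, or (c) has no sha256 checksum recorded.
yumdb_audit() {
  awk -v trusted="$TRUSTED_REPOS" '
    BEGIN { n = split(trusted, t, " "); for (i = 1; i <= n; i++) ok[t[i]] = 1 }
    function flush() {
      if (pkg == "") return
      if (repo == "")             print pkg ": no from_repo recorded (local or manual install?)"
      else if (!(repo in ok))     print pkg ": installed from untrusted repository \"" repo "\""
      if (ctype == "")            print pkg ": no checksum recorded"
      else if (ctype != "sha256") print pkg ": checksum_type is \"" ctype "\", not sha256"
      pkg = ""; repo = ""; ctype = ""
    }
    /^Loaded plugins:/ { next }           # yum banner line, not a package
    /^[^ \t]/ { flush(); pkg = $1; next }  # unindented line starts a new package record
    /^[ \t]+[A-Za-z_]+ = / {              # indented "key = value" lines belong to pkg
      if ($1 == "from_repo")          repo = $3
      else if ($1 == "checksum_type") ctype = $3
    }
    END { flush() }
  '
}

# Constructed sample in the layout yumdb info prints (the indentation matters to the parser).
SAMPLE_YUMDB='Loaded plugins: langpacks, presto, refresh-packagekit
yum-3.2.29-4.fc15.noarch
     checksum_data = 249f21fb43c41381c8c9b0cd98d2ea5fa0aa165e81ed2009cfda74c05af67246
     checksum_type = sha256
     from_repo = fedora
     installed_by = 0
     reason = user
     releasever = 15
example-agent-1.0-1.fc15.x86_64
     checksum_data = 0123456789abcdef0123456789abcdef01234567
     checksum_type = sha1
     from_repo = third-party
     installed_by = 0
     reason = user
     releasever = 15
legacy-tool-0.9-2.fc15.noarch
     installed_by = 0
     reason = dep
     releasever = 15'

# Run the audit over the sample; each finding is printed on its own line.
printf '%s\n' "$SAMPLE_YUMDB" | yumdb_audit
```

On a live system, pipe the output of yumdb info for the packages you want to check into yumdb_audit instead of the constructed sample; a package with no from_repo entry is worth a second look because yumdb only records that field for installs that went through a repository.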
You can install a single package and all of its non-installed dependencies with yum install package_name, or several packages at once with yum install package_name [more_names]. On a multilib system, to install a package for a specific architecture, append .arch to the package name. For example, to install the sqlite2 package for i686, type:
~]# yum install sqlite2.i686
You can use glob expressions to quickly install multiple similarly-named packages:
~]# yum install audacious-plugins-\*
In addition to package names and glob expressions, you can also provide file names to yum install. If you know the name of the binary you want to install, but not its package name, you can give yum install the path name:
~]# yum install /usr/sbin/named
yum then searches through its package lists, finds the package which provides /usr/sbin/named, if any, and prompts you as to whether you want to install it.
If you know you want to install the package that contains the named binary, but you do not know in which bin or sbin directory the file is installed, use the yum provides command with a glob expression:
~]# yum provides "*bin/named"
Loaded plugins: langpacks, presto, refresh-packagekit
32:bind-9.8.0-3.P1.fc15.i686 : The Berkeley Internet Name Domain (BIND) DNS
: (Domain Name System) server
Repo : fedora
Matched from:
Filename : /usr/sbin/named
yum provides "*/file_name" is a common and useful trick to find the packages that contain file_name.
The yum grouplist -v command lists the names of all package groups, and, next to each of them, their groupid in parentheses. The groupid is always the term in the last pair of parentheses, such as kde-desktop in the following example:
~]# yum -v grouplist kde\*
Not loading "blacklist" plugin, as it is disabled
Loading "langpacks" plugin
Loading "presto" plugin
Loading "refresh-packagekit" plugin
Not loading "whiteout" plugin, as it is disabled
Adding en_US to language list
Config time: 0.900
Yum Version: 3.2.29
Setting up Group Process
rpmdb time: 0.002
group time: 0.995
Available Groups:
KDE Software Compilation (kde-desktop)
KDE Software Development (kde-software-development)
Done
You can install a package group by passing its full group name (without the groupid part) to groupinstall, for example:
~]# yum groupinstall "KDE Software Compilation"
You can also install by groupid:
~]# yum groupinstall kde-desktop
You can even pass the groupid (or quoted name) to the install command if you prepend it with an @-symbol (which tells yum that you want to perform a groupinstall):
~]# yum install @kde-desktop
yum remove package_name uninstalls (removes in RPM and Yum terminology) the package, as well as any packages that depend on it. As when you install multiple packages, you can remove several at once by adding more package names to the command. For example, to remove totem, rhythmbox, and sound-juicer, type the following at a shell prompt:
~]# yum remove totem rhythmbox sound-juicer
Because the dependent packages are removed as well, review the transaction summary yum prints before confirming it. Similar to install, remove accepts package names, glob expressions, and file names as arguments, as shown for install above.
You can remove a package group using syntax congruent with the install syntax. The following are alternative but equivalent ways of removing the KDE Software Compilation group:
~]# yum groupremove "KDE Software Compilation"
~]# yum groupremove kde-desktop
~]# yum remove @kde-desktop
You can instruct yum to remove only those packages which are not required by any other packages or groups by adding the groupremove_leaf_only=1 directive to the [main] section of the /etc/yum.conf configuration file. For more information on this directive, refer to Section 4.3.1, “Setting [main] Options”.
The configuration file for yum and related utilities is /etc/yum.conf. The following sections show you how to:
set global Yum options by editing the [main] section of the /etc/yum.conf configuration file;
set options for individual repositories by editing the [repository] sections in /etc/yum.conf and .repo files in the /etc/yum.repos.d/ directory;
use Yum variables in /etc/yum.conf and files in /etc/yum.repos.d/ so that dynamic version and architecture values are handled correctly; and,
set up your own custom Yum repository.
The /etc/yum.conf configuration file contains one mandatory [main] section under which you can set Yum options. The values that you define in the [main] section of yum.conf have global effect, and may override values set in individual [repository] sections. You can also add [repository] sections to /etc/yum.conf; however, best practice is to define individual repositories in new or existing .repo files in the /etc/yum.repos.d/ directory. Refer to Section 4.3.2, “Setting [repository] Options” if you need to add or edit repository-specific information.
The /etc/yum.conf configuration file contains exactly one [main] section. You can add many additional options under the [main] section heading in /etc/yum.conf. Some of the key-value pairs in the [main] section affect how yum operates; others affect how Yum treats repositories. The best source of information for all Yum options is in the [main] OPTIONS and [repository] OPTIONS sections of man yum.conf.
A sample /etc/yum.conf configuration file can look like this:
[main]
cachedir=/var/cache/yum/$basearch/$releasever
keepcache=0
debuglevel=2
logfile=/var/log/yum.log
exactarch=1
obsoletes=1
gpgcheck=1
plugins=1
installonly_limit=3
[comments abridged]
# PUT YOUR REPOS HERE OR IN separate files named file.repo
# in /etc/yum.repos.d
The following are the most commonly-used options in the [main] section, and descriptions for each:
assumeyes=value, where value is one of:
0 — yum should prompt for confirmation of critical actions it performs. This is the default.
1 — Do not prompt for confirmation of critical yum actions. If assumeyes=1 is set, yum behaves in the same way that the command line option -y does.
cachedir=directory, where directory is an absolute path to the directory where Yum should store its cache and database files. By default, Yum's cache directory is /var/cache/yum/$basearch/$releasever. See Section 4.3.3, “Using Yum Variables” for descriptions of the $basearch and $releasever Yum variables.
debuglevel=value, where value is an integer between 0 and 10. Setting a higher debuglevel value causes yum to display more detailed debugging output. debuglevel=0 disables debugging output, while debuglevel=2 is the default.
exactarch=value, where value is one of:
0 — Do not take into account the exact architecture when updating packages.
1 — Consider the exact architecture when updating packages. With this setting, yum will not install an i686 package to update an i386 package already installed on the system. This is the default.
exclude=package_name [more_package_names] — this directive excludes the listed packages from installation and updating. Shell globs using wildcards (for example, * and ?) are allowed.
gpgcheck=value, where value is one of:
0 — Disable GPG signature-checking on packages in all repositories, including local package installation.
1 — Enable GPG signature-checking on all packages in all repositories, including local package installation. gpgcheck=1 is the default, and thus all packages' signatures are checked.
If gpgcheck=value is set in the [main] section of the /etc/yum.conf file, it sets the GPG-checking rule for all repositories. However, you can also set gpgcheck=value for individual repositories instead; i.e., you can enable GPG-checking on one repository while disabling it on another. Setting gpgcheck=value for an individual repository in its corresponding .repo file overrides the default if it is present in /etc/yum.conf. Keep in mind that with checking disabled, a package served by a compromised mirror, or altered in transit over a plain http:// or ftp:// baseurl, is installed without any verification. Refer to Section A.3, “Checking a Package's Signature” for further information on GPG signature-checking.
groupremove_leaf_only=value, where value is one of:
0 — yum should not check the dependencies of each package when removing a package group. With this setting, yum removes all packages in a package group, regardless of whether those packages are required by other packages or groups. groupremove_leaf_only=0 is the default.
1 — yum should check the dependencies of each package when removing a package group, and remove only those packages which are not required by any other package or group.
installonlypkgs=space separated list of packages — here you can provide a space-separated list of packages which yum can install, but will never update. Refer to man yum.conf for the list of packages which are install-only by default. If you add the installonlypkgs directive to /etc/yum.conf, you should ensure that you list all of the packages that should be install-only, including any of those listed under the installonlypkgs section of man yum.conf. In particular, kernel packages should always be listed in installonlypkgs (as they are by default), and installonly_limit should always be set to a value greater than 2 so that a backup kernel is always available in case the default one fails to boot. Refer to installonly_limit=value for details on the installonly_limit directive.
installonly_limit=value, where value is an integer representing the maximum number of versions that can be installed simultaneously for any single package listed in the installonlypkgs directive. The defaults for the installonlypkgs directive include several different kernel packages, so be aware that changing the value of installonly_limit will also affect the maximum number of installed versions of any single kernel package. The default value listed in /etc/yum.conf is installonly_limit=3, and it is not recommended to decrease this value, particularly below 2.
keepcache=value, where value is one of:
0 — Do not retain the cache of headers and packages after a successful installation. This is the default.
1 — Retain the cache after a successful installation.
logfile=file_name, where file_name is an absolute path to the file in which yum should write its logging output. By default, yum logs to /var/log/yum.log.
multilib_policy=value, where value is one of:
best — install the best-choice architecture for this system. For example, setting multilib_policy=best on an AMD64 system causes yum to install 64-bit versions of all packages.
all — always install every possible architecture for every package. For example, with multilib_policy set to all on an AMD64 system, yum would install both the i686 and AMD64 versions of a package, if both were available.
obsoletes=value, where value is one of:
0 — Disable yum's obsoletes processing logic when performing updates.
1 — Enable yum's obsoletes processing logic when performing updates. When one package declares in its spec file that it obsoletes another package, the latter package will be replaced by the former package when the former package is installed. Obsoletes are declared, for example, when a package is renamed. obsoletes=1 is the default.
plugins=value, where value is one of:
0 — Disable all Yum plugins globally.
Disabling all plugins is not advised because certain plugins provide important Yum services. Disabling plugins globally is provided as a convenience option, and is generally only recommended when diagnosing a potential problem with Yum.
1 — Enable all Yum plugins globally. With plugins=1, you can still disable a specific Yum plugin by setting enabled=0 in that plugin's configuration file. Refer to Section 4.4, “Yum Plugins” for more information about various Yum plugins, or to Section 4.4.1, “Enabling, Configuring and Disabling Yum Plugins” for further information on controlling plugins.
reposdir=directory, where directory is an absolute path to the directory where .repo files are located. All .repo files contain repository information (similar to the [repository] sections of /etc/yum.conf). yum collects all repository information from .repo files and the [repository] section of the /etc/yum.conf file to create a master list of repositories to use for transactions. Refer to Section 4.3.2, “Setting [repository] Options” for more information about options you can use for both the [repository] section and .repo files. If reposdir is not set, yum uses the default directory /etc/yum.repos.d/.
retries=value, where value is an integer 0 or greater. This value sets the number of times yum should attempt to retrieve a file before returning an error. Setting this to 0 makes yum retry forever. The default value is 10.
The [repository] sections (where repository is a unique repository ID, such as my_personal_repo) allow you to define individual Yum repositories. To define a new repository, either add this section to the /etc/yum.conf file, or to a .repo file in the /etc/yum.repos.d/ directory.
All .repo files in /etc/yum.repos.d/ are read by yum, which allows you to create new, custom .repo files in this directory. Best practice is to define your repositories here instead of in /etc/yum.conf.
The following is the basic form a [repository] section in a .repo file takes:
[repository_ID]
name=A Repository Name
baseurl=http://path/to/repo or ftp://path/to/repo or file:///path/to/local/repo
Every [repository] section must contain the following minimum directives:
[repository_ID] — a unique, one-word string (no spaces) that serves as the repository identifier.
name=A Repository Name — a human-readable string describing the repository.
baseurl=URL — the URL of the directory where the repository's repodata directory is located, for example:
baseurl=http://path/to/repo/releases/$releasever/server/$basearch/os/
Yum always expands the $releasever, $arch and $basearch variables in URLs. See Section 4.3.3, “Using Yum Variables” for explanations of all Yum variables. The URL can use one of the following forms:
http://path/to/repo
ftp://path/to/repo
file:///path/to/local/repo
If the repository is available over HTTP and requires basic authentication, you can specify the username and password in the baseurl by prepending them to the link as username:password@link. For example, if a repository on http://www.example.com/repo/ requires a username of “user” and a password of “password”, then the baseurl link could be specified as:
baseurl=http://user:password@www.example.com/repo/
Note that the credentials are stored in clear text in the .repo file, and over plain HTTP they are also sent unencrypted with every request. Restrict read access to such a file, and prefer an https:// baseurl where the server supports it.
Another useful [repository] directive is enabled=value, where value is one of:
valuevalue is one of:
0 — do not include this repository as a package source when performing updates and installs. This is an easy way of quickly turning repositories on and off, which is useful when you desire a single package from a repository that you do not want to enable for updates or installs.
1 — include this repository as a package source.
Turning repositories on and off can also be performed for a single transaction by passing the --enablerepo=repo_name or --disablerepo=repo_name option to yum, or through the Add/Remove Software window of the PackageKit utility.
Many more [repository] options exist. Refer to the [repository] OPTIONS section of man yum.conf for the exhaustive list and descriptions for each.
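The directives above (gpgcheck, enabled, baseurl and the embedded-credentials form) are the ones that decide whether a repository can be trusted, so it is worth checking them mechanically. The following shell script is an added example, not part of yum or this guide: it audits every enabled [repository] section in a directory of .repo files and reports gpgcheck=0, a missing gpgcheck directive, credentials embedded in the URL, and a cleartext http:// or ftp:// transport without an explicit gpgcheck=1. The four .repo files it writes are constructed for the demonstration and the hostnames in them are placeholders.

```shell
#!/bin/sh
# Audit Yum repository definitions for settings that weaken package verification.
# Added example for this page (not shipped with yum); the sample .repo files it
# writes are constructed for the demonstration.

# audit_repo_file FILE: print one "<file>:<repo_id>: <finding>" line per finding for
# every enabled [repository] section in FILE. [main] and enabled=0 sections are skipped.
audit_repo_file() {
  awk -v f="$1" '
    function reset() { id = ""; enabled = ""; gpgcheck = ""; url = "" }
    function flush() {
      if (id == "" || id == "main" || enabled == "0") { reset(); return }
      if (gpgcheck == "0")     print f ":" id ": gpgcheck=0 (package signatures are not verified)"
      else if (gpgcheck == "") print f ":" id ": no gpgcheck directive (inherits the [main] setting)"
      if (url ~ "://[^/@]+:[^/@]+@")                    print f ":" id ": credentials embedded in baseurl/mirrorlist"
      if (url ~ "^(http|ftp)://" && gpgcheck != "1")    print f ":" id ": cleartext transport without gpgcheck=1"
      reset()
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }                  # comments and blank lines
    /^[ \t]*\[/ { flush(); id = $0; sub(/^[ \t]*\[/, "", id); sub(/].*$/, "", id); next }
    /=/ {                                                # key=value inside the current section
      key = $0; sub(/=.*$/, "", key); gsub(/[ \t]/, "", key)
      val = $0; sub(/^[^=]*=/, "", val); gsub(/^[ \t]+|[ \t]+$/, "", val)
      if (key == "enabled")       enabled = val
      else if (key == "gpgcheck") gpgcheck = val
      else if (key == "baseurl" || key == "mirrorlist") url = val
    }
    END { flush() }
  ' "$1"
}

# audit_repo_dir DIR: run audit_repo_file over every *.repo file in DIR.
audit_repo_dir() {
  for f in "$1"/*.repo; do
    [ -f "$f" ] || continue
    audit_repo_file "$f"
  done
  return 0
}

# make_sample_repos DIR: write constructed .repo files covering the cases above.
make_sample_repos() {
  cat > "$1/fedora.repo" <<'EOF'
[fedora]
name=Fedora $releasever - $basearch
mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$basearch
EOF
  cat > "$1/third-party.repo" <<'EOF'
[third-party]
name=Third Party Packages (constructed example)
baseurl=http://repo.example.com/fedora/$releasever/$basearch/
enabled=1
gpgcheck=0
EOF
  cat > "$1/vendor.repo" <<'EOF'
[vendor]
name=Vendor Repository (constructed example)
baseurl=https://user:password@www.example.com/repo/
enabled=1
# gpgcheck deliberately omitted
EOF
  cat > "$1/old-testing.repo" <<'EOF'
[old-testing]
name=Disabled repository (constructed example)
baseurl=http://old.example.com/repo/
enabled=0
gpgcheck=0
EOF
}

# Demonstration: write the samples to a scratch directory and audit them.
demo_dir=$(mktemp -d)
make_sample_repos "$demo_dir"
audit_repo_dir "$demo_dir"
rm -rf "$demo_dir"
```

Run audit_repo_dir /etc/yum.repos.d on a real host to get the same report for its configured repositories; a repository with no gpgcheck directive is only as safe as the gpgcheck value in the [main] section of /etc/yum.conf.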
The following built-in variables can be used and referenced in all yum commands and in all Yum configuration files (that is, /etc/yum.conf and all .repo files in the /etc/yum.repos.d/ directory):
$releasever — use this variable to reference the release version of Fedora. Yum obtains the value of $releasever from the distroverpkg=value line in the /etc/yum.conf configuration file. If there is no such line in /etc/yum.conf, then yum infers the correct value by deriving the version number from the redhat-release package.
$arch — use this variable to reference the system's CPU architecture as returned when calling Python's os.uname() function. Valid values for $arch include: i586, i686, and x86_64.
$basearch — use $basearch to reference the base architecture of the system. For example, i686 and i586 machines both have a base architecture of i386, and AMD64 and Intel 64 machines have a base architecture of x86_64.
$uuid — a unique identifier for this system that yum generates once and stores persistently.
$YUM0-9 — these ten variables are each replaced with the value of any shell environment variable with the same name. If one of these variables is referenced (in /etc/yum.conf for example) and a shell environment variable with the same name does not exist, then the configuration file variable is not replaced.
To define a custom variable or to override the value of an existing one, create a file with the same name as the variable (without the “$” sign) in the /etc/yum/vars/ directory, and add the desired value on its first line.
For example, to define a custom variable $osname, create a new file with “Fedora” on the first line and save it as /etc/yum/vars/osname. For example:
~]# echo "Fedora" > /etc/yum/vars/osname
You can then use the following in the .repo files:
name=$osname $releasever
To set up a Yum repository, install the createrepo package:
~]# yum install createrepo
Copy all packages that you want to have in your repository into one directory, such as /mnt/local_repo/.
Run the createrepo --database command on that directory:
~]# createrepo --database /mnt/local_repo/
This creates the necessary metadata for your Yum repository, as well as the sqlite database for speeding up yum operations.
To see which plugins are loaded, run any yum command:
~]# yum info yum
Loaded plugins: langpacks, presto, refresh-packagekit
[output truncated]
The plugin names which follow Loaded plugins are the names you can provide to the --disableplugin=plugin_name option.
To enable Yum plugins, ensure that a line beginning with plugins= is present in the [main] section of /etc/yum.conf, and that its value is set to 1:
plugins=1
You can disable all plugins by changing this line to plugins=0.
Disabling all plugins is not advised because certain plugins provide important Yum services. Disabling plugins globally is provided as a convenience option, and is generally only recommended when diagnosing a potential problem with Yum.
Every installed plugin has its own configuration file in the /etc/yum/pluginconf.d/ directory. You can set plugin-specific options in these files. For example, the following is the content of refresh-packagekit.conf, the configuration file for the refresh-packagekit plugin:
[main]
enabled=1
Plugin configuration files always contain a [main] section (similar to Yum's /etc/yum.conf file) in which there is (or you can place if it is missing) an enabled= option that controls whether the plugin is enabled when you run yum commands.
If you disable all plugins by setting plugins=0 in /etc/yum.conf, then all plugins are disabled regardless of whether they are enabled in their individual configuration files.
To disable all Yum plugins for a single yum command, use the --noplugins option.
To disable one or more Yum plugins for a single yum command, add the --disableplugin=plugin_name option to the command. For example, to disable the presto plugin while updating a system, type:
~]# yum update --disableplugin=presto
The plugin names you provide to the --disableplugin= option are the same names listed after the Loaded plugins line in the output of any yum command. You can disable multiple plugins by separating their names with commas. In addition, you can match multiple plugin names or shorten long ones by using glob expressions:
~]# yum update --disableplugin=presto,refresh-pack*
Yum plugin packages often adopt the yum-plugin-plugin_name package-naming convention, but not always: the package which provides the presto plugin is named yum-presto, for example. You can install a Yum plugin in the same way you install other packages. For instance, to install the security plugin, type the following at a shell prompt:
~]# yum install yum-plugin-security
The following list provides descriptions of a few useful Yum plugins:
refresh-packagekit — this plugin updates metadata for PackageKit whenever yum is run. The refresh-packagekit plugin is installed by default.
rhnplugin — this plugin provides support for connecting to RHN Classic. This allows systems registered with RHN Classic to update and install packages from this system.
Refer to man rhnplugin for more information about the plugin.
security — this plugin provides yum with a set of highly-useful security-related commands, subcommands and options. For example, to list only the available updates that address a security advisory, type:
~]# yum check-update --security
Loaded plugins: langpacks, presto, refresh-packagekit, security
Limiting package lists to security relevant ones
updates-testing/updateinfo | 329 kB 00:00
9 package(s) needed for security, out of 270 available
ConsoleKit.x86_64 0.4.5-1.fc15 updates
ConsoleKit-libs.x86_64 0.4.5-1.fc15 updates
ConsoleKit-x11.x86_64 0.4.5-1.fc15 updates
NetworkManager.x86_64 1:0.8.999-2.git20110509.fc15 updates
NetworkManager-glib.x86_64 1:0.8.999-2.git20110509.fc15 updates
[output truncated]
You can then run either yum update --security or yum update-minimal --security to update those packages which are affected by security advisories. Both of these commands update all packages on the system for which a security advisory has been issued. yum update-minimal --security updates each affected package only as far as the version released with the security advisory (the lowest version that fixes it), while yum update --security will update all packages affected by a security advisory to the latest version of that package available.
In other words, if kernel-2.6.38.6-22 is the kernel released with a security advisory and kernel-2.6.38.6-26 is a later bug-fix release, yum update-minimal --security will update you to kernel-2.6.38.6-22, and yum update --security will update you to kernel-2.6.38.6-26. Conservative system administrators may want to use update-minimal to reduce the risk incurred by updating packages as much as possible.
Refer to man yum-security for usage details and further explanation of the enhancements the security plugin adds to yum.
The Yum Guides section of the Yum wiki contains more documentation.
You can open the Software Update window by running the gpk-update-viewer command at the shell prompt. In the Software Updates window, all available updates are listed along with the names of the packages being updated (minus the .rpm suffix, but including the CPU architecture), a short summary of the package, and, usually, short descriptions of the changes the update provides. Any updates you do not wish to install can be de-selected here by unchecking the checkbox corresponding to the update.

If PackageKit installs a new kernel package, it will prompt you after installation, asking you whether you want to reboot the system and thereby boot into the newly-installed kernel.


The Software Sources window (gpk-repo) lists repositories by the value of the name=My Repository Name field of all [repository] sections in the /etc/yum.conf configuration file, and in all repository.repo files in the /etc/yum.repos.d/ directory.
The checkbox next to each repository corresponds to the enabled=<1 or 0> field in [repository] sections. Checking an unchecked box enables the Yum repository, and unchecking it disables it. Performing either function causes PolicyKit to prompt for superuser authentication to enable or disable the repository. PackageKit actually inserts the enabled=<1 or 0> line into the correct [repository] section if it does not exist, or changes the value if it does. This means that enabling or disabling a repository through the Software Sources window causes that change to persist after closing the window or rebooting the system. The ability to quickly enable and disable repositories based on our needs is a highly-convenient feature of PackageKit.
You can open the Add/Remove Software window by running the gpk-application command at the shell prompt.


The filter for hiding sub-packages removes entries such as the package_name-devel packages that we are not interested in.
For example, enabling this filter and searching for package would cause the following related packages to be filtered out of the results (if they exist):
package-devel
package-libs
package-libs-devel
package-debuginfo
The filter for native packages only hides packages built for an architecture other than the system's own. Packages that are not architecture-specific (such as crontabs-1.10-32.1.el6.noarch.rpm) are never filtered out by enabling it. This filter has no effect on non-multilib systems, such as x86 machines.

Once the installation completes, we can run htop, a colorful and enhanced version of the top process viewer, by opening a shell prompt and entering:
htop
Suppose that top is good enough for us and we want to uninstall htop. Remembering that we need to change the filter we recently used to install it to one that shows installed packages, we search for htop again and uncheck it. The program did not install any dependencies of its own; if it had, those would be automatically removed as well, as long as they were not also dependencies of any other packages still installed on our system.


You can open the Software Log Viewer by running the gpk-log command at the shell prompt.
The window lists the Action, such as Updated Packages or Installed Packages, the Date on which that action was performed, the Username of the user who performed the action, and the front end Application the user used (such as Add/Remove Software, or Update System). The Details column provides the types of the transactions, such as Updated, Installed, or Removed, as well as the list of packages the transactions were performed on.

PackageKit consists of several graphical front ends that communicate with the packagekitd daemon back end, which communicates with a package manager-specific back end that utilizes Yum to perform the actual transactions, such as installing and removing packages, etc.
| Window Title | Function | How to Open | Shell Command |
|---|---|---|---|
| Add/Remove Software | Install, remove or view package info | From the GNOME panel | gpk-application |
| Software Update | Perform package updates | From the GNOME panel | gpk-update-viewer |
| Software Sources | Enable and disable Yum repositories | From Add/Remove Software | gpk-repo |
| Software Log Viewer | View the transaction log | From Add/Remove Software | gpk-log |
| Software Update Preferences | Set PackageKit preferences | | gpk-prefs |
| (Notification Area Alert) | Alerts you when updates are available | From the GNOME panel, Startup Programs tab | gpk-update-icon |
The packagekitd daemon runs outside the user session and communicates with the various graphical front ends. The packagekitd daemon[1] communicates via the DBus system message bus with another back end, which utilizes Yum's Python API to perform queries and make changes to the system. On Linux systems other than Red Hat Enterprise Linux and Fedora, packagekitd can communicate with other back ends that are able to utilize the native package manager for that system. This modular architecture provides the abstraction necessary for the graphical interfaces to work with many different package managers to perform essentially the same types of package management tasks. Learning how to use the PackageKit front ends means that you can use the same familiar graphical interface across many different Linux distributions, even when they utilize a native package manager other than Yum.
[Figure: PackageKit architecture. The packagekitd daemon runs outside of the user session.]
The PackageKit graphical front ends described here are provided by the gnome-packagekit package, not by PackageKit and its dependencies. Users working in a KDE environment may prefer to install the kpackagekit package, which provides a KDE interface for PackageKit.
PackageKit also provides a command line front end, pkcon.
[1] Daemons respond to the systemctl command and can be turned on or off permanently by using the systemctl enable or systemctl disable commands. They can typically be recognized by a “d” appended to their name, such as the packagekitd daemon. Refer to Chapter 7, Services and Daemons for information about system services.
Network configuration files for network interfaces are located in the /etc/sysconfig/network-scripts/ directory. The scripts used to activate and deactivate these network interfaces are also located here. Although the number and type of interface files can differ from system to system, there are three categories of files that exist in this directory: interface configuration files, interface control scripts, and network function files.
The following files outside that directory are also part of the network configuration:
/etc/hosts — the main purpose of this file is to resolve hostnames that cannot be resolved any other way. Regardless of the type of network the computer is on, this file should contain a line specifying the IP address of the loopback device (127.0.0.1) as localhost.localdomain. For more information, refer to the hosts man page.
/etc/resolv.conf — this file specifies the IP addresses of DNS servers and the search domain. For more information, refer to the resolv.conf man page.
/etc/sysconfig/network — this file specifies routing and host information for all network interfaces.
/etc/sysconfig/network-scripts/ifcfg-interface-name — for each network interface, there is a corresponding interface configuration file that provides information specific to that interface.
The /etc/sysconfig/networking/ directory is used by the Network Administration Tool (system-config-network) and its contents should not be edited manually. Using only one method for network configuration is strongly encouraged, due to the risk of configuration deletion.
Interface configuration files control the software interfaces for individual network devices. As the system boots, it uses these files to determine what interfaces to bring up and how to configure them. These files are named ifcfg-name, where name refers to the name of the device that the configuration file controls.
One of the most common interface files is ifcfg-eth0, which controls the first Ethernet network interface card or NIC in the system. In a system with multiple NICs, there are multiple ifcfg-ethX files (where X is a unique number corresponding to a specific interface). Because each device has its own configuration file, an administrator can control how each interface functions individually.
The following is a sample ifcfg-eth0 file for a system using a fixed IP address:
DEVICE=eth0
BOOTPROTO=none
ONBOOT=yes
NETMASK=255.255.255.0
IPADDR=10.0.1.27
USERCTL=no
The ifcfg-eth0 file for an interface using DHCP looks different because IP information is provided by the DHCP server:
DEVICE=eth0
BOOTPROTO=dhcp
ONBOOT=yes
The Network Administration Tool (system-config-network) is an easy way to make changes to the various network interface configuration files. It is also possible to edit the configuration file for a given network interface manually; the following directives can appear in an Ethernet interface configuration file:
BONDING_OPTS=parameters — sets the configuration parameters for the bonding device, and is used in /etc/sysconfig/network-scripts/ifcfg-bondN (see Section 6.2.2, “Channel Bonding Interfaces”). These parameters are identical to those used for bonding devices in /sys/class/net/bonding_device/bonding, and the module parameters for the bonding driver as described in bonding Module Directives.
This configuration method is used so that multiple bonding devices can have different configurations. It is highly recommended to place all of your bonding options after the BONDING_OPTS directive in ifcfg-name. Do not specify options for the bonding device in /etc/modprobe.d/bonding.conf, or in the deprecated /etc/modprobe.conf file.
BOOTPROTO=protocol, where protocol is one of the following:
none — No boot-time protocol should be used.
bootp — The BOOTP protocol should be used.
dhcp — The DHCP protocol should be used.
BROADCAST=address, where address is the broadcast address. This directive is deprecated, as the value is calculated automatically with ipcalc.
DEVICE=name, where name is the name of the physical device (except for dynamically-allocated PPP devices where it is the logical name).
DHCP_HOSTNAME=name, where name is a short hostname to be sent to the DHCP server. Use this option only if the DHCP server requires the client to specify a hostname before receiving an IP address.
DNS{1,2}=address, where address is a name server address to be placed in /etc/resolv.conf if the PEERDNS directive is set to yes.
ETHTOOL_OPTS=options, where options are any device-specific options supported by ethtool. For example, if you wanted to force 100Mb, full duplex:
ETHTOOL_OPTS="autoneg off speed 100 duplex full"
Instead of a custom initscript, use ETHTOOL_OPTS to set the interface speed and duplex settings. Custom initscripts run outside of the network init script lead to unpredictable results during a post-boot network service restart.
Changing speed or duplex settings almost always requires disabling auto-negotiation with the autoneg off option. This needs to be stated first, as the option entries are order-dependent.
GATEWAY=address, where address is the IP address of the network router or gateway device (if any).
HOTPLUG=answer, where answer is one of the following:
yes — This device should be activated when it is hot-plugged (this is the default option).
no — This device should not be activated when it is hot-plugged.
The HOTPLUG=no option can be used to prevent a channel bonding interface from being activated when a bonding kernel module is loaded.
HWADDR=MAC-address, where MAC-address is the hardware address of the Ethernet device in the form AA:BB:CC:DD:EE:FF. This directive must be used in machines containing more than one NIC to ensure that the interfaces are assigned the correct device names regardless of the configured load order for each NIC's module. This directive should not be used in conjunction with MACADDR.
IPADDR=address, where address is the IP address.
LINKDELAY=time, where time is the number of seconds to wait for link negotiation before configuring the device.
MACADDR=MAC-address, where MAC-address is the hardware address of the Ethernet device in the form AA:BB:CC:DD:EE:FF. This directive is used to assign a MAC address to an interface, overriding the one assigned to the physical NIC. This directive should not be used in conjunction with HWADDR.
MASTER=bond-interface, where bond-interface is the channel bonding interface to which the Ethernet interface is linked.
This directive is used in conjunction with the SLAVE directive.
NETMASK=mask, where mask is the netmask value.
NETWORK=address, where address is the network address. This directive is deprecated, as the value is calculated automatically with ipcalc.
ONBOOT=answer, where answer is one of the following:
yes — This device should be activated at boot-time.
no — This device should not be activated at boot-time.
PEERDNS=answer, where answer is one of the following:
yes — Modify /etc/resolv.conf if the DNS directive is set. If using DHCP, then yes is the default.
no — Do not modify /etc/resolv.conf.
SLAVE=answer, where answer is one of the following:
yes — This device is controlled by the channel bonding interface specified in the MASTER directive.
no — This device is not controlled by the channel bonding interface specified in the MASTER directive.
This directive is used in conjunction with the MASTER directive.
SRCADDR=address, where address is the specified source IP address for outgoing packets.
USERCTL=answer, where answer is one of the following:
yes — Non-root users are allowed to control this device.
no — Non-root users are not allowed to control this device.
On servers, leave USERCTL at no: with yes, any local user can take the interface down or bring it up.
Fedora allows administrators to bind multiple network interfaces together into a single channel using the bonding kernel module and a special network interface called a channel bonding interface. Channel bonding enables two or more network interfaces to act as one, simultaneously increasing the bandwidth and providing redundancy.
To create a channel bonding interface, create a file in the /etc/sysconfig/network-scripts/ directory called ifcfg-bondN, replacing N with the number for the interface, such as 0.
The contents of the file can be identical to whatever type of interface is getting bonded, such as an Ethernet interface. The only difference is that the DEVICE= directive must be bondN, replacing N with the number for the interface. The following is a sample channel bonding configuration file:
DEVICE=bond0
IPADDR=192.168.1.1
NETMASK=255.255.255.0
ONBOOT=yes
BOOTPROTO=none
USERCTL=no
BONDING_OPTS="bonding parameters separated by spaces"
After the channel bonding interface is created, the network interfaces to be bound together must be configured by adding the MASTER= and SLAVE= directives to their configuration files. The configuration files for each of the channel-bonded interfaces can be nearly identical.
For example, if two Ethernet interfaces are being channel bonded, both eth0 and eth1 may look like the following example:
DEVICE=ethN
BOOTPROTO=none
ONBOOT=yes
MASTER=bond0
SLAVE=yes
USERCTL=no
In this example, replace N with the numerical value for the interface.
For a channel bonding interface to be valid, the kernel module must be loaded. To ensure that the module is loaded when the channel bonding interface is brought up, create a new file as root named bonding.conf in the /etc/modprobe.d/ directory. Note that you can name this file anything you like as long as it ends with a .conf extension. Insert the following line in this new file:
alias bondN bonding
Replace N with the interface number, such as 0. For each configured channel bonding interface, there must be a corresponding entry in your new /etc/modprobe.d/bonding.conf file.
Parameters for the bonding kernel module must be specified as a space-separated list in the BONDING_OPTS="bonding parameters" directive in the ifcfg-bondN interface file. Do not specify options for the bonding device in /etc/modprobe.d/bonding.conf, or in the deprecated /etc/modprobe.conf file. For further instructions and advice on configuring the bonding module and to view the list of bonding parameters, refer to Section 21.7.2, “Using Channel Bonding”.
Alias interface configuration files, which are used to bind multiple addresses to a single interface, use the ifcfg-if-name:alias-value naming scheme.
For example, an ifcfg-eth0:0 file could be configured to specify DEVICE=eth0:0 and a static IP address of 10.0.0.2, serving as an alias of an Ethernet interface already configured to receive its IP information via DHCP in ifcfg-eth0. Under this configuration, eth0 is bound to a dynamic IP address, but the same physical network card can receive requests via the fixed, 10.0.0.2 IP address.
Clone interface configuration files use the ifcfg-if-name-clone-name naming scheme. While an alias file allows multiple addresses for an existing interface, a clone file is used to specify additional options for an interface. For example, a standard DHCP Ethernet interface called eth0 may look similar to this:
DEVICE=eth0
ONBOOT=yes
BOOTPROTO=dhcp
Since the default value for the USERCTL directive is no if it is not specified, users cannot bring this interface up and down. To give users the ability to control the interface, create a clone by copying ifcfg-eth0 to ifcfg-eth0-user and add the following line to ifcfg-eth0-user:
USERCTL=yes
This way a user can bring up the eth0 interface using the /sbin/ifup eth0-user command because the configuration options from ifcfg-eth0 and ifcfg-eth0-user are combined. While this is a very basic example, this method can be used with a variety of options and interfaces.
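The directive rules above (HWADDR and MACADDR being mutually exclusive, HWADDR being required on multi-NIC machines, BROADCAST and NETWORK being deprecated, MASTER and SLAVE belonging together, and USERCTL=yes handing an interface to non-root users) can be checked mechanically. The following shell script is an added example written for this page; it is not part of Fedora's initscripts. It lints every ifcfg-* file in a directory against those rules, and the sample files it writes, including the bonding options in them, are constructed for the demonstration.

```shell
#!/bin/sh
# Lint ifcfg-* files in a network-scripts directory against the directive rules
# described above. Added example for this page; not part of Fedora's initscripts,
# and the sample files written by ifcfg_make_samples are constructed.

# ifcfg_get FILE KEY: print KEY's value (last assignment wins, surrounding double
# quotes stripped); prints nothing when KEY is not set.
ifcfg_get() {
  sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | sed 's/^"\(.*\)"$/\1/'
}

# is_physical NAME: true for plain ifcfg-ethN files (not aliases, clones or bonds).
is_physical() {
  expr "$1" : 'ifcfg-eth[0-9][0-9]*$' > /dev/null
}

# ifcfg_lint_file FILE NIC_COUNT: print one "<file>: <finding>" line per problem.
ifcfg_lint_file() {
  file=$1; nics_total=$2; base=$(basename "$file")
  dev=$(ifcfg_get "$file" DEVICE)
  [ -n "$dev" ] || echo "$base: DEVICE directive is missing"
  # HWADDR (pin to a NIC) and MACADDR (override the NIC's address) are mutually exclusive.
  if [ -n "$(ifcfg_get "$file" HWADDR)" ] && [ -n "$(ifcfg_get "$file" MACADDR)" ]; then
    echo "$base: HWADDR and MACADDR must not be used together"
  fi
  # BROADCAST and NETWORK are deprecated; ipcalc derives them from IPADDR/NETMASK.
  for k in BROADCAST NETWORK; do
    if [ -n "$(ifcfg_get "$file" "$k")" ]; then echo "$base: $k is deprecated (ipcalc derives it)"; fi
  done
  # With more than one NIC, HWADDR keeps each ifcfg file attached to the right device.
  if is_physical "$base" && [ "$nics_total" -gt 1 ] && [ -z "$(ifcfg_get "$file" HWADDR)" ]; then
    echo "$base: HWADDR missing on a machine with $nics_total NICs (device names may swap)"
  fi
  # USERCTL=yes hands control of the interface to non-root users; expected only for dialup.
  userctl=$(ifcfg_get "$file" USERCTL)
  case "$dev" in
    ppp*|sl*) ;;
    *) case "$userctl" in
         yes|true) echo "$base: USERCTL=$userctl lets non-root users bring $dev up and down" ;;
       esac ;;
  esac
  # Bonding: SLAVE=yes needs a MASTER, and the MASTER needs its own ifcfg-bondN file.
  master=$(ifcfg_get "$file" MASTER); slave=$(ifcfg_get "$file" SLAVE)
  if [ "$slave" = yes ] && [ -z "$master" ]; then echo "$base: SLAVE=yes without a MASTER"; fi
  if [ -n "$master" ]; then
    [ "$slave" = yes ] || echo "$base: MASTER=$master set but SLAVE is not yes"
    [ -f "$(dirname "$file")/ifcfg-$master" ] || echo "$base: MASTER=$master has no ifcfg-$master"
  fi
  return 0
}

# ifcfg_lint_dir DIR: count physical NICs, then lint every ifcfg-* file except ifcfg-lo.
ifcfg_lint_dir() {
  nics=0
  for f in "$1"/ifcfg-eth*; do
    if [ -f "$f" ] && is_physical "$(basename "$f")"; then nics=$((nics + 1)); fi
  done
  for f in "$1"/ifcfg-*; do
    [ -f "$f" ] || continue
    if [ "$(basename "$f")" = ifcfg-lo ]; then continue; fi
    ifcfg_lint_file "$f" "$nics"
  done
  return 0
}

# ifcfg_make_samples DIR: constructed files exercising each rule (MACs are placeholders).
ifcfg_make_samples() {
  d=$1
  printf '%s\n' DEVICE=eth0 BOOTPROTO=dhcp ONBOOT=yes > "$d/ifcfg-eth0"
  printf '%s\n' DEVICE=eth0 BOOTPROTO=dhcp ONBOOT=yes USERCTL=yes > "$d/ifcfg-eth0-user"
  printf '%s\n' DEVICE=eth1 BOOTPROTO=none ONBOOT=yes IPADDR=10.0.1.27 NETMASK=255.255.255.0 \
    NETWORK=10.0.1.0 HWADDR=00:11:22:33:44:55 MACADDR=00:11:22:33:44:66 USERCTL=no > "$d/ifcfg-eth1"
  printf '%s\n' DEVICE=bond0 IPADDR=192.168.1.1 NETMASK=255.255.255.0 ONBOOT=yes BOOTPROTO=none \
    USERCTL=no 'BONDING_OPTS="mode=1 miimon=100"' > "$d/ifcfg-bond0"
  printf '%s\n' DEVICE=eth2 BOOTPROTO=none ONBOOT=yes MASTER=bond0 SLAVE=yes USERCTL=no > "$d/ifcfg-eth2"
  printf '%s\n' DEVICE=eth3 BOOTPROTO=none ONBOOT=yes MASTER=bond1 SLAVE=yes HWADDR=00:11:22:33:44:77 > "$d/ifcfg-eth3"
  printf '%s\n' DEVICE=ppp0 USERCTL=true ONBOOT=no > "$d/ifcfg-ppp0"
  printf '%s\n' DEVICE=lo IPADDR=127.0.0.1 ONBOOT=yes > "$d/ifcfg-lo"
}

# Demonstration: write the samples to a scratch directory and lint them.
demo_dir=$(mktemp -d)
ifcfg_make_samples "$demo_dir"
ifcfg_lint_dir "$demo_dir"
rm -rf "$demo_dir"
```

Point ifcfg_lint_dir at /etc/sysconfig/network-scripts to run the same checks on a real host. The clone ifcfg-eth0-user from the text above is reported exactly because it grants non-root users control of eth0; that is the intended effect of the clone, so the finding is a prompt to confirm the grant is deliberate rather than a bug.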
If you connect to the Internet via a dialup connection, a configuration file is created for the interface called ifcfg-pppX, where X is a unique number corresponding to a specific interface.
The PPP interface configuration file is created automatically when wvdial, the Network Administration Tool or Kppp is used to create a dialup account. It is also possible to create and edit this file manually.
The following is a typical ifcfg-ppp0 file:
DEVICE=ppp0
NAME=test
WVDIALSECT=test
MODEMPORT=/dev/modem
LINESPEED=115200
PAPNAME=test
USERCTL=true
ONBOOT=no
PERSIST=no
DEFROUTE=yes
PEERDNS=yes
DEMAND=no
IDLETIMEOUT=600
Serial Line Internet Protocol (SLIP) is another dialup interface, although it is used less frequently. SLIP files have interface configuration file names such as ifcfg-sl0.
Other directives that may be used in these files include:
DEFROUTE=answer answer is one of the following:
yes — Set this interface as the default route.
no — Do not set this interface as the default route.
DEMAND=answer answer is one of the following:
yes — This interface allows pppd to initiate a connection when someone attempts to use it.
no — A connection must be manually established for this interface.
IDLETIMEOUT=value value is the number of seconds of idle activity before the interface disconnects itself.
INITSTRING=string string is the initialization string passed to the modem device. This option is primarily used in conjunction with SLIP interfaces.
LINESPEED=value value is the baud rate of the device. Possible standard values include 57600, 38400, 19200, and 9600.
MODEMPORT=device device is the name of the serial device that is used to establish the connection for the interface.
MTU=value value is the Maximum Transfer Unit (MTU) setting for the interface. The MTU refers to the largest number of bytes of data a frame can carry, not counting its header information. In some dialup situations, setting this to a value of 576 results in fewer packets dropped and a slight improvement to the throughput for a connection.
NAME=name name is the reference to the title given to a collection of dialup connection configurations.
PAPNAME=name name is the username given during the Password Authentication Protocol (PAP) exchange that occurs to allow connections to a remote system.
PERSIST=answer answer is one of the following:
yes — This interface should be kept active at all times, even if deactivated after a modem hang up.
no — This interface should not be kept active at all times.
REMIP=address address is the IP address of the remote system. This is usually left unspecified.
WVDIALSECT=name name associates this interface with a dialer configuration in /etc/wvdial.conf. This file contains the phone number to be dialed and other important information for the interface.
ifcfg-lo /etc/sysconfig/network-scripts/ifcfg-lo, should never be edited manually. Doing so can prevent the system from operating correctly.
ifcfg-irlan0, ifcfg-plip0
Two primary interface control scripts call on the control scripts located in the /etc/sysconfig/network-scripts/ directory: /sbin/ifdown and /sbin/ifup.
ifup and ifdown interface scripts are symbolic links to scripts in the /sbin/ directory. When either of these scripts are called, they require the value of the interface to be specified, such as:
ifup eth0
The ifup and ifdown interface scripts are the only scripts that the user should use to bring up and take down network interfaces.
/etc/rc.d/init.d/functions and /etc/sysconfig/network-scripts/network-functions. Refer to Section 6.5, “Network Function Files” for more information.
/etc/sysconfig/network-scripts/ directory:
ifup-aliases
ifup-ippp and ifdown-ippp
ifup-ipv6 and ifdown-ipv6
ifup-plip
ifup-plusb
ifup-post and ifdown-post
ifup-ppp and ifdown-ppp
ifup-routes
ifdown-sit and ifup-sit
ifup-wireless
Removing or modifying any scripts in the /etc/sysconfig/network-scripts/ directory can cause interface connections to act irregularly or fail. Only advanced users should modify scripts related to a network interface.
systemctl command on the network service (/etc/rc.d/init.d/network), as illustrated the following command:
systemctl action network.service
The action can be either start, stop, or restart.
service network status
The route command displays the IP routing table.
/etc/sysconfig/network-scripts/route-interface file. For example, static routes for the eth0 interface would be stored in the /etc/sysconfig/network-scripts/route-eth0 file. The route-interface file has two formats: IP command arguments and network/netmask directives.
default via X.X.X.X dev interface
X.X.X.X is the IP address of the default gateway. The interface is the interface that is connected to, or can reach, the default gateway.
X.X.X.X/X via X.X.X.X dev interface
X.X.X.X/X is the network number and netmask for the static route. X.X.X.X and interface are the IP address and interface for the default gateway respectively. The X.X.X.X address does not have to be the default gateway IP address. In most cases, X.X.X.X will be an IP address in a different subnet, and interface will be the interface that is connected to, or can reach, that subnet. Add as many static routes as required.
route-eth0 file using the IP command arguments format. The default gateway is 192.168.0.1, interface eth0. The two static routes are for the 10.10.10.0/24 and 172.16.1.0/24 networks:
default via 192.168.0.1 dev eth0
10.10.10.0/24 via 192.168.0.1 dev eth0
172.16.1.0/24 via 192.168.0.1 dev eth0
10.10.10.0/24 via 10.10.10.1 dev eth1
ifup command: "RTNETLINK answers: File exists" or 'Error: either "to" is a duplicate, or "X.X.X.X" is a garbage.', where X.X.X.X is the gateway, or a different IP address. These errors can also occur if you have another route to another network using the default gateway. Both of these errors are safe to ignore.
route-interface files. The following is a template for the network/netmask format, with instructions following afterwards:
ADDRESS0=X.X.X.X
NETMASK0=X.X.X.X
GATEWAY0=X.X.X.X
ADDRESS0=X.X.X.X is the network number for the static route.
NETMASK0=X.X.X.X is the netmask for the network number defined with ADDRESS0=X.X.X.X .
GATEWAY0=X.X.X.X is the default gateway, or an IP address that can be used to reach ADDRESS0=X.X.X.X
route-eth0 file using the network/netmask directives format. The default gateway is 192.168.0.1, interface eth0. The two static routes are for the 10.10.10.0/24 and 172.16.1.0/24 networks. However, as mentioned before, this example is not necessary as the 10.10.10.0/24 and 172.16.1.0/24 networks would use the default gateway anyway:
ADDRESS0=10.10.10.0
NETMASK0=255.255.255.0
GATEWAY0=192.168.0.1
ADDRESS1=172.16.1.0
NETMASK1=255.255.255.0
GATEWAY1=192.168.0.1
ADDRESS0, ADDRESS1, ADDRESS2, and so on.
ADDRESS0=10.10.10.0
NETMASK0=255.255.255.0
GATEWAY0=10.10.10.1
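The following script is an added example and is not part of the Fedora guide or of the initscripts package. It reads a route-interface file in either of the two formats described above (IP command arguments, and ADDRESSn/NETMASKn/GATEWAYn directives), prints the equivalent ip route arguments, and flags routes whose gateway is the default gateway, which is the redundant case that makes ifup print "RTNETLINK answers: File exists". The sample file contents are constructed from the guide's route-eth0 example; the function and variable names are the example's own.

```python
"""Normalize /etc/sysconfig/network-scripts/route-<interface> files.

Added example, not from the Fedora guide: reads both file formats the
guide describes (IP command arguments, and ADDRESSn/NETMASKn/GATEWAYn
directives), emits the equivalent `ip route add` arguments and flags
routes that point at the default gateway, which the kernel already reaches
through the default route (ifup reports "RTNETLINK answers: File exists").
"""
import ipaddress
import re

# Constructed samples based on the guide's route-eth0 example.
IP_ARGS_SAMPLE = """\
default via 192.168.0.1 dev eth0
10.10.10.0/24 via 192.168.0.1 dev eth0
172.16.1.0/24 via 10.10.10.1 dev eth1
"""

DIRECTIVE_SAMPLE = """\
ADDRESS0=10.10.10.0
NETMASK0=255.255.255.0
GATEWAY0=192.168.0.1
ADDRESS1=172.16.1.0
NETMASK1=255.255.255.0
GATEWAY1=10.10.10.1
"""

ROUTE_RE = re.compile(r"^(default|\S+)\s+via\s+(\S+)(?:\s+dev\s+(\S+))?$")
DIRECTIVE_RE = re.compile(r"^(ADDRESS|NETMASK|GATEWAY)(\d+)$")


def parse_ip_args(text):
    """Parse 'default via GW dev IF' / 'NET/PREFIX via GW dev IF' lines.
    Returns (network, gateway, device) tuples; network is None for the
    default route. strict=True rejects a host address used as a network."""
    routes = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = ROUTE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognized route line: {line!r}")
        net, gw, dev = m.groups()
        network = None if net == "default" else ipaddress.ip_network(net, strict=True)
        routes.append((network, ipaddress.ip_address(gw), dev))
    return routes


def parse_directives(text):
    """Parse ADDRESSn/NETMASKn/GATEWAYn triples, numbered contiguously
    from 0 as in the guide's example. The directive format carries no
    device name, so the device field is None."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        m = DIRECTIVE_RE.match(key.strip())
        if not m:
            raise ValueError(f"unrecognized directive: {line!r}")
        fields.setdefault(int(m.group(2)), {})[m.group(1)] = value.strip()
    routes = []
    for n in range(len(fields)):
        if n not in fields:
            raise ValueError(f"ADDRESS{n} is missing; indexes must be contiguous")
        entry = fields[n]
        missing = {"ADDRESS", "NETMASK", "GATEWAY"} - entry.keys()
        if missing:
            raise ValueError(f"route {n} lacks {sorted(missing)}")
        network = ipaddress.ip_network(f"{entry['ADDRESS']}/{entry['NETMASK']}", strict=True)
        routes.append((network, ipaddress.ip_address(entry["GATEWAY"]), None))
    return routes


def to_ip_route_lines(routes):
    """Render routes as the arguments `ip route add` expects."""
    lines = []
    for network, gw, dev in routes:
        line = f"{'default' if network is None else network} via {gw}"
        if dev:
            line += f" dev {dev}"
        lines.append(line)
    return lines


def redundant_routes(routes, default_gateway=None):
    """Return the non-default networks whose gateway is the default gateway.
    A default route inside `routes` overrides the default_gateway argument."""
    if default_gateway is not None:
        default_gateway = ipaddress.ip_address(default_gateway)
    for network, gw, _ in routes:
        if network is None:
            default_gateway = gw
    if default_gateway is None:
        return []
    return [network for network, gw, _ in routes
            if network is not None and gw == default_gateway]


if __name__ == "__main__":
    for sample, parser in ((IP_ARGS_SAMPLE, parse_ip_args), (DIRECTIVE_SAMPLE, parse_directives)):
        routes = parser(sample)
        print("\n".join(to_ip_route_lines(routes)))
        print("redundant:", [str(n) for n in redundant_routes(routes, "192.168.0.1")])
```

Because the directive format has no default route of its own, the default gateway of the interface is passed in explicitly when checking for redundant entries; with the IP arguments format the default line inside the file is used.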
/etc/sysconfig/network-scripts/network-functions file contains the most commonly used IPv4 functions, which are useful to many interface control scripts. These functions include contacting running programs that have requested information about changes in the status of an interface, setting hostnames, finding a gateway device, verifying whether or not a particular device is down, and adding a default route.
/etc/sysconfig/network-scripts/network-functions-ipv6 file exists specifically to hold this information. The functions in this file configure and delete static IPv6 routes, create and remove tunnels, add and remove IPv6 addresses to an interface, and test for the existence of an IPv6 address on an interface.
/usr/share/doc/initscripts-version/sysconfig.txt
/usr/share/doc/iproute-version/ip-cref.ps — A reference for the ip command, which can be used to manipulate routing tables, among other things. Use the ggv or kghostview application to view this file.
httpd if you are running a web server). However, if you do not need to provide a service, you should turn it off to minimize your exposure to possible bug exploits.
/etc/rc.d/init.d/ directory, it is advised that you use the systemctl utility.
irqbalance service is enabled. In most cases, this service is installed and configured to run during the Fedora 15 installation. To verify that irqbalance is running, type the following at a shell prompt:
systemctl status irqbalance.service
To configure a service to start at boot time, use the systemctl command in the following form:
systemctl enable service_name.service
httpd service by typing the following at a shell prompt as root:
~]# systemctl enable httpd.service
To prevent a service from starting at boot time, use the systemctl command in the following form:
systemctl disable service_name.service
telnet service is disabled by running the following command as root:
~]# systemctl disable telnet.service
/etc/rc.d/init.d/ directory, it is advised that you use the systemctl utility.
systemctl command in the following form:
systemctl status service_name.service
systemctl command in the following form instead:
systemctl is-active service_name.service
httpd service at boot time. Imagine that the system has been restarted and you need to verify that the service is really running. You can do so by typing the following at a shell prompt:
~]$ systemctl is-active httpd.service
active
~]$ systemctl status httpd.service
httpd.service - LSB: start and stop Apache HTTP Server
Loaded: loaded (/etc/rc.d/init.d/httpd)
Active: active (running) since Mon, 23 May 2011 21:38:57 +0200; 27s ago
Process: 2997 ExecStart=/etc/rc.d/init.d/httpd start (code=exited, status=0/SUCCESS)
Main PID: 3002 (httpd)
CGroup: name=systemd:/system/httpd.service
├ 3002 /usr/sbin/httpd
├ 3004 /usr/sbin/httpd
├ 3005 /usr/sbin/httpd
├ 3006 /usr/sbin/httpd
├ 3007 /usr/sbin/httpd
├ 3008 /usr/sbin/httpd
├ 3009 /usr/sbin/httpd
├ 3010 /usr/sbin/httpd
└ 3011 /usr/sbin/httpd
To list all currently loaded service units, type:
systemctl list-units --type=service
The columns of the output have the following meaning:
UNIT — A systemd unit name. In this case, a service name.
LOAD — Information whether the systemd unit was properly loaded.
ACTIVE — A high-level unit activation state.
SUB — A low-level unit activation state.
JOB — A pending job for the unit.
DESCRIPTION — A brief description of the unit.
~]$ systemctl list-units --type=service
UNIT LOAD ACTIVE SUB JOB DESCRIPTION
abrt-ccpp.service loaded active exited LSB: Installs coredump handler which saves segfault data
abrt-oops.service loaded active running LSB: Watches system log for oops messages, creates ABRT dump directories for each oops
abrtd.service loaded active running ABRT Automated Bug Reporting Tool
accounts-daemon.service loaded active running Accounts Service
atd.service loaded active running Job spooling tools
[output truncated]
In this example, the abrtd service is loaded, active, and running, and it does not have any pending jobs.
To start a service, use the systemctl command in the following form:
systemctl start service_name.service
httpd service at boot time. You can start the service immediately by typing the following at a shell prompt as root:
~]# systemctl start httpd.service
To stop a service, use the systemctl command in the following form:
systemctl stop service_name.service
telnet service at boot time. You can stop the service immediately by running the following command as root:
~]# systemctl stop telnet.service
To restart a service, use the systemctl command in the following form:
systemctl restart service_name.service
/etc/ssh/sshd_config configuration file to take effect, it is required that you restart the sshd service. You can do so by typing the following at a shell prompt as root:
~]# systemctl restart sshd.service
systemctl(1) — The manual page for the systemctl utility.
system-config-authentication at a shell prompt (for example, in an XTerm or a GNOME terminal).

LDAP server.
Transport Layer Security (TLS) will be used to encrypt passwords sent to the LDAP server. The option allows you to specify a URL from which to download a valid Certificate Authority (CA) certificate. A valid CA certificate must be in the Privacy Enhanced Mail (PEM) format.
ldaps:// server address is specified in the LDAP Server field.
openldap-clients package must be installed for this option to work.
kadmind.
krb5-libs and krb5-workstation packages must be installed for this option to work. For more information about Kerberos, refer to section Using Kerberos of the Fedora 15 Managing Single Sign-On and Smart Cards guide.
ldaps:// server address or use TLS for LDAP authentication.
portmap and ypbind services are started and are also enabled to start at boot time.
krb5-server package must be installed, and Kerberos must be configured properly.
winbind should use. For more information about domain controllers, please refer to Section 15.1.6.3, “Domain Controller”.
winbindd daemon uses the value chosen here to specify the login shell for that user.
winbindd service, refer to Section 15.1.2, “Samba Daemons and Related Services”.

/etc/security/access.conf is consulted for authorization of a user.
authconfig man page or by typing authconfig --help at the shell prompt.
| Option | Description |
|---|---|
| --enableshadow, --useshadow | Enable shadow passwords |
| --disableshadow | Disable shadow passwords |
| --passalgo= | Hash/crypt algorithm to be used |
| --enablenis | Enable NIS for user account configuration |
| --disablenis | Disable NIS for user account configuration |
| --nisdomain= | Specify an NIS domain |
| --nisserver= | Specify an NIS server |
| --enableldap | Enable LDAP for user account configuration |
| --disableldap | Disable LDAP for user account configuration |
| --enableldaptls | Enable use of TLS with LDAP |
| --disableldaptls | Disable use of TLS with LDAP |
| --enablerfc2307bis | Enable use of RFC-2307bis schema for LDAP user information lookups |
| --disablerfc2307bis | Disable use of RFC-2307bis schema for LDAP user information lookups |
| --enableldapauth | Enable LDAP for authentication |
| --disableldapauth | Disable LDAP for authentication |
| --ldapserver= | Specify an LDAP server |
| --ldapbasedn= | Specify an LDAP base DN (Distinguished Name) |
| --ldaploadcacert= | Load a CA certificate from the specified URL |
| --enablekrb5 | Enable Kerberos for authentication |
| --disablekrb5 | Disable Kerberos for authentication |
| --krb5kdc= | Specify Kerberos KDC server |
| --krb5adminserver= | Specify Kerberos administration server |
| --krb5realm= | Specify Kerberos realm |
| --enablekrb5kdcdns | Enable use of DNS to find Kerberos KDCs |
| --disablekrb5kdcdns | Disable use of DNS to find Kerberos KDCs |
| --enablekrb5realmdns | Enable use of DNS to find Kerberos realms |
| --disablekrb5realmdns | Disable use of DNS to find Kerberos realms |
| --enablewinbind | Enable winbind for user account configuration |
| --disablewinbind | Disable winbind for user account configuration |
| --enablewinbindauth | Enable winbindauth for authentication |
| --disablewinbindauth | Disable winbindauth for authentication |
| --winbindseparator= | Character used to separate the domain and user part of winbind usernames if winbindusedefaultdomain is not enabled |
| --winbindtemplatehomedir= | Directory that winbind users have as their home |
| --winbindtemplateprimarygroup= | Group that winbind users have as their primary group |
| --winbindtemplateshell= | Shell that winbind users have as their default login shell |
| --enablewinbindusedefaultdomain | Configures winbind to assume that users with no domain in their usernames are domain users |
| --disablewinbindusedefaultdomain | Configures winbind to assume that users with no domain in their usernames are not domain users |
| --winbindjoin= | Joins the winbind domain or ADS realm as the specified administrator |
| --enablewinbindoffline | Configures winbind to allow offline login |
| --disablewinbindoffline | Configures winbind to prevent offline login |
| --smbsecurity= | Security mode to use for the Samba and Winbind services |
| --smbrealm= | Default realm for Samba and Winbind services when security is set to |
| --enablewins | Enable Wins for hostname resolution |
| --disablewins | Disable Wins for hostname resolution |
| --enablesssd | Enable SSSD for user information |
| --disablesssd | Disable SSSD for user information |
| --enablecache | Enable nscd |
| --disablecache | Disable nscd |
| --enablelocauthorize | Local authorization is sufficient for local users |
| --disablelocauthorize | Local users are also authorized through a remote service |
| --enablesysnetauth | Authenticate system accounts with network services |
| --disablesysnetauth | Authenticate system accounts with local files only |
| --enablepamaccess | Check /etc/security/access.conf during account authorization |
| --disablepamaccess | Do not check /etc/security/access.conf during account authorization |
| --enablemkhomedir | Create a home directory for a user on the first login |
| --disablemkhomedir | Do not create a home directory for a user on the first login |
| --enablesmartcard | Enable authentication with a smart card |
| --disablesmartcard | Disable authentication with a smart card |
| --enablerequiresmartcard | Require smart card for authentication |
| --disablerequiresmartcard | Do not require smart card for authentication |
| --smartcardmodule= | Default smart card module to use |
| --smartcardaction= | Action to be taken when smart card removal is detected |
| --enablefingerprint | Enable fingerprint authentication |
| --disablefingerprint | Disable fingerprint authentication |
| --nostart | Do not start or stop the portmap, ypbind, or nscd services even if they are configured |
| --test | Do not update the configuration files, only print the new settings |
| --update, --kickstart | Opposite of --test, update configuration files with changed settings |
| --updateall | Update all configuration files |
| --probe | Probe and display network defaults |
| --savebackup= | Save a backup of all configuration files |
| --restorebackup= | Restore a backup of all configuration files |
| --restorelastbackup | Restore the backup of configuration files saved before the previous configuration change |
nsswitch.conf file configuration, with which you can only request user information from a single server of any particular type (LDAP, NIS, etc.). With SSSD, you can create multiple domains of the same, or of different types of identity provider.
sssd and deleting the corresponding cache file. These cache files are stored in the /var/lib/sss/db/ directory.
cache_DOMAINNAME.ldb.
ldap_referrals option to TRUE in the LDAP domain configuration section of the /etc/sssd/sssd.conf file. This will enable anonymous access to the second LDAP server.
kate in the ldap.example.com domain from the user kate in the ldap.myhome.com domain. You can use SSSD to make requests using fully-qualified usernames. If you request information for kate, you will receive the information from whichever domain is listed first in the look-up order. If you request information for kate@ldap.myhome.com, however, you will receive the correct user information.
filter_users option, which you can use to exclude certain users from being fetched from the database. Refer to the sssd.conf(5) manual page for full details about this option.
ipa_dyndns_update, used to enable dynamic DNS updates; and ipa_dyndns_iface, which specifies the interface whose IP address should be used for dynamic DNS updates.
# yum install sssd
/etc/sssd/sssd.conf file to the new format, and copy the existing version to /etc/sssd/sssd.conf.bak.
upgrade_config.py [-f INFILE] [-o OUTFILE] [-verbose] [--no-backup]
-f INFILE — the configuration file to upgrade. If not specified, this defaults to /etc/sssd/sssd.conf
-o OUTFILE — the name of the upgraded configuration file. If not specified, this defaults to /etc/sssd/sssd.conf
-verbose — produce more verbose output during the upgrade process
--no-backup — do not produce a back-up file. If not specified, this defaults to INFILE.bak
service command or the /etc/init.d/sssd script to control SSSD. For example, run the following command to start sssd:
# systemctl start sssd.service
systemctl command, as follows:
# systemctl enable sssd.service
/etc/sssd/sssd.conf file. This file consists of various sections, each of which contains a number of key/value pairs. Some keys accept multiple values; use commas to separate multiple values for such keys. This configuration file uses data types of string (no quotes required), integer and Boolean (with values of TRUE or FALSE). Comments are indicated by either a hash sign (#) or a semicolon (;) in the first column. The following example illustrates some of this syntax:
[section]
# Keys with single values
key1 = value
key2 = val2
# Keys with multiple values
key10 = val10,val11
-c (or --config) parameter on the command line to specify a different configuration file for SSSD.
sssd_nss, so that you can configure your system to use SSSD to retrieve user information. Edit the /etc/nsswitch.conf file for your system to use the sss name database. For example:
passwd: files sss
group:  files sss
/etc/pam.d/system-auth file. Edit this file to reflect the following example, and then restart sssd:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     required      pam_mkhomedir.so umask=0022 skel=/etc/skel/
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     sufficient    pam_sss.so
session     required      pam_unix.so
/home, and if your system is configured to create home directories the first time your users log in, then these directories will be created with the wrong permissions. For example, instead of a typical home directory such as /home/<username>, your users might have home directories that include their locale, such as /home/<locale>/<username>. If this is true for your system, the following steps need to be taken (preemptively):
/home directory to the home directory that you use on your system. In the example above, the following command would achieve this result (replace the directory names with those that apply to your system):
# semanage fcontext -a -e /home /home/locale
pam_oddjob_mkhomedir.so library, which the Authentication Configuration tool will then use to create your custom home directories. You need to use this library to create your home directories, and not the default pam_mkhomedir.so library, because the latter cannot create SELinux labels.
pam_oddjob_mkhomedir.so library if it is available. Otherwise, it will default to using pam_mkhomedir.so.
# semanage fcontext -a -e /home /home/locale
# restorecon -R -v /home/locale
include statements in PAM configurations. For example:
...
session     include       system-auth
session     optional      pam_console.so
...
sufficient condition from system-auth returns PAM_SUCCESS, pam_console.so will not be executed.
access_provider option in the [domain/<NAME>] section in the /etc/sssd/sssd.conf file.
access_provider option to simple, and then add usernames as a comma-separated list to either the simple_allow_users or simple_deny_users options.
example.com is one of the domains specified in the [sssd] section, and only shows the Simple Access Provider-specific options.
[domain/example.com]
access_provider = simple
simple_allow_users = user1, user2
simple as an access provider.
simple_allow_users is set, only users from this list are allowed access. This setting supersedes the simple_deny_users list (which would be redundant).
simple_allow_users list is empty, users are allowed access unless they appear in the simple_deny_users list.
simple_allow_users and simple_deny_users is a configuration error. If this occurs, SSSD will output an error to the /var/log/sssd/sssd_default.log log file when loading the back end, but continue to start normally. Future versions of SSSD will output an error and fail to start.
access_provider=ldap) and the associated filter option (ldap_access_filter) to specify which users are granted access to the specified host. Note that these two options are codependent; if you use LDAP as your access provider then you must specify a value for the ldap_access_filter option, otherwise all users will be denied access. If you are not using LDAP as your access provider, then the ldap_access_filter option has no effect.
example.com is one of the domains specified in the [sssd] section, and only shows the LDAP Access Provider-specific options.
[domain/example.com]
access_provider = ldap
ldap_access_filter = memberOf=cn=allowedusers,ou=Groups,dc=example,dc=com
[domain/<NAME>] sections of the /etc/sssd/sssd.conf file, and listed in order of preference. This list can contain any number of servers.
ldap_uri values:
ldap_uri = ldap://ldap0.mydomain.org, ldap://ldap1.mydomain.org, ldap://ldap2.mydomain.org
ldap://ldap0.mydomain.org functions as the primary server. If this server fails, the SSSD failover mechanism first attempts to connect to ldap1.mydomain.org, and if that server is unavailable, it then attempts to connect to ldap2.mydomain.org.
ldap_uri, krb5_server, …) is not specified, the back end defaults to using service discovery. Refer to Section 8.2.3.2.4.1, “Using SRV Records with Failover” for more information on service discovery.
ldap_uri parameters to specify your failover servers. The failover servers must be entered as a comma-separated list of values for a single ldap_uri parameter. If you enter multiple ldap_uri parameters, SSSD only recognizes the last entry.
ldap_uri entries.
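The checker below is an added example, not part of the Fedora guide or of SSSD. It parses sssd.conf syntax with Python's configparser (strict=False reproduces SSSD's behaviour of keeping only the last value of a repeated key) and reports the three misconfigurations the preceding passages describe: both simple_allow_users and simple_deny_users set under the simple access provider, access_provider = ldap without an ldap_access_filter (which denies everyone), and a repeated ldap_uri key instead of one comma-separated list. The configuration text, the domain names and the function names are constructed for this example.

```python
"""Lint access-control and failover settings in an sssd.conf.

Added example, not from the Fedora guide or SSSD. For each [domain/<NAME>]
section it checks the rules stated in the guide:
  * access_provider = simple with both simple_allow_users and
    simple_deny_users set is a configuration error;
  * access_provider = ldap requires ldap_access_filter, else all users are
    denied;
  * failover servers belong in ONE comma-separated ldap_uri; a repeated
    ldap_uri key is silently reduced to its last occurrence.
"""
import configparser

# Constructed sample with one deliberate mistake of each kind.
SAMPLE_CONF = """\
[sssd]
config_file_version = 2
services = nss, pam
domains = example.com, corp.example.org

[domain/example.com]
access_provider = simple
simple_allow_users = user1, user2
simple_deny_users = user3
; the deny list above is ignored and reported as a configuration error

[domain/corp.example.org]
id_provider = ldap
auth_provider = ldap
access_provider = ldap
ldap_uri = ldap://ldap0.mydomain.org
ldap_uri = ldap://ldap1.mydomain.org
# no ldap_access_filter: every user of this domain would be denied
"""


def parse_sssd_conf(text):
    """sssd.conf is INI-like: [sections], key = value, '#' or ';' comments,
    comma-separated multi-value keys. strict=False keeps the last value of a
    duplicated key, which is what SSSD does."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(text)
    return cp


def _values(raw):
    return [v.strip() for v in raw.split(",") if v.strip()]


def _repeated_keys(text, section):
    """Count key occurrences per section in the raw text, because the
    parser has already collapsed duplicates."""
    counts, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            continue
        if current == section and "=" in line:
            key = line.split("=", 1)[0].strip()
            counts[key] = counts.get(key, 0) + 1
    return {k: n for k, n in counts.items() if n > 1}


def lint_domain(cp, text, section):
    findings = []
    provider = cp.get(section, "access_provider", fallback="").strip()
    if provider == "simple":
        allow = _values(cp.get(section, "simple_allow_users", fallback=""))
        deny = _values(cp.get(section, "simple_deny_users", fallback=""))
        if allow and deny:
            findings.append("simple_allow_users and simple_deny_users are both set; "
                            "the deny list is ignored and SSSD logs a configuration error")
    elif provider == "ldap":
        if not cp.get(section, "ldap_access_filter", fallback="").strip():
            findings.append("access_provider = ldap without ldap_access_filter denies all users")
    for key, n in _repeated_keys(text, section).items():
        if key == "ldap_uri":
            findings.append(f"ldap_uri appears {n} times; only the last one is used, "
                            "list failover servers comma-separated in a single ldap_uri")
    return findings


def lint(text):
    """Return {section: [finding, ...]} for every section with a problem."""
    cp = parse_sssd_conf(text)
    report = {}
    declared = _values(cp.get("sssd", "domains", fallback=""))
    missing = [d for d in declared if not cp.has_section(f"domain/{d}")]
    if missing:
        report["sssd"] = [f"domains lists {', '.join(missing)} without a [domain/<NAME>] section"]
    for section in cp.sections():
        if section.startswith("domain/"):
            findings = lint_domain(cp, text, section)
            if findings:
                report[section] = findings
    return report


if __name__ == "__main__":
    for section, findings in lint(SAMPLE_CONF).items():
        for finding in findings:
            print(f"[{section}] {finding}")
```

Run it against a copy of /etc/sssd/sssd.conf before restarting sssd; the ldap_uri check is the one that is hardest to notice in the log, since SSSD starts normally with a single server and only the failover list is lost.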
priority and weight attributes of SRV records provide further opportunity for specifying which servers should be contacted first in the event that the primary server fails.
_service._protocol._domain TTL priority weight port hostname
_service._protocol._domain, for example, _ldap._tcp._redhat.com. The client then sorts this list according to the priorities and weights, and connects to the first server in this sorted list.
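As an added example (not code from the Fedora guide or from SSSD), the following script parses SRV records in the layout shown above and orders them the way a client does. It goes beyond the text in one respect: the ordering implements the RFC 2782 selection rule, that is, lowest priority first and, within one priority, a weighted random draw in which a weight-0 record is almost never chosen ahead of weighted ones. The zone fragment and the host names are constructed.

```python
"""Order SRV records by priority and weight as a resolver client does.

Added example, not from the Fedora guide or SSSD. parse_srv() reads the
`_service._protocol._domain TTL priority weight port hostname` layout used
by the guide (an optional "IN SRV" pair from a zone file is tolerated) and
order_srv() applies RFC 2782: lowest priority first; within one priority a
weighted random draw. The first record of the result is the server the
client contacts; the rest is its failover order.
"""
import random
from dataclasses import dataclass

# Constructed zone fragment: two load-balanced primaries and one backup.
SAMPLE_ZONE = """\
; _service._protocol._domain TTL priority weight port hostname
_ldap._tcp.example.com 3600 10 60 389 ldap0.example.com.
_ldap._tcp.example.com 3600 10 40 389 ldap1.example.com.
_ldap._tcp.example.com 3600 20  0 389 ldap2.example.com.
"""


@dataclass
class SrvRecord:
    name: str
    ttl: int
    priority: int
    weight: int
    port: int
    target: str


def parse_srv(text):
    records = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith(";"):
            continue
        if len(fields) == 8 and fields[2].upper() == "IN" and fields[3].upper() == "SRV":
            del fields[2:4]  # drop zone-file class and type tokens
        if len(fields) != 6:
            raise ValueError(f"malformed SRV record: {line!r}")
        name, ttl, prio, weight, port, target = fields
        records.append(SrvRecord(name, int(ttl), int(prio), int(weight),
                                 int(port), target.rstrip(".")))
    return records


def order_srv(records, seed=None):
    """Return the records in contact order; `seed` makes the draw reproducible."""
    rng = random.Random(seed)
    ordered = []
    for prio in sorted({r.priority for r in records}):
        group = [r for r in records if r.priority == prio]
        while group:
            # RFC 2782: weight-0 records go first, draw a number in
            # [0, sum of weights] and take the first record whose running
            # sum reaches it. A weight-0 record therefore only wins when
            # the draw is exactly 0.
            group.sort(key=lambda r: r.weight != 0)
            total = sum(r.weight for r in group)
            pick = rng.randint(0, total)
            running, chosen = 0, group[-1]
            for rec in group:
                running += rec.weight
                if running >= pick:
                    chosen = rec
                    break
            ordered.append(chosen)
            group.remove(chosen)
    return ordered


if __name__ == "__main__":
    for rec in order_srv(parse_srv(SAMPLE_ZONE), seed=1):
        print(rec.priority, rec.weight, rec.target, rec.port)
```

With the sample zone, ldap0 and ldap1 share priority 10 and are chosen first in roughly a 60:40 ratio, while ldap2 (priority 20) is only reached when both of them fail.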
[sssd] section also lists the services that are active and should be started when sssd starts within the services directive.
NSS — An NSS provider service that answers NSS requests from the sssd_nss module.
PAM — A PAM provider service that manages a PAM conversation through the sssd_pam PAM module.
monitor — A special service that monitors all other SSSD services, and starts or restarts them as needed. Its options are specified in the [sssd] section of the /etc/sssd/sssd.conf configuration file.
debug_level (integer)
[service/<NAME>] sections in the SSSD configuration file).
reconnection_retries (integer)
DNS lookup fails to return an IPv4 address for a hostname, SSSD attempts to look up an IPv6 address before returning a failure. Note that this only ensures that the async resolver identifies the correct address; there is currently a bug in the LDAP code that prevents SSSD from connecting to an LDAP server over IPv6. This is being investigated separately.
Name Service Switch (NSS) service. Refer to the sssd.conf(5) manual page for full details about each option.
enum_cache_timeout (integer)
entry_cache_nowait_percentage (integer)
0 disables this feature).
entry_cache_timeout value for the domain.
0-99, and represent a percentage of the entry_cache_timeout value for each domain.
entry_negative_timeout (integer)
filter_users, filter_groups (string)
root.
filter_users_in_groups (Boolean)
TRUE, specifies that users listed in the filter_users list do not appear in group memberships when performing group lookups. If set to FALSE, group lookups return all users that are members of that group. If not specified, defaults to TRUE.
Pluggable Authentication Module (PAM) service.
offline_credentials_expiration (integer)
0 (no limit).
offline_failed_login_attempts (integer)
0 (no limit).
offline_failed_login_delay (integer)
offline_failed_login_attempts has been reached before a new log in attempt is possible.
0, the user cannot authenticate offline if the value of offline_failed_login_attempts has been reached. Only a successful online authentication can re-enable offline authentication. If not specified, defaults to 5.
[sssd] section. This example shows only the configuration of Kerberos authentication; it does not include any identity provider.
[domain/FOO]
auth_provider = krb5
krb5_server = 192.168.1.1
krb5_realm = EXAMPLE.COM
[domain/<NAME>] sections of the /etc/sssd/sssd.conf file, and then add the list of domains to the domains attribute of the [sssd] section, in the order you want them to be queried.
min_id,max_id (integer)
min_id is 1; the default value for max_id is 0 (unbounded).
min_id is unspecified, it defaults to 1 for any back end. This default was chosen to provide compatibility with existing systems and to ease any migration attempts. LDAP administrators should be aware that granting identities in this range may conflict with users in the local /etc/passwd file. To avoid these conflicts, min_id should be set to 1000 or higher wherever possible.
min_id option determines the minimum acceptable value for both UID and GID numbers. Accounts with either UID or GID values below the min_id value are filtered out and not made available on the client.
enumerate (Boolean)
FALSE. Set this value to TRUE to enable enumeration of users and groups of a domain.
timeout (integer)
10 seconds. Raising this timeout might prove useful for slower back ends, such as distant LDAP servers.
timeout = 0, SSSD reverts to the default value; you cannot force a timeout value of zero, because this would force the sssd daemon into a loop.
cache_credentials (Boolean)
FALSE. You should set this value to TRUE for domains other than local if you want to enable offline authentication.
id_provider (string)
NSS provider (for example, nss_nis).
id_provider to proxy, ensure that you also specify a value for proxy_lib_name. Refer to Section 8.2.7, “Configuring a Proxy Domain” for information on this attribute.
SSSD internal local provider.
LDAP provider.
entry_cache_timeout (integer)
use_fully_qualified_names (Boolean)
TRUE, all requests to this domain must use fully-qualified domain names. It also means that the output from the request displays the fully-qualified name.
ipauser01, and the use_fully_qualified_names attribute is set to TRUE:
# getent passwd ipauser01
[no output]
# getent passwd ipauser01@IPA
ipauser01@IPA:x:937315651:937315651:ipauser01:/home/ipauser01:/bin/sh
use_fully_qualified_names attribute is set to FALSE:
# getent passwd ipauser01
ipauser01:x:937315651:937315651:ipauser01:/home/ipauser01:/bin/sh
# getent passwd ipauser01@IPA
ipauser01:x:937315651:937315651:ipauser01:/home/ipauser01:/bin/sh
use_fully_qualified_names is set to FALSE, you can continue to use the fully-qualified name in your requests, but only the simplified version is displayed in the output.
name@domain, not name@realm. You can, however, use the same name for both your domain and your realm.
auth_provider (string)
id_provider if it is set and can handle authentication requests.
proxy_pam_target (string)
auth_provider option is set to proxy, and specifies the target to which PAM must proxy.
/etc/pam.d/ directory.
pam_sss.so.
proxy_lib_name (string)
id_provider option is set to proxy, and specifies which existing NSS library to proxy identity requests through.
nis to use the existing libnss_nis.so file.
id_provider option is set to ldap (id_provider = ldap). Such a domain requires a running LDAP server against which to authenticate. This can be an open source LDAP server such as OpenLDAP or Microsoft Active Directory. SSSD currently supports Microsoft Active Directory 2003 (+Services for UNIX) and Active Directory 2008 (+Subsystem for UNIX-based Applications). In all cases, the client configuration is stored in the /etc/sssd/sssd.conf file.
TLS/SSL or LDAPS is required. If the LDAP server is used only as an identity provider, an encrypted channel is not needed.
/etc/sssd/sssd.conf file to include the following settings:
# A native LDAP domain
[domain/LDAP]
enumerate = false
cache_credentials = TRUE
id_provider = ldap
auth_provider = ldap
ldap_schema = rfc2307
chpass_provider = ldap
ldap_uri = ldap://ldap.mydomain.org
ldap_search_base = dc=mydomain,dc=org
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
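The following audit script is an added example and is not part of the Fedora guide or of SSSD. It checks the points the guide makes about native LDAP domains: when the server also authenticates users (auth_provider or chpass_provider set to ldap) the certificate policy should be ldap_tls_reqcert = demand with an ldap_tls_cacert to verify against, an ldap_uri given as a bare IP address will not match a certificate issued for the server name (the subjectAltName case discussed next), and min_id below 1000 lets remote identities collide with local /etc/passwd accounts. The second, weak domain in the sample configuration is constructed for comparison; an unset ldap_tls_reqcert is deliberately left alone so that SSSD's own default applies.

```python
"""Audit the transport-security settings of LDAP domains in sssd.conf.

Added example, not from the Fedora guide or SSSD. For every
[domain/<NAME>] with id_provider = ldap it reports:
  * an explicitly weakened ldap_tls_reqcert, or no ldap_tls_cacert, on a
    domain that sends passwords to the server;
  * an ldap_uri with a bare IP address, which only verifies if the server
    certificate carries an IP subjectAltName;
  * min_id below 1000 (the guide's default is 1), where remote UIDs/GIDs
    may collide with local /etc/passwd accounts.
"""
import configparser
import ipaddress
from urllib.parse import urlsplit

SAMPLE_CONF = """\
[sssd]
config_file_version = 2
services = nss, pam
domains = LDAP, LEGACY

# The guide's native LDAP domain
[domain/LDAP]
enumerate = false
cache_credentials = TRUE
id_provider = ldap
auth_provider = ldap
ldap_schema = rfc2307
chpass_provider = ldap
ldap_uri = ldap://ldap.mydomain.org
ldap_search_base = dc=mydomain,dc=org
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt

# Constructed weak domain for comparison
[domain/LEGACY]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://10.0.0.10
ldap_search_base = dc=legacy,dc=org
ldap_tls_reqcert = allow
min_id = 500
"""

STRICT_REQCERT = {"demand", "hard"}


def parse(text):
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(text)
    return cp


def _uris(raw):
    return [u.strip() for u in raw.split(",") if u.strip()]


def _is_ip_host(uri):
    host = urlsplit(uri).hostname
    if host is None:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_ldap_domain(cp, section):
    findings = []

    def get(key, default=""):
        return cp.get(section, key, fallback=default).strip()

    if get("id_provider") != "ldap":
        return findings
    # Passwords cross the wire only if this server authenticates or changes them.
    authenticates = "ldap" in (get("auth_provider"), get("chpass_provider"))
    reqcert = get("ldap_tls_reqcert").lower()
    if authenticates:
        if reqcert and reqcert not in STRICT_REQCERT:
            findings.append(f"ldap_tls_reqcert = {reqcert}: server certificate is not "
                            "enforced although passwords are sent; use demand")
        if not get("ldap_tls_cacert"):
            findings.append("ldap_tls_cacert is unset: no CA to verify the server certificate")
    for uri in _uris(get("ldap_uri")):
        if _is_ip_host(uri):
            findings.append(f"{uri}: IP address in ldap_uri matches the certificate only "
                            "if it carries an IP subjectAltName")
    min_id = int(get("min_id") or "1")  # guide: unspecified min_id defaults to 1
    if min_id < 1000:
        findings.append(f"min_id = {min_id}: remote UIDs/GIDs may collide with local "
                        "/etc/passwd accounts; set 1000 or higher")
    return findings


def audit(text):
    """Return {section: [finding, ...]} for every [domain/...] section."""
    cp = parse(text)
    return {s: check_ldap_domain(cp, s) for s in cp.sections() if s.startswith("domain/")}


if __name__ == "__main__":
    for section, findings in audit(SAMPLE_CONF).items():
        print(f"[{section}] {'ok' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

Note that even the guide's own domain produces one finding: it leaves min_id at its default of 1, which the guide itself recommends raising to 1000 or higher wherever possible.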
ldap_uri option instead of the server name, for example, if GSSAPI is used to avoid time-consuming DNS lookups, the TLS/SSL setup might fail. This is due to the fact that TLS/SSL certificates contain the server name only. However, a special field in the certificate, called Subject Alternative Name (subjectAltName), can be used to additionally set the IP address of the server.
key.pem key) into a certificate request:
openssl x509 -x509toreq -in old_cert.pem -out req.pem -signkey key.pem
/etc/pki/tls/certs/slapd.pem), execute the following command:
openssl x509 -x509toreq -in old_cert.pem -out req.pem -signkey old_cert.pem
/etc/pki/tls/openssl.cnf configuration file to include the following line under the [ v3_ca ] section:
subjectAltName = IP:10.0.0.10
openssl x509 -req -in req.pem -out new_cert.pem -extfile ./openssl.cnf -extensions v3_ca -signkey old_cert.pem
openssl x509 command creates the new certificate.
-req option tells the command to expect a certificate request as an input.
-in and -out options specify the input and output files.
-extfile option expects a file containing certificate extensions to use (in our case the subjectAltName extension).
-extensions option specifies the section of the openssl.cnf file to add certificate extensions from (in this case, the [ v3_ca ] section).
-signkey option tells the command to self-sign the input file using the supplied private key.
man x509.
old_cert.pem file into the new_cert.pem file to keep all relevant information in one file.
DNS subject alternative names for certificate creation only.
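The re-signing procedure above, run end to end on a throwaway certificate, as an added shell example that is not part of the guide: it creates a self-signed certificate without a subjectAltName, converts it to a request, re-signs it with an extension file carrying a [ v3_ca ] section, and then reads the resulting subjectAltName back so the change can be verified. It assumes openssl is in PATH; the host name ldap.mydomain.org and the address 10.0.0.10 are placeholders.

```shell
#!/bin/sh
# Added example, not from the Fedora guide. Assumes openssl in PATH.
# Host name and IP address below are constructed placeholders.

# Stand-in for the existing self-signed certificate (old_cert.pem) and its
# private key (key.pem); it deliberately carries no subjectAltName.
make_old_cert() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=ldap.mydomain.org" \
        -keyout "$dir/key.pem" -out "$dir/old_cert.pem" >/dev/null 2>&1
}

# The three steps from the text: certificate -> request, an extension file
# with a [ v3_ca ] section, and re-signing the request with that section.
add_san() {
    dir=$1
    san=$2    # e.g. "IP:10.0.0.10,DNS:ldap.mydomain.org"
    openssl x509 -x509toreq -in "$dir/old_cert.pem" -out "$dir/req.pem" \
        -signkey "$dir/key.pem" >/dev/null 2>&1
    printf '[ v3_ca ]\nsubjectAltName = %s\n' "$san" > "$dir/openssl.cnf"
    openssl x509 -req -in "$dir/req.pem" -out "$dir/new_cert.pem" -days 30 \
        -extfile "$dir/openssl.cnf" -extensions v3_ca \
        -signkey "$dir/key.pem" >/dev/null 2>&1
}

# Print the subjectAltName value of a certificate, or nothing if it has none.
san_of() {
    openssl x509 -in "$1" -noout -text \
        | sed -n '/Subject Alternative Name/{n;s/^ *//;p;}'
}

# Returns 0 when the certificate's subjectAltName mentions $2.
san_contains() {
    san_of "$1" | grep -q -- "$2"
}

# Demonstration run on a temporary directory.
demo() {
    dir=$(mktemp -d)
    make_old_cert "$dir"
    add_san "$dir" "IP:10.0.0.10,DNS:ldap.mydomain.org"
    echo "old SAN: '$(san_of "$dir/old_cert.pem")'"
    echo "new SAN: '$(san_of "$dir/new_cert.pem")'"
    rm -rf "$dir"
}

demo
```

The check in san_of is the part worth keeping around: after re-signing a production certificate, confirm that the IP address actually appears as an "IP Address:" entry, since a SAN written as DNS:10.0.0.10 will not satisfy a client that connects by IP.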
ldap_schema attribute to either rfc2307 or rfc2307bis. These schema define how groups in LDAP are specified. In RFC 2307, group objects use a multi-valued attribute, memberuid, which lists the names of the users that belong to that group. In RFC 2307bis, instead of the memberuid, group objects use the member attribute. Rather than just the name of the user, this attribute contains the full Distinguished Name (DN) of another object in the LDAP database. This means that groups can have other groups as members. That is, it adds support for nested groups.
/etc/sssd/sssd.conf file accordingly, this can impact how your users and groups are displayed. It also means that some groups will not be available and network resources may be inaccessible even though you have permissions to use them.
id command to display these groups:
[f12server@ipaserver ~]$ id
uid=500(f12server) gid=500(f12server) groups=500(f12server),510(f12tester)
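The difference between the two group schemas, as an added shell example that is not part of the guide: a small awk resolver flattens a group's membership the way each schema defines it. The LDIF is constructed for the demonstration and the group and user names are placeholders. With rfc2307 only memberUid values count, so a group whose members are expressed as DNs (ops below) resolves to nobody, which is the "group not available" symptom described above; with rfc2307bis the member DNs are followed and the nested devs group is expanded.

```shell
#!/bin/sh
# Added example, not from the Fedora guide. The LDIF is a constructed sample;
# DNs contain no spaces, which the field-based parsing below relies on.
LDIF_SAMPLE='dn: cn=devs,ou=Groups,dc=mydomain,dc=org
objectClass: posixGroup
cn: devs
gidNumber: 510
memberUid: alice
memberUid: bob
member: uid=alice,ou=People,dc=mydomain,dc=org
member: uid=bob,ou=People,dc=mydomain,dc=org

dn: cn=ops,ou=Groups,dc=mydomain,dc=org
objectClass: posixGroup
cn: ops
gidNumber: 520
member: uid=carol,ou=People,dc=mydomain,dc=org
member: cn=devs,ou=Groups,dc=mydomain,dc=org
'

# usage: group_members rfc2307|rfc2307bis GROUP < ldif
# rfc2307: memberUid values only, no nesting.
# rfc2307bis: follow member DNs, recursing into groups (cn=...) so that nested
# groups are flattened; a seen[] guard stops cycles.
group_members() {
    awk -v schema="$1" -v want="$2" '
        function resolve(g,    n, i, parts, dn, u) {
            if (g in seen) return
            seen[g] = 1
            if (schema == "rfc2307") {
                n = split(uids[g], parts, " ")
                for (i = 1; i <= n; i++) if (parts[i] != "") out[parts[i]] = 1
                return
            }
            n = split(mem[g], parts, "|")
            for (i = 1; i <= n; i++) {
                dn = parts[i]
                if (dn ~ /^uid=/) {
                    u = dn; sub(/^uid=/, "", u); sub(/,.*/, "", u); out[u] = 1
                } else if (dn ~ /^cn=/) {
                    u = dn; sub(/^cn=/, "", u); sub(/,.*/, "", u); resolve(u)
                }
            }
        }
        # remember which group entry the following attributes belong to
        /^dn: cn=/ { cur = $0; sub(/^dn: cn=/, "", cur); sub(/,.*/, "", cur); next }
        /^dn: /    { cur = ""; next }
        cur != "" && /^memberUid: / { uids[cur] = uids[cur] " " $2 }
        cur != "" && /^member: /    { mem[cur] = mem[cur] "|" $2 }
        END { resolve(want); for (u in out) print u }
    ' | sort
}

# Demonstration: the same group under both schema settings.
for schema in rfc2307 rfc2307bis; do
    echo "ops with ldap_schema = $schema:"
    printf '%s' "$LDIF_SAMPLE" | group_members "$schema" ops
done
```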
ldap_search_timeout (integer) — Specifies the timeout (in seconds) that LDAP searches are allowed to run before they are canceled and cached results are returned (and offline mode is entered). If not specified:
enumerate = False
enumerate = True. This option is forced to a minimum of 30 in this case.
ldap_network_timeout (integer) — Specifies the timeout (in seconds) after which the poll(2)/select(2) following a connect(2) returns in case of no activity.
ldap_opt_timeout (integer) — Specifies the timeout (in seconds) after which calls to synchronous LDAP APIs will abort if no response is received. This option also controls the timeout when communicating with the KDC in case of a SASL bind.
DNS service discovery feature allows the LDAP back end to automatically find the appropriate DNS servers to connect to using a special DNS query. For more information on the DNS service discovery feature, refer to Section 8.2.3.2.4.1, “Using SRV Records with Failover”.
/etc/sssd/sssd.conf file that ships with SSSD contains the following sample configuration for Active Directory 2003:
# Example LDAP domain where the LDAP server is an Active Directory 2003 server.
[domain/AD]
description = LDAP domain with AD server
enumerate = false
min_id = 1000
;
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://your.ad.server.com
ldap_schema = rfc2307bis
ldap_search_base = dc=example,dc=com
ldap_default_bind_dn = cn=Administrator,cn=Users,dc=example,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = YOUR_PASSWORD
ldap_user_object_class = person
ldap_user_name = msSFU30Name
ldap_user_uid_number = msSFU30UidNumber
ldap_user_gid_number = msSFU30GidNumber
ldap_user_home_directory = msSFU30HomeDirectory
ldap_user_shell = msSFU30LoginShell
ldap_user_principal = userPrincipalName
ldap_group_object_class = group
ldap_group_name = msSFU30Name
ldap_group_gid_number = msSFU30GidNumber
/etc/openldap/cacerts) and that the c_rehash function has been used to create the appropriate symlinks.
/etc/sssd/sssd.conf to support Active Directory 2003 R2 or Active Directory 2008 as a back end is similar to that for AD 2003. The following example configuration highlights the necessary changes.
# Example LDAP domain where the LDAP server is an Active Directory 2003 R2 or an Active Directory 2008 server.
[domain/AD]
description = LDAP domain with AD server
; debug_level = 9
enumerate = false
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://your.ad.server.com
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_tls_cacert = /etc/openldap/cacerts/test.cer
ldap_search_base = dc=example,dc=com
ldap_default_bind_dn = cn=Administrator,cn=Users,dc=example,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = YOUR_PASSWORD
ldap_pwd_policy = none
ldap_user_object_class = user
ldap_group_object_class = group
/etc/openldap/cacerts) and that the c_rehash function has been used to create the appropriate symlinks.
/etc/sssd/sssd.conf file.
id_provider = ldap). Some information required by the Kerberos 5 authentication back end must be supplied by the identity provider, such as the user's Kerberos Principal Name (UPN). The identity provider configuration should contain an entry to specify this UPN. Refer to the manual page for the applicable identity provider for details on how to configure the UPN.
username@krb5_realm.
krb5_kpasswd option to specify where your password changing service is running, or if it is running on a non-default port. If the krb5_kpasswd option is not defined, SSSD tries to use the Kerberos KDC in order to change the password. Refer to the sssd-krb5(5) manual page for more information about this and all Kerberos configuration options.
/etc/sssd/sssd.conf file to include the following settings:
# A domain with identities provided by LDAP and authentication by Kerberos
[domain/KRBDOMAIN]
enumerate = false
id_provider = ldap
chpass_provider = krb5
ldap_uri = ldap://ldap.mydomain.org
ldap_search_base = dc=mydomain,dc=org
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
auth_provider = krb5
krb5_server = 192.168.1.1
krb5_realm = EXAMPLE.COM
krb5_changepw_principal = kadmin/changepw
krb5_ccachedir = /tmp
krb5_ccname_template = FILE:%d/krb5cc_%U_XXXXXX
krb5_auth_timeout = 15
DNS service discovery feature allows the Kerberos 5 authentication back end to automatically find the appropriate DNS servers to connect to using a special DNS query. For more information on the DNS service discovery feature, refer to Section 8.2.3.2.4.1, “Using SRV Records with Failover”.
default_realm option in the [libdefaults] section and kdc option for your realm in the [realms] section in the /etc/krb5.conf configuration file not only on the directory server and the KDC but also on the client running SSSD. For more information on various /etc/krb5.conf options, refer to man krb5.conf
-randkey option for the kadmin's addprinc command to create the principal and assign it a random key:
kadmin: addprinc -randkey ldap/server.example.com
ktadd command to write the service principal to a file:
kadmin: ktadd -k /root/ldap.keytab ldap/server.example.com
-randkey option for the kadmin's addprinc command to create the principal and assign it a random key:
kadmin: addprinc -randkey host/client.example.com
ktadd command to write the host principal to a file:
kadmin: ktadd -k /root/client.keytab host/client.example.com
/root/ldap.keytab file from the KDC to the /etc/openldap/ directory and name it ldap.keytab.
/etc/openldap/ldap.keytab file read-writable for the ldap user and readable for the ldap group only.
/root/ldap.keytab file from the KDC to the /etc/dirsrv/ directory and name it ldap.keytab.
KRB5_KTNAME line in the /etc/sysconfig/dirsrv (or instance-specific) file, and set the keytab location for the KRB5_KTNAME variable. For example:
# In order to use SASL/GSSAPI the directory
# server needs to know where to find its keytab
# file - uncomment the following line and set
# the path and filename appropriately
KRB5_KTNAME=/etc/dirsrv/ldap.keytab; export KRB5_KTNAME
/root/client.keytab file from the KDC to the /etc/ directory and name it krb5.keytab. If the /etc/krb5.keytab file exists already, use the ktutil utility to merge both files properly. For more information on the ktutil utility, refer to man ktutil.
ldap_sasl_mech = gssapi
ldap_sasl_authid = host/client.example.com@EXAMPLE.COM
ldap_krb5_keytab = /etc/krb5.keytab (default)
ldap_krb5_init_creds = true (default)
ldap_krb5_ticket_lifetime = 86400 (default)
krb5_realm = EXAMPLE.COM
/etc/sssd/sssd.conf configuration file to include the following settings:
[domain/PROXY_KRB5]
auth_provider = krb5
krb5_server = 192.168.1.1
krb5_realm = EXAMPLE.COM
id_provider = proxy
proxy_lib_name = nis
enumerate = true
cache_credentials = true
/etc/sssd/sssd.conf configuration file to include the following settings:
[domain/LDAP_PROXY]
id_provider = ldap
ldap_uri = ldap://example.com
ldap_search_base = dc=example,dc=com
auth_provider = proxy
proxy_pam_target = sssdpamproxy
enumerate = true
cache_credentials = true
/etc/pam.d/sssdpamproxy file which provides the needed module interfaces. Note that the pam_ldap.so file can be substituted with a PAM module of your choice.
/etc/pam.d/sssdpamproxy file (if not already created) and specify the following settings in it:
auth required pam_ldap.so
account required pam_ldap.so
password required pam_ldap.so
session required pam_ldap.so
/etc/sssd/sssd.conf configuration file to include the following settings:
[domain/PROXY_PROXY]
auth_provider = proxy
id_provider = proxy
proxy_lib_name = ldap
proxy_pam_target = sssdproxyldap
enumerate = true
cache_credentials = true
/etc/pam.d/sssdproxyldap file which provides the needed module interfaces.
man sssd.conf
/etc/pam.d/sssdproxyldap file (if not already created) and specify the following settings in it:
auth required pam_ldap.so
account required pam_ldap.so
password required pam_ldap.so
session required pam_ldap.so
/etc/nslcd.conf file (the default configuration file for the LDAP name service daemon) to include the following settings:
uid nslcd
gid ldap
uri ldaps://ldap.mydomain.org:636
base dc=mydomain,dc=org
ssl on
tls_cacertdir /etc/openldap/cacerts
man nslcd.conf
/var/log/sssd/ directory.
/etc/sssd/sssd.conf file), as well as an sssd_pam.log and an sssd_nss.log file. This level of granularity can help you to quickly isolate and resolve any errors or issues you might experience with SSSD.
/var/log/secure file, which logs authentication failures and the reason for the failure. For example, if you see Reason 4: System Error reported against any failure, you should increase the debug level of the log files.
debug_level option in the /etc/sssd/sssd.conf for the domain that is causing concern, and then restart SSSD. Refer to the sssd.conf(5) manual page for more information on how to set the debug_level for a specific domain.
FALSE in the /etc/sssd/sssd.conf file:
--debug-timestamps=FALSE
# sssd -d4
[sssd] [ldb] (3): server_sort:Unable to register control with rootdse!
[sssd] [confdb_get_domains] (0): No domains configured, fatal error!
[sssd] [get_monitor_config] (0): No domains configured.
/etc/sssd/sssd.conf file and ensure you have at least one properly configured domain, and then try to start SSSD.
# sssd -d4
[sssd] [ldb] (3): server_sort:Unable to register control with rootdse!
[sssd] [get_monitor_config] (0): No services configured!
/etc/sssd/sssd.conf file and ensure you have at least one available service provider, and then try to start SSSD.
services entry in the /etc/sssd/sssd.conf file. If services are listed in multiple entries, only the last entry is recognized by SSSD.
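A small lint for sssd.conf, as an added shell example that is not part of the guide, covering the start-up failures shown above ("No domains configured", "No services configured") together with the repeated services entry pitfall and the missing nss service from the NSS troubleshooting list further down. The configuration texts in the demonstration are constructed samples, not a real /etc/sssd/sssd.conf; conf_get mirrors SSSD's behaviour of keeping only the last value of a repeated key.

```shell
#!/bin/sh
# Added example, not from the Fedora guide. Configs below are constructed.

# Print the value of key $2 in section $1 from the config on stdin.
# Like SSSD itself, a repeated key yields the last value given.
conf_get() {
    awk -v sect="[$1]" -v key="$2" '
        { sub(/[ \t]+$/, "") }
        /^[ \t]*\[/ { in_sect = ($0 == sect); next }
        in_sect && $0 ~ ("^[ \t]*" key "[ \t]*=") { sub(/^[^=]*=[ \t]*/, ""); val = $0 }
        END { print val }'
}

# Count how often key $2 appears in section $1 (anything above 1 is suspect).
conf_count() {
    awk -v sect="[$1]" -v key="$2" '
        { sub(/[ \t]+$/, "") }
        /^[ \t]*\[/ { in_sect = ($0 == sect); next }
        in_sect && $0 ~ ("^[ \t]*" key "[ \t]*=") { n++ }
        END { print n + 0 }'
}

# Returns 0 when the file passes every check; prints each problem found.
sssd_lint() {
    conf=$1
    rc=0
    services=$(conf_get sssd services < "$conf")
    domains=$(conf_get sssd domains < "$conf")
    [ -n "$services" ] || { echo "[sssd] has no services entry"; rc=1; }
    [ -n "$domains" ]  || { echo "[sssd] has no domains entry"; rc=1; }
    n=$(conf_count sssd services < "$conf")
    [ "$n" -le 1 ] || { echo "services listed $n times; only the last line counts"; rc=1; }
    # every name in 'domains' needs a matching [domain/NAME] section
    for d in $(printf '%s' "$domains" | tr ',' ' '); do
        grep -qF "[domain/$d]" "$conf" || { echo "no [domain/$d] section"; rc=1; }
    done
    # NSS lookups fail unless nss is among the services sssd starts
    case ",$(printf '%s' "$services" | tr -d ' ')," in
        *,nss,*) ;;
        *) echo "nss is not in services"; rc=1 ;;
    esac
    return $rc
}

# Demonstration on a constructed config that repeats the services line.
demo_conf=$(mktemp)
printf '[sssd]\nservices = nss\nservices = pam\ndomains = LDAP\n' > "$demo_conf"
sssd_lint "$demo_conf" || echo "lint found problems (expected for this sample)"
rm -f "$demo_conf"
```

Run it against the real file with sssd_lint /etc/sssd/sssd.conf before restarting the service; the checks are deliberately narrow, so a clean result only means the [sssd] section is consistent, not that each domain's provider settings are valid.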
NSS, their symptoms, and how to resolve them.
NSS fails to return user information
# systemctl is-active sssd.service
sssd (pid 21762) is running...
[nss] section of the /etc/sssd/sssd.conf file. For example, ensure that you have not misconfigured the filter_users or filter_groups attributes. Refer to the NSS configuration options section of the sssd.conf(5) manual page for information on how to configure these attributes.
nss in the list of services that sssd should start
/etc/nsswitch.conf file. Refer to Section 8.2.3.2.1, “Configuring NSS” for information on how to correctly configure this file.
PAM, their symptoms, and how to resolve them.
[root@clientF11 tmp]# passwd user1000
Changing password for user user1000.
New password:
Retype new password:
New Password:
Reenter new Password:
passwd: all authentication tokens updated successfully.
use_authtok option is correctly configured in your /etc/pam.d/system-auth file.
nscd daemon, and will likely generate warnings in the SSSD log files. Even though SSSD does not directly conflict with nscd, the use of both at the same time can result in unexpected behavior (specifically with how long entries are being cached).
resolv.conf file. This file is typically only read once, and so any changes made to this file are not automatically applied.
nscd service is running, unless that service is manually restarted.
hosts and services in the /etc/nscd.conf file, and to rely on the SSSD cache for the passwd and group entries. With nscd answering hosts and services requests, these entries would have been cached and returned by nscd during the boot process.
use_fully_qualified_domains attribute to TRUE in the /etc/sssd/sssd.conf file.
sssd.conf(5)
sssd-ipa(5)
sssd-krb5(5)
sssd-ldap(5)
sssd(8)
sssd_krb5_locator_plugin(8)
pam_sss(8)
[sssd]
config_file_version = 2
services = nss, pam
domains = mybox.example.com, ldap.example.com, ipa.example.com, nis.example.com
# sbus_timeout = 300

[nss]
nss_filter_groups = root
nss_filter_users = root
nss_entry_cache_timeout = 30
nss_enum_cache_timeout = 30

[domain/mybox.example.com]
domain_type = local
enumerate = true
min_id = 1000
# max_id = 2000
local_default_shell = /bin/bash
local_default_homedir = /home
# Possible overrides
# id_provider = local
# auth_provider = local
# authz_provider = local
# passwd_provider = local

[domain/ldap.example.com]
domain_type = ldap
server = ldap.example.com, ldap3.example.com, 10.0.0.2
# ldap_uri = ldaps://ldap.example.com:9093
# ldap_use_tls = ssl
ldap_search_base = dc=ldap,dc=example,dc=com
enumerate = false
# Possible overrides
# id_provider = ldap
# id_server = ldap2.example.com
# auth_provider = krb5
# auth_server = krb5.example.com
# krb5_realm = KRB5.EXAMPLE.COM

[domain/ipa.example.com]
domain_type = ipa
server = ipa.example.com, ipa2.example.com
enumerate = false
# Possible overrides
# id_provider = ldap
# id_server = ldap2.example.com
# auth_provider = krb5
# auth_server = krb5.example.com
# krb5_realm = KRB5.EXAMPLE.COM

[domain/nis.example.com]
id_provider = proxy
proxy_lib = nis
auth_provider = proxy
proxy_auth_target = nis_pam_proxy
SSH (Secure Shell) is a protocol which facilitates secure communications between two systems using a client/server architecture and allows users to log into server host systems remotely. Unlike other remote communication protocols, such as FTP or Telnet, SSH encrypts the login session, which makes it difficult for intruders to collect unencrypted passwords from the connection.
telnet or rsh. A related program called scp replaces older programs designed to copy files between hosts, such as rcp. Because these older applications do not encrypt passwords transmitted between the client and the server, avoid them whenever possible. Using secure methods to log into remote systems decreases the risks for both the client system and the remote host.
root by typing:
su -
ssh, scp, and sftp), and those for the server (the sshd daemon).
/etc/ssh/ directory. See Table 9.1, “System-wide configuration files” for a description of its content.
| Configuration File | Description |
|---|---|
| /etc/ssh/moduli | Contains Diffie-Hellman groups used for the Diffie-Hellman key exchange, which is critical for constructing a secure transport layer. When keys are exchanged at the beginning of an SSH session, a shared, secret value is created which cannot be determined by either party alone. This value is then used to provide host authentication. |
| /etc/ssh/ssh_config | The default SSH client configuration file. Note that it is overridden by ~/.ssh/config if it exists. |
| /etc/ssh/sshd_config | The configuration file for the sshd daemon. |
| /etc/ssh/ssh_host_dsa_key | The DSA private key used by the sshd daemon. |
| /etc/ssh/ssh_host_dsa_key.pub | The DSA public key used by the sshd daemon. |
| /etc/ssh/ssh_host_key | The RSA private key used by the sshd daemon for version 1 of the SSH protocol. |
| /etc/ssh/ssh_host_key.pub | The RSA public key used by the sshd daemon for version 1 of the SSH protocol. |
| /etc/ssh/ssh_host_rsa_key | The RSA private key used by the sshd daemon for version 2 of the SSH protocol. |
| /etc/ssh/ssh_host_rsa_key.pub | The RSA public key used by the sshd daemon for version 2 of the SSH protocol. |
~/.ssh/ directory. See Table 9.2, “User-specific configuration files” for a description of its content.
| Configuration File | Description |
|---|---|
| ~/.ssh/authorized_keys | Holds a list of authorized public keys for servers. When the client connects to a server, the server authenticates the client by checking its signed public key stored within this file. |
| ~/.ssh/id_dsa | Contains the DSA private key of the user. |
| ~/.ssh/id_dsa.pub | The DSA public key of the user. |
| ~/.ssh/id_rsa | The RSA private key used by ssh for version 2 of the SSH protocol. |
| ~/.ssh/id_rsa.pub | The RSA public key used by ssh for version 2 of the SSH protocol. |
| ~/.ssh/identity | The RSA private key used by ssh for version 1 of the SSH protocol. |
| ~/.ssh/identity.pub | The RSA public key used by ssh for version 1 of the SSH protocol. |
| ~/.ssh/known_hosts | Contains DSA host keys of SSH servers accessed by the user. This file is very important for ensuring that the SSH client is connecting to the correct SSH server. |
ssh_config and sshd_config man pages for information concerning the various directives available in the SSH configuration files.
sshd daemon, type the following at a shell prompt:
systemctl start sshd.service
sshd daemon, use the following command:
systemctl stop sshd.service
systemctl enable sshd.service
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
/etc/ssh/ directory (see Table 9.1, “System-wide configuration files” for a complete list), and restore them whenever you reinstall the system.
telnet, rsh, rlogin, and vsftpd.
systemctl stop telnet.service
systemctl stop rsh.service
systemctl stop rlogin.service
systemctl stop vsftpd.service
systemctl disable telnet.service
systemctl disable rsh.service
systemctl disable rlogin.service
systemctl disable vsftpd.service
/etc/ssh/sshd_config configuration file in a text editor, and change the PasswordAuthentication option as follows:
PasswordAuthentication no
ssh, scp, or sftp to connect to the server from a client machine, generate an authorization key pair by following the steps below. Note that keys must be generated for each user separately.
root, only root will be able to use the keys.
~/.ssh/ directory. After reinstalling, copy it back to your home directory. This process can be done for all users on your system, including root.
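A check worth running after any of the key-pair procedures in this section, as an added shell example that is not part of the guide. With its default StrictModes setting, sshd ignores ~/.ssh/authorized_keys when the home directory, the ~/.ssh directory or the file itself is writable by group or others, and the ssh client refuses a private key that anyone other than its owner can read, so the chmod steps below decide whether key authentication works at all. The script audits one home directory for exactly those conditions; the demonstration builds a throwaway layout in a temporary directory, and the key file names are the ones used in this section.

```shell
#!/bin/sh
# Added example, not from the Fedora guide. Key names id_rsa, id_dsa and
# identity are those used in this section; the demo home is constructed.

# Octal permission bits of a path (GNU stat, with a BSD fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Fail if the path is writable by group or others (mode & 022 != 0),
# which is what sshd's StrictModes check rejects.
no_group_other_write() {
    m=$(mode_of "$1")
    if [ $(( 0$m & 022 )) -ne 0 ]; then
        echo "$1: mode $m is group/world writable; sshd StrictModes will reject it"
        return 1
    fi
}

# Fail if a private key is readable or writable by anyone but its owner.
owner_only() {
    m=$(mode_of "$1")
    if [ $(( 0$m & 077 )) -ne 0 ]; then
        echo "$1: mode $m is too open for a private key (want 600)"
        return 1
    fi
}

# Audit one home directory; returns 0 when sshd and ssh would accept it.
check_ssh_home() {
    home=$1
    rc=0
    no_group_other_write "$home" || rc=1
    no_group_other_write "$home/.ssh" || rc=1
    if [ -f "$home/.ssh/authorized_keys" ]; then
        no_group_other_write "$home/.ssh/authorized_keys" || rc=1
    fi
    for key in id_rsa id_dsa identity; do
        if [ -f "$home/.ssh/$key" ]; then
            owner_only "$home/.ssh/$key" || rc=1
        fi
    done
    return $rc
}

# Demonstration on a constructed home directory.
demo_home=$(mktemp -d)
mkdir "$demo_home/.ssh"
: > "$demo_home/.ssh/authorized_keys"
chmod 775 "$demo_home/.ssh"
chmod 644 "$demo_home/.ssh/authorized_keys"
check_ssh_home "$demo_home" || echo "fix with: chmod 755 $demo_home/.ssh"
rm -rf "$demo_home"
```

For a real account run check_ssh_home "$HOME" (or the user's home directory as root); when key authentication fails silently on the server side, this is the first thing to look at, together with the "Authentication refused: bad ownership or modes" lines that sshd writes to the system log.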
~]$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/john/.ssh/id_rsa):
~/.ssh/id_rsa) for the newly created key.
Your identification has been saved in /home/john/.ssh/id_rsa.
Your public key has been saved in /home/john/.ssh/id_rsa.pub.
The key fingerprint is:
e7:97:c7:e2:0e:f9:0e:fc:c4:d7:cb:e5:31:11:92:14 john@penguin.example.com
The key's randomart image is:
+--[ RSA 2048]----+
| E. |
| . . |
| o . |
| . .|
| S . . |
| + o o ..|
| * * +oo|
| O +..=|
| o* o.|
+-----------------+
~/.ssh/ directory:
~]$ chmod 755 ~/.ssh
~/.ssh/id_rsa.pub into the ~/.ssh/authorized_keys on the machine to which you want to connect, appending it to its end if the file already exists.
~/.ssh/authorized_keys file using the following command:
~]$ chmod 644 ~/.ssh/authorized_keys
~]$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/john/.ssh/id_dsa):
~/.ssh/id_dsa) for the newly created key.
Your identification has been saved in /home/john/.ssh/id_dsa.
Your public key has been saved in /home/john/.ssh/id_dsa.pub.
The key fingerprint is:
81:a1:91:a8:9f:e8:c5:66:0d:54:f5:90:cc:bc:cc:27 john@penguin.example.com
The key's randomart image is:
+--[ DSA 1024]----+
| .oo*o. |
| ...o Bo |
| .. . + o. |
|. . E o |
| o..o S |
|. o= . |
|. + |
| . |
| |
+-----------------+
~/.ssh/ directory:
~]$ chmod 775 ~/.ssh
~/.ssh/id_dsa.pub into the ~/.ssh/authorized_keys on the machine to which you want to connect, appending it to its end if the file already exists.
~/.ssh/authorized_keys file using the following command:
~]$ chmod 644 ~/.ssh/authorized_keys
~]$ ssh-keygen -t rsa1
Generating public/private rsa1 key pair.
Enter file in which to save the key (/home/john/.ssh/identity):
~/.ssh/identity) for the newly created key.
Your identification has been saved in /home/john/.ssh/identity.
Your public key has been saved in /home/john/.ssh/identity.pub.
The key fingerprint is:
cb:f6:d5:cb:6e:5f:2b:28:ac:17:0c:e4:62:e4:6f:59 john@penguin.example.com
The key's randomart image is:
+--[RSA1 2048]----+
| |
| . . |
| o o |
| + o E |
| . o S |
| = + . |
| . = . o . .|
| . = o o..o|
| .o o o=o.|
+-----------------+
~/.ssh/ directory:
~]$ chmod 755 ~/.ssh
~/.ssh/identity.pub into the ~/.ssh/authorized_keys on the machine to which you want to connect, appending it to its end if the file already exists.
~/.ssh/authorized_keys file using the following command:
~]$ chmod 644 ~/.ssh/authorized_keys
ssh-agent authentication agent. To save your passphrase for a certain shell prompt, use the following command:
~]$ ssh-add
Enter passphrase for /home/john/.ssh/id_rsa:
ssh allows you to log in to a remote machine and execute commands there. It is a secure replacement for the rlogin, rsh, and telnet programs.
telnet, to log in to a remote machine named penguin.example.com, type the following command at a shell prompt:
~]$ ssh penguin.example.com
ssh username@hostname form. For example, to log in as john, type:
~]$ ssh john@penguin.example.com
The authenticity of host 'penguin.example.com' can't be established.
RSA key fingerprint is 94:68:3a:3a:bc:f3:9a:9b:01:5d:b3:07:38:e2:11:0c.
Are you sure you want to continue connecting (yes/no)?
yes to confirm. You will see a notice that the server has been added to the list of known hosts, and a prompt asking for your password:
Warning: Permanently added 'penguin.example.com' (RSA) to the list of known hosts. john@penguin.example.com's password:
~/.ssh/known_hosts file. To do so, open the file in a text editor, and remove a line containing the remote machine name at the beginning. Before doing this, however, contact the system administrator of the SSH server to verify the server is not compromised.
ssh program can be used to execute a command on the remote machine without logging in to a shell prompt. The syntax for that is ssh [username@]hostname command. For example, if you want to execute the whoami command on penguin.example.com, type:
~]$ ssh john@penguin.example.com whoami
john@penguin.example.com's password:
john
scp Utility
scp can be used to transfer files between machines over a secure, encrypted connection. In its design, it is very similar to rcp.
scp localfile username@hostname:remotefile
taglist.vim to a remote machine named penguin.example.com, type the following at a shell prompt:
~]$ scp taglist.vim john@penguin.example.com:.vim/plugin/taglist.vim
john@penguin.example.com's password:
taglist.vim 100% 144KB 144.5KB/s 00:00
.vim/plugin/ to the same directory on the remote machine penguin.example.com, type the following command:
~]$ scp .vim/plugin/* john@penguin.example.com:.vim/plugin/
john@penguin.example.com's password:
closetag.vim 100% 13KB 12.6KB/s 00:00
snippetsEmu.vim 100% 33KB 33.1KB/s 00:00
taglist.vim 100% 144KB 144.5KB/s 00:00
scp username@hostname:remotefile localfile
.vimrc configuration file from the remote machine, type:
~]$ scp john@penguin.example.com:.vimrc .vimrc
john@penguin.example.com's password:
.vimrc 100% 2233 2.2KB/s 00:00
sftp Utility
sftp utility can be used to open a secure, interactive FTP session. In its design, it is similar to ftp except that it uses a secure, encrypted connection.
sftp username@hostname
penguin.example.com with john as a username, type:
~]$ sftp john@penguin.example.com
john@penguin.example.com's password:
Connected to penguin.example.com.
sftp>
sftp utility accepts a set of commands similar to those used by ftp (see Table 9.3, “A selection of available sftp commands”).
| Command | Description |
|---|---|
| ls [directory] | List the content of a remote directory. If none is supplied, the current working directory is used by default. |
| cd directory | Change the remote working directory to directory. |
| mkdir directory | Create a remote directory. |
| rmdir path | Remove a remote directory. |
| put localfile [remotefile] | Transfer localfile to a remote machine. |
| get remotefile [localfile] | Transfer remotefile from a remote machine. |
sftp man page.
ssh -Y username@hostname
penguin.example.com with john as a username, type:
~]$ ssh -Y john@penguin.example.com
john@penguin.example.com's password:
~]$ system-config-printer &
TCP/IP protocols via port forwarding. When using this technique, the SSH server becomes an encrypted conduit to the SSH client.
localhost, use a command in the following form:
ssh -L local-port:remote-hostname:remote-port username@hostname
mail.example.com using POP3 through an encrypted connection, use the following command:
~]$ ssh -L 1100:mail.example.com:110 mail.example.com
1100 on the localhost to check for new email. Any requests sent to port 1100 on the client system will be directed securely to the mail.example.com server.
mail.example.com is not running an SSH server, but another machine on the same network is, SSH can still be used to secure part of the connection. However, a slightly different command is necessary:
~]$ ssh -L 1100:mail.example.com:110 other.example.com
1100 on the client machine are forwarded through the SSH connection on port 22 to the SSH server, other.example.com. Then, other.example.com connects to port 110 on mail.example.com to check for new email. Note that when using this technique, only the connection between the client system and other.example.com SSH server is secure.
No parameter for the AllowTcpForwarding line in /etc/ssh/sshd_config and restarting the sshd service.
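A check for the two sshd_config hardening settings used in this chapter, PasswordAuthentication no and AllowTcpForwarding no, as an added shell example that is not part of the guide. sshd uses the first value it finds for a keyword, so a "no" line appended below an earlier "yes" changes nothing; sshd_effective reproduces that rule (including the Keyword=value spelling) and skips lines inside Match blocks, which apply only conditionally. The configuration texts in the demonstration are constructed samples.

```shell
#!/bin/sh
# Added example, not from the Fedora guide. Config texts are constructed.

# Print the effective (first) value of keyword $1 from the sshd_config on
# stdin. Keywords are case-insensitive; "Key value" and "Key=value" both work.
sshd_effective() {
    awk -v key="$1" '
        BEGIN { key = tolower(key) }
        /^[ \t]*(#|$)/ { next }                   # comments and blank lines
        { if ($1 ~ /=/) sub(/=/, " "); else if ($2 == "=") $2 = "" }
        tolower($1) == "match" { in_match = 1 }   # conditional block begins
        in_match { next }
        tolower($1) == key && !found {
            found = 1
            $1 = ""; sub(/^[ \t]+/, ""); print
        }
    '
}

# Returns 0 when both settings are effectively "no"; prints what is wrong.
# sshd's own default for both keywords is "yes", so a missing line fails too.
sshd_check_hardening() {
    rc=0
    for kw in PasswordAuthentication AllowTcpForwarding; do
        val=$(sshd_effective "$kw" < "$1")
        case "$(printf '%s' "$val" | tr 'A-Z' 'a-z')" in
            no) ;;
            *) echo "$kw is '${val:-yes (default)}', expected no"; rc=1 ;;
        esac
    done
    return $rc
}

# Demonstration: the appended "no" is ignored because a "yes" comes first.
demo_conf=$(mktemp)
printf 'PasswordAuthentication yes\nAllowTcpForwarding no\nPasswordAuthentication no\n' > "$demo_conf"
sshd_check_hardening "$demo_conf" || echo "(first value wins; move the no line above the yes line)"
rm -f "$demo_conf"
```

On the server itself, sshd -T prints the fully resolved configuration and is the authoritative check; the function above is useful when reviewing a file offline, for instance a copy pulled for audit or a template before deployment.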
man ssh
man scp
man sftp
man sshd
man ssh-keygen
man ssh_config
man sshd_config
dhcp package contains an ISC DHCP server. First, install the package as root:
yum install dhcp
dhcp package creates a file, /etc/dhcp/dhcpd.conf, which is merely an empty configuration file:
#
# DHCP Server Configuration file.
#   see /usr/share/doc/dhcp*/dhcpd.conf.sample
#   see dhcpd.conf(5) man page
#
/usr/share/doc/dhcp-version/dhcpd.conf.sample. You should use this file to help you configure /etc/dhcp/dhcpd.conf, which is explained in detail below.
/var/lib/dhcpd/dhcpd.leases to store the client lease database. Refer to Section 10.2.2, “Lease Database” for more information.
root:
systemctl restart dhcpd.service
omshell command provides an interactive way to connect to, query, and change the configuration of a DHCP server. By using omshell, all changes can be made while the server is running. For more information on omshell, refer to the omshell man page.
routers, subnet-mask, domain-search, domain-name-servers, and time-offset options are used for any host statements declared below it.
subnet can be declared, a subnet declaration must be included for every subnet in the network. If it is not, the DHCP server fails to start.
range declared. Clients are assigned an IP address within the range.
subnet 192.168.1.0 netmask 255.255.255.0 {
option routers 192.168.1.254;
option subnet-mask 255.255.255.0;
option domain-search "example.com";
option domain-name-servers 192.168.1.1;
option time-offset -18000; # Eastern Standard Time
range 192.168.1.10 192.168.1.100;
}
range 192.168.1.10 and 192.168.1.100 to client systems.
default-lease-time 600;
max-lease-time 7200;
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.1.255;
option routers 192.168.1.254;
option domain-name-servers 192.168.1.1, 192.168.1.2;
option domain-search "example.com";
subnet 192.168.1.0 netmask 255.255.255.0 {
range 192.168.1.10 192.168.1.100;
}
hardware ethernet parameter within a host declaration. As demonstrated in Example 10.3, “Static IP address using DHCP”, the host apex declaration specifies that the network interface card with the MAC address 00:A0:78:8E:9E:AA always receives the IP address 192.168.1.4.
host-name can also be used to assign a host name to the client.
host apex {
option host-name "apex.example.com";
hardware ethernet 00:A0:78:8E:9E:AA;
fixed-address 192.168.1.4;
}
shared-network declaration as shown in Example 10.4, “Shared-network declaration”. Parameters within the shared-network, but outside the enclosed subnet declarations, are considered to be global parameters. The name of the shared-network must be a descriptive title for the network, such as using the title 'test-lab' to describe all the subnets in a test lab environment.
group declaration is used to apply global parameters to a group of declarations. For example, shared networks, subnets, and hosts can be grouped.
group {
option routers 192.168.1.254;
option subnet-mask 255.255.255.0;
option domain-search "example.com";
option domain-name-servers 192.168.1.1;
option time-offset -18000; # Eastern Standard Time
host apex {
option host-name "apex.example.com";
hardware ethernet 00:A0:78:8E:9E:AA;
fixed-address 192.168.1.4;
}
host raleigh {
option host-name "raleigh.example.com";
hardware ethernet 00:A1:DD:74:C3:F2;
fixed-address 192.168.1.6;
}
}
cp /usr/share/doc/dhcp-version-number/dhcpd.conf.sample /etc/dhcp/dhcpd.conf
version-number is the DHCP version number.
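A sanity check on the subnet and range declarations shown in the examples above, as an added shell example that is not part of the guide: it extracts every range statement together with the subnet declaration it sits in and verifies, with plain integer arithmetic on the addresses, that both ends of the range lie inside that subnet and are in order. A range outside its subnet is a common reason for a server that starts cleanly but never hands out leases. Only the "subnet ... netmask ... { range A B; }" layout used in this chapter is parsed, and the configuration texts in the demonstration are constructed.

```shell
#!/bin/sh
# Added example, not from the Fedora guide. Parses only the subnet/range
# layout used in this chapter; demo config text is constructed.

# Dotted-quad IPv4 address to an integer.
ip2int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Emit "network netmask start end" for each range statement on stdin,
# attributing it to the most recent subnet declaration seen.
dhcpd_ranges() {
    awk '
        $1 == "subnet" && $3 == "netmask" { net = $2; mask = $4; sub(/[;{]*$/, "", mask) }
        $1 == "range" {
            if ($2 == "dynamic-bootp") { s = $3; e = $4 } else { s = $2; e = $3 }
            sub(/;$/, "", s); sub(/;$/, "", e)
            if (e == "") e = s        # single-address range
            print net, mask, s, e
        }'
}

# Returns 0 when every range fits its subnet; prints the first offender.
dhcpd_check_ranges() {
    dhcpd_ranges < "$1" | while read -r net mask start end; do
        n=$(ip2int "$net"); m=$(ip2int "$mask")
        s=$(ip2int "$start"); e=$(ip2int "$end")
        if [ $(( s & m )) -ne $(( n & m )) ] || [ $(( e & m )) -ne $(( n & m )) ]; then
            echo "range $start $end is outside subnet $net netmask $mask"
            exit 1
        fi
        if [ "$s" -gt "$e" ]; then
            echo "range $start $end: start is after end"
            exit 1
        fi
    done
}

# Demonstration: the subnet from Example 10.1 with a range typed for the
# wrong subnet.
demo_conf=$(mktemp)
printf 'subnet 192.168.1.0 netmask 255.255.255.0 {\n  option routers 192.168.1.254;\n  range 192.168.2.10 192.168.2.100;\n}\n' > "$demo_conf"
dhcpd_check_ranges "$demo_conf" || echo "(dhcpd would accept this file, but no client on 192.168.1.0 gets a lease)"
rm -f "$demo_conf"
```

Run dhcpd_check_ranges /etc/dhcp/dhcpd.conf after editing the file; it complements rather than replaces the daemon's own syntax check, since a range that merely lies in the wrong subnet is syntactically fine.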
dhcp-options man page.
/var/lib/dhcpd/dhcpd.leases stores the DHCP client lease database. Do not change this file. DHCP lease information for each recently assigned IP address is automatically stored in the lease database. The information includes the length of the lease, to whom the IP address has been assigned, the start and end dates for the lease, and the MAC address of the network interface card that was used to retrieve the lease.
dhcpd.leases file is renamed dhcpd.leases~ and the temporary lease database is written to dhcpd.leases.
dhcpd.leases file does not exist, but it is required to start the service. Do not create a new lease file. If you do, all old leases are lost which causes many problems. The correct solution is to rename the dhcpd.leases~ backup file to dhcpd.leases and then start the daemon.
dhcpd.leases file exists. Use the command touch /var/lib/dhcpd/dhcpd.leases to create the file if it does not exist.
named service automatically checks for a dhcpd.leases file.
systemctl start dhcpd.service
systemctl stop dhcpd.service
systemctl enable dhcpd.service
/etc/sysconfig/dhcpd, add the name of the interface to the list of DHCPDARGS:
# Command line options here
DHCPDARGS=eth0
/etc/sysconfig/dhcpd include:
-p portnum — Specifies the UDP port number on which dhcpd should listen. The default is port 67. The DHCP server transmits responses to the DHCP clients at a port number one greater than the UDP port specified. For example, if the default port 67 is used, the server listens on port 67 for requests and responses to the client on port 68. If a port is specified here and the DHCP relay agent is used, the same port on which the DHCP relay agent should listen must be specified. Refer to Section 10.2.4, “DHCP Relay Agent” for details.
-f — Runs the daemon as a foreground process. This is mostly used for debugging.
-d — Logs the DHCP server daemon to the standard error descriptor. This is mostly used for debugging. If this is not specified, the log is written to /var/log/messages.
-cf filename — Specifies the location of the configuration file. The default location is /etc/dhcp/dhcpd.conf.
-lf filename — Specifies the location of the lease database file. If a lease database file already exists, it is very important that the same file be used every time the DHCP server is started. It is strongly recommended that this option only be used for debugging purposes on non-production machines. The default location is /var/lib/dhcpd/dhcpd.leases.
-q — Do not print the entire copyright message when starting the daemon.
The DHCP Relay Agent (dhcrelay) allows for the relay of DHCP and BOOTP requests from a subnet with no DHCP server on it to one or more DHCP servers on other subnets.
The interfaces on which the relay agent listens can be specified in /etc/sysconfig/dhcrelay with the INTERFACES directive.
To start the relay agent, use:
systemctl start dhcrelay.service
To configure a DHCP client, edit the /etc/sysconfig/network file to enable networking and the configuration file for each network device in the /etc/sysconfig/network-scripts directory. In this directory, each device should have a configuration file named ifcfg-eth0, where eth0 is the network device name.
The /etc/sysconfig/network-scripts/ifcfg-eth0 file should contain the following lines:
DEVICE=eth0
BOOTPROTO=dhcp
ONBOOT=yes
DHCP_HOSTNAME — Only use this option if the DHCP server requires the client to specify a hostname before receiving an IP address. (The DHCP server daemon in Fedora does not support this feature.)
PEERDNS=answer , where answer is one of the following:
yes — Modify /etc/resolv.conf with information from the server. If using DHCP, then yes is the default.
no — Do not modify /etc/resolv.conf.
For more information on client-side configuration, refer to the dhclient and dhclient.conf man pages.
/etc/sysconfig/dhcpd and /etc/dhcp/dhcpd.conf files.
Edit the /etc/sysconfig/dhcpd file to specify which network interfaces the DHCP daemon listens on. The following /etc/sysconfig/dhcpd example specifies that the DHCP daemon listens on the eth0 and eth1 interfaces:
DHCPDARGS="eth0 eth1";
If a system has more interfaces -- for example eth0, eth1, and eth2 -- and it is only desired that the DHCP daemon listens on eth0, then only specify eth0 in /etc/sysconfig/dhcpd:
DHCPDARGS="eth0";
The following is a basic /etc/dhcp/dhcpd.conf file, for a server that has two network interfaces, eth0 in a 10.0.0.0/24 network, and eth1 in a 172.16.0.0/24 network. Multiple subnet declarations allow different settings to be defined for multiple networks:
default-lease-time 600;
max-lease-time 7200;
subnet 10.0.0.0 netmask 255.255.255.0 {
option subnet-mask 255.255.255.0;
option routers 10.0.0.1;
range 10.0.0.5 10.0.0.15;
}
subnet 172.16.0.0 netmask 255.255.255.0 {
option subnet-mask 255.255.255.0;
option routers 172.16.0.1;
range 172.16.0.5 172.16.0.15;
}
subnet 10.0.0.0 netmask 255.255.255.0;
A subnet declaration is required for every network your DHCP server is serving. Multiple subnets require multiple subnet declarations. If the DHCP server does not have a network interface in a range of a subnet declaration, the DHCP server does not serve that network.
If there is only one subnet declaration, and no network interfaces are in the range of that subnet, the DHCP daemon fails to start, and an error such as the following is logged to /var/log/messages:
dhcpd: No subnet declaration for eth0 (0.0.0.0).
dhcpd: ** Ignoring requests on eth0. If this is not what
dhcpd: you want, please write a subnet declaration
dhcpd: in your dhcpd.conf file for the network segment
dhcpd: to which interface eth1 is attached. **
dhcpd:
dhcpd:
dhcpd: Not configured to listen on any interfaces!
option subnet-mask 255.255.255.0;
The option subnet-mask option defines a subnet mask, and overrides the netmask value in the subnet declaration. In simple cases, the subnet and netmask values are the same.
option routers 10.0.0.1;
The option routers option defines the default gateway for the subnet. This is required for systems to reach internal networks on a different subnet, as well as external networks.
range 10.0.0.5 10.0.0.15;
The range option specifies the pool of available IP addresses. Systems are assigned an address from the range of specified IP addresses.
For more information, refer to the dhcpd.conf(5) man page.
/etc/dhcp/dhcpd.conf, the DHCP daemon fails to start.
/etc/sysconfig/dhcpd and /etc/dhcp/dhcpd.conf files.
The following /etc/dhcp/dhcpd.conf example creates two subnets, and configures an IP address for the same system, depending on which network it connects to:
default-lease-time 600;
max-lease-time 7200;
subnet 10.0.0.0 netmask 255.255.255.0 {
option subnet-mask 255.255.255.0;
option routers 10.0.0.1;
range 10.0.0.5 10.0.0.15;
}
subnet 172.16.0.0 netmask 255.255.255.0 {
option subnet-mask 255.255.255.0;
option routers 172.16.0.1;
range 172.16.0.5 172.16.0.15;
}
host example0 {
hardware ethernet 00:1A:6B:6A:2E:0B;
fixed-address 10.0.0.20;
}
host example1 {
hardware ethernet 00:1A:6B:6A:2E:0B;
fixed-address 172.16.0.20;
}
host example0
The host declaration defines specific parameters for a single system, such as an IP address. To configure specific parameters for multiple hosts, use multiple host declarations.
The name of the host declaration is used only to distinguish host declarations, and as such, this name can be anything, as long as it is unique among the other host declarations. To configure the same system for multiple networks, use a different name for each host declaration, otherwise the DHCP daemon fails to start. Systems are identified by the hardware ethernet option, not the name in the host declaration.
hardware ethernet 00:1A:6B:6A:2E:0B;
The hardware ethernet option identifies the system. To find this address, run the ip link command.
fixed-address 10.0.0.20;
The fixed-address option assigns a valid IP address to the system specified by the hardware ethernet option. This address must be outside the IP address pool specified with the range option.
If option statements do not end with a semicolon, the DHCP daemon fails to start, and an error such as the following is logged to /var/log/messages:
/etc/dhcp/dhcpd.conf line 20: semicolon expected.
dhcpd: }
dhcpd: ^
dhcpd: /etc/dhcp/dhcpd.conf line 38: unexpected end of file
dhcpd:
dhcpd: ^
dhcpd: Configuration file errors encountered -- exiting
The following host declarations configure a single system, that has multiple network interfaces, so that each interface receives the same IP address. This configuration will not work if both network interfaces are connected to the same network at the same time:
host interface0 {
hardware ethernet 00:1a:6b:6a:2e:0b;
fixed-address 10.0.0.18;
}
host interface1 {
hardware ethernet 00:1A:6B:6A:27:3A;
fixed-address 10.0.0.18;
}
interface0 is the first network interface, and interface1 is the second interface. The different hardware ethernet options identify each interface.
To configure the same host for multiple networks, add multiple host declarations, remembering to:
Assign a valid fixed-address for the network the host is connecting to.
Make the name of the host declaration unique.
If the name of a host declaration is not unique, the DHCP daemon fails to start, and an error such as the following is logged to /var/log/messages:
dhcpd: /etc/dhcp/dhcpd.conf line 31: host interface0: already exists
dhcpd: }
dhcpd: ^
dhcpd: Configuration file errors encountered -- exiting
This error is caused by multiple host interface0 declarations defined in /etc/dhcp/dhcpd.conf.
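The three failure modes described in this section (a host declaration name that is not unique, a fixed-address that falls inside a range, and a statement missing its semicolon) can be caught before dhcpd is restarted. The following Python script is an added example, not part of the Fedora guide or of ISC DHCP: it parses a constructed, deliberately faulty dhcpd.conf fragment in a simplified grammar (one statement per line, braces on their own lines; the real grammar is much larger) and reports each problem. The check that a fixed-address lies inside some declared subnet is an extra check beyond what the text states.

```python
import ipaddress

# Constructed sample /etc/dhcp/dhcpd.conf fragment (not from the page). It contains
# three deliberate mistakes: a fixed-address inside a range, a duplicate host name,
# and a missing semicolon. Assumption: one statement per line, braces on their own lines.
SAMPLE_DHCPD_CONF = """\
default-lease-time 600;
max-lease-time 7200;
subnet 10.0.0.0 netmask 255.255.255.0 {
    option subnet-mask 255.255.255.0;
    option routers 10.0.0.1;
    range 10.0.0.5 10.0.0.15;
}
subnet 172.16.0.0 netmask 255.255.255.0 {
    option subnet-mask 255.255.255.0;
    option routers 172.16.0.1;
    range 172.16.0.5 172.16.0.15;
}
host example0 {
    hardware ethernet 00:1A:6B:6A:2E:0B;
    fixed-address 10.0.0.20;
}
host example1 {
    hardware ethernet 00:1A:6B:6A:2E:0B;
    fixed-address 172.16.0.10;
}
host example1 {
    hardware ethernet 00:1A:6B:6A:27:3A;
    fixed-address 192.168.5.7
}
"""


def parse_dhcpd_conf(text):
    """Parse the simplified subset into subnets, ranges and host declarations.

    Returns (subnets, ranges, hosts, errors); errors lists statements that do not
    end with a semicolon, the mistake the sample log message above complains about.
    """
    subnets, ranges, hosts, errors = [], [], [], []
    current = None  # host dict being filled while inside a host { ... } block
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # dhcpd.conf uses '#' comments
        if not line:
            continue
        if line.endswith("{"):
            header = line[:-1].split()
            if header[0] == "subnet":  # subnet <addr> netmask <mask> {
                subnets.append(ipaddress.ip_network(f"{header[1]}/{header[3]}", strict=False))
            elif header[0] == "host":  # host <name> {
                current = {"name": header[1], "line": lineno, "fixed": None}
                hosts.append(current)
            continue
        if line == "}":
            current = None
            continue
        if not line.endswith(";"):
            errors.append(f"line {lineno}: semicolon expected")
            continue
        words = line[:-1].split()
        if words[0] == "range" and len(words) == 3:
            ranges.append((ipaddress.ip_address(words[1]), ipaddress.ip_address(words[2])))
        elif words[0] == "fixed-address" and current is not None:
            current["fixed"] = ipaddress.ip_address(words[1])
    return subnets, ranges, hosts, errors


def lint_dhcpd_conf(text):
    """Apply the checks from the text: unique host names and fixed-address outside
    every range, plus (beyond the text) fixed-address inside a declared subnet.
    Returns a list of findings; an empty list means the fragment is clean."""
    subnets, ranges, hosts, errors = parse_dhcpd_conf(text)
    seen = set()
    for host in hosts:
        name, line, addr = host["name"], host["line"], host["fixed"]
        if name in seen:
            errors.append(f"line {line}: host {name}: already exists")
        seen.add(name)
        if addr is None:
            continue
        for start, end in ranges:
            if start <= addr <= end:
                errors.append(f"line {line}: host {name}: fixed-address {addr} lies inside range {start}-{end}")
        if not any(addr in net for net in subnets):
            errors.append(f"line {line}: host {name}: fixed-address {addr} is not inside any declared subnet")
    return errors


if __name__ == "__main__":
    for finding in lint_dhcpd_conf(SAMPLE_DHCPD_CONF):
        print(finding)
```

Run on the constructed fragment, the script reports the missing semicolon on line 23, the fixed-address 172.16.0.10 that collides with the 172.16.0.5 to 172.16.0.15 pool, and the second host example1 declaration. The real dhcpd would refuse the first and third at startup; the second is accepted by dhcpd but leads to address conflicts, which is why the text says the fixed address must be outside the pool.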
The DHCPv6 server reads its configuration from /etc/dhcp/dhcpd6.conf.
A sample configuration file is provided in /usr/share/doc/dhcp-version/dhcpd6.conf.sample.
To start the DHCPv6 server, use:
systemctl start dhcpd6.service
A simple DHCPv6 subnet declaration looks like this:
subnet6 2001:db8:0:1::/64 {
range6 2001:db8:0:1::129 2001:db8:0:1::254;
option dhcp6.name-servers fec0:0:0:1::1;
option dhcp6.domain-search "domain.example";
}
dhcpd man page — Describes how the DHCP daemon works.
dhcpd.conf man page — Explains how to configure the DHCP configuration file; includes some examples.
dhcpd.leases man page — Describes a persistent database of leases.
dhcp-options man page — Explains the syntax for declaring DHCP options in dhcpd.conf; includes some examples.
dhcrelay man page — Explains the DHCP Relay Agent and its configuration options.
/usr/share/doc/dhcp-version/ — Contains sample files, README files, and release notes for current versions of the DHCP service.
DNS (Domain Name System), also known as a nameserver, is a network system that associates hostnames with their respective IP addresses. For users, this has the advantage that they can refer to machines on the network by names that are usually easier to remember than the numerical network addresses. For system administrators, using the nameserver allows them to change the IP address for a host without ever affecting the name-based queries, or to decide which machines handle these queries.
bob.sales.example.com
A fully qualified domain name consists of sections separated by a period (that is, the . character). In the example above, com defines the top-level domain, example its subdomain, and sales the subdomain of example. In this case, bob identifies a resource record that is part of the sales.example.com domain. With the exception of the part furthest to the left (that is, bob), each of these sections is called a zone and defines a specific namespace.
BIND consists of a nameserver called named, an administration utility called rndc, and a debugging tool called dig. Refer to Chapter 7, Services and Daemons for more information on how to configure services in Fedora.
This section covers BIND (Berkeley Internet Name Domain), the DNS server included in Fedora. It focuses on the structure of its configuration files, and describes how to administer it both locally and remotely.
When the named service is started, it reads the configuration from the files as described in Table 11.1, “The named service configuration files”.
| Path | Description |
|---|---|
| /etc/named.conf | The main configuration file. |
| /etc/named/ | An auxiliary directory for configuration files that are included in the main configuration file. |
The configuration file consists of a collection of statements with nested options surrounded by opening and closing curly brackets ({ and }). Note that when editing the file, you have to be careful not to make any syntax error, otherwise the named service will not start. A typical /etc/named.conf file is organized as follows:
statement-1 ["statement-1-name"] [statement-1-class] {
option-1;
option-2;
option-N;
};
statement-2 ["statement-2-name"] [statement-2-class] {
option-1;
option-2;
option-N;
};
statement-N ["statement-N-name"] [statement-N-class] {
option-1;
option-2;
option-N;
};
If the BIND service runs in the /var/named/chroot environment, the initialization script will mount the above configuration files using the mount --bind command, so that you can manage the configuration outside this environment.
The following types of statements are commonly used in /etc/named.conf:
acl
The acl (Access Control List) statement allows you to define groups of hosts, so that they can be permitted or denied access to the nameserver. It takes the following form:
acl acl-name {
match-element;
...
};
The acl-name statement name is the name of the access control list, and the match-element option is usually an individual IP address (such as 10.0.1.1) or a CIDR network notation (for example, 10.0.1.0/24). For a list of already defined keywords, see Table 11.2, “Predefined access control lists”.
| Keyword | Description |
|---|---|
| any | Matches every IP address. |
| localhost | Matches any IP address that is in use by the local system. |
| localnets | Matches any IP address on any network to which the local system is connected. |
| none | Does not match any IP address. |
The acl statement can be especially useful in conjunction with other statements such as options. Example 11.1, “Using acl in conjunction with options” defines two access control lists, black-hats and red-hats, and puts black-hats on the blacklist while granting red-hats normal access.
acl black-hats {
10.0.2.0/24;
192.168.0.0/24;
1234:5678::9abc/24;
};
acl red-hats {
10.0.1.0/24;
};
options {
blackhole { black-hats; };
allow-query { red-hats; };
allow-query-cache { red-hats; };
};
include
The include statement allows you to include files in the /etc/named.conf, so that potentially sensitive data can be placed in a separate file with restricted permissions. It takes the following form:
include "file-name"
The file-name statement name is an absolute path to a file.
include "/etc/named.rfc1912.zones";
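To see how the acl and options statements of Example 11.1 combine for a given client, here is an added Python model; it is not code from the Fedora guide or from BIND. It is a deliberate simplification and everything in it is an assumption: the ACLs and options are written as Python data rather than parsed from named.conf, the predefined localhost list is modelled as the loopback addresses only, localnets is not modelled, and blackhole is evaluated before the allow-* options. It classifies a client address as dropped (blackhole), refused (not in allow-query), allowed for authoritative data only, or allowed for recursion as well (allow-query-cache).

```python
import ipaddress

# Constructed ACL definitions mirroring Example 11.1 (assumption: a tiny subset of
# named.conf semantics expressed as Python data, not parsed from the real file).
ACLS = {
    "black-hats": ["10.0.2.0/24", "192.168.0.0/24", "1234:5678::9abc/24"],
    "red-hats": ["10.0.1.0/24"],
}
# The options statement from Example 11.1.
OPTIONS = {
    "blackhole": ["black-hats"],
    "allow-query": ["red-hats"],
    "allow-query-cache": ["red-hats"],
}


def _elements(element, acls):
    """Expand an ACL name, a predefined keyword, or a single address/prefix into
    a list of ip_network objects. Assumption: 'localhost' means loopback only and
    'localnets' is not modelled (named derives it from the host's interfaces)."""
    if element == "any":
        return [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]
    if element == "none":
        return []
    if element == "localhost":
        return [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128")]
    if element in acls:
        nets = []
        for inner in acls[element]:  # ACLs may reference other ACLs
            nets.extend(_elements(inner, acls))
        return nets
    # A bare address or CIDR prefix; strict=False tolerates host bits such as
    # the 1234:5678::9abc/24 entry in the example.
    return [ipaddress.ip_network(element, strict=False)]


def matches(client, address_match_list, acls=ACLS):
    """True if the client address matches any element of the address match list."""
    client = ipaddress.ip_address(client)
    for element in address_match_list:
        for net in _elements(element, acls):
            if client.version == net.version and client in net:
                return True
    return False


def classify_client(client, options=OPTIONS, acls=ACLS):
    """Return what the modelled server does with a query from this client:
    'blackhole' (ignored), 'refused' (fails allow-query), 'authoritative-only'
    (allowed, but no recursion), or 'full' (allow-query-cache also matches).
    Defaults follow the text: allow-query is any, allow-query-cache is localhost
    (localnets omitted here), blackhole is none."""
    if matches(client, options.get("blackhole", []), acls):
        return "blackhole"
    if not matches(client, options.get("allow-query", ["any"]), acls):
        return "refused"
    if matches(client, options.get("allow-query-cache", ["localhost"]), acls):
        return "full"
    return "authoritative-only"


if __name__ == "__main__":
    for addr in ("10.0.2.7", "10.0.1.25", "10.0.3.1", "127.0.0.1", "1234:5678::1"):
        print(f"{addr:>14}  {classify_client(addr)}")
```

Note that with the example's allow-query { red-hats; }, even 127.0.0.1 is refused: allow-query replaces the default rather than extending it, which is why the options example later in this section lists localhost explicitly.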
options
The options statement allows you to define global server configuration options as well as to set defaults for other statements. It can be used to specify the location of the named working directory, the types of queries allowed, and much more. It takes the following form:
options {
option;
...
};
For a list of commonly used option directives, see Table 11.3, “Commonly used options” below.
| Option | Description |
|---|---|
| allow-query | Specifies which hosts are allowed to query the nameserver for authoritative resource records. It accepts an access control list, a collection of IP addresses, or networks in the CIDR notation. All hosts are allowed by default. |
| allow-query-cache | Specifies which hosts are allowed to query the nameserver for non-authoritative data such as recursive queries. Only localhost and localnets are allowed by default. |
| blackhole | Specifies which hosts are not allowed to query the nameserver. This option should be used when a particular host or network floods the server with requests. The default option is none. |
| directory | Specifies a working directory for the named service. The default option is /var/named/. |
| dnssec-enable | Specifies whether to return DNSSEC related resource records. The default option is yes. |
| dnssec-validation | Specifies whether to prove that resource records are authentic via DNSSEC. The default option is yes. |
| forwarders | Specifies a list of valid IP addresses for nameservers to which the requests should be forwarded for resolution. |
| forward | Specifies the behavior of the forwarders directive. It accepts the following options: |
| listen-on | Specifies the IPv4 network interface on which to listen for queries. On a DNS server that also acts as a gateway, you can use this option to answer queries originating from a single network only. All IPv4 interfaces are used by default. |
| listen-on-v6 | Specifies the IPv6 network interface on which to listen for queries. On a DNS server that also acts as a gateway, you can use this option to answer queries originating from a single network only. All IPv6 interfaces are used by default. |
| max-cache-size | Specifies the maximum amount of memory to be used for server caches. When the limit is reached, the server causes records to expire prematurely so that the limit is not exceeded. In a server with multiple views, the limit applies separately to the cache of each view. The default option is 32M. |
| notify | Specifies whether to notify the secondary nameservers when a zone is updated. It accepts the following options: |
| pid-file | Specifies the location of the process ID file created by the named service. |
| recursion | Specifies whether to act as a recursive server. The default option is yes. |
| statistics-file | Specifies an alternate location for statistics files. The /var/named/named.stats file is used by default. |
Use the allow-query-cache option to restrict recursive DNS services to a particular subset of clients only.
Refer to the named.conf manual page for a complete list of available options.
options {
allow-query { localhost; };
listen-on port 53 { 127.0.0.1; };
listen-on-v6 port 53 { ::1; };
max-cache-size 256M;
directory "/var/named";
statistics-file "/var/named/data/named_stats.txt";
recursion yes;
dnssec-enable yes;
dnssec-validation yes;
};
zone
The zone statement allows you to define the characteristics of a zone, such as the location of its configuration file and zone-specific options, and can be used to override the global options statements. It takes the following form:
zone zone-name [zone-class] {
option;
...
};
The zone-name attribute is the name of the zone, zone-class is the optional class of the zone, and option is a zone statement option as described in Table 11.4, “Commonly used options”.
The zone-name attribute is particularly important, as it is the default value assigned for the $ORIGIN directive used within the corresponding zone file located in the /var/named/ directory. The named daemon appends the name of the zone to any non-fully qualified domain name listed in the zone file. For example, if a zone statement defines the namespace for example.com, use example.com as the zone-name so that it is placed at the end of hostnames within the example.com zone file.
| Option | Description |
|---|---|
| allow-query | Specifies which clients are allowed to request information about this zone. This option overrides the global allow-query option. All query requests are allowed by default. |
| allow-transfer | Specifies which secondary servers are allowed to request a transfer of the zone's information. All transfer requests are allowed by default. |
| allow-update | Specifies which hosts are allowed to dynamically update information in their zone. The default option is to deny all dynamic update requests. Note that you should be careful when allowing hosts to update information about their zone. Do not set IP addresses in this option unless the server is in the trusted network. Instead, use a TSIG key as described in Section 11.2.5.3, “Transaction SIGnatures (TSIG)”. |
| file | Specifies the name of the file in the named working directory that contains the zone's configuration data. |
| masters | Specifies from which IP addresses to request authoritative zone information. This option is used only if the zone is defined as type slave. |
| notify | Specifies whether to notify the secondary nameservers when a zone is updated. It accepts the following options: |
| type | Specifies the zone type. It accepts the following options: |
/etc/named.conf file of a primary or secondary nameserver involve adding, modifying, or deleting zone statements, and only a small subset of zone statement options is usually needed for a nameserver to work efficiently.
In the following example, the zone is identified as example.com, the type is set to master, and the named service is instructed to read the /var/named/example.com.zone file. It also allows only a secondary nameserver (192.168.0.2) to transfer the zone.
zone "example.com" IN {
type master;
file "example.com.zone";
allow-transfer { 192.168.0.2; };
};
On a secondary nameserver, the zone statement is slightly different. The type is set to slave, and the masters directive is telling named the IP address of the master server.
In the following example, the named service is configured to query the primary server at the 192.168.0.1 IP address for information about the example.com zone. The received information is then saved to the /var/named/slaves/example.com.zone file. Note that you have to put all slave zones to the /var/named/slaves directory, otherwise the service will fail to transfer the zone.
zone "example.com" {
type slave;
file "slaves/example.com.zone";
masters { 192.168.0.1; };
};
The following statement types are less commonly used in /etc/named.conf:
controls
The controls statement allows you to configure various security requirements necessary to use the rndc command to administer the named service.
rndc utility and its usage.
key
The key statement allows you to define a particular key by name. Keys are used to authenticate various actions, such as secure updates or the use of the rndc command. Two options are used with key:
algorithm algorithm-name — The type of algorithm to be used (for example, hmac-md5).
secret "key-value" — The encrypted key.
rndc utility and its usage.
logging
The logging statement allows you to use multiple types of logs, so called channels. By using the channel option within the statement, you can construct a customized type of log with its own file name (file), size limit (size), versioning (version), and level of importance (severity). Once a customized channel is defined, a category option is used to categorize the channel and begin logging when the named service is restarted.
By default, named sends standard messages to the rsyslog daemon, which places them in /var/log/messages. Several standard channels are built into BIND with various severity levels, such as default_syslog (which handles informational logging messages) and default_debug (which specifically handles debugging messages). A default category, called default, uses the built-in channels to do normal logging without any special configuration.
server
The server statement allows you to specify options that affect how the named service should respond to remote nameservers, especially with regard to notifications and zone transfers.
The transfer-format option controls the number of resource records that are sent with each message. It can be either one-answer (only one resource record), or many-answers (multiple resource records). Note that while the many-answers option is more efficient, it is not supported by older versions of BIND.
trusted-keys
The trusted-keys statement allows you to specify assorted public keys used for secure DNS (DNSSEC). Refer to Section 11.2.5.4, “DNS Security Extensions (DNSSEC)” for more information on this topic.
view
The view statement allows you to create special views depending upon which network the host querying the nameserver is on. This allows some hosts to receive one answer regarding a zone while other hosts receive totally different information. Alternatively, certain zones may only be made available to particular trusted hosts while non-trusted hosts can only make queries for other zones.
The match-clients option allows you to specify the IP addresses that apply to a particular view. If the options statement is used within a view, it overrides the already configured global options. Finally, most view statements contain multiple zone statements that apply to the match-clients list.
The order in which the view statements are listed is important, as the first statement that matches a particular client's IP address is used. For more information on this topic, refer to Section 11.2.5.1, “Multiple Views”.
The /etc/named.conf file can also contain comments. Comments are ignored by the named service, but can prove useful when providing additional information to a user. The following are valid comment tags:
//
Any text after the // characters to the end of the line is considered a comment. For example:
notify yes; // notify all secondary nameservers
#
Any text after the # character to the end of the line is considered a comment. For example:
notify yes; # notify all secondary nameservers
/* and */
Any block of text enclosed in /* and */ is considered a comment. For example:
notify yes; /* notify all secondary nameservers */
Zone files are stored in the named working directory located in /var/named/ by default, and each zone file is named according to the file option in the zone statement, usually in a way that relates to the domain in question and identifies the file as containing zone data, such as example.com.zone.
| Path | Description |
|---|---|
| /var/named/ | The working directory for the named service. The nameserver is not allowed to write to this directory. |
| /var/named/slaves/ | The directory for secondary zones. This directory is writable by the named service. |
| /var/named/dynamic/ | The directory for other files, such as dynamic DNS (DDNS) zones or managed DNSSEC keys. This directory is writable by the named service. |
| /var/named/data/ | The directory for various statistics and debugging files. This directory is writable by the named service. |
Directives begin with the dollar sign character (that is, $) followed by the name of the directive, and usually appear at the top of the file. The following directives are commonly used in zone files:
$INCLUDE
The $INCLUDE directive allows you to include another file at the place where it appears, so that other zone settings can be stored in a separate zone file.
$INCLUDE /var/named/penguin.example.com
$ORIGIN
The $ORIGIN directive allows you to append the domain name to unqualified records, such as those with the hostname only. Note that the use of this directive is not necessary if the zone is specified in /etc/named.conf, since the zone name is used by default.
In the following example, any names that do not end in a trailing period (that is, the . character) are appended with example.com.
$ORIGIN example.com.
$TTL
The $TTL directive allows you to set the default Time to Live (TTL) value for the zone, that is, how long a zone record is valid. Each resource record can contain its own TTL value, which overrides this directive.
$TTL 1D
A
hostname IN A IP-address
If the hostname value is omitted, the record will point to the last specified hostname.
In the following example, requests for server1.example.com are pointed to 10.0.1.3 or 10.0.1.5.
server1 IN A 10.0.1.3
IN A 10.0.1.5
CNAME
alias-name IN CNAME real-name
CNAME records are most commonly used to point to services that use a common naming scheme, such as www for Web servers. However, there are multiple restrictions for their usage:
In the following example, the A record binds a hostname to an IP address, while the CNAME record points the commonly used www hostname to it.
server1 IN A 10.0.1.5
www IN CNAME server1
MX
IN MX preference-value email-server-name
The email-server-name is a fully qualified domain name (FQDN). The preference-value allows numerical ranking of the email servers for a namespace, giving preference to some email systems over others. The MX resource record with the lowest preference-value is preferred over the others. However, multiple email servers can possess the same value to distribute email traffic evenly among them.
In the following example, the mail.example.com email server is preferred to the mail2.example.com email server when receiving email destined for the example.com domain.
example.com. IN MX 10 mail.example.com.
IN MX 20 mail2.example.com.
NS
IN NS nameserver-name
The nameserver-name should be a fully qualified domain name (FQDN). Note that when two nameservers are listed as authoritative for the domain, it is not important whether these nameservers are secondary nameservers, or if one of them is a primary server. They are both still considered authoritative.
IN NS dns1.example.com.
IN NS dns2.example.com.
PTR
last-IP-digit IN PTR FQDN-of-system
The last-IP-digit directive is the last number in an IP address, and the FQDN-of-system is a fully qualified domain name (FQDN).
PTR records are primarily used for reverse name resolution, as they point IP addresses back to a particular name. Refer to Section 11.2.2.4.2, “A Reverse Name Resolution Zone File” for more examples of PTR records in use.
SOA
@ IN SOA primary-name-server hostmaster-email (
serial-number
time-to-refresh
time-to-retry
time-to-expire
minimum-TTL )
The @ symbol places the $ORIGIN directive (or the zone's name if the $ORIGIN directive is not set) as the namespace being defined by this SOA resource record.
The primary-name-server directive is the hostname of the primary nameserver that is authoritative for this domain.
The hostmaster-email directive is the email of the person to contact about the namespace.
The serial-number directive is a numerical value incremented every time the zone file is altered to indicate it is time for the named service to reload the zone.
The time-to-refresh directive is the numerical value secondary nameservers use to determine how long to wait before asking the primary nameserver if any changes have been made to the zone.
The time-to-retry directive is a numerical value used by secondary nameservers to determine the length of time to wait before issuing a refresh request in the event that the primary nameserver is not answering. If the primary server has not replied to a refresh request before the amount of time specified in the time-to-expire directive elapses, the secondary servers stop responding as an authority for requests concerning that namespace.
The minimum-TTL directive is the amount of time other nameservers cache the zone's information. In BIND 9, it defines how long negative answers are cached for. Caching of negative answers can be set to a maximum of 3 hours (that is, 3H).
Time values can be given in seconds or in minutes (M), hours (H), days (D), and weeks (W). Table 11.6, “Seconds compared to other time units” shows an amount of time in seconds and the equivalent time in another format.
| Seconds | Other Time Units |
|---|---|
| 60 | 1M |
| 1800 | 30M |
| 3600 | 1H |
| 10800 | 3H |
| 21600 | 6H |
| 43200 | 12H |
| 86400 | 1D |
| 259200 | 3D |
| 604800 | 1W |
| 31536000 | 365D |
@ IN SOA dns1.example.com. hostmaster.example.com. (
2001062501 ; serial
21600 ; refresh after 6 hours
3600 ; retry after 1 hour
604800 ; expire after 1 week
86400 ) ; minimum TTL of 1 day
Comments are ignored by the named service, but can prove useful when providing additional information to the user. Any text after the semicolon character (that is, ;) to the end of the line is considered a comment. For example:
604800 ; expire after 1 week
SOA values.
$ORIGIN example.com.
$TTL 86400
@ IN SOA dns1.example.com. hostmaster.example.com. (
2001062501 ; serial
21600 ; refresh after 6 hours
3600 ; retry after 1 hour
604800 ; expire after 1 week
86400 ) ; minimum TTL of 1 day
;
;
IN NS dns1.example.com.
IN NS dns2.example.com.
dns1 IN A 10.0.1.1
IN AAAA aaaa:bbbb::1
dns2 IN A 10.0.1.2
IN AAAA aaaa:bbbb::2
;
;
@ IN MX 10 mail.example.com.
IN MX 20 mail2.example.com.
mail IN A 10.0.1.5
IN AAAA aaaa:bbbb::5
mail2 IN A 10.0.1.6
IN AAAA aaaa:bbbb::6
;
;
; This sample zone file illustrates sharing the same IP addresses
; for multiple services:
;
services IN A 10.0.1.10
IN AAAA aaaa:bbbb::10
IN A 10.0.1.11
IN AAAA aaaa:bbbb::11
ftp IN CNAME services.example.com.
www IN CNAME services.example.com.
;
;
In this example, the authoritative nameservers are set as dns1.example.com and dns2.example.com, and are tied to the 10.0.1.1 and 10.0.1.2 IP addresses respectively using the A record.
The MX records point to mail and mail2 via A records. Since these names do not end in a trailing period (that is, the . character), the $ORIGIN domain is placed after them, expanding them to mail.example.com and mail2.example.com.
Service names such as www.example.com (WWW) are pointed at the appropriate servers using the CNAME record.
To use this zone file, add a zone statement to /etc/named.conf similar to the following:
zone "example.com" IN {
type master;
file "example.com.zone";
allow-update { none; };
};
A reverse name resolution zone file looks very similar to a standard zone file, except that PTR resource records are used to link the IP addresses to a fully qualified domain name as shown in Example 11.15, “A reverse name resolution zone file”.
$ORIGIN 1.0.10.in-addr.arpa.
$TTL 86400
@ IN SOA dns1.example.com. hostmaster.example.com. (
2001062501 ; serial
21600 ; refresh after 6 hours
3600 ; retry after 1 hour
604800 ; expire after 1 week
86400 ) ; minimum TTL of 1 day
;
@ IN NS dns1.example.com.
;
1 IN PTR dns1.example.com.
2 IN PTR dns2.example.com.
;
5 IN PTR server1.example.com.
6 IN PTR server2.example.com.
;
3 IN PTR ftp.example.com.
4 IN PTR ftp.example.com.
In this example, IP addresses 10.0.1.1 through 10.0.1.6 are pointed to the corresponding fully qualified domain name.
To use this zone file, add a zone statement to the /etc/named.conf file similar to the following:
zone "1.0.10.in-addr.arpa" IN {
type master;
file "example.com.rr.zone";
allow-update { none; };
};
There is very little difference between this and a standard zone statement, except for the zone name. Note that a reverse name resolution zone requires the first three blocks of the IP address reversed followed by .in-addr.arpa. This allows the single block of IP numbers used in the reverse name resolution zone file to be associated with the zone.
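As an added example (not code from the Fedora guide or from BIND), the following Python script parses a constructed forward zone file using the conventions described above: the $ORIGIN and $TTL directives, the time-unit suffixes from the seconds table, the @ and blank-owner shorthand, a parenthesised multi-line SOA record, and the appending of $ORIGIN to names without a trailing period. It then derives the in-addr.arpa zone name and the PTR records that the matching reverse name resolution zone file needs. It handles only the record types mentioned in this chapter and assumes $ORIGIN is set before the first record; both the sample zone and the helper names are constructed for this example.

```python
import ipaddress

# Time-unit suffixes accepted in zone files (see the seconds table above);
# a bare number is already in seconds.
_UNITS = {"M": 60, "H": 3600, "D": 86400, "W": 604800}

# Constructed forward zone for example.com (not the guide's Example 11.14): it mixes
# unit suffixes, a per-record TTL, '@', blank owners and unqualified rdata names.
SAMPLE_FORWARD_ZONE = """\
$ORIGIN example.com.
$TTL 1D
@ IN SOA dns1.example.com. hostmaster.example.com. (
        2001062501 ; serial
        6H         ; refresh after 6 hours
        1H         ; retry after 1 hour
        1W         ; expire after 1 week
        1D )       ; minimum TTL of 1 day
  IN NS dns1.example.com.
  IN NS dns2.example.com.
dns1 IN A 10.0.1.1
dns2 IN A 10.0.1.2
@ IN MX 10 mail
mail 3600 IN A 10.0.1.5
www IN CNAME dns1
"""


def parse_ttl(value):
    """Convert a TTL such as '6H' or '86400' to seconds."""
    value = value.upper()
    if value[-1] in _UNITS:
        return int(value[:-1]) * _UNITS[value[-1]]
    return int(value)


def qualify(name, origin):
    """Append $ORIGIN to a name without a trailing period; '@' is the origin itself."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin=None):
    """Return a list of (owner, ttl, type, rdata) with names qualified and TTLs
    in seconds. Assumes $ORIGIN appears before the first record."""
    logical, buf = [], ""
    # First pass: strip ';' comments and join a parenthesised record (the SOA)
    # into one logical line.
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        buf = f"{buf} {line}" if buf else line
        if "(" in buf and ")" not in buf:
            continue
        logical.append(buf.replace("(", " ").replace(")", " "))
        buf = ""
    records, default_ttl, last_owner = [], None, None
    for line in logical:
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$TTL"):
            default_ttl = parse_ttl(line.split()[1])
            continue
        fields = line.split()
        if line[0] in " \t":  # blank owner: the record applies to the previous owner
            owner = last_owner
        else:
            owner = qualify(fields.pop(0), origin)
        last_owner = owner
        ttl = default_ttl
        if fields and fields[0][0].isdigit():  # optional per-record TTL overrides $TTL
            ttl = parse_ttl(fields.pop(0))
        if fields and fields[0] == "IN":
            fields.pop(0)
        rtype, rdata = fields[0], fields[1:]
        if rtype in ("NS", "CNAME", "PTR", "MX"):
            rdata[-1] = qualify(rdata[-1], origin)  # target name gets $ORIGIN too
        elif rtype == "SOA":  # mname rname serial refresh retry expire minimum
            rdata[:2] = [qualify(v, origin) for v in rdata[:2]]
            rdata[3:7] = [str(parse_ttl(v)) for v in rdata[3:7]]
        records.append((owner, ttl, rtype, rdata))
    return records


def reverse_zone_from_forward(records):
    """Group the A records by /24 and build the PTR records a reverse zone needs:
    the zone name is the first three octets reversed followed by .in-addr.arpa."""
    reverse = {}
    for owner, _ttl, rtype, rdata in records:
        if rtype != "A":
            continue
        o = str(ipaddress.ip_address(rdata[0])).split(".")
        zone = f"{o[2]}.{o[1]}.{o[0]}.in-addr.arpa."
        reverse.setdefault(zone, []).append((o[3], "PTR", owner))
    return reverse


if __name__ == "__main__":
    recs = parse_zone(SAMPLE_FORWARD_ZONE)
    for rec in recs:
        print(rec)
    for zone, ptrs in reverse_zone_from_forward(recs).items():
        print(zone, ptrs)
```

Running it shows the SOA timers normalised to 21600, 3600, 604800 and 86400 seconds, mail expanded to mail.example.com. in the MX record, and a single 1.0.10.in-addr.arpa. reverse zone with PTR records for 1, 2 and 5. Keeping the reverse zone generated from the forward zone in this way is one practical way to avoid the two drifting apart.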
The rndc utility is a command line tool that allows you to administer the named service, both locally and from a remote machine. Its usage is as follows:
rndc [option...] command [command-option]
To prevent unauthorized access to the service, named must be configured to listen on the selected port (that is, 953 by default), and an identical key must be used by both the service and the rndc utility.
The rndc configuration is located in /etc/rndc.conf. If the file does not exist, the utility will use the key located in /etc/rndc.key, which was generated automatically during the installation process using the rndc-confgen -a command.
The named service is configured using the controls statement in the /etc/named.conf configuration file as described in Section 11.2.1.2, “Other Statement Types”. Unless this statement is present, only the connections from the loopback address (that is, 127.0.0.1) will be allowed, and the key located in /etc/rndc.key will be used.
To prevent other users from reading the key, restrict the permissions of the /etc/rndc.key file:
~]# chmod o-rwx /etc/rndc.key
To check the current status of the named service, use the following command:
~]# rndc status
version: 9.7.0-P2-RedHat-9.7.0-5.P2.el6
CPUs found: 1
worker threads: 1
number of zones: 16
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running
To reload both the configuration file and zones, type the following at a shell prompt:
~]# rndc reload
server reload successful
To reload a single zone, specify its name after the reload command, for example:
~]# rndc reload localhost
zone reload up-to-date
To reload the configuration file only, without reloading zones, use the reconfig command:
~]# rndc reconfig
Before making changes to a zone that allows dynamic DNS updates (DDNS), use the freeze command first:
~]# rndc freeze localhost
Once the changes are made, use the thaw command to allow the DDNS again and reload the zone:
~]# rndc thaw localhost
The zone reload and thaw was successful.
To sign a zone with DNSSEC keys, use the sign command. For example:
~]# rndc sign localhost
Note that for this command to work, the auto-dnssec option has to be set to maintain in the zone statement. For instance:
zone "localhost" IN {
type master;
file "named.localhost";
allow-update { none; };
auto-dnssec maintain;
};~]# rndc validation on~]# rndc validation offoptions statement described in Section 11.2.1.1, “Common Statement Types” for information on how configure this option in /etc/named.conf.
~]# rndc querylogstatus command as described in Section 11.2.3.2, “Checking the Service Status”.
dig utility is a command line tool that allows you to perform DNS lookups and debug a nameserver configuration. Its typical usage is as follows:
dig[@server] [option...]nametype
types.
dignameNS
dig utility is used to display nameservers for example.com.
```
~]$ dig example.com NS

; <<>> DiG 9.7.1-P2-RedHat-9.7.1-2.P2.fc13 <<>> example.com NS
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57883
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;example.com.                   IN      NS

;; ANSWER SECTION:
example.com.            99374   IN      NS      a.iana-servers.net.
example.com.            99374   IN      NS      b.iana-servers.net.

;; Query time: 1 msec
;; SERVER: 10.34.255.7#53(10.34.255.7)
;; WHEN: Wed Aug 18 18:04:06 2010
;; MSG SIZE  rcvd: 77
```

To look up an IP address, use the following form:

```
dig name A
```
In the following example, the dig utility is used to display the IP address of example.com.

```
~]$ dig example.com A

; <<>> DiG 9.7.1-P2-RedHat-9.7.1-2.P2.fc13 <<>> example.com A
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4849
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;example.com.                   IN      A

;; ANSWER SECTION:
example.com.            155606  IN      A       192.0.32.10

;; AUTHORITY SECTION:
example.com.            99175   IN      NS      a.iana-servers.net.
example.com.            99175   IN      NS      b.iana-servers.net.

;; Query time: 1 msec
;; SERVER: 10.34.255.7#53(10.34.255.7)
;; WHEN: Wed Aug 18 18:07:25 2010
;; MSG SIZE  rcvd: 93
```

To look up a hostname for a given IP address (a reverse lookup), use the following form:

```
dig -x address
```
In the following example, the dig utility is used to display the hostname assigned to 192.0.32.10.

```
~]$ dig -x 192.0.32.10

; <<>> DiG 9.7.1-P2-RedHat-9.7.1-2.P2.fc13 <<>> -x 192.0.32.10
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29683
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 5, ADDITIONAL: 6

;; QUESTION SECTION:
;10.32.0.192.in-addr.arpa.      IN      PTR

;; ANSWER SECTION:
10.32.0.192.in-addr.arpa. 21600 IN      PTR     www.example.com.

;; AUTHORITY SECTION:
32.0.192.in-addr.arpa.  21600   IN      NS      b.iana-servers.org.
32.0.192.in-addr.arpa.  21600   IN      NS      c.iana-servers.net.
32.0.192.in-addr.arpa.  21600   IN      NS      d.iana-servers.net.
32.0.192.in-addr.arpa.  21600   IN      NS      ns.icann.org.
32.0.192.in-addr.arpa.  21600   IN      NS      a.iana-servers.net.

;; ADDITIONAL SECTION:
a.iana-servers.net.     13688   IN      A       192.0.34.43
b.iana-servers.org.     5844    IN      A       193.0.0.236
b.iana-servers.org.     5844    IN      AAAA    2001:610:240:2::c100:ec
c.iana-servers.net.     12173   IN      A       139.91.1.10
c.iana-servers.net.     12173   IN      AAAA    2001:648:2c30::1:10
ns.icann.org.           12884   IN      A       192.0.34.126

;; Query time: 156 msec
;; SERVER: 10.34.255.7#53(10.34.255.7)
;; WHEN: Wed Aug 18 18:25:15 2010
;; MSG SIZE  rcvd: 310
```

Most deployments only use the named service to provide name resolution services or to act as an authority for a particular domain. However, BIND version 9 has a number of advanced features that allow for a more secure and efficient DNS service.
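The following Python script is an added example (not part of this guide) that parses dig output of the kind shown above into structured records, so that a scheduled check can compare the delegation a resolver returns with a known-good list of nameservers. The dig output embedded in it is a constructed sample in the same layout.

```python
"""Parse the record sections of dig output, like the runs shown above, into
structured records. Added example, not part of the Fedora guide; the dig
output embedded below is a constructed sample in the same layout."""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# A resource record line as dig prints it: owner, TTL, class, type, rdata.
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+(IN|CH|HS)\s+([A-Z0-9]+)\s+(.+)$")
SECTION = re.compile(r"^;; (ANSWER|AUTHORITY|ADDITIONAL) SECTION:$")


@dataclass(frozen=True)
class Record:
    section: str
    name: str
    ttl: int
    rrclass: str
    rrtype: str
    rdata: str


def parse_dig_output(text: str) -> List[Record]:
    """Return every record from the ANSWER, AUTHORITY and ADDITIONAL sections.

    Comment lines (';' prefix, which includes the QUESTION section) are
    skipped; a section header switches the label attached to later records.
    """
    records: List[Record] = []
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION.match(line)
        if header:
            section = header.group(1)
            continue
        if line.startswith(";") or section is None:
            continue
        m = RR_LINE.match(line)
        if m:
            name, ttl, rrclass, rrtype, rdata = m.groups()
            records.append(Record(section, name, int(ttl), rrclass, rrtype, rdata))
    return records


def response_status(text: str) -> Optional[str]:
    """The status from the ';; ->>HEADER<<-' line (NOERROR, NXDOMAIN, SERVFAIL...)."""
    m = re.search(r"status: ([A-Z]+)", text)
    return m.group(1) if m else None


def delegation_matches(text: str, expected: Set[str]) -> bool:
    """True when the NS names in the ANSWER section equal the expected set.

    A periodic check can run dig, pass its output here and alert when the
    nameservers a resolver returns drift from the known-good list.
    """
    seen = {r.rdata for r in parse_dig_output(text)
            if r.section == "ANSWER" and r.rrtype == "NS"}
    return response_status(text) == "NOERROR" and seen == expected


# Constructed sample in the layout of the 'dig example.com NS' run above.
SAMPLE_NS = """\
; <<>> DiG 9.7.1-P2 <<>> example.com NS
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57883
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;example.com.                   IN      NS
;; ANSWER SECTION:
example.com.            99374   IN      NS      a.iana-servers.net.
example.com.            99374   IN      NS      b.iana-servers.net.
;; Query time: 1 msec
"""

# Constructed sample in the layout of the 'dig -x 192.0.32.10' run above.
SAMPLE_PTR = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29683
;; ANSWER SECTION:
10.32.0.192.in-addr.arpa. 21600 IN      PTR     www.example.com.
;; AUTHORITY SECTION:
32.0.192.in-addr.arpa.  21600   IN      NS      a.iana-servers.net.
;; ADDITIONAL SECTION:
a.iana-servers.net.     13688   IN      A       192.0.34.43
b.iana-servers.org.     5844    IN      AAAA    2001:610:240:2::c100:ec
"""

if __name__ == "__main__":
    for rec in parse_dig_output(SAMPLE_PTR):
        print(rec)
    print(delegation_matches(SAMPLE_NS, {"a.iana-servers.net.", "b.iana-servers.net."}))
```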
To present different zone data to different clients, add the view statement to the /etc/named.conf configuration file. Use the match-clients option to match IP addresses or entire networks and give them special options and zone data.

When DNSSEC validation is enabled, a SERVFAIL response is returned for each resource record that fails the validation.

To debug a DNSSEC-signed domain or a DNSSEC-aware resolver, use the dig utility as described in Section 11.2.4, “Using the dig Utility”. Useful options are +dnssec (requests DNSSEC-related resource records by setting the DNSSEC OK bit), +cd (tells the recursive nameserver not to validate the response), and +bufsize=512 (changes the packet size to 512 B to get through some firewalls).

IPv6 is supported through the use of AAAA resource records, and the listen-on-v6 directive as described in Table 11.3, “Commonly used options”.

Keep the following in mind when configuring the service:

- Errors in the /etc/named.conf file can prevent the named service from starting.
- Use the trailing dot (that is, the . character) correctly in zone files. If a hostname does not end with a trailing dot, the named service will append the name of the zone or the value of $ORIGIN to complete it.
- When allowing the named service access to other nameservers, the recommended best practice is to change the firewall settings whenever possible.

Installed documentation is available in the following directories. Replace version with the version of the bind package installed on the system:

- /usr/share/doc/bind-version/
- /usr/share/doc/bind-version/arm/ (the BIND Administrator Reference Manual)
- /usr/share/doc/bind-version/draft/ (Internet-Drafts relevant to BIND)
- /usr/share/doc/bind-version/misc/ Users of BIND version 8 should consult the migration document for specific changes they must make when moving to BIND 9. The options file lists all of the options implemented in BIND 9 that are used in /etc/named.conf.
- /usr/share/doc/bind-version/rfc/ (RFCs relevant to BIND)

Installed manual pages:

- man rndc: The manual page for rndc containing the full documentation on its usage.
- man named: The manual page for named containing the documentation on assorted arguments that can be used to control the BIND nameserver daemon.
- man lwresd: The manual page for lwresd containing the full documentation on the lightweight resolver daemon and its usage.
- man named.conf: The manual page for the named configuration file.
- man rndc.conf: The manual page for the rndc configuration file.
An HTTP (Hypertext Transfer Protocol) server, or a web server, is a network service that serves content to a client over the web. This typically means web pages, but any other documents can be served as well.

This section describes the basic configuration of the httpd service, and covers advanced topics such as adding server modules, setting up virtual hosts, or configuring the secure HTTP server.

If you are upgrading from a previous release, you may need to update the httpd service configuration accordingly. This section reviews some of the newly added features, outlines important changes, and guides you through the update of older configuration files.

Take the following steps to update the httpd service configuration:

- Adjust the LoadModule directive for each module that has been renamed.
- Use /etc/httpd/conf.d/ssl.conf to enable the Secure Sockets Layer (SSL) protocol.

Before you start using the updated configuration, check it for possible errors:

```
service httpd configtest
```

To run the httpd service, make sure you have the httpd package installed. You can do so by using the following command as root:

```
yum install httpd
```

To start the httpd service, type the following at a shell prompt as root:

```
systemctl start httpd.service
```

To configure the service to start automatically at boot time, use the following command as root:

```
systemctl enable httpd.service
```

To stop the httpd service, type the following at a shell prompt as root:

```
systemctl stop httpd.service
```

To prevent the service from starting automatically at boot time, use the following command as root:

```
systemctl disable httpd.service
```

There are three different ways to restart a running httpd service.

To restart the service completely, type the following at a shell prompt as root:

```
systemctl restart httpd.service
```

This stops the running httpd service, and then starts it again. Use this command after installing or removing a dynamically loaded module such as PHP.

To only reload the configuration, as root, type:

```
systemctl reload httpd.service
```

This causes the running httpd service to reload the configuration file. Note that any requests being currently processed will be interrupted, which may cause a client browser to display an error message or render a partial page.

To reload the configuration without affecting active requests, type the following at a shell prompt as root:

```
service httpd graceful
```

This causes the running httpd service to reload the configuration file. Note that any requests being currently processed will use the old configuration.

To check whether the service is running, type:

```
systemctl is-active httpd.service
```

When the httpd service is started, by default, it reads the configuration from locations that are listed in Table 12.1, “The httpd service configuration files”.

Note that for any configuration changes to take effect, you need to restart the httpd service.

To check the configuration for possible errors, type the following at a shell prompt:

```
service httpd configtest
```

The following directives are commonly used in the /etc/httpd/conf/httpd.conf configuration file:
<Directory>

The <Directory> directive allows you to apply certain directives to a particular directory only. It takes the following form:

```
<Directory directory>
  directive
  …
</Directory>
```

The directory can be either a full path to an existing directory in the local file system, or a wildcard expression.

This directive is also commonly used to configure cgi-bin directories for server-side scripts located outside the directory that is specified by ScriptAlias. In this case, the ExecCGI and AddHandler directives must be supplied, and the permissions on the target directory must be set correctly (that is, 0755).

```
<Directory /var/www/html>
  Options Indexes FollowSymLinks
  AllowOverride None
  Order allow,deny
  Allow from all
</Directory>
```

<IfDefine>

The <IfDefine> directive allows you to use certain directives only when a particular parameter is supplied on the command line. It takes the following form:

```
<IfDefine [!]parameter>
  directive
  …
</IfDefine>
```

The parameter can be supplied at a shell prompt using the -Dparameter command line option (for example, httpd -DEnableHome). If the optional exclamation mark (that is, !) is present, the enclosed directives are used only when the parameter is not specified.

```
<IfDefine EnableHome>
  UserDir public_html
</IfDefine>
```

<IfModule>

The <IfModule> directive allows you to use certain directives only when a particular module is loaded. It takes the following form:

```
<IfModule [!]module>
  directive
  …
</IfModule>
```

The module can be identified either by its name, or by the file name. If the optional exclamation mark (that is, !) is present, the enclosed directives are used only when the module is not loaded.

```
<IfModule mod_disk_cache.c>
  CacheEnable disk /
  CacheRoot /var/cache/mod_proxy
</IfModule>
```

<Location>

The <Location> directive allows you to apply certain directives to a particular URL only. It takes the following form:

```
<Location url>
  directive
  …
</Location>
```

The url can be either a path relative to the directory specified by the DocumentRoot directive (for example, /server-info), or an external URL such as http://example.com/server-info.

```
<Location /server-info>
  SetHandler server-info
  Order deny,allow
  Deny from all
  Allow from .example.com
</Location>
```

<Proxy>

The <Proxy> directive allows you to apply certain directives to the proxy server only. It takes the following form:

```
<Proxy pattern>
  directive
  …
</Proxy>
```

The pattern can be an external URL, or a wildcard expression (for example, http://example.com/*).

```
<Proxy *>
  Order deny,allow
  Deny from all
  Allow from .example.com
</Proxy>
```

<VirtualHost>

The <VirtualHost> directive allows you to apply certain directives to particular virtual hosts only. It takes the following form:

```
<VirtualHost address[:port]…>
  directive
  …
</VirtualHost>
```

The address can be an IP address, a fully qualified domain name, or a special form as described in Table 12.2, “Available <VirtualHost> options”.

| Option | Description |
|---|---|
| * | Represents all IP addresses. |
| `_default_` | Represents unmatched IP addresses. |

```
<VirtualHost *:80>
  ServerAdmin webmaster@penguin.example.com
  DocumentRoot /www/docs/penguin.example.com
  ServerName penguin.example.com
  ErrorLog logs/penguin.example.com-error_log
  CustomLog logs/penguin.example.com-access_log common
</VirtualHost>
```
AccessFileName

The AccessFileName directive allows you to specify the file to be used to customize access control information for each directory. It takes the following form:

```
AccessFileName filename…
```

The filename is a name of the file to look for in the requested directory. By default, the server looks for .htaccess.

For security reasons, the directive is typically followed by the Files tag to prevent the files beginning with .ht from being accessed by web clients. This includes the .htaccess and .htpasswd files.

```
AccessFileName .htaccess

<Files ~ "^\.ht">
  Order allow,deny
  Deny from all
  Satisfy All
</Files>
```

Action

The Action directive allows you to specify a CGI script to be executed when a certain media type is requested. It takes the following form:

```
Action content-type path
```

The content-type has to be a valid MIME type such as text/html, image/png, or application/pdf. The path refers to an existing CGI script, and must be relative to the directory specified by the DocumentRoot directive (for example, /cgi-bin/process-image.cgi).

```
Action image/png /cgi-bin/process-image.cgi
```

AddDescription

The AddDescription directive allows you to specify a short description to be displayed in server-generated directory listings for a given file. It takes the following form:

```
AddDescription "description" filename…
```

The description should be a short text enclosed in double quotes (that is, "). The filename can be a full file name, a file extension, or a wildcard expression.

```
AddDescription "GZIP compressed tar archive" .tgz
```

AddEncoding

The AddEncoding directive allows you to specify an encoding type for a particular file extension. It takes the following form:

```
AddEncoding encoding extension…
```

The encoding has to be a valid MIME encoding such as x-compress, x-gzip, etc. The extension is a case sensitive file extension, and is conventionally written with a leading dot (for example, .gz).

```
AddEncoding x-gzip .gz .tgz
```

AddHandler

The AddHandler directive allows you to map certain file extensions to a selected handler. It takes the following form:

```
AddHandler handler extension…
```

The handler has to be the name of a previously defined handler. The extension is a case sensitive file extension, and is conventionally written with a leading dot (for example, .cgi).

This directive is typically used to treat files with the .cgi extension as CGI scripts regardless of the directory they are in. Additionally, it is also commonly used to process server-parsed HTML and image-map files.

```
AddHandler cgi-script .cgi
```

AddIcon

The AddIcon directive allows you to specify an icon to be displayed for a particular file in server-generated directory listings. It takes the following form:

```
AddIcon path pattern…
```

The path refers to an existing icon file, and must be relative to the directory specified by the DocumentRoot directive (for example, /icons/folder.png). The pattern can be a file name, a file extension, a wildcard expression, or a special form as described in the following table:

| Option | Description |
|---|---|
| ^^DIRECTORY^^ | Represents a directory. |
| ^^BLANKICON^^ | Represents a blank line. |

```
AddIcon /icons/text.png .txt README
```

AddIconByEncoding

The AddIconByEncoding directive allows you to specify an icon to be displayed for a particular encoding type in server-generated directory listings. It takes the following form:

```
AddIconByEncoding path encoding…
```

The path refers to an existing icon file, and must be relative to the directory specified by the DocumentRoot directive (for example, /icons/compressed.png). The encoding has to be a valid MIME encoding such as x-compress, x-gzip, etc.

```
AddIconByEncoding /icons/compressed.png x-compress x-gzip
```

AddIconByType

The AddIconByType directive allows you to specify an icon to be displayed for a particular media type in server-generated directory listings. It takes the following form:

```
AddIconByType path content-type…
```

The path refers to an existing icon file, and must be relative to the directory specified by the DocumentRoot directive (for example, /icons/text.png). The content-type has to be either a valid MIME type (for example, text/html or image/png), or a wildcard expression such as text/*, image/*, etc.

```
AddIconByType /icons/video.png video/*
```

AddLanguage

The AddLanguage directive allows you to associate a file extension with a specific language. It takes the following form:

```
AddLanguage language extension…
```

The language has to be a valid MIME language such as cs, en, or fr. The extension is a case sensitive file extension, and is conventionally written with a leading dot (for example, .cs).

```
AddLanguage cs .cs .cz
```

AddType

The AddType directive allows you to define or override the media type for a particular file extension. It takes the following form:

```
AddType content-type extension…
```

The content-type has to be a valid MIME type such as text/html, image/png, etc. The extension is a case sensitive file extension, and is conventionally written with a leading dot (for example, .cs).

```
AddType application/x-gzip .gz .tgz
```

Alias

The Alias directive allows you to refer to files and directories outside the default directory specified by the DocumentRoot directive. It takes the following form:

```
Alias url-path real-path
```

The url-path must be relative to the directory specified by the DocumentRoot directive (for example, /images/). The real-path is a full path to a file or directory in the local file system.

The directive is typically followed by the Directory tag with additional permissions to access the target directory. By default, the /icons/ alias is created so that the icons from /var/www/icons/ are displayed in server-generated directory listings.

```
Alias /icons/ /var/www/icons/

<Directory "/var/www/icons">
  Options Indexes MultiViews FollowSymLinks
  AllowOverride None
  Order allow,deny
  Allow from all
</Directory>
```

Allow

The Allow directive allows you to specify which clients have permission to access a given directory. It takes the following form:

```
Allow from client…
```

The client can be a domain name, an IP address (both full and partial), a network/netmask pair, or all for all clients.

```
Allow from 192.168.1.0/255.255.255.0
```

AllowOverride

The AllowOverride directive allows you to specify which directives in a .htaccess file can override the default configuration. It takes the following form:

```
AllowOverride type…
```

The type has to be one of the available grouping options as described in Table 12.4, “Available AllowOverride options”.
| Option | Description |
|---|---|
| All | All directives in .htaccess are allowed to override earlier configuration settings. |
| None | No directive in .htaccess is allowed to override earlier configuration settings. |
| AuthConfig | Allows the use of authorization directives such as AuthName, AuthType, or Require. |
| FileInfo | Allows the use of file type, metadata, and mod_rewrite directives such as DefaultType, RequestHeader, or RewriteEngine, as well as the Action directive. |
| Indexes | Allows the use of directory indexing directives such as AddDescription, AddIcon, or FancyIndexing. |
| Limit | Allows the use of host access directives, that is, Allow, Deny, and Order. |
| Options[=option,…] | Allows the use of the Options directive. Additionally, you can provide a comma-separated list of options to customize which options can be set using this directive. |
```
AllowOverride FileInfo AuthConfig Limit
```

BrowserMatch

The BrowserMatch directive allows you to modify the server behavior based on the client's web browser type. It takes the following form:

```
BrowserMatch pattern variable…
```

The pattern is a regular expression to match the User-Agent HTTP header field. The variable is an environment variable that is set when the header field matches the pattern.

```
BrowserMatch "Mozilla/2" nokeepalive
```

CacheDefaultExpire

The CacheDefaultExpire directive allows you to set how long to cache a document that does not have any expiration date or the date of its last modification specified. It takes the following form:

```
CacheDefaultExpire time
```

The time is specified in seconds. The default option is 3600 (that is, one hour).

```
CacheDefaultExpire 3600
```

CacheDisable

The CacheDisable directive allows you to disable caching of certain URLs. It takes the following form:

```
CacheDisable path
```

The path must be relative to the directory specified by the DocumentRoot directive (for example, /files/).

```
CacheDisable /temporary
```

CacheEnable

The CacheEnable directive allows you to specify a cache type to be used for certain URLs. It takes the following form:

```
CacheEnable type url
```

The type has to be a valid cache type as described in Table 12.5, “Available cache types”. The url can be a path relative to the directory specified by the DocumentRoot directive (for example, /images/), a protocol (for example, ftp://), or an external URL such as http://example.com/.
| Type | Description |
|---|---|
| mem | The memory-based storage manager. |
| disk | The disk-based storage manager. |
| fd | The file descriptor cache. |

```
CacheEnable disk /
```

CacheLastModifiedFactor

The CacheLastModifiedFactor directive allows you to customize how long to cache a document that does not have any expiration date specified, but that provides information about the date of its last modification. It takes the following form:

```
CacheLastModifiedFactor number
```

The number is a coefficient to be used to multiply the time that passed since the last modification of the document. The default option is 0.1 (that is, one tenth).

```
CacheLastModifiedFactor 0.1
```

CacheMaxExpire

The CacheMaxExpire directive allows you to specify the maximum amount of time to cache a document. It takes the following form:

```
CacheMaxExpire time
```

The time is specified in seconds. The default option is 86400 (that is, one day).

```
CacheMaxExpire 86400
```
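How CacheDefaultExpire, CacheLastModifiedFactor and CacheMaxExpire combine to decide a cached document's lifetime, worked through in Python as an added example (not part of this guide or of Apache itself). It is a simplified model of the rules the three directives describe, using the defaults listed above; the response headers it evaluates are constructed.

```python
"""Compute a cached response's freshness lifetime from the mod_cache directives
above. Added example, not from the Fedora guide or Apache itself: a simplified
model of the rules the guide states, with the defaults it lists."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime, parsedate_to_datetime
from typing import Dict, Optional


@dataclass(frozen=True)
class CacheConfig:
    default_expire: int = 3600         # CacheDefaultExpire (seconds)
    last_modified_factor: float = 0.1  # CacheLastModifiedFactor
    max_expire: int = 86400            # CacheMaxExpire (seconds)


# Constructed reference instant used by the sample headers below.
NOW = datetime(2010, 8, 18, 18, 0, 0, tzinfo=timezone.utc)


def freshness_lifetime(headers: Dict[str, str], now: datetime,
                       cfg: CacheConfig = CacheConfig()) -> int:
    """Seconds the response may be served from cache before revalidation.

    Rule order, as the guide describes it:
      1. Expires header present: cache until that instant.
      2. Only Last-Modified present: age so far times CacheLastModifiedFactor.
      3. Neither present: CacheDefaultExpire.
    CacheMaxExpire caps every case, and a past Expires gives 0, not a negative.
    Header names are compared case-insensitively; dates are HTTP-date strings.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    if "expires" in lower:
        lifetime = (parsedate_to_datetime(lower["expires"]) - now).total_seconds()
    elif "last-modified" in lower:
        age = (now - parsedate_to_datetime(lower["last-modified"])).total_seconds()
        lifetime = age * cfg.last_modified_factor
    else:
        lifetime = float(cfg.default_expire)
    return int(max(0.0, min(lifetime, float(cfg.max_expire))))


def sample_headers(expires_in: Optional[int] = None,
                   modified_ago: Optional[int] = None) -> Dict[str, str]:
    """Build constructed response headers relative to NOW (offsets in seconds)."""
    headers: Dict[str, str] = {"Content-Type": "text/html"}
    if expires_in is not None:
        headers["Expires"] = format_datetime(NOW + timedelta(seconds=expires_in), usegmt=True)
    if modified_ago is not None:
        headers["Last-Modified"] = format_datetime(NOW - timedelta(seconds=modified_ago), usegmt=True)
    return headers


if __name__ == "__main__":
    cases = [("no freshness headers", sample_headers()),
             ("modified 5 days ago", sample_headers(modified_ago=5 * 86400)),
             ("modified 20 days ago", sample_headers(modified_ago=20 * 86400)),
             ("expires in 30 minutes", sample_headers(expires_in=1800)),
             ("already expired", sample_headers(expires_in=-60))]
    for label, hdrs in cases:
        print(f"{label}: {freshness_lifetime(hdrs, NOW)} s")
```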
CacheNegotiatedDocs

The CacheNegotiatedDocs directive allows you to enable caching of the documents that were negotiated on the basis of content. It takes the following form:

```
CacheNegotiatedDocs option
```

The option has to be a valid keyword as described in Table 12.6, “Available CacheNegotiatedDocs options”. Since the content-negotiated documents may change over time or because of the input from the requester, the default option is Off.

| Option | Description |
|---|---|
| On | Enables caching the content-negotiated documents. |
| Off | Disables caching the content-negotiated documents. |

```
CacheNegotiatedDocs On
```

CacheRoot

The CacheRoot directive allows you to specify the directory to store cache files in. It takes the following form:

```
CacheRoot directory
```

The directory must be a full path to an existing directory in the local file system. The default option is /var/cache/mod_proxy/.

```
CacheRoot /var/cache/mod_proxy
```

CustomLog

The CustomLog directive allows you to specify the log file name and the log file format. It takes the following form:

```
CustomLog path format
```

The path refers to a log file, and must be relative to the directory that is specified by the ServerRoot directive (that is, /etc/httpd/ by default). The format has to be either an explicit format string, or a format name that was previously defined using the LogFormat directive.

```
CustomLog logs/access_log combined
```

DefaultIcon

The DefaultIcon directive allows you to specify an icon to be displayed for a file in server-generated directory listings when no other icon is associated with it. It takes the following form:

```
DefaultIcon path
```

The path refers to an existing icon file, and must be relative to the directory specified by the DocumentRoot directive (for example, /icons/unknown.png).

```
DefaultIcon /icons/unknown.png
```

DefaultType

The DefaultType directive allows you to specify a media type to be used in case the proper MIME type cannot be determined by the server. It takes the following form:

```
DefaultType content-type
```

The content-type has to be a valid MIME type such as text/html, image/png, application/pdf, etc.

```
DefaultType text/plain
```

Deny

The Deny directive allows you to specify which clients are denied access to a given directory. It takes the following form:

```
Deny from client…
```

The client can be a domain name, an IP address (both full and partial), a network/netmask pair, or all for all clients.

```
Deny from 192.168.1.1
```
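The following Python model is an added example (not part of this guide or of the Apache code base) of how the Allow and Deny directives above are evaluated under the two Order settings used in the <Directory> and <Location> snippets on this page. It handles the IPv4 client forms the guide lists (full or partial address, network/netmask pair, domain name, and all); the access blocks and client addresses it evaluates are constructed.

```python
"""Model the host access control used in the snippets on this page: Order,
Allow from and Deny from. Added example, not from the Fedora guide or the
Apache code base. Handles the client forms the guide lists for IPv4 (full or
partial address, network/netmask pair, domain name, and all)."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


def client_matches(rule: str, ip: str, hostname: Optional[str] = None) -> bool:
    """Return True when one Allow/Deny operand matches the connecting client.

    hostname is the client's reverse-resolved name; it is only known when the
    server performs a lookup, so callers that do not have it pass None and
    name-based rules then never match (the safe outcome for an Allow rule).
    """
    rule = rule.strip()
    if rule.lower() == "all":
        return True
    if "/" in rule:
        # network/netmask (192.168.1.0/255.255.255.0) or CIDR (192.168.1.0/24)
        return ipaddress.ip_address(ip) in ipaddress.ip_network(rule, strict=False)
    if rule.replace(".", "").isdigit():
        # Full or partial address: a partial address matches on whole leading
        # octets, so "192.168.1" covers 192.168.1.0 to 192.168.1.255.
        octets = rule.strip(".").split(".")
        return ip.split(".")[:len(octets)] == octets
    # Domain name: only whole labels match, so ".example.com" (or
    # "example.com") covers www.example.com but not notexample.com.
    if hostname is None:
        return False
    host = hostname.lower().rstrip(".")
    domain = rule.lower().strip(".")
    return host == domain or host.endswith("." + domain)


@dataclass
class HostAccess:
    """One <Directory>/<Location> block's Order, Allow and Deny lists."""
    order: str = "deny,allow"
    allow: List[str] = field(default_factory=list)
    deny: List[str] = field(default_factory=list)

    def permits(self, ip: str, hostname: Optional[str] = None) -> bool:
        allowed = any(client_matches(r, ip, hostname) for r in self.allow)
        denied = any(client_matches(r, ip, hostname) for r in self.deny)
        if self.order == "allow,deny":
            # Default is deny: an Allow must match and no Deny may match.
            return allowed and not denied
        if self.order == "deny,allow":
            # Default is allow: a matching Deny is overridden by a matching Allow.
            return allowed or not denied
        raise ValueError(f"unsupported Order value: {self.order}")


# The two blocks from the <Directory> and <Location> examples above.
PUBLIC_HTML = HostAccess(order="allow,deny", allow=["all"])
SERVER_INFO = HostAccess(order="deny,allow", deny=["all"], allow=[".example.com"])

if __name__ == "__main__":
    print(PUBLIC_HTML.permits("203.0.113.9"))                      # True
    print(SERVER_INFO.permits("192.0.32.10", "www.example.com"))   # True
    print(SERVER_INFO.permits("192.0.32.10"))                      # False: no reverse name
    print(SERVER_INFO.permits("198.51.100.7", "www.example.org"))  # False
```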
DirectoryIndex

The DirectoryIndex directive allows you to specify a document to be served to a client when a directory is requested (that is, when the URL ends with the / character). It takes the following form:

```
DirectoryIndex filename…
```

The filename is a name of the file to look for in the requested directory. By default, the server looks for index.html, and index.html.var.

```
DirectoryIndex index.html index.html.var
```

DocumentRoot

The DocumentRoot directive allows you to specify the main directory from which the content is served. It takes the following form:

```
DocumentRoot directory
```

The directory must be a full path to an existing directory in the local file system. The default option is /var/www/html/.

```
DocumentRoot /var/www/html
```

ErrorDocument

The ErrorDocument directive allows you to specify a document or a message to be displayed as a response to a particular error. It takes the following form:

```
ErrorDocument error-code action
```

The error-code has to be a valid code such as 403 (Forbidden), 404 (Not Found), or 500 (Internal Server Error). The action can be either a URL (both local and external), or a message string enclosed in double quotes (that is, ").

```
ErrorDocument 403 "Access Denied"
ErrorDocument 404 /404-not_found.html
```

ErrorLog

The ErrorLog directive allows you to specify a file to which the server errors are logged. It takes the following form:

```
ErrorLog path
```

The path refers to a log file, and can be either absolute, or relative to the directory that is specified by the ServerRoot directive (that is, /etc/httpd/ by default). The default option is logs/error_log.

```
ErrorLog logs/error_log
```

ExtendedStatus

The ExtendedStatus directive allows you to enable detailed server status information. It takes the following form:

```
ExtendedStatus option
```

The option has to be a valid keyword as described in Table 12.7, “Available ExtendedStatus options”. The default option is Off.

| Option | Description |
|---|---|
| On | Enables generating the detailed server status. |
| Off | Disables generating the detailed server status. |

```
ExtendedStatus On
```

Group

The Group directive allows you to specify the group under which the httpd service will run. It takes the following form:

```
Group group
```

The group has to be an existing UNIX group. The default option is apache.

Note that Group is no longer supported inside <VirtualHost>, and has been replaced by the SuexecUserGroup directive.

```
Group apache
```

HeaderName

The HeaderName directive allows you to specify a file to be prepended to the beginning of the server-generated directory listing. It takes the following form:

```
HeaderName filename
```

The filename is a name of the file to look for in the requested directory. By default, the server looks for HEADER.html.

```
HeaderName HEADER.html
```

HostnameLookups

The HostnameLookups directive allows you to enable automatic resolving of IP addresses. It takes the following form:

```
HostnameLookups option
```

The option has to be a valid keyword as described in Table 12.8, “Available HostnameLookups options”. To conserve resources on the server, the default option is Off.

| Option | Description |
|---|---|
| On | Enables resolving the IP address for each connection so that the hostname can be logged. However, this also adds a significant processing overhead. |
| Double | Enables performing the double-reverse DNS lookup. In comparison to the above option, this adds even more processing overhead. |
| Off | Disables resolving the IP address for each connection. |

```
HostnameLookups Off
```

Include

The Include directive allows you to include other configuration files. It takes the following form:

```
Include filename
```

The filename can be an absolute path, a path relative to the directory specified by the ServerRoot directive, or a wildcard expression. All configuration files from the /etc/httpd/conf.d/ directory are loaded by default.

```
Include conf.d/*.conf
```

IndexIgnore

The IndexIgnore directive allows you to specify a list of file names to be omitted from the server-generated directory listings. It takes the following form:

```
IndexIgnore filename…
```

The filename option can be either a full file name, or a wildcard expression.

```
IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t
```

IndexOptions

The IndexOptions directive allows you to customize the behavior of server-generated directory listings. It takes the following form:

```
IndexOptions option…
```

The option has to be a valid keyword as described in Table 12.9, “Available directory listing options”. The default options are Charset=UTF-8, FancyIndexing, HTMLTable, NameWidth=*, and VersionSort.
| Option | Description |
|---|---|
| Charset=encoding | Specifies the character set of a generated web page. The encoding has to be a valid character set such as UTF-8 or ISO-8859-2. |
| Type=content-type | Specifies the media type of a generated web page. The content-type has to be a valid MIME type such as text/html or text/plain. |
| DescriptionWidth=value | Specifies the width of the description column. The value can be either a number of characters, or an asterisk (that is, *) to adjust the width automatically. |
| FancyIndexing | Enables advanced features such as different icons for certain files or the possibility to re-sort a directory listing by clicking on a column header. |
| FolderFirst | Enables listing directories first, always placing them above files. |
| HTMLTable | Enables the use of HTML tables for directory listings. |
| IconsAreLinks | Enables using the icons as links. |
| IconHeight=value | Specifies an icon height. The value is a number of pixels. |
| IconWidth=value | Specifies an icon width. The value is a number of pixels. |
| IgnoreCase | Enables sorting files and directories in a case-sensitive manner. |
| IgnoreClient | Disables accepting query variables from a client. |
| NameWidth=value | Specifies the width of the file name column. The value can be either a number of characters, or an asterisk (that is, *) to adjust the width automatically. |
| ScanHTMLTitles | Enables parsing the file for a description (that is, the title element) in case it is not provided by the AddDescription directive. |
| ShowForbidden | Enables listing the files with otherwise restricted access. |
| SuppressColumnSorting | Disables re-sorting a directory listing by clicking on a column header. |
| SuppressDescription | Disables reserving a space for file descriptions. |
| SuppressHTMLPreamble | Disables the use of the standard HTML preamble when a file specified by the HeaderName directive is present. |
| SuppressIcon | Disables the use of icons in directory listings. |
| SuppressLastModified | Disables displaying the date of the last modification field in directory listings. |
| SuppressRules | Disables the use of horizontal lines in directory listings. |
| SuppressSize | Disables displaying the file size field in directory listings. |
| TrackModified | Enables returning the Last-Modified and ETag values in the HTTP header. |
| VersionSort | Enables sorting files that contain a version number in the expected manner. |
| XHTML | Enables the use of XHTML 1.0 instead of the default HTML 3.2. |

```
IndexOptions FancyIndexing VersionSort NameWidth=* HTMLTable Charset=UTF-8
```
KeepAlive

The KeepAlive directive allows you to enable persistent connections. It takes the following form:

```
KeepAlive option
```

The option has to be a valid keyword as described in Table 12.10, “Available KeepAlive options”. The default option is Off.

| Option | Description |
|---|---|
| On | Enables the persistent connections. In this case, the server will accept more than one request per connection. |
| Off | Disables the keep-alive connections. |

If you enable persistent connections, set KeepAliveTimeout to a low number, and monitor the /var/log/httpd/logs/error_log log file carefully.

```
KeepAlive Off
```

KeepAliveTimeout

The KeepAliveTimeout directive allows you to specify the amount of time to wait for another request before closing the connection. It takes the following form:

```
KeepAliveTimeout time
```

The time is specified in seconds. The default option is 15.

```
KeepAliveTimeout 15
```

LanguagePriority

The LanguagePriority directive allows you to customize the precedence of languages. It takes the following form:

```
LanguagePriority language…
```

The language has to be a valid MIME language such as cs, en, or fr.

```
LanguagePriority sk cs en
```

Listen

The Listen directive allows you to specify IP addresses or ports to listen to. It takes the following form:

```
Listen [ip-address:]port [protocol]
```

The ip-address is optional and unless supplied, the server will accept incoming requests on a given port from all IP addresses. Since the protocol is determined automatically from the port number, it can be usually omitted. The default option is to listen to port 80.

Note that if the server is configured to listen to a port below 1024, only root will be able to start the httpd service.

```
Listen 80
```

LoadModule

The LoadModule directive allows you to load a Dynamic Shared Object (DSO) module. It takes the following form:

```
LoadModule name path
```

The name has to be a valid identifier of the required module. The path refers to an existing module file, and must be relative to the directory in which the libraries are placed (that is, /usr/lib/httpd/ on 32-bit and /usr/lib64/httpd/ on 64-bit systems by default).

```
LoadModule php5_module modules/libphp5.so
```

LogFormat

The LogFormat directive allows you to specify a log file format. It takes the following form:

```
LogFormat format name
```

The format is a string consisting of options as described in Table 12.11, “Common LogFormat options”. The name can be used instead of the format string in the CustomLog directive.
| Option | Description |
|---|---|
| %b | Represents the size of the response in bytes. |
| %h | Represents the IP address or hostname of a remote client. |
| %l | Represents the remote log name if supplied. If not, a hyphen (that is, -) is used instead. |
| %r | Represents the first line of the request string as it came from the browser or client. |
| %s | Represents the status code. |
| %t | Represents the date and time of the request. |
| %u | If the authentication is required, it represents the remote user. If not, a hyphen (that is, -) is used instead. |
| %{field} | Represents the content of the HTTP header field. The common options include %{Referer} (the URL of the web page that referred the client to the server) and %{User-Agent} (the type of the web browser making the request). |

```
LogFormat "%h %l %u %t \"%r\" %>s %b" common
```
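The following Python script is an added example (not part of this guide) that parses access_log lines written with the common format defined above, and with the combined variant that appends the Referer and User-Agent fields, into the individual LogFormat options so that the log can be queried for status codes and for clients that repeatedly trigger errors. The log lines embedded in it are constructed.

```python
"""Parse access_log lines written with the 'common' LogFormat defined above
(%h %l %u %t "%r" %>s %b), plus the 'combined' variant that appends the
Referer and User-Agent header fields. Added example, not part of the Fedora
guide; the log lines embedded below are constructed."""
import re
from collections import Counter
from typing import Dict, List, Optional

# One named group per LogFormat option; the trailing referer/agent pair is
# optional so the same pattern accepts both 'common' and 'combined' lines.
LOG_LINE = re.compile(
    r'^(?P<h>\S+) (?P<l>\S+) (?P<u>\S+) \[(?P<t>[^\]]+)\] '
    r'"(?P<r>[^"]*)" (?P<s>\d{3}) (?P<b>\d+|-)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?$'
)


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Return the fields of one log line, or None if it is not in this format."""
    m = LOG_LINE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    rec: Dict[str, object] = dict(m.groupdict())
    rec["s"] = int(m.group("s"))
    # %b writes '-' instead of 0 when the response carried no body.
    rec["b"] = 0 if m.group("b") == "-" else int(m.group("b"))
    # %r is the request line; split it so the path can be inspected on its own.
    parts = m.group("r").split(" ")
    if len(parts) == 3:
        rec["method"], rec["path"], rec["protocol"] = parts
    else:
        rec["method"] = rec["path"] = rec["protocol"] = None
    return rec


def parse_log(text: str) -> List[Dict[str, object]]:
    """Parse every line, skipping the ones that do not match the format."""
    return [r for r in (parse_line(line) for line in text.splitlines()) if r is not None]


def status_counts(records: List[Dict[str, object]]) -> Dict[int, int]:
    """How many responses were logged per status code (%>s)."""
    return dict(Counter(int(r["s"]) for r in records))


def clients_with_errors(records: List[Dict[str, object]], threshold: int) -> List[str]:
    """Client addresses (%h) with at least `threshold` 4xx/5xx responses.

    A simple triage query: repeated 403s for .htaccess or .htpasswd, as in the
    sample below, show the Files block for .ht files doing its job, and the
    client asking for them is worth a closer look.
    """
    errors = Counter(str(r["h"]) for r in records if int(r["s"]) >= 400)
    return sorted(h for h, n in errors.items() if n >= threshold)


# Constructed sample: three 'common' lines, one 'combined' line, one junk line.
SAMPLE_LOG = """\
192.0.2.10 - - [18/Aug/2010:18:04:06 +0200] "GET /index.html HTTP/1.1" 200 2326
192.0.2.10 - alice [18/Aug/2010:18:04:07 +0200] "GET /private/ HTTP/1.1" 403 199
198.51.100.7 - - [18/Aug/2010:18:05:01 +0200] "GET /.htaccess HTTP/1.1" 403 -
198.51.100.7 - - [18/Aug/2010:18:05:02 +0200] "GET /.htpasswd HTTP/1.1" 403 - "-" "curl/7.19.7"
this line is not in the common format
"""

if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    print(status_counts(records))              # {200: 1, 403: 3}
    print(clients_with_errors(records, 2))     # ['198.51.100.7']
```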
LogLevel LogLevel directive allows you to customize the verbosity level of the error log. It takes the following form:
LogLevel optionoption has to be a valid keyword as described in Table 12.12, “Available LogLevel options”. The default option is warn.
| Option | Description |
|---|---|
| emerg | Only the emergency situations when the server cannot perform its work are logged. |
| alert | All situations when an immediate action is required are logged. |
| crit | All critical conditions are logged. |
| error | All error messages are logged. |
| warn | All warning messages are logged. |
| notice | Even normal, but still significant situations are logged. |
| info | Various informational messages are logged. |
| debug | Various debugging messages are logged. |
LogLevel warn
MaxKeepAliveRequests
The MaxKeepAliveRequests directive allows you to specify the maximum number of requests for a persistent connection. It takes the following form:
MaxKeepAliveRequests number
A high number can improve the performance of the server. Note that using 0 allows an unlimited number of requests. The default option is 100.
MaxKeepAliveRequests 100
NameVirtualHost
The NameVirtualHost directive allows you to specify the IP address and port number for a name-based virtual host. It takes the following form:
NameVirtualHost ip-address[:port]
The ip-address can be either a full IP address, or an asterisk (that is, *) representing all interfaces. Note that IPv6 addresses have to be enclosed in square brackets (that is, [ and ]). The port is optional.
NameVirtualHost *:80
Options
The Options directive allows you to specify which server features are available in a particular directory. It takes the following form:
Options option…
The option has to be a valid keyword as described in Table 12.13, “Available server features”.
| Option | Description |
|---|---|
| ExecCGI | Enables the execution of CGI scripts. |
| FollowSymLinks | Enables following symbolic links in the directory. |
| Includes | Enables server-side includes. |
| IncludesNOEXEC | Enables server-side includes, but does not allow the execution of commands. |
| Indexes | Enables server-generated directory listings. |
| MultiViews | Enables content-negotiated “MultiViews”. |
| SymLinksIfOwnerMatch | Enables following symbolic links in the directory when both the link and the target file have the same owner. |
| All | Enables all of the features above with the exception of MultiViews. |
| None | Disables all of the features above. |
Options Indexes FollowSymLinks
Order
The Order directive allows you to specify the order in which the Allow and Deny directives are evaluated. It takes the following form:
Order option
The option has to be a valid keyword as described in Table 12.14, “Available Order options”. The default option is allow,deny.
| Option | Description |
|---|---|
| allow,deny | Allow directives are evaluated first. |
| deny,allow | Deny directives are evaluated first. |
Order allow,deny
PidFile
The PidFile directive allows you to specify a file in which the process ID (PID) of the server is stored. It takes the following form:
PidFile path
The path refers to a pid file, and can be either absolute, or relative to the directory that is specified by the ServerRoot directive (that is, /etc/httpd/ by default). The default option is run/httpd.pid.
PidFile run/httpd.pid
ProxyRequests
The ProxyRequests directive allows you to enable forward proxy requests. It takes the following form:
ProxyRequests option
The option has to be a valid keyword as described in Table 12.15, “Available ProxyRequests options”. The default option is Off.
| Option | Description |
|---|---|
| On | Enables forward proxy requests. |
| Off | Disables forward proxy requests. |
ProxyRequests On
ReadmeName
The ReadmeName directive allows you to specify a file to be appended to the end of the server-generated directory listing. It takes the following form:
ReadmeName filename
The filename is the name of the file to look for in the requested directory. By default, the server looks for README.html.
ReadmeName README.html
Redirect
The Redirect directive allows you to redirect a client to another URL. It takes the following form:
Redirect [status] path url
The status is optional, and if provided, it has to be a valid keyword as described in Table 12.16, “Available status options”. The path refers to the old location, and must be relative to the directory specified by the DocumentRoot directive (for example, /docs). The url refers to the current location of the content (for example, http://docs.example.com).
| Status | Description |
|---|---|
| permanent | Indicates that the requested resource has been moved permanently. The 301 (Moved Permanently) status code is returned to a client. |
| temp | Indicates that the requested resource has been moved only temporarily. The 302 (Found) status code is returned to a client. |
| seeother | Indicates that the requested resource has been replaced. The 303 (See Other) status code is returned to a client. |
| gone | Indicates that the requested resource has been removed permanently. The 410 (Gone) status is returned to a client. |
mod_rewrite module that is part of the Apache HTTP Server installation.
Redirect permanent /docs http://docs.example.com
ScriptAlias
The ScriptAlias directive allows you to specify the location of CGI scripts. It takes the following form:
ScriptAlias url-path real-path
The url-path must be relative to the directory specified by the DocumentRoot directive (for example, /cgi-bin/). The real-path is a full path to a file or directory in the local file system.
This directive is typically followed by the Directory tag with additional permissions to access the target directory. By default, the /cgi-bin/ alias is created so that the scripts located in the /var/www/cgi-bin/ directory are accessible.
The ScriptAlias directive is used for security reasons to prevent CGI scripts from being viewed as ordinary text documents.
ScriptAlias /cgi-bin/ /var/www/cgi-bin/
<Directory "/var/www/cgi-bin">
    AllowOverride None
    Options None
    Order allow,deny
    Allow from all
</Directory>
ServerAdmin
The ServerAdmin directive allows you to specify the email address of the server administrator to be displayed in server-generated web pages. It takes the following form:
ServerAdmin email
The default option is root@localhost.
A common choice is webmaster@hostname, where hostname is the address of the server. Once set, alias webmaster to the person responsible for the web server in /etc/aliases, and as superuser, run the newaliases command.
ServerAdmin webmaster@penguin.example.com
ServerName
The ServerName directive allows you to specify the hostname and the port number of a web server. It takes the following form:
ServerName hostname[:port]
The hostname has to be a fully qualified domain name (FQDN) of the server. The port is optional, but when supplied, it has to match the number specified by the Listen directive.
/etc/hosts file.
ServerName penguin.example.com:80
ServerRoot
The ServerRoot directive allows you to specify the directory in which the server operates. It takes the following form:
ServerRoot directory
The directory must be a full path to an existing directory in the local file system. The default option is /etc/httpd/.
ServerRoot /etc/httpd
ServerSignature
The ServerSignature directive allows you to enable displaying information about the server on server-generated documents. It takes the following form:
ServerSignature option
The option has to be a valid keyword as described in Table 12.17, “Available ServerSignature options”. The default option is On.
| Option | Description |
|---|---|
| On | Enables appending the server name and version to server-generated pages. |
| Off | Disables appending the server name and version to server-generated pages. |
| EMail | Enables appending the server name, version, and the email address of the system administrator as specified by the ServerAdmin directive to server-generated pages. |
ServerSignature On
ServerTokens
The ServerTokens directive allows you to customize what information is included in the Server response header. It takes the following form:
ServerTokens option
The option has to be a valid keyword as described in Table 12.18, “Available ServerTokens options”. The default option is OS.
| Option | Description |
|---|---|
| Prod | Includes the product name only (that is, Apache). |
| Major | Includes the product name and the major version of the server (for example, 2). |
| Minor | Includes the product name and the minor version of the server (for example, 2.2). |
| Min | Includes the product name and the minimal version of the server (for example, 2.2.15). |
| OS | Includes the product name, the minimal version of the server, and the type of the operating system it is running on (for example, Red Hat). |
| Full | Includes all the information above along with the list of loaded modules. |
ServerTokens Prod
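As an added example that is not part of the guide, the following Python classifies a Server response header into the ServerTokens keyword from Table 12.18 that produces it and reports what a remote client learns from it (version, operating system, module list); the header shapes follow the table, and the response and version values are constructed.

```python
import re

# Header shapes for each ServerTokens keyword in Table 12.18, tried from
# least revealing to most revealing. The version and OS strings used in
# the samples below are constructed, not taken from a real server.
_SHAPES = [
    ("Prod",  re.compile(r"^Apache$")),
    ("Major", re.compile(r"^Apache/\d+$")),
    ("Minor", re.compile(r"^Apache/\d+\.\d+$")),
    ("Min",   re.compile(r"^Apache/\d+\.\d+\.\d+$")),
    ("OS",    re.compile(r"^Apache/\d+\.\d+\.\d+ \([^)]+\)$")),
    ("Full",  re.compile(r"^Apache/\d+\.\d+\.\d+ \([^)]+\)( \S+/\S+)+$")),
]


def server_tokens_level(server_header: str):
    """Return the ServerTokens keyword that produces this Server header,
    or None if the header does not look like an Apache HTTP Server header."""
    value = server_header.strip()
    for level, pattern in _SHAPES:
        if pattern.match(value):
            return level
    return None


def exposed_details(server_header: str) -> set:
    """Name what a remote client learns from the header: the server
    version, the operating system, and/or the list of loaded modules."""
    level = server_tokens_level(server_header)
    details = set()
    if level in ("Major", "Minor", "Min", "OS", "Full"):
        details.add("version")
    if level in ("OS", "Full"):
        details.add("os")
    if level == "Full":
        details.add("modules")
    return details


def server_header_from_response(raw_response: str):
    """Extract the Server header value from a raw HTTP response, or None."""
    head = raw_response.partition("\r\n\r\n")[0]
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None


# Constructed response, shaped like one from a server running "ServerTokens OS".
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Tue, 10 Oct 2023 13:55:36 GMT\r\n"
    "Server: Apache/2.2.15 (Red Hat)\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)

if __name__ == "__main__":
    header = server_header_from_response(SAMPLE_RESPONSE)
    print(header, "->", server_tokens_level(header), exposed_details(header))
```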
SuexecUserGroup
The SuexecUserGroup directive allows you to specify the user and group under which the CGI scripts will be run. It takes the following form:
SuexecUserGroup user group
The user has to be an existing user, and the group must be a valid UNIX group.
Do not run CGI scripts with root privileges. Note that in <VirtualHost>, SuexecUserGroup replaces the User and Group directives.
SuexecUserGroup apache apache
Timeout
The Timeout directive allows you to specify the amount of time to wait for an event before closing a connection. It takes the following form:
Timeout time
The time is specified in seconds. The default option is 60.
Timeout 60
TypesConfig
The TypesConfig directive allows you to specify the location of the MIME types configuration file. It takes the following form:
TypesConfig path
The path refers to an existing MIME types configuration file, and can be either absolute, or relative to the directory that is specified by the ServerRoot directive (that is, /etc/httpd/ by default). The default option is /etc/mime.types.
Instead of editing /etc/mime.types, the recommended way to add a MIME type mapping to the Apache HTTP Server is to use the AddType directive.
TypesConfig /etc/mime.types
UseCanonicalName
The UseCanonicalName directive allows you to specify the way the server refers to itself. It takes the following form:
UseCanonicalName option
The option has to be a valid keyword as described in Table 12.19, “Available UseCanonicalName options”. The default option is Off.
| Option | Description |
|---|---|
| On | Enables the use of the name that is specified by the ServerName directive. |
| Off | Disables the use of the name that is specified by the ServerName directive. The hostname and port number provided by the requesting client are used instead. |
| DNS | Disables the use of the name that is specified by the ServerName directive. The hostname determined by a reverse DNS lookup is used instead. |
UseCanonicalName Off
User
The User directive allows you to specify the user under which the httpd service will run. It takes the following form:
User user
The user has to be an existing UNIX user. The default option is apache.
The httpd service should not be run with root privileges. Note that User is no longer supported inside <VirtualHost>, and has been replaced by the SuexecUserGroup directive.
User apache
UserDir
The UserDir directive allows you to enable serving content from users' home directories. It takes the following form:
UserDir option
The option can be either the name of the directory to look for in the user's home directory (typically public_html), or a valid keyword as described in Table 12.20, “Available UserDir options”. The default option is disabled.
| Option | Description |
|---|---|
| enabled user… | Enables serving content from home directories of the given users. |
| disabled [user…] | Disables serving content from home directories, either for all users, or, if a space separated list of users is supplied, for the given users only. |
Set the correct permissions on the home directory before enabling the UserDir directive. For example, to allow access to public_html/ in the home directory of user joe, type the following at a shell prompt as root:
~]# chmod a+x /home/joe/
~]# chmod a+rx /home/joe/public_html/
UserDir public_html
The following directive is commonly used in /etc/httpd/conf.d/ssl.conf:
SetEnvIf
The SetEnvIf directive allows you to set environment variables based on the headers of incoming connections. It takes the following form:
SetEnvIf option pattern [!]variable[=value]…
The option can be either an HTTP header field, a previously defined environment variable name, or a valid keyword as described in Table 12.21, “Available SetEnvIf options”. The pattern is a regular expression. The variable is an environment variable that is set when the option matches the pattern. If the optional exclamation mark (that is, !) is present, the variable is removed instead of being set.
| Option | Description |
|---|---|
| Remote_Host | Refers to the client's hostname. |
| Remote_Addr | Refers to the client's IP address. |
| Server_Addr | Refers to the server's IP address. |
| Request_Method | Refers to the request method (for example, GET). |
| Request_Protocol | Refers to the protocol name and version (for example, HTTP/1.1). |
| Request_URI | Refers to the requested resource. |
The SetEnvIf directive is used to disable HTTP keepalives, and to allow SSL to close the connection without a closing notification from the client browser. This is necessary for certain web browsers that do not reliably shut down the SSL connection.
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
For the /etc/httpd/conf.d/ssl.conf file to be present, the mod_ssl module needs to be installed. Refer to Section 12.1.8, “Setting Up an SSL Server” for more information on how to install and configure an SSL server.
The server-pool settings are enclosed in an IfModule container. By default, the server-pool is defined for both the prefork and worker MPMs.
The following directives are commonly used in /etc/httpd/conf/httpd.conf:
MaxClients
The MaxClients directive allows you to specify the maximum number of simultaneously connected clients to process at one time. It takes the following form:
MaxClients number
A high number can improve the performance of the server, although it is not recommended to exceed 256 when using the prefork MPM.
MaxClients 256
MaxRequestsPerChild
The MaxRequestsPerChild directive allows you to specify the maximum number of requests a child process can serve before it dies. It takes the following form:
MaxRequestsPerChild number
Setting the number to 0 allows an unlimited number of requests.
The MaxRequestsPerChild directive is used to prevent long-lived processes from causing memory leaks.
MaxRequestsPerChild 4000
MaxSpareServers
The MaxSpareServers directive allows you to specify the maximum number of spare child processes. It takes the following form:
MaxSpareServers number
This directive is used by the prefork MPM only.
MaxSpareServers 20
MaxSpareThreads
The MaxSpareThreads directive allows you to specify the maximum number of spare server threads. It takes the following form:
MaxSpareThreads number
The number must be greater than or equal to the sum of MinSpareThreads and ThreadsPerChild. This directive is used by the worker MPM only.
MaxSpareThreads 75
MinSpareServers
The MinSpareServers directive allows you to specify the minimum number of spare child processes. It takes the following form:
MinSpareServers number
A high number can create a heavy processing load on the server. This directive is used by the prefork MPM only.
MinSpareServers 5
MinSpareThreads
The MinSpareThreads directive allows you to specify the minimum number of spare server threads. It takes the following form:
MinSpareThreads number
This directive is used by the worker MPM only.
MinSpareThreads 75
StartServers
The StartServers directive allows you to specify the number of child processes to create when the service is started. It takes the following form:
StartServers number
StartServers 8
ThreadsPerChild
The ThreadsPerChild directive allows you to specify the number of threads a child process can create. It takes the following form:
ThreadsPerChild number
This directive is used by the worker MPM only.
ThreadsPerChild 25
The httpd service is distributed along with a number of Dynamic Shared Objects (DSOs), which can be dynamically loaded or unloaded at runtime as necessary. By default, these modules are located in /usr/lib/httpd/modules/ on 32-bit and in /usr/lib64/httpd/modules/ on 64-bit systems.
To load a particular DSO module, use the LoadModule directive as described in Section 12.1.5.1, “Common httpd.conf Directives”. Note that modules provided by a separate package often have their own configuration file in the /etc/httpd/conf.d/ directory.
LoadModule ssl_module modules/mod_ssl.so
After changing the set of loaded modules, restart the httpd service.
To compile a module, the httpd-devel package must be installed. Install it by typing the following at a shell prompt as root:
yum install httpd-devel
This package provides the APache eXtenSion (apxs) utility required to compile a module.
Once installed, you can build a module using the following command:
apxs -i -a -c module_name.c
To create a name-based virtual host, use the sample <VirtualHost> container in /etc/httpd/conf/httpd.conf as an example, remove the hash sign (that is, #) from the beginning of each line, and customize the options according to your requirements as shown in Example 12.80, “Sample virtual host configuration”.
NameVirtualHost penguin.example.com:80
<VirtualHost penguin.example.com:80>
    ServerAdmin webmaster@penguin.example.com
    DocumentRoot /www/docs/penguin.example.com
    ServerName penguin.example.com:80
    ErrorLog logs/penguin.example.com-error_log
    CustomLog logs/penguin.example.com-access_log common
</VirtualHost>
The ServerName must be a valid DNS name assigned to the machine. The <VirtualHost> container is highly customizable, and accepts most of the directives available within the main server configuration. Directives that are not supported within this container include User and Group, which were replaced by SuexecUserGroup.
If you configure a virtual host to listen on a non-default port, make sure you update the Listen directive in the global settings section of the /etc/httpd/conf/httpd.conf file accordingly.
Restart the httpd service for the new virtual host to take effect.
The Apache HTTP Server in combination with mod_ssl, a module that uses the OpenSSL toolkit to provide the SSL/TLS support, is commonly referred to as the SSL server.
The use of mod_ssl prevents any inspection or modification of the transmitted content. This section provides basic information on how to enable this module in the Apache HTTP Server configuration, and guides you through the process of generating private keys and self-signed certificates.
| Web Browser | Link |
|---|---|
| Mozilla Firefox | Mozilla root CA list. |
| Opera | The Opera Rootstore. |
| Internet Explorer | Windows root certificate program members. |
Make sure you have the mod_ssl (the mod_ssl module) and openssl (the OpenSSL toolkit) packages installed. To do so, type the following at a shell prompt as root:
yum install mod_ssl openssl
This will create the mod_ssl configuration file at /etc/httpd/conf.d/ssl.conf, which is included in the main Apache HTTP Server configuration file by default. For the module to be loaded, restart the httpd service as described in Section 12.1.4.3, “Restarting the Service”.
If you have an existing key and certificate, move them to the /etc/pki/tls/private/ and /etc/pki/tls/certs/ directories respectively. You can do so by running the following commands as root:
mv key_file.key /etc/pki/tls/private/hostname.key
mv certificate.crt /etc/pki/tls/certs/hostname.crt
Then add the following lines to the /etc/httpd/conf.d/ssl.conf configuration file:
SSLCertificateFile /etc/pki/tls/certs/hostname.crt
SSLCertificateKeyFile /etc/pki/tls/private/hostname.key
Finally, restart the httpd service as described in Section 12.1.4.3, “Restarting the Service”.
~]# mv /etc/httpd/conf/httpsd.key /etc/pki/tls/private/penguin.example.com.key
~]# mv /etc/httpd/conf/httpsd.crt /etc/pki/tls/certs/penguin.example.com.crt
The genkey utility is provided by the crypto-utils package. If it is not installed, as root, you can install it by typing the following at a shell prompt:
yum install crypto-utils
To create a self-signed certificate for an existing key, as root, use the following command instead of genkey:
openssl req -x509 -new -set_serial number -key hostname.key -out hostname.crt
If there is already a key file on your system, remove it by running the following command as root:
rm /etc/pki/tls/private/hostname.key
To generate a new key and certificate, as root, run the genkey command followed by the appropriate hostname (for example, penguin.example.com):
genkey hostname
1024 bits.
You can enable ([*]) or disable ([ ]) the encryption of the private key.
When done, add the following lines to the /etc/httpd/conf.d/ssl.conf configuration file: 
SSLCertificateFile /etc/pki/tls/certs/hostname.crt
SSLCertificateKeyFile /etc/pki/tls/private/hostname.key
Finally, restart the httpd service as described in Section 12.1.4.3, “Restarting the Service”, so that the updated configuration is loaded.
man httpd: The manual page for the httpd service containing the complete list of its command line options.
man genkey: The manual page for genkey containing the full documentation on its usage.
Make sure the dovecot package is installed on your system by running, as root:
yum install dovecot
When using a POP server, email messages are downloaded by email client applications. By default, most POP email clients are automatically configured to delete the message on the email server after it has been successfully transferred; however, this setting usually can be changed.
POP is fully compatible with important Internet messaging standards, such as Multipurpose Internet Mail Extensions (MIME), which allow for email attachments.
POP works best for users who have one system on which to read email. It also works well for users who do not have a persistent connection to the Internet or the network containing the mail server. Unfortunately for those with slow network connections, POP requires client programs upon authentication to download the entire content of each message. This can take a long time if any messages have large attachments.
The current version of the POP protocol is POP3.
There are several other POP protocol variants:
POP3 with MDS (Monash Directory Service) authentication. An encoded hash of the user's password is sent from the email client to the server rather than sending an unencrypted password.
POP3 with Kerberos authentication.
POP3 with RPOP authentication. This uses a per-user ID, similar to a password, to authenticate POP requests. However, this ID is not encrypted, so RPOP is no more secure than standard POP.
For added security, POP can use SSL encryption for client authentication and data transfer sessions. This can be enabled by using the pop3s service, or by using the /usr/sbin/stunnel application. For more information on securing email communication, refer to Section 13.5.1, “Securing Communication”.
The default IMAP server under Fedora is Dovecot and is provided by the dovecot package. Refer to Section 13.1.2.1, “POP” for information on how to install Dovecot.
When using an IMAP mail server, email messages remain on the server where users can read or delete them. IMAP also allows client applications to create, rename, or delete mail directories on the server to organize and store email.
IMAP is particularly useful for users who access their email using multiple machines. The protocol is also convenient for users connecting to the mail server via a slow connection, because only the email header information is downloaded for messages until opened, saving bandwidth. The user also has the ability to delete messages without viewing or downloading them.
IMAP client applications are capable of caching copies of messages locally, so the user can browse previously read messages when not directly connected to the IMAP server.
IMAP, like POP, is fully compatible with important Internet messaging standards, such as MIME, which allow for email attachments.
For added security, IMAP can use SSL encryption for client authentication and data transfer sessions. This can be enabled by using the imaps service, or by using the /usr/sbin/stunnel program. For more information on securing email communication, refer to Section 13.5.1, “Securing Communication”.
The imap-login and pop3-login processes, which implement the IMAP and POP3 protocols, are spawned by the master dovecot daemon included in the dovecot package. The use of IMAP and POP is configured through the /etc/dovecot/dovecot.conf configuration file; by default dovecot runs IMAP and POP3 together with their secure versions using SSL. To configure dovecot to use POP, complete the following steps:
Edit the /etc/dovecot/dovecot.conf configuration file to make sure the protocols variable is uncommented (remove the hash sign (#) at the beginning of the line) and contains the pop3 argument. For example:
protocols = imap imaps pop3 pop3s
If the protocols variable is left commented out, dovecot will use the default values specified for this variable.
Make the change operational for the current session by running the following command as root:
systemctl restart dovecot.service
To have the service start at boot, run:
systemctl enable dovecot.service
Note that dovecot only reports that it started the IMAP server, but also starts the POP3 server.
Unlike SMTP, both IMAP and POP3 require connecting clients to authenticate using a username and password. By default, passwords for both protocols are passed over the network unencrypted.
To configure SSL on dovecot:
Edit the /etc/pki/dovecot/dovecot-openssl.conf configuration file as you prefer. However, in a typical installation, this file does not require modification.
Rename, move, or delete the existing /etc/pki/dovecot/certs/dovecot.pem and /etc/pki/dovecot/private/dovecot.pem files.
Execute the /usr/libexec/dovecot/mkcert.sh script, which creates the dovecot self-signed certificates. These certificates are copied into the /etc/pki/dovecot/certs and /etc/pki/dovecot/private directories. To implement the changes, restart dovecot by typing the following at a shell prompt as root:
systemctl restart dovecot.service
More details on dovecot can be found online at http://www.dovecot.org.
A Mail Transport Agent (MTA) transfers email messages between hosts using SMTP. A message may involve several MTAs as it moves to its intended destination.
Examples of a Mail Delivery Agent (MDA) include mail or Procmail.
Many Mail User Agents (MUAs) are also capable of retrieving messages via the POP or IMAP protocols, setting up mailboxes to store messages, and sending outbound messages to an MTA.
To switch the default MTA to Sendmail, as root, you can either uninstall Postfix or use the following command to switch to Sendmail:
alternatives --config mta
To control whether the selected MTA starts at boot, use systemctl enable|disable service.service.
The Postfix executable is /usr/sbin/postfix. This daemon launches all related processes needed to handle mail delivery.
Postfix configuration files are stored in the /etc/postfix/ directory. The following is a list of the more commonly used files:
access — Used for access control, this file specifies which hosts are allowed to connect to Postfix.
main.cf — The global Postfix configuration file. The majority of configuration options are specified in this file.
master.cf — Specifies how Postfix interacts with various processes to accomplish mail delivery.
transport — Maps email addresses to relay hosts.
The aliases file can be found in the /etc/ directory. This file is shared between Postfix and Sendmail. It is a configurable list required by the mail protocol that describes user ID aliases.
The default /etc/postfix/main.cf file does not allow Postfix to accept network connections from a host other than the local computer. For instructions on configuring Postfix as a server for other clients, refer to Section 13.3.1.2, “Basic Postfix Configuration”.
Restart the postfix service after changing any options in the configuration files under the /etc/postfix directory in order for those changes to take effect. To do so, run the following command as root:
systemctl restart postfix.service
Perform the following steps as root to enable mail delivery for other hosts on the network:
Edit the /etc/postfix/main.cf file with a text editor, such as vi.
Uncomment the mydomain line by removing the hash sign (#), and replace domain.tld with the domain the mail server is servicing, such as example.com.
Uncomment the myorigin = $mydomain line.
Uncomment the myhostname line, and replace host.domain.tld with the hostname for the machine.
Uncomment the mydestination = $myhostname, localhost.$mydomain line.
Uncomment the mynetworks line, and replace 168.100.189.0/28 with a valid network setting for hosts that can connect to the server.
Uncomment the inet_interfaces = all line.
Comment out the inet_interfaces = localhost line.
Restart the postfix service.
The comments within the /etc/postfix/main.cf configuration file document its many options. Additional resources including information about Postfix configuration, SpamAssassin integration, or detailed descriptions of the /etc/postfix/main.cf parameters are available online at http://www.postfix.org/.
Postfix can use an LDAP directory as a source for various lookup tables (for example, aliases, virtual, canonical, and so on). This allows LDAP to store hierarchical user information and Postfix to only be given the result of LDAP queries when needed. By not storing this information locally, administrators can easily maintain it.
The following is a basic example of using LDAP to look up the /etc/aliases file. Make sure your /etc/postfix/main.cf contains the following:
alias_maps = hash:/etc/aliases, ldap:/etc/postfix/ldap-aliases.cf
Create a /etc/postfix/ldap-aliases.cf file if you do not have one created already and make sure it contains the following:
server_host = ldap.example.com
search_base = dc=example, dc=com
where ldap.example.com, example, and com are parameters that need to be replaced with the specification of an existing, available LDAP server.
The /etc/postfix/ldap-aliases.cf file can specify various parameters, including parameters that enable LDAP SSL and STARTTLS. For more information, refer to the ldap_table(5) man page.
For more information on LDAP, refer to Section 14.1, “OpenLDAP”.
Sendmail's core purpose, like other MTAs, is to transfer email among hosts, usually using the SMTP protocol. However, Sendmail is highly configurable, allowing control over almost every aspect of how email is handled, including the protocol used. Many system administrators elect to use Sendmail as their MTA due to its power and scalability.
Users usually interact with their email using a client that uses POP or IMAP to download their messages to their local machine. Or, they may prefer a Web interface to gain access to their mailbox. These other applications can work in conjunction with Sendmail, but they actually exist for different reasons and can operate separately from one another.
In order to use Sendmail, first ensure the sendmail package is installed on your system by running, as root:
yum install sendmail
In order to configure Sendmail, ensure the sendmail-cf package is installed on your system by running, as root:
yum install sendmail-cf
The Sendmail executable is /usr/sbin/sendmail.
Sendmail's main configuration file is /etc/mail/sendmail.cf. Avoid editing the sendmail.cf file directly. To make configuration changes to Sendmail, edit the /etc/mail/sendmail.mc file, back up the original /etc/mail/sendmail.cf, and use one of the following alternatives to generate a new configuration file:
Use the included makefile in /etc/mail/ (~]# make all -C /etc/mail/) to create a new /etc/mail/sendmail.cf configuration file. All other generated files in /etc/mail (db files) will be regenerated if needed. The old makemap commands are still usable. The make command will automatically be used by systemctl start|restart|reload sendmail.service.
Alternatively, use the m4 macro processor to create a new /etc/mail/sendmail.cf. The m4 macro processor is not installed by default. Before using it to create /etc/mail/sendmail.cf, install the m4 package as root:
yum install m4
Other Sendmail configuration files are installed in the /etc/mail/ directory including:
access — Specifies which systems can use Sendmail for outbound email.
domaintable — Specifies domain name mapping.
local-host-names — Specifies aliases for the host.
mailertable — Specifies instructions that override routing for particular domains.
virtusertable — Specifies a domain-specific form of aliasing, allowing multiple virtual domains to be hosted on one machine.
Several of the configuration files in /etc/mail/, such as access, domaintable, mailertable and virtusertable, must actually store their information in database files before Sendmail can use any configuration changes. To include any changes made to these configurations in their database files, run the following command, as root:
makemap hash /etc/mail/name < /etc/mail/name
where name represents the name of the configuration file to be updated. You may also restart the sendmail service for the changes to take effect by running:
systemctl restart sendmail.service
For example, to have all emails addressed to the example.com domain delivered to bob@other-example.com, add the following line to the virtusertable file:
@example.com bob@other-example.com
To finalize the change, the virtusertable.db file must be updated:
makemap hash /etc/mail/virtusertable < /etc/mail/virtusertable
Sendmail will create an updated virtusertable.db file containing the new configuration.
The Sendmail configuration is stored in the /etc/mail/sendmail.cf file.
Before changing the sendmail.cf file, it is a good idea to create a backup copy.
To add the desired functionality to Sendmail, edit the /etc/mail/sendmail.mc file as root. Once you are finished, restart the sendmail service and, if the m4 package is installed, the m4 macro processor will automatically generate a new sendmail.cf configuration file:
systemctl restart sendmail.service
The default sendmail.cf file does not allow Sendmail to accept network connections from any host other than the local computer. To configure Sendmail as a server for other clients, edit the /etc/mail/sendmail.mc file, and either change the address specified in the Addr= option of the DAEMON_OPTIONS directive from 127.0.0.1 to the IP address of an active network device or comment out the DAEMON_OPTIONS directive altogether by placing dnl at the beginning of the line. When finished, regenerate /etc/mail/sendmail.cf by restarting the service:
systemctl restart sendmail.service
The default configuration in Fedora works for most SMTP-only sites. However, it does not work for UUCP (UNIX-to-UNIX Copy Protocol) sites. If using UUCP mail transfers, the /etc/mail/sendmail.mc file must be reconfigured and a new /etc/mail/sendmail.cf file must be generated.
Consult the /usr/share/sendmail-cf/README file before editing any files in the directories under the /usr/share/sendmail-cf directory, as they can affect the future configuration of the /etc/mail/sendmail.cf file.
For instance, a company may want to have a machine called mail.example.com that handles all of their email and assigns a consistent return address to all outgoing mail.
In this situation, the Sendmail server must masquerade the machine names on the company network so that their return address is user@example.com instead of user@host.example.com.
To do this, add the following lines to /etc/mail/sendmail.mc:
FEATURE(always_add_domain)dnl
FEATURE(`masquerade_entire_domain')dnl
FEATURE(`masquerade_envelope')dnl
FEATURE(`allmasquerade')dnl
MASQUERADE_AS(`bigcorp.com.')dnl
MASQUERADE_DOMAIN(`bigcorp.com.')dnl
MASQUERADE_AS(bigcorp.com)dnl
After generating a new sendmail.cf using the m4 macro processor, this configuration makes all mail from inside the network appear as if it were sent from bigcorp.com.
Forwarding SMTP messages, also called relaying, has been disabled by default since Sendmail version 8.9. Before this change occurred, Sendmail directed the mail host (x.edu) to accept messages from one party (y.com) and send them to a different party (z.net). Now, however, Sendmail must be configured to permit any domain to relay mail through the server. To configure relay domains, edit the /etc/mail/relay-domains file and restart Sendmail:
systemctl restart sendmail.service
The /etc/mail/access file can be used to prevent connections from unwanted hosts. The following example illustrates how this file can be used to both block and specifically allow access to the Sendmail server:
badspammer.com ERROR:550 "Go away and do not spam us"
tux.badspammer.com OK
10.0 RELAY
This example shows that badspammer.com is blocked with a 550 RFC-821 compliant error code, with a message sent back to the spammer. Email sent from the tux.badspammer.com sub-domain is accepted. The last line shows that any email sent from the 10.0.*.* network can be relayed through the mail server.
/etc/mail/access.db file is a database, use the makemap command to update any changes. Do this using the following command as root:
makemap hash /etc/mail/access < /etc/mail/accessSMTP servers store information about an email's journey in the message header. As the message travels from one MTA to another, each puts in a Received header above all the other Received headers. It is important to note that this information may be altered by spammers.
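Before rebuilding access.db, it is worth listing which keys in /etc/mail/access are granted RELAY, since a short address prefix there lets a whole network relay through the server. The following POSIX shell function is an added example, not part of the guide; it assumes the key/action layout shown above and reports the prefix width of every RELAY entry.

```shell
#!/bin/sh
# Added example (not from the guide): audit which keys in an /etc/mail/access
# file are granted RELAY. Assumes the "key action" layout shown above; keys may
# carry the optional Connect:/From:/To: tag that Sendmail accepts.

audit_relay_entries() {
    # $1: path to an access file. For every RELAY entry prints the key, whether
    # it is a domain or an IPv4 prefix, the prefix width in bits, and "WIDE"
    # when fewer than three octets are given (a /8 or /16 may relay).
    awk '
        /^[[:space:]]*(#|$)/ { next }           # skip comments and blank lines
        toupper($2) == "RELAY" {
            key = $1
            sub(/^(Connect|From|To):/, "", key)  # drop an optional tag
            sub(/\.$/, "", key)                  # and a trailing dot
            if (key ~ /^[0-9.]+$/) {
                n = split(key, oct, ".")
                printf "%s RELAY ipv4-prefix /%d%s\n", $1, n * 8, (n < 3 ? " WIDE" : "")
            } else {
                printf "%s RELAY domain\n", $1
            }
        }
    ' "$1"
}

# Usage: sh audit_access.sh /etc/mail/access
if [ $# -gt 0 ]; then
    audit_relay_entries "$1"
fi
```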
Consult /usr/share/sendmail-cf/README for more information and examples.
Using LDAP is a very quick and powerful way to find specific information about a particular user from a much larger group. For example, an LDAP server can be used to look up a particular email address from a common corporate directory by the user's last name. In this kind of implementation, LDAP is largely separate from Sendmail, with LDAP storing the hierarchical user information and Sendmail only being given the result of LDAP queries in pre-addressed email messages.
Sendmail also supports a much greater integration with LDAP, where it uses LDAP to replace separately maintained files, such as /etc/aliases and /etc/mail/virtusertable, on different mail servers that work together to support a medium- to enterprise-level organization. In short, LDAP abstracts the mail routing level from Sendmail and its separate configuration files to a powerful LDAP cluster that can be leveraged by many different applications.
The current version of Sendmail contains support for LDAP. To extend the Sendmail server using LDAP, first get an LDAP server, such as OpenLDAP, running and properly configured. Then edit the /etc/mail/sendmail.mc file to include the following:
LDAPROUTE_DOMAIN(`yourdomain.com')dnl
FEATURE(`ldap_routing')dnl
This is only a very basic configuration of Sendmail with LDAP. The configuration can differ greatly from this depending on the implementation of LDAP, especially when configuring several Sendmail machines to use a common LDAP server.
Refer to /usr/share/sendmail-cf/README for detailed LDAP routing configuration instructions and examples.
Next, recreate the /etc/mail/sendmail.cf file by running the m4 macro processor and again restarting Sendmail. Refer to Section 13.3.2.3, “Common Sendmail Configuration Changes” for instructions.
For more information on LDAP, refer to Section 14.1, “OpenLDAP”.
Fetchmail retrieves email from remote servers using protocols such as POP3 and IMAP. It can even forward email messages to an SMTP server, if necessary.
To install the fetchmail package, run the following command as root:
yum install fetchmail
Fetchmail is configured for each user through the use of a .fetchmailrc file in the user's home directory. If it does not already exist, create the .fetchmailrc file in your home directory.
Using preferences in the .fetchmailrc file, Fetchmail checks for email on a remote server and downloads it. It then delivers it to port 25 on the local machine, using the local MTA to place the email in the correct user's spool file. If Procmail is available, it is launched to filter the email and place it in a mailbox so that it can be read by an MUA.
Although it is possible to set up Fetchmail by passing all necessary options on the command line, using a .fetchmailrc file is much easier. Place any desired configuration options in the .fetchmailrc file for those options to be used each time the fetchmail command is issued. It is possible to override these at the time Fetchmail is run by specifying the option on the command line.
A .fetchmailrc file contains three classes of configuration options: global options, server options, and user options.
Global options appear at the top of the .fetchmailrc file, followed by one or more server options, each of which designates a different email server that Fetchmail should check. User options follow server options for each user account checking that email server. Like server options, multiple user options may be specified for use with a particular server as well as to check multiple email accounts on the same server.
Server options are specified in the .fetchmailrc file by the use of a special option verb, poll or skip, that precedes any of the server information. The poll action tells Fetchmail to use this server option when it is run, which checks for email using the specified user options. Any server options after a skip action, however, are not checked unless this server's hostname is specified when Fetchmail is invoked. The skip option is useful when testing configurations in the .fetchmailrc file because it only checks skipped servers when specifically invoked, and does not affect any currently working configurations.
The following is an example of a .fetchmailrc file:
set postmaster "user1"
set bouncemail
poll pop.domain.com proto pop3
user 'user1' there with password 'secret' is user1 here
poll mail.domain2.com
user 'user5' there with password 'secret2' is user1 here
user 'user7' there with password 'secret3' is user1 here
In this example, the global options specify that the user is sent email as a last resort (postmaster option) and all email errors are sent to the postmaster instead of the sender (bouncemail option). The set action tells Fetchmail that this line contains a global option. Then, two email servers are specified, one set to check using POP3, the other for trying various protocols to find one that works. Two users are checked using the second server option, but all email found for any user is sent to user1's mail spool. This allows multiple mailboxes to be checked on multiple servers, while appearing in a single MUA inbox. Each user's specific information begins with the user action.
Users are not required to place their password in the .fetchmailrc file. Omitting the with password 'password' section causes Fetchmail to ask for a password when it is launched.
The fetchmail man page explains each option in detail, but the most common ones are listed in the following three sections.
Each global option should be placed on a single line after a set action.
daemon seconds — Specifies daemon-mode, where Fetchmail stays in the background. Replace seconds with the number of seconds Fetchmail is to wait before polling the server.
postmaster — Specifies a local user to send mail to in case of delivery problems.
syslog — Specifies the log file for errors and status messages. By default, this is /var/log/maillog.
Server options must be placed on their own line in .fetchmailrc after a poll or skip action.
auth auth-type — Replace auth-type with the type of authentication to be used. By default, password authentication is used, but some protocols support other types of authentication, including kerberos_v5, kerberos_v4, and ssh. If the any authentication type is used, Fetchmail first tries methods that do not require a password, then methods that mask the password, and finally attempts to send the password unencrypted to authenticate to the server.
interval number — Polls the specified server every number of times that it checks for email on all configured servers. This option is generally used for email servers where the user rarely receives messages.
port port-number — Replace port-number with the port number. This value overrides the default port number for the specified protocol.
proto protocol — Replace protocol with the protocol, such as pop3 or imap, to use when checking for messages on the server.
timeout seconds — Replace seconds with the number of seconds of server inactivity after which Fetchmail gives up on a connection attempt. If this value is not set, a default of 300 seconds is assumed.
User options may be placed on their own lines beneath a server option or on the same line as the server option. In either case, the defined options must follow the user option (defined below).
fetchall — Orders Fetchmail to download all messages in the queue, including messages that have already been viewed. By default, Fetchmail only pulls down new messages.
fetchlimit number — Replace number with the number of messages to be retrieved before stopping.
flush — Deletes all previously viewed messages in the queue before retrieving new messages.
limit max-number-bytes — Replace max-number-bytes with the maximum size in bytes that messages are allowed to be when retrieved by Fetchmail. This option is useful with slow network links, when a large message takes too long to download.
password 'password' — Replace password with the user's password.
preconnect "command" — Replace command with a command to be executed before retrieving messages for the user.
postconnect "command" — Replace command with a command to be executed after retrieving messages for the user.
ssl — Activates SSL encryption.
user "username" — Replace username with the username used by Fetchmail to retrieve messages. This option must precede all other user options.
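Because a .fetchmailrc may hold passwords and the ssl option is off unless set, it helps to check a file like the sample above before relying on it. The following POSIX shell function is an added example, not part of the guide; it assumes the sample's layout (poll or skip lines followed by user lines) and the hypothetical name audit_fetchmailrc.

```shell
#!/bin/sh
# Added example (not from the guide): audit a .fetchmailrc file. Assumes the
# layout of the sample above (poll/skip lines followed by user lines).

audit_fetchmailrc() {
    f=$1
    # fetchmail refuses to use a group- or world-accessible .fetchmailrc that
    # holds passwords; mirror that check with a portable ls parse.
    case $(ls -ld "$f" | cut -c5-10) in
        ------) ;;
        *) echo "PERMS $f is group/world accessible" ;;
    esac
    # One line per server: verb, host, "ssl" or "plaintext", and whether the
    # password is stored in the file or will be prompted for.
    awk '
        function report() {
            if (host != "") printf "%s %s %s %s\n", verb, host, ssl, pw
        }
        /^[[:space:]]*(#|$)/ { next }
        $1 == "poll" || $1 == "skip" {
            report()
            verb = $1; host = $2; ssl = "plaintext"; pw = "prompt"
            for (i = 3; i <= NF; i++) {
                if ($i == "ssl") ssl = "ssl"
                if ($i == "password") pw = "password-in-file"
            }
            next
        }
        host != "" {
            for (i = 1; i <= NF; i++) {
                if ($i == "ssl") ssl = "ssl"
                if ($i == "password") pw = "password-in-file"
            }
        }
        END { report() }
    ' "$f"
}

# Usage: sh audit_fetchmailrc.sh ~/.fetchmailrc
if [ $# -gt 0 ]; then
    audit_fetchmailrc "$1"
fi
```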
Most Fetchmail options used on the command line when executing the fetchmail command mirror the .fetchmailrc configuration options. In this way, Fetchmail may be used with or without a configuration file. These options are not used on the command line by most users because it is easier to leave them in the .fetchmailrc file.
There may be times when it is desirable to run the fetchmail command with other options for a particular purpose. It is possible to issue command options to temporarily override a .fetchmailrc setting that is causing an error, as any options specified at the command line override configuration file options.
Certain informational or debugging options used after the fetchmail command can supply important information.
--configdump — Displays every possible option based on information from .fetchmailrc and Fetchmail defaults. No email is retrieved for any users when using this option.
-s — Executes Fetchmail in silent mode, preventing any messages, other than errors, from appearing after the fetchmail command.
-v — Executes Fetchmail in verbose mode, displaying every communication between Fetchmail and remote email servers.
-V — Displays detailed version information, lists its global options, and shows settings to be used with each user, including the email protocol and authentication method. No email is retrieved for any users when using this option.
The following special options are occasionally useful for overriding defaults often found in the .fetchmailrc file.
-a — Fetchmail downloads all messages from the remote email server, whether new or previously viewed. By default, Fetchmail only downloads new messages.
-k — Fetchmail leaves the messages on the remote email server after downloading them. This option overrides the default behavior of deleting messages after downloading them.
-l max-number-bytes — Fetchmail does not download any messages over a particular size and leaves them on the remote email server.
--qui