System and Network Administration

lecture in color

Dependencies

not just between source files.
not just between masters and slaves.
also between network entities.
can bring network to a grinding halt.

What happened in task 3:

mount filesystems from tcp on e12
tcp won't come up until e12, because it waits for the filesystem from e12.
mount filesystems from e12 on tcp
e12 won't come up until tcp, because it waits for the filesystem from tcp.
circular dependency => DEADLOCK. If power fails, and we boot tcp and e12 together, NEITHER WILL EVER COME UP!

The dependency game

servers provide services.
usually interdependent.
some services required for boot.
- requirements graph must form a directed acyclic graph of servers.
```
 q -> r -> s -> t    a -> b means 'a needs b'
                |
                v
 x -> y -> z -> w 'root server'
```
- boot root node first.
- work backward through the hierarchy.

Basic model of network services:

the 'remote procedure call' (RPC)

do something on a client that causes a procedure to be run on a server.

 program=>query: what is foo?
 client ------------------------------------------> server
        <------------------------------------------
                  response: foo is 192.138.178.156<=daemon

connection between 'client' and 'server'
- client: the machine requiring information.
- server: the machine providing information.

connection identified by 'ports'

numbers between 0-65535
on server, number identifies the SERVICE
port number is random on client.

a connection is a quadruple

 (requesting address, requesting port, server address, server port)

server port number maps to kind of service: /etc/services

 tcpmux           1/tcp
 echo             7/tcp
 echo             7/udp
 discard          9/tcp                 sink null
 discard          9/udp                 sink null
 systat           11/tcp                users
 daytime          13/tcp
 daytime          13/udp
 netstat          15/tcp
 chargen          19/tcp                ttytst source
 chargen          19/udp                ttytst source
 ftp-data         20/tcp
 ftp              21/tcp
 telnet           23/tcp
 smtp             25/tcp                mail
 time             37/tcp                timserver
 time             37/udp                timserver
 name             42/udp                nameserver
 whois            43/tcp                nicname                # usually to sri-nic
 domain           53/udp
 domain           53/tcp
 bootps           67/udp                                # BOOTP/DHCP server
 bootpc           68/udp                                # BOOTP/DHCP client
 hostnames        101/tcp                hostname       # usually to sri-nic
 pop2             109/tcp                pop-2          # Post Office Protocol - V2
 pop3             110/tcp                               # Post Office Protocol - Version 3
 sunrpc           111/udp                rpcbind
 sunrpc           111/tcp                rpcbind
 imap             143/tcp                imap2          # Internet Mail Access Protocol v2
 ldap             389/tcp                               # Lightweight Directory Access Protocol        
 ldap             389/udp                               # Lightweight Directory Access Protocol
 ldaps            636/tcp                               # LDAP protocol over TLS/SSL (was sldap)
 ldaps            636/udp                               # LDAP protocol over TLS/SSL (was sldap)
 #
 # Host specific functions
 #
 tftp            69/udp
 rje             77/tcp
 finger          79/tcp
 link            87/tcp        ttylink
 supdup          95/tcp
 iso-tsap        102/tcp
 x400            103/tcp                            # ISO Mail
 x400-snd        104/tcp
 csnet-ns        105/tcp
 pop-2           109/tcp                            # Post Office
 uucp-path       117/tcp
 nntp            119/tcp        usenet              # Network News Transfer
 ntp             123/tcp                            # Network Time Protocol
 ntp             123/udp                            # Network Time Protocol
 NeWS            144/tcp        news                # Window System
 cvc_hostd       442/tcp                            # Network Console
 #
 # UNIX specific services
 #
 # these are NOT officially assigned
 #
 exec            512/tcp
 login           513/tcp
 shell           514/tcp        cmd              # no passwords used
 printer         515/tcp        spooler          # line printer spooler
 courier         530/tcp        rpc              # experimental
 uucp            540/tcp        uucpd            # uucp daemon
 biff            512/udp        comsat
 who             513/udp        whod
 syslog          514/udp
 talk            517/udp
 route           520/udp        router routed
 klogin          543/tcp                         # Kerberos auth rlogin
 new-rwho        550/udp        new-who          # experimental
 rmonitor        560/udp        rmonitord        # experimental
 monitor         561/udp                         # experimental
 pcserver        600/tcp                         # ECD Integrated PC board srvr
 kerberos-adm    749/tcp                         # Kerberos V5 Administration
 kerberos-adm    749/udp                         # Kerberos V5 Administration
 kerberos        750/udp         kdc             # Kerberos key server
 kerberos        750/tcp         kdc             # Kerberos key server
 krb5_prop       754/tcp                         # Kerberos V5 KDC propogation
 ufsd            1008/tcp        ufsd            # UFS-aware server
 ufsd            1008/udp        ufsd
 cvc             1495/tcp                        # Network Console
 ingreslock      1524/tcp
 www-ldap-gw     1760/tcp                        # HTTP to LDAP gateway
 www-ldap-gw     1760/udp                        # HTTP to LDAP gateway
 listen          2766/tcp                        # System V listener port
 nfsd            2049/udp        nfs                # NFS server daemon (clts)
 nfsd            2049/tcp        nfs                # NFS server daemon (cots)
 eklogin         2105/tcp                        # Kerberos encrypted rlogin
 lockd           4045/udp                        # NFS lock daemon/manager
 lockd           4045/tcp
 dtspc           6112/tcp                        # CDE subprocess control
 fs              7100/tcp                        # Font server
 
 ########
 # customizations for eecs.tufts.edu 
 ########
 
 # kerberos authentication
 klogin          543/tcp                         # Kerberos authenticated rlogin
 # kerberos      750/udp         kdc             # Kerberos authentication--udp
 # kerberos      750/tcp         kdc             # Kerberos authentication--tcp
 kerberos_master 751/udp                         # Kerberos authentication
 kerberos_master 751/tcp                         # Kerberos authentication
 passwd_server   752/udp                         # Kerberos passwd server
 userreg_server  753/udp                         # Kerberos userreg server
 kpop            1109/tcp                        # Pop with Kerberos
 knetd           2053/tcp                        # Kerberos de-multiplexor
 kshell          544/tcp         cmd             # and remote shell
 krb_prop        754/tcp                         # Kerberos slave propagation
 erlogin         888/tcp                         # Login and environment passing
 eklogin         2105/tcp                        # Kerberos encrypted rlogin
 
 # httpd server
 http            80/tcp
 
 # samba - netbios services
 netbios-ssn     139/tcp
 netbios-ns      137/udp
  
 # snmp services
 snmp            161/udp
 snmp-trap       162/udp
 snmp-rt         167/udp
 
 # appletalk service
 at-rtmp         201/udp
 at-nbp          202/udp
 at-echo         204/udp
 at-zis          206/udp
  
 # Alternate talk protocol
 ntalk           518/udp
  
 #  RADIUS server
 radius          1645/udp
 radacct         1646/udp
 
 # gnu-finger 
 cfinger         2003/tcp
 
 # hylafax
 fax             4557/tcp
 
 # cfengine server 'cfd' 
 cfengine        5308/tcp 
 
 # CUSTOM SERVICES 
 commplex-main   50000/tcp
 commplex-link   50001/tcp

Service comments

may be tcp or udp depending upon service.
may have to use a specific program to query, or may utilize a library instead to allow ANY program to make a query.

Kinds of Services:

unauthenticated: anyone can use.
semi-authenticated: some limits.
authenticated: strict limits.

Unauthenticated services

Domain Name Service (DNS, bind) provides
- ip to name maps
- name to ip maps
- special information about hosts.
Lightweight Directory Access Protocol (LDAP) provides
- maps of people's names to mailing addresses
- any other directory information you want.
X.500 (Heavyweight Directory Access Protocol:)
- same as LDAP, but hierarchical and possible to distribute servers.
provide information
inherently insecure (because you don't know WHO's getting information)
lately, many 'enhancements' limit information availability.
hopefully you don't distribute anything crucial using them.

Case study: BIND (named)

started out insecure
anyone could do anything.
was very handy for crackers: could 'ls' whole domains and get lists of machines to attack.

bind-8: access control: largo:/etc/named.conf

 options {
       directory "/var/local/named";
       allow-query {
               130.64.23/24;
               130.64.24/24;
               130.64.1.1;
               130.64.5.1;
               130.64.1.29;
               130.64.5.6;
               192.168/16;
       };
 };

Semi-authenticated services

'sort of' protected but not really
network information service (nis)

Authenticated services

NIS+: successor to nis
NFS: network file service

Authenticated services

in PRINCIPLE, any authenticated service may be authenticated by any method,
in PRACTICE, only a few authentication methods are allowed.

Network niceties

remote filesystems
automount: mount filesystems when needed.
remote printing

Remote filesystems

NFS: Network file system (SUN)
- host-based authentication
- support for host credentials
- ubiquitous and freely available.
AFS: Andrew file system (CMU)
- used to be free
- now costs big $
- because banks want it.
- more secure.
DFS: Distributed File System (DEC)
- based on doomed DCE (distributed computing environment)
- encrypted.
- costs big $

Network file service

/etc/exports: determines files to serve
- service is down until it contains an entry.
- must reboot to make it work.
service daemon: nfsd
- provides files to remote hosts.
service daemon: mountd
- authenticates requests for service.
/etc/fstab: determines directories to access
- both NFS and UFS

Differences between NFS and UFS

NFS: any directory can be mounted.
UFS: limited to mounting partitions of devices.
NFS: mounts can't cross partition boundaries.
NFS: multiple machines can access the same remote directory.
UFS: only one mount per directory.

How NFS works:

mount : asks remote nfsd for service.
remote nfsd: asks remote mountd if it's OK.
If ok, issues an access cookie to nfsd.
If not ok, no issue.

Access cookies.

Client server receives one access cookie for each remote mount.
When running, every NFS request from client to server contains the access cookie.
If the server dies, the client access cookie remains valid!
Access cookie codes RIGHTS, including read/write and root!
so if you get that cookie, you have rights EVEN IF THE SERVER REVOKES THEM!
Hackers find these cookies quite delicious and habit-forming.

True Story

I wanted to move a filesystem
I unexported it.
I copied it elsewhere.
I checked the result and the copy was DIFFERENT! OOPS!
I investigated: several hosts still had cookies for the filesystem.
So even though I thought I'd limited access, I hadn't!

Discovering dependencies

Let's explore the sun network:
First the master fileserver:

largo{couch}56: df -k

Filesystem kbytes used avail capacity Mounted on

 /dev/dsk/c0t0d0s0      53343   39492    8517    83%    /
 /dev/dsk/c0t0d0s6     487759  426093   12891    98%    /usr
 /proc                      0       0       0     0%    /proc
 fd                         0       0       0     0%    /dev/fd
 /dev/dsk/c0t0d0s4     356687  255152   65867    80%    /var
 /dev/dsk/c0t0d0s5     178335   29260  131242    19%    /opt
 swap                  291472    2328  289144     1%    /tmp
 /dev/dsk/c0t0d0s3     571583  361965  152460    71%    /old
 /dev/dsk/c0t1d0s3    4425381  964507 3018336    25%    /admin
 /dev/dsk/c0t1d0s4     947487  511074  341665    60%    /var/export
 /dev/dsk/c0t1d0s0     141631  123935    3533    98%    /export/root
 /dev/dsk/c0t2d0s2    8360226 4642122 2882082    62%    /export/2
 /dev/dsk/c0t3d0s2    8360226 3905441 3618763    52%    /export/4
 /dev/dsk/c1t0d0s2    8321498 4540569 2948780    61%    /export/0
 /dev/dsk/c1t1d0s3    7741772 3772492 3195103    55%    /export/A
 /dev/dsk/c1t1d0s4    7741772 2323926 4643669    34%    /export/B
 /dev/dsk/c1t1d0s5    5835357 4666028  585794    89%    /export/C
 /dev/dsk/c1t13d0s3   8751429 7748831  915084    90%    /export/D
 /dev/dsk/c1t13d0s4   8753629 3573827 5092266    42%    /export/E
 /dev/dsk/c1t3d0s2    8709501 4644974 3977432    54%    /export/3
 /dev/dsk/c2t1d0s2    8321498 7382282  107067    99%    /export/5
 /dev/dsk/c2t2d0s2    8749013 8597222   64301   100%    /export/6
 /dev/dsk/c2t3d0s2    8321498 7342078  147271    99%    /export/7
 /dev/dsk/c2t0d0s0    8751429 1618197 7045718    19%    /export/F
 /dev/dsk/c2t0d0s1    8753629 3918441 4747652    46%    /export/G
 /dev/dsk/c2t4d0s0    1919959  116387 1745974     7%    /export/H/p/3
 /dev/dsk/c2t4d0s1    1919959   18389 1843972     1%    /export/H/p/4
 /dev/dsk/c2t4d0s3    1919959   98711 1763650     6%    /export/H/p/5
 /dev/dsk/c2t4d0s4    1919959  325061 1537300    18%    /export/H/p/6
 /dev/dsk/c2t4d0s5    1919959  241346 1621015    13%    /export/H/p/7
 /dev/dsk/c2t4d0s6    1919959  669131 1193230    36%    /export/H/p/8
 /dev/dsk/c2t4d0s7    1919959      16 1862345     1%    /export/H/p/9
 /export/A/s/0        7741772 3772492 3195103    55%    /s/0
 /export/D/u/f        8751429 7748831  915084    90%    /u/f
 /export/C/u/t        5835357 4666028  585794    89%    /u/t
 /var/export/mail      947487  511074  341665    60%    /var/mail
 /export/5/loc/SLINK  8321498 7382282  107067    99%    /local
 /export/0/s/9        8321498 4540569 2948780    61%    /s/9
 /export/5/loc/utils  8321498 7382282  107067    99%    /loc/utils
 /export/C/u/s        5835357 4666028  585794    89%    /u/s
 /export/5/loc/net    8321498 7382282  107067    99%    /loc/net
 /export/E/u/m        8753629 3573827 5092266    42%    /u/m
 /export/B/s/1        7741772 2323926 4643669    34%    /s/1
 /export/B/s/8        7741772 2323926 4643669    34%    /s/8
 /export/H/p/8        1919959  669131 1193230    36%    /p/8
 /export/H/p/7        1919959  241346 1621015    13%    /p/7
 /export/H/p/6        1919959  325061 1537300    18%    /p/6
 /export/H/p/5        1919959   98711 1763650     6%    /p/5
 /export/H/p/4        1919959   18389 1843972     1%    /p/4
 /export/H/p/3        1919959  116387 1745974     7%    /p/3
 /export/H/p/9        1919959      16 1862345     1%    /p/9
 /export/0/s/5        8321498 4540569 2948780    61%    /s/5
 /export/5/loc/X11    8321498 7382282  107067    99%    /loc/X11

then a typical network client:

 blackhole{couch}51: df -k 
 Filesystem            kbytes    used   avail capacity  Mounted on
 /proc                      0       0       0     0%    /proc
 /dev/dsk/c0t3d0s0      83319   27401   47587    37%    /
 /dev/dsk/c0t3d0s6     746982  485182  202042    71%    /usr
 fd                         0       0       0     0%    /dev/fd
 /dev/dsk/c0t3d0s1      41407   12706   24561    35%    /var
 swap                   73088     284   72804     1%    /tmp
 /dev/dsk/c0t2d0s2     955189  188118  709760    21%    /export/1
 largo:/export/cf       53343   39492    8517    83%    /cf
 largo:/export/5/loc/fax
                      8321498 7382282  107067    99%    /loc/fax
 largo:/export/D/u/f  8751429 7748831  915084    90%    /u/f
 largo:/export/3/g    8709501 4644974 3977432    54%    /g
 largo:/export/5/loc/lang
                      8321498 7382282  107067    99%    /loc/lang
 largo:/export/5/loc/xclients
                      8321498 7382282  107067    99%    /loc/xclients
 largo:/export/5/loc/shells
                      8321498 7382282  107067    99%    /loc/shells
 largo:/var/export/mail
                       947487  511014  341725    60%    /var/mail
 largo:/export/5/loc/SLINK
                      8321498 7382282  107067    99%    /local
 largo:/export/7/loc/gnu
                      8321498 7342077  147272    99%    /loc/gnu
 largo:/export/5/loc/X11
                      8321498 7382282  107067    99%    /loc/X11
 blackhole{couch}52:

Whoa, something is strange

things aren't mounted on the client
but if we ask for them, they get mounted.
answer: automounting!o

The 'Automounter'

'automount' daemon runs on client
fakes being nfsd.
watches for access to its filesystem.
if it gets a request for its filesystem, it mounts it!
If the filesystem remains unused, it gets unmounted.

Why automounting?

avoids dependencies!
saves boot time!
doesn't ever do unneeded mounts!

Setting up automounting:

/etc/auto.master
```
 /homes /etc/auto.homes
```
says to mount a bunch of directories under /homes. These are listed in /etc/auto.homes:
```
 e01 e01:/export/home
 e02 e02:/export/home
 ...
```
/etc/rc.d/init.d/autofs : script that starts up automounting.
must link to this from /etc/rc.d/rc3.d/S??autofs to start up automounting! ?? determines when!

Automount behavior

if you ls /homes, you get nothing.
if you cd /homes/e01, it's mounted.
if you then ls /homes, it contains e01.

Case study: when automounting fails

license server has to run on allegro
file stored on largo
license server runs before autofs in /etc/rc2.d.
so automounting isn't up yet.
so license server fails to run.

Revised Task 5: set this up!

tcp already automounts /homes
you make e?? automount /local, /home
so there will be no dependencies.

Types of network services:

stateless: every query or request starts in the same state, legal queries or information provided don't change in nature over time.
- File Service (sort-of)
- Name Service
- Information Services (unless they can change their contents)
stateful: queries change the state of a server so that further queries react differently
- License Service (when you check out a license, it's no longer available)
- Printer Service (when you ask for something to be printed, it's queued)

Kinds of network services:

file service: where can I store info? we're familier with NFS.
mail service: how can I communicate with others? we're familiar with sendmail.
databases: what about you can I find out?
printer service: how can I print things out?
authentication: are you actually you?
authorization: are you entitled to things?

Authentication services

ask a host to tell whether you're you or not
may require a password, etc.

Network authentication services

radius
- specifically for dialups
- just lets you into a dialup bank such as Tufts'
kerberos
- for all kinds of systems
- for all kinds of services

Lessons:

application-specific is always easier to deal with than generic (but you have to run more daemons)
generic methods gain power at the expense of complexity.

lecture in color

/comp/150NET/notes/depend-old.php
downloaded on Nov-23-2009 04:48:56 PM,
was last modified on Feb-17-2004 10:47:44 PM.
All lecture note content is copyright 2004 by
Alva L. Couch, Computer Science, Tufts University