
System and Network Administration

COSC4036
By Basha K | Faculty of Computing and Software Engineering | AMIT
Learning Outcome
Upon successful completion of the course, students will be able to:
• Understand the concepts, principles, and roles of system and network administration.
• Understand how to install and configure the Linux operating system.
• Understand how to build network services for users.
• Understand how to design and implement small to medium level network administration.
• Understand how to identify security policies and troubleshooting.
• Understand how to apply scripting for system administration.

Lecture Five
Installation of Application Server and Management

Topics Covered
5.1 DHCP, DNS, Telnet server; compare with other NOS setup of corresponding network services
5.2 Open SSH: Secure Network Communication
5.3 FTP and Setting-up Mail Servers and Client
5.4 Network Information Service (NIS) and Sharing File systems (NFS)
5.5 SAMBA: Linux and Windows File and Printer Sharing
5.6 DNS/BIND: Tracking Domain Names and Address
5.7 Setting up a Firewall and a Web server

5.1 DHCP, DNS, Telnet server; compare with other NOS setup of corresponding network services

Configuring a DHCP Server
• In “Adding a New Network Host” in Chapter 4, we considered the process of configuring a client system to obtain an IP address from a DHCP server.
• In this section, we complete the picture by discussing DHCP server configuration and management.
• DHCP servers draw the IP addresses that they provide from lists of addresses that they have been given to manage.
• These lists are known as scopes.
• Unix DHCP servers can manage one or more scopes.
• For example, suppose we have a network of two subnets, 10.10.1.0/24 and 10.10.20.0/24, and we place a DHCP server on each one.
• We want to use 101 IP addresses from each subnet for dynamic assignment, hosts 100 through 200.
• We might divide up the addresses this way:

• Each server is assigned part of the address range for each subnet.
• When a client requests an IP address, the DHCP server always assigns one from the appropriate subnet (if none is available, the request fails).
• Splitting the addresses this way provides for some fault tolerance.
• If either server goes down, a DHCP relay can be set up temporarily on its subnet pointing to the other server, and IP address assignment will still take place.

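As an added example (not from the slides or from ISC), this shell script emits the dhcpd.conf subnet declarations each of the two servers would carry for the split described above, and counts the addresses in each server's pools. The 100-150 / 151-200 division and the function names are assumptions, since the slide's own table is not reproduced here.

```shell
#!/bin/sh
# Added example: ISC dhcpd.conf subnet blocks for the two-server split.
# The 100-150 / 151-200 division is an assumption, not the slide's table.

# split_scope PREFIX FIRST LAST SPLIT WHICH
#   PREFIX      first three octets of a /24, e.g. 10.10.1
#   FIRST LAST  dynamic host range
#   SPLIT       last host held by server A; server B holds SPLIT+1..LAST
#   WHICH       A or B
split_scope() {
    prefix=$1 first=$2 last=$3 split=$4 which=$5
    if [ "$first" -gt "$split" ] || [ "$split" -ge "$last" ]; then
        echo "split_scope: need FIRST <= SPLIT < LAST" >&2
        return 1
    fi
    case $which in
        A) lo=$first; hi=$split ;;
        B) lo=$((split + 1)); hi=$last ;;
        *) echo "split_scope: WHICH must be A or B" >&2; return 1 ;;
    esac
    printf 'subnet %s.0 netmask 255.255.255.0 {\n' "$prefix"
    printf '    range %s.%s %s.%s;\n' "$prefix" "$lo" "$prefix" "$hi"
    printf '}\n'
}

# server_conf WHICH: each server declares both subnets, so a relay pointed
# at the surviving server is answered from that server's share.
server_conf() {
    split_scope 10.10.1 100 200 150 "$1" &&
    split_scope 10.10.20 100 200 150 "$1"
}

# pool_size CONF_TEXT: number of addresses covered by its range statements.
pool_size() {
    printf '%s\n' "$1" | awk '$1 == "range" {
        split($2, a, "."); split($3, b, "."); sub(/;/, "", b[4])
        n += b[4] - a[4] + 1
    } END { print n + 0 }'
}

server_conf A    # prints server A's two subnet declarations
```

The two pools must never overlap: two independent servers leasing from the same range can hand the same address to different clients.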
• Within a scope:
  • Certain IP addresses can be excluded, meaning that they are permanently unavailable for assignment (perhaps some server is using one as its static IP address).
  • Certain addresses can be reserved for specific hosts, identified by their MAC address.
  • For example, a reservation suits a laptop that you want to have the same IP address whenever it is connected to a specific subnet but that still changes IP addresses as it moves around.

DHCP server facilities (components)
• DHCP configuration for each operating system is different.
• Each OS has its own DHCP server and DHCP relay.

Components (DHCP server, DHCP relay)
• Server executable
• Configuration file
• Boot script that starts the DHCP server
• Boot script configuration file: DHCP server-related entries
• Leases data files

• AIX OS
  • The AIX DHCP server is dhcpsd.
  • It is configured via the /etc/dhcpsd.cnf configuration file.
  • Here is a configuration file that I’ve annotated:

• ISC DHCP: FreeBSD and Linux
  • The open source operating systems all use the DHCP implementation from the Internet Software Consortium (see http://www.isc.org).
  • The DHCP server is dhcpd.
  • It uses the configuration file /etc/dhcpd.conf.
  • Here is an example version illustrating its features:

  • There is a graphical utility for configuring the DHCP server available in the KDE desktop environment.
  • It is named kcmdhcpd and written by Karl Backström (http://www.lysator.liu.se/~backstrom/kcmdhcpd/), and it is illustrated in Figure

5.2 Open SSH: Secure Network Communication

The Secure Shell
• The secure shell is becoming the accepted mechanism for remote system access.
• The most widely used version is OpenSSH.
• OpenSSH is based on the version originally written by Tatu Ylönen.
• It is now handled by the OpenBSD team.
• The secure shell provides an alternative to the traditional clear-text remote sessions using telnet or rlogin, since the entire session is encrypted.
• The OpenSSH configuration files are stored in /etc/ssh.
• The most important of these is /etc/ssh/sshd_config.
• Here is a simple, annotated example of this file:

• Set up Remote Authentication
  • Disable hosts.equiv and .rhosts passwordless authentication.
  • Use ssh for remote user access.

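One way to check the first point, as an added example that is not part of the original slides: a shell function that reads sshd_config text and reports the effective IgnoreRhosts and HostbasedAuthentication values, the two OpenSSH server keywords that control .rhosts and hosts.equiv trust. The function names and both sample configurations are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the sshd_config keywords behind hosts.equiv/.rhosts
# trust. Both sample configurations below are constructed.

# effective_value KEYWORD DEFAULT   (sshd_config text on stdin)
# sshd keeps the first value it reads for a keyword, keyword names are
# case-insensitive, and lines after a Match line are conditional, so only
# the part before the first Match is read here.
effective_value() {
    awk -v want="$1" -v dflt="$2" '
        /^[ \t]*#/ { next }
        /^[ \t]*$/ { next }
        { sub(/[ \t]*=[ \t]*/, " ") }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(want) { print tolower($2); found = 1; exit }
        END { if (!found) print dflt }
    '
}

# audit_rhosts CONFIG_TEXT: return 0 only when both settings are safe.
audit_rhosts() {
    ignore=$(printf '%s\n' "$1" | effective_value IgnoreRhosts yes)
    hostbased=$(printf '%s\n' "$1" | effective_value HostbasedAuthentication no)
    rc=0
    [ "$ignore" = yes ] || { echo "FAIL IgnoreRhosts $ignore"; rc=1; }
    [ "$hostbased" = no ] || { echo "FAIL HostbasedAuthentication $hostbased"; rc=1; }
    return "$rc"
}

sample_weak() {
    cat <<'EOF'
Port 22
hostbasedauthentication yes
IgnoreRhosts=no
HostbasedAuthentication no
Match User backup
    IgnoreRhosts yes
EOF
}

sample_hardened() {
    cat <<'EOF'
Port 22
IgnoreRhosts yes
HostbasedAuthentication no
EOF
}

audit_rhosts "$(sample_weak)" || echo "weak sample rejected"
```

On a real host, pass the file's contents, for example `audit_rhosts "$(cat /etc/ssh/sshd_config)"`; the later, safe-looking HostbasedAuthentication line in the weak sample has no effect because the earlier one is read first.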
5.3 FTP and Setting-up Mail Servers and Client

5.4 Network Information Service (NIS) and Sharing File systems (NFS)

NFS and NIS Configuration
• Once you have TCP/IP enabled on your system, you may wish to configure your system to use the Network File System (NFS) or Network Information Service (NIS).
• NFS allows your system to share files directly with a network of machines.
• File access across NFS is transparent; you simply access the files as if they were stored on your local disk.
• In system administration terms, one system mounts another's filesystem on a local directory, just as a local filesystem can be mounted.
• NFS also allows you to export filesystems, allowing other systems on the network to mount your disks directly.

The Network Information Service (NIS)
• The Network Information Service (NIS) is another distributed database service that allows a single set of system configuration files to be maintained for an entire local network of computers.
• With NIS, a single password file can be maintained for an entire network of computers almost automatically (you still have to add or modify entries on one copy by hand).
• If your network has direct connections to other computers outside of your control, or if there are any internal systems that need to be protected from others within the local network, then I’d advise you not to use NIS or even NIS+ (which fixes only a few of NIS’s most egregious security flaws).
• Use NIS only when you want an open, mutually trusting security environment across an entire local network that has all its entrances—from the outside world as well as untrusted parts of the same site—protected by very rigorous firewalls.
• NIS (formerly known as the Yellow Pages, or YP, service) is a system that allows your host to obtain information automatically on user accounts, groups, filesystem mount points, and other system databases from servers on the network.
• For example, let's say you have a large collection of machines that should have the same user accounts and groups (information usually found in /etc/passwd and /etc/group).
• Users should be able to log into any of these machines and access their files directly (say, by mounting their home filesystem from a central location using NFS).
• Without NIS
  • Obviously, maintaining user accounts across many machines would be problematic; in order to add a new user, you would need to log into each machine and create the user account on each.
• With NIS
  • When you use NIS, however, the system automatically consults centrally maintained databases across the network for such information, in addition to local files such as /etc/passwd.
• NIS+ is an enhanced NIS service that is coming into use at some sites.
• If your Linux system is to interact with other systems on a LAN, it's quite possible that NFS and NIS are in wide use on your LAN.
• In this section, we’ll see how to configure your system as an NFS and NIS client; that is, to mount remote filesystems and to participate in an existing NIS domain.
• It is possible to configure your system as an NFS and NIS server, but many subtle issues are involved in configuring any Unix or Linux system as an NFS/NIS server.

Configuring Network File Sharing (NFS)
• Configuring your system to mount remote filesystems over NFS is a breeze.
• Assuming that you have TCP/IP configured and hostname lookup works correctly, you can simply add a line to your /etc/fstab file such as the following:

    # device   directory        type  options
    baba:/usr  /fsys/baba/usr   nfs   defaults

Configuring NIS
• One goal of NIS is to ease network management.
• Allowing user account information (such as that stored in /etc/passwd), for example, to be maintained on a single server makes it easy for many machines to share the same user accounts.
• In an NIS configuration, there may be NIS servers, slaves, and clients.
  • Servers are the systems where NIS databases originate and are maintained.
  • NIS slaves are systems to which the server copies its databases.
  • The slaves can provide the information to other systems, but changes to the databases must be made from the server.
  • NIS clients are those systems that request database information from servers or slaves.
• Slaves are simply used as a way to ease the load on the NIS server; otherwise, all NIS requests would have to be serviced by a single machine.

5.5 SAMBA: Linux and Windows File and Printer Sharing

Samba
• Linux is a remarkably effective operating system, which in many cases can completely replace MS-DOS/Windows.
• However, there are always those of us who want to continue to use other operating systems as well as Linux, or at least to exchange files directly with them.
• The free Samba facility allows Unix filesystems to be shared with Windows systems.
• With Samba, you can make Unix filesystems look like shared Windows filesystems, allowing them to be accessed using the normal Windows facilities and commands such as net use.
• Linux systems can also mount Windows filesystems within the Unix filesystem using a related facility.
• Installing Samba is quite simple.
• Once you have built Samba, the next step is to create the Samba configuration file, smb.conf, usually stored in the lib subdirectory of the main Samba directory or in /etc/samba.
• You can use the testparm command to verify the syntax of a Samba configuration file before you install it.
• Another useful Samba feature is the username mapping file, specified via a configuration file entry like the following:

    username map = /etc/samba/smbusers

• The smbstatus command may be used to display current remote users of local filesystems on the Unix system:

    $ smbstatus
    Samba version 1.9.16
    Service  uid     gid       pid    machine
    chemdir  nobody  chemists  14810  vala (192.168.13.34) Jul 14 11:51:07
    No locked files

Samba authentication
• In general, Samba prompts the user for a password when required.
• By default, these passwords are sent across the network in unencrypted form (i.e., as clear text).
• This is an insecure practice that most sites will find unacceptable.
• Samba can be modified to use only encoded passwords as follows:
  • Add the following entries to the global section of the Samba configuration file:

        encrypt passwords = yes
        security = user

  • Use the mksmbpasswd.sh script included with the Samba package source code to create the initial Samba password file. For example:

        # cat /etc/passwd | mksmbpasswd.sh > /etc/samba/private/smbpasswd

• The smbpasswd file should be owned by root and have the permissions mode 600.
• The subdirectory in which it resides should be protected with mode 500.
• Once encrypted passwords are enabled, users must use the smbpasswd command in order to set their Samba passwords.
• SAMBA configuration in LAB

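The settings and permissions above can be verified with a short script. This is an added example, not part of the slides or of the Samba package: it reads the two entries from the [global] section of smb.conf text and checks the smbpasswd file and its directory for modes 600 and 500. The function names are hypothetical, and the handling of a repeated parameter (last value wins) is an assumption.

```shell
#!/bin/sh
# Added example: check the Samba authentication settings and smbpasswd
# permissions described above. Paths passed in are the caller's choice.

# global_param NAME   (smb.conf text on stdin): value of NAME in [global].
# Names are compared case-insensitively with whitespace removed. If NAME is
# repeated, the last value is printed (assumed to be the one in effect).
global_param() {
    awk -v want="$1" '
        function norm(s) { gsub(/[ \t]/, "", s); return tolower(s) }
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/ { in_global = (norm($0) == "[global]"); next }
        in_global && index($0, "=") {
            name = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (norm(name) == norm(want)) last = val
        }
        END { print tolower(last) }
    '
}

# auth_settings_ok CONF_TEXT: the two [global] entries from the slide.
auth_settings_ok() {
    [ "$(printf '%s\n' "$1" | global_param 'encrypt passwords')" = yes ] &&
    [ "$(printf '%s\n' "$1" | global_param security)" = user ]
}

# mode_string PATH: type and permission bits as ls shows them.
mode_string() { ls -ld "$1" | cut -c1-10; }

# check_smbpasswd FILE [UID]: file mode 600, directory mode 500, owner UID
# (default 0, root; another UID is only useful when trying this unprivileged).
check_smbpasswd() {
    dir=$(dirname "$1"); want_uid=${2:-0}; rc=0
    [ "$(mode_string "$1")" = "-rw-------" ] || { echo "FAIL $1 mode"; rc=1; }
    [ "$(mode_string "$dir")" = "dr-x------" ] || { echo "FAIL $dir mode"; rc=1; }
    [ "$(ls -ldn "$1" | awk '{ print $3 }')" = "$want_uid" ] ||
        { echo "FAIL $1 owner"; rc=1; }
    return "$rc"
}
```

With the paths used on the slide, the checks would be run as `auth_settings_ok "$(cat /etc/samba/smb.conf)"` and `check_smbpasswd /etc/samba/private/smbpasswd`; the smb.conf location is an assumption based on the /etc/samba directory mentioned earlier.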
5.6 Setting up a Firewall and a Web server
END
Q?
