
Course Overview

Module 1

H3065S F.00

© 2005 Hewlett-Packard Development Company, L.P.


The information contained herein is subject to change without notice
Course Audience

This fast-paced 5-day course is the second of two courses HP offers to prepare new UNIX administrators to successfully manage an HP-UX server or workstation.

The course assumes that the student has experience with general UNIX user
commands, and basic administration skills such as managing devices and
device files, creating and mounting file systems, tuning the kernel, and
installing and removing software.

H3065S F.00 © 2005 Hewlett-Packard Development Company, L.P. 2


Course Agenda

Day 1:
LAN Concepts
LAN Hardware Concepts
Configuring TCP/IP Connectivity
Configuring IP Routing

Day 2:
Configuring Subnetting
Troubleshooting Network Connectivity
Starting Network Services
Configuring SD-UX Depot Servers

Day 3:
NFS Concepts
Configuring NFS
Configuring AutoFS

Day 4:
Configuring DNS
Configuring LDAP
Configuring ARPA/Berkeley Services

Day 5:
Configuring BOOTP/TFTP
Configuring NTP
Configuring SSH


HP-UX System Administration Resources

In addition to the traditional UNIX man pages, there are a number of resources that you can use to learn more about your HP-UX system.

HP’s product website: http://www.hp.com
HP’s IT Resource Center: http://itrc.hp.com
HP’s documentation website: http://docs.hp.com
HP’s software download website: http://software.hp.com
HP Education Services: http://www.hp.com/education
Independent HP users’ group: http://interex.org
Publisher of many books about UNIX network services: http://www.ora.com


LAN Concepts

Module 2

What Is a Network?

• A network is a series of devices interconnected by communication pathways.
• Local Area Networks (LANs) span relatively small geographic areas.
• Wide Area Networks (WANs) span relatively large geographic areas.

(Diagram: a WAN interconnecting the Chicago, Boston and Tokyo office LANs.)


The OSI Model in a Nutshell

7 Application: How is data created and used?
6 Presentation: How is the data represented to the application? Is the data in EBCDIC or ASCII format?
5 Session: How does an application initiate a connection? How does an application actually transmit/receive data? How does an application know data has been received?
4 Transport: Should the receiver acknowledge receipt of a packet? How should the acknowledgement be handled? Which process should receive the data?
3 Network: How is data routed between networks?
2 Data link: How do I know when it’s my turn to transmit? How do I know which data is for me? How are collisions handled?
1 Physical: What kinds of cabling are supported? What kinds of connectors are supported? What’s the longest supported cable segment?


Media Access Control (MAC) Addresses

• Every LAN card has a unique 48-bit MAC address.
• Every frame of data contains a source and destination MAC.
• Hosts accept frames destined for their MAC address.
• Hosts ignore frames destined for other MAC addresses.

(Diagram: a host with MAC address 0x0060B07ef226 asks "Which frames are for me?")

Reading a MAC address such as 0x0060B07ef226: the number is in hex; the first six hex digits identify the card manufacturer, and the last six hex digits uniquely identify this card.


Internet Protocol (IP) Addresses

• Every host on an IP network has a unique, 32-bit IP address.
• IP addresses make it possible to logically group nodes into IP networks.
• Network bits within the IP determine which network the host is on.
• Host bits within the IP distinguish each host from all other hosts on the network.
• Hosts with identical network bits are said to be on the same IP network.

(Diagram: hosts 128.1.1.1 and 128.1.1.2 on the 128.1 network. Which network is the host on? What is the host's address on that network?)


IP Network Classes

• The IP address network/host bit boundary varies from network to network.
• Networks with more host bits may have more hosts.
• Networks with fewer host bits may have fewer hosts.

/8 Network:  8 Network Bits | 8 Host Bits    | 8 Host Bits    | 8 Host Bits
/16 Network: 8 Network Bits | 8 Network Bits | 8 Host Bits    | 8 Host Bits
/24 Network: 8 Network Bits | 8 Network Bits | 8 Network Bits | 8 Host Bits


The IP Netmask

IP Address: 128.1.1.1/16
10000000 00000001 00000001 00000001

Netmask: 255.255.0.0 (or 0xffff0000)
11111111 11111111 00000000 00000000

Netmask 1's identify network bits; netmask 0's identify host bits.

Q: How many bits in my IP are network bits?
A: The netmask has the answer!


The IP Network Address

• Every host must know which network it is connected to.
• Formulate the network address by setting all IP host bits to "0".

Hosts 128.1.1.1/16, 128.1.1.2/16, 128.1.1.3/16
Network Address: 128.1.0.0/16
10000000 00000001 00000000 00000000

Hosts 192.1.1.1/24, 192.1.1.2/24, 192.1.1.3/24
Network Address: 192.1.1.0/24
11000000 00000001 00000001 00000000

Q: Which network am I on?


The IP Broadcast Address

Packets sent to the network broadcast address are received by ALL hosts on the network (in the diagram, 128.1.1.1, 128.1.1.2 and 128.1.1.3).

Formulate the broadcast address by setting all host bits to "1".

# ping 128.1.255.255


The IP Loopback Address

The loopback address, 127.0.0.1, is a special address that always references your local host.

# ping 127.0.0.1


Obtaining an IP Address

(Diagram: a private intranet separated from the public Internet by a firewall.)

Obtaining an IP address on a private intranet allows limited access to the Internet via a network firewall.

Obtaining an IP address on the public Internet allows direct connectivity to millions of hosts worldwide.


IP Address Examples

IP Address        Netmask   Network   Broadcast
192.66.123.4/24
148.10.12.14/16
9.12.36.1/8
163.128.19.9/16
123.45.65.23/8
199.66.55.4/24

(The Netmask, Network and Broadcast columns are left blank for the student to fill in.)


Host Names

/etc/hosts
128.1.1.1 sanfran
128.1.1.2 oakland
128.1.1.3 la
128.1.1.4 sandiego

I can reference nodes by host name and let HP-UX automatically determine the IP addresses for me!

(Diagram: "What is oakland's IP?" The /etc/hosts lookup answers 128.1.1.2, and the telnet request is sent to 128.1.1.2.)

# telnet oakland
128.1.1.2 (oakland)


Converting IP Addresses to MAC Addresses

Outbound frame from 128.1.1.1 (sanfran) to 128.1.1.2 (oakland):
Source MAC: 080009-000001
Destination MAC: 080009-000002

/etc/hosts           ARP cache (memory resident)
128.1.1.1 sanfran    128.1.1.1 080009-000001
128.1.1.2 oakland    128.1.1.2 080009-000002
128.1.1.3 la         128.1.1.3 080009-000003

Example: System sanfran pings system oakland
1. Resolve hostname oakland to an IP address.
2. Look up the MAC address in the ARP cache corresponding to oakland's IP address.
3. Send the packet to oakland's MAC address.


Populating the ARP Cache

(Diagram: sanfran 128.1.1.1 shares the network with oakland 128.1.1.2, la 128.1.1.3 and sandiego 128.1.1.4. Numbered arrows show the ping command (1), the ARP cache lookup (2), the broadcast packet (3), sandiego's reply (4), the cache update (5) and the frame sent to sandiego (6).)

sanfran's ARP cache:
128.1.1.1 080009-000001
128.1.1.2 080009-000002
128.1.1.3 080009-000003
128.1.1.4 incomplete!  (after the reply: 128.1.1.4 080009-23EF45)

Example: sanfran pings sandiego
$ ping sandiego
1. sanfran pings sandiego. sanfran resolves sandiego's IP address via /etc/hosts.
2. Search for sandiego's IP in the ARP cache: the IP address is not found in the ARP cache.
3. Send an ARP broadcast on the local network to find the MAC address for 128.1.1.4.
4. The system with the specified IP address responds with a packet containing its MAC.
5. The MAC address and corresponding IP address are added to sanfran's ARP cache.
6. The frame specifically addressed to sandiego's MAC address is sent.


Putting It All Together

1. Is the destination a hostname or an IP address? If it is a hostname, resolve the hostname to the corresponding IP address.
2. Is the destination IP address found in the ARP cache?
   • Yes: use the MAC address found in the ARP cache as the destination MAC.
   • No: look for the destination IP address in the routing table. Is the destination on the local network?
     • Yes, on the local network: send a broadcast requesting the MAC for the destination IP. The destination machine responds with its MAC address. Record the found MAC address in the ARP cache for later reference.
     • No: send the packet to a router to be forwarded to the destination host.
3. Send the packet out on the wire with the source and destination MAC and IP addresses.
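The decision flow above as runnable code, added here as an example and not part of the HP course material. It uses the slides' hosts file and addresses (sanfran 128.1.1.1, oakland, la, sandiego, default router 128.1.0.1); the WIRE table that stands in for stations answering an ARP broadcast, and the router's MAC, are constructed assumptions.

```python
import ipaddress

# Constructed from the slides' /etc/hosts.
HOSTS = {"sanfran": "128.1.1.1", "oakland": "128.1.1.2",
         "la": "128.1.1.3", "sandiego": "128.1.1.4"}

# Constructed stand-in for the wire: which station answers an ARP broadcast
# for which IP.  The router's MAC is a made-up placeholder.
WIRE = {"128.1.1.2": "080009-000002", "128.1.1.3": "080009-000003",
        "128.1.1.4": "080009-23EF45", "128.1.0.1": "080009-0000FF"}


class Host:
    """One node with its IP, netmask, default router and an empty ARP cache."""

    def __init__(self, ip, netmask, default_router):
        self.ip = ip
        self.net = ipaddress.ip_network(f"{ip}/{netmask}", strict=False)
        self.router = default_router
        self.arp_cache = {}      # IP -> MAC, memory resident, starts empty
        self.broadcasts = 0      # count of ARP requests actually sent

    def resolve(self, dest):
        """Step 1: an IP address is used as-is, a hostname goes through /etc/hosts."""
        try:
            ipaddress.ip_address(dest)
            return dest
        except ValueError:
            if dest not in HOSTS:       # the "/etc/hosts configured incorrectly" case
                raise LookupError(f"unknown host {dest!r}")
            return HOSTS[dest]

    def arp_broadcast(self, ip):
        """Step 2, cache miss: broadcast, and record the reply if a station answers."""
        self.broadcasts += 1
        mac = WIRE.get(ip)
        if mac is not None:
            self.arp_cache[ip] = mac
        return mac               # None = the entry stays "incomplete!" as on the slide

    def send(self, dest):
        """Return (destination IP, next-hop IP, destination MAC) for one packet.
        A None MAC means nobody answered the ARP request."""
        dest_ip = self.resolve(dest)
        mac = self.arp_cache.get(dest_ip)                # step 2: cache hit?
        if mac is not None:
            return dest_ip, dest_ip, mac
        if ipaddress.ip_address(dest_ip) in self.net:    # step 3: local network?
            return dest_ip, dest_ip, self.arp_broadcast(dest_ip)
        # Not local: hand the packet to the default router, which itself
        # needs an ARP lookup the first time it is used.
        mac = self.arp_cache.get(self.router) or self.arp_broadcast(self.router)
        return dest_ip, self.router, mac


if __name__ == "__main__":
    sanfran = Host("128.1.1.1", "255.255.0.0", "128.1.0.1")
    for target in ("sandiego", "sandiego", "129.1.1.1", "128.1.9.9"):
        print(target, "->", sanfran.send(target), "broadcasts so far:", sanfran.broadcasts)
```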


Managing Packet Flow with TCP

(Diagram: sanfran 128.1.1.1 opens a connection to oakland 128.1.1.2, segments the data into packets 1, 2 and 3 and sends them; oakland returns acknowledgements, sanfran retransmits a packet that was not acknowledged, the connection is closed, and oakland reassembles the data.)

Sending a packet with TCP:
1. Open connection to remote node.
2. Segment data into “datagram” packets.
3. Send datagrams to destination node.
4. If there is no acknowledgement, retransmit!
5. Close connection after all datagrams are received.
6. Receiver node reassembles datagrams into proper order.


Managing Packet Flow with UDP

(Diagram: sanfran 128.1.1.1 sends messages 1, 2 and 3 to oakland 128.1.1.2; nothing is acknowledged.)

Sending a packet with UDP:
1. Packets cannot be segmented or streamed; a packet is always sent as a single message.
2. No connection is opened with the node; the packet is simply sent to the node.
3. No acknowledgement is sent back to the original sender.
• Since the original sender never knows if the packet was received, the sender never retransmits.
• The receiver doesn’t know if it received all of the intended packets.
• With UDP, the application is responsible for ensuring data transmission is complete.


Sending Data to Applications via Ports

(Diagram: oakland 128.1.1.2 runs "telnet sanfran", la 128.1.1.3 runs "ftp sanfran" and sandiego 128.1.1.4 runs "rlogin sanfran". On sanfran 128.1.1.1 the network subsystem delivers packets addressed to port 23 to telnetd, port 21 to ftpd and port 513 to rlogind.)

Problem: Who gets the data?
Thousands of packets arrive every minute on the LAN interface card.
How does the network subsystem know to which application to deliver the network packets?

Solution: Assign each application a unique port number.
When each packet is sent, a port number will be included in the packet.
The port numbers identify which network application is to receive the packet.

Managing Ports with Sockets

(Diagram: oakland 128.1.1.2 runs two "telnet sanfran" sessions, and la 128.1.1.3 runs "telnet sanfran" and "ftp sanfran"; the network subsystem on sanfran 128.1.1.1 receives three packets all addressed to port 23.)

Problem: Which network application gets the data when multiple instances are present?
Multiple clients can be executing the same network application.
Multiple instances of the network application can be running on the same client.

Solution: Create a unique socket for each process which runs a network application.
A socket is a port number combined with a node’s IP address.
A socket connection is the coupling of a client socket address with a server socket address.


More on Socket Connections

(Diagram: two "telnet sanfran" sessions on oakland 128.1.1.2, each sending to port 23 on sanfran 128.1.1.1, where two telnetd processes serve them.)

Client socket       Server socket
128.1.1.2.50001 ->  128.1.1.1.23     ($ telnet sanfran)
128.1.1.2.50002 ->  128.1.1.1.23     ($ telnet sanfran)

Communications between two processes over the network are uniquely defined by their socket connection.
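The socket-connection idea above as an added example that is not part of the course: two clients on the same node connect to one listening port, and the server tells the connections apart by the client socket, just as 128.1.1.2.50001 and 128.1.1.2.50002 both reach 128.1.1.1.23 on the slide. The loopback address and a kernel-chosen port stand in for the slide's addresses and port 23.

```python
import socket
import threading


def socket_name(addr):
    """Slide notation for a socket: IP address plus port, e.g. 128.1.1.1.23."""
    ip, port = addr
    return f"{ip}.{port}"


def _accept(server, count, seen):
    """Server side: accept `count` connections and record each socket connection."""
    for _ in range(count):
        conn, client = server.accept()
        seen.append((conn.getsockname(), client))   # (server socket, client socket)
        conn.close()


def socket_connections(count=2):
    """Open `count` TCP connections from this host to one listening socket and
    return the (server socket, client socket) pairs the server observed."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))      # port 0: the kernel picks a free port
    server.listen(count)
    seen = []
    acceptor = threading.Thread(target=_accept, args=(server, count, seen))
    acceptor.start()
    clients = [socket.create_connection(server.getsockname()) for _ in range(count)]
    acceptor.join()
    for c in clients:
        c.close()
    server.close()
    return seen


def distinct_connections(seen):
    """True when every connection has a distinct client socket while all share
    the same server socket: the socket connection, not the port, identifies it."""
    servers = {s for s, _ in seen}
    clients = {c for _, c in seen}
    return len(servers) == 1 and len(clients) == len(seen)


if __name__ == "__main__":
    for server_sock, client_sock in socket_connections(2):
        print(f"{socket_name(client_sock)} <-> {socket_name(server_sock)}")
```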


Revisiting the OSI Model

7 Application: Creates/receives the data.
6 Presentation: Determines the format in which to represent the data. Possible choices are EBCDIC or ASCII format.
5 Session: Establishes a unique communication path between client/server. Sockets are used to communicate between two systems. A socket is an IP address plus a port number.
4 Transport: TCP requires that a socket connection be established; UDP does not. TCP requires packets be acknowledged; UDP does not. TCP is streams-based; UDP is message-based.
3 Network: IP addresses define a system’s network and host number.
2 Data link: MAC addresses uniquely identify a LAN card. Ultimately, packets are sent from one MAC address to another. ARP caches map IP addresses to MAC addresses.
1 Physical: The type of media used to connect the machines together. The type of cabling used for the network.


Lab activity

LAN Hardware Concepts

Module 3

LAN Hardware Components

A LAN is comprised of a variety of hardware components:
Transmission Media
Interface Cards
Repeaters
Hubs
Bridges
Switches
Routers
Gateways
Firewalls

(Diagram: the Internet is reached through a firewall and a gateway router; routers link the Chicago and London offices, a bridge and a switch join the office segments, hubs serve the sales and research segments, and a mainframe is attached.)


LAN Transmission Media

Twisted Pair: a central copper conductor inside a plastic insulating jacket.
Coaxial Cable: a central copper conductor, a non-conducting insulator, a woven metal shield and a plastic insulating jacket.
Fiber Optic: a glass or plastic fiber cable between an LED or laser transmitter and a photodiode receiver.


LAN Topologies

(Diagram: ring, bus and star topologies; the star is cabled through a hub.)

A LAN’s Physical Topology: describes how a network is physically cabled.
A LAN’s Logical Topology: describes the logical pathway a signal follows as it passes among the network nodes.


LAN Access Methods

(Diagram: the CSMA/CD method, and the token passing method in which a token plus data circulates from node to node.)


Ethernet 802.3 Interface Cards

                10Base2   10BaseF   10BaseT   100BaseTX  100BaseFX  1000BaseT  1000BaseSX
Data Rate       10Mbps    10Mbps    10Mbps    100Mbps    100Mbps    1000Mbps   1000Mbps
Log. Topology   Bus       Bus       Bus       Bus        Bus        Bus        Bus
Phys. Topology  Bus       Star      Star      Star       Star       Star       Star
Access          CSMA/CD   CSMA/CD   CSMA/CD   CSMA/CD    CSMA/CD    CSMA/CD    CSMA/CD
Cable Type      Coax      Fiber     Cat 3/5   Cat 5      Fiber      Cat 5      Fiber
Max. Segment    185m      1000m+    100m      100m       412m+      100m       220m+

(Diagram: a bus segment with terminators (T) at both ends, and star-wired hosts attached to a hub/switch.)


Token Ring 802.5 Interface Cards

Token Ring
Data Rate: 4 or 16 Mbps
Topology (Logical): Ring
Topology (Physical): Star
Access Method: Token
Cable Types: Cat 3/5
Max. Segment: 100m

(Diagram: stations star-wired to a MultiStation Access Unit.)


FDDI Ring Interface Cards

FDDI Ring
Data Rate: 100 Mbps
Topology (Logical): Ring
Topology (Physical): Dual Ring / Star
Access Method: Token
Cable Type: Fiber
Max. Segment: 2000m

(Diagram: dual attachment stations on the dual ring; single attachment stations connected through a concentrator.)


Repeaters

Repeaters extend the maximum allowed distance between nodes.

Repeaters
• Repeaters repeat a signal from one port to another.
• Repeaters pass all traffic through without error checking or filtering.
• Repeaters pass collisions, too.
• Repeaters are used primarily to overcome maximum segment length restrictions.


Hubs

Hubs make it very easy to add and remove hosts on a network.

Hubs…
• Hubs propagate a signal received on one port to all other ports.
• Hubs propagate errors and collisions across ports, too.
• Hubs simplify the addition and removal of nodes on a LAN.
• Hubs are also used to connect network segments cabled with different media types.


Bridges

Bridges make it possible to segment your network into separate collision domains to minimize collisions and improve performance.

(Diagram: a bridge joining two hubs, each hub forming a separate collision domain.)

Bridges
• Bridges provide all the functionality of a hub, PLUS ...
• Bridges filter frames by destination MAC, and segment a LAN into multiple collision domains.
• Bridges filter signal and timing errors.
• Bridges can be used to connect segments operating at different speeds.

Switches

Switches are similar to bridges, but offer multiple parallel communication channels across ports for improved performance.

Switches
• Switches provide all the functionality of a bridge PLUS ...
• Switches typically offer more ports than bridges.
• Switches allow for multiple, parallel channels of communication between ports.
• Switches sometimes offer “full-duplex” functionality.
• Switches are replacing both bridges and hubs in many modern networks.


Routers and Gateways

(Diagram: several routers interconnecting networks, and a gateway router connecting a mainframe.)

Routers and Gateways
• Routers use IP addresses to route data between networks.
• Routers can be used to connect different network types.
• Routers don’t forward broadcast packets; broadcast packets are dropped.
• Gateways are used to connect dissimilar networks over all 7 OSI layers.


Firewalls

Firewalls make it possible to control access to and from your local area network.

(Diagram: a firewall between the Internet and the local network.)

Firewalls
• Firewalls determine what traffic is allowed in and out of your network.
• Firewalls may filter packets by IP or port number.
• Firewalls may log what packets are sent to and from whom.
• Firewalls use these and many other features to improve network security.


Pulling It All Together

(Diagram: the Internet is reached through a firewall and a gateway router; routers link the Chicago and London offices, a bridge and a switch join the office segments, hubs serve the sales and research segments, and a mainframe is attached.)

Configuring IP Connectivity

Module 4

TCP/IP Configuration Overview

Obtain an IP address and hostname from your IT department or ISP.
Physically install the LAN card.
Install the appropriate LAN software.
Verify that the new card successfully autoconfigured.
Configure link layer connectivity.
Configure IP connectivity.
Configure IP multiplexing (optional).


Installing LAN Software

# swinstall

(Diagram: the LAN software layers installed with swinstall: Networking Kernel, Networking Subsystem and LANIC Drivers.)


Checking LANIC Autoconfiguration

# ioscan -fnC lan
Class  I  H/W Path  Driver  S/W State  H/W Type   Description
================================================================
lan    0  8/16/6    lan2    CLAIMED    INTERFACE  Built-in LAN
                    /dev/diag/lan0  /dev/ether0  /dev/lan0
lan    1  8/20/5/1  btlan0  CLAIMED    INTERFACE  EISA card INP05

• Is the “S/W State” “CLAIMED”? (UNCLAIMED indicates missing drivers.)
• Does the LAN card appear to have device files? (NOTE: Some EISA LAN cards do not require device files.)


HP-UX Network Startup Files

/sbin/init.d script   Configuration file               Purpose
hostname              /etc/rc.config.d/netconf         Host name configuration
hpbase100             /etc/rc.config.d/hpbase100conf   Link layer configuration
hpbaset               /etc/rc.config.d/hpbasetconf     Link layer configuration
hpeisabt              /etc/rc.config.d/hpeisabtconf    Link layer configuration
hpether               /etc/rc.config.d/hpetherconf     Link layer configuration
hpgsc100              /etc/rc.config.d/hpgsc100conf    Link layer configuration
hpvgal                /etc/rc.config.d/hpvgalconf      Link layer configuration
hptoken               /etc/rc.config.d/hptokenconf     Link layer configuration
net                   /etc/rc.config.d/netconf         IP configuration


Configuring Link Layer Connectivity

/etc/rc.config.d/hpbase100conf
HP_BASE100_INTERFACE_NAME[0]=lan0
HP_BASE100_STATION_ADDRESS[0]=0x080009000001
HP_BASE100_SPEED[0]=100FD

/sbin/init.d/hpbase100 start
lanadmin -A 0x080009000001 0
lanadmin -X 100FD 0



Configuring IP Connectivity

/etc/rc.config.d/netconf
HOSTNAME=sanfran

INTERFACE_NAME[0]=lan0
IP_ADDRESS[0]=128.1.1.1
SUBNET_MASK[0]=255.255.0.0
BROADCAST_ADDRESS[0]=""
INTERFACE_STATE[0]=""
DHCP_ENABLE[0]="0"

/sbin/init.d/hostname start
uname -S sanfran
hostname sanfran
/sbin/init.d/net start
ifconfig lan0 128.1.1.1 netmask 255.255.0.0 up



Configuring IP Multiplexing

(Diagram: one LAN card on a host connected to the Internet answers for three addresses: 129.1.1.1 ijunk.com, 129.2.1.1 bigcorp.com and 129.3.1.1 estuff.com.)

/etc/rc.config.d/netconf
INTERFACE_NAME[0]=lan0:0
IP_ADDRESS[0]=129.1.1.1
SUBNET_MASK[0]=255.255.0.0

INTERFACE_NAME[1]=lan0:1
IP_ADDRESS[1]=129.2.1.1
SUBNET_MASK[1]=255.255.0.0

INTERFACE_NAME[2]=lan0:2
IP_ADDRESS[2]=129.3.1.1
SUBNET_MASK[2]=255.255.0.0

/sbin/init.d/net start
ifconfig lan0:0 129.1.1.1 netmask 255.255.0.0 up
ifconfig lan0:1 129.2.1.1 netmask 255.255.0.0 up
ifconfig lan0:2 129.3.1.1 netmask 255.255.0.0 up


Configuring /etc/hosts

Use the /etc/hosts file to easily map hostnames to IP addresses.

# vi /etc/hosts
127.0.0.1 localhost loopback

# local net hosts
128.1.1.1 sanfran user1
128.1.1.2 oakland user2
128.1.1.3 la

# other servers
129.1.1.1 mailsvr
130.1.1.1 filesvr

(Columns: IP Addresses, Hostnames, Aliases.)


Lab activity

Configuring IP Routing

Module 5

Routing Concepts

(Diagram: several routers interconnecting physical networks.)

• The Internet is composed of many physical networks.
• Devices capable of routing data between these networks are called routers.
• A data packet may pass through multiple routers en route to a destination host.


Routing Tables

(Diagram: sanfran 128.1.1.1 is on Net 128.1.0.0, mailsvr 129.1.1.1 on Net 129.1.0.0 and filesvr 130.1.1.1 on Net 130.1.0.0. RouterA joins the first two networks with interfaces 128.1.0.1 and 129.1.0.1; RouterB joins the last two with interfaces 129.1.0.2 and 130.1.0.1.)

Routing Table for RouterA
Dest. Network   Next Hop
128.1.0.0/16    128.1.0.1
129.1.0.0/16    129.1.0.1
130.1.0.0/16    129.1.0.2

Routing Table for RouterB
Dest. Network   Next Hop
128.1.0.0/16    129.1.0.1
129.1.0.0/16    129.1.0.2
130.1.0.0/16    130.1.0.1


Viewing Routing Tables

# netstat -rn
Dest       Gateway    Flags  Refs  Interface  Pmtu
127.0.0.1  127.0.0.1  UH     0     lo0        4136
128.1.1.1  128.1.1.1  UH     0     lan0       4136
127.0.0.0  127.0.0.1  U      0     lo0        0
128.1.0.0  128.1.1.1  U      2     lan0       1500
129.1.0.0  128.1.0.1  UG     0     lan0       1500
130.1.0.0  128.1.0.1  UG     0     lan0       1500

Columns: Dest is the destination host or network; Gateway is the next hop.

Flags:
H = Route is for a single host
U = Route is "Up"
G = Route requires a hop across a gateway
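Reading that table programmatically, as an added example that is not from the course: parse the netstat -rn output above, choose the route for a destination by longest match and the H/U/G flags, and check that every gateway of a G route is itself on a directly connected network (one way the "routing table is configured incorrectly" symptom from the troubleshooting module shows up). Because this netstat format prints no netmask column, the size of a network route is inferred from its address class, an assumption that does not hold for subnetted tables.

```python
import ipaddress

# Copied from the slide's netstat -rn output.
NETSTAT_RN = """\
Dest Gateway Flags Refs Interface Pmtu
127.0.0.1 127.0.0.1 UH 0 lo0 4136
128.1.1.1 128.1.1.1 UH 0 lan0 4136
127.0.0.0 127.0.0.1 U 0 lo0 0
128.1.0.0 128.1.1.1 U 2 lan0 1500
129.1.0.0 128.1.0.1 UG 0 lan0 1500
130.1.0.0 128.1.0.1 UG 0 lan0 1500
"""


def classful_prefix(dest):
    """Assumption: with no netmask column, fall back to the classful /8, /16, /24 boundary."""
    first = int(dest.split(".")[0])
    return 8 if first < 128 else 16 if first < 192 else 24


def parse_routes(text):
    """Turn netstat -rn lines into dicts with an ip_network for the Dest column."""
    routes = []
    for line in text.splitlines()[1:]:          # skip the column header
        dest, gateway, flags, refs, iface, pmtu = line.split()
        if dest == "default":
            net = ipaddress.ip_network("0.0.0.0/0")
        elif "H" in flags:                       # H: route to a single host
            net = ipaddress.ip_network(dest + "/32")
        else:
            net = ipaddress.ip_network(f"{dest}/{classful_prefix(dest)}", strict=False)
        routes.append({"net": net, "gateway": gateway, "flags": flags,
                       "iface": iface, "refs": int(refs), "pmtu": int(pmtu)})
    return routes


def lookup(routes, ip):
    """Longest-prefix match. Returns (next hop, interface, via_gateway) or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for r in routes:
        if "U" not in r["flags"]:                # only routes that are "Up" count
            continue
        if addr in r["net"] and (best is None or r["net"].prefixlen > best["net"].prefixlen):
            best = r
    if best is None:
        return None                              # no route and no default: unreachable
    return best["gateway"], best["iface"], "G" in best["flags"]


def unreachable_gateways(routes):
    """Gateways of G routes that no directly connected (non-G) route covers."""
    direct = [r["net"] for r in routes if "G" not in r["flags"]]
    bad = set()
    for r in routes:
        if "G" in r["flags"]:
            gw = ipaddress.ip_address(r["gateway"])
            if not any(gw in net for net in direct):
                bad.add(r["gateway"])
    return sorted(bad)


if __name__ == "__main__":
    table = parse_routes(NETSTAT_RN)
    for dest in ("129.1.1.1", "128.1.5.9", "128.1.1.1", "10.0.0.1"):
        print(dest, "->", lookup(table, dest))
    print("gateways not directly reachable:", unreachable_gateways(table))
```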


Configuring Static Routes

Use the route command to dynamically add and remove route table entries.

Add or delete a route to a specific host:
# route add host 129.1.1.1 128.1.0.1 1
# route delete host 129.1.1.1 128.1.0.1

Add or delete a route to a network:
# route add net 129.1.0.0 netmask 255.255.0.0 128.1.0.1 1
# route delete net 129.1.0.0 netmask 255.255.0.0 128.1.0.1

Flush all gateway entries from the routing table:
# route -f


Configuring a Default Route

(Diagram: hosts 128.1.1.1, 128.1.1.2 and 128.1.1.3 on the local network, and default router 128.1.0.1 leading to the intranet and beyond. "I'll deliver data to hosts on my local network directly. All other packets can simply be sent to my default router!")

Add a default route:
# route add default 128.1.0.1 1

Delete the default route:
# route delete default 128.1.0.1


Configuring Routes in /etc/rc.config.d/netconf

/etc/rc.config.d/netconf
ROUTE_DESTINATION[0]="net 129.1.0.0"
ROUTE_MASK[0]="255.255.0.0"
ROUTE_GATEWAY[0]="128.1.0.1"
ROUTE_COUNT[0]="1"
ROUTE_ARGS[0]=""

ROUTE_DESTINATION[1]="default"
ROUTE_MASK[1]=""
ROUTE_GATEWAY[1]="128.1.0.1"
ROUTE_COUNT[1]="1"
ROUTE_ARGS[1]=""

/sbin/init.d/net start
route add net 129.1.0.0 netmask 255.255.0.0 128.1.0.1 1
route add default 128.1.0.1 1

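An added example, not HP's /sbin/init.d/net script: parse the netconf fragments shown in this module and in module 4, emit the ifconfig and route commands the startup scripts run for them, and flag the misconfigurations from the troubleshooting module that netconf alone reveals (a mask that is not contiguous, an IP configured twice, a gateway that the subnet mask puts off the local network). The NETCONF text is assembled from the slides; the check rules are this example's own.

```python
import ipaddress
import re

# Assembled from the netconf fragments on the module 4 and module 5 slides.
NETCONF = """\
HOSTNAME=sanfran
INTERFACE_NAME[0]=lan0
IP_ADDRESS[0]=128.1.1.1
SUBNET_MASK[0]=255.255.0.0
BROADCAST_ADDRESS[0]=""
INTERFACE_STATE[0]=""
DHCP_ENABLE[0]="0"
ROUTE_DESTINATION[0]="net 129.1.0.0"
ROUTE_MASK[0]="255.255.0.0"
ROUTE_GATEWAY[0]="128.1.0.1"
ROUTE_COUNT[0]="1"
ROUTE_ARGS[0]=""
ROUTE_DESTINATION[1]="default"
ROUTE_MASK[1]=""
ROUTE_GATEWAY[1]="128.1.0.1"
ROUTE_COUNT[1]="1"
ROUTE_ARGS[1]=""
"""

# NAME=value or NAME[index]=value, value optionally double-quoted.
VAR = re.compile(r'^(\w+)(?:\[(\d+)\])?=(?:"([^"]*)"|(\S*))$')


def parse_netconf(text):
    """Scalars become conf[name]; indexed variables become conf[name][index]."""
    conf = {}
    for line in text.splitlines():
        m = VAR.match(line.strip())
        if not m:
            continue                      # blank lines and comments
        name, idx, quoted, bare = m.groups()
        value = quoted if quoted is not None else bare
        if idx is None:
            conf[name] = value
        else:
            conf.setdefault(name, {})[int(idx)] = value
    return conf


def commands(conf):
    """The commands /sbin/init.d/hostname and /sbin/init.d/net run for this file
    (ROUTE_ARGS is left out of this example)."""
    out = [f"uname -S {conf['HOSTNAME']}", f"hostname {conf['HOSTNAME']}"]
    for i in sorted(conf.get("INTERFACE_NAME", {})):
        out.append(f"ifconfig {conf['INTERFACE_NAME'][i]} {conf['IP_ADDRESS'][i]} "
                   f"netmask {conf['SUBNET_MASK'][i]} up")
    for i in sorted(conf.get("ROUTE_DESTINATION", {})):
        dest, gw = conf["ROUTE_DESTINATION"][i], conf["ROUTE_GATEWAY"][i]
        mask, count = conf.get("ROUTE_MASK", {}).get(i, ""), conf["ROUTE_COUNT"][i]
        mask_arg = f" netmask {mask}" if mask and dest != "default" else ""
        out.append(f"route add {dest}{mask_arg} {gw} {count}")
    return out


def check(conf):
    """Misconfigurations visible in netconf alone (rules are this example's own)."""
    problems, nets, seen = [], [], {}
    for i in sorted(conf.get("INTERFACE_NAME", {})):
        name, ip, mask = conf["INTERFACE_NAME"][i], conf["IP_ADDRESS"][i], conf["SUBNET_MASK"][i]
        try:
            net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        except ValueError:                # bad address or non-contiguous mask
            problems.append(f"{name}: invalid address/mask {ip}/{mask}")
            continue
        if ip in seen:
            problems.append(f"{ip} is configured on both {seen[ip]} and {name}")
        seen[ip] = name
        if ipaddress.ip_address(ip) in (net.network_address, net.broadcast_address):
            problems.append(f"{name}: {ip} is the network or broadcast address of {net}")
        nets.append(net)
    for i in sorted(conf.get("ROUTE_GATEWAY", {})):
        gw = ipaddress.ip_address(conf["ROUTE_GATEWAY"][i])
        if not any(gw in net for net in nets):
            problems.append(f"gateway {gw} is not on any configured local network")
    return problems


if __name__ == "__main__":
    conf = parse_netconf(NETCONF)
    print("\n".join(commands(conf)))
    print("problems:", check(conf) or "none")
```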


Lab activity

Configuring Subnetting

Module 6

Limitations of Large Networks

• /8 networks provide ~16 million host addresses
• /16 networks provide ~65 thousand host addresses
• Reasons for not putting 65 thousand hosts on one network:

(Diagram: a single packet propagating to 65,000 hosts.)


Subnetting Concept

• Break a large network into more manageable subnetworks
• Example: Subnetting a /16 network

(Diagram: Network 128.1.0.0/16 (65,535 hosts) divided by routers into Subnet 128.1.1.0 (254 hosts), Subnet 128.1.2.0 (254 hosts) and Subnet 128.1.3.0 (254 hosts).)

Non-subnetted network: one network with 65,535 nodes
Subnetted network: 254 subnets, each with 254 nodes

IP Addresses in a Subnetted Network

Non-subnetted network: IP addresses have two components.

128.1.0.0 = 10000000 00000001 00000000 00000000
Network Bits | Network Bits | Host Bits | Host Bits

Subnetted network: IP addresses have three components.

128.1.1.0 = 10000000 00000001 00000001 00000000
Network Bits | Network Bits | Subnet Bits | Host Bits


Netmasks in a Subnetted Network

The netmask masks network and subnet bits with 1s.

Netmask for a non-subnetted /16 network:
11111111 11111111 00000000 00000000 = 255.255.0.0
Network Bits | Network Bits | Host Bits | Host Bits

Netmask for /24 subnetworks on a /16 network:
11111111 11111111 11111111 00000000 = 255.255.255.0
Network Bits | Network Bits | Subnet Bits | Host Bits


Subnet Addresses

Example: Network 128.1.0.0/16 subnetted into 254 subnets

10000000 00000001 00000001 00000000   1st subnet
10000000 00000001 00000010 00000000   2nd subnet
10000000 00000001 00000011 00000000   3rd subnet
10000000 00000001 00000100 00000000   4th subnet
. . .
10000000 00000001 11111110 00000000   254th subnet

Network Bits | Network Bits | Subnet Bits | Host Bits

Netmask = 255.255.255.0


Host IP Addresses on a Subnet

• The host address with all 0s represents the address for the entire subnet.
• The host address with all 1s represents the broadcast address for the subnet.
• All other addresses within the subnet may be used for hosts.
• Examples: IP addresses for subnet 128.1.1.0/24:

Subnet #1 : 10000000.00000001.00000001.00000000 = 128.1.1.0/24
Host #1   : 10000000.00000001.00000001.00000001 = 128.1.1.1/24
Host #2   : 10000000.00000001.00000001.00000010 = 128.1.1.2/24
Host #3   : 10000000.00000001.00000001.00000011 = 128.1.1.3/24
. . .
Host #253 : 10000000.00000001.00000001.11111101 = 128.1.1.253/24
Host #254 : 10000000.00000001.00000001.11111110 = 128.1.1.254/24
Broadcast : 10000000.00000001.00000001.11111111 = 128.1.1.255

Netmask = 255.255.255.0

Limitations of Subnetting on an Octet Boundary

How would you subnet your network, if . . .
• You have a /24 network address?
• You want exactly six subnets from a /16 network address?


Subnetting on a Non-Octet Boundary

Example: Network 192.6.12.0/24 subnetted into 6 subnets:

11000000 00000110 00001100 00100000   1st subnet
11000000 00000110 00001100 01000000   2nd subnet
11000000 00000110 00001100 01100000   3rd subnet
11000000 00000110 00001100 10000000   4th subnet
11000000 00000110 00001100 10100000   5th subnet
11000000 00000110 00001100 11000000   6th subnet

Network Bits | Network Bits | Network Bits | Subnet Bits (3) + Host Bits (5)

Netmask = 255.255.255.224
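A subnet calculator as an added example, not part of the course: it derives netmask, network, broadcast and host range from the address/prefix notation the slides use, prints the dotted binary the slides draw, and enumerates the subnets of a network for a chosen prefix. It covers the octet-boundary cases of the "IP Address Examples" table in module 2 as well as the /27 split of 192.6.12.0/24 above; the bit arithmetic is written out rather than delegated to the ipaddress module so that the mask construction stays visible.

```python
def ip_to_int(ip):
    """Dotted decimal to a 32-bit integer; rejects anything but 4 octets of 0..255."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address {ip!r}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(n):
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def netmask(prefix):
    """A /prefix mask is `prefix` ones followed by zeros: the 1s mark network and subnet bits."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix must be 0..32, got {prefix}")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def binary(ip):
    """Dotted binary as the slides draw it: 10000000.00000001.00000001.00000000"""
    return ".".join(f"{int(o):08b}" for o in ip.split("."))


def analyze(cidr):
    """'192.6.12.34/27' -> netmask, network, broadcast, first/last host, usable host count."""
    ip, prefix = cidr.split("/")
    prefix = int(prefix)
    addr, mask = ip_to_int(ip), netmask(prefix)
    network = addr & mask                          # host bits set to 0
    broadcast = network | (~mask & 0xFFFFFFFF)     # host bits set to 1
    usable = max(0, 2 ** (32 - prefix) - 2)        # minus the network and broadcast addresses
    return {
        "netmask": int_to_ip(mask),
        "network": f"{int_to_ip(network)}/{prefix}",
        "broadcast": int_to_ip(broadcast),
        "first_host": int_to_ip(network + 1) if usable else None,
        "last_host": int_to_ip(broadcast - 1) if usable else None,
        "usable_hosts": usable,
    }


def subnets(cidr, new_prefix):
    """All subnets of `cidr` with prefix `new_prefix`, e.g. the /27s of 192.6.12.0/24."""
    old_prefix = int(cidr.split("/")[1])
    if new_prefix < old_prefix:
        raise ValueError("subnet prefix must be at least as long as the network prefix")
    base = ip_to_int(analyze(cidr)["network"].split("/")[0])
    step = 1 << (32 - new_prefix)                  # addresses per subnet
    return [f"{int_to_ip(base + i * step)}/{new_prefix}"
            for i in range(1 << (new_prefix - old_prefix))]


if __name__ == "__main__":
    for cidr in ("192.66.123.4/24", "148.10.12.14/16", "9.12.36.1/8", "192.6.12.34/27"):
        a = analyze(cidr)
        print(f"{cidr:18} netmask {a['netmask']:15} network {a['network']:18} "
              f"broadcast {a['broadcast']:15} hosts {a['usable_hosts']}")
    for s in subnets("192.6.12.0/24", 27):
        print(s, binary(s.split("/")[0]))
```

The enumeration returns every subnet (8 for a /24 split into /27s, 256 for a /16 split into /24s); the slides' counts of 6 and 254 exclude the all-zeros and all-ones subnet numbers, a restriction of older classful routers that CIDR-capable equipment does not impose.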


Routers in a Subnetted Network

(Diagram: routers interconnect the Manufacturing subnet (192.6.12.32/27), the Marketing subnet (192.6.12.64/27), the Finance subnet (192.6.12.96/27) and the Facilities subnet (192.6.12.128/27).)


Configuring Subnetting

(Diagram: a router with 192.6.12.129/27 on the Facilities subnet (192.6.12.128/27) and 192.6.12.33/27 on the Manufacturing subnet (192.6.12.32/27); HostA 192.6.12.34/27, HostB 192.6.12.35/27 and HostC 192.6.12.36/27 are on the Manufacturing subnet.)

HostA# ifconfig lan0 192.6.12.34 netmask 255.255.255.224 up
HostA# route add default 192.6.12.33 1


Lab activity

Troubleshooting Network Connectivity

Module 7

Network Troubleshooting Tools Overview

Several network troubleshooting tools are included with HP-UX, including:

• lanscan (HP-specific tool)
• lanadmin (HP-specific tool)
• linkloop (HP-specific tool)
• arp (BSD)
• ping (public domain)
• netstat (BSD)
• nslookup (BSD)


Potential Network Connectivity Problems

• LAN terminators are not connected properly.
• The LAN interface is not powered up.
• The LAN interface has the wrong IP address.
• The subnet mask is incorrect.
• The same IP address is used by another system.
• The routing table is configured incorrectly.
• The router is down.
• The LAN cable is defective.
• The LAN segment is too long.
• The /etc/hosts file is configured incorrectly.


The lanscan Command

(Diagram: the OSI layer stack, Application 7 down to Physical 1.)

• The lanscan command lists information for all LAN interface cards on the system.
• Example:

# lanscan
Hardware  Station         Crd  Hdw    Net-Interface  NM  MAC    HP-DLPI  DLPI
Path      Address         In#  State  NamePPA        ID  Type   Support  Mjr#
8/16/6    0x0060B0A39825  0    UP     lan0 snap0     1   ETHER  Yes      119
8/20/5/1  0x0060B058A8C6  1    UP     lan1 snap1     2   ETHER  Yes      119


The linkloop Command

[Figure: OSI seven-layer model on the client and on the server]

• The linkloop command tests layer 2 (data link) connectivity to another station by MAC address.
• Because it uses no IP at all, linkloop succeeds even if the client's or server's IP address is misconfigured. A working linkloop together with a failing ping therefore points at IP configuration (address, mask, route) rather than at the cable or the interface.
• Example:

  # linkloop 0x0060b007c179
  Link connectivity to LAN station: 0x0060b007c179
  -- OK


The lanadmin Command

[Figure: OSI seven-layer model]

• The lanadmin command is an HP-UX-specific LAN diagnostic tool.
• The lanadmin command may be used to:
  • reset the LAN interface card
  • change the maximum packet size for the LAN card
  • change the speed setting of the LAN card
  • display driver statistics for the LAN card
  • reset the driver statistics to zero for the LAN card


Example lanadmin

  # lanadmin
  LOCAL AREA NETWORK ONLINE ADMINISTRATION, Version 1.0
  Wed, Aug 12,1998 23:03:30
  Copyright 1994 Hewlett Packard Company.
  All rights are reserved.

  lan     = LAN Interface Administration
  menu    = Display this menu
  quit    = Terminate the Administration
  terse   = Do not display command menu
  verbose = Display command menu

  Enter command: lan

  LAN Interface test mode. LAN Interface PPA Number = 0

  clear   = Clear statistics registers
  display = Display LAN Interface status and statistics registers
  end     = End LAN Interface Administration, return to Test Selection
  menu    = Display this menu
  ppa     = PPA Number of the LAN Interface
  quit    = Terminate the Administration, return to shell
  reset   = Reset LAN Interface to execute its selftest

  Enter command: display
  . . .


The arp Command

[Figure: OSI seven-layer model]

• ARP is the Address Resolution Protocol; it maps IP addresses to link-layer (MAC) addresses.
• The arp command is used to display and modify entries in the ARP table.
• Options which modify the ARP table require root privilege.
• ARP replies are not authenticated, so an entry whose MAC address does not belong to the host you expect is the first visible sign of the "same IP address used by another system" problem.
• Example:

  # /usr/sbin/arp -a
  frank (192.6.30.1) at 0:60:b0:7:4c:4d ether
  beverly (192.6.30.5) at 0:60:b0:7:c1:79 ether
  jeff (192.6.30.4) at 0:60:b0:7:e1:12 ether
  bill (192.6.30.2) at 0:60:b0:7:7e:69 ether
  larry (192.6.30.3) at 0:60:b0:7:e1:a2 ether


The ping Command

[Figure: OSI seven-layer model on the client and on the server]

• The ping command tests IP connectivity to a remote system.
• Example:

  # ping bill
  PING 192.6.30.2: 64 byte packets
  64 bytes from 192.6.30.2: icmp_seq=0. time=223. ms
  64 bytes from 192.6.30.2: icmp_seq=1. time=43. ms
  ----bill PING Statistics----
  2 packets transmitted, 2 packets received, 0% packet loss
  round-trip (ms) min/avg/max = 43/158/223


The netstat -i Command

[Figure: OSI seven-layer model]

• The netstat -i command displays a LAN interface status report.
• The netstat -in command displays IP addresses instead of hostnames.
• An asterisk (*) after the interface name indicates the interface is down.
• Example:

  # netstat -i
  Name  Mtu   Network     Address    Ipkts   Opkts
  lo0   4136  127.0.0.0   localhost  838     838
  lan0  1500  192.6.30.0  bill       160952  111715


The netstat -r Command

[Figure: OSI seven-layer model]

• The netstat -r command displays all routes defined in the route table.
• The netstat -rn command displays IP addresses instead of hostnames.
• In the Flags column, U means the route is up, H that the destination is a single host, and G that packets are sent via the listed gateway.
• Example:

  # netstat -rn
  Routing tables
  Destination   Gateway      Flags  Refs  Interface  Pmtu
  127.0.0.1     127.0.0.1    UH     0     lo0        4136
  192.6.30.2    192.6.30.2   UH     0     lan0       4136
  192.6.30.0    192.6.30.2   U      2     lan0       1500
  127.0.0.0     127.0.0.1    U      0     lo0        4136
  default       192.6.30.1   UG     0     lan0       1500
The nslookup Command

[Figure: OSI seven-layer model]

• The nslookup command resolves hostnames to IP addresses.
• The nslookup command is useful for identifying problems with /etc/hosts.
• The first line of output names the source that answered the query (here /etc/hosts on host bill), so it shows at a glance whether the lookup was served from a local file or from DNS.
• Example:

  # nslookup mickie
  Using /etc/hosts on: bill

  Name: mickie
  Address: 192.6.30.3


Lab activity
Starting Network Services

Module 8
Starting System and Network Services

Services such as NFS, NIS, CDE, NTP, inetd and DNS all have daemons that must be started after the kernel is loaded.

Q: After the kernel is loaded, how does it know which daemons need to be started when?
A: /sbin/init and /sbin/rc have the answer!


Run Levels

• init and /sbin/rc start and stop services in stages called run levels.
• The system run level determines what services are available.
• At boot, init progresses from run level 1 to 3, starting services.
• At shutdown, init progresses from run level 3 to 0, killing services.
• Example: (Not all run levels and services shown)

  Run Level   Services Available
  3           syncer, NFS, CDE
  2           syncer, NFS
  1           syncer
  0           (none)

  Startup moves up the table; shutdown moves down it.


/sbin/rc*.d Directories

• /sbin/rc*.d directories determine at which run levels services start and stop.
• /sbin/rc runs S scripts to start services during system startup.
• /sbin/rc runs K scripts to kill services during system shutdown.

  /sbin/rc0.d
  /sbin/rc1.d
  /sbin/rc2.d    e.g. K100dtlogin.rc  K900nfs.server  S340net  S430nfs.client  S500inetd  S660xntpd
  /sbin/rc3.d

The S scripts in rcN.d start the services that belong to run level N; the K scripts in rcN.d kill the services that were started at run level N+1 when the system drops back to level N.


S/K Script Naming Convention

  /sbin/rc2.d/S730cron

  rc2.d   Run Level (2)
  S       Type (S = start, K = kill)
  730     Sequence Number (order of execution within the run level)
  cron    Service Name


/sbin/init.d/* Scripts

• Every service started by /sbin/rc has an associated script in /sbin/init.d.
• /sbin/init.d scripts contain code needed to start/kill services.
• /sbin/rc*.d/* scripts are just symbolic links to /sbin/init.d scripts!

  /sbin/rc1.d/K270cron  --(link)-->  /sbin/init.d/cron  <--(link)--  /sbin/rc2.d/S730cron


What's in an init.d Script?

• Scripts in /sbin/init.d accept a single argument.
• Scripts do one of four things, depending on the argument value.
• Sample init.d script (simplified):

  /sbin/init.d/cron:

  case $1 in
  start_msg) echo "Start clock daemon" ;;
  stop_msg)  echo "Stop clock daemon" ;;
  start)     # Commands to start cron
             ;;
  stop)      # Commands to kill cron
             ;;
  esac

• Never modify the scripts in /sbin/init.d!


/etc/rc.config.d/* Files

• You may wish to disable a service that's not needed, or enable a new service.
• Services may be enabled or disabled via control variables.
• Control variables are defined in files under /etc/rc.config.d.
• /sbin/init.d/ scripts source the /etc/rc.config.d/* files.

  /etc/rc.config.d/cron
  CRON=1          # Set control variable to 1 to enable
                  # Set control variable to 0 to disable

  /sbin/init.d/cron (simplified)
  case $1 in
  start_msg) echo "Start clock daemon" ;;
  stop_msg)  echo "Stop clock daemon" ;;
  start)     if [ "$CRON" -eq 1 ]; then
                 # commands to start the cron daemon
             fi ;;
  stop)      if [ "$CRON" -eq 1 ]; then
                 # commands to kill the cron daemon
             fi ;;
  esac

Changing the control variable, not the script, is how a service is switched off; the script in /sbin/init.d stays as HP shipped it.


Pulling It All Together

  At shutdown, /sbin/rc runs the K scripts:   At startup, /sbin/rc runs the S scripts:
  /sbin/rc1.d/K500inetd                       /sbin/rc2.d/S340net
  /sbin/rc1.d/K660net                         /sbin/rc2.d/S500inetd
  /sbin/rc2.d/K900nfs                         /sbin/rc3.d/S100nfs.server

  Startup/Shutdown Scripts    Configuration Files
  /sbin/init.d/*              /etc/rc.config.d/*
  net                         netconf
  inetd                       netdaemons
  nfs.server                  nfsconf
  nis.client                  namesvrs


Viewing Console Messages When Changing Run Levels

1. init brings the system to run level 2.
2. init calls /sbin/rc.
3. /sbin/rc executes the /sbin/rc2.d/S* scripts with the start_msg argument:

  Start clock daemon..................[    ]
  Start internet services daemon......[    ]
  Start NFS client subsystem..........[    ]

4. /sbin/rc executes the /sbin/rc2.d/S* scripts with the start argument and fills in each result:

  Start clock daemon..................[N/A]
  Start internet services daemon......[OK ]
  Start NFS client subsystem..........[OK ]

  Transition to run level 2 complete.

N/A means the script declined to start the service (for example because its control variable is 0); a script that returns failure is shown as FAIL.


Creating Custom Startup Scripts

1. cp /sbin/init.d/template /sbin/init.d/myservice
2. vi /sbin/init.d/myservice
   a. Edit start_msg statement
   b. Edit stop_msg statement
   c. Edit start statement
      i.   Change CONTROL_VARIABLE to MYSERVICE
      ii.  Add command to start your service
      iii. Add command set_return
   d. Edit stop statement
      i.   Change CONTROL_VARIABLE to MYSERVICE
      ii.  Add command to stop your service
      iii. Add command set_return
3. vi /etc/rc.config.d/myservice
   a. Add single line, MYSERVICE=1
4. ln -s /sbin/init.d/myservice /sbin/rc3.d/S900myservice
   ln -s /sbin/init.d/myservice /sbin/rc2.d/K100myservice
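The four steps above produce a script like the following. It is an added example written for this page, not the course's /sbin/init.d/template and not an HP-supplied script. The service name myservice and its control variable MYSERVICE are the hypothetical ones from the procedure; the RC_CONFIG and PIDFILE environment overrides are this example's own so it can be exercised outside /etc, and a sleeping background process stands in for the real daemon. The return codes follow the rc convention the console messages show: 0 is OK, 1 is FAIL, 2 is N/A (service disabled).

```shell
#!/bin/sh
# Added example, not the HP template: /sbin/init.d/myservice written in the
# HP-UX rc convention (on HP-UX the interpreter line would be #!/sbin/sh).
# RC_CONFIG and PIDFILE are overridable only so the script can be tested
# in a scratch directory; the defaults are where a real script would look.

RC_CONFIG="${RC_CONFIG:-/etc/rc.config.d/myservice}"
PIDFILE="${PIDFILE:-/var/run/myservice.pid}"

rval=0

# set_return: called right after the start/stop command; turns any non-zero
# exit status into the rc "FAIL" return value (1), as the HP template does.
set_return() {
    x=$?
    if [ $x -ne 0 ]; then
        echo "EXIT CODE: $x"
        rval=1
    fi
}

# myservice_rc ACTION -> returns 0 (OK), 1 (FAIL) or 2 (N/A, disabled)
myservice_rc() {
    rval=0
    MYSERVICE=0                          # disabled unless the config enables it
    [ -r "$RC_CONFIG" ] && . "$RC_CONFIG"

    case "$1" in
    start_msg)
        echo "Starting myservice daemon"
        ;;
    stop_msg)
        echo "Stopping myservice daemon"
        ;;
    start)
        if [ "$MYSERVICE" -eq 1 ]; then
            # stand-in for the real daemon: a detached sleep whose PID we record
            sleep 300 </dev/null >/dev/null 2>&1 &
            echo $! > "$PIDFILE"
            set_return
        else
            rval=2                       # control variable is 0: report N/A
        fi
        ;;
    stop)
        if [ "$MYSERVICE" -eq 1 ] && [ -f "$PIDFILE" ]; then
            kill "$(cat "$PIDFILE")" 2>/dev/null
            set_return
            rm -f "$PIDFILE"
        else
            rval=2
        fi
        ;;
    *)
        echo "usage: $0 {start|stop|start_msg|stop_msg}"
        rval=1
        ;;
    esac
    return $rval
}

# /sbin/rc invokes the script with exactly one argument; with none (e.g. when
# the file is sourced) nothing runs.
if [ $# -gt 0 ]; then
    myservice_rc "$1"
    exit $?
fi
```

With MYSERVICE=0 in the config file, start and stop both return 2 and the console shows N/A; with MYSERVICE=1, start records the PID and returns 0, and stop kills that PID and removes the PID file. Installed as /sbin/init.d/myservice with the S900/K100 links from step 4, the service starts when the system reaches run level 3 and is stopped when it drops to run level 2.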


Lab activity
NFS Concepts

Module 9
What Is NFS?

NFS is a service for sharing files and directories across a LAN.
NFS works across multiple UNIX and PC platforms.
NFS allows transparent access to files from any node on the LAN.

[Figure: a server's root file system (usr, home with user1, user2, user3, tmp) shared with client workstations]

"I need to share my home directories with other systems on the network."


What Files Should I Share via NFS?

Good candidates for file sharing via NFS:
• Home directories
• Application files under /opt
• Operating system files under /usr
• Data files used by multiple nodes

Poor candidates for file sharing via NFS:
• Device files under /dev
• System-specific configuration files under /etc
• Dynamic operating system files under /var
• Single-user mode command files under /sbin

"I'll share my home directories!"


NFS Servers and Clients

  NFS Server                          NFS Client
  /                                   /
    usr   home   tmp                    usr   home   tmp
          user1 user2 user3                   user1 user2 user3
  Exported NFS file system (/home)    Mounted NFS file system (/home)


NFS Remote Procedure Calls

1. The client executes until it reaches the remote call, sends an RPC call message to the server, and blocks.
2. The server is invoked and the requested procedure is called.
3. The server executes the procedure.
4. The procedure returns and the request is completed.
5. The server sends an RPC return message; the client continues execution.


NFS portmap and rpcbind Daemons

The portmap/rpcbind daemon on the NFS server tells clients where each RPC service is listening, so that incoming RPC requests reach the appropriate RPC daemon.

  Port    Daemon        RPC program number
  111     rpcbind       (the port mapper itself)
  2049    nfsd          100003 (nfs)
  4955    rpc.mountd    100005 (mountd); port assigned dynamically, 4955 in this example

A client first asks rpcbind on port 111 for the port registered by program 100003 (nfs) or 100005 (mountd), then sends its request directly to that port.


NFS Stateless Servers

Server: "When my clients request access to a file, I just send back a file handle. I don't keep track of which files my clients are using."
Client: "After my initial lookup request, I can simply identify the file I want to access by its file handle."

  client -> server:  lookup(/home/user1/data)
  server -> client:  file handle: 1234

Implications
• Improved performance
• NFS servers can reboot with minimal impact on their clients
• NFS clients can reboot with minimal impact on their servers
• Stale file handle errors may occur if a client removes a file being used by other clients
• File locking and other stateful operations are more complicated


NFS PV2 versus NFS PV3

• NFS PV2 was used through HP-UX 10.20.
• NFS PV3 was first implemented at HP-UX 11.00.
• Features and benefits of NFS PV3 include:
  • Improved performance
  • Large file support
  • AutoFS support
  • NFS over TCP support


NFS versus CIFS

  Sharing files via NFS         Sharing files via CIFS
  UNIX <--NFS--> UNIX           UNIX <--CIFS--> UNIX
  UNIX <--NFS--> Windows        UNIX <--CIFS--> Windows
                                Windows <--CIFS--> Windows

CIFS provides an easier, more flexible mechanism for sharing files and directories between HP-UX and Windows PCs using Microsoft's CIFS protocol.
Configuring NFS

Module 10
NFS Configuration Considerations

• Which files and directories should be shared?
• What is an appropriate client-to-server ratio?
• Which system should be used as the NFS server?
• What are the implications if the server goes down?
• What superuser access will be allowed?

[Figure: NFS server exporting /home (user1, user2, user3) to NFS clients]


Configuring NFS Servers and Clients

1. Keep UIDs and GIDs consistent.


2. Configure the NFS server.
a. Ensure the NFS subsystem is in the kernel.
b. Edit the server’s /etc/rc.config.d/nfsconf file.
c. Start NFS server daemons.
d. Create the /etc/exports file.
e. Export the directories.
f. Check the server configuration.
3. Configure the NFS client.
a. Ensure the NFS subsystem is in the kernel.
b. Edit the client’s /etc/rc.config.d/nfsconf file.
c. Start NFS client daemons.
d. Create a new entry in the /etc/fstab file.
e. Mount the NFS file system.
f. Check the client configuration.
4. Keep the time synchronized with all other nodes.



Keep UIDs and GIDs Consistent

NFS identifies users by numeric UID and GID, not by name. If the server and client assign the same name different UIDs, ownership is misinterpreted:

  server:/etc/passwd                        client:/etc/passwd
  user1:…:101:100:…:/home/user1:…           user1:…:103:100:…:/home/user1:…
  user2:…:102:100:…:/home/user2:…           user2:…:102:100:…:/home/user2:…
  user3:…:103:100:…:/home/user3:…           user3:…:101:100:…:/home/user3:…

On the server /home/user1 is owned by UID 101. On the client UID 101 is user3, so /home/user1 appears to be owned by user3, and user3 gets the owner's permissions on it.

Note: Avoid this user configuration!


Ensure That the NFS Subsystem Is in the Kernel

[Figure: server kernel with the Network subsystem and the NFS subsystem layered above the LANIC]

Verify that the NFS subsystem is in the server's kernel.


Edit NFS Server's Configuration File

At boot, /sbin/init reads /etc/inittab and runs /sbin/rc, which executes the /sbin/rc2.d/* scripts (/sbin/init.d/nfs.core, /sbin/init.d/nfs.client) and then the /sbin/rc3.d/* scripts (/sbin/init.d/nfs.server). nfs.client and nfs.server read their control variables from /etc/rc.config.d/nfsconf.

  /etc/rc.config.d/nfsconf (server)
  NFS_CLIENT=1
  NFS_SERVER=1        # Required!
  NUM_NFSD=16         # Required!
  NUM_NFSIOD=16
  PCNFS_SERVER=1      # Optional!
  START_MOUNTD=1      # Required!
  NFS_TCP=1           # Optional!


Start NFS Server Daemons

  NFS Server daemons          NFS Client daemons
  rpcbind                     rpcbind
  nfsd (16 instances)         biod (16 instances, optional)
  rpc.mountd                  rpc.statd
  rpc.statd                   rpc.lockd
  rpc.lockd
  rpc.pcnfsd (optional)

To start the NFS server daemons:

  # /sbin/init.d/nfs.server start


Create the /etc/exports File

Examples:

  1. /usr/share/man
  2. /home -access=oakland:la
  3. /opt/games -ro
  4. /opt/appl -access=oakland:la,ro
  5. /usr/local -rw=oakland
  6. /etc/opt/appl -root=oakland,access=la

Options: -ro exports read-only; -rw=hosts exports read-write to the listed hosts and read-only to everyone else; -access=hosts restricts mounting to the listed hosts; -root=hosts lets root on the listed hosts act as UID 0 on the export instead of being mapped to the anonymous user. With no -access list, any host that can reach the server may mount the directory, so example 1 is readable and writable by every host on the network.

"I can use the /etc/exports file to control which clients mount my file systems!"
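A small audit of an /etc/exports file against the option semantics just described, as an added example that is not part of the course. It is POSIX sh, runs on a copy of the file without touching the NFS server, and its flag names (world-mount, world-write, root-remap-off, restricted) are this example's own vocabulary.

```shell
#!/bin/sh
# Added example, not from the course: flag /etc/exports entries that are
# wider than they need to be. Understands the exports(4) options used on
# the slide: ro, rw[=hosts], access=hosts, root=hosts. Defaults follow
# exports(4): no access= list means any host may mount; no ro and no rw=
# list means any host may write.

# export_risk "<exports line>" -> prints "<dir> <flags>", flags being a
# comma-separated subset of:
#   world-mount      no access= list, any host may mount the directory
#   world-write      writable by any host (no ro, no rw= list, no access=)
#   root-remap-off   root= grants UID 0 to the listed clients
# or "restricted" when nothing is worth flagging.
export_risk() {
    line=$1
    set -f                      # no pathname expansion while splitting
    set -- $line
    set +f
    dir=$1
    opts=${2#-}                 # "-access=a:b,ro" -> "access=a:b,ro"
    has_access=0; has_ro=0; has_rwlist=0; has_root=0
    oldifs=$IFS; IFS=,
    for o in $opts; do
        case "$o" in
            access=*) has_access=1 ;;
            ro)       has_ro=1 ;;
            rw=*)     has_rwlist=1 ;;
            root=*)   has_root=1 ;;
        esac
    done
    IFS=$oldifs
    flags=""
    [ $has_access -eq 0 ] && flags="world-mount"
    if [ $has_access -eq 0 ] && [ $has_ro -eq 0 ] && [ $has_rwlist -eq 0 ]; then
        flags="${flags:+$flags,}world-write"
    fi
    [ $has_root -eq 1 ] && flags="${flags:+$flags,}root-remap-off"
    echo "$dir ${flags:-restricted}"
}

# audit_exports FILE -> prints one "<dir> <flags>" line per export entry;
# returns the number of entries carrying a world-* flag (0 = nothing found;
# the shell caps return values at 255).
audit_exports() {
    n=0
    while IFS= read -r l || [ -n "$l" ]; do
        case "$l" in ''|'#'*) continue ;; esac
        r=$(export_risk "$l")
        echo "$r"
        case "$r" in *world-*) n=$((n + 1)) ;; esac
    done < "$1"
    return $n
}
```

Run over the six example entries above, the audit flags /usr/share/man as world-mount,world-write, /opt/games and /usr/local as world-mount, /etc/opt/appl as root-remap-off, and reports /home and /opt/appl as restricted. Because rpcbind and showmount answer anyone, a world-mount entry is discoverable from any host on the network; deciding whether that is acceptable is the point of the "what superuser access will be allowed" question at the start of this module.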


Export the Directories

  # exportfs -a

exportfs -a reads /etc/exports and records each exported directory, with its options, in /etc/xtab. rpc.mountd on the server consults /etc/xtab when a client asks to mount a directory, so an entry added to /etc/exports has no effect until exportfs is run again.

  /etc/exports            /etc/xtab
  /usr/share/man          /usr/share/man
  /opt/games -ro          /opt/games -ro

  # exportfs          (with no arguments, lists what is currently exported)


Check the Server Configuration

Are the NFS server daemons registered with rpcbind?

  # rpcinfo -p [server]
     program vers proto   port  service
      100003    2   tcp   2049  nfs
      100003    3   tcp   2049  nfs

What file systems have been exported, and to whom?

  # showmount -e [server]
  /usr/share/man (everyone)
  /opt/games (everyone)

What export options were specified?

  # exportfs
  /usr/share/man
  /opt/games -ro

Which clients currently have file systems mounted from the server?

  # showmount -a [server]
  client:/usr/share/man
  client:/opt/games

Any host that can reach the server can run the same rpcinfo and showmount queries, so "(everyone)" in the showmount -e output means exactly that.


Ensure That the NFS Subsystem Is in the Kernel

[Figure: client kernel with the Network subsystem and the NFS subsystem layered above the LANIC]

Verify that the NFS subsystem is in the client's kernel.


Edit the Client's Configuration File

The same boot sequence applies on the client: /sbin/init reads /etc/inittab and runs /sbin/rc, which executes /sbin/init.d/nfs.core and /sbin/init.d/nfs.client from /sbin/rc2.d/* and /sbin/init.d/nfs.server from /sbin/rc3.d/*. The control variables again come from /etc/rc.config.d/nfsconf.

  /etc/rc.config.d/nfsconf (client)
  NFS_CLIENT=1        # Required!
  NFS_SERVER=1
  NUM_NFSD=16
  NUM_NFSIOD=16       # Optional!
  PCNFS_SERVER=1
  START_MOUNTD=1
  NFS_TCP=1           # Optional!

On a host that is only a client, set NFS_SERVER=0 and START_MOUNTD=0 so that nfsd and rpc.mountd are not started and nothing is exported from it.


Start NFS Client Daemons

  NFS Server daemons          NFS Client daemons
  rpcbind                     rpcbind
  nfsd (16 instances)         biod (16 instances, optional)
  rpc.mountd                  rpc.statd
  rpc.statd                   rpc.lockd
  rpc.lockd
  rpc.pcnfsd (optional)

To start the NFS client daemons:

  # /sbin/init.d/nfs.client start


Create a New Entry in /etc/fstab

  client:/etc/fstab
  server:/home   /home   nfs   defaults   0   0

  Field          Meaning
  server:/home   NFS server and exported file system
  /home          mount point on the client
  nfs            file system type
  defaults       mount options
  0              backup frequency
  0              fsck order


Mount the NFS File System

  Mount examples                 Umount examples
  # mount server:/home /home     # umount server:/home
  # mount /home                  # umount /home
  # mount -aF nfs                # umount -aF nfs
  # mount -a                     # umount -a
  # mount -v


Check the Client Configuration

Are the NFS client daemons running?

  # ps -e | grep -e rpc -e biod
  1000 ?  0:00 biod
  1010 ?  0:00 rpcbind
  1020 ?  0:00 rpc.lockd
  1030 ?  0:00 rpc.statd

What file systems are available from the server?

  # showmount -e server
  /usr/share/man (everyone)
  /opt/games (everyone)
  /home oakland,la

What file systems do I have mounted?

  # mount -v
  /dev/vg00/lvol1 on /stand type hfs defaults on Sat Jan 1 2004
  /dev/vg00/lvol3 on / type vxfs defaults on Sat Jan 1 2004
  server:/home on /home type nfs defaults,NFSv3 on Sat Jan 1 2004


Review: Configuring NFS Servers and Clients

1. Keep UIDs and GIDs consistent.


2. Configure the NFS server.
a. Ensure the NFS subsystem is in the kernel.
b. Edit the server’s configuration file.
c. Start NFS server daemons.
d. Create the /etc/exports file.
e. Export the directories.
f. Check the server configuration.
3. Configure the NFS client.
a. Ensure the NFS subsystem is in the kernel.
b. Edit the client’s configuration file.
c. Start NFS client daemons.
d. Create a new entry in /etc/fstab.
e. Mount the NFS file system.
f. Check the client configuration.
4. Keep the time synchronized with all other nodes.



Common NFS Problems

• The /etc/exports file is missing, incomplete, or erroneous.
• The /etc/exports file restricts file system access.
• The /etc/exports file contains aliases rather than official host names.
• A new entry in /etc/exports was not exported with exportfs.
• The rpcbind daemon was accidentally killed.
• The rpc.mountd daemon is not running on the server.
• The NFS server is down.
• The NFS server is heavily loaded.


Monitoring NFS Activity with nfsstat

  # nfsstat -s

  Server rpc:
  Connection oriented (TCP):
  calls      badcalls   nullrecv   badlen     xdrcall    dupchecks  dupreqs
  50505334   0          0          0          0          16826459   0
  Connectionless oriented (UDP):
  calls      badcalls   nullrecv   badlen     xdrcall    dupchecks  dupreqs
  11         0          0          0          0          0          0

  Server nfs:
  calls      badcalls
  38543      0

  Version 2: (0 calls)
  null       getattr    setattr    root       lookup     readlink   read
  0 0%       0 0%       0 0%       0 0%       0 0%       0 0%       0 0%
  wrcache    write      create     remove     rename     link       symlink
  0 0%       0 0%       0 0%       0 0%       0 0%       0 0%       0 0%
  mkdir      rmdir      readdir    statfs
  0 0%       0 0%       0 0%       0 0%

  Version 3: (50505345 calls)
  null       getattr    setattr    lookup     access     readlink   read
  write      create     mkdir      symlink    mknod      remove     rmdir
  rename     link       readdir    readdir+   fsstat     fsinfo     pathconf
  (per-procedure counts for Version 3 as they survived extraction; the column alignment is lost:
   4 0%, 118 0%, 2007 0%, 33678605 66%, 106 0%, 0 0%, 0 0%,
   49 0%, 16822390 0%, 0 0%, 0 0%, 0 0%, 1921 0%, 0 0%,
   46 0%, 0 0%, 0 0%, 0 0%, 0 0%, 4 0%, 0 0%)

badcalls counts RPC requests the server rejected; a badcalls figure that keeps rising points at a misbehaving or hostile client rather than at load.


Lab activity
Configuring AutoFS

Module 11
AutoFS Concepts

AutoFS is an NFS client-side service that
• Automatically mounts NFS file systems when needed
• Automatically unmounts NFS file systems that are no longer being accessed
• May be configured to provide load balancing across multiple NFS servers

"I only want to NFS mount users' home directories when they actually log in..."

[Figure: NFS server and NFS clients]


AutoFS Maps

Q: Which file systems are managed by AutoFS?


Q: Which servers should AutoFS query to mount those file systems?
Q: Are any NFS mount options required?

A: The AutoFS map files have the answers!



AutoFS Commands and Daemons

Users and processes make ordinary file access requests under AutoFS-managed directories such as /net, /drawings and /home. The kernel's autofs file system intercepts the first access to such a path and passes a mount request to the automountd daemon, which consults the AutoFS map files and performs the NFS mount (and, later, the umount) against the NFS server. The autofs_proc process issues the umount requests for file systems that have gone idle.

  mount table:
  /stand      HFS
  /net        AutoFS
  /drawings   AutoFS
  /home       AutoFS


Starting and Stopping AutoFS

Enable AutoFS in /etc/rc.config.d/nfsconf:

  NFS_CLIENT=1
  AUTOMOUNT=1             # 11i v1 only
  AUTOFS=1
  AUTOMOUNT_OPTIONS=""
  AUTOMOUNTD_OPTIONS=""

Start/stop AutoFS (it is started and stopped together with the NFS client):

  # /sbin/init.d/nfs.client start
  # /sbin/init.d/nfs.client stop

Check AutoFS:

  # ps -ef | grep automountd
  # ps -ef | grep autofs_proc
  # mount -v


Configuring the AutoFS Master Map

  /etc/auto_master
  /net        -hosts               -soft,nosuid
  /drawings   /etc/auto.drawings
  /home       /etc/auto.home
  /-          /etc/auto.direct

Resulting top-level directories on the client: /drawings, /home and /net are autofs mount points; /opt is an ordinary local directory.

The master map answers two questions: which mount point directories are managed by AutoFS, and which maps AutoFS should consult for them. It tells AutoFS where to find all other AutoFS maps!


Configuring the AutoFS -hosts Map

  /etc/auto_master
  /net -hosts -soft,nosuid

  # ll /net/svr1

AutoFS mounts all NFS file systems exported by svr1!

Configuring the -hosts map allows users to automatically mount file systems from any NFS server just by accessing /net/servername:
• No need to issue a mount command!
• No need to modify /etc/fstab!

Because any user can trigger a mount from any server this way, keep the nosuid option on the /net entry: it prevents set-user-ID programs living on a remote server's file system from running with elevated privilege on the client. The soft option makes a hung server return an error to the user instead of blocking the client indefinitely.


Configuring the AutoFS Direct Map

Use the direct map to automatically mount NFS file systems on multiple unrelated mount points.

  /etc/auto_master
  /-   /etc/auto.direct

  /etc/auto.direct
  Client-side mount point    Mount options    NFS server source
  /usr/contrib/games         -ro              gamesvr:/usr/contrib/games
  /opt/tools                 -ro              toolsvr:/opt/tools
  /var/mail                  -rw              mailsvr:/var/mail


Configuring the AutoFS Indirect Maps

Use indirect maps to automatically mount multiple file systems under a common parent directory.

  /etc/auto_master
  Parent directory   Map
  /drawings          /etc/auto.drawings

  /etc/auto.drawings
  Mount point   Mount options   NFS server source
  gizmos        -ro             gizmosvr:/drawings/gizmos
  gadgets       -ro             gadgetsvr:/drawings/gadgets
  widgets       -ro             widgetsvr:/drawings/widgets


Comparing Direct versus Indirect Maps

Direct Maps
• Direct-mounted and local file systems may coexist in the same parent directory
• Large direct maps quickly lead to cluttered mount tables
• The automount command must be executed every time the direct map changes

Indirect Maps
• Indirect-mounted and local file systems may not coexist in the same parent directory
• Each indirect map yields just one entry in the mount table
• AutoFS automatically recognizes indirect map changes


Mounting Home Directories with AutoFS

[Figure: NFS servers sales and accts export /home/sales (user1, user2) and /home/accts (user3, user4).]

/etc/passwd
    user1:x:101:101::/home/sales/user1:/usr/bin/sh
    user2:x:102:101::/home/sales/user2:/usr/bin/sh
    user3:x:103:101::/home/accts/user3:/usr/bin/sh
    user4:x:104:101::/home/accts/user4:/usr/bin/sh

/etc/auto_master
    /home   /etc/auto.home

/etc/auto.home
    sales   sales:/home/sales
    accts   accts:/home/accts


Mounting Home Directories with AutoFS Key Substitution

[Figure: NFS servers sales and accts export /home/sales (user1, user2) and /home/accts (user3, user4).]

/etc/passwd
    user1:x:101:101::/home/sales/user1:/usr/bin/sh
    user2:x:102:101::/home/sales/user2:/usr/bin/sh
    user3:x:103:101::/home/accts/user3:/usr/bin/sh
    user4:x:104:101::/home/accts/user4:/usr/bin/sh

/etc/auto_master
    /home   /etc/auto.home

/etc/auto.home
    *   &:/home/&


Configuring AutoFS to Access Replicated Servers

Replicated servers provide load balancing and high availability for read-only file systems!

[Figure: three NFS servers, toolsvr1, toolsvr2 and toolsvr3, each exporting /opt/tools. The client says: "I'll poll all three servers and mount /opt/tools from the first server that responds!"]

/etc/auto_master
    /-   /etc/auto.direct

/etc/auto.direct
    /opt/tools   -ro   toolsvr1:/opt/tools \
                       toolsvr2:/opt/tools \
                       toolsvr3:/opt/tools
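The following is an added example, not code from the course or from HP-UX: it models how AutoFS turns a pathname into an NFS source by consulting the master map, a direct map, an indirect map and the -hosts map, including the "*" wildcard key with "&" key substitution shown on the home-directory slides and the backslash-continued replicated-server entry shown above. The map contents are constructed sample data (the widgets entry is deliberately left out of the indirect map so that a miss can be demonstrated); the choice among replicated servers is left to the caller, since the real AutoFS picks the first server that responds.

```python
"""Resolve a pathname through AutoFS-style maps (added example, not HP-UX code).

Models the master, direct, indirect and -hosts map semantics from the slides,
including the '*' wildcard key with '&' substitution and a replicated server
list.  All map contents below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

AUTO_MASTER = """\
/net        -hosts              -soft,nosuid
/drawings   /etc/auto.drawings
/home       /etc/auto.home
/-          /etc/auto.direct
"""

MAP_FILES = {
    "/etc/auto.direct": """\
/usr/contrib/games  -ro  gamesvr:/usr/contrib/games
/opt/tools          -ro  toolsvr1:/opt/tools \\
                         toolsvr2:/opt/tools \\
                         toolsvr3:/opt/tools
/var/mail           -rw  mailsvr:/var/mail
""",
    "/etc/auto.drawings": """\
gizmos   -ro  gizmosvr:/drawings/gizmos
gadgets  -ro  gadgetsvr:/drawings/gadgets
""",
    "/etc/auto.home": """\
*   &:/home/&
""",
}


@dataclass
class MapEntry:
    key: str
    options: str           # e.g. "-ro" ("" when the entry has none)
    locations: List[str]   # one or more server:/path sources


def _join_continuations(text: str) -> List[str]:
    """Join lines ending in a backslash; skip blanks and '#' comments."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        lines.append(buf + line)
        buf = ""
    if buf:
        lines.append(buf.strip())
    return lines


def parse_map(text: str) -> Dict[str, MapEntry]:
    """Parse 'key [-options] location...' lines into MapEntry objects."""
    entries = {}
    for line in _join_continuations(text):
        fields = line.split()
        key, rest = fields[0], fields[1:]
        options = ""
        if rest and rest[0].startswith("-"):
            options, rest = rest[0], rest[1:]
        entries[key] = MapEntry(key, options, rest)
    return entries


def parse_master(text: str) -> List[tuple]:
    """Return (mount_point, map_name, default_options) tuples."""
    rows = []
    for line in _join_continuations(text):
        f = line.split()
        rows.append((f[0], f[1], f[2] if len(f) > 2 else ""))
    return rows


def resolve(path: str) -> Optional[dict]:
    """Map a client pathname to its map type, options and NFS source(s).

    Returns None when no AutoFS map covers the path (a local directory).
    """
    for mount_point, map_name, defaults in parse_master(AUTO_MASTER):
        if map_name == "-hosts":
            # /net/<server>/...: all of <server>'s exports are mounted
            if path.startswith(mount_point + "/"):
                server = path[len(mount_point) + 1:].split("/")[0]
                return {"type": "hosts", "options": defaults,
                        "locations": [server + ":/"]}
            continue
        entries = parse_map(MAP_FILES[map_name])
        if mount_point == "/-":
            # direct map: keys are absolute client-side mount points
            for key, entry in entries.items():
                if path == key or path.startswith(key + "/"):
                    return {"type": "direct", "options": entry.options or defaults,
                            "locations": entry.locations}
        elif path.startswith(mount_point + "/"):
            # indirect map: the key is the first component under the mount point
            key = path[len(mount_point) + 1:].split("/")[0]
            entry = entries.get(key) or entries.get("*")
            if entry is None:
                return None
            # '&' stands for the key that matched this entry
            return {"type": "indirect", "options": entry.options or defaults,
                    "locations": [loc.replace("&", key) for loc in entry.locations]}
    return None


if __name__ == "__main__":
    for p in ("/home/sales/user1", "/opt/tools/bin", "/net/svr1/data",
              "/drawings/gizmos", "/drawings/widgets", "/stand"):
        print(p, "->", resolve(p))
```

Running the block prints one line per sample path; a None result means the path is local and AutoFS will not intervene, which is exactly what the "may not coexist" rule for indirect maps is about.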


Troubleshooting AutoFS

• Verify that /etc/rc.config.d/nfsconf is configured properly.
• Verify that the AutoFS daemons are running.
• Verify that the AutoFS maps are configured properly.
• Verify that DNS resolves the NFS server's hostname properly.
• Verify that you have network connectivity to the NFS server.
• Verify that the NFS server daemons are running.
• Verify that the NFS server has exported the file systems in question.
• Consider stopping and restarting AutoFS.
• Consider enabling AutoFS logging.
• Determine if the NFS server is overloaded.


Comparing AutoFS with Automounter

• Automounter is the predecessor to AutoFS
• Automounter is available on 11.00 and 11i v1, but not on 11i v2
• Automounter's purpose and maps are identical to AutoFS
• Automounter is inferior to AutoFS in several ways:
  • Automounter isn't supported in 11i v2 or any future releases
  • Automounter doesn't support NFSv3
  • Automounter direct maps may cause "mount storms"
  • Automounter mounts file systems in /tmp_mnt
  • Automounter must be restarted when the master or direct maps change


Lab activity
Configuring DNS

Module 12
Resolving Host Names to IP Addresses

Name resolution possibilities: DNS/BIND, /etc/hosts, NIS


DNS Overview

DNS components:
• Hierarchical name space
• Name servers
• Resolvers


The DNS Hierarchical Name Space

[Figure: a tree of domains and hosts.]
    Domains:  edu, com, gov
              under com: sun, hp, ibm
              under hp:  il, ca, ny
    Hosts:    under il: chicago, peoria, rockford
              under ca: sanfran, oakland, la
              under ny: nyc, albany, buffalo


Public and Private Name Spaces

[Figure: two trees rooted at ".". The public name space has edu, com and gov under the root; sun, hp and ibm under com; il, ca and ny under hp; and the hosts chicago, peoria, rockford, sanfran, oakland, la, nyc, albany and buffalo below those. The private name space contains only com, hp and the same il/ca/ny subtrees.]

Public Name Space
• Domain names registered with ICANN
• ICANN administers top-level name servers
• Required for hosts connected to the Internet

Private Name Space
• No need to register a domain name
• You administer all name servers
• Only possible on isolated networks


in-addr.arpa Name Space

[Figure: two trees side by side. Forward: com > hp > ca > sanfran (128.1.1.1), oakland (128.1.1.2), la (128.1.1.3). Reverse: arpa > in-addr > 1 ... 128 ... 254 > 0 ... 1 ... 255 > 0 ... 1 ... 255 > 1, 2, 3 > sanfran, oakland, la.]

sanfran.ca.hp.com = 1.1.1.128.in-addr.arpa.


DNS Name Servers

[Figure: the ca.hp.com name server says: "I'm the authoritative source for all queries about ca.hp.com!"]

ca.hp.com resolver records:
    sanfran.ca.hp.com = 1.1.1.128.in-addr.arpa
    oakland.ca.hp.com = 2.1.1.128.in-addr.arpa
    la.ca.hp.com      = 3.1.1.128.in-addr.arpa

[The hosts sanfran, oakland and la say: "We send all of our name resolution requests to our local name server!"]


DNS Name Server Zones

[Figure: the root (.) with com., edu. and gov. below it; hp. under com.; and the subdomains corp, ca, az, il, ga, wa, ny, tx and nc under hp. The hp.com zone covers the hp.com domain minus its delegated subdomains, which are served as zones of their own.]


Resolving Host Names in the Local Domain

[Figure: oakland.ca.hp.com runs "# telnet la.ca.hp.com", asks the ca.hp.com NS "la.ca.hp.com?" and receives "la = 128.1.1.3".]

ca.hp.com NS records:
    sanfran   128.1.1.1
    oakland   128.1.1.2
    la        128.1.1.3


Resolving Host Names in Other Domains

oakland# telnet atlanta.ga.hp.com

[Figure: the sequence of queries.]
    1. oakland asks the ca.hp.com NS:        atlanta.ga.hp.com?
    2. The ca.hp.com NS asks the . NS:       atlanta.ga.hp.com?   Reply: go to the com. NS!
    3. The ca.hp.com NS asks the com. NS:    atlanta.ga.hp.com?   Reply: go to the hp.com. NS!
    4. The ca.hp.com NS asks the hp.com. NS: atlanta.ga.hp.com?   Reply: go to the ga.hp.com. NS!
    5. The ca.hp.com NS asks the ga.hp.com. NS: atlanta.ga.hp.com?   Reply: atlanta = 128.1.3.1
    6. The ca.hp.com NS returns 128.1.3.1 to oakland.
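As an added example (not part of the course material), the referral chain above can be simulated offline. The local server answers from its own zone and otherwise walks the hierarchy from the root, following each referral; a hop limit protects against a delegation loop in bad zone data. The server names root.ns, com.ns, hp.ns and ga.ns and the record tables are constructed; the 128.1.x.x addresses are the ones used on the slides.

```python
"""Iterative DNS resolution across delegations (added example, not course code).

Every server knows the A records of its own zone and NS delegations for its
child zones.  All data is a constructed sample; nothing touches the network.
"""
from typing import Dict, List, Optional, Tuple

SERVERS: Dict[str, dict] = {
    "root.ns": {"zone": ".", "a": {},
                "delegations": {"com.": "com.ns"}},
    "com.ns":  {"zone": "com.", "a": {},
                "delegations": {"hp.com.": "hp.ns"}},
    "hp.ns":   {"zone": "hp.com.", "a": {},
                "delegations": {"ca.hp.com.": "oakland.ca.hp.com.",
                                "ga.hp.com.": "ga.ns"}},
    "ga.ns":   {"zone": "ga.hp.com.",
                "a": {"atlanta.ga.hp.com.": "128.1.3.1"},
                "delegations": {}},
    "oakland.ca.hp.com.": {"zone": "ca.hp.com.",
                           "a": {"sanfran.ca.hp.com.": "128.1.1.1",
                                 "oakland.ca.hp.com.": "128.1.1.2",
                                 "la.ca.hp.com.": "128.1.1.3"},
                           "delegations": {}},
}


def query(server: str, name: str) -> Tuple[str, str]:
    """Ask one server about a fully qualified name.

    Returns ("answer", ip), ("referral", next_server), ("nxdomain", "") when
    the name lies in the server's zone but does not exist, or ("unknown", "")
    when the name is outside the server's zone altogether.
    """
    data = SERVERS[server]
    zone = data["zone"]
    in_zone = zone == "." or name == zone or name.endswith("." + zone)
    if not in_zone:
        return "unknown", ""
    if name in data["a"]:
        return "answer", data["a"][name]
    # follow the delegation whose zone is the longest matching suffix
    best = None
    for child, ns in data["delegations"].items():
        if name == child or name.endswith("." + child):
            if best is None or len(child) > len(best[0]):
                best = (child, ns)
    if best:
        return "referral", best[1]
    return "nxdomain", ""


def resolve(name: str, local_server: str = "oakland.ca.hp.com.",
            max_hops: int = 8) -> Tuple[Optional[str], List[str]]:
    """Resolve a name for a client of local_server.

    Returns (address or None, list of servers contacted in order).
    """
    if not name.endswith("."):
        name += "."
    trail = [local_server]
    kind, value = query(local_server, name)
    if kind == "answer":
        return value, trail          # answered from the local zone
    server = "root.ns"
    for _ in range(max_hops):        # bounded walk down the hierarchy
        trail.append(server)
        kind, value = query(server, name)
        if kind == "answer":
            return value, trail
        if kind != "referral":
            return None, trail       # nxdomain or a server that cannot help
        server = value
    return None, trail               # too many referrals: give up


if __name__ == "__main__":
    print(resolve("la.ca.hp.com"))
    print(resolve("atlanta.ga.hp.com"))
```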


Configuring a Master Server

1. Notify ICANN of your new subdomain.
2. Fully qualify host names in /etc/hosts.
3. Create a directory for the DNS database files.
4. Create a param file for hosts_to_named.
5. Create the DNS data and boot files with hosts_to_named.
6. Download a db.cache file.
7. Modify /etc/rc.config.d/namesvrs.
8. Start the named daemon.
9. Configure DNS client functionality on the master server.

[Figure: the master server, holding the db.* files, says: "I'm the master authoritative source for the domain. Record all new hostnames with me!"]


Configuring a Slave Server

1. Create a directory for the DNS data files.
2. ftp copies of the db.cache and db.127.0.0 files from the master.
3. Create the /etc/named.conf file.
4. Modify /etc/rc.config.d/namesvrs.
5. Start the named daemon.
6. Configure DNS client functionality on the slave server.

[Figure: the slave server, holding its own db.* files, says: "I regularly download all the domain database files from the master so I can be an authoritative source for the domain, too!"]


Configuring a Cache-Only Name Server

1. Create a directory for the DNS data files.
2. ftp copies of the db.cache and db.127.0.0 files from the master.
3. Create the /etc/named.conf file.
4. Modify /etc/rc.config.d/namesvrs.
5. Start the named daemon.
6. Configure DNS client functionality on the cache-only server.

[Figure: the cache-only server says: "I don't download anything from the master server. I just do recursive queries for my clients and cache the results!"]


Testing Name Servers with dig

I can use the dig command to verify that my name server is functioning properly!

Syntax:
    # dig [@NameserverIP] \      # optionally specify a name server to query
          [+short] \             # optionally display short rather than verbose results
          domain | host | -x IP \   # domain, hostname, or IP to resolve
          [querytype]            # optionally specify the query type (eg: a, mx, or ns)

Example: Look up the hostname "oakland.ca.hp.com" using the name server at 128.1.1.1
    # dig @128.1.1.1 +short oakland.ca.hp.com
    128.1.1.2

Example: Look up the IP address 128.1.1.2 using the name server at 128.1.1.1
    # dig @128.1.1.1 +short -x 128.1.1.2
    oakland.ca.hp.com

Example: Look up the name server(s) for the ca domain using the name server at 128.1.1.1
    # dig @128.1.1.1 +short ca.hp.com ns
    sanfran.ca.hp.com
    oakland.ca.hp.com


Configuring DNS Clients

1. Create /etc/resolv.conf
    search ca.hp.com hp.com
    nameserver 128.1.1.1
    nameserver 128.1.1.2

2. Modify /etc/nsswitch.conf
    hosts: dns nis files

3. Modify /etc/hosts
    127.0.0.1   localhost
    128.1.1.3   la.ca.hp.com la

4. Modify ~/.rhosts, /etc/hosts.equiv, and other configuration files, e.g. an entry
    la user1
   becomes
    la.ca.hp.com user1


Configuring the Name Service Switch

Q: Where should I look up host names? DNS? /etc/hosts? NIS?

A: Check /etc/nsswitch.conf!

    hosts: files
or  hosts: dns nis files
or  hosts: dns [NOTFOUND=continue] files
or  hosts: dns [NOTFOUND=return] files


Testing the Resolver with nsquery

I can use the nsquery command to verify that my resolver is functioning properly!

    # nsquery hosts sacramento

    Using "dns [NOTFOUND=continue] files" for the hosts policy

    Searching dns for sacramento.ca.hp.com
    sacramento was NOTFOUND
    Switch configuration: Allows fallback

    Searching /etc/hosts for sacramento.ca.hp.com
    Hostname: sacramento.ca.hp.com
    Aliases:
    Address: 128.1.1.4
    Switch configuration: Terminates search
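The switch logic that nsquery reports above can be reproduced in a few lines. This is an added example, not HP-UX code: the sources dns, nis and files are stood in for by constructed lookup tables (nis is marked unreachable so the UNAVAIL status shows up), the status names and default actions follow nsswitch.conf(4), and the trace returned alongside the address mirrors the "Allows fallback" / "Terminates search" lines of the real tool.

```python
"""Simulate the hosts: policy of /etc/nsswitch.conf (added example, not HP-UX code).

Constructed lookup tables stand in for DNS, NIS and /etc/hosts; the
[STATUS=action] clauses are applied as nsswitch.conf(4) describes them.
"""
import re
from typing import Dict, List, Optional, Tuple

SOURCES: Dict[str, Dict[str, str]] = {          # constructed sample data
    "dns":   {"oakland.ca.hp.com": "128.1.1.2", "la.ca.hp.com": "128.1.1.3"},
    "files": {"localhost": "127.0.0.1", "sacramento.ca.hp.com": "128.1.1.4"},
}
UNAVAILABLE = {"nis"}                            # no NIS server bound in the sample

DEFAULT_ACTIONS = {"SUCCESS": "return", "NOTFOUND": "continue",
                   "UNAVAIL": "continue", "TRYAGAIN": "continue"}


def parse_policy(line: str) -> List[Tuple[str, Dict[str, str]]]:
    """Turn 'hosts: dns [NOTFOUND=return] files' into (source, actions) pairs."""
    _, _, spec = line.partition(":")
    policy: List[Tuple[str, Dict[str, str]]] = []
    for token in re.findall(r"\[[^\]]*\]|\S+", spec):
        if token.startswith("["):
            if not policy:
                raise ValueError("status clause before any source: " + token)
            for status, action in re.findall(r"(\w+)=(\w+)", token):
                policy[-1][1][status.upper()] = action.lower()
        else:
            policy.append((token, dict(DEFAULT_ACTIONS)))
    return policy


def lookup_source(source: str, name: str) -> Tuple[str, Optional[str]]:
    """Query one constructed source and return (status, address)."""
    if source in UNAVAILABLE:
        return "UNAVAIL", None
    table = SOURCES.get(source, {})
    if name in table:
        return "SUCCESS", table[name]
    return "NOTFOUND", None


def gethostbyname(policy_line: str, name: str) -> Tuple[Optional[str], List[str]]:
    """Walk the policy: stop on 'return', fall through on 'continue'.

    Returns (address or None, trace); the trace lists each source consulted
    and the status it produced, in the order nsquery would report them.
    """
    trace: List[str] = []
    for source, actions in parse_policy(policy_line):
        status, addr = lookup_source(source, name)
        trace.append(f"{source}: {status}")
        if actions[status] == "return":
            return addr, trace
    return None, trace


if __name__ == "__main__":
    for policy in ("hosts: dns [NOTFOUND=continue] files",
                   "hosts: dns [NOTFOUND=return] files"):
        print(policy, "->", gethostbyname(policy, "sacramento.ca.hp.com"))
```

The two policies in the usage differ only in the NOTFOUND action, and the trace shows the practical consequence: with [NOTFOUND=return] a host that exists only in /etc/hosts is never found.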


Introducing /etc/named.data

    /etc/named.data   Default directory for all DNS database files
    db.ca             File containing resolver records for the ca.hp.com domain
    db.127.0.0        File containing resolver records for the 0.0.127.in-addr.arpa domain
    db.128.1.1        File containing resolver records for the 1.1.128.in-addr.arpa domain
    db.cache          Locations of the root level name servers, to be loaded in cache at startup


Introducing /etc/named.conf

/etc/named.conf on the master ca.hp.com name server:

    // Define the DNS data directory
    options {
        check-names response fail;
        check-names slave warn;
        directory "/etc/named.data";
    };

    // Define which domains this name server
    // can serve, and which file contains the
    // records for each of those domains. Note
    // this name server is primary for all
    // of the domains listed here.
    zone "ca.hp.com"            { type master; file "db.ca"; };
    zone "0.0.127.IN-ADDR.ARPA" { type master; file "db.127.0.0"; };
    zone "1.1.128.IN-ADDR.ARPA" { type master; file "db.128.1.1"; };
    zone "."                    { type hint;   file "db.cache"; };


Loading the DNS Data Files

[Figure: the start-up sequence, read from the bottom up on the slide.]
    1. System boot initiated
    2. named starts at run level 2              /etc/rc.config.d/namesvrs
    3. named decides which db files to load     /etc/named.conf
    4. named loads db files in cache            /etc/named.data/db.*
    5. Ready to resolve host names!


Updating the Master Server

1. Update /etc/hosts on the master.
    # vi /etc/hosts

2. Rebuild DNS data files with hosts_to_named.
    # cd /etc/named.data
    # hosts_to_named -f param

3. Reload DNS data files in cache with sig_named restart.
    # sig_named restart


Updating the Slave Server

Q: How do I know if my DNS data files are up to date?
Q: When should I refresh my DNS data files?

[Figure: the named daemon on the slave name server.]

A: named consults a data file's SOA record to determine if/when the file must be updated:

    ca.hp.com. IN SOA sanfran.ca.hp.com root.sanfran.ca.hp.com (
            1       ; Serial
            10800   ; Refresh every 3 hours
            3600    ; Retry every 1 hour
            604800  ; Expire after 1 week
            86400 ) ; Minimum TTL of 1 day
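Two small helpers, added here as an example and not taken from the course or from named: the first pair builds the reversed in-addr.arpa names used by the db.128.1.1 zone and the PTR records from the earlier slide, and the second pair parses the SOA record above and applies its Refresh, Retry and Expire timers the way a slave decides whether to wait, poll the master again, transfer the zone or stop serving it. The elapsed-time values in the usage are constructed; the SOA text is the record shown on the slide.

```python
"""in-addr.arpa naming and SOA-driven slave refresh decisions (added example).

Not part of the course material.  The SOA record is the one from the slide;
the timings fed to slave_action() are constructed.
"""
import re
from typing import Dict

SOA_TEXT = """\
ca.hp.com.  IN  SOA  sanfran.ca.hp.com  root.sanfran.ca.hp.com (
                1       ; Serial
                10800   ; Refresh every 3 hours
                3600    ; Retry every 1 hour
                604800  ; Expire after 1 week
                86400 ) ; Minimum TTL of 1 day
"""


def ptr_name(ip: str) -> str:
    """'128.1.1.1' -> '1.1.1.128.in-addr.arpa.' (octets reversed, root-terminated)."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError("not a dotted-quad IPv4 address: " + ip)
    return ".".join(reversed(octets)) + ".in-addr.arpa."


def reverse_zone(network: str) -> str:
    """'128.1.1' -> '1.1.128.in-addr.arpa', the zone name for a db.128.1.1 file."""
    octets = network.split(".")
    if not 1 <= len(octets) <= 3 or not all(o.isdigit() for o in octets):
        raise ValueError("expected 1 to 3 leading octets: " + network)
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def parse_soa(text: str) -> Dict[str, int]:
    """Extract serial, refresh, retry, expire and minimum from an SOA record."""
    body = re.sub(r";[^\n]*", "", text)               # strip ';' comments
    m = re.search(r"SOA\s+\S+\s+\S+\s*\(([^)]*)\)", body)
    if not m:
        raise ValueError("no SOA record found")
    values = [int(v) for v in m.group(1).split()]
    if len(values) != 5:
        raise ValueError("SOA needs 5 numeric fields, got %d" % len(values))
    return dict(zip(("serial", "refresh", "retry", "expire", "minimum"), values))


def slave_action(soa: Dict[str, int], since_ok: int, since_check: int,
                 last_check_failed: bool, master_serial: int) -> str:
    """What a slave does, given seconds since its last good transfer (since_ok)
    and since its last check of the master (since_check).

    - past Expire without a successful refresh: the zone data is discarded
    - after a failed check the slave re-polls every Retry seconds,
      otherwise every Refresh seconds
    - a transfer happens only when the master's serial is higher
    """
    if since_ok >= soa["expire"]:
        return "expired"
    interval = soa["retry"] if last_check_failed else soa["refresh"]
    if since_check < interval:
        return "wait"
    if master_serial > soa["serial"]:
        return "transfer"
    return "up to date"


if __name__ == "__main__":
    soa = parse_soa(SOA_TEXT)
    print(ptr_name("128.1.1.1"), reverse_zone("128.1.1"))
    print(soa, slave_action(soa, 10800, 10800, False, 2))
```

A practical consequence visible in slave_action(): forgetting to bump the serial on the master (step 2 of "Updating the Master Server" does it for you) leaves every slave reporting "up to date" with stale data until the next edit that does increment it.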


Lab activity
Configuring LDAP-UX

Module 13
Managing Users via /etc/passwd

The HP-UX operating system utilizes a variety of configuration files to manage users, groups, and other critical information.

Traditionally, each HP-UX host on a network maintained an independent copy of /etc/passwd, /etc/group, /etc/hosts and other configuration files.

As a result, adding a user, group, or host often required manual updates to multiple configuration files on multiple hosts.

[Figure: four hosts, each with its own /etc/passwd, /etc/group and /etc/hosts. The administrator asks: "How can I ensure that all of my hosts are configured consistently?"]


Managing Users via NIS or LDAP

HP-UX now offers several alternative solutions for managing configuration information.
Of these solutions, LDAP provides the greatest scalability, security, and flexibility.

    Solution             Complexity   Scalability          Security   Interoperability
    Local Config Files   Low          One Host             High       UNIX only
    NIS                  Medium       Hundreds of Hosts    Low        UNIX only
    LDAP Protocol        High         Thousands of Hosts   High       Most OSes, Many Applications


How Does LDAP Work?

• A directory server maintains a database of user, group, and other information
• Clients use the LDAP protocol to issue queries to the directory server
• The directory server retrieves the requested information from the database
• The directory server sends a reply back to the client via the LDAP protocol

[Figure: four LDAP clients send queries to the directory server over the LDAP protocol: "What is user1's UID?", "Who belongs to the users group?", "What is sanfran's IP?", "What is telnet's standard port#?". The directory server's database contains user entries, group entries and other entries.]


Schema

• Multiple applications and operating systems utilize directory services
• Each application may need to store different types of information in the directory
• Directory schema determine what types of information may be stored in a directory
• Directory server schema are extensible, to support various clients and applications
• eg: RFC 2256 defines a schema for representing general information about individuals
• eg: RFC 2307 defines a schema for representing UNIX users, groups, hosts, etc.

The RFC 2307 schema provides LDAP alternatives to:
• /etc/passwd
• /etc/group
• /etc/hosts
• /etc/services
• /etc/networks
• and others...


Object Classes and Attributes

• Every schema defines one or more object classes
• Every object class includes one or more object attributes
• Some attributes are required
• Some attributes are optional
• Some attributes may be included in multiple object classes
• Schema, object classes, and attributes may be customized to meet your needs

    Schema     Object Classes   Attributes (of posixAccount)
    RFC 2307   posixAccount     uidNumber
               posixGroup       gidNumber
               ipHost           gecos
               ipService        homeDirectory
               ipNetwork        loginShell
               and others...    and others...


Directory Entries

• A directory server database contains one or more directory entries
• Each entry contains a list of object classes
• Each entry's object class(es) determines which attributes are allowed in the entry
• Each attribute has one or more values

A sample abbreviated directory entry for user1:

    objectClass: top
    objectClass: account
    objectClass: posixAccount
    cn: user1
    uid: user1
    uidNumber: 101
    gidNumber: 101
    homeDirectory: /home/user1
    loginShell: /usr/bin/sh


Directory Information Trees

• Directory servers organize entries in a hierarchical Directory Information Tree (DIT)
• A directory's tree structure may be customized as desired

[Figure: a sample DIT.]
    o=hp.com
        ou=western
            ou=people:   uid=user1, uid=user2
            ou=groups:   cn=users, cn=adm
        ou=eastern
            ou=people:   uid=user3, uid=user4
            ou=groups:   cn=users, cn=adm

    entry for uid=user1        entry for uid=user3
        uid=user1                  uid=user3
        uidNumber=101              uidNumber=103
        ...                        ...


DNs and RDNs

• Every entry in a DIT is identified by a Relative Distinguished Name (RDN)
• An RDN consists of one or more attribute/value pairs from the entry
• An entry's RDN must distinguish the entry from other entries in the local subtree
• Every entry in a DIT also has a Distinguished Name (DN)
• An entry's DN is a concatenation of RDNs leading to the entry
• An entry's DN must be globally unique across the entire tree

[Figure: o=hp.com > ou=western, ou=eastern; under ou=western: ou=people (uid=user1, uid=user2) and ou=groups (cn=users, cn=admins).]

    RDN: uid=user1
    DN:  uid=user1, ou=people, ou=western, o=hp.com

Common RDN attributes:
• c = country
• st = state or province
• l = locality (county or city)
• dc = DNS domain component
• o = organization
• ou = organizational unit
• uid = user ID
• cn = common name
LDIF Files

Directory entries are commonly displayed, edited, imported, and exported using Lightweight Data Interchange Format (LDIF) files.
• The first line in the LDIF identifies the entry's globally unique DN
• The next few lines identify the object classes represented in the entry
• The remaining lines list the entry's attribute/value pairs

/tmp/user1.ldif

    dn: uid=user1, ou=people, ou=western, o=hp.com
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    objectClass: posixAccount
    uid: user1
    cn: Darren Miller
    sn: Miller
    givenName: Darren
    uidNumber: 101
    gidNumber: 101
    homeDirectory: /home/user1
    loginShell: /usr/bin/sh
    gecos: Instructor
    telephoneNumber: 111-222-3333
    mail: Darren.Miller@hp.com
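An added example, not part of the course or of LDAP-UX, that ties the last three slides together: it parses the user1 LDIF entry above (including folded continuation lines and base64 "::" values, which the slide does not use but real exports do), splits the DN into its RDNs, and checks that the entry carries everything a posixAccount needs before a client would try to resolve it. The required-attribute list follows the RFC 2307 posixAccount definition (cn, uid, uidNumber, gidNumber, homeDirectory are MUST attributes); the DN splitter handles backslash-escaped commas only and is not a full RFC 4514 parser.

```python
"""Parse an LDIF entry and validate it as a posixAccount (added example).

Not course or LDAP-UX code.  LDIF_USER1 is the entry from the slide; the
MUST list for posixAccount is taken from RFC 2307.
"""
import base64
import re
from typing import Dict, List, Tuple

LDIF_USER1 = """\
dn: uid=user1, ou=people, ou=western, o=hp.com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
uid: user1
cn: Darren Miller
sn: Miller
givenName: Darren
uidNumber: 101
gidNumber: 101
homeDirectory: /home/user1
loginShell: /usr/bin/sh
gecos: Instructor
telephoneNumber: 111-222-3333
mail: Darren.Miller@hp.com
"""

POSIX_ACCOUNT_MUST = ("cn", "uid", "uidNumber", "gidNumber", "homeDirectory")


def parse_ldif(text: str) -> Dict[str, List[str]]:
    """Return attribute -> list of values for one LDIF entry.

    A line starting with a single space continues the previous line; a
    '::' separator marks a base64-encoded value; '#' lines are comments.
    """
    unfolded: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        elif line and not line.startswith("#"):
            unfolded.append(line)
    entry: Dict[str, List[str]] = {}
    for line in unfolded:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed LDIF line: " + line)
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        entry.setdefault(name.strip(), []).append(value)
    return entry


def split_dn(dn: str) -> List[Tuple[str, str]]:
    """'uid=user1, ou=people, o=hp.com' -> [('uid','user1'), ('ou','people'), ('o','hp.com')]."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):       # split on unescaped commas only
        attr, sep, val = part.strip().partition("=")
        if not sep or not attr:
            raise ValueError("bad RDN: " + part)
        rdns.append((attr.strip(), val.strip().replace("\\,", ",")))
    return rdns


def rdn_of(dn: str) -> str:
    """The leftmost component of the DN is the entry's RDN."""
    attr, val = split_dn(dn)[0]
    return f"{attr}={val}"


def check_posix_account(entry: Dict[str, List[str]]) -> List[str]:
    """List the problems that would keep this entry from working as a UNIX account."""
    lower = {k.lower(): v for k, v in entry.items()}   # attribute names are case-insensitive
    problems = []
    if "posixaccount" not in [c.lower() for c in lower.get("objectclass", [])]:
        problems.append("missing objectClass posixAccount")
    for attr in POSIX_ACCOUNT_MUST:
        if attr.lower() not in lower:
            problems.append("missing required attribute " + attr)
    for attr in ("uidNumber", "gidNumber"):
        vals = lower.get(attr.lower(), [])
        if vals and not vals[0].isdigit():
            problems.append(f"{attr} is not numeric: {vals[0]}")
    # the RDN's value must actually be one of the entry's attribute values
    attr, val = split_dn(lower["dn"][0])[0]
    if val not in lower.get(attr.lower(), []):
        problems.append(f"RDN {attr}={val} is not an attribute value of the entry")
    return sorted(problems)


if __name__ == "__main__":
    e = parse_ldif(LDIF_USER1)
    print(rdn_of(e["dn"][0]), split_dn(e["dn"][0]), check_posix_account(e))
```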
Servers, Replicas, and LDAP Clients

A host may play one of several roles in an LDAP implementation
• A master server maintains the master copy of the directory database
• One or more replica servers may be configured for load balancing and redundancy
• LDAP clients query directory servers via the LDAP protocol

[Figure: the master directory server sends updates to two replica servers; groups of clients query the master and each replica.]


Referrals

• In smaller organizations, the organization's entire DIT may reside in a single database
• In larger organizations, the DIT may be distributed among multiple databases/servers
• Each server typically takes responsibility for one or more directory sub-trees
• Servers use referrals to redirect clients to other servers as needed
• Some servers use chaining to query other servers on behalf of clients

[Figure: a client tells the server for o=hp.com (which holds ou=western): "I'm looking for an entry in ou=eastern,o=hp.com". The server replies with a referral: "Contact ldap://nyc.ny.hp.com:389/ou=eastern,o=hp.com".]


Security

LDAP-compliant directory servers provide several mechanisms for securing directory data

• Password policies enforce password aging and format policies
• Resource limits prevent denial of service attacks
• Access Control Instructions (ACIs) determine who can access/edit each subtree/attribute
• Directory servers typically support several client authentication/encryption alternatives
  • Anonymous Access: allows anyone to view/search the directory
  • Simple Password Authentication: authenticates users via cleartext usernames/passwords
  • SSL Simple Authentication: simple password authentication, but via an SSL connection
  • SASL Authentication: provides an extensible, secure authentication mechanism


LDAP Software Solutions for HP-UX

Several LDAP-compliant directory server products are available free for HP-UX
• Netscape Directory Server
• Novell eDirectory Server
• OpenLDAP (unsupported, but included on the Internet Express DVD)

HP's LDAP-UX client product is included on the Applications DVD
• LDAP-UX allows HP-UX to authenticate users via any LDAP-compliant directory server
• LDAP-UX even allows HP-UX clients to authenticate users via MS Windows Active Directory!
• LDAP-UX includes scripts to easily migrate UNIX configuration files to a directory server
• LDAP-UX supports LDAP resolution of users, groups, hosts, and other objects
• LDAP-UX is fully supported by HP


Installing a Basic Netscape Directory Server

• Installing Netscape Directory Server is a multi-step process.
• This slide provides an overview; see the notes for details.
• More complex configurations are also possible

[Figure: the installation flow.]
    1. Install J4258CA and (optionally) J4269AA
    2. Modify kernel parameters
    3. Run the server setup script
    4. Import data into the directory
    5. Use the console GUI to customize the configuration


Verifying a Netscape Directory Server

Use the following commands to verify that a Directory Server is functional

1. Is the directory server daemon running?
    # ps -ef | grep slapd

2. Is the directory server listening on port 389?
    # netstat -an | grep 389

3. Is the directory server answering user queries?
    # /opt/ldapux/bin/ldapsearch \
        -h 128.1.1.1 \
        -b "ou=People,ou=MyOrganizationalUnit,o=hp.com" \
        uid=*

4. Is the directory server answering group queries?
    # /opt/ldapux/bin/ldapsearch \
        -h 128.1.1.1 \
        -b "ou=groups,ou=MyOrganizationalUnit,o=hp.com" \
        cn=*


Installing a Basic LDAP-UX Client

The LDAP-UX client setup script automates LDAP-UX configuration of the first client

1. Install J4269AA (LDAP-UX Client)
2. Run the menu-based client setup script
3. Review/customize the resulting /etc/opt/ldapux/ldapux_client.conf file
4. Review/customize the resulting /etc/opt/ldapux/ldapclientd.conf file
5. Review the /etc/opt/ldapux/ldapux_profile.ldif profile
6. Verify that the ldapuxclientd daemon is running
7. Add LDAP to the Name Service Switch configuration in /etc/nsswitch.conf
8. Add LDAP to the Pluggable Authentication Module configuration in /etc/pam.conf
9. Remove LDAP users and groups from /etc/passwd and /etc/group
10. Create a tar archive of the client's configuration files


Using the LDAP-UX Client

• LDAP is just one of several mechanisms HP-UX uses to obtain configuration information
• HP-UX must be told when/if LDAP should be used for lookups
• Commands that authenticate users use /etc/pam.conf to select a lookup source
• Other commands use /etc/nsswitch.conf to select a lookup source
• In either case, if LDAP is selected, the ldapclientd daemon helps process the request

[Figure: on the client, login, su and ssh go through PAM, which consults pam.conf and the modules libpam_hpsec.so.1, libpam_unix.so.1 and libpam_ldap.so.1; ll, ps and who go through NSS, which consults nsswitch.conf. When LDAP is selected, both paths pass through ldapclientd to the LDAP server.]


Configuring /etc/nsswitch.conf

Some HP-UX commands such as ll, ps, who, and nsquery use the /etc/nsswitch.conf file to determine how user, group, and other information should be resolved.

/etc/nsswitch.conf without LDAP:
    passwd:     files
    group:      files
    hosts:      files dns
    networks:   files
    protocols:  files
    rpc:        files
    publickey:  files
    netgroup:   files
    automount:  files
    aliases:    files
    services:   files

/etc/nsswitch.conf with LDAP:
    passwd:     files ldap
    group:      files ldap
    hosts:      files dns ldap
    networks:   files ldap
    protocols:  files ldap
    rpc:        files ldap
    publickey:  files
    netgroup:   files ldap
    automount:  files
    aliases:    files
    services:   files ldap


Configuring /etc/pam.conf

Commands that authenticate users, such as su, login, and ssh, use Pluggable Authentication Modules (PAM) to access user and password information. Make sure each service in the /etc/pam.conf file consults libpam_ldap.so.1.

/etc/pam.conf entries for the login service on an LDAP client

    # which modules should be used to authenticate users at login?
    login   auth       required    libpam_hpsec.so.1
    login   auth       sufficient  libpam_unix.so.1
    login   auth       required    libpam_ldap.so.1   try_first_pass
    # which modules should be used to determine if an account is valid?
    login   account    required    libpam_hpsec.so.1
    login   account    sufficient  libpam_unix.so.1
    login   account    required    libpam_ldap.so.1
    # which modules should be used to setup/terminate login sessions?
    login   session    required    libpam_hpsec.so.1
    login   session    sufficient  libpam_unix.so.1
    login   session    required    libpam_ldap.so.1
    # which modules should be used to change the user's password?
    login   password   required    libpam_hpsec.so.1
    login   password   sufficient  libpam_unix.so.1
    login   password   required    libpam_ldap.so.1   try_first_pass
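The order and control flags of those three lines decide which users authenticate where, and it is worth being able to trace that without logging in. The block below is an added example, not HP-UX code: it parses the login auth stack shown above and applies the standard control-flag semantics (required, requisite, sufficient, optional as pam.conf(4) defines them; the assumption here is that HP-UX evaluates them in the usual Solaris-derived way). The module outcomes are supplied by constructed scenarios standing in for the real libraries: a local /etc/passwd user, an LDAP-only user, a bad password, and a failure in libpam_hpsec.

```python
"""Evaluate a PAM stack from pam.conf control flags (added example, not HP-UX code).

PAM_CONF is the login auth stack from the slide.  Module results come from
constructed scenarios; the control-flag semantics follow pam.conf(4).
"""
from typing import Dict, List, Tuple

PAM_CONF = """\
login auth required   libpam_hpsec.so.1
login auth sufficient libpam_unix.so.1
login auth required   libpam_ldap.so.1 try_first_pass
"""


def parse_stack(conf: str, service: str, facility: str) -> List[Tuple[str, str, List[str]]]:
    """Return (control, module, options) for lines matching service and facility."""
    stack = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError("malformed pam.conf line: " + raw)
        svc, fac, control, module, *opts = fields
        if svc == service and fac == facility:
            stack.append((control.lower(), module, opts))
    return stack


def run_stack(stack, results: Dict[str, bool]) -> Tuple[bool, List[str]]:
    """Apply the control flags; 'results' maps module name -> did it succeed.

    required:   failure is remembered but the remaining modules still run
    requisite:  failure ends the stack immediately
    sufficient: success ends the stack with success, unless an earlier
                required module already failed; failure is ignored
    optional:   result only matters when it is the sole module
    """
    failed_required = False
    trace: List[str] = []
    for control, module, _ in stack:
        ok = results[module]
        trace.append(f"{module}: {'ok' if ok else 'fail'}")
        if control == "required" and not ok:
            failed_required = True
        elif control == "requisite" and not ok:
            return False, trace
        elif control == "sufficient" and ok and not failed_required:
            return True, trace
    if len(stack) == 1 and stack[0][0] == "optional":
        return results[stack[0][1]], trace
    return not failed_required, trace


def authenticate(user_kind: str) -> Tuple[bool, List[str]]:
    """Constructed scenarios: which module ends up authenticating each kind of user?"""
    scenarios = {
        "local":     {"libpam_hpsec.so.1": True,  "libpam_unix.so.1": True,  "libpam_ldap.so.1": False},
        "ldap":      {"libpam_hpsec.so.1": True,  "libpam_unix.so.1": False, "libpam_ldap.so.1": True},
        "badpass":   {"libpam_hpsec.so.1": True,  "libpam_unix.so.1": False, "libpam_ldap.so.1": False},
        "hpsecfail": {"libpam_hpsec.so.1": False, "libpam_unix.so.1": True,  "libpam_ldap.so.1": True},
    }
    return run_stack(parse_stack(PAM_CONF, "login", "auth"), scenarios[user_kind])


if __name__ == "__main__":
    for kind in ("local", "ldap", "badpass", "hpsecfail"):
        print(kind, "->", authenticate(kind))
```

Two things the trace makes visible: a local user never reaches libpam_ldap (the sufficient line stops the stack), and a failure in the first required module cannot be rescued by a later sufficient success, which is why libpam_hpsec sits first.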
Updating Passwords

Users can change their own passwords via the ldappasswd command.

    $ /opt/ldapux/bin/ldappasswd -h 128.1.1.1 -p 389 \
        -b "ou=People, ou=MyOrganizationalUnit, o=hp.com"
    Changing LDAP password for user1
    Old password: ******
    New password: ******
    Retype new password: ******
    Updating password in LDAP...

The directory server's Directory Manager user can change anyone's password.

    # /opt/ldapux/bin/ldappasswd -h 128.1.1.1 -p 389 \
        -b "ou=People, ou=MyOrganizationalUnit, o=hp.com" \
        -D "cn=Directory Manager" -w "*****" \
        -l user1
    Changing LDAP password for user1
    New password: ******
    Retype new password: ******
    Updating password in LDAP...


Managing Directory Entries

The directory server's Directory Manager user can easily add/modify/delete the most common UNIX directory entry types via the Netscape Directory Server console GUI, or via the ldapentry command.

1. Define directory server connection information in ~/.profile
    # vi ~/.profile
    export PATH=/opt/ldapux/bin/:$PATH
    export MANPATH=/opt/ldapux/share/man/:$MANPATH
    export LDAP_HOST=128.1.1.1
    export LDAP_BINDDN="cn=Directory Manager"
    export LDAP_BASEDN="ou=MyOrganizationalUnit, o=hp.com"
    export EDITOR=vi
    # . ~/.profile

2. Add/modify/delete directory entries via ldapentry
    # ldapentry -a type entry    # add a new entry
    # ldapentry -m type entry    # modify an existing entry
    # ldapentry -d type entry    # delete an entry


Example: Managing Directory Entries

The example below shows the interface that ldapentry provides to add a user

    # ldapentry -a passwd user25
    dn: uid=user25,ou=MyOrganizationalUnit, o=hp.com
    uid: user25
    cn: user25
    sn:
    uidnumber: 325
    gidnumber: 301
    homedirectory: /home/user25
    loginshell: /usr/bin/ksh
    gecos:
    telephonenumber:
    givenname:
    mail:
    Do you want to specify userpassword? (y/n): y
    value: ******
    repeat: ******
    Add entry to directory? (y/n): y
    adding new entry uid=user25,ou=MyOrganizationalUnit, o=hp.com
    Added.


For Further Study

LDAP and Netscape Directory Server are both very complex products. In order to learn more about security, replication, referrals, more complex topologies, and integration with Microsoft Active Directory, see the references below.

On http://www.ietf.org/rfc.html:
• RFCs 2307, 2251-2256, and many others

On http://docs.hp.com:
• LDAP-UX Client Services B.03.30 Administrator's Guide
• HP CIFS Server Administrator's Guide (includes an LDAP chapter)

On http://www.redhat.com:
• Netscape Directory Server Administrator's Guide
• Netscape Directory Server Deployment Guide
• Netscape Directory Server Configuration, Command, and File Reference


Lab activity
Configuring the ARPA/Berkeley Services

Module 14
Internet Services Overview

    Capability                   ARPA / Berkeley services
    Terminal access              telnet, rlogin
    File transfer                ftp, tftp, rcp
    Remote command execution     remsh, rexec
    Electronic mail              SMTP, sendmail (uses SMTP)
    Interprocess communication   Sockets
    Network information          finger, rwho, ruptime
    Dynamic routing              gated
    Name service                 BIND
    Time synchronization         NTP
    Remote boot                  BOOTP
    Remote printing              printer (rlpdaemon)


Internet Service Clients and Servers

[Figure: la runs "# rlogin sanfran"; sanfran runs rlogind.]

Clients use a service. Servers provide a service.


Starting Internet Services via /sbin/rc

[Figure: /sbin/init runs /sbin/rc, which runs the /sbin/rc2.d/S* scripts, linked to /sbin/init.d/*.]

    Execution script   Configuration file
    gated              /etc/rc.config.d/netconf
    inetd              /etc/rc.config.d/netdaemons
    named              /etc/rc.config.d/namesvrs
    rwhod              /etc/rc.config.d/netdaemons
    xntpd              /etc/rc.config.d/netdaemons
    sendmail           /etc/rc.config.d/mailservs


Starting Internet Services via inetd

[Figure: a user on la runs "$ telnet sanfran". On sanfran, /etc/rc.config.d/netdaemons starts inetd; inetd consults /etc/inetd.conf, /etc/services and /var/adm/inetd.sec, then starts telnetd to serve the connection.]


Configuring /etc/rc.config.d/netdaemons

Q: Should I run the inetd daemon?
Q: Should I enable inetd logging?

/etc/rc.config.d/netdaemons has the answer!

    :
    export INETD=1          # set to 1 to run inetd
    export INETD_ARGS="-l"  # set to -l to enable inetd logging
    :

    # /sbin/init.d/inetd stop
    # /sbin/init.d/inetd start
    # tail /var/adm/syslog/syslog.log
    Sep 5 15:51:10 host1 inetd[2234]: telnet/tcp: Connection from host1
    Sep 5 15:51:27 host2 inetd[2251]: login/tcp: Connection from host2


Configuring /etc/inetd.conf

inetd asks:
Q: Should I provide FTP service?
Q: How do I start an ftp daemon?

/etc/inetd.conf has the answer!

    :
    ftp      stream  tcp  nowait  root  /usr/lbin/ftpd     ftpd -l
    telnet   stream  tcp  nowait  root  /usr/lbin/telnetd  telnetd
    # login  stream  tcp  nowait  root  /usr/lbin/rlogind  rlogind
    shell    stream  tcp  nowait  root  /usr/lbin/remshd   remshd
    :

    # inetd -c


Configuring /etc/services

inetd asks:
Q: Which port should I monitor for FTP requests?

/etc/services has the answer!

    :
    ftp      21/tcp    # File Transfer Protocol (Control)
    telnet   23/tcp    # Virtual Terminal Protocol
    login    513/tcp   # remote login
    shell    514/tcp   # remote command, no passwd used
    :


Configuring /var/adm/inetd.sec

inetd asks:
Q: Which clients are allowed FTP access?

/var/adm/inetd.sec has the answer!

    :
    ftp     deny   128.1.1.1
    telnet  deny   128.1.*.*
    shell   allow  192.1.1.* 192.1.3.*
    login   allow  192.1.1-3.* host1 host2
    :
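To check what a given inetd.sec actually admits before relying on it, the added example below (not HP-UX code) parses the file shown above and evaluates a client against it. It implements the patterns the slide uses ("*" for any octet, "n-m" for an inclusive octet range, and hostnames) and the rule from inetd.sec(4) that a service with no entry accepts every client, an allow line admits only the listed clients, and a deny line rejects only the listed ones. The file text and client addresses are constructed; in this model a pattern with fewer than four octets matches the missing ones as "*".

```python
"""Evaluate /var/adm/inetd.sec allow/deny rules (added example, not HP-UX code).

The file contents and the client addresses are constructed sample data.
"""
import re
from typing import Dict, List, Tuple

INETD_SEC = """\
# service  allow|deny  clients...
ftp     deny   128.1.1.1
telnet  deny   128.1.*.*
shell   allow  192.1.1.*  192.1.3.*
login   allow  192.1.1-3.*  host1  host2
"""


def parse_inetd_sec(text: str) -> Dict[str, Tuple[str, List[str]]]:
    """service -> (action, [patterns]); a later line for a service replaces an earlier one."""
    rules: Dict[str, Tuple[str, List[str]]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3 or fields[1] not in ("allow", "deny"):
            raise ValueError("malformed inetd.sec line: " + raw)
        rules[fields[0]] = (fields[1], fields[2:])
    return rules


def octet_matches(pattern: str, value: int) -> bool:
    """'*' matches anything, 'a-b' an inclusive range, otherwise an exact octet."""
    if pattern == "*":
        return True
    m = re.fullmatch(r"(\d+)-(\d+)", pattern)
    if m:
        return int(m.group(1)) <= value <= int(m.group(2))
    return pattern.isdigit() and int(pattern) == value


def client_matches(pattern: str, ip: str, hostname: str) -> bool:
    """Match by hostname when the pattern has letters, else octet by octet."""
    if not re.fullmatch(r"[\d*\-.]+", pattern):
        return pattern == hostname
    parts = pattern.split(".")
    if len(parts) > 4:
        return False
    octets = [int(o) for o in ip.split(".")]
    # zip stops at the shorter list, so missing trailing octets act as '*'
    return all(octet_matches(p, v) for p, v in zip(parts, octets))


def permitted(rules: Dict[str, Tuple[str, List[str]]], service: str,
              ip: str, hostname: str = "") -> bool:
    """Apply the allow/deny rule of one service to one client."""
    if service not in rules:
        return True                       # no entry: everyone is accepted
    action, patterns = rules[service]
    matched = any(client_matches(p, ip, hostname) for p in patterns)
    return matched if action == "allow" else not matched


def audit(rules, service: str, ip: str, hostname: str = "") -> str:
    """One-line verdict suitable for a report."""
    verdict = "allowed" if permitted(rules, service, ip, hostname) else "denied"
    return f"{service} from {hostname or ip}: {verdict}"


if __name__ == "__main__":
    rules = parse_inetd_sec(INETD_SEC)
    for svc, ip, host in (("ftp", "128.1.1.1", ""), ("telnet", "128.1.200.7", ""),
                          ("login", "192.1.2.9", ""), ("login", "10.0.0.2", "host2"),
                          ("tftp", "10.9.9.9", "")):
        print(audit(rules, svc, ip, host))
```

The last sample line is the one to notice when reviewing such a file: tftp has no entry, so it is open to every client, which is the default this file does nothing to change.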


System and User Equivalency

Without Equivalency: With Equivalency:

# rlogin sanfran # rlogin sanfran


Password: ****** Welcome to
Welcome to sanfran!
sanfran!

System and user equivalency:


• allows some or all users password-free access to a host
• only apply to Berkeley services (rlogin, remsh, rcp)
• configured via: /etc/hosts.equiv and ~/.rhosts



Configuring /etc/hosts.equiv

host1                        host2                     host3
                             /etc/hosts.equiv          /etc/hosts.equiv
login: leo                   host1 -sue                host1 tom
1 $ rlogin host2             host1
2 $ rlogin host2 -l tom
3 $ remsh host3 ll
4 $ remsh host3 -l tom ll

login: sue
5 $ rcp host2:.profile .

Which command succeeds?



Configuring ~/.rhosts

host1                          host2
                               ~root/.rhosts
login: leo                     host1
1 rlogin host2 -l root
2 remsh host2 ll               ~sue/.rhosts
3 remsh host2 -l sue ll        host1 sue
                               host1 joe
login: sue
4 rlogin host2                 ~leo/.rhosts
5 rcp leo@host2:.profile .     host1 -sue
                               host1 +

Question: Which command succeeds?



FTP Configuration Issues

Clients: Configuring FTP autologin


~/.netrc (rw-------)
machine host2 login user1 password abcde12
machine host3 login user1 password 12abcde

Servers: Using ftpusers to deny FTP access to selected users


/etc/ftpd/ftpusers (r--r--r--)
guest
orderentry

Servers: Configuring anonymous FTP access


/etc/passwd (r--r--r--)
ftp:*:500:10:Anon FTP:/home/ftp:/usr/bin/false



ARPA/Berkeley Services Review

inetd reads:            /etc/rc.config.d/netdaemons, /etc/inetd.conf, /etc/services, /var/adm/inetd.sec; logs to syslog.log
ftpd reads:             /etc/passwd, /etc/ftpd/ftpusers (server); ~/.netrc (client)
telnetd reads:          /etc/passwd
remshd & rlogind read:  /etc/passwd, /etc/hosts.equiv, ~/.rhosts



Lab
activity



Configuring
BOOTP/TFTP

Module 15

BOOTP/TFTP Concept

BOOTP / TFTP make it possible to configure network settings for network printers and other devices from a central BOOTP/TFTP server.

BOOTP/TFTP Client                                           BOOTP/TFTP Server
"My MAC is 0x080009000001. What's my IP?"   --BOOTP broadcast-->
                                            <--BOOTP response--   "Use IP = 128.1.1.1"
"GET hpnpl/myprinter.cfg"                   --TFTP request-->
                                            <--TFTP response--    hpnpl/myprinter.cfg



Enabling bootp and tftp Services
1. Enable BOOTP and TFTP services:
# /usr/sbin/setup_bootp
# /usr/sbin/setup_tftp -h
2. Verify that the services are defined in /etc/services:
# cat /etc/services
bootps 67/udp
tftp 69/udp
3. Verify that the services are defined and enabled in /etc/inetd.conf:
# cat /etc/inetd.conf
bootps dgram udp wait root /usr/lbin/bootpd bootpd
tftp dgram udp wait root /usr/lbin/tftpd tftpd
4. Verify that the tftp account is defined in /etc/passwd:
# cat /etc/passwd
tftp:*:510:1:Trivial FTP User:/home/tftpdir:/usr/bin/false

5. Verify that /home/tftpdir exists:


# ll -d /home/tftpdir/
dr-xr-xr-x 2 tftp other 96 Aug 27 17:17 /home/tftpdir/



Configuring /etc/bootptab

The bootpd server process uses the /etc/bootptab file to determine which IP address should be associated with each MAC address. This file can be manually edited.

# vi /etc/bootptab
myprinter:\
        hn:\
        ht=ether:\
        ha=080009a752c3:\
        ip=128.1.1.4:\
        sm=255.255.0.0:\
        gw=128.1.0.1:\
        dn=ca.hp.com:\
        ds=128.1.1.1:\
        T144="myprinter.cfg":\
        vm=rfc1048
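An added example, not from the course material: a small sh/awk checker that joins the continuation lines of a constructed /etc/bootptab (the entry above plus a deliberately malformed one) and flags entries whose ht, ha or ip values can never work. `bootptab_check` and `bootptab_bad_count` are hypothetical names.

```shell
#!/bin/sh
# Added example (not part of the course material): sanity-check /etc/bootptab entries.
# BOOTPTAB_SAMPLE is constructed: the slide's printer entry plus a deliberately bad one.
BOOTPTAB_SAMPLE='myprinter:\
        hn:\
        ht=ether:\
        ha=080009a752c3:\
        ip=128.1.1.4:\
        sm=255.255.0.0:\
        gw=128.1.0.1:\
        dn=ca.hp.com:\
        ds=128.1.1.1:\
        T144="myprinter.cfg":\
        vm=rfc1048
badprinter:\
        ht=ether:\
        ha=0800090000zz:\
        ip=128.1.1.300:\
        vm=rfc1048'

# bootptab_check: joins the backslash-continued lines of each entry, then prints
#   NAME ha=HA ip=IP OK                    or
#   NAME ha=HA ip=IP BAD: reason; reason
# Checks: ht present, ha is exactly 12 hex digits, ip is a valid dotted quad.
bootptab_check() {
    printf '%s\n' "$BOOTPTAB_SAMPLE" | awk '
        function valid_ip(ip,   p, n, i) {
            n = split(ip, p, ".")
            if (n != 4) return 0
            for (i = 1; i <= 4; i++)
                if (p[i] !~ /^[0-9]+$/ || p[i] + 0 > 255) return 0
            return 1
        }
        function check(entry,   n, f, i, eq, tag, name, ha, ip, ht, why, verdict) {
            n = split(entry, f, ":")          # fields: name, then tag or tag=value
            name = f[1]; ha = ""; ip = ""; ht = ""; why = ""
            for (i = 2; i <= n; i++) {
                eq = index(f[i], "=")
                tag = eq ? substr(f[i], 1, eq - 1) : f[i]
                if (tag == "ha") ha = substr(f[i], eq + 1)
                else if (tag == "ip") ip = substr(f[i], eq + 1)
                else if (tag == "ht") ht = substr(f[i], eq + 1)
            }
            if (ht == "")                                   why = why "; ht missing"
            if (length(ha) != 12 || ha !~ /^[0-9a-fA-F]+$/) why = why "; ha not 12 hex digits"
            if (!valid_ip(ip))                              why = why "; ip invalid"
            verdict = (why == "") ? "OK" : "BAD: " substr(why, 3)
            printf "%s ha=%s ip=%s %s\n", name, ha, ip, verdict
        }
        /\\$/      { sub(/^[ \t]+/, ""); buf = buf substr($0, 1, length($0) - 1); next }
        /^[ \t]*$/ { next }
        { sub(/^[ \t]+/, ""); check(buf $0); buf = "" }'
}

# bootptab_bad_count: number of entries that failed a check
bootptab_bad_count() {
    bootptab_check | grep -c ' BAD: '
}

bootptab_check
```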



Configuring /etc/bootptab via hppi (1 of 2)

You can add entries to /etc/bootptab using any editor,


but for network printers it’s easier to use HP’s hppi utility.

1. Enable BOOTP and TFTP


# setup_bootp
# setup_tftp -h

2. Install the HP Network Printer Library product


# swlist HPNPL

3. Add the printer’s hostname to DNS or /etc/hosts


# vi /etc/hosts

4. Run the HP Printer Installer


# hppi -> JetDirect Configuration
-> Create printer configuration in BOOTP/TFTP database



Configuring /etc/bootptab via hppi (2 of 2)

# hppi -> JetDirect Configuration


-> Create printer configuration in BOOTP/TFTP database
Enter the printer's LAN hardware address: 080009000003
Enter the network printer name (q - quit): myprinter
Enter IP address: 128.1.1.4
Add printer and 128.1.1.4 to /etc/hosts? (default=y): y

Other optional parameters:


-------------------------
1) Set printer location (uses tftp)
2) Set printer contact (uses tftp)
3) Set subnetmask
4) Set gateway
5) Set syslog (uses tftp)
6) Change idle timeout (uses tftp)
7) Create access list (up to 10 names) (uses tftp)
8) Other SNMP parameters (uses tftp)
9) Set HP JetDirect lpd banner page
Select an item for change, or '0' to configure (quit): 0



Lab
activity



Configuring NTP

Module 16

Introduction to the Network Time Protocol (NTP)

• Time synchronization determines consistency of:


– Time stamps used by incremental backup utilities
– Encryption key expiration times
– Programmer’s make files, and other applications

• HP-UX uses NTP to maintain time synchronization:

Without NTP:   9:02:15      9:03:02      9:01:52
With NTP:      9:02:15      9:02:15      9:02:15
               NTP Server   NTP Client   NTP Client



NTP Time Sources

NTP time sources can include:

• Radio clocks using signals from GPS satellites (~cost $1000, most accurate)
• Network time sources on the Internet (free, but less accurate)
• Built-in system clocks (free, but least accurate)



NTP Stratum Levels

Accuracy of a time source is defined by its stratum level:

• Stratum = 1 Most accurate


• Stratum = 15 Least accurate

S1
System with a locally attached radio clock

S2
System getting time from an S1 NTP server

S3
System getting time from an S2 NTP server



NTP Roles

server1a server1b server1c server1d server1e server1f

Stratum 1
Servers

server2a server2b server2c


Stratum 2
Server Peers peers peers

Broadcast Clients Direct Polling Clients



Defining NTP Servers via /etc/ntp.conf
/etc/ntp.conf for server1a, with a locally attached radio clock:
# vi /etc/ntp.conf
server 127.127.26.1
peer server1b
peer server1c

/etc/ntp.conf for server2a, which polls two stratum 1 servers and provides broadcast service:
# vi /etc/ntp.conf
server server1a
server server1b
peer server2b
driftfile /etc/ntp.drift
broadcast 128.1.255.255

/etc/ntp.conf for a stratum 10 server that uses its own local system clock:
# vi /etc/ntp.conf
server 127.127.1.1
fudge 127.127.1.1 stratum 10
broadcast 128.1.255.255


Defining NTP Clients via /etc/ntp.conf

/etc/ntp.conf for a direct polling client:
# vi /etc/ntp.conf
server server2a
server server2b
driftfile /etc/ntp.drift

/etc/ntp.conf for a broadcast client:
# vi /etc/ntp.conf
broadcastclient yes
driftfile /etc/ntp.drift



How NTP Adjusts the System Clock

/usr/sbin/ntpdate -b server server server

• Utility called once at system boot


• Polls one or more NTP servers
• "Steps" local clock immediately to match the most accurate server

/usr/sbin/xntpd

• Daemon started at system boot


• Polls one or more NTP servers at regular intervals
• "Slews" local clock gradually to match the most accurate server

/etc/ntp.drift

• File maintained and used by xntpd


• Tracks the local clock’s accuracy over time



Configuring an NTP Server

1. Modify the /etc/rc.config.d/netdaemons file.


export NTPDATE_SERVER=
export XNTPD=1
export XNTPD_ARGS=
2. Modify the /etc/TIMEZONE file as appropriate.
TZ=CST6CDT
export TZ
3. Modify /etc/ntp.conf as described previously.

4. Run the /sbin/init.d/xntpd startup script.

5. Wait for NTP to establish associations with servers and peers. Be patient!

6. Run ntpq -p to check associations.



Configuring an NTP Client

1. Modify the /etc/rc.config.d/netdaemons file.


export NTPDATE_SERVER='NTPserver1 NTPserver2'
export XNTPD=1
export XNTPD_ARGS=
2. Modify the /etc/TIMEZONE file as appropriate on all clients and servers.
TZ=CST6CDT
export TZ

3. Modify /etc/ntp.conf as described previously.

4. Run the /sbin/init.d/xntpd startup script.

5. Wait for NTP to establish associations with servers and peers. Be patient!

6. Run ntpq -p to check associations.



Verifying NTP Functionality

• View NTP activity and errors over time:


# more /var/adm/syslog/syslog.log

• Verify that the xntpd daemon is running:


# ps -e | grep xntpd

• Check associations with other nodes:


# ntpq -p
remote refid st t when poll reach delay offset disp
---------------------------------------------------------------
*server2a server1a 3 u 64 64 377 0.87 10.56 16.11
+server2b server1b 3 u 100 264 376 9.89 5.94 16.40
server2c 0.0.0.0 16 - - 64 0 0.00 0.00 1600.00
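As an added example (not part of the course material), this sh/awk script reads a constructed copy of the ntpq -p output above and derives a per-peer verdict from the reach register and stratum, which is the check worth automating once associations are established. The function names are hypothetical.

```shell
#!/bin/sh
# Added example (not part of the course material): turn "ntpq -p" output into a
# health verdict per peer. NTPQ_SAMPLE is constructed to match the slide's layout.
NTPQ_SAMPLE='     remote           refid      st t when poll reach   delay   offset    disp
==============================================================================
*server2a         server1a         3 u   64   64  377     0.87   10.56    16.11
+server2b         server1b         3 u  100  264  376     9.89    5.94    16.40
 server2c         0.0.0.0         16 -    -   64    0     0.00    0.00  1600.00'

# ntp_report: one line per peer: NAME st=N reach=RRR VERDICT
# reach is an octal shift register of the last 8 polls (377 = all 8 answered);
# stratum 16 means the peer is itself unsynchronized; '*' marks the sys.peer.
ntp_report() {
    printf '%s\n' "$NTPQ_SAMPLE" | awk '
        NR <= 2 { next }                      # header and separator line
        {
            tally = substr($0, 1, 1)          # tally code: *, +, #, o, x, ., - or blank
            name  = (tally == " ") ? $1 : substr($1, 2)
            st = $3 + 0; reach = $7
            bits = 0                          # count the 1-bits of the octal reach value
            for (i = 1; i <= length(reach); i++)
                bits += substr("01121223", substr(reach, i, 1) + 1, 1)
            if (st == 16)       verdict = "UNSYNC (stratum 16, not a usable source)"
            else if (bits < 8)  verdict = "DEGRADED (missed " (8 - bits) " of last 8 polls)"
            else                verdict = "OK"
            if (tally == "*")   verdict = verdict " [sys.peer]"
            printf "%s st=%d reach=%s %s\n", name, st, reach, verdict
        }'
}

# ntp_sys_peer: name of the peer the daemon is currently synchronized to (empty if none)
ntp_sys_peer() {
    printf '%s\n' "$NTPQ_SAMPLE" | awk 'substr($0, 1, 1) == "*" { print substr($1, 2) }'
}

# ntp_unhealthy_count: peers that are unsynchronized or missed recent polls
ntp_unhealthy_count() {
    ntp_report | grep -c -v ' OK'
}

ntp_report
```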



Lab
activity



Configuring SSH

Module 17

Network Service Vulnerabilities (1 of 2)

• Many network services send packets across the network unencrypted


• Hackers can intercept these packets via network “sniffers”

Hacker: "I'll use a network sniffer to eavesdrop on all passing packets."

Captured: cleartext telnet/ftp usernames and passwords.



Network Service Vulnerabilities (2 of 2)

• Many network services authenticate clients via the source IP address in incoming packets
• Hackers use “IP spoofing” to send packets that appear to come from legitimate clients

Hacker at IP 192.1.1.1: "I'll use the nfs_shell utility to masquerade as legitimate NFS user root@128.1.1.1. The server will never know my true identity!"

Legitimate NFS client: IP 128.1.1.1

NFS server's /etc/exports:
/home -root=128.1.1.1

NFS server: "128.1.1.1 is trying to access a file in my NFS file system. Since that IP is in my /etc/exports file, I'll allow the change."



SSH Encryption and Server Authentication

Secure Shell (SSH) provides a secure alternative to the ARPA/Berkeley services


• SSH encrypts all network traffic between servers and clients
• SSH authenticates server hostnames, too

rlogin user: "Am I connected to my real server? Or am I falling victim to IP spoofing? Is my data being intercepted by a sniffer?"

ssh user: "I know I'm connected to my server... and all my data is encrypted, too!"



Configuring SSH Encryption and
Server Authentication
1. Download and install bundle T1471AA from http://software.hp.com
2. If desired, edit the SSH configuration files:
server# vi /etc/opt/ssh/sshd_config
client# vi /etc/opt/ssh/ssh_config
3. Verify that the SSH control variable is enabled:
server# grep SSHD_START /etc/rc.config.d/sshd
4. Start the sshd daemon and verify that it is running and listening on port 22:
server# /sbin/init.d/secsh start
server# ps -ef | grep /opt/ssh/sbin/sshd
server# netstat -an | grep 22
5. Verify the public/private host keys:
server# ll /etc/opt/ssh/
-rw------- 1 root sys 887 May 1 13:41 ssh_host_rsa_key
-rw-r--r-- 1 root sys 222 May 1 13:41 ssh_host_rsa_key.pub
6. Test the new service!
client# ssh root@myserver
The authenticity of host 'myserver' can't be established.
RSA key fingerprint is ca:05:88:30:60:0c:f9:07:02:95:0b:c8:d4
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'myserver' to the list of known hosts.
root@myserver's password: ********
SSH Client/User Authentication

• SSH client/user authentication enables SSH servers to authenticate clients & users
• SSH client/user authentication isn’t enabled by default

rlogin server: "Did this rlogin request really come from user1@myclient? Or is this a spoof packet?"

ssh server: "I know this request came from user1@myclient since I'm using SSH client/user authentication."



Configuring SSH Client/User
Authentication
1. On each client, create a public/private key pair for each user account:
client$ ssh-keygen -t rsa
client$ ll ~user1/.ssh/id_rsa.pub
client$ cat ~user1/.ssh/id_rsa.pub
2. Copy the client’s id_rsa.pub public key file to the SSH server.
3. Create a ~user1/.ssh/authorized_keys file on the server to store clients’ public keys:
server$ touch ~user1/.ssh/authorized_keys
server$ chown user1 ~user1/.ssh/authorized_keys
server$ chmod 644 ~user1/.ssh/authorized_keys
4. Append each authorized client’s public key to the user’s authorized_keys on the server:
server$ cat id_rsa.pub >> ~user1/.ssh/authorized_keys
5. Test the client/user authentication!
client$ ssh user1@myserver
Enter passphrase for key '/home/user1/.ssh/id_rsa': ********
6. (Optional) Enforce public key client authentication on the server:
server# su -
server# vi /etc/opt/ssh/sshd_config
PasswordAuthentication no
server# /sbin/init.d/secsh stop; /sbin/init.d/secsh start



SSH Single Sign-On

• Using SSH single sign-on saves users from repeatedly entering their passphrase
• SSH single sign-on isn’t configured by default

Without ssh-agent: "I have to re-type my SSH passphrase every time I ssh to another system – what a hassle!"

With ssh-agent: "I use the ssh-agent daemon so I only have to enter my passphrase once!"



Configuring SSH Single Sign-On

1. Configure client/user key authentication as described previously.


2. On the client, add a line in .profile to start the ssh-agent daemon at login
client$ vi ~/.profile
eval `ssh-agent`
3. On the client, add a line in .profile to kill the ssh-agent daemon at logout
client$ vi ~/.profile
trap 'ssh-agent -k' 0
4. Load your private keys into the agent daemon’s key cache each time you login
client$ ssh-add ~/.ssh/id_rsa
5. Now simply ssh to servers as desired – no more passphrases required!
client$ ssh user1@myserver
6. Be sure to logout so others can’t use your ssh-agent to access other hosts
client$ exit



Using the UNIX SSH Clients

• SSH doesn’t just provide a secure alternative to the telnet service


• Consider using the SSH alternatives to remsh, rcp, and FTP, too!

• Initiate a simple interactive SSH login session (similar to rlogin and telnet):
# ssh user@server

• Initiate an interactive SSH login session with compression and X tunneling options:
# ssh [-C] [-X] user@server

• Initiate a non-interactive SSH login session (similar to remsh):


# ssh [-C] [-X] user@server "who"

• Initiate an interactive SSH file transfer (similar to ftp):


# sftp [-C] user@server
> help
> put /tmp/myfile
> get /tmp/myfile
> quit

• Initiate a non-interactive SSH file transfer (similar to rcp):


# scp [-C] /tmp/myfile user@server:/tmp/myfile



Using PuTTY SSH Clients
If you access your HP-UX host from a PC, use the free PuTTY SSH client

myserver.hp.com



Lab
activity



Managing Depots
with SD-UX

Module 18

What Is an SD-UX Depot?

An SD-UX “Depot” is a repository for software that has been bundled using HP’s
Software Distributor utilities and tools. Depots may be stored on CD, tape, in a
.depot file, or in a directory on disk.

Sources that feed a depot: software from install CDs, software from Support+ CDs, patch tapes from HP, and software from the HP users’ group (for example, games.depot).



What Is an SD-UX Depot Server?

An SD-UX “Depot Server” is an HP-UX host that has one or more


registered depot directories from which clients can install software.

Mission Critical OE depot

Technical Computing OE depot

Application depot

depot server target clients



Why Create a Depot Server?

By configuring an SD-UX depot server …


• I don't have to deal with stacks of tapes and CDROMs!
• I can manage software from a single, central location
• I can ensure consistent software loads!
• I can push and pull software remotely across the network!
• swinstall automatically manages dependencies for me!
• swinstall automatically installs patches at product install time!



Planning for Depots

Where should I put my software depot?

• Consider available disk space
• Consider network connectivity
• Will you create one depot on your server … or several?
• Create a separate depot for each OS version
• Create separate depots for the OS vs. Applications
• Store products and their patches in the same depot



Adding Software to Depots

Create a directory for the depot:
svr# mkdir /mydepot
Copy a single product from a CDROM depot to a directory depot:
svr# swcopy -s /cdrom FooProd @ /mydepot
Copy all software from a CDROM depot to a directory depot:
svr# swcopy -s /cdrom '*' @ /mydepot
Copy all software from a tape depot to a directory depot:
svr# swcopy -s /dev/rmt/0m '*' @ /mydepot
Copy all software from one directory depot to another directory depot:
svr# swcopy -s /myolddepot '*' @ /mydepot



Adding Patches to a Depot

Adding patches to your depot offers several advantages:


• Patches are installed automatically when installing products from the depot
• Patches can easily and consistently be updated on all of your hosts

To add patches to a depot, use swcopy -x enforce_dependencies=false:
svr# swcopy \
    -s /tmp/PHCO_xxxx.depot \
    -x enforce_dependencies=false \
    \* @ /mydepot

(Figure: PHCO_1000.depot, PHCO_2000.depot and PHNE_3000.depot being copied into /mydepot)



Removing Software from a Depot

• Use the swremove -d command to remove products from a depot


• By default, swremove won’t remove filesets required to meet dependencies
for other products in the depot

Remove a single product from a depot:
svr# swremove -d FooProd @ /mydepot

Remove all products from the depot, and the depot itself:
svr# swremove -d \* @ /mydepot
svr# rm -rf /mydepot



Listing Software in a Depot
Listing available depots:
tgt# swlist -l depot @ sanfran

# Initializing...
# tgt "sanfran" has the following depot(s):
/mydepot
/myappdepot

Listing software in a depot:


tgt# swlist -s sanfran:/mydepot

# tgt: sanfran:/mydepot
# Bundle(s):
100BaseT-00 B.11.11.01 EISA 100BaseT
100BaseT-01 B.11.11.01 HP-PB 100BaseT



Registering or Unregistering a Depot

Register a depot:
svr# swreg -l depot @ /cdrom
svr# swlist -l depot

# Initializing...
# tgt "sanfran" has the following depot(s):
/cdrom

Unregister a depot:
svr# swreg -ul depot @ /cdrom
svr# swlist -l depot

# Initializing...
# WARNING: No depot was found for "sanfran:".



Pulling Software from a Depot

Once the depot server has been configured, any host on


the network can “pull” software from the depot server via the
swinstall command.

tgt# swinstall -s svr:/mydepot \
    -x autoreboot=true FooProd

(Figure: software pull from svr to the tgt host)



Pushing Software from a Depot: Concept

Using the 11i swinstall “push” functionality allows you to


push software installs/updates from the depot server out to
one or more remote target hosts simultaneously.

Additional configuration is required on both the client and server to


allow a server to push software to a client.

(Figure: svr pushes software to tgt1, tgt2 and tgt3)



Pushing Software from a Depot: Commands

Configure push functionality on the depot server:


svr# touch /var/adm/sw/.sdkey

Allow the depot server to push software to a client: (repeat on each client)
tgt# /usr/lbin/sw/setaccess svrname
tgt# swacl -l root

Use the push functionality to remotely install, list, and remove software:
svr# swinstall -s svr:/mydepot FooProd @ tgt1 tgt2
svr# swlist @ tgt1 tgt2
svr# swremove FooProd @ tgt1 tgt2



Lab
activity



Course Review

Module 19

Review: What you Learned this Week
During this week, you’ve learned how to perform the most common HP-UX system
administration tasks. We hope that you will attend other courses in
HP Education’s advanced system and network administration curriculum to learn
how to better manage your HP-UX system.

Day 1:
LAN Concepts
LAN Hardware Concepts
Configuring TCP/IP Connectivity
Configuring IP Routing

Day 2:
Configuring Subnetting
Troubleshooting Network Connectivity
Starting Network Services

Day 3:
NFS Concepts
Configuring NFS
Configuring AutoFS

Day 4:
Configuring DNS
Configuring LDAP
Configuring ARPA/Berkeley Services

Day 5:
Configuring BOOTP and TFTP
Configuring NTP
Configuring SSH
Configuring SD-UX Depot Servers
Configuring NIS

Appendix C

Why Use NIS?

• NIS provides for single point administration of system configuration files.


• NIS ensures consistency of files across the LAN.
• Files maintained by NIS include /etc/hosts, /etc/passwd, /etc/group, and others.

(Figure: one NIS server and many clients; all clients share a common set of configuration files.)
NIS Maps

/etc/passwd
chris:101:…
scott:102:…
abby:103:…

passwd.byname MAP (indexed by name)      passwd.byuid MAP (indexed by UID)
abby   abby:103:…                        101  chris:101:…
chris  chris:101:…                       102  scott:102:…
scott  scott:102:…                       103  abby:103:…

• NIS maps are indexed databases created by NIS.
• NIS creates one or more indexed maps per ASCII configuration file.
• Additional, customized maps can be created if desired.



NIS Domains

• Each node can belong to a maximum of one domain.
• Nodes in a domain share a common set of maps.
• Domains can span multiple networks.

(Figure: an NIS domain containing a server holding the NIS maps and its clients.)



NIS Roles

(Figure: an NIS domain with a master server (ASCII files and NIS maps), a slave server (NIS maps), and clients.)



NIS Startup Files

Startup sequence:
/sbin/init  ->  /etc/inittab  ->  /sbin/rc  ->  /sbin/rc2.d/* (start scripts)

Run scripts:                   Configuration file:
/sbin/init.d/nis.server        /etc/rc.config.d/namesvrs
/sbin/init.d/nis.client

Sample /etc/rc.config.d/namesvrs:
NIS_MASTER_SERVER=1       # nis_master
NIS_SLAVE_SERVER=0        # nis.slave
NIS_CLIENT=1              # nis_client (defaults)
NIS_DOMAIN=               # nis domain
YPBIND_OPTIONS=""         # ypbind.options
.
.
.
YPSET_ADDR=""             # address of nis server



NIS Daemons

NIS Server (ASCII files, NIS maps):
  portmap (HP-UX 10.20 and earlier) / rpcbind (HP-UX 10.30 and beyond)
  ypserv
  ypxfrd
  rpc.yppasswdd
  rpc.ypupdated
  keyserv
  ypbind

NIS Slave (NIS maps):
  portmap (HP-UX 10.20 and earlier) / rpcbind (HP-UX 10.30 and beyond)
  ypserv
  ypxfrd
  keyserv
  ypbind

NIS Client:
  portmap/rpcbind
  ypbind
  keyserv



Configuring NIS Servers and Clients

1. Create an NIS master server.
   a. domainname [domain]
   b. ypinit -m (Answer questions.)
   c. vi /etc/rc.config.d/namesvrs (Edit appropriate NIS variables.)
   d. shutdown -r
2. Create an NIS slave server (optional).
   a. domainname [domain]
   b. ypinit -s [master_server]
   c. vi /etc/rc.config.d/namesvrs (Edit appropriate NIS variables.)
   d. shutdown -r
3. Create the NIS clients.
   a. vi /etc/rc.config.d/namesvrs
   b. shutdown -r



Testing NIS

• Are the server’s daemons running?


# rpcinfo -p servername

• Are the server’s map files configured properly?


# yppoll -h servername -d domain passwd.byname

• What domain am I a member of?


# domainname

• Which server am I bound to?


# ypwhich

• Which users are listed in the passwd map?


# ypcat -k passwd.byname

• Is user1 included in the passwd map?


# ypmatch user1 passwd.byname



Changing Passwords on an NIS Node

(Figure: the client runs passwd (1); the master server's /etc/passwd is updated (2); the passwd.byname and passwd.byuid NIS maps are regenerated (3).)

$ passwd
Changing passwd for jim
Old NIS password: *****
New Password: ******
Retype new password: ******

1. An NIS user issues the passwd command to change his or her password.
2. The /etc/passwd file on the NIS master server is updated to reflect the new password.
3. The corresponding NIS maps are regenerated to reflect the new password.



Updating and Propagating Maps on the Master
Server

(Figure: the administrator edits /etc/hosts on the master (1), runs ypmake hosts (2), the hosts.byname and hosts.byaddr maps are regenerated (3), and the maps are pushed to the slave (4).)

1. The system administrator adds a new host to the /etc/hosts file.
   # vi /etc/hosts
   (Modify contents and save)
2. The ypmake hosts command is executed on the NIS master server.
   # /var/yp/ypmake hosts
3. The corresponding NIS maps are regenerated to reflect the new entries.
4. The NIS maps are automatically pushed to any slave servers (if they exist).
Fetching Maps from the Master Server

(Figure: the NIS master builds its NIS maps from its ASCII files; the NIS slave holds a copy of the NIS maps.)

• The ypxfr command


- copies an NIS map from the master server to a slave
- must be invoked on the slave server
- transfers the map only if the master copy is more recent than the local copy

• The ypxfr command can be executed


- interactively, running the command on the slave server
- periodically, running the command from cron on each slave server
- periodically, running the yppush command on the master server
(yppush on the master server calls ypxfr on the slave)
Restricting Access to NIS Clients and Slave
Servers

/etc/nsswitch.conf:          /etc/passwd:          Who can log in?
passwd: files nis            root:...              • all users in local passwd file
group:  files nis            user1:...             • all users in NIS passwd map
                             user2:...

/etc/nsswitch.conf:          /etc/passwd:          Who can log in?
passwd: compat               root:...              • all users in local passwd file
group:  compat               user1:...             • cleo and hubert from NIS map
                             user2:...
                             +hubert
                             +cleo
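An added example, not from the course material: this sh/awk script models how the compat source resolves the reduced /etc/passwd above against a constructed NIS passwd map, and goes a step beyond the slide by also handling the -name and bare + escape forms. All inputs are constructed and `compat_login_names` is a hypothetical name.

```shell
#!/bin/sh
# Added example (not part of the course material): resolve the compat-mode passwd view.
# All inputs are constructed. NIS_PASSWD_MAP is what "ypcat passwd.byname" would print;
# the LOCAL_PASSWD_* strings are reduced /etc/passwd files with escape entries.
NIS_PASSWD_MAP='hubert:x:201:20:Hubert:/home/hubert:/usr/bin/sh
cleo:x:202:20:Cleo:/home/cleo:/usr/bin/sh
user3:x:203:20:User Three:/home/user3:/usr/bin/sh'

# The slide's case: only hubert and cleo are admitted from the NIS map
LOCAL_PASSWD_SELECTIVE='root:x:0:3::/:/sbin/sh
user1:x:101:20::/home/user1:/usr/bin/sh
user2:x:102:20::/home/user2:/usr/bin/sh
+hubert
+cleo'

# Beyond the slide: "-name" blocks a user, a bare "+" admits every other NIS user
LOCAL_PASSWD_OPEN='root:x:0:3::/:/sbin/sh
user1:x:101:20::/home/user1:/usr/bin/sh
user2:x:102:20::/home/user2:/usr/bin/sh
-cleo
+'

# compat_login_names LOCAL_PASSWD NIS_MAP: prints the login names that can log in,
# one per line, in the order the compat source resolves them.
# Simplified model: +name admits that NIS user, -name blocks it for the rest of the
# file, a bare + admits every NIS user not already blocked; local entries always count.
compat_login_names() {
    printf '%s\n' "$1" | awk -v map="$2" '
        BEGIN {
            n = split(map, lines, "\n")
            for (i = 1; i <= n; i++) {              # index the NIS map by login name
                split(lines[i], f, ":")
                nis[f[1]] = 1; order[i] = f[1]
            }
        }
        /^-/ { blocked[substr($0, 2)] = 1; next }   # -name: never admitted from NIS
        /^\+$/ {                                    # bare +: every remaining NIS user
            for (i = 1; i <= n; i++) {
                u = order[i]
                if (!(u in seen) && !(u in blocked)) { seen[u] = 1; print u }
            }
            next
        }
        /^\+/ {                                     # +name: that one NIS user
            u = substr($0, 2)
            if ((u in nis) && !(u in seen) && !(u in blocked)) { seen[u] = 1; print u }
            next
        }
        {                                           # ordinary local entry
            split($0, f, ":")
            if (!(f[1] in seen)) { seen[f[1]] = 1; print f[1] }
        }'
}

# Demo when run directly
printf 'selective: %s\n' "$(compat_login_names "$LOCAL_PASSWD_SELECTIVE" "$NIS_PASSWD_MAP" | tr '\n' ' ')"
printf 'open:      %s\n' "$(compat_login_names "$LOCAL_PASSWD_OPEN" "$NIS_PASSWD_MAP" | tr '\n' ' ')"
```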



Restricting Access to the Master Server

Use an alternate password file as the source for the password maps and reduce /etc/passwd on the master server.
1. Create an alternate password file as the source for the maps.
2. Reduce the /etc/passwd file and add escape entries.
3. Add passwd: compat and group: compat to /etc/nsswitch.conf.
4. Modify YPPASSWDD_OPTIONS in /etc/rc.config.d/namesvrs.
5. Stop and start NIS server functionality.
6. Modify the PWFILE variable in /var/yp/ypmake.
7. Modify the PWFILE variable in /var/yp/Makefile.
8. Rebuild and propagate the new password maps.



