Hitchhiker's Guide to Openbsd
10.19.3 - Setting up a YP server
http://www.openbsd.org/faq/faq10.html (27 of 32)9/4/2011 10:02:15 AM 10 - System Management

1. A YP server serves a group of clients called a "domain". You should first select a domain name; it can be an arbitrary string and need not be related in any way to DNS domain names. Choosing a random name like "Eepoo5vi" can marginally improve security, though the effect is mostly security by obscurity. In case you need to maintain several distinct YP domains, it is probably better to choose descriptive names like "sales", "marketing" and "research" in order to forestall system administration errors caused by obscurity. Also note that some versions of SunOS require using the host's DNS domain name, so your choice might be restricted in a network including such hosts. Use the domainname(1) utility to set the domain name, and put it into the file defaultdomain(5) to have it automatically set at system startup time.

       echo "puffynet" > /etc/defaultdomain
       domainname `cat /etc/defaultdomain`

2. Initialise the YP server using the interactive command

       ypinit -m

   At this point, it is not necessary to specify slave servers yet. To add slave servers, you can rerun ypinit(8) later, using the -u option. Setting up at least one slave server for each domain is useful to avoid service interruptions, should the master server ever go down or lose network connectivity, in particular since client processes trying to access YP maps block indefinitely until they receive the requested information. Thus, YP service interruptions typically render the client hosts completely unusable until YP is back in service.

3. Decide where to store the source files to generate your YP maps from. Keeping the server configuration separate from the served configuration helps to control which information will be served and which won't, so the default /etc often isn't the best choice. The only inconvenience caused by changing the source directory is that you will not be able to add, remove and modify users and groups in the YP domain using utilities like user(8) and group(8). Instead, you will have to edit the configuration files with a text editor. To define the source directory, edit the file /var/yp/`domainname`/Makefile and change the DIR variable, e.g.

       DIR=/etc/yp/src/puffynet

4. Consider customizing other variables in /var/yp/`domainname`/Makefile. See Makefile.yp(8) for details. For example, even in case you use the default source directory /etc, you do not usually need all accounts and groups existing on the server on all your client hosts. In particular, not serving the root account and thus keeping root's password hash confidential is often beneficial to security. Review the values of MINUID, MAXUID, MINGID and MAXGID and adjust them to your needs. If all your YP clients run OpenBSD or FreeBSD, exclude the encrypted passwords from the passwd maps by setting

       UNSECURE=""

   in /var/yp/`domainname`/Makefile. The former practice of editing the template file /var/yp/Makefile.yp is no longer recommended. Changes to that file affect all domains initialized after the change, but do not affect domains initialized before the change, so this is error-prone either way: you both risk that the intended changes do not take effect, and you risk forgetting about them and having them affect other domains later for which they were never intended.

5. Create the source directory and populate it with the configuration files you need. See Makefile.yp(8) to learn which YP maps require which source files. For the format of the individual configuration files, refer to passwd(5), group(5), hosts(5) and so on, and look at the examples in /etc.

6. Create the initial version of your YP maps using the commands

       cd /var/yp
       make

   Do not worry about error messages from yppush(8) right now. The YP server is not yet running.

7. YP uses rpc(3) (remote procedure calls) to communicate with clients, so it is necessary to enable portmap(8). To do so, edit rc.conf.local(8) and set portmap=YES. This will start the portmapper on next boot. You can avoid rebooting by also starting it manually:

       echo "portmap=YES" >> /etc/rc.conf.local
       portmap

8. Consider using either the securenet(5) or the ypserv.acl(5) security feature of the YP server daemon. But be aware that both of these only provide IP-based access control. Thus, they only help as long as potential attackers have neither physical access to the hardware of the network segments carrying your YP traffic nor root access to any host connected to those network segments.

9. Finally, start the YP server daemon:

       ypserv

   It will automatically be restarted at boot time as long as the directory /var/yp/`domainname` continues to exist.

10. To test the new server, consider making it its own client, following the instructions in the first part of the next section. In case you don't want the server to use its own maps, you can disable the client
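The following POSIX shell script is an added example and is not part of the FAQ text nor OpenBSD's own Makefile.yp. It rehearses steps 3 and 4 above on constructed files in a temporary directory, so you can see which passwd entries a given DIR/MINUID/MAXUID/UNSECURE setting would actually serve before running "make" on a real server. The function names (set_makefile_var, filter_passwd, write_samples, makefile_var, rehearse), the sample Makefile fragment and the master.passwd lines with their hash placeholders are all assumptions made up for this illustration; the awk filter only approximates the map generation that the real Makefile.yp performs.

```shell
#!/bin/sh
# Added illustration (not OpenBSD code): rehearse the Makefile settings
# from steps 3 and 4 on constructed sample files. Nothing here touches
# /var/yp or /etc.

# set_makefile_var FILE VAR VALUE: replace the "VAR=..." line in FILE.
# Written without sed -i so it behaves the same on BSD and GNU sed;
# VALUE must not contain the '|' character.
set_makefile_var() {
    sed "s|^$2=.*|$2=$3|" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# makefile_var FILE VAR: read back the current value, quotes stripped.
makefile_var() {
    sed -n "s|^$2=||p" "$1" | tr -d '"'
}

# filter_passwd SRC MINUID MAXUID UNSECURE: print the passwd.byname-style
# lines (name:passwd:uid:gid:gecos:home:shell) that would be served from
# a master.passwd-format SRC. Entries with a uid outside [MINUID,MAXUID]
# are dropped; when UNSECURE is empty the hash field becomes "*".
# This approximates, and does not reproduce, the real Makefile.yp rules.
filter_passwd() {
    awk -F: -v min="$2" -v max="$3" -v unsecure="$4" '
        BEGIN { OFS = ":" }
        $3 < min || $3 > max { next }
        {
            pw = $2
            if (unsecure == "") pw = "*"
            print $1, pw, $3, $4, $8, $9, $10
        }' "$1"
}

# write_samples DIR: constructed Makefile fragment (defaults as the FAQ
# describes them) and a constructed master.passwd source. The hash
# strings are placeholders, not real bcrypt output.
write_samples() {
    cat > "$1/Makefile" <<'EOF'
DIR=/etc
MINUID=0
MAXUID=60000
UNSECURE="True"
EOF
    cat > "$1/master.passwd" <<'EOF'
root:$2b$10$ROOT.HASH.PLACEHOLDER:0:0:daemon:0:0:Charlie &:/root:/bin/ksh
daemon:*:1:1::0:0:The devil himself:/root:/sbin/nologin
nobody:*:32767:32767::0:0:Unprivileged user:/nonexistent:/sbin/nologin
alice:$2b$10$ALICE.HASH.PLACEHOLDER:1000:1000::0:0:Alice:/home/alice:/bin/ksh
bob:$2b$10$BOB.HASH.PLACEHOLDER:1001:1000::0:0:Bob:/home/bob:/bin/ksh
EOF
}

# rehearse DIR: apply the step 3/4 changes (separate source directory,
# no root account served, no hashes in the passwd maps) to the sample
# Makefile, then print the passwd entries that setting would serve.
rehearse() {
    set_makefile_var "$1/Makefile" DIR /etc/yp/src/puffynet
    set_makefile_var "$1/Makefile" MINUID 1000
    set_makefile_var "$1/Makefile" UNSECURE '""'
    filter_passwd "$1/master.passwd" \
        "$(makefile_var "$1/Makefile" MINUID)" \
        "$(makefile_var "$1/Makefile" MAXUID)" \
        "$(makefile_var "$1/Makefile" UNSECURE)"
}

# Stand-alone run: root and daemon disappear from the served map and
# the remaining entries carry "*" instead of a hash.
work=$(mktemp -d)
write_samples "$work"
rehearse "$work"
rm -rf "$work"
```

Run it as a plain script; it prints the three entries (nobody, alice, bob) that survive MINUID=1000, each with "*" in the password field. Note that nobody (uid 32767) is still served because it lies inside the default MAXUID range, which is exactly the kind of detail worth checking before the maps go live.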