AIX and Linux Interoperability

PDF, 16 pages, 1020 KB

AIX and Linux Interoperability

Effective centralized user management in AIX 5L and Linux environments
Sharing files and printers between AIX 5L and Linux systems
Learn interoperable networking solutions

Abhijit Chavan, Dejan Muhamedagic, Jackson Afonso Krainer, Janethe Co, KyeongWon Jeong

ibm.com/redbooks
International Technical Support Organization
April 2003
SG24-6622-00

Note: Before using this information and the product it supports, read the information in "Notices" on page xi.

First Edition (April 2003)
This edition applies to IBM eServer pSeries and RS/6000 Systems for use with the AIX 5L for POWER Version 5.2 Operating System, Program Number 5765-E62, and is based on information available in November 2002.

© Copyright International Business Machines Corporation 2003. All rights reserved.
Note to U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents

Figures ... ix
Notices ... xi
  Trademarks ... xii
Preface ... xiii
  The team that wrote this redbook ... xiii
  Become a published author ... xv
  Comments welcome ... xv

Chapter 1. Identification and authentication ... 1
  1.1 User security mechanisms ... 2
    1.1.1 AIX security ... 2
    1.1.2 Linux security ... 4
  1.2 Pluggable Authentication Modules (PAM) ... 5
    1.2.1 PAM configuration ... 5
    1.2.2 PAM keywords ... 6
  1.3 Linux PAM implementation ... 8
  1.4 AIX PAM implementation ... 9
    1.4.1 PAM modules and AIX ... 9
    1.4.2 PAM applications and AIX ... 12

Chapter 2. Centralized user management ... 15
  2.1 Lightweight Directory Access Protocol (LDAP) ... 16
    2.1.1 Introduction to LDAP ... 16
    2.1.2 Using LDAP for authentication ... 17
  2.2 Planning for LDAP authentication ... 19
  2.3 LDAP servers ... 20
    2.3.1 IBM Directory Server ... 22
    2.3.2 The OpenLDAP directory server ... 26
  2.4 Migrating user information to LDAP ... 29
    2.4.1 Migrating users on Linux ... 30
    2.4.2 Migrating users on AIX ... 30
  2.5 LDAP authentication clients ... 34
    2.5.1 AIX LDAP authentication client ... 34
    2.5.2 Linux LDAP authentication client ... 35
    2.5.3 PAM and NSS LDAP modules on AIX ... 36
  2.6 Deploying LDAP for authentication ... 38
    2.6.1 OpenLDAP server setup ... 38
    2.6.2 AIX LDAP client setup ... 44
    2.6.3 Linux LDAP client setup ... 45
  2.7 Security considerations ... 47
    2.7.1 Host access control ... 47
    2.7.2 LDAP servers access and database backup ... 48
    2.7.3 Encryption and PKI ... 48

Chapter 3. Single sign-on ... 51
  3.1 The Kerberos way ... 53
  3.2 Kerberos configuration ... 54
    3.2.1 Kerberos configuration files ... 55
    3.2.2 Kerberos database ... 57
    3.2.3 Controlling access to Kerberos ... 58
    3.2.4 Starting Kerberos ... 59
  3.3 Kerberos administration ... 59
    3.3.1 Kerberos principals ... 59
    3.3.2 Kerberos policies ... 61
    3.3.3 Kerberos database management ... 63
    3.3.4 Kerberos database replication ... 63
  3.4 AIX Network Authentication Service (NAS) ... 64
    3.4.1 Installing required packages ... 65
    3.4.2 AIX Kerberos master server ... 65
  3.5 Linux Kerberos support ... 71
    3.5.1 Red Hat Linux Kerberos packages ... 71
    3.5.2 Configuring Kerberos on Linux ... 72
  3.6 Discovering Kerberos services ... 72
    3.6.1 Discovering Kerberos services using AIX NAS and LDAP ... 72
    3.6.2 Discovering Kerberos services using DNS ... 73
  3.7 Integrating Kerberos authentication ... 74
    3.7.1 KDC setup ... 74
    3.7.2 Standard Kerberos services ... 77
    3.7.3 Kerberos authentication clients ... 78
  3.8 Migrating users to Kerberos ... 81
  3.9 Security considerations ... 82
  3.10 Enterprise Identity Mapping (EIM) ... 82
    3.10.1 EIM concepts ... 82
    3.10.2 Using Enterprise Identity Mapping ... 83

Chapter 4. Networking services ... 85
  4.1 Protocols ... 86
    4.1.1 Domain Name System (DNS) ... 86
    4.1.2 Dynamic Host Configuration Protocol (DHCP) ... 94
    4.1.3 Network Time Protocol (NTP) ... 98
    4.1.4 Network Information Service (NIS) ... 101
  4.2 Data transfers ... 102
    4.2.1 rsync ... 102
    4.2.2 rdist ... 105
  4.3 Network management ... 106
    4.3.1 SNMP ... 106
    4.3.2 IBM Tivoli® NetView ... 107
    4.3.3 ntop ... 109
    4.3.4 UNIX network performance management commands ... 112

Chapter 5. Sendmail ... 113
  5.1 Sendmail overview ...
Recommended publications
  • TCPDUMP Caution
  • NOAA Technical Report NOS NGS 60
  • A Longitudinal and Cross-Dataset Study of Internet Latency and Path Stability
  • I3: Maximizing Packet Capture Performance
  • Pluggable Authentication Modules
  • Strong Distributed Authentication Architecture for UNIX (Ashwin Ganti)
  • PowerView Command Reference
  • Misleading Stars: What Cannot Be Measured in the Internet?
  • PAX A920 Mobile Smart Terminal Quick Setup Guide
  • PAX-it! Applications: The PAXcam Digital USB 2.0 Camera System
  • The Dark Side(-Channel) of Mobile Devices: A Survey on Network Traffic Analysis
  • PF: The OpenBSD Packet Filter