------------------------
Exercise #13 for NET2003
due April 4/8, 2005
------------------------
-Ian! D. Allen - idallen@idallen.ca

Remember - knowing how to find out an answer is more important than
memorizing the answer. Learn to fish! RTFM! (Read The Fine Manual)

Global weight: 4% of your total mark this term

Due dates:
 1. in-lab live demo April 4 (1%)
 2. electronic deliverables due 23h59 April 8 (3%) [NEW DATE]

The electronic deliverables for this exercise are to be submitted online
on the Course Linux Server using the "datsubmit" method described in the
exercise description, below. No paper; no email; no FTP.

Late-submission date: I will accept without penalty electronic
deliverables that are submitted late but before 23h59 on Monday, April 11.
After that late-submission date, the electronic deliverables are worth
zero marks. In-lab demos cannot be submitted late.

Exercises submitted by the *due date* will be marked online and your marks
will be sent to you by email after the late-submission date.

Exercise Philosophy:

As with all exercises, the intent of this exercise is to lead you through
finding out where things are in your Linux system. Simply copying the
answers won't help you on the final exam; you have to follow the steps to
know how to find things out by reading the start-up scripts and config
files and following chains of file references.

Exercise Synopsis (Summary Description):

Configure a caching-only DNS server. Configure a forwarding DNS server.
Demo a tcpdump of DNS traffic. Make your Mini system use your DNS as its
default. Configure and test a few "master" DNS zones. Configure Samba.
Configure HTTP. Submit answers to exercise questions.

Where to work:

Work anywhere that you can install your hard drive caddy and have your
Mini system booted with networking at the same time.
Exercise Preparation:

See notes and readings in: week11notes.txt, week12notes.txt, chkconfig.txt

-----------------------------------------------
Exercise Details (on your Mandrake Mini System)
-----------------------------------------------

Have you done all the preparation steps? If not, go back and do them.
Finish your Notes Readings (see the weekly Notes files). Any questions?
See me in a lab or post questions to the Discussion news group (on the top
left of the Course Home Page).

Most of the work will require that you become the root user using the "su"
command. Your prompt will change to include a "#" character, warning you
that you have elevated privilege.

-------------------------------------
Configuring a DNS caching-only server
-------------------------------------

Prepare a text file week12answers.txt with your assignment label in it.
Under the label answer these numbered questions:

 0. Please number each answer clearly!

 1. We need to ensure that we have the BIND package installed. What
    command line fetches the BIND package and installs it? Make sure the
    BIND package is fetched and installed on your Mini system.

 2. We need to know if BIND is configured to start on the Mini system.
    What command line checks in which run levels the DNS server is
    started?

 3. If the DNS service were not configured to start, what command would
    you use to "reset" the symbolic links for this service in all the
    usual run levels?

 4. The command used in the previous question must find the run levels
    and Start/Stop information to "reset" the DNS service. In what file is
    this run level information stored, and what is the line in the file
    that is used by the program to reset the levels? Copy the line from
    the file to your answer.

 5. In which run levels, and at which priority (Start/Stop) would a
    "reset" of the DNS service be installed on your Mini system?

 6. We need to know if the actual name server program is executing on the
    Mini system. What command line could you use to find the executing
    DNS server process name in the list of all processes?

If BIND is configured correctly to start in the current run level, but the
name server program is not actually running when we boot the machine (or
when we manually execute the start-up script to start the service), we
have a problem. We need to examine two things to find out what is wrong:

 A. Perhaps the start-up script is not starting the daemon; or,
 B. perhaps the daemon is starting and then exiting for some reason.

We need to debug by examining the DNS SysV start-up script and watching
the system error log. (week08notes, week10notes, week11notes)

 7. Use the DNS SysV start-up script to try to start the DNS service. What
    internal test is failing, that causes the start-up script to exit
    prematurely and avoid starting the name server program? (Hint: Running
    the script with debugging turned on is a great way to find out what
    actually executes and where the script exits.)

The book says that you can have a working caching-only DNS even with an
empty configuration file. Create an empty BIND configuration file and then
try again to start the name server with its SysV start-up script.

 8. Debugging shows that the SysV start-up script now does start the
    server (you even get an [OK] from the start-up script); but, the
    server process is not found to be running afterward. Where do you
    look to find the system error messages?

 9. What logged file open error is causing the DNS program to exit early
    "due to early fatal error"? Copy the whole line from the system log
    file.

10. Who owns the directory in which the named.pid file is trying to be
    created?

11. What is the name of the Linux userid used to run the DNS system?
    (week12notes)

12. Based on the above two answers, why is the name server process
    exiting early due to a fatal error?

Search the DNS FAQ for the answer to the pid file permissions
question/error. (week12notes)

13. On your Mini system, who owns the directory mentioned in the FAQ?

14. Can the running DNS server write into the directory given in the FAQ?
    (Does the userid used to run the DNS system have write permission on
    the directory mentioned in the FAQ?)

15. The FAQ mentions setting "pid-file". What is the syntax given in the
    man page for this option name that you can configure in the DNS
    config file? (RTFM for the DNS config file) Copy the given syntax line
    from the man page to your answer file.

Following the syntax used for "options" in the sample DNS config file in
your ALN text, set just the pid-file option to the absolute pathname of
the named.pid file given in the FAQ and restart the DNS service. (Do not
set any other options! Do not copy unnecessary lines from the ALN
textbook!) Add a comment to the top of your DNS config file indicating why
you are setting the pid-file option. What problem does this solve?

Stop and start the DNS server again. Make sure there are no fatal errors
in the system log. (Warnings about a missing rndc.key and/or command
channels are not fatal; ignore them for now.) The system log should show
the log entry "running" as the last log event for the newly started DNS
server. If not, go back and fix things.

You now have a pure caching-only DNS server running. Congratulations!

16. Use a command line tool to look up the host name "idallen.ca" using
    the name server you just started on your local machine. (Do not use
    the default set of name servers.) What is the command line you used,
    and its output? (Copy both to your answer file.) (week12notes)

17. What is the content of your new (commented) DNS config file? (Copy
    the file content to your answer file.)

-----------------------------------
Configuring a DNS forwarding server
-----------------------------------

18. When you use DHCP to get information at system boot time, where does
    the DHCP client store the IP addresses of your name servers?
Using the syntax shown in your ALN text, add the options "forwarders" and
"forward first" to the DNS config options, under the pid-file option you
already have. The IP addresses you should add are not the ones in the ALN
text! At your home, use the DNS IP addresses for your ISP; at Algonquin
College, use the College DNS IP addresses. (If you run DHCP, these
addresses will already be fetched and stored in a file on your system.
Copy those IP addresses to the forwarding section of your DNS config file
using the correct config file syntax.) You can put many more than three IP
addresses in the forwarders list. (So you can have both your home and
College addresses there.) Add a comment to the config file stating what
type of DNS server this config file now configures. Restart the DNS
service; check for errors in the system log.

19. What is the content of your new (commented) DNS config file? (Copy
    the file content to your answer file.)

You are now ready to do the In-Lab Demo.

-------------------
In-Lab Demo April 4
-------------------

In your demo, limit your tcpdump output to DNS traffic only. Turn off DNS
resolution in tcpdump (don't convert addresses to names), so that tcpdump
itself does not try to do DNS lookups that will confuse your output.
(RTFM for tcpdump) You may want to prepare three DNS config files to speed
up the demo.

 a) Using tcpdump and the "dig" command (week12notes), demonstrate that
    when you make a "dig" DNS query to your local DNS for a host that is
    not already in your local cache, your DNS forwards the request to one
    of the forwarding IP addresses listed in your DNS config file.

 b) Temporarily disable forwarding and return your DNS server to
    caching-only. (Comment out the forwarding options.) Demonstrate using
    tcpdump that, unlike a forwarding server, a caching DNS server has to
    ask for the top-level domain information when you first query it for
    an address. (It has to do all the work itself.)
 c) Re-enable forwarding with an invalid forwarding name server IP address
    (e.g. use 172.16.17.18). Demonstrate using tcpdump that your
    forwarding server will try to forward to the invalid IP; but, it will
    fall back to behaving like a caching-only server when the invalid IP
    address fails to respond.

 d) Return your server to being a forwarding-first DNS server.

Based on the above experiment, which type of server, caching or
forwarding, generates the least network traffic?

-------------------------------------------------
Making your Mini system use your local DNS server
-------------------------------------------------

Since your Mini system configures itself via DHCP, the /etc/resolv.conf
file that determines the DNS servers used by your system is set
(overwritten) at boot and every time your DHCP lease is renewed. This makes
it awkward to permanently set your system to use your own DNS server.
Fortunately, the dhclient program we are using has a configuration file
that lets us over-ride the DNS servers we receive from our DHCP host ("man
dhclient.conf"). We can ignore the DNS servers DHCP gives us and use our
own instead. (You can also "prepend" your own DNS server IP address
instead of doing a complete over-ride; see the man page.)

Before switching over to use your own DNS, make sure it is working! Make
sure the DHCP-supplied nameserver IP addresses from /etc/resolv.conf have
been entered into your list of "forwarders" in your named.conf file. Make
sure you can use "dig @localhost" to resolve domain names:

    # dig @localhost google.ca a
    # dig @localhost idallen.ca a

If your localhost DNS is working, you can make it the default for your
Mini system. Edit the file /etc/dhclient.conf and add this line:

    supersede domain-name-servers 0.0.0.0 ;

Copy the file to /etc/dhclient-eth0.conf and to /etc/dhclient-eth1.conf.
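The two pre-switch checks described above (copying the DHCP-supplied
nameservers from /etc/resolv.conf into the "forwarders" list, and
confirming from the system log that the newly started server reached
"running" instead of exiting on an early fatal error) can be scripted.
These shell helpers are an added example, not part of the original
exercise; the function names are assumptions, as is the "starting BIND"
log text (the "running" and "due to early fatal error" texts are the ones
the exercise quotes). Run the first one before the "supersede" line takes
effect, while /etc/resolv.conf still lists the DHCP-supplied servers.

```shell
#!/bin/sh
# Added example (assumed helper names): build the named.conf forwarding
# stanza from a resolv.conf-style file, and report the state of the most
# recent named start-up recorded in a syslog-style file.

# Print "forwarders { ... }; forward first;" from FILE's nameserver lines.
# Loopback and 0.0.0.0 entries are skipped: once the dhclient "supersede"
# line is in place they point back at this server, which would then be
# forwarding to itself. Duplicate addresses are listed once.
resolv_to_forwarders() {
    awk '
        $1 == "nameserver" && $2 !~ /^(127\.|0\.0\.0\.0$)/ && !seen[$2]++ {
            list = list "  " $2 ";\n"
        }
        END {
            if (list == "") {
                print "no usable nameserver lines" > "/dev/stderr"
                exit 1
            }
            printf "forwarders {\n%s};\nforward first;\n", list
        }
    ' "$1"
}

# Print "running", "fatal" or "unknown" for the last named start found in
# LOGFILE (syslog format, process tag "named[pid]:"). Each "starting BIND"
# line resets the state so only the newest start-up is judged.
named_start_status() {
    awk '
        / named\[[0-9]+\]: / {
            if ($0 ~ /starting BIND/)                 state = "unknown"
            else if ($0 ~ /due to early fatal error/) state = "fatal"
            else if ($0 ~ /: running$/)               state = "running"
        }
        END { print (state == "" ? "unknown" : state) }
    ' "$1"
}
```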
(If you look at the command line of the running dhclient process, you will
see that your Mandrake Mini system uses separate dhclient config files for
each interface, named after the interface.)

Restart your networking (/etc/init.d/network restart), check for errors in
the system log, and confirm that your /etc/resolv.conf file now contains
only one DNS name server:

    nameserver 0.0.0.0

Reconfirm that your DNS is working, using "dig" again but without
specifying a particular name server (dig will use the default name server
from /etc/resolv.conf, which will now be your localhost DNS):

    # dig google.ca a
    # dig idallen.ca a

Congratulations - your system is now using your own DNS to resolve host
names. (If you want to confirm it one more time, you can stop your DNS
server - /etc/init.d/named stop - and confirm that your system now fails
to resolve host names. Remember to restart it!)

20. What is the content of your /etc/dhclient-eth1.conf file? (Copy the
    file content to your answer file.)

21. What is the content of your new /etc/resolv.conf file? (Copy the file
    content to your answer file.)

Remember that when you move your caddy to another network, you will need a
different set of "forwarders" in your main DNS config file, to keep your
DNS working on the new network. You can disable your DNS and return to
using the DHCP-set DNS servers by removing the "supersede" lines from the
dhclient config files, letting DHCP set name servers in /etc/resolv.conf
again.

-----------------
Configuring Samba (week12notes.txt)
-----------------

Your Mandrake Mini system already has Samba running with the default
config file. List the shares and confirm that the Samba Domain is the
default "MDKGROUP". Save a copy of your original Samba config file.

As you make each change, below, you may wish to save and test that your
change works. (If you make too many changes and an error occurs, you won't
know which change caused the errors.)
Samba errors are logged in separate files under /var/log/samba/.

Edit the Samba config file and change the workgroup to be something of
your own choosing. (Windows workgroups are limited to 14 characters.) Add
your name to the end of the "server string" in the config file, so that
your machine identifies itself uniquely.

Make the "homes" share browseable, so that it appears in the list of
shares. Add your name to the "homes" comment string.

Create yourself a Samba password for your account on your Mini system.
(Add yourself to the Samba password file.) Verify that you can connect to
your home directory share and list your home directory files.

In Linux, create a file "foo.txt" in /tmp. Make the file read-only for
you, no permissions for anyone else. Un-comment the "tmp" share in the
main Samba config file and connect to it (//localhost/tmp) using your
account and Samba password. Create a new file here using the smbclient
"put" command to copy the /tmp/foo.txt file to a new file named "bar.txt"
(which will also be in /tmp). Use the smbclient "stat" command to display
the permissions of the new bar.txt file. Exit smbclient.

22. What is the "stat" output for the bar.txt file? On a command line,
    use the "-c" option of smbclient with the "stat" command to generate
    the information on the new "bar.txt" file and save the output in a
    file. (See week12notes.txt for how to use "-c".) Append/read/add the
    output in the file to your answer file.

23. True/False: the permissions of the Linux source file affect the
    permissions of the destination file when using smbclient "put".

24. Run "diff -u" on your old and new Samba config file and put the diff
    output in diff24.txt for later submission.
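The parameter edits above (workgroup, server string, and the "homes"
browseable and comment settings) can each be made as one isolated change,
which keeps the "diff -u" in question 24 small and makes it easy to test
after every step. The helper below is an added example, not part of the
exercise; the smb_set name and usage are assumptions, the 14-character
workgroup limit it enforces is the one stated above, and un-commenting the
whole ";[tmp]" share is still a manual edit because the helper only
changes parameters inside a section that already exists.

```shell
#!/bin/sh
# Added example (assumed helper name): set one parameter inside one
# [section] of an smb.conf-style file. An existing value (even one that is
# commented out with ";" or "#") is replaced in place; a missing one is
# appended at the end of the section. Other sections are left untouched.
# Usage: smb_set FILE SECTION KEY VALUE
smb_set() {
    file=$1 section=$2 key=$3 value=$4
    # The exercise states that Windows workgroups are limited to 14 chars.
    if [ "$key" = workgroup ] && [ "${#value}" -gt 14 ]; then
        echo "smb_set: workgroup '$value' is longer than 14 characters" >&2
        return 1
    fi
    tmp=$(mktemp) || return 1
    awk -v sec="[$section]" -v key="$key" -v val="$value" '
        function trimmed(s) { sub(/^[ \t]+/, "", s); return s }
        function emit_if_missing() {
            if (insec && !done) { print "   " key " = " val; done = 1 }
        }
        /^[ \t]*\[/ {                       # a [section] header line
            emit_if_missing()               # leaving the wanted section?
            insec = (trimmed($0) == sec)
            print; next
        }
        insec {
            line = trimmed($0)
            # "key = ...", optionally commented out with ; or #
            if (match(line, "^[;#]?[ \t]*" key "[ \t]*=")) {
                if (!done) { print "   " key " = " val; done = 1 }
                next                        # drop the old (or duplicate) line
            }
        }
        { print }
        END { emit_if_missing(); if (!done) exit 2 }   # 2: section not found
    ' "$file" > "$tmp"
    status=$?
    if [ "$status" -eq 0 ]; then mv "$tmp" "$file"; else rm -f "$tmp"; fi
    return "$status"
}
```

Run "testparm" after each change to confirm the file still parses before
restarting Samba.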
If you have a Windows system on your home network, you can try using
smbclient to connect to it (probably by IP address) and browse its shares:

    $ smbclient -L 192.168.1.1        # use your Windows machine IP address
    $ smbclient //192.168.1.1/C -U someuser

In the Algonquin labs, you can use smbclient to list shares on other
students' machines.

------------------
Configuring Apache
------------------

A great resource that documents in short form all the many configuration
directives used by Apache is the "Directive Quick-Reference" link under:

    http://httpd.apache.org/docs-2.0/

Your Mandrake Mini system already has Apache running. We want to locate
the configuration file it is using. The Apache SysV start-up script gives
you the name of the Apache daemon program that is started. The SysV script
might actually start two daemons - one Perl-enabled server and one normal.

25. What is the absolute pathname of the Perl-enabled Apache daemon?

26. Does the Perl-enabled daemon program file actually exist on your Mini
    system?

27. What does the -f option mean to the Apache server program? (RTFM)

The Apache SysV start-up script has two possible definitions for the
$HTTPDCONF variable. Only one of them is executed, depending on whether or
not the Perl-enabled version of Apache exists.

28. What is the absolute pathname of the Apache configuration file, as set
    in the $HTTPDCONF variable?

In the list of all processes running on your Mini system, use grep to
locate the running Apache program by name. (Use the "ww" options to ps to
get the full wide listing.) Confirm your answer to the above question.

Apache errors and accesses are logged in separate files defined by
directive keywords in the Apache configuration file(s). Look in the Apache
config file for the directives "ErrorLog" and "CustomLog". You might see
an entry such as "logs/error_log", indicating that the error log file is
under the "logs" directory in the Apache ServerRoot directory.
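Resolving a relative "logs/error_log" value against ServerRoot the way
httpd does, following the "logs" symlink to the real file, and listing the
Apache 2 "Listen" directives can all be read straight out of the config
file. The shell functions below are an added example, not part of the
exercise; the function names are assumptions, only the one file given is
read (Include'd files are not followed), and the symlink step assumes a
"readlink -f" that accepts a path whose last component does not exist yet.

```shell
#!/bin/sh
# Added example (assumed helper names) for reading an Apache config file.

# Print the absolute pathname named by one log directive (ErrorLog or
# CustomLog) in CONFIG. A relative value is joined to ServerRoot, as the
# server itself does; an absolute value is printed unchanged.
# Exit 1 if the directive is absent, 2 if it is relative but no ServerRoot
# is set. Usage: apache_log_path CONFIG DIRECTIVE
apache_log_path() {
    awk -v want="$2" '
        function unquote(s) { gsub(/^"|"$/, "", s); return s }
        $1 == "ServerRoot" { root = unquote($2) }
        $1 == want         { path = unquote($2) }   # CustomLog: path, then format
        END {
            if (path == "") exit 1
            if (path ~ /^\//) print path            # already absolute
            else if (root != "") print root "/" path
            else exit 2
        }
    ' "$1"
}

# Same, but follow symlinks (such as ServerRoot/logs -> ../../var/log/httpd)
# so the real location under /var/log/ is shown.
apache_log_physical() {
    p=$(apache_log_path "$1" "$2") && readlink -f "$p"
}

# Print every address:port the server will listen on, one per line, from
# the Listen directives. A bare port means every address, shown as "*".
# Commented-out "#Listen" lines are ignored because $1 is "#Listen".
apache_listen() {
    awk '$1 == "Listen" { out = ($2 ~ /:/) ? $2 : "*:" $2; print out }' "$1"
}
```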
Many Linux distributions have a symlink that aliases the Apache log files
or log directory to be under /var/log/ with the other Linux log files. For
example, you might see:

    # pwd
    /etc/httpd
    # ls -l logs
    lrwxrwxrwx  1 root root 19 Jan  1 00:00 logs -> ../../var/log/httpd/

The log file "logs/error_log" (really "/etc/httpd/logs/error_log" since
the ServerRoot is often "/etc/httpd") would actually be
"/etc/httpd/../../var/log/httpd/error_log" or simply
"/var/log/httpd/error_log", under the /var/log/ directory with the other
Linux logs.

29. Your Mini system defines both the error_log and access_log to be under
    the "logs" directory. Show a long listing ("ls") of the "logs"
    pathname under your Apache ServerRoot. (Show the pathname "logs"
    itself; do not show what is under the pathname if it is a directory
    or symbolic link.) Use the absolute pathname.

30. What is the absolute pathname of your Mini system CustomLog file?

The Port and BindAddress directives documented in ALN p.537 only work for
Apache v1. Apache v2 uses "Listen" to specify both the IP address and the
port, e.g. "Listen 127.0.0.0:8080". You can omit the IP address.

31. True/False: The "Listen" directive can be given more than once, to
    make Apache listen on more than one TCP port. (Hint: See the
    "Directive Quick-Reference" mentioned above and in week12notes.txt.)

Using the information in the Apache config file, find the main index.html
file for your Apache server. (Hint: It's *NOT* located under the
ServerRoot directory. The HTML of the file is "Welcome to the Advanced
Extranet Server, ADVX!")

32. Generate a long listing ("ls") showing the inode number and inode
    change time (sometimes documented in man pages as "ctime" or "file
    status information modification time") of the main index.html file on
    your Mini system. Use the absolute pathname of the file. (RTFM)

---------------------
Electronic Submission
---------------------

Submit these files for marking (spelling counts):

    $ datsubmit 13 week12answers.txt diff24.txt

Always submit all files for marking at the same time.