name spaces documentation new
TRANSCRIPT
-
8/3/2019 Name Spaces Documentation New
System and Network Administration
Namespaces and Documentation
-
Topics
1. Namespaces
2. Policies: selection, lifetime, scope, security
3. User Accounts
4. Directories
-
Namespaces
Namespaces: the lists and directories of names in your environment
files in the file system (file system pathnames)
account names in use (user account names)
printers available
names of hosts (hostnames)
IP addresses
service-name/port-number lists
home directory location maps
-
Namespaces
Some namespaces are flat
no duplicates are allowed anywhere in the space
Some namespaces are hierarchical
the same name may appear in different branches of the tree
Need policies to govern namespaces
Ideally, written policies
Can become training for new SAs
Needed to enforce adherence to policy
-
Flat Namespace
Flat Name Architecture (Flat Name Space)
-
Hierarchical Namespace
Hierarchical Name Architecture (Structured Name Space)
-
Naming Policies
Naming policy
What names are permitted/not permitted?
Technology-specific syntax (what a hostname or login may contain)
Organizational: not offensive
Standards compliance
How are names selected?
How are collisions resolved?
How do you merge namespaces?
Technological and political concerns
-
Naming Policies
Naming policy: how are names selected?
Formulaic
e.g., hostname pc-0418; user-id xyz204
Thematic
e.g., planet names for servers; coffee names for printers
Functional
e.g., special-purpose accounts admin, secretary, guest;
hostnames dns1, web3; disk partitions /finance, /devel
Descriptive
e.g., location and object type (pl122-ps)
No method
Everyone picks their own, first-come first-served
Once you choose a scheme, it is difficult to change
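Added example (not from the slides): a small Python policy checker that turns the selection rules above into code. It enforces DNS label syntax, one pattern per object kind taken from the formulaic, functional and descriptive schemes, refuses names that advertise a target, and detects case-insensitive collisions in a flat namespace. The patterns, the object kinds and the FORBIDDEN list are assumptions made for the example.

```python
import re

# Policy rules for this example: the deck's formulaic/functional/descriptive schemes
# written as patterns. The specific patterns and the FORBIDDEN list are assumptions.
LABEL_SYNTAX = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")  # RFC 1123 hostname label
SCHEMES = {
    "desktop": re.compile(r"^pc-\d{4}$"),                # formulaic:   pc-0418
    "service": re.compile(r"^(dns|web|mail|ldap)\d+$"),  # functional:  dns1, web3
    "printer": re.compile(r"^[a-z]{2}\d{3}-ps$"),        # descriptive: pl122-ps
}
# Names that advertise an interesting target are refused outright (assumed list).
FORBIDDEN = {"secureserver", "sourcecodedb", "accounting", "backup", "vault"}


def check_name(name, kind, existing):
    """Return the list of policy violations for a proposed hostname; [] means accepted.
    `existing` is the set of names already allocated in this flat namespace."""
    n = name.lower()  # DNS is case-insensitive: Web3 and web3 are the same name
    problems = []
    if not LABEL_SYNTAX.match(n):
        problems.append("syntax: not a valid DNS label")
    if n in FORBIDDEN:
        problems.append("protection: name advertises an interesting target")
    scheme = SCHEMES.get(kind)
    if scheme is None:
        problems.append("policy: no naming scheme for kind %r" % kind)
    elif not scheme.match(n):
        problems.append("scheme: does not follow the %s naming rule" % kind)
    if n in existing:
        problems.append("collision: already allocated (case-insensitive match)")
    return problems


def allocate(name, kind, existing):
    """Apply the policy and, if it passes, record the name. Returns the violation list."""
    problems = check_name(name, kind, existing)
    if not problems:
        existing.add(name.lower())
    return problems


def demo():
    """Run a few constructed requests through the policy and return the outcomes."""
    allocated = set()
    requests = [("pc-0418", "desktop"), ("PC-0418", "desktop"), ("web3", "service"),
                ("secureserver", "service"), ("pl122-ps", "printer"), ("-dns1", "service")]
    return {name: allocate(name, kind, allocated) for name, kind in requests}


if __name__ == "__main__":
    for name, problems in demo().items():
        print("%-14s %s" % (name, "OK" if not problems else "; ".join(problems)))
```

The collision test runs on the lower-cased name because the names live in DNS, where case does not distinguish two entries; a checker that compared the raw strings would happily hand out both pc-0418 and PC-0418.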
-
Naming Policies
Longevity policy
When are entries removed?
an IP address: after it has not been used for months
contractor IDs: expire each year
student accounts: a year after graduation
employee accounts: the day they leave
Functional names might be exceptions
-
Naming Policies
Scope policy
Where is the namespace to be used? How widely (geographically) shall it be used?
Global authentication is possible with RADIUS
NIS often provides a different space per cluster
How many services will use it? (thickness)
An ID might serve for login, email, VPN, and the modem pools
Across different authentication services
Active Directory, NIS, RADIUS (even with different passwords)
What happens when a user must span namespaces?
Different IDs? Confusing, and they lead to collisions
A single flat namespace is appealing; not always needed
-
Naming Policies
Consistency policy
Where the same name is used in multiple namespaces, which attributes are also retained?
E.g., a UNIX login name requires the same (real) person and the same UID on every host,
but not the same password for email and login
Reuse policy
How soon after deletion can the name be reused?
Sometimes you want immediate reuse (a new printer)
Sometimes long periods (to prevent confusion, and old email from being delivered to the new user)
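Added example (not from the slides) of the consistency check the policy above implies: audit /etc/passwd from several hosts and report a login that maps to different UIDs, a UID shared by different logins, and any extra UID 0 account. The passwd excerpts and host names are constructed sample data.

```python
# Constructed /etc/passwd excerpts from three hosts (sample data for this example,
# not from any real system).
PASSWD_BY_HOST = {
    "alpha": "root:x:0:0:root:/root:/bin/bash\n"
             "alice:x:1001:1001:Alice Example:/home/alice:/bin/bash\n"
             "bob:x:1002:1002:Bob Example:/home/bob:/bin/bash\n",
    "beta":  "root:x:0:0:root:/root:/bin/bash\n"
             "alice:x:1001:1001:Alice Example:/home/alice:/bin/bash\n"
             "bob:x:1003:1003:Bob Example:/home/bob:/bin/bash\n",
    "gamma": "root:x:0:0:root:/root:/bin/bash\n"
             "toor:x:0:0:second superuser:/root:/bin/bash\n"
             "carol:x:1002:1002:Carol Example:/home/carol:/bin/bash\n",
}


def parse_passwd(text):
    """Yield (login, uid) for each well-formed passwd line (seven colon-separated fields)."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue  # malformed line: skip rather than guess
        yield fields[0], int(fields[2])


def audit(passwd_by_host):
    """Cross-check the login namespace against the UID namespace on every host.
    Returns findings as (kind, subject, detail) tuples."""
    name_to_uids = {}  # login -> {uid: [hosts]}
    uid_to_names = {}  # uid   -> {login: [hosts]}
    for host, text in passwd_by_host.items():
        for login, uid in parse_passwd(text):
            name_to_uids.setdefault(login, {}).setdefault(uid, []).append(host)
            uid_to_names.setdefault(uid, {}).setdefault(login, []).append(host)

    findings = []
    # Consistency: one login must mean the same UID everywhere, or file ownership on
    # shared storage silently changes hands when a home directory is mounted elsewhere.
    for login, uids in sorted(name_to_uids.items()):
        if len(uids) > 1:
            findings.append(("name-uid-mismatch", login, uids))
    for uid, logins in sorted(uid_to_names.items()):
        extras = {l: h for l, h in logins.items() if l != "root"} if uid == 0 else {}
        if extras:
            # Protection: any additional UID 0 login is a full-privilege account.
            findings.append(("extra-uid0", sorted(extras), extras))
        elif len(logins) > 1:
            # Collision: two people share one UID and can read each other's files.
            findings.append(("uid-collision", uid, logins))
    return findings


if __name__ == "__main__":
    for kind, subject, detail in audit(PASSWD_BY_HOST):
        print(kind, subject, detail)
```

On the sample data the audit reports bob with two different UIDs, UID 1002 shared by bob and carol, and the extra UID 0 login toor on gamma; the last one is a protection finding, not just a naming one.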
-
Naming Policies
Protection policy
What kind of protection does the namespace require?
e.g., the password list, UIDs, login IDs, e-mail addresses
Who can add/delete/change an entry?
Need backups or change management to roll back a change
-
Naming Policies
Comments on Naming
Some schemes are easier to use than others
easier to remember/figure out, to type, etc.
Some names imply interesting targets
secureserver, sourcecodedb, accounting, etc.
anyone who can read DNS or the directory gets a map of where the valuable systems are
avoid exceptions to formulaic names
Sometimes helpful when the desktop name matches the user's name
Assuming the user wants to be easily identified
-
Name Lifetime
When are names removed?
Immediately after a PC or user leaves the organization.
A set time after a resource is no longer in use.
When are names re-used?
Immediately: functional names.
Never, in some cases.
After a set time: usernames, email addresses.
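Added example (not from the slides) that puts the longevity and reuse policies above into code: a removal schedule per entry kind, and a reuse quarantine that refuses to hand a deleted name to a new owner too soon. The retention periods, names and dates are assumptions made for the example.

```python
from datetime import date, timedelta

# Removal delays from the longevity policy; the concrete numbers are assumptions.
REMOVE_AFTER = {
    "employee":   timedelta(days=0),    # the day they leave
    "contractor": timedelta(days=365),  # contractor ID expires each year
    "student":    timedelta(days=365),  # a year after graduation
    "ip-address": timedelta(days=90),   # not used for months
}
# Reuse quarantine: functional names at once, personal names after a set time,
# some never (None).
REUSE_AFTER = {
    "functional": timedelta(days=0),
    "username":   timedelta(days=365),
    "email":      timedelta(days=365),
    "retired":    None,
}


def removal_date(kind, end_date):
    """Day on which an entry is removed, given when it stopped being valid or used."""
    return end_date + REMOVE_AFTER[kind]


def due_for_removal(entries, today):
    """entries: iterable of (name, kind, end_date). Returns the names whose day has come."""
    return [name for name, kind, end in entries if removal_date(kind, end) <= today]


def reusable(name_kind, deleted_on, today):
    hold = REUSE_AFTER[name_kind]
    return hold is not None and deleted_on + hold <= today


def can_assign(name, active, deletions, today):
    """Decide whether `name` may be handed to a new owner today.
    active: names currently allocated; deletions: name -> (name_kind, deleted_on)."""
    if name in active:
        return False, "in use"
    if name in deletions:
        kind, when = deletions[name]
        if not reusable(kind, when, today):
            hold = REUSE_AFTER[kind]
            if hold is None:
                return False, "retired, never reusable"
            return False, "quarantined until %s" % (when + hold)
    return True, "ok"


def demo(today=date(2019, 8, 3)):
    """Constructed namespace state for the example."""
    entries = [
        ("alice", "employee", date(2019, 8, 3)),        # leaves today
        ("bob-ctr", "contractor", date(2018, 8, 1)),    # ID issued a year ago
        ("carol", "student", date(2019, 5, 15)),        # graduated in May
        ("10.0.0.42", "ip-address", date(2019, 6, 1)),  # last seen in June
        ("10.0.0.7", "ip-address", date(2019, 4, 1)),   # last seen in April
    ]
    active = {"carol", "dns1"}
    deletions = {
        "dave": ("username", date(2019, 1, 1)),    # still in quarantine
        "erin": ("email", date(2018, 6, 1)),       # quarantine elapsed
        "dns2": ("functional", date(2019, 8, 3)),  # functional: reuse at once
        "ceo":  ("retired", date(2017, 1, 1)),     # never reuse
    }
    return {
        "remove": due_for_removal(entries, today),
        "assign": {n: can_assign(n, active, deletions, today)
                   for n in ("carol", "dave", "erin", "dns2", "ceo", "frank")},
    }


if __name__ == "__main__":
    print(demo())
```

The deletion log is what makes the reuse policy enforceable: without a record of when a name was freed and what kind it was, the registry cannot tell a fresh name from one that still has mail being delivered to it.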
-
Namespace Scope
Geographical scopes
Local machine.
Local network.
Organization.
Global (e.g., DNS.)
Service scopes
Single username for UNIX, NT, RADIUS, e-mail, VPN?
Transferring scopes
Difficult without advance planning.
Some names may have to change.
-
Namespace Management
Namespace change procedures
Need procedures for additions, changes, and deletions
Likely restricted to a subgroup of admins
Documentation can provide for enforcement, training and step-by-step instruction
Namespace management
Should be centralized
Maintain, back up, and distribute from one source
Difficult to enforce uniqueness when distributed
Centralization provides consistency
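Added example (not from the slides) of a centralized namespace with the change procedure above: only listed operators may add, change or delete; uniqueness is enforced at the single source; every change is journaled so it can be rolled back; and the distributable copy is generated from that one source. The class and its names are invented for the example.

```python
class NamespaceRegistry:
    """One authoritative copy of a flat namespace (e.g. hostname -> IP address) with a
    restricted operator list and an append-only change journal that supports roll-back."""

    def __init__(self, operators):
        self.operators = set(operators)  # the subgroup of admins allowed to change it
        self.entries = {}                # name -> value
        self.journal = []                # (operator, op, name, before, after)

    def _authorize(self, who):
        if who not in self.operators:
            raise PermissionError("%s may not modify the namespace" % who)

    def _record(self, who, op, name, before, after):
        self._authorize(who)
        self.journal.append((who, op, name, before, after))

    def add(self, who, name, value):
        if name in self.entries:          # uniqueness is enforced at the single source
            raise ValueError("%s already exists" % name)
        self._record(who, "add", name, None, value)
        self.entries[name] = value

    def change(self, who, name, value):
        before = self.entries[name]       # KeyError for an unknown name
        self._record(who, "change", name, before, value)
        self.entries[name] = value

    def delete(self, who, name):
        before = self.entries[name]
        self._record(who, "delete", name, before, None)
        del self.entries[name]

    def rollback_to(self, who, position):
        """Revert every change journaled after index `position`, newest first.
        The reverts are journaled too, so history is appended to, never rewritten."""
        self._authorize(who)
        for _, op, name, before, after in reversed(self.journal[position:]):
            if before is None:
                del self.entries[name]
            else:
                self.entries[name] = before
            self._record(who, "revert-" + op, name, after, before)

    def export_hosts(self):
        """The distributable form: hosts-file style text built from the single source."""
        return "".join("%s\t%s\n" % (v, n) for n, v in sorted(self.entries.items()))


def demo():
    """Constructed sequence: two additions, a change, a deletion, then a roll-back."""
    reg = NamespaceRegistry(operators=["alice"])
    reg.add("alice", "web3", "10.0.0.3")
    reg.add("alice", "dns1", "10.0.0.53")
    checkpoint = len(reg.journal)
    reg.change("alice", "web3", "10.0.0.30")
    reg.delete("alice", "dns1")
    after_changes = dict(reg.entries)
    reg.rollback_to("alice", checkpoint)
    try:
        reg.add("mallory", "web4", "10.0.0.4")   # not an operator
        denied = False
    except PermissionError:
        denied = True
    return {"after_changes": after_changes, "after_rollback": dict(reg.entries),
            "journal_length": len(reg.journal), "mallory_denied": denied,
            "hosts": reg.export_hosts()}


if __name__ == "__main__":
    print(demo())
```

The journal is the backup the protection policy asks for: a roll-back is itself a journaled change, so an investigator can later see both the bad change and who undid it.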
-
User Account Types
OS files
UNIX /etc/{passwd,shadow}
Windows SAM (Security Account Manager)
Network service
NIS (Network Information Service)
LDAP (Lightweight Directory Access Protocol)
Kerberos
Active Directory
RADIUS
-
Windows SAM - The Security Account Manager (SAM) is a database stored as a registry hive in Windows NT, Windows 2000 and later versions of Windows. It stores users' passwords in hashed form (LM hash and NT hash). Since a hash function is one-way, this provides some measure of security for the storage of the passwords, but both formats are weak: the LM hash is computed over the uppercased password split into two 7-character halves, and the NT hash is an unsalted MD4, so whoever can read the SAM can crack the hashes offline or replay the NT hash directly ("pass the hash").
Network Information Service (NIS) - NIS is an administrative database that provides central control and automatic dissemination of important administrative files. NIS converts several standard UNIX files (passwd, group, hosts and others) into maps that can be queried over the network. Classic NIS does not authenticate clients: any host that knows the NIS domain name can request the maps, including password hashes, so it belongs only on a trusted network.
The Lightweight Directory Access Protocol (LDAP) - is an application protocol for querying and modifying directory services over TCP/IP.
Kerberos - is a computer network authentication protocol which allows nodes communicating over a non-secure network to prove their identity to one another in a secure manner. It is also a suite of free software published by the Massachusetts Institute of Technology (MIT) that implements this protocol. Its designers aimed primarily at a client-server model, and it provides mutual authentication: both the user and the server verify each other's identity. Kerberos protocol messages are protected against eavesdropping and replay attacks.
RADIUS - RADIUS (Remote Authentication Dial-In User Service) is a protocol, and the server that implements it, for centralized remote-user authentication and accounting. It originated with Internet Service Providers and dial-up modem pools, but it may be used on any network that needs a centralized authentication and/or accounting service (VPN and wireless access are common uses).
A RADIUS server package typically includes the authentication and accounting server and some administrator tools.
Active Directory - Active Directory is the directory service used on Microsoft Windows-based computers and servers to store information about users, computers, groups and other network and domain objects. It is accessed with LDAP and authenticates users with Kerberos, and it was first shipped with Windows 2000.
-
What is a Directory?
Directory: A collection of information that is primarily searched and read, rarely modified.
Directory Service: Provides access to directory information.
Directory Server: Application that provides a directory service.
-
Directories vs. Databases
Directories are optimized for reading.
Databases balanced for read and write.
Directories are tree-structured.
Databases typically have relational structure.
Directories are usually replicated.
Databases can be replicated too.
Both are extensible data storage systems.
Both have advanced search capabilities.
-
System Administration Directories
Types of directory data
Accounts
Mail aliases and lists (address book)
Cryptographic keys
IP addresses
Hostnames
Printers
Common directory services
DNS, LDAP, NIS
-
Advantages of Directories
Make administration easier.
Change data only once: people, accounts, hosts.
Unify access to network resources.
Single sign-on.
Single place for users to search (address book).
Improve data management.
Improve consistency (one location vs. many).
Secure data in one place: one server to harden and audit, which is also the one server whose compromise exposes everything.
-
Documentation
-
Topics
1. Why document
2. How to document
3. External documentation
-
Why Document
Teaches SAs how to do critical procedures
So you can go on vacation.
So you can get promoted.
Self-help desk
Let users solve their problems quickly.
Requires less time from SAs.
-
Forms of Documentation
Text files and web pages
Generic free-form text, READMEs, etc.
Man pages
UNIX manual pages for commands, configs, etc.
FAQs
Frequently asked question lists.
Reference lists
Vendors w/ contact info, serial numbers, employee directory.
Checklists and HOWTOs
Step-by-step description of a procedure.
Ex: new hire, installs, OS hardening
-
Documentation Template
Title:
Simple, short description.
Metadata:
Author with contact information.
Revision date, history.
What:
Description of what the document tells you to do.
How:
Step-by-step description of the procedure.
Indicate why you're doing steps where appropriate.
-
Sources for Documentation
Command history
Use the script command before starting.
Use the history command after finishing.
Both record everything typed, including any passwords or tokens passed on the command line: scrub them before the capture becomes documentation.
Screen shots
Print screen
ImageMagick's import command to grab windows.
Email
Email conversations may describe commands. Don't use them as documentation; just as a source.
Request tickets
Problem solutions are often documented in the notes.
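Added example (not from the slides): a Python script that turns a captured session (what script or history produce) into a numbered procedure draft, dropping navigation noise and redacting secrets passed on the command line before the text is published. The session lines, hosts and redaction patterns are assumptions made for the example.

```python
import re

# Constructed session capture, as `script` or `history` would have recorded it
# (sample data for this example; hosts and values are made up).
SESSION = """\
cd /etc/ldap
ls -l
sudo cp slapd.conf slapd.conf.bak
ldapadd -x -D "cn=admin,dc=example,dc=com" -w S3cretPass -f newuser.ldif
mysql -u root -pHunter2 -e 'SHOW DATABASES'
export API_TOKEN=abc123def456
curl -H "Authorization: Bearer abc123def456" https://wiki.example.com/api
history
"""

# Navigation and housekeeping commands add nothing to a procedure.
NOISE = re.compile(r"^(ls|cd|pwd|clear|history|exit)(\s|$)")
# One shell "word": a quoted string or a run of non-blank characters.
WORD = r"""("[^"]*"|'[^']*'|\S+)"""
SECRET_PATTERNS = [
    re.compile(r"(\s-[wp]\s*)" + WORD),                            # ldapadd -w X, mysql -pX
    re.compile(r"(--password[= ])" + WORD),                        # --password=X, --password X
    re.compile(r"(\b[A-Z_]*(TOKEN|PASS|SECRET|KEY)[A-Z_]*=)" + WORD),  # exported variables
    re.compile(r"""(Bearer\s+)[^\s"']+"""),                        # HTTP bearer tokens
]


def redact(command):
    """Replace secrets passed on the command line with a marker. Over-redacting
    (e.g. a -p that was followed by a prompt, not a value) is the safe failure."""
    for pattern in SECRET_PATTERNS:
        command = pattern.sub(r"\1<REDACTED>", command)
    return command


def history_to_steps(session):
    """Turn a captured session into the ordered, redacted steps of a procedure draft."""
    steps = []
    for line in session.splitlines():
        line = line.strip()
        if not line or NOISE.match(line):
            continue
        steps.append(redact(line))
    return steps


def render(steps):
    """Numbered list, ready for the 'How' section of the documentation template."""
    return "\n".join("%d. %s" % (i, s) for i, s in enumerate(steps, 1))


if __name__ == "__main__":
    print(render(history_to_steps(SESSION)))
```

A capture that needed redaction is also a sign that the procedure itself should change: the ldapadd and mysql steps should read the password from a file or prompt rather than the command line, where it is visible in the process list as well as in the history.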
-
Documentation Storage
Shared directory
README to describe rules and policies.
Subdirectories for topics.
Text or HTML files in directories.
Web site
Directory shared via web server.
Content Management System
Web-based publishing and collaboration tool.
Provides access control, versioning, easy markup.
-
Wiki
Collaborative web-editing software.
Invented by Ward Cunningham in 1995.
Wiki is a Hawaiian word for "quick".
Features
Edit pages within a web browser.
Simplified markup language.
Version control of pages.
Access control limits who can read and/or edit.
-