
6. Services

6.1 File Services

File serving is accomplished by Network File Services (NFS). NFS works by having the server export filesystems to clients. The clients can then mount any or all of the filesystems. The exporting of filesystems by the server is controlled by the /etc/exports file. The mounting of filesystems on the client is controlled by the /etc/fstab file. If you make changes to /etc/exports, you should issue the exportfs -a command to have your changes take effect. Here is what a /etc/exports file might look like on a server:

/econ/home      *.econ.yale.edu(rw,no_root_squash) 
/econ/www       *.econ.yale.edu(rw,no_root_squash) 
/econ/local     *.econ.yale.edu(rw,no_root_squash) 
/econ/project   *.econ.yale.edu(rw,no_root_squash) 
/usr/spool/mail *.econ.yale.edu(rw,no_root_squash)

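The rw option lets users both read and write (if they have permission) to the disks from the client machines. The no_root_squash option allows root to have write permission from the client machines: it turns off the default mapping of a client's root user to an unprivileged anonymous user, so root on any client matching the export acts as root on these filesystems.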

Here is a sample /etc/fstab from a client machine. I will ONLY list the NFS directories since the local directories may vary from machine to machine:

aida:/econ/local           /local          nfs bg,hard,intr,rsize=8196,wsize=8196,exec,dev,suid,rw
aida:/econ/local/linux/rh6 /usr/local      nfs bg,hard,intr,rsize=8196,wsize=8196,exec,dev,suid,rw
aida:/econ/home            /home           nfs bg,hard,intr,rsize=8196,wsize=8196,exec,dev,suid,rw
aida:/econ/www             /www            nfs bg,hard,intr,rsize=8196,wsize=8196,exec,dev,suid,rw
aida:/econ/project         /project        nfs bg,hard,intr,rsize=8196,wsize=8196,exec,dev,suid,rw
aida:/usr/spool/mail       /var/spool/mail nfs bg,hard,intr,rsize=8196,wsize=8196,exec,dev,suid,rw

The option bg mounts the filesystem in the background.

The option hard means it's a hard mount: the client keeps retrying NFS requests until the server responds.

The option intr means you can interrupt the NFS mount if it hangs.

The options rsize=8196 and wsize=8196 set the read and write buffers to 8196 bytes which helps increase performance.

The option exec permits execution of binaries.

The option dev interprets character or block special devices on the file system.

The option suid allows set-user-identifier or set-group-identifier bits to take effect.

The option rw means the filesystem is mounted with read and write permission.

You can also see that a filesystem on the server can be mounted under a different name on the client machine. The first column shows the server name and filesystem exported by /etc/exports on the server. The second column shows where that filesystem is mounted on the local client machine.
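
The following Python check is an added example, not part of the original guide: it parses text in the /etc/exports and /etc/fstab formats shown above and reports the options that extend trust across the network (no_root_squash, read-write wildcard exports, and NFS mounts that honour suid and dev). The sample file contents and the function names are constructed for illustration.

```python
# Constructed sample input, modelled on the files shown above.
SAMPLE_EXPORTS = """\
/econ/home  *.econ.yale.edu(rw,no_root_squash)
/econ/www   *.econ.yale.edu(ro)
"""
SAMPLE_FSTAB = """\
aida:/econ/home /home nfs bg,hard,intr,rsize=8196,wsize=8196,exec,dev,suid,rw
aida:/econ/www  /www  nfs bg,hard,intr,nosuid,nodev,ro
/dev/hda1       /     ext3 defaults 1 1
"""

def _lines(text):
    """Yield non-empty lines with '#' comments stripped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line

def audit_exports(text):
    """Return (path, client, finding) tuples for export options worth reviewing."""
    findings = []
    for line in _lines(text):
        path, *clients = line.split()
        for spec in clients:
            host, _, optstr = spec.partition("(")
            opts = set(filter(None, optstr.rstrip(")").split(",")))
            if "no_root_squash" in opts:
                findings.append((path, host, "client root is not squashed"))
            # An empty host, e.g. "host (rw)" typed with a stray space, means every client.
            if "rw" in opts and (not host or "*" in host or "?" in host):
                findings.append((path, host, "read-write to a wildcard client"))
    return findings

def audit_fstab(text):
    """Return (mountpoint, finding) tuples for NFS mounts that trust server files."""
    findings = []
    for line in _lines(text):
        fields = line.split()
        if len(fields) < 4 or not fields[2].startswith("nfs"):
            continue  # not an NFS entry
        state = {"suid": True, "dev": True}  # in effect unless switched off
        for opt in fields[3].split(","):
            name = opt[2:] if opt.startswith("no") else opt
            if name in state:
                state[name] = not opt.startswith("no")  # the last occurrence wins
        findings += [(fields[1], k + " honoured from server") for k, v in state.items() if v]
    return findings
```

Run audit_exports() on the server's file and audit_fstab() on each client's file; an empty list means none of these options are in effect.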

The start, stop, status and reload script for NFS is /etc/rc.d/init.d/nfs

6.2 Mail Services

The official policy is that individuals and departments should NOT be running a mail server. All people must receive email at the Pantheon or some other outside mail server. The fact is there are many times that it's necessary to be running a mail server. The primary functions of the mail server are: accept mail for users, redirect any incoming mail to real mailboxes (most likely this is the Pantheon), rewrite outgoing mail return addresses and run mailing lists.

The mail server we will be running is called postfix. We are not running sendmail. Postfix attempts to be fast, easy to administer, and secure, while at the same time being sendmail compatible enough to not upset existing users. To learn more about postfix and join the mailing list you should visit here: http://www.postfix.org/

Both sendmail and postfix are installed and the default is to use sendmail. To switch to postfix just do the following:

  /usr/bin/system-switch-mail

The postfix configuration and database files are located in /etc/postfix on the server. The main configuration file is called main.cf. There are several sample configuration files if you wish to add functionality. The two database files also being used are canonical and relocated. canonical is the redirect and rewriting list. It's a two column ASCII file with the local username in the first column and the address to redirect and rewrite mail to in the second column (most likely first.last@yale.edu). relocated is the bounce list. It's a two column ASCII file with the local username in the first column and some information text in the second column.

If you make a change to either canonical or relocated the changes will take effect automatically in a few hours. In most cases, you will probably want the changes to take effect immediately. To do this, you simply remake the database by typing /usr/sbin/postmap "database-file" where "database-file" is either canonical or relocated. Next you must reload the new database into postfix. To do this simply type /etc/rc.d/init.d/postfix reload.

The start, stop, status and reload script for postfix is /etc/rc.d/init.d/postfix

Important Note: In order to get mail actually delivered locally I had to do the following:

  cd /var/spool
  chmod o+w mail
  chmod o+t mail

You may also wish to install a postfix log check PERL script called pflogsumm.pl. You can download pflogsumm.pl from here: http://jimsun.linxnet.com/postfix_contrib.html. I then moved the PERL script to /usr/sbin. You will also need the following PERL module: Date::Calc. You can download it here: http://search.cpan.org/search?module=Date::Calc or get the RPM from here: ftp://at.rpmfind.net/linux/redhat.com/dist/cpan/6.2/i386/perl-Date-Calc-4.3-6.i386.rpm . To use the postfix log check script, you should add the following line to /etc/cron.daily/postfix:

  /usr/sbin/pflogsumm.pl --problems_first --smtpd_stats --verbose_msg_detail \
      -d yesterday /var/log/maillog | \
      mail -s "Mail Problems and Stats" yourfirstname.yourlastname@yale.edu

SPAM controls

You may also install some SPAM controls to the mailing lists. These SPAM controls work by rejecting a specific user@spamhost from delivering mail to local-maillist@host.yale.edu. You must modify /etc/postfix/main.cf and add the following lines:

smtpd_client_restrictions = permit_mynetworks
                       check_recipient_access hash:/etc/postfix/recipients
                       reject_unknown_client
                       reject_maps_rbl
 
#
# Define the restriction class used in the file "recipients" here:
#
smtpd_restriction_classes = some.guy_restricted
some.guy_restricted =
        check_sender_access hash:/etc/postfix/sites-to-reject
        check_relay_domains

The smtpd_client_restrictions line tells postfix who to permit, check or reject. In the case of check, the hash /etc/postfix/recipients is checked. The smtpd_restriction_classes line just defines a new variable name for a "class" of potential SPAM hosts. The some.guy_restricted definition just defines what to use for the new class. In this case it's the hash /etc/postfix/sites-to-reject.

Right now, all the local email addresses should be in the /etc/postfix/recipients file. If you start to get SPAM to the mailing lists, just add the new email address of where the SPAM is coming from to /etc/postfix/sites-to-reject. If/When you modify recipients or sites-to-reject make sure you run the postmap command to regenerate the new hashes:

  /usr/sbin/postmap /etc/postfix/recipients
  /usr/sbin/postmap /etc/postfix/sites-to-reject
  /etc/rc.d/init.d/postfix reload
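
A small Python model of the lookup chain configured above, added here as an illustration (it is not Postfix code and not from the original page). The table contents, the REJECT action and the function names are assumptions; check_relay_domains, reject_unknown_client and reject_maps_rbl are not modelled.

```python
# Constructed sample tables in the "key  value" format that postmap reads.
RECIPIENTS = """\
# /etc/postfix/recipients: list address -> restriction class to apply
local-maillist@host.yale.edu   some.guy_restricted
"""
SITES_TO_REJECT = """\
# /etc/postfix/sites-to-reject: sender address -> action (REJECT is assumed here)
user@spamhost   REJECT
"""
CLASS_NAME = "some.guy_restricted"  # must match smtpd_restriction_classes

def load_table(text):
    """Parse 'key value' lines into a dict, skipping blanks and '#' comments."""
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            key, value = line.split(None, 1)
            table[key.lower()] = value.strip()  # this model compares case-insensitively
    return table

RECIPIENT_MAP = load_table(RECIPIENTS)
SENDER_MAP = load_table(SITES_TO_REJECT)

def decide(sender, recipient, client_in_mynetworks=False):
    """Return 'permit', 'reject' or 'next' (fall through to later restrictions)."""
    if client_in_mynetworks:
        return "permit"  # permit_mynetworks is listed first, so the tables are never consulted
    if RECIPIENT_MAP.get(recipient.lower()) == CLASS_NAME:
        # The recipient is a protected list, so the class's check_sender_access lookup runs.
        action = SENDER_MAP.get(sender.lower(), "")
        if action.upper().startswith("REJECT"):
            return "reject"
    return "next"
```

The model makes two properties of this setup visible: a listed sender is rejected only for recipients that appear in recipients, and a client inside mynetworks is never checked against sites-to-reject.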

If your German is good, I got the majority of this information from http://www.stahl.bau.tu-bs.de/~hildeb/postfix/restriction_classes.shtml.


6.3 Mailing Lists

Email lists are maintained by a program called mailman. mailman has both a web interface and command line scripts available. Mailman is software to help manage email discussion lists, much like Majordomo and Smartmail. Unlike most similar products, Mailman gives each mailing list a web page, and allows users to subscribe, unsubscribe, etc. over the web. Even the list manager can administer his or her list entirely from the web. Mailman also integrates most things people want to do with mailing lists, including archiving, mail-to-news gateways, and so on. Mailman has all of the features you expect from such a product, plus integrated support for the web (including web based archiving), automated bounce handling and integrated spam prevention. To find out more about mailman and join the mailing list just visit: http://www.list.org/ Here is a brief overview of features:

  • Most standard mailing list features, including list moderation, mail based commands, digests (both MIME and `plain'), and so on.
  • An extensive web-based user interface that is customizable on a per-list basis. This allows users to manage their own subscriptions, with support for temporarily disabling their accounts, selecting digest modes, hiding their email addresses from other members, etc.
  • A web-based list administration interface for all admin-type tasks, including list configuration, moderation (post approvals), selection of posting and subscribing rules, management of user accounts via the web, etc.
  • Automatic web-based hypermail-style archiving, including provisions for private archives.
  • Integrated gatewaying to and from Usenet.
  • Smart bounce detection with automatic disposition (i.e. configurable disabling, unsubscribing).
  • Direct SMTP delivery of messages, including integrated fast bulk mailing.
  • Smart spam protection.
  • Multiple list owners and moderators are possible.
  • Optional (per-user) MIME-compliant digests.
  • Support for virtual domains.

To use the command line interface, simply "su - mailman". The scripts are in the bin directory. Use these scripts to quickly create a new list or list the members of a list.

Installation and configuration of Mailman

Download the latest version of Mailman from http://sourceforge.net/projects/mailman. Make sure you have a user and a group called mailman in /etc/passwd and /etc/group. Make sure the user has a shell and a home directory. I use bash and /home/mailman. Gunzip and untar the source as user mailman. Then run:


 ./configure --prefix=/home/mailman --with-mail-gid=nobody --with-cgi-gid=apache
 make
 make install

Also make sure the web server is running as user apache. If you have to tweak the above configuration, just make sure that:

  --with-mail-gid=nobody   matches 
       /etc/postfix/main.cf #default_privs = nobody
  --with-cgi-gid=apache    matches
       /etc/httpd/conf/httpd.conf    Group apache

Forgot admin password

You can reset the password by visiting the list's admin page and using the site password. You can then scroll down and reset the admin password for that list. Now if you forgot the site password, you'll have to "sudo su - mailman" and run "~mailman/bin/mmsitepass" to reset the site password first.

6.4 Web Server

You may wish to be running the apache web server. To learn more about the apache web server just visit http://www.apache.org/

The configuration files are located in /etc/httpd/conf/httpd.conf. There are far too many options to list here.

Important Note: You should run as user and group "apache" so that it matches Mailman.

The log files are in /var/log/httpd. The logs are rotated and compressed once a week. The rotation happens at 4am Sunday morning. The rotation schedule and compression are controlled by /etc/logrotate.conf and /etc/logrotate.d/apache.

There is a file robots.txt in DocumentRoot. This file asks robots, spiders and search engines not to index certain web pages. It is a request that well-behaved crawlers honor, not an access control, and the file itself is readable by anyone. Suppose you have a subdirectory called "doco" that contains local documentation that you don't want search engines to index. Just create a file called robots.txt and place it in the DocumentRoot directory. Here is what the file should look like:

  User-agent: *
  Disallow: /doco/

You may wish to add other areas of the web server.

The start, stop, status and reload script for the web server is /etc/rc.d/init.d/httpd

6.5 NIS master

You may wish to run Network Information Services (NIS). The server is the NIS master, so it contains all the source and database files that get shared throughout the department. NIS can share many pieces of information, both standard and custom. These bits of information are called NIS maps. The most common files to share are: group, netgroup, and passwd. All of the source files for these maps are located in /etc. If you make a change to one of the source files you must propagate the NIS map out to the clients. To do this:

   cd /var/yp
   make

To make a machine the NIS master server, just type: "/usr/lib/yp/ypinit -m". Then take a look at /var/yp/Makefile for the details of how the NIS maps are created.

The NIS domain name should be something you can remember, but perhaps a little difficult to guess. Something like phunstuff. The NIS maps are created and stored in /var/yp/phunstuff then. Just run the Makefile in /var/yp to recreate and push out the NIS maps. The file /var/yp/ypservers contains a list of the NIS servers.

You can restrict access to the NIS maps. This is controlled by the /etc/hosts.allow and /etc/hosts.deny files since TCP wrappers are used by NIS.

There is an NIS password daemon running which allows users to change their NIS passwords. The daemon is called yppasswdd. The start, stop, status and reload script for the NIS password server is /etc/rc.d/init.d/yppasswdd.

The start, stop, status and reload script for the NIS server is /etc/rc.d/init.d/ypserv

6.6 Samba

The Samba software suite is a collection of programs that implements the Server Message Block (commonly abbreviated as SMB) protocol for UNIX systems. This protocol is sometimes also referred to as the Common Internet File System (CIFS), LanManager or NetBIOS protocol. Basically Samba is used to talk "Windows". To learn more about Samba, read the man pages (man samba) or visit http://www.samba.org/

Samba is used so users of Windows machines can have direct access to their home directories on the linux server. On the Windows side of things, this is called "mapping a network drive".

The samba configuration file is /etc/samba/smb.conf. The samba server should be configured to use the YALE domain to verify credentials. This eliminates the need for samba usernames and passwords. The only constraint is that the samba user's local Linux account name and NetID MUST be the same. This is done using the following in /etc/samba/smb.conf:

# Security mode. Most people will want user level security. See
# security_level.txt for details.
   security = server
# Use password server option only with security = server
   password server = windows-auth.its.yale.edu, windows-auth2.its.yale.edu

When a Windows user is using samba for the first time, his/her YALE NetID password may not be synchronized with their UNIX (Pantheon) password. This is particularly true for someone that has never logged into the YALE domain before. They will have to synchronize their UNIX and NT passwords on the Pantheon first. To accomplish this, the user should visit: http://www.yale.edu/password/

The start, stop, status and reload script for Samba is /etc/rc.d/init.d/smb

6.7 Postgresql Database Server

If you'd like to run the Postgres database server, here are some helpful configuration files to get you started. You can get a sample postgresql.conf file here: ftp://ftp.wss.yale.edu/pub/linux/yale/configs/postgresql.conf This configuration file will send the postgres messages to /var/log/postgres instead of /var/log/messages. You will also need to append the following file to /etc/syslog.conf to make this work: ftp://ftp.wss.yale.edu/pub/linux/yale/configs/postgresql.syslog. You will probably want to rotate the postgres logs as well. So here is a file that you should place in /etc/logrotate.d and call it postgres: ftp://ftp.wss.yale.edu/pub/linux/yale/configs/postgresql.logrotate.






Certifying authority: Paul Gluhosky
Manager, AM&T Workstation Support Services
URL: http://wss.yale.edu/doco/LINUX
Last update: 12.20.06