Namespaces
Namespaces: the lists and directories in your environment
- files in the file system (file system pathnames)
- account names in use (user account names)
- printers available
- names of hosts (hostnames)
- IP addresses
- service-name/port-number lists
- home directory location maps
Namespaces
- Some namespaces are flat: there are no duplicates
- Some namespaces are hierarchical: duplicates are allowed within different branches of a tree
- Need policies to govern namespaces
  - Ideally, written policies
  - Can become training for new SAs
  - Needed to enforce adherence to policy
Flat Namespace
Hierarchical Namespace
Naming Policies
Naming policy
- What names are permitted/not permitted?
  - Technology-specific syntax
  - Organizational: not offensive
  - Standards compliance
- How are names selected?
- How are collisions resolved?
- How do you merge namespaces?
  - Technological and political concerns
Naming Policies
Naming policy: how are names selected?
- Formulaic, e.g., hostname pc-0418; user-id xyz204
- Thematic, e.g., planet names for servers; coffee varieties for printers
- Functional, e.g., specific-purpose accounts admin, secretary, guest; hostnames dns1, web3; disk partitions /finance, /devel
- Descriptive, e.g., location, object type (pl122-ps)
- No method: everyone picks their own, first-come first-served
- Once you choose one scheme, it is difficult to change
Naming Policies
Longevity policy: when are entries removed?
- IP address: after it has not been used for months
- contractor ID: each year
- student accounts: a year after graduation
- employee accounts: the day they leave
- Functional names might be exceptions: sales@company.com, president@university.edu
Naming Policies
Scope policy: where is the namespace to be used?
- How widely (geographically) shall it be used?
  - Global authentication is possible with RADIUS
  - NIS often provides a different space per cluster
- How many services will use it? (thickness)
  - One ID might serve for login, email, VPN, name on modem pools
  - Across different authentication services: Active Directory, NIS, RADIUS (even with different passwords)
- What happens when a user must span namespaces?
  - Different IDs? Confusing, and leads to collisions
  - A single flat namespace is appealing; not always needed
Naming Policies
Consistency policy
- Where the same name is used in multiple namespaces, which attributes are also retained?
- E.g., a UNIX name requires the same (real) person and the same UID, but not the same password for email and login
Reuse policy
- How soon after deletion can the name be reused?
- Sometimes you want immediate reuse (new printer)
- Sometimes long periods (prevents confusion and old email from being sent to the new user)
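The syntax, collision and reuse rules from the naming-policy slides above can be enforced by a small allocator rather than by memory. The following is an added example, not code from the slides or from any of the referenced books; the formulaic patterns (pc-NNNN hosts, three letters plus three digits for user IDs), the reserved and discouraged word lists, and the quarantine periods (immediate reuse for hosts, one year for user IDs) are assumptions chosen to match the slides' illustrations.

```python
"""Naming-policy checker: syntax, collision and reuse rules for one namespace."""
import re
from datetime import date, timedelta

# Formulaic patterns in the style of the slides (hostname pc-0418, user-id xyz204).
# The patterns, word lists and quarantine periods below are assumed for illustration.
PATTERNS = {
    "host": re.compile(r"^(?P<type>pc|srv|ps)-(?P<num>\d{4})$"),
    "user": re.compile(r"^[a-z]{3}\d{3}$"),
}
# Functional names that must never be handed out as personal IDs.
RESERVED = {"root", "admin", "administrator", "guest", "sales", "president"}
# Words that make a name advertise an interesting target.
DISCOURAGED = ("secure", "sourcecode", "accounting", "payroll")
# Reuse policy: hosts/printers may be reused immediately, user IDs only after a year.
REUSE_QUARANTINE = {"host": timedelta(days=0), "user": timedelta(days=365)}


class Namespace:
    def __init__(self, kind):
        self.kind = kind
        self.pattern = PATTERNS[kind]
        self.active = {}    # name -> owner
        self.retired = {}   # name -> date the entry was deleted

    def check(self, name, today):
        """Return the list of policy violations; an empty list means the name is acceptable."""
        problems = []
        if not self.pattern.match(name):
            problems.append("syntax: does not match the formulaic pattern")
        if name in RESERVED:
            problems.append("reserved: collides with a functional name")
        for word in DISCOURAGED:
            if word in name:
                problems.append(f"target: name advertises a sensitive role ({word})")
        if name in self.active:
            problems.append(f"collision: already allocated to {self.active[name]}")
        if name in self.retired:
            free_on = self.retired[name] + REUSE_QUARANTINE[self.kind]
            if today < free_on:
                problems.append(f"reuse: retired on {self.retired[name]}, not reusable before {free_on}")
        return problems

    def allocate(self, name, owner, today):
        problems = self.check(name, today)
        if problems:
            raise ValueError(f"{name}: " + "; ".join(problems))
        self.retired.pop(name, None)
        self.active[name] = owner

    def retire(self, name, today):
        """Longevity policy: delete the entry and start the reuse quarantine clock."""
        del self.active[name]
        self.retired[name] = today

    def next_free(self, prefix, today):
        """Resolve a collision by taking the lowest number that passes every policy check."""
        for n in range(1, 10000):
            candidate = f"{prefix}-{n:04d}"
            if not self.check(candidate, today):
                return candidate
        raise RuntimeError(f"namespace exhausted for prefix {prefix}")


def demo():
    """Run the scenario from the slides (constructed data) and return the observations."""
    today = date(2024, 1, 10)
    hosts, users = Namespace("host"), Namespace("user")
    hosts.allocate("pc-0001", "lab bench", today)
    users.allocate("xyz204", "X. Y. Zed", today)
    users.retire("xyz204", today)                      # employee left today
    return {
        "next_host": hosts.next_free("pc", today),                                # pc-0002
        "secureserver": hosts.check("secureserver", today),                       # syntax + target
        "reuse_after_30d": users.check("xyz204", today + timedelta(days=30)),     # still quarantined
        "reuse_after_365d": users.check("xyz204", today + timedelta(days=365)),   # []
        "root": users.check("root", today),                                       # syntax + reserved
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The check function returns every violation rather than the first one, so the person requesting a name sees the whole reason a request was refused; the reuse rule is keyed per namespace because the slides treat printers and user IDs differently.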
Naming Policies
Protection policy
- What kind of protection does the namespace require?
  - password list
  - UIDs
  - login IDs, e-mail addresses
- Who can add/delete/change an entry? Write access to a namespace is itself a credential: whoever can change a UID or login mapping can impersonate the user it points at.
- Need backups or change management to roll back a change
Naming Policies
Comments on naming
- Some schemes are easier to use than others: easier to remember or figure out, to type, etc.
- Some names imply interesting targets: secureserver, sourcecodedb, accounting, etc. Avoid exceptions to formulaic names; an exception is exactly what someone surveying the namespace notices first.
- Sometimes helpful when the desktop name matches the user's name, assuming the user wants to be easily identified
Name Lifetime
When are names removed?
- Immediately after the PC or user leaves the organization
- A set time after the resource is no longer in use
When are names re-used?
- Immediately: functional names
- Never, in some cases
- After a set time: usernames, email addresses
Namespace Scope
Geographical scopes
- Local machine
- Local network
- Organization
- Global (e.g., DNS)
Service scopes
- Single username for UNIX, NT, RADIUS, e-mail, VPN?
Transferring scopes
- Difficult without advance planning
- Some names may have to change
Namespace Management
Namespace change procedures
- Need procedures for additions, changes, and deletions
- Likely restricted to a subgroup of admins
- Documentation can provide for enforcement, training and step-by-step instruction
Namespace management
- Should be centralized
- Maintain, back up, and distribute from one source
- Difficult to enforce uniqueness when distributed
- Centralization provides consistency
Windows SAM - The Security Accounts Manager (SAM) is a database stored as a registry hive file in Windows NT, Windows 2000 and later versions of Windows. It stores users' passwords in hashed form (the LM hash and the NT hash used by NTLM). Because a hash function is one-way, this gives some measure of protection to the stored passwords, but only some: neither hash is salted, the LM hash is weak enough to be guessed cheaply, and the NT hash is itself usable as a credential in NTLM authentication, so the SAM must be protected as if it held the passwords themselves.
Network Information Service (NIS) - An administrative database that provides central control and automatic dissemination of important administrative files. NIS converts several standard UNIX files into databases (maps) that can be queried over the network.
Lightweight Directory Access Protocol (LDAP) - An application protocol for querying and modifying directory services, running over TCP/IP.
Kerberos - A computer network authentication protocol that allows nodes communicating over a non-secure network to prove their identity to one another in a secure manner. It is also a suite of free software published by the Massachusetts Institute of Technology (MIT) that implements the protocol. Its designers aimed primarily at a client-server model, and it provides mutual authentication: both the user and the server verify each other's identity. Kerberos protocol messages are protected against eavesdropping and replay attacks.
RADIUS - A protocol and server for remote user authentication and accounting. Its primary use is by Internet Service Providers, though it can be used on any network that needs a centralized authentication and/or accounting service for its workstations. A RADIUS package includes an authentication and accounting server and some administrator tools.
Active Directory - A directory service used on Microsoft Windows based computers and servers to store information about networks and domains (users, groups, hosts, policies). It was first previewed in 1996 and first shipped with Windows 2000.
What is a Directory?
Directory: a collection of information that is primarily searched and read, rarely modified.
Directory service: provides access to directory information.
Directory server: an application that provides a directory service.
Advantages of Directories
- Make administration easier
  - Change data only once: people, accounts, hosts
- Unify access to network resources
  - Single sign-on
  - Single place for users to search (address book)
- Improve data management
  - Improve consistency (one location vs. many)
  - Secure data through only one server
Documentation
Why Document
- Teaches SAs how to do critical procedures
  - So you can go on vacation
  - So you can get promoted
- Self-help desk
  - Lets users solve their problems quickly
  - Requires less time from SAs
Forms of Documentation
- Text files and web pages: generic free-form text, READMEs, etc.
- Man pages: UNIX manual pages for commands, configs, etc.
- FAQs: frequently asked question lists
- Reference lists: vendors with contact info, serial numbers, employee directory
- Checklists and HOWTOs: step-by-step description of a procedure. Ex: new hire, installs, OS hardening
Documentation Template
- Title: simple, short description
- Metadata: author with contact information; revision date and history
- What: description of what the document tells you to do
- How: step-by-step description of the procedure. Indicate why you're doing steps where appropriate.
Documentation Storage
- Shared directory
  - README to describe rules and policies
  - Subdirectories for topics
  - Text or HTML files in directories
- Web site: directory shared via a web server
- Content management system: web-based publishing and collaboration tool; provides access control, versioning, easy markup
Wiki
- Collaborative web-editing software
- Invented by Ward Cunningham in 1995
- "Wiki" is a Hawaiian word for fast
- Features
  - Edit pages within a web browser
  - Simplified markup language
  - Version control of pages
  - Access control limits who can read and/or edit