System and Network Administration

Namespaces and Documentation

Topics

1. Namespaces
2. Policies: selection, lifetime, scope, security
3. User Accounts
4. Directories

Namespaces

Namespaces are the lists and directories in your environment:
- files in the file system (file system pathnames)
- account names in use (user account names)
- printers available
- names of hosts (hostnames)
- IP addresses
- service-name/port-number lists
- home directory location maps

Namespaces

- Some namespaces are flat: there are no duplicates.
- Some namespaces are hierarchical: duplicates are allowed within different branches of a tree.
- Need policies to govern namespaces
  - Ideally, written policies
  - Can become training for new SAs
  - Needed to enforce adherence to policy

Flat Namespace

Flat Name Architecture (Flat Name Space)

Hierarchical Namespace

Hierarchical Name Architecture (Structured Name Space)

Naming Policies

Naming policy
- What names are permitted/not permitted?
  - Technology-specific syntax
  - Organizational: not offensive
  - Standards compliance
- How are names selected?
- How are collisions resolved?
- How do you merge namespaces?
  - Technological and political concerns

Naming Policies

Naming policy: how are names selected?
- Formulaic, e.g., hostname pc-0418; user ID xyz204
- Thematic, e.g., planet names for servers; coffee names for printers
- Functional, e.g., specific-purpose accounts admin, secretary, guest; hostnames dns1, web3; disk partitions /finance, /devel
- Descriptive, e.g., location, object type (pl122-ps)
- No method: everyone picks their own, first-come first-served
- Once you choose one scheme, it is difficult to change.

Naming Policies

Longevity policy: when are entries removed?
- after an IP address has not been used for months
- contractor IDs each year
- student accounts a year after graduation
- employee accounts the day they leave
- Functional names might be exceptions: sales@company.com, president@university.edu

Naming Policies

Scope policy: where is the namespace to be used?
- How widely (geographically) shall it be used?
  - Global authentication is possible with RADIUS
  - NIS often provides a different space per cluster
- How many services will use it? (thickness)
  - One ID might serve for login, email, VPN, name on modem pools
  - Across different authentication services: Active Directory, NIS, RADIUS (even with different passwords)
- What happens when a user must span namespaces?
  - Different IDs? Confusing, lead to collisions
  - A single flat namespace is appealing; not always needed

Naming Policies

Consistency policy
- Where the same name is used in multiple namespaces, which attributes are also retained?
- E.g., a UNIX name requires the same (real) person and the same UID, but not the same password for email and login

Reuse policy
- How soon after deletion can the name be reused?
  - Sometimes you want immediate reuse (new printer)
  - Sometimes long periods (prevent confusion and old email from being sent to the new user)
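As an added illustration that is not part of the slides, the selection, collision and reuse policies above expressed as a small registry for a flat namespace. The name patterns, the functional-name list and the quarantine periods are assumed values modelled on the slide's own examples (pc-0418, xyz204, dns1), not a real site's policy.

```python
import re
from datetime import date, timedelta

# Constructed naming policy for this example (patterns are assumptions,
# modelled on the slide's formulaic examples pc-0418 and xyz204).
NAME_PATTERNS = {
    "host": re.compile(r"^pc-\d{4}$"),
    "user": re.compile(r"^[a-z]{3}\d{3}$"),
}
# Functional names (role accounts, service hosts) are exempt from the
# formulaic scheme and may be reused immediately, as the reuse policy allows.
FUNCTIONAL_NAMES = {"admin", "guest", "secretary", "dns1", "web3"}
# Reuse quarantine: how long a deleted name is held before it can be re-issued.
# A long period for user IDs keeps old email from reaching the new holder.
REUSE_QUARANTINE = {"host": timedelta(days=0), "user": timedelta(days=365)}


class FlatNamespace:
    """A flat namespace: one entry per name, no duplicates anywhere."""

    def __init__(self, kind):
        self.kind = kind
        self.active = {}   # name -> owner
        self.retired = {}  # name -> date the entry was deleted

    def add(self, name, owner, today):
        """Apply selection, collision and reuse policy; return 'ok' or a reason."""
        today = date.fromisoformat(today)
        functional = name in FUNCTIONAL_NAMES
        if not functional and not NAME_PATTERNS[self.kind].match(name):
            return "rejected: does not follow the formulaic scheme"
        if name in self.active:
            return "rejected: collision with an existing entry"
        released = self.retired.get(name)
        if released is not None and not functional:
            if today - released < REUSE_QUARANTINE[self.kind]:
                return "rejected: name is still in reuse quarantine"
        self.retired.pop(name, None)
        self.active[name] = owner
        return "ok"

    def remove(self, name, today):
        """Longevity policy: retire the entry and record when it was deleted."""
        if name not in self.active:
            return False
        del self.active[name]
        self.retired[name] = date.fromisoformat(today)
        return True
```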

Naming Policies

Protection policy
- What kind of protection does the namespace require?
  - password list
  - UIDs
  - login IDs, e-mail addresses
- Who can add/delete/change an entry?
- Need backups or change management to roll back a change

Naming Policies

Comments on naming
- Some schemes are easier to use than others: easier to remember/figure out, to type, etc.
- Some names imply interesting targets: secureserver, sourcecodedb, accounting, etc.; avoid exceptions to formulaic names
- Sometimes helpful when the desktop name matches the user's name (assuming the user wants to be easily identified)

Name Lifetime

When are names removed?
- Immediately after the PC or user leaves the organization.
- A set time after the resource is no longer in use.

When are names re-used?
- Immediately: functional names.
- Never, in some cases.
- After a set time: usernames, email addresses.

Namespace Scope

Geographical scopes
- Local machine.
- Local network.
- Organization.
- Global (e.g., DNS).

Service scopes
- Single username for UNIX, NT, RADIUS, e-mail, VPN?

Transferring scopes
- Difficult without advance planning.
- Some names may have to change.

Namespace Management

Namespace change procedures
- Need procedures for additions, changes, and deletions
- Likely restricted to a subgroup of admins
- Documentation can provide for enforcement, training and step-by-step instruction

Namespace management
- Should be centralized
  - Maintain, back up, and distribute from one source
  - Difficult to enforce uniqueness when distributed
  - Centralization provides consistency

User Account Types

OS files
- UNIX: /etc/{passwd,shadow}
- Windows: SAM (Security Accounts Manager)

Network services
- NIS (Network Information Service)
- LDAP (Lightweight Directory Access Protocol)
- Kerberos
- Active Directory
- RADIUS

Windows SAM - The Security Accounts Manager (SAM) is a database stored as a registry file in Windows NT, Windows 2000, and later versions of Windows. It stores users' passwords in a hashed format (as LM hash and NTLM hash). Since a hash function is one-way, this provides some measure of security for the storage of the passwords.

Network Information Service (NIS) - The Network Information Service (NIS) [9] is an administrative database that provides central control and automatic dissemination of important administrative files. NIS converts several standard UNIX files into databases that can be queried over the network.

The Lightweight Directory Access Protocol (LDAP) - is an application protocol for querying and modifying directory services running over TCP/IP. [1]

Kerberos - is a computer network authentication protocol which allows nodes communicating over a non-secure network to prove their identity to one another in a secure manner. It is also a suite of free software published by the Massachusetts Institute of Technology (MIT) that implements this protocol. Its designers aimed primarily at a client-server model, and it provides mutual authentication: both the user and the server verify each other's identity. Kerberos protocol messages are protected against eavesdropping and replay attacks.

RADIUS - RADIUS is a server for remote user authentication and accounting. Its primary use is for Internet Service Providers, though it may as well be used on any network that needs a centralized authentication and/or accounting service for its workstations. The package includes an authentication and accounting server and some administrator tools.

Active Directory - An Active Directory is a directory structure used on Microsoft Windows based computers and servers to store information and data about networks and domains. It is primarily used for online information and was originally created in 1996 and first used with Windows 2000.

What is a Directory?

- Directory: a collection of information that is primarily searched and read, rarely modified.
- Directory Service: provides access to directory information.
- Directory Server: an application that provides a directory service.

Directories vs. Databases

- Directories are optimized for reading. Databases are balanced for read and write.
- Directories are tree-structured. Databases typically have a relational structure.
- Directories are usually replicated. Databases can be replicated too.
- Both are extensible data storage systems.
- Both have advanced search capabilities.

System Administration Directories

Types of directory data
- Accounts
- Mail aliases and lists (address book)
- Cryptographic keys
- IP addresses
- Hostnames
- Printers

Common directory services
- DNS, LDAP, NIS

Advantages of Directories

- Make administration easier.
  - Change data only once: people, accounts, hosts.
- Unify access to network resources.
  - Single sign-on.
  - Single place for users to search (address book).
- Improve data management.
  - Improve consistency (one location vs. many).
  - Secure data through only one server.

Documentation


Topics

1. Why document
2. How to document
3. External documentation

Why Document

- Teaches SAs how to do critical procedures
  - So you can go on vacation.
  - So you can get promoted.
- Self-help desk
  - Lets users solve their problems quickly.
  - Requires less time from SAs.

Forms of Documentation

- Text files and web pages: generic free-form text, READMEs, etc.
- Man pages: UNIX manual pages for commands, configs, etc.
- FAQs: frequently asked question lists.
- Reference lists: vendors with contact info, serial numbers, employee directory.
- Checklists and HOWTOs: step-by-step description of a procedure. Ex: new hire, installs, OS hardening.

Documentation Template

- Title: simple, short description.
- Metadata:
  - Author with contact information
  - Revision date, history
- What: description of what the document tells you to do.
- How: step-by-step description of the procedure. Indicate why you're doing the steps where appropriate.

Sources for Documentation

- Command history
  - Use the script command before starting.
  - Use the history command after finishing.
- Screen shots
  - Print Screen or the import command to grab windows.
- Email
  - Email conversations may describe commands.
  - Don't use as documentation; just as a source.
- Request tickets
  - Problem solutions are often documented in notes.

Documentation Storage

- Shared directory
  - README to describe rules and policies.
  - Subdirectories for topics.
  - Text or HTML files in directories.
- Web site
  - Directory shared via web server.
- Content Management System
  - Web-based publishing and collaboration tool.
  - Provides access control, versioning, easy markup.

Wiki

- Collaborative web-editing software.
- Invented by Ward Cunningham in 1995.
- Wiki is a Hawaiian word for fast.
- Features
  - Edit pages within a web browser.
  - Simplified markup language.
  - Version control of pages.
  - Access control limits who can read and/or edit.

References

1. Mark Burgess, Principles of Network and System Administration, 2nd edition, Wiley, 2004.
2. Aeleen Frisch, Essential System Administration, 3rd edition, O'Reilly, 2002.
3. Thomas A. Limoncelli and Christine Hogan, The Practice of System and Network Administration, 2nd edition, Addison-Wesley, 2007.
4. Evi Nemeth et al., UNIX System Administration Handbook, 3rd edition, Prentice Hall, 2001.
