Name Services Discovery

Authors: Slava Leanovich <Viachaslau.Leanovich@Sun.COM>
Version: 0.1
Date: 2007-06-27
Status: DRAFT

Discovery procedure

The Name Service discovery procedure works in the following way:

  • Step 1: Send the DHCPINFORM request for the options:
    DNSdmain (15), DNSserv (6), NISdmain (40), NISservs (41), NIS+dom (64), NIS+serv (65).
    Refer to dhcp_inittab(4) and /etc/dhcp/inittab.
    If the machine already has DHCP-configured interfaces, step 1 simply obtains these options from dhcpagent(1M).
  • Step 2: Make necessary backend configurations based on:
    • predefined configuration template for the particular backend type;
    • values of the DHCP options retrieved.
  • Step 3: If DNSdmain and DNSserv are specified:
    Query the "_ldap._tcp._ns.<domain name>" records of type SRV and TXT from the DNS and generate the backend configuration. These SRV/TXT resource records tell where the LDAP server is and how to access it.
    Here "<domain name>" is the value of the DNSdmain option, and the target DNS server address is the value of the DNSserv option.
  • Step 4: Based on the discovered configurations for the available backends, make the corresponding Name Service profile.
    Each name service database (e.g. "passwd", "hosts", etc.) has two entities associated with it:
    • A default list of backends supporting this database.
      This list is ordered according to backend preference. For example, for the "hosts" database the preference is DNS, LDAP, NIS+, NIS.
    • A default policy, which is one of the following:
      • P_FILES_ONLY -- only local files can be used;
      • P_FILES_NS -- try local files, then the Name Service;
      • P_NS_FALLBACK -- try the Name Service, and use local files only if it is unavailable;
      • P_NS_ONLY -- use a Name Service only.
    So, going through the database list, step 4 finds the most preferred backend among those discovered and generates a property based on the policy.
    For example, consider the "hosts" database, whose preferences are DNS, LDAP, NIS+, NIS and whose policy is P_NS_FALLBACK. If the DNS and NIS backends are discovered, the following property is generated:

    hosts = dns [NOTFOUND=return] files

    Refer to nsswitch.conf(4).

  • Step 5: Put all configuration profiles created to the repository. In particular, the configuration profiles are:
    • Configurations of the backends discovered at the steps 2 and 3;
    • Switch configuration generated at the step 4.
      The default name for all configuration profiles is auto; however, it can be changed with the -n option of the discover subcommand of nscfg(1M).
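The switch-generation logic of step 4, as an added example that is not part of the original document or of nscfg itself. The P_* policies and the "hosts" preference list are the page's; the preference lists and policies for "passwd" and "group" are assumed, chosen so that the result agrees with the nscfg output shown later in this document.

```python
# Added example (not part of the original document): the switch-generation
# logic of step 4. Policies are the page's P_* values; the "hosts" preference
# list is from the page, the other lists are assumed so the result matches
# the nscfg output shown later (passwd = "files ldap").
P_FILES_ONLY, P_FILES_NS, P_NS_FALLBACK, P_NS_ONLY = range(4)

# Per-database defaults: (ordered backend preferences, policy). Backend names
# are the nsswitch.conf(4) source names ("nisplus" is NIS+).
DATABASES = {
    "hosts":  (["dns", "ldap", "nisplus", "nis"], P_NS_FALLBACK),
    "passwd": (["ldap", "nisplus", "nis"], P_FILES_NS),   # assumed
    "group":  (["ldap", "nisplus", "nis"], P_FILES_NS),   # assumed
}


def pick_backend(preferences, discovered):
    """Return the most preferred backend that discovery actually found, or None."""
    for backend in preferences:
        if backend in discovered:
            return backend
    return None


def switch_value(database, discovered):
    """Generate the property value for one database from the discovered backends."""
    preferences, policy = DATABASES[database]
    backend = pick_backend(preferences, discovered)
    if backend is None or policy == P_FILES_ONLY:
        # Nothing usable was discovered (or files-only policy): local files only.
        # Falling back to files when no backend exists is this example's choice.
        return "files"
    if policy == P_FILES_NS:
        return f"files {backend}"
    if policy == P_NS_FALLBACK:
        # Stop after the name service unless it is unavailable, then try files.
        return f"{backend} [NOTFOUND=return] files"
    return backend                      # P_NS_ONLY


def generate_switch(discovered):
    """Build the whole switch profile (step 4) for a set of discovered backends."""
    return {db: switch_value(db, discovered) for db in DATABASES}


if __name__ == "__main__":
    for db, value in generate_switch({"dns", "nis"}).items():
        print(f'{db} = "{value}"')
```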

Configuring DHCP server

Assume that DHCP server (known as in.dhcpd(1M), which is basically the smf(5) service named network/dhcp-server) is unconfigured and therefore disabled.


# dhcpconfig -Sq
dhcpconfig: Error - failed to read DHCP server parameters.

# svcs dhcp-server
STATE     STIME    FMRI
disabled  12:42:43 svc:/network/dhcp-server:default

So, first the DHCP server must be initialized. The simplest way of doing that is to create the DHCP configuration database as a number of plain text files somewhere under /var/dhcp:


# dhcpconfig -D -r SUNWfiles -p /var/dhcp
Created DHCP configuration file.
Created dhcptab.
Added "Locale" macro to dhcptab.
Added server macro to dhcptab.
DHCP server started.

If you do not want "dhcpconfig -D" to start the DHCP service automatically after initialization, run "dhcpconfig -Sd" or "svcadm -v disable dhcp-server" to stop it.

NOTE: "dhcpconfig -U" unconfigures everything.

Now you can configure the network that is to be served by this DHCP server. As an example, if your network is 10.18.138.0/26, you can create the network table in the following way:


# pntadm -C 10.18.138.0

NOTE: before adding the network definition, make sure you have the correct netmask specified in the netmasks(4) database:


# getent netmasks 10.18.138.0
10.18.138.0   255.255.255.192

The next step is to create the macro containing your DNS, NIS, NIS+ settings. The name of this macro can be equal to the network name, so all DHCPDISCOVER or DHCPINFORM requests coming from this network will get the DHCPOFFER or DHCPACK with the settings in this macro.

Example: add the macro 10.18.138.0 with the network settings, DNS and NIS options:


# dhtadm -A -m 10.18.138.0 -d \
':Subnet=255.255.255.192'\
':Router=10.18.138.1'\
':NISdmain="lab.sun.com"'\
':NISservs=129.157.72.244'\
':DNSdmain="lab.sun.com"'\
':DNSserv=10.18.138.43 10.18.138.22:'

NOTE: DHCP option names are declared in the /etc/dhcp/inittab file; see dhcp_inittab(4) for details.

So, it's time to start or restart the DHCP server:


# svcadm -v enable dhcp-server
svc:/network/dhcp-server:default enabled.

To verify that the DHCP server responds with the right options, run snoop(1M) on the server machine and dhcpinfo(1) on the client machine.

Example: snoop(1M) running at the server machine:


# snoop -v dhcp
Using device eri0 (promiscuous mode)
...
DHCP: Message type = DHCPINFORM
DHCP: Maximum DHCP Message Size = 1472 bytes
DHCP: Client Class Identifier = "SUNW.i86pc"
...
DHCP: Message type = DHCPACK
DHCP: DHCP Server Identifier = 10.18.138.22
DHCP: DNS Servers at = 10.18.138.43
DHCP: DNS Servers at = 10.18.138.22
DHCP: DNS Domain Name = lab.sun.com
DHCP: NIS Servers at = 129.157.72.244
DHCP: NIS Domainname = lab.sun.com
DHCP: Subnet Mask = 255.255.255.192
DHCP: Router at = 10.18.138.1
DHCP: Broadcast Address = 10.18.138.63
...

Example: dhcpinfo(1) running at the client machine, where bge0 is the statically configured network interface, so the DHCPINFORM needs to be sent explicitly using ifconfig(1M):


# ifconfig -a
    lo0: <UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL>
        inet 127.0.0.1 netmask ff000000
    bge0: <UP,BROADCAST,RUNNING,MULTICAST,IPv4,CoS>
        inet 10.18.138.12 netmask ffffffc0

# ifconfig bge0 dhcp status
ifconfig: bge0: interface is not under DHCP control

# ifconfig bge0 dhcp inform

# dhcpinfo -i bge0 DNSdmain
lab.sun.com

# ifconfig bge0 dhcp drop

The DHCP server appears to be up and running.

Configuring DNS server

The default config file for the named(1M) DNS server, also known as network/dns/server in smf(5), is the /etc/named.conf.

The minimal /etc/named.conf may look like the following:


# cat /etc/named.conf
options {
    directory "/var/named";
    recursion no;
};
zone "lab.sun.com" {
    type master;
    file "lab.sun.com";
};

where:

  • options -- server options:
    • directory -- working directory for the server;
    • "recursion no" just prevents our DNS server from forwarding DNS requests to other servers;
  • zone -- a zone definition for our lab.sun.com domain:
    • "type master" tells that we're the master for the lab.sun.com data;
    • "file lab.sun.com" means that the actual data is stored in the /var/named/lab.sun.com file.

Here is an example of the zone file:


# cat /var/named/lab.sun.com
$TTL 86400
lab.sun.com.            IN SOA  ascaris root.ascaris (
                            20070530   ; serial
                            21600      ; refresh after 6 hours
                            3600       ; retry after 1 hour
                            604800     ; expire after 1 week
                            86400      ; minimum TTL of 1 day
                            )
                        IN NS   ascaris

ascaris                 IN A    10.18.138.22
adorus                  IN A    10.18.138.43

_ldap._tcp._ns          IN SRV  0 0 389 adorus
                        IN SRV  1 0 389 ascaris
                        IN TXT  "NS_LDAP_SERVERS=10.18.138.43"
                        IN TXT  "NS_LDAP_SEARCH_BASEDN=dc=lab"
                        IN TXT  "NS_LDAP_CREDENTIAL_LEVEL=anonymous"

where:

  • $TTL -- default Time To Live (sec.) for resource records;
  • IN -- means the Internet class of the resource records;
  • SOA -- Start of Authority resource record:
    • lab.sun.com -- domain name / origin of the zone;
    • ascaris -- the primary DNS server for the zone;
    • root.ascaris -- the e-mail address of the zone's administrator, a period "." is used instead of "@";
    • 20070530 -- the serial number;
    • 21600 -- refresh interval (sec.) -- this is how often the secondary name servers check with the primary name server to see if any changes have been made;
    • 3600 -- retry interval (sec.) -- this is the time a secondary server waits before retrying a failed zone transfer;
    • 604800 -- expire interval (sec.) -- the time before a secondary server stops responding to queries after a lapsed refresh interval where the zone was not refreshed or updated;
    • 86400 -- minimum Time To Live interval (sec.) of all resource records from this zone;
  • NS -- authoritative Name Server, several NS records can be specified;
  • A -- a host Address (IPv4);
  • SRV -- a Service record (RFC 2782):
+~---------- the priority of this target host
| +~-------- relative weight for entries with
| |         the same priority
| | +~------ service port
| | |   +~-- service host
V V V   V
0 0 389 adorus
  • TXT -- Text record, usually consists of one or several "name=value" pairs;
  • _ldap._tcp._ns is the name used for the RFC 2307 LDAP Name Service definition.
    For the list of LDAP properties, refer to the "LDAP settings" section below. Note that currently the ldap client uses "NS_LDAP_*" property names.

Now try to start / restart the DNS server:


# svcadm -v enable dns/server
svc:/network/dns/server:default enabled.

A verification lookup may look like the following:


# nslookup -type=any _ldap._tcp._ns.lab.sun.com 10.18.138.22
Server:         10.18.138.22
Address:        10.18.138.22#53

_ldap._tcp._ns.lab.sun.com service = 0 0 389 adorus.lab.sun.com.
_ldap._tcp._ns.lab.sun.com text = NS_LDAP_SERVERS=10.18.138.43
_ldap._tcp._ns.lab.sun.com text = NS_LDAP_CREDENTIAL_LEVEL=anonymous
_ldap._tcp._ns.lab.sun.com text = NS_LDAP_SEARCH_BASEDN=dc=lab

So, we have the reference to the LDAP Name Service in DNS.

LDAP attributes

Here is a summary table of the properties recognized by the Native LDAP client:

Name in DUA profile           Name in Native LDAP            Default value
---------------------------   ----------------------------   -------------
--                            NS_LDAP_FILE_VERSION           2.0
attributeMap                  NS_LDAP_ATTRIBUTEMAP
authenticationMethod          NS_LDAP_AUTH
bindTimeLimit                 NS_LDAP_BIND_TIME              10
certificatePath               NS_LDAP_HOST_CERTPATH
credentialLevel               NS_LDAP_CREDENTIAL_LEVEL
defaultSearchBase             NS_LDAP_SEARCH_BASEDN
defaultSearchScope            NS_LDAP_SEARCH_SCOPE           one
defaultServerList             NS_LDAP_SERVERS
followReferrals               NS_LDAP_SEARCH_REF             false
objectclassMap                NS_LDAP_OBJECTCLASSMAP
preferredServerList           NS_LDAP_SERVER_PREF
profileName                   NS_LDAP_PROFILE                default
profileTTL                    NS_LDAP_CACHETTL               43200
proxyDN                       NS_LDAP_BINDDN
proxyPassword                 NS_LDAP_BINDPASSWD
searchTimeLimit               NS_LDAP_SEARCH_TIME            30
serviceAuthenticationMethod   NS_LDAP_SERVICE_AUTH_METHOD
serviceCredentialLevel        NS_LDAP_SERVICE_CRED_LEVEL
serviceSearchDescriptor       NS_LDAP_SERVICE_SEARCH_DESC

where:

  • Name in DUA profile -- an attribute name used by ldapclient(1M) and defined in RFC 4876 (http://www.ietf.org/rfc/rfc4876.txt);
  • Name in Native LDAP -- a property name used by the Native LDAP client internally. In particular, the ldap cache manager, ldap_cachemgr(1M), uses these names in its configuration files, /var/ldap/ldap_client_file and /var/ldap/ldap_client_cred.

NOTE: the NS_LDAP_FILE_VERSION property is not a part of the DUA profile; it is just used internally by the Native LDAP client.
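How the SRV/TXT records published under _ldap._tcp._ns.<domain> (step 3 of the discovery procedure and the zone file above) become an LDAP back-end configuration, as an added example that is not part of the original document or of nscfg. The parsing is this example's own: it keeps only the "Name in Native LDAP" property names from the table above, reports any other name rather than storing it, fills in the table's default values, and orders the servers by SRV priority; the record set is constructed from the zone file in the text.

```python
# Added example (not part of the original document): turn the SRV/TXT records
# under _ldap._tcp._ns.<domain> into an LDAP back-end configuration, accepting
# only the NS_LDAP_* names from the table and filling in the table's defaults.

# The "Name in Native LDAP" column: the only property names the client knows.
KNOWN = {
    "NS_LDAP_FILE_VERSION", "NS_LDAP_ATTRIBUTEMAP", "NS_LDAP_AUTH",
    "NS_LDAP_BIND_TIME", "NS_LDAP_HOST_CERTPATH", "NS_LDAP_CREDENTIAL_LEVEL",
    "NS_LDAP_SEARCH_BASEDN", "NS_LDAP_SEARCH_SCOPE", "NS_LDAP_SERVERS",
    "NS_LDAP_SEARCH_REF", "NS_LDAP_OBJECTCLASSMAP", "NS_LDAP_SERVER_PREF",
    "NS_LDAP_PROFILE", "NS_LDAP_CACHETTL", "NS_LDAP_BINDDN", "NS_LDAP_BINDPASSWD",
    "NS_LDAP_SEARCH_TIME", "NS_LDAP_SERVICE_AUTH_METHOD",
    "NS_LDAP_SERVICE_CRED_LEVEL", "NS_LDAP_SERVICE_SEARCH_DESC",
}
# Properties that have a default value in the table.
DEFAULTS = {
    "NS_LDAP_FILE_VERSION": "2.0", "NS_LDAP_BIND_TIME": "10",
    "NS_LDAP_SEARCH_SCOPE": "one", "NS_LDAP_SEARCH_REF": "false",
    "NS_LDAP_PROFILE": "default", "NS_LDAP_CACHETTL": "43200",
    "NS_LDAP_SEARCH_TIME": "30",
}
# Constructed answer for _ldap._tcp._ns.lab.sun.com as (type, rdata) pairs.
RECORDS = [
    ("SRV", "0 0 389 adorus.lab.sun.com."),
    ("SRV", "1 0 389 ascaris.lab.sun.com."),
    ("TXT", "NS_LDAP_SERVERS=10.18.138.43"),
    ("TXT", "NS_LDAP_SEARCH_BASEDN=dc=lab"),
    ("TXT", "NS_LDAP_CREDENTIAL_LEVEL=anonymous"),
]


def parse_srv(rdata):
    """Split SRV rdata into (priority, weight, port, target) in RFC 2782 order."""
    priority, weight, port, target = rdata.split()
    return int(priority), int(weight), int(port), target.rstrip(".")


def ldap_backend_config(records):
    """Return (properties, servers, rejected) for the discovered record set."""
    props = dict(DEFAULTS)
    rejected = []
    for rtype, rdata in records:
        if rtype != "TXT" or "=" not in rdata:
            continue
        name, value = rdata.split("=", 1)   # value may itself contain "=" (dc=lab)
        if name not in KNOWN:
            rejected.append(name)           # unknown property: report, never store
            continue
        props[name] = value
    # Lowest SRV priority first; weight (ties among equal priorities) is ignored here.
    servers = sorted((parse_srv(r) for t, r in records if t == "SRV"), key=lambda s: s[0])
    return props, [f"{s[3]}:{s[2]}" for s in servers], rejected
```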

Performing a discovery

Here is an example of the discover subcommand usage in the nscfg(1M):


# nscfg

nscfg> help discover

    Usage: discover [ -n bec_name ] [ -w timeout_sec ]

    Query DHCP and DNS to find Name Services back-end(s) available
    on the network and store their configuration(s) under 'bec_name'

nscfg> discover

The name for the back-end configuration(s) is defaulting to 'auto'
Discover timeout is defaulting to 5 sec.
3 back-end(s) discovered

ldap auto
    NS_LDAP_SERVERS          = "10.18.138.43"
    NS_LDAP_CREDENTIAL_LEVEL = "anonymous"
    NS_LDAP_SEARCH_BASEDN    = "dc=lab"

dns auto
    domain     = "lab.sun.com"
    nameserver = "10.18.138.43 10.18.138.22"

nis auto
    domainname = "lab.sun.com"
    serverlist = "129.157.72.244"

nsswitch auto
    passwd = "files ldap"
    hosts  = "dns [NOTFOUND=return] files"
    ...
    PROF_profile_be_ldap = "auto"
    PROF_profile_be_dns  = "auto"

So, now there is the "auto" Name Service profile defined in the system:


# nsadm list
    Profile 'auto' (LDAP:'auto', DNS:'auto')

Created by admin on 2009/10/26 12:13
Last modified by admin on 2009/10/26 12:13
