Name Spaces Documentation New


  • 8/3/2019 Name Spaces Documentation New

    Slide 1: System and Network Administration

    Namespaces and Documentation

  • Slide 2: Topics

    1. Namespaces
    2. Policies: selection, lifetime, scope, security
    3. User Accounts
    4. Directories

  • Slide 3: Namespaces

    Namespaces are the lists and directories in your environment:
      files in the file system (file system pathnames)
      account names in use (user account names)
      printers available
      names of hosts (hostnames)
      IP addresses; service-name/port-number lists
      home directory location maps

  • Slide 4: Namespaces

    Some namespaces are flat: there are no duplicates.
    Some namespaces are hierarchical: duplicates are allowed within different branches of a tree.
    Need policies to govern namespaces; ideally, written policies.
      Can become training for new SAs.
      Needed to enforce adherence to policy.

  • Slide 5: Flat Namespace

    Flat Name Architecture (Flat Name Space)

  • Slide 6: Hierarchical Namespace

    Hierarchical Name Architecture (Structured Name Space)

  • Slide 7: Naming Policies

    Naming policy
      What names are permitted/not permitted?
        Technology-specific syntax
        Organizational: not offensive
        Standards compliance
      How are names selected?
      How are collisions resolved?
      How do you merge namespaces?
        Technological and political concerns

  • Slide 8: Naming Policies

    Naming policy: how are names selected?
      Formulaic
        e.g., hostname pc-0418; user-id xyz204
      Thematic
        e.g., using planet names for servers; coffee for printers
      Functional
        e.g., specific-purpose accounts admin, secretary, guest; hostnames dns1, web3; disk partitions /finance, /devel
      Descriptive
        e.g., location, object type (pl122-ps)
      No method
        Everyone picks their own, first-come first-served
    Once you choose one scheme, it is difficult to change.
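The flat/hierarchical distinction of slide 4 and the naming policy of slides 7 and 8 can be turned into mechanical checks. The following is an added example, not code from the lecture or its references; the concrete policy it enforces is an assumption assembled from the slides' own examples (RFC 1123 label syntax as the technology-specific rule, the formulaic schemes pc-0418 and xyz204, the functional account names as reserved, and the "interesting target" words from the comments on naming).

```python
"""Naming-policy checks for flat and hierarchical namespaces.

Added example, not from the lecture slides. The concrete policy is an
assumption built from the slides' own examples: RFC 1123 syntax for host
labels (technology-specific syntax), the formulaic schemes pc-0418 and
xyz204, the functional account names admin/secretary/guest as reserved,
and the "interesting target" words from the comments on naming.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set

HOSTNAME_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")  # RFC 1123 label syntax
FORMULAIC_HOST = re.compile(r"^pc-\d{4}$")                    # e.g. pc-0418
FORMULAIC_USER = re.compile(r"^[a-z]{3}\d{3}$")               # e.g. xyz204
RESERVED: Set[str] = {"root", "admin", "secretary", "guest"}  # functional accounts
TARGET_WORDS = ("secure", "sourcecode", "accounting")          # names that advertise a target


def check_hostname(name: str) -> List[str]:
    """Policy violations for a proposed hostname; an empty list means accepted."""
    problems = []
    lowered = name.lower()
    if not HOSTNAME_LABEL.match(lowered):
        problems.append("not a valid RFC 1123 label")
    if not FORMULAIC_HOST.match(lowered):
        problems.append("does not follow the formulaic scheme pc-NNNN")
    if any(word in lowered for word in TARGET_WORDS):
        problems.append("name advertises an interesting target")
    return problems


def check_userid(name: str) -> List[str]:
    """Policy violations for a proposed user ID."""
    lowered = name.lower()
    if lowered in RESERVED:
        return ["collides with a reserved functional account"]
    if not FORMULAIC_USER.match(lowered):
        return ["does not follow the formulaic scheme aaaNNN"]
    return []


class FlatNamespace:
    """Flat name architecture: a single pool in which no duplicates exist.
    Names are compared case-insensitively, as hostnames and most login
    systems treat them."""

    def __init__(self) -> None:
        self._names: Set[str] = set()

    def add(self, name: str) -> bool:
        key = name.lower()
        if key in self._names:
            return False                 # collision: the policy decides who wins
        self._names.add(key)
        return True


class HierarchicalNamespace:
    """Hierarchical name architecture: the same leaf may exist under
    different branches (eng/web3 and sales/web3), but a full path is unique."""

    def __init__(self) -> None:
        self._children: Dict[str, Set[str]] = defaultdict(set)

    def add(self, path: str) -> bool:
        parent, _, leaf = path.lower().rpartition("/")
        if leaf in self._children[parent]:
            return False
        self._children[parent].add(leaf)
        return True


def demo() -> Dict[str, object]:
    """Constructed inputs showing an accepted and a rejected name of each kind."""
    flat, tree = FlatNamespace(), HierarchicalNamespace()
    return {
        "pc-0418": check_hostname("pc-0418"),
        "securesrv": check_hostname("securesrv"),
        "xyz204": check_userid("xyz204"),
        "admin": check_userid("admin"),
        "flat": [flat.add("web3"), flat.add("WEB3")],
        "tree": [tree.add("eng/web3"), tree.add("sales/web3"), tree.add("eng/web3")],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The checks return a list of violations rather than a single boolean so that the policy document can be cited line by line when a request is refused; the flat namespace lowercases before comparing because a collision that differs only in case is still a collision for DNS and for most login systems.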

  • Slide 9: Naming Policies

    Longevity policy
      When are entries removed?
        after an IP address has not been used for months
        contractor IDs: each year
        student accounts: a year after graduation
        employee accounts: the day they leave
      Functional names might be exceptions
        e.g., functional e-mail addresses

  • Slide 10: Naming Policies

    Scope policy
      Where is the namespace to be used? How widely (geographically) shall it be used?
        Global authentication is possible with RADIUS.
        NIS often provides a different space per cluster.
      How many services will use it? (thickness)
        An ID might serve for login, email, VPN, name on modem pools.
        Across different authentication services: Active Directory, NIS, RADIUS (even with different passwords).
      What happens when a user must span namespaces?
        Different IDs? Confusing, lead to collisions.
        A single flat namespace is appealing; not always needed.

  • Slide 11: Naming Policies

    Consistency policy
      Where the same name is used in multiple namespaces, which attributes are also retained?
      E.g., a UNIX name requires the same (real) person and the same UID, but not the same password for email and login.
    Reuse policy
      How soon after deletion can the name be reused?
      Sometimes want immediate reuse (new printer).
      Sometimes long periods (prevent confusion and old email from being sent to the new user).
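Slide 9 (longevity) and the reuse policy above are two halves of one lifecycle: an entry is retired after its retention period, and its name then sits in quarantine before it may be reallocated. The following added example, not code from the lecture or its references, applies both policies to a constructed namespace. The retention triggers follow the slides' examples; the exact day counts, the quarantine lengths, the record layout and the sample entries are assumptions.

```python
"""Longevity and reuse policies applied to namespace entries.

Added example, not from the lecture slides. The retention triggers follow
the slide's examples (an unused IP address after months, contractor IDs
yearly, student accounts a year after graduation, employee accounts the day
they leave); the exact day counts, the quarantine periods before a deleted
name may be reused, the record layout and the sample data are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Longevity policy: how long after its reference date an entry is kept.
# None marks a functional name that is never expired automatically.
RETENTION: Dict[str, Optional[timedelta]] = {
    "ip": timedelta(days=180),         # "not used for months" (assumed: 6 months)
    "contractor": timedelta(days=365), # reviewed each year
    "student": timedelta(days=365),    # a year after graduation
    "employee": timedelta(days=0),     # the day they leave
    "printer": None,                   # functional name: exception
}

# Reuse policy: quarantine after deletion before the name may be reallocated.
QUARANTINE: Dict[str, timedelta] = {
    "ip": timedelta(days=30),          # assumed: let stale DNS/ARP entries age out
    "contractor": timedelta(days=365), # assumed
    "student": timedelta(days=365),    # assumed
    "employee": timedelta(days=365),   # assumed: old mail must not reach the new holder
    "printer": timedelta(days=0),      # functional names may be reused immediately
}

AS_OF = date(2019, 8, 3)               # the "today" used by the sample run (constructed)


@dataclass
class Entry:
    name: str
    kind: str
    since: date                        # last use, graduation date or leaving date
    deleted_on: Optional[date] = None


def due_for_removal(entry: Entry, today: date) -> bool:
    """Longevity policy: is a live entry past its retention period?"""
    limit = RETENTION[entry.kind]
    if entry.deleted_on is not None or limit is None:
        return False
    return today >= entry.since + limit


def reusable(entry: Entry, today: date) -> bool:
    """Reuse policy: has a deleted entry cleared its quarantine?"""
    if entry.deleted_on is None:
        return False
    return today >= entry.deleted_on + QUARANTINE[entry.kind]


def expire(entries: List[Entry], today: date) -> List[str]:
    """Mark every entry that is due for removal as deleted; return their names."""
    removed = []
    for entry in entries:
        if due_for_removal(entry, today):
            entry.deleted_on = today
            removed.append(entry.name)
    return removed


def can_allocate(name: str, entries: List[Entry], today: date) -> bool:
    """A name is free only if no live entry holds it (compared case-insensitively)
    and every deleted holder of it has cleared quarantine."""
    for entry in entries:
        if entry.name.lower() == name.lower() and not reusable(entry, today):
            return False
    return True


def make_sample() -> List[Entry]:
    """Constructed sample namespace (not real data)."""
    return [
        Entry("10.0.0.42", "ip", date(2019, 1, 10)),
        Entry("abc123", "contractor", date(2018, 9, 1)),
        Entry("stu001", "student", date(2018, 6, 15)),
        Entry("xyz204", "employee", date(2019, 8, 3)),
        Entry("coffee", "printer", date(2015, 1, 1)),
        Entry("old099", "employee", date(2018, 1, 1), deleted_on=date(2018, 1, 1)),
        Entry("new777", "employee", date(2019, 7, 1), deleted_on=date(2019, 7, 1)),
    ]


def run_policy(today: date = AS_OF) -> Dict[str, object]:
    """Expire the sample as of `today`, then ask which of several names are free."""
    entries = make_sample()
    removed = expire(entries, today)
    free = {n: can_allocate(n, entries, today)
            for n in ("old099", "new777", "xyz204", "coffee", "fresh42")}
    return {"removed": removed, "free": free}


if __name__ == "__main__":
    print(run_policy())
```

Keeping deleted entries in the table (with a deletion date) rather than dropping them is what makes the reuse policy enforceable: the quarantine can only be checked if the system remembers who last held the name.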

  • Slide 12: Naming Policies

    Protection policy
      What kind of protection does the namespace require?
        password list, UIDs, login IDs, e-mail addresses
      Who can add/delete/change an entry?
      Need backups or change management to roll back a change.
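The three questions above (who may change an entry, how changes are recorded, and how a bad change is rolled back) are straightforward to build into the tool that edits the namespace. The following is an added example, not code from the lecture or its references; the editor group, the name-to-value shape of the namespace and the sample sequence of changes are assumptions.

```python
"""Protection policy for a namespace: a restricted editor group, an audit
trail and snapshot-based rollback.

Added example, not from the lecture slides. The editor group, the
(name -> value) shape of the namespace and the sample changes are assumptions.
"""
import copy
from typing import Dict, List, Tuple


class NotAuthorized(Exception):
    """Raised when an actor outside the editor group tries to change an entry."""


class ManagedNamespace:
    def __init__(self, editors) -> None:
        self.entries: Dict[str, str] = {}
        self.editors = set(editors)                   # subgroup of admins allowed to change entries
        self.audit: List[Tuple[str, str, str]] = []   # (actor, action, name), denials included
        self._snapshots: List[Dict[str, str]] = []    # one copy of the table per applied change

    def _authorize(self, actor: str, action: str, name: str) -> None:
        if actor not in self.editors:
            self.audit.append((actor, "denied " + action, name))
            raise NotAuthorized(f"{actor} may not {action} {name}")

    def set(self, actor: str, name: str, value: str) -> None:
        """Add or change an entry; the previous table is kept for rollback."""
        self._authorize(actor, "set", name)
        self._snapshots.append(copy.deepcopy(self.entries))
        action = "change" if name in self.entries else "add"
        self.entries[name] = value
        self.audit.append((actor, action, name))

    def delete(self, actor: str, name: str) -> None:
        """Delete an entry; the previous table is kept for rollback."""
        self._authorize(actor, "delete", name)
        if name not in self.entries:
            raise KeyError(name)
        self._snapshots.append(copy.deepcopy(self.entries))
        del self.entries[name]
        self.audit.append((actor, "delete", name))

    def rollback(self, actor: str) -> bool:
        """Undo the most recent change; returns False if there is nothing to undo."""
        self._authorize(actor, "rollback", "-")
        if not self._snapshots:
            return False
        self.entries = self._snapshots.pop()
        self.audit.append((actor, "rollback", "-"))
        return True


def demo() -> Dict[str, object]:
    """Constructed sequence: an authorized add, a denied change by someone
    outside the editor group, a mistaken change and its rollback."""
    ns = ManagedNamespace(editors={"alice"})
    ns.set("alice", "web3", "10.0.0.3")
    try:
        ns.set("carol", "web3", "10.0.0.9")     # carol is not in the editor group
        denied = False
    except NotAuthorized:
        denied = True
    ns.set("alice", "web3", "10.0.0.4")         # a mistaken change ...
    rolled_back = ns.rollback("alice")          # ... undone from the snapshot
    return {
        "denied": denied,
        "rolled_back": rolled_back,
        "web3": ns.entries["web3"],
        "audit": ns.audit,
    }


if __name__ == "__main__":
    print(demo())
```

Denied attempts are written to the same audit list as successful changes, so a review of the log shows not only what changed but who tried to change it without authority.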

  • Slide 13: Naming Policies

    Comments on naming
      Some schemes are easier to use than others
        easier to remember/figure out, to type, etc.
      Some names imply interesting targets
        secureserver, sourcecodedb, accounting, etc.
        avoid exceptions to formulaic names
      Sometimes helpful when the desktop name matches the user's name
        assuming the user wants to be easily identified

  • Slide 14: Name Lifetime

    When are names removed?
      Immediately after a PC or user leaves the organization.
      A set time after the resource is no longer in use.
    When are names re-used?
      Immediately: functional names.
      Never, in some cases.
      After a set time: usernames, email addresses.

  • Slide 15: Namespace Scope

    Geographical scopes
      Local machine.
      Local network.
      Organization.
      Global (e.g., DNS).
    Service scopes
      Single username for UNIX, NT, RADIUS, e-mail, VPN?
    Transferring scopes
      Difficult without advance planning.
      Some names may have to change.

  • Slide 16: Namespace Management

    Namespace change procedures
      Need procedures for additions, changes, and deletions.
      Likely restricted to a subgroup of admins.
      Documentation can provide for enforcement, training and step-by-step instruction.
    Namespace management
      Should be centralized: maintain, back up, and distribute from one source.
      Difficult to enforce uniqueness when distributed.
      Centralization provides consistency.

  • Slide 17: User Account Types

    OS files
      UNIX /etc/{passwd,shadow}
      Windows SAM (Security Accounts Manager)
    Network service
      NIS (Network Information Service)
      LDAP (Lightweight Directory Access Protocol)
      Kerberos
      Active Directory
      RADIUS

  • Slide 18: User Account Types (definitions)

    Windows SAM - The Security Accounts Manager (SAM) is a database stored as a registry file in Windows NT, Windows 2000, and later versions of Windows. It stores users' passwords in a hashed format (in LM hash and NTLM hash). Since a hash function is one-way, this provides some measure of security for the storage of the passwords.

    Network Information Service (NIS) - The Network Information Service (NIS) [9] is an administrative database that provides central control and automatic dissemination of important administrative files. NIS converts several standard UNIX files into databases that can be queried over the network.

    The Lightweight Directory Access Protocol (LDAP) - is an application protocol for querying and modifying directory services running over TCP/IP. [1]

    Kerberos - is a computer network authentication protocol which allows nodes communicating over a non-secure network to prove their identity to one another in a secure manner. It is also a suite of free software published by the Massachusetts Institute of Technology (MIT) that implements this protocol. Its designers aimed primarily at a client-server model, and it provides mutual authentication: both the user and the server verify each other's identity. Kerberos protocol messages are protected against eavesdropping and replay attacks.

    RADIUS - RADIUS is a server for remote user authentication and accounting. Its primary use is for Internet Service Providers, though it may as well be used on any network that needs a centralized authentication and/or accounting service for its workstations. The package includes an authentication and accounting server and some administrator tools.

    Active Directory - Active Directory is a directory structure used on Microsoft Windows based computers and servers to store information and data about networks and domains. It is primarily used for online information and was originally created in 1996 and first used with Windows 2000.
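Of the account stores listed, the UNIX /etc/passwd file is the one an administrator can inspect directly, and it is where the consistency policy of slide 11 (one real person, one UID) and the protection policy of slide 12 (password material kept out of the world-readable list) are most easily checked. The following added example, not code from the lecture or its references, parses a constructed passwd-style file and reports the inconsistencies a namespace audit would look for; the sample lines and the placeholder hash are constructed.

```python
"""Consistency checks on a UNIX /etc/passwd-style account file.

Added example, not from the lecture slides. The sample lines below are
constructed (the hash is a placeholder); the checks encode the slides'
points that login IDs and UIDs must be unique and that password material
belongs in /etc/shadow, not in the world-readable passwd file.
"""
from collections import defaultdict
from typing import List, NamedTuple


class PasswdEntry(NamedTuple):
    name: str
    passwd: str      # "x" = hash lives in /etc/shadow; "*" or "!" = account locked
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd(text: str) -> List[PasswdEntry]:
    """Parse passwd lines (seven colon-separated fields); skip blanks and comments."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, passwd, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(name, passwd, int(uid), int(gid), gecos, home, shell))
    return entries


def audit_passwd(entries: List[PasswdEntry]) -> List[str]:
    """Return human-readable findings; an empty list means the file is consistent."""
    findings = []
    seen_names = set()
    names_by_uid = defaultdict(list)
    for e in entries:
        if e.name in seen_names:                      # login IDs form a flat namespace
            findings.append(f"duplicate login name {e.name}")
        seen_names.add(e.name)
        names_by_uid[e.uid].append(e.name)
        if e.uid == 0 and e.name != "root":           # only root should be UID 0
            findings.append(f"{e.name} has UID 0")
        if e.passwd not in ("x", "*", "!"):           # hash must not sit in passwd
            findings.append(f"{e.name}: password hash stored in passwd instead of shadow")
    for uid, names in sorted(names_by_uid.items()):   # one real person per UID
        if len(names) > 1:
            findings.append(f"UID {uid} shared by {', '.join(names)}")
    return findings


SAMPLE_PASSWD = """\
# constructed sample, not a real system file
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
xyz204:x:1001:1001:Example User:/home/xyz204:/bin/bash
toor:x:0:0:second root account:/root:/bin/sh
abc123:$6$PLACEHOLDERHASH:1002:1002:Contractor:/home/abc123:/bin/bash
xyz204:x:1003:1003:Duplicate name:/home/xyz204b:/bin/bash
"""


def run_audit(text: str = SAMPLE_PASSWD) -> List[str]:
    """Parse and audit a passwd-style text; defaults to the constructed sample."""
    return audit_passwd(parse_passwd(text))


if __name__ == "__main__":
    for finding in run_audit():
        print(finding)
```

Run against a real file it would be `audit_passwd(parse_passwd(open("/etc/passwd").read()))`; the same duplicate-name and shared-UID checks apply unchanged to a NIS passwd map, which is one reason the slides recommend maintaining the namespace from a single central source.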

  • Slide 19: What is a Directory?

    Directory: A collection of information that is primarily searched and read, rarely modified.
    Directory Service: Provides access to directory information.
    Directory Server: Application that provides a directory service.

  • Slide 20: Directories vs. Databases

    Directories are optimized for reading. Databases are balanced for read and write.
    Directories are tree-structured. Databases typically have a relational structure.
    Directories are usually replicated. Databases can be replicated too.
    Both are extensible data storage systems.
    Both have advanced search capabilities.

  • Slide 21: System Administration Directories

    Types of directory data
      Accounts
      Mail aliases and lists (address book)
      Cryptographic keys
      IP addresses
      Hostnames
      Printers
    Common directory services
      DNS, LDAP, NIS

  • Slide 22: Advantages of Directories

    Make administration easier.
      Change data only once: people, accounts, hosts.
    Unify access to network resources.
      Single sign-on. Single place for users to search (address book).
    Improve data management.
      Improve consistency (one location vs. many).
      Secure data through only one server.

  • Slide 23: Documentation

  • Slide 24: Topics

    1. Why document
    2. How to document
    3. External documentation

  • Slide 25: Why Document

    Teaches SAs how to do critical procedures
      So you can go on vacation.
      So you can get promoted.
    Self-help desk
      Lets users solve their problems quickly.
      Requires less time from SAs.

  • Slide 26: Forms of Documentation

    Text files and web pages
      Generic free-form text, READMEs, etc.
    Man pages
      UNIX manual pages for commands, configs, etc.
    FAQs
      Frequently asked question lists.
    Reference lists
      Vendors with contact info, serial numbers, employee directory.
    Checklists and HOWTOs
      Step-by-step description of a procedure.
      Ex: new hire, installs, OS hardening.

  • Slide 27: Documentation Template

    Title: Simple, short description.
    Metadata: Author with contact information; revision date, history.
    What: Description of what the document tells you to do.
    How: Step-by-step description of the procedure. Indicate why you're doing steps where appropriate.

  • Slide 28: Sources for Documentation

    Command history
      Use the script command before starting.
      Use the history command after finishing.
    Screen shots
      Print Screen; the import command to grab windows.
    Email
      Email conversations may describe commands. Don't use them as documentation; just as a source.
    Request tickets
      Problem solutions are often documented in notes.

  • Slide 29: Documentation Storage

    Shared directory
      README to describe rules and policies.
      Subdirectories for topics.
      Text or HTML files in directories.
    Web site
      Directory shared via a web server.
    Content Management System
      Web-based publishing and collaboration tool.
      Provides access control, versioning, easy markup.

  • Slide 30: Wiki

    Collaborative web-editing software.
    Invented by Ward Cunningham in 1995.
    Wiki is a Hawaiian word for fast.
    Features
      Edit pages within a web browser.
      Simplified markup language.
      Version control of pages.
      Access control limits who can read and/or edit.

  • Slide 31: References

    1. Mark Burgess, Principles of Network and System Administration, 2nd edition, Wiley, 2004.
    2. Aeleen Frisch, Essential System Administration, 3rd edition, O'Reilly, 2002.
    3. Thomas A. Limoncelli and Christine Hogan, The Practice of System and Network Administration, 2nd edition, Addison-Wesley, 2007.
    4. Evi Nemeth et al., UNIX System Administration Handbook, 3rd edition, Prentice Hall, 2001.