Revision: $Revision: 1.7 $ ($Date: 2004/03/03 15:03:36 $)
This topic has a total weight of 6 points and contains the following 4 objectives:
- Objective 2.210.1; DHCP Configuration (2 points)
This objective includes being able to configure a DHCP server, set default options, create a subnet, create a dynamically allocated range, adding a static host, setting options for a single host, adding bootp hosts, configure a DHCP relay client and reload the DHCP server after making changes.
- Objective 2.210.2; NIS configuration (1 point)
This objective includes being able to configure a NIS server, create NIS maps for major configuration files, configuring a system as a NIS client, setting up a NIS slave server and configuring the ability to search local files, DNS, NIS etc. in
nsswitch.conf.
- Objective 2.210.3; LDAP configuration (1 point)
This objective includes being able to configure a LDAP server, configure a directory hierarchy, add groups, hosts, services and other data to the hierarchy, import items from LDIF files and add items with a management tool, as well as add users to the directory and change their passwords.
- Objective 2.210.4; PAM authentication (2 points)
This objective includes being able to configure PAM support authentication using /etc/passwd, shadow passwords, NIS and LDAP.
The candidate should be able to configure a DHCP server and set default options, create a subnet and create a dynamically-allocated range. This objective includes adding a static host, setting options for a single host and adding bootp hosts. Also included the configuration of a DHCP relay agent and reloading the DHCP server after making changes.
Key files, terms and utilities include:
dhcpd.conf |
dhcpd.leases |
DHCP stands for “Dynamic Host Configuration Protocol”. DHCP consists of two components: a protocol for delivering client-specific configuration parameters from a DHCP server to a DHCP client and a mechanism for the allocation of network addresses to clients.
Amongst the most commonly used configuration items are:
ip-address, host-name,
domain-name, subnet-mask,
broadcast-address, routers and
domain-name-servers.
The information is requested by a DHCP client and provided by a DHCP
server. By default, the server listens for requests on udp port 67 and
answers through udp port 68, but it can be told to listen to another
port instead with the -p option. The DHCP server will
then answer through an udp port with a number one higher than the port
it listens to.
The web-site Resources for DHCP contains a lot of (pointers to) information on the DHCP protocol, including RFC's.
The configuration of the DHCP server, dhcpd, is done
by means of its configuration file /etc/dhcpd.conf.
The elements that can be used in a configuration file are: (global) parameters, shared networks, subnets, groups and hosts.
Parameters can be seen as variables that get assigned a value and are passed from the server to the client. Some parameters start with the option keyword and some do not. Parameters that do not start with the option keyword are either parameters that control the behavior of the DHCP server or are parameters that are optional in the DHCP protocol.
The difference between “normal” parameters and “global” parameters
lies purely in the scope of the parameters.
If, for instance, the DNS is always the same, it is pointless to add
a domain-name-servers parameter-definition
statement to every network-definition statement. By assigning the
domain-name-servers parameter a value at the
beginning of the configuration file, the parameter becomes a global
parameter and its value becomes the default value for that parameter.
The value of a global parameter can be overridden by assigning the parameter another value in subsequent sections.
A shared-network declaration is used if there are multiple subnets on the same physical network. Parameters that are the same for all the subnets belonging to the shared-network can be defined once above the subnet-declarations within the shared-network declaration that encompasses those subnet-declarations.
A subnet-declaration is used to define a network segment. Parameters that only apply to the subnet in question are defined within the subnet-declaration.
A subnet-declaration must contain a range statement that defines the IP-addresses the DHCP-server can give to clients on that subnet.
Consider a firm which has four departments: Sales, Administration, Engineering and Management. All departments are located in the same building and each department has three floors to its disposal.
On each floor, there are up to 200 workstations and one laser printer (LPRT-xx). Furthermore each department has its own color laser-printer (CLPRT-xx) located on the middle floor. The printers can only be used by users of the department the printers belong to.
All users obtain an IP-address from the company's DHCP-server and must be able to reach the company's DNS-server and NTP-server. All users get their mail using the POP3 protocol, send their mail using the SMTP protocol and read their news using the NNTP protocol.
A graphical representation of the company's network is shown below:
Assuming that the IP range 21.31.x.x has been assigned to the company and that each department has its own network (determined by the highest four bits of the third octet), the subnets could be set up as follows:
Table 10.1. The first two octets are 21.31
| Dept. | Floor | IP range | Router | Description |
|---|---|---|---|---|
| 0001 | 0001 | 21.31.17.0 - 21.31.17.255 | Sales floor #1 | |
| 0001 | 0010 | 21.31.18.0 - 21.31.18.255 | 21.31.17.1 | Sales floor #2 |
| 0001 | 0011 | 21.31.19.0 - 21.31.19.255 | Sales floor #3 | |
| 0010 | 0100 | 21.31.36.0 - 21.31.36.255 | Administration #4 | |
| 0010 | 0101 | 21.31.37.0 - 21.31.37.255 | 21.31.36.1 | Administration #5 |
| 0010 | 0110 | 21.31.37.0 - 21.31.37.255 | Administration #6 | |
| 0011 | 0111 | 21.31.55.0 - 21.31.55.255 | Engineering floor #7 | |
| 0011 | 1000 | 21.31.56.0 - 21.31.56.255 | 21.31.55.1 | Engineering floor #8 |
| 0011 | 1001 | 21.31.57.0 - 21.31.57.255 | Engineering floor #9 | |
| 0100 | 1010 | 21.31.74.0 - 21.31.74.255 | Management floor #10 | |
| 0100 | 1011 | 21.31.75.0 - 21.31.75.255 | 21.31.74.1 | Management floor #11 |
| 0100 | 1100 | 21.31.76.0 - 21.31.76.255 | Management floor #12 |
The workstations on the company's network obtain their IP-address and the IP-addresses of the available network services from the company's DHCP-server via the department's DHCP-relay which also functions as a router.
Subnet-independent services are the services that are available to all workstations on the company's network regardless the subnet they are on. The table below shows those services and their fixed IP-addresses.
Table 10.2. Company-wide services
| Service | Description | IP-address | Host name |
|---|---|---|---|
| DHCP | The company's DHCP-server | 21.31.0.1 | dhcp.company.com |
| DNS | The company's DNS | 21.31.0.2 | dns.company.com |
| SMTP | The company's SMTP-server | 21.31.0.3 | smtp.company.com |
| POP3 | The company's POP3-server | 21.31.0.4 | pop3.company.com |
| NEWS | The company's NNTP-server | 21.31.0.5 | news.company.com |
| NTP | The company's NTP-server | 21.31.0.6 | ntp.company.com |
Subnet-dependent services are the services that are only available to the workstations on the same subnet as the service. The table below shows those services and their fixed IP-addresses.
Table 10.3. Subnet-dependent Services
| Department | Service | Description | IP-address | Name |
|---|---|---|---|---|
| Router | Sales Router floor #2 | 21.31.17.1 | rtr-02.company.com | |
| Printer | Laser Printer floor #1 | 21.31.17.2 | lprt-01.company.com | |
| Sales | Printer | Laser Printer floor #2 | 21.31.18.2 | lprt-02.company.com |
| Printer | Laser Printer floor #3 | 21.31.19.2 | lprt-03.company.com | |
| Printer | Color Laser Printer floor #2 | 21.31.18.3 | clprt-02.company.com | |
| Router | Administration Router floor #5 | 21.31.36.1 | rtr-05.company.com | |
| Printer | Laser Printer floor #4 | 21.31.36.2 | lprt-04.company.com | |
| Administration | Printer | Laser Printer floor #5 | 21.31.37.2 | lprt-05.company.com |
| Printer | Laser Printer floor #6 | 21.31.38.2 | lprt-06.company.com | |
| Printer | Color Laser Printer floor #5 | 21.31.37.3 | clprt-05.company.com | |
| Router | Engineering Router floor #8 | 21.31.55.1 | rtr-08.company.com | |
| Printer | Laser Printer floor #7 | 21.31.55.2 | lprt-07.company.com | |
| Engineering | Printer | Laser Printer floor #8 | 21.31.56.2 | lprt-08.company.com |
| Printer | Laser Printer floor #9 | 21.31.57.2 | lprt-09.company.com | |
| Printer | Color Laser Printer floor #8 | 21.31.56.3 | clprt-08.company.com | |
| Router | Management Router floor #11 | 21.31.74.1 | rtr-11.company.com | |
| Printer | Laser Printer floor #10 | 21.31.74.2 | lprt-10.company.com | |
| Management | Printer | Laser Printer floor #11 | 21.31.75.2 | lprt-11.company.com |
| Printer | Laser Printer floor #12 | 21.31.76.2 | lprt-12.company.com | |
| Printer | Color Laser Printer floor #11 | 21.31.75.3 | clprt-11.company.com |
The information needed to be able to build a configuration file has already been gathered in the previous sections when the network topology was devised.
In this section the actual configuration file
/etc/dhcpd.conf will be filled with the
necessary information.
Global parameters are put at the top of the configuration file:
# DNS
option domain-name-servers 21.31.0.2;
# SMTP
option smtp-server 21.31.0.3;
# POP3
option pop-server 21.31.0.4;
# NEWS
option nntp-server 21.31.0.5;
# NTP
option time-servers 21.31.0.6;
Another way to do this is by using domain names. A single domain name must resolve to a single IP-address. Using domain names, you would put the following entries in the configuration file:
# DNS
option domain-name-servers dns.company.com;
# SMTP
option smtp-server smtp.company.com;
# POP3
option pop-server pop3.company.com;
# NEWS
option nntp-server news.company.com;
# NTP
option time-servers ntp.company.com;
As has been discussed in the previous sections, there are four different networks, one for each department and there are twelve different IP-address ranges, one for each floor. Furthermore, each network has its own router and printers.
This translates into four shared-networks each having their own netmask and broadcast-address and encompassing three IP-address ranges.
The netmask is an IP-address used to determine the network a workstation, or some other network device that uses an IP-address, is on. A netmask has 1's in the bit-positions that are the same for all network devices in that network and 0's in the other positions. Since all the subnets on a department's shared-network are on the same physical network, the distinction is made on the shared-network level, not on the floor level. The floor level has been coded into the IP-address (low-nibble of the third octet) to prepare for the planned installment next year of one router per floor in stead of one router per department. The netmask is calculated as follows:
21.31.16.0 - : | 0001 0101 | 0001 1111 | 0001 0000 | 0000 0000 | SALES
21.31.31.255 : | 0001 0101 | 0001 1111 | 0001 1111 | 1111 1111 | NETWORK
21.31.32.0 - : | 0001 0101 | 0001 1111 | 0010 0000 | 0000 0000 | ADMINISTRATION
21.31.47.255 : | 0001 0101 | 0001 1111 | 0010 1111 | 1111 1111 | NETWORK
21.31.48.0 - : | 0001 0101 | 0001 1111 | 0011 0000 | 0000 0000 | ENGINEERING
21.31.63.255 : | 0001 0101 | 0001 1111 | 0011 1111 | 1111 1111 | NETWORK
21.31.64.0 - : | 0001 0101 | 0001 1111 | 0100 0000 | 0000 0000 | MANAGEMENT
21.31.79.255 : | 0001 0101 | 0001 1111 | 0100 1111 | 1111 1111 | NETWORK
fixed-bits : | 1111 1111 | 1111 1111 | 1111 0000 | 0000 0000 | NETMASK
255 255 240 0
Using a netmask of 255.255.240.0, the network an IP-address is on can be determined. This is done by AND-ing the IP-address with the netmask. To determine on which of the four networks a workstation with IP-address 21.31.57.105 is, the following calculation is performed:
21.31.57.105 : | 0001 0101 | 0001 1111 | 0011 1001 | 0110 1001 | IP-ADDRESS
255.255.240.0: | 1111 1111 | 1111 1111 | 1111 0000 | 0000 0000 | AND NETMASK
21.31.48.0: | 0001 0101 | 0001 1111 | 0011 0000 | 0000 0000 | GIVES NETWORK
The IP-address 21.31.57.105 is on the 21.31.48.0 network, which is the Engineering-network.
The broadcast-address is used to send packets to every workstation on a network. A broadcast-address differs per network and can be determined by replacing all bits that can vary within a network with 1's.
Another way of determining the broadcast-address is to take the inverse of the netmask, in this case 0.0.15.255, and then OR the result with the network address:
21.31.16.0 - : | 0001 0101 | 0001 1111 | 0001 0000 | 0000 0000 | SALES
0.0.15.255 : | 0000 0000 | 0000 0000 | 0000 1111 | 1111 1111 | OR INV NETMASK
21.31.31.255 : | 0001 0101 | 0001 1111 | 0001 1111 | 1111 1111 | GIVES BCAST
21.31.32.0 - : | 0001 0101 | 0001 1111 | 0010 0000 | 0000 0000 | ADMINISTRATION
0.0.15.255 : | 0000 0000 | 0000 0000 | 0000 1111 | 1111 1111 | OR INV NETMASK
21.31.47.255 : | 0001 0101 | 0001 1111 | 0010 1111 | 1111 1111 | GIVES BCAST
21.31.48.0 - : | 0001 0101 | 0001 1111 | 0011 0000 | 0000 0000 | ENGINEERING
0.0.15.255 : | 0000 0000 | 0000 0000 | 0000 1111 | 1111 1111 | OR INV NETMASK
21.31.63.255 : | 0001 0101 | 0001 1111 | 0011 1111 | 1111 1111 | GIVES BCAST
21.31.64.0 - : | 0001 0101 | 0001 1111 | 0100 0000 | 0000 0000 | MANAGEMENT
0.0.15.255 : | 0000 0000 | 0000 0000 | 0000 1111 | 1111 1111 | OR INV NETMASK
21.31.79.255 : | 0001 0101 | 0001 1111 | 0100 1111 | 1111 1111 | GIVES BCAST
The broadcast-address for the network an IP-address is on can be determined by OR-ing the IP-address with the inverse-netmask. For a workstation with IP-address 21.31.57.105, the broadcast-address can be calculated as follows:
21.31.57.105 : | 0001 0101 | 0001 1111 | 0011 1001 | 0110 1001 | IP-ADDRESS
0.0.15.255 : | 0000 0000 | 0000 0000 | 0000 1111 | 1111 1111 | OR INV NETMASK
21.31.63.255 : | 0001 0101 | 0001 1111 | 0011 1111 | 1111 1111 | GIVES BCAST
The IP-address 21.31.57.105 belongs to a network that has broadcast-address 21.31.63.255, which is correct since the IP-address is on the Engineering-network.
To tell the DHCP-server what IP-addresses to give-out per subnet, a range stement must be added to the subnet. Is this example the IP-addresses 21.31.x.0 to 21.31.x.10 and 21.31.x.211 to 21.31.x.255 on every floor are reserved for printers and routers. This means that for every subnet the range statement is:
range 21.31.x.11 21.31.x.210
Where “x” depends on the department and the floor.
To implement this structure, the following lines are added to the configuration-file:
# The Sales network, floors 1-3
shared-network sales-net {
# Sales-net specific parameters
option routers 21.31.17.1;
option lpr-servers 21.31.17.2, 21.31.18.2, 21.31.19.2, 21.31.18.3;
option broadcast-address 21.31.31.255;
subnet 21.31.17.0 netmask 255.255.240.0 {
# Floor #1 specific parameters
range 21.31.17.11 21.31.17.210;
}
subnet 21.31.18.0 netmask 255.255.240.0 {
# Floor #2 specific parameters
range 21.31.18.11 21.31.18.210;
}
subnet 21.31.19.0 netmask 255.255.240.0 {
# Floor #3 specific parameters
range 21.31.19.11 21.31.19.210;
}
}
# The Administration network, floors 4-6
shared-network administration-net {
# Administration-net specific parameters
option routers 21.31.36.1;
option lpr-servers 21.31.36.2, 21.31.37.2, 21.31.38.2, 21.31.37.3;
option broadcast-address 21.31.47.255;
subnet 21.31.36.0 netmask 255.255.240.0 {
# Floor #4 specific parameters
range 21.31.36.11 21.31.36.210;
}
subnet 21.31.18.0 netmask 255.255.240.0 {
# Floor #5 specific parameters
range 21.31.37.11 21.31.37.210;
}
subnet 21.31.19.0 netmask 255.255.240.0 {
# Floor #6 specific parameters
range 21.31.38.11 21.31.38.210;
}
}
# The Engineering network, floors 7-9
shared-network engineering-net {
# Engineering-net specific parameters
option routers 21.31.55.1;
option lpr-servers 21.31.55.2, 21.31.56.2, 21.31.57.2, 21.31.56.3;
option broadcast-address 21.31.63.255;
subnet 21.31.55.0 netmask 255.255.240.0 {
# Floor #7 specific parameters
range 21.31.55.11 21.31.55.210;
}
subnet 21.31.18.0 netmask 255.255.240.0 {
# Floor #8 specific parameters
range 21.31.56.11 21.31.56.210;
}
subnet 21.31.19.0 netmask 255.255.240.0 {
# Floor #9 specific parameters
range 21.31.57.11 21.31.57.210;
}
}
# The Management network, floors 10-12
shared-network management-net {
# Management-net specific parameters
option routers 21.31.74.1;
option lpr-servers 21.31.74.2, 21.31.75.2, 21.31.76.2, 21.31.75.3;
option broadcast-address 21.31.79.255;
subnet 21.31.74.0 netmask 255.255.240.0 {
# Floor #10 specific parameters
range 21.31.74.11 21.31.74.210;
}
subnet 21.31.18.0 netmask 255.255.240.0 {
# Floor #11 specific parameters
range 21.31.75.11 21.31.75.210;
}
subnet 21.31.19.0 netmask 255.255.240.0 {
# Floor #12 specific parameters
range 21.31.76.11 21.31.76.210;
}
}
A static host is a host that always gets the same IP-address from the DHCP-server in opposite to dynamic hosts which get their IP-address from a range of IP-addresses.
Obviously, the DHCP-server must be able recognize the host to be able
to conclude that the host has been defined as a static one in the
DHCP-server's configuration file. This can be done by using the
dhcp-client-identifier option or by using the
hardware ethernet option.
The dhcp-client-identifier is send to the server by
the client (host) and must uniquely identify that client. This is
not safe because there is no way to be sure that there isn't a second
client that uses the same identifier.
The hardware ethernet option causes the match to be
done on the client's NIC-address which is world-wide unique.
If the client does not send a dhcp-client-identifier,
then the NIC-address is used to identify the client.
There are two designers, working for the Engineering department, that come to the office sometimes to get a hardcopy of their designs in colour. These designers are called “luke” and “leah” and they bring their laptops and connect them to the Engineering-network. The host names of their machines will be “luke” and “leah”.
To make this so, the administrator has added the following lines to the DHCP-server's configuration file:
group {
# options that apply to all the static hosts
option routers 21.31.55.1;
option lpr-servers 21.31.56.3;
option broadcast-address 21.31.63.255;
netmask 255.255.240.0;
host luke {
# specific for luke
hardware ethernet AA:88:54:72:7F:92;
fixed-address 21.31.55.211;
option host-name "luke";
}
host leah {
# specific for leah
hardware ethernet CC:88:54:72:84:4F;
fixed-address 21.31.55.212;
option host-name "leah";
}
}
This is a special static host. If luke and leah's laptops were BOOTP-clients, the administrator could have added the following lines to the DHCP-server's configuration file:
group {
# options that apply to all the static hosts
option routers 21.31.55.1;
option lpr-servers 21.31.56.3;
option broadcast-address 21.31.63.255;
netmask 255.255.240.0;
host luke {
# specific for luke
filename "lukes-boot-file";
server-name "server name to send to luke";
next-server <address of server to load boot-file from>;
hardware ethernet AA:88:54:72:7F:92;
fixed-address 21.31.55.211;
option host-name "luke";
}
host leah {
# specific for leah
filename "leahs-boot-file";
server-name "server name to send to leah";
next-server <address of server to load boot-file from>;
hardware ethernet CC:88:54:72:84:4F;
fixed-address 21.31.55.212;
option host-name "leah";
}
}
The filename option states the name of the file
to get from the server defined in the next-server
option. If the next-server is omitted, the server
to get the file from is the DHCP-server.
The server-name can be used to send the name of
the server the client is booting from to the client.
For information on the valid options, consult the dhcp-options man page (man dhcp-options) and the dhcpd.conf man page (man dhcpd.conf).
A lease is the amount of time a client may use the IP-address it got from the DHCP-server. The client must refresh the lease periodically because the IP-address can be given to another client if the lease is expired. Normally, a client will be given the same IP-address if the lease is refreshed before it expired.
The option max-lease-time is used to specify the
maximum amount of time in seconds that will be assigned to a lease
if the client asks for a specific expiration time.
The option default-lease-time is used to specify the
amount of time in seconds that will be assigned to a lease if a
client does not ask for a specific expiration time.
The DHCP-server keeps a database of the leases it has issued in the
file /var/dhcp/dhcpd.leases. If this file is
empty, this is probably caused by the fact that you have only
defined static hosts in the DHCP-server's configuration file and
you haven't used any range statements.
Unless you specify otherwise, dhcpd will listen on all interfaces for a dhcp request. If you only want to serve requests on eth0 for instance, you can tell this to the daemon by including the parameter on the command line that starts the daemon.
In our earlier example there is one DHCP-server for the whole network and there are routers between the clients and that server.
If a client would be able to connect to the DHCP-server through a router, the DHCP-server would not see the NIC-address of the client but the NIC-address of the router. This would mean that a static host for instance, could not be recognized by its hardware address.
A DHCP-relay agent, such as dhcrelay provides a means for relaying DHCP and BOOTP requests from one of the subnets to the company's DHCP-server.
If you need more information, consult The Internet Consortium DHCP Homepage.
If not specified otherwise on the command line, the DHCP-relay agent listens for DHCP requests on all interfaces and forwards them to the DHCP-servers specified on the command line. A reply is only sent to the network the request came from.
Please consult the man page (man dhcrelay) for further details.