Novell CLIENT FOR LINUX 2.0 SP1 - ADMINISTRATION Administration Manual Download Page 41 | Manualshive

Page: 41 / 89

background image

Security Considerations

41

n

ov

do

cx (e

n)

11
Ju

ly 20

08

5.3.1 Identification and Authentication

This product uses XTier to authenticate users via user identity information stored in eDirectory and
resource authorization and access control provided by eDirectory. The product takes a user name
and password supplied directly by the user and transfers that information to XTier for use within its
supported authentication mechanisms (via XTier’s plug-in authentication module architecture). If
configured to do so, this product authenticates (using PAM NAM (Linux User Management)) to
eDirectory through SSL and LDAP Simple Bind Protocol.

This product does not itself authenticate to another product, system or service. No portion of this
product authenticates to another.

5.3.2 Authorization and Access Control

This product allows the protections supplied by eDirectory for access control to be fully realized for
those resources that are contained within eDirectory. Access to resources is protected based on user
identity (as stored within eDirectory). The VFS, daemon, and XTier work together to compare
ACLs for a given file system path or object retrieved from eDirectory to the identity and session
scope established for the identity that owns a given connection.

The VFS acts as a proxy to the local file system (via redirection of its local mount point) to make
such decisions for network-based file system paths or objects.

5.3.3 Roles

This product does not define or manage roles. It simply makes use of roles that have already been
defined elsewhere and treats role access privileges in the same way as any user identity.

Because the product has a VFS module running in the kernel, it does not require

root

access for

users to create mount points (as do NCPFS and other similar open source offerings to date). The
product does not require use of SETUID for any of its operations.

5.3.4 Security Auditing

No security auditing is performed by this product.

5.4 New and Modified Files

The following sections describe the files that are added or modified during the installation of the
Novell Client for Linux.

Section 5.4.1, “Configuration Files,” on page 42

Section 5.4.2, “PAM Login Files,” on page 42

Section 5.4.3, “User Profile Startup Files,” on page 43

Section 5.4.4, “KDE and GNOME Desktop Startup Files,” on page 43

Section 5.4.5, “Installation Files,” on page 44

«
...
39
40
41
42
43
...
»

Summary of Contents for CLIENT FOR LINUX 2.0 SP1 - ADMINISTRATION

Page 1: ...Novell www novell com novdocx en 11 July 2008 AUTHORIZED DOCUMENTATION Novell Client 2 0 SP1 for Linux Administration Guide ClientTM for Linux 2 0 SP1 August 2008 Administration Guide...

Page 2: ...t or re export to entities on the current U S export exclusion lists or to any embargoed or terrorist countries as specified in the U S export laws You agree to not use deliverables for prohibited nuc...

Page 3: ...Trademarks For Novell trademarks see the Novell Trademark and Service Mark list http www novell com company legal trademarks tmlist html Third Party Materials All third party trademarks are the prope...

Page 4: ...novdocx en 11 July 2008...

Page 5: ...Settings 18 2 1 5 Configuring File Browser Settings 18 2 1 6 Configuring OpenSLP Settings 20 2 2 Using Configuration Files to Preconfigure the Novell Client 21 3 Managing Login 23 3 1 Setting Up Inte...

Page 6: ...ing the Novell Client Virtual File System Kernel Module 46 A 2 1 Compiling the Novell Client Virtual File System Kernel Module After a Kernel Update 46 A 2 2 Compiling the Novell Client Virtual File S...

Page 7: ...ation included with this product Please use the User Comments feature at the bottom of each page of the online documentation or go to www novell com documentation feedback html and enter your comments...

Page 8: ...8 Novell Client 2 0 SP1 for Linux Administration Guide novdocx en 11 July 2008...

Page 9: ...Novell Client for Linux differs in a few ways from using the Novell Client for Windows For users and network administrators who are familiar with the Novell Client for Windows knowing these difference...

Page 10: ...ne Utilities on page 49 and Appendix C Novell Client for Linux Man Pages on page 53 1 1 4 Login Scripts Novell has ported the vast majority of login script functionality to the Linux platform This mea...

Page 11: ...atible with the Linux kernel version on your workstation However when later shipping versions of SUSE Linux Enterprise Desktop are provided by Novell the Novell Client Virtual File System Kernel Modul...

Page 12: ...12 Novell Client 2 0 SP1 for Linux Administration Guide novdocx en 11 July 2008...

Page 13: ...ing Configuration Files to Preconfigure the Novell Client page 21 2 1 Using the Novell Client Configuration Wizard The Novell Client for Linux includes a Novell Client Configuration Wizard to simplify...

Page 14: ...ocol Settings page or the Service Location Protocol OpenSLP Settings page you must reboot the machine for those changes to take effect Any changes you make to the Novell Client settings are written to...

Page 15: ...rator and cannot be overridden by the user Display Integrated Login Results When this option is disabled all login scripts are run silently and the script results window is not displayed but login scr...

Page 16: ...create symbolic links in the user s home directory First Network Drive Select the first letter for Map to use when creating symbolic links to network resources This setting is used in commands such a...

Page 17: ...includes the use of a message digest algorithm and a per connection per request session state The values are as follows 0 Disabled 1 Enabled but not preferred 2 Preferred 3 Required Changing the valu...

Page 18: ...ray Application Select this option to automatically launch the Novell Client Tray Application Tray Application Menu Options Enables or disables the options available to users on the Tray Application m...

Page 19: ...le in a file manager File and Folder Information Enables or disables the File Information and Folder Information tabs on the File and Folder Properties pages available when users right click a Novell...

Page 20: ...sts or registering or the scopes that a directory agent DA must support Directory Agent List Specify the specific DAs that UA and SA agents must use If this setting is not used dynamic DA discovery is...

Page 21: ...data bu01sei html hn62kppa in the Novell Client for Windows Installation and Administration Guide for more information Preconfiguring the Novell Client for Linux requires the novell client conf spec f...

Page 22: ...ovell Client using YaST Add the location of the newly created novell client conf version_number platform rpm to the list of installation sources in YaST add a local directory in the Installation Sourc...

Page 23: ...es not work if a workstation is set up to not ask for a password in the display manager greeter For integrated login to work the Novell Common Authentication Services Adapter CASA must be installed an...

Page 24: ...the YaST Control Center GNOME Click Computer More Applications System YaST KDE Click the menu button System YaST 2 Click Security and Users in the left column then click CASA in the right column 3 Cl...

Page 25: ...our SUSE Linux workstation you also automatically log into the Novell server specified in Step 3 3 1 3 Managing System Wide Integrated Login Settings 1 Launch the Novell Client Configuration Wizard by...

Page 26: ...scripts see the Novell Login Scripts Guide 3 3 Setting Up Login Restrictions Login restrictions are limitations on user accounts that control access to the network These restrictions can be set by an...

Page 27: ...e Restrictions tab or drop down list depending on the browser you are using The following options appear They open pages that display various properties Password Restrictions Login Restrictions Time R...

Page 28: ...applications on your workstation require more advanced settings you can modify the etc slp conf file to set advanced settings For more information on advanced SLP configuration see the OpenSLP Web sit...

Page 29: ...vell Client Configuration Wizard 5 Restart the workstation 3 4 2 Troubleshooting SLP Configuration If users cannot see a list of available trees contexts and servers when they use the Novell Client fo...

Page 30: ...Firewall on page 30 Adding SLP Daemon Rules for External or DMZ Firewall Zones on page 31 Changing Your LAN Interface Definition to Internal on page 31 Turning Off the SUSE Firewall 1 Launch the YaST...

Page 31: ...d Users in the left column then click Firewall in the right column 3 Click Allowed Services in the left column to open the Firewall Configuration Allowed Services screen 4 Select SLP Daemon from the S...

Page 32: ...32 Novell Client 2 0 SP1 for Linux Administration Guide novdocx en 11 July 2008...

Page 33: ...ther by using any method other than NCOPY at the command terminal For more information on the specific rights on NetWare and OES servers see File Services http www novell com documentation oes implgde...

Page 34: ...receive rights in a number of ways such as explicit trustee assignments inheritance and security equivalence see eDirectory Rights Concepts http www novell com documentation edir88 edir88 data fbachi...

Page 35: ...and write to the file Erase Grants the right to delete the directory or file Create For a directory grants the right to create new files and directories in the directory For a file grants the right t...

Page 36: ...ants the right to change the attributes or name of the directory or file but does not grant the right to change its contents changing the contents requires the Write right File Scan Grants the right t...

Page 37: ...s to Kim and Nancy you would select Combine Multiple Trustees The following would then be true Kim has Read and File Scan rights to both FILEA and FILEB Her Access Control right is lost because the co...

Page 38: ...38 Novell Client 2 0 SP1 for Linux Administration Guide novdocx en 11 July 2008...

Page 39: ...upported via SSL and Simple Bind protocol Servers devices and or services are authenticated Yes Connections to servers are authenticated via user supplied credentials No device authentication is suppo...

Page 40: ...of packet signing Packet signing is enabled by default FIPS 140 2 compliant No This product currently uses the ATB authentication toolbox instead of the Novell NICI product Therefore this product is...

Page 41: ...together to compare ACLs for a given file system path or object retrieved from eDirectory to the identity and session scope established for the identity that owns a given connection The VFS acts as a...

Page 42: ...configuration file All fields in the Novell Login dialog box except the password are stored in this file HOME novell ncl MapDrives conf This user configuration file specifies the drive mapping to run...

Page 43: ...startup for ncl_autologin HOME gnome2 session manual X GNOME startup for ncl_autologin opt novell ncl bin ncl_autologin X Validates and runs nwlogin or gnwlogin opt novell ncl bin nwlogin This existin...

Page 44: ...be compromised For example if a malicious entity gets root access it might be able to steal user credentials and authenticate to the network with those credentials File New Modified Description opt n...

Page 45: ...on failed you do not need to repeat this step 3 Compile the Novell Client Virtual File System Kernel Module See Section A 2 Compiling the Novell Client Virtual File System Kernel Module on page 46 4 R...

Page 46: ...een installed click Close to close the YaST Control Center A 2 Compiling the Novell Client Virtual File System Kernel Module Depending on whether or not you have a standard kernel that has been update...

Page 47: ...tom kernel 1 In a terminal log in as root 2 Unpack the proc config gz file and copy the resulting config to the new name usr src linux config 3 In the usr src linux directory enter the following comma...

Page 48: ...48 Novell Client 2 0 SP1 for Linux Administration Guide novdocx en 11 July 2008...

Page 49: ...located in the opt novell ncl bin directory and include the following Section B 1 Shell Commands on page 49 Section B 2 GUI Utilities on page 50 B 1 Shell Commands Table B 1 The Novell Client for Lin...

Page 50: ...entering the following ncl_man utility_name For example ncl_man ncl_tray map Creates a mapping mount from a local file system to a remote file system on a Novell file server map d drive s server v vol...

Page 51: ...and End keys to move between the beginning and the end of a document To exit a man page press q You can learn more about the man command by entering man man in a terminal window You can also enter uti...

Page 52: ...52 Novell Client 2 0 SP1 for Linux Administration Guide novdocx en 11 July 2008...

Page 53: ...9 ncl_control 8 on page 61 ncl_install 8 on page 62 ncl_man 1 on page 64 ncl_tray 1 on page 65 nwconnections 1 on page 66 nwcopy 1 on page 67 nwflag 1 on page 69 nwlogin 1 on page 72 nwlogout 1 on pag...

Page 54: ...ons c context context context Specifies the context that the user is logging in to This value is required u name user name Specifies the user s eDirectory username This value is required s server serv...

Page 55: ...n script There are four n variables that can be specified during login 2 3 4 and 5 The utility then substitutes these parameters for the n variables in the login script The variables are replaced in t...

Page 56: ...es in the login script The variables are replaced in the order specified by selecting 2 3 4 or 5 clearconn Clears existing server connections before logging in to the current server ignore_rest Ignore...

Page 57: ...ow_Integrated_Login true or false Globally enables or disables automatic login for the workstation Allow_Integrated_LoginGUI true or false If authentication fails calls gnwlogin so the user can reente...

Page 58: ...y 2008 Clear_Username true Allow_Integrated_Login false Default_Tree mycompany Default_Context marketing Authors Copyright 2005 2007 Novell Inc All rights reserved http www novell com To report proble...

Page 59: ...assword at desktop startup Usage Each entry occupies a single line in the file Lines that are blank or that start with a pound sign are ignored home steve Desktop Q Location and name of drive link Use...

Page 60: ...erence life span 192 n4u nds inactivity synchronization interval 60 n4u nds synchronization restrictions off n4u nds janitor interval 2 n4u nds backlink interval 7 Authors Copyright 2005 2007 Novell I...

Page 61: ...on modules stop Stops all Novell Client for Linux daemon modules restart Stops and then reloads all Novell Client for Linux daemon modules status Verifies that the Novell Client for Linux daemon modul...

Page 62: ...to run this utility Options install Installs all Novell Client for Linux packages install force Forces the installation of all Novell Client for Linux packages upgrade Upgrades all Novell Client for L...

Page 63: ...or Linux Man Pages 63 novdocx en 11 July 2008 Authors Copyright 2005 2007 Novell Inc All rights reserved http www novell com To report problems with this software or its documentation visit http bugzi...

Page 64: ...ing error is displayed No manual entry for Novell Client man page name Entering ncl_man Novell Client man page name adds the Novell Client man path to the MANPATH and launches man which displays the s...

Page 65: ...apping drives and many other functions It requires the X Windows System to be running because it is a GUI application Options Basic Options waitfortray integer Wait for tray value required author Show...

Page 66: ...s for the currently logged in user Use the nwmap utility to detach from listed connections Options ignore_rest Ignores the rest of the labeled arguments following this flag v Displays the version for...

Page 67: ...te if it is supported s subdir Traverses the subdirectories t string target string Specifies the target path where you want the files copied to p string source string Specifies the source path of the...

Page 68: ...py f p my_vol t your_vol Copies all files or directories from my_vol to your_vol and rewrites the existing targets Authors Copyright 2005 2007 Novell Inc All rights reserved http www novell com To rep...

Page 69: ...the attributes of files or directories Type Displays or sets either the attributes or the owner flag information a attributes Displays or sets attribute flags n owner Displays or sets owner flags Opt...

Page 70: ...ion on flags See http www novell com documentation oes stor_filesys data bs3fih1 html o Read only w Read write c Compressed h Hidden y System k Can t Compress p Purge a Archive Needed m Migrated d Del...

Page 71: ...ed and Immediate Compress nwflag n e s f adam cont org Makes user ADAM the owner of the files in the current directory and subdirectories nwflag n w s f MYSERVER USER grep i adam cont org Lists all fi...

Page 72: ...ies the context that the user is logging in to This value is required t string tree string Specifies the tree that the user is logging in to This value is required p string password string Specifies t...

Page 73: ...d in the order specified by selecting 2 3 4 or 5 4 string variable4 string Allows an additional parameter to be entered that the login utility passes to the login script There are four n variables tha...

Page 74: ...tration Guide novdocx en 11 July 2008 Authors Copyright 2005 2007 Novell Inc All rights reserved http www novell com See Also nwlogout 1 nwconnections 1 To report problems with this software or its do...

Page 75: ...of This value is required if either the tree or closeall option is not used t string tree string Specifies the tree that the user will be logged out of This value is required if either the server or c...

Page 76: ...Administration Guide novdocx en 11 July 2008 Authors Copyright 2005 2007 Novell Inc All rights reserved http www novell com See Also nwlogin 1 To report problems with this software or its documentati...

Page 77: ...ou are mapping to The path can be in the following forms server volume path server volume server volume path directory_object_name fully_distiguished_eDirectory_path such as a cluster volume for examp...

Page 78: ...OOT This does not function in Linux It is included for script compatibility only C or CHANGE This does not function in Linux It is included for script compatibility only P or PHYSICAL This does not fu...

Page 79: ...p target_path Specifies the source path of the files you want to purge a path Purges all the files at the specified source path c path Purges all the files at the specified source path as well as all...

Page 80: ...n a Novell server Rights can be given directly or through inherited rights filters Options r rights Allows you to add or delete specified rights to or from the rights list The rights are s Supervisor...

Page 81: ...2008 p network path Specifies the network path to the file h Displays the help strings Authors Copyright 2005 2007 Novell Inc All rights reserved http www novell com To report problems with this softw...

Page 82: ...systems Options p string Specifies the source path of the files you want to salvage a string Salvages all the files at the specified source path c string Salvages all the files at the specified sourc...

Page 83: ...s to users or groups who are currently connected to a Novell server or allows you to send a message to the server console Options c message Sends a message to the server console s server_name Specifie...

Page 84: ...ree the user is logging in to This line is required Context context The location of the User object in the eDirectory tree This line is required Server server name The name or IP address of the server...

Page 85: ...ional parameters can be entered that the LOGIN utility passes to the login script The utility then substitutes these parameters for any n variables in the login script These variables are replaced in...

Page 86: ...tration Guide novdocx en 11 July 2008 Variable2 Variable3 Variable4 Variable5 Authors Copyright 2007 Novell Inc All rights reserved http www novell com To report problems with this software or its doc...

Page 87: ...p startup Usage Each entry occupies a single line in the file Lines that are blank or that start with a pound sign are ignored home username Desktop drive_link Location and name of drive link UserName...

Page 88: ...d mycompany sys home mycompany Desktop pub UserName admin novell Tree MYCOMPANY_TREE Context Mapped mycompany SYS PUBLIC Authors Copyright 2007 Novell Inc All rights reserved http www novell com To re...

Page 89: ...ent changes made in this guide since the initial release of the Novell ClientTM for Linux The information will help you keep current on updates to the documentation The documentation was updated on th...

Reviews:

No comments

Related manuals for CLIENT FOR LINUX 2.0 SP1 - ADMINISTRATION

Brand: Yamaha Pages: 89

CRESTRON-APP-SSTV

Brand: Crestron Pages: 28

Brand: Alphasmart Pages: 4

Brand: Lexmark Pages: 20

Brand: IBM Pages: 481

WINDOWS LIVE MESSENGER - LEARN MORE

Brand: Blackberry Pages: 18

Phaser 340 Installer

Brand: Xerox Pages: 2

Brand: FARONICS Pages: 42

Brand: Primera Pages: 48

AMIGOPOD 0.99.35

Brand: AMIGOPOD Pages: 23

Brand: AMIGOPOD Pages: 47

Brand: Avaya Pages: 48

Web-based Management Utility

Brand: Supermicro Pages: 64

Brand: Vonamic Pages: 30

Brand: Acroprint Pages: 68

Software Desktop Monitor

Brand: Intel Pages: 4

Application Accelerator RAID Edition

Brand: Intel Pages: 85

NetBackupTM 5.0

Brand: VERITAS Pages: 428

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands