Home
/
Novell
/
LINUX ENTERPRISE SERVER 10 - INSTALLATION AND ADMINISTRATION 11-05-2007
/
Installation Manual

Novell LINUX ENTERPRISE SERVER 10 - INSTALLATION AND ADMINISTRATION 11-05-2007, Installation Manual

Share

Page: 901 / 982

Novell LINUX ENTERPRISE SERVER 10 - INSTALLATION AND ADMINISTRATION 11-05-2007 Installation Manual Download Page 901

The permissions of the more than 200,000 files included in a SUSE Linux Enterprise
distribution are carefully chosen. A system administrator who installs additional software
or other files should take great care when doing so, especially when setting the permis-
sion bits. Experienced and security-conscious system administrators always use the

-l

option with the command

ls

to get an extensive file list, which allows them to detect

any incorrect file permissions immediately. An incorrect file attribute does not only
mean that files could be changed or deleted. These modified files could be executed by

root

or, in the case of configuration files, programs could use such files with the per-

missions of

root

. This significantly increases the possibilities of an attacker. Attacks

like this are called cuckoo eggs, because the program (the egg) is executed (hatched)
by a different user (bird), just like a cuckoo tricks other birds into hatching its eggs.

A SUSE Linux Enterprise system includes the files

permissions

,

permissions

.easy

,

permissions.secure

, and

permissions.paranoid

, all in the direc-

tory

/etc

. The purpose of these files is to define special permissions, such as world-

writable directories or, for files, the setuser ID bit (programs with the setuser ID bit set
do not run with the permissions of the user that has launched it, but with the permissions
of the file owner, in most cases

root

). An administrator can use the file

/etc/

permissions.local

to add his own settings.

To define which of the above files is used by SUSE Linux Enterprise's configuration
programs to set permissions accordingly, select Local Security in the Security and Users
section of YaST. To learn more about the topic, read the comments in

/etc/

permissions

or consult the manual page of

chmod

(

man chmod

).

49.1.5 Buffer Overflows and Format String

Bugs

Special care must be taken whenever a program is supposed to process data that can or
could be changed by a user, but this is more of an issue for the programmer of an appli-
cation than for regular users. The programmer must make sure that his application in-
terprets data in the correct way, without writing it into memory areas that are too small
to hold it. Also, the program should hand over data in a consistent manner, using the
interfaces defined for that purpose.

A buffer overflow can happen if the actual size of a memory buffer is not taken into
account when writing to that buffer. There are cases where this data (as generated by
the user) uses up some more space than what is available in the buffer. As a result, data

Security and Confidentiality

883

«
...
899
900
901
902
903
...
»

Summary of Contents for LINUX ENTERPRISE SERVER 10 - INSTALLATION AND ADMINISTRATION 11-05-2007

Page 1: ...SUSE Linux Enterprise Server www novell com 10 May 11 2007 Installation and Administration...

Page 2: ...That this manual specifically for the printed format is reproduced and or distributed for noncommercial use only The express authorization of Novell Inc must be obtained prior to any other use of any...

Page 3: ...s 7 2 2 Deploying up to 100 Workstations 9 2 3 Deploying More than 100 Workstations 16 3 Installation with YaST 17 3 1 IBM System z System Start Up for Installation 17 3 2 System Start Up for Installa...

Page 4: ...ing the Master Machine 100 6 2 Customizing the firstboot Installation 100 6 3 Cloning the Master Installation 108 6 4 Personalizing the Installation 109 7 Advanced Disk Setup 111 7 1 LVM Configuration...

Page 5: ...234 11 3 For More Information 254 12 Mass Storage over IP Networks iSCSI 257 12 1 Setting Up an iSCSI Target 257 12 2 Configuring iSCSI Initiator 262 13 Oracle Cluster File System 2 267 13 1 Overview...

Page 6: ...Information 328 16 9 Time and Date 329 17 Working with the Shell 331 17 1 Getting Started with the Bash Shell 332 17 2 Users and Access Permissions 343 17 3 Important Linux Commands 347 17 4 The vi E...

Page 7: ...g the Virtualization Host Server 427 22 5 Managing Virtual Machines 428 22 6 Creating Virtual Machines 431 22 7 Windows Server 2003 Virtual Machines 432 22 8 For More Information 433 23 Printer Operat...

Page 8: ...figuring the X Window System 481 26 2 Installing and Configuring Fonts 488 26 3 For More Information 493 27 Authentication with PAM 495 27 1 Structure of a PAM Configuration File 496 27 2 The PAM Conf...

Page 9: ...ion with NTP 603 32 1 Configuring an NTP Client with YaST 603 32 2 Configuring xntp in the Network 607 32 3 Setting Up a Local Reference Clock 607 33 The Domain Name System 609 33 1 DNS Terminology 60...

Page 10: ...rver in the Network with Active Directory 705 37 7 Migrating a Windows NT Server to Samba 707 37 8 For More Information 709 38 Sharing File Systems with NFS 711 38 1 Installing the Required Software 7...

Page 11: ...n with Calamaris 797 41 9 For More Information 798 Part V Security 799 42 Managing X 509 Certification 801 42 1 The Principles of Digital Certification 801 42 2 YaST Modules for CA Management 806 43 M...

Page 12: ...rberos 855 46 10 Configuring SSH for Kerberos Authentication 856 46 11 Using LDAP and Kerberos 857 47 Encrypting Partitions and Files 861 47 1 Setting Up an Encrypted File System with YaST 862 47 2 Us...

Page 13: ...Documentation 902 50 8 Usenet 903 50 9 Standards and Specifications 903 51 Common Problems and Their Solutions 907 51 1 Finding and Gathering Information 907 51 2 Installation Problems 910 51 3 Boot P...

Page 14: ......

Page 15: ...eployment strategy and disk setup that is best suited for your scenario Learn how to install your system manually how to use network installation setups and how to perform an autoinstal lation Configu...

Page 16: ...and suggestions about this manual and the other doc umentation included with this product Please use the User Comments feature at the bottom of each page of the online documentation and enter your com...

Page 17: ...www novell com documentation sled10 index html The following manuals are exclusively available for SUSE Linux Enterprise Desktop GNOME User Guide A comprehensive guide to the GNOME desktop and its mos...

Page 18: ...ey combination keys are shown in uppercase as on a keyboard File File Save As menu items buttons amd64 ipf This paragraph is only relevant for the specified architectures The arrows mark the beginning...

Page 19: ...Part I Deployment...

Page 20: ......

Page 21: ...information see Chapter 22 Virtualization page 421 YaST Several new configuration options have been developed for YaST These are nor mally described in the chapters about the technology involved CIM M...

Page 22: ...e Systems with NFS page 711 Oracle Cluster File System 2 OCFS2 is a general purpose journaling file system that is fully integrated in the Linux 2 6 kernel and later Find an overview of OCFS2 in Chapt...

Page 23: ...r your local installation Novell provides training support and consulting for all topics around SUSE Linux Enterprise Find more information about this at http www novell com products linuxenterprisese...

Page 24: ...tware installation you should consider training the end users of the systems as well as help desk staff 1 3 Running SUSE Linux Enterprise The SUSE Linux Enterprise operating system is a well tested an...

Page 25: ...x Enterprise is a plain manual installation as featured in Chapter 3 Installation with YaST page 17 Manual installa tion can be done in several different ways depending on your requirements Installing...

Page 26: ...talling from the SUSE Linux En terprise Media page 19 Details Table 2 2 Installing from a Network Server Using SLP Network installation server holding the SUSE Linux Enterprise installation media Inst...

Page 27: ...manually There are many automated or semiautomated approaches as well as several options to perform an installation with minimal to no physical user interaction Before considering a fully automated a...

Page 28: ...LAN page 13 Consider this approach in a small to medium scenario that should be installed via network and without physical interaction with the installation targets A network a network installation se...

Page 29: ...y Physical access is needed for booting Section 4 1 1 Simple Remote Installation via VNC Static Network Configuration page 44 Details Table 2 5 Simple Remote Installation via VNC Dynamic Network Confi...

Page 30: ...Small to medium scenarios with varying hardware Completely remote installs cross site deployment Each machine must be set up manually Drawbacks Section 4 1 3 Remote Installation via VNC PXE Boot and...

Page 31: ...the installation source Booting from installation media Remote SSH Control and Monitoring Best Suited For Small to medium scenarios with varying hardware Low bandwidth connections to target Drawbacks...

Page 32: ...ally Drawbacks Section 4 1 6 Remote Installation via SSH PXE Boot and Wake on LAN page 51 Details Table 2 10 Simple Mass Installation Preferably network Installation Source Preparations Gathering hard...

Page 33: ...bly network Installation Source Preparations Gathering hardware information Creating AutoYaST profiles Creating AutoYaST rules Setting up the installation server Distributing the profile Setting up ne...

Page 34: ...ever with a growing number of installation targets the benefits of a fully automated installation method outweigh its disadvantages It pays off to invest a considerable amount of time to create a soph...

Page 35: ...s described in the Archi tecture Specific Information manual SUSE Linux Enterprise does not show a splash screen on these systems During the installation load the kernel initrd and parmfile manually Y...

Page 36: ...e 18 Table 3 1 Boot Options Description Boot Option This is the easiest boot option This option can be used if the system has a local CD ROM drive that is supported by Linux CD ROM The images for gene...

Page 37: ...P and configures the network connection with DHCP If the DHCP network configuration fails you are prompted to enter the appropriate parameters manually The installation then proceeds normally 3 2 4 In...

Page 38: ...PI Dis abled or Installation Safe Settings Installation Safe Settings Boots the system with the DMA mode for CD ROM drives and power management functions disabled Experts can also use the command line...

Page 39: ...s press Esc to see the messages and copyright notices At the end of the loading process the YaST installation program starts After a few more seconds the screen should display the graphical installer...

Page 40: ...channels to display To filter the list according to such a range select Filter See Figure 3 1 IBM System z Selecting a DASD page 22 Figure 3 1 IBM System z Selecting a DASD Now specify the DASDs to u...

Page 41: ...ZFCP disks available on the system In this dialog select Add to open another dialog in which to enter ZFCP parameters See Figure 3 3 IBM System z Overview of Available ZFCP Disks page 23 To make a ZFC...

Page 42: ...n thoroughly If you agree to the terms choose Yes I Agree to the License Agreement and click Next to confirm your selection If you do not agree to the license agreement you cannot install SUSE Linux E...

Page 43: ...ystem To include add on products during the installation of SUSE Linux Enterprise select Include Add On Products from Separate Media and click Next In the next dialog click Add to select the source fr...

Page 44: ...egory to change After configuring any of the items presented in these dialogs you are always returned to the summary window which is updated accordingly TIP Resetting the Installation Summary to the D...

Page 45: ...the next dialog For completely different partitioning select Create Custom Partition Setup In the next dialog choose the disk to partition or Custom Partitioning The YaST partitioner provides tools f...

Page 46: ...prise is GNOME To install KDE click Software and select KDE Desktop Environment from Graphical Environments Figure 3 5 Installing and Removing Software with the YaST Package Manager 3 9 4 Language To...

Page 47: ...add remove or modify add on products here if needed Booting zseries This module cannot be used to configure the boot loader zipl on the IBM System z platforms During installation YaST proposes a boot...

Page 48: ...M System z IPLing the Installed System On the IBM System z platforms another IPL must be performed after installing the selected software packages However the procedure varies according to the type of...

Page 49: ...apable browser enter the complete URL consisting of the IP address of the installed system along with the port number in the following fashion http IP of installed system 5801 Using X to Connect When...

Page 50: ...working Internet connection you can perform an update of the system as part of the installation You can also configure an authentication server for centralized user administration in a local network...

Page 51: ...address 127 0 0 2 to the name both with and without the domain To change hostname settings at any time after installation use YaST Network Devices Network Card For more information see Section 30 4 1...

Page 52: ...s modified To adapt the auto matic settings to your own preferences click Change Firewall In the dialog that opens determine whether the firewall should be started If you do not want the firewall to b...

Page 53: ...g online If you have multiple network interfaces in your system verify that the the desired card is used to connect to the Internet To do so click Change device 3 11 4 Customer Center To get technical...

Page 54: ...tallation see Section 8 3 5 YaST Online Update page 136 If YaST was able to connect to the SUSE Linux Enterprise servers select whether to perform a YaST online update If there are any patched package...

Page 55: ...manage a range of configuration files Typically an LDAP server handles user account data but with SUSE Linux Enterprise it can also be used for mail DHCP and DNS data By default an LDAP server is set...

Page 56: ...if no network is available If YaST found a former version of SUSE Linux Enterprise or another system using etc passwd it offers the possibility to import local users To do so check Read User Data from...

Page 57: ...3 11 9 Release Notes After completing the user authentication setup YaST displays the release notes Reading them is advised because they contain important up to date information that was not availabl...

Page 58: ...es by clicking Change Reset to Defaults YaST then shows the original proposal again 3 11 11 Completing the Installation After a successful installation YaST shows the Installation Completed dialog In...

Page 59: ...Linux Enterprise is now installed Unless you enabled the automatic login function or customized the default runlevel you should see the graphical login on your screen in which to enter a username and...

Page 60: ......

Page 61: ...installation scenarios NOTE In the following sections the system to hold your new SUSE Linux Enterprise installation is referred to as target system or installation target The term instal lation sour...

Page 62: ...e sure that the following requirements are met Remote installation source NFS HTTP FTP or SMB with working network connection Target system with working network connection Controlling system with work...

Page 63: ...er and connect to the target system as described in Section 4 5 1 VNC Installation page 77 5 Perform the installation as described in Chapter 3 Installation with YaST page 17 Reconnect to the target s...

Page 64: ...ppears use the boot options prompt to set the appropriate VNC options and the address of the installation source This is described in detail in Section 4 4 Booting the Target System for Instal lation...

Page 65: ...fox Konqueror Internet Explorer or Opera To perform this type of installation proceed as follows 1 Set up the installation source as described in Section 4 2 Setting Up the Server Holding the Installa...

Page 66: ...boot for installation and to determine the IP address of the installation target The installation itself is entirely controlled from a remote workstation using SSH to connect to the installer User int...

Page 67: ...ment giving the network address under which the graphical installation environment can be addressed by any SSH client 4 On the controlling workstation open a terminal window and connect to the target...

Page 68: ...tem using the first CD or DVD of the SUSE Linux Enterprise media kit 3 When the boot screen of the target system appears use the boot options prompt to pass the appropriate parameters for network conn...

Page 69: ...described in Section 4 2 Setting Up the Server Holding the Installation Sources page 52 Choose an NFS HTTP or FTP network server For the configuration of an SMB installation source refer to Section 4...

Page 70: ...iguration The easiest way to set up an installation server is to use YaST on SUSE Linux Enterprise Server 9 or 10 orSUSE Linux 9 3 and higher On other versions of SUSE Linux Enter prise Server or SUSE...

Page 71: ...in the previous step define wild cards and export options The NFS server will be accessible under nfs Server IP Name Details of NFS and exports can be found in Chapter 38 Sharing File Systems with NFS...

Page 72: ...every time the system is started No further intervention is re quired You only need to configure and start this service correctly by hand if you have deactivated the automatic configuration of the se...

Page 73: ...ion server di rectory cp a media path_to_your_CD ROM_drive Replace path_to_your_CD ROM_drive with the actual path under which your CD or DVD drive is addressed Depending on the type of drive used in y...

Page 74: ...ile etc exports and enter the following line productversion ro root_squash sync This exports the directory productversion to any host that is part of this network or to any host that can connect to th...

Page 75: ...ork page 599 4 2 3 Setting Up an FTP Installation Source Manually Creating an FTP installation source is very similar to creating an NFS installation source FTP installation sources can be announced o...

Page 76: ...n Server service install suse ftp HOSTNAME srv ftp instsource CD1 en 65535 description FTP Installation Source Replace instsource with the actual name to the installation source direc tory on your ser...

Page 77: ...uration file of the HTTP server etc apache2 default server conf to make it follow symbolic links Replace the following line Options None with Options Indexes FollowSymLinks 2e Reload the HTTP server c...

Page 78: ...TALL for example 3 Export this share according the procedure outlined in your Windows documenta tion 4 Enter this share and create a subfolder called product Replace product with the actual product na...

Page 79: ...nually page 57 or Section 4 2 4 Setting Up an HTTP Installation Source Manually page 58 4 Create subdirectories for each CD or DVD 5 To mount and unpack each ISO image to the final location issue the...

Page 80: ...Setting Up a DHCP Server with YaST To announce the TFTP server s location to the network clients and specify the boot image file the installation target should use add two declarations to your DHCP se...

Page 81: ...get machine 1 Log in as root to the machine hosting the DHCP server 2 Append the following lines to your DHCP server s configuration file located under etc dhcpd conf group PXE related stuff next serv...

Page 82: ...you to connect to the system via SSH 4 3 2 Setting Up a TFTP Server Set up a TFTP server with YaST on SUSE Linux Enterprise Server and SUSE Linux Enterprise or set it up manually on any other Linux op...

Page 83: ...te files needed for the boot image as described in Section 4 3 3 Using PXE Boot page 66 4 Modify the configuration of xinetd located under etc xinetd d to make sure that the TFTP server is started on...

Page 84: ...ux pxelinux 0 file to the srv tftpboot directory by entering the following cp a usr share syslinux pxelinux 0 srv tftpboot 4 Change to the directory of your installation repository and copy the isolin...

Page 85: ...installation routines such as SSH or VNC boot parameters append them to the install entry An overview of parameters and some examples are given in Section 4 4 Booting the Target System for Installatio...

Page 86: ...ith the values used in your setup The following section serves as a short reference to the PXELINUX options used in this setup Find more information about the options available in the documen tation o...

Page 87: ...of the file before the first LABEL command The default for image is the same as label and if no APPEND is given the default is to use the global entry if any Up to 128 LABEL entries are permitted Note...

Page 88: ...s of 1 10 second The time out is canceled as soon as the user types anything on the keyboard assuming the user will complete the command begun A time out of zero disables the time out completely this...

Page 89: ...to the installation Also note down the MAC address of the target system This data is needed to initiate Wake on LAN 4 3 7 Wake on LAN Wake on LAN allows a machine to be turned on by a special network...

Page 90: ...ement and install the package netdiag 3 Open a terminal and enter the following command as root to wake the target ether wake mac_of_target Replace mac_of_target with the actual MAC address of the tar...

Page 91: ...fers some advanced functionality needed in some setups Using the F keys you can specify additional options to pass to the installation routines without having to know the detailed syntax of these para...

Page 92: ...ptions is easier In some automated setups the boot options can be provided with initrd or an info file The following table lists all installation scenarios mentioned in this chapter with the required...

Page 93: ...k Gateway ed if several network de vices are available VNC enablement VNC password hostip some_ip netmask some _netmask gateway ip_gateway vnc 1 vncpassword some _password Section 4 1 2 Simple Remote...

Page 94: ...d hostip some_ip netmask some _netmask gateway ip_gateway usessh 1 sshpassword some _password Section 4 1 5 Simple Remote Installation via install nfs http ftp smb path_to _instmedia Location of the i...

Page 95: ...ll you need to do on the installation target to prepare for a VNC installation is to provide the appropriate boot options at the initial boot for installation see Section 4 4 3 Using Custom Boot Optio...

Page 96: ...or Mac OS On a Linux machine make sure that the package tightvnc is installed On a Windows machine install the Windows port of this application which can be obtained at the TightVNC home page http ww...

Page 97: ...ons to enable SSH for installation See Section 4 4 3 Using Custom Boot Options page 74 for details OpenSSH is installed by default on any SUSE Linux based operating system Connecting to the Installati...

Page 98: ...ion After you have successfully authenticated a command line prompt for the installation target appears 5 Enter yast to launch the installation program A window opens showing the normal YaST screens a...

Page 99: ...SUSE Linux Enterprise to a set of machines with exactly the same hardware configuration To prepare for an AutoYaST mass installation proceed as follows 1 Create an AutoYaST profile that contains the i...

Page 100: ...s Clone a fresh installation from a reference machine to a set of identical machines Use the AutoYaST GUI to create and modify a profile to meet your requirements Use an XML editor and create a profil...

Page 101: ...rite it to a new profile 6 To proceed choose one of the following If the profile is complete and matches your requirements select File Save as and enter a filename for the profile such as autoinst xml...

Page 102: ...ake the profile location known to the installation routines on the client The location of the profile is passed to the installation routines by means of the boot prompt or an info file that is loaded...

Page 103: ...riggers a search for the con trol file on any USB attached device autoyast usb path USB Flash Disk Has the installation routines retrieve the control file from an NFS server autoyast nfs server path N...

Page 104: ...ine the location of the profile in the following way 1 YaST searches for the profile using its own IP address in uppercase hexadecimal for example 192 0 2 91 is C000025B 2 If this file is not found Ya...

Page 105: ...and PXE the boot image and control file can be pulled in via TFTP and the installation sources from any network installation server Bootable CD ROM You can use the original SUSE Linux Enterprise medi...

Page 106: ...several ways in which booting from CD ROM can come into play in Auto YaST installations Choose from the following scenarios Boot from SUSE Linux Enterprise Media Get the Profile over the Network Use...

Page 107: ...ing both the installa tion data and the profile itself might prove a good idea especially if no network is available in your setup 5 1 5 Creating the info File The installation routines at the target...

Page 108: ...ests Only needed if several network devices are available netdevice When empty the client sends a BOOTP request Otherwise the client is configured using the specified data hostip Netmask netmask Gatew...

Page 109: ...ble to linuxrc in various different ways As a file in the root directory of a floppy that is in the client s floppy drive at instal lation time As a file in the root directory of the initial RAM disk...

Page 110: ...ding on the scenario chosen for booting and monitoring the process physical interaction with the client may be needed If the client system boots from any kind of physical media either product media or...

Page 111: ...le to match a heterogeneous scenario by merging several profiles into one Each rule describes one particular distinctive feature of your setup such as disk size and tells AutoYaST which profile to use...

Page 112: ...5 2 2 Example Scenario for Rule Based Autoinstallation page 95 3 Determine the source of the AutoYaST profile and the parameter to pass to the installation routines as described in Section 5 1 2 Dist...

Page 113: ...int Server This machine just needs a minimal installation without a desktop environment and a limited set of software packages Workstations in the Engineering Department These machines need a desktop...

Page 114: ...s Eng Profile Sales Profile Print Server Profile Rule 1 Rule 2 Rule 3 Enigineering Department Computers Sales Department Laptops Print Server AutoYaST Directory Merge Process rules xml File 96 Install...

Page 115: ...rtment software selection 3 If none of the above is true consider the machine a developer workstation and install accordingly Roughly sketched this translates into a rules xml file with the following...

Page 116: ...y specified in the autoyast protocol serverip profiles URL AutoYaST looks for a rules subdirectory containing a file named rules xml first then loads and merges the profiles specified in the rules fil...

Page 117: ...rsonalizing the final product involves the following steps 1 Prepare the master machine whose disk should be cloned to the client machines For more information refer to Section 6 1 Preparing the Maste...

Page 118: ...5 page 100 5 Enable firstboot as root 5a Create an empty file etc reconfig_system to trigger firstboot s exe cution This file is deleted once the firstboot configuration has been success fully accompl...

Page 119: ...etc sysconfig firstboot Configure various aspects of firstboot such as release notes scripts and license actions etc YaST2 firstboot xml Configure the installation workflow by enabling or disabling c...

Page 120: ...ysconfig firstboot configuration file Proceed in a similar way to configure customized license and finish messages These variables are FIRSTBOOT_LICENSE_DIR and FIRSTBOOT_FINISH_FILE 6 2 2 Customizing...

Page 121: ...n release notes file Use the RTF format as in the example file in usr share doc release notes and save the result as RELEASE NOTES lang rtf 2 Store optional localized version next to the original vers...

Page 122: ...nstallation workflow In it see the basic syntax of the firstboot configuration file and how the key elements are configured Example 6 1 Configuring the Proposal Screens proposals config type list prop...

Page 123: ...t workflow defaults enable_back yes enable_back enable_next yes enable_next archs all archs defaults stage firstboot stage label Configuration label mode installation mode list of modules modules work...

Page 124: ...oot instal lation proceed as follows 1 Open the firstboot configuration file at etc YaST2 firstboot xml 2 Delete or add proposal screens or change the order of the existing ones To delete an entire pr...

Page 125: ...me firstboot_timezone name module 3 Apply your changes and close the configuration file To add a custom made module to the workflow proceed as follows 1 Create your own YaST module and store the modul...

Page 126: ...ts firstboot can be configured to execute additional scripts after the firstboot workflow has been completed To add additional scripts to the firstboot sequence proceed as follows 1 Open the etc sysco...

Page 127: ...page 103 Only the components included in the firstboot workflow configuration are started Any other installation steps are skipped The end user adjusts language keyboard network and password settings...

Page 128: ......

Page 129: ...er also supports multipath I O For details see the chapter about multipath I O in Storage Ad ministration Guide Starting with SUSE Linux Enterprise 10 there is also the option to use iSCSI as a networ...

Page 130: ...titioning can be found in Section Par tition Types page 151 and Section 8 5 7 Using the YaST Partitioner page 149 Figure 7 1 Physical Partitioning versus LVM PART PART PART PART PART DISK PART PART PA...

Page 131: ...atabases music archives or user directories LVM is just the right thing for you This would allow file systems that are larger than the physical hard disk Another advantage of LVM is that up to 256 LVs...

Page 132: ...stem yet you are prompted to add one see Fig ure 7 2 Creating a Volume Group page 114 It is possible to create additional groups with Add group but usually one single volume group is sufficient system...

Page 133: ...olume groups Only volume groups that do not have any partitions assigned can be deleted All partitions that are assigned to a volume group are also referred to as a physical volumes PV Figure 7 3 Phys...

Page 134: ...ume group Figure 7 4 Logical Volume Management To create a new logical volume click Add and fill out the pop up that opens As for partitioning enter the size file system and mount point Normally a fil...

Page 135: ...have already configured LVM on your system the existing logical volumes can be entered now Before continuing assign appropriate mount points to these logical volumes too With Next return to the YaST...

Page 136: ...ng the following storage resources Physical disks and logical devices on local media and SAN based media including iSCSI Software RAIDs 0 1 4 and 5 for high availability Cluster aware multipath I O fo...

Page 137: ...in dev evms md To activate EVMS at boot time add boot evms to the boot scripts in the YaST runlevel editor See also Section 19 2 3 Configuring System Services Runlevel with YaST page 382 For More Info...

Page 138: ...a RAID because it does not provide data backup but the name RAID 0 for this type of system has become the norm With RAID 0 two or more hard disks are pooled together The performance is very good but...

Page 139: ...h RAID 5 no more than one hard disk can fail at the same time If one hard disk fails it must be replaced as soon as pos sible to avoid the risk of losing data Other RAID Levels Several other RAID leve...

Page 140: ...is already assigned to a RAID volume the name of the RAID device for example dev md0 is shown in the list Unassigned partitions are indicated with Figure 7 6 RAID Partitions To add a previously unass...

Page 141: ...roubleshooting Check the file proc mdstats to find out whether a RAID partition has been de stroyed In the event of a system failure shut down your Linux system and replace the defective hard disk wit...

Page 142: ...ta bookinfo html usr share doc packages mdadm Software RAID HOWTO html http en tldp org HOWTO Software RAID HOWTO html Linux RAID mailing lists are also available such as http marc theaimsgroup com l...

Page 143: ...start the YaST Control Center from the main menu Before YaST starts you are prompted to enter the root password because YaST needs system ad ministrator permissions to change the system files To start...

Page 144: ...ble set to your preferred language Use a long language code in the format langcode_statecode For example for American English enter LANG en_US yast2 This command starts YaST using the specified langua...

Page 145: ...ettings complete the pro cedure by pressing Accept on the last page of the configuration dialog The configuration is then saved Figure 8 1 The YaST Control Center 8 3 Software 8 3 1 Installing and Rem...

Page 146: ...a symbol in a status box at the beginning of the line Change the status by clicking or selecting the desired status from the menu that opens when the item is right clicked Depending on the current sit...

Page 147: ...kages To display all packages on your installation media use the filter Package Groups and select zzz All at the bottom of the tree SUSE Linux Enterprise contains a number of packages and it might tak...

Page 148: ...ted source To restrict the list use a secondary filter To view a list of the all installed packages from the selected installation source select the filter Installation Sources then select Installatio...

Page 149: ...alled packages is marked for deletion the package manager issues an alert with detailed information and alternative solutions Reinstalling Packages If you find damaged files that belong to package or...

Page 150: ...program packages by subjects such as applications development and hardware in a tree structure to the left The more you expand the branches the more specific the selection is This means fewer packages...

Page 151: ...tem and displays installed pack ages When you select to install and remove packages the package manager can auto matically check the dependencies and select any other required packages resolution of d...

Page 152: ...w the suggestions of YaST when handling package conflicts because otherwise the stability and functionality of your system could be endangered by the existing conflict Figure 8 3 Conflict Management o...

Page 153: ...developer novell com wiki index php Creating_Add On_Media_with_YaST Find technical background information at http developer novell com wiki index php Creating_Add Ons 8 3 3 Selecting the Installation...

Page 154: ...logs use the Software Installation Source module described in Section 8 3 3 Selecting the Installation Source page 135 NOTE Before starting the update of SUSE Linux Enterprise configure the Novell Cus...

Page 155: ...symbol and the patch name For a list of possible symbols press Shift F1 New patches that are not yet installed are marked with a small arrow in front of the symbol Patches that are already installed a...

Page 156: ...to install patches that require interaction When Only Download Patches is checked the patches are downloaded at the specified time but not installed They must be installed manually The patches are do...

Page 157: ...Installed Packages This option merely updates packages that already exist on the system No new features are installed Additionally you can use Delete Outdated Packages to remove packages that do not e...

Page 158: ...adopt any personal settings of the installed packages In most cases YaST replaces old versions with new ones without problems A backup of the existing system should be performed prior to updating to e...

Page 159: ...tomatically detected by YaST and the technical data is displayed If the automatic detection fails YaST offers a list of devices model vendor etc from which to select the suitable device Consult the do...

Page 160: ...urrent settings work before they are saved permanently in the system WARNING Configuration of the Hard Disk Controller It is advised to test the settings before making them permanent in the system Inc...

Page 161: ...s that your data can be transferred directly to the RAM bypassing the processor control 8 4 7 IBM System z DASD Devices To add a DASD to the installed system there are two possibilities YaST To add a...

Page 162: ...e list provided If your joystick is not listed select Generic Analog Joystick After selecting your joystick make sure that it is connected then click Test to test the functionality Click Continue and...

Page 163: ...eyboard Layout Find information about the graphical configuration in Section 8 14 3 Keyboard Properties page 190 8 4 11 Mouse Model When configuring the mouse for the graphical environment click Mouse...

Page 164: ...hare doc packages alsa cards txt and at http www alsa project org alsa doc After making your se lection click Next 2 In Sound Card Configuration choose the configuration level in the first setup scree...

Page 165: ...ck Other to customize one of the following options manually Volume Use this dialog for setting the volume Start Sequencer For playback of MIDI files check this option Set as Primary Card Click Set as...

Page 166: ...dates and files not belonging to packages such as many of the configuration files in etc or the directories under home 8 5 2 Restoration With System System Restoration restore your system from a backu...

Page 167: ...lume management system EVMS is like LVM a tool for custom partitioning and grouping of hard disks into virtual volumes It is flexible extensible and can be tailored using a plug in model to individual...

Page 168: ...or sda for the first recognized device All existing or suggested partitions on all connected hard disks are displayed in the list of the YaST Expert Partitioner dialog Entire hard disks are listed as...

Page 169: ...sists of a continuous range of cylinders physical disk areas assigned to a particular operating system With primary partitions only you are limited to four partitions per hard disk because more do not...

Page 170: ...tup require them For details of the options available refer to Section Editing a Partition page 152 5 Click OK Apply to apply your partitioning setup and leave the partitioning module If you created t...

Page 171: ...eed because the encryption takes some time More information about the encryption of file systems is provided in Chapter 47 Encrypting Partitions and Files page 861 Fstab Options Here specify various p...

Page 172: ...re which is needed for executing programs from the location However to run programs from there you can enter this option manually This measure is necessary if you encounter system messages such as bad...

Page 173: ...physical partition 8 5 8 PCI Device Drivers TIP IBM System z Continuing For IBM System z continue with Section 8 5 12 System Services Runlevel page 157 Each kernel driver contains a list of device ID...

Page 174: ...p a PCI ID Click OK to save your changes To edit a PCI ID select the device driver from the list and click Edit Edit the information and click OK to save your changes To delete an ID select the driver...

Page 175: ...evertheless this feature is useful even for stationary machines because it enables the use of various hardware components or test configura tions 8 5 12 System Services Runlevel Configure runlevels an...

Page 176: ...stly use local time Set the current system time and date with Change In the dialog that opens modify the time and date by entering new values or adjusting them with the arrow buttons Press Apply to sa...

Page 177: ...le in the main list These settings are written into the file etc sysconfig language 8 6 Network Devices All network devices connected to the system must be initialized before they can be used by a ser...

Page 178: ...end your e mail with sendmail postfix or the SMTP server of your provider You can fetch mail via the fetchmail program for which you can also enter the details of the POP3 or IMAP server of your provi...

Page 179: ...Configuration The mail server module of SUSE Linux Enterprise only works if the users groups and the DNS and DHCP services are managed with LDAP The mail server module allows configuration of SUSE Lin...

Page 180: ...mail Vir tual mail addresses are set up in the user management module of YaST 8 7 3 Other Available Services Many other network modules are available in YaST Network Services DHCP Server Use this to...

Page 181: ...on 46 6 Configuring a Kerberos Client with YaST page 849 LDAP Client If using LDAP for user authentication in the network configure the client in LDAP Client Information about LDAP and a detailed desc...

Page 182: ...requires a lot of maintenance In this case administer user data on a central server and distribute it to the clients from there NIS is one option for this Detailed information about NIS and its confi...

Page 183: ...a VNC client in Section 4 1 1 Simple Remote Installation via VNC Static Network Configu ration page 44 Allow remote administration by selecting Allow Remote Administration in Remote Administration Se...

Page 184: ...nfiguration with YaST are described in Section 4 3 2 Setting Up a TFTP Server page 64 WOL WOL wake on LAN refers to the possibility of waking up a computer from standby mode over the network using spe...

Page 185: ...pability Consequently several users can work independently on the same Linux system Each user has a user account identified by a login name and a personal password for logging in to the system All use...

Page 186: ...assword expiration length and expiration warnings use the Password Settings tab 5 Write the user account configuration by clicking Accept The new user can immediately log in with the created login nam...

Page 187: ...s with Accept To create an encrypted home for an existing user proceed as follows 1 Select a user from the list and click Edit 2 In the Details tab enable Use Encrypted Home Directory 3 Enter the pass...

Page 188: ...s Then uncheck Auto Login and click OK Login without a Password WARNING Allowing Login without a Password Using the passwordless login feature on any system that can be physically ac cessed by more th...

Page 189: ...Data 3 Apply your settings with Accept Enforcing Password Policies On any system with multiple users it is a good idea to enforce at least basic password security policies Users should change their p...

Page 190: ...tion Date is given the user account never expires Changing the Default Settings for New Users When creating new local users several defaults settings are used by YaST You can change these default sett...

Page 191: ...the user au thentication method in the installed system select Expert Options Authentication and User Sources The module provides a configuration overview and the option to configure the client Advan...

Page 192: ...the key combination Ctrl Alt Del should be interpreted by selecting the desired action Normally this combination when entered in the text console causes the system to reboot Do not modify this setting...

Page 193: ...launch the updatedb program if installed This pro gram which automatically runs on a daily basis or after booting generates a database locatedb in which the location of each file on your computer is s...

Page 194: ...ation for the Xen virtualization system For detailed information about Xen see Chapter 22 Virtualization page 421 The following modules are available in the Virtualization section Installing Hyperviso...

Page 195: ...Autoin stallation prepare profiles for this tool Find detailed information about automated in stallation with AutoYaST in Chapter 5 Automated Installation page 81 The informa tion about using the Aut...

Page 196: ...Kernel messages sorted according to date and time are also recorded here View the status of certain system components using the box at the top The following options are possible from the system log an...

Page 197: ...is displays all system warnings 8 11 8 Vendor Driver CD Install device drivers from a Linux driver CD that contains drivers for SUSE Linux Enterprise with Miscellaneous Vendor Driver CD When installin...

Page 198: ...category Software is selected automati cally Use and to change the category To start a module from the selected category press The module selection now appears with a thick border Use and to select th...

Page 199: ...his combination can also be used if using or would result in changing the active frame or the current selection list as in the Control Center Buttons Radio Buttons and Check Boxes To select buttons wi...

Page 200: ...example Esc H replaces Alt H Backward and Forward Navigation with Ctrl F and Ctrl B If the Alt and Shift combinations are occupied by the window manager or the ter minal use the combinations Ctrl F f...

Page 201: ...module_name command option value Some modules do not support the command line mode because command line tools with the same functionality already exist The modules concerned and the command line tools...

Page 202: ...enter the username and password all other settings are made automatically in accordance with default configuration The functionality provided by the command line is the same as in the graphical inter...

Page 203: ...o execute scripts again To display a configuration summary for the network use yast lan list The first item in the output of Example 8 4 Sample Output of yast lan list page 185 is a device ID To get m...

Page 204: ...phics card and display device in Card and Monitor Properties If you have more than one graphics card installed each device is shown in a separate dialog reachable by a tab At the top of the dialog see...

Page 205: ...log opens in which to adjust various monitor specific settings This dialog has several tabs for various aspects of monitor operation Select the first tab to manually select the vendor and model of the...

Page 206: ...e screens in the dual head dialog The tabs in the row at the top of the dialog each correspond to a graphics card in your system Select the card to configure and set its multihead options in the dialo...

Page 207: ...SaX2 configures a standard layout that follows the sequence of the detected graphics cards arranging all screens in a row from left to right The additional Arrangement tab allows for changing this la...

Page 208: ...s in the opposite direction For touch pads this feature is sometimes useful Emulate Wheel with Mouse Button If your mouse does not have a scroll wheel but you want to use similar functional ity you ca...

Page 209: ...e for your needs If your graphics tablet supports electronic pens configure them in Electronic Pens Add eraser and pen and set their properties after clicking Properties When you are satisfied with th...

Page 210: ...tiple VNC Connections if more than one VNC client should connect to the X server at the same time Allow HTTP access by checking Activate HTTP Access and setting the port to be use in HTTP Port When yo...

Page 211: ...in Section 3 11 4 Customer Center page 35 The back end daemon for the Novell ZENworks Linux Management Agent is the ZENworks Management Daemon ZMD ZMD performs software management func tions The daemo...

Page 212: ...d services are mount for local files and yum or ZENworks for servers rug sorts software from services into catalogs also known as channels groups of similar software For example one catalog might cont...

Page 213: ...moving Software with rug To install a package from any subscribed catalogs use rug in package_name To install from a selected catalog only add entire catalog and the catalog to install use to the comm...

Page 214: ...o update the system use the command rug ua username upgrade Replace username with the name of the user To revoke the privileges of a user use command rug ud username To list users with their rights us...

Page 215: ...g the updates send your username and password to the proxy server To do so use the commands rug set proxy url url_path rug set proxy username name rug set proxy password password Replace url_path with...

Page 216: ...your system are available right click the application icon and choose Refresh to force an immediate check The Software Updater applet in the panel changes from a globe to an exclamation mark on an or...

Page 217: ...staller The interface is almost identical to Software Updater see Sec tion 9 2 2 Obtaining and Installing Software Updates page 198 The only difference is a search panel you can use to search for pack...

Page 218: ...ns Services Catalogs and Preferences Services and Catalogs Services are basically sources that provide software packages and information about these packages Each service can offer one or more catalog...

Page 219: ...d ZENworks Opencarpet Red Carpet Enterprise or ZENworks services are only available if your company or organization has set up these services within your internal network This may for example be the c...

Page 220: ...d to this catalog If you unsubscribe the packages from this catalog are still listed in the update window but you cannot install them Preferences On the Preferences tab specify whether Software Update...

Page 221: ...on space with df before updating If you suspect you are running short of disk space secure your data before updating and repartition your system There is no general rule of thumb regarding how much sp...

Page 222: ...Depending on your customizations some steps or the entire update procedure may fail and you must resort to copying back your backup data Check the following issues before starting the system update Ch...

Page 223: ...nd to enhance your system check the packages offered in the Software Selection submenus or add support for additional languages 4a Click Update Options to update only software that is already installe...

Page 224: ...10 SP x arch SLES 10 SP x arch or SLED 10 SP x arch where x is the number of the Service Pack and arch is the name of your hardware architecture and make it available via NFS HTTP or FTP 10 2 2 Insta...

Page 225: ...th on the installation server and the target machine that includes a name service DHCP optional but needed for PXE boot and OpenSLP optional The SUSE Linux Enterprise SP CD 1 or DVD 1 to boot the targ...

Page 226: ...r SUSE Linux Enterprise Service Pack for this and otherwise follow the instructions in Section 4 3 2 Setting Up a TFTP Server page 64 3 Prepare PXE boot and Wake on LAN on the target machine 4 Initiat...

Page 227: ...nd choose Update as the installation mode in YaST For more detailed information and finishing the update see Section 10 1 3 Updating with YaST page 204 Starting with YaST Online Update Before initiati...

Page 228: ...10 1 Update to Service Pack 1 page 210 In the pop up window click Accept to confirm the start of the update procedure to the service pack feature level 3 The Patch Download and Installation dialog tra...

Page 229: ...r 10 SP1 refer to the release notes of the service pack View them in the installed system using the YaST release notes module 10 3 1 Multiple Kernels It is possible to install multiple kernels side by...

Page 230: ...rds The following modules were not part of the distribution and will not be added in the future ati fglrx ATI FireGL Graphics Cards nvidia gfx NVIDIA gfx driver km_smartlink softmodem Smart Link Soft...

Page 231: ...on makes tar fail Check your backup scripts Commands such as the following no longer work tar czf etc tar gz etc atime preserve See the tar info pages for more information 10 3 6 Apache 2 Replaced wit...

Page 232: ...g Events Handled by the udev Daemon Hotplug events are now completely handled by the udev daemon udevd The event multiplexer system in etc hotplug d and etc dev d is no longer used Instead udevd calls...

Page 233: ...Online Update now supports a special kind of RPM package that only stores the binary difference from a given base package This technique significantly reduces the package size and download time at th...

Page 234: ...X2 writes the X Org configuration settings into etc X11 xorg conf During an installation from scratch no compatibility link from XF86Config to xorg conf is created 10 3 15 XView and OpenLook Support D...

Page 235: ...ow installed in usr lib ooo 2 0 instead of opt OpenOffice org The default directory for user settings is now ooo 2 0 instead of OpenOffice org1 1 Wrapper There are some new wrappers for starting the O...

Page 236: ...able in the OpenOffice_org kde and OpenOffice_org gnome packages 10 3 18 Sound Mixer kmix The sound mixer kmix is preset as the default For high end hardware there are other mixers like QAMix KAMix en...

Page 237: ...g with JFS 10 3 22 AIDE as a Tripwire Replacement As an intrusion detection system use AIDE package name aide which is released under the GPL Tripwire is no longer available on SUSE Linux 10 3 23 PAM...

Page 238: ...yp session required pam_unix2 so you can change it to PAM 1 0 auth include common auth account include common account password include common password session include common session 10 3 24 Becoming t...

Page 239: ...etc sysconfig powersave events The names of sleep states have changed from suspend ACPI S4 APM suspend standby ACPI S3 APM standby To suspend to disk ACPI S4 APM suspend suspend to ram ACPI S3 APM su...

Page 240: ...e systemwide etc X11 xinit xinitrc uses dbus launch to start the window manager If you have a local xinitrc file you must change it accordingly Otherwise ap plications like f spot banshee tomboy or Ne...

Page 241: ...FAM is running you probably want remote notification which is supported only by FAM 10 3 31 Starting an FTP Server vsftpd By default xinetd no longer starts the vsftpd FTP server It is now a stand alo...

Page 242: ...From the command line you can influence the behavior by using firefox new window url or firefox new tab url 224 Installation and Administration...

Page 243: ...Part II Administration...

Page 244: ......

Page 245: ...management and Internet standard technologies developed to unify the management of enterprise computing environments WBEM provides the ability for the industry to deliver a well inte grated set of sta...

Page 246: ...ore specifically an application that manages objects according to the CIM standard CIMOM providers are software that performs specific tasks within the CIMOM that are requested by client applications...

Page 247: ...s a set of software components that help facilitate the deployment of the Distributed Manage ment Task Force DMTF CIM and WBEM technologies If you are not familiar with the DMTF and its technologies y...

Page 248: ...k As root in a console shell enter rcowcimomd start Start owcimomd As root in a console shell enter rcowcimomd stop Stop owcimomd As root in a console shell enter rcowcimomd status Check owcimomd stat...

Page 249: ...ficate use the following command Running this command replaces the current certificate so Novell recommends making a copy of the old certificate before generating a new one As root in a console shell...

Page 250: ...ces Unse cure 5988 This setting is disabled by default With this setting all communications between the CIMOM and client applications are open for review when sent over the Internet between servers an...

Page 251: ...nwbem authentication libpamauthentication so The OpenWBEM CIMOM is PAM enabled by default therefore the local root user can authenticate to the OpenWBEM CIMOM with local root user credentials 11 1 3 S...

Page 252: ...ngs in the openwbem conf file This section discusses the following configuration settings Section 11 2 1 Changing the Authentication Configuration page 234 Section 11 2 2 Changing the Certificate Conf...

Page 253: ...ow_anonymous page 239 Section owcimomd allowed_users page 240 Section owcimomd authentication_module page 241 Section simple_auth password_file page 241 http_server allow_local_authentication Purpose...

Page 254: ...ntax http_server digest_password_file path_filename The following is the default path and filename for the digest password file etc openwbem digest_auth passwd Example http_server digest_password_file...

Page 255: ...ing disabled This is the default setting Allows a trusted certificate to be authenticated no HTTP authen tication is necessary optional Also allows an untrusted certificate to pass the SSL handshake i...

Page 256: ...you must set up the digest password file using owdigestgenpass Digest doesn t use the authentication module specified by the owcimomd authentica tion_module configuration setting Syntax http_server us...

Page 257: ...red ACL processing is not enabled until the OpenWBEM_Acl1 0 mof file has been im ported Syntax owcimomd ACL_superuser username Example owcimomd ACL_superuser root owcimomd allow_anonymous Purpose Enab...

Page 258: ...users option Description Option Specifies one or more users who are allowed to access the owci momd data username Separate each username with a space Allows all users to authenticate for example if yo...

Page 259: ...ath and filename for the authentication modules usr lib openwbem authentication libpamauthentication so Example owcimomd authentication_module usr lib openwbem authentication libpamauthentication so s...

Page 260: ...owing default location etc openwbem servercert pem etc openwbem serverkey pem Syntax http_server SSL_cert path_filename or http_server SSL_key path_filename NOTE Both the key and certificate can be in...

Page 261: ...tion Option Specify the specific port for HTTP or HTTPS com munications Specific_port_number For HTTP the default port is 5988 For HTTPS the default port is 5989 Disables HTTP or HTTPS connections for...

Page 262: ...page 246 Section log main level page 249 Section log main location page 250 Section log main max_backup_index page 250 Section log main max_file_size page 251 Section log main type page 251 If you wa...

Page 263: ...el page 249 If specified in this option the predefined categories are not treated as levels but as independent categories No default is available and if a category is not set no categories are logged...

Page 264: ...own components Specifies that all components are logged This is the default setting Example log main components owcimomd nssd log main format Purpose Specifies the format text mixed with printf style...

Page 265: ...ound in the ctime header Message as XML CDATA This includes the CDATA and ending e Filename F Filename and line number For example file cpp 100 l Line number L Method name where the logging request wa...

Page 266: ...ccording to the justification flag If the data item is larger than the minimum field width the field is expanded to accommodate the data The maximum field width modifier is designated by a period foll...

Page 267: ...log outputs all predefined categories at and above the specified level Syntax log main level option Description Option Logs all Debug Info Error and Fatal error messages DEBUG Logs all Error and Fatal...

Page 268: ...wcimomd log log main max_backup_index Purpose Specifies the amount of backup logs that are kept before the oldest is erased Syntax log main backup_index option Description Option Specifies the number...

Page 269: ...certain size in KB unsigned _integer_in_KB Lets the log grow to an unlimited size 0 This is the default setting Example log main max_file_size 0 log main type Purpose Specifies the type of main log o...

Page 270: ...h the following settings log debug categories log debug components log debug format t m log debug level log debug type stderr Debug Log with Color If you want a color version of the debug log use the...

Page 271: ...0m yellow x1b 0 33 40m dark yellow x1b 1 34 40m blue x1b 0 34 40m dark blue x1b 1 35 40m purple x1b 0 35 40m dark purple x1b 1 36 40m cyan x1b 0 36 40m dark cyan x1b 1 37 40m white x1b 0 37 40m dark w...

Page 272: ...g_name format log log_name level log log_name location log log_name max_backup_index log log_name max_file_size Example owcimomd additional_logs errorlog1 errorlog2 errorlog3 11 3 For More Information...

Page 273: ...ool Solutions Article An Introduction to WBEM and OpenWBEM in SUSE Linux http www novell com coolsolutions feature 14625 html OpenWBEM Web site http www openwbem org DMTF Web site http www dmtf org Op...

Page 274: ......

Page 275: ...hat is commonly known as an iSCSI initiator The packages are then transferred to the corresponding iSCSI remote station also called iSCSI target Many storage solutions provide access over iSCSI but it...

Page 276: ...cation set here is used for the discovery of services not for accessing the targets If you do not want to restrict the access to the discovery use No Authentication If authentication is needed there a...

Page 277: ...c ietd conf All parameters in this file before the first Target declaration are global for the file Authentication information in this portion has a special meaning it is not global but is used for th...

Page 278: ...0 iotype fileio path var lib xen images xen 1 There are many more options that control the behavior of the iSCSI target Find them in the manual page of ietd conf Active sessions are also displayed in...

Page 279: ...delete active connections First check all active connections with the command cat proc net iet session This may look like cat proc net iet session tid 1 name iqn 2006 03 com example iserv system sid 2...

Page 280: ...m are not permanent for the system These changes are lost at the next reboot if they are not added to the configuration file etc ietd conf Depending on the usage of iSCSI in your network this may lead...

Page 281: ...n to activate the target You will be asked for authentication information to use the selected iSCSI target Next finishes the configura tion If everything went well the target now appears in Connected...

Page 282: ...iadm creates all needed devices iscsiadm m node r bd0ac2 login The newly generated devices show up in the output of lsscsi and can now be accessed by mount 12 2 3 The iSCSI Client Databases All inform...

Page 283: ...alizes set the variable node startup to the value automatic iscsiadm m node r bd0ac2 op update name node startup value automatic Remove obsolete data sets with the operation delete If the record bd0ac...

Page 284: ...There is also some online documentation available See the manual pages of iscsiadm iscsid ietd conf and ietd and the example configuration file etc iscsid conf 266 Installation and Administration...

Page 285: ...on devices in a SAN All nodes in a cluster have concurrent read and write access to the file system A distributed lock manager helps prevent file access conflicts OCFS2 supports up to 32 000 subdirec...

Page 286: ...olume in the cluster All nodes can concurrently read and write directly to storage via the standard file system interface enabling easy management of applications that run across a cluster File access...

Page 287: ...to manage OCFS2 services and volumes You can enable these modules to be loaded and mounted system boot For instructions see Section 13 2 2 Configuring OCFS2 Services page 274 Table 13 1 O2CB Cluster S...

Page 288: ...slot assignment Each node reads the file and writes to its assigned block in the file at two second inter vals Changes to a node s time stamp indicates the node is alive A node is dead if it does not...

Page 289: ...e node The cluster configuration file etc ocfs2 cluster conf resides on each node assigned to the cluster The ocfs2console utility is a GTK GUI based interface for managing the configu ration of the O...

Page 290: ...reates a context dependent symbolic link CDSL for a specified filename file or directory for a node A CDSL filename has its own image for a specific node but has a common name in the OCFS2 ocfs2cdsl C...

Page 291: ...ter named ocfs2 by offlining the cluster and unloading the O2CB modules and in memory file systems etc init d o2cb stop ocfs2 13 1 6 OCFS2 Packages The OCFS2 kernel module ocfs2 is installed automatic...

Page 292: ...nting For example the Oracle RAC database volume requires the datavolume and nointr mounting options but the Oracle Home volume should never use these options Make sure that the ocfs2console and ocfs2...

Page 293: ...none to clear ocfs2 prompt enter none This choice presumes that you are setting up OCFS2 for the first time or re setting the service You specify a cluster name in the next step when you set up the et...

Page 294: ...box 5d In the Add Node dialog box specify the unique name of your primary node a unique IP address such as 192 168 1 1 and the port number optional default is 7777 then click OK The ocfs2console cons...

Page 295: ...te and format the volume using one of the following methods In EVMSGUI go to the Volumes page select Make a file system OCFS2 then specify the configuration settings Use the mkfs ocfs2 utility For inf...

Page 296: ...endian architectures such as x86 x86 64 and ia64 and big endian architectures such as ppc64 and s390x Node specific files are referred to as local files A node slot number is appended to the local fi...

Page 297: ...OK Mount the volume from the command line using the mount command Mount the volume from the etc fstab file on system boot Mounting an OCFS2 volume takes about 5 seconds depending on how long it takes...

Page 298: ...interruptions Ensures the IO is not interrupted by signals nointr 13 4 Additional Information For information about using OCFS2 see the OCFS2 User Guide http oss oracle com projects ocfs2 documentati...

Page 299: ...scribed in this chapter follows these two standards as well They can be viewed at http wt xpilot org publications posix 1e 14 1 Traditional File Permissions The basics of traditional Linux file permis...

Page 300: ...to which the direc tory belongs Consider the following example directory drwxrws 2 tux archive 48 Nov 19 17 12 backup You can see the s that denotes that the setgid bit is set for the group permissio...

Page 301: ...realized without implementing complex permission models on the application level The advantages of ACLs are evident if you want to replace a Windows server with a Linux server Some of the connected wo...

Page 302: ...group entry defines the permissions of the group specified in the entry s qualifier field Only the named user and named group entries have a qualifier field that is not empty The other entry defines t...

Page 303: ...CL ACL Entries Compared to Permission Bits page 286 and Figure 14 2 Extended ACL ACL Entries Compared to Permission Bits page 286 illustrate the two cases of a minimum ACL and an extended ACL The figu...

Page 304: ...mask entry This is shown in Figure 14 2 Extended ACL ACL Entries Compared to Permission Bits page 286 Figure 14 2 Extended ACL ACL Entries Compared to Permission Bits This mapping approach ensures the...

Page 305: ...tion like file mydir owner tux group project3 user rwx group r x other The first three output lines display the name owner and owning group of the directory The next three lines contain the three ACL...

Page 306: ...ACL for this item According to the output of the ls command the permissions for the mask entry include write access Traditionally such permission bits would mean that the owning group here project3 al...

Page 307: ...ault ACL affects both subdirectories and files Effects of a Default ACL There are two ways in which the permissions of a directory s default ACL are passed to the files and subdirectories A subdirecto...

Page 308: ...up mascots r x default mask r x default other getfacl returns both the access ACL and the default ACL The default ACL is formed by all lines that start with default Although you merely executed the se...

Page 309: ...e ls l mydir myfile then shows rw r tux project3 mydir myfile The output of getfacl mydir myfile is file mydir myfile owner tux group project3 user rw group r x effective r group mascots r x effective...

Page 310: ...result access granted Likewise if none of the suitable group entries contains the required permissions a randomly selected entry triggers the final result access denied 14 5 ACL Support in Application...

Page 311: ...14 6 For More Information Detailed information about ACLs is available at http acl bestbits at Also see the man pages for getfacl 1 acl 5 and setfacl 1 Access Control Lists in Linux 293...

Page 312: ......

Page 313: ...nstallable RPM archives are packed in a special binary format These archives consist of the program files to install and certain meta information used during the installation by rpm to configure the s...

Page 314: ...re no conflicts with other packages With an error message rpm requests those packages that need to be installed to meet dependency requirements In the background the RPM database ensures that no confl...

Page 315: ...o a newer RPM rpmnew does not disclose any information as to whether the system administrator has made any changes to the configuration file A list of these files is available in var adm rpmconfigchec...

Page 316: ...ee different versions of pine The installed version in the example is also listed so the patch can be installed Which files are replaced by the patch The files affected by a patch can easily be seen i...

Page 317: ...elta RPM on an old RPM results in the complete new RPM It is not necessary to have a copy of the old RPM because a delta RPM can also work with an installed RPM The delta RPM packages are even smaller...

Page 318: ...to query the RPM database of installed packages Several switches are available to specify the type of information required See Table 15 1 The Most Important RPM Query Options page 300 Table 15 1 The M...

Page 319: ...re DSA SHA1 Sat 02 Oct 2004 03 59 56 AM CEST Key ID a84edae89c800aca Packager http www suse de feedback URL http wget sunsite dk Summary A tool for mirroring FTP and HTTP servers Description Wget enab...

Page 320: ...n be made Initiate these with V y or verify With this option rpm shows all files in a package that have been changed since installation rpm uses eight character symbols to give some hints about the fo...

Page 321: ...ry a src rpm extension source RPM TIP Source packages can be copied from the installation medium to the hard disk and unpacked with YaST They are not however marked as installed i in the package manag...

Page 322: ...ges SOURCES wget 1 9 1 ipvmisc patch usr src packages SOURCES wget 1 9 1 brokentime patch usr src packages SOURCES wget 1 9 1 passive_ftp diff usr src packages SOURCES wget LFS 20040909 tar bz2 usr sr...

Page 323: ...built To establish this chroot environment the build script must be provided with a complete package tree This tree can be made available on the hard disk via NFS or from DVD Set the position with bui...

Page 324: ...opy parts of them It represents archives as virtual file systems offering all usual menu options of Midnight Commander Display the HEADER with F3 View the archive structure with the cursor keys and En...

Page 325: ...gn prompt Omissions are indicated with square brackets and long lines are wrapped where necessary Line breaks for long lines are indicated by a backslash command x y output line 1 output line 2 output...

Page 326: ...ynamic executable tester linux file bin sash bin sash ELF 32 bit LSB executable Intel 80386 version 1 SYSV for GNU Linux 2 6 4 statically linked for GNU Linux 2 6 4 stripped 16 1 2 Library Calls of a...

Page 327: ...89696 0 mmap2 NULL 89696 PROT_READ MAP_PRIVATE 3 0 0xb7ef2000 close 3 0 open lib librt so 1 O_RDONLY 3 read 3 177ELF 1 1 1 0 0 0 0 0 0 0 0 0 3 0 3 0 1 0 0 0000 36 0 512 512 fstat64 3 st_mode S_IFREG 0...

Page 328: ...inux 2 2 5 dynamically linked uses shared libs stripped The parameter f list specifies a file with a list of filenames to examine The z allows file to look inside compressed files tester linux file us...

Page 329: ...K 252M 1 dev dev hda1 16M 6 6M 7 8M 46 boot dev hda4 27G 34M 27G 1 local Display the total size of all the files in a given directory and its subdirectories with the command du The parameter s suppres...

Page 330: ...etc profile File etc profile Size 7930 Blocks 16 IO Block 4096 regular file Device 303h 771d Inode 40657 Links 1 Access 0644 rw r r Uid 0 root Gid 0 root Access 2006 01 06 16 45 43 000000000 0100 Modi...

Page 331: ...dge rev 81 00 1f 0 ISA bridge Intel Corporation 82801DB DBL ICH4 ICH4 L LPC Interface Bridge rev 01 00 1f 1 IDE interface Intel Corporation 82801DB ICH4 IDE Controller rev 01 00 1f 3 SMBus Intel Corpo...

Page 332: ...lash 2 0 Astone USB Drive Bus 004 Device 006 ID 04b4 6830 Cypress Semiconductor Corp USB 2 0 IDE Adapter Bus 004 Device 005 ID 05e3 0605 Genesys Logic Inc Bus 004 Device 001 ID 0000 0000 Bus 003 Devic...

Page 333: ...grown table increases it might be a good idea to replace the hard disk 16 4 Networking 16 4 1 Show the Network Status netstat netstat shows network connections routing tables r interfaces i masquerade...

Page 334: ...x2 trc netpoll ESTABLISHED 19422 s tcp 0 0 localhost ssh localhost 17828 ESTABLISHED In the following statistics for the TCP protocol are displayed tester linux netstat s t Tcp 2427 active connections...

Page 335: ...042 2 0 XT PIC cascade 5 564535 XT PIC Intel 82801DB ICH4 7 1 XT PIC parport0 8 2 XT PIC rtc 9 1 XT PIC acpi uhci_hcd usb1 ehci_hcd usb4 10 0 XT PIC uhci_hcd usb3 11 71772 XT PIC uhci_hcd usb2 eth0 12...

Page 336: ...s 0 2006 01 09 17 04 mem r r r 1 tester users 0 2006 01 09 17 04 mounts rw r r 1 tester users 0 2006 01 09 17 04 oom_adj r r r 1 tester users 0 2006 01 09 17 04 oom_score lrwxrwxrwx 1 tester users 0 2...

Page 337: ...73024 Swap 658656 0 658656 Bootup Mon Jan 9 12 59 08 2006 Load average 0 10 0 04 0 05 1 86 5406 user 0 02 07 98 0 8 page in 442638 disk 1 20125r 134 nice 0 02 20 91 0 9 page out 134950 system 0 00 42...

Page 338: ...66 192000 2 0x00000000 83984391 tester 666 282464 2 0x00000000 84738056 root 644 151552 2 dest Semaphore Arrays key semid owner perms nsems 0x4d038abf 0 tester 600 8 Message Queues key msqid owner per...

Page 339: ...hd init pid 4813 Ss 0 00 sshd tester priv 4817 R 0 00 sshd tester pts 0 The process list can be formatted according to your needs The option L returns a list of all keywords Enter the following comman...

Page 340: ...xmatrix kdesud kdm X kdm startkde kwrapper The parameter p adds the process ID to a given name To have the command lines displayed as well use the a parameter 16 6 4 Processes top The command top whic...

Page 341: ...serfs 0 923 root 13 4 1712 552 344 S 0 0 0 1 0 00 67 udevd 1343 root 10 5 0 0 0 S 0 0 0 0 0 00 00 khubd 1587 root 20 0 0 0 0 S 0 0 0 0 0 00 00 shpchpd_event 1746 root 15 0 0 0 0 S 0 0 0 0 0 00 00 w1_c...

Page 342: ...swap areas are shown tester linux free total used free shared buffers cached Mem 515584 501704 13880 0 73040 334592 buffers cache 94072 421512 Swap 658656 0 658656 The options b k m g show output in b...

Page 343: ...ole 0 changed to on NET Registered protocol family 10 Disabled Privacy Extensions on device c0326ea0 lo IPv6 over IPv4 tunneling driver powernow This module only works with AMD K7 CPUs bootsplash stat...

Page 344: ...B bash 5552 tester mem REG 3 3 97165 8828 lib ld 2 3 6 so bash 5552 tester 0u CHR 136 5 7 dev pts 5 bash 5552 tester 1u CHR 136 5 7 dev pts 5 bash 5552 tester 2u CHR 136 5 7 dev pts 5 bash 5552 tester...

Page 345: ...138806692 add class scsi_generic sg1 UEVENT 1138806692 add class scsi_device 4 0 0 0 UDEV 1138806693 add devices pci0000 00 0000 00 1d 7 usb4 4 2 4 2 2 4 2 2 UDEV 1138806693 add class scsi_generic sg1...

Page 346: ...54 9 1 30 31 42K 3K 45K SUSEWatche 4400000 2 11 1 30 34 34K 2K 36K 16489 kdesu 1a00000 255 7 0 42 11 19K 6K 26K KMix 3800000 2 14 1 34 37 21K 2K 24K 22242 knotify 1e00000 10 7 0 42 9 15K 624B 15K KPo...

Page 347: ...etermine the time spent by commands with the time utility This utility is available in two versions as a shell built in and as a program usr bin time tester linux time find dev null real 0m4 051s user...

Page 348: ......

Page 349: ...slow network links or if you want to perform tasks as root on the command line For Linux newbies it might be rather unusual to enter commands in a shell but you will soon realize that the shell is not...

Page 350: ...the hostname of your computer here knox and the current path in this case your home directory indicated by the tilde symbol When you are logged in on a remote computer this information always shows yo...

Page 351: ...nts of a directory The command can be used with or without options En tering the plain ls command shows the contents of the current directory Figure 17 2 The ls Command Unlike in other operating syste...

Page 352: ...rmissions and the user concept of Linux in Section 17 2 Users and Access Permissions page 343 The next column shows the file size in bytes Then date and time of the last change are displayed The last...

Page 353: ...directories of the example users yxz linux and tux The home directory contains the directories in which the individual users can store their personal files NOTE Home Directory in a Network Environment...

Page 354: ...ams and local distribution indepen dent extensions usr local usr usr local Generally accessible programs usr bin and reserved for the system administrator usr sbin usr bin usr sbin Various documentati...

Page 355: ...To change directories use the cd command To switch to your home directory enter cd Refer to the current directory with a dot This is mainly useful for other com mands cp mv The next higher level in t...

Page 356: ...mp test without changing the name of the file 2d Check this by entering ls l tmp test The file myfile txt should appear in the list of contents for tmp test To list the contents of home directories of...

Page 357: ...type the first letters then press If the filename or path can be uniquely identified it is completed at once and the cursor moves to the end of the filename You can then enter the next option of the...

Page 358: ...character is a number ls Testfile 1 9 or using classes ls Testfile digit Of the four types of wild cards the most inclusive one is the asterisk It could be used to copy all files contained in one dir...

Page 359: ...existing file named file txt If the file does not exist it is created Sometimes it is also useful to use a file as the input for a command For example with the tr command you can replace characters r...

Page 360: ...s on screen while creating the archive f for file Choose a filename for the archive file When creating an archive this option must always be given as the last one To pack the test directory with all i...

Page 361: ...ry 17 1 6 Cleaning Up After this crash course you should be familiar with the basics of the Linux shell or command line You may want to clean up your home directory by deleting the various test files...

Page 362: ...mber File Access The organization of permissions in the file system differs for files and directories File permission information can be displayed with the command ls l The output could appear as in E...

Page 363: ...Directory Permissions drwxrwxr x 1 tux project3 35 Jun 21 15 15 ProjectData In Example 17 2 Sample Output Showing Directory Permissions page 345 the owner tux and the owning group project3 of the dir...

Page 364: ...s he can do this by entering the command chmod go w ProjectData To prohibit all users from adding a new file to the folder ProjectData enter chmod w ProjectData Now not even the owner can create a new...

Page 365: ...PgUp and PgDn Move between the beginning and the end of a document with Home and End End this viewing mode by pressing Q Learn more about the man command itself with man man In the following overview...

Page 366: ...isting targetfile is overwritten rm options files Removes the specified files from the file system Directories are not removed by rm unless the option r is used r Deletes any existing subdirectories i...

Page 367: ...the specified username R Changes files and directories in all subdirectories chgrp options groupname files Transfers the group ownership of a given file to the group with the specified group name The...

Page 368: ...h 4 the write permission with 2 and the permission for executing a file is set with 1 The owner of a file would usually receive a 6 or a 7 for executable files gzip parameters files This program compr...

Page 369: ...This command is only available if you have installed the findutils locate package The locate command can find in which directory a specified file is lo cated If desired use wild cards to specify filen...

Page 370: ...specified files z Tries to look inside compressed files cat options files The cat command displays the contents of a file printing the entire contents to the screen without interruption n Numbers the...

Page 371: ...es the output more readable File Systems mount options device mountpoint This command can be used to mount any data media such as hard disks CD ROM drives and other drives to a directory of the Linux...

Page 372: ...on df options directory The df disk free command when used without any options displays information about the total disk space the disk space currently in use and the free space on all the mounted dri...

Page 373: ...to access a page that briefly explains the main options for customizing the program ps options process ID If run without any options this command displays a table of all your own programs or processes...

Page 374: ...twork link is basically functioning c number Determines the total number of packages to send and ends after they have been dispatched by default there is no limitation set f flood ping sends as many d...

Page 375: ...ssword The password is not required from root because root is authorized to assume the identity of any user When using the command without specifying a username you are prompted for the root password...

Page 376: ...ode On start up vi is normally set to the command mode The first thing to learn is how to switch between the modes Command Mode to Insert Mode There are many possibilities including A for append I for...

Page 377: ...ed mode w stands for write and q for quit 17 4 2 vi in Action vi can be used as a normal editor In insert mode enter text and delete text with the and Del keys Use the arrow keys to move the cursor Ho...

Page 378: ...rrent cursor position A Change to insert mode characters are added at the end of the line Shift A Change to replace mode overwrite the old text Shift R Replace the character under the cursor R Change...

Page 379: ...book OPL pdf The Web pages of the vim project at http www vim org feature all kinds of news mailing lists and other documentation A number of vim sources are available on the Internet http www selflin...

Page 380: ......

Page 381: ...Part III System...

Page 382: ......

Page 383: ...about the kernel API and an explanation of how 32 bit applications can run under a 64 bit kernel NOTE 31 Bit Applications on IBM System z s390 on IBM System z uses a 31 bit environment References to...

Page 384: ...nvironments All 64 bit libraries and object files are located in directories called lib64 The 64 bit object files you would normally expect to find under lib usr lib and usr X11R6 lib are now found un...

Page 385: ...o linkers and assemblers A biarch development tool chain currently exists for amd64 supports development for x86 and amd64 instructions for s390x and for ppc64 32 bit objects are normally created on t...

Page 386: ...archi tecture is a 32 bit architecture x86_64 or s390x you need the following RPMs libaio 32bit 32 bit runtime package libaio devel 32bit Headers and libraries for 32 bit development libaio 64 bit run...

Page 387: ...o on come from usr lib LDFLAGS L usr lib 5 Determine that the libraries are stored in the lib subdirectory libdir usr lib 6 Determine that the 32 bit X libraries are used x libraries usr X11R6 lib Not...

Page 388: ...ber of applications like lspci must be compiled on non ppc64 platforms as 64 bit pro grams to function properly On IBM System z not all ioctls are available in the 32 bit kernel ABI A 64 bit kernel ca...

Page 389: ...ine does not access any mass storage media Subsequently the information about the current date time and the most important peripherals are loaded from the CMOS values When the first hard disk and its...

Page 390: ...the root device 4 init on initramfs This program performs all actions needed to mount the proper root file system like providing kernel functionality for the needed file system and device drivers for...

Page 391: ...e INITRD_MODULES in etc sysconfig kernel After installation this variable is automatically set to the correct value The modules are loaded in exactly the order in which they appear in INITRD_MODULES T...

Page 392: ...led during the initial boot as part of the installation process its tasks differ from those mentioned earlier Finding the Installation Medium As you start the installation process your machine loads a...

Page 393: ...d daemons are available in each of the levels Depending on the entries in etc inittab several scripts are run by init For reasons of clarity these scripts called init scripts all reside in the directo...

Page 394: ...if your system mounts a partition like usr via NFS The system might behave unexpectedly if program files or libraries are missing because the NFS service is not available in runlevel 2 local multiuser...

Page 395: ...6 The X Window System page 481 before the run level can be switched to 5 If this is done check whether the system works in the desired way by entering telinit 5 If everything turns out as expected you...

Page 396: ...nit q 19 2 2 Init Scripts There are two types of scripts in etc init d Scripts Executed Directly by init This is the case only during the boot process or if an immediate system shutdown is initiated p...

Page 397: ...runlevel specific subdirectory make it possible to associate scripts with different runlevels When installing or uninstalling packages these links are added and removed with the help of the program i...

Page 398: ...fter first entering the root password Last executed is the script boot local boot local Here enter additional commands to execute at boot before changing into a runlevel It can be compared to AUTOEXEC...

Page 399: ...ault Start 3 5 Default Stop 0 1 2 6 Description Start FOO to allow XY and provide YZ END INIT INFO In the first line of the INFO block after Provides specify the name of the program or service control...

Page 400: ...when insserv is run later for some other service The manually added service will be removed with the next run of insserv 19 2 3 Configuring System Services Runlevel with YaST After starting this YaST...

Page 401: ...individual services and daemons The table lists the services and daemons available shows whether they are currently enabled on your system and if so for which runlevels After selecting one of the rows...

Page 402: ...to the file etc host conf as well because this is one of the files relevant for the network configuration This concept allows most configurations to be made in one central place without fiddling with...

Page 403: ...selection and the current setting of this variable Below a third window displays a short description of the variable s purpose possible values the default value and the actual configuration file from...

Page 404: ...el with a command like init default_runlevel Replace default_runlevel with the default run level of the system Choose 5 if you want to return to full multiuser with network and X or choose 3 if you pr...

Page 405: ...ader directly impacts the start of the operating system The following terms appear frequently in this chapter and might need some explanation Master Boot Record The structure of the MBR is defined by...

Page 406: ...If you update from an older SUSE Linux Enterprise version that uses LILO LILO is in stalled Information about the installation and configuration of LILO is available in the Support Database under the...

Page 407: ...ly GRUB can be controlled in various ways Boot entries from an existing configuration can be selected from the graphical menu splash screen The configuration is loaded from the file menu lst In GRUB a...

Page 408: ...played as a selectable option in the menu All commands up to the next title are executed when this menu item is selected The simplest case is the redirection to boot loaders of other operating systems...

Page 409: ...differ from those used for normal Linux devices It more closely resembles the simple disk enumeration the BIOS does and the syntax is similar to that used in some BSD derivatives In GRUB the numberin...

Page 410: ...tructure of a GRUB menu file The example instal lation has a Linux boot partition under dev hda5 a root partition under dev hda7 and a Windows installation under dev hda1 gfxmenu hd0 4 message color w...

Page 411: ...nel parameters such as the root partition and VGA mode are appended here The root partition is specified according to the Linux naming convention dev hda7 because this information is read by the kerne...

Page 412: ...edure is also useful for testing new settings without impairing the native system After activating the editing mode use the arrow keys to select the menu entry of the configuration to edit To make the...

Page 413: ...various factors and Linux is not able to identify the mapping the sequence in the file device map can be set manually If you encounter problems when booting check if the sequence in this file corresp...

Page 414: ...ader should be installed in the the extended partition container grub stage1 hd0 3 This is a slightly esoteric configuration but it is known to work in many cases stage2 should be loaded to the memory...

Page 415: ...However users can still boot all operating systems from the boot menu 3 To prevent one or several operating systems from being booted from the boot menu add the entry lock to every section in menu ls...

Page 416: ...1 Boot Loader Settings Use the Section Management tab to edit change and delete boot loader sections for the individual operating systems To add an option click Add To change the value of an existing...

Page 417: ...ation Have YaST propose a new configuration Convert Current Configuration Have YaST convert the current configuration When converting the configu ration some settings may be lost Start New Configurati...

Page 418: ...o change the location of the boot loader follow these steps Procedure 20 2 Changing the Boot Loader Location 1 Select the Boot Loader Installation tab then select one of the following options for Boot...

Page 419: ...ot boot the default system immediately During the time out you can select the system to boot or write some kernel parameters To set the boot loader time out proceed as follows Procedure 20 4 Changing...

Page 420: ...it had prior to the installation of Linux During the installation YaST automatically creates a backup copy of the original MBR and restores it on request To uninstall GRUB start the YaST boot loader...

Page 421: ...p boot initrd iso boot cp boot message iso boot cp usr lib grub stage2_eltorito iso boot grub cp boot grub menu lst iso boot grub 4 Adjust the path entries in iso boot grub menu lst to make them point...

Page 422: ...s to disable the SUSE screen if desired Disabling the SUSE Screen When Necessary Enter the command echo 0 proc splash on the command line to disable the graphical screen To activate it again enter ech...

Page 423: ...tallation configuration and maintenance of LILO is available in the Support Database under the keyword LILO GRUB also returns this error message if Linux was installed on an additional hard disk that...

Page 424: ...arted from the second hard disk For this purpose the logical order of the hard disks is changed with map This change does not affect the logic within the GRUB menu file Therefore the second hard disk...

Page 425: ...by a section about language and country specific settings I18N and L10N 21 1 Information about Special Software Packages The programs bash cron logrotate locate ulimit and free and the file resolv co...

Page 426: ...aditional tool to use cron is driven by specially formatted time tables Some of of them come with the system and users can write their own tables if needed The cron tables are located in var spool cro...

Page 427: ...rity They are contained in the package aaa_base etc cron daily con tains for example the components suse de backup rpmdb suse de clean tmp or suse de cron local 21 1 3 Log Files Package logrotate Ther...

Page 428: ...ate 0664 root utmp rotate 1 system specific logs may be also be configured here logrotate is controlled through cron and is called daily by etc cron daily logrotate IMPORTANT The create option reads a...

Page 429: ...page 411 Table 21 1 ulimit Setting Resources for the User Maximum size of physical memory m Maximum size of virtual memory v Maximum size of the stack s Maximum size of the core files c Display of li...

Page 430: ...ct knowledge of any applications or user data Instead it manages applications and user data in a page cache If memory runs short parts of it are written to the swap partition or to files from which th...

Page 431: ...ividual users from etc skel emacs in turn reads the file etc skel gnu emacs To customize the program copy gnu emacs to the home directory with cp etc skel gnu emacs gnu emacs and make the desired sett...

Page 432: ...multitasking system The advantages of these features can be appreciated even on a stand alone PC system In text mode there are six virtual consoles available Switch between them using Alt F1 to Alt F...

Page 433: ...iled information about the input of Chinese Japanese and Korean CJK is available at Mike Fabian s page http www suse de mfabian suse cjk input html 21 4 Language and Country Specific Settings The syst...

Page 434: ...onfig Editor page 384 The value of such a variable contains the language code country code encoding and modifier The individual components are connected by special characters LANG language _ COUNTRY E...

Page 435: ...lso covers the Euro symbol It is only useful if an application does not support UTF 8 but ISO 8859 15 SuSEconfig reads the variables in etc sysconfig language and writes the necessary changes to etc S...

Page 436: ...Nynorsk and Bokm l instead with additional fallback to no LANG nn_NO LANGUAGE nn_NO nb_NO no or LANG nb_NO LANGUAGE nb_NO nn_NO no Note that in Norwegian LC_TIME is also treated differently One proble...

Page 437: ...kus Kuhn UTF 8 and Unicode FAQ for Unix Linux currently at http www cl cam ac uk mgk25 unicode html Unicode Howto by Bruno Haible usr share doc howto en html Unicode HOWTO html Special System Features...

Page 438: ......

Page 439: ...1 System and Software Requirements page 422 Section 22 2 Virtualization Infrastructure page 425 Section 22 3 Installing Virtualization Software page 426 Section 22 4 Starting the Virtualization Host S...

Page 440: ...nts for the virtualization host server are the same as those for the SUSE Linux operating system but additional CPU disk memory and network requirements should be added to accomodate the resource dema...

Page 441: ...ernel xenpae used instead of kernel xen this package is required to enable a 32 bit virtualization host server to access memory over 3 GB yast2 vm You should install the newest version available Updat...

Page 442: ...t Table 22 2 Modified Operating Systems Tested to Run in Paravirtual Mode x86 64 bit x86 32 bit Operating System X X SUSE Linux Enterprise Server 10 SP1 X X SUSE Linux Enterprise Desktop 10 SP1 X Open...

Page 443: ...aravirtual mode Full virtualization mode lets virtual machines run unmodified operating systems such as Windows Server 2003 but requires the computer running the virtualization host server to support...

Page 444: ...dy running SUSE Linux NOTE Only applications and processes required for virtualization should be installed on the virtualization host server Virtualization software can be installed by using one of th...

Page 445: ...the virtualization host server desktop and run the rpm U package_name command Restart the computer NOTE If you use the rpm command you can safely ignore any messages stating Cannot determine dependenc...

Page 446: ...een updated 22 5 Managing Virtual Machines Virtual machines can be created and managed by using the Virtual Machine Manager 1 On the virtualization host server click YaST Virtualization Virtual Machin...

Page 447: ...console for the selected virtual machine Delete completely removes the selected virtual machine Start a virtual machine by selecting it from the list click Open and then click Run Virtual Machine Man...

Page 448: ...console of an already run ning virtual machine xm console vm_name Change the memory available to a virtual machine xm mem set vm_name MB_Memory Perform a normal shutdown of the virtual machine s opera...

Page 449: ...2 Choose between installing an operating system or using a disk or disk image that already has an installed operating system The option to set up a virtual machine based on an existing disk or disk i...

Page 450: ...e host operating system and the operating system of each virtual machine you plan to run simultaneously For example simultaneously running four Windows Server 2003 R2 Standard Edition virtual machines...

Page 451: ...ation source can be launched from CD DVD or from ISO image files Virtual disks can be based on a file partition volume or other type of block device Virtual machines are managed using the Virtual Mach...

Page 452: ......

Page 453: ...like USB or parallel port that is available on your hardware and a suitable printer language Printers can be categorized on the basis of the following three classes of printer languages PostScript Pr...

Page 454: ...mmon printer languages They use their own undocumented printer languages which are subject to change when a new edition of a model is released Usually only Windows drivers are available for these prin...

Page 455: ...filter system makes sure that options selected by the user are enabled If you use a PostScript printer the filter system converts the data into printer specific PostScript This does not require a prin...

Page 456: ...he installation of SUSE Linux Enterprise many PPD files are prein stalled to enable even printers without PostScript support to be used To configure a PostScript printer the best approach is to get a...

Page 457: ...Manually page 439 If the manual configuration does not work communication between printer and computer is not possible Check the cable and the plugs to make sure that the printer is properly connected...

Page 458: ...port to which the printer is connected usually USB or parallel port and choose the device in the next configuration screen It is recommended to Test the Printer Connection at this point If problems o...

Page 459: ...ry contains the following entries which you can also modify with Edit Name and basic settings Printer Model and Connection let you change en tries made while following this procedure Refer to Section...

Page 460: ...ing Database When downloading PPD files from linuxprint ing org keep in mind that it always shows the latest Linux support status which is not necessarily met by SUSE Linux Enterprise Choosing an Alte...

Page 461: ...the printer port for example socket 192 168 0 202 9100 LPD Line Printer Daemon The proven LPD protocol is described in RFC 1179 Under this protocol some job related data such as the ID of the printer...

Page 462: ...139 515 631 9100 10000 printerIP 23 5 1 Configuring Network Printers with YaST Network printers are not detected automatically They must be configured manually using the YaST printer module Depending...

Page 463: ...ueues To add a print queue use the following syntax lpadmin p queue v device URI P PPD file E Then the device v is available as queue p using the specified PPD file P This means that you must know the...

Page 464: ...oot settings are written to etc cups lpoptions 23 6 Graphical Printing Interfaces Tools such as xpp and the KDE program KPrinter provide a graphical interface for choosing queues and setting both CUPS...

Page 465: ...Server and Firewall There are several ways to configure CUPS as the client of a network server 1 For every queue on the network server you can configure a local queue through which to forward all jobs...

Page 466: ...aST page 822 for details of firewall configuration Alternatively the user can detect CUPS servers by actively scanning the local network hosts or configure all queues manually However this method is n...

Page 467: ...rom 127 0 0 2 Allow From LOCAL Location In this way only LOCAL hosts can access cupsd on a CUPS server LOCAL hosts are hosts whose IP addresses belong to a non PPP interface interfaces whose IFF_POINT...

Page 468: ...he vendor and model database For example if you only have PostScript printers normally you do not need the Foomatic PPD files in the cups drivers package or the Gimp Print PPD files in the cups driver...

Page 469: ...uitable PPD file of the printer manufacturer because this file enables the use of all functions of the PostScript printer YaST prefers a PPD file from the manufacturer PPDs package if the following co...

Page 470: ...1 Printers without Standard Printer Language Support These printers do not support any common printer language and can only be addressed with special proprietary control sequences Therefore they can o...

Page 471: ...lopments in the print system 23 9 2 No Suitable PPD File Available for a PostScript Printer If the manufacturer PPDs package does not contain any suitable PPD file for a PostScript printer it should b...

Page 472: ...Mode for the First Parallel Port page 454 Before ac tivating the interrupt mode check the file proc interrupts to see which interrupts are already in use Only the interrupts currently being used are d...

Page 473: ...possible on the queue on host If you receive a response like that in Example 23 2 Error Message from lpd page 455 the problem is caused by the remote lpd Example 23 2 Error Message from lpd lpd your...

Page 474: ...ometimes cause problems when they have to deal with a lot of print jobs Because this is caused by the spooler in the print server box there is nothing you can do about it As a work around circumvent t...

Page 475: ...when the CUPS back end completes the data transfer to the recipient printer If the further processing on the recipient fails for example if the printer is not able to print the printer specific data t...

Page 476: ...print job on the server can be deleted cancel h print server queue jobnnumber 23 9 8 Defective Print Jobs and Data Transfer Errors Print jobs remain in the queues and printing resumes if you switch th...

Page 477: ...e precisely the parallel port 4 Reset the printer completely by switching it off for some time Then insert the paper and turn on the printer 23 9 9 Debugging the CUPS Print System Use the following ge...

Page 478: ......

Page 479: ...est and import additional data to evaluate during device handling 24 1 The dev Directory The device nodes in the dev directory provide access to the corresponding kernel devices With udev the dev dire...

Page 480: ...ules and Devices The kernel bus drivers probe for devices For every detected device the kernel creates an internal device structure and the driver core sends a uevent to the udev daemon Bus devices id...

Page 481: ...vents from the kernel after the root file system is available so the event for the USB mouse device just runs again Now it finds the kernel module on the mounted root file system and the USB mouse can...

Page 482: ...M 1043 PHYSDEVPATH devices pci0000 00 0000 00 1d 1 usb2 2 2 2 2 1 0 PHYSDEVBUS usb PHYSDEVDRIVER usbhid PRODUCT 3 46d c03e 2000 NAME Logitech USB PS 2 Optical Mouse PHYS usb 0000 00 1d 1 2 input0 UNIQ...

Page 483: ...appropriate block device the kernel creates is examined by tools with special knowledge about certain buses drive types or file systems Along with the dynamic kernel provided device node name udev ma...

Page 484: ...the blacklist option in modprobe conf etc dev d Replaced by the udev rule RUN key etc hotplug d Replaced by the udev rule RUN key sbin hotplug Replaced by udevd listening to netlink only used in the i...

Page 485: ...ion about udev keys rules and other important configuration is sues udevinfo udevinfo can be used to query device information from the udev database udevd Information about the udev event managing dae...

Page 486: ......

Page 487: ...ut the data Almost every file system has its own structure of metadata which is part of why the file systems show different performance characteristics It is extremely important to maintain metadata i...

Page 488: ...chapter do not refer to the consistency of the user space data the data your application writes to its files Whether this data is consistent must be controlled by the application itself IMPORTANT Set...

Page 489: ...cepts outlined in the Ext3 section Section 25 2 3 Ext3 page 472 The default mode is data ordered which ensures both data and metadata integrity but uses journaling only for metadata 25 2 2 Ext2 The o...

Page 490: ...at Ext3 supports journaling In summary Ext3 has three major advantages to offer Easy and Highly Reliable Upgrades from Ext2 Because Ext3 is based on the Ext2 code and shares its on disk format as well...

Page 491: ...ify something else Ext3 is run with the data ordered default 25 2 4 Converting an Ext2 File System into Ext3 To convert an Ext2 file system to Ext3 proceed as follows 1 Create an Ext3 journal by runni...

Page 492: ...Naturally the concept of independent allocation groups suits the needs of multiprocessor systems High Performance through Efficient Management of Disk Space Free space and inodes are handled by B tree...

Page 493: ...node man ager NM To monitor the availability of the nodes in a cluster OCFS2 includes a simple heartbeat implementation To avoid chaos arising from various nodes directly accessing the file system OCF...

Page 494: ...so9660 This file system originated from academic projects on operating systems and was the first file system used in Linux Today it is used as a file system for floppy disks minix fat the file system...

Page 495: ...fied to support file sizes larger than 2 GB when using a new set of in terfaces that applications must use Today almost all major file systems offer LFS support allowing you to perform high end comput...

Page 496: ...s follows File Size On 32 bit systems files may not exceed the size of 2 TB 2 41 bytes File System Size File systems may be up to 2 73 bytes in size However this limit is still out of reach for the cu...

Page 497: ...IBM de veloperWorks http www 106 ibm com developerworks library l fs html A very in depth comparison of file systems not only Linux file systems is available from the Wikipedia project http en wikiped...

Page 498: ......

Page 499: ...prise TIP IBM System z Configuring the Graphical User Interface IBM System z do not have any input and output devices supported by X Org Therefore none of the configuration procedures described in thi...

Page 500: ...he primary configuration file for the X Window System Find all the settings here concerning your graphics card mouse and monitor IMPORTANT Using X configure Use X configure to configure your X setup i...

Page 501: ...mally the server refuses any modeline that does not correspond with the specification of the monitor This prevents too high frequencies from being sent to the monitor by accident The modeline paramete...

Page 502: ...ther information about the other sections can be found in the manual pages of X Org and xorg conf There can be several different Monitor and Device sections in xorg conf Even multiple Screen sections...

Page 503: ...splay sections are specified Depth determines the color depth to use with this set of Display settings Possible values are 8 15 16 24 and 32 although not all of these are supported by all X server mod...

Page 504: ...referenced in the following ServerLayout sec tion The lines Device and Monitor specify the graphics card and the monitor that belong to this definition These are just links to the Device and Monitor s...

Page 505: ...g software Depending on the driver module there are various options available which can be found in the description files of the driver modules in the directory usr share doc package_name Generally va...

Page 506: ...installation directory should be a subdirectory of the directories configured in etc fonts fonts conf see Sec tion 26 2 2 Xft page 490 or be included into this file with etc fonts suse font dirs conf...

Page 507: ...systems 26 2 1 X11 Core Fonts Today the X11 core font system supports not only bitmap fonts but also scalable fonts like Type1 fonts TrueType and OpenType fonts Scalable fonts are only supported witho...

Page 508: ...p iso10646 1 Nearly all Unicode fonts available in SUSE Linux Enterprise contain at least the glyphs needed for European languages formerly encoded as iso 8859 26 2 2 Xft From the outset the programme...

Page 509: ...e fonts For example enter match target font edit name antialias mode assign bool false bool edit match to disable antialiasing for all fonts or match target font test name family string Luxi Mono stri...

Page 510: ...eir style style their weight weight and the name of the files containing the fonts enter the following command fc list lang he scalable true family style weight The output of this command could look l...

Page 511: ...e lang The font weight such as 80 for regular or 200 for bold weight The slant usually 0 for none and 100 for italic slant The name of the file containing the font file true for outline fonts or false...

Page 512: ......

Page 513: ...these drawbacks is to separate applications from the authentication mechanism and delegate authentication to centrally managed modules Whenever a newly required authentication scheme is needed it is...

Page 514: ...les of this type check whether the user has general permission to use the re quested service As an example such a check should be performed to ensure that no one can log in under the username of an ex...

Page 515: ...module with the required flag The failure of a module with the sufficient flag has no direct conse quences in the sense that any subsequent modules are processed in their respective order optional The...

Page 516: ...installed Now the PAM configuration is made with central configuration files and all changes are automatically inherited by the PAM configuration of each service The first include file common auth cal...

Page 517: ...assword Section password required pam_pwcheck so nullok password required pam_unix2 so nullok use_first_pass use_authtok password required pam_make so var yp Again the PAM configuration of sshd involv...

Page 518: ...3 1 pam_unix2 conf The traditional password based authentication method is controlled by the PAM module pam_unix2 It can read the necessary data from etc passwd etc shadow NIS maps NIS tables or an L...

Page 519: ...RIDE PAM_RHOST DISPLAY DEFAULT REMOTEHOST 0 0 OVERRIDE DISPLAY The first line sets the value of the REMOTEHOST variable to localhost which is used whenever pam_env cannot determine any other value The...

Page 520: ...System Administrators Guide This document includes everything that a system administrator should know about PAM It discusses a range of topics from the syntax of configuration files to the security a...

Page 521: ...ent only the hardware information and configuration tool ACPI is available on all modern computers laptops desktops and servers All power management technologies require suitable hardware and BIOS rou...

Page 522: ...orresponds to the ACPI state S3 The support of this state is still under development and therefore largely depends on the hardware Hibernation suspend to disk In this operating mode the entire system...

Page 523: ...BIOS itself On many laptops standby and suspend states can be activated with key combinations or by closing the lid without any special operating system function However to activate these modes with...

Page 524: ...after shutdown bounce interval n Time in hundredths of a second after a suspend event during which additional suspend events are ignored idle threshold n System inactivity percentage from which the BI...

Page 525: ...ameter acpi force may be necessary for some older machines The computer must support ACPI 2 0 or later Check the kernel boot messages in var log boot msg to see if ACPI was activated Subsequently a nu...

Page 526: ...ir documentation are lo cated in the package pmtools For example acpidmp DSDT acpidisasm proc acpi ac_adapter AC state Shows whether the AC adapter is connected proc acpi battery BAT alarm info state...

Page 527: ...ontrolled by a daemon the maximum limits can be specified here Some of the limits are deter mined by the system Some can be adjusted by the user proc acpi thermal_zone A separate subdirectory exists f...

Page 528: ..._frequency causes the temper ature to be queried every X seconds Set X 0 to disable polling None of these settings information and events need to be edited manually This can be done with the Powersave...

Page 529: ...more conservative policy is used The load of the system must be high for a specific amount of time before the CPU frequency is increased powersave governor The cpu frequency is statically set to the...

Page 530: ...e CPU has little to do In SUSE Linux Enterprise these technologies are controlled by the powersave daemon The configuration is explained in Section 28 5 The powersave Package page 515 28 3 3 ACPI Tool...

Page 531: ...em may not be caused by ACPI after booting If an error occurs while parsing an ACPI table the most important table the DS DT can be replaced with an improved version In this case the faulty DSDT of th...

Page 532: ...Management Module page 524 The hdparm application can be used to modify various hard disk settings The option y instantly switches the hard disk to the standby mode Y puts it to sleep hdparm S x cause...

Page 533: ...loped for mobile devices See usr src linux Documentation laptop mode txt for details Another important factor is the way active programs behave For example good editors regularly write hidden backups...

Page 534: ...option listed there contains additional documentation about its functionality etc sysconfig powersave common This file contains general settings for the powersave daemon For example the amount of deb...

Page 535: ...gout Saves the settings and logs out from GNOME KDE or other window managers wm_shutdown Saves the GNOME or KDE settings and shuts down the system set_disk_settings Executes the disk settings made in...

Page 536: ...ical modules should be unloaded and which services should be stopped prior to a suspend or standby event When the system is resumed these modules are reloaded and the services are restarted You can ev...

Page 537: ...ed in the usr sbin s2ram binary provided by the suspend package To modify the default parameters for example to generally disable the suspend to ram sleep mode or to force it even for machines not lis...

Page 538: ...page 516 EVENT_BATTERY_NORMAL ignore EVENT_BATTERY_WARNING notify EVENT_BATTERY_LOW notify EVENT_BATTERY_CRITICAL wm_shutdown Adapting Power Consumption to Various Conditions The system behavior can b...

Page 539: ..._BUTTON_POWER wm_shutdown When the power button is pressed the system responds by shutting down the re spective window manager KDE GNOME fvwm etc EVENT_BUTTON_SLEEP suspend_to_disk When the sleep butt...

Page 540: ...urer to comply with the latest ACPI specification If the errors persist after the BIOS update proceed as follows to replace the faulty DSDT table in your BIOS with an updated DSDT 1 Download the DSDT...

Page 541: ...revented the sleep mode The log files generated by the powersave daemon in var log suspend2ram log and var log suspend2disk log are very helpful in this regard If the computer does not enter the sleep...

Page 542: ...jects_Powersave Project page in the openSUSE wiki 28 6 The YaST Power Management Module The YaST power management module can configure all power management settings already described When started from...

Page 543: ...he existing schemes like that shown in Figure 28 2 Overview of Existing Schemes page 525 Figure 28 2 Overview of Existing Schemes In the scheme overview select the scheme to modify then click Edit To...

Page 544: ...he noise level of the hard disk supported by few hard disks The Cooling Policy determines the cooling method to use Unfortunately this type of thermal control is rarely supported by the BIOS Read usr...

Page 545: ...ty and Critical Capacity Specific actions are triggered when the charge level drops under these limits Usually the first two states merely trigger a notification to the user The third critical level t...

Page 546: ...ystem response to pressing the power button pressing the sleep button and closing the laptop lid Click OK to complete the configuration and return to the start dialog Click Enable Suspend to enter a d...

Page 547: ...come an indispensable aspect of mobile computing Today most laptops have built in WLAN cards The 802 11 standard for the wireless commu nication of WLAN cards was prepared by the IEEE organization Ori...

Page 548: ...imes referred to as 802 11b However the popularity of cards using this standard is limited 29 1 1 Hardware 802 11 cards are not supported by SUSE Linux Enterprise Most cards using 802 11a 802 11b and...

Page 549: ...are used to ensure fast high quality and secure connections Different operating types suit different setups It can be difficult to choose the right authentication method The available encryption meth...

Page 550: ...During the authentication process both sides exchange the same information once in encrypted form and once in unen crypted form This makes it possible for the key to be reconstructed with suitable to...

Page 551: ...tage a secure is established and in the second one the client authentication data is exchanged They require far less certification management overhead than TLS if any Encryption There are various encr...

Page 552: ...ype Wireless in Network Address Setup and click Next In Wireless Network Card Configuration shown in Figure 29 1 YaST Configuring the Wireless Network Card page 534 make the basic settings for the WLA...

Page 553: ...y page 538 for information Depending on the selected authentication method YaST prompts you to fine tune the settings in another dialog For Open there is nothing to configure because this setting impl...

Page 554: ...he second stage of EAP TTLS or EAP PEAP communication If you selected TTLS in the previous dialog choose any MD5 GTC CHAP PAP MSCHAPv1 or MSCHAPv2 If you selected PEAP choose any MD5 GTC or MSCHAPv2 P...

Page 555: ...lity as well as security aspects of your WLAN Stability and Speed The performance and reliability of a wireless network mainly depend on whether the participating stations receive a clean signal from...

Page 556: ...than no encryption In enterprises with advanced security requirements wireless networks should only be operated with WPA 29 1 6 Troubleshooting If your WLAN card fails to respond check if you have do...

Page 557: ...wireless LAN cards and drivers support WPA Some cards need a firmware update to enable WPA If you want to use WPA read usr share doc packages wireless tools README wpa 29 1 7 For More Information The...

Page 558: ......

Page 559: ...Part IV Services...

Page 560: ......

Page 561: ...otocol but a family of network protocols that offer various services The protocols listed in Table 30 1 Several Protocols in the TCP IP Protocol Family page 544 are provided for the purpose of exchang...

Page 562: ...aranteed and data loss is a possibility UDP is suitable for record oriented appli cations It features a smaller latency period than TCP Internet Control Message Protocol Essentially this is not a prot...

Page 563: ...s work on a packet oriented basis The data to transmit is packaged in packets because it cannot be sent all at once The maximum size of a TCP IP packet is approximately 64 KB Packets are normally quit...

Page 564: ...ssed to the next layer The lowest layer is ultimately responsible for sending the data The entire procedure is reversed when data is received Like the layers of an onion in each layer the protocol hea...

Page 565: ...in IP addresses indicate the hierarchical system Until the 1990s IP addresses were strictly categorized in classes However this system has proven too inflexible and was discontinued Now classless rou...

Page 566: ...10111111 00001111 11001000 Netmask 255 255 255 0 11111111 11111111 11111111 00000000 Result of the link 11010101 10111111 00001111 00000000 In the decimal system 213 95 15 0 To give another example al...

Page 567: ...he address 127 0 0 1 is assigned to the loopback device on each host A connection can be set up to your own machine with this address Local Host Because IP addresses must be unique all over the world...

Page 568: ...ubnetwork with 256 IP addresses from which only 254 are usable because two IP addresses are needed for the structure of the subnetwork itself the broadcast and the base network address Under the curre...

Page 569: ...address from the information made available by the neighboring routers relying on a pro tocol called the neighbor discovery ND protocol This method does not require any intervention on the administrat...

Page 570: ...individually through unicasting Which hosts are addressed as a group may depend on the concrete application There are some predefined groups to ad dress all name servers the all name servers multicas...

Page 571: ...Any leading zero bytes within a given field may be dropped but zeros within the field or at its end may not Another convention is that more than four consecutive zero bytes may be collapsed into a do...

Page 572: ...2 or 3 as the first digit Currently there are the following address spaces 2001 16 production quality address space and 2002 16 6to4 address space Link local addresses Addresses with this prefix shou...

Page 573: ...unspecified This address is used by the host as its source address when the interface is initialized for the first time when the address cannot yet be determined by other means 1 loopback The address...

Page 574: ...For a host to go back and forth between different networks it needs at least two address es One of them the home address not only contains the interface ID but also an iden tifier of the home network...

Page 575: ...often too labor intensive to use them for daily communication needs Therefore IPv6 provides for three different methods of dynamic tunneling 6over4 IPv6 packets are automatically encapsulated as IPv4...

Page 576: ...x and gateways should be implemented The radvd program can be used to set up an IPv6 router This program informs the worksta tions which prefix to use for the IPv6 addresses and which routers Alternat...

Page 577: ...tter ISO national codes are the standard In addition to that longer TLDs were introduced in 2000 that represent certain spheres of activity for example info name museum In the early days of the Intern...

Page 578: ...twork configuration see Section 30 6 Configuring a Network Connection Manually page 580 During installation YaST can be used to configure automatically all interfaces that have been detected Additiona...

Page 579: ...dialog shows a list with all the network cards available for configuration Any card properly detected is listed with its name To change the confi guration of the selected device click Edit Devices tha...

Page 580: ...ting Advanced DHCP Options Specify whether the DHCP server should always honor broadcast requests and any identifier to use If you have a virtual host setup where different hosts communicate through t...

Page 581: ...k configuration during installation and the wired card was available a hostname was automatically generated for your computer and DHCP was activated The same applies to the name service information yo...

Page 582: ...tworks routing information must be given to make network traffic take the correct path If DHCP is used this information is automatically provided If a static setup is used this data must be added manu...

Page 583: ...never To change device start up proceed as follows 1 Select a card from the list of detected cards in the YaST network card configura tion module and click Edit 2 In the General tab select the desired...

Page 584: ...External Zone The firewall is run on this interface and fully protects it against other pre sumably hostile network traffic This is the default option 4 Click Next 5 Activate the configuration by cli...

Page 585: ...configure the wireless connection in the next dialog Detailed information about wireless device confi guration is available in Section 29 1 Wireless LAN page 529 5 In the General tab set the Firewall...

Page 586: ...rate and the modem initialization strings Only change these settings if your modem was not detected automatically or if it requires special settings for data transmission to work This is mainly the c...

Page 587: ...sable this option and enter the DNS data manually Stupid Mode This option is enabled by default With it input prompts sent by the ISP s server are ignored to prevent them from interfering with the con...

Page 588: ...ning of the card Figure 30 5 ISDN Configuration In the next dialog shown in Figure 30 5 ISDN Configuration page 570 select the protocol to use The default is Euro ISDN EDSS1 but for older or larger ex...

Page 589: ...re 30 6 ISDN Interface Configuration The number to enter for My Phone Number depends on your particular setup ISDN Card Directly Connected to Phone Outlet A standard ISDN line provides three phone num...

Page 590: ...permissions to activate or deactivate the interface select the User Controlled Details opens a dialog in which to implement more complex connection schemes which are not relevant for normal home users...

Page 591: ...able subscriber usually gets a modem that is connected to the TV cable outlet on one side and to a computer network card on the other using a 10Base TG twisted pair cable The cable modem then provides...

Page 592: ...ave not done so yet first configure the card by selecting Configure Network Cards see Sec tion 30 4 1 Configuring the Network Card with YaST page 560 In the case of a DSL link addresses may be assigne...

Page 593: ...o far which is why they are only briefly mentioned in the following paragraphs For details on the available options read the detailed help available from the dialogs To use Dial on Demand on a stand a...

Page 594: ...dress setup dialog specify the IP address and netmask for the new inter face and leave the network configuration by pressing Next and Finish The qeth ethernet Device To add a qeth ethernet IBM OSA Exp...

Page 595: ...ns see the Linux for IBM System z Device Drivers Features and Commands manual for reference at http www ibm com developerworks linux linux390 index html your IP address and an appropriate netmask Leav...

Page 596: ...a virtual system inside Xen You want to use SCPM for network configuration management To use SCPM and NetworkManager at the same time SCPM cannot control network resources You want to use more than on...

Page 597: ...rivileges For this reason NetworkManager is the ideal solution for a mobile workstation Traditional configuration with ifup also provides some ways to switch stop or start the connection with or witho...

Page 598: ...alization of the device with the script hwup When the network card is initialized as a new network interface the kernel generates another hotplug event that triggers the setup of the inter face with i...

Page 599: ...terface The search for the most suitable configuration is handled by getcfg The output of getcfg delivers all information that can be used for describing a device Details regarding the specification o...

Page 600: ...s automatically executed for the new interface via hotplug and the interface is set up if the start mode is onboot hotplug or auto and the network service was started Formerly the command ifup interfa...

Page 601: ...configuration files and explains their purpose and the format used etc syconfig hardware hwcfg These files contain the hardware configurations of network cards and other devices They contain the need...

Page 602: ...guration file etc sysconfig network ifroute Replace with the name of the inter face The entries in the routing configuration files look like this Destination Dummy Gateway Netmask Device 127 0 0 0 0 0...

Page 603: ...erver nameserver 192 168 0 20 Some services like pppd wvdial ipppd isdn dhcp dhcpcd and dhclient pcmcia and hotplug modify the file etc resolv conf by means of the script modify_resolvconf If the file...

Page 604: ...ere For each host enter a line consisting of the IP address the fully qualified hostname and the hostname into the file The IP address must be at the beginning of the line and the entries separated by...

Page 605: ...he etc hosts file bind Accesses a name server nis Uses NIS Defines if a host entered in etc hosts can have multiple IP addresses multi on off These parameters influence the name server spoofing but ap...

Page 606: ...ge 609 Example 30 9 etc nsswitch conf passwd compat group compat hosts files dns networks files dns services db files protocols db files netgroup files automount files nis The databases available over...

Page 607: ...protocols 5 man page protocols Remote procedure call names and addresses used by getrpcbyname and similar functions rpc Network services used by getservent services Shadow passwords of users used by...

Page 608: ...without the domain name attached This file is read by several scripts while the machine is booting It may only contain one line in which the hostname is set 30 6 2 Testing the Configuration Before you...

Page 609: ...the state of a device with the command ip link set device_name command For example to deactivate device eth0 enter ip link seteth0 down To activate it again use ip link seteth0 up After activating a...

Page 610: ...data packet ECHO_REQUEST datagram to the destination host requesting an immediate reply If this works ping displays a message to that effect which indicates that the network link is basically function...

Page 611: ...es it is sometimes useful to send the ping through a specific interface address To do so use the I option with the name of the selected device for example ping I wlan1 192 168 0 For more options and i...

Page 612: ...addr 00 0E 2E 52 3B 1D inet addr 192 168 2 4 Bcast 192 168 2 255 Mask 255 255 255 0 inet6 addr fe80 20e 2eff fe52 3b1d 64 Scope Link UP BROADCAST NOTRAILERS RUNNING MULTICAST MTU 1500 Metric 1 RX pack...

Page 613: ...nlevels Some of these scripts are de scribed in Table 30 9 Some Start Up Scripts for Network Programs page 595 Table 30 9 Some Start Up Scripts for Network Programs This script handles the configurati...

Page 614: ...grams the required pppd or ipppd and controls its dial up properties Second it makes various providers available to the user programs and transmits information about the current status of the connecti...

Page 615: ...8 and smpppd conf 5 man pages 30 7 2 Configuring KInternet cinternet and qinternet for Remote Use KInternet cinternet and qinternet can be used to control a local or remote smpppd cinternet is the com...

Page 616: ...Insert the password selected for smpppd If smpppd is active you can now try to access it for example with cinternet verbose interface list If you experience difficulties at this point refer to the smp...

Page 617: ...th integrated support for SLP YaST and Konqueror both have appropriate front ends for SLP You can use SLP to provide net worked clients with central functions such as an installation server file serve...

Page 618: ...ation YaST SLP Browser YaST contains a separate SLP browser that lists all services in the local network announced by SLP in a tree diagram Find it as Network Services SLP Browser Konqueror When used...

Page 619: ...on the server HOSTNAME is automatically replaced with the full hostname The name of the TCP port on which the relevant service can be found follows separated by a colon Then enter the language in whi...

Page 620: ...RFC 2608 generally deals with the definition of SLP RFC 2609 deals with the syntax of the service URLs used in greater detail and RFC 2610 deals with DHCP via SLP http www openslp org The home page o...

Page 621: ...for ex ample a backward leap can cause malfunction of critical applications Within a network it is usually necessary to synchronize the system time of all machines but manual time adjustment is a bad...

Page 622: ...di alog in which to select a suitable time server for your network Figure 32 1 YaST Configuring an NTP Client In the detailed server selection dialog determine whether to implement time synchro nizati...

Page 623: ...Complex NTP Configuration In Complex NTP Configuration determine whether xntpd should be started in a chroot jail By default Run NTP Daemon in Chroot Jail is activated This increases the secu rity in...

Page 624: ...is a machine to which a symmetric relationship is established it acts both as a time server and as a client To use a peer in the same network instead of a server enter the address of the system The re...

Page 625: ...ait for NTP broadcasts sent out by broadcast time servers in the network This approach has the disadvantage that the quality of the server is unknown and a server sending out wrong information can cau...

Page 626: ...The Conrad DCF77 receiver module for example has mode 5 To use this clock as a preferred reference specify the keyword prefer The complete server line for a Conrad DCF77 receiver module would be serv...

Page 627: ...xample section or zone of the org domain DNS server The DNS server is a server that maintains the name and IP information for a domain You can have a primary DNS server for master zone a secondary ser...

Page 628: ...sing DNS to synchronize data between multiple comput ers 33 2 Configuration with YaST You can use the DNS module of YaST to configure a DNS server for your local network To configure a Samba server st...

Page 629: ...ally Figure 33 1 DNS Server Installation Forwarder Settings 2 The DNS Zones dialog consists of several parts and is responsible for the man agement of zone files described in Section 33 5 Zone Files p...

Page 630: ...n open the DNS port in the firewall by clicking Open Port in Firewall Then decide whether or not the DNS server should be started On or Off You can also activate LDAP support See Figure 33 3 DNS Serve...

Page 631: ...em or manually To start the DNS server immediately select Start DNS Server Now To stop the DNS server select Stop DNS Server Now To save the current settings select Save Settings and Restart DNS Serve...

Page 632: ...e additionally specify a name the maximum file size in megabytes and the number of versions of log files to store Further options are available under Additional Logging Enabling Log All DNS Queries ca...

Page 633: ...Secure Transactions page 631 To generate a TSIG key enter a distinctive name in the field labeled Key ID and specify the file where the key should be stored Filename Confirm your choices with Add To u...

Page 634: ...s Basic the one opened first NS Records MX Records SOA and Records The basic dialog shown in Figure 33 6 DNS Server Zone Editor Basic page 617 lets you define settings for dynamic DNS and access optio...

Page 635: ...u to define alternative name servers for the zones specified Make sure that your own name server is included in the list To add a record enter its name under Name Server to Add then confirm with Add S...

Page 636: ...X Records To add a mail server for the current zone to the existing list enter the corresponding address and priority value After doing so confirm by selecting Add See Fig ure 33 8 DNS Server Zone Edi...

Page 637: ...s page allows you to create SOA start of authority records For an explanation of the individual options refer to Example 33 6 File var lib named world zone page 627 Changing SOA records is not support...

Page 638: ...rkeley Internet name domain comes preconfigured so it can be started right after installation without any problem If you already have a functioning Internet connection and have entered 127 0 0 1 as th...

Page 639: ...een started successfully Test the name server immediately on the local system with the host or dig programs which should return localhost as the default server with the address 127 0 0 1 If this is no...

Page 640: ...ime by entering rcnamed stop 33 4 The Configuration File etc named conf All the settings for the BIND name server itself are stored in the file etc named conf However the zone data for the domains to...

Page 641: ...stly of the provider to which DNS requests should be forwarded if they cannot be resolved directly Replace ip address with an IP address like 10 0 0 1 forward first Causes DNS requests to be forwarded...

Page 642: ...e netmask in this case 255 255 255 0 allow transfer Controls which hosts can request zone transfers In the example such requests are completely denied with Without this entry zone transfers can be req...

Page 643: ...tries Example 33 4 Zone Entry for my domain de zone my domain de in type master file my domain zone notify no After zone specify the name of the domain to administer my domain de followed by in and a...

Page 644: ...se this data is fetched from another name server To differentiate master and slave files use the directory slave for the slave files masters server ip address This entry is only needed for slave zones...

Page 645: ...teway root world cosmos 2003072441 serial 1D refresh 2H retry 1W expiry 2D minimum IN NS gateway IN MX 10 sun gateway IN A 192 168 0 1 IN A 192 168 1 1 sun IN A 192 168 0 2 moon IN A 192 168 0 3 earth...

Page 646: ...e interval at which the secondary name servers verify the zone serial number In this case one day Line 5 The retry rate specifies the time interval at which a secondary name server in case of error at...

Page 647: ...AAAA If the ad dress is an IPv6 address the entry is marked with AAAA 0 The previous token for IPv6 addresses was only AAAA which is now obsolete NOTE IPv6 Syntax A IPv6 record has a slightly differe...

Page 648: ...ine 2 The configuration file should activate reverse lookup for the network 192 168 1 0 Given that the zone is called 1 168 192 in addr arpa should not be added to the hostnames Therefore all hostname...

Page 649: ...f this command check the manual page for nsupdate man 8 nsupdate For security reasons any such update should be performed using TSIG keys as described in Section 33 7 Secure Transactions page 631 33 7...

Page 650: ...an extra file with specially limited permissions which is then included from etc named conf To include an external file use include filename Replace filename with an absolute path to your file with k...

Page 651: ...ne set which must then be transferred to the parent zone in a secure manner On the parent the set is signed with dnssec signkey The files generated by this command are then used to sign the zones with...

Page 652: ......

Page 653: ...work cards These cards are the only ones with a MAC which is required for the DHCP autoconfiguration features One way to configure a DHCP server is to identify each client using the hardware address o...

Page 654: ...er configuration locally on the host that runs the DHCP server or to have its configuration data managed by an LDAP server The YaST DHCP module allows you to set up your own DHCP server for the local...

Page 655: ...lds provide the network specifics for all clients the DHCP server should manage These specifics are the domain name address of a time server addresses of the primary and secondary name server addresse...

Page 656: ...DHCP clients All these addresses must be covered by the same netmask Also specify the lease time during which a client may keep its IP address without needing to request an extension of the lease Opti...

Page 657: ...start the DHCP server automatically when the system is booted or manually when needed for example for test purposes Click Finish to complete the configuration of the server See Figure 34 4 DHCP Serve...

Page 658: ...e entry fields provided in the lower part to specify a list of the clients to manage in this way Specifically provide the Name and the IP Address to give to such a client the Hardware Address and the...

Page 659: ...un in a chroot environment or chroot jail to secure the server host If the DHCP server should ever be compromised by an outside attack the attacker will still be behind bars in the chroot jail which p...

Page 660: ...CP server are made up of a number of declarations This dialog lets you set the declaration types Subnet Host Shared Network Group Pool of Addresses and Class This example shows the selection of a new...

Page 661: ...ration This dialog allows you specify a new subnet with its IP address and netmask In the middle part of the dialog modify the DHCP server start options for the selected subnet using Add Edit and Dele...

Page 662: ...in the previous dialog you can now con figure the key management for a secure zone transfer Selecting OK takes you to another dialog in which to configure the interface for dynamic DNS see Fig ure 34...

Page 663: ...ettings enable the automatic update and adjustment of the global DHCP server settings according to the dynamic DNS environment Finally define which forward and reverse zones should be updated per dyna...

Page 664: ...isplayed select one or more that should be attended by the the DHCP server If clients in all of the subnets should be able to communicate with the server and the server host also runs a firewall adjus...

Page 665: ...onsortium On the client side choose between two different DHCP client programs dhcp client also from ISC and the DHCP client daemon in the dhcpcd package SUSE Linux Enterprise installs dhcpcd by defau...

Page 666: ...range 192 168 1 100 192 168 1 200 This simple configuration file should be sufficient to get the DHCP server to assign IP addresses in the network Make sure that a semicolon is inserted at the end of...

Page 667: ...168 1 20 as well as 192 168 1 100 and 192 168 1 200 After editing these few lines you should be able to activate the DHCP daemon with the command rcdhcpd start It will be ready for use immediately Us...

Page 668: ...st line and the MAC address in the second line On Linux hosts find the MAC address with the command ip link show followed by the network device for example eth0 The output should contain something lik...

Page 669: ...s like etc ppp ip up However there should be no need to worry about this if the configuration file only specifies IP addresses instead of host names If your configuration includes additional files tha...

Page 670: ......

Page 671: ...roup across networks NIS can also be used for other purposes making the contents of files like etc hosts or etc services available for example but this is beyond the scope of this introduction People...

Page 672: ...erver 2 If you need just one NIS server in your network or if this server is to act as the master for further NIS slave servers select Install and set up NIS Master Server YaST installs the required p...

Page 673: ...nges to GECOS Field and Allow Changes to Login Shell available GECOS means that the users can also change their names and address settings with the command ypchfn SHELL al lows users to change their d...

Page 674: ...ur settings and return to the previous screen Figure 35 3 Changing the Directory and Synchronizing Files for a NIS Server 4 If you previously enabled Active Slave NIS Server Exists enter the hostnames...

Page 675: ...ton Specify from which networks requests can be sent to the NIS server Normally this is your internal network In this case there should be the following two entries 255 0 0 0 127 0 0 0 0 0 0 0 0 0 0 0...

Page 676: ...llows 1 Start YaST Network Services NIS Server 2 Select Install and set up NIS Slave Server and click Next TIP If NIS server software is already installed on your machine initiate the creation of a NI...

Page 677: ...the module NIS Client to configure a workstation to use NIS Select whether the host has a static IP address or receives one issued by DHCP DHCP can also provide the NIS domain and the NIS server For...

Page 678: ...ing Broken Server the client is enabled to receive replies from a server communicating through an unprivileged port For further information see man ypbind After you have made your settings click Finis...

Page 679: ...archable form In the ideal case a central server keeps the data in a directory and distributes it to all clients using a certain protocol The data is structured in a way that allows a wide range of ap...

Page 680: ...echanisms All applications accessing this service should gain access quickly and easily 36 1 LDAP versus NIS The Unix system administrator traditionally uses the NIS service for name resolution and da...

Page 681: ...t is called distinguished name or DN A single node along the path to this entry is called relative distinguished name or RDN Objects can generally be assigned to one of two possible types container Th...

Page 682: ...llowing a scheme The type of an object is determined by the object class The object class de termines what attributes the concerned object must or can be assigned A scheme therefore must contain defin...

Page 683: ...2 DESC RFC2256 organizational unit this object belongs to 3 SUP name 4 objectclass 2 5 6 5 NAME organizationalUnit 5 DESC RFC2256 an organizational unit 6 SUP top STRUCTURAL 7 MUST ou 8 MAY userPassw...

Page 684: ...types that are permitted in conjunction with this object class A very good introduction to the use of schemes can be found in the documentation of OpenLDAP When installed find it in usr share doc pac...

Page 685: ...thenticated users read access Allow anonymous users to authenticate access to dn by read access to by self write by users read by anonymous auth if no access controls are present the default is Allow...

Page 686: ...determined with what Regular expressions may be used slapd again aborts the evaluation of who after the first match so more specific rules should be listed before the more general ones The entries sh...

Page 687: ...conf Example for Access Control access to dn regex ou dc example dc com by dn regex cn Administrator ou 1 dc example dc com write by user read by none This rule declares that only its respective admin...

Page 688: ...slapd conf 5 for details Use of strong authentication encouraged rootpw secret The database directory MUST exist prior to running slapd AND should only be accessible by the slapd tools Mode 700 recom...

Page 689: ...cy_hash_cleartext specifies that clear text passwords present in add and modify requests are hashed before being stored in the database When this option is used it is recommended to deny compare searc...

Page 690: ...rting Data into an LDAP Directory Once the configuration of your LDAP server in etc openldap slapd conf is correct and ready to go it features appropriate entries for suffix directory rootdn rootpw an...

Page 691: ...of Emacs Other wise avoid umlauts and other special characters or use recode to recode the input to UTF 8 Save the file with the ldif suffix then pass it to the server with the following com mand lda...

Page 692: ...il tux example com uid tux telephoneNumber 49 1234 567 8 An LDIF file can contain an arbitrary number of objects It is possible to pass entire directory branches to the server at once or only parts of...

Page 693: ...dapmodify x D cn Administrator dc example dc com W Enter LDAP password 2 Enter the changes while carefully complying with the syntax in the order presented below dn cn Tux Linux ou devel dc example dc...

Page 694: ...ify that all entries have been recorded correctly and the server responds as desired Find more information about the use of ldapsearch in the corresponding man page ldapsearch 1 36 4 4 Deleting Data f...

Page 695: ...its services via SLP check Register at an SLP Daemon 5 Select Configure to configure General Settings and Databases To configure the Global Settings of your LDAP server proceed as follows 1 Accept or...

Page 696: ...nnect without authentication anonymously using a DN but no password update_anon Enabling this option allows nonauthenticated anonymous update operations Access is restricted according to ACLs and othe...

Page 697: ...orithm to use to secure the password of Root DN Choose crypt smd5 ssha or sha The dialog also includes a plain option to enable the use of plain text passwords but enabling this is not recommend ed fo...

Page 698: ...server password 2 Configure the password change policies 2a Determine the number of passwords stored in the password history Saved passwords may not be reused by the user 2b Determine whether users ca...

Page 699: ...right part of the window YaST displays a dialog similar to the one used for the creation of a new database with the main difference that the base DN entry is grayed out and cannot be changed After le...

Page 700: ...on file corresponding to the service in etc pam d Configuration files already adapted to individual services can be found in usr share doc packages pam_ldap pam d Copy appropriate files to etc pam d g...

Page 701: ...d in Section Basic Configuration page 683 Use the YaST LDAP client to further configure the YaST group and user configuration modules This includes manipulating the default settings for new users and...

Page 702: ...Enter the IP address of the LDAP server to use 3 Enter the LDAP base DN to select the search base on the LDAP server To retrieve the base DN automatically click Fetch DN YaST then checks for any LDAP...

Page 703: ...onfiguration The following dialog is split in two tabs See Figure 36 4 YaST Advanced Configuration page 685 1 In the Client Settings tab adjust the following settings to your needs 1a If the search ba...

Page 704: ...istrator 2c Check Create Default Configuration Objects to create the basic configuration objects on the server to enable user management via LDAP 2d If your client machine should act as a file server...

Page 705: ...for user and group management The registered data is stored as LDAP objects on the server Figure 36 5 YaST Module Configuration The dialog for module configuration Figure 36 5 YaST Module Configuratio...

Page 706: ...of the module Clicking Delete deletes the currently selected module 4 After you click Accept the new module is added to the selection menu The YaST modules for group and user administration embed temp...

Page 707: ...values for an attribute can be created from other attributes by using a variable instead of an absolute value For example when creating a new user cn sn givenName is created automatically from the att...

Page 708: ...y username login and password in the User Data tab 3b Check the Details tab for the group membership login shell and home di rectory of the new user If necessary change the default to values that bett...

Page 709: ...ser administration offers LDAP Options This gives the pos sibility to apply LDAP search filters to the set of available users or go to the module for the configuration of LDAP users and groups by sele...

Page 710: ...stratorDN and the password for the RootDN of this server if you need both to read and write the data stored on the server Alternatively choose Anonymous Access and do not provide the password to gain...

Page 711: ...de the RootDN password when prompted 6 Leave the LDAP browser with Close 36 9 For More Information More complex subjects like SASL configuration or establishment of a replicating LDAP server that dist...

Page 712: ...ll important aspects of LDAP configuration including access controls and encryption See http www openldap org doc admin22 or on an installed system usr share doc packages openldap2 admin guide index h...

Page 713: ...ol that is based on the NetBIOS services Due to pressure from IBM Microsoft released the protocol so other soft ware manufacturers could establish connections to a Microsoft domain network With Samba...

Page 714: ...names that correspond to DNS hostnames to make administration easier This is the default used by Samba Samba server Samba server is a server that provides SMB CIFS services and NetBIOS over IP naming...

Page 715: ...convenience of the YaST GUI 37 3 1 Configuring a Samba Server with YaST To configure a Samba server start YaST and select Network Services Samba Server When starting the module for the first time the...

Page 716: ...network interfaces select the network interface for Samba services by clicking Firewall Details selecting the interfaces and clicking OK Shares In the Shares tab determine the Samba shares to activat...

Page 717: ...lation SWAT is not activated To activate it open Network Services Network Services xinetd in YaST enable the network services configuration select swat from the table and click Toggle Status On or Off...

Page 718: ...ch as a Windows NT or 2000 server and you want the Samba server to keep a list of all systems present in the local environment set the os level to a higher value for example 65 Your Samba server is th...

Page 719: ...twork An additional comment can be added to further describe the share path media cdrom path exports the directory media cdrom By means of a very restrictive default configuration this kind of share i...

Page 720: ...isible in the network environment read only No By default Samba prohibits write access to any exported share by means of the read only Yes parameter To make a share writable set the value read only No...

Page 721: ...xpects an additional parameter password server The selection of share user or server level security applies to the entire server It is not possible to offer individual shares of a server configuration...

Page 722: ...an input format 37 5 Samba as Login Server In networks where predominantly Windows clients are found it is often preferable that users may only register with a valid account and password In a Windows...

Page 723: ...dd g nogroup c NT Machine Account s bin false m To make sure that Samba can execute this script correctly choose a Samba user with the required administrator permissions To do so select one user and a...

Page 724: ...ip 3 Enter the domain to join at Domain or Workgroup in the Windows Domain Membership screen Alternately use Browse to get a list of all available domains and select one Figure 37 1 Determining Window...

Page 725: ...should be the configuration of the LDAP server You need to add base DN information and entries for accounts of your software clients with passwords Detailed information about LDAP configuration is pro...

Page 726: ...rd are essential to add or modify accounts stored in the LDAP directory 37 7 3 Migrating the Windows Profiles For every profile to migrate complete these steps Procedure 37 1 Migrating a Profile 1 On...

Page 727: ...ixgroup root net groupmap modify ntgroup Domain Users unixgroup users net groupmap modify ntgroup Domain Guests unixgroup nobody Our domain global groups net groupmap add ntgroup Operation unixgroup o...

Page 728: ...hecking your configuration You can find Samba HOWTO Collection in usr share doc packages samba Samba HOWTO Collection pdf after installing the package samba doc Find detailed information about LDAP an...

Page 729: ...using IP addresses only To avoid time outs however you should have a working DNS system This is necessary at least for logging purposes because the mountd daemon does reverse lookups 38 1 Installing t...

Page 730: ...to open the firewall to allow access to the service from remote computers The firewall status is displayed next to the check box Clicking Finish to saves your changes See Figure 38 1 NFS Client Confi...

Page 731: ...start Use rcidmapd status to check the status of idmapd The idmapd services stores its parameters in the etc idmapd conf file Leave the value of the Domain parameter as localdomain Ensure that the va...

Page 732: ...nt fstype nfs4 server2 Activate the settings with rcautofs start For this example nfsmounts localdata the data directory of server1 is then mounted with NFS and nfsmounts nfs4mount from server2 is mou...

Page 733: ...e NFSv4 domain name Click Enable GSS Security if you need secure access to the server A prerequisite for this is to have Kerberos installed in your domain and both the server and the clients are kerbe...

Page 734: ...NFSv4 Clients Activate Enable NFSv4 to support NFSv4 clients Clients with NFSv3 can still access the server s exported directories if they are exported appropriately This is explained in detail in Sec...

Page 735: ...file system This pseudo file system acts as a base point under which all file systems exported for the same client set take their place For a client or set of clients only one directory on the server...

Page 736: ...for this make sure that bind exports data is in the list and that exports data is an already existing subdirectory of exports Any change in the option bind target path whether addition deletion or cha...

Page 737: ...sidered v3 exports Consider the example in Figure 38 4 Exporting Directories with NFSv4 page 717 If you add another directory such as data2 using Add Directory then in the corre sponding options list...

Page 738: ...ates a directory that is shared and how it is shared A typical entry in etc exports consists of shared directory host option_list For example export 192 168 1 2 rw fsid 0 sync data 192 168 1 2 rw bind...

Page 739: ...pd conf Every user on a Linux machine has a name and ID idmapd does the name to ID mapping for NFSv4 requests to the server and replies to the client This must be running on both server and client for...

Page 740: ...Exporting File Systems with NFSv4 page 720 for exporting with NFSv4 Exporting file systems with NFS involves two configuration files etc exports and etc sysconfig nfs A typical etc exports file entry...

Page 741: ...rther information about configuring kerberized NFS refer to the links in Sec tion 38 7 For More Information page 723 38 7 For More Information As well as the man pages of exports nfs and mount informa...

Page 742: ......

Page 743: ...is case use a network file system like NFS and store the files on a server enabling all hosts to access the same data via the network This approach is impossible if the network connection is poor or n...

Page 744: ...hanges that are performed locally are committed to the repository and can be retrieved from other computers by means of an update Both procedures must be initiated by the user CVS is very resilient to...

Page 745: ...can also act as a server 39 2 2 Portability CVS and rsync are also available for many other operating systems including various Unix and Windows systems 39 2 3 Interactive versus Automatic In CVS the...

Page 746: ...based on the content and the remarks This is a valuable aid for theses and program texts 39 2 7 Data Volume and Hard Disk Requirements A sufficient amount of free space for all distributed data is re...

Page 747: ...n and ma nipulation CVS and rsync can easily be used via ssh secure shell providing security against attacks of this kind Running CVS via rsh remote shell should be avoided Accessing CVS with the pser...

Page 748: ...bilities of CVS cannot be used The use of CVS for synchronizing files is only possible if all workstations can access the same server 39 3 1 Configuring a CVS Server The server is the host on which al...

Page 749: ...he comment in advance on the com mand line such as in the following example cvs import m this is a test synchome tux wilber 39 3 2 Using CVS The synchronization repository can now be checked out from...

Page 750: ...server C The local file conflicts with current version in the repository This file does not exist in CVS The status M indicates a locally modified file Either commit the local copy to the server or r...

Page 751: ...on to provide directories to the network The basic mode of operation of rsync does not require any special configuration rsync directly allows mirroring complete directories onto another system As an...

Page 752: ...le listing all connections This file is stored in var log rsyncd log It is then possible to test the transfer from a client system Do this with the following command rsync avz sun FTP This command lis...

Page 753: ...rence about the operating principles of rsync is featured in usr share doc packages rsync tech_report ps Find the latest news about rsync on the project Web site at http rsync samba org If you want Su...

Page 754: ......

Page 755: ...2 2 In this chapter learn how to install configure and set up a Web server how to use SSL CGI and additional modules and how to troubleshoot Apache 40 1 Quick Start With the help of this section quic...

Page 756: ...ages to finish the installation process Apache is installed with a standard predefined configuration that runs out of the box The installation includes the multiprocessing module apache2 prefork as we...

Page 757: ...wo different ways with YaST or manually Manual configuration offers a higher level of detail but lacks the convenience of the YaST GUI IMPORTANT Configuration Changes Changes to most configuration val...

Page 758: ...configuration needs etc apache2 etc apache2 hosts all configuration files for Apache In the following the purpose of each file is explained Each file includes several configuration options also referr...

Page 759: ...irtual hosts edit this file Otherwise overwrite these directives in your virtual host con figurations extra conf The upstream configuration files delivered with the original package by the Apache Soft...

Page 760: ...roperly test your Web server when making changes here ssl global conf and ssl Global SSL configuration and SSL certificate data Refer to Section 40 6 Setting Up a Secure Web Server with SSL page 766 f...

Page 761: ...st template or vhost ssl template for a virtual host with SSL support TIP Always Create a Virtual Host Configuration It is recommended to always create a virtual host configuration file even if your W...

Page 762: ...ddress and the port number to receive re quests on all interfaces IPv6 addresses must be enclosed in square brackets Example 40 1 Variations of Name Based VirtualHost Entries NameVirtualHost IP addres...

Page 763: ...ma chine One instance of Apache hosts several domains each of which is assigned a dif ferent IP The physical server must have one IP address for each IP based virtual host If the machine does not have...

Page 764: ...tc apache2 vhosts d vhost template for more options ServerName The fully qualified domain name under which the host should be addressed DocumentRoot Path to the directory from which Apache should serv...

Page 765: ...refore explicitly unlock the DocumentRoot directory in which you have placed the files Apache should serve Directory srv www example com_htdocs Order allow deny Allow from all Directory The complete c...

Page 766: ...ion of existing network interfaces and their respec tive IP addresses Ports from all three ranges well known ports registered ports and dynamic or private ports that are not reserved by other services...

Page 767: ...s choose the appropriate entry in the table then click Edit To add new directives click Add To delete a directive select it and click Delete Figure 40 1 HTTP Server Wizard Default Host Here is list of...

Page 768: ...ctory containing the configuration files that come with external modules By default all files in this directory conf are included etc apache2 conf d apache2 manual conf is the directory containing all...

Page 769: ...ptions are explained in Section Default Host page 749 Clicking Next advances to the second part of the virtual host configuration dialog In part two of the virtual host configuration you can specify w...

Page 770: ...og described in Section HTTP Server Configuration page 752 Figure 40 2 HTTP Server Wizard Summary HTTP Server Configuration The HTTP Server Configuration dialog also lets you make even more adjustment...

Page 771: ...y With Log Files watch either the access log or the error log This is useful if you want to test your configuration The log file opens in a separate window from which you can also restart or reload th...

Page 772: ...and Section Virtual Hosts page 751 40 3 Starting and Stopping Apache If configured with YaST see Section 40 2 2 Configuring Apache with YaST page 748 Apache is started at boot time in runlevels 3 and...

Page 773: ...only if it has been running before reload or graceful Stops the Web server by advising all forked Apache processes to first finish their requests before shutting down As each process dies it is repla...

Page 774: ...sks is handled by modules This has progressed so far that even HTTP is processed by a module http_core Apache modules can be compiled into the Apache binary at build time or dynamically loaded at runt...

Page 775: ...ocessing module Prefork MPM and the external modules mod_php5 and mod_python You can install additional external modules by starting YaST and choosing Software Software Management Now choose Filter Se...

Page 776: ...rtain MIME type such as application pdf a file with a specific extension like rpm or a certain request method such as GET is requested This module is enabled by default mod_alias Provides Alias and Re...

Page 777: ...lt It also provides an automatic redirect to the correct URl when a directory request does not contain a trailing slash This module is enabled by de fault mod_env Controls the environment that is pass...

Page 778: ...rules request headers and more mod_setenvif Sets environment variables based on details of the client s request such as the browser string the client sends or the client s IP address This module is e...

Page 779: ...atic requests cannot affect others avoiding a lockup of the Web server While providing stability with this process based approach the prefork MPM consumes more system resources than its counterpart th...

Page 780: ...t of all external modules shipped with SUSE Linux Enterprise Server here Find the module s documentation in the listed directory mod apparmor Adds support to Apache to provide Novell AppArmor confinem...

Page 781: ...nal modules for Apache apxs2 enables the compilation and installation of modules from source code including the required changes to the configuration files which creates dynamic shared objects DSOs th...

Page 782: ...ti vated mod_alias is also needed Both modules are enabled by default Refer to Sec tion 40 4 2 Activation and Deactivation page 757 for details on activating modules WARNING CGI Security Allowing the...

Page 783: ...ed by a MIME Type header such as Content type text html This header is sent to the client so it understands what kind of content it receives Secondly the script s output must be something the client u...

Page 784: ...CGI directory and execute the ls l test cgi Its output should start with rwxr xr x 1 root root Make sure that the script does not contain programming errors If you have not changed test cgi this shoul...

Page 785: ...with Apache is that URLs are prefixed with https instead of http 40 6 1 Creating an SSL Certificate In order to use SSL TSL with the Web server you need to create an SSL certificate This certificate...

Page 786: ...a defined circle of users it might be sufficient if you sign a certificate with your own certificate authority CA Creating a self signed certificate is an interactive nine step process Change into the...

Page 787: ...ate key for SERVER 1024 bit No interaction needed 6 Generating X 509 certificate signing request for SERVER Create the distinguished name for the server key here Questions are almost identical to the...

Page 788: ...etc sysconfig apache2 Otherwise you do not have enough time to enter the passphrase before the attempt to start the server is stopped unsuccessfully The script s result page presents a list of certif...

Page 789: ...country name or organization name Enter valid data everything you enter here later shows up in the certificate and is checked You do not need to answer every question If one does not apply to you or...

Page 790: ...nfiguration page 743 for the general virtual host configuration To get started it should be sufficient to adjust the values for the following directives DocumentRoot ServerName ServerAdmin ErrorLog Tr...

Page 791: ...nd group root You should not change these permissions If the directories were writable for all any user could place files into them These files might then be executed by Apache with the permissions of...

Page 792: ...suEXEC lets you run CGI scripts under a different user and group 40 7 5 User Directories When enabling user directories with mod_userdir or mod_rewrite you should strongly consider not allowing htacc...

Page 793: ...a separate option available to take care of this specific issue see Section 40 2 2 Configuring Apache with YaST page 748 If you are configuring Apache manually open firewall ports for HTTP and HTTPS...

Page 794: ...owing locations mod apparmor http en opensuse org AppArmor mod_perl http perl apache org mod_php5 http www php net manual en install unix apache2 php mod_python http www modpython org 40 9 3 Developme...

Page 795: ...che in SUSE Linux Enterprise Server take a look at the Technical Information Search at http www novell com support The history of Apache is provided at http httpd apache org ABOUT _APACHE html This pa...

Page 796: ......

Page 797: ...the same object can be served from the hard disk cache This enables clients to receive the data much faster than from the Internet This procedure also reduces the network traffic Along with the actua...

Page 798: ...d can be configured to exchange objects between them This reduces the total system load and increases the chances of finding an object already existing in the local network It is also possible to conf...

Page 799: ...red in the cache should stay there To determine this all objects in the cache are assigned one of various possible states Web and proxy servers find out the status of an object by adding headers to th...

Page 800: ...d days to fill the cache The easiest way to determine the needed cache size is to consider the maximum transfer rate of the connection With a 1 Mbit s connection the maximum transfer rate is 125 KB s...

Page 801: ...rk should be configured in a way that at least one name server and the Internet can be reached Problems can arise if a dial up connection is used with a dynamic DNS configuration In this case at least...

Page 802: ...e deleted If Squid dies after a short period of time even though it was started successfully check whether there is a faulty name server entry or whether the etc resolv conf file is missing Squid logs...

Page 803: ...he sysconfig variable MODIFY_NAMED_CONF_DYNAMICALLY to YES Static DNS With static DNS no automatic DNS adjustments take place while establishing a connection so there is no need to change any sysconfi...

Page 804: ...on which Squid listens for client requests The default port is 3128 but 8080 is also common If desired specify several port numbers separated by blank spaces cache_peer hostname type proxy port icp po...

Page 805: ...re_log var log squid store log These three entries specify the paths where Squid logs all its actions Normally nothing is changed here If Squid is experiencing a heavy usage burden it might make sense...

Page 806: ...h as this change the minutes to seconds then after clicking Reload in the browser the dial up process should be reengaged after a few seconds never_direct allow acl_name To prevent Squid from taking r...

Page 807: ...d above which can deny or allow access via deny or allow A list containing any number of http_access entries can be created processed from top to bottom and depending on which occurs first access is a...

Page 808: ...QUIRED http_access allow password http_access deny all The REQUIRED after proxy_auth can be replaced with a list of permitted usernames or with the path to such a list ident_lookup_access allow acl_na...

Page 809: ...t the existing clients should retain their old configuration In all these cases a transparent proxy may be used The principle is very easy the proxy intercepts and answers the requests of the Web brow...

Page 810: ...NT eth0 Define ports and services see etc services on the firewall that are accessed from untrusted external networks such as the Internet In this example only Web services are offered to the outside...

Page 811: ...l port to which these requests are sent and finally the port to which all these requests are redirected Because Squid supports protocols other than HTTP redirect requests from other ports to the proxy...

Page 812: ...art to start Apache with the SUSE Linux Enterprise Server default settings The last step to set it up is to copy the file cachemgr cgi to the Apache directory cgi bin cp usr share doc packages squid s...

Page 813: ...w manager webserver http_access deny manager Configure a password for the manager for access to more options like closing the cache remotely or viewing more information about the cache For this config...

Page 814: ...ess to some listed or blacklisted Web servers or URLs for some users Block access to URLs matching a list of regular expressions or words for some users Redirect blocked URLs to an intelligent CGI bas...

Page 815: ...d to set more than four processes because the allocation of these processes would consume an excessive amount of memory redirect_children 4 Last have Squid load the new configuration by running rcsqui...

Page 816: ...SARG Squid Analysis Report Gener ator More information about this is available at http sarg sourceforge net 41 9 For More Information Visit the home page of Squid at http www squid cache org Here find...

Page 817: ...Part V Security...

Page 818: ......

Page 819: ...modules for certification which offer basic management functions for digital X 509 certificates The following sections explain the basics of digital certi fication and how to use YaST to create and a...

Page 820: ...tificates An infras tructure of this kind is generally referred to as a public key infrastructure or PKI One familiar PKI is the OpenPGP standard in which users publish their certificates them selves...

Page 821: ...to be able to evaluate an extension if it is identified as critical If an application does not recognize a critical extension it must reject the certificate Some extensions are only useful for a spec...

Page 822: ...list CRL These lists are supplied by the CA to public CRL distribution points CDPs at regular intervals The CDP can optionally be named as an extension in the certificate so a checker can fetch a cur...

Page 823: ...ice page 661 Chapter 40 The Apache HTTP Server page 737 contains information about the HTTP server 42 1 5 Proprietary PKI YaST contains modules for the basic management of X 509 certificates This main...

Page 824: ...hen setting up a PKI is to create a root CA Do the following 1 Start YaST and go to Security and Users CA Management 2 Click Create Root CA 3 Enter the basic data for the CA in the first dialog shown...

Page 825: ...a sub CA or generating certificates The text fields have the following meaning Key Length Key Length contains a meaningful default and does not generally need to be changed unless an application cann...

Page 826: ...A A sub CA is created in exactly the same way as a root CA Do the following 1 Start YaST and open the CA module 2 Select the required CA and click Enter CA NOTE The validity period for a sub CA must b...

Page 827: ...creation of CRLs is described in Section 42 2 5 Creating CRLs page 813 7 Finish with Ok 42 2 3 Creating or Revoking User Certificates Creating client and server certificates is very similar to the on...

Page 828: ...Start YaST and open the CA module 2 Select the required CA and click Enter CA 3 Enter the password if entering a CA for the first time YaST displays the CA key information in the Description tab 4 Cli...

Page 829: ...s page 813 explains how to create CRLs Revoked certificates can be completely removed after publica tion in a CRL with Delete 42 2 4 Changing Default Values The previous sections explained how to crea...

Page 830: ...Figure 42 4 YaST CA Module Extended Settings 5 Change the associated value on the right side and set or delete the critical setting with critical 6 Click Next to see a short summary 7 Finish your cha...

Page 831: ...mary of the last CRL of this CA 4 Create a new CRL with Generate CRL if you have revoked new sub CAs or certificates since its creation 5 Specify the period of validity for the new CRL default 30 days...

Page 832: ...T LDAP client the fields are already partly completed Otherwise enter all the data manually Entries are made in LDAP in a separate tree with the attribute caCertificate Exporting a Certificate to LDAP...

Page 833: ...ilename The cer tificate is stored at the required location after you click OK TIP You can select any storage location in the file system This option can also be used to save CA objects on a transport...

Page 834: ...tificate do the following 1 Start YaST and open Common Server Certificate under Security and Users 2 View the data for the current certificate in the description field after YaST has been started 3 Se...

Page 835: ...3 1 Packet Filtering with iptables The components netfilter and iptables are responsible for the filtering and manipulation of network packets as well as for network address translation NAT The filter...

Page 836: ...Paths Routing Routing in the local system Processes outgoing packet incoming packet filter nat mangle POSTROUTING PREROUTING nat mangle FORWARD mangle filter INPUT mangle filter OUTPUT nat mangle Thes...

Page 837: ...f NAT network address translation It can be used to connect a small LAN where hosts use IP addresses from the private range see Section 30 1 2 Netmasks and Routing page 547 with the Internet where off...

Page 838: ...ble so the entry cannot be used by another connection As a consequence of all this you might experience some problems with a number of application protocols such as ICQ cucme IRC DCC CTCP and FTP in P...

Page 839: ...firewalling read the Firewall HOWTO included in the howto package If this package is installed read the HOWTO with less usr share doc howto en txt Firewall HOWTO gz 43 4 SuSEfirewall2 SuSEfirewall2 is...

Page 840: ...ewall Configuration After the installation YaST automatically starts a firewall on all configured in terfaces If a server is configured and activated on the system YaST can modify the automatically ge...

Page 841: ...etwork seem to be issued by the masquerading server when seen externally If special services of an internal machine need to be available to the external network add special redirect rules for the serv...

Page 842: ...inked to the Internet For a modem connection enter ppp0 For an ISDN link use ippp0 DSL connections use dsl0 Specify auto to use the in terface that corresponds to the default route FW_DEV_INT firewall...

Page 843: ...ake it available to the outside The services that use UDP include include DNS servers IPsec TFTP DHCP and others In that case enter the UDP ports to use FW_SERVICES_INT_TCP firewall With this variable...

Page 844: ...of nessus resides in the directory usr share doc packages nessus core after installing the respective package 43 5 For More Information The most up to date information and other documentation about t...

Page 845: ...e are other unprotected communication channels like the traditional FTP protocol and some remote copying programs The SSH suite provides the necessary protection by encrypting the authentication strin...

Page 846: ...The program output is displayed on the local terminal of the host earth ssh otherplanet uptime mkdir tmp Password 1 21pm up 2 17 9 users load average 0 15 0 04 0 02 Quotation marks are necessary here...

Page 847: ...running in the background listening for connections on TCP IP port 22 The daemon generates three key pairs when starting for the first time Each key pair consist of a private and a public key Therefo...

Page 848: ...can decrypt the session key using its private keys see man usr share doc packages openssh RFC nroff This initial connection phase can be watched closely by turning on the verbose debugging option v o...

Page 849: ...the example to the re mote machine and save it to ssh authorized_keys You will be asked to authenticate yourself with your passphrase the next time you establish a connection If this does not occur v...

Page 850: ...c ssh sshd_config or the user s ssh config ssh can also be used to redirect TCP IP connections In the examples below SSH is told to redirect the SMTP and the POP3 port respectively ssh L 25 sun 25 ear...

Page 851: ...e that no one can take the identity of someone else Make sure that each network server also proves its identity Otherwise an attacker might be able to impersonate the server and obtain sensitive infor...

Page 852: ...which it is re questing a service An authenticator can only be used once unlike a ticket A client can build an authenticator itself principal A Kerberos principal is a unique entity a user or service...

Page 853: ...and ticket granting server on a dedicated machine Make sure that only the administrator can access this machine physically and over the network Reduce the networking services run on it to the absolute...

Page 854: ...authenticator An authenticator consists of the following components The client s principal The client s IP address The current time A checksum chosen by the client All this information is encrypted u...

Page 855: ...plements a mecha nism to obtain tickets for individual servers This service is called the ticket granting service The ticket granting service is a service just like any other service mentioned before...

Page 856: ...Ideally a user s one and only contact with Kerberos happens during login at the work station The login process includes obtaining a ticket granting ticket At logout a user s Kerberos tickets are autom...

Page 857: ...twork applications in Kerberos V5 UNIX User s Guide at http web mit edu kerberos 45 4 For More Information The official site of the MIT Kerberos is http web mit edu kerberos There find links to any ot...

Page 858: ......

Page 859: ...It is also a good idea to use your DNS domain name or a subdomain such as ACCOUNTING FOOBAR COM As shown below your life as an administrator can be much easier if you configure your Kerberos clients...

Page 860: ...as a locked server room to which only a very few people have access 2 Do not run any network applications on it except the KDC This includes servers and clients for example the KDC should not import a...

Page 861: ...with a central time source A simple way to do so is by installing an NTP time server on one machine and having all clients synchronize their clocks with this server Do this either by running an NTP d...

Page 862: ...rators You need at least one administrative principal to run and administer Kerberos This principal must be added before starting the KDC 6 Start the Kerberos Daemon Once the KDC software is installed...

Page 863: ...Password It is important that you NOT FORGET this password Enter KDC database master key Type the master password Re enter KDC database master key to verify Type it again To verify that it did anythin...

Page 864: ...ation in the etc krb5 conf file or dynamic configuration with DNS With DNS configuration Kerberos applications try to locate the KDC services using DNS records With static configuration add the hostna...

Page 865: ...ction Also add a statement to this file that tells applications how to map hostnames to a realm For example when connecting to a remote host the Kerberos library needs to know in which realm this host...

Page 866: ...obably do not need any of this so it is okay to set these to zero MIT Kerberos currently looks up the following names when looking for services _kerberos This defines the location of the KDC daemon th...

Page 867: ...with YaST As an alternative to the manual configuration described above use YaST to configure a Kerberos client Proceed as follows 1 Log in as root and select Network Services Kerberos Client 2 Select...

Page 868: ...hosts select For wardable Enable the transfer of certain tickets by selecting Proxiable Keep tickets available with a PAM module even after a session has ended by en abling Retained Enable Kerberos a...

Page 869: ...igure 46 2 YaST Advanced Configuration of a Kerberos Client 46 7 Remote Kerberos Administration To be able to add and remove principals from the Kerberos database without accessing the KDC s console d...

Page 870: ...ave The list shown above is the full set of privileges As an example modify the principal newbie kadmin p newbie admin Authenticating as principal newbie admin EXAMPLE COM with password Password for n...

Page 871: ...ros www krb5 1 4 krb5 1 4 doc krb5 admin html Kadmin 20Options or look at man 8 kadmin 46 8 Creating Kerberos Host Principals In addition to making sure every machine on your network knows which Kerbe...

Page 872: ...licy specified for host test example com EXAMPLE COM defaulting to no policy Principal host test example com EXAMPLE COM created Instead of setting a password for the new principal the randkey flag te...

Page 873: ...e_krb5 password use_krb5 nullok session none After that all programs evaluating the entries in this file use Kerberos for user authen tication For a user that does not have a Kerberos principal pam_un...

Page 874: ...for protocol version 1 KerberosAuthentication yes KerberosTicketCleanup yes These are for version 2 better to use this GSSAPIAuthentication yes GSSAPICleanupCredentials yes Then restart your SSH daem...

Page 875: ...LDAP server create a principal ldap earth example com and add that to the keytab By default the LDAP server slapd runs as user and group ldap while the keytab file is readable by root only Therefore e...

Page 876: ...to use a different keytab file change the following variable in etc sysconfig openldap OPENLDAP_KRB5_KEYTAB etc openldap ldap keytab Finally restart the LDAP server using rcldap restart 46 11 1 Using...

Page 877: ...er to modify the login shell attribute of their LDAP user record Assuming you have a schema where the LDAP entry of user joe is located at uid joe ou people dc example dc com set up the following acce...

Page 878: ...ured it checks the DN formed from the SASL information using the first argument as a regular expression If this regular expression matches the name is replaced with the second argument of the authz re...

Page 879: ...ing installation or in an already installed system See Section 47 1 1 Creating an Encrypted Partition during In stallation page 863 and Section 47 1 2 Creating an Encrypted Partition on a Running Syst...

Page 880: ...it However encrypted media is useful for cases such as loss or theft of your computer or to prevent unauthorized individuals from reading your confidential data 47 1 Setting Up an Encrypted File Syst...

Page 881: ...ot to mount during boot the operating system requests the password while booting before mounting the partition The partition is available to all users once it has been mounted To skip mounting the enc...

Page 882: ...on page 863 47 1 3 Creating an Encrypted File as a Container Instead of using a partition it is possible to create an encrypted file of a certain size that can then hold other files or folders contain...

Page 883: ...han FAT change the ownership explicitly for users other than root to read or write files on the device 47 2 Using Encrypted Home Directories To protect data in home directories against theft and hard...

Page 884: ...s YaST offers you can use the cryptconfig command line tool for some special tasks For example as a safety for users that may lose their key files you can create and add an additional key to the image...

Page 885: ...encrypted mode Use vi x filename to edit a new file vi prompts you to set a password after which it encrypts the content of the file Whenever you access this file vi requests the correct password For...

Page 886: ......

Page 887: ...e With Novell AppArmor you only need to profile the programs that are exposed to attack in your environment which drastically reduces the amount of work required to harden your computer AppArmor profi...

Page 888: ...r this kind of behavior This guide outlines the basic tasks that need to be performed with AppArmor to effec tively harden a system For more in depth information refer to Novell AppArmor Ad ministrati...

Page 889: ...ed as follows 1 Log in as root and start YaST 2 Select System System Services Runlevel 3 Select Expert Mode 4 Select boot apparmor and click Set Reset Disable the service 5 Exit the YaST Runlevel tool...

Page 890: ...es or you need to react to security events logged by AppArmor s reporting tool Refer to Section 48 3 4 Updating Your Profiles page 878 48 3 1 Choosing the Applications to Profile You only need to prot...

Page 891: ...o Section 1 2 Determining Programs to Immunize Chapter 1 Immunizing Programs Novell AppArmor Administration Guide 48 3 2 Building and Modifying Profiles Novell AppArmor on SUSE Linux Enterprise ships...

Page 892: ...file is completed AppArmor scans the logs it recorded during the application s run and asks you to set the access rights for each event that was logged Either set them for each file or use globbing 4...

Page 893: ...talled and auditd is running AppArmor events are logged as follows type APPARMOR msg audit 1140325305 502 1407 REJECTING w access to usr lib firefox update test firefox bin 9469 profile usr lib firefo...

Page 894: ...rity level This feature is currently available in the YaST interface To set up event notification in YaST proceed as follows 1 Make sure that a mail server is running on your system to deliver the eve...

Page 895: ...on frequency e mail address export format and location of the reports by selecting Edit and providing the requested data 4 To run a report of the selected type click Run Now 5 Browse through the archi...

Page 896: ...ofile Wizard To update your profile set proceed as follows 1 Log in as root and start YaST 2 Start Novell AppArmor Update Profile Wizard 3 Adjust access or execute rights to any resource or for any ex...

Page 897: ...teed Data security was already an important issue even before computers could be linked through networks Just like today the most im portant concern was the ability to keep data available in spite of...

Page 898: ...own bits and pieces to win the confidence of that person by using clever rhetoric The victim could be led to reveal gradually more information maybe without even becoming aware of it Among hackers thi...

Page 899: ...s or the identity of another This is a general rule to be observed but it is especially true for the user root who holds the supreme power on the system root can take on the identity of any other loca...

Page 900: ...e following safe password TNotRbUE9 In contrast passwords like beerbud dy or jasmine76 are easily guessed even by someone who has only some casual knowledge about you 49 1 3 The Boot Procedure Configu...

Page 901: ...es or for files the setuser ID bit programs with the setuser ID bit set do not run with the permissions of the user that has launched it but with the permissions of the file owner in most cases root A...

Page 902: ...d over a network link Accordingly buffer overflows and format string bugs should be classified as being relevant for both local and network security 49 1 6 Viruses Contrary to what some people say the...

Page 903: ...s feature in an impressive way With X it is basically no problem to log in at a remote host and start a graphical program that is then sent over the network to be displayed on your computer When an X...

Page 904: ...X server on the server side and setting a DISPLAY variable for the shell on the remote host Further details about SSH can be found in Chapter 44 SSH Secure Network Op erations page 827 WARNING If you...

Page 905: ...niffing TCP connection hijacking spoofing and DNS poisoning 49 1 11 Man in the Middle Sniffing Hijacking Spoofing In general any remote attack performed by an attacker who puts himself between the com...

Page 906: ...r hostnames The attacker needs a good understanding of the actual structure of the trust relationships among hosts to disguise itself as one of the trusted hosts Usually the attacker analyzes some pac...

Page 907: ...us com is one of the best known security mailing lists worldwide Reading this list which receives between 15 and 20 postings per day is recommended More information can be found at http www securityfo...

Page 908: ...a host without the explicit approval of the administrator Finally remember that it is important not only to scan TCP ports but also UDP ports options sS and sU To monitor the integrity of the files o...

Page 909: ...cess Use SuSEfirewall to enhance the security provided by tcpd tcp_wrapper Design your security measures to be redundant a message seen twice is much better than no message at all 49 3 Using the Centr...

Page 910: ......

Page 911: ...Part VI Troubleshooting...

Page 912: ......

Page 913: ...elp Center page 896 is displayed The dialog window consists of three main areas Menu Bar and Toolbar The menu bar provides the main editing navigation and configuration options File contains the optio...

Page 914: ...ook icons to open and browse the individual categories View Window The view window always displays the currently selected contents such as online manuals search results or Web pages Figure 50 1 The Ma...

Page 915: ...once a search index has been generated 50 1 2 The Search Function To search all installed information sources of SUSE Linux Enterprise generate a search index and set a number of search parameters To...

Page 916: ...for determining the selection area Default A predefined selection of sources is searched All All sources are searched None No sources selected for the search Custom Determine the sources to search by...

Page 917: ...ually found in dev 4 File formats and conventions etc fstab 5 Games 6 Miscellaneous including macro packages and conventions for example man 7 groff 7 7 System administration commands usually only for...

Page 918: ...ion Project The Linux Documentation Project TLDP is run by a team of volunteers who write Linux and Linux related documentation see http www tldp org The set of documents contains tutorials for beginn...

Page 919: ...e provide HTML and PDF versions of our books in different languages The PDF file is available on the DVD in the direc tory docu For HTML install the package opensuse manual_LANG replace LANG with your...

Page 920: ...ackage Usually also a link to a Bugzilla Web page where you can search all bugs CHANGES ChangeLog Summary of changes from version to version Usually interesting for developers because it is very detai...

Page 921: ...s and exchanges articles with them Not all news groups may be available on your news server Interesting newsgroups for Linux users are comp os linux apps comp os linux questions and comp os linux hard...

Page 922: ...ree of charge There are six types of RFC proposed standards draft standards Internet standards experimental protocols information documents and historic standards Only the first three proposed draft a...

Page 923: ...cturers consumers trade professionals service companies scientists and others who have an interest in the establishment of standards The standards are subject to a fee and can be ordered using the DIN...

Page 924: ......

Page 925: ...are several places to look when you have problems with your system most of which are standard to Linux systems in gen eral and some of which are peculiar to SUSE Linux Enterprise systems Most log fil...

Page 926: ...All messages from the kernel and system log daemon assigned WARNING level or higher var log warn Binary file containing user login records for the current machine session View it with last var log wt...

Page 927: ...l modules proc modules This displays devices currently mounted proc mounts This shows the partitioning of all hard disks proc partitions This displays the current version of Linux proc version Linux c...

Page 928: ...heck the MD5 checksum of the medium This may take several minutes If errors are detected do not use this medium for installation 51 2 2 Hardware Information Display detected hardware and technical dat...

Page 929: ...NUX enables the selection of a kernel during the boot procedure and the specification of any parameters needed for the hardware used The program linuxrc supports the loading of kernel modules for your...

Page 930: ...to read the boot image on CD 1 In this case use CD 2 to boot the system CD 2 contains a conventional 2 88 MB boot image that can be read even by unsupported drives and allows you to perform the insta...

Page 931: ...en set to something like C A or A C In the former case the ma chine first searches the hard disk C then the floppy drive A to find a bootable medium Change the settings by pressing PgUp or PgDown unti...

Page 932: ...type of hardware is missing from the installation kernel or due to certain functionality included in this kernel such as ACPI that still cause problems on some hardware If your system fails to install...

Page 933: ...boot prompt prior to booting for installation acpi off This parameter disables the complete ACPI subsystem on your computer This may be useful if your computer cannot handle ACPI at all or if you thi...

Page 934: ...alogs Select Text Mode for installation Do a remote installation via VNC using the graphical installer To change to another screen resolution for installation proceed as follows 1 Boot for installatio...

Page 935: ...e 5801 A dialog opens in the browser window prompting you for the VNC password Enter it and proceed with the installation as described in Chapter 3 Installation with YaST page 17 IMPORTANT Installatio...

Page 936: ...n Section 51 2 5 Fails to Boot page 914 To launch the installation process press Enter Screen Resolutions Use the F keys to determine the screen resolution for installation If you need to boot in text...

Page 937: ...as not enabled your system might install properly but fail to boot when access to the hard disk is required 51 3 2 No Graphical Login If the machine comes up but does not boot into the graphical login...

Page 938: ...ed in on the console If that does not work it should log errors to the console For more information about the X Window system configuration refer to Chapter 26 The X Window System page 481 51 4 Login...

Page 939: ...ring of directives For additional background information about PAM and the syntax of the configu ration files involved refer to Chapter 27 Authentication with PAM page 495 In all cases that do not inv...

Page 940: ...sful the blame cannot be put on PAM because it is possible to authenticate this user on this machine Try to locate any problems with the X Window System or the desktop GNOME or KDE For more informatio...

Page 941: ...to log in to that host The machine cannot reach the authentication server or directory server that contains that user s information There might be problems with the X Window System authenticating this...

Page 942: ...y to start an X session on another display the first one 0 is already in use startx 1 This should bring up a graphical screen and your desktop If it does not check the log files of the X Window System...

Page 943: ...s causes the login problems attempt to recover only the critical application data and reconfigure the remainder of the applications 51 4 4 Login Successful but KDE Desktop Fails There are several reas...

Page 944: ...text console by pressing Ctrl Alt F1 2 Log in with your username 3 Move the KDE configuration directory and the skel files to a temporary loca tion mv kde kde ORIG RECOVER mv skel skel ORIG RECOVER 4...

Page 945: ...network servers needed in your setup Either look them up in the appropriate YaST module or ask your system administrator The following list gives some of the typical net work servers involved in a set...

Page 946: ...ether the network servers are running and whether your network setup allows you to establish a connection IMPORTANT The debugging procedure described below only applies to a simple net work server cli...

Page 947: ...ing If the host command fails check all network configura tion files relating to name and address resolution on your host etc resolv conf This file is used to keep track of the name server and domain...

Page 948: ...Make sure that both inet address and Mask are configured correctly An error in the IP address or a missing bit in your network mask would render your network configuration unusable If necessary perfor...

Page 949: ...ata Problems Data problems are when the machine might or might not boot properly but in either case it is clear that there is data corruption on the system and that the system needs to be recovered Th...

Page 950: ...entire hard disk areas Current ly this option only applies to the Ext2 file system 2f Finally set the search constraints to exclude certain system areas from the backup area that do not need to be ba...

Page 951: ...CD Then click Next The following dialog displays a summary of the archive properties such as the filename date of creation type of backup and optional comments 3 Review the archived content by clickin...

Page 952: ...system is to blame for the failure use Automatic Repair An ex tensive automated check will be performed on all components of your installed system For a detailed description of this procedure refer to...

Page 953: ...ext 6 In System Analysis select Other Repair Installed System 7 Select Automatic Repair YaST now launches an extensive analysis of the installed system The progress of the procedure is displayed at th...

Page 954: ...sake of a higher system repair speed File Systems All detected file systems are subjected to a file system specific check Entries in the File etc fstab The entries in the file are checked for complet...

Page 955: ...oots Customized Repair To launch the Customized Repair mode and selectively check certain components of your installed system proceed as follows 1 Insert the first installation medium of SUSE Linux En...

Page 956: ...have a very clear idea of what needs to be repaired in your system directly apply the tools skipping the system analysis To make use of the Expert Tools feature of the YaST System Repair module procee...

Page 957: ...le cases Save System Settings to Floppy This option saves important system files to a floppy disk If one of these files become damaged it can be restored from disk Verify Installed Software This check...

Page 958: ...tallation 1 Enter the configuration of your PXE boot setup and replace install protocol instsource with rescue protocol instsource As with a normal installation protocol stands for any of the supporte...

Page 959: ...ted under mnt 3 Change the directory to the mounted root file system cd mnt 4 Open the problematic configuration file in the vi editor Adjust and save the configuration 5 Unmount the root file system...

Page 960: ...ent based on the installed system proceed as fol lows 1 First mount the root partition from the installed system and the device file system mount dev sda6 mnt mount bind dev mnt dev 2 Now you can chan...

Page 961: ...cause the boot loader configuration is corrupted The start up routines cannot for example translate physical drives to the actual locations in the Linux file system without a working boot loader To ch...

Page 962: ...am can be executed to update the IPL record 51 7 1 IPLing the Rescue System IMPORTANT Making the Installation Data Available For this method to work the SUSE Linux Enterprise Server for IBM System z i...

Page 963: ...ing DASDs 1 Configure DASDs with the following command dasd_configure 0 0 0150 1 0 0 0 0150 is the channel to which the DASD is connected The 1 means activate the disk a 0 at this place would deactiva...

Page 964: ...root device is on the second partition of the DASD device dev dasda2 the corresponding command is mount dev dasda2 mnt IMPORTANT File System Consistency If the installed system has not been shut down...

Page 965: ...ing Kernel Image boot kernel image located at 0x00010000 adding Ramdisk boot initrd located at 0x00800000 adding Parmline boot zipl parmfile located at 0x00001000 Bootloader for ECKD type devices with...

Page 966: ...the rescue system with the halt command The SUSE Linux Enterprise Server system can now be IPLed as described in Section 3 10 1 IBM System z IPLing the Installed System page 30 948 Installation and Ad...

Page 967: ...talling 738 modules 756 764 available 758 building 763 external 762 installing 757 multiprocessing 761 quick start 737 security 772 Squid 794 SSL 766 772 configure Apache with SSL 771 creating an SSL...

Page 968: ...53 du 354 file 352 find 352 fonts config 489 free 355 412 getfacl 287 grep 352 grub 388 gzip 343 350 halt 357 help 334 ifconfig 593 ip 590 kadmin 845 kill 355 killall 356 kinit 852 ktadd 854 ldapadd 6...

Page 969: ...nf 621 631 784 network 584 networks 586 nscd conf 590 nsswitch conf 588 682 openldap 857 pam_unix2 conf 682 855 passwd 204 permissions 890 powersave 507 powersave conf 221 profile 407 411 417 resolv c...

Page 970: ...tem services 164 T DSL 576 time zone 158 users 167 wireless cards 159 ZFCP 144 consoles assigning 414 graphical 404 switching 414 core files 411 cp 348 cpuspeed 515 cron 408 CVS 726 730 733 D date 355...

Page 971: ...reter 154 permission denied 154 F file 352 file servers 164 file systems 469 479 ACLs 281 293 changing 153 cryptofs 861 encrypting 861 Ext2 471 472 Ext3 472 473 LFS 477 limitations 477 OCFS2 267 280 4...

Page 972: ...5 uninstalling 402 gunzip 343 gzip 343 350 H halt 357 hard disks DMA 142 hardware DASD 143 graphics cards 186 hard disk controllers 142 information 142 910 ISDN 570 monitor 186 ZFCP 144 help 895 898 b...

Page 973: ...clock synchronization 843 configuring clients 846 848 credentials 834 installing 841 860 KDC 842 846 administering 851 nsswitch conf 842 starting 846 keytab 854 LDAP and 857 860 master key 844 PAM su...

Page 974: ...haring files with another OS 695 uninstalling 402 linuxrc manual installation 219 ln 348 local APIC disabling 20 localization 415 locate 351 410 log files 174 409 boot msg 178 507 messages 178 621 825...

Page 975: ...ounting 713 servers 164 715 NIS 653 660 clients 164 659 masters 653 659 servers 164 slaves 653 659 nslookup 356 NSS 588 databases 588 NTP client 164 O OpenLDAP see LDAP OpenSSH see SSH OpenWBEM 227 25...

Page 976: ...nfiguring 516 printing 435 command line 447 configuration with YaST 439 local printers 439 network printers 444 CUPS 446 GDI printers 452 kprinter 446 network 454 Samba 696 troubleshooting network 454...

Page 977: ...inters 696 printing 704 security 703 server 696 servers 166 697 703 shares 696 701 SMB 695 starting 697 stopping 697 swat 699 TCP IP and 695 SaX2 display device 187 display settings 186 dual head 188...

Page 978: ...nqueror 600 providing services 601 registering services 601 slptool 600 SMB see Samba smpd 695 soft RAID see RAID software compiling 303 installing 127 134 removing 127 134 sound configuring in YaST 1...

Page 979: ...CP IP 543 ICMP 544 IGMP 544 layer model 544 packets 545 546 TCP 544 UDP 544 telnet 356 time zones 158 TLDP 900 top 355 Tripwire replaced by AIDE 219 U ulimit 411 options 411 umount 354 uninstalling GR...

Page 980: ...03 principles 801 repository 805 revocation list 804 YaST 801 X Org 481 Xft 490 xinetd 164 XKB see keyboard XKB xorg conf color depth 485 Depth 485 Device 486 Display 485 Files 483 InputDevice 483 Mod...

Page 981: ...k card 560 network configuration 33 159 167 NFS clients 163 NFS server 164 NIS clients 659 Novell AppArmor 167 Novell Customer Center 136 NTP client 164 online update 136 138 partitioning 27 149 PCI d...

Page 982: ...09 certification 801 certificates 809 changing default values 811 creating CRLs 813 exporting CA objects as a file 815 exporting CA objects to LDAP 813 importing general server certificates 815 root C...

Reviews:

No comments

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands