Access Control and Authentication

Table 16-2   Access Rights Explanation

eDirectory Objects

eDirectory objects (in most cases users and groups) gain access to the file system through eDirectory.

File System Trustee Rights

File system trustee rights govern access and usage by the eDirectory object specified for the directory or file to which the rights are granted.

Trustee rights are overridden by directory and file attributes.

For example, even though Nancy has the Supervisor (all) trustee right at the directory (and, therefore, to the files it contains), she cannot delete File2 because it has the Read Only attribute set.

Of course, Nancy could modify the file attributes so that File2 could then be deleted.

Directory and File Attributes

Each directory and file has attributes associated with it. These attributes apply universally to all trustees regardless of the trustee rights an object might have.

For example, a file that has the Read Only attribute is Read Only for all users.

Attributes can be set by any trustee that has the Modify trustee right to the directory or file.

Directories and Files

The possible actions by the eDirectory users and group shown in this example are as follows:

Nancy has the Supervisor trustee right at the directory level, meaning that she can perform any action not blocked by a directory or file attribute.

The Di (Delete Inhibit) and Ri (Rename Inhibit) Attributes on Directory A prevent Nancy from deleting or renaming the directory unless she modifies the attributes first. The same principle applies to her ability to modify File2.

Because Joe is a member of the Reporters group, he can view file and directory names inside DirectoryA and also see the directory structure up to the root directory.

Joe also has rights to open and read any files in DirectoryA and to execute any applications in DirectoryA.

Because Bert is a member of the Reporters group, he can view file and directory names inside DirectoryA and also see the directory structure up to the root directory.

Bert also has rights to open and read File1 and to execute it if it's an application.

And Bert has rights to grant any eDirectory user access to File1.

Because all three users are members of the Reporters group, they can grant any eDirectory user access to File2.

Of course, for Nancy this is redundant because she has the Supervisor right at the directory level.

NSS Access Control on OES

Table 16-3 provides links to documentation that discusses the various NSS-specific access control features.
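The way the rules in Table 16-2 combine (trustee rights decide who may act, attributes block everyone, and Modify lets a trustee lift the block) can be checked with a small model. This Python code is an added example, not Novell code or an NSS interface; the trustee assignments are read from the table's text, the user Pat is constructed, and rights are simply added together down the tree, ignoring inherited rights filters.

```python
from dataclasses import dataclass, field
from typing import Optional

# Trustee right needed for each action. Supervisor implies every other right.
REQUIRED_RIGHT = {"read": "Read", "delete": "Erase", "rename": "Modify"}
# Attributes that block an action for all trustees, whatever rights they hold.
BLOCKING_ATTRS = {
    "delete": {"Read Only", "Delete Inhibit"},
    "rename": {"Rename Inhibit"},
}


@dataclass
class Node:
    """A directory or file with its attributes and trustee assignments."""
    name: str
    parent: Optional["Node"] = None
    attributes: set = field(default_factory=set)
    trustees: dict = field(default_factory=dict)  # trustee name -> set of rights


def effective_rights(user, groups, node):
    """Rights granted to the user or the user's groups on the node and on every
    directory above it (simplification: rights only accumulate downward)."""
    names = {user} | set(groups.get(user, ()))
    rights = set()
    while node is not None:
        for trustee, granted in node.trustees.items():
            if trustee in names:
                rights |= granted
        node = node.parent
    return rights


def evaluate(user, action, node, groups):
    """Return 'denied', 'allowed', 'blocked' (an attribute stops the action and
    the user cannot change it) or 'blocked_clearable' (the user holds Modify
    and could remove the attribute first)."""
    rights = effective_rights(user, groups, node)

    def has(right):
        return "Supervisor" in rights or right in rights

    if not has(REQUIRED_RIGHT[action]):
        return "denied"
    if not node.attributes & BLOCKING_ATTRS.get(action, set()):
        return "allowed"
    return "blocked_clearable" if has("Modify") else "blocked"


def build_example():
    """Assignments as read from Table 16-2 (assumed), plus constructed user Pat,
    who holds Erase but not Modify."""
    dir_a = Node("DirectoryA",
                 attributes={"Delete Inhibit", "Rename Inhibit"},
                 trustees={"Nancy": {"Supervisor"}, "Joe": {"Read"},
                           "Reporters": {"File Scan"}, "Pat": {"Erase"}})
    file1 = Node("File1", parent=dir_a,
                 trustees={"Bert": {"Read", "Access Control"}})
    file2 = Node("File2", parent=dir_a, attributes={"Read Only"},
                 trustees={"Reporters": {"Access Control"}})
    groups = {user: ["Reporters"] for user in ("Nancy", "Joe", "Bert")}
    return dir_a, file1, file2, groups


def can_clear_and_act(nodes, users, groups, action):
    """Audit view: (user, object) pairs where an attribute is the only barrier
    and the user is able to remove it."""
    return sorted((user, node.name) for node in nodes for user in users
                  if evaluate(user, action, node, groups) == "blocked_clearable")


if __name__ == "__main__":
    dir_a, file1, file2, groups = build_example()
    for user in ("Nancy", "Joe", "Bert", "Pat"):
        print(user, "delete File2:", evaluate(user, "delete", file2, groups))
    print(can_clear_and_act([dir_a, file1, file2],
                            ["Nancy", "Joe", "Bert", "Pat"], groups, "delete"))
```

The audit list is the practical takeaway: for any trustee it names, Read Only or Delete Inhibit delays the action but does not prevent it.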

Summary of Contents for OPEN ENTERPRISE SERVER - CONVERSION GUIDE 12-2010

Page 1: ...Novell www novell com AUTHORIZED DOCUMENTATION Open Enterprise Server 2 SP3 December 2010 Planning and Implementation Guide...


Page 152: ...file system Samba users must be LUM enabled to access an NSS volume Services That Do Not Require LUM enabled Access The following end user services do not require LUM enabled access iFolder 3 8 iPrin...

Page 153: ...rvices mentioned 3 On your planning sheets note the users and groups that you need to enable and the servers you need to enable them to access Be Aware of System Created Users and Groups You should al...

Page 154: ...and Linux Workstation refer to the same eDirectory objects Enabling Users to Access Multiple OES 2 Servers IMPORTANT Users gain server access through their LUM enabled group assignment rather than thr...

Page 155: ...the Command Prompt on page 155 Using iManager The following steps assume that the eDirectory User objects already exist 1 Log in to iManager as the eDirectory Admin user or equivalent 2 Click Linux Us...

Page 156: ...mentation and Maintenance on page 202 and Chapter 19 Print Services on page 211 If you want eDirectory users to have access to OES 2 services that require POSIX authentication you can enable the users...

Page 157: ...ules on these platforms you must purchase Identity Manager 15 4 3 Installation Considerations Novell Identity Manager Bundle Edition contains components that can be installed within your environment o...

Page 158: ...tasks 1 Browse to the Identity Manager Bundle Edition Registration http download novell com delivery reg idm_bundled jsp Web site 2 Enter your OES activation code then click Submit 3 Do one of the fol...

Page 159: ...Manager on a Solaris or AIX Server Not with the Bundle Edition However you can still synchronize data held on these platforms by using the Identity Manager Remote Loader service The Remote Loader ena...

Page 160: ...ng and Implementation Guide How do I know what s activated For information about how to view currently activated products see Viewing Product Activations http www novell com documentation idm36 instal...

Page 161: ...offer and the ways you configure those services This section can help you understand access control at a high level so that you can plan implement and control access to services More detail about the...

Page 162: ...he HTTP protocol Each workstation type has file access protocols associated with it Linux uses NFS as its native protocol for file services access Macintosh workstations communicate using AFP or CIFS...

Page 163: ...and POSIX access rights How to approximate the NCP or NetWare access control model on POSIX file systems Section 17 4 Aligning NCP and POSIX File Access Rights on page 192 Directory and file attribut...

Page 164: ...access rights illustrated in Figure 16 2 Overview of SVN Help Development and Localization Writers CM Help development related checkins and checkouts happen only in the documentation SVN repository T...

Page 165: ...can be set by any trustee that has the Modify trustee right to the directory or file The possible actions by the eDirectory users and group shown in this example are as follows Nancy has the Superviso...

Page 166: ...ight for Your Network Although Novell offers services that don t require Novell Client such as NetStorage Novell iFolder 3 8 and iPrint many network administrators continue to prefer the Novell Client...

Page 167: ...t of this on you as the network administrator is that these users and groups must be enabled for eDirectory LDAP authentication to the local server For more information see Linux User Management Acces...

Page 168: ...nting resources You can also use iPrint to set up print services that don t require authentication NOTE Access control for printers is supported only on the Windows iPrint Client For more information...

Page 169: ...ach interface supports 3 In the right column view the services available to the interfaces via the protocols Figure 16 3 Access Interfaces and Services and the Protocols That Connect Them Access Inter...

Page 170: ...s instructions to your network users For a summary of access methods see Appendix E Quick Reference to OES 2 User Services on page 249 16 1 5 Configuring and Administering Access to Services The follo...

Page 171: ...Novell Client to Change File and Directory Attributes and Trustee Rights You can use the Novell Client to change NSS file and directory attributes and to grant trustee rights to an NSS volume on an OE...

Page 172: ...ection briefly discusses the following topics Section 16 2 1 Overview of Authentication Services on page 172 Section 16 2 2 Planning for Authentication on page 175 Section 16 2 3 Authentication Coexis...

Page 173: ...You can have users log in through a combination of methods to provide a higher level of security Some login methods require additional hardware and software You must have all of the necessary hardware...

Page 174: ...FS In OES 2 AFP and CIFS users have Universal Password policies assigned by default More information about password policy planning is available in Appendix K Coordinating Password Policies Among Mult...

Page 175: ...the Secure Password Manager SPM a component of the NMAS module installed on OES 2 servers All password restrictions and policies expiration minimum length etc are supported All the existing managemen...

Page 176: ...176 OES 2 SP3 Planning and Implementation Guide...

Page 177: ...s to and from OES 2 servers NetWare Core Protocol page 178 Provides NetWare Core Protocol NCP access to NCP volumes including NSS volumes that you define on OES 2 server partitions NetStorage page 179...

Page 178: ...also migrate an existing FTP server configuration from a NetWare server to OES 2 For migration instructions and a brief FAQ see Migrating FTP from NetWare to OES 2 Linux in the OES 2 SP3 Migration Too...

Page 179: ...ile access is often confusing and frustrating to users as illustrated in Figure 17 2 Access Methods Authentication NCP Services Access is through an NCP client specifically the Novell Client All file...

Page 180: ...ical to those who must travel However access method support varies widely among file service providers Authentication helps protect information assets but having diverse authentication methods leads t...

Page 181: ...ed in Figure 17 3 Windows Explorer Browser PDA Access Methods Authentication NetStorage Server eDirectory LDAP OES 2 NetStorage on OES 2 NSS volume NCP volume NetWare Traditional volume CIFS share NFA...

Page 182: ...login script drive mapping NCP server required or through Storage Location Objects File service access is controlled by LDAP based authentication through the eDirectory LDAP server Although shown sep...

Page 183: ...OES 2 server All file service access is controlled by LDAP based authentication through the eDirectory LDAP server Although shown separately eDirectory could be installed on the OES 2 server Of course...

Page 184: ...S Client Access Windows Explorer users can access and modify files on the OES 2 server just as they would on any workgroup server share Web Folder Users can create Web Folders in Windows Explorer or I...

Page 185: ...ntication through the eDirectory LDAP server Although shown separately eDirectory could be installed on the OES 2 server Files can be encrypted for transport using SSL connections HTTPS Slave servers...

Page 186: ...7 Figure 17 7 How Samba on OES Works The following table explains the information illustrated in Figure 17 7 eDirectory LDAP server Samba users are enabled for Linux User Management LUM Any CIFS SMB C...

Page 187: ...Methods Authentication File Storage Services eDirectory users on Windows workstations have two native Windows file access options if their eDirectory accounts have been enabled for LUM and Samba CIFS...

Page 188: ...SS volumes Secure LDAP Authentication Novell CIFS Any CIFS client Remote access Web Folders in the Internet Explorer browser Windows Explorer NSS volumes Secure LDAP Authentication Novell iFolder 3 8...

Page 189: ...r the nssmu utility to create an NSS volume on an OES 2 server For instructions on how to set up an NSS volume see Managing NSS Volumes in the OES 2 SP3 File Systems Management Guide LUM and Samba ena...

Page 190: ...to other file storage services Novell AFP Allocate enough disk space for the partition containing the home directories to meet your users file storage needs Novell CIFS Allocate enough disk space for...

Page 191: ...s It supports traditional Novell protocols such as NCP RSA and NDAP and it interoperates with open protocols such as LDAP For more information on the Novell Client for Windows see the Novell Client 4...

Page 192: ...it Users can also participate in iFolder folders that others share with them Novell iFolder 3 8 is available only on OES 2 For information on migrating from iFolder 2 to iFolder 3 8 see Migrating iFo...

Page 193: ...ports access control lists ACLs to expand this capability However ACLs are outside the scope of this discussion For more information on ACLs see Access Control Lists http www novell com documentation...

Page 194: ...ubdirectories and files 2 Grant only the user read write and execute rights rwx to the directory For example you could use the chmod command as follows chmod R 700 path user_dir where path is the file...

Page 195: ...a trustee and then granting the required trustee rights to the directory For the work area itself you would set permissions for the owner group and all others to read write and execute rights rwx rwx...

Page 196: ...page 197 Section 17 5 3 Cluster Enabling Pure FTPd in an OES 2 Environment on page 201 Section 17 5 4 Troubleshooting PureFTPd on page 202 17 5 1 Configuring Pure FTPd on an OES 2 Server Edit the etc...

Page 197: ...t location Rename the file to pure ftpd1 conf and move it to etc opt novell pure ftpd1 conf 2 Modify the following settings in the configuration file to avoid IP address or port conflicts between the...

Page 198: ...o the server over the IP address being used by the pure ftpd instance must be created Unloading Specific Instances A new script pure ftp stop pl is added to unload an instance of pure ftpd and all its...

Page 199: ...file etc pure ftpd pure ftpd conf The configuration parameters for remote server navigation are as follows The following configuration parameters need to be set for remote server navigation Entry Va...

Page 200: ...7 12 Linux FTP SITE command NOTE All the FTP users need to be LUM enabled on the FTP server Entry Value Reason Why ChrootEveryone no Option yes restricts users to login only to his home directory and...

Page 201: ...S pool The PID file must be unique for each FTP instance running on the cluster 4 Copy the configuration file to the shared volume to etc opt novell on the shared volume Copying the configuration file...

Page 202: ...tions can help you get started with NCP on OES 2 servers Section 17 6 1 The Default NCP Volume on page 202 Section 17 6 2 Creating NCP Home and Data Volume Pointers on page 202 Section 17 6 3 Assignin...

Page 203: ...Trustees Trustee Rights and Attributes on NCP Volumes in the OES 2 SP3 NCP Server for Linux Administration Guide The ncpcon rights command is related to but not the same as the rights utility used to...

Page 204: ...a and SSH For more information see Section 11 4 SSH Services on OES 2 on page 91 17 7 3 Assigning User and Group Access Rights Because NetStorage provides access to other file storage systems the user...

Page 205: ...thenticate each time they access NetStorage in a browser This is true even if another browser window is open and authenticated on the same workstation The reason for this is that persistent cookies ar...

Page 206: ...ES 2 SP3 Novell CIFS for Linux Administration Guide Section 17 9 1 Implementing Novell CIFS File Services on page 206 Section 17 9 2 Maintaining Novell CIFS File Services on page 206 17 9 1 Implementi...

Page 207: ...Enable the User Account Policies for iFolder access 3 Optional Enable Account Quotas space limits for the user accounts 4 Create iFolders for users 5 Distribute the iFolder Client to users For more in...

Page 208: ...or Samba access can access the OES 2 server as they would any Windows server For instructions on implementing Samba see Installing Samba for OES 2 in the OES2 SP3 Samba Administration Guide 17 11 2 Ma...

Page 209: ...in NetWare 6 5 SP3 and earlier When you upgrade a NetWare server running NetWare Web Search Server to NetWare 6 5 Web Search Server is automatically upgraded to QuickFinder The upgrade identifies all...

Page 210: ...210 OES 2 SP3 Planning and Implementation Guide...

Page 211: ...Novell iPrint lets Linux Macintosh and Windows users Quickly locate network printers through a Web browser Easily install and configure a located printer through a native printer installation method P...

Page 212: ...tore and Broker and are not represented by objects in eDirectory Printer Objects These are eDirectory objects you create that store information about the printers available through iPrint The informat...

Page 213: ...for Windows users if needed The option to require authentication is not available for Linux and Macintosh users Although shown separately eDirectory could be installed on the OES 2 server Users with...

Page 214: ...Print on Your Server in the OES 2 SP3 iPrint for Linux Administration Guide In OES SP2 migrating iPrint services from a NetWare server to an OES 2 server is supported by the OES 2 Migration Tool For m...

Page 215: ...Printer in the OES 2 SP3 iPrint for Linux Administration Guide 5 Optional Create location based customized printing Web pages By default each iPrint installation includes the creation of a Default Pri...

Page 216: ...Print installation to reflect these changes After your installation is completed and users are printing you can monitor print performance by using the information located in Using the Print Manager He...

Page 217: ...f the hundreds of free Web applications that can be downloaded from the Internet Web and application services make it easy to build your own dynamic Web content and create customized Web database appl...

Page 218: ...218 OES 2 SP3 Planning and Implementation Guide...

Page 219: ...AppArmor Novell AppArmor provides easy to use application security for both servers and workstations You specify which files a program can read write and execute AppArmor enforces good application be...

Page 220: ...includes the following key features Industry standards It implements the recognized industry standards Certified It is FIPS 140 1 certified on selected platforms Cross platform support It is availabl...

Page 221: ...e OES online documentation Section 21 2 1 Comparing the Linux and the Novell Trustee File Security Models on page 221 Section 21 2 2 User Restrictions Some OES 2 Limitations on page 223 21 2 1 Compari...

Page 222: ...irectory are secure If users want to share files with others they can grant trustee assignments to the individual files or they can create a shared subdirectory and assign trustees to it Inheritance f...

Page 223: ...e no concurrent connection or address restrictions imposed For this reason you probably want to consider not enabling services such as SSH and FTP for LUM when setting up Linux User Management For mor...

Page 224: ...nagement Administration Guide Novell AFP Security Guidelines for AFP in the OES 2 SP3 Novell AFP For Linux Administration Guide Novell CIFS Security Guidelines for CIFS in the OES 2 SP3 Novell CIFS fo...

Page 225: ...rations for QuickFinder Server in the QuickFinder Server 5 0 Administration Guide SuSEfirewall2 Masquerading and Firewalls http www novell com documentation sles10 book_sle_reference data cha_fire htm...

Page 226: ...226 OES 2 SP3 Planning and Implementation Guide...

Page 227: ...prise Server 2 includes solutions that address each of these issues at no additional expense This section discusses the certificate management enhancements available in OES 2 and how simple and straig...

Page 228: ...alled Where Key and certificate files are installed in the following locations Table 22 1 File Locations Location Details etc ssl certs This is the default location of trusted root certificates for cl...

Page 229: ...f Provisioning in the Novell Certificate Server 3 3 4 Administration Guide PKI Health Check The PKI health check runs whenever the certificate server starts If you have enabled Server Self Provisionin...

Page 230: ...isioning be enabled as follows 1 On the server you are configuring in iManager Roles and Tasks click the Novell Certificate Access Configure Certificate Authority option 2 Click Enable server self pro...

Page 231: ...t 8 Click Save the Exported Certificate and save the file to the local disk noting the filename and location if they are indicated 9 Click Close OK 10 Find the file you just saved By default it is usu...

Page 232: ...cates from the servers in the tree 22 3 If You Don t Want to Use eDirectory Certificates For most organizations the eDirectory certificate solution in OES 2 is an ideal way to eliminate the security v...

Page 233: ...ices are configured to use eDirectory certificates The current service certificates and configurations are retained Upgrade from OES 2 or OES 2 SP1 The same option is used as when OES 2 was installed...

Page 234: ...234 OES 2 SP3 Planning and Implementation Guide...

Page 235: ...set of services that can be either added to an existing server or installed at the same time as SUSE Linux Enterprise Server 10 SP1 After OES 2 services are added we refer to the server as an OES 2 se...

Page 236: ...236 OES 2 SP3 Planning and Implementation Guide...

Page 237: ...is section assume that only the IP address of the server is changing They do not cover changing the DNS hostname of the server B 2 Prerequisites Section B 2 1 General on page 237 Section B 2 2 iPrint...

Page 238: ...ion of the server you are reconfiguring 3 Open the YaST Control Center 4 In Network Devices select Network Card 5 Confirm that the Old IP address you listed in Section B 2 1 General on page 237 is in...

Page 239: ...ces 3 Type the Admin password when prompted You might need to wait a few minutes for the LDAP server to restart 4 When the script finishes restart the server by entering the following command at the t...

Page 240: ...egenerate the QuickFinder index by completing the instructions in Creating Indexes in the OES 2 SP3 Novell QuickFinder Server 5 0 Administration Guide B 6 2 DHCP 1 Make sure the DHCP configuration...

Page 241: ...the domain name whose IP address is to be changed In this example it is the A record 2a Specify the Host Name using the search feature 2b Select the record and click Modify to change the IP address wi...

Page 242: ...name of the Reverse Lookup object will be 136_103_92_100_in addr_arpa OESSystemObjects nmfrd 3c Click iManager Directory Administration Modify Object Search and select the Reverse Lookup object from...

Page 243: ...newip c AuthenticationContext where newip is the new IP address used throughout this section and AuthenticationContext is the eDirectory context for NetStorage users NetStorage searches the eDirectory...

Page 244: ...244 OES 2 SP3 Planning and Implementation Guide...

Page 245: ...to date on all servers and workstations You can install product updates as they are made available through the ZENworks Linux Management update channel For instructions on setting up the ZENworks Linu...

Page 246: ...246 OES 2 SP3 Planning and Implementation Guide...

Page 247: ...users Users control who can participate in an iFolder and their access rights to the files in it Users can also participate in iFolders that others share with them Salvage and Purge By default all NSS...

Page 248: ...lity for OES Most of the SMS coexistence and migration issues are of concern only to backup application developers However administrators should be aware that SMS based applications must be used to ba...

Page 249: ...bDAV URL is case sensitive Novell Client 1 Install the Novell Client on a supported Windows workstation 2 Log in to eDirectory 3 Access NCP volumes on NetWare or Linux that you have the appropriate fi...

Page 250: ...250 OES 2 SP3 Planning and Implementation Guide...

Page 251: ...in Firefox Also iManager plug ins might not work properly if the highest priority Language setting for your Web browser is set to a language other than one of iManager s support languages To avoid pro...

Page 252: ...252 OES 2 SP3 Planning and Implementation Guide Tomcat Manager Managing Tomcat with Tomcat Admin in the NW 6 5 SP8 Tomcat Administration Guide Management Tool Supported Browser Information Link...

Page 253: ...crosoft Windows Vista Business 64 bit SP1 Microsoft Windows Vista Ultimate SP1 Microsoft Windows Vista Ultimate 64 bit SP1 Microsoft Windows Vista Enterprise SP1 Microsoft Windows Vista Enterprise 64...

Page 254: ...254 OES 2 SP3 Planning and Implementation Guide...

Page 255: ...he Apache Web Server rather than referencing the init script directly Archive and Version Services novell ark This lets you start stop restart and display the status of the Archive and Version Serv...

Page 256: ...de the novell xsrvd XTier Web Services daemon and also utilizes Tomcat services for certain other functions novell xregd is the init script for starting and stopping XTier s registry daemon It is part...

Page 257: ...configured NTP ntp This is the SLES 10 Network Time Protocol daemon OpenWBEM CIMOM owcimomd This is used to start the OpenWBEM CIMOM daemon which is an integral part of the iManager plug ins for LUM S...

Page 258: ...258 OES 2 SP3 Planning and Implementation Guide...

Page 259: ...7 System Users on page 280 Section I 8 System Groups on page 281 Section I 9 Auditing System Users on page 282 I 1 About System Users and Groups Regular network users rely on network services System...

Page 260: ...ername LUM_Proxy_user System Group Facilitate the management of system users Provide access rights to service data on the server or in the eDirectory tree DHCP DNSDHCP System User The daemons associat...

Page 261: ...ection I 2 4 What Rights Do Proxy Users Have on page 264 Iprint POSIX iprintgrp eDirectory System Group iPrint LUM proxy optional Proxy User Linux User Management named System User DNS ncsclient Syste...

Page 262: ...provides the Novell services that were previously only available on NetWare To make its services available on Linux Novell had to accommodate a fundamental difference between the way services run on...

Page 263: ...access DHCP objects in eDirectory DNS OESCommonProxy_hostname Or DNS_Proxy Lets the service access DNS objects in eDirectory iFolder 3 OESCommonProxy_hostname Or iFolderProxy IMPORTANT The Common Pro...

Page 264: ...ssage Server Read Not inheritable Root Group Membership Read Not inheritable Network Address Read Not inheritable In addition each proxy user is granted additional rights as summarized in Table I 4 NS...

Page 265: ...rship in the NCS_Management group to communicate with eDirectory on behalf of the clustering service DHCP DHCP_LDAP_Proxy No rights are assigned directly but membership in the DHCPGroup which does hav...

Page 266: ...Using a Common Proxy on page 268 Are There Important Limitations to Keep in Mind on page 269 NetStorage NetStorage_Proxy Additional eDirectory rights Entry Rights Browse LDAP ACL representation 1 sub...

Page 267: ...anual intervention required Prevent Password Expiration When proxy user passwords expire OES 2 services are interrupted leading to network user frustration and administrator headaches Automatic passwo...

Page 268: ...same as for the server for which the common proxy is created IMPORTANT If you specify a different context from the server the Organizational Unit that you specify must already exist in eDirectory Oth...

Page 269: ...Assigning the Common Proxy to Existing Services You can assign the common proxy user to any of the services listed in Services That Can Leverage the Common Proxy User on page 267 using the move_to_com...

Page 270: ...he following commands cd opt novell proxymgmt bin change_proxy_pwd sh A Yes By default the crontab job will run every 30 days I 4 Planning Your Proxy Users Because of the prominent role played by the...

Page 271: ...ding on which option you select Alternatively you can modify any of the defaults including the password Or if you have already created a proxy user you can specify that as well Clustering NCS OESCommo...

Page 272: ...as well The user must have the Read right to the LDAP service iFolder 3 OESCommonProxy_host name Or iFolderProxy IMPORTANT The Common Proxy user cannot be used if iFolder is running on a cluster node...

Page 273: ...ent proxy user you can specify that as well The user must have the Read right to the LDAP service NSS server_nameadmin This admin account must have full rights to administer NSS and must be unique to...

Page 274: ...hen admin users are assigned as proxy users Novell Support received a call from an administrator who was getting locked out due to intruder detection after changing the administrator password The lock...

Page 275: ...at a proxy user for the server is created before the server is installed If the Common Proxy User is not leveraged then for the first server in the tree eDirectory and iManager must be installed with...

Page 276: ...User As a Proxy User on page 274 Passwords Are Stored on the Server Of course all proxy user passwords are stored in eDirectory Table I 7 explains where they are stored on the server and how they can...

Page 277: ...mmon Proxy User passwords DHCP If the service specific proxy user is used the service specific password is stored in CASA if it is available If CASA is not available it is stored in the etc dhcpd conf...

Page 278: ...of when each password expires Before passwords expire change them in eDirectory and reset them on the server See the information in Table I 7 Changing Proxy Passwords Automatically You can configure...

Page 279: ...nd password while configuring the services on all of the OES servers in that tree I 5 2 Service Specific Proxy Users Do the following 1 Create a proxy user in the eDirectory tree for each type of OES...

Page 280: ...he user whenever the password is changed for that user However the DNS Proxy User is closely associated with DSfW and can leverage the Common Proxy User available in SP3 I 7 System Users SLES and OES...

Page 281: ...me and so the user has to be created in eDirectory as well named is used by default but any local user can be used ncsclient NCS Used by NCS to access the adminfs file system novell_nobody CIMOM This...

Page 282: ...NSS is installed on the Linux server this group is removed from the local system and created in eDirectory This is required because members of this group must have access to NSS data and all NSS acces...

Page 283: ...NMAS Events http www novell com documentation nmas33 admin data bwmt40o html Then refer to the Novell Sentinel Documentation http www novell com documentation sentinel6 for further instructions Privil...

Page 284: ...284 OES 2 SP3 Planning and Implementation Guide...

Page 285: ...default is Admin Container Admin eDirectory Admin User These administrators are usually responsible for administering within a partition or subtree They might be assigned only enough rights to instal...

Page 286: ...286 OES 2 SP3 Planning and Implementation Guide...

Page 287: ...ies that govern the users to ensure that they can access the different file services K 2 Concepts and Prerequisites Prerequisites for AFP CIFS and Samba access are explained in the following sections...

Page 288: ...s will be searched for during an authentication In a name mapped existing tree install if the context resides in a DSfW domain the context can be specified either in the domain name format Active Dire...

Page 289: ...ee but not a partition It is a container under the ou prv o widget partition OES NetWare Servers S1 S6 and S9 are OES servers S7 and S8 are NetWare servers File Services S1 S2 S3 and S4 are DSfW serve...

Page 290: ...ere the server is being installed This need not be the tree administrator K 3 2 Example 2 Mutually Exclusive Users File Services on page 290 Users on page 290 In this scenario the setup of the tree an...

Page 291: ...lation is the same as for the Forest Root Domain FRD The tree is named as per domain naming standards Samba is installed as part of DSFW installation Neither AFP nor Novell CIFS can be installed confi...

Page 292: ...decide whether these servers should be installed on a new domain or as additional domain controllers during capacity planning and deployment design Follow the OES 2 SP3 Domain Services for Windows Ad...

Page 293: ...4 4 Modifying User Password Policies after AFP CIFS Samba DSfW Is Installed After a new password policy is assigned to an AFP CIFS Samba or DSfW user rerun the YaST based configuration and select the...

Page 294: ...294 OES 2 SP3 Planning and Implementation Guide...

Page 295: ...is supported on NCP and POSIX volumes Although that functionality was initially planned and Novell hopes to add support for additional volume and file system types in a future release DST is currentl...

Page 296: ...two SLP services see Table 12 4 on page 112 they are completely compatible regarding the sharing of service information Chapter or Section Changed Summary of Changes Changing the Server s Address Conf...
