Главная
/
Novell
/
LINUX ENTERPRISE SERVER 10 - INSTALLATION AND ADMINISTRATION 11-05-2007
/
Руководство по установке

Novell LINUX ENTERPRISE SERVER 10 - INSTALLATION AND ADMINISTRATION 11-05-2007, Руководство по установке

Поделиться

Страница: 907 / 982

Novell LINUX ENTERPRISE SERVER 10 - INSTALLATION AND ADMINISTRATION 11-05-2007 Скачать руководство пользователя страница 907

49.2 Some General Security Tips and

Tricks

To handle security competently, it is important to keep up with new developments and
stay informed about the latest security issues. One very good way to protect your systems
against problems of all kinds is to get and install the updated packages recommended
by security announcements as quickly as possible. SUSE security announcements are
published on a mailing list to which you can subscribe by following the link

http://

www.novell.com/linux/security/securitysupport.html

. The list

[email protected]

is a first-hand source of information re-

garding updated packages and includes members of SUSE's security team among its
active contributors.

The mailing list

[email protected]

is a good place to discuss any security

issues of interest. Subscribe to it on the same Web page.

[email protected]

is one of the best-known security mailing lists

worldwide. Reading this list, which receives between 15 and 20 postings per day, is
recommended. More information can be found at

http://www.securityfocus

.com

.

The following is a list of rules you may find useful in dealing with basic security con-
cerns:

• According to the rule of using the most restrictive set of permissions possible for

every job, avoid doing your regular jobs as

root

. This reduces the risk of getting

a cuckoo egg or a virus and protects you from your own mistakes.

• If possible, always try to use encrypted connections to work on a remote machine.

Using

ssh

(secure shell) to replace

telnet

,

ftp

,

rsh

, and

rlogin

should be

standard practice.

• Avoid using authentication methods based on IP addresses alone.

• Try to keep the most important network-related packages up-to-date and subscribe

to the corresponding mailing lists to receive announcements on new versions of
such programs (bind, sendmail, ssh, etc.). The same should apply to software rele-
vant to local security.

Security and Confidentiality

889

«
...
905
906
907
908
909
...
»

Содержание LINUX ENTERPRISE SERVER 10 - INSTALLATION AND ADMINISTRATION 11-05-2007

Страница 1: ...SUSE Linux Enterprise Server www novell com 10 May 11 2007 Installation and Administration...

Страница 2: ...That this manual specifically for the printed format is reproduced and or distributed for noncommercial use only The express authorization of Novell Inc must be obtained prior to any other use of any...

Страница 3: ...s 7 2 2 Deploying up to 100 Workstations 9 2 3 Deploying More than 100 Workstations 16 3 Installation with YaST 17 3 1 IBM System z System Start Up for Installation 17 3 2 System Start Up for Installa...

Страница 4: ...ing the Master Machine 100 6 2 Customizing the firstboot Installation 100 6 3 Cloning the Master Installation 108 6 4 Personalizing the Installation 109 7 Advanced Disk Setup 111 7 1 LVM Configuration...

Страница 5: ...234 11 3 For More Information 254 12 Mass Storage over IP Networks iSCSI 257 12 1 Setting Up an iSCSI Target 257 12 2 Configuring iSCSI Initiator 262 13 Oracle Cluster File System 2 267 13 1 Overview...

Страница 6: ...Information 328 16 9 Time and Date 329 17 Working with the Shell 331 17 1 Getting Started with the Bash Shell 332 17 2 Users and Access Permissions 343 17 3 Important Linux Commands 347 17 4 The vi E...

Страница 7: ...g the Virtualization Host Server 427 22 5 Managing Virtual Machines 428 22 6 Creating Virtual Machines 431 22 7 Windows Server 2003 Virtual Machines 432 22 8 For More Information 433 23 Printer Operat...

Страница 8: ...figuring the X Window System 481 26 2 Installing and Configuring Fonts 488 26 3 For More Information 493 27 Authentication with PAM 495 27 1 Structure of a PAM Configuration File 496 27 2 The PAM Conf...

Страница 9: ...ion with NTP 603 32 1 Configuring an NTP Client with YaST 603 32 2 Configuring xntp in the Network 607 32 3 Setting Up a Local Reference Clock 607 33 The Domain Name System 609 33 1 DNS Terminology 60...

Страница 10: ...rver in the Network with Active Directory 705 37 7 Migrating a Windows NT Server to Samba 707 37 8 For More Information 709 38 Sharing File Systems with NFS 711 38 1 Installing the Required Software 7...

Страница 11: ...n with Calamaris 797 41 9 For More Information 798 Part V Security 799 42 Managing X 509 Certification 801 42 1 The Principles of Digital Certification 801 42 2 YaST Modules for CA Management 806 43 M...

Страница 12: ...rberos 855 46 10 Configuring SSH for Kerberos Authentication 856 46 11 Using LDAP and Kerberos 857 47 Encrypting Partitions and Files 861 47 1 Setting Up an Encrypted File System with YaST 862 47 2 Us...

Страница 13: ...Documentation 902 50 8 Usenet 903 50 9 Standards and Specifications 903 51 Common Problems and Their Solutions 907 51 1 Finding and Gathering Information 907 51 2 Installation Problems 910 51 3 Boot P...

Страница 14: ......

Страница 15: ...eployment strategy and disk setup that is best suited for your scenario Learn how to install your system manually how to use network installation setups and how to perform an autoinstal lation Configu...

Страница 16: ...and suggestions about this manual and the other doc umentation included with this product Please use the User Comments feature at the bottom of each page of the online documentation and enter your com...

Страница 17: ...www novell com documentation sled10 index html The following manuals are exclusively available for SUSE Linux Enterprise Desktop GNOME User Guide A comprehensive guide to the GNOME desktop and its mos...

Страница 18: ...ey combination keys are shown in uppercase as on a keyboard File File Save As menu items buttons amd64 ipf This paragraph is only relevant for the specified architectures The arrows mark the beginning...

Страница 19: ...Part I Deployment...

Страница 20: ......

Страница 21: ...information see Chapter 22 Virtualization page 421 YaST Several new configuration options have been developed for YaST These are nor mally described in the chapters about the technology involved CIM M...

Страница 22: ...e Systems with NFS page 711 Oracle Cluster File System 2 OCFS2 is a general purpose journaling file system that is fully integrated in the Linux 2 6 kernel and later Find an overview of OCFS2 in Chapt...

Страница 23: ...r your local installation Novell provides training support and consulting for all topics around SUSE Linux Enterprise Find more information about this at http www novell com products linuxenterprisese...

Страница 24: ...tware installation you should consider training the end users of the systems as well as help desk staff 1 3 Running SUSE Linux Enterprise The SUSE Linux Enterprise operating system is a well tested an...

Страница 25: ...x Enterprise is a plain manual installation as featured in Chapter 3 Installation with YaST page 17 Manual installa tion can be done in several different ways depending on your requirements Installing...

Страница 26: ...talling from the SUSE Linux En terprise Media page 19 Details Table 2 2 Installing from a Network Server Using SLP Network installation server holding the SUSE Linux Enterprise installation media Inst...

Страница 27: ...manually There are many automated or semiautomated approaches as well as several options to perform an installation with minimal to no physical user interaction Before considering a fully automated a...

Страница 28: ...LAN page 13 Consider this approach in a small to medium scenario that should be installed via network and without physical interaction with the installation targets A network a network installation se...

Страница 29: ...y Physical access is needed for booting Section 4 1 1 Simple Remote Installation via VNC Static Network Configuration page 44 Details Table 2 5 Simple Remote Installation via VNC Dynamic Network Confi...

Страница 30: ...Small to medium scenarios with varying hardware Completely remote installs cross site deployment Each machine must be set up manually Drawbacks Section 4 1 3 Remote Installation via VNC PXE Boot and...

Страница 31: ...the installation source Booting from installation media Remote SSH Control and Monitoring Best Suited For Small to medium scenarios with varying hardware Low bandwidth connections to target Drawbacks...

Страница 32: ...ally Drawbacks Section 4 1 6 Remote Installation via SSH PXE Boot and Wake on LAN page 51 Details Table 2 10 Simple Mass Installation Preferably network Installation Source Preparations Gathering hard...

Страница 33: ...bly network Installation Source Preparations Gathering hardware information Creating AutoYaST profiles Creating AutoYaST rules Setting up the installation server Distributing the profile Setting up ne...

Страница 34: ...ever with a growing number of installation targets the benefits of a fully automated installation method outweigh its disadvantages It pays off to invest a considerable amount of time to create a soph...

Страница 35: ...s described in the Archi tecture Specific Information manual SUSE Linux Enterprise does not show a splash screen on these systems During the installation load the kernel initrd and parmfile manually Y...

Страница 36: ...e 18 Table 3 1 Boot Options Description Boot Option This is the easiest boot option This option can be used if the system has a local CD ROM drive that is supported by Linux CD ROM The images for gene...

Страница 37: ...P and configures the network connection with DHCP If the DHCP network configuration fails you are prompted to enter the appropriate parameters manually The installation then proceeds normally 3 2 4 In...

Страница 38: ...PI Dis abled or Installation Safe Settings Installation Safe Settings Boots the system with the DMA mode for CD ROM drives and power management functions disabled Experts can also use the command line...

Страница 39: ...s press Esc to see the messages and copyright notices At the end of the loading process the YaST installation program starts After a few more seconds the screen should display the graphical installer...

Страница 40: ...channels to display To filter the list according to such a range select Filter See Figure 3 1 IBM System z Selecting a DASD page 22 Figure 3 1 IBM System z Selecting a DASD Now specify the DASDs to u...

Страница 41: ...ZFCP disks available on the system In this dialog select Add to open another dialog in which to enter ZFCP parameters See Figure 3 3 IBM System z Overview of Available ZFCP Disks page 23 To make a ZFC...

Страница 42: ...n thoroughly If you agree to the terms choose Yes I Agree to the License Agreement and click Next to confirm your selection If you do not agree to the license agreement you cannot install SUSE Linux E...

Страница 43: ...ystem To include add on products during the installation of SUSE Linux Enterprise select Include Add On Products from Separate Media and click Next In the next dialog click Add to select the source fr...

Страница 44: ...egory to change After configuring any of the items presented in these dialogs you are always returned to the summary window which is updated accordingly TIP Resetting the Installation Summary to the D...

Страница 45: ...the next dialog For completely different partitioning select Create Custom Partition Setup In the next dialog choose the disk to partition or Custom Partitioning The YaST partitioner provides tools f...

Страница 46: ...prise is GNOME To install KDE click Software and select KDE Desktop Environment from Graphical Environments Figure 3 5 Installing and Removing Software with the YaST Package Manager 3 9 4 Language To...

Страница 47: ...add remove or modify add on products here if needed Booting zseries This module cannot be used to configure the boot loader zipl on the IBM System z platforms During installation YaST proposes a boot...

Страница 48: ...M System z IPLing the Installed System On the IBM System z platforms another IPL must be performed after installing the selected software packages However the procedure varies according to the type of...

Страница 49: ...apable browser enter the complete URL consisting of the IP address of the installed system along with the port number in the following fashion http IP of installed system 5801 Using X to Connect When...

Страница 50: ...working Internet connection you can perform an update of the system as part of the installation You can also configure an authentication server for centralized user administration in a local network...

Страница 51: ...address 127 0 0 2 to the name both with and without the domain To change hostname settings at any time after installation use YaST Network Devices Network Card For more information see Section 30 4 1...

Страница 52: ...s modified To adapt the auto matic settings to your own preferences click Change Firewall In the dialog that opens determine whether the firewall should be started If you do not want the firewall to b...

Страница 53: ...g online If you have multiple network interfaces in your system verify that the the desired card is used to connect to the Internet To do so click Change device 3 11 4 Customer Center To get technical...

Страница 54: ...tallation see Section 8 3 5 YaST Online Update page 136 If YaST was able to connect to the SUSE Linux Enterprise servers select whether to perform a YaST online update If there are any patched package...

Страница 55: ...manage a range of configuration files Typically an LDAP server handles user account data but with SUSE Linux Enterprise it can also be used for mail DHCP and DNS data By default an LDAP server is set...

Страница 56: ...if no network is available If YaST found a former version of SUSE Linux Enterprise or another system using etc passwd it offers the possibility to import local users To do so check Read User Data from...

Страница 57: ...3 11 9 Release Notes After completing the user authentication setup YaST displays the release notes Reading them is advised because they contain important up to date information that was not availabl...

Страница 58: ...es by clicking Change Reset to Defaults YaST then shows the original proposal again 3 11 11 Completing the Installation After a successful installation YaST shows the Installation Completed dialog In...

Страница 59: ...Linux Enterprise is now installed Unless you enabled the automatic login function or customized the default runlevel you should see the graphical login on your screen in which to enter a username and...

Страница 60: ......

Страница 61: ...installation scenarios NOTE In the following sections the system to hold your new SUSE Linux Enterprise installation is referred to as target system or installation target The term instal lation sour...

Страница 62: ...e sure that the following requirements are met Remote installation source NFS HTTP FTP or SMB with working network connection Target system with working network connection Controlling system with work...

Страница 63: ...er and connect to the target system as described in Section 4 5 1 VNC Installation page 77 5 Perform the installation as described in Chapter 3 Installation with YaST page 17 Reconnect to the target s...

Страница 64: ...ppears use the boot options prompt to set the appropriate VNC options and the address of the installation source This is described in detail in Section 4 4 Booting the Target System for Instal lation...

Страница 65: ...fox Konqueror Internet Explorer or Opera To perform this type of installation proceed as follows 1 Set up the installation source as described in Section 4 2 Setting Up the Server Holding the Installa...

Страница 66: ...boot for installation and to determine the IP address of the installation target The installation itself is entirely controlled from a remote workstation using SSH to connect to the installer User int...

Страница 67: ...ment giving the network address under which the graphical installation environment can be addressed by any SSH client 4 On the controlling workstation open a terminal window and connect to the target...

Страница 68: ...tem using the first CD or DVD of the SUSE Linux Enterprise media kit 3 When the boot screen of the target system appears use the boot options prompt to pass the appropriate parameters for network conn...

Страница 69: ...described in Section 4 2 Setting Up the Server Holding the Installation Sources page 52 Choose an NFS HTTP or FTP network server For the configuration of an SMB installation source refer to Section 4...

Страница 70: ...iguration The easiest way to set up an installation server is to use YaST on SUSE Linux Enterprise Server 9 or 10 orSUSE Linux 9 3 and higher On other versions of SUSE Linux Enter prise Server or SUSE...

Страница 71: ...in the previous step define wild cards and export options The NFS server will be accessible under nfs Server IP Name Details of NFS and exports can be found in Chapter 38 Sharing File Systems with NFS...

Страница 72: ...every time the system is started No further intervention is re quired You only need to configure and start this service correctly by hand if you have deactivated the automatic configuration of the se...

Страница 73: ...ion server di rectory cp a media path_to_your_CD ROM_drive Replace path_to_your_CD ROM_drive with the actual path under which your CD or DVD drive is addressed Depending on the type of drive used in y...

Страница 74: ...ile etc exports and enter the following line productversion ro root_squash sync This exports the directory productversion to any host that is part of this network or to any host that can connect to th...

Страница 75: ...ork page 599 4 2 3 Setting Up an FTP Installation Source Manually Creating an FTP installation source is very similar to creating an NFS installation source FTP installation sources can be announced o...

Страница 76: ...n Server service install suse ftp HOSTNAME srv ftp instsource CD1 en 65535 description FTP Installation Source Replace instsource with the actual name to the installation source direc tory on your ser...

Страница 77: ...uration file of the HTTP server etc apache2 default server conf to make it follow symbolic links Replace the following line Options None with Options Indexes FollowSymLinks 2e Reload the HTTP server c...

Страница 78: ...TALL for example 3 Export this share according the procedure outlined in your Windows documenta tion 4 Enter this share and create a subfolder called product Replace product with the actual product na...

Страница 79: ...nually page 57 or Section 4 2 4 Setting Up an HTTP Installation Source Manually page 58 4 Create subdirectories for each CD or DVD 5 To mount and unpack each ISO image to the final location issue the...

Страница 80: ...Setting Up a DHCP Server with YaST To announce the TFTP server s location to the network clients and specify the boot image file the installation target should use add two declarations to your DHCP se...

Страница 81: ...get machine 1 Log in as root to the machine hosting the DHCP server 2 Append the following lines to your DHCP server s configuration file located under etc dhcpd conf group PXE related stuff next serv...

Страница 82: ...you to connect to the system via SSH 4 3 2 Setting Up a TFTP Server Set up a TFTP server with YaST on SUSE Linux Enterprise Server and SUSE Linux Enterprise or set it up manually on any other Linux op...

Страница 83: ...te files needed for the boot image as described in Section 4 3 3 Using PXE Boot page 66 4 Modify the configuration of xinetd located under etc xinetd d to make sure that the TFTP server is started on...

Страница 84: ...ux pxelinux 0 file to the srv tftpboot directory by entering the following cp a usr share syslinux pxelinux 0 srv tftpboot 4 Change to the directory of your installation repository and copy the isolin...

Страница 85: ...installation routines such as SSH or VNC boot parameters append them to the install entry An overview of parameters and some examples are given in Section 4 4 Booting the Target System for Installatio...

Страница 86: ...ith the values used in your setup The following section serves as a short reference to the PXELINUX options used in this setup Find more information about the options available in the documen tation o...

Страница 87: ...of the file before the first LABEL command The default for image is the same as label and if no APPEND is given the default is to use the global entry if any Up to 128 LABEL entries are permitted Note...

Страница 88: ...s of 1 10 second The time out is canceled as soon as the user types anything on the keyboard assuming the user will complete the command begun A time out of zero disables the time out completely this...

Страница 89: ...to the installation Also note down the MAC address of the target system This data is needed to initiate Wake on LAN 4 3 7 Wake on LAN Wake on LAN allows a machine to be turned on by a special network...

Страница 90: ...ement and install the package netdiag 3 Open a terminal and enter the following command as root to wake the target ether wake mac_of_target Replace mac_of_target with the actual MAC address of the tar...

Страница 91: ...fers some advanced functionality needed in some setups Using the F keys you can specify additional options to pass to the installation routines without having to know the detailed syntax of these para...

Страница 92: ...ptions is easier In some automated setups the boot options can be provided with initrd or an info file The following table lists all installation scenarios mentioned in this chapter with the required...

Страница 93: ...k Gateway ed if several network de vices are available VNC enablement VNC password hostip some_ip netmask some _netmask gateway ip_gateway vnc 1 vncpassword some _password Section 4 1 2 Simple Remote...

Страница 94: ...d hostip some_ip netmask some _netmask gateway ip_gateway usessh 1 sshpassword some _password Section 4 1 5 Simple Remote Installation via install nfs http ftp smb path_to _instmedia Location of the i...

Страница 95: ...ll you need to do on the installation target to prepare for a VNC installation is to provide the appropriate boot options at the initial boot for installation see Section 4 4 3 Using Custom Boot Optio...

Страница 96: ...or Mac OS On a Linux machine make sure that the package tightvnc is installed On a Windows machine install the Windows port of this application which can be obtained at the TightVNC home page http ww...

Страница 97: ...ons to enable SSH for installation See Section 4 4 3 Using Custom Boot Options page 74 for details OpenSSH is installed by default on any SUSE Linux based operating system Connecting to the Installati...

Страница 98: ...ion After you have successfully authenticated a command line prompt for the installation target appears 5 Enter yast to launch the installation program A window opens showing the normal YaST screens a...

Страница 99: ...SUSE Linux Enterprise to a set of machines with exactly the same hardware configuration To prepare for an AutoYaST mass installation proceed as follows 1 Create an AutoYaST profile that contains the i...

Страница 100: ...s Clone a fresh installation from a reference machine to a set of identical machines Use the AutoYaST GUI to create and modify a profile to meet your requirements Use an XML editor and create a profil...

Страница 101: ...rite it to a new profile 6 To proceed choose one of the following If the profile is complete and matches your requirements select File Save as and enter a filename for the profile such as autoinst xml...

Страница 102: ...ake the profile location known to the installation routines on the client The location of the profile is passed to the installation routines by means of the boot prompt or an info file that is loaded...

Страница 103: ...riggers a search for the con trol file on any USB attached device autoyast usb path USB Flash Disk Has the installation routines retrieve the control file from an NFS server autoyast nfs server path N...

Страница 104: ...ine the location of the profile in the following way 1 YaST searches for the profile using its own IP address in uppercase hexadecimal for example 192 0 2 91 is C000025B 2 If this file is not found Ya...

Страница 105: ...and PXE the boot image and control file can be pulled in via TFTP and the installation sources from any network installation server Bootable CD ROM You can use the original SUSE Linux Enterprise medi...

Страница 106: ...several ways in which booting from CD ROM can come into play in Auto YaST installations Choose from the following scenarios Boot from SUSE Linux Enterprise Media Get the Profile over the Network Use...

Страница 107: ...ing both the installa tion data and the profile itself might prove a good idea especially if no network is available in your setup 5 1 5 Creating the info File The installation routines at the target...

Страница 108: ...ests Only needed if several network devices are available netdevice When empty the client sends a BOOTP request Otherwise the client is configured using the specified data hostip Netmask netmask Gatew...

Страница 109: ...ble to linuxrc in various different ways As a file in the root directory of a floppy that is in the client s floppy drive at instal lation time As a file in the root directory of the initial RAM disk...

Страница 110: ...ding on the scenario chosen for booting and monitoring the process physical interaction with the client may be needed If the client system boots from any kind of physical media either product media or...

Страница 111: ...le to match a heterogeneous scenario by merging several profiles into one Each rule describes one particular distinctive feature of your setup such as disk size and tells AutoYaST which profile to use...

Страница 112: ...5 2 2 Example Scenario for Rule Based Autoinstallation page 95 3 Determine the source of the AutoYaST profile and the parameter to pass to the installation routines as described in Section 5 1 2 Dist...

Страница 113: ...int Server This machine just needs a minimal installation without a desktop environment and a limited set of software packages Workstations in the Engineering Department These machines need a desktop...

Страница 114: ...s Eng Profile Sales Profile Print Server Profile Rule 1 Rule 2 Rule 3 Enigineering Department Computers Sales Department Laptops Print Server AutoYaST Directory Merge Process rules xml File 96 Install...

Страница 115: ...rtment software selection 3 If none of the above is true consider the machine a developer workstation and install accordingly Roughly sketched this translates into a rules xml file with the following...

Страница 116: ...y specified in the autoyast protocol serverip profiles URL AutoYaST looks for a rules subdirectory containing a file named rules xml first then loads and merges the profiles specified in the rules fil...

Страница 117: ...rsonalizing the final product involves the following steps 1 Prepare the master machine whose disk should be cloned to the client machines For more information refer to Section 6 1 Preparing the Maste...

Страница 118: ...5 page 100 5 Enable firstboot as root 5a Create an empty file etc reconfig_system to trigger firstboot s exe cution This file is deleted once the firstboot configuration has been success fully accompl...

Страница 119: ...etc sysconfig firstboot Configure various aspects of firstboot such as release notes scripts and license actions etc YaST2 firstboot xml Configure the installation workflow by enabling or disabling c...

Страница 120: ...ysconfig firstboot configuration file Proceed in a similar way to configure customized license and finish messages These variables are FIRSTBOOT_LICENSE_DIR and FIRSTBOOT_FINISH_FILE 6 2 2 Customizing...

Страница 121: ...n release notes file Use the RTF format as in the example file in usr share doc release notes and save the result as RELEASE NOTES lang rtf 2 Store optional localized version next to the original vers...

Страница 122: ...nstallation workflow In it see the basic syntax of the firstboot configuration file and how the key elements are configured Example 6 1 Configuring the Proposal Screens proposals config type list prop...

Страница 123: ...t workflow defaults enable_back yes enable_back enable_next yes enable_next archs all archs defaults stage firstboot stage label Configuration label mode installation mode list of modules modules work...

Страница 124: ...oot instal lation proceed as follows 1 Open the firstboot configuration file at etc YaST2 firstboot xml 2 Delete or add proposal screens or change the order of the existing ones To delete an entire pr...

Страница 125: ...me firstboot_timezone name module 3 Apply your changes and close the configuration file To add a custom made module to the workflow proceed as follows 1 Create your own YaST module and store the modul...

Страница 126: ...ts firstboot can be configured to execute additional scripts after the firstboot workflow has been completed To add additional scripts to the firstboot sequence proceed as follows 1 Open the etc sysco...

Страница 127: ...page 103 Only the components included in the firstboot workflow configuration are started Any other installation steps are skipped The end user adjusts language keyboard network and password settings...

Страница 128: ......

Страница 129: ...er also supports multipath I O For details see the chapter about multipath I O in Storage Ad ministration Guide Starting with SUSE Linux Enterprise 10 there is also the option to use iSCSI as a networ...

Страница 130: ...titioning can be found in Section Par tition Types page 151 and Section 8 5 7 Using the YaST Partitioner page 149 Figure 7 1 Physical Partitioning versus LVM PART PART PART PART PART DISK PART PART PA...

Страница 131: ...atabases music archives or user directories LVM is just the right thing for you This would allow file systems that are larger than the physical hard disk Another advantage of LVM is that up to 256 LVs...

Страница 132: ...stem yet you are prompted to add one see Fig ure 7 2 Creating a Volume Group page 114 It is possible to create additional groups with Add group but usually one single volume group is sufficient system...

Страница 133: ...olume groups Only volume groups that do not have any partitions assigned can be deleted All partitions that are assigned to a volume group are also referred to as a physical volumes PV Figure 7 3 Phys...

Страница 134: ...ume group Figure 7 4 Logical Volume Management To create a new logical volume click Add and fill out the pop up that opens As for partitioning enter the size file system and mount point Normally a fil...

Страница 135: ...have already configured LVM on your system the existing logical volumes can be entered now Before continuing assign appropriate mount points to these logical volumes too With Next return to the YaST...

Страница 136: ...ng the following storage resources Physical disks and logical devices on local media and SAN based media including iSCSI Software RAIDs 0 1 4 and 5 for high availability Cluster aware multipath I O fo...

Страница 137: ...in dev evms md To activate EVMS at boot time add boot evms to the boot scripts in the YaST runlevel editor See also Section 19 2 3 Configuring System Services Runlevel with YaST page 382 For More Info...

Страница 138: ...a RAID because it does not provide data backup but the name RAID 0 for this type of system has become the norm With RAID 0 two or more hard disks are pooled together The performance is very good but...

Страница 139: ...h RAID 5 no more than one hard disk can fail at the same time If one hard disk fails it must be replaced as soon as pos sible to avoid the risk of losing data Other RAID Levels Several other RAID leve...

Страница 140: ...is already assigned to a RAID volume the name of the RAID device for example dev md0 is shown in the list Unassigned partitions are indicated with Figure 7 6 RAID Partitions To add a previously unass...

Страница 141: ...roubleshooting Check the file proc mdstats to find out whether a RAID partition has been de stroyed In the event of a system failure shut down your Linux system and replace the defective hard disk wit...

Страница 142: ...ta bookinfo html usr share doc packages mdadm Software RAID HOWTO html http en tldp org HOWTO Software RAID HOWTO html Linux RAID mailing lists are also available such as http marc theaimsgroup com l...

Страница 143: ...start the YaST Control Center from the main menu Before YaST starts you are prompted to enter the root password because YaST needs system ad ministrator permissions to change the system files To start...

Страница 144: ...ble set to your preferred language Use a long language code in the format langcode_statecode For example for American English enter LANG en_US yast2 This command starts YaST using the specified langua...

Страница 145: ...ettings complete the pro cedure by pressing Accept on the last page of the configuration dialog The configuration is then saved Figure 8 1 The YaST Control Center 8 3 Software 8 3 1 Installing and Rem...

Страница 146: ...a symbol in a status box at the beginning of the line Change the status by clicking or selecting the desired status from the menu that opens when the item is right clicked Depending on the current sit...

Страница 147: ...kages To display all packages on your installation media use the filter Package Groups and select zzz All at the bottom of the tree SUSE Linux Enterprise contains a number of packages and it might tak...

Страница 148: ...ted source To restrict the list use a secondary filter To view a list of the all installed packages from the selected installation source select the filter Installation Sources then select Installatio...

Страница 149: ...alled packages is marked for deletion the package manager issues an alert with detailed information and alternative solutions Reinstalling Packages If you find damaged files that belong to package or...

Страница 150: ...program packages by subjects such as applications development and hardware in a tree structure to the left The more you expand the branches the more specific the selection is This means fewer packages...

Страница 151: ...tem and displays installed pack ages When you select to install and remove packages the package manager can auto matically check the dependencies and select any other required packages resolution of d...

Страница 152: ...w the suggestions of YaST when handling package conflicts because otherwise the stability and functionality of your system could be endangered by the existing conflict Figure 8 3 Conflict Management o...

Страница 153: ...developer novell com wiki index php Creating_Add On_Media_with_YaST Find technical background information at http developer novell com wiki index php Creating_Add Ons 8 3 3 Selecting the Installation...

Страница 154: ...logs use the Software Installation Source module described in Section 8 3 3 Selecting the Installation Source page 135 NOTE Before starting the update of SUSE Linux Enterprise configure the Novell Cus...

Страница 155: ...symbol and the patch name For a list of possible symbols press Shift F1 New patches that are not yet installed are marked with a small arrow in front of the symbol Patches that are already installed a...

Страница 156: ...to install patches that require interaction When Only Download Patches is checked the patches are downloaded at the specified time but not installed They must be installed manually The patches are do...

Страница 157: ...Installed Packages This option merely updates packages that already exist on the system No new features are installed Additionally you can use Delete Outdated Packages to remove packages that do not e...

Страница 158: ...adopt any personal settings of the installed packages In most cases YaST replaces old versions with new ones without problems A backup of the existing system should be performed prior to updating to e...

Страница 159: ...tomatically detected by YaST and the technical data is displayed If the automatic detection fails YaST offers a list of devices model vendor etc from which to select the suitable device Consult the do...

Страница 160: ...urrent settings work before they are saved permanently in the system WARNING Configuration of the Hard Disk Controller It is advised to test the settings before making them permanent in the system Inc...

Страница 161: ...s that your data can be transferred directly to the RAM bypassing the processor control 8 4 7 IBM System z DASD Devices To add a DASD to the installed system there are two possibilities YaST To add a...

Страница 162: ...e list provided If your joystick is not listed select Generic Analog Joystick After selecting your joystick make sure that it is connected then click Test to test the functionality Click Continue and...

Страница 163: ...eyboard Layout Find information about the graphical configuration in Section 8 14 3 Keyboard Properties page 190 8 4 11 Mouse Model When configuring the mouse for the graphical environment click Mouse...

Страница 164: ...hare doc packages alsa cards txt and at http www alsa project org alsa doc After making your se lection click Next 2 In Sound Card Configuration choose the configuration level in the first setup scree...

Страница 165: ...ck Other to customize one of the following options manually Volume Use this dialog for setting the volume Start Sequencer For playback of MIDI files check this option Set as Primary Card Click Set as...

Страница 166: ...dates and files not belonging to packages such as many of the configuration files in etc or the directories under home 8 5 2 Restoration With System System Restoration restore your system from a backu...

Страница 167: ...lume management system EVMS is like LVM a tool for custom partitioning and grouping of hard disks into virtual volumes It is flexible extensible and can be tailored using a plug in model to individual...

Страница 168: ...or sda for the first recognized device All existing or suggested partitions on all connected hard disks are displayed in the list of the YaST Expert Partitioner dialog Entire hard disks are listed as...

Страница 169: ...sists of a continuous range of cylinders physical disk areas assigned to a particular operating system With primary partitions only you are limited to four partitions per hard disk because more do not...

Страница 170: ...tup require them For details of the options available refer to Section Editing a Partition page 152 5 Click OK Apply to apply your partitioning setup and leave the partitioning module If you created t...

Страница 171: ...eed because the encryption takes some time More information about the encryption of file systems is provided in Chapter 47 Encrypting Partitions and Files page 861 Fstab Options Here specify various p...

Страница 172: ...re which is needed for executing programs from the location However to run programs from there you can enter this option manually This measure is necessary if you encounter system messages such as bad...

Страница 173: ...physical partition 8 5 8 PCI Device Drivers TIP IBM System z Continuing For IBM System z continue with Section 8 5 12 System Services Runlevel page 157 Each kernel driver contains a list of device ID...

Страница 174: ...p a PCI ID Click OK to save your changes To edit a PCI ID select the device driver from the list and click Edit Edit the information and click OK to save your changes To delete an ID select the driver...

Страница 175: ...evertheless this feature is useful even for stationary machines because it enables the use of various hardware components or test configura tions 8 5 12 System Services Runlevel Configure runlevels an...

Страница 176: ...stly use local time Set the current system time and date with Change In the dialog that opens modify the time and date by entering new values or adjusting them with the arrow buttons Press Apply to sa...

Страница 177: ...le in the main list These settings are written into the file etc sysconfig language 8 6 Network Devices All network devices connected to the system must be initialized before they can be used by a ser...

Страница 178: ...end your e mail with sendmail postfix or the SMTP server of your provider You can fetch mail via the fetchmail program for which you can also enter the details of the POP3 or IMAP server of your provi...

Страница 179: ...Configuration The mail server module of SUSE Linux Enterprise only works if the users groups and the DNS and DHCP services are managed with LDAP The mail server module allows configuration of SUSE Lin...

Страница 180: ...mail Vir tual mail addresses are set up in the user management module of YaST 8 7 3 Other Available Services Many other network modules are available in YaST Network Services DHCP Server Use this to...

Страница 181: ...on 46 6 Configuring a Kerberos Client with YaST page 849 LDAP Client If using LDAP for user authentication in the network configure the client in LDAP Client Information about LDAP and a detailed desc...

Страница 182: ...requires a lot of maintenance In this case administer user data on a central server and distribute it to the clients from there NIS is one option for this Detailed information about NIS and its confi...

Страница 183: ...a VNC client in Section 4 1 1 Simple Remote Installation via VNC Static Network Configu ration page 44 Allow remote administration by selecting Allow Remote Administration in Remote Administration Se...

Страница 184: ...nfiguration with YaST are described in Section 4 3 2 Setting Up a TFTP Server page 64 WOL WOL wake on LAN refers to the possibility of waking up a computer from standby mode over the network using spe...

Страница 185: ...pability Consequently several users can work independently on the same Linux system Each user has a user account identified by a login name and a personal password for logging in to the system All use...

Страница 186: ...assword expiration length and expiration warnings use the Password Settings tab 5 Write the user account configuration by clicking Accept The new user can immediately log in with the created login nam...

Страница 187: ...s with Accept To create an encrypted home for an existing user proceed as follows 1 Select a user from the list and click Edit 2 In the Details tab enable Use Encrypted Home Directory 3 Enter the pass...

Страница 188: ...s Then uncheck Auto Login and click OK Login without a Password WARNING Allowing Login without a Password Using the passwordless login feature on any system that can be physically ac cessed by more th...

Страница 189: ...Data 3 Apply your settings with Accept Enforcing Password Policies On any system with multiple users it is a good idea to enforce at least basic password security policies Users should change their p...

Страница 190: ...tion Date is given the user account never expires Changing the Default Settings for New Users When creating new local users several defaults settings are used by YaST You can change these default sett...

Страница 191: ...the user au thentication method in the installed system select Expert Options Authentication and User Sources The module provides a configuration overview and the option to configure the client Advan...

Страница 192: ...the key combination Ctrl Alt Del should be interpreted by selecting the desired action Normally this combination when entered in the text console causes the system to reboot Do not modify this setting...

Страница 193: ...launch the updatedb program if installed This pro gram which automatically runs on a daily basis or after booting generates a database locatedb in which the location of each file on your computer is s...

Страница 194: ...ation for the Xen virtualization system For detailed information about Xen see Chapter 22 Virtualization page 421 The following modules are available in the Virtualization section Installing Hyperviso...

Страница 195: ...Autoin stallation prepare profiles for this tool Find detailed information about automated in stallation with AutoYaST in Chapter 5 Automated Installation page 81 The informa tion about using the Aut...

Страница 196: ...Kernel messages sorted according to date and time are also recorded here View the status of certain system components using the box at the top The following options are possible from the system log an...

Страница 197: ...is displays all system warnings 8 11 8 Vendor Driver CD Install device drivers from a Linux driver CD that contains drivers for SUSE Linux Enterprise with Miscellaneous Vendor Driver CD When installin...

Страница 198: ...category Software is selected automati cally Use and to change the category To start a module from the selected category press The module selection now appears with a thick border Use and to select th...

Страница 199: ...his combination can also be used if using or would result in changing the active frame or the current selection list as in the Control Center Buttons Radio Buttons and Check Boxes To select buttons wi...

Страница 200: ...example Esc H replaces Alt H Backward and Forward Navigation with Ctrl F and Ctrl B If the Alt and Shift combinations are occupied by the window manager or the ter minal use the combinations Ctrl F f...

Страница 201: ...module_name command option value Some modules do not support the command line mode because command line tools with the same functionality already exist The modules concerned and the command line tools...

Страница 202: ...enter the username and password all other settings are made automatically in accordance with default configuration The functionality provided by the command line is the same as in the graphical inter...

Страница 203: ...o execute scripts again To display a configuration summary for the network use yast lan list The first item in the output of Example 8 4 Sample Output of yast lan list page 185 is a device ID To get m...

Страница 204: ...phics card and display device in Card and Monitor Properties If you have more than one graphics card installed each device is shown in a separate dialog reachable by a tab At the top of the dialog see...

Страница 205: ...log opens in which to adjust various monitor specific settings This dialog has several tabs for various aspects of monitor operation Select the first tab to manually select the vendor and model of the...

Страница 206: ...e screens in the dual head dialog The tabs in the row at the top of the dialog each correspond to a graphics card in your system Select the card to configure and set its multihead options in the dialo...

Страница 207: ...SaX2 configures a standard layout that follows the sequence of the detected graphics cards arranging all screens in a row from left to right The additional Arrangement tab allows for changing this la...

Страница 208: ...s in the opposite direction For touch pads this feature is sometimes useful Emulate Wheel with Mouse Button If your mouse does not have a scroll wheel but you want to use similar functional ity you ca...

Страница 209: ...e for your needs If your graphics tablet supports electronic pens configure them in Electronic Pens Add eraser and pen and set their properties after clicking Properties When you are satisfied with th...

Страница 210: ...tiple VNC Connections if more than one VNC client should connect to the X server at the same time Allow HTTP access by checking Activate HTTP Access and setting the port to be use in HTTP Port When yo...

Страница 211: ...in Section 3 11 4 Customer Center page 35 The back end daemon for the Novell ZENworks Linux Management Agent is the ZENworks Management Daemon ZMD ZMD performs software management func tions The daemo...

Страница 212: ...d services are mount for local files and yum or ZENworks for servers rug sorts software from services into catalogs also known as channels groups of similar software For example one catalog might cont...

Страница 213: ...moving Software with rug To install a package from any subscribed catalogs use rug in package_name To install from a selected catalog only add entire catalog and the catalog to install use to the comm...

Страница 214: ...o update the system use the command rug ua username upgrade Replace username with the name of the user To revoke the privileges of a user use command rug ud username To list users with their rights us...

Страница 215: ...g the updates send your username and password to the proxy server To do so use the commands rug set proxy url url_path rug set proxy username name rug set proxy password password Replace url_path with...

Страница 216: ...your system are available right click the application icon and choose Refresh to force an immediate check The Software Updater applet in the panel changes from a globe to an exclamation mark on an or...

Страница 217: ...staller The interface is almost identical to Software Updater see Sec tion 9 2 2 Obtaining and Installing Software Updates page 198 The only difference is a search panel you can use to search for pack...

Страница 218: ...ns Services Catalogs and Preferences Services and Catalogs Services are basically sources that provide software packages and information about these packages Each service can offer one or more catalog...

Страница 219: ...d ZENworks Opencarpet Red Carpet Enterprise or ZENworks services are only available if your company or organization has set up these services within your internal network This may for example be the c...

Страница 220: ...d to this catalog If you unsubscribe the packages from this catalog are still listed in the update window but you cannot install them Preferences On the Preferences tab specify whether Software Update...

Страница 221: ...on space with df before updating If you suspect you are running short of disk space secure your data before updating and repartition your system There is no general rule of thumb regarding how much sp...

Страница 222: ...Depending on your customizations some steps or the entire update procedure may fail and you must resort to copying back your backup data Check the following issues before starting the system update Ch...

Страница 223: ...nd to enhance your system check the packages offered in the Software Selection submenus or add support for additional languages 4a Click Update Options to update only software that is already installe...

Страница 224: ...10 SP x arch SLES 10 SP x arch or SLED 10 SP x arch where x is the number of the Service Pack and arch is the name of your hardware architecture and make it available via NFS HTTP or FTP 10 2 2 Insta...

Страница 225: ...th on the installation server and the target machine that includes a name service DHCP optional but needed for PXE boot and OpenSLP optional The SUSE Linux Enterprise SP CD 1 or DVD 1 to boot the targ...

Страница 226: ...r SUSE Linux Enterprise Service Pack for this and otherwise follow the instructions in Section 4 3 2 Setting Up a TFTP Server page 64 3 Prepare PXE boot and Wake on LAN on the target machine 4 Initiat...

Страница 227: ...nd choose Update as the installation mode in YaST For more detailed information and finishing the update see Section 10 1 3 Updating with YaST page 204 Starting with YaST Online Update Before initiati...

Страница 228: ...10 1 Update to Service Pack 1 page 210 In the pop up window click Accept to confirm the start of the update procedure to the service pack feature level 3 The Patch Download and Installation dialog tra...

Страница 229: ...r 10 SP1 refer to the release notes of the service pack View them in the installed system using the YaST release notes module 10 3 1 Multiple Kernels It is possible to install multiple kernels side by...

Страница 230: ...rds The following modules were not part of the distribution and will not be added in the future ati fglrx ATI FireGL Graphics Cards nvidia gfx NVIDIA gfx driver km_smartlink softmodem Smart Link Soft...

Страница 231: ...on makes tar fail Check your backup scripts Commands such as the following no longer work tar czf etc tar gz etc atime preserve See the tar info pages for more information 10 3 6 Apache 2 Replaced wit...

Страница 232: ...g Events Handled by the udev Daemon Hotplug events are now completely handled by the udev daemon udevd The event multiplexer system in etc hotplug d and etc dev d is no longer used Instead udevd calls...

Страница 233: ...Online Update now supports a special kind of RPM package that only stores the binary difference from a given base package This technique significantly reduces the package size and download time at th...

Страница 234: ...X2 writes the X Org configuration settings into etc X11 xorg conf During an installation from scratch no compatibility link from XF86Config to xorg conf is created 10 3 15 XView and OpenLook Support D...

Страница 235: ...ow installed in usr lib ooo 2 0 instead of opt OpenOffice org The default directory for user settings is now ooo 2 0 instead of OpenOffice org1 1 Wrapper There are some new wrappers for starting the O...

Страница 236: ...able in the OpenOffice_org kde and OpenOffice_org gnome packages 10 3 18 Sound Mixer kmix The sound mixer kmix is preset as the default For high end hardware there are other mixers like QAMix KAMix en...

Страница 237: ...g with JFS 10 3 22 AIDE as a Tripwire Replacement As an intrusion detection system use AIDE package name aide which is released under the GPL Tripwire is no longer available on SUSE Linux 10 3 23 PAM...

Страница 238: ...yp session required pam_unix2 so you can change it to PAM 1 0 auth include common auth account include common account password include common password session include common session 10 3 24 Becoming t...

Страница 239: ...etc sysconfig powersave events The names of sleep states have changed from suspend ACPI S4 APM suspend standby ACPI S3 APM standby To suspend to disk ACPI S4 APM suspend suspend to ram ACPI S3 APM su...

Страница 240: ...e systemwide etc X11 xinit xinitrc uses dbus launch to start the window manager If you have a local xinitrc file you must change it accordingly Otherwise ap plications like f spot banshee tomboy or Ne...

Страница 241: ...FAM is running you probably want remote notification which is supported only by FAM 10 3 31 Starting an FTP Server vsftpd By default xinetd no longer starts the vsftpd FTP server It is now a stand alo...

Страница 242: ...From the command line you can influence the behavior by using firefox new window url or firefox new tab url 224 Installation and Administration...

Страница 243: ...Part II Administration...

Страница 244: ......

Страница 245: ...management and Internet standard technologies developed to unify the management of enterprise computing environments WBEM provides the ability for the industry to deliver a well inte grated set of sta...

Страница 246: ...ore specifically an application that manages objects according to the CIM standard CIMOM providers are software that performs specific tasks within the CIMOM that are requested by client applications...

Страница 247: ...s a set of software components that help facilitate the deployment of the Distributed Manage ment Task Force DMTF CIM and WBEM technologies If you are not familiar with the DMTF and its technologies y...

Страница 248: ...k As root in a console shell enter rcowcimomd start Start owcimomd As root in a console shell enter rcowcimomd stop Stop owcimomd As root in a console shell enter rcowcimomd status Check owcimomd stat...

Страница 249: ...ficate use the following command Running this command replaces the current certificate so Novell recommends making a copy of the old certificate before generating a new one As root in a console shell...

Страница 250: ...ces Unse cure 5988 This setting is disabled by default With this setting all communications between the CIMOM and client applications are open for review when sent over the Internet between servers an...

Страница 251: ...nwbem authentication libpamauthentication so The OpenWBEM CIMOM is PAM enabled by default therefore the local root user can authenticate to the OpenWBEM CIMOM with local root user credentials 11 1 3 S...

Страница 252: ...ngs in the openwbem conf file This section discusses the following configuration settings Section 11 2 1 Changing the Authentication Configuration page 234 Section 11 2 2 Changing the Certificate Conf...

Страница 253: ...ow_anonymous page 239 Section owcimomd allowed_users page 240 Section owcimomd authentication_module page 241 Section simple_auth password_file page 241 http_server allow_local_authentication Purpose...

Страница 254: ...ntax http_server digest_password_file path_filename The following is the default path and filename for the digest password file etc openwbem digest_auth passwd Example http_server digest_password_file...

Страница 255: ...ing disabled This is the default setting Allows a trusted certificate to be authenticated no HTTP authen tication is necessary optional Also allows an untrusted certificate to pass the SSL handshake i...

Страница 256: ...you must set up the digest password file using owdigestgenpass Digest doesn t use the authentication module specified by the owcimomd authentica tion_module configuration setting Syntax http_server us...

Страница 257: ...red ACL processing is not enabled until the OpenWBEM_Acl1 0 mof file has been im ported Syntax owcimomd ACL_superuser username Example owcimomd ACL_superuser root owcimomd allow_anonymous Purpose Enab...

Страница 258: ...users option Description Option Specifies one or more users who are allowed to access the owci momd data username Separate each username with a space Allows all users to authenticate for example if yo...

Страница 259: ...ath and filename for the authentication modules usr lib openwbem authentication libpamauthentication so Example owcimomd authentication_module usr lib openwbem authentication libpamauthentication so s...

Страница 260: ...owing default location etc openwbem servercert pem etc openwbem serverkey pem Syntax http_server SSL_cert path_filename or http_server SSL_key path_filename NOTE Both the key and certificate can be in...

Страница 261: ...tion Option Specify the specific port for HTTP or HTTPS com munications Specific_port_number For HTTP the default port is 5988 For HTTPS the default port is 5989 Disables HTTP or HTTPS connections for...

Страница 262: ...page 246 Section log main level page 249 Section log main location page 250 Section log main max_backup_index page 250 Section log main max_file_size page 251 Section log main type page 251 If you wa...

Страница 263: ...el page 249 If specified in this option the predefined categories are not treated as levels but as independent categories No default is available and if a category is not set no categories are logged...

Страница 264: ...own components Specifies that all components are logged This is the default setting Example log main components owcimomd nssd log main format Purpose Specifies the format text mixed with printf style...

Страница 265: ...ound in the ctime header Message as XML CDATA This includes the CDATA and ending e Filename F Filename and line number For example file cpp 100 l Line number L Method name where the logging request wa...

Страница 266: ...ccording to the justification flag If the data item is larger than the minimum field width the field is expanded to accommodate the data The maximum field width modifier is designated by a period foll...

Страница 267: ...log outputs all predefined categories at and above the specified level Syntax log main level option Description Option Logs all Debug Info Error and Fatal error messages DEBUG Logs all Error and Fatal...

Страница 268: ...wcimomd log log main max_backup_index Purpose Specifies the amount of backup logs that are kept before the oldest is erased Syntax log main backup_index option Description Option Specifies the number...

Страница 269: ...certain size in KB unsigned _integer_in_KB Lets the log grow to an unlimited size 0 This is the default setting Example log main max_file_size 0 log main type Purpose Specifies the type of main log o...

Страница 270: ...h the following settings log debug categories log debug components log debug format t m log debug level log debug type stderr Debug Log with Color If you want a color version of the debug log use the...

Страница 271: ...0m yellow x1b 0 33 40m dark yellow x1b 1 34 40m blue x1b 0 34 40m dark blue x1b 1 35 40m purple x1b 0 35 40m dark purple x1b 1 36 40m cyan x1b 0 36 40m dark cyan x1b 1 37 40m white x1b 0 37 40m dark w...

Страница 272: ...g_name format log log_name level log log_name location log log_name max_backup_index log log_name max_file_size Example owcimomd additional_logs errorlog1 errorlog2 errorlog3 11 3 For More Information...

Страница 273: ...ool Solutions Article An Introduction to WBEM and OpenWBEM in SUSE Linux http www novell com coolsolutions feature 14625 html OpenWBEM Web site http www openwbem org DMTF Web site http www dmtf org Op...

Страница 274: ......

Страница 275: ...hat is commonly known as an iSCSI initiator The packages are then transferred to the corresponding iSCSI remote station also called iSCSI target Many storage solutions provide access over iSCSI but it...

Страница 276: ...cation set here is used for the discovery of services not for accessing the targets If you do not want to restrict the access to the discovery use No Authentication If authentication is needed there a...

Страница 277: ...c ietd conf All parameters in this file before the first Target declaration are global for the file Authentication information in this portion has a special meaning it is not global but is used for th...

Страница 278: ...0 iotype fileio path var lib xen images xen 1 There are many more options that control the behavior of the iSCSI target Find them in the manual page of ietd conf Active sessions are also displayed in...

Страница 279: ...delete active connections First check all active connections with the command cat proc net iet session This may look like cat proc net iet session tid 1 name iqn 2006 03 com example iserv system sid 2...

Страница 280: ...m are not permanent for the system These changes are lost at the next reboot if they are not added to the configuration file etc ietd conf Depending on the usage of iSCSI in your network this may lead...

Страница 281: ...n to activate the target You will be asked for authentication information to use the selected iSCSI target Next finishes the configura tion If everything went well the target now appears in Connected...

Страница 282: ...iadm creates all needed devices iscsiadm m node r bd0ac2 login The newly generated devices show up in the output of lsscsi and can now be accessed by mount 12 2 3 The iSCSI Client Databases All inform...

Страница 283: ...alizes set the variable node startup to the value automatic iscsiadm m node r bd0ac2 op update name node startup value automatic Remove obsolete data sets with the operation delete If the record bd0ac...

Страница 284: ...There is also some online documentation available See the manual pages of iscsiadm iscsid ietd conf and ietd and the example configuration file etc iscsid conf 266 Installation and Administration...

Страница 285: ...on devices in a SAN All nodes in a cluster have concurrent read and write access to the file system A distributed lock manager helps prevent file access conflicts OCFS2 supports up to 32 000 subdirec...

Страница 286: ...olume in the cluster All nodes can concurrently read and write directly to storage via the standard file system interface enabling easy management of applications that run across a cluster File access...

Страница 287: ...to manage OCFS2 services and volumes You can enable these modules to be loaded and mounted system boot For instructions see Section 13 2 2 Configuring OCFS2 Services page 274 Table 13 1 O2CB Cluster S...

Страница 288: ...slot assignment Each node reads the file and writes to its assigned block in the file at two second inter vals Changes to a node s time stamp indicates the node is alive A node is dead if it does not...

Страница 289: ...e node The cluster configuration file etc ocfs2 cluster conf resides on each node assigned to the cluster The ocfs2console utility is a GTK GUI based interface for managing the configu ration of the O...

Страница 290: ...reates a context dependent symbolic link CDSL for a specified filename file or directory for a node A CDSL filename has its own image for a specific node but has a common name in the OCFS2 ocfs2cdsl C...

Страница 291: ...ter named ocfs2 by offlining the cluster and unloading the O2CB modules and in memory file systems etc init d o2cb stop ocfs2 13 1 6 OCFS2 Packages The OCFS2 kernel module ocfs2 is installed automatic...

Страница 292: ...nting For example the Oracle RAC database volume requires the datavolume and nointr mounting options but the Oracle Home volume should never use these options Make sure that the ocfs2console and ocfs2...

Страница 293: ...none to clear ocfs2 prompt enter none This choice presumes that you are setting up OCFS2 for the first time or re setting the service You specify a cluster name in the next step when you set up the et...

Страница 294: ...box 5d In the Add Node dialog box specify the unique name of your primary node a unique IP address such as 192 168 1 1 and the port number optional default is 7777 then click OK The ocfs2console cons...

Страница 295: ...te and format the volume using one of the following methods In EVMSGUI go to the Volumes page select Make a file system OCFS2 then specify the configuration settings Use the mkfs ocfs2 utility For inf...

Страница 296: ...endian architectures such as x86 x86 64 and ia64 and big endian architectures such as ppc64 and s390x Node specific files are referred to as local files A node slot number is appended to the local fi...

Страница 297: ...OK Mount the volume from the command line using the mount command Mount the volume from the etc fstab file on system boot Mounting an OCFS2 volume takes about 5 seconds depending on how long it takes...

Страница 298: ...interruptions Ensures the IO is not interrupted by signals nointr 13 4 Additional Information For information about using OCFS2 see the OCFS2 User Guide http oss oracle com projects ocfs2 documentati...

Страница 299: ...scribed in this chapter follows these two standards as well They can be viewed at http wt xpilot org publications posix 1e 14 1 Traditional File Permissions The basics of traditional Linux file permis...

Страница 300: ...to which the direc tory belongs Consider the following example directory drwxrws 2 tux archive 48 Nov 19 17 12 backup You can see the s that denotes that the setgid bit is set for the group permissio...

Страница 301: ...realized without implementing complex permission models on the application level The advantages of ACLs are evident if you want to replace a Windows server with a Linux server Some of the connected wo...

Страница 302: ...group entry defines the permissions of the group specified in the entry s qualifier field Only the named user and named group entries have a qualifier field that is not empty The other entry defines t...

Страница 303: ...CL ACL Entries Compared to Permission Bits page 286 and Figure 14 2 Extended ACL ACL Entries Compared to Permission Bits page 286 illustrate the two cases of a minimum ACL and an extended ACL The figu...

Страница 304: ...mask entry This is shown in Figure 14 2 Extended ACL ACL Entries Compared to Permission Bits page 286 Figure 14 2 Extended ACL ACL Entries Compared to Permission Bits This mapping approach ensures the...

Страница 305: ...tion like file mydir owner tux group project3 user rwx group r x other The first three output lines display the name owner and owning group of the directory The next three lines contain the three ACL...

Страница 306: ...ACL for this item According to the output of the ls command the permissions for the mask entry include write access Traditionally such permission bits would mean that the owning group here project3 al...

Страница 307: ...ault ACL affects both subdirectories and files Effects of a Default ACL There are two ways in which the permissions of a directory s default ACL are passed to the files and subdirectories A subdirecto...

Страница 308: ...up mascots r x default mask r x default other getfacl returns both the access ACL and the default ACL The default ACL is formed by all lines that start with default Although you merely executed the se...

Страница 309: ...e ls l mydir myfile then shows rw r tux project3 mydir myfile The output of getfacl mydir myfile is file mydir myfile owner tux group project3 user rw group r x effective r group mascots r x effective...

Страница 310: ...result access granted Likewise if none of the suitable group entries contains the required permissions a randomly selected entry triggers the final result access denied 14 5 ACL Support in Application...

Страница 311: ...14 6 For More Information Detailed information about ACLs is available at http acl bestbits at Also see the man pages for getfacl 1 acl 5 and setfacl 1 Access Control Lists in Linux 293...

Страница 312: ......

Страница 313: ...nstallable RPM archives are packed in a special binary format These archives consist of the program files to install and certain meta information used during the installation by rpm to configure the s...

Страница 314: ...re no conflicts with other packages With an error message rpm requests those packages that need to be installed to meet dependency requirements In the background the RPM database ensures that no confl...

Страница 315: ...o a newer RPM rpmnew does not disclose any information as to whether the system administrator has made any changes to the configuration file A list of these files is available in var adm rpmconfigchec...

Страница 316: ...ee different versions of pine The installed version in the example is also listed so the patch can be installed Which files are replaced by the patch The files affected by a patch can easily be seen i...

Страница 317: ...elta RPM on an old RPM results in the complete new RPM It is not necessary to have a copy of the old RPM because a delta RPM can also work with an installed RPM The delta RPM packages are even smaller...

Страница 318: ...to query the RPM database of installed packages Several switches are available to specify the type of information required See Table 15 1 The Most Important RPM Query Options page 300 Table 15 1 The M...

Страница 319: ...re DSA SHA1 Sat 02 Oct 2004 03 59 56 AM CEST Key ID a84edae89c800aca Packager http www suse de feedback URL http wget sunsite dk Summary A tool for mirroring FTP and HTTP servers Description Wget enab...

Страница 320: ...n be made Initiate these with V y or verify With this option rpm shows all files in a package that have been changed since installation rpm uses eight character symbols to give some hints about the fo...

Страница 321: ...ry a src rpm extension source RPM TIP Source packages can be copied from the installation medium to the hard disk and unpacked with YaST They are not however marked as installed i in the package manag...

Страница 322: ...ges SOURCES wget 1 9 1 ipvmisc patch usr src packages SOURCES wget 1 9 1 brokentime patch usr src packages SOURCES wget 1 9 1 passive_ftp diff usr src packages SOURCES wget LFS 20040909 tar bz2 usr sr...

Страница 323: ...built To establish this chroot environment the build script must be provided with a complete package tree This tree can be made available on the hard disk via NFS or from DVD Set the position with bui...

Страница 324: ...opy parts of them It represents archives as virtual file systems offering all usual menu options of Midnight Commander Display the HEADER with F3 View the archive structure with the cursor keys and En...

Страница 325: ...gn prompt Omissions are indicated with square brackets and long lines are wrapped where necessary Line breaks for long lines are indicated by a backslash command x y output line 1 output line 2 output...

Страница 326: ...ynamic executable tester linux file bin sash bin sash ELF 32 bit LSB executable Intel 80386 version 1 SYSV for GNU Linux 2 6 4 statically linked for GNU Linux 2 6 4 stripped 16 1 2 Library Calls of a...

Страница 327: ...89696 0 mmap2 NULL 89696 PROT_READ MAP_PRIVATE 3 0 0xb7ef2000 close 3 0 open lib librt so 1 O_RDONLY 3 read 3 177ELF 1 1 1 0 0 0 0 0 0 0 0 0 3 0 3 0 1 0 0 0000 36 0 512 512 fstat64 3 st_mode S_IFREG 0...

Страница 328: ...inux 2 2 5 dynamically linked uses shared libs stripped The parameter f list specifies a file with a list of filenames to examine The z allows file to look inside compressed files tester linux file us...

Страница 329: ...K 252M 1 dev dev hda1 16M 6 6M 7 8M 46 boot dev hda4 27G 34M 27G 1 local Display the total size of all the files in a given directory and its subdirectories with the command du The parameter s suppres...

Страница 330: ...etc profile File etc profile Size 7930 Blocks 16 IO Block 4096 regular file Device 303h 771d Inode 40657 Links 1 Access 0644 rw r r Uid 0 root Gid 0 root Access 2006 01 06 16 45 43 000000000 0100 Modi...

Страница 331: ...dge rev 81 00 1f 0 ISA bridge Intel Corporation 82801DB DBL ICH4 ICH4 L LPC Interface Bridge rev 01 00 1f 1 IDE interface Intel Corporation 82801DB ICH4 IDE Controller rev 01 00 1f 3 SMBus Intel Corpo...

Страница 332: ...lash 2 0 Astone USB Drive Bus 004 Device 006 ID 04b4 6830 Cypress Semiconductor Corp USB 2 0 IDE Adapter Bus 004 Device 005 ID 05e3 0605 Genesys Logic Inc Bus 004 Device 001 ID 0000 0000 Bus 003 Devic...

Страница 333: ...grown table increases it might be a good idea to replace the hard disk 16 4 Networking 16 4 1 Show the Network Status netstat netstat shows network connections routing tables r interfaces i masquerade...

Страница 334: ...x2 trc netpoll ESTABLISHED 19422 s tcp 0 0 localhost ssh localhost 17828 ESTABLISHED In the following statistics for the TCP protocol are displayed tester linux netstat s t Tcp 2427 active connections...

Страница 335: ...042 2 0 XT PIC cascade 5 564535 XT PIC Intel 82801DB ICH4 7 1 XT PIC parport0 8 2 XT PIC rtc 9 1 XT PIC acpi uhci_hcd usb1 ehci_hcd usb4 10 0 XT PIC uhci_hcd usb3 11 71772 XT PIC uhci_hcd usb2 eth0 12...

Страница 336: ...s 0 2006 01 09 17 04 mem r r r 1 tester users 0 2006 01 09 17 04 mounts rw r r 1 tester users 0 2006 01 09 17 04 oom_adj r r r 1 tester users 0 2006 01 09 17 04 oom_score lrwxrwxrwx 1 tester users 0 2...

Страница 337: ...73024 Swap 658656 0 658656 Bootup Mon Jan 9 12 59 08 2006 Load average 0 10 0 04 0 05 1 86 5406 user 0 02 07 98 0 8 page in 442638 disk 1 20125r 134 nice 0 02 20 91 0 9 page out 134950 system 0 00 42...

Страница 338: ...66 192000 2 0x00000000 83984391 tester 666 282464 2 0x00000000 84738056 root 644 151552 2 dest Semaphore Arrays key semid owner perms nsems 0x4d038abf 0 tester 600 8 Message Queues key msqid owner per...

Страница 339: ...hd init pid 4813 Ss 0 00 sshd tester priv 4817 R 0 00 sshd tester pts 0 The process list can be formatted according to your needs The option L returns a list of all keywords Enter the following comman...

Страница 340: ...xmatrix kdesud kdm X kdm startkde kwrapper The parameter p adds the process ID to a given name To have the command lines displayed as well use the a parameter 16 6 4 Processes top The command top whic...

Страница 341: ...serfs 0 923 root 13 4 1712 552 344 S 0 0 0 1 0 00 67 udevd 1343 root 10 5 0 0 0 S 0 0 0 0 0 00 00 khubd 1587 root 20 0 0 0 0 S 0 0 0 0 0 00 00 shpchpd_event 1746 root 15 0 0 0 0 S 0 0 0 0 0 00 00 w1_c...

Страница 342: ...swap areas are shown tester linux free total used free shared buffers cached Mem 515584 501704 13880 0 73040 334592 buffers cache 94072 421512 Swap 658656 0 658656 The options b k m g show output in b...

Страница 343: ...ole 0 changed to on NET Registered protocol family 10 Disabled Privacy Extensions on device c0326ea0 lo IPv6 over IPv4 tunneling driver powernow This module only works with AMD K7 CPUs bootsplash stat...

Страница 344: ...B bash 5552 tester mem REG 3 3 97165 8828 lib ld 2 3 6 so bash 5552 tester 0u CHR 136 5 7 dev pts 5 bash 5552 tester 1u CHR 136 5 7 dev pts 5 bash 5552 tester 2u CHR 136 5 7 dev pts 5 bash 5552 tester...

Страница 345: ...138806692 add class scsi_generic sg1 UEVENT 1138806692 add class scsi_device 4 0 0 0 UDEV 1138806693 add devices pci0000 00 0000 00 1d 7 usb4 4 2 4 2 2 4 2 2 UDEV 1138806693 add class scsi_generic sg1...

Страница 346: ...54 9 1 30 31 42K 3K 45K SUSEWatche 4400000 2 11 1 30 34 34K 2K 36K 16489 kdesu 1a00000 255 7 0 42 11 19K 6K 26K KMix 3800000 2 14 1 34 37 21K 2K 24K 22242 knotify 1e00000 10 7 0 42 9 15K 624B 15K KPo...

Страница 347: ...etermine the time spent by commands with the time utility This utility is available in two versions as a shell built in and as a program usr bin time tester linux time find dev null real 0m4 051s user...

Страница 348: ......

Страница 349: ...slow network links or if you want to perform tasks as root on the command line For Linux newbies it might be rather unusual to enter commands in a shell but you will soon realize that the shell is not...

Страница 350: ...the hostname of your computer here knox and the current path in this case your home directory indicated by the tilde symbol When you are logged in on a remote computer this information always shows yo...

Страница 351: ...nts of a directory The command can be used with or without options En tering the plain ls command shows the contents of the current directory Figure 17 2 The ls Command Unlike in other operating syste...

Страница 352: ...rmissions and the user concept of Linux in Section 17 2 Users and Access Permissions page 343 The next column shows the file size in bytes Then date and time of the last change are displayed The last...

Страница 353: ...directories of the example users yxz linux and tux The home directory contains the directories in which the individual users can store their personal files NOTE Home Directory in a Network Environment...

Страница 354: ...ams and local distribution indepen dent extensions usr local usr usr local Generally accessible programs usr bin and reserved for the system administrator usr sbin usr bin usr sbin Various documentati...

Страница 355: ...To change directories use the cd command To switch to your home directory enter cd Refer to the current directory with a dot This is mainly useful for other com mands cp mv The next higher level in t...

Страница 356: ...mp test without changing the name of the file 2d Check this by entering ls l tmp test The file myfile txt should appear in the list of contents for tmp test To list the contents of home directories of...

Страница 357: ...type the first letters then press If the filename or path can be uniquely identified it is completed at once and the cursor moves to the end of the filename You can then enter the next option of the...

Страница 358: ...character is a number ls Testfile 1 9 or using classes ls Testfile digit Of the four types of wild cards the most inclusive one is the asterisk It could be used to copy all files contained in one dir...

Страница 359: ...existing file named file txt If the file does not exist it is created Sometimes it is also useful to use a file as the input for a command For example with the tr command you can replace characters r...

Страница 360: ...s on screen while creating the archive f for file Choose a filename for the archive file When creating an archive this option must always be given as the last one To pack the test directory with all i...

Страница 361: ...ry 17 1 6 Cleaning Up After this crash course you should be familiar with the basics of the Linux shell or command line You may want to clean up your home directory by deleting the various test files...

Страница 362: ...mber File Access The organization of permissions in the file system differs for files and directories File permission information can be displayed with the command ls l The output could appear as in E...

Страница 363: ...Directory Permissions drwxrwxr x 1 tux project3 35 Jun 21 15 15 ProjectData In Example 17 2 Sample Output Showing Directory Permissions page 345 the owner tux and the owning group project3 of the dir...

Страница 364: ...s he can do this by entering the command chmod go w ProjectData To prohibit all users from adding a new file to the folder ProjectData enter chmod w ProjectData Now not even the owner can create a new...

Страница 365: ...PgUp and PgDn Move between the beginning and the end of a document with Home and End End this viewing mode by pressing Q Learn more about the man command itself with man man In the following overview...

Страница 366: ...isting targetfile is overwritten rm options files Removes the specified files from the file system Directories are not removed by rm unless the option r is used r Deletes any existing subdirectories i...

Страница 367: ...the specified username R Changes files and directories in all subdirectories chgrp options groupname files Transfers the group ownership of a given file to the group with the specified group name The...

Страница 368: ...h 4 the write permission with 2 and the permission for executing a file is set with 1 The owner of a file would usually receive a 6 or a 7 for executable files gzip parameters files This program compr...

Страница 369: ...This command is only available if you have installed the findutils locate package The locate command can find in which directory a specified file is lo cated If desired use wild cards to specify filen...

Страница 370: ...specified files z Tries to look inside compressed files cat options files The cat command displays the contents of a file printing the entire contents to the screen without interruption n Numbers the...

Страница 371: ...es the output more readable File Systems mount options device mountpoint This command can be used to mount any data media such as hard disks CD ROM drives and other drives to a directory of the Linux...

Страница 372: ...on df options directory The df disk free command when used without any options displays information about the total disk space the disk space currently in use and the free space on all the mounted dri...

Страница 373: ...to access a page that briefly explains the main options for customizing the program ps options process ID If run without any options this command displays a table of all your own programs or processes...

Страница 374: ...twork link is basically functioning c number Determines the total number of packages to send and ends after they have been dispatched by default there is no limitation set f flood ping sends as many d...

Страница 375: ...ssword The password is not required from root because root is authorized to assume the identity of any user When using the command without specifying a username you are prompted for the root password...

Страница 376: ...ode On start up vi is normally set to the command mode The first thing to learn is how to switch between the modes Command Mode to Insert Mode There are many possibilities including A for append I for...

Страница 377: ...ed mode w stands for write and q for quit 17 4 2 vi in Action vi can be used as a normal editor In insert mode enter text and delete text with the and Del keys Use the arrow keys to move the cursor Ho...

Страница 378: ...rrent cursor position A Change to insert mode characters are added at the end of the line Shift A Change to replace mode overwrite the old text Shift R Replace the character under the cursor R Change...

Страница 379: ...book OPL pdf The Web pages of the vim project at http www vim org feature all kinds of news mailing lists and other documentation A number of vim sources are available on the Internet http www selflin...

Страница 380: ......

Страница 381: ...Part III System...

Страница 382: ......

Страница 383: ...about the kernel API and an explanation of how 32 bit applications can run under a 64 bit kernel NOTE 31 Bit Applications on IBM System z s390 on IBM System z uses a 31 bit environment References to...

Страница 384: ...nvironments All 64 bit libraries and object files are located in directories called lib64 The 64 bit object files you would normally expect to find under lib usr lib and usr X11R6 lib are now found un...

Страница 385: ...o linkers and assemblers A biarch development tool chain currently exists for amd64 supports development for x86 and amd64 instructions for s390x and for ppc64 32 bit objects are normally created on t...

Страница 386: ...archi tecture is a 32 bit architecture x86_64 or s390x you need the following RPMs libaio 32bit 32 bit runtime package libaio devel 32bit Headers and libraries for 32 bit development libaio 64 bit run...

Страница 387: ...o on come from usr lib LDFLAGS L usr lib 5 Determine that the libraries are stored in the lib subdirectory libdir usr lib 6 Determine that the 32 bit X libraries are used x libraries usr X11R6 lib Not...

Страница 388: ...ber of applications like lspci must be compiled on non ppc64 platforms as 64 bit pro grams to function properly On IBM System z not all ioctls are available in the 32 bit kernel ABI A 64 bit kernel ca...

Страница 389: ...ine does not access any mass storage media Subsequently the information about the current date time and the most important peripherals are loaded from the CMOS values When the first hard disk and its...

Страница 390: ...the root device 4 init on initramfs This program performs all actions needed to mount the proper root file system like providing kernel functionality for the needed file system and device drivers for...

Страница 391: ...e INITRD_MODULES in etc sysconfig kernel After installation this variable is automatically set to the correct value The modules are loaded in exactly the order in which they appear in INITRD_MODULES T...

Страница 392: ...led during the initial boot as part of the installation process its tasks differ from those mentioned earlier Finding the Installation Medium As you start the installation process your machine loads a...

Страница 393: ...d daemons are available in each of the levels Depending on the entries in etc inittab several scripts are run by init For reasons of clarity these scripts called init scripts all reside in the directo...

Страница 394: ...if your system mounts a partition like usr via NFS The system might behave unexpectedly if program files or libraries are missing because the NFS service is not available in runlevel 2 local multiuser...

Страница 395: ...6 The X Window System page 481 before the run level can be switched to 5 If this is done check whether the system works in the desired way by entering telinit 5 If everything turns out as expected you...

Страница 396: ...nit q 19 2 2 Init Scripts There are two types of scripts in etc init d Scripts Executed Directly by init This is the case only during the boot process or if an immediate system shutdown is initiated p...

Страница 397: ...runlevel specific subdirectory make it possible to associate scripts with different runlevels When installing or uninstalling packages these links are added and removed with the help of the program i...

Страница 398: ...fter first entering the root password Last executed is the script boot local boot local Here enter additional commands to execute at boot before changing into a runlevel It can be compared to AUTOEXEC...

Страница 399: ...ault Start 3 5 Default Stop 0 1 2 6 Description Start FOO to allow XY and provide YZ END INIT INFO In the first line of the INFO block after Provides specify the name of the program or service control...

Страница 400: ...when insserv is run later for some other service The manually added service will be removed with the next run of insserv 19 2 3 Configuring System Services Runlevel with YaST After starting this YaST...

Страница 401: ...individual services and daemons The table lists the services and daemons available shows whether they are currently enabled on your system and if so for which runlevels After selecting one of the rows...

Страница 402: ...to the file etc host conf as well because this is one of the files relevant for the network configuration This concept allows most configurations to be made in one central place without fiddling with...

Страница 403: ...selection and the current setting of this variable Below a third window displays a short description of the variable s purpose possible values the default value and the actual configuration file from...

Страница 404: ...el with a command like init default_runlevel Replace default_runlevel with the default run level of the system Choose 5 if you want to return to full multiuser with network and X or choose 3 if you pr...

Страница 405: ...ader directly impacts the start of the operating system The following terms appear frequently in this chapter and might need some explanation Master Boot Record The structure of the MBR is defined by...

Страница 406: ...If you update from an older SUSE Linux Enterprise version that uses LILO LILO is in stalled Information about the installation and configuration of LILO is available in the Support Database under the...

Страница 407: ...ly GRUB can be controlled in various ways Boot entries from an existing configuration can be selected from the graphical menu splash screen The configuration is loaded from the file menu lst In GRUB a...

Страница 408: ...played as a selectable option in the menu All commands up to the next title are executed when this menu item is selected The simplest case is the redirection to boot loaders of other operating systems...

Страница 409: ...differ from those used for normal Linux devices It more closely resembles the simple disk enumeration the BIOS does and the syntax is similar to that used in some BSD derivatives In GRUB the numberin...

Страница 410: ...tructure of a GRUB menu file The example instal lation has a Linux boot partition under dev hda5 a root partition under dev hda7 and a Windows installation under dev hda1 gfxmenu hd0 4 message color w...

Страница 411: ...nel parameters such as the root partition and VGA mode are appended here The root partition is specified according to the Linux naming convention dev hda7 because this information is read by the kerne...

Страница 412: ...edure is also useful for testing new settings without impairing the native system After activating the editing mode use the arrow keys to select the menu entry of the configuration to edit To make the...

Страница 413: ...various factors and Linux is not able to identify the mapping the sequence in the file device map can be set manually If you encounter problems when booting check if the sequence in this file corresp...

Страница 414: ...ader should be installed in the the extended partition container grub stage1 hd0 3 This is a slightly esoteric configuration but it is known to work in many cases stage2 should be loaded to the memory...

Страница 415: ...However users can still boot all operating systems from the boot menu 3 To prevent one or several operating systems from being booted from the boot menu add the entry lock to every section in menu ls...

Страница 416: ...1 Boot Loader Settings Use the Section Management tab to edit change and delete boot loader sections for the individual operating systems To add an option click Add To change the value of an existing...

Страница 417: ...ation Have YaST propose a new configuration Convert Current Configuration Have YaST convert the current configuration When converting the configu ration some settings may be lost Start New Configurati...

Страница 418: ...o change the location of the boot loader follow these steps Procedure 20 2 Changing the Boot Loader Location 1 Select the Boot Loader Installation tab then select one of the following options for Boot...

Страница 419: ...ot boot the default system immediately During the time out you can select the system to boot or write some kernel parameters To set the boot loader time out proceed as follows Procedure 20 4 Changing...

Страница 420: ...it had prior to the installation of Linux During the installation YaST automatically creates a backup copy of the original MBR and restores it on request To uninstall GRUB start the YaST boot loader...

Страница 421: ...p boot initrd iso boot cp boot message iso boot cp usr lib grub stage2_eltorito iso boot grub cp boot grub menu lst iso boot grub 4 Adjust the path entries in iso boot grub menu lst to make them point...

Страница 422: ...s to disable the SUSE screen if desired Disabling the SUSE Screen When Necessary Enter the command echo 0 proc splash on the command line to disable the graphical screen To activate it again enter ech...

Страница 423: ...tallation configuration and maintenance of LILO is available in the Support Database under the keyword LILO GRUB also returns this error message if Linux was installed on an additional hard disk that...

Страница 424: ...arted from the second hard disk For this purpose the logical order of the hard disks is changed with map This change does not affect the logic within the GRUB menu file Therefore the second hard disk...

Страница 425: ...by a section about language and country specific settings I18N and L10N 21 1 Information about Special Software Packages The programs bash cron logrotate locate ulimit and free and the file resolv co...

Страница 426: ...aditional tool to use cron is driven by specially formatted time tables Some of of them come with the system and users can write their own tables if needed The cron tables are located in var spool cro...

Страница 427: ...rity They are contained in the package aaa_base etc cron daily con tains for example the components suse de backup rpmdb suse de clean tmp or suse de cron local 21 1 3 Log Files Package logrotate Ther...

Страница 428: ...ate 0664 root utmp rotate 1 system specific logs may be also be configured here logrotate is controlled through cron and is called daily by etc cron daily logrotate IMPORTANT The create option reads a...

Страница 429: ...page 411 Table 21 1 ulimit Setting Resources for the User Maximum size of physical memory m Maximum size of virtual memory v Maximum size of the stack s Maximum size of the core files c Display of li...

Страница 430: ...ct knowledge of any applications or user data Instead it manages applications and user data in a page cache If memory runs short parts of it are written to the swap partition or to files from which th...

Страница 431: ...ividual users from etc skel emacs in turn reads the file etc skel gnu emacs To customize the program copy gnu emacs to the home directory with cp etc skel gnu emacs gnu emacs and make the desired sett...

Страница 432: ...multitasking system The advantages of these features can be appreciated even on a stand alone PC system In text mode there are six virtual consoles available Switch between them using Alt F1 to Alt F...

Страница 433: ...iled information about the input of Chinese Japanese and Korean CJK is available at Mike Fabian s page http www suse de mfabian suse cjk input html 21 4 Language and Country Specific Settings The syst...

Страница 434: ...onfig Editor page 384 The value of such a variable contains the language code country code encoding and modifier The individual components are connected by special characters LANG language _ COUNTRY E...

Страница 435: ...lso covers the Euro symbol It is only useful if an application does not support UTF 8 but ISO 8859 15 SuSEconfig reads the variables in etc sysconfig language and writes the necessary changes to etc S...

Страница 436: ...Nynorsk and Bokm l instead with additional fallback to no LANG nn_NO LANGUAGE nn_NO nb_NO no or LANG nb_NO LANGUAGE nb_NO nn_NO no Note that in Norwegian LC_TIME is also treated differently One proble...

Страница 437: ...kus Kuhn UTF 8 and Unicode FAQ for Unix Linux currently at http www cl cam ac uk mgk25 unicode html Unicode Howto by Bruno Haible usr share doc howto en html Unicode HOWTO html Special System Features...

Страница 438: ......

Страница 439: ...1 System and Software Requirements page 422 Section 22 2 Virtualization Infrastructure page 425 Section 22 3 Installing Virtualization Software page 426 Section 22 4 Starting the Virtualization Host S...

Страница 440: ...nts for the virtualization host server are the same as those for the SUSE Linux operating system but additional CPU disk memory and network requirements should be added to accomodate the resource dema...

Страница 441: ...ernel xenpae used instead of kernel xen this package is required to enable a 32 bit virtualization host server to access memory over 3 GB yast2 vm You should install the newest version available Updat...

Страница 442: ...t Table 22 2 Modified Operating Systems Tested to Run in Paravirtual Mode x86 64 bit x86 32 bit Operating System X X SUSE Linux Enterprise Server 10 SP1 X X SUSE Linux Enterprise Desktop 10 SP1 X Open...

Страница 443: ...aravirtual mode Full virtualization mode lets virtual machines run unmodified operating systems such as Windows Server 2003 but requires the computer running the virtualization host server to support...

Страница 444: ...dy running SUSE Linux NOTE Only applications and processes required for virtualization should be installed on the virtualization host server Virtualization software can be installed by using one of th...

Страница 445: ...the virtualization host server desktop and run the rpm U package_name command Restart the computer NOTE If you use the rpm command you can safely ignore any messages stating Cannot determine dependenc...

Страница 446: ...een updated 22 5 Managing Virtual Machines Virtual machines can be created and managed by using the Virtual Machine Manager 1 On the virtualization host server click YaST Virtualization Virtual Machin...

Страница 447: ...console for the selected virtual machine Delete completely removes the selected virtual machine Start a virtual machine by selecting it from the list click Open and then click Run Virtual Machine Man...

Страница 448: ...console of an already run ning virtual machine xm console vm_name Change the memory available to a virtual machine xm mem set vm_name MB_Memory Perform a normal shutdown of the virtual machine s opera...

Страница 449: ...2 Choose between installing an operating system or using a disk or disk image that already has an installed operating system The option to set up a virtual machine based on an existing disk or disk i...

Страница 450: ...e host operating system and the operating system of each virtual machine you plan to run simultaneously For example simultaneously running four Windows Server 2003 R2 Standard Edition virtual machines...

Страница 451: ...ation source can be launched from CD DVD or from ISO image files Virtual disks can be based on a file partition volume or other type of block device Virtual machines are managed using the Virtual Mach...

Страница 452: ......

Страница 453: ...like USB or parallel port that is available on your hardware and a suitable printer language Printers can be categorized on the basis of the following three classes of printer languages PostScript Pr...

Страница 454: ...mmon printer languages They use their own undocumented printer languages which are subject to change when a new edition of a model is released Usually only Windows drivers are available for these prin...

Страница 455: ...filter system makes sure that options selected by the user are enabled If you use a PostScript printer the filter system converts the data into printer specific PostScript This does not require a prin...

Страница 456: ...he installation of SUSE Linux Enterprise many PPD files are prein stalled to enable even printers without PostScript support to be used To configure a PostScript printer the best approach is to get a...

Страница 457: ...Manually page 439 If the manual configuration does not work communication between printer and computer is not possible Check the cable and the plugs to make sure that the printer is properly connected...

Страница 458: ...port to which the printer is connected usually USB or parallel port and choose the device in the next configuration screen It is recommended to Test the Printer Connection at this point If problems o...

Страница 459: ...ry contains the following entries which you can also modify with Edit Name and basic settings Printer Model and Connection let you change en tries made while following this procedure Refer to Section...

Страница 460: ...ing Database When downloading PPD files from linuxprint ing org keep in mind that it always shows the latest Linux support status which is not necessarily met by SUSE Linux Enterprise Choosing an Alte...

Страница 461: ...the printer port for example socket 192 168 0 202 9100 LPD Line Printer Daemon The proven LPD protocol is described in RFC 1179 Under this protocol some job related data such as the ID of the printer...

Страница 462: ...139 515 631 9100 10000 printerIP 23 5 1 Configuring Network Printers with YaST Network printers are not detected automatically They must be configured manually using the YaST printer module Depending...

Страница 463: ...ueues To add a print queue use the following syntax lpadmin p queue v device URI P PPD file E Then the device v is available as queue p using the specified PPD file P This means that you must know the...

Страница 464: ...oot settings are written to etc cups lpoptions 23 6 Graphical Printing Interfaces Tools such as xpp and the KDE program KPrinter provide a graphical interface for choosing queues and setting both CUPS...

Страница 465: ...Server and Firewall There are several ways to configure CUPS as the client of a network server 1 For every queue on the network server you can configure a local queue through which to forward all jobs...

Страница 466: ...aST page 822 for details of firewall configuration Alternatively the user can detect CUPS servers by actively scanning the local network hosts or configure all queues manually However this method is n...

Страница 467: ...rom 127 0 0 2 Allow From LOCAL Location In this way only LOCAL hosts can access cupsd on a CUPS server LOCAL hosts are hosts whose IP addresses belong to a non PPP interface interfaces whose IFF_POINT...

Страница 468: ...he vendor and model database For example if you only have PostScript printers normally you do not need the Foomatic PPD files in the cups drivers package or the Gimp Print PPD files in the cups driver...

Страница 469: ...uitable PPD file of the printer manufacturer because this file enables the use of all functions of the PostScript printer YaST prefers a PPD file from the manufacturer PPDs package if the following co...

Страница 470: ...1 Printers without Standard Printer Language Support These printers do not support any common printer language and can only be addressed with special proprietary control sequences Therefore they can o...

Страница 471: ...lopments in the print system 23 9 2 No Suitable PPD File Available for a PostScript Printer If the manufacturer PPDs package does not contain any suitable PPD file for a PostScript printer it should b...

Страница 472: ...Mode for the First Parallel Port page 454 Before ac tivating the interrupt mode check the file proc interrupts to see which interrupts are already in use Only the interrupts currently being used are d...

Страница 473: ...possible on the queue on host If you receive a response like that in Example 23 2 Error Message from lpd page 455 the problem is caused by the remote lpd Example 23 2 Error Message from lpd lpd your...

Страница 474: ...ometimes cause problems when they have to deal with a lot of print jobs Because this is caused by the spooler in the print server box there is nothing you can do about it As a work around circumvent t...

Страница 475: ...when the CUPS back end completes the data transfer to the recipient printer If the further processing on the recipient fails for example if the printer is not able to print the printer specific data t...

Страница 476: ...print job on the server can be deleted cancel h print server queue jobnnumber 23 9 8 Defective Print Jobs and Data Transfer Errors Print jobs remain in the queues and printing resumes if you switch th...

Страница 477: ...e precisely the parallel port 4 Reset the printer completely by switching it off for some time Then insert the paper and turn on the printer 23 9 9 Debugging the CUPS Print System Use the following ge...

Страница 478: ......

Страница 479: ...est and import additional data to evaluate during device handling 24 1 The dev Directory The device nodes in the dev directory provide access to the corresponding kernel devices With udev the dev dire...

Страница 480: ...ules and Devices The kernel bus drivers probe for devices For every detected device the kernel creates an internal device structure and the driver core sends a uevent to the udev daemon Bus devices id...

Страница 481: ...vents from the kernel after the root file system is available so the event for the USB mouse device just runs again Now it finds the kernel module on the mounted root file system and the USB mouse can...

Страница 482: ...M 1043 PHYSDEVPATH devices pci0000 00 0000 00 1d 1 usb2 2 2 2 2 1 0 PHYSDEVBUS usb PHYSDEVDRIVER usbhid PRODUCT 3 46d c03e 2000 NAME Logitech USB PS 2 Optical Mouse PHYS usb 0000 00 1d 1 2 input0 UNIQ...

Страница 483: ...appropriate block device the kernel creates is examined by tools with special knowledge about certain buses drive types or file systems Along with the dynamic kernel provided device node name udev ma...

Страница 484: ...the blacklist option in modprobe conf etc dev d Replaced by the udev rule RUN key etc hotplug d Replaced by the udev rule RUN key sbin hotplug Replaced by udevd listening to netlink only used in the i...

Страница 485: ...ion about udev keys rules and other important configuration is sues udevinfo udevinfo can be used to query device information from the udev database udevd Information about the udev event managing dae...

Страница 486: ......

Страница 487: ...ut the data Almost every file system has its own structure of metadata which is part of why the file systems show different performance characteristics It is extremely important to maintain metadata i...

Страница 488: ...chapter do not refer to the consistency of the user space data the data your application writes to its files Whether this data is consistent must be controlled by the application itself IMPORTANT Set...

Страница 489: ...cepts outlined in the Ext3 section Section 25 2 3 Ext3 page 472 The default mode is data ordered which ensures both data and metadata integrity but uses journaling only for metadata 25 2 2 Ext2 The o...

Страница 490: ...at Ext3 supports journaling In summary Ext3 has three major advantages to offer Easy and Highly Reliable Upgrades from Ext2 Because Ext3 is based on the Ext2 code and shares its on disk format as well...

Страница 491: ...ify something else Ext3 is run with the data ordered default 25 2 4 Converting an Ext2 File System into Ext3 To convert an Ext2 file system to Ext3 proceed as follows 1 Create an Ext3 journal by runni...

Страница 492: ...Naturally the concept of independent allocation groups suits the needs of multiprocessor systems High Performance through Efficient Management of Disk Space Free space and inodes are handled by B tree...

Страница 493: ...node man ager NM To monitor the availability of the nodes in a cluster OCFS2 includes a simple heartbeat implementation To avoid chaos arising from various nodes directly accessing the file system OCF...

Страница 494: ...so9660 This file system originated from academic projects on operating systems and was the first file system used in Linux Today it is used as a file system for floppy disks minix fat the file system...

Страница 495: ...fied to support file sizes larger than 2 GB when using a new set of in terfaces that applications must use Today almost all major file systems offer LFS support allowing you to perform high end comput...

Страница 496: ...s follows File Size On 32 bit systems files may not exceed the size of 2 TB 2 41 bytes File System Size File systems may be up to 2 73 bytes in size However this limit is still out of reach for the cu...

Страница 497: ...IBM de veloperWorks http www 106 ibm com developerworks library l fs html A very in depth comparison of file systems not only Linux file systems is available from the Wikipedia project http en wikiped...

Страница 498: ......

Страница 499: ...prise TIP IBM System z Configuring the Graphical User Interface IBM System z do not have any input and output devices supported by X Org Therefore none of the configuration procedures described in thi...

Страница 500: ...he primary configuration file for the X Window System Find all the settings here concerning your graphics card mouse and monitor IMPORTANT Using X configure Use X configure to configure your X setup i...

Страница 501: ...mally the server refuses any modeline that does not correspond with the specification of the monitor This prevents too high frequencies from being sent to the monitor by accident The modeline paramete...

Страница 502: ...ther information about the other sections can be found in the manual pages of X Org and xorg conf There can be several different Monitor and Device sections in xorg conf Even multiple Screen sections...

Страница 503: ...splay sections are specified Depth determines the color depth to use with this set of Display settings Possible values are 8 15 16 24 and 32 although not all of these are supported by all X server mod...

Страница 504: ...referenced in the following ServerLayout sec tion The lines Device and Monitor specify the graphics card and the monitor that belong to this definition These are just links to the Device and Monitor s...

Страница 505: ...g software Depending on the driver module there are various options available which can be found in the description files of the driver modules in the directory usr share doc package_name Generally va...

Страница 506: ...installation directory should be a subdirectory of the directories configured in etc fonts fonts conf see Sec tion 26 2 2 Xft page 490 or be included into this file with etc fonts suse font dirs conf...

Страница 507: ...systems 26 2 1 X11 Core Fonts Today the X11 core font system supports not only bitmap fonts but also scalable fonts like Type1 fonts TrueType and OpenType fonts Scalable fonts are only supported witho...

Страница 508: ...p iso10646 1 Nearly all Unicode fonts available in SUSE Linux Enterprise contain at least the glyphs needed for European languages formerly encoded as iso 8859 26 2 2 Xft From the outset the programme...

Страница 509: ...e fonts For example enter match target font edit name antialias mode assign bool false bool edit match to disable antialiasing for all fonts or match target font test name family string Luxi Mono stri...

Страница 510: ...eir style style their weight weight and the name of the files containing the fonts enter the following command fc list lang he scalable true family style weight The output of this command could look l...

Страница 511: ...e lang The font weight such as 80 for regular or 200 for bold weight The slant usually 0 for none and 100 for italic slant The name of the file containing the font file true for outline fonts or false...

Страница 512: ......

Страница 513: ...these drawbacks is to separate applications from the authentication mechanism and delegate authentication to centrally managed modules Whenever a newly required authentication scheme is needed it is...

Страница 514: ...les of this type check whether the user has general permission to use the re quested service As an example such a check should be performed to ensure that no one can log in under the username of an ex...

Страница 515: ...module with the required flag The failure of a module with the sufficient flag has no direct conse quences in the sense that any subsequent modules are processed in their respective order optional The...

Страница 516: ...installed Now the PAM configuration is made with central configuration files and all changes are automatically inherited by the PAM configuration of each service The first include file common auth cal...

Страница 517: ...assword Section password required pam_pwcheck so nullok password required pam_unix2 so nullok use_first_pass use_authtok password required pam_make so var yp Again the PAM configuration of sshd involv...

Страница 518: ...3 1 pam_unix2 conf The traditional password based authentication method is controlled by the PAM module pam_unix2 It can read the necessary data from etc passwd etc shadow NIS maps NIS tables or an L...

Страница 519: ...RIDE PAM_RHOST DISPLAY DEFAULT REMOTEHOST 0 0 OVERRIDE DISPLAY The first line sets the value of the REMOTEHOST variable to localhost which is used whenever pam_env cannot determine any other value The...

Страница 520: ...System Administrators Guide This document includes everything that a system administrator should know about PAM It discusses a range of topics from the syntax of configuration files to the security a...

Страница 521: ...ent only the hardware information and configuration tool ACPI is available on all modern computers laptops desktops and servers All power management technologies require suitable hardware and BIOS rou...

Страница 522: ...orresponds to the ACPI state S3 The support of this state is still under development and therefore largely depends on the hardware Hibernation suspend to disk In this operating mode the entire system...

Страница 523: ...BIOS itself On many laptops standby and suspend states can be activated with key combinations or by closing the lid without any special operating system function However to activate these modes with...

Страница 524: ...after shutdown bounce interval n Time in hundredths of a second after a suspend event during which additional suspend events are ignored idle threshold n System inactivity percentage from which the BI...

Страница 525: ...ameter acpi force may be necessary for some older machines The computer must support ACPI 2 0 or later Check the kernel boot messages in var log boot msg to see if ACPI was activated Subsequently a nu...

Страница 526: ...ir documentation are lo cated in the package pmtools For example acpidmp DSDT acpidisasm proc acpi ac_adapter AC state Shows whether the AC adapter is connected proc acpi battery BAT alarm info state...

Страница 527: ...ontrolled by a daemon the maximum limits can be specified here Some of the limits are deter mined by the system Some can be adjusted by the user proc acpi thermal_zone A separate subdirectory exists f...

Страница 528: ..._frequency causes the temper ature to be queried every X seconds Set X 0 to disable polling None of these settings information and events need to be edited manually This can be done with the Powersave...

Страница 529: ...more conservative policy is used The load of the system must be high for a specific amount of time before the CPU frequency is increased powersave governor The cpu frequency is statically set to the...

Страница 530: ...e CPU has little to do In SUSE Linux Enterprise these technologies are controlled by the powersave daemon The configuration is explained in Section 28 5 The powersave Package page 515 28 3 3 ACPI Tool...

Страница 531: ...em may not be caused by ACPI after booting If an error occurs while parsing an ACPI table the most important table the DS DT can be replaced with an improved version In this case the faulty DSDT of th...

Страница 532: ...Management Module page 524 The hdparm application can be used to modify various hard disk settings The option y instantly switches the hard disk to the standby mode Y puts it to sleep hdparm S x cause...

Страница 533: ...loped for mobile devices See usr src linux Documentation laptop mode txt for details Another important factor is the way active programs behave For example good editors regularly write hidden backups...

Страница 534: ...option listed there contains additional documentation about its functionality etc sysconfig powersave common This file contains general settings for the powersave daemon For example the amount of deb...

Страница 535: ...gout Saves the settings and logs out from GNOME KDE or other window managers wm_shutdown Saves the GNOME or KDE settings and shuts down the system set_disk_settings Executes the disk settings made in...

Страница 536: ...ical modules should be unloaded and which services should be stopped prior to a suspend or standby event When the system is resumed these modules are reloaded and the services are restarted You can ev...

Страница 537: ...ed in the usr sbin s2ram binary provided by the suspend package To modify the default parameters for example to generally disable the suspend to ram sleep mode or to force it even for machines not lis...

Страница 538: ...page 516 EVENT_BATTERY_NORMAL ignore EVENT_BATTERY_WARNING notify EVENT_BATTERY_LOW notify EVENT_BATTERY_CRITICAL wm_shutdown Adapting Power Consumption to Various Conditions The system behavior can b...

Страница 539: ..._BUTTON_POWER wm_shutdown When the power button is pressed the system responds by shutting down the re spective window manager KDE GNOME fvwm etc EVENT_BUTTON_SLEEP suspend_to_disk When the sleep butt...

Страница 540: ...urer to comply with the latest ACPI specification If the errors persist after the BIOS update proceed as follows to replace the faulty DSDT table in your BIOS with an updated DSDT 1 Download the DSDT...

Страница 541: ...revented the sleep mode The log files generated by the powersave daemon in var log suspend2ram log and var log suspend2disk log are very helpful in this regard If the computer does not enter the sleep...

Страница 542: ...jects_Powersave Project page in the openSUSE wiki 28 6 The YaST Power Management Module The YaST power management module can configure all power management settings already described When started from...

Страница 543: ...he existing schemes like that shown in Figure 28 2 Overview of Existing Schemes page 525 Figure 28 2 Overview of Existing Schemes In the scheme overview select the scheme to modify then click Edit To...

Страница 544: ...he noise level of the hard disk supported by few hard disks The Cooling Policy determines the cooling method to use Unfortunately this type of thermal control is rarely supported by the BIOS Read usr...

Страница 545: ...ty and Critical Capacity Specific actions are triggered when the charge level drops under these limits Usually the first two states merely trigger a notification to the user The third critical level t...

Страница 546: ...ystem response to pressing the power button pressing the sleep button and closing the laptop lid Click OK to complete the configuration and return to the start dialog Click Enable Suspend to enter a d...

Страница 547: ...come an indispensable aspect of mobile computing Today most laptops have built in WLAN cards The 802 11 standard for the wireless commu nication of WLAN cards was prepared by the IEEE organization Ori...

Страница 548: ...imes referred to as 802 11b However the popularity of cards using this standard is limited 29 1 1 Hardware 802 11 cards are not supported by SUSE Linux Enterprise Most cards using 802 11a 802 11b and...

Страница 549: ...are used to ensure fast high quality and secure connections Different operating types suit different setups It can be difficult to choose the right authentication method The available encryption meth...

Страница 550: ...During the authentication process both sides exchange the same information once in encrypted form and once in unen crypted form This makes it possible for the key to be reconstructed with suitable to...

Страница 551: ...tage a secure is established and in the second one the client authentication data is exchanged They require far less certification management overhead than TLS if any Encryption There are various encr...

Страница 552: ...ype Wireless in Network Address Setup and click Next In Wireless Network Card Configuration shown in Figure 29 1 YaST Configuring the Wireless Network Card page 534 make the basic settings for the WLA...

Страница 553: ...y page 538 for information Depending on the selected authentication method YaST prompts you to fine tune the settings in another dialog For Open there is nothing to configure because this setting impl...

Страница 554: ...he second stage of EAP TTLS or EAP PEAP communication If you selected TTLS in the previous dialog choose any MD5 GTC CHAP PAP MSCHAPv1 or MSCHAPv2 If you selected PEAP choose any MD5 GTC or MSCHAPv2 P...

Страница 555: ...lity as well as security aspects of your WLAN Stability and Speed The performance and reliability of a wireless network mainly depend on whether the participating stations receive a clean signal from...

Страница 556: ...than no encryption In enterprises with advanced security requirements wireless networks should only be operated with WPA 29 1 6 Troubleshooting If your WLAN card fails to respond check if you have do...

Страница 557: ...wireless LAN cards and drivers support WPA Some cards need a firmware update to enable WPA If you want to use WPA read usr share doc packages wireless tools README wpa 29 1 7 For More Information The...

Страница 558: ......

Страница 559: ...Part IV Services...

Страница 560: ......

Страница 561: ...otocol but a family of network protocols that offer various services The protocols listed in Table 30 1 Several Protocols in the TCP IP Protocol Family page 544 are provided for the purpose of exchang...

Страница 562: ...aranteed and data loss is a possibility UDP is suitable for record oriented appli cations It features a smaller latency period than TCP Internet Control Message Protocol Essentially this is not a prot...

Страница 563: ...s work on a packet oriented basis The data to transmit is packaged in packets because it cannot be sent all at once The maximum size of a TCP IP packet is approximately 64 KB Packets are normally quit...

Страница 564: ...ssed to the next layer The lowest layer is ultimately responsible for sending the data The entire procedure is reversed when data is received Like the layers of an onion in each layer the protocol hea...

Страница 565: ...in IP addresses indicate the hierarchical system Until the 1990s IP addresses were strictly categorized in classes However this system has proven too inflexible and was discontinued Now classless rou...

Страница 566: ...10111111 00001111 11001000 Netmask 255 255 255 0 11111111 11111111 11111111 00000000 Result of the link 11010101 10111111 00001111 00000000 In the decimal system 213 95 15 0 To give another example al...

Страница 567: ...he address 127 0 0 1 is assigned to the loopback device on each host A connection can be set up to your own machine with this address Local Host Because IP addresses must be unique all over the world...

Страница 568: ...ubnetwork with 256 IP addresses from which only 254 are usable because two IP addresses are needed for the structure of the subnetwork itself the broadcast and the base network address Under the curre...

Страница 569: ...address from the information made available by the neighboring routers relying on a pro tocol called the neighbor discovery ND protocol This method does not require any intervention on the administrat...

Страница 570: ...individually through unicasting Which hosts are addressed as a group may depend on the concrete application There are some predefined groups to ad dress all name servers the all name servers multicas...

Страница 571: ...Any leading zero bytes within a given field may be dropped but zeros within the field or at its end may not Another convention is that more than four consecutive zero bytes may be collapsed into a do...

Страница 572: ...2 or 3 as the first digit Currently there are the following address spaces 2001 16 production quality address space and 2002 16 6to4 address space Link local addresses Addresses with this prefix shou...

Страница 573: ...unspecified This address is used by the host as its source address when the interface is initialized for the first time when the address cannot yet be determined by other means 1 loopback The address...

Страница 574: ...For a host to go back and forth between different networks it needs at least two address es One of them the home address not only contains the interface ID but also an iden tifier of the home network...

Страница 575: ...often too labor intensive to use them for daily communication needs Therefore IPv6 provides for three different methods of dynamic tunneling 6over4 IPv6 packets are automatically encapsulated as IPv4...

Страница 576: ...x and gateways should be implemented The radvd program can be used to set up an IPv6 router This program informs the worksta tions which prefix to use for the IPv6 addresses and which routers Alternat...

Страница 577: ...tter ISO national codes are the standard In addition to that longer TLDs were introduced in 2000 that represent certain spheres of activity for example info name museum In the early days of the Intern...

Страница 578: ...twork configuration see Section 30 6 Configuring a Network Connection Manually page 580 During installation YaST can be used to configure automatically all interfaces that have been detected Additiona...

Страница 579: ...dialog shows a list with all the network cards available for configuration Any card properly detected is listed with its name To change the confi guration of the selected device click Edit Devices tha...

Страница 580: ...ting Advanced DHCP Options Specify whether the DHCP server should always honor broadcast requests and any identifier to use If you have a virtual host setup where different hosts communicate through t...

Страница 581: ...k configuration during installation and the wired card was available a hostname was automatically generated for your computer and DHCP was activated The same applies to the name service information yo...

Страница 582: ...tworks routing information must be given to make network traffic take the correct path If DHCP is used this information is automatically provided If a static setup is used this data must be added manu...

Страница 583: ...never To change device start up proceed as follows 1 Select a card from the list of detected cards in the YaST network card configura tion module and click Edit 2 In the General tab select the desired...

Страница 584: ...External Zone The firewall is run on this interface and fully protects it against other pre sumably hostile network traffic This is the default option 4 Click Next 5 Activate the configuration by cli...

Страница 585: ...configure the wireless connection in the next dialog Detailed information about wireless device confi guration is available in Section 29 1 Wireless LAN page 529 5 In the General tab set the Firewall...

Страница 586: ...rate and the modem initialization strings Only change these settings if your modem was not detected automatically or if it requires special settings for data transmission to work This is mainly the c...

Страница 587: ...sable this option and enter the DNS data manually Stupid Mode This option is enabled by default With it input prompts sent by the ISP s server are ignored to prevent them from interfering with the con...

Страница 588: ...ning of the card Figure 30 5 ISDN Configuration In the next dialog shown in Figure 30 5 ISDN Configuration page 570 select the protocol to use The default is Euro ISDN EDSS1 but for older or larger ex...

Страница 589: ...re 30 6 ISDN Interface Configuration The number to enter for My Phone Number depends on your particular setup ISDN Card Directly Connected to Phone Outlet A standard ISDN line provides three phone num...

Страница 590: ...permissions to activate or deactivate the interface select the User Controlled Details opens a dialog in which to implement more complex connection schemes which are not relevant for normal home users...

Страница 591: ...able subscriber usually gets a modem that is connected to the TV cable outlet on one side and to a computer network card on the other using a 10Base TG twisted pair cable The cable modem then provides...

Страница 592: ...ave not done so yet first configure the card by selecting Configure Network Cards see Sec tion 30 4 1 Configuring the Network Card with YaST page 560 In the case of a DSL link addresses may be assigne...

Страница 593: ...o far which is why they are only briefly mentioned in the following paragraphs For details on the available options read the detailed help available from the dialogs To use Dial on Demand on a stand a...

Страница 594: ...dress setup dialog specify the IP address and netmask for the new inter face and leave the network configuration by pressing Next and Finish The qeth ethernet Device To add a qeth ethernet IBM OSA Exp...

Страница 595: ...ns see the Linux for IBM System z Device Drivers Features and Commands manual for reference at http www ibm com developerworks linux linux390 index html your IP address and an appropriate netmask Leav...

Страница 596: ...a virtual system inside Xen You want to use SCPM for network configuration management To use SCPM and NetworkManager at the same time SCPM cannot control network resources You want to use more than on...

Страница 597: ...rivileges For this reason NetworkManager is the ideal solution for a mobile workstation Traditional configuration with ifup also provides some ways to switch stop or start the connection with or witho...

Страница 598: ...alization of the device with the script hwup When the network card is initialized as a new network interface the kernel generates another hotplug event that triggers the setup of the inter face with i...

Страница 599: ...terface The search for the most suitable configuration is handled by getcfg The output of getcfg delivers all information that can be used for describing a device Details regarding the specification o...

Страница 600: ...s automatically executed for the new interface via hotplug and the interface is set up if the start mode is onboot hotplug or auto and the network service was started Formerly the command ifup interfa...

Страница 601: ...configuration files and explains their purpose and the format used etc syconfig hardware hwcfg These files contain the hardware configurations of network cards and other devices They contain the need...

Страница 602: ...guration file etc sysconfig network ifroute Replace with the name of the inter face The entries in the routing configuration files look like this Destination Dummy Gateway Netmask Device 127 0 0 0 0 0...

Страница 603: ...erver nameserver 192 168 0 20 Some services like pppd wvdial ipppd isdn dhcp dhcpcd and dhclient pcmcia and hotplug modify the file etc resolv conf by means of the script modify_resolvconf If the file...

Страница 604: ...ere For each host enter a line consisting of the IP address the fully qualified hostname and the hostname into the file The IP address must be at the beginning of the line and the entries separated by...

Страница 605: ...he etc hosts file bind Accesses a name server nis Uses NIS Defines if a host entered in etc hosts can have multiple IP addresses multi on off These parameters influence the name server spoofing but ap...

Страница 606: ...ge 609 Example 30 9 etc nsswitch conf passwd compat group compat hosts files dns networks files dns services db files protocols db files netgroup files automount files nis The databases available over...

Страница 607: ...protocols 5 man page protocols Remote procedure call names and addresses used by getrpcbyname and similar functions rpc Network services used by getservent services Shadow passwords of users used by...

Страница 608: ...without the domain name attached This file is read by several scripts while the machine is booting It may only contain one line in which the hostname is set 30 6 2 Testing the Configuration Before you...

Страница 609: ...the state of a device with the command ip link set device_name command For example to deactivate device eth0 enter ip link seteth0 down To activate it again use ip link seteth0 up After activating a...

Страница 610: ...data packet ECHO_REQUEST datagram to the destination host requesting an immediate reply If this works ping displays a message to that effect which indicates that the network link is basically function...

Страница 611: ...es it is sometimes useful to send the ping through a specific interface address To do so use the I option with the name of the selected device for example ping I wlan1 192 168 0 For more options and i...

Страница 612: ...addr 00 0E 2E 52 3B 1D inet addr 192 168 2 4 Bcast 192 168 2 255 Mask 255 255 255 0 inet6 addr fe80 20e 2eff fe52 3b1d 64 Scope Link UP BROADCAST NOTRAILERS RUNNING MULTICAST MTU 1500 Metric 1 RX pack...

Страница 613: ...nlevels Some of these scripts are de scribed in Table 30 9 Some Start Up Scripts for Network Programs page 595 Table 30 9 Some Start Up Scripts for Network Programs This script handles the configurati...

Страница 614: ...grams the required pppd or ipppd and controls its dial up properties Second it makes various providers available to the user programs and transmits information about the current status of the connecti...

Страница 615: ...8 and smpppd conf 5 man pages 30 7 2 Configuring KInternet cinternet and qinternet for Remote Use KInternet cinternet and qinternet can be used to control a local or remote smpppd cinternet is the com...

Страница 616: ...Insert the password selected for smpppd If smpppd is active you can now try to access it for example with cinternet verbose interface list If you experience difficulties at this point refer to the smp...

Страница 617: ...th integrated support for SLP YaST and Konqueror both have appropriate front ends for SLP You can use SLP to provide net worked clients with central functions such as an installation server file serve...

Страница 618: ...ation YaST SLP Browser YaST contains a separate SLP browser that lists all services in the local network announced by SLP in a tree diagram Find it as Network Services SLP Browser Konqueror When used...

Страница 619: ...on the server HOSTNAME is automatically replaced with the full hostname The name of the TCP port on which the relevant service can be found follows separated by a colon Then enter the language in whi...

Страница 620: ...RFC 2608 generally deals with the definition of SLP RFC 2609 deals with the syntax of the service URLs used in greater detail and RFC 2610 deals with DHCP via SLP http www openslp org The home page o...

Страница 621: ...for ex ample a backward leap can cause malfunction of critical applications Within a network it is usually necessary to synchronize the system time of all machines but manual time adjustment is a bad...

Страница 622: ...di alog in which to select a suitable time server for your network Figure 32 1 YaST Configuring an NTP Client In the detailed server selection dialog determine whether to implement time synchro nizati...

Страница 623: ...Complex NTP Configuration In Complex NTP Configuration determine whether xntpd should be started in a chroot jail By default Run NTP Daemon in Chroot Jail is activated This increases the secu rity in...

Страница 624: ...is a machine to which a symmetric relationship is established it acts both as a time server and as a client To use a peer in the same network instead of a server enter the address of the system The re...

Страница 625: ...ait for NTP broadcasts sent out by broadcast time servers in the network This approach has the disadvantage that the quality of the server is unknown and a server sending out wrong information can cau...

Страница 626: ...The Conrad DCF77 receiver module for example has mode 5 To use this clock as a preferred reference specify the keyword prefer The complete server line for a Conrad DCF77 receiver module would be serv...

Страница 627: ...xample section or zone of the org domain DNS server The DNS server is a server that maintains the name and IP information for a domain You can have a primary DNS server for master zone a secondary ser...

Страница 628: ...sing DNS to synchronize data between multiple comput ers 33 2 Configuration with YaST You can use the DNS module of YaST to configure a DNS server for your local network To configure a Samba server st...

Страница 629: ...ally Figure 33 1 DNS Server Installation Forwarder Settings 2 The DNS Zones dialog consists of several parts and is responsible for the man agement of zone files described in Section 33 5 Zone Files p...

Страница 630: ...n open the DNS port in the firewall by clicking Open Port in Firewall Then decide whether or not the DNS server should be started On or Off You can also activate LDAP support See Figure 33 3 DNS Serve...

Страница 631: ...em or manually To start the DNS server immediately select Start DNS Server Now To stop the DNS server select Stop DNS Server Now To save the current settings select Save Settings and Restart DNS Serve...

Страница 632: ...e additionally specify a name the maximum file size in megabytes and the number of versions of log files to store Further options are available under Additional Logging Enabling Log All DNS Queries ca...

Страница 633: ...Secure Transactions page 631 To generate a TSIG key enter a distinctive name in the field labeled Key ID and specify the file where the key should be stored Filename Confirm your choices with Add To u...

Страница 634: ...s Basic the one opened first NS Records MX Records SOA and Records The basic dialog shown in Figure 33 6 DNS Server Zone Editor Basic page 617 lets you define settings for dynamic DNS and access optio...

Страница 635: ...u to define alternative name servers for the zones specified Make sure that your own name server is included in the list To add a record enter its name under Name Server to Add then confirm with Add S...

Страница 636: ...X Records To add a mail server for the current zone to the existing list enter the corresponding address and priority value After doing so confirm by selecting Add See Fig ure 33 8 DNS Server Zone Edi...

Страница 637: ...s page allows you to create SOA start of authority records For an explanation of the individual options refer to Example 33 6 File var lib named world zone page 627 Changing SOA records is not support...

Страница 638: ...rkeley Internet name domain comes preconfigured so it can be started right after installation without any problem If you already have a functioning Internet connection and have entered 127 0 0 1 as th...

Страница 639: ...een started successfully Test the name server immediately on the local system with the host or dig programs which should return localhost as the default server with the address 127 0 0 1 If this is no...

Страница 640: ...ime by entering rcnamed stop 33 4 The Configuration File etc named conf All the settings for the BIND name server itself are stored in the file etc named conf However the zone data for the domains to...

Страница 641: ...stly of the provider to which DNS requests should be forwarded if they cannot be resolved directly Replace ip address with an IP address like 10 0 0 1 forward first Causes DNS requests to be forwarded...

Страница 642: ...e netmask in this case 255 255 255 0 allow transfer Controls which hosts can request zone transfers In the example such requests are completely denied with Without this entry zone transfers can be req...

Страница 643: ...tries Example 33 4 Zone Entry for my domain de zone my domain de in type master file my domain zone notify no After zone specify the name of the domain to administer my domain de followed by in and a...

Страница 644: ...se this data is fetched from another name server To differentiate master and slave files use the directory slave for the slave files masters server ip address This entry is only needed for slave zones...

Страница 645: ...teway root world cosmos 2003072441 serial 1D refresh 2H retry 1W expiry 2D minimum IN NS gateway IN MX 10 sun gateway IN A 192 168 0 1 IN A 192 168 1 1 sun IN A 192 168 0 2 moon IN A 192 168 0 3 earth...

Страница 646: ...e interval at which the secondary name servers verify the zone serial number In this case one day Line 5 The retry rate specifies the time interval at which a secondary name server in case of error at...

Страница 647: ...AAAA If the ad dress is an IPv6 address the entry is marked with AAAA 0 The previous token for IPv6 addresses was only AAAA which is now obsolete NOTE IPv6 Syntax A IPv6 record has a slightly differe...

Страница 648: ...ine 2 The configuration file should activate reverse lookup for the network 192 168 1 0 Given that the zone is called 1 168 192 in addr arpa should not be added to the hostnames Therefore all hostname...

Страница 649: ...f this command check the manual page for nsupdate man 8 nsupdate For security reasons any such update should be performed using TSIG keys as described in Section 33 7 Secure Transactions page 631 33 7...

Страница 650: ...an extra file with specially limited permissions which is then included from etc named conf To include an external file use include filename Replace filename with an absolute path to your file with k...

Страница 651: ...ne set which must then be transferred to the parent zone in a secure manner On the parent the set is signed with dnssec signkey The files generated by this command are then used to sign the zones with...

Страница 652: ......

Страница 653: ...work cards These cards are the only ones with a MAC which is required for the DHCP autoconfiguration features One way to configure a DHCP server is to identify each client using the hardware address o...

Страница 654: ...er configuration locally on the host that runs the DHCP server or to have its configuration data managed by an LDAP server The YaST DHCP module allows you to set up your own DHCP server for the local...

Страница 655: ...lds provide the network specifics for all clients the DHCP server should manage These specifics are the domain name address of a time server addresses of the primary and secondary name server addresse...

Страница 656: ...DHCP clients All these addresses must be covered by the same netmask Also specify the lease time during which a client may keep its IP address without needing to request an extension of the lease Opti...

Страница 657: ...start the DHCP server automatically when the system is booted or manually when needed for example for test purposes Click Finish to complete the configuration of the server See Figure 34 4 DHCP Serve...

Страница 658: ...e entry fields provided in the lower part to specify a list of the clients to manage in this way Specifically provide the Name and the IP Address to give to such a client the Hardware Address and the...

Страница 659: ...un in a chroot environment or chroot jail to secure the server host If the DHCP server should ever be compromised by an outside attack the attacker will still be behind bars in the chroot jail which p...

Страница 660: ...CP server are made up of a number of declarations This dialog lets you set the declaration types Subnet Host Shared Network Group Pool of Addresses and Class This example shows the selection of a new...

Страница 661: ...ration This dialog allows you specify a new subnet with its IP address and netmask In the middle part of the dialog modify the DHCP server start options for the selected subnet using Add Edit and Dele...

Страница 662: ...in the previous dialog you can now con figure the key management for a secure zone transfer Selecting OK takes you to another dialog in which to configure the interface for dynamic DNS see Fig ure 34...

Страница 663: ...ettings enable the automatic update and adjustment of the global DHCP server settings according to the dynamic DNS environment Finally define which forward and reverse zones should be updated per dyna...

Страница 664: ...isplayed select one or more that should be attended by the the DHCP server If clients in all of the subnets should be able to communicate with the server and the server host also runs a firewall adjus...

Страница 665: ...onsortium On the client side choose between two different DHCP client programs dhcp client also from ISC and the DHCP client daemon in the dhcpcd package SUSE Linux Enterprise installs dhcpcd by defau...

Страница 666: ...range 192 168 1 100 192 168 1 200 This simple configuration file should be sufficient to get the DHCP server to assign IP addresses in the network Make sure that a semicolon is inserted at the end of...

Страница 667: ...168 1 20 as well as 192 168 1 100 and 192 168 1 200 After editing these few lines you should be able to activate the DHCP daemon with the command rcdhcpd start It will be ready for use immediately Us...

Страница 668: ...st line and the MAC address in the second line On Linux hosts find the MAC address with the command ip link show followed by the network device for example eth0 The output should contain something lik...

Страница 669: ...s like etc ppp ip up However there should be no need to worry about this if the configuration file only specifies IP addresses instead of host names If your configuration includes additional files tha...

Страница 670: ......

Страница 671: ...roup across networks NIS can also be used for other purposes making the contents of files like etc hosts or etc services available for example but this is beyond the scope of this introduction People...

Страница 672: ...erver 2 If you need just one NIS server in your network or if this server is to act as the master for further NIS slave servers select Install and set up NIS Master Server YaST installs the required p...

Страница 673: ...nges to GECOS Field and Allow Changes to Login Shell available GECOS means that the users can also change their names and address settings with the command ypchfn SHELL al lows users to change their d...

Страница 674: ...ur settings and return to the previous screen Figure 35 3 Changing the Directory and Synchronizing Files for a NIS Server 4 If you previously enabled Active Slave NIS Server Exists enter the hostnames...

Страница 675: ...ton Specify from which networks requests can be sent to the NIS server Normally this is your internal network In this case there should be the following two entries 255 0 0 0 127 0 0 0 0 0 0 0 0 0 0 0...

Страница 676: ...llows 1 Start YaST Network Services NIS Server 2 Select Install and set up NIS Slave Server and click Next TIP If NIS server software is already installed on your machine initiate the creation of a NI...

Страница 677: ...the module NIS Client to configure a workstation to use NIS Select whether the host has a static IP address or receives one issued by DHCP DHCP can also provide the NIS domain and the NIS server For...

Страница 678: ...ing Broken Server the client is enabled to receive replies from a server communicating through an unprivileged port For further information see man ypbind After you have made your settings click Finis...

Страница 679: ...archable form In the ideal case a central server keeps the data in a directory and distributes it to all clients using a certain protocol The data is structured in a way that allows a wide range of ap...

Страница 680: ...echanisms All applications accessing this service should gain access quickly and easily 36 1 LDAP versus NIS The Unix system administrator traditionally uses the NIS service for name resolution and da...

Страница 681: ...t is called distinguished name or DN A single node along the path to this entry is called relative distinguished name or RDN Objects can generally be assigned to one of two possible types container Th...

Страница 682: ...llowing a scheme The type of an object is determined by the object class The object class de termines what attributes the concerned object must or can be assigned A scheme therefore must contain defin...

Страница 683: ...2 DESC RFC2256 organizational unit this object belongs to 3 SUP name 4 objectclass 2 5 6 5 NAME organizationalUnit 5 DESC RFC2256 an organizational unit 6 SUP top STRUCTURAL 7 MUST ou 8 MAY userPassw...

Страница 684: ...types that are permitted in conjunction with this object class A very good introduction to the use of schemes can be found in the documentation of OpenLDAP When installed find it in usr share doc pac...

Страница 685: ...thenticated users read access Allow anonymous users to authenticate access to dn by read access to by self write by users read by anonymous auth if no access controls are present the default is Allow...

Страница 686: ...determined with what Regular expressions may be used slapd again aborts the evaluation of who after the first match so more specific rules should be listed before the more general ones The entries sh...

Страница 687: ...conf Example for Access Control access to dn regex ou dc example dc com by dn regex cn Administrator ou 1 dc example dc com write by user read by none This rule declares that only its respective admin...

Страница 688: ...slapd conf 5 for details Use of strong authentication encouraged rootpw secret The database directory MUST exist prior to running slapd AND should only be accessible by the slapd tools Mode 700 recom...

Страница 689: ...cy_hash_cleartext specifies that clear text passwords present in add and modify requests are hashed before being stored in the database When this option is used it is recommended to deny compare searc...

Страница 690: ...rting Data into an LDAP Directory Once the configuration of your LDAP server in etc openldap slapd conf is correct and ready to go it features appropriate entries for suffix directory rootdn rootpw an...

Страница 691: ...of Emacs Other wise avoid umlauts and other special characters or use recode to recode the input to UTF 8 Save the file with the ldif suffix then pass it to the server with the following com mand lda...

Страница 692: ...il tux example com uid tux telephoneNumber 49 1234 567 8 An LDIF file can contain an arbitrary number of objects It is possible to pass entire directory branches to the server at once or only parts of...

Страница 693: ...dapmodify x D cn Administrator dc example dc com W Enter LDAP password 2 Enter the changes while carefully complying with the syntax in the order presented below dn cn Tux Linux ou devel dc example dc...

Страница 694: ...ify that all entries have been recorded correctly and the server responds as desired Find more information about the use of ldapsearch in the corresponding man page ldapsearch 1 36 4 4 Deleting Data f...

Страница 695: ...its services via SLP check Register at an SLP Daemon 5 Select Configure to configure General Settings and Databases To configure the Global Settings of your LDAP server proceed as follows 1 Accept or...

Страница 696: ...nnect without authentication anonymously using a DN but no password update_anon Enabling this option allows nonauthenticated anonymous update operations Access is restricted according to ACLs and othe...

Страница 697: ...orithm to use to secure the password of Root DN Choose crypt smd5 ssha or sha The dialog also includes a plain option to enable the use of plain text passwords but enabling this is not recommend ed fo...

Страница 698: ...server password 2 Configure the password change policies 2a Determine the number of passwords stored in the password history Saved passwords may not be reused by the user 2b Determine whether users ca...

Страница 699: ...right part of the window YaST displays a dialog similar to the one used for the creation of a new database with the main difference that the base DN entry is grayed out and cannot be changed After le...

Страница 700: ...on file corresponding to the service in etc pam d Configuration files already adapted to individual services can be found in usr share doc packages pam_ldap pam d Copy appropriate files to etc pam d g...

Страница 701: ...d in Section Basic Configuration page 683 Use the YaST LDAP client to further configure the YaST group and user configuration modules This includes manipulating the default settings for new users and...

Страница 702: ...Enter the IP address of the LDAP server to use 3 Enter the LDAP base DN to select the search base on the LDAP server To retrieve the base DN automatically click Fetch DN YaST then checks for any LDAP...

Страница 703: ...onfiguration The following dialog is split in two tabs See Figure 36 4 YaST Advanced Configuration page 685 1 In the Client Settings tab adjust the following settings to your needs 1a If the search ba...

Страница 704: ...istrator 2c Check Create Default Configuration Objects to create the basic configuration objects on the server to enable user management via LDAP 2d If your client machine should act as a file server...

Страница 705: ...for user and group management The registered data is stored as LDAP objects on the server Figure 36 5 YaST Module Configuration The dialog for module configuration Figure 36 5 YaST Module Configuratio...

Страница 706: ...of the module Clicking Delete deletes the currently selected module 4 After you click Accept the new module is added to the selection menu The YaST modules for group and user administration embed temp...

Страница 707: ...values for an attribute can be created from other attributes by using a variable instead of an absolute value For example when creating a new user cn sn givenName is created automatically from the att...

Страница 708: ...y username login and password in the User Data tab 3b Check the Details tab for the group membership login shell and home di rectory of the new user If necessary change the default to values that bett...

Страница 709: ...ser administration offers LDAP Options This gives the pos sibility to apply LDAP search filters to the set of available users or go to the module for the configuration of LDAP users and groups by sele...

Страница 710: ...stratorDN and the password for the RootDN of this server if you need both to read and write the data stored on the server Alternatively choose Anonymous Access and do not provide the password to gain...

Страница 711: ...de the RootDN password when prompted 6 Leave the LDAP browser with Close 36 9 For More Information More complex subjects like SASL configuration or establishment of a replicating LDAP server that dist...

Страница 712: ...ll important aspects of LDAP configuration including access controls and encryption See http www openldap org doc admin22 or on an installed system usr share doc packages openldap2 admin guide index h...

Страница 713: ...ol that is based on the NetBIOS services Due to pressure from IBM Microsoft released the protocol so other soft ware manufacturers could establish connections to a Microsoft domain network With Samba...

Страница 714: ...names that correspond to DNS hostnames to make administration easier This is the default used by Samba Samba server Samba server is a server that provides SMB CIFS services and NetBIOS over IP naming...

Страница 715: ...convenience of the YaST GUI 37 3 1 Configuring a Samba Server with YaST To configure a Samba server start YaST and select Network Services Samba Server When starting the module for the first time the...

Страница 716: ...network interfaces select the network interface for Samba services by clicking Firewall Details selecting the interfaces and clicking OK Shares In the Shares tab determine the Samba shares to activat...

Страница 717: ...lation SWAT is not activated To activate it open Network Services Network Services xinetd in YaST enable the network services configuration select swat from the table and click Toggle Status On or Off...

Страница 718: ...ch as a Windows NT or 2000 server and you want the Samba server to keep a list of all systems present in the local environment set the os level to a higher value for example 65 Your Samba server is th...

Страница 719: ...twork An additional comment can be added to further describe the share path media cdrom path exports the directory media cdrom By means of a very restrictive default configuration this kind of share i...

Страница 720: ...isible in the network environment read only No By default Samba prohibits write access to any exported share by means of the read only Yes parameter To make a share writable set the value read only No...

Страница 721: ...xpects an additional parameter password server The selection of share user or server level security applies to the entire server It is not possible to offer individual shares of a server configuration...

Страница 722: ...an input format 37 5 Samba as Login Server In networks where predominantly Windows clients are found it is often preferable that users may only register with a valid account and password In a Windows...

Страница 723: ...dd g nogroup c NT Machine Account s bin false m To make sure that Samba can execute this script correctly choose a Samba user with the required administrator permissions To do so select one user and a...

Страница 724: ...ip 3 Enter the domain to join at Domain or Workgroup in the Windows Domain Membership screen Alternately use Browse to get a list of all available domains and select one Figure 37 1 Determining Window...

Страница 725: ...should be the configuration of the LDAP server You need to add base DN information and entries for accounts of your software clients with passwords Detailed information about LDAP configuration is pro...

Страница 726: ...rd are essential to add or modify accounts stored in the LDAP directory 37 7 3 Migrating the Windows Profiles For every profile to migrate complete these steps Procedure 37 1 Migrating a Profile 1 On...

Страница 727: ...ixgroup root net groupmap modify ntgroup Domain Users unixgroup users net groupmap modify ntgroup Domain Guests unixgroup nobody Our domain global groups net groupmap add ntgroup Operation unixgroup o...

Страница 728: ...hecking your configuration You can find Samba HOWTO Collection in usr share doc packages samba Samba HOWTO Collection pdf after installing the package samba doc Find detailed information about LDAP an...

Страница 729: ...using IP addresses only To avoid time outs however you should have a working DNS system This is necessary at least for logging purposes because the mountd daemon does reverse lookups 38 1 Installing t...

Страница 730: ...to open the firewall to allow access to the service from remote computers The firewall status is displayed next to the check box Clicking Finish to saves your changes See Figure 38 1 NFS Client Confi...

Страница 731: ...start Use rcidmapd status to check the status of idmapd The idmapd services stores its parameters in the etc idmapd conf file Leave the value of the Domain parameter as localdomain Ensure that the va...

Страница 732: ...nt fstype nfs4 server2 Activate the settings with rcautofs start For this example nfsmounts localdata the data directory of server1 is then mounted with NFS and nfsmounts nfs4mount from server2 is mou...

Страница 733: ...e NFSv4 domain name Click Enable GSS Security if you need secure access to the server A prerequisite for this is to have Kerberos installed in your domain and both the server and the clients are kerbe...

Страница 734: ...NFSv4 Clients Activate Enable NFSv4 to support NFSv4 clients Clients with NFSv3 can still access the server s exported directories if they are exported appropriately This is explained in detail in Sec...

Страница 735: ...file system This pseudo file system acts as a base point under which all file systems exported for the same client set take their place For a client or set of clients only one directory on the server...

Страница 736: ...for this make sure that bind exports data is in the list and that exports data is an already existing subdirectory of exports Any change in the option bind target path whether addition deletion or cha...

Страница 737: ...sidered v3 exports Consider the example in Figure 38 4 Exporting Directories with NFSv4 page 717 If you add another directory such as data2 using Add Directory then in the corre sponding options list...

Страница 738: ...ates a directory that is shared and how it is shared A typical entry in etc exports consists of shared directory host option_list For example export 192 168 1 2 rw fsid 0 sync data 192 168 1 2 rw bind...

Страница 739: ...pd conf Every user on a Linux machine has a name and ID idmapd does the name to ID mapping for NFSv4 requests to the server and replies to the client This must be running on both server and client for...

Страница 740: ...Exporting File Systems with NFSv4 page 720 for exporting with NFSv4 Exporting file systems with NFS involves two configuration files etc exports and etc sysconfig nfs A typical etc exports file entry...

Страница 741: ...rther information about configuring kerberized NFS refer to the links in Sec tion 38 7 For More Information page 723 38 7 For More Information As well as the man pages of exports nfs and mount informa...

Страница 742: ......

Страница 743: ...is case use a network file system like NFS and store the files on a server enabling all hosts to access the same data via the network This approach is impossible if the network connection is poor or n...

Страница 744: ...hanges that are performed locally are committed to the repository and can be retrieved from other computers by means of an update Both procedures must be initiated by the user CVS is very resilient to...

Страница 745: ...can also act as a server 39 2 2 Portability CVS and rsync are also available for many other operating systems including various Unix and Windows systems 39 2 3 Interactive versus Automatic In CVS the...

Страница 746: ...based on the content and the remarks This is a valuable aid for theses and program texts 39 2 7 Data Volume and Hard Disk Requirements A sufficient amount of free space for all distributed data is re...

Страница 747: ...n and ma nipulation CVS and rsync can easily be used via ssh secure shell providing security against attacks of this kind Running CVS via rsh remote shell should be avoided Accessing CVS with the pser...

Страница 748: ...bilities of CVS cannot be used The use of CVS for synchronizing files is only possible if all workstations can access the same server 39 3 1 Configuring a CVS Server The server is the host on which al...

Страница 749: ...he comment in advance on the com mand line such as in the following example cvs import m this is a test synchome tux wilber 39 3 2 Using CVS The synchronization repository can now be checked out from...

Страница 750: ...server C The local file conflicts with current version in the repository This file does not exist in CVS The status M indicates a locally modified file Either commit the local copy to the server or r...

Страница 751: ...on to provide directories to the network The basic mode of operation of rsync does not require any special configuration rsync directly allows mirroring complete directories onto another system As an...

Страница 752: ...le listing all connections This file is stored in var log rsyncd log It is then possible to test the transfer from a client system Do this with the following command rsync avz sun FTP This command lis...

Страница 753: ...rence about the operating principles of rsync is featured in usr share doc packages rsync tech_report ps Find the latest news about rsync on the project Web site at http rsync samba org If you want Su...

Страница 754: ......

Страница 755: ...2 2 In this chapter learn how to install configure and set up a Web server how to use SSL CGI and additional modules and how to troubleshoot Apache 40 1 Quick Start With the help of this section quic...

Страница 756: ...ages to finish the installation process Apache is installed with a standard predefined configuration that runs out of the box The installation includes the multiprocessing module apache2 prefork as we...

Страница 757: ...wo different ways with YaST or manually Manual configuration offers a higher level of detail but lacks the convenience of the YaST GUI IMPORTANT Configuration Changes Changes to most configuration val...

Страница 758: ...configuration needs etc apache2 etc apache2 hosts all configuration files for Apache In the following the purpose of each file is explained Each file includes several configuration options also referr...

Страница 759: ...irtual hosts edit this file Otherwise overwrite these directives in your virtual host con figurations extra conf The upstream configuration files delivered with the original package by the Apache Soft...

Страница 760: ...roperly test your Web server when making changes here ssl global conf and ssl Global SSL configuration and SSL certificate data Refer to Section 40 6 Setting Up a Secure Web Server with SSL page 766 f...

Страница 761: ...st template or vhost ssl template for a virtual host with SSL support TIP Always Create a Virtual Host Configuration It is recommended to always create a virtual host configuration file even if your W...

Страница 762: ...ddress and the port number to receive re quests on all interfaces IPv6 addresses must be enclosed in square brackets Example 40 1 Variations of Name Based VirtualHost Entries NameVirtualHost IP addres...

Страница 763: ...ma chine One instance of Apache hosts several domains each of which is assigned a dif ferent IP The physical server must have one IP address for each IP based virtual host If the machine does not have...

Страница 764: ...tc apache2 vhosts d vhost template for more options ServerName The fully qualified domain name under which the host should be addressed DocumentRoot Path to the directory from which Apache should serv...

Страница 765: ...refore explicitly unlock the DocumentRoot directory in which you have placed the files Apache should serve Directory srv www example com_htdocs Order allow deny Allow from all Directory The complete c...

Страница 766: ...ion of existing network interfaces and their respec tive IP addresses Ports from all three ranges well known ports registered ports and dynamic or private ports that are not reserved by other services...

Страница 767: ...s choose the appropriate entry in the table then click Edit To add new directives click Add To delete a directive select it and click Delete Figure 40 1 HTTP Server Wizard Default Host Here is list of...

Страница 768: ...ctory containing the configuration files that come with external modules By default all files in this directory conf are included etc apache2 conf d apache2 manual conf is the directory containing all...

Страница 769: ...ptions are explained in Section Default Host page 749 Clicking Next advances to the second part of the virtual host configuration dialog In part two of the virtual host configuration you can specify w...

Страница 770: ...og described in Section HTTP Server Configuration page 752 Figure 40 2 HTTP Server Wizard Summary HTTP Server Configuration The HTTP Server Configuration dialog also lets you make even more adjustment...

Страница 771: ...y With Log Files watch either the access log or the error log This is useful if you want to test your configuration The log file opens in a separate window from which you can also restart or reload th...

Страница 772: ...and Section Virtual Hosts page 751 40 3 Starting and Stopping Apache If configured with YaST see Section 40 2 2 Configuring Apache with YaST page 748 Apache is started at boot time in runlevels 3 and...

Страница 773: ...only if it has been running before reload or graceful Stops the Web server by advising all forked Apache processes to first finish their requests before shutting down As each process dies it is repla...

Страница 774: ...sks is handled by modules This has progressed so far that even HTTP is processed by a module http_core Apache modules can be compiled into the Apache binary at build time or dynamically loaded at runt...

Страница 775: ...ocessing module Prefork MPM and the external modules mod_php5 and mod_python You can install additional external modules by starting YaST and choosing Software Software Management Now choose Filter Se...

Страница 776: ...rtain MIME type such as application pdf a file with a specific extension like rpm or a certain request method such as GET is requested This module is enabled by default mod_alias Provides Alias and Re...

Страница 777: ...lt It also provides an automatic redirect to the correct URl when a directory request does not contain a trailing slash This module is enabled by de fault mod_env Controls the environment that is pass...

Страница 778: ...rules request headers and more mod_setenvif Sets environment variables based on details of the client s request such as the browser string the client sends or the client s IP address This module is e...

Страница 779: ...atic requests cannot affect others avoiding a lockup of the Web server While providing stability with this process based approach the prefork MPM consumes more system resources than its counterpart th...

Страница 780: ...t of all external modules shipped with SUSE Linux Enterprise Server here Find the module s documentation in the listed directory mod apparmor Adds support to Apache to provide Novell AppArmor confinem...

Страница 781: ...nal modules for Apache apxs2 enables the compilation and installation of modules from source code including the required changes to the configuration files which creates dynamic shared objects DSOs th...

Страница 782: ...ti vated mod_alias is also needed Both modules are enabled by default Refer to Sec tion 40 4 2 Activation and Deactivation page 757 for details on activating modules WARNING CGI Security Allowing the...

Страница 783: ...ed by a MIME Type header such as Content type text html This header is sent to the client so it understands what kind of content it receives Secondly the script s output must be something the client u...

Страница 784: ...CGI directory and execute the ls l test cgi Its output should start with rwxr xr x 1 root root Make sure that the script does not contain programming errors If you have not changed test cgi this shoul...

Страница 785: ...with Apache is that URLs are prefixed with https instead of http 40 6 1 Creating an SSL Certificate In order to use SSL TSL with the Web server you need to create an SSL certificate This certificate...

Страница 786: ...a defined circle of users it might be sufficient if you sign a certificate with your own certificate authority CA Creating a self signed certificate is an interactive nine step process Change into the...

Страница 787: ...ate key for SERVER 1024 bit No interaction needed 6 Generating X 509 certificate signing request for SERVER Create the distinguished name for the server key here Questions are almost identical to the...

Страница 788: ...etc sysconfig apache2 Otherwise you do not have enough time to enter the passphrase before the attempt to start the server is stopped unsuccessfully The script s result page presents a list of certif...

Страница 789: ...country name or organization name Enter valid data everything you enter here later shows up in the certificate and is checked You do not need to answer every question If one does not apply to you or...

Страница 790: ...nfiguration page 743 for the general virtual host configuration To get started it should be sufficient to adjust the values for the following directives DocumentRoot ServerName ServerAdmin ErrorLog Tr...

Страница 791: ...nd group root You should not change these permissions If the directories were writable for all any user could place files into them These files might then be executed by Apache with the permissions of...

Страница 792: ...suEXEC lets you run CGI scripts under a different user and group 40 7 5 User Directories When enabling user directories with mod_userdir or mod_rewrite you should strongly consider not allowing htacc...

Страница 793: ...a separate option available to take care of this specific issue see Section 40 2 2 Configuring Apache with YaST page 748 If you are configuring Apache manually open firewall ports for HTTP and HTTPS...

Страница 794: ...owing locations mod apparmor http en opensuse org AppArmor mod_perl http perl apache org mod_php5 http www php net manual en install unix apache2 php mod_python http www modpython org 40 9 3 Developme...

Страница 795: ...che in SUSE Linux Enterprise Server take a look at the Technical Information Search at http www novell com support The history of Apache is provided at http httpd apache org ABOUT _APACHE html This pa...

Страница 796: ......

Страница 797: ...the same object can be served from the hard disk cache This enables clients to receive the data much faster than from the Internet This procedure also reduces the network traffic Along with the actua...

Страница 798: ...d can be configured to exchange objects between them This reduces the total system load and increases the chances of finding an object already existing in the local network It is also possible to conf...

Страница 799: ...red in the cache should stay there To determine this all objects in the cache are assigned one of various possible states Web and proxy servers find out the status of an object by adding headers to th...

Страница 800: ...d days to fill the cache The easiest way to determine the needed cache size is to consider the maximum transfer rate of the connection With a 1 Mbit s connection the maximum transfer rate is 125 KB s...

Страница 801: ...rk should be configured in a way that at least one name server and the Internet can be reached Problems can arise if a dial up connection is used with a dynamic DNS configuration In this case at least...

Страница 802: ...e deleted If Squid dies after a short period of time even though it was started successfully check whether there is a faulty name server entry or whether the etc resolv conf file is missing Squid logs...

Страница 803: ...he sysconfig variable MODIFY_NAMED_CONF_DYNAMICALLY to YES Static DNS With static DNS no automatic DNS adjustments take place while establishing a connection so there is no need to change any sysconfi...

Страница 804: ...on which Squid listens for client requests The default port is 3128 but 8080 is also common If desired specify several port numbers separated by blank spaces cache_peer hostname type proxy port icp po...

Страница 805: ...re_log var log squid store log These three entries specify the paths where Squid logs all its actions Normally nothing is changed here If Squid is experiencing a heavy usage burden it might make sense...

Страница 806: ...h as this change the minutes to seconds then after clicking Reload in the browser the dial up process should be reengaged after a few seconds never_direct allow acl_name To prevent Squid from taking r...

Страница 807: ...d above which can deny or allow access via deny or allow A list containing any number of http_access entries can be created processed from top to bottom and depending on which occurs first access is a...

Страница 808: ...QUIRED http_access allow password http_access deny all The REQUIRED after proxy_auth can be replaced with a list of permitted usernames or with the path to such a list ident_lookup_access allow acl_na...

Страница 809: ...t the existing clients should retain their old configuration In all these cases a transparent proxy may be used The principle is very easy the proxy intercepts and answers the requests of the Web brow...

Страница 810: ...NT eth0 Define ports and services see etc services on the firewall that are accessed from untrusted external networks such as the Internet In this example only Web services are offered to the outside...

Страница 811: ...l port to which these requests are sent and finally the port to which all these requests are redirected Because Squid supports protocols other than HTTP redirect requests from other ports to the proxy...

Страница 812: ...art to start Apache with the SUSE Linux Enterprise Server default settings The last step to set it up is to copy the file cachemgr cgi to the Apache directory cgi bin cp usr share doc packages squid s...

Страница 813: ...w manager webserver http_access deny manager Configure a password for the manager for access to more options like closing the cache remotely or viewing more information about the cache For this config...

Страница 814: ...ess to some listed or blacklisted Web servers or URLs for some users Block access to URLs matching a list of regular expressions or words for some users Redirect blocked URLs to an intelligent CGI bas...

Страница 815: ...d to set more than four processes because the allocation of these processes would consume an excessive amount of memory redirect_children 4 Last have Squid load the new configuration by running rcsqui...

Страница 816: ...SARG Squid Analysis Report Gener ator More information about this is available at http sarg sourceforge net 41 9 For More Information Visit the home page of Squid at http www squid cache org Here find...

Страница 817: ...Part V Security...

Страница 818: ......

Страница 819: ...modules for certification which offer basic management functions for digital X 509 certificates The following sections explain the basics of digital certi fication and how to use YaST to create and a...

Страница 820: ...tificates An infras tructure of this kind is generally referred to as a public key infrastructure or PKI One familiar PKI is the OpenPGP standard in which users publish their certificates them selves...

Страница 821: ...to be able to evaluate an extension if it is identified as critical If an application does not recognize a critical extension it must reject the certificate Some extensions are only useful for a spec...

Страница 822: ...list CRL These lists are supplied by the CA to public CRL distribution points CDPs at regular intervals The CDP can optionally be named as an extension in the certificate so a checker can fetch a cur...

Страница 823: ...ice page 661 Chapter 40 The Apache HTTP Server page 737 contains information about the HTTP server 42 1 5 Proprietary PKI YaST contains modules for the basic management of X 509 certificates This main...

Страница 824: ...hen setting up a PKI is to create a root CA Do the following 1 Start YaST and go to Security and Users CA Management 2 Click Create Root CA 3 Enter the basic data for the CA in the first dialog shown...

Страница 825: ...a sub CA or generating certificates The text fields have the following meaning Key Length Key Length contains a meaningful default and does not generally need to be changed unless an application cann...

Страница 826: ...A A sub CA is created in exactly the same way as a root CA Do the following 1 Start YaST and open the CA module 2 Select the required CA and click Enter CA NOTE The validity period for a sub CA must b...

Страница 827: ...creation of CRLs is described in Section 42 2 5 Creating CRLs page 813 7 Finish with Ok 42 2 3 Creating or Revoking User Certificates Creating client and server certificates is very similar to the on...

Страница 828: ...Start YaST and open the CA module 2 Select the required CA and click Enter CA 3 Enter the password if entering a CA for the first time YaST displays the CA key information in the Description tab 4 Cli...

Страница 829: ...s page 813 explains how to create CRLs Revoked certificates can be completely removed after publica tion in a CRL with Delete 42 2 4 Changing Default Values The previous sections explained how to crea...

Страница 830: ...Figure 42 4 YaST CA Module Extended Settings 5 Change the associated value on the right side and set or delete the critical setting with critical 6 Click Next to see a short summary 7 Finish your cha...

Страница 831: ...mary of the last CRL of this CA 4 Create a new CRL with Generate CRL if you have revoked new sub CAs or certificates since its creation 5 Specify the period of validity for the new CRL default 30 days...

Страница 832: ...T LDAP client the fields are already partly completed Otherwise enter all the data manually Entries are made in LDAP in a separate tree with the attribute caCertificate Exporting a Certificate to LDAP...

Страница 833: ...ilename The cer tificate is stored at the required location after you click OK TIP You can select any storage location in the file system This option can also be used to save CA objects on a transport...

Страница 834: ...tificate do the following 1 Start YaST and open Common Server Certificate under Security and Users 2 View the data for the current certificate in the description field after YaST has been started 3 Se...

Страница 835: ...3 1 Packet Filtering with iptables The components netfilter and iptables are responsible for the filtering and manipulation of network packets as well as for network address translation NAT The filter...

Страница 836: ...Paths Routing Routing in the local system Processes outgoing packet incoming packet filter nat mangle POSTROUTING PREROUTING nat mangle FORWARD mangle filter INPUT mangle filter OUTPUT nat mangle Thes...

Страница 837: ...f NAT network address translation It can be used to connect a small LAN where hosts use IP addresses from the private range see Section 30 1 2 Netmasks and Routing page 547 with the Internet where off...

Страница 838: ...ble so the entry cannot be used by another connection As a consequence of all this you might experience some problems with a number of application protocols such as ICQ cucme IRC DCC CTCP and FTP in P...

Страница 839: ...firewalling read the Firewall HOWTO included in the howto package If this package is installed read the HOWTO with less usr share doc howto en txt Firewall HOWTO gz 43 4 SuSEfirewall2 SuSEfirewall2 is...

Страница 840: ...ewall Configuration After the installation YaST automatically starts a firewall on all configured in terfaces If a server is configured and activated on the system YaST can modify the automatically ge...

Страница 841: ...etwork seem to be issued by the masquerading server when seen externally If special services of an internal machine need to be available to the external network add special redirect rules for the serv...

Страница 842: ...inked to the Internet For a modem connection enter ppp0 For an ISDN link use ippp0 DSL connections use dsl0 Specify auto to use the in terface that corresponds to the default route FW_DEV_INT firewall...

Страница 843: ...ake it available to the outside The services that use UDP include include DNS servers IPsec TFTP DHCP and others In that case enter the UDP ports to use FW_SERVICES_INT_TCP firewall With this variable...

Страница 844: ...of nessus resides in the directory usr share doc packages nessus core after installing the respective package 43 5 For More Information The most up to date information and other documentation about t...

Страница 845: ...e are other unprotected communication channels like the traditional FTP protocol and some remote copying programs The SSH suite provides the necessary protection by encrypting the authentication strin...

Страница 846: ...The program output is displayed on the local terminal of the host earth ssh otherplanet uptime mkdir tmp Password 1 21pm up 2 17 9 users load average 0 15 0 04 0 02 Quotation marks are necessary here...

Страница 847: ...running in the background listening for connections on TCP IP port 22 The daemon generates three key pairs when starting for the first time Each key pair consist of a private and a public key Therefo...

Страница 848: ...can decrypt the session key using its private keys see man usr share doc packages openssh RFC nroff This initial connection phase can be watched closely by turning on the verbose debugging option v o...

Страница 849: ...the example to the re mote machine and save it to ssh authorized_keys You will be asked to authenticate yourself with your passphrase the next time you establish a connection If this does not occur v...

Страница 850: ...c ssh sshd_config or the user s ssh config ssh can also be used to redirect TCP IP connections In the examples below SSH is told to redirect the SMTP and the POP3 port respectively ssh L 25 sun 25 ear...

Страница 851: ...e that no one can take the identity of someone else Make sure that each network server also proves its identity Otherwise an attacker might be able to impersonate the server and obtain sensitive infor...

Страница 852: ...which it is re questing a service An authenticator can only be used once unlike a ticket A client can build an authenticator itself principal A Kerberos principal is a unique entity a user or service...

Страница 853: ...and ticket granting server on a dedicated machine Make sure that only the administrator can access this machine physically and over the network Reduce the networking services run on it to the absolute...

Страница 854: ...authenticator An authenticator consists of the following components The client s principal The client s IP address The current time A checksum chosen by the client All this information is encrypted u...

Страница 855: ...plements a mecha nism to obtain tickets for individual servers This service is called the ticket granting service The ticket granting service is a service just like any other service mentioned before...

Страница 856: ...Ideally a user s one and only contact with Kerberos happens during login at the work station The login process includes obtaining a ticket granting ticket At logout a user s Kerberos tickets are autom...

Страница 857: ...twork applications in Kerberos V5 UNIX User s Guide at http web mit edu kerberos 45 4 For More Information The official site of the MIT Kerberos is http web mit edu kerberos There find links to any ot...

Страница 858: ......

Страница 859: ...It is also a good idea to use your DNS domain name or a subdomain such as ACCOUNTING FOOBAR COM As shown below your life as an administrator can be much easier if you configure your Kerberos clients...

Страница 860: ...as a locked server room to which only a very few people have access 2 Do not run any network applications on it except the KDC This includes servers and clients for example the KDC should not import a...

Страница 861: ...with a central time source A simple way to do so is by installing an NTP time server on one machine and having all clients synchronize their clocks with this server Do this either by running an NTP d...

Страница 862: ...rators You need at least one administrative principal to run and administer Kerberos This principal must be added before starting the KDC 6 Start the Kerberos Daemon Once the KDC software is installed...

Страница 863: ...Password It is important that you NOT FORGET this password Enter KDC database master key Type the master password Re enter KDC database master key to verify Type it again To verify that it did anythin...

Страница 864: ...ation in the etc krb5 conf file or dynamic configuration with DNS With DNS configuration Kerberos applications try to locate the KDC services using DNS records With static configuration add the hostna...

Страница 865: ...ction Also add a statement to this file that tells applications how to map hostnames to a realm For example when connecting to a remote host the Kerberos library needs to know in which realm this host...

Страница 866: ...obably do not need any of this so it is okay to set these to zero MIT Kerberos currently looks up the following names when looking for services _kerberos This defines the location of the KDC daemon th...

Страница 867: ...with YaST As an alternative to the manual configuration described above use YaST to configure a Kerberos client Proceed as follows 1 Log in as root and select Network Services Kerberos Client 2 Select...

Страница 868: ...hosts select For wardable Enable the transfer of certain tickets by selecting Proxiable Keep tickets available with a PAM module even after a session has ended by en abling Retained Enable Kerberos a...

Страница 869: ...igure 46 2 YaST Advanced Configuration of a Kerberos Client 46 7 Remote Kerberos Administration To be able to add and remove principals from the Kerberos database without accessing the KDC s console d...

Страница 870: ...ave The list shown above is the full set of privileges As an example modify the principal newbie kadmin p newbie admin Authenticating as principal newbie admin EXAMPLE COM with password Password for n...

Страница 871: ...ros www krb5 1 4 krb5 1 4 doc krb5 admin html Kadmin 20Options or look at man 8 kadmin 46 8 Creating Kerberos Host Principals In addition to making sure every machine on your network knows which Kerbe...

Страница 872: ...licy specified for host test example com EXAMPLE COM defaulting to no policy Principal host test example com EXAMPLE COM created Instead of setting a password for the new principal the randkey flag te...

Страница 873: ...e_krb5 password use_krb5 nullok session none After that all programs evaluating the entries in this file use Kerberos for user authen tication For a user that does not have a Kerberos principal pam_un...

Страница 874: ...for protocol version 1 KerberosAuthentication yes KerberosTicketCleanup yes These are for version 2 better to use this GSSAPIAuthentication yes GSSAPICleanupCredentials yes Then restart your SSH daem...

Страница 875: ...LDAP server create a principal ldap earth example com and add that to the keytab By default the LDAP server slapd runs as user and group ldap while the keytab file is readable by root only Therefore e...

Страница 876: ...to use a different keytab file change the following variable in etc sysconfig openldap OPENLDAP_KRB5_KEYTAB etc openldap ldap keytab Finally restart the LDAP server using rcldap restart 46 11 1 Using...

Страница 877: ...er to modify the login shell attribute of their LDAP user record Assuming you have a schema where the LDAP entry of user joe is located at uid joe ou people dc example dc com set up the following acce...

Страница 878: ...ured it checks the DN formed from the SASL information using the first argument as a regular expression If this regular expression matches the name is replaced with the second argument of the authz re...

Страница 879: ...ing installation or in an already installed system See Section 47 1 1 Creating an Encrypted Partition during In stallation page 863 and Section 47 1 2 Creating an Encrypted Partition on a Running Syst...

Страница 880: ...it However encrypted media is useful for cases such as loss or theft of your computer or to prevent unauthorized individuals from reading your confidential data 47 1 Setting Up an Encrypted File Syst...

Страница 881: ...ot to mount during boot the operating system requests the password while booting before mounting the partition The partition is available to all users once it has been mounted To skip mounting the enc...

Страница 882: ...on page 863 47 1 3 Creating an Encrypted File as a Container Instead of using a partition it is possible to create an encrypted file of a certain size that can then hold other files or folders contain...

Страница 883: ...han FAT change the ownership explicitly for users other than root to read or write files on the device 47 2 Using Encrypted Home Directories To protect data in home directories against theft and hard...

Страница 884: ...s YaST offers you can use the cryptconfig command line tool for some special tasks For example as a safety for users that may lose their key files you can create and add an additional key to the image...

Страница 885: ...encrypted mode Use vi x filename to edit a new file vi prompts you to set a password after which it encrypts the content of the file Whenever you access this file vi requests the correct password For...

Страница 886: ......

Страница 887: ...e With Novell AppArmor you only need to profile the programs that are exposed to attack in your environment which drastically reduces the amount of work required to harden your computer AppArmor profi...

Страница 888: ...r this kind of behavior This guide outlines the basic tasks that need to be performed with AppArmor to effec tively harden a system For more in depth information refer to Novell AppArmor Ad ministrati...

Страница 889: ...ed as follows 1 Log in as root and start YaST 2 Select System System Services Runlevel 3 Select Expert Mode 4 Select boot apparmor and click Set Reset Disable the service 5 Exit the YaST Runlevel tool...

Страница 890: ...es or you need to react to security events logged by AppArmor s reporting tool Refer to Section 48 3 4 Updating Your Profiles page 878 48 3 1 Choosing the Applications to Profile You only need to prot...

Страница 891: ...o Section 1 2 Determining Programs to Immunize Chapter 1 Immunizing Programs Novell AppArmor Administration Guide 48 3 2 Building and Modifying Profiles Novell AppArmor on SUSE Linux Enterprise ships...

Страница 892: ...file is completed AppArmor scans the logs it recorded during the application s run and asks you to set the access rights for each event that was logged Either set them for each file or use globbing 4...

Страница 893: ...talled and auditd is running AppArmor events are logged as follows type APPARMOR msg audit 1140325305 502 1407 REJECTING w access to usr lib firefox update test firefox bin 9469 profile usr lib firefo...

Страница 894: ...rity level This feature is currently available in the YaST interface To set up event notification in YaST proceed as follows 1 Make sure that a mail server is running on your system to deliver the eve...

Страница 895: ...on frequency e mail address export format and location of the reports by selecting Edit and providing the requested data 4 To run a report of the selected type click Run Now 5 Browse through the archi...

Страница 896: ...ofile Wizard To update your profile set proceed as follows 1 Log in as root and start YaST 2 Start Novell AppArmor Update Profile Wizard 3 Adjust access or execute rights to any resource or for any ex...

Страница 897: ...teed Data security was already an important issue even before computers could be linked through networks Just like today the most im portant concern was the ability to keep data available in spite of...

Страница 898: ...own bits and pieces to win the confidence of that person by using clever rhetoric The victim could be led to reveal gradually more information maybe without even becoming aware of it Among hackers thi...

Страница 899: ...s or the identity of another This is a general rule to be observed but it is especially true for the user root who holds the supreme power on the system root can take on the identity of any other loca...

Страница 900: ...e following safe password TNotRbUE9 In contrast passwords like beerbud dy or jasmine76 are easily guessed even by someone who has only some casual knowledge about you 49 1 3 The Boot Procedure Configu...

Страница 901: ...es or for files the setuser ID bit programs with the setuser ID bit set do not run with the permissions of the user that has launched it but with the permissions of the file owner in most cases root A...

Страница 902: ...d over a network link Accordingly buffer overflows and format string bugs should be classified as being relevant for both local and network security 49 1 6 Viruses Contrary to what some people say the...

Страница 903: ...s feature in an impressive way With X it is basically no problem to log in at a remote host and start a graphical program that is then sent over the network to be displayed on your computer When an X...

Страница 904: ...X server on the server side and setting a DISPLAY variable for the shell on the remote host Further details about SSH can be found in Chapter 44 SSH Secure Network Op erations page 827 WARNING If you...

Страница 905: ...niffing TCP connection hijacking spoofing and DNS poisoning 49 1 11 Man in the Middle Sniffing Hijacking Spoofing In general any remote attack performed by an attacker who puts himself between the com...

Страница 906: ...r hostnames The attacker needs a good understanding of the actual structure of the trust relationships among hosts to disguise itself as one of the trusted hosts Usually the attacker analyzes some pac...

Страница 907: ...us com is one of the best known security mailing lists worldwide Reading this list which receives between 15 and 20 postings per day is recommended More information can be found at http www securityfo...

Страница 908: ...a host without the explicit approval of the administrator Finally remember that it is important not only to scan TCP ports but also UDP ports options sS and sU To monitor the integrity of the files o...

Страница 909: ...cess Use SuSEfirewall to enhance the security provided by tcpd tcp_wrapper Design your security measures to be redundant a message seen twice is much better than no message at all 49 3 Using the Centr...

Страница 910: ......

Страница 911: ...Part VI Troubleshooting...

Страница 912: ......

Страница 913: ...elp Center page 896 is displayed The dialog window consists of three main areas Menu Bar and Toolbar The menu bar provides the main editing navigation and configuration options File contains the optio...

Страница 914: ...ook icons to open and browse the individual categories View Window The view window always displays the currently selected contents such as online manuals search results or Web pages Figure 50 1 The Ma...

Страница 915: ...once a search index has been generated 50 1 2 The Search Function To search all installed information sources of SUSE Linux Enterprise generate a search index and set a number of search parameters To...

Страница 916: ...for determining the selection area Default A predefined selection of sources is searched All All sources are searched None No sources selected for the search Custom Determine the sources to search by...

Страница 917: ...ually found in dev 4 File formats and conventions etc fstab 5 Games 6 Miscellaneous including macro packages and conventions for example man 7 groff 7 7 System administration commands usually only for...

Страница 918: ...ion Project The Linux Documentation Project TLDP is run by a team of volunteers who write Linux and Linux related documentation see http www tldp org The set of documents contains tutorials for beginn...

Страница 919: ...e provide HTML and PDF versions of our books in different languages The PDF file is available on the DVD in the direc tory docu For HTML install the package opensuse manual_LANG replace LANG with your...

Страница 920: ...ackage Usually also a link to a Bugzilla Web page where you can search all bugs CHANGES ChangeLog Summary of changes from version to version Usually interesting for developers because it is very detai...

Страница 921: ...s and exchanges articles with them Not all news groups may be available on your news server Interesting newsgroups for Linux users are comp os linux apps comp os linux questions and comp os linux hard...

Страница 922: ...ree of charge There are six types of RFC proposed standards draft standards Internet standards experimental protocols information documents and historic standards Only the first three proposed draft a...

Страница 923: ...cturers consumers trade professionals service companies scientists and others who have an interest in the establishment of standards The standards are subject to a fee and can be ordered using the DIN...

Страница 924: ......

Страница 925: ...are several places to look when you have problems with your system most of which are standard to Linux systems in gen eral and some of which are peculiar to SUSE Linux Enterprise systems Most log fil...

Страница 926: ...All messages from the kernel and system log daemon assigned WARNING level or higher var log warn Binary file containing user login records for the current machine session View it with last var log wt...

Страница 927: ...l modules proc modules This displays devices currently mounted proc mounts This shows the partitioning of all hard disks proc partitions This displays the current version of Linux proc version Linux c...

Страница 928: ...heck the MD5 checksum of the medium This may take several minutes If errors are detected do not use this medium for installation 51 2 2 Hardware Information Display detected hardware and technical dat...

Страница 929: ...NUX enables the selection of a kernel during the boot procedure and the specification of any parameters needed for the hardware used The program linuxrc supports the loading of kernel modules for your...

Страница 930: ...to read the boot image on CD 1 In this case use CD 2 to boot the system CD 2 contains a conventional 2 88 MB boot image that can be read even by unsupported drives and allows you to perform the insta...

Страница 931: ...en set to something like C A or A C In the former case the ma chine first searches the hard disk C then the floppy drive A to find a bootable medium Change the settings by pressing PgUp or PgDown unti...

Страница 932: ...type of hardware is missing from the installation kernel or due to certain functionality included in this kernel such as ACPI that still cause problems on some hardware If your system fails to install...

Страница 933: ...boot prompt prior to booting for installation acpi off This parameter disables the complete ACPI subsystem on your computer This may be useful if your computer cannot handle ACPI at all or if you thi...

Страница 934: ...alogs Select Text Mode for installation Do a remote installation via VNC using the graphical installer To change to another screen resolution for installation proceed as follows 1 Boot for installatio...

Страница 935: ...e 5801 A dialog opens in the browser window prompting you for the VNC password Enter it and proceed with the installation as described in Chapter 3 Installation with YaST page 17 IMPORTANT Installatio...

Страница 936: ...n Section 51 2 5 Fails to Boot page 914 To launch the installation process press Enter Screen Resolutions Use the F keys to determine the screen resolution for installation If you need to boot in text...

Страница 937: ...as not enabled your system might install properly but fail to boot when access to the hard disk is required 51 3 2 No Graphical Login If the machine comes up but does not boot into the graphical login...

Страница 938: ...ed in on the console If that does not work it should log errors to the console For more information about the X Window system configuration refer to Chapter 26 The X Window System page 481 51 4 Login...

Страница 939: ...ring of directives For additional background information about PAM and the syntax of the configu ration files involved refer to Chapter 27 Authentication with PAM page 495 In all cases that do not inv...

Страница 940: ...sful the blame cannot be put on PAM because it is possible to authenticate this user on this machine Try to locate any problems with the X Window System or the desktop GNOME or KDE For more informatio...

Страница 941: ...to log in to that host The machine cannot reach the authentication server or directory server that contains that user s information There might be problems with the X Window System authenticating this...

Страница 942: ...y to start an X session on another display the first one 0 is already in use startx 1 This should bring up a graphical screen and your desktop If it does not check the log files of the X Window System...

Страница 943: ...s causes the login problems attempt to recover only the critical application data and reconfigure the remainder of the applications 51 4 4 Login Successful but KDE Desktop Fails There are several reas...

Страница 944: ...text console by pressing Ctrl Alt F1 2 Log in with your username 3 Move the KDE configuration directory and the skel files to a temporary loca tion mv kde kde ORIG RECOVER mv skel skel ORIG RECOVER 4...

Страница 945: ...network servers needed in your setup Either look them up in the appropriate YaST module or ask your system administrator The following list gives some of the typical net work servers involved in a set...

Страница 946: ...ether the network servers are running and whether your network setup allows you to establish a connection IMPORTANT The debugging procedure described below only applies to a simple net work server cli...

Страница 947: ...ing If the host command fails check all network configura tion files relating to name and address resolution on your host etc resolv conf This file is used to keep track of the name server and domain...

Страница 948: ...Make sure that both inet address and Mask are configured correctly An error in the IP address or a missing bit in your network mask would render your network configuration unusable If necessary perfor...

Страница 949: ...ata Problems Data problems are when the machine might or might not boot properly but in either case it is clear that there is data corruption on the system and that the system needs to be recovered Th...

Страница 950: ...entire hard disk areas Current ly this option only applies to the Ext2 file system 2f Finally set the search constraints to exclude certain system areas from the backup area that do not need to be ba...

Страница 951: ...CD Then click Next The following dialog displays a summary of the archive properties such as the filename date of creation type of backup and optional comments 3 Review the archived content by clickin...

Страница 952: ...system is to blame for the failure use Automatic Repair An ex tensive automated check will be performed on all components of your installed system For a detailed description of this procedure refer to...

Страница 953: ...ext 6 In System Analysis select Other Repair Installed System 7 Select Automatic Repair YaST now launches an extensive analysis of the installed system The progress of the procedure is displayed at th...

Страница 954: ...sake of a higher system repair speed File Systems All detected file systems are subjected to a file system specific check Entries in the File etc fstab The entries in the file are checked for complet...

Страница 955: ...oots Customized Repair To launch the Customized Repair mode and selectively check certain components of your installed system proceed as follows 1 Insert the first installation medium of SUSE Linux En...

Страница 956: ...have a very clear idea of what needs to be repaired in your system directly apply the tools skipping the system analysis To make use of the Expert Tools feature of the YaST System Repair module procee...

Страница 957: ...le cases Save System Settings to Floppy This option saves important system files to a floppy disk If one of these files become damaged it can be restored from disk Verify Installed Software This check...

Страница 958: ...tallation 1 Enter the configuration of your PXE boot setup and replace install protocol instsource with rescue protocol instsource As with a normal installation protocol stands for any of the supporte...

Страница 959: ...ted under mnt 3 Change the directory to the mounted root file system cd mnt 4 Open the problematic configuration file in the vi editor Adjust and save the configuration 5 Unmount the root file system...

Страница 960: ...ent based on the installed system proceed as fol lows 1 First mount the root partition from the installed system and the device file system mount dev sda6 mnt mount bind dev mnt dev 2 Now you can chan...

Страница 961: ...cause the boot loader configuration is corrupted The start up routines cannot for example translate physical drives to the actual locations in the Linux file system without a working boot loader To ch...

Страница 962: ...am can be executed to update the IPL record 51 7 1 IPLing the Rescue System IMPORTANT Making the Installation Data Available For this method to work the SUSE Linux Enterprise Server for IBM System z i...

Страница 963: ...ing DASDs 1 Configure DASDs with the following command dasd_configure 0 0 0150 1 0 0 0 0150 is the channel to which the DASD is connected The 1 means activate the disk a 0 at this place would deactiva...

Страница 964: ...root device is on the second partition of the DASD device dev dasda2 the corresponding command is mount dev dasda2 mnt IMPORTANT File System Consistency If the installed system has not been shut down...

Страница 965: ...ing Kernel Image boot kernel image located at 0x00010000 adding Ramdisk boot initrd located at 0x00800000 adding Parmline boot zipl parmfile located at 0x00001000 Bootloader for ECKD type devices with...

Страница 966: ...the rescue system with the halt command The SUSE Linux Enterprise Server system can now be IPLed as described in Section 3 10 1 IBM System z IPLing the Installed System page 30 948 Installation and Ad...

Страница 967: ...talling 738 modules 756 764 available 758 building 763 external 762 installing 757 multiprocessing 761 quick start 737 security 772 Squid 794 SSL 766 772 configure Apache with SSL 771 creating an SSL...

Страница 968: ...53 du 354 file 352 find 352 fonts config 489 free 355 412 getfacl 287 grep 352 grub 388 gzip 343 350 halt 357 help 334 ifconfig 593 ip 590 kadmin 845 kill 355 killall 356 kinit 852 ktadd 854 ldapadd 6...

Страница 969: ...nf 621 631 784 network 584 networks 586 nscd conf 590 nsswitch conf 588 682 openldap 857 pam_unix2 conf 682 855 passwd 204 permissions 890 powersave 507 powersave conf 221 profile 407 411 417 resolv c...

Страница 970: ...tem services 164 T DSL 576 time zone 158 users 167 wireless cards 159 ZFCP 144 consoles assigning 414 graphical 404 switching 414 core files 411 cp 348 cpuspeed 515 cron 408 CVS 726 730 733 D date 355...

Страница 971: ...reter 154 permission denied 154 F file 352 file servers 164 file systems 469 479 ACLs 281 293 changing 153 cryptofs 861 encrypting 861 Ext2 471 472 Ext3 472 473 LFS 477 limitations 477 OCFS2 267 280 4...

Страница 972: ...5 uninstalling 402 gunzip 343 gzip 343 350 H halt 357 hard disks DMA 142 hardware DASD 143 graphics cards 186 hard disk controllers 142 information 142 910 ISDN 570 monitor 186 ZFCP 144 help 895 898 b...

Страница 973: ...clock synchronization 843 configuring clients 846 848 credentials 834 installing 841 860 KDC 842 846 administering 851 nsswitch conf 842 starting 846 keytab 854 LDAP and 857 860 master key 844 PAM su...

Страница 974: ...haring files with another OS 695 uninstalling 402 linuxrc manual installation 219 ln 348 local APIC disabling 20 localization 415 locate 351 410 log files 174 409 boot msg 178 507 messages 178 621 825...

Страница 975: ...ounting 713 servers 164 715 NIS 653 660 clients 164 659 masters 653 659 servers 164 slaves 653 659 nslookup 356 NSS 588 databases 588 NTP client 164 O OpenLDAP see LDAP OpenSSH see SSH OpenWBEM 227 25...

Страница 976: ...nfiguring 516 printing 435 command line 447 configuration with YaST 439 local printers 439 network printers 444 CUPS 446 GDI printers 452 kprinter 446 network 454 Samba 696 troubleshooting network 454...

Страница 977: ...inters 696 printing 704 security 703 server 696 servers 166 697 703 shares 696 701 SMB 695 starting 697 stopping 697 swat 699 TCP IP and 695 SaX2 display device 187 display settings 186 dual head 188...

Страница 978: ...nqueror 600 providing services 601 registering services 601 slptool 600 SMB see Samba smpd 695 soft RAID see RAID software compiling 303 installing 127 134 removing 127 134 sound configuring in YaST 1...

Страница 979: ...CP IP 543 ICMP 544 IGMP 544 layer model 544 packets 545 546 TCP 544 UDP 544 telnet 356 time zones 158 TLDP 900 top 355 Tripwire replaced by AIDE 219 U ulimit 411 options 411 umount 354 uninstalling GR...

Страница 980: ...03 principles 801 repository 805 revocation list 804 YaST 801 X Org 481 Xft 490 xinetd 164 XKB see keyboard XKB xorg conf color depth 485 Depth 485 Device 486 Display 485 Files 483 InputDevice 483 Mod...

Страница 981: ...k card 560 network configuration 33 159 167 NFS clients 163 NFS server 164 NIS clients 659 Novell AppArmor 167 Novell Customer Center 136 NTP client 164 online update 136 138 partitioning 27 149 PCI d...

Страница 982: ...09 certification 801 certificates 809 changing default values 811 creating CRLs 813 exporting CA objects as a file 815 exporting CA objects to LDAP 813 importing general server certificates 815 root C...

Отзывы:

Нет отзывов

Бренды по названию

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Популярные бренды

Загрузить еще бренды