manualshive.com logo in svg

Novell OPEN ENTERPRISE SERVER 2 SP2 - ADMINISTRATION, Руководство по внедрению, Страница: 267 / 288

Поделиться
Скачать
Novell OPEN ENTERPRISE SERVER 2 SP2 - ADMINISTRATION Скачать руководство пользователя страница 267

System User and Group Management in OES 2 SP2

267

n

ov

do

cx (e

n)

  22
 Ju

n

e 20
09

Further investigation revealed that the administrator credentials had been used to install OES 2 on 
multiple servers, and by default the credentials were therefore also used as the proxy user credentials 
for some of the OES services. Consequently, the credentials were stored in CASA for use when the 
OES services came up. 

Because the Admin password had changed, the CASA credentials had expired and service 
authentication requests were failing, resulting in the intruder detection lockout.

I.3.2  Proxy User Impacts on User Connection Licenses

From a licensing standpoint, each proxy user counts as a user on the OES network and consumes 
one user connection license.

It is not unreasonable to expect that the OES servers you install could average five to six proxy users 
a piece, meaning that an organization that has three to five OES servers installed with the default 
settings, can expect that 15 to 30 of its user connection licenses might be taken by proxy users. 

For large organizations with hundreds of servers, the user connections consumed by default 
installations would be substantial. Therefore, large organizations are especially interested in 
methods for limiting the number of proxy users on their network.  

I.3.3  Limiting the Number of Proxy Users in Your Tree

Table I-6

 outlines various options for limiting the number of proxy users in your tree and 

summarizes the licensing, security, and manageability considerations of each approach.

Table I-6   

Options for Limiting the Number of Proxy Users

Approach

Licensing Impact

Security Considerations

Manageability Considerations

Per Service per 
Server (default)

One for each 
service on each 
server

For AFP, CIFS, iFolder 3, NSS, 
and Samba this is the most 
secure option. Passwords for 
these are system-generated 
and not known by anyone. 

For LUM there is no option to 
have a system-generated 
password.

For DNS, DHCP, and 
NetStorage, the install admin’s 
credentials are used by default. 
This has separate security 
implications as outlined in 

“Avoid Assigning an Admin 
User As a Proxy User” on 
page 266

.

This approach requires no proxy 
user planning. 

Services are installed at the same 
time as the OES server.

This is a good option for small 
organizations or installations 
where only a few services are 
used.

This is not a good option if 
security policies dictate that all 
passwords must be reset 
periodically.

Содержание OPEN ENTERPRISE SERVER 2 SP2 - ADMINISTRATION

Страница 1: ...Novell www novell com novdocx en 22 June 2009 AUTHORIZED DOCUMENTATION OES 2 SP2 Planning and Implementation Guide Open Enterprise Server 2 SP2 November 10 2009 Planning and Implementation Guide...

Страница 2: ...t or re export to entities on the current U S export exclusion lists or to any embargoed or terrorist countries as specified in the U S export laws You agree to not use deliverables for prohibited nuc...

Страница 3: ...Trademarks For Novell trademarks see the Novell Trademark and Service Mark list http www novell com company legal trademarks tmlist html Third Party Materials All third party trademarks are the prope...

Страница 4: ...4 OES 2 SP2 Planning and Implementation Guide novdocx en 22 June 2009...

Страница 5: ...23 1 5 2 OES 2 Migration Tools 23 1 5 3 Xen Virtualization Technology 23 2 Welcome to Open Enterprise Server 2 25 3 Planning Your OES 2 Implementation 27 3 1 What Services Are Included in OES 2 27 3 2...

Страница 6: ...Getting and Preparing OES 2 Software 53 4 1 Do You Have Upgrade Protection 53 4 2 Do You Want 32 Bit or 64 Bit OES 53 4 3 Do You Want to Purchase OES 2 or Evaluate It 54 4 4 Evaluating OES 2 Software...

Страница 7: ...te Support 69 6 12 Novell tomcat Is for OES Use Only 70 6 13 NSS OES 2 70 6 13 1 Understanding Name Space Support 70 6 13 2 The Role of EVMS 70 6 14 OpenLDAP on OES 2 71 6 15 Samba 71 6 16 Virtualizat...

Страница 8: ...nd Migration of Time Synchronization Services 108 12 3 4 Implementing Time Synchronization 110 12 3 5 Configuring and Administering Time Synchronization 111 12 3 6 Daylight Saving Time 112 12 4 Discov...

Страница 9: ...4 3 Implementing DSfW on Your Network 146 15 Users and Groups 149 15 1 Creating Users and Groups 149 15 2 Linux User Management Access to Linux for eDirectory Users 149 15 2 1 Overview 150 15 2 2 Plan...

Страница 10: ...uring FTP 199 17 5 2 Path Formats 199 17 5 3 SITE Command 200 17 6 NCP Implementation and Maintenance 200 17 6 1 The Default NCP Volume 201 17 6 2 Creating NCP Home and Data Volume Pointers 201 17 6 3...

Страница 11: ...Auditing 217 21 1 3 Encryption NICI 218 21 1 4 General Security Issues 219 21 2 Planning for Security 219 21 2 1 Comparing the Linux and the Novell Trustee File Security Models 219 21 2 2 User Restric...

Страница 12: ...pport 249 G Client Workstation OS Support 251 H OES 2 Service Scripts 253 I System User and Group Management in OES 2 SP2 257 I 1 About System Users and Groups 257 I 1 1 Types of OES System Users and...

Страница 13: ...Tree with a Mix of File Access Services and Users from across the Tree 281 K 3 2 Example 2 Mutually Exclusive Users 282 K 4 Deployment Guidelines for Different Servers and Deployment Scenarios 283 K 4...

Страница 14: ...14 OES 2 SP2 Planning and Implementation Guide novdocx en 22 June 2009...

Страница 15: ...ion or go to www novell com documentation feedback html and enter your comments there Documentation Updates Changes to this guide are summarized in a Documentation Updates appendix at the end of this...

Страница 16: ...less otherwise indicated In this documentation a greater than symbol is used to separate actions within a step and items within a cross reference path A trademark symbol TM etc denotes a Novell tradem...

Страница 17: ...es in This Guide and Elsewhere Because many organizations are transitioning their network services from NetWare to OES information to assist with upgrading from NetWare to OES 2 is included in this gu...

Страница 18: ...sta Administration Guide Novell Cluster ServicesTM High Availability Administration Guide Novell iFolder 3 8 Administration Guide User Guide Novell Remote Manager Administration Guide Novell Storage S...

Страница 19: ...20 1 3 1 Auditing OES 2 SP2 includes support for third party developers to create auditing products For more information see Section 21 1 2 Auditing on page 217 1 3 2 Base Platform Is SLES 10 SP3 With...

Страница 20: ...ith an unmodified OES 2 SP2 node their CPL settings will conflict and one of the nodes must be modified For more information about cross protocol locking see Configuring Cross Protocol File Locks for...

Страница 21: ...users no LUM required Cross protocol file locking with NCPTM Novell AFP also offers the following features not available for NetWare DHX authentication mechanism Provides a secure way to transport pa...

Страница 22: ...sing Samba shares NTFS files on Windows servers that use CIFS shares Shares in trusted Active Directory forests For more information see the OES 2 SP2 Domain Services for Windows Administration Guide...

Страница 23: ...Storage and File Systems on page 123 and the OES 2 SP2 Dynamic Storage Technology Administration Guide 1 5 2 OES 2 Migration Tools In addition to the legacy Server Consolidation and Migration Toolkit...

Страница 24: ...24 OES 2 SP2 Planning and Implementation Guide novdocx en 22 June 2009...

Страница 25: ...1 OES 2 Overview NOTE For a list of OES 2 services see Table 3 1 Service Comparison Between NetWare 6 5 SP8 and OES 2 SP2 Linux on page 27 is running on OES 2 AFP Backup SMS Clustering High Availabili...

Страница 26: ...26 OES 2 SP2 Planning and Implementation Guide novdocx en 22 June 2009...

Страница 27: ...Caveats to Consider Before You Install on page 36 Section 3 10 Consider Coexistence and Migration Issues on page 48 Section 3 11 Understand Your Installation Options on page 49 3 1 What Services Are...

Страница 28: ...dows File Services Yes NFAP Yes Novell CIFS and Novell Samba Both NFAP and Novell CIFS are Novell proprietary and tightly integrated with eDirectory and Novell Storage Services NSS Samba is an open so...

Страница 29: ...Yes DST runs on OES 2 An NSS volume on NetWare is supported only as the secondary volume in a shadow pair When using DST in a cluster each of the NSS volumes in a shadow pair must reside on OES 2 DST...

Страница 30: ...does not support eDirectory access controls like the NetWare target does Nor is the iSCSI initiator or target in OES 2 integrated with NetWare Remote Manager management You use YaST management tools...

Страница 31: ...NetWare Traditional File System to Linux NetWare Traditional Volumes Yes N A NFS Yes NFAP Yes native to Linux For NetWare see Working with UNIX Machines in the NW 6 5 SP8 AFP CIFS and NFS NFAP Adminis...

Страница 32: ...ource product Linux includes the open source product itself See Functions Unique to the NetWare Platform in the NW 6 5 SP8 OpenSSH Administration Guide PAM Pluggable Authentication Modules No Yes PAM...

Страница 33: ...ation edir87 edir87 data a2iiimc html NetWare uses Novell SLP which provides caching of Directory Agent scope information in eDirectory This provides for sharing of scope information among DAs Novell...

Страница 34: ...nto the tree The first server is important for two reasons You create the basic eDirectory tree structure during the first installation The first server permanently hosts the Certificate Authority for...

Страница 35: ...l as Group and User objects in eDirectory 3 5 Prepare Your Existing eDirectory Tree for OES 2 If you are installing OES 2 into an existing tree you must use Deployment Manager located on the NetWare 6...

Страница 36: ...ection 3 9 2 AFP File Locking Requires Samba on page 37 Section 3 9 3 Always Double Check Service Configurations Before Installing on page 37 Section 3 9 4 Back Button Doesn t Reset Configuration Sett...

Страница 37: ...e explained in Section 3 9 4 Back Button Doesn t Reset Configuration Settings on page 37 and 3 9 4 Back Button Doesn t Reset Configuration Settings During an installation after you configure eDirector...

Страница 38: ...nly NSS pool cluster resources that are created on a NetWare cluster node can be failed over between Linux and NetWare nodes NetWare NSS to Linux NSS failover requires that the Linux node be configure...

Страница 39: ...ystem User and Group Management in OES 2 SP2 on page 257 However as OES has evolved some initially defined conventions regarding system Users have needed adjustment Be sure to read the information and...

Страница 40: ...ier UIDs and GID on subsequently installed servers didn t match the XTier UIDs and GID in eDirectory NetStorage couldn t access the NSS volumes on the server The OES 1 Solution The nssid sh Script To...

Страница 41: ...ipt reads server myserver context This is the context of the XTier user and group objects Replace this variable with the fully distinguished name of the context where the objects reside For example if...

Страница 42: ...ing iFolder Server This is especially critical if you plan to use NSS for your iFolder 3 8 data volume 3 9 11 Incompatible TLS Configurations Give No Warning When you install a new eDirectory tree the...

Страница 43: ...already running eDirectory eDirectory must be installed in conjunction with the installation of OES services Be Sure That eDirectory Is Healthy Review and follow the guidelines in Keeping eDirectory...

Страница 44: ...OES servers If you have configured Role Based Services you need to make sure the licensing plug in is installed and added to the RBS collection For more information see Upgrading iManager in the Novel...

Страница 45: ...For example by default the tree Admin user and the server are installed in the same context Some administrators when they discover that the tree structure doesn t meet their needs assume they can rect...

Страница 46: ...providing file services to CIFS or SMB clients Xen Virtual Machine Host Server Novell Archive and Version Services Novell Domain Services for Windows DSfW Xen Virtual Machine Host Server Novell Backup...

Страница 47: ...ces for Windows Xen Virtual Machine Host Server Novell iManager Xen Virtual Machine Host Server Novell iPrint Print Server CUPS CUPS components are actually installed but CUPS printing is disabled For...

Страница 48: ...ur approach to implementing OES 2 In some cases there are specific paths to follow so that the OES 2 integration process is as smooth as possible Novell Samba File Server Samba Novell CIFS Novell Doma...

Страница 49: ...Installation Options Before installing OES you should be aware of the information in the following sections Section 3 11 1 OES 2 Installation Overview on page 49 Section 3 11 2 About Your Installatio...

Страница 50: ...he ISO files or physical media from a Novell Authorized Reseller Decide whether to install from files on the network or directly from physical media Network install path Physical media install path Cr...

Страница 51: ...options For more information see Installing Upgrading or Updating OES on a Xen based VM in the OES 2 SP2 Installation Guide Installing and Managing NetWare on a Xen based VM in the OES 2 SP2 Installa...

Страница 52: ...NSS on a Single Drive Linux Server Many are interested in Novell Storage Services NSS running on Linux If you plan to experiment with NSS on a single drive server be sure to follow the instructions in...

Страница 53: ...de protection expires After your protection expires the OES 2 upgrade link disappears from your account page For more information and to start the upgrade process do the following 1 Using your Novell...

Страница 54: ...u haven t already done so be sure to review the information in Section 3 11 Understand Your Installation Options on page 49 and then skip to Chapter 5 Installing OES 2 on page 59 4 4 Evaluating OES 2...

Страница 55: ...ave OES 2 SP2 product media CDs and DVDs skip to Section 4 4 4 Installing OES 2 for Evaluation Purposes on page 56 To download ISO image files from the Web 1 If you don t already have a Novell account...

Страница 56: ...s against the list you printed in Step 15 For example on a Linux system you can enter the following command md5sum filename where filename is the name of the iso file you are verifying For a Windows s...

Страница 57: ...ou will follow to fully leverage its network services 4 4 6 Installing Purchased Activation Codes after the Evaluation Period Expires After purchasing Open Enterprise Server use the instructions in Re...

Страница 58: ...ensing eula oes oes_2_english pdf on the Web After installing OES 2 you can use Novell iManager to install and manage license certificates in your eDirectory tree and to monitor NetWare usage You can...

Страница 59: ...aring to Install OES 2 SP2 Installing OES 2 SP2 3 Make sure you always download the latest patches as part of the Customer Center configuration during the install This ensures the most stable configur...

Страница 60: ...ver SLES 10 SP3 VM host server creating a VM and then installing an OES 2 server NetWare or Linux in the VM To get started with Xen virtualization in OES 2 see the following Introduction to Xen Virtua...

Страница 61: ...ge 64 Section 6 6 eDirectory on page 64 Section 6 7 iFolder 3 8 on page 66 Section 6 8 iPrint on page 66 Section 6 9 LDAP Preventing Bad XML Errors on page 67 Section 6 10 Management on page 68 Sectio...

Страница 62: ...as well Unless you are aware of the users and groups in both systems especially those that are system created you might easily create an invalid configuration on an OES 2 server 6 2 2 Three Examples...

Страница 63: ...other creates a LUM enabled group in eDirectory with the same name Again the LUM enabled users who are members of the eDirectory group won t have access through POSIX This is why we recommend that as...

Страница 64: ...ause JClient Errors ConsoleOne support is now limited to management of GroupWise and ZENworks for Desktops 7 If you need to use ConsoleOne to manage either of these supported products on OES 2 make su...

Страница 65: ...f your OES services will break If you need to rename a container or tree make sure that you 1 Identify all of the configuration files for your OES services 2 Assess whether the changes that you are pl...

Страница 66: ...e you can either escape the character or place single quotes around the value For example cn admin name o container or cn admin name o container 6 7 iFolder 3 8 Implementation caveats for iFolder 3 8...

Страница 67: ...ins are different for each server platform Therefore if you have both OES 2 and NetWare 6 5 SP8 servers running iPrint services you need two instances of iManager to manage iPrint one on each platfor...

Страница 68: ...nefits from having an index present The subtree search performance issue is resolved in the eDirectory 8 8 x release with the addition of the AncestorID feature 6 10 Management Section 6 10 1 iManager...

Страница 69: ...inal Prompt Use the actual filenames instead of names such as filena 1 txt during file operations from the command prompt 6 11 NCP Doesn t Equal NSS File Attribute Support NSS file attributes and NCPT...

Страница 70: ...ding Name Space Support on page 70 Section 6 13 2 The Role of EVMS on page 70 6 13 1 Understanding Name Space Support NSS stores LONG UNIX DOS and AFP name spaces for all files The default name space...

Страница 71: ...nes are not affected Leaving VMM open can affect the system resources available to the VMs 6 16 2 Always Use Timesync Rather Than NTP Time synchronization problems have been observed when virtualized...

Страница 72: ...ines for using NSS volumes in connection with OES 2 servers running in Xen VMs Both Linux and NetWare Platforms NSS pools and volumes must be created on only SCSI or Fibre Channel devices You cannot u...

Страница 73: ...ve installed are treated differently by default when you upgrade an OES server depending on the version of the server you are upgrading OES 1 Applications are deleted by default during an upgrade OES...

Страница 74: ...and virtual to virtual upgrades are supported For complete upgrade instructions see Upgrading to OES 2 SP2 in the OES 2 SP2 Installation Guide In addition to upgrading the server itself data and serv...

Страница 75: ...SP2 Migration Tool The OES 2 SP2 Migration Tool lets you migrate and or consolidate data and services from one or more NetWare OES 1 or OES 2 source servers to an OES 2 SP2 target server The source s...

Страница 76: ...76 OES 2 SP2 Planning and Implementation Guide novdocx en 22 June 2009...

Страница 77: ...ailable only to OES 2 registered customers 9 1 Graphical Overview of Virtualization in OES 2 Figure 9 1 illustrates how a single VM host server can support multiple VM guest servers that in turn provi...

Страница 78: ...nning on the VM host NetWare Response File Utility Lets you pre answer the same questions as you would during a physical NetWare installation When the time comes to run the NetWare Install program the...

Страница 79: ...prior to adding the services See the instructions in the Important note in Installing or Configuring OES Services on an Existing Server in the OES 2 SP2 Installation Guide NCP Server Dynamic Storage T...

Страница 80: ...80 OES 2 SP2 Planning and Implementation Guide novdocx en 22 June 2009...

Страница 81: ...eparate purchase is a multinode clustering product that Can include up to 32 servers Is supported for both NetWare and Linux Is eDirectoryTM enabled for single point ease of management Supports failov...

Страница 82: ...82 OES 2 SP2 Planning and Implementation Guide novdocx en 22 June 2009...

Страница 83: ...d interfaces that help you implement and maintain your network Access to most of these management interfaces is controlled through eDirectoryTM However a few interfaces such as YaST on SUSE Linux Ente...

Страница 84: ...te Requires JavaScript Apache and Tomcat Browsers accessing the Welcome site must have JavaScript enabled to function correctly Additionally it is possible to install OES 2 on either supported platfor...

Страница 85: ...For additional information see Verifying That the Installation Was Successful in the OES 2 SP2 Installation Guide 11 2 3 The Welcome Web Site Is Available to All Users Although the Welcome Web site i...

Страница 86: ...d prompt on the Linux server For more information or help understanding and using bash search the Web for any of the numerous articles and tutorials on using the shell Health Monitoring Services Monit...

Страница 87: ...ager Workstation iManager Workstation formerly Mobile iManager Manage eDirectory Create and manage users groups and other objects Manage OES 2 services Access various other management tools and plug i...

Страница 88: ...4 in the Novell eDirectory 8 8 Administration Guide iPrint Map Designer Create a printer map to aid in printer selection installation Edit an existing printer map 1 In a supported Web browser enter th...

Страница 89: ...volumes And you can salvage and purge deleted files For more information see Managing File Security and Passwords in the Novell Client 4 91 SP5 for Windows XP 2003 Installation and Administration Gui...

Страница 90: ...e and password or a Linux POSIX username and password Functionality is limited for non Admin or non root users on both platforms NRM on Linux doesn t include all the functionality of NRM on NetWare Fo...

Страница 91: ...firewall must allow for SSH access eDirectory users must be enabled for SSH access For more information see Section 11 4 SSH Services on OES 2 on page 93 OpenWBEM Perform tasks instrumented by specif...

Страница 92: ...ion Guide Remote Manager See Novell Remote Manager SNMP for eDirectory Lets you use standard SNMP tools to Monitor an eDirectory server Track the status of eDirectory to verify normal operations Spot...

Страница 93: ...ng Utilities Manage the Linux server and standard Linux services from the command prompt Enter the desired command at the command prompt For more information see System Monitoring Utilities http www n...

Страница 94: ...r provides Web access to directories and files on other servers or on itself Typically either an NCP or a CIFS connection is used for connecting the NetStorage server with storage targets However an S...

Страница 95: ...95 Enabling Users for LUM on page 96 Restricting SSH Access to Only Certain LUM Enabled Users on page 96 Providing SSH Access for Samba Users on page 97 Allowing SSH Access Through the Firewall 1 On...

Страница 96: ...ss to the server On the other hand if you have installed Samba on the server or if you install Samba in the future the users who are configured for Samba access will have SSH access disabled To restor...

Страница 97: ...ns for providing SSH access to users who have been enabled for Samba access You can remove the user from the server_name W SambaUserGroup IMPORTANT This presupposes that the user is a member of a diff...

Страница 98: ...98 OES 2 SP2 Planning and Implementation Guide novdocx en 22 June 2009...

Страница 99: ...establish point to point connections so that nodes can send messages to each other and have the packets arrive intact and in the correct order The transport protocol also specifies how nodes are iden...

Страница 100: ...DNSMaint Yes No Fault Tolerance Yes Yes Filenames and paths Server binary sys system named nlm opt novell named bin novell named db jnl file sys etc dns etc opt novell named named conf Stat file info...

Страница 101: ...Section 12 3 4 Implementing Time Synchronization on page 110 Feature or Command NetWare 6 5 SP8 OES 2 Auditing Yes No Filenames and paths Conf file N A etc dhcpd conf Leases Stored in eDirectory var l...

Страница 102: ...ization modules that each operating system uses and how these modules can interact with each other OES 2 vs NetWare 6 5 on page 102 OES 2 Servers Use the Network Time Protocol NTP to Communicate on pa...

Страница 103: ...me Synchronization Modules Compatibility with Earlier Versions of NetWare Earlier versions of NetWare version 4 2 through version 6 0 do not include an NTP time module Their time synchronization optio...

Страница 104: ...a NetWare 6 5 server IMPORTANT As shown in Figure 12 4 we recommend that NetWare 4 2 servers not be used as a time source OES 2 Servers as Time Providers Figure 12 5 shows how OES 2 servers can funct...

Страница 105: ...ore detailed planning information refer to the following resources How Timesync Works in the NW 6 5 SP8 Network Time Synchronization Administration Guide Network Time Protocol in the NW 6 5 SP8 NTP Ad...

Страница 106: ...ommunicate with other servers in peer to peer relationships to ensure that they are synchronized Basic planning steps are summarized in Planning a Time Synchronization Hierarchy before Installing OES...

Страница 107: ...t should ultimately obtain time from a public NTP server If your network doesn t currently employ time synchronization refer to the list of public NTP servers published on the ntp org Web site http nt...

Страница 108: ...OES 2 servers can be introduced into an existing network environment without disrupting any of the products and services that are in place This section discusses the issues involved in the coexistence...

Страница 109: ...tWare on page 103 Upgrading from NetWare to OES 2 The OES 2 SP21 Migration Tool can migrate time synchronization services from NetWare to Linux For more information see Migrating Timesync NTP from Net...

Страница 110: ...2 install prompts you for the IP address or DNS name of an NTP v3 compatible time server If you are installing the first server in a new eDirectory tree you have two choices You can enter the IP addre...

Страница 111: ...al time sources to ensure fault tolerance For more information see Changing Time Synchronization Settings on a SLES 10 Server on page 112 NetWare 6 5 SP8 If you are installing into an existing tree th...

Страница 112: ...rmation about daylight saving time DST see the DST Master TID on the Novell Support site http www novell com support php search do cmd displayKC docType kc externalId 3094409 12 4 Discovery Services V...

Страница 113: ...as open source software and is available for download on the Novell Forge Web site http forge novell com modules xfmod project showfiles php group_id 1025 12 4 4 CIMOM and Discovery The current OpenW...

Страница 114: ...ncluding RFC 2614 SLP version 2 0 It is the default SLP service installed on SLES 10 In OES 2 OpenSLP is available for those applications that require it The default discovery mechanism is actually DN...

Страница 115: ...That way you can point to the SLP service during the installation Setting up SLP services on every OES 2 server is recommended Setting Up an OpenSLP DA Server If you need OpenSLP and you don t already...

Страница 116: ...lp conf Scopes group and organize the services on your network into logical categories For example the services that the Accounting group needs might be grouped into an Accounting scope More informati...

Страница 117: ...rver you defined in Setting Up an OpenSLP DA Server on page 115 You can also list additional DA addresses separated by commas 4 Return to the Novell eDirectory Services instructions in the OES 2 SP2 I...

Страница 118: ...DA Access During the NetWare Server Installation 1 In the dialog box where you set up IP addresses for network boards click Advanced 2 Click the SLP tab 3 Specify the IP address of the OES 2 DA serve...

Страница 119: ...hould complete one of the following procedures as it applies to your situation Configuring for DA Access During the OES 2 Installation on page 119 Configuring for DA Access Before or After Installing...

Страница 120: ...This is a problem especially if one of the later names becomes the first name in a subsequent SLP configuration and the leading space is ignored If you use the scope names given in the example remove...

Страница 121: ...the DA IP addresses are listed If you know the scope names check for the proper scope name configuration by using the SET SLP SCOPE LIST command Use the DISPLAY SLP SERVICES command to list all of the...

Страница 122: ...122 OES 2 SP2 Planning and Implementation Guide novdocx en 22 June 2009...

Страница 123: ...plementing storage services in OES Section 13 1 Overview of OES 2 Storage on page 123 Section 13 2 Planning OES File Storage on page 128 Section 13 3 Coexistence and Migration of Storage Services on p...

Страница 124: ...mary Link for More Information Linux POSIX File Systems SLES 10 includes a number of different file systems the most common of which are Ext3 and ReiserFS OES 2 services are supported on Ext3 ReiserFS...

Страница 125: ...uide NSS Linux vs NSS NetWare Comparison of NSS on NetWare and NSS on Linux NSS Linux vs Linux POSIX Comparison of NSS on Linux and NCP Volumes on Linux POSIX File Systems NSS Netware vs NetWare Tradi...

Страница 126: ...folders to organize data NetWare file systems support directory paths fake root directories Directory Map objects and drive mappings For more information see Understanding Directory Structures for the...

Страница 127: ...As shown in Figure 13 1 on page 124 you can install traditional volumes and Novell Storage System NSS volumes on both OES platforms These devices can be installed within the server or attached directl...

Страница 128: ...OES 2 SP2 Novell Cluster Services 1 8 7 for Linux Administration Guide 13 1 6 NetWare Core Protocol Support Novell Client Support on Linux Many organizations rely on Novell ClientTM software and the N...

Страница 129: ...ild efficient scalable and cost effective solutions This section discusses issues to consider when planning your file systems on OES 2 servers and includes the following topics The Workgroup Environme...

Страница 130: ...ing new models of protecting and storing employee generated data that is in LAN systems It is important to apply correct regulatory requirements only on those users to which they must be applied and t...

Страница 131: ...lability with one important exception If the server is running as a Xen VM guest you should format the boot partition with Ext2 as explained in Paravitual Mode and Journaling File Systems http www nov...

Страница 132: ...ba The Common Internet File Services CIFS protocol is the protocol for Windows networking and file services Novell CIFS is a ported version of the CIFS file service traditionally available only on Net...

Страница 133: ...ood choices in this environment For file serving to end user workstations the access control and security management capabilities of the NSS file systems with CIFS and NCP file access protocols are im...

Страница 134: ...file systems from node to node For example if you are using NSS on one node you need to use NSS on the failover node as well Dynamic Storage Technology Dynamic Storage Technology does not depend on a...

Страница 135: ...on such as boot for Grub and system partition such as for the swap and system volumes are managed by Logical Volume Manager 2 LVM2 Any disk managed by LVM2 cannot be managed by EVMS which makes the di...

Страница 136: ...ditional volumes with NetWare 6 5 SP8 you will want to consider upgrading them to NSS to support a data migration to OES 2 NSS Volumes NSS volumes are cross compatible between NetWare and Linux server...

Страница 137: ...stration Guide Distributed File Services DFS Use DFS junctions to transparently redirect data requests split volumes while maintaining transparent access and quickly move volume data to another volume...

Страница 138: ...g and Purging Deleted Volumes Directories and Files in the OES 2 SP2 NSS File System Administration Guide Tools Learn about the various tools available to manage NSS volumes the tool capabilities and...

Страница 139: ...ies in directory services is a fundamental expectation for networking In the simplest terms Novell eDirectoryTM is a tree structure containing a list of objects or identities that represent network re...

Страница 140: ...4 2 3 eDirectory Coexistence and Migration on page 141 14 2 1 Installing and Managing eDirectory on OES The tools you can use to install and manage eDirectory on OES are outlined in the following sect...

Страница 141: ...Directory see Designing Your Novell eDirectory Network in the Novell eDirectory 8 8 Installation Guide To learn what s new in eDirectory 8 8 see the Novell eDirectory 8 8 Whats New Guide 14 2 3 eDirec...

Страница 142: ...vell eDirectory Management Utilities in the Novell eDirectory 8 8 Administration Guide 14 3 4 eDirectory LDAP Implementation Suggestions For help with setting up and using LDAP for eDirectory refer to...

Страница 143: ...ment on page 145 File Access Figure 14 2 DSfW File Access Overview Could be on a seperate OES 2 server in or out of the domain Could be on a separate Windows server eDirectory DSfW server eDirectory U...

Страница 144: ...users can also access files through a normal NCPTM connection For eDirectory users file service access is controlled by authentication through the eDirectory server using common Windows authentication...

Страница 145: ...nages DSfW users like other eDirectory users MMC manages both AD users and DSfW users as though they were AD users DSfW users must have the Default Domain Password policy assigned and a valid Universa...

Страница 146: ...Password policy assigned they won t be able to log in without the Novell Client until the Universal Password has been set Therefore you should consider implementing Universal Password and giving users...

Страница 147: ...ng the First DSfW Server in a New eDirectory Tree in the OES 2 SP2 Domain Services for Windows Administration Guide Install DSfW on a New OES 2 Server When Possible Because of the service limitations...

Страница 148: ...148 OES 2 SP2 Planning and Implementation Guide novdocx en 22 June 2009...

Страница 149: ...ganization resources you can manage through eDirectory The Lab Guide for OES 2 provides basic instructions for creating container objects as well as Group and User objects in eDirectory For more infor...

Страница 150: ...OES 2 That Require LUM Enabled Access on page 152 Services That Do Not Require LUM Enabled Access But Have Some LUM Requirements on page 154 Services That Do Not Require LUM enabled Access on page 154...

Страница 151: ...directory services Remote user access is enabled through the Pluggable Authentication Module PAM architecture on Linux The Linux POSIX compliant interfaces can authenticate both kinds of users indepen...

Страница 152: ...tory users who are configured to access the server This is because Samba requires POSIX identification for access By extension NetStorage users who need access to Samba CIFS Storage Location objects t...

Страница 153: ...can access SMS utilities as The root user with rights to see everything on the Linux server A local Linux user with access governed by POSIX access rights Having local users in addition to root is no...

Страница 154: ...tory access is always controlled by POSIX The Novell Trustee Model doesn t apply to Samba Both Novell trustee assignments and POSIX file ownership are tracked correctly after users are LUM enabled Alt...

Страница 155: ...s eDirectory Admin User Is Automatically Enabled for Linux Access on page 155 Planning Which Users to Enable for Access on page 155 Be Aware of System Created Users and Groups on page 155 eDirectory A...

Страница 156: ...iple OES 2 Servers on page 156 Samba users are also enabled for Linux access as part of the Samba enabling process nambulkadd If you have eDirectory users and groups that need to be enabled for Linux...

Страница 157: ...User Management includes utilities for creating new LUM enabled groups and for enabling existing eDirectory groups for Linux access The nambulkadd utility lets you use a text editor to create a list o...

Страница 158: ...Management Services Providing network users with a network identity is a fundamental expectation for networking but it can also become confusing when users need to track multiple identities to use net...

Страница 159: ...ty Manager Driver for Active Directory Other Identity Manager Integration Modules drivers are included in the software distribution You can install and use these additional Integration Modules for 90...

Страница 160: ...w novell com documentation idm35 idm_log data bookinfo html For information about customizing your implementation Policy Builder and Driver Customization Guide http www novell com documentation idm35...

Страница 161: ...et on that server I installed the Bundle Edition on Linux or NetWare but it s not activated Why is this You must install the Bundle Edition on the server where OES exists If you install it on a non OE...

Страница 162: ...r OES purchase you are entitled to use the Bundle Edition products If you want to add new Integration Modules you also need to purchase Novell Identity Manager The Integration Module cannot activate u...

Страница 163: ...services you offer and the ways your configure those services This section can help you understand access control at a high level so that you can plan implement and control access to services More det...

Страница 164: ...pport for the HTTP protocol Each workstation type has file access protocols associated with it Linux uses NFS as its native protocol for file services access Macintosh workstations communicate using A...

Страница 165: ...ttp www novell com documentation sles10 sles_admin data sles_admin html Aligning NCP and POSIX access rights How to approximate the NCP or NetWare access control model on POSIX file systems Section 17...

Страница 166: ...roup can do with a directory or file provided that the directory or file attributes allow the action This is illustrated in Figure 16 2 Figure 16 2 Directory and File Access under the NetWare Access C...

Страница 167: ...Attributes can be set by any trustee that has the Modify trustee right to the directory or file The possible actions by the eDirectory users and group shown in this example are as follows Nancy has t...

Страница 168: ...l Client Right for Your Network Although Novell offers services that don t require Novell Client such as NetStorage Novell iFolder 3 8 and iPrint many network administrators continue to prefer the Nov...

Страница 169: ...gy The impact of this on you as the network administrator is that these users and groups must be enabled for eDirectory LDAP authentication to the local server For more information see Linux User Mana...

Страница 170: ...to your printing resources You can also use iPrint to set up print services that don t require authentication NOTE Access control for printers is supported only on the Windows iPrint Client For more...

Страница 171: ...protocols each interface supports 3 In the right column view the services available to the interfaces via the protocols Figure 16 3 Access Interfaces and Services and the Protocols That Connect Them...

Страница 172: ...e clear access instructions to your network users For a summary of access methods see Appendix E Quick Reference to OES 2 User Services on page 247 16 1 5 Configuring and Administering Access to Servi...

Страница 173: ...tees for directories and files on NSS volumes but you can t change them by using a WebDAV connection to NetStorage Using the Novell Client to Change File and Directory Attributes and Trustee Rights Yo...

Страница 174: ...and is also documented in Trustee Rights Utility for Linux in the OES 2 SP2 File Systems Management Guide 16 2 Authentication Services This section briefly discusses the following topics Section 16 2...

Страница 175: ...log in through a password a fingerprint scan a token a smart card a certificate a proximity card etc You can have users log in through a combination of methods to provide a higher level of security S...

Страница 176: ...by default The same policy can be used for both services as shown in Creating a UP Policy to Support Both AFP and CIFS in the OES 2 SP2 Lab Guide for Linux and Virtualized NetWare More information abo...

Страница 177: ...n iManager by the Secure Password Manager SPM a component of the NMAS module installed on OES 2 servers All password restrictions and policies expiration minimum length etc are supported All the exist...

Страница 178: ...178 OES 2 SP2 Planning and Implementation Guide novdocx en 22 June 2009...

Страница 179: ...transfer files to and from OES 2 servers NetWare Core Protocol page 180 Provides NetWare Core ProtocolTM NCPTM access to NCP volumes including NSS volumes that you define on OES 2 server partitions Ne...

Страница 180: ...use You can also migrate an existing FTP server configuration from a NetWare server to OES 2 For migration instructions and a brief FAQ see Migrating FTP from NetWare to OES 2 Linux in the OES 2 SP2 M...

Страница 181: ...ms Network file access is often confusing and frustrating to users as illustrated in Figure 17 2 Access Methods Authentication NCP Services Access is through an NCP client specifically the Novell Clie...

Страница 182: ...cess is critical to those who must travel However access method support varies widely among file service providers Authentication helps protect information assets but having diverse authentication met...

Страница 183: ...on illustrated in Figure 17 3 Windows Explorer Browser PDA Access Methods Authentication NetStorage Server eDirectory LDAP OES 2 NetStorage on OES 2 NSS volume NCP volume NetWare Traditional volume CI...

Страница 184: ...anted through login script drive mapping NCP server required or through Storage Location Objects File service access is controlled by LDAP based authentication through the eDirectory LDAP server Altho...

Страница 185: ...cess to the OES 2 server All file service access is controlled by LDAP based authentication through the eDirectory LDAP server Although shown separately eDirectory could be installed on the OES 2 serv...

Страница 186: ...options CIFS Client Access Windows Explorer users can access and modify files on the OES 2 server just as they would on any workgroup server share Web Folder Users can create Web Folders in Windows E...

Страница 187: ...led by LDAP based authentication through the eDirectory LDAP server Although shown separately eDirectory could be installed on the OES 2 server Files can be encrypted for transport using SSL connectio...

Страница 188: ...e Figure 17 7 Figure 17 7 How Samba on OES Works The following table explains the information illustrated in Figure 17 7 eDirectory LDAP server Samba users are enabled for Linux User Management LUM An...

Страница 189: ...kdown Access Methods Authentication File Storage Services eDirectory users on Windows workstations have two native Windows file access options if their eDirectory accounts have been enabled for LUM an...

Страница 190: ...sh Chooser NSS volumes Secure LDAP Authentication Novell CIFS Any CIFS client Remote access Web Folders in the Internet Explorer browser Windows Explorer NSS volumes Secure LDAP Authentication Novell...

Страница 191: ...r iManager or the nssmu utility to create an NSS volume on an OES 2 server For instructions on how to set up an NSS volume see Managing NSS Volumes in the OES 2 SP2 File Systems Management Guide LUM a...

Страница 192: ...nly to other file storage services Novell AFP Allocate enough disk space for the partition containing the home directories to meet your users file storage needs Novell CIFS Allocate enough disk space...

Страница 193: ...ss the full range of Novell services such as authentication to eDirectory network browsing and service resolution and secure file system access It supports traditional Novell protocols such as NCP RSA...

Страница 194: ...the same basic CIFS connectivity that was previously available only on NetWare No Novell Client softward is required For information on migrating CIFS services from NetWare to OES 2 see Migrating CIF...

Страница 195: ...atically navigate to the assigned area and exercise whatever access privileges you have assigned at that level and below You can assign as many trustees with different access privileges as you need On...

Страница 196: ...rivate work area on a Linux POSIX volume 1 Make the user is the directory owner For example you could use the chown command to change the owner user chown R user path user_dir where user is the eDirec...

Страница 197: ...you could enter chmod R 770 path group_dir where path is the file path to the work area and group_dir is the group work directory The second 7 grants rwx to the group The example assumes that the owne...

Страница 198: ...se areas inherit the same permissions as their parent directory For instructions see Configuring Inherit POSIX Permissions for an NCP Volume in the OES 2 SP2 NCP Server for Linux Administration Guide...

Страница 199: ...erver navigation for the Pure FTPd server disallow_list_oes_server yes Disables SITE SLIST command for listing OES machines edir_ldap_port 389 eDirectory LDAP port Entry Value Reason Why ChrootEveryon...

Страница 200: ...e description Table 17 11 Linux FTP SITE command NOTE All the FTP users needs to be LUM enabled on the FTP server 17 6 NCP Implementation and Maintenance If you have installed the NCP server for OES e...

Страница 201: ...hen a Novell Client attaches to the OES 2 server the HOME volume appears along with the SYS volume created by the installation For new eDirectory users If you create an NCP or NSS volume on the server...

Страница 202: ...and file systems Some connections are created automatically depending on the OES platform where NetStorage is installed Other connections must be created by the network administrator In summary NetSt...

Страница 203: ...le systems is often controlled by other authentication domains For example you might create a storage location on the OES 2 server that points to a legacy NetWare server that resides in a different eD...

Страница 204: ...SP2 Lab Guide for Linux and Virtualized NetWare for an introduction to creating and working with eDirectory objects and OES 2 file services including Novell AFP All eDirectory users can access the AFP...

Страница 205: ...205 Section 17 10 4 Novell iFolder 3 8 Maintenance on page 206 17 10 1 Managing Novell iFolder 3 8 You manage Novell iFolder through the iFolder Management Console which you can access directly or thr...

Страница 206: ...ice by using the instructions in the OES 2 SP2 Installation Guide for a new installation or install it after the initial OES installation as explained in Installing Samba for OES 2 in the OES2 SP2 Sam...

Страница 207: ...was available in NetWare 6 5 SP3 and earlier When you upgrade a NetWare server running NetWare Web Search Server to NetWare 6 5 Web Search Server is automatically upgraded to QuickFinder The upgrade...

Страница 208: ...208 OES 2 SP2 Planning and Implementation Guide novdocx en 22 June 2009...

Страница 209: ...nt Services Novell iPrint lets Linux Macintosh and Windows users Quickly locate network printers through a Web browser Easily install and configure a located printer through a native printer installat...

Страница 210: ...the Driver Store and Broker and are not represented by objects in eDirectory Printer Objects These are eDirectory objects you create that store information about the printers available through iPrint...

Страница 211: ...thentication for Windows users if needed The option to require authentication is not available for Linux and Macintosh users Although shown separately eDirectory could be installed on the OES 2 server...

Страница 212: ...alling and Setting Up iPrint on Your Server in the OES 2 SP2 iPrint for Linux Administration Guide In OES SP2 migrating iPrint services from a NetWare server to an OES 2 server is supported by the OES...

Страница 213: ...Creating a Printer in the OES 2 SP2 iPrint for Linux Administration Guide 5 Optional Create location based customized printing Web pages By default each iPrint installation includes the creation of a...

Страница 214: ...pdate your iPrint installation to reflect these changes After your installation is completed and users are printing you can monitor print performance by using the information located in Using the Prin...

Страница 215: ...so run any of the hundreds of free Web applications that can be downloaded from the Internet Web and application services make it easy to build your own dynamic Web content and create customized Web d...

Страница 216: ...216 OES 2 SP2 Planning and Implementation Guide novdocx en 22 June 2009...

Страница 217: ...ine documentation 21 1 1 Application Security AppArmor Novell AppArmor provides easy to use application security for both servers and workstations You specify which files a program can read write and...

Страница 218: ...vell partners are currently developing applications for use with the NSS Auditing Engine Blue Lance NetVision Symantec Nsure Audit Starter Pack The Novell Audit 2 0 Starter Pack is supported on OES 2...

Страница 219: ...ever delete the NICI configuration files unless they are directly told to do so by a member of the NICI development team And in that rare case they should be sure to back up the files before doing so...

Страница 220: ...s and files for which they are trustees or members of a group that is a trustee Home directories an example of default accessibility By default all users can see the names of directories and files in...

Страница 221: ...h other access protocols for example HTTP or CIFS have no concurrent connection or address restrictions imposed For this reason you probably want to consider not enabling services such as SSH and FTP...

Страница 222: ...x Administration Guide Domain Services for Windows Novell DSfW Security Guide Dynamic Storage Technology Security Considerations in the OES 2 SP2 Dynamic Storage Technology Administration Guide eDirec...

Страница 223: ...and Security Considerations in the OES 2 SP2 NSS File System Administration Guide Novell iFolder 3 8 Novell iFolder 3 8 Administration Guide OES 2 Installation Security Considerations in the OES 2 SP...

Страница 224: ...224 OES 2 SP2 Planning and Implementation Guide novdocx en 22 June 2009...

Страница 225: ...o Open Enterprise Server 2 includes solutions that address each of these issues at no additional expense This section discusses the certificate management enhancements available in OES 2 and how simpl...

Страница 226: ...What Is Installed Where Key and certificate files are installed in the following locations Table 22 1 File Locations Location Details etc ssl certs This is the default location of trusted root certif...

Страница 227: ...rtificate Self Provisioning in the Novell Certificate Server 3 3 2 Administration Guide PKI Health Check The PKI health check runs whenever the certificate server starts If you have enabled Server Sel...

Страница 228: ...er Self Provisioning be enabled as follows 1 On the server you are configuring in iManager Roles and Tasks click the Novell Certificate Access Configure Certificate Authority option 2 Click Enable ser...

Страница 229: ...7 Click Next 8 Click Save the Exported Certificate and save the file to the local disk noting the filename and location if they are indicated 9 Click Close OK 10 Find the file you just saved By defau...

Страница 230: ...rusts certificates from the servers in the tree 22 3 If You Don t Want to Use eDirectory Certificates For most organizations the eDirectory certificate solution in OES 2 is an ideal way to eliminate t...

Страница 231: ...l HTTPS services are configured to use eDirectory certificates The current service certificates and configurations are retained Upgrade from OES 2 or OES 2 SP1 The same option is used as when OES 2 wa...

Страница 232: ...232 OES 2 SP2 Planning and Implementation Guide novdocx en 22 June 2009...

Страница 233: ...ed OES 2 is a set of services that can be either added to an existing server or installed at the same time as SUSE Linux Enterprise Server 10 SP1 After OES 2 services are added we refer to the server...

Страница 234: ...234 OES 2 SP2 Planning and Implementation Guide novdocx en 22 June 2009...

Страница 235: ...sume that only the IP address of the server is changing They do not cover changing the DNS hostname of the server B 2 Prerequisites Section B 2 1 General on page 235 Section B 2 2 iPrint on page 236 S...

Страница 236: ...he root partition of the server you are reconfiguring 3 Open the YaST Control Center 4 In Network Devices select Network Card 5 Confirm that the Old IP address you listed in Section B 2 1 General on p...

Страница 237: ...ll OES services 3 Type the Admin password when prompted You might need to wait a few minutes for the LDAP server to restart 4 When the script finishes restart the server by entering the following comm...

Страница 238: ...de 2 Regenerate the QuickFinderTM index by completing the instructions in see Creating Indexes in the OES 2 Novell QuickFinder Server 5 0 Administration Guide B 6 2 DHCP 1 Make sure the DHCP configura...

Страница 239: ...rch This is the domain name whose IP address is to be changed In this example it is the A record 2a Specify the Host Name using the search feature 2b Select the record and click Modify to change the I...

Страница 240: ...136 the new name of the Reverse Lookup object will be 136_103_92_100_in addr_arpa OESSystemObjects nmfrd 3c Click iManager Directory Administration Modify Object Search and select the Reverse Lookup...

Страница 241: ...torage 1 At a terminal prompt enter the following commands opt novell xtier bin xsrvcfg D opt novell xtier bin xsrvcfg d newip c AuthenticationContext where newip is the new IP address used throughout...

Страница 242: ...242 OES 2 SP2 Planning and Implementation Guide novdocx en 22 June 2009...

Страница 243: ...software up to date on all servers and workstations You can install product updates as they are made available through the ZENworks Linux Management update channel For instructions on setting up the Z...

Страница 244: ...244 OES 2 SP2 Planning and Implementation Guide novdocx en 22 June 2009...

Страница 245: ...t group of users Users control who can participate in an iFolder and their access rights to the files in it Users can also participate in iFolders that others share with them Salvage and Purge By defa...

Страница 246: ...ew functionality for OES Most of the SMS coexistence and migration issues are of concern only to backup application developers However administrators should be aware that SMS based applications must b...

Страница 247: ...ge The WebDAV URL is case sensitive Novell ClientTM 1 Install the Novell Client on a supported Windows workstation 2 Log in to eDirectoryTM 3 Access NCPTM volumes on NetWare or Linux that you have the...

Страница 248: ...248 OES 2 SP2 Planning and Implementation Guide novdocx en 22 June 2009...

Страница 249: ...rop down lists in Firefox Also iManager plug ins might not work properly if the highest priority Language setting for your Web browser is set to a language other than one of iManager s support languag...

Страница 250: ...SP2 Planning and Implementation Guide novdocx en 22 June 2009 Tomcat Manager Managing Tomcat with Tomcat Admin in the NW 6 5 SP8 Tomcat Administration Guide Management Tool Supported Browser Informat...

Страница 251: ...iness SP1 Microsoft Windows Vista Business 64 bit SP1 Microsoft Windows Vista Ultimate SP1 Microsoft Windows Vista Ultimate 64 bit SP1 Microsoft Windows Vista Enterprise SP1 Microsoft Windows Vista En...

Страница 252: ...252 OES 2 SP2 Planning and Implementation Guide novdocx en 22 June 2009...

Страница 253: ...d restart the Apache Web Server rather than referencing the init script directly Archive and Version Services novell ark This lets you to start stop restart and display the status of the Archive and V...

Страница 254: ...e runs inside the novell xsrvd XTier Web Services daemon and also utilizes Tomcat services for certain other functions novell xregd is the init script for starting and stopping XTier s registry daemon...

Страница 255: ...ications as configured NTP ntp This is the SLES 10 Network Time Protocol daemon OpenWBEM CIMOM owcimomd This is used to start the OpenWBEM CIMOM daemon which is an integral part of the iManager plug i...

Страница 256: ...256 OES 2 SP2 Planning and Implementation Guide novdocx en 22 June 2009...

Страница 257: ...s on page 272 Section I 7 System Groups on page 274 Section I 8 Auditing System Users on page 275 I 1 About System Users and Groups Regular network users rely on network services System users and grou...

Страница 258: ...servername LUM_Proxy_user System Group Facilitate the management of system users Provide access rights to service data on the server or in the eDirectory tree DHCP DNSDHCP System User The daemons ass...

Страница 259: ...ection I 2 3 Which Services Require Proxy Users and Why on page 260 Section I 2 4 What Rights Do Proxy Users Have on page 261 Iprint POSIX iprintgrp eDirectory System Group iPrint LUM proxy optional P...

Страница 260: ...l services that were previously only available on NetWare To make its services available on Linux Novell had to accommodate a fundamental difference between the way services run on NetWare and the way...

Страница 261: ...nName member Linux User Management LUM_proxy Searches the tree for LUM users NetStorage NetStorage_Proxy The LDAP Admin user is specified by default but another user can be created prior to installing...

Страница 262: ...d Service Example Proxy User Name Default Rights Granted AFP AfpProxyUser servername The Universal Password policy associated with the AFP users grants this proxy user the right to retrieve AFP user p...

Страница 263: ...hts Browse LDAP ACL representation 1 subtree NetStorage_Proxy All Attributes Rights Read Compare LDAP ACL representation 3 subtree NetStorage_Proxy NSS server_nameadmin Additional eDirectory rights Su...

Страница 264: ...Proxy User on page 266 Creation Options Table I 2 presents information about the creation options for each OES proxy user Table I 5 Proxy User Creation Options Associated Service Default Proxy User Na...

Страница 265: ...ult the admin account that installs the server is assigned as the DNS proxy user If you want to assign an alternate user account it must already exist in the tree and have Read Write and Browse rights...

Страница 266: ...s are assigned as proxy users Novell Support received a call from an administrator who was getting locked out due to intruder detection after changing the administrator password The lockout happened s...

Страница 267: ...consumed by default installations would be substantial Therefore large organizations are especially interested in methods for limiting the number of proxy users on their network I 3 3 Limiting the Num...

Страница 268: ...ers in a single partition and cross partition access of users to services is rare This is a good approach for organizations where eDirectory administration is done at a partition level This requires t...

Страница 269: ...ve and Versioning DNS DHCP LUM and NetStorage this is the only available option and it applies to the other OES services in all but the default per service per server installation scenario It requires...

Страница 270: ...se the script provided by Archive and Versioning Services to change the password on the server CIFS This password is stored in either CASA or in an encrypted file depending on the configuration option...

Страница 271: ...nding on your needs IMPORTANT The brief instructions that follow assume that you are installing into an existing tree For new trees you will need to install and configure eDirectory on the first serve...

Страница 272: ...r Wide Proxy User Do the following 1 Create one proxy user object per OES server preferably in the same container as the server and set the password 2 Use this proxy user and password as the proxy use...

Страница 273: ...luster Heartbeat This user is created by Heartbeat but it not used by Heartbeat nor by Novell Cluster Services iprint iPrint The iPrint daemons run as this user If iPrint is moved to NSS this user is...

Страница 274: ...SIX iprintgrp eDirectory iPrint The iPrint daemons use the group ID gid of this group to run If iPrint is moved to NSS the iprintgrp group is created in eDirectory ncsgroup NCS ncsclient is a member o...

Страница 275: ...mentation sentinel6 for further instructions Privileged User Manager This product lets you monitor root user activities on the OES server by collecting data analyzing keystrokes and creating indelible...

Страница 276: ...276 OES 2 SP2 Planning and Implementation Guide novdocx en 22 June 2009...

Страница 277: ...the Tree The default is Admin Container Admin eDirectory Admin User These administrators are usually responsible for administering within a partition or subtree They might be assigned only enough righ...

Страница 278: ...278 OES 2 SP2 Planning and Implementation Guide novdocx en 22 June 2009...

Страница 279: ...ssword policies that govern the users to ensure that they can access the different file services K 2 Concepts and Prerequisites Prerequisites for AFP CIFS and Samba access are explained in the followi...

Страница 280: ...These are the contexts under which the user objects will be searched for during an authentication In a name mapped existing tree install if the context resides in a DSfW domain the context can be spe...

Страница 281: ...ers on page 281 File Services on page 282 User Access to Services on page 282 Rights Required for Installation and Administration on page 282 Figure K 1 Example 1 Tree Setup The WIDGETS_INC tree has t...

Страница 282: ...ces Users from all over the tree can access services running on S1 S9 In order for users to be able to access AFP CIFS services the search contexts eDirectory contexts for these services should be con...

Страница 283: ...o widget and is expected to access CIFS services on S8 and S9 K 4 Deployment Guidelines for Different Servers and Deployment Scenarios Section K 4 1 Deployment Scenario 1 Complex Mixed Scenario with a...

Страница 284: ...kstation object that represents the domain controller Winbind translates user principles to UIDs for non NSS volumes LUM enabling is not required for non NSS volume access Non DSFW Server If the first...

Страница 285: ...ct from the AFP Samba users S7 Use the same procedure as for S5 and S6 To avoid confusion do not use the AFP or CIFS default policy as the Password policy for your common AFP CIFS users If the users a...

Страница 286: ...he default password policy provided by CIFS for all the users in this subtree You can create and use a single proxy user password under ou prv o widgets for all the services providing CIFS K 4 3 Deplo...

Страница 287: ...enabled to access NSS file services through Samba For a user to access a DSfW server in a different domain the user needs to be a LUM enabled user on the other server DSfW provisioning establishes sh...

Страница 288: ...288 OES 2 SP2 Planning and Implementation Guide novdocx en 22 June 2009...

Отзывы:

Нет отзывов