Novell OPEN ENTERPRISE SERVER - PLANNING AND IMPLEMENTATION GUIDE 12-2010 Implementation Manual

Planning and implementation guide
AUTHORIZED DOCUMENTATION
Planning and Implementation Guide
Novell
®
Open Enterprise Server
2 SP3
December 2010
www.novell.com

Summary of Contents for Novell OPEN ENTERPRISE SERVER - PLANNING AND IMPLEMENTATION GUIDE 12-2010

  • Page 1 AUTHORIZED DOCUMENTATION Planning and Implementation Guide Novell ® Open Enterprise Server 2 SP3 December 2010 www.novell.com...
  • Page 2 Further, Novell, Inc. reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.
  • Page 3: Table Of Contents

    Novell Domain Services for Windows ...
  • Page 4 NetWare Caveats ... 41; 3.9.15 Novell Distributed Print Services Cannot Migrate to Linux ... 42; 3.9.16 NSS Caveats ...
  • Page 5 Novell-tomcat Is for OES Use Only ...
  • Page 6 Comparing Novell SLP and OpenSLP ... 112
  • Page 7 Storage Options ... 124; 13.1.6 NetWare Core Protocol Support (Novell Client Support) on Linux ... 126; 13.2 Planning OES File Storage ...
  • Page 8 Novell FTP (Pure-FTPd) and OES 2 ...
  • Page 9 Maintaining Novell CIFS File Services ... 206
  • Page 10 Links to Backup Partners ... 247; D.2.2 Novell Storage Management Services (SMS) ... 247; D.2.3 SLES 10 Backup Services ...
  • Page 11 I.2.1 What Are Proxy Users? ... 262; I.2.2 Why Are Proxy Users Needed on OES? ...
  • Page 12 OES 2 SP3: Planning and Implementation Guide...
  • Page 13: About This Guide

    We want to hear your comments and suggestions about this manual and the other documentation included with OES 2. Please use the User Comments feature at the bottom of each page of the online documentation, or go to www.novell.com/documentation/feedback.html and enter your comments there.
  • Page 14 Documentation Conventions The terms OES 2 and OES 2 SP3 are both used in this guide. Generally, OES 2 SP3 is used to differentiate something that is new or changed for the SP3 release of OES 2. Unless otherwise indicated, all statements that refer to OES 2 also apply to OES 2 SP3. In this documentation, a greater-than symbol (>) is used to separate actions within a step and items within a cross-reference path.
  • Page 15: What's New Or Changed

    What’s New or Changed This section summarizes the new features for each release of Novell Open Enterprise Server (OES): Section 1.1, “Links to What's New Sections,” on page 15; Section 1.2, “New or Changed in OES 2 SP3,” on page 16 ...
  • Page 16: New or Changed in OES 2 SP3

    Administration Guide; QuickFinder 5 Administration Guide; Samba (Linux) Administration Guide. Server Health Monitoring: This is now available in various Novell Remote Manager dialog boxes on both platforms. For more information, see “Health Monitoring Services.” Shadow Volumes: “Overview of Dynamic Storage Technology” ...
  • Page 17: Common Proxy

    (http://www.novell.com/documentation/edir88/edir88new/data/front.html). 1.3 New or Changed in OES 2 SP2 This section summarizes the new features introduced in Novell Open Enterprise Server (OES) 2 SP2 that either involve multiple services or are not covered in service-specific documentation. For information on service-specific new features, see Section 1.1, “Links to What's New Sections,”...
  • Page 18: Auditing

    Section 1.3.6, “Domain Services for Windows Installation,” on page 19; Section 1.3.7, “Java Console for DNS/DHCP,” on page 19; Section 1.3.8, “Performance Increases,” on page 19; Section 1.3.9, “Pure-FTPd,” on page 19; Section 1.3.10, “Upgrading Online,” on page 19 ...
  • Page 19: Domain Services For Windows Installation

    Section 1.4.2, “Novell AFP,” on page 20; Section 1.4.3, “Novell CIFS,” on page 20; Section 1.4.4, “Novell Domain Services for Windows,” on page 21; Section 1.4.5, “Migration Tool,” on page 21. 1.4.1 YaST Install Changes The default behavior of the option to use eDirectory certificates for HTTPS services changed in OES 2 SP1.
  • Page 20: Novell AFP

    OES 2 SP3: Novell AFP For Linux Administration Guide. 1.4.3 Novell CIFS Novell CIFS is now available on Linux to provide feature parity with the existing NetWare release. It offers the following features: support for Windows 2000, XP, 2003, and Windows Vista 32-bit ...
  • Page 21: Novell Domain Services For Windows

    Guide. 1.4.4 Novell Domain Services for Windows This service creates seamless cross-authentication capabilities between Microsoft Active Directory on Windows servers and Novell eDirectory on OES 2 SP2 servers, and offers the following functionality: administrators with Windows networking environments can set up one or more “virtual” ...
  • Page 22: Dynamic Storage Technology

    1.5.1 Dynamic Storage Technology OES 2 introduces Novell Dynamic Storage Technology, a unique storage solution that lets you combine a primary file tree and a shadow file tree so that they appear to NCP and Samba/CIFS users as one file tree. The primary and shadow trees can be located on NSS volumes on the same server or on different servers.
  • Page 23: Welcome To Open Enterprise Server

    Welcome to Open Enterprise Server 2 Novell Open Enterprise Server 2 (OES 2) includes all the network services that organizations traditionally expect from Novell. Figure 2-1 OES 2 Overview (Novell Services): Novell Client Access, AFP, eDirectory, ...
  • Page 25: Planning Your OES 2 Implementation

    Service comparison (columns: Service | NetWare 6.5 SP8 | OES 2 | Platform Differences / Migration Issues). Access Control Lists: In combination with NCP Server, Linux supports the Novell trustee model for file access on NSS volumes and NCP volumes on Linux. AFP (Apple* File Services): Yes - NFAP ...
  • Page 26 OES 2 SP3: NSS File System Administration Guide for Linux. CIFS (Windows File Services): NetWare 6.5 SP8: Yes - NFAP; OES 2: Yes - Novell CIFS. Both NFAP and Novell CIFS are Novell proprietary and tightly integrated with eDirectory and Novell Storage Services (NSS). Novell Samba ...
  • Page 27 “Planning a DNS Strategy” in the OES 2 SP3: Novell DNS/DHCP Administration Guide and “Planning a DNS Strategy” in the NW 6.5 SP8: Novell DNS/DHCP Services Administration Guide. Dynamic Storage Technology: DST runs on OES 2. An NSS volume on NetWare is supported only as the secondary volume in a shadow pair.
  • Page 28 Guide, and “Overview” in the NW 6.5 SP8: iPrint Administration Guide. IPX (Internetwork Packet Exchange): Novell has no plans to port IPX to OES. iSCSI: The iSCSI target for Linux does not support eDirectory access controls like the NetWare target does.
  • Page 29 SSH protocols. NetWare uses only NCP. These and other differences are summarized in “NetStorage” on page 179. NetWare Traditional File System: Novell has no plans to port the NetWare Traditional File System to Linux. NetWare Traditional Volumes: Yes - NFAP; Yes - native to ... For NetWare, see “Working with UNIX ...
  • Page 30 “Functions Unique to the NetWare Platform” in the NW 6.5 SP8: OpenSSH Administration Guide. PAM (Pluggable Authentication Modules): PAM is a Linux service that Novell leverages to provide eDirectory authentication. eDirectory authentication is native on NetWare. Pervasive.SQL: Pervasive.SQL is available for Linux from the Web (http://www.pervasive.com/ ...
  • Page 31 For more information, see “Security Characteristics” and “Generating an Index For a Linux-Mounted NSS Volume” in the OES 2 SP3: Novell QuickFinder Server 5.0 Administration Guide. SLP: NetWare 6.5 SP8: Yes - Novell SLP; OES 2: Yes - OpenSLP. For OES 2, see Section 12.5, “SLP,” on page 111.
  • Page 32: Which Services Do I Need

    (Columns: Service | NetWare 6.5 SP8 | OES 2 | Platform Differences / Migration Issues.) Virtual Office (Collaboration): Virtual Office has been replaced by Novell Teaming + Conferencing. A separate purchase is required. For more information, see the Novell Teaming + Conferencing Web Site (http://www.novell.com/products/teaming/index.html).
  • Page 33: Prepare Your Existing eDirectory Tree for OES 2

    Large networks usually have one or more servers dedicated to providing a single network service. For example, one or more servers might be designated to provide Novell iFolder file services to network users while other servers provide iPrint printing services for the same users.
  • Page 34: Understand User Restrictions And Linux User Management

    Section 3.9.13, “Installing into an Existing eDirectory Tree,” on page 41; Section 3.9.14, “NetWare Caveats,” on page 41; Section 3.9.15, “Novell Distributed Print Services Cannot Migrate to Linux,” on page 42; Section 3.9.16, “NSS Caveats,” on page 42 ...
  • Page 35: Always Double-Check Service Configurations Before Installing

    3.9.5 Cluster Upgrades Must Be Planned Before Installing OES Because of differences between Novell Cluster Services on NetWare 6.5 SP8 and OES 2, there are important issues to consider before combining them into a mixed node cluster, as explained in the following sections.
  • Page 36: Cross-Protocol File Locking Has Changed

    OES 1 SP2 Linux or earlier. 3.9.6 Cross-Protocol File Locking Has Changed If you plan to use Novell CIFS, Novell AFP and/or NCP file services in combination with each other, be sure to read Section 1.3.5, “Cross-Protocol File Locking Change.” 3.9.7 Do Not Create Local (POSIX) Users ...
  • Page 37: Do Not Upgrade to eDirectory 8.8 Separately

    “The OES 2 Solution: Standardizing the UIDs on all OES servers” on page 38. NetStorage, XTier, and Their System Users: By default, certain OES services, such as NetStorage, rely on a background Novell service named XTier. To run on an OES server, XTier requires two system-created users (named ...
  • Page 38 As long as the server only has Linux traditional file systems, such as Ext3, Reiser, or XFS, NetStorage runs without difficulties. However, if the server has NSS volumes, an additional requirement is introduced. NSS data can only be accessed by eDirectory users. Consequently, the local XTier users can’t access NSS data, and NetStorage can’t run properly.
  • Page 39 XTier users and the novlxtier group, then continue with the steps that follow. You need these numbers to standardize the IDs on the server. 4 Download the following script file: fix_xtier_ids.sh (http://www.novell.com/documentation/oes2/scripts/fix_xtier_ids.sh). 5 Customize the template file by replacing the variables marked with angle brackets (<>) as follows: ...
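    The pages above explain why the XTier system accounts must carry the same numeric UIDs and GIDs on every OES server that holds NSS volumes, and refer to Novell's fix_xtier_ids.sh for the repair. The script below is an added example and is not that script nor any other code from the guide: it audits the accounts a service depends on against the IDs the tree has standardized on and prints (without executing) the renumbering commands. The group name novlxtier is taken from the guide; the user names xtieruser1 and xtieruser2, every numeric ID, and the /etc/passwd and /etc/group contents are constructed placeholders, since the real user names are cut off in the excerpt.

```shell
#!/bin/sh
# Added example, not Novell's fix_xtier_ids.sh: audit the numeric IDs of the
# system accounts a service such as XTier depends on against the values the
# tree has standardized on, and print the commands that would align them.
# novlxtier is the group named in the guide; xtieruser1/xtieruser2 and all
# numeric IDs are hypothetical placeholders.

# Expected mapping, one "name:kind:id" per line (kind: u = user, g = group).
XTIER_EXPECTED='novlxtier:g:8081
xtieruser1:u:8081
xtieruser2:u:8082'

# Constructed sample files standing in for /etc/passwd and /etc/group on a
# server whose installer handed out the next free local IDs instead.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
xtieruser1:x:1001:1001:XTier service user:/var/opt/novell/xtier:/bin/false
xtieruser2:x:1002:1001:XTier service user:/var/opt/novell/xtier:/bin/false'
SAMPLE_GROUP='root:x:0:
novlxtier:x:1001:xtieruser1,xtieruser2'

write_samples() {          # write_samples DIR -> creates DIR/passwd, DIR/group
    printf '%s\n' "$SAMPLE_PASSWD" > "$1/passwd"
    printf '%s\n' "$SAMPLE_GROUP"  > "$1/group"
}

# id_of NAME FILE -> prints the numeric ID (third field) of NAME, or nothing.
id_of() {
    awk -F: -v n="$1" '$1 == n { print $3; exit }' "$2"
}

# check_ids EXPECTED PASSWD GROUP -> one line per problem; returns 1 if any.
check_ids() {
    _exp=$1; _pw=$2; _gr=$3; _bad=0
    while IFS=: read -r name kind want; do
        [ -n "$name" ] || continue
        case $kind in
            u) have=$(id_of "$name" "$_pw") ;;
            g) have=$(id_of "$name" "$_gr") ;;
            *) echo "BAD-SPEC $name"; _bad=1; continue ;;
        esac
        if [ -z "$have" ]; then
            echo "MISSING $kind $name (want $want)"; _bad=1
        elif [ "$have" != "$want" ]; then
            echo "MISMATCH $kind $name have=$have want=$want"; _bad=1
        fi
    done <<EOF
$_exp
EOF
    return $_bad
}

# propose_fix EXPECTED PASSWD GROUP -> prints, but does not run, the commands
# an administrator would execute with the dependent services stopped. Changing
# a numeric ID leaves files owned by the old number, so each renumbering is
# paired with a find/chown over the local file systems (-xdev skips NSS and
# network mounts, whose ownership is eDirectory-based).
propose_fix() {
    check_ids "$1" "$2" "$3" | while read -r tag kind name rest; do
        [ "$tag" = MISMATCH ] || continue
        have=${rest#have=}; have=${have%% *}
        want=${rest##*want=}
        case $kind in
            g) echo "groupmod -g $want $name"
               echo "find / -xdev -gid $have -exec chgrp -h $want {} +" ;;
            u) echo "usermod -u $want $name"
               echo "find / -xdev -uid $have -exec chown -h $want {} +" ;;
        esac
    done
}

# Stand-alone demo on the constructed files; on a real server point check_ids
# at /etc/passwd and /etc/group instead.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
check_ids "$XTIER_EXPECTED" "$demo_dir/passwd" "$demo_dir/group" \
    || propose_fix "$XTIER_EXPECTED" "$demo_dir/passwd" "$demo_dir/group"
rm -rf "$demo_dir"
```

    Run the audit on every server before enabling NetStorage against NSS; after a groupmod, re-check the primary GID field of the affected users in /etc/passwd, because the check above compares names to IDs, not users to their primary groups.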
  • Page 40: iFolder 3.8 Considerations

    After eDirectory and the iManager plug-ins install successfully, the Novell DHCP configuration fails. You must then use iManager to change either the LDAP server configuration or the Novell DHCP configuration to support your preferred communication protocol.
  • Page 41: Installing into an Existing eDirectory Tree

    Be Sure that OpenSLP on OES 2 Is Configured Properly Novell SLP (NetWare) and OpenSLP (Linux) can coexist, but there are differences between the services that you should understand before deciding which to use or before changing your existing SLP service configuration.
  • Page 42: Novell Distributed Print Services Cannot Migrate To Linux

    LDAP Servers: If the LDAP servers referenced in your installation are not running NetWare 6.5 SP3 or later, the servers might abend during a schema extension operation. 3.9.15 Novell Distributed Print Services Cannot Migrate to Linux NDPS clients are not supported on OES. You must therefore migrate any NDPS clients to iPrint before you migrate your print services to OES.
  • Page 43: Plan eDirectory Before You Install

    3.9.19 Unsupported Service Combinations Do not install any of the following service combinations on the same server. Although not all of the combinations shown in Table 3-2 cause pattern conflict warnings, Novell does not support any of them. Table 3-2 Unsupported Service Combinations...
  • Page 44 (Columns: Service | Unsupported on the Same Server.) Novell CIFS: File Server (Samba); Novell Domain Services for Windows; Novell Samba; Xen Virtual Machine Host Server. Novell Cluster Services (NCS) High Availability: Novell Domain Services for Windows ...
  • Page 45 (Columns: Service | Unsupported on the Same Server.) Novell Linux User Management (LUM): No restrictions. Novell NCP Server / Dynamic Storage Technology: Xen Virtual Machine Host Server. Novell NetStorage: Novell Domain Services for Windows; Xen Virtual Machine Host Server ...
  • Page 46: Consider Coexistence And Migration Issues

    OES 2 integration process is as smooth as possible. Novell has invested considerable effort in identifying service coexistence and migration issues you might face. We understand, however, that we can’t anticipate every combination of services that you might have.
  • Page 47: About Your Installation Options

    Figure 3-1 OES 2 Install Preparation: Download the SLES 10 and OES 2 ISO image files from www.novell.com, or get the ISO files or physical media from a Novell Authorized Reseller. Decide whether to install ...
  • Page 48: Use Predefined Server Types (Patterns) When Possible

    CD/DVD Install: You can install SLES 10 SP1 by using CDs or a DVD and then install OES 2 from a CD, all of which can be either obtained from a Novell Authorized Reseller or created from downloaded ISO image files.
  • Page 49: If You Want to Install NSS on a Single-Drive Linux Server

    3.11.5 If You Want to Install NSS on a Single-Drive Linux Server Many are interested in Novell Storage Services (NSS) running on Linux. If you plan to experiment with NSS on a single-drive server, be sure to follow the instructions in “Installing with EVMS as the...
  • Page 51: Getting and Preparing OES 2 Software

    “Understand Your Installation Options.” 4.1 Do You Have Upgrade Protection? If you have Novell Upgrade Protection, you can upgrade to OES 2 and the associated support packs, free of charge until your upgrade protection expires. After your protection expires, the OES 2 upgrade link disappears from your account page.
  • Page 52: Do You Want to Purchase OES 2 or Evaluate It

    When you purchase OES 2, you receive two activation codes for OES 2 (one for OES 2 services and one for SUSE Linux Enterprise Server 10). Both codes are required for registering an OES 2 system in the Novell Customer Center. After it is registered, your server can receive online updates, including the latest support pack.
  • Page 53: Understanding OES 2 Software Evaluation Basics

    SP3 e-Media Kit link. 4 Click the proceed to download button (upper right corner of the first table). 5 If you are prompted to log in, type your Novell Account > username and password, then click login. 6 Accept the Export Agreement (required for first downloads only) and answer the survey questions about your download (optional).
  • Page 54: Preparing The Installation Media

    53, you now have two activation/evaluation codes: one for OES 2 and another for SLES 10. As you install OES 2, you should register with the Novell Customer Center and use these codes to enable your server for online updates from the OES 2 and SLES 10 patch channels.
  • Page 55: Evaluating OES 2

    4.4.6 Installing Purchased Activation Codes after the Evaluation Period Expires After purchasing Open Enterprise Server, use the instructions in “Registering the Server in the Novell Customer Center (Command Line)” in the OES 2 SP3: Installation Guide to enter the purchased activation codes that you received with your purchase. After logging in as...
  • Page 56: SLES Licensing Entitlements in OES 2

    NetWare usage. You can also monitor usage of Novell Licensing Services-enabled products. 4.5.3 OES 2 Doesn’t Support NLS Novell Licensing Services (NLS) are not available on OES 2, nor does an OES 2 installation require a license/key file pair (* and * ).
  • Page 57: Installing OES 2

    2 and SLES 10 at the same time, making the installation of SLES 10 and OES 2 services a seamless process. To ensure a successful installation: 1. Read and follow all instructions in the OES 2 Readme (http://www.novell.com/documentation/ oes2/oes_readme/data/oes_readme.html#bsen7me). 2. Carefully follow the instructions in the OES 2 SP3: Installation Guide, especially those found ...
  • Page 58: Installing OES 2 Servers in a Xen VM

    Enterprise Server (SLES) 10 SP3 VM host server, creating a VM, and then installing an OES 2 server (NetWare or Linux) in the VM. To get started with Xen virtualization in OES 2, see the following: “Introduction to Xen Virtualization” (http://www.novell.com/documentation/sles10/xen_admin/data/sec_xen_basics.html) in the Virtualization with Xen guide (http://www.novell.com/documentation/sles10/xen_admin/data/bookinfo.html).
  • Page 59: Caveats for Implementing OES 2 Services

    Section 6.12, “Management,” on page 66; Section 6.13, “NCP Doesn’t Equal NSS File Attribute Support,” on page 68; Section 6.14, “Novell-tomcat Is for OES Use Only,” on page 68; Section 6.15, “NSS (OES 2),” on page 68 ...
  • Page 60: Avoiding POSIX and eDirectory Duplications

    6.2 Avoiding POSIX and eDirectory Duplications OES 2 servers can be accessed by local (POSIX) users that are created on the server itself, and by eDirectory users that are given local access through Linux User Management (LUM). However, there are some issues you need to consider: ...
  • Page 61: Avoiding Duplication

    The users Group There is another default system-created group named users that is not used by OES 2 services but is nevertheless created on all SLES 10 (and therefore, OES 2) servers. Creating an eDirectory group named users would seem logical to many administrators. And as with the shadow group, nothing prevents you from using this name.
  • Page 62: CIFS

    NOTE: The list of users and groups in Appendix I, “System User and Group Management in OES 2 SP3,” on page 259 is not exhaustive. For example, the users group is not listed. Create Only eDirectory Users and Groups For OES 2 services, the LUM technology eliminates the need for local users and groups. We recommend, therefore, that you avoid the problems discussed in this section by not creating local users and groups.
  • Page 63: eDirectory

    If you have an issue that you believe can only be resolved by uninstalling eDirectory, make sure you consult with Novell Technical Services before you attempt to do so. 6.7.2 Avoid Renaming Trees and Containers The configuration files for many OES services point to configuration data stored within eDirectory.
  • Page 64: eDirectory Not Restarting Automatically

    'cn=admin$name.o=container' 6.8 iFolder 3.8 Implementation caveats for iFolder 3.8 are documented in “Caveats for Implementing iFolder Services” in the Novell iFolder 3.8.4 Administration Guide. 6.9 iPrint iPrint has the following implementation caveats: Section 6.9.1, “Cluster Failover Between Mixed Platforms Not Supported,” on page 65 ...
  • Page 65: Cluster Failover Between Mixed Platforms Not Supported

    However, installing the client on Linux workstations requires you to save the RPM package and then install it manually if a package manager is not already installed and configured as it is in the Novell Linux Desktop. For more information, see “Linux: iPrint Client”...
  • Page 66: LDAP: Preventing "Bad XML" Errors

    6.10 LDAP—Preventing “Bad XML” Errors If you are using Novell eDirectory 8.7.3x, time outs are possible when you search from iManager for eDirectory objects, such as NCP Server objects, Volume objects, and Cluster objects. This is because the Object Class attribute is not indexed by default. The LDAP sub-tree search can take over 30 seconds, which causes the query to time out.
  • Page 67: iManager RBS Configuration with OES 2

    6.12.1 iManager RBS Configuration with OES 2 In “Installing RBS” in the Novell iManager 2.7.4 Administration Guide, you are instructed to run the iManager Configuration Wizard before using iManager. When iManager is installed in connection with OES 2, various roles and tasks are configured, as ...
  • Page 68: NCP Doesn't Equal NSS File Attribute Support

    However, this doesn’t work, because NSS file attributes are only supported on NSS volumes. 6.14 Novell-tomcat Is for OES Use Only The novell-tomcat package is installed for Novell service use only. It is an embedded part of Novell services, not a generic application platform.
  • Page 69: OpenLDAP on OES 2

    6.18.2 Always Use Timesync Rather Than NTP Time synchronization problems have been observed when virtualized NetWare servers are running the XNTPD NLM. Therefore, Novell strongly recommends using Timesync and also configuring the service to communicate through NTP. Caveats for Implementing OES 2 Services...
  • Page 70: Backing Up A Xen Virtual Machine

    6.18.4 Time Synchronization and Virtualized OES 2 eDirectory relies on time being synchronized and connections with eDirectory are lost if the system time varies in the host operating system. Be sure you understand and follow the instructions in Virtual Machine Clock Settings (http://www.novell.com/documentation/sles10/ book_virtualization_xen/data/sec_guest_suse.html#sec_xen_time) in the “Virtual Machine Clock...
  • Page 71: Upgrading to OES 2

    7.1.3 OES 1 Linux to OES 2 Service Differences eGuide, Novell iFolder 2, and Virtual Office are not supported on OES 2. If you upgrade an OES 1 Linux server with any of these installed to OES 2 SP3, the services cease to function.
  • Page 72: Only One eDirectory Instance Is Supported on OES Servers

    7.1.4 Only One eDirectory Instance Is Supported on OES Servers If your OES server has multiple instances of eDirectory running (multiple trees), any attempt to upgrade the server fails. You must remove all instances, except the one that uses port 524, prior to an upgrade. For more information, see Section 6.7.5, “One Instance Only,”...
  • Page 73: Supported OES 2 SP3 Migration Paths

    Migrating and Consolidating Existing Servers and Data This section briefly outlines the following migration topics: Section 8.1, “Supported OES 2 SP3 Migration Paths,” on page 73; Section 8.2, “Migration Tools and Purposes,” on page 73. 8.1 Supported OES 2 SP3 Migration Paths For a complete list of Open Enterprise Server SP3 migration scenarios and paths, see “Migration Scenarios” ...
  • Page 75: Graphical Overview of Virtualization in OES 2

    SLES 10) 9.2 Why Install OES Services on Your VM Host? Novell supports three OES 2 services running on a Xen VM host server: Novell Linux User Management, Novell Storage Management Services, and Novell Cluster Services. Additionally, whenever you specify OES 2 as an add-on product, the YaST-based NetWare Response File Utility is automatically installed, whether you install any OES 2 services or not.
  • Page 76: Services Supported on VM Hosts and Guests

    Storage Management Services (SMS): Lets you back up the VM host server and all of the VM guests. Novell Cluster Services (NCS): Lets you cluster the VM guests running on the VM host. NetWare Response File Utility: Lets you pre-answer the same questions as you would during a physical NetWare installation.
  • Page 77 (Columns: Linux VM Host | Linux VM Guest | NetWare VM Guest.) Rows: NCP Server/Dynamic Storage Technology; NetStorage; Novell Remote Manager (NRM); Novell Storage Services (NSS); QuickFinder; Samba. IMPORTANT: Adding OES services to a Xen VM host requires that you boot the server with the regular kernel prior to adding the services.
  • Page 79: Clustering And High Availability

    Clustering and High Availability Open Enterprise Server 2 includes support for a two-node Novell Cluster Services cluster. The full Novell Cluster Services product (available through a separate purchase) is a multinode clustering product that can include up to 32 servers.
  • Page 81: Overview Of Management Interfaces And Services

    Managing OES 2 This section includes the following topics: Section 11.1, “Overview of Management Interfaces and Services,” on page 81; Section 11.2, “Using OES 2 Welcome Pages,” on page 82; Section 11.3, “OES Utilities and Tools,” on page 83 ...
  • Page 82: Using OES 2 Welcome

    The OES 2 Welcome Web site (shown in the figure at the example address 192.168.1.45) lets you run iManager, NRM, etc.; download applicable client software; go to important OES 2 pages on Novell.com; start training on Linux; and get migration help. This section explains OES Welcome Web Site features, and discusses: Section 11.2.1, “The Welcome Site Requires JavaScript, Apache, and Tomcat,” on page 82 ...
  • Page 83: Accessing The Welcome Web Site

    Administrators,” a reference that outlines the OES equivalents for most of the familiar CLI tools on NetWare. Novell OES 2 includes several administration utilities that let you manage everything in your network, from configuring and managing eDirectory to setting up network services and open source software.
  • Page 84 (Columns: Tool | Tasks | Access Method or URL/Username | Notes.) Novell Remote Manager (NRM): on NetWare, IP_Address:8008. 2. Specify the eDirectory Admin username and password, or on Linux you can use the root user and password if needed. For more information, see the OES 2 SP3: Novell Remote Manager for Linux Administration Guide. Health Monitoring Services ...
  • Page 85 iManager: Create and manage users, groups, and other objects; delegate administration through Role-Based ... 2. Specify the eDirectory Admin username and password. For more information on using iManager, see the Novell iManager 2.7.4 Administration Guide. See also iManager Workstation.
  • Page 86 iMonitor: IP_or_DNS:8030/ ... (instances of the directory service) rather than the entire eDirectory tree. 2. Specify the eDirectory Admin username and password. For more information, see “Using Novell iMonitor 2.4” in the Novell eDirectory 8.8 Administration Guide. iPrint Map: Create a printer map. 1. ...
  • Page 87 (Columns: Tool | Tasks | Access Method or URL/Username | Notes.) Novell Client: Manage file system access. Use the Novell N icon to access these and other tasks. As an Admin user (or equivalent), you can set directory and user quotas for ...
  • Page 88 NetWare. 2. Specify either the eDirectory username and password or a Linux (POSIX) username and password. Manage the NCP Server (Linux); manage NCP connections to NSS. For more information, see the OES 2 SP3: Novell Remote Manager for Linux Administration Guide.
  • Page 89 (Columns: Tool | Tasks | Access Method or URL/Username | Notes.) OpenSSH (client access): Securely run commands on remote servers. Connect to the server using your favorite SSH client. On Linux, OpenSSH is installed by default and is accessed by eDirectory users as a LUM-enabled service.
  • Page 90 SNMP: Monitor an eDirectory server; track the status of eDirectory services using SNMP ... on your platform. 2. Access SNMP for eDirectory to verify ... For more information on SNMP for eDirectory, see “SNMP Support for Novell eDirectory” in the Novell eDirectory 8.8 Administration ...
  • Page 91: SSH Services on OES 2

    Section 11.4.1, “Overview,” on page 91  Section 11.4.2, “Setting Up SSH Access for LUM-enabled eDirectory Users,” on page 93 11.4.1 Overview SSH (http://www.novell.com/company/glossary.html#4187) services on SLES 10 are provided by OpenSSH (http://www.openssh.org), a free version of SSH connectivity tools developed by the OpenBSD Project (http://www.openbsd.org/).
  • Page 92 “How SSH Access for eDirectory Users Works” on page 92; “SSH Security Considerations” on page 93. When Is SSH Access Required? SSH access is required for the following: SSH administration access for eDirectory users: For eDirectory users to manage the server through an SSH connection, they must have SSH access as LUM-enabled users (eDirectory ...
  • Page 93: Setting Up SSH Access for LUM-Enabled eDirectory Users

    2 On the OES 2 server, open the YaST Control Center; then, in the Open Enterprise Server group, click OES Install and Configuration. 3 Click Accept. 4 When the Novell Open Enterprise Server Configuration screen has loaded, click the Disabled link under Linux User Management. The option changes to Enabled and the configuration settings appear.
  • Page 94 “Managing User and Group Objects in eDirectory” in the OES 2 SP3: Novell Linux User Management Administration Guide. After you configure the server’s firewall to allow SSH, add SSH as an allowed service, and LUM-enable the eDirectory users you want to have SSH access, those users have SSH access to the server, provided they are not also enabled for Samba on the server.
  • Page 95 Although the plug-in appears to deselect sshd as an allowed service, the service is still selected when group information is reloaded. Novell plans to address this issue in the near future. Managing OES 2...
  • Page 97: TCP/IP

    Network Services Network services, as used in this section, are associated with protocols that provide the following: data packet transport on the network; management of IP addresses and DNS names; time synchronization to make sure that all network devices and eDirectory replicas and partitions have the same time.
  • Page 98: DNS Differences Between NetWare and OES 2

    Table 12-1 DNS: NetWare 6.5 SP8 vs. OES 2 (columns: Feature or Command | NetWare 6.5 SP8 | OES 2). Auditing: DNSMaint. Fault Tolerance. Filenames and paths: server binary: sys:/system/named.nlm | /opt/novell/named/bin/novell-named; .db file: sys:/etc/dns | /etc/opt/novell/named/; .jnl file; named.conf; stat file, info file: /var/opt/novell/log/named/named.run ...
  • Page 99: DHCP Differences Between NetWare and OES 2

    12.2.2 DHCP Differences Between NetWare and OES 2 As you plan to upgrade from NetWare to OES 2, consider the following differences between DHCP on NetWare and OES 2: Table 12-2 DHCP: NetWare 6.5 SP8 vs. OES 2 Feature or Command NetWare 6.5 SP8 OES 2 Auditing...
  • Page 100: Overview Of Time Synchronization

    Section 12.3.5, “Configuring and Administering Time Synchronization,” on page 109; Section 12.3.6, “Daylight Saving Time,” on page 110. 12.3.1 Overview of Time Synchronization All servers in an eDirectory tree must have their times synchronized to ensure that updates and changes to eDirectory objects occur in the proper order.
  • Page 101 Figure 12-2 illustrates that OES 2 and NetWare 6.5 servers can freely interchange time synchronization information because NetWare 6.5 includes the following: a TIMESYNC NLM that both consumes and provides NTP time packets in addition to Timesync packets; an XNTPD NLM that can provide Timesync packets in addition to offering standard NTP functionality.
  • Page 102 Figure 12-4 Synchronizing Time on NetWare 5.0 and 4.2 Servers (NTP packets and Timesync packets exchanged between TIMESYNC NLMs on NetWare). Therefore, if you have NetWare 4.2 or 5.0 servers in your eDirectory tree, and you want to install an OES 2 server, you must have at least one NetWare 5.1 or later server to provide a “bridge” between NTP and Timesync time packets.
  • Page 103: Planning For Time Synchronization

    OES 2 Servers as Time Consumers Figure 12-6 shows the time sources that OES 2 servers can use for synchronizing server time. IMPORTANT: Notice that NetWare 4.2 is not shown as a valid time source. Figure 12-6 OES 2 Servers as Time Consumers: external, reliable time source ...
  • Page 104 “Time Synchronization for Trees with More Than Thirty Servers” on page 104; “Time Synchronization across Geographical Boundaries” on page 104. Time Synchronization for Trees with Fewer Than Thirty Servers If your tree will have fewer than thirty servers, the default installation settings for time synchronization should be sufficient for all of the servers except the first server installed in the tree.
  • Page 105 Planning a Time Synchronization Hierarchy before Installing OES The obvious goal for time synchronization is that all the network servers (and workstations, if desired) have the same time. This is best accomplished by planning a time synchronization hierarchy before installing the first OES 2 server, then configuring each server at install time so that you form a hierarchy similar to the one outlined in Figure 12-7.
  • Page 106: Coexistence And Migration Of Time Synchronization Services

    6 (Conditional) If your network spans geographic locations, plan the connections for time-related traffic on the network and especially across WANs. For more information, see “Wide Area Configuration” in the NW 6.5 SP8: NTP Administration Guide. For more planning information, see the following documentation: ...
  • Page 107 Time Synchronization Compatibility Table 12-3 Module Compatibility TIMESYNC NLM (NetWare) Can consume time from  All previous versions of Timesync. However, the NetWare 4.2 TIMESYNC NLM should not be used as a time source.  Any TIMESYNC or NTP daemon. Can provide time to ...
  • Page 108: Implementing Time Synchronization

    12.3.4 Implementing Time Synchronization As you plan to implement your time synchronization hierarchy, you should know how the NetWare and OES 2 product installations configure time synchronization on the network. Both installs look at whether you are creating a new tree or installing into an existing tree. ...
  • Page 109: Configuring And Administering Time Synchronization

    Existing Tree When a server joins an existing eDirectory tree, both OES installations do approximately the same thing.  “OES 2” on page 109  “NetWare 6.5 SP8” on page 109 OES 2 If you are installing into an existing tree, the OES 2 install proposes to use the IP address of the eDirectory server (either NetWare or Linux) as the NTP time source.
  • Page 110: Daylight Saving Time

    Some systems are designed to leverage only a single discovery technology. Others choose among the various providers. And some use different technologies in combination with each other.  Section 12.4.1, “Novell SLP and OpenSLP,” on page 110  Section 12.4.2, “WinSock and Discovery Is NetWare only,” on page 111 ...
  • Page 111: Winsock And Discovery Is Netware Only

    Application Server. Starting with NetWare 6.5 SP3, the UDDI server component was removed from the list of products that could be installed. The Novell UDDI server has been released as open source software and is available for download on the Novell Forge Web site (http://forge.novell.com/modules/xfmod/project/showfiles.php?group_id=1025).
  • Page 112: Why Slp Is Needed

     Have eDirectory registered with the OpenSLP service running on the server. This requires SLP configuration either during the OES 2 installation or manually. 12.5.2 Comparing Novell SLP and OpenSLP SLP Solutions Table 12-4 Platform...
  • Page 113: Setting Up Openslp On Oes 2 Networks

    You plan to install more than three servers into a new tree or a new eDirectory partition being created on an OES 2 server.  You either don’t have an existing Novell SLP service, or you don’t want to continue using Novell SLP. Network Services 113...
  • Page 114 Scopes group and organize the services on your network into logical categories. For example, the services that the Accounting group needs might be grouped into an Accounting scope. More information about scope planning is available in “SLP Scopes” in the Novell eDirectory 8.8 Administration Guide and on the OpenSLP Web site (http://www.openslp.org/).
  • Page 115 “Configuring for DA Access Before or After Installing the OES 2 Server” on page 116 Configuring for DA Access During the OES 2 Installation As you install OES 2 by using the instructions in the “Novell eDirectory Services” section of the OES 2 SP3: Installation...
  • Page 116 Configuring NetWare Servers to Use the OpenSLP Service IMPORTANT: NetWare uses Novell SLP by default and will configure a server for that service if possible. Complete one of the following as it applies to your situation: ...
  • Page 117: Using Novell Slp On Oes 2 Networks

    12.5.4 Using Novell SLP on OES 2 Networks If you have a NetWare tree, you automatically have Novell SLP on your network and you can continue to use it as the SLP service during the upgrade to OES 2 until you are ready to switch to OpenSLP.
  • Page 118 Directory 3 In the Configured SLP Directory Agent field, type the IP address of an appropriate DA server. You can use Novell Remote Manager on a NetWare server if you aren’t sure which address to use. You can also list additional DA addresses, separated by commas.
  • Page 119 = Directory 4 Find the following line: ;net.slp.DAAddresses = myDa1,myDa2,myDa3 5 Modify the line by removing the semicolon and typing the actual IP address of the Novell SLP DA (using Novell Remote Manager if necessary). net.slp.DAAddresses = IP_Address 6 Save the file and close it.
  • Page 120: Slp Changes In Sp3

    12.5.5 SLP Changes in SP3 When SLP Directory Agents are deployed across a WAN and multicasting is disabled across that WAN, SLP Service Agents cannot hear DA Advertisements (DAAdvt) from the SLP Directory Agents. A Service Agent that does not receive a DAAdvt cannot re-register its service details with the SLP Directory Agent, and OpenSLP stores service information only in memory.
  • Page 121: Storage And File Systems

    Section 13.1.4, “Storage Basics by Platform,” on page 124  Section 13.1.5, “Storage Options,” on page 124  Section 13.1.6, “NetWare Core Protocol Support (Novell Client Support) on Linux,” on page 126 13.1.1 Databases See the topics in “databases” in the OES online documentation.
  • Page 122: Iscsi

    ” in the OES online documentation. 13.1.3 File System Support in OES As shown in Figure 13-1, both OES 2 and NetWare support Novell Storage Services as well as their traditional file systems. File System Choices on OES 2 Servers Figure 13-1...
  • Page 123 File System Type / Summary / Link for More Information: Novell Storage Services (NSS): NSS lets you manage your shared file storage for any size organization. For an overview of NSS, see “Overview of NSS” in the OES 2 SP3: NSS File System Administration Guide for Linux.
  • Page 124: Storage Basics By Platform

    For more information on the various devices that NSS supports, see “Managing Devices” in the 2 SP3: NSS File System Administration Guide for Linux. 13.1.4 Storage Basics by Platform The following sections summarize storage basics for Linux and NetWare.  “Linux and File Systems”...
  • Page 125 As shown in Figure 13-1 on page 122, you can install traditional volumes and Novell Storage System (NSS) volumes on both OES platforms. These devices can be installed within the server or attached directly to the server through an external SCSI bus.
  • Page 126: Netware Core Protocol Support (Novell Client Support) On Linux

    Many organizations rely on Novell Client software and the NetWare Core Protocol (NCP) for highly secure file storage services. Novell Storage Services (NSS) volumes are NCP volumes by nature, and you can also define Linux POSIX volumes as NCP volumes. The main difference in access control between NSS volumes and Linux POSIX volumes that are defined as NCP volumes is that NSS extended file and directory attributes are not available on Linux POSIX volumes.
  • Page 127: General Requirements For Data Storage

    Services listed per file system in the table: iFolder 3.8, NetStorage, Novell Client (NCP), Novell AFP, Samba, Novell CIFS...
  • Page 128 POSIX The Novell Storage Services file system is used in NetWare 5.0 and above, and most recently is open sourced and included in the SUSE Linux Enterprise Server (SLES) 9 SP1 Linux distribution and later (used in the Novell Open Enterprise Server Linux product).
  • Page 129 Ext2 (/boot) as explained in “Paravirtual Mode and Journaling File Systems” (http://www.novell.com/documentation/sles10/xen_admin/data/sec_xen_filesystem.html) in the Virtualization with Xen (http://www.novell.com/documentation/sles10/xen_admin/data/bookinfo.html) guide. Ext3  Most popular Linux file system; limited scalability in size and number of files ...
  • Page 130 CIFS (Novell CIFS and Samba): The Common Internet File Services (CIFS) protocol is the protocol for Windows networking and file services. Novell CIFS is a ported version of the CIFS file service traditionally available only on NetWare but now available for OES 2.
  • Page 131 Reiser and NSS the best bets. Novell iFolder maintains its own ACL, so having an NSS file system that supports a rich ACL might be redundant.
  • Page 132: Nss Planning Considerations

    Dynamic Storage Technology does not depend on a particular file system in principle; however, it is currently supported only on NSS volumes. Novell plans to add support for additional file systems in the future. When that happens, it will be important to remember that file systems cannot be mixed between volumes and shadow volumes.
  • Page 133: Mysql

    You can install NCP Server for Linux to provide NetWare Core Protocol access to Linux POSIX file systems. This allows users running the Novell Client software to map drives to the Linux file system data, with access controls being enforced by NCP.
  • Page 134: Netware 6.5 Sp8 Options

    Users can access data storage on OES 2 servers through a number of methods. For more information, see “Overview of File Services” on page 177. 13.3.3 NetWare 6.5 SP8 Options NetWare 6.5 SP8 supports both the NetWare Traditional file system and Novell Storage Services (NSS).  “NetWare Traditional File System” on page 134 ...
  • Page 135 Table 13-3 Category/Feature / Description / Link: Archive and Version Services: Use Archive and Version Services with NSS volumes to save interval-based copies of files that can be conveniently restored by administrators and users. Link: OES 2 SP3: Novell Archive and Version Services 2.1 Administration Guide.
  • Page 136: Optimizing Storage Performance

    Category/Feature / Description / Link: Quotas: Set space restrictions for users and directories to control storage usage. Link: “Managing Space Quotas for Volumes, Directories, and Users” in the OES 2 SP3: NSS File System Administration Guide for Linux. Salvage subsystem: Use the salvage subsystem to make deleted files and directories available ... Link: “Salvaging and Purging Deleted Volumes, Directories, and...
  • Page 137: Edirectory, Ldap, And Domain Services For Windows

    Storing and managing network identities in directory services is a fundamental expectation for networking. In the simplest terms, Novell eDirectory is a tree structure containing a list of objects (or identities) that represent network resources, such as the following: ...
  • Page 138: Edirectory

    (Figure: OES 2 servers and eDirectory servers.) 14.2 eDirectory Novell eDirectory is the central, key component of Novell Open Enterprise Server (OES) and provides the following:  Centralized identity management  The underlying infrastructure for managing your network servers and the services they provide ...
  • Page 139: Planning Your Edirectory Tree

    Novell eDirectory 8.8 What's New Guide. 14.2.3 eDirectory Coexistence and Migration Novell Directory Services (NDS) was introduced with NetWare 4.0. The successor to NDS, Novell eDirectory, is also available for Microsoft Windows, Red Hat, and SUSE versions of Linux, as well...
  • Page 140: Overview Of Edirectory Ldap Services

     Users can work in a pure Windows desktop environment and still take advantage of some OES back-end services and technology, without the need for a Novell Client™ or even a matching local user account on the Windows workstation. ...
  • Page 141: Graphical Overview Of Dsfw

    14.4.1 Graphical Overview of DSfW  “File Access” on page 141  “User Management” on page 142  “Storage Management” on page 143 File Access DSfW File Access Overview (Figure 14-2: columns Access Methods, Authentication, File Storage Services; Windows Explorer, Internet Explorer, eDirectory User; Could be on a...)
  • Page 142 Access Methods: Windows Explorer (CIFS) or Internet Explorer (WebDAV Web Folders). No Novell Client can be on the Windows machine. Authentication: authentication through the eDirectory server using common Windows authentication protocols, including Kerberos, NTLM, and SSL/TLS. For eDirectory users, ... File Storage Services: provided by Samba to NSS or traditional Linux file systems.
  • Page 143 DSfW User Management Table 14-2 Management Tools: iManager manages DSfW users like other eDirectory users. MMC manages both AD users and DSfW users as though they were AD users. Users: DSfW users must have the Default Domain Password policy assigned and a valid Universal Password. DSfW users are automatically enabled for Samba and LUM.
  • Page 144: Planning Your Dsfw Implementation

    Universal Password in a Name-Mapped Scenario If you install DSfW into an existing tree and your users don’t currently have a Universal Password policy assigned, they won’t be able to log in without the Novell Client until the Universal Password has been set.
  • Page 145 Install DSfW on a New OES 2 Server When Possible Because of the service limitations mentioned in OES 2 Service Limitations, Novell strongly recommends that you install DSfW on a new server. DNS Configuration As you set up DNS, observe the following guidelines: ...
  • Page 147: Users And Groups

    “local” POSIX users on Linux servers. This technology is called Linux User Management or LUM. The following sections outline the basic principles involved in Novell LUM and cover the following topics: ...
  • Page 148: Overview

    The topics in this section are designed to help you understand when LUM-enabled access is required so that your network services are accessible and work as expected. For more information about Linux User Management, see “Overview” in the OES 2 SP3: Novell Linux User Management Administration Guide.
  • Page 149 Even if eDirectory is not available, you can still log into the server through Novell Remote Manager and perform other system management tasks as the user.
  • Page 150 About Service Access on OES 2 Novell Linux User Management (LUM) lets you use eDirectory to centrally manage remote users for access to one or more OES 2 servers. In other words, LUM lets eDirectory users function as local (POSIX) users on an OES 2 server.
  • Page 151 The assumption is that such users are accessing their data root on NSS or NCP volumes by using an NCP storage location object. In both cases, the Novell Trustee Model applies and POSIX ownership is irrelevant. If non-LUM NetStorage users are later enabled for Samba access (which includes LUM-enabling) and begin using Samba as a file service, their NetStorage uploaded files are not accessible through Samba until you change POSIX file ownership.
  • Page 152 Both Novell trustee assignments and POSIX file ownership are tracked correctly after users are LUM-enabled. Although NetStorage doesn’t require LUM-enabled access, the service itself runs as a POSIX-compliant system User (initially a local user on the OES 2 server) who functions on behalf of the end users that are accessing the service.
  • Page 153: Planning

    15.2.2 Planning The following sections summarize LUM planning considerations.  “eDirectory Admin User Is Automatically Enabled for Linux Access” on page 153  “Planning Which Users to Enable for Access” on page 153  “Be Aware of System-Created Users and Groups” on page 153 eDirectory Admin User Is Automatically Enabled for Linux Access When you install Linux User Management on an OES 2 server, the Admin User object that installs LUM is automatically enabled for eDirectory LDAP authentication to the server.
  • Page 154 nambulkadd: For more information, see the OES 2 SP3: Novell Linux User Management Administration Guide. “UNIX Workstation” and “Linux Workstation” Are the Same Thing When you use iManager to manage OES 2 access, you might notice some inconsistencies in naming.
  • Page 155 Using LUM Utilities at the Command Prompt Novell Linux User Management includes utilities for creating new LUM-enabled groups, and for enabling existing eDirectory groups for Linux access.  The nambulkadd utility lets you use a text editor to create a list of groups you want enabled for Linux access.
  • Page 156: Identity Management Services

     If you use Novell Client software to provide network file and print services, you can now provide seamless file and print access to OES 2 servers by using the NCP server for Linux and iPrint services. For more information, see Section 17.6, “NCP Implementation and...
  • Page 157: What Am I Entitled To Use

    Identity Manager Bundle Edition. For more information on Activation issues, see “Activating the Bundle Edition” on page 158. 15.4.4 Getting Started The following sections from the Novell Identity Manager Administration Guide will help you plan, install, and configure your Identity Manager Bundle Edition.  Overview (http://www.novell.com/documentation/idm36/install/data/alxkrnf.html) ...
  • Page 158: Activating The Bundle Edition

    15.4.5 Activating the Bundle Edition If you choose to purchase additional Identity Manager Integration Modules, you need to install the activation credential for those Integration Modules and also the credential for Novell Identity Manager. See Activating Identity Manager Products Using a Credential (http://www.novell.com/documentation/idm36/install/data/brph5hb.html)
  • Page 159 Up a Connected System (http://www.novell.com/documentation/idm36/admin/data/bs35odr.html) for more information. In order to run Identity Manager on Solaris or AIX, you need to purchase Novell Identity Manager. My drivers stopped working. What happened? You might have installed the Bundle Edition on a non-OES server. The Bundle Edition must be installed on your Linux or NetWare server where OES exists.
  • Page 160 How do I know what’s activated? For information about how to view currently activated products, see Viewing Product Activations (http://www.novell.com/documentation/idm36/install/data/agfhtax.html).
  • Page 161: Access Control And Authentication

    “Access to OES 2 Services” on page 162  “Access Control Options in OES 2” on page 163  “The Traditional Novell Access Control Model” on page 164  “NSS Access Control on OES” on page 165
  • Page 162 Windows workstations use the CIFS protocol for file services.  Novell Client software for both Windows and Linux uses the NetWare Core Protocol (NCP) to provide the file services for which Novell is well known.
  • Page 163 169. Access Control Options in OES 2 Because OES 2 offers both traditional Novell access control and POSIX access control, you have a variety of approaches available to you, including combining the two models to serve various aspects of your network services.
  • Page 164 NSS offers. In the Novell access control model, eDirectory objects, such as users and groups, are assigned File System Trustee Rights to directories and files on NSS and NCP volumes. These trustee rights determine what the user or group can do with a directory or file, provided that the directory or file attributes allow the action.
  • Page 165 Access Rights Explanation Table 16-2 eDirectory Objects: eDirectory objects (in most cases ... File System Trustee Rights: File system trustee rights govern access and usage by the ... Directory and File Attributes: Each directory and file has attributes associated with it. Directories and Files: The possible actions by the users and group shown in this example ...
  • Page 166 NSS volumes. Novell Client (NCP File Services) Access If you have not already determined whether to use the Novell Client on your network, we recommend that you consider the following information:  “About the Novell Client” on page 166 ...
  • Page 167: Planning For Service Access

    Differences between Linux and Windows There are some differences between the Linux and Windows clients. These are documented in “Understanding How the Novell Client for Linux Differs from the Novell Client for Windows 2000/XP” in the Novell Client 2.0 SP3 for Linux Administration Guide.
  • Page 168 User space quotas Planning Print Service Access Novell iPrint has access control features that let you specify the access that each eDirectory User, Group, or container object has to your printing resources. You can also use iPrint to set up print services that don’t require authentication.
  • Page 169 (Figure: client platforms and the default protocols and applications they use to reach OES servers. Linux: Novell AFP, CIFS (Novell CIFS or Samba), iPrint, WebDAV; Mac and Windows: Internet Explorer to NetStorage, Novell CIFS, Samba, Novell Client using NetWare Core Protocol (NCP) for file access; PDAs: NetStorage only over HTTP.)
  • Page 170: Coexistence And Migration Of Access Services

    Novell Client access. This means that Windows users with the Novell Client installed can now be seamlessly transitioned to file services on OES 2. And with the Novell Client for Linux, Windows users can be moved to SUSE Linux Enterprise Desktop with no disruption in NCP file services.
  • Page 171 Using the Novell Client to Change File and Directory Attributes and Trustee Rights You can use the Novell Client to change NSS file and directory attributes and to grant trustee rights to an NSS volume on an OES 2 server. For more information, see “NetWare File...
  • Page 172: Authentication Services

    OES online documentation. NetIdentity Agent In OES 2, the NetIdentity Agent works with Novell eDirectory authentication to provide background eDirectory authentication to NetStorage through a secure identity “wallet” on the workstation. NetIdentity Agent browser authentication is supported only by Windows Internet Explorer.
  • Page 173 NetWare 6.5. Novell Modular Authentication Services (NMAS) Novell Modular Authentication Services (NMAS) lets you protect information on your network by providing various authentication methods to Novell eDirectory on NetWare, Windows, and UNIX networks. These login methods are based on three login factors: ...
  • Page 174 Novell Password Management 3.3.1 Administration Guide. All Novell products and services are being developed to work with extended character (UTF-8 encoded) passwords. For a current list of products and services that work with extended characters, see Novell TID 3065822 (http://www.novell.com/support/search.do?cmd=displayKC&docType=kc&externalId=3065822&sliceId=1&docTypeID=DT_TID_1_1&dialogID=77556590&stateId=0%200%2077560425).
  • Page 175: Planning For Authentication

    Universal Password. Universal Password is not automatically enabled unless you install Novell AFP, Novell CIFS, Domain Services for Windows, or Novell Samba on an OES 2 server. You can optionally choose to have the Samba hash password stored separately.
  • Page 177: File Services

    The file service components in OES are generally compatible. However, you cannot run Novell Samba on the same OES 2 server as Novell AFP, Novell CIFS, or Domain Services for Windows (which is not reviewed here as a file service, but does include an alternative Samba file service).
  • Page 178: Using The File Services Overviews

    NetWare Core Protocol (NCP) is the technology beneath many of the network services for which NetWare is famous. In OES, NCP is also available on Linux. The Novell NCP Server for Linux provides the rich file services that Novell is known for. Windows and Linux users who run Novell Client software can now access data, manage files and folders, map drives, etc., using the same methods as they do on...
  • Page 179: Netstorage

     “Common Network File Storage Problems” on page 179  “Novell NetStorage on Linux” on page 180 NetStorage makes network files available anywhere, any time. Common Network File Storage Problems Network file access is often confusing and frustrating to users, as illustrated in Figure 17-2.
  • Page 180 Novell NetStorage on Linux NetStorage on Linux provides local and Web access to files on many systems without requiring the Novell Client (see Figure 17-3).
  • Page 181 How NetStorage Works on OES 2 (Figure 17-3: columns Access Methods, Authentication, NetStorage Server, Target Servers. Access methods: Windows Explorer, WebDAV, browser over HTTP. Target servers: CIFS share (NFAP), CIFS share (Samba), Windows servers, Linux OES 2 traditional volume, NetWare Traditional volume. Authentication: eDirectory/LDAP...)
  • Page 182: Novell Afp

    SSH Access Required?” on page 17.1.5 Novell AFP The Novell AFP service lets users on Macintosh workstations access and store files on OES 2 servers with NSS volumes without installing any additional software, such as the Novell Client (see Figure 17-4).
  • Page 183: Novell Cifs

    OES 2 server. 17.1.6 Novell CIFS The Novell CIFS service lets users on Windows workstations access and store files on OES 2 servers with NSS volumes without installing any additional software, such as the Novell Client (see Figure 17-4).
  • Page 184: Novell Ifolder 3.8

    Files on the OES 2 server are accessed and maintained with the HTTP-WebDAV protocol. 17.1.7 Novell iFolder 3.8 Novell iFolder 3.8 supports multiple iFolders per user, user-controlled sharing, and a centralized network server for file storage and secure distribution (see Figure 17-6).
  • Page 185 Novell iFolder 3.8 Services: Linux, Mac, and Windows workstation users who have the Novell iFolder Client installed can access and modify their files in one or more workstation folders. All file service access is controlled by LDAP-based authentication through the ... Slave servers can be added as needed, providing the ability to ...
  • Page 186: Novell Samba

    17.1.8 Novell Samba Samba on an OES 2 server provides Windows (CIFS and HTTP-WebDAV) access to files stored on the OES 2 server (see Figure 17-7). How Samba on OES Works (Figure 17-7: columns Access Methods, Authentication, File Storage Services; CIFS...)
  • Page 187: Planning For File Services

    OES File Services Feature Breakdown Table 17-8 Service / Access Method Features / Back-End Storage Features / Security Features: NCP Server (NetWare Core Protocol): Novell Client (NCP client); Any Linux volumes (including NSS) that are defined as NCP volumes; eDirectory Authentication ...
  • Page 188: Comparing Your Cifs File Service Options

    Windows Explorer 17.2.2 Comparing Your CIFS File Service Options OES 2 SP3 offers three file services that use the CIFS protocol: Novell CIFS, Novell Samba, and Samba in Domain Services for Windows (DSfW).
  • Page 189 Comparing OES 2 CIFS Solutions Table 17-9 Item: Authentication. Novell CIFS: A Password policy that allows the CIFS proxy user to retrieve ... Novell Samba: A Samba-compatible Password policy is required for compatibility ... Samba in DSfW: The Domain Services Password policy is required for DSfW users.
  • Page 190: Planning Your File Services

    NetStorage: There are no disk space requirements because NetStorage provides access only to other file storage services.  Novell AFP: Allocate enough disk space for the partition containing the /home directories to meet your users’ file storage needs.  Novell CIFS: Allocate enough disk space for the partition containing the /home directories to meet your users’...
  • Page 191: Coexistence And Migration Of File Services

    Novell Client 2.0 SP3 for Linux Administration Guide. Because NCP is now available on Linux, Novell Client users can attach to OES 2 servers as easily as they have been able to attach to NetWare servers. The NCP Server for Linux enables support for login script, mapping drives to OES 2 servers, and other services commonly associated with Novell Client access.
  • Page 192: Novell Afp

    OES 2 includes Samba software to provide Microsoft CIFS and HTTP-WebDAV access to files on the server. Like Novell CIFS, this is useful to those who don’t want to use the Novell Client. There is no migration path from Novell CIFS (NFAP) to Samba.
  • Page 193: Managing Access Rights

    For more information on ACLs, see “Access Control Lists” (http://www.novell.com/documentation/sles10/sles_admin/data/cha_acls.html) in the SLES 10 SP3: Installation and Administration Guide (http://www.novell.com/documentation/sles10/sles_admin/data/sles_admin.html). The Linux chown command lets you change the file owner and/or group to a LUM user or a LUM-enabled group.
  • Page 194: Providing A Private Work Directory

    Those familiar with the binary number system find this method an easy way to remember what each number represents. For example, the command chmod 777 /home would grant read, write and execute rights (7) to owner, group, and other for the /home directory, while chmod 700 /home would grant the three rights to only the directory owner, with group and other having no rights.
  • Page 195: Providing A Public Work Area

    where group is the group name, path is the file path to the work area, and group_dir is the group work directory. The option applies the action to all subdirectories and files in group_dir. 2 Grant the group read, write, and execute rights (. . . rwx . . .). (Owner and other permissions are represented by dots because their settings are irrelevant.) For example, you could enter chmod -R 770 /path/group_dir...
  • Page 196: Setting Up Rights Inheritance

    OES 2 SP3: NCP Server for Linux Administration Guide. 17.5 Novell FTP (Pure-FTPd) and OES 2 FTP file services on OES 2 servers are provided by Pure-FTPd, a free (BSD), secure, production-quality and standard-conformant FTP server. The OES implementation includes support for eDirectory LDAP authentication and the same FTP/SFTP gateway functionality as on NetWare.
  • Page 197: Administering And Managing Pure-Ftpd On An Oes 2 Server

    /etc/pure-ftpd/pure-ftpd.conf file to pure-ftpd1.conf and move it to /etc/opt/novell/pure-ftpd1.conf. 2 Modify the following settings in the configuration file to avoid IP address or port conflicts between the instances:  PIDFile: Points to the full path of the PID file created by the pure-ftpd instance. The PID file is used for unloading a particular instance of pure-ftpd.
  • Page 198 Bind 10.1.1.1,21 and Bind 10.1.1.2,21. 3 Load the new instance using /usr/sbin/pure-config.pl <Full path of the config file> For example: /usr/sbin/pure-config.pl /etc/opt/novell/pureftpd-confs/pure-ftpd1.conf loads an instance using the config file /etc/opt/novell/pureftpd-confs/pure-ftpd1.conf. Verifying the Load of a New Instance Use the following methods to verify that the new instance of pure-ftpd is successfully loaded: ...
  • Page 199 (Figure: a workstation running FTP client software; a user uses FTP to connect to the local Linux FTP server; the local Linux server running the FTP service; a remote OES/NetWare server running NetWare 4.1 or later without the FTP service. After logging in to the FTP server, the user can now access files on the ...)
  • Page 200 Entry / Value / Reason Why: ChrootEveryone: Option yes restricts users to logging in only to their home directory; they cannot navigate to other directories, including remote OES servers. AnonymousOnly: Option yes allows only anonymous logins.
  • Page 201: Cluster Enabling Pure-Ftpd In An Oes 2 Environment

    NSS volume. Configuring Active/Active Mode 1 Install pure-ftpd on all the cluster nodes by selecting Novell FTP in the OES install. Upgrade pure-ftpd on all the nodes with the test RPM. 2 Enable hard links on the shared NSS volumes.
  • Page 202: Troubleshooting Pureftpd

    17.6 NCP Implementation and Maintenance If you have installed the NCP server for OES, eDirectory/Novell Client users can access files on the OES 2 server with no additional configuration. The implementation information in the following sections can help you get started with NCP on OES 2 servers.
  • Page 203: Assigning File Trustee Rights

    You can use the same methods for assigning file trustee rights on NCP volumes on OES 2 servers that you use when assigning them on NetWare. For example, the Novell Client can be used by anyone with the Access Control right on the volume, or the root user can use the ncpcon utility >...
  • Page 204: About Automatic Access And Storage Locations

    17.7.1 About Automatic Access and Storage Locations The inherent value of NetStorage lies in its ability to connect users with various servers and file systems. Some connections are created automatically depending on the OES platform where NetStorage is installed. Other connections must be created by the network administrator. In summary, NetStorage provides automatic access to: ...
  • Page 205: Netstorage Authentication Is Not Persistent By Default

    Guide. 17.8 Novell AFP Implementation and Maintenance To use the Novell implementation of AFP file services on your OES 2 server, you must install the service by using the instructions in the OES 2 SP3: Installation Guide (for a new installation) or install it after the initial OES installation, as explained in “Installing AFP after the OES2 SP 3...
  • Page 206: Implementing Novell Afp File Services

    Guide. 17.9 Novell CIFS Implementation and Maintenance To use the Novell implementation of CIFS file services on your OES 2 server, you must install the service by using the instructions in the OES 2 SP3: Installation Guide (for a new installation) or install it after the initial OES installation, as explained in “Installing and Configuring a CIFS Server...
  • Page 207: Managing Novell Ifolder 3.8

    Novell iFolder 3.8.4 Administration Guide. 17.10.2 Configuring Novell iFolder 3.8 Servers Before you let users log in to the Novell iFolder 3.8 server, be sure you complete all the setup tasks in “Installing and Configuring iFolder Services” (including “Configuring iFolder Web Admin”...
  • Page 208: Implementing Samba File Services

    17.11.1 Implementing Samba File Services All users whose accounts have been enabled for Samba access can access the OES 2 server as they would any Windows server. For instructions on implementing Samba, see “Installing Samba for OES 2” in the OES2 SP3: Samba Administration Guide.
  • Page 209: Search Engine (Quickfinder)

    Search Engine (QuickFinder) Open Enterprise Server 2 includes the Novell QuickFinder Server. QuickFinder lets you add search functionality to any Web site or internal intranet. It can index and find matches within a wide variety of data types. It also supports rights-based searches so that users see only what they have rights to see, depending on the type of index created and the file system indexed.
  • Page 210 210 OES 2 SP3: Planning and Implementation Guide...
  • Page 211: Print Services

    Print to installed printers from any location (including the Web) through an IP connection. The information in this section provides a high-level overview of Novell iPrint print services. It is designed to acquaint you with basic iPrint functionality so you understand the configuration steps you need to perform to provide iPrint print services, and understand how iPrint functions from the user’s perspective.
  • Page 212: Iprint Components

    19.1.2 iPrint Components A Novell iPrint installation consists of various components, most of which are represented by objects in your eDirectory tree: • Print Driver Store (Linux): This is a repository that stores the drivers on an OES 2 server for your network printers.
  • Page 213: Planning For Print Services

    [Figure 19-1 How iPrint Works. Labels: Authentication; Access Printing Services (Windows only); Browser on Linux, Macintosh, or Windows; Print page (browser); iPrint server (OES server), HTTP; Install a printer, using the native printer installation method for the Linux, Macintosh, or Windows workstation platform; Driver Store (Linux); Broker (NetWare).]
  • Page 214: Coexistence And Migration Of Print Services

    Although the Common UNIX Printing System (CUPS) software is also installed with SLES 10, CUPS is disabled to avoid port 631 conflicts. For information on upgrading from NetWare queue-based printing, Novell Distributed Print Services (NDPS), or previous versions of iPrint, see “Installing iPrint...
  • Page 215: Implementation Caveats

    2 Add a printer driver to the Driver Store or Broker for each printer/platform combination needed. For example, if you have Windows XP, Windows 2000, and Novell Linux Desktop (NLD) workstations on your network and you have four different printer types, you need to add four printer drivers for each platform (a total of 12 printer drivers) to the Driver Store or Broker.
  • Page 216: Print Services Maintenance Suggestions

    19.5 Print Services Maintenance Suggestions As you add printers to your network or move them to different locations, be sure to update your iPrint installation to reflect these changes. After your installation is completed and users are printing, you can monitor print performance by using the information located in “Using the Print Manager Health Monitor”...
  • Page 217: Web Services

    Web Services The Web and application services in Open Enterprise Server 2 support the creation and deployment of Web sites and Web applications that leverage the widespread availability of Internet-based protocols and tools. With the proper Web components in place, a server can host dynamic Web sites where the content changes according to selections made by the user.
  • Page 219: Security

    OES 2 SP3 includes the NSS Auditing Engine, which is installed by default with NSS. The auditing engine provides an interface that auditing client applications, such as Novell Sentinel and various third-party products, can access. Information about the auditing engine SDK is available...
  • Page 220: Encryption (Nici)

    • inherited rights modified. Novell Sentinel Log Manager 90-Day Free Trial: Novell Sentinel Log Manager runs on a 64-bit SLES 11 host. You can download the suite from the Novell Download Web site (http://download.novell.com/Download?buildid=o8BgsbCidWg~). For installation and usage instructions, see the Novell Log Management Readme and Release Notes included as a link on the download page.
  • Page 221: General Security Issues

    Section 21.2.2, “User Restrictions: Some OES 2 Limitations,” on page 223 21.2.1 Comparing the Linux and the Novell Trustee File Security Models The Novell Trustee and Linux (POSIX) security models are quite different, as presented in Table 21-1. Table 21-1 POSIX vs.
  • Page 222 Feature: Default accessibility. POSIX / Linux: Users have permissions to see most of the file system. The contents of a few directories, such as ... Novell Trustee Model on OES 2: Users can see only the directories and files for which they are trustees (or members of a group that is a trustee).
  • Page 223: User Restrictions: Some Oes 2 Limitations

    Security section in the OES online documentation. 21.4 Links to Product Security Considerations The following product documentation contains additional security information: Table 21-2 Security Consideration Links (Product/Technology / Security Considerations Section Link): AppArmor: Novell AppArmor Administration Guide (http://www.novell.com/documentation/apparmor/apparmor201_sp10_admin/data/book_apparmor_admin.html) Security 223...
  • Page 224 “Security Considerations for Archive and Version Services” in the OES 2 SP3: Novell Archive and Version Services 2.1 Administration Guide Domain Services for Windows OES 2 SP3: Novell Domain Services for Windows Security Guide Dynamic Storage Technology “Security Considerations” in the...
  • Page 225: Links To Anti-Virus Partners

    QuickFinder Server 5.0 Administration Guide SuSEfirewall2 “Masquerading and Firewalls” (http://www.novell.com/documentation/sles10/book_sle_reference/data/cha_fire.html) in the SLES 10 SP3 Installation and Administration guide (http://www.novell.com/documentation/sles10/book_sle_reference/data/book_sle_reference.html) 21.5 Links to Anti-Virus Partners See the Partners and Communities page on Novell.com (http://www.novell.com/products/openenterpriseserver/partners_communities.html). Security 225...
  • Page 227: Certificate Management

    • serverkey.pem: This contains the server’s raw private key. • servercert.pem: This contains the server’s certificates. OES 2 services, such as Apache, OpenWBEM, and Novell Remote Manager, are also configured to use these certificates. Certificate Management...
  • Page 228: Oes 2 Certificate Management

    • “Installation of eDirectory Certificates” on page 228 • “What Is Installed Where” on page 228 • “Novell Certificate Server” on page 229 • “Server Self-Provisioning” on page 229 • “PKI Health Check” on page 229 Installation of eDirectory Certificates As you install eDirectory and OES 2, by default all HTTPS services are configured to use eDirectory certificates.
  • Page 229 This certificate server provides public key cryptography services that are natively integrated into Novell eDirectory. You can use the server to mint, issue, and manage both user and server certificates to protect confidential data transmissions over public communications channels such as the Internet.
  • Page 230: Multiple Trees Sharing A Common Root

    Automatic maintenance requires that Server Self-Provisioning be enabled as follows: 1 On the server you are configuring, in iManager > Roles and Tasks, click the Novell Certificate Access > Configure Certificate Authority option.
  • Page 231 1 Launch Novell iManager. 2 Log into the eDirectory tree as the Admin user. 3 Select the Roles and Tasks menu, then click Novell Certificate Server > Configure Certificate Authority. 4 Click the Certificates tab, then select the self-signed certificate.
  • Page 232: If You Don't Want To Use Edirectory Certificates

    6 Browse to the certificate file you downloaded in “Exporting the CA’s Self-Signed Certificate” on page 231 and click Open. 7 Select Trust this CA to identify Web sites, then click OK > OK > OK. Firefox now trusts certificates from the servers in the tree. Importing the CA Certificate into Internet Explorer 6 and 7 on Windows 1 Launch Internet Explorer.
  • Page 233 Certificate Option Scenario / Default Setting / Result / If You Change the Default Setting: Add-on to SLES 10 or post-install: Selected; All HTTPS services on the server are configured to use eDirectory certificates; The current service certificates and configurations are retained. Upgrade from ...: Selected; All HTTPS services are ...; The current service certificates...
  • Page 235: A Adding Services To Oes 2 Servers

    Adding Services to OES 2 Servers You can add services to Open Enterprise Server 2 servers after they are installed. OES 2 is a set of services that can be either added to an existing server or installed at the same time as SUSE Linux Enterprise Server 10 SP1.
  • Page 237: Caveats And Disclaimers

    Changing an OES 2 Server’s IP Address The instructions in this section let you change the IP address assigned to an OES 2 SP3 server and the services it hosts. • Section B.1, “Caveats and Disclaimers,” on page 237 • Section B.2, “Prerequisites,”...
  • Page 238: Iprint

    If the server is running Novell Cluster Services: 1 Check your plans against the prerequisites for clusters in “IP Address Requirements” in the OES 2 SP3: Novell Cluster Services 1.8.8 Administration Guide for Linux. 2 Follow the instructions in “Changing the IP Addresses of Cluster Resources”...
  • Page 239: Repairing The Edirectory Certificates

    2 In the Login dialog box, type the Admin username and password, type the newmasterip address in the Tree field, then click Login. 3 Click Novell Certificate Server > Repair Default Certificates. 4 In Create Server Certificate > Step 1 of 3, browse to and select the server object for the server you are changing.
  • Page 240: Quickfinder

    “Deleting a Virtual Search Server” and “Creating a Virtual Search Server” in the OES 2 SP3: Novell QuickFinder Server 5.0 Administration Guide. 2 Regenerate the QuickFinder index by completing the instructions in “Creating Indexes” in the OES 2 SP3: Novell QuickFinder Server 5.0 Administration Guide.
  • Page 241 2 Select the domain name from the drop-down list, then click Search. This is the domain name whose IP address is to be changed (in this example, it is the ‘A’ record). 2a Specify the Host Name using the search feature. 2b Select the '@' record and click Modify to replace the IP address with the new IP address.
  • Page 242: Iprint

    2c Click Done. A message indicates that the A record has been successfully modified. 3 Execute the following steps to rename and move the Reverse Lookup object: 3a Click iManager > Directory Administration > Rename Object. Search for and select the Reverse Lookup object from eDirectory. 3b In the New Object Name field, specify the name of the Reverse Lookup object with the new IP address.
  • Page 243: Netstorage

    B.7 Modifying a Cluster If the server is running Novell Cluster Services, complete the instructions in “Modifying the Cluster Configuration Information” in the OES 2 SP3: Novell Cluster Services 1.8.8 Administration Guide for Linux.
  • Page 245: C Updating/Patching Oes 2 Servers

    Updating/Patching OES 2 Servers One of a network administrator’s biggest challenges is keeping installed software up-to-date on all servers and workstations. You can install product updates as they are made available through the ZENworks Linux Management update channel. For instructions on setting up the ZENworks Linux Management update channel for each OES 2 server and running the patch process, see “Updating (Patching) an OES 2 SP3...
  • Page 247: D Backup Services

    Purge Delay setting times out or space is needed on the volume. D.2 System-Wide Services OES 2 offers both Novell Storage Management Services and services that are available as part of the SUSE Linux Enterprise Server 10 distribution. ...
  • Page 248: Sles 10 Backup Services

    In OES 2, the SMS API framework is available on SLES 10 so that there is a single consistent interface to back up file systems on NetWare, file systems on Linux, and Novell applications such as GroupWise and Novell iFolder. The API set has been enhanced to include new functionality for OES.
  • Page 249 For WebDAV access, use http:// or https://server_ip_or_dns/oneNet/NetStorage. Novell Client: 1. Install the Novell Client on a supported Windows client workstation. 2. Log in to eDirectory. 3. Access NCP volumes on NetWare or Linux that you have the appropriate file trustee rights to.
  • Page 251 • Microsoft Internet Explorer 6 (latest SP) • Microsoft Internet Explorer 7 (latest SP) • Apple Safari 3.1 Table F-1 provides service-specific links and information about browser support in Novell OES. Table F-1 Browser Support in OES (Management Tool / Supported Browser Information Link) ...
  • Page 252 Management Tool / Supported Browser Information Link: • Tomcat Manager: “Managing Tomcat with Tomcat Admin” in the NW 6.5 SP8: Tomcat Administration Guide
  • Page 253 Client/Workstation OS Support As a general rule, Open Enterprise Server 2 services can be accessed and administered from workstations running the following operating systems: • SUSE Linux Enterprise Desktop 10 SP2 • Microsoft Windows XP SP2 and SP3 • Microsoft Windows Vista Business SP1 ...
  • Page 255 OES 2 Service Scripts Novell Open Enterprise Server 2 services rely on specific service scripts located in /etc/init.d. The scripts used by OES 2, some of which are standard Linux scripts, are listed in Table H-1. IMPORTANT: For managing OES 2 services, we strongly recommend using the browser-based tools outlined in Section 11.1, “Overview of Management Interfaces and Services,”...
  • Page 256 NetStorage runs inside the novell-xsrvd XTier Web Services daemon, and novell-xsrvd also utilizes Tomcat services for certain other functions. novell-xregd is the init script for starting and stopping XTier’s registry daemon. It is part of the novell-xtier-base RPM and is enabled by default for run levels 2, 3, and 5.
  • Page 257 CIMOM daemon, which is an integral part of the iManager plug-ins for LUM, Samba, NSS, SMS, and NCS. iPrint and NRM also use OpenWBEM. Novell Remote Manager on OES 2 gets its server health information from CIMOM. Patching: novell-zmd. This is the GUI patch updater daemon.
  • Page 259: About System Users And Groups

    System User and Group Management in OES 2 SP3 This section discusses the users and groups that are used by Open Enterprise Server. Administrative users are discussed in Appendix J, “Administrative Users in OES 2 SP3,” on page 285. • Section I.1, “About System Users and Groups,”...
  • Page 260: Oes System Users And Groups By Name

    Table I-1 Types of System Users and Groups with Examples (System User or Group Type / Purpose / Examples): Proxy User: Perform very specific service-related functions, such as retrieving passwords and service attributes, and writing service information in eDirectory. Examples: cifsProxyUser-servername, LUM_Proxy_user.
  • Page 261: Understanding Proxy Users

    XTier. novlxtier: System Group; XTier. OESCommonProxy_hostname: System User; CIFS, DNS, DHCP, iFolder, NetStorage, Clustering (NCS), Linux User Management (optional). server_name-SambaProxy: Proxy User; Samba (Novell). server_name-W-SambaUserGroup: System Group; Samba (Novell). server_nameadmin: Proxy User. [name not shown in this excerpt]: System Group; Apache Tomcat, QuickFinder. wwwrun: System User; Apache. I.2 Understanding Proxy Users...
  • Page 262: What Are Proxy Users

    OES provides the Novell services that were previously only available on NetWare. To make its services available on Linux, Novell had to accommodate a fundamental difference between the way services run on NetWare and the way they run on Linux.
  • Page 263 For more information, see “OES Common Proxy User in eDirectory 8.8.6” in the OES 2 SP3: Novell Cluster Services 1.8.8 Administration Guide for Linux. DHCP OESCommonProxy_hostname Lets the service access DHCP objects in eDirectory.
  • Page 264: What Rights Do Proxy Users Have

    However, unlike other OES services that can share proxy users, NSS requires a unique proxy user for each server. Samba (Novell) server_name-SambaProxy Searches the LDAP tree (eDirectory) for Samba users. I.2.4 What Rights Do Proxy Users Have? Each OES service’s YaST installation automatically adds the required rights to the proxy user...
  • Page 265 Table I-4 Proxy Users Rights (Associated Service / Example Proxy User Name / Default Rights Granted): Starting with SP3, AFP no longer requires a proxy user. • Archive Versioning: Archive Versioning Proxy; This user has Read and Write rights to the archived volume. ...
  • Page 266: Common Proxy User - New In Sp3

    • “Why Would I Want to Specify Common Proxy Users?” on page 267 • “Why Has a Proxy User Been Added to Novell Cluster Services?” on page 267 • “Which Services Leverage the Common Proxy User?” on page 267 ...
  • Page 267 Automatic password management for common proxy users ensures that services are never disrupted because of an expired password. Why Has a Proxy User Been Added to Novell Cluster Services? For SP3, the eDirectory communication functionality that was previously performed by the designated NCS administrator has been separated out so that it can now be performed by a system user if so desired.
  • Page 268 • Novell Cluster Services • Linux User Management (proxy user is optional) Services that Cannot Leverage the Common Proxy User: The following services that use proxy users do not leverage the Common Proxy user for the reasons listed (Service / Reason): Archive and Version Services: This service uses the installing administrator as in the past.
  • Page 269: Managing Common Proxy Users

    • Your Admin password is 123abc. • You want to create a common proxy user and assign it as the common proxy for the Novell DNS and DHCP services running on the server. • Therefore, you enter the following commands: cd /opt/novell/proxymgmt/bin move_to_common_proxy.sh -d cn=admin.o=novell -w 123abc -i 10.10.10.1 -p...
  • Page 270: Planning Your Proxy Users

    User cn=OESCommonProxy_myserver.o=novell is created with a system-generated password and assigned the Common Proxy Policy password policy. The DNS and DHCP services are configured to be serviced by the Common Proxy user. Changing Proxy Passwords Automatically You can configure your server so that your proxy users are regularly assigned new system-generated...
  • Page 271 Table I-5 Proxy User Creation Options (Service / Proxy User Name if Applicable / Associated Service Creation Information): Beginning with OES 2 SP3, the need for an AFP proxy user has been eliminated. Archive Versioning: admin; The admin account that installs the server is automatically assigned as the Archive and Versioning proxy user.
  • Page 272 Service / Proxy User Name if Applicable / Associated Service Creation Information: • OESCommonProxy_hostname; Common Proxy User: If a Common Proxy User is specified, DNS will be automatically configured to use it by default, but you have the option to change this.
  • Page 273 Base Context for Samba Users and is named servername-sambaProxyUser. You specify the password for this user when you configure Novell Samba. You can specify another eDirectory user as the Samba proxy user. If you do, be aware of the following: ...
  • Page 274: There Are No Proxy User Impacts On User Connection Licenses

    The following is a real-life example of risks that can occur when admin users are assigned as proxy users: Novell Support received a call from an administrator who was getting locked out due to intruder detection after changing the administrator password. The lockout happened several times each day and seemed to be coming from the OES 2 servers.
  • Page 275 Table I-6 Options for Limiting the Number of Proxy Users (Approach / Security Considerations / Manageability Considerations): Per Service per Server (default): For CIFS, iFolder 3, NSS, and Samba this is the most secure option. This approach requires no proxy user planning. Services are installed at the same time as the OES...
  • Page 276: Password Management And Proxy Users

    Approach / Security Considerations / Manageability Considerations: Per Service: This confines any security vulnerabilities to individual services. It also ensures that proxy user rights are not... For example, you might have one proxy user for CIFS, one for DNS/DHCP, one for iFolder, one for iPrint, etc. This is useful in trees where the users and servers are not co-located, and different services are administered...
  • Page 277 IMPORTANT: Although the YaST-based install can sometimes be used successfully to reconfigure some OES services, Novell neither recommends nor supports that practice. Avoid Password Expiration Problems Many organizations require that all network users have password policies to enforce regular password expiration and change.
  • Page 278: Implementing Your Proxy User Plan

    For example, you might insert the following entries: cn=OESCommonProxyUser_myserver.o=novell cn=myproxy.o=novell 3 Save the file. 4 Enter the following commands: cd /opt/novell/proxymgmt/bin change_proxy_pwd.sh -A Yes I.5 Implementing Your Proxy User Plan The proxy users in OES can be configured at different levels within eDirectory, depending on your needs.
  • Page 279: Tree-Wide Proxy Users

    After the server is installed and you have created the required proxy users and passwords, then you can install the OES services and configure them to use the proxy users you have created. The exception to this is installing all services without changing the default configuration settings (see Table I-5 on page 271).
  • Page 280: Individual Proxy User Per-Server-Per-Service

    Do the following: 1. Create one proxy user object per OES server (preferably in the same container as the server) and set the password. 2. Use this proxy user and password as the proxy user for all the services on that particular OES server.
  • Page 281: System Groups

    This user is created by CIMOM but is not currently used. novlxregd XTier The XTier Registry Daemon (novell-xregd) runs as this user. When NSS is installed on the Linux server, this user is removed from the local system and created as a LUM-enabled user in eDirectory.
  • Page 282: Auditing System Users

    This is required because members of this group must have access to NSS data, and all NSS access is controlled through eDirectory. server_name-W-SambaUserGroup (Samba (Novell)): All users granted Samba access are originally assigned to this group, which disables SSH access for them on the server.
  • Page 283 If you are interested in monitoring such activities, two Novell products can assist you. • Novell Sentinel: Universal Password events can be monitored using Novell Sentinel. You enable this by modifying the NMAS Login Policy Object. For instructions, see Auditing NMAS Events (http://www.novell.com/documentation/nmas33/admin/data/bwmt40o.html).
  • Page 285: J Administrative Users In Oes 2 Sp3

    Administrative Users in OES 2 SP3 Every OES network requires at least one administrative-level user to manage regular network users and system users. Table J-1 Administrative Users and Groups (Administrative User or Group / Associated Service / Object Type / Purpose): Admin: eDirectory; Admin User; The eDirectory administrator that has all rights to manage the Tree.
  • Page 287: K Coordinating Password Policies Among Multiple File Services

    DSfW is not classified as a file service, but it includes a customized version of Samba that is different from Novell Samba. Each of these services requires that users who access them have Password policies that meet specific requirements. Users can be governed by only one Password policy at a time, so if any of your network users require access to more than one of the file services, you need to coordinate the Password policies that govern the users to ensure that they can access the different file services.
  • Page 288: Edirectory Contexts

    8.8.2 installed. On OES 1 and NetWare servers with a lone writable replica of an AFP or CIFS user, NMAS should be upgraded by upgrading to the Novell Security Services 2.0.6 on eDirectory 8.7.3 SP10 or eDirectory 8.8.2.
  • Page 289 S9 serves its volumes over AFP, Samba, and NCP NOTE: Although Novell CIFS and Samba can both be installed on the same machine, they cannot run together because of a port conflict. The administrator can configure either Samba or Novell CIFS on a single machine, but not both.
  • Page 290: Example 2: Mutually Exclusive Users

    User Access to Services Users from all over the tree can access services running on S1-S9. In order for users to be able to access AFP/CIFS services, the search contexts (eDirectory contexts) for these services should be configured to the subtrees under which those users can be found. Rights Required for Installation and Administration Installation and configuration in iManager must be done by an OES administrator.
  • Page 291: Deployment Guidelines For Different Servers And Deployment Scenarios

    Non-DSFW Server If the first server in the tree is a non-DSFW server, then any combination of AFP, Novell CIFS, or Samba can be installed on this server. Because the tree is being newly created, the users, the proxy users (system users), and the Password policies will not be present.
  • Page 292 3 Use iManager to create a system user (proxy user) to be used for the OES services. 4 Use the YaST install to configure the Novell AFP and Novell CIFS services as follows: 4a Use an auto-generated common proxy user for all the services.
  • Page 293: Deployment Scenario 2: Mutually Exclusive Users

    • Use the same procedure as for S5. • Either use a common proxy user for all the services (AFP), or allow auto-generation of the proxy user/password for each AFP. K.4.2 Deployment Scenario 2: Mutually Exclusive Users In some trees, AFP, CIFS, and Samba might be employed, but the users are partitioned in such a way that each user has access to AFP, to CIFS, or to Samba, but not to all of them.
  • Page 295: Documentation Updates

    Documentation Updates This section summarizes the changes made to this manual since the initial release of Novell Open Enterprise Server 2. December 2010 (Chapter or Section Changed / Summary of Changes): Entire guide: General updates for SP3. July 15, 2010 (Chapter or Section Changed / Summary of Changes): Section 1.5.1, “Dynamic Storage...
  • Page 296 Summary of Changes “SLP” on page 111. Removed all information and instructions that refer to incompatibilities between Novell SLP and OpenSLP. This information was outdated. Although there are differences in the two SLP services (see Table 12-4 on page 112), they are completely compatible regarding the sharing of service information.
