Summary of Contents for Novell OPEN ENTERPRISE SERVER - PLANNING AND IMPLEMENTATION GUIDE 12-2010
AUTHORIZED DOCUMENTATION Planning and Implementation Guide Novell ® Open Enterprise Server 2 SP3 December 2010 www.novell.com...
Further, Novell, Inc. reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.
We want to hear your comments and suggestions about this manual and the other documentation included with OES 2. Please use the User Comments feature at the bottom of each page of the online documentation, or go to www.novell.com/documentation/feedback.html and enter your comments there.
Documentation Conventions
The terms OES 2 and OES 2 SP3 are both used in this guide. Generally, OES 2 SP3 is used to differentiate something that is new or changed for the SP3 release of OES 2. Unless otherwise indicated, all statements that refer to OES 2 also apply to OES 2 SP3. In this documentation, a greater-than symbol (>) is used to separate actions within a step and items within a cross-reference path.
What’s New or Changed
This section summarizes the new features for each release of Novell Open Enterprise Server (OES):
Section 1.1, “Links to What's New Sections,” on page 15
Section 1.2, “New or Changed in OES 2 SP3,” on page 16
...
Administration Guide
QuickFinder 5 Administration Guide
Samba (Linux) Administration Guide
Server Health Monitoring: This is now available in various Novell Remote Manager dialog boxes on both platforms. For more information, see “Health Monitoring Services” on page
Shadow Volumes: See “Overview of Dynamic Storage Technology”...
(http://www.novell.com/documentation/edir88/edir88new/data/front.html).
1.3 New or Changed in OES 2 SP2
This section summarizes the new features introduced in Novell Open Enterprise Server (OES) 2 SP2 that either involve multiple services or are not covered in service-specific documentation. For information on service-specific new features, see Section 1.1, “Links to What's New Sections,”...
Section 1.4.2, “Novell AFP,” on page 20
Section 1.4.3, “Novell CIFS,” on page 20
Section 1.4.4, “Novell Domain Services for Windows,” on page 21
Section 1.4.5, “Migration Tool,” on page 21
1.4.1 YaST Install Changes
The default behavior of the option to use eDirectory certificates for HTTPS services changed in OES 2 SP1.
OES 2 SP3: Novell AFP For Linux Administration Guide.
1.4.3 Novell CIFS
Novell CIFS is now available on Linux to provide feature parity with the existing NetWare release. It offers the following features:
Support for Windows 2000, XP, 2003, and Windows Vista 32-bit ...
Guide.
1.4.4 Novell Domain Services for Windows
This service creates seamless cross-authentication capabilities between Microsoft Active Directory on Windows servers and Novell eDirectory on OES 2 SP2 servers, and offers the following functionality:
Administrators with Windows networking environments can set up one or more “virtual”...
1.5.1 Dynamic Storage Technology
OES 2 introduces Novell Dynamic Storage Technology, a unique storage solution that lets you combine a primary file tree and a shadow file tree so that they appear to NCP and Samba/CIFS users as one file tree. The primary and shadow trees can be located on NSS volumes on the same server or on different servers.
Welcome to Open Enterprise Server 2
Novell Open Enterprise Server 2 (OES 2) includes all the network services that organizations traditionally expect from Novell.
OES 2 Overview
Figure 2-1 Novell Services
Novell Services: Novell Client Access, AFP, eDirectory, ...
OES 2 SP3: Planning and Implementation Guide...
Table columns: Service | NetWare 6.5 SP8 | OES 2 | Platform Differences / Migration Issues
Access Control Lists: In combination with NCP Server, Linux supports the Novell trustee model for file access on NSS volumes and NCP volumes on Linux.
AFP (Apple* File Services): NetWare 6.5 SP8: Yes - NFAP...
OES 2 SP3: NSS File System Administration Guide for Linux.
CIFS (Windows File Services): NetWare 6.5 SP8: Yes - NFAP; OES 2: Yes - Novell CIFS. Both NFAP and Novell CIFS are Novell proprietary and tightly integrated with eDirectory and Novell Storage Services (NSS).
Novell Samba...
“Planning a DNS Strategy” in the OES 2 SP3: Novell DNS/DHCP Administration Guide and “Planning a DNS Strategy” in the NW 6.5 SP8: Novell DNS/DHCP Services Administration Guide.
Dynamic Storage Technology: DST runs on OES 2. An NSS volume on NetWare is supported only as the secondary volume in a shadow pair.
Guide, and “Overview” in the NW 6.5 SP8: iPrint Administration Guide.
IPX (Internetwork Packet Exchange) from Novell: Novell has no plans to port IPX to OES.
iSCSI: The iSCSI target for Linux does not support eDirectory access controls like the NetWare target does.
SSH protocols. NetWare uses only NCP. These and other differences are summarized in “NetStorage” on page 179.
NetWare Traditional File System: Novell has no plans to port the NetWare Traditional File System to Linux. NetWare Traditional Volumes
NetWare 6.5 SP8: Yes - NFAP; OES 2: Yes - native to ... For NetWare, see “Working with UNIX...
“Functions Unique to the NetWare Platform” in the NW 6.5 SP8: OpenSSH Administration Guide.
PAM (Pluggable Authentication Modules): PAM is a Linux service that Novell leverages to provide eDirectory authentication. eDirectory authentication is native on NetWare.
Pervasive.SQL: Pervasive.SQL is available for Linux from the Web (http://www.pervasive.com/...
For more information, see “Security Characteristics” and “Generating an Index For a Linux-Mounted NSS Volume” in the OES 2 SP3: Novell QuickFinder Server 5.0 Administration Guide.
SLP: NetWare 6.5 SP8: Yes - Novell SLP; OES 2: Yes - OpenSLP. For OES 2, see Section 12.5, “SLP,” on page 111.
Table columns: Service | NetWare 6.5 SP8 | OES 2 | Platform Differences / Migration Issues
Virtual Office (Collaboration): Virtual Office has been replaced by Novell Teaming + Conferencing. A separate purchase is required. For more information, see the Novell Teaming + Conferencing Web Site (http://www.novell.com/products/teaming/index.html).
Large networks usually have one or more servers dedicated to providing a single network service. For example, one or more servers might be designated to provide Novell iFolder file services to network users while other servers provide iPrint printing services for the same users.
3.9.5 Cluster Upgrades Must Be Planned Before Installing OES Because of differences between Novell Cluster Services on NetWare 6.5 SP8 and OES 2, there are important issues to consider before combining them into a mixed node cluster, as explained in the following sections.
OES 1 SP2 Linux or earlier.
3.9.6 Cross-Protocol File Locking Has Changed
If you plan to use Novell CIFS, Novell AFP and/or NCP file services in combination with each other, be sure to read Section 1.3.5, “Cross-Protocol File Locking Change,” on page
3.9.7 Do Not Create Local (POSIX) Users...
“The OES 2 Solution: Standardizing the UIDs on all OES servers” on page 38
NetStorage, XTier, and Their System Users
By default, certain OES services, such as NetStorage, rely on a background Novell service named XTier. To run on an OES server, XTier requires two system-created users (named...
As long as the server only has Linux traditional file systems, such as Ext3, Reiser, or XFS, NetStorage runs without difficulties. However, if the server has NSS volumes, an additional requirement is introduced. NSS data can only be accessed by eDirectory users. Consequently, the local XTier users can’t access NSS data, and NetStorage can’t run properly.
XTier users and the novlxtier group, then continue with Step
You need these numbers to standardize the IDs on the server.
4 Download the following script file: fix_xtier_ids.sh (http://www.novell.com/documentation/oes2/scripts/fix_xtier_ids.sh)
5 Customize the template file by replacing the variables marked with angle brackets (<>) as follows: ...
After eDirectory and the iManager plug-ins install successfully, the Novell DHCP configuration fails. You must then use iManager to change either the LDAP server configuration or the Novell DHCP configuration to support your preferred communication protocol.
Be Sure that OpenSLP on OES 2 Is Configured Properly
Novell SLP (NetWare) and OpenSLP (Linux) can coexist, but there are differences between the services that you should understand before deciding which to use or before changing your existing SLP service configuration.
LDAP Servers: If the LDAP servers referenced in your installation are not running NetWare 6.5 SP3 or later, the servers might abend during a schema extension operation.
3.9.15 Novell Distributed Print Services Cannot Migrate to Linux
NDPS clients are not supported on OES. You must therefore migrate any NDPS clients to iPrint before you migrate your print services to OES.
3.9.19 Unsupported Service Combinations
Do not install any of the following service combinations on the same server. Although not all of the combinations shown in Table 3-2 cause pattern conflict warnings, Novell does not support any of them.
Table 3-2 Unsupported Service Combinations...
Table columns: Service | Unsupported on the Same Server
Novell CIFS: File Server (Samba); Novell Domain Services for Windows; Novell Samba; Xen Virtual Machine Host Server
Novell Cluster Services (NCS) High Availability: Novell Domain Services for Windows...
Table columns: Service | Unsupported on the Same Server
Novell Linux User Management (LUM): No restrictions
Novell NCP Server / Dynamic Storage Technology: Xen Virtual Machine Host Server
Novell NetStorage: Novell Domain Services for Windows; Xen Virtual Machine Host Server ...
OES 2 integration process is as smooth as possible. Novell has invested considerable effort in identifying service coexistence and migration issues you might face. We understand, however, that we can’t anticipate every combination of services that you might have.
OES 2 Install Preparation
Figure 3-1 OES 2 Install Preparation: Download the SLES 10 and OES 2 ISO image files from www.novell.com, or get the ISO files or physical media from a Novell Authorized Reseller. Decide whether to install...
CD/DVD Install: You can install SLES 10 SP1 by using CDs or a DVD and then install OES 2 from a CD, all of which can be either obtained from a Novell Authorized Reseller or created from downloaded ISO image files.
3.11.5 If You Want to Install NSS on a Single-Drive Linux Server
Many are interested in Novell Storage Services (NSS) running on Linux. If you plan to experiment with NSS on a single-drive server, be sure to follow the instructions in “Installing with EVMS as the...
“Understand Your Installation Options,” on page
4.1 Do You Have Upgrade Protection?
If you have Novell Upgrade Protection, you can upgrade to OES 2 and the associated support packs, free of charge until your upgrade protection expires. After your protection expires, the OES 2 upgrade link disappears from your account page.
When you purchase OES 2, you receive two activation codes for OES 2 (one for OES 2 services and one for SUSE Linux Enterprise Server 10). Both codes are required for registering an OES 2 system in the Novell Customer Center. After it is registered, your server can receive online updates, including the latest support pack.
SP3 e-Media Kit link.
4 Click the proceed to download button (upper right corner of the first table).
5 If you are prompted to log in, type your Novell Account username and password, then click login.
6 Accept the Export Agreement (required for first downloads only) and answer the survey questions about your download (optional).
53, you now have two activation/evaluation codes: one for OES 2 and another for SLES 10. As you install OES 2, you should register with the Novell Customer Center and use these codes to enable your server for online updates from the OES 2 and SLES 10 patch channels.
4.4.6 Installing Purchased Activation Codes after the Evaluation Period Expires After purchasing Open Enterprise Server, use the instructions in “Registering the Server in the Novell Customer Center (Command Line)” in the OES 2 SP3: Installation Guide to enter the purchased activation codes that you received with your purchase. After logging in as...
NetWare usage. You can also monitor usage of Novell Licensing Services-enabled products.
4.5.3 OES 2 Doesn’t Support NLS
Novell Licensing Services (NLS) are not available on OES 2, nor does an OES 2 installation require a license/key file pair (* and *).
2 and SLES 10 at the same time, making the installation of SLES 10 and OES 2 services a seamless process. To ensure a successful installation:
1. Read and follow all instructions in the OES 2 Readme (http://www.novell.com/documentation/oes2/oes_readme/data/oes_readme.html#bsen7me).
2. Carefully follow the instructions in the OES 2 SP3: Installation Guide, especially those found ...
Enterprise Server (SLES) 10 SP3 VM host server, creating a VM, and then installing an OES 2 server (NetWare or Linux) in the VM. To get started with Xen virtualization in OES 2, see the following:
“Introduction to Xen Virtualization” (http://www.novell.com/documentation/sles10/xen_admin/data/sec_xen_basics.html) in the Virtualization with Xen (http://www.novell.com/documentation/sles10/xen_admin/data/bookinfo.html) guide.
6.2 Avoiding POSIX and eDirectory Duplications
OES 2 servers can be accessed by:
Local (POSIX) users that are created on the server itself.
eDirectory users that are given local access through Linux User Management (LUM).
However, there are some issues you need to consider: ...
The users Group
There is another default system-created group named users that is not used by OES 2 services but is nevertheless created on all SLES 10 (and therefore, OES 2) servers. Creating an eDirectory group named users would seem logical to many administrators. And as with the shadow group, nothing prevents you from using this name.
NOTE: The list of users and groups in Appendix I, “System User and Group Management in OES 2 SP3,” on page 259 is not exhaustive. For example, the users group is not listed.
Create Only eDirectory Users and Groups
For OES 2 services, the LUM technology eliminates the need for local users and groups. We recommend, therefore, that you avoid the problems discussed in this section by not creating local users and groups.
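The two identity problems this chapter and the XTier discussion in Section 3.9 describe (system accounts whose UID/GID drifts from server to server, and local POSIX names or IDs that collide with identities LUM serves from eDirectory) are easy to audit before you touch anything. The script below is an added example written for this page; it is not part of the Novell guide and is not Novell's fix_xtier_ids.sh. Its passwd/group excerpts and its LUM identity maps are constructed sample data, and the account names xtsvc1/xtsvc2 are hypothetical stand-ins for the XTier users.

```python
"""Audit local (POSIX) account IDs on OES 2 servers.

Added example; not part of the Novell guide and not Novell's fix_xtier_ids.sh.
Two checks motivated by the text above:
  1. ID drift: a locally created system account (the XTier users in the guide)
     gets whatever UID/GID is free on each server, so one account name can
     carry different numbers on different servers. Find where they differ
     before standardizing them.
  2. Collisions: local /etc/passwd and /etc/group entries must not share a
     name or numeric ID with identities LUM serves from eDirectory (the
     'users' and 'shadow' groups are the guide's examples).
All data below is constructed: xtsvc1/xtsvc2 are hypothetical stand-ins for
the XTier users, and LUM_USERS/LUM_GROUPS stand in for the eDirectory part of
`getent passwd` / `getent group` on a LUM-enabled server.
"""
from collections import defaultdict


def parse_passwd(text):
    """Return {name: (uid, gid)} from passwd(5)-format text; malformed lines are skipped."""
    entries = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 7 or fields[0].startswith("#"):
            continue
        entries[fields[0]] = (int(fields[2]), int(fields[3]))
    return entries


def parse_group(text):
    """Return {name: gid} from group(5)-format text; malformed lines are skipped."""
    entries = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 4 or fields[0].startswith("#"):
            continue
        entries[fields[0]] = int(fields[2])
    return entries


def find_id_drift(passwd_by_server):
    """passwd_by_server: {server: passwd text} -> {account: {server: (uid, gid)}}
    for accounts present on more than one server without identical IDs everywhere.
    The primary GID is compared too: servers can agree on the UID and still
    disagree on the group that owns the account's files."""
    seen = defaultdict(dict)
    for server, text in passwd_by_server.items():
        for name, ids in parse_passwd(text).items():
            seen[name][server] = ids
    return {name: per for name, per in seen.items()
            if len(per) > 1 and len(set(per.values())) > 1}


def find_collisions(local_passwd, local_group, lum_users, lum_groups):
    """Compare one server's local files with LUM-served identities
    (lum_users: {name: uid}, lum_groups: {name: gid}).
    Returns sorted (kind, local_name, local_id, lum_side) tuples; kind is one of
    'user-name', 'uid', 'group-name', 'gid'."""
    hits = []
    lum_by_uid = {uid: n for n, uid in lum_users.items()}
    lum_by_gid = {gid: n for n, gid in lum_groups.items()}
    for name, (uid, _gid) in parse_passwd(local_passwd).items():
        if name in lum_users:
            hits.append(("user-name", name, uid, lum_users[name]))
        elif uid in lum_by_uid:
            hits.append(("uid", name, uid, lum_by_uid[uid]))
    for name, gid in parse_group(local_group).items():
        if name in lum_groups:
            hits.append(("group-name", name, gid, lum_groups[name]))
        elif gid in lum_by_gid:
            hits.append(("gid", name, gid, lum_by_gid[gid]))
    return sorted(hits, key=lambda h: (h[0], h[1]))


# Constructed /etc/passwd excerpts from two hypothetical servers.
PASSWD_BY_SERVER = {
    "oes-a": ("root:x:0:0:root:/root:/bin/bash\n"
              "xtsvc1:x:101:101:hypothetical XTier user:/var/lib/xtsvc:/bin/false\n"
              "xtsvc2:x:102:101:hypothetical XTier user:/var/lib/xtsvc:/bin/false\n"
              "bob:x:600:100:local test user:/home/bob:/bin/bash\n"),
    "oes-b": ("root:x:0:0:root:/root:/bin/bash\n"
              "xtsvc1:x:105:105:hypothetical XTier user:/var/lib/xtsvc:/bin/false\n"
              "xtsvc2:x:102:105:hypothetical XTier user:/var/lib/xtsvc:/bin/false\n"),
}
# Constructed /etc/group excerpt for oes-a (novlxtier is the group named in the guide).
LOCAL_GROUP_OES_A = "root:x:0:\nusers:x:100:\nshadow:x:15:\nnovlxtier:x:101:xtsvc1,xtsvc2\n"
# Constructed stand-ins for identities LUM serves from eDirectory on oes-a.
LUM_USERS = {"jsmith": 600}
LUM_GROUPS = {"users": 5000}

if __name__ == "__main__":
    for acct, per in sorted(find_id_drift(PASSWD_BY_SERVER).items()):
        print(f"ID drift: {acct}: " + ", ".join(f"{s}={u}:{g}" for s, (u, g) in sorted(per.items())))
    for kind, name, local_id, lum_side in find_collisions(
            PASSWD_BY_SERVER["oes-a"], LOCAL_GROUP_OES_A, LUM_USERS, LUM_GROUPS):
        print(f"collision ({kind}): local {name}={local_id} vs eDirectory/LUM {lum_side}")
```

On a real fleet, feed find_id_drift a copy of /etc/passwd from every server and feed find_collisions the server's local files plus the eDirectory-side entries (everything `getent passwd`/`getent group` returns that is not in the local files). The audit only reports; the ID changes themselves, and the chown of files owned by the old IDs, belong to the guide's procedure, not to this script.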
If you have an issue that you believe can only be resolved by uninstalling eDirectory, make sure you consult with Novell Technical Services before you attempt to do so.
6.7.2 Avoid Renaming Trees and Containers
The configuration files for many OES services point to configuration data stored within eDirectory.
'cn=admin$name.o=container'
6.8 iFolder 3.8
Implementation caveats for iFolder 3.8 are documented in “Caveats for Implementing iFolder Services” in the Novell iFolder 3.8.4 Administration Guide.
6.9 iPrint
iPrint has the following implementation caveats:
Section 6.9.1, “Cluster Failover Between Mixed Platforms Not Supported,” on page 65 ...
However, installing the client on Linux workstations requires you to save the RPM package and then install it manually if a package manager is not already installed and configured as it is in the Novell Linux Desktop. For more information, see “Linux: iPrint Client”...
6.10 LDAP—Preventing “Bad XML” Errors If you are using Novell eDirectory 8.7.3x, time outs are possible when you search from iManager for eDirectory objects, such as NCP Server objects, Volume objects, and Cluster objects. This is because the Object Class attribute is not indexed by default. The LDAP sub-tree search can take over 30 seconds, which causes the query to time out.
6.12.1 iManager RBS Configuration with OES 2
In “Installing RBS” in the Novell iManager 2.7.4 Administration Guide, you are instructed to run the iManager Configuration Wizard before using iManager. When iManager is installed in connection with OES 2, various roles and tasks are configured, as...
However, this doesn’t work, because NSS file attributes are only supported on NSS volumes.
6.14 Novell-tomcat Is for OES Use Only
The novell-tomcat package is installed for Novell service use only. It is an embedded part of Novell services, not a generic application platform.
6.18.2 Always Use Timesync Rather Than NTP
Time synchronization problems have been observed when virtualized NetWare servers are running the XNTPD NLM. Therefore, Novell strongly recommends using Timesync and also configuring the service to communicate through NTP.
6.18.4 Time Synchronization and Virtualized OES 2 eDirectory relies on time being synchronized and connections with eDirectory are lost if the system time varies in the host operating system. Be sure you understand and follow the instructions in Virtual Machine Clock Settings (http://www.novell.com/documentation/sles10/ book_virtualization_xen/data/sec_guest_suse.html#sec_xen_time) in the “Virtual Machine Clock...
7.1.3 OES 1 Linux to OES 2 Service Differences eGuide, Novell iFolder 2, and Virtual Office are not supported on OES 2. If you upgrade an OES 1 Linux server with any of these installed to OES 2 SP3, the services cease to function.
7.1.4 Only One eDirectory Instance Is Supported on OES Servers If your OES server has multiple instances of eDirectory running (multiple trees), any attempt to upgrade the server fails. You must remove all instances, except the one that uses port 524, prior to an upgrade. For more information, see Section 6.7.5, “One Instance Only,”...
Migrating and Consolidating Existing Servers and Data
This section briefly outlines the following migration topics:
Section 8.1, “Supported OES 2 SP3 Migration Paths,” on page 73
Section 8.2, “Migration Tools and Purposes,” on page 73
8.1 Supported OES 2 SP3 Migration Paths
For a complete list of Open Enterprise Server SP3 migration scenarios and paths, see “Migration Scenarios”...
SLES 10)
9.2 Why Install OES Services on Your VM Host?
Novell supports three OES 2 services running on a Xen VM host server: Novell Linux User Management, Novell Storage Management Services, and Novell Cluster Services. Additionally, whenever you specify OES 2 as an add-on product, the YaST-based NetWare Response File Utility is automatically installed, whether you install any OES 2 services or not.
Storage Management Services (SMS): Lets you back up the VM host server and all of the VM guests.
Novell Cluster Services (NCS): Lets you cluster the VM guests running on the VM host.
NetWare Response File Utility: Lets you pre-answer the same questions as you would during a physical NetWare installation.
Table columns: Linux VM Host | Linux VM Guest | NetWare VM Guest
Services listed: NCP Server/Dynamic Storage Technology; NetStorage; Novell Remote Manager (NRM); Novell Storage Services (NSS); QuickFinder; Samba
IMPORTANT: Adding OES services to a Xen VM host requires that you boot the server with the regular kernel prior to adding the services.
Clustering and High Availability
Open Enterprise Server 2 includes support for a two-node Novell Cluster Services cluster. The full Novell Cluster Services product (available through a separate purchase) is a multinode clustering product that can include up to 32 servers.
Managing OES 2
This section includes the following topics:
Section 11.1, “Overview of Management Interfaces and Services,” on page 81
Section 11.2, “Using OES 2 Welcome Pages,” on page 82
Section 11.3, “OES Utilities and Tools,” on page 83 ...
The Welcome site lets you run iManager, NRM, and other tools; download applicable client software; go to important OES 2 pages on Novell.com; start training on Linux; and get migration help. This section explains OES Welcome Web Site features, and discusses:
Section 11.2.1, “The Welcome Site Requires JavaScript, Apache, and Tomcat,” on page 82 ...
Administrators,” a reference that outlines the OES equivalents for most of the familiar CLI tools on NetWare. Novell OES 2 includes several administration utilities that let you manage everything in your network, from configuring and managing eDirectory to setting up network services and open source software.
Novell Remote Manager (NRM): Access: NRM on IP_Address:8008 ... NetWare. 2. Specify the eDirectory Admin username and password, or on Linux you can use the root user and password if needed. Tasks: Health Monitoring Services. Notes: For more information, see the OES 2 SP3: Novell Remote Manager for Linux Administration Guide.
iManager: Tasks: Create and manage users, groups, and other objects. Delegate administration through Role-Based Services. Access: 2. Specify the eDirectory Admin username and password. Notes: For more information on using iManager, see the Novell iManager 2.7.4 Administration Guide. See also iManager Workstation.
IP_or_DNS:8030/ ... instances of the directory service) rather than the entire eDirectory tree. 2. Specify the eDirectory Admin username and password. For more information, see “Using Novell iMonitor 2.4” in the Novell eDirectory 8.8 Administration Guide.
iPrint Map: Create a printer map. 1. ...
Table columns: Tool | Tasks | Access Method or URL/Username | Notes
Novell Client: Tasks: Manage file system access. Access: Use the Novell N icon to access these and other tasks. Notes: As an Admin user (or equivalent), you can set directory and user quotas for ...
NetWare. 2. Specify either the eDirectory username and password or a Linux (POSIX) username and password. Tasks: Manage the NCP Server (Linux); manage NCP connections to NSS ... Notes: For more information, see the OES 2 SP3: Novell Remote Manager for Linux Administration Guide.
Table columns: Tool | Tasks | Access Method or URL/Username | Notes
OpenSSH (client access): Tasks: Securely run commands on remote servers. Access: Connect to the server using your favorite SSH client. Notes: On Linux, OpenSSH is installed by default and is accessed by eDirectory users as a LUM-enabled service.
SNMP: Tasks: Monitor an eDirectory server; track the status of eDirectory to verify ... Access: ... your platform. 2. Access SNMP for eDirectory services using the SNMP ... Notes: For more information on SNMP for eDirectory, see “SNMP Support for Novell eDirectory” in the Novell eDirectory 8.8 Administration...
Section 11.4.1, “Overview,” on page 91
Section 11.4.2, “Setting Up SSH Access for LUM-enabled eDirectory Users,” on page 93
11.4.1 Overview
SSH (http://www.novell.com/company/glossary.html#4187) services on SLES 10 are provided by OpenSSH (http://www.openssh.org), a free version of SSH connectivity tools developed by the OpenBSD Project (http://www.openbsd.org/).
“How SSH Access for eDirectory Users Works” on page 92
“SSH Security Considerations” on page 93
When Is SSH Access Required?
SSH access is required for the following:
SSH administration access for eDirectory users: For eDirectory users to manage the server through an SSH connection, they must have SSH access as LUM-enabled users (eDirectory...
2 On the OES 2 server, open the YaST Control Center; then, in the Open Enterprise Server group, click OES Install and Configuration.
3 Click Accept.
4 When the Novell Open Enterprise Server Configuration screen has loaded, click the Disabled link under Linux User Management. The option changes to Enabled and the configuration settings appear.
“Managing User and Group Objects in eDirectory” in the OES 2 SP3: Novell Linux User Management Administration Guide.
After you configure the server’s firewall to allow SSH, add SSH as an allowed LUM service, and LUM-enable the eDirectory users who should have SSH access, those users have SSH access to the server, provided they are not also enabled for Samba on the server.
Although the plug-in appears to deselect sshd as an allowed service, the service is still selected when group information is reloaded. Novell plans to address this issue in the near future.
Network Services
Network services, as used in this section, are associated with protocols that provide the following:
Data packet transport on the network.
Management of IP addresses and DNS names.
Time synchronization to make sure that all network devices and eDirectory replicas and partitions have the same time.
12.2.2 DHCP Differences Between NetWare and OES 2
As you plan to upgrade from NetWare to OES 2, consider the following differences between DHCP on NetWare and OES 2:
Table 12-2 DHCP: NetWare 6.5 SP8 vs. OES 2 (columns: Feature or Command | NetWare 6.5 SP8 | OES 2)
Auditing...
Section 12.3.5, “Configuring and Administering Time Synchronization,” on page 109
Section 12.3.6, “Daylight Saving Time,” on page 110
12.3.1 Overview of Time Synchronization
All servers in an eDirectory tree must have their times synchronized to ensure that updates and changes to eDirectory objects occur in the proper order.
Figure 12-2 illustrates that OES 2 and NetWare 6.5 servers can freely interchange time synchronization information because NetWare 6.5 includes the following:
A TIMESYNC NLM that both consumes and provides NTP time packets in addition to Timesync packets.
An XNTPD NLM that can provide Timesync packets in addition to offering standard NTP functionality.
Figure 12-4 Synchronizing Time on NetWare 5.0 and 4.2 Servers (NTP packets and Timesync packets exchanged between the TIMESYNC NLMs on the NetWare servers)
Therefore, if you have NetWare 4.2 or 5.0 servers in your eDirectory tree, and you want to install an OES 2 server, you must have at least one NetWare 5.1 or later server to provide a “bridge” between NTP and Timesync time packets.
OES 2 Servers as Time Consumers
Figure 12-6 shows the time sources that OES 2 servers can use for synchronizing server time.
IMPORTANT: Notice that NetWare 4.2 is not shown as a valid time source.
Figure 12-6 OES 2 Servers as Time Consumers (external, reliable time source...)
“Time Synchronization for Trees with More Than Thirty Servers” on page 104
“Time Synchronization across Geographical Boundaries” on page 104
Time Synchronization for Trees with Fewer Than Thirty Servers
If your tree will have fewer than thirty servers, the default installation settings for time synchronization should be sufficient for all of the servers except the first server installed in the tree.
Planning a Time Synchronization Hierarchy before Installing OES
The obvious goal for time synchronization is that all the network servers (and workstations, if desired) have the same time. This is best accomplished by planning a time synchronization hierarchy before installing the first OES 2 server, then configuring each server at install time so that you form a hierarchy similar to the one outlined in Figure 12-7.
6 (Conditional) If your network spans geographic locations, plan the connections for time-related traffic on the network and especially across WANs. For more information, see “Wide Area Configuration” in the NW 6.5 SP8: NTP Administration Guide. For more planning information, see the following documentation: ...
Time Synchronization Compatibility
Table 12-3 Module Compatibility
TIMESYNC NLM (NetWare)
Can consume time from: all previous versions of Timesync (however, the NetWare 4.2 TIMESYNC NLM should not be used as a time source); any TIMESYNC or NTP daemon.
Can provide time to: ...
12.3.4 Implementing Time Synchronization
As you plan to implement your time synchronization hierarchy, you should know how the NetWare and OES 2 product installations configure time synchronization on the network. Both installs look at whether you are creating a new tree or installing into an existing tree. ...
Existing Tree
When a server joins an existing eDirectory tree, both OES installations do approximately the same thing.
“OES 2” on page 109
“NetWare 6.5 SP8” on page 109
OES 2
If you are installing into an existing tree, the OES 2 install proposes to use the IP address of the eDirectory server (either NetWare or Linux) as the NTP time source.
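The install only proposes a time source; whether the server is actually synchronized to it is something to verify on the running system, because (as Section 6.18.4 notes) eDirectory connections are lost when the clock drifts. The check below is an added example written for this page, not part of the Novell guide: it parses the peer table that `ntpq -p` prints on a SLES 10 server (the ntpq utility from the ntp package; the column layout is the standard one) and decides whether a healthy system peer is selected. The two peer tables are constructed sample output, and the health thresholds (reach 377 and a maximum offset of 500 ms) are this example's assumptions, not Novell values.

```python
"""Check an OES 2 server's NTP peers before relying on eDirectory time sync.

Added example, not part of the Novell guide. The guide says which time
source the install proposes; this checks, on a running server, whether that
source is actually being used and is sane, by parsing the peer table that
`ntpq -p` prints (ntpq ships with the ntp package on SLES; the column
layout is the standard one: remote, refid, st, t, when, poll, reach, delay,
offset, jitter, with a one-character tally code in front of `remote`).
The sample tables below are constructed. The health thresholds are
assumptions, not Novell values: a peer is healthy when it answered all of
the last eight polls (reach 377, octal) and its offset is within
MAX_OFFSET_MS.
"""
import subprocess

MAX_OFFSET_MS = 500.0
TALLY_CODES = "*+-x.#o "   # ntpq peer selection codes; ' ' means not selected


def parse_ntpq(text):
    """Parse `ntpq -p` output into a list of peer dicts; header lines are skipped."""
    peers = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("remote") or raw.startswith("="):
            continue
        tally, rest = raw[0], raw[1:].split()
        if tally not in TALLY_CODES or len(rest) != 10:
            continue
        peers.append({
            "tally": tally,
            "remote": rest[0],
            "refid": rest[1],
            "stratum": int(rest[2]),
            "reach": rest[6],            # octal string as printed, e.g. '377'
            "offset_ms": float(rest[8]),
        })
    return peers


def assess(peers, max_offset_ms=MAX_OFFSET_MS):
    """Return (synchronized, problems).

    synchronized is True only when a system peer ('*') exists and is itself
    healthy; problems lists every peer-level issue, including on peers that
    are not currently selected, because those are the fallbacks.
    """
    problems, sys_peer = [], None
    for p in peers:
        if p["stratum"] >= 16:
            problems.append(f"{p['remote']}: stratum 16, the source itself is unsynchronized")
        if p["reach"] != "377":
            problems.append(f"{p['remote']}: reach {p['reach']}, did not answer every recent poll")
        if abs(p["offset_ms"]) > max_offset_ms:
            problems.append(f"{p['remote']}: offset {p['offset_ms']} ms exceeds {max_offset_ms} ms")
        if p["tally"] == "*":
            sys_peer = p
    if sys_peer is None:
        problems.append("no system peer selected ('*'): this server is not synchronized")
        return False, problems
    healthy = (sys_peer["stratum"] < 16 and sys_peer["reach"] == "377"
               and abs(sys_peer["offset_ms"]) <= max_offset_ms)
    return healthy, problems


# Constructed sample: healthy system peer, one candidate, one dead source.
SAMPLE_OK = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*10.10.1.1       .GPS.            1 u   34   64  377    0.421   -0.152   0.089
+10.10.1.2       10.10.1.1        2 u   12   64  377    0.611    0.320   0.104
 10.10.1.3       .INIT.          16 u    -   64    0    0.000    0.000   0.000
"""

# Constructed sample: freshly booted server, nothing selected yet.
SAMPLE_UNSYNCED = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 10.10.1.1       .INIT.          16 u    -   64    0    0.000    0.000   0.000
"""


def check_live(max_offset_ms=MAX_OFFSET_MS):
    """Run `ntpq -pn` on this host and assess it (numeric addresses avoid DNS delays)."""
    out = subprocess.run(["ntpq", "-pn"], capture_output=True, text=True, check=True).stdout
    return assess(parse_ntpq(out), max_offset_ms)


if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("unsynced", SAMPLE_UNSYNCED)):
        synced, problems = assess(parse_ntpq(sample))
        print(f"{label}: synchronized={synced}")
        for problem in problems:
            print("  -", problem)
```

A freshly installed server looks like SAMPLE_UNSYNCED for the first few polls; that is expected, but if it still looks that way after several minutes the proposed source (the eDirectory server's address) is not reachable or is itself at stratum 16, and eDirectory replication on this server should not be trusted until that is fixed.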
Some systems are designed to leverage only a single discovery technology. Others choose among the various providers. And some use different technologies in combination with each other.
Section 12.4.1, “Novell SLP and OpenSLP,” on page 110
Section 12.4.2, “WinSock and Discovery Is NetWare only,” on page 111 ...
Application Server. Starting with NetWare 6.5 SP3, the UDDI server component was removed from the list of products that could be installed. The Novell UDDI server has been released as open source software and is available for download on Novell Forge Web site (http://forge.novell.com/modules/xfmod/project/ showfiles.php?group_id=1025).
Have eDirectory registered with the OpenSLP service running on the server. This requires SLP configuration either during the OES 2 installation or manually.
12.5.2 Comparing Novell SLP and OpenSLP
Table 12-4 SLP Solutions (columns: Platform ...)
You plan to install more than three servers into a new tree or a new eDirectory partition being created on an OES 2 server.
You either don’t have an existing Novell SLP service, or you don’t want to continue using Novell SLP.
Scopes group and organize the services on your network into logical categories. For example, the services that the Accounting group needs might be grouped into an Accounting scope. More information about scope planning is available in “SLP Scopes ” in the Novell eDirectory 8.8 Administration Guide and on the OpenSLP Web site (http://www.openslp.org/).
“Configuring for DA Access Before or After Installing the OES 2 Server” on page 116
Configuring for DA Access During the OES 2 Installation
As you install OES 2 by using the instructions in the “Novell eDirectory Services” section of the OES 2 SP3: Installation...
Configuring NetWare Servers to Use the OpenSLP Service
IMPORTANT: NetWare uses Novell SLP by default and will configure a server for that service if possible.
Complete one of the following as it applies to your situation: ...
12.5.4 Using Novell SLP on OES 2 Networks
If you have a NetWare tree, you automatically have Novell SLP on your network and you can continue to use it as the SLP service during the upgrade to OES 2 until you are ready to switch to OpenSLP.
Directory
3 In the Configured SLP Directory Agent field, type the IP address of an appropriate DA server. You can use Novell Remote Manager on a NetWare server if you aren’t sure which address to use. You can also list additional DA addresses, separated by commas.
= Directory
4 Find the following line:
;net.slp.DAAddresses = myDa1,myDa2,myDa3
5 Modify the line by removing the semicolon and typing the actual IP address of the Novell SLP DA (using Novell Remote Manager if necessary).
net.slp.DAAddresses = IP_Address
6 Save the file and close it.
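The hand edit in steps 4 to 6 is simple on one server and error-prone across many: the directive may already be active with a stale DA address, may have been added twice, or may be missing from a trimmed slp.conf. The function below is an added example written for this page, not part of the Novell guide or of OpenSLP; it performs the same edit on the text of slp.conf and returns the result so it can be checked before it replaces /etc/slp.conf. The slp.conf excerpt and the DA addresses are constructed.

```python
"""Set net.slp.DAAddresses in an OpenSLP slp.conf.

Added example, not part of the Novell guide. Steps 4 to 6 above edit
/etc/slp.conf by hand: find ';net.slp.DAAddresses = myDa1,myDa2,myDa3',
remove the semicolon and put in the real DA address(es). This does the same
edit on the file's text and also covers what a hand edit can miss: the
directive already active with another value, defined more than once, or
absent. It returns the new text instead of writing it, so the result can be
checked before it replaces /etc/slp.conf. The slp.conf excerpt is constructed
and the DA addresses are made up.
"""
import ipaddress
import re

DIRECTIVE = "net.slp.DAAddresses"
# Active form or the ';'-commented default; '#' lines are ordinary comments and are left alone.
_LINE = re.compile(r"^\s*(;?)\s*" + re.escape(DIRECTIVE) + r"\s*=\s*(.*?)\s*$")


def set_da_addresses(conf_text, addresses):
    """Return conf_text with exactly one active DAAddresses line listing `addresses`."""
    if not addresses:
        raise ValueError("at least one Directory Agent address is required")
    for addr in addresses:
        ipaddress.ip_address(addr)  # the guide's procedure uses IP addresses; reject anything else
    new_line = f"{DIRECTIVE} = {','.join(addresses)}"
    out, placed = [], False
    for line in conf_text.splitlines():
        if _LINE.match(line):
            if not placed:          # first match (active or commented) becomes the setting
                out.append(new_line)
                placed = True
            continue                # later matches are dropped so only one definition remains
        out.append(line)
    if not placed:                  # directive missing entirely: append it
        out.append(new_line)
    return "\n".join(out) + "\n"


def active_da_addresses(conf_text):
    """Return one address list per active (uncommented) DAAddresses line, in file order."""
    result = []
    for line in conf_text.splitlines():
        m = _LINE.match(line)
        if m and m.group(1) == "":
            result.append([a.strip() for a in m.group(2).split(",") if a.strip()])
    return result


# Constructed excerpt of /etc/slp.conf with the shipped, commented-out defaults.
SAMPLE_CONF = """\
# constructed excerpt of /etc/slp.conf
;net.slp.useScopes = myScope1,myScope2,myScope3
;net.slp.DAAddresses = myDa1,myDa2,myDa3
;net.slp.isDA = true
"""

if __name__ == "__main__":
    updated = set_da_addresses(SAMPLE_CONF, ["10.20.30.40"])
    print(updated)
    print("active:", active_da_addresses(updated))
```

After writing the result to /etc/slp.conf, restart the slpd service as the guide's surrounding steps direct and confirm that exactly one active DAAddresses line remains; two active definitions are the case this function removes, because which one the daemon honors is not something to rely on.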
12.5.5 SLP Changes in SP3
When SLP Directory Agents are deployed across a WAN and multicasting is disabled across the WAN, SLP Service Agents cannot hear the DA Advertisements (DAAdvt) from the Directory Agents. A Service Agent cannot re-register its service details with a Directory Agent if it does not receive a DAAdvt, and OpenSLP stores service information only in memory.
Section 13.1.4, “Storage Basics by Platform,” on page 124
Section 13.1.5, “Storage Options,” on page 124
Section 13.1.6, “NetWare Core Protocol Support (Novell Client Support) on Linux,” on page 126
13.1.1 Databases
See the topics in “databases” in the OES online documentation.
” in the OES online documentation.
13.1.3 File System Support in OES
As shown in Figure 13-1, both OES 2 and NetWare support Novell Storage Services as well as their traditional file systems.
Figure 13-1 File System Choices on OES 2 Servers
Table columns: File System Type | Summary | Link for More Information
Novell Storage Services (NSS): NSS lets you manage your shared file storage for any size organization. For an overview of NSS, see “Overview of NSS” in the OES 2 SP3: NSS File System Administration Guide for Linux.
For more information on the various devices that NSS supports, see “Managing Devices” in the OES 2 SP3: NSS File System Administration Guide for Linux.
13.1.4 Storage Basics by Platform
The following sections summarize storage basics for Linux and NetWare.
“Linux and File Systems”...
Page 125
As shown in Figure 13-1 on page 122, you can install traditional volumes and Novell Storage Services (NSS) volumes on both OES platforms. These devices can be installed within the server or attached directly to the server through an external SCSI bus.
Many organizations rely on Novell Client software and the NetWare Core Protocol (NCP) for highly secure file storage services. Novell Storage Services (NSS) volumes are NCP volumes by nature, and you can also define Linux POSIX volumes as NCP volumes. The main difference in access control between NSS volumes and Linux POSIX volumes that are defined as NCP volumes is that NSS extended file and directory attributes are not available on Linux POSIX volumes.
Page 128
POSIX The Novell Storage Services file system is used in NetWare 5.0 and above, and most recently is open sourced and included in the SUSE Linux Enterprise Server (SLES) 9 SP1 Linux distribution and later (used in the Novell Open Enterprise Server Linux product).
Page 129
Ext2 as explained in “Paravirtual Mode and Journaling File Systems” (http://www.novell.com/documentation/sles10/xen_admin/data/sec_xen_filesystem.html) in the Virtualization with Xen (http://www.novell.com/documentation/sles10/xen_admin/data/bookinfo.html) guide. /boot Ext3 Most popular Linux file system; limited scalability in size and number of files ...
Page 130
CIFS (Novell CIFS and Samba): The Common Internet File System (CIFS) protocol is the protocol for Windows networking and file services. Novell CIFS is a ported version of the CIFS file service traditionally available only on NetWare but now available for OES 2.
Page 131
Reiser and NSS the best bets. Novell iFolder maintains its own ACL, so having an NSS file system that supports a rich ACL might be redundant.
Dynamic Storage Technology does not depend on a particular file system in principle; however, it is currently supported only on NSS volumes. Novell plans to add support for additional file systems in the future. When that happens, it will be important to remember that file systems cannot be mixed between volumes and shadow volumes.
You can install NCP Server for Linux to provide NetWare Core Protocol access to Linux POSIX file systems. This allows users running the Novell Client software to map drives to the Linux file system data, with access controls being enforced by NCP.
Users can access data storage on OES 2 servers through a number of methods. For more information, see “Overview of File Services” on page 177. 13.3.3 NetWare 6.5 SP8 Options NetWare 6.5 SP8 supports both the NetWare Traditional file system and Novell Storage Services (NSS). “NetWare Traditional File System” on page 134 ...
Page 135
Table 13-3 Category/Feature / Description / Link
Archive and Version Services: Use Archive and Version Services with NSS volumes to save interval-based copies of files that can be conveniently restored by administrators and users. See the OES 2 SP3: Novell Archive and Version Services 2.1 Administration Guide.
Quotas: Set space restrictions for users and directories to control storage usage. See “Managing Space Quotas for Volumes, Directories, and Users” in the OES 2 SP3: NSS File System Administration Guide for Linux.
Salvage subsystem: Use the salvage subsystem to make deleted files and directories available ... See “Salvaging and Purging Deleted Volumes, Directories, and...
Storing and managing network identities in directory services is a fundamental expectation for networking. In the simplest terms, Novell eDirectory is a tree structure containing a list of objects (or identities) that represent network resources, such as the following: ...
14.2 eDirectory Novell eDirectory is the central, key component of Novell Open Enterprise Server (OES) and provides the following: Centralized identity management The underlying infrastructure for managing your network servers and the services they provide ...
Novell eDirectory 8.8 What's New Guide. 14.2.3 eDirectory Coexistence and Migration Novell Directory Services (NDS) was introduced with NetWare 4.0. The successor to NDS, Novell eDirectory, is also available for Microsoft Windows, Red Hat, and SUSE versions of Linux, as well...
Users can work in a pure Windows desktop environment and still take advantage of some OES back-end services and technology, without the need for a Novell Client™ or even a matching local user account on the Windows workstation. ...
14.4.1 Graphical Overview of DSfW “File Access” on page 141 “User Management” on page 142 “Storage Management” on page 143 File Access [Figure 14-2 DSfW File Access Overview: columns Access Methods, Authentication, File Storage Services; a Windows Explorer or Internet Explorer user authenticates as an eDirectory User ...]
Page 142
Access Methods: Windows Explorer (CIFS) or Internet Explorer (WebDAV Web Folders). No Novell Client can be on the Windows machine.
Authentication: For eDirectory users, authentication through the eDirectory server using common authentication protocols, including Kerberos, NTLM, and SSL/TLS.
File Storage Services: Provided by Samba to NSS or traditional Linux file systems.
Page 143
Table 14-2 DSfW User Management
Management Tools: iManager manages DSfW users like other eDirectory users. MMC manages both AD users and DSfW users as though they were AD users.
Users: DSfW users must have the Default Domain Password policy assigned and a valid Universal Password. DSfW users are automatically enabled for Samba and LUM.
Universal Password in a Name-Mapped Scenario If you install DSfW into an existing tree and your users don’t currently have a Universal Password policy assigned, they won’t be able to log in without the Novell Client until the Universal Password has been set.
Page 145
Install DSfW on a New OES 2 Server When Possible Because of the service limitations mentioned in OES 2 Service Limitations, Novell strongly recommends that you install DSfW on a new server. DNS Configuration As you set up DNS, observe the following guidelines: ...
Page 146
146 OES 2 SP3: Planning and Implementation Guide...
“local” POSIX users on Linux servers. This technology is called Linux User Management or LUM. The following sections outline the basic principles involved in Novell LUM and cover the following topics: ...
The topics in this section are designed to help you understand when LUM-enabled access is required so that your network services are accessible and work as expected. For more information about Linux User Management, see “Overview” in the OES 2 SP3: Novell Linux User Management Administration Guide.
Page 149
Even if eDirectory is not available, you can still log into the server through Novell Remote Manager and perform other system management tasks as the user.
Page 150
About Service Access on OES 2 Novell Linux User Management (LUM) lets you use eDirectory to centrally manage remote users for access to one or more OES 2 servers. In other words, LUM lets eDirectory users function as local (POSIX) users on an OES 2 server.
Page 151
The assumption is that such users are accessing their data root on NSS or NCP volumes by using an NCP storage location object. In both cases, the Novell Trustee Model applies and POSIX ownership is irrelevant. If non-LUM NetStorage users are later enabled for Samba access (which includes LUM-enabling) and begin using Samba as a file service, their NetStorage uploaded files are not accessible through Samba until you change POSIX file ownership.
Page 152
Both Novell trustee assignments and POSIX file ownership are tracked correctly after users are LUM-enabled. Although NetStorage doesn’t require LUM-enabled access, the service itself runs as a POSIX-compliant system User (initially a local user on the OES 2 server) who functions on behalf of the end users that are accessing the service.
15.2.2 Planning The following sections summarize LUM planning considerations. “eDirectory Admin User Is Automatically Enabled for Linux Access” on page 153 “Planning Which Users to Enable for Access” on page 153 “Be Aware of System-Created Users and Groups” on page 153 eDirectory Admin User Is Automatically Enabled for Linux Access When you install Linux User Management on an OES 2 server, the Admin User object that installs LUM is automatically enabled for eDirectory LDAP authentication to the server.
Page 154
For more information, see the OES 2 SP3: Novell Linux User Management Administration Guide. “UNIX Workstation” and “Linux Workstation” Are the Same Thing When you use iManager to manage OES 2 access, you might notice some inconsistencies in naming.
Page 155
Using LUM Utilities at the Command Prompt Novell Linux User Management includes utilities for creating new LUM-enabled groups, and for enabling existing eDirectory groups for Linux access. The nambulkadd utility lets you use a text editor to create a list of groups you want enabled for Linux access.
If you use Novell Client software to provide network file and print services, you can now provide seamless file and print access to OES 2 servers by using the NCP server for Linux and iPrint services. For more information, see Section 17.6, “NCP Implementation and...
Identity Manager Bundle Edition. For more information on Activation issues, see “Activating the Bundle Edition” on page 158. 15.4.4 Getting Started The following sections from the Novell Identity Manager Administration Guide will help you plan, install, and configure your Identity Manager Bundle Edition. Overview (http://www.novell.com/documentation/idm36/install/data/alxkrnf.html) ...
15.4.5 Activating the Bundle Edition If you choose to purchase additional Identity Manager Integration Modules, you need to install the activation credential for those Integration Modules and also the credential for Novell Identity Manager. See Activating Identity Manager Products Using a Credential (http://www.novell.com/documentation/idm36/install/data/brph5hb.html)
Page 159
Up a Connected System (http://www.novell.com/documentation/idm36/admin/data/bs35odr.html) for more information. In order to run Identity Manager on Solaris or AIX, you need to purchase Novell Identity Manager. My drivers stopped working. What happened? You might have installed the Bundle Edition on a non-OES server. The Bundle Edition must be installed on your Linux or NetWare server where OES exists.
Page 160
How do I know what’s activated? For information about how to view currently activated products, see Viewing Product Activations (http://www.novell.com/documentation/idm36/install/data/agfhtax.html).
“Access to OES 2 Services” on page 162 “Access Control Options in OES 2” on page 163 “The Traditional Novell Access Control Model” on page 164 “NSS Access Control on OES” on page 165 Access Control and Authentication...
Page 162
Windows workstations use the CIFS protocol for file services. Novell Client software for both Windows and Linux uses the NetWare Core Protocol (NCP) to provide the file services for which Novell is well known.
Page 163
Access Control Options in OES 2 Because OES 2 offers both traditional Novell access control and POSIX access control, you have a variety of approaches available to you, including combining the two models to serve various aspects of your network services.
Page 164
NSS offers. In the Novell access control model, eDirectory objects, such as users and groups, are assigned File System Trustee Rights to directories and files on NSS and NCP volumes. These trustee rights determine what the user or group can do with a directory or file, provided that the directory or file attributes allow the action.
Page 165
Table 16-2 Access Rights Explanation
eDirectory Objects: eDirectory objects (in most cases ...
File System Trustee Rights: File system trustee rights govern access and usage by the ...
Directory and File Attributes: Each directory and file has attributes associated with it.
Directories and Files: The possible actions by the users and group shown in this example ...
Page 166
NSS volumes. Novell Client (NCP File Services) Access If you have not already determined whether to use the Novell Client on your network, we recommend that you consider the following information: “About the Novell Client” on page 166 ...
Differences between Linux and Windows There are some differences between the Linux and Windows clients. These are documented in “Understanding How the Novell Client for Linux Differs from the Novell Client for Windows 2000/XP” in the Novell Client 2.0 SP3 for Linux Administration Guide.
Page 168
User space quotas Planning Print Service Access Novell iPrint has access control features that let you specify the access that each eDirectory User, Group, or container object has to your printing resources. You can also use iPrint to set up print services that don’t require authentication.
Page 169
[Figure: client platforms (Linux, Mac, Windows, PDAs) and the protocols they use to reach OES servers: Novell AFP; CIFS via Novell CIFS or Samba; iPrint; WebDAV and HTTP via Internet Explorer to NetStorage, Novell CIFS, or Samba; the Novell Client over NetWare Core Protocol (NCP) for files; PDAs use NetStorage only]
Novell Client access. This means that Windows users with the Novell Client installed can now be seamlessly transitioned to file services on OES 2. And with the Novell Client for Linux, Windows users can be moved to SUSE Linux Enterprise Desktop with no disruption in NCP file services.
Page 171
Using the Novell Client to Change File and Directory Attributes and Trustee Rights You can use the Novell Client to change NSS file and directory attributes and to grant trustee rights to an NSS volume on an OES 2 server. For more information, see “NetWare File...
OES online documentation. NetIdentity Agent In OES 2, the NetIdentity Agent works with Novell eDirectory authentication to provide background eDirectory authentication to NetStorage through a secure identity “wallet” on the workstation. NetIdentity Agent browser authentication is supported only by Windows Internet Explorer.
Page 173
NetWare 6.5. Novell Modular Authentication Services (NMAS) Novell Modular Authentication Services (NMAS) lets you protect information on your network by providing various authentication methods to Novell eDirectory on NetWare, Windows, and UNIX networks. These login methods are based on three login factors: ...
Page 174
Novell Password Management 3.3.1 Administration Guide. All Novell products and services are being developed to work with extended character (UTF-8 encoded) passwords. For a current list of products and services that work with extended characters, see Novell TID 3065822 (http://www.novell.com/support/search.do?cmd=displayKC&docType=kc&externalId=3065822&sliceId=1&docTypeID=DT_TID_1_1&dialogID=77556590&stateId=0%200%2077560425).
Universal Password. Universal Password is not automatically enabled unless you install Novell AFP, Novell CIFS, Domain Services for Windows, or Novell Samba on an OES 2 server. You can optionally choose to have the Samba hash password stored separately.
Page 176
The file service components in OES are generally compatible. However, you cannot run Novell Samba on the same OES 2 server as Novell AFP, Novell CIFS, or Domain Services for Windows, which is not reviewed as a file service but does include an alternative Samba file service.
NetWare Core Protocol (NCP) is the technology beneath many of the network services for which NetWare is famous. In OES, NCP is also available on Linux. The Novell NCP Server for Linux provides the rich file services that Novell is known for. Windows and Linux users who run Novell Client software can now access data, manage files and folders, map drives, etc., using the same methods as they do on...
“Common Network File Storage Problems” on page 179 “Novell NetStorage on Linux” on page 180 NetStorage makes network files available anywhere, any time. Common Network File Storage Problems Network file access is often confusing and frustrating to users, as illustrated in Figure 17-2.
Page 180
Novell NetStorage on Linux NetStorage on Linux provides local and Web access to files on many systems without requiring the Novell Client (see Figure 17-3).
Page 181
[Figure 17-3 How NetStorage Works on OES 2: columns Access Methods, Authentication, NetStorage Server, Target Servers; Windows Explorer (CIFS), WebDAV, and browser (HTTP) access authenticates through eDirectory/LDAP to the NetStorage server, which manages target servers: CIFS shares (NFAP), CIFS shares (Samba), Windows servers, Linux OES 2 traditional volumes, and NetWare Traditional volumes ...]
SSH Access Required?” on page 17.1.5 Novell AFP The Novell AFP service lets users on Macintosh workstations access and store files on OES 2 servers with NSS volumes without installing any additional software, such as the Novell Client (see Figure 17-4).
OES 2 server. 17.1.6 Novell CIFS The Novell CIFS service lets users on Windows workstations access and store files on OES 2 servers with NSS volumes without installing any additional software, such as the Novell Client (see Figure 17-4).
Files on the OES 2 server are accessed and maintained with the HTTP-WebDAV protocol. 17.1.7 Novell iFolder 3.8 Novell iFolder 3.8 supports multiple iFolders per user, user-controlled sharing, and a centralized network server for file storage and secure distribution (see Figure 17-6).
Page 185
Novell iFolder 3.8 Services: Linux, Mac, and Windows workstation users who have the Novell iFolder Client installed can access and modify their files in one or more workstation folders. All file service access is controlled by LDAP-based authentication through the ... Slave servers can be added as needed, providing the ability to ...
17.1.8 Novell Samba Samba on an OES 2 server provides Windows (CIFS and HTTP-WebDAV) access to files stored on the OES 2 server (see Figure 17-7). [Figure 17-7 How Samba on OES Works: columns Access Methods, Authentication, File Storage Services; CIFS ...]
Table 17-8 OES File Services Feature Breakdown: Service / Access Method Features / Back-End Storage Features / Security Features
NCP Server (NetWare Core Protocol): Novell Client (NCP client). Any Linux volumes (including NSS) that are defined as NCP volumes. eDirectory Authentication ...
17.2.2 Comparing Your CIFS File Service Options OES 2 SP3 offers three file services that use the CIFS protocol: Novell CIFS, Novell Samba, and Samba in Domain Services for Windows (DSfW).
Page 189
Table 17-9 Comparing OES 2 CIFS Solutions: Item / Novell CIFS / Novell Samba / Samba in DSfW
Authentication: Novell CIFS requires a Password policy that allows the CIFS proxy user to retrieve ... Novell Samba requires a Samba-compatible Password policy for compatibility ... Samba in DSfW requires the Domain Services Password policy for DSfW users.
NetStorage: There are no disk space requirements because NetStorage provides access only to other file storage services. Novell AFP: Allocate enough disk space for the partition containing the /home directories to meet your users’ file storage needs. Novell CIFS: Allocate enough disk space for the partition containing the /home directories to meet your users’...
Novell Client 2.0 SP3 for Linux Administration Guide. Because NCP is now available on Linux, Novell Client users can attach to OES 2 servers as easily as they have been able to attach to NetWare servers. The NCP Server for Linux enables support for login script, mapping drives to OES 2 servers, and other services commonly associated with Novell Client access.
OES 2 includes Samba software to provide Microsoft CIFS and HTTP-WebDAV access to files on the server. Like Novell CIFS, this is useful to those who don’t want to use the Novell Client. There is no migration path from Novell CIFS (NFAP) to Samba.
For more information on ACLs, see “Access Control Lists” (http://www.novell.com/documentation/sles10/sles_admin/data/cha_acls.html) in the SLES 10 SP3: Installation and Administration Guide (http://www.novell.com/documentation/sles10/sles_admin/data/sles_admin.html). The Linux chown command lets you change the file owner and/or group to a LUM user or a LUM-enabled group.
Those familiar with the binary number system find this method an easy way to remember what each number represents. For example, the command chmod 777 /home would grant read, write and execute rights (7) to owner, group, and other for the /home directory, while chmod 700 /home would grant the three rights to only the directory owner, with group and other having no rights.
where group is the group name, path is the file path to the work area, and group_dir is the group work directory. The -R option applies the action to all subdirectories and files in group_dir. 2 Grant the group read, write, and execute rights (. . . rwx . . .). (Owner and other permissions are represented by dots because their settings are irrelevant.) For example, you could enter chmod -R 770 /path/group_dir...
OES 2 SP3: NCP Server for Linux Administration Guide. 17.5 Novell FTP (Pure-FTPd) and OES 2 FTP file services on OES 2 servers are provided by Pure-FTPd, a free (BSD), secure, production-quality and standard-conformant FTP server. The OES implementation includes support for eDirectory LDAP authentication and the same FTP/SFTP gateway functionality as on NetWare.
/etc/pure-ftpd/pure-ftpd.conf file to pure-ftpd1.conf and move it to /etc/opt/novell/pure-ftpd1.conf. 2 Modify the following settings in the configuration file to avoid IP address or port conflicts between the instances: PIDFile: Points to the full path of the PID file created by the pure-ftpd instance. The PID file is used for unloading a particular instance of pure-ftpd.
Page 198
Bind 10.1.1.1,21 and Bind 10.1.1.2,21. 3 Load the new instance using /usr/sbin/pure-config.pl <Full path of the config file>. For example, /usr/sbin/pure-config.pl /etc/opt/novell/pureftpd-confs/pure-ftpd1.conf loads an instance using the config file /etc/opt/novell/pureftpd-confs/pure-ftpd1.conf. Verifying the Load of a New Instance Use the following methods to verify that the new instance of pure-ftpd is successfully loaded: ...
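Step 2 says to avoid IP address and port conflicts between the instances; checking that mechanically before loading is cheap, and a copied-but-unedited config is exactly the case that slips through. The following Python is an added example, not part of this guide or of Pure-FTPd: it parses the Key value format of pure-ftpd.conf, reads each instance's Bind and PIDFile, and reports collisions. The two config fragments and their addresses and paths are constructed sample values.

```python
from collections import defaultdict

# Constructed pure-ftpd config fragments standing in for the default
# /etc/pure-ftpd/pure-ftpd.conf and a second instance copied from it. Keys and
# the "address,port" Bind syntax follow pure-ftpd.conf; the addresses and
# paths are sample values, not taken from any deployment.
INSTANCE_CONFS = {
    "pure-ftpd.conf": """\
# Default instance
ChrootEveryone              yes
Bind                        10.1.1.1,21
PIDFile                     /var/run/pure-ftpd.pid
""",
    "pure-ftpd1.conf": """\
# Second instance: copied from the default and not yet edited
ChrootEveryone              yes
Bind                        10.1.1.1,21
PIDFile                     /var/run/pure-ftpd.pid
""",
}


def parse_conf(text):
    """Parse pure-ftpd's 'Key value' lines; '#' starts a comment.

    Returns a dict. If a key is repeated, the last occurrence wins, which is
    also how a single-valued setting ends up being used by the daemon.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        conf[parts[0]] = parts[1].strip() if len(parts) == 2 else ""
    return conf


def parse_bind(value):
    """Split a Bind value 'address,port' into (address, port).

    pure-ftpd also accepts a bare port, meaning every address; that case is
    represented here as the wildcard address '*'.
    """
    if "," in value:
        addr, port = value.rsplit(",", 1)
    else:
        addr, port = "*", value
    port = int(port)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range in Bind {value!r}")
    return addr.strip(), port


def find_conflicts(confs):
    """Return a sorted list of conflicts between instance configs.

    Two instances conflict when they share a PIDFile (the second start would
    overwrite the first instance's PID, so it can no longer be unloaded
    cleanly), when they bind the same address and port, or when one binds the
    wildcard address on a port that another binds specifically.
    """
    pid_owners = defaultdict(list)   # pid path -> [config names]
    bind_owners = defaultdict(list)  # (addr, port) -> [config names]
    for name, text in confs.items():
        conf = parse_conf(text)
        if "PIDFile" in conf:
            pid_owners[conf["PIDFile"]].append(name)
        if "Bind" in conf:
            bind_owners[parse_bind(conf["Bind"])].append(name)

    problems = []
    for pid, names in pid_owners.items():
        if len(names) > 1:
            problems.append(f"PIDFile {pid} shared by {', '.join(sorted(names))}")
    for (addr, port), names in bind_owners.items():
        if len(names) > 1:
            problems.append(f"Bind {addr},{port} shared by {', '.join(sorted(names))}")
        if addr != "*" and ("*", port) in bind_owners:
            others = bind_owners[("*", port)]
            problems.append(
                f"Bind {addr},{port} in {', '.join(sorted(names))} overlaps "
                f"wildcard bind on port {port} in {', '.join(sorted(others))}")
    return sorted(problems)
```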
Page 199
[Figure: a user on a workstation running FTP client software connects to the local Linux FTP server on an OES server; after logging in to the FTP server, the user can access files on the local Linux server and on OES/NetWare servers running NetWare 4.1 or later that do not run the FTP service ...]
Page 200
Entry / Value / Reason Why
ChrootEveryone: yes. Restricts users to logging in only to their home directories; they cannot navigate to other directories, including remote OES servers.
AnonymousOnly: yes. Allows only anonymous logins.
NSS volume. Configuring Active/Active Mode 1 Install pure-ftpd on all the cluster nodes by selecting Novell FTP in the OES install. Upgrade pure-ftpd on all the nodes with the test RPM. 2 Enable hard links on the shared NSS volumes.
17.6 NCP Implementation and Maintenance If you have installed the NCP server for OES, eDirectory/Novell Client users can access files on the OES 2 server with no additional configuration. The implementation information in the following sections can help you get started with NCP on OES 2 servers.
You can use the same methods for assigning file trustee rights on NCP volumes on OES 2 servers that you use when assigning them on NetWare. For example, the Novell Client can be used by anyone with the Access Control right on the volume, or the root user can use the ncpcon utility >...
17.7.1 About Automatic Access and Storage Locations The inherent value of NetStorage lies in its ability to connect users with various servers and file systems. Some connections are created automatically depending on the OES platform where NetStorage is installed. Other connections must be created by the network administrator. In summary, NetStorage provides automatic access to: ...
Guide. 17.8 Novell AFP Implementation and Maintenance To use the Novell implementation of AFP file services on your OES 2 server, you must install the service by using the instructions in the OES 2 SP3: Installation Guide (for a new installation) or install it after the initial OES installation, as explained in “Installing AFP after the OES2 SP 3...
Guide. 17.9 Novell CIFS Implementation and Maintenance To use the Novell implementation of CIFS file services on your OES 2 server, you must install the service by using the instructions in the OES 2 SP3: Installation Guide (for a new installation) or install it after the initial OES installation, as explained in “Installing and Configuring a CIFS Server...
Novell iFolder 3.8.4 Administration Guide. 17.10.2 Configuring Novell iFolder 3.8 Servers Before you let users log in to the Novell iFolder 3.8 server, be sure you complete all the setup tasks in “Installing and Configuring iFolder Services” (including “Configuring iFolder Web Admin”...
17.11.1 Implementing Samba File Services All users whose accounts have been enabled for Samba access can access the OES 2 server as they would any Windows server. For instructions on implementing Samba, see “Installing Samba for OES 2” in the OES2 SP3: Samba Administration Guide.
Search Engine (QuickFinder) Open Enterprise Server 2 includes the Novell QuickFinder Server. QuickFinder lets you add search functionality to any Web site or internal intranet. It can index and find matches within a wide variety of data types. It also supports rights-based searches so that users see only what they have rights to see, depending on the type of index created and the file system indexed.
Page 210
Print to installed printers from any location (including the Web) through an IP connection. The information in this section provides a high-level overview of Novell iPrint print services. It is designed to acquaint you with basic iPrint functionality so you understand the configuration steps you need to perform to provide iPrint print services, and understand how iPrint functions from the user’s perspective.
19.1.2 iPrint Components A Novell iPrint installation consists of various components, most of which are represented by objects in your eDirectory tree: Print Driver Store (Linux): This is a repository that stores the drivers on an OES 2 server for your network printers.
[Figure 19-1 How iPrint Works: columns Authentication (Windows only), Access, Printing Services; a browser on a Linux, Macintosh, or Windows workstation reaches the iPrint server (OES server) over HTTP, opens the print page, and installs a printer using the native printer installation method for the platform, with drivers served from the Driver Store (Linux) or Broker (NetWare)]
Although the Common UNIX Printing System (CUPS) software is also installed with SLES 10, CUPS is disabled to avoid port 631 conflicts. For information on upgrading from NetWare queue-based printing, Novell Distributed Print Services (NDPS), or previous versions of iPrint, see “Installing iPrint...
2 Add a printer driver to the Driver Store or Broker for each printer/platform combination needed. For example, if you have Windows XP, Windows 2000, and Novell Linux Desktop (NLD) workstations on your network and you have four different printer types, you need to add four printer drivers for each platform (a total of 12 printer drivers) to the Driver Store or Broker.
19.5 Print Services Maintenance Suggestions As you add printers to your network or move them to different locations, be sure to update your iPrint installation to reflect these changes. After your installation is completed and users are printing, you can monitor print performance by using the information located in “Using the Print Manager Health Monitor”...
Web Services The Web and application services in Open Enterprise Server 2 support the creation and deployment of Web sites and Web applications that leverage the widespread availability of Internet-based protocols and tools. With the proper Web components in place, a server can host dynamic Web sites where the content changes according to selections made by the user.
Page 218
OES 2 SP3 includes the NSS Auditing Engine, which is installed by default with NSS. The auditing engine provides an interface that auditing client applications, such as Novell Sentinel and various third-party products, can access. Information about the auditing engine SDK is available...
inherited rights modified Novell Sentinel Log Manager 90-Day Free Trial Novell Sentinel Log Manager runs on a 64-bit SLES 11 host. You can download the suite from the Novell Download Web site (http://download.novell.com/Download?buildid=o8BgsbCidWg~). For installation and usage instructions, see the Novell Log Management Readme and Release Notes included as a link on the download page.
Section 21.2.2, “User Restrictions: Some OES 2 Limitations,” on page 223 21.2.1 Comparing the Linux and the Novell Trustee File Security Models The Novell Trustee and Linux (POSIX) security models are quite different, as presented in Table 21-1. Table 21-1 POSIX vs.
Page 222
Feature / POSIX / Linux / Novell Trustee Model on OES 2
Default accessibility: POSIX / Linux: Users have permissions to see most of the file system. The contents of a few directories, such as ... Novell Trustee Model on OES 2: Users can see only the directories and files for which they are trustees (or members of a group that is a trustee).
Security section in the OES online documentation. 21.4 Links to Product Security Considerations The following product documentation contains additional security information: Table 21-2 Security Consideration Links: Product/Technology / Security Considerations Section Link
AppArmor: Novell AppArmor Administration Guide (http://www.novell.com/documentation/apparmor/apparmor201_sp10_admin/data/book_apparmor_admin.html)
Page 224
“Security Considerations for Archive and Version Services” in the OES 2 SP3: Novell Archive and Version Services 2.1 Administration Guide Domain Services for Windows OES 2 SP3: Novell Domain Services for Windows Security Guide Dynamic Storage Technology “Security Considerations” in the...
QuickFinder Server 5.0 Administration Guide
SuSEfirewall2: “Masquerading and Firewalls” (http://www.novell.com/documentation/sles10/book_sle_reference/data/cha_fire.html) in the SLES 10 SP3 Installation and Administration guide (http://www.novell.com/documentation/sles10/book_sle_reference/data/book_sle_reference.html)
21.5 Links to Anti-Virus Partners See the Partners and Communities page on Novell.com (http://www.novell.com/products/openenterpriseserver/partners_communities.html).
Page 226
serverkey.pem: This contains the server’s raw private key. servercert.pem: This contains the server’s certificates. OES 2 services, such as Apache, OpenWBEM, and Novell Remote Manager, are also configured to use these certificates. Certificate Management...
“Installation of eDirectory Certificates” on page 228 “What Is Installed Where” on page 228 “Novell Certificate Server” on page 229 “Server Self-Provisioning” on page 229 “PKI Health Check” on page 229 Installation of eDirectory Certificates As you install eDirectory and OES 2, by default all HTTPS services are configured to use eDirectory certificates.
Page 229
This certificate server provides public key cryptography services that are natively integrated into Novell eDirectory. You can use the server to mint, issue, and manage both user and server certificates to protect confidential data transmissions over public communications channels such as the Internet.
Automatic maintenance requires that Server Self-Provisioning be enabled as follows: 1 On the server you are configuring, in iManager > Roles and Tasks, click the Novell Certificate Access > Configure Certificate Authority option.
Page 231
1 Launch Novell iManager. 2 Log into the eDirectory tree as the Admin user. 3 Select the Roles and Tasks menu, then click Novell Certificate Server > Configure Certificate Authority. 4 Click the Certificates tab, then select the self-signed certificate.
6 Browse to the certificate file you downloaded in “Exporting the CA’s Self-Signed Certificate” on page 231 and click Open. 7 Select Trust this CA to identify Web sites, then click OK > OK > OK. Firefox now trusts certificates from the servers in the tree. Importing the CA Certificate into Internet Explorer 6 and 7 on Windows 1 Launch Internet Explorer.
Page 233
Certificate Option Setting | Scenario | Default Result | If You Change the Default Setting
Add-on to SLES 10 or post-install | Selected | All HTTPS services on the server are configured to use eDirectory certificates. | The current service certificates and configurations are retained.
Upgrade from | Selected | All HTTPS services are | The current service certificates...
Adding Services to OES 2 Servers You can add services to Open Enterprise Server 2 servers after they are installed. OES 2 is a set of services that can be either added to an existing server or installed at the same time as SUSE Linux Enterprise Server 10 SP1.
Changing an OES 2 Server’s IP Address The instructions in this section let you change the IP address assigned to an OES 2 SP3 server and the services it hosts. Section B.1, “Caveats and Disclaimers,” on page 237 Section B.2, “Prerequisites,”...
If the server is running Novell Cluster Services: 1 Check your plans against the prerequisites for clusters in “IP Address Requirements” in the OES 2 SP3: Novell Cluster Services 1.8.8 Administration Guide for Linux. 2 Follow the instructions in “Changing the IP Addresses of Cluster Resources”...
2 In the Login dialog box, type the Admin username and password, type the new master IP address in the Tree field, then click Login. 3 Click Novell Certificate Server > Repair Default Certificates. 4 In Create Server Certificate > Step 1 of 3, browse to and select the server object for the server you are changing.
“Deleting a Virtual Search Server” and “Creating a Virtual Search Server” in the OES 2 SP3: Novell QuickFinder Server 5.0 Administration Guide. 2 Regenerate the QuickFinder index by completing the instructions in “Creating Indexes” in the OES 2 SP3: Novell QuickFinder Server 5.0 Administration Guide.
Page 241
2 Select the domain name from the drop-down list, then click Search. This is the domain name whose IP address is to be changed (in this example, it is the ‘A’ record). 2a Specify the Host Name using the search feature. 2b Select the '@' record and click Modify to replace the IP address with the new IP address.
2c Click Done. A message indicates that the A record has been successfully modified. 3 Execute the following steps to rename and move the Reverse Lookup object: 3a Click iManager > Directory Administration > Rename Object. Search for and select the Reverse Lookup object from eDirectory. 3b In the New Object Name field, specify the name of the Reverse Lookup object with the new IP address.
B.7 Modifying a Cluster If the server is running Novell Cluster Services, complete the instructions in “Modifying the Cluster Configuration Information” in the OES 2 SP3: Novell Cluster Services 1.8.8 Administration Guide for Linux.
Updating/Patching OES 2 Servers One of a network administrator’s biggest challenges is keeping installed software up-to-date on all servers and workstations. You can install product updates as they are made available through the ZENworks Linux Management update channel. For instructions on setting up the ZENworks Linux Management update channel for each OES 2 server and running the patch process, see “Updating (Patching) an OES 2 SP3...
Purge Delay setting times out or space is needed on the volume. D.2 System-Wide Services OES 2 offers both Novell Storage Management Services and services that are available as part of the SUSE Linux Enterprise Server 10 distribution. ...
In OES 2, the SMS API framework is available on SLES 10 so that there is a single consistent interface to back up file systems on NetWare, file systems on Linux, and Novell applications such as GroupWise and Novell iFolder. The API set has been enhanced to include new functionality for OES.
Page 249
For WebDAV access, use: http:// or https://server_ip_or_dns/oneNet/NetStorage Novell 1. Install the Novell Client on a supported Windows Client workstation. 2. Log in to eDirectory. 3. Access NCP volumes on NetWare or Linux that you have the appropriate file trustee rights to.
Page 251
Microsoft Internet Explorer 6 (latest SP) Microsoft Internet Explorer 7 (latest SP) Apple Safari 3.1 Table F-1 provides service-specific links and information about browser support in Novell OES. Browser Support in OES Table F-1 Management Tool Supported Browser Information Link ...
Page 252
Management Tool | Supported Browser Information Link
Tomcat Manager | “Managing Tomcat with Tomcat Admin” in the NW 6.5 SP8: Tomcat Administration Guide...
Page 253
Client/Workstation OS Support As a general rule, Open Enterprise Server 2 services can be accessed and administered from workstations running the following operating systems: SUSE Linux Enterprise Desktop 10 SP2 Microsoft Windows XP SP2 and SP3 Microsoft Windows Vista Business SP1 ...
Page 255
OES 2 Service Scripts Novell Open Enterprise Server 2 services rely on specific service scripts located in /etc/init.d. The scripts used by OES 2, some of which are standard Linux scripts, are listed in Table H-1. IMPORTANT: For managing OES 2 services, we strongly recommend using the browser-based tools outlined in Section 11.1, “Overview of Management Interfaces and Services,”...
Page 256
NetStorage runs inside the novell-xsrvd XTier Web Services daemon, and novell-xsrvd also uses Tomcat services for certain other functions. novell-xregd is the init script for starting and stopping XTier’s registry daemon. It is part of the novell-xtier-base RPM and is enabled by default for run levels 2, 3, and 5.
Page 257
CIMOM daemon, which is an integral part of the iManager plug-ins for LUM, Samba, NSS, SMS, and NCS. iPrint and NRM also use OpenWBEM. Novell Remote Manager on OES 2 gets its server health information from CIMOM. Patching novell-zmd This is the GUI patch updater daemon.
System User and Group Management in OES 2 SP3 This section discusses the users and groups that are used by Open Enterprise Server. Administrative users are discussed in Appendix J, “Administrative Users in OES 2 SP3,” on page 285. Section I.1, “About System Users and Groups,”...
Table I-1 Types of System Users and Groups with Examples
System User or Group Type | Purpose | Examples
Proxy User | Perform very specific service-related functions, such as retrieving passwords and service attributes, and writing service information in eDirectory. | cifsProxyUser-servername, LUM_Proxy_user
XTier
novlxtier | System Group | XTier
OESCommonProxy_hostname | System User | CIFS, DNS, DHCP, iFolder, NetStorage, Clustering (NCS), Linux User Management (optional)
server_name-SambaProxy | Proxy User | Samba (Novell)
server_name-W-SambaUserGroup | System Group | Samba (Novell)
server_nameadmin Proxy User System Group Apache Tomcat QuickFinder
wwwrun | System User | Apache
I.2 Understanding Proxy Users...
OES provides the Novell services that were previously only available on NetWare. To make its services available on Linux, Novell had to accommodate a fundamental difference between the way services run on NetWare and the way they run on Linux.
Page 263
For more information, see “OES Common Proxy User in eDirectory 8.8.6” in the OES 2 SP3: Novell Cluster Services 1.8.8 Administration Guide for Linux. DHCP OESCommonProxy_hostname Lets the service access DHCP objects in eDirectory.
However, unlike other OES services that can share proxy users, NSS requires a unique proxy user for each server. Samba (Novell) server_name-SambaProxy Searches the LDAP tree (eDirectory) for Samba users. I.2.4 What Rights Do Proxy Users Have? Each OES service’s YaST installation automatically adds the required rights to the proxy user...
Page 265
Table I-4 Proxy Users Rights
Associated Service | Example Proxy User Name | Default Rights Granted
AFP | Starting with SP3, AFP no longer requires a proxy user.
Archive Versioning | Archive Versioning Proxy | This user has Read and Write rights to the archived volume. ...
“Why Would I Want to Specify Common Proxy Users?” on page 267 “Why Has a Proxy User Been Added to Novell Cluster Services?” on page 267 “Which Services Leverage the Common Proxy User?” on page 267 ...
Page 267
Automatic password management for common proxy users ensures that services are never disrupted because of an expired password. Why Has a Proxy User Been Added to Novell Cluster Services? For SP3, the eDirectory communication functionality that was previously performed by the designated NCS administrator has been separated out so that it can now be performed by a system user if desired.
Page 268
Novell Cluster Services Linux User Management (proxy user is optional) Services that Cannot Leverage the Common Proxy User The following services that use proxy users do not leverage the Common Proxy user for the reasons listed:
Service | Reason
Archive and Version Services | This service uses the installing administrator, as in the past.
Your Admin password is 123abc. You want to create a common proxy user and assign it as the common proxy for the Novell DNS and DHCP services running on the server. Therefore, you enter the following commands:
cd /opt/novell/proxymgmt/bin
move_to_common_proxy.sh -d cn=admin.o=novell -w 123abc -i 10.10.10.1 -p...
User cn=OESCommonProxy_myserver.o=novell is created with a system-generated password and assigned the Common Proxy Policy password policy. The DNS and DHCP services are configured to be serviced by the Common Proxy user. Changing Proxy Passwords Automatically You can configure your server so that your proxy users are regularly assigned new system-generated...
Page 271
Table I-5 Proxy User Creation Options
Service | Proxy User Name if Applicable | Associated Service Creation Information
AFP | Beginning with OES 2 SP3, the need for an AFP proxy user has been eliminated.
Archive Versioning | admin | The admin account that installs the server is automatically assigned as the Archive and Versioning proxy user.
Page 272
Service | Proxy User Name if Applicable | Associated Service Creation Information
DNS | OESCommonProxy_hostname | Common Proxy User: If a Common Proxy User is specified, DNS will be automatically configured to use it by default, but you have the option to change this.
Page 273
Base Context for Samba Users and is named servername-sambaProxyUser. You specify the password for this user when you configure Novell Samba. You can specify another eDirectory user as the Samba proxy user. If you do, be aware of the following: ...
The following is a real-life example of risks that can occur when admin users are assigned as proxy users: Novell Support received a call from an administrator who was getting locked out due to intruder detection after changing the administrator password. The lockout happened several times each day and seemed to be coming from the OES 2 servers.
Page 275
Table I-6 Options for Limiting the Number of Proxy Users
Approach | Security Considerations | Manageability Considerations
Per Service per Server (default) | For CIFS, iFolder 3, NSS, and Samba this is the most secure option. | This approach requires no proxy user planning. Services are installed at the same time as the OES...
Per Service | This confines any security vulnerabilities to individual services. It also ensures that proxy user rights are not... | For example, you might have one proxy user for CIFS, one for DNS/DHCP, one for iFolder, one for iPrint, etc. This is useful in trees where the users and servers are not co-located, and different services are administered...
Page 277
IMPORTANT: Although the YaST-based install can sometimes be used successfully to reconfigure some OES services, Novell neither recommends nor supports that practice. Avoid Password Expiration Problems Many organizations require that all network users have password policies to enforce regular password expiration and change.
For example, you might insert the following entries:
cn=OESCommonProxyUser_myserver.o=novell
cn=myproxy.o=novell
3 Save the file. 4 Enter the following commands:
cd /opt/novell/proxymgmt/bin
change_proxy_pwd.sh -A Yes
I.5 Implementing Your Proxy User Plan The proxy users in OES can be configured at different levels within eDirectory, depending on your needs.
After the server is installed and you have created the required proxy users and passwords, you can install the OES services and configure them to use the proxy users you have created. The exception to this is installing all services without changing the default configuration settings (see Table I-5 on page 271).
Do the following: 1. Create one proxy user object per OES server (preferably in the same container as the server) and set the password. 2. Use this proxy user and password as the proxy user for all the services on that particular OES server.
This user is created by CIMOM but is not currently used.
novlxregd | XTier | The XTier Registry Daemon (novell-xregd) runs as this user. When NSS is installed on the Linux server, this user is removed from the local system and created as a LUM-enabled user in eDirectory.
This is required because members of this group must have access to NSS data, and all NSS access is controlled through eDirectory.
server_name-W-SambaUserGroup | Samba (Novell) | All users granted Samba access are originally assigned to this group, which disables SSH access for them on the server.
Page 283
If you are interested in monitoring such activities, two Novell products can assist you. Novell Sentinel: Universal Password events can be monitored using Novell Sentinel. You enable this by modifying the NMAS Login Policy Object. For instructions, see Auditing NMAS Events (http://www.novell.com/documentation/nmas33/admin/data/bwmt40o.html).
Administrative Users in OES 2 SP3 Every OES network requires at least one administrative-level user to manage regular network users and system users. Administrative Users and Groups Table J-1 Administrative User or Group Associated Service Object Type Purpose Admin eDirectory Admin User The eDirectory administrator that has all rights to manage the Tree.
DSfW is not classified as a file service, but it includes a customized version of Samba that is different from Novell Samba. Each of these services requires that users who access them have Password policies that meet specific requirements. Users can be governed by only one Password policy at a time, so if any of your network users require access to more than one of the file services, you need to coordinate the Password policies that govern the users to ensure that they can access the different file services.
8.8.2 installed. On OES 1 and NetWare servers with a lone writable replica of an AFP or CIFS user, NMAS should be upgraded by upgrading to Novell Security Services 2.0.6 on eDirectory 8.7.3 SP10 or eDirectory 8.8.2.
Page 289
S9 serves its volumes over AFP, Samba, and NCP. NOTE: Although Novell CIFS and Samba can both be installed on the same machine, they cannot run together because of a port conflict. The administrator can configure either Samba or Novell CIFS on a single machine, but not both.
User Access to Services Users from all over the tree can access services running on S1-S9. In order for users to be able to access AFP/CIFS services, the search contexts (eDirectory contexts) for these services should be configured to the subtrees under which those users can be found. Rights Required for Installation and Administration Installation and configuration in iManager must be done by an OES administrator.
Non-DSFW Server If the first server in the tree is a non-DSFW server, then any combination of AFP, Novell CIFS, or Samba can be installed on this server. Because the tree is being newly created, the users, the proxy users (system users), and the Password policies will not be present.
Page 292
3 Use iManager to create a system user (proxy user) to be used for the OES services. 4 Use the YaST install to configure the Novell AFP and Novell CIFS services as follows: 4a Use an auto-generated common proxy user for all the services.
Use the same procedure as for S5. Either use a common proxy user for all the services (AFP), or allow auto-generation of the proxy user/password for each AFP. K.4.2 Deployment Scenario 2: Mutually Exclusive Users In some trees, AFP, CIFS, and Samba might be employed, but the users are partitioned in such a way that each user has access to AFP, to CIFS, or to Samba, but not to all of them.
Documentation Updates This section summarizes the changes made to this manual since the initial release of Novell Open Enterprise Server 2.
December 2010
Chapter or Section Changed | Summary of Changes
Entire guide | General updates for SP3.
July 15, 2010
Chapter or Section Changed | Summary of Changes
Section 1.5.1, “Dynamic Storage...
Page 296
Summary of Changes “SLP” on page 111. Removed all information and instructions that refer to incompatibilities between Novell SLP and OpenSLP. This information was outdated. Although there are differences in the two SLP services (see Table 12-4 on page 112), they are completely compatible regarding the sharing of service information.