Novell LINUX ENTERPRISE DESKTOP 10 SP2 - DEPLOYMENT GUIDE 08-05-2008 Deployment Manual

SUSE Linux Enterprise Desktop 10 SP2, Deployment Guide, May 08, 2008, www.novell.com


Summary of Contents for Novell LINUX ENTERPRISE DESKTOP 10 SP2 - DEPLOYMENT GUIDE 08-05-2008

  • Page 1 SUSE Linux Enterprise Desktop 10 SP2 www.novell.com Deployment Guide May 08, 2008...
  • Page 2 The express authorization of Novell, Inc must be obtained prior to any other use of any manual or part thereof. For Novell trademarks, see the Novell Trademark and Service Mark list http://www.novell...
  • Page 3: Table Of Contents

    Contents: About This Guide (xiii); Part I, Deployment; 1 Planning for SUSE Linux Enterprise Desktop; Hardware Requirements; Reasons to Use SUSE Linux Enterprise Desktop.
  • Page 4 4 Remote Installation; Installation Scenarios for Remote Installation; Setting Up the Server Holding the Installation Sources; Preparing the Boot of the Target System; Booting the Target System for Installation.
  • Page 5 9 Updating SUSE Linux Enterprise; Updating SUSE Linux Enterprise; Installing Service Packs; Software Changes from Version 9 to Version 10.
  • Page 6 13.4 Handling ACLs; 13.5 ACL Support in Applications; 13.6 For More Information.
  • Page 7 18.5 Creating Boot CDs; 18.6 The Graphical SUSE Screen; 18.7 Troubleshooting.
  • Page 8 23 The X Window System; 23.1 Manually Configuring the X Window System; 23.2 Installing and Configuring Fonts; 23.3 For More Information.
  • Page 9 29 Wireless Communication; 29.1 Wireless LAN; 29.2 Bluetooth; 29.3 Infrared Data Transmission.
  • Page 10 35.2 Structure of an LDAP Directory Tree; 35.3 Configuring an LDAP Client with YaST; 35.4 Configuring LDAP Users and Groups in YaST.
  • Page 11 43 Confining Privileges with AppArmor; 43.1 Installing Novell AppArmor; 43.2 Enabling and Disabling Novell AppArmor.
  • Page 12 45.7 Package Documentation; 45.8 Usenet; 45.9 Standards and Specifications.
  • Page 13: About This Guide

    About This Guide This guide is intended for use by professional network and system administrators during the actual planning, deployment, configuration, and operation of SUSE Linux Enterprise®. As such, it is solely concerned with ensuring that SUSE Linux Enterprise is properly configured and that the required services on the network are available to allow it to function properly as initially installed.
  • Page 14: Additional Documentation

    Security This edition of SUSE Linux Enterprise includes several security-related features. It ships with Novell® AppArmor, which enables you to protect your applications by restricting privileges. Secure login, firewalling, and file system encryption are covered as well. Troubleshooting SUSE Linux Enterprise includes a wealth of applications, tools, and documentation should you need them in case of trouble.
  • Page 15 Novell AppArmor Administration Guide An in-depth administration guide to Novell AppArmor that introduces application confinement for heightened security in your environment. For a documentation overview on the SUSE® Linux Enterprise Server product, refer to http://www.novell.com/documentation/sles10/index.html. The following manuals are exclusively available for SUSE Linux Enterprise Server: Start-Up Guide Basic information about installation types and work flows.
  • Page 16: Documentation Conventions

    4 Documentation Conventions The following typographical conventions are used in this manual: • /etc/passwd: filenames and directory names • placeholder: replace placeholder with the actual value • PATH: the environment variable PATH • ls, --help: commands, options, and parameters • user: users or groups •...
  • Page 17: Part I Deployment

    Part I. Deployment...
  • Page 19: Planning For Suse Linux Enterprise Desktop

    Chapter 2, Deployment Strategies (page 7). How do you get software updates for your deployment? All patches provided by Novell for your product are available for download to registered users. Register and find the patch support database at http://www.novell.com/suselinuxportal.
  • Page 20: Hardware Requirements

    1.1 Hardware Requirements SUSE Linux Enterprise Desktop has minimum hardware requirements that must be met before you can successfully install and run it. A minimum installation of SUSE Linux Enterprise Desktop containing the most basic, essential software and a very minimalistic graphical user interface requires at least: •...
  • Page 21 Being backed by Novell and its expertise in Windows and Novell networking, SUSE Linux Enterprise Desktop naturally offers you support for Novell technologies, like GroupWise, Novell Client for Linux, and iPrint, and it also offers authentication support for Novell eDirectory services. Application Security with Novell AppArmor SUSE Linux Enterprise Desktop enables you to secure your applications by enforcing security profiles tailor-made for your applications.
  • Page 23: Deployment Strategies

    Windows*-in-SLED setups. For more information about the virtualization technology available with SUSE Linux Enterprise, refer to http://www.novell.com/documentation/vmserver/index.html. 2.1 Deploying up to 10 Workstations If your deployment of SUSE Linux Enterprise only involves 1 to 10 workstations, the...
  • Page 24 Installing from a Network Server Using SLP (page 8) Consider this approach if you have a single workstation or a small number of workstations and if a network installation server announced via SLP is available. Installing from a Network Server (page 9) Consider this approach if you have a single workstation or a small number of workstations and if a network installation server is available.
  • Page 25: Deploying Up To 100 Workstations

    Remotely Controlled Tasks: None, but this method can be combined with VNC. Details: Section 3.1.3, “Installing from a Network Server Using SLP” (page 19). Table 2.3 Installing from a Network Server. Installation Source: Network installation server holding the SUSE Linux Enterprise installation media. Tasks Requiring Manual •...
  • Page 26 Choose from the following options: Simple Remote Installation via VNC—Static Network Configuration (page 11) Consider this approach in a small to medium scenario with a static network setup. A network, network installation server, and VNC viewer application are required. Simple Remote Installation via VNC—Dynamic Network Configuration (page 11) Consider this approach in a small to medium scenario with dynamic network setup through DHCP.
  • Page 27 Rule-Based Autoinstallation (page 15) Consider this approach for large deployments to various types of hardware. If configured to use network booting, physical interaction with the target systems is not needed at all. A network, a network installation server, a remote controlling application such as a VNC viewer or an SSH client, and several AutoYaST configuration profiles as well as a rule setup for AutoYaST are required.
  • Page 28 Best Suited For: Small to medium scenarios with varying hardware. Drawbacks: each machine must be set up individually; physical access is needed for booting. Details: Section 4.1.2, “Simple Remote Installation via VNC—Dynamic Network Configuration” (page 41). Table 2.6 Remote Installation via VNC—PXE Boot and Wake on LAN. Installation Source: Network...
  • Page 29 • Booting from the installation media. Control and Monitoring: Remote: SSH. Best Suited For: small to medium scenarios with varying hardware; low bandwidth connections to target. Drawbacks: each machine must be set up individually; physical access is needed for booting. Details: Section 4.1.4, “Simple Remote Installation via SSH—Static Network Configuration”...
  • Page 30 Details: Section 4.1.5, “Simple Remote Installation via SSH—Dynamic Network Configuration” (page 45). Table 2.9 Remote Installation via SSH—PXE Boot and Wake on LAN. Installation Source: Network. Preparations: setting up the installation source; configuring DHCP, TFTP, PXE boot, and WOL; •...
  • Page 31 • Setting up network boot (DHCP, TFTP, PXE, WOL); booting the target from installation media. Control and Monitoring: local or remote through VNC or SSH. Best Suited For: large scenarios; identical hardware; no access to system (network boot). Drawbacks: applies only to machines with identical hardware. Details...
  • Page 32: Deploying More Than 100 Workstations

    Control and Monitoring: local or remote through SSH or VNC. Best Suited For: varying hardware; cross-site deployments. Drawbacks: complex rule setup. Details: Section 5.2, “Rule-Based Autoinstallation” (page 89). 2.3 Deploying More than 100 Workstations Most of the considerations brought up for medium installation scenarios in Section 2.1, “Deploying up to 10 Workstations”...
  • Page 33: Installation With Yast

    Installation with YaST Install your SUSE Linux Enterprise® system with YaST, the central tool for installation and configuration of your system. YaST guides you through the installation process and the basic configuration of your system. During the installation and configuration process, YaST analyzes both your current system settings and your hardware components and proposes installation settings based on this analysis.
  • Page 34: Boot Options

    3.1.1 Boot Options Boot options other than CD or DVD exist and can be used if problems arise booting from CD or DVD. These options are described in Table 3.1, “Boot Options” (page 18). Table 3.1 Boot Options Boot Option Description DVD/CD-ROM This is the easiest boot option.
  • Page 35: The Installation Workflow

    3.1.3 Installing from a Network Server Using SLP If your network setup supports OpenSLP and your network installation source has been configured to announce itself via OpenSLP, boot the system from the media or with another boot option. In the boot screen, select the desired installation option. Press F3 and F4 then select SLP.
  • Page 36: The Boot Screen

    the configuration. In this stage you set up users and passwords, and configure network and Internet access as well as hardware components such as printers. 3.3 The Boot Screen The boot screen displays a number of options for the installation procedure. Boot from Hard Disk boots the installed system and is selected by default, because the CD/DVD is often left in the drive.
  • Page 37 Installation options from the menu disable only the most problematic functions. If you need to disable or set other functions, use the Boot Options prompt. Find detailed information about kernel parameters at http://en.opensuse.org/Linuxrc. Use the function keys indicated in the bar at the bottom of the screen to change the language, resolution of the monitor, or installation source or to add an additional driver from your hardware vendor: F1 Help...
  • Page 38 TIP: Installation without a Mouse If the installer does not detect your mouse correctly, use Tab for navigation, arrow keys to scroll, and Enter to confirm a selection. 3.3.1 Providing Data to Access an SMT Server If your network provides an SMT server as a local update source, you need to equip the client with the server's URL.
  • Page 39: Language

    Interactive Use ask to open a pop-up menu during the installation where you can specify the path to the certificate. Do not use this option with AutoYaST. Example smtcert=ask Deactivate certificate installation Use done if either the certificate will be installed by an add-on product, or if you are using a certificate issued by an official certificate authority.
  • Page 40: License Agreement

    The media check examines the integrity of a medium. To start the media check, select the drive that contains the installation medium and click Start Check. The check can take some time. To test multiple media, wait until a result message appears in the dialog before changing the medium.
  • Page 41: Clock And Time Zone

    Other Options This option provides an opportunity to abort installation and boot or repair an installed system instead. To boot an already installed SUSE Linux Enterprise, select Boot Installed System. If you have problems booting an already installed SUSE Linux Enterprise, see Section 46.3, “Boot Problems”...
  • Page 42 TIP: Resetting the changes to default values You can reset all changes to the defaults by clicking Change > Reset to Defaults. YaST then shows the original proposal again. 3.9.1 Overview The options that sometimes need manual intervention in common installation situations are presented in the Overview tab.
  • Page 43 Figure 3.1 Possible Options for Windows Partitions If you select Delete Windows Completely, the Windows partition is marked for deletion and the space is used for the installation of SUSE Linux Enterprise. WARNING: Deleting Windows If you delete Windows, all data will be lost beyond recovery as soon as the formatting starts.
  • Page 44 Figure 3.2 Resizing the Windows Partition The first bar graph shows how much disk space is currently occupied by Windows and how much space is still available. The second bar graph shows how the space would be distributed after the resizing, according to YaST's current proposal. See Figure 3.2, “Resizing the Windows Partition”...
  • Page 45 Software SUSE Linux Enterprise contains a number of software packages for various application purposes. Click Software in the suggestion window to start the software selection and modify the installation scope according to your needs. Select your pattern from the list in the middle and see the description in the right part of the window.
  • Page 46: Performing The Installation

    3.9.2 Expert If you are an advanced user and want to configure booting or change the time zone or default runlevel, select the Expert tab. It shows the following additional entries not contained on the Overview tab: System This dialog presents all the hardware information YaST could obtain about your computer.
  • Page 47: Configuration Of The Installed System

    displayed. Click Accept to install the software. When not agreeing to the license, click I Disagree and the software will not be installed. The installation usually takes between 15 and 30 minutes, depending on the system performance and the software selected. During this procedure a slide show introduces the features of SUSE Linux Enterprise.
  • Page 48: Network Configuration

    When typing passwords, the characters are replaced by dots, so you do not see the string you are typing. If you are unsure whether you typed the correct string, use the Test Keyboard Layout field for testing purposes. SUSE Linux Enterprise can use the DES, MD5, or Blowfish encryption algorithms for passwords.
  • Page 49 This configuration step also lets you configure the network devices of your system and make security settings, for example, for a firewall or proxy. To configure your network connection later, select Skip Configuration and click Next. Network hardware can also be configured after the system installation has been completed.
  • Page 50: Novell Customer Center

    Configuration To get technical support and product updates, first register and activate your product. Novell Customer Center Configuration provides assistance for doing so. If you are offline or want to skip this step, select Configure Later. This also skips SUSE Linux Enterprise online update.
  • Page 51: Online Update

    .com/support/products/desktop/. 3.11.5 Online Update If the Novell Customer Center Configuration was successful, select whether to perform a YaST online update. If there are any patched packages available on the servers, download and install them now to fix known bugs or security issues. Directives on how to perform an online update in the installed system are available at Section 8.3.5, “YaST...
  • Page 52 Windows Domain SMB authentication is often used in mixed Linux and Windows networks. Detailed information is available in Section 12.3, “Configuring a Linux Client for Active Directory” (page 309). eDirectory LDAP eDirectory authentication is used in Novell networks. Deployment Guide...
  • Page 53: Release Notes

    NOTE: Content of the Authentication Menu If you use the custom package selection and one or more authentication methods are missing from the menu, the required packages probably are not installed. Along with the selected user administration method, you can use Kerberos authentication. This is essential for integrating your SUSE Linux Enterprise to an Active Directory domain, which is described in Chapter 12, Active Directory Support...
  • Page 54: Graphical Login

    TIP: Resetting Hardware Configuration to Defaults You can cancel changes by clicking Change > Reset to Defaults. YaST then shows the original proposal again. 3.11.9 Completing the Installation After a successful installation, YaST shows the Installation Completed dialog. In this dialog, select whether to clone your newly installed system for AutoYaST.
  • Page 55: Remote Installation

    Remote Installation SUSE Linux Enterprise® can be installed in several different ways. As well as the usual media installation covered in Chapter 3, Installation with YaST (page 17), you can choose from various network-based approaches or even take a completely hands-off approach to the installation of SUSE Linux Enterprise.
  • Page 56 IMPORTANT The configuration of the X Window System is not part of any remote installation process. After the installation has finished, log in to the target system as root, enter telinit 3, and start SaX2 to configure the graphics hardware. 4.1.1 Simple Remote Installation via VNC—Static Network Configuration This type of installation still requires some degree of physical access to the target system...
  • Page 57 2 Boot the target system using the first CD or DVD of the SUSE Linux Enterprise media kit. 3 When the boot screen of the target system appears, use the boot options prompt to set the appropriate VNC options and the address of the installation source. This is described in detail in Section 4.4, “Booting the Target System for Installation”...
  • Page 58 • Controlling system with working network connection and VNC viewer software or Java-enabled browser (Firefox, Konqueror, Internet Explorer, or Opera) • Physical boot medium (CD, DVD, or custom boot disk) for booting the target system • Running DHCP server providing IP addresses To perform this kind of installation, proceed as follows: 1 Set up the installation source as described in Section 4.2, “Setting Up the Server...
  • Page 59 4.1.3 Remote Installation via VNC—PXE Boot and Wake on LAN This type of installation is completely hands-off. The target machine is started and booted remotely. User interaction is only needed for the actual installation. This approach is suitable for cross-site deployments. To perform this type of installation, make sure that the following requirements are met: •...
  • Page 60 5 Initiate the boot process of the target system using Wake on LAN. This is described in Section 4.3.7, “Wake on LAN” (page 67). 6 On the controlling workstation, open a VNC viewing application or Web browser and connect to the target system as described in Section 4.5.1, “VNC Installation”...
  • Page 61 To perform this kind of installation, proceed as follows: 1 Set up the installation source as described in Section 4.2, “Setting Up the Server Holding the Installation Sources” (page 48). Choose an NFS, HTTP, or FTP network server. For an SMB installation source, refer to Section 4.2.5, “Managing an SMB Installation Source”...
  • Page 62 For this type of installation, make sure that the following requirements are met: • Remote installation source: NFS, HTTP, FTP, or SMB with working network connection • Target system with working network connection • Controlling system with working network connection and working SSH client software •...
  • Page 63 4.1.6 Remote Installation via SSH—PXE Boot and Wake on LAN This type of installation is completely hands-off. The target machine is started and booted remotely. To perform this type of installation, make sure that the following requirements are met: • Remote installation source: NFS, HTTP, FTP, or SMB with working network connection •...
  • Page 64: Setting Up The Server Holding The Installation Sources

    6 On the controlling workstation, start an SSH client and connect to the target system as described in Section 4.5.2, “SSH Installation” (page 75). 7 Perform the installation as described in Chapter 3, Installation with YaST (page 17). Reconnect to the target system after it reboots for the final part of the installation.
  • Page 65 3 Select the server type (HTTP, FTP, or NFS). The selected server service is started automatically every time the system starts. If a service of the selected type is already running on your system and you want to configure it manually for the server, deactivate the automatic configuration of the server service with Do Not Configure Any Network Services.
  • Page 66 Consider announcing your installation source via OpenSLP if your network setup supports this option. This saves you from entering the network installation path on every target machine. The target systems are just booted using the SLP boot option and find the network installation source without any further configuration.
  • Page 67 Setting up an NFS source for installation is basically done in two steps. In the first step, create the directory structure holding the installation data and copy the installation media over to this structure. Second, export the directory holding the installation data to the network.
  • Page 68 3 Select Start and Open Port in Firewall and click Next. 4 Select Add Directory and browse for the directory containing the installation sources, in this case, productversion. 5 Select Add Host and enter the hostnames of the machines to which to export the installation data.
  • Page 69 1 Log in as root. 2 Enter the directory /etc/slp.reg.d/. 3 Create a configuration file called install.suse.nfs.reg containing the following lines:

        # Register the NFS Installation Server
        service:install.suse:nfs://$HOSTNAME/path_to_instsource/CD1,en,65535
        description=NFS Installation Source

    Replace path_to_instsource with the actual path to the installation source on your server.
  • Page 70 2c Create a subdirectory holding the installation sources in the FTP root directory:

        mkdir instsource

    Replace instsource with the product name. 2d Mount the contents of the installation repository into the change root environment of the FTP server:

        mount --bind path_to_instsource /srv/ftp/instsource

    Replace path_to_instsource and instsource with values matching your setup.
  • Page 71 1 Create a directory holding the installation sources as described in Section 4.2.2, “Setting Up an NFS Installation Source Manually” (page 50). 2 Configure the HTTP server to distribute the contents of your installation directory: 2a Install the Web server Apache. 2b Enter the root directory of the HTTP server (/srv/www/htdocs) and create a subdirectory that will hold the installation sources:

        mkdir instsource...
  • Page 72 Replace instsource with the actual path to the installation source on your server. The service: line should be entered as one continuous line. 3b Save this configuration file and start the OpenSLP daemon using rcslpd restart. 4.2.5 Managing an SMB Installation Source Using SMB, you can import the installation sources from a Microsoft Windows server and start your Linux deployment even with no Linux machine around.
  • Page 73 After you hit Enter , YaST starts and you can perform the installation. 4.2.6 Using ISO Images of the Installation Media on the Server Instead of copying physical media into your server directory manually, you can also mount the ISO images of the installation media into your installation server and use them as installation source.
  • Page 74: Preparing The Boot Of The Target System

    4.3 Preparing the Boot of the Target System This section covers the configuration tasks needed in complex boot scenarios. It contains ready-to-apply configuration examples for DHCP, PXE boot, TFTP, and Wake on LAN. 4.3.1 Setting Up a DHCP Server There are two ways to set up a DHCP server. For SUSE Linux Enterprise Server 9 and higher, YaST provides a graphical interface to the process.
  • Page 75 5 In the Configured Declarations dialog, select the subnet in which the new system should be located and click Edit. 6 In the Subnet Configuration dialog select Add to add a new option to the subnet's configuration. 7 Select filename and enter pxelinux.0 as the value. 8 Add another option (next-server) and set its value to the address of the TFTP server.
  • Page 76 3 Restart the DHCP server by executing rcdhcpd restart. If you plan on using SSH for the remote control of a PXE and Wake on LAN installation, explicitly specify the IP address DHCP should provide to the installation target. To achieve this, modify the above-mentioned DHCP configuration according to the following example: group {...
  • Page 77 3 Click Enable to make sure that the server is started and included in the boot routines. No further action from your side is required to secure this. xinetd starts tftpd at boot time. 4 Click Open Port in Firewall to open the appropriate port in the firewall running on your machine.
  • Page 78 4c Save the file and restart xinetd with rcxinetd restart. 4.3.3 Using PXE Boot Some technical background information as well as PXE's complete specifications are available in the Preboot Execution Environment (PXE) Specification (http://www.pix.net/software/pxeboot/archive/pxespec.pdf). 1 Change to the directory of your installation repository and copy the linux, initrd, message, and memtest files to the /srv/tftpboot directory by entering the following: cp -a boot/loader/linux boot/loader/initrd...
  • Page 79 insmod=kernel module By means of this entry, enter the network kernel module needed to support network installation on the PXE client. Replace kernel module with the appropriate module name for your network device. netdevice=interface This entry defines the client's network interface that must be used for the network installation.
  • Page 80: Configuration File

    # failsafe
    label failsafe
      kernel linux
      append initrd=initrd ramdisk_size=65536 ide=nodma apm=off acpi=off \
        insmod=e100 install=nfs://ip_instserver/path_instsource/product/CD1
    # apic
    label apic
      kernel linux
      append initrd=initrd ramdisk_size=65536 apic insmod=e100 \
        install=nfs://ip_instserver/path_instsource/product/CD1
    # manual
    label manual
      kernel linux
      append initrd=initrd ramdisk_size=65536 manual=1
    # rescue
    label rescue
      kernel linux
      append initrd=initrd ramdisk_size=65536 rescue=1...
  • Page 81 DEFAULT kernel options... Sets the default kernel command line. If PXELINUX boots automatically, it acts as if the entries after DEFAULT had been typed in at the boot prompt, except the auto option is automatically added, indicating an automatic boot. If no configuration file is present or no DEFAULT entry is present in the configuration file, the default is the kernel name “linux”...
  • Page 82 APPEND - Append nothing. APPEND with a single hyphen as argument in a LABEL section can be used to override a global APPEND. LOCALBOOT type On PXELINUX, specifying LOCALBOOT 0 instead of a KERNEL option means invoking this particular label and causes a local disk boot instead of a kernel boot. Argument Description Perform a normal boot...
  • Page 83: Wake On Lan

    Displays the indicated file on the screen when a function key is pressed at the boot prompt. This can be used to implement preboot online help (presumably for the kernel command line options). For backward compatibility with earlier releases, F10 can also be entered as F0. Note that there is currently no way to bind filenames to F11 and F12.
  • Page 84: Booting The Target System For Installation

    to be sent as multicasts or remotely control a machine on that network segment to act as the sender of these requests. Users of SUSE Linux Enterprise Server 9 and higher can use a YaST module called WOL to easily configure Wake on LAN. Users of other versions of SUSE Linux-based operating systems can use a command line tool.
  • Page 85 and function keys or use the boot options prompt of the installation boot screen to pass any boot options that the installation kernel might need on this particular hardware. 4.4.1 Using the Default Boot Options The boot options are described in detail in Chapter 3, Installation with YaST (page 17).
  • Page 86 (Table of default boot options, continued; columns: Purpose, Available Options, Default Value) Select the installation source: available options CD-ROM or DVD, SLP, FTP, HTTP, NFS, SMB, Hard Disk; default CD-ROM or DVD. Apply driver update: available option Driver disk; default None. 4.4.3 Using Custom Boot Options Using the appropriate set of boot options helps facilitate your installation procedure.
  • Page 87 Table 4.2 Installation (Boot) Scenarios Used in This Chapter (columns: Installation Scenario, Parameters Needed for Booting, Boot Options). Chapter 3, Installation with YaST (page 17): parameters needed: none, system boots automatically; boot options: none needed. Section 4.1.1, “Simple Remote Installation via ...: parameters needed: location of the installation server; boot options: install=(nfs,http,ftp,smb):///path...
  • Page 88 (Table 4.2 continued; columns: Installation Scenario, Parameters Needed for Booting, Boot Options) Section 4.1.4, “Simple Remote Installation via SSH—Static Network Configuration” (page 44): parameters needed: location of the installation server, network device, IP address, netmask, ...; boot options: install=(nfs,http,ftp,smb):///path_to_instmedia, netdevice=some_netdevice (only need...
  • Page 89: Monitoring The Installation Process

    TIP: More Information about linuxrc Boot Options Find more information about the linuxrc boot options used for booting a Linux system in /usr/share/doc/packages/linuxrc/linuxrc.html. 4.5 Monitoring the Installation Process There are several options for remotely monitoring the installation process. If the proper boot options have been specified while booting for installation, either VNC or SSH can be used to control the installation and system configuration from a remote workstation.
  • Page 90 1 Start the KDE file and Web browser Konqueror. 2 Enter service://yast.installation.suse in the location bar. The target system then appears as an icon in the Konqueror screen. Clicking this icon launches the KDE VNC viewer in which to perform the installation. Alternatively, run your VNC viewer software with the IP address provided and add :1 at the end of the IP address for the display the installation is running on.
  • Page 91 1 Launch your preferred Web browser. 2 Enter the following at the address prompt: http://ip_address_of_target:5801 3 Enter your VNC password when prompted to do so. The browser window now displays the YaST screens as in a normal local installation. 4.5.2 SSH Installation Using SSH, you can remotely control the installation of your Linux machine using any SSH client software.
  • Page 92 4 When prompted for the password, enter the password that has been set with the SSH boot option. After you have successfully authenticated, a command line prompt for the installation target appears. 5 Enter yast to launch the installation program. A window opens showing the normal YaST screens as described in Chapter 3, Installation with YaST (page 17).
  • Page 93: Automated Installation

    Automated Installation AutoYaST allows you to install SUSE® Linux Enterprise on a large number of machines in parallel. The AutoYaST technology offers great flexibility to adjust deployments to heterogeneous hardware. This chapter tells you how to prepare a simple automated installation and lays out an advanced scenario involving different hardware types and installation purposes.
  • Page 94 4 Determine and set up the boot scenario for autoinstallation as described in Section 5.1.4, “Setting Up the Boot Scenario” (page 83). 5 Pass the command line to the installation routines by adding the parameters manually or by creating an info file as described in Section 5.1.5, “Creating File”...
  • Page 95 3 Select Tools > Create Reference Control File to prepare AutoYaST to mirror the current system configuration into an AutoYaST profile. 4 As well as the default resources, like boot loader, partitioning, and software selection, you can add various other aspects of your system to the profile by checking the items in the list in Create a Reference Control File.
  • Page 96 Figure 5.1 Editing an AutoYaST Profile with the AutoYaST Front-End 5.1.2 Distributing the Profile and Determining the autoyast Parameter The AutoYaST profile can be distributed in several different ways. Depending on the protocol used to distribute the profile data, different AutoYaST parameters are used to make the profile location known to the installation routines on the client.
  • Page 97
    Profile Location: Device
    Parameter: autoyast=device://path
    Description: Makes the installation routines look for the control file on a storage device. Only the device name is needed: /dev/sda1 is wrong, use sda1 instead.
    Profile Location: Floppy
    Parameter: autoyast=floppy://path
    Description: Makes the installation routines look for the control file on a floppy in the floppy drive.
  • Page 98 AutoYaST includes a feature that allows binding certain profiles to the client's MAC address. Without having to alter the autoyast= parameter, you can have the same setup install several different instances using different profiles. To use this, proceed as follows: 1 Create separate profiles with the MAC address of the client as the filename and put them on the HTTP server that holds your AutoYaST profiles.
  • Page 99 5.1.3 Providing the Installation Data The installation data can be provided by means of the product CDs or DVDs or using a network installation source. If the product CDs are used as the installation source, physical access to the client to install is needed, because the boot process needs to be initiated manually and the CDs need to be changed.
  • Page 100
    default linux
    # default
    label linux
      kernel linux
      append initrd=initrd ramdisk_size=65536 insmod=e100 \
        install=http://192.168.0.22/install/suse-enterprise/
    The same example for autoinstallation looks like this:
    default linux
    # default
    label linux
      kernel linux
      append initrd=initrd ramdisk_size=65536 insmod=e100 \
        install=http://192.168.0.22/install/suse-enterprise/ \
        autoyast=nfs://192.168.0.23/profiles/autoinst.xml
    Replace the example IP addresses and paths with the data used in your setup. Preparing to Boot from CD-ROM There are several ways in which booting from CD-ROM can come into play in AutoYaST installations.
  • Page 101 Access to the boot prompt of the system to install where you manually enter the autoyast= parameter Boot and Install from SUSE Linux Enterprise Media, Get the Profile from a Floppy Use this approach if an entirely network-based installation scenario would not work.
  • Page 102 The following parameters are commonly used for linuxrc. For more information, refer to the AutoYaST package documentation under /usr/share/doc/packages/autoyast. IMPORTANT: Separating Parameters and Values When passing parameters to linuxrc at the boot prompt, use = to separate parameter and value. When using an info file, separate parameter and value with :.
  • Page 103 If your autoinstallation scenario involves client configuration via DHCP and a network installation source and you want to monitor the installation process using VNC, your info file would look like this:
    autoyast:profile_source
    install:install_source
    vnc:1
    vncpassword:some_password
    If you prefer a static network setup at installation time, your info file would look like the following:
    autoyast:profile_source \
    install:install_source \...
  • Page 104
    vnc: 1
    vncpassword: test
    autoyast: file:///info
    # end_linuxrc_conf
    # Do not remove the above comment
    ]]>
    </info_file>
    </init>
    ...
    </install>
    ...
    linuxrc loads the profile containing the boot parameters instead of the traditional info file. The install: parameter points to the location of the installation sources. vnc and vncpassword indicate the use of VNC for installation monitoring.
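The two linuxrc syntaxes the guide contrasts (key=value at the boot prompt, key: value in an info file) are easy to mix up by hand. The following Python script is an added example written for this page, not code from the SUSE guide or from the linuxrc and AutoYaST projects: it parses a constructed info file, renders the same parameters in boot-prompt form, round-trips them, and lists the entries an administrator should know about before the file is published (vncpassword is stored in plaintext; vnc and ssh open a remote-control channel to the installer). The sample file, its addresses and its password are placeholders; treating a repeated key as last-wins is an assumption about linuxrc, not a documented rule.

```python
"""Convert between the two linuxrc parameter syntaxes the guide describes:
'key=value' at the boot prompt and 'key: value' in an info file.
Added example for this page; not code from the SUSE guide or the
linuxrc/AutoYaST projects.  The sample info file is constructed."""

# Constructed sample in info-file syntax (separator ':').  The address
# and the password are placeholders, not values from any real site.
SAMPLE_INFO = """\
# start_linuxrc_conf
install: http://192.168.0.22/install/suse-enterprise/
vnc: 1
vncpassword: test
autoyast: file:///info
# end_linuxrc_conf
# Do not remove the above comment
"""

# Parameters whose value is a credential, and parameters that open a
# remote-control channel to the installer (names taken from the guide).
SECRET_KEYS = {"vncpassword"}
REMOTE_KEYS = {"vnc", "ssh"}


def parse_info_file(text):
    """Return the key/value pairs of an info file as a dict.

    Lines are split at the first ':' only, so values that themselves
    contain colons (file:///info, http://...) stay intact.  Blank lines
    and '#' comments are ignored.  Assumption: a repeated key keeps the
    last value."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError("info file line without ':' separator: %r" % line)
        key, value = line.split(":", 1)
        params[key.strip()] = value.strip()
    return params


def parse_boot_prompt(line):
    """Parse 'key=value key=value ...' as typed at the boot prompt."""
    params = {}
    for token in line.split():
        if "=" not in token:
            raise ValueError("boot parameter without '=' separator: %r" % token)
        key, value = token.split("=", 1)
        params[key] = value
    return params


def to_boot_prompt(params):
    """Render parameters in boot-prompt syntax (separator '=')."""
    return " ".join("%s=%s" % (k, v) for k, v in params.items())


def to_info_file(params):
    """Render parameters in info-file syntax (separator ':')."""
    return "\n".join("%s: %s" % (k, v) for k, v in params.items()) + "\n"


def review(params):
    """What an administrator should know before shipping this file:
    plaintext credentials and remote-control channels it enables."""
    findings = []
    for key in sorted(params):
        if key in SECRET_KEYS:
            findings.append("%s is stored in plaintext; restrict access to the file" % key)
        elif key in REMOTE_KEYS and params[key] not in ("0", ""):
            findings.append("%s enables remote control of the installation" % key)
    return findings


if __name__ == "__main__":
    p = parse_info_file(SAMPLE_INFO)
    print(to_boot_prompt(p))
    for finding in review(p):
        print("note:", finding)
```

Because the info file is fetched over HTTP or NFS exactly as the guide describes, anyone who can reach that share can read the VNC password in it; the review step exists so that fact is noticed before the file is published.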
  • Page 105: Rule-Based Autoinstallation

    5.2 Rule-Based Autoinstallation The following sections introduce the basic concept of rule-based installation using AutoYaST and provide an example scenario that enables you to create your own custom autoinstallation setup. 5.2.1 Understanding Rule-Based Autoinstallation Rule-based AutoYaST installation allows you to cope with heterogeneous hardware environments: •...
  • Page 106 • Create custom rules by running shell scripts and passing their output to the AutoYaST framework. The number of custom rules is limited to five. NOTE For more information about rule creation and usage with AutoYaST, refer to the package's documentation under /usr/share/doc/packages/autoyast2/html/index.html, Chapter Rules and Classes.
  • Page 107 5.2.2 Example Scenario for Rule-Based Autoinstallation To get a basic understanding of how rules are created, think of the following example, depicted in Figure 5.2, “AutoYaST Rules” (page 92). One run of AutoYaST installs the following setup: A Print Server This machine just needs a minimal installation without a desktop environment and a limited set of software packages.
  • Page 108 Figure 5.2 AutoYaST Rules [figure: an AutoYaST directory holding the rules.xml file with Rule 1, Rule 2 and Rule 3; the Engineering profile for Engineering Department computers, the Sales profile for Sales Department laptops and the Print Server profile for the print server; the merge process] In a first step, use one of the methods outlined in Section 5.1.1, “Creating an AutoYaST Profile”...
  • Page 109 In the second step, create rules to distinguish the three hardware types from one another and to tell AutoYaST which profile to use. Use an algorithm similar to the following to set up the rules: 1. Does the machine have an IP of 192.168.27.11? Then make it the print server. 2.
  • Page 110: For More Information

    <operator>and</operator>
    </rule>
    <rule>
      <haspcmcia>
        <match>0</match>
        <match_type>exact</match_type>
      </haspcmcia>
      <result>
        <profile>engineering.xml</profile>
        <continue config:type="boolean">false</continue>
      </result>
    </rule>
    </rules>
    </autoinstall>
    When distributing the rules file, make sure that the rules directory resides under the profiles directory specified in the autoyast=protocol:serverip/profiles/ URL. AutoYaST looks for a rules subdirectory containing a file named rules.xml first, then loads and merges the profiles specified in the rules file.
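To see how rules.xml drives profile selection for the three machine types in the scenario, here is an added Python model of the evaluation the guide describes: rules are tried in order, each matching rule's profile is added to the merge list, and a matching rule with <continue>false</continue> stops processing. It is not the AutoYaST implementation and it is not from the guide; the rules file, the addresses, the profile names and the host facts are constructed placeholders, and the greater, lower and regex match types go beyond the exact matches the page shows.

```python
"""Model of AutoYaST rule evaluation: try the rules of a rules.xml in
order, collect the profile of every matching rule, stop when a matching
rule carries <continue>false</continue>.  Added example for this page;
not the AutoYaST implementation.  Rules file and facts are constructed."""

import re
import xml.etree.ElementTree as ET

# Constructed rules file in the shape the guide shows.  Rule 1 picks the
# print server by address; rules 2 and 3 tell laptops (PCMCIA present)
# and desktops apart.  Addresses and profile names are placeholders.
SAMPLE_RULES = """\
<?xml version="1.0"?>
<autoinstall xmlns="http://www.suse.com/1.0/yast2ns"
             xmlns:config="http://www.suse.com/1.0/configns">
  <rules config:type="list">
    <rule>
      <hostaddress><match>192.168.27.11</match><match_type>exact</match_type></hostaddress>
      <result><profile>printserver.xml</profile>
              <continue config:type="boolean">false</continue></result>
    </rule>
    <rule>
      <haspcmcia><match>1</match><match_type>exact</match_type></haspcmcia>
      <result><profile>sales.xml</profile>
              <continue config:type="boolean">false</continue></result>
    </rule>
    <rule>
      <haspcmcia><match>0</match><match_type>exact</match_type></haspcmcia>
      <result><profile>engineering.xml</profile>
              <continue config:type="boolean">false</continue></result>
    </rule>
  </rules>
</autoinstall>
"""

NOT_ATTRIBUTES = {"result", "operator"}  # <rule> children that are not hardware attributes


def local(tag):
    """Drop the namespace ElementTree prefixes to every tag."""
    return tag.split("}", 1)[-1]


def child(elem, name):
    """First child of elem with the given local tag name, or None."""
    for c in elem:
        if local(c.tag) == name:
            return c
    return None


def child_text(elem, name, default=""):
    c = child(elem, name)
    return (c.text or "").strip() if c is not None else default


def attribute_matches(attr, facts):
    """Compare one rule attribute (hostaddress, haspcmcia, ...) with the
    value detected on the machine; only exact/greater/lower/regex modelled."""
    name = local(attr.tag)
    if name not in facts:
        return False
    actual, wanted = str(facts[name]), child_text(attr, "match")
    kind = child_text(attr, "match_type", "exact")
    if kind == "exact":
        return actual == wanted
    if kind == "regex":
        return re.search(wanted, actual) is not None
    if kind in ("greater", "lower"):
        a, w = int(actual), int(wanted)
        return a > w if kind == "greater" else a < w
    raise ValueError("unsupported match_type %r" % kind)


def rule_matches(rule, facts):
    """Several attributes in one rule combine via <operator> (and/or)."""
    op = child_text(rule, "operator", "and")
    checks = [attribute_matches(c, facts) for c in rule
              if local(c.tag) not in NOT_ATTRIBUTES]
    if not checks:
        return False
    return all(checks) if op == "and" else any(checks)


def select_profiles(rules_xml, facts):
    """Return the profiles AutoYaST would merge, in rule order."""
    profiles = []
    for rule in ET.fromstring(rules_xml).iter():
        if local(rule.tag) != "rule" or not rule_matches(rule, facts):
            continue
        result = child(rule, "result")
        if result is None:
            continue
        profiles.append(child_text(result, "profile"))
        if child_text(result, "continue", "true") == "false":
            break
    return profiles


if __name__ == "__main__":
    # Constructed facts for the print server, a laptop and a desktop.
    for facts in ({"hostaddress": "192.168.27.11", "haspcmcia": 0},
                  {"hostaddress": "192.168.27.40", "haspcmcia": 1},
                  {"hostaddress": "192.168.27.41", "haspcmcia": 0}):
        print(facts, "->", select_profiles(SAMPLE_RULES, facts))
```

Rule order matters: the address rule must come before the PCMCIA rules, otherwise the print server (no PCMCIA) would be matched by the desktop rule first and, with continue set to false, never reach its own rule.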
  • Page 111: Deploying Customized Preinstallations

    Deploying Customized Preinstallations Rolling out customized preinstallations of SUSE Linux Enterprise to a large number of identical machines spares you from installing each one of them separately and provides a standardized installation experience for the end users. With YaST firstboot, create customized preinstallation images and determine the workflow for the final personalization steps that involve end user interaction.
  • Page 112: Preparing The Master Machine

    6.1 Preparing the Master Machine To prepare a master machine for a firstboot workflow, proceed as follows: 1 Insert the installation media into the master machine. 2 Boot the machine. 3 Perform a normal installation including all necessary configuration steps and wait for the installed machine to boot.
  • Page 113 • Customizing messages to the user as described in Section 6.2.1, “Customizing YaST Messages” (page 97). • Customizing licenses and license actions as described in Section 6.2.2, “Customizing the License Action” (page 98). • Customizing the release notes to display as described in Section 6.2.3, “Customizing the Release Notes”...
  • Page 114 2a Set FIRSTBOOT_WELCOME_DIR to the directory path where you want to store the files containing the welcome message and the localized versions, for example: FIRSTBOOT_WELCOME_DIR="/usr/share/firstboot/" 2b If your welcome message has filenames other than welcome.txt and welcome_locale.txt (where locale matches the ISO 639 language codes such as “cs”...
  • Page 115 6.2.3 Customizing the Release Notes Depending on whether you have changed the instance of SUSE Linux Enterprise you are deploying with firstboot, you probably need to educate the end users about important aspects of their new operating system. A standard installation uses release notes, displayed during one of the final stages of the installation, to provide important information to the users.
  • Page 116 • User Authentication Method • User Management • Hardware Configuration • Finish Setup This standard layout of a firstboot installation workflow is not mandatory. You can enable or disable certain components or hook your own modules into the workflow. To modify the firstboot workflow, manually edit the firstboot configuration file /etc/YaST2/firstboot.xml.
  • Page 117 The stage of the installation process at which this proposal is invoked. Do not make any changes here. For a firstboot installation, this must be set to firstboot. The label to be displayed on the proposal. The container for all modules that are part of the proposal screen. One or more modules that are part of the proposal screen.
  • Page 118 archs Specify the hardware architectures on which this workflow should be used. Example 6.3 Configuring the List of Workflow Components
    <modules config:type="list">
      <module>
        <label>Language</label>
        <enabled config:type="boolean">false</enabled>
        <name>firstboot_language</name>
      </module>
    </modules>
    The container for all components of the workflow. The module definition. The label displayed with the module.
  • Page 119 3 Apply your changes and close the configuration file. You can always change the workflow of the configuration steps when the default does not meet your needs. Enable or disable certain modules in the workflow or add your own custom ones. To toggle the status of a module in the firstboot workflow, proceed as follows: 1 Open the /etc/YaST2/firstboot.xml configuration file.
  • Page 120: Cloning The Master Installation

    TIP: For More Information For more information about YaST development, refer to http://developer.novell.com/wiki/index.php/YaST. 6.2.5 Configuring Additional Scripts firstboot can be configured to execute additional scripts after the firstboot workflow has been completed. To add additional scripts to the firstboot sequence, proceed as...
  • Page 121: Personalizing The Installation

    6.4 Personalizing the Installation As soon as the cloned disk image is booted, firstboot starts and the installation proceeds exactly as laid out in Section 6.2.4, “Customizing the Workflow” (page 99). Only the components included in the firstboot workflow configuration are started. Any other installation steps are skipped.
  • Page 123: Advanced Disk Setup

    Advanced Disk Setup Sophisticated system configurations require particular disk setups. All common partitioning tasks can be done with YaST. To get persistent device naming with block devices, use the block devices below /dev/disk/by-id/. Logical Volume Management (LVM) is a disk partitioning scheme that is designed to be much more flexible than the physical partitioning used in standard setups.
  • Page 124 7.1.1 The Logical Volume Manager The Logical Volume Manager (LVM) enables flexible distribution of hard disk space over several file systems. It was developed because sometimes the need to change the segmentation of hard disk space arises only after the initial partitioning during installation has already been done.
  • Page 125 between different logical volumes need not be aligned with any partition border. See the border between LV 1 and LV 2 in this example. LVM features: • Several hard disks or partitions can be combined in a large logical volume. •...
  • Page 126 you to edit and delete existing partitions and create new ones that should be used with LVM. There, create an LVM partition by first clicking Create > Do not format then selecting 0x8E Linux LVM as the partition identifier. After creating all the partitions to use with LVM, click LVM to start the LVM configuration.
  • Page 127 If there are several volume groups, set the current volume group in the selection box to the upper left. The buttons in the upper right enable creation of additional volume groups and deletion of existing volume groups. Only volume groups that do not have any partitions assigned can be deleted.
  • Page 128 existing logical volumes are listed here. Add, Edit, and Remove logical volumes as needed until all space in the volume group has been exhausted. Assign at least one logical volume to each volume group. Figure 7.4 Logical Volume Management To create a new logical volume, click Add and fill out the pop-up that opens. As for partitioning, enter the size, file system, and mount point.
  • Page 129: Soft Raid Configuration

    Figure 7.5 Creating Logical Volumes If you have already configured LVM on your system, the existing logical volumes can be entered now. Before continuing, assign appropriate mount points to these logical volumes too. With Next, return to the YaST Expert Partitioner and finish your work there.
  • Page 130: Raid Levels

    rity, or both. Most RAID controllers use the SCSI protocol because it can address a larger number of hard disks in a more effective way than the IDE protocol and is more suitable for parallel processing of commands. There are some RAID controllers that support IDE or SATA hard disks.
  • Page 131 RAID 2 and RAID 3 These are not typical RAID implementations. Level 2 stripes data at the bit level rather than the block level. Level 3 provides byte-level striping with a dedicated parity disk and cannot service simultaneous multiple requests. Both levels are only rarely used.
  • Page 132 optimize the performance of RAID 0. After creating all the partitions to use with RAID, click RAID > Create RAID to start the RAID configuration. In the next dialog, choose between RAID levels 0, 1, and 5 (see Section 7.2.1, “RAID Levels”...
  • Page 133: Troubleshooting

    Figure 7.7 File System Settings As with conventional partitioning, set the file system to use as well as encryption and the mount point for the RAID volume. Checking Persistent Superblock ensures that the RAID partitions are recognized as such when booting. After completing the configuration with Finish, see the /dev/md0 device and others indicated with RAID in the expert partitioner.
  • Page 134
    • http://www.novell.com/documentation/sles10/stor_evms/data/bookinfo.html
    • /usr/share/doc/packages/mdadm/Software-RAID.HOWTO.html
    • http://en.tldp.org/HOWTO/Software-RAID-HOWTO.html
    Linux RAID mailing lists are also available, such as http://marc.theaimsgroup.com/?l=linux-raid&r=1&w=2.
  • Page 135: System Configuration With Yast

    System Configuration with YaST In SUSE Linux Enterprise, YaST handles both the installation and configuration of your system. This chapter describes the configuration of system components (hardware), network access, and security settings, and administration of users. Find a short introduction to the text-based YaST interface in Section 8.12, “YaST in Text Mode”...
  • Page 136: Yast Language

    To start YaST in text mode on another system, use ssh root@<system-to-configure> to open the connection. Then start YaST with yast. To save time, the individual YaST modules can be started directly. To start a module, enter yast2 module_name. View a list of all module names available on your system with yast2 -l or yast2 --list.
  • Page 137 The left frame of most modules displays the help text, which offers suggestions for configuration and explains the required entries. To get help in modules without a help frame, press F1 or choose Help. After selecting the desired settings, complete the procedure by pressing Accept on the last page of the configuration dialog.
  • Page 138: Software

    8.3 Software 8.3.1 Installing and Removing Software To install, uninstall, and update software on your machine, use Software > Software Management. This opens a package manager dialog as shown in Figure 8.2, “YaST Package Manager” (page 122). Figure 8.2 YaST Package Manager In SUSE®...
  • Page 139 uation, some of the possible status flags may not be available for selection. For example, a package that has not yet been installed cannot be set to “Delete.” View the available status flags with Help > Symbols. The font color used for various packages in the individual package window provides additional information.
  • Page 140 Click the status box at the beginning of a line to install or uninstall this pattern. Select a status directly by right-clicking the pattern and using the context menu. From the individual package overview to the right, which displays the packages included in the current pattern, select and deselect individual packages.
  • Page 141: Removing Packages

    Installing Source Packages A package containing the source files for the program is usually available. The sources are not needed for running the program, but you may want to install the sources to compile a custom version of the program. To install sources for selected program, mark the check box in the Source column.
  • Page 142: Installation Summary

    Searching for Packages, Applications, and Files To find a specific package, use the Search filter. Enter a search string and click Search. By specifying various search criteria, you can restrict the search to display a few or even only one package. You can also define special search patterns using wild cards and regular expressions in Search Mode.
  • Page 143 Information about Packages Get information about the selected package with the tabs in the bottom right frame. If another version of the package is available, you get information about both versions. The Description tab with the description of the selected package is automatically active. To view information about package size, version, installation media, and other technical details, select Technical Data.
  • Page 144 If you click Check, located under the information window, the package manager checks if the current package selection results in any unresolved package dependencies or conflicts. In the event of unresolved dependencies, the required additional packages are selected automatically. For package conflicts, the package manager opens a dialog that shows the conflict and offers various options for solving the problem.
  • Page 145 Package Groups. TIP: Creating Custom Add-On Products Create your own add-on products with YaST Add-On Creator. Read about the YaST add-on creator at http://developer.novell.com/wiki/index.php/Creating_Add-On_Media_with_YaST. Find technical background information at http://developer.novell.com/wiki/index.php/Creating_Add-Ons.
  • Page 146: Yast Online Update

    To get technical support and product updates, your system must be registered and activated. If you skipped the registration during installation, register with the help of the Novell Customer Center Configuration module from Software. This dialog is the same as that described in Section 3.11.4, “Novell Customer Center Configuration”...
  • Page 147: Definition Of Terms

    already marked for installation. Clicking Accept automatically installs these patches. After the installation has completed, confirm with Finish. Your system is now up-to-date. Definition of Terms Package A package is a compressed file in rpm format that contains the files for a particular program.
  • Page 148 Figure 8.4 YaST Online Update The patch display lists the available patches for SUSE Linux Enterprise. The patches are sorted by security relevance. The color of the patch name, as well as a pop-up window under the mouse cursor, indicate the security status of the patch: Security (red), Recommended (blue), or Optional (black).
  • Page 149: Automatic Online Update

    If you install an up-to-date package from a catalog other than the update catalog, the requirements of a patch for this package may be fulfilled with this installation. In this case a check mark is displayed in front of the patch summary. The patch will be visible in the list until you mark it for installation.
  • Page 150: Updating The System

    8.3.7 Updating from a Patch CD The Patch CD Update module from the Software section installs patches from CD, not from an FTP server. The advantage lies in a much faster update with CD. After the patch CD is inserted, all patches on the CD are displayed in the dialog. Select the desired packages for installation from the list of patches.
  • Page 151 Packages Click Packages to start the package manager and select or deselect individual packages for update. Any package conflicts should be resolved with the consistency check. The use of the package manager is covered in detail in Section 8.3.1, “Installing and Removing Software”...
  • Page 152: Hardware

    8.3.9 Installing into a Directory This YaST module allows you to install packages into a directory specified by you. Select where to place the root directory, how to name directories, and the type of system and software to install. After entering this module, YaST determines the system settings and lists the default directory, installation instructions, and software to install.
  • Page 153 8.4.1 Bluetooth Configure Bluetooth devices with Hardware > Bluetooth. Click Enable Bluetooth Services to begin configuration. Bluetooth configuration is covered in detail in Section “Configuring Bluetooth with YaST” (page 575). 8.4.2 Infrared Device Configure an infrared device with Hardware > Infrared Device. Click Start IrDa to begin configuration.
  • Page 154: Hardware Information

    WARNING: Configuration of the Hard Disk Controller It is advised to test the settings before making them permanent in the system. Incorrect settings can prevent the system from booting. 8.4.6 Hardware Information Display detected hardware and technical data using Hardware > Hardware Information. Click any node of the tree for more information about a device.
  • Page 155: Keyboard Layout

    8.4.8 Joystick Configure a joystick connected to the sound card with Hardware > Joystick. Select your joystick type in the list provided. If your joystick is not listed, select Generic Analog Joystick. After selecting your joystick, make sure that it is connected then click Test to test the functionality.
  • Page 156 To configure your mouse for the text environment, use YaST in text mode. After entering text mode and selecting Hardware > Mouse Model, use the keyboard arrow keys to choose your mouse from the provided list. Then click Accept to save the settings and exit the module.
  • Page 157 If your scanner is not detected, the device is probably not supported. However, sometimes even supported scanners are not detected. If this is the case, proceed with the manual scanner selection. If you can identify your scanner in the list of vendors and models, select it.
  • Page 158 8.4.12 TV and Radio Cards NOTE: USB TV Cards Supported DVB TV cards are not configured in the YaST. They are handled by hotplug. To start watching TV, connect your card to your computer and start your favorite TV program. Configure TV and radio cards with Hardware >...
  • Page 159 8.4.13 Sound Most sound cards are detected automatically and configured with reasonable values during initial installation. To install a card added later or modify settings, use Hardware > Sound. It is also possible to switch the sequence of the cards. Figure 8.5 Sound Configuration If YaST cannot detect your sound card automatically, proceed as follows: 1 Click Add to open a dialog in which to select a sound card vendor and model.
  • Page 160 Normal setup Adjust the output volume and play a test sound. Advanced setup with possibility to change options Customize all settings manually. In this dialog, there is also a shortcut to the joystick configuration. Click Joystick configuration and select the joystick type in the following dialog to configure a joystick.
  • Page 161: System

    8.5 System This group of modules is designed to help you manage your system. All modules in this group are system-related and serve as valuable tools for ensuring that your system runs properly and your data is managed efficiently. 8.5.1 Backup Create a backup of both your system and data using System >...
  • Page 162: Boot Loader Configuration

    8.5.3 Boot Loader Configuration To configure booting for systems installed on your computer, use the System > Boot Loader module. A detailed description of how to configure the boot loader with YaST is available in Section 18.3, “Configuring the Boot Loader with YaST” (page 416).
  • Page 163 Figure 8.6 The YaST Partitioner All existing or suggested partitions on all connected hard disks are displayed in the list of the YaST Expert Partitioner dialog. Entire hard disks are listed as devices without numbers, such as /dev/hda or /dev/sda. Partitions are listed as parts of these devices, such as /dev/hda1 or /dev/sda1.
  • Page 164 A primary partition simply consists of a continuous range of cylinders (physical disk areas) assigned to a particular operating system. With primary partitions only, you are limited to four partitions per hard disk, because more do not fit in the partition table. This is why extended partitions are used.
  • Page 165 Editing a Partition When you create a new partition or modify an existing partition, set various parameters. For new partitions, suitable parameters are set by YaST and usually do not require any modification. To edit your partition setup manually, proceed as follows: 1 Select the partition.
  • Page 166: Expert Options

    Mount Point Specify the directory at which the partition should be mounted in the file system tree. Select from various YaST proposals or enter any other name. 3 Select OK > Apply to activate the partition. Expert Options Expert opens a menu containing the following commands: Reread Partition Table Rereads the partitioning from disk.
  • Page 167 Example 8.1 /etc/fstab: Partition Data
    /dev/sda1 /data1 auto noauto,user 0 0
    /dev/sda5 /data2 auto noauto,user 0 0
    /dev/sda6 /data3 auto noauto,user 0 0
    The partitions, regardless of whether they are Linux or FAT partitions, are specified with the options noauto and user. This allows any user to mount or unmount these partitions as needed.
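What the user option grants is narrower than "any user can mount" suggests: mount(8) makes user (and users) imply noexec, nosuid and nodev unless a later option on the same line re-enables them, which is the part of Example 8.1 worth checking when reviewing an fstab. The following Python script is an added example for this page, not code from the SUSE guide: it parses constructed fstab lines modelled on the example and expands each entry's options to their effective form, showing which entries an unprivileged user may mount and whether binaries on them may execute. The option-expansion rules are taken from mount(8); the sample lines are constructed.

```python
"""Expand /etc/fstab options to their effective form.  mount(8) makes
'user' and 'users' imply noexec, nosuid and nodev unless a later option
such as 'exec' re-enables them, and 'defaults' stands for
rw,suid,dev,exec,auto,nouser,async.  Added example for this page, not
code from the SUSE guide; the sample lines are constructed."""

# Constructed sample modelled on the guide's Example 8.1, plus one entry
# that re-enables exec after user and one that is not user-mountable.
SAMPLE_FSTAB = """\
# device     mountpoint  fstype  options            dump pass
/dev/sda1    /data1      auto    noauto,user        0 0
/dev/sda5    /data2      auto    noauto,user,exec   0 0
/dev/sda6    /data3      auto    defaults           0 0
"""

# Options that cancel each other; the later one on the line wins.
OPPOSITES = {"exec": "noexec", "suid": "nosuid", "dev": "nodev",
             "user": "nouser", "auto": "noauto", "rw": "ro"}
OPPOSITES.update({v: k for k, v in OPPOSITES.items()})
DEFAULTS = ("rw", "suid", "dev", "exec", "auto", "nouser", "async")
IMPLIED_BY_USER = ("noexec", "nosuid", "nodev")


def parse_fstab(text):
    """Return a list of dicts for the non-comment lines of an fstab."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError("fstab line needs at least 4 fields: %r" % line)
        entries.append({"device": fields[0], "mountpoint": fields[1],
                        "fstype": fields[2], "options": fields[3].split(",")})
    return entries


def effective_options(options):
    """Apply options left to right, expanding 'defaults' and the options
    implied by 'user'/'users', so that later options override earlier ones."""
    result = []

    def apply(opt):
        opposite = OPPOSITES.get(opt)
        if opposite in result:
            result.remove(opposite)
        if opt not in result:
            result.append(opt)

    for opt in options:
        if opt == "defaults":
            for d in DEFAULTS:
                apply(d)
            continue
        apply(opt)
        if opt in ("user", "users"):
            for implied in IMPLIED_BY_USER:
                apply(implied)
    return result


def user_mountable(entry):
    """True when an unprivileged user may mount this entry."""
    opts = effective_options(entry["options"])
    return "user" in opts or "users" in opts


def review(text):
    """(mountpoint, effective options, user-mountable) for each entry."""
    return [(e["mountpoint"], ",".join(effective_options(e["options"])),
             user_mountable(e)) for e in parse_fstab(text)]


if __name__ == "__main__":
    for mountpoint, opts, by_user in review(SAMPLE_FSTAB):
        print("%-8s %-40s user-mountable=%s" % (mountpoint, opts, by_user))
```

The /data2 line is the one to look at: adding exec after user keeps the entry user-mountable but drops the implied noexec, so a user who can mount removable media there can also run what is on it.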
  • Page 168: Pci Device Drivers

    8.5.6 PCI Device Drivers Each kernel driver contains a list of device IDs of all devices it supports. If a new device is not in any driver's database, the device is treated as unsupported, even if it can be used with an existing driver. With this YaST module from System section, you can add PCI IDs.
  • Page 169: Power Management

    8.5.7 Power Management The System > Power Management module helps you work with saving energy technologies. It is especially important on laptops to extend their operational time. Find detailed information about using this module in Section 28.6, “The YaST Power Management Module”...
  • Page 170: Time And Date Configuration

    8.5.11 /etc/sysconfig Editor The directory /etc/sysconfig contains the files with the most important settings for SUSE Linux Enterprise. Use System > /etc/sysconfig Editor to modify the values and save them to the individual configuration files. Generally, manual editing is not necessary, because the files are automatically adapted when a package is installed or a service is configured.
  • Page 171: Network Devices

    Figure 8.8 Setting the Language Select the main language to use for your system in Primary Language. To adjust the keyboard or time zone to this setting, enable Adapt Keyboard Layout or Adapt Time Zone. Set how locale variables are set for the root user with Details. Also use Details to set the primary language to a dialect not available in the main list.
  • Page 172: Network Services

    select it from the list then click Edit. If your device has not been detected, click Add and select it manually. To edit an existing device, select it then click Edit. For more detailed information, see Section 30.4, “Configuring a Network Connection with YaST” (page 612).
  • Page 173 8.7.1 Mail Transfer Agent You can configure your mail settings in Network Services > Mail Transfer Agent if you send your e-mail with sendmail, postfix, or the SMTP server of your provider. You can fetch mail via the fetchmail program, for which you can also enter the details of the POP3 or IMAP server of your provider.
  • Page 174 DNS and Hostname Use this module to configure the hostname and DNS if these settings were not already made while configuring the network devices. Also use it to change the hostname and domain name. If the provider has been configured correctly for DSL, modem, or ISDN access, the list of name servers contains the entries that were extracted automatically from the provider data.
  • Page 175 Network Services (xinetd) Configure the network services (such as finger, talk, and ftp) to start when SUSE Linux Enterprise boots using Network Services. These services enable external hosts to connect to your computer. Various parameters can be configured for every service.
  • Page 176: Apparmor

    8.8 AppArmor Novell AppArmor is designed to provide easy-to-use application security for both servers and workstations. Novell AppArmor is an access control system that lets you specify which files each program may read, write, and execute. To enable or disable Novell AppArmor on your system, use AppArmor Control Panel.
  • Page 177: User Management

    8.9.1 User Management Create and edit users with Security and Users > User Management. It provides an overview of users in the system, including NIS, LDAP, Samba, and Kerberos users if requested. If you are part of an extensive network, click Set Filter to list all users categorically.
  • Page 178 2 Click Delete. 3 Determine whether to delete or keep the home directory of the user to delete. 4 Click Yes to apply your settings. Changing the Login Configuration To change the login configuration, proceed as follows: 1 Select the user from the list. 2 Click Edit.
  • Page 179 4 Apply your settings with Accept. To disable the encryption of home directories, proceed as follows: 1 Select a user from the list and click Edit. 2 In the Details tab, disable Use Encrypted Home Directory. 3 Enter the password of the selected user. 4 Apply your settings with Accept.
  • Page 180 Login without a Password WARNING: Allowing Login without a Password Using the passwordless login feature on any system that can be physically accessed by more than one person is a potential security risk. Any user accessing this system can manipulate the data on it. If your system contains confidential data, do not use this functionality.
  • Page 181 3 Apply your settings with Accept. Enforcing Password Policies On any system with multiple users, it is a good idea to enforce at least basic password security policies. Users should change their passwords regularly and use strong passwords that cannot easily be exploited. For information about how to enforce stricter password rules, refer to Section 8.9.3, “Local Security”...
  • Page 182 2 Apply your changes to any or all of the following items: • Default Group • Secondary Groups • Default Login Shell • Path Prefix for Home Directory • Skeleton for Home Directory • Umask for Home Directory • Default Expiration Date •...
  • Page 183: Group Management

    thentication method in the installed system, select Expert Options > Authentication and User Sources. The module provides a configuration overview and the option to configure the client. Advanced client configuration is also possible using this module. 8.9.2 Group Management To create and edit groups, select Security and Users > Group Management or click Groups in the user administration module.
  • Page 184 Boot Settings Set how the key combination Ctrl + Alt + Del should be interpreted by selecting the desired action. Normally, this combination, when entered in the text console, causes the system to reboot. Do not modify this setting unless your machine or server is publicly accessible and you are afraid someone could carry out this action without authorization.
  • Page 185: Virtualization

    If you select Nobody, any user can find only the paths in the database that can be seen by any other (unprivileged) user. If root is selected, all local files are indexed, because the user root, as superuser, may access all directories. Make sure that the options Current Directory in root's Path and Current Directory in Path of Regular Users are deactivated.
  • Page 186: Miscellaneous

    Creating Virtual Machines After you have successfully installed the Xen hypervisor and tools, you can install virtual machines on your virtual server. To install a virtual machine, use Virtualization > Create Virtual Machines. 8.11 Miscellaneous The YaST Control Center has several modules that cannot easily be classified into the first six module groups.
  • Page 187: System Log

    8.11.4 Start-Up Log View information concerning the start-up of the computer in Miscellaneous > Start-Up Log. This is one of the first places you might want to look when encountering problems with the system or when troubleshooting. It shows the boot log /var/log/boot.msg, which contains the screen messages displayed when the computer starts.
  • Page 188: Yast In Text Mode

    /proc/modules: displays the individual modules.
    /proc/mounts: displays devices currently mounted.
    /proc/partitions: shows the partitioning of all hard disks.
    /proc/version: displays the current version of Linux.
    /var/log/YaST2/y2log: displays all YaST log messages.
    /var/log/boot.msg: displays information concerning the start-up of the system.
    /var/log/faillog: displays login failures.
  • Page 189 When YaST is started in text mode, the YaST Control Center appears first. See Figure 8.9, “Main Window of YaST in Text Mode” (page 173). The main window consists of three areas. The left frame, which is surrounded by a thick white border, features the categories to which the various modules belong.
  • Page 190: Navigation In Modules

    8.12.1 Navigation in Modules The following description of the control elements in the YaST modules assumes that all function keys and Alt key combinations work and are not assigned different global functions. Read Section 8.12.2, “Restriction of Key Combinations” (page 175) for information about possible exceptions.
  • Page 191: Restriction Of Key Combinations

    Figure 8.10 The Software Installation Module 8.12.2 Restriction of Key Combinations If your window manager uses global Alt combinations, the Alt combinations in YaST might not work. Keys like Alt or Shift can also be occupied by the settings of the terminal.
  • Page 192: Managing Yast From The Command Line

    8.13 Managing YaST from the Command Line When a task only needs to be done once, the graphical or ncurses interface is usually the best solution. If a task needs to be done repeatedly, it might be easier to use the YaST command line interface.
  • Page 193: Managing Users

    GenProf, LogProf, SD_AddProfile, SD_DeleteProfile, SD_EditProfile, SD_Report, and subdomain These modules control or configure AppArmor. AppArmor has its own command line tools. 8.13.1 Managing Users The YaST commands for user management, unlike traditional commands, consider the configured authentication method and default user management settings of your system when creating, modifying, or removing users.
  • Page 194 Example 8.3 Removing Multiple Users
    #!/bin/bash
    # the home directory will not be deleted
    # to delete home directories, use the option delete_home
    for i in `cat /tmp/users.txt`; do
      yast users delete username=$i
    done
    8.13.2 Configuring the Network and Firewall Network and firewall configuration commands are often wanted in scripts. Use yast lan for network configuration and yast firewall.
  • Page 195: Update From The Command Line With Rug

    8.14 Update from the Command Line with rug rug uses the zmd daemon to install, update, and remove software according to the commands given. It can either install software from local files, or from servers. You may use one or more remote servers, known as services. Supported services are mount for local files, and yum or ZENworks for servers.
  • Page 196: Installing And Removing Software

    In case of an access denial to the update catalog you will see a warning message with a recommendation to visit the Novell Customer Center and check your subscription. The Novell Customer Center is available at http://www.novell...
  • Page 197 remove The user may remove software subscribe The user may change channel subscriptions trusted The user is considered as trusted, so he is able to install packages without package signatures upgrade The user may update software packages view This allows the user to see which software is installed on the machine and which software is in available channels.
  • Page 198: Sax2

    However, you may not want the patches to be installed automatically, but may want to retrieve them and select the patches for installation at a later time. To download patches only, use the rug up -dy command. The up -dy option downloads the patches from your catalogs without confirmation and saves them to the rug cache.
  • Page 199 8.15.1 Card and Monitor Properties Adjust the settings for your graphics card and display device in Card and Monitor Properties. If you have more than one graphics card installed, each device is shown in a separate dialog reachable by a tab. At the top of the dialog, see the current settings for the selected graphics card and the monitor that is attached to it.
  • Page 200: Graphics Card

    Graphics Card It is not possible to change the graphics card because only known models are supported and these are detected automatically. However, you can change many options that affect the behavior of the card. Normally, this should not be necessary because the system already has set them up appropriately during installation.
  • Page 201 Dual Head If you have a graphics card with two outputs installed in your computer, you can connect two screens to your system. Two screens that are attached to the same graphics card are referred to as dual head. SaX2 automatically detects multiple display devices in the system and prepares the configuration accordingly.
  • Page 202: Mouse Properties

    TIP: Using a Beamer with Laptop Computers To connect a beamer to a laptop computer, activate dual head mode. In this case, SaX2 configures the external output with a resolution of 1024x768 and a refresh rate of 60 Hz. These values suit most beamers very well. Multihead If you have more than one graphics card installed in your computer, you can connect more than one screen to your system.
  • Page 203: Keyboard Properties

    the documentation for your mouse for a description of the model. Click Change to select the vendor and model from two lists then click OK to confirm your selection. In the options part of the dialog, set various options for operating your mouse. Activate 3-Button Emulation If your mouse has only two buttons, a third button is emulated when you click both buttons simultaneously.
  • Page 204: Troubleshooting

    8.15.4 Tablet Properties Use this dialog to configure a graphics tablet attached to your system. Click the Graphics Tablet tab to select vendor and model from the lists. Currently, only a limited number of graphics tablets is supported. To activate the tablet, check Activate This Tablet at the top of the dialog.
  • Page 205: For More Information

    8.17 For More Information More information about YaST can be found on the following Web sites and directories: • /usr/share/doc/packages/yast2—Local YaST development documentation • http://www.opensuse.org/YaST_Development—The YaST project page in the openSUSE wiki • http://forge.novell.com/modules/xfmod/project/ ?yast—Another YaST project page System Configuration with YaST...
  • Page 207: Updating Suse Linux Enterprise

    9.1 Updating SUSE Linux Enterprise Follow the steps outlined in this section if you want to update from Novell Linux Desktop 9 to SUSE Linux Enterprise Desktop 10, for example. You can also follow these steps if you want to update from SUSE Linux Enterprise 10 SP1 to SUSE Linux Enterprise 10 SP2.
  • Page 208 applies to files stored in /etc as well as some of the directories and files in /var and /opt. You may also want to write the user data in /home (the HOME directories) to a backup medium. Back up this data as root. Only root has read permission for all local files.
  • Page 209 9.1.3 Updating with YaST Following the preparation procedure outlined in Section 9.1.1, “Preparations” (page 191), you can now update your system: 1 Optionally, prepare an installation server. For background information, see Section 4.2.1, “Setting Up an Installation Server Using YaST” (page 48).
  • Page 210: Installing Service Packs

    9.2 Installing Service Packs Use Service Packs to update a SUSE Linux Enterprise installation. There are several different ways in which you can apply a Service Pack. You can either update the existing installation or start a whole new installation using the Service Pack media. Possible scenarios for updating the system and setting up a central network installation source are described here.
  • Page 211 Installing a SUSE Linux Enterprise Service Pack is very similar to installing the original SUSE Linux Enterprise media. As with the original installation, you can choose to install from a local CD or DVD drive or from a central network installation source. Installing from a Local CD or DVD Drive Before starting a new installation of a SUSE Linux Enterprise SP, ensure that all of the Service Pack installation media (CDs or DVD) are available.
  • Page 212 1 Insert the SUSE Linux Enterprise SP CD 1 or DVD 1 and boot your machine. A boot screen similar to the original installation of SUSE Linux Enterprise 10 is displayed. 2 Select Installation to boot the SP kernel from CD, then use F3 to enable Further Options, and finally F4 to select a type of network installation source (FTP, HTTP, NFS, or SMB).
  • Page 213 6 Click Yes, Install to start the installation. 7 Continue as usual with the installation (entering a password for root, completing the network configuration, testing your Internet connection, activating the Online Update service, selecting the user authentication method, and entering a username and password).
  • Page 214 • The system must be online throughout the entire update process, because this process requires access to the Novell Customer Center. • If your setup involves third party software or add-on software, test this procedure on another machine to make sure that the dependencies are not broken by the update.
  • Page 215 Figure 9.2 Update to Service Pack 2 NOTE During update migration using YaST Online Update, the ZMD stack is updated and the ZMD daemon is restarted, too. Therefore, it is advisable to avoid using any other software management tools such as rug, zen-updater, zen-installer and zen-remover.
  • Page 216 3 The Patch Download and Installation dialog tracks the progress log. When Total Progress reaches 100%, click Close. The Online Update will then restart automatically. 4 Once restarted, press Accept to apply all available updates together with a new kernel.
  • Page 217 Figure 9.3 Apply SLE10 SP2 Maintenance Stack Update 1 In a running SUSE Linux Enterprise system, start the zen-updater by clicking the updater icon at the bottom. TIP: Waking up ZMD If you see the ZMD not running message, check in a terminal as root with rczmd status whether ZMD is alive.
  • Page 218 4 In the restarted Software Updater, page down and select the optional move-to-sled10-sp2 patch and apply it. If you do not select it, your system will stay at the SP1 feature level and you will get bug fixes and security updates only for a limited time (six months after the availability of SP2).
  • Page 219 SUSE Linux Enterprise GA to SP1 and SP2 NOTE The following steps are only relevant if your system is still running at the GA patch level. Figure 9.4 Update to Service Pack 1 1 In a running SUSE Linux Enterprise system (GA), select Computer > YaST > Software >...
  • Page 220: Software Changes From Version 9 To Version 10

    3 The Patch Download and Installation dialog tracks the progress log of the migration patch installation. When Total Progress reaches 100%, click Finish. 4 Run the online update a second time. Once done, in the Patch Download and Installation click Close. During this second run YaST installs the kernel and all the other software.
  • Page 221 9.3.1 Multiple Kernels It is possible to install multiple kernels side by side. This feature is meant to allow administrators to upgrade from one kernel to another by installing the new kernel, verifying that the new kernel works as expected, then uninstalling the old kernel. While YaST does not yet support this feature, kernels can easily be installed and uninstalled from the shell using rpm -i package.rpm.
  • Page 222 • km_smartlink-softmodem—Smart Link Soft Modem 9.3.3 Stricter tar Syntax The tar usage syntax is stricter now. The tar options must come before the file or directory specifications. Appending options, like --atime-preserve or --numeric-owner, after the file or directory specification makes tar fail. Check your backup scripts.
  • Page 223 9.3.5 Hotplug Events Handled by the udev Daemon Hotplug events are now completely handled by the udev daemon (udevd). The event multiplexer system in /etc/hotplug.d and /etc/dev.d is no longer used. Instead, udevd calls all hotplug helper tools directly according to its rules. Udev rules and helper tools are provided by udev and various other packages.
  • Page 224 size and download time at the expense of higher CPU load for reassembling the final package. See /usr/share/doc/packages/deltarpm/README for technical details. 9.3.9 Print System Configuration At the end of the installation (proposal dialog), the ports needed for the print system must be open in the firewall configuration.
  • Page 225 9.3.11 X.Org Configuration File The configuration tool SaX2 writes the X.Org configuration settings into /etc/X11/ xorg.conf. During an installation from scratch, no compatibility link from XF86Config to xorg.conf is created. 9.3.12 XView and OpenLook Support Dropped The packages xview, xview-devel, xview-devel-examples, olvwm, and xtoolpl were dropped.
  • Page 226 Table 9.4 Wrapper (old path → new path):
    /usr/X11R6/bin/OOo-calc → /usr/bin/oocalc
    /usr/X11R6/bin/OOo-draw → /usr/bin/oodraw
    /usr/X11R6/bin/OOo-impress → /usr/bin/ooimpress
    /usr/X11R6/bin/OOo-math → /usr/bin/oomath
    /usr/X11R6/bin/OOo-padmin → /usr/sbin/oopadmin
    /usr/X11R6/bin/OOo-setup → – (no replacement)
    /usr/X11R6/bin/OOo-template → /usr/bin/oofromtemplate
    /usr/X11R6/bin/OOo-web → /usr/bin/ooweb
    /usr/X11R6/bin/OOo-writer → /usr/bin/oowriter
    /usr/X11R6/bin/OOo → /usr/bin/ooffice
    /usr/X11R6/bin/OOo-wrapper → /usr/bin/ooo-wrapper
    The wrapper now supports the option --icons-set for switching between KDE and GNOME icons. The following options are no longer supported: --default-configuration, --gui, --java-path, --skip-check, --lang (the language is now determined by means of locales), --messages-in-window, and --quiet.
  • Page 227 9.3.15 Sound Mixer kmix The sound mixer kmix is preset as the default. For high-end hardware, there are other mixers, like QAMix, KAMix, envy24control (only ICE1712), or hdspmixer (only RME Hammerfall). 9.3.16 DVD Burning In the past, a patch was applied to the cdrecord binary from the cdrecord package to support burning DVDs.
  • Page 228 9.3.20 PAM Configuration New Configuration Files (containing comments for more information):
    common-auth: default PAM configuration for the auth section
    common-account: default PAM configuration for the account section
    common-password: default PAM configuration for password changing
    common-session: default PAM configuration for session management
    You should include these default configuration files from within your application-specific configuration file, because it is easier to modify and maintain one file instead of the approximately forty files that used to exist on the system.
  • Page 229 9.3.21 Becoming the Superuser Using su By default, calling su to become root does not set the PATH for root. Either call su - to start a login shell with the complete environment for root or set ALWAYS_SET_PATH to yes in /etc/default/su if you want to change the default behavior of su.
  • Page 230 • suspend to disk (ACPI S4, APM suspend) • suspend to ram (ACPI S3, APM suspend) • standby (ACPI S1, APM standby) 9.3.23 Powersave Configuration Variables Names of the powersave configuration variables are changed for consistency, but the sysconfig files are still the same. Find more information in Section 28.5.1, “Configuring the powersave Package”...
  • Page 231 9.3.26 NTP-Related Files Renamed For reasons of compatibility with LSB (Linux Standard Base), most configuration files and the init script were renamed from xntp to ntp. The new filenames are: • /etc/slp.reg.d/ntp.reg • /etc/init.d/ntp • /etc/logrotate.d/ntp • /usr/sbin/rcntp • /etc/sysconfig/ntp 9.3.27 File System Change Notification for GNOME Applications For proper functionality, GNOME applications depend on file system change notification...
  • Page 232 9.3.29 Firefox 1.5: The URL Open Command With Firefox 1.5, the method for applications to open a Firefox instance or window has changed. The new method was already partly available in former versions where the behavior was implemented in the wrapper script. If your application does not use mozilla-xremote-client or firefox -remote, you do not need to change anything.
  • Page 233: Part Ii Administration

    Part II. Administration...
  • Page 235: 10 Gnome Configuration For Administrators

    GNOME Configuration for Administrators This chapter discusses the following topics: • Section 10.1, “Using GConf for Defaults” (page 220) • Section 10.2, “Customizing Menus” (page 244) • Section 10.3, “Installing Themes” (page 257) • Section 10.4, “Configuring Fonts” (page 263) •...
  • Page 236: Using Gconf For Defaults

    • Section 10.15, “Managing Profiles Using Sabayon” (page 284) • Section 10.16, “Adding Document Templates” (page 288) 10.1 Using GConf for Defaults GConf is a system for storing application preferences that simplifies the administration of user preferences. GConf lets system administrators do the following: •...
  • Page 237 10.1.1 GConf Repository Each preference in the GConf repository is expressed as a key-value pair. A GConf preference key is an element in the repository that corresponds to an application preference. For example, the /apps/gnome-session/options/show_splash_screen preference key corresponds to the Show Splash Screen on Login option in the Sessions preference tool. The GNOME Desktop user interface does not contain all of the preference keys in the GConf repository.
  • Page 238 NOTE When this guide refers to a preference key, the path to the key is added to the name of the key. For example, the font_name preference key in the /desktop/gnome/interface subdirectory is referred to as /desktop/gnome/interface/font_name. GConf Configuration Sources The GConf repository contains a series of storage locations that are called configuration sources.
  • Page 239 Table 10.1 Configuration Sources in the Path File Configuration Description Source Mandatory The permissions on this configuration source are set to Read Only. Users cannot overwrite the values in this source, so the preferences in the source are mandatory. User This configuration source is stored in the .gconf directory in the home directory of the user.
  • Page 240 Table 10.2 Other Configuration Sources Included Configuration Description Source Stores mandatory preference values for a particular /etc/opt/gnome/opt/ system. gnome/gconf/2/ local-mandatory.path Specifies the location of the configuration source ${HOME}/.gconf.path in the .gconf.path file in the user's home directory. Stores default preference values for a particular /etc/opt/gnome/opt/ system.
  • Page 241 Item Description • A default value for the preference key • Brief documentation on the preference key The following are examples of a preference key, a schema key, and a schema object: Table 10.4 Preference Key, Schema Key, and Schema Object Examples Preference key: /desktop/gnome/interface/font_name Schema key:...
  • Page 242 GConf Schema Definition Files Schemas are generated from schema definition files. A schema definition file defines the characteristics of all of the keys in a particular application. Schema definition files have a .schemas extension. The schema definition files are included in the /etc/opt/gnome/opt/gnome/ gconf/schemas directory.
  • Page 243 2. If the value is found, return the value. 3. If the value is not found, search for the schema key that corresponds to the prefer- ence key in each configuration source, in the order specified in the path file. 4.
  • Page 244 Table 10.5 gconftool-2 Options (Option: Function)
    --all-dirs: Lists all subdirectories in a directory that you specify.
    --all-entries: Displays the values of all keys in a directory that you specify.
    --config-source=configuration-source: Use with the --direct option to specify a configuration source to use.
  • Page 245 (Option: Function)
    --help: Displays a help message about the gconftool-2 command and the options that you can use with it.
    --load=filename: Sets the values of preference keys in the current directory in a configuration source to the values in the file that you specify. The file that you specify must contain XML descriptions of the keys, in a <gconfentryfile>...
  • Page 246 (Option: Function) You can also use it with the --direct option and the --config-source option to write a value to another configuration source.
    --set-schema: Sets the value of an attribute in a schema key and writes the value to the default configuration source. Use it with the following options to specify the attribute that you want to update: •...
  • Page 247 (Option: Function) • bool • float • int • list • pair • string
    --unset: Resets the value of a preference key from the user setting to the setting in the default configuration source.
    --usage: Displays a brief help message about the gconftool-2 command and the options that you can use with it.
  • Page 248 For example, to set wwwproxy.xyz.com as the mandatory HTTP proxy host, use the following command: gconftool-2 --direct --config-source xml:readwrite:/etc/opt/gnome/opt/gnome/gconf/gconf.xml.mandatory --type string --set /system/http_proxy/host wwwproxy.xyz.com The user cannot override this preference value. You can also use the gconftool-2 command to set default values. For example, to set the default number of workspaces to five, use the following command: gconftool-2 --direct --config-source xml:readwrite:/etc/opt/gnome/opt/gnome/gconf/gconf.xml.defaults --type int...
  • Page 249 gconftool-2 --direct --config-source xml:readwrite:/etc/opt/gnome/opt/gnome/gconf/gconf.xml.mandatory --type string --set /system/http_proxy/host proxy-name To set a default value for the HTTP proxy host, use the following command: gconftool-2 --direct --config-source xml:readwrite:/etc/opt/gnome/opt/gnome/gconf/gconf.xml.defaults --type string --set /system/http_proxy/host proxy-name You can also set other HTTP proxy-related preferences. For more information, see the system_http_proxy.schemas schema definition file.
  • Page 250 gconftool-2 --direct --config-source xml:readwrite:/etc/opt/gnome/gconf/gconf.xml.defaults --type int --set /apps/metacity/general/num_workspaces integer You can also set other window manager preferences. For more information, see the metacity.schemas schema definition file. Setting Keyboard Accessibility Preferences To set keyboard accessibility preferences, modify the values of the preference keys in the /desktop/gnome/accessibility/keyboard location.
  • Page 251 Setting Panel and Panel Object Preferences The panel-default-setup.entries file specifies the following details of the panels in the GNOME Desktop: • Number of panels • Types of the panels • Properties of the panels • Contents of the panels The configuration of individual panels and of panel objects is a complex task. You must first understand the structure of the panel-default-setup.entries file.
  • Page 252 The keys also assign identifiers to each panel, panel object, and applet. For example, the following sample from panel-default-setup.entries specifies that one panel appears in the GNOME Desktop: <entry> <key>toplevel_id_list</key> <schema_key>/schemas/apps/panel/general/toplevel_id_list </schema_key> <value> <list type="string"> <value> <string>bottom_panel</string> </value> </list> </value>...
  • Page 253 <schema_key>/schemas/apps/panel/objects/toplevel_id</schema_key> <value> <string>bottom_panel</string> </value> </entry> <entry> <key>position</key> <schema_key>/schemas/apps/panel/objects/position</schema_key> <value> <int>0</int> </value> </entry> </entrylist> 4. Keys that specify the applets, the applet preferences, and the panels where the applets reside. For example, the following sample from panel-default-setup.entries specifies the Window List applet, in the bottom panel: <entrylist base="/apps/panel/default_setup/applets/window_list">...
  • Page 254 <entry> <key>bonobo_iid</key> <schema_key>/schemas/apps/panel/objects/bonobo_iid_type</schema_key> <value> <string>OAFIID:GNOME_WindowListApplet</string> </value> </entry> </entrylist> The OAFIID is a unique identifier for an applet. To find the OAFIID for a particular applet, see the .server file for the applet in the /usr/lib/bonobo/ servers directory. For example, the following excerpt from GNOME_Wncklet _Factory.server shows the OAFIID for the Window List applet: <oaf_server iid="OAFIID:GNOME_WindowListApplet"...
  • Page 255 <schema_key>/schemas/apps/panel/objects/launcher_location </schema_key> <value> <string>hadjaha-00adce02f7.desktop</string> </value> </entry> In the above example, you might want to change the reference to hadjaha-00adce02f7.desktop to another desktop entry file that is available globally. When you generate a panel configuration with the --dump option, the positions of the panel objects are absolute positions.
  • Page 256 Setting Font Preferences To set font preferences, modify the values of two preference keys. The following table shows the keys to modify and the part of the user interface that the keys correspond to: Table 10.6 Font Preference Keys GConf Location User Interface Component Font preference tool, Application font /desktop/gnome/interface/...
  • Page 257 You can also set other background preferences. For more information, see the desktop _gnome_background.schemas schema definition file. Setting Splash Image Preferences To set splash image preferences, modify the value of the preference keys in the /apps/ gnome-session/options/ location. For example, if you do not want users ever to see a splash image, set a mandatory value as follows: gconftool-2 --direct --config-source xml:readwrite:/etc/opt/gnome/gconf/gconf.xml.mandatory --type bool --set...
  • Page 258 1 Press Alt+F2 to open the Run Application dialog box. 2 Type gconf-editor, then click Run. Figure 10.1 Configuration Editor Window The Configuration Editor window contains the following panes: Tree Lets you navigate the directories and subdirectories in the GConf repository. Use this pane to display the keys that you want to modify in the modification pane.
  • Page 259 Documentation Displays documentation for the currently selected key. Use this pane to get more information about the GConf preference keys. You can copy the names of keys so that you can paste them into another application. You can also add bookmarks to keys. Modifying the Value of a Key 1 Use the tree pane to display the key that you want to modify in the modification pane.
  • Page 260: Customizing Menus

    Deleting a Bookmark 1 Click Bookmarks > Edit Bookmarks. An Edit Bookmarks dialog is displayed. 2 Select a bookmark from the list on the left, then click Delete. 3 Click Close. 10.2 Customizing Menus SUSE Linux Enterprise 10 lets you edit menus in either of the following ways: •...
  • Page 261 • Section “Starting Alacarte” (page 246) • Section “Editing the Menu” (page 247) • Section “Changing a System-Wide Menu” (page 252) • Section “Distributing a System-Wide Menu to Other Computers” (page 252) Installing Alacarte Alacarte is not installed when you install SUSE Linux Enterprise Desktop. To install Alacarte: 1 Click Computer Control Center System YaST.
  • Page 262 Starting Alacarte 1 Click Computer Control Center Look and Feel. 2 Click Main Menu Editor. There are two Main Menu Editor icons. Mouse over them to determine which is used for system-wide changes and which is used for your own local menu. Use the system-wide version if you are modifying a menu for all users on your system or want to distribute the menu to other computers.
  • Page 263 Editing the Menu This section describes the following ways you can edit the Main menu: • Section “Finding Menu Items” (page 247) • Section “Rearranging Menu Items” (page 248) • Section “Creating New Separators” (page 248) • Section “Showing or Hiding Menu Items” (page 249) •...
  • Page 264 submenu in the Menus list, select the group containing that item, then locate the item in the Items list. For example, to locate the Sound Recorder application: 1 Start Alacarte as described in Section “Starting Alacarte” (page 246). 2 Click the arrow next to the Audio & Video submenu in the Menus list, then select the Recording group.
  • Page 265 The new separator appears beneath the selected item in the Items list. You can drag the separator to a new location like you would any other menu item. To delete a separator, see Section “Deleting Items from the Main Menu” (page 249). Showing or Hiding Menu Items To show or hide an item, locate the item in the Items list, then select or deselect the box next to that item.
  • Page 266 Changing an Item’s Generic Name A short descriptive name appears beneath the name of each item in the Main menu. This is known as the generic name. To change the generic name: 1 Locate the menu item whose generic name you want to change, as explained in Section “Finding Menu Items”...
  • Page 267 7 (Optional) To assign an icon to the new item, click No Icon, then select an icon for the item. If you do not select an icon, the item appears in the menu without an icon. 8 Click Close. After the item is added to the menu, you can move it to the place where you want it to appear in the menu, as described in Section “Rearranging Menu Items”...
  • Page 268 Changing a System-Wide Menu Alacarte enables you to edit the system-wide Main menu for all users on the system, and distribute it to other computers. These additional systems need not have an identical setup to use the new menu. NOTE Changing the system-wide menu requires administrative privileges for the computer whose menu you want to change.
  • Page 269 export XDG_CONFIG_DIRS=/etc/opt/gnome/alacarte_system:$XDG_CONFIG_DIRS #END SECTION ADDED BY ALACARTE 10.2.2 Customizing GNOME Menus Using Desktop and Directory Entry Files The way in which the GNOME Desktop implements menus enables you to do the following: • Customize the menu hierarchy easily. The menu hierarchy is not based on the file system hierarchy.
  • Page 270 Categories=GNOME;Application;Utility; X-GNOME-DocPath=gcalctool/gcalctool.xml The following table describes the most important keys in desktop entry files. Table 10.7 Desktop Entry File Keys Desktop Entry Key Description Encoding Specifies the encoding of the desktop entry file. Name Specifies the name of the item. This name is displayed on the item in the menu.
  • Page 271 Desktop Entry Key Description dard category keywords, see the desktop menu specification at freedesktop.org [http://www.freedesktop.org] The vfolder information files map the keywords to menus. X-GNOME-DocPath Specifies the help file to display when you select Help on application-name from the menu item pop-up menu. For more information on the keys in desktop entry files, see the desktop entry specification at http://www.freedesktop.org.
  • Page 272 Table 10.8 Directory Entry File Keys Directory Entry Description Name Specifies the name of the menu, which is displayed on the menu. Comment Specifies a short description of the menu. The comment is displayed as a tooltip when you point to the menu. Icon Specifies the filename of an icon that represents the menu.
  • Page 273: Installing Themes

    For more detailed information on adding and editing menu items, see the Desktop Menu Specification [http://standards.freedesktop.org/menu-spec/latest] Web site. 10.3 Installing Themes A theme is a group of coordinated settings that specifies the visual appearance of a part of the GNOME Desktop. Users can select themes to change the appearance of the GNOME Desktop.
  • Page 274 Name=High Contrast Large Name[es]=Alto contraste grande Comment=Large black-on-white text and icons Comment[es]=Textos e iconos grandes en negro sobre blanco Encoding=UTF-8 [X-GNOME-Metatheme] GtkTheme=HighContrastLargePrint IconTheme=HighContrast MetacityTheme=Atlanta ApplicationFont=sans 18 The following table describes the keys in theme index files: Table 10.10 Theme Index File Keys Index File Key Description Type...
  • Page 275 10.3.2 Installing a New Controls Option You can add a new option for the controls setting in the Theme preference tool. Controls options reside in the /opt/gnome/share/themes directory. The typical structure of a controls option in the file system is as follows. Option file /opt/gnome/share/themes/option-name/gtk-2.0/gtkrc Image files...
  • Page 276 Image files /opt/gnome/share/themes/option-name/metacity-1/*.* Typically, a new option for the window frame setting is supplied as a .tar.gz file. To install the new window frame option, unzip the .tar.gz file and then untar the .tar file into the /opt/gnome/share/themes directory. Users can install their own options for the window frame setting. If a user installs an option for the window frame setting, the option is stored in the $HOME/.themes directory.
  • Page 277 10.3.5 Installing Icons for Themes The GNOME Desktop provides several themes that are designed for users with special visual needs. For example, some of the themes are designed for users with low vision. Several versions of icons might be required so that the icon can be displayed properly in each theme.
  • Page 278 For more information on how to create icons for application launchers and panels, see the Icon Themes [http://www.freedesktop.org/Standards/ icon-theme-spec]. 10.3.6 Creating a Custom Controls Option If the options for the controls setting are not suitable for the needs of your users, you can create a custom controls option.
  • Page 279: Configuring Fonts

    10.4 Configuring Fonts The GNOME Desktop uses the fontconfig font configuration and customization library. The fontconfig library can use all kinds of fonts, including PostScript Type 1 fonts and TrueType* fonts. The fontconfig library provides a list of all the fonts available on a system.
  • Page 280: MIME Types

    Typically, fonts are stored in the /opt/gnome/share/fonts/ directory. 2 (Conditional) The fontconfig library updates the list of fonts automatically. If the list of fonts is not updated, run the following command: fc-cache directory-name 10.4.3 Adding a Font for an Individual User 1 Copy the font file to the $HOME/.fonts directory of the user.
  • Page 281 It is sometimes necessary to work out the correct MIME type for a file. This is usually done by examining the file's name or contents and looking up the correct MIME type in a database. If you add a new application (that is, extend the database), you must make sure that other applications can recognize the files associated with the application.
  • Page 282: Setting Screensavers

    You can also add extra elements if they are namespaced to avoid conflicts. For example: <desktop:can-edit-with>gimp.desktop</desktop:can-edit-with> This indicates that the named desktop entry file describes an application that can edit image/png files. Information added to the database should be static (for example, “The Gimp can edit PNG files.”), not configuration (for example, “The Gimp is the preferred editor for PNG files.”).
  • Page 283 the home directory of the user, in the $HOME/.xscreensaver file. For information on screensaver preferences, see the GNOME Desktop User Guide [http://www.gnome.org/learn/users-guide/2.6]. Users can also run the /usr/X11R6/bin/xscreensaver-demo command to open the XScreenSaver dialog. To set default screensaver preferences for all users, modify the XScreenSaver file. You can also use the XScreenSaver dialog to create a $HOME/.xscreensaver file, then copy the file to the location of the XScreenSaver file.
  • Page 284: Session Management

    To disable a screensaver display, add a minus sign (-) to the start of the command for the screensaver display in the preferences file. The following excerpt from a $HOME/.xscreensaver file shows a disabled Qix (solid) screensaver display: “Qix (solid)” qix -root -solid -segments 100 10.7 Session Management A session occurs between the time that a user logs in to the GNOME Desktop and the...
  • Page 285: Improving Performance

    To restore the default session settings for a user, delete the session file from the home directory of the user. If no user session file is present, the default settings in /opt/gnome/share/gnome/default.session are used. To save the current session as the default session, users can run the gnome-session-save command.
  • Page 286 • Esco The following window frame options also use fewer CPU resources than Crux: • AgingGorilla • Bright • Metabox Metabox does not work well with inverse controls options such as HighContrastInverse. Use Atlanta with inverse controls options. To change the window frame theme option, use the following command: gconftool-2 --type string --set /apps/metacity/general/theme option-name For example, to use Atlanta, run the following command: gconftool-2 --type string --set /apps/metacity/general/theme Atlanta...
  • Page 287 Users can also use the Menus & Toolbars preference tool to deselect the Show Icons in Menus option. Turning Off the Splash Screen When users log in to the desktop environment, a splash screen is displayed by default. Icons are displayed on the splash screen while the user logs in. You can turn off the splash screen to reduce CPU usage during login.
  • Page 288 Table 10.12 Performance-related Preferences (Value: Description) always: Performs the action for both local files and files on other file systems. local_only: Performs the action for local files only. Using this value reduces CPU usage. never: Never performs the action. Using this value reduces CPU usage and network traffic.
  • Page 289 Preference Description gconftool-2 --type string --set /apps/nautilus/preferences/ show_directory_item_counts never Users can also perform the following steps: 1. Click Edit > Preferences in a file manager window, then click Preview. 2. Select an option for the Count Number of Items preference.
  • Page 290 Preference Description 2. Select an option for the Preview Sound Files preference. Turning Off the Side Pane, Toolbar, and Location Bar The file manager includes preferences that let you turn off the side pane and the toolbar. Turning these off improves file manager performance. To turn off the side pane, use the following command: gconftool-2 --type bool --set /apps/nautilus/preferences/start_with_sidebar false...
  • Page 291 gconftool-2 --type bool --set /apps/nautilus/preferences/show_desktop false 10.8.2 Reducing X Window System Network Traffic There are some preferences that you can set to reduce X Window System network traffic on the GNOME Desktop. Using Theme Options That Create Less Network Traffic Remote display protocols do not transfer every pixel in a block of pixels if all pixels in the block are the same color.
  • Page 292 10.8.3 Reducing Color Usage and Improving Display Quality Many modern computer systems support 24-bit color (that is, 16,777,216 colors). However, many users still use systems that support only 8-bit color (256 colors). The GNOME Desktop uses the websafe color palette. This palette is a general-purpose palette of 216 colors which is designed to optimize the use of color on systems that support 8-bit color.
  • Page 293 For information on how to change theme options, see Section “Using Theme Options That Require Less CPU Resources” (page 269). Reducing Color Usage by Turning Off Display of Icons in Menus Some items in menus display an icon beside the item. If the icon contains colors that are not in the websafe color palette, this feature can increase the number of colors used.
  • Page 294: Hidden Directories

    10.9 Hidden Directories The following table describes the hidden directories that the GNOME Desktop adds to the home directories of users. A hidden directory is a directory that has a name that begins with a period (.). Table 10.14 Hidden Directories Added to Users’ Home Directories Directory Description Contains the authentication cookie for the GNOME sound daemon,...
  • Page 295 Directory Description • Removable media volumes that are mounted. The file manager also contains a preference that enables users to use the home directory as the desktop directory, instead of .gnome-desktop. If a user selects this option, the contents of the home directory are displayed as desktop objects.
  • Page 296: Security Note on Configuring SMB Printers

    Directory Description .thumbnails: Contains image thumbnails for the user. The image thumbnails are used in the file manager. The file manager contains a preference that the user can select to stop generation of thumbnail images. .xscreensaver: Contains screensaver configuration data and screensaver preference data.
  • Page 297: Disabling Lock Screen And Log Out

    You disable a feature by setting GConf keys (see Section 10.1, “Using GConf for Defaults” (page 220)). You can also use the Configuration Editor application to set GConf keys in a user configuration source (see Section 10.1.8, “Configuration Editor” (page 241)). 10.11.1 Disabling Lock Screen and Log Out To disable the lock screen and log out functions, set the /apps/panel/global/disable_lock_screen key and the...
  • Page 298 • Actions menu in the Menu Bar applet • Any Run buttons on panels are disabled To disable command line operations, you must also remove menu items that start terminal applications. For example, you might want to remove menu items that contain the following commands: •...
  • Page 299: Starting Applications Automatically

    • New Panel • The launcher popup menu is disabled. • The following items are removed from the Applet pop-up menu: • Remove from Panel • Lock • Move • The Main Menu pop-up menu is disabled. • The Launcher drag feature is disabled so that users cannot drag launchers to or from panels.
  • Page 300: Automounting And Managing Media Devices

    10.13 Automounting and Managing Media Devices The GNOME Volume Manager (gnome-volume-manager) monitors volume-related events and responds with a user-specified policy. You can use the GNOME Volume Manager to automatically mount hot-plugged drives and inserted removable media, automatically run programs, automatically play audio CDs and video DVDs, and automatically import photos from a digital camera.
  • Page 301: Creating A Profile

    Profile definition is done through a graphical session similar to the one a user would be running, only inside a desktop window. You can change properties (such as the desktop background, toolbars, and available applets) in the usual way. Sabayon also detects changes to the default settings in most desktop applications.
  • Page 302 2 If you are not logged in as root, type the root password, then click Continue. 3 Click Add. 4 Specify a name for the profile, then click Add. 5 Select the profile, then click Edit. A new desktop session opens in an Xnest window.
  • Page 303 6 In the Xnest window, make the changes to the settings that you want. Each setting you change appears in the Xnest window. You can choose to make each setting mandatory (click Edit > Enforce Mandatory in the Xnest window), to ignore a setting (click Edit > Changes > Ignore), or make a setting the default (don’t select either Ignore or Mandatory).
  • Page 304: Adding Document Templates

    4 Select the users you want to use this profile. To apply this profile to all users on this workstation, click Use this profile for all users. 5 Click Close. 10.16 Adding Document Templates To add document templates for users, fill in the Templates directory in a user's home directory.
  • Page 305: 11 KDE Configuration for Administrators

    KDE Configuration for Administrators KDE is an extensively configurable desktop environment. In addition to being configurable for the individual user, administrators have the possibility to create global configurations. This allows system administrators to provide custom default settings for their environments.
  • Page 306: Creating A New Profile

    you assign them to groups and users. Kiosk also lets you automatically deploy profiles to a remote host. Start the Kiosk Admin Tool from the KDE main menu or with Alt + F2 and the command kiosktool. 11.1.1 Creating a New Profile To create a new profile, click Add New Profile.
  • Page 307 11.1.3 Assigning Profiles to Users and Groups When you create a profile, it is not “active” by default. First assign it to users or groups. Assign Profiles opens a dialog where you can assign all existing profiles to distinct users or groups.
  • Page 308 It is also possible, although not recommended, to distribute profiles to different locations. Uncheck Store all profiles under the same directory in the configuration dialog. Having done so, you must specify the Directory for this profile when creating a profile. Deploying Profiles to a Remote Machine The KIOSK Admin Tool configuration (Settings >...
  • Page 309 Figure 11.1 Configuring the KIOSK Admin Tool 3 Open the Add New Profile dialog and create a new profile called myCompany. Figure 11.2 Adding a Profile
  • Page 310 Click Finished to save the new profile. You are prompted for the root password before the files can be saved. 4 Clicking Setup Profile opens a dialog where you can configure the various aspects of KDE. Figure 11.3 Setting Up a Profile If you choose, for example, Theming then Setup Theming, the configuration dialog for the themes opens.
  • Page 311 Figure 11.4 Setting Up Themes After finishing setting up the profile, return to the main menu by clicking Finished. 5 Assign the profile to distinct users or groups by clicking Assign Profiles.
  • Page 312 Figure 11.5 Assigning Profiles Return to the main menu by clicking Finished. 6 Now the profile is available on the local machine. Before deploying it to the remote host, you can test it. Start a new session by right-clicking the desktop and choosing Switch User >...
  • Page 313: Managing Profiles Manually

    Figure 11.6 The Profile in Use Return to your own desktop by logging out as tester. If you need to make changes, start the setup procedure again. Otherwise leave the KIOSK Admin Tool. On exit, it deploys all profiles to testserver. You must enter the root password on testserver for this operation.
  • Page 314 11.2.1 File System Hierarchy KDE reads and stores files used by the KDE environment itself as well as by the KDE applications in fixed directory trees, also referred to as “profiles” in this context. By default, there are two such directories: /opt/kde3 and ~/.kde. The ~/.kde directory contains the user-specific settings.
  • Page 315 share/applications .desktop files for all applications appearing in the KDE menu share/applnk The KDE menu structure share/config Configuration files for applications and components as well as the global configuration file kdeglobals share/icons Icons, categorized by theme, dimension, and usage category share/mimelnk .desktop files with mime types share/wallpapers...
  • Page 316 11.2.2 Configuration File Format KDE configurations are stored in text files in UTF-8 format. Each configuration option consists of a key and value pair and is placed inside a group: [Group 1] key=value key 2=value 2 White space at the beginning or end of keys and values is ignored. However, both may contain spaces as shown in the example above.
  • Page 317 [example group] Label=Language Label[de]=Sprache Label[ru]=Язык Configuration Entry Lock Down All configuration entries can be protected from being overwritten. You can lock down entire configuration files, groups, or individual keys. Do this by adding [Si] on a separate line at the beginning of a file, placing it behind the group name, or adding it behind a key.
  • Page 319: 12 Active Directory Support

    Active Directory Support Active Directory* (AD) is a directory service based on LDAP, Kerberos, and other services that is used by Microsoft Windows to manage resources, services, and people. In an MS Windows network, AD provides information about these objects, restricts access to any of them, and enforces policies.
  • Page 320: Background Information for Linux AD Support

    Accessing and Manipulating User Data on the Windows Server Through Nautilus and Konqueror, users are able to access their Windows user data and can edit, create, and delete files and folders on the Windows server. Users can access their data without having to enter their password again and again. Offline Authentication Users are able to log in and access their local data on the Linux machine even if they are offline (for example, using a laptop) or the AD server is unavailable for...
  • Page 321 Figure 12.1 Active Directory Authentication Schema (figure: PAM-aware applications and kerberized apps such as gdm, kdm and login; pam_winbind, pam_unix2, pam_mkhomedir; nss_compat, nss_winbind, nscd; Kerberos credential cache and offline cache; winbindd; Windows DC (Active Directory)) To communicate with the directory service, the client needs to share at least two protocols with the server: LDAP LDAP is a protocol optimized for managing directory information.
  • Page 322 Kerberos Kerberos is a third-party trusted authentication service. All its clients trust Kerberos's judgment of another client's identity, enabling kerberized single-sign-on (SSO) solutions. Windows supports a Kerberos implementation, making Kerberos SSO possible even with Linux clients. To learn more about Kerberos in Linux, refer to Chapter 41, Network Authentication—Kerberos (page 749).
  • Page 323 1 The Windows domain controller providing both LDAP and KDC (Key Distribution Center) services is located. 2 A machine account for the joining client is created in the directory service. 3 An initial ticket granting ticket (TGT) is obtained for the client and stored in its local Kerberos credential cache.
  • Page 324 Account disabled The user sees an error message stating that his account has been disabled and that he should contact the system administrator. Account locked out The user sees an error message stating that his account has been locked and that he should contact the system administrator.
  • Page 325: Configuring A Linux Client For Active Directory

    SUSE Linux Enterprise supports local home directories for AD users. If configured through YaST as described in Section 12.3, “Configuring a Linux Client for Active Directory” (page 309), user homes are created at the first login of a Windows (AD) user into the Linux client.
  • Page 326 Configure your client machine to use a DNS server that can forward DNS requests to the AD DNS server. Alternatively, configure your machine to use the AD DNS server as the name service data source. To succeed with Kerberos authentication, the client must have its time set accurately.
  • Page 327 NOTE Currently only a domain administrator account, such as Administrator, can join SUSE Linux Enterprise into Active Directory. To join an AD domain in a running system, proceed as follows: Procedure 12.1 Joining an AD Domain 1 Log in as root and start YaST. 2 Start Network Services >...
  • Page 328 4 Check Also Use SMB Information for Linux Authentication to use the SMB source for Linux authentication. 5 Check Create Home Directory on Login to automatically create a local home directory for your AD user on the Linux machine. 6 Check Offline Authentication to allow your domain users to log in even if the AD server is temporarily unavailable or you do not have a network connection.
  • Page 329: Logging In to an AD Domain

    12.4 Logging In to an AD Domain Provided your machine has been configured to authenticate against Active Directory and you have a valid Windows user identity, you can log in to your machine using the AD credentials. Login is supported for both desktop environments (GNOME and KDE), the console, SSH, and any other PAM-aware application.
  • Page 330: Changing Passwords

    12.4.2 Console Login As well as logging in to the AD client machine using a graphical front-end, you can log in using the text-based console login or even remotely using SSH. To log in to your AD client from a console, enter DOMAIN\user at the login: prompt and provide the password.
  • Page 331 GDM and KDM provide feedback about password expiration and prompt for new passwords in an interactive mode. To change passwords in the display managers, just provide the password information when prompted to do so. To change your Windows password, you can use the standard Linux utility, passwd, instead of having to manipulate this data on the server.
  • Page 332 3 Click Password & User Account. 4 Click Change Password. 5 Enter your current password. 6 Enter and confirm the new password and apply your settings with OK. 7 Leave the Personal Settings with File > Quit.
  • Page 333: 13 Access Control Lists in Linux

    Access Control Lists in Linux POSIX ACLs (access control lists) can be used as an expansion of the traditional permission concept for file system objects. With ACLs, permissions can be defined more flexibly than the traditional permission concept allows. The term POSIX ACL suggests that this is a true POSIX (portable operating system interface) standard.
  • Page 334 would not be able to change passwd, because it would be too dangerous to grant all users direct access to this file. A possible solution to this problem is the setuid mechanism. setuid (set user ID) is a special file attribute that instructs the system to execute programs marked accordingly under a specific user ID.
  • Page 335: Advantages of ACLs

    13.2 Advantages of ACLs Traditionally, three permission sets are defined for each file object on a Linux system. These sets include the read (r), write (w), and execute (x) permissions for each of three types of users—the file owner, the group, and other users. In addition to that, it is possible to set the set user id, the set group id, and the sticky bit.
  • Page 336: Handling ACLs

    default ACL Default ACLs can only be applied to directories. They determine the permissions a file system object inherits from its parent directory when it is created. ACL entry Each ACL consists of a set of ACL entries. An ACL entry contains a type, a qualifier for the user or group to which the entry refers, and a set of permissions.
  • Page 337 Table 13.1 ACL Entry Types (Type: Text Form) owner: user::rwx; named user: user:name:rwx; owning group: group::rwx; named group: group:name:rwx; mask: mask::rwx; other: other::rwx. Table 13.2 Masking Access Permissions (Entry Type: Text Form) named user: user:geeko:r-x; mask: mask::rw-; effective permissions: 13.4.1 ACL Entries and File Mode Permission Bits Figure 13.1, “Minimum ACL: ACL Entries Compared to Permission Bits”...
  • Page 338 ACL entry owner. Other class permissions are mapped to the respective ACL entry. However, the mapping of the group class permissions is different in the two cases. Figure 13.1 Minimum ACL: ACL Entries Compared to Permission Bits In the case of a minimum ACL—without mask—the group class permissions are mapped to the ACL entry owning group.
  • Page 339 Before creating the directory, use the umask command to define which access permissions should be masked each time a file object is created. The command umask 027 sets the default permissions by giving the owner the full range of permissions (0), denying the group write access (2), and giving other users no permissions at all (7).
  • Page 340 mask::rwx other::--- In addition to the entries initiated for the user geeko and the group mascots, a mask entry has been generated. This mask entry is set automatically so that all permissions are effective. setfacl automatically adapts existing mask entries to the settings modified, unless you deactivate this feature with -n.
  • Page 341 The output of getfacl confirms this. This output includes a comment for all those entries in which the effective permission bits do not correspond to the original permissions, because they are filtered according to the mask entry. The original permissions can be restored at any time with chmod g+w mydir.
  • Page 342 The option -d of the setfacl command prompts setfacl to perform the following modifications (option -m) in the default ACL. Take a closer look at the result of this command: getfacl mydir # file: mydir # owner: tux # group: project3 user::rwx user:geeko:rwx group::r-x...
  • Page 343 default:mask::r-x default:other::--- As expected, the newly-created subdirectory mysubdir has the permissions from the default ACL of the parent directory. The access ACL of mysubdir is an exact reflection of the default ACL of mydir. The default ACL that this directory will hand down to its subordinate objects is also the same.
  • Page 344: ACL Support in Applications

    access is handled in accordance with the entry that best suits the process. Permissions do not accumulate. Things are more complicated if a process belongs to more than one group and would potentially suit several group entries. An entry is randomly selected from the suitable entries with the required permissions.
  • Page 345: System Monitoring Utilities

    System Monitoring Utilities A number of programs and mechanisms, some of which are presented here, can be used to examine the status of your system. Also described are some utilities that are useful for routine work, along with their most important parameters. For each of the commands introduced, examples of the relevant outputs are presented.
  • Page 346: Debugging

    14.1 Debugging 14.1.1 Specifying the Required Library: ldd Use the command ldd to find out which libraries would load the dynamic executable specified as argument. tux@mercury:~> ldd /bin/ls linux-gate.so.1 => (0xffffe000) librt.so.1 => /lib/librt.so.1 (0xb7f97000) libacl.so.1 => /lib/libacl.so.1 (0xb7f91000) libc.so.6 => /lib/libc.so.6 (0xb7e79000) libpthread.so.0 =>...
  • Page 347 14.1.3 System Calls of a Program Run: strace The utility strace enables you to trace all the system calls of a process currently running. Enter the command in the normal way, adding strace at the beginning of the line: tux@mercury:~> strace ls execve("/bin/ls", ["ls"], [/* 61 vars */]) = 0 uname({sys="Linux", node="mercury", ...}) = 0 brk(0)
  • Page 348: Files And File Systems

    14.2 Files and File Systems 14.2.1 Determine the File Type: file The command file determines the type of a file or a list of files by checking /etc/magic. tux@mercury:~> file /usr/bin/file /usr/bin/file: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), \ for GNU/Linux 2.2.5, dynamically linked (uses shared libs), stripped The parameter -f list specifies a file with a list of filenames to examine.
  • Page 349 Obtain information about total usage of the file systems with the command df. The parameter -h (or --human-readable) transforms the output into a form understandable for common users. tux@mercury:~> df -h Filesystem Size Used Avail Use% Mounted on /dev/sda3 3.2G 6.9G 32% /...
  • Page 350: Hardware Information

    14.2.4 File Properties: stat The command stat displays file properties: tux@mercury:~> stat /etc/profile File: `/etc/profile' Size: 8080 Blocks: 16 IO Block: 4096 regular file Device: 806h/2054d Inode: 64942 Links: 1 Access: (0644/-rw-r--r--) Uid: ( root) Gid: ( root) Access: 2007-07-16 23:28:18.000000000 +0200 Modify: 2006-09-19 14:45:01.000000000 +0200 Change: 2006-12-05 14:54:55.000000000 +0100 The parameter --filesystem produces details of the properties of the file system...
  • Page 351 Controller (rev 01) 00:1f.3 SMBus: Intel Corporation 82801DB/DBL/DBM (ICH4/ICH4-L/ICH4-M) \ SMBus Controller (rev 01) 00:1f.5 Multimedia audio controller: Intel Corporation 82801DB/DBL/DBM \ (ICH4/ICH4-L/ICH4-M) AC'97 Audio Controller (rev 01) 01:00.0 VGA compatible controller: Matrox Graphics, Inc. G400/G450 (rev 85) 02:08.0 Ethernet controller: Intel Corporation 82801DB PRO/100 VE (LOM) \ Ethernet Controller (rev 81) Using -v results in a more detailed listing: mercury:~ # lspci...
  • Page 352 14.3.3 Information about a SCSI Device: scsiinfo The command scsiinfo lists information about a SCSI device. With the option -l, list all SCSI devices known to the system (similar information is obtained via the command lsscsi). The following is the output of scsiinfo -i /dev/sda, which gives information about a hard disk.
  • Page 353: Networking

    # netstat -t -p Active Internet connections (w/o servers) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Pro 0 mercury:33513 www.novell.com:www-http ESTABLISHED 6862/fi 352 mercury:ssh mercury2.:trc-netpoll ESTABLISHED 19422/s 0 localhost:ssh localhost:17828 ESTABLISHED - In the following, statistics for the TCP protocol are displayed: tux@mercury:~>...
  • Page 354: The /Proc File System

    26786 segments send out 54 segments retransmited 0 bad segments received. 6 resets sent [...] TCPAbortOnLinger: 0 TCPAbortFailed: 0 TCPMemoryPressures: 0 14.5 The /proc File System The /proc file system is a pseudo file system in which the kernel reserves important information in the form of virtual files.
  • Page 355 Some of the important files and their contents are: /proc/devices Available devices /proc/modules Kernel modules loaded /proc/cmdline Kernel command line /proc/meminfo Detailed information about memory usage /proc/config.gz gzip-compressed configuration file of the kernel currently running Further information is available in the text file /usr/src/linux/Documentation/filesystems/proc.txt.
  • Page 356 The address assignment of executables and libraries is contained in the maps file: tux@mercury:~> cat /proc/self/maps 08048000-0804c000 r-xp 00000000 03:03 17753 /bin/cat 0804c000-0804d000 rw-p 00004000 03:03 17753 /bin/cat 0804d000-0806e000 rw-p 0804d000 00:00 0 [heap] b7d27000-b7d5a000 r--p 00000000 03:03 11867 /usr/lib/locale/en_GB.utf8/ b7d5a000-b7e32000 r--p 00000000 03:03 11868 /usr/lib/locale/en_GB.utf8/ b7e32000-b7e33000 rw-p b7e32000 00:00 0...
  • Page 357: Processes

    0 rtc irq 82: 178717720 0 PCI-MSI 0 acpi irq169: 44352794 nvidia irq 12: irq233: 8209068 0 PCI-MSI To see all the information, use the parameter -a. The parameter -nN produces updates of the information every N seconds. In this case, terminate the program by pressing Q. By default, the cumulative values are displayed.
  • Page 358 To list all processes with user and command line information, use ps axu: tux@mercury:~> ps axu USER PID %CPU %MEM RSS TTY STAT START TIME COMMAND root 272 ? 12:59 0:01 init [5] root 12:59 0:00 [ksoftirqd root S< 12:59 0:00 [events [...] 4047...
  • Page 359 14.6.3 Process Tree: pstree The command pstree produces a list of processes in the form of a tree: tux@mercury:~> pstree init-+-NetworkManagerD |-acpid |-3*[automount] |-cron |-cupsd |-2*[dbus-daemon] |-dbus-launch |-dcopserver |-dhcpcd |-events/0 |-gpg-agent |-hald-+-hald-addon-acpi `-hald-addon-stor |-kded |-kdeinit-+-kdesu---su---kdesu_stub---yast2---y2controlcenter |-kio_file |-klauncher |-konqueror |-konsole-+-bash---su---bash `-bash `-kwin |-kdesktop---kdesktop_lock---xmatrix |-kdesud...
  • Page 360 tux@mercury:~> top -n 1 top - 17:06:28 up 2:10, 5 users, load average: 0.00, 0.00, 0.00 Tasks: 85 total, 1 running, 83 sleeping, 1 stopped, 0 zombie Cpu(s): 5.5% us, 0.8% sy, 0.8% ni, 91.9% id, 1.0% wa, 0.0% hi, 0.0% si Mem: 515584k total,...
  • Page 361: System Information

    14.7 System Information 14.7.1 System Activity Information: sar To use sar, sadc (system activity data collector) needs to be running. Check its status or start it with rcsysstat {start|status}. sar can generate extensive reports on almost all important system activities, among them CPU, memory, IRQ usage, IO, or networking.
  • Page 362 Following termination of the less process, which was running on another terminal, the file system can successfully be unmounted. 14.7.4 Kernel Ring Buffer: dmesg The Linux kernel keeps certain messages in a ring buffer. To view these messages, enter the command dmesg: $ dmesg [...] end_request: I/O error, dev fd0, sector 0...
  • Page 363 bash 5552 tux 2375 11663 /usr/lib/locale/en_GB. bash 5552 tux 11736 /usr/lib/locale/en_GB. bash 5552 tux 11831 /usr/lib/locale/en_GB. bash 5552 tux 11862 /usr/lib/locale/en_GB. bash 5552 tux 11839 /usr/lib/locale/en_GB. bash 5552 tux 11664 /usr/lib/locale/en_GB. bash 5552 tux 11735 /usr/lib/locale/en_GB. bash 5552 tux 11866 /usr/lib/locale/en_GB. bash 5552 tux 21544...
  • Page 364 42013K total, Other: 206K total, All: 42219K total res-base Wins GCs Fnts Pxms Misc Pxm mem Other Total PID Identifier 3e00000 18161K 18175K NOVELL: SU 4600000 1 1182 4566K 4600K amaroK - S 1600000 3811K 3816K KDE Deskto 3400000 2816K...
  • Page 365: User Information

    3200000 EMACS 2200000 SUSEWatche 4400000 36K 16489 kdesu 1a00000 KMix 3800000 24K 22242 knotify 1e00000 624B KPowersave 3600000 11K 22236 konqueror 2000000 klipper 3000000 888B KDE Wallet 14.8 User Information 14.8.1 Who Is Doing What: w With the command w, find out who is logged onto the system and what each user is doing.
  • Page 367: Working With The Shell

    Working with the Shell When booting your Linux system, you are usually directed to a graphical user interface that guides you through the login process and the following interactions with the system. Although graphical user interfaces have become very important and user-friendly, using them is not the only way to communicate with your system.
  • Page 368: Getting Started With The Bash Shell

    15.1 Getting Started with the Bash Shell In Linux, you can use the command line parallel to the graphical user interface and easily switch between them. To start a terminal window from the graphical user interface in KDE, click the Konsole icon in the panel. In GNOME, click the GNOME Terminal icon in the panel.
  • Page 369 IMPORTANT: No News Is Good News The shell is not verbose: in contrast to some graphical user interfaces, it usually does not provide confirmation messages when commands have been executed. Messages only appear in case of problems or errors. Also keep this in mind for commands to delete objects. Before entering a command like rm for removing a file, you should know if you really want to get rid of the object: it will be deleted irretrievably, without enquiry.
  • Page 370: Getting Help

    and are prefixed with a hyphen. The ls -l command shows the contents of the same directory in full detail (long listing format): Figure 15.3 The ls -l Command On the left of each object name, information about the object is shown in several columns.
  • Page 371 15.1.2 Linux Directory Structure Because the shell does not offer a graphical overview of directories and files like the tree view in a file manager, it is useful to have some basic knowledge of the default directory structure in a Linux system. You can think of directories as electronic folders in which files, programs, and subdirectories are stored.
  • Page 372 Table 15.1 Overview of a Standard Directory Tree
    /  Root directory, starting point of the directory tree
    /home  Personal directories of users
    /etc  Important files for system configuration
    /bin, /sbin  Programs needed early in the boot process (/bin) and for the administrator (/sbin)
    /usr, /usr/local  All application programs and local, distribution-independent extensions (/usr/local)
  • Page 373 NOTE: Linux Is Case-Sensitive Linux distinguishes between uppercase and lowercase in the file system. For example, entering test.txt or Test.txt makes a difference in Linux. Keep this in mind when entering filenames or paths. To change directories, use the cd command. •...
  • Page 374 2a Enter touch myfile.txt. The touch command with the myfile.txt option creates a new, empty file named myfile.txt in your current directory. 2b Check this by entering ls -l. The new file should appear in the list of contents. 2c Enter cp myfile.txt ../tmp/test.
  • Page 375: Wild Cards

    mand appears at the prompt. Press ↓ to move forward through the list of previously entered commands. Use Ctrl + R to search in the history. You can edit the selected command, for example, changing the name of a file, before you execute the command by pressing Enter .
  • Page 376 Assuming that your test directory contains the files Testfile, Testfile1, Testfile2, and datafile. • The command ls Testfile? lists the files Testfile1 and Testfile2. • With ls Test*, the list also includes Testfile. •...
  • Page 377 command to a file (output redirection) or use a file as input for a command (input redirection). For example, if you want to write the output of a command such as ls to a file, enter ls -l > file.txt. This creates a file named file.txt that contains the list of contents of your current directory as generated by the ls command.
  • Page 378 (for table) Display the contents of an archive. (for extract) Unpack the archive. (for verbose) Show all files on screen while creating the archive. (for file) Choose a filename for the archive file. When creating an archive, this option must always be given as the last one. To pack the test directory with all its files and subdirectories into an archive named testarchive.tar, do the following: 1 Open a shell.
  • Page 379: Users And Access Permissions

    which results in the file testarchive.tar, which then needs to be extracted or untarred with tar -xvf testarchive.tar. You can also unzip and extract a compressed archive in one step with tar -xvf testarchive.tar.gz (adding the -z option is no longer required). With ls, you can see that a new test directory has been created with the same contents as your test directory in your home directory.
  • Page 380 in a Linux system is a member of at least one proprietary group, normally users. There can be as many groups in a system as needed, but only root is able to add groups. Every user can find out, with the command groups, of which groups he is a member.
  • Page 381 to this file. Other permissions can be assigned by means of ACLs (access control lists). Directory Permissions Access permissions for directories have the type d. For directories, the individual permissions have a slightly different meaning. Example 15.2 Sample Output Showing Directory Permissions drwxrwxr-x 1 tux project3 35 Jun 21 15:15 ProjectData Example 15.2, “Sample Output Showing Directory Permissions”...
  • Page 382 2. A character for deletion (–), setting (=), or insertion (+) 3. The abbreviations • r—read • w—write • x—execute 4. Filename or filenames separated by spaces If, for example, the user tux in Example 15.2, “Sample Output Showing Directory Permissions”...
  • Page 383: Important Linux Commands

    15.3 Important Linux Commands This section gives insight into the most important commands. There are many more commands than listed in this chapter. Along with the individual commands, parameters are listed and, where appropriate, a typical sample application is introduced. To learn more about the various commands, use the manual pages, accessed with man followed by the name of the command, for example, man ls.
  • Page 384 cp [options] source target Copies source to target. Waits for confirmation, if necessary, before an existing target is overwritten Copies recursively (includes subdirectories) mv [options] source target Copies source to target then deletes the original source. Creates a backup copy of the source before moving Waits for confirmation, if necessary, before an existing targetfile is overwritten rm [options] files...
  • Page 385 mkdir [options] directory Creates a new directory. rmdir [options] directory Deletes the specified directory if it is already empty. chown [options] username[:[group]] files Transfers ownership of a file to the user with the specified username. Changes files and directories in all subdirectories chgrp [options] groupname files Transfers the group ownership of a given file to the group with the specified group name.
  • Page 386 Execute—executing files or changing to the directory Setuid bit—the application or program is started as if it were started by the owner of the file As an alternative, a numeric code can be used. The four digits of this code are composed of the sum of the values 4, 2, and 1—the decimal result of a binary mask.
  • Page 387 Outputs the contents of an archive Adds files, but only if they are newer than the files already contained in the archive Unpacks files from an archive (extraction) Packs the resulting archive with gzip Compresses the resulting archive with bzip2 Lists files processed The archive files created by tar end with .tar.
  • Page 388 find [options] With find, search for a file in a given directory. The first argument specifies the directory in which to start the search. The option -name must be followed by a search string, which may also include wild cards. Unlike locate, which uses a database, find scans the actual directory.
  • Page 389 Only lists the files in which searchstring does not occur diff [options] file1 file2 The diff command compares the contents of any two files. The output produced by the program lists all lines that do not match. This is frequently used by programmers who need only send their program alterations and not the entire source code.
  • Page 390 15.3.2 System Commands The following section lists a few of the most important commands needed for retrieving system information and controlling processes and the network. System Information df [options] [directory] The df (disk free) command, when used without any options, displays information about the total disk space, the disk space currently in use, and the free space on all the mounted drives.
  • Page 391 Output in kilobytes Output in megabytes date [options] This simple program displays the current system time. If run as root, it can also be used to change the system time. Details about the program are available in the date(1) man page. Processes top [options] top provides a quick overview of the currently running processes.
  • Page 392 Network ping [options] hostname or IP address The ping command is the standard tool for testing the basic functionality of TCP/IP networks. It sends a small data packet to the destination host, requesting an immediate reply. If this works, ping displays a message to that effect, which indicates that the network link is basically functioning.
  • Page 393: The Vi Editor

    Miscellaneous passwd [options] [username] Users may change their own passwords at any time using this command. The administrator root can use the command to change the password of any user on the system. su [options] [username] The su command makes it possible to log in under a different username from a running session.
  • Page 394: Operating Modes

    15.4.1 Operating Modes NOTE: Display of Keys In the following, find several commands that you can enter in vi by just pressing keys. These appear in uppercase as on a keyboard. If you need to enter a key in uppercase, this is stated explicitly by showing a key combination including the Shift key.
  • Page 395 1. Exit without saving: To terminate the editor without saving the changes, enter : – Q – ! in command mode. The exclamation mark (!) causes vi to ignore any changes. 2. Save and exit: There are several possibilities to save your changes and terminate the editor.
  • Page 396 Table 15.2 Simple Commands of the vi Editor Change to command mode Change to insert mode (characters appear at the current cursor position) Change to insert mode (characters are inserted after the current cursor position) Shift + A Change to insert mode (characters are added at the end of the line) Shift + R Change to replace mode (overwrite the old text)
  • Page 397 15.4.3 For More Information vi supports a wide range of commands. It enables the use of macros, shortcuts, named buffers, and many other useful features. A detailed description of the various options would exceed the scope of this manual. SUSE Linux Enterprise comes with vim (vi improved), an improved version of vi.
  • Page 399: Part Iii System

    Part III. System...
  • Page 401: Bit And 64-Bit Applications In A 64-Bit System Environment

    32-Bit and 64-Bit Applications in a 64-Bit System Environment SUSE Linux Enterprise® is available for 64-bit platforms. This does not necessarily mean that all the applications included have already been ported to 64-bit platforms. SUSE Linux Enterprise supports the use of 32-bit applications in a 64-bit system environment.
  • Page 402: Software Development

    To be executed correctly, every application requires a range of libraries. Unfortunately, the names for the 32-bit and 64-bit versions of these libraries are identical. They must be differentiated from each other in another way. To retain compatibility with the 32-bit version, the libraries are stored at the same place in the system as in the 32-bit environment.
  • Page 403: Software Compilation On Biarch Platforms

    16.3 Software Compilation on Biarch Platforms To develop binaries for the other architecture on a biarch architecture, the respective libraries for the second architecture must additionally be installed. These packages are called rpmname-32bit. You also need the respective headers and libraries from the rpmname-devel packages and the development libraries for the second architecture from rpmname-devel-32bit.
  • Page 404: Kernel Specifications

    Some applications require separate kernel-loadable modules. If you intend to use such a 32-bit application in a 64-bit system environment, contact the provider of this application and Novell to make sure that the 64-bit version of the kernel-loadable module and the 32-bit compiled version of the kernel API are available for this module.
  • Page 405: Booting And Configuring A Linux System

    Booting and Configuring a Linux System Booting a Linux system involves various different components. The hardware itself is initialized by the BIOS, which starts the kernel by means of a boot loader. After this point, the boot process with init and the runlevels is completely controlled by the operating system.
  • Page 406 information about GRUB, the Linux boot loader, can be found in Chapter 18, The Boot Loader (page 405). 3. Kernel and initramfs To pass system control, the boot loader loads both the kernel and an initial RAM–based file system (initramfs) into memory. The contents of the initramfs can be used by the kernel directly.
  • Page 407 changing the root file system, it is necessary to regenerate the devices. This is done by boot.udev with the command udevtrigger. If you need to change hardware (e.g. hard disks) in an installed system and this hardware requires different drivers to be present in the kernel at boot time, you must update the initramfs file.
  • Page 408 Managing RAID and LVM Setups If you configured your system to hold the root file system under RAID or LVM, init sets up LVM or RAID to enable access to the root file system later. Find information about RAID in Section 7.2, “Soft RAID Configuration”...
  • Page 409: The Init Process

    17.2 The init Process The program init is the process with process ID 1. It is responsible for initializing the system in the required way. init is started directly by the kernel and resists signal 9, which normally kills processes. All other programs are either started directly by init or by one of its child processes.
  • Page 410 Runlevel Description Full multiuser mode with network Not used Full multiuser mode with network and X display manager—KDM, GDM, or XDM System reboot IMPORTANT: Avoid Runlevel 2 with a Partition Mounted via NFS You should not use runlevel 2 if your system mounts a partition like /usr via NFS.
  • Page 411 telinit 6 or shutdown -r now The system halts then reboots. Runlevel 5 is the default runlevel in all SUSE Linux Enterprise standard installations. Users are prompted for login with a graphical interface or the default user is logged in automatically.
  • Page 412 When changing into the same runlevel as the current runlevel, init only checks /etc/ inittab for changes and starts the appropriate steps, for example, for starting a getty on another interface. The same functionality may be achieved with the command telinit q.
  • Page 413 Option Description
    restart  If the service is running, stop it then restart it. If it is not running, start it.
    reload  Reload the configuration without stopping and restarting the service.
    force-reload  Reload the configuration if the service supports this. Otherwise, do the same as if restart had been given.
    status  Show the current status of service.
  • Page 414 The script boot is also responsible for starting all the scripts in /etc/init.d/ boot.d with a name that starts with S. There, the file systems are checked and loop devices are configured if needed. The system time is also set. If an error occurs while automatically checking and repairing the file system, the system administrator can intervene after first entering the root password.
  • Page 415 need to enhance the script with your own parts, so the correct actions are triggered by the init procedure. The INIT INFO block at the top is a required part of the script and must be edited. Example 17.1, “A Minimal INIT INFO Block” (page 399).
  • Page 416 Do not set these links manually. If something is wrong in the INFO block, problems will arise when insserv is run later for some other service. The manually-added service will be removed with the next run of insserv for this script. 17.2.3 Configuring System Services (Runlevel) with YaST After starting this YaST module with YaST >...
  • Page 417: System Configuration Via /Etc/Sysconfig

    top. Normally, the default runlevel of a SUSE Linux Enterprise system is runlevel 5 (full multiuser mode with network and X). A suitable alternative might be runlevel 3 (full multiuser mode with network). This YaST dialog allows the selection of one of the runlevels (as listed in Table 17.1, “Available Runlevels”...
  • Page 418 17.3.1 Changing the System Configuration Using the YaST sysconfig Editor The YaST sysconfig editor provides an easy-to-use front-end to system configuration. Without any knowledge of the actual location of the configuration variable you need to change, you can just use the built-in search function of this module, change the value of the configuration variable as needed, and let YaST take care of applying these changes, updating configurations that depend on the values set in sysconfig and restarting services.
  • Page 419 The YaST sysconfig dialog is split into three parts. The left part of the dialog shows a tree view of all configurable variables. When you select a variable, the right part displays both the current selection and the current setting of this variable. Below, a third window displays a short description of the variable's purpose, possible values, the default value, and the actual configuration file from which this variable originates.
  • Page 420 but you may still do so to make absolutely sure that all the programs concerned are correctly restarted. TIP: Configuring Automated System Configuration To disable the automated system configuration by SuSEconfig, set the variable ENABLE_SUSECONFIG in /etc/sysconfig/suseconfig to no. Do not disable SuSEconfig if you want to use the SUSE installation support.
  • Page 421 The Boot Loader This chapter describes how to configure GRUB, the boot loader used in SUSE Linux Enterprise®. A special YaST module is available for performing all settings. If you are not familiar with the subject of booting in Linux, read the following sections to acquire some background information.
  • Page 422: Selecting A Boot Loader

    Boot Sectors Boot sectors are the first sectors of hard disk partitions with the exception of the extended partition, which merely serves as a “container” for other partitions. These boot sectors have 512 bytes of space for code used to boot an operating system installed in the respective partition.
  • Page 423 access file systems of supported BIOS disk devices (floppy disks or hard disks, CD drives, and DVD drives detected by the BIOS). Therefore, changes to the GRUB configuration file (menu.lst) do not require a reinstallation of the boot manager. When the system is booted, GRUB reloads the menu file with the valid paths and partition data of the kernel or the initial RAM disk (initrd) and locates these files.
  • Page 424 18.2.1 The GRUB Boot Menu The graphical splash screen with the boot menu is based on the GRUB configuration file /boot/grub/menu.lst, which contains all information about all partitions or operating systems that can be booted by the menu. Every time the system is booted, GRUB loads the menu file from the file system. For this reason, GRUB does not need to be reinstalled after every change to the file.
  • Page 425 The command root simplifies the specification of kernel and initrd files. The only argument of root is a device or a partition. This device is used for all kernel, initrd, or other file paths for which no device is explicitly specified until the next root command.
  • Page 426 the file device.map, which can be edited if necessary. Information about the file device.map is available in Section 18.2.2, “The File device.map” (page 413). A complete GRUB path consists of a device name written in parentheses and the path to the file in the file system in the specified partition. The path begins with a slash. For example, the bootable kernel could be specified as follows on a system with a single IDE hard disk containing Linux in its first partition: (hd0,0)/boot/vmlinuz...
  • Page 427 color white/blue black/light-gray Color scheme: white (foreground), blue (background), black (selection), and light gray (background of the selection). The color scheme has no effect on the splash screen, only on the customizable GRUB menu that you can access by exiting the splash screen with Esc .
  • Page 428 Editing Menu Entries during the Boot Procedure In the graphical boot menu, select the operating system to boot with the arrow keys. If you select a Linux system, you can enter additional boot parameters at the boot prompt. To edit individual menu entries directly, press Esc to exit the splash screen and get to the GRUB text-based menu then press E .
  • Page 429 18.2.2 The File device.map The file device.map maps GRUB and BIOS device names to Linux device names. In a mixed system containing IDE and SCSI hard disks, GRUB must try to determine the boot sequence by a special procedure, because GRUB may not have access to the BIOS information on the boot sequence.
  • Page 430: Setting A Boot Password

    18.2.3 The File /etc/grub.conf The third most important GRUB configuration file after menu.lst and device.map is /etc/grub.conf. This file contains the commands, parameters, and options the GRUB shell needs for installing the boot loader correctly:
    root (hd0,4)
    install /grub/stage1 (hd0,3) /grub/stage2 0x8000 (hd0,4)/grub/menu.lst
    quit
    Meaning of the individual entries: root (hd0,4)
  • Page 431 As the user root, proceed as follows to set a boot password:
    1 At the root prompt, encrypt the password using grub-md5-crypt:
    # grub-md5-crypt
    Password: ****
    Retype password: ****
    Encrypted: $1$lS2dv/$JOYcdxIn7CJk9xShzzJVw/
    2 Paste the encrypted string into the global section of the file menu.lst:
    gfxmenu (hd0,4)/message
    color white/blue black/light-gray
    default 0...
  • Page 432: Configuring The Boot Loader With Yast

    18.3 Configuring the Boot Loader with YaST The easiest way to configure the boot loader in your SUSE Linux Enterprise system is to use the YaST module. In the YaST Control Center, select System > Boot Loader. As shown in Figure 18.1, “Boot Loader Settings” (page 416), the module displays the current boot loader configuration of your system and allows you to make changes.
  • Page 433 Section 18.2, “Booting with GRUB” (page 406) for details). You can also delete the existing configuration and Start from Scratch or let YaST Propose a New Configuration. It is also possible to write the configuration to disk or reread the configuration from the disk.
  • Page 434 During the conversion, the old GRUB configuration is saved to disk. To use it, simply change the boot loader type back to GRUB and choose Restore Configuration Saved before Conversion. This action is available only on an installed system. NOTE: Custom Boot Loader To use a boot loader other than GRUB or LILO, select Do Not Install Any Boot Loader.
  • Page 435: Security Settings

    18.3.3 Default System To change the system that is booted by default, proceed as follows: Procedure 18.3 Setting the Default System 1 Open the Section Management tab. 2 Select the desired entry from the list. 3 Click Set as Default. 4 Click Finish to activate these changes.
  • Page 436: Creating Boot Cds

    Procedure 18.5 Setting a Boot Loader Password 1 Open the Boot Loader Installation tab. 2 Click Boot Loader Options. 3 Set your password in Password for the Menu Interface. 4 Click OK. 5 Click Finish to save the changes. 18.4 Uninstalling the Linux Boot Loader YaST can be used to uninstall the Linux boot loader and restore the MBR to the state it had prior to the installation of Linux.
  • Page 437: The Graphical Suse Screen

    2 Create a subdirectory for GRUB:
    mkdir -p iso/boot/grub
    3 Copy the kernel, the files stage2_eltorito, initrd, menu.lst, and message to iso/boot/:
    cp /boot/vmlinuz iso/boot/
    cp /boot/initrd iso/boot/
    cp /boot/message iso/boot/
    cp /usr/lib/grub/stage2_eltorito iso/boot/grub
    cp /boot/grub/menu.lst iso/boot/grub
    4 Adjust the path entries in iso/boot/grub/menu.lst to make them point to a CD-ROM device.
  • Page 438: Troubleshooting

    This section lists some of the problems frequently encountered when booting with GRUB and a short description of possible solutions. Some of the problems are covered in articles in the Knowledge base at http://support.novell.com/. Use the search dialog to search for keywords like GRUB, boot, and boot loader.
  • Page 439 about the installation, configuration, and maintenance of LILO is available in the Support Database under the keyword LILO. GRUB also returns this error message if Linux was installed on an additional hard disk that is not registered in the BIOS. stage1 of the boot loader is found and loaded correctly, but stage2 is not found.
  • Page 440: For More Information

    Extensive information about GRUB is available at http://www.gnu.org/software/grub/. Also refer to the grub info page. You can also search for the keyword “GRUB” in the Technical Information Search at http://www.novell.com/support to get information about special issues.
  • Page 441: Special System Features

    Special System Features This chapter starts with information about various software packages, the virtual consoles, and the keyboard layout. We talk about software components like bash, cron, and logrotate, because they were changed or enhanced during the last release cycles. Even if they are small or considered of minor importance, users may want to change their default behavior, because these components are often closely coupled with the system.
  • Page 442
    2. ~/.profile
    3. /etc/bash.bashrc
    4. ~/.bashrc
    Make custom settings in ~/.profile or ~/.bashrc. To ensure the correct processing of these files, it is necessary to copy the basic settings from /etc/skel/.profile or /etc/skel/.bashrc into the home directory of the user. It is recommended to copy the settings from /etc/skel after an update.
  • Page 443 run-crons is run every 15 minutes from the main table (/etc/crontab). This guarantees that processes that may have been neglected can be run at the proper time. To run the hourly, daily, or other periodic maintenance scripts at custom times, remove the time stamp files regularly using /etc/crontab entries (see Example 19.2, “/etc/crontab: Remove Time Stamp Files”...
  • Page 444 Example 19.3 Example for /etc/logrotate.conf
    # see "man logrotate" for details
    # rotate log files weekly
    weekly
    # keep 4 weeks worth of backlogs
    rotate 4
    # create new (empty) log files after rotating old ones
    create
    # uncomment this if you want your log files compressed
    #compress
    # RPM packages drop log rotation information into this directory
    include /etc/logrotate.d...
  • Page 445 19.1.5 The ulimit Command With the ulimit (user limits) command, it is possible to set limits for the use of system resources and to have these displayed. ulimit is especially useful for limiting the memory available for applications. With this, an application can be prevented from using too much memory on its own, which could bring the system to a standstill.
  • Page 446 IMPORTANT Not all shells support ulimit directives. PAM (for instance, pam_limits) offers comprehensive adjustment possibilities if you depend on encompassing settings for these restrictions. 19.1.6 The free Command The free command is somewhat misleading if your goal is to find out how much RAM is currently being used.
  • Page 447 19.1.8 Man Pages and Info Pages For some GNU applications (such as tar), the man pages are no longer maintained. For these commands, use the --help option to get a quick overview of the info pages, which provide more in-depth instructions. info is GNU's hypertext system. Read an introduction to this system by entering info info.
  • Page 448: Virtual Consoles

    The components of Emacs are divided into several packages: • The base package emacs. • emacs-x11 (usually installed): the program with X11 support. • emacs-nox: the program without X11 support. • emacs-info: online documentation in info format. • emacs-el: the uncompiled library files in Emacs Lisp. These are not required at runtime.
  • Page 449: Language And Country-Specific Settings

    /etc/termcap
    /usr/lib/terminfo/x/xterm
    /usr/share/X11/app-defaults/XTerm
    /usr/share/emacs/VERSION/site-lisp/term/*.el
    These changes only affect applications that use terminfo entries or whose configuration files are changed directly (vi, less, etc.). Applications not shipped with the system should be adapted to these defaults. Under X, the compose key (multikey) can be accessed using Ctrl + Shift (right). Also see the corresponding entry in /etc/X11/Xmodmap.
  • Page 450 RC_LC_MESSAGES, RC_LC_CTYPE, RC_LC_COLLATE, RC_LC_TIME, RC_LC_NUMERIC, RC_LC_MONETARY These variables are passed to the shell without the RC_ prefix and represent the listed categories. The shell profiles concerned are listed below. The current setting can be shown with the command locale. RC_LC_ALL This variable, if set, overwrites the values of the variables already mentioned.
  • Page 451 localedef -i en_US -f UTF-8 en_US.UTF-8 LANG=en_US.UTF-8 This is the default setting if American English is selected during installation. If you selected another language, that language is enabled but still with UTF-8 as the character encoding. LANG=en_US.ISO-8859-1 This sets the language to English, country to United States, and the character set to ISO-8859-1.
  • Page 452 19.4.3 Settings for Language Support Files in the category Messages are, as a rule, only stored in the corresponding language directory (like en) to have a fallback. If you set LANG to en_US and the message file in /usr/share/locale/en_US/LC_MESSAGES does not exist, it falls back to /usr/share/locale/en/LC_MESSAGES.
  • Page 453 • Markus Kuhn, UTF-8 and Unicode FAQ for Unix/Linux, currently at http://www.cl.cam.ac.uk/~mgk25/unicode.html. • Unicode-Howto, by Bruno Haible: /usr/share/doc/howto/en/html/Unicode-HOWTO.html.
  • Page 455: Printer Operation

    Printer Operation SUSE Linux Enterprise® supports printing with many types of printers, including remote network printers. Printers can be configured with YaST or manually. Both graphical and command line utilities are available for starting and managing print jobs. If your printer does not work as expected, refer to Section 20.9, “Troubleshooting”...
  • Page 456 print system can convert PostScript jobs to the respective printer language with the help of Ghostscript. This processing stage is referred to as interpreting. The best-known languages are PCL, which is mostly used by HP printers and their clones, and ESC/P, which is used by Epson printers.
  • Page 457: The Workflow Of The Printing System

    20.1 The Workflow of the Printing System The user creates a print job. The print job consists of the data to print plus information for the spooler, such as the name of the printer or the name of the printer queue, and, optionally, information for the filter, such as printer-specific options.
  • Page 458: Installing The Software

    WARNING: Changing Cable Connections in a Running System When connecting the printer to the machine, do not forget that only USB devices can be plugged in or unplugged during operation. To avoid damaging your system or printer, shut down the system before changing any connections that are not USB.
  • Page 459: Setting Up A Printer

    20.4 Setting Up a Printer YaST can be used to configure a local printer that is directly connected to your machine (normally with USB or parallel port) or to set up printing over the network. It is also possible to add PPD (PostScript Printer Description) files for your printer with YaST. 20.4.1 Configuring Local Printers If an unconfigured local printer is detected, YaST starts automatically to configure it.
  • Page 460 printer detection. If more than one printer is connected to the machine or more than one queue is configured for a printer, you can mark the active entry as the default. CUPS Expert Settings and Change IPP Listen are advanced configuration options— refer to Chapter 20, Printer Operation (page 439) for details.
  • Page 461 which language your printer understands). If this does not work, refer to Section “Adding PPD Files with YaST” (page 446) for another possible solution. 7 The Configuration screen lists a summary of the printer setup. This dialog is also shown when editing an existing printer configuration from the start screen of this YaST module.
  • Page 462 • With State and banner settings you can, for example, deactivate the printer by changing its state and specify whether a page with a Starting Banner or Ending Banner is printed before or after each job (the default is not to print them).
  • Page 463: Network Printers

    20.4.2 Configuring Network Printers with YaST Network printers are not detected automatically. They must be configured manually using the YaST printer module. Depending on your network setup, you can print to a print server (CUPS, LPD, SMB, or IPX) or directly to a network printer (preferably via TCP).
  • Page 464 socket Socket refers to a connection in which the data is sent to an Internet socket without first performing a data handshake. Some of the socket port numbers that are commonly used are 9100 or 35. The device URI (uniform resource identifier) syntax is socket://IP.of.the.printer:port, for example, socket://192.168.2.202:9100/.
  • Page 465 20.5.1 Configuring CUPS with Command Line Tools Apart from setting CUPS options with YaST when configuring a network printer, CUPS can be configured with command line tools like lpadmin and lpoptions. You need a device URI consisting of a back-end, such as USB, and parameters, like /dev/usb/lp0.
  • Page 466: Graphical Printing Interfaces

    The activated default option is identified by a preceding asterisk (*).
    2 Change the option with lpadmin:
      lpadmin -p queue -o Resolution=600dpi
    3 Check the new setting:
      lpoptions -p queue -l
      Resolution/Output Resolution: 150dpi 300dpi *600dpi
    When a normal user runs lpoptions, the settings are written to ~/.lpoptions. However, root settings are written to /etc/cups/lpoptions.
  • Page 467: Special Features In Suse Linux Enterprise

    20.8 Special Features in SUSE Linux Enterprise A number of CUPS features have been adapted for SUSE Linux Enterprise. Some of the most important changes are covered here. 20.8.1 CUPS and Firewall After having performed a default installation of SUSE Linux Enterprise, SuSEfirewall2 is active and the external network devices are configured to be in the External Zone which blocks incoming traffic.
  • Page 468 20.8.2 Changes in the CUPS Print Service Generalized Functionality for BrowseAllow and BrowseDeny The access permissions set for BrowseAllow and BrowseDeny apply to all kinds of packets sent to cupsd. The default settings in /etc/cups/cupsd.conf are as follows:
    BrowseAllow @LOCAL
    BrowseDeny All
    <Location />...
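    The following script is an added example, not code from the SUSE guide or from CUPS. It audits a cupsd.conf for the settings the two pages above are about: whether cupsd listens beyond localhost (the firewall section), whether browse packets are accepted from any host, and whether the server-wide <Location /> admits every client. Both sample configurations are constructed for the example; the hardened one is modelled on the defaults quoted above, and the function names are ours.

```shell
#!/bin/sh
# Added example, not from the SUSE guide: audit a cupsd.conf (read on stdin) for
# settings that expose the IPP port or accept browse packets from any host, and
# print one FINDING per problem. The sample configurations are constructed.
audit_cupsd_conf() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        # track the server-wide <Location /> block
        /<Location \/>/ { inroot = 1; next }
        /<\/Location>/  { inroot = 0; next }
        inroot && tolower($1) == "allow" && tolower($NF) == "all" {
            print "FINDING: <Location /> admits every host: " $0
        }
        tolower($1) == "browseallow" && tolower($2) == "all" {
            print "FINDING: BrowseAllow All accepts browse packets from any host"
        }
        # Listen on anything but loopback or a UNIX socket publishes cupsd on the LAN
        tolower($1) == "listen" && $2 !~ /^(localhost|127\.0\.0\.1|\[::1\]|\/)/ {
            print "FINDING: Listen " $2 " exposes cupsd beyond localhost"
        }
        # Port binds every interface; prefer explicit Listen lines
        tolower($1) == "port" { print "FINDING: Port " $2 " binds all interfaces" }
    '
}

finding_count() {
    printf '%s\n' "$1" | audit_cupsd_conf | wc -l | tr -d ' '
}

# Constructed: what a careless "make printing work from the LAN" edit looks like.
WEAK_CONF='Port 631
Listen 0.0.0.0:631
BrowseAllow All
<Location />
  Order Deny,Allow
  Allow from all
</Location>'

# Constructed, modelled on the SUSE defaults quoted above.
SAFE_CONF='Listen localhost:631
Listen /var/run/cups/cups.sock
BrowseAllow @LOCAL
BrowseDeny All
<Location />
  Order Deny,Allow
  Deny From All
  Allow From 127.0.0.1
  Allow From @LOCAL
</Location>'

main() {
    echo "weak configuration:"
    printf '%s\n' "$WEAK_CONF" | audit_cupsd_conf
    echo "hardened configuration: $(finding_count "$SAFE_CONF") findings"
}

main
```

    Run it against the live file with `audit_cupsd_conf < /etc/cups/cupsd.conf`. A Listen line on a LAN address is not wrong in itself for a print server, but then the <Location /> block and SuSEfirewall2 are the only things standing between the network and cupsd, so both should be reviewed together.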
  • Page 469 tection with the vendors and models in all PPD files available in /usr/share/cups/ model on the system. For this purpose, the YaST printer configuration generates a database from the vendor and model information extracted from the PPD files. When you select a printer from the list of vendors and models, receive the PPD files matching the vendor and model.
  • Page 470 Gimp-Print PPD Files in the cups-drivers-stp Package Instead of foomatic-rip, the CUPS filter rastertoprinter from Gimp-Print can be used for many non-PostScript printers. This filter and suitable Gimp-Print PPD files are available in the cups-drivers-stp package. The Gimp-Print PPD files are located in /usr/share/cups/model/stp/ and have the entries *NickName: ...
  • Page 471: Troubleshooting

    printer is too slow because its processor is too weak. Furthermore, the printer may not support PostScript by default, for example, because PostScript support is only available as an optional module. If a PPD file from the manufacturer-PPDs package is suitable for a PostScript printer, but YaST cannot configure it for these reasons, select the respective printer model manually in YaST.
  • Page 472: Parallel Ports

    printers that support a standard printer language do not depend on a special print system version or a special hardware platform. Instead of spending time trying to make a proprietary Linux driver work, it may be more cost-effective to purchase a supported printer. This would solve the driver problem once and for all, eliminating the need to install and configure special driver software and obtain driver updates that may be required due to new developments in the print system.
  • Page 473 If the printer cannot be addressed on the parallel port despite these settings, enter the I/O address explicitly in accordance with the setting in the BIOS in the form 0x378 in /etc/modprobe.conf. If there are two parallel ports that are set to the I/O addresses 378 and 278 (hexadecimal), enter these in the form 0x378,0x278.
  • Page 474 Checking a Remote lpd Use the following command to test if a TCP connection can be established to lpd (port 515) on host: netcat -z host 515 && echo ok || echo failed If the connection to lpd cannot be established, lpd may not be active or there may be basic network problems.
  • Page 475 If the connection to cupsd cannot be established, cupsd may not be active or there may be basic network problems. lpstat -h host -l -t returns a (possibly very long) status report for all queues on host, provided the respective cupsd is active and the host accepts queries.
  • Page 476
    echo -en "\rHello\r\f" | netcat -w 1 IP-address port
    cat file | netcat -w 1 IP-address port
    to send character strings or files directly to the respective port to test if the printer can be addressed on this port. 20.9.5 Defective Printouts without Error Message For the print system, the print job is completed when the CUPS back-end completes the data transfer to the recipient (printer).
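    The following script is an added example, not code from the SUSE guide. It ties together the socket:// device URI syntax from the network printer section and the netcat connection tests from the last three pages: it splits a URI into host and port (defaulting to 9100 when the URI omits the port, which is what the CUPS socket backend does) and probes the port with a one-second timeout. Function names and the sample URIs are ours.

```shell
#!/bin/sh
# Added example, not from the SUSE guide: split a CUPS socket:// device URI into
# host and port and probe that port the way the guide does with netcat. The
# port defaults to 9100 when the URI omits it, which is what the CUPS socket
# backend does. Function names are ours.

# Print "host port" for a socket:// URI, or fail with a message on stderr.
parse_socket_uri() {
    uri=$1
    case $uri in
        socket://*) ;;
        *) echo "not a socket:// URI: $uri" >&2; return 1 ;;
    esac
    rest=${uri#socket://}
    rest=${rest%%/*}                    # drop a trailing path such as "/"
    case $rest in
        *:*) host=${rest%:*}; port=${rest##*:} ;;
        *)   host=$rest;      port=9100 ;;
    esac
    [ -n "$host" ] || { echo "empty host in $uri" >&2; return 1; }
    case $port in
        ''|*[!0-9]*) echo "bad port in $uri" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range in $uri" >&2; return 1
    fi
    echo "$host $port"
}

# Try a TCP connect with a one-second timeout; prints ok or failed.
# Returns 2 when no netcat binary is installed.
probe_port() {
    nc=$(command -v netcat || command -v nc) || { echo "netcat not installed" >&2; return 2; }
    if "$nc" -z -w 1 "$1" "$2" 2>/dev/null; then echo ok; else echo failed; fi
}

main() {
    for uri in socket://192.168.2.202:9100/ socket://printer.example.com lpd://host/queue; do
        if hp=$(parse_socket_uri "$uri"); then
            echo "$uri -> $hp"
        fi
    done
    # Loopback probe of the CUPS port: "ok" only if a local cupsd listens there.
    echo "127.0.0.1:631 -> $(probe_port 127.0.0.1 631 || true)"
}

main
```

    A failed probe of port 9100 means the printer is unreachable at the TCP level; a successful probe only says the port is open, so the raw-string test from the page above is still needed to confirm the printer actually prints what it receives.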
  • Page 477 To delete the print job on the server, use a command such as lpstat -h cups.example.com -o to determine the job number on the server, provided the server has not already completed the print job (that is, sent it completely to the printer). Using this job number, the print job on the server can be deleted: cancel -h cups.example.com queue-jobnumber 20.9.8 Defective Print Jobs and Data...
  • Page 478 20.9.9 Debugging the CUPS Print System Use the following generic procedure to locate problems in the CUPS print system:
    1 Set LogLevel debug in /etc/cups/cupsd.conf.
    2 Stop cupsd.
    3 Remove /var/log/cups/error_log* to avoid having to search through very large log files.
    4 Start cupsd.
  • Page 479: Dynamic Kernel Device Management With Udev

    Dynamic Kernel Device Management with udev Since version 2.6, the kernel is capable of adding or removing almost any device in the running system. Changes in device state (whether a device is plugged in or removed) need to be propagated to userspace. Devices need to be configured as soon as they are plugged in and discovered.
  • Page 480: Kernel Uevents And Udev

    21.2 Kernel uevents and udev The required device information is exported by the sysfs file system. For every device the kernel has detected and initialized, a directory with the device name is created. It contains attribute files with device-specific properties. Every time a device is added or removed, the kernel sends a uevent to notify udev of the change.
  • Page 481: Booting And Initial Device Setup

    aliases provided by the modules. If a matching entry is found, that module is loaded. All this is triggered by udev and happens automatically. 21.4 Booting and Initial Device Setup All device events happening during the boot process before the udev daemon is running are lost, because the infrastructure to handle these events lives on the root file system and is not available at that time.
  • Page 482: Influencing Kernel Device Event Handling With Udev Rules

    The UEVENT lines show the events the kernel has sent over netlink. The UDEV lines show the finished udev event handlers. The timing is printed in microseconds. The time between UEVENT and UDEV is the time udev took to process this event, or the time by which the udev daemon delayed its execution to synchronize this event with related, already running events.
  • Page 483: Persistent Device Naming

    Every line in the rules file contains at least one key value pair. There are two kinds of keys, match and assignment keys. If all match keys match their values, the rule is applied and the assignment keys are assigned the specified value. A matching rule may specify the name of the device node, add symlinks pointing to the node, or run a specified program as part of the event handling.
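    The following script is an added example, not code from the SUSE guide or from udev. It applies the rule grammar described above: keys are split on commas and classified by operator into match keys (==, !=) and assignment keys (=, +=, :=), and a second function flags the rules an auditor cares about, since a rule without a match key fires for every event, RUN+= executes a program as root for each matching event, and MODE="0666" hands the device node to every local user. The sample rules and function names are ours.

```shell
#!/bin/sh
# Added example, not from the SUSE guide: classify the keys of a udev rule into
# match keys (==, !=) and assignment keys (=, +=, :=), and flag rules a reviewer
# should look at twice. Keys are split on commas, so values that themselves
# contain a comma are not handled.

# Print "<match-key-count> <assignment-key-count>" for one rule line.
udev_rule_key_counts() {
    printf '%s\n' "$1" | awk -F', *' '{
        m = 0; a = 0
        for (i = 1; i <= NF; i++) {
            if ($i ~ /(==|!=)/)            m++
            else if ($i ~ /(\+=|:=|-=|=)/) a++
        }
        print m, a
    }'
}

# Read a rules file on stdin and print one FINDING per suspicious rule:
#  - no match key: the rule fires for every event the file sees
#  - RUN+=: udev executes the program as root for every matching event
#  - MODE 0666/0777: the device node becomes world-writable
audit_udev_rules() {
    awk -F', *' '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            m = 0
            for (i = 1; i <= NF; i++) if ($i ~ /(==|!=)/) m++
            if (m == 0)                     print "FINDING: no match key: " $0
            if ($0 ~ /RUN\+=/)              print "FINDING: runs a program: " $0
            if ($0 ~ /MODE="0?(666|777)"/)  print "FINDING: world-writable node: " $0
        }
    '
}

udev_finding_count() {
    printf '%s\n' "$1" | audit_udev_rules | wc -l | tr -d ' '
}

# Constructed sample rules (not a real SUSE file).
SAMPLE_RULES='# persistent name for one disk, group-accessible only
SUBSYSTEM=="block", KERNEL=="sd*", ATTRS{serial}=="ABC123", SYMLINK+="disk/by-serial/ABC123", MODE="0660"
SUBSYSTEM=="usb", ATTR{idVendor}=="1234", MODE="0666"
SUBSYSTEM=="net", ACTION=="add", RUN+="/usr/local/sbin/on-new-nic.sh"
NAME="catchall", MODE="0644"'

main() {
    udev_rule_key_counts 'SUBSYSTEM=="block", KERNEL=="sd*", SYMLINK+="disk/by-serial/ABC123", MODE="0660"'
    printf '%s\n' "$SAMPLE_RULES" | audit_udev_rules
}

main
```

    To review an installed system, feed every file in the rules directory through the audit, for example with `cat /etc/udev/rules.d/*.rules | audit_udev_rules`; a RUN+= finding is not a bug by itself, but the program it names runs with root privileges on hardware events that an attacker with physical access can trigger at will.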
  • Page 484: The Replaced Hotplug Package

    21.8 The Replaced hotplug Package The formerly used hotplug package is entirely replaced by udev and the udev-related kernel infrastructure. The following parts of the former hotplug infrastructure have been made obsolete or had their functionality taken over by udev: /etc/hotplug/*.agent No longer needed or moved to /lib/udev /etc/hotplug/*.rc...
  • Page 485: For More Information

    /lib/udev/* Helper programs called from udev rules 21.9 For More Information For more information about the udev infrastructure, refer to the following man pages: udev General information about udev, keys, rules, and other important configuration issues. udevinfo udevinfo can be used to query device information from the udev database. udevd Information about the udev event managing daemon.
  • Page 487: File Systems In Linux

    File Systems in Linux SUSE Linux Enterprise® ships with a number of different file systems, including ReiserFS, Ext2, Ext3, and XFS, from which to choose at installation time. Each file system has its own advantages and disadvantages that can make it more suited to a scenario. Professional high-performance setups may require a different choice of file system than a home user's setup.
  • Page 488: Major File Systems In Linux

    it obsoletes the lengthy search process that checks the entire file system at system start-up. Instead, only the journal is replayed. 22.2 Major File Systems in Linux Unlike two or three years ago, choosing a file system for a Linux system is no longer a matter of a few seconds (Ext2 or ReiserFS?).
  • Page 489 directly in the B tree leaf nodes instead of being stored elsewhere and just maintaining a pointer to the actual disk location. In addition to that, storage is not allocated in chunks of 1 or 4 KB, but in portions of the exact size needed. Another benefit lies in the dynamic allocation of inodes.
  • Page 490 +found). In contrast to journaling file systems, e2fsck analyzes the entire file system and not just the recently modified bits of metadata. This takes significantly longer than checking the log data of a journaling file system. Depending on file system size, this procedure can take half an hour or more. Therefore, it is not desirable to choose Ext2 for any server that needs high availability.
  • Page 491 Ext3 in the data=journal mode offers maximum security (data integrity), but can slow down the system because both metadata and data are journaled. A relatively new approach is to use the data=ordered mode, which ensures both data and metadata integrity, but uses journaling only for metadata. The file system driver collects all data blocks that correspond to one metadata update.
  • Page 492 22.2.5 XFS Originally intended as the file system for their IRIX OS, SGI started XFS development in the early 1990s. The idea behind XFS was to create a high-performance 64-bit journaling file system to meet the extreme computing challenges of today. XFS is very good at manipulating large files and performs well on high-end hardware.
  • Page 493: Some Other Supported File Systems

    msdos    … DOS, is today used by various operating systems.
    ncpfs    File system for mounting Novell volumes over networks.
    Network File System: Here, data can be stored on any machine in a network and access may be granted via a network.
  • Page 494: Large File Support In Linux

    umsdos   UNIX on MSDOS: applied on top of a normal fat file system, achieves UNIX functionality (permissions, links, long filenames) by creating special files.
    vfat     Virtual FAT: extension of the fat file system (supports long filenames).
    ntfs     Windows NT file system, read-only.
    22.4 Large File Support in Linux Originally, Linux supported a maximum file size of 2 GB.
  • Page 495: For More Information

    File System            File Size (Bytes)   File System Size (Bytes)
    …                      8 EB                8 EB
    NFSv2 (client side)    2 GB                8 EB
    NFSv3 (client side)    8 EB                8 EB
    IMPORTANT: Linux Kernel Limits Table 22.2, “Maximum Sizes of File Systems (On-Disk Format)” (page 478) describes the limitations regarding the on-disk format.
  • Page 496 A comprehensive multipart tutorial about Linux file systems can be found at IBM developerWorks: http://www-106.ibm.com/developerworks/library/l-fs.html. A very in-depth comparison of file systems (not only Linux file systems) is available from the Wikipedia project http://en.wikipedia.org/wiki/Comparison_of_file_systems#Comparison.
  • Page 497: Manually Configuring The X Window System

    The X Window System The X Window System (X11) is the de facto standard for graphical user interfaces in UNIX. X is network-based, enabling applications started on one host to be displayed on another host connected over any kind of network (LAN or Internet). This chapter describes the setup and optimization of the X Window System environment, and provides background information about the use of fonts in SUSE Linux Enterprise®.
  • Page 498 The command sax2 creates the /etc/X11/xorg.conf file. This is the primary configuration file of the X Window System. Find all the settings here concerning your graphics card, mouse, and monitor. IMPORTANT: Using X -configure Use X -configure to configure your X setup if previous tries with SUSE Linux Enterprise's SaX2 have failed.
  • Page 499 Type Meaning The monitor used. Important elements of this section are the Monitor Identifier, which is referred to later in the Screen defini- tion, the refresh rate VertRefresh, and the synchronization frequency limits (HorizSync and VertRefresh). Settings are given in MHz, kHz, and Hz. Normally, the server refuses any modeline that does not correspond with the specification of the monitor.
  • Page 500: Screen Section

    There can be several different Monitor and Device sections in xorg.conf. Even multiple Screen sections are possible. The ServerLayout section determines which of these sections is used. 23.1.1 Screen Section The screen section combines a monitor with a device section and determines the resolution and color depth to use.
  • Page 501: Device Section

    The Modes section comprises a list of possible screen resolutions. The list is checked by the X server from left to right. For each resolution, the X server searches for a suitable Modeline in the Modes section. The Modeline depends on the capability of both the monitor and the graphics card.
  • Page 502
    Section "Device"
      BoardName    "MGA2064W"
      BusID        "0:19:0"
      Driver       "mga"
      Identifier   "Device[0]"
      VendorName   "Matrox"
      Option       "sw_cursor"
    EndSection
    The BusID refers to the PCI or AGP slot in which the graphics card is installed. This matches the ID displayed by the command lspci. The X server needs details in decimal form, but lspci displays these in hexadecimal form.
  • Page 503: Installing And Configuring Fonts

    the X server calculates appropriate values from the general synchronization values. The server layout section specifies which Monitor section is relevant. Monitor definitions should only be set by experienced users. The modelines are an important part of the Monitor sections. Modelines set horizontal and vertical timings for the respective resolution.
  • Page 504
    <!-- Font directory list -->
    <dir>/usr/share/fonts</dir>
    <dir>/usr/X11R6/lib/X11/fonts</dir>
    <dir>/opt/kde3/share/fonts</dir>
    <dir>/usr/local/share/fonts</dir>
    <dir>~/.fonts</dir>
    <dir>~/.fonts/kde-override</dir>
    <include ignore_missing="yes">suse-font-dirs.conf</include>
    /etc/fonts/suse-font-dirs.conf is automatically generated to pull in fonts that ship with (mostly third party) applications like OpenOffice.org, Java or Adobe Acrobat Reader. Some typical entries of /etc/fonts/suse-font-dirs.conf would look like the following:
    <dir>/usr/lib/ooo-2.0/share/fonts</dir>...
  • Page 505 23.2.1 X11 Core Fonts Today, the X11 core font system supports not only bitmap fonts but also scalable fonts, like Type1 fonts, TrueType, and OpenType fonts. Scalable fonts are only supported without antialiasing and subpixel rendering and the loading of large scalable fonts with glyphs for many languages may take a long time.
  • Page 506 23.2.2 Xft From the outset, the programmers of Xft made sure that scalable fonts including antialiasing are supported well. If Xft is used, the fonts are rendered by the application using the fonts, not by the X server as in the X11 core font system. In this way, the respective application has access to the actual font files and full control of how the glyphs are rendered.
  • Page 507 <match target="font"> <test name="family"> <string>Luxi Mono</string> <string>Luxi Sans</string> </test> <edit name="antialias" mode="assign"> <bool>false</bool> </edit> </match> to disable antialiasing for specific fonts. By default, most applications use the font names sans-serif (or the equivalent sans), serif, or monospace. These are not real fonts but only aliases that are re- solved to a suitable font, depending on the language setting.
  • Page 508
    fc-list ":lang=he:scalable=true" family style weight
    The output of this command could look like the following:
    FreeSansBold.ttf: FreeSans:style=Bold:weight=200
    FreeMonoBoldOblique.ttf: FreeMono:style=BoldOblique:weight=200
    FreeSerif.ttf: FreeSerif:style=Medium:weight=80
    FreeSerifBoldItalic.ttf: FreeSerif:style=BoldItalic:weight=200
    FreeSansOblique.ttf: FreeSans:style=Oblique:weight=80
    FreeSerifItalic.ttf: FreeSerif:style=Italic:weight=80
    FreeMonoOblique.ttf: FreeMono:style=Oblique:weight=80
    FreeMono.ttf: FreeMono:style=Medium:weight=80
    FreeSans.ttf: FreeSans:style=Medium:weight=80
    FreeSerifBold.ttf: FreeSerif:style=Bold:weight=200
    FreeSansBoldOblique.ttf: FreeSans:style=BoldOblique:weight=200
    FreeMonoBold.ttf: FreeMono:style=Bold:weight=200
    Important parameters that can be queried with fc-list: Table 23.2 Parameters of fc-list Parameter...
  • Page 509: For More Information

    Parameter    Meaning and Possible Values
    bitmap       true for bitmap fonts or false for other fonts.
    pixelsize    Font size in pixels. In connection with fc-list, this option only makes sense for bitmap fonts.
    23.3 For More Information Install the packages xorg-x11-doc and howtoenh to get more in-depth information on X11.
  • Page 511: Authentication With Pam

    Authentication with PAM Linux uses PAM (pluggable authentication modules) in the authentication process as a layer that mediates between user and application. PAM modules are available on a systemwide basis, so they can be requested by any application. This chapter describes how the modular authentication mechanism works and how it is configured.
  • Page 512 24.1 Structure of a PAM Configuration File Each line in a PAM configuration file contains a maximum of four columns: <Type of module> <Control flag> <Module path> <Options> PAM modules are processed as stacks. Different types of modules have different purposes, for example, one module checks the password, another one verifies the location from which the system is accessed, and yet another one reads user-specific settings.
  • Page 513: The Pam Configuration Of Sshd

    modules with the same flag are processed before the user receives a message about the failure of the authentication attempt. requisite Modules having this flag must also be processed successfully, in much the same way as a module with the required flag. However, in case of failure a module with this flag gives immediate feedback to the user and no further modules are processed.
  • Page 514 Example 24.1 PAM Configuration for sshd
    #%PAM-1.0
    auth     include   common-auth
    auth     required  pam_nologin.so
    account  include   common-account
    password include   common-password
    session  include   common-session
    # Enable the following line to get resmgr support for
    # ssh sessions (see /usr/share/doc/packages/resmgr/README.SuSE)
    #session optional pam_resmgr.so fake_ttyname
    The typical PAM configuration of an application (sshd, in this case) contains four include statements referring to the configuration files of four module types: common-auth, common-account, common-password, and common-session.
  • Page 515 modules is not successful, the entire module stack is still processed and only then is sshd notified about the negative result. As soon as all modules of the auth type have been successfully processed, another include statement is processed, in this case, that in Example 24.3, “Default Configuration for the account Section”...
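    The following script is an added example, not code from the SUSE guide or from Linux-PAM. It simulates the control-flag semantics the preceding pages describe (required keeps processing after a failure so the user learns nothing about which module rejected the attempt, requisite stops at once, sufficient short-circuits on success unless a required module already failed, optional never decides) and adds a small lint for an sshd service file. The simulator does not expand include lines, and a stack consisting only of optional modules is not modelled; the sample file and the function names are ours.

```shell
#!/bin/sh
# Added example, not from the SUSE guide: a simulator for the control-flag
# semantics described above (required, requisite, sufficient, optional) plus a
# small lint for a PAM service file. "include" lines are not expanded here.

# Read "flag result" pairs on stdin (result is "ok" or "fail"), walk the stack
# as PAM would, and print "<success|fail> <number-of-modules-run>".
pam_stack_eval() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            flag = $1; ok = ($2 == "ok"); run++
            # required: remember the failure, but keep processing the stack so
            # the caller cannot learn which module rejected the attempt
            if (flag == "required"  && !ok) failed = 1
            # requisite: fail and stop immediately
            if (flag == "requisite" && !ok) { failed = 1; exit }
            # sufficient: success ends the stack unless a required module
            # already failed; its own failure is ignored
            if (flag == "sufficient" && ok && !failed) exit
            # optional: never changes the outcome (simplification: a stack made
            # only of optional modules is not modelled)
        }
        END {
            if (run == 0) { print "fail 0"; exit }   # an empty stack never grants access
            res = failed ? "fail" : "success"
            print res, run + 0
        }
    '
}

# Flag auth lines that defeat authentication: pam_permit.so marked sufficient
# grants access unconditionally, and nullok accepts empty passwords.
pam_lint() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        $1 == "auth" && $2 == "sufficient" && $3 ~ /pam_permit\.so/ {
            print "FINDING: unconditional success: " $0
        }
        $1 == "auth" && /nullok/ { print "FINDING: empty passwords accepted: " $0 }
    '
}

pam_lint_count() {
    printf '%s\n' "$1" | pam_lint | wc -l | tr -d ' '
}

# Constructed sample: the sshd file from the guide with one dangerous line added.
SAMPLE_SSHD='#%PAM-1.0
auth     include    common-auth
auth     required   pam_nologin.so
auth     sufficient pam_permit.so
account  include    common-account
password include    common-password
session  include    common-session'

main() {
    printf 'required ok\nrequired fail\nrequired ok\n'  | pam_stack_eval   # fail 3
    printf 'requisite fail\nrequired ok\n'              | pam_stack_eval   # fail 1
    printf 'sufficient ok\nrequired fail\n'             | pam_stack_eval   # success 1
    printf 'required fail\nsufficient ok\n'             | pam_stack_eval   # fail 2
    printf '%s\n' "$SAMPLE_SSHD" | pam_lint
}

main
```

    The fourth stack is the one worth remembering: a sufficient module that succeeds after a required module has failed does not rescue the login, which is why pam_permit.so is only harmless when nothing required precedes it, and never harmless as the first sufficient entry of an auth stack.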
  • Page 516: Configuration Of Pam Modules

    .conf. The pam_limits module loads the file /etc/security/limits.conf, which may define limits on the use of certain system resources. The session modules are called a second time when the user logs out. 24.3 Configuration of PAM Modules Some of the PAM modules are configurable. The corresponding configuration files are located in /etc/security.
  • Page 517 24.3.2 pam_env.conf This file can be used to define a standardized environment for users that is set whenever the pam_env module is called. With it, preset environment variables using the following syntax: VARIABLE [DEFAULT=[value]] [OVERRIDE=[value]] VARIABLE Name of the environment variable to set. [DEFAULT=[value]] Default value the administrator wants set.
  • Page 518: For More Information

    Example 24.8 pam_pwcheck.conf
    password: nullok
    24.3.4 limits.conf System limits can be set on a user or group basis in the file limits.conf, which is read by the pam_limits module. The file allows you to set hard limits, which may not be exceeded at all, and soft limits, which may be exceeded temporarily. To learn about the syntax and the available options, read the comments included in the file.
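    The following script is an added example, not code from the SUSE guide or from pam_limits. It checks a limits.conf before pam_limits reads it, using the four-column layout (domain, type, item, value) documented in the file's own comments: it reports lines with the wrong field count, unknown item names, bad types or values, and any domain whose soft limit exceeds its hard limit, a combination setrlimit() rejects, so the limit would silently not be applied at login. The item list is the one from the limits.conf man page; the sample file and function names are ours.

```shell
#!/bin/sh
# Added example, not from the SUSE guide: sanity-check a limits.conf before
# pam_limits reads it. Reports lines with the wrong field count, unknown item
# names, bad types or values, and domains whose soft limit exceeds the hard
# limit (setrlimit() rejects soft > hard, so pam_limits would log an error at
# login instead of applying the limit).
check_limits_conf() {
    awk '
        BEGIN {
            n = split("core data fsize memlock nofile rss stack cpu nproc as", k, " ")
            for (i = 1; i <= n; i++) known[k[i]] = 1
            n = split("maxlogins maxsyslogins priority locks sigpending msgqueue nice rtprio", k, " ")
            for (i = 1; i <= n; i++) known[k[i]] = 1
        }
        { sub(/#.*/, "") }                       # strip comments, then re-split fields
        /^[ \t]*$/ { next }
        NF != 4 { print "FINDING: line " NR ": expected 4 fields: " $0; next }
        !($3 in known) { print "FINDING: line " NR ": unknown item " $3; next }
        $2 != "soft" && $2 != "hard" && $2 != "-" {
            print "FINDING: line " NR ": type must be soft, hard or -: " $2; next
        }
        $4 !~ /^(-?[0-9]+|unlimited|infinity)$/ {
            print "FINDING: line " NR ": bad value " $4; next
        }
        {
            key = $1 SUBSEP $3                   # one entry per (domain, item)
            if ($2 == "soft" || $2 == "-") soft[key] = $4
            if ($2 == "hard" || $2 == "-") hard[key] = $4
        }
        END {
            for (key in soft) {
                if (!(key in hard)) continue
                s = soft[key]; h = hard[key]
                if (h ~ /^(unlimited|infinity|-1)$/) continue
                if (s ~ /^(unlimited|infinity|-1)$/ || s + 0 > h + 0) {
                    split(key, p, SUBSEP)
                    print "FINDING: soft " s " exceeds hard " h " for " p[1] " " p[2]
                }
            }
        }
    '
}

limits_finding_count() {
    printf '%s\n' "$1" | check_limits_conf | wc -l | tr -d ' '
}

# Constructed sample with three mistakes: soft nproc above hard nproc for @dev,
# an unknown item for bob, and a missing value for carol.
SAMPLE_LIMITS='# constructed sample limits.conf
*        soft  nofile     4096
*        hard  nofile     65536
@dev     soft  nproc      100000
@dev     hard  nproc      50000
alice    -     maxlogins  4
bob      hard  foo        10
carol    soft  core'

main() {
    printf '%s\n' "$SAMPLE_LIMITS" | check_limits_conf
    echo "findings: $(limits_finding_count "$SAMPLE_LIMITS")"
}

main
```

    Run it with `check_limits_conf < /etc/security/limits.conf` after every edit. The check is deliberately stricter than pam_limits itself, which only logs a malformed line and moves on, so a typo in a hard limit meant to contain a user's process count would otherwise go unnoticed until the next login storm.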
  • Page 519: Mobile Computing With Linux

    Mobile Computing with Linux Mobile computing is mostly associated with laptops, PDAs, and cellular phones and the data exchange between them. Mobile hardware components, such as external hard disks, flash drives, or digital cameras, can be connected to laptops or desktop systems. A number of software components are involved in mobile computing scenarios and some applications are tailor-made for mobile use.
  • Page 520 25.1.1 Power Conservation The inclusion of energy-optimized system components when manufacturing laptops contributes to their suitability for use without access to the electrical power grid. Their contribution towards conservation of power is at least as important as that of the oper- ating system.
  • Page 521 25.1.2 Integration in Changing Operating Environments Your system needs to adapt to changing operating environments when used for mobile computing. A lot of services depend on the environment and the underlying clients must be reconfigured. SUSE Linux Enterprise handles this task for you. Figure 25.1 Integrating a Laptop in a Network
  • Page 522 E-Mail and Proxies As with printing, the list of the corresponding servers must be current. If your laptop is temporarily connected to a projector (beamer) or an external monitor, the different display configurations must be available. SUSE Linux Enterprise offers several ways of integrating a laptop into existing operating environments: SCPM SCPM (system configuration profile management) allows storage of arbitrary...
  • Page 523 Table 25.1 Use Cases for NetworkManager
    My computer…                                        Use NetworkManager?
    is a laptop                                         …
    is sometimes attached to different networks         …
    provides network services (such as DNS or DHCP)     …
    only uses a static IP address                       …
    Use the YaST tools to configure networking whenever NetworkManager should not handle network configuration.
  • Page 524: Software Options

    25.1.3 Software Options There are various special task areas in mobile use that are covered by dedicated software: system monitoring (especially the battery charge), data synchronization, and wireless communication with peripherals and the Internet. The following sections cover the most important applications that SUSE Linux Enterprise provides for each task.
  • Page 525: Synchronizing Data

    Figure 25.2 Monitoring the Battery State with KSysguard In the GNOME desktop, use the panel applet GNOME ACPI and the application System Monitor. Synchronizing Data When switching between working on a mobile machine disconnected from the network and working at a networked workstation in an office, it is necessary to keep processed data synchronized across all instances.
  • Page 526: Wireless Communication

    Synchronizing Files and Directories There are several utilities suitable for synchronizing data between a laptop and a workstation. For detailed information, refer to Chapter 38, File Synchronization (page 717). Wireless Communication As well as connecting to a home or office network with a cable, a laptop can also wirelessly connect to other computers, peripherals, cellular phones, or PDAs.
  • Page 527: Mobile Hardware

    wireless transmission of printing jobs in the office. Find more information about IrDA in Section 29.3, “Infrared Data Transmission” (page 584). 25.1.4 Data Security Ideally, you protect data on your laptop against unauthorized access in multiple ways. Possible security measures can be taken in the following areas: Protection against Theft Always physically secure your system against theft whenever possible.
  • Page 528: Cellular Phones And Pdas

    handling of mobile hardware items. To unmount any of these media safely, use the Eject feature of either file manager. These are described in more detail in the GNOME User Guide and KDE User Guide. External Hard Disks (USB and FireWire) As soon as an external hard disk has been correctly recognized by the system, its icon appears in My Computer (KDE) or Computer (GNOME) in the list of mounted drives.
  • Page 529: For More Information

    The support for synchronizing with handheld devices manufactured by Palm, Inc., is already built into Evolution and Kontact. Initial connection with the device is, in both cases, easily performed with the assistance of a wizard. Once the support for Palm Pilots is configured, it is necessary to determine which type of data should be synchronized (addresses, appointments, etc.).
  • Page 531 PCMCIA PCMCIA is often used to refer to the hardware itself, although the term originates from the organization that standardized all possible types of PC cards, the PC Memory Card International Association. In the beginning, PCMCIA only included PC cards (using a 16-bit bus like ISA cards), but later on CardBus cards (using a 32-bit bus) were included.
  • Page 532 26.1 Controlling PCMCIA Cards Using pccardctl Card management is normally handled by udev and hotplug without requiring any user interaction at all. The command pccardctl offers manual control of the card in case the automated process does not work flawlessly. The following is a list of the most important pccardctl commands.
  • Page 533 1. The PCMCIA bridge (or socket) must be set up properly as described in Section 26.2.1, “Bridge Initialization” (page 517). Prerequisites are: • an appropriate driver for the bridge • additional I/O and memory ranges for PC cards 2. After the bridge is properly set up, the bridge driver detects the presence of a card and triggers its initialization as described in Section 26.2.2, “Card Initialization”...
  • Page 534 a. The pcmcia_socket events trigger udev to call /sbin/hwup and load the pcmcia kernel module. b. All I/O and memory ranges specified in /etc/pcmcia/config.opts are added to the socket. c. The card services in the kernel check these ranges. If the memory ranges in /etc/pcmcia/config.opts are wrong, this step may crash your machine.
  • Page 535: Troubleshooting

    to be defective. The default setting is yes. To disable CIS loading from disk, set this variable to no. PCMCIA_ALLOW_FUNC_MATCH Linux device drivers contain a device ID table that tells drivers which devices to handle. This means that only those devices whose IDs are known to the kernel are supported.
  • Page 536 26.3.1 Machine Crashes on PCMCIA Your machine crashes when PCMCIA is started on boot. To find out what caused your machine to crash, set it up manually as described below. In carefully setting up PCMCIA manually, you can clearly identify the step or component that crashed your machine. Once the culprit has been identified, you can circumvent the problematic step or component.
  • Page 537 _mem. IMPORTANT: Identifying Faulty Default Settings If you find a faulty range in the default configuration file (/etc/pcmcia/config.opts) shipped with this product, file a bug against it in http://bugzilla.novell.com, so that developers can look into this issue. PCMCIA...
  • Page 538 26.3.2 General Suspend Issues with PCMCIA Whenever suspending your system (suspend to disk, suspend to RAM, or standby), do not plug or unplug any hardware items while the system is in suspend mode. Otherwise, the system might not resume properly. To automatically eject PCMCIA cards on suspend, proceed as follows: 1 Log in as root.
  • Page 539: System Configuration Profile Management

    System Configuration Profile Management With the help of SCPM (system configuration profile management), adapt the configuration of your computer to different operating environments or hardware configurations. SCPM manages a set of system profiles for the different scenarios. It enables easy switching between system profiles, eliminating the need for manually reconfiguring the system.
  • Page 540: Terminology

    27.1 Terminology The following are some terms used in SCPM documentation and in the YaST module. system configuration The complete configuration of the computer. It covers all fundamental settings, such as the use of hard disk partitions, network settings, time zone selection, and keyboard mappings.
  • Page 541: Setting Up Scpm

    27.2 Setting Up SCPM The following sections introduce SCPM configuration by means of a real life example: a mobile computer that is run in several different networks. The major challenges faced in this scenario are: • Varying network environments, like wireless LAN at home and Ethernet at work •...
  • Page 542: Graphical User Interface

    27.3 Configuring SCPM Using a Graphical User Interface The following sections introduce the graphical tools used for controlling your profile settings. 27.3.1 Configuring the Profile Chooser Panel Applet Before you can use Profile Chooser to control your system configuration, configure it to be started automatically on login: •...
  • Page 543 5 Set the boot mode and determine whether changes to the current profile should be saved or discarded with profile switching triggered at boot time. 6 Make sure that all resource groups needed are covered by the active selection, displayed in the Resource Groups section. If you need additional resource groups, adjust the resources with Configure Resources.
  • Page 544 5 For each user, specify whether to grant switch permissions only or whether this user should be allowed to switch, modify, and create profiles. 6 Click Finish to apply your settings and close YaST. Figure 27.2 YaST: Configure SCPM Users 27.3.3 Creating a New Profile After you have enabled SCPM, you have a profile named default that contains your current system configuration.
  • Page 545 If you selected Yes, SCPM switches to the new profile immediately after it has been created. For this example, do the following: 1 In your home setup, enable SCPM. 2 Rename the default profile to a more descriptive name by starting SUMF and selecting Profiles >...
  • Page 546: Editing A Profile

    3 Select the desired profile in the menu that opens using the arrow keys and hit Enter . SCPM runs a check for modified resources and prompts you for a confirmation of the switch. If changes have been made to the system configuration before the switch, select whether to keep them or discard them when switching to another profile.
  • Page 547 2 In the System Configuration Profile Management dialog, click Configure in the Resource Groups part of the dialog. All resource groups available on your system are listed as shown in Figure 27.3, “Configuring Resource Groups” (page 531). 3 To add or edit a resource group: 3a Set or edit Resource Group and Description.
  • Page 548 27.4 Configuring SCPM Using the Command Line This section introduces the command line configuration of SCPM. Learn how to start it, configure it, and work with profiles. 27.4.1 Starting SCPM and Defining Resource Groups SCPM must be activated before use. Activate SCPM with scpm enable. When run for the first time, SCPM is initialized, which takes a few seconds.
  • Page 549 27.4.2 Creating and Managing Profiles A profile named default already exists after SCPM has been activated. Get a list of all available profiles with scpm list. This one existing profile is also the active one, which can be verified with scpm active. The profile default is a basic configuration from which the other profiles are derived.
  • Page 550 Checking for dependencies Restoring profile default SCPM then compares the current system configuration with the profile to which to switch. In this phase, SCPM evaluates which system services need to be stopped or restarted due to mutual dependencies or to reflect the changes in configuration. This is like a partial system reboot that concerns only a small part of the system while the rest continues operating without change.
  • Page 551: Troubleshooting

    WARNING: Integrating a Custom Script Additional scripts to be executed by SCPM must be made readable and executable for the superuser (root). Access to these files must be blocked for all other users. Enter the commands chmod 700 filename and chown root:root filename to give root exclusive permissions to the files.
  • Page 552: For More Information

    27.5.2 Termination During the Switch Process Sometimes SCPM stops working during a switch procedure. This may be caused by some outside effect, such as a user abort, a power failure, or even an error in SCPM itself. If this happens, an error message stating SCPM is locked appears the next time you start SCPM.
  • Page 553: Power Management

    Power Management Power management is especially important on laptop computers, but is also useful on other systems. Two technologies are available: APM (advanced power management) and ACPI (advanced configuration and power interface). In addition to these, it is also possible to control CPU frequency scaling to save power or decrease noise. These options can be configured manually or using a special YaST module.
  • Page 554 Standby This operating mode turns off the display. On some computers, the processor performance is throttled. This function corresponds to the ACPI state S1 or S2. Suspend (to memory) This mode writes the entire system state to the RAM. Subsequently, the entire system except the RAM is put to sleep.
  • Page 555 putting the processor to sleep (C states). Depending on the operating mode of the computer, these methods can also be combined. 28.2 APM Some of the power saving functions are performed by the APM BIOS itself. On many laptops, standby and suspend states can be activated with key combinations or by closing the lid without any special operating system function.
  • Page 556: Acpi

    (no-)power-off Power system off after shutdown. bounce-interval=n Time in hundredths of a second after a suspend event during which additional suspend events are ignored. idle-threshold=n System inactivity percentage from which the BIOS function idle is executed (0=always, 100=never). idle-period=n Time in hundredths of a second after which the system activity is measured. The APM daemon (apmd) is no longer used.
  • Page 557 Subsequently, a number of modules must be loaded. This is done by the start script of acpid. If any of these modules cause problems, the respective module can be excluded from loading or unloading in /etc/sysconfig/powersave/common. The system log (/var/log/messages) contains the messages of the modules, enabling you to see which components were detected.
  • Page 558 /proc/acpi/ac_adapter/AC/state Shows whether the AC adapter is connected. /proc/acpi/battery/BAT*/{alarm,info,state} Detailed information about the battery state. The charge level is read by comparing the last full capacity from info with the remaining capacity from state. A more comfortable way to do this is to use one of the special programs introduced in Section 28.3.3, “ACPI Tools”...
  • Page 559 /proc/acpi/thermal_zone/ A separate subdirectory exists for every thermal zone. A thermal zone is an area with similar thermal properties whose number and names are designated by the hardware manufacturer. However, many of the possibilities offered by ACPI are rarely implemented. Instead, the temperature control is handled conventionally by the BIOS.
  • Page 560 28.3.2 Controlling the CPU Performance The CPU can save energy in three ways. Depending on the operating mode of the computer, these methods can be combined. Saving energy also means that the system heats up less and the fans are activated less frequently. Frequency and Voltage Scaling PowerNow! and Speedstep are the designations AMD and Intel use for this technology.
  • Page 561 performance governor The CPU frequency is statically set to the highest possible. Throttling the Clock Frequency This technology omits a certain percentage of the clock signal impulses for the CPU. At 25% throttling, every fourth impulse is omitted. At 87.5%, only every eighth impulse reaches the processor.
  • Page 562 28.3.3 ACPI Tools The range of more or less comprehensive ACPI utilities includes tools that merely display information, like the battery charge level and the temperature (acpi, klaptopdaemon, wmacpimon, etc.), tools that facilitate the access to the structures in /proc/acpi or that assist in monitoring changes (akpi, acpiw, gtkacpiw), and tools for editing the ACPI tables in the BIOS (package pmtools).
  • Page 563: Rest For The Hard Disk

    Monitor the boot messages of the system with the command dmesg | grep -2i acpi (or all messages, because the problem may not be caused by ACPI) after booting. If an error occurs while parsing an ACPI table, the most important table—the DSDT—can be replaced with an improved version.
  • Page 564 The hdparm application can be used to modify various hard disk settings. The option -y instantly switches the hard disk to the standby mode. -Y puts it to sleep. hdparm -S x causes the hard disk to be spun down after a certain period of inactivity. Replace x as follows: 0 disables this mechanism, causing the hard disk to run continuously.
  • Page 565: The Powersave Package

    28.5 The powersave Package The powersave package cares about all the previously-mentioned power saving functions. Due to the increasing demand for lower energy consumption in general, some of its features are also important on workstations and servers, such as suspend, standby, or CPU frequency scaling.
  • Page 566 • dethrottle • suspend_to_disk • suspend_to_ram • standby • do_suspend_to_disk • do_suspend_to_ram • do_standby • notify • screen_saver • reread_cpu_capabilities throttle slows down the processor by the value defined in MAX_THROTTLING. This value depends on the current scheme. dethrottle sets the processor to full performance.
  • Page 567 If, for example, the variable EVENT_GLOBAL_SUSPEND2DISK="prepare_suspend_to_disk do_suspend_to_disk" is set, the two scripts or actions are processed in the specified order as soon as the user gives powersaved the command for the sleep mode suspend to disk. The daemon runs the external script /usr/lib/powersave/scripts/prepare_suspend_to_disk.
  • Page 568 /etc/sysconfig/powersave/disk This configuration file controls the actions and settings made regarding the hard disk. /etc/sysconfig/powersave/scheme_* These are the various schemes that adapt the power consumption to certain deployment scenarios. A number of schemes are preconfigured and can be used as they are.
  • Page 569 Make sure that the following default options are set in the file /etc/sysconfig/powersave/events for the correct processing of suspend, standby, and resume (default settings following the installation of SUSE Linux Enterprise): EVENT_GLOBAL_SUSPEND2DISK= "prepare_suspend_to_disk screen_saver do_suspend_to_disk" EVENT_GLOBAL_SUSPEND2RAM= "prepare_suspend_to_ram screen_saver do_suspend_to_ram" EVENT_GLOBAL_STANDBY= "prepare_standby screen_saver do_standby"...
  • Page 570 The actions to execute when the computer is disconnected from or connected to the AC power supply are defined in /etc/sysconfig/powersave/events. Select the schemes to use in /etc/sysconfig/powersave/common: AC_SCHEME="performance" BATTERY_SCHEME="powersave" The schemes are stored in files in /etc/sysconfig/powersave. The filenames are in the format scheme_name-of-the-scheme.
  • Page 571 Further throttling of the CPU performance is possible if the CPU load does not exceed a specified limit for a specified time. Specify the load limit in PROCESSOR_IDLE_LIMIT and the time-out in CPU_IDLE_TIMEOUT. If the CPU load stays below the limit longer than the time-out, the event configured in EVENT_PROCESSOR_IDLE is activated.
  • Page 572 3 Copy the file DSDT.aml to any location (/etc/DSDT.aml is recommended). Edit /etc/sysconfig/kernel and adapt the path to the DSDT file accordingly. Start mkinitrd (package mkinitrd). Whenever you install the kernel and use mkinitrd to create an initrd, the modified DSDT is integrated and loaded when the system is booted.
  • Page 573: The Yast Power Management Module

    variable. If an application accesses the remotely mounted file system prior to a suspend or standby, the service cannot be stopped correctly and the file system cannot be unmounted properly. After resuming the system, the file system may be corrupt and must be remounted.
  • Page 574 Figure 28.1 Scheme Selection In this dialog, select the schemes to use for battery operation and AC operation. To add or modify the schemes, click Edit Schemes, which opens an overview of the existing schemes like that shown in Figure 28.2, “Overview of Existing Schemes” (page 558).
  • Page 575 In the scheme overview, select the scheme to modify then click Edit. To create a new scheme, click Add. The dialog that opens is the same in both cases and is shown in Figure 28.3, “Configuring a Scheme” (page 559). Figure 28.3 Configuring a Scheme First, enter a suitable name and description for the new or edited scheme.
  • Page 576 Figure 28.4 Battery Charge Level The BIOS of your system notifies the operating system whenever the charge level drops under certain configurable limits. In this dialog, define three limits: Warning Capacity, Low Capacity, and Critical Capacity. Specific actions are triggered when the charge level drops under these limits.
  • Page 577 Figure 28.5 ACPI Settings Access the dialog for configuring the ACPI buttons using ACPI Settings. It is shown Figure 28.5, “ACPI Settings” (page 561). The settings for the ACPI buttons determine how the system should respond to certain switches. Configure the system response to pressing the power button, pressing the sleep button, and closing the laptop lid.
  • Page 579: Wireless Communication

    Wireless Communication There are several possibilities for using your Linux system to communicate with other computers, cellular phones, or peripheral devices. WLAN (wireless LAN) can be used to network laptops. Bluetooth can be used to connect individual system components (mouse, keyboard), peripheral devices, cellular phones, PDAs, and individual computers with each other.
  • Page 580 Table 29.1 Overview of Various WLAN Standards Name Band (GHz) Maximum Transmission Rate (Mbit/s) Note 802.11 Outdated; virtually no end devices available 802.11b Widespread 802.11a Less common 802.11g Backward-compatible with Additionally, there are proprietary standards, like the 802.11b variation of Texas Instruments with a maximum transmission rate of 22 Mbit/s (sometimes referred to as 802.11b+).
  • Page 581: Operating Mode

    • Texas Instruments ACX100, ACX111 • ZyDAS zd1201 A number of older cards that are rarely used and no longer available are also supported. An extensive list of WLAN cards and the chips they use is available at the Web site of AbsoluteValue Systems at http://www.linux-wlan.org/docs/wlan_adapters.html.gz.
  • Page 582 However, because WEP has proven to be insecure (see Section “Security” (page 572)), the WLAN industry (joined under the name Wi-Fi Alliance) has defined a new extension called WPA, which is supposed to eliminate the weaknesses of WEP. The later IEEE 802.11i standard (also referred to as WPA2, because WPA is based on a draft version 802.11i) includes WPA and some other authentication and encryption methods.
  • Page 583 terprises. In private networks, it is scarcely used. For this reason, WPA-EAP is sometimes referred to as WPA “Enterprise”. WPA-EAP needs a Radius server to authenticate users. EAP offers three different methods for connecting and authenticating to the server: TLS (Transport Layer Security), TTLS (Tunneled Transport Layer Security), and PEAP (Protected Extensible Authentication Protocol).
  • Page 584 CCMP (defined in IEEE 802.11i) CCMP describes the key management. Usually, it is used in connection with WPA-EAP, but it can also be used with WPA-PSK. The encryption takes place according to AES and is stronger than the RC4 encryption of the WEP standard. 29.1.3 Configuration with YaST To configure your wireless network card, start the YaST Network Card module.
  • Page 585 Network Name (ESSID) All stations in a wireless network need the same ESSID for communicating with each other. If nothing is specified, the card automatically selects an access point, which may not be the one you intended to use. Authentication Mode Select a suitable authentication method for your network: Open, Shared Key, WPA- PSK, or WPA-EAP.
  • Page 586 cording to the length previously specified. ASCII requests an input of 5 characters for a 64-bit key and 13 characters for a 128-bit key. For Hexadecimal, enter 10 characters for a 64-bit key or 26 characters for a 128-bit key in hexadecimal notation. WPA-PSK To enter a key for WPA-PSK, select the input method Passphrase or Hexadecimal.
  • Page 587 system tries to use the highest possible data transmission rate. Some WLAN cards do not support the setting of bit rates. Access Point In an environment with several access points, one of them can be preselected by specifying the MAC address. 29.1.4 Utilities hostap (package hostap) is used to run a WLAN card as an access point.
  • Page 588 Security If you want to set up a wireless network, remember that anybody within the transmission range can easily access it if no security measures are implemented. Therefore, be sure to activate an encryption method. All WLAN cards and access points support WEP encryption.
  • Page 589: Bluetooth

    to use WPA, read /usr/share/doc/packages/wireless-tools/README.prism2. WPA support is quite new in SUSE Linux Enterprise and still under development. Thus, YaST does not support the configuration of all WPA authentication methods. Not all wireless LAN cards and drivers support WPA. Some cards need a firmware update to enable WPA.
  • Page 590 29.2.1 Basics The following sections outline the basic principles of how Bluetooth works. Learn which software requirements need to be met, how Bluetooth interacts with your system, and how Bluetooth profiles work. Software To be able to use Bluetooth, you need a Bluetooth adapter (either a built-in adapter or an external device), drivers, and a Bluetooth protocol stack.
  • Page 591 the respective daemons are started. Bluetooth adapters are probed upon installation. If one or more are found, Bluetooth is enabled. Otherwise the Bluetooth system is deactivated. Any Bluetooth device added later must be enabled manually. Profiles In Bluetooth, services are defined by means of profiles, such as the file transfer profile, the basic printing profile, and the personal area network profile.
  • Page 592 Figure 29.2 YaST Bluetooth Configuration In the first step of the configuration, determine whether Bluetooth services should be started on your system. If you have enabled the Bluetooth services, two things can be configured. First, the Device Name. This is the name other devices display when your computer has been discovered.
  • Page 593 to open a dialog in which to specify additional arguments for the selected service (daemon). Do not change anything unless you are familiar with the service. After completing the configuration of the daemons, exit this dialog by clicking OK. Back in the main dialog, click Security Options to enter the security dialog and specify encryption, authentication, and scan settings.
  • Page 594 A PIN number provides basic protection against unwanted connections. Mobile phones usually query the PIN when establishing the first contact (or when setting up a device contact on the phone). For two devices to be able to communicate, both must identify themselves with the same PIN.
  • Page 595 tivate both hcid and sdpd with rcbluetooth start. This command must be executed as root. The following paragraphs briefly describe the most important shell tools that can be used for working with Bluetooth. Although various graphical components are now available for controlling Bluetooth, it can be worthwhile to check these programs.
  • Page 596 sdptool Use sdptool to check which services are made available by a specific device. The command sdptool browse device_address returns all services of a device. Use sdptool search service_code to search for a specific service. This command scans all accessible devices for the requested service. If one of the devices offers the service, the program prints the full service name returned by the device together with a brief description.
  • Page 597 focuses on the Bluetooth-specific actions and does not provide a detailed explanation of the network command ip. Enter pand -s to start pand on the host H1. Subsequently, establish a connection on the host H2 with pand -c baddr1. If you enter ip link show on one of the hosts to list the available network interfaces, the output should contain an entry like the following: bnep0: <BROADCAST,MULTICAST>...
  • Page 598 opd daemon from the bluez-utils package. Start the daemon with the following command: opd --mode OBEX --channel 10 --daemonize --path /tmp --sdp Two important parameters are used: --sdp registers the service with sdpd and --path /tmp instructs the program where to save the received data—in this case to /tmp. You can also specify any other directory to which you have write access.
  • Page 599 Does your Bluetooth adapter need a firmware file? If it does, install bluez-bluefw and restart the Bluetooth system with rcbluetooth restart. Does the output of hcitool inq return other devices? Test this command more than once. The connection may have interferences, because the frequency band of Bluetooth is also used by other devices.
  • Page 600: Infrared Data Transmission

    If you have installed the bluez-hcidump package, you can use hcidump -X to check what is sent between the devices. Sometimes the output helps give a hint where the problem is, but be aware of the fact that it is only partly in “clear text.” 29.2.7 For More Information Some additional (last-minute) documentation can be found in /usr/share/doc/packages/bluez-utils/ (German and English versions available).
  • Page 601 29.3.1 Software The necessary kernel modules are included in the kernel package. The package irda provides the necessary helper applications for supporting the infrared interface. Find the documentation at /usr/share/doc/packages/irda/README after the installation of the package. 29.3.2 Configuration The IrDA system service is not started automatically when the system is booted. Use the YaST IrDA module for activation.
  • Page 602 manually doing the following: Click Add > Directly Connected Printers. Select IrDA Printer and click Next to configure the printer device. Usually, irlpt0 is the right connection. Click Finish to apply your settings. Details about operating printers in Linux are available in Chapter 20, Printer Operation (page 439).
  • Page 603: Managing Umts/3G Network Connections

    sometimes used. These settings can be checked and modified in the BIOS setup menu of almost every laptop. A simple video camera can also help in determining whether the infrared LED lights up at all. Most video cameras can see infrared light; the human eye cannot. 29.4 Managing UMTS/3G Network Connections Universal Mobile Telecommunications System (UMTS), also known as 3G, is a cell...
  • Page 604 Figure 29.3 UMTSmon Main Window If you do not want to enter your PIN each time, you can also disable the PIN protection for your card. To do so, select PIN-Settings > Disable PIN and enter your PIN to confirm. If you need or want to change the PIN, select PIN-Settings >...
  • Page 605 3 Enter the APN (Access Point Name), Username and Password you got from your provider and click Save. 4 If you have created several profiles, select one from the list and Set As Active. 5 To remove a profile from the list, select it and click Delete Profile. You can also define or limit the type of connections to be used (UMTS/GSM/GPRS).
  • Page 606 29.4.2 Monitoring UMTS/3G Network Connections To connect to an existing network, select Connection > Connect or click the Connect with default profile icon in the toolbar. After the connection has been established, the UMTSmon main window shows the signal strength and the traffic, depending on the type of card you use.
  • Page 607 Note that the current user needs to be in the dialout group to be able to connect to a network. After restarting UMTSmon, the user should now be able to establish a network connection. Does /etc/sysconfig/network contain a file named ifcfg-raw0? This file is needed to establish a connection with smpppd.
  • Page 609: Part Iv Services

    Part IV. Services...
  • Page 611: Basic Networking

    Basic Networking Linux offers the necessary networking tools and features for integration into all types of network structures. The customary Linux protocol, TCP/IP, has various services and special features, which are discussed here. Network access using a network card, modem, or other device can be configured with YaST.
  • Page 612 Table 30.1 Several Protocols in the TCP/IP Protocol Family Protocol Description Transmission Control Protocol: A connection-oriented secure protocol. The data to transmit is first sent by the application as a stream of data then converted by the operating system to the appropriate format. The data arrives at the respective application on the destination host in the original data stream format in which it was initially sent.
  • Page 613 Figure 30.1 Simplified Layer Model for TCP/IP (hosts sun and earth; layers: Application Layer (applications), Transport Layer (TCP, UDP), Network Layer, Data Link Layer (Ethernet, FDDI, ISDN), Physical Layer (cable, fiberglass); data transfer between the hosts) The diagram provides one or two examples for each layer.
  • Page 614: Ip Addresses And Routing

    located at the end of the packet, not at the beginning. This simplifies things for the network hardware. Figure 30.2 TCP/IP Ethernet Packet: usage data (maximum 1460 bytes); TCP (layer 4) protocol header (approx. 20 bytes); IP (layer 3) protocol header (approx. 20 bytes); Ethernet (layer 2) protocol header (approx.
  • Page 615 30.1.1 IP Addresses Every computer on the Internet has a unique 32-bit address. These 32 bits (or 4 bytes) are normally written as illustrated in the second row in Example 30.1, “Writing IP Addresses” (page 599). Example 30.1 Writing IP Addresses IP Address (binary): 11000000 10101000 00000000 00010100 IP Address (decimal):...
  • Page 616 Example 30.2 Linking IP Addresses to the Netmask
    IP address (192.168.0.20): 11000000 10101000 00000000 00010100
    Netmask (255.255.255.0): 11111111 11111111 11111111 00000000
    ---------------------------------------------------------------
    Result of the link: 11000000 10101000 00000000 00000000
    In the decimal system: 192. 168.
    IP address (213.95.15.200): 11010101 10111111 00001111 11001000
    Netmask (255.255.255.0): 11111111 11111111 11111111 00000000
    ---------------------------------------------------------------...
  • Page 617 Address Type Description ample therefore results in 192.168.0.255. This address cannot be assigned to any hosts. Local Host The address 127.0.0.1 is assigned to the “loopback device” on each host. A connection can be set up to your own machine with this address.
  • Page 618 number of addresses available in your subnet is two to the power of the number of bits, minus two. A subnetwork has, for example, 2, 6, or 14 addresses available. To connect 128 hosts to the Internet, for example, you need a subnetwork with 256 IP addresses, from which only 254 are usable, because two IP addresses are needed for the structure of the subnetwork itself: the broadcast and the base network address.
  • Page 619 any intervention on the administrator's part and there is no need to maintain a central server for address allocation—an additional advantage over IPv4, where automatic address allocation requires a DHCP server. Mobility IPv6 makes it possible to assign several addresses to one network interface at the same time.
  • Page 620 30.2.2 Address Types and Structure As mentioned, the current IP protocol is lacking in two important aspects: there is an increasing shortage of IP addresses and configuring the network and maintaining the routing tables is becoming a more complex and burdensome task. IPv6 solves the first problem by expanding the address space to 128 bits.
  • Page 621 shorthand notation is shown in Example 30.3, “Sample IPv6 Address” (page 605), where all three lines represent the same address. Example 30.3 Sample IPv6 Address fe80 : 0000 : 0000 : 0000 : 0000 : 10 : 1000 : 1a4 fe80 : 0 : 10 : 1000 : 1a4 fe80 :...
  • Page 622 Prefix (hex) / Definition:
    fe80::/10: Link-local addresses. Addresses with this prefix should not be routed and should therefore only be reachable from within the same subnetwork.
    fec0::/10: Site-local addresses. These may be routed, but only within the network of the organization to which they belong. In effect, they are the IPv6 equivalent of the current private network address space, such as 10.x.x.x.
  • Page 623 ::1 (loopback) The address of the loopback device. IPv4 Compatible Addresses The IPv6 address is formed by the IPv4 address and a prefix consisting of 96 zero bits. This type of compatibility address is used for tunneling (see Section 30.2.3, “Coexistence of IPv4 and IPv6”...
  • Page 624 For a host to go back and forth between different networks, it needs at least two addresses. One of them, the home address, not only contains the interface ID but also an identifier of the home network to which it normally belongs (and the corresponding prefix). The home address is a static address and, as such, it does not normally change.
  • Page 625 6over4 IPv6 packets are automatically encapsulated as IPv4 packets and sent over an IPv4 network capable of multicasting. IPv6 is tricked into seeing the whole network (Internet) as a huge local area network (LAN). This makes it possible to determine the receiving end of the IPv4 tunnel automatically.
  • Page 626: Name Resolution

    30.2.5 For More Information The above overview does not cover the topic of IPv6 comprehensively. For a more in-depth look at the new protocol, refer to the following online documentation and books: http://www.ipv6.org/ The starting point for everything about IPv6. http://www.ipv6day.org All information needed to start your own IPv6 network.
  • Page 627 TLD assignment has become quite confusing for historical reasons. Traditionally, three-letter domain names are used in the USA. In the rest of the world, the two-letter ISO national codes are the standard. In addition to that, longer TLDs were introduced in 2000 that represent certain spheres of activity (for example, .info, .name, .museum).
  • Page 628 30.4 Configuring a Network Connection with YaST There are many supported networking types on Linux. Most of them use different device names and the configuration files are spread over several locations in the file system. For a detailed overview of the aspects of manual network configuration, see Section 30.6, “Configuring a Network Connection Manually”...
  • Page 629 Figure 30.3 Configuring a Network Card Changing the Configuration of a Network Card To change the configuration of a network card, select a card from the list of the detected cards in the YaST network card configuration module and click Edit. The Network Address Setup dialog appears in which to adjust the card configuration using the Address and General tabs.
  • Page 630 DHCP is a good choice for client configuration but it is not ideal for server configuration. To set a static IP address, proceed as follows: 1 Select a card from the list of detected cards in the YaST network card configuration module and click Edit.
  • Page 631 Configuring Hostname and DNS If you did not change the network configuration during installation and the wired card was available, a hostname was automatically generated for your computer and DHCP was activated. The same applies to the name service information your host needs to integrate into a network environment.
  • Page 632 1 Select a card from the list of detected cards in the YaST network card configuration module and click Edit. 2 In the Address tab, click Routing. 3 Enter the IP of the Default Gateway. 4 Click OK. 5 Click Next. 6 To activate the configuration, click Finish.
  • Page 633 Starting the Device If you use the traditional method with ifup, you can configure your device to start during boot, on cable connection, on card detection, manually, or never. To change device start-up, proceed as follows: 1 Select a card from the list of detected cards in the YaST network card configuration module and click Edit.
  • Page 634 from the internal network and from the Internet, but cannot access the internal network. External Zone The firewall is run on this interface and fully protects it against other (presumably hostile) network traffic. This is the default option. 4 Click Next. 5 Activate the configuration by clicking Finish.
  • Page 635 If you selected Wireless as the device type of the interface, configure the wireless connection in the next dialog. Detailed information about wireless device configuration is available in Section 29.1, “Wireless LAN” (page 563). 5 In the General tab, set the Firewall Zone and Device Activation. With User Controlled, grant connection control to ordinary users.
  • Page 636 Figure 30.4 Modem Configuration If behind a private branch exchange (PBX), you may need to enter a dial prefix. This is often a zero. Consult the instructions that came with the PBX to find out. Also select whether to use tone or pulse dialing, whether the speaker should be on, and whether the modem should wait until it detects a dial tone.
  • Page 637 In the last dialog, specify additional connection options: Dial on Demand If you enable dial on demand, set at least one name server. Modify DNS when Connected This option is enabled by default, with the effect that the name server address is updated each time you connect to the Internet.
  • Page 638 30.4.3 ISDN Use this module to configure one or several ISDN cards for your system. If YaST did not detect your ISDN card, click Add and manually select it. Multiple interfaces are possible, but several ISPs can be configured for one interface. In the subsequent dialogs, set the ISDN options necessary for the proper functioning of the card.
  • Page 639 In the next dialog, specify the interface type for your ISDN card and add ISPs to an existing interface. Interfaces may be either the SyncPPP or the RawIP type, but most ISPs operate in the SyncPPP mode, which is described below. Figure 30.6 ISDN Interface Configuration The number to enter for My Phone Number depends on your particular setup: ISDN Card Directly Connected to Phone Outlet...
  • Page 640 Use one of the internal numbers as your MSN. You should be able to use at least one of the exchange's MSNs that have been enabled for direct outward dialing. If this does not work, try a single zero. For further information, consult the documentation that came with your phone exchange.
  • Page 641 after which the connection should be automatically terminated. Confirm your settings with Next. YaST displays a summary of the configured interfaces. To make all these settings active, select Finish. 30.4.4 Cable Modem In some countries, such as Austria and the US, it is quite common to access the Internet through the TV cable network.
  • Page 642 tion 30.4.1, “Configuring the Network Card with YaST” (page 612)). In the case of a DSL link, addresses may be assigned automatically but not via DHCP, which is why you should not enable the option Automatic address setup (via DHCP). Instead, enter a static dummy address for the interface, such as 192.168.22.1.
  • Page 643: Managing Network Connections With Networkmanager

    following paragraphs. For details on the available options, read the detailed help available from the dialogs. To use Dial on Demand on a stand-alone workstation, also specify the name server (DNS server). Most ISPs support dynamic DNS—the IP address of a name server is sent by the ISP each time you connect.
  • Page 644 • Your computer is a Xen server or your system is a virtual system inside Xen. • You want to use SCPM for network configuration management. To use SCPM and NetworkManager at the same time, SCPM cannot control network resources. See Section 27.5.1, “SCPM and NetworkManager”...
  • Page 645 connections without requiring root privileges. For this reason, NetworkManager is the ideal solution for a mobile workstation. Traditional configuration with ifup also provides some ways to switch, stop, or start the connection with or without user intervention, like user-managed devices, but it always requires root privileges to change or configure a network device.
  • Page 646: Configuring A Network Connection Manually

    30.6 Configuring a Network Connection Manually Manual configuration of the network software should always be the last alternative. Using YaST is recommended. However, this background information about the network configuration can also assist your work with YaST. All built-in network cards and hotplug network cards (PCMCIA, USB, some PCI cards) are detected and configured via hotplug.
  • Page 647 To assign a certain network configuration to any card of a certain type (of which only one is inserted at a time) instead of a certain card, select less specific configuration names. For example, bus-pcmcia would be used for all PCMCIA cards. On the other hand, the names can be limited by a preceding interface type.
  • Page 648 ifup requires an existing interface, because it does not initialize the hardware. The initialization of the hardware is handled by the command hwup (executed by hotplug or coldplug). When a device is initialized, ifup is automatically executed for the new interface via hotplug and the interface is set up if the start mode is onboot, hotplug, or auto and the network service was started.
  • Page 649: Configuration Files

    30.6.1 Configuration Files This section provides an overview of the network configuration files and explains their purpose and the format used. /etc/sysconfig/hardware/hwcfg-* These files contain the hardware configurations of network cards and other devices. They contain the needed parameters, such as the kernel module, start mode, and script associations.
  • Page 650
    # Destination   Dummy/Gateway   Netmask           Device
    127.0.0.0       0.0.0.0         255.255.255.0
    204.127.235.0   0.0.0.0         255.255.255.0     eth0
    default         204.127.235.41  0.0.0.0           eth0
    207.68.156.51   207.68.145.45   255.255.255.255   eth1
    192.168.0.0     207.68.156.51   255.255.0.0       eth1
    The route's destination is in the first column. This column may contain the IP address of a network or host or, in the case of reachable name servers, the fully qualified network or hostname.
  • Page 651 Example 30.5 /etc/resolv.conf
    # Our domain
    search example.com
    # We use sun (192.168.0.20) as nameserver
    nameserver 192.168.0.20
    Some services, like pppd (wvdial), ipppd (isdn), dhcp (dhcpcd and dhclient), pcmcia, and hotplug, modify the file /etc/resolv.conf by means of the script modify_resolvconf. If the file /etc/resolv.conf has been temporarily modified by this script, it contains a predefined comment giving information about the service that modified it, the location where the original file has been backed up, and how to turn off the automatic modification mechanism.
  • Page 652 Example 30.6 /etc/hosts
    127.0.0.1 localhost
    192.168.0.20 sun.example.com sun
    192.168.0.1 earth.example.com earth
    /etc/networks Here, network names are converted to network addresses. The format is similar to that of the hosts file, except the network names precede the addresses. See Example 30.7, “/etc/networks”...
  • Page 653 multi on/off Defines if a host entered in /etc/hosts can have multiple IP addresses. nospoof on, spoofalert on/off These parameters influence name server spoofing but, apart from that, do not exert any influence on the network configuration. trim domainname The specified domain name is separated from the hostname after hostname resolution (as long as the hostname includes the domain name).
  • Page 654 Example 30.9 /etc/nsswitch.conf
    passwd: compat
    group: compat
    hosts: files dns
    networks: files dns
    services: db files
    protocols: db files
    netgroup: files
    automount: files nis
    The “databases” available over NSS are listed in Table 30.7, “Databases Available via /etc/nsswitch.conf” (page 638). In addition, automount, bootparams, netmasks, and publickey are expected in the near future.
  • Page 655 protocols Network protocols, used by getprotoent; see the protocols(5) man page. Remote procedure call names and addresses, used by getrpcbyname and similar functions. services Network services, used by getservent. shadow Shadow passwords of users, used by getspnam; see the shadow(5) man page. Table 30.8 Configuration Options for NSS “Databases”...
  • Page 656 /etc/HOSTNAME This contains the hostname without the domain name attached. This file is read by several scripts while the machine is booting. It may only contain one line in which the hostname is set. 30.6.2 Testing the Configuration Before you write your configuration to the configuration files, you can test it. To set up a test configuration, use the ip command.
  • Page 657 maddress This object represents a multicast address. mroute This object represents a multicast routing cache entry. tunnel This object represents a tunnel over IP. If no command is given, the default command is used, usually list. Change the state of a device with the command ip link set device_name command.
  • Page 658 to the destination host, requesting an immediate reply. If this works, ping displays a message to that effect, which indicates that the network link is basically functioning. ping does more than test only the function of the connection between two computers: it also provides some basic information about the quality of the connection.
  • Page 659 Configuring the Network with ifconfig ifconfig is a traditional network configuration tool. In contrast to ip, you can use it only for interface configuration. If you want to configure routing, use route. NOTE: ifconfig and ip The program ifconfig is obsolete. Use ip instead. Without arguments, ifconfig displays the status of the currently active interfaces.
  • Page 660 Configuring Routing with route route is a program for manipulating the IP routing table. You can use it to view your routing configuration and add or remove routes. NOTE: route and ip The program route is obsolete. Use ip instead. route is especially useful if you need quick and comprehensible information about your routing configuration to determine problems with routing.
  • Page 661: Smpppd As Dial-Up Assistant

    no network interfaces are implemented when they are inserted via hotplug. /etc/init.d/inetd Starts xinetd. xinetd can be used to make server services available on the system. For example, it can start vsftpd whenever an FTP connection is initiated. /etc/init.d/portmap Starts the portmapper needed for the RPC server, such as an NFS server.
  • Page 662 also be controlled by way of the network, it is suitable for controlling dial-up connections to the Internet from a workstation in a private subnetwork. 30.7.1 Configuring smpppd The connections provided by smpppd are automatically configured by YaST. The actual dial-up programs KInternet and cinternet are also preconfigured.
  • Page 663 30.7.2 Configuring KInternet, cinternet, and qinternet for Remote Use KInternet, cinternet, and qinternet can be used to control a local or remote smpppd. cinternet is the command-line counterpart of the graphical KInternet. qinternet is basically the same as KInternet, but does not use the KDE libraries, so it can be used without KDE and must be installed separately.
  • Page 665: Slp Services In The Network

    SLP Services in the Network The service location protocol (SLP) was developed to simplify the configuration of networked clients within a local network. To configure a network client, including all required services, the administrator traditionally needs detailed knowledge of the servers available in the network.
  • Page 666: Providing Services With Slp

    rcslpd start as root to start it and rcslpd stop to stop it. Perform a restart or status check with restart or status. If slpd should be active by default, enable slpd in YaST System > System Services (Runlevel) or run the insserv slpd command once as root.
  • Page 667 Static Registration with /etc/slp.reg.d Create a separate registration file for each new service. The following is an example of a file for registering a scanner service:
    ## Register a saned service on this system
    ## en means english language
    ## 65535 disables the timeout, so the service registration does
    ## not need refreshes
    service:scanner.sane://$HOSTNAME:6566,en,65535
    watch-port-tcp=6566...
  • Page 668: For More Information

    31.4 For More Information The following sources provide further information about SLP: RFC 2608, 2609, 2610 RFC 2608 generally deals with the definition of SLP. RFC 2609 deals with the syntax of the service URLs used in greater detail and RFC 2610 deals with DHCP via SLP.
  • Page 669: Time Synchronization With Ntp

    Time Synchronization with NTP The NTP (network time protocol) mechanism is a protocol for synchronizing the system time over the network. First, a machine can obtain the time from a server that is a reliable time source. Second, a machine can itself act as a time source for other computers in the network.
  • Page 670: Configuring An Ntp Client With Yast

    32.1 Configuring an NTP Client with YaST xntp is preset to use the local computer clock as a time reference. Using the (BIOS) clock, however, only serves as a fallback for the case that no time source of greater precision is available. YaST facilitates the configuration of an NTP client. For a system that is not running a firewall, use either the quick or advanced configuration.
  • Page 671 In the detailed server selection dialog, determine whether to implement time synchronization using a time server from your local network (Local NTP Server) or an Internet-based time server that takes care of your time zone (Public NTP Server). For a local time server, click Lookup to start an SLP query for available time servers in your network.
  • Page 672 mising the entire system. Configure NTP Daemon via DHCP sets up the NTP client to get a list of the NTP servers available in your network via DHCP. Enable Open Port in Firewall if SuSEfirewall is active, which it is by default. If you leave the port closed, it is not possible to establish a connection to the time server.
  • Page 673: Configuring Xntp In The Network

    Incoming Broadcast If you want your client to receive its information via broadcast, enter the address from which the respective packets should be accepted in this field. 32.2 Configuring xntp in the Network The easiest way to use a time server in the network is to set server parameters. For example, if a time server called ntp.example.com is reachable from the network, add its name to the file /etc/ntp.conf by adding the following line: server ntp.example.com...
  • Page 674 with a number. In xntp, the actual configuration takes place by means of pseudo IP addresses. The clocks are entered in the file /etc/ntp.conf as though they existed in the network. For this purpose, they are assigned special IP addresses in the form 127.127.t.u.
  • Page 675: Configuring Nis Clients

    Using NIS As soon as multiple UNIX systems in a network want to access common resources, it becomes important that all user and group identities are the same for all machines in that network. The network should be transparent to users: whatever machines they use, they always find themselves in exactly the same environment.
  • Page 676 You can also specify multiple servers by entering their addresses in Addresses of NIS servers and separating them by spaces. Depending on your local installation, you may also want to activate the automounter. This option also installs additional software if required. In the expert settings, disable Answer Remote Hosts if you do not want other hosts to be able to query which server your client is using.
  • Page 677: Configuring Edirectory Authentication

    SUSE Linux Enterprise Desktop workstation for eDirectory authentication and enabling users on the eDirectory server. For more detailed information on LUM and on configuring your eDirectory 8.6.x, 8.7.x, or 8.8.x server to use LUM, see the Novell Linux Configuring eDirectory Authentication...
  • Page 678: Setting Up Workstations To Use Edirectory Authentication

    User Management Technology Guide [http://www.novell.com/documentation/oes/lumadgd/data/bookinfo.html]. 34.1 Setting Up Workstations to Use eDirectory Authentication Before users can use their eDirectory usernames and passwords to log in, the SUSE Linux Enterprise Desktop workstation must be configured with Linux User Management components. You can set up eDirectory Authentication during the installation, or you can use YaST to set it up anytime after installation.
  • Page 679 3 If eDirectory is running on a remote system, specify the remote system's IP address. 4 Optionally, provide the eDirectory Admin Name with Context, and the Admin Password. The admin name and context must be entered in LDAP syntax, which uses a comma instead of a period (for example: cn=admin,o=novell). Configuring eDirectory Authentication...
  • Page 680 IMPORTANT If you do not have rights to create objects in the eDirectory tree, leave these fields blank. Contact your eDirectory administrator, give him the host name of your client, and ask him to create a LUM Workstation object with your host name. Ask where you can get a copy of the CA certificate for the LDAP server and place this certificate in the /var/nam directory.
  • Page 681 User and Group objects are created. This object is created when LUM is configured on the eDirectory server, and is usually located in an upper container of the eDirectory tree (for example, o=novell). Contact your eDirectory administrator for the context.
  • Page 682: Using Imanager To Enable Users For Edirectory Authentication

    10 Click Finish. Installing and configuring LUM technology sets up the SUSE Linux Enterprise Desktop workstation to validate login requests against user account information stored in eDirectory. Before users can log in, they must have eDirectory user accounts created with iManager and extended for LUM, and their User objects must be associated with the workstation they will log in to.
  • Page 683 IP address or domain name of the eDirectory server. You are prompted to provide the full context of the admin user (for example, admin.novell) and password. 2 Make sure you are in the Roles and Tasks view by clicking Roles and Tasks Icon on the top button bar, then select Linux User Management in the navigation panel on the left.
  • Page 684 methods (see Step 9 (page 665)) and enter a username and password. The access request is redirected to find the appropriate username and login information stored in eDirectory. When extended for Linux, the eDirectory User object holds Linux-related properties, such as user ID, primary group ID, primary group name, location of home directory, and preferred shell.
  • Page 685: Turning Off Lum And Edirectory Authentication

    34.3 Turning Off LUM and eDirectory Authentication There might be times when you want to turn off a workstation's ability to accept logins from eDirectory. You can permanently turn off this ability by removing the LUM software from the workstation. You can temporarily disable eDirectory authentication by stopping the namcd daemon.
  • Page 687 LDAP—A Directory Service The Lightweight Directory Access Protocol (LDAP) is a set of protocols designed to access and maintain information directories. LDAP can be used for numerous purposes, such as user and group management, system configuration management, or address management. This chapter provides a basic understanding of how OpenLDAP works and how to manage LDAP data with YaST.
  • Page 688: Ldap Versus Nis

    • Because write accesses can only be executed in a restricted fashion, a directory service is used to administer mostly unchanging, static information. Data in a conventional database typically changes very often (dynamic data). Phone numbers in a company directory do not change nearly as often as, for example, the figures administered in accounting.
  • Page 689: Structure Of An Ldap Directory Tree

    • Mail routing (postfix, sendmail) • Address books for mail clients, like Mozilla, Evolution, and Outlook • Administration of zone descriptions for a BIND9 name server • User authentication with Samba in heterogeneous networks This list can be extended because LDAP is extensible, unlike NIS. The clearly-defined hierarchical structure of the data eases the administration of large amounts of data, because it can be searched more easily.
  • Page 690 leaf These objects sit at the end of a branch and have no subordinate objects. Examples are person, InetOrgPerson, or groupofNames. The top of the directory hierarchy has a root element root. This can contain c (country), dc (domain component), or o (organization) as subordinate elements. The relations within an LDAP directory tree become more evident in the following example, shown in Figure 35.1, “Structure of an LDAP Directory”...
  • Page 691 is, however, possible to create custom schemes or to use multiple schemes complementing each other if this is required by the environment in which the LDAP server should operate. Table 35.1, “Commonly Used Object Classes and Attributes” (page 675) offers a small overview of the object classes from core.schema and inetorgperson.schema used in the example, including required attributes and valid attribute values.
  • Page 692 Example 35.1 Excerpt from schema.core
    #1 attributetype ( 2.5.4.11 NAME ( 'ou' 'organizationalUnitName' )
       DESC 'RFC2256: organizational unit this object belongs to'
       SUP name )
    #4 objectclass ( 2.5.6.5 NAME 'organizationalUnit'
       DESC 'RFC2256: an organizational unit'
       SUP top STRUCTURAL
       MUST ou
    #8 MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $ x121Address $ registeredAddress $ destinationIndicator $ preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $ telephoneNumber...
  • Page 693: Configuring An Ldap Client With Yast

    35.3 Configuring an LDAP Client with YaST YaST includes a module to set up LDAP-based user management. If you did not enable this feature during the installation, start the module by selecting Network Services > LDAP Client. YaST automatically enables any PAM and NSS related changes as required by LDAP and installs the necessary files.
  • Page 694: Basic Configuration

    Example 35.3 Adaptations in nsswitch.conf
    passwd: compat
    group: compat
    passwd_compat: ldap
    group_compat: ldap
    These lines order the resolver library of glibc first to evaluate the corresponding files in /etc and additionally access the LDAP server as sources for authentication and user data.
  • Page 695 Figure 35.2 YaST: Configuration of the LDAP Client To authenticate users of your machine against an OpenLDAP server and enable user management via OpenLDAP, proceed as follows: 1 Click Use LDAP to enable the use of LDAP. Select Use LDAP but Disable Logins instead if you want to use LDAP for authentication, but do not want other users to log in to this client.
  • Page 696 6 Select Start Automounter to mount remote directories on your client, such as a remotely managed /home. 7 Select Create Home Directory on Login to have a user's home automatically created on the first user login. 8 Click Finish to apply your settings. Figure 35.3 YaST: Advanced Configuration To modify data on the server as administrator, click Advanced Configuration.
  • Page 697 by crypt are used. For details on this and other options, refer to the pam_ldap man page. 1c Specify the LDAP group to use with Group Member Attribute. The default value for this is member. 2 In Administration Settings, adjust the following settings: 2a Set the base for storing your user management data via Configuration Base 2b Enter the appropriate value for Administrator DN.
  • Page 698 Configuring the YaST Group and User Administration Modules Use the YaST LDAP client to adapt the YaST modules for user and group administration and to extend them as needed. Define templates with default values for the individual attributes to simplify the data registration. The presets created here are stored as LDAP objects in the LDAP directory.
  • Page 699 2 Choose a name for the new template. The content view then features a table listing all attributes allowed in this module with their assigned values. Apart from all set attributes, the list also contains all other attributes allowed by the current schema but currently not used.
  • Page 700 Figure 35.5 YaST: Configuration of an Object Template Connect the template to its module by setting the susedefaulttemplate attribute value of the module to the DN of the adapted template. The default values for an attribute can be created from other attributes by using a variable instead of an absolute value.
  • Page 701: Configuring Ldap Users And Groups In Yast

    35.4 Configuring LDAP Users and Groups in YaST The actual registration of user and group data differs only slightly from the procedure when not using LDAP. The following brief instructions relate to the administration of users. The procedure for administering groups is analogous. 1 Access the YaST user administration with Security &...
  • Page 702 Figure 35.6 YaST: Additional LDAP Settings The initial input form of user administration offers LDAP Options. This gives the possibility to apply LDAP search filters to the set of available users or go to the module for the configuration of LDAP users and groups by selecting LDAP User and Group Configuration.
  • Page 703: Browsing The Ldap Directory Tree

    35.5 Browsing the LDAP Directory Tree To browse the LDAP directory tree and all its entries conveniently, use the YaST LDAP Browser: 1 Log in as root. 2 Start YaST > Network Services > LDAP Browser. 3 Enter the address of the LDAP server, the AdministratorDN, and the password for the RootDN of this server if you need both to read and write the data stored on the server.
  • Page 704: For More Information

    4 To view any of the entries in detail, select it in the LDAP Tree view and open the Entry Data tab. All attributes and values associated with this entry are displayed. Figure 35.8 Browsing the Entry Data 5 To change the value of any of these attributes, select the attribute, click Edit, enter the new value, click Save, and provide the RootDN password when prompted.
  • Page 705 OpenLDAP Faq-O-Matic A very rich question and answer collection concerning installation, configuration, and use of OpenLDAP. Find it at http://www.openldap.org/faq/data/cache/1.html. Quick Start Guide Brief step-by-step instructions for installing your first LDAP server. Find it at http://www.openldap.org/doc/admin22/quickstart.html or on an installed system in /usr/share/doc/packages/openldap2/admin-guide/quickstart.html.
  • Page 707: Terminology

    Samba Using Samba, a Unix machine can be configured as a file and print server for DOS, Windows, and OS/2 machines. Samba has developed into a fully-fledged and rather complex product. Configure Samba with YaST, SWAT (a Web interface), or the configuration file.
  • Page 708 An implementation that works relatively closely with network hardware is called NetBEUI, but this is often referred to as NetBIOS. Network protocols implemented with NetBIOS are IPX from Novell (NetBIOS via TCP/IP) and TCP/IP. The NetBIOS names sent via TCP/IP have nothing in common with the names used in /etc/hosts or those defined by DNS.
  • Page 709: Starting And Stopping Samba

    36.2 Starting and Stopping Samba You can start or stop the Samba server automatically during boot or manually. Starting and stopping policy is a part of the YaST Samba server configuration described in Section 36.3.1, “Configuring a Samba Server with YaST” (page 693).
  • Page 710: Starting The Server

    Advanced Samba Configuration with YaST During the first start of the Samba server module, the Samba Server Configuration dialog appears directly after the Samba Server Installation dialog. Use it to adjust your Samba server configuration. After editing your configuration, click Finish to close the configuration. Starting the Server In the Start Up tab, configure the start of the Samba server.
  • Page 711 in as user root. If you do not have a special Samba root account, use the system root account. NOTE: Activating SWAT After Samba server installation, SWAT is not activated. To activate it, open Network Services > Network Services (xinetd) in YaST, enable the network services configuration, select swat from the table, and click Toggle Status (On or Off).
  • Page 712 BROWSING.txt and BROWSING-Config.txt under the textdocs subdirectory of the package documentation. If no other SMB server is present in your network (such as a Windows NT or 2000 server) and you want the Samba server to keep a list of all systems present in the local environment, set the os level to a higher value (for example, 65).
  • Page 713 [cdrom] and comment The entry [cdrom] is the name of the share that can be seen by all SMB clients on the network. An additional comment can be added to further describe the share. path = /media/cdrom path exports the directory /media/cdrom. By means of a very restrictive default configuration, this kind of share is only made available to the users present on this system.
  • Page 714 browseable = No This setting makes the share invisible in the network environment. read only = No By default, Samba prohibits write access to any exported share by means of the read only = Yes parameter. To make a share writable, set the value read only = No, which is synonymous with writable = Yes.
  • Page 715: Configuring Clients

    and others with user level security. However, you can run a separate Samba server for each configured IP address on a system. More information about this subject can be found in the Samba HOWTO Collection. For multiple servers on one system, pay attention to the options interfaces and bind interfaces only.
  • Page 716: Samba As Login Server

    36.5 Samba as Login Server In networks where predominantly Windows clients are found, it is often preferable that users may only register with a valid account and password. In a Windows-based network, this task is handled by a primary domain controller (PDC). You can use a Windows NT server configured as PDC, but this task can also be done with the help of a Samba server.
  • Page 717: For More Information

    To make sure that Samba can execute this script correctly, choose a Samba user with the required administrator permissions. To do so, select one user and add it to the ntadmin group. After that, all users belonging to this Linux group can be assigned Domain Admin status with the command: net groupmap add ntgroup="Domain Admins"...
  • Page 719: Sharing File Systems With Nfs

    Sharing File Systems with NFS Distributing and sharing file systems over a network is a common task in corporate environments. NFS is a proven system that also works together with the yellow pages protocol NIS. For a more secure protocol that works together with LDAP and may also be kerberized, check NFSv4.
  • Page 720: Importing File Systems With Yast

    37.2 Importing File Systems with YaST Users authorized to do so can mount NFS directories from an NFS server into their own file trees. This can be achieved using the YaST module NFS Client. Just enter the hostname of the NFS server, the directory to import, and the mount point at which to mount this directory locally.
  • Page 721: Importing File Systems Manually

    37.3 Importing File Systems Manually File systems can also be imported manually from an NFS server. The prerequisite for this is a running RPC port mapper, which can be started by entering rcportmap start as root. Once this prerequisite is met, remote exported file systems can be mounted in the file system just like local hard disks using the mount command in the following manner: mount host:remote-path local-path...
  • Page 722 system is given. This is a concept called pseudo file system, which is explained in Section 37.4.1, “Exporting for NFSv4 Clients” (page 708). 37.3.2 Using the Automount Service In addition to regular local device mounts, the autofs daemon can also be used to mount remote file systems automatically.
  • Page 723: Exporting File Systems With Yast

    37.4 Exporting File Systems with YaST With YaST, turn a host in your network into an NFS server—a server that exports directories and files to all hosts granted access to it. This could be done to provide applications to all members of a group without installing them locally on each and every host.
  • Page 724 and IP networks. For a more thorough explanation of these options, refer to the exports man page. Click Finish to complete the configuration. Figure 37.3 Configuring an NFS Server with YaST IMPORTANT: Automatic Firewall Configuration If a firewall is active on your system (SuSEfirewall2), YaST adapts its configuration for the NFS server by enabling the nfs service when Open Ports in Firewall is selected.
  • Page 725 (the default) if you do not have special requirements. For more information, see Section 37.7, “For More Information” (page 715). Click Next. The dialog that follows has two sections. The upper half consists of two columns named Directories and Bind mount targets. Directories is a directly editable column that lists the directories to export.
  • Page 726 In the small dialog that opens, enter the host wild card. There are four possible types of host wild cards that can be set for each host: a single host (name or IP address), netgroups, wild cards (such as * indicating all machines can access the server), and IP networks.
  • Page 727 Figure 37.5 Exporting Directories with NFSv2 and v3 37.4.3 Coexisting v3 and v4 Exports Both NFSv3 and NFSv4 exports can coexist on a server. After enabling the support for NFSv4 in the initial configuration dialog, those exports for which fsid=0 and bind=/target/path are not included in the option list are considered v3 exports.
  • Page 728: Exporting File Systems Manually

    37.5 Exporting File Systems Manually The configuration files for the NFS export service are /etc/exports and /etc/sysconfig/nfs. In addition to these files, /etc/idmapd.conf is needed for the NFSv4 server configuration. To start or restart the services, run the commands rcnfsserver restart and rcidmapd restart.
  • Page 729 binds to an existing subdirectory (/export/data) of the pseudo file system /export. The pseudo file system is the top level directory under which all file systems that need to be NFSv4 exported take their places. For a client or set of clients, there can only be one directory on the server configured as the pseudo root for export.
  • Page 730: Starting And Stopping Services

    Do not change these parameters unless you are sure of what you are doing. For further reference, read the man pages of idmapd and idmapd.conf: man idmapd, man idmapd.conf. Starting and Stopping Services After changing /etc/exports or /etc/sysconfig/nfs, start or restart the NFS server service with rcnfsserver restart.
  • Page 731: Nfs With Kerberos

    37.6 NFS with Kerberos To use Kerberos authentication for NFS, GSS security must be enabled. To do so, select Enable GSS Security in the initial YaST dialog. Additionally, complete the following steps: • Make sure that both the server and the client are in the same Kerberos domain. This means that they access the same KDC (Key Distribution Center) server and share their krb5.keytab file (the default location on any machine is /etc/krb5.keytab).
  • Page 733: File Synchronization

    File Synchronization Today, many people use several computers—one computer at home, one or several computers at the workplace, and possibly a laptop or PDA on the road. Many files are needed on all these computers. You may want to be able to work with all computers and modify the files and subsequently have the latest version of the data available on all computers.
  • Page 734 WARNING: Risk of Data Loss Before you start managing your data with a synchronization system, you should be well acquainted with the program used and test its functionality. A backup is indispensable for important files. The time-consuming and error-prone task of manually synchronizing data can be avoided by using one of the programs that use various methods to automate this job.
  • Page 735: Determining Factors For Selecting A Program

    38.2 Determining Factors for Selecting a Program There are some important factors to consider when deciding which program to use. 38.2.1 Client-Server versus Peer-to-Peer Two different models are commonly used for distributing data. In the first model, all clients synchronize their files with a central server. The server must be accessible by all clients at least occasionally.
  • Page 736 There is no conflict handling in rsync. The user is responsible for not accidentally overwriting files and for manually resolving all possible conflicts. To be on the safe side, a versioning system like RCS can additionally be employed. 38.2.5 Selecting and Adding Files In CVS, new directories and files must be added explicitly using the command cvs add.
  • Page 737 38.2.9 User Friendliness rsync is rather easy to use and is also suitable for newcomers. CVS is somewhat more difficult to operate. Users should understand the interaction between the repository and local data. Changes to the data should first be merged locally with the repository. This is done with the command cvs update.
  • Page 738: Introduction To Cvs

    [Table fragment: comparison of file synchronization tools, rsync column; rows File Sel. (Sel./file, dir. / Dir.), History, Hard Disk Space, Difficulty, Attacks (+ (ssh) / +(ssh)), Data Loss] 38.3 Introduction to CVS CVS is suitable for synchronization purposes if individual files are edited frequently and are stored in a file format, such as ASCII text or program source text. The use of CVS for synchronizing data in other formats, such as JPEG files, is possible, but leads to large amounts of data, because all variants of a file are stored permanently on the CVS server.
  • Page 739 CVS_RSH=ssh CVSROOT=tux@server:/serverdir The command cvs init can be used to initialize the CVS server from the client side. This needs to be done only once. Finally, the synchronization must be assigned a name. Select or create a directory on the client exclusively to contain files to manage with CVS (the directory can also be empty).
  • Page 740 Start the synchronization with the server with cvs update. Update individual files or directories as in cvs update file1 directory1. To see the difference between the current files and the versions stored on the server, use the command cvs diff or cvs diff file1 directory1.
  • Page 741: Introduction To Rsync

    • CVS: http://www.cvshome.org • Rsync: http://www.gnu.org/manual 38.4 Introduction to rsync rsync is useful when large amounts of data need to be transmitted regularly while not changing too much. This is, for example, often the case when creating backups. Another application concerns staging servers. These are servers that store complete directory trees of Web servers that are regularly mirrored onto a Web server in a DMZ.
  • Page 742
    gid = nobody
    uid = nobody
    read only = true
    use chroot = no
    transfer logging = true
    log format = %h %o %f %l %b
    log file = /var/log/rsyncd.log
    [FTP]
    path = /srv/ftp
    comment = An Example
    Then start rsyncd with rcrsyncd start. rsyncd can also be started automatically during the boot process.
  • Page 743 A technical reference about the operating principles of rsync is featured in /usr/share/doc/packages/rsync/tech_report.ps. Find the latest news about rsync on the project Web site at http://rsync.samba.org/. If you want Subversion or other tools, download the SDK. Find it at http://developer.novell.com/wiki/index.php/SUSE_LINUX_SDK.
  • Page 745: Part V Security

    Part V. Security...
  • Page 747: Masquerading And Firewalls

    Masquerading and Firewalls Whenever Linux is used in a networked environment, you can use the kernel functions that allow the manipulation of network packets to maintain a separation between internal and external network areas. The Linux netfilter framework provides the means to establish an effective firewall that keeps different networks apart.
  • Page 748 This table defines any changes to the source and target addresses of packets. Using these functions also allows you to implement masquerading, which is a special case of NAT used to link a private network with the Internet. mangle The rules held in this table make it possible to manipulate values stored in IP headers (such as the type of service).
  • Page 749 Figure 37.1 iptables: A Packet's Possible Paths [figure: a packet's path through the PREROUTING, INPUT, FORWARD, OUTPUT and POSTROUTING chains, with the mangle and filter tables, the routing decisions, and the processes in the local system; incoming packet at the top, outgoing packet at the bottom] These tables contain several predefined chains to match packets:
  • Page 750: Masquerading Basics

    PREROUTING: This chain is applied to incoming packets.
    INPUT: This chain is applied to packets destined for the system's internal processes.
    FORWARD: This chain is applied to packets that are only routed through the system.
    OUTPUT: This chain is applied to packets originating from the system itself.
    POSTROUTING: This chain is applied to all outgoing packets.
  • Page 751 hosts in the local network connected to the network card (such as eth0) of the router, they can send any packets not destined for the local network to their default gateway or router. IMPORTANT: Using the Correct Network Mask When configuring your network, make sure both the broadcast address and the netmask are the same for all local hosts.
  • Page 752: Firewalling Basics

    39.3 Firewalling Basics Firewall is probably the term most widely used to describe a mechanism that provides and manages a link between networks while also controlling the data flow between them. Strictly speaking, the mechanism described in this section is called a packet filter. A packet filter regulates the data flow according to certain criteria, such as protocols, ports, and IP addresses.
  • Page 753 External Zone Given that there is no way to control what is happening on the external network, the host needs to be protected from it. In most cases, the external network is the Internet, but it could be another insecure network, such as a WLAN. Internal Zone This refers to the private network, in most cases the LAN.
  • Page 754 for activating additional services and ports. The YaST firewall configuration module can be used to activate, deactivate, or reconfigure the firewall. The YaST dialogs for the graphical configuration can be accessed from the YaST Control Center. Select Security and Users > Firewall. The configuration is divided into seven sections that can be accessed directly from the tree structure on the left side.
  • Page 755 The logging of broadcasts that are not accepted can be enabled here. This may be problematic, because Windows hosts use broadcasts to know about each other and so generate many packets that are not accepted. IPsec Support Configure whether the IPsec service should be available to the external network in this dialog.
  • Page 756 FW_DEV_INT (firewall, masquerading): The device linked to the internal, private network (such as eth0). Leave this blank if there is no internal network and the firewall protects only the host on which it runs.
    FW_ROUTE (firewall, masquerading): If you need the masquerading function, set this to yes. Your internal hosts will not be visible to the outside, because their private network addresses (e.g., 192.168.x.x) are ignored by Internet routers.
  • Page 757: For More Information

    FW_SERVICES_INT_TCP (firewall): With this variable, define the services available for the internal network. The notation is the same as for FW_SERVICES_EXT_TCP, but the settings are applied to the internal network. The variable only needs to be set if FW_PROTECT_FROM_INT is set to yes.
    FW_SERVICES_INT_UDP (firewall): See FW_SERVICES_INT_TCP.
  • Page 759: Ssh: Secure Network Operations

    SSH: Secure Network Operations With more and more computers installed in networked environments, it often becomes necessary to access hosts from a remote location. This normally means that a user sends login and password strings for authentication purposes. As long as these strings are transmitted as plain text, they could be intercepted and misused to gain access to that user account without the authorized user even knowing about it.
  • Page 760: The Ssh Program

    40.2 The ssh Program Using the ssh program, it is possible to log in to remote systems and work interactively. It replaces both telnet and rlogin. The slogin program is just a symbolic link pointing to ssh. For example, log in to the host sun with the command ssh sun. The host then prompts for the password on sun.
  • Page 761 scp also provides a recursive copying feature for entire directories. The command scp -r src/ sun:backup/ copies the entire contents of the directory src including all subdirectories to the backup directory on the host sun. If this subdirectory does not exist yet, it is created automatically.
  • Page 762: Ssh Authentication Mechanisms

    For the communication between SSH server and SSH client, OpenSSH supports versions 1 and 2 of the SSH protocol. Version 2 of the SSH protocol is used by default. Override this to use version 1 of the protocol with the -1 switch. To continue using version 1 after a system update, follow the instructions in /usr/share/doc/packages/openssh/README.SuSE.
  • Page 763 that is also easy to use. Because it is meant to replace rsh and rlogin, SSH must also be able to provide an authentication method appropriate for daily use. SSH accomplishes this by way of another key pair, which is generated by the user. The SSH package provides a helper program for this: ssh-keygen.
  • Page 764: X, Authentication, And Forwarding Mechanisms

    40.7 X, Authentication, and Forwarding Mechanisms Beyond the previously described security-related improvements, SSH also simplifies the use of remote X applications. If you run ssh with the option -X, the DISPLAY variable is automatically set on the remote machine and all X output is exported to the remote machine over the existing SSH connection.
  • Page 765: Kerberos Terminology

    Network Authentication—Kerberos An open network provides no means to ensure that a workstation can identify its users properly except the usual password mechanisms. In common installations, the user must enter the password each time a service inside the network is accessed. Kerberos provides an authentication method with which a user registers once then is trusted in the complete network for the rest of the session.
  • Page 766 credential: Users or clients need to present some kind of credentials that authorize them to request services. Kerberos knows two kinds of credentials—tickets and authenticators.
    ticket: A ticket is a per-server credential used by a client to authenticate at a server from which it is requesting a service.
  • Page 767: How Kerberos Works

    replay Almost all messages sent in a network can be eavesdropped, stolen, and resent. In the Kerberos context, this would be most dangerous if an attacker manages to obtain your request for a service containing your ticket and authenticator. He could then try to resend it (replay) to impersonate you.
  • Page 768 • The client's IP address • The newly-generated session key This ticket is then sent back to the client together with the session key, again in encrypted form, but this time the private key of the client is used. This private key is only known to Kerberos and the client, because it is derived from your user password.
  • Page 769 41.2.3 Mutual Authentication Kerberos authentication can be used in both directions. It is not only a question of the client being the one it claims to be. The server should also be able to authenticate itself to the client requesting its service. Therefore, it sends some kind of authenticator itself. It adds one to the checksum it received in the client's authenticator and encrypts it with the session key, which is shared between it and the client.
  • Page 770: Users' View Of Kerberos

    • The newly-generated session key The new ticket is assigned a lifetime, which is the lesser of the remaining lifetime of the ticket-granting ticket and the default for the service. The client receives this ticket and the session key, which are sent by the ticket-granting service, but this time the answer is encrypted with the session key that came with the original ticket-granting ticket.
  • Page 771: For More Information

    • rsh, rcp, rshd • ftp, ftpd You no longer have to enter your password for using these applications because Kerberos has already proven your identity. ssh, if compiled with Kerberos support, can even forward all the tickets acquired for one workstation to another one. If you use ssh to log in to another workstation, ssh makes sure that the encrypted contents of the tickets are adjusted to the new situation.
  • Page 773: Encrypting Partitions And Files

    Encrypting Partitions and Files Every user has some confidential data that third parties should not be able to access. The more you rely on mobile computing and on working in different environments and networks, the more carefully you should handle your data. The encryption of files or entire partitions is recommended if others have network or physical access to your system.
  • Page 774: Using Vi To Encrypt Single Ascii Text Files

    mounted and the contents are made available to the user. Refer to Section 42.2, “Using Encrypted Home Directories” (page 761) for more information. Encrypting Single ASCII Text Files If you only have a small number of ASCII text files that hold sensitive or confidential data, you can encrypt them individually and protect them with a password using the vi editor.
  • Page 775: During Installation

    42.1.1 Creating an Encrypted Partition during Installation WARNING: Password Input Make sure to memorize the password for your encrypted partitions well. Without that password you cannot access or restore the encrypted data. The YaST expert dialog for partitioning offers the options needed for creating an encrypted partition.
  • Page 776 password when prompted for it. After you are done with working on this partition, unmount it with umount name_of_partition to protect it from access by other users. When you are installing your system on a machine where several partitions already exist, you can also decide to encrypt an existing partition during installation.
  • Page 777: Using Encrypted Home Directories

    The advantage of encrypted container files over encrypted partitions is that they can be added without repartitioning the hard disk. They are mounted with the help of a loop device and behave just like normal partitions. 42.1.4 Encrypting the Content of Removable Media YaST treats removable media like external hard disks or USB flash drives the same as any other hard disk.
  • Page 778 LOGIN.key The image key, protected with the user's login password. On login, the home directory is automatically decrypted. Internally, this is provided by means of the PAM module pam_mount. If you need to add an additional login method that provides encrypted home directories, you have to add this module to the respective configuration file in /etc/pam.d/ (see Chapter 24, Au-...).
  • Page 779: Confining Privileges With Apparmor

    Effective hardening of a computer system requires minimizing the number of programs that mediate privilege then securing the programs as much as possible. With Novell AppArmor, you only need to profile the programs that are exposed to attack in your environment, which drastically reduces the amount of work required to harden your computer.
  • Page 780: Installing Novell Apparmor

    Guide. 43.1 Installing Novell AppArmor Novell AppArmor is installed and running by default on any installation of SUSE Linux Enterprise® regardless of what patterns are installed. The packages listed below are needed for a fully functional instance of AppArmor •...
  • Page 781 Using Novell AppArmor Control Panel Toggle the status of Novell AppArmor in a running system by switching it off or on using the YaST Novell AppArmor Control Panel. Changes made here are applied instantaneously. The Control Panel triggers a stop or start event for AppArmor and removes or adds its boot script in the system's boot sequence.
  • Page 782: Choosing The Applications To Profile

    43.3 Getting Started with Profiling Applications Prepare a successful deployment of Novell AppArmor on your system by carefully considering the following items: 1 Determine the applications to profile. Read more on this in Section 43.3.1, “Choosing the Applications to Profile”...
  • Page 783: Building And Modifying Profiles

    There are two ways of managing profiles. One is to use the graphical front-end provided by the YaST Novell AppArmor modules and the other is to use the command line tools provided by the AppArmor suite itself. Both methods basically work the same way.
  • Page 784 Outline the basic profile by running YaST > Novell AppArmor > Add Profile Wizard and specifying the complete path of the application to profile. A basic profile is outlined and AppArmor is put into learning mode, which means that it logs any activity of the program you are executing but does not yet restrict
    2 Run the full range of the application's actions to let AppArmor get a very specific picture of its activities.
  • Page 785 For more information about profile building and modification, refer to Chapter 2, Profile Components and Syntax (↑Novell AppArmor Administration Guide), Chapter 3, Building and Managing Profiles with YaST (↑Novell AppArmor Administration Guide), and Chapter 4, Building Profiles from the Command Line (↑Novell AppArmor Administration Guide).
  • Page 786 43.3.3 Configuring Novell AppArmor Event Notification and Reports Set up event notification in Novell AppArmor so you can review security events. Event Notification is a Novell AppArmor feature that informs a specified e-mail recipient when systemic Novell AppArmor activity occurs at or above the chosen severity level. This feature is currently available in the YaST interface.
  • Page 787: Updating Your Profiles

    Delete unneeded reports or add new ones. TIP: For More Information For more information about configuring event notification in Novell AppArmor, refer to Section “Configuring Security Event Notification” (Chapter 6, Managing Profiled Applications, ↑Novell AppArmor Administration Guide). Find more information about report configuration in Section “Configuring Reports”...
  • Page 788 TIP: For More Information For more information about updating your profiles from the system logs, refer to Section “Updating Profiles from Log Entries” (Chapter 3, Building and Managing Profiles with YaST, ↑Novell AppArmor Administration Guide). Deployment Guide...
  • Page 789: Security And Confidentiality

    Security and Confidentiality One of the main characteristics of a Linux or UNIX system is its ability to handle several users at the same time (multiuser) and to allow these users to perform several tasks (multitasking) on the same computer simultaneously. Moreover, the operating system is network transparent.
  • Page 790 44.1 Local Security and Network Security There are several ways of accessing data: • personal communication with people who have the desired information or access to the data on a computer • directly from the console of a computer (physical access) •...
  • Page 791 Serial terminals connected to serial ports are still used in many places. Unlike network interfaces, they do not rely on a network protocol to communicate with the host. A simple cable or an infrared port is used to send plain characters back and forth between the devices.
  • Page 792 In the seventies, it was argued that this method would be more secure than others due to the relative slowness of the algorithm used, which took a few seconds to encrypt just one password. In the meantime, however, PCs have become powerful enough to do several hundred thousand or even millions of encryptions per second.
  • Page 793 The permissions of all files included in the SUSE Linux Enterprise distribution are carefully chosen. A system administrator who installs additional software or other files should take great care when doing so, especially when setting the permission bits. Experienced and security-conscious system administrators always use the -l option with the command ls to get an extensive file list, which allows them to detect any incorrect file permissions immediately.
  • Page 794 is written beyond the end of that buffer area, which, under certain circumstances, makes it possible for a program to execute program sequences influenced by the user (and not by the programmer), rather than just processing user data. A bug of this kind may have serious consequences, especially if the program is being executed with special privileges (see Section 44.1.4, “File Permissions”...
  • Page 795 them. Viruses are a typical sign that the administrator or the user lacks the required security awareness, putting at risk even a system that should be highly secure by its very design. Viruses should not be confused with worms, which belong to the world of networks entirely.
  • Page 796 In the case of cookie-based access control, a character string is generated that is only known to the X server and to the legitimate user, just like an ID card of some kind. This cookie (the word goes back not to ordinary cookies, but to Chinese fortune cookies, which contain an epigram) is stored on login in the file .Xauthority in the user's home directory and is available to any X client wanting to use the X server to display a window.
  • Page 797 exploit these newly-found security holes—are often posted on the security mailing lists. They can be used to target the vulnerability without knowing the details of the code. Over the years, experience has shown that the availability of exploit codes has contributed to more secure operating systems, obviously due to the fact that operating system makers were forced to fix the problems in their software.
  • Page 798 not secured against hijacking through encryption, which only perform a simple authentication procedure upon establishing the connection, makes it easier for attackers. Spoofing is an attack where packets are modified to contain counterfeit source data, usually the IP address. Most active forms of attack rely on sending out such fake packets—something that, on a Linux machine, can only be done by the superuser (root).
  • Page 799: Some General Security Tips And Tricks

    44.2 Some General Security Tips and Tricks To handle security competently, it is important to keep up with new developments and stay informed about the latest security issues. One very good way to protect your systems against problems of all kinds is to get and install the updated packages recommended by security announcements as quickly as possible.
  • Page 800 • Change the /etc/permissions file to optimize the permissions of files crucial to your system's security. If you remove the setuid bit from a program, it might well be that it cannot do its job anymore in the intended way. On the other hand, consider that, in most cases, the program will also have ceased to be a potential security risk.
  • Page 801: Using The Central Security Reporting Address

    SUSE's pgp key is: ID:3D25D3D9 1999-03-06 SUSE Security Team <security@suse.de> Key fingerprint = 73 5F 2E 99 DF DB 94 C4 8F 5A A3 AE AF 22 F2 D5 This key is also available for download from http://www.novell.com/linux/security/securitysupport.html.
  • Page 803: Part Vi Troubleshooting

    Part VI. Troubleshooting...
  • Page 805: Help And Documentation

    Help and Documentation SUSE Linux Enterprise® comes with various sources of information and documentation. The SUSE Help Center provides central access to the most important documentation resources on your system in searchable form. These resources include online help for installed applications, manual pages, info pages, databases on hardware and software topics, and all manuals delivered with your product.
  • Page 806 configuration of the search function in the Search tab are presented in Section 45.1.2, “The Search Function” (page 791). The Contents tab presents a tree view of all available and currently installed information sources. Click the book icons to open and browse the individual categories.
  • Page 807 45.1.1 Contents The SUSE Help Center provides access to useful information from various sources. It contains special documentation for SUSE Linux Enterprise (Start-Up, KDE User Guide, GNOME User Guide, and Reference), all available information sources for your workstation environment, online help for the installed programs, and help texts for other applications.
  • Page 808 Figure 45.3 Generating a Search Index To limit the search base and the hit list as precisely as possible, use the three drop-down menus to determine the number of displayed hits and the selection area of sources to search. The following options are available for determining the selection area: Default A predefined selection of sources is searched.
  • Page 809: Man Pages

    45.2 Man Pages Man pages are an essential part of any Linux system. They explain the usage of a command and all available options and parameters. Man pages are sorted in categories as shown in Table 45.1, “Man Pages—Categories and Descriptions” (page 793) (taken from the man page for man itself).
  • Page 810: Info Pages

    Another possibility to display a man page is to use Konqueror. Start Konqueror and type, for example, man:/ls. If there are different categories for a command, Konqueror displays them as links. 45.3 Info Pages Info pages are another important source of information on your system. Usually they are more verbose than man pages.
  • Page 811: Wikipedia: The Free Online Encyclopedia

    45.5 Wikipedia: The Free Online Encyclopedia Wikipedia is “a multilingual encyclopedia designed to be read and edited by anyone” (see http://en.wikipedia.org). The content of Wikipedia is created by its users and is published under a free license (GFDL). Any visitor can edit articles, which carries the risk of vandalism, but this does not deter visitors.
  • Page 812: Package Documentation

    45.7 Package Documentation If you install a package in your system, a directory /usr/share/doc/packages/packagename is created. You can find files from the package maintainer as well as additional information from SUSE. Sometimes there are also examples, configuration files, additional scripts, or other things available. Usually you can find the following files, but they are not standard and sometimes not all files are available.
  • Page 813: Usenet

    45.8 Usenet Created in 1979 before the rise of the Internet, Usenet is one of the oldest computer networks and still in active use. The format and transmission of Usenet articles is very similar to e-mail, but is developed for a many-to-many communication. Usenet is organized into seven topical categories: comp.* for computer-related discus- sions, misc.* for miscellaneous topics, news.* for newsgroup-related matters, rec.* for recreation and entertainment, sci.* for science-related discussions, soc.*...
  • Page 814 concentrates on standardizing Web technologies. W3C promotes the dissemination of open, license-free, and manufacturer-independent specifications, such as HTML, XHTML, and XML. These Web standards are developed in a four-stage process in working groups and are presented to the public as W3C recommendations (REC). http://www.oasis-open.org OASIS (Organization for the Advancement of Structured Information Standards) is an international consortium specializing in the development of standards for Web...
  • Page 815 The association brings together manufacturers, consumers, trade professionals, service companies, scientists and others who have an interest in the establishment of standards. The standards are subject to a fee and can be ordered using the DIN home page. Help and Documentation...
  • Page 817: Common Problems And Their Solutions

    Common Problems and Their Solutions This chapter offers a range of common problems that can arise with an intention of covering as many of the various types of potential problems as possible. That way, even if your precise situation is not listed here, there might be one similar enough to offer hints as to the solution.
  • Page 818 Table 46.1 Log Files Log File Description Messages from the kernel during the boot process. /var/log/boot.msg Messages from the mail system. /var/log/mail.* Ongoing messages from the kernel and system log /var/log/messages daemon when running. Log file from NetworkManager to collect problems /var/log/ with network connectivity NetworkManager...
  • Page 819 Table 46.2 System Information File Description This displays processor information, including its /proc/cpuinfo type, make, model, and performance. This shows which DMA channels are currently being /proc/dma used. This shows which interrupts are in use and how /proc/interrupts many of each have been in use. This displays the status of I/O (input/output) memo- /proc/iomem This shows which I/O ports are in use at the moment.
  • Page 820: Installation Problems

    46.2 Installation Problems Installation problems are situations when a machine fails to install. It may fail entirely or it may not be able to start the graphical installer. This section highlights some of the typical problems you might run into and offers possible solutions or workarounds for this kind of situations.
  • Page 821 Booting from a Floppy Disk Create a boot floppy and boot from floppy disk instead of CD or DVD. Using an External Boot Device If it is supported by the machine's BIOS and the installation kernel, boot for instal- lation from external CD or DVD drives. Network Boot via PXE If a machines lacks a CD or DVD drive, but provides a working ethernet connection, perform a completely network-based installation.
  • Page 822 verbose 1 in syslinux.cfg for the boot loader to display which action is currently being per- formed. If the machine does not boot from the floppy disk, you may need to change the boot sequence in the BIOS to A,C,CDROM. External Boot Devices Most CD-ROM drives are supported.
  • Page 823 appears, look for a line, usually below the counter or somewhere at the bottom, men- tioning the key to press to access the BIOS setup. Usually the key to press is Del , F1 , or Esc . Press this key until the BIOS setup screen appears. Procedure 46.1 Changing the BIOS Boot Sequence 1 Enter the BIOS using the proper key as announced by the boot routines and wait for the BIOS screen to appear.
  • Page 824 7 Exit this screen and confirm with Yes to boot the computer. Regardless of what language and keyboard layout your final installation will be using, most BIOS configurations use the US keyboard layout as depicted in the following figure: Figure 46.1 US Keyboard Layout 46.2.5 Fails to Boot Some hardware types, mainly fairly old or very recent ones, fail to install.
  • Page 825 If this fails, proceed as above, but choose Installation--Safe Settings instead. This option disables ACPI and DMA support. Most hardware should boot with this option. If both of these options fail, use the boot options prompt to pass any additional param- eters needed to support this type of hardware to the installation kernel.
  • Page 826 notsc Disable the time stamp counter. This option can be used to work around timing problems on your systems. It is a new feature, if you see regressions on your ma- chine, especially time related or even total hangs, this option is worth a try. nohz=off Disable the nohz feature.
  • Page 827 To perform an installation in text mode, proceed as follows: 1 Boot for installation. 2 Press F3 twice and select Text Mode. 3 Select Installation and proceed with the installation as described in Chapter 3, Installation with YaST (page 17). To perform a VNC installation, proceed as follows: 1 Boot for installation.
  • Page 828: Boot Problems

    If you use any kind of VNC viewer on your preferred operating system, enter the IP address and password when prompted to do so. A window opens, displaying the installation dialogs. Proceed with the installation as usual. 46.2.7 Only Minimalistic Boot Screen Started You inserted the first CD or DVD into the drive, the BIOS routines are finished, but the system does not start with the graphical boot screen.
  • Page 829 46.3.1 Fails to Load the GRUB Boot Loader If the hardware is functioning properly, it is possible that the boot loader has become corrupted and Linux cannot start on the machine. In this case, it is necessary to reinstall the boot loader. To reinstall the boot loader, proceed as follows: 1 Insert the installation media into the drive.
  • Page 830 46.3.2 No Login or Prompt Appears This behavior typically occurs after a failed kernel upgrade and it is known as a kernel panic because of the type of error on the system console that sometimes can be seen at the final stage of the process. If, in fact, the machine has just been rebooted following a software update, the immediate goal is to reboot it using the old, proven version of the Linux kernel and associated files.
  • Page 831: Login Problems

    The returned line indicates that the machine's default runlevel (initdefault) is set to 5 and that it should boot to the graphical desktop. If the runlevel is set to any other number, use the YaST Runlevel Editor module to set it to 5. IMPORTANT Do not edit the runlevel configuration manually.
  • Page 832 these machines. The following are some common reasons why a machine might appear functional but be unable to process logins correctly: • The network is not working. For further directions on this, turn to Section 46.5, “Network Problems” (page 822). •...
  • Page 833 46.4.2 Valid Username and Password Not Accepted This is by far the most common problem users encounter, because there are many reasons this can occur. Depending on whether you use local user management and authentication or network authentication, login failures occur for different reasons. Local user management can fail for the following reasons: •...
  • Page 834 5 If graphical login still fails, do a console login with Ctrl + Alt + F1 . Try to start an X session on another display—the first one (:0) is already in use: startx -- :1 This should bring up a graphical screen and your desktop. If it does not, check the log files of the X Window System (/var/log/Xorg.displaynumber .log) or the log file for your desktop applications (.xsession-errors in the user's home directory) for any irregularities.
  • Page 835 2 Determine the directory server the machine relies on for authentication and make sure that it is up and running and properly communicating with the other machines. 3 Determine that the user's username and password work on other machines to make sure that his authentication data exists and is properly distributed.
  • Page 836 46.4.3 Login Successful but GNOME Desktop Fails If this is true for a particular user, it is likely that the user's GNOME configuration files have become corrupted. Some symptoms might include the keyboard failing to work, the screen geometry becoming distorted, or even the screen coming up as a bare gray field.
  • Page 837 46.4.4 Login Successful but KDE Desktop Fails There are several reasons why a KDE desktop would not allow users to login. Corrupted cache data can cause login problems as well as corrupt KDE desktop configuration files. Cache data is used at desktop start-up to increase performance. If this data is corrupted, start-up is slowed down or fails entirely.
  • Page 838: Network Problems

    6 After the desktop has started successfully, copy the user's own configurations back into place: cp -a .kde-ORIG-RECOVER/share .kde/share IMPORTANT If the user's own adjustments caused the login to fail and continue to do so, repeat the procedure as described above, but do not copy the .kde/ share directory.
  • Page 839 DNS (Name Service) A broken or malfunctioning name service affects the network's functioning in many ways. If the local machine relies on any network servers for authen- tication and these servers cannot be found due to name resolution issues, users would not even be able to log in. Machines in the network managed by a broken name server would not be able to “see”...
  • Page 840 IMPORTANT The debugging procedure described below only applies to a simple net- work server/client setup that does not involve any internal routing. It assumes both server and client are members of the same subnet without the need for additional routing. 4a Use ping hostname (replace hostname with the hostname of the server) to check whether each one of them is up and responding to the net- work.
  • Page 841 /etc/resolv.conf This file is used to keep track of the name server and domain you are currently using. It can be modified manually or automatically adjusted by YaST or DHCP. Automatic adjustment is preferable. However, make sure that this file has the following structure and all network addresses and domain names are correct: search fully_qualified_domain_name nameserver ipaddress_of_nameserver...
  • Page 842 Use the command ifconfig network_device (executed as root) to check whether this device was properly configured. Make sure that both inet address and Mask are configured correctly. An error in the IP address or a missing bit in your network mask would render your network configuration unusable.
  • Page 843: Data Problems

    For more information about NetworkManager, refer to Section 30.5, “Managing Network Connections with NetworkManager” (page 627). 46.6 Data Problems Data problems are when the machine might or might not boot properly but, in either case, it is clear that there is data corruption on the system and that the system needs to be recovered.
  • Page 844 Use Expert to enter a dialog for the backup of entire hard disk areas. Current- ly, this option only applies to the Ext2 file system. 2f Finally, set the search constraints to exclude certain system areas from the backup area that do not need to be backed up, such as lock files or cache files.
  • Page 845 1 Start YaST > System > System Restoration. 2 Enter the location of the backup file. This could be a local file, a network mounted file, or a file on a removable device, such as a floppy or a CD. Then click Next.
  • Page 846 Automatic Repair If your system failed due to an unknown cause and you basically do not know which part of the system is to blame for the failure, use Automatic Repair. An ex- tensive automated check will be performed on all components of your installed system.
  • Page 847 6 In System Analysis, select Other > Repair Installed System. 7 Select Automatic Repair. YaST now launches an extensive analysis of the installed system. The progress of the procedure is displayed at the bottom of the screen with two progress bars. The upper bar shows the progress of the currently running test.
  • Page 848 Entries in the File /etc/fstab The entries in the file are checked for completeness and consistency. All valid partitions are mounted. Boot Loader Configuration The boot loader configuration of the installed system (GRUB or LILO) is checked for completeness and coherence. Boot and root devices are examined and the availability of the initrd modules is checked.
  • Page 849 7 Select Customized Repair. Choosing Customized Repair shows a list of test runs that are all marked for ex- ecution at first. The total range of tests matches that of automatic repair. If you already know where no damage is present, unmark the corresponding tests. Clicking Next starts a narrower test procedure that probably has a significantly shorter running time.
  • Page 850: Using The Rescue System

    Expert tools provides the following options to repair your faulty system: Install New Boot Loader This starts the YaST boot loader configuration module. Find details in Section 18.3, “Configuring the Boot Loader with YaST” (page 416). Start Partitioning Tool This starts the expert partitioning tool in YaST. Repair File System This checks the file systems of your installed system.
  • Page 851 • Manipulate any type of configuration file. • Check the file system for defects and start automatic repair processes. • Access the installed system in a “change root” environment • Check, modify, and reinstall the boot loader configuration • Resize partitions using the parted command. Find more information about this tool at the Web site of GNU Parted (http://www.gnu.org/software/parted/ parted.html).
  • Page 852 A shell and many other useful utilities, such as the mount program, are available in the /bin directory. The sbin directory contains important file and network utilities for reviewing and repairing the file system. This directory also contains the most important binaries for system maintenance, such as fdisk, mkfs, mkswap, mount, mount, init, and shutdown, and ifconfig, ip, route, and netstat for maintaining the network.
  • Page 853 Repairing and Checking File Systems Generally, file systems cannot be repaired on a running system. If you encounter serious problems, you may not even be able to mount your root file system and the system boot may end with a kernel panic. In this case, the only way is to repair the system from the outside.
  • Page 854 WARNING: Limitations Although you have full access to the files and applications of the installed sys- tem, there are some limitations. The kernel that is running is the one that was booted with the rescue system. It only supports essential hardware and it is not possible to add kernel modules from the installed system unless the kernel versions are exactly the same (which is unlikely).
  • Page 855 4 Unmount the partitions, log out from the “change root” environment, and reboot the system: umount -a exit reboot Common Problems and Their Solutions...
  • Page 857: Index

    features, 358 Index pipes, 360 profile, 425 wild cards, 359 Symbols BIOS 64-bit Linux, 385 boot sequence, 806 kernel specifications, 388 Bluetooth, 510, 573 runtime support, 385 hciconfig, 579 software development, 386 hcitool, 579 network, 577 opd, 581 access permissions (see permissions) pand, 580 ACLs, 317-328 sdptool, 580...
  • Page 858 chgrp, 366, 369 mv, 368 chmod, 365, 369 nslookup, 376 chown, 366, 369 passwd, 377 CJK, 433 ping, 376, 641 clear, 377 ps, 375 commands, 367-377 reboot, 377 bzip2, 362 rm, 368 cat, 372 rmdir, 369 cd, 368 route, 644 chgrp, 366, 369 scp, 744 chmod, 365, 369...
  • Page 859 inittab, 393, 395, 432 e-mail, 157 inputrc, 433 fax systems, 156 irda, 585 firewalls, 169 kernel, 391 graphics cards, 182 language, 433, 435 groups, 167 logrotate.conf, 427 GRUB, 406, 414 menu.lst, 408 hard disk controllers, 137 modprobe.d/sound, 144 hard disks network, 633 DMA, 138 networks, 636...
  • Page 860 TV, 142 mounting, 373 users, 161 unmounting, 373 wireless cards, 155 du, 374 consoles assigning, 432 graphical, 421 e-mail switching, 432 configuring, 157 core files, 429 synchronizing, 509 cp, 368 editors cpuspeed, 549 Emacs, 431-432 cron, 426 vi, 377 CVS, 718, 722-725 Emacs, 431-432 .emacs, 431 default.el, 431...
  • Page 861 NTFS, 28 ReiserFS, 472-473 GNOME repairing, 837 shell, 352 selecting, 472 graphics supported, 477-478 cards terms, 471 drivers, 486 XFS, 476 grep, 372 files groups archiving, 361, 370 managing, 167 comparing, 373 GRUB, 405-424 compressing, 361, 370 boot menu, 408 copying, 368 boot password, 414 deleting, 368...
  • Page 862 hciconfig, 579 ISDN, 622 hcitool, 579 KInternet, 647 help, 789-792 qinternet, 647 books, 795 smpppd, 645-647 FAQs, 794 TDSL, 627 guides, 795 IP addresses, 598 HOWTOs, 794 classes, 599 info pages, 431, 794 IPv6, 601 Linux documentation (TLDP), 794 configuring, 609 man pages, 367, 431, 793 masquerading, 734 manuals, 795...
  • Page 863 Asian characters, 433 license agreement, 24 configuring, 139 Lightweight Directory Access Protocol layout, 432 (see LDAP) mapping, 432 Linux compose, 433 networks and, 595 multikey, 433 sharing files with another OS, 691 X Keyboard Extension, 433 uninstalling, 420 XKB, 433 linuxrc kill, 375 manual installation, 211...
  • Page 864 FireWire (IEEE1394), 511 gateway, 615 laptops, 503 hostname, 615 PDAs, 512 IP address, 613 USB, 511 starting, 617 modems NFS, 703 cable, 625 clients, 158, 704 YaST, 619 exporting, 712 more, 360 importing, 705 mount, 373 mounting, 705 mouse servers, 707 configuring, 139 NIS, 659-660 mv, 368...
  • Page 865 reformatting, 149 powersave, 549 resizing Windows, 26 configuring, 549 types, 147 printing, 439 passwd, 377 command line, 450 passwords configuration with YaST, 443-447 changing, 377 local printers, 443 paths, 356 network printers, 447 absolute, 356 CUPS, 450 relative, 356 GDI printers, 455 PCI device IrDA, 585 drivers, 152...
  • Page 866 starting from network source, 835 display settings, 183 RFCs, 595 dual head, 185 rm, 368 graphics card, 184 rmdir, 369 graphics tablet, 188 routing, 160, 598, 633-634 keyboard settings, 187 masquerading, 734 mouse settings, 186 netmasks, 599 multihead, 186 routes, 633 resolution and color depth, 184 static, 633 touchscreen, 188...
  • Page 867 sdptool, 580 soft RAID (see RAID) security, 773-785 software attacks, 781-782 installing, 122-129 booting, 774, 776 removing, 122-129 bugs and, 777, 780 sound configuring, 160-169 configuring in YaST, 143 DNS, 782 mixers, 211 encrypted file system, 511 SSH, 743-748 engineering, 774 authentication mechanisms, 746 firewalls, 169, 731 daemon, 745...
  • Page 868 flash drives, 511 hard disks, 511 tar, 361, 370 users TCP/IP, 595 /etc/passwd, 498, 678 ICMP, 596 managing, 161 IGMP, 596 layer model, 596 packets, 597, 598 variables TCP, 596 environment, 434 UDP, 596 telnet, 376 administration, 159 time zones, 154 TLDP, 794 top, 375 Tripwire...
  • Page 869 security, 779 default system, 419 SSH and, 748 security, 419 touchscreen, 188 time-out, 419 TrueType fonts, 487 boot loader virtual screen, 485 location, 418 X11 core fonts, 489 password, 419 xft, 487 type, 417 Xft, 490 cable modem, 625 xorg.conf, 482 command line, 176 X Keyboard Extension (see keyboard, configuring, 119-172...
  • Page 870 NFS clients, 158 text mode, 172-175 NIS clients, 659 time zone, 25, 154 Novell AppArmor, 160 TV cards, 142 Novell Customer Center, 130 updating, 134, 193 NTP client, 158 user management, 161 online update, 130-133 virtualization, 169 partitioning, 26, 146...
