Novell OPEN ENTERPRISE SERVER 2 SP2 - PLANNING AND IMPLEMENTATION GUIDE 11-10-2009 Implementation Manual

Planning and implementation guide
AUTHORIZED DOCUMENTATION
Planning and Implementation Guide
Novell® Open Enterprise Server 2 SP2
November 10, 2009
www.novell.com
OES 2 SP2: Planning and Implementation Guide

Summary of Contents for Novell OPEN ENTERPRISE SERVER 2 SP2 - PLANNING AND IMPLEMENTATION GUIDE 11-10-2009

  • Page 1 AUTHORIZED DOCUMENTATION Planning and Implementation Guide Novell ® Open Enterprise Server 2 SP2 November 10, 2009 www.novell.com OES 2 SP2: Planning and Implementation Guide...
  • Page 2: Legal Notices

    Further, Novell, Inc. reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.
  • Page 3 Novell Trademarks For Novell trademarks, see the Novell Trademark and Service Mark list (http://www.novell.com/company/legal/ trademarks/tmlist.html). Third-Party Materials All third-party trademarks are the property of their respective owners.
  • Page 5: Table Of Contents

    Novell Domain Services for Windows ........
  • Page 6 NetWare Caveats ........... 43 3.9.14 Novell Distributed Print Services Cannot Migrate to Linux ....44 3.9.15 NSS Caveats .
  • Page 7 Novell-tomcat Is for OES Use Only ........
  • Page 8 Comparing Novell SLP and OpenSLP........114...
  • Page 9 13.3.1 MySQL ............135 13.3.2 OES 2 Options.
  • Page 10 Maintaining Novell CIFS File Services........205...
  • Page 11 Planning for Security ............219 21.2.1 Comparing the Linux and the Novell Trustee File Security Models ... . . 219 21.2.2 User Restrictions: Some OES 2 Limitations .
  • Page 12 Links to Backup Partners ..........245 D.2.2 Novell Storage Management Services (SMS) ......245 D.2.3 SLES 10 Backup Services .
  • Page 13 System Users ............. 272 System Groups .
  • Page 15: About This Guide

    We want to hear your comments and suggestions about this manual and the other documentation included with OES 2. Please use the User Comments feature at the bottom of each page of the online documentation, or go to www.novell.com/documentation/feedback.html and enter your comments there.
  • Page 16 A trademark symbol (®, etc.) denotes a Novell trademark. An asterisk (*) denotes a third-party trademark. When a single pathname can be written with a backslash for some platforms, or a forward slash for other platforms, the pathname is presented with a forward slash to reflect the Linux* convention.
  • Page 17: What's New Or Changed

    What’s New or Changed This section summarizes the new features for each release of Novell® Open Enterprise Server (OES) Section 1.1, “Where’s NetWare?,” on page 17 Section 1.2, “Links to What's New Sections,” on page 17 Section 1.3, “New or Changed in OES 2 SP2,” on page 19 Section 1.4, “New in OES 2 SP1,”...
  • Page 18 Administration Guide QuickFinder Administration Guide Samba (Linux) Administration Guide Server Health Monitoring This is now available in various Novell Remote Manager dialog boxes on both platforms. For more information, see “Health Monitoring Services” on page Shadow Volumes “Overview of Dynamic Storage Technology”...
  • Page 19: New Or Changed In Oes 2 Sp2

    1.3 New or Changed in OES 2 SP2 This section summarizes the new features introduced in Novell® Open Enterprise Server (OES) 2 SP2 that either involve multiple services or are not covered in service-specific documentation. For information on service-specific new features, see Section 1.2, “Links to What's New Sections,”...
  • Page 20: New In Oes 2 Sp1

    Section 1.4.1, “YaST Install Changes,” on page 20 Section 1.4.2, “Novell AFP,” on page 21 Section 1.4.3, “Novell CIFS,” on page 21 Section 1.4.4, “Novell Domain Services for Windows,” on page 22 Section 1.4.5, “Migration Tool,” on page 22 1.4.1 YaST Install Changes...
  • Page 21: Novell Afp

    OES 2 SP2: Novell AFP For Linux Administration Guide. 1.4.3 Novell CIFS Novell CIFS is now available on Linux to provide feature parity with the existing NetWare release. It offers the following features: Support for Windows* 2000, XP, 2003, and Windows Vista* 32-bit...
  • Page 22: New In Oes 2 (Initial Release)

    1.4.4 Novell Domain Services for Windows This service creates seamless cross-authentication capabilities between Microsoft* Active Directory* on Windows servers and Novell eDirectory on OES 2 SP2 servers, and offers the following functionality: Administrators with Windows networking environments can set up one or more “virtual”...
  • Page 23: Dynamic Storage Technology

    1.5.1 Dynamic Storage Technology OES 2 introduces Novell Dynamic Storage Technology, a unique storage solution that lets you combine a primary file tree and a shadow file tree so that they appear to NCP and Samba/CIFS users as one file tree. The primary and shadow trees can be located on different file systems, different servers, or even different types of storage.
  • Page 25: Welcome To Open Enterprise Server

    Figure: OES 2 services (CIFS, iPrint, Backup (SMS), FTP, QuickFinder, Clustering (High Availability), iFolder 3.x, Novell Storage Services (NSS), DNS/DHCP, NetStorage, eDirectory, Novell Client Access) running on SUSE Linux Enterprise Server 10. NOTE: For a list of OES 2 services, see Table 3-1, “Service Comparison Between NetWare 6.5 SP8...
  • Page 27 NSS volumes and NCP volumes on Linux. AFP (Apple* File Protocol): NetWare: Yes - NFAP; OES 2: Yes - Novell AFP. AFP services on NetWare and OES are proprietary and tightly integrated with eDirectory and Novell Storage Services (NSS). Planning Your OES 2 Implementation...
  • Page 28 (Linux)” in the OES 2 SP2: NSS File System Administration Guide. CIFS (Windows File Services): NetWare: Yes - NFAP; OES 2: Yes - Novell CIFS. Both NFAP and Novell CIFS are Novell proprietary and tightly integrated with eDirectory and Novell Storage Services (NSS). Novell Samba: Samba is an open source product®...
  • Page 29: Planning Your Oes 2 Implementation

    Strategy” in the OES 2 SP2: Novell DNS/DHCP Administration Guide for Linux “Planning a DHCP Strategy” in the NW 6.5 SP8: Novell DNS/ DHCP Services Administration Guide. For a comparison between what is available on OES 2 and NetWare, see Section 12.2.1, “DNS Differences Between NetWare and...
  • Page 30 Guide, and “Overview” in the NW 6.5 SP8: iPrint Administration Guide. IPX (Internetwork Packet Exchange): Novell has no plans to port IPX to OES. iSCSI: The iSCSI target for Linux does not support eDirectory access controls like the NetWare target does.
  • Page 31 SSH protocols. NetWare uses only NCP. These and other differences are summarized in “NetStorage” on page 181. NetWare Traditional File System: Novell has no plans to port the NetWare Traditional File System to Linux. NetWare Traditional Volumes: Yes - NFAP; Yes - native to ... For NetWare, see “Working with UNIX...
  • Page 32 “Functions Unique to the NetWare Platform” in the NW 6.5 SP8: OpenSSH Administration Guide. PAM (Pluggable Authentication Modules): PAM is a Linux service that Novell leverages to provide eDirectory authentication. eDirectory authentication is native on NetWare. Pervasive.SQL*: Pervasive.SQL is available for Linux from the Web (http://www.pervasive.com/...
  • Page 33 Directory Agent scope information in eDirectory. This provides for sharing of scope information among DAs. Novell SLP is not available on Linux. OpenSLP on Linux is not customized to provide DA synchronization. Therefore, DA synchronization is only available for eDirectory on NetWare.
  • Page 34: Which Services Do I Need

    “Administration Instance vs. Public Instance on NetWare” (http://www.novell.com/documentation/oes2/web_tomcat_nw/data/ahdyran.html#ahdyran) Virtual Office (Collaboration): Virtual Office has been replaced by Novell Teaming + Conferencing. A separate purchase is required. For more information, see the Novell Teaming + Conferencing Web Site (http://www.novell.com/products/teaming/index.html).
  • Page 35: Prepare Your Existing Edirectory Tree For Oes 2

    Large networks usually have one or more servers dedicated to providing a single network service. For example, one or more servers might be designated to provide Novell iFolder file services to network users while other servers provide iPrint printing services for the same users.
  • Page 36: Understand User Restrictions And Linux User Management

    Section 3.9.12, “Installing into an Existing eDirectory Tree,” on page 43 Section 3.9.13, “NetWare Caveats,” on page 43 Section 3.9.14, “Novell Distributed Print Services Cannot Migrate to Linux,” on page 44 Section 3.9.15, “NSS Caveats,” on page 44 Section 3.9.16, “Plan eDirectory Before You Install,” on page 45 Section 3.9.17, “Samba Enabling Disables SSH Access,”...
  • Page 37: Adding A Linux Node To A Cluster Ends Adding More Netware Nodes

    Novell AFP For Linux Administration Guide 3.9.3 Always Double-Check Service Configurations Before Installing It is critical that you double-check your service configurations on the Novell Open Enterprise Server Configuration summary page before proceeding with an installation. Two reasons for this are explained in Section 3.9.4, “Back Button Doesn’t Reset Configuration Settings,”...
  • Page 38: Cluster Upgrades Must Be Planned Before Installing Oes 2

    OES 2 server. Also be aware that not all OES services require that users are LUM-enabled. Novell Client users, for example, can access NCP and NSS volumes on OES 2 servers just as they do on NetWare without any additional configuration.
  • Page 39: Do Not Upgrade To Edirectory 8.8 Separately

    “The OES 2 Solution: Standardizing the UIDs on all OES servers” on page 40 NetStorage, XTier, and Their System Users By default, certain OES services, such as NetStorage, rely on a background Novell service named XTier. To run on an OES server, XTier requires two system-created users (named...
  • Page 40 For NetStorage to run, these XTier users and group must be able to read data on all volume types that exist on the OES server. As long as the server only has Linux traditional file systems, such as Ext3 and Reiser, NetStorage runs without difficulties.
  • Page 41 XTier users and the novlxtier group, then continue with Step You need these numbers to standardize the IDs on the server. 4 Download the following script file: fix_xtier_ids.sh (http://www.novell.com/documentation/oes2/scripts/fix_xtier_ids.sh) 5 Customize the template file by replacing the variables marked with angle brackets (<>) as follows: <server_name>: The name of the server object in eDirectory.
  • Page 42: Ifolder 3.8 Considerations

    After eDirectory and the iManager plug-ins install successfully, the Novell DHCP configuration fails. You must then use iManager to change either the LDAP server configuration or the Novell DHCP configuration to support your preferred communication protocol.
  • Page 43: Installing Into An Existing Edirectory Tree

    101. Be Sure that OpenSLP on OES 2 Is Configured Properly Novell SLP (NetWare) and OpenSLP (Linux) can coexist, but there are differences between the services that you should understand before deciding which to use or before changing your existing SLP service configuration.
  • Page 44: Novell Distributed Print Services Cannot Migrate To Linux

    6.5 SP3 or later, installing an OES 2 server into the tree can cause the DA servers to abend. LDAP Servers: If the LDAP servers referenced in your installation are not running NetWare 6.5 SP3 or later, the servers might abend during a schema extension operation. 3.9.14 Novell Distributed Print Services Cannot Migrate to Linux ®...
  • Page 45: Plan Edirectory Before You Install

    3.9.18 Unsupported Service Combinations Do not install any of the following service combinations on the same server. Although not all of the combinations shown in Table 3-2 cause pattern conflict warnings, Novell does not support any of them. Planning Your OES 2 Implementation...
  • Page 46 Novell Domain Services for Windows Novell Samba There is an exception if NCP server is installed on the same server as Novell AFP. To support cross-protocol file locking between Novell AFP and NCP, Samba must be installed on the server, but it cannot be used for providing file services to CIFS or SMB clients.
  • Page 47 Disables CUPS Printing on the OES 2 Server,” on page Xen Virtual Machine Host Server Novell Linux User Management (LUM) No restrictions Novell NCP Server / Dynamic Storage Technology Xen Virtual Machine Host Server Novell NetStorage Novell Domain Services for Windows Xen Virtual Machine Host Server...
  • Page 48: Vnc Install Fails To Set The Ip Address In /Etc/Hosts

    Novell DNS Novell Domain Services for Windows Novell eDirectory Novell FTP Novell iFolder Novell iManager Novell iPrint Novell NCP Server / Dynamic Storage Technology Novell NetStorage Novell Pre-Migration Server Novell QuickFinder Novell Remote Manager (NRM) Novell Samba Novell Storage Services Print Server (CUPS) 3.9.19 VNC Install Fails to Set the IP Address in /etc/hosts...
  • Page 49: Understand Your Installation Options

    Novell has invested considerable effort in identifying service coexistence and migration issues you might face. We understand, however, that we can’t anticipate every combination of services that you might have. Therefore, we intend to continue developing coexistence and migration information.
  • Page 50: About Your Installation Options

    Figure 3-1 OES 2 Install Preparation: Download the SLES 10 and OES 2 ISO image files from www.novell.com, or get the ISO image files or physical media from a Novell Authorized Reseller. Decide whether to install...
  • Page 51: Use Predefined Server Types (Patterns) When Possible

    CD/DVD Install: You can install SLES 10 SP1 by using CDs or a DVD and then install OES 2 from a CD, all of which can be either obtained from a Novell Authorized Reseller or created from downloaded ISO image files.
  • Page 52: If You Want To Install Nss On A Single-Drive Linux Server

    3.11.5 If You Want to Install NSS on a Single-Drive Linux Server Many are interested in Novell Storage Services (NSS) running on Linux. If you plan to experiment with NSS on a single-drive server, be sure to follow the instructions in “Installing with EVMS as the...
  • Page 53: Getting And Preparing Oes 2 Software

    Novell Web Site (http://www.novell.com/ nps). 2 Click Customer Center and log in, using your Novell account username and password to access the Novell Customer Center home page. 3 Follow the instructions on the page to obtain the upgrade to Open Enterprise Server 2.
  • Page 54: Do You Want To Purchase Oes 2 Or Evaluate It

    When you purchase OES 2, you receive two activation codes for OES 2 (one for OES 2 services and one for SUSE Linux Enterprise Server 10). Both codes are required for registering an OES 2 system in the Novell Customer Center. After it is registered, your server can receive online updates, including the latest support pack.
  • Page 55: Understanding Oes 2 Software Evaluation Basics

    2 SP2 e-Media Kit link. 4 Click the proceed to download button (upper right corner of the first table). 5 If you are prompted to log in, type your Novell Account username and password, then click login. 6 Accept the Export Agreement (required for first downloads only) and answer the survey questions about your download (optional).
  • Page 56: Preparing The Installation Media

    55, you now have two activation/evaluation codes: one for OES 2 and another for SLES 10. As you install OES 2, you should register with the Novell Customer Center and use these codes to enable your server for online updates from the OES 2 and SLES 10 patch channels.
  • Page 57: Evaluating Oes 2

    OES 2 product are limited to the rights set forth in the EULA. Violators of the Novell license agreements and intellectual property are prosecuted to the fullest extent of the law. Getting and Preparing OES 2 Software...
  • Page 58: Sles Licensing Entitlements In Oes 2

    NetWare usage. You can also monitor usage of Novell Licensing Services-enabled products. 4.5.3 OES 2 Doesn’t Support NLS Novell Licensing Services (NLS) are not available on OES 2, nor does an OES 2 installation require a license/key file pair (* and * ).
  • Page 59: Installing Oes 2

    2 and SLES 10 at the same time, making the installation of SLES 10 and OES 2 services a seamless process. To ensure a successful installation: 1. Read and follow all instructions in the OES 2 Readme (http://www.novell.com/documentation/ oes2/oes_readme/data/oes_readme.html#bsen7me). 2. Carefully follow the instructions in the OES 2 SP2: Installation Guide, especially those found “Preparing to Install OES 2...
  • Page 60: Installing Oes 2 Servers In A Xen Vm

    Linux Enterprise Server (SLES) 10 SP3 VM host server, creating a VM, and then installing an OES 2 server (NetWare or Linux) in the VM. To get started with Xen virtualization in OES 2, see the following: “Introduction to Xen Virtualization” (http://www.novell.com/documentation/sles10/xen_admin/data/sec_xen_basics.html) in the Virtualization with Xen guide (http://www.novell.com/documentation/sles10/xen_admin/data/bookinfo.html).
  • Page 61: Caveats For Implementing Oes 2 Services

    Section 6.10, “Management,” on page 68 Section 6.11, “NCP Doesn’t Equal NSS File Attribute Support,” on page 69 Section 6.12, “Novell-tomcat Is for OES Use Only,” on page 70 Section 6.13, “NSS (OES 2),” on page 70 Section 6.14, “OpenLDAP on OES 2,” on page 71 Section 6.15, “Samba,”...
  • Page 62: Avoiding Posix And Edirectory Duplications

    6.2 Avoiding POSIX and eDirectory Duplications OES 2 servers can be accessed by: Local (POSIX) users that are created on the server itself; eDirectory users that are given local access through Linux User Management (LUM). However, there are some issues you need to consider: Section 6.2.1, “The Problem,”...
  • Page 63: Avoiding Duplication

    The users Group There is another default system-created group named users that is not used by OES 2 services but is nevertheless created on all SLES 10 (and therefore, OES 2) servers. Creating an eDirectory group named users would seem logical to many administrators. And as with the shadow group, nothing prevents you from using this name.
  • Page 64: Cifs

    NOTE: The list of users and groups in Appendix I, “System User and Group Management in OES 2 SP2,” on page 257 is not exhaustive. For example, the users group is not listed. Create Only eDirectory Users and Groups For OES 2 services, the LUM technology eliminates the need for local users and groups. We recommend, therefore, that you avoid the problems discussed in this section by not creating local users and groups.
  • Page 65: Avoid Uninstalling Edirectory

    If you have an issue that you believe can only be resolved by uninstalling eDirectory, make sure you consult with Novell Technical Services before you attempt to do so. 6.6.2 Avoid Renaming Trees and Containers The configuration files for many OES services point to configuration data stored within eDirectory.
  • Page 66: One Instance Only

    Implementation caveats for iFolder 3.8 are documented in “Caveats for Implementing iFolder 3.7 and Later Services” in the Novell iFolder 3.8 Administration Guide. 6.8 iPrint iPrint has the following implementation caveats: Section 6.8.1, “Cluster Failover Between Mixed Platforms Not Supported,” on page 66 Section 6.8.2, “Printer Driver Uploading on OES 2 Might Require a CUPS Administrator...
  • Page 67: Printer Driver Uploading On Oes 2 Might Require A Cups Administrator Credential

    OES installation of iPrint. 6.9 LDAP—Preventing “Bad XML” Errors If you are using Novell eDirectory 8.7.3x, timeouts are possible when you search from iManager for eDirectory objects, such as NCP Server objects, Volume objects, and Cluster objects. This is because the Object Class attribute is not indexed by default.
  • Page 68: Management

    30 seconds to 10 to 50 milliseconds. For instructions, see “Creating an Index” in Novell eDirectory 8.8 Administration Guide. Building indexes speeds up the subtree search, even if some partitions being searched do not contain these types of objects. For example, searching for a Cluster object in a context that contains only users is not expected to return results;...
  • Page 69: Storage Error In Imanager When Accessing A Virtual Server

    Figure 6-1 Roles and Tasks. For more information on iManager, see the Novell iManager 2.7.3 Administration Guide. 6.10.2 Storage Error in iManager When Accessing a Virtual Server iManager returns a Storage Error when you access the Authentication tab for a virtual server object.
  • Page 70: Novell-Tomcat Is For Oes Use Only

    However, this doesn’t work, because NSS file attributes are only supported on NSS volumes. 6.12 Novell-tomcat Is for OES Use Only The novell-tomcat package is installed for Novell service use only. It is an embedded part of Novell services, not a generic application platform.
  • Page 71: Openldap On Oes 2

    6.16.2 Always Use Timesync Rather Than NTP Time synchronization problems have been observed when virtualized NetWare servers are running the XNTPD NLM. Therefore, Novell strongly recommends using Timesync and also configuring the service to communicate through NTP. 6.16.3 Backing Up a Xen Virtual Machine...
  • Page 72: Nss Considerations

    6.16.5 NSS Considerations Make sure you follow these guidelines for using NSS volumes in connection with OES 2 servers running in Xen VMs: Both Linux and NetWare Platforms: NSS pools and volumes must be created only on SCSI or Fibre Channel devices. You cannot use a file-based disk image, an LVM-based disk image, or a SATA/IDE disk for the virtual machine.
  • Page 73: Upgrading To Oes 2

    If iManager 2.5 is installed on a NetWare server, and you upgrade it to NetWare 6.5 SP8, iManager and its associated plug-ins are automatically updated to version 2.7. For more information about iManager 2.7, see the Novell iManager 2.7.3 Administration Guide. If you are using iManager 2.02, iManager is not upgraded.
  • Page 74: Only One Edirectory Instance Is Supported On Oes Servers

    7.1.4 Only One eDirectory Instance Is Supported on OES Servers If your OES server has multiple instances of eDirectory running (multiple trees), any attempt to upgrade the server fails. You must remove all instances, except the one that uses port 524, prior to an upgrade. For more information, see Section 6.6.5, “One Instance Only,”...
  • Page 75: Migrating And Consolidating Existing Servers And Data

    Migrating and Consolidating Existing Servers and Data This section briefly outlines the following migration topics: Section 8.1, “Supported OES 2 SP2 Migration Paths,” on page 75 Section 8.2, “Migration Tools and Purposes,” on page 75 8.1 Supported OES 2 SP2 Migration Paths For a complete list of Open Enterprise Server 2 SP2 migration scenarios and paths, see “Migration Scenarios”...
  • Page 77: Virtualization In Oes 2

    (OES 2 SP2 Linux or SLES 10 SP3) 9.2 Why Install OES Services on Your VM Host? Novell supports three OES 2 services running on a Xen VM host server: Novell Linux User Management, Novell Storage Management Services, and Novell Cluster Services. Additionally, whenever you specify OES 2 as an add-on product, the YaST-based NetWare Response File Utility is automatically installed, whether you install any OES 2 services or not.
  • Page 78: Services Supported On Vm Hosts And Guests

    Storage Management Services (SMS): Lets you back up the VM host server and all of the VM guests. Novell Cluster Services (NCS): Lets you cluster the VM guests running on the VM host. NetWare Response File Utility: Lets you pre-answer the same questions as you would during a physical NetWare installation.
  • Page 79 OES 2 Service Linux VM Host Linux VM Guest NetWare VM Guest NCP Server/Dynamic Storage Technology NetStorage Novell Remote Manager (NRM) Novell Storage Services (NSS) QuickFinder Samba IMPORTANT: Adding OES services to a Xen VM host requires that you boot the server with the regular kernel prior to adding the services.
  • Page 81: Clustering And High Availability

    Open Enterprise Server 2 includes support for a two-node Novell® Cluster Services cluster. The full Novell Cluster Services product (available through a separate purchase) is a multinode clustering product that: Can include up to 32 servers. Is supported for both NetWare and Linux.
  • Page 83: Managing Oes 2

    Managing OES 2 This section includes the following topics: Section 11.1, “Overview of Management Interfaces and Services,” on page 83 Section 11.2, “Using OES 2 Welcome Pages,” on page 84 Section 11.3, “OES Utilities and Tools,” on page 85 Section 11.4, “SSH Services on OES 2,” on page 93 11.1 Overview of Management Interfaces and Services As shown in...
  • Page 84: Using Oes 2 Welcome

    Figure 11-2 The Default OES Welcome Page (shown for 192.168.1.45): Run iManager, NRM, etc.; Access installed Web services; Download applicable client software; Read about OES 2 and the Novell Open Workgroup Suite.
  • Page 85: Accessing The Welcome Web Site

    Administrators,” a reference that outlines the OES equivalents for most of the familiar CLI tools on NetWare. ® Novell OES 2 includes several administration utilities that let you manage everything in your network, from configuring and managing eDirectory to setting up network services and open source software.
  • Page 86 NRM: Access Method: IP_Address:8008 ... NetWare. 2. Specify the eDirectory Admin username and password, or on Linux you can use the root user and password if needed. Notes: For more information, see the OES 2 SP2: Novell Remote Manager for Linux Administration Guide. Health Monitoring Services ...
  • Page 87 iManager: Access Method: IP_or_DNS/iManager.html 2. Specify the eDirectory Admin username and password. Tasks: Create and manage users, groups, and other objects. Delegate administration through Role-Based ... Notes: For more information on using iManager, see the Novell iManager 2.7.3 Administration Guide. See also iManager Workstation.
  • Page 88 Access Method: IP_or_DNS:8030/ Tasks: ... instances of the directory service) rather than the entire eDirectory tree. 2. Specify the eDirectory Admin username and password. Notes: For more information, see “Using Novell iMonitor 2.4” in the Novell eDirectory 8.8 Administration Guide. iPrint Map: Create a printer map 1.
  • Page 89 Tool | Tasks | Access Method or URL/Username | Notes. Novell Client: Tasks: Manage file system access; Manage File System ... Access Method: Use the Novell N icon to access these and other tasks. Notes: As an Admin user (or equivalent), you can set directory and user quotas for NSS data volumes.
  • Page 90 ... NetWare. 2. Specify either the eDirectory username and password or a Linux (POSIX) username and password. Tasks: Manage the NCP Server (Linux); Manage NCP connections to NSS ... Notes: For more information, see the OES 2 SP2: Novell Remote Manager for Linux Administration Guide.
  • Page 91 Tool | Tasks | Access Method or URL/Username | Notes. OpenSSH (client access): Tasks: Securely run commands on remote servers; Securely copy files and directories to... Access Method: Connect to the server using your favorite SSH client. Notes: On Linux, OpenSSH is installed by default and is accessed by eDirectory users as a LUM-enabled service. For more information, see...
  • Page 92 Tasks: Monitor an eDirectory server; Track the status of eDirectory to verify ... Access Method: ... your platform. 2. Access SNMP for eDirectory services using the SNMP ... Notes: For more information on SNMP for eDirectory, see “SNMP Support for Novell eDirectory” in the Novell eDirectory 8.8 Administration...
  • Page 93: Ssh Services On Oes 2

    Section 11.4.1, “Overview,” on page 93 Section 11.4.2, “Setting Up SSH Access for LUM-enabled eDirectory Users,” on page 95 11.4.1 Overview SSH (http://www.novell.com/company/glossary.html#4187) services on SLES 10 are provided by OpenSSH (http://www.openssh.org), a free version of SSH connectivity tools developed by the OpenBSD Project (http://www.openbsd.org/).
  • Page 94 “How SSH Access for eDirectory Users Works” on page 94 “SSH Security Considerations” on page 95 When Is SSH Access Required? SSH access is required for the following: SSH administration access for eDirectory users: For eDirectory users to manage the server through an SSH connection, they must have SSH access as LUM-enabled users (eDirectory...
  • Page 95: Setting Up Ssh Access For Lum-Enabled Edirectory Users

    2 On the OES 2 server, open the YaST Control Center; then, in the Open Enterprise Server group, click OES Install and Configuration. 3 Click Accept. 4 When the Novell Open Enterprise Server Configuration screen has loaded, click the Disabled link under Linux User Management. The option changes to Enabled and the configuration settings appear.
  • Page 96 “Managing User and Group Objects in eDirectory” in the OES 2 SP2: Novell Linux User Management Technology Guide. After you configure the server’s firewall to allow SSH, add SSH as an allowed service, and LUM- enable the eDirectory users you want to have SSH access, if those same users are not also enabled for Samba on the server, they now have SSH access to the server.
  • Page 97 Although the plug-in appears to deselect sshd as an allowed service, the service is still selected when group information is reloaded. Novell plans to address this issue in the near future. Managing OES 2...
  • Page 99: Network Services

    Network Services Network services, as used in this section, are associated with protocols that provide the following: Data packet transport on the network. Management of IP addresses and DNS names. Time synchronization to make sure that all network devices and eDirectory replicas and partitions have the same time.
  • Page 100: Dns Differences Between Netware And Oes 2

    Table 12-1 DNS: NetWare 6.5 SP8 vs. OES 2. Feature or Command | NetWare 6.5 SP8 | OES 2. Auditing: DNSMaint | ... Fault Tolerance: ... Filenames and paths: Server binary: sys:/system/named.nlm | /opt/novell/named/bin/novell-named; .jnl file; sys:/etc/dns | /etc/opt/novell/named/named.conf; Stat file, info file: /var/opt/novell/log/named/named.run. Console commands:...
  • Page 101: Dhcp Differences Between Netware And Oes 2

    12.2.2 DHCP Differences Between NetWare and OES 2 As you plan to upgrade from NetWare to OES 2, consider the following differences between DHCP on NetWare and OES 2: DHCP: NetWare 6.5 SP8 vs. OES 2 Table 12-2 Feature or Command NetWare 6.5 SP8 OES 2 Auditing...
  • Page 102: Overview Of Time Synchronization

    Section 12.3.5, “Configuring and Administering Time Synchronization,” on page 111 Section 12.3.6, “Daylight Saving Time,” on page 112 12.3.1 Overview of Time Synchronization All servers in an eDirectory tree must have their times synchronized to ensure that updates and changes to eDirectory objects occur in the proper order. eDirectory gets its time from the server operating system of the OES 2 server where it is installed.
  • Page 103 Figure 12-2 illustrates that OES 2 and NetWare 6.5 servers can freely interchange time synchronization information because NetWare 6.5 includes the following: A TIMESYNC NLM that both consumes and provides NTP time packets in addition to Timesync packets. An XNTPD NLM that can provide Timesync packets in addition to offering standard NTP functionality.
  • Page 104 Synchronizing Time on NetWare 5.0 and 4.2 Servers Figure 12-4 NTP packets Timesync packets TIMESYNC NLM TIMESYNC NLM NetWare NetWare Therefore, if you have NetWare 4.2 or 5.0 servers in your eDirectory tree, and you want to install an OES 2 server, you must have at least one NetWare 5.1 or later server to provide a “bridge” between NTP and Timesync time packets.
  • Page 105: Planning For Time Synchronization

    OES 2 Servers as Time Consumers Figure 12-6 shows the time sources that OES 2 servers can use for synchronizing server time. IMPORTANT: Notice that NetWare 4.2 is not shown as a valid time source. OES 2 servers as Time Consumers Figure 12-6 External, reliable time source...
  • Page 106 “Time Synchronization for Trees with More Than Thirty Servers” on page 106 “Time Synchronization across Geographical Boundaries” on page 106 Time Synchronization for Trees with Fewer Than Thirty Servers If your tree will have fewer than thirty servers, the default installation settings for time synchronization should be sufficient for all of the servers except the first server installed in the tree.
  • Page 107 Planning a Time Synchronization Hierarchy before Installing OES The obvious goal for time synchronization is that all the network servers (and workstations, if desired) have the same time. This is best accomplished by planning a time synchronization hierarchy before installing the first OES 2 server, then configuring each server at install time so that you form a hierarchy similar to the one outlined in Figure 12-7.
  • Page 108: Coexistence And Migration Of Time Synchronization Services

    6 (Conditional) If your network spans geographic locations, plan the connections for time-related traffic on the network and especially across WANs. For more information, see “Wide Area Configuration” in the NW 6.5 SP8: NTP Administration Guide. For more planning information, see the following documentation: NW 6.5 SP8: Network Time Synchronization Administration Guide NW 6.5 SP8: NTP Administration Guide NTP information found on the OES 2 server in /usr/share/doc/packages/xntp and on the...
  • Page 109 Time Synchronization Compatibility Table 12-3 Module Compatibility TIMESYNC NLM (NetWare) Can consume time from All previous versions of Timesync. However, the NetWare 4.2 TIMESYNC NLM should not be used as a time source. Any TIMESYNC or NTP daemon. Can provide time to All previous versions of Timesync.
  • Page 110: Implementing Time Synchronization

    12.3.4 Implementing Time Synchronization As you plan to implement your time synchronization hierarchy, you should know how the NetWare and OES 2 product installations configure time synchronization on the network. Both installs look at whether you are creating a new tree or installing into an existing tree. “New Tree”...
  • Page 111: Configuring And Administering Time Synchronization

    Existing Tree When a server joins an existing eDirectory tree, both OES installations do approximately the same thing. “OES 2” on page 111 “NetWare 6.5 SP8” on page 111 OES 2 If you are installing into an existing tree, the OES 2 install proposes to use the IP address of the eDirectory server (either NetWare or Linux) as the NTP time source.
  • Page 112: Daylight Saving Time

    Some systems are designed to leverage only a single discovery technology. Others choose among the various providers. And some use different technologies in combination with each other. Section 12.4.1, “Novell SLP and OpenSLP,” on page 112 Section 12.4.2, “WinSock and Discovery Is NetWare only,” on page 113 Section 12.4.3, “UDDI and Discovery,”...
  • Page 113: Winsock And Discovery Is Netware Only

    Application Server. Starting with NetWare 6.5 SP3, the UDDI server component was removed from the list of products that could be installed. The Novell UDDI server has been released as open source software and is available for download on Novell Forge Web site (http://forge.novell.com/modules/xfmod/project/ showfiles.php?group_id=1025).
  • Page 114: Comparing Novell Slp And Openslp

    Also, when a Novell SLP DA starts up, it immediately populates its cache with the latest service information stored in eDirectory. NOTE: Novell SLP DAs do not directly share information with each other as many administrators have assumed.
  • Page 115: Setting Up Openslp On Oes 2 Networks

    You plan to install more than three servers into a new tree or a new eDirectory partition being created on an OES 2 server. You either don’t have an existing Novell SLP service, or you don’t want to continue using Novell SLP.
  • Page 116 Scopes group and organize the services on your network into logical categories. For example, the services that the Accounting group needs might be grouped into an Accounting scope. More information about scope planning is available in “SLP Scopes” in the Novell eDirectory 8.8 Administration Guide and on the OpenSLP Web site (http://www.openslp.org/).
  • Page 117 “Configuring for DA Access Before or After Installing the OES 2 Server” on page 117 Configuring for DA Access During the OES 2 Installation As you install OES 2 by using the instructions in the “Novell eDirectory Services” section of the OES 2 SP2: Installation...
  • Page 118 Configuring NetWare Servers to Use the OpenSLP Service IMPORTANT: NetWare uses Novell SLP by default and will configure a server for that service if possible. Complete one of the following as it applies to your situation: “Configuring for DA Access During the NetWare Server Installation” on page 118 “Configuring for DA Access After Installing the NetWare Server”...
  • Page 119: Using Novell Slp On Oes 2 Networks

    12.5.4 Using Novell SLP on OES 2 Networks If you have a NetWare tree, you automatically have Novell SLP on your network and you can continue to use it as the SLP service during the upgrade to OES 2 until you are ready to switch to OpenSLP.
  • Page 120 = Directory 4 Find the following line: ;net.slp.DAAddresses = myDa1,myDa2,myDa3 5 Modify the line by removing the semicolon and typing the actual IP address of the Novell SLP DA (using Novell Remote Manager if necessary). net.slp.DAAddresses = IP_Address 6 Save the file and close it.
  • Page 121 9 If you did this after installing OES 2, enter the following name to verify that the tree is found: slptool findsrvs service:ndap.novell Checking the Status of Novell SLP Services There are several ways to check the status of Novell SLP services. If you know the IP addresses of the DAs, check the file on non-DA SYS:\etc\slp.cfg...
  • Page 123: Storage And File Systems

    Section 13.1.3, “File System Support in OES,” on page 124 Section 13.1.4, “Storage Basics by Platform,” on page 126 Section 13.1.5, “Storage Options,” on page 126 Section 13.1.6, “NetWare Core Protocol Support (Novell Client Support) on Linux,” on page 128 13.1.1 Databases See the topics in “databases”...
  • Page 124: Iscsi

    ” in the OES online documentation. 13.1.3 File System Support in OES ® As shown in Figure 13-1, both OES 2 and NetWare support Novell Storage Services as well as their traditional file systems. File System Choices on OES 2 Servers...
  • Page 125 File System Type Summary Link for More Information Novell Storage Services (NSS) NSS lets you manage your For an overview of NSS, see shared file storage for any size “Overview of NSS” in the OES 2 organization. SP2: NSS File System Administration Guide.
  • Page 126: Storage Basics By Platform

    NSS and Storage Devices NSS supports both physical devices (such as hard disks) and virtual devices (such as software RAIDs and iSCSI devices). For more information on the various devices that NSS supports, see “Managing Devices” in the OES 2 SP2: NSS File System Administration Guide.
  • Page 127 A separate, dedicated data network consisting of servers and storage media that are connected through high-speed interconnects, such as Fibre Channel. Novell iSCSI You can create a SAN using Novell iSCSI, which uses Novell eDirectory to manage iSCSI resources, including granting trustee rights and user file access. For information, see NW 6.5 SP8: iSCSI 1.1.3 Administration...
  • Page 128: Netware Core Protocol Support (Novell Client Support) On Linux

    (NCP) for highly secure file storage services. Novell Storage Services (NSS) volumes are NCP volumes by nature, and you can also define Linux POSIX volumes as NCP volumes. The main difference in access control between NSS volumes and Linux POSIX volumes that are defined as NCP volumes is that NSS extended file and directory attributes are not available on Linux POSIX volumes.
  • Page 129: File Service Support Considerations

    - iFolder 3.8 - iFolder 3.8 - iFolder 3.8 - NetStorage - NetStorage - NetStorage - NetStorage - Novell Client (NCP) - Novell Client (NCP) - Novell AFP - Novell AFP - Samba - Samba - Novell CIFS - Novell CIFS...
  • Page 130 Novell Trustee Model and NSS directory and file attributes (such as Rename Inhibit) provide access control that is much richer than POSIX The Novell Storage Services file system is used in NetWare 5.0 and above, and most recently is open ®...
  • Page 131 It is designed to manage access control (using a unique model, called the Novell Trustee Model, that scales to hundreds of thousands of different users accessing the same storage securely) in enterprise file sharing environments.
  • Page 132 CIFS (Novell CIFS and Samba): The Common Internet File Services (CIFS) protocol is the protocol for Windows networking and file services. Novell CIFS is a ported version of the CIFS file service traditionally available only on NetWare but now available for OES 2.
  • Page 133 OES 2 Workloads Each file system has its strengths and weaknesses depending on the workload the file system supports. This section gives some guidelines for picking and building the right file system for a given workload. In determining which file system to use for a particular workload, consider your environment and the following explanation of each workload to determine which file system best meets your workload environment.
  • Page 134: Nss Planning Considerations

    Reiser and NSS the best bets. Novell iFolder maintains its own ACL, so having an NSS file system that supports a rich ACL might be redundant.
  • Page 135: Coexistence And Migration Of Storage Services

    NOTE: The more powerful PostgreSQL* database server comes with SUSE Linux Enterprise Server 10. 13.3.2 OES 2 Options OES 2 provides support for Novell Storage Services (NSS) as well as Linux POSIX file systems. “NSS Volumes” on page 135 “Linux POSIX File Systems” on page 136 NSS Volumes NSS volumes are cross-compatible between NetWare and Linux.
  • Page 136: Netware 6.5 Sp8 Options

    You can install NCP Server for Linux to provide NetWare Core Protocol access to Linux POSIX file systems. This allows users running the Novell Client software to map drives to the Linux file system data, with access controls being enforced by NCP.
  • Page 137: Managing Directories And Files

    Table 13-3 Category/Feature Description Link Archive and Version Use Archive and Version Services with OES 2 SP2: Novell Archive and Services NSS volumes to save interval-based Version Services 2.1 for Linux copies of files that can be conveniently Administration Guide restored by administrators and users.
  • Page 138: Optimizing Storage Performance

    Category/Feature Description Link Partitions Manage partitions on NSS volumes. “Managing Partitions” in the OES 2 SP2: NSS File System Administration Guide Pools Create and manage NSS pools. “Managing NSS Pools” in the OES 2 SP2: NSS File System Administration Guide Quotas Set space restrictions for users and “Managing Space Quotas for Volumes,...
  • Page 139: Edirectory, Ldap, And Domain Services For Windows

    Storing and managing network identities in directory services is a fundamental expectation for networking. In the simplest terms, Novell® eDirectory is a tree structure containing a list of objects (or identities) that represent network resources, such as the following:...
  • Page 140: Edirectory

    OES 2 server eDirectory servers eDirectory servers 14.2 eDirectory Novell eDirectory is the central, key component of Novell Open Enterprise Server (OES) and provides the following: Centralized identity management The underlying infrastructure for managing your network servers and the services they provide...
  • Page 141: Planning Your Edirectory Tree

    NetWare 4.x to 5.x involved not only upgrading NDS, but also moving from IPX to TCP/IP. This transition brought significant changes to the core schema and security-related components. Novell has consistently provided the migration tools and support required to migrate to new eDirectory versions.
  • Page 142: Overview Of Edirectory Ldap Services

    Users can work in a pure Windows desktop environment and still take advantage of some OES back-end services and technology, without the need for a Novell Client™ or even a matching local user account on the Windows workstation.
  • Page 143: Graphical Overview Of Dsfw

    14.4.1 Graphical Overview of DSfW “File Access” on page 143 “User Management” on page 144 “Storage Management” on page 145 File Access DSfW File Access Overview Figure 14-2 Access Methods Authentication File Storage Services Windows Explorer eDirectory User Internet Explorer Could be on a eDirectory separate OES 2 server...
  • Page 144: User Management

    Windows Explorer (CIFS) or authentication through the provided by Samba to NSS Internet Explorer (WebDAV Web eDirectory server using common or traditional Linux file Folders). No Novell Client can be on the Windows authentication systems. machine. protocols, including Kerberos*, For eDirectory users, NTLM, and SSL/TLS.
  • Page 145: Storage Management

    DSfW User Management Table 14-2 Management Tools Users iManager manages DSfW users like DSfW users must have the Default Domain Password policy other eDirectory users. assigned and a valid Universal Password. MMC manages both AD users and DSfW users are automatically enabled for Samba and LUM. DSfW users as though they were AD users.
  • Page 146: Planning Your Dsfw Implementation

    Universal Password in a Name-Mapped Scenario If you install DSfW into an existing tree and your users don’t currently have a Universal Password policy assigned, they won’t be able to log in without the Novell Client until the Universal Password has been set.
  • Page 147 Install DSfW on a New OES 2 Server When Possible Because of the service limitations mentioned in OES 2 Service Limitations, Novell strongly recommends that you install DSfW on a new server. DNS Configuration As you set up DNS, observe the following guidelines: First DSfW Server (FRD): This should point to itself as the primary DNS server, and to the network DNS server as the secondary DNS server (if applicable).
  • Page 149: Users And Groups

    “local” POSIX users on Linux servers. This technology is called Linux User Management or LUM. The following sections outline the basic principles involved in Novell LUM and cover the following topics: Section 15.2.1, “Overview,”...
  • Page 150: Overview

    The topics in this section are designed to help you understand when LUM-enabled access is required so that your network services are accessible and work as expected. For more information about Linux User Management, see “Overview” in the OES 2 SP2: Novell Linux User Management Technology Guide.
  • Page 151 Even if eDirectory is not available, you can still log into the server through Novell Remote Manager and perform other system management tasks as the user.
  • Page 152 About Service Access on OES 2 Novell Linux User Management (LUM) lets you use eDirectory to centrally manage remote users for access to one or more OES 2 servers. In other words, LUM lets eDirectory users function as local (POSIX) users on an OES 2 server.
  • Page 153 NOTE: Logging in to the OES 2 server through a PAM-enabled service for the first time causes the creation of a home directory on the server. Novell Remote Manager on Linux: You can access Novell Remote Manager as the following: user with rights to see everything on the Linux server.
  • Page 154 Samba until you change POSIX file ownership. Although the Novell implementation of Samba leverages eDirectory for authentication, Samba file and directory access is always controlled by POSIX. The Novell Trustee Model doesn’t apply to Samba. Both Novell trustee assignments and POSIX file ownership are tracked correctly after users are LUM-enabled.
  • Page 155: Planning

    “Enabling Users to Access Multiple OES 2 Servers” on page 156. For more information on LUM, see the OES 2 SP2: Novell Linux User Management Technology Guide. 15.2.2 Planning The following sections summarize LUM planning considerations. “eDirectory Admin User Is Automatically Enabled for Linux Access” on page 155 “Planning Which Users to Enable for Access”...
  • Page 156: Lum Implementation Suggestions

    nambulkadd: For more information, see the OES 2 SP2: Novell Linux User Management Technology Guide. “UNIX Workstation” and “Linux Workstation” Are the Same Thing When you use iManager to manage OES 2 access, you might notice some inconsistencies in naming.
  • Page 157 7 Click Next, click Finish, then click OK. Using LUM Utilities at the Command Prompt Novell Linux User Management includes utilities for creating new LUM-enabled groups, and for enabling existing eDirectory groups for Linux access. The nambulkadd utility lets you use a text editor to create a list of groups you want enabled for Linux access.
  • Page 158: Identity Management Services

    If you currently store and manage all your users and groups in eDirectory, you can continue to do so. If you use Novell Client software to provide network file and print services, you can now provide seamless file and print access to OES 2 servers by using the NCP server for Linux and iPrint services.
  • Page 159: Using The Identity Manager 3.6.1 Bundle Edition

    Manager. 15.4.3 Installation Considerations Novell Identity Manager Bundle Edition contains components that can be installed within your environment on multiple systems and platforms. Depending on your system configuration, you might need to run the installation program several times to install Identity Manager components on the appropriate systems.
  • Page 160: Getting Started

    Identity Manager Bundle Edition. For more information on Activation issues, see “Activating the Bundle Edition” on page 160. 15.4.4 Getting Started The following sections from the Novell Identity Manager Administration Guide will help you plan, install, and configure your Identity Manager Bundle Edition. Overview (http://www.novell.com/documentation/idm35/install/data/alxkrnf.html) Planning Your Implementation (http://www.novell.com/documentation/idm35/install/data/ anhomxn.html) Installing Identity Manager (http://www.novell.com/documentation/idm35/install/data/...
  • Page 161 Metadirectory Engine and a remote driver (on the Solaris or AIX server). See Setting Up a Connected System (http://www.novell.com/documentation/idm35/admin/data/bs35odr.html) for more information. In order to run Identity Manager on Solaris or AIX, you need to purchase Novell Identity Manager.
  • Page 162 Integration Modules, you also need to purchase Novell Identity Manager. The Integration Module cannot activate until you purchase Novell Identity Manager. If I purchase a license for Novell Identity Manager and a license for an additional Integration Module, do I need to re-install the software? No, you just need to install the activation credentials associated with your purchase.
  • Page 163: Access Control And Authentication

    The following sections present overviews of methods for accessing Open Enterprise Server 2 services. “Access to OES 2 Services” on page 164 “Access Control Options in OES 2” on page 165 “The Traditional Novell Access Control Model” on page 166 “NSS Access Control on OES” on page 167...
  • Page 164 Windows workstations use the CIFS protocol for file services. Novell® Client software for both Windows and Linux uses the NetWare Core Protocol (NCP) to provide the file services for which Novell is well known.
  • Page 165 171. Access Control Options in OES 2 Because OES 2 offers both traditional Novell access control and POSIX access control, you have a variety of approaches available to you, including combining the two models to serve various aspects of your network services.
  • Page 166 NSS offers. In the Novell access control model, eDirectory objects, such as users and groups, are assigned File System Trustee Rights to directories and files on NSS and NCP volumes. These trustee rights determine what the user or group can do with a directory or file, provided that the directory or file attributes allow the action.
  • Page 167 Access Rights Explanation Table 16-2 eDirectory File System Trustee Directory and File Directories and Files Objects Rights Attributes eDirectory File system trustee Each directory and The possible actions by the eDirectory objects (in rights govern access file has attributes users and group shown in this example most cases and usage by the associated with it.
  • Page 168 NSS volumes. Novell Client (NCP File Services) Access If you have not already determined whether to use the Novell Client on your network, we recommend that you consider the following information: “About the Novell Client” on page 168 “Is the Novell Client Right for Your Network?”...
  • Page 169: Planning For Service Access

    Differences between Linux and Windows There are some differences between the Linux and Windows clients. These are documented in “Understanding How the Novell Client for Linux Differs from the Novell Client for Windows 2000/ XP” in the Novell Client 2.0 SP2 for Linux Administration Guide.
  • Page 170 User space quotas Planning Print Service Access Novell iPrint has access control features that let you specify the access that each eDirectory User, Group, or container object has to your printing resources. You can also use iPrint to set up print services that don’t require authentication.
  • Page 171 File system browsers Linux default protocol and applications Novell AFP Novell CIFS or Samba CIFS iPrint WebDAV Internet Explorer to NetStorage, Novell CIFS, Samba Mac Win Novell Client NetWare Core Protocol (NCP) (File) PDAs HTTP NetStorage only OES servers...
  • Page 172: Coexistence And Migration Of Access Services

    NCP Server for Linux enables support for login scripts, mapping drives to OES 2 servers, and other services commonly associated with Novell Client access. This means that Windows users with the Novell Client installed can now be seamlessly transitioned to file services on OES 2. And with the ®...
  • Page 173 Using the Novell Client to Change File and Directory Attributes and Trustee Rights You can use the Novell Client to change NSS file and directory attributes and to grant trustee rights to an NSS volume on an OES 2 server. For more information, see “NetWare File...
  • Page 174: Authentication Services

    OES online documentation. NetIdentity Agent In OES 2, the NetIdentity Agent works with Novell eDirectory authentication to provide background eDirectory authentication to NetStorage through a secure identity “wallet” on the workstation. NetIdentity Agent browser authentication is supported only by Windows Internet Explorer.
  • Page 175 The Novell Client provides authentication credentials to NetIdentity, but it does not obtain authentication credentials from NetIdentity because it is not a Web-based application. NetIdentity Agent requires XTier (NetStorage) on the OES 2 server presented in the URL for the Web-based applications.
  • Page 176 Novell Password Management 3.2 Administration Guide. All Novell products and services are being developed to work with extended character (UTF-8 encoded) passwords. For a current list of products and services that work with extended characters, Novell TID 3065822 (http://www.novell.com/support/ search.do?cmd=displayKC&docType=kc&externalId=3065822&sliceId=1&docTypeID=DT_TID_ 1_1&dialogID=77556590&stateId=0%200%2077560425).
  • Page 177: Planning For Authentication

    Universal Password. Universal Password is not automatically enabled unless you install Novell AFP, Novell CIFS, Domain Services for Windows, or Novell Samba on an OES 2 server. You can optionally choose to have the Samba hash password stored separately.
  • Page 179: File Services

    The file service components in OES are generally compatible. However, you cannot run Novell Samba on the same OES 2 server as Novell AFP, Novell CIFS, or Domain Services for Windows, which is not reviewed as a file service, but does include an alternative Samba file service.
  • Page 180: Using The File Services Overviews

    NetWare Core Protocol (NCP) is the technology beneath many of the network services for which NetWare is famous. In OES, NCP is also available on Linux. The Novell NCP Server for Linux provides the rich file services that Novell is known for. Windows and Linux users who run Novell Client software can now access data, manage files and folders, map drives, etc., using the same methods as they do on...
  • Page 181: Netstorage

    Linux and NetWare. 17.1.4 NetStorage “Common Network File Storage Problems” on page 181 “Novell NetStorage on Linux” on page 182 NetStorage makes network files available anywhere, any time. Common Network File Storage Problems Network file access is often confusing and frustrating to users, as illustrated in Figure 17-2.
  • Page 182 Novell NetStorage on Linux NetStorage on Linux provides local and Web access to files on many systems without requiring the Novell Client (see Figure 17-3).
  • Page 183 How NetStorage Works on OES 2 Figure 17-3 Access Methods Authentication NetStorage Server Target Servers Windows Explorer CIFS share (NFAP) WebDAV CIFS share (Samba) Browser CIFS Windows servers HTTP NetStorage to manage Linux OES 2 traditional volume HTTP volume NetWare Traditional volume eDirectory/LDAP...
  • Page 184: Novell Afp

    SSH Access Required?” on page 17.1.5 Novell AFP The Novell AFP service lets users on Macintosh workstations access and store files on OES 2 servers with NSS volumes without installing any additional software, such as the Novell Client (see Figure 17-4).
  • Page 185: Novell Cifs

    OES 2 server. 17.1.6 Novell CIFS The Novell CIFS service lets users on Windows workstations access and store files on OES 2 servers with NSS volumes without installing any additional software, such as the Novell Client (see Figure 17-4).
  • Page 186: Novell Ifolder 3.8

    Files on the OES 2 server are accessed and maintained with the HTTP-WebDAV protocol. 17.1.7 Novell iFolder 3.8 Novell iFolder 3.8 supports multiple iFolders per user, user-controlled sharing, and a centralized network server for file storage and secure distribution (see Figure 17-6).
  • Page 187 Novell iFolder 3.8 Services Linux, Mac, and Windows workstation All file service access is Slave servers can be users who have the Novell iFolder Client controlled by LDAP- based added as needed, installed can access and modify their authentication through the providing the ability to files in one or more workstation folders.
  • Page 188: Novell Samba

    17.1.8 Novell Samba Samba on an OES 2 server provides Windows (CIFS and HTTP-WebDAV) access to files stored on the OES 2 server (see Figure 17-7). How Samba on OES Works Figure 17-7 Access Methods Authentication File Storage Services CIFS...
  • Page 189: Planning For File Services

    OES File Services Feature Breakdown Table 17-8 Service Access Method Features Back-End Storage Features Security Features NCP Server Novell Client (NCP client) Any Linux volumes eDirectory (NetWare Core (including NSS) that are Authentication Protocol) defined as NCP...
  • Page 190: Comparing Your Cifs File Service Options

    Windows Explorer 17.2.2 Comparing Your CIFS File Service Options OES 2 SP2 offers three file services that use the CIFS protocol: Novell CIFS, Novell Samba, and Samba in Domain Services for Windows (DSfW).
  • Page 191 Comparing OES 2 CIFS Solutions Table 17-9 Item Novell CIFS Novell Samba Samba in DSfW Authentication A Password policy that A Samba-compatible The Domain Services allows the CIFS proxy Password policy is Password policy is required user to retrieve required for compatibility for DSfW users.
  • Page 192: Planning Your File Services

    NetStorage: There are no disk space requirements because NetStorage provides access only to other file storage services. Novell AFP: Allocate enough disk space for the partition containing the /home directories to meet your users’ file storage needs. Novell CIFS: Allocate enough disk space for the partition containing the /home directories to meet your users’...
  • Page 193: Coexistence And Migration Of File Services

    Novell Client 2.0 SP2 for Linux Administration Guide. Because NCP is now available on Linux, Novell Client users can attach to OES 2 servers as easily as they have been able to attach to NetWare servers. The NCP Server for Linux enables support for login script, mapping drives to OES 2 servers, and other services commonly associated with Novell Client access.
  • Page 194: Netstorage

    OES 2 includes Samba software to provide Microsoft CIFS and HTTP-WebDAV access to files on the server. Like Novell CIFS, this is useful to those who don’t want to use the Novell Client. There is no migration path from Novell CIFS (NFAP) to Samba.
  • Page 195: Aligning Ncp And Posix File Access Rights

    However, because of the differences in the NetWare Core Protocol (NCP) and POSIX file security models (see Section 21.2.1, “Comparing the Linux and the Novell Trustee File Security Models,” on page 219) that is not the case by default on POSIX file systems.
  • Page 196: Providing A Private Work Directory

    Number / Setting / Binary Representation: --- = 000; --x = 001; -w- = 010; -wx = 011; r-- = 100; r-x = 101; rw- = 110; rwx...
  • Page 197: Providing A Group Work Area

    The reason for checking directories is that in the parent directories the directory owners are “other” users and they need to be able to see the path down to their own private directories. Because r-x is the default for most directories on Linux, you probably won’t need to change the permissions.
  • Page 198: Setting Up Rights Inheritance

    where path is the file path to the work area, and group_dir is the group work directory. The third 7 grants rwx to the group. (The example assumes that the owner of the directory should also retain all rights and that the group setting is irrelevant.) 2 Check each parent directory in the path up to the directory, making sure that all users root (/)
  • Page 199: Configuring Ftp

    For example: get //remote_server_name/volume/directory path/filename The double slash (//) indicates that the user wants to access a remote server. After the double slash, the first entry must be the name of the remote server. 17.5.1 Configuring FTP Configuration file: /etc/pure-ftpd/pure-ftpd.conf The configuration parameters for remote server navigation are as follows: Entry Value...
  • Page 200: Site Command

    NOTE: All the FTP users need to be LUM-enabled on the FTP server. 17.6 NCP Implementation and Maintenance If you have installed the NCP server for OES, eDirectory/Novell Client users can access files on the OES 2 server with no additional configuration.
  • Page 201: The Default Ncp Volume

    You can use the same methods for assigning file trustee rights on NCP volumes on OES 2 servers that you use when assigning them on NetWare. For example, the Novell Client can be used by anyone with the Access Control right on the volume, or the root user can use the ncpcon utility >...
  • Page 202: Ncp Maintenance

    17.6.5 NCP Maintenance Because NCP provides Novell Client access to files on NetWare and OES 2 servers, the service is covered by maintenance tasks that apply to file systems on these servers. For information on maintaining file services, see the “storage and file...
  • Page 203: Authenticating To Access Other Target Systems

    For example: eDirectory users must exist in the eDirectory tree where the OES server resides and have access rights to the files and directories on the OES server. Windows users must exist on the Windows systems and have the required access rights to the files and directories on those systems.
  • Page 204: Netstorage Maintenance

    Guide. 17.8 Novell AFP Implementation and Maintenance To use the Novell implementation of AFP file services on your OES 2 server, you must install the service by using the instructions in the OES 2 SP2: Installation Guide (for a new installation) or install it after the initial OES installation, as explained in “Installing AFP after the OES 2 SP 2...
  • Page 205: Maintaining Novell Cifs File Services

    Novell iFolder 3.8 Administration Guide. 17.10.2 Configuring Novell iFolder 3.8 Servers Before you let users log in to the Novell iFolder 3.8 server, be sure you complete all the setup tasks “Installing and Configuring iFolder Services” (including “Configuring the iFolder Web Admin Server”...
  • Page 206: Novell Ifolder 3.8 Maintenance

    OES 2 online documentation. 17.11 Samba Implementation and Maintenance To use the Novell implementation of Samba file services on your OES 2 server, you must install the service by using the instructions in the OES 2 SP2: Installation Guide...
  • Page 207: Search Engine (Quickfinder)

    Search Engine (QuickFinder) ® Open Enterprise Server 2 includes the Novell QuickFinder Server. QuickFinder lets you add search functionality to any Web site or internal intranet. It can index and find matches within a wide variety of data types. It also supports rights-based searches so that users see only what they have rights to see, depending on the type of index created and the file system indexed.
  • Page 209: Print Services

    Print to installed printers from any location (including the Web) through an IP connection. The information in this section provides a high-level overview of Novell iPrint print services. It is designed to acquaint you with basic iPrint functionality so you understand the configuration steps you need to perform to provide iPrint print services, and understand how iPrint functions from the user’s perspective.
  • Page 210: Iprint Components

    19.1.2 iPrint Components A Novell iPrint installation consists of various components, most of which are represented by objects in your eDirectory tree: Print Driver Store (Linux): This is a repository that stores the drivers on an OES 2 server for your network printers.
  • Page 211: Planning For Print Services

    Figure 19-1 How iPrint Works (figure; only its labels survive): a browser on a Linux, Macintosh, or Windows workstation opens the print page over HTTP from the iPrint server (OES server); authentication (Windows only); the user installs a printer with the native printer installation method for the platform, with the driver supplied by the Driver Store (Linux) or Broker (NetWare); the workstation then accesses printing services.
  • Page 212: Coexistence And Migration Of Print Services

    Although the Common UNIX Printing System (CUPS) software is also installed with SLES 10, CUPS is disabled to avoid port 631 conflicts. For information on upgrading from NetWare queue-based printing, Novell Distributed Print Services (NDPS), or previous versions of iPrint, see “Installing iPrint...
  • Page 213: Implementation Caveats

    2 Add a printer driver to the Driver Store or Broker for each printer/platform combination needed. For example, if you have Windows XP, Windows 2000, and Novell Linux Desktop (NLD) workstations on your network and you have four different printer types, you need to add four printer drivers for each platform (a total of 12 printer drivers) to the Driver Store or Broker.
  • Page 214: Print Services Maintenance Suggestions

    19.5 Print Services Maintenance Suggestions As you add printers to your network or move them to different locations, be sure to update your iPrint installation to reflect these changes. After your installation is completed and users are printing, you can monitor print performance by using the information located in “Using the Print Manager Health Monitor”...
  • Page 215: Web Services

    Web Services The Web and application services in Open Enterprise Server 2 support the creation and deployment of Web sites and Web applications that leverage the widespread availability of Internet-based protocols and tools. With the proper Web components in place, a server can host dynamic Web sites where the content changes according to selections made by the user.
  • Page 217: Security

    OES 2 SP2 includes the NSS Auditing Engine, which is installed by default with NSS. The auditing engine provides an interface that auditing client applications, such as Novell Sentinel and various third-party products, can access. Information about the auditing engine SDK is available...
  • Page 218: Encryption (Nici)

    Blue Lance; NetVision; Symantec. Nsure Audit Starter Pack: The Novell Audit 2.0 Starter Pack is supported on OES 2 and is available for download at no cost from the Novell Download Site (http://www.novell.com/downloads). Documentation for Novell Audit 2.0 is available on the Novell Documentation Web site (http://www.novell.com/...
  • Page 219: Planning For Security

    Section 21.2.2, “User Restrictions: Some OES 2 Limitations,” on page 221 21.2.1 Comparing the Linux and the Novell Trustee File Security Models The Novell Trustee and Linux (POSIX) security models are quite different, as presented in Table 21-1.
  • Page 220 Table 21-1 POSIX vs. NSS/NCP File Security Models
    Feature | POSIX / Linux | Novell Trustee Model on OES 2
    Administrative principles | Permissions are individually controlled and managed for each file and subdirectory. | Trustee assignments are made to directories and files and flow...
  • Page 221: User Restrictions: Some Oes 2 Limitations

    Feature | POSIX / Linux | Novell Trustee Model on OES 2
    Subdirectory and file visibility | Permissions granted to a file or directory apply to only the file or directory. Users... | When users are given a trustee assignment to a file or directory,...
  • Page 222: Configuring And Administering Security

    Archive and Version Services | “Security Considerations for Archive and Version Services” in the NW 6.5 SP8: Novell Archive and Version Services 2.1 Administration Guide; “Security Considerations for Archive and Version Services” in the OES 2 SP2: Novell Archive and Version Services 2.1 for Linux Administration Guide...
  • Page 223: Links To Anti-Virus Partners

    Product/Technology | Security Considerations Section Link
    Novell Client for Windows | “Managing File Security and Passwords” in the Novell Client 4.91 SP5 for Windows XP/2003 Installation and Administration Guide
    Novell Client for Linux | “Managing File Security” in the Novell Client 2.0 SP2 for Linux Administration Guide
    Novell Remote Manager for OES 2 | “Security...
  • Page 225: Certificate Management

    This contains the server’s raw private key. servercert.pem: This contains the server’s certificates. OES 2 services, such as Apache, OpenWBEM, and Novell Remote Manager, are also configured to use these certificates. Certificate Management...
  • Page 226: Oes 2 Certificate Management

    OES 2 enhances certificate management as follows: “Installation of eDirectory Certificates” on page 226 “What Is Installed Where” on page 226 “Novell Certificate Server” on page 227 “Server Self-Provisioning” on page 227 “PKI Health Check” on page 227 Installation of eDirectory Certificates...
  • Page 227 This certificate server provides public key cryptography services that are natively integrated into Novell eDirectory. You can use the server to mint, issue, and manage both user and server certificates to protect confidential data transmissions over public communications channels such as the Internet.
  • Page 228: Setting Up Certificate Management

    Automatic maintenance requires that Server Self-Provisioning be enabled as follows: 1 On the server you are configuring, in iManager > Roles and Tasks, click the Novell Certificate Server > Configure Certificate Authority option.
  • Page 229 1 Launch Novell iManager. 2 Log into the eDirectory tree as the Admin user. 3 Select the Roles and Tasks menu, then click Novell Certificate Server > Configure Certificate Authority. 4 Click the Certificates tab, then select the self-signed certificate.
  • Page 230: If You Don't Want To Use Edirectory Certificates

    6 Browse to the certificate file you downloaded in “Exporting the CA’s Self-Signed Certificate” on page 229 and click Open. 7 Select Trust this CA to identify Web sites, then click OK > OK > OK. Firefox now trusts certificates from the servers in the tree. Importing the CA Certificate into Internet Explorer 6 and 7 on Windows 1 Launch Internet Explorer.
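    Two checks a practitioner wants after the certificate steps on pages 225 to 230 (the server's private key and servercert.pem files, and trusting the tree CA): that the private key actually belongs to the certificate the services present, and that the certificate chains to the CA certificate you exported and imported. The following is an added example in POSIX shell using the openssl command line; it is not part of the guide. The name serverkey.pem for the key file, and the throwaway CA and server certificate built by make_demo_pki, are assumptions for the demo; point the check functions at the server's real files.

```sh
#!/bin/sh
# Added example, not from the OES guide: sanity checks for the server
# certificate files and for the CA trust that the browser import establishes.
# The file names serverkey.pem/servercert.pem and the throwaway CA built in
# make_demo_pki are assumptions for the demo.

# "match" when the public key inside the certificate belongs to the private
# key. Comparing the public key itself works for RSA and EC keys alike,
# unlike the RSA-only modulus comparison.
key_matches_cert() {
  cert_pub=$(openssl x509 -noout -pubkey -in "$1") || return 1
  key_pub=$(openssl pkey -pubout -in "$2") || return 1
  if [ "$cert_pub" = "$key_pub" ]; then echo match; else echo mismatch; fi
}

# "ok" when CERT chains to the CA certificate in CAFILE, which is what a
# browser that has imported the tree CA will accept; "untrusted" otherwise.
chain_verifies() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo ok; else echo untrusted; fi
}

# "yes" when CERT expires within DAYS days, "no" otherwise. Worth checking
# before relying on Server Self-Provisioning to renew it.
expires_within_days() {
  if openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null 2>&1; then
    echo no
  else
    echo yes
  fi
}

# Build a throwaway tree CA, a server certificate issued by it, and an
# unrelated CA, all in DIR (constructed demo data).
make_demo_pki() {
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Tree CA" \
    -keyout "$d/ca.key" -out "$d/ca.crt" >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=oes-server.example" \
    -keyout "$d/serverkey.pem" -out "$d/server.csr" >/dev/null 2>&1
  openssl x509 -req -days 30 -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -out "$d/servercert.pem" >/dev/null 2>&1
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Other CA" \
    -keyout "$d/other.key" -out "$d/other-ca.crt" >/dev/null 2>&1
}

# Run all three checks: report KEY CERT CAFILE.
report() {
  echo "key matches cert:      $(key_matches_cert "$2" "$1")"
  echo "chains to CA:          $(chain_verifies "$3" "$2")"
  echo "expires within 7 days: $(expires_within_days "$2" 7)"
}

demo() {
  d=$(mktemp -d)
  make_demo_pki "$d"
  echo "server key, server cert, tree CA:"
  report "$d/serverkey.pem" "$d/servercert.pem" "$d/ca.crt"
  echo "unrelated key and unrelated CA against the same cert:"
  report "$d/other.key" "$d/servercert.pem" "$d/other-ca.crt"
  rm -rf "$d"
}

demo
```

    The first report prints match/ok/no; the second prints mismatch/untrusted/no, which is what you would see after an IP-address change or a repair that left a service pointing at a certificate issued for a different key or by a different CA.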
  • Page 231 Certificate Option Scenario | Default Setting | Result | If You Change the Default Setting
    Add-on to SLES 10 or post-install | Selected | All HTTPS services on the server are configured to use eDirectory certificates. | The current service certificates and configurations are retained.
    Upgrade from ... | Selected | All HTTPS services are ... | The current service certificates...
  • Page 233: A Adding Services To Oes 2 Servers

    Adding Services to OES 2 Servers You can add services to Open Enterprise Server 2 servers after they are installed. OES 2 is a set of services that can be either added to an existing server or installed at the same time ®...
  • Page 235: Caveats And Disclaimers

    Changing an OES 2 Server’s IP Address The instructions in this section let you change the IP address assigned to an OES 2 SP2 server and the services it hosts. Section B.1, “Caveats and Disclaimers,” on page 235 Section B.2, “Prerequisites,” on page 235 Section B.3, “Changing the Server’s Address Configuration,”...
  • Page 236: Iprint

    If the server is running Novell Cluster Services: 1 Check your plans against the prerequisites for clusters in “Configuration Requirements” in the OES 2 SP2: Novell Cluster Services 1.8.7 for Linux Administration Guide. 2 Follow the instructions in “Changing the IP Addresses of Cluster Resources”...
  • Page 237: Repairing The Edirectory Certificates

    2 In the Login dialog box, type the Admin username and password, type the newmasterip address in the Tree field, then click Login. 3 Click Novell Certificate Server > Repair Default Certificates. 4 In Create Server Certificate > Step 1 of 3, browse to and select the server object for the server you are changing.
  • Page 238: Quickfinder

    For instructions, see “Deleting a Virtual Search Server” and “Creating a Virtual Search Server” in the OES 2: Novell QuickFinder Server 5.0 Administration Guide. 2 Regenerate the QuickFinder index by completing the instructions in “Creating Indexes” in the OES 2: Novell QuickFinder Server 5.0 Administration...
  • Page 239 2 Select the domain name from the drop-down list, then click Search. This is the domain name whose IP address is to be changed (in this example, it is the ‘A’ record). 2a Specify the Host Name using the search feature. 2b Select the '@' record and click Modify to replace the IP address with the new IP address.
  • Page 240: Iprint

    2c Click Done. A message indicates that the A record has been successfully modified. 3 Execute the following steps to rename and move the Reverse Lookup object: 3a Click iManager > Directory Administration > Rename Object. Search and select the Reverse Lookup object from eDirectory. 3b In the New Object Name field, specify the name of the Reverse Lookup object with the new IP address.
  • Page 241: Netstorage

    If the server is running Novell Cluster Services, complete the instructions in “Modifying the Cluster Configuration Information” in the OES 2 SP2: Novell Cluster Services 1.8.7 for Linux Administration Guide. B.8 Reconfiguring Services on Other Servers That Point to This Server If you have services on other servers that point to the old IP address for this server, be sure to reconfigure those services to point to the new IP address.
  • Page 243: C Updating/Patching Oes 2 Servers

    Updating/Patching OES 2 Servers One of a network administrator’s biggest challenges is keeping installed software up-to-date on all servers and workstations. ® You can install product updates as they are made available through the ZENworks Linux Management update channel. For instructions on setting up the ZENworks Linux Management update channel for each OES 2 server and running the patch process, see “Updating (Patching) an OES 2 SP2...
  • Page 245: D Backup Services

    SUSE Linux Enterprise Server 10 distribution. Section D.2.1, “Links to Backup Partners,” on page 245 Section D.2.2, “Novell Storage Management Services (SMS),” on page 245 Section D.2.3, “SLES 10 Backup Services,” on page 246 D.2.1 Links to Backup Partners See the Partners and Communities page on Novell.com (http://www.novell.com/products/...
  • Page 246: Sles 10 Backup Services

    SMS Coexistence and Migration Issues In OES 2, the SMS API framework is available on SLES 10 so that there is a single consistent interface to back up file systems on NetWare, file systems on Linux, and Novell applications such as...
  • Page 247 The WebDAV URL is case sensitive. Browser access: http:// or https://server_ip_or_dns/netstorage. For WebDAV access, use: http:// or https://server_ip_or_dns/oneNet/NetStorage. Novell Client: 1. Install the Novell Client on a supported Windows workstation. 2. Log in to eDirectory. 3. Access NCP volumes on NetWare or Linux that you have the appropriate file trustee rights to.
  • Page 249 Microsoft Internet Explorer 6 (latest SP); Microsoft Internet Explorer 7 (latest SP); Apple Safari 3.1. Table F-1 provides service-specific links and information about browser support in Novell OES. Table F-1 Browser Support in OES: Management Tool | Supported Browser Information Link; iManager 2.7 | ...
  • Page 250 Management Tool | Supported Browser Information Link; Tomcat Manager | “Managing Tomcat with Tomcat Admin” in the NW 6.5 SP8: Tomcat Administration Guide
  • Page 251 Client/Workstation OS Support As a general rule, Open Enterprise Server 2 services can be accessed and administered from workstations running the following operating systems: SUSE Linux Enterprise Desktop 10 SP2; Microsoft Windows XP SP2 and SP3; Microsoft Windows Vista Business SP1; Microsoft Windows Vista Business 64-bit SP1; Microsoft Windows Vista Ultimate SP1; Microsoft Windows Vista Ultimate 64-bit SP1...
  • Page 253 This lets you load and unload the LDAP library that Novell eDirectory uses to provide LDAP support. It is not actually a service. pure-ftpd: This is used by the Novell FTP pattern. iPrint: cups, novell-idsd, novell-ipsmd. OES 2 Service Scripts...
  • Page 254 NetStorage runs inside the novell-xsrvd XTier Web Services daemon, and also novell-xsrvd utilizes Tomcat services for certain other functions. novell-xregd is the init script for starting and stopping XTier’s registry daemon. It is part of the novell-xtier-base RPM and is enabled by default for run levels 2, 3, and 5.
  • Page 255 CIMOM daemon, which is an integral part of the iManager plug-ins for LUM, Samba, NSS, SMS, and NCS. iPrint and NRM also use OpenWBEM. Novell Remote Manager on OES 2 gets its server health information from CIMOM. Patching novell-zmd This is the GUI patch updater daemon.
  • Page 257: About System Users And Groups

    System User and Group Management in OES 2 SP2 This section discusses the users and groups that are used by Open Enterprise Server. Administrative users are discussed in Appendix J, “Administrative Users in OES 2 SP2,” on page 277. Section I.1, “About System Users and Groups,” on page 257 Section I.2, “Understanding Proxy Users,”...
  • Page 258: Oes System Users And Groups By Name

    Table I-1 Types of System Users and Groups with Examples
    System User or Group Type | Purpose | Examples
    Proxy User | Perform very specific service-related functions, such as retrieving passwords and service attributes, writing service information in eDirectory, and providing a user ID (uid) that the associated service daemon uses to run. | afpProxyUser-servername, cifsProxyUser-servername, LUM_Proxy_user
  • Page 259: Understanding Proxy Users

    Name | Type | Service
    ... | System Group | CIMOM
    novlxregd | System User | XTier
    novlxsrvd | System User | XTier
    novlxtier | System Group | XTier
    server_name-SambaProxy | Proxy User | Samba (Novell)
    server_name-W-SambaUserGroup | System Group | Samba (Novell)
    server_nameadmin | Proxy User | ...
    ... | System Group | Apache, Tomcat, QuickFinder
    wwwrun | System User | Apache
    I.2 Understanding Proxy Users The subject of OES proxy users is somewhat complex.
  • Page 260: What Are Proxy Users

    OES provides the Novell services that were previously only available on NetWare. To make its services available on Linux, Novell had to accommodate a fundamental difference between the way services run on NetWare and the way they run on Linux.
  • Page 261: What Rights Do Proxy Users Have

    However, unlike other OES services that can share proxy users, NSS requires a unique proxy user for each server. server_name-SambaProxy (Samba (Novell)): Searches the LDAP tree (eDirectory) for Samba users. I.2.4 What Rights Do Proxy Users Have? Each OES service’s YaST installation automatically adds the required rights to the proxy user...
  • Page 262: Associated Service Example Proxy User Name

    Unless otherwise specified, each of the following users has the standard set of user rights in eDirectory: Self: Login Script: Read, Write (not inheritable); Print Job Configuration: Read, Write (not inheritable); [All Attribute Rights]: Read (inheritable). [Public]: Message Server: Read (not inheritable). [Root]: Group Membership: Read (not inheritable)...
  • Page 263: Ifolder 3

    LDAP ACL representation: 3#subtree#NetStorage_Proxy#. server_nameadmin: Additional eDirectory rights: Supervisor right to the container in which it was created. server_name-SambaProxy (Samba (Novell)): The Universal Password policy associated with the Samba users grants this proxy user the right to retrieve user passwords. Additional eDirectory rights: Rights to itself –...
  • Page 264: Planning Your Proxy Users

    I.3 Planning Your Proxy Users Because of the prominent role played by the proxy users on your OES network, it is important that you understand your implementation options and the implications for each option. You can then plan an overall proxy user implementation strategy. Section I.3.1, “About Proxy User Creation,”...
  • Page 265: Nss Server_Nameadmin

    Associated Service | Default Proxy User Name | Creation Information
    CIFS | cifsProxyUser-servername | By default, the CIFS YaST install automatically creates a proxy user named cifsProxyUser-servername in the same context as the server, and creates a Universal Password Policy that you can assign to CIFS users after the install.
  • Page 266 The following is a real-life example of risks that can occur when admin users are assigned as proxy users: Novell Support received a call from an administrator who was getting locked out due to intruder detection after changing the administrator password. The lockout happened several times each day and seemed to be coming from the OES 2 servers.
  • Page 267: Proxy User Impacts On User Connection Licenses

    Further investigation revealed that the administrator credentials had been used to install OES 2 on multiple servers, and by default the credentials were therefore also used as the proxy user credentials for some of the OES services. Consequently, the credentials were stored in CASA for use when the OES services came up.
  • Page 268 Approach | Licensing Impact | Security Considerations | Manageability Considerations
    Per Server | One for each server | This confines any security vulnerabilities to individual servers. | This requires that a proxy user for the server is created before the server is installed. For the first server in the tree, eDirectory and iManager must be installed with the server.
  • Page 269: Proxy Users And Passwords

    Approach | Licensing Impact | Security Considerations | Manageability Considerations
    Per Tree | One license | This exposes all OES services and servers in the tree to any security vulnerabilities. | This requires that a proxy user for the tree is created before any OES services are installed in the tree.
  • Page 270 IMPORTANT: Although the YaST based install can sometimes be used successfully to reconfigure some OES services, Novell neither recommends nor supports that practice. Avoid Password Expiration Problems Many organizations require that all network users have password policies to enforce regular password expiration and change.
  • Page 271: Implementing Your Proxy User Plan

    These problems can be avoided by: Not assigning proxy users a password policy that enforces password expiration. Not using real user credentials for proxy users. See “Avoid Assigning an Admin User As a Proxy User” on page 266. If password expiration policies cannot be avoided, or a security policy dictates that proxy user passwords must be changed periodically, you can do the following.
  • Page 272: Service-Specific Proxy Users

    I.4.2 Service-Specific Proxy Users Do the following: 1. Create a proxy user in the eDirectory tree for each type of OES service and set the passwords. Consider naming the user to reflect its purpose. For example, name the AFP proxy user, afp_proxy_user.
  • Page 273 This user is created by CIMOM but is not currently used. novlxregd (XTier): The XTier Registry Daemon (novell-xregd) runs as this user. When NSS is installed on the Linux server, this user is removed from the local system and created as a LUM-enabled user in eDirectory.
  • Page 274: System Groups

    This is required because members of this group must have access to NSS data, and all NSS access is controlled through eDirectory. server_name-W-SambaUserGroup (Samba (Novell)): All users granted Samba access are originally assigned to this group, which disables SSH access for them on the server.
  • Page 275: Auditing System Users

    Due to this fact, some organizations choose to monitor the activities of privileged users. If you are interested in monitoring such activities, two Novell products can assist you. Novell Sentinel: Universal Password events can be monitored using Novell Sentinel. You enable this by modifying the NMAS Login Policy Object.
  • Page 277: J Administrative Users In Oes 2 Sp2

    Administrative Users in OES 2 SP2 Every OES network requires at least one administrative-level user to manage regular network users and system users. Table J-1 Administrative Users and Groups
    Administrative User or Group | Associated Service | Object Type | Purpose
    Admin | eDirectory | Admin User | The eDirectory administrator that has all rights to manage the Tree.
  • Page 279: K Coordinating Password Policies Among Multiple File Services

    DSfW is not classified as a file service, but it includes a customized version of Samba that is different from Novell Samba. Each of these services requires that users who access them have Password policies that meet specific requirements. Users can be governed by only one Password policy at a time, so if any of your network users require access to more than one of the file services, you need to coordinate the Password policies that govern the users to ensure that they can access the different file services.
  • Page 280: Edirectory Contexts

    NetWare servers with a lone writable replica of an AFP or CIFS user, NMAS should be upgraded by upgrading to the Novell Security Services 2.0.6 on eDirectory 8.7.3 SP10 or eDirectory 8.8.2. The file access services will provide access/visibility to the users as per the trustee rights they have on the volumes and files.
  • Page 281: Examples

    K.3 Examples Section K.3.1, “Example 1: Complex Mixed Tree with a Mix of File Access Services and Users from across the Tree,” on page 281 Section K.3.2, “Example 2: Mutually Exclusive Users,” on page 282 K.3.1 Example 1: Complex Mixed Tree with a Mix of File Access Services and Users from across the Tree “Tree Setup”...
  • Page 282: Example 2: Mutually Exclusive Users

    S9 serves its volumes over AFP, Samba, and NCP NOTE: Although Novell CIFS and Samba can both be installed on the same machine, they cannot run together because of a port conflict. The administrator can configure either Samba or Novell CIFS on a single machine, but not both.
  • Page 283: Deployment Guidelines For Different Servers And Deployment Scenarios

    Figure K-2 Example 2. File Services: S1, S2, S3, and S4 are DSfW servers and serve their volumes over Samba and NCP; S5, S6, and S7 serve their volumes over AFP and NCP; S8 and S9 serve their volumes over CIFS and NCP. Users: For example, u1 is a user under the container ou=prv,o=widget and is expected to access AFP services on S5, S6, and S7.
  • Page 284: Deployment Scenario 1: Complex Mixed Scenario With A Mix Of File Access Services

    Non-DSFW Server If the first server in the tree is a non-DSFW server, then any combination of AFP, Novell CIFS, or Samba can be installed on this server. Because the tree is being newly created, the users, the proxy users (system users), and the Password policies will not be present.
  • Page 285 Universal Password. They need to either use a plain text authentication method, or log in through NCP (Novell Client) to synchronize their NDS passwords to the Universal Password. AFP can auto-synchronize the Universal Password if the default DHX authentication method is used.
  • Page 286: Deployment Scenario 2: Mutually Exclusive Users

    K.4.2 Deployment Scenario 2: Mutually Exclusive Users In some trees, AFP, CIFS, and Samba might be employed, but the users are partitioned in such a way that each user has access to AFP, to CIFS, or to Samba, but not to all of them. S1, S2, S3, S4 DSfW servers with Samba.
  • Page 287: Adding New User Edirectory Contexts To Afp/Cifs After Afp/Cifs/Samba/Dsfw Is Installed

    K.4.5 Adding New User eDirectory Contexts to AFP/CIFS after AFP/CIFS/Samba/DSfW Is Installed. After a new user context is created, rerun the YaST–based configuration and select the new eDirectory context. K.4.6 Enabling File Access for DSfW Servers Across Domains DSfW requires that users be LUM-enabled to access NSS file services through Samba. For a user to access a DSfW server in a different domain, the user needs to be a LUM-enabled user on the other server.