SUSE Linux Enterprise Desktop Administration Chapter 13 Integrate SUSE Linux Enterprise Desktop 10...

SUSE Linux Enterprise Desktop Administration

Chapter 13Integrate SUSE Linux Enterprise

Desktop 10 into Existing Environments


Objectives

• Objective 1—Integrate SUSE Linux Enterprise Desktop 10 into an OpenLDAP Environment

• Objective 2—Integrate SUSE Linux Enterprise Desktop 10 into an Active Directory Environment

• Objective 3—Integrate SUSE Linux Enterprise Desktop 10 into a Novell eDirectory Environment

• Objective 4—Understand the Novell Client for Linux

• Objective 5—Install and Configure Novell iFolder

2


Objective 1—Integrate SUSE Linux Enterprise Desktop 10 into an

OpenLDAP Environment

3

• OpenLDAP• The most popular Open Source LDAP• Provides applications and tools to control and query

the server and to develop LDAP-based software• OpenLDAP authentication is frequently combined with

NFS (Network File System) for file access


LDAP Basics

• Directory– A specialized database that is optimized for reading,

browsing, and searching– Contains descriptive, attribute-based information, and

then supports sophisticated filtering

• Directory services are tuned to give quick response to high-volume lookup or search operations– Directory services can be local or global

• LDAP stores information in objects that can be associated to object classes

4


LDAP Basics (continued)

• Classes determine which attributes an object can or must have

• By including schemas, you are able to access predefined object classes

• Each object is a collection of attributes that has a globally unique distinguished name (DN)

• Attributes are typically mnemonic strings– The syntax of values depends on the attribute type

• In LDAP, objects are arranged in a hierarchical tree structure

5


LDAP Basics (continued)

• You can distinguish between two kinds of objects:– Container objects– Leaf objects

• If you use LDAP for user management, the structure (DIT, Directory Information Tree) normally reflects one of the following:– Organizational structure (See Figure 13-1)– Domain system (See Figure 13-2)

6

SUSE Linux Enterprise Desktop Administration 7

Figure 13-1 LDAP organizational structure


Figure 13-2 LDAP domain system


YaST LDAP Client Module

• YaST makes integrating clients into an existing LDAP structure very easy– Start YaST and select Network Services > LDAP

Client– See Figure 13-3

• When you select Finish, the configuration changes are written to several files on the system, including:– /etc/security/pam_unix2.conf, /etc/ldap.conf,

/etc/nsswitch.conf, and /etc/passwd

9


Figure 13-3 YaST LDAP Client Configuration dialog


Import File Systems Using NFS

• Network file system basics– NFS is designed for sharing files and directories over

a network• Requires configuration of an NFS server and NFS

clients

– Directories such as /home/, /opt/, and /usr/ are good candidates for export via NFS

– Using NFS for home directories only makes sense with central user management

– See Figure 13-4

11


Figure 13-4 Mounting the /home/ directory


Import File Systems Using NFS (continued)

• How NFS works– NFS is an RPC (Remote Procedure Call) service– An essential component of RPC services is the

portmapper• Manages the services and needs to be started first

– When an RPC service starts up, it binds to a port in the system

– NFS supports file locking, which means that only one user at a time has write access to files

13



• Configure NFS client access with YaST– NFS directories exported on a server can be mounted

in the file system tree of a client– The easiest way to do this is to use the YaST NFS

Client module– To use YaST to configure the NFS client, start the

YaST Control Center and then select Network Services >NFS Client

– See Figure 13-5

14


Figure 13-5 YaST NFS Client Configuration dialog



• Exercise 13-1: Import Network File System (NFS)– In this exercise, create an /import/sled10 directory and

use it as a mount point to import the /export/sled10 directory from da1 using NFS

– Create an /etc/fstab entry to mount the directory automatically at boot time

– You can use the command-line interface or YaST to do this

16



• Mount home directories automatically– The /usr/sbin/automount program

• Mounts directories when needed and unmounts them after some time when not needed any longer

– The primary configuration of automount is contained in /etc/auto.master

– The /etc/auto.misc file shows what can be configured– To start autofs, enter (as root) in a terminal window

the rcautofs start command– rcautofs status lists the configured and the active

mount points17



• Mount home directories automatically (continued)– The automounter creates the /misc directory when it is

started– The automounter can be used for home directories as

well

18


OpenLDAP and Automounter

• The automounter usually reads its information from the /etc/auto.master file– As well as the files referenced within that file

• Using files on clients is cumbersome when changes affecting many clients need to be made– The files on all clients have to be modified

• If the information is kept within the LDAP directory, the information must be updated in only one place

• The automounter queries the LDAP directory for automount information

19


Exercise 13-2: Integrate a SLED 10 into an LDAP Environment

• In this exercise, you integrate your SUSE Linux Enterprise Desktop 10 into an LDAP environment for authentication and activate the automounter

20


Objective 2—Integrate SUSE Linux Enterprise Desktop 10 into an Active

Directory Environment

• Microsoft Active Directory (AD)– A directory service based on LDAP, Kerberos, and

other services– Used by Microsoft Windows to manage resources,

services, and people– Provides information on these objects, restricts access

to them, and enforces policies

• Shares provided by Windows file servers use the Server Message Block (SMB) protocol– Can be accessed with the help of Samba

21

• Benefits of using SLED in an Active Directory environment– Offline authentication– Windows password change– Single-sign-on through Kerberized applications

• Background information for Linux AD support– The most common components needed are

shown in Figure 13-7


Use Active Directory to Authenticate Users

22


Figure 13-7 The most common components for Linux AD support

• Background information for Linux AD support (continued)– Protocols shared by the client with the server:

• LDAP• Kerberos

– Client components process account and authentication data:• Winbind• NSS (Name Service Switch)• PAM (Pluggable Authentication Modules)


Use Active Directory to Authenticate Users (continued)

24



• Join an Active Directory domain– During domain join, the server and the client establish a

secure relationship– The following tasks need to be performed:

• The Windows domain controller providing both LDAP and KDC (Key Distribution Center) services is located

• A machine account for the joining client is created in the directory service

• An initial ticket granting ticket (TGT) is obtained for the client and stored in its local Kerberos credential cache

• NSS and PAM configurations are adjusted to enable the client to authenticate against the domain controller

25



• Join an Active Directory Domain (continued)– Domain login and user homes

• The login managers of GNOME and KDE have been extended to allow the handling of AD domain login

• User authentication is mediated by a number of PAM modules

• The Windows error codes are translated into appropriate user-readable error messages

– Offline service and policy support• To enable users to log in to a disconnected machine,

extensive caching was integrated into the winbind daemon

26



• Configure a Linux client for Active Directory– Before your client can join an AD domain, you must

make some adjustments to your network setup• To ensure a flawless interaction of client and server

– These adjustments affect:• DNS

• NTP

• DHCP

• Firewall

• AD account

27



• Log in to an AD domain– If your machine has been configured to authenticate

against Active Directory and you have a valid Windows user identity:

• You can log in to your machine using the AD credentials

– Login is supported for both desktop environments (GNOME and KDE), the console, SSH, and any other PAM-aware application

28



• Change passwords– SLED 10 has the ability to help a user choose a

suitable new password• Must meet the corporate security policy

– The underlying PAM module retrieves the current password policy settings from the domain controller

– GDM and KDM provide feedback about password expiration and prompt for new passwords

– To change your Windows password, you can use the standard Linux utility, passwd

• Instead of having to manipulate this data on the server29


Exercise 13-3: Join an Active Directory Domain

• In this exercise, set your DNS name resolution to point to the Windows 2003 Server and join an Active Directory Domain using your SUSE Linux Enterprise Desktop 10 computer

30


Import File Systems Using Samba

• Understand Samba– Server Message Block (SMB) protocol

• A network protocol that provides file and print services in a Windows network

– Samba enables Linux to use SMB so that Linux can be integrated in a Windows environment

– SMB services are provided by the NetBIOS protocol– NetBIOS makes its own namespace available

• Can be accessed with the Universal Naming Convention (UNC) notation

31


Import File Systems Using Samba (continued)

• Understand Samba (continued)– You can use Samba for the following purposes:

• Browse shared files and folders with SMB

• Share files and folders with SMB

• Access and manipulate user data on the Windows Server

• Use Nautilus to access and create Samba shares– Use Nautilus to access Samba shares

• See Figure 13-10

32


Figure 13-10 Use Nautilus to access Samba shares



• Use Nautilus to access and create Samba shares (continued)– Use Nautilus to share directories using Samba

• Samba needs to run on the computer and the Samba configuration has to permit users to share directories

• To start Samba, enter rcnmb start; rcsmb start• Now a user can share directories that he or she owns

– See Figures 13-12 and 13-14

34


Figure 13-12 Sharing directories with the Nautilus file manager


Figure 13-14 Dialog informs you if changes to the permissions of the directory are necessary




• Use Nautilus to access and create Samba shares (continued)– Use Samba command-line tools to access shares

• Use nmblookup

– You can resolve NetBIOS names into IP addresses with the nmblookup tool

• Use smbclient

– You can access SMB shares on the network with the smbclient tool

– Browse shares provided by an SMB server

– Access files provided by an SMB server

37



• Use Nautilus to access and create Samba shares (continued)– Use Samba command-line tools to access shares

(continued)• Mount SMB shares into the Linux file system

– You can mount a share into the file system like a hard disk partition or a CD-ROM drive

– The basic mount command:mount -t cifs //Fileserver/data /mnt

38


Exercise 13-4: Mount Geeko’s Share

• In this exercise, you mount a Samba share on a Linux system

• Mount the home directory on da1 of Geeko to the /mnt directory on your computer

39


Objective 3—Integrate SUSE Linux Enterprise Desktop 10 into a Novell

eDirectory Environment

• You can use Novell Linux User Management (LUM) to configure SLED 10 workstations on your network – Users can log in to them using their Novell eDirectory

usernames and passwords

• Using LUM and eDirectory to manage user login information– Eliminates the need to create local users in the

/etc/passwd and /etc/shadow files

• The user account information stored in eDirectory lets users access file and printer resources

40


Set Up eDirectory Authentication

• Activate Linux User Management on workstations– Before users can use their eDirectory usernames and

passwords to log in• You must configure the SUSE Linux Enterprise Desktop

workstation with Linux User Management components

– See Figure 13-16

• Use Novell iManager to enable users for eDirectory Authentication– Use eDirectory and Novell iManager to specify which

users can access SUSE Linux Enterprise Desktop computers on the network

41


Figure 13-16 The User Authentication Method page


Set Up eDirectory Authentication (continued)

• Use Novell iManager to enable users for eDirectory authentication (continued)– Novell iManager

• The browser-based utility for managing eDirectory objects

• Runs in a network browser such as Mozilla Firefox, Netscape Navigator, or Internet Explorer

– When you create user or group accounts in Novell iManager

• You are prompted to ‘‘LUM enable’’ the User object or Group object

43


Turn Off eDirectory Authentication

• You can permanently turn off the ability to accept logins from eDirectory– By removing the LUM software from the workstation

• You can temporarily disable eDirectory authentication by stopping the namcd daemon

• To stop namcd, open a shell window and enter rcnamed stop

• To turn on eDirectory authentication and LUM, open a shell window and enter rcnamed start

44


Objective 4—Understand the Novell Client for Linux

• This section contains the following information:– Understanding the Novell Client for Linux Virtual File

System– Configuring the Novell Client for Linux– Using Configuration Files to Preconfigure the Novell

Client

45


Understanding the Novell Client for Linux Virtual File System

• The Novell Client for Linux has a Virtual File System – Consists of a kernel module (novfs.ko) that runs as

part of the Linux kernel and a daemon (novfsd) that runs in the user space

• Both components must be running on the workstation for the client to connect to the network

46


Using the Novell Client Tray Application

• Starting and stopping the Novell Client Tray application– Select to see the menu

47

Figure 13-17 Novell Client Tray menu


Using the Novell Client Tray Application (continued)

• Logging in to the network– When you log in to the network, you gain access to

directories and files• As well as other services provided by network servers

– See Figure 13-18

• Running Novell login scripts during login– When you successfully log in to the network, one or

more login scripts are executed– Login scripts can be used to automatically map drives

and search drives to directories, display messages, set environment variables, and execute programs

48


Figure 13-18 Novell Client for Linux login dialog



• Logging out of a network location (server or tree)– You can log out of a network location in either of the

following ways:• To log out of all existing connections, select >Novell

Logout >Logout

• If you are logged in to multiple trees and want to log out of a specific server or tree, select > Novell Connections, select the tree or server that you want to log out of, and then select Detach

• Viewing your network connections– Novell Connections allows you to see what servers

and trees you are logged in to50


Figure 13-19 Novell Connections



• Changing your network password– Select > Change Password

– In the Old Password field, type your current password

– In the New Password field, type your new password

– In the Confirm field, type the new password again

– Select OK

• Mapping network directories– When you map a directory, you create a symbolic link or

shortcut to a path on the network and assign it a name and location on your workstation

– You can use the symbolic link to access the resource

52


Figure 13-20 Novell Map directory



• Disconnecting a mapped directory– Select > Disconnect Novell Mapped Directory– Select the mapped directory that you want to

disconnect from; then select Disconnect

• Editing your login script– Edit or create the personal login script that runs when

you log in– Check with your network administrator before creating

or changing a login script

54


Figure 13-21 Edit a login script


Configuring the Novell Client for Linux

• Using the Novell Client Configuration Wizard– See Figure 13-22

• Configuring login settings– Use the Login Settings page in the Novell Client

Configuration Wizard– See Figure 13-23

• Configuring map settings– Use the Map Settings page in the Novell Client

Configuration Wizard– See Figure 13-24

56


Figure 13-22 Novell Client Configuration Wizard


Figure 13-23 Configuring Login Settings


Figure 13-24 Configuring Map Settings


Configuring the Novell Client for Linux (continued)

• Configuring protocol settings– Use the Protocol Settings page– See Figure 13-25

• Configuring tray application settings– Use the Tray Application Settings page– See Figure 13-26

• Configuring file browser settings– Use the File Browser Settings page– See Figure 13-27

60


Figure 13-25 Configuring Protocol Settings


Figure 13-26 Configuring Tray Application Settings


Figure 13-27 Configuring File Browser Settings


Configuring the Novell Client for Linux (continued)

• Configuring OpenSLP settings– Use the Service Location Protocol (OpenSLP)

Settings page– See Figure 13-28

64


Figure 13-28 Configuring OpenSLP Settings


Using Configuration Files to Preconfigure the Novell Client

• The Novell Client for Linux allows you to apply preconfigured client settings– Contained in one or more configuration (.conf) files

• Preconfiguring the Novell Client for Linux requires the novell-client-conf.spec file and the make_novell-client-conf_rpm Bash script– Located in the /add-on/novell-client-conf subdirectory

66


Using Configuration Files to Preconfigure the Novell Client

(continued)

67

Table 13-1 Configuration files


Exercise 13-5: Install and Configure the Novell Client for Linux

• In this exercise, you install and configure the Novell Client for Linux

68


Objective 5—Install and Configure Novell iFolder

• In this objective, you learn how to install, configure, and use Novell iFolder 3.x on SUSE Linux Enterprise Desktop 10

69


Overview of Novell iFolder

• Novell iFolder– A file-sharing application for Linux and Windows

clients

• You can share files in multiple Novell iFolders, each with a different group of users

• Benefits of Novell iFolder– Integrates with your native desktop environment– Highly scalable and flexible– Supports data encryption– Offers enhanced Web access console

70


Overview of Novell iFolder (continued)

• Benefits of Novell iFolder (continued)– Allows you to easily and selectively share personal

and business files– Allows you to control the access level of member

users– Transparently updates your files to member Novell

iFolders on multiple workstations– Offers offline logging and synchronization– Provides secure authentication of members– Offers an alternative to exchanging files via e-mail

71


Overview of Novell iFolder (continued)

• Key features of Novell iFolder– The Novell iFolder client– Novell iFolder account– Improved shared Novell iFolders– Novell iFolder access rights– File synchronization and data management– Encryption– Enhanced Web access– Synchronization log

72


Installing the Novell iFolder Client

• You can install the Novell iFolder client on your SUSE Linux Enterprise Desktop 10 computer– By using command-line instructions– Example: rpm -ivh *.rpm

73


Starting the Novell iFolder Client

• When Novell iFolder is running, the Novell iFolder Services icon appears in the Notification area of the taskbar

• Novell iFolder is integrated in the desktop environment– The Novell iFolder emblem (green ‘‘i’’) appears on

Novell iFolders when they are viewed in a file manager, on the desktop, or in the Novell iFolder browser

– The encrypted Novell iFolder is indicated by the locked folder emblem on the Novell iFolder

74


Starting the Novell iFolder Client (continued)

• Start Novell iFolder automatically on login– See Figure 13-32

• Start Novell iFolder on demand– Log in to your computer with the local Linux user

identity you want to use– Use one of the following to start Novell iFolder:

• In the taskbar, open the Applications menu, select More Applications, right-click Novell iFolder 3, and then select Start iFolder 3

• Open a terminal shell; then enter /opt/novell/ifolder3/bin/ifolder

75


Exiting the Novell iFolder Client

• To exit the Novell iFolder client, right-click the Novell iFolder Services icon in the Notification area– Then select Quit

• Files are synchronized with your Novell iFolder server account– Only when you are connected to the Novell iFolder

server

• You can stop synchronization by logging out of an account

76


Configuring a Novell iFolder Account

• Use the Novell iFolder Account Assistant to add and configure a new account

• You can create only one account for any given Novell iFolder host service– But you may have multiple accounts

• Multiple users with different local login identities can have Novell iFolders on the same computer

77


Configuring a Novell iFolder Account (continued)

78

Figure 13-34 Configuring a Novell iFolder account


Table 13-2 Values used to configure a Novell iFolder account


Logging in to a Novell iFolder Account

• You can work locally with files in the Novell iFolder directories at any time

• You must be logged in to a Novell iFolder account to synchronize it

• You can log in separately and be logged in concurrently to multiple accounts

• Use one of the following login methods for each account:– Log in automatically– Log in as needed

80


Logging out of a Novell iFolder Account

• Right-click the Novell iFolder Services icon in the Notification area– Then open the Novell iFolder Preferences dialog from

the Accounts tab by selecting Account Settings

• Locate the account you want to manage– Then disconnect from the Novell iFolder server by

deselecting the Online check box

• Close the Novell iFolders Preferences dialog box by selecting Close

81


Viewing and Modifying Novell iFolder Account Settings

• Right-click the Novell iFolder Services icon in the Notification area– Then open Novell iFolder Preferences from the

Accounts tab by selecting Account Settings

• In the Accounts report, you can manage the parameters in Table 13-3 for each account

82


Table 13-3 Parameters for each Novell iFolder account


Deleting a Novell iFolder Account

• If you remove a Novell iFolder account only from your computer:– The local Novell iFolders for this account are reverted

to normal folders– You can continue to access the Novell iFolders from

other computers with the Novell iFolder client– When the Novell iFolder client is used with a Novell

iFolder 3.x enterprise server, you can also access files from anywhere with Novell iFolder 3.x Web access

84


Deleting a Novell iFolder Account (continued)

• If you remove your Novell iFolder account from the server:– All of the Novell iFolders you own are unshared– The local copies of Novell iFolders on member

computers are reverted to normal folders– The Novell iFolder and its contents are removed from

the server– You are removed as a member of Novell iFolders that

others shared with you– The account is removed from the local computer

85


Deleting a Novell iFolder Account (continued)

• To delete a Novell iFolder account:– Right-click the Novell iFolder Services icon ( ) in the

Notification area• Then open Novell iFolder Preferences from the

Accounts tab by selecting Account Settings

– Select the Novell iFolder account you want to delete; then select Delete

– A message prompts you to determine the extent of the delete action

86


Configuring Novell iFolder Preferences for the Client

• Right-click the Novell iFolder Services icon in the Notification area– Then open Novell iFolder Preferences from the

General tab by selecting Preferences

• Specify your preferences

• When you are done, close the Novell iFolder Preferences dialog box

87


Exercise 13-6: Set Up and Use the Novell iFolder Client on the SLED 10

Workstation• In this exercise, you set up and use the Novell

iFolder client on your DAxx SUSE Linux Enterprise Desktop 10 workstation

88


Summary

• The cross-platform LDAP directory service allows network users to query information for a wide range of uses

• LDAP resources are organized into a hierarchical tree structure

• YaST can be used to configure a client connection to an LDAP service

• An NFS server shares directories to NFS clients using RPCs and the portmapper service

• You can configure your computer to connect to remote NFS shared directories using YaST

89


Summary (continued)

• The Automounter service can be used to automatically mount home directories

• Windows networks typically use the Active Directory service to provide centralized authentication and resource access using LDAP and Kerberos

• You can configure your SUSE Linux system to use Active Directory using YaST

• You can share file and printer resources with Windows computers using Samba

• Most shared resources on Windows computers are accessed by NetBIOS name using UNCs

90


Summary (continued)

• Nautilus can be used to create Samba shares as well as access Windows shares on the network

• Novell networks typically use the eDirectory service to provide centralized authentication and resource access using LDAP

• To access all eDirectory services, you must configure the Novell Client for Linux

• You can access the Novell Client for Linux by clicking on the Novell Client tray application

• Novell iFolder can be used to share files on Linux and Windows systems

91

SUSE Linux Enterprise Desktop Administration Chapter 13 Integrate SUSE Linux Enterprise Desktop 10...

Documents

Transcript of SUSE Linux Enterprise Desktop Administration Chapter 13 Integrate SUSE Linux Enterprise Desktop 10...