Configuration Management Manual<br />
for<br />
using openSuSE-11.3 Linux in the Enterprise<br />
by W. Melz<br />
V 1.0<br />
2000 – 2011<br />
Index<br />
1 Preface<br />
1.1 About the Document<br />
1.2 Project-Homepage (coming soon)<br />
1.3 Audience<br />
1.4 Enterprise Requirements<br />
2 Planning the network<br />
2.1 Hardware-Components needed<br />
2.2 Services<br />
2.2.1 Infrastructure Services<br />
2.2.2 Operational Services<br />
2.2.3 Supporting Services<br />
2.3 Backup and Restore<br />
2.4 Data Archive<br />
3 Configuration-Elements<br />
3.1 VirtualBox<br />
3.2 Network<br />
3.3 Hostname Schema<br />
3.4 Hardware<br />
3.4.1 Router<br />
3.4.2 Cable<br />
3.4.3 Switches<br />
3.4.4 Servers<br />
3.4.5 Print-Servers<br />
3.4.6 Clients<br />
3.5 Operating-Systems<br />
3.5.1 OpenSUSE-11.3<br />
3.5.1.1 Samba configuration for my NAS-Server<br />
3.6 SW-Services<br />
3.7 NTP Time Server<br />
3.8 Master DNS-Server<br />
3.9 Slave DNS-Server<br />
3.10 DHCP-Server<br />
3.11 DDNS<br />
3.12 Root CA<br />
3.13 CA by command line<br />
3.14 OpenLDAP-Server<br />
3.14.1 N-Way/Multi-Master-Replication<br />
3.14.1.1 Delete old database<br />
3.14.1.2 Edit slapd.conf file<br />
3.14.1.3 Edit client file /etc/openldap/ldap.conf<br />
3.14.1.4 Edit /etc/ldap.conf<br />
3.14.1.5 Start service on vos21<br />
3.14.1.6 The initial data file init.ldif<br />
3.14.1.7 Automatic starting slapd<br />
3.14.2 LDAP-Client Login configuration<br />
3.15 LDAP-Master vos21<br />
3.15.1 Setup PDC /etc/openldap/slapd.conf<br />
3.15.2 PDC /etc/openldap/ldap.conf<br />
3.15.3 PDC /etc/ldap.conf<br />
3.15.4 init.ldif<br />
3.15.5 samba-base.ldif<br />
3.15.6 Testing<br />
3.16 LDAP-Slave vos22<br />
3.16.1 Setup BDC /etc/openldap/slapd.conf<br />
3.16.2 BDC /etc/openldap/ldap.conf<br />
3.16.3 BDC /etc/ldap.conf<br />
3.17 Samba 3 ldapsam:editposix setup<br />
3.17.1 PDC vos21 /etc/samba/smb.conf<br />
3.17.2 BDC vos22 /etc/samba/smb.conf<br />
3.17.3 Server stored profiles and netlogon<br />
3.18 Windows XP Client Domain join<br />
3.19 Windows 7 Client Domain join<br />
3.20 Domain management with srvtools.exe<br />
3.21 Kerberos Server setup<br />
3.22 Kerberos client setup<br />
4 Conclusion<br />
5 Management Summary<br />
6 Reference list<br />
7 Link-list<br />
8 Appendix<br />
8.1 VirtualBox<br />
8.2 openSuSE-11.3 graphics DHCP-Client<br />
8.3 Install openSuSE-11.3 Server in Textmode<br />
8.4 Installation Windows 7 client<br />
8.5 Some console command-lines<br />
Table Index<br />
Table 1: Member - Role Assignment<br />
Table 2: Elements to configure<br />
Table 3: Network address plan<br />
Table 4: Hostname schema plan<br />
Table 5: Router setup<br />
Table 6: LDAP environment variables<br />
Table 7: Management timeframe<br />
Picture Index<br />
Picture 1: Physical Network Topology<br />
Picture 2: Enable NTP<br />
Picture 3: Select server<br />
Picture 4: German server<br />
Picture 5: NTP-Servers configured<br />
Picture 6: Netconfig variable for NTP servers<br />
Picture 7: DHCP & DNS packages<br />
Picture 8: DNS startup screen<br />
Picture 9: Add zones<br />
Picture 10: Set localnets<br />
Picture 11: Set nameservers for domain<br />
Picture 12: Set serial<br />
Picture 13: Set records<br />
Picture 14: Set basics<br />
Picture 15: Set nameservers<br />
Picture 16: Configure slave server<br />
Picture 17: Set master server<br />
Picture 18: Selected NIC<br />
Picture 19: Global settings<br />
Picture 20: Dynamic IP address range<br />
Picture 21: Start service when booting the system<br />
Picture 22: Create TSIG Key<br />
Picture 23: Select key to add<br />
Picture 24: Error, two slashes in path<br />
Picture 25: Correct path and keyname<br />
Picture 26: Edit DHCP sysconfig variable<br />
Picture 27: Edit DNS sysconfig variable<br />
Picture 28: Copy master zone files<br />
Picture 29: Copy slave zone files<br />
Picture 30: DHCP-Client<br />
Picture 31: Name resolving<br />
Picture 32: Check IP lease with ifconfig<br />
Picture 33: Test nslookup<br />
Picture 34: Start CA management<br />
Picture 35: CA tree<br />
Picture 36: Step 1<br />
Picture 37: Basic settings<br />
Picture 38: Additional settings<br />
Picture 39: Set password<br />
Picture 40: Summary<br />
Picture 41: Selected CA<br />
Picture 42: Password<br />
Picture 43: CA description<br />
Picture 44: Add server request<br />
Picture 45: Edit server request<br />
Picture 46: Set password<br />
Picture 47: Request list<br />
Picture 48: Sign request<br />
Picture 49: Extensions<br />
Picture 50: Summary<br />
Picture 51: Signed certificate<br />
Picture 52: Export to file<br />
Picture 53: Export path<br />
Picture 54: Key export<br />
Picture 55: Common server certificate for vos22<br />
Picture 56: Export as file<br />
Picture 57: Export root certificate<br />
Picture 58: Export file<br />
Picture 59: Running slapd on vos21<br />
Picture 60: Running slapd on vos22<br />
Picture 61: Running slapd on vos21<br />
Picture 62: Running slapd on vos22<br />
Picture 63: Empty DIT<br />
Picture 64: Network parameter<br />
Picture 65: Authentication<br />
Picture 66: Simple DIT<br />
Picture 67: Set dynamic configuration<br />
Picture 68: Runlevel<br />
Picture 69: Enable ldap service at startup<br />
Picture 70: Security settings<br />
Picture 71: User and Group Administration<br />
Picture 72: Configure Authentication Settings<br />
Picture 73: Client configuration<br />
Picture 74: Advanced client configuration<br />
Picture 75: Add two registry parameters<br />
Picture 76: Select packages<br />
Picture 77: Use previously configured LDAP server<br />
Picture 78: Realm and password<br />
Picture 79: LDAP settings<br />
Picture 80: Edit kadm5.acl<br />
Picture 81: Krb5 keytab path<br />
Picture 82: PAM settings<br />
Picture 83: Configure client<br />
Picture 84: PAM settings<br />
Picture 85: Kerberos test<br />
Picture 86: Folder settings<br />
Picture 87: New machine wizard<br />
Picture 88: Choose VM name and OS<br />
Picture 89: Memory settings<br />
Picture 90: Harddisk settings<br />
Picture 91: New disk<br />
Picture 92: HDD type<br />
Picture 93: Disk size<br />
Picture 94: Disk summary<br />
Picture 95: Virtual machine summary<br />
Picture 96: Main window<br />
Picture 97: Motherboard settings<br />
Picture 98: Processor features<br />
Picture 99: Storage settings<br />
Picture 100: Selected OS image<br />
Picture 101: Network adapters<br />
Picture 102: Main window<br />
Picture 103: Installer screen<br />
Picture 104: Welcome screen<br />
Picture 105: Installation mode<br />
Picture 106: Time zone<br />
Picture 107: Disk partition<br />
Picture 108: Select desktop<br />
Picture 109: New user<br />
Picture 110: Password too simple dialog<br />
Picture 111: Root user password<br />
Picture 112: Password too simple dialog<br />
Picture 113: Installation settings<br />
Picture 114: Confirm dialog<br />
Picture 115: Host- and domainname<br />
Picture 116: Network configuration overview<br />
Picture 117: Remote administration<br />
Picture 118: Test internet connection<br />
Picture 119: Connection test<br />
Picture 120: Download dialog<br />
Picture 121: Online update<br />
Picture 122: Packages<br />
Picture 123: Download finished<br />
Picture 124: Restart dialog<br />
Picture 125: Packages selected<br />
Picture 126: Patch finished<br />
Picture 127: Reboot<br />
Picture 128: Install TrueType fonts<br />
Picture 129: Finish patch installation<br />
Picture 130: Release notes<br />
Picture 131: Hardware configuration<br />
Picture 132: Installation completed<br />
Picture 133: Login screen<br />
Picture 134: Client screen<br />
Picture 135: Terminal<br />
Picture 136: Video mode selection<br />
Picture 137: NTP query<br />
1 Preface<br />
1.1 About the Document<br />
This work is licensed by the author Wolfgang Melz under the<br />
Creative Commons Attribution-NoDerivs 3.0 Unported License.<br />
Feel free to translate it into other languages and publish it under<br />
your name, crediting this original creation. To view a copy of this<br />
license, visit http://creativecommons.org/licenses/by-nd/3.0/ or<br />
send a letter to Creative Commons, 171 Second Street, Suite<br />
300, San Francisco, California, 94105, USA.<br />
This document describes the configuration management<br />
process and the setup of the hardware and software required for<br />
successful work in software development and other enterprise<br />
duties. It also outlines the process model, the structure of the<br />
project, the tools used and how to work with its files. Its main<br />
goal is to support the daily work of the team members. Not all<br />
chapters may be of interest to you, depending on your role or<br />
roles in the project. We also give a timeline for the effort each<br />
step of the process needs. If you find bugs or typos, feel free to<br />
contact me by eMail at wm1@gmx.de or leave any other comments,<br />
suggestions and messages.<br />
1.2 Project-Homepage (coming soon)<br />
1.3 Audience<br />
This document is for system administrators, software developers,<br />
project managers and QA staff. It gives you all the information<br />
you need about setting up the hardware and software components<br />
used in the project. You can also define the roles of your<br />
project members here. Members can have one or multiple roles.<br />
You can use the following table to do so.<br />
Timeline: 1-2 hours<br />
Role | Member Name<br />
Project-Lead | <br />
Project-Manager | <br />
Assistant-Manager | <br />
IT-Administrator | <br />
Developer | <br />
QA-Manager | <br />
Tester | <br />
Auditor | <br />
CEO/CIO | <br />
Table 1: Member - Role Assignment<br />
1.4 Enterprise Requirements<br />
The fundamental need in an enterprise is a reliable IT<br />
infrastructure. To reach this goal a lot of things and services are<br />
needed. It starts with hardware, concepts, configuration,<br />
services and software.<br />
The configuration management process starts with planning a<br />
high-availability network. As a result of the plan we know what<br />
hardware and software to order and which services to set up<br />
and configure. The process ends with testing everything and<br />
operating the system.<br />
Backup and restore is another important business process,<br />
which is developed, tested and operated after the server and<br />
storage infrastructure has been set up and put into operation.<br />
Finally we have an EOL (end-of-life) business process for hardware<br />
and software. In it we define how and when to exchange<br />
components at the end of their lifetime. Some companies exchange<br />
their hardware every 2-3 years. I think that is a waste of money, so<br />
I advise exchanging hardware when something breaks down or<br />
after 5 to 8 years.<br />
The company can save money by using Linux software that<br />
is available with source code under the GPL or Apache<br />
License. A wide range of support for this free software is also<br />
available on the internet. Non-OSS software is available as well.<br />
2 Planning the network<br />
The first things to think about are how many physical servers will<br />
be needed, how the company data is stored safely, how the<br />
local network is connected to the internet and how to connect<br />
satellites, branch offices and road warriors.<br />
I advise using at least two physical servers, each with one or<br />
two multi-core server CPUs and at least 32GB of RAM. For<br />
testing purposes one computer or laptop with a multi-core CPU<br />
and 4GB of RAM is also fine.<br />
As data storage I advise two Buffalo NAS units or similar with<br />
four hard disks in a RAID-5 or RAID-10 disk array.<br />
The NAS storage is connected to the servers with Gigabit<br />
Ethernet CAT6 cable via the switch in the internet router.<br />
Timeline: 4-8 hours<br />
Picture 1: Physical Network Topology<br />
2.1 Hardware-Components needed<br />
As we see in the picture above, we need the following<br />
hardware components:<br />
1 Router to the internet<br />
2 Servers<br />
2 NAS-Storage Servers<br />
1 or more Notebooks<br />
1 or more Workstation PCs<br />
For testing purposes and proof of concept we will simulate our<br />
new network with Oracle VirtualBox software on a multi-core<br />
computer. After successful testing you order the new physical<br />
servers and the NAS storage units. Keep in mind that this<br />
configuration is the absolute minimum and not very secure: it is<br />
one flat network segment, so if an intruder passes the router,<br />
nothing but the hosts' own firewalls and services stands between<br />
him and every server and client. Section 3.4 describes the<br />
DMZ layout that adds a second barrier.<br />
Timeline: 1-8 hours<br />
2.2 Services<br />
We identify three different types of services: infrastructure<br />
services, operational services and supporting services.<br />
2.2.1 Infrastructure Services<br />
These services are for easily hooking up a new computer to the<br />
network and having basic services ready to work, like internet<br />
access and eMail. For administrative tasks it is important to<br />
recognise each PC by its name in the local network. So the<br />
first thing to develop is a hostname schema and how IP<br />
addresses are assigned to the hosts.<br />
When a new client PC is connected to the local network, it is<br />
necessary to authenticate the user of that PC enterprise-wide.<br />
This is very important for every company: no unauthenticated<br />
user can get access to enterprise-critical data, and data access<br />
can be monitored and logged.<br />
Finally, connection security from the internet to the enterprise<br />
servers is very important; it is provided by encryption and<br />
certificates (TLS, with a CA of your own as set up in sections 3.12<br />
and 3.13). Nobody else should be able to read the information<br />
transported over the connection.<br />
2.2.2 Operational Services<br />
Medical, Government, Web-Shop, ERP, CRM, Database, SAP,<br />
SW-Development, hosting services to the Internet or customers<br />
outside the LAN but connected to the internet.<br />
2.2.3 Supporting Services<br />
Backup and Restore, Data Archive<br />
2.3 Backup and Restore<br />
You can use rsync or unison for this process. First develop a<br />
plan: what to back up, how often, where to, how long copies are<br />
kept and how restores are tested.<br />
2.4 Data Archive<br />
Develop a plan first.<br />
To work out more services and use-cases you need, set up a<br />
project time frame or separate projects.<br />
3 Configuration-Elements<br />
Overview<br />
Element | Short Description<br />
VirtualBox | Oracle VirtualBox Software<br />
Network | Describes Network configuration<br />
Hostname Schema | Describes the hostname and FQDN for the corresponding IP-Address and the domain names<br />
Hardware | Describes required Hardware-Components of the Systems<br />
Operating Systems | Describes required Operating Systems<br />
SW-Services | Describes required services of the operating system<br />
Sourcecode | Contains the whole sourcecode of the project, without module-tests<br />
Table 2: Elements to configure<br />
3.1 VirtualBox<br />
We use this software to simulate our new network before we<br />
set it up physically. In VirtualBox we install a standard<br />
openSuSE-11.3 operating system in text mode on each box; it<br />
has the smallest memory consumption.<br />
Configure a static IP address, netmask and gateway. Note that<br />
/etc/network/interfaces and its iface ... inet static syntax belong<br />
to Debian-based systems and are not read by openSuSE, which keeps<br />
the interface settings in /etc/sysconfig/network/ifcfg-eth0 and the<br />
default route in /etc/sysconfig/network/routes. Example for the<br />
vBox router vor20:<br />
/etc/sysconfig/network/ifcfg-eth0:<br />
BOOTPROTO='static'<br />
STARTMODE='auto'<br />
IPADDR='192.168.0.20'<br />
NETMASK='255.255.255.0'<br />
/etc/sysconfig/network/routes:<br />
default 192.168.0.1 - -<br />
Apply the change with rcnetwork restart. You can change almost<br />
everything in YaST, the setup and configuration tool of openSuSE.<br />
First, create the share directory and adjust owner and mode.<br />
chmod 777 makes the directory world-writable for every local<br />
account on the NAS; a group-owned directory with mode 2775<br />
(setgid, so new files inherit the group) gives the same result for<br />
members of the group users without opening it to everyone else:<br />
vos22:~ # mkdir /mnt/fileshare<br />
vos22:~ # chown user1:users /mnt/fileshare<br />
vos22:~ # chmod 2775 /mnt/fileshare<br />
To connect to a Samba share on the local network, mount the<br />
share through /etc/fstab, for example:<br />
//192.168.0.2/fileshare /mnt/fileshare cifs username=user1,password=,uid=user1,gid=users,auto,rw,file_mode=0775,dir_mode=0775 0 0<br />
Mount it with mount -a. Use your username from the Samba<br />
server and its password (the documented mount.cifs option name<br />
is password=, alias pass=). Remember that with such a line the<br />
password is stored in cleartext in /etc/fstab, a file every local<br />
user can read. Use an inline password in /etc/fstab only for<br />
testing and development, not in a production environment; there,<br />
put username and password into a file readable by root only and<br />
reference it with the credentials= option instead.<br />
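The production variant of the mount described above, as an added example that is not part of the manual: the password goes into a root-only credentials file, the fstab entry references that file, and a small audit function flags any cifs entry that still carries the password inline. Share, user and group names are the manual's; the credentials file path /root/.smbcredentials is an assumption, and mount.cifs (cifs-utils) is assumed on the client.<br />

```sh
#!/bin/sh
# Added example, not from the manual: mount the Samba share from /etc/fstab
# without a cleartext password in that file. Share, user and group are the
# manual's (//192.168.0.2/fileshare, user1, users); the credentials file
# path is an assumption. Needs mount.cifs (cifs-utils) on the client.
set -eu

# Write a mount.cifs credentials file that only root can read.
# $1 = file path, $2 = Samba user, $3 = password, optional $4 = domain
write_cifs_credentials() {
    cred=$1
    old_umask=$(umask)
    umask 077                      # created 0600: root-only from the first byte
    printf 'username=%s\npassword=%s\n' "$2" "$3" >"$cred"
    if [ -n "${4:-}" ]; then
        printf 'domain=%s\n' "$4" >>"$cred"
    fi
    umask "$old_umask"
    chmod 600 "$cred"              # in case the file already existed
}

# Print the /etc/fstab entry that references the credentials file instead
# of carrying username/password inline.
# $1 = share, $2 = mount point, $3 = credentials file
fstab_line() {
    printf '%s %s cifs credentials=%s,uid=user1,gid=users,file_mode=0775,dir_mode=0775 0 0\n' \
        "$1" "$2" "$3"
}

# Audit an fstab file: succeed (exit 0) if any cifs entry still carries an
# inline password as password=, pass= or the manual's passwd=. Comment
# lines are ignored; the mount options are field 4.
fstab_has_cleartext_cifs_password() {
    grep -v '^[[:space:]]*#' "$1" |
        awk '$3 == "cifs" && ($4 ~ /^(password|pass|passwd)=/ || $4 ~ /,(password|pass|passwd)=/) { found = 1 }
             END { exit !found }'
}

# File mode in octal: GNU stat first, BSD stat as fallback.
file_mode() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}
```

Typical use as root: write_cifs_credentials /root/.smbcredentials user1 'the-password', append the output of fstab_line //192.168.0.2/fileshare /mnt/fileshare /root/.smbcredentials to /etc/fstab, then mount -a. Run fstab_has_cleartext_cifs_password /etc/fstab from a cron job or your audit checklist; it returns success exactly when a cleartext password is still present.<br />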
3.2 Network<br />
Name | IP or Range<br />
IP-Range | 192.168.0.0 - 192.168.0.255<br />
Physical servers and hardware equipment | 192.168.0.1 - 192.168.0.19<br />
Virtual servers | 192.168.0.20 - 192.168.0.99<br />
Clients | 192.168.0.100 - 192.168.0.149<br />
Free for reserve | 192.168.0.150 - 192.168.0.254<br />
Netmask | 255.255.255.0<br />
Default gateway | 192.168.0.1<br />
DNS-Server (and Relay) | 192.168.0.1, 192.168.0.2<br />
Virtual DNS-Server | 192.168.0.21, 192.168.0.22<br />
Table 3: Network address plan<br />
You can also plan with different IP address ranges if you need<br />
more network segments or hosts. You can also obtain public<br />
IPs from your leased-line provider or from RIPE. The other<br />
private IP ranges defined in RFC 1918 are:<br />
Class A, 10.0.0.0 to 10.255.255.255 (10/8): 1 private net with<br />
16,777,216 addresses; Class B, 172.16.0.0 to 172.31.255.255<br />
(172.16/12): 16 private nets with 65,536 addresses each; Class C,<br />
192.168.0.0 to 192.168.255.255 (192.168/16): 256 private nets<br />
with 256 addresses each (254 usable hosts per /24, because the<br />
network and broadcast addresses cannot be assigned).<br />
You can do a basic final test with the following commands when<br />
you have all your virtual boxes ready:<br />
ping 192.168.0.1<br />
ping 192.168.0.2<br />
ping 192.168.0.20<br />
ping 192.168.0.21<br />
ping 192.168.0.22<br />
ping 192.168.0.23<br />
ping www.sun.de<br />
The result should look like this:<br />
slns1:~ # ping 192.168.0.1<br />
PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data.<br />
64 bytes from 192.168.0.1: icmp_seq=1 ttl=64 time=0.975 ms<br />
64 bytes from 192.168.0.1: icmp_seq=2 ttl=64 time=0.884 ms<br />
64 bytes from 192.168.0.1: icmp_seq=3 ttl=64 time=0.898 ms<br />
^C<br />
--- 192.168.0.1 ping statistics ---<br />
3 packets transmitted, 3 received, 0% packet loss, time 2001ms<br />
rtt min/avg/max/mdev = 0.884/0.919/0.975/0.040 ms<br />
slns1:~ #<br />
Timeline: 1-2 hours<br />
3.3 Hostname Schema<br />
The hostname schema plans the name resolution for the IP<br />
addresses of the hosts, for remote software deployment, remote<br />
maintenance and remote customer support. It is also used to<br />
set up the DNS server so that every PC in the local network is<br />
reached by its hostname instead of its IP address. The DNS<br />
domain name will be mynet.lan for internal use and the NetBIOS<br />
domain name is mynet, for example.<br />
Hostname | FQDN | IP | Description<br />
| mynet.lan | | DNS-Domain<br />
| mynet | | NetBios Domain<br />
ls44n | ls44n.mynet.lan | 192.168.0.1 | Internet-Router<br />
slns1 | slns1.mynet.lan | 192.168.0.2 | Net-Storage-Infrastructure-Server<br />
hp-printer | hp-printer.mynet.lan | 192.168.0.19 | Laser Printer<br />
vor20 | vor20.mynet.lan | 192.168.0.20 | Virtual Router<br />
vos21 | vos21.mynet.lan | 192.168.0.21 | Virtual Server 1<br />
vos22 | vos22.mynet.lan | 192.168.0.22 | Virtual Server 2<br />
von23 | von23.mynet.lan | 192.168.0.23 | Virtual NAS 1<br />
von24 | von24.mynet.lan | 192.168.0.24 | Virtual NAS 2<br />
Table 4: Hostname schema plan<br />
If you plan to register a domain or rent web space, your<br />
external domain name on the internet can be mynet.biz or<br />
easybiz.com, whatever you like that is not already in use by<br />
others. Your customers will find you under the name you register.<br />
Timeline: 1-2 hours<br />
3.4 Hardware<br />
In every LAN the following hardware infrastructure is used to<br />
set up a functional local network, an important part of the<br />
configuration management: the router to the internet, the cables,<br />
the switches, the servers that offer services, the IP range used<br />
and the clients for working. Before you can set up and configure<br />
any hardware, you have to develop the IP address range and the<br />
hostname schema for your network, so that every connected<br />
device is reachable by a unique IP and name. We already did this<br />
above. In a more secure LAN you use two routers. The first one<br />
connects to the internet and forms your DMZ. In the DMZ you<br />
place your web server, mail server, secondary CA and<br />
so on, for hosting services to your internet customers.<br />
The second router connects your LAN to the DMZ. You can<br />
configure a Linux box with at least two NICs as the LAN<br />
router. If you use three NICs, you can set up a very<br />
powerful and strong firewall on that host: one NIC for the internet,<br />
one for the DMZ and one for the LAN. This configuration is highly<br />
recommended, but it is not cheap and has to be maintained by<br />
specialised and expensive staff.<br />
3.4.1 Router<br />
Specifications and setup<br />
<table>
<tr><td>Model</td><td>Linksys WRVS4400N Wireless-N Gigabit Security Router with VPN</td></tr>
<tr><td>Value</td><td>140,00 €</td></tr>
<tr><td>Asset depreciation duration</td><td>1 month</td></tr>
<tr><td>Lan-IP</td><td>192.168.0.1</td></tr>
<tr><td>Username</td><td>admin</td></tr>
<tr><td>Password</td><td></td></tr>
<tr><td>WLAN SSID</td><td>mynet</td></tr>
<tr><td>WLAN-Security mode</td><td>WPA/WPA2</td></tr>
<tr><td>PSK, Key</td><td></td></tr>
<tr><td>Local Domain-name</td><td>mynet.lan</td></tr>
<tr><td>DNS-Relay</td><td>activated</td></tr>
<tr><td>DHCP-Server</td><td>disabled</td></tr>
<tr><td>IP-Range</td><td>192.168.0.100 to 192.168.0.199</td></tr>
<tr><td>DHCP-Lease</td><td>1440 minutes</td></tr>
<tr><td>Timezone</td><td>GMT+01:00, Auto Daylight Saving</td></tr>
<tr><td>NTP-Server</td><td>Set the local time using Network Time Protocol (NTP) automatically</td></tr>
<tr><td>Port-Forwarding Rule</td><td>Webserver: HTTP->192.168.0.2, Port-Range/Port 80</td></tr>
</table>
Table 5: Router setup<br />
3.4.2 Cable<br />
I use standard network cable of CAT6a SSTP (PIMF) quality; CAT5e is the minimum for Gigabit-Ethernet.<br />
3.4.3 Switches<br />
A Linksys WRVS4400N Wireless-N Gigabit Security Router with VPN is used. It has a built-in 4 port Gigabit switch and a 300 MBit/s WiFi access point.<br />
3.4.4 Servers<br />
I use only one physical NAS-Server as the NAS1 data storage unit. I assembled it myself to get the highest quality, speed and flexibility and the lowest power consumption for the best price. It has the IP 192.168.0.2 with netmask 255.255.255.0, 192.168.0.1 as default gateway (router) and 192.168.0.2, itself, as the local authoritative DNS-Server. Its hostname is slns1 and its FQDN is slns1.mynet.lan, for example.<br />
Local name resolution for physical servers can also be done with the hosts file, but that is deprecated. As backup device I use my external 500GB usb-hdd.<br />
In a company environment you have at least two powerful dual CPU multicore physical servers for housing the virtual servers which make up the company services infrastructure. A company should have at least two NAS-Server storage units with their harddisks configured as RAID 5 or RAID 10 and syncing with each other.<br />
3.4.5 Print-Servers<br />
For printing I use a multi-functional printer Epson DX 7000F connected to a USB-Port and shared by the client. Additionally I use a network laser printer HP 4050 TN with duplex unit. Its IP is 192.168.0.19 with netmask 255.255.255.0 and no gateway; its share name is hp4050tn. In a company environment you additionally have to plan the use of department or workgroup printers.<br />
3.4.6 Clients<br />
Clients get their IP's from the DHCP-Server of the router for a lease time of 1440 minutes, which equals 24 hours. They also get the netmask, default gateway, ntp-Server and DNS-Server from the DHCP-Server.<br />
3.5 Operating-Systems<br />
Here we describe the configuration of the operating systems used and how to configure their physical network interface. You can use TightVNC on MS-Windows to remote control an X-windowed Linux-Box. Type in the IP-Address or Domain-Name of the box and you are done. Alternatively you can use a browser; then type http://192.168.0.2:5801 to connect to an openSuSE 11.3 box.<br />
3.5.1 OpenSUSE-11.3<br />
I use this distribution because its documentation is very good.<br />
Software package installation and configuration with yast is also<br />
very easy.<br />
3.5.1.1 Samba configuration for my NAS-Server<br />
yast2/samba-server<br />
Start-Up=during boot<br />
Shares=add fileshare<br />
Identity=WORKGROUP, Not a DC<br />
In /etc/xinetd.d/swat comment out the line only_from = 127.0.0.1 (as # only_from = 127.0.0.1) to use swat from a host other than localhost on port 901, and add a user user1 with a password. Note that swat then accepts connections from every host in the network and sends the login over plain HTTP, so where possible list the admin host in only_from instead of commenting the line out.<br />
3.6 SW-Services<br />
Here we describe the use and configuration of the services needed on the virtual machines. A lot of services can use LDAP, so let's set it up first. After a minimal (textmode) openSuSE-11.3 installation you find the manuals in the following file:<br />
/usr/share/doc/manual/opensuse-manuals_en/manual/index.html<br />
The LDAP information is in the Security Guide. Prerequisites are OpenSSL or GnuTLS, Cyrus SASL, Kerberos and Berkeley DB. Kerberos in turn requires a configured and running DNS-Server and NTP-Server. So we start with the NTP, DNS, DHCP and Root CA installation.<br />
3.7 NTP Time Server<br />
The time servers are important to get the correct time from the atomic clock in Braunschweig/Germany for your network.<br />
In yast select Network Services/NTP <strong>Configuration</strong>. Check Now and on Boot and click Add like in the picture.<br />
Picture 2: Enable NTP<br />
In the new synchronisation screen select server and click next.<br />
Press select and choose public server.<br />
Picture 3: Select server<br />
Select country (Germany), ptbtime1.ptb.de, press ok twice.<br />
Picture 4: German server<br />
Redo Add for ptbtime2 to have a second one configured and<br />
delete Local Clock.<br />
When the configuration is finished, it looks like this.<br />
Press F10 to close, then quit yast. Redo the process for the second server vos22.<br />
At last change the variable NETCONFIG_NTP_STATIC_SERVERS in sysconfig, general, network like in the following picture. Set this variable on all hosts with a static IP-Address.<br />
Picture 5: NTP-Servers configured
Timeline: 1 hour<br />
3.8 Master DNS-Server<br />
Picture 6: Netconfig variable for NTP servers<br />
The DNS service works like a phone book. You give it a name like vos21.mynet.lan and it gives you the phone number, namely the IP-Address 192.168.0.21, for example. This service is very important because humans remember names much more easily than IP-Addresses. It makes the employees' life easier to find things like file and print services in the network.<br />
In yast select Software/Software <strong>Management</strong>, as filter select<br />
Patterns, scroll down and choose DHCP and DNS Server by<br />
pressing space. Do this on both machines, vos21 and vos22<br />
to set up DNS-Services.<br />
Press Accept and Ok to install the packages. Now restart yast and select Network Services/DNS Server; you see the following screen.<br />
The forwarder list was filled in when the system was installed; press next.<br />
Picture 7: DHCP & DNS packages<br />
Picture 8: DNS startup screen
Picture 9: Add zones<br />
Now we add two new zones our servers will be responsible for.<br />
Select mynet.lan and press edit, then select only localnets and<br />
press Alt-D to set NS Records.<br />
Picture 10: Set localnets<br />
Add the FQDN names of the two nameservers that are responsible for the domain.<br />
Type Alt-X if you have mailservers, or Alt-S and reset the serial to 1.<br />
Picture 11: Set nameservers for domain<br />
Picture 12: Set serial
Finally add some records by pressing Alt-E. Enter the IP-Addresses<br />
like in table 4, then press ok.<br />
Picture 13: Set records<br />
Now we configure the reverse lookup zone by selecting<br />
0.168.192.in-addr.arpa and press Alt-I. In basics select<br />
localnets and automatically generate records from mynet.lan,<br />
like you see in the following picture.<br />
Now type Alt-D to add authoritative nameserver records.<br />
In SOA set the serial to 1 and press ok. Now the zone configuration<br />
is ready by pressing next. Finally setup the start-up<br />
behavior to on and press finish and then quit.<br />
Picture 14: Set basics<br />
Picture 15: Set nameservers
Now let's test our installed master nameserver by typing nslookup:<br />
vos21:~ # nslookup ls44n<br />
Server: 127.0.0.1<br />
Address: 127.0.0.1#53<br />
** server can't find ls44n: NXDOMAIN<br />
vos21:~ #<br />
If you see the message above, the server has not started correctly. Enter /etc/init.d/named restart to restart it. Then you get the correct result.<br />
vos21:~ # nslookup ls44n<br />
Server: 127.0.0.1<br />
Address: 127.0.0.1#53<br />
Name: ls44n.mynet.lan<br />
Address: 192.168.0.1<br />
vos21:~ #<br />
Timeline: 1-2 hours<br />
3.9 Slave DNS-Server<br />
The slave DNS-Server is used as a high availability failover and load balancing service. It serves the network when the master server is busy or down for any reason. If the master server is down, no dynamic DNS-Updates for the zone are available.<br />
Now let's configure the slave DNS-Server on host vos22 by starting yast and selecting Network Services/DNS Server. At forwarders press next, then enter the two zones like on the master DNS-Server, but select slave.<br />
After pressing add, give the master DNS-Server IP, in this case<br />
192.168.0.21, for example.<br />
Do the same for the reverse zone 0.168.192.in-addr.arpa and<br />
press next. Set the start-up behavior to on and press finish.<br />
Picture 16: Configure slave server<br />
Picture 17: Set master server
Now check the slave DNS-Server.<br />
vos22:~ # nslookup ls44n<br />
Server: 127.0.0.1<br />
Address: 127.0.0.1#53<br />
Name: ls44n.mynet.lan<br />
Address: 192.168.0.1<br />
vos22:~ # /etc/init.d/named stop<br />
Shutting down name server BIND<br />
done<br />
vos22:~ # nslookup ls44n<br />
Server: 192.168.0.21<br />
Address: 192.168.0.21#53<br />
Name: ls44n.mynet.lan<br />
Address: 192.168.0.1<br />
vos22:~ #<br />
Now you have successfully finished setting up the DNS services.<br />
Timeline: 1-2 hours<br />
3.10 DHCP-Server<br />
DHCP is an important service in your network. It assigns your<br />
connected clients an IP-Address, Netmask, Default-Gateway,<br />
Time-Servers, DNS-Servers, Netbios-Servers, Mail-Servers and<br />
so on. It can also register the hostname you give a client host at<br />
installation time to DNS. This makes the management of new<br />
pc clients in the network very easy.<br />
In yast select Network Services/DHCP Server; the server wizard starts. Press Alt-S to select the Network Card with interface eth0 on which the service listens.<br />
Press next to get to the global settings. Fill in domain, primary<br />
and secondary nameserver, default gateway and time server.<br />
Press next to set up the dynamic IP-Address range. We use the<br />
range from table 4, the hostname schema.<br />
Picture 18: Selected nic<br />
Picture 19: Global settings
You can set the default lease time to 1 day.<br />
Picture 20: Dynamic IP address range<br />
Press next and select service start when booting, then press<br />
finish and quit. Then you test it with a client.<br />
Picture 21: Start service when booting the system<br />
To test it, boot a client that is configured to get its IP-Address via DHCP. Now configure the second DHCP-Server on vos22 in the same way.<br />
Timeline: 1-2 hours<br />
3.11 DDNS<br />
With DDNS you can easily set up DNS name resolution for client pc's that get their IP-Address, netmask, default gateway, name servers and time servers over DHCP. To use it, we have to create a TSIG-Key. It is necessary to authenticate the dynamic updates of the DNS-Zone files by the DHCP-Service. Both servers that host the DHCP- and DNS-Service have to share the same TSIG-Key. To create it, start yast and select Network Services/DNS Server, select TSIG Keys and hit enter. In the middle type marndc in the key id field and marndc.key as filename, for example. Then press ok and go for a coffee. It takes a while until the key is created. When the key is ready you can choose add an existing TSIG key by pressing Alt-W to browse to the key.<br />
Picture 22: Create TSIG Key
Picture 23: Select key to add<br />
Click ok to pick the key, then check the filename so that there are not two slashes after the named.d directory in front of the filename. Delete the second slash before pressing Alt-A to add it.<br />
Picture 24: Error, two slashes in path<br />
The next picture shows the correct path and key filename.<br />
Press ok and quit yast.<br />
After generating the key we have to tell sysconfig about it on server vos21 so that DHCP and DNS use it. Start yast, select System, /etc/sysconfig Editor, Network, DHCP, DHCP server, hit enter on DHCPD_CONF_INCLUDE_FILES and add the following path: /etc/named.d/marndc.key. You don't have to add a second key like I did in the screen for testing purposes.<br />
Now copy the key /etc/named.d/marndc.key to the second server vos22 (over scp, for example, since the file holds the shared secret) so the failover DHCP-Server can use it to update the DNS-Server on vos21.<br />
Picture 25: Correct path and keyname
Picture 26: Edit DHCP sysconfig variable<br />
Then enter the same path to the key file for the DNS variable,<br />
located at Network, DNS, Name Server,<br />
NAMED_CONF_INCLUDE_FILES, like you see in the next<br />
screen.<br />
Picture 27: Edit DNS sysconfig variable<br />
After clicking finish you are done with yast.<br />
Set the same two variables on the second server vos22 to use the key file copied there before.<br />
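The TSIG key is a shared secret: whoever can read it can push updates into the zones. As an added example, not the manual's procedure (the manual lets yast generate the key), the Python script below generates a key statement in the same named.conf syntax as /etc/named.d/marndc.key, writes it with mode 0640 and audits a key file for the findings a reviewer would raise: a world-readable or group-writable file, the deprecated hmac-md5 algorithm, a short secret. The key name marndc is the manual's; hmac-sha256, the 32-byte secret, the function names and the temporary directory it writes to are this example's assumptions.<br />

```python
"""Create and audit a BIND/dhcpd TSIG key file such as /etc/named.d/marndc.key.

Added example, not the manual's procedure (the manual lets yast generate
the key). Key name follows the manual; hmac-sha256, the 32-byte secret and
the temporary directory are this example's choices, so it runs anywhere.
"""
import base64
import os
import re
import secrets
import stat
import tempfile

# key "name" { algorithm ...; secret "..."; }; as written in named.conf syntax
KEY_RE = re.compile(
    r'key\s+"?([\w.-]+)"?\s*\{\s*algorithm\s+([\w-]+)\s*;\s*secret\s+"([^"]+)"\s*;\s*\}\s*;'
)


def make_tsig_key(name, algorithm="hmac-sha256", nbytes=32):
    """Render a key statement with a fresh random secret (named.conf syntax,
    also accepted by dhcpd.conf through an include statement)."""
    secret = base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")
    return f'key "{name}" {{\n\talgorithm {algorithm};\n\tsecret "{secret}";\n}};\n'


def write_key_file(path, text):
    """Create the file readable by owner and group only; never overwrite a key."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    os.chmod(path, 0o640)  # final mode independent of the caller's umask


def parse_key_file(path):
    """Return (name, algorithm, raw secret bytes) from a key file."""
    with open(path) as fh:
        m = KEY_RE.search(fh.read())
    if not m:
        raise ValueError(f"{path}: no key statement found")
    return m.group(1), m.group(2), base64.b64decode(m.group(3))


def audit_key_file(path):
    """Return the findings a reviewer would raise about the key file."""
    findings = []
    mode = os.stat(path).st_mode
    if mode & stat.S_IROTH:
        findings.append("secret is world-readable")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("key file is writable by group or others")
    name, algorithm, secret = parse_key_file(path)
    if algorithm.lower() == "hmac-md5":
        findings.append(f"{name}: hmac-md5 is deprecated, prefer hmac-sha256")
    if len(secret) < 16:
        findings.append(f"{name}: secret is only {len(secret)} bytes")
    return findings


def demo():
    """Write a good marndc key and a constructed weak one into a temp dir.

    Returns (path of the good key, its findings, findings of the weak key)."""
    workdir = tempfile.mkdtemp()
    good = os.path.join(workdir, "marndc.key")
    write_key_file(good, make_tsig_key("marndc"))
    # Constructed bad example: weak algorithm, short secret, permissive mode
    weak = os.path.join(workdir, "weak.key")
    write_key_file(weak, make_tsig_key("weak", algorithm="hmac-md5", nbytes=8))
    os.chmod(weak, 0o644)
    return good, audit_key_file(good), audit_key_file(weak)


if __name__ == "__main__":
    path, good_findings, weak_findings = demo()
    print(open(path).read())
    print("good key findings:", good_findings)
    print("weak key findings:", weak_findings)
```

On the real servers point audit_key_file at /etc/named.d/marndc.key on vos21 and on the copy on vos22; both named and dhcpd read the file, so the group owning it must cover both daemons without making it world-readable.<br />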
Now you have configured the two DHCP-Servers with yast, but it is not possible to configure one primary and one secondary DHCP-Server with yast, so we have to do it the hard way by editing the config files. These files are /etc/dhcpd.conf and /etc/named.conf on both machines.<br />
On vos21 /etc/dhcpd.conf<br />
option rfc3442-classless-static-routes code 121 = array of unsigned<br />
integer 8;<br />
option domain-name "mynet.lan";<br />
option domain-name-servers 192.168.0.21, 192.168.0.22;<br />
option ntp-servers 192.168.0.21, 192.168.0.22;<br />
ddns-updates on;<br />
ddns-update-style interim;<br />
default-lease-time 600;<br />
max-lease-time 7200;<br />
one-lease-per-client true;<br />
authoritative ;<br />
log-facility local7;<br />
failover peer "mypeer" {<br />
primary ;<br />
address 192.168.0.21;<br />
peer address 192.168.0.22;<br />
port 519;<br />
peer port 519;<br />
max-response-delay 60;<br />
max-unacked-updates 10;<br />
load balance max seconds 3;<br />
split 128;<br />
mclt 600;<br />
}<br />
include "/etc/named.d/marndc.key";<br />
zone mynet.lan. {<br />
primary 192.168.0.21;<br />
key marndc;<br />
}<br />
zone 0.168.192.in-addr.arpa. {<br />
primary 192.168.0.21;<br />
key marndc;<br />
}<br />
subnet 192.168.0.0 netmask 255.255.255.0 {<br />
pool {<br />
failover peer "mypeer";<br />
range 192.168.0.100 192.168.0.149;<br />
deny dynamic bootp clients;<br />
allow unknown-clients;<br />
}<br />
option routers 192.168.0.1;<br />
option broadcast-address 192.168.0.255;<br />
option subnet-mask 255.255.255.0;<br />
default-lease-time 86400;<br />
max-lease-time 172800;<br />
}<br />
On vos21 /etc/named.conf<br />
options {<br />
directory "/var/lib/named";<br />
dump-file "/var/log/named_dump.db";<br />
statistics-file "/var/log/named.stats";<br />
listen-on-v6 { any; };<br />
notify no;<br />
disable-empty-zone<br />
"1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.A<br />
RPA";<br />
include "/etc/named.d/forwarders.conf";<br />
};<br />
zone "." in {<br />
type hint;<br />
file "root.hint";<br />
};<br />
zone "localhost" in {<br />
type master;<br />
file "localhost.zone";<br />
};<br />
zone "0.0.127.in-addr.arpa" in {<br />
type master;<br />
file "127.0.0.zone";<br />
};<br />
zone<br />
"0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arp<br />
a" in {<br />
type master;<br />
file "127.0.0.zone";<br />
};<br />
controls {<br />
inet 127.0.0.1 allow {<br />
127.0.0.1;<br />
192.168.0.21;<br />
192.168.0.22;<br />
}<br />
keys { "marndc"; } ;<br />
};<br />
include "/etc/named.conf.include";<br />
zone "mynet.lan" in {<br />
allow-transfer { localnets; };<br />
file "dyn/mynet.lan";<br />
type master;<br />
allow-update {<br />
key marndc;<br />
};<br />
};<br />
zone "0.168.192.in-addr.arpa" in {<br />
allow-transfer { localnets; };<br />
file "dyn/0.168.192.in-addr.arpa";<br />
type master;<br />
allow-update {<br />
key marndc;<br />
};<br />
};<br />
On vos22 /etc/dhcpd.conf<br />
option rfc3442-classless-static-routes code 121 = array of unsigned<br />
integer 8;<br />
option domain-name "mynet.lan";<br />
option domain-name-servers 192.168.0.21, 192.168.0.22;<br />
option ntp-servers 192.168.0.21, 192.168.0.22;<br />
ddns-updates on;<br />
ddns-update-style interim;<br />
default-lease-time 600;<br />
max-lease-time 7200;<br />
one-lease-per-client true;<br />
authoritative;<br />
log-facility local7;<br />
failover peer "mypeer" {<br />
secondary;<br />
address 192.168.0.22;<br />
peer address 192.168.0.21;<br />
port 519;<br />
peer port 519;<br />
max-response-delay 60;<br />
max-unacked-updates 10;<br />
load balance max seconds 3;<br />
}<br />
include "/etc/named.d/marndc.key";<br />
zone mynet.lan. {<br />
primary 192.168.0.21;<br />
key marndc;<br />
}<br />
zone 0.168.192.in-addr.arpa. {<br />
primary 192.168.0.21;<br />
key marndc;<br />
}<br />
subnet 192.168.0.0 netmask 255.255.255.0 {<br />
pool {<br />
failover peer "mypeer";<br />
range 192.168.0.100 192.168.0.149;<br />
deny dynamic bootp clients;<br />
allow unknown-clients;<br />
}<br />
option routers 192.168.0.1;<br />
option subnet-mask 255.255.255.0;<br />
option broadcast-address 192.168.0.255;<br />
default-lease-time 86400;<br />
max-lease-time 172800;<br />
}<br />
On vos22 /etc/named.conf<br />
options {<br />
directory "/var/lib/named";<br />
dump-file "/var/log/named_dump.db";<br />
statistics-file "/var/log/named.stats";<br />
listen-on-v6 { any; };<br />
notify no;<br />
disable-empty-zone<br />
"1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.A<br />
RPA";<br />
include "/etc/named.d/forwarders.conf";<br />
};<br />
zone "." in {<br />
type hint;<br />
file "root.hint";<br />
};<br />
zone "localhost" in {<br />
type master;<br />
file "localhost.zone";<br />
};<br />
zone "0.0.127.in-addr.arpa" in {<br />
type master;<br />
file "127.0.0.zone";<br />
};<br />
zone<br />
"0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arp<br />
a" in {<br />
type master;<br />
file "127.0.0.zone";<br />
};<br />
controls {<br />
inet 127.0.0.1 allow {<br />
127.0.0.1;<br />
192.168.0.21;<br />
192.168.0.22;<br />
}<br />
keys { "marndc"; };<br />
};<br />
include "/etc/named.conf.include";<br />
zone "mynet.lan" in {<br />
allow-transfer { localnets; };<br />
masters { 192.168.0.21; };<br />
file "dyn/mynet.lan";<br />
type slave;<br />
allow-update { key marndc; };<br />
};<br />
zone "0.168.192.in-addr.arpa" in {<br />
allow-transfer { localnets; };<br />
masters { 192.168.0.21; };<br />
file "dyn/0.168.192.in-addr.arpa";<br />
type slave;<br />
allow-update { key marndc; };<br />
};<br />
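To catch the mistakes that are easy to make when the two dhcpd.conf files above are edited by hand (a peer address that is not mirrored, a split or mclt statement copied onto the secondary, pools that differ), here is an added Python check that is not part of the manual. It parses the failover peer block and the failover pool ranges of both configs, embedded below as trimmed copies of the vos21 and vos22 listings, and reports every inconsistency; the rules it applies are those of the failover section of dhcpd.conf(5), and the function names are this example's own.<br />

```python
"""Cross-check an ISC dhcpd failover pair (primary vos21, secondary vos22).

Added example, not from the manual. The two strings are trimmed copies of
the /etc/dhcpd.conf listings in this section; the checks follow dhcpd.conf(5):
mirrored addresses and ports, split and mclt only on the primary,
max-response-delay on both, identical failover pools.
"""
import re

PRIMARY_CONF = """
failover peer "mypeer" {
  primary ;
  address 192.168.0.21;
  peer address 192.168.0.22;
  port 519;
  peer port 519;
  max-response-delay 60;
  max-unacked-updates 10;
  load balance max seconds 3;
  split 128;
  mclt 600;
}
subnet 192.168.0.0 netmask 255.255.255.0 {
  pool {
    failover peer "mypeer";
    range 192.168.0.100 192.168.0.149;
    deny dynamic bootp clients;
    allow unknown-clients;
  }
}
"""

SECONDARY_CONF = """
failover peer "mypeer" {
  secondary;
  address 192.168.0.22;
  peer address 192.168.0.21;
  port 519;
  peer port 519;
  max-response-delay 60;
  max-unacked-updates 10;
  load balance max seconds 3;
}
subnet 192.168.0.0 netmask 255.255.255.0 {
  pool {
    failover peer "mypeer";
    range 192.168.0.100 192.168.0.149;
    deny dynamic bootp clients;
    allow unknown-clients;
  }
}
"""

FAILOVER_RE = re.compile(r'failover\s+peer\s+"([^"]+)"\s*\{([^}]*)\}')
POOL_RE = re.compile(r'failover\s+peer\s+"([^"]+)"\s*;\s*range\s+(\S+)\s+(\S+)\s*;')


def failover_block(conf):
    """Return (peer name, {statement: value}); the role is stored under 'role'."""
    m = FAILOVER_RE.search(conf)
    if not m:
        raise ValueError("no failover peer block found")
    stmts = {}
    for raw in m.group(2).split(";"):
        words = raw.split()
        if not words:
            continue
        if words in (["primary"], ["secondary"]):
            stmts["role"] = words[0]
        else:  # multi-word keys such as "peer address" or "load balance max seconds"
            stmts[" ".join(words[:-1])] = words[-1]
    return m.group(1), stmts


def pool_ranges(conf, peer):
    """Sorted (low, high) ranges of every pool assigned to the given failover peer."""
    return sorted((lo, hi) for name, lo, hi in POOL_RE.findall(conf) if name == peer)


def check_pair(primary_conf, secondary_conf):
    """Return a list of mismatches between a primary and a secondary config."""
    p_name, p = failover_block(primary_conf)
    s_name, s = failover_block(secondary_conf)
    problems = []
    if p_name != s_name:
        problems.append(f"peer names differ: {p_name!r} vs {s_name!r}")
    if p.get("role") != "primary":
        problems.append("first config is not declared primary")
    if s.get("role") != "secondary":
        problems.append("second config is not declared secondary")
    for mine, theirs in (("address", "peer address"), ("port", "peer port")):
        if p.get(mine) != s.get(theirs) or p.get(theirs) != s.get(mine):
            problems.append(f"{mine}/{theirs} are not mirrored")
    for key in ("split", "mclt"):
        if key not in p:
            problems.append(f"{key} missing on primary")
        if key in s:
            problems.append(f"{key} must not be set on secondary")
    if "max-response-delay" not in p or "max-response-delay" not in s:
        problems.append("max-response-delay must be set on both peers")
    if pool_ranges(primary_conf, p_name) != pool_ranges(secondary_conf, s_name):
        problems.append("failover pool ranges differ")
    return problems


if __name__ == "__main__":
    print(check_pair(PRIMARY_CONF, SECONDARY_CONF) or "failover pair is consistent")
```

To run it against the live files, read /etc/dhcpd.conf from both hosts into the two strings; the parser only looks at the failover peer block and the pools that reference it, so the rest of the file is ignored.<br />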
After setting up the config files, stop both services on both<br />
servers, /etc/init.d/dhcpd stop and<br />
/etc/init.d/named stop, to copy the zone files to the dyn<br />
directory.<br />
Picture 28: Copy master zone files<br />
On the slave server the zone files are in the slave directory.<br />
Now start the servers again, /etc/init.d/dhcpd start and /etc/init.d/named start, and check that everything works fine. You can also use the commands rcnamed start, rcdhcpd start or rcnamed stop, rcdhcpd stop to start and stop the services. If you get an error message from named that it cannot write a *.jnl file, do a chown named.named /var/lib/named and then restart named.<br />
Finally let's test the setup. Boot a client that gets its network settings by DHCP. Then open a terminal window, type ifconfig and check the following result.<br />
Picture 29: Copy slave zone files
Picture 30: DHCP-Client<br />
Now check name resolving. It should look like the next screen.<br />
Now shut down the primary DNS-Server vos21 to simulate a hardware breakdown. Then the DHCP-Server and DNS-Server on server vos22 should serve the network after starting a client that gets its ip via DHCP, as you see in the following two screens.<br />
Picture 31: Name resolving
Picture 32: Check ip-lease with ifconfig<br />
Here you see that the client got an IP-Address even if the<br />
DHCP-Server on host vos21 is down.<br />
Here nslookup shows you the dynamically updated DNS-Hostnames with their IP-Addresses assigned per DHCP and the static address of the router ls44n.<br />
Keep in mind that when the master server vos21 is down you have no DDNS working and you should not connect new DHCP clients to the network. Their hostnames will not be updated in the DNS-Zone files. Now you have all prerequisites for the Kerberos setup.<br />
Timeline: 2-3 hours<br />
Picture 33: Test nslookup
3.12 Root CA<br />
We need the Root CA to have our own SSL certificates for TLS security. It gives us secure, encrypted client-server connections over the network. In yast select Software/Software <strong>Management</strong>, in Search Phrase type ca-cert and hit return. Install the first three packages by hitting the spacebar on each. Move to the next one with the Tab key. Finally press Alt+A to accept the selection. Now go to Security and Users and choose CA <strong>Management</strong> on the right panel of yast, hit return.<br />
Picture 34: Start CA management<br />
In the next screen you can select a CA from the tree, if you<br />
already have a CA. If you have no CA, type Alt+C to create a<br />
new one. Alternatively you can import a CA by pressing Alt+I,<br />
for example.<br />
After pressing Alt+C you create a CA in three steps.<br />
Fill in CA name, common name, e-mail and hit Add like you see<br />
in the next picture.<br />
Picture 35: CA tree<br />
Picture 36: Step 1
Picture 37: Basic settings<br />
Now fill out the additional settings like you see in the next screen.<br />
Picture 38: Additional settings<br />
Hit next to go to step two. Set the password for the CA.<br />
Now click next to get the summary about the CA.<br />
Press Alt+T to create the CA with settings above. Now you have<br />
one entry in the CA selection screen.<br />
Picture 39: Set password<br />
Picture 40: Summary
Picture 41: Selected CA<br />
Now type Alt+E to enter the newly created CA. You will be<br />
prompted for the password.<br />
Picture 42: Password<br />
After typing the password and hit ok you get the description<br />
screen like you see in the next picture.<br />
To create server and client certificates, start with Requests, so<br />
press Alt+Q to get the next screen. Press Alt+A for a new<br />
request and select Add Server Request.<br />
As the common name type in the fully qualified domain name, in this case vos21.mynet.lan, for example. As email type root@mynet.lan and click Add. Edit or leave the other entries as you like. Then press next to set the password.<br />
Picture 43: CA description<br />
Picture 44: Add server request<br />
Picture 45: Edit server request<br />
Select use CA password and press next.<br />
At the summary screen press Alt+T to create the certificate<br />
request. Then you will see a list of all certificate requests.<br />
Now type Alt+U and select sign. Then select as server certificate<br />
and hit return.<br />
Picture 46: Set password<br />
Picture 47: Request list
Picture 48: Sign request<br />
In the description you see the server's common name. In the valid period you can change the number of days or keep it.<br />
In the requested extensions you can select X509v3 Basic constraints: CA:FALSE, then press next.<br />
You will see the summary and press Alt+S to sign it.<br />
Close the sign dialog by pressing ok. After signing the request<br />
your certificate is ready and you see it in the certificates list by<br />
pressing Alt+E.<br />
Picture 49: Extensions<br />
Picture 50: Summary
Picture 51: Signed certificate<br />
Now export the certificate as a common server certificate by<br />
pressing Alt+X.<br />
Picture 52: Export to file<br />
Enter the password, then hit ok.<br />
Hit ok to finish the export of the common server certificates.<br />
Picture 53: Export path<br />
Picture 54: Key export
Press ok, and Alt+Q to start over to create another server certificate for the second server vos22.mynet.lan. After finishing the server certificate for vos22, you get this screen.<br />
Picture 55: Common server certificate for vos22<br />
Export it to a file on a network share or USB-Stick to copy it to the other host. You need to select the export format. Choose Like PKCS12 and Include the CA Chain. Then enter the certificate password and give a new password. Set the filename where to copy it and press ok to copy. The PKCS12 file contains the server's private key, so remove it from the share or stick once it is imported on the other host.<br />
Hit ok twice and Alt+S to finish the export. Now export the Root CA certificate in the same way. It must be shared on all hosts in your network. Type Alt+A to export the root certificate.<br />
Choose a filename where to export the file. It can be a USB-Stick or a network share.<br />
Press ok twice to finish the export and close yast.<br />
Picture 56: Export as file<br />
Picture 57: Export root certificate<br />
Now you have the Root CA ready to operate, to create and<br />
manage certificates for your clients and servers.<br />
Timeline: 3-4 hours<br />
3.13 CA by command line<br />
First set up your /etc/ssl/openssl.cnf file:<br />
#<br />
# OpenSSL example configuration file.<br />
# This is mostly being used for generation of certificate requests.<br />
#<br />
# This definition stops the following lines choking if HOME isn't<br />
# defined.<br />
HOME = .<br />
RANDFILE = $ENV::HOME/.rnd<br />
# Extra OBJECT IDENTIFIER info:<br />
#oid_file = $ENV::HOME/.oid<br />
oid_section = new_oids<br />
Picture 58: Export file<br />
# To use this configuration file with the "-extfile" option of the<br />
# "openssl x509" utility, name here the section containing the<br />
# X.509v3 extensions to use:<br />
# extensions =<br />
# (Alternatively, use a configuration file that has only<br />
# X.509v3 extensions in its main [= default] section.)<br />
[ new_oids ]<br />
# We can add new OIDs in here for use by 'ca' and 'req'.<br />
# Add a simple OID like this:<br />
# testoid1=1.2.3.4<br />
# Or use config file substitution like this:<br />
# testoid2=${testoid1}.5.6<br />
####################################################################<br />
[ ca ]<br />
default_ca = CA_default # The default ca section<br />
####################################################################<br />
[ CA_default ]<br />
dir = ./demoCA # Where everything is kept<br />
certs = $dir/certs # Where the issued certs are kept<br />
crl_dir = $dir/crl # Where the issued crl are kept<br />
database = $dir/index.txt # database index file.<br />
#unique_subject = no # Set to 'no' to allow creation of<br />
# several ctificates with same subject.<br />
new_certs_dir = $dir/newcerts # default place for new certs.<br />
certificate = $dir/cacert.pem # The CA certificate<br />
serial = $dir/serial # The current serial number<br />
#crlnumber = $dir/crlnumber # the current crl number<br />
# must be commented out to leave a V1 CRL<br />
crl = $dir/crl.pem # The current CRL<br />
private_key = $dir/private/cakey.pem# The private key<br />
RANDFILE = $dir/private/.rand # private random number file<br />
x509_extensions = usr_cert # The extentions to add to the cert<br />
# Comment out the following two lines for the "traditional"<br />
# (and highly broken) format.<br />
name_opt = ca_default # Subject Name options<br />
cert_opt = ca_default # Certificate field options<br />
# Extension copying option: use with caution.<br />
# copy_extensions = copy<br />
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs<br />
# so this is commented out by default to leave a V1 CRL.<br />
# crlnumber must also be commented out to leave a V1 CRL.<br />
# crl_extensions = crl_ext<br />
default_days = 365 # how long to certify for<br />
default_crl_days= 30 # how long before next CRL<br />
default_md = sha1 # which md to use.<br />
preserve = no # keep passed DN ordering<br />
# A few different ways of specifying how similar the request should look<br />
# For type CA, the listed attributes must be the same, and the optional<br />
# and supplied fields are just that :-)<br />
policy = policy_match<br />
# For the CA policy<br />
[ policy_match ]<br />
# countryName = match<br />
domainComponent = match<br />
stateOrProvinceName = match<br />
organizationName = match<br />
organizationalUnitName = optional<br />
commonName = supplied<br />
emailAddress = optional<br />
# For the 'anything' policy<br />
# At this point in time, you must list all acceptable 'object'<br />
# types.<br />
[ policy_anything ]<br />
# countryName = optional<br />
domainComponent = optional<br />
stateOrProvinceName = optional<br />
localityName = optional<br />
organizationName = optional<br />
organizationalUnitName = optional<br />
commonName = supplied<br />
emailAddress = optional<br />
####################################################################<br />
[ req ]<br />
default_bits = 1024<br />
default_keyfile = privkey.pem<br />
distinguished_name = req_distinguished_name<br />
attributes = req_attributes<br />
x509_extensions = v3_ca # The extensions to add to the self signed cert<br />
# Passwords for private keys if not present they will be prompted for<br />
# input_password = secret<br />
# output_password = secret<br />
# This sets a mask for permitted string types. There are several options.<br />
# default: PrintableString, T61String, BMPString.<br />
# pkix : PrintableString, BMPString.<br />
# utf8only: only UTF8Strings.<br />
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).<br />
# MASK:XXXX a literal mask value.<br />
# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings<br />
# so use this option with caution!<br />
string_mask = nombstr<br />
# req_extensions = v3_req # The extensions to add to a certificate request<br />
[ req_distinguished_name ]<br />
# countryName = Country Name (2 letter code)<br />
# countryName_default = AU<br />
# countryName_min = 2<br />
# countryName_max = 2<br />
0.domainComponent = TLD Domaenen-Komponente (dc=lan)<br />
0.domainComponent_default = lan<br />
1.domainComponent = Zweite Domaenen-Komponente (dc=mynet)<br />
1.domainComponent_default = mynet<br />
stateOrProvinceName = State or Province Name (full name)<br />
stateOrProvinceName_default = Deutschland<br />
localityName = Locality Name (eg, city)<br />
localityName_default = Mes<br />
organizationName = Organization Name (eg, company)<br />
organizationName_default = Mynet-Lan Organisation<br />
# we can do this but it is not needed normally :-)<br />
#1.organizationName = Second Organization Name (eg, company)<br />
#1.organizationName_default = World Wide Web Pty Ltd<br />
organizationalUnitName = Organizational Unit Name (eg, section)<br />
organizationalUnitName_default = my ou<br />
commonName = Common Name (eg, YOUR name)<br />
commonName_max = 64<br />
commonName_default = vor20.mynet.lan<br />
emailAddress = Email Address<br />
emailAddress_max = 64<br />
emailAddress_default = root@mynet.lan<br />
# SET-ex3 = SET extension number 3<br />
[ req_attributes ]<br />
challengePassword = A challenge password<br />
challengePassword_min = 4<br />
challengePassword_max = 20<br />
unstructuredName = An optional company name<br />
[ usr_cert ]<br />
# These extensions are added when 'ca' signs a request.<br />
# This goes against PKIX guidelines but some CAs do it and some software<br />
# requires this to avoid interpreting an end user certificate as a CA.<br />
basicConstraints=CA:FALSE<br />
# Here are some examples of the usage of nsCertType. If it is omitted<br />
# the certificate can be used for anything *except* object signing.<br />
# This is OK for an SSL server.<br />
# nsCertType = server<br />
# For an object signing certificate this would be used.<br />
# nsCertType = objsign<br />
# For normal client use this is typical<br />
# nsCertType = client, email<br />
# and for everything including object signing:<br />
# nsCertType = client, email, objsign<br />
# This is typical in keyUsage for a client certificate.<br />
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment<br />
# This will be displayed in Netscape's comment listbox.<br />
nsComment = "OpenSSL Generated Certificate"<br />
# PKIX recommendations harmless if included in all certificates.<br />
subjectKeyIdentifier=hash<br />
authorityKeyIdentifier=keyid,issuer:always<br />
# This stuff is for subjectAltName and issuerAltname.<br />
# Import the email address.<br />
# subjectAltName=email:copy<br />
# An alternative to produce certificates that aren't<br />
# deprecated according to PKIX.<br />
# subjectAltName=email:move<br />
# Copy subject details<br />
# issuerAltName=issuer:copy<br />
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem<br />
#nsBaseUrl<br />
#nsRevocationUrl<br />
#nsRenewalUrl<br />
#nsCaPolicyUrl<br />
#nsSslServerName<br />
[ v3_req ]<br />
# Extensions to add to a certificate request<br />
basicConstraints = CA:FALSE<br />
keyUsage = nonRepudiation, digitalSignature, keyEncipherment<br />
[ v3_ca ]<br />
# Extensions for a typical CA<br />
# PKIX recommendation.<br />
subjectKeyIdentifier=hash<br />
authorityKeyIdentifier=keyid:always,issuer:always<br />
# This is what PKIX recommends but some broken software chokes on critical<br />
# extensions.<br />
#basicConstraints = critical,CA:true<br />
# So we do this instead.<br />
basicConstraints = CA:true<br />
# Key usage: this is typical for a CA certificate. However since it will<br />
# prevent it being used as an test self-signed certificate it is best<br />
# left out by default.<br />
# keyUsage = cRLSign, keyCertSign<br />
# Some might want this also<br />
# nsCertType = sslCA, emailCA<br />
# Include email address in subject alt name: another PKIX recommendation<br />
# subjectAltName=email:copy<br />
# Copy issuer details<br />
# issuerAltName=issuer:copy<br />
# DER hex encoding of an extension: beware experts only!<br />
# obj=DER:02:03<br />
# Where 'obj' is a standard or added object<br />
# You can even override a supported extension:<br />
# basicConstraints= critical, DER:30:03:01:01:FF<br />
[ crl_ext ]<br />
# CRL extensions.<br />
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.<br />
# issuerAltName=issuer:copy<br />
authorityKeyIdentifier=keyid:always,issuer:always<br />
Create random number, if needed<br />
dd if=/dev/urandom of=/etc/ssl/.rnd bs=1 count=2048<br />
Create Root-CA only the first time, create private key<br />
openssl genrsa -des3 -out demoCA/private/cakey.pem -rand .rnd 2048<br />
2048 semi-random bytes loaded<br />
Generating RSA private key, 2048 bit long modulus<br />
.................+++<br />
........................................+++<br />
e is 65537 (0x10001)<br />
Enter pass phrase for demoCA/private/cakey.pem:<br />
Verifying - Enter pass phrase for demoCA/private/cakey.pem:<br />
vor20:/etc/ssl #<br />
Enter linux as password.<br />
Create root certificate<br />
openssl req -new -x509 -days 730 -key demoCA/private/cakey.pem -out demoCA/cacert.pem<br />
Enter pass phrase for demoCA/private/cakey.pem:<br />
You are about to be asked to enter information that will<br />
be incorporated into your certificate request. What you<br />
are about to enter is what is called a Distinguished<br />
Name or a DN. There are quite a few fields but you can<br />
leave some blank. For some fields there will be a<br />
default value, If you enter '.', the field will be left<br />
blank.<br />
TLD Domaenen-Komponente (dc=site) [site]:<br />
Zweite Domaenen-Komponente (dc=local) [local]:<br />
State or Province Name (full name) [Deutschland]:<br />
Locality Name (eg, city) [Dortmund]:<br />
Organization Name (eg, company) [Brainstorm]:<br />
Organizational Unit Name (eg, section) []:<br />
Common Name (eg, YOUR name) [ldapmaster.local.site]:<br />
Email Address []:<br />
vor20:/etc/ssl #<br />
View certificate<br />
openssl x509 -in demoCA/cacert.pem -text | less<br />
Create vos21key and req<br />
openssl genrsa -des3 -out vos21keyenc.pem -rand .rnd 2048<br />
openssl req -new -key vos21keyenc.pem -out vos21req.pem<br />
Sign vos21 certificate<br />
openssl ca -name CA_default -keyfile demoCA/private/cakey.pem -in vos21req.pem -out vos21cert.pem<br />
Remove password from key file<br />
openssl rsa -in vos21keyenc.pem -out vos21key.pem<br />
Create vos22 key and req<br />
openssl genrsa -des3 -out vos22keyenc.pem -rand .rnd 2048<br />
openssl req -new -key vos22keyenc.pem -out vos22req.pem<br />
Sign vos22 certificate<br />
openssl ca -name CA_default -keyfile demoCA/private/cakey.pem -in vos22req.pem -out vos22cert.pem<br />
Remove password from key file<br />
openssl rsa -in vos22keyenc.pem -out vos22key.pem<br />
Create ckent key and req<br />
openssl genrsa -des3 -out ckentkeyenc.pem -rand .rnd 2048<br />
openssl req -new -key ckentkeyenc.pem -out ckentreq.pem<br />
Sign ckent certificate<br />
openssl ca -name CA_default -keyfile demoCA/private/cakey.pem -in ckentreq.pem -out ckentcert.pem<br />
Remove password from key file<br />
openssl rsa -in ckentkeyenc.pem -out ckentkey.pem<br />
Create replicator key and req<br />
openssl genrsa -des3 -out replicatorkeyenc.pem -rand .rnd 2048<br />
openssl req -new -key replicatorkeyenc.pem -out replicatorreq.pem<br />
Sign replicator certificate<br />
openssl ca -name CA_default -keyfile demoCA/private/cakey.pem -in replicatorreq.pem -out replicatorcert.pem<br />
Remove password from key file<br />
openssl rsa -in replicatorkeyenc.pem -out replicatorkey.pem<br />
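The key, request, signing and passphrase-removal steps above, collected into one non-interactive script. This is an added example, not the manual's own code: it drives the same openssl CLI from Python, builds the subject from the [req_distinguished_name] defaults of the openssl.cnf shown earlier (the CA's common name and the scratch directory layout are assumptions), signs with openssl x509 -req -CA instead of openssl ca so that no demoCA index or serial bookkeeping is needed, and writes the key without a passphrase from the start (-nodes), which is the state the manual's final openssl rsa step produces. What it adds over the manual is the check step a practitioner wants before copying files to /etc/openldap/certs: openssl verify against cacert.pem, confirmation that the issued certificate is not itself a CA, and a test that the unencrypted key is readable by its owner only.<br />

```python
"""Scripted, non-interactive version of the certificate steps above, driving the openssl CLI."""
import os
import shutil
import subprocess
import tempfile
from pathlib import Path


def subject(common_name: str) -> str:
    """Subject in the order of the page's [req_distinguished_name] defaults (assumed layout)."""
    return f"/DC=lan/DC=mynet/ST=Deutschland/L=Mes/O=Mynet-Lan Organisation/CN={common_name}"


# End-entity extensions, taken from the non-commented lines of the page's [usr_cert] section.
USR_CERT_EXTENSIONS = """basicConstraints=CA:FALSE
nsComment="OpenSSL Generated Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
"""


def openssl_available() -> bool:
    return shutil.which("openssl") is not None


def openssl(*args: str) -> str:
    """Run one openssl subcommand, failing loudly on a non-zero exit status."""
    return subprocess.run(["openssl", *args], check=True, capture_output=True, text=True).stdout


def make_ca(ca_dir: Path, days: int = 730) -> None:
    """Root key plus self-signed certificate, like 'genrsa' and 'req -new -x509 -days 730' above.
    -nodes writes the key without a passphrase; the manual encrypts it with -des3 and prompts."""
    (ca_dir / "private").mkdir(parents=True, exist_ok=True)
    ca_key = ca_dir / "private" / "cakey.pem"
    openssl("req", "-new", "-x509", "-newkey", "rsa:2048", "-nodes", "-sha256",
            "-days", str(days), "-subj", subject("Mynet-Lan Root CA"),  # CA name assumed
            "-keyout", str(ca_key), "-out", str(ca_dir / "cacert.pem"))
    os.chmod(ca_key, 0o600)


def issue_host_cert(ca_dir: Path, out_dir: Path, name: str, days: int = 365) -> Path:
    """genrsa + req + sign + passphrase removal in one call; files are named as on the page
    (<name>key.pem, <name>req.pem, <name>cert.pem). Signing uses 'x509 -req -CA' rather than
    the manual's 'openssl ca', so no demoCA index.txt/serial is required."""
    key, csr, cert = (out_dir / f"{name}{suffix}.pem" for suffix in ("key", "req", "cert"))
    ext_file = out_dir / "usr_cert.ext"
    ext_file.write_text(USR_CERT_EXTENSIONS)
    openssl("req", "-new", "-newkey", "rsa:2048", "-nodes", "-sha256",
            "-subj", subject(f"{name}.mynet.lan"), "-keyout", str(key), "-out", str(csr))
    openssl("x509", "-req", "-in", str(csr), "-CA", str(ca_dir / "cacert.pem"),
            "-CAkey", str(ca_dir / "private" / "cakey.pem"), "-CAcreateserial",
            "-days", str(days), "-sha256", "-extfile", str(ext_file), "-out", str(cert))
    os.chmod(key, 0o600)  # an unencrypted key must not be group- or world-readable
    return cert


def check_issued(ca_dir: Path, cert: Path, key: Path) -> dict:
    """What to confirm before deploying: chain verifies, not a CA cert, key mode is private."""
    verify = openssl("verify", "-CAfile", str(ca_dir / "cacert.pem"), str(cert))
    text = openssl("x509", "-in", str(cert), "-noout", "-text")
    return {"chain_ok": verify.strip().endswith(": OK"),
            "is_ca": "CA:TRUE" in text,
            "key_private": (key.stat().st_mode & 0o077) == 0}


def all_checks_pass(name: str = "vos21") -> bool:
    """End-to-end run in a scratch directory; True when the issued certificate passes all checks."""
    with tempfile.TemporaryDirectory() as tmp:
        ca_dir, out_dir = Path(tmp) / "demoCA", Path(tmp) / "out"
        out_dir.mkdir()
        make_ca(ca_dir)
        cert = issue_host_cert(ca_dir, out_dir, name)
        result = check_issued(ca_dir, cert, out_dir / f"{name}key.pem")
        return result["chain_ok"] and not result["is_ca"] and result["key_private"]


if __name__ == "__main__":
    print("all checks passed" if all_checks_pass() else "checks FAILED")
```

Run with python3 and it reports whether every check passed. To work against the CA created above instead of a scratch one, point ca_dir at /etc/ssl/demoCA; because that cakey.pem is passphrase protected, openssl will prompt for the pass phrase at the signing step.<br />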
Timeline: 2-3 hours<br />
3.14 OpenLDAP-Server<br />
With yast install the following packages: openldap2, openldap2-back-meta,<br />
openldap2-back-perl, openldap2-client, pam_ldap, nss_ldap, yast2-ldap,<br />
yast2-ldap-client and yast2-ldap-server to configure your LDAP<br />
directory tree. Admin information is in<br />
/usr/share/doc/packages/openldap2/guide/admin/guide.html<br />
and there are many man pages, for example slapd-config.<br />
3.14.1 N-Way/Multi-Master-Replication<br />
The replication traffic in this configuration grows according to the<br />
following formula:<br />
n²-n, where n is the number of LDAP-Servers.<br />
So it is recommended to use two servers as a minimum for high<br />
availability but not more than three servers as a maximum. If<br />
you need more than two Multi-Master-Replication servers, then<br />
set up additional Delta-Syncrepl consumer servers and use the<br />
chain overlay to make them behave as writeable provider<br />
servers. With the chain overlay you delegate write requests to<br />
one of the master servers, which replicates them to the other<br />
master and consumer servers. This setup is only recommended<br />
for big companies with a few thousand employees.<br />
For a small company and an easy setup, a 2-Way/Multi-Master-Replication<br />
is fine for high availability. In the next steps I show you<br />
how to set it up.<br />
3.14.1.1 Delete old database<br />
At first we look in the directory /etc/openldap/slapd.d and<br />
delete all files inside. Then we look in the directory<br />
/var/lib/ldap and delete all files except the DB_CONFIG* files.<br />
We do this on both servers, vos21 and vos22, to make sure that<br />
no old database is left over from the installation.<br />
3.14.1.2 Edit slapd.conf file<br />
If all old databases are deleted on both servers, we edit the<br />
main server config file /etc/openldap/slapd.conf and use it for<br />
the online configuration feature of the LDAP-Server. It should<br />
look like the following file for both servers:<br />
include /etc/openldap/schema/core.schema<br />
include /etc/openldap/schema/cosine.schema<br />
include /etc/openldap/schema/nis.schema<br />
include /etc/openldap/schema/inetorgperson.schema<br />
pidfile /var/run/slapd/slapd.pid<br />
argsfile /var/run/slapd/slapd.args<br />
access to dn.base=""<br />
    by * read<br />
access to dn.base="cn=Subschema"<br />
    by * read<br />
access to attrs=userPassword,userPKCS12<br />
    by self write<br />
    by * auth<br />
access to attrs=shadowLastChange<br />
    by self write<br />
    by * read<br />
access to *<br />
    by * read<br />
ServerID 1 "ldap://vos21.mynet.lan"<br />
ServerID 2 "ldap://vos22.mynet.lan"<br />
database config<br />
rootdn cn=config<br />
rootpw {SSHA}4PvZLcpQ7s1CyQG+yworyl5DcrFTn78q<br />
syncrepl rid=003<br />
    provider="ldap://vos21.mynet.lan"<br />
    searchbase="cn=config"<br />
    type=refreshAndPersist<br />
    retry="5 +"<br />
    bindmethod=simple<br />
    binddn="cn=config"<br />
    credentials="linux"<br />
    filter="(!(olcDatabase={0}config))"<br />
syncrepl rid=004<br />
    provider="ldap://vos22.mynet.lan"<br />
    searchbase="cn=config"<br />
    type=refreshAndPersist<br />
    retry="5 +"<br />
    bindmethod=simple<br />
    binddn="cn=config"<br />
    credentials="linux"<br />
    filter="(!(olcDatabase={0}config))"<br />
overlay syncprov<br />
MirrorMode On<br />
database hdb<br />
suffix "dc=mynet,dc=lan"<br />
rootdn "cn=admin,dc=mynet,dc=lan"<br />
rootpw {SSHA}iLwhoppdqOjJ+0HUroiScDJ3cpbOgo4u<br />
directory /var/lib/ldap<br />
index objectClass eq<br />
index entryUUID,entryCSN eq<br />
overlay syncprov<br />
syncprov-checkpoint 10 1<br />
syncprov-sessionlog 100<br />
limits dn.exact="cn=replicator,dc=mynet,dc=lan"<br />
    size=unlimited time=unlimited<br />
access to *<br />
    by dn.exact="cn=replicator,dc=mynet,dc=lan" read<br />
    by * break<br />
syncrepl rid=001<br />
    provider="ldap://vos21.mynet.lan"<br />
    type=refreshAndPersist<br />
    retry="5 +"<br />
    sear chbase="dc=mynet,dc=lan"<br />
    bindmethod=simple<br />
    binddn="cn=replicator,dc=mynet,dc=lan"<br />
    credentials="linux"<br />
syncrepl rid=002<br />
    provider="ldap://vos22.mynet.lan"<br />
    type=refreshAndPersist<br />
    retry="5 +"<br />
    searchbase="dc=mynet,dc=lan"<br />
    bindmethod=simple<br />
    binddn="cn=replicator,dc=mynet,dc=lan"<br />
    credentials="linux"<br />
MirrorMode On<br />
After copying or editing this file on both servers make sure that<br />
it is chmod 640 and chown root.ldap, like all files in the<br />
/etc/openldap directory.<br />
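The access lines in this slapd.conf are order-sensitive: the first access to clause whose target matches decides, the first matching by clause inside it sets the privilege, and the by * break under database hdb is what lets everyone except the replicator fall through to the global clauses. A mistake in that ordering widens access silently, so it pays to evaluate requests before deploying. The following Python model is an added example, not the manual's code and not OpenLDAP's own evaluator: it parses the clause forms used above and applies slapd's first-match rules, assuming (as slapd does) that the database's own clause is checked before the global ones. The user DN uid=skiu,ou=users,dc=mynet,dc=lan is constructed for the checks, and the tightened variant at the end is an assumption for comparison, not something the manual configures.<br />

```python
"""Offline model of slapd.conf access control for the clause forms used on this page.
Handled: 'access to *', dn.base="...", dn.exact="...", attrs=a,b; 'by *', self, anonymous,
users, dn.exact="..."; levels none..manage; controls stop (default) and break. Real slapd
has far more (regex DNs, sets, +/- incremental privileges); this is a teaching model."""
from typing import Optional

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
CONTROLS = {"stop", "break"}


def _norm(dn: Optional[str]) -> Optional[str]:
    # DN comparison is case-insensitive; a space after the comma is not significant.
    return None if dn is None else dn.replace(", ", ",").lower()


def parse_acls(text: str) -> list:
    """Turn 'access to' lines and their indented 'by who [level] [control]' lines into rules."""
    rules: list = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("access to "):
            spec: dict = {"attrs": None, "dn": None}
            for part in line[len("access to "):].split():
                if part == "*":
                    continue
                key, _, val = part.partition("=")
                val = val.strip('"')
                if key == "attrs":
                    spec["attrs"] = {a.lower() for a in val.split(",")}
                elif key in ("dn.base", "dn.exact"):  # both name exactly one entry
                    spec["dn"] = _norm(val)
                else:
                    raise ValueError(f"unsupported target: {part}")
            rules.append((spec, []))
        elif line.startswith("by "):
            tokens = line.split()[1:]
            who = tokens.pop(0)
            level = tokens.pop(0) if tokens and tokens[0] in LEVELS else None
            control = tokens.pop(0) if tokens and tokens[0] in CONTROLS else "stop"
            rules[-1][1].append((who, level, control))
        else:
            raise ValueError(f"unsupported line: {line}")
    return rules


def _who_matches(who: str, bound: Optional[str], target: str) -> bool:
    if who.startswith("dn.exact="):
        return bound == _norm(who.partition("=")[2].strip('"'))
    return {"*": True, "anonymous": bound is None, "users": bound is not None,
            "self": bound is not None and bound == target}[who]


def _what_matches(spec: dict, target: str, attr: Optional[str]) -> bool:
    if spec["dn"] is not None and target != spec["dn"]:
        return False
    if spec["attrs"] is not None:
        return attr is not None and attr.lower() in spec["attrs"]
    return True  # no attrs= means the entry itself and every attribute of it


def allowed(rules: list, bound_dn: Optional[str], target_dn: str,
            attr: Optional[str], want: str) -> bool:
    """slapd order: the first matching 'access to' decides, and within it the first matching
    'by'. A matched 'by ... break' goes on to later 'access to' clauses instead of stopping;
    a matching clause whose 'by' list fits nobody denies (implicit 'by * none')."""
    bound, target = _norm(bound_dn), _norm(target_dn)
    granted = "none"
    for spec, bys in rules:
        if not _what_matches(spec, target, attr):
            continue
        hit = next(((lvl, ctl) for who, lvl, ctl in bys if _who_matches(who, bound, target)), None)
        if hit is None:
            return False
        level, control = hit
        if level is not None:
            granted = level
        if control != "break":
            break
    return LEVELS.index(granted) >= LEVELS.index(want)


# The page's clauses. slapd evaluates a database's own clauses (the 'access to *' under
# 'database hdb') before the global ones, so that clause comes first here.
PAGE_ACL_TEXT = """
access to *
    by dn.exact="cn=replicator,dc=mynet,dc=lan" read
    by * break
access to dn.base=""
    by * read
access to dn.base="cn=Subschema"
    by * read
access to attrs=userPassword,userPKCS12
    by self write
    by * auth
access to attrs=shadowLastChange
    by self write
    by * read
access to *
    by * read
"""
PAGE_ACLS = parse_acls(PAGE_ACL_TEXT)

# Assumed tightening, not from the page: the catch-all 'by * read' becomes 'by users read'
# plus 'by anonymous auth', so anonymous clients can still bind but no longer browse the DIT.
HARDENED_ACLS = parse_acls(PAGE_ACL_TEXT.rstrip().rsplit("\n", 1)[0]
                           + "\n    by users read\n    by anonymous auth\n")

SKIU = "uid=skiu,ou=users,dc=mynet,dc=lan"  # constructed DN for the page's test user skiu
REPLICATOR = "cn=replicator,dc=mynet,dc=lan"
```

With the page's clauses, anonymous clients can read every attribute except the password-like ones and can still bind (auth on userPassword), a user can change only his own password, and the replicator reads everything because its by clause matches before the break. With the tightened set, anonymous reads of user entries are refused; note that the nss_ldap/pam_ldap client configuration later in this chapter binds anonymously, so it would then need a binddn/bindpw service account in /etc/ldap.conf.<br />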
3.14.1.3 Edit client file /etc/openldap/ldap.conf<br />
All clients who have to use the LDAP-Servers have to have this<br />
file in their /etc/openldap directory. It has the following content<br />
for server vos21:<br />
BASE dc=mynet,dc=lan<br />
URI ldap://vos21.mynet.lan ldap://vos22.mynet.lan<br />
And on server vos22 it looks like this:<br />
BASE dc=mynet,dc=lan<br />
URI ldap://vos22.mynet.lan ldap://vos21.mynet.lan<br />
Make sure this file is chmod 644 and chown root.root.<br />
On 50% of your clients you use the first one and on the other<br />
50% you use the second file. With this configuration you get<br />
high availability, hot standby failover and load balancing. If the<br />
first URI is not available, the client will use the second URI as<br />
failover. The client will always connect to the first URI, so you<br />
have a simple load balancing when you put these files in a<br />
50/50 ratio on your clients. If one server is offline for any<br />
reason, a login to your network is still possible for your LDAP-<br />
Users. Now you know why LDAP is a very important infrastructure<br />
service in your network.<br />
3.14.1.4 Edit /etc/ldap.conf<br />
This is the last config file you have to edit on every host. In the<br />
first line you type the hostname of your LDAP-Servers,<br />
separated by spaces. For load balancing you can exchange the<br />
order of the two servers like you did in the file before. So the<br />
first line looks like this:<br />
host vos21.mynet.lan vos22.mynet.lan on 50% of your hosts<br />
or like:<br />
host vos22.mynet.lan vos21.mynet.lan on the other 50%.<br />
The second and third line look like this:<br />
base dc=mynet,dc=lan<br />
ldap_version 3<br />
There is no need to change anything else in this file now. Save<br />
it and you can go on to start the service on both machines.<br />
3.14.1.5 Start service on vos21<br />
Before you can run the service, you have to create a directory<br />
on both machines. Type mkdir /var/run/slapd to create the<br />
directory. Now set the correct file permission and owner by<br />
typing chmod 755 /var/run/slapd and chown ldap.ldap<br />
/var/run/slapd on the command line.<br />
The first time you start the LDAP-Server on a machine, you<br />
need to convert the slapd.conf file to the online configuration database.<br />
You do this by typing<br />
/usr/lib/openldap/slapd -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d -u ldap -g ldap -d 4<br />
at the command line. The first path of the command line<br />
calls the LDAP-Server binary. The second parameter<br />
-f /... is the path to the config file that is to be converted for the online<br />
configuration. The third parameter -F /... is the path to the<br />
database where the online configuration is stored. The fourth<br />
and fifth parameters -u and -g give the user and group the<br />
service runs as. The last parameter -d 4 is the debug<br />
level. You can look in the man page man slapd.conf for all<br />
debug levels.<br />
Everything works fine if you get the next two screens shown on<br />
the next page.<br />
The error messages are normal until the service is started on<br />
both servers. Then you get an other error message like you see<br />
in the next two pictures on the next page but this is also normal.<br />
Picture 59: Running slapd on vos21<br />
Picture 60: Running slapd on vos22<br />
Picture 61: Running slapd on vos21<br />
Picture 62: Running slapd on vos22<br />
When the slapd service is running on both machines vos21 and<br />
vos22, we can check with Apache Directory Studio or JXplorer<br />
for correct working of the service. The following screen will<br />
show you an empty but fully functional directory information tree<br />
(DIT).<br />
To configure the connection, right click on vos21-mynet and<br />
select properties. You get the following two screens.<br />
Over here you give a name to the connection, an IP-Address, a<br />
port number and select no encryption from the last drop-down<br />
box. You can click on the big button Check Network Parameter<br />
to see if it works.<br />
Picture 63: Empty DIT<br />
Picture 64: Network parameter<br />
Over here select Simple Authentication in the first drop-down<br />
box and type the Bind DN in the second drop-down box. As Bind<br />
Password you type linux. You can test the authentication by<br />
clicking the big button Check Authentication, for example.<br />
Right now we have a working LDAP service on both machines<br />
but we have no DIT to serve and no user for syncrepl to<br />
replicate between both servers. So let's get in some initial data.<br />
Picture 65: Authentication<br />
3.14.1.6 The initial data file init.ldif<br />
This file has the following content (the entries are separated by blank lines, as ldapadd requires):<br />
dn: dc=mynet,dc=lan<br />
objectClass: dcObject<br />
objectClass: Organization<br />
dc: mynet<br />
o: Mynet-Lan Organisation<br />
<br />
dn: cn=admin,dc=mynet,dc=lan<br />
objectClass: organizationalRole<br />
cn: admin<br />
<br />
dn: cn=replicator,dc=mynet,dc=lan<br />
objectClass: organizationalRole<br />
objectClass: simpleSecurityObject<br />
cn: replicator<br />
userPassword: {SSHA}Kq2vTqyFSopY7N1MRGBBtLrY1U2EPwri<br />
This file defines a simple DIT and two administrative users,<br />
admin and replicator. To add this file to your<br />
server, type ldapadd -xWD cn=admin,dc=mynet,dc=lan -f /etc/openldap/init.ldif<br />
on the command line. Then enter the<br />
password linux when asked for it. Finally<br />
you have a simple DIT up and running highly available on both<br />
servers vos21 and vos22.<br />
3.14.1.7 Automatic starting slapd<br />
To have the LDAP-Server running when starting the machine<br />
we need to set some environment variable. Now type yast on<br />
the command line, then select System, /etc/sysconfig Editor,<br />
select Network/LDAP and set the variables in the following<br />
table.<br />
Picture 66: Simple DIT<br />
Variable name Value<br />
OPENLDAP_START_LDAP yes<br />
OPENLDAP_START_LDAPS no<br />
OPENLDAP_START_LDAPI no<br />
OPENLDAP_SLAPD_PARAMS<br />
OPENLDAP_USER ldap<br />
OPENLDAP_GROUP ldap<br />
OPENLDAP_CHOWN_DIRS yes<br />
OPENLDAP_LDAP_INTERFACES<br />
OPENLDAP_LDAPS_INTERFACES<br />
OPENLDAP_LDAPI_INTERFACES<br />
OPENLDAP_REGISTER_SLP no<br />
OPENLDAP_KRB5_KEYTAB<br />
OPENLDAP_CONFIG_BACKEND ldap<br />
Table 6: LDAP environment variables<br />
The table shows the settings for the server vos21. On the<br />
second machine vos22 use the same settings for correct<br />
startup.<br />
Finally press Alt+F to finish like you see in the next picture.<br />
Then type Alt+Q to quit yast.<br />
Picture 67: Set dynamic configuration<br />
Now you have to edit two ldif-files to set the correct URI. Maybe<br />
this is no longer necessary in future versions. You can also read<br />
the advice on this website<br />
http://www.openldap.org/lists/openldaptechnical/201008/msg00274.html.<br />
Open the file olcDatabase={0}config.ldif in the directory<br />
/etc/openldap/slapd.d/cn=config in your favourite text editor.<br />
Find the line<br />
olcSyncrepl: rid=003 provider=ldap://vos21.mynet.lan uri=""<br />
and change it to<br />
olcSyncrepl: rid=003 provider=ldap://vos21.mynet.lan uri="ldap://vos21.mynet.lan"<br />
Now find the next line<br />
olcSyncrepl: rid=004 provider=ldap://vos22.mynet.lan uri=""<br />
and change it also, to<br />
olcSyncrepl: rid=004 provider=ldap://vos22.mynet.lan uri="ldap://vos22.mynet.lan"<br />
then save the file. Do the same for the next file olcDatabase={1}hdb.ldif in the same directory.<br />
Search for the line olcSyncrepl: rid=001 and copy the provider<br />
value to the uri value so that it looks like this:<br />
olcSyncrepl: rid=001 provider=ldap://vos21.mynet.lan uri="ldap://vos21.mynet.lan"<br />
Now find the last line to change, olcSyncrepl: rid=002, and edit it like this:<br />
olcSyncrepl: rid=002 provider=ldap://vos22.mynet.lan uri="ldap://vos22.mynet.lan"<br />
Save it and you are done with the first machine vos21. Now do the same changes on the<br />
second machine vos22, then your LDAP-Server will start up.<br />
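The four edits just described, done mechanically by an added Python script (not part of the manual): it unfolds LDIF continuation lines first, because slapd writes long olcSyncrepl values folded onto a second line with a leading space and a line-by-line editor would miss the uri="" sitting on the continuation, then copies each provider value into the empty uri and leaves lines that already carry a uri untouched, so it is safe to re-run. The sample LDIF is constructed in the shape of olcDatabase={0}config.ldif after the first conversion; the directory and file names are the manual's.<br />

```python
"""Copy the provider value into an empty uri="" on olcSyncrepl lines of slapd.d LDIF files."""
import re
import shutil
from pathlib import Path
from typing import List

SLAPD_D = Path("/etc/openldap/slapd.d/cn=config")  # directory named in the manual
FILES = ["olcDatabase={0}config.ldif", "olcDatabase={1}hdb.ldif"]
PROVIDER_RE = re.compile(r'provider=("?)(ldaps?://[^\s"]+)\1')  # quoted or bare provider value


def unfold_ldif(text: str) -> List[str]:
    """LDIF folds long values; a line beginning with one space continues the previous line."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def fill_uri(line: str) -> str:
    """On an olcSyncrepl line with uri="", insert the provider value; anything else is returned as-is."""
    if not line.startswith("olcSyncrepl:") or 'uri=""' not in line:
        return line
    match = PROVIDER_RE.search(line)
    if match is None:
        raise ValueError(f"olcSyncrepl value without provider: {line}")
    return line.replace('uri=""', f'uri="{match.group(2)}"', 1)


def fix_ldif_text(text: str) -> str:
    """Unfold, fix every olcSyncrepl line, and return the text with long lines left unfolded
    (slapd reads them fine); applying the function twice yields the same result."""
    return "\n".join(fill_uri(line) for line in unfold_ldif(text)) + "\n"


def fix_ldif_file(path: Path) -> bool:
    """Rewrite one file in place, keeping a .bak copy; True when something changed.
    Overwriting the existing file preserves its mode, so the 0600 perms of slapd.d survive."""
    original = path.read_text()
    fixed = fix_ldif_text(original)
    if fixed == original:
        return False
    shutil.copy2(path, path.with_suffix(path.suffix + ".bak"))
    path.write_text(fixed)
    return True


# Constructed sample in the shape of olcDatabase={0}config.ldif as slapd writes it: the first
# olcSyncrepl value is folded across two lines, the second is not.
SAMPLE_CONFIG_LDIF = """dn: olcDatabase={0}config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcSyncrepl: {0}rid=003 provider=ldap://vos21.mynet.lan uri="" searchbase="cn=con
 fig" type=refreshAndPersist retry="5 +" bindmethod=simple binddn="cn=config"
olcSyncrepl: {1}rid=004 provider=ldap://vos22.mynet.lan uri="" searchbase="cn=config"
olcMirrorMode: TRUE
"""

if __name__ == "__main__":
    for name in FILES:  # run as root on each server after the first slapd -f/-F conversion
        print(name, "changed" if fix_ldif_file(SLAPD_D / name) else "unchanged")
```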
Now select System Services (Runlevel) in yast to start slapd on<br />
both machines vos21 and vos22.<br />
Picture 68: Runlevel<br />
Scroll down to ldap and press Alt+E to enable the service at<br />
startup in the correct runlevel.<br />
Press ok to finish the configuration, then press quit. Finally<br />
reboot both machines vos21 and vos22 to check that both<br />
services work properly.<br />
Timeline: 3-4 hours<br />
3.14.2 LDAP-Client Login configuration<br />
To use our LDAP-Server for centralized logins, we have to<br />
configure it with yast. In yast select Security and Users/User<br />
and Group <strong>Management</strong>, like you see in the next screen.<br />
Picture 69: Enable ldap service at startup<br />
Picture 70: Security settings<br />
In the next screen you change the Authentication Settings.<br />
Picture 71: User and Group Administration<br />
Now type Alt+E to edit the Authentication Settings. You will get<br />
the following screen.<br />
Type Alt+N and select LDAP in the popup window; you get the<br />
following screen.<br />
In this screen select Use LDAP, fill in addresses and Base DN,<br />
select Create Home Directory on Login, then press Alt+A and<br />
you will get to the following screen.<br />
Picture 72: Configure Authentication Settings<br />
Picture 73: Client configuration<br />
Fill out Naming Contexts, Password Change Protocol, Group<br />
Member Attribute and press ok three times, then Alt+Q to quit<br />
yast. Now you can add users to your LDAP-Server and authenticate<br />
them on every machine where you configured this LDAP-<br />
Client Login configuration.<br />
Timeline: 1-2 hours<br />
Picture 74: Advanced client configuration<br />
3.15 LDAP-Master vos21<br />
Before you can set up any secure connection between clients<br />
and servers, you need to set up a certificate authority (CA).<br />
Then create server and user X.509 certificates as described in<br />
chapter 3.15 CA by command line for each server and user and<br />
place them in the appropriate place: for both ldap-servers in<br />
/etc/openldap/certs, for users in their home directory. Client<br />
users also need a .ldaprc file in their home directory which<br />
contains the actual absolute path to their cert and key file, for<br />
example:<br />
TLS_CERT /home/ckent/ckentcert.pem<br />
TLS_KEY /home/ckent/ckentkey.pem<br />
This setup is required by TLS encryption.<br />
3.15.1 Setup PDC /etc/openldap/slapd.conf:<br />
include /etc/openldap/schema/core.schema<br />
include /etc/openldap/schema/cosine.schema<br />
include /etc/openldap/schema/nis.schema<br />
include /etc/openldap/schema/inetorgperson.schema<br />
include /etc/openldap/schema/samba3.schema<br />
pidfile /var/run/slapd/slapd.pid<br />
argsfile /var/run/slapd/slapd.args<br />
authz-regexp<br />
    "cn=vos22.mynet.lan,o=Mynet-Lan Organisation,st=deutschland,dc=mynet,dc=lan"<br />
    "cn=replicator,dc=mynet,dc=lan"<br />
access to dn.base=""<br />
    by * read<br />
access to dn.base="cn=Subschema"<br />
    by * read<br />
access to attrs=userPassword,userPKCS12<br />
    by self write<br />
    by * auth<br />
access to attrs=shadowLastChange<br />
    by self write<br />
    by * read<br />
access to *<br />
    by * read<br />
TLSCertificateFile /etc/openldap/certs/vos21cert.pem<br />
TLSCertificateKeyFile /etc/openldap/certs/vos21key.pem<br />
TLSCACertificateFile /etc/openldap/certs/cacert.pem<br />
TLSVerifyClient allow<br />
#TLSVerifyClient demand<br />
#################################################<br />
database config<br />
rootdn cn=config<br />
rootpw {SSHA}4PvZLcpQ7s1CyQG+yworyl5DcrFTn78q<br />
#################################################<br />
# BDB database definitions<br />
#################################################<br />
database hdb<br />
suffix "dc=mynet,dc=lan"<br />
checkpoint 1024 5<br />
cachesize 10000<br />
rootdn "cn=admin,dc=mynet,dc=lan"<br />
rootpw {SSHA}iLwhoppdqOjJ+0HUroiScDJ3cpbOgo4u<br />
directory /var/lib/ldap<br />
# Indices to maintain<br />
index objectClass,uid,memberUid eq<br />
index entryUUID,entryCSN,uidNumber,gidNumber eq<br />
index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq<br />
access to *<br />
    by dn.exact="cn=replicator,dc=mynet,dc=lan" read<br />
    by * break<br />
overlay syncprov<br />
syncprov-checkpoint 10 1<br />
syncprov-sessionlog 100<br />
3.15.2 PDC /etc/openldap/ldap.conf:<br />
BASE dc=mynet,dc=lan<br />
URI ldap://vos21.mynet.lan ldap://vos22.mynet.lan<br />
TLS_CACERT /etc/openldap/certs/cacert.pem<br />
TLS_REQCERT allow<br />
#TLS_REQCERT demand<br />
3.15.3 PDC /etc/ldap.conf:<br />
host vos21.mynet.lan vos22.mynet.lan<br />
base dc=mynet,dc=lan<br />
bind_policy soft<br />
pam_lookup_policy yes<br />
pam_password exop<br />
nss_initgroups_ignoreusers root,ldap<br />
nss_schema rfc2307bis<br />
nss_map_attribute uniqueMember member<br />
ssl no<br />
ldap_version 3<br />
tls_cacertdir /etc/openldap/certs<br />
tls_cacertfile /etc/openldap/certs/cacert.pem<br />
pam_filter objectClass=posixAccount<br />
3.15.4 init.ldif<br />
dn: dc=mynet,dc=lan<br />
objectClass: dcObject<br />
objectClass: Organization<br />
dc: mynet<br />
o: Mynet-Lan Organisation<br />
<br />
dn: cn=admin,dc=mynet,dc=lan<br />
objectClass: organizationalRole<br />
cn: admin<br />
<br />
dn: cn=replicator,dc=mynet,dc=lan<br />
objectClass: organizationalRole<br />
objectClass: simpleSecurityObject<br />
cn: replicator<br />
userPassword: {SSHA}Kq2vTqyFSopY7N1MRGBBtLrY1U2EPwri<br />
3.15.5 samba-base.ldif<br />
dn: ou=users,dc=mynet,dc=lan<br />
objectClass: organizationalUnit<br />
ou: users<br />
<br />
dn: ou=groups,dc=mynet,dc=lan<br />
objectClass: organizationalUnit<br />
ou: groups<br />
<br />
dn: ou=idmap,dc=mynet,dc=lan<br />
objectClass: organizationalUnit<br />
ou: idmap<br />
<br />
dn: ou=computers,dc=mynet,dc=lan<br />
objectClass: organizationalUnit<br />
ou: computers<br />
3.15.6 Testing<br />
Available SASL Mechs<br />
pluginviewer<br />
Simple anonymous connect via TLS<br />
ldapsearch -x -ZZ uid=skiu<br />
ldap_start_tls: Connect error (-11)<br />
additional info: A TLS packet with unexpected length was received.<br />
Here the user has no .ldaprc file in his home directory that<br />
points to his cert- and key-file. Without these files SASL mech<br />
EXTERNAL does not work.<br />
SASLMech EXTERNAL available<br />
ldapsearch -x -ZZ -s base -b "" supportedSASLMechanisms<br />
supportedSASLMechanisms: LOGIN<br />
supportedSASLMechanisms: NTLM<br />
supportedSASLMechanisms: GSSAPI<br />
supportedSASLMechanisms: DIGEST-MD5<br />
supportedSASLMechanisms: CRAM-MD5<br />
supportedSASLMechanisms: PLAIN<br />
supportedSASLMechanisms: EXTERNAL<br />
Connection and Handshake<br />
ldapsearch -Y EXTERNAL -d 1 -ZZ<br />
SASL/EXTERNAL authentication started<br />
ldap_err2string<br />
ldap_sasl_interactive_bind_s: Unknown authentication<br />
method (-6)<br />
additional info: SASL(-4): no mechanism available:<br />
Here the user also has no .ldaprc file in his home directory that<br />
points to his cert- and key-file.<br />
Connect via TLS and Mech EXTERNAL<br />
ldapsearch -Y EXTERNAL -ZZ -LLL uid=ckent<br />
SASL/EXTERNAL authentication started<br />
ldap_sasl_interactive_bind_s: Unknown authentication<br />
method (-6)<br />
additional info: SASL(-4): no mechanism available:<br />
Here the user also has no .ldaprc file in his home directory that<br />
points to his cert- and key-file.<br />
As user root we now check with tcpdump that everything is<br />
encrypted.<br />
tcpdump -xXs 10000 -i lo dst port 389<br />
Now open a second session as root with no .ldaprc in his home<br />
and do an ldapsearch.<br />
ldapsearch -xWD cn=admin,dc=mynet,dc=lan uid=skiu<br />
As a result you will find the admin password linux in cleartext:<br />
14:14:34.841090 IP vos21.mynet.lan.47651 > vos21.mynet.lan.ldap: Flags [P.], seq 0:43, ack 1, win 1025, options [nop,nop,TS val 3142807 ecr 3142803], length 43<br />
0x0000: 4500 005f 940d 4000 4006 2511 c0a8 0015  E.._..@.@.%.....<br />
0x0010: c0a8 0015 ba23 0185 da78 6099 db39 f2f2  .....#...x`..9..<br />
0x0020: 8018 0401 81cc 0000 0101 080a 002f f497  ............./..<br />
0x0030: 002f f493 3029 0201 0160 2402 0103 0418  ./..0)...`$.....<br />
0x0040: 636e 3d61 646d 696e 2c64 633d 6d79 6e65  cn=admin,dc=myne<br />
0x0050: 742c 6463 3d6c 616e 8005 6c69 6e75 78    t,dc=lan..linux<br />
14:14:34.856953 IP vos21.mynet.lan.47651 > vos21.mynet.lan.ldap: Flags [.], ack<br />
Now become user ckent and do the same ldapsearch.<br />
su ckent<br />
ldapsearch -Y EXTERNAL -ZZ -LLL uid=skiu<br />
Here you can read only the certificates, so it is more secure.<br />
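As an added illustration that is not part of the manual, the following Python decoder parses the LDAP BindRequest seen in the tcpdump output above (the BER bytes are reconstructed from that hex dump) and reports the bind DN and method, flagging a simple bind that crossed port 389 without TLS. The SASL EXTERNAL sample and the tls_active flag are constructed assumptions.

```python
# Added example, not taken from the manual: decode the LDAP BindRequest
# (RFC 4511, BER encoded) captured above and report whether a cleartext
# simple-bind password crossed the wire. The password itself is never
# printed, only its presence, the bind DN and the method.
from typing import Optional

BIND_REQUEST_TAG = 0x60   # [APPLICATION 0] BindRequest
SIMPLE_AUTH_TAG = 0x80    # [0] simple: OCTET STRING holding the password
SASL_AUTH_TAG = 0xA3      # [3] sasl: SaslCredentials SEQUENCE


def read_tlv(buf: bytes, pos: int):
    """Read one BER tag/length/value starting at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length (value > 127 bytes)
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_bind_request(payload: bytes) -> Optional[dict]:
    """Decode the first LDAPMessage in payload; None unless it is a BindRequest."""
    tag, msg, _ = read_tlv(payload, 0)
    if tag != 0x30:                         # LDAPMessage ::= SEQUENCE
        return None
    _, msg_id_raw, pos = read_tlv(msg, 0)   # messageID INTEGER
    if pos >= len(msg):
        return None
    op_tag, op, _ = read_tlv(msg, pos)      # protocolOp CHOICE
    if op_tag != BIND_REQUEST_TAG:
        return None
    _, version_raw, pos = read_tlv(op, 0)   # version INTEGER
    _, name, pos = read_tlv(op, pos)        # name LDAPDN (OCTET STRING)
    auth_tag, auth, _ = read_tlv(op, pos)   # authentication CHOICE
    info = {
        "message_id": int.from_bytes(msg_id_raw, "big"),
        "version": int.from_bytes(version_raw, "big"),
        "name": name.decode("utf-8", "replace"),
        "method": "unknown",
        "mechanism": None,
        "password_len": 0,
    }
    if auth_tag == SIMPLE_AUTH_TAG:
        info["method"] = "simple"
        info["password_len"] = len(auth)    # record the length only, never the value
    elif auth_tag == SASL_AUTH_TAG:
        info["method"] = "sasl"
        _, mech, _ = read_tlv(auth, 0)      # mechanism OCTET STRING
        info["mechanism"] = mech.decode("ascii", "replace")
    return info


def audit_bind(payload: bytes, tls_active: bool) -> str:
    """Classify a bind seen on the wire; tls_active says whether StartTLS preceded it."""
    info = parse_bind_request(payload)
    if info is None:
        return "not a BindRequest"
    if info["method"] == "simple" and info["password_len"] > 0 and not tls_active:
        return "FINDING: cleartext simple bind as %s" % info["name"]
    if info["method"] == "sasl":
        return "ok: SASL/%s bind" % info["mechanism"]
    return "ok: %s bind as %s (TLS=%s)" % (info["method"], info["name"], tls_active)


# Constructed sample 1: the 43-byte TCP payload from the tcpdump output above
# (ldapsearch -xWD cn=admin,dc=mynet,dc=lan on port 389 without StartTLS).
SIMPLE_BIND = bytes.fromhex(
    "302902010160240201030418"                          # SEQ, msgid 1, BindRequest, v3
    "636e3d61646d696e2c64633d6d796e65742c64633d6c616e"  # "cn=admin,dc=mynet,dc=lan"
    "80056c696e7578"                                    # [0] simple, 5-byte password
)

# Constructed sample 2: a SASL EXTERNAL bind such as ldapsearch -Y EXTERNAL -ZZ
# sends after StartTLS (empty name, mechanism "EXTERNAL", no credentials).
SASL_EXTERNAL_BIND = bytes.fromhex(
    "30160201016011020103" "0400" "a30a0408" "45585445524e414c"
)

if __name__ == "__main__":
    print(audit_bind(SIMPLE_BIND, tls_active=False))  # FINDING: cleartext simple bind as cn=admin,dc=mynet,dc=lan
    print(audit_bind(SASL_EXTERNAL_BIND, tls_active=True))  # ok: SASL/EXTERNAL bind
```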
Timeline: 3-4 hours<br />
3.16 LDAP-Slave vos22<br />
The LDAP-Slave consumer server vos22 is a special case.<br />
When its syncrepl acts as a client for the provider, it also needs<br />
a .ldaprc file in the /etc/openldap directory that contains the<br />
absolute path to its server cert and key file, for example:<br />
TLS_CERT /etc/openldap/certs/vos22cert.pem<br />
TLS_KEY /etc/openldap/certs/vos22key.pem<br />
3.16.1 Setup BDC /etc/openldap/slapd.conf:<br />
include /etc/openldap/schema/core.schema<br />
include /etc/openldap/schema/cosine.schema<br />
include /etc/openldap/schema/nis.schema<br />
include /etc/openldap/schema/inetorgperson.schema<br />
include /etc/openldap/schema/samba3.schema<br />
pidfile /var/run/slapd/slapd.pid<br />
argsfile /var/run/slapd/slapd.args<br />
access to dn.base=""<br />
by * read<br />
access to dn.base="cn=Subschema"<br />
by * read<br />
access to attrs=userPassword,userPKCS12<br />
by self write<br />
by * auth<br />
access to attrs=shadowLastChange<br />
by self write<br />
by * read<br />
access to *<br />
by * read<br />
TLSCertificateFile /etc/openldap/certs/vos22cert.pem<br />
TLSCertificateKeyFile /etc/openldap/certs/vos22key.pem<br />
TLSCACertificateFile /etc/openldap/certs/cacert.pem<br />
TLSVerifyClient allow<br />
#TLSVerifyClient demand<br />
#######################################################<br />
database config<br />
rootdn cn=config<br />
rootpw {SSHA}4PvZLcpQ7s1CyQG+yworyl5DcrFTn78q<br />
#######################################################<br />
# BDB database definitions<br />
#######################################################<br />
database hdb<br />
suffix "dc=mynet,dc=lan"<br />
checkpoint 1024 5<br />
cachesize 10000<br />
rootdn "cn=admin,dc=mynet,dc=lan"<br />
rootpw {SSHA}iLwhoppdqOjJ+0HUroiScDJ3cpbOgo4u<br />
directory /var/lib/ldap<br />
index objectClass,uid,memberUid eq<br />
index entryUUID,entryCSN,uidNumber,gidNumber eq<br />
index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq<br />
syncrepl rid=001<br />
provider="ldap://vos21.mynet.lan"<br />
searchbase="dc=mynet,dc=lan"<br />
type=refreshAndPersist<br />
retry="15 +"<br />
binddn="cn=replicator,dc=mynet,dc=lan"<br />
bindmethod=simple<br />
credentials="linux"<br />
starttls=yes<br />
# bindmethod=sasl<br />
# saslmech=EXTERNAL<br />
# starttls=yes<br />
# starttls=critical<br />
3.16.2 BDC /etc/openldap/ldap.conf:<br />
BASE dc=mynet,dc=lan<br />
URI ldap://vos22.mynet.lan ldap://vos21.mynet.lan<br />
TLS_CACERT /etc/openldap/certs/cacert.pem<br />
TLS_REQCERT allow<br />
#TLS_REQCERT demand<br />
3.16.3 BDC /etc/ldap.conf:<br />
host vos22.mynet.lan vos21.mynet.lan<br />
base dc=mynet,dc=lan<br />
bind_policy soft<br />
pam_lookup_policy yes<br />
pam_password exop<br />
nss_initgroups_ignoreusers root,ldap<br />
nss_schema rfc2307bis<br />
nss_map_attribute uniqueMember member<br />
ssl no<br />
ldap_version 3<br />
tls_cacertdir /etc/openldap/certs<br />
tls_cacertfile /etc/openldap/certs/cacert.pem<br />
pam_filter objectClass=posixAccount<br />
You can test your installation as in chapter 3.17.4 with an offline<br />
PDC server.<br />
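As an added check that is not part of the manual, the following Python script audits the three files of this section (slapd.conf syncrepl stanza, /etc/openldap/ldap.conf and /etc/ldap.conf) for combinations under which passwords cross the wire unprotected or certificates go unverified. The sample file contents are constructed excerpts of the vos22 listings above.

```python
# Added example, not part of the manual: audit the three OpenLDAP files from
# this section for settings under which passwords can cross the wire in
# cleartext or certificates are not verified. Sample contents below are
# constructed from the vos22 listings above.
import re
from typing import Dict, List

# syncrepl options are key=value, optionally quoted: provider="ldap://..."
SYNCREPL_OPT = re.compile(r'(\w+)=("?)([^"]*)\2')


def parse_slapd_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Collect global directives and the key=value options of the syncrepl stanza."""
    cfg: Dict[str, Dict[str, str]] = {"global": {}, "syncrepl": {}}
    in_syncrepl = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("syncrepl"):
            in_syncrepl = True
            line = line[len("syncrepl"):].strip()
        m = SYNCREPL_OPT.fullmatch(line)
        if in_syncrepl and m:                # continuation line of the stanza
            cfg["syncrepl"][m.group(1)] = m.group(3)
            continue
        in_syncrepl = False                  # any other directive ends the stanza
        key, _, value = line.partition(" ")
        cfg["global"][key] = value.strip()
    return cfg


def parse_kv(text: str) -> Dict[str, str]:
    """Parse 'KEY value' files such as ldap.conf; keys are folded to lower case."""
    out: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            out[key.lower()] = value.strip()
    return out


def audit(slapd: Dict[str, Dict[str, str]], ldap_conf: Dict[str, str],
          nss_conf: Dict[str, str]) -> List[str]:
    """Return one finding per weak setting; an empty list means nothing was flagged."""
    findings: List[str] = []
    s = slapd["syncrepl"]
    if s.get("bindmethod") == "simple":
        if s.get("starttls") != "critical":
            findings.append("slapd.conf: syncrepl uses a simple bind with starttls=%s; "
                            "only 'critical' aborts the session when StartTLS fails, "
                            "otherwise the replicator password is sent in cleartext"
                            % s.get("starttls", "no"))
        if "credentials" in s:
            findings.append("slapd.conf: the replicator password is stored in the file; "
                            "the commented-out bindmethod=sasl with saslmech=EXTERNAL "
                            "authenticates with the server certificate instead")
    if slapd["global"].get("TLSVerifyClient", "never") != "demand":
        findings.append("slapd.conf: TLSVerifyClient is not 'demand', so a TLS session "
                        "may proceed without a verified client certificate")
    if ldap_conf.get("tls_reqcert", "demand") != "demand":
        findings.append("ldap.conf: TLS_REQCERT %s accepts an unverifiable server "
                        "certificate; 'demand' is the safe value" % ldap_conf["tls_reqcert"])
    if nss_conf.get("ssl", "no") not in ("start_tls", "on"):
        findings.append("/etc/ldap.conf: ssl %s means pam_ldap/nss_ldap binds and "
                        "pam_password exop changes travel unencrypted; use 'ssl start_tls'"
                        % nss_conf.get("ssl", "no"))
    return findings


# Constructed excerpts of the vos22 files shown in 3.16.1 to 3.16.3.
SLAPD_CONF = """\
TLSCACertificateFile /etc/openldap/certs/cacert.pem
TLSVerifyClient allow
#TLSVerifyClient demand
database hdb
suffix "dc=mynet,dc=lan"
syncrepl rid=001
        provider="ldap://vos21.mynet.lan"
        searchbase="dc=mynet,dc=lan"
        type=refreshAndPersist
        retry="15 +"
        binddn="cn=replicator,dc=mynet,dc=lan"
        bindmethod=simple
        credentials="linux"
        starttls=yes
"""
LDAP_CONF = "BASE dc=mynet,dc=lan\nTLS_CACERT /etc/openldap/certs/cacert.pem\nTLS_REQCERT allow\n"
NSS_LDAP_CONF = "host vos22.mynet.lan vos21.mynet.lan\npam_password exop\nssl no\n"


def audit_manual_config() -> List[str]:
    """Run the audit over the constructed vos22 excerpts."""
    return audit(parse_slapd_conf(SLAPD_CONF), parse_kv(LDAP_CONF), parse_kv(NSS_LDAP_CONF))


if __name__ == "__main__":
    for finding in audit_manual_config():
        print("-", finding)
```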
Timeline: 3-4 hours<br />
3.17 Samba 3 ldapsam:editposix setup<br />
3.17.1 PDC vos21 /etc/samba/smb.conf:<br />
# smb.conf is the main Samba configuration file. You find a full commented<br />
# version at /usr/share/doc/packages/samba/examples/smb.conf.SUSE if the<br />
# samba-doc package is installed.<br />
# Date: 2010-09-15<br />
[global]<br />
workgroup = MYNET<br />
realm = MYNET.LAN<br />
password server = vos21.mynet.lan<br />
; client use spnego = yes<br />
; use kerberos keytab = yes<br />
netbios name = vos21<br />
domain logons = yes<br />
domain master = yes<br />
local master = yes<br />
preferred master = yes<br />
security = user<br />
# This enables MS Distributed File System.<br />
; host msdfs = Yes<br />
time server = Yes<br />
# debuglevel = 3 tdb:10 printdriver:10 lanman:10 smb:10 rpc_parse:10 rpc_srv:10 rpc_cli:10 passdb:10 sam:10 auth:10 winbind:10 vfs:10<br />
# debuglevel = 10<br />
os level = 85<br />
log level = 3<br />
# Use this entry only the first time for setup; the second entry is for<br />
# load balancing in a production environment after successful setup<br />
passdb backend = ldapsam:ldap://vos21.mynet.lan<br />
# passdb backend = ldapsam:"ldap://vos21.mynet.lan ldap://vos22.mynet.lan"<br />
ldapsam:trusted = yes<br />
ldapsam:editposix = yes<br />
ldap admin dn = cn=admin,dc=mynet,dc=lan<br />
ldap suffix = dc=mynet,dc=lan<br />
ldap passwd sync = yes<br />
ldap machine suffix = ou=computers<br />
ldap user suffix = ou=users<br />
ldap group suffix = ou=groups<br />
ldap idmap suffix = ou=idmap<br />
ldap ssl = off<br />
idmap uid = 10000-20000<br />
idmap gid = 10000-20000<br />
idmap config MYNET:default = yes<br />
idmap config MYNET:backend = ldap<br />
idmap config MYNET:ldap_base_dn = ou=idmap,dc=mynet,dc=lan<br />
idmap config MYNET:ldap_user_dn = cn=admin,dc=mynet,dc=lan<br />
idmap config MYNET:ldap_url = ldap://vos21.mynet.lan<br />
idmap config MYNET:range = 10000 - 59999<br />
idmap alloc backend = ldap<br />
idmap alloc config:ldap_base_dn = ou=idmap,dc=mynet,dc=lan<br />
idmap alloc config:ldap_user_dn = cn=admin,dc=mynet,dc=lan<br />
idmap alloc config:ldap_url = ldap://vos21.mynet.lan<br />
idmap alloc config:range = 10000 - 59999<br />
printing = cups<br />
printcap name = cups<br />
printcap cache time = 750<br />
cups options = raw<br />
map to guest = Bad User<br />
logon script = scripts\logon.bat<br />
logon path = \\%L\profiles\%U\%a<br />
; logon path = \\%L\profiles\.msprofile<br />
# Next two lines for Win NT and Win95 behavior<br />
; logon home = \\%L\%U\.9xprofile<br />
; logon drive = P:<br />
# Next two lines to disable server stored profiles<br />
; logon path =<br />
; logon home =<br />
usershare max shares = 10<br />
usershare allow guests = Yes<br />
[homes]<br />
; mapped to Windows drive letter z:<br />
comment = Home Directories<br />
valid users = %S, %D%w%S<br />
browseable = Yes<br />
read only = No<br />
inherit acls = Yes<br />
[profiles]<br />
comment = Network Profiles Service<br />
; path = %H<br />
path = /var/lib/samba/profiles<br />
read only = No<br />
store dos attributes = Yes<br />
create mask = 0600<br />
directory mask = 0700<br />
browseable = no<br />
guest ok = no<br />
printable = no<br />
hide files = /desktop.ini/outlook*.lnk/*Briefcase*/<br />
; store logon scripts in /var/lib/samba/netlogon/scripts<br />
; store policy file NTConfig.POL in /var/lib/samba/netlogon<br />
[netlogon]<br />
comment = User netlogon scripts<br />
path = /var/lib/samba/netlogon<br />
admin users = root, Administrator<br />
browseable = No<br />
; all users have rw permissions for their home dir and<br />
; all users have read permission to all users home dirs<br />
; on this share (users)<br />
; you can mount it to a dos drive letter in logon.bat<br />
[users]<br />
comment = All users<br />
path = /home<br />
read only = No<br />
inherit acls = Yes<br />
veto files = /aquota.user/groups/shares/<br />
; all users have rw permissions to this dir on this share (groups)<br />
; you can mount it to a dos drive letter in logon.bat<br />
[groups]<br />
comment = All groups<br />
path = /home/groups<br />
read only = No<br />
inherit acls = Yes<br />
[pdf]<br />
comment = PDF creator<br />
path = /var/tmp<br />
printable = Yes<br />
print command = /usr/bin/smbprngenpdf -J '%J' -c %c -s %s -u '%u' -z %z<br />
create mask = 0600<br />
# The following share gives all users access to the Server's CD drive,<br />
# assuming it is mounted under /media/cdrom.<br />
;[cdrom]<br />
; comment = Linux CD-ROM<br />
; path = /media/cdrom<br />
; locking = No<br />
# With the next two lines you could automatically mount or umount the CD if a<br />
# connection to the share is established or closed.<br />
; preexec = /bin/mount /media/cdrom<br />
; postexec = /bin/umount /media/cdrom<br />
[printers]<br />
comment = All Printers<br />
path = /var/tmp<br />
; guest ok = Yes<br />
printable = Yes<br />
create mask = 0600<br />
browseable = No<br />
[print$]<br />
comment = Printer Drivers<br />
path = /var/lib/samba/drivers<br />
; guest ok = Yes<br />
write list = @ntadmin root<br />
force group = ntadmin<br />
create mask = 0664<br />
directory mask = 0775<br />
; testshare<br />
;[samba]<br />
; path = /samba<br />
; readonly = no<br />
3.17.2 BDC vos22 /etc/samba/smb.conf:<br />
# smb.conf is the main Samba configuration file. You find a full commented<br />
# version at /usr/share/doc/packages/samba/examples/smb.conf.SUSE if the<br />
# samba-doc package is installed.<br />
# Date: 2010-09-15<br />
[global]<br />
workgroup = MYNET<br />
realm = MYNET.LAN<br />
password server = vos21.mynet.lan<br />
; client use spnego = yes<br />
; use kerberos keytab = yes<br />
netbios name = vos22<br />
domain logons = yes<br />
domain master = no<br />
local master = no<br />
; local master = Yes<br />
preferred master = no<br />
security = user<br />
# This enables MS Distributed File System.<br />
; host msdfs = Yes<br />
time server = Yes<br />
# debuglevel = 3 tdb:10 printdriver:10 lanman:10 smb:10 rpc_parse:10 rpc_s<br />
# debuglevel = 10<br />
os level = 32<br />
log level = 3<br />
passdb backend = ldapsam:"ldap://vos21.mynet.lan ldap://vos22.mynet.lan"<br />
ldapsam:trusted = yes<br />
ldapsam:editposix = yes<br />
ldap admin dn = cn=admin,dc=mynet,dc=lan<br />
ldap suffix = dc=mynet,dc=lan<br />
ldap passwd sync = yes<br />
ldap machine suffix = ou=computers<br />
ldap user suffix = ou=users<br />
ldap group suffix = ou=groups<br />
ldap idmap suffix = ou=idmap<br />
ldap ssl = off<br />
idmap uid = 10000-20000<br />
idmap gid = 10000-20000<br />
idmap config MYNET:default = yes<br />
idmap config MYNET:backend = ldap<br />
idmap config MYNET:ldap_base_dn = ou=idmap,dc=mynet,dc=lan<br />
idmap config MYNET:ldap_user_dn = cn=admin,dc=mynet,dc=lan<br />
idmap config MYNET:ldap_url = ldap://vos21.mynet.lan<br />
idmap config MYNET:range = 10000 - 59999<br />
idmap alloc backend = ldap<br />
idmap alloc config:ldap_base_dn = ou=idmap,dc=mynet,dc=lan<br />
idmap alloc config:ldap_user_dn = cn=admin,dc=mynet,dc=lan<br />
idmap alloc config:ldap_url = ldap://vos21.mynet.lan<br />
idmap alloc config:range = 10000 - 59999<br />
printing = cups<br />
printcap name = cups<br />
printcap cache time = 750<br />
cups options = raw<br />
map to guest = Bad User<br />
logon script = scripts\logon.bat<br />
logon path = \\%L\profiles\%U\%a<br />
; logon path = \\%L\profiles\.msprofile<br />
# Next two lines for Win NT and Win95 behavior<br />
; logon home = \\%L\%U\.9xprofile<br />
; logon drive = P:<br />
# Next two lines to disable server stored profiles<br />
; logon path =<br />
; logon home =<br />
usershare max shares = 10<br />
usershare allow guests = Yes<br />
[homes]<br />
; mapped to Windows drive letter z:<br />
comment = Home Directories<br />
valid users = %S, %D%w%S<br />
browseable = Yes<br />
read only = No<br />
inherit acls = Yes<br />
[profiles]<br />
comment = Network Profiles Service<br />
; path = %H<br />
path = /var/lib/samba/profiles<br />
read only = No<br />
store dos attributes = Yes<br />
create mask = 0600<br />
directory mask = 0700<br />
browseable = no<br />
guest ok = no<br />
printable = no<br />
hide files = /desktop.ini/outlook*.lnk/*Briefcase*/<br />
; store logon scripts in /var/lib/samba/netlogon/scripts<br />
; store policy file NTConfig.POL in /var/lib/samba/netlogon<br />
[netlogon]<br />
comment = User netlogon scripts<br />
path = /var/lib/samba/netlogon<br />
admin users = root, Administrator<br />
browseable = No<br />
; all users have rw permissions for their home dir and<br />
; all users have read permission to all users home dirs<br />
; on this share (users)<br />
; you can mount it to a dos drive letter in logon.bat<br />
[users]<br />
comment = All users<br />
path = /home<br />
read only = No<br />
inherit acls = Yes<br />
veto files = /aquota.user/groups/shares/<br />
; all users have rw permissions to this dir on this share (groups)<br />
; you can mount it to a dos drive letter in logon.bat<br />
[groups]<br />
comment = All groups<br />
path = /home/groups<br />
read only = No<br />
inherit acls = Yes<br />
[pdf]<br />
comment = PDF creator<br />
path = /var/tmp<br />
printable = Yes<br />
print command = /usr/bin/smbprngenpdf -J '%J' -c %c -s %s -u '%u' -z %z<br />
create mask = 0600<br />
# The following share gives all users access to the Server's CD drive,<br />
# assuming it is mounted under /media/cdrom.<br />
;[cdrom]<br />
; comment = Linux CD-ROM<br />
; path = /media/cdrom<br />
; locking = No<br />
# With the next two lines you could automatically mount or umount the CD if a<br />
# connection to the share is established or closed.<br />
; preexec = /bin/mount /media/cdrom<br />
; postexec = /bin/umount /media/cdrom<br />
[printers]<br />
comment = All Printers<br />
path = /var/tmp<br />
; guest ok = Yes<br />
printable = Yes<br />
create mask = 0600<br />
browseable = No<br />
[print$]<br />
comment = Printer Drivers<br />
path = /var/lib/samba/drivers<br />
; guest ok = Yes<br />
write list = @ntadmin root<br />
force group = ntadmin<br />
create mask = 0664<br />
directory mask = 0775<br />
; testshare<br />
;[samba]<br />
; path = /samba<br />
; readonly = no<br />
Set samba master password: smbpasswd -w linux<br />
Set winbind-idmap_ldap passwords:<br />
net idmap secret MYNET linux<br />
net idmap secret alloc linux<br />
Start winbind: rcwinbind start<br />
PDC provisioning: net sam provision<br />
PDC set Samba Domain Administrator password:<br />
smbpasswd Administrator, enter linux as password.<br />
BDC check SIDs: net getlocalsid && net rpc info, use<br />
password linux. If they are different, use net rpc getsid on<br />
the BDC.<br />
Start samba daemons: rcsmb start && rcnmb start<br />
PDC enable User- and Machine-Account management for the<br />
Samba Domain Administrator:<br />
net rpc rights grant Administrator SeAddUsersPrivilege<br />
-U Administrator<br />
net rpc rights grant Administrator SeMachineAccountPrivilege<br />
-U Administrator<br />
To add a user to the LDAP powered Samba domain type<br />
pdbedit -a -u ckent -f "Clark Kent"<br />
-p="\\\\vos21.mynet.lan\\profiles\\ckent"<br />
You can leave out the -p parameter if you do not need a server stored<br />
profile for the user. Instead of pdbedit you can use smbpasswd,<br />
for example, but check the parameters in the man pages.<br />
Add another user with a display name with pdbedit -a -u skiu -f<br />
"Susi Kiu" and delete a user with pdbedit -x -u hulk, for<br />
example. For using TLS you can generate X.509 certificates for<br />
these users like we did in chapter 3.15 CA by command line.<br />
3.17.3 Server stored profiles and netlogon<br />
First create a profiles dir to store the profiles on the server,<br />
/var/lib/samba/profiles, for example. Make it chmod 755<br />
profiles and chown root.users profiles. Do the same for the<br />
netlogon dir. In netlogon create a folder scripts with the same<br />
permissions and owner that holds the logon.bat logon script.<br />
Do this setup on both machines, PDC and BDC.<br />
logon.bat:<br />
@echo off<br />
echo running logon.bat<br />
echo here you can connect dos drive letters to network shares<br />
echo example: net use f: \\server.example.com\sharedfolder /persistent:no<br />
echo mount groups to g: everyone has read/write access<br />
net use g: \\vos21.mynet.lan\groups /persistent:no<br />
echo mount all users home dirs to u: with read access<br />
net use u: \\vos21.mynet.lan\users /persistent:no<br />
pause<br />
Timeline: 3-4 hours<br />
3.18 Windows XP Client Domain join<br />
Use regedit to change the following key:<br />
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Netlogon\Parameters\requiresignorseal [0]<br />
Change requiresignorseal from [1] to [0] and you can join<br />
your Samba domain.<br />
3.19 Windows 7 Client Domain join<br />
Use regedit to add two parameters to the registry in the<br />
following key:<br />
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanWorkstation\Parameters<br />
Add a DWORD DomainCompatibilityMode = 1<br />
Add a DWORD DNSNameResolutionRequired = 0<br />
Picture 75: Add two registry parameters<br />
3.20 Domain management with srvtools.exe<br />
You can use Microsoft srvtools.exe to manage your domain,<br />
download it here:<br />
http://support.microsoft.com/kb/173673/en-us/<br />
Timeline: 1 hour, but it depends on the number of your clients.<br />
3.21 Kerberos Server setup<br />
If you want a single sign-on system you need Kerberos;<br />
for a normal PDC/BDC you do not need it. If you use<br />
Kerberos, it is strongly advised to run it on a separate machine<br />
in a secure location and not to run any other services on<br />
the Kerberos machine. First install the packages that make<br />
up a Kerberos server: yast2-kerberos-server, krb5,<br />
krb5-appl-server, krb5-client, krb5-server,<br />
pam_krb5, krb5-doc, krb5-plugin-kdb-ldap and<br />
krb5-appl-clients. Start yast, select Software\Software<br />
<strong>Management</strong> and hit enter. In the search phrase type krb5 to<br />
find the appropriate packages.<br />
Select the above packages and type Alt+A to install. After<br />
finishing the installation, go to Network Services/Kerberos<br />
Server in yast. In the following screen press Alt + U to use the<br />
existing openLDAP setup. Then press Alt+N for the next screen.<br />
Picture 76: Select packages
Picture 77: Use previous configured LDAP server<br />
3 <strong>Configuration</strong>-Elements<br />
Now edit the Basic Kerberos Settings. Enter the Realm,<br />
password linux and confirm it. Then press next.<br />
Picture 78: Realm and password<br />
In the next screen enter the LDAP settings<br />
Now press next to finish the Kerberos server setup.<br />
To have remote access with the kadmin tool, edit<br />
/var/lib/kerberos/krb5kdc/kadm5.acl like you see in the<br />
following screen.<br />
Picture 79: LDAP settings<br />
Picture 80: Edit kadm5.acl
To verify the result, use the kadmin.local command listprincs.<br />
Kerberos has three different kinds of principals:<br />
User principals (kadmin: addprinc username, give password)<br />
Host principals (kadmin: addprinc -randkey FQDN)<br />
Service principals (kadmin: addprinc -randkey service/FQDN)<br />
Host and service principals have a random password that has<br />
to be added to the keytab file /etc/krb5.keytab to authenticate.<br />
Now create two Kerberos principals, one normal and one for<br />
administrative work related to Kerberos. At the kadmin.local:<br />
prompt type addprinc ckent with password ckent and addprinc<br />
root/admin with password linux. Now let's create a service<br />
principal to use with Kerberos. Type addprinc -randkey<br />
host/vos21.mynet.lan and hit return. This principal has no<br />
interactive password to authenticate because it is a service. We<br />
also have to add it to the local keytab file /etc/krb5.keytab to<br />
authenticate. At the kadmin prompt type ktadd<br />
host/vos21.mynet.lan, for example. Each machine and each<br />
service that will be used with Kerberos has to have a principal.<br />
Now create user principals for the Samba domain admin and for<br />
skiu; type at the kadmin prompt:<br />
addprinc skiu (give password skiu)<br />
addprinc Administrator/admin (give password linux)<br />
Now create service and host principals:<br />
addprinc -randkey ldap/vos21.mynet.lan<br />
addprinc -randkey vos21.mynet.lan<br />
ktadd ldap/vos21.mynet.lan<br />
ktadd vos21.mynet.lan<br />
Then type quit to close kadmin and you will be done.<br />
Make sure that KDC and kadmind are started by default when<br />
the server machine is rebooted, using the yast runlevel editor. In<br />
yast select System/System Services (Runlevel) and hit enter.<br />
Scroll down to krb5kdc and press Alt+E to enable it. Then<br />
scroll up to kadmind and press Alt+E again. Now check that<br />
openLDAP can find the Kerberos keytab. In yast open<br />
System / /etc/sysconfig Editor, expand Network by pressing the plus<br />
(+) key, select LDAP and press the plus key, then select<br />
OPENLDAP_KRB5_KEYTAB like you see in the next screen.<br />
Finally press finish and quit.<br />
Now one last thing is to do. We have to tell PAM to use<br />
Kerberos for authentication. In a terminal window on the<br />
command line type pam-config --add --krb5 and pam-config<br />
--add --ldap to have a backup authentication if you forgot to<br />
create a Kerberos principal for the domain user. To check that<br />
everything is fine, your /etc/pam.d/common-auth-pc file should look<br />
like in the following screen on both machines, PDC and BDC.<br />
Picture 81: Krb5 keytab path
You add the debug option by typing pam-config --add --krb5debug,<br />
for example. To delete the debug option, type pam-config<br />
--del --krb5, for example.<br />
Timeline: 2-3 hours<br />
Picture 82: PAM settings<br />
3.22 Kerberos client setup<br />
As user root start yast and select Network Services/Kerberos<br />
Client. Click on use Kerberos and check default domain and<br />
default realm.<br />
Click the advanced settings button and enter the following information<br />
if not predefined. In Clock Skew type 300, the default<br />
value.<br />
Picture 83: Configure client
Picture 84: Pam settings<br />
After clicking ok twice click install in the opening dialog to load<br />
the required packages on the client.<br />
To check that Kerberos works on the client and server, login as<br />
ckent, open a terminal on the client and type klist and you get<br />
the following screen.<br />
Now you are sure that Kerberos is configured successfully.<br />
Timeline: 1 hour<br />
4 Conclusion<br />
Up to now I have finished the fundamental work to set up a reliable<br />
network and it is time for the first publishing of this book. The<br />
rest will come up soon. The Infrastructure Services in chapter<br />
2.2.1 are also almost finished. Only eMail is left, but it is coming soon<br />
with the Operational Services (see chapter 2.2.2). So you can<br />
be excited waiting for the next publishing.<br />
Picture 85: Kerberos test
5 <strong>Management</strong> Summary<br />
Process Timeframe in hours<br />
1.3 Audience 1-2<br />
2 Planning the network 4-8<br />
2.1 Hardware-Components 1-8<br />
3.2 Network 1-2<br />
3.3 Hostname Schema 1-2<br />
3.7 NTP Time Server 1<br />
3.8 Master DNS-Server 1-2<br />
3.9 Slave DNS-Server 1-2<br />
3.10 DHCP-Server 1-2<br />
3.11 DDNS 2-3<br />
3.12 Root CA 3-4<br />
3.13 CA by command line 2-3<br />
3.14.1 N-Way/Multi-Master 3-4<br />
3.14.2 LDAP-Client Login 1-2<br />
3.15 LDAP-Master vos21 3-4<br />
3.16 LDAP-Slave vos22 3-4<br />
3.17 Samba 3 ldapsam:editposix 3-4<br />
3.18 Windows Clients (XP, Win 7) 1<br />
3.21 Kerberos Server setup 2-3<br />
3.22 Kerberos client setup 1<br />
Sum 36-63<br />
Table 7: <strong>Management</strong> timeframe<br />
7 Link-list<br />
http://www.virtualbox.org/<br />
http://www.debian.org/<br />
http://www.opensuse.org/<br />
http://www.ubuntu.com/<br />
http://wiki.debian.org/<br />
http://linuxwiki.de/<br />
http://wiki.samba.org/index.php/Main_Page<br />
http://wiki.samba.org/index.php/Samba_%26_Windows_Profiles<br />
http://wiki.samba.org/index.php/Implementing_System_Policies<br />
_with_Samba<br />
http://samba.org/<br />
http://www.openldap.org/<br />
http://www.isc.org/software<br />
http://opensuse.swerdna.org/<br />
8 Appendix<br />
Installation documentation<br />
8.1 VirtualBox<br />
First I describe the installation of VirtualBox on a Windows 7<br />
computer. After downloading the file VirtualBox-3.2.12-68302-Win.exe<br />
double click on it to start the installation. Then set the<br />
installation path or accept the default. After finishing the installation,<br />
you have a new icon on the desktop, a new Network<br />
Interface Card called VirtualBox Host-Only Network and a new<br />
configuration file in<br />
C:\Users\%username%\.VirtualBox\VirtualBox.xml if everything<br />
finished correctly. Now start it to configure. First click<br />
File/Preferences, then click on the General tab to change the default<br />
harddisk folder and the default machine folder, if you like, but<br />
first you have to create the folders. I put mine on a network share.<br />
For a new installation of a virtual client click the new button in<br />
the toolbar. The New Virtual Machine Wizard comes up.<br />
Picture 86: Folder settings
Picture 87: New machine wizard<br />
Type in the name of the new machine. Its hostname will be a<br />
good choice. Then select the operating system and version and<br />
press next.<br />
Picture 88: Choose VM name and os<br />
Now set the memory size and press next, the default is ok.<br />
In this screen select the virtual harddisk, the defaults will be ok.<br />
The Create New Virtual Disk Wizard will show up, so press<br />
next.<br />
Picture 89: Memory settings<br />
Picture 90: Harddisk settings
Picture 91: New disk<br />
Now keep the default storage type and click next.<br />
Picture 92: Hdd type<br />
Now set the size of the virtual disk to 4GB and click next.<br />
Click finish on the summary window.<br />
Click finish again to get back to the main VirtualBox window.<br />
Picture 93: Disk size<br />
Picture 94: Disk summary
Picture 95: Virtual machine summary<br />
In the main window of VirtualBox press settings icon to change<br />
some default settings.<br />
In the System window on the motherboard tab, at boot order,<br />
deselect floppy and in extended features deselect enable<br />
absolute pointing device, then select the processor<br />
tab.<br />
Picture 96: Main window
Picture 97: Motherboard settings<br />
In the processor tab select enable PAE/NX, then select storage.<br />
In the Storage window, select IDE Controller/Empty and press<br />
the folder symbol on the right to open the media manager.<br />
Picture 98: Processor features
Picture 99: Storage settings<br />
Now select or add your previously downloaded openSuSE-11.3<br />
iso file and press select. You should use 32 Bit operating<br />
systems. If you plan to use more than 3.5 GB of RAM in a<br />
virtual machine, you have to use a 64 Bit operating system.<br />
Then click Network on the left.<br />
In the Network settings select Bridged Adapter from the<br />
dropdown box, then press ok to finish your configuration.<br />
Picture 100: Selected os image
Picture 101: Network adapters<br />
Now you are ready to press the start button in the main window.<br />
After clicking the start button the installation of the os software<br />
starts from the selected image. Then go on in the next chapter.<br />
Picture 102: Main window
8.2 openSuSE-11.3 graphics DHCP-Client<br />
After pressing the start button in VirtualBox you get the<br />
following screen after a few seconds.<br />
Picture 103: Installer screen<br />
Here you select installation. With F2 you can select your<br />
preferred language and with F3 you can select the video mode.<br />
I chose a graphics screen resolution of 800x600 pixels; for<br />
server installations you should use text mode in this menu. Now<br />
it takes some minutes until the openSuSE-11.3 setup goes on.<br />
You will see the welcome screen. Now select your preferred<br />
language and your keyboard layout. You should also read the<br />
License Agreement, which you can get in different languages.<br />
Now press the next button to continue setup. The os is doing<br />
now some system analysis. After some minutes you get the<br />
installation mode screen. As select mode use new installation<br />
and deselect use automatic configuration to set up a minimal<br />
graphics system.<br />
Picture 104: Welcome screen
Picture 105: Installation mode<br />
Now press next to select the time zone.<br />
I select Europe and Germany and you can change the date and<br />
time here. Keep hardware clock set to UTC selected and press<br />
next to go to the desktop selection. Select other, XFCE<br />
Desktop.<br />
Picture 106: Time zone
Picture 107: Select desktop<br />
Picture 108: Disk partition<br />
Click next to go to the disk configuration. You can accept the<br />
defaults for your virtual disk. Click next to go to the user settings.<br />
Here you fill out a normal user and set its password. Deselect<br />
use this password for system administrator and automatic login<br />
to disable these functions. In a production environment it is<br />
strongly recommended to set strong passwords containing<br />
lower- and upper-case letters, numbers and special characters<br />
like these !§$&'#%, for example.<br />
For simple test use you can choose a password the same as the<br />
username so you do not forget it.<br />
137
Click Next. If you use username=password you will get the Password is too simple window. Click Yes to use the simple password.
Now set the password for the system administrator, the root user. I use username=password for simplicity.
Picture 109: New user
Picture 110: Password too simple dialog
Picture 111: Root user password
After clicking Next you will get the Password too simple dialog again. If you want to use the simple password in your test environment, click Yes. But remember, don't use simple passwords in a production environment.
Picture 112: Password too simple dialog
After clicking Yes it takes a minute to get to the installation settings screen. Please scroll down and deselect installation from image by clicking on the link disable.
Then scroll down again to Firewall and SSH. Click on the second SSH link enable and open. Then scroll down again to Firewall and SSH and click on the first link disable. Then scroll down again to check that the last two links show enable. Now click Install and confirm your selection.
Click Install and go for lunch. It takes about 90 to 120 minutes to install the system, depending on your hardware. When the installation is ready you will see the configuration screen for the hostname and domain name. Here you give the same hostname as you gave your virtual box, so you can recognize it. Also give your preferred domain name and deselect the other options.
Picture 113: Installation settings
Picture 114: Confirm dialog
Picture 115: Host- and domainname
Click Next to continue to the network configuration. Click on the link VNC Remote Administration to enable it. If you do so, you can remote control this client with your favourite browser via the link http://vslc2.mynet.lan:5801/ if you have DDNS set up correctly and running; otherwise use the assigned IP address instead of the hostname.
Select Allow Remote Administration and press OK.
Picture 116: Network configuration overview
Picture 117: Remote administration
After pressing OK, press Next to get to the Test Internet Connection screen.
Press Next to test the connection. You will see the result screen.
Picture 118: Test internet connection
Picture 119: Connection test
Press Next to go to the online update screen. You will see the downloading dialog.
Picture 120: Download dialog
When finished downloading, you get the online update screen. You can choose Skip Update, but I recommend running the update by pressing Next.
After pressing Next you will get the package manager. Click Accept to continue, and you can go for a cup of coffee or something to eat. The patch download and installation takes some minutes depending on your hardware and your internet connection speed and quality.
Picture 121: Online update
Picture 122: Packages
When the download has finished, you get the following screen.
Click Next to get the restart dialog.
After the system comes up again, the installation goes on with the package select screen.
Picture 123: Download finished
Picture 124: Restart dialog
Picture 125: Packages selected
Click Accept to proceed to the end user agreement, press Accept and Continue again to go on. Now you can go for a cup of coffee or something to eat; it takes about 30 to 90 minutes depending on your hardware and the internet connection speed and quality.
Click Next and you get the restart dialog again.
After the system comes up, press Return twice: the first time for boot from hard disk, the second time to boot the selected system. If you don't hit Return, it takes some minutes longer until the system comes up again. Then the installation will go on with the package manager. Select to download and install the Microsoft TrueType fonts and press Accept.
Picture 126: Patch finished
Picture 127: Reboot
Picture 128: Install TrueType fonts
Click Next to finish the patch installation.
Now you can read the release notes in different languages.
Picture 129: Finish patch installation
Picture 130: Release notes
Click Next to proceed to the hardware configuration screen.
Click Next to get the installation completed screen.
Picture 131: Hardware configuration
Picture 132: Installation completed
After clicking Finish you get the login screen.
Here enter root as username, then press Return. Enter the root user password and Return to get the desktop window. If you get an error message, click Continue. Now you have a freshly installed Linux client.
Picture 133: Login screen
Picture 134: Client screen
Now open a terminal window and type ifconfig in it. You find it on the lower left beside the openSUSE icon. You will see a screen like the next one, which shows the IP address assigned by the DHCP server vos21.mynet.lan, and you are done with the installation.
To turn off your system, click on the exit button on the lower right or type halt in the terminal window. Enjoy your system.
Timeline: 3-4 hours
Picture 135: Terminal
8.3 Install openSuSE-11.3 Server in Textmode
The server installation is almost the same as the client installation except for some settings in the first screen. Here you press F3 and select the text mode.
Then, some screens later in the desktop selection screen, you select Minimal Server Selection.
Then press Next to proceed. Later, when you are at the network screen, you have to set up the static IP address, netmask, DNS hostname and gateway by clicking on the link of the network interface, as in your plan.
The text mode setup screen will appear in blue with white text, and yellow text color for selected text.
Timeline: 1 hour
Picture 136: Video mode selection
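A pre-check for the address plan of this step, as an added example that is not part of the manual: it verifies that the static IP address, netmask and gateway you are about to type into the network screen fit together (valid octets, contiguous netmask, gateway inside the subnet, address not the network or broadcast address). The same helper also pulls the DHCP-assigned address out of the ifconfig output from the client installation in 8.2 and checks that it lies in the planned subnet. All addresses, the interface name and the MAC address in the sample are constructed placeholders; nothing here is taken from a real network plan.

```shell
#!/bin/sh
# Added example (not from the manual): check an IPv4 address plan before
# entering it in the YaST network screen. Sample values are constructed.

# Dotted quad -> 32-bit integer. Returns 1 on malformed input
# (wrong octet count, non-digits, leading zeros, octet > 255).
ip_to_int() {
    case $1 in ''|*[!0-9.]*) return 1 ;; esac
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in 0|[1-9]*) [ "$o" -le 255 ] || return 1 ;; *) return 1 ;; esac
    done
    echo $(( ($1 * 256 + $2) * 65536 + $3 * 256 + $4 ))
}

# A netmask is valid only if its one-bits are contiguous from the left:
# then the inverted mask plus one is a power of two.
netmask_valid() {
    m=$(ip_to_int "$1") || return 1
    inv=$(( m ^ 4294967295 ))
    [ $(( inv & (inv + 1) )) -eq 0 ]
}

# Check ip/netmask/gateway as a set; prints "ok" or the first problem found.
static_plan_check() {
    a=$(ip_to_int "$1") || { echo "bad ip address: $1"; return 1; }
    m=$(ip_to_int "$2") || { echo "bad netmask: $2"; return 1; }
    g=$(ip_to_int "$3") || { echo "bad gateway: $3"; return 1; }
    netmask_valid "$2"  || { echo "netmask bits not contiguous: $2"; return 1; }
    net=$(( a & m ))
    bcast=$(( net | (m ^ 4294967295) ))
    if [ "$a" -eq "$net" ] || [ "$a" -eq "$bcast" ]; then
        echo "ip address is the network or broadcast address"; return 1
    fi
    [ $(( g & m )) -eq "$net" ] || { echo "gateway not in the subnet"; return 1; }
    [ "$g" -ne "$a" ]           || { echo "gateway equals the ip address"; return 1; }
    echo ok
}

# Extract the first IPv4 address from net-tools style ifconfig output on stdin
# (the "inet addr:" format of openSuSE 11.3). Prints nothing if none found.
ifconfig_inet_addr() {
    sed -n 's/.*inet addr:\([0-9.]*\).*/\1/p' | head -n 1
}

# Constructed sample of what the client's terminal shows after "ifconfig".
SAMPLE_IFCONFIG='eth0      Link encap:Ethernet  HWaddr 08:00:27:12:34:56
          inet addr:192.168.10.57  Bcast:192.168.10.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1'

# Does the DHCP-assigned address in the sample lie in the planned subnet?
# usage: dhcp_sample_in_subnet NETWORK NETMASK
dhcp_sample_in_subnet() {
    ip=$(printf '%s\n' "$SAMPLE_IFCONFIG" | ifconfig_inet_addr)
    a=$(ip_to_int "$ip") || return 1
    n=$(ip_to_int "$1")  || return 1
    m=$(ip_to_int "$2")  || return 1
    [ $(( a & m )) -eq $(( n & m )) ]
}
```

Run it with sh. On the installed client, replace the constructed sample with the real output by piping ifconfig into ifconfig_inet_addr; the plan check is called as static_plan_check IP NETMASK GATEWAY and exits non-zero with a one-line reason when the plan is inconsistent.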
8.4 Installation Windows 7 client
8.5 Some console command-lines
Here you will find some useful command-line commands.
man -t `man -w ps2pdf` | ps2pdf - man-ps2pdf.pdf
man -t ps2pdf | ps2pdf - man-ps2pdf.pdf
man -t `man -w 1 man` | ps2pdf - man1-man.pdf
man -t `man -w 7 man` | ps2pdf - man7-man.pdf
The first two lines give the same result: they print the first man page found. The last two lines print out the specified sections of a man page.
ntpq -p vos21 vos22
This line gives you a table and shows whether the time synchronizes. A message ntpq: read: Connection refused means the service is not running. If you see the number 377 in the reach column, the time servers can be reached.
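The reach rule above can be applied unattended, for example from a monitoring job. As an added example, not from the manual: a small script that reads ntpq -p output from stdin and checks the reach column. The column is an octal shift register of the last eight polls, so 377 means every one of them succeeded; anything else marks a degraded peer, and the Connection refused message has no peer rows at all and is reported as a failure. The ntpq output embedded below is constructed; only the host names vos21 and vos22 and the domain mynet.lan come from the manual.

```shell
#!/bin/sh
# Added example (not from the manual): evaluate the reach column of
# "ntpq -p". The sample below is constructed output; on a live system use
#   ntpq -p vos21 | ntp_reach_ok

SAMPLE_NTPQ_OUTPUT='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*vos21.mynet.lan 192.0.2.10       2 u   64  128  377    0.412   -0.153   0.087
+vos22.mynet.lan 192.0.2.11       2 u   12  128  377    0.551    0.210   0.112
 upstream.example 192.0.2.12      1 u  100  256   17   20.311    1.401   0.533'

# Print "peer reach" for every peer row on stdin. The first two lines of
# ntpq -p are the header and the "====" rule; the first character of each
# peer row is the tally code (*, +, space, ...), which is dropped so that
# the host name is always field 1 and reach is field 7.
ntp_peer_reach() {
    awk 'NR > 2 && NF > 0 { split(substr($0, 2), f, " "); print f[1], f[7] }'
}

# Exit 0 if at least one peer answered all of the last eight polls (377),
# exit 1 otherwise (including "ntpq: read: Connection refused", which
# has no peer rows).
ntp_reach_ok() {
    ntp_peer_reach | awk '$2 == "377" { ok = 1 } END { exit ok ? 0 : 1 }'
}

# Number of peers that are not fully reachable, for an alert threshold.
ntp_degraded_count() {
    ntp_peer_reach | awk '$2 != "377" { n++ } END { print n + 0 }'
}
```

The script deliberately requires 377 rather than any non-zero value: a peer with reach 17 has answered only some recent polls and is exactly the case the manual's table is meant to reveal, so it counts as degraded.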
hwclock --systohc
This command writes the synced time to the built-in hardware CMOS clock.
Picture 137: Ntp query