Configuration Management Manual

Configuration Management Manual 

for 

using openSuSE-11.3 Linux in the Enterprise 

by W. Melz 

V 1.0 

2000 – 2011

Index 

1 Preface....................................................................................9 

1.1 About the Document...........................................................9 

1.2 Project-Homepage (coming soon)......................................9 

1.3 Audience.............................................................................9 

1.4 Enterprise Requirements..................................................10 

2 Planning the network.............................................................11 

2.1 Hardware-Components needed.......................................12 

2.2 Services............................................................................12 

2.2.1 Infrastructure Sevices...................................................12 

2.2.2 Operational Services.....................................................13 

2.2.3 Supporting Services......................................................13 

2.3 Backup and Restore.........................................................13 

2.4 Data Archive.....................................................................13 

3 Configuration-Elements........................................................14 

3.1 VirtualBox.........................................................................14 

3.2 Network.............................................................................15 

3.3 Hostname Schema...........................................................16 

3.4 Hardware..........................................................................17 

3.4.1 Router............................................................................19 

3.4.2 Cable.............................................................................19 

3.4.3 Switches........................................................................20 

3.4.4 Servers..........................................................................20 

3.4.5 Print-Servers.................................................................20 

3.4.6 Clients...........................................................................20 

3.5 Operating-Systems...........................................................21 

3.5.1 OpenSUSE-11.3............................................................21 

3.5.1.1 Samba configuration for my NAS-Server....................21 

3.6 SW-Services.....................................................................22 

3.7 NTP Time Server..............................................................22 

3.8 Master DNS-Server..........................................................25 

3.9 Slave DNS-Server............................................................31 

3.10 DHCP-Server....................................................................33 

3.11 DDNS................................................................................36 

3.12 Root CA............................................................................51 

2

3.13 CA by command line.........................................................65 

3.14 OpenLDAP-Server............................................................73 

3.14.1 N-Way/Multi-Master-Replication...................................73 

3.14.1.1 Delete old database....................................................73 

3.14.1.2 Edit slapd.conf file.......................................................74 

3.14.1.3 Edit client file /etc/openldap/ldap.conf.........................76 

3.14.1.4 Edit /etc/ldap.conf........................................................76 

3.14.1.5 Start service on vos21.................................................77 

3.14.1.6 The initial data file init.ldif............................................81 

3.14.1.7 Automatic starting slapd..............................................82 

3.14.2 LDAP-Client Login configuration...................................86 

3.15 LDAP-Master vos21.........................................................89 

3.15.1 Setup PDC /etc/openldap/slapd.conf:...........................90 

3.15.2 PDC /etc/openldap/lapd.conf:.......................................91 

3.15.3 PDC /etc/lapd.conf:.......................................................91 

3.15.4 init.ldif............................................................................92 

3.15.5 samba-base.ldif.............................................................92 

3.15.6 Testing...........................................................................93 

3.16 LDAP-Slave vos22...........................................................95 

3.16.1 Setup BDC /etc/openldap/slapd.conf:...........................95 

3.16.2 BDC /etc/openldap/lapd.conf:.......................................96 

3.16.3 BDC /etc/lapd.conf:.......................................................96 

3.17 Samba 3 ldapsam:editposix setup...................................97 

3.17.1 PDC vos21 /etc/samba/smb.conf:.................................97 

3.17.2 BDC vos22 /etc/samba/smb.conf:...............................101 

3.17.3 Server stored profiles and netlogon............................105 

3.18 Windows XP Client Domain join.....................................107 

3.19 Windows 7 Client Domain join........................................107 

3.20 Domain management with srvtools.exe.........................107 

3.21 Kerberos Server setup....................................................108 

3.22 Kerberos client setup......................................................113 

4 Conclusion...........................................................................116 

5 Management Summary.......................................................117 

6 Reference list......................................................................118 

7 Link-list................................................................................119 

8 Appendix.............................................................................119 

3

8.1 VirtualBox........................................................................119 

8.2 openSuSE-11.3 graphics DHCP-Client..........................133 

8.3 Install openSuSE-11.3 Server in Textmode....................159 

8.4 Installation Windows 7 client..........................................160 

8.5 Some console command-lines.......................................160 

Table Index 

Table 1: Member - Role Assignment.........................................10 

Table 2: Elements to configure..................................................14 

Table 3: Network address plan..................................................15 

Table 4: Hostname schema plan...............................................17 

Table 5: Router setup................................................................19 

Table 6: LDAP environment variables.......................................83 

Table 7: Management timeframe.............................................117 

4

Picture Index 

Picture 1: Physical Network Topology.......................................11 

Picture 2: Enable NTP...............................................................22 

Picture 3: Select server.............................................................23 

Picture 4: German server..........................................................23 

Picture 5: NTP-Servers configured...........................................24 

Picture 6: Netconfig variable for NTP servers...........................25 

Picture 7: DHCP & DNS packages...........................................26 

Picture 8: DNS startup screen..................................................26 

Picture 9: Add zones.................................................................27 

Picture 10: Set localnets...........................................................27 

Picture 11: Set nameservers for domain...................................28 

Picture 12: Set serial.................................................................28 

Picture 13: Set records.............................................................29 

Picture 14: Set basics...............................................................30 

Picture 15: Set nameservers.....................................................30 

Picture 16: Configure slave server............................................32 

Picture 17: Set master server...................................................32 

Picture 18: Selected nic............................................................34 

Picture 19: Global settings........................................................34 

Picture 20: Dynamic IP address range.....................................35 

Picture 21: Start service when booting the system...................35 

Picture 22: Create TSIG Key.....................................................36 

Picture 23: Select key to add....................................................37 

Picture 24: Error, two slashes in path.......................................37 

Picture 25: Correct path and keyname.....................................38 

Picture 26: Edit DHCP sysconfig variable.................................39 

Picture 27: Edit DNS sysconfig variable...................................39 

Picture 28: Copy master zone files...........................................45 

Picture 29: Copy slave zone files..............................................46 

Picture 30: DHCP-Client ..........................................................47 

Picture 31: Name resolving.......................................................48 

Picture 32: Check ip-lease with ifconfig....................................49 

Picture 33: Test nslookup..........................................................50 

Picture 34: Start CA management............................................51 

5

Picture 35: CA tree....................................................................52 

Picture 36: Step 1......................................................................52 

Picture 37: Basic settings..........................................................53 

Picture 38: Additional settings...................................................53 

Picture 39: Set password..........................................................54 

Picture 40: Summary.................................................................54 

Picture 41: Selected CA............................................................55 

Picture 42: Password................................................................55 

Picture 43: CA description.........................................................56 

Picture 44: Add server request..................................................56 

Picture 45: Edit server request..................................................57 

Picture 46: Set password..........................................................58 

Picture 47: Request list.............................................................58 

Picture 48: Sign request............................................................59 

Picture 49: Extensions..............................................................60 

Picture 50: Summary.................................................................60 

Picture 51: Signed certificate....................................................61 

Picture 52: Export to file............................................................61 

Picture 53: Export path..............................................................62 

Picture 54: Key export...............................................................62 

Picture 55: Common server certificate for vos22......................63 

Picture 56: Eport as file.............................................................64 

Picture 57: Export root certificate..............................................64 

Picture 58: Export file................................................................65 

Picture 59: Running slapd on vos21.........................................78 




Picture 63: Empty DIT...............................................................80 

Picture 64: Network parameter.................................................80 

Picture 65: Authentication.........................................................81 

Picture 66: Simple DIT..............................................................82 

Picture 67: Set dynamic configuration......................................84 

Picture 68: Runlevel..................................................................85 

Picture 69: Enable ldap service at startup................................86 

Picture 70: Security settings.....................................................87 

6

Picture 71: User and Group Administration..............................87 

Picture 72: Configure Authentication Settings..........................88 

Picture 73: Client configuration.................................................88 

Picture 74: Advanced client configuration.................................89 

Picture 75: Add two registry parameters.................................107 

Picture 76: Select packages...................................................108 

Picture 77: Use previous configured LDAP server.................109 

Picture 78: Realm and password............................................109 

Picture 79: LDAP settings.......................................................110 

Picture 80: Edit kadm5.acl.......................................................110 

Picture 81: Krb5 keytab path...................................................112 

Picture 82: PAM settings.........................................................113 

Picture 83: Configure client.....................................................114 

Picture 84: Pam settings.........................................................115 

Picture 85: Kerberos test.........................................................116 

Picture 86: Folder settings......................................................120 

Picture 87: New machine wizard.............................................121 

Picture 88: Choose VM name and os.....................................121 

Picture 89: Memory settings...................................................122 

Picture 90: Harddisk settings..................................................122 

Picture 91: New disk...............................................................123 

Picture 92: Hdd type................................................................123 

Picture 93: Disk size................................................................124 

Picture 94: Disk summary.......................................................124 

Picture 95: Virtual machine summary.....................................125 

Picture 96: Main window.........................................................126 

Picture 97: Motherboard settings............................................127 

Picture 98: Processor features................................................128 

Picture 99: Storage settings....................................................129 

Picture 100: Selected os image..............................................130 

Picture 101: Network adapters................................................131 

Picture 102: Main window.......................................................132 

Picture 103: Installer screen...................................................133 

Picture 104: Welcome screen.................................................134 

Picture 105: Installation mode.................................................135 

Picture 106: Time zone...........................................................136 

7

Picture 107: Disk partition.......................................................137 

Picture 108: Select desktop....................................................137 

Picture 109: New user.............................................................138 

Picture 110: Password too simple dialog................................138 

Picture 111: Root user password............................................139 

Picture 112: Password too simple dialog................................139 

Picture 113: Installation settings.............................................140 

Picture 114: Confirm dialog.....................................................140 

Picture 115: Host- and domainname.......................................141 

Picture 116: Network configuration overview..........................142 

Picture 117: Remote administration........................................143 

Picture 118: Test internet connection......................................144 

Picture 119: Connection test...................................................145 

Picture 120: Download dialog.................................................145 

Picture 121: Online update.....................................................146 

Picture 122: Packages............................................................147 

Picture 123: Download finished..............................................148 

Picture 124: Restart dialog......................................................148 

Picture 125: Packages selected..............................................149 

Picture 126: Patch finished.....................................................150 

Picture 127: Reboot................................................................150 

Picture 128: Install TrueType fonts..........................................151 

Picture 129: Finish patch installation......................................152 

Picture 130: Release notes.....................................................153 

Picture 131: Hardware configuration.......................................154 

Picture 132: Installation completed.........................................155 

Picture 133: Login screen.......................................................156 

Picture 134: Cient screen........................................................157 

Picture 135: Terminal..............................................................158 

Picture 136: Video mode selection.........................................159 

Picture 137: Ntp query............................................................160 

8

1 Preface 

1.1 About the Document 

1 Preface 

This work is licensed by the author Wolfgang Melz under the 

Creative Commons Attribution-NoDerivs 3.0 Unported License. 

Feel free to translate in other language and publish under your 

name and credit this original creation. To view a copy of this 

license, visit http://creativecommons.org/licenses/by-nd/3.0/ or 

send a letter to Creative Commons, 171 Second Street, Suite 

300, San Francisco, California, 94105, USA. 

This document describes the configuration management 

process and the setup for required hard- and software to have a 

successful working effort in Software-Development and other 

enterprise duties. It also outlines the process model, the 

structure of the project, its tools used and how to work with its 

files. Its main goal is to support the daily work of the team 

members. Maybe not all chapters are in your interest, 

depending on your role or roles in the project. We also describe 

a timeline the effort needed to solve the process. If you detect 

some bugs or typos, feel free to contact me by eMail 

wm1@gmx.de or leave any other comments, suggestions and 

messages. 

1.2 Project-Homepage (coming soon) 

1.3 Audience 

This document is for System-Administrators, Software-Developers, 

Project-Managers and QA-Saff. It gives you all information 

you need about setting up the hardware and softwarecomponents 

used in the project. You can also define the roles 

of your project members here. Members can have one or 

multiple roles. You can use the following table to do so. 

Timeline: 1-2 hours 

9

1 Preface 

Role Member Name 

Project-Lead 

Project-Manager 

Assistant-Manager 

IT-Administrator 

Developer 

QA-Manager 

Tester 

Auditor 

CEO/CIO 

Table 1: Member - Role Assignment 

1.4 Enterprise Requirements 

The fundamental need in an enterprise is to have a reliable IT 

infrastructure. To reach this goal, a lot of things and services are 

needed. It starts with hardware, concepts, configuration, 

services and software. 

The configuration management process starts with planning a 

high availability network. As result of the plan we know what 

hardware and software to order and which services to setup 

and configure. The process ends with testing everything and 

operate the system. 

Backup and Restore is an other important business process 

which is developed, tested and operated after setting up and 

operate the server and storage infrastructure. 

At last we have an EOL business process of hard- and 

software. In it we define how and when to exchange 

components at their end of lifetime. Some companies exchange 

their hardware every 2-3 years. I think it is a waste of money, so 

i advise to exchange hardware when something broke down or 

in 5 to 8 years. 

10

1 Preface 

The company can save money when using Linux software what 

is available with source-code under the GPL- or Apache- 

License. A wide range of support is also available for these free 

software in the internet. Non oss-software is also available. 

2 Planning the network 

The first thing to think about is how much physically servers will 

be needed, how the company data is safely stored, how the 

local network is connected to the internet and how to connect 

satellites, branch offices and road warriors. 

I advise to use at least two physical servers with each one or 

two multi core server cpu's and at least 32GB of ram. For 

testing purposes one computer or laptop with multi-core cpu 

and 4GB of ram is also ok. 

As data storage i advise to have two Buffalo NAS or similar with 

four harddisks in a RAID-5 or RAID-10 disk array. 

The NAS-Storage is connected with the servers with Gigabit- 

Ethernet CAT6 cable via the switch in the internet router. 


Picture 1: Physical Network Topology 

11


2.1 Hardware-Components needed 

Like we see in the picture above we need the following 

hardware-Components: 

1 Router to the internet 

2 Servers 

2 NAS-Storage Server 

1 or more Notebooks 

1 or more Workstation PC's 

For testing purposes and proof of concept we will simulate our 

new network with Oracle VirtualBox software on a multi core 

computer. After successful testing you order the new physical 

servers and the NAS-Server Storage units. Keep in mind that 

this configuration is the absolutely minimum and not very 

secure. If an intruder passes the router nothing protects your 

hosts. 


2.2 Services 

We identify three different types of services. They are infrastructure 

sevices, operational services and supporting services. 

2.2.1 Infrastructure Sevices 

This service is for easily hooking up a new computer to the 

network and have basic services ready to work like internet 

access and eMail. For administrative things it is important to 

recognize the single pc by its name in the local network. So the 

first thing to develop is a hostname schema and how IP- 

Adresses are assigned to them. 

When we have a new client pc connected to the local network, 

it is necessary to authenticate the user who uses the newly 

connected pc enterprise wide. This is very important for each 

company. No unauthenticated user can get access to enterprise 

critical data and the data access can be monitored and logged. 

12


At least connection security from the internet to the enterprise 

servers is very important and done by encryption and certificates. 

No one else should read the information what is transported 

over the connection. 

2.2.2 Operational Services 

Medical, Government, Web-Shop, ERP, CRM, Database, SAP, 

SW-Development, hosting services to the Internet or customers 

outside the LAN but connected to the internet. 

2.2.3 Supporting Services 

Backup and Restore, Data Archive 

2.3 Backup and Restore 

You can use rsync or unison for this process. First develop a 

plan. 

2.4 Data Archive 

Develop a plan first. 

To work out more services and use-cases you need, set up a 

project time frame or separate projects. 

13

3 Configuration-Elements 


Overview 

Element Short Description 

VirtualBox Oracle VirtualBox Software 

Network Describes Network configuration 

Hostname 

Schema 

Describes the hostname and FQDN for the corresponding 

IP-Address and the domain names 

Hardware Describes required Hardware-Components of the Systems 

Operating 

Systems 

Describes required Operating Systems 

SW-Services Describes required services of the operating system 

Sourcecode Contains the whole sourcecode of the project, without 

module-tests 

3.1 VirtualBox 

Table 2: Elements to configure 

We use this software for simulating our new network before we 

set it up physically. In VirtualBox we install a standard 

openSuSE-11.3 operating system in text mode for each box. It 

has the smallest memory consumption. 

Configure static IP-Address, netmask, and gateway in 

/etc/network/interfaces 

Example for the vBox router: 

iface eth0 inet static 

address 192.168.0.20 

netmask 255.255.255.0 

gateway 192.168.0.1 

You can change almost every thing in yast, the setup and 

configuration tool in openSuSE. 

First, create the share and adjust user and mode. 

14


vos22:~ # mkdir /mnt/fileshare 

vos22:~ # chown user1.users /mnt/fileshare 

vos22:~ # chmod 777 /mnt/fileshare 

To connect to a samba-share on the local network, mount the 

share in /etc/fstab //192.168.0.2/fileshare 

/mnt/fileshare cifs 

username=user1,passwd=,uid=user1,gid=users, 

auto,rw,file_mode=0775,dir_mode=0775 0 0, for 

example. Mount with mount -a. Use your username from the 

samba-server and its password. Remember that the user 

password is saved in cleartext in the /etc/fstab file. Use 

/etc/fstab only for testing and development with plain text 

password, not for production environment. 

3.2 Network 

Name IP or Range 

IP-Range 192.168.0.0 - 192.168.0.255 

Physical servers and hardware 

equipment 

192.168.0.1 - 192.168.0.19 

Virtual servers 192.168.0.20 - 192.168.0.99 

Clients 192.168.0.100 - 192.168.0.149 

Free for reserve 192.168.0.150 – 192.168.0.254 

Netmask 255.255.255.0 

Default gateway 192.168.0.1 

DNS-Server (and Relay) 192.168.0.1, 192.168.0.2 

Virtual DNS-Server 192.168.0.21, 192.168.0.22 

Table 3: Network address plan 

You can also plan with different IP-Address ranges if you need 

more network segments or hosts. You can also obtain public 

IP's from your leased-line provider or the RIPE. Other private 

IP-Ranges are: 

15


Class A, 10.0.0.0 to 10.255.255.255, 1 private net with 

16.777.216 hosts, Class B, 172.16.0.0 to 172.31.255.255, 16 

private net with 65.536 hosts, Class C, 192.168.0.0 to 

192.168.255.255, 256 private net with 256 hosts 

You can do a basic final test with the following commands when 

you have all your virtual boxes ready: 

ping 192.168.0.1 

ping 192.168.0.2 

ping 192.168.0.20 

ping 192.168.0.21 

ping 192.168.0.22 

ping 192.168.0.23 

ping www.sun.de 

The result should look like this: 

slns1:~ # ping 192.168.0.1 

PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data. 

64 bytes from 192.168.0.1: icmp_seq=1 ttl=64 time=0.975 ms 



^C 

--- 192.168.0.1 ping statistics --- 

3 packets transmitted, 3 received, 0% packet loss, time 2001ms 

rtt min/avg/max/mdev = 0.884/0.919/0.975/0.040 ms 

slns1:~ # 


3.3 Hostname Schema 

The hostname schema is to plan the name resolution for IP-Addresses 

of the hosts for remote software deployments, remote 

maintenance and remote customer support. It is also used to 

setup the DNS-Server to reach every pc in the local network by 

its hostname instead of its IP-Address. The Domain-Name will 

be mynet.lan for internal DNS use and the NetBios Domain- 

Name is mynet, for example. 

16


Hostname FQDN IP Description 

mynet.lan DNS-Domain 

mynet NetBios Domain 

ls44n ls44n.mynet.lan 192.168.0.1 Internet-Router 

slns1 slns1.mynet.lan 192.168.0.2 Net-Storage- 

Infrastructure-Server 

hp-printer hp-printer.mynet.lan 192.168.0.19 Laser Printer 

vor20 vor20.mynet.lan 192.168.0.20 Virtual Router 

vos21 vos21.mynet.lan 192.168.0.21 Virtual Server 1 

vos22 vos22.mynet.lan 192.168.0.22 Virtual Server 2 

von23 von23.mynet.lan 192.168.0.23 Virtual NAS 1 

von24 von24.mynet.lan 192.168.0.24 Virtual NAS 2 

Table 4: Hostname schema plan 

If you plan to register a domain or renting web-space, your 

external domain-name on the internet can be mynet.biz or 

easybiz.com, what ever you like and is not in use by others. You 

will be found by your customers with the name you register. 


3.4 Hardware 

In every LAN the following Hardware-Infrastructure is used to 

set up a functional local network as an important part of the 

configuration management. The network starts with its router to 

the web, the cables, the switches used, the servers who offer 

services, the IP-Range used and the clients for working. Before 

you can setup and configure any hardware, you have to 

develop the IP-Address Range and hostname schema for your 

network to have all connected devices physically reached by 

unique IP's and names. We already did this development 

before. In a more secure LAN you use two routers. The first one 

connects to the internet and makes up your DMZ-Zone. In the 

DMZ you have your web-server, mail-server, secondary ca and 

17


so on for hosting services to your internet customers. 

The second router connects your LAN to the DMZ. You can 

configure a linux box with at least two nic interfaces as the LAN 

router. If you use tree nic interfaces, you can setup a very 

powerful and strong firewall on that host, one nic for Internet, 

one for DMZ and one for LAN. This configuration is highly 

recommended but not cheap and has to be maintaied by 

special and expensive staff. 

18

3.4.1 Router 

Specifications and setup 


Model Linksys WRVS4400N Wireless-N Gigabit 

Security Router with VPN 

Value 140,00 € 

Asset depreciation duration 1 month 

Lan-IP 192.168.0.1 

Username admin 

Password 

WLAN SSID mynet 

WLAN-Security mode WPA/WPA2 

PSK, Key 

Local Domain-name mynet.lan 

DNS-Relay activated 

DHCP-Server disabled 

IP-Range 192.168.0.100 to 192.168.0.199 

DHCP-Lease 1440 minutes 

Timezone GMT+01:00, Auto Daylight Saving 

NTP-Server Set the local time using Network Time Protocol 

(NTP) automatically 

Port-Forwarding Rule 

Webserver 

3.4.2 Cable 

HTTP->192.168.0.2, Port-Range/Port 80 

Table 5: Router setup 

I use standard network cable in quality of CAT6a SSTP (PIMF), 

CAT5e is minimum for Gigabit-Ethernet. 

19


3.4.3 Switches 

A Linksys WRVS4400N Wireless-N Gigabit Security Router with 

VPN is used. It has a build-in 4 port Gigabit switch and a 300 

MBit/s WiFi access point. 

3.4.4 Servers 

I use only one physical NAS-Server as NAS1 data storage unit. 

It's assembled by myself to have the highest quality, speed, 

flexibility and lowest power consumption for the best price. It 

has the IP 192.168.0.2, as Netmask 255.255.255.0, 

192.168.0.1 as default gateway (router) and 192.168.0.2 for 

itself as the local authoritative DNS-Server. Its hostname is 

slns1 and the FQDN is slns1.mynet.lan for example. 

Local name resolving for physical servers can also be made by 

the hosts file but is deprecated. As backup device i use my 

external 500GB usb-hdd. 

In a company environment you have at least two powerful dual 

CPU multicore physical servers for housing virtual servers 

which set up the company services infrastructure. A company 

should have at least two NAS-Server storage units configured 

its harddisks as RAID 5 or RAID 10 and syncing each other. 

3.4.5 Print-Servers 

For printing i use a multi-functional printer Epson DX 7000F 

connected to an USB-Port shared by the client. Additionally i 

use a network laser printer HP 4050 TN with duplex unit. Its IP 

is 192.168.0.19 with netmask 255.255.255.0 and no gateway, 

its share name is hp4050tn. In a company environment you 

have to do additionally planning on use of department or 

workgroup printers. 

3.4.6 Clients 

Clients will get their IP's by the DHCP-Server of the router for a 

lease time of 1440 minutes, equals with 24 hours. They also get 

20


the netmask, default gateway, ntp-Server and DNS-Server from 

the DHCP-Server. 

3.5 Operating-Systems 

Here we describe the configuration of the used operating 

systems and how to configure its physical network interface. 

You can use TightVNC on MS-Windows to remote control a xwindowed 

Linux-Box. Type in the IP-Adress or Domain-Name of 

the box to and you done. Alternatively you can use a Browser, 

then type http://192.168.0.2:5801 to connect to a openSuSE 

11.3 box. 

3.5.1 OpenSUSE-11.3 

I use this distribution because its documentation is very good. 

Software package installation and configuration with yast is also 

very easy. 

3.5.1.1 Samba configuration for my NAS-Server 

yast2/samba-server 

Start-Up=during boot 

Shares=add fileshare 

Identity=WORKGROUP, Not a DC 

in /etc/xinetd.d/swat comment this line # only_from = 

127.0.0.1 to use swat from other host than localhost:901 and 

add a user user1 with password. 

21


3.6 SW-Services 

Here we describe using and configuring the needed services on 

the virtual machines. A lot of services can use LDAP, so lets set 

it up first. After a minimal (textmode) openSuSE-11.3 installation 

you find manuals in the following file 

/usr/share/doc/manual/opensuse-manuals_en/manual/index.html 

The LDAP information is in the Security Guide. Prerequisites 

are OpenSSL or GnuTLS, Cyrus SASL, Kerberos and Berkeley 

DB. Kerberos has as prerequisites DNS-Server and NTP- 

Server configured and running. So we finally start with NTP, 

DNS, DHCP and Root CA installation. 

3.7 NTP Time Server 

The time servers are important to get the correct time from the 

atomic clock in Braunschweig/Germany for your network. 

In yast select Network Services/NTP Configuration. Check Now 

and on Boot and click Add like in the picture. 

Picture 2: Enable NTP 

In the new synchronisation screen select server and click next. 

Press select and choose public server. 

22

Picture 3: Select server 


Select country (Germany), ptbtime1.ptb.de, press ok twice. 

Picture 4: German server 

Redo Add for ptbtime2 to have a second one configured and 

delete Local Clock. 

23


When finished the configuration, it looks like this 

Press F10 to close, then quit yast. Redo the process for the 

second server vos22. 

At last change the variable in sysconfig, general, network 

NETCONFIG_NTP_STATIC_SERVERS like in the following 

picture. Set this variable on all hosts with static IP-Address. 

24 

Picture 5: NTP-Servers configured

Timeline: 1 hour 

3.8 Master DNS-Server 

Picture 6: Netconfig variable for NTP servers 


The DNS service works like a phone book. You give it a name 

like vos21.mynet.lan and it gives you the phone number, 

exactly the IP-Address 192.168.0.21, for example. This 

service is very important because humans can easily remember 

names istead of IP-Addresses. It makes the employees life 

easyer to find things like file and print services in the network. 

In yast select Software/Software Management, as filter select 

Patterns, scroll down and choose DHCP and DNS Server by 

pressing space. Do this on both machines, vos21 and vos22 

to set up DNS-Services. 

25


Press Accept and Ok to install the packages. Now restart yast, 

and select Network Services/DNS Server and you see the 

following screen. 

The forwarder list is from installing the system, press next. 

26 

Picture 7: DHCP & DNS packages 

Picture 8: DNS startup screen

Picture 9: Add zones 


Now we add two new zones our servers will be responsible for. 

Select mynet.lan and press edit, then select only localnets and 

press Alt-D to set NS Records. 

Picture 10: Set localnets 

27


Add the FQDN name of the two nameservers who are responsible 

for the domain. 

Type Alt-X if you have mailservers or Alt-S and reset serial to 1. 

28 

Picture 11: Set nameservers for domain 

Picture 12: Set serial


Finally add some records by pressing Alt-E. Enter the IP-Addresses 

like in table 4, then press ok. 

Picture 13: Set records 

Now we configure the reverse lookup zone by selecting 

0.168.192.in-addr.arpa and press Alt-I. In basics select 

localnets and automatically generate records from mynet.lan, 

like you see in the following picture. 

29


Now type Alt-D to add authoritative nameserver records. 

In SOA set the serial to 1 and press ok. Now the zone configuration 

is ready by pressing next. Finally setup the start-up 

behavior to on and press finish and then quit. 

30 

Picture 14: Set basics 

Picture 15: Set nameservers


Now let's test our installed master nameserver by typing 

nslookup : 

vos21:~ # nslookup ls44n 

Server: 127.0.0.1 

Address: 127.0.0.1#53 

** server can't find ls44n: NXDOMAIN 

vos21:~ # 

If you see the message above, the server is not started 

correctly. Enter vos21:~ # /etc/init.d/named restart to 

restart it correctly. Then you get the correct result. 


Server: 127.0.0.1 

Address: 127.0.0.1#53 

Name: ls44n.mynet.lan 

Address: 192.168.0.1 

vos21:~ # 


3.9 Slave DNS-Server 

The slave DNS-Server is used as a high availability failover and 

load balancing service. It serves the network when the master 

server is busy or down for any reason. If the master server is 

down, there are no dynamic DNS-Updates for the zone 

available. 

Now let's configure the slave DNS-Server on host vos22 by 

starting yast, selecting Network Services/DNS Server. At 

forwarders press next, then enter the two zones like in the 

master DNS-Server, but select slave. 

31


After pressing add, give the master DNS-Server IP, in this case 

192.168.0.21, for example. 

Do the same for the reverse zone 0.168.192.in-addr.arpa and 

press next. Set the start-up behavior to on and press finish. 

32 

Picture 16: Configure slave server 

Picture 17: Set master server

Now check the slave DNS-Server. 


Server: 127.0.0.1 

Address: 127.0.0.1#53 


Address: 192.168.0.1 

vos22:~ # /etc/init.d/named stop 

Shutting down name server BIND 

done 


Server: 192.168.0.21 

Address: 192.168.0.21#53 


Address: 192.168.0.1 

vos22:~ # 


Now you successfully finished setup the DNS services. 


3.10 DHCP-Server 

DHCP is an important service in your network. It assigns your 

connected clients an IP-Address, Netmask, Default-Gateway, 

Time-Servers, DNS-Servers, Netbios-Servers, Mail-Servers and 

so on. It can also register the hostname you give a client host at 

installation time to DNS. This makes the management of new 

pc clients in the network very easy. 

In yast select Network Services/DHCP Server, the server wizard 

starts. Press Alt-S to select the Network Card with interface 

eth0 where the service starts listening on. 

33


Press next to get to the global settings. Fill in domain, primary 

and secondary nameserver, default gateway and time server. 

Press next to set up the dynamic IP-Address range. We use the 

range from table 4, the hostname schema. 

34 

Picture 18: Selected nic 

Picture 19: Global settings


You can set the default lease time to 1 day. 

Picture 20: Dynamic IP address range 

Press next and select service start when booting, then press 

finish and quit. Then you test it with a client. 

Picture 21: Start service when booting the system 

35


To test it, boot a client what is configured to use DHCP to get its 

IP-Address. Now configure the second DHCP-Server on vos22 

in the same way. 


3.11 DDNS 

With DDNS you can easily setup DNS name resolution for client 

pc's what get their IP-Address, netmask, default gateway, name 

servers and time servers over DHCP. To use it, we have to 

create a TSIG-Key. It is necessary for authentication to 

dynamicly update the DNS-Zone files by the DHCP-Service. 

Both servers what host the DHCP- and DNS-Service have to 

share the same TSIG-Key. To create it, start yast and select 

Network Services/DNS Server, select TSIG Keys and hit enter. 

In the middle type marndc in the key id field, as filename type 

marndc.key, for example. Then press ok and go for a coffee. 

It takes a while until the key is created. When the key is ready 

you can choose add an existing TSIG key by pressing Alt-W to 

browse to the key. 

36 

Picture 22: Create TSIG Key

Picture 23: Select key to add 


Click ok to pick the key then check the filename that there are 

no two slashes after the named.d directory in front of the 

filename. Delete the second slash before press Alt-A to add it. 

Picture 24: Error, two slashes in path 

The next picture shows the correct path and key filename. 

37


Press ok and quit yast. 

After generating the key we have to tell sysconfig about it on 

server vos21 to use it for DHCP and DNS. So start yast, select 

System, /etc/sysconfig Editor, Network, DHCP, DHCP server, hit 

enter on DHCPD_CONF_INCLUDE_FILES and add the 

following path /etc/named.d/marndc.key. You don't have 

to add a second key like i did in the screen for testing purposes. 

Now copy the key /etc/named.d/marndc.key to the second 

server vos22 so the failover DHCP-Server can use it to update 

the DNS-Server on vos21. 

38 

Picture 25: Correct path and keyname

Picture 26: Edit DHCP sysconfig variable 


Then enter the same path to the key file for the DNS variable, 

located at Network, DNS, Name Server, 

NAMED_CONF_INCLUDE_FILES, like you see in the next 

screen. 

Picture 27: Edit DNS sysconfig variable 

39


After clicking finfish you are done with yast. 

Set the same two variables on the second server vos22 to use 

the previous copied key file there. 

Now you configured the two DHCP-Servers with yast, but it is 

not possible to configure one primary and one secondary 

DHCP-Server with yast, so we have to do it the hard way by 

editing the config files. These files are /etc/dhcpd.conf and 

/etc/named.conf on both machines. 

40


On vos21 /etc/dhcpd.conf 

option rfc3442-classless-static-routes code 121 = array of unsigned 

integer 8; 

option domain-name "mynet.lan"; 

option domain-name-servers 192.168.0.21, 192.168.0.22; 

option ntp-servers 192.168.0.21, 192.168.0.22; 

ddns-updates on; 

ddns-update-style interim; 

default-lease-time 600; 

max-lease-time 7200; 

one-lease-per-client true; 

authoritative ; 

log-facility local7; 

failover peer "mypeer" { 

primary ; 

address 192.168.0.21; 

peer address 192.168.0.22; 

port 519; 

peer port 519; 

max-response-delay 60; 

max-unacked-updates 10; 

load balance max seconds 3; 

split 128; 

mclt 600; 

} 

include "/etc/named.d/marndc.key"; 

zone mynet.lan. { 

primary 192.168.0.21; 

key marndc; 

} 

zone 0.168.192.in-addr.arpa. { 

primary 192.168.0.21; 

key marndc; 

} 

subnet 192.168.0.0 netmask 255.255.255.0 { 

pool { 

failover peer "mypeer"; 

range 192.168.0.100 192.168.0.149; 

deny dynamic bootp clients; 

allow unknown-clients; 

} 

option routers 192.168.0.1; 

option broadcast-address 192.168.0.255; 

option subnet-mask 255.255.255.0; 



} 

41


On vos21 /etc/named.conf 

options { 

directory "/var/lib/named"; 

dump-file "/var/log/named_dump.db"; 

statistics-file "/var/log/named.stats"; 

listen-on-v6 { any; }; 

notify no; 

disable-empty-zone 

"1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.A 

RPA"; 

include "/etc/named.d/forwarders.conf"; 

}; 

zone "." in { 

type hint; 

file "root.hint"; 

}; 

zone "localhost" in { 

type master; 

file "localhost.zone"; 

}; 

zone "0.0.127.in-addr.arpa" in { 

type master; 

file "127.0.0.zone"; 

}; 

zone 

"0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arp 

a" in { 

type master; 

file "127.0.0.zone"; 

}; 

controls { 

inet 127.0.0.1 allow { 

127.0.0.1; 

192.168.0.21; 

192.168.0.22; 

} 

keys { "marndc"; } ; 

}; 

include "/etc/named.conf.include"; 

zone "mynet.lan" in { 

allow-transfer { localnets; }; 

file "dyn/mynet.lan"; 

type master; 

allow-update { 

key marndc; 

}; 

}; 



file "dyn/0.168.192.in-addr.arpa"; 

type master; 

allow-update { 

key marndc; 

}; 

}; 

42


On vos22 /etc/dhcpd.conf 

option rfc3442-classless-static-routes code 121 = array of unsigned 

integer 8; 

option domain-name "mynet.lan"; 

option domain-name-servers 192.168.0.21, 192.168.0.22; 

option ntp-servers 192.168.0.21, 192.168.0.22; 

ddns-updates on; 

ddns-update-style interim; 



one-lease-per-client true; 

authoritative; 

log-facility local7; 

failover peer "mypeer" { 

secondary; 

address 192.168.0.22; 

peer address 192.168.0.21; 

port 519; 

peer port 519; 

max-response-delay 60; 

max-unacked-updates 10; 

load balance max seconds 3; 

} 

include "/etc/named.d/marndc.key"; 

zone mynet.lan. { 

primary 192.168.0.21; 

key marndc; 

} 

zone 0.168.192.in-addr.arpa. { 

primary 192.168.0.21; 

key marndc; 

} 

subnet 192.168.0.0 netmask 255.255.255.0 { 

pool { 

failover peer "mypeer"; 

range 192.168.0.100 192.168.0.149; 

deny dynamic bootp clients; 

allow unknown-clients; 

} 

option routers 192.168.0.1; 

option subnet-mask 255.255.255.0; 

option broadcast-address 192.168.0.255; 



} 

43


On vos22 /etc/named.conf 

options { 

directory "/var/lib/named"; 

dump-file "/var/log/named_dump.db"; 

statistics-file "/var/log/named.stats"; 

listen-on-v6 { any; }; 

notify no; 

disable-empty-zone 

"1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.A 

RPA"; 

include "/etc/named.d/forwarders.conf"; 

}; 

zone "." in { 

type hint; 

file "root.hint"; 

}; 

zone "localhost" in { 

type master; 

file "localhost.zone"; 

}; 


type master; 

file "127.0.0.zone"; 

}; 

zone 

"0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arp 

a" in { 

type master; 

file "127.0.0.zone"; 

}; 

controls { 

inet 127.0.0.1 allow { 

127.0.0.1; 

192.168.0.21; 

192.168.0.22; 

} 

keys { "marndc"; }; 

}; 

include "/etc/named.conf.include"; 

zone "mynet.lan" in { 


masters { 192.168.0.21; }; 

file "dyn/mynet.lan"; 

type slave; 

allow-update { key marndc; }; 

}; 



masters { 192.168.0.21; }; 

file "dyn/0.168.192.in-addr.arpa"; 

type slave; 

allow-update { key marndc; }; 

}; 

44


After setting up the config files, stop both services on both 

servers, /etc/init.d/dhcpd stop and 

/etc/init.d/named stop, to copy the zone files to the dyn 

directory. 

Picture 28: Copy master zone files 

On the slave server the zone files are in the slave directory. 

45


Now start the servers again, /etc/init.d/dhcpd start 

and /etc/init.d/named start, to check that everything 

works fine. You can also use the command rcnamed start, 

rcdhcpd start or rcnamed stop, rcdhcpd stop to start 

and stop the services. If you get an error message form named 

that it cannot write a *.jnl file, do a chown named.named 

/var/lib/named and then restart named. 

Finally lets test the setup. Boot a client what gets its network 

settings by DHCP. Then open a terminal window and type 

ifconfig and check the following result. 

46 

Picture 29: Copy slave zone files

Picture 30: DHCP-Client 


Now check name resolving. It should look like the next screen. 

47


Now shutdown the primary DNS-Server vos21 to simulate a 

hardware breakdown. Then on server vos22 the DHCP-Server 

and DNS-Server should serve the network after starting a client 

who gets its ip via DHCP. You see in the following two screens. 

48 

Picture 31: Name resolving

Picture 32: Check ip-lease with ifconfig 


Here you see that the client got an IP-Address even if the 

DHCP-Server on host vos21 is down. 

49


Here nslookup shows you the dynamic updated DNS-Hostnames 

and its per DHCP assigned IP-Addresses and the static 

address for the router ls44n. 

Keep in mind when the master server vos21 is down you have 

no DDNS working and you should not connect new clients to 

the network what use DHCP. Their hostnames will not be 

uptated in the DNS-Zone files. Now you have all prerequisities 

for Kerberos setup. 


50 

Picture 33: Test nslookup

3.12 Root CA 


We need the Root CA to have our own SSL certificates for TLS 

security. It gives us a secure, encrypted client-server connection 

over the network. In yast select Software/Software 

Management, in Search Phrase type ca-cert and hit return. 

Install the first three packages by hitting spacebar on each. 

Choose the next one by typing the Tab key. Finally press Alt+A 

to accept the selection. Now go to Security and Users and 

choose CA Management on the right panel of yast, hit return. 

Picture 34: Start CA management 

In the next screen you can select a CA from the tree, if you 

already have a CA. If you have no CA, type Alt+C to create a 

new one. Alternatively you can import a CA by pressing Alt+I, 

for example. 

51


After pressing Alt+C you create a CA in three steps. 

Fill in CA name, common name, e-mail and hit Add like you see 

in the next picture. 

52 

Picture 35: CA tree 

Picture 36: Step 1

Picture 37: Basic settings 


Now fill out the additionally settings like you see in the next 

screen. 

Picture 38: Additional settings 

Hit next to go to step two. Set the password for the CA. 

53


Now click next to get the summary about the CA. 

Press Alt+T to create the CA with settings above. Now you have 

one entry in the CA selection screen. 

54 

Picture 39: Set password 

Picture 40: Summary

Picture 41: Selected CA 


Now type Alt+E to enter the newly created CA. You will be 

prompted for the password. 

Picture 42: Password 

After typing the password and hit ok you get the description 

screen like you see in the next picture. 

55


To create server and client certificates, start with Requests, so 

press Alt+Q to get the next screen. Press Alt+A for a new 

request and select Add Server Request. 

As the common name type in the fully qualified domain name, 

56 

Picture 43: CA description 

Picture 44: Add server request


in this case vos21.mynet.lan, for example. As email type 

root@mynet.lan and click Add. Edit or leave the other entries 

how you like it. Then press next to set the password. 

Picture 45: Edit server request 

Select use CA password and press next. 

57


At the summary screen press Alt+T to create the certificate 

request. Then you will see a list of all certificate requests. 

Now type Alt+U and select sign. Then select as server certificate 

and hit return. 

58 

Picture 46: Set password 

Picture 47: Request list

Picture 48: Sign request 


In the description you see the servers common name. In the 

valid period you can change the number of days or keep it. 

In the requested extensions you can select X509v3 Basic 

constraints: CA:FALSE, then press next. 

59


You will see the summary and press Alt+S to sign it. 

Close the sign dialog by pressing ok. After signing the request 

your certificate is ready and you see it in the certificates list by 

pressing Alt+E. 

60 

Picture 49: Extensions 

Picture 50: Summary

Picture 51: Signed certificate 


Now export the certificate as a common server certificate by 

pressing Alt+X. 

Picture 52: Export to file 

61


Enter the password, then hit ok. 

Hit ok to finish the export of the common server certificates. 

62 

Picture 53: Export path 

Picture 54: Key export


Press ok, and Alt+Q for starting over to create an other server 

certificate for the second server vos22.mynet.lan. After finishing 

the server certificate for vos22, you get this screen. 

Picture 55: Common server certificate for vos22 

Export it to a file on a network share or USB-Stick to copy it to 

the other host. You need to select the export format. Choose 

Like PKCS12 and Include the CA Chain. Then enter the certificate 

password and give a new password. Set the filename 

where to copy it and press ok to copy. 

63


Hit ok twice and Alt+S to finish the export. Now export the Root 

CA certificate in the same way. It must be shared on all hosts in 

your network. Type Alt+A to export the root certificate. 

Choose a filename where to export the file. It can be an USB- 

64 

Picture 56: Eport as file 

Picture 57: Export root certificate

Stick or a network share. 

Press ok twice to finish export and close yast. 


Now you have the Root CA ready to operate, to create and 

manage certificates for your clients and servers. 


3.13 CA by command line 

At first setup your /etc/ssl/openssl.cnf file: 

# 

# OpenSSL example configuration file. 

# This is mostly being used for generation of certificate requests. 

# 

# This definition stops the following lines choking if HOME isn't 

# defined. 

HOME = . 

RANDFILE = $ENV::HOME/.rnd 

# Extra OBJECT IDENTIFIER info: 

#oid_file = $ENV::HOME/.oid 

oid_section = new_oids 

Picture 58: Export file 

65


# To use this configuration file with the "-extfile" option of the 

# "openssl x509" utility, name here the section containing the 

# X.509v3 extensions to use: 

# extensions = 

# (Alternatively, use a configuration file that has only 

# X.509v3 extensions in its main [= default] section.) 

[ new_oids ] 

# We can add new OIDs in here for use by 'ca' and 'req'. 

# Add a simple OID like this: 

# testoid1=1.2.3.4 

# Or use config file substitution like this: 

# testoid2=${testoid1}.5.6 

#################################################################### 

[ ca ] 

default_ca = CA_default # The default ca section 

#################################################################### 

[ CA_default ] 

dir = ./demoCA # Where everything is kept 

certs = $dir/certs # Where the issued certs are kept 

crl_dir = $dir/crl # Where the issued crl are kept 

database = $dir/index.txt # database index file. 

#unique_subject = no # Set to 'no' to allow creation of 

# several ctificates with same subject. 

new_certs_dir = $dir/newcerts # default place for new certs. 

certificate = $dir/cacert.pem # The CA certificate 

serial = $dir/serial # The current serial number 

#crlnumber = $dir/crlnumber # the current crl number 

# must be commented out to leave a V1 CRL 

crl = $dir/crl.pem # The current CRL 

private_key = $dir/private/cakey.pem# The private key 

RANDFILE = $dir/private/.rand # private random number file 

x509_extensions = usr_cert # The extentions to add to the cert 

# Comment out the following two lines for the "traditional" 

# (and highly broken) format. 

name_opt = ca_default # Subject Name options 

cert_opt = ca_default # Certificate field options 

# Extension copying option: use with caution. 

# copy_extensions = copy 

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs 

# so this is commented out by default to leave a V1 CRL. 

# crlnumber must also be commented out to leave a V1 CRL. 

# crl_extensions = crl_ext 

66


default_days = 365 # how long to certify for 

default_crl_days= 30 # how long before next CRL 

default_md = sha1 # which md to use. 

preserve = no # keep passed DN ordering 

# A few difference way of specifying how similar the request should look 

# For type CA, the listed attributes must be the same, and the optional 

# and supplied fields are just that :-) 

policy = policy_match 

# For the CA policy 

[ policy_match ] 

# countryName = match 

domainComponent = match 

stateOrProvinceName = match 

organizationName = match 

organizationalUnitName = optional 

commonName = supplied 

emailAddress = optional 

# For the 'anything' policy 

# At this point in time, you must list all acceptable 'object' 

# types. 

[ policy_anything ] 

# countryName = optional 

domainComponent = optional 

stateOrProvinceName = optional 

localityName = optional 

organizationName = optional 

organizationalUnitName = optional 

commonName = supplied 

emailAddress = optional 

#################################################################### 

[ req ] 

default_bits = 1024 

default_keyfile = privkey.pem 

distinguished_name = req_distinguished_name 

attributes = req_attributes 

x509_extensions = v3_ca # The extentions to add to the self signed cert 

# Passwords for private keys if not present they will be prompted for 

# input_password = secret 

# output_password = secret 

# This sets a mask for permitted string types. There are several options. 

# default: PrintableString, T61String, BMPString. 

# pkix : PrintableString, BMPString. 

# utf8only: only UTF8Strings. 

# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). 

# MASK:XXXX a literal mask value. 

# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings 

# so use this option with caution! 

string_mask = nombstr 

67


# req_extensions = v3_req # The extensions to add to a certificate request 

[ req_distinguished_name ] 

# countryName = Country Name (2 letter code) 

# countryName_default = AU 

# countryName_min = 2 

# countryName_max = 2 

0.domainComponent = TLD Domaenen-Komponente (dc=lan) 

0.domainComponent_default = lan 

1.domainComponent = Zweite Domaenen-Komponente (dc=mynet) 

1.domainComponent_default = mynet 

stateOrProvinceName = State or Province Name (full name) 

stateOrProvinceName_default = Deutschland 

localityName = Locality Name (eg, city) 

localityName_default = Mes 

organizationName = Organization Name (eg, company) 

organizationName_default = Mynet-Lan Organisation 

# we can do this but it is not needed normally :-) 

#1.organizationName = Second Organization Name (eg, company) 

#1.organizationName_default = World Wide Web Pty Ltd 

organizationalUnitName = Organizational Unit Name (eg, section) 

organizationalUnitName_default = my ou 

commonName = Common Name (eg, YOUR name) 

commonName_max = 64 

commonName_default = vor20.mynet.lan 

emailAddress = Email Address 

emailAddress_max = 64 

emailAddress_default = root@mynet.lan 

# SET-ex3 = SET extension number 3 

[ req_attributes ] 

challengePassword = A challenge password 

challengePassword_min = 4 

challengePassword_max = 20 

unstructuredName = An optional company name 

[ usr_cert ] 

# These extensions are added when 'ca' signs a request. 

# This goes against PKIX guidelines but some CAs do it and some software 

# requires this to avoid interpreting an end user certificate as a CA. 

68

asicConstraints=CA:FALSE 

# Here are some examples of the usage of nsCertType. If it is omitted 

# the certificate can be used for anything *except* object signing. 

# This is OK for an SSL server. 

# nsCertType = server 

# For an object signing certificate this would be used. 

# nsCertType = objsign 

# For normal client use this is typical 

# nsCertType = client, email 

# and for everything including object signing: 

# nsCertType = client, email, objsign 

# This is typical in keyUsage for a client certificate. 

# keyUsage = nonRepudiation, digitalSignature, keyEncipherment 

# This will be displayed in Netscape's comment listbox. 

nsComment = "OpenSSL Generated Certificate" 

# PKIX recommendations harmless if included in all certificates. 

subjectKeyIdentifier=hash 

authorityKeyIdentifier=keyid,issuer:always 

# This stuff is for subjectAltName and issuerAltname. 

# Import the email address. 

# subjectAltName=email:copy 

# An alternative to produce certificates that aren't 

# deprecated according to PKIX. 

# subjectAltName=email:move 

# Copy subject details 

# issuerAltName=issuer:copy 

#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem 

#nsBaseUrl 

#nsRevocationUrl 

#nsRenewalUrl 

#nsCaPolicyUrl 

#nsSslServerName 

[ v3_req ] 

# Extensions to add to a certificate request 

basicConstraints = CA:FALSE 

keyUsage = nonRepudiation, digitalSignature, keyEncipherment 

[ v3_ca ] 


69


# Extensions for a typical CA 

# PKIX recommendation. 

subjectKeyIdentifier=hash 

authorityKeyIdentifier=keyid:always,issuer:always 

# This is what PKIX recommends but some broken software chokes on critical 

# extensions. 

#basicConstraints = critical,CA:true 

# So we do this instead. 

basicConstraints = CA:true 

# Key usage: this is typical for a CA certificate. However since it will 

# prevent it being used as an test self-signed certificate it is best 

# left out by default. 

# keyUsage = cRLSign, keyCertSign 

# Some might want this also 

# nsCertType = sslCA, emailCA 

# Include email address in subject alt name: another PKIX recommendation 

# subjectAltName=email:copy 

# Copy issuer details 


# DER hex encoding of an extension: beware experts only! 

# obj=DER:02:03 

# Where 'obj' is a standard or added object 

# You can even override a supported extension: 

# basicConstraints= critical, DER:30:03:01:01:FF 

[ crl_ext ] 

# CRL extensions. 

# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. 


authorityKeyIdentifier=keyid:always,issuer:always 

Create random number, if needed 

dd if=/dev/urandom of=/etc/ssl/.rnd bs=1 count=2048 

Create Root-CA only the first time, create private key 

openssl genrsa -des3 -out demoCA/private/cakey.pem -rand 

.rnd 2048 

2048 semi-random bytes loaded 

Generating RSA private key, 2048 bit long modulus 

.................+++ 

70


........................................+++ 

e is 65537 (0x10001) 

Enter pass phrase for demoCA/private/cakey.pem: 

Verifying - Enter pass phrase for 

demoCA/private/cakey.pem: 

vor20:/etc/ssl # 

Enter linux as password. 

Create root certificate 

openssl req -new -x509 -days 730 -key 

demoCA/private/cakey.pem -out demoCA/cacert.pem 

Enter pass phrase for demoCA/private/cakey.pem: 

You are about to be asked to enter information that will 

be incorporated into your certificate request. What you 

are about to enter is what is called a Distinguished 

Name or a DN. There are quite a few fields but you can 

leave some blank. For some fields there will be a 

default value, If you enter '.', the field will be left 

blank. 

TLD Domaenen-Komponente (dc=site) [site]: 

Zweite Domaenen-Komponente (dc=local) [local]: 

State or Province Name (full name) [Deutschland]: 

Locality Name (eg, city) [Dortmund]: 

Organization Name (eg, company) [Brainstorm]: 

Organizational Unit Name (eg, section) []: 

Common Name (eg, YOUR name) [ldapmaster.local.site]: 

Email Address []: 

vor20:/etc/ssl # 

View certificate 

openssl x509 -in demoCA/cacert.pem -text | less 

Create vos21key and req 

openssl genrsa -des3 -out vos21keyenc.pem -rand .rnd 

2048 

openssl req -new -key vos21keyenc.pem -out vos21req.pem 

Sign vos21 certificate 

openssl ca -name CA_default -keyfile 

demoCA/private/cakey.pem -in vos21req.pem -out vos21cert.pem 

Remove password from key file 

71


openssl rsa -in vos21keyenc.pem -out vos21key.pem 

Create vos22 key and req 

openssl genrsa -des3 -out vos22keyenc.pem -rand .rnd 

2048 

openssl req -new -key vos22keyenc.pem -out vos22req.pem 

Sign vos22 certificate 


demoCA/private/cakey.pem -in vos22req.pem -out vos22cert.pem 


openssl rsa -in vos22keyenc.pem -out vos22key.pem 

Create ckent key and req 

openssl genrsa -des3 -out ckentkeyenc.pem -rand .rnd 

2048 

openssl req -new -key ckentkeyenc.pem -out ckentreq.pem 

Sign ckent certificate 


demoCA/private/cakey.pem -in ckentreq.pem -out ckentcert.pem 


openssl rsa -in ckentkeyenc.pem -out ckentkey.pem 

Create replicator key and req 

openssl genrsa -des3 -out replicatorkeyenc.pem -rand 

.rnd 2048 

openssl req -new -key replicatorkeyenc.pem -out replicatorreq.pem 

Sign replicator certificate 


demoCA/private/cakey.pem -in replicatorreq.pem -out 

replicatorcert.pem 


openssl rsa -in replicatorkeyenc.pem -out replicatorkey.pem 

72


3.14 OpenLDAP-Server 


With yast install the following packages openldap2, openldap2back-meta, 

openldap2-back-perl, openldap2-client, 

pam_ldap, nss_ldap, yast2-ldap, yast2-ldap, yast2-ldap-client, 

yast2-ldap-server to configure your LDAP 

directory tree. Admin informaton is here 

/usr/share/doc/packages/openldap2/guide/admin/guide.html 

and there are a lot of man pages like slapd-config. 

3.14.1 N-Way/Multi-Master-Replication 

The traffic increases in this configuration calculated by the 

following formula: 

n²-n where n is the number of LDAP-Servers. 

So it is recommended to use two servers as a minimum for high 

availability but not more than three servers as a maximum. If 

you need more than two Multi-Master-Replication servers then 

setup more Delta-Syncrepl-Consumer servers and use the 

overlay chain to make them behave as writeable provider 

servers. With the overlay chain you delegate write requests to 

one of the master servers and they replicate it to the other 

master and consumer servers. This setup is only recommended 

for big companies with a few thousand employees. 

For a small company and easy setup a 2-Way/Multi-Master-Replication 

is fine for high availability. In the next steps i show you 

how to set it up. 

3.14.1.1 Delete old database 

At first we look in the directory /etc/openldap/slapd.d and we 

delete all files inside. Then we look in the directory 

/var/lib/ldap and delete all files except the DB_CONFIG* files. 

We do this on both servers, vos21 and vos22 to make shure that 

no old database left over from installation. 

73


3.14.1.2 Edit slapd.conf file 

If all old databases are deleted on both servers, we edit the 

main server config file /etc/openldap/slapd.conf and use it for 

the online configuration feature of the LDAP-Server. It should 

look like the following file for both servers: 

include /etc/openldap/schema/core.schema 

include /etc/openldap/schema/cosine.schema 

include /etc/openldap/schema/nis.schema 

include /etc/openldap/schema/inetorgperson.schema 

pidfile /var/run/slapd/slapd.pid 

argsfile /var/run/slapd/slapd.args 

access to dn.base="" 

by * read 

access to dn.base="cn=Subschema" 

by * read 

access to attrs=userPassword,userPKCS12 

by self write 

by * auth 

access to attrs=shadowLastChange 

by self write 

by * read 

access to * 

by * read 

ServerID 1 "ldap://vos21.mynet.lan" 

ServerID 2 "ldap://vos22.mynet.lan" 

database config 

rootdn cn=config 

rootpw {SSHA}4PvZLcpQ7s1CyQG+yworyl5DcrFTn78q 

syncrepl rid=003 

provider="ldap://vos21.mynet.lan" 

searchbase="cn=config" 

type=refreshAndPersist 

retry="5 +" 

bindmethod=simple 

binddn="cn=config" 

credentials="linux" 

filter="(!(olcDatabase={0}config))" 



searchbase="cn=config" 


retry="5 +" 

74



binddn="cn=config" 


filter="(!(olcDatabase={0}config))" 

overlay syncprov 

MirrorMode On 

database hdb 

suffix "dc=mynet,dc=lan" 

rootdn "cn=admin,dc=mynet,dc=lan" 

rootpw {SSHA}iLwhoppdqOjJ+0HUroiScDJ3cpbOgo4u 

directory /var/lib/ldap 

index objectClass eq 

index entryUUID,entryCSN eq 


syncprov-checkpoint 10 1 

syncprov-sessionlog 100 

limits dn.exact="cn=replicator,dc=mynet,dc=lan" 

size=unlimited time=unlimited 

access to * 

by dn.exact="cn=replicator,dc=mynet,dc=lan" read 

by * break 




retry="5 +" 

searchbase="dc=mynet,dc=lan" 


binddn="cn=replicator,dc=mynet,dc=lan" 





retry="5 +" 





MirrorMode On 

After copying or editing this file on both servers make shure that 

it is chmod 640 and chown root.ldap, like all files in the 

/etc/openldap directory. 

75


3.14.1.3 Edit client file /etc/openldap/ldap.conf 

All clients who have to use the LDAP-Servers have to have this 

file in their /etc/openldap directory. It has the following content 

for server vos21: 

BASE dc=mynet,dc=lan 

URI ldap://vos21.mynet.lan ldap://vos22.mynet.lan 

And on server vos22 it look like this: 



Make shure this file is chmod 644 and chown root.root. 

On 50% of your clients you use the first one and on the other 

50% you use the second file. With this configuration you get 

high availability, hot standby failover and load balancing. If the 

first URI is not available, the client will use the second URI as 

failover. The client will always connect to the first URI, so you 

have a simple load balancing when you put these files in a 

50/50 ratio on your clients. If one server is offline for any 

reason, a login to your network is still possible for your LDAP- 

Users. Now you know why LDAP is a very important infrastructure 

service in your network. 

3.14.1.4 Edit /etc/ldap.conf 

This is the last config file you have to edit on every host. In the 

first line you type the hostname of your LDAP-Servers, 

separated by spaces. For load balancing you can exchange the 

order of the two servers like you did in the file before. So the 

first line looks like this: 

host vos21.mynet.lan vos22.mynet.lan on 50% of your hosts 

or like: 

host vos22.mynet.lan vos21.mynet.lan on the other 50%. 

76


The second and third line look like this: 

base dc=mynet,dc=lan 

ldap_version 3 

There is no need to change anything else in this file now. Save 

it and you can go on to start the service on both machines. 

3.14.1.5 Start service on vos21 

Before you can run the service, you have to create a directory 

on both machines. Type mkdir /var/run/slapd to create the 

directory. Now set the correct file permission and owner by 

typing chmod 755 /var/run/slapd and chown ldap.ldap 

/var/run/slapd on the command line. 

At the first time you start the LDAP-Server on a machine, you 

need to convert the slapd.conf file to the database online configuration. 

You do this by typing 

/usr/lib/openldap/slapd -f /etc/openldap/slapd.conf 

-F /etc/openldap/slapd.d -u ldap -g ldap -d 4 

at the command line. The first path of the command line is for 

calling the LDAP-Server service file. The second parameter 

-f /... is the path to the config file what is to convert for online 

configuration. The third parameter -F /... is the path to the 

database where the online configuration is stored. The fourth 

and fifth parameter -u and -g is for the user and group the 

service is running with. The last parameter -d 4 is the debug 

level. You can look in the man page man slapd.conf for all 

debug levels. 

Everything works fine if you get the next two screens shown on 

the next page. 

77


The error messages are normal until the service is started on 

both servers. Then you get an other error message like you see 

in the next two pictures on the next page but this is also normal. 

78 

Picture 59: Running slapd on vos21 

Picture 60: Running slapd on vos22




When the slapd service is running on both machines vos21 and 

vos22, we can check with Apache Directory Studio or JXplorer 

for correct working of the service. The following screen will 

show you an empty but fully functional directory information tree 

(DIT). 

79


To configure the connection, right click on vos21-mynet and 

select properties. You get the following two screens. 

Over here you give a name to the connection, an IP-Address, a 

port number and select no encryption from the last drop-down 

box. You can click on the big button Check Network Parameter 

to see if it works. 

80 

Picture 63: Empty DIT 

Picture 64: Network parameter


Over here select Simple Authentication in the first drop-down 

box and type the Bind DN in the second drop-down box. As Bind 

Password you type linux. You can test the authentication by 

clicking the big button Check Authentication, for example. 

Right now we have a working LDAP service on both machines 

but we have no DIT to serve and no user for syncrepl to 

replicate between both servers. So let's get in some initial data. 

3.14.1.6 The initial data file init.ldif 

This file has the following content: 

dn: dc=mynet,dc=lan 

objectClass: dcObject 

objectClass: Organization 

dc: mynet 

o: Mynet-Lan Organisation 

Picture 65: Authentication 

dn: cn=admin,dc=mynet,dc=lan 

objectClass: organizationalRole 

cn: admin 

dn: cn=replicator,dc=mynet,dc=lan 


objectClass: simpleSecurityObject 

cn: replicator 

userPassword: {SSHA}Kq2vTqyFSopY7N1MRGBBtLrY1U2EPwri 

81


This file defines a simple DIT and two administrative users, 

admin and replicator, for example. To add this file to your 

server, type ldapadd -xWD cn=admin,dc=mynet,dc=lan -f 

/etc/openldap/init.ldif on the command line. Then enter the 

password linux when asked for on the command line. Finally 

you have a simple DIT up and running highly available on both 

servers vos21 and vos22. 

3.14.1.7 Automatic starting slapd 

To have the LDAP-Server running when starting the machine 

we need to set some environment variable. Now type yast on 

the command line, then select System, /etc/sysconfig Editor, 

select Network/LDAP and set the variables in the following 

table. 

82 

Picture 66: Simple DIT

Variable name Value 

OPENLDAP_START_LDAP yes 

OPENLDAP_START_LDAPS no 

OPENLDAP_START_LDAPI no 

OPENLDAP_SLAPD_PARAMS 

OPENLDAP_USER ldap 

OPENLDAP_GROUP ldap 

OPENLDAP_CHOWN_DIRS yes 

OPENLDAP_LDAP_INTERFACES 

OPENLDAP_LDAPS_INTERFACES 

OPENLDAP_LDAPI_INTERFACES 

OPENLDAP_REGISTER_SLP no 

OPENLDAP_KRB5_KEYTAB 

OPENLDAP_CONFIG_BACKEND ldap 

Table 6: LDAP environment variables 


The table shows the settings for the server vos21. On the 

second machine vos22 use the same settings for correct 

startup. 

Finally press Alt+F to finish like you see in the next picture. 

Then type Alt+Q to quit yast. 

83


Now you have to edit two ldif-files to set the correct URI. Maybe 

this is no more necessary in future versions.You can also read 

the advice on this website 

http://www.openldap.org/lists/openldaptechnical/201008/msg00274.html. 

Open the file 

olcDatabase={0}config.ldif in the directory 

/etc/openldap/slapd.d/cn=config in your favourite text editor. 

Find the line olcSyncrepl: rid=003 

provider=ldap://vos21.mynet.lan uri="" and change it to 

olcSyncrepl: rid=003 provider=ldap://vos21.mynet.lan 

uri="ldap://vos21.mynet.lan", for example. Now find the next 

line olcSyncrepl: rid=004 provider=ldap://vos22.mynet.lan 

uri="" and change it also to olcSyncrepl: rid=004 

provider=ldap://vos22.mynet.lan 

uri="ldap://vos22.mynet.lan", then save the file. Do the same 

for the next file olcDatabase={1}hdb.ldif in same directory. 

Search for the line olcSyncrepl: rid=001 and copy the provider 

value to the uri value to look like this olcSyncrepl: rid=001 

provider=ldap://vos21.mynet.lan 

uri="ldap://vos21.mynet.lan. Now find the last line to change 

84 

Picture 67: Set dynamic configuration


olcSyncrepl: rid=002 and edit it like this 

olcSyncrepl: rid=002 provider=ldap://vos22.mynet.lan 

uri="ldap://vos22.mynet.lan save it and you are done with 

the first machine vos21. Now do the same changes on the 

second machine vos22, then your LDAP-Server will start up. 

Now select System Services (Runlevel) in yast to start slapd on 

both machines vos21 and vos22. 

Picture 68: Runlevel 

Scroll down to ldap and press Alt+E to enable the service at 

startup in the correct runlevel. 

85


Press ok to finish the configuration, then press quit. Finally 

reboot both machines vos21 and vos22 to check that both 

services work properly. 


3.14.2 LDAP-Client Login configuration 

To use our LDAP-Server for centralized logins, we have to 

configure it with yast. In yast select Security and Users/User 

and Group Management, likeyou see in the next screen. 

86 

Picture 69: Enable ldap service at startup

Picture 70: Security settings 


In the next screen you change the Authentication Settings. 

Picture 71: User and Group Administration 

Now type Alt+E to edit the Authentication Settings. You will get 

the following screen. 

87


Type Alt+N and select LDAP in the popup window, you get the 


In this screen select Use LDAP, fill in addresses and Base DN, 

select Create Home Directory on Login, then press Alt+A and 

88 

Picture 72: Configure Authentication Settings 

Picture 73: Client configuration

you will get to the following screen. 


Fill out Naming Contexts, Password Change Protocol, Group 

Member Attribute and press ok three times, then Alt+Q to quit 

yast. Now you can add users to your LDAP-Server and authenticate 

them on every machine where you configured this LDAP- 

Client Login configuration. 


3.15 LDAP-Master vos21 

Picture 74: Advanced client configuration 

Before you can setup any secure connection between clients 

and servers, you need to setup a certificate authority (CA). 

Then create server and user X.509 certificates described in 

chapter 3.15 CA by command line for each server and user and 

place them in the apropriate place. For both ldap-servers in 

/etc/openldap/certs for users in their home directory. Client 

users also need a .ldaprc file in their home directory what 

contains the actual absolute path to their cert and key file, for 

example: 

TLS_CERT /home/ckent/ckentcert.pem 

89


TLS_KEY /home/ckent/ckentkey.pem 

This setup is required by TLS encryption. 

3.15.1 Setup PDC /etc/openldap/slapd.conf: 





include /etc/openldap/schema/samba3.schema 



authz-regexp 

"cn=vos22.mynet.lan,o=Mynet-Lan 

Organisation,st=deutschland,dc=mynet,dc=lan" 

"cn=replicator,dc=mynet,dc=lan" 


by * read 


by * read 


by self write 

by * auth 


by self write 

by * read 

access to * 

by * read 

TLSCertificateFile /etc/openldap/certs/vos21cert.pem 

TLSCertificateKeyFile /etc/openldap/certs/vos21key.pem 

TLSCACertificateFile /etc/openldap/certs/cacert.pem 

TLSVerifyClient allow 

#TLSVerifyClient demand 

################################################# 




################################################# 

# BDB database definitions 

################################################# 

database hdb 


checkpoint 1024 5 

cachesize 10000 

90





# Indices to maintain 

index objectClass,uid,memberUid eq 

index entryUUID,entryCSN,uidNumber,gidNumber eq 

index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq 

access to * 

by dn.exact="cn=replicator,dc=mynet,dc=lan" read 

by * break 


syncprov-checkpoint 10 1 

syncprov-sessionlog 100 

3.15.2 PDC /etc/openldap/lapd.conf: 



TLS_CACERT /etc/openldap/certs/cacert.pem 

TLS_REQCERT allow 

#TLS_REQCERT demand 

3.15.3 PDC /etc/lapd.conf: 

host vos21.mynet.lan vos22.mynet.lan 


bind_policy soft 

pam_lookup_policy yes 

pam_password exop 

nss_initgroups_ignoreusers root,ldap 

nss_schema rfc2307bis 

nss_map_attribute uniqueMember member 

ssl no 


tls_cacertdir /etc/openldap/certs 

tls_cacertfile /etc/openldap/certs/cacert.pem 

pam_filter objectClass=posixAccount 

91


3.15.4 init.ldif 

dn: dc=mynet,dc=lan 

objectClass: dcObject 

objectClass: Organization 

dc: mynet 

o: Mynet-Lan Organisation 

dn: cn=admin,dc=mynet,dc=lan 


cn: admin 

dn: cn=replicator,dc=mynet,dc=lan 


objectClass: simpleSecurityObject 

cn: replicator 

userPassword: {SSHA}Kq2vTqyFSopY7N1MRGBBtLrY1U2EPwri 

3.15.5 samba-base.ldif 

dn: ou=users,dc=mynet,dc=lan 

objectClass: organizationalUnit 

ou: users 

dn: ou=groups,dc=mynet,dc=lan 


ou: groups 

dn: ou=idmap,dc=mynet,dc=lan 


ou: idmap 

dn: ou=computers,dc=mynet,dc=lan 


ou: computers 

92

3.15.6 Testing 

Available SASL Mechs 

pluginviewer 

Simple amnonymous connect via TLS 

ldapsearch -x -ZZ uid=skiu 


ldap_start_tls: Connect error (-11) 

additional info: A TLS packet with unexpected 

length was received. 

Here the user has no .ldaprc file in his home directory what 

points to his cert- and key-file. Without these files SASLMech 

EXTERNAL does not work. 

SASLMech EXTERNAL available 

ldapsearch -x -ZZ -s base -b "" supportedSASLMechanisms 

supportedSASLMechanisms: LOGIN 

supportedSASLMechanisms: NTLM 

supportedSASLMechanisms: GSSAPI 

supportedSASLMechanisms: DIGEST-MD5 

supportedSASLMechanisms: CRAM-MD5 

supportedSASLMechanisms: PLAIN 

supportedSASLMechanisms: EXTERNAL 

Connection and Handshake 

ldapsearch -Y EXTERNAL -d 1 -ZZ 

SASL/EXTERNAL authentication started 

ldap_err2string 

ldap_sasl_interactive_bind_s: Unknown authentication 

method (-6) 

additional info: SASL(-4): no mechanism available: 

Here the user also has no .ldaprc file in his home directory what 

points to his cert- and key-file. 

Connect via TLS and Mech EXTERNAL 

ldapsearch -Y EXTERNAL -ZZ -LLL uid=ckent 

SASL/EXTERNAL authentication started 

ldap_sasl_interactive_bind_s: Unknown authentication 

method (-6) 

additional info: SASL(-4): no mechanism available: 

93


Here the user also has no .ldaprc file in his home directory what 

points to his cert- and key-file. 

As user root now we check with tcpdump that everything is 

encrypted. 

tcpdump -xXs 10000 -i lo dst port 389 

Now open a second session as root with no .ldaprc in his home 

and do an ldapsearch. 

ldapsearch -xWD cn=admin,dc=mynet,dc=lan uid=skiu 

As result you will find the admin password linux in cleartext. 

14:14:34.841090 IP vos21.mynet.lan.47651 > 

vos21.mynet.lan.ldap: Flags [P.], seq 0:43, ack 1, win 

1025, options [nop,nop,TS val 3142807 ecr 3142803], 

length 43 

0x0000: 4500 005f 940d 4000 4006 2511 c0a8 0015 

E.._..@.@.%..... 

0x0010: c0a8 0015 ba23 0185 da78 6099 db39 f2f2 

.....#...x`..9.. 

0x0020: 8018 0401 81cc 0000 0101 080a 002f f497 

............./.. 

0x0030: 002f f493 3029 0201 0160 2402 0103 0418 

./..0)...`$..... 

0x0040: 636e 3d61 646d 696e 2c64 633d 6d79 6e65 

cn=admin,dc=myne 

0x0050: 742c 6463 3d6c 616e 8005 6c69 6e75 78 

t,dc=lan..linux 

14:14:34.856953 IP vos21.mynet.lan.47651 > 

vos21.mynet.lan.ldap: Flags [.], ack 

Now become user ckent and do the same ldapsearch. 

su ckent 

ldapsearch -Y EXTERNAL -ZZ -LLL uid=skiu 

Here you can read only the certificates, so it is more secure. 


94

3.16 LDAP-Slave vos22 


The LDAP-Slave consumer server vos22 is a special case. 

When its syncrepl acts as a client for the provider, it also needs 

a .ldaprc file in the /etc/openldap directory what contains the 

absolute path to its server cert and key file, for example: 

TLS_CERT /etc/openldap/certs/vos22cert.pem 

TLS_KEY /etc/openldap/certs/vos22key.pem 

3.16.1 Setup BDC /etc/openldap/slapd.conf: 





include /etc/openldap/schema/samba3.schema 




by * read 


by * read 


by self write 

by * auth 


by self write 

by * read 

access to * 

by * read 

TLSCertificateFile /etc/openldap/certs/vos22cert.pem 

TLSCertificateKeyFile /etc/openldap/certs/vos22key.pem 

TLSCACertificateFile /etc/openldap/certs/cacert.pem 

TLSVerifyClient allow 

#TLSVerifyClient demand 

####################################################### 




####################################################### 

# BDB database definitions 

####################################################### 

database hdb 

95



checkpoint 1024 5 

cachesize 10000 




index objectClass,uid,memberUid eq 

index entryUUID,entryCSN,uidNumber,gidNumber eq 

index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq 





retry="15 +" 




starttls=yes 

# bindmethod=sasl 

# saslmech=EXTERNAL 

# starttls=yes 

# starttls=critical 

3.16.2 BDC /etc/openldap/lapd.conf: 



TLS_CACERT /etc/openldap/certs/cacert.pem 

TLS_REQCERT allow 

#TLS_REQCERT demand 

3.16.3 BDC /etc/lapd.conf: 

host vos22.mynet.lan vos21.mynet.lan 


bind_policy soft 

pam_lookup_policy yes 

pam_password exop 

nss_initgroups_ignoreusers root,ldap 

nss_schema rfc2307bis 

nss_map_attribute uniqueMember member 

ssl no 


tls_cacertdir /etc/openldap/certs 

96


tls_cacertfile /etc/openldap/certs/cacert.pem 

pam_filter objectClass=posixAccount 

You can test your installation like in chpter 3.17.4 with an offline 

PDC server. 


3.17 Samba 3 ldapsam:editposix setup 

3.17.1 PDC vos21 /etc/samba/smb.conf: 

# smb.conf is the main Samba configuration file. You 

find a full commented 

# version at 

/usr/share/doc/packages/samba/examples/smb.conf.SUSE if 

the 

# samba-doc package is installed. 

# Date: 2010-09-15 

[global] 

workgroup = MYNET 

realm = MYNET.LAN 

password server = vos21.mynet.lan 

; client use spnego = yes 

; use kerberos keytab = yes 

netbios name = vos21 

domain logons = yes 

domain master = yes 

local master = yes 

preferred master = yes 

security = user 

# This enables MS Distributed File System. 

; host msdfs = Yes 

time server = Yes 

# debuglevel = 3 tdb:10 printdriver:10 lanman:10 

smb:10 rpc_parse:10 rpc_srv:10 rpc_cli:10 passdb:10 

sam:10 auth:10 winbind:10 vfs:10 

# debuglevel = 10 

os level = 85 

log level = 3 

# This entry use only the first time for setup, the 

second entry is for 

# load balancing in production environment after 

successful setup 

97


passdb backend = ldapsam:ldap://vos21.mynet.lan 

# passdb backend = ldapsam:"ldap://vos21.mynet.lan 

ldap://vos22.mynet.lan" 

ldapsam:trusted = yes 

ldapsam:editposix = yes 

ldap admin dn = cn=admin,dc=mynet,dc=lan 

ldap suffix = dc=mynet,dc=lan 

ldap passwd sync = yes 

ldap machine suffix = ou=computers 

ldap user suffix = ou=users 

ldap group suffix = ou=groups 

ldap idmap suffix = ou=idmap 

ldap ssl = off 

idmap uid = 10000-20000 

idmap gid = 10000-20000 

idmap config MYNET:default = yes 

idmap config MYNET:backend = ldap 

idmap config MYNET:ldap_base_dn = 

ou=idmap,dc=mynet,dc=lan 

idmap config MYNET:ldap_user_dn = 

cn=admin,dc=mynet,dc=lan 

idmap config MYNET:ldap_url = 

ldap://vos21.mynet.lan 

idmap config MYNET:range = 10000 - 59999 

idmap alloc backend = ldap 

idmap alloc config:ldap_base_dn = 


idmap alloc config:ldap_user_dn = 


idmap alloc config:ldap_url = 


idmap alloc config:range = 10000 - 59999 

printing = cups 

printcap name = cups 

printcap cache time = 750 

cups options = raw 

map to guest = Bad User 

logon script = scripts\logon.bat 

logon path = \\%L\profiles\%U\%a 

; logon path = \\%L\profiles\.msprofile 

# Next two lines for Win NT and Win95 behavior 

; logon home = \\%L\%U\.9xprofile 

; logon drive = P: 

# Next two lines to disable server stored profiles 

98


; logon path = 

; logon home = 

usershare max shares = 10 

usershare allow guests = Yes 

[homes] 

; mapped to Windows drive letter z: 

comment = Home Directories 

valid users = %S, %D%w%S 

browseable = Yes 

read only = No 

inherit acls = Yes 

[profiles] 

comment = Network Profiles Service 

; path = %H 

path = /var/lib/samba/profiles 


store dos attributes = Yes 

create mask = 0600 

directory mask = 0700 

browseable = no 

guest ok = no 

printable = no 

hide files = 

/desktop.ini/outlook*.lnk/*Briefcase*/ 

; store logon scripts in /var/lib/samba/netlogon/scripts 

; store policy file NTConfig.POL in 

/var/lib/samba/netlogon 

[netlogon] 

comment = User netlogon scripts 

path = /var/lib/samba/netlogon 

admin users = root, Administrator 

browseable = No 

; all users have rw permissions for their home dir and 

; all users have read permission to all users home dirs 

; on this share (users) 

; you can mount it to a dos drive letter in logon.bat 

[users] 

comment = All users 

path = /home 



veto files = /aquota.user/groups/shares/ 

99


; all users have rw permissions to this dir on this 

share (groups) 


[groups] 

comment = All groups 

path = /home/groups 



[pdf] 

comment = PDF creator 

path = /var/tmp 

printable = Yes 

print command = /usr/bin/smbprngenpdf -J '%J' -c 

%c -s %s -u '%u' -z %z 


# The following share gives all users access to the 

Server's CD drive, 

# assuming it is mounted under /media/cdrom. 

;[cdrom] 

; comment = Linux CD-ROM 

; path = /media/cdrom 

; locking = No 

# With the next two lines you could automatically mount 

or umount the CD if a 

# connection to the share is established or closed. 

; preexec = /bin/mount /media/cdrom 

; postexec = /bin/umount /media/cdrom 

[printers] 

comment = All Printers 


; guest ok = Yes 




[print$] 

comment = Printer Drivers 

path = /var/lib/samba/drivers 


write list = @ntadmin root 

force group = ntadmin 


100


; testshare 

;[samba] 

; path = /samba 

; readonly = no 

3.17.2 BDC vos22 /etc/samba/smb.conf: 


# smb.conf is the main Samba configuration file. You 

find a full commented 

# version at 

/usr/share/doc/packages/samba/examples/smb.conf.SUSE if 

the 

# samba-doc package is installed. 

# Date: 2010-09-15 

[global] 

workgroup = MYNET 

realm = MYNET.LAN 

password server = vos21.mynet.lan 

; client use spnego = yes 

; use kerberos keytab = yes 

netbios name = vos22 

domain logons = yes 

domain master = no 

local master = no 

; local master = Yes 

preferred master = no 

security = user 

# This enables MS Distributed File System.. 

; host msdfs = Yes 

time server = Yes 

# debuglevel = 3 tdb:10 printdriver:10 lanman:10 

smb:10 rpc_parse:10 rpc_s 

# debuglevel = 10 

os level = 32 

log level = 3 

passdb backend = ldapsam:"ldap://vos21.mynet.lan 

ldap://vos22.mynet.lan" 

ldapsam:trusted = yes 

ldapsam:editposix = yes 

ldap admin dn = cn=admin,dc=mynet,dc=lan 

ldap suffix = dc=mynet,dc=lan 

ldap passwd sync = yes 

101


ldap machine suffix = ou=computers 

ldap user suffix = ou=users 

ldap group suffix = ou=groups 

ldap idmap suffix = ou=idmap 

ldap ssl = off 

idmap uid = 10000-20000 

idmap gid = 10000-20000 

idmap config MYNET:default = yes 

idmap config MYNET:backend = ldap 

idmap config MYNET:ldap_base_dn = 


idmap config MYNET:ldap_user_dn = 


idmap config MYNET:ldap_url = 


idmap config MYNET:range = 10000 - 59999 

idmap alloc backend = ldap 

idmap alloc config:ldap_base_dn = 


idmap alloc config:ldap_user_dn = 


idmap alloc config:ldap_url = 


idmap alloc config:range = 10000 - 59999 

printing = cups 

printcap name = cups 

printcap cache time = 750 

cups options = raw 

map to guest = Bad User 

logon script = scripts\logon.bat 

logon path = \\%L\profiles\%U\%a 

; logon path = \\%L\profiles\.msprofile 

# Next two lines for Win NT and Win95 behavior 

; logon home = \\%L\%U\.9xprofile 

; logon drive = P: 

# Next two lines to disable server stored profiles 

; logon path = 

; logon home = 

usershare max shares = 10 

usershare allow guests = Yes 

[homes] 

; mapped to Windows drive letter z: 

comment = Home Directories 

valid users = %S, %D%w%S 

102


browseable = Yes 



[profiles] 

comment = Network Profiles Service 

; path = %H 

path = /var/lib/samba/profiles 


store dos attributes = Yes 



browseable = no 

guest ok = no 

printable = no 

hide files = 

/desktop.ini/outlook*.lnk/*Briefcase*/ 

; store logon scripts in /var/lib/samba/netlogon/scripts 

; store policy file NTConfig.POL in 

/var/lib/samba/netlogon 

[netlogon] 

comment = User netlogon scripts 

path = /var/lib/samba/netlogon 

admin users = root, Administrator 


; all users have rw permissions for their home dir and 

; all users have read permission to all users home dirs 

; on this share (users) 


[users] 

comment = All users 

path = /home 



veto files = /aquota.user/groups/shares/ 

; all users have rw permissions to this dir on this 

share (groups) 


[groups] 

comment = All groups 

path = /home/groups 


103



[pdf] 

comment = PDF creator 



print command = /usr/bin/smbprngenpdf -J '%J' -c 

%c -s %s -u '%u' -z %z 


# The following share gives all users access to the 

Server's CD drive, 

# assuming it is mounted under /media/cdrom. 

;[cdrom] 

; comment = Linux CD-ROM 

; path = /media/cdrom 

; locking = No 

# With the next two lines you could automatically mount 

or umount the CD if a 

# connection to the share is established or closed. 

; preexec = /bin/mount /media/cdrom 

; postexec = /bin/umount /media/cdrom 

[printers] 

comment = All Printers 






[print$] 

comment = Printer Drivers 

path = /var/lib/samba/drivers 


write list = @ntadmin root 

force group = ntadmin 



; testshare 

;[samba] 

; path = /samba 

; readonly = no 

104

Set samba master password: smbpasswd -w linux 

Set winbind-idmap_ldap passwords: 

net idmap secret MYNET linux 

net idmap secret alloc linux 

Start winbind: rcwinbind start 

PDC provisioning: net sam provision 


PDC set Samba Domain Administrator password: 

smbpasswd Administrator, enter linux as password. 

BDC check sid's: net getlocalsid && net rpc info, use 

password linux. if they are different, use net rpc getsid on 

the BDC. 

Start samba daemons: rcsmb start && rcnmb start 

PDC enable User- and Machine-Account management for the 

Samba Domain Administrator: 

net rpc rights grant Administrator SeAddUsersPrivilege 

-U Administrator 

net rpc rights grant Administrator SeMachineAccountPrivilege 

-U Administrator 

To add a user to the LDAP powered samba domain type 

pdbedit -a -u ckent -f "Clark Kent" 

-p=“\\\\vos21.mynet.lan\\profiles\\ckent“ 

You can left the -p parameter if you do not need a server stored 

profile for the user. Instead of pdbedit you can use smbpasswd, 

for example, but check the parameters in the man pages. 

Add an other user with a display name pdbedit -a -u skiu -f 

"Susi Kiu" and delete an user pdbedit -x -u hulk, for 

example. For using TLS you can generate X.509 certificates for 

these users like we did in chapter 3.15 CA by command line. 

3.17.3 Server stored profiles and netlogon 

At first create a profiles dir to store the profiles on the server, 

/var/lib/samba/profiles, for example. Make it chroot 755 

105


profiles and chown root.users profiles. Do the same for the 

netlogon dir. In netlogon create a folder scripts with same 

permissions and owner what holds the logon.bat logon script. 

Do this setup on both machines PDC and BDC. 

logon.bat: 

@echo off 

echo running logon.bat 

echo here you can connect dos drive letters to network 

shares 

echo example: net use f: \\server.example.com\sharedfolder 

/persistent:no 

@echo off 

echo mount groups to g: everyone has read/write access 

net use g: \\vos21.mynet.lan\groups /persistent:no 

@echo off 

echo mount all users home dirs to u: with read access 

net use u: \\vos21.mynet.lan\users /persistent:no 

pause 


106


3.18 Windows XP Client Domain join 

Use regedit to change the following key: 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Net 

logon\Parameters\requiresignorseal [0] 

Change requiresignorseal from [1] to [0] and you can join 

your samba domain. 

3.19 Windows 7 Client Domain join 

Use regedit to add two parameters to the registry in the 

following key: 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Lan 

manWorkstation\Parameters 

Add a DWORD DomainCompatibilityMode = 1 

Add a DWORD DNSNameResolutionRequired = 0 

Picture 75: Add two registry parameters 

3.20 Domain management with srvtools.exe 

You can use Microsoft srvtools.exe to manage your domain, 

download it here: 

http://support.microsoft.com/kb/173673/en-us/ 

Timeline: 1 hour, but depend on the amount of your clients. 

107


3.21 Kerberos Server setup 

If you like to have a single sign on system you need kerberos, 

otherwise for a normal PDC/BDC you dont need it. If you use 

Kerberos, it is strongly advised to run it on a separate machine 

in a secure location. You also not running any other services on 

the Kerberos machine. At first, install the packages that make 

up a Kerberos server, yast2-kerberos-server, krb5, 

krb5-appl-server, krb5-client, krb5-server, 

pam_krb5, krb5-doc, krb5-plugin-kdb-ldap and 

krb5-appl-clients. Start yast, select Software\Software 

Management and hit enter. In the search phrase type krb5 to 

find the apropriate packages. 

Select the above packages and type Alt+A to install. After 

finishing the installation, go to Network Services/Kerberos 

Server in yast. In the following screen press Alt + U to use the 

existing openLDAP setup. Then press Alt+N for the next screen. 

108 

Picture 76: Select packages

Picture 77: Use previous configured LDAP server 


Now edit the Basic Kerberos Settings. Enter the Realm, 

password linux and confirm it. Then press next. 

Picture 78: Realm and password 

In the next screen enter the LDAP settings 

109


Now press next to finish the Kerberos server setup. 

To have remote access with the kadmin tool, edit 

/var/lib/kerberos/krb5kdc/kadm5.acl like you see in the 


110 

Picture 79: LDAP settings 

Picture 80: Edit kadm5.acl


To verify the result, use the kadmin.local, listprincs command. 

Kerberos has three different kind of principals: 

User principals (kadmin: addprinc username, give password) 

Host principals (kadmin: addprinc -randkey FQDN) 

Service principals (kadmin: addprinc -randkey service/FQDN) 

Host and Service principals have a random password what has 

to be added to the keytab file /etc/krb5.keytab to authenticate. 

Now create two Kerberos principals, one normal and one for 

administrative work related to Kerberos. At the kadmin.local: 

prompt type addprinc ckent with password ckent and addprinc 

root/admin with password linux. Now let's create a service 

principal to use with kerberos. Type addprinc -randkey 

host/vos21.mynet.lan and hit return. This principal has no 

interactive password to authenticate because its a service. We 

also have to add it to the local keytab file /etc/krb5.keytab to 

authenticate. At the kadmin prompt type ktadd 

host/vos21.mynet.lan, for example. Each machine and each 

service what will be used with Kerberos has to have a principal. 

Now create user principals for the samba domain admin and for 

skiu, type at kadmin prompt: 

addprinc skiu (give password skiu) 

addprinc Administrator/admin (give password linux) 

Now create service and host principals: 

addprinc -randkey ldap/vos21.mynet.lan 

addprinc -randkey vos21.mynet.lan 

ktadd ldap/vos21.mynet.lan 

ktadd vos21.mynet.lan 

Then type quit to close kadmin and you will be done. 

Make sure that KDC and kadmind are started by default when 

the server machine is rebooted with the yast runlvel editor. In 

yast select System/System Services (Runlevel) and hit enter. 

Scroll down to krb5kdc and press Alt+E to enable it. Then 

scroll up to kadmind and press Alt+E again. Now check that 

111


openLDAP can find the kerberos keytab. In yast check 

System /etc/sysconfig Editor, expand Network by pressing plus 

(+) key, select LDAP and press plus key, then select 

OPENLDAP_KRB5_KEYTAB like you see in the next screen. 

Finally press finish and quit. 

Now one last thing is to do. We have to tell PAM to use 

Kerberos for authentication. In a terminal window on the 

command line type pam-config --add --krb5 and pam-config 

--add --ldap to have a backup authentication if you vorgot to 

create a kerberos pricipal for the domain user. To check that 

everything is fine, your /etc/pam.d/common-auth-pc file looks 

like in the following screen on both machines, PDC and BDC. 

112 

Picture 81: Krb5 keytab path


You add the debug option by typing pam-config --add --krb5debug, 

for example. To delete the debug option, type pam-config 

--del --krb5, for example. 


Picture 82: PAM settings 

3.22 Kerberos client setup 

As user root start yast and select Network Services/Kerberos 

Client. Click on use Kerberos and check default domain and 

default realm. 

113


Click the advanced settings button and enter the following information 

if not predefined. In Clock Skew type 300, the default 

value. 

114 

Picture 83: Configure client

Picture 84: Pam settings 


After clicking ok twice click install in the opening dialog to load 

the required packages on the client. 

To check that Kerberos works on the client and server, login as 

ckent, open a terminal on the client and type klist and you get 

the following screen. 

115


Now you are shure that Kerberos is configured successfully. 


4 Conclusion 

Up to now i finished the fundamental work to set up a reliable 

network and it is time for the first publishing of this book. The 

rest will come up soon. The Infrastructure Services in chapter 

2.2.1 also almost finished. Only eMail is left, but coming soon 

with the Operational Services (see chapter 2.2.2). So you can 

be excited waiting for the next publishing. 

116 

Picture 85: Kerberos test

5 Management Summary 

Process Timeframe in hours 

1.3 Audience 1-2 

2 Planning the network 4-8 

2.1 Hardware-Components 1-8 

3.2 Network 1-2 

3.3 Hostname Schema 1-2 

3.7 NTP Time Server 1 

3.8 Master DNS-Server 1-2 

3.9 Slave DNS-Server 1-2 

3.10 DHCP-Server 1-2 

3.11 DDNS 2-3 

3.12 Root CA 3-4 

3.13 CA by command line 2-3 

3.14.1 N-Way/Multi-Master 3-4 

3.14.2 LDAP-Client Login 1-2 

3.15 LDAP-Master vos21 3-4 

3.16 LDAP-Slave vos22 3-4 

3.17 Samba 3 ldapsam:editposix 3-4 

3.18 Windows Clients (XP, Win 7) 1 

3.21 Kerberos Server setup 2-3 

3.20 Kerberos client setup 1 

Sum 36-63 

Table 7: Management timeframe 

5 Management Summary 

117

6 Reference list 

6 Reference list 

Gunther Popp: Konfigurationsmanagement mit Subversion, 

Maven und Redmine, dpunkt 2009 

Stefan Edlich & Jörg Staudemeyer: Ant kurz & gut, O'Reilly 

2006 

Chris Rupp: Systemanalyse kompakt, Spektrum 2008 

Pascal Mangold: IT-Projektmanagement kompakt, Spektrum 

2009 

Thomas Allweyer: BPMN 2.0, Books on Demand GmbH 2009 

Mario Fischer: Website Boosting 2.0, mitp 2009 

Michael Herczeg: Software-Ergonomie, Oldenbourg 2009 

Hans W. Wieczorrek, Peter Mertens: Management von IT-Projekten, 

Springer 2008 

Apache Maven User Guide, The Apache Software Foundation 

2009 

Oliver Liebel, John Martin Ungar: OpenLDAP 2.4 Das 

Praxisbuch, Galileo Computing 2009 

Oliver Liebel: Linux Hochverfügbarkeit 

118

7 Link-list 

http://www.virtualbox.org/ 

http://www.debian.org/ 

http://www.opensuse.org/ 

http://www.ubuntu.com/ 

http://wiki.debian.org/ 

http://linuxwiki.de/ 

http://wiki.samba.org/index.php/Main_Page 

7 Link-list 

http://wiki.samba.org/index.php/Samba_%26_Windows_Profiles 

http://wiki.samba.org/index.php/Implementing_System_Policies 

_with_Samba 

http://samba.org/ 

http://www.openldap.org/ 

http://www.isc.org/software 

http://opensuse.swerdna.org/ 

8 Appendix 

Installation documentation 

8.1 VirtualBox 

At first i describe the installation of VirtualBox on a Windows 7 

computer. After downloading the file VirtualBox-3.2.12-68302- 

Win.exe double click on it to start installation. Then set the 

installation path or accept the default. After finishing the installation, 

you have a new icon on the desktop, a new Network 

Interface Card called VirtualBox Host-Only Network and a new 

119

8 Appendix 

configuration file in 

C:\Users\%username%\.VirtualBox\VirtualBox.xml if everything 

finished correctly. Now start it to configure. At first click 

File/Preferences, click on General tab, to change the default 

harddisk folder and the default machine folder, if you like, but 

first you have to create the folders. I put my on a network share. 

For a new installation of a virtual client click the new button in 

the toolbar. The New Virtual Machine Wizard comes up. 

120 

Picture 86: Folder settings

Picture 87: New machine wizard 

8 Appendix 

Type in the name of the new machine. Its hostname will be a 

good choice. Then select the operating system and version and 

press next. 

Picture 88: Choose VM name and os 

Now set the memory size and press next, the default is ok. 

121

8 Appendix 

In this screen select the virtual harddisk, the defaults will be ok. 

The Create New Virtual Disk Wizard will show up, so press 

next. 

122 

Picture 89: Memory settings 

Picture 90: Harddisk settings

Picture 91: New disk 

Now keep the default storage type and click next. 

Picture 92: Hdd type 

Now set the size of the virtual disk to 4GB and click next. 

8 Appendix 

123

8 Appendix 

Click finish on the summary window. 

Click finish again to get back to the main VirtualBox window. 

124 

Picture 93: Disk size 

Picture 94: Disk summary

Picture 95: Virtual machine summary 

8 Appendix 

In the main window of VirtualBox press settings icon to change 

some default settings. 

125

8 Appendix 

In the System window on the motherboard tab, at boot order, 

deselect floppy and in extended features deselect enable 

absolute pointing device, then select the processor 

tab. 

126 

Picture 96: Main window

Picture 97: Motherboard settings 

8 Appendix 

In the processor tab select enable PAE/NX, then select storage. 

127

8 Appendix 

In the Storage window, select IDE Controller/Empty and press 

the folder symbol on the right to open the media manager. 

128 

Picture 98: Processor features

Picture 99: Storage settings 

8 Appendix 

Now select or add your previous downloaded openSuSE-11.3 

iso file and press select. You should use 32 Bit operating 

systems. If you consider to use more than 3.5 GB of Ram in a 

virtual machine, you have to use a 64 Bit operating system. 

Then click Network on the left. 

129

8 Appendix 

In the Network settings select Bridged Adapter from the 

dropdown box, then press ok to finish your configuration. 

130 

Picture 100: Selected os image

Picture 101: Network adapters 

8 Appendix 

Now you are ready to press the start button in the main window. 

131

8 Appendix 

After clicking the start button the installation of the os software 

starts from the selected image. Then go on in the next chapter. 

132 

Picture 102: Main window

8 Appendix 

8.2 openSuSE-11.3 graphics DHCP-Client 

After pressing the start button in VirtualBox you get the 

following screen after a few seconds. 

Picture 103: Installer screen 

Here you select installation. With F2 you can select your 

preferred language and with F3 you can select the video mode. 

I choose a graphics screen resolution of 800x600 pixels, for 

server installations you should use text mode in this menu. Now 

it takes some minutes until the openSuSE-11.3 setup goes on. 

You will see the welcome screen. Now select your preferred 

language and your keyboard layout. You should also read the 

License Agreement what you can get in different languages. 

133

8 Appendix 

Now press the next button to continue setup. The os is doing 

now some system analysis. After some minutes you get the 

installation mode screen. As select mode use new installation 

and deselect use automatic configuration to set up a minimal 

graphics system. 

134 

Picture 104: Welcome screen

Picture 105: Installation mode 

Now press next to select the time zone. 

8 Appendix 

135

8 Appendix 

I select Europe and Germany and you can change the date and 

time here. Keep hardware clock set to UTC selected and press 

next to go to the desktop selection. Select other, XFCE 

Desktop. 

136 

Picture 106: Time zone

Picture 108: 107: Select Disk partition 

desktop 

8 Appendix 

Click next to go to the disk configuration. You can accept the 

defaults for your virtual disk.Click next to go to the user settings. 

Here you fill out a normal user and set its password. Deselect 

use this password for system administrator and automatic login 

to disable these functions. In a production environment it is 

strongly recommended to set strong passwords containing 

lower- and upper-case letters, numbers and special characters 

like these !§$&'#%, for example. 

For simple test use you can choose a password same as the 

username for not forgetting it. 

137

8 Appendix 

Click next. If you use username=password you will get the 

password is too simple window. Click yes to use the simple 

password. 

Now set the password for the system administrator, the root 

user. I use username=password for simplicity. 

138 

Picture 109: New user 

Picture 110: Password too simple dialog

Picture 111: Root user password 

8 Appendix 

After clicking next, you will get the password too simple dialog 

again. If you want to use the simple password in your test 

environment, click yes. But remember, dont use simple 

passwords in production environment. 

Picture 112: Password too simple dialog 

After clicking yes it takes a minute to get the installation settings 

screen. Please scroll down and deselect installation from image 

by clicking on the link disable. 

139

8 Appendix 

Then scroll down again to firewall and ssh. Click on the second 

SSH link enable and open. Then scroll down again to firewall 

and ssh and click on the first link disable. Then scroll down 

again to check that the last two links show enable.Now click 

install and confirm your selection. 

Click install and go for lunch. It takes about 90 to 120 minutes 

140 

Picture 113: Installation settings 

Picture 114: Confirm dialog

8 Appendix 

to install the system, depending on your hardware. When the 

installation is ready you will see the configuration screen for the 

hostname and domain name. Here you give the same name as 

hostname as you give your virtual box to recognize it. Also give 

your preferred domain name and deselect the other options. 

Picture 115: Host- and domainname 

Click next to continue to the network configuration. Click on the 

link VNC Remote Administration to enable it. If you do so, you 

can remote control this client with your favourite browser with 

this link http://vslc2.mynet.lan:5801/ if you have DDNS set up 

correctly and running, otherwhise use the assigned IP-Address 

instead of the hostname. 

141

8 Appendix 

Select allow remote administration and press ok. 

142 

Picture 116: Network configuration overview

Picture 117: Remote administration 

8 Appendix 

After pressing ok press next to get the test internet connection 

screen. 

143

8 Appendix 

Press next to test the connection. You will see the result screen. 

144 

Picture 118: Test internet connection

Picture 119: Connection test 

8 Appendix 

Press next to go to the online update screen. You will see the 

downloading dialog. 

Picture 120: Download dialog 

When finished downloading, you get the online update screen. 

You can choose skip update but i recommend to run the update 

by pressing next. 

145

8 Appendix 

After pressing next you will get the package manager. Click 

accept to continue and you can go for a cup of coffee or to 

eating. The patch download and installation takes some 

minutes depending on your hardware machine and your 

internet connection speed and quality. 

146 

Picture 121: Online update

Picture 122: Packages 

When the download finished, you get the following screen. 

8 Appendix 

147

8 Appendix 

Click next to get the restart dialog. 

After the system comes up again the installation will be go on 

with the package select screen. 

148 

Picture 123: Download finished 

Picture 124: Restart dialog

Picture 125: Packages selected 

8 Appendix 

Click accept to proceed with end user agreement, press accept 

and continue again to go on. Now you can go for a cup of coffee 

or to eat, it takes about 30 to 90 minutes depending on your 

hardware, the internet connection speed and quality. 

149

8 Appendix 

Click next and you get the restart dialog again. 

After the system comes up press return twice, the first for boot 

from harddisk, the second to boot the selected system. If you 

don't hit return, it takes some minutes longer until the system 

comes up again. Then the installation will go on with the 

package manager. Select to download and install the microsoft 

truetype fonts and press accept. 

150 

Picture 126: Patch finished 

Picture 127: Reboot

Picture 128: Install TrueType fonts 

Click next to finish patch installation. 

8 Appendix 

151

8 Appendix 

Now you can read the release notes in different languages. 

152 

Picture 129: Finish patch installation

Picture 130: Release notes 

8 Appendix 

Click next to proceed to the hardware configuration screen. 

153

8 Appendix 

Click next to get the installation completed screen. 

154 

Picture 131: Hardware configuration

Picture 132: Installation completed 

After clicking finish you get the login screen. 

8 Appendix 

155

8 Appendix 

Here enter root as username, then press return. Enter root user 

password and return to get the desktop window. If you get an 

error message, click continue. Now you have a fresh installed 

Linux client. 

156 

Picture 133: Login screen

Picture 134: Cient screen 

8 Appendix 

Now open a terminal window and type ifconfig in it. You find 

it on the lower left beside the openSUSE icon. You will see a 

screen like the next one what shows the IP-Address assigned 

by the DHCP-Server vos21.mynet.lan and you done with the 

installation. 

157

8 Appendix 

To turn off your system, click on the exit button on the lower 

right or type halt in the terminal window. Enjoy your system. 


158 

Picture 135: Terminal

8 Appendix 

8.3 Install openSuSE-11.3 Server in Textmode 

The server installation is almost the same like the client installation 

except some settings in the first screen. Here you press 

F3 and select the text mode. 

Then some screens later in the desktop selection screen you 

select minimal server selection. 

Then press next to proceed. Later when you at the network 

screen, you have to setup static IP-Address, Netmask, DNS- 

Hostname and Gateway by clicking on the link network 

interface like in your plan. 

The text mode setup screen will appear in blue with white and 

yellow text color for selected text. 


Picture 136: Video mode selection 

159

8 Appendix 

8.4 Installation Windows 7 client 

8.5 Some console command-lines 

Here you will find some useful command-line commands 

man -t `man -w ps2pdf` | ps2pdf – man-ps2pdf.pdf 

man -t ps2pdf | ps2pdf - man-ps2pdf.pdf 

man -t `man -w 1 man` | ps2pdf - man1-man.pdf 

man -t `man -w 7 man` | ps2pdf - man7-man.pdf 

The first two lines give the same result. They print the first man 

page they found. The last two lines will print out the special 

categories of a man page. 

ntpq -p vos21 vos22 

This line gives you a table and shows if the time synchronizes. 

A message ntpq: read: Connection refused means the 

service is not running. If you see the number 377 in the reach 

column, the time servers can be reached. 

hwclock --systohc 

This command writes the synced time to the build in hardware 

CMOS-Clock. 

160 

Picture 137: Ntp query

Configuration Management Manual

Create successful ePaper yourself

Delete template?

Save as template?