
SUSE LINUX®

Advanced Administration

Novell Training Services www.novell.com


COURSE 3038
AUTHORIZED COURSEWARE

100-004991-001
Version 1
Proprietary Statement

Copyright © 2004 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express prior consent of the publisher. This manual, and any portion thereof, may not be copied without the express written permission of Novell, Inc.

Novell, Inc.
1800 South Novell Place
Provo, UT 84606-2399

Disclaimer

Novell, Inc. makes no representations or warranties with respect to the contents or use of this manual, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose.

Further, Novell, Inc. reserves the right to revise this publication and to make changes in its content at any time, without obligation to notify any person or entity of such revisions or changes.

Further, Novell, Inc. makes no representations or warranties with respect to any NetWare software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose.

Further, Novell, Inc. reserves the right to make changes to any and all parts of NetWare software at any time, without obligation to notify any person or entity of such changes.

This Novell Training Manual is published solely to instruct students in the use of Novell networking software. Although third-party application software packages are used in Novell training courses, this is for demonstration purposes only and shall not constitute an endorsement of any of these software applications.

Further, Novell, Inc. does not represent itself as having any particular expertise in these application software packages and any use by students of the same shall be done at the students’ own risk.

Software Piracy

Throughout the world, unauthorized duplication of software is subject to both criminal and civil penalties.

If you know of illegal copying of software, contact your local Software Antipiracy Hotline.

For the Hotline number for your area, access Novell’s World Wide Web page at http://www.novell.com and look for the piracy page under “Programs.”

Or, contact Novell’s anti-piracy headquarters in the U.S. at 800-PIRATES (747-2837) or 801-861-7101.

Trademarks

Novell, Inc. has attempted to supply trademark information about company names, products, and services mentioned in this manual. The following list of trademarks was derived from various sources.

Novell, Inc. Trademarks

Novell, the Novell logo, NetWare, BorderManager, ConsoleOne, DirXML, GroupWise, iChain, ManageWise, NDPS, NDS, NetMail, Novell Directory Services, Novell iFolder, Novell SecretStore, Ximian, Ximian Evolution and ZENworks are registered trademarks; CDE, Certified Directory Engineer and CNE are registered service marks; eDirectory, Evolution, exteNd, exteNd Composer, exteNd Directory, exteNd Workbench, Mono, NIMS, NLM, NMAS, Novell Certificate Server, Novell Client, Novell Cluster Services, Novell Distributed Print Services, Novell Internet Messaging System, Novell Storage Services, Nsure, Nsure Resources, Nterprise, Nterprise Branch Office, Red Carpet and Red Carpet Enterprise are trademarks; and Certified Novell Administrator, CNA, Certified Novell Engineer, Certified Novell Instructor, CNI, Master CNE, Master CNI, MCNE, MCNI, Novell Education Academic Partner, NEAP, Ngage, Novell Online Training Provider, NOTP and Novell Technical Services are service marks of Novell, Inc. in the United States and other countries. SUSE is a registered trademark of SUSE LINUX AG, a Novell company.

For more information on Novell trademarks, please visit http://www.novell.com/company/legal/trademarks/tmlist.html.

Other Trademarks

Adaptec is a registered trademark of Adaptec, Inc. AMD is a trademark of Advanced Micro Devices. AppleShare and AppleTalk are registered trademarks of Apple Computer, Inc. ARCserv is a registered trademark of Cheyenne Software, Inc. Btrieve is a registered trademark of Pervasive Software, Inc. EtherTalk is a registered trademark of Apple Computer, Inc. Java is a trademark or registered trademark of Sun Microsystems, Inc. in the United States and other countries. Linux is a registered trademark of Linus Torvalds. LocalTalk is a registered trademark of Apple Computer, Inc. Lotus Notes is a registered trademark of Lotus Development Corporation. Macintosh is a registered trademark of Apple Computer, Inc. Netscape Communicator is a trademark of Netscape Communications Corporation. Netscape Navigator is a registered trademark of Netscape Communications Corporation. Pentium is a registered trademark of Intel Corporation. Solaris is a registered trademark of Sun Microsystems, Inc. The Norton AntiVirus is a trademark of Symantec Corporation. TokenTalk is a registered trademark of Apple Computer, Inc. Tru64 is a trademark of Digital Equipment Corp. UnitedLinux is a registered trademark of UnitedLinux. UNIX is a registered trademark of the Open Group. WebSphere is a trademark of International Business Machines Corporation. Windows and Windows NT are registered trademarks of Microsoft Corporation. All other third-party trademarks are the property of their respective owners.
Contents

Introduction
Course Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Intro-1
Audience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Intro-2
Certification and Prerequisites . . . . . . . . . . . . . . . . . . . . . . Intro-2
SLES 9 Support and Maintenance . . . . . . . . . . . . . . . . . . . Intro-4
SLES 9 Online Resources . . . . . . . . . . . . . . . . . . . . . . . . . Intro-4
Agenda . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Intro-5
Scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Intro-6
Exercise Conventions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . Intro-6

SECTION 1 Install SLES

Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-1
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2
Objective 1 Perform the SLES 9 Base Installation . . . . . . . . . . . . . . . . . . . 1-3
Boot From the Installation Media . . . . . . . . . . . . . . . . . . . . . . 1-3
Select the System Language . . . . . . . . . . . . . . . . . . . . . . . . . . 1-6
Select the Installation Mode. . . . . . . . . . . . . . . . . . . . . . . . . . . 1-7
Understand and Change the Installation Proposal . . . . . . . . . . 1-9

Version 1 Copying all or part of this manual, or distributing such copies, is strictly prohibited. TOC-1
To report suspected copying, please call 1-800-PIRATES.
SUSE LINUX Advanced Administration

Partition the Hard Disk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-10


The Basics of Hard Drive Partitioning . . . . . . . . . . . . . . 1-11
The Basic Linux Partition Scheme . . . . . . . . . . . . . . . . . 1-12
Partitioning Schemes for Different Server Types . . . . . . 1-13
How to Change YaST’s Partitioning Proposal . . . . . . . . 1-14
How to Use the YaST Expert Partitioner . . . . . . . . . . . . 1-16
Create New Partitions . . . . . . . . . . . . . . . . . . . . . . . . 1-18
Edit Existing Partitions . . . . . . . . . . . . . . . . . . . . . . . 1-22
Delete Existing Partitions . . . . . . . . . . . . . . . . . . . . . 1-22
Resize Existing Partitions . . . . . . . . . . . . . . . . . . . . . 1-22
Manage LVM Volumes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-25
Manage EVMS Volumes. . . . . . . . . . . . . . . . . . . . . . . . . 1-33
Manage Soft RAID Setups . . . . . . . . . . . . . . . . . . . . . . . 1-33
Create Crypt File Partitions . . . . . . . . . . . . . . . . . . . . . . . 1-35
Perform Expert Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-35
Select the Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-36
Configure the Boot Loader . . . . . . . . . . . . . . . . . . . . . . . . . . 1-39
Start the Installation Process . . . . . . . . . . . . . . . . . . . . . . . . . 1-42
Objective 2 Configure the SLES 9 Installation . . . . . . . . . . . . . . . . . . . . . 1-43
Set the root Password. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-43
Configure the Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-45
Configure Network Interfaces . . . . . . . . . . . . . . . . . . . . . 1-46
Configure a Network Card Manually . . . . . . . . . . . . 1-47
Change an Existing Configuration . . . . . . . . . . . . . . 1-48
Test the Internet Connection . . . . . . . . . . . . . . . . . . . . . . . . . 1-49
Perform an Online Update . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-49
Configure Network Services . . . . . . . . . . . . . . . . . . . . . . . . . 1-50
Manage Users. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-51
Select the Authentication Method . . . . . . . . . . . . . . . . . . 1-51
Add Users to the Systems . . . . . . . . . . . . . . . . . . . . . . . . 1-52
Configure the Host as a NIS Client. . . . . . . . . . . . . . 1-53


Configure the System as LDAP Client . . . . . . . . . . . 1-54


Add Local Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-56
Configure Hardware. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-58
Configure the Graphics Card. . . . . . . . . . . . . . . . . . . . . . 1-59
Change the Monitor Settings . . . . . . . . . . . . . . . . . . 1-60
Change the Color Depth and Resolution Settings. . . 1-62
Finalize the Installation Process. . . . . . . . . . . . . . . . . . . . . . . 1-64
Objective 3 Troubleshoot the Installation Process . . . . . . . . . . . . . . . . . . 1-65
Exercise 1-1: Install SLES 9 . . . . . . . . . . . . . . . . . . . . . 1-67
Part I: Boot From the Installation Media. . . . . . . . . . . . . 1-67
Part II: Start the Installation Proposal . . . . . . . . . . . . . . . 1-68
Part III: Configure the Partitions for Your Hard Drive . . 1-68
Part IV: Add Compiler and Development Tools to the Software Selection . . . . . . . . . . . . . . . . . . . . 1-70
Part V: Start the Installation Process . . . . . . . . . . . . . . . . 1-70
Part VI: Set the root Password . . . . . . . . . . . . . . . . . . . . 1-71
Part VII: Set Up the Network . . . . . . . . . . . . . . . . . . . . . 1-71
Part VIII: Set Up Services and Users . . . . . . . . . . . . . . . 1-73
Part IX: Configure Hardware Devices . . . . . . . . . . . . . . 1-73
Part X: Configure NTP . . . . . . . . . . . . . . . . . . . . . . . . . . 1-75
Part XI: Update Your SLES 9 Server With YOU . . . . . . 1-75
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-77


SECTION 2 Configure the Network Manually

Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-1
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-2
Objective 1 Understand Linux Network Terms . . . . . . . . . . . . . . . . . . . . . 2-3
Objective 2 Set Up Network Devices With the ip Tool . . . . . . . . . . . . . . . 2-4
Display the Current Network Configuration . . . . . . . . . . . . . . 2-4
IP Address Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-4
Display Device Attributes . . . . . . . . . . . . . . . . . . . . . . . . . 2-7
Display Device Statistics. . . . . . . . . . . . . . . . . . . . . . . . . . 2-8
Change the Current Network Configuration . . . . . . . . . . . . . . 2-9
Assign an IP Address to a Device . . . . . . . . . . . . . . . . . . 2-10
Delete the IP Address from a Device . . . . . . . . . . . . . . . 2-10
Change Device Attributes . . . . . . . . . . . . . . . . . . . . . . . . 2-11
Objective 3 Save Device Settings to a Configuration File . . . . . . . . . . . . 2-12
Configure a Device Statically . . . . . . . . . . . . . . . . . . . . . . . . 2-13
Configure a Device Dynamically With DHCP . . . . . . . . . . . 2-14
Start and Stop Configured Devices . . . . . . . . . . . . . . . . . . . . 2-15
Objective 4 Set Up Routing With the ip Tool . . . . . . . . . . . . . . . . . . . . . . 2-16
View the Routing Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-16
Add Routes to the Routing Table. . . . . . . . . . . . . . . . . . . . . . 2-17
Set a Route to the Locally Connected Network . . . . . . . 2-18
Set a Route to a Different Network . . . . . . . . . . . . . . . . . 2-18
Set a Default Route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-18
Delete Routes from the Routing Table . . . . . . . . . . . . . . . . . 2-18
Objective 5 Save Routing Settings to a Configuration File . . . . . . . . . . . 2-19
Objective 6 Configure Host Name and Name Resolution. . . . . . . . . . . . . 2-20
Set the Host and Domain Name. . . . . . . . . . . . . . . . . . . . . . . 2-20
Configure Name Resolution . . . . . . . . . . . . . . . . . . . . . . . . . 2-20


Objective 7 Test the Network Connection With Command Line Tools . . 2-21
Use ping to Test Network Connections . . . . . . . . . . . . . . . . . 2-21
Use traceroute to Trace Network Packets . . . . . . . . . . . . . . . 2-23
Exercise 2-1: Configure the Network Manually . . . . . . . 2-25
Part I: Note the Current Network Configuration. . . . . . . 2-25
Part II: Delete the Current Network Setup with YaST . . 2-26
Part III: Configure the Network Manually . . . . . . . . . . . 2-27
Part IV: Save the Network Connection to Interface and Hardware Configuration Files . . . . . . . . . . 2-27
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-29

SECTION 3 Configure Network Services

Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-1
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-2
Objective 1 Configure a DNS Server Using BIND . . . . . . . . . . . . . . . . . . 3-3
Understand the Domain Name System . . . . . . . . . . . . . . . . . . 3-4
How Name Resolution Worked in the Early Days of the Internet . . . . . . . . . . . . . . . . . . . . . . . . . . 3-4
The Internet Domain Concept . . . . . . . . . . . . . . . . . . . . . . 3-5
Understand How Name Servers Work . . . . . . . . . . . . . . . 3-6
Understand How to Query DNS . . . . . . . . . . . . . . . . . . . . 3-8
Install and Configure the BIND Server Software . . . . . . . . . 3-10
Configure a Caching-Only DNS server . . . . . . . . . . . . . . . . . 3-10
Configure a Master Server for Your Domain . . . . . . . . . . . . 3-13
Adapt the Main Server Configuration File . . . . . . . . . . . 3-13
Create the Zone Files. . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-15
Structure of the Files. . . . . . . . . . . . . . . . . . . . . . . . . 3-15
The File /var/lib/named/master/digitalairlines.com.zone . . . . 3-17
The File /var/lib/named/master/10.0.0.zone . . . . . . . 3-19
The File /var/lib/named/master/localhost.zone. . . . . 3-21


The File /var/lib/named/master/127.0.0.zone . . . . . . 3-22


Create Additional Resource Records. . . . . . . . . . . . . . . . 3-22
Define Mail Servers for the Domain. . . . . . . . . . . . . 3-22
Assign Aliases for Computers . . . . . . . . . . . . . . . . . 3-23
Configure One or More Slave Servers. . . . . . . . . . . . . . . . . . 3-24
Configure the Client Computers to Use the DNS Server . . . 3-26
Use Command Line Tools to Query DNS Servers . . . . . . . . 3-28
host Command. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-28
dig Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-29
Find More Information About DNS . . . . . . . . . . . . . . . . . . . 3-31
Exercise 3-1: Configure a DNS server . . . . . . . . . . . . . . 3-33
Part I: Install BIND . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-33
Part II: Configure a DNS Master Server . . . . . . . . . . . . . 3-34
Part III: Configure the DNS Slave Server . . . . . . . . . . . . 3-39
Objective 2 Deploy OpenLDAP on a SLES 9 Server . . . . . . . . . . . . . . . . 3-41
The Concept of a Directory Service. . . . . . . . . . . . . . . . . . . . 3-41
The Basics of LDAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-42
How to Install and Set Up an OpenLDAP Server . . . . . . . . . 3-44
Install the Required Software and Start the Server . . . . . 3-45
Edit the OpenLDAP Configuration Files . . . . . . . . . . . . 3-45
How to Add Entries to the LDAP Server. . . . . . . . . . . . . . . . 3-47
How to Query Information from the LDAP Server . . . . . . . . 3-51
How to Delete and Modify Entries of the LDAP Server . . . . 3-52


How to Use Graphical LDAP Applications. . . . . . . . . . . . . . 3-54


Search the Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-55
Browse the Directory. . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-56
Explore the Schema Definitions . . . . . . . . . . . . . . . . . . . 3-57
Exercise 3-2: Use the SLES 9 OpenLDAP server. . . . . . 3-58
Part I: Install GQ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-58
Part II: Search the SLES 9 OpenLDAP server . . . . . . . . 3-58
Part III: Browse the SLES 9 OpenLDAP Server. . . . . . . 3-60
Part IV: Use an LDIF File to Add a User . . . . . . . . . . . . 3-61
Objective 3 Configure an Apache Web Server . . . . . . . . . . . . . . . . . . . . . 3-63
The Basic Functionality of a Web Server . . . . . . . . . . . . . . . 3-64
How to Install and Set Up a Basic Apache Web Server . . . . 3-64
Install the Required Software Packages . . . . . . . . . . . . . 3-65
Start and Test the Web Server . . . . . . . . . . . . . . . . . . . . . 3-65
Locate the DocumentRoot of the Web Server. . . . . . . . . 3-66
The Structure and the Basic Elements of the Apache Configuration Files . . . . . . . . . . . . . . . . . . . . 3-67
Locate the Apache Configuration Files. . . . . . . . . . . . . . 3-67
Understand the Basic Rules of the Configuration Files . 3-68
The Basic Apache Configuration. . . . . . . . . . . . . . . . . . . . . . 3-69
How to Configure Virtual Hosts . . . . . . . . . . . . . . . . . . . . . . 3-70
The Concept of Virtual Hosts . . . . . . . . . . . . . . . . . . . . . 3-71
How to Configure a Virtual Host . . . . . . . . . . . . . . . . . . 3-72
How to Limit Access to the Web Server . . . . . . . . . . . . . . . . 3-74
Limit Access on an IP Address Basis . . . . . . . . . . . . . . . 3-74
Limit Access with User Authentication . . . . . . . . . . . . . 3-76
How to Configure OpenSSL for Connection Encryption . . . 3-78
The Basics of SSL Encryption . . . . . . . . . . . . . . . . . . . . 3-79
How to Create a Test Certificate . . . . . . . . . . . . . . . . . . . 3-81
Create an RSA Key Pair . . . . . . . . . . . . . . . . . . . . . . 3-81
Sign the Public Key to Create a Certificate . . . . . . . 3-82


How to Configure Apache to Use SSL . . . . . . . . . . . . . . 3-83


Configure the Main Server to Use SSL Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-84
Configure a Virtual Host to Use SSL Encryption. . . 3-85
The Limitations of the SSL Configuration . . . . . . . . . . . 3-85
Exercise 3-3: Configure an Apache Web Server . . . . . . 3-87
Part I: Install Apache . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-87
Part II: Test the Installation . . . . . . . . . . . . . . . . . . . . . . . 3-88
Part III: Configure a Virtual Host for the Accounting Department . . . . . . . . . . . . . . . . . . . . . . . . 3-88
Part IV: Configure User Authentication . . . . . . . . . . . . . 3-91
Part V: Configure SSL . . . . . . . . . . . . . . . . . . . . . . . . . . 3-92
Objective 4 Configure a Samba Server as a File Server . . . . . . . . . . . . . . 3-96
The Purpose and the Possibilities of Samba . . . . . . . . . . . . . 3-96
How to Install and Set Up a Basic Samba Server . . . . . . . . . 3-97
The Structure and Elements of the Samba Configuration File . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-98
Create a Section for the General Server Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-98
Create a Section for the Files to be Shared . . . . . . . . . . 3-100
How to Use the Samba Tools to Access SMB Shares from a Linux Computer . . . . . . . . . . . . . . . . 3-101
Use nmblookup for Name Resolution in a NetBIOS Network . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-102
Use smbclient to Access SMB Shares. . . . . . . . . . . . . . 3-102
Browse the Shares Provided by a Server . . . . . . . . 3-103
Access Files Provided by an SMB Server . . . . . . . 3-104
Print on Printers Provided by an SMB Server . . . . 3-105
Mount SMB Shares into the Linux File System . . . . . . 3-105


How to Configure a File Server with User Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-106
Prepare the Server for User Authentication. . . . . . . . . . 3-106
Configure a Share That Is Accessible to Only One User . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-107
Configure Shared Access for a Group of Users . . . . . . 3-108
Configure the Export of Home Directories . . . . . . . . . . 3-109
Additional Possibilities with Samba . . . . . . . . . . . . . . . . . . 3-110
Exercise 3-4: Configure a File Server With Samba. . . 3-111
Part I: Install Samba . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-111
Part II: Configure a Share for the User Geeko . . . . . . . 3-112
Part III: Access the Share of the User Geeko With smbclient . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-113
Part IV: Mount Geeko's Share. . . . . . . . . . . . . . . . . . . . 3-114
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-115

SECTION 4 Secure a SLES 9 Server

Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-1
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-2
Objective 1 Create a Security Concept . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-3
Understand the Basics of a Security Concept . . . . . . . . . . . . . 4-4
Perform a Communication Analysis . . . . . . . . . . . . . . . . . . . . 4-4
Analyze the Protection Requirements . . . . . . . . . . . . . . . . . . . 4-6
Analyze the Current Situation and Necessary Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-8
Objective 2 Limit Physical Access to Server Systems . . . . . . . . . . . . . . . 4-16
Place the Server in a Separate, Locked Room . . . . . . . . . . . . 4-16
Secure the BIOS with a Password . . . . . . . . . . . . . . . . . . . . . 4-17
Secure the GRUB Boot Loader with a Password . . . . . . . . . 4-17


Objective 3 Limit the Installed Software Packages. . . . . . . . . . . . . . . . . . 4-19


Objective 4 Understand the Linux User Authentication . . . . . . . . . . . . . . 4-21
Understand How PAM Works . . . . . . . . . . . . . . . . . . . . . . . . 4-21
Understand PAM Configuration . . . . . . . . . . . . . . . . . . . . . . 4-23
Understand the Requirements for a Secure Password . . . . . . 4-27
Exercise 4-1: Change the PAM Configuration to Disable the Graphical Root Login . . . . . . . . . . . . 4-29
Objective 5 Ensure File System Security . . . . . . . . . . . . . . . . . . . . . . . . . 4-31
Understand the Basic Rule for User Write Access . . . . . . . . 4-31
Understand the Basic Rule for User Read Access . . . . . . . . . 4-32
Understand How Special File Permissions Affect the Security of the System . . . . . . . . . . . . . . . . . 4-33
Objective 6 Use ACLs for Advanced Access Control . . . . . . . . . . . . . . . 4-35
Understand the Basics of ACLs . . . . . . . . . . . . . . . . . . . . . . . 4-35
Understand Important ACL Terms . . . . . . . . . . . . . . . . . . . . 4-36
Understand ACL Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-37
Understand How ACLs and Permission Bits Map to Each Other . . . . . . . . . . . . . . . . . . . . . . . . . . 4-39
Use the ACL Command Line Tools . . . . . . . . . . . . . . . . . . . 4-40
Configure a Directory with an Access ACL . . . . . . . . . . . . . 4-42
Configure a Directory with a Default ACL . . . . . . . . . . . . . . 4-45
Understand the ACL Check Algorithm . . . . . . . . . . . . . . . . . 4-49
Understand How Applications Handle ACLs . . . . . . . . . . . . 4-49
Exercise 4-2: Use ACLs . . . . . . . . . . . . . . . . . . . . . . . . . 4-51
Part I: Configure the ACL of a Directory . . . . . . . . . 4-51
Part II: Configure a Default ACL for a Directory. . . 4-52
Part III: Delete an ACL. . . . . . . . . . . . . . . . . . . . . . . 4-53


Objective 7 Configure Security Settings with YaST. . . . . . . . . . . . . . . . . 4-55


Objective 8 Stay Informed About Security Issues . . . . . . . . . . . . . . . . . . 4-70
Exercise 4-3: Subscribe to the SUSE Security Announcements . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-71
Objective 9 Apply Security Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-72
Register Your Product . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-72
Use the YaST Online Update. . . . . . . . . . . . . . . . . . . . . . . . . 4-72
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-76

SECTION 5 Manage Backup and Recovery

Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-1
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-2
Objective 1 Develop a Backup Strategy . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-3
Choose a Backup Method . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-3
Perform an Incremental Backup . . . . . . . . . . . . . . . . . . . . 5-4
Perform a Differential Backup . . . . . . . . . . . . . . . . . . . . . 5-5
Choose the Right Backup Media . . . . . . . . . . . . . . . . . . . . . . . 5-6
Objective 2 Create Backup Files With tar . . . . . . . . . . . . . . . . . . . . . . . . . . 5-7
Create tar Archives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-7
Unpack tar Archives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-8
Exclude Files from Backup . . . . . . . . . . . . . . . . . . . . . . . . 5-9
Perform Incremental and Differential Backups. . . . . . . . . 5-9
Use a Snapshot File for Incremental Backups . . . . . . 5-9
Use the find Command to Search for Files to Back Up . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-10
Use tar Command Line Options . . . . . . . . . . . . . . . . . . . 5-11
Exercise 5-1: Create Backup Files With tar . . . . . . . . . . 5-12
Part I: Create a Full Backup . . . . . . . . . . . . . . . . . . . . . . 5-12
Part II: Create an Incremental Backup . . . . . . . . . . . . . . 5-13


Objective 3 Work With Magnetic Tapes. . . . . . . . . . . . . . . . . . . . . . . . . . 5-15


Objective 4 Copy Data With the dd Command . . . . . . . . . . . . . . . . . . . . 5-18
Exercise 5-2: Create Drive Images with dd . . . . . . . . . . 5-20
Objective 5 Mirror Directories With the rsync Command . . . . . . . . . . . . 5-21
Perform Local Copying With rsync . . . . . . . . . . . . . . . . . . . . 5-21
Perform Remote Copying with rsync . . . . . . . . . . . . . . . . . . 5-23
Exercise 5-3: Create a Backup of a Home Directory With rsync . . . . . . . . . . . . . . . . . . . . . . . . . . 5-24
Part I: Perform a Local Backup With rsync . . . . . . . . . . 5-24
Part II: Perform a Remote Backup with rsync. . . . . . . . . 5-25
Objective 6 Automate Data Backups With the cron Service. . . . . . . . . . . 5-26
Exercise 5-4: Configure a cron Job for Data Backups . . 5-27
Objective 7 Troubleshoot the Boot Process of a SLES 9 System . . . . . . . . . . . . . . . . . . . . . . . . . . 5-28
Understand Issues During the System Boot Process . . . . . . . 5-28
Boot a Corrupted System Directly into a Shell . . . . . . . . . . . 5-29
Boot a Corrupted System With the Installation Media . . . . . 5-30
Start and Use the SLES 9 Rescue System . . . . . . . . . . . . . . . 5-30
Objective 8 Configure and Install the GRUB Boot Loader . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-32
The Basic Functionality of a Boot Loader . . . . . . . . . . . . . . . 5-32
The Basics of GRUB . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-33
Configure the GRUB Boot Loader . . . . . . . . . . . . . . . . . . . . 5-33
Exercise 5-5: Boot to a Shell and Configure the GRUB Boot Loader . . . . . . . . . . . . . . . . . . . . . . 5-36
Part I: Boot the Rescue System . . . . . . . . . . . . . . . . . . . . 5-36
Part II: Edit and Test the GRUB Configuration File. . . . 5-37
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-38


SECTION 6 Create Shell Scripts

Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-1
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-2
Objective 1 Use Basic Script Elements . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-4
Create Flow Charts for Scripts. . . . . . . . . . . . . . . . . . . . . . . . . 6-4
Understand the Basic Rules of Shell Scripting . . . . . . . . . . . . 6-5
Exercise 6-1: Produce Output from a Script . . . . . . . . . . . 6-9
Develop Scripts That Read User Input . . . . . . . . . . . . . . . . . 6-10
Exercise 6-2: Read User Input . . . . . . . . . . . . . . . . . . . . 6-11
Perform Basic Script Operations with Variables . . . . . . . . . . 6-12
Exercise 6-3: Simple Operations with Variables . . . . . . 6-14
Use Command Substitution . . . . . . . . . . . . . . . . . . . . . . . . . . 6-15
Exercise 6-4: Use Command Substitution . . . . . . . . . . . 6-16
Use Arithmetic Operations . . . . . . . . . . . . . . . . . . . . . . . . . . 6-17
Exercise 6-5: Use Arithmetic Operations. . . . . . . . . . . . 6-19
Objective 2 Use Variable Substitution Operators . . . . . . . . . . . . . . . . . . . 6-20
Exercise 6-6: Use Variable Substitution. . . . . . . . . . . . . 6-22
Objective 3 Use Control Structures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-23
Create Basic Branches With the if Command . . . . . . . . . . . . 6-23
Exercise 6-7: Use the if Command. . . . . . . . . . . . . . . . . 6-30
Build Multiple Branches With a case Statement . . . . . . . . . . 6-31
Exercise 6-8: Use the case Command . . . . . . . . . . . . . . 6-34
Create Loops Using the while and until Commands . . . . . . . 6-35
Exercise 6-9: Use the while and until Commands . . . . . 6-37
Process Lists with the for Loop . . . . . . . . . . . . . . . . . . . . . . . 6-38
Exercise 6-10: Use the for Loop. . . . . . . . . . . . . . . . . . . 6-40
Hints:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-40
Interrupt Loop Processing . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-41
Exercise 6-11: Interrupt Loop Processing . . . . . . . . . . . 6-42


Objective 4 Use Advanced Scripting Techniques . . . . . . . . . . . . . . . . . . . 6-43


Use Shell Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-43
Exercise 6-12: Use Shell Functions . . . . . . . . . . . . . . . . 6-45
Read Options with getopts . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-47
Exercise 6-13: Use the getopts Command . . . . . . . . . . . 6-49
Objective 5 Learn About Useful Commands in Shell Scripts . . . . . . . . . 6-50
Use the cat Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-50
Use the cut Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-50
Use the date Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-51
Use the echo Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-52
Use the Commands grep and egrep . . . . . . . . . . . . . . . . . . . . 6-53
Use the sed Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-54
Use the test Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-57
Use the tr Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-60
Exercise Answers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-61
Solution for Exercise 6-1: . . . . . . . . . . . . . . . . . . . . . 6-61
Solution for Exercise 6-2: . . . . . . . . . . . . . . . . . . . . . 6-61
Solution for Exercise 6-3: . . . . . . . . . . . . . . . . . . . . . 6-62
Solution for Exercise 6-4: . . . . . . . . . . . . . . . . . . . . . 6-62
Solution for Exercise 6-5: . . . . . . . . . . . . . . . . . . . . . 6-63
Solution for Exercise 6-6: . . . . . . . . . . . . . . . . . . . . . 6-64
Solution for Exercise 6-7: . . . . . . . . . . . . . . . . . . . . . 6-64
Solution for Exercise 6-8: . . . . . . . . . . . . . . . . . . . . . 6-65
Solutions for Exercise 6-9: . . . . . . . . . . . . . . . . . . . . 6-65
Solution for Exercise 6-10: . . . . . . . . . . . . . . . . . . . . 6-66
Solution for Exercise 6-12: . . . . . . . . . . . . . . . . . . . . 6-67
Solution for Exercise 6-13: . . . . . . . . . . . . . . . . . . . . 6-68
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-69


SECTION 7 Compile Software from Source

Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-1
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-2
Objective 1 Understand the Basics of C Programming. . . . . . . . . . . . . . . . 7-3
The Difference Between Source Code and an Executable . . . 7-3
The Structure of a Simple C Program . . . . . . . . . . . . . . . . . . . 7-5
How to Compile a Simple C Program . . . . . . . . . . . . . . . . . . . 7-8
Exercise 7-1: Compile a Simple C Program. . . . . . . . . . . 7-9
Objective 2 Understand the GNU Build Tool Chain. . . . . . . . . . . . . . . . . 7-10
Use configure to Prepare the Build Process. . . . . . . . . . . . . . 7-10
Use make to Compile the Source Code . . . . . . . . . . . . . . . . . 7-11
Use make install to Install the Compiled Program . . . . . . . . 7-13
Install the Required Packages for a Build Environment . . . . 7-13
Objective 3 Understand the Concept of Shared Libraries . . . . . . . . . . . . . 7-15
Objective 4 Perform a Standard Build Process . . . . . . . . . . . . . . . . . . . . 7-17
Exercise 7-2: Compile Software
from a Source Package . . . . . . . . . . . . . . . . . . . . . . . . . . 7-21
Part I: Compile a Source Package. . . . . . . . . . . . . . . 7-21
Part II: Run the Application . . . . . . . . . . . . . . . . . . . 7-22
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-23

SECTION 8 Perform a Health Check and Performance Tuning

Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-1
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-2
Objective 1 Find Performance Bottlenecks . . . . . . . . . . . . . . . . . . . . . . . . . 8-3
Analyze Processes and Processor Utilization . . . . . . . . . . . . . 8-4
Analyze Memory Utilization and Performance . . . . . . . . . . . . 8-6


Analyze Storage Performance . . . . . . . . . . . . . . . . . . . . . . . . . 8-9


Analyze Network Utilization and Performance . . . . . . . . . . . 8-14
Exercise 8-1: Analyze System Performance . . . . . . . . . 8-17
Part I: Analyze Processor Utilization . . . . . . . . . . . . . . . 8-17
Part II: Analyze Memory Utilization. . . . . . . . . . . . . . . . 8-18
Part III: Analyze Hard Disk Utilization. . . . . . . . . . . . . . 8-19
Part IV: Analyze Network Utilization. . . . . . . . . . . . . . . 8-20
Objective 2 Reduce System and Memory Load . . . . . . . . . . . . . . . . . . . . 8-22
Analyze CPU Intensive Applications . . . . . . . . . . . . . . . . . . 8-22
Run Only Required Software. . . . . . . . . . . . . . . . . . . . . . . . . 8-23
Run a Server System without X . . . . . . . . . . . . . . . . . . . 8-23
Reduce the Number of Daemon Processes . . . . . . . . . . . 8-24
Keep Your Software Up to Date . . . . . . . . . . . . . . . . . . . . . . 8-25
Optimize Swap Partitions . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-25
Change Hardware Components . . . . . . . . . . . . . . . . . . . . . . . 8-26
Upgrade the CPU . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-26
Upgrade the Memory . . . . . . . . . . . . . . . . . . . . . . . . 8-27
Exercise 8-2: Reduce Resource Utilization . . . . . . . . . . 8-28
Objective 3 Optimize the Storage System. . . . . . . . . . . . . . . . . . . . . . . . . 8-30
Configure IDE Drives with hdparm. . . . . . . . . . . . . . . . . . . . 8-30
Tune Kernel Parameters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-32
Tune the IO Scheduler. . . . . . . . . . . . . . . . . . . . . . . . . . . 8-33
Change the Read Ahead Parameter . . . . . . . . . . . . . . . . . 8-34
Change the Swappiness Parameter . . . . . . . . . . . . . . . . . 8-34
Tune File System Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-35
Disable atime Update . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-35
Implement File System Dependent Tuning Options . . . . 8-35
Mount a Reiser File System
With the notail Option . . . . . . . . . . . . . . . . . . . . . . . 8-36
Configure the Journaling Mode of Ext3 . . . . . . . . . . 8-36


Change Hardware Components . . . . . . . . . . . . . . . . . . . . . . . 8-37


Exercise 8-3: Tune an IDE Hard Drive With hdparm . . 8-38
Objective 4 Tune the Network Performance . . . . . . . . . . . . . . . . . . . . . . . 8-39
Change Kernel Network Parameters . . . . . . . . . . . . . . . . . . . 8-39
Change Your Network Environment . . . . . . . . . . . . . . . . . . . 8-41
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-43

SECTION 9 Manage Hardware and Component Changes

Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-1
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-2
Objective 1 Understand the Differences Between
Devices and Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-3
Objective 2 Understand How Device Drivers Work . . . . . . . . . . . . . . . . . 9-4
Objective 3 Understand How Device Drivers Are Loaded . . . . . . . . . . . . . 9-6
Objective 4 Understand the sysfs File System . . . . . . . . . . . . . . . . . . . . . . 9-7
Objective 5 Understand How the SLES 9 Hotplug System Works. . . . . . . 9-9
Objective 6 Understand the hwup Command . . . . . . . . . . . . . . . . . . . . . . 9-13
Exercise 9-1: Trace How a Network Adapter Is
Set Up With hwup and ifup . . . . . . . . . . . . . . . . . . . . . . 9-16
Part I: Boot the System with Hot- and
Coldplug Disabled . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-16
Part II: Use hwup to Load a Driver Module . . . . . . . . . . 9-17
Part III: Use ifup to Set Up the Network Interface . . . . . 9-18
Objective 7 Add New Hardware to a SLES 9 System . . . . . . . . . . . . . . . 9-20
Add a New Drive to the System . . . . . . . . . . . . . . . . . . . . . . 9-20
Replace a Graphics Card . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-21
Add a New Network Adapter . . . . . . . . . . . . . . . . . . . . . 9-22
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-23


SECTION 10 Prepare for the Novell CLP Practicum

Scenario 1: Install and Configure SLES 9 . . . . . . . . . . . . . . 10-2


Scenario 2: Configure a DNS Server . . . . . . . . . . . . . . . . . . 10-3
Scenario 3: Configure a Web Server. . . . . . . . . . . . . . . . . . . 10-4
Scenario 4: Configure a Samba File Server . . . . . . . . . . . . 10-5

Appendix A Novell CLP and LPI Requirements


Introduction

In this course you learn advanced SUSE LINUX Enterprise Server
9 (SLES 9) administration skills. These, along with the skills taught
in the SUSE LINUX Fundamentals (3036) and SUSE LINUX
Administration (3037) courses, prepare you to take the Novell®
Certified Linux® Professional (Novell CLP) certification practicum
test.

Course Objectives
This course teaches you how to perform the following SUSE
LINUX advanced administration tasks for SLES 9:
1. Install SLES 9 with custom partitioning
2. Configure the network manually
3. Configure network services
4. Secure a SLES 9 server
5. Manage backup and recovery
6. Create shell scripts
7. Compile software from source
8. Perform a health check and performance tuning
9. Manage hardware and component changes

These are advanced administrative skills common to an experienced
administrator in an enterprise environment.

The final day of class is reserved for a “Live Fire” exercise that tests
your advanced SLES 9 administration skills and prepares you to
take the Novell CLP Practicum.


Audience
While the primary audience for this course is the current Novell
CNESM who has completed courses 3036 and 3038 in the CLP
curriculum, Linux professionals and administrators with experience
in other operating systems can also use this course to help prepare
for the Novell CLP Practicum.

Certification and Prerequisites

This course helps you prepare for the Novell Certified Linux
Professional (Novell CLP) Practical Test, called a practicum. The
Novell CLP is an entry-level certification for people interested in
becoming SUSE LINUX administrators.

As with all Novell certifications, course work is never required. You
need only pass the Novell CLP Practicum (050-689) in order to
achieve the certification.

The Novell CLP Practicum is a hands-on, scenario-based exam
where you apply the knowledge you have learned to solve real-life
problems, demonstrating that you know what to do and how to do
it.

The practicum tests you on objectives in this course (SUSE LINUX
Advanced Administration - Course 3038) and the skills outlined in
the following Novell CLP courses:
■ SUSE LINUX Fundamentals - Course 3036
■ SUSE LINUX Administration - Course 3037


The following illustrates the training/testing path for Novell CLP:

Before attending this course, you should complete the prerequisites
included in SUSE LINUX Administration (Course 3037) or have
experience managing SLES 9 servers in a networked environment.


For more information about Novell certification programs and taking the
Novell CLP Practicum, see http://www.novell.com/education/certinfo.

SLES 9 Support and Maintenance

The copy of SUSE LINUX Enterprise Server 9 (SLES 9) you
receive in your student kit is a fully functioning copy of the SLES 9
product.

However, to receive official support and maintenance updates, you
need to do one of the following:
■ Register for a free registration/serial code that provides you
with 30 days of support and maintenance.
■ Purchase a copy of SLES 9 from Novell (or an authorized
dealer).

You can obtain your free 30-day support and maintenance code at
http://www.novell.com/products/linuxenterpriseserver/eval.html.

You will need to have or create a Novell login account to access the 30-day
evaluation.

SLES 9 Online Resources

Novell provides a variety of online resources to help you configure
and implement SLES 9.

These include the following:
■ http://www.novell.com/products/linuxenterpriseserver/
This is the Novell home page for SLES 9.
■ http://www.novell.com/documentation/sles9/index.html
This is the Novell Documentation web site for SLES 9.


■ http://support.novell.com/linux/
This is the home page for all Novell Linux support, and
includes links to support options such as the Knowledgebase,
downloads, and FAQs.
■ http://www.novell.com/coolsolutions
This Novell web site provides the latest implementation
guidelines and suggestions from Novell on a variety of
products, including SUSE LINUX.

Agenda
The following is the agenda for this 5-day course:

Day    Section                                                    Duration
Day 1  Introduction                                               00:30
       Section 1: Install SLES 9                                  03:30
       Section 2: Configure the Network Manually                  02:00
Day 2  Section 3: Configure Network Services                      04:00
       Section 4: Secure a SLES 9 Server                          02:00
Day 3  Section 4: Secure a SLES 9 Server (cont.)                  01:00
       Section 5: Managing Backup and Recovery                    01:00
       Section 6: Create Shell Scripts                            02:30
       Section 7: Compile Software from Source                    01:30
Day 4  Section 8: Perform a Health Check and Performance Tuning   03:00
       Section 9: Manage Hardware and Component Changes           02:00
Day 5  Live Fire Exercise                                         06:00

Scenario
The Digital Airlines management has made the decision to migrate
several back-end services to Linux servers running SLES 9. You
have already installed SLES 9 before and are familiar with
administering SLES 9 from YaST and from the command line.

To be able to implement the migration plan, you need additional
experience in the following areas:
■ System settings on the configuration file level
■ Network services configuration from the command line
■ Applying security solutions and deploying backup and recovery
■ Creating basic shell scripts and compiling software from source
packages

You decide to set up a test server in the lab to enhance your skills in
these areas.

Exercise Conventions
When working through an exercise, you will see conventions that
indicate information you need to enter that is specific to your server.

The following describes the most common conventions:
■ italicized/bolded text. This is a reference to your unique
situation, such as the host name of your server.


For example, if the host name of your server is DA50, and you
see the following,
hostname.digitalairlines.com
you would enter
DA50.digitalairlines.com
■ 10.0.0.xx. This is the IP address that is assigned to your SLES 9
server.
For example, if your IP address is 10.0.0.50, and you see the
following
10.0.0.xx
you would enter
10.0.0.50
■ Select. The word select is used in exercise steps to indicate a
variety of actions including clicking a button on the interface
and selecting a menu item.
■ Enter and Type. The words enter and type have distinct
meanings.
The word enter means to type text in a field or at a command
line and press the Enter key when necessary. The word type
means to type text without pressing the Enter key.
If you are directed to type a value, make sure you do not press
the Enter key or you might activate a process that you are not
ready to start.


SECTION 1 Install SLES 9

In this section, you install SUSE Linux Enterprise Server 9
(SLES 9). You also learn how to use advanced installation options
and to troubleshoot the installation process.

Objectives
1. Perform the SLES 9 Base Installation
2. Configure the SLES 9 Installation
3. Troubleshoot the Installation Process


Introduction
YaST presents an automatically generated installation proposal
during installation that you can accept to make installation simple
and quick.

However, you also need to understand the more advanced
installation options available. By changing the following installation
proposal options, you can install servers that meet a variety of
needs:
■ Installation mode
■ Partitioning scheme
■ Software selection
■ Authentication method
■ Hardware setup

This section describes these and other SLES 9 installation options.


Objective 1 Perform the SLES 9 Base Installation

Installing SLES 9 consists of a base installation phase and a
configuration phase.

To perform the base installation do the following:
■ Boot From the Installation Media
■ Select the System Language
■ Select the Installation Mode
■ Understand and Change the Installation Proposal
■ Partition the Hard Disk
■ Select the Software
■ Configure the Boot Loader
■ Start the Installation Process

Boot From the Installation Media

To start the installation process, insert the SLES 9 CD 1 into the CD
drive and then reboot the computer to start the installation program.

To start the installation program, your computer needs to be configured to
start from a CD or DVD drive. You might need to change the boot drive
order in the BIOS setup of your system to boot from the drive.

Consult the manual shipped with your hardware for further information.


When your system has started from the installation CD, the
following appears:

You can use the arrow keys to select one of the following options:
■ Boot from Hard Disk. Boots the system installed on the hard
disk (the system normally booted when the machine is started).
This is the default option.
■ Installation. Starts the normal installation process. All modern
hardware functions are enabled.
■ Installation - ACPI Disabled. Starts the installation process
with ACPI (Advanced Configuration and Power Interface)
disabled. If the normal installation fails, the system hardware
might not support ACPI. In this case, you can use this option to
install without ACPI support.


■ Installation - Safe Settings. Starts the installation process with
the DMA mode and any interfering power management
functions disabled. Use this option if the installation fails with
the other options.
■ Manual Installation. When you select this installation mode,
you can load driver modules manually and change the advanced
installation settings.
■ Rescue System. Starts the SLES 9 rescue system. If you cannot
boot your installed Linux system, you can boot the computer
from the CD and select this option. This starts a minimal Linux
system without a graphical user interface to allow experts to
access disk partitions for troubleshooting and repairing an
installed system.
■ Memory Test. Starts a memory testing program, which tests
system RAM by using repeated read and write cycles. This is
done in an endless loop, because memory corruption often
shows up sporadically and many read and write cycles might be
necessary to detect it.
If you suspect that your RAM might be defective, start this test
and let it run for several hours. If no errors are detected, you
can assume that the memory is intact. Terminate the test by
rebooting the system.

Use the function keys, as indicated in the bar at the bottom of the
screen, to change a number of installation settings:
■ F1. Opens context-sensitive help for the currently selected
option of the boot screen.
■ F2. Select a graphical display mode (such as 640x480 or
1024x768) for the installation. You can select one of these or
select the text mode, which is useful if the graphical mode
causes display problems.
■ F3. Select an installation media type. Normally, you install from
the inserted installation disk, but in some cases you might want
to select another source, such as FTP or NFS.
■ F4. Select an installation language.


■ F5. Select the debugging output level. By default, diagnostic
messages of the Linux kernel are not displayed during system
start up. To display these messages, select Native. For
maximum information, select Verbose.
■ F6. Add a driver update CD to the installation process. You are
asked to insert the update disk at the appropriate point in the
installation process.

Select the Installation option to start the installation process. If the
installation fails for some reason, try to install with the Installation
- ACPI Disabled option or the Installation - Safe Settings option.

After you select an installation option, a minimal Linux system
loads to run the YaST installation program.

Select the System Language

After YaST starts, the following appears:


Almost all YaST installation dialogs use the same format:
■ The left side displays an overview of the installation status.
■ From the lower left side, you can select a help button to get
information about the current installation step.
■ The right side displays the current installation step.
■ The lower right side provides buttons for navigating to the
previous or next installation steps, or to abort the installation.
If the installation program does not detect your mouse, you can use the Tab
key to navigate through the dialog elements, the arrow keys to scroll in lists
and Enter to select buttons. You can change the mouse settings later in the
installation process.

From the language dialog, select the language of your choice, and
then select Accept to continue to the next step.

Select the Installation Mode

After you have selected the installation language, the following
appears:


In this dialog, YaST asks you for the installation mode. Select one
of the following options:
■ New installation. Performs a normal new installation of SLES
9. This is the default option.
■ Update an existing system. Updates a previously installed
SLES 8 installation.
■ Repair Installed System. Repairs a previously installed SLES
9 installation.
■ Boot installed system. Boots a previously installed Linux
installation.
■ Abort Installation. Terminates the installation process.

For a normal installation, select New Installation and then select
OK to proceed to the next step.


Understand and Change the Installation Proposal

After you select New Installation, YaST analyzes the system and
creates an installation proposal. The proposal is displayed as shown
in the following:

The proposal displays all installation settings that are necessary for
a base installation. You can change these settings by selecting the
following headlines (headings):
■ System. Restarts the hardware detection process and displays a
list of all available hardware components. You can select single
components, view details, or save the list to a file.
■ Mode. Changes the installation mode.
■ Keyboard layout. Changes the keyboard layout. YaST selects
the keyboard layout according to your language settings.
Change the keyboard settings if you prefer a different layout.


■ Mouse. Changes the mouse settings. If your mouse does not
work correctly, you can select a different mouse type in this
block.
■ Partitioning. Changes the hard drive partitioning. If the
automatically generated partitioning scheme does not fit your
needs, you can change it by selecting this headline.
■ Software. Changes the software selection. You can select or
deselect software.
■ Booting. Changes the boot loader setting.
■ Time zone. Changes the time zone. YaST selects the time zone
of the installed system according to your language selection.
Change the time zone if you prefer a different one.

Of the settings described above, partitioning, software, and booting
are discussed next in more detail.

Partition the Hard Disk

In most cases, YaST proposes a reasonable partitioning scheme that
you can accept without change. However, you might need to change
the partitioning manually if
■ You want to optimize the partitioning scheme for a special
purpose server (such as a file server).
■ You have more than one hard drive and want to configure
RAID or LVM devices.
■ You want to delete existing operating systems so you have more
space available for your SLES 9 installation.

To partition the hard drive manually, you need to know the
following:
■ The Basics of Hard Drive Partitioning
■ The Basic Linux Partition Scheme
■ Partitioning Schemes for Different Server Types


■ How to Change YaST´s Partitioning Proposal
■ How to Use the YaST Expert Partitioner

The Basics of Hard Drive Partitioning

Partitions divide the available space of a hard drive into smaller
portions. This lets you install more than one operating system on a
hard drive or use different areas for programs and data.

Every hard disk has a partition table with space for four entries. An
entry in the partition table can correspond to a primary partition or
an extended partition. Only one extended partition entry is allowed.

A primary partition consists of a continuous range of cylinders
(physical disk areas) assigned to a particular operating system. If
you use only primary partitions, you are limited to 4 partitions per
hard disk (because the partition table can only hold 4 entries).

This is why extended partitions are used. Extended partitions are
also continuous ranges of disk cylinders, but can be subdivided into
logical partitions. Logical partitions do not require entries in the
main partition table. In other words, an extended partition is a
container for logical partitions.

If you need more than 4 partitions, use one of the four entries (at
the latest the fourth) for an extended partition. This extended
partition should include the entire remaining free cylinder range.
Then create multiple logical partitions within the extended partition.
The maximum number of logical partitions is fifteen on SCSI disks
and 63 on (E)IDE disks.

It does not matter which type of partitions you use on Linux
systems; primary and logical partitions both work well.
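The table layout described above can be checked on a raw disk image rather than taken on trust. The following Python script is an added example, not course material and not a tool shipped with SLES 9: it reads the four 16-byte entries of the master boot record, accepts at most one extended entry, and follows the chain of extended boot records (EBRs) in which the logical partitions live, applying the bounds and loop checks a forensic reader of an untrusted image wants. The 20 MiB disk image it parses is constructed inside the script; the device layout, the sizes, and the 63-logical-partition ceiling enforced in the loop are assumptions taken from the text.

```python
"""Walk an MBR partition table and its EBR chain (added example, not course code)."""
import struct

SECTOR = 512
EXTENDED_TYPES = {0x05, 0x0F, 0x85}      # DOS extended, Win95 LBA extended, Linux extended
MAX_LOGICAL = 63                          # (E)IDE limit quoted in the text; SCSI stops at 15


def parse_table(sector):
    """Return the four 16-byte entries of an MBR or EBR sector as dicts."""
    if len(sector) < SECTOR or sector[510:512] != b"\x55\xaa":
        raise ValueError("sector lacks the 0x55AA boot signature")
    entries = []
    for i in range(4):
        # status, CHS start (3 bytes, skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, 446 + 16 * i)
        entries.append({"status": status, "type": ptype, "lba": lba, "sectors": count})
    return entries


def read_partitions(image):
    """Return primary, extended and logical partitions of a raw disk image (bytes)."""
    def read(lba):
        return image[lba * SECTOR:(lba + 1) * SECTOR]

    parts, extended = [], None
    for number, e in enumerate(parse_table(read(0)), start=1):
        if e["type"] == 0:
            continue                                   # unused slot
        if e["type"] in EXTENDED_TYPES:
            if extended is not None:
                raise ValueError("more than one extended partition")
            extended = e
            parts.append({"number": number, "kind": "extended", **e})
        else:
            parts.append({"number": number, "kind": "primary", **e})
    if extended is None:
        return parts

    # Logical partitions form a linked list of EBRs inside the extended partition.
    # Entry 0 of each EBR: the logical partition, its LBA relative to that EBR.
    # Entry 1: the next EBR, its LBA relative to the start of the extended partition.
    ext_start, ext_end = extended["lba"], extended["lba"] + extended["sectors"]
    ebr_lba, number, seen = ext_start, 5, set()
    while ebr_lba not in seen:
        seen.add(ebr_lba)
        if not ext_start <= ebr_lba < ext_end:
            raise ValueError("EBR at LBA %d lies outside the extended partition" % ebr_lba)
        first, second = parse_table(read(ebr_lba))[:2]
        if first["type"] != 0:
            start = ebr_lba + first["lba"]
            if start + first["sectors"] > ext_end:
                raise ValueError("logical partition %d overruns its container" % number)
            parts.append({"number": number, "kind": "logical", "status": first["status"],
                          "type": first["type"], "lba": start, "sectors": first["sectors"]})
            number += 1
            if number > 4 + MAX_LOGICAL:
                raise ValueError("too many logical partitions")
        if second["type"] not in EXTENDED_TYPES:
            return parts                               # no link entry: end of chain
        ebr_lba = ext_start + second["lba"]
    raise ValueError("EBR chain loops back to LBA %d" % ebr_lba)


def _entry(status, ptype, lba, sectors):
    return struct.pack("<B3xB3xII", status, ptype, lba, sectors)


def _sector(entries):
    return b"\x00" * 446 + b"".join(entries).ljust(64, b"\x00") + b"\x55\xaa"


def build_sample_image():
    """Constructed 20 MiB image: /boot and swap as primaries, two logicals in an extended."""
    image = bytearray(40960 * SECTOR)
    image[0:SECTOR] = _sector([
        _entry(0x80, 0x83, 2048, 8192),     # 1: /boot, marked bootable
        _entry(0x00, 0x82, 10240, 4096),    # 2: swap
        _entry(0x00, 0x05, 14336, 26624),   # 3: extended container, runs to the end of the disk
    ])
    ebr1 = 14336                            # first EBR sits at the start of the extended partition
    image[ebr1 * SECTOR:(ebr1 + 1) * SECTOR] = _sector([
        _entry(0x00, 0x83, 2048, 8192),     # 5: logical, begins 2048 sectors past its EBR
        _entry(0x00, 0x05, 10240, 16384),   # link: next EBR at ext_start + 10240
    ])
    ebr2 = ebr1 + 10240
    image[ebr2 * SECTOR:(ebr2 + 1) * SECTOR] = _sector([
        _entry(0x00, 0x83, 2048, 14336),    # 6: last logical, no link entry follows
    ])
    return bytes(image)


if __name__ == "__main__":
    for p in read_partitions(build_sample_image()):
        print("%d %-8s type=0x%02x start=%-6d %5.1f MiB%s" % (
            p["number"], p["kind"], p["type"], p["lba"],
            p["sectors"] * SECTOR / 2 ** 20, "  (bootable)" if p["status"] == 0x80 else ""))
```

Run it directly to print the constructed table; numbering starts at 5 for the first logical partition, exactly as Linux names /dev/hda5 even when only three primary entries are in use. The same function accepts a full dd image of a real disk, and the bounds checks are what separate a sane table from one that has been damaged or crafted to make a parser read outside the container.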


The Basic Linux Partition Scheme

The optimal partition scheme for a server depends on the purpose of
the server.

A SLES 9 installation needs at least two partitions:
■ Swap partition. This partition is used by Linux to move
unused data from the main memory to the hard drive, which
frees main memory for the processes that are actually running.
■ Root partition. This is the partition for the operating system
itself, and is mounted under / in the installed system.

No matter what partition scheme you choose, you always need a
swap partition and a root partition.

The following guidelines help you determine the size of your root
partition:
■ 500 MB. This allows for a minimal installation with no
graphical interface. With this configuration, you can only use
console applications.
■ 700 MB. This allows for an installation with a minimum
graphical interface. This includes the X window system and a
few graphical applications.
■ 1.5 GB. This is the default installation proposed by YaST. This
configuration includes a modern desktop environment (such as
KDE or GNOME), and provides enough space for large
application suites (such as Netscape or Mozilla).
■ 2.5 GB. This allows for a full installation, including all
software packages shipped with SLES 9.

If your server hosts data (such as a web server or a file server) you
will probably need more space, either on the root partition or on a
separate data partition.

Install SLES 9

Partitioning Schemes for Different Server Types

It often makes sense to create more than the default Linux
partitions. The following list provides examples of partitions for
different server types:
■ File server. Hard disk performance is crucial for a file server.
Create an extra partition with enough space for the data that is
hosted by the server.
■ Web server. You should create an extra partition for the web
space hosted by the server. Make the partition large enough to
hold the expected amount of hosted data.
■ Compute server. A compute server carries out extensive
calculations in the network. Fast disk throughput is only needed
for the swap partitions. If possible, use more than one swap
partition and distribute swap partitions to multiple hard disks.
■ Desktop workstation. Create a separate partition for users'
home directories. This lets you reinstall the operating system
without losing user data.


How to Change YaST´s Partitioning Proposal

To use YaST to change the partition scheme, select the Partitioning
headline in the installation proposal. The following appears:

In the top part of the dialog, YaST displays the automatically
generated partitioning proposal. The lower part of the dialog
provides the following options:
■ Accept proposal as is. Accepts the partitioning scheme and
returns to the main installation proposal.
■ Base partition setup on this proposal. Starts the YaST Expert
Partitioner with the partition proposal as base setup.


■ Create custom partition setup. Displays the following:

In this dialog, you can do one of the following:

■ Select a hard disk completely or in parts
■ Create a custom partitioning scheme by using the YaST Expert
Partitioner


How to Use the YaST Expert Partitioner

When you start the YaST Expert Partitioner, the following appears:

In the top part of the dialog, YaST lists details of the current
partition setup. Depending on your previous choice, the list contains
the current physical disk setup or the partitioning proposal created
by YaST.

Most of the changes made with the YaST Expert Partitioner are not written
to disk until the installation process is started. You can always discard your
changes by selecting Back or you can restart the Expert Partitioner to make
more changes.


The following entries are displayed for every hard disk in your
system:
■ One entry for the hard disk itself, which has the corresponding
device name in the Device column (such as /dev/sda).
■ One entry for every partition on the hard disk with the
corresponding device name and the partition number in the
Device column (such as /dev/sda1).

If a hard disk is not partitioned yet, you see only the entry for the
hard disk itself.

Each entry in the list includes information in the following columns:

■ Device. Displays the device name for the hard disk or the
partition.
■ Size. Displays the size for the hard disk or partition.
■ F. When the character “F” is displayed in this column, the
partition will be formatted during the installation process.
■ Type. Displays the partition or hard disk type.
■ Mount. Displays the mount point of a partition. For swap
partitions, only the keyword swap is used.
■ Start. Displays the start cylinder of a hard disk or partition.
Hard disk entries always start with 0.
■ End. Displays the end cylinder of a hard disk or partition.

The buttons in the lower part of the dialog let you

■ Create New Partitions
■ Edit Existing Partitions
■ Delete Existing Partitions
■ Resize Existing Partitions

These administrative tasks are covered in more detail below.


In addition, you can do the following:


■ Manage LVM volumes
■ Manage EVMS volumes
■ Manage soft RAID setups
■ Create crypt file partitions
■ Perform expert tasks

Create New Partitions

Create a new partition by selecting Create. A dialog with one of the
following options appears (the options you see depend on your hard
disk setup):
■ If you have more than one disk in your system, you are asked to
select a disk for the new partition first.
■ If you do not have an extended partition, you are asked if you
want to create a primary or an extended partition.
■ If you have an extended partition, you are asked if you want to
create a primary or a logical partition.
■ If you have 3 primary partitions and an extended partition, you
can only create logical partitions.

You need enough space on your hard disk to create a new partition. You
learn later in this section how to delete existing partitions to free used disk
space.


If you choose to create a primary or a logical partition, the
following appears:

This dialog provides the following options:


■ Format. This lets you choose one of the following options:
■ Do not format. Do not format the newly created partition.
Select this only if you need to change an existing partition
instead of creating a new one.
■ Format. Formats the new partition with the file system you
select from the File System drop-down list.
You can choose from the following file systems:
■ Ext2. Formats the partition with the Ext2 file system.
Ext2 is an old and proven file system, but it does not
include journaling.
■ Ext3. Formats the partition with the Ext3 file system.
Ext3 is the successor of Ext2 and offers a journaling
feature.
■ FAT. Formats the partition with the FAT file system.


FAT is an older file system used in DOS and Windows.
You can use this option to create a data partition, which
is accessible from Windows and Linux. You must not
create a root partition with this file system.
■ JFS. Formats the partition with JFS, a journaling file
system developed by IBM.
■ Reiser. Formats the partition with ReiserFS, a modern
journaling file system. (This is the default option.)
■ XFS. Formats the partition with XFS, a journaling file
system originally developed by SGI.
■ Swap. Formats the partition as a swap partition.
If you are not sure which file system to choose, select
Reiser for root and data partitions and Swap for swap
partitions.
■ Options. By selecting Options, you can change parameters
for the file system you selected. You can use the default
parameters in most cases.
■ Encrypt file system. If you select this option, the partition
file system is encrypted. You should only use this option for
non-system partitions such as user home directories.
■ Size. Lets you configure the size of the new partition with the
following:
■ Start Cylinder. The start cylinder determines the first
cylinder of the new partition. YaST normally preselects the
first available free cylinder of the hard disk.
■ End. The end cylinder determines the size of the new
partition. To configure the end cylinder, do one of the
following:
■ Enter the cylinder number.
■ Enter a plus sign (+) followed by the amount of disk
space for the new partition. Use M for MB and G for
GB. YaST calculates the last cylinder number.
For example, enter +5G for a partition size of 5 GB.


■ Fstab Options. Select this option to edit the fstab entry for this
partition. The default setting should work in most cases.
■ Mount Point. Select the mount point of the new partition from
this drop-down list. You can also enter a mount point manually,
if it's not available in the list.

After changing the parameters, select OK to add the new partition
to the partition list.

If you chose to create an extended partition, the following appears:

You can enter the following:


■ Start cylinder. The start cylinder determines the first
cylinder of the new partition. YaST normally preselects the
first available free cylinder of the hard disk.
■ End. The end cylinder determines the size of the new
partition. To configure the end cylinder, do one of the
following:
■ Enter the cylinder number.


■ Enter a plus sign (+) followed by the amount of disk
space for the new partition. Use M for MB and G for
GB. YaST calculates the last cylinder number.
For example, enter +5G for a partition size of 5 GB.

After entering the size, select OK to add the new extended partition
to the partition list.
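As an added example (not part of this course and not YaST's own code), the following Python script applies the partition rules described above: the End field syntax (+5G, +700M, or a bare end cylinder), at most four primary partitions of which one may be extended, logical partitions only inside the extended partition, 15 logical partitions on SCSI and 63 on (E)IDE, and the mandatory root and swap partitions. It assumes a classic heads x sectors x 512-byte cylinder geometry; the disk, device names and the plan at the bottom are constructed.

```python
"""Partition plan checker for the rules in this chapter.

Added example, not part of the course material. It assumes a classic CHS
geometry (heads x sectors x 512 bytes per cylinder) so that the YaST End
field ('+5G', '+700M' or a bare end cylinder) can be turned into cylinder
numbers. The disk geometry and the plan at the bottom are constructed.
"""
import math
import re

SECTOR_BYTES = 512
MB = 1024 * 1024
GB = 1024 * MB
MAX_LOGICAL = {"scsi": 15, "ide": 63}       # limits stated in the chapter
DEV_PREFIX = {"scsi": "sda", "ide": "hda"}  # first disk on each bus (assumed)


def cylinder_bytes(heads, sectors):
    """Bytes per cylinder for a heads x sectors-per-track geometry."""
    return heads * sectors * SECTOR_BYTES


def parse_size(spec):
    """'+5G' / '+700M' give a size in bytes; a bare number is an explicit
    end cylinder. Returns (kind, value)."""
    m = re.fullmatch(r"\+(\d+)([MG])", spec)
    if m:
        return ("bytes", int(m.group(1)) * (GB if m.group(2) == "G" else MB))
    if spec.isdigit():
        return ("cylinder", int(spec))
    raise ValueError("bad size spec: %r" % spec)


def end_cylinder(start, spec, heads, sectors):
    """End cylinder YaST would calculate for a partition starting at `start`
    (sizes are rounded up to whole cylinders)."""
    kind, value = parse_size(spec)
    if kind == "cylinder":
        return value
    return start + math.ceil(value / cylinder_bytes(heads, sectors)) - 1


def check_plan(plan, disk):
    """Validate planned partitions (in creation order) against the rules:
    at most 4 primary/extended, one extended, logicals only inside it,
    15 (SCSI) or 63 (IDE) logicals, and a root and a swap partition.
    Returns (ok, problems, layout); layout holds
    (device, type, start, end, mount) tuples."""
    problems, layout = [], []
    primaries = [p for p in plan if p["type"] in ("primary", "extended")]
    extended = [p for p in plan if p["type"] == "extended"]
    logicals = [p for p in plan if p["type"] == "logical"]
    if len(primaries) > 4:
        problems.append("more than 4 primary/extended partitions")
    if len(extended) > 1:
        problems.append("only one extended partition is allowed")
    if logicals and not extended:
        problems.append("logical partitions need an extended partition")
    limit = MAX_LOGICAL[disk["bus"]]
    if len(logicals) > limit:
        problems.append("more than %d logical partitions on %s" % (limit, disk["bus"]))
    mounts = {p.get("mount") for p in plan}
    for needed in ("/", "swap"):
        if needed not in mounts:
            problems.append("missing %s partition" % needed)

    next_free, ext_end = 0, None
    prim_no, log_no = 0, 4                  # logical partitions start at 5
    for p in plan:
        name = p.get("mount") or p["type"]
        start = next_free
        end = end_cylinder(start, p["size"], disk["heads"], disk["sectors"])
        if end >= disk["cylinders"]:
            problems.append("%s runs past the last cylinder" % name)
        if p["type"] == "logical":
            log_no += 1
            num = log_no
            if ext_end is not None and end > ext_end:
                problems.append("%s does not fit in the extended partition" % name)
            next_free = end + 1
        else:
            prim_no += 1
            num = prim_no
            if p["type"] == "extended":
                ext_end = end
                next_free = start           # the first logical starts here
            else:
                next_free = end + 1
        layout.append(("/dev/%s%d" % (DEV_PREFIX[disk["bus"]], num),
                       p["type"], start, end, name))
    return (not problems, problems, layout)


# Constructed 20 GB IDE disk: 255 heads, 63 sectors, 2434 cylinders.
DISK = {"bus": "ide", "heads": 255, "sectors": 63, "cylinders": 2434}
PLAN = [
    {"type": "primary", "size": "+100M", "mount": "/boot"},
    {"type": "primary", "size": "+512M", "mount": "swap"},
    {"type": "primary", "size": "+2G", "mount": "/"},
    {"type": "extended", "size": "2433"},            # rest of the disk
    {"type": "logical", "size": "+5G", "mount": "/home"},
    {"type": "logical", "size": "+8G", "mount": "/srv"},
]

if __name__ == "__main__":
    ok, problems, layout = check_plan(PLAN, DISK)
    for row in layout:
        print("%-10s %-8s %5d-%5d %s" % row)
    print("OK" if ok else "\n".join(problems))
```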

Edit Existing Partitions

Select a partition from the list and select Edit. You can edit only
primary and logical partitions with the Expert Partitioner. You
cannot edit extended partitions or the entry for the full hard disk.

If you edit a primary or logical partition, a dialog appears which is
very similar to the Create Partition dialog described above. You can
change all options except for the partition size.

After changing the partition parameters, select OK to save your
changes to the partition list.

Delete Existing Partitions

To delete a partition, select a partition from the list, select Delete,
and then select Yes in the confirmation dialog. The partition is
deleted from the partition list.

Remember that you also delete all logical partitions when you delete
an extended partition.

Resize Existing Partitions

Select a partition from the list and select Resize.

Although you can resize a partition without deleting it to increase free
space on the hard disk, you should always back up the data on the partition
before resizing it.


If the selected partition is formatted with the FAT or NTFS file
system, do the following before resizing the partition:
■ FAT file system. To save time, first run Scan Disk and Defrag
to make sure the FAT partition is free of lost file fragments and
cross links and to move files to the beginning of the partition.
If you have optimized virtual memory settings for Windows so
that a contiguous swap file is used with the same initial
(minimum) and maximum size limit, disable them before
resizing and re-enable them after the resizing has been
completed.
If these virtual memory settings are enabled, the resizing might split
the swap file into many small parts scattered all over the FAT partition.
Also, the entire swap file would need to be moved during the resizing,
which makes the process rather slow.

■ NTFS file system. You must run Scan Disk and Defrag to
move the files to the beginning of the partition or the NTFS
partition cannot be resized.


After you select Resize, the following appears:

This dialog includes the following:


■ Two bars representing the partition before and after the resizing
process
■ Now. In the Now bar, the used space is designated by dark
blue and the available space is designated by light blue.
■ After installation. In the After Installation bar the used
space is designated by dark blue and the free space is
designated by light blue. The space that is available for a
new partition is designated by white.
■ A slider to change the size of the partition
■ Two text fields that display the amount of free space on the
partition being resized and the space available for a new
partition after the resizing process


■ A Do Not Resize button used to reset the partition to the
original size

To resize the partition, move the slider until enough unused disk
space is available for a new partition. When you select OK, the
partition size changes in the partition list.

Manage LVM Volumes

To manage LVM (Logical Volume Manager) volumes, select the
LVM button in the YaST Expert Partitioner.

SLES 9 supports only LVM version 2. Therefore, references to LVM in
this section always refer to LVM version 2.

Using LVM you can create logical volumes, which spread over
several physical disks and partitions. Do not confuse logical
volumes with the logical partitions inside the extended partition of
a physical hard disk.

You can use a logical volume like a physical partition. You can
create a file system on the volume and mount it at a mount point of
your choice.

You can also use the YaST Expert Partitioner to create logical volumes
after installation. There are also command line tools for managing logical
volumes. We do not recommend that you use LVM for the root partition of
a system.

You need to understand the following terms connected with logical
volumes:
■ Logical volume group. A logical volume group is a group of
physical partitions. The physical partitions can be spread over
different hard disks.
■ Logical volume. A logical volume is a part of a logical volume
group. A logical volume can be formatted and mounted like a
physical partition.


You can think of logical volume groups as logical hard disks and
logical volumes as partitions on those logical hard disks.

Before you can create a logical volume, you always need a logical
volume group.

The following shows the relationship of physical partitions, logical
volume groups, and logical volumes:

Logical volumes have the following advantages:


■ They can be resized more easily than a physical partition.
■ They can spread over multiple disks.
■ You can easily add new hard disks to logical volume groups.
■ You can create extremely large logical volumes.
■ They provide a snapshot functionality for consistent backups.


If you select LVM in the YaST Expert Partitioner, the following
appears:

You use this dialog to create a new logical volume group by
entering the following:
■ Volume Group Name. Enter the name of your volume group.
■ Physical Extent Size. The physical extent size defines the
smallest unit of a logical volume group, and the maximum size
of a logical volume group. Entering a value of 4 MB allows a
logical volume group of 256 GB.

If you are not sure which values to enter, use the default settings.


After you select OK, the following appears:

You can use the following options in this dialog to add physical
partitions to your logical volume group:
■ Volume Group. Select the volume group from the drop-down
list that you want to add partitions to.
■ Size. Displays the current size of the selected logical volume
group.
■ Remove Group. Deletes the currently selected volume group.
You can delete empty groups only.
■ Add Group. Add a logical volume group.
■ Partition List. Select the partition you want to add to the
volume group.
■ Add Volume. Add the selected partition to the volume group.


■ Remove Volume. Remove the selected partition from the
volume group.

Add partitions to your logical volume group, and then select Next to
continue. The following appears:

You can use the following options in this dialog to create logical
volumes in your logical volume group:
■ Volume Group. Select the volume group from this drop-down
list that you want to create partitions in.
■ Space bar. Displays the available space of the selected volume
group.
■ Volume list. Displays physical partitions and logical volumes in
the system.


■ View all mount points. When you select this option, all
partitions and volumes that have entries in /etc/fstab are
displayed. Otherwise, only the volumes in the selected volume
group are displayed.
■ Add. Adds a new logical volume to the volume group. When
you select Add, the following appears:

This dialog is similar to the Create Partition dialog in the Expert
Partitioner and includes the following options:
■ Format. Lets you choose one of the following options:
■ Do Not Format. Do not format the newly created
volume. Select this option only if you want to change
an existing volume instead of creating a new one.
■ Format. Formats the new volume with the file system
that you select from the drop-down list.


You can choose one of the following file systems:


■ Ext2. Formats the volume with the Ext2 file system.
Ext2 is a dependable file system, but it doesn't include
journaling.
■ Ext3. Formats the volume with the Ext3 file system.
Ext3 is the successor of Ext2 and offers a journaling
feature.
■ FAT. Formats the volume with the FAT file system.
FAT is used by older versions of DOS and Windows.
You can use this option to create a data volume that is
accessible from both Windows and Linux.
■ JFS. Formats the volume with JFS, a journaling file
system developed by IBM.
■ Reiser. Formats the volume with ReiserFS, a modern
journaling file system. (This is the default option.)
■ XFS. Formats the volume with XFS, a journaling file
system originally developed by SGI.
■ Swap. Formats the volume as a swap volume.
If you are not sure which file system to choose, select
Reiser for root and data volumes and Swap for swap
volumes.
■ Options. Select this button to change parameters for
the selected file system. You can use the default
parameters in most cases.
■ Encrypt file system. Select this check box to encrypt
the file system of the volume. You should only use this
option for non-system volumes like user home
directories.
■ Logical volume name. Enter the name of the new logical
volume.
■ Size. Enter the size of the logical volume in this field. Use
M for MB and G for GB. For example, enter 5G for a
volume size of 5 GB.


■ Max. Sets the size to the maximum space available in the
volume group.
■ Stripes. If you choose a value larger than 1 from this drop-
down list, every file written to the volume will be spread in
small pieces (stripes) over all physical devices in the
volume group.
This enhances disk performance by using all available
disks at the same time.
The number of stripes you select must not exceed the
number of physical disks in the system.
If you need more performance than a single disk can
deliver, this might be a good option for you. However, a
real hardware RAID system is normally a much better
choice.
■ Stripe Size. Select the size of a single stripe.
■ Fstab Options. Select this option to edit the fstab entry for
this volume. The default setting should work in most cases.
■ Mount Point. Select the mount point of the new volume
from this drop-down list. You can also enter a mount point
manually if the mount point you want is not available in the
list.
After selecting all options for the new volume, select OK to
add the volume.
■ Edit. Change the parameters of a selected volume.
The dialog to edit a volume has the same options as the dialog
to create volumes (already described). You can also edit logical
volumes directly from the Partition list in the Expert Partitioner.
■ Remove. Remove a selected volume. You can also remove
logical volumes directly from the Partition list in the Expert
Partitioner.

When you are finished with the logical volume setup, select Next to
save the settings and return to the Expert Partitioner.
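The extent arithmetic behind the Physical Extent Size, Size and Stripes fields, as an added example that is not part of the course and not YaST's own code: the 65,536-extent ceiling is the one implied by the 4 MB / 256 GB figure above, and the partition sizes and volume names are constructed.

```python
"""LVM sizing helper for the Manage LVM Volumes section.

Added example, not part of the course material. It works from the chapter's
figures: a 4 MB physical extent allows a 256 GB volume group, which means a
group holds at most 65,536 extents, and the number of stripes of a logical
volume must not exceed the number of physical disks. Partition sizes and
volume names below are constructed.
"""
import re

MAX_EXTENTS = 65536          # 256 GB / 4 MB, as implied by the chapter


def max_vg_size_mb(pe_size_mb):
    """Largest volume group (in MB) for a given physical extent size."""
    return pe_size_mb * MAX_EXTENTS


def pe_size_for_vg(wanted_mb):
    """Smallest power-of-two extent size (MB) whose extent ceiling still
    covers the wanted volume group size."""
    pe = 1
    while max_vg_size_mb(pe) < wanted_mb:
        pe *= 2
    return pe


def size_to_mb(spec):
    """Size as typed into the Add dialog: '5G' or '512M'."""
    m = re.fullmatch(r"(\d+)([MG])", spec)
    if not m:
        raise ValueError("bad size: %r" % spec)
    return int(m.group(1)) * (1024 if m.group(2) == "G" else 1)


def extents_for(spec, pe_size_mb):
    """Round a logical volume size up to whole extents.
    Returns (extents, allocated_mb)."""
    extents = -(-size_to_mb(spec) // pe_size_mb)     # ceiling division
    return extents, extents * pe_size_mb


def plan_volume_group(pe_size_mb, physical_partitions, logical_volumes):
    """physical_partitions: (disk, size_mb) pairs added to the group.
    logical_volumes: (name, size_spec, stripes) triples created in it.
    Returns (free_extents, problems)."""
    problems = []
    # every physical partition contributes whole extents only
    total = sum(size_mb // pe_size_mb for _, size_mb in physical_partitions)
    if total > MAX_EXTENTS:
        problems.append("group would have %d extents, limit is %d; pick a "
                        "larger extent size" % (total, MAX_EXTENTS))
    disks = len({disk for disk, _ in physical_partitions})
    free = total
    for name, spec, stripes in logical_volumes:
        if stripes > disks:
            problems.append("%s: %d stripes but only %d physical disks"
                            % (name, stripes, disks))
        extents, _ = extents_for(spec, pe_size_mb)
        if extents > free:
            problems.append("%s: needs %d extents, only %d free"
                            % (name, extents, free))
            continue
        free -= extents
    return free, problems


# Constructed setup: one 8 GB partition on each of two disks, 4 MB extents.
PHYSICAL = [("sda", 8192), ("sdb", 8192)]
VOLUMES = [("home", "5G", 2), ("srv", "10G", 1)]

if __name__ == "__main__":
    free, problems = plan_volume_group(4, PHYSICAL, VOLUMES)
    print("free extents:", free, "problems:", problems or "none")
```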


Manage EVMS Volumes

To manage EVMS (Enterprise Volume Management System)
volumes, select EVMS in the YaST Expert Partitioner.

EVMS is an approach similar to LVM. The latest versions of both
EVMS and LVM use the device mapper of the kernel to manage
logical volumes. However, YaST's configuration tools are not as
developed for EVMS as they are for LVM, so EVMS is not covered
in as much detail in this section.

The EVMS setup is very similar to the LVM setup with the
exception that logical volume groups are called containers in
EVMS.

After selecting EVMS in the YaST Expert Partitioner, you create a
container and add physical partitions to it. Then you can create
logical volumes in the container, format them with a file system, and
choose a mount point for them.

You can also use striping to enhance the performance of your
EVMS volumes.

Manage Soft RAID Setups

To manage soft RAID (Redundant Array of Inexpensive Disks)
setups, select RAID in the YaST Expert Partitioner.

The purpose of RAID is to combine several hard disk partitions into
one large virtual hard disk for optimizing performance and
improving data security.

There are 2 types of RAID configurations:


■ Hardware RAID. Hard disks are combined by the hard disk
controller. The operating system sees the combined hard disks
as one device. No additional RAID configuration is necessary
at the operating system level.


■ Software RAID. Hard disks are combined by the operating
system. The operating system sees every single disk and needs
to be configured to use them as a RAID system.

Hardware RAID provides better performance and data security than
software RAID, but it is also much more expensive. Use software
RAID to enhance disk performance and security if you cannot
afford a hardware RAID solution.

In this section, you learn how to set up software RAID.

You combine hard disks according to RAID levels. Using YaST you
can set up RAID levels 0, 1, and 5 (RAID levels 2, 3, and 4 are not
available with software RAID):
■ RAID 0. This level improves the performance of your data
access. With RAID 0, 2 hard disks are pooled together. Disk
performance is very good, but the RAID system is vulnerable to
a single point of failure. If one of the 2 disks fails, the system is
destroyed and the data is lost.
■ RAID 1. This level provides enhanced security for your data
because the data is copied to both hard disks. This is also
known as hard disk mirroring. If one disk is destroyed, a copy
of its contents is available on the other disk.
■ RAID 5. RAID 5 is an optimized compromise between RAID 0
and RAID 1 in terms of performance and redundancy. The data
is distributed over the hard disks as with RAID 0, while one
partition saves a checksum of the written data.
If one hard disk fails, it must be replaced as soon as possible to
avoid the risk of losing data. If more than one hard disk fails at
the same time, the data on the disks is lost.

To create software RAID with YaST, do the following:

■ Partition your hard disks. For RAID 0 and RAID 1, at least 2
partitions on different disks are needed (RAID 1 requires exactly 2
partitions, no more). RAID 5 requires at least 3 partitions. We
recommend that you use only partitions of the same size.


■ Set up RAID. Select RAID in the YaST Expert Partitioner to
open a dialog to choose between the RAID levels 0, 1, and 5,
and then add partitions to the new RAID.
Choose a file system and a mount point for your RAID. By
changing the chunk size, you can fine tune the RAID
performance.
Select Persistent Superblock to ensure that the partitions are
recognized as RAID when booting.
After finishing the configuration, the RAID partitions appear in
the partition list of the Expert Partitioner.
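To make the redundancy of the three levels concrete, the following added example (not from the course and not YaST's or the kernel's code) models RAID 0, 1 and 5 on constructed byte blocks, including the XOR checksum that lets RAID 5 rebuild exactly one failed partition and the capacity you get from a given number of equal partitions.

```python
"""RAID 0, 1 and 5 as described in the Manage Soft RAID Setups section.

Added example, not part of the course material. Each level is modelled on
small constructed byte blocks: RAID 0 stripes data over all partitions,
RAID 1 mirrors it, and RAID 5 stores an XOR checksum (parity) so that one
failed partition can be rebuilt while two failures lose the data.
A failed partition is represented by None.
"""

MIN_PARTITIONS = {0: 2, 1: 2, 5: 3}      # minimums stated in the chapter


def usable_size(level, partition_size, count):
    """Capacity of a RAID set built from `count` equal-sized partitions."""
    if count < MIN_PARTITIONS[level]:
        raise ValueError("RAID %d needs at least %d partitions"
                         % (level, MIN_PARTITIONS[level]))
    if level == 1 and count != 2:
        raise ValueError("RAID 1 uses exactly 2 partitions")
    if level == 0:
        return partition_size * count           # no redundancy at all
    if level == 1:
        return partition_size                   # second disk is a copy
    return partition_size * (count - 1)         # one partition's worth is parity


def xor_blocks(blocks):
    """Byte-wise XOR of equally sized blocks; this is the RAID 5 checksum."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


def raid0_write(data_blocks):
    """One stripe: each block goes to its own partition, nothing is duplicated."""
    return list(data_blocks)


def raid1_write(block):
    """Both partitions hold the same block."""
    return [block, block]


def raid5_write(data_blocks):
    """One stripe: data on the first partitions, XOR parity on the last."""
    return list(data_blocks) + [xor_blocks(data_blocks)]


def data_survives(level, stripe):
    """True if one stripe (or mirror pair) is still readable after the
    partitions marked None have failed."""
    failed = sum(1 for b in stripe if b is None)
    if level == 0:
        return failed == 0          # a single failure destroys the set
    if level == 1:
        return failed < len(stripe)
    return failed <= 1              # RAID 5 tolerates exactly one failure


def raid5_recover(stripe):
    """Rebuild the one failed partition of a RAID 5 stripe by XORing the
    survivors (XOR is its own inverse). Raises if more than one failed."""
    if not data_survives(5, stripe):
        raise ValueError("data lost: more than one partition failed")
    rebuilt = list(stripe)
    missing = rebuilt.index(None)
    rebuilt[missing] = xor_blocks([b for b in stripe if b is not None])
    return rebuilt


if __name__ == "__main__":
    stripe = raid5_write([b"ab", b"cd"])        # 3 partitions: 2 data + parity
    print("written :", stripe)
    damaged = [None, stripe[1], stripe[2]]      # first partition fails
    print("rebuilt :", raid5_recover(damaged))
    print("RAID 5 survives two failures:", data_survives(5, [None, None, stripe[2]]))
```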

Create Crypt File Partitions

By selecting Crypt File, you can create an encrypted file system
within a file. This file can be mounted and used like a normal
partition.

You can use a crypt file to securely store confidential data on your
computer.

We do not recommend that you create crypt files during the
installation process, as the file systems to create the crypt file on are
not yet available.

To create a crypt file, start the YaST Partitioning Module after the
installation process has finished.

Perform Expert Tasks

When you select Expert, the following options are available:


■ Reread the partition table. Resets the partition list to the
actual physical disk setup. All changes will be lost.
■ Import mount points from existing /etc/fstab. Scans the hard
disks for an /etc/fstab file. You can load this file and set the
mount points accordingly.


■ Delete partition table and disk label. Deletes the partition
table and the disk label of the selected hard disk. All data on
that disk will be lost.

When you finish configuring settings in the Expert Partitioner,
return to the installation proposal by selecting Next.

Select the Software

SLES 9 contains a number of software packages for various
application purposes. Instead of selecting needed packages one by
one, you can select from four system types with various installation
scopes.

Depending on the available disk space, YaST selects one of the
following predefined systems and displays it in the installation
proposal:
■ Minimal System (only recommended for special purposes). This
includes the core operating system with various services, but
without any graphical user interface. Select this system type
for servers that require little direct user interaction.
■ Minimal Graphical System (without KDE). If you do not want
the KDE desktop or if there is insufficient disk space, install
this system type. The installed system includes the X Window
System and a basic window manager. You can use all programs
that have a graphical user interface.
■ Default System (with KDE). This system type includes the
KDE desktop, most of the KDE programs, and the CUPS print
server. If possible, YaST selects this system type by default.
■ Full Installation. This system type includes all packages that
ship with SLES 9, except those that create dependency conflicts.


You need to understand the following terms to understand YaST
software management:
■ Package. An RPM file, which is available on the SLES 9
installation media. A package typically contains an application
and all additional files required to use the software.
Sometimes larger applications can be split into multiple
packages and several small applications can be bundled into a
single package.
■ Dependencies. Sometimes one software package needs another
one to run. These dependencies are stored in the RPM
packages. YaST can automatically select software packages
when another package requires them.

When you select Software in the installation proposal, a dialog
appears that lets you change the preselected system type to a
different one.

Select Detailed selection to start the YaST Package Manager:


You can select the following options in this dialog to configure
software selections:
■ Filter. The Package Manager can display different views of the
available software packages. These views are displayed in the
area below the drop-down list and include the following:
■ Selection. Displays the packages in logical selections. All
packages in the selection can be installed by selecting the
check box.
■ Package Groups. Displays the packages in a hierarchical
tree view.
■ Search. Displays a search dialog to search for packages.
■ Installation Summary. Displays a summary of the
packages selected for installation.
■ Individual package list. Individual packages are listed on the
right side of the Package Manager window. The content of this
list depends on the filter selection.
You can install a package by selecting the check box for that
package.
Details for the currently selected package are displayed below
the package list.
■ Disk usage. The disk usage of the currently selected software
package is displayed in the lower left corner of the Package
Manager window.
■ Check Dependencies. Select this option to check the
dependencies of the selected packages. This check is also done
when you confirm the package selection dialog.
■ Autocheck. If this check box is selected, dependencies are
checked every time you select or deselect a package.

Confirm your package selection and return to the installation
proposal by selecting Accept.


Configure the Boot Loader

During installation, YaST proposes a boot configuration for your
system. Normally, you should leave these settings unchanged.
However, if you need a custom setup, you can modify the proposal.

To change the configuration of the boot loader, select Booting in
the installation proposal to display the following:

This dialog lists the current boot loader configuration settings with
3 columns for each setting:
■ Ch. Indicates whether an entry has been changed.
■ Option. Displays the boot loader option.
■ Value. Displays the value of the option.


Below the list, there are several buttons:


■ Add. Adds an additional option.
■ Edit. Edits the selected option.
■ Delete. Deletes an option.
■ Reset. Provides the following options:
■ Propose New Configuration. Generates a new
configuration suggestion. Older Linux versions or other
installed operating systems are added to the boot menu.
■ Start from Scratch. Enables you to create the entire
configuration from scratch. No suggestions are generated.
■ Propose and Merge with Existing GRUB Menus. If
another Linux version is installed on the system, the boot
menu can be transferred from that installation. You cannot
do this if LILO is used as boot loader.

You can use Edit Configuration Files to edit the configuration files
in a text editor. When you finish, save your changes by selecting
OK.

For less experienced users, the configuration with YaST is easier
than editing the files directly. Select a boot loader option in the list
and select Edit to open a dialog to change the settings. Confirm the
changes and return to the Boot Loader Setup menu by selecting
OK.

The available options in the Boot Loader Setup dialog depend on
the boot loader used. The following introduces some options of the
default boot loader GRUB:
■ Boot Loader Type. Use this option to switch between GRUB
and LILO. You can also create a new configuration from
scratch or generate and edit a suggestion for a configuration.


■ Boot Loader Location. Use this dialog to define where to
install the boot loader:
■ In the master boot record (MBR)
■ In the boot sector of the boot partition (if available)
■ In the boot sector of the root partition
■ On a floppy disk
■ Use Others to manually specify a different location
■ Disk Order. If your computer has more than one hard disk,
specify the boot sequence of the disks as defined in the BIOS
setup of the machine.
■ Default Section. Sets the kernel or operating system that
should be booted by default. The selected system is booted after
a timeout. Select Edit to display a list of all boot menu entries.
Select an entry from the list and select Set as Default.
■ Available Sections. Lists all existing entries of the boot menu.
■ Activate Boot Loader Partition. Activates the partition whose
boot sector holds the boot loader.
■ Replace Code in MBR. Specifies whether to overwrite the
MBR. This might be necessary if you have changed the location
of the boot loader.
■ Back up Affected Disk Areas. Backs up the changed hard disk
areas.
■ Add Saved MBR to Boot Loader Menu. Adds the backed up
MBR to the Boot Loader menu.

Use Time-out to define how many seconds the boot loader should
wait for keyboard input before the default system is booted. You can
specify a number of other options with Add. However, these options
require a thorough understanding of the boot loader and are not
covered here.

After finishing the boot loader configuration, return to the
installation proposal by selecting Finish.


Start the Installation Process

After customizing the installation proposal, select Accept. A dialog
appears asking you to confirm the proposal. Start the installation
process by selecting Yes, install, or return to the installation
proposal by selecting No.

Before installing software packages, YaST changes the hard disk
partitioning.

Depending on your software selection and the performance of your
system, the installation process takes 15–45 minutes.

During the installation, YaST asks you to change the installation
CDs. Insert the requested CD and continue the installation by
selecting OK.

After all software packages are installed, YaST reboots the
computer and lets you make configuration changes.


Objective 2 Configure the SLES 9 Installation

In this part of the installation process, you use YaST to perform the
following configuration tasks:
■ Set the root Password
■ Configure the Network
■ Test the Internet Connection
■ Perform an Online Update
■ Configure Network Services
■ Manage Users
■ Configure Hardware
■ Finalize the Installation Process

Set the root Password

root is the name of the superuser, the administrator of the system.
Unlike regular users, who might not have permission to do certain
things on the system, root has unlimited power to do anything,
including the following:
■ Access every file and device in the system
■ Change the system configuration
■ Install programs
■ Set up hardware

The root account should only be used for system administration,
maintenance, and repair. Logging in as root for daily work is risky:
a single mistake can lead to irretrievable loss of many system files.


To let you set the root password during the installation process,
YaST displays the following dialog:

Enter the same password in both text fields of the dialog.

You should choose a password that cannot be guessed easily. Use a
mix of numbers, lowercase characters, and uppercase characters so
that the password resists dictionary attacks.

By selecting Expert Options, you can choose the password
encryption algorithm. In most cases, you can keep the default
setting.

After entering the root password, continue to the next configuration
step by selecting Next.


Configure the Network

To let you configure the network connection of your system, YaST
displays the following:

In the top part of the dialog, you can choose one of the following
options:
■ Skip Configuration. Skip the network configuration for now.
You can configure the network connection later in the installed
system.
■ Use Following Configuration. Use the network configuration
proposal displayed in the area below.


The network configuration proposal is similar to the installation
proposal at the beginning of the base installation, and includes the
following entries:
■ Network Interfaces. Displays the configuration of the network
interfaces (such as Ethernet or a Wireless-LAN adapter).
■ DSL Connections. Displays the configuration of DSL
devices. These can be DSL modems connected with an Ethernet
adapter or internal DSL modems.
■ ISDN Adapters. Displays the configuration of ISDN devices.
■ Modems. Displays the configuration of analog modems.
■ Proxy. Displays the HTTP and FTP proxy settings.
■ VNC Remote Administration. Displays the configuration of
remote administration using VNC.

You can change a configuration by selecting the headline of the
entry or by selecting the entry from the Change drop-down list. This
list also lets you reset all settings to the defaults generated by YaST.

If you are not sure which settings to use, stay with the defaults
generated by YaST.

Configure Network Interfaces

After starting the network interface configuration, YaST displays a
general network configuration dialog. The top part lists all network
cards that were detected but are not configured yet. Devices that
could not be detected are listed as Other (not detected).

The bottom part of the dialog lists configured devices.

At this point, you can do one of the following:
■ Configure a Network Card Manually
■ Change an Existing Configuration


Configure a Network Card Manually

If you want to configure a network card that was not automatically
detected, select Other (not detected) to display the following:

From this dialog, you can configure the following:
■ Device Type. Specifies the network device type and the device
number.
■ Kernel Module. If your network card is a PCMCIA or USB
device, select the corresponding check boxes and confirm by
selecting Next.
Otherwise, select Select from List and select your network
card from the list. YaST automatically loads the appropriate
driver for the selected card. Confirm by selecting Next.


■ Wireless Settings. If you are within the reach of a wireless
network and your network card is designed for this wireless
network type, select Wireless Settings to set the operating
mode, the network name (ESSID), the network identifier
(NWID), the encryption key, and a nickname.
After setting these options, confirm by selecting OK.

When you are finished with this dialog, select Next.

Change an Existing Configuration

After configuring a network card manually, or selecting an
automatically detected card, the Network Setup dialog appears with
the following options:
■ Automatic Address Setup (via DHCP). If your network has a
DHCP server, you can set up your network address
automatically. You should also use this option if you are using a
DSL line with no static IP address assigned by the ISP.
If you decide to use DHCP, you can configure the details after
selecting DHCP Client Options from the Advanced drop-down
list. Specify whether the DHCP server should always broadcast
its responses and any identifier to use.
By default, DHCP servers use the network card's hardware
address to identify an interface. If you have a virtual host setup
where different hosts communicate through the same interface,
an identifier is necessary to distinguish them.
■ Static Address Setup. If you have a static address, select the
corresponding check box. Then enter the address and subnet
mask for your network. The preset subnet mask should match
the requirements of a typical home network.
■ Host name and name server. Select this option to set the host
name and the name server manually.
■ Routing. Select this option to configure routing manually.


Confirm the network device setup and return to the network device
overview by selecting Next. Then save the network device setup
and return to the network configuration proposal by selecting
Finish.
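As an added example (not from the course manual and not part of YaST), the following POSIX shell script performs the check an administrator would want before confirming the values entered under Static Address Setup and Routing: it validates the IP address and the subnet mask, and verifies that the default gateway lies inside the configured subnet, which is the usual reason for the "no route to the Internet" failure listed in the troubleshooting table later in this section. The function names and all addresses in it are the example's own, constructed values.

```shell
#!/bin/sh
# Added example: pre-flight check for a static address, netmask and
# default gateway. Not part of YaST; all addresses are constructed.

# ip_to_int A.B.C.D -> prints the 32-bit value of the address.
# Exits 1 on a malformed address (wrong number of octets, non-digit
# characters, or an octet greater than 255). The body runs in a
# subshell so the IFS change does not leak into the caller.
ip_to_int() (
    IFS=.
    set -- $1
    [ $# -eq 4 ] || exit 1
    for octet in "$@"; do
        case $octet in
            ''|*[!0-9]*) exit 1 ;;
        esac
        [ "$octet" -le 255 ] || exit 1
    done
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
)

# valid_netmask MASK -> 0 if the mask is a contiguous run of one bits
# followed by zero bits (e.g. 255.255.255.0), 1 otherwise.
valid_netmask() {
    mask=$(ip_to_int "$1") || return 1
    inverted=$(( ~mask & 4294967295 ))
    # A contiguous mask inverted is 2^n - 1, so inverted & (inverted+1) == 0.
    [ $(( inverted & (inverted + 1) )) -eq 0 ]
}

# same_subnet IP MASK GATEWAY -> 0 if IP and GATEWAY share the network
# selected by MASK, 1 if they do not, 2 if any argument is malformed.
same_subnet() {
    ip=$(ip_to_int "$1") || return 2
    valid_netmask "$2" || return 2
    mask=$(ip_to_int "$2")
    gw=$(ip_to_int "$3") || return 2
    [ $(( ip & mask )) -eq $(( gw & mask )) ]
}

# check_static_setup IP MASK GATEWAY -> prints a verdict, returns the
# same status as same_subnet.
check_static_setup() {
    if same_subnet "$1" "$2" "$3"; then
        echo "OK: gateway $3 is reachable from $1 with netmask $2"
    else
        status=$?
        echo "ERROR: gateway $3 is not in the subnet of $1/$2 (status $status)"
        return $status
    fi
}

# Usage with constructed values (the second call is expected to fail).
check_static_setup 10.0.0.15 255.255.255.0 10.0.0.1
check_static_setup 10.0.0.15 255.255.255.0 10.0.1.1 || :
```

If the check reports an error for values handed out by an instructor or a network administrator, the mistake is almost always a wrong subnet mask or a gateway typed into the wrong octet; fixing it before selecting Finish avoids the failed connection test and Online Update described later in this section.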

After finishing the Network Configuration, select Next.

Test the Internet Connection

YaST then asks you to test your connection to the Internet. Select
one of the following options:
■ Yes, Test Connection to the Internet. YaST tries to test the
Internet connection by downloading the latest release notes and
checking for available updates.
If you select this option, the results are displayed on the next
dialog.
■ No, Skip This Test. Skip the connection test. If you skip the
test, you can't update the system during installation.

Select one of the options and select Next.

Perform an Online Update

If the Internet connection test was successful, you can select
whether to perform a YaST online update. If there are any update
packages available on the SUSE update servers, you can download
and install them now to fix known bugs or security issues.

To perform the software update, select Perform Update Now, and
then select OK. YaST's online update dialog opens with a
list of available patches (if any). Select the patches you want to
install, and then start the update process by selecting Accept.

You can also select Skip Update to perform the update later in the
installed system.


Configure Network Services

In the next installation step, YaST displays the Service
Configuration dialog.

In the top part of the dialog, you can choose one of the following
options:
■ Skip Configuration. Skip this configuration step. You can
enable the services later in the installed system.
■ Use Following Configuration. Use the automatically
generated configuration displayed below this option or select
one of the following headlines to change the configuration:
■ CA Management. The purpose of a CA (certificate
authority) is to guarantee a trust relationship among all
network services that communicate with each other.
If you decide that you do not want to establish a CA, you
must secure server communications using SSL and TLS
separately for each individual service.
By default, a CA is created and enabled during the
installation.
■ LDAP Server. You can run an LDAP service on your host
to have a central facility managing a range of configuration
settings. Typically, an LDAP server handles user account
data, but with SLES 9, you can also use LDAP for mail,
DHCP, and DNS related data.
By default, an LDAP server is set up during installation. If
you decide not to use an LDAP server, the YaST mail
server module does not work because it depends on LDAP.
However, you can still set up a mail server on your system
using the Mail Transfer Agent module.

If you are not sure about the correct settings, keep the defaults
generated by YaST. You can change the configuration later in the
installed system.

When you are finished, select Next.


Manage Users

To manage users during this configuration step, do the following:
■ Select the Authentication Method
■ Add Users to the Systems

Select the Authentication Method

YaST displays the following dialog to configure the authentication
method:

You can select one of the following options:
■ NIS. If you have a NIS server in your network, you can
configure your system as a NIS client.


■ LDAP. If you have an LDAP server in your network, you can
configure your system as an LDAP client. You can also use the
previously started LDAP server on the local host.
■ Local (/etc/passwd). Select this option to configure the system
to use the traditional file-based authentication method.

If you are not sure which method to select, stay with LDAP, which
is the default for SLES 9.

After selecting an authentication method, select Next.

Add Users to the Systems

Depending on which authentication method you select, you use one
of the following to add users to the system:
■ Configure the Host as a NIS Client
■ Configure the System as LDAP Client
■ Add Local Users


Configure the Host as a NIS Client

If you chose NIS as the authentication method, the following
appears:

From this dialog, you can set up your system as a NIS client with the
following options:
■ NIS client. Select whether the host has a fixed IP address or is
assigned an IP address by DHCP. If you select DHCP, you cannot
specify an NIS domain or an NIS server address manually,
because these are provided by the DHCP server.
If a static IP address is used, specify the NIS domain and the
NIS server manually.
To search for NIS servers broadcasting in the network, select
Find.
For each domain, select Edit to specify several server addresses
or enable the broadcast function on a per-domain basis.


■ Expert. Select this option to display the Expert Setting dialog.
Select Answer to the Local Host Only to prevent other
network hosts from being able to query which server your client
is using.
Select Broken Server to accept responses from servers on
unprivileged ports.
■ Start Automounter. If your NIS server provides information
about the automatic mounting of file systems (such as home
directories), you can start the automounter and use this
information for it.

After configuring the NIS client settings, select Finish.

Configure the System as LDAP Client

If you select LDAP as authentication method, the following
appears:


From this dialog, you can configure your system as an LDAP client.
The default configuration uses the locally installed LDAP server.

You can change the configuration with the following options:
■ LDAP client. You can configure the following:
■ LDAP base DN. Enter the search base on the server.
■ Addresses of LDAP Servers. Enter the address of the
LDAP server.
■ LDAP TLS/SSL. Select this option to encrypt the
communication with the LDAP server.
■ LDAP Version 2. Select this option if your LDAP server
only supports LDAP version 2. By default, LDAP version 3
is used.
■ Start Automounter. If your LDAP server provides information
about the automatic mounting of file systems (such as home
directories), you can start the automounter and use the
automount information from the LDAP server.
■ Advanced Configuration. Select this option to change
advanced LDAP settings.

If you are not sure how to configure the LDAP setting and you want
to use the locally installed LDAP server, keep the default settings.

When you have finished the LDAP configuration, select Next.

A dialog appears to add a user to the local LDAP server, which
includes the same fields as the Add Local Users dialog.


Add Local Users

If you select Local as the authentication method, the following
appears:

You can use the following in this dialog to add local users to the
system (account information is stored in the files /etc/passwd and
/etc/shadow):
■ User Data. Enter the full user name, the login name, and the
password.
To provide effective security, a password should be 5-8
characters long. The maximum length for a password is 128
characters. However, if no special security modules are loaded,
only the first eight characters are used to distinguish the password.
Passwords are case-sensitive. Special characters are allowed,
but they might be hard to enter depending on the keyboard
layout. Other special characters (such as 7-bit ASCII) and the
numbers 0-9 are allowed.


■ Password Settings. Select this option to change advanced
password settings (such as password expiration). The default
settings are suitable in most cases.
■ Details. Select this option to edit details of the user account.
The default settings are suitable in most cases.
■ Receive System Mail. Select this option to forward all emails
to this user. Usually system notifications are only sent to the
root user.
■ Automatic Login. Select this option to enable automatic login
for this user. This option logs in the user automatically (without
requesting a password) when the system starts.
You should not enable this feature on a production system.
■ User Management. Select this option to add more users (with the
YaST User Management module).

You can add other users later (after installation), but you should create at
least 1 user during installation so you don't have to work as the user root
after the system has been set up.

After you enter all required information, select Next.
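The Expert Options choice of password encryption algorithm in the root password step and the note above that only the first eight password characters count when no special security modules are loaded describe the same thing: the traditional DES crypt(3) scheme, whose 13-character hashes without a "$" prefix cover only the first eight characters, as opposed to the MD5 ("$1$") and Blowfish ("$2a$") schemes, which hash the whole password. As an added example (not from the course manual and not part of YaST), this POSIX shell script reads /etc/shadow-style lines and reports the scheme each account uses, so an administrator can find accounts whose passwords still need to be reset after the algorithm has been changed. The sample entries are constructed, and the function names are the example's own.

```shell
#!/bin/sh
# Added example: classify the password hash scheme of each account in an
# /etc/shadow-style file. Not part of YaST; the sample entries below are
# constructed, not taken from a real system.

# Constructed /etc/shadow sample: one Blowfish, one MD5, one traditional
# DES hash, one account locked with "*" and one locked with "!".
sample_shadow() {
    cat <<'EOF'
root:$2a$05$MDAxMjM0NTY3ODlhYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5eg:12500:0:99999:7:::
geeko:$1$Xy3lsalt$aBcDeFgHiJkLmNoPqRsTu.:12500:0:99999:7:::
legacy:ab6rGkDpCtLcs:12500:0:99999:7:::
daemon:*:12500:0:99999:7:::
tux:!:12500:0:99999:7:::
EOF
}

# classify_shadow reads shadow lines on stdin and prints "user scheme",
# where scheme is DES (only the first 8 password characters matter),
# MD5, BLOWFISH, LOCKED (no usable hash) or UNKNOWN.
classify_shadow() {
    awk -F: '
    {
        user = $1; hash = $2
        if (hash == "" || hash == "*" || substr(hash, 1, 1) == "!")
            scheme = "LOCKED"
        else if (substr(hash, 1, 3) == "$1$")
            scheme = "MD5"
        else if (substr(hash, 1, 4) == "$2a$")
            scheme = "BLOWFISH"
        else if (length(hash) == 13 && hash ~ /^[.\/0-9A-Za-z]+$/)
            scheme = "DES"
        else
            scheme = "UNKNOWN"
        print user, scheme
    }'
}

# des_accounts prints only the accounts still using the DES scheme; these
# are the accounts whose passwords should be set again after switching
# the algorithm, because an existing hash is never converted in place.
des_accounts() {
    classify_shadow | awk '$2 == "DES" { print $1 }'
}

# Usage on the constructed sample.
sample_shadow | classify_shadow
echo "Accounts to re-hash: $(sample_shadow | des_accounts)"
```

On an installed system the same check runs as root with `classify_shadow < /etc/shadow`; the file is readable only by root, which is also why the script never copies it anywhere.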


Configure Hardware

Next, you configure the hardware of the system from the following
dialog. The configuration proposal contains the following items:
■ Graphics Cards. Displays the graphic card and monitor setup.
■ Printers. Displays the printer and printer server settings.
■ Sound. Displays the configuration of the sound card.

To change the automatically generated configuration, select the
headline of the item you want to change, or select the corresponding
entry in the Change drop-down list.

You can also use the Change drop-down list to reset all settings to
the automatically generated configuration proposal.


You can skip the hardware configuration at this time and configure
your devices later in the installed system. However, if the settings of
the graphics card in the configuration proposal are not correct, you
should change them now to avoid problems during the first system
start.

Configure the Graphics Card

If you select the headline Graphics Cards, YaST starts the SaX2
configuration tool to configure the graphics card settings. The
following appears:


In the left navigation bar, the following main items are displayed:
■ Display. Configure your monitor, graphics card, color depth,
resolution, and the position and size of the screen.
■ Input Devices. Configure the keyboard, mouse, touchscreen
monitor, and graphics tablet.
■ Multihead. Configure multiple screens.
■ AccessX. Configure AccessX to control the mouse pointer with
the keyboard.

The first 3 items have subitems that are displayed on the right side
of the dialog, or you can access them by selecting the + character in
front of every item.

In most cases, the automatically generated configuration should be
correct, although you might need to do the following:
■ Change the Monitor Settings
■ Change the Color Depth and Resolution Settings

Change the Monitor Settings

If the installation does not detect your monitor, you can change the
monitor model.

Select Display on the left side of the dialog; then select Monitor on
the right side of the dialog. At the bottom of the dialog, change the
monitor settings by selecting Change Configuration.


On the next dialog, select Properties. The following appears:

The dialog has three pages:
■ Monitor-Model. Select your monitor model on this page. If
your model is not listed, you can also select one of the VESA or
LCD standard settings.
■ Frequencies. The frequency settings are usually determined by
the chosen monitor model. If those settings are not correct, you
can change them manually.
Make sure that the frequency settings are within the limits of your
monitor. Your monitor could be ruined if you use inappropriate
settings.

■ Expert. You can change some expert settings like the Modeline
Algorithm or the Display size.


After selecting the correct monitor model, return to the overview by
selecting OK and Finish.

Change the Color Depth and Resolution Settings

You can change the color or resolution settings by selecting
Desktop and Color and Resolution.

From the next dialog, select Properties. The following appears:

The dialog provides the following pages:
■ Colors. Select the color resolution from the drop-down list.
■ Resolution(s). Select one or more resolutions from the list. The
graphic engine always starts with the highest selected
resolution. You can change to lower selected resolutions during
runtime.
■ Expert. You can add user defined resolutions to the Resolutions
list. This can be useful for nonstandard sized displays or
monitors.
Make sure that your monitor can handle all of the selected resolutions.
Otherwise your monitor could be ruined when the graphic engine starts up.


Change the color and resolution settings; then return to the
configuration overview by selecting OK and Finish.

Select Finalize after making all changes. Confirm the next dialog
by selecting Test.

The X Server starts up and the following appears:

You can use this dialog to fine tune the X Server settings such as
changing the position and the size of the displayed area.

When you are done, select Save.


Finalize the Installation Process

Confirm your hardware settings by selecting Next, and then select
Finish. The system starts the graphical login screen, where you can
log in with your previously created user.

SLES 9 is installed on your system.


Objective 3 Troubleshoot the Installation Process

SLES 9 has been installed and tested on many different machines
and hardware platforms. However, sometimes problems can occur.

The following table contains an overview of the most common
installation problems, possible causes, and solutions:

Problem: The system does not start from the installation media.
  Cause: The system is not configured to boot from the CD or DVD
  drive.
  Solution: Enter the BIOS setup of the system and choose the CD or
  DVD drive as the first boot drive. Read the system manual for
  details about the BIOS setup.
  Cause: The CD or DVD drive is defective.
  Solution: Try to boot a different system with SLES 9 CD 1. If it
  works, the CD or DVD drive of the actual system might be
  defective.
  Cause: The installation CD or DVD is defective.
  Solution: If the installation CD does not boot on a different
  system, the CD or DVD itself could be defective. Contact your
  reseller to exchange the SLES 9 CD or DVD set.

Problem: The installation program does not start.
  Cause: Your system does not support newer hardware features
  correctly.
  Solution: Select Installation – ACPI Disabled. If that doesn't fix
  the problem, select Installation – Save Settings from the Boot
  menu of the CD or DVD.
  Cause: Your system has less than 256 MB of main memory.
  Solution: Install at least 256 MB of main memory and start the
  installation again.

Problem: The installation process stops.
  Cause: Your system does not support newer hardware features
  correctly.
  Solution: Select Installation – ACPI Disabled. If that doesn't fix
  the problem, select Installation – Save Settings from the Boot
  menu of the CD or DVD.
  Cause: The installation CD or DVD is defective.
  Solution: If the installation process also stops on a different
  system, the CD or DVD could be defective. Contact your reseller
  to exchange the SLES 9 CD or DVD set.

Problem: The network connection test or Online Update fails.
  Cause: There is no DHCP server in the network.
  Solution: If you configured your network card to use DHCP, assign
  a static IP address and configure routing and DNS settings
  manually.
  Cause: There is no route to the Internet.
  Solution: Set the default gateway correctly.
  Cause: The system is using the wrong proxy settings.
  Solution: Set the right proxy configuration in the network
  configuration dialog.
  You can also skip the connection test and the Online Update and
  perform an Online Update in the installed system.

Problem: The graphical login does not appear after the installation
is completed.
  Cause: You are using the wrong X11 configuration.
  Solution: Change to a text terminal and change to run level 3.
  Start SaX2 from the command line and correct the X11
  configuration. Change back to run level 5 to get a graphical
  login screen.


Exercise 1-1: Install SLES 9

In this exercise, you install SLES 9 by doing the following:
■ Part I: Boot From the Installation Media
■ Part II: Start the Installation Proposal
■ Part III: Create an Extra Partition for the /srv Directory
■ Part IV: Add Compiler and Development Tools to the Software
Selection
■ Part V: Start the Installation Process
■ Part VI: Set the root Password
■ Part VII: Set Up the Network
■ Part VIII: Set Up Services and Users
■ Part IX: Configure Hardware Devices
■ Part X: Configure NTP
■ Part XI: Update Your SLES 9 Server With YOU

Part I: Boot From the Installation Media

Do the following:
1. Turn on the computer.
2. Insert the SLES 9 CD 1 into the CD-ROM drive.
3. Reboot the computer by selecting the Reset button or
by pressing Ctrl+Alt+Del.
4. (Conditional) If your computer does not boot from the
CD-ROM drive, adjust the BIOS settings and reboot the
computer.
5. When the GRUB installation screen appears, select Installation
with the arrow keys and press Enter.


Part II: Start the Installation Proposal

Do the following:
1. When YaST displays the Novell Software License
Agreement, select I Agree.
2. From the language selection dialog, select your language; then
select Accept.
Although you can select any available language, the exercises in this
manual are written for English US.

3. (Conditional) If an installation mode dialog appears, select New
installation; then select OK.
An Installation Proposal dialog appears.
4. Scroll down to and select Keyboard layout.
5. Select your keyboard layout; then select Accept.
You are returned to the Installation Proposal dialog.
6. Scroll down to and select Time zone.
7. Select your region; then select your time zone.
8. Make sure that the hardware clock is set to UTC; then select
Accept.

Part III: Configure the Partitions for Your Hard Drive

Do the following:
1. Change the partitioning settings by scrolling to and selecting
Partitioning.
2. Select Create custom partition setup; then select Next.
3. Select Custom partitioning -- for experts; then select Next.


4. Delete existing partitions:
a. From the Expert Partitioner dialog, check for any existing
partitions in the partition list.
b. If there are partitions, select the hard disk entry of the
corresponding partitions (such as hda or hdc).
c. Delete all existing partitions on the selected hard disk by
selecting Delete.
d. When you are asked to confirm the deletion, select Yes.
e. (Conditional) If there is more than one hard disk containing
partitions in the system, repeat Steps b, c, and d until only
the hard disk entries are left in the list.
5. Create a swap partition:
a. From the partition list, select the hard drive entry; then
select Create.
If you have more than one hard disk, select the larger disk.
b. Select Primary partition; then select OK.
c. In the End field of the size settings enter +512M.
d. From the File system drop-down list, select Swap.
e. Add the swap partition by selecting OK.
6. Create the root partition:
a. Select the same hard disk you used for the swap partition;
then select Create.
b. Select Primary partition; then select OK.
c. In the End field of the size settings enter +6GB.
d. Make sure that the following options are set:
• Reiser should be selected from the File system drop-
down list.
• / should be selected from the Mount Point
drop-down list.
e. Add the root partition by selecting OK.


7. Create a partition for the directory /srv (used in the Apache and
Samba server exercises):
a. Select the same hard disk you used for the swap and root
partitions; then select Create.
b. Select Primary partition; then select OK.
Leave the size settings as suggested by YaST. The last
partition will use the rest of the available hard disk space.
c. Make sure that the File system drop-down list is set to
Reiser.
d. From the Mount Point drop-down list, select /srv.
e. Add the /srv partition by selecting OK.
8. Confirm the partitioning setup and return to the installation
proposal by selecting Next.

Part IV: Add Compiler and Development Tools to the Software
Selection

Do the following:
1. From the installation proposal dialog, scroll to and select
Software.
2. Select Detailed selection.
3. In the list on the left side of the package selection dialog, select
C/C++ Compiler and Tools.
4. Return to the installation proposal by selecting Accept.

Part V: Start the Installation Process

Do the following:
1. From the installation proposal, select Accept.
2. From the confirmation dialog, select Yes, install.
YaST asks you to change CDs during the installation process.


3. Insert the requested CD and select OK.

Part VI: Set the root Password

Do the following:
1. In the first field, enter novell.
2. In the second field, enter novell.
You are warned that the password is too simple.
3. Continue by selecting Yes.
You are warned that you are using only lowercase letters.
4. Continue by selecting Yes.
5. Continue by selecting Next.

Part VII: Set Up the Network

Do the following:
1. Request the following information for your computer from your
instructor:
• IP address:
• Network mask:
• Host name:
• Domain name:
• Name server:
• Default gateway:
2. From the Network Configuration proposal, select Network
Interfaces.

3. Do one of the following:
■ If your network card appears in the Network cards to
configure list, select Configure; then select the first
detected network card and select Configure.
or
■ If your network card appears in the Already configured
devices list, select Change; then select your network card
and select Edit.
4. Select Static address setup.
5. In the IP Address field, enter your IP address.
6. In the Subnet mask field, enter your subnet mask.
7. Configure the host name and name server:
a. Select Host name and name server.
b. Enter your host name.
c. Enter your domain name.
d. In the Name Server 1 field, enter the IP address of the
name server.
e. Return to the Network setup dialog by selecting OK.
8. Configure routing:
a. Select Routing.
b. In the Default Gateway field, enter the IP address of the
default gateway.
c. Return to the Network setup dialog by selecting OK.
9. Return to the Network Configuration dialog by selecting Next.
10. Continue with the installation by selecting Finish; then select
Next.
11. From the Test Internet Connection dialog, select No, Skip This
Test; then select Next.

Part VIII: Set Up Services and Users

Do the following:
1. From the Service Configuration dialog, accept the default
settings by selecting Next.
2. For the authentication method, select LDAP; then select Next.
3. Accept the defaults in the LDAP Client Configuration dialog
by selecting Next.
4. Add a user:
a. First Name: Geeko
b. Last Name: Novell
c. User Login: geeko
d. Password: N0v3ll (a zero, not an uppercase O)
e. Verify password: N0v3ll
5. Create the user by selecting Next.

Part IX: Configure Hardware Devices

Do the following:
1. From the Release Notes dialog, select Next.
2. Adjust the monitor settings:
a. Review the information displayed below the Graphics
Cards entry of the Hardware Configuration proposal.
Make sure that the monitor model, the resolution, and the
refresh rate are appropriate for your hardware.
b. (Conditional) If the settings are correct, select Next and
skip the following steps for monitor configuration and go to
Step 3.
c. If the automatically generated settings are not appropriate,
select Graphics Cards.

d. From the left side of the dialog, change the monitor model
by expanding Desktop; then select Monitor.
e. Select Change configuration.
f. From the next dialog, select Properties.
g. From the left side, select your vendor; from the right side,
select your model.
h. (Conditional) If your model is not in the list, select one of the generic LCD or VESA entries. (You can also enter the frequencies manually on the Frequencies page of the dialog.)
i. Continue by selecting OK.
j. Select Finish.
k. Change the color and resolution settings by selecting
Color and Resolution on the left; then select Change
configuration.
l. From the next dialog, select Properties.
m. From the drop-down list, select your desired color
resolution.
n. From the Resolutions page, select your desired display
resolution (deselect all other resolutions).
o. Continue by selecting OK.
p. Select Finish.
q. Finish the monitor setup by selecting Finalize.
r. Test the new settings by selecting Test.
If the screen does not display properly, press
Ctrl+Alt+Backspace, then repeat the above steps to adjust
the selected settings.
s. Adjust Size and Position.
t. When you are finished, select Save; then select OK.
3. From the Hardware Configuration dialog, select Next.
4. Complete the installation process by selecting Finish.

Part X: Configure NTP

Do the following:
1. When the GUI login screen appears, log in as geeko with a password of N0v3ll.
2. From the KDE desktop, select the YaST icon; then enter a password of novell and select OK.
3. From the YaST Control Center, select Network Services > NTP Client.
4. Select When Booting System.
5. In the NTP Server field, enter 10.0.0.254.
6. Select Finish.

Part XI: Update Your SLES 9 Server With YOU

As a post-installation procedure, you want to make sure you have updated your installation with the latest patches available from Novell SUSE LINUX.

In this part of the exercise, you update your SLES 9 installation using a YOU server available on DA1.

Do the following:
1. From the YaST Control Center, select Software > Online
Update.
The Welcome to YaST Online Update dialog appears.
2. From the Installation source drop-down list, select User-Defined
Location.
3. In the Location field, enter http://DA1/YOU.
4. Continue by selecting Next.

The YOU update dialog appears with all the patches available.
From this dialog you can filter the patch list view and select or
deselect the patches you want to install.
5. From the YaST Online Update patch list, make sure the Optional patches (black) are deselected.
6. Make sure all the Security (red) and Recommended (blue) patches are selected.
7. Continue by selecting Accept.
One or more warning messages appear.
8. For each warning message, select Install Patch.
YaST downloads and installs the patches.
9. When the process is complete (or while it is running), select Remove Source Packages after Update.
10. When the patches have been installed, update the system configuration by selecting Finish.
11. End the KDE session by pressing Ctrl+Alt+Del; then select Logout.
You are returned to the GUI login screen.
12. Select Menu > Shutdown.
13. Select Restart computer and enter a password of novell; then select OK.
14. After the system reboots, log back in to the KDE desktop as geeko with a password of N0v3ll.

(End of Exercise)

Summary
The following is the summary of the objectives.

Objective 1: Perform the SLES 9 Base Installation
In the base installation, the hard disks are prepared and the software packages are installed. The following tasks belong to the base installation step:
■ Boot from the installation media
■ Select the language
■ Select the installation mode
■ Understand and change the installation proposal
■ Perform hard disk partitioning
■ Configure LVM devices
■ Change the software selection
■ Configure the boot loader
■ Launch the installation process

Objective 2: Configure the SLES 9 Installation
In the configuration step, you customize and configure the installed system. The following tasks belong to the configuration step:
■ Set the root password
■ Configure the network
■ Test the Internet connection
■ Perform the Online Update
■ Configure Network Services
■ Manage Users
■ Configure Hardware
■ Finalize the Installation Process

Objective 3: Troubleshoot the Installation Process
SLES 9 has been installed and tested on many different machines and hardware platforms. However, installation problems can still occur. Common causes are the following:
■ The system is not configured to boot from the CD or DVD drive.
■ The CD or DVD drive is defective.
■ The installation CD or DVD is defective.
■ The system does not support newer hardware features (ACPI) correctly.
■ There is no DHCP server in the network.
■ There is no route to the Internet.
■ You are using the wrong proxy settings.
■ You are using the wrong X11 configuration.

SECTION 2 Configure the Network Manually

In this section, you learn how to configure network devices manually. You also learn how to configure routing with command line tools and how to save the network setup to configuration files.

Objectives
1. Understand Linux Network Terms
2. Set Up Network Devices with the ip Tool
3. Save Device Settings to a Configuration File
4. Set Up Routing with the ip Tool
5. Save Routing Settings to a Configuration File
6. Configure Host Name and Name Resolution
7. Test the Network Connection with Command Line Tools

Introduction
Although almost every step of a network configuration can be done with YaST, it is sometimes useful to configure the network settings manually. For testing and troubleshooting, it is much faster to change the network setup from the command line.

Objective 1 Understand Linux Network Terms

Before you can configure the network manually with ip, you need to understand the following Linux networking terms:
■ Device. The network adapter built into the system. To use a physical device, a software component creates an interface to the device. This interface can be used by other software applications. The software component which creates the interface is also called a driver.
In Linux, network interfaces use a standard naming scheme. Interfaces to Ethernet adapters follow the naming scheme eth0, eth1, eth2, and so on. For every adapter installed in the system, an interface is created when the appropriate driver is loaded.
The command line tools for the network configuration use the term device when they actually mean an interface. The term device is used in this section for both physical devices and software interfaces.
■ Link. The command line tool ip uses the term link to refer to the connection of a device to the network.
■ Address. The IP address assigned to a device. The address can be either an IPv4 or an IPv6 address. To use a device in a network, you have to assign at least one address to it. However, you can assign more than one address to a device.
■ Broadcast. The term broadcast refers to the broadcast address of a network. By sending a network packet to the broadcast address, you can reach all hosts in the locally connected network at the same time. When you assign an IP address to a device, you can also set this broadcast address.
■ Route. The path an IP packet takes from the source to the destination host. The term route also refers to an entry in the routing table of the Linux kernel.

Objective 2 Set Up Network Devices With the ip Tool

You normally configure a network card with YaST during or after installation. You can use the tool ip to change the network card configuration quickly from the command line.

Changing the network card configuration at the command line is especially useful for test purposes; but if you want a configuration to be permanent, you must save it in a configuration file. These configuration files are generated automatically when you set up a network card with YaST.

You can use ip to perform the following tasks:
■ Display the Current Network Configuration
■ Change the Current Network Configuration

You can enter /sbin/ip as a normal user to display the current network setup only. To change the network setup, you have to be logged in as root.

Display the Current Network Configuration

With the ip tool, you can display the following information:
■ IP Address Setup
■ Device Attributes
■ Device Statistics

IP Address Setup

To display the IP address setup of all devices, use the following command:
ip address show

Depending on your network setup, you see information similar to the following:
DA1:~ # ip address show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,NOTRAILERS,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:30:05:4b:98:85 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.2/24 brd 10.0.0.255 scope global eth0
    inet6 fe80::230:5ff:fe4b:9885/64 scope link
       valid_lft forever preferred_lft forever
3: sit0: <NOARP> mtu 1480 qdisc noqueue
    link/sit 0.0.0.0 brd 0.0.0.0

The information is grouped by network devices. Every device entry starts with a digit, called the interface index, followed by the device name.

In the above example, there are 3 devices:
■ lo. The loopback device, which is available on every Linux system, even when no network adapter is installed. Using this virtual device, applications on the same machine can use the network to communicate with each other.
For example, you can use the IP address of the loopback device to access a locally installed web server by typing http://127.0.0.1 in the address bar of your web browser.
■ eth0. The first Ethernet adapter of the computer in this example. This is a physical device which is connected to the local network. Ethernet devices are normally called eth0, eth1, eth2, and so on.
■ sit0. A special virtual device used to encapsulate IPv6 packets in IPv4 packets (IPv6-in-IPv4 tunneling). It is not used in a normal IPv4 network.

You always have the entries for the loopback and sit devices.
Depending on your hardware setup, you might have more Ethernet
devices in the ip output.

Several lines of information are displayed for every network device, such as eth0 in the example above:
2: eth0: <BROADCAST,MULTICAST,NOTRAILERS,UP> mtu 1500 qdisc pfifo_fast qlen 1000

The most important information in this line is the device index (2) and the device name (eth0). The other information shows additional attributes set for this device.

The next line shows the hardware address of the Ethernet adapter (00:30:05:4b:98:85):
link/ether 00:30:05:4b:98:85 brd ff:ff:ff:ff:ff:ff

In the following line, the IPv4 setup of the device is displayed:
inet 10.0.0.2/24 brd 10.0.0.255 scope global eth0

The IP address (10.0.0.2) follows inet, and the broadcast address (10.0.0.255) follows brd. The length of the network mask is displayed after the IP address, separated by a /. The length is given in bits (24).

The following lines show the IPv6 configuration of the device:
inet6 fe80::230:5ff:fe4b:9885/64 scope link
   valid_lft forever preferred_lft forever

The address shown here is assigned automatically, even though IPv6 is not used in the network that is connected to the device. It is a link-local address generated from the hardware address of the device.

Depending on the device type, the information can differ. However, the most important information (such as assigned IP addresses) is always shown.

Display Device Attributes

If you are only interested in the device attributes and not in the IP
address setup, you can use the following command:
ip link show

The command produces output similar to the following:
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,NOTRAILERS,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:30:05:4b:98:85 brd ff:ff:ff:ff:ff:ff
3: sit0: <NOARP> mtu 1480 qdisc noqueue
    link/sit 0.0.0.0 brd 0.0.0.0

The information is similar to what you see when entering ip address show, but the information about the address setup is missing. The device attributes are displayed in angle brackets right after the device name.

The following is a list of possible attributes and their meanings:
■ UP. The device is turned on. It is ready to accept packets for transmission and to receive packets from the network.
■ LOOPBACK. The device is a loopback device.
■ BROADCAST. The device can send packets to all hosts sharing the same network.
■ POINTOPOINT. The device is only connected to one other device. All packets are sent to and received from the other device.
■ MULTICAST. The device can send packets to a group of other systems at the same time.
■ PROMISC. The device listens to all packets on the network, not only to those sent to the device's hardware address. This is usually used for network monitoring. Because packet sniffers set this attribute, an interface that shows PROMISC without your having configured it that way deserves a closer look.

Display Device Statistics

You can use the option -s with the command ip to display additional
statistics information about the devices. The command looks like
the following:
ip -s link show eth0

By giving the device name at the end of the command line, the
output is limited to one specific device. This can also be used to
display the address setup or the device attributes.

The following is an example of the information displayed for the device eth0:
2: eth0: <BROADCAST,MULTICAST,NOTRAILERS,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:30:05:4b:98:85 brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast
    849172787  9304150  0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    875278145  1125639  0       0       0       0

Two additional sections with information are displayed for every device. Each of the sections has a headline with a description of the displayed information.

The section starting with RX displays information about received packets, and the section starting with TX displays information about sent packets.

The sections display the following information:
■ Bytes. The total number of bytes received or transmitted by the device.
■ Packets. The total number of packets received or transmitted by the device.
■ Errors. The total number of receiver or transmitter errors.
■ Dropped. The total number of packets dropped due to a lack of resources.
■ Overrun. The total number of receiver overruns resulting in dropped packets. As a rule, if a device is overrun, it means that there are serious problems in the Linux kernel or that your computer is too slow for the device.
■ Mcast. The total number of received multicast packets. This counter is supported by only a few devices.
■ Carrier. The total number of link media failures, because of a lost carrier.
■ Collsns. The total number of collision events on Ethernet-like media.
■ Compressed. The total number of compressed packets.
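
The attributes and counters above lend themselves to a quick health and tamper check: PROMISC on an interface you did not put into monitoring mode points at a packet sniffer, and rising error or dropped counters point at a driver, cabling or load problem. The following shell script is an added example, not part of the original course material. It parses the output format of ip -s link show and prints one finding per line. A constructed sample of that output is embedded so the script runs without a network; the device eth1, its hardware address and its counters are invented for the demonstration, while eth0 repeats the values shown in the text.

```shell
#!/bin/sh
# Added example (not course material): audit `ip -s link show` output for
# interfaces in promiscuous mode and for non-zero error/dropped counters.

# Constructed sample output (not captured from a real host). eth0 mirrors the
# values shown in the text; eth1 and its counters are invented for the demo.
SAMPLE_LINK_OUTPUT='1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    RX: bytes  packets  errors  dropped overrun mcast
    1024       16       0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    1024       16       0       0       0       0
2: eth0: <BROADCAST,MULTICAST,NOTRAILERS,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:30:05:4b:98:85 brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast
    849172787  9304150  0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    875278145  1125639  0       0       0       0
3: eth1: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:30:05:4b:98:86 brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast
    123456     2048     17      3       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    65536      1024     0       0       0       0'

# audit_links: read `ip -s link show` output on stdin and print one finding
# per line ("<dev>: ..."). Prints nothing when every interface looks clean.
audit_links() {
    awk '
    # "2: eth0: <FLAGS> ..." starts a device block; $3 is the flag list
    /^[0-9]+: / {
        dev = $2; sub(/:$/, "", dev)
        if ($3 ~ /PROMISC/) print dev ": PROMISC set (interface is sniffing)"
        section = ""
        next
    }
    # the header line names the columns; the line after it holds the counters
    /^ *RX:/ { section = "RX"; next }
    /^ *TX:/ { section = "TX"; next }
    section != "" {
        # column order from the header: bytes packets errors dropped ...
        if ($3 > 0) print dev ": " section " errors=" $3
        if ($4 > 0) print dev ": " section " dropped=" $4
        section = ""
    }'
}

# Stand-alone run on the sample; on a live host use: ip -s link show | audit_links
printf '%s\n' "$SAMPLE_LINK_OUTPUT" | audit_links
```

On the sample this reports eth1 three times (PROMISC, RX errors, RX dropped) and nothing for lo or eth0. The counters are cumulative since the interface came up, so on a live host compare two runs some time apart rather than judging a single absolute value.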

Change the Current Network Configuration

You can also use the ip tool to change the network configuration by
performing the following tasks:
■ Assign an IP Address to a Device
■ Delete the IP Address from a Device
■ Change Device Attributes

Assign an IP Address to a Device

To assign an address to a device, use a command similar to the following:
ip address add 10.0.0.2/24 brd + dev eth0

In this example, the command assigns the IP address 10.0.0.2 to the device eth0. The network mask is 24 bits long, as determined by the /24 after the IP address. The brd + option sets the broadcast address automatically as determined by the network mask.

You can enter the following command to verify the assigned IP address:
ip address show dev eth0

The assigned IP address is displayed in the output of the command.

You can assign more than one IP address to a device.

Delete the IP Address from a Device

To delete the IP address from a device, use a command similar to the following:
ip address del 10.0.0.2 dev eth0

In this example, the command deletes the IP address 10.0.0.2 from the device eth0. It is better to give the address together with its prefix length (10.0.0.2/24): newer versions of iproute2 treat a bare address as a wildcard deletion and print a warning when the prefix length is omitted.

Use the following command to verify that the address was deleted:
ip address show eth0

Change Device Attributes

You can also change device attributes with the ip tool. The following is the basic command to set device attributes:
ip link set <device> <attribute>

The possible attributes are described in “Display Device Attributes.” The most important attributes are up and down. By setting these attributes, you can enable or disable a network device.

To enable a network device (such as eth0), enter the following command:
ip link set eth0 up

To disable a network device (such as eth0), enter the following command:
ip link set eth0 down

Objective 3 Save Device Settings to a Configuration File

All device configuration changes you make with ip are lost when the system is rebooted. To restore the device configuration automatically when the system is started, the settings need to be saved in configuration files.

The configuration files for network devices are located in the directory /etc/sysconfig/network.

If the network devices are set up with YaST, one configuration file is created for every device.

For Ethernet devices, the filenames consist of ifcfg-eth-id- and the hardware address of the device. For a device with the hardware address 00:30:05:4b:98:85, the filename would be ifcfg-eth-id-00:30:05:4b:98:85.

We recommend that you set up a device with YaST first and then make changes in the configuration file. Setting up a device from scratch is a very complex task, because the hardware driver also needs to be configured manually.

If you have more than one network adapter in your system, it might be difficult to find the corresponding configuration file for a device.

You can use the command ip link show to display the hardware address for each Ethernet device. Because the hardware address is part of the file name, you can identify the right configuration file.

The content of the configuration files depends on the configuration of the device. To change the configuration file, you need to know how to do the following:
■ Configure a Device Statically
■ Configure a Device Dynamically With DHCP
■ Start and Stop Configured Devices

Configure a Device Statically

The content of a configuration file of a statically configured device is similar to the following:
BOOTPROTO='static'
MTU=''
REMOTE_IPADDR=''
STARTMODE='onboot'
UNIQUE='oxTw.AKbXsqnOlA9'
_nm_name='bus-pci-0000:02:08.0'
BROADCAST='10.0.0.255'
IPADDR='10.0.0.2'
NETMASK='255.255.255.0'
NETWORK='10.0.0.0'

The configuration file includes several lines. Each line has an option and a value assigned to that option. Each line is shown and then explained below.
BOOTPROTO='static'

The option BOOTPROTO determines the way the device is configured. There are 2 possible values:
■ static. The device is configured with a static IP address.
■ dhcp. The device is configured automatically by a DHCP server.
MTU=''

You can use the MTU option to specify a value for the MTU (Maximum Transmission Unit). If you don't specify a value, the default value is used. For an Ethernet device, the default value is 1500 bytes.
REMOTE_IPADDR=''

You need to set the value for the REMOTE_IPADDR option only if you are setting up a point-to-point connection.
STARTMODE='onboot'

The STARTMODE option determines how the device is started. The option can have the following values:
■ onboot. The device is started at boot time.
■ manual. The device must be started manually.
■ hotplug. The device is started when it is plugged in, if your system supports PCI hotplugging.
UNIQUE='oxTw.AKbXsqnOlA9'
_nm_name='bus-pci-0000:02:08.0'

These 2 lines contain options added by YaST when the device is configured. They don't affect the network configuration itself.
BROADCAST='10.0.0.255'
IPADDR='10.0.0.2'
NETMASK='255.255.255.0'
NETWORK='10.0.0.0'

These 4 lines contain the options for the network address configuration. The options have the following meaning:
■ BROADCAST. The broadcast address of the network.
■ IPADDR. The IP address of the device.
■ NETMASK. The network mask.
■ NETWORK. The address of the network itself.
The values must agree with each other: NETWORK and BROADCAST follow from IPADDR and NETMASK (here 10.0.0.0 and 10.0.0.255 for 10.0.0.2 with the mask 255.255.255.0).

The file /etc/sysconfig/network/ifcfg.template contains a template that you can use as a base for device configuration files.
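
The four address options have to be consistent, and a BROADCAST or NETWORK value copied from another machine's file is easy to miss by eye. The following shell script is an added example and not part of the course material: it derives the expected NETWORK and BROADCAST from IPADDR and NETMASK (the same arithmetic that brd + performs for ip address add) and compares them with what the file says. It reads the values with sed instead of sourcing the file, so nothing in a file under review is ever executed. The two ifcfg files it writes to a temporary directory are constructed for the demonstration; the second one deliberately carries a broadcast address from a different network.

```shell
#!/bin/sh
# Added example (not from the course): sanity-check static ifcfg-* files in
# /etc/sysconfig/network without sourcing them.

# ip2int 10.0.0.2 -> 167772162 (dotted quad to 32-bit integer)
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int2ip 167772162 -> 10.0.0.2
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# ifcfg_get FILE KEY: value of KEY='value' (last assignment wins). The file is
# parsed, not sourced, so a stray command in it can never run.
ifcfg_get() {
    sed -n "s/^$2=//p" "$1" | tr -d "'\"" | tail -n 1
}

# check_ifcfg FILE: compare NETWORK/BROADCAST with the values derived from
# IPADDR/NETMASK. Prints "OK ..." or one "MISMATCH ..." line per wrong value
# and returns 1 if anything is wrong.
check_ifcfg() {
    file=$1
    if [ "$(ifcfg_get "$file" BOOTPROTO)" != "static" ]; then
        echo "SKIP: $file is not a static configuration"
        return 0
    fi
    ip=$(ifcfg_get "$file" IPADDR)
    mask=$(ifcfg_get "$file" NETMASK)
    if [ -z "$ip" ] || [ -z "$mask" ]; then
        echo "ERROR: IPADDR or NETMASK missing in $file"
        return 1
    fi
    ipn=$(ip2int "$ip")
    maskn=$(ip2int "$mask")
    want_net=$(int2ip $(( ipn & maskn )))
    want_brd=$(int2ip $(( ipn | (4294967295 - maskn) )))   # host bits all set
    have_net=$(ifcfg_get "$file" NETWORK)
    have_brd=$(ifcfg_get "$file" BROADCAST)
    rc=0
    if [ -n "$have_net" ] && [ "$have_net" != "$want_net" ]; then
        echo "MISMATCH NETWORK=$have_net (expected $want_net)"
        rc=1
    fi
    if [ -n "$have_brd" ] && [ "$have_brd" != "$want_brd" ]; then
        echo "MISMATCH BROADCAST=$have_brd (expected $want_brd)"
        rc=1
    fi
    if [ $rc -eq 0 ]; then
        echo "OK $ip/$mask network=$want_net broadcast=$want_brd"
    fi
    return $rc
}

# Two constructed sample files (not copied from a real host): one consistent,
# one whose BROADCAST belongs to another network.
SAMPLE_DIR=$(mktemp -d)
GOOD_FILE="$SAMPLE_DIR/ifcfg-eth-id-00:30:05:4b:98:85"
BAD_FILE="$SAMPLE_DIR/ifcfg-eth-id-00:30:05:4b:98:86"
cat > "$GOOD_FILE" <<'EOF'
BOOTPROTO='static'
STARTMODE='onboot'
IPADDR='10.0.0.2'
NETMASK='255.255.255.0'
NETWORK='10.0.0.0'
BROADCAST='10.0.0.255'
EOF
cat > "$BAD_FILE" <<'EOF'
BOOTPROTO='static'
STARTMODE='onboot'
IPADDR='10.0.0.2'
NETMASK='255.255.255.0'
NETWORK='10.0.0.0'
BROADCAST='149.44.171.255'
EOF

for f in "$GOOD_FILE" "$BAD_FILE"; do
    echo "== $f"
    check_ifcfg "$f" || true
done
```

On a real system, run check_ifcfg over /etc/sysconfig/network/ifcfg-eth-id-* instead of the sample files. The arithmetic is the same one the kernel applies when you give brd + to ip address add, so a mismatch means the file will bring the interface up with a broadcast or network value that does not belong to its own subnet.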

Configure a Device Dynamically With DHCP

If you want to configure a device by using a DHCP server, you set the BOOTPROTO option to dhcp as shown in the following:
BOOTPROTO='dhcp'

When the device is configured by using DHCP, you don't need to set any options for the network address configuration in the file. If there are any settings, they are overwritten by the settings of the DHCP server.

Start and Stop Configured Devices

To apply changes to a configuration file, you need to stop and restart the corresponding device. You can do this with the commands ifdown and ifup.

For example, the following ifdown command disables the device eth0:
ifdown eth0

The following ifup command enables eth0 again:
ifup eth0

When the device is restarted, the new configuration is read from the configuration file.

Objective 4 Set Up Routing With the ip Tool

You can use the ip tool to configure the routing table of the Linux kernel. The routing table determines the path IP packets use to reach the destination system.

Because routing is a very complex topic, this objective only covers the most common routing scenarios.

You can use the ip tool to perform the following tasks:
■ View the Routing Table
■ Add Routes to the Routing Table
■ Delete Routes From the Routing Table

View the Routing Table

To view the current routing table, use the following command:
ip route show

For most systems, the output looks similar to the following:
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.2
169.254.0.0/16 dev eth0 scope link
127.0.0.0/8 dev lo scope link
default via 10.0.0.1 dev eth0

Every line represents an entry in the routing table. Each line in the example is shown and explained below:
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.2

This line represents the route for the local network. All network packets to a system in the same network are sent directly through the device eth0. The kernel adds this route itself (proto kernel) when the address 10.0.0.2/24 is assigned to eth0.

169.254.0.0/16 dev eth0 scope link

This line shows a network route for the 169.254.0.0 network. Hosts can use this network for address autoconfiguration.

SLES 9 automatically assigns a free IP address from this network when no other device configuration is present. The route to this network is always set, even when the system itself has no assigned IP address from that network.
127.0.0.0/8 dev lo scope link

This is the route for the loopback device.
default via 10.0.0.1 dev eth0

This line is the entry for the default route. All network packets that cannot be sent according to the previous entries of the routing table are sent through the gateway defined in this entry.

Depending on the setup of your machine, the content of the routing table varies. In most cases, you have at least 2 entries in the routing table:
■ One route to the local network the system is connected to.
■ One route to the default gateway for all other packets.

Add Routes to the Routing Table

The following are the most common tasks you do when adding a
route:
■ Set a Route to the Locally Connected Network
■ Set a Route to a Different Network
■ Set a Default Route

Remember to substitute your own network and gateway addresses when using the following examples in a production environment.

Set a Route to the Locally Connected Network

The following command sets a route to the locally connected network:
ip route add 10.0.0.0/24 dev eth0

The system in this example is in the 10.0.0.0 network. The network mask is 24 bits long (255.255.255.0). All packets to the local network are sent directly through the device eth0.

Set a Route to a Different Network

The following command sets a route to a different network:
ip route add 149.44.171.0/24 via 10.0.0.100

All packets for the network 149.44.171.0 are sent through the gateway 10.0.0.100. The gateway itself must already be reachable through an existing route (here the local network route on eth0); otherwise the command fails.

Set a Default Route

The following command sets a default route:
ip route add default via 10.0.0.1

Packets that cannot be sent according to previous entries in the routing table are sent through the gateway 10.0.0.1.

Delete Routes from the Routing Table

To delete an entry from the routing table, use a command similar to the following:
ip route delete 149.44.171.0/24 dev eth0

This command deletes the route to the network 149.44.171.0 assigned to the device eth0.

Objective 5 Save Routing Settings to a Configuration File


Routing settings made with the ip tool are lost when you reboot
your system. Settings have to be written to configuration files to be
restored at boot time.

Routes to the directly connected network are automatically set up


when a device is started. All other routes are saved in the
configuration file /etc/sysconfig/network/routes.

The following shows the content of of a typical configuration file:


149.44.171.0 10.0.0.100 255.255.255.0 eth-id-00:30:05:4b:98:85
default 10.0.0.8 - -

Each line of the configuration file represents an entry in the routing


table. Each line is shown and explained below.
149.44.171.0 10.0.0.100 255.255.255.0 eth-id-00:30:05:4b:98:85

All packets sent to the network 149.44.171.0 with the network mask
255.255.255.0 are sent through the gateway 10.0.0.100 through the
device with the id eth-id-00:30:05:4b:98:85. The id is the same as
used for the device configuration file.
default 10.0.0.8 - -

This entry represents a default route. All packets that are not
affected by the previous entries of the routing table are sent through
the gateway 10.0.0.8. It's not necessary to fill out the last 2 columns
of the line for a default route.

To apply changes to the routing configuration file, you need to
restart the affected network device with the ifdown and ifup
commands.
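As an added example (not part of the course material), the following shell script reads a routes file in the four-column format shown above and prints the equivalent ip route add commands, which makes a hand-edited file easy to review before the interface is restarted. The mapping from a configuration id such as eth-id-00:30:05:4b:98:85 to the kernel interface name is supplied by the caller, and the sample file in demo_routes is constructed.

```shell
#!/bin/sh
# Added example, not part of the course: translate the four columns of an
# /etc/sysconfig/network/routes file (destination, gateway, netmask, device)
# into the equivalent "ip route add" commands, so a hand-edited file can be
# reviewed before ifdown/ifup applies it. Nothing here changes the routing
# table; the commands are only printed.

# Convert a dotted netmask (255.255.255.0) into a prefix length (24).
# Returns 1 for anything that is not a contiguous netmask, e.g. 255.0.255.0.
mask_to_prefix() {
    saved_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$saved_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    value=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    bits=0
    n=$value
    while [ "$n" -gt 0 ]; do
        bits=$(( bits + (n & 1) ))
        n=$(( n >> 1 ))
    done
    # All one bits must be on the left: compare with the mask that has
    # exactly $bits leading ones.
    if [ "$bits" -eq 0 ]; then
        expected=0
    else
        expected=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    fi
    [ "$value" -eq "$expected" ] || return 1
    echo "$bits"
}

# resolve_device ID [id=interface ...]
# Map a configuration id such as eth-id-00:30:05:4b:98:85 (the suffix of the
# ifcfg-* file name) to the kernel interface name using the id=interface
# pairs supplied by the caller; an id without a mapping is passed through.
resolve_device() {
    wanted=$1
    shift
    for pair in "$@"; do
        case $pair in
            "$wanted="*) echo "${pair#*=}"; return 0 ;;
        esac
    done
    echo "$wanted"
}

# routes_to_ip_cmds FILE [id=interface ...]
# Print one "ip route add" command per entry of the routes file.
routes_to_ip_cmds() {
    routes_file=$1
    shift
    while read -r dest gateway netmask device; do
        case $dest in ''|'#'*) continue ;; esac      # blank line or comment
        if [ "$dest" = default ]; then
            echo "ip route add default via $gateway"
            continue
        fi
        prefix=$(mask_to_prefix "$netmask") || {
            echo "routes: invalid netmask '$netmask' for $dest" >&2
            return 1
        }
        cmd="ip route add $dest/$prefix"
        [ "$gateway" = "-" ] || cmd="$cmd via $gateway"
        [ "$device" = "-" ] || cmd="$cmd dev $(resolve_device "$device" "$@")"
        echo "$cmd"
    done < "$routes_file"
}

# Constructed sample in the layout of the routes file shown above.
demo_routes() {
    sample=$(mktemp)
    cat > "$sample" <<'EOF'
# destination   gateway      netmask         device
149.44.171.0    10.0.0.100   255.255.255.0   eth-id-00:30:05:4b:98:85
default         10.0.0.8     -               -
EOF
    routes_to_ip_cmds "$sample" eth-id-00:30:05:4b:98:85=eth0
    rm -f "$sample"
}

demo_routes
```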


Objective 6 Configure Host Name and Name Resolution


The host name and the name resolution can also be set up manually.
In this objective, you learn how to do the following:
■ Set the Host and Domain Name
■ Configure Name Resolution

Set the Host and Domain Name

The host name is configured in the file /etc/HOSTNAME.

The content of the file is similar to the following:


da2.digitalairlines.com

The file contains the fully qualified domain name of the system, in
this case, da2.digitalairlines.com.

Configure Name Resolution

The name resolution is configured in the file /etc/resolv.conf.

The content of the file is similar to the following:


search digitalairlines.com
nameserver 10.0.0.1
nameserver 10.10.0.1
nameserver 10.0.10.1

The file contains 2 types of entries:


■ search. The domain name in this option is used to complete
incomplete host names. For example, if you look up the host
name da3, the name is automatically completed to the fully
qualified domain name da3.digitalairlines.com.
■ nameserver. Every entry starting with nameserver is followed
by an IP address of a name server. You can configure up to 3
name servers. If the first name server fails, the next one is used.
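The checks below are an added example, not part of the course: they test a resolv.conf file for the limits just described (up to 3 name servers, a single search domain, addresses that are really IP addresses) and a HOSTNAME file for a host name that lies outside the search domain, since short names such as da3 would then complete into a different domain than the host's own. Both file paths are parameters, and the sample files in demo_resolv are constructed.

```shell
#!/bin/sh
# Added example, not part of the course: check /etc/resolv.conf and
# /etc/HOSTNAME for the mistakes that break name resolution quietly: more
# than 3 nameserver lines (the resolver ignores the rest), a nameserver
# that is not an IP address, several search lines, or a host name outside
# the search domain. File paths are parameters so copies can be checked.

# Return 0 if $1 is a dotted IPv4 address such as 10.0.0.1.
is_ipv4() {
    saved_ifs=$IFS; IFS=.; set -- $1; IFS=$saved_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# check_resolv_conf FILE: print one problem per line, return 1 if any.
check_resolv_conf() {
    servers=0; searches=0; problems=0
    while read -r keyword value rest; do
        case $keyword in
            ''|'#'*|';'*) continue ;;                    # blank line or comment
            nameserver)
                servers=$((servers + 1))
                if ! is_ipv4 "$value"; then
                    echo "nameserver '$value' is not an IPv4 address"
                    problems=$((problems + 1))
                fi ;;
            search) searches=$((searches + 1)) ;;
            domain|options|sortlist) ;;                  # valid, not checked here
            *)  echo "unknown keyword '$keyword'"
                problems=$((problems + 1)) ;;
        esac
    done < "$1"
    if [ "$servers" -eq 0 ]; then
        echo "no nameserver entry: no DNS server will be asked"
        problems=$((problems + 1))
    elif [ "$servers" -gt 3 ]; then
        echo "$servers nameserver entries: only the first 3 are used"
        problems=$((problems + 1))
    fi
    if [ "$searches" -gt 1 ]; then
        echo "$searches search lines: only the last one takes effect"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}

# check_hostname HOSTNAME_FILE RESOLV_FILE: the FQDN in /etc/HOSTNAME should
# lie inside the search domain of /etc/resolv.conf.
check_hostname() {
    read -r fqdn < "$1" || [ -n "$fqdn" ] || return 1
    case $fqdn in
        *.*) ;;
        *) echo "'$fqdn' is not a fully qualified domain name"; return 1 ;;
    esac
    search_domain=$(awk '$1 == "search" { d = $2 } END { print d }' "$2")
    if [ -z "$search_domain" ]; then
        echo "no search domain in $2"; return 1
    fi
    case $fqdn in
        *."$search_domain") return 0 ;;
        *) echo "'$fqdn' is not in the search domain '$search_domain'"; return 1 ;;
    esac
}

# Constructed sample: the resolv.conf shown above plus one server too many
# and one mistyped address, and the /etc/HOSTNAME shown above.
demo_resolv() {
    dir=$(mktemp -d)
    printf '%s\n' 'search digitalairlines.com' 'nameserver 10.0.0.1' \
        'nameserver 10.10.0.1' 'nameserver 10.0.10.1' 'nameserver 10.0.0.256' \
        > "$dir/resolv.conf"
    printf 'da2.digitalairlines.com\n' > "$dir/HOSTNAME"
    check_resolv_conf "$dir/resolv.conf" || echo "resolv.conf needs fixing"
    check_hostname "$dir/HOSTNAME" "$dir/resolv.conf" && echo "host name is consistent"
    rm -rf "$dir"
}

demo_resolv
```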


Objective 7 Test the Network Connection with Command Line Tools

After the network is configured, you might want to test the network
connection by doing the following:
■ Use ping to Test Network Connections
■ Use traceroute to Trace Network Packets

Use ping to Test Network Connections

The tool ping lets you check network connections in a simple way
between two hosts. If the ping command works, then both the
physical and logical connections are correctly set up between the 2
hosts.

The ping command sends special network packets to the target
system and waits for a reply. In the simplest scenario, you enter ping
with an IP address:
ping 10.0.0.1

You can also use the host name of the target system instead of an IP
address. The output of ping looks similar to the following:
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=60 time=2.95 ms
64 bytes from 10.0.0.1: icmp_seq=2 ttl=60 time=2.16 ms
64 bytes from 10.0.0.1: icmp_seq=3 ttl=60 time=2.18 ms
64 bytes from 10.0.0.1: icmp_seq=4 ttl=60 time=2.08 ms

Each line of the output represents a packet sent by ping. Ping keeps
sending packets until it's terminated by pressing Ctrl+C.


The output displays the following information:


■ The size of an ICMP datagram (64 bytes).
■ The IP address of the target system (from 10.0.0.1).
■ The sequence number of each datagram (seq=1).
■ The TTL (time to live) of the datagram (ttl=60).
■ The amount of time that passes between the transmission of a
packet and the time a corresponding answer is received
(time=2.95 ms). This time is also called the Round Trip Time.

If you get an answer from the target system, you can be sure that the
basic network device setup and routing to the target host works.

The following table provides some options for ping you can use for
advanced troubleshooting:

Option          Description
-c count        The number of packets to be sent. After this number has
                been reached, ping is terminated.
-I device_addr  Specifies the network device to be used on a computer
                with several network devices.
-i seconds      Specifies the number of seconds to wait between
                individual packet shipments. The default setting is
                1 second.
-f              (Flood ping) Packets are sent one after another at the
                same rate as the respective replies arrive. Only root
                can use this option. For normal users the minimum time
                is 200 milliseconds.
-l preload      Sends packets without waiting for a reply.
-n              The numerical output of the IP address. Address
                resolutions to host names are not carried out.
-t ttl          Sets the Time To Live for packets to be sent.

-w maxwait      Specifies a timeout in seconds, before ping exits
                regardless of how many packets have been sent or
                received.
-b              Sends packets to the broadcast address of the network.
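As an added example (not from the course), the awk-based function below summarises captured ping output, for instance from ping -c 20 10.0.0.1, using the fields explained above: gaps in icmp_seq count as lost packets, the TTL seen most often identifies the usual path, and the round trip times are reduced to min/avg/max. The output it analyses in demo_ping is a constructed sample.

```shell
#!/bin/sh
# Added example, not part of the course: summarise captured ping output
# using the fields explained above. Missing icmp_seq numbers are counted as
# lost packets, the most frequent ttl identifies the usual path, and the
# round trip times are reduced to min/avg/max. Input is read from stdin,
# e.g. "ping -c 20 10.0.0.1 | ping_summary".

# ping_summary < ping_output
# Prints "sent received lost ttl rtt_min rtt_avg rtt_max" and returns 1 if
# not a single reply was seen.
ping_summary() {
    awk '
        /icmp_seq=/ {
            seq = 0; ttl = 0; rtt = 0
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^icmp_seq=/) { split($i, a, "="); seq = a[2] + 0 }
                if ($i ~ /^ttl=/)      { split($i, b, "="); ttl = b[2] + 0 }
                if ($i ~ /^time=/)     { split($i, c, "="); rtt = c[2] + 0 }
            }
            received++
            if (seq > last) last = seq
            if (received == 1 || rtt < min) min = rtt
            if (rtt > max) max = rtt
            sum += rtt
            ttls[ttl]++
        }
        END {
            if (received == 0) { print "0 0 0 0 0 0 0"; exit 1 }
            # ping numbers its packets from 1, so the highest icmp_seq seen
            # is the number of packets sent (replies still in flight aside).
            lost = last - received
            bestcount = 0
            for (t in ttls) if (ttls[t] > bestcount) { bestcount = ttls[t]; best = t }
            printf "%d %d %d %d %.2f %.2f %.2f\n", last, received, lost, best, min, sum / received, max
        }'
}

# Constructed sample in the output format shown above: the reply to
# icmp_seq=3 never arrived, and the last reply took a longer path (ttl=58).
demo_ping() {
    ping_summary <<'EOF'
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=60 time=2.95 ms
64 bytes from 10.0.0.1: icmp_seq=2 ttl=60 time=2.16 ms
64 bytes from 10.0.0.1: icmp_seq=4 ttl=60 time=2.08 ms
64 bytes from 10.0.0.1: icmp_seq=5 ttl=58 time=9.81 ms
EOF
}

demo_ping
```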

Use traceroute to Trace Network Packets

The diagnosis tool traceroute is primarily used to check the routing
between different networks. To achieve this task, traceroute sends
packets with an increasing TTL value to the destination host,
whereby three packets of each value are sent.

Traceroute also uses UDP packets, which are called datagrams.

First, three datagrams with a TTL=1 are sent to the host, then three
packets with a TTL=2, and so on. The TTL of a datagram is reduced
by one every time it passes through a router.

When the TTL reaches zero, the datagram is discarded and a
message is sent to the sender. Because the TTL is increased by one
every three packets, traceroute can collect information about every
router on the way to the destination host.

You normally include a host name with the traceroute command:
traceroute pluto.example.com

It's also possible to use an IP address instead of the host name. The
output of traceroute looks similar to the following:
traceroute to pluto.example.com (192.168.2.1), 30 hops max, 40 byte packets
 1 sun.example.com (192.168.0.254) 0 ms 0 ms 0 ms
 2 antares.example.com (192.168.1.254) 14 ms 18 ms 14 ms
 3 pluto.example.com (192.168.2.1) 19 ms * 26 ms


The first line of the output displays general information about the
traceroute call. Each of the lines that follow represents a router on
the way to the destination host. Every router is displayed with the
host name and IP address.

Traceroute also displays information about the round trip times of
the 3 datagrams returned by every router. The last line of the output
represents the destination host itself.


Exercise 2-1: Configure the Network Manually

In this exercise, you configure the network manually by doing the
following:
■ Part I: Note the Current Network Configuration
■ Part II: Delete the Current Network Setup with YaST
■ Part III: Configure the Network Manually
■ Part IV: Save the Network Connection to a File

Part I: Note the Current Network Configuration

Do the following:
1. Make sure you are logged in to the KDE Desktop as geeko with
a password of N0v3ll.
2. Open a terminal window and su (switch user) to root.
3. Enter ip address show eth0.
4. Find the line starting with inet, and record the IP address with
the subnet mask displayed in that line:

5. Enter ip route show.
6. Find the line starting with default and record the IP address
of the gateway:

7. Enter ip link show eth0.


8. Find the line starting with link/ether and record the hardware
address of the device:

9. Change to the /etc/sysconfig/hardware directory by entering the
following:
cd /etc/sysconfig/hardware


10. Enter ls -al; then look for one of the following files (depending
on your hardware configuration):
■ hwcfg-id-ethernet_controller_address
or
■ hwcfg-bus-pci-ethernet_controller_address
11. Record the name of the file:

12. Display the contents of the file by entering one of the
following:
■ cat hwcfg-id-ethernet_controller_address
or
■ cat hwcfg-bus-pci-ethernet_controller_address
13. Record the following parameters:
■ MODULE=
■ MODULE_OPTIONS=
■ STARTMODE=
You use these parameters and the hwcfg filename in Part IV to
manually create the file.

Part II: Delete the Current Network Setup with YaST

Do the following:
1. Start YaST and select Network Devices > Network Card.
2. In the lower part of the dialog, select Change.
3. Select the network device; then select Delete.
4. Select Finish.


5. From the terminal window (as root), enter
rm /etc/sysconfig/network/routes.
6. Verify that the network connection is not working any more by
entering ping www.novell.com.

Part III: Configure the Network Manually

Do the following:
1. In the terminal window enter the following command:
ip address add your_ip_address/24 brd + dev eth0
2. To activate the network device, enter ip link set eth0 up.
3. To set a route to the local network enter the following:
ip route add 10.0.0.0/24 dev eth0
4. To set the default route enter the following:
ip route add default via gateway_ip_address
5. Verify that the network connection is working again by entering
ping www.novell.com.

If you are having problems with the network interface, you might need
to delete the network card configuration with YaST, save the change,
and then re-configure the network card with YaST.

This can happen if you have 2 network cards installed in your
computer.

Part IV: Save the Network Connection to Interface and Hardware
Configuration Files

Do the following:
1. From the terminal window, change to the directory
/etc/sysconfig/network.


2. Make a copy of the network configuration template by entering
the following:
cp ifcfg.template ifcfg-eth-id-device_hardware_address
3. Open the copied file (ifcfg-eth-id-device_hardware_address)
with the vi editor.
4. Find the following options and enter the indicated values:
■ STARTMODE='onboot'
■ BOOTPROTO='static'
■ IPADDR='your_ip_address/24'
5. Save the file and exit vi (:wq).
6. Change to the directory /etc/sysconfig/hardware.
7. Create one of the following files with vi and enter the
parameters you recorded in Part I of this exercise:
■ hwcfg-id-ethernet_controller_address
or
■ hwcfg-bus-pci-ethernet_controller_address
8. When you finish, save the file and exit the editor.
9. Change to the /etc/sysconfig/network directory.
10. Create a new file with vi called routes.
11. Add the following line to the file:
default default_gateway_ip_address - -
12. Save the file and exit vi.
13. Reboot your system (init 6) and log in as geeko with a
password of N0v3ll.
14. From a terminal window, verify that the network configuration
is loaded correctly by entering ping www.novell.com.

(End of Exercise)
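As an added example (not part of the exercise), this script produces the ifcfg-eth-id-<hardware address> and routes files of Part IV from the values recorded in Part I, after checking that the address carries a prefix length and that the gateway lies in the local network (a default gateway outside it is never reachable). It writes to a directory given as a parameter, never to /etc/sysconfig/network directly; the values in demo_config are constructed.

```shell
#!/bin/sh
# Added example, not part of the course exercise: write the two files that
# Part IV creates by hand, ifcfg-eth-id-<hardware address> and routes, from
# the values recorded in Part I, after checking them. The target directory
# is a parameter, so the files can be generated and reviewed outside
# /etc/sysconfig/network before being copied into place.

# ip_to_int 10.0.0.2 -> 167772162; fails on anything that is not an IPv4 address
ip_to_int() {
    saved_ifs=$IFS; IFS=.; set -- $1; IFS=$saved_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# same_network IP1 IP2 PREFIX: true if both addresses share the network part
same_network() {
    a=$(ip_to_int "$1") || return 1
    b=$(ip_to_int "$2") || return 1
    mask=$(( (4294967295 << (32 - $3)) & 4294967295 ))
    [ $(( a & mask )) -eq $(( b & mask )) ]
}

# is_mac 00:30:05:4b:98:85: the lowercase form used in the ifcfg file name
is_mac() {
    case $1 in
        [0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]) return 0 ;;
        *) return 1 ;;
    esac
}

# write_static_config DIR IP/PREFIX GATEWAY MAC
# Creates DIR/ifcfg-eth-id-MAC and DIR/routes; prints the ifcfg path.
write_static_config() {
    dir=$1 addr=$2 gateway=$3 mac=$4
    is_mac "$mac" || { echo "hardware address '$mac' must look like 00:30:05:4b:98:85" >&2; return 1; }
    ip=${addr%/*}; prefix=${addr#*/}
    case $prefix in
        ''|*[!0-9]*) echo "address '$addr' needs a prefix length, e.g. 10.0.0.2/24" >&2; return 1 ;;
    esac
    if [ "$prefix" -lt 1 ] || [ "$prefix" -gt 30 ]; then
        echo "prefix length /$prefix leaves no room for hosts" >&2; return 1
    fi
    ip_to_int "$ip" >/dev/null || { echo "'$ip' is not an IPv4 address" >&2; return 1; }
    ip_to_int "$gateway" >/dev/null || { echo "gateway '$gateway' is not an IPv4 address" >&2; return 1; }
    # A default gateway outside the local network can never be reached.
    same_network "$ip" "$gateway" "$prefix" || { echo "gateway $gateway is not in $ip/$prefix" >&2; return 1; }
    ifcfg="$dir/ifcfg-eth-id-$mac"
    if [ -e "$ifcfg" ]; then
        echo "$ifcfg exists, not overwriting" >&2; return 1
    fi
    printf "STARTMODE='onboot'\nBOOTPROTO='static'\nIPADDR='%s'\n" "$addr" > "$ifcfg"
    printf 'default %s - -\n' "$gateway" > "$dir/routes"
    echo "$ifcfg"
}

# Constructed values: address, gateway and hardware address of a lab host.
demo_config() {
    dir=$(mktemp -d)
    write_static_config "$dir" 10.0.0.2/24 10.0.0.1 00:30:05:4b:98:85 \
        && cat "$dir"/ifcfg-eth-id-* "$dir/routes"
    rm -rf "$dir"
}

demo_config
```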


Summary
The following is the summary of the objectives.

1. Understand Linux Network Terms
The following terms are used for the Linux network configuration:
■ Device
■ Interface
■ Link
■ Address
■ Broadcast
■ Route

2. Set Up Network Devices with the ip Tool
You can perform the following tasks with the ip tool:
■ Display the IP address setup: ip address show
■ Display device attributes: ip link show
■ Display device statistics: ip -s link show
■ Assign an IP address to a device:
ip address add <IP address>/<netmask> brd + dev <device name>
■ Delete an IP address of a device:
ip address del <IP address> dev <device name>
■ Change device attributes: ip link set <device name> <attribute>

3. Save Device Settings to a Configuration File
■ The configuration files for network devices are located in
/etc/sysconfig/network.
■ For Ethernet devices, the file names consist of ifcfg-eth-id- followed
by the hardware address of the device.
■ For a statically configured device, at least the following options
need to be set:
BOOTPROTO='static'
STARTMODE='onboot'
IPADDR='10.0.0.2/24'
■ For devices configured with DHCP, the BOOTPROTO option needs to
be changed as follows:
BOOTPROTO='dhcp'
■ Configured devices can be enabled with ifup device name and
disabled with ifdown device name.

4. Set Up Routing with the ip Tool
You can perform the following tasks with the ip tool:
■ View the routing table: ip route show
■ Add routes to the routing table:
ip route add <network>/<netmask> dev <device name>
■ Delete routes from the routing table:
ip route del <network>/<netmask> dev <device name>

5. Save Routing Settings to a Configuration File
The configuration for the routing table is located in the file
/etc/sysconfig/network/routes. Each line represents an entry of the
routing table and has the following columns:
■ Destination network address
■ Gateway address
■ Netmask
■ Device id
Default routes use default instead of the network address and do
not require a netmask or device id.

6. Configure Host Name and Name Resolution
The host name is configured in the file /etc/HOSTNAME.
The name resolution is configured in the file /etc/resolv.conf. One
line specifies the search domain; the others list up to three
available name servers.

7. Test the Network Connection with Command Line Tools
Two command line tools are available to test the network
connection:
■ ping: ping hostname
With ping you can test whether another host is reachable in the
network.
■ traceroute: traceroute hostname
With traceroute you can test the routing in the network.


SECTION 3 Configure Network Services

In this section, you learn how to configure four of the most
important network services shipped with SLES 9 (BIND,
OpenLDAP, Apache, Samba).

Objectives
1. Configure a DNS Server Using BIND
2. Deploy OpenLDAP on a SLES 9 Server
3. Configure an Apache Web Server
4. Configure a Samba Server as a File Server


Introduction
In this section you learn how to install and configure four of the
most popular Linux network services at the command line:
■ BIND
■ OpenLDAP
■ Apache
■ Samba

Because configuring the services can be very complex, this section
covers only the basic functionality of the services.

The configuration is covered at the command-line level to show you
a more direct way to manipulate the behavior of the services.

The services as described in this section should be used within an
internal network. You should make the services accessible from the
Internet only if you have sufficient knowledge about network
security.


Objective 1 Configure a DNS Server Using BIND


The Domain Name System (DNS) is one of the most important
network services. Without DNS, it would be difficult, if not
impossible, to work with networked computers.

To configure a DNS server (also called a name server) using the
most popular software BIND (Berkeley Internet Name Domain) you
need to do the following:
■ Understand the Domain Name System
■ Install and Configure the BIND Server Software
■ Configure a Caching-Only Name Server
■ Configure a Master Server for Your Domain
■ Configure One or More Slave Servers
■ Configure the Client Computers to Use the DNS Server
■ Understand How to Query DNS Servers Using Command Line Tools
■ Find More Information About DNS


Understand the Domain Name System

To understand the basics of name resolution with DNS, you need to
know the following:
■ How Name Resolution Worked in the Early Days of the Internet
■ The Internet Domain Concept
■ How Name Servers Work
■ How to Query DNS

How Name Resolution Worked in the Early Days of the Internet

Computers communicate with each other by using IP addresses, but
for humans it is simpler to address a computer by using its name.
This requires some kind of conversion that provides computers with
IP addresses when a user enters a computer name.

In the early days of the Internet, when there were relatively few
computers connected to each other, a file was maintained at the
Network Information Centre (NIC) of the Stanford Research
Institute in California that provided exactly this conversion.

Whenever system administrators added a new computer to the
Internet or changed the name of an already connected computer,
these changes were sent by email to the SRI-NIC where they were
written to a file called hosts.txt.

Every system administrator worldwide had to copy this file by FTP
and distribute it to all computers for which he was responsible.

In 1984, Paul Mockapetris created a powerful solution: the
Domain Name System (or DNS). DNS is a distributed database
system that allows local administration of areas and guarantees
unique computer names worldwide. Its hierarchical structure is very
similar to the tree structure of the Linux file system.


The Internet Domain Concept

DNS consists of several domains that can be divided into
subdomains. The top level of this structure is the root domain. It is
represented simply by a dot (“.”).

There are over 13 computers worldwide that act as root name
servers. The first layer beneath the root domain contains the top
level domains (TLDs).

In the early days of DNS there were 7 TLDs:
■ .com for commercial institutions (such as novell.com and
suse.com)
■ .edu for educational institutions and research institutes (such as
harvard.edu and stsci.edu)
■ .gov for institutions of the U.S. government (such as nasa.gov
and whitehouse.gov)
■ .int for international institutions (such as un.int and ecb.int)
■ .mil for military institutions (such as army.mil and navy.mil)
■ .net for institutions that provide and manage network
infrastructure (such as internic.net and att.net)
■ .org for noncommercial institutions (such as eso.org and eff.org)

.arpa was used as a TLD, while the ARPAnet transferred from host
files to DNS. All computers from the ARPAnet were later put into
the other TLDs. The .arpa TLD still has a special meaning which
will be explained later in this section.

These TLDs are also known as generic TLDs. Other TLDs for
individual countries were defined, such as .de for Germany, .uk for
the United Kingdom, and .ch for Switzerland.

Recently, TLDs such as .info or .biz have become operational. Each
of these TLDs is administered by its own institution (the Network
Information Center or NIC).


Part of the Internet namespace is shown in the following:

The complete computer name or fully qualified domain name
(FQDN) is made from the actual computer name, the domain name,
and the name of the TLD (one or more subdomains might be
included).

Examples of FQDNs are ns.suse.de, www.astro.physik.uni-goettingen.de
and mail.novell.com. To be precise, all these names end with a dot
(such as ns.suse.de.) indicating the root domain, but as a rule the
dot is not written.

Understand How Name Servers Work

Domains are administered locally instead of using a global
authority. Each domain has its own administration point (in practice,
many domains are administered from one location).

For each domain there is one DNS server (or name server) defined
as being “in charge” of its domain. This server is known as the
master server, and it is the authority for this domain (providing
authoritative answers).


This authoritative information is important because DNS servers
also temporarily store information on other domains in a cache and
can pass this information on, with the note that it is a
non-authoritative answer.

There are other DNS servers called slave servers for the domain
that distribute the load and serve as backups. Slave servers keep a
copy of the information on the master server and update this
information at regular intervals. This update is called zone transfer.

The following describes the DNS server types available:

Server Type          Responsibility
Master server        Has the main responsibility for a domain. Gets its
                     data from local files.
Slave server         Gets its data from the master server using zone
                     transfer.
Caching-only server  Queries data from other DNS servers and stores the
                     information in the cache until its expiration date.
                     All replies are nonauthoritative.
Forwarding server    All queries the server cannot answer authoritatively
                     are forwarded to other DNS servers.


Understand How to Query DNS

Various programs are involved in processing a request to the DNS
database. The first is the resolver. This is a set of library routines
used by various programs.

The resolver makes a request to a DNS server, interprets the answer
(real information or error message), and sends back this information
to the program that called it up.

If the DNS server receives a request from a resolver, one of 2 things
happens:
■ If the DNS server is the authority for the requested domain, the
DNS server provides the required information to the resolver
(the authoritative answer).
or
■ If the DNS server is not the authority for the required domain,
the DNS server queries the responsible authority for the request
domain and gives the result to the resolver.
The data is stored in the cache of the DNS server. If there is
another request for this data later, the DNS server can provide it
immediately (a non-authoritative answer). All data has a
timestamp, and information is deleted from the cache after a
certain time.

Assume that your DNS server wants to find the IP address of the
computer www.suse.de. To do this, the DNS server first makes a
request to one of the DNS servers of the root domain.

Each DNS server knows the authorities responsible for the TLDs.
The address of the required authority is passed on to the
requesting DNS server. For www.suse.de, this is a DNS server for
the TLD .de, that is, the computer dns2.denic.de.

Our DNS server then asks this server for the authority for the
domain suse.de and is given the computer ns.suse.de as the answer.


In a third step, this DNS server is queried and answers with the
IP address of the SUSE web server. This answer is returned by our
DNS server to the requesting resolver.

This procedure is illustrated in the following figure:

The DNS servers for the root domain play a very important role in
name resolution. In order to alleviate the server load due to queries,
every DNS server stores the information received from other name
servers in its cache.

When queries are made, this information is sent without querying
the root DNS server anew. However, root DNS servers are very
busy despite this caching mechanism. Several thousand queries per
second are nothing unusual.


Install and Configure the BIND Server Software

To run a DNS server, you need to install the following packages:
■ bind. The BIND server software (version 9 in SLES 9)
■ bind-utils. Utilities to query and test BIND (included in
standard installation)

Before starting the DNS server, you have to make some basic
configuration changes. After finishing your configuration, you can
start the server using the following command:
rcnamed start

To stop a running server, use the following command:
rcnamed stop

To have the DNS server start automatically at boot time, use the
following command:
insserv named

This creates the necessary links in the runlevel directories.

Configure a Caching-Only DNS Server

A caching-only DNS server does not manage its own databases but
merely accepts queries and forwards them to other DNS servers.
The supplied replies are saved in the cache.

A caching-only DNS server can be used on a workstation or a
gateway that has access to an external DNS server.

The DNS server configuration is defined in the file
/etc/named.conf. You can use the example file that is installed with
the DNS package as a configuration file for a caching-only server.


The following example shows a simple configuration:

#
# /etc/named.conf: Configuration of the name server (BIND9)
#
# Global options
#
options
{
#
# In which directory are the database files?
#
directory "/var/lib/named";
};

The global options are defined in the options block at the beginning
of the file. The directory containing the database files (or zone files)
is listed. Normally, this is /var/lib/named/.

All file names that follow are relative to this directory. The
directory is created when installing the server package. It contains
several preconfigured files. Other options can also be defined in
this file.

The global options are followed by the definition of the database
files for the domains managed by the DNS server. Several entries
are needed for basic DNS server functions such as those provided
by a caching-only server.

Three entries are needed for every DNS server:
■ The entry for root DNS servers (not needed for BIND 9
because it has the list of root DNS servers compiled into the
software).
■ The forward resolution for localhost
■ The reverse resolution for the network 127.0.0.0 (localhost)


The following are examples of these entries:

#
# entry for root nameservers
#
zone "." in {
type hint;
file "root.hint";
};

#
# forward resolution for localhost
#
zone "localhost" in {
type master;
file "localhost.zone";
};

#
# reverse resolution for localhost
#
zone "0.0.127.in-addr.arpa" in {
type master;
file "127.0.0.zone";
};

The zone entry for the root DNS servers contains a reference to a
file containing the addresses of the root DNS servers. This file
(root.hint) is generated in the directory /var/lib/named/ during the
installation of the package bind.

The 2 files for the resolution of localhost are also generated during
the installation. The structure of these files is explained later.

With these entries, the DNS server sends queries it cannot answer
itself directly to the responsible DNS servers. However, this
resolution method can be very slow. This problem can be solved by
using forwarders.

With forwarders, the DNS server has the addresses of other DNS
servers to ask in case it cannot resolve a host name itself. You
might be able to use the DNS servers of an Internet provider for
this purpose, as they usually have a lot of information in their
cache.

You can define these DNS servers in the options block in the file
/etc/named.conf, as in the following:


options
{
directory "/var/lib/named";

forwarders
{
10.0.0.254;
};
};

You can enter up to 3 DNS server addresses. Queries that cannot be
resolved by the local DNS server are forwarded to one of the
specified DNS servers.

If these DNS servers cannot be reached, the queries are sent directly
to the root DNS servers.

Configure a Master Server for Your Domain

The following are the tasks you need to do to configure a master
DNS server for your domain:
■ Adapt the Main Server Configuration File
■ Create the Zone Files
■ Create Additional Resource Records

Adapt the Main Server Configuration File

You can adapt the caching-only DNS server configuration to
configure a DNS server that contains its own information files.

This configuration already contains the global entries for the
directory and the forwarders (which can be omitted) in the
options block. The file also contains the mandatory entries for the
root servers and the resolution of localhost.


The global options are followed by definitions for the database files
(or zone files) for the domains this DNS server serves. At least 2
files are necessary for each domain:
■ A file for forward resolution (allocating an IP address to a
computer name)
■ A file for reverse resolution (allocating a computer name to an
IP address)

If several subnets belong to a domain, then one file for each of these
networks must be created for reverse resolution.

Each definition begins with the instruction zone (this is why the
database files are also known as zone files), followed by the name
of this zone.

For forward resolution, this is always the domain name. For reverse
resolution, the network prefix of the IP address must be given in
reverse order (10.0.0.0 becomes 0.0.10.) to which the suffix
in-addr.arpa is added (0.0.10.in-addr.arpa).

The zone name is always followed by an “in” for Internet. (DNS
servers can administer information on different name spaces, not
only that of the Internet. Other name spaces are practically never
used).

The text in curly brackets defines the type of DNS server this is for
the corresponding zone (here it is always the type master; other
types are introduced later).

Finally, there is the name of the file in which the entries for this
zone are located.


The entries for the Digital Airlines configuration look like the
following:
#
# forward resolution for the domain digitalairlines.com
#
zone "digitalairlines.com" in
{
type master;
file "master/digitalairlines.com.zone";
};
#
# reverse resolution for the network 10.0.0.0
#
zone "0.0.10.in-addr.arpa" in
{
type master;
file "master/10.0.0.zone";
};
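As an added example (not from the course), the shell functions below build the zone statements for a domain and its networks: the reverse zone name is derived by reversing the network octets and appending in-addr.arpa, as described above, and the file names follow the master/ subdirectory convention of the Digital Airlines configuration. Only octet-aligned prefixes (/8, /16, /24) are handled, and the statements are printed rather than written to /etc/named.conf.

```shell
#!/bin/sh
# Added example, not part of the course: derive the zone statements for a
# domain and its networks. The reverse zone name is built by reversing the
# network octets covered by the prefix and appending in-addr.arpa, exactly
# as 10.0.0.0/24 becomes 0.0.10.in-addr.arpa. The output is printed, not
# written to /etc/named.conf.

# reverse_zone NETWORK/PREFIX -> e.g. 0.0.10.in-addr.arpa
reverse_zone() {
    network=${1%/*}
    prefix=${1#*/}
    case $prefix in
        8|16|24) ;;
        *) echo "reverse_zone: prefix /$prefix is not octet aligned" >&2; return 1 ;;
    esac
    saved_ifs=$IFS; IFS=.; set -- $network; IFS=$saved_ifs
    [ $# -eq 4 ] || return 1
    case $prefix in
        8)  echo "$1.in-addr.arpa" ;;
        16) echo "$2.$1.in-addr.arpa" ;;
        24) echo "$3.$2.$1.in-addr.arpa" ;;
    esac
}

# zone_file_name NETWORK/PREFIX -> e.g. master/10.0.0.zone (the naming used above)
zone_file_name() {
    network=${1%/*}
    prefix=${1#*/}
    saved_ifs=$IFS; IFS=.; set -- $network; IFS=$saved_ifs
    [ $# -eq 4 ] || return 1
    case $prefix in
        8)  echo "master/$1.zone" ;;
        16) echo "master/$1.$2.zone" ;;
        24) echo "master/$1.$2.$3.zone" ;;
        *)  return 1 ;;
    esac
}

# master_zones DOMAIN NETWORK/PREFIX...
# Prints the forward zone statement for DOMAIN and one reverse zone
# statement per network, in the layout of the named.conf entries above.
master_zones() {
    domain=$1
    shift
    printf '#\n# forward resolution for the domain %s\n#\n' "$domain"
    printf 'zone "%s" in\n{\ntype master;\nfile "master/%s.zone";\n};\n' "$domain" "$domain"
    for net in "$@"; do
        rz=$(reverse_zone "$net") || return 1
        zf=$(zone_file_name "$net") || return 1
        printf '#\n# reverse resolution for the network %s\n#\n' "${net%/*}"
        printf 'zone "%s" in\n{\ntype master;\nfile "%s";\n};\n' "$rz" "$zf"
    done
}

# The Digital Airlines domain and network from the text above.
master_zones digitalairlines.com 10.0.0.0/24
```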

Create the Zone Files

The 2 files for the domain localhost and the file for the root DNS
servers are always included in the installation. You do not need to
change these files; however, you must create the files required for
the actual domain.

The subdirectory /var/lib/named/master/ is used for the database
files of a master server.

In these files, the semicolon is used as a comment sign.

Structure of the Files

Each of the database files consists of a series of entries, or resource
records. The syntax of these records is always as follows:

reference [TTL] class type value


The following describes each part of a record:


■ reference
  The reference to which the record refers. This can be a domain
  (or subdomain) or a standalone computer (name or IP address).
■ TTL
  The Time To Live value for the record. If it is omitted, the
  default TTL value is used.
■ class
  The class of the record. For TCP/IP networks, this is always IN
  (internet).
■ type
  The type of the record. The most important types are listed in
  the table below.
■ value
  The value of the record. The value depends on the type of
  record as listed in the following:

Record Type   Meaning             Value
SOA           Start of Authority  Parameter for the domain (term for the authority)
NS            DNS server          Name of one of the DNS servers for this domain
MX            Mail exchanger      Name and priority of a mail server for this domain
A             Address             IP address of a computer
PTR           Pointer             Name of a computer
CNAME         Canonical name      Alias name for a computer


Individual entries must always start in the first column with the reference.
If an entry does not start in the first column, the reference is taken from the
previous entry.

The File /var/lib/named/master/digitalairlines.com.zone

Unlike earlier versions of BIND, BIND 9 requires you to specify a
default TTL for all information at the beginning. This value is used
whenever the TTL has not been explicitly given for an entry.

You define the TTL with the following instruction:


;
; definition of a standard time to live, here: two days
;
$TTL 172800

In this example, the TTL is given in seconds. But it can be given in
other units, such as 2D for two days. Other units are M (minutes), H
(hours), and W (weeks).

This is followed by the definition of the SOA (Start of Authority)
entry, which specifies which DNS server has the authority for this
domain:
;
; SOA Entry
;
digitalairlines.com. IN SOA da1.digitalairlines.com. adm.digitalairlines.com. (
        2004092601 ; serial number
        1D         ; refresh (one day)
        2H         ; retry (two hours)
        1W         ; expiry time (one week)
        3H         ; "negative" validity (three hours)
        )

The domain to which this entry refers (here, digitalairlines.com) is
listed first. The domain name must end with a dot. If a name does
not have a dot at the end, the name of the domain is added on,
which could lead to an error here.


After the SOA entry the name of the DNS server is listed (in this
example, da1.digitalairlines.com with a dot at the end).
Alternatively, you could write da1, and the domain name
digitalairlines.com would be added after the name.

Next comes the email address of the person who is responsible for
the administration of the DNS server. The “@” usually used in
email addresses must be replaced by a dot (so the address
adm@digitalairlines.com appears in this example as
adm.digitalairlines.com). This is necessary because @ has a special
meaning as an abbreviation.

After this information, there is a serial number. Any number can be
used, but normally the date and a version number are used here.
After any change to the data in this file, the serial number has to be
increased.

Slave servers use this number to detect if they need to copy this
zone file or not. If the serial number on the master server is greater
than that on the slave server, the file is copied.

This is followed by the following time information (the first three
entries listed here are only important for slave servers):
■ The first entry causes a slave server to query a master server
  after this length of time, to see if there is a new version of the
  files (in the example, this is 1D or one day).
■ If the slave server cannot reach the master server, the next time
  entry specifies at what intervals new attempts should be made
  (in the example, this is 2H or two hours).
■ If the master server is not reached for a longer period of time,
  the third time entry specifies when the slave server should
  discard its information on this zone (in the example, this is 1W
  or a week).
■ The basic idea here is that it is better not to pass on any
  information than to pass on outdated information.


■ The fourth entry defines for how long negative responses from
the DNS server are valid. Each requesting server stores
responses in its cache, even if a computer name could not be
resolved (in the example, this is 3H or 3 hours).

These time definitions are followed by the name of the computer
that is responsible for this domain as the DNS server. In all cases,
the master server must be entered here. If slave servers are used,
they should also be entered, as in the following:
;
; entry for the name server
;
digitalairlines.com. IN NS da1.digitalairlines.com.

The name of the domain can be omitted at this point. Then the name
from the previous entry is taken (the SOA entry).

At the end of this file are the IP addresses that are allocated to
computer names. This is done with A (address) entries, as in the
following:
;
; Allocation of IP addresses to host names
;
da10 IN A 10.0.0.10
da12 IN A 10.0.0.12
da13 IN A 10.0.0.13
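As an added example (not part of the course material), the following Python code parses a zone file according to the record syntax described above: it strips ';' comments, applies $TTL, joins the multi-line SOA in parentheses, and implements the rule that an entry not starting in the first column inherits the previous reference; it also derives the reverse zone name from a network prefix. The embedded zone text is a constructed sample modelled on the forward zone above.

```python
"""Parse a BIND zone file into resource records, applying the rules from
the text: ';' starts a comment, $TTL sets the default TTL, an entry in
parentheses may span several lines, and an entry that does not start
in the first column inherits the reference of the previous entry."""
from dataclasses import dataclass

UNITS = {"S": 1, "M": 60, "H": 3600, "D": 86400, "W": 604800}

# Constructed sample, modelled on the forward zone shown above; the
# "da12" line carries an explicit TTL to show the optional field.
FORWARD_ZONE = """\
;
; definition of a standard time to live, here: two days
;
$TTL 172800
digitalairlines.com. IN SOA da1.digitalairlines.com. adm.digitalairlines.com. (
        2004092601 ; serial number
        1D         ; refresh (one day)
        2H         ; retry (two hours)
        1W         ; expiry time (one week)
        3H         ; "negative" validity (three hours)
        )
        IN NS da1.digitalairlines.com.
da10    IN A 10.0.0.10
da12 1D IN A 10.0.0.12
www     IN CNAME da10
"""


@dataclass
class Record:
    name: str      # reference, made absolute by appending the zone origin
    ttl: int       # seconds; the $TTL default when the record has none
    rclass: str    # always IN for TCP/IP networks
    rtype: str     # SOA, NS, MX, A, PTR, CNAME, ...
    value: str     # the rest of the entry, whitespace-normalised


def parse_ttl(text):
    """Seconds, or a number with a unit suffix such as 2D, 3H or 1W."""
    text = text.upper()
    if text[-1] in UNITS and text[:-1].isdigit():
        return int(text[:-1]) * UNITS[text[-1]]
    return int(text)


def absolute(name, origin):
    """Names without a trailing dot get the domain name appended."""
    if name == "@":
        return origin
    return name if name.endswith(".") else name + "." + origin


def logical_lines(text):
    """Yield entries with '(' ... ')' continuation lines joined, comments
    removed, and the leading whitespace of the first line preserved."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth <= 0:
            yield " ".join(buf)
            buf, depth = [], 0


def parse_zone(text, origin):
    """Return the records of `text`; `origin` is the zone name from
    named.conf, used to complete relative names."""
    origin = origin if origin.endswith(".") else origin + "."
    default_ttl, last_name, records = None, origin, []
    for line in logical_lines(text):
        tokens = line.replace("(", " ").replace(")", " ").split()
        if not tokens:
            continue
        if tokens[0] == "$TTL":
            default_ttl = parse_ttl(tokens[1])
            continue
        if line[0] in " \t":              # reference omitted: reuse previous
            name = last_name
        else:
            name = last_name = absolute(tokens.pop(0), origin)
        ttl = default_ttl
        if tokens[0][0].isdigit():        # optional per-record TTL
            ttl = parse_ttl(tokens.pop(0))
        rclass, rtype = tokens.pop(0).upper(), tokens.pop(0).upper()
        records.append(Record(name, ttl, rclass, rtype, " ".join(tokens)))
    return records


def soa_serial(records):
    """The serial is the third value of the SOA record, after the primary
    server and the mailbox of the responsible person."""
    soa = next(r for r in records if r.rtype == "SOA")
    return int(soa.value.split()[2])


def reverse_zone(network, prefix_len):
    """10.0.0.0 with a 24-bit prefix -> 0.0.10.in-addr.arpa: keep the
    network octets, reverse them and append the in-addr.arpa suffix."""
    octets = network.split(".")[: prefix_len // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"
```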

The File /var/lib/named/master/10.0.0.zone

The file for reverse resolution contains similar entries as the file for
forward resolution. At the beginning of the file there is the
definition of a default TTL and an SOA entry.


In the SOA and NS entries, the IP address of the network is written
in reverse order:
; Database file for the domain digitalairlines.com:
; reverse resolution for the network 10.0.0.0
;
; Definition of a default TTL, here: two days
;
$TTL 172800
;
; SOA entry
;
0.0.10.in-addr.arpa. IN SOA da1.digitalairlines.com. adm.digitalairlines.com. (
        2004092601 ; serial number
        1D         ; refresh (one day)
        2H         ; retry (two hours)
        1W         ; expiry time (one week)
        3H         ; "negative" validity (three hours)
        )
;
; Entry for the name server
;
        IN NS da1.digitalairlines.com.

At the end of this file are the IP addresses that are allocated to
computer names, this time with the PTR (Pointer) entry, as in the
following:
;
; Allocation of host names to IP addresses
;
10 IN PTR da10.digitalairlines.com.
12 IN PTR da12.digitalairlines.com.
13 IN PTR da13.digitalairlines.com.
14 IN PTR da14.digitalairlines.com.

The following 2 files must exist for the local computer. These are
created automatically during installation and should not be
modified.


The File /var/lib/named/master/localhost.zone

The following is an example of the file
/var/lib/named/master/localhost.zone:
$TTL 1W
@ IN SOA @ root (
        42 ; serial (d. adams)
        2D ; refresh
        4H ; retry
        6W ; expiry
        1W ) ; minimum

        IN NS @
        IN A 127.0.0.1

In this example, the “@” character is used as an abbreviation (for
this reason, it must be replaced by a dot in the email address in the
database files).

Using “@” instead of the domain name causes the file
/etc/named.conf to be read to see for which domain this file is
responsible.

In this case, it is localhost, which is also used for the name of the
DNS server (this is why “@” appears many times in the file).


The File /var/lib/named/master/127.0.0.zone

In this file, the abbreviation “@” is also used. But here the
computer name must be given explicitly with localhost (remember
the dot at the end):
$TTL 1W
@ IN SOA localhost. root.localhost. (
        42 ; serial (d. adams)
        2D ; refresh
        4H ; retry
        6W ; expiry
        1W ) ; minimum

        IN NS localhost.
1       IN PTR localhost.

Create Additional Resource Records

Apart from the resource records already discussed (SOA, NS, A,
PTR), there are MX and CNAME resource records, which are used
to do the following:
■ Define Mail Servers for the Domain
■ Assign Aliases for Computers

Define Mail Servers for the Domain

To be able to use email addresses in the form
geeko@digitalairlines.com, the email server responsible for the
domain must be defined (the email cannot be sent directly to the
domain, but must be sent to a mail server).

To achieve this, an MX (Mail Exchange) entry must be made in the
database file for forward resolution, after the DNS server entry:
digitalairlines.com. IN MX 0 mail
                     IN MX 10 da1
                     IN MX 10 da5


If an email is now sent to the address geeko@digitalairlines.com,
the computer sending the mail asks the DNS server which computer
is the mail server, and is sent the list of the MX entries in return.

Several mail servers can be given. On the basis of their priorities, it
is then decided to which computer the email is sent. The priority of
mail servers is defined by the number in front of the computer
name; the lower this number, the higher the priority.

In this example the computer mail.digitalairlines.com has the
highest priority (and is therefore the primary mail server).
da1.digitalairlines.com and da5.digitalairlines.com both have the
same priority.

If the mail server with the highest priority cannot be reached, the
mail server with the second highest priority is used. If several mail
servers have the same priority, then one of them is chosen at
random. An address entry must be made for each mail server.

Assign Aliases for Computers

If you want a computer to be reached by more than one name (such
as addressing a computer as da30.digitalairlines.com and
www.digitalairlines.com), then corresponding aliases must be given.
These are the CNAME (canonical name) entries in the database file
for forward resolution:
da30 IN A 10.0.0.30
www  IN CNAME da30

The names of the mail servers for the domain (MX entry) cannot be alias
names, since some mail servers cannot handle this correctly.
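The priority rule and the no-alias rule for mail servers, as an added Python example that is not part of the course material: it orders MX hosts the way a sending server tries them and flags MX targets that lack an A record or point at a CNAME. The record list is constructed; the address of da5 is deliberately left out and the host relay is a constructed alias so that both checks fire.

```python
"""Pick the delivery order from MX records and lint their targets: each
mail server needs an address record, and an MX must not point at a
CNAME alias (see the note on aliases above)."""
import random
from collections import defaultdict

# Constructed sample in (name, type, value) form, modelled on the MX and
# CNAME entries above; names are written as FQDNs. The A record of da5
# is deliberately missing and "relay" is an alias, to exercise both checks.
RECORDS = [
    ("digitalairlines.com.", "MX", "0 mail.digitalairlines.com."),
    ("digitalairlines.com.", "MX", "10 da1.digitalairlines.com."),
    ("digitalairlines.com.", "MX", "10 da5.digitalairlines.com."),
    ("digitalairlines.com.", "MX", "20 relay.digitalairlines.com."),
    ("mail.digitalairlines.com.", "A", "10.0.0.25"),
    ("da1.digitalairlines.com.", "A", "10.0.0.254"),
    ("da30.digitalairlines.com.", "A", "10.0.0.30"),
    ("www.digitalairlines.com.", "CNAME", "da30.digitalairlines.com."),
    ("relay.digitalairlines.com.", "CNAME", "da1.digitalairlines.com."),
]


def mx_by_priority(records, domain):
    """Group MX targets of `domain` by priority number (lower = preferred)."""
    groups = defaultdict(list)
    for name, rtype, value in records:
        if name == domain and rtype == "MX":
            priority, host = value.split()
            groups[int(priority)].append(host)
    return groups


def delivery_order(records, domain, seed=None):
    """Order in which a sending mail server tries the MX hosts: by rising
    priority number, and in random order within the same priority."""
    rng = random.Random(seed)
    order = []
    for _priority, hosts in sorted(mx_by_priority(records, domain).items()):
        hosts = list(hosts)
        rng.shuffle(hosts)
        order.extend(hosts)
    return order


def check_mx_targets(records, domain):
    """Return one problem string per MX target that is an alias or has no
    A record; an empty list means the MX entries are usable."""
    types = defaultdict(set)
    for name, rtype, _ in records:
        types[name].add(rtype)
    problems = []
    for hosts in mx_by_priority(records, domain).values():
        for host in hosts:
            if "CNAME" in types[host]:
                problems.append(f"{host}: MX target is a CNAME alias")
            elif "A" not in types[host]:
                problems.append(f"{host}: MX target has no A record")
    return problems
```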


Configure One or More Slave Servers

To guarantee reliable operation, at least one more DNS server
besides the master server is required. This can take over part of the
load from the DNS master server. But it is especially important in
case the DNS master server is not available. This new DNS server is
set up as a DNS slave server.

The essential difference between the two types is that a slave server
receives copies of the zone files from the master server.
Modifications to the zone files are only made on the master server.

As soon as a slave server is started, it connects to the master server
and receives a copy of the zone files from it. This is called a zone
transfer.

Comparison of data between the servers takes place automatically.
On the one hand, the slave server queries the master server at
regular intervals and detects, using the serial number of the zone
files, whether anything has changed.

By default, the master server sends a message to all listed slave
servers (called notify) as soon as it has been restarted in order to
read in modified zone files.

In the configuration file /etc/named.conf for a slave server, there are
at least 2 entries that define it as a master server: the 2 zone
definitions for the loopback network (localhost).

There might also be a zone definition for the root DNS server. But a
zone definition is only necessary if the slave server will forward
requests to other DNS servers.


The definitions for zones for which it should copy data from the
master server look like the following:
zone "digitalairlines.com" in
{
    type slave;
    file "slave/digitalairlines.com.zone";
    masters
    {
        10.0.0.254;
    };
};

The slave server gets data from the master server with the IP
address 10.0.0.254 and stores it in the directory
/var/lib/named/slave/. This directory is created when you install the
BIND package.

A similar configuration must be made for reverse resolution, as in
the following:
zone "0.0.10.in-addr.arpa" in
{
    type slave;
    file "slave/10.0.0.zone";
    masters
    {
        10.0.0.254;
    };
};

In the simplest configuration, the slave server gets information from
the master server at regular intervals. This can cause the slave server
to provide outdated information for a certain length of time.

This is why it is reasonable to instruct the master server to inform
the slave servers about modifications in the database files. The slave
servers then immediately carry out a zone transfer, which always
brings them up to date.
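The refresh, retry and expiry timers of the SOA record and the effect of a notify, modelled as an added Python example (not from the course material) that also builds the next serial number in the YYYYMMDDnn form used later in the exercise; times are plain seconds, and the timer values in the test are those of the digitalairlines.com zone above.

```python
"""Model of how a slave server uses the SOA timers: refresh, retry and
expiry decide when it asks the master, when it tries again after a
failed contact, and when it discards the zone; a notify from the master
short-cuts the wait. All times are in seconds."""
from dataclasses import dataclass


@dataclass
class SoaTimers:
    refresh: int   # e.g. 1D: how often the slave polls the master
    retry: int     # e.g. 2H: interval between attempts after a failure
    expire: int    # e.g. 1W: discard the zone if the master stays unreachable


@dataclass
class SlaveZone:
    serial: int
    last_contact: int        # time of the last successful check or transfer
    next_check: int          # earliest time of the next query to the master
    expired: bool = False    # True: the slave answers nothing for this zone


def notify(zone, now):
    """The master's notify makes the slave check right away instead of
    waiting for the refresh interval to elapse."""
    zone.next_check = now


def slave_tick(zone, timers, now, master_serial=None):
    """Advance the slave to time `now`. master_serial is None when the
    master cannot be reached. Returns the action the slave took."""
    if now < zone.next_check:
        return "idle"
    if master_serial is None:
        zone.next_check = now + timers.retry
        if now - zone.last_contact >= timers.expire:
            zone.expired = True            # better no data than stale data
            return "expire"
        return "retry"
    zone.last_contact = now
    zone.next_check = now + timers.refresh
    if zone.expired or master_serial > zone.serial:
        zone.serial = master_serial        # full zone transfer
        zone.expired = False
        return "transfer"
    return "up-to-date"


def next_serial(current, today):
    """Serial in the YYYYMMDDnn form: the first change on a day is nn=01,
    later changes the same day count up. The result is always greater
    than `current`, which is what a slave compares against."""
    first_today = int(today) * 100 + 1
    return max(first_today, current + 1)
```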


In order for the master server to be able to communicate with the
slave servers, it must know about them. By default, the master
server automatically informs its slave servers. But this can also be
done in the options section of the file /etc/named.conf, as in the
following:
options
{
    ...
    notify yes;
};

Subsequently, the slave servers must be entered as DNS servers in
the database files (of the forward and reverse resolution):
digitalairlines.com. IN NS da8.digitalairlines.com.

        IN NS da8.digitalairlines.com.

This informs the slave server, da8.digitalairlines.com, about all
modifications.

Configure the Client Computers to Use the DNS Server

You can use YaST to configure a client computer during installation
to use the DNS server (configuration of the network) or later. You
simply have to enter the IP address of the DNS server and possibly
add some information about your domain.

This information is written to the file /etc/resolv.conf, as in the
following:
search digitalairlines.com
nameserver 10.0.0.254


Normally, this file has the following 2 types of entries:
■ search
  A list of the names of domains (or subdomains) is provided
  after this keyword. Several domain names are entered on one
  line. This allows only the host name to be used to resolve to the
  correct IP address.
  The host name is expanded by the domain names specified here
  until a matching IP address is found.
  For example, if you provide digitalairlines.com and
  atl.digitalairlines.com as domain names, the host name server is
  expanded to server.digitalairlines.com and
  server.atl.digitalairlines.com to look for a corresponding IP
  address. The first matching IP address is returned.
  If both of these host names exist, you have to specify the FQDN
  to resolve the IP address.
■ nameserver
  The keyword nameserver specifies the IP address of a DNS
  server to use. You can have up to 3 entries, but each of them
  must only contain 1 server address. If several entries of this
  type exist, the DNS servers are queried in this order.

There is another important file for the clients:
/etc/nsswitch.conf. This file applies to all programs that use the
resolver functions of the current GNU C Library (libc6). (The
predecessor of this file is /etc/host.conf, which applies to older
versions of the GNU C Library.)

This file configures the name service switch, which is responsible
for resolving host names, network names, users, and groups.


The relevant part for resolving host names looks like the following:
#
# /etc/nsswitch.conf
#
...
hosts: files dns
networks: files dns
...

Both entries shown here define that the first attempt to resolve a
host name is made using the file /etc/hosts. If this fails, a DNS server
resolves the name. The same applies to the resolution of network
names, which is done using /etc/networks first.
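Client-side resolution as configured by the two files above, as an added Python example that is not part of the course material: the hosts line of /etc/nsswitch.conf fixes the order of sources, and the search list of /etc/resolv.conf expands a bare host name. The configuration texts and the DNS answer table are constructed samples, and the real resolver's ndots threshold is left out.

```python
"""Client-side name resolution as configured by /etc/nsswitch.conf and
/etc/resolv.conf: the 'hosts' line gives the order of sources (files,
then DNS) and the search list expands a bare host name."""

# Constructed sample files and a constructed answer table standing in
# for the DNS server at 10.0.0.254.
NSSWITCH_CONF = """\
passwd:   compat
hosts:    files dns
networks: files dns
"""
RESOLV_CONF = """\
search digitalairlines.com atl.digitalairlines.com
nameserver 10.0.0.254
"""
HOSTS_FILE = """\
127.0.0.1  localhost
10.0.0.2   da2.digitalairlines.com da2
"""
DNS_ANSWERS = {
    "server.digitalairlines.com": "10.0.0.40",
    "server.atl.digitalairlines.com": "10.0.1.40",
    "da10.digitalairlines.com": "10.0.0.10",
}


def nsswitch_order(text, database="hosts"):
    """Sources listed after 'hosts:' in the order they are consulted."""
    for line in text.splitlines():
        key, _, sources = line.partition(":")
        if key.strip() == database:
            return sources.split()
    return ["files"]


def parse_resolv_conf(text):
    """Search list and at most three nameserver addresses."""
    search, nameservers = [], []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "search":
            search = parts[1:]
        elif parts[0] == "nameserver" and len(nameservers) < 3:
            nameservers.append(parts[1])
    return search, nameservers


def lookup_files(name, hosts_text):
    """/etc/hosts: address of the first line whose names include `name`."""
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) > 1 and name in fields[1:]:
            return fields[0]
    return None


def lookup_dns(name, search, answers):
    """Expand the name with each search domain in turn and return the
    first (fqdn, address) match; a name ending in '.' is used as given.
    Simplified: the real resolver also applies an ndots threshold."""
    if name.endswith("."):
        candidates = [name.rstrip(".")]
    else:
        candidates = [f"{name}.{domain}" for domain in search] + [name]
    for fqdn in candidates:
        if fqdn in answers:
            return fqdn, answers[fqdn]
    return None


def resolve(name, nsswitch=NSSWITCH_CONF, resolv=RESOLV_CONF,
            hosts=HOSTS_FILE, answers=DNS_ANSWERS):
    """Resolve `name` as a client with these files would; returns
    (source, address) or None when no source knows the name."""
    search, _nameservers = parse_resolv_conf(resolv)
    for source in nsswitch_order(nsswitch):
        if source == "files":
            addr = lookup_files(name, hosts)
            if addr:
                return "files", addr
        elif source == "dns":
            hit = lookup_dns(name, search, answers)
            if hit:
                return "dns", hit[1]
    return None
```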

Use Command Line Tools to Query DNS Servers

Several command line tools are available to query DNS servers.
These include the following:
■ host Command
■ dig Command

host Command

The most important command line tool for querying a DNS server is
called host. The general syntax is as follows:

host computer nameserver

The following example shows how it is used:
da2:~ # host da50
da50.digitalairlines.com has address 10.0.0.50
da2:~ # host 10.0.0.49
49.0.0.10.in-addr.arpa domain name pointer da49.digitalairlines.com.

If a DNS server address is not provided, host contacts the servers
listed in /etc/resolv.conf. If you want to use another DNS server, you
have to provide its IP address with the command.


By default, host returns the IP address or the host name, depending
on which information is given. If you want to query domain
information, you need to use the option -t with the type of
information required, as in the following:
da2:~ # host -t ns novell.com
novell.com name server ns.novell.com.
novell.com name server ns1.westnet.net.
novell.com name server ns.utah.edu.

In this example, the host names of the DNS servers for the domain
novell.com are requested.

dig Command

A more verbose command is dig, which is normally used to
troubleshoot DNS problems. The general syntax is as follows:

dig @nameserver computer type query_options

The options are listed in the following table:

Option         Meaning
nameserver     The IP address or name of the DNS server that should
               be queried. If not specified, dig checks all DNS
               servers listed in /etc/resolv.conf.
computer       The resource record to query about (such as a host
               name, an IP address, or a domain name).
type           The type of resource record to be returned, such as A
               (IP address), NS (DNS server), MX (mail exchanger),
               or ANY (all information). A pointer (reverse) lookup
               is requested with the option -x followed by the IP
               address.
query_options  Defines how the query is done and how the results
               are displayed. Each query option starts with a plus
               sign (+).

The most important difference between host and dig is that dig does
not use the domain list from /etc/resolv.conf by default to expand
the host name. This means that the FQDN or IP address of the host
must be specified. If the domain list should be used, you need to use
the query option +search.

The following example demonstrates the application:
da2:~ # dig ripe.net ns

; <<>> DiG 9.2.3 <<>> ripe.net ns
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1315
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 9

;; QUESTION SECTION:
;ripe.net. IN NS

;; ANSWER SECTION:
ripe.net. 158814 IN NS ns2.nic.fr.
ripe.net. 158814 IN NS sunic.sunet.se.
ripe.net. 158814 IN NS auth03.ns.uu.net.
ripe.net. 158814 IN NS munnari.oz.au.
ripe.net. 158814 IN NS ns.ripe.net.

;; ADDITIONAL SECTION:
ns.ripe.net. 171939 IN A 193.0.0.193
ns.ripe.net. 171939 IN AAAA 2001:610:240:0:53::193
ns2.nic.fr. 344302 IN A 192.93.0.4
ns2.nic.fr. 344302 IN AAAA 2001:660:3005:1::1:2
sunic.sunet.se. 172586 IN A 192.36.125.2
auth03.ns.uu.net. 170436 IN A 198.6.1.83
munnari.oz.au. 170107 IN A 128.250.22.2
munnari.oz.au. 170107 IN A 128.250.1.21
munnari.oz.au. 21410 IN AAAA 2001:388:c02:4000::1:21

;; Query time: 51 msec
;; SERVER: 10.0.0.254#53(10.0.0.254)
;; WHEN: Mon Sep 27 15:27:01 2004
;; MSG SIZE rcvd: 329

The QUESTION SECTION shows what was queried and the
ANSWER SECTION shows the response: a list of DNS servers of
the domain ripe.net.

The IP addresses of certain DNS servers are listed under
ADDITIONAL SECTION. The address in the last line is an IPv6
address (2001:388:c02:4000::1:21).

Data about the query, such as the duration of the query (Query
time), the server that answered the query (SERVER), and the date
of the query (WHEN) are listed at the end of the output.

Find More Information About DNS

If there are syntax errors in one of the configuration or zone files,
BIND writes verbose messages to the file /var/log/messages. These
messages also contain information on the filename and the line in
which this error occurs.

If there is an error, the processing of the file is interrupted at this
point (that is, errors later in the file are not detected now).


For more information about BIND and DNS, see DNS and BIND by Paul
Albitz and Cricket Liu and the BIND homepage at
http://www.isc.org/sw/bind/.


Exercise 3-1: Configure a DNS server

In this exercise, you work with a partner to configure a DNS master
server and a DNS slave server for the domain digitalairlines.com.
You need to work as a team on all parts of the exercise.

Do the following:
■ Part I: Install BIND
■ Part II: Configure a DNS Master Server
■ Part III: Configure the DNS Slave Server on the Second
Machine

This exercise requires extensive typing to create your DNS files. To save
you some time, the files digitalairlines.com.zone and 10.0.0.zone are
included on your 3038 Course CD in the directory /exercises/section_3.

Part I: Install BIND

Do the following on both SLES 9 servers:

1. From the KDE menu, select System > YaST.

2. Enter the root password and select OK.

3. From the YaST Control Center, select Software > Install and
Remove Software.

4. From the filter drop-down menu, select Search.

5. In the Search field, enter bind; then select Search.

6. On the right, select the bind package.

7. Select Accept; then insert the requested SLES 9 CD.

8. When installation is complete, close the YaST Control Center.


Part II: Configure a DNS Master Server

Decide which SLES 9 server will be the DNS master server, then do
the following only on the master server:

1. Open a terminal window and su to root.

2. Open the file /etc/named.conf in a text editor.

3. Configure the forwarders line to match the following:
forwarders { 10.0.0.254; };
Make sure that you delete the comment character from the
beginning of the forwarders line.

4. Add the following 2 zone statements after the existing zone
statements:
zone "digitalairlines.com" in {
    type master;
    file "master/digitalairlines.com.zone";
};

zone "0.0.10.in-addr.arpa" in {
    type master;
    file "master/10.0.0.zone";
};

5. Save and close the file.

6. Create a new file digitalairlines.com.zone in the directory
/var/lib/named/master/.


7. Enter the following zone configuration in the file:
$TTL 172800

digitalairlines.com. IN SOA your_FQHN. root.digitalairlines.com. (
        serial_number
        1D
        2H
        1W
        3H
        )

digitalairlines.com. IN NS your_FQHN.

da10 IN A 10.0.0.10
da11 IN A 10.0.0.11
da12 IN A 10.0.0.12

The SOA record (including root.digitalairlines.com) should be
on a single line. Make sure you enter your FQHN (such as
da50.digitalairlines.com) in the SOA and NS records. Use the
current date and “01” as the serial number (such as
2005071501).

8. Save and close the file.

9. Create a new file 10.0.0.zone in the directory
/var/lib/named/master/.


10. Enter the following zone configuration in the file:
$TTL 172800
0.0.10.in-addr.arpa. IN SOA your_FQHN. root.digitalairlines.com. (
        serial_number
        1D
        2H
        1W
        3H
        )

        IN NS your_FQHN.

10 IN PTR da10.digitalairlines.com.
11 IN PTR da11.digitalairlines.com.
12 IN PTR da12.digitalairlines.com.

The SOA record (including root.digitalairlines.com) should be
on a single line. Make sure you enter your FQHN (such as
da50.digitalairlines.com) in the SOA and NS records. Use the
current date and “01” as the serial number (such as
2005071501).

11. Save and close the file.

12. Open a second terminal window and su to root.

13. Enter the following command:
tail -f /var/log/messages

14. Switch to the first terminal window and start bind with the
following command:
rcnamed start

15. From the second terminal window, watch the log output of bind
for any messages such as Unknown RR type or file not found.

16. If any errors occur, try to fix them and restart bind.


One solution is to edit the digitalairlines.com.zone file by replacing
“digitalairlines.com. IN SOA...” with “@ IN SOA...” and to edit the
10.0.0.zone file by replacing “0.0.10.in-addr.arpa. IN SOA...” with “@
IN SOA...”.

17. From the first terminal window, start bind automatically when
the system is booted by entering the following:
insserv named

18. Open the file /etc/resolv.conf in a text editor.

19. Delete all existing nameserver entries.

20. Add the following entry:
nameserver your_ip_address

21. Save and close the file.

22. Verify that your DNS server works by entering the following
command:
host da10.digitalairlines.com


23. Add a new DNS record for the slave server in the file
/var/lib/named/master/digitalairlines.com.zone:
$TTL 172800

digitalairlines.com. IN SOA your_FQHN. root.digitalairlines.com. (
        serial_number
        1D
        2H
        1W
        3H
        )

digitalairlines.com. IN NS your_FQHN.
digitalairlines.com. IN NS slave_FQHN.

da10 IN A 10.0.0.10
da11 IN A 10.0.0.11
da12 IN A 10.0.0.12

24. Add a new DNS record for the slave server in the file
/var/lib/named/master/10.0.0.zone:
$TTL 172800
0.0.10.in-addr.arpa. IN SOA your_FQHN. root.digitalairlines.com. (
        serial_number
        1D
        2H
        1W
        3H
        )

        IN NS your_FQHN.
        IN NS slave_FQHN.

10 IN PTR da10.digitalairlines.com.
11 IN PTR da11.digitalairlines.com.
12 IN PTR da12.digitalairlines.com.


Part III: Configure the DNS Slave Server

From the DNS slave server, do the following:

1. Open a terminal window and su to root.

2. Open the file /etc/named.conf in a text editor.

3. Configure the forwarder by entering the following:
forwarders { 10.0.0.254; };

4. Enter the following two zone statements after the existing
statements:
zone "digitalairlines.com" in
{
    type slave;
    file "slave/digitalairlines.com.zone";
    masters
    {
        master_server_ip_address;
    };
};

zone "0.0.10.in-addr.arpa" in
{
    type slave;
    file "slave/10.0.0.zone";
    masters
    {
        master_server_ip_address;
    };
};

5. Save the changes and close the editor.

6. Open a second terminal window and su to root.


7. Enter the following command:
tail -f /var/log/messages

8. Switch to the first terminal window and start bind by entering
the following:
rcnamed start

9. From the second terminal window, watch the log output of bind
for any messages such as Unknown RR type or file not found.

10. If any errors occur, try to fix them and restart bind.

11. Start bind automatically when the system boots by entering the
following:
insserv named

12. Open the file /etc/resolv.conf in a text editor.

13. Delete all existing nameserver entries.

14. Add the following entry:
nameserver your_ip_address

15. Save and close the file.

16. Verify whether or not your DNS server works by entering the
following:
host da10.digitalairlines.com

(End of Exercise)
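Checking the log output watched in step 15 of Part II and step 9 of Part III can be scripted; the following added Python example (not part of the course material) picks out the file and line of a zone-file error and the "file not found" case, and lists the zones in named.conf that never reported a loaded serial. The log lines are constructed samples modelled on BIND 9 message formats, not captured output, and the path, zone and pid values in them are made up.

```python
"""Scan named's log lines (as written to /var/log/messages) for the
errors the exercise tells you to watch for, and report which zones
loaded with which serial. A real check would read /var/log/messages;
the lines below are constructed, modelled on BIND 9 message formats."""
import re

SAMPLE_LOG = """\
Sep 27 15:20:01 da2 named[4711]: starting BIND 9.2.3
Sep 27 15:20:01 da2 named[4711]: zone localhost/IN: loaded serial 42
Sep 27 15:20:01 da2 named[4711]: /var/lib/named/master/digitalairlines.com.zone:9: unknown RR type 'AA'
Sep 27 15:20:01 da2 named[4711]: zone digitalairlines.com/IN: loading master file master/digitalairlines.com.zone: unknown RR type
Sep 27 15:20:01 da2 named[4711]: zone 0.0.10.in-addr.arpa/IN: loading master file master/10.0.0.zone: file not found
Sep 27 15:20:01 da2 named[4711]: running
"""

# "path:line: message" as the text above describes; the path must contain
# a slash so that the timestamp's colons are never mistaken for it.
FILE_LINE_ERROR = re.compile(r"(?P<file>[\w./-]*/[\w.-]+):(?P<line>\d+): (?P<msg>.*)")
LOAD_FAILED = re.compile(r"zone (?P<zone>\S+)/IN: loading master file (?P<file>\S+): (?P<msg>.*)")
LOADED = re.compile(r"zone (?P<zone>\S+)/IN: loaded serial (?P<serial>\d+)")


def check_named_log(text):
    """Return (problems, loaded): problems as 'file:line: message' or
    'zone: message (file)', loaded as {zone: serial}."""
    problems, loaded = [], {}
    for line in text.splitlines():
        if m := LOADED.search(line):
            loaded[m["zone"]] = int(m["serial"])
        elif m := FILE_LINE_ERROR.search(line):
            problems.append(f"{m['file']}:{m['line']}: {m['msg']}")
        elif m := LOAD_FAILED.search(line):
            problems.append(f"{m['zone']}: {m['msg']} ({m['file']})")
    return problems, loaded


def zones_missing(loaded, expected):
    """Zones from named.conf that did not report a loaded serial; since
    processing stops at the first error, these are the ones to fix."""
    return [zone for zone in expected if zone not in loaded]
```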


Objective 2 Deploy OpenLDAP on a SLES 9 Server


OpenLDAP is the most popular open source LDAP suite. It
provides not only the LDAP server itself, but also applications and
tools to control and query the server and to develop LDAP-based
software.

To deploy an OpenLDAP server with SLES 9, you need to know the
following:
■ The Concept of a Directory Service
■ The Basics of LDAP
■ How to Install and Set Up an OpenLDAP Server
■ How to Add Entries to the LDAP Server
■ How to Query Information from the LDAP Server
■ How to Delete and Modify Entries of the LDAP Server
■ How to Use Graphical LDAP Applications

The Concept of a Directory Service

A directory is a specialized database that is optimized for reading,
browsing and searching. Directories contain descriptive, attribute-
based information and support sophisticated filtering.

Directories are tuned to give quick response to high-volume lookup
or search operations. They can replicate information widely in order
to increase availability and reliability, while reducing response time.

There are many different ways to provide a directory service.
Different methods allow different kinds of information to be stored
in the directory, place different requirements on how that
information can be referenced, queried and updated, and determine
how it is protected from unauthorized access.


Some directory services are local, providing service to a restricted
context (such as the finger service on a single machine). Other
services are global, providing service to a much broader context
(such as the entire Internet).

Directory services can be used for many different purposes. Very
often they are used as databases for user authentication. By default,
SLES 9 uses OpenLDAP for user management and some
configuration purposes.

The Basics of LDAP

LDAP stands for Lightweight Directory Access Protocol. As the
name suggests, it is a lightweight protocol for accessing directory
services. LDAP runs over TCP/IP or other connection-oriented
transfer services.

The LDAP information model is based on entries. An entry is a
collection of attributes that has a globally-unique distinguished
name (DN). The DN is used to refer to the entry. Each of the entry's
attributes has a type and one or more values.

The types are typically mnemonic strings, like "cn" for common
name, or "mail" for email addresses. The syntax of values depend
on the attribute type.

For example, a cn attribute might contain the value “Tux Penguin.”
A mail attribute might contain the value "tux@example.com." A
jpegPhoto attribute might contain a photograph in the JPEG
(binary) format.

In LDAP, directory entries are arranged in a hierarchical tree
structure. If you use LDAP for user management, the structure
normally reflects the organizational structure of the company or
organization.

Under the root of the tree are the country, organization,
organizational unit and leaf objects (such as users).


The following illustrates an LDAP tree:

An entry of the tree is referenced by its DN, which is constructed by
taking the name of the entry itself (called the relative distinguished
name or RDN) and concatenating the names of its ancestor entries.

For example, the entry for Tux Penguin in the example above has a
DN of uid=tux,ou=Management,dc=example,dc=com.

In addition, LDAP allows you to control which attributes are
required and allowed through the use of objectClasses. The
following objectClasses are used when LDAP is used for Linux user
authentication:
■ posixAccount
■ shadowAccount
■ posixGroup


The following is an overview of some of the attributes used in these
object classes:

Attribute abbreviation   Description
uid                      Login of the user
uidNumber                Numerical user ID
gid                      Group name
gidNumber                Numerical group ID
homeDirectory            Home directory
loginShell               Login shell
shadowLastChange         Date of the last password change

Object classes are defined in schema files. OpenLDAP ships with
some basic schema files located in the directory
/etc/openldap/schema.

To create the tree structure, you use container objects, which can
contain other objects. The following is a list of these objects:
■ Root. The root of the directory tree
■ c. Countries
■ o. Organizations
■ ou. Organizational units
■ dc. Domain components

How to Install and Set Up an OpenLDAP Server

To install and set up an OpenLDAP server, you need to do the
following:
■ Install the Required Software and Start the Server
■ Edit the OpenLDAP Configuration Files


Install the Required Software and Start the Server

Normally, YaST sets up an OpenLDAP server during the installation
process of SLES 9.

However, if you chose not to install the server during installation,
you can set up an LDAP server by installing the following software
packages with YaST:
■ openldap2
■ openldap2-client

Edit the OpenLDAP Configuration Files

The configuration files for OpenLDAP are located in the directory
/etc/openldap/. The directory contains 2 configuration files:
■ slapd.conf. This file is the main configuration file for the
OpenLDAP server.
■ ldap.conf. This file contains the default configuration for
LDAP clients.

If you installed the LDAP server during SLES 9 installation, the
configuration file slapd.conf has already been set up. Otherwise,
you need to set the following options of the configuration file to
reflect your environment:
suffix "dc=your-domain,dc=com"

In this line you set the domain components “dc” according to your
domain name.
rootdn "cn=Manager,dc=example,dc=com"

This line sets the administrator of the LDAP server. You can
also configure the domain components in this line.


rootpw secret

This line specifies the password for the administrator. The default
password secret must be changed. For security reasons, the
password should be stored in hashed form rather than as plain text.
To create the hashed password, use the following command (run
slappasswd without -s if you prefer to be prompted for the password
instead of typing it on the command line):
slappasswd -s <your_password>

The command outputs a string that has to be copied into the
configuration file. The entry for the command rootpw looks like the
following:
rootpw {SSHA}rawtcakVvoBls6J6wz2+yPa8H02Dprax
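The string slappasswd prints is a scheme-prefixed, base64-encoded SHA-1 digest of the password and a random salt, with the salt appended so the server can recompute the digest. The following Python is an added example, not code from the course or from OpenLDAP, that builds and verifies {SSHA} values and flags a slapd.conf rootpw line that is still in plain text; the 4-byte salt length matches what slappasswd uses, the function names are chosen here, and parsing the course's sample hash shows only its layout (20-byte digest plus 4-byte salt), not the password behind it.

```python
"""Build, verify and audit OpenLDAP {SSHA} password values (added example)."""
import base64
import hashlib
import hmac
import os

SHA1_LEN = 20   # bytes in a SHA-1 digest
SALT_LEN = 4    # slappasswd appends a 4-byte random salt


def ssha_hash(password, salt=None):
    """Return '{SSHA}' + base64(sha1(password + salt) + salt), the layout
    slappasswd -s produces. A fixed salt is accepted only to make tests
    reproducible; leave it None in real use."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_parse(value):
    """Split an {SSHA} value into (digest, salt). The salt is whatever follows
    the 20-byte digest, so values with other salt lengths parse as well."""
    if not value.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value: " + value)
    raw = base64.b64decode(value[len("{SSHA}"):])
    if len(raw) <= SHA1_LEN:
        raise ValueError("{SSHA} value too short to hold digest and salt")
    return raw[:SHA1_LEN], raw[SHA1_LEN:]


def ssha_verify(password, value):
    """Recompute the digest with the stored salt and compare in constant time."""
    digest, salt = ssha_parse(value)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def check_rootpw_line(line):
    """Classify one slapd.conf line: 'hashed' when the rootpw value carries a
    {SCHEME} prefix, 'plaintext' when it does not (the default the text says
    must be changed), 'other' when the line is not a rootpw directive."""
    parts = line.split(None, 1)
    if len(parts) != 2 or parts[0] != "rootpw":
        return "other"
    return "hashed" if parts[1].strip().startswith("{") else "plaintext"


if __name__ == "__main__":
    value = ssha_hash("example-password")       # constructed sample password
    print(value, ssha_verify("example-password", value))
    print(check_rootpw_line("rootpw secret"))    # the default from the text
    print(check_rootpw_line("rootpw " + value))
```

Running check_rootpw_line over every line of slapd.conf is a quick way to confirm that no plain-text rootpw survived an installation.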

After finishing the configuration, you can start the server with the
following command:
rcldap start

If you want to start the LDAP server automatically when the server
boots, use the following command:
insserv ldap

After you have changed the server configuration file, edit the client
configuration file ldap.conf. You have to add at least 2 lines:
host localhost

This line sets the default server that LDAP clients should connect
to.
base dc=suse,dc=de

This is the default directory search base that should be used by
LDAP clients.

The configuration shown above is for a SLES 9 authentication server.
Depending on your environment, you might need a different setup and tree
structure.


How to Add Entries to the LDAP Server

OpenLDAP provides the command ldapadd to insert data that is in
LDIF format into the directory. You can use files in the LDIF format
to avoid specifying all values on the command line.

LDIF files contain the information that should be included into the
directory service in a plain text format.

You can create a different file for each user you would like to add,
but you can also put multiple user records in one file. An LDIF file
contains the following entries:
■ dn. The distinguished name of the object you want to add.
■ objectclass. The object classes of the new entry.
■ attribute. An attribute of the entry. You normally add more
than one attribute at the same time.

If you installed an LDAP server during installation, the basic tree
structure for user authentication has already been created. If you set
up the server later, you need to create the structure manually with an
LDIF file like the following:
dn: dc=example,dc=com
dc: example
o: example
objectClass: organization
objectClass: dcObject

dn: ou=people,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: people


The file creates 2 entries in the directory tree:
■ The base entry with the DN dc=example,dc=com.
■ An entry below the base entry for the ou people. The dn for this
entry is ou=people,dc=example,dc=com.

Every entry in an LDIF file does the following:
■ Sets the distinguished name of the entry.
■ Lists the object classes used for the entry.
■ Lists the attributes and their corresponding values.

Make sure that there are no empty spaces or tabs at the beginning or end of
a line.

Because LDAP uses Unicode (UTF-8), special characters in LDIF
files have to be encoded in UTF-8, or they might not be evaluated.
This means you need to edit the LDIF file with a Unicode editor, or
convert the file later. You can convert the file by entering the
following command:
recode lat1..utf8 <ldif_file>
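Before handing an LDIF file to ldapadd it pays to check the points the text makes: no blanks at line ends, UTF-8 encoding, a dn for every entry, the attributes an entry's object classes require, and a parent that already exists for every entry. The following Python is an added example, not code from the course or from OpenLDAP, that runs those checks over a constructed LDIF built from the entries above; REQUIRED is a hand-picked subset of the schema, DN splitting assumes no escaped commas, and the function names are chosen here.

```python
"""Sanity-check an LDIF file before handing it to ldapadd (added example)."""

# Constructed sample: the base entry and ou=people from the text, plus one
# user entry below them.
SAMPLE_LDIF = """\
dn: dc=example,dc=com
dc: example
o: example
objectClass: organization
objectClass: dcObject

dn: ou=people,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: people

dn: uid=tux,ou=people,dc=example,dc=com
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
uid: tux
uidNumber: 1010
gidNumber: 100
cn: Tux Penguin
sn: Penguin
homeDirectory: /home/tux
"""

# Assumption: a hand-picked subset of the schema in /etc/openldap/schema.
REQUIRED = {
    "posixaccount": {"cn", "uid", "uidnumber", "gidnumber", "homedirectory"},
    "shadowaccount": {"uid"},
    "inetorgperson": {"cn", "sn"},
}


def parse_ldif(text):
    """Return a list of (dn, {attr: [values]}); attribute names are lower-cased
    because LDAP compares them case-insensitively. A line with leading or
    trailing blanks is rejected, as the text advises (no folded lines here)."""
    entries, dn, attrs = [], None, {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        if raw != raw.strip():
            raise ValueError("line %d: leading or trailing whitespace" % lineno)
        if not raw:                      # a blank line ends the current entry
            if dn is not None:
                entries.append((dn, attrs))
                dn, attrs = None, {}
            continue
        if raw.startswith("#"):          # ldapsearch output contains comments
            continue
        name, sep, value = raw.partition(":")
        if not sep:
            raise ValueError("line %d: not an 'attribute: value' line" % lineno)
        name, value = name.lower(), value.strip()
        if name == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    if dn is not None:
        entries.append((dn, attrs))
    return entries


def split_dn(dn):
    """RDN components of a DN, the entry's own RDN first (no escaped commas)."""
    return [part.strip() for part in dn.split(",")]


def parent_dn(dn):
    return ",".join(split_dn(dn)[1:])


def check_tree(entries):
    """ldapadd adds entries in file order, so every entry after the first must
    hang below an entry that appears earlier in the file."""
    seen, problems = set(), []
    for dn, _ in entries:
        if seen and parent_dn(dn).lower() not in seen:
            problems.append("%s: parent %s not added before it" % (dn, parent_dn(dn)))
        seen.add(dn.lower())
    return problems


def check_required(entries):
    """Report attributes an entry's object classes require but that are missing."""
    problems = []
    for dn, attrs in entries:
        for oc in attrs.get("objectclass", []):
            for attr in sorted(REQUIRED.get(oc.lower(), set()) - set(attrs)):
                problems.append("%s: %s requires %s" % (dn, oc, attr))
    return problems


def lint_ldif(text):
    """Run all checks; an empty list means the file is ready for ldapadd."""
    try:
        entries = parse_ldif(text)
    except ValueError as err:
        return [str(err)]
    return check_tree(entries) + check_required(entries)


def to_utf8(data):
    """What 'recode lat1..utf8' does: keep bytes that already are valid UTF-8,
    otherwise read them as ISO-8859-1 and re-encode them."""
    try:
        data.decode("utf-8")
        return data
    except UnicodeDecodeError:
        return data.decode("latin-1").encode("utf-8")
```

Feed the file's bytes through to_utf8 first and the decoded text through lint_ldif; an empty problem list is the green light for ldapadd.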

The command to insert a data set that exists as an LDIF file looks
like the following:
ldapadd -x -D dn_of_the_administrator -W -f file.ldif

You need to use the -x option because you haven't configured SASL
authentication yet.

Use the option -D to specify the DN you bind to the directory as. This
should be the rootdn specified in the server configuration file.

Use the option -W to display a password prompt. Otherwise, you
must enter the password directly at the command line, where it will
be visible as plain text.

Finally, specify the LDIF file with the option -f.


If the LDIF file is called example.ldif, ldapadd should be run as
follows:
ldapadd -x -D "cn=Manager,dc=example,dc=com" -W -f example.ldif
Enter LDAP Password:
adding new entry "dc=example,dc=com"
adding new entry "cn=people,dc=example,dc=com"

After you have set up the basic tree structure (during or after
installation), you can add a user to the directory with an LDIF file
similar to the following:
dn: uid=geeko,ou=people,dc=suse,dc=de
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
uid: geeko
uidNumber: 1010
gidNumber: 100
cn: Geeko Chameleon
givenName: Geeko
sn: Chameleon
homeDirectory: /home/geeko
loginShell: /bin/bash
shadowMax: 99999
shadowWarning: 7
shadowInactive: -1
shadowMin: 0
shadowLastChange: 12609

This example LDIF file creates a user based on the default LDAP
setup of SLES 9. The attributes are shown below with an
explanation of each:
uid: geeko

This attribute sets the login name of the user.
uidNumber: 1010

This attribute sets the numerical ID of the user.


gidNumber: 100

This attribute sets the default group ID of the user. The value 100
belongs to the group users in a SLES 9 installation.
cn: Geeko Chameleon

This attribute sets the full name of the user.
givenName: Geeko

This attribute sets the given name of the user.
sn: Chameleon

This attribute sets the surname of the user.
homeDirectory: /home/geeko

This attribute sets the path to the home directory of the user.
loginShell: /bin/bash

This attribute sets the login shell of the user. The default for SLES
9 is /bin/bash.
shadowMax: 99999

This attribute sets the number of days before the password expires.
shadowWarning: 7

Users can be warned before their passwords expire. This attribute
sets the number of days before the warning is issued. Set to -1 to
disable the warning.
shadowInactive: -1

This attribute sets the number of days that a user can still log in
after the password expires. Set to -1 to set an unlimited number of
days.
shadowMin: 0

This attribute sets the minimum number of days that need to pass
before a password can be changed.
shadowLastChange: 12609

This attribute sets the date of the last password change, expressed as
the number of days since January 1, 1970.
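The shadow attributes above are plain day counts, so their meaning (expiry, warning window, grace period, and the -1 values that switch the last two off) can be worked through without a server. The following Python is an added example, not code from the course, that converts shadowLastChange to a calendar date and classifies a password on a given day using the rules the text gives; GEEKO is the entry above as a dictionary, and the function names are chosen here.

```python
"""Interpret the shadowAccount attributes of an LDAP user entry (added example)."""
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)   # shadow day counts are days since this date

# Constructed entry: the attribute values from the geeko example above.
GEEKO = {
    "shadowLastChange": "12609",
    "shadowMax": "99999",
    "shadowWarning": "7",
    "shadowInactive": "-1",
    "shadowMin": "0",
}


def days_to_date(days):
    """Calendar date for a shadow day count (12609 is 2004-07-10)."""
    return EPOCH + timedelta(days=int(days))


def date_to_days(day):
    """Inverse of days_to_date, e.g. for writing shadowLastChange."""
    return (day - EPOCH).days


def password_status(entry, today):
    """Classify the password on day 'today' (a shadow day count):
    'expired' once more than shadowMax days have passed since the change,
    'locked' once shadowInactive further days have passed (-1: never),
    'warning' within shadowWarning days of expiry (-1: no warning),
    'ok' otherwise."""
    last = int(entry["shadowLastChange"])
    max_days = int(entry.get("shadowMax", 99999))
    warning = int(entry.get("shadowWarning", -1))
    inactive = int(entry.get("shadowInactive", -1))
    expires = last + max_days
    if today > expires:
        if inactive != -1 and today > expires + inactive:
            return "locked"
        return "expired"
    if warning != -1 and today >= expires - warning:
        return "warning"
    return "ok"


def may_change_password(entry, today):
    """shadowMin days must pass after a change before the next one."""
    return today >= int(entry["shadowLastChange"]) + int(entry.get("shadowMin", 0))


def report(entry, today):
    """One-line summary, e.g. for a periodic account review."""
    last = int(entry["shadowLastChange"])
    expires = last + int(entry.get("shadowMax", 99999))
    return "changed %s, expires %s, status %s" % (
        days_to_date(last).isoformat(), days_to_date(expires).isoformat(),
        password_status(entry, today))


if __name__ == "__main__":
    print(report(GEEKO, date_to_days(date.today())))
```

The 99999-day shadowMax of the default entry means the password effectively never expires; a review script built on password_status makes such entries visible.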

How to Query Information from the LDAP Server

You can use the command ldapsearch to read data from the LDAP
directory. The following command reads the entire tree:
ldapsearch -x

The -x option forces ldapsearch to use the simple authentication
method. This is necessary if the LDAP server is not yet configured
to use the SASL authentication method.

ldapsearch reads the search base for the query out of the
configuration file /etc/openldap/ldap.conf. The search base is the
entry in the directory where ldapsearch starts the recursive
search process.

If the file ldap.conf does not exist, or if you want to use a
different search base, you can specify it with the -b option, as in the
following:
ldapsearch -x -b "dc=example,dc=com"

If you have a lot of data in your LDAP tree, you might want to limit
the output of ldapsearch to specific entries. You can do that by
adding a filter expression to the ldapsearch command, as in the
following:
ldapsearch -x "(uid=g*)"

In this example, ldapsearch displays all entries that have a uid
attribute starting with g. You can use any attributes or objectClasses
as a search filter.


The output of ldapsearch looks like the following:
# geeko, people, suse.de
dn: uid=geeko,ou=people,dc=suse,dc=de
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
cn: Geeko Chameleon
gidNumber: 100
givenName: Geeko
homeDirectory: /home/geeko
loginShell: /bin/bash
shadowInactive: -1
shadowMax: 99999
shadowMin: 0
shadowWarning: 7
sn: Chameleon
uid: geeko
uidNumber: 1010
shadowLastChange: 12623

ldapsearch displays the result in LDIF format. That means you can
transfer the data to another LDAP server by redirecting the data into
a file and loading it with ldapadd on a different machine.
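The filter syntax of ldapsearch combines attribute tests with &, | and ! and allows * wildcards, as in (uid=g*) above. The following Python is an added example, not code from the course or from OpenLDAP, that parses that subset of the filter syntax and evaluates it against entries held in memory, with an optional search base like the -b option; ENTRIES is constructed from the geeko output above and the tux user of the exercise, the case-insensitive matching is a simplification of the schema's matching rules, and the function names are chosen here.

```python
"""Evaluate ldapsearch-style filters against in-memory entries (added example)."""
import re

# Constructed entries: the geeko record from the ldapsearch output above and
# the tux user from the exercise, as {attribute: [values]} dictionaries.
ENTRIES = [
    ("uid=geeko,ou=people,dc=suse,dc=de", {
        "objectClass": ["top", "posixAccount", "shadowAccount", "inetOrgPerson"],
        "cn": ["Geeko Chameleon"], "sn": ["Chameleon"], "givenName": ["Geeko"],
        "uid": ["geeko"], "uidNumber": ["1010"], "gidNumber": ["100"],
        "homeDirectory": ["/home/geeko"], "shadowLastChange": ["12623"],
    }),
    ("uid=tux,ou=people,dc=digitalairlines,dc=com", {
        "objectClass": ["top", "posixAccount", "shadowAccount",
                        "inetOrgPerson"],
        "cn": ["Tux Penguin"], "sn": ["Penguin"], "givenName": ["Tux"],
        "uid": ["tux"], "uidNumber": ["1010"], "gidNumber": ["100"],
        "homeDirectory": ["/home/tux"],
    }),
]


def parse_filter(text):
    """Parse the filter subset used on this page: (attr=value) with '*'
    wildcards, presence tests (attr=*), and the &, | and ! combinators."""
    node, rest = _parse(text.strip())
    if rest:
        raise ValueError("unexpected text after filter: %r" % rest)
    return node


def _parse(text):
    """Parse one parenthesised component; return (node, remaining text)."""
    if not text.startswith("("):
        raise ValueError("filter component must start with '(': %r" % text)
    body = text[1:]
    if body[:1] in ("&", "|"):
        kind, body, children = ("and" if body[0] == "&" else "or"), body[1:], []
        while body.startswith("("):
            child, body = _parse(body)
            children.append(child)
        if not body.startswith(")"):
            raise ValueError("missing ')' after %s-list" % kind)
        return (kind, children), body[1:]
    if body[:1] == "!":
        child, body = _parse(body[1:])
        if not body.startswith(")"):
            raise ValueError("missing ')' after negation")
        return ("not", child), body[1:]
    end = body.find(")")
    if end < 0:
        raise ValueError("missing ')' in %r" % text)
    attr, sep, value = body[:end].partition("=")
    if not sep or not attr:
        raise ValueError("expected attr=value in %r" % body[:end])
    return ("eq", attr, value), body[end + 1:]


def matches(node, attrs):
    """True if the entry's attributes satisfy the parsed filter. Names and
    values are compared case-insensitively, as the caseIgnore rule of uid,
    cn and objectClass does; numeric or binary attributes would need their
    own rules (a simplification of this example)."""
    kind = node[0]
    if kind == "and":
        return all(matches(child, attrs) for child in node[1])
    if kind == "or":
        return any(matches(child, attrs) for child in node[1])
    if kind == "not":
        return not matches(node[1], attrs)
    _, attr, pattern = node
    values = [v for name, vs in attrs.items() if name.lower() == attr.lower()
              for v in vs]
    if pattern == "*":                      # presence test
        return bool(values)
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return any(re.match(regex, v, re.IGNORECASE) for v in values)


def search(entries, filter_text, base=None):
    """DNs of the entries matching the filter, restricted to the subtree at
    'base' when given (the -b option of ldapsearch)."""
    node = parse_filter(filter_text)
    result = []
    for dn, attrs in entries:
        if base and not (dn.lower() == base.lower()
                         or dn.lower().endswith("," + base.lower())):
            continue
        if matches(node, attrs):
            result.append(dn)
    return result
```

Because search takes the parsed filter through the same code path for every entry, it is also a convenient way to test a complicated filter locally before running it against a large directory.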

How to Delete and Modify Entries of the LDAP Server

The easiest way to modify data in the LDAP directory in SLES 9 is
to modify an LDIF file and apply the changes with the ldapmodify
tool.


In the following example, the uidNumber of the user tux has been
changed to 1011:
# geeko, people, suse.de
dn: uid=geeko,ou=people,dc=suse,dc=de
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
cn: Geeko Chameleon
gidNumber: 100
givenName: Geeko
homeDirectory: /home/geeko
loginShell: /bin/bash
shadowInactive: -1
shadowMax: 99999
shadowMin: 0
shadowWarning: 7
sn: Chameleon
uid: geeko
uidNumber: 1011
shadowLastChange: 12623

To apply the changes, use the following command:
ldapmodify -x -D "cn=Manager,dc=example,dc=com" -W -f geeko.ldif

Using the ldapmodify command is similar to using ldapadd.
ldapmodify compares the data in the directory with the data from
the LDIF file and applies the changes to the directory entries.

To delete an entry from the LDAP directory, use the following
command:
ldapdelete -D cn=Administrator,dc=example,dc=com -x -W "cn=geeko, dc=example, dc=com"

In this example, the entry with the distinguished name "cn=geeko,
dc=example, dc=com" is deleted.


How to Use Graphical LDAP Applications

Graphical applications are also available to access the LDAP server.
SLES 9 comes with the graphical LDAP browser GQ. Before you
can use GQ, you need to install the package gq because it is not part
of the default software selection.

After installation, you can access GQ from the KDE menu by
selecting System > GQ LDAP Client.

After starting GQ, the following appears:

GQ reads the file /etc/openldap/ldap.conf to get information about
the default LDAP server.

You can do the following with the LDAP directory:
■ Search the Directory
■ Browse the Directory
■ Explore the Schema Definitions


Search the Directory

This is the default page that opens after you start GQ. At the top of
the page are the following text fields:
■ Search filter. In this field you enter the search filter for your
query. The syntax is the same as that used for ldapsearch.
■ LDAP server. Choose an LDAP server from the drop-down
list. If you want to add an additional server, you need to open the
Preferences dialog by selecting File > Preferences. On the
Servers page, specify a new LDAP server by selecting New.
■ Search base. In this field you specify the search base for your
query. The syntax for the search base is the same as that used
for ldapsearch.

After you have entered all necessary data, start the query by
selecting Find.

The result of the query is displayed in a list below the input fields.
Double-click an entry to display detailed information.


Browse the Directory

The following is the Browse page of GQ:

On the left side of the page is a tree menu you can use to browse the
directory. By selecting the arrow symbol before an entry, you can
expand the tree structure.

You can display the details of an entry on the right side of the page
by selecting the entry in the tree menu.


Explore the Schema Definitions

The following is the Schema page of GQ:

On this page you can browse the schema definition available on the
LDAP server.


Exercise 3-2: Use the SLES 9 OpenLDAP server

In this exercise, you use the OpenLDAP server by doing the
following:
■ Part I: Install GQ
■ Part II: Search the SLES 9 OpenLDAP server
■ Part III: Browse the SLES 9 OpenLDAP server
■ Part IV: Add a User With an LDIF File

Part I: Install GQ

Do the following:

1. From the KDE menu, select System > YaST.

2. Enter the root password and select OK.

3. From the YaST Control Center, select Software > Install and
Remove Software.

4. From the filter drop down menu, select Search.

5. In the Search field, enter gq; then select Search.

6. On the right, select the gq package.

7. Install the GQ application by selecting Accept.

8. When the installation is complete, close the YaST Control
Center.

Part II: Search the SLES 9 OpenLDAP server

Do the following:

1. From the KDE menu, select System > GQ LDAP Client.


2. Make sure that the Search tab is selected.

3. In the left search field, enter uid=geeko.

4. In the right search field, enter dc=digitalairlines,dc=com.

5. Select Find.

A result line appears.

6. Double-click the result line.

The LDAP entry for the user geeko is displayed.

7. Scroll down and verify that you cannot see the password entry
for geeko.

8. Select Close.

9. From the menu bar, select File > Preferences.

10. From the configuration dialog, select the Servers tab.

11. Select the entry localhost; then select Edit.

12. From the server dialog, select Details.

13. In the Bind DN field enter the following:

cn=Administrator,dc=digitalairlines,dc=com

14. Close the server dialog by selecting OK.

15. Close the configuration dialog by selecting OK.

16. Make sure that the search fields still contain the previously
entered query.

17. Select Find.

18. When prompted for a password, enter novell.


19. Double-click the result line.

20. Make sure that you can see the password entry for the user
geeko.
Notice that access to the password is not granted to anonymous
users, but to the authenticated administrator.

21. When you finish, select Close.

Part III: Browse the SLES 9 OpenLDAP Server

Do the following:

1. From the GQ application, select Browse.

2. On the left, expand localhost.

3. Expand dc=digitalairlines,dc=com.

4. Expand people.

All users of the system are displayed. At the moment, this only
includes geeko.

5. Select geeko.

The user information for geeko appears on the right.

6. Close the GQ window.


Part IV: Use an LDIF File to Add a User

Do the following:

1. With a text editor, create a file with the following content.
dn: uid=tux,ou=people,dc=digitalairlines,dc=com
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
cn: Tux Penguin
gidNumber: 100
givenName: Tux
homeDirectory: /home/tux
loginShell: /bin/bash
shadowInactive: -1
shadowLastChange: 12609
shadowMax: 99999
shadowMin: 0
shadowWarning: 7
sn: Penguin
uid: tux
userPassword: {crypt}GpyJ3/OQgLxZE
uidNumber: 1010
You can also copy the LDIF file tux.ldif from the directory
/exercises/section_3 from your 3038 Course CD.

2. Save the file with the name tux.ldif in the directory /tmp.

3. From a terminal window (as root), add the user tux by entering
the following (all on one line):
ldapadd -x -D "cn=Administrator,dc=digitalairlines,dc=com" -W -f /tmp/tux.ldif

4. When prompted for a password, enter novell.


If you are unsuccessful at authenticating as Administrator, try closing
the terminal window and opening a new terminal window. Repeat
steps 3 and 4.

You do not have to be root to enter the ldapadd command; however,
you need to be root for the commands that follow.

5. Create the home directory for the user tux by entering the
following:
cp -a /etc/skel/ /home/tux

6. Adjust the file system permissions by entering the following
command:
chown -R tux:users /home/tux/

7. Log out as root by entering exit.

8. Switch to the user tux by entering the following:
su - tux
You can now log in to the tux user account by entering a
password of Novell.

9. Log out as tux by pressing Ctrl+D.

(End of Exercise)


Objective 3 Configure an Apache Web Server


The Apache web server is the leading web server software. Apache
was developed as open source software and is shipped with SLES 9.

To set up an internal Apache web server, you need to know the
following:
■ The Basic Functionality of a Web Server
■ How to Install and Set Up a Basic Apache Web Server
■ The Structure and the Basic Elements of the Apache
Configuration Files
■ The Basic Apache Configuration
■ How to Configure Virtual Hosts
■ How to Limit Access to the Web Server
■ How to Configure OpenSSL for Connection Encryption


The Basic Functionality of a Web Server

A web server delivers data that is requested by a web browser. The
data can have different formats such as HTML files, image files,
Flash animations, or sound files.

Web browsers and web servers communicate using HTTP (Hyper
Text Transfer Protocol). The following diagram shows the
relationship between the browser, server, and HTTP:

Diagram: Web Browser and Web Server, connected by HTTP.

In addition to delivering data to the web browser, a web server can
perform tasks such as limiting access to specific web sites, logging
access to a file, and encrypting the connection between a server and
browser.

How to Install and Set Up a Basic Apache Web Server

To set up a basic Apache web server, you need to do the following:
■ Install the Required Software Packages
■ Start and Test the Web Server
■ Locate the DocumentRoot of the Web Server


Install the Required Software Packages

To run a basic Apache web server, you need to install the following
packages with YaST:
■ apache2. The basic web server software.
■ apache2-prefork. An additional Apache package that
influences the multiprocessing behavior of the web server.
■ apache2-example-pages. Sample HTML pages.

SLES 9 ships with 2 Apache versions: Apache series 1 and Apache
series 2. This section covers Apache series 2 because this version
will continue to be developed.

When you install the packages listed above, YaST prompts you to
also install one or more additional packages required by Apache.
Confirm the additional package installation by selecting OK to
resolve all dependencies of the Apache packages.

Start and Test the Web Server

After installing the required software, you need to start the web
server. Do this as the root user by entering the following:
rcapache2 start

As with all services, enter the following to stop the web server:
rcapache2 stop

If you want the web server to start up at boot time, you need to enter
the following:
insserv apache2

To test whether the web server is properly installed, open a web
browser and enter the following address:
http://localhost


The browser displays the following page:

If your SLES 9 server is connected to a network, you (and other
hosts on the network) can remotely access the web server by
entering the following:
http://<ip_address_of_your_system>

If your network provides a DNS server, you can use the hostname
instead of the IP address.

Locate the DocumentRoot of the Web Server

The default directory of the data provided by Apache is
/srv/www/htdocs.

This directory is also called the DocumentRoot of the web server.
After the installation, it contains the Apache example pages, which
are displayed above.


You can replace the data in the DocumentRoot directory to display
your own web server content. Because the web server runs with the
user id wwwrun, you have to make sure that this user has read
access to files in the DocumentRoot directory.

If you create subdirectories in DocumentRoot, you can access those
subdirectories with the following web address scheme:
http://<your_server>/<name_of_subdirectory>

If no specific file is requested in the address, Apache looks for a file
with the name index.html. You can change the name of this default
file in the Apache configuration files.

The Structure and the Basic Elements of the Apache
Configuration Files

To configure the Apache web server with the configuration files,
you need to do the following:
■ Locate the Apache Configuration Files
■ Understand the Basic Rules of the Configuration Files

Locate the Apache Configuration Files

The configuration of the Apache web server is spread over several
configuration files located in the directory /etc/apache2.

The following is a list of the most important Apache configuration
files:
■ httpd.conf. This is the main Apache configuration file. All
other configuration files are included by this file.
■ default-server.conf. This file contains the basic web server
setup. However, all options set in this file can be overwritten by
other configuration files.
■ vhost.d/. This is a directory containing configuration files for
virtual host setups. Learn more about virtual hosts later in this
section.
■ uid.conf. This configuration file sets the user and group id for
Apache. By default, Apache uses the user id wwwrun and the
group id www.
■ listen.conf. In this configuration file, you can specify the IP
addresses and TCP/IP ports Apache is listening to. By default,
Apache listens to all assigned interfaces on port 80.
■ server-tuning.conf. You can use this configuration file to fine
tune the performance of Apache. The default values should be
fine unless you are going to run a web server that has to handle
a lot of requests at the same time.
■ error.conf. In this file you configure the behavior of Apache
when a request cannot be performed correctly.
■ ssl-global.conf. Configure the connection encryption with SSL
in this configuration file.

Understand the Basic Rules of the Configuration Files

The options of the Apache configuration files are called directives.
Directives are case sensitive, which means that a word such as
“include” is not the same as “Include.”

Directives can be grouped so that they do not apply to the global
server configuration. In the following, the directives only apply to
the directory /srv/www/htdocs:
<Directory "/srv/www/htdocs">
Options None
AllowOverride None
Order allow,deny
Allow from all
</Directory>

The directives are grouped by <Directory "/srv/www/htdocs"> and
</Directory>, which limits their validity to the directory
/srv/www/htdocs only.


You can use the # character to indicate comments in the
configuration file. All lines starting with a # are ignored by the
Apache server.

Whenever you edit the Apache configuration files, you need to
reload the web server by entering the following:
rcapache2 reload

In some cases it's not enough to reload Apache. You need to stop
and restart the web server by entering the following:
rcapache2 restart

If you are not sure that your changes use the correct syntax, you can
verify the syntax of the configuration files by entering the
following:
apache2ctl configtest

If the syntax is correct, the command displays the following
message:
Syntax OK

The Basic Apache Configuration

You do the main Apache web server configuration in the file
/etc/apache2/default-server.conf by using directives such as the
following:

Directive                      Meaning
DocumentRoot                   Specifies the DocumentRoot of the web server.
<Directory "dir_name">         All directives used within this block apply
  ... </Directory>               only to the specified directory.
Options                        With this directive additional options can be
                               applied to logical blocks like directories.
AllowOverride                  Determines whether other directives are allowed
                               to be overwritten by a configuration found in a
                               .htaccess file of a directory.
Alias "fakename" "realname"    Allows you to create an alias to a directory.
ScriptAlias                    Allows you to create an alias to a directory
                               containing scripts for dynamic content
                               generation.

In most cases the default settings are suitable and don't need to be
changed.

An overview of all Apache directives can be found at
http://httpd.apache.org/docs-2.0/mod/directives.html.

How to Configure Virtual Hosts

To use the virtual host feature of Apache, you need to know the
following:
■ The Concept of Virtual Hosts
■ How to Configure a Virtual Host


The Concept of Virtual Hosts

With the default setup, the Apache server can be reached with a
browser using the following web addresses:
■ http://localhost (from the computer where the web server is
running)
■ http://IP_address_of_web_server
■ http://hostname_of_the_web_server

For all of these addresses, Apache serves the same files located in
the DocumentRoot directory.

To use this setup, you would need a dedicated computer for every
domain of the Internet. To avoid this, Apache lets you set up
multiple virtual web servers on one physical system. These virtual
web servers are called virtual hosts.

The physical system needs to have an entry in the DNS for every
virtual host of the Apache web server.

The following outlines the steps in the process of sending a request
to the virtual host www.example.com:

1. The web browser requests the IP address of the host
www.example.com.

2. The browser uses the IP address to request a file from the
Apache web server listening on the IP address of
www.example.com.

3. In the HTTP request, the browser includes the hostname of the
server it wants to reach.

4. Apache uses the hostname to determine the right virtual host
and delivers the requested data from that host.


The following illustrates this process:

Diagram: the web browser asks the DNS server for the IP address of
www.example.com; the DNS server returns the same IP address for
www.example.com, www2.example.com, www3.example.com and
www4.example.com. The browser then uses that IP address to request
data from the web server, which holds the virtual hosts for
www.example.com, www2.example.com, www3.example.com and
www4.example.com.

How to Configure a Virtual Host

For every virtual host you need to create a configuration file in the
directory /etc/apache2/vhosts.d/. The name of the configuration file
must end with .conf.

You can find a template file vhost.template in the directory
/etc/apache2/vhosts.d/ to use as a base for your configuration file.

You need to edit the following directives in the template:

Directive       Meaning
ServerAdmin     The email address of the virtual host administrator.
ServerName      The hostname of the virtual host as it is configured in the DNS.


DocumentRoot    The DocumentRoot of the virtual host. The directory and the files in it must be readable by the user wwwrun (they do not need to be owned by it).
ErrorLog        The filename of the error log. Apache opens its log files as root before it drops privileges, so the file does not need to be writable by wwwrun; keeping the logs root-owned prevents a compromised server process from altering them.
CustomLog       The filename of the general (access) log. The same ownership rule as for ErrorLog applies.
ScriptAlias     A directory of your choice for CGI scripts. The directory must not be under the DocumentRoot of the virtual host, otherwise the scripts could also be reachable as ordinary files. If you do not need scripts for dynamic content creation, delete this directive.
<Directory "script_dir">      If you set a ScriptAlias, adjust the settings of the script directory block accordingly. If you are not using a script directory, delete this directory block.
<Directory "document_root">   Adjust the path name of this directory directive to the path of your DocumentRoot.

After customizing the template file, you need to reload the Apache
web server. You also need to make sure that the settings in DNS are
updated so that the hostname of your virtual host is resolved
correctly.


How to Limit Access to the Web Server

Normally Apache delivers data to all hosts in the network that can
reach the web server. Sometimes it can be useful to restrict access to
the content delivered by Apache.

The following are the most common methods used:
■ Limit Access on an IP Address Basis
■ Limit Access With User Authentication

Limit Access on an IP Address Basis

Apache offers the following directives (provided by the module
mod_access) to limit access to the web server on an IP address basis:

Directive   Meaning
allow       IP addresses or networks listed after this directive are allowed to access the web server.
deny        IP addresses or networks listed after this directive are not allowed to access the web server.
order       This directive sets the order in which the allow and deny directives are evaluated.

These directives are normally used within a <Directory> block and
then control access to all data below that directory. (They are also
valid in <Location> and <Files> blocks and in .htaccess files.)


The following example allows only hosts from the network
10.0.0.0/24 to access the data in the directory /srv/www/htdocs:
<Directory "/srv/www/htdocs">
Order deny,allow
Deny from all
Allow from 10.0.0.0/24
</Directory>

The following lists and describes the lines in the example:

<Directory "/srv/www/htdocs">

This directive starts the directory block. The directives that follow
apply to the directory /srv/www/htdocs only.
Order deny,allow

The Order directive determines in which order the allow and deny
directives are evaluated. You have the following options:
■ Deny,Allow. The deny directives are evaluated before the allow
directives. Access is allowed by default. Any client who does
not match a deny directive or does match an allow directive is
allowed access to the server.
■ Allow,Deny. The allow directives are evaluated before the deny
directives. Access is denied by default. Any client who does not
match an allow directive or does match a deny directive is
denied access to the server.
■ Mutual-failure. Only those hosts that appear in the Allow list
and do not appear on the Deny list are granted access. This has
the same effect as Order Allow,Deny and is deprecated in favor
of that configuration.
Deny from all

The Deny directive is evaluated first, and in this case access is
denied for all clients. You can use the following options with the
deny and the allow directives:
■ all. This option applies to all hosts.
■ A full IP address. This option applies to a specific IP address
(such as 10.0.0.23).
■ A partial IP address. This option applies to IP addresses
starting with the given IP address fragment (such as 10.0.0).
■ A network/netmask pair. This option applies to IP addresses
matching to the given network/netmask pair (such as
10.0.0.0/255.255.255.0)
■ A network/nnn CIDR specification. This option applies to IP
addresses matching to the given CIDR expression (such as
10.0.0.0/24).
Allow from 10.0.0.0/24

This allow directive is evaluated after the deny directive. In this
case, access is allowed for hosts in the network 10.0.0.0/24.
</Directory>

This directive ends the directory block.
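The evaluation rules above are easy to get backwards, and the result only shows up when a client you did not expect is let in. The following added example (Python, written for this page; it is not Apache code) implements the mod_access semantics for Order, Allow from and Deny from, including the all, full-address, partial-address, network/netmask and CIDR argument forms, and runs them against the block from the text and against a constructed pair of blocks that differ only in the Order keyword. Hostname arguments to Allow/Deny are not modelled.

```python
"""Evaluates Order / Allow from / Deny from the way mod_access does, so
the effect of an access block can be checked against sample client
addresses before the configuration goes live. Illustrative code added
here, not Apache's; hostname-based Allow/Deny arguments are not modelled."""
import ipaddress


def spec_matches(spec: str, client: str) -> bool:
    """Does one Allow/Deny argument (all, full IP, partial IP,
    network/netmask or network/CIDR) match the client address?"""
    spec = spec.strip()
    if spec.lower() == "all":
        return True
    client_ip = ipaddress.ip_address(client)
    if "/" in spec:
        # ip_network accepts both 10.0.0.0/24 and 10.0.0.0/255.255.255.0
        return client_ip in ipaddress.ip_network(spec, strict=False)
    try:
        return client_ip == ipaddress.ip_address(spec)       # full address
    except ValueError:
        pass
    # partial address such as "10.0.0": the leading octets must match whole
    return (client + ".").startswith(spec.rstrip(".") + ".")


def access_allowed(order: str, allow: list, deny: list, client: str) -> bool:
    """Combine the matches according to the Order directive."""
    allowed = any(spec_matches(s, client) for s in allow)
    denied = any(spec_matches(s, client) for s in deny)
    order = order.replace(" ", "").lower()
    if order == "deny,allow":
        # Deny first, Allow overrides; unmatched clients are allowed
        return allowed or not denied
    if order in ("allow,deny", "mutual-failure"):
        # Allow first, Deny overrides; unmatched clients are denied
        return allowed and not denied
    raise ValueError(f"unknown Order value: {order!r}")


def parse_access_block(text: str):
    """Pull Order/Allow/Deny out of a <Directory> block. A missing Order
    means Apache's default, Deny,Allow."""
    order, allow, deny = "deny,allow", [], []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        key = parts[0].lower()
        if key == "order":
            order = parts[1]
        elif key in ("allow", "deny") and parts[1].lower() == "from":
            (allow if key == "allow" else deny).extend(parts[2:])
    return order, allow, deny


def check_block(text: str, client: str) -> bool:
    return access_allowed(*parse_access_block(text), client)


# The block from the text above, and a constructed variant that differs
# only in the Order keyword: with both Allow and Deny matching 10.0.0.23,
# Order decides the outcome.
PAGE_BLOCK = """<Directory "/srv/www/htdocs">
Order deny,allow
Deny from all
Allow from 10.0.0.0/24
</Directory>"""

BLOCK_ALLOW_DENY = """<Directory "/srv/www/htdocs">
Order allow,deny
Allow from 10.0.0.0/24
Deny from 10.0.0.23
</Directory>"""

BLOCK_DENY_ALLOW = BLOCK_ALLOW_DENY.replace("allow,deny", "deny,allow")

if __name__ == "__main__":
    for name, block in (("page", PAGE_BLOCK), ("allow,deny", BLOCK_ALLOW_DENY),
                        ("deny,allow", BLOCK_DENY_ALLOW)):
        for client in ("10.0.0.23", "10.0.0.42", "192.0.2.9"):
            print(f"{name:10} {client:12} allowed={check_block(block, client)}")
```

Two results from the constructed blocks are worth noting. With Order allow,deny the host 10.0.0.23 is refused and every address outside 10.0.0.0/24 is refused as well. With the same Allow and Deny lines but Order deny,allow, 10.0.0.23 is admitted (the Allow line wins) and so is every address outside 10.0.0.0/24, because an unmatched client is allowed by default; the Deny line then protects nothing except the single listed host.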

Limit Access with User Authentication

By limiting access to certain IP addresses, you can control the hosts
that access the web server, but you have no control over the user
who sits in front of the computer.

Apache offers another possibility of access control called basic
authentication. If you protect content on your web server with this
method, users are required to log in before they can access the data.
Note that with basic authentication the browser sends the user name
and password only base64-encoded, not encrypted, with every request,
so it should be combined with SSL (see below) whenever the
connection crosses an untrusted network.

Before you can configure Apache to use basic authentication, you
first have to create user accounts for the web server. You can do this
by using the tool htpasswd2.

The following command creates a password file and an account for
the user tux:
htpasswd2 -c /etc/apache2/htpasswd tux


After entering this command, htpasswd2 prompts you for a
password for the user you want to create. The password hashes are
stored in the file /etc/apache2/htpasswd.

You can specify a different location for the password file, but you
have to make sure that it is readable for the user wwwrun and that it
is not located within the DocumentRoot of your server, where it
could be downloaded by anyone.

When you use a password file for the first time, you have to call
htpasswd2 with the -c option to create the file. If you want to add
more users later, use the following command:
htpasswd2 /etc/apache2/htpasswd <username>

To delete a user from the password file, use the following
command:
htpasswd2 -D /etc/apache2/htpasswd <username>

After you have created the user accounts, you need to configure
Apache to prompt for a password when accessing restricted data.
You need to add the following lines to the directory block of the
directory that should be restricted:
AuthType Basic
AuthName "Restricted Files"
AuthUserFile /etc/apache2/htpasswd
Require user tux

The following describes each line:

AuthType Basic

This directive sets the authentication method. For the type described
in this section, the value is Basic.
AuthName "Restricted Files"

With this directive, you have to choose a name for the restricted
directory of your web server. This name is used for the
authentication process between the browser and the web server.


AuthUserFile /etc/apache2/htpasswd

This directive sets the password file used for the restricted directory.
Require user tux

This directive lists the user of the password file who is allowed to
access the directory. You can add more than one user by separating
the user names with spaces, or you can use the following directive:
Require valid-user

In this case, access is granted to all users of the password file.
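To make the mechanism concrete, the following added example (Python, written for this page; it is not Apache's or htpasswd2's code) walks through what the server does for one request: decode the Authorization header the browser sends, look the user up in the password file, compare the hash in constant time, and then apply Require user or Require valid-user. The password file is constructed in the {SHA} format that htpasswd2 -s writes (base64 of the raw SHA-1 digest); the crypt and MD5 formats are not modelled. The decoded header also shows why basic authentication needs SSL: the password is only base64-encoded on the wire.

```python
"""Basic authentication as Apache evaluates it: decode the Authorization
header, look the user up in the htpasswd file, compare the password hash,
then apply Require user ... / Require valid-user. Illustrative code added
here, not Apache's or htpasswd2's. The password file is constructed in
the {SHA} format that "htpasswd2 -s" writes (base64 of the raw SHA-1
digest); the crypt and MD5 formats are not modelled."""
import base64
import binascii
import hashlib
import hmac


def sha1_entry(user: str, password: str) -> str:
    """One htpasswd line in {SHA} format."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode('ascii')}"


# Constructed sample file (the users of the text and the exercise).
HTPASSWD_TEXT = "\n".join([
    "# constructed sample, not a real password file",
    sha1_entry("geeko", "novell"),
    sha1_entry("tux", "s3cret"),
]) + "\n"


def load_htpasswd(text: str) -> dict:
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, stored = line.split(":", 1)
        users[user] = stored
    return users


def check_password(users: dict, user: str, password: str) -> bool:
    stored = users.get(user)
    if stored is None or not stored.startswith("{SHA}"):
        return False
    expected = base64.b64decode(stored[len("{SHA}"):])
    actual = hashlib.sha1(password.encode("utf-8")).digest()
    # constant-time comparison: no timing difference between near-misses
    return hmac.compare_digest(actual, expected)


def basic_header(user: str, password: str) -> str:
    """What the browser sends after the login dialog: base64(user:password)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_authorization(header: str):
    """Recover (user, password) from an Authorization header. Base64 is
    an encoding, not encryption: anyone on the wire gets the password."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def authorize(users: dict, header: str, required_users=None) -> bool:
    """required_users=None behaves like Require valid-user; a set of names
    behaves like Require user a b c."""
    creds = parse_authorization(header)
    if creds is None or not check_password(users, *creds):
        return False
    return required_users is None or creds[0] in required_users


if __name__ == "__main__":
    users = load_htpasswd(HTPASSWD_TEXT)
    header = basic_header("geeko", "novell")
    print("on the wire:", header, "->", parse_authorization(header))
    print("Require user geeko :", authorize(users, header, {"geeko"}))
    print("Require user tux   :", authorize(users, header, {"tux"}))
    print("Require valid-user :", authorize(users, header))
```

Unsalted SHA-1, like the crypt format htpasswd2 uses by default, offers little protection if the password file leaks; the htpasswd of Apache 2.4 can store bcrypt hashes (option -B), which is the format to choose where it is available.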

How to Configure OpenSSL for Connection Encryption

By default, the connection between the web browser and the web
server is not encrypted. Anyone who can listen to the network
packets exchanged between browser and server can read the
transferred information, including any basic authentication
passwords.

Apache can use the SSL (Secure Socket Layer) protocol to encrypt
the connection. To configure SSL encryption with an Apache
web server, you need to know the following:
■ The Basics of SSL Encryption
■ How to Create a Test Certificate
■ How to Configure Apache to Use SSL
■ The Limitations of the SSL Configuration


The Basics of SSL Encryption

Encrypted data transmission across a network usually relies on
public-key cryptography, most often with RSA keys. This method is
used by the encryption software PGP (Pretty Good Privacy) to
encrypt emails, by ssh (Secure Shell) for encrypted data transfers
between two computers, and by Apache for secure data
transmission between the web server and the web browser.

This encryption is based on 2 different keys: a private key and a
public key. While the private key is known only to the owner, the
public key should be accessible to the public. Data encrypted with
the public key can be decrypted only with the matching private key,
so anyone can encrypt a message for the owner, but only the owner
can read it. In practice the public-key operations are used to
authenticate the peer and to agree on a session key; the bulk data is
then encrypted with a much faster symmetric cipher.

Public and private keys can also be used to sign data. In principle,
when data is signed, a cryptographic hash of the data is computed
and encrypted with the private key of the sender; this encrypted
hash is the signature.


The recipient checks the signature with the public key of the sender
to determine whether the data really comes from the sender and
whether it has been modified by a third party.

The following illustrates the signing process:

A problem with the procedure described above is that you cannot
determine who the owner of a public key is. The solution to this
problem is a Certificate Authority (CA), which signs the public keys
of others with its own private key after checking the owner's identity.

A public key together with the owner's name, signed by a CA, is
called a certificate.

CAs are well-known companies or organizations like VeriSign or
VISA. The public keys of these organizations are built into the web
browsers. By verifying the signature with the public key of the CA,
the browser can make sure that a public key of a web server is valid.

The following explains the process of using a CA with SSL
encryption for a web server:

1. The browser recognizes a web address starting with https://.
This means that the connection to this server should be
encrypted. The default port for SSL connections is 443 instead
of port 80 (used for normal unencrypted HTTP connections).

2. The web browser opens a connection to port 443 and starts the
SSL handshake.

3. The web server sends its certificate, which contains its public
RSA key, to the web browser.

4. The web browser verifies the signature of the certificate with the
public key of the CA that signed it, checks that the certificate has
not expired, and checks that the name in the certificate matches
the hostname of the web address.

5. If the certificate is valid, the web browser and web server agree
on a session key and establish an encrypted connection.

To set up a secure web server, you need a certificate signed by a
CA that the browsers of your users trust. You can sign a certificate
by yourself, but this should only be done for test purposes, because
the browser will warn the user that the signer is unknown.

How to Create a Test Certificate

To set up a secure web server for test purposes, you can create a
certificate by yourself. You should never use such a certificate for a
production system.

To create a test certificate, you do the following:
■ Create an RSA Key Pair
■ Sign the Public Key to Create a Certificate

Create an RSA Key Pair

To create a key pair, openssl needs good random numbers. On Linux,
openssl seeds its random number generator from /dev/urandom
automatically, but you can additionally provide a file with random
data. You can generate such a file with the following command:
cat /dev/random > /tmp/random

/dev/random blocks when the kernel's entropy pool is empty, so
stop this procedure after a few seconds by pressing Ctrl+C. The
generated file should be at least a thousand bytes in size. You can now
generate the key pair with the following command:


openssl genrsa -des3 -out server.key -rand /tmp/random 1024

During the process, you are prompted to enter a password. This
password (passphrase) is used to encrypt the private key with Triple
DES (-des3).

The generated private key is saved in the file server.key; the public
key is derived from it and does not need a separate file. The last
argument is the key length in bits. 1024 bits was common when this
course was written but is no longer considered secure; use 2048 bits
or more for a new key.

Sign the Public Key to Create a Certificate

Next you need to sign your public key with your own private key to
create a self-signed certificate by using the following command:
openssl req -new -x509 -key server.key -out server.crt

During the process, you are prompted for the following information:
Enter pass phrase for server.key:

Enter the passphrase you chose for the server key.


Country Name (2 letter code) [AU]

Enter the country code of your country (such as DE for Germany).


State or Province Name (full name) [Some-State]:

Enter your state or province name. You can enter a period (.) to
leave this field blank.
Locality Name (eg, city) []:

Enter the name of your city.


Organization Name (eg, company) [Internet Widgits Pty
Ltd]:

Enter the name of your company.


Organizational Unit Name (eg, section) []:

Enter the name of your unit, or you can enter a period (.) to leave it
blank.


Common Name (eg, YOUR name) []:

Enter the full hostname of your system (such as
www.example.com). The browser compares this name with the
hostname in the web address, so the certificate is valid for this
hostname only.
Email Address []:

Enter the email address of the administrator who is responsible for
the server.

After you have answered all questions, the server certificate is saved
into the file server.crt.

Now the files server.key and server.crt have to be copied to the right
location:
■ Copy the file server.key to the directory /etc/apache2/ssl.key and
make it readable only by root (chmod 400), because it contains the
private key.
■ Copy the file server.crt to the directory /etc/apache2/ssl.crt.
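The same procedure, done non-interactively and followed by the checks an administrator should run before installing the result, as an added example (Python driving the openssl command line; this is not part of the course material and not Apache's or OpenSSL's code). It assumes an openssl binary in PATH, generates into a directory you name, and checks that the certificate is self-signed (issuer equals subject), that the CN is the hostname Apache will serve, that the key is 2048 bits, and that the certificate verifies when supplied as its own trust anchor. The -nodes option leaves the key unencrypted, which avoids the passphrase prompt at Apache start described below; the file mode then has to protect the key.

```python
"""Non-interactive version of the test-certificate procedure above, with
the checks an administrator should run on the result: the certificate is
self-signed (issuer equals subject), the CN is the hostname Apache will
serve, the key is long enough, and the certificate verifies against
itself as a trust anchor. Added example driving the openssl command
line from Python; it is not part of the course material. It assumes an
openssl binary in PATH; nothing is written outside the given directory."""
import os
import shutil
import subprocess
import tempfile


def openssl_available() -> bool:
    return shutil.which("openssl") is not None


def run(*args: str) -> str:
    """Run one openssl subcommand and return its stdout (raises on failure)."""
    result = subprocess.run(["openssl", *args], check=True,
                            capture_output=True, text=True)
    return result.stdout


def make_test_cert(directory: str, hostname: str, days: int = 365,
                   bits: int = 2048):
    """Key pair and self-signed certificate in one step. -nodes leaves the
    private key unencrypted (no passphrase prompt when Apache starts), so
    the file mode alone protects it: root-only, 0400."""
    key = os.path.join(directory, "server.key")
    crt = os.path.join(directory, "server.crt")
    run("req", "-new", "-x509", "-nodes", "-newkey", f"rsa:{bits}",
        "-days", str(days), "-keyout", key, "-out", crt,
        "-subj", f"/C=US/ST=Utah/L=Provo/O=Example/CN={hostname}")
    os.chmod(key, 0o400)
    return key, crt


def describe_cert(crt: str) -> dict:
    """subject, issuer and notAfter as openssl prints them."""
    out = run("x509", "-noout", "-subject", "-issuer", "-enddate", "-in", crt)
    info = {}
    for line in out.splitlines():
        name, _, value = line.partition("=")
        info[name.strip()] = value.strip()
    return info


def is_self_signed(crt: str) -> bool:
    info = describe_cert(crt)
    return info["subject"] == info["issuer"]


def common_name_matches(crt: str, hostname: str) -> bool:
    # tolerate both "/C=US/CN=host" and "C = US, CN = host" output styles
    subject = describe_cert(crt)["subject"].replace(" ", "")
    return f"CN={hostname}" in subject


def key_bits(key: str) -> int:
    first = run("rsa", "-in", key, "-noout", "-text").splitlines()[0]
    return int(first.split("(")[1].split()[0])     # "... (2048 bit ...)"


def verifies_as_own_anchor(crt: str) -> bool:
    """openssl verify succeeds only when the self-signed cert is supplied
    as the trust anchor; without -CAfile it fails, which is the warning
    browsers show for a test certificate."""
    result = subprocess.run(["openssl", "verify", "-CAfile", crt, crt],
                            capture_output=True, text=True)
    return result.returncode == 0


def demo(hostname: str = "www.example.com"):
    """Generate into a temporary directory, run the checks, clean up.
    Returns None when no openssl binary is available."""
    if not openssl_available():
        return None
    directory = tempfile.mkdtemp()
    try:
        key, crt = make_test_cert(directory, hostname)
        return {
            "self_signed": is_self_signed(crt),
            "cn_matches": common_name_matches(crt, hostname),
            "bits": key_bits(key),
            "verifies": verifies_as_own_anchor(crt),
            "not_after": describe_cert(crt)["notAfter"],
        }
    finally:
        shutil.rmtree(directory, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

Current browsers no longer accept the CN alone and expect the hostname in a subjectAltName extension as well; with OpenSSL 1.1.1 or later that is one more argument to the req command, -addext "subjectAltName=DNS:www.example.com".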

How to Configure Apache to Use SSL

After you have generated the RSA key pair and the server
certificate, you have to configure Apache to use SSL. First, you
need to change two settings in the file /etc/sysconfig/apache2.

The settings in this file apply to the Apache startup script and do not
belong to the server configuration.

Set the following variables to the appropriate values:


APACHE_START_TIMEOUT="10"

This setting extends the start timeout of Apache so that you have
more time to enter the passphrase of the private RSA key.


APACHE_SERVER_FLAGS="SSL"

The additional server flag SSL defines the SSL variable when
evaluating the Apache configuration files. This enables some
directives that are necessary for SSL encryption.

For example, it lets Apache listen on port 443 instead of only to port
80.

You also need to change the server configuration files to enable SSL
by doing one of the following:
■ Configure the Main Server to Use SSL Encryption
■ Configure a Virtual Host to Use SSL Encryption

Configure the Main Server to Use SSL Encryption

To configure the main server, you need to add the following
directives to the file /etc/apache2/default-server.conf:
SSLEngine on
SSLCipherSuite
ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:
+EXP:+eNULL
SSLCertificateFile /etc/apache2/ssl.crt/server.crt
SSLCertificateKeyFile /etc/apache2/ssl.key/server.key

Each line is listed and described below:

SSLEngine on

This directive enables the Apache SSL engine.

SSLCipherSuite
ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:
+EXP:+eNULL

This directive sets the details of the encryption method. The line
displayed above is the default configuration that comes with
Apache. Note that it still permits low-grade and export ciphers
(LOW, EXP), the insecure SSLv2 protocol and even ciphers without
encryption (eNULL); on any server that matters, restrict it to strong
ciphers, for example with SSLCipherSuite HIGH:!aNULL:!eNULL:!EXP:!LOW
together with SSLProtocol all -SSLv2.


For more information about this directive, go to
http://httpd.apache.org/docs-2.0/mod/mod_ssl.html#sslciphersuite.

SSLCertificateFile /etc/apache2/ssl.crt/server.crt

This directive points to the server certificate file.


SSLCertificateKeyFile /etc/apache2/ssl.key/server.key

This directive points to the server key file.

After you make the described changes, you have to restart Apache.
Apache prompts you for the passphrase of the server key file.

The server might not start up correctly at boot time, because it
requires the passphrase for the server key. You can remove Apache
from the init process and start it manually after the system starts up,
or you can store the key without a passphrase (strip it with
openssl rsa -in server.key -out server-nopass.key, point
SSLCertificateKeyFile at the new file) and rely on file permissions
(root-only, mode 400) to protect it, which is what most production
servers do.

You can access the SSL host by using the address
https://name_of_your_host.

Configure a Virtual Host to Use SSL Encryption

You can also configure a virtual host instead of the main server to
use SSL. Place the directives described above in your virtual host
configuration and define your virtual host with a directive such as
the following:
<VirtualHost your_hostname:443>

Because the hostname is only transmitted after the encrypted
connection is set up, Apache 2.0 cannot select an SSL virtual host by
name: each SSL virtual host needs its own IP address (or port) with
its own certificate.

The Limitations of the SSL Configuration

The SSL setup as described in this section is a very basic
configuration. To run Apache with SSL on a server that can be
reached from the Internet, you need a more thorough understanding
of SSL and the available configuration directives.


For more information about this topic, go to
http://httpd.apache.org/docs-2.0/.


Exercise 3-3: Configure an Apache Web Server

In this exercise, you configure an Apache web server by doing the
following:
■ Part I: Install Apache
■ Part II: Test the Installation
■ Part III: Configure a Virtual Host for the Accounting Department
■ Part IV: Configure User Authentication
■ Part V: Configure SSL

The file accounting.conf you create in this exercise can be difficult to
modify properly. To help you understand what needs to be changed and
where parameters are placed, the file is available on your 3038 Course CD
in the directory /exercises/section_3.

Part I: Install Apache

Do the following:

1. From the KDE start menu, select System > YaST; then enter a
password of novell and select OK.

2. From the YaST Control Center, select Software > Install and
Remove Software.

3. From the search drop-down menu, select Search.

4. In the Search field, enter apache; then select Search.

5. On the right side, select the following packages.
■ apache2
■ apache2-example-pages
■ apache2-prefork


6. Select Accept.

7. (Conditional) If YaST displays package dependencies, confirm by
selecting Continue.

8. When prompted, insert the requested SLES 9 CDs in the drive.

9. Open a terminal window and su to root.

10. To start Apache at boot time, enter the following:
insserv apache2
11. To start the Apache daemon, enter the following:
rcapache2 start

Part II: Test the Installation

Do the following:

1. From the KDE menu, select Internet > Web Browser.

2. In the address bar of the web browser, enter the following:


http://localhost
If the Apache example page appears, the web server has been
installed and started correctly.
If you are having problems displaying the page, you need to
rename the file /srv/www/htdocs/index.html.en to
/srv/www/htdocs/index.html.

Part III: Configure a Virtual Host for the Accounting Department

Do the following:

1. From a terminal window, su to root.


2. Create a directory for the virtual host by entering the following:
mkdir /srv/www/accounting

3. Adjust the file system permissions by entering the following:
chown wwwrun /srv/www/accounting/

4. In the new directory, create a file index.html with the following
content:
<html>
<head>
<title>Accounting Intranet Server</title>
</head>
<body>
<h1>Accounting Intranet</h1>
No content yet ...
</body>
</html>
This file is also available on your 3038 Course CD in the directory
/exercises/section_3.

5. Adjust the file system permissions of the file by entering the
following:
chown wwwrun index.html
Apache only needs to read the directory and the file, so on a
production server it is safer to leave them owned by root and
world-readable (mode 755 for the directory, 644 for the file): if
wwwrun owns the content, a compromised server process can
change it.

6. Change to the directory /etc/apache2/vhosts.d/ by entering the
following:
cd /etc/apache2/vhosts.d/

7. Copy the virtual host template file by entering the following:
cp vhost.template accounting.conf


8. Open the file accounting.conf in a text editor and make the
following changes:
<VirtualHost accounting.da.com:80>
ServerName accounting.da.com
DocumentRoot /srv/www/accounting
ErrorLog /var/log/apache2/accounting.da.com-error_log
CustomLog /var/log/apache2/accounting.da.com-access_log combined
UseCanonicalName On
ScriptAlias /cgi-bin/ "/srv/www/cgi-bin"
<Directory "/srv/www/cgi-bin">
AllowOverride None
Options +ExecCGI -Includes
Order allow,deny
Allow from all
</Directory>
<Directory "/srv/www/accounting/">
Options Indexes FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
</Directory>

9. For testing purposes, append "accounting.da.com" to the line
"127.0.0.1" in the file /etc/hosts:
127.0.0.1 localhost accounting.da.com

10. Test the syntax of your configuration file by entering the
following:
apache2ctl configtest

11. Reload Apache by entering the following:
rcapache2 reload


12. Open a web browser and access the virtual host by entering the
following:
http://accounting.da.com
The accounting intranet page is displayed.

Part IV: Configure User Authentication

Do the following:

1. Open a terminal window and su to root.

2. Create the file htpasswd and add the user geeko to it by
entering the following:
htpasswd2 -c /etc/apache2/htpasswd geeko

3. When prompted for a password, enter novell (twice).

4. Open the virtual host configuration file
/etc/apache2/vhosts.d/accounting.conf in a text editor.

5. Find the following directory directive:
<Directory "/srv/www/accounting/">

6. Within this directory block, add the following lines:
AuthType Basic
AuthName "Accounting Intranet"
AuthUserFile /etc/apache2/htpasswd
Require user geeko

7. Check the syntax of the configuration file by entering the
following command:
apache2ctl configtest

8. Reload the Apache server by entering the following:
rcapache2 reload


9. Open a web browser and enter the following:
http://accounting.da.com

A password dialog appears.

10. Enter a user name of geeko and a password of novell.

11. Access the protected web site by selecting OK.

Part V: Configure SSL

Do the following:

1. From the terminal window (as root), create the file random by
entering the following:
cat /dev/random > /tmp/random

2. Press some keys on the keyboard to generate random events
which help to create the file.

3. Stop the process after about 15 seconds by pressing Ctrl+C.

4. Generate a server key by entering the following.
openssl genrsa -des3 -out /tmp/accounting.key -rand /tmp/random 1024

5. When prompted for a password, enter novell (twice).

6. Sign the key by entering the following:
openssl req -new -x509 -key /tmp/accounting.key -out /tmp/accounting.crt


7. When prompted for a password, enter novell; then enter the
following information:

Option Value
Country Name US
State or Province Name Utah
Locality Name Provo
Organization Name Digital Airlines
Organizational Unit Name Accounting
Common Name accounting.da.com
Email Address webmaster@da.com

8. Copy the files by entering the following commands:
cp /tmp/accounting.key /etc/apache2/ssl.key/
cp /tmp/accounting.crt /etc/apache2/ssl.crt/

9. Delete the temporary files by entering the following:
rm /tmp/accounting*

10. Adjust the file system permissions by entering the following
commands:
chmod 400 /etc/apache2/ssl.key/accounting.key
chmod 400 /etc/apache2/ssl.crt/accounting.crt

11. Open the file /etc/apache2/vhosts.d/accounting.conf in a text
editor.


12. Change the following lines:
<VirtualHost accounting.da.com:80>
to
<VirtualHost accounting.da.com:443>
and
ServerName accounting.da.com
to
ServerName accounting.da.com:443

13. Add the following lines after the ServerName directive:
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /etc/apache2/ssl.crt/accounting.crt
SSLCertificateKeyFile /etc/apache2/ssl.key/accounting.key
The SSLCipherSuite directive and its value must be on one line.
These lines are available in the file /exercises/section_3/servername
on your 3038 Course CD.

14. Save and close the file.

15. Open the file /etc/sysconfig/apache2 in a text editor.

16. Change the following lines:
APACHE_SERVER_FLAGS="SSL"
APACHE_START_TIMEOUT="10"

17. Save and close the file.


18. Check the syntax of the configuration file by entering the
following:
apache2ctl configtest

19. Restart Apache by entering the following:
rcapache2 restart

20. When prompted for the pass phrase, enter novell.
As the pass phrase has to be entered every time the server starts,
you can prevent the server from being started automatically at
boot by entering the following:
insserv -r apache2

21. Open a web browser and enter the following:
https://accounting.da.com/
As the certificate used in this exercise is self-signed, the
browser displays a warning.

22. In the warning dialogs, select Continue and Forever to view the
web site.

23. In the login dialog, enter a username of geeko with a password
of novell.

24. After the page displays, close the web browser.

(End of Exercise)


Objective 4 Configure a Samba Server as a File Server

Samba is a suite of applications used to integrate a Linux system
into a Windows network. Samba is most commonly used as a file
server for Windows hosts.

To configure a Samba file server, you need to know the following:
■ The Purpose and the Possibilities of Samba
■ How to Install and Set Up a Basic Samba Server
■ The Structure and Elements of the Samba Configuration File
■ How to Use the Samba Tools to Access SMB Shares from a Linux Computer
■ How to Configure a File Server with User Authentication
■ Additional Possibilities with Samba

The Purpose and the Possibilities of Samba

The Server Message Block (SMB) protocol is a network protocol
that provides file and print services in a Windows network. Samba
enables Linux to use SMB so Linux can work in a Windows
environment.

You can use Samba for the following purposes:
■ Use the Samba server to provide file and print services for
Windows clients.
■ Use the Samba tools to access SMB file and print services on a
Linux system.
■ Use Samba as a domain controller for Windows clients.

SMB traditionally runs on top of the NetBIOS protocol (NetBIOS
over TCP/IP). NetBIOS makes its own name space available, which
is completely different from the domain name system.


This name space can be accessed with the Universal Naming
Convention (UNC) notation: all services provided by a server are
addressed as \\Server\Servicename.

File or print services offered by a server are also called shares.

The server side of Samba consists of 2 parts:
■ nmbd. This daemon handles all NetBIOS-related tasks (name
registration, name resolution and browsing).
■ smbd. This daemon provides file and print services for clients
in the network.

To integrate Linux as a client in a Windows environment, Samba
provides 2 tools:
■ nmblookup. This tool can be used for NetBIOS name
resolution and testing.
■ smbclient. This tool provides access to SMB file and print
services.

How to Install and Set Up a Basic Samba Server

To set up a basic Samba server, you need to install the following
packages with YaST:
■ samba. This is the main Samba package. It contains the Samba
server software.
■ samba-client. This package contains the Samba client tools.
■ samba-doc. This package provides additional documentation
about Samba.

After the packages have been installed, you can start the 2 Samba
daemons with the following commands:
rcnmb start
rcsmb start


To start the Samba services automatically when the system is
booting, enter the following commands:
insserv nmb
insserv smb

The Structure and Elements of the Samba Configuration File

The Samba services are configured in the file /etc/samba/smb.conf.

The options in this file are grouped into different sections. Each
section starts with a keyword in square brackets.

To set up a simple file server with Samba, do the following:
■ Create a Section for the General Server Configuration
■ Create a Section for the Files to be Shared

Create a Section for the General Server Configuration

The section for the general server configuration starts with the
keyword [global]. The following is an example of a basic global
section.
[global]
workgroup = DigitalAirlines
netbios name = Fileserver
security = share

The entries of the global section in this example are shown and
described below:
workgroup = DigitalAirlines

This line sets the Windows workgroup of the Samba server (in this
case, DigitalAirlines).


netbios name = Fileserver

This line sets the name of the system in the NetBIOS name space
(in this case, Fileserver).
security = share

This line determines how a client has to authenticate itself when
accessing a share. This option can have the following values:
■ share. The client does not need to provide a password when
initially connecting to the server. However, a password might
be necessary when the client tries to access a share. This mode
is deprecated in later Samba 3 releases and was removed in
Samba 4; prefer security = user for a new configuration.
■ user. The client needs to provide a user name and password
when connecting to the server. Samba validates the password
against the users available on the Linux system and its own
password file.
■ server. The client needs to provide a user name and password
when it connects to the server. Samba contacts another SMB
server in the network to validate the password.
■ domain. The client needs to provide a user name and
password when connecting to the server. Samba connects to the
domain controller and validates the password. This works only
if Samba has joined a Windows domain.
■ ads. Samba acts as a domain member of an Active Directory
realm to validate the user name and password.

You might need to configure additional settings for these options to work
correctly. For more information, see the man page of smb.conf.


Create a Section for the Files to be Shared

After the global section, you need to add a section for the share of
your file server. The following example is the simplest way to set up
for a share:
[data]
comment = Data
path = /export
read only = Yes
guest ok = Yes

The entries of the section in this example are shown and described
below:
[data]

This is the identifier for the share. The share can later be accessed
with the address \\Fileserver\data.
comment = Data

This option is a comment with additional information about the
share. The comment is displayed when you browse the network
with Windows Explorer.
path = /export

This option sets the path to the exported data on the local file
system. You have to make sure that the local user who needs to
access the files of this share has sufficient file system rights.
read only = Yes

If this option is set to yes, the client accessing the share is not
allowed to modify, delete or create any files.
guest ok = Yes

If this option is set to Yes, a password is not required to access the
share.

There are many more configuration options available than those discussed in
this section. For an overview of all options, see the man page of smb.conf.


After you have created a smb.conf file, you should restart the
Samba server daemons.

Before you restart the daemons, you can test the syntax of the
Samba configuration file with the following command:
testparm

The output of the command looks like the following:


Load smb config files from /etc/samba/smb.conf
processing section "[data]"
Loaded services file OK.
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions

In this case, no errors are found. If there were any errors in the file,
the command would display the errors grouped by configuration
sections.

How to Use the Samba Tools to Access SMB Shares from a Linux Computer

Although the main purpose of Samba is to provide services for
Windows clients, it also provides tools to access SMB shares from
Linux. It doesn't matter if these shares are provided by Samba or a
native Windows server.

You can perform 3 basic tasks with the Samba tools:
■ Use nmblookup for Name Resolution in a NetBIOS Network
■ Use smbclient to Access SMB Shares
■ Mount SMB Shares into the Linux File System


Use nmblookup for Name Resolution in a NetBIOS Network

With the tool nmblookup, you can resolve NetBIOS names into IP
addresses. In the following example, the IP address for the Samba
server with the NetBIOS name Fileserver is looked up:
nmblookup Fileserver

The output of the command looks like the following:


querying Fileserver on 10.0.0.255
10.0.0.1 Fileserver<00>

In the first line, nmblookup states that it queries the IP address with
a broadcast to the address 10.0.0.255. In the second line, it displays
the result of the query, in this case, address 10.0.0.1 for the system
with the NetBIOS name Fileserver.

If the system you are querying is not in the same subnet as yours, the name
cannot be resolved with a broadcast query. Instead, nmblookup uses a
WINS server to resolve the name.

For more information, see the man page for nmblookup.
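What nmblookup does on the wire, as an added example that is not part of the course material: the code below builds the broadcast NetBIOS name query (RFC 1001/1002) that nmblookup Fileserver sends to UDP port 137 and decodes a positive name query response into the 10.0.0.1 Fileserver<00> form shown above. The response it decodes is constructed inline, so everything except broadcast_lookup runs offline; the transaction id 0x1234 and the TTL are arbitrary values chosen for the example.

```python
import socket
import struct

NBNS_PORT = 137
NB_TYPE = 0x0020            # RR type "NB" (NetBIOS general name service)
WORKSTATION_SUFFIX = 0x00   # the <00> shown in the nmblookup output


def encode_netbios_name(name, suffix=WORKSTATION_SUFFIX):
    """First-level encoding (RFC 1001 14.1): upper-cased, space-padded to
    15 bytes, byte 16 is the suffix; every byte is split into two nibbles
    that are each added to 'A'. The wire form is therefore always upper case."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    return "".join(chr(0x41 + (b >> 4)) + chr(0x41 + (b & 0x0F)) for b in raw)


def decode_netbios_name(encoded):
    """Reverse of encode_netbios_name; returns (name, suffix)."""
    if len(encoded) != 32:
        raise ValueError("encoded NetBIOS name must be 32 characters")
    raw = bytes(((ord(encoded[i]) - 0x41) << 4) | (ord(encoded[i + 1]) - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(" "), raw[15]


def build_name_query(name, trn_id=0x1234):
    """NAME QUERY REQUEST as a B-node sends it: OPCODE=0, B and RD flags set,
    one question of type NB, class IN."""
    header = struct.pack("!HHHHHH", trn_id, 0x0110, 1, 0, 0, 0)
    qname = bytes([32]) + encode_netbios_name(name).encode("ascii") + b"\x00"
    return header + qname + struct.pack("!HH", NB_TYPE, 0x0001)


def build_positive_response(name, ip, trn_id=0x1234, suffix=WORKSTATION_SUFFIX):
    """Constructed POSITIVE NAME QUERY RESPONSE (R, AA, RD, RA set, one
    answer with a single ADDR_ENTRY) so the parser can be exercised offline."""
    header = struct.pack("!HHHHHH", trn_id, 0x8580, 0, 1, 0, 0)
    rr_name = bytes([32]) + encode_netbios_name(name, suffix).encode("ascii") + b"\x00"
    rdata = struct.pack("!H4s", 0x0000, socket.inet_aton(ip))  # unique name, B-node
    return header + rr_name + struct.pack("!HHIH", NB_TYPE, 0x0001, 300000, len(rdata)) + rdata


def _read_name(data, off):
    """Return (first label, offset after the name); follows a compression
    pointer and skips NetBIOS scope labels if present."""
    length = data[off]
    if length & 0xC0 == 0xC0:
        ptr = struct.unpack_from("!H", data, off)[0] & 0x3FFF
        return _read_name(data, ptr)[0], off + 2
    label = data[off + 1:off + 1 + length].decode("ascii")
    off += 1 + length
    while data[off] != 0:
        off += 1 + data[off]
    return label, off + 1


def parse_name_query_response(data):
    """Return [(ip, name, suffix), ...]; raises ValueError for a request
    or a negative response (non-zero RCODE), which nmblookup reports as
    name_query failed."""
    _, flags, qdcount, ancount, _, _ = struct.unpack_from("!HHHHHH", data, 0)
    if not flags & 0x8000:
        raise ValueError("packet is a request, not a response")
    if flags & 0x000F:
        raise ValueError("negative name query response, RCODE=%d" % (flags & 0x0F))
    off = 12
    for _ in range(qdcount):            # responses normally carry no question
        _, off = _read_name(data, off)
        off += 4
    results = []
    for _ in range(ancount):
        label, off = _read_name(data, off)
        rr_type, _, _, rdlength = struct.unpack_from("!HHIH", data, off)
        off += 10
        if rr_type == NB_TYPE:          # RDATA is a list of 6-byte ADDR_ENTRYs
            name, suffix = decode_netbios_name(label)
            for i in range(0, rdlength, 6):
                _, addr = struct.unpack_from("!H4s", data, off + i)
                results.append((socket.inet_ntoa(addr), name, suffix))
        off += rdlength
    return results


def format_result(ip, name, suffix):
    """Same layout as the second line of the nmblookup output (nmblookup
    echoes the name as typed; here it is the upper-case wire form)."""
    return "%s %s<%02x>" % (ip, name, suffix)


def broadcast_lookup(name, broadcast="10.0.0.255", timeout=2.0):
    """Send the query the way nmblookup does: UDP broadcast to port 137."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_name_query(name), (broadcast, NBNS_PORT))
        data, _ = sock.recvfrom(1024)
    finally:
        sock.close()
    return parse_name_query_response(data)


if __name__ == "__main__":
    reply = build_positive_response("Fileserver", "10.0.0.1")  # constructed
    for entry in parse_name_query_response(reply):
        print(format_result(*entry))    # 10.0.0.1 FILESERVER<00>
```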

Use smbclient to Access SMB Shares

With the smbclient tool, you can access SMB shares on the
network. It's also a very useful tool to test a Samba server
configuration.

You can perform 3 basic tasks with smbclient:
■ Browse the Shares Provided by a Server
■ Access Files Provided by an SMB Server
■ Print on Printers Provided by an SMB Server


Browse the Shares Provided by a Server

To display the shares offered by an SMB server, enter a command
such as the following:
smbclient -L //Fileserver

When smbclient asks for a password, press Enter to proceed.

The output of smbclient looks like the following:


Domain=[DigitalAirlines] OS=[Unix] Server=[Samba 3.0.4-SUSE]
Sharename      Type      Comment
---------      ----      -------
data           Disk      Data
IPC$           IPC       IPC Service
ADMIN$         IPC       IPC Service
Domain=[DigitalAirlines] OS=[Unix] Server=[Samba 3.0.4-SUSE]
Server         Comment
---------      -------
Workgroup      Master
---------      -------
DigitalAirlines Fileserver

smbclient first displays all available shares of the SMB server.
Besides the shares you have configured in the smb.conf file, an SMB
server always offers at least 2 other shares:
■ IPC$. This share provides information about the other shares
available on the SMB server.
■ ADMIN$. On a Windows computer this share points to the
directory where Windows itself is installed. This can be useful
for administrative tasks. When Samba tries to emulate a
Windows server, it also offers this share. However, it is not
needed to administer a Linux server.

The lower part of the smbclient output gives some information
about the workgroup of the system.


This command can also be very valuable for testing purposes. After
you have set up a share, you can check the availability of the share
with smbclient.

Some shares are not browsable without authentication. In this case,
you can pass a user name to smbclient, as in the following:
smbclient -L //Fileserver -U tux

In the example, smbclient connects to the server with the user name
tux and prompts for the corresponding password.

Access Files Provided by an SMB Server

The command to access a share on a server is similar to the
command used to browse for available shares, but instead of
supplying just the server name, the full path to the share needs to be
supplied without the -L option.

In the following example, smbclient connects to the share data on
the server Fileserver:
smbclient //Fileserver/data

In this case, it is not necessary to supply a user name because the
share data is configured with the guest ok = yes option. A user name
can be supplied with the -U option.

After smbclient has connected to a share, it displays the following
prompt:
smb: \>

Smbclient can be used like a command-line FTP client. The most
important commands are the following:
■ ls. Displays the content of the current directory.
■ cd. Changes to a directory.
■ get. Copies a file from the share to the current working
directory.


■ put. Copies a file to the share. The share must be writable to
use this command.

Print on Printers Provided by an SMB Server

You can use smbclient to print on shared network printers. The
basic syntax of a print command is shown in the following:
smbclient //Printserver/laser -c 'print letter.ps'

In this example, the file letter.ps is printed on a network printer
accessed through the share laser of the SMB server Printserver.

You can also use the command print on the smbclient command line
after you have connected to the server. The -c option performs the
given command automatically after the connection to the server has
been established.

Mount SMB Shares into the Linux File System

Instead of accessing shared files with smbclient, you can mount a
share into the file system like a hard disk partition or a CD-ROM
drive.

The basic mount command is shown in the following:
mount -t smbfs //Fileserver/data /mnt

In this example, the share data of the SMB server Fileserver is
mounted into the directory /mnt. The option -t smbfs is necessary to
specify that the resource to be mounted is an SMB share.

If the share requires authentication, you can supply a username and
password, as in the following:
mount -t smbfs -o username=tux,password=novell //Fileserver/data /mnt


How to Configure a File Server with User Authentication

In the previous example, the Samba share is accessible without
supplying a user name and password. In most cases, this type of
accessibility is not recommended.

The following shows you how to configure Samba to require
authentication with a user name and password:
■ Prepare the Server for User Authentication
■ Configure a Share That is Accessible for Only One User
■ Configure Shared Access for a Group of Users
■ Configure the Export of Home Directories

Prepare the Server for User Authentication

The first task is to change the security option in the smb.conf file to
the following:
security = user

The value user for the option security forces user authentication
when the client attempts to connect to the server.

In the following examples, the configuration is based on User Level
Security. In this security level, the Windows-compatible encrypted
password file is stored in the file /etc/samba/smbpasswd (by
default).

Users who want to access SMB shares must first be created as
Linux users. Then an SMB password needs to be set using the
smbpasswd tool.

The following example sets an SMB password for the user tux:
smbpasswd -a tux


Smbpasswd prompts you to enter the password twice and confirms
the setting of the password by displaying the following message:
New SMB password: novell
Reenter smb password: novell
Added user tux

If smbpasswd is called without any parameters, the current user can
change his SMB password. If smbpasswd is called with the -x
option followed by a user name, that user is deleted from the
smbpasswd file.

Configure a Share That Is Accessible to Only One User

The following example configures a share that is accessible only for
the user tux:
[tux-dir]
comment = Tux Directory
path = /srv/share
valid users = tux
read only = no

Each line of this share is listed and described below:
comment = Tux Directory

This option sets the comment for the share.
path = /srv/share

This option sets the path to the share.
valid users = tux

This option lists all users who are allowed to connect to this share.
User names have to be separated by commas. You can add an entire
UNIX group with the syntax @group_name. However, all the users
of the UNIX group need accounts in the smbpasswd file.


read only = no

This option makes the share writable by setting the read only option
to no.

Configure Shared Access for a Group of Users

The following example creates a share that is readable and writable
for all users of the UNIX group accounting:
[accounting]
comment = Accounting department
path = /srv/share
valid users = @accounting
force user = tux
force group = accounting
read only = no

Compared to the previous example, the following lines are new or
have changed:
valid users = @accounting

This line allows all users who are in the UNIX group accounting to
access the shared folder.
force user = tux

This line forces the Samba server to perform all file operations in
the shared folder as user tux. This ensures that all files in the shared
folder are readable and writable for every user who is allowed to
access the share.
force group = accounting

This line forces the Samba server to perform all file operations with
the group accounting.


Configure the Export of Home Directories

The following example exports the home directory of all UNIX
users of the Samba server. You need to add the users to the
smbpasswd file before the setup works:
[homes]
comment = Home Directories
valid users = %S
read only = No
browseable = No

In this example, you must name the share homes. If Samba finds a
share with this name in the configuration file, it is treated in a
special way.

When a share is requested, Samba first scans the existing sections of
the configuration file. If no section is found, Samba uses the
requested share name as a user name and looks up the user in the
local password file.

If the user is found and the correct password is supplied, Samba
automatically creates a share for the home directory of the user.

The following shows and describes the lines in the example:
valid users = %S

The %S macro sets the value of the valid users option to the name
of the requested share.
read only = No

The exported home directory should be readable and writable for
the authenticated user.
browseable = No

For security reasons, the share is not browsable.

To access an exported home directory, use the address
//server_name/user_name.
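The access-control options this objective covers (security, guest ok, read only, valid users, force user, browseable and the special [homes] share) can be checked mechanically before testparm and a restart. The following audit is an added example, not course material: it parses an smb.conf with Python's configparser and reports the weak combinations; the smb.conf it reads is constructed inline, and the severities are this example's own judgement.

```python
import configparser

# Constructed sample: the [global] and [data] sections from this objective,
# plus a writable anonymous share and a browseable [homes] share to be flagged.
SAMPLE_SMB_CONF = """\
[global]
workgroup = DigitalAirlines
netbios name = Fileserver
security = share

[data]
comment = Data
path = /srv/data
read only = Yes
guest ok = Yes

[upload]
comment = Drop box
path = /srv/upload
read only = No
guest ok = Yes

[accounting]
comment = Accounting department
path = /srv/share
valid users = @accounting
force user = tux
force group = accounting
read only = No

[homes]
comment = Home Directories
valid users = %S
read only = No
browseable = Yes
"""


def parse_smb_conf(text):
    """smb.conf is INI-like: interpolation off keeps macros such as %S,
    strict=False tolerates repeated keys the way Samba does."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    return parser


def is_yes(value):
    """Samba boolean: yes, true and 1 (any case) are true."""
    return str(value).strip().lower() in ("yes", "true", "1")


def share_is_writable(opts):
    """read only (default yes) or its writable/writeable synonyms."""
    if "read only" in opts:
        return not is_yes(opts["read only"])
    return is_yes(opts.get("writable", opts.get("writeable", "no")))


def audit_smb_conf(text):
    """Return (severity, section, message) findings for weak combinations
    of the options discussed in this objective."""
    parser = parse_smb_conf(text)
    findings = []
    # Samba section names are case-insensitive, so locate [global] that way.
    global_name = next((s for s in parser.sections() if s.lower() == "global"), None)
    security = "user"
    if global_name is not None:
        security = parser[global_name].get("security", "user").strip().lower()
    if security == "share":
        findings.append(("HIGH", global_name, "security = share: clients are not "
                         "tied to a user account; use security = user"))
    for section in parser.sections():
        if section == global_name:
            continue
        opts = parser[section]
        guest = is_yes(opts.get("guest ok", "no"))
        valid_users = opts.get("valid users", "").strip()
        if guest and share_is_writable(opts):
            findings.append(("HIGH", section, "guest ok = yes on a writable "
                             "share: files can be changed without a password"))
        if "force user" in opts and not valid_users:
            findings.append(("MEDIUM", section, "force user = %s without valid "
                             "users: every client works on the files as that "
                             "user" % opts["force user"]))
        if security == "user" and not guest and not valid_users:
            findings.append(("INFO", section, "no valid users list: every "
                             "account in the smbpasswd file may connect"))
        if section.lower() == "homes" and is_yes(opts.get("browseable", "yes")):
            findings.append(("LOW", section, "[homes] is browseable: set "
                             "browseable = No so the template is not listed"))
    return findings


if __name__ == "__main__":
    for severity, section, message in audit_smb_conf(SAMPLE_SMB_CONF):
        print("%-6s [%s] %s" % (severity, section, message))
```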


Additional Possibilities with Samba

This section explained only the basic usage of Samba. Many more
features and configuration options are available to help you
customize Samba for your environment.

For example, you could
■ Use Samba as member server of a Windows domain.
■ Use Samba as domain controller.

You can find more information about Samba and the possible
configurations from the following:
■ The samba-doc package in the directory
/usr/share/doc/packages/samba/
■ The man page of smb.conf
■ The Samba project site at http://www.samba.org/


Exercise 3-4: Configure a File Server With Samba.

In this exercise, you configure a file server with Samba by doing the
following:
■ Part I: Install Samba
■ Part II: Configure a Share for the User Geeko
■ Part III: Access the Share of the User Geeko With smbclient
■ Part IV: Mount Geeko's Share

Part I: Install Samba

Do the following:

1. From the KDE start menu, select System > YaST.

2. When prompted for the root password, enter novell.

3. From the YaST Control Center, select
Software > Install and Remove Software.

4. From the filter drop-down menu, select Search.

5. In the search field, enter samba; then select Search.

6. On the right, select the following packages:
■ samba
■ samba-client (if not already selected)

7. Install the selected packages by selecting Accept.


Part II: Configure a Share for the User Geeko

Do the following:

1. From a terminal window, su to root.

2. Change to the directory /etc/samba.

3. Save the default Samba configuration file by entering the
following:
mv smb.conf smb.save

4. Create the file smb.conf with a text editor.

5. Add the following lines to the configuration file:
[global]
workgroup = Accounting
netbios name = Fileserver_your_host_name
security = user

[geeko-dir]
comment = Geeko Directory
path = /srv/samba/geeko
valid users = geeko
read only = no

This file is available on your 3038 Course CD in the directory
/exercises/section_3.

6. Save and close the file.

7. Create the directory to export by entering the following
commands:
mkdir /srv/samba/
mkdir /srv/samba/geeko

8. Create a test file in the directory by entering the following:
touch /srv/samba/geeko/my_file


9. Adjust the directory permissions by entering the following
commands:
chown geeko /srv/samba/geeko
chown geeko /srv/samba/geeko/my_file

10. Add geeko to the smbpasswd file by entering the following:
smbpasswd -a geeko

11. When prompted for a password, enter novell (twice).

12. Check the syntax of the configuration file by entering the
following:
testparm

13. Start the Samba servers by entering the following commands:
rcsmb start
rcnmb start

Part III: Access the Share of the User Geeko With smbclient

Do the following:

1. Open a terminal window as a normal user.

2. Access Geeko's share by entering the following:
smbclient -U geeko //localhost/geeko-dir

3. When prompted for a password, enter novell.

4. Display all available commands of smbclient by entering the
following:
help

5. List the content of the share by entering the following:
ls


6. Copy the file my_file to the current directory by entering the
following:
get my_file

7. Exit smbclient by pressing Ctrl+D.

8. Verify that the file my_file has been copied.

Part IV: Mount Geeko's Share

Do the following:

1. From the terminal window, su to root.

2. Mount geeko's share in the directory /mnt by entering the
following:
mount -t smbfs -o username=geeko,password=novell //localhost/geeko-dir /mnt

3. Display the content of the mounted share by entering the
following:
ls /mnt/
You should see the file my_file.

4. Unmount the share by entering the following:
umount /mnt

(End of Exercise)


Summary
The following is the summary of the objectives.

Objective 1. Configure a DNS Server Using BIND
■ DNS translates host names into IP addresses.
■ DNS is a distributed database.
■ Under SLES 9 you can use the BIND software to set up your own DNS server.
■ A caching-only DNS server is not responsible for its own domain; it just forwards requests to other name servers and caches the result for later requests.
■ A master server is responsible for its domain. It also provides resource information to host entries like the IP address of the mail server.
■ DNS server information is stored in zone files.
■ A slave DNS server receives copies of the domain zone files from the master server. Using slave servers enhances the reliability of the DNS.
■ On a client, the name resolution is configured in the files /etc/resolv.conf and /etc/nsswitch.conf.
■ To query DNS from the command line, you can use the host and the dig commands.

Objective 2. Deploy OpenLDAP on a SLES 9 Server
■ Directory services are tree-like structured databases that contain entry-based information.
■ OpenLDAP is the most popular open source LDAP directory and is used for user authentication in SLES 9.
■ If you did not configure an OpenLDAP server during the installation, you need to install the following software packages:
  ■ openldap2
  ■ openldap2-client
■ The configuration of the OpenLDAP server is located in the file /etc/openldap/slapd.conf.
■ You can create passwords for the administrator entry of the configuration file with the command slappasswd.
■ The default configuration file for LDAP clients is /etc/openldap/ldap.conf.
■ Use ldapadd to insert data from LDIF files into the directory.

■ Make sure that LDIF files conform to Unicode.
■ Use ldapsearch to query information from the directory.
■ Use ldapmodify to change entries in the directory.
■ Use ldapdelete to delete directory entries.
■ You can use the graphical program GQ to browse and query the directory.

Objective 3. Configure an Apache Web Server
■ Apache is the leading web server software.
■ Apache delivers data to a web browser using the HTTP protocol.
■ For a basic web server, you need to install the following packages:
  ■ apache2
  ■ apache2-prefork
  ■ apache2-example-pages
■ The locally running web server can be accessed using the address http://localhost.
■ The default document root of the web server is /etc/www/htdocs.
■ The Apache configuration files are located in the directory /etc/apache2.
■ The options of the Apache configuration files are called directives.

■ You can check the syntax of the configuration file with the command apache2ctl configtest.
■ By configuring virtual hosts you can host multiple domains on one physical machine.
■ You need to create a configuration file in the directory /etc/apache2/vhosts.d/ for every virtual host.
■ You can limit the access to the Apache web server
  ■ On an IP address basis
  ■ Based on user authentication
■ To encrypt the connection between the browser and server, you can configure Apache to use SSL.
■ To run a production system under SSL, you need a certificate signed by a CA.
■ To access an SSL-enabled system, use an address starting with https://.

Objective 4. Configure a Samba Server as a File Server
■ Samba can be used to integrate a Linux system into a Windows environment.
■ Windows services are delivered using the SMB protocol.
■ The network protocol NetBIOS is used in a Windows environment.
■ NetBIOS creates its own name space independently from DNS.
■ An SMB share can be accessed with the address schema \\server_name\service_name.
■ Samba can be used for the following purposes:
  ■ As a file and print server
  ■ To access SMB shares
  ■ As a domain controller
■ The Samba server is configured in the file /etc/samba/smb.conf.
■ The Samba configuration file is structured in sections.
■ You can check the syntax of the configuration file with the command testparm.

■ Use nmblookup to resolve NetBIOS names to IP addresses.
■ Use smbclient to access shares from the command line.
■ Use mount -t smbfs to mount SMB shares into the Linux file system.
■ You can limit access to a Samba server with user authentication.


SECTION 4 Secure a SLES 9 Server

In this section, you learn how to create a general security policy and
how to secure a SLES 9 server against local attacks.

Objectives
1. Create a Security Concept
2. Limit Physical Access to Server Systems
3. Limit the Installed Software Packages
4. Understand the Linux User Authentication
5. Ensure File System Security
6. Use ACLs for Advanced Access Control
7. Configure Security Settings with YaST
8. Stay Informed About Security Issues
9. Apply Security Updates


Introduction
Given the number of press reports about attacks on computers, it is
not surprising that computer security is being taken more seriously.

Despite the increased interest in security, not all administrators and
decision makers understand what IT security means and why it is
important to them.

An entire branch of the IT industry is concerned with security.
Many security products have been created in recent years. Firewall
solutions and antivirus software have become bestsellers, and yet an
important component of every security concept–perhaps even the
most important component–is being neglected. This is know-how.

Without the appropriate knowledge you cannot recognize and
understand security-critical issues in complex IT infrastructures.

This section begins with a general overview of security concepts.
This is because every aspect of security needs to be seen in the
context of the environment. It does not make sense to secure one
server when the same data can be stolen or manipulated on other
systems.

After the introduction, you will learn details about local security.
Local security covers every threat that can be caused by users of the
local system.

This section does not cover topics that belong to the area of network
security. Topics such as firewalls and packet filtering are beyond the
scope of this course.


Objective 1 Create a Security Concept


“It is easy to run a secure computer system. You merely have to
disconnect all dial-up connections and permit only direct wired
terminals, put the machine and its terminals in a shielded room and
post a guard at the door.”

F.T. Grampp and R.H. Morris

It might be possible to operate a computer system in this secure
manner, but it's not practical. To deal with network problems in the
real world, a different security concept is required.

This objective does not provide sample solutions that can be
adapted to your own problem solving. Instead, you learn how to
create your own security concepts.

The process of creating a security concept consists of the following
parts:
■ Understand the Basics of a Security Concept
■ Perform a Communication Analysis
■ Analyze the Protection Requirements
■ Analyze the Current Situation and Necessary Enhancements


Understand the Basics of a Security Concept

First, you must know what you are protecting your system from. A
security concept for a computer used by multiple users at different
times is different from a security concept for an environment in
which many different users use multiple computers at the same
time.

If users work on different computers and use common resources,
such as disk space or printers, then a security concept pertaining to
a network must be considered.

The formal method of creating a security concept presented in this
section has been tried and proven in practice. It helps to detect
errors and sources of danger that are not obvious and provides good
documentation of the concept.

Perform a Communication Analysis

Creating a security concept begins with a communication analysis.
This includes analyzing the security situation and evaluating the
dangers.

Resources are differentiated according to what a user needs and
how the access to these resources is controlled.

If users should not have access to certain resources, you can assign
different access rights. For example, you can determine which user
groups can use a resource or if the user groups can only access the
resource during a certain time period.


By answering the following questions, you can learn valuable
information to use in developing a structured overall picture of your
security needs.
■ What information will be exchanged across which barriers
and in which direction?
A barrier can be the virtual barrier between the home
directories of two users in a UNIX system or a firewall between
two networks.
■ Which data packets will be transported with which
protocols to which hosts in the network?
The fewer protocols you use, the better security you will have,
simply because there are fewer sources of error.
■ What resources are available to individual users and with
which access rights?
Consider the resources users will need: printers, files on storage
media, the storage media themselves (such as CD-ROM
drives), sound cards, modems, fax cards, ISDN cards, network
services (such as FTP or HTTP), and the computing capacity of
CPUs.
■ Which resources must be available in each work area?
Even in small companies, different departments require
different resources.
■ Which data must users have access to and in which way?
It does not make sense to organize access to data for each
specific user individually. It is better to structure access rights
for user groups.
■ Which external users have external access to company
resources, what resources do they use, and how is access
controlled?
Pay special attention to authenticating external users.


■ Which external resources does the company provide?
Usually this means web and mail servers and other Internet
services.
■ Should users be charged for resources?
Many organizations charge users or departments for expensive
resources (such as Internet bandwidth).
■ Which tasks must external service providers be involved in?
Determine if it is necessary to exchange any security-relevant
data with the external service provider.
■ How do security restrictions affect users, and how open are
users to these restrictions?
Users are more willing to live with restrictions if they
understand why the restrictions are needed.
■ Will you filter transmitted or stored information on
gateways between networks or on computers?
This applies to virus control, which should take place where the
viruses can be reliably detected, on workstations and file
servers.
■ How available do individual resources need to be?
Not every file server in the company needs to have a high
availability setup. This is why it is important to calculate
exactly what costs are incurred if a resource fails.

Analyze the Protection Requirements

After you have determined the communication demands, you need
to analyze the protection requirements for the data.

The expense of securing individual resources is determined by the
amount of potential damage that could be caused by an attack, a
faulty operation, or a natural catastrophe.


You should estimate the frequency of the occurrence of possible
damage to use in your calculations.

To determine your protection needs, ask yourself the following
questions:
■ Which groups of people can access which information?
Is there information reserved for management, while other
information is available to all employees?
■ Where is protected data located?
The degree of data protection needed determines the degree of
protection for each individual computer in the corresponding
network.
■ Which zones exist and what security needs do they have?
You should create corresponding security zones for computers
belonging to the same protection class.
■ What might happen to security zones if security barriers
are breached?
This question is not difficult to answer if the security zones
have previously been clearly defined.
■ Who are potential attackers?
You also need to estimate the financial and technical means of
the potential attackers.
■ What information is of special interest to others?
This question helps you group zones with different security
needs.
■ What are the remaining risks when the security concept is
implemented?
This question can only be asked at the end of the analysis.
Consider all questions asked, the relevant answers, and the
technical and organizational implementation of the security
concept.


Important parts of the communication analysis can be represented in
tables, also known as access matrices.

The following table shows a simple access matrix:

                          Proxy Server   Web Server   Mail Server
Workstation Office        8080
Workstation Web Designer  8080           ssh
Workstation Sysad         8080           ssh          ssh
Mail Server Intranet                                  smtp

It is often useful to have 2 columns for individual protocols,
matching the two transport directions (IN or OUT).

Besides application level gateways, routers with activated packet


filtering also count as firewalls.

Analyze the Current Situation and Necessary Enhancements

A company-wide security policy should guarantee the confidentiality, data integrity, availability, and transparency of a company's business processes and prevent damage.

The security policy determines what security demands are required for specific data and resources. The security policy should include the analysis of the remaining risk. Risks that cannot be removed or can only partially be removed by taking appropriate protective measures should be highlighted.

The security policy always also describes the current actual state of
security. For this, information is needed on who is required to do
what to achieve the desired security level.

The following table shows what topics need to be covered in the security policy. The table also includes the physical access to the IT infrastructure.

Security of network components: How are the components and their physical storage areas secured against unauthorized access?
Actual state: The network cabinets are freely accessible so that each member of staff can patch his own network connections.
Target state: Technical rooms are locked, so only system administrators have access.
Task: The locks must be checked and keys assigned to system administrators.
Date: 2005-02-02
Responsible Person: Jenny Doe, head of System Administration department.
Estimated expense: Approximately 5 days and $1200.
Done/checked: 2005-03-01 Henry Boardman, Assistant to the Board.

The reasons given in the description of the actual state show that:
■ Members of the staff need to be told why they can no longer
patch their network connections themselves.
■ Administrators must be made available to patch the network
connections in the future.

The following table covers dial-up to and from the internal network:

Security of network components: Do connections to other networks or dial-up possibilities to the internal network exist? How are these accesses protected?
Actual state: In the departments of the U.S. branches, there is an undefined number of Internet accesses through a local provider. It is not known if the computers used for the dial-up are connected to the internal network. A number of administrators are using Windows NT RAS access to administer from home. The NT RAS is operated using CHAP and Callback. The situation at the other locations is not known.
Target state: There is no local Internet access. Members of staff who require Internet access can obtain this using the central firewall.
Task: All worldwide locations are connected by VPN to the headquarters in the U.S. in accordance with a board decision. A 2 MB Internet access is used in the headquarters, secured by a three-level firewall with an application level gateway. Local Internet access is removed.
Date: 2005-03-30
Responsible Person: Jenny Doe, head of System Administration department. Management provides Ms. Doe with appropriate powers.
Estimated expense: Approximately 15 days and approximately $200,000.
Done/checked: 2005-03-30 Henry Boardman, Assistant to the Board.

The following tables cover other data security measures you should
consider:

Further security measures: How are the servers protected against power failure?
Actual state: In all technical rooms, a UPS is installed so servers automatically shut down in case of power failure. The UPS and server connecting cables are checked regularly.
Target state: All servers are connected to a functioning UPS. Actual state reflects target state.
Task:
Date:
Responsible Person:
Estimated expense:
Done/checked: 2005-01-12 Henry Boardman, Assistant to the Board.

Further security measures: What firefighting means are available?
Actual state: Suitable fire extinguishers are installed in front of all technical rooms. Suitable fire detectors are installed in all technical rooms. The large technical rooms at the U.S. headquarters are equipped with automatic fire extinguishing equipment.
Target state: Technical rooms are equipped with fire detectors and extinguishers outside the doors to the rooms. U.S. headquarters technical rooms have automatic sprinklers installed. Actual state reflects target state.
Task:
Date:
Responsible Person:
Estimated expense:
Done/checked: 2005-01-14 Henry Boardman, Assistant to the Board.

Further security measures: How is data security controlled? How are checks made to determine whether the data stored is usable?
Actual state: Important servers and workplace machines are equipped with tape drives. Backups take place daily. Responsibility for data backups lies with those members of staff in the technical departments who have been briefed for this.
Target state: At each location, backups are made on tape libraries by means of network backup software. The tapes are cloned, regularly recycled, and stored in fireproof safes.
Task: A data backup concept must be drawn up and implemented. An external consultant should be hired.
Date: 2005-04-22
Responsible Person: Jenny Doe, head of System Administration department. Management provides Ms. Doe with appropriate powers.
Estimated expense: A cost estimate will be made by an external consultant.
Done/checked: 2005-01-14 Florian Sailer, Co-Assistant to the Board.

Further security measures: How can we guarantee that available software updates to close known security loopholes are tested and installed?
Actual state: Installing software updates is left to the judgment of the appropriate administrator, but this is discussed in detail with colleagues and suppliers or vendors.
Target state: Software updates will be recorded, tested, and released company-wide by two accountable members of staff. Security-relevant software updates will be installed especially on systems in the demilitarized zone. Only in exceptional cases, justified in writing, will software updates in the DMZ be delayed. In such cases, the head of System Administration must determine if other kinds of protective measures can be used.
Task: The head of the System Administration department will name two system administrators who will design a software update concept and who will then be responsible for software updates.
Date: 2005-03-30
Responsible Person: Jenny Doe, head of System Administration department.
Estimated expense: Approximately 4 days for designing the concept. The running costs will be included in the concept.
Done/checked: 2005-03-30 Henry Boardman, Assistant to the Board.

The next table covers the virus protection of the IT systems:

Further security measures: How are the systems protected from malicious software viruses?
Actual state: Virus scanners are only installed on certain workplace computers.
Target state: Virus scanners with a frequent update service are installed on all file servers and workstations. Current virus signatures can be downloaded at any time from the Internet from the server of the virus scanner vendor. The virus scanners on workstations obtain the virus signatures from a central server, so new virus signatures only need to be installed once. To monitor the file servers, the product of a different vendor than the product monitoring the workstations is used. Overall, an efficient, two-level virus defense concept is implemented.
Task: The head of the System Administration department names two accountable persons who will design a virus defense concept and who will later on be responsible for the operation of the virus defense.
Date: 2005-03-30
Responsible Person: Jenny Doe, head of System Administration department.
Estimated expense: Approximately 10 days for the product evaluation and concept design. Operating costs will be included in the concept.
Done/checked: 2005-03-30 Florian Sailer, Co-Assistant to the Board.

The following table covers the documentation of the IT infrastructure:

Further security measures: How is the system configuration documented?
Actual state: Everyone who has configured a machine on the network writes down or remembers the configuration data.
Target state: All system configurations (hardware and software) are documented centrally in electronic form at the corresponding location. System administrators at the U.S. headquarters can access the documentation from all locations.
Task: The head of the System Administration department shall name two system administrators who will draw up documentation guidelines.
Date: 2005-03-30
Responsible Person: Jenny Doe, head of System Administration department.
Estimated expense: Approximately 20 days to design a concept. The estimated cost of implementing this will be included in the concept.
Done/checked: 2005-03-30 Henry Boardman, Assistant to the Board.

The examples shown above should not be considered as a template for your own security policy. Every company has its own demands and issues to be solved. The tables should give you an idea of ways to enhance the IT security in your company.

Objective 2 Limit Physical Access to Server Systems


If a server is not protected from unauthorized physical access, even
the best software configuration cannot prevent someone from
misusing it. By rebooting a system from a floppy or CD, or by
passing boot parameters to the Linux kernel, someone can access
the server without knowing the password.

To prevent unauthorized users from physically accessing the server, do the following:
■ Place the Server in a Separate, Locked Room
■ Secure the BIOS with a Password
■ Secure the GRUB Boot Loader with a Password

Place the Server in a Separate, Locked Room

The best way to prevent physical access to a server is to lock the server in a dedicated server room. We highly recommend that you do this for every production system.

The server room should be locked with a solid door, and only
system administrators should have access. The room should be
protected against fire and be equipped with an automatic fire
extinguishing system.

What can be done depends on the size of the company and on the
available financial resources. At the least, a separated locked room
for all servers is recommended.

Secure the BIOS with a Password

For test systems or workstations that are not placed in a secure room, there are some things you can do to make it more difficult to access a system without an account.

One of these is to set a password for the BIOS setup.

The BIOS represents the lowest level of software and lies underneath the operating system. Modern BIOS versions give you the option of protecting the boot process with a password. You can also protect the BIOS settings and prevent the system from booting from media like floppies or CDs.

The exact procedure for protecting the BIOS depends on the BIOS vendor
and version. For more details on this, please consult your vendor
documentation.

By preventing the system from booting from a different medium, only the installed system can be started. This system is password protected and cannot be accessed without further effort. However, a BIOS password is never a replacement for a dedicated server room.

Secure the GRUB Boot Loader with a Password

Another way to misuse physical access to a Linux system is to reboot and pass additional parameters to the kernel. This makes it possible to start and access the system without entering a password.

The boot loader GRUB can be configured to prompt for a password before any parameters can be entered. To do this, you first need to create an encrypted password with the following command:
grub-md5-crypt

The command asks for a password, which has to be confirmed once, and outputs an encrypted string. This string looks like the following:
$1$SEVCU0$S.7WQL05kHiK4VKDsKtfI0

Then the password needs to be added to the GRUB configuration file:
/boot/grub/menu.lst

You can find the global section at the beginning of the configuration file. The password needs to be placed into that section as shown in the following example:
color white/blue black/light-gray
default 0
timeout 8
gfxmenu (hd0,5)/boot/message
password --md5 $1$h8GCU0$Vt3impL0.Cr0nkGQY1jjJ1
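To apply that change without editing menu.lst by hand, the following shell script is an added example (not part of the course manual) that writes a hash produced by grub-md5-crypt into the global section and replaces any global password line that is already there; the hash in the usage comment is the one from the example above.

```shell
#!/bin/sh
# Added example, not from the course manual: put a "password --md5 <hash>"
# line into the global section of a GRUB menu.lst. The global section is
# everything before the first "title" line, so the password is inserted
# just in front of that line (or appended if the file has no entries yet).
# The hash is expected to come from grub-md5-crypt ($1$<salt>$<hash>).
#
# Usage: grub_set_password /boot/grub/menu.lst '$1$h8GCU0$Vt3impL0.Cr0nkGQY1jjJ1'

# grub_set_password FILE HASH
# Rewrites FILE in place. Returns 1 if HASH is not an MD5 crypt string.
grub_set_password() {
    file=$1
    hash=$2
    case $hash in
        '$1$'*'$'*) ;;
        *) echo "grub_set_password: not an MD5 crypt hash: $hash" >&2
           return 1 ;;
    esac
    tmp=$(mktemp) || return 1
    awk -v h="$hash" '
        # Global section: drop any password line that is already there,
        # so that calling this twice does not leave two password lines.
        !seen_title && /^[[:space:]]*password([[:space:]]|$)/ { next }
        # The first title line ends the global section: emit the new
        # password line directly before it. Passwords inside the boot
        # entries themselves (after a title) are left untouched.
        !seen_title && /^[[:space:]]*title([[:space:]]|$)/ {
            print "password --md5 " h
            seen_title = 1
        }
        { print }
        # No title at all: the whole file is global, append at the end.
        END { if (!seen_title) print "password --md5 " h }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Copy back through the existing inode so owner and mode are kept.
    cat "$tmp" > "$file" && rm -f "$tmp"
    # The hash should not be readable by normal users.
    chmod 600 "$file"
}

# grub_password_line FILE
# Prints the password line of the global section, nothing if there is none.
grub_password_line() {
    awk '/^[[:space:]]*title([[:space:]]|$)/ { exit }
         /^[[:space:]]*password([[:space:]]|$)/ { print }' "$1"
}
```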

Objective 3 Limit the Installed Software Packages


Every software package that is installed on a system, but is not needed by that system, should be removed from a production server.

The more software is installed, the more possible security problems can occur. For example, it does not make sense to install an X server and graphical applications on a system that is exclusively used as a web server.

To set up a production system, you can use the minimal system as a base for the software selection during the installation. Then you can manually add just those software packages that are needed.

This rule is especially true for network daemons. A server should never offer any network services that are not needed. For example, if a server is used as a dedicated file server, it is not necessary to run a postfix mail server on the same system.

You can use the following command to check which services are configured to start and their run levels:
chkconfig -l

The command displays a line for every service installed on the system. The following line shows the configuration of the Samba server:
smb 0:off 1:off 2:off 3:on 4:off 5:on 6:off

After the service name, the configuration for all six default run
levels is displayed. On means the service is configured to be started
in the corresponding run level; off means the service will not be
started.

You can use the following command to remove a service from its
default run levels:
insserv -r <service_name>

Removing a service from the run level configuration does not stop an
already running daemon. A daemon that is already running needs to be
stopped manually or the system needs to be rebooted to start with the new
run-level configuration.
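As an added example that is not part of the course manual, the following shell snippet compares the output of chkconfig -l with an allow-list of services a dedicated file server is supposed to run and reports every other service that is switched on in run level 3 or 5; the chkconfig output it is run on is a constructed sample, not captured from a real system.

```shell
#!/bin/sh
# Added example, not from the course manual: audit the output of
# "chkconfig -l" against an allow-list of services that a dedicated
# server is supposed to run, and report everything else that is
# switched on in the multi-user run levels 3 and 5.

# unexpected_services ALLOWLIST < chkconfig-output
# ALLOWLIST is a space-separated list of permitted service names.
# Prints one line per unexpected service: "<name> <run levels it is on in>".
unexpected_services() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # A service line looks like: smb  0:off 1:off 2:off 3:on 4:off 5:on 6:off
        # Lines of the xinetd block ("<name>: on|off") do not match and are skipped.
        NF >= 7 && $2 ~ /^0:/ {
            on = ""
            for (i = 2; i <= NF; i++) {
                split($i, f, ":")
                if ((f[1] == "3" || f[1] == "5") && f[2] == "on")
                    on = on (on == "" ? "" : ",") f[1]
            }
            if (on != "" && !($1 in ok)) print $1, on
        }'
}

# Constructed sample of "chkconfig -l" output for a file server
# (not captured from a real system).
SAMPLE_CHKCONFIG='smb             0:off  1:off  2:off  3:on   4:off  5:on   6:off
nmb             0:off  1:off  2:off  3:on   4:off  5:on   6:off
sshd            0:off  1:off  2:off  3:on   4:off  5:on   6:off
postfix         0:off  1:off  2:off  3:on   4:off  5:on   6:off
cups            0:off  1:off  2:off  3:off  4:off  5:on   6:off
syslog          0:off  1:off  2:on   3:on   4:off  5:on   6:off
xinetd based services:
        chargen:        off
        echo:           off'

# Services the file server is allowed to run in run levels 3 and 5
# (a constructed allow-list; adapt it to the purpose of your own server).
FILESERVER_ALLOWLIST="smb nmb sshd syslog network"

# audit_fileserver
# Prints the findings for the constructed sample: here postfix (on in
# run levels 3 and 5) and cups (on in run level 5) are not expected.
audit_fileserver() {
    printf '%s\n' "$SAMPLE_CHKCONFIG" | unexpected_services "$FILESERVER_ALLOWLIST"
}
```

On a real system, run `chkconfig -l | unexpected_services "$FILESERVER_ALLOWLIST"` and remove each reported service with insserv -r as described above.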

Objective 4 Understand the Linux User Authentication


User authentication plays a central role in IT security. Users are
almost always granted access to programs and data based on
password authentication.

Even the best mechanisms for administering and setting user permissions would be useless if a normal user could log in to a system as the system administrator.

Authentication on a Linux system is based on Pluggable Authentication Modules (PAM). To understand and use PAM properly, you need to do the following:
■ Understand How PAM Works
■ Understand PAM Configuration
■ Understand the Requirements for a Secure Password

Understand How PAM Works

The Pluggable Authentication Modules (PAM) for Linux is a collection of software modules that handle the authentication process. A Linux system administrator can use these modules to configure the way programs should authenticate users.

For example, if a user logs into a Linux system on a virtual terminal, a program called login is usually involved in this process.

Login requires a user's login name and the password. The password is encrypted and then compared with the encrypted password stored in an authentication database. If the encrypted passwords are identical, login grants the user access to the system by starting the user's login shell.

This is sufficient if authentication is done using Linux or UNIX passwords. If other authentication procedures are used, such as chip cards instead of passwords, all programs that perform user authentication must be able to work together with these chip cards.

Before PAM was introduced, login and all other applications that
handle authentication like FTP, SSH, or the KDM Display Manager
had to be extended to support a chip card reader.

PAM makes things easier. PAM creates a software level with clearly
defined interfaces between applications (such as login) and the
current authentication mechanism. Instead of modifying every
program, a new PAM module just needs to be added to enable
authentication with a chip card reader.

The following graphic illustrates the role of PAM. It shows three layers: at the top, the applications that handle authentication (login, SSH, FTP, ...); in the middle, PAM; at the bottom, the authentication mechanisms (passwd, LDAP, SmartCard, ...).

Understand PAM Configuration

The PAM modules are located in the directory:
/lib/security

Every filename of a module starts with the prefix pam_.

PAM configuration is done in the following directory:
/etc/pam.d/

This directory contains a configuration file for every application that uses PAM. The name of the configuration file usually corresponds to the name of the application. For example, the name of the configuration file for the application login is also login.

There is one special configuration file with the name other. This file
contains the default configuration if no application-specific file is
found.

Every line in a configuration file enables a PAM module. Each line consists of the following entries, from left to right:
■ module-type. One of four PAM module types. The four types are as follows:
■ auth. These modules provide two ways of authenticating the user. First, the module establishes that the user is who he claims to be by instructing the application to prompt the user for a password or other means of identification. Second, the module can grant group membership or other privileges through its credential-granting properties.
■ account. These modules perform non-authentication-based account management. They are typically used to restrict or permit access to a service based on the time of day, currently available system resources (maximum number of users), or perhaps the location of the applicant user (for example, to limit 'root' login to the console).

■ session. These modules are associated with performing tasks that need to be done for the user before she can be given access to a service or after a service is provided to her. Such things include logging information concerning mounting directories and the opening and closing of some data exchange with another user.
■ password. This last module type is required for updating the authentication token associated with the user. Typically, there is one module for each challenge/response-based authentication (auth) module type.
Some PAM modules (such as pam_unix2.so) can be used with more than one of the module types listed above.
■ control-flag. The control-flag indicates how PAM will react to
the success or failure of the module it is associated with. Since
modules can be stacked (modules of the same type execute in a
series, one after another), the control-flags determine the
relative importance of each module.
The Linux-PAM library interprets these keywords in the
following manner:
■ required. This indicates that the success of the module is
required for the module-type facility to succeed. Failure of
this module is not apparent to the user until all of the
remaining modules (of the same module-type) have been
executed.
■ requisite. Like required, however, in the case that such a
module returns a failure, control is directly returned to the
application. The return value is associated with the first
required or requisite module to fail.
■ sufficient. The success of this module is deemed
“sufficient” to satisfy the Linux-PAM library that this
module-type has succeeded in its purpose. If no previous
required module has failed, no more “stacked” modules of
this type are invoked. Even if this module type fails, the
application can be satisfied that the module type has
succeeded.

■ optional. As its name suggests, this control-flag marks the module as not being critical to the success or failure of the user's application for service.
■ module-path. The pathname to the module itself. If the first
character of the module path is /, it is assumed to be a complete
path. If this is not the case, the given module path is appended
to the default module path /lib/security.
■ args. The args are a list of tokens that are passed to the module
when it is invoked, much like arguments to a typical Linux shell
command. Valid arguments are usually optional and are specific
to any given module.

The following is the default configuration file for the login program on SLES 9:
auth     requisite  pam_unix2.so      nullok
auth     required   pam_securetty.so
auth     required   pam_nologin.so
auth     required   pam_env.so
auth     required   pam_mail.so
account  required   pam_unix2.so
password required   pam_pwcheck.so    nullok
password required   pam_unix2.so      nullok use_first_pass use_authtok
session  required   pam_unix2.so      none
session  required   pam_limits.so

The configured modules perform the following tasks:
auth requisite pam_unix2.so nullok

The module pam_unix2.so is used during the authentication process to validate the login and password provided by the user. The control flag is set to requisite; that means that a failure of this module (such as a wrong password) stops the whole authentication process.

auth required pam_securetty.so

This module checks the file /etc/securetty for a list of valid login
terminals. If a terminal is not listed in that file, the login is denied
from that terminal. This concerns only the root user.
auth required pam_nologin.so

This module checks whether a file /etc/nologin exists. If such a file is found, login is denied for all but the root user.
auth required pam_env.so

This module can be used to set additional environment variables. The variables can be configured in the file /etc/security/pam_env.conf.
auth required pam_mail.so

This module displays a message if any new mail is in the user's mail box. It also sets an environment variable pointing to the user's mail directory.
account required pam_unix2.so

In this entry the pam_unix2.so module is used again, but in this case
it checks whether the password of the user is still valid or if the user
needs to create a new one.
password required pam_pwcheck.so nullok

This is an entry for a module of the type password. It is used when a user attempts to change the password. In this case, the module pam_pwcheck.so is used to check if a new password is secure enough.
password required pam_unix2.so nullok use_first_pass use_authtok

The pam_unix2.so module is also necessary when changing a password. It takes the new password, encrypts it, and writes it to the authentication database.

session required pam_unix2.so none

Here the session component of the pam_unix2.so module is used. It uses the syslog daemon to log the user's login.
session required pam_limits.so

The pam_limits.so sets resource limits for the users that can be
configured in the file /etc/security/limits.conf.
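To see how the control flags combine in the auth stack just described, here is an added simulator written for this page (it is not code from Linux-PAM or the course manual); the module results it works on are constructed "ok"/"fail" values, and it simplifies the real library by ignoring optional modules entirely.

```shell
#!/bin/sh
# Added example, not from Linux-PAM or the course manual: a simulator of
# how the Linux-PAM library combines the results of the modules stacked
# for one module type, following the control-flag rules described above.
# Simplifications: "optional" modules never decide the outcome, and a
# failing "requisite" module is reported simply as a failure.
#
# Input: one line per stacked module, "<control-flag> <module> <result>",
# where <result> is the constructed outcome "ok" or "fail" of that module.

# pam_stack_eval < stack-lines
# Prints "success" or "failure", the result the application receives.
pam_stack_eval() {
    awk '
        # required: remember the failure, but keep running the stack so
        # the user cannot tell which module denied access.
        $1 == "required"  && $3 != "ok" { failed = 1 }
        # requisite: a failure returns control to the application at once.
        $1 == "requisite" && $3 != "ok" { print "failure"; done = 1; exit }
        # sufficient: success ends the stack, unless a required module
        # already failed; its own failure is ignored.
        $1 == "sufficient" && $3 == "ok" && !failed { print "success"; done = 1; exit }
        END { if (!done) print (failed ? "failure" : "success") }
    '
}

# login_auth_result UNIX2_RESULT SECURETTY_RESULT
# Evaluates the auth lines of the SLES 9 login configuration shown above
# with constructed results for pam_unix2.so (password check) and
# pam_securetty.so (terminal check); the remaining modules succeed.
login_auth_result() {
    printf '%s\n' \
        "requisite  pam_unix2.so     $1" \
        "required   pam_securetty.so $2" \
        "required   pam_nologin.so   ok" \
        "required   pam_env.so       ok" \
        "required   pam_mail.so      ok" | pam_stack_eval
}
```

A wrong password fails the requisite pam_unix2.so line and ends the stack immediately, while a root login from a terminal missing in /etc/securetty fails a required module and is denied only after the remaining modules have run.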

For an overview of the default PAM modules and their configuration options, consult the PAM documentation under /usr/share/doc/packages/pam.

Third party vendors can supply other PAM modules to enable specific authentication features for their products, such as the PAM modules that enable Novell's Linux User Management (LUM) authentication with eDirectory.

Understand the Requirements for a Secure Password

Even the best security setup for a system can be defeated if users
choose easy to guess passwords. With today's computing power, a
simple computer can be used to crack an easy password within
seconds. These attacks are also called dictionary attacks, as the
password cracking program just tries one word after another from a
dictionary file.

Therefore, a password should never be a word that could be found in a dictionary. A good, secure password should always contain some numbers and uppercase characters.

To check whether user passwords fulfill this requirement, you can enable a special PAM module to test a password before a user can set it. The PAM module is called pam_pwcheck.so and uses the cracklib library to test the security of passwords.

By default, this PAM module is enabled on SLES 9.

If a user enters a password that is not secure enough, the following message is displayed:
Bad password: too simple

and the user is prompted to enter a different one.

There are also dedicated password check programs available like John the Ripper (http://www.openwall.com/john/).

You can also force users to change their passwords after a specific
period of time.

Exercise 4-1: Change the PAM Configuration to Disable the Graphical Root Login

In this exercise, you change the PAM configuration by doing the following:

1. Log out from the KDE desktop environment.

2. When the KDM login screen appears, log in with the following:
■ Username: root
■ Password: novell

Notice that you can log in as root without a root entry in the
login screen.

3. Log out again from the KDE desktop environment.

4. Log in as geeko with a password of N0v3ll.

5. Open a terminal window and su to root.

6. Open the file /etc/pam.d/xdm in a text editor.

7. Add the following as the second line of the file:
auth required pam_securetty.so

8. Save and close the file.

9. Log out and try to log in as root user at the KDM login screen
again.

The root login is denied.

10. Log in as geeko again.

If you cannot log in as geeko, restart the X server using Ctrl+Alt+Backspace and try again. You might also need to reboot your server.

11. Open a terminal window and su to root.

12. Open the file /etc/pam.d/xdm in a text editor and remove or comment out the following line (the line you added):
auth required pam_securetty.so

13. Save and close the file.

14. Log out and try to log in as root at the KDM login screen again.

You can now log in as root.

If you cannot log in as root, restart the X server using Ctrl+Alt+Backspace and try again.

(End of Exercise)

Objective 5 Ensure File System Security


After a user has logged in to the system, what he can and can't do is
mainly determined by the security settings of the file system.

In UNIX systems like Linux, file system security is especially important as every resource available on the system is represented as a file. For example, when a user tries to access the sound card to play back audio data, the access rights of the sound card are determined by the permission settings of the corresponding device file in the /dev directory.

To ensure a basic file system security, do the following:
■ Understand the Basic Rule for User Write Access
■ Understand the Basic Rule for User Read Access
■ Understand How Special File Permissions Affect the Security of the System

Understand the Basic Rule for User Write Access

The file systems used in Linux are structurally UNIX file systems.
They support the typical file access permissions (read, write,
execute, sticky bit, SUID, SGID, etc.). Apart from additional
standard functionalities, such as various time stamps, the access
permissions can be administered separately for file owners, user
groups, and the rest of the world (user, group, other).

As a general rule, a normal user should only have write access in the following directories:
■ The home directory of the user
■ The /tmp directory to store temporary files

Depending on the purpose of a computer, other directories can be writable by users. For example, if you install a Samba file server, a writable share needs a directory that is also writable for the UNIX user the connection is mapped to.

Some device files (like those for sound cards) might also be
writable for users since applications need to send data to the
corresponding devices.

Understand the Basic Rule for User Read Access

Some files in the system should be protected from user read access.
This is important for files that store passwords.

No normal user account should be able to read the content of such files. Even when the passwords in a file are encrypted, the files must be protected from any unauthorized access.

The following lists some files containing passwords on a Linux system:
■ /etc/shadow. This file contains user passwords in an encrypted form. Even when LDAP is used for user authentication, this file contains at least the root password.
■ /etc/samba/smbpasswd. This file contains the passwords for Samba users.
■ Files with Apache passwords. The location of these files depends on your configuration. They contain passwords for authorized access to the web server.
■ /etc/openldap/slapd.conf. This file contains the root password for the OpenLDAP server.
■ /boot/grub/menu.lst. This file can contain the password for the GRUB boot loader.

This list is not complete. There can be more password files on your system,
depending on your system configuration and your software selection.

Some password files can be readable for a non-root account. This is normally the account under whose user ID a service daemon runs. For example, the Apache web server runs under the user ID of the user wwwrun. Therefore its password files must be readable for the user wwwrun.

In this case you have to make sure that only this daemon account
can read the file and not any other user.

Understand How Special File Permissions Affect the
Security of the System

There are three file system rights that influence the security in a
special way:
■ The SUID bit. If the SUID bit is set for an executable, the
program is started under the user ID of the owner of the file. In
most cases, this is used to allow normal users to run applications
with the rights of the root user.
This bit should only be set for applications that are well tested
and in cases where no other way can be used to grant access to
a specific task.
An attacker could get access to the root account by exploiting
an application that runs under the UID of root.
■ The SGID bit. If this bit is set, it lets a program run under the
GID of the group the executable file belongs to. It should be
used as carefully as the SUID bit.
■ The sticky bit. The sticky bit can influence the security of a
system in a positive way. In a globally writable directory, it
prevents users from deleting each other's files that are stored in
this directory.
Typical application areas for the sticky bit include directories
for temporary storage (such as /tmp and /var/tmp). Such a
directory must be writable by all users of a system. However,
the write permission for a directory does not only include the
permission to create files and subdirectories, but also the
permission to delete them, regardless of whether the user has
access to these files and subdirectories.
If the sticky bit is set for such a writable directory, deleting or
renaming files in this directory is only possible if one of the
following conditions is fulfilled:


■ The effective UID of the deleting or renaming process is
that of the file owner.
■ The effective UID of the deleting or renaming process is
that of the owner of the writable directory marked with the
sticky bit.
■ The superuser root is allowed to do anything.
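As an added example (not code from the SUSE course), the following Python script audits a directory tree for the three bits just described: it reports SUID and SGID executables, world-writable files, and world-writable directories that lack the sticky bit. build_fixture() creates a constructed sample tree with made-up names so the script runs offline.

```python
# Added example (not code from the SUSE course): a small audit of the three
# special permission bits described above. It lists SUID and SGID executables
# and world-writable objects, and flags world-writable directories that lack
# the sticky bit. build_fixture() creates a constructed sample tree to run on.
import os
import stat
import tempfile
from typing import Dict, List


def classify(mode: int) -> List[str]:
    """Findings for one object, judged from its st_mode bits."""
    findings = []
    if stat.S_ISREG(mode) and mode & stat.S_ISUID:
        findings.append("suid")                 # runs with the file owner's UID
    if stat.S_ISREG(mode) and mode & stat.S_ISGID:
        findings.append("sgid")                 # runs with the file's group GID
    if mode & stat.S_IWOTH:
        if stat.S_ISDIR(mode):
            if not mode & stat.S_ISVTX:          # globally writable, no sticky bit
                findings.append("world-writable directory without sticky bit")
        elif stat.S_ISREG(mode):
            findings.append("world-writable file")
    return findings


def audit(root: str) -> Dict[str, List[str]]:
    """Walk root and return {relative path: findings}; symlinks are not followed."""
    report: Dict[str, List[str]] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            findings = classify(os.lstat(path).st_mode)
            if findings:
                report[os.path.relpath(path, root)] = findings
    return report


def build_fixture() -> str:
    """Constructed sample tree with one object per case (not a real system)."""
    root = tempfile.mkdtemp(prefix="specialbits_")

    def make(rel: str, mode: int, is_dir: bool = False) -> None:
        path = os.path.join(root, rel)
        if is_dir:
            os.mkdir(path)
        else:
            open(path, "w").close()
        os.chmod(path, mode)                     # explicit mode, independent of umask

    make("tmp", 0o1777, is_dir=True)      # world-writable but sticky, as /tmp should be
    make("dropbox", 0o777, is_dir=True)   # world-writable without sticky bit: finding
    make("suid_tool", 0o4755)             # SUID executable
    make("sgid_tool", 0o2755)             # SGID executable
    make("notes.txt", 0o666)              # world-writable file
    make("readme", 0o644)                 # nothing to report
    return root


if __name__ == "__main__":
    for path, findings in sorted(audit(build_fixture()).items()):
        print(f"{path}: {', '.join(findings)}")
```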


Objective 6 Use ACLs for Advanced Access Control


To use ACLs for advanced file system access control you do the
following:
■ Understand the Basics of ACLs
■ Understand Important ACL Terms
■ Understand ACL Types
■ Understand How ACLs and Permission Bits Map to Each Other
■ Use the ACL Command Line Tools
■ Configure a Directory with an Access ACL
■ Configure a Directory with a Default ACL
■ Understand the ACL Check Algorithm
■ Understand How Applications Handle ACLs

Understand the Basics of ACLs

Traditionally, three sets of permissions are defined for each file
object on a Linux system. These sets include the read (r), write (w),
and execute (x) permissions for each of three types of users: the file
owner, the group, and other users.

This concept is adequate for most practical cases. In the past
however, for more complex scenarios or advanced applications,
system administrators had to use a number of tricks to circumvent
the limitations of the traditional permission concept.

ACLs (Access Control Lists) provide an extension of the traditional
file permission concept. They allow you to assign permissions to
individual users or groups even if these do not correspond to the
original owner or the owning group.


ACLs are a feature of the Linux kernel and are supported by the
ReiserFS, Ext2, Ext3, JFS, and XFS file systems. Using ACLs, you
can create complex scenarios without implementing complex
permission models on the application level.

The advantages of ACLs are clearly evident in situations like
replacing a Windows server with a Linux server providing file and
print services with Samba.

Since Samba supports ACLs, user permissions can be configured
both on the Linux server and in Windows with a graphical user
interface (only on Windows NT and later).

With winbindd, it is even possible to assign permissions to users
that only exist in the Windows domain without any account on the
Linux server.

Understand Important ACL Terms

The following list defines terms concerning ACLs:
■ user class. The conventional POSIX permission concept uses
three classes of users for assigning permissions in the file
system: the owner, the owning group, and other users.
Three permission bits can be set for each user class, giving
permission to read (r), write (w), and execute (x).
■ access ACL. The user and group access permissions for all
kinds of file system objects (files and directories) are
determined by access ACLs.
■ default ACL. Default ACLs can only be applied to directories.
They determine the permissions a file system object inherits
from its parent directory when it is created.
■ ACL entry. Each ACL consists of a set of ACL entries. An
ACL entry contains a type, a qualifier for the user or group to
which the entry refers, and a set of permissions. For some entry
types, the qualifier for the group or users is undefined.


Understand ACL Types

There are two basic classes of ACLs:
■ A minimum ACL comprises the entries for the types owner,
owning group, and other, which correspond to the conventional
permission bits for files and directories.
■ An extended ACL goes beyond this. It contains a mask entry
and can contain several entries of the named user and named
group types.

ACLs extend the classic Linux file permissions by the following
permission types:
■ named user. With this type, you can assign permissions to one
or more users.
■ named group. With this type, you can assign permissions to
one or more groups.
■ mask. With this type, you can limit the permissions of named
users or groups.
The following is an overview of all possible ACL types:

Type           Text Form
owner          user::rwx
named user     user:name:rwx
owning group   group::rwx
named group    group:name:rwx
mask           mask::rwx
other          other::rwx

The permissions defined in the entries owner and other are always
effective. Except for the mask entry, all other entries (named user,
owning group, and named group) can be either effective or masked.


If permissions exist in the named user, owning group, or named
group entries as well as in the mask, they are effective. Permissions
contained only in the mask or only in the actual entry are not
effective.

This means that the entries for named user, owning group, and
named group are combined by a logical AND with the mask entry.

The following example determines the effective permissions for the
user jane.

Entry Type    Text Form        Permissions
named user    user:jane:r-x    r-x
mask          mask::rw-        rw-
Effective permissions:         r--

The ACL contains two entries, one for the named user jane and one
mask entry. Jane has permissions to read and execute the
corresponding file, but the mask only contains permissions for
reading and writing. Because of the AND combination, the effective
rights allow jane to read the file only.


Understand How ACLs and Permission Bits Map to
Each Other

When you assign an ACL to a file or directory, the permissions set
in the ACL are mapped to the standard UNIX permissions.

The following figure illustrates the mapping of a minimum ACL:

The figure is structured in three blocks:
■ The left block shows the type specifications of the ACL entries.
■ The center block displays an example ACL.
■ The right block shows the respective permission bits according
to the conventional permission concept as displayed by ls -l, for
example.

The following is an example of an extended ACL:


In both cases, the owner class permissions are mapped to the ACL
entry owner. Other class permissions are mapped to their respective
ACL entries. However, the mapping of the group class permissions
is different in the second case.

In the case of a minimum ACL without a mask, the group class
permissions are mapped to the ACL entry owning group. In the case
of an extended ACL with a mask, the group class permissions are
mapped to the mask entry.

This mapping approach ensures the smooth interaction of
applications, regardless of whether they have ACL support.

The access permissions that were assigned by permission bits
represent the upper limit for all other adjustments made by ACLs.

Any permissions not reflected here are either not in the ACL or are
not effective. Changes made to the permission bits are reflected by
the ACL and vice versa.

Use the ACL Command Line Tools

To manage the ACL settings, you can use the following command
line tools:
■ getfacl. The command getfacl can be used to display the ACL
of a file.
■ setfacl. The command setfacl can be used to change the ACL of
a file.


The following are the most important options for the setfacl
command:

Option   Meaning
-m       Adds or modifies an ACL entry.
-x       Removes an ACL entry.
-d       Sets a default ACL.
-b       Removes all extended ACL entries.

The options -m and -x expect an ACL definition on the command
line. The following are the definitions for the extended ACL types:
■ named user. The following is an example entry for the user
tux:
setfacl -m u:tux:rx my_file
The user tux gets read and execute permissions for the file
my_file.
■ named group. The following is an example entry for the
group accounting:
setfacl -m g:accounting:rw my_file
The group accounting gets read and write permissions for the
file my_file.
■ mask. Sets the ACL mask:
setfacl -m m:rx my_file
Sets the mask of my_file to read and execute permissions.


Configure a Directory with an Access ACL

To configure a directory with ACL access, do the following:

1. Before you create the directory, use the umask command to
define which access permissions should be masked each time a
file object is created.
The command umask 027 sets the default permissions by giving
the owner the full range of permissions (0), denying the group
write access (2), and giving other users no permissions at all
(7).
umask actually masks the corresponding permission bits or
turns them off.

For more information about umask, see the corresponding man page
man umask.

The command mkdir mydir should create the mydir directory
with the default permissions as set by umask. Enter the
following command to check if all permissions were assigned
correctly:
ls -dl mydir
drwxr-x--- ... tux project3 ... mydir

2. Check the initial state of the ACL by entering the following
command:
getfacl mydir
The output of the command looks like the following:
# file: mydir
# owner: tux
# group: project3
user::rwx
group::r-x
other::---


The output of getfacl precisely reflects the mapping of
permission bits and ACL entries as described before. The first
three output lines display the name, owner, and owning group
of the directory.
The next three lines contain the three ACL entries. In fact, in
the case of this minimum ACL, the getfacl command does not
produce any information you could not have obtained with ls.
Your first modification of the ACL is the assignment of read,
write, and execute permissions to an additional user jane and an
additional group jungle:
setfacl -m user:jane:rwx,group:jungle:rwx mydir
The option -m prompts setfacl to modify the existing ACL. The
following argument indicates the ACL entries to modify
(several entries are separated by commas). The final part
specifies the name of the directory to which these modifications
should be applied.
Use the getfacl command to take a look at the resulting ACL:
getfacl mydir
# file: mydir
# owner: tux
# group: project3
user::rwx
user:jane:rwx
group::r-x
group:jungle:rwx
mask::rwx
other::---
In addition to the entries initiated for the user jane and the
group jungle, a mask entry has been generated.
This mask entry is set automatically to reduce all entries in the
group class to a common denominator. Furthermore, setfacl
automatically adapts existing mask entries to the settings you
modified, provided you do not deactivate this feature with -n.


The mask type defines the maximum effective access
permissions for all entries in the group class. This includes
named user, named group, and owning group.
The group class permission bits that would be displayed by
ls -dl mydir now correspond to the mask entry:
drwxrwx---+ ... tux project3 ... mydir
The first column of the output now contains an additional + to
indicate that there is an extended ACL for this item.

3. According to the output of the ls command, the permissions for
the mask entry include write access. Traditionally, such
permission bits would mean that the owning group (in this
example project3) also has write access to the directory mydir.
However, the effective access permissions for the owning group
correspond to the overlapping portion of the permissions
defined for the owning group and for the mask, which is r-x in
the example.
As far as the effective permissions of the owning group are
concerned, nothing has changed even after adding the ACL
entries.
In the following example, the write permission for the owning
group is removed with the chmod command.
chmod g-w mydir
ls -dl mydir
drwxr-x---+ ... tux project3 ... mydir
getfacl mydir
# file: mydir
# owner: tux
# group: project3
user::rwx
user:jane:rwx # effective: r-x
group::r-x
group:jungle:rwx # effective: r-x
mask::r-x
other::---


After executing the chmod command to remove the write
permission from the group class bits, the output of the ls
command is sufficient to see that the mask bits have changed
accordingly: write permission is again limited to the owner of
mydir.
The output of getfacl confirms this. This output includes a
comment for all those entries in which the effective permission
bits do not correspond to the original permissions because they
are filtered according to the mask entry.
The original permissions can be restored at any time with
chmod:
chmod g+w mydir
ls -dl mydir
drwxrwx---+ ... tux project3 ... mydir
getfacl mydir
# file: mydir
# owner: tux
# group: project3
user::rwx
user:jane:rwx
group::r-x
group:jungle:rwx
mask::rwx
other::---

Configure a Directory with a Default ACL

Directories can have a default ACL, which is a special kind of ACL
that defines the access permissions that objects under the directory
inherit when they are created. A default ACL affects subdirectories
as well as files.


There are two different ways in which the permissions of a
directory's default ACL are passed to the files and subdirectories in
it:
■ A subdirectory inherits the default ACL of the parent directory
both as its own default ACL and as an access ACL.
■ A file inherits the default ACL as its own access ACL.

All system functions that create file system objects use a mode
parameter that defines the access permissions for the newly created
file system object.

If the parent directory does not have a default ACL, the permission
bits as defined by the umask are subtracted from the permissions as
passed by the mode parameter, with the result being assigned to the
new object.

If a default ACL exists for the parent directory, the permission bits
assigned to the new object correspond to the overlapping portion of
the permissions of the mode parameter and those that are defined in
the default ACL. The umask command is disregarded in this case.

The following three examples show the main operations for
directories and default ACLs:
■ Add a default ACL to the existing directory mydir with the
following command:
setfacl -d -m group:jungle:r-x mydir
The option -d of the setfacl command prompts setfacl to
perform the following modifications (option -m) in the default
ACL.
Take a closer look at the result of this command:
getfacl mydir
# file: mydir
# owner: tux
# group: project3
user::rwx


user:jane:rwx
group::r-x
group:jungle:rwx
mask::rwx
other::---
default:user::rwx
default:group::r-x
default:group:jungle:r-x
default:mask::r-x
default:other::---
getfacl returns both the access ACL and the default ACL. The
default ACL is formed by all lines that start with default.
Although you merely executed the setfacl command with an
entry for the jungle group for the default ACL, setfacl
automatically copied all other entries from the access ACL to
create a valid default ACL.
Default ACLs do not have an immediate effect on access
permissions. They only come into play when file system objects
are created. These new objects inherit permissions only from
the default ACL of their parent directory.

■ In the next example, use mkdir to create a subdirectory in mydir,
which inherits the default ACL.
mkdir mydir/mysubdir
getfacl mydir/mysubdir
# file: mydir/mysubdir
# owner: tux
# group: project3
user::rwx
group::r-x
group:jungle:r-x
mask::r-x
other::---
default:user::rwx
default:group::r-x
default:group:jungle:r-x
default:mask::r-x
default:other::---


As expected, the newly-created subdirectory mysubdir has
permissions from the default ACL of the parent directory.
The access ACL of mysubdir is an exact reflection of the
default ACL of mydir, as is the default ACL that this directory
hands down to its subordinate objects.

■ Use touch to create a file in the mydir directory:
touch mydir/myfile
ls -l mydir/myfile
-rw-r-----+ ... tux project3 ... mydir/myfile
getfacl mydir/myfile
# file: mydir/myfile
# owner: tux
# group: project3
user::rw-
group::r-x # effective:r--
group:jungle:r-x # effective:r--
mask::r--
other::---
touch passes a mode with the value 0666, which means that
new files are created with read and write permissions for all
user classes, provided no other restrictions exist in umask or in
the default ACL.
In effect, this means that all access permissions not contained in
the mode value are removed from the respective ACL entries.
Although no permissions were removed from the ACL entry of
the group class, the mask entry was modified to mask
permissions not set using mode.
This approach ensures the smooth interaction of applications,
such as compilers, with ACLs. You can create files with
restricted access permissions and subsequently assign them as
executable. The mask mechanism guarantees that the right users
and groups can execute them as desired.
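To make the rules from the mask example (user jane), the chmod g-w mapping, and the default ACL inheritance above concrete, here is an added Python model that is not code from the SUSE course. It parses the getfacl text form, computes effective permissions as entry AND mask, maps a change of the group class onto the mask entry, and derives the ACL a new file or subdirectory inherits from the default ACL of mydir and the mode parameter (0666 for touch, 0777 for mkdir); the embedded getfacl output is the one shown above for mydir.

```python
# Added example (not code from the SUSE course): a model of the ACL rules above.
# It parses the getfacl text form, ANDs the mask with group-class entries, maps
# chmod of the group class onto the mask and derives what a new object inherits.
from typing import Dict, List, Optional, Tuple

PERM_BITS = {"r": 4, "w": 2, "x": 1}
Entry = Tuple[str, str, int]  # (tag, qualifier, bits); qualifier '' for owner, owning group, mask, other

def perm_to_int(perm: str) -> int:
    """'r-x' -> 5; the short 'rx' form used on the setfacl command line works too."""
    return sum(PERM_BITS[c] for c in perm if c in PERM_BITS)

def int_to_perm(bits: int) -> str:
    return "".join(c if bits & b else "-" for c, b in PERM_BITS.items())

def parse_acl(text: str) -> Tuple[List[Entry], List[Entry]]:
    """Split getfacl output into (access ACL, default ACL); comments are ignored."""
    access: List[Entry] = []
    default: List[Entry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drops '# file:' and '# effective:'
        if not line:
            continue
        target = access
        if line.startswith("default:"):
            target, line = default, line[len("default:"):]
        tag, qualifier, perm = line.split(":")
        target.append((tag, qualifier, perm_to_int(perm)))
    return access, default

def mask_of(acl: List[Entry]) -> Optional[int]:
    return next((bits for tag, _, bits in acl if tag == "mask"), None)

def effective(acl: List[Entry]) -> Dict[str, int]:
    """Effective bits per 'tag:qualifier'; only owner and other escape the mask."""
    mask = mask_of(acl)
    result = {}
    for tag, qualifier, bits in acl:
        group_class = (tag == "user" and qualifier != "") or tag == "group"
        if mask is not None and group_class:
            bits &= mask                      # the logical AND described above
        result[f"{tag}:{qualifier}"] = bits
    return result

def set_group_class(acl: List[Entry], bits: int) -> List[Entry]:
    """What chmod g=... does: the group class is the mask entry if there is one,
    otherwise the owning group entry."""
    target = "mask" if mask_of(acl) is not None else "group"
    return [(t, q, bits if t == target and q == "" else b) for t, q, b in acl]

def inherit(default_acl: List[Entry], mode: int, is_dir: bool) -> Tuple[List[Entry], List[Entry]]:
    """ACL of a new object: owner, mask (or owning group without a mask) and other
    entries are ANDed with the matching mode bits, named entries are copied and
    umask is disregarded. Only a directory also takes over the default ACL."""
    owner_bits, group_bits, other_bits = (mode >> 6) & 7, (mode >> 3) & 7, mode & 7
    has_mask = mask_of(default_acl) is not None
    access = []
    for tag, qualifier, bits in default_acl:
        if tag == "user" and qualifier == "":
            bits &= owner_bits
        elif tag == "mask" or (tag == "group" and qualifier == "" and not has_mask):
            bits &= group_bits
        elif tag == "other":
            bits &= other_bits
        access.append((tag, qualifier, bits))
    return access, (list(default_acl) if is_dir else [])

def render(acl: List[Entry]) -> str:
    """One line per entry as getfacl prints it, flagging entries the mask cuts."""
    eff, lines = effective(acl), []
    for tag, qualifier, bits in acl:
        key = f"{tag}:{qualifier}"
        line = f"{key}:{int_to_perm(bits)}"
        if eff[key] != bits:
            line += f"\t# effective:{int_to_perm(eff[key])}"
        lines.append(line)
    return "\n".join(lines)

# Constructed input: the getfacl output of mydir shown above, default ACL included.
MYDIR_GETFACL = """\
# file: mydir
user::rwx
user:jane:rwx
group::r-x
group:jungle:rwx
mask::rwx
other::---
default:user::rwx
default:group::r-x
default:group:jungle:r-x
default:mask::r-x
default:other::---
"""

if __name__ == "__main__":
    access, default = parse_acl(MYDIR_GETFACL)
    print("chmod g-w mydir:\n" + render(set_group_class(access, perm_to_int("r-x"))))
    print("touch mydir/myfile (mode 0666):\n" + render(inherit(default, 0o666, False)[0]))
    print("mkdir mydir/mysubdir (mode 0777):\n" + render(inherit(default, 0o777, True)[0]))
```

Running the script reproduces the three getfacl results shown on the preceding pages, including the # effective: comments for the entries cut down by the mask.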


Understand the ACL Check Algorithm

A check algorithm is applied before any process or application is
granted access to an ACL-protected file system object.

As a basic rule, the ACL entries are examined in the following
sequence: owner, named user, owning group or named group, and
other. The access is handled in accordance with the entry that best
suits the process. Permissions do not accumulate.

Things are more complicated if a process belongs to more than one
group and matches several group entries. An entry is randomly
selected from the suitable entries with the required permissions.

It is irrelevant which of the entries triggers the final result, which is
access granted. Likewise, if none of the suitable group entries
contains the correct permissions, a randomly selected entry triggers
the final result, which is access denied.
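The check sequence described above, as an added Python example that is not code from the SUSE course: it runs against the mydir access ACL from the preceding pages, represents identities as plain names instead of UIDs and GIDs, and reports which entry decided the result.

```python
# Added example (not code from the SUSE course): the check sequence described
# above. Identities are plain names here; the kernel compares UIDs and GIDs.
from typing import Dict, List, Set, Tuple

Entry = Tuple[str, str, str]   # (tag, qualifier, perms such as 'r-x')

# Constructed sample: the access ACL of mydir (owner tux, owning group
# project3) after 'chmod g-w mydir' as shown on the preceding pages.
MYDIR_ACL: List[Entry] = [
    ("user", "", "rwx"), ("user", "jane", "rwx"), ("group", "", "r-x"),
    ("group", "jungle", "rwx"), ("mask", "", "r-x"), ("other", "", "---"),
]


def check_access(acl: List[Entry], owner: str, owning_group: str,
                 user: str, groups: Set[str], wanted: str) -> Tuple[bool, str]:
    """Return (granted, deciding entry) for a process running as user/groups
    that wants the permissions in wanted (a subset of 'rwx')."""
    entries: Dict[Tuple[str, str], Set[str]] = {(t, q): set(p) - {"-"} for t, q, p in acl}
    mask = entries.get(("mask", ""))
    need = set(wanted)

    def eff(key: Tuple[str, str]) -> Set[str]:
        # named users, the owning group and named groups are limited by the mask
        return entries[key] & mask if mask is not None else entries[key]

    # 1. owner entry: always effective, the mask does not apply to it
    if user == owner:
        return need <= entries[("user", "")], "user::"
    # 2. named user entry
    if ("user", user) in entries:
        return need <= eff(("user", user)), f"user:{user}:"
    # 3. owning group and named groups the process belongs to: permissions do
    #    not accumulate, but any one matching entry holding all wanted bits
    #    grants access; if none does, access is denied without consulting other
    matching = [(t, q) for t, q in entries if t == "group" and
                (owning_group in groups if q == "" else q in groups)]
    for key in matching:
        if need <= eff(key):
            return True, f"group:{key[1]}:"
    if matching:
        return False, f"group:{matching[0][1]}:"
    # 4. other entry, for processes that match no user or group entry
    return need <= entries[("other", "")], "other::"


if __name__ == "__main__":
    cases = [("tux", {"project3"}, "w"), ("jane", {"users"}, "w"),
             ("bob", {"jungle"}, "w"), ("bob", {"project3"}, "r"),
             ("eve", {"users"}, "r")]
    for user, groups, wanted in cases:
        granted, entry = check_access(MYDIR_ACL, "tux", "project3", user, groups, wanted)
        print(f"{user} wants {wanted}: {'granted' if granted else 'denied'} by {entry}")
```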

Understand How Applications Handle ACLs

As described in the preceding sections, you can use ACLs to
implement very complex permission scenarios that meet the
requirements of applications.

The traditional permission concept and ACLs can be combined in a
smart manner. However, some important applications still lack ACL
support. Except for the star archiver, there are currently no backup
applications that guarantee the full preservation of ACLs.

The basic file commands (cp, mv, ls, and so on) support ACLs, but
many editors and file managers (such as Konqueror) do not.

For example, when you copy files with Konqueror, the ACLs of
these files are lost. When you modify files with an editor, the ACLs
of files are sometimes preserved, sometimes not, depending on the
backup mode of the editor used.


If the editor writes the changes to the original file, the access ACL is
preserved. If the editor saves the updated contents to a new file that
is subsequently renamed to the old filename, the ACLs might be
lost, unless the editor supports ACLs.

For more information about ACLs go to
http://sdb.suse.de/en/sdb/html/81_acl.html and http://acl.bestbits.at/. Also see the
man pages for getfacl, acl(5), and setfacl(1).


Exercise 4-2: Use ACLs

In this exercise, you practice using ACLs by doing the following:
■ Part I: Configure the ACL of a Directory
■ Part II: Configure a Default ACL for a Directory
■ Part III: Delete an ACL

Part I: Configure the ACL of a Directory

Do the following:

1. Open a terminal window and su to root.

2. Change to the directory /tmp by entering the following:
cd /tmp

3. Create a test directory by entering the following:
mkdir acl_test

4. Limit the file system permissions for the directory by entering
the following:
chmod 700 acl_test

5. Open a second terminal window as the user geeko.

6. Try changing to the test directory by entering the following:
cd /tmp/acl_test/
The command fails because geeko (who is not the owner of the
directory) has no permission to read the directory.

7. Switch to the root terminal.

8. Display the minimum ACL of the directory by entering the
following:
getfacl acl_test


9. Add an extended ACL by entering the following:


setfacl -m u:geeko:rwx acl_test/

10. Switch to the geeko terminal and try to access the directory
again by entering the following:
cd /tmp/acl_test
Because of the extended ACL, you can view the directory.

11. Switch to the root terminal and display the extended ACL of the
directory by entering the following:
getfacl /tmp/acl_test/

Part II: Configure a Default ACL for a Directory

Do the following:

1. Open a terminal window and su to root.

2. Change to the directory acl_test by entering the following:
cd /tmp/acl_test

3. Create a file by entering the following:
touch without_default_acl

4. Display the ACL of the new file by entering the following:
getfacl without_default_acl
As there is no default ACL for the parent directory, the new file
does not have an extended ACL either.

5. Set a default ACL for the directory acl_test by entering the
following:
setfacl -d -m u:geeko:rw /tmp/acl_test/

6. Create another test file by entering the following:
touch with_default_acl


7. Display the ACL of the new file by entering the following:
getfacl with_default_acl
As this file was created after the default ACL of the parent
directory was set, the new file inherited the ACL.

Part III: Delete an ACL

Do the following:

1. From a root terminal window, change to the directory acl_test
by entering the following:
cd /tmp/acl_test

2. Display the ACL of the file with_default_acl by entering the
following:
getfacl with_default_acl

3. Remove the ACL entry for the user geeko by entering the following:
setfacl -x u:geeko with_default_acl

4. Display the ACL again by entering the following:
getfacl with_default_acl
As you can see, the ACL entry for the user geeko has been
removed. If there were entries for other users, they would
remain unaffected.

5. View the file attributes of with_default_acl by entering the
following:
ls -l with_default_acl
There are still extended ACL entries (such as the mask, indicated
by the “+”) in the output.


6. Remove all extended ACL entries by entering the following:
setfacl -b with_default_acl

7. Display the ACL again by entering the following commands:
getfacl with_default_acl
ls -l with_default_acl
Notice that the extended ACL has been removed.

(End of Exercise)


Objective 7 Configure Security Settings with YaST


YaST offers a module to configure certain system settings that affect
the local security. The module can be found under
Security and Users > Security settings.

With the module you can easily change the following settings of the
system configuration:
■ The password settings
■ The boot behavior of the system
■ The login behavior
■ The user ID limitations
■ General file system security

When you start the module, the following appears:


In the dialog you can choose between four different levels of local
security:

Level                             Meaning
Level 1 (Home Workstation)        The lowest level of local security. It
                                  should only be used on a home workstation
                                  that is not connected to any kind of
                                  network.
Level 2 (Networked Workstation)   An intermediate level of local security,
                                  suitable for workstations that are
                                  connected to a network.
Level 3 (Network Server)          A high level of local security. Systems
                                  that are used as a network server should
                                  be run with this setting.
Custom Settings                   Lets you create your own level of local
                                  security.

By selecting one of the three predefined security levels and
selecting Next, the chosen security level is applied. By selecting
Details, you can change the settings for the security level you
have selected.

If you choose Custom Settings and then select Next, you can
directly change the details of the security configuration.

The dialogs for the detail settings look the same for every security
level, but the preselected options are different. In the following you
can see the settings for Level 3 (Network Server).


In this dialog you can change the default password requirements
that are accepted by the system.


You have the following options:

Option                          Meaning
Checks                          This option enables the checking of newly
                                created passwords. The following two methods
                                can be enabled:
                                ■ Checking New Passwords: New passwords will
                                be checked to see if they can be found in a
                                dictionary.
                                ■ Plausibility Test For Passwords: Passwords
                                will be checked to see if they contain a
                                mixture of different kinds of characters
                                (such as lowercase and uppercase characters).
                                For a server system, you should at least
                                enable Checking New Passwords.
Password Encryption Method      You can choose between different password
                                encryption methods. This option sets the
                                maximum length of the password. The default
                                option DES supports only passwords with a
                                length of up to 8 characters.
                                MD5 and blowfish support longer passwords
                                but are not well supported by older systems
                                and applications.
                                Unless your system needs to meet very high
                                security demands, you can stay with the
                                default DES.


Option                          Meaning
Number Of Significant           This option corresponds to the previous one.
Characters In The Password      You can only choose a value higher than 8 if
                                you have chosen a different encryption method
                                than DES.
                                For normal security demands, a value of 8 is
                                sufficient.
Minimum Acceptable              This value determines the minimum length of
Password Length                 a password. The shorter a password is, the
                                easier it is to crack.
                                A password should never be shorter than 6
                                characters.
Days To Password Change         The name of this option is a little bit
Warnings                        misleading. There are two values to be set:
                                ■ Minimum: The number of days after which a
                                user can change the password.
                                ■ Maximum: The number of days after which a
                                user must change the password.
Days Before Password            This option determines how many days before
Expires Warning                 a password has to be changed a warning
                                should be given to the user.

After adapting the options to your needs, select Next to proceed to
the next dialog.


The following dialog appears:

In this dialog you can configure how the system can be rebooted.

4-60 Copying all or part of this manual, Version 1


or distributing such copies, is strictly prohibited.
Secure a SLES 9 Server

You have the following options:

Option                          Meaning
Interpretation Of Ctrl+Alt+Del  This option determines how the key
                                combination Ctrl+Alt+Del is evaluated. You
                                can choose between the following
                                possibilities:
                                ■ Ignore: The key combination is ignored;
                                nothing happens.
                                ■ Reboot: When the combination is pressed,
                                the system reboots.
                                ■ Halt: The system can be halted by pressing
                                the key combination.
                                On a server you should always choose Ignore
                                because otherwise someone could halt or
                                reboot the system even without being logged
                                in.


Option                          Meaning
Shutdown Behavior Of KDM        This option determines how the system can be
                                halted with the graphical login manager KDM.
                                You have the following choices:
                                ■ Only Root: To halt the system, the root
                                password has to be entered.
                                ■ All Users: Everyone, even remotely
                                connected users, can halt the system using
                                KDM.
                                ■ Nobody: Nobody can halt the system with
                                KDM.
                                ■ Local Users: Only locally connected users
                                can halt the system with KDM.
                                ■ Automatic: The system is halted
                                automatically after logout.
                                For a server system you should use Only Root
                                or Nobody to prevent normal or even remote
                                users from halting the system.


After selecting Next, the following appears:

In this dialog you can configure the login behavior of the system.


You have the following options:

Option Meaning

Delay After Incorrect Login Attempts
    The value of this option determines the number of seconds the
    next login try will be delayed after a failed login attempt.
    This is useful to prevent attackers from trying various
    passwords very quickly.
    The default value 3 is sufficient in most cases.

Record Failed Login Attempts
    If this option is checked, failed login attempts are logged.
    This option should be enabled.

Record Successful Login Attempts
    If this option is checked, successful login attempts are logged.
    This option should also be enabled.

Allow Remote Graphical Login
    The display manager KDM lets you log in remotely to the X Window
    System. If this option is selected, remote login is allowed.
    For a server system, you should not enable this option unless it
    is needed for the purpose of the server (for example, the system
    is a terminal server).

After adjusting the settings in this dialog, select Next to proceed to
the next dialog.


The next dialog looks as follows:

In this dialog you can adjust the Minimum and the Maximum value
for User and Group IDs. The default values should be acceptable
for most purposes.

Select Next to proceed to the next dialog.


The following appears:

This is the last page of the security configuration.


You have the following options:

Option Meaning

Setting Of File Permissions
    From this menu, you can choose between three different presets
    for file system permissions. You have the following options:
    ■ Easy: Most configuration files are readable for normal users.
    ■ Secure: Certain system files (like /var/log/messages) can only
      be viewed by root. Some programs can only be launched by root
      or by daemons.
    ■ Paranoid: This is the preset with the highest level of file
      system security. Access rights are even more restricted than
      with the Secure setting.
    The security settings for every preset are read from
    configuration files following the naming scheme
    /etc/permissions.<level>. For example, the configuration for the
    Secure level is read from the file /etc/permissions.secure.
    Each file contains a description of the file syntax and the
    purpose of the preset.
    You can also add your own rules to the file
    /etc/permissions.local.

User Launching Updatedb
    This option determines under which user ID the command updatedb
    is executed by cron. The updatedb program indexes all files in
    the file system. The generated database can be queried with the
    locate command. The choices of this option are:
    ■ nobody: The command is launched under the user ID of the
      system user nobody. This way only files that are accessible
      for the user nobody are indexed.
    ■ root: The command is executed under the user ID of the root
      user. This way all files in the file system can be indexed.
    For security reasons you should use the user nobody. This way no
    files are indexed that should not be accessible for normal
    users.

Current Directory In Root Path
    If this option is selected, the current directory is added to
    the search path of root. This could lead to security problems if
    an attacker places an executable with a common name like ls into
    a directory. If root enters ls in that directory, the executable
    of the attacker could be launched instead of the normal ls
    command.
    Never select this option.

Current Directory In Path Of Regular Users
    If this option is selected, the current directory is added to
    the search path of normal users. In a security sensitive
    environment, this option should not be enabled.

Enable Magic SysRq Keys
    This option enables special key combinations that give you some
    control over the system even in the case of a system crash. This
    is useful for debugging purposes but should be disabled on
    production systems.

After confirming this dialog with Finish, the changes are saved and
applied to the system.

In most cases it should be sufficient to choose one of the
preconfigured security levels.
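As an added example that is not part of the course manual, the following shell script audits two of the settings made in this dialog: whether a PATH value would make the shell search the current directory, and whether files comply with rules written in the syntax of the /etc/permissions.<level> files (assumed here to be one rule per line, `<path> <owner>:<group> <octal mode>`). It is an independent checker, not SUSE's own tool, and the files and rules it checks are constructed in a temporary directory.

```shell
#!/bin/bash
# Added example, not part of the course manual: audit two settings from the
# last YaST security dialog. Assumption: rules in /etc/permissions.<level>
# and /etc/permissions.local have the form "<path> <owner>:<group> <mode>".
set -eu

# Return 0 (true) if a PATH value would make the shell search the current
# directory: a literal "." element or an empty element (leading, trailing
# or doubled ":"), which the shell also treats as the current directory.
path_searches_cwd() {
    case ":$1:" in
        *:.:*|*::*) return 0 ;;
    esac
    return 1
}

# Compare each rule in permissions file $1 with the file system.
# Prints one line per deviation; the return value is the number of
# deviations (0 means fully compliant; the shell caps it at 255).
check_permissions() {
    local rules=$1 bad=0 path owner mode have want
    while read -r path owner mode; do
        case $path in ''|'#'*) continue ;; esac      # blank or comment line
        if [ ! -e "$path" ]; then
            echo "MISSING  $path"
            bad=$((bad + 1))
            continue
        fi
        # stat prints owner:group and the octal mode without leading zeros,
        # so strip the leading zeros from the rule's mode before comparing.
        have=$(stat -c '%U:%G %a' "$path")
        want="$owner $(printf '%s' "$mode" | sed 's/^0*\([0-7]\)/\1/')"
        if [ "$have" != "$want" ]; then
            echo "MISMATCH $path: is $have, rule says $want"
            bad=$((bad + 1))
        fi
    done < "$rules"
    return $bad
}

# Demonstration on constructed data: two files, one compliant and one too
# open, plus a rule for a file that does not exist.
demo() {
    local dir me rules
    dir=$(mktemp -d)
    me="$(id -un):$(id -gn)"
    : > "$dir/shadow";   chmod 0640 "$dir/shadow"
    : > "$dir/messages"; chmod 0644 "$dir/messages"
    rules="$dir/permissions.local"
    {
        echo "# constructed rules in the permissions.local syntax"
        echo "$dir/shadow   $me 0640"
        echo "$dir/messages $me 0640"
        echo "$dir/absent   $me 0600"
    } > "$rules"
    check_permissions "$rules" || echo "$? rule(s) violated"
    rm -rf "$dir"
}

for p in "/usr/local/bin:/usr/bin:/bin" "/usr/bin:/bin:." "/usr/bin::/bin"; do
    if path_searches_cwd "$p"; then echo "UNSAFE $p"; else echo "ok     $p"; fi
done
demo
```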


Objective 8 Stay Informed About Security Issues


One of the most important security tasks for an administrator is to
stay informed about current security issues.

Damage can be prevented only when security patches are installed
as quickly as possible.

You can use the following resources to gather information about
Linux-related security issues:
■ http://www.suse.de/en/business/security.html: This web site
is the central security information site of SUSE. All security
issues affecting the SUSE products are announced here.
You will also find information about security and OpenSource
software and the SUSE security team.
■ http://www.suse.de/en/business/mailinglists.html: This web
site offers an overview of all SUSE related mailing lists.
There are two security related mailing lists that you can
subscribe to for further security information.
  ■ suse-security: This mailing list is intended for security-
  relevant discussions.
  ■ suse-security-announce: This mailing list announces
  security issues and fixes. This mailing list is read only. For
  discussions please use suse-security.
To subscribe to a mailing list, select the check boxes by the
name of the list, enter your mail address at the bottom of the
page, and then click OK.
■ http://www.securityfocus.com/: This web site is about general
IT security. It also offers various security-relevant mailing lists.


Exercise 4-3: Subscribe to the SUSE Security Announcements

In this exercise, you subscribe to the SUSE security mailing list.
This means that Novell/SUSE will inform you by email about
current security issues of SUSE Linux Products.

If you don't want to receive these messages, skip this exercise.

Do the following:

1. From the KDE start menu, select Internet > Web Browser.

2. In the address bar of the browser, enter the following:
http://www.suse.com/us/business/mailinglists.html

3. Scroll down to the entry suse-security-announce; then select
the check box for that entry.

4. Scroll down to the bottom of that page and in the email address
field enter your email address.

5. Subscribe to the list by selecting OK.

(End of Exercise)


Objective 9 Apply Security Updates


SLES 9 is usually delivered with system maintenance. This system
maintenance includes updates and security patches.

Software updates can be managed with YaST Online Update (YOU).
This YaST module downloads and installs software updates and
security patches.

To apply security updates, you need to do the following:
■ Register your Product
■ Use the YaST Online Update

Register Your Product

To access the update packages you need to enter a user name and a
password. To get these credentials, you need to create an account
for the SUSE support portal.

The SUSE support portal can be accessed at http://portal.suse.com.

After you have created an account, you need to register your
product in the portal with the registration code delivered with the
SLES 9 CDs.

Only registered products can be updated with the YOU module.

Use the YaST Online Update

The following is a quick guide to applying software updates with
YOU.

First you need to start the YOU module from the YaST Control
Center under Software > Online Update.


The following appears:

Select Next to start the update process. There are some additional
configuration options but the defaults are sufficient unless you want
to run your own YOU server.


In the next step, YOU asks you for your account at the SUSE
support portal. Enter your login name and password in the
following dialog:

Select Login to proceed to the next step. YOU retrieves information
about the available patches and displays the following dialog:


On the top left side of the dialog all available patches are displayed.
Security relevant patches are indicated by red characters.

By selecting the check box by an entry, the corresponding update is
installed in the next step. Normally YOU autoselects the updates
that are relevant for your system.

By selecting an entry itself, details for the corresponding update are
displayed on the right side of the dialog.

By selecting Accept, the selected updates are downloaded and
installed.

During the process YOU displays the following dialog:

You can display additional information for some updates. These
dialogs need to be confirmed to install the corresponding software
package.


Summary
The following is the summary of the objectives.

Objective Summary

1. Create a Security Concept
    The security of a system must always be seen in the context of
    the whole IT environment. We highly recommend that you create a
    security concept for the company.
    The process of creating a security concept includes the
    following steps:
    ■ Understand the basics of a security concept.
    ■ Perform a communication analysis.
    ■ Analyze the protection requirements.
    ■ Analyze the current situation and necessary enhancements.

2. Limit Physical Access to Server Systems
    If a server is not protected from unauthorized physical access,
    even the best software configuration cannot prevent someone from
    misusing a system. To make the server as secure as possible, do
    the following:
    ■ Place the server in a separated and locked server room.
    ■ Secure the BIOS with a password.
    ■ Secure the GRUB boot loader with a password.

3. Limit the Installed Software Packages
    You should install only those software packages that are needed
    to fulfill the purpose of a server. To set up a production
    system, minimize the software selections you install and add
    only packages which are definitely needed. It is important that
    no network services are installed that are not needed on a
    server.

4. Understand the Linux User Authentication
    User authentication is the base for every kind of access
    control. The user authentication of a modern Linux system is
    based on PAM, the Pluggable Authentication Modules. PAM creates
    a software layer between the applications handling user
    authentication and the currently used authentication mechanism.
    PAM is configured in the directory /etc/pam.d/. This directory
    contains a configuration file for every application that uses
    PAM. Every line of a configuration file enables a PAM module for
    the corresponding application.
    Another important aspect of user authentication is the
    requirements for a secure password. A password should never be a
    word from a dictionary and should always contain some uppercase
    characters and numbers.

5. Ensure File System Security
    The permission settings in the file system have an important
    meaning for the overall system security. You should always
    follow some basic rules about file system security:
    ■ A user should only have write access in the home and the /tmp
      directory.
    ■ Users should never have read access to configuration files
      that contain passwords.
    ■ The following special file permissions affect the security of
      a system:
      ■ The SUID bit
      ■ The SGID bit
      ■ The sticky bit

6. Use ACLs for Advanced Access Control
    ACLs extend the classic Linux file system permissions. They let
    you assign permissions to named users and named groups. ACLs
    also provide a mask entry, which basically limits the
    permissions of named users and named groups. The ACL entries are
    managed with getfacl and setfacl. Directories can have a default
    ACL that is inherited by newly created files or subdirectories.

7. Configure Security Settings with YaST
    YaST offers a module that can be used to configure various
    security relevant system settings. The module can be found in
    the YaST Control Center under Security and Users > Security
    Settings. You can change the following settings:
    ■ The password settings
    ■ The boot behavior
    ■ The login behavior
    ■ The user and group ID limitations
    ■ The file system security

8. Stay Informed About Security Issues
    It is very important to be informed about the current security
    issues. The following resources can be used to gather security
    relevant information:
    ■ http://www.suse.de/en/business/security.html
    ■ http://www.suse.de/en/business/mailinglists.html
    ■ http://www.securityfocus.com/

9. Apply Security Updates
    To get and apply security updates for SLES 9, you need to do the
    following:
    ■ Register SLES 9 at the SUSE support portal at
      http://portal.suse.com.
    ■ Download and apply updates with YOU, the YaST Online Update.
      The YOU module can be found in the YaST Control Center under
      Software > Online Update.


SECTION 5 Manage Backup and Recovery

In this section, you learn how to develop a backup strategy and how
to use the backup tools shipped with SLES 9. You also learn about
possible problems you might encounter during the boot process and
how to configure the GRUB boot loader.

Objectives
1. Develop a Backup Strategy
2. Create Backup Files With tar
3. Work With Magnetic Tapes
4. Copy Data With the dd Command
5. Mirror Directories With the rsync Command
6. Automate Data Backups With the cron Service
7. Troubleshoot the Boot Process of a SLES 9 System
8. Configure and Install the GRUB Boot Loader


Introduction
Even the best security measures cannot guarantee that data will
never be lost. There is always the possibility that
■ A hard disk will fail, destroying data on the affected disk.
■ Users will delete files by accident.
■ A virus will delete important files on a desktop computer.
■ A notebook will be lost or destroyed.
■ An attacker will delete data on a server.
■ Natural influences like thunderstorms will destroy storage
systems.

It is very important to ensure that you have a reliable backup of
important data.

In this section you learn how to develop a backup strategy and how
to use the standard UNIX backup tools tar, rsync, and dd.

You will learn about possible issues during the boot process and
how to configure the GRUB boot loader.


Objective 1 Develop a Backup Strategy


Backing up data is one of the most important tasks of a system
administrator. But before you can actually back up data, you need to
develop a backup strategy by doing the following:
■ Choose a Backup Method
■ Choose the Right Backup Media

Choose a Backup Method

The best possible method of data backup is the full backup.

In a full backup, all system data is copied to a backup medium once a
day. To restore the data, the most current backup medium is copied
back to the system's hard disk.

The disadvantage of this method is the backup window. The backup
window is the time frame available to perform backups.

Backups should be performed when the system is not used, to avoid
data changes on the disk during the backup. These data changes
would lead to inconsistent data on the backup media.

Therefore, a backup is normally performed at night when systems
are not needed.

In some cases, especially in larger companies, the backup window
might be too small to perform a full backup every day. This can
happen for the following reasons:
■ The amount of data to be backed up is so large that it takes too
long to copy all data to a backup medium during the backup window.
■ The affected systems have to be available around the clock, so
the backup window is very small.

In most cases, a combination of both reasons prevents you from
using a full backup.


To circumvent this problem, you can use a backup method other
than full backup. The following are 2 basic backup alternatives:
■ Perform an Incremental Backup
■ Perform a Differential Backup

Perform an Incremental Backup

In an incremental backup, you normally perform a full backup once
a week (such as on the weekend). Then you perform a backup every
day that copies only files that have changed since the backup the
day before.

For example, you might perform a full backup on Sunday, while on
Monday you just back up the files which have changed since Sunday.
On Tuesday you back up the files which have changed since Monday,
and so on.

Before performing an incremental backup, you need to understand
the following advantage and disadvantage of this method:
■ Advantage. Because you only back up files that have changed
since the last backup, the backup window can be much smaller
than the one you need for a daily full backup.
■ Disadvantage. The recovery time is longer. For example, you
have performed a full backup on Sunday and incremental backups
on Monday, Tuesday and Wednesday. On Thursday the server
crashes and all data is lost.
To restore the server you now need the full backup from last
Sunday and all incremental backups made since then. All these
backups need to be copied to the server in the correct order.


Perform a Differential Backup

In a differential backup, you perform a full backup once a week,
then you perform backups every day to record the files that have
changed since the last full backup.

For example, suppose you perform a full backup on Sunday. On
Monday you back up the files that have changed since Sunday, on
Tuesday you also back up the files that have changed since Sunday,
and so on.

Before performing a differential backup, you need to understand the
following advantage and disadvantage of the method:
■ Advantage. To restore data from a differential backup, you
need just 2 backup media: the last full backup and the last
differential backup. This makes the average time needed to
restore a system shorter.
■ Disadvantage. The amount of data to be backed up grows
every day. At the end of the backup cycle, the amount of data
might be too large for the available backup window.

The following illustrates the difference between incremental and
differential backups:


Choose the Right Backup Media

You must choose the right backup media for the amount of data to
be backed up and the backup method.

Tape drives are used most often because they still have the best
price-to-capacity ratio. Normally these are SCSI drives, so that all
kinds of tape drives can be accessed in the same way (such as DAT,
EXABYTE, and DLT). In addition, tapes can be reused.

Other media for data backup include writable CDs or DVDs,
removable hard drives, and magneto-optical (MO) drives.

More and more frequently, Storage Area Networks (SANs) are
used. With a SAN, a storage network is set up to exclusively back
up data from different computers on a central backup server. But
even a SAN often uses magnetic tapes to store the data.

Backup media should always be stored separately from the backed
up systems. This prevents the backups from being lost in case of a
fire in the server room. Sensitive backup media should be stored
safely offsite.


Objective 2 Create Backup Files With tar


The tar (tape archiver) tool is the most commonly used application
for data backup on Linux systems. It archives files in a special
format, either directly on a backup medium (such as magnetic tape
or floppy disk), or to an archive file.

The following are tasks you perform when backing up files with tar:
■ Create tar Archives
■ Unpack tar Archives
■ Exclude Files from Backup
■ Perform Incremental and Differential Backups
■ Use tar Command Line Options

Create tar Archives

The tar format is a container format for files and directory
structures. By convention, the names of archive files end in .tar.

tar archives can be saved to a file to store them on a file system, or
they can be written directly to a backup tape.

Normally the data in the archive files is not compressed, but you
can enable compression with additional compression commands. If
archive files are compressed (usually with the command gzip), then
the extension of the filename is either .tar.gz or .tgz.

The tar command first expects an option, then the name of the
archive to be written (or the device file of a tape drive), and the
name of the directory to be backed up. All directories and files
under this directory are also saved.

Directories are typically backed up with a command such as
tar -cvf /backup/etc.tar /etc


In this example, the tar command backs up the complete contents of
the directory /etc to the file /backup/etc.tar.

The option -c (create) creates the archive. The option -v (verbose)
displays a more detailed output of the backup process. The name of
the archive to be created is entered after the option -f (file).

This can either be a normal file or a device file (such as a tape
drive), as in the following:
tar -cvf /dev/st0 /home

In this example, the /home directory is backed up to the tape
drive /dev/st0.

When an archive is created, absolute paths are made relative by
default. This means that the leading / is removed, as in the
following:
tar: Removing leading / from member names

You can view the contents of an archive by entering the following:
tar -tvf /backup/etc.tar

Unpack tar Archives

To unpack files from an archive, use the following command:
tar -xvf /dev/st0

This writes all files in the archive to the current directory. Due to the
relative path specifications in the tar archive, the directory structure
of the archive is created here.

If you want to extract to another directory, this can be done with the
option -C, followed by the directory name.

If you want to extract just one file, specify the name of the file
after the archive name, using the path as it is stored in the
archive (that is, without the leading /), as in the following:
tar -xvf /test1/backup.tar home/user1/.bashrc


Exclude Files from Backup

If you want to exclude specific files from the backup, a list of these
files must be written in an exclude file, line by line, as in the
following:
/home/user1/.bashrc
/home/user2/Text*

In this example, the file /home/user1/.bashrc from user1 and all files
that begin with Text in the home directory of user2 will be excluded
from the backup.

This list is then passed to tar with the option -X, as in the following:
tar -cvf /dev/st0 /home -X exclude.files

Perform Incremental and Differential Backups

In an incremental or differential backup, only files that have been
changed or newly created since a specific date must be backed up.

The following are 2 methods you can use to accomplish the same
thing with tar:
■ Use a Snapshot File for Incremental Backups
■ Use the find Command to Search for Files to Back Up

Use a Snapshot File for Incremental Backups

Tar lets you use a snapshot file that contains information about the
last backup process. This file needs to be specified with the -g
option.

First, you need to make a full backup with a tar command, as in the
following:
tar -cz -g /backup/snapshot_file \
  -f /backup/backup_full.tar.gz /home


In this example, the directory /home is backed up to the file
/backup/backup_full.tar.gz. The snapshot file
/backup/snapshot_file does not exist yet and is created.

The next time, you can perform an incremental backup with the
following command:
tar -cz -g /backup/snapshot_file \
  -f /backup/backup_mon.tar.gz /home

In this example, tar uses the snapshot file to determine which files
or directories have changed since the last backup. Only changed
files are included in the new backup /backup/backup_mon.tar.gz.

Use the find Command to Search for Files to Back Up

You can also use the find command to find files that need to be
backed up as a differential backup.

First, you use the following command to make a full backup:
tar -czf /backup/backup_full.tar.gz /home

In this example, the /home directory is backed up into the file
/backup/backup_full.tar.gz. Then you can use the following
command to back up all files that are newer than the full backup:
find /home -type f -newer /backup/backup_full.tar.gz -print0 \
  | tar --null -czvf /backup/backup_mon.tar.gz -T -

In this example, all files (-type f) in the directory /home that are
newer than the file /backup/backup_full.tar.gz are archived.

The options -print0 and --null ensure that files with spaces in their
names are also archived. The option -T determines that files piped
to stdin are included in the archive.
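The two methods above, as an added shell example that is not from the course manual: it builds a constructed directory tree in a temporary directory, runs GNU tar's snapshot-based incremental backup and the find-based differential backup on it, and for the incremental case also restores the full archive and the increment in the correct order. The tree contents, the file names and the `sleep 1` (so that the changed files are measurably newer than the full archive) are assumptions of the example.

```shell
#!/bin/bash
# Added example, not from the course manual: exercise the snapshot-based
# incremental backup (tar -g) and the find-based differential backup on a
# small constructed tree. Requires GNU tar.
set -eu

# Create the constructed tree and print the scratch directory that holds it.
make_tree() {
    local work
    work=$(mktemp -d)
    mkdir -p "$work/htdocs/img"
    echo "index" > "$work/htdocs/index.html"
    echo "my page" > "$work/htdocs/my page.html"   # name with a space
    echo "logo" > "$work/htdocs/img/logo.png"
    echo "$work"
}

# Incremental backup with a snapshot file. Prints the regular files held
# by the increment, then the files present after restoring full + increment.
incremental_demo() {
    local work
    work=$(make_tree)
    (
        cd "$work"
        tar -cz -g snapshot_file -f full.tar.gz htdocs
        sleep 1                          # make the next change clearly later
        echo "new" > htdocs/incremental.html
        tar -cz -g snapshot_file -f mon.tar.gz htdocs
        # The increment carries only the new file; the directory entries that
        # GNU tar always records in an incremental archive are filtered out.
        tar -tzf mon.tar.gz | grep -v '/$'
        # Restore in the right order: the full archive first, then the increment.
        mkdir restore
        tar -xzf full.tar.gz -C restore
        tar -xzf mon.tar.gz -C restore
        find restore -type f | LC_ALL=C sort
    )
    rm -rf "$work"
}

# Differential backup with find -newer. Prints the files in the differential
# archive; -print0/--null keep the name containing a space intact.
differential_demo() {
    local work
    work=$(make_tree)
    (
        cd "$work"
        tar -czf full.tar.gz htdocs
        sleep 1
        echo "changed" >> htdocs/index.html
        echo "changed" >> "htdocs/my page.html"
        find htdocs -type f -newer full.tar.gz -print0 \
            | tar --null -czf diff.tar.gz -T -
        tar -tzf diff.tar.gz | LC_ALL=C sort
    )
    rm -rf "$work"
}

echo "== incremental =="; incremental_demo
echo "== differential =="; differential_demo
```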


Use tar Command Line Options

The following are some useful tar options:

Option Meaning
-c  Creates an archive.
-C  Changes to the specified directory.
-d  Compares files in the archive with those in the file system.
-f  Uses the specified archive file or device.
-j  Directly compresses or decompresses the tar archive using bzip2,
    a modern efficient compression program.
-r  Appends files to an archive.
-u  Only includes files in an archive that are newer than the version
    in the archive (update).
-v  Displays the files which are being processed (verbose mode).
-x  Extracts files from an archive.
-X  Excludes files listed in a file.
-z  Directly compresses or decompresses the tar archive using gzip.

For more information about tar, consult the man page for tar.


Exercise 5-1: Create Backup Files With tar

In this exercise, you use tar to do the following:
■ Part I: Create a Full Backup
■ Part II: Create an Incremental Backup

In this exercise, you copy backup files to the directory /tmp. This is only
done to demonstrate using backup methods. You should never make an
actual backup to the directory /tmp.

Part I: Create a Full Backup

Do the following:

1. Open a terminal window and su to root.

2. Change to the directory /srv/www by entering the following:
cd /srv/www/

3. Create a tar archive of the directory htdocs by entering the
following:
tar czf /tmp/htdocs.tar.gz htdocs

4. Delete the directory htdocs by entering the following:
rm -r htdocs

5. Copy the backup archive to the directory /srv/www by entering
the following:
cp /tmp/htdocs.tar.gz /srv/www

6. Restore the directory htdocs by entering the following:
tar xzf htdocs.tar.gz

7. View the content of the restored directory by entering ls.


Part II: Create an Incremental Backup

Do the following:

1. From the root terminal window, change to the directory
/srv/www by entering the following:
cd /srv/www

2. Create a full backup by entering the following command:
tar czv -g /tmp/snapshot_file -f /tmp/htdocs_full.tar.gz htdocs

3. Create a new file in the directory htdocs by entering the
following:
touch htdocs/incremental.html

4. Perform an incremental backup by entering the following
command:
tar czv -g /tmp/snapshot_file -f /tmp/htdocs_incremental.tar.gz htdocs
Note that tar backs up the file incrementally.

5. View the content of the incremental backup file by entering the
following:
tar -tzf /tmp/htdocs_incremental.tar.gz

6. Remove the directory htdocs by entering the following:
rm -r htdocs

7. To restore the directory, begin by unpacking the full backup by
entering the following:
tar xzf /tmp/htdocs_full.tar.gz


8. Unpack the incremental backup by entering the following
command:
tar xzf /tmp/htdocs_incremental.tar.gz

(End of Exercise)


Objective 3 Work With Magnetic Tapes

To work with magnetic tapes in SLES 9, use the command mt. With
this command, you can position tapes, switch compression on or off
(with some SCSI-2 tape drives), and query the tape status.

Magnetic tape drives used under Linux are always SCSI devices
and can be accessed with the following device names:
■ /dev/st0. Refers to the first tape drive.
■ /dev/nst0. Addresses the same tape drive in the no rewind
mode. This means that after writing or reading, the tape remains
at that position and is not rewound back to the beginning.

For reasons of compatibility with other UNIX versions, 2 symbolic
links exist: /dev/rmt0 and /dev/nrmt0.

You can query the status of the tape by entering the following
command:
mt -f /dev/st0 status

In this example, the -f option is used to indicate the device name of
the tape drive. The command status displays the status of the tape
drive.

The output of the command looks like the following:
drive type = Generic SCSI-2 tape drive
status = 620756992
sense key error = 0
residue count = 0
file number = 0
block number = 0
Tape block size 0 bytes. Density code 0x25 (unknown).
Soft error count since last status=0
General status bits on (41010000):
BOT ONLINE IM_REP_EN

The most important information in this example is the file number
(file number, starting at 0) and the block numbers (block number,
starting at 0).


These parameters determine the position of the tape. In this
example, the tape is positioned at the beginning of the first file.

The file count starts with 0.

To position the tape at the beginning of the next file, use the
following command:
mt -f /dev/nst0 fsf 1

In this example, the command fsf forwards the tape by the given
number of files, and the tape will start before the first block of the
second file.

This can be verified with the status command, as in the following:
mt -f /dev/nst0 status
drive type = Generic SCSI-2 tape drive
status = 620756992
sense key error = 0
residue count = 0
file number = 1
block number = 0
Tape block size 0 bytes.
Density code 0x25 (unknown).
Soft error count since last status=0
General status bits on (81010000):
EOF ONLINE IM_REP_EN

Now the file number is set to 1, and the final line of the output
contains EOF (end of file) instead of BOT (beginning of tape).

With the option bsf, the tape can be repositioned back by a
corresponding number of files.

In general, when positioning the tape, you should use a
nonrewinding device file like /dev/nst0.

If you want the tape to be spooled back to the beginning after the
reading or writing process, enter the following command:
mt -f /dev/nst0 rewind


If you want to eject the tape from the drive, then enter the following
command:
mt -f /dev/nst0 offline

Normally, tapes should always be written without compression,
because otherwise you cannot recover the subsequent data in case of
a write or read error.

To check whether data compression is switched on or off, enter the
following command:
mt -f /dev/st0 datcompression

The command shows whether data compression is switched on or
off.

If the parameter on or off is specified at the end of the command,
then data compression will be switched on or off. By default,
compression is switched on.
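Because the file number and block number from mt status decide where the next write lands, a backup script should check them before writing to the tape. The following added example (not from the manual) parses the status output shown above; parse_tape_position and tape_at_file are names chosen here, both read the status text from stdin, and the sample status text is constructed from the format shown above.

```shell
# Added example, not part of the manual: read the output of "mt -f DEVICE status"
# and check that the tape sits where a backup expects it before anything is
# written. Both functions read the status text from stdin, so they accept live
# mt output or the constructed sample below.

# Print "file=N block=M state=WORD", where WORD is the first status bit listed
# on the line after "General status bits on" (BOT, EOF, ...).
parse_tape_position() {
    awk '
        /^file number/            { file = $NF }
        /^block number/           { block = $NF }
        /^General status bits on/ { getline; state = $1 }
        END { printf "file=%s block=%s state=%s\n", file, block, state }
    '
}

# Succeed only if the status text on stdin shows file EXPECTED at block 0;
# otherwise report the actual position and fail, so a script stops before it
# overwrites a file that is already on the tape.
tape_at_file() {
    local expected="$1" pos
    pos=$(parse_tape_position)
    case $pos in
        "file=$expected block=0 "*) return 0 ;;
        *) echo "tape is at $pos, expected file=$expected block=0" >&2
           return 1 ;;
    esac
}

# With a real drive the non-rewinding device keeps the position between calls:
#   mt -f /dev/nst0 fsf 1 && mt -f /dev/nst0 status | tape_at_file 1 && tar -cf /dev/nst0 /home

# Constructed sample: the status after "mt -f /dev/nst0 fsf 1", as shown above.
SAMPLE_STATUS_AFTER_FSF='drive type = Generic SCSI-2 tape drive
status = 620756992
sense key error = 0
residue count = 0
file number = 1
block number = 0
Tape block size 0 bytes.
Density code 0x25 (unknown).
Soft error count since last status=0
General status bits on (81010000):
 EOF ONLINE IM_REP_EN'
```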


Objective 4 Copy Data With the dd Command

You can use the command dd to convert and copy files byte-wise.
Normally dd reads from the standard input and writes the result to
the standard output. But with the corresponding parameters, files
can also be addressed directly.

You can copy all kinds of data with this command, including entire
hard disk partitions. Exact copies of an installed system (or just
parts of it) can be created very simply.

In the simplest case, a file can be copied with the following
command:
dd if=/etc/protocols of=protocols.org

The output of dd during the copying process looks like the following:
12+1 records in
12+1 records out

Use the option if= (input file) to specify the file to be copied, and
the option of= (output file) to specify the name of the copy.

Copying files in this way is done using records. The standard size
for a record is 512 bytes. The output shown above indicates that 12
complete records of the standard size and an incomplete record (that
is, less than 512 bytes) were copied.

If the record size is now modified by the option bs=block size, then
the output will also be modified:
dd if=/etc/protocols of=protocols.old bs=1
6561+0 records in
6561+0 records out

A file listing shows that their sizes are identical:
ls -l protocols*
-rw-r--r-- 1 root root 6561 Apr 30 11:28 protocols
-rw-r--r-- 1 root root 6561 Apr 30 11:30 protocols.old


If you want to copy a complete partition, then the corresponding
device file of the partition should be given as the input, as in the
following:
dd if=/dev/sda1 of=boot.partition

In this example, the whole partition /dev/sda1 is written to the file
boot.partition.

You can also use dd to create a backup copy of the MBR (master
boot record), as in the following:
dd if=/dev/sda of=/tmp/mbr_copy bs=512 count=1

In this example, a copy of the MBR is created from the hard disk
/dev/sda and is written to the file /tmp/mbr_copy.
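An MBR backup is only useful if the copy is complete and intact, so the following added example (not from the manual) wraps the dd command above with a check: it verifies that the copy is one 512-byte sector ending in the 55 AA boot signature and that it matches the sector still on the device. The function names are chosen here, and a constructed disk image file stands in for /dev/sda so nothing touches a real disk.

```shell
# Added example, not from the manual: back up the MBR with dd and verify the
# copy before trusting it. An MBR is one 512-byte sector: 446 bytes of boot
# code, a 64-byte partition table and the signature 55 AA at offsets 510-511.
# A constructed disk image file stands in for /dev/sda.

# Copy the first sector of DEVICE to OUTFILE (same dd call as in the text).
backup_mbr() {
    local device="$1" outfile="$2"
    dd if="$device" of="$outfile" bs=512 count=1 2>/dev/null
}

# Print the two signature bytes at offsets 510-511 of FILE as lower-case hex.
mbr_signature() {
    od -A n -t x1 -j 510 -N 2 "$1" | tr -d ' \n'
}

# Succeed only if FILE is exactly 512 bytes and carries the 55 AA signature.
mbr_is_valid() {
    local file="$1"
    [ "$(wc -c < "$file" | tr -d ' ')" -eq 512 ] && [ "$(mbr_signature "$file")" = "55aa" ]
}

# Back up and verify: the copy must look like an MBR and must be byte-for-byte
# identical to the sector still on the device, otherwise fail.
backup_and_verify_mbr() {
    local device="$1" outfile="$2"
    backup_mbr "$device" "$outfile" || return 1
    mbr_is_valid "$outfile" || return 1
    dd if="$device" bs=512 count=1 2>/dev/null | cmp -s - "$outfile"
}

# Constructed 1 MiB disk image whose first sector ends in 55 AA (octal 125 252).
make_test_image() {
    local image="$1"
    dd if=/dev/zero of="$image" bs=1024 count=1024 2>/dev/null
    printf '\125\252' | dd of="$image" bs=1 seek=510 conv=notrunc 2>/dev/null
}
```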


Exercise 5-2: Create Drive Images with dd

In this exercise, you use dd to create a drive image by doing the
following:

1. From a root terminal window, display the content of the file
/etc/fstab by entering the following:
cat /etc/fstab

2. Find an entry /media/dvd or /media/cdrom and note the
corresponding device name (listed in the first column of the
output).

3. Insert the 3038 Course CD in the CD or DVD drive.

4. Copy an image of the CD to the hard disk by entering the
following command:
dd if=/dev/CD/DVD_device of=/tmp/course_cd.iso

5. When the copy process is complete, mount the image file by
entering the following command:
mount -o loop /tmp/course_cd.iso /mnt/

6. Change to the directory /mnt/ by entering cd /mnt.

7. Display the content of the image file by entering ls.
Note that the content of the image file is identical to the original
media.

8. Change to your home directory and unmount the image file by
entering the following commands:
cd
umount /mnt

9. Delete the image file by entering the following:
rm /tmp/course_cd.iso

(End of Exercise)


Objective 5 Mirror Directories With the rsync Command

The command rsync (remote synchronization) is actually intended
to create copies of complete directories across a network to a
different computer.

When copying data, rsync compares the source and the target
directory and transfers only data that has changed or been created.

rsync is the ideal tool to mirror the content of directories or to back
up data across a network.

You can use rsync in 2 different ways:
■ Perform Local Copying With rsync
■ Perform Remote Copying With rsync

Perform Local Copying With rsync

You can mirror all home directories by entering the following:
rsync -a /home /shadow

In this example, the mirroring is made to the directory /shadow.

The directory /home is first created in the directory /shadow, and
then the actual home directories of the users are created under
/shadow/home.

If you want to mirror the content of a directory and not the directory
itself, you can use a command such as the following:
rsync -a /home/. /shadow

By adding a /. to the end of the source directory, only the data under
/home is copied.

If you run the same command again, only files that have changed or
that are new will be transferred.


The option -a used in the examples puts rsync into archive mode.
Archive mode is a combination of various other options (namely
rlptgoD) and ensures that the characteristics of the copied files are
identical to the originals.

The following describes these options:
■ Symbolic links (option l)
■ Access permissions (option p)
■ Owners (option o)
■ Group membership (option g)
■ Time stamp (option t)

The option -r ensures that directories are copied recursively.

The following are some useful rsync options:

Option          Description
-a              Puts rsync into the archive mode.
-x              Saves files on one file system only, which means
                that rsync does not follow symbolic links to other file
                systems.
-v              Enables the verbose mode. Verbose mode outputs
                information about the transferred files and the
                progress of the copying process.
-z              Compresses the data during the transfer. This is
                especially useful for remote synchronization.
--delete        Deletes files that no longer exist in the original
                directory from the mirrored directory.
--exclude-from  Does not back up files listed in an exclude file.

The last option can be used as follows:
rsync -a --exclude-from=/home/exclude /home/. /shadow/home


In this example, all files listed in the file /home/exclude are not
backed up. Empty lines or lines beginning with ; or # are ignored.
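The following added example (not from the manual) combines the options above: it mirrors the content of a directory in archive mode with --delete and --exclude-from, then lists the mirror after each pass so the effect of the exclude file and of a deleted source directory can be checked. mirror_dir and demo_mirror are names chosen here; the directories, files and exclude list are constructed under a temporary directory, and rsync must be installed.

```shell
# Added example, not from the manual: mirror a directory tree with rsync in
# archive mode, honour an exclude file and drop files that disappeared from the
# source (--delete). Directories, files and the exclude list are constructed.

# Mirror the content of SRC (note the trailing /.) into DEST, skipping the
# patterns listed in EXCLUDE_FILE and removing mirror files no longer in SRC.
mirror_dir() {
    local src="$1" dest="$2" exclude_file="$3"
    rsync -a --delete --exclude-from="$exclude_file" "$src/." "$dest"
}

# Two mirror passes on constructed data; prints the regular files in the
# mirror after each pass.
demo_mirror() {
    local work
    work=$(mktemp -d)
    mkdir -p "$work/home/tux" "$work/home/geeko"
    echo report > "$work/home/tux/report.txt"
    echo cache  > "$work/home/tux/.cache"
    echo notes  > "$work/home/geeko/notes.txt"
    # Exclude file: empty lines and lines beginning with ; or # are ignored.
    printf '# scratch data is not backed up\n\n.cache\n; end of list\n' > "$work/exclude"

    mirror_dir "$work/home" "$work/shadow" "$work/exclude"
    echo "pass 1:"
    (cd "$work/shadow" && find . -type f | sort)

    # A user directory disappears from the source; the next pass mirrors that.
    rm -r "$work/home/geeko"
    mirror_dir "$work/home" "$work/shadow" "$work/exclude"
    echo "pass 2:"
    (cd "$work/shadow" && find . -type f | sort)

    rm -r "$work"
}
```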

Perform Remote Copying with rsync

With rsync and SSH, you can log in to other systems and perform
data synchronization remotely over the network.

The following command copies the home directory of the user tux
to a backup server:
rsync -ave ssh root@DA1:/home/tux /backup/home/

In this example, the option -e specifies the remote shell (ssh) that
should be used for the transmission. The source directory is
specified by the expression root@DA1:/home/tux. This means that
rsync should log in to DA1 as root and transfer the directory
/home/tux.

Of course, this also works in the other direction. In the following
example, the backup of the home directory is copied back to the
DA1 system:
rsync -ave ssh /backup/home/tux root@DA1:/home/

rsync must be installed on both the source and the target computer.

There is also another way to perform remote synchronization with
rsync by running an rsync server. This way you can enable remote
synchronization without allowing an SSH login.

For more information, consult the rsync documentation at
http://samba.anu.edu.au/rsync/.


Exercise 5-3: Create a Backup of a Home Directory With rsync

In this exercise, you do the following:
■ Part I: Perform a Local Backup With rsync
■ Part II: Perform a Remote Backup With rsync

Part I: Perform a Local Backup With rsync

Do the following:

1. Open a terminal window and su to root.

2. Create a test backup directory by entering the following:
mkdir /tmp/rsync_test

3. Copy geeko's home directory to the backup directory by
entering the following:
rsync -av /home/geeko /tmp/rsync_test

4. Open another terminal window as user geeko.

5. Create a new file by entering the following:
touch new_file

6. Switch to the root terminal window and enter the same rsync
command again:
rsync -av /home/geeko /tmp/rsync_test
Notice that rsync transfers only the new file and the
corresponding directory.


Part II: Perform a Remote Backup with rsync

Wait until a partner has completed the previous steps in the
exercise, and then do the following:

1. From the root terminal window, perform a remote backup of
your partner's geeko home directory by entering the following
command:
rsync -ave ssh root@partner_ip_address:/home/geeko /tmp/rsync_test/remote

2. Ask your partner to create a new file in the geeko home
directory by entering the following:
touch new_file2

3. Enter the rsync command again:
rsync -ave ssh root@partner_ip_address:/home/geeko /tmp/rsync_test/remote

Notice that only the new file is copied by rsync.

4. Clean up the backup directory by entering the following:
rm -r /tmp/rsync_test/*

(End of Exercise)


Objective 6 Automate Data Backups With the cron Service

Backing up data is a task that you should perform on a regular basis.
You can automate backups in Linux with the cron service.

System jobs are controlled with the file /etc/crontab and the files in
the directory /etc/cron.d. They are defined with the scripts in the
directories /etc/cron.hourly, /etc/cron.daily, /etc/cron.weekly, and
/etc/cron.monthly.

Specifying which users can create cron jobs is done through the
files /var/spool/cron/allow and /var/spool/cron/deny, which are
evaluated in this order. If neither file exists, then only root can
define jobs.

The jobs of individual users are stored in files in the directory
/var/spool/cron/tabs with names matching the user names. These
files are processed with the command crontab.

The following is an example of a cron job:
0 22 * * 5 /root/bin/backup

In this example, the script /root/bin/backup is started every Friday at
10 P.M. The format for the line is described in man crontab.
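A way to check that a schedule line means what you intend before installing it, as an added example (not from the manual): the functions below evaluate the five time fields of a cron job line against a given minute, hour, day of month, month and weekday, implementing the field syntax of man 5 crontab (lists, ranges, steps, Sunday as 0 or 7, and the rule that when both day fields are restricted the job runs when either one matches). field_matches and cron_matches are names chosen here. Note that the user field (root in the system crontab) exists only in /etc/crontab and /etc/cron.d; a per-user crontab edited with crontab -e has no user field.

```shell
# Added example, not from the manual: evaluate the five time fields of a cron
# job line against a given moment, following the field syntax of man 5 crontab.

# field_matches FIELD VALUE MIN MAX: does one crontab field cover VALUE?
field_matches() {
    local field="$1" value="$2" min="$3" max="$4"
    local rest="$field" item lo hi step
    while [ -n "$rest" ]; do
        # Take the next comma-separated item without word splitting or globbing.
        item=${rest%%,*}
        if [ "$item" = "$rest" ]; then rest=""; else rest=${rest#*,}; fi
        step=1
        case $item in
            */*) step=${item#*/}; item=${item%%/*} ;;
        esac
        case $item in
            '*') lo=$min; hi=$max ;;
            *-*) lo=${item%%-*}; hi=${item#*-} ;;
            *)   lo=$item
                 # A plain "N/step" means N..MAX in Vixie cron.
                 if [ "$step" -eq 1 ]; then hi=$item; else hi=$max; fi ;;
        esac
        if [ "$value" -ge "$lo" ] && [ "$value" -le "$hi" ] \
           && [ $(( (value - lo) % step )) -eq 0 ]; then
            return 0
        fi
    done
    return 1
}

# cron_matches "MIN HOUR DOM MON DOW" MINUTE HOUR DAY MONTH WEEKDAY
# Succeeds if the schedule fires at that moment (WEEKDAY 0 or 7 is Sunday).
cron_matches() {
    local spec="$1" minute="$2" hour="$3" dom="$4" month="$5" dow="$6"
    local f_min f_hour f_dom f_mon f_dow dom_ok=1 dow_ok=1
    read -r f_min f_hour f_dom f_mon f_dow <<EOF
$spec
EOF
    field_matches "$f_min" "$minute" 0 59 || return 1
    field_matches "$f_hour" "$hour" 0 23 || return 1
    field_matches "$f_mon" "$month" 1 12 || return 1
    if [ "$dow" -eq 7 ]; then dow=0; fi
    if field_matches "$f_dom" "$dom" 1 31; then dom_ok=0; fi
    # Sunday may be written as 0 or 7 in the field, so test both spellings.
    if field_matches "$f_dow" "$dow" 0 7 || field_matches "$f_dow" $((dow + 7)) 0 7; then
        dow_ok=0
    fi
    if [ "${f_dom#\*}" = "$f_dom" ] && [ "${f_dow#\*}" = "$f_dow" ]; then
        # Both day fields restricted: the job runs when either one matches.
        [ "$dom_ok" -eq 0 ] || [ "$dow_ok" -eq 0 ]
    else
        [ "$dom_ok" -eq 0 ] && [ "$dow_ok" -eq 0 ]
    fi
}
```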


Exercise 5-4: Configure a cron Job for Data Backups

In this exercise, you use cron for data backup by doing the
following:

1. Open a terminal window and su to root.

2. Change to the directory /usr/local/bin/ by entering the
following:
cd /usr/local/bin

3. Create the file home_backup.sh in the directory by entering the
following commands in the file:
#!/bin/bash
rsync -av /home/geeko /tmp/rsync_test

4. Save the file and close the editor.

5. Make the file executable by entering the following:
chmod 744 home_backup.sh

6. Open the file /etc/crontab in the crontab editor by entering
crontab -e.

7. Add the following at the end of the file:
30 15 * * * root /usr/local/bin/home_backup.sh

8. Check after 3:30 pm (or tomorrow) to see if the backup has
been completed by entering the following:
ls /tmp/rsync_test

9. (Optional) Try changing the time of the backup job.

(End of Exercise)


Objective 7 Troubleshoot the Boot Process of a SLES 9 System

Sometimes a Linux system cannot start up correctly. Another task of
system recovery is to access a corrupted system and to fix the
problem that prevents the normal boot process.

To perform basic troubleshooting of the boot process, you need to
know the following:
■ Understand Issues During the System Boot Process
■ How to Boot a Corrupted System Directly into a Shell
■ How to Boot a Corrupted System With the Installation Media
■ How to Start and Use the SLES 9 Rescue System

Understand Issues During the System Boot Process

The boot process of a modern Linux system can be very complex,
and it is possible to encounter problems during the boot process.

The following are some of the most common problems:
■ The system cannot boot due to a misconfigured boot loader.
■ The system cannot boot because of file system corruption.
■ An init script has malfunctioned and is blocking the boot
process.
■ The system does not start correctly because of hardware
changes.

In all of these cases you must access the file system of the corrupted
system to detect and fix the problem.

In this objective, you learn how to access a system which is no
longer booting.


Boot a Corrupted System Directly into a Shell

The boot screen of the GRUB boot loader lets you pass parameters
that modify the Linux kernel before the kernel is actually loaded.

At the bottom of the GRUB boot screen is a Boot Options field.
When you select an operating system in the boot screen, the boot
options for that operating system are displayed in the field.

To add a boot option, select an operating system and type the
additional boot option in the Boot Options field.

One way to access a system that is not booting anymore is to set a
different program for the init process. Normally, the Linux kernel
tries to find a program with the name init and starts this program as
the first process. All other processes are then started by init.

With the boot parameter init=new_init_program, you can change
the first program loaded by the kernel. For example, by entering the
boot parameter init=/bin/bash, the system is started directly into
a bash shell.

You can use this bash shell to access the file system and to fix a
misconfiguration.

The file systems are mounted read-only after booting into a shell. To
change configuration files, you need to remount the file system with the
following command:
mount -o remount,rw,sync -t filesystem_type device_name mount_point


Boot a Corrupted System With the Installation Media

You can use the SUSE LINUX installation media to boot a system
with a misconfigured boot loader. To boot the system, you need to
do the following:
1. Insert SLES 9 CD 1 into the CD-ROM drive and reboot the
system.
Make sure that the system boots from the drive.
2. Select Installation; then press Enter.
Wait until the installation program starts.
3. When YaST displays the language selection dialog, select
Accept.
4. In the next dialog, select Boot installed system; then select OK.
YaST analyzes the hard disk and displays all Linux root
partitions.
5. Select the root partition of the system you would like to boot;
then select Boot.
The selected system is now booted.

After the system has started, you can log in as root user and fix the
boot loader problem.

Start and Use the SLES 9 Rescue System

Another way to access a corrupted system is to use the SLES 9
Rescue System. The Rescue System is a Linux system that can be
booted directly from the installation media.

When this system is running, you can mount partitions from the
corrupted system and fix problems.

To start the Rescue System, do the following:
1. Insert SLES 9 CD 1 into the CD-ROM drive and reboot the
system.


Make sure that the system boots from the drive.
2. From the boot menu, select Rescue System; then press Enter.
3. From the language selection dialog, select your language; then
press Enter.
4. At the prompt Rescue login, enter root.
5. Press the Enter key.
You are now logged into the Rescue System as root.

To access the file system of the corrupted system, you need to
mount the corresponding partition, as in the following:
mount -t reiserfs /dev/hda6 /mnt

In this example, the partition /dev/hda6 is mounted into the
directory /mnt.

Now you can access the file system, fix any errors, or copy data to
another media.


Objective 8 Configure and Install the GRUB Boot Loader

To boot the system, you need a program, called the boot loader,
which loads the operating system kernel and starts the system.

In SLES 9 (by default) this task is handled by the boot manager
GRUB (GRand Unified Boot Loader).

To configure the GRUB boot loader, you need to know the
following:
■ The Basic Functionality of a Boot Loader
■ The Basics of GRUB
■ How to Configure the GRUB Boot Loader

The Basic Functionality of a Boot Loader

The following are the 2 basic tasks of a boot loader:
■ Boot various operating systems
■ Pass boot parameters to the Linux kernel

The boot loader performs these tasks in the following 2 stages:
■ Stage 1. The program code for the first stage of a boot loader is
usually installed in the master boot record (MBR) of the hard
disk.
Because the space in the MBR is limited to 446 bytes, this
program code merely contains the information for loading the
next stage. Stage 1 can be installed in the boot sector of a
partition or on a floppy disk.
■ Stage 2. This stage usually contains the actual boot loader. The
files of the boot loader are located in the directory /boot.


The Basics of GRUB

GRUB is the standard boot loader of SLES 9 and includes the
following features:
■ Stage 2 File System Drivers. Stage 2 of GRUB includes file
system drivers for ReiserFS, ext2, ext3, Minix, JFS, XFS, FAT,
and FFS (BSD).
This means that GRUB can be used to access files by means of
filenames even before the operating system is loaded. This
feature is used to search for kernel and initrd images.
■ GRUB Shell. GRUB has its own shell that enables interactive
control of the boot manager.

Configure the GRUB Boot Loader

You configure GRUB by editing the file /boot/grub/menu.lst. The
following is the general structure of the file:
■ First, the general options such as the background color of the
boot manager menu are listed:
color white/blue black/light-gray
■ This is followed by options for the various operating systems
that can be booted with the boot manager. Each entry for an
operating system begins with a command title, as in the
following:
title linux
kernel (hd0,0)/boot/vmlinuz root=/dev/hda1
initrd (hd0,0)/boot/initrd


The following is an example of a simple GRUB configuration file:
default 0
timeout 8

title linux
kernel (hd0,0)/boot/vmlinuz root=/dev/hda1
initrd (hd0,0)/boot/initrd

Each part of this example is shown and described below:

default 0

The first entry (numbering from 0) is the default boot entry that
starts automatically if no other entry is selected with the keyboard.

timeout 8

The default boot entry is started automatically after 8 seconds.

title linux

This is the first entry in the boot menu. By default, this entry is
started.

kernel (hd0,0)/boot/vmlinuz

This part of the kernel line describes the kernel location (in this
example, the first partition of the first hard disk).

Note the following regarding the designations for hard disks and
partitions:
■ GRUB does not distinguish between IDE and SCSI hard disks.
The hard disk that is recognized by the BIOS as the first hard
disk is designated as hd0, the second hard disk as hd1, and so
on.
■ The first partition on the first hard disk is called hd0,0, the
second partition hd0,1, and so on.


root=/dev/hda1

The root= option specifies the root partition of the system. This can
be followed by other kernel parameters.

initrd (hd0,0)/boot/initrd

This entry sets the location of the initial ramdisk (initrd). The initrd
contains hardware drivers that are needed before the kernel can
access the hard disk (such as a driver for the IDE or SCSI
controller).

Another GRUB configuration file is /etc/grub.conf. It contains
information on how and where the components of the GRUB boot
manager are supposed to be installed (for example, whether GRUB
should reside in the MBR or in the boot record of a partition).

This file is read only once when the boot loader is first installed.


Exercise 5-5: Boot to a Shell and Configure the GRUB Boot Loader

Your SLES 9 system is corrupted and no longer booting. To access
the file system and configure the GRUB boot loader with an option
to boot to runlevel 3, you do the following:
■ Part I: Boot the Rescue System
■ Part II: Edit and Test the GRUB Configuration File

This exercise demonstrates booting from the Rescue System and editing
the GRUB configuration file for learning purposes, and does not
necessarily reflect what you might do in an emergency situation.

For example, you can boot the Rescue System and enter a 3 in the boot
options field to boot into runlevel 3 without editing the GRUB
configuration file.

Part I: Boot the Rescue System

Do the following:

1. Open a terminal window and su to root.

2. Enter mount; then look for a file system which is mounted on
root (/) and note the corresponding device name.

3. Insert the SLES 9 CD 1 in the CD-ROM drive; then reboot the
system.
Make sure that your system boots from the CD-ROM drive. If not, you
might need to adjust the BIOS settings.

4. At the boot screen, highlight Rescue System; then press Enter.

5. From the language selection dialog, highlight your language;
then press Enter.

6. When the rescue system starts, log in by entering root.


Part II: Edit and Test the GRUB Configuration File

Do the following:

1. After logging in to the rescue system, mount the root partition
of the system by entering the following:
mount root_partition /mnt

2. Open the GRUB configuration file of the installed system with
vi by entering the following:
vi /mnt/boot/grub/menu.lst

3. Duplicate all 3 lines which belong to the first entry (title
Linux) in the configuration file.

4. When you have duplicated the entry, change the title of the
copy to the following:
title Linux-Runlevel 3

5. Add a 3 (preceded by a space) at the end of the line with the
kernel parameters.

6. Save and close the GRUB configuration file.

7. Unmount the root partition by entering umount /mnt.

8. Remove the SLES 9 CD 1 from the drive.

9. Restart the computer by entering reboot.

10. At the boot prompt, highlight the entry Linux-Runlevel 3 and
press Enter.
You can also boot to runlevel 3 by entering 3 in the Boot Options
field.

11. When the system boots to runlevel 3, log in as root; then
access the graphical login by entering init 5.
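Steps 3 to 6 of Part II can also be done without an interactive editor. The following added example (not from the manual) copies the first title entry of a menu.lst, renames the copy and appends " 3" to the copy's kernel line, keeping the original entry untouched and a .bak copy of the previous file. add_runlevel3_entry and install_runlevel3_entry are names chosen here, the file to edit is a parameter (on the rescue system that would be /mnt/boot/grub/menu.lst), and the sample menu.lst is constructed.

```shell
# Added example, not from the manual: add a runlevel-3 entry to a GRUB
# menu.lst by copying its first entry. The sample menu.lst is constructed.

# Print MENU_LST with a copy of its first entry appended under NEW_TITLE and
# " 3" added to the copy's kernel line. The original entries stay untouched,
# so the known-good entry remains bootable.
add_runlevel3_entry() {
    local menu="$1" new_title="$2"
    awk -v title="$new_title" '
        /^title/ { entries++ }
        # Collect the non-blank lines of the first entry, rewriting as we go.
        entries == 1 && NF > 0 {
            line = $0
            if (line ~ /^title/)                   line = "title " title
            else if (line ~ /^[[:space:]]*kernel/) line = line " 3"
            copy = copy line "\n"
        }
        { print }
        END { printf "\n%s", copy }
    ' "$menu"
}

# Edit MENU_LST in place: keep a .bak copy of the previous boot configuration,
# write the new file under a temporary name and move it over the original, and
# do nothing if an entry with NEW_TITLE already exists.
install_runlevel3_entry() {
    local menu="$1" new_title="$2" tmp
    grep -qxF "title $new_title" "$menu" && return 0
    cp -p "$menu" "$menu.bak" || return 1
    tmp=$(mktemp "$menu.XXXXXX") || return 1
    add_runlevel3_entry "$menu" "$new_title" > "$tmp" && mv "$tmp" "$menu"
}

# Constructed sample in the layout described above (the kernel and initrd
# lines of each entry are indented).
MENU_LST_SAMPLE='default 0
timeout 8

title linux
    kernel (hd0,0)/boot/vmlinuz root=/dev/hda1
    initrd (hd0,0)/boot/initrd

title failsafe
    kernel (hd0,0)/boot/vmlinuz root=/dev/hda1 ide=nodma noapic
    initrd (hd0,0)/boot/initrd'
```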


Summary
The following is the summary of the objectives.

Objective 1: Develop a Backup Strategy

To develop a backup strategy, you need to complete the following
steps:
■ Choose a backup method
■ Choose a backup media

There are 3 basic backup strategies:
■ Full backup. All data is backed up every day.
■ Incremental backup. Only the data that has been changed since
the last incremental or full backup is saved every day.
■ Differential backup. Only the data that has been changed since
the last full backup is saved every day.

Which method you use depends on the backup window. The backup
window is the time period in which a system is not used and is
available for a backup.


Objective 2: Create Backup Files With the tar Command

tar is a commonly-used tool for performing data backups under
Linux. tar can write data directly to a backup media or to an archive
file.

Archive files normally end in .tar, if they are compressed in .tar.gz
or .tgz.

The following is the basic syntax to create a tar archive:
tar -cvf home.tar /home

To unpack a tar archive, use the following command:
tar -xvf /home.tar

If you want to use tar with gzip for compression, you need to add
the option z to the tar command.

Archives can also be written directly to tape drives. In this case, the
device name of the tape drive must be used instead of a filename.

tar can also be used for incremental or differential backups.


Objective 3: Work with Magnetic Tapes

mt is the Linux standard tool to work with magnetic tapes.

Use the following command to query the status of the drive:
mt -f /dev/st0 status

The following command moves the tape to the beginning of the next
file:
mt -f /dev/nst0 fsf 1

To rewind the tape by a certain amount of files, use the bsf
command.

To rewind the tape to the beginning, use the following:
mt -f /dev/nst0 rewind

The following command ejects the tape from the drive:
mt -f /dev/nst0 offline

Objective 4: Copy Data With the dd Command

With the command dd files can be converted and copied byte-wise.

To copy a file, use the following command:
dd if=/etc/protocols of=protocols.org

To copy an entire partition into a file, use the following command:
dd if=/dev/sda1 of=boot.partition


Objective 5: Mirror Directories With the rsync Service

The command rsync is used to synchronize the content of
directories, locally or remotely, over the network.

rsync uses special algorithms to ensure that only those files are
transferred that are new or have been changed since the last
synchronization.

The basic command to synchronize the content of two local
directories is the following:
rsync -a /home /shadow

To perform a remote synchronization, use a command like the
following:
rsync -ave ssh root@DA1:/home/tux /backup/home/

Objective 6: Automate Data Backups with cron

Because backups are recurring tasks, they can be automated with the
cron daemon.

System jobs are controlled using the file /etc/crontab and the files
in the directory /etc/cron.d. The jobs are defined by the scripts in
the directories /etc/cron.hourly, /etc/cron.daily, /etc/cron.weekly
and /etc/cron.monthly.

The following is an example of a job entry:
0 22 * * 5 /bin/backup


Objective 7: Troubleshoot the Boot Process of a SLES 9 System

A SLES 9 installation can be prevented from booting normally if
■ The system cannot boot due to a misconfigured boot loader.
■ The system cannot boot because of a file system corruption.
■ An init script malfunctioned and is blocking the boot process.
■ The system does not start correctly because of hardware
changes.

When a system is not booting any more, you can do the following
to access the file system of the corrupted system:
■ Boot a corrupted system directly into a shell.
■ Boot a corrupted system with the installation media.
■ Start and use the SLES 9 Rescue System.


Objective 8: Configure and Install the GRUB Boot Loader

The most important configuration file for GRUB is
/boot/grub/menu.lst.

The file contains a general section at the beginning and a section
for every operating system.

A section for a Linux operating system contains at least the
following options:
title
This is the title of the system that is displayed in the boot menu.
kernel
This option specifies the location of the Linux kernel.
root=
This option, given on the kernel line, sets the root partition of the
system.
initrd
This option points to the initrd file of the system.


SECTION 6 Create Shell Scripts

In this section, you learn about the basic scripting elements and
structures of the shell programing language.

Objectives
1. Use Basic Script Elements
2. Use Variable Substitution Operators
3. Use Control Structures
4. Use Advanced Scripting Techniques
5. Learn About Useful Commands in Shell Scripts


Introduction
The Linux shell can control the system with commands and perform
file operations or start applications. You can also create a file that
includes several shell commands and start this file like an
application.

This type of file is called a shell script. The following are several
reasons why you need to understand and create shell scripts:
■ You can automate many daily tasks with shell scripts. In many
cases this increases speed and convenience in everyday work.
■ The boot procedure and many other system functions are
controlled by shell scripts. To understand and manipulate the
system behavior, you need a basic understanding of shell
programming.
■ Shell programming is relatively easy to learn compared to other
programming languages.
■ A shell script runs on almost every UNIX-like operating system
and does not need to be adapted to other platforms.

There are also some disadvantages to using shell scripts:
■ Shell scripts are rather slow compared with other scripting
languages.
■ Shell scripts can use a lot of CPU power.

However, in most cases these disadvantages are not significant.

As you might have noticed, a Linux system offers different shell
types. Shell scripts that are developed for one shell can sometimes
be executed with a different shell, but this cannot be guaranteed.

For this reason, this section focuses on the Bash shell, which is the
default shell in SLES 9.

As with all programming languages, shell scripting is learned best by
actually writing code.


The exercises in this section include a description of a script that
needs to be written. At the end of the section are the solutions to the
exercises. We recommend attempting to create the script, and then
comparing your script to the solution to understand the scripting
concepts covered.

You can find all these scripts on the 3038 Course CD in the
directory /exercises/section_6. By using these scripts as a template,
you can customize them to meet the needs of your production
environment.

Although shell programming can be difficult at first, it becomes easier
as you use the shell scripting language to automate tasks on your
own system.

Normally, there is not enough time during instructor-led training for
students to complete all scripting exercises.

For classroom instruction, we recommend that students perform selected
exercises that are the most beneficial, then let the students complete the
remainder on their own outside of class.


Objective 1 Use Basic Script Elements

The shell programming language is a powerful and complete
programming language. Before you can start to create scripts, you
need to become familiar with basic scripting techniques and
elements.

In this objective, you learn the basics of the shell programming
language and how to create simple shell scripts. This includes the
following:
■ Create Flow Charts for Scripts
■ Understand the Basic Rules of Shell Scripting
■ Create Scripts That Read User Input
■ Perform Basic Script Operations with Variables
■ Use Command Substitution
■ Use Arithmetic Operations

Create Flow Charts for Scripts

Programming elements of a script are often visualized by using
program flow charts. Illustrating a program through a flow chart
provides the following benefits:
■ They force the author to lay down the steps the script should
perform to achieve the desired goal, making it clearer which
constructs need to be used.
■ They provide a clear symbolic outline of the algorithm, which
can be used as a guide during the programming process.


The following are typical symbols used to create flow charts:

Understand the Basic Rules of Shell Scripting

Before writing your first shell script, you should consider a few
points about scripting in general.

A shell script is basically an ASCII text file containing commands to
be executed in sequence. To allow this, it is important that
permissions for the script file are set to "r" (readable) and "x"
(executable) for the user that runs it.

However, the execute permission is not granted by default to newly
created files. To assign this permission, you need to use a command
such as the following:
chmod +x script.sh


You can also run the script from another shell with a command such
as the following:
sh script.sh

In this example, it is not necessary to make the script executable.
On SLES 9, /bin/sh is a link to /bin/bash. It doesn't really matter
whether you call the script with sh script.sh or bash script.sh.

Another important point is that the directory where the script is
located must actually be in the user's search path for executables.

A good way to deal with this is to create a /bin directory for scripts
under each user's home directory. Then you can add this directory
to the user's search path by adding a line such as the following to
your ~/.bashrc:
export PATH=$PATH:~/bin

Otherwise, shell scripts must be started with the full pathname.

When naming script files, it is a good idea to add an .sh extension to
the filename. This ensures that the file can easily be recognized as a
shell script.

If you do not add the suffix, you need to make sure the filename is
not identical to existing commands. For example, a common
mistake is to name a script test.

The basic structure of a shell script can be illustrated with a simple
program that does nothing more than print the message "Hello
world."


The following is the flow chart for the script:

The script consists of three elements:
■ The program start
■ The action to print out "Hello world"
■ The program stop

The following illustrates the 3 elements with the corresponding
script code on the right:

Before looking closer at each of the 3 elements, you need to
understand that the general rules for creating shell scripts, as
explained in this section, can be applied to any conceivable script.


The following describes the 3 elements of the script:
■ Start. The first line of any shell script must be the shebang
(such as #!/bin/bash). This line specifies the shell program to
be called to execute the script. As with any other program, a
subshell is started to run the script.
The script's start section should also include a comment
describing what the script does. A comment is introduced with a
# character in shell scripts.
It is also a good idea to include the name of the author, the date,
and the version number of the script. Also, any variables and
functions used in the script should be defined at the top of the
script.
■ Commands. The sample script above includes the echo
command as the only one executed (to print the “Hello world”
greeting). Shell scripts in general rely on the echo command as
the most common solution to display information on the screen.
■ Stop. Before the script ends, it might be necessary to do some
cleanup. For example, you might want to remove any temporary
files created by the script.
As the very last step, you should define the script's exit status
with an exit value. This informs the parent process how the
script was terminated. The exit status as returned by the script
can be queried afterward with echo $?.

Every script that you write should use this basic structure.


Exercise 6-1: Produce Output from a Script

Do the following:

1. Write a script that outputs "Hello world." Use the following
command in the script:
echo -e "\aHello\nworld"

2. Find out the purpose of the \a, the \n and the -e options (try
accessing the man pages).

3. Compare your solution with the script at the end of the section.

This script is also available as hello.sh in the directory
/exercises/section_6 on your 3038 Course CD.

(End of Exercise)


Develop Scripts That Read User Input

One way to create scripts that read user input is to use the read
command. The read command takes a variable as an argument and
stores the input it reads in that variable. The variable can then be used
to process the user input.

The following example reads user input into the variable with the
name VARIABLE:
read VARIABLE

The script pauses at this point, waiting for user input until the Enter
key is pressed. To tell the user to enter something, you need to print
(echo) a line with some information, such as the following:
echo "Please enter a value for the variable:"
read VARIABLE

The following flow chart illustrates the structure of a script that
reads user input:

First, the script produces some output with echo to ask the user to
enter something. Then the read command waits until the input is
provided and stores it in the variable VARIABLE. At the end, the
content of the variable is printed out with echo.


Exercise 6-2: Read User Input

Do the following:

1. Create a simple shell script that prompts the user to enter her
first and last name, and then greets the user with her full name.

2. Compare your solution with the script at the end of the section.

This script is also available as name1.sh in the directory
/exercises/section_6 on your 3038 Course CD.

(End of Exercise)


Perform Basic Script Operations with Variables

In this part of the section, you learn how to use variables in shell
scripts.

The following flowchart and script show how a string value can be
assigned to a variable:

You want to read the user's first and last name and then print both
names to the screen. However, this time you create a variable called
NAME, which holds both the first and the last name.


The following is an interesting line in the script:
NAME="$FIRSTNAME $LASTNAME"

This line shows how you can combine two variables, in this case,
FIRSTNAME and LASTNAME, and assign the combined value to
another variable, in this case, NAME.

In this example, you can also see another rule of the variable
handling in shell scripts. If you assign a value to a variable, you use
just the name of the variable, in this case, NAME=.

If you want to use the value of a variable, put a $ before the name,
in this case, $FIRSTNAME.

It is often useful to assign a default value to a variable. This might
prevent errors, if the user has entered a value that cannot be
interpreted in a meaningful way.

If the variable FIRSTNAME is empty, the default value FLORIAN
is used instead, as in the following:
NAME=${FIRSTNAME:="FLORIAN"}


Exercise 6-3: Simple Operations with Variables

Do the following:

1. Modify your script from Exercise 6-2 so that it reads the user's
first and last name, combines both in one variable, and outputs
the variable.

2. Compare your solution with the script at the end of the section.

This script is also available as name2.sh in the directory
/exercises/section_6 on your 3038 Course CD.

(End of Exercise)


Use Command Substitution

The term command substitution basically means that the output of a
command is used in a shell command line or a shell script.

In the following example, the output of the command date is used to
generate the output of the current date.
#!/bin/bash

echo "Today is `date +%m/%d/%Y`"

An important thing to remember is that the command date +%m/%d/%Y
is included in backticks (` ... `).

Instead of printing the output of a command to the screen with echo,
it can also be assigned to a variable, as in the following:
#!/bin/bash

TODAY=`date +%m/%d/%Y`
echo "Today is $TODAY"

In this case, the output of date is assigned to the variable TODAY,
and then TODAY is printed to the screen with echo. Make sure that
there are no spaces before or after the equal sign.


Exercise 6-4: Use Command Substitution

Do the following:

1. Create a shell script that outputs the current login name and the
current working directory.
The output of the commands whoami and pwd should be read
into variables with the variables printed to the screen.

2. Compare your solution with the script at the end of the section.

This script is also available as info.sh in the directory
/exercises/section_6 on your 3038 Course CD.

(End of Exercise)


Use Arithmetic Operations

Shell scripts often use values assigned to variables for calculation.
There are several ways to implement this.

The Bourne shell is limited in this regard, but it can perform such
operations by relying on external commands (such as expr).

The Bash shell comes with built-in support for arithmetic
operations, but there are some limitations to this as well.
Specifically, the arithmetic capabilities of Bash are limited in the
following ways:
■ Only operations with whole numbers (integers) can be
performed.
■ All values are signed 64-bit values. Thus, possible values range
from -2^63 to +2^63-1.

So even when using Bash, you might need to use external
commands, such as bc for floating-point calculations.

The following paragraphs list all the possible methods and formats
for arithmetic operations. All of them use this sample operation:
A=B+10

■ Use the external command expr (Bourne shell compatible)
A=`expr $B + 10`

Since an external command is used, this method will also work
with the Bourne shell. Scripts using external commands will
always perform slower than those relying on built-in
commands.
■ Use the Bash built-in command let
let A="$B + 10"

In Bash, you can use the let command to perform an arithmetic
expression.


■ Use arithmetic expressions inside parentheses or brackets
(two different formats)
A=$((B + 10))

A=$[B + 10]

Arithmetic expressions can be enclosed in double parentheses
or in brackets for expansion by Bash. Both $((. . .)) and $[. . .]
are possible, but the latter is considered deprecated and should
be avoided.
■ Use the built-in command declare
declare -i A
declare -i B
A=B+10

This declares a variable as an integer.

If all the variables involved in a calculation have previously
been declared as integers through declare -i, arithmetic
evaluation of these variables happens automatically when a
value is assigned to them.
This means that the variable B, for instance, does not have to be
prefixed with the $ to be evaluated.

With the expr command, only the following five operators are
available: + , - , * , / , and %. Additional operators (which are
identical to those of the C programming language) can be used with
all of the above Bash formats.

For a complete list, consult the man page for bash.

It makes sense to limit yourself to using one of the described
possibilities. As far as Bash is concerned, a good choice might be to
only use the declare command, since it makes the best use of the
available features.


Exercise 6-5: Use Arithmetic Operations

Do the following:

1. Review the following flowchart:

2. Write a shell script that reflects the above flowchart.

3. Modify the script to use the other fundamental arithmetic
operations (subtraction, multiplication, division).

4. Find out what happens if
■ The user enters a word for each number.
■ The user enters nothing (presses Enter) at each prompt.

5. Compare your solution with the script at the end of the section.

This script is also available as sum.sh in the directory
/exercises/section_6 on your 3038 Course CD.

(End of Exercise)
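The four arithmetic forms described above, and the failure cases Exercise 6-5 asks about (a word or an empty answer instead of a number), as an added example that is not part of the course material; the function names is_integer, add_expr, add_posix, add_let, add_declare and sum_checked are invented here:

```shell
#!/bin/bash
# Added example, not from the 3038 Course CD: the four arithmetic forms
# described in the text, each in its own function, plus the input check
# that Exercise 6-5 asks about (what if the user types a word, or nothing?).

# is_integer WORD: status 0 if WORD is an optionally signed whole number,
# 1 otherwise. A case pattern never evaluates the input, so a word such
# as "twelve" or an empty answer is rejected instead of becoming 0 or an
# error inside $(( )). Note that the shell reads a leading 0 as octal.
is_integer() {
    case "$1" in
        ''|-|+|*[!0-9+-]*|*?[+-]*) return 1 ;;  # empty, lone sign, non-digit, sign inside
        *) return 0 ;;
    esac
}

# add_expr B: A=B+10 with the external expr command (Bourne shell compatible)
add_expr() {
    A=`expr "$1" + 10`
    echo "$A"
}

# add_posix B: A=B+10 with $(( )) expansion (POSIX sh and Bash)
add_posix() {
    A=$(($1 + 10))
    echo "$A"
}

# add_let B: A=B+10 with the Bash built-in let
add_let() {
    B=$1
    let A="$B + 10"
    echo "$A"
}

# add_declare B: with declare -i the assignment is evaluated arithmetically
# and B needs no $ prefix; declare inside a function makes A and B local.
add_declare() {
    declare -i A B
    B=$1
    A=B+10
    echo "$A"
}

# sum_checked X Y: the sum.sh idea with validation. Prints X+Y and returns
# 0, or prints a message to stderr and returns 2 when an operand is
# missing or is not a whole number.
sum_checked() {
    for n in "$1" "$2"; do
        if ! is_integer "$n"; then
            echo "sum_checked: '$n' is not a whole number" >&2
            return 2
        fi
    done
    echo $(($1 + $2))
}

# Demo with constructed values instead of read, so the script also runs
# unattended. let and declare are Bash-only, hence the guard.
echo "expr:    $(add_expr 5)"
echo "\$(( )):  $(add_posix 5)"
if [ -n "$BASH_VERSION" ]; then
    echo "let:     $(add_let 5)"
    echo "declare: $(add_declare 5)"
    echo "signed 64-bit wrap-around: $((9223372036854775807 + 1))"
fi
sum_checked 12 30
sum_checked twelve 30 || echo "rejected with status $?"
```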


Objective 2 Use Variable Substitution Operators

In Bash, you can use special variable substitution operators to
assign different values to variables without having to rely on
external commands.

For example, these special substitution operators allow changing
variables by deleting certain patterns in their values and returning
the rest.

They also allow you to set a default for a variable for situations
where no value can be assigned to it.

The following variable substitutions are possible:

Substitution Operator   Description

${variable-value}       Returns value if the variable does not exist.
${variable=value}       Assigns value to the variable and returns value if the variable does not exist.
${variable+value}       Returns value if the variable exists.
${#variable}            Returns the number of characters in the value of variable.
${variable#pattern}     Deletes the shortest part matched by pattern from the beginning of the variable's value and returns the rest.
${variable##pattern}    Deletes the longest part matched by pattern from the beginning of the variable's value and returns the rest.
${variable%pattern}     Deletes the shortest part matched by pattern from the end of the variable's value and returns the rest.
${variable%%pattern}    Deletes the longest part matched by pattern from the end of the variable's value and returns the rest.

The substitution operators returning or setting a default value (-, =,
and +) can also be prefixed with a colon so that substitution
happens if the variable does not exist or if it exists but has a null
value (is empty).

The following are some examples of how to use the substitution
operators:
tux@DA1:~> echo $VAR

tux@DA1:~> echo ${VAR-value}
value
tux@DA1:~> echo $VAR

tux@DA1:~> echo ${VAR=value}
value
tux@DA1:~> echo $VAR
value
tux@DA1:~> VAR=
tux@DA1:~> echo ${VAR=value}

tux@DA1:~> echo ${VAR:=value}
value
tux@DA1:~> echo $VAR
value
tux@DA1:~> echo ${VAR+VaLue}
VaLue


Exercise 6-6: Use Variable Substitution

Do the following:

1. Write a script that asks the user for a filename, and then
performs a search for that filename using the command find.
Use a variable substitution to assign a default value for the
filename (such as *.bak) in case the user enters nothing.

2. Compare your solution with the script at the end of the section.

This script is also available as find.sh in the directory
/exercises/section_6 on your 3038 Course CD.

(End of Exercise)
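The operators from the table above, the colon forms, and the default value Exercise 6-6 calls for, as an added example that is not from the course CD; the function names path_parts, strip_year, count_chars, colon_demo and pattern_or_default are invented here:

```shell
#!/bin/bash
# Added example, not from the 3038 Course CD: the operators from the
# table applied to a path and to a date string, the unset/empty
# distinction of the colon forms, and the default that Exercise 6-6 needs.

# path_parts PATH: prints "dir|file|base|ext", split with the # ## % %%
# operators only (no external dirname/basename calls).
path_parts() {
    p=$1
    dir=${p%/*}                      # shortest '/*' suffix removed -> directory
    [ "$dir" = "$p" ] && dir=.       # no slash at all: nothing was removed
    file=${p##*/}                    # longest '*/' prefix removed -> file name
    base=${file%.*}                  # shortest '.*' suffix removed -> name
    ext=${file##*.}                  # longest '*.' prefix removed -> last extension
    [ "$ext" = "$file" ] && ext=''   # no dot at all: no extension
    printf '%s|%s|%s|%s\n' "$dir" "$file" "$base" "$ext"
}

# strip_year DATE: YYYY-MM-DD -> MM-DD, the trick the birthday script in
# Objective 3 relies on: the shortest match of '*-' is the year and its dash.
strip_year() {
    echo "${1#*-}"
}

# count_chars STRING: ${#variable} gives the length in characters.
count_chars() {
    s=$1
    echo "${#s}"
}

# colon_demo STATE: STATE is unset, empty or set. Prints what ${VAR-dflt}
# and ${VAR:-dflt} return in that state, separated by a slash. Only the
# colon form treats an empty variable like a missing one.
colon_demo() {
    unset VAR
    case $1 in
        empty) VAR= ;;
        set)   VAR=real ;;
    esac
    echo "${VAR-dflt}/${VAR:-dflt}"
}

# pattern_or_default ANSWER: what Exercise 6-6 needs. An empty answer from
# read falls back to *.bak. Keep the result quoted when passing it on
# (find . -name "$PATTERN"); unquoted, the shell expands the glob in the
# current directory before find ever sees it.
pattern_or_default() {
    echo "${1:-*.bak}"
}

# Demo with constructed values
path_parts /var/log/backup.tar.gz
path_parts README
strip_year 1978-06-21
count_chars "Hello world"
for state in unset empty set; do
    echo "$state: $(colon_demo $state)"
done
pattern_or_default ""
pattern_or_default "*.log"
```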


Objective 3 Use Control Structures

Using the scripting techniques you have learned so far, you can only
develop scripts that run sequentially from the beginning to the end.

In this objective, you learn how to use control structures to make the
execution of parts of your script dependent on certain conditions or
to repeat script parts.

To use control structures, you need to know how to do the
following:
■ Create Basic Branches With the if Command
■ Build Multiple Branches With the case Command
■ Create Loops Using the while and until Commands
■ Process Lists With the for Command
■ Interrupt Loop Processing

Create Basic Branches With the if Command

You can use the if command to perform certain actions in your
script that depend on a condition.

The following is the basic usage of the if command:
if condition
then
commands
fi

The if statement can be extended with an optional else statement, as
in the following:
if condition
then
command1
else
command2
fi


In a program flow chart, a branch created with an if statement can
be represented like the following:

A branch of this type must begin with if and end with fi. Command1
is only executed if the condition is true.

If the return code of a command is used as condition, the exit code
zero (success) represents true. If the exit status is not zero or the
condition is not true, the shell goes to the end of the branch or, if an
else statement is present, to the else statement.

When you use these control structures in a shell script, individual
commands (such as if, then, and fi) must follow immediately after a
command separator.

In the above case, the separator is a new line. The separator could
also be a semicolon, which would allow you to enter the same if
statement as one command, as in the following:
if condition; then commands; fi


The following example uses a sample script to explain how an if
branch works:

This script asks the user to enter his date of birth; if that happens to
be today, the script congratulates him on his birthday. It does
nothing if his birthday is another day.

There are a number of items to consider when writing this script.
From the flow chart, it should be obvious that the script consists of
2 basic steps:
■ Prompt the user to enter the date of birth.
■ Compare the date as entered by the user with the current date. If
the dates are the same, the user sees “congratulations.” If they
are not equal, nothing appears.

The branch is the actual mechanism that compares the current date
and the date of birth.


Before the comparison can be performed, both dates must be
available in the same format. The user should be asked to specify
the date of birth in a suitable format.

You need to know the format in which the system obtains the
current date. The obvious choice to get a date string is with the
command date.

The command date +%m-%d returns the current date in the form
month-day, as in the following:
date +%m-%d
06-21

This format should also be used for the birth date the user is
requested to enter:
echo "Please enter your date of birth (YYYY-MM-DD, for instance 1978-06-21): "
read BIRTHDAY

The second part of the listing consists of several items. To check if
the user's birthday is today, 2 dates must be compared: the birthday
and the current date.

The user's birthday is stored in the variable BIRTHDAY. The
current date must also be stored in a variable for the comparison.
This can be done using command substitution, as in the following:
TODAY=`date +%m-%d`

A closer examination of the comparison reveals that the values in
the variables cannot be compared with each other (BIRTHDAY:
1973-12-21, TODAY: 09-24). Therefore, the dates must be
compared without the year.

To do this, the variable substitutions of the Bash shell can be used to
truncate the year from the date. The first part of the script should
look like the following:
#!/bin/bash
echo "Please enter your date of birth (YYYY-MM-DD, for instance 1978-06-21): "
read BIRTHDAY
BIRTHDAY=${BIRTHDAY#*-}
TODAY=`date +%m-%d`


Now you can compare the two values with the help of an if branch.
Most variables are compared using the test command. The test
command is followed by a string condition such as
test $VARIABLE1 = $VARIABLE2.

If the condition is met (if the value of VARIABLE1 is identical to
the value of VARIABLE2), test returns a zero to indicate success.

So the second part of the shell script could look like this:
if test "$BIRTHDAY" = "$TODAY"
then
echo "Tada! Happy birthday to you! Nice presents awaiting you ..."
else
echo "Sorry to disappoint you, no presents today ..."
fi
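The same comparison as a function that checks the user's input before using it and returns a distinct exit status for each outcome, added here as an example and not part of the course script; the function name is_birthday and its --ask switch are assumptions of this example:

```shell
#!/bin/bash
# Added example, not from the 3038 Course CD: the birthday comparison
# from the text as a function. Two things the listing leaves open are
# handled here: the input is checked before the year is stripped, and the
# exit status tells the caller which of three outcomes occurred.

# is_birthday BIRTHDAY [TODAY]: BIRTHDAY is YYYY-MM-DD as typed by the
# user; TODAY is MM-DD and defaults to the current date. Returns 0 on a
# birthday, 1 otherwise, and 2 when BIRTHDAY does not look like a date.
is_birthday() {
    birthday=$1
    today=${2:-$(date +%m-%d)}
    case $birthday in
        [0-9][0-9][0-9][0-9]-[0-1][0-9]-[0-3][0-9]) ;;   # plausible YYYY-MM-DD
        *) echo "is_birthday: expected YYYY-MM-DD, got '$birthday'" >&2
           return 2 ;;
    esac
    birthday=${birthday#*-}         # drop the year: 1978-06-21 -> 06-21
    test "$birthday" = "$today"     # the exit status of test is the result
}

# Interactive use as in the course script; only runs when called with
# --ask so that the file can also be sourced or run unattended.
if [ "$1" = "--ask" ]; then
    echo "Please enter your date of birth (YYYY-MM-DD, for instance 1978-06-21): "
    read BIRTHDAY
    is_birthday "$BIRTHDAY"
    status=$?
    case $status in
        0) echo "Tada! Happy birthday to you! Nice presents awaiting you ..." ;;
        1) echo "Sorry to disappoint you, no presents today ..." ;;
    esac
    exit $status     # the parent can query it afterwards with echo $?
fi
```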

Finally, you want the script to use the exit command to finish with a
certain exit status, which depends on whether today is the user