Doing IT With Linux

Starting Xorg from runlevel 3 as a regular user in openSuSE 11.4

2011-08-30T17:29:00.019-05:00

Recently I had the opportunity to play with SuSE Studio by creating a minimal X virtual machine. My choice of runlevel was 3. As such, I tried logging in to my desktop as a regular user. I kept receiving Xorg errors that hinted at changing Xorg to suid or adjust my permissions dot local file. After conducting some tests to try to understand what I wasn't doing properly and with unsuccessful results, I did some research.

The suid bit means to execute some file as the owner of that file.
I came across a nice article that helped me to understand how to use the suid bit. This says if the suid is going to applied, add the number 4 in front of the rest of the file permissions.

For example: "/usr/bin/Xorg" has a file permission of 755. Add the 4 in front of 755 to show as 4755. The suid has now been applied. The command would be: chmod 4755

Starting Xorg from runlevel 3 as a regular user is now possible.

I welcome any and all helpful ideas, questions, comments and suggestions.

--GeS

The Power of Social Networking

2009-07-03T05:26:00.058-05:00

Do you want to know somethings about a person? Do you want to learn about an individual's intimate details? Do you desire to understand you target's patterns?

Then continue to read...

Social networking (SN) websites are great places to make new friends that share similar interests. It is also a great place to get some ideas. Additionally, the fact that is is possible to be involved in various networks with others from all over the globe is an amazing feat in itself.

However, a much darker side of social networking exists...

The type of information that can be collected from these types of networks can range from the most basic information to the most detailed. For example, email addresses, phone numbers, resident location(s), work related details, family members and leisure activities. These examples can continue to make a rather long lists from just one member.

EXERCISE ONE

For those of you that play social networking games, such as, Mafia Wars by Zynga, typically require at some point to have, at most, 501 members to effectively play the game. Choose a member's profile page and gather as much information from what the individual has chose to share with the world and develop your own interpretation. The interpretation is either assumed or may contain a degree of accuracy.

-- End Exercise --

PHOTOS

Some profiles have become quite complacent over a period of time. Pictures can tell what an individual's interests are. Photos that are uploaded to these (SN) sites can be configured to show names, places, events and other significant information for anyone to obtain.

GENERAL INFORMATION

Some individuals choose to have their email address and phone numbers displayed as general information. Some have specific networks that they are a part of. For example, on Facebook, a network might suggest the city and state of an individual's residence, a place that their leisure time is spent or some other significant reason.

Profile the individual's profile...Get a feel of their personality, interests, hobbies, (extra) curricular activities and other variables...In essence, when profiling...become one with the profile (for information gathering purposes). This might look and/or sound silly, but target information leads to other information that could be advantageous.

APPLICATIONS

The reasons for social applications is to bring people to a higher plain that suggests communication with others on different levels. Some applications do this very well, while other applications might take a different approach, they are just as effective in their own way. These applications could suggest an individual's thoughts, desires and/or particular problems that they might be facing at the moment.

WALLS

The Wall, if not maintained, is the window through which gives all the information to a "would be" attacker. For example, the Wall holds all records of events that an individual conducts...when and whom friendships occur, the groups and/or pages that individuals are interested and really the list can continue on...

CONCLUSION

In conclusion, the information on these profiles are publicly available. Anyone can obtain this information which could be used in various ways against a member of the social networking community. Individuals are not the only victims that are vulnerable to this type of an attack, organizations can become vulnerable as well.

Attempt to secure your information that you choose to share with the world. If you don't know how, find someone that may be able to help you privatize you information.

We welcome any and all helpful ideas, questions, comments and suggestions.

--GeS

We Never Left

2009-01-26T05:47:00.013-06:00

After a long, anticipated and eventful think tank session, (vacation, leave of absence), call it what you will, the Doing IT With Linux Team has come back with a modified agenda. Our agenda will still include Linux network Solutions, but with added instances in business related networking, sharing and above all Network and System Security. Additionally, We value the knowledge and ideas from the community. So, if you feel like sharing your experiences, please, feel free to contact us at: info at doingitwithlinux dot com.

We welcome any and all helpful ideas, questions, comments and suggestions.

--GeS

SSH Collaboration Using Screen

2008-08-13T15:30:00.001-05:00

INTRODUCTION

Instances arise with in an organization that require remote collaboration. With the use of SSH (Secure SHell) and a neat little program called screen, loss of productivity can be minimized.

SCENARIO

Bob and Joe work in the same building. However, Bob is on the 48th floor logged into 'computer-a' and Joe is on the 42nd floor logged into 'computer-c'. Bob phones Joe with a software problem that requires immediate attention. Instead of Joe walking 5 miles to get to the 48th floor to do some magic, Joe shells into Bob's computer and uses screen to show Bob how fix the problem.

SOLUTION

NOTE: In order for this to work, both parties must be logged in as the same user.

Joe uses SSH to tunnel into Bob's computer:

ssh computer-a

NOTE: In order to ssh or shell into a computer using a host name rather than ip address on the same network or subnet, the /etc/hosts file must be configured. To do this, in terminal as root, type either vi /etc/hosts or gedit /etc/hosts. At the bottom of the file it reads:

127.0.0.2 computer-c.site computer-c

On the next line, enter the ip address of computer-a and the host name. For example:

192.168.1.12 computer-a.site computer-a

Once logged into computer-a via ssh, initiate a screen session by typing:

screen -S name-of-session

The program, screen is a virtual terminal manager. The -S option means the particular title of the session. It could be any name that is desired. In place of the name-of-session, give it some generic name.

Going back to the scenario, Joe instructs Bob to type:

screen -x name-of-session

The -x option means to attach to an existing screen session.

This will create a joined terminal session. This means that whatever is typed, both parties can see what is going on. In the scenario, Joe can actually show Bob how to fix the software problem without being physically at Bob's computer.
To detach the session to only return to at a later time, press the Ctrl+A+D keys at the same time. To return to the same session, retype the command in the terminal, screen -x name-of-session.

OTHER NON-WORK RELATED USES

If Joe wanted to talk with Ginger over at HR with out leaving his desk, Joe would initiate the same type of session with Ginger. Instead of seeing 'bash: hello: command not found' error every time a non-command is entered, just type:

cat > chat

This way, Joe and Ginger can yap it up, during their lunch break. Just remember to hit Ctrl + C when finished.

CONCLUSION

In this document, ssh has been used along with screen to initiate collaboration with another user on the network.

THANKS

This particular SSH tip came from Vallard Benincosa at IBM.

We welcome any and all helpful ideas, questions, comments and suggestions.

--GeS

SLES 10 NFS, HTTP and FTP Installation Server

2008-08-03T11:35:00.003-05:00

INTRODUCTION

Creating a local network based Linux installation server can save both time and bandwidth. Further more, adding an update repository on a local installation server could ensure package availability as well as an increase in productivity. This document will describe the set up of a NFS, HTTP and FTP methods of an installation server. In addition to these methods, the media sources will be in a dot iso (Linux-version.iso) format only.

REMOTE INSTALLATION REQUIREMENTS

Linux distribution (dvd.iso)
A network boot disk for that particular Linux distribution

This document uses Fedora 9 DVD distribution as well as the Fedora 9 network installation disk. Both of which can be retrieved from the Fedora Project. However the network boot disk can also be retrieved from the DVD as well.

INSTALLATION

The server in this example utilizes a 40GB hard drive with 512MB of ram and a cdrom. When installing the SLES 10 Server, 3 partitions were created (swap, root and custom). For example, the swap partition was created with 1024MB space or 1GB, the root partition was created with about a 12GB space and the custom partition, which was named with a /product label and was created with a 25GB space.
The software that was selected was the default selection. In addition to the default selection, include the software packages vsftp and apache2. Proceed with the installation until it is finished and then log into the system, preferably with a regular user name that can perform root functions. For example, the Admin user that was created in the LDAP configuration. Not root.

NFS CONFIGURATION

After the server has been secured by locking out root, it is time for the initial configuration of the NFS server. Begin by opening up a terminal and typing sudo or su - for root privileges. Since a 25GB partition called /product had been created, this is the starting point of the NFS configuration. Navigate to that partition or directory by typing 'cd /product'. Create a directory that is relative to the particular distribution. For example, this document will use the Fedora 9 DVD release. Type 'mkdir fedora9'. The directory that has just been created needs to exported for other hosts on the network to be able to have access to that directory for the NFS remote installation method. Using a text editor, for example vi or gedit, in the terminal, type either 'vi /etc/exports' or 'gedit /etc/exports' to open the exports file. In the file, type the following:

/product/fedora9 *(ro,root_squash,sync)

The "/product/fedora9" directory is the directory that needs to be exported.
* or asterisk symbol means that any and all hosts on the network for purposes of remote installation are allowed to access the "/product/fedora9" directory.
The "ro" means all files on the share to be read-only. This is the default behavior.
root_squash maps the root user to the nobody user. This has the effect of not allowing a root user on a client to gain root file access permissions on the server.
sync ensures data is written to disk before another request is serviced.

Save the file.

To start the NFS server, type in a terminal as root:

service nfsserver start

To have the NFS server start at run levels 3 and 5 or at boot time, type in a terminal as root:

chkconfig -s nfsserver 35
chkconfig -s nfsserver on

NOTE: the " -s " option in the command "chkconfig -s" means the service that is to be started.

FTP CONFIGURATION

In a terminal as root, type:

mkdir /srv/ftp/fedora9

To start the FTP server, type in a terminal as root:

service vsftpd start
chkconfig -s vsftpd 35
chkconfig -s vsftpd on

NOTE: Remember that the 3 and 5 in the "chkconfig -s service 35" are the particular run levels to have the service start at boot time.

HTTP CONFIGURATION

A directory needs to be made in the http directory that will contain the installation files. In a terminal as root, type the following:

mkdir /srv/www/htdocs/fedora9

service apache2 start
chkconfig -s apache2 35
chkconfig -s apache2 on

FIREWALL CONFIGURATION

To have this installation server be successful with regards to security, the firewall needs to be configured for NFS, HTTP and FTP services.
To do this, open YAST > Security and Users > Firewall. Select "Allowed Services" from the column on the left. In the "Allowed Services for Selected Zone" drop down list, ensure "External Zone" is selected. In the "Service to Allow" drop down list, select and add "NFS", "HTTP" and "FTP". Select the "Next" button and "Accept" to finish the configuration.

MOUNTING THE ISO

Mounting the ISO by itself as a loop device allows for the copying of the contents to another directory. This is done so that the remote system has access to the installation files and directories during the installation process. The directories called 'fedora9' have already been created in their prospective paths (FTP, HTTP and NFS). To do this, open a terminal and type as root:

'mount /product/fedora9dvd/*.iso /mnt -o loop'
'cd /mnt'

Verify the contents are in the /mnt directory.

'cp -a * /srv/www/htdocs/fedora9'
'cp -a * /srv/ftp/fedora9'
'cp -a * /product/fedora9'

After the contents have been copied, which might of taken a while, exit out of the /mnt directory and unmount the directory that the ISO is mount to. To do this, type the following in a terminal as root:

'umount /mnt'

Restart the services in relation to which the contents of the ISO have been copied. For example, If the contents of the ISO had been copied to the HTTP directory (/srv/www/htdocs/fedora9), restart apache2. If the contents were copied to either the FTP (/srv/ftp/fedora9) or the exported NFS directory (/product/fedora9) then restart those services by typing in a terminal as root:

'service apache2 reload' or 'service apache2 restart'
'service nfsserver restart'
'service vsftpd restart'

PERFORMING THE INSTALLATION

On the computer that, in this example, Fedora 9, is to be installed, insert the network installation cd.
The network installation cd can either be obtained directly from the Fedora 9 DVD or by downloading it from the index of Fedora releases. The particular network installation cd is called "netins.iso" or from the DVD.iso, copy the "boot.iso" that is located in the images directory, to a computer that can burn images to a cd and burn it.

Boot up the network installation cd. The method of installation depends where the installation files are located. The choices are either NFS or URL in regards to installing via a network.

NFS - refers to a local directory on the local network
URL - refers to a directory that uses a URL, such as "ftp://" or "http://"

NFS METHOD

If the method of a NFS installation will be used, choose the "NFS directory" option. In the next window labeled "Configure TCP/IP" The example in this document uses the manual IPv4 configuration. Use an ip address that is not in use. Next, use the network subnet that the installation server is on. Finally, use the gateway address.

NOTE: Leave the name server field blank. For the purposes of this document, a name server is not used.

The next window is the NFS setup. This field is the IP address of the installation server. The next field is the particular directory the installation files are located (/product/fedora9). After those fields are configured, proceed with the "OK" button.

FTP AND HTTP METHOD

Select the URL method of installation. Input the manual configuration of IPv4. The next window titled "URL Setup" is the field that requires either a HTTP address or a FTP address. For example, if a http or ftp installation is going to take place, all that needs typed is "http://ip.address/fedora9" or "ftp://ip.address/fedora9"

the actual installation over the network is the same as though installation were done directly from the media itself.

NOTE: Some older computers, no matter what has been done, will not be able to perform a remote Linux installation.

UPDATES AND SOFTWARE REPOSITORIES

After the installation has been completed, in this example, Fedora 9, the software and update repositories need to be configured. to do this, the NFS directory which is located on the installation server needs to be mounted. First, as root, created a directory called /f9 on the root partition. Open a terminal and as root type the following:

mkdir /f9

To mount the NFS directory:

mount -t nfs ip.address.of.installation.server:/product/fedora9 /f9

Next, the yum repository configuration files need to be modified. These files tell the system where to look for additional software and updates. The particular files are called "fedora.repo" and "fedora-updates.repo" . They are located in /etc/yum.repos.d directory on Fedora 9. In this example, these files need to be modified to read from the local installation server. After backing up these files, begin by opening a terminal and as root type:

vi /etc/yum.repos.d/fedora.repo

or

gedit /etc/yum.repos.d/fedora.repo

The 5th line down from the top is the line: mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-$releasever&arch=$basearch

Comment this line out by adding a pound or # sign in front of "mirrorlist. It should look like:
#mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-$releasever&arch=$basearch

Directly below this line, add the local software repository: baseurl=file:///f9 and save the file.
NOTE: Remember the "/f9" directory is where the remote NFS installation directory is mounted.

Finally, the the fedora-updates.repo file needs to be modified to receive the updates to the software.
Begin by opening a terminal and as root type:

vi /etc/yum.repos.d/fedora-updates.repo

or

gedit /etc/yum.repos.d/fedora-updates.repo

The 5th line down from the top is the line: mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=updates-released-f$releasever&arch=$basearch

Again, comment this line out by adding a pound or # sign in front of "mirrorlist. It should look like:
#mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=updates-released-f$releasever&arch=$basearch

Directly below this line, add the local software repository: baseurl=file:///f9/Updates/i386 and save the file.

Now, the Fedora 9 installation that has been performed is able to receive additional software and updates from the Network Installation Server.

CONCLUSION

With the use of a local network based Linux installation server, organizations can save both time and bandwidth. Further more, adding an update repository on a local installation server could ensure package availability as well as an increase in productivity
In this document, a Network Installation Server had been created using SLES 10. In addition, HTTP, FTP and NFS methods of installation have been configured and tested and repositories have been added.

ADDITIONAL INFORMATION

Installation Server Setup
A Tour of NFS

We welcome any and all helpful ideas, questions, comments and suggestions.

--GeS

SLES/SuSE Host Name Change

2008-07-11T11:43:00.037-05:00

Changing the host name on either an openSUSE, on a SLES Server or any distribution of Linux can be accomplished by the Command Line Interface (CLI). In addition to the command line, the GUI method for openSUSE and SLES will be discussed.

NOTE: This document is for computers that are not part of an existing Linux domain.

INTRODUCTION

The info pages or the man pages, in the Linux Programmer's Manual, for 'hostname' describe the definitions as well as the commands and their switches or options. The definitions of these commands are as follows:

hostname - will show or set the computer's host name
domainname - shows or sets the computer's NIS/YP domain name
dnsdomainname - shows the computer's DNS domain name
nodename - shows or sets the computer's DECnet node name

NOTE: The definition for the acronym "YP" - Yellow Pages(TM), a registered trademark in the UK of British Telecom plc.
Source: linux-nis.org

COMMAND LINE

The usage for the command 'hostname' is:
hostname name
For example, to set the host name of a computer which already has a host name of computer1, execute the command:
'hostname computer2' or 'hostname -v computer2'
The '-v' in this example means verbose. If the '-v' option is used, the output will look similar to what is below:

computer1~# hostname -v computer2
Setting hostname to `computer2'
computer1~#

Exit out of the terminal and restart the terminal again. The terminal now reads:

computer2~#

However, with the above example, it might not be a global change with in your Linux system.

/etc/HOSTNAME

On an openSUSE system, the '/etc' directory houses a file name "HOSTNAME". By opening this file with an editor, the current host name of the computer is displayed contrasted by the name that was sent to the 'hostname' command. To change the name of the computer, the dns name and have the HOSTNAME file display this change, issue the command as root:

computer1~# dnsdomainname
computer1~# site
computer1~# echo computer2.suse > /etc/HOSTNAME

Either issue the command 'hostname' and issue the command 'dnsdomainname' from a terminal to view the changes, issue the command 'cat /etc/HOSTNAME' or reboot the computer.

CHANGING THE HOST NAME THROUGH YAST

This method is specific to SUSE Linux. Open the YAST control center.
Navigate to Network Services > DNS and Hostname.
The Hostname and Name Server Configuration window appears. Under the Hostname field, change the host name to a desired name and click the finish button.
Reboot the computer.

LDAP HOSTNAME AND DOMAIN NAME CHANGE

Generally, it is not recommended that such a process be executed on a live directory server. If a decision is made to change the host name and/or the domain name of a Linux LDAP machine, it might be easier to completely rebuild the directory service from the start.

CONCLUSION

First, the 'hostname' and related commands have been defined. Next, the host name and domain name name have been changed by issuing the echo command. Finally, an GUI method using YAST has been discussed.

We welcome any and all helpful ideas, questions, comments and suggestions.

--GeS

SLES 9 Basic Security Configuration - Part I

2008-06-22T15:29:00.072-05:00

INTRODUCTION

This segment will explain some basic techniques and configuration to secure the LDAP Server that was created earlier. Security is an ongoing process. It does not stop nor is there a "one setting" solution. The goal to securing our LDAP server is to provide both tight security measures as well as to provide network functionality.

CREATING THE SUDO ACCOUNT

We must create an account to serve as root and to have the privileges to perform the administrative functions. When we created the LDAP server, we also created an 'admin account'. This user account will be configured to be the substitute root or SUDO.
In the /etc directory, open the sudoers configuration file using the vi editor. For example, issue the command from a terminal as root: visudo . In the example below, remove the pound sign from the second 'wheel' entry and save the file. The vi editor must be used in order complete the process.

# Uncomment to allow people in group wheel to run all commands
# %wheel ALL=(ALL) ALL

# Same thing without a password
%wheel ALL=(ALL) NOPASSWD: ALL

To add the user admin to the wheel group, which is the group for root privileges, issue the command as from the terminal as root: usermod -G wheel admin . To verify the the user admin has been added to the wheel group, issue the command in a terminal from the shell as root: groups admin . At that point, the command shows all the groups the user admin belongs to.

LOCKING OUT ROOT

NOTE: Before editing any configuration file, it is good practice to back the particular file that is to be edited.
The first task is to disable 'root' from logging in the machine through the GDM or KDM. For purposes of this document, the GDM configuration is discussed. The GDM configuration is located in '/etc/opt/gnome/gdm' and is titled as gdm.conf. About a third of the way down shows the entry for root as 'AllowRoot=true' change the true statement to false and save the file. I used vi to edit and save the file. Test the configuration by rebooting the machine.

The next task is to lock out all console access that root can use. This file is in the /etc directory and is named securetty. issue the command: cat securetty to see the console and various terminal entries that root is able to use. Backup the file and then issue the command: echo > /etc/securetty . This will erase or blank out the contents of the securetty file to prevent root from logging in the machine using a terminal or console.

Finally, the sshd_config file needs to be edited to provide a more strict ssh environment. In the /etc/ssh directory, open the sshd_config using an editor of choice. For purposes of this document, the default port of 22 will be kept. However, it can easily be changed to a non-standard port for better security. The default protocol version for ssh is version 2 and version 1. In the following description of the sshd_config file example, edit the protocol to read 2 only as below.

#Port 22
Protocol 2
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

In the next example of editing the sshd_config file:

# Authentication:

LoginGraceTime 1m
PermitRootLogin no

Remove the pound signs from the entries as noted above and edit the default ' 'LoginGraceTime' from 2m to 1m. Edit the default PermitRootLogin' from yes to no. Save the file and either restart the sshd service by issuing the command as root, service sshd restart or reboot the machine.

ONLY ALLOW ROOT TO ACCESS CRON

The cron deamon is used to schedule processes. The crontab command is used to create personal crontab entries for users or the root account. To enhance the security of the cron scheduler, establish the cron.deny and cron.allow files to control the use of the crontab. The following commands will establish root as the only user with permissions to add cron jobs. In a terminal as either SUDO or root type:

cd /etc
/bin/rm -f cron.deny at.deny
echo root > cron.allow
echo root > at.allow
/bin/chown root:root cron.allow at.allow
/bin/chmod 400 cron.allow at.allow

SECURITY ON KEY FILES

Certain key files in the /etc directory should not be world readable. Users should not be able to either read these filesnor have access to them. Set ownership and permissions for the /etc/fstab, /etc/passwd, /etc/group and /etc/shadow files. Issue the following commands in a terminal:

/bin/chown root:root /etc/fstab
/bin/chown 644 /etc/fstab
/bin/chown root:root /etc/passwd /etc/shadow /etc/group
/bin/chmod 644 /etc/passwd /etc/group
/bin/chmod 400 /etc/shadow

SUMMARY

In this document, a SUDO account has been established to perform administrative functions of the server. The GDM has been configured to deny root login. All console and terminal access has been removed from root access. The service ssh has been configured to allow only version 2 as well as denying root from directly logging in through ssh. The cron scheduler has been configured to allow only root to access to control the usage of cron tables. Finally, some key file ownership and permissions in the /etc directory have been established.

We welcome any and all helpful ideas, questions, comments and suggestions.

--GeS

SLES 9 - LDAP, NFS and Samba

2008-04-03T10:23:00.135-05:00

The following is a basic LDAP setup using SuSE Linux Enterprise Server 9.

This is the installation of the Lightweight Directory Access Protocol or (LDAP), Network File System or (NFS) and Samba. In short, we will create a Linux domain structure for Linux and Windows clients.
Begin by obtaining SuSE Linux Enterprise Server 9 and the service packs from SLES 9. The LDAP documentation is located at the following website for you convenience: LDAP Setup.

This post assumes that you might have some experience with either SuSE Linux or any other Linux distribution. This outline is specific to SLES 9.

I used a 40 GB hard drive and 512MB RAM. I formatted the swap partition with 1.0GB and the root or '/' took up the rest of the space on the hard drive. I also chose to format the partition as ext3.

Next, I selected all the software, resolve the dependency conflicts and begin the installation. After the software installation completes and the machine reboots itself, type in the root password and move to the network section of the remaining configuration processes.

Set the IP address of the NIC card to static a static IP. Keep the address in the same IP addressing scheme. Next, set the host name and the site DNS.

For the host name, I chose ldap. Choose a domain name, for example, example.com or whatever you like.

The next configuration step is the Certificate Authority. Accept the default CA and click next. At this point, the actual configuration of the ldap server begins.

In the following modules, the following will be configured:

LDAP Server:
LDAP Client
User Settings

LDAP Server

The default source of user authentication in the next module is LDAP. This is how users will be authenticated. Accept the default selection of (LDAP). The next module is the LDAP client configuration.

LDAP Client

In this module, users will be authenticated using OpenLDAP. The default setting in this module are as follows:

The use LDAP radio button is selcted
The LDAP TLS/SSL check box is checked
The Start Automounter check box is unchecked

Accept the default settings in this module. Select the Advanced Configuration button.

In the Advanced Configuration section of the LDAP Client Module, under the User and Group sub-heading, the check boxes that include File Server (home directories are stored here) and Enable LDAP Users to Log In are checked by default. Keep those settings as they are. Under the Access to LDAP Server, the Base DN and the Administrator DN should be automatically set. For example, in the Base DN it should read ou=ldapconfig,dc=your-domain-name, dc=top-level-domain (.com, .net, ....) and in the Administrator DN it should read cn=Administrator,dc=your-domain-name,dc=top-level domain (.com, .net, ...). Deselect the check box that is labeled

Create Default Configuration Objects and click the Configure User Management Settings button.

User Management Settings

Group Configuration:

In the User Management panel, select the new button to begin configuring management settings. Upon selecting the new button, start by selecting the *groupconfiguration radio button. Type in the space provided groupconfiguration and enter. Accept the default settings for the group configuration.

User Configuration:

Select the new button again to configure user management settings. Upon selecting the button, select the new*userconfiguration radio button. Type in the space provided userconfiguration and enter. Edit the suseminuniqueid and the susemaxuniqueid fields from 1000 to 10000. From there, select the configure template button. Under the Default Values for New Objects heading, edit the home directory value to read /users/%uid. At this point, the User Configuration portion of the setup is complete. Click through to finish the installation process.

NOTE: Choose a LDAP user such as Admin to administer the LDAP server. Log in as that user to configure the rest of the server.

NFS Server Configuration

NFS Server:

Begin the NFS Server configuration by going to Yast > Network Services > NFS Server. Choose the radio button start the NFS server and click the next button. In the configuration window, choose the add directory button to export a directory to the other Linux clients. At the beginning of the LDAP setup procedure, a directory called "users" had been created to be the home directory for all LDAP users. This is the directory that needs to be exported. After this particular directory has been added, a new window will automatically appear
that requests which host or hosts can have access to that exported directory. The configuration will read * ro,root_squash,sync. Change the read only (ro) portion to read write (rw). Click the finish button.
In addition to this change, an entry must be provided in the /etc/fstab that reads as follows:

users /users rw,root_squash,sync

Samba Server Configuration

Samba Server:
Begin the Samba Server Configuration module by going to Yast > Network Services > Samba Server.
Under the Start Up tab, choose to enable the services when booting radio button.
Under the Shares tab, edit the entry that is labeled "Enable users". In the next window, edit the users path, which by default is /home, change the path to read /users. Click the OK button.
Under the Identity tab, change the default workgroup or domain name to the name of the domain that has been created. For example, EXAMPLE. Do not include the (.com) or top level domain. In the NetBIOS Host Name section, enter the name of the computer or host. For example, ldap, as mentioned previously. Select User Authentication Sources in the Advanced Settings drop down button.
User Authentication Sources:
Select the Add button > select the LDAP radio buton > the select Add to add LDAP to the list. Move the LDAP entry to the top of the list. The reason is that users will primarily log on as a LDAP user. After the entry is listed, select the OK button. Select LDAP Settings in the Advanced Settings drop down button. Set the Administration Password which is usually the root password. Click through to finish the Samba Server set up.

Creating Users and Groups

Groups:
Add users and groups by going to Yast > Security and Users > Edit and Create Users. First, the LDAP password will be required to add, edit and/or remove groups and users. Upon entering the LDAP password, select the groups radio button located at the top of the window. Near the bottom is the filter drop down button. Select LDAP Groups and begin adding some groups. I chose to leave the password field for the group I had just created - blank.
Click Next and add that group to Manage Samba Group Parameters. Click next until returned to the User and Group Administration window. Repeat the same procedure for each group added.

Users:

Filter the users by LDAP and create the user. After the name and password have been created, select the Details button to add that user to some groups. Notice the groups that have been recently created. Add the newly created user to some of the LDAP groups and click the Next button.
In the next window, Additional User Settings, highlight the Edit Remaining Attributes of LDAP User and click the Launch button. After editing some fields, click Next, which will take you back to the previous window.
Highlight the Edit Samba Account Parameters, click the Add or Remove Plugin button. When it is added, a check mark will appear next to the setting. Click the Launch button for additional configuration fields.
Samba Attributes: Edit the home drive field by deselecting the Use Default Values check box. Edit the home drive field by selecting a drive letter that is not in use by the Windows Operating System, such as: U: or Z: or whatever drive letter that you choose. Edit the home path field. The naming convention is \\netbios-name\user . As mentioned earlier, the name of the LDAP server is ldap. The home path in the Samba Attributes would be \\ldap\user (the user name of the user account).
Click next and until finished.

Server Summary: So far, the LDAP server has be installed and configured, a NFS server has been configured to accept clients and a Samba server has been configured. LDAP groups and users have been created and configured with Samba.
Next, the configuration of the Linux and Windows clients.

Linux Client

In Suse 10.2, go to the Yast control panel. Yast > Network Services > LDAP Client. In the LDAP Client Configuration window, Configure the following:

User Authentication: select the use LDAP radio button.
Address of LDAP Server: Type in the IP address of the physical server.
LDAP Base DN: dc=example,dc=com

Ensure the LDAP TLS/SSL and the Start Automounter check boxes are checked. Select the Finish button to finalize the LDAP client configuration.

NFS Client

Open the NFS Client Configuration module. Yast > Network Services > NFS Client. In the NFS Client Configuration window, configure the following:
Select the Add button to add the NFS server. In the server configuration window, add the server's static IP address. In this outline, we decided to use the directory /users. In the remote file system and the local mount point, add /users. The options field, is kept as defaults. After the ok button is selected and in the main configuration window, check the box that states Open Port in Firewall. Click finish.

After the configuration is finished, the NFS share ought to be made available. The Admin user credentials that had been created earlier in this outline can be used to log in the NFS share when a dialog prompts for a user name and password.

Now the Linux client configuration is completed.

Windows Client

Using Windows XP, right click on the "My Computer" icon or from the start menu or Desktop, right click "My Computer" and select properties. In the System Properties window, select the Computer Name tab. To rename the computer or join a domain, click the change button. Select the "Domain" radio button. Type in the domain name. For example, in ldap.example.com, the domain name is example.com. The domain name, example would need to be typed in the domain name field, not "example.com" and click OK. A window will appear that will prompt for the user name and password of the authorized user to allow the client to join the name. This will be the root user name and root's password. After clicking the OK button, wait a few seconds and an dialog box will appear that welcomes the client to the domain. At that point, the computer needs rebooted. Log in with your Windows client user name and password and select the domain that the client is logging on to.

ADDENDUM

Now, the burning question that is in every heart and soul of the world's citizens:
Q: How can I install an application on the Linux LDAP to save space on my Windows machine?
A: Map the network drive. To do this, using Windows XP Professional, right click my computer and select 'Map Network Drive'. Next, Select the drive by browsing to the specific user directory on the Linux LDAP machine. A dialog will appear that prompts for the Linux LDAP's root's user name and password.
The application that is to be installed on this new mapped drive will need to be pointed to the mapped drive during the application's installation process.

Summary

In this outline, a Linux domain using Suse Linux Enterprise Server 9 Service Pack 4 has been configured. Users and groups were established. Client and server connectivity has been accomplished as well as central management for Linux clients.

(notes on) Central Management

Linux central management can be conducted with the use of a program called Kiosk Admin Tool. Log on as admin from the client machine. Start the Kiosk Admin Tool and start configuring the Linux users.

Unfortunately, central management for Windows clients through a Linux domain is complex and difficult. That was my experience. By default, Windows clients will not be able to perform any administrative functions or use programs that require administrative rights while logged on a Linux domain. I am not aware of how to accomplish such a task.

We welcome any and all helpful ideas, questions, comments and suggestions.

--GeS

We Have A New Domain

2008-03-22T18:34:00.010-05:00

Doing IT With Linux is proud to announce that we have obtained a domain name. We are now located at blog.doingitwithlinux.com .
What this means for us is that we can expand our operations in a more efficient manner. What this means for you is that you can get more information, more ideas and more know how for your Linux infrastructure and your Linux projects.
We will be redesigning the website as well as re-categorizing the information for easier reference with-in the days to come.
Thanks to everyone that has helped in the progress and the future of Doing IT With Linux.

----
Doing IT With Linux Team