
SUSE Linux Enterprise Desktop 11

Administration Manual
Course 3104

Novell Training Services

www.novell.com

AUTHORIZED COURSEWARE

Novell, Inc. Copyright 2009-CNI USE ONLY. 1 HARDCOPY ALLOWED-NO OTHER PRINTING OR DISTRIBUTION ALLOWED

Legal Notices
Novell, Inc., makes no representations or warranties with respect to the contents
or use of this documentation, and specifically disclaims any express or implied
warranties of merchantability or fitness for any particular purpose. Further,
Novell, Inc., reserves the right to revise this publication and to make changes to
its content, at any time, without obligation to notify any person or entity of such
revisions or changes.
Further, Novell, Inc., makes no representations or warranties with respect to any
software, and specifically disclaims any express or implied warranties of
merchantability or fitness for any particular purpose. Further, Novell, Inc.,
reserves the right to make changes to any and all parts of Novell software, at any
time, without any obligation to notify any person or entity of such changes.
Any products or technical information provided under this Agreement may be
subject to U.S. export controls and the trade laws of other countries. You agree to
comply with all export control regulations and to obtain any required licenses or
classification to export, re-export or import deliverables. You agree not to export
or re-export to entities on the current U.S. export exclusion lists or to any
embargoed or terrorist countries as specified in the U.S. export laws. You agree
to not use deliverables for prohibited nuclear, missile, or chemical biological
weaponry end uses. See the Novell International Trade Services Web page
(http://www.novell.com/info/exports/) for more information on exporting Novell
software. Novell assumes no responsibility for your failure to obtain any
necessary export approvals.
Copyright 2009 Novell, Inc. All rights reserved. No part of this publication
may be reproduced, photocopied, stored on a retrieval system, or transmitted
without the express written consent of the publisher.
Novell, Inc., has intellectual property rights relating to technology embodied in
the product that is described in this document. In particular, and without
limitation, these intellectual property rights may include one or more of the U.S.
patents listed on the Novell Legal Patents Web page
(http://www.novell.com/company/legal/patents/) and one or more additional
patents or pending patent applications in the U.S. and in other countries.
Novell, Inc.
404 Wyman Street, Suite 500
Waltham, MA 02451
U.S.A.
www.novell.com
Online Documentation: To access the latest online documentation for
this and other Novell products, see the Novell Documentation Web
page (http://www.novell.com/documentation).

Novell Trademarks
For Novell trademarks, see the Novell Trademark and Service Mark list
(http://www.novell.com/company/legal/trademarks/tmlist.html).

Third-Party Materials
All third-party trademarks are the property of their respective owners.


Contents

Introduction . . . 9
    Student Kit Deliverables . . . 9
    Course Design . . . 10
        Course Objectives . . . 10
        Course Audience . . . 10
        Certification and Prerequisites . . . 11
        Classroom Agenda . . . 11
        Course Setup . . . 12
    Exercise Guidelines . . . 12
        VMware Virtualization and the Exercises . . . 13
        Exercise Conventions . . . 13
        Workbook . . . 14
    Course Feedback . . . 14

SECTION 1  Customize the Graphical Interface on SUSE Linux Enterprise Desktop 11 . . . 15
    Objective 1  Configure X, Xgl, and Compiz . . . 16
        Configure X . . . 17
        Activate Compiz . . . 20
        Exercise 1-1  Activate Compiz . . . 23
    Objective 2  Customize the GNOME User Interface . . . 24
        User-Defined Settings . . . 24
        Default Values . . . 26
        Exercise 1-2  Customize the GNOME User Interface . . . 29
    Objective 3  Customize Applications . . . 30
        OpenOffice.org 3.0 . . . 30
        Firefox . . . 32
        Exercise 1-3  Customize Applications . . . 35
    Summary . . . 36

SECTION 2  Lock Down the SLE Desktop . . . 37
    Objective 1  Control Mounting of CD-ROM, DVD, and USB Devices . . . 38
        Exercise 2-1  Control Mounting of CD-ROM, DVD, and USB Devices . . . 42
    Objective 2  Define Mandatory Settings with GConf and Desktop Profiles . . . 43
        gconf-editor . . . 43
        gconftool-2 . . . 45
        Exercise 2-2  Set Mandatory Values for Preferences . . . 46
    Objective 3  Use PolicyKit to Configure Application Policies . . . 47
        Understand the PolicyKit Architecture . . . 47
        Use the Authorization Dialog . . . 48
        Manage Authorizations at the Command Line . . . 52
        Exercise 2-3  Use PolicyKit to Configure Application Policies . . . 57
    Objective 4  Use File System Encryption . . . 58
        Using YaST Partitioner to Encrypt a Partition . . . 58
        Mount an Encrypted File System . . . 61
        Encrypt a Partition Manually . . . 63
        Exercise 2-4  Use File System Encryption . . . 65
    Summary . . . 66

SECTION 3  Use the NetworkManager to Configure the Network . . . 69
    Objective 1  Understand NetworkManager Basics . . . 70
    Objective 2  Access Wired Networks . . . 73
        Connect to Wired Network . . . 74
        Specify Connection Details . . . 74
        Exercise 3-1  Access Wired Networks . . . 78
    Objective 3  Access Wireless Networks . . . 79
        Connect to a Wireless Network . . . 79
        Configure Your Wireless Card as an Access Point . . . 81
    Objective 4  Configure VPN . . . 83
        Exercise 3-2  Connect to a VPN Server . . . 86
    Objective 5  Configure Mobile Broadband Connections . . . 87
        Configure GSM . . . 87
        Configure CDMA . . . 89
    Objective 6  Configure DSL . . . 91
    Summary . . . 93

SECTION 4  Configure and Use IPv6 . . . 95
    Objective 1  Understand IPv6 Theory . . . 96
        IPv6 Features . . . 96
        IPv6 Addresses . . . 96
        IPv6 Address Types . . . 97
    Objective 2  Configure IPv6 on SUSE Linux Enterprise 11 . . . 101
        IPv6 Autoconfiguration . . . 101
        Setting an IPv6 Address Using YaST . . . 102
        Managing IPv6 Addresses Using the Command Line Tools . . . 105
        Connecting to Other IPv6 Addresses . . . 105
        Exercise 4-1  Configure IPv6 . . . 111
    Summary . . . 112

SECTION 5  Integrate SLED 11 into an Active Directory Environment . . . 113
    Objective 1  Describe How SLED 11 Integrates with Active Directory . . . 114
        Benefits of Active Directory Integration . . . 114
        How Windows Networking Works . . . 114
        How SLED 11 Integrates with an Active Directory Domain . . . 119
    Objective 2  Configure Active Directory Integration . . . 124
        Joining SLED 11 to an Active Directory Domain . . . 124
        Exercise 5-1  Join SLED 11 to an Active Directory Domain . . . 134
        Logging In to an Active Directory Domain . . . 134
        Managing Domain Passwords . . . 136
        Exercise 5-2  Log In to the Domain from SLED 11 . . . 138
    Objective 3  Access Shared Domain Resources . . . 139
        Accessing Shared Folders . . . 139
        Accessing Shared Printers . . . 142
        Exercise 5-3  Access a Shared Folder . . . 146
    Summary . . . 147

SECTION 6  Integrate SLED 11 into a Novell eDirectory Environment . . . 149
    Objective 1  Describe How the Novell Client for Linux Works . . . 150
        The Role and Function of Novell eDirectory . . . 150
        The Role and Function of the Novell Client for Linux . . . 158
    Objective 2  Install and Configure the Novell Client for Linux on SLED 11 . . . 160
        Installing the Novell Client for Linux on SLED 11 . . . 160
        Exercise 6-1  Install the Novell Client for Linux . . . 170
        Configuring the Novell Client on SLED 11 . . . 170
    Objective 3  Authenticate to an OES 2 Server Using the Novell Client for Linux . . . 184
        Authenticating to eDirectory . . . 184
        Mapping Directories to Server Volumes . . . 186
        Logging Out . . . 191
        Troubleshooting SLP Issues . . . 192
        Using Novell Client for Linux Shell Commands . . . 196
        Exercise 6-2  Configure the Novell Client for Linux . . . 198
        Configuring Integrated Login . . . 198
        Exercise 6-3  Configuring Integrated Login . . . 203
    Objective 4  Use Novell iPrint on SLED 11 . . . 204
        How iPrint Works . . . 204
        Installing and Configuring the iPrint Client on Linux Workstations . . . 209
        Installing iPrint Printers and Sending Print Jobs . . . 210
        Exercise 6-4  Install and Configure the iPrint Client . . . 213
    Objective 5  Use iFolder on SLED 11 . . . 214
        How iFolder Works . . . 214
        Installing the iFolder Client . . . 216
        Configuring Your iFolder Account . . . 217
        Creating iFolders . . . 224
    Summary . . . 229

SECTION 7  Integrate SUSE Linux Enterprise Desktop 11 into a UNIX Environment . . . 233
    Objective 1  Accessing NFS File Shares . . . 234
        Network File System Basics . . . 234
        NFS Internals . . . 235
        Configure NFS Client Access with YaST . . . 235
        Mount Home Directories Manually . . . 237
        Mount Home Directories Automatically . . . 239
        Exercise 7-1  Import Network File System (NFS) . . . 241
    Objective 2  Authentication to LDAP . . . 242
        LDAP Basics . . . 242
        YaST LDAP Client Module . . . 245
        OpenLDAP and Automounter . . . 247
        Exercise 7-2  Integrate a SLED 11 into an LDAP Environment . . . 249
    Objective 3  Printing to CUPS Printers . . . 250
        Configure CUPS . . . 250
        Exercise 7-3  Change Your Printer Configuration . . . 268
        Manage Print Jobs and Queues . . . 268
        Understand How CUPS Works . . . 275
        Exercise 7-4  Manage Printers from the Command Line . . . 281
    Summary . . . 282

SECTION 8  Access Remote Desktops Using Nomad . . . 285
    Objective 1  Describe How Nomad Works . . . 286
        How RDP Works . . . 286
        How Nomad Works . . . 287
    Objective 2  Install and Configure Nomad . . . 291
        Configure the Nomad Server . . . 291
        Configure the Nomad Client . . . 295
        Exercise 8-1  Install and Configure Nomad . . . 299
    Objective 3  Access Desktops Remotely with Nomad . . . 300
        Accessing Remote Desktops with rdesktop . . . 300
        Accessing Remote Desktops with tsclient . . . 302
        Exercise 8-2  Access Remote Desktop . . . 306
    Objective 4  Troubleshoot Common Nomad Problems . . . 307
        Verifying that xrdp is Running on the Sender . . . 307
        Verifying that Port 3389 is Open . . . 307
    Summary . . . 308

SECTION 9  Use Multimedia on the SUSE Linux Enterprise Desktop 11 . . . 309
    Objective 1  Use Banshee . . . 310
        Import Music . . . 311
        Play Your Music . . . 313
        Rip Your Music . . . 314
        Listen to Internet Radio . . . 315
        Listen to Podcasts . . . 316
        Exercise 9-1  Use Banshee . . . 318
    Objective 2  Use Moonlight . . . 319
        Exercise 9-2  Use Moonlight . . . 321
    Summary . . . 322

SECTION 10  Configure Email . . . 323
    Objective 1  Configure the Evolution Email Client on SLED 11 . . . 324
        The Role and Function of Evolution . . . 324
        Configuring Evolution . . . 324
        Using Evolution . . . 337
        Exercise 10-1  Integrate Evolution with Microsoft Exchange . . . 353
    Objective 2  Configure the GroupWise Client on SLED 11 . . . 354
        Installing Novell GroupWise Client for Linux . . . 354
        Using the GroupWise Client . . . 358
        Exercise 10-2  Install and Configure the GroupWise Client . . . 372
    Summary . . . 373

SECTION 11  Create Shell Scripts . . . 375
    Objective 1  Understand Bash Basics . . . 376
        Bash Command Line . . . 376
        Bash Variables . . . 378
        Return Values . . . 379
    Objective 2  Use Basic Script Elements . . . 381
        Elements of a Shell Script . . . 381
        A Simple Backup Script . . . 382
        Debug Options . . . 384
        Exercise 11-1  Create a Simple Shell Script . . . 385
    Objective 3  Understand Variables and Command Substitution . . . 386
        Exercise 11-2  Use Variables and Command Substitution . . . 389
    Objective 4  Use Control Structures . . . 390
        Create Branches . . . 390
        Exercise 11-3  Use an if Control Structure . . . 394
        Create Loops . . . 394
        Exercise 11-4  Use a while Loop . . . 398
    Objective 5  Use Arithmetic Operators . . . 399
        Exercise 11-5  Use Arithmetic Operators . . . 401
    Objective 6  Read User Input . . . 402
        Exercise 11-6  Read User Input . . . 404
    Objective 7  Use Arrays . . . 405
        Exercise 11-7  Use Arrays . . . 407
    Objective 8  Finalize the Course Project . . . 408
        Exercise 11-8  Use rsync to Keep Versions of Files . . . 410
    Objective 9  Use Advanced Scripting Techniques . . . 411
        Use Shell Functions . . . 411
        Read Options with getopts . . . 412
        Exercise 11-9  Use Shell Functions . . . 414
    Objective 10  Learn about Useful Commands in Shell Scripts . . . 415
        Use the cat Command . . . 415
        Use the cut Command . . . 415
        Use the date Command . . . 416
        Use the grep and egrep Commands . . . 416
        Use the sed Command . . . 417
        Use the test Command . . . 419
        Use the tr Command . . . 421
    Summary . . . 423

SECTION 12  Deploy SUSE Linux Enterprise Desktop 11 . . . 427
    Objective 1  Understand Autoinstallation Basics . . . 428
        Installation Options . . . 428
        Deployment Strategies . . . 429
        AutoYaST Basics . . . 431
    Objective 2  Create a Configuration File for AutoYaST . . . 432
        Exercise 12-1  Create an AutoYaST Control File . . . 436
    Objective 3  Use an Installation Server . . . 437
    Objective 4  Perform an Automated Installation . . . 438
        Provide the Control File . . . 438
        Boot and Install the System . . . 438
        Exercise 12-2  Perform an Automated Installation of SUSE Linux Enterprise Desktop . . . 440
    Summary . . . 441

Version 1

Copying all or part of this manual, or distributing such copies, is strictly prohibited.
To report suspected copying, please call 1-800-PIRATES.

SUSE Linux Enterprise Desktop 11 Administration / Manual

Introduction

SUSE Linux Enterprise Desktop 11 Administration (Course 3104) focuses on the
routine system administration of SUSE Linux Enterprise Desktop 11 (SLED 11).
This course covers basic Linux skills as well as common tasks a system administrator
of SLED 11 has to perform, such as configuring the desktop environment, printing,
integrating the product into existing environments, and rolling out a large number of
installations.
Before starting the course, review the following:

Student Kit Deliverables on page 9

Course Design on page 10

Exercise Guidelines on page 12

Course Feedback on page 14

Student Kit Deliverables


The contents of your student kit include the following:

SUSE Linux Enterprise Desktop 11 Administration Manual

SUSE Linux Enterprise Desktop 11 Administration Workbook

SUSE Linux Enterprise Desktop 11 Administration Course DVD (2 DVDs)

SUSE Linux Enterprise Desktop 11 SP1 Product DVD

SUSE Linux Enterprise Server 11 Product DVD

The SUSE Linux Enterprise Desktop 11 Administration Course DVDs contain an image
of a SUSE Linux Enterprise Desktop 11 installation and other images (a SUSE Linux
Enterprise Server 11 installation, an Open Enterprise Server installation, and an
empty VMware machine in which you can install Windows 2008 Server) that you can use
to perform the exercises in the SUSE Linux Enterprise Desktop 11 Administration
Workbook.
The exercises in the Workbook help you to practice the skills tested in the Novell
Certified Linux Desktop Professional 11 (CLDP 11) exam (050-722).
NOTE: Instructions for setting up a self-study environment are in the setup directory on the Course
DVD.


Course Design
The following provides information about the design of the course to help you
evaluate whether or not this course provides the type of SLED 11 training you need
(in a classroom environment or for self-study):

Course Objectives on page 10

Course Audience on page 10

Certification and Prerequisites on page 11

Classroom Agenda on page 11

Course Setup on page 12

Course Objectives
This course teaches SUSE Linux Enterprise Desktop 11 theory as well as practical
application with hands-on labs of the following SUSE Linux Enterprise Desktop 11
Administration topics:
1. Customize the Graphical Interface on SUSE Linux Enterprise Desktop 11
2. Lock Down the SLE Desktop
3. Use the NetworkManager to Configure the Network
4. Activate and Use IPv6
5. Integrate SLED 11 into an Active Directory Environment
6. Integrate SLED 11 into a Novell eDirectory Environment
7. Integrate SUSE Linux Enterprise Desktop 11 into a UNIX Environment
8. Access Remote Desktops Using Nomad
9. Use Multimedia on the SLE Desktop
10. Configure Email
11. Create Shell Scripts
12. Deploy SUSE Linux Enterprise Desktop 11

These are tasks a SUSE Linux Desktop administrator in an enterprise environment
routinely has to deal with.

Course Audience
This course is addressed to administrators who are CLA 11-certified (or who have
comparable Linux administration knowledge) and who now want to gain in-depth
knowledge of the tasks a Linux administrator has to perform routinely on SLED 11.


Certification and Prerequisites
This course helps you prepare for the following Novell Certified Linux Desktop
Professional 11 (Novell CLDP 11) exams:

CLDP 11 - Professional level (050-722)

As with all Novell certifications, course work is recommended. To achieve the Novell
CLDP 11 certification, you are required to pass the Novell CLDP 11 exam.
The following illustrates the training and testing path for Novell CLDP11:
Figure Intro-1

CLDP 11 Certification Path

NOTE: For more information about Novell certification programs and certification exams, see
Novell's certification website (http://www.novell.com/training/certinfo/).

Classroom Agenda
This course is designed to be taught as a 5-day course with the following basic
agenda:

Table Intro-1  Course Agenda

Day 1    Module                                                          Duration (hh:mm)
         Introduction                                                    00:30
         Customize the Graphical Interface on SUSE Linux Enterprise Desktop 11   02:30
         Lock Down the SLE Desktop                                       03:00

Days 2 to 5    Module                                                    Duration (hh:mm)
         Use the NetworkManager to Configure the Network                 04:30
         Activate and Use IPv6                                           02:00
         Integrate SLED 11 into an Active Directory Environment          03:00
         Integrate SLED 11 into a Novell eDirectory Environment          03:30
         Integrate SUSE Linux Enterprise Desktop 11 into a UNIX Environment   03:00
         Access Remote Desktops                                          02:00
         Use Multimedia on the SLE Desktop                               00:30
         Configure Email                                                 01:00
         Create Shell Scripts                                            05:30
         Deploy SUSE Linux Enterprise Desktop 11                         01:00

Course Setup
The setup in this course is based on a SLED 11 system called DA-HOST. On DA-HOST
runs a virtual server with four virtual machines:

DA1. A SUSE Linux Enterprise Server 11. This virtual machine provides
services you need for the exercises (like DNS).

DA-SLED. A SLED 11 workstation. This virtual machine is used to test and use
services during various exercises.

DA-OES. A Novell Open Enterprise Server 2 server. It hosts the services
covered in this course.

DA-WIN. A Microsoft Windows Server 2008. This virtual machine provides
Active Directory and an Exchange server.

Exercise Guidelines
The following information provides guidelines to help you make the most of the
exercises provided in this course:


VMware Virtualization and the Exercises on page 13

Exercise Conventions on page 13

Workbook on page 14


VMware Virtualization and the Exercises


VMware virtualization technology allows you to create and run multiple virtual
computers on one physical computer. The physical computer must be running player
software to allow it to be a virtual machine server (or host).
The VMware virtual machines used in this course are:

DA1. A SUSE Linux Enterprise Server 11. This virtual machine provides
services (like DNS) you need for the exercises.

DA-SLED. A SUSE Linux Enterprise Desktop 11 workstation. This virtual
machine is used to test and use services during various exercises.

DA-OES-A. A Novell Open Enterprise Server 2 server. It hosts the services
covered in this course.

DA-WIN. A Microsoft Windows Server 2008. This virtual machine provides
Active Directory and an Exchange server.

Exercise Conventions
The exercises use conventions that indicate information you need to enter that is
specific to your server.
The following describes the most common conventions:

italicized/bolded text. This represents a variable value, such as the host name of
your server.
For example, if the host name of your server is DA3 and you see the following:
hostname.da.com
you would enter
DA3.da.com

172.17.8.x or DAx. This is the IP address or host name that is assigned to a
server.
For example, if your IP address is 172.17.12.101 and you see the following:
172.17.12.x
you would enter
172.17.12.101

Select. The word select is used in exercise steps to indicate a variety of actions
including clicking a button on the interface and selecting a menu item.

Enter and Type. The words enter and type have distinct meanings.
The word enter means to type text in a field or type text at a command line
prompt and press the Enter key. The word type means to type text without
pressing the Enter key.
If you are directed to type a value, make sure you do not press the Enter key or
you might activate a process that you are not ready to start.


SUSE Linux Enterprise Desktop 11 Administration / Manual

Workbook
The SUSE Linux Enterprise Desktop 11 Administration
Workbook provides all the exercises in the course, as well as instructions for setting
up the SUSE Linux Enterprise Desktop 11 host computer and VMware virtual
machines you need to complete the exercises.

Course Feedback
Your feedback is valuable to Novell Training Services. To provide feedback on the
course materials, use the web services tool (http://www.novell.com/training/
contactus.html).


Customize the Graphical Interface on SUSE Linux Enterprise Desktop 11

SECTION 1

Customize the Graphical Interface on SUSE Linux Enterprise Desktop 11

In this section, you learn how to configure the graphical environment of your SUSE
Linux Enterprise Desktop 11 (SLED 11). This includes the X configuration as well as
the configuration of the GNOME environment.
Section Objectives

In this section, you learn how to do the following:


1. Configure X, Xgl, and Compiz on page 16
2. Customize the GNOME User Interface on page 24
3. Customize Applications on page 30


Objective 1

Configure X, Xgl, and Compiz


Provided the computer is equipped with suitable graphics hardware (a supported
graphics adapter with good 3D performance), SUSE Linux Enterprise
Desktop 11 provides an entirely new Linux desktop experience through its use of
3D effects made possible by Xgl and Compiz.

Figure 1-1 Switching to Another Virtual Desktop

Xgl is a new Xserver architecture layered on top of OpenGL. Xgl can perform
intricate graphical operations noticeably faster than other available Xservers that do
not use OpenGL.
More important than speed alone, Xgl accelerates complex composite operations,
making possible new stunning visual effects on OpenGL-enhanced composition/
window managers like Compiz, the compositor utility that was developed in
conjunction with Xgl.
Compiz is a combination of a window manager and a composite manager using
OpenGL for rendering. A window manager allows the manipulation of the multiple
applications and dialog windows that are presented on the screen. A composite
manager allows windows and other graphics to be combined to create composite
images, such as those used to create transparency effects. Compiz achieves its
stunning effects by performing both of these functions.
When you activate Compiz, it replaces the window manager of your desktop
environment (Metacity in GNOME and kwin in KDE).


To enable these desktop effects, you have to:

Configure X on page 17

Activate Compiz on page 20

Configure X
In most cases, X is automatically configured during installation by YaST. If you want
to change the configuration, you can use either of the following:

YaST Graphics Card and Monitor Module on page 17

SaX2 on page 17

YaST Graphics Card and Monitor Module

The YaST Graphics Card and Monitor Module uses SaX2 for the X configuration. To
be able to use Compiz, activate 3D acceleration by checking the Activate 3D
Acceleration option, as shown at the bottom in the following dialog:
Figure 1-2 YaST Graphics Card and Monitor Module

SaX2

It is also possible to use SaX2 directly, without YaST. You should start SaX2 from a
text terminal in runlevel 3 to avoid any possible interference with the currently
running X session.
Enter sax2 when you are logged in as root.


First, SaX2 checks the hardware; then the following dialog appears:
Figure 1-3 SaX2 Proposes Screen Settings

If you are satisfied with the configuration, select OK.


If you need to change the configuration, select Change Configuration. Except for
the window title, the dialog that opens up is the same as that of the YaST Graphics
Card and Monitor module:


Figure 1-4 SaX2's X11 Configuration Dialog

In the Monitor section, you can change different aspects of the X configuration (such
as graphics card details, monitor type, screen resolution, and number of colors
displayed) that concern the graphics card and monitor.
Selecting one of the categories on the left opens different dialogs that allow you to
change the respective settings.
When you are done with the configuration, select OK. In the next dialog, you can
choose to test the configuration, to save it, or to cancel the changes.
Figure 1-5 Test the Graphics Configuration


We recommend testing the configuration before saving it. A dialog to adjust the size
and position of the screen appears.
Figure 1-6 Adjust the Screen

Normally it is not necessary to change anything here.


Save your settings and exit SaX2.

Activate Compiz
The packages needed to activate Compiz are part of the GNOME pattern used during
a default installation. These include the following:

compiz

xgl

xgl-hardware-list

gnome-session

libwnck

Once 3D acceleration has been activated, log in as a normal user to GNOME and
activate Compiz.
Select the Computer icon in the lower left corner of the desktop, open the Control
Center, and start the Desktop Effects control panel in section Look and Feel.


Figure 1-7 Enable Desktop Effects

Mark Enable desktop effects to activate Compiz.


The following table lists the more frequently used controls:

Key Combination            Effect
Ctrl+Alt+Left              Rotate cube to the left.
Ctrl+Alt+Shift+Left        Rotate cube to the left, with active window.
Ctrl+Alt+Right             Rotate cube to the right.
Ctrl+Alt+Shift+Right       Rotate cube to the right, with active window.
Ctrl+Alt+Mouse Button 1    Rotate cube using the mouse.
Ctrl+Alt+Down              Unfold the cube; then use the left and right arrow keys to move.


NOTE: More information on Xgl can be found at the openSUSE website (http://en.opensuse.org/Xgl).
More information on Compiz can be found at the openSUSE website (http://en.opensuse.org/Compiz).


Exercise 1-1

Activate Compiz
In this exercise, you configure Compiz, provided the hardware supports it.
In the first part, using YaST, verify that 3D support is enabled for your graphics
adapter.
If 3D support is enabled, activate Compiz for the GNOME desktop in the second part.
You will find this exercise in the workbook.
(End of Exercise)


Objective 2

Customize the GNOME User Interface


You can customize the GNOME user interface in various ways: For example, you can
add or remove icons, change the background image, or add items to the panel. The
administrator can set system-wide defaults. Users can configure their own desktops.
The system used for storing application preferences in GNOME is GConf. GConf
provides a preferences database, similar to a simple file system.
Keys are organized into a directory hierarchy. Each key is either a directory
containing more keys, or it has a value which is contained in the %gconf.xml file
in a key directory.
This directory structure is below /etc/gconf/ for system-wide entries, while
user-specific settings are contained in subdirectories of ~/.gconf/.
The %gconf.xml file can contain many key-value pairs. E.g., in
~geeko/.gconf/apps/nautilus/preferences/%gconf.xml:
<entry name="navigation_window_saved_geometry" mtime="1233673738" type="string">
  <stringvalue>800x550+400+38</stringvalue>
</entry>
NOTE: This file is only available if you started Nautilus once before.

A per-user daemon, gconfd-2, controls these settings. It reads the current settings
from various sources when a user logs in, notes any changes the user makes to the
settings, and informs the affected applications. In this way, changed settings take
effect immediately. Changes are written to the file system at regular intervals.
NOTE: A more detailed description of the GConf repository structure is contained in the GNOME
Desktop System Administration Guide (http://library.gnome.org/admin/system-admin-guide/stable/).

To understand how the user environment is configured, you need to know the
following:

User-Defined Settings on page 24

Default Values on page 26

User-Defined Settings
When a user defines the settings for his or her workstation, using the preference
dialogs of GNOME applications or the gconf-editor tool, the settings are written to a
%gconf.xml file in a directory beneath ~/.gconf.
To see how a user-defined setting is stored, suppose a user decided to change the
default double-click used to launch applications to a single click.


To change this default behavior, start Nautilus by double-clicking the folder icon
representing the home directory. Select Edit > Preferences > Behavior > Single
Click to Activate Items. This change takes effect immediately.
The setting is stored in ~/.gconf/apps/nautilus/preferences/%gconf.xml:
<?xml version="1.0"?>
<gconf>
  <entry name="click_policy" mtime="1233756154" type="string">
    <stringvalue>single</stringvalue>
  </entry>
  ...
</gconf>

The same effect can be achieved with gconf-editor. Open a terminal window, type
gconf-editor, and press Enter. The various options available are displayed in a
tree-like structure:
Figure 1-8 The gconf-editor

To change the value of a key, double-click the key in the right part of the window and
change its value in the dialog that appears.


Depending on the application, gconf-editor might offer more settings than the
preference dialog of the respective application itself.
You can also use the gconftool-2 command line tool to change the GConf
settings. To change the default click policy to single, enter the following on the
command line:
geeko@da10:~> gconftool-2 --set --type string /apps/nautilus/preferences/click_policy single

The /apps/nautilus/preferences/click_policy key corresponds to the tree structure in
gconf-editor. The --set and --type string options indicate that this key will
take the new single string value. The type depends on the key and is defined in the
schema file for that key. Schemas are covered in Default Values on page 26.
You can also use gconftool-2 to view the current value of a key:
geeko@da10:~> gconftool-2 --get /apps/nautilus/preferences/click_policy
single
geeko@da10:~>

Default Values
Default values are used for any preferences that are not set specifically by the user.
When looking for the value of a variable, GConf scans a couple of files in /etc/gconf
before looking in the user's configuration file. The names of the files and the order
can be seen in the /etc/gconf/2/path file.
The sequence of the configuration sources in the path file ensures that mandatory
preference settings override user preference settings. The sequence also ensures that
user preference settings override default preference settings. That is, GConf applies
preferences in the following order of priority:
1. Mandatory preferences
2. User-specified preferences
3. Default preferences

GConf also uses schema files, which are contained in /etc/gconf/schemas/.
Schemas list the possible preferences for applications or desktop
settings. For the GNOME desktop background, the respective file is called
desktop_gnome_background.schemas:
<?xml version="1.0"?>
<gconfschemafile>
  <schemalist>
    <schema>
      <key>/schemas/desktop/gnome/sound/default_mixer_device</key>
      <applyto>/desktop/gnome/sound/default_mixer_device</applyto>
      <owner>gnome</owner>
      <type>string</type>
      <default></default>
      <locale name="C">
        <short>Default mixer device</short>
        <long>The default mixer device used by the multimedia key bindings.</long>
      </locale>
      <locale name="ar">
...

This file contains keys, their type (integer, boolean, string, float, or list), default
value, and descriptions in several languages.
You can change the system-wide default values using either gconf-editor or
gconftool-2.
Change Defaults Using gconf-editor

To use gconf-editor for this purpose, make sure you are logged in as root when
you start it. You can right-click a key and select Set as Default or Set as Mandatory
from the pop-up menu.
Figure 1-9 Set as Default or as Mandatory

To see all default settings, select File > New Defaults Window. To see all mandatory
settings, select File > New Mandatory Window. A new window opens and lets you
change settings as explained in User-Defined Settings on page 24.
To remove a key from the default or mandatory configuration, right-click the key and
select Unset Key in the New Mandatory Window.


Change Defaults Using gconftool-2

To change system-wide defaults with gconftool-2, you must be logged in as root.
You must specify the repository you want to change. Otherwise, by default, changes
apply to the ~/.gconf/ directory in the user's home directory. They will not apply
to the directories beneath /etc/gconf/gconf.xml.defaults. You also have
to make sure gconfd-2 is not running.
The command to change the default for the background image file looks similar to the
following example (the gconftool-2 command line needs to be entered in one
line):
da10:/etc/gconf # killall gconfd-2
da10:/etc/gconf # gconftool-2 --direct --config-source xml_readwrite:/etc/gconf/gconf.xml.defaults --set --type string /desktop/gnome/background/picture_filename /usr/share/wallpapers/SpringFlowers.jpg

In the example, --direct indicates that the configuration repository is altered
directly without using gconfd-2, and --config-source specifies the source to
change.
The command changes the /etc/gconf/gconf.xml.defaults/desktop/gnome/background/%gconf.xml
file, which now lists the new default value:
<?xml version="1.0"?>
<gconf>
  <entry name="picture_filename" mtime="1233858334" type="string">
    <stringvalue>/usr/share/wallpapers/SpringFlowers.jpg</stringvalue>
  </entry>
</gconf>

Users who do not have an entry in their ~/.gconf/ directory trees defining a
different background image will see the new background image the next time they
log in. They are still able to change their own background images.
Setting preferences that cannot be changed by the user is covered in Configure X,
Xgl, and Compiz on page 16.
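The lookup order from Default Values (mandatory, then the user's own settings, then the system defaults written with --direct) can be traced on sample files. The following is an added example, not part of the course manual or of GConf itself: a small shell re-implementation of the lookup over three constructed %gconf.xml trees in the same shape as the files shown above. It assumes the three repository roots are passed in as arguments, one string entry per %gconf.xml file, and that the mtime and all wallpaper paths other than SpringFlowers.jpg are made up for the example.

```shell
#!/bin/sh
# Added example, not part of the course manual: a small re-implementation of the
# GConf lookup order over %gconf.xml files, so the priority described in the text
# (mandatory > user > default, as listed in /etc/gconf/2/path) can be watched on
# constructed sample data instead of a live desktop.
# Assumptions (not from the page): the three repository roots are passed in as
# arguments, one <entry> per %gconf.xml file, and only string values are handled.

# gconf_write_entry DIR NAME VALUE: write DIR/%gconf.xml holding one string entry
# in the shape of the Nautilus example in the text (the mtime is a made-up value).
gconf_write_entry() {
    mkdir -p "$1"
    cat > "$1/%gconf.xml" <<EOF
<?xml version="1.0"?>
<gconf>
  <entry name="$2" mtime="1233756154" type="string">
    <stringvalue>$3</stringvalue>
  </entry>
</gconf>
EOF
}

# gconf_make_sample BASE: build three constructed repositories below BASE that play
# the roles of gconf.xml.mandatory, ~/.gconf and gconf.xml.defaults.
gconf_make_sample() {
    # system defaults, as an administrator would set them with gconftool-2 --direct
    gconf_write_entry "$1/defaults/apps/nautilus/preferences" click_policy double
    gconf_write_entry "$1/defaults/desktop/gnome/background" picture_filename \
        /usr/share/wallpapers/SpringFlowers.jpg
    # the user's own choices (what ~/.gconf holds after the Nautilus change)
    gconf_write_entry "$1/user/apps/nautilus/preferences" click_policy single
    gconf_write_entry "$1/user/desktop/gnome/background" picture_filename \
        /home/geeko/Pictures/my-wallpaper.jpg
    # a setting the administrator locked in the mandatory repository (made-up path)
    gconf_write_entry "$1/mandatory/desktop/gnome/background" picture_filename \
        /usr/share/wallpapers/company-wallpaper.jpg
}

# gconf_entry_value ROOT KEY: print the string value stored for KEY (for example
# /apps/nautilus/preferences/click_policy) in ROOT/apps/nautilus/preferences/%gconf.xml;
# exit 1 if the file or the entry does not exist.
gconf_entry_value() {
    file="$1$(dirname "$2")/%gconf.xml"
    name=$(basename "$2")
    [ -f "$file" ] || return 1
    # join the file into one line so a wrapped <entry ...> start tag still matches
    tr -d '\n' < "$file" \
      | sed -n "s|.*<entry name=\"$name\"[^>]*>[[:space:]]*<stringvalue>\([^<]*\)</stringvalue>.*|\1|p" \
      | grep .
}

# gconf_resolve MANDATORY_ROOT USER_ROOT DEFAULTS_ROOT KEY: apply the order of
# configuration sources from /etc/gconf/2/path and print the winning value.
gconf_resolve() {
    for root in "$1" "$2" "$3"; do
        if value=$(gconf_entry_value "$root" "$4"); then
            printf '%s\n' "$value"
            return 0
        fi
    done
    return 1
}

# stand-alone demonstration on a throwaway directory
demo=$(mktemp -d)
gconf_make_sample "$demo"
for key in /apps/nautilus/preferences/click_policy /desktop/gnome/background/picture_filename; do
    printf '%-45s -> %s\n' "$key" \
        "$(gconf_resolve "$demo/mandatory" "$demo/user" "$demo/defaults" "$key")"
done
rm -rf "$demo"
```

Run stand-alone, click_policy resolves to the user's single (the user repository beats the default double), while picture_filename resolves to the mandatory wallpaper even though the user set their own; that is the mechanism the lock-down section relies on, and it is the reason a default written with --direct is visible only to users who have no entry of their own.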


Exercise 1-2

Customize the GNOME User Interface


In this exercise, you set the preference for the mouse click to single click to launch
programs that have an icon on the desktop and change the default for the background
image.
In the first part, start the Nautilus file manager and set the preferences for the mouse
click to single.
In the second part, you undo that change using gconftool-2.
As user root you set a new default for the background image using gconf-editor
in the third part.
You will find this exercise in the workbook.
(End of Exercise)


Objective 3

Customize Applications
Due to the number of applications available on SLED 11, it is not possible within this
course to go into any great detail on customizing them. Some, like OpenOffice.org,
are so comprehensive they deserve a course of their own.
However, as desktop administrator, you should understand how applications usually
store their configurations and you should be able to provide users with useful
configuration defaults.
The /etc/skel/ directory contains all the files that are copied to a new user's
home directory when the account is created.
By default, this directory already contains various configuration files (such as
.bashrc) or directories (such as Desktop, bin, or public_html). As an
administrator, you can add files or directories to /etc/skel/ that you want to see
in the home directories of new users.
Configuration files or directories are usually hidden, which means that their name
starts with a dot (.). These files are ASCII files, which can be edited with any text
editor. However, it is preferable to use the respective application to write the
configuration and to use the resulting file as a template. This template is then copied
to /etc/skel/ or to the home directory of another user.
NOTE: /etc/skel/ cannot be used for user-specific configurations.

This objective covers two examples of configuration settings that can be made
available to all users:

OpenOffice.org 3.0 on page 30

Firefox on page 32

Other applications, like Evolution, require a configuration on a per-user basis that
does not lend itself to this approach.

OpenOffice.org 3.0
The following topics are covered for OpenOffice 3.0:

Language Settings on page 30

Templates on page 31

Language Settings

Depending on the user's language, you might want to change OpenOffice.org's menu
language. Many different languages are available, but they are contained in separate
packages that you have to install. German, for example, is contained in the
OpenOffice_org-l10n-de package, while French is in OpenOffice_org-l10n-fr.
To install a language, open a terminal window and enter, as root, yast2 sw_single,
search for Office, and select the package for the desired language. If spell check
dictionaries are available for the selected language, they are installed automatically as
well.
Within a user's home directory, the configuration directory for OpenOffice.org on
SUSE Linux Enterprise Desktop 11 is ~/.ooo-3. The above settings are written to
the Setup.xcu and Office/Linguistic.xcu files in the
~/.ooo-3/user/registry/data/org/openoffice/ directory.
Templates

Companies usually develop their own templates for business letters, presentations,
forms, or other company-specific documents. It is easy to make these available to
OpenOffice.org users.
OpenOffice.org looks for templates in subdirectories of the system-wide
/usr/lib/ooo3/basis3.0/share/template/language/ directory and in the
user's home directory in ~/.ooo3/user/template/.
As system administrator, you can store the templates in a Companyname directory
in the system-wide OpenOffice.org template directory.
Users can store any templates they need in the template directory in their home
directories. If a user selects File > New > Templates and Documents > Templates,
the user will find the company templates in a directory (e.g., Digitalairlines), while
those in the user's home directory are accessible via the entry My Templates:
Figure 1-10 Select a Template in OpenOffice.org

Templates can be stored in any other directory as well. To make them available within
OpenOffice.org, select Tools > Options > OpenOffice.org > Paths > Templates.


Figure 1-11 Configure the Paths Used by OpenOffice.org

To add or delete template directories, select Edit and make the changes in the dialog
that appears.
Figure 1-12 Edit the Path of Your Templates

You can copy a sample .ooo3 directory with company-specific OpenOffice.org
settings to /etc/skel/ to make all configuration settings and templates in that
directory available to new users.
NOTE: A helpful resource for OpenOffice.org is the OpenOffice.org Forum (http://www.oooforum.org/).

Firefox
Firefox can be configured extensively via Edit > Preferences. Several tabs cover
various aspects of the configuration.


Figure 1-13 Firefox Preferences

You can access the preferences listed above, as well as additional preferences, at
about:config. After the warning dialog, you can select an entry with a double-click to
open a dialog to change the value of the respective parameter:


Figure 1-14 List of the Firefox Preferences

Changed values are stored in the home directory of the user in
~/.mozilla/firefox/xxxxxxxx.default/prefs.js. To make them available for all
users, copy the file to /usr/lib/firefox/defaults/profile/prefs.js. Users can still
make their own changes and override the values in the system-wide file.
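Before a prefs.js is copied into /usr/lib/firefox/defaults/profile/, it is worth reading it back and checking that it carries exactly the values intended for every user. The following is an added example, not part of the course manual or of Firefox: shell functions that parse the one-setting-per-line prefs.js format and check individual values. The sample file is constructed; the preference names are standard Firefox ones, while the intranet host, proxy host and port are made up for the example.

```shell
#!/bin/sh
# Added example, not part of the course manual: read the prefs.js format so a
# site-wide prefs.js can be inspected before it is copied to
# /usr/lib/firefox/defaults/profile/. Every setting is one line of the form
#     user_pref("name", value);
# The sample file is constructed; the preference names are real Firefox ones,
# the values (intranet host, proxy) are made up for the example.

# prefs_make_sample FILE: write a constructed prefs.js to FILE.
prefs_make_sample() {
    cat > "$1" <<'EOF'
// Mozilla User Preferences
/* Do not edit this file while Firefox is running. */
user_pref("browser.startup.homepage", "http://intranet.digitalairlines.com/");
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "proxy.digitalairlines.com");
user_pref("network.proxy.http_port", 3128);
user_pref("app.update.enabled", false);
EOF
}

# prefs_keys FILE: list the preference names set in FILE, one per line.
prefs_keys() {
    sed -n 's/^user_pref("\([^"]*\)".*/\1/p' "$1"
}

# prefs_get FILE NAME: print the value of NAME (string values without their
# quotes); exit 1 if NAME is not set in FILE.
prefs_get() {
    # preference names are letters, digits, dots, underscores and hyphens, so
    # the dots are the only regex metacharacters that need escaping
    name=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n "s/^user_pref(\"$name\", *\(.*\));[[:space:]]*\$/\1/p" "$1" \
      | sed 's/^"\(.*\)"$/\1/' \
      | grep .
}

# prefs_matches FILE NAME EXPECTED: exit 0 if NAME is set to exactly EXPECTED,
# which is the check a deployment script would run over the system-wide copy.
prefs_matches() {
    [ "$(prefs_get "$1" "$2")" = "$3" ]
}

# stand-alone demonstration
demo=$(mktemp -d)
prefs_make_sample "$demo/prefs.js"
for key in $(prefs_keys "$demo/prefs.js"); do
    printf '%-30s = %s\n' "$key" "$(prefs_get "$demo/prefs.js" "$key")"
done
rm -rf "$demo"
```

Because users can override any of these values in their own profile, prefs_matches run against the system-wide file confirms only what a fresh profile starts with, not what a given user ends up using; that is the page's own caveat, stated for the check.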


Exercise 1-3

Customize Applications
In this exercise, you create an OpenOffice.org template.
In the first task, you create a letter header. In the second task, you create a new letter
using the header you created in the first task.
You will find this exercise in the workbook.
(End of Exercise)


Summary
The following is a summary of what you learned in the course objectives.
Objective                              What You Learned

Configure X, Xgl, and Compiz           The installation is controlled by an XML file.
                                       SUSE Linux Enterprise Desktop 11 supports
                                       Xgl and Compiz, providing a new desktop
                                       experience on Linux.

Customize the GNOME User Interface     The user preferences for GNOME settings are
                                       stored as keys in the GConf repository,
                                       system-wide in /etc/opt/gnome/gconf/, or in
                                       the user's home directory in ~/.gconf/. To
                                       change settings within GNOME applications,
                                       use
                                         the graphical tool gconf-editor
                                         the command line tool gconftool-2

Customize Applications                 Applications store their configuration settings,
                                       usually in hidden directories or files (starting
                                       with a .) in the home directory of the user
                                       who sets them.
                                       In some cases, it is useful for the desktop
                                       administrator to distribute sample
                                       configurations, e.g., for OpenOffice.org or
                                       Firefox.


Lock Down the SLE Desktop

SECTION 2

Lock Down the SLE Desktop

If the user only sees what he is allowed to access, system security is increased. In this
section different methods of locking down SUSE Linux Enterprise Desktop 11 (SLED 11)
are described.
Encrypted file systems can also improve security.
Section Objectives

In this section, you learn how to do the following:

1. Control Mounting of CD-ROM, DVD, and USB Devices on page 38
2. Define Mandatory Settings with GConf and Desktop Profiles on page 43
3. Use PolicyKit to Configure Application Policies on page 47
4. Use File System Encryption on page 58


Objective 1

Control Mounting of CD-ROM, DVD, and USB Devices


By default, removable media like CD-ROMs, DVDs, and USB storage devices are
automatically mounted. The program providing this functionality is the HAL
daemon. Three GNOME tools use HAL and read settings from GConf:

gnome-mount

gnome-umount (same as gnome-mount --umount)

gnome-eject (same as gnome-mount --eject)

Depending on company policy or the use of the workstation, you might have to
prevent users from reading from or writing to removable media or mounting
removable devices such as USB drives or sticks.
There are various ways to configure this. Which one you choose depends mainly on
how difficult you want to make it for any user who tries to circumvent the restrictions
you impose.

Using GConf and /etc/fstab

Use gconftool-2 or gconf-editor to set the media_automount key in
/apps/nautilus/preferences in the mandatory GConf repository to false.
While this prevents automatic mounting, the user can still mount the drive by
selecting the desktop icon that appears when a CD-ROM is inserted.
You can add an entry in /etc/fstab (like the following) to prevent mounting
of CD-ROMs or DVDs by unprivileged users (assuming that /dev/dvd
represents the CD-ROM/DVD drive):
/dev/dvd    /media/dvd    auto    noauto,defaults    0 0

Now an error message will appear when a user inserts a CD-ROM.

Figure 2-1 Users Are Not Able To Mount a CD/DVD

NOTE: You will learn more about GConf in Configure X, Xgl, and Compiz on page 16.

Using kernel modules


The usb_storage kernel module is needed to read from USB storage devices. You can prevent the module from being loaded by adding the following line in /etc/modprobe.conf.local:

Version 1


Lock Down the SLE Desktop

install usb_storage /usr/bin/true

You can use other programs instead of /usr/bin/true as well. The following
example (in one line in /etc/modprobe.conf.local) will cause an email
notice to be sent when someone inserts such a device:
install usb_storage /usr/bin/mail -s "USB-Stick inserted on $HOSTNAME" desktopadmin@digitalairlines.com
NOTE: You could disable USB completely by adding similar lines for usbcore and other USB
modules (use lsmod to find which ones). But this might not be practical because that would
disable a USB keyboard and mouse as well.

You could rename or remove the USB kernel modules. However, the next kernel
update would bring them back and enable USB storage again.

Configure udev rules


In the past, the /dev/ directory contained a device file for hundreds of devices,
even if the hardware was not present. With udev this has changed; device files
are created only for devices that are actually present.
The command udevadm monitor can be used to monitor the udev system messages. When you plug in a USB stick, messages similar to the following should appear:
UDEV [1243464970.656655] add /devices/pci0000:00/0000:00:1d.2/usb7/7-2/7-2:1.0/host6/target6:0:0/6:0:0:0/block/sdb (block)
UDEV [1243464971.499426] add /devices/pci0000:00/0000:00:1d.2/usb7/7-2/7-2:1.0/host6/target6:0:0/6:0:0:0/block/sdb/sdb1 (block)

Block devices are created: in this example, one for the new device (sdb) and one for its partition (sdb1).
When you remove the USB stick, the block devices are removed again, as in the following:
UDEV [1243465458.031639] remove /devices/pci0000:00/0000:00:1d.2/usb7/7-2/7-2:1.0/host6/target6:0:0/6:0:0:0/block/sdb/sdb1 (block)
...
UDEV [1243465458.035093] remove /devices/pci0000:00/0000:00:1d.2/usb7/7-2/7-2:1.0/host6/target6:0:0/6:0:0:0/block/sdb (block)
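The following shell script is an added example, not part of the manual. It reads udevadm monitor output such as the lines above and reduces block device add and remove events to one "action kernel-name" line each, which is the kind of summary an administrator would log to notice removable storage being attached to a locked-down desktop. The function summarize_udev_events and the sample event lines (with a constructed device path) are assumptions made for this example.

```shell
# Added example, not from the Novell manual: reduce "udevadm monitor" output
# to one "action kernel-name" line per block device add/remove event, so a
# logging hook can record removable storage being attached or detached.
summarize_udev_events() {
    # Input lines look like:
    #   UDEV [1243464970.656655] add /devices/.../block/sdb (block)
    # Fields: source, timestamp, action, devpath, subsystem in parentheses.
    while read -r source stamp action devpath subsys; do
        [ "$source" = "UDEV" ] || continue        # skip KERNEL duplicates
        [ "$subsys" = "(block)" ] || continue     # only block devices
        case "$action" in
            add|remove) ;;
            *) continue ;;                        # ignore change events etc.
        esac
        # The kernel name is the last component of the sysfs devpath.
        printf '%s %s\n' "$action" "${devpath##*/}"
    done
}

# Constructed sample events, modelled on the manual's monitor output
# (the device path is constructed, not copied from a real system).
SAMPLE_EVENTS='UDEV [1243464970.656655] add /devices/pci0000:00/0000:00:1d.2/usb7/7-2/7-2:1.0/host6/target6:0:0/6:0:0:0/block/sdb (block)
UDEV [1243464971.499426] add /devices/pci0000:00/0000:00:1d.2/usb7/7-2/7-2:1.0/host6/target6:0:0/6:0:0:0/block/sdb/sdb1 (block)
UDEV [1243465458.031639] remove /devices/pci0000:00/0000:00:1d.2/usb7/7-2/7-2:1.0/host6/target6:0:0/6:0:0:0/block/sdb/sdb1 (block)
UDEV [1243465458.035093] remove /devices/pci0000:00/0000:00:1d.2/usb7/7-2/7-2:1.0/host6/target6:0:0/6:0:0:0/block/sdb (block)'

# On a live system: udevadm monitor --udev | summarize_udev_events
printf '%s\n' "$SAMPLE_EVENTS" | summarize_udev_events
```

Only UDEV lines are kept because udevadm monitor prints each event twice (once as the raw KERNEL uevent and once after udev has processed it), and only the processed event reflects the rules, such as the ignore_device rule shown later in this objective.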

udev is very flexible and can be configured by writing rules to *.rules files in
the /etc/udev/rules.d/ directory.
NOTE: You can find more udev rules in /lib/udev/rules.d/.

You can create your own rules in /etc/udev/rules.d/. To ensure that your rules are used, the filename should start with a smaller number than the other files in the directory (e.g., 10-local.rules).
A rule to disable devices that require the usb_storage module could look like the following:


# Disable USB storage
DRIVER=="usb-storage", OPTIONS+="ignore_device last_rule"

The ignore_device option will ensure that no action is taken and, therefore, no device file is created to access the device. The last_rule option prevents later rules from changing this rule.
Much more fine-grained control than shown above is possible. You could, for
instance, write rules allowing a specific USB device based on its serial number,
and ignoring other devices.
NOTE: The manual page for udev and the udev HOWTO (http://www.reactivated.net/writing_udev_rules.html) provide more information on how to write udev rules.

Using PolicyKit
PolicyKit is an application-level toolkit for defining and handling the policy that
allows unprivileged processes to speak to privileged processes: It is a framework
for centralizing the decision-making process with respect to granting access to
privileged operations for unprivileged applications.
PolicyKit is covered in detail in Use PolicyKit to Configure Application
Policies on page 47.
To prevent users from mounting removable media (like DVDs or USB sticks), you have to add the following line to your local rules in the /etc/polkit-default-privs.local file:
org.freedesktop.hal.storage.mount-removable auth_admin_keep_always

The new settings are activated by the set_polkit_default_privs command.
da10:~ # set_polkit_default_privs
setting org.freedesktop.hal.storage.mount-removable to auth_admin_keep_always:auth_admin_keep_always:auth_admin_keep_always
(wrong setting auth_admin_keep_always:auth_admin_keep_always:yes)

When the user inserts a DVD or USB stick, an authentication dialog appears:


Figure 2-2: Authentication Is Needed to Mount Removable Media

Remove the hardware


Physically remove CDROM and DVD drives as well as USB ports. This also
prevents the computer from being booted from bootable CDs.


Exercise 2-1

Control Mounting of CD-ROM, DVD, and USB Devices


In this exercise, you prevent users from mounting DVDs and USB devices.
In the first part, you notify user root by email when a user plugs in a USB stick. In the second part, you deactivate automounting of CDs using GConf.
You will need a USB stick to do this exercise.
You will find this exercise in the workbook.
(End of Exercise)


Objective 2

Define Mandatory Settings with GConf and Desktop Profiles


It is sometimes desirable from the desktop administrator's point of view to limit what users can configure or change on their desktops. Reasons for this could be corporate policies or an effort to reduce help desk calls caused by user misconfiguration.
Even greater restraints are frequently imposed on desktops used in public places like
trade shows.
As covered in Customize the GNOME User Interface on page 24, GConf is used to
store user-defined preferences or to set system-wide defaults. It can also be used by
the administrator to set preferences that cannot be changed by the user.

gconf-editor
To set or change mandatory settings, you must be logged in as root when you use
gconf-editor. The steps you take depend on what you need to do:

Set Preferences as Mandatory for the First Time on page 43

Change Existing Mandatory Preferences on page 44

Set Preferences as Mandatory for the First Time

As root user, start gconf-editor. The left part of the window lists the available keys.


Figure 2-3: GConf Configuration Editor

Browse the tree to the key you want to set as mandatory and set it to the desired value. Then right-click the entry and, in the context menu, select Set as Mandatory.
If you select the entry to change it again, an error message tells you that this is not possible.
Change Existing Mandatory Preferences

As root user, start gconf-editor; then select File > New Mandatory Window. The left part of the window lists those mandatory settings that have already been set in the /etc/gconf/gconf.xml.mandatory/ repository tree. You can change them as explained in Change Defaults Using gconf-editor on page 27.
To remove a key from the mandatory preferences, right-click the entry and select
Unset Key.
Values that have not been set to a mandatory value previously do not show up in the
repository tree on the left of this gconf-editor dialog.


Figure 2-4: Key is Not Writable

gconftool-2
You can also use the gconftool-2 command line tool to set preferences to a mandatory
value. (When you use gconftool-2, the gconf-editor can be helpful to browse the
configuration repository tree to find the correct key and its path.)
Let's assume that the security policy of the company requires the screens of desktops to be locked after 5 minutes of inactivity. As administrator, it is your task to configure the workstations accordingly and to make sure this policy is followed by all users.
Using gconf-editor as a normal user, you browse the repository tree and find out that the keys for this purpose are /apps/gnome-screensaver/lock_enabled and /apps/gnome-screensaver/idle_delay. To set these to mandatory values, log in as root and use the following commands (gconfd-2 is stopped first because --direct writes to the configuration source without going through the daemon):
killall gconfd-2
da10:~ # gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --set --type bool /apps/gnome-screensaver/lock_enabled true
Resolved address "xml:readwrite:/etc/gconf/gconf.xml.mandatory" to a writable configuration source at position 0
da10:~ # gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --set --type int /apps/gnome-screensaver/idle_delay 5
Resolved address "xml:readwrite:/etc/gconf/gconf.xml.mandatory" to a writable configuration source at position 0

The next time a user logs in and tries to change the respective screensaver settings in
the GNOME Control Center, the user will not be able to change these values.
NOTE: Not all key-value pairs that can be set seem to have the desired effect. For example, setting the /apps/firefox/general/homepage_url key to a certain value does not seem to have any effect on the default home page of the Firefox browser. Other such key-value pairs might not behave as expected either. Therefore, you should test your settings to make sure they have the desired effect and cannot be changed by the user before you rely on them.


Exercise 2-2

Set Mandatory Values for Preferences


In this exercise, you use the Desktop Profile Editor and gconftool-2 to manage
mandatory preferences.
In task I, you use gconf-editor to disable access to the command line on the GNOME
desktop.
In task II, you use gconftool-2 to undo the setting you made in task I, because you
will need the command line later in this course.
In task III, you undo the settings you made in the previous exercise to allow mounting
CDs/DVDs. Use gconf-editor for this.
You will find this exercise in the workbook.
(End of Exercise)


Objective 3

Use PolicyKit to Configure Application Policies


Using PolicyKit, you can start applications with user permission and assign them root
permission later. You can allow users to execute system management tasks without
making them root.
To use PolicyKit, you should know the following:

Understand the PolicyKit Architecture on page 47

Use the Authorization Dialog on page 48

Manage Authorizations at the Command Line on page 52

NOTE: The documentation of PolicyKit is available on the freedesktop.org Website (http://hal.freedesktop.org/docs/PolicyKit).

Understand the PolicyKit Architecture


PolicyKit assumes that a program has two parts:

Mechanism. Runs privileged (with no user interface elements).

Policy Agent. Runs unprivileged.

The two parts of the program are in different processes and communicate through
some IPC mechanism such as pipes or the system message bus (D-Bus). In some
instances the Mechanism can be seen as part of the OS and the policy agent as part of
the desktop stack.
The Mechanism should never trust any application that tries to use it. First, the Mechanism has to evaluate all data and requests passed to it from the application.
Examples where this model is used are HAL and NetworkManager:
Figure 2-5: HAL and NetworkManager

The entities that a Mechanism cares about can be split into three groups:

Subject. The entity requesting the Action (e.g., an unprivileged application).


Object. Some canonical representation of the object (e.g., a device file, a network connection, a reference to the power management subsystem).

Action. What the subject is attempting to do to the object (e.g., mounting a block
device, establishing a dial-up connection, putting the system into a suspended
state, changing the time zone, gaining access to a webcam).

The Mechanism identifies the subject, using ConsoleKit, and collects all the relevant
information about the subject. This information includes:

User ID

Process ID

An identifier for the desktop session and whether the session is active (e.g., currently showing on a display), whether it is local and, if it is remote, the address of the remote display

Optional OS-specific attributes (such as the SELinux security context)

Second, the Mechanism creates an object that represents the action that the subject wants to be executed. One example of such an object is org.freedesktop.hal.storage.mount-removable, which represents the action of mounting a removable device.
Based on this information, the authorization database decides whether the action can be executed, executed only after an additional required authentication, or not executed.

Use the Authorization Dialog


A graphical tool is available in GNOME to manage your authorizations. You can start it by selecting More Applications > Tools > Authorizations or by entering polkit-gnome-authorization at a terminal.


Figure 2-6: The Authorization Dialog

In the left frame you see a tree structure where all possible actions are listed and
grouped. The right frame has three parts:

Action. Identifier, Description, and Vendor of the software module are shown
here.

Implicit Authorizations. Shows the authorizations that apply to all users that fulfill certain criteria (they are on a local console, for example). Implicit Authorizations are stored in /var/lib/PolicyKit-public/.

Explicit Authorizations. Shows the authorizations that are set for single users.
Explicit Authorizations are stored in /var/lib/PolicyKit/. (You can
define explicit authorizations only for users that have an account on the system.)

In the Authorizations dialog, you can configure two kinds of authorization:

Implicit Authorization on page 50

Explicit Authorization on page 51


Implicit Authorization

PolicyKit recognizes three basic types of users:

Anyone. All users.

Console. All users that are logged in to a console (active and inactive sessions).

Active Console. All users that are logged in to an active console (e.g., currently
showing on a display).

NOTE: The ConsoleKit daemon determines whether a session is active or inactive, or local or not.
ConsoleKit is a framework for defining and tracking users, login sessions, and seats. For more
information see the freedesktop.org-wiki (http://www.freedesktop.org/wiki/Software/ConsoleKit).

If you want to change the implicit authorizations, select Edit and another dialog
appears.
Figure 2-7: Edit Implicit Authorizations

Each menu has the following options:

No. Access denied.

Admin Authentication (one shot). Access denied, but authentication of the caller as an administrative user will grant access to only that caller and only once. The authorization will be revoked.

Admin Authentication. Access denied, but authentication of the caller as an administrative user will grant access to only that caller.

Admin Authentication (keep session). Access denied, but authentication of the caller as administrative user will grant access to any caller in the session the caller belongs to.

Admin Authentication (keep indefinitely). Access denied, but authentication of the caller as administrative user will grant access to any caller with the given UID in the future.


Authentication (one shot). Access denied, but authentication of the caller as himself will grant access to only that caller and only once. The authorization will be revoked.

Authentication. Access denied, but authentication of the caller as himself will grant access to only that caller.

Authentication (keep session). Access denied, but authentication of the caller as himself will grant access to any caller in the session the caller belongs to.

Authentication (keep indefinitely). Access denied, but authentication of the caller as himself will grant access to any caller with the given UID in the future.

Yes. Access granted.

Explicit Authorization

In this part, you can authorize or prevent the execution of a task by system users. Use
the Grant button to specify the users that are allowed to execute the task. Block
allows you to specify the users that are not allowed to execute the task.
The dialog that appears is the same for Grant and Block so the following shows how
to authorize users.
Figure 2-8: Edit (Grant) Explicit Authorization


In the Beneficiary part, you can select a user that will receive the authorization. Select
Show system users to display system users (like root and bin) in the pull-down
menu.
In the lower part of the dialog, you can determine constraints:

None.

Must be in active session.

Must be on local console.

Must be in active session on local console.

Select Grant to activate the authorization.


Once you have created at least one grant or block rule, the Revoke button becomes
active in the Authorizations dialog (see Figure 2-6 on page 49) and you can remove
the selected rule.
The Show authorizations from all users option shows the list of the given explicit
authorizations. If you are running the authentication tool as normal user, you have to
authenticate as root before they are shown.

Manage Authorizations at the Command Line


The configuration of PolicyKit and the defined permissions are included in the /etc/PolicyKit/PolicyKit.conf file. This is an XML file.
NOTE: The man page of PolicyKit.conf can be viewed by man 5 PolicyKit.conf.

You can edit the file directly using a text editor. You can also use some command line
tools to edit PolicyKit.conf. The most important are

polkit-action. Lists and modifies registered PolicyKit actions.

polkit-auth. Manages the authorizations.

polkit-config-file-validate. Validates the PolicyKit.conf file.

polkit-policy-file-validate. Validates a PolicyKit policy file.

set_polkit_default_privs. Installs default settings for privileges that are granted automatically to locally logged-in users.

polkit-action

polkit-action is used to list and modify the PolicyKit actions that are registered on the system. To list the registered PolicyKit actions, use polkit-action without any parameter:
da10:~ # polkit-action
org.gnome.clockapplet.mechanism.settimezone
org.gnome.clockapplet.mechanism.settime
org.gnome.clockapplet.mechanism.configurehwclock
org.freedesktop.hal.lock


org.opensuse.yast.scr.read
org.opensuse.yast.scr.write
org.opensuse.yast.scr.execute
org.opensuse.yast.scr.dir
...

The most important options of polkit-action are

--reset-defaults action. Reset the defaults for the specified action to the factory defaults. The authorization needed to do this is org.freedesktop.policykit.modify-defaults.

--show-overrides. Prints all actions by which the defaults are overridden.

--set-defaults-any action value. Override the any stanza for the given action with the supplied value. The authorization needed to do this is org.freedesktop.policykit.modify-defaults.

--set-defaults-inactive action value. Override the inactive stanza for the given action with the supplied value. The authorization needed to do this is org.freedesktop.policykit.modify-defaults.

--set-defaults-active action value. Override the active stanza for the given action with the supplied value. The authorization needed to do this is org.freedesktop.policykit.modify-defaults.

Valid values for value of the three --set-defaults-* parameters are

no

auth_admin_one_shot

auth_admin

auth_admin_keep_session

auth_admin_keep_always

auth_self_one_shot

auth_self

auth_self_keep_session

auth_self_keep_always

yes

The meaning of these options is described in Implicit Authorization on page 50.
The authorization needed to use the three --set-defaults-* parameters is org.freedesktop.policykit.modify-defaults.
polkit-auth

polkit-auth is used to inspect, obtain, grant and revoke explicit PolicyKit authorizations. If invoked without any options, the authorizations of the calling process will be printed.


With the --show-obtainable option, all actions that can be obtained via
authentication and for which an authorization does not exist are listed.
da10:~ # polkit-auth --show-obtainable
org.gnome.clockapplet.mechanism.settimezoneac
org.gnome.clockapplet.mechanism.settime
org.gnome.clockapplet.mechanism.configurehwclock
org.freedesktop.hal.lock
org.freedesktop.hal.dockstation.undock
org.gnome.gconf.defaults.set-system
org.gnome.gconf.defaults.set-mandatory
...

To authorize a user to perform an action, use the --user user --grant action option. For example (all in one line):
da10:~ # polkit-auth --user geeko --grant org.gnome.clockapplet.mechanism.settime

To prevent a user from executing an action, use --block action. For example (all in one line):
da10:~ # polkit-auth --user geeko --block org.gnome.clockapplet.mechanism.settime

To revoke all authorizations for an action, use --revoke action. For example (all in one line):
da10:~ # polkit-auth --user geeko --revoke org.gnome.clockapplet.mechanism.settime

Adding --user user to --grant, --block, or --revoke means that the authorization is explicit for the specified user. Without --user, the options --grant, --block, and --revoke are valid for all system users.
Another option that allows you to specify a user is --explicit, which shows all explicit authorizations.
da10:~ # polkit-auth --user geeko --explicit
org.gnome.clockapplet.mechanism.settime

To get more detailed information, use the --explicit-detail option:
da10:~ # polkit-auth --user geeko --explicit-detail
org.gnome.clockapplet.mechanism.settime
Authorized: No
Scope: Indefinitely
Obtained: Thu Feb 5 10:25:37 2009 from root (uid 0)


You can also add constraints to --grant and --block. To do so, add the --constraint constraint option. The following values for constraint are the most important ones:

--constraint local. The caller must be in a session on a local console attached to the system.

--constraint active. The caller must be in an active session.

Typically the active constraint is used together with the local constraint to ensure that the caller is only authorized if his session is in the foreground. This is typically used for fast user switching (multiple sessions on the same console) to prevent inactive sessions from performing privileged operations like spying (using a webcam or a sound card) on the currently active session.
polkit-config-file-validate

polkit-config-file-validate is used to verify that a given PolicyKit configuration file is valid. If no path to a config file is given, the default /etc/PolicyKit/PolicyKit.conf file will be verified.
The typical role of this tool is to verify a configuration file before deploying it on one
or more machines.
polkit-policy-file-validate

polkit-policy-file-validate is used to verify that one or more PolicyKit .policy files are valid.
Normally this tool is used in the software release process and during software
installation.
set_polkit_default_privs

The set_polkit_default_privs program installs default settings for privileges that are granted automatically to locally logged-in users by PolicyKit.
The default settings are stored in the following files:

/etc/polkit-default-privs.local

/etc/polkit-default-privs.standard

/etc/polkit-default-privs.restrictive

In the /etc/sysconfig/security file, you can specify whether you want to use the standard or the restrictive default settings. To do so, set the POLKIT_DEFAULT_PRIV variable to standard or restrictive.
The file polkit-default-privs.local is applied in all cases.
The /etc/polkit-default-privs.* files are line based and space delimited.
Lines starting with # are comments.


The first column lists the privilege names. The second column lists the PolicyKit
default setting. A default setting consists of three values separated by colons, as in the
following:
org.freedesktop.hal.device-access.cdrom auth_admin_keep_always:yes:yes

The meanings from left to right are:

Any user (here: auth_admin_keep_always)

User not on the active console (here: yes)

User on the active console (here: yes)

If all three values are the same, only one value may be specified without a colon to
shorten the line, as in the following:
org.freedesktop.hal.device-access.modem auth_admin_keep_always
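The following shell script is an added example and is not part of the manual or of the polkit-default-privs package. It parses lines in the /etc/polkit-default-privs.* format, expands the single-value shorthand into the three explicit values (any user, user not on the active console, user on the active console), and flags lines whose values are not among those listed for polkit-action above. The function names expand_polkit_privs and is_valid_priv_value and the sample lines (including the constructed action org.example.constructed-action) are assumptions made for this example.

```shell
# Added example, not from the Novell manual or the polkit-default-privs
# package: parse /etc/polkit-default-privs.* lines, expand the one-value
# shorthand into any:inactive:active, and reject unknown values before a
# local override is deployed to desktops.
VALID_PRIV_VALUES='no auth_admin_one_shot auth_admin auth_admin_keep_session auth_admin_keep_always auth_self_one_shot auth_self auth_self_keep_session auth_self_keep_always yes'

# is_valid_priv_value VALUE: succeed if VALUE is one of the known settings.
is_valid_priv_value() {
    for v in $VALID_PRIV_VALUES; do
        [ "$1" = "$v" ] && return 0
    done
    return 1
}

# expand_polkit_privs reads privilege lines on stdin and prints
# "<privilege> <any> <inactive> <active>" per line, or "INVALID: <line>"
# when the field count or a value is wrong. Comments and blank lines are skipped.
expand_polkit_privs() {
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*) continue ;;
        esac
        set -- $line
        [ $# -eq 2 ] || { printf 'INVALID: %s\n' "$line"; continue; }
        priv=$1
        setting=$2
        case "$setting" in
            *:*:*)
                any=${setting%%:*}
                rest=${setting#*:}
                inactive=${rest%%:*}
                active=${rest#*:}
                ;;
            *:*)
                # Two values is neither the long nor the short form.
                printf 'INVALID: %s\n' "$line"; continue ;;
            *)
                # Shorthand: one value applies to all three positions.
                any=$setting; inactive=$setting; active=$setting ;;
        esac
        if is_valid_priv_value "$any" && is_valid_priv_value "$inactive" \
           && is_valid_priv_value "$active"; then
            printf '%s %s %s %s\n' "$priv" "$any" "$inactive" "$active"
        else
            printf 'INVALID: %s\n' "$line"
        fi
    done
}

# Constructed sample in the polkit-default-privs.local format; the last
# line carries a deliberate typo in its value.
SAMPLE_PRIVS='# constructed sample, not a real local file
org.freedesktop.hal.device-access.cdrom auth_admin_keep_always:yes:yes
org.freedesktop.hal.device-access.modem auth_admin_keep_always
org.freedesktop.hal.storage.mount-removable auth_admin_keep_always
org.example.constructed-action auth_admin_keep_alway:yes:yes'

# Real-world use: expand_polkit_privs < /etc/polkit-default-privs.local
printf '%s\n' "$SAMPLE_PRIVS" | expand_polkit_privs
```

The expanded form of the mount-removable line matches what set_polkit_default_privs printed earlier in this objective (auth_admin_keep_always in all three positions), so the script can also be used to predict what that command will apply before running it on a workstation.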

SuSEconfig can check PolicyKit default privileges. Setting the CHECK_POLKIT_PRIVS variable in /etc/sysconfig/security to set will change privileges that don't match the default. If you set the variable to warn, a warning is printed when SuSEconfig runs; no disables this check.


Exercise 2-3

Use PolicyKit to Configure Application Policies


In this exercise you will allow user geeko to set the system time. In Task I, you use the graphical authorization dialog to do this. In Task II, you use the command line.
You will find this exercise in the workbook.
(End of Exercise)


Objective 4

Use File System Encryption


If you lose your laptop or your workstation is stolen, it is a risk for your company if the finder (or the thief) can access business data stored on the hard drive. The cost of internal information in the wrong hands is even higher than the cost of the lost hardware.
A BIOS password can be bypassed with master passwords available on the Internet. A user password (and also the root password) can be reset using live Linux versions that are also available on the Internet.
The only way to protect sensitive data is to encrypt the files or, better, the whole file system where your personal data is stored. You have to know about the following:

Using YaST Partitioner to Encrypt a Partition on page 58

Mount an Encrypted File System on page 61

Encrypt a Partition Manually on page 63

Using YaST Partitioner to Encrypt a Partition


You can change the partitioning of your hard drives during the installation of SUSE
Linux Enterprise Desktop 11 or later using YaST > System > Partitioner.
Figure 2-9: Expert Partitioner


When you add a new partition or edit an existing partition, you can activate file system encryption. To do so, you have to (re-)format the partition.
Figure 2-10: Edit a Partition

When you activate Encrypt file system and select Finish, you are prompted to enter a password that is used later for the decryption.


Figure 2-11

Enter the Password to Decrypt the Partition Later

The password has to have at least eight characters.


NOTE: If you forget the password you entered here, all data on the partition will be lost.

In the Expert Partitioner dialog, an encrypted partition is marked with C in the Format column (labeled with F).
Figure 2-12

The Third Partition Is Marked as Encrypted


Mount an Encrypted File System


A file system can be mounted in two ways:

Mount Automatically During the System Boot

Mount Manually

Mount Automatically During the System Boot

When you activate the partition that is mounted automatically during the system boot,
you are prompted to enter the decryption password during the boot process:
Figure 2-13

Boot Process Prompts for the Key to Mount an Encrypted File System

The two start scripts /etc/init.d/boot.crypto and /etc/init.d/boot.crypto-early are responsible for this.
When the system is running and you have entered the decryption password correctly, there is an entry in the /etc/fstab file similar to the following:
/dev/mapper/cr_sda3  /data  ext3  acl,user_xattr,noauto  0 0

A mapper device is generated in /dev/mapper/ that is used to decrypt the encrypted partition.
An /etc/crypttab file is also available. It includes static information about encrypted file systems. For example:
cr_sda3  /dev/sda3  none  none

Each line in this file has four columns:

The first entry specifies the mapped device name (cr_sda3).

The second column specifies the special block device that should hold the
encrypted data (/dev/sda3).

The third column specifies a file containing the raw binary key to use for
decrypting (none).
If this is none, the key (e.g., password) will be read interactively from the
console.

The fourth column specifies setup options associated with the encryption process
(none).

NOTE: /etc/crypttab and the mapper device are not generated when you deactivate the mount option in the YaST Expert Partitioner.


To mount the encrypted partition during system boot, you have to make sure that the start script boot.crypto in /etc/init.d/ is activated. If it is not, activate it by entering insserv boot.crypto.
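The four crypttab columns and the fstab entry above have to agree: a crypttab line with no matching fstab entry is unlocked at boot but never mounted, and an fstab line for a mapper device that no crypttab line creates fails with the "special device does not exist" error. As an added example that is not part of the manual, the following script cross-checks the two files; the crypttab and fstab contents are constructed sample data modelled on the examples above, and on a live system the contents of /etc/crypttab and /etc/fstab are passed instead.

```shell
#!/bin/bash
# Added example, not part of the SLED manual: cross-check /etc/crypttab against
# /etc/fstab.  For every crypttab mapping it reports where the key comes from
# (interactive passphrase or key file) and whether /dev/mapper/<name> is mounted
# via fstab.  A mapping without an fstab line is unlocked at boot but never
# mounted; an fstab line without a crypttab mapping fails at boot with
# "special device /dev/mapper/<name> does not exist".
set -u

# Constructed sample files modelled on the manual's examples (not taken from a
# real system).  On a live system use "$(cat /etc/crypttab)" and "$(cat /etc/fstab)".
SAMPLE_CRYPTTAB='# name     device     keyfile         options
cr_sda3      /dev/sda3  none            none
cr_sdb1      /dev/sdb1  /root/sdb1.key  luks
cr_sdc1      /dev/sdc1  none            none'

SAMPLE_FSTAB='/dev/sda2            /      ext3  acl,user_xattr         1 1
/dev/mapper/cr_sda3  /data  ext3  acl,user_xattr,noauto  0 0
/dev/mapper/cr_sdb1  /srv   ext3  acl,user_xattr         0 0
/dev/mapper/cr_sdd1  /old   ext3  defaults               0 0'

# key_source <third crypttab column>
# "none" (or "-") means the passphrase is read from the console at boot;
# anything else is the path of a raw binary key file.
key_source() {
    case "$1" in
        none|-) printf 'interactive\n' ;;
        *)      printf 'keyfile:%s\n' "$1" ;;
    esac
}

# fstab_entry <fstab-text> <mapping-name>
# Prints "<mountpoint> <options>" for /dev/mapper/<name>, or nothing at all.
fstab_entry() {
    printf '%s\n' "$1" | awk -v dev="/dev/mapper/$2" '$1 == dev { print $2, $4 }'
}

# check_crypttab <crypttab-text> <fstab-text>
# One line per mapping:  NAME DEVICE KEYSOURCE MOUNTPOINT STATUS
# STATUS is "auto" (mounted via fstab), "noauto" (left to boot.crypto or a
# manual mount, as in the manual's example) or "NOT-IN-FSTAB".
check_crypttab() {
    printf '%s\n' "$1" | while read -r name dev key opts; do
        case "$name" in ''|\#*) continue ;; esac      # skip blanks and comments
        entry=$(fstab_entry "$2" "$name")
        if [ -z "$entry" ]; then
            mnt='-'; status='NOT-IN-FSTAB'
        else
            mnt=${entry%% *}
            case ",${entry#* }," in
                *,noauto,*) status='noauto' ;;
                *)          status='auto' ;;
            esac
        fi
        printf '%s %s %s %s %s\n' "$name" "$dev" "$(key_source "$key")" "$mnt" "$status"
    done
}

# orphan_fstab_mappers <crypttab-text> <fstab-text>
# Prints the names of /dev/mapper devices that fstab mounts but that no
# crypttab line sets up.
orphan_fstab_mappers() {
    printf '%s\n' "$2" |
        awk '$1 ~ "^/dev/mapper/" { sub("^/dev/mapper/", "", $1); print $1 }' |
        while read -r name; do
            printf '%s\n' "$1" |
                awk -v n="$name" '$1 == n { found = 1 } END { exit !found }' ||
                printf '%s\n' "$name"
        done
}

echo "crypttab mappings (name device key mountpoint status):"
check_crypttab "$SAMPLE_CRYPTTAB" "$SAMPLE_FSTAB"
echo "fstab mapper devices with no crypttab line:"
orphan_fstab_mappers "$SAMPLE_CRYPTTAB" "$SAMPLE_FSTAB"
```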
Mount Manually

To understand what is going on in the automatic mount process, you have to know
how to mount an encrypted file system manually.
If you try to mount an encrypted file system manually, an error message appears:
da10:~ # mount /dev/sda3 /mnt
mount: unknown filesystem type 'crypto_LUKS'
da10:~ #

The technology used to mount encrypted file systems is called dm-crypt (dm
means device mapper). This technology has been available in the Linux kernel
since version 2.6.
In SUSE Linux Enterprise 11 a technology called LUKS is used that allows you to
use multiple passphrases for the partition.
There are two steps to mount an encrypted partition:
1. Create a Device Mapper


The tool you use to create a device mapper is cryptsetup, which conveniently sets up dm-crypt managed device-mapper mappings.
To create a device mapper using LUKS, enter
cryptsetup luksOpen /dev/encrypted_partition dm_name
For example:
da10:~ # cryptsetup luksOpen /dev/sda3 cr_sda3
Enter LUKS passphrase:
key slot 0 unlocked.
Command successful.
da10:~ #

You are prompted to enter the password for the file system encryption.
If the password is correct, you can see the device mapper file in /dev/
mapper/.
da10:~ # ls /dev/mapper/
control cr_sda3
da10:~ #
2. Mount the Mapper Device


Once you have the device mapper created, you can use mount to mount the
device mapper. For example:
da10:~ # mount /dev/mapper/cr_sda3 /data
da10:~ #


To unmount an encrypted partition, you can use umount. For example:


da10:~ # umount /data/
da10:~ #

If you do not do anything else, you are able to remount the partition at any time without being prompted for the password.
To securely unmount an encrypted partition, you have to remove the device mapper after the umount command. For this you also use cryptsetup, with the following syntax:
cryptsetup luksClose dm_name
For example:
da10:~ # cryptsetup luksClose cr_sda3
da10:~ # mount /dev/mapper/cr_sda3 /data
mount: special device /dev/mapper/cr_sda3 does not exist
da10:~ #
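A mapping that was unmounted without luksClose is easy to spot, because it survives in /dev/mapper while nothing is mounted on it. As an added example that is not part of the manual, this script lists dm-crypt mappings that are open but no longer mounted; it runs on constructed sample data modelled on the da10 session above, and the --live switch reads the real /dev/mapper and /proc/mounts instead (it only lists, it closes nothing).

```shell
#!/bin/bash
# Added example, not part of the SLED manual: list dm-crypt mappings that are
# still open in /dev/mapper but not mounted anywhere.  "umount /data" alone
# leaves cr_sda3 unlocked, so it can be remounted without the passphrase;
# only "cryptsetup luksClose cr_sda3" removes the mapper device.
set -u

# open_unmounted_mappings <mapper-listing> <mounts-text>
#   <mapper-listing>: names as printed by "ls /dev/mapper", one per line
#   <mounts-text>:    lines in /proc/mounts format: device mountpoint fstype ...
# Prints every mapping name that has no mount entry.  "control" is the
# device-mapper control node, not a mapping, and is skipped.
open_unmounted_mappings() {
    printf '%s\n' "$1" | while read -r name; do
        case "$name" in ''|control) continue ;; esac
        printf '%s\n' "$2" |
            awk -v dev="/dev/mapper/$name" '$1 == dev { found = 1 } END { exit !found }' ||
            printf '%s\n' "$name"
    done
}

# Constructed sample state modelled on the manual's da10 session: cr_sda3 was
# unmounted without luksClose, cr_sdb1 is still mounted on /srv.
SAMPLE_MAPPER='control
cr_sda3
cr_sdb1'
SAMPLE_MOUNTS='/dev/sda2 / ext3 rw,acl,user_xattr 0 0
/dev/mapper/cr_sdb1 /srv ext3 rw,acl,user_xattr 0 0'

if [ "${1:-}" = "--live" ]; then
    # Real system: listing only.  Closing a stale mapping is the administrator's
    # decision, done with "cryptsetup luksClose <name>" as shown in the manual.
    open_unmounted_mappings "$(ls /dev/mapper)" "$(cat /proc/mounts)"
else
    echo "open but unmounted mappings (sample data):"
    open_unmounted_mappings "$SAMPLE_MAPPER" "$SAMPLE_MOUNTS"
fi
```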

Encrypt a Partition Manually


The cryptsetup command can be used to create an encrypted file system on a
partition. The syntax is
cryptsetup -y luksFormat /dev/partition
The -y parameter makes cryptsetup ask for the passphrase twice, which guards against typing errors. On SLED 11 this option is set by default.
da10:~ # cryptsetup -y luksFormat /dev/sda3
WARNING!
========
This will overwrite data on /dev/sda3 irrevocably.
Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
Command successful.
da10:~ #

Once the partition is formatted, you can create the device mapper.
da10:~ # cryptsetup luksOpen /dev/sda3 cr_sda3
Enter LUKS passphrase:
key slot 0 unlocked.
Command successful.
da10:~ #

Now you can create a file system on the encrypted partition. For example:

da10:~ # mkfs.ext3 /dev/mapper/cr_sda3


mke2fs 1.41.1 (01-Sep-2008)
Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
33120 inodes, 132407 blocks
6620 blocks (5.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=138412032
5 block groups
32768 blocks per group, 32768 fragments per group
6624 inodes per group
Superblock backups stored on blocks:
32768, 98304
Writing inode tables: done
Creating journal (4096 blocks): done
Writing superblocks and filesystem accounting information: done
This filesystem will be automatically checked every 30 mounts or
180 days, whichever comes first. Use tune2fs -c or -i to override.
da10:~ #

Then you are able to mount the new encrypted file system.
da10:~ # mount /dev/mapper/cr_sda3 /mnt
da10:~ #
NOTE: For more information about cryptsetup, read the manual page (man 8
cryptsetup).


Exercise 2-4

Use File System Encryption


On your DA-SLED virtual machine, there is an unused partition. In this exercise, you set up an encrypted file system on this partition using command line tools.
In task I, you view the current partitioning. In task II, you create an encrypted file
system on the free partition sda3. In task III, you enable mounting of the encrypted
partition during system boot.
You will find this exercise in the workbook.
(End of Exercise)


Summary

The following is a summary of what you learned in the course objectives.

Objective: Control Mounting of CD-ROM, DVD, and USB Devices

What You Learned: Removable media are usually mounted automatically. You can disable this automatic mounting by

Using gconf and editing /etc/fstab

Using kernel modules

Using udev

Removing hardware

Objective: Define Mandatory Settings with GConf and Desktop Profiles

What You Learned: The system used for storing application preferences in GNOME is GConf. GConf provides a preferences database, similar to a simple file system. To change data in the database, you can use

gconf-editor

gconftool-2

The gconf-editor interface lists keys to lock down the desktop in the tree on the left under Desktop > Gnome > Lockdown.


Objective: Use PolicyKit to Configure Application Policies

What You Learned: PolicyKit assumes that a program has two parts:

Mechanism. Runs privileged (with no user interface elements).

Authentication Agent. Runs unprivileged.

You can start the graphical tool to manage your authorizations by selecting More Applications > Tool > Authorizations or entering polkit-gnome-authorization in a terminal.
You can edit the file directly using a text editor. But there are also some command line tools available that can be used to edit PolicyKit.conf. The most important are

polkit-action. Lists and modifies registered PolicyKit actions.

polkit-auth. Manages the authorizations.

polkit-config-file-validate. Validates the PolicyKit.conf file.

polkit-policy-file-validate. Validates a PolicyKit policy file.

set_polkit_default_privs. Installs default settings for privileges that are granted automatically to locally logged-in users.

Objective: Use File System Encryption

What You Learned: The only way to protect sensitive data is to encrypt the file or, better, the whole file system where your personal data is stored.
The YaST Partitioner can create encrypted partitions.
When you activate the partition that is mounted automatically during the system boot, you are prompted to enter the decryption password during the boot process.
The mapper device generated in /dev/mapper/ is used to decrypt the encrypted partition.
You can use the cryptsetup tool to

Create a device mapper

Delete a device mapper

Format a partition for encryption


SECTION 3

Use the NetworkManager to Configure the Network

NetworkManager is the ideal solution for a mobile workstation. With NetworkManager, you do not need to worry about configuring network interfaces and
switching between networks when you are moving. NetworkManager can
automatically connect to known WLAN networks. If you have two or more
connection possibilities, it can connect to the faster one.
NetworkManager can also manage several network connections in parallel. The
fastest connection is then used as default. Furthermore, you can switch between
available networks manually and manage your network connection using an applet or
widget in the system tray.
Figure 3-1

NetworkManager Connected to a Wired Network

Figure 3-2

NetworkManager Connected to a Wireless Network

Section Objectives

In this section, you learn how to do the following:

1. Understand NetworkManager Basics on page 70

2. Access Wired Networks on page 73

3. Access Wireless Networks on page 79

4. Configure VPN on page 83

5. Configure Mobile Broadband Connections on page 87

6. Configure DSL on page 91


Objective 1

Understand NetworkManager Basics


If you want to manage your network connection with NetworkManager, enable
NetworkManager in YaST > Network Devices > Network Settings.

Figure 3-3

Choose Between NetworkManager and ifup in YaST

However, NetworkManager is not a suitable solution for all cases, so you can still
choose between the traditional method for managing network connections (ifup) and
NetworkManager.
On SLED 11, NetworkManager is enabled by default.
Some differences between ifup and NetworkManager include:

root Privileges. If you use NetworkManager for network setup, you can easily
switch, stop, or start your network connection at any time from within your
desktop environment using an applet. NetworkManager also makes it possible to
change and configure wireless card connections without requiring root
privileges. For this reason, NetworkManager is the ideal solution for a mobile
workstation.
Traditional configuration with ifup also provides some ways to switch, stop, or
start the connection with or without user intervention, like user-managed devices,
but it always requires root privileges to change or configure a network device.
This is often a problem for mobile computing, where it is not possible to
preconfigure all connection possibilities.

Types of Network Connections. Both traditional configuration and NetworkManager can handle network connections with a wireless network (with
WEP, WPA-PSK, and WPA-Enterprise access), dial-up, and wired networks
using DHCP and static configuration. They also support connection through
VPN.
NetworkManager tries to keep your computer connected at all times using the
best connection available. If the network cable is accidentally disconnected, it
tries to reconnect. It can find the network with the best signal strength from the
list of your wireless connections and automatically use it to connect. To get the
same functionality with ifup, a great deal of configuration effort is required.


After having enabled NetworkManager in YaST, configure your network connections in a dialog available in GNOME.
Figure 3-4

GNOME Network Connection Dialog for NetworkManager

You can start this dialog in two ways:

From the GNOME Control Center by selecting System > Network Connections
or

By right-clicking the NetworkManager icon in the system tray and selecting Edit
Connections.

NOTE: If your system tray does not display the GNOME NetworkManager applet, the applet is
probably not started. You can start it manually by entering nm-applet at the command line.

The GNOME dialog shows tabs for all types of network connections:

Wired

Wireless

Mobile Broadband

VPN

DSL

NOTE: NetworkManager also supports connections to 802.1X protected networks (see section
802.1x Security on page 74).


NetworkManager recognizes two types of connections:

User connections are connections that become available to NetworkManager when the first user logs in. Any required credentials are provided by the user and when the user logs out, the connections are disconnected and removed from NetworkManager.

System connections can be shared by all users and are made available right after NetworkManager is started, before any users log in. In case of system
connections, all credentials must be provided at the time the connection is
created. Such system connections can be used to automatically connect to
networks that require authorization.


Objective 2

Access Wired Networks


To add a new wired connection, select the Wired tab and then select Add. A dialog
appears.

Figure 3-5

Add a Wired Connection

Enter a connection name and your connection details in the 802.1x Security and
IPv4 Settings tabs (see Specify Connection Details on page 74). If more than one
physical device per connection type is available (for example, your machine is
equipped with two ethernet cards or two wireless cards), specify the MAC address of
the device in order to tie the connection to this device.
When editing each connection, you can also define if NetworkManager should
automatically use this connection (activate Connect Automatically) or
should use this connection system-wide (activate Available to all users).
Such system connections can be shared by all users and are made available right after NetworkManager is started, before any users log in.


Click Apply to confirm your settings. To create and edit system connections, root
permission is required and you have to authenticate. The newly configured network
connection now appears in the list of available networks you get by left-clicking the
NetworkManager applet.
In the following, we will have a closer look at:

Connect to Wired Network on page 74

Specify Connection Details on page 74

Access Wired Networks on page 78

Connect to Wired Network


If your computer is connected to an existing network with a network cable, use the
NetworkManager applet to choose the network connection.
Left-click the applet icon to show a menu with available networks. The currently
used connection is selected in the menu.
Figure 3-6

Available Connections

To switch to another network, select it from the list. To switch off all network
connections (both wired and wireless), right-click the applet icon and uncheck
Enable Networking.

Specify Connection Details


Specify your connection details on the following tabs:

802.1x Security on page 74

IPv4 Settings on page 76

802.1x Security

IEEE 802.1X is an access control standard for computer networks. At the network entry point (e.g., a physical port in a LAN), an Authenticator is responsible for the user's authentication. The Authenticator verifies the user's authentication information by querying an authentication server. Based on the result, the Authenticator allows or denies access to the offered services (LAN, VLAN or WLAN).


Figure 3-7

802.1x Settings for a Wired Connection

If your network is protected by 802.1x, you can activate the Use 802.1X
security for this connection option and specify the needed information.
The following authentication methods can be used:

TLS

Tunneled TLS

Protected EAP (PEAP)

Depending on the selected authentication method, you have to specify more information.


IPv4 Settings

In this tab, you can specify DHCP, DNS, and routes information.
Figure 3-8

IPv4 Settings for a Wired Connection

From the Method menu, you can select one of the following methods:


Automatic (DHCP). You want to get IP address and DNS server information
from a DHCP server available in your network.

Automatic (DHCP) addresses only. A DHCP server is available in your network, but you just want to get an IP address from it. You specify the DNS information manually.

Manual. You have to specify the IP address and the DNS information manually.

Link-Local Only. Your computer is not connected to a network and you need
only the internal virtual network.

Shared to other computers. This option is useful if you have at least two
network devices and one is already configured to access the Internet. You can
create a network connection for the second device and share your Internet
connection with the other computers connected to this shared device.
The internet connection appears in the list of available connections on the clients.
This option configures a private network with NAT, allows forwarding, and runs a lightweight DHCP server on it.
To enter your IP address(es) manually, select Add. Then you can enter IP Address,
Netmask, and Gateway in the Addresses list.
To configure DNS, enter the IP address of your DNS server in the textbox labeled
DNS Servers. In Search Domains you can specify the domains the DNS server is
responsible for.
The DHCP Client ID is an arbitrary identifier sent to the DHCP server to reserve a specific IP address for your machine; usually the MAC address or some other unique ID is used.
Click Routes if you want to configure the routes manually. A dialog appears.
Figure 3-9

Configure the Network Routes Manually

To enter your routes manually, select Add. Then you can enter IP Address, Netmask, Gateway and Metric values in the left frame.
Activate Ignore automatically obtained routes if you want the routes
provided via DHCP to be ignored.


Exercise 3-1

Access Wired Networks


In this exercise, you switch the network of DA-SLED from Host-Only to NAT.
You will find this exercise in the workbook.
(End of Exercise)


Objective 3

Access Wireless Networks


NetworkManager distinguishes two types of wireless connections, trusted and
untrusted.
A trusted connection is any network that you explicitly selected in the past. All others
are untrusted. Trusted connections are identified by the name and MAC address of
the access point. Using the MAC address ensures that you cannot use a different
access point with the name of your trusted connection.
NetworkManager periodically scans for available wireless networks. If multiple
trusted networks are found, the most recently used is automatically selected.
NetworkManager waits for your selection if all networks are untrusted.
If the encryption setting changes but the name and MAC address remain the same,
NetworkManager attempts to connect, but first you are asked to confirm the new
encryption settings and provide any updates, such as a new key.
Available visible wireless networks are listed in the GNOME NetworkManager
applet menu under Wireless Networks. The signal strength of each network is also
shown in the menu. Encrypted wireless networks are marked with a shield icon.
Two things you have to know:

Connect to a Wireless Network on page 79

Configure Your Wireless Card as an Access Point on page 81

Connect to a Wireless Network


To connect to a wireless network, left-click the applet icon and choose an entry from
the list of available wireless networks.


Figure 3-10

Select a WLAN

If the network is encrypted, a dialog opens. Choose the type of Wireless Security the
network uses and enter the appropriate password.
Figure 3-11

Authenticate to Access the WLAN

To connect to a network that does not broadcast its service set identifier (SSID) and, therefore, cannot be detected automatically, left-click the NetworkManager icon and choose Connect to Other Wireless Network.
In the dialog that opens, enter the SSID and set encryption parameters if necessary.


To disable wireless networking, right-click the applet icon and uncheck Enable
Wireless. This can be very useful if you are on a plane or in any other environment
where wireless networking is not allowed.
You also can configure your WLAN access in the Network Connections dialog.
Figure 3-12

Configure Wireless Network

If you switch to offline mode from using a wireless connection, NetworkManager blanks the ESSID. This ensures that the card is disconnected.

Configure Your Wireless Card as an Access Point


If your wireless card supports access point mode, you can use NetworkManager for
configuration.
Select Add in the Wireless tab in the Network Connections dialog. Add the network
name and set the encryption in the Wireless Security dialog.


Figure 3-13

Select WLAN Security

Depending on the selected security, you have to specify some more parameters.
NOTE: Unprotected wireless networks are a security risk.

If you set Wireless Security to None, everybody can connect to your network, reuse your connectivity, and intercept your network connection. To restrict access to your access point and to secure your connection, use encryption. You can choose between various WEP- and WPA-based encryptions.
The IPv4 Settings tab is similar to the same tab in the wired connection configuration
dialog (see section IPv4 Settings on page 76).


Objective 4

Configure VPN
NetworkManager supports several Virtual Private Network (VPN) technologies:

NovellVPN: package NetworkManager-novellvpn

OpenVPN: package NetworkManager-openvpn

vpnc (Cisco): package NetworkManager-vpnc

PPTP (Point-to-Point Tunneling Protocol): package NetworkManager-pptp

To use VPN with NetworkManager, install the appropriate VPN packages first. You
need two packages for each VPN technology: one of the packages above (providing
the generic support for NetworkManager), and the respective desktop-specific
package for your applet.
For GNOME, choose one of the following:

NovellVPN support for GNOME NetworkManager applet: package NetworkManager-novellvpn-gnome

OpenVPN support for GNOME NetworkManager applet: package NetworkManager-openvpn-gnome

vpnc (Cisco) support for GNOME NetworkManager applet: package NetworkManager-vpnc-gnome

PPTP (Point-to-Point Tunneling Protocol) support for GNOME NetworkManager applet: package NetworkManager-pptp-gnome

By default, OpenVPN and vpnc are installed on SUSE Linux Enterprise Desktop 11.
When you select the VPN tab in the Network Configuration dialog (see Figure 3-4 on
page 71), the following dialog appears:
Figure 3-14

Specify the VPN Connection Type


The next dialog depends on your selection. For OpenVPN it looks like this:
Figure 3-15

Add an OpenVPN Connection

At Gateway, enter the IP address of the VPN server you want to connect to.
You can select between four authentication types:

Certificates (TLS). Specify the files of the user certificate, the certificate of the Certification Authority (CA), and the client's private key.
You also have to enter the password for the private key. If you activate Show passwords, the entered password is displayed.

Password. Enter your user name on the VPN server and your password, and specify the file of the CA certificate.


Password with Certificates (TLS). Combination of the first two options. All described information has to be entered.

Static Key. Specify the key file and the local IP address.

If you want to connect to a VPN server, select the NetworkManager icon in the
system tray; then select the connection from the VPN Connections menu.
Figure 3-16

Connect to a VPN Server

The icon in the system tray changes when the connection is established.
Figure 3-17

Connected to a VPN Server

Also use this menu to disconnect from the server.
The connection is cut automatically after some time of inactivity.


Exercise 3-2

Connect to a VPN Server


In this exercise, you install a simple OpenVPN server on DA1 and then create a
VPN tunnel using NetworkManager to connect DA-SLED and DA1.
You will find this exercise in the workbook.
(End of Exercise)


Objective 5

Configure Mobile Broadband Connections


NetworkManager also allows Internet connections using mobile broadband.
In the Network Configuration dialog (see Figure 3-4 on page 71), select the Mobile
Broadband tab to configure your mobile connection. When you select Add, the
following dialog appears:

Figure 3-18

Choose Your Mobile Standard

Two mobile standards can be used:

Configure GSM on page 87

Configure CDMA on page 89

Configure GSM
GSM (Global System for Mobile Communications) is a standard for fully digital
mobile connections. It is mostly used for mobile telephone calls but also for data transfer.
When you create a GSM connection in NetworkManager, you have to fill out the
following dialog:


Figure 3-19

Configure a GSM Connection

You have to enter the following information:

Number. The phone number of your service provider.

Username. Your account name at your service provider.

Password. Your password.

The next options are not required:

APN. The Access Point Name of the provider.

Network. Name of the provider's network.

Type. Type of mobile standard.


You can select one of the following:

Any. Detect the type of available net automatically.

3G (UMTS/HSPA)

2G (GPRS/EDGE)


Prefer 3G (UMTS/HSPA). Prefer the 3G net if both a 3G and a 2G net are
available.

Prefer 2G (GPRS/EDGE). Prefer the 2G net if both a 3G and a 2G net are
available.

Band. Frequency band.

PIN. If your phone card is locked with a PIN, you can specify the PIN here.

PUK. If your phone card is locked with a PUK, you can specify the PUK here.

Configure CDMA
CDMA (Code Division Multiple Access) allows you to transfer various information
on one frequency at the same time.
The American 3G standard cdma2000 is based on CDMA.
When you select the option to create a CDMA connection, the following dialog appears:
Figure 3-20

Configure a CDMA Connection

You have to enter the following information:

Number. The phone number of your service provider.

Username. Your account name.

Password. Your password.


Objective 6

Configure DSL
To configure a DSL connection with NetworkManager, select the DSL tab in the
Network Connection dialog (see Figure 3-4 on page 71); then select Add.

Figure 3-21

Configure DSL Connection

You have to enter the following information:

Number. The phone number of your service provider.

Username. Your account name.

Password. Your password.

If you have more than one DSL card in your computer, you can specify the MAC
address of the card you want to use in the Wired tab.


Figure 3-22

Advanced DSL Settings


Summary
The following is a summary of what you learned in the course objectives.

Objective: Understand NetworkManager Basics
What You Learned:
If you want to manage your network connection with NetworkManager, enable
NetworkManager in the YaST > Network Devices > Network Settings.
NetworkManager also makes it possible to change and configure wireless card
connections without requiring root privileges.
NetworkManager tries to keep your computer connected at all times using the best
connection available.
The GNOME dialog shows tabs for all types of network connections:
Wired
Wireless
Mobile Broadband
VPN
DSL

Objective: Access Wired Networks
What You Learned:
When editing each connection, you can also define if NetworkManager should
automatically use this connection (activate Connect Automatically) or should use
this connection systemwide (activate Available to all users).
You can select one of the following methods:
Automatic (DHCP)
Automatic (DHCP) addresses only
Manual
Link-Local Only
Shared to other computers

Objective: Access Wireless Networks
What You Learned:
NetworkManager distinguishes two types of wireless connections, trusted and untrusted.
NetworkManager periodically scans for available wireless networks.
To disable wireless networking, right-click the applet icon and uncheck Enable Wireless.
If you set Wireless Security to None, everybody can connect to your network, reuse
your connection and intercept your network connection.

Objective: Configure VPN
What You Learned:
NetworkManager supports several Virtual Private Network (VPN) technologies:
NovellVPN: package NetworkManager-novellvpn
OpenVPN: package NetworkManager-openvpn
vpnc (Cisco): package NetworkManager-vpnc
PPTP (Point-to-Point Tunneling Protocol): package NetworkManager-pptp
If you want to connect to a VPN server, select the NetworkManager icon in the system tray
and then select the connection in the VPN Connections menu.

Objective: Configure Mobile Broadband Connections
What You Learned:
Two mobile standards can be used:
GSM
CDMA

Objective: Configure DSL
What You Learned:
To configure DSL, you need the following information:
Number. The phone number of your service provider.
Username. Your account name at your service provider.
Password. Your password.


SECTION 4

Configure and Use IPv6

IPv6 (Internet Protocol Version 6) was designed by the Internet Engineering Task
Force (IETF) to replace the current Internet Protocol version, IPv4. IPv6 not only
overcomes the most obvious shortcoming of IPv4, the imminent shortage of available
IP addresses, but also adds improvements in other areas, like routing and network
autoconfiguration.
This section explains IPv6 and its configuration on SUSE Linux Enterprise Desktop
11.
Objectives

1. Understand IPv6 Theory on page 96

2. Configure IPv6 on SUSE Linux Enterprise 11 on page 101


Objective 1

Understand IPv6 Theory


During recent years, the end of IPv4 has often been predicted, but IPv4 has proven
remarkably resilient. The use of private address ranges within private and company
networks made it possible to use the remaining IPv4 addresses in a more efficient
manner, and classless interdomain routing (CIDR) helped to slow the growth of the
size of routing tables.
However, as more and more devices become able to connect to the internet, the
limitations of IPv4 become more and more relevant. It is not a question of if the shift
to IPv6 has to happen, it is only a question of when.
Within the context of IPv6, you need to understand:

IPv6 Features on page 96

IPv6 Addresses on page 96

IPv6 Address Types on page 97

IPv6 Features
IPv6 addresses the shortcomings of IPv4 with features that include the following:

Increased address space. In IPv4, an IP address is 32 bits long, which is
equivalent to approximately four billion addresses. In IPv6, an IP address is 128
bits long, which allows for a really huge number of addresses:
340,282,366,920,938,463,463,374,607,431,768,211,456 (or approximately
3.4 * 10^38 or, in the US system, 340 undecillion).
To give you some idea of what this number means, it in theory allows about
650 * 10^21 addresses for every square meter of the surface of the earth. For practical
purposes, as not every address will be used for hosts, certainly more than 1,500
addresses remain for every square meter of the earth's surface.

Improvements in routing capabilities.

Simplified header.

Quality of Service (QoS) capabilities.

Authentication and privacy capabilities.

Flexible transition from IPv4 to IPv6 over a longer period of time.

IPv6 Addresses
IPv6 addresses consist of 128 zeroes and ones, which is very unwieldy for humans.
To make them somewhat easier to deal with, they are represented in hexadecimal
format, with four bits (a nibble) represented by digits or characters from 0-9 and a-f
(10-15). To improve readability, a colon is inserted after every four hexadecimal
digits (representing 16 bits):
ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff

A possible address could look like the following:
fe80:0000:0000:0000:0211:11ff:fec2:35f4

For simplification, leading zeroes in each block can be omitted, and one sequence of
16-bit blocks containing only zeroes can be replaced by ::. The above address
could, therefore, be written as follows:
fe80::211:11ff:fec2:35f4

As another example, the localhost address


0000:0000:0000:0000:0000:0000:0000:0001

can be shortened to
::1

IPv6 Address Types


IPv6 addresses can serve different purposes, such as multicast or unicast addresses.
Different leading bits, such as fe80 in one of the examples above, indicate different
types of addresses.
One interface can have more than one IPv6 address.
Similar to IPv4 addresses, IPv6 addresses can be split into network and host parts
using subnet masks. The notation is similar to the CIDR notation used with IPv4:
fe80::211:11ff:fec2:35f4/64

The corresponding network address is


fe80:0000:0000:0000:0000:0000:0000:0000

with a netmask of:


ffff:ffff:ffff:ffff:0000:0000:0000:0000

To be able to differentiate the different IPv6 address types, you need to understand
the following:

Addresses without a Specific Network Prefix on page 97

Network Addresses on page 98

Host Addresses on page 99

Addresses without a Specific Network Prefix

Addresses without a specific network prefix comprise the following:

Localhost on page 97

Unspecified Address on page 98

Localhost

The address for the loopback interface, similar to 127.0.0.1 in IPv4, is


0000:0000:0000:0000:0000:0000:0000:0001


Packets with this address as source or destination are not supposed to leave the
machine.
Unspecified Address

This is the IPv6 equivalent to 0.0.0.0 (or any) in IPv4:


0000:0000:0000:0000:0000:0000:0000:0000

or in short:
::

This address is, for instance, seen in the output of netstat:


da10:~ # netstat -atun
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 :::80                   :::*                    LISTEN
tcp        0      0 :::22                   :::*                    LISTEN

The third colon in the output above separates the address from the port number.
Network Addresses

The network addresses are used to distinguish the following categories:

Link Local Addresses on page 98

Globally Unique Local IPv6 Unicast Addresses on page 98

Global Address Type global unicast on page 99

Link Local Addresses

Link local addresses are valid only on a link of an interface. A packet with a link local
address would not pass a router. They begin with the following (x is any hex
character, but usually 0):
fe8x (this is the only one currently in use)
fe9x
feax
febx

Such an address can be found on each IPv6-enabled interface after stateless
autoconfiguration. It is used for link communications, for instance, to find out if
anyone else is on this link or to locate a router.
Globally Unique Local IPv6 Unicast Addresses

This address type begins with fdxx. (It could also begin with fcxx, but currently this
prefix is not used.)
A part of the prefix (40 bits) is generated using a pseudo-random algorithm
(described in RFC 4193). While it is not impossible that two generated prefixes could
be equal, it is improbable. Therefore, connecting networks that were formerly
independent is not likely to cause problems, because their prefixes will be different.
The Global ID is followed by a 16-bit Subnet ID as an identifier within a site. The
following illustration, taken from RFC 4193, shows the different parts of a globally
unique local IPv6 Unicast address:

| 7 bits |1|  40 bits   |  16 bits  |          64 bits           |
+--------+-+------------+-----------+----------------------------+
| Prefix |L| Global ID  | Subnet ID |        Interface ID        |
+--------+-+------------+-----------+----------------------------+

NOTE: There used to be a site local address type, starting with fecx, fedx, feex, or fefx. However,
its use is deprecated in RFC 3879 and it is replaced by the above.

Global Address Type global unicast

Addresses delegated to Internet Service Providers (ISP) currently begin with
2001:

The following addresses are reserved for examples and documentation and should be
filtered on border routers to the Internet:
3fff:ffff::/32
2001:0DB8::/32

Addresses for tunneling IPv6 packets in IPv4 packets begin with
2002:

Multicast addresses start with ffxy, where x is a hex number and y indicates the scope
(such as y=1: node local; y=2: link local; y=3: site local).
Depending on the host part of the address, different multicast types are addressed
(RFC 4291 / IP Version 6 Addressing Architecture):

All Nodes Address: 1. Addresses all hosts on the local node (ff01:0:0:0:0:0:0:1)
or the connected link (ff02:0:0:0:0:0:0:1).

All Routers Address: 2. Addresses all routers on the local node
(ff01:0:0:0:0:0:0:2), the connected link (ff02:0:0:0:0:0:0:2), or the local site
(ff05:0:0:0:0:0:0:2).

Other types, such as anycast addresses, are not covered in this course.
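As an added example (not part of the manual), this Python table-driven classifier sorts an address into the types listed above, decodes the scope nibble and the well-known group of a multicast address using the RFC 4291 scope values that the text cites (1 node local, 2 link local, 5 site local, as in the ff05::2 example), and flags the ranges that should never appear on the Internet-facing side of a border router. The table and function names are constructed for this example.

```python
import ipaddress

# Prefixes named in the text, most specific first so the first match is the
# right one (the documentation prefixes lie inside the global unicast 2000::/3).
_ADDRESS_TYPES = [
    (ipaddress.IPv6Network("::/128"), "unspecified address (any)"),
    (ipaddress.IPv6Network("::1/128"), "loopback (localhost)"),
    (ipaddress.IPv6Network("fe80::/10"), "link local unicast"),
    (ipaddress.IPv6Network("fec0::/10"), "site local unicast (deprecated, RFC 3879)"),
    (ipaddress.IPv6Network("fc00::/7"), "unique local unicast (fdxx in use)"),
    (ipaddress.IPv6Network("2001:db8::/32"), "documentation prefix: filter at the border"),
    (ipaddress.IPv6Network("3fff:ffff::/32"), "documentation prefix: filter at the border"),
    (ipaddress.IPv6Network("2002::/16"), "6to4 (IPv6 tunneled in IPv4)"),
    (ipaddress.IPv6Network("2000::/3"), "global unicast"),
    (ipaddress.IPv6Network("ff00::/8"), "multicast"),
]

# Scope nibble (the 'y' in ffxy) and well-known group IDs from RFC 4291.
_MULTICAST_SCOPES = {1: "node local", 2: "link local", 5: "site local",
                     8: "organization local", 14: "global"}
_WELL_KNOWN_GROUPS = {1: "all nodes", 2: "all routers"}


def describe_multicast(a: ipaddress.IPv6Address) -> str:
    """Decode ffxy:...:<group> into scope name and group name."""
    scope = a.packed[1] & 0x0F                   # low nibble of the second byte
    group = int.from_bytes(a.packed[2:], "big")  # remaining 112 bits
    scope_name = _MULTICAST_SCOPES.get(scope, f"scope {scope}")
    group_name = _WELL_KNOWN_GROUPS.get(group, f"group {group:x}")
    return f"multicast, {scope_name} scope: {group_name}"


def classify_ipv6(addr: str) -> str:
    """Return the address type; a trailing /prefixlen is ignored."""
    a = ipaddress.IPv6Address(addr.split("/")[0])
    for net, name in _ADDRESS_TYPES:
        if a in net:
            return describe_multicast(a) if name == "multicast" else name
    return "reserved or unassigned"


def should_filter_at_border(addr: str) -> bool:
    """True for source or destination addresses that have no business on the
    Internet-facing side: link local, site local, unique local, unspecified,
    loopback and the documentation prefixes."""
    kind = classify_ipv6(addr)
    return kind.startswith(("link local", "site local", "unique local",
                            "unspecified", "loopback", "documentation"))


if __name__ == "__main__":
    for a in ("fe80::211:11ff:fec2:35f4", "::1", "fd7b:5c7e:40bf:1234::1",
              "2001:db8::1", "2002:102:304::1", "ff02::1", "ff05::2"):
        print(f"{a:28} {classify_ipv6(a)}  filter={should_filter_at_border(a)}")
```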
Host Addresses

The host address can be computed automatically or set manually.

Automatically Computed Host Address on page 100

Manually Set Host Address on page 100

Automatically Computed Host Address

When automatically computed, the MAC address is used and expanded according to
the IEEE-Tutorial Extended Unique Identifier EUI-64 (http://standards.ieee.org/
regauth/oui/tutorials/EUI64.html).
For instance, with a MAC address of 00:11:11:C2:35:D4, the resulting 64-bit
interface identifier is 0211:11ff:fec2:35d4. Together with a network prefix (for
instance, one used for Globally Unique Local IPv6 Unicast Addresses), the following
IPv6 address results:
fd7b:5c7e:40bf:1234:0211:11ff:fec2:35d4
NOTE: The above way of creating the interface identifier has some privacy implications, especially
for mobile devices. When connecting to the Internet using different providers, the network part of
the address changes, while the interface identifier remains the same. This can allow tracking of the
mobile device. RFC 4941 describes ways to mitigate this issue.

Manually Set Host Address

Simpler addresses are easier to remember, so you might want to assign such an address.
It is possible to assign an additional address to the interface of some servers, such as
fd7b:5c7e:40bf:1234::1

In an automatically computed address, the seventh most significant bit (with the count
starting at 1) of the host part is set to 1.
You must set this bit to 0 when setting a host address manually. The reason for this is
convenience; otherwise, the above address would be
fd7b:5c7e:40bf:1234:0200::1

instead of
fd7b:5c7e:40bf:1234::1

Also, some other bit combinations are reserved for anycast addresses, such as all host
bits set to 0 for the subnet router.
NOTE: The Linux IPv6 HOWTO (http://www.tldp.org/HOWTO/Linux+IPv6-HOWTO/) contains more information on IPv6.
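The following Python functions, added here as an example and not taken from the manual, carry out the EUI-64 derivation for the manual's MAC address 00:11:11:C2:35:D4, read the seventh bit (the universal/local bit) that the text says must be 0 for manually chosen addresses, and reverse the derivation, which is how the tracking concern in the NOTE shows up in practice: an interface identifier with ff:fe in the middle and that bit set reveals the hardware address to anyone who sees the IPv6 address. The function names are this example's own.

```python
from typing import Optional


def _iid_bytes(iid: str) -> bytes:
    """Parse a 64-bit interface identifier written as four hex groups."""
    groups = iid.split(":")
    if len(groups) != 4:
        raise ValueError("interface identifier must have four 16-bit groups")
    return bytes.fromhex("".join(g.zfill(4) for g in groups))


def _fmt_iid(b: bytes) -> str:
    return ":".join(b[i:i + 2].hex() for i in range(0, 8, 2))


def eui64_interface_id(mac: str) -> str:
    """Modified EUI-64: insert ff:fe between the two MAC halves and invert
    bit 7 of the first byte (counting the most significant bit as bit 1)."""
    octets = bytes(int(x, 16) for x in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address such as 00:11:11:C2:35:D4")
    first = octets[0] ^ 0x02                       # flip the universal/local bit
    return _fmt_iid(bytes([first]) + octets[1:3] + b"\xff\xfe" + octets[3:])


def slaac_address(prefix: str, mac: str) -> str:
    """Join a /64 prefix given as its first four groups (e.g. 'fd7b:5c7e:40bf:1234')
    with the interface identifier derived from the MAC address."""
    groups = prefix.rstrip(":").split(":")
    if len(groups) != 4:
        raise ValueError("prefix must consist of four 16-bit groups (a /64)")
    return ":".join(g.zfill(4) for g in groups) + ":" + eui64_interface_id(mac)


def universal_local_bit(iid: str) -> int:
    """Bit 7 of the first byte: 1 in a MAC-derived identifier, 0 in one set by hand."""
    return (_iid_bytes(iid)[0] >> 1) & 1


def mac_from_interface_id(iid: str) -> Optional[str]:
    """Reverse the derivation. Returns the MAC address when the identifier has
    the EUI-64 shape (ff:fe in the middle and the bit above set), else None."""
    b = _iid_bytes(iid)
    if b[3:5] != b"\xff\xfe" or universal_local_bit(iid) != 1:
        return None
    octets = bytes([b[0] ^ 0x02]) + b[1:3] + b[5:]
    return ":".join(f"{o:02x}" for o in octets)


if __name__ == "__main__":
    mac = "00:11:11:C2:35:D4"
    iid = eui64_interface_id(mac)
    print(mac, "->", iid, "->", slaac_address("fd7b:5c7e:40bf:1234", mac))
    print("recovered MAC:", mac_from_interface_id(iid))
    print("manual ::1 bit 7 =", universal_local_bit("0000:0000:0000:0001"))
```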


Objective 2

Configure IPv6 on SUSE Linux Enterprise 11


From the kernel to various applications, SLES 11 and SLED 11 support IPv6.
To configure IPv6 on SLE 11, you need to understand the following:

IPv6 Autoconfiguration on page 101

Setting an IPv6 Address Using YaST on page 102

Managing IPv6 Addresses Using the Command Line Tools on page 105

Connecting to Other IPv6 Addresses on page 105

Configure IPv6 on page 111

IPv6 Autoconfiguration
One design goal of IPv6 was to make IP autoconfiguration easier. Even without a
DHCP server, interfaces can obtain a valid IP address.
In the context of IPv6 autoconfiguration, you need to understand the following:

Link Local Autoconfiguration on page 101

Stateless Autoconfiguration on page 102

Link Local Autoconfiguration

By default, a link local address is configured automatically for every network
interface in SLE 11:
da10:~ # ip address show dev eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 100
    link/ether 00:19:d1:9f:17:f4 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::219:d1ff:fe9f:17f4/64 scope link
       valid_lft forever preferred_lft forever

You can use this address to test the link using ping6:
da10:~ # ping6 -I eth0 fe80::219:d1ff:fe9f:1787
PING fe80::219:d1ff:fe9f:1787(fe80::219:d1ff:fe9f:1787) from fe80::219:d1ff:fe9f:17f4 eth0: 56 data bytes
64 bytes from fe80::219:d1ff:fe9f:1787: icmp_seq=1 ttl=64 time=5.47 ms

When pinging a link local address, the -I interface option is required, because
every interface has a link local address and the kernel doesn't know which one to use.
You can detect IPv6 active hosts by using ping6 to ping the link local, all-node
multicast address:
da10:~ # ping6 -I eth0 ff02::1
PING ff02::1(ff02::1) from fe80::219:d1ff:fe9f:17f4 eth0: 56 data bytes
64 bytes from fe80::219:d1ff:fe9f:17f4: icmp_seq=1 ttl=64 time=0.020 ms
64 bytes from fe80::219:d1ff:fe9f:1787: icmp_seq=1 ttl=64 time=5.09 ms (DUP!)

Unlike in IPv4, where replies to a ping to the broadcast address can be disabled using
the /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts file, this behavior cannot be
disabled currently in IPv6, except by local IPv6 firewalling.
Stateless Autoconfiguration

To access the Internet, a host needs an IPv6 address with global scope. The steps to
obtain such an address are as follows:
1. Using its link-local address, the host sends a Solicitation Message to the ff02::2
multicast address (all routers on the local link), asking for an IPv6 prefix.

2. The router answers this Solicitation Message with an Advertisement Message
containing an address prefix for this network.

3. Using this prefix and its MAC address, the host creates an IPv6 address.

4. Using Duplicate Address Detection (DAD, RFC 4862), the host checks if the
address is already in use in the network.
If the address is unused, the host assigns the address to the NIC and activates it.

5. The client can now contact other hosts within the local network using its IPv6
addresses and, depending on the network topology, hosts outside the local
network as well.

The router distributes the network prefix and information on the default route only.
Information that goes beyond this, such as information on DNS or other routes, needs
to be added manually to the configuration or distributed using DHCP6.

Setting an IPv6 Address Using YaST


To set an IPv6 address manually (which is necessary, for instance, on a router), you
use the same dialog in YaST that is used to set IPv4 addresses. The following shows
the dialog that appears during installation:

Figure 4-1

Network Card Setup

Type the IPv6 address in its usual format and the netmask in the CIDR notation, such
as /64, as shown in the figure above.

Select Next. The data you typed appears in the Network Settings Overview:
Figure 4-2

Network Settings Overview

Select OK to close the dialog. YaST writes the configuration information to files in
/etc/sysconfig/network/, such as the ifcfg-eth0 file.
After installation, you can reach the same dialogs by selecting Computer > YaST >
Network Devices > Network Settings.
The settings are written to the /etc/sysconfig/network/ifcfg-ethx file,
as shown below:
BOOTPROTO='static'
BROADCAST=''
ETHTOOL_OPTIONS=''
IPADDR='fd7b:5c7e:40bf:1234::2/64'
MTU=''
NAME='82566DM Gigabit Network Connection'
NETWORK=''
REMOTE_IPADDR=''
STARTMODE='auto'
USERCONTROL='no'
NETMASK=''

Managing IPv6 Addresses Using the Command Line Tools


The ip command can be used for both IPv4 and IPv6 addresses. The following
examples demonstrate the use of the ip command for IPv6. Use the following
command to add an IPv6 address:
da10:~ # ip -6 addr add fd7b:5c7e:40bf:1234::2/64 dev eth0

The current configuration is displayed using the ip address show command
(address and show can be shortened to their first letter). Adding the option -6
limits the output to IPv6 addresses:
da10:~ # ip -6 a s
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 100
    inet6 fd7b:5c7e:40bf:1234::2/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::219:d1ff:fe9f:17f4/64 scope link
       valid_lft forever preferred_lft forever

To delete an address, use ip address delete:
da10:~ # ip -6 addr del fd7b:5c7e:40bf:1234::2/64 dev eth0

The ip command is also used to view, set, and delete routes.
ip -6 route show displays the current routing table:
da10:~ # ip -6 ro sh dev eth0
fd7b:5c7e:40bf:1234::/64 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/64 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 4294967295

Connecting to Other IPv6 Addresses


If your Internet Service Provider (ISP) supplies you with an IPv4 as well as an IPv6
address, you can connect to both worlds without problems.
If you get an IPv4 address only, there are two possible approaches to connect to IPv6
addresses:

6to4-Tunneling on page 105

6in4-Tunneling Using Tunnel Broker on page 110

6to4-Tunneling

ISPs do not yet provide IPv6 addresses as a general practice. However, because one
of the design goals of IPv6 was to make a smooth transition from IPv4 to IPv6
possible, you can start using IPv6 immediately even if you get only an IPv4 address from
your ISP.


Following the method outlined in RFC 3056, a site with a globally unique IPv4
address can be assigned a globally unique IPv6 address based on its IPv4 address.
This is considered an interim solution until the ISP assigns a native IPv6 prefix.
IPv6 addresses used for this purpose have the following format (taken from RFC
3056):

| 3 |  13  |    32     |   16   |            64 bits             |
+---+------+-----------+--------+--------------------------------+
|FP | TLA  | IPv4 Addr | SLA ID |         Interface ID           |
|001|0x0002|           |        |                                |
+---+------+-----------+--------+--------------------------------+

All such addresses, therefore, start with 2002. The abbreviations used above have
the following meaning:

FP: Format prefix

TLA: Top level aggregator

IPv4 Addr: Globally unique IPv4 address (converted to Hex format)

SLA ID: Site level aggregator ID

The other end of the tunnel needs to be capable of dealing with the packets: taking
the IPv6 packet out of the IPv4 packet and then routing it within the IPv6 network.
To facilitate the use of IPv6, the IPv4 anycast address 192.88.99.1 is used to reach the
nearest 6to4 relay router.
Depending on your network topology, you need to do one of the following:

Configure a 6to4 Tunnel on a Host on page 106

Connect the Network behind your 6to4 Gateway on page 108

Install and Configure radvd on page 108

Add a Route to Your 6to4 Gateway on page 109

Configure a 6to4 Tunnel on a Host

Assuming a unique IPv4 address of 1.2.3.4, the steps to configure a 6to4 tunnel are as
follows:

1. Make sure there is a sit0 device visible in the output of ip link show; if not,
load the sit kernel module:
da10:~ # ip link show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:11:11:c2:35:f4 brd ff:ff:ff:ff:ff:ff
da10:~ # modprobe sit
da10:~ # ip link show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:11:11:c2:35:f4 brd ff:ff:ff:ff:ff:ff
3: sit0: <NOARP> mtu 1480 qdisc noop
    link/sit 0.0.0.0 brd 0.0.0.0

2. Calculate the IPv6 address corresponding to your IPv4 address. The following
command can be used:
da10:~ # ipv4="1.2.3.4"; printf \
"2002:%02x%02x:%02x%02x::1" `echo $ipv4 | tr "." " "`
2002:0102:0304::1

3. Create a new tunnel device. In the example below it is called tun6to4, but you
could use some other name for it as well:
da10:~ # ip tunnel add tun6to4 mode sit ttl 63 remote any \
local 1.2.3.4

4. Bring the interface up and set the MTU:
da10:~ # ip link set dev tun6to4 mtu 1280 up

5. Add your local IPv6 address to the tunnel interface using a prefix length of 16:
da10:~ # ip -6 addr add 2002:0102:0304::1/16 dev tun6to4

6. Add a route to the global IPv6 network using the IPv4 anycast address for all
6to4 routers:
da10:~ # ip -6 route add 2000::/3 via ::192.88.99.1 dev tun6to4

7. Test the connection using ping6 to an IPv6-enabled site.
The website of ipv6.org (http://www.ipv6.org/) has a link to a list with such sites.
(At the time of this writing, www.ipv6.org itself also has an IPv6 address.)
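As an added example, not code from the manual, the following Python functions reproduce the address calculation of step 2 and the site prefix used later for the network behind the gateway, with two checks a practitioner wants: the embedded IPv4 address must be globally routable (a private address behind NAT yields a 6to4 prefix the relay can never answer), and any 2002::/16 address seen in a log can be mapped back to the IPv4 endpoint it belongs to. The SLA ID 0x1234 matches the manual's example; the function names are this example's own.

```python
import ipaddress


def is_6to4_eligible(ipv4: str) -> bool:
    """6to4 only works with a globally unique IPv4 address: the relay router
    (192.88.99.1) sends replies to the IPv4 address embedded in the prefix,
    so a private or otherwise non-routable address can never receive them."""
    return ipaddress.IPv4Address(ipv4).is_global


def _ipv4_hex_groups(ipv4: str) -> str:
    """'1.2.3.4' -> '0102:0304', the two 16-bit groups carrying the IPv4 address."""
    if not is_6to4_eligible(ipv4):
        raise ValueError(f"{ipv4} is not a globally unique IPv4 address")
    o = ipaddress.IPv4Address(ipv4).packed
    return f"{o[0]:02x}{o[1]:02x}:{o[2]:02x}{o[3]:02x}"


def sixto4_host_address(ipv4: str, host: int = 1) -> str:
    """The address the manual's printf one-liner prints in step 2:
    2002:<IPv4 in hex>::<host>, i.e. SLA ID 0 and a short host part."""
    if not 0 < host <= 0xFFFF:
        raise ValueError("host part must be between 1 and ffff for this short form")
    return f"2002:{_ipv4_hex_groups(ipv4)}::{host:x}"


def sixto4_site_prefix(ipv4: str, sla_id: int) -> str:
    """The /64 prefix for a network behind the gateway; sla_id is the 16-bit
    Site Level Aggregator ID (the manual uses 1234)."""
    if not 0 <= sla_id <= 0xFFFF:
        raise ValueError("SLA ID must fit in 16 bits")
    return f"2002:{_ipv4_hex_groups(ipv4)}:{sla_id:04x}::/64"


def ipv4_from_sixto4(addr: str) -> str:
    """Map any 2002::/16 address back to the IPv4 tunnel endpoint stored in
    bits 16-47, e.g. to see which IPv4 host a 6to4 packet in a log came from."""
    a = ipaddress.IPv6Address(addr)
    if a not in ipaddress.IPv6Network("2002::/16"):
        raise ValueError(f"{addr} is not a 6to4 address")
    return str(ipaddress.IPv4Address(a.packed[2:6]))


if __name__ == "__main__":
    print(sixto4_host_address("1.2.3.4"))            # 2002:0102:0304::1
    print(sixto4_site_prefix("1.2.3.4", 0x1234))     # 2002:0102:0304:1234::/64
    print(ipv4_from_sixto4("2002:102:304:1234:211:11ff:fec2:35d4"))
    print("private address usable for 6to4?", is_6to4_eligible("192.168.1.10"))
```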
Connect the Network behind your 6to4 Gateway

If you have a second NIC on your host acting as your 6to4 gateway and want to
IPv6-enable the network connected to that NIC, there are a few additional steps you need
to take:

Install and Configure radvd

Add a Route to Your 6to4 Gateway

Install and Configure radvd

When you connect a network to the second NIC of your 6to4 gateway, that host takes
the function of a router. The Router Advertisement Daemon (radvd) distributes the
autoconfiguration information that the clients need to configure their IPv6 addresses
automatically.
The Router Advertisement Daemon is contained in the radvd package, which can be
installed with the yast -i radvd command. Its configuration is contained in the
/etc/radvd.conf file and looks similar to the following:
interface eth0
{
        AdvSendAdvert on;
        #
        # These settings cause advertisements to be sent every 3-10
        # seconds. This range is good for 6to4 with a dynamic IPv4
        # address, but can be greatly increased when not using 6to4
        # prefixes.
        #
        MinRtrAdvInterval 3;
        MaxRtrAdvInterval 10;

        #
        # You can use AdvDefaultPreference setting to advertise the
        # preference of the router for the purposes of default
        # router determination. NOTE: This feature is still being
        # specified and is not widely supported!
        #
        AdvDefaultPreference low;

        #
        # Disable Mobile IPv6 support
        #
        AdvHomeAgentFlag off;

        #
        # example of a standard prefix
        #
        prefix 2002:0102:0304:1234::/64
        {
                AdvOnLink on;
                AdvAutonomous on;
                AdvRouterAddr off;
        };
};


The above example is suitable for a fixed IPv4 address. The configuration file that is
contained in the radvd package also includes an example on how to deal with
dynamic IP addresses that change every time a new connection is established with the
ISP.
Before starting radvd, it is necessary to turn on IPv6 forwarding. This is done with the
following command:
da10:~ # echo 1 > /proc/sys/net/ipv6/conf/all/forwarding

If you want IPv6 forwarding to be turned on every time the system boots, set the
variable IPV6_FORWARD in the /etc/sysconfig/sysctl file to yes:
## Type:        yesno
## Default:     no
#
# Runtime-configurable parameter: forward IPv6 packets.
#
IPV6_FORWARD="yes"

After IPv6 forwarding is turned on, you can start radvd using the rcradvd start
command.
Add a Route to Your 6to4 Gateway

For packets to be routed properly, the following route has to be set on your gateway
host:
da10:~ # ip -6 route add 2002:0102:0304:1234::/64 dev eth0

In the above command (and in the radvd.conf file) 1234 is the site level
aggregator (SLA): the 16 bits between the 48-bit 6to4 prefix 2002:0102:0304 and the
64-bit interface identifier. You can choose it according to your local networking
needs, but it must be written with the trailing "::" as shown, otherwise the prefix is
not valid IPv6 notation.
NOTE: After the above steps are complete, all machines in your network can access IPv6 hosts on
the Internet, and all machines in your network are reachable from the Internet over IPv6. An IPv4
NAT that may have hidden your network so far provides no protection here: every address in the
advertised /64 is globally routable through the tunnel. Set appropriate ip6tables filter rules on the
gateway before you enable forwarding (at minimum, allow only established or related traffic and
ICMPv6 to come in over tun6to4) to prevent attacks on the hosts within your network.

If you are connected to the Internet using a DSL connection, edit the /etc/
radvd.conf file according to the comments in that file that cover dynamic Internet
connections.
When using DSL, you can include the commands to set up the 6to4 tunnel in the
/etc/ppp/ip-up.local file. pppd passes the local IP address of the ppp interface to
this script as its fourth argument, $4:
# /etc/ppp/ip-up.local
# Build IPv6 Tunnel
/sbin/modprobe sit
# $4 contains the local IP on the ppp interface.
/sbin/ip tunnel add tun6to4 mode sit ttl 63 remote any local $4
/sbin/ip link set dev tun6to4 mtu 1280 up
# Derive the 6to4 prefix 2002:aabb:ccdd:: from the dotted-quad IPv4 address.
/sbin/ip -6 addr add $(printf "2002:%02x%02x:%02x%02x::1/16" `echo $4 | tr "." " "`) dev tun6to4
/sbin/ip -6 route add 2000::/3 via ::192.88.99.1 dev tun6to4
# Reload Router Advertisement Daemon to make it advertise
# the new prefix.
/usr/sbin/rcradvd reload
# Set IPv6 route accordingly.
/sbin/ip -6 route add $(printf "2002:%02x%02x:%02x%02x:1234::/64" `echo $4 | tr "." " "`) dev eth0

The /etc/ppp/ip-down.local file would include the commands to take the
tunnel down when the DSL connection is disconnected:
# /etc/ppp/ip-down.local
# Take down the tun6to4 tunnel
/sbin/ip -6 route flush dev tun6to4
/sbin/ip link set dev tun6to4 down
/sbin/ip tunnel del tun6to4
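The gateway procedure above (tunnel, radvd prefix, route, forwarding, and the ip6tables rules the NOTE calls for) as one script. This is an added example; it is not part of the course manual or of SLE 11. It derives the 2002:aabb:ccdd:: prefix from the public IPv4 address with the same printf trick as ip-up.local, generates a matching radvd.conf, and prints the gateway commands instead of running them, in an order that puts the filter rules in place before forwarding is switched on. The interface names tun6to4 and eth0, the SLA 1234, ttl 63, MTU 1280 and the relay anycast address follow the manual; the function names, the filter policy, and the addresses 1.2.3.4 and 192.0.2.10 used in the comments and tests are assumptions made for the example.

```sh
#!/bin/sh
# Added example (not from the course manual): derive the 6to4 prefix from the
# public IPv4 address, generate the matching radvd.conf and print the gateway
# commands, filter rules included, in the order they should run. Nothing is
# executed here; review the output and pipe it to sh as root on the gateway.

# sixto4_prefix 1.2.3.4 -> 2002:0102:0304
# Rejects anything that is not a dotted quad and the ranges no 6to4 relay will
# ever route back to (RFC 1918, loopback, link-local, 0/8): 6to4 needs a
# globally routable IPv4 address.
sixto4_prefix() {
    case "$1" in
        ''|*[!0-9.]*) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] 2>/dev/null || return 1
    done
    case "$1.$2" in
        0.*|10.*|127.*|169.254|192.168) return 1 ;;
        172.*) if [ "$2" -ge 16 ] && [ "$2" -le 31 ]; then return 1; fi ;;
    esac
    printf '2002:%02x%02x:%02x%02x' "$1" "$2" "$3" "$4"
}

# radvd.conf for the inside interface; the advertised /64 is the 6to4 /48 plus
# the site level aggregator ($2, hex digits, default 1234 as in the manual).
radvd_conf() {
    p=$(sixto4_prefix "$1") || return 1
    cat <<EOF
interface eth0
{
    AdvSendAdvert on;
    MinRtrAdvInterval 3;
    MaxRtrAdvInterval 10;
    prefix ${p}:${2:-1234}::/64
    {
        AdvOnLink on;
        AdvAutonomous on;
        AdvRouterAddr off;
    };
};
EOF
}

# Gateway commands. The filter policy is set before forwarding is enabled:
# FORWARD defaults to DROP, the inside /64 may go out, and only replies to it
# plus ICMPv6 (path MTU discovery matters with the 1280-byte tunnel MTU) may
# come back in. The gateway itself likewise accepts only replies and ICMPv6
# arriving through the tunnel.
gateway_commands() {
    v4=$1
    sla=${2:-1234}
    p=$(sixto4_prefix "$v4") || {
        echo "not a usable public IPv4 address: $v4" >&2
        return 1
    }
    cat <<EOF
modprobe sit
ip tunnel add tun6to4 mode sit ttl 63 remote any local $v4
ip link set dev tun6to4 mtu 1280 up
ip -6 addr add ${p}::1/16 dev tun6to4
ip -6 route add 2000::/3 via ::192.88.99.1 dev tun6to4
ip -6 route add ${p}:${sla}::/64 dev eth0
ip6tables -P FORWARD DROP
ip6tables -A FORWARD -i eth0 -o tun6to4 -s ${p}:${sla}::/64 -j ACCEPT
ip6tables -A FORWARD -i tun6to4 -o eth0 -d ${p}:${sla}::/64 -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A FORWARD -i tun6to4 -o eth0 -d ${p}:${sla}::/64 -p icmpv6 -j ACCEPT
ip6tables -A INPUT -i tun6to4 -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A INPUT -i tun6to4 -p icmpv6 -j ACCEPT
ip6tables -A INPUT -i tun6to4 -j DROP
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
rcradvd start
EOF
}

# Usage:  sh this_script.sh 192.0.2.10 [SLA]   (192.0.2.10 stands in for
# your real public address). Prints the plan; nothing is applied.
if [ -n "${1:-}" ]; then
    gateway_commands "$1" "${2:-1234}"
fi
```

Run gateway_commands with your public address, read the output, then pipe it to sh as root; write radvd_conf's output to /etc/radvd.conf first. On a DSL line the same two functions can be called from ip-up.local with $4 in place of a fixed address, which removes the hand-typed hex prefix from the script.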

6in4-Tunneling Using Tunnel Broker

Another approach to access IPv6-based Internet hosts is to enlist the services of a
tunnel broker. In this case, a point-to-point tunnel is established between your host
and the broker's endpoint. Plain 6in4 carries the IPv6 packets directly inside IPv4
(protocol 41) and therefore needs a fixed, public IPv4 address; brokers also offer
UDP-encapsulated variants (SixXS calls its variant AYIYA), which is what makes
the service usable without a unique IPv4 address and from behind a NAT gateway.
A non-profit provider that offers IPv6 tunnels and the needed software for various
operating systems including Linux to interested end users is SixXS (http://
www.sixxs.net/).
Other providers offer a similar service.
6in4 tunneling is not covered in this course. Before you use it, make sure that you
have the agreement of your network administrator: the tunnel carries IPv6 traffic
straight through a firewall that only inspects IPv4, so the tunnel endpoint (and any
network it routes for) becomes reachable from the IPv6 Internet, which often
violates existing security policy.


Exercise 4-1

Configure IPv6
In this exercise, you configure and use different aspects of IPv6.
In the first part you ping6 da1 from da-sled, using the link local IPv6 address. In the
second part, you set a globally unique IPv6 address and configure the router
advertisement daemon to distribute your IPv6 prefix to other machines.
You will find this exercise in the workbook.
(End of Exercise)


Summary

Objective: Understand IPv6 Theory

IPv6 addresses are 128 bits long.
Depending on the network prefix, different kinds of address types exist, such as
link local or global unicast addresses.
The host part of the address can be set automatically, using the MAC address of
the NIC, or manually.

Objective: Configure IPv6 on SUSE Linux Enterprise 11

SLE 11 supports IPv6.
In a private network, radvd allows easy assignment of IPv6 addresses.
Even if your ISP does not assign you a native IPv6 address, 6to4 tunneling allows
you to access IPv6 addresses.


SECTION 5

Integrate SLED 11 into an Active Directory Environment

In this section, you learn how to configure SLED 11 to participate in an Active
Directory environment. You learn how to configure SLED 11 authentication using
Windows domain accounts. You also learn how to access shared domain resources
from SLED 11.
Section Objectives

In this section, you learn how to do the following:

1. Describe How SLED 11 Integrates with Active Directory on page 114

2. Configure Active Directory Integration on page 124

3. Access Shared Domain Resources on page 139


Objective 1

Describe How SLED 11 Integrates with Active Directory

A SLED 11 desktop system can be added to an Active Directory (AD) domain. You
can join existing AD domains and integrate your Linux machine into a Windows
environment. In this configuration, users can authenticate using domain user accounts
and access shared domain resources.
In this objective, you learn how SLED 11 integrates with Active Directory. The
following topics are addressed:

Benefits of Active Directory Integration on page 114

How Windows Networking Works on page 114

How SLED 11 Integrates with an Active Directory Domain on page 119

Benefits of Active Directory Integration


Active Directory (AD) is a directory service based on LDAP and Kerberos and used
by Microsoft Windows networks to manage resources, services, and users. AD
represents these network resources as objects within the directory service. It stores
information about these objects, manages access, and enforces policies.
With SLED 11 configured as an AD client and joined to a domain, you can take
advantage of the following benefits:

Browsing Shared Files and Folders with the Server Message Block (SMB)
Protocol: Users can use Nautilus or Konqueror file managers to browse shared
network resources through SMB.

Sharing Files and Folders with SMB: Users can use Nautilus or Konqueror to
share folders and files.

Accessing and Manipulating User Data on the Windows Server: Users can
access data on Windows servers. They can create, modify, and delete files and
folders.

Offline Authentication: Users can log in to the local Linux system even if they
are offline (when using a laptop, for example) or if the domain controller is
unreachable.

Windows Password Change: The AD integration components in SLED 11
support password policies stored in Active Directory. You can use Linux utilities,
such as passwd, to manage your Windows password.

Single-Sign-On Through Kerberized Applications: Many Linux and Windows
applications are Kerberos-enabled. This allows them to transparently handle
authentication for the user without the need for password re-entry.

How Windows Networking Works


Before discussing how to integrate SLED 11 into an AD domain, you first need to
have a basic understanding of how Windows networking works.
NOTE: A full discussion of Windows networking topics is beyond the scope of this course.


The following topics are addressed here:

The SMB Protocol on page 115

Workgroups on page 117

Domains on page 118

Domain Controllers on page 118

The SMB Protocol

The earliest version of the SMB protocol was developed by IBM in the 1980s. The
protocol was later integrated natively into the Windows desktop and server operating
systems. SMB support has also been integrated into Linux as well. Using the Samba
package, a Linux server or desktop can participate in a Windows network using the
SMB protocol.
SMB is built around shares. Shared resources, such as directories and printers, are
referenced using the Universal Naming Convention (UNC). UNC uses the following
syntax to identify a share:
\\server_name\share_name
For example, if you had a Windows server named DA-W2K3, you could create a
directory named C:\shared as a place for network users to store their files. Using
SMB, you could share this directory as Shared. To reference the share, you would
use a UNC of \\DA-W2K3\Shared.
You can also use a URL to reference an SMB share, as shown below:
smb://server_name/share_name
SMB operates at the Application and Presentation layers of the OSI model. SMB
provides clients with access to the file system and printers on a server. SMB uses the
internal security of the server file system to determine what the client can and cannot
do.
Because it's an upper-layer protocol, SMB can't operate alone. It must be
implemented in conjunction with a middle-layer protocol. A common
implementation is to use SMB in conjunction with the Network Basic Input/Output
System (NetBIOS) protocol on top of IP. Since Windows 2000, SMB can also run
directly over TCP (port 445) without the NetBIOS session layer (port 139); both
variants are still in common use, so a firewall policy for SMB has to cover both ports.
NetBIOS was originally developed in the mid-1980s and is used as the basic
networking protocol for the Windows operating system. NetBIOS operates at the
Session layer of the OSI model. As such, it has no routing capabilities. To make
NetBIOS routable, you have to use it in conjunction with a Network-layer protocol,
such as IPX or IP. This relationship is shown in the figure below:


Figure 5-1
The Relationship Between SMB, NetBIOS, TCP, and IP

When you attempt to open an SMB connection, the NetBIOS protocol is used to
establish a connection at the Session layer between the sending and receiving
systems. Once a NetBIOS session has been established, clients and servers
communicate with each other at the upper layers of the OSI model with the SMB
protocol, using Server Message Blocks (SMBs).
NetBIOS uses a 16-byte name, of which 15 characters are alphanumeric, to uniquely
identify network hosts. The very last byte of a NetBIOS name (called the NetBIOS
Suffix) is not used for the name value. Instead, it is used to identify the type of host. A
workstation will have a value of 00 (hex). A server will have a hex value of 20. A
primary domain controller (PDC) or a backup domain controller (BDC) will have a
hex value of 1C.
Any given system can have both a NetBIOS name and a host name. These two names
are completely separate. Because NetBIOS works on top of IP, you need to be able to
resolve NetBIOS names into IP addresses, just as you need to resolve host names and
DNS names into IP addresses.


In NetBIOS, name resolution is done using a Windows Internet Naming Service
(WINS) server. A WINS server works much like a DNS server. When a NetBIOS
computer is booted on the network, it does the following:

If a WINS server is detected on the network, the NetBIOS computer registers
itself with the server on startup.
If its NetBIOS name is not already in use, the WINS server puts the system's
name and IP address in its database. All other NetBIOS hosts can send queries to
the WINS server to resolve the NetBIOS name into an IP address.

If a WINS server is not detected, the NetBIOS computer will simply broadcast its
NetBIOS name on the network when it boots.
If another system is already using that NetBIOS name, an error will be generated,
indicating that a name conflict exists.
Hosts still need to be able to resolve NetBIOS names into IP addresses. To do this
without a WINS server, a NetBIOS host that needs to contact another host sends
out a broadcast. The host with the requested NetBIOS name responds back with
its IP address.

Workgroups

A workgroup is a logical organization of hosts that have been loosely grouped
together on a network. A workgroup is usually confined to the network hosts on a
single network segment.
To create a workgroup, configure the same workgroup name on all the workstations
and servers that will be members. Once configured, users can browse shared
resources provided by the hosts that are members of the workgroup.
This browsing functionality makes Windows networking much easier for users.
Instead of supplying a UNC path to a shared resource, users can browse through the
workgroup to a particular host and select the desired resource.
NOTE: Browsing works with Windows domains as well as workgroups.

Workgroups don't require a server, although servers aren't prevented from participating
in a workgroup. Windows 9x, ME, NT, 2000, XP, Server 2003, Vista, and Server
2008 systems can all share resources in a workgroup.
In addition, a Samba server or client on Linux can participate in a Windows
workgroup. The other Windows systems in the workgroup don't know the difference
between a Linux Samba system and other Windows hosts.
However, workgroups have a major shortcoming that limits their usefulness. Each
computer system has to maintain its own separate set of user accounts. If users want
to access resources on another system in the workgroup, they must have a user
account configured on the remote system. If users need to use resources located on
multiple systems, they must authenticate separately to each host.


If the user passwords are the same on all hosts, this process works relatively well.
However, if different usernames or passwords are used on each system, access is
denied. Keeping user accounts synchronized in a large workgroup can quickly
become a difficult administrative task.
In addition, because of the way NetBIOS uses broadcasts, it can be difficult to
implement a workgroup on a routed network.
Domains

For the reasons listed above, workgroups usually aren't implemented in large
organizations. Instead, most large Windows networks are configured to use domains.
A Windows domain is a logical grouping of computer systems on a network, much
like a workgroup.
Unlike a workgroup, however, a domain uses a central database of user accounts
which all systems that are members of the domain use for authentication. One or
more servers hold this account database on behalf of the domain.
Domains overcome the weaknesses associated with workgroups. First, domains can
span multiple network segments. In addition, domains also create a single point of
administration.
Domains also eliminate the need for multiple user logins. Because access to all
resources in the domain is controlled by the domain database, users need to
authenticate only once to the domain. After they are authenticated, they can access
whatever domain resources they have access to.
Domain Controllers

The system that hosts the domain database is called the domain controller. The
domain controller is a server that runs a service called the Security Account Manager
(SAM).
Every domain must have one or more domain controllers. On a Windows network,
one server is configured as a primary domain controller (PDC). The PDC is the
authoritative source of domain data.
Each domain can have only one PDC. However, for fault-tolerance purposes, more
than one domain controller should be configured. For redundancy purposes, a
Windows network can be configured with a backup domain controller (BDC). A
BDC has a copy of the domain database from the PDC. If the PDC goes down, the
BDC jumps in and takes over, ensuring that the network keeps working. A domain
can have multiple BDCs.
A BDC is non-authoritative in a Windows network. You cant directly update the
domain database on a BDC. Instead, you make all changes to the PDC domain
database. The PDC then synchronizes the domain with all BDCs in the domain at
periodic intervals. A user can use either a PDC or a BDC to authenticate to the
domain.


It's also possible for a server to exist in a domain without being a PDC or a BDC. It's
called a member server.

How SLED 11 Integrates with an Active Directory Domain


Now that you understand how Windows networking works, you need to learn how
SLED 11 systems can be integrated into an AD domain. The following will be
discussed in this part of this objective:

Active Directory Integration Components on page 119

How the Domain Join Process Works on page 121

Login Support on page 121

Home Directory Support on page 122

Offline Authentication Support on page 123

Active Directory Integration Components

To communicate with the Active Directory service, the SLED 11 client must have the
following protocols configured:

LDAP: LDAP is used to access directory information. An AD domain controller
can use the LDAP protocol to exchange directory information with clients.

Kerberos: Kerberos is a third-party trusted authentication service, enabling
single-sign-on solutions.

To integrate SLED 11 with Active Directory many components must be configured to
work together. These components are shown in the figure below:


Figure 5-2
Active Directory Integration Components

The following components on the Linux client are used to authenticate to an AD
domain:

winbind: The winbind daemon is the key component required for AD
authentication. The winbind daemon is a part of the Samba service and handles
all communication with the AD server.

Name Service Switch (NSS): NSS provides name service information using
nss_winbind. This module interacts directly with the winbind daemon.


Pluggable Authentication Modules (PAM): The following PAM modules are
used to enable AD integration:

pam_unix2: Manages authentication of local users against /etc/passwd and
/etc/shadow. It stays in the stack so that local accounts, root included, keep
working when the domain is unreachable; AD users themselves are authenticated
by pam_winbind.

pam_mkhomedir: Manages the creation of home directories for AD users
on the Linux client system.

pam_winbind: Interacts directly with the winbind daemon and authenticates
domain users against the domain controller.

PAM-Aware Applications: PAM-aware applications, such as login routines and
the GNOME and KDE display managers, interact with the PAM modules and
NSS layer to authenticate to the AD domain controller.
Applications supporting Kerberos authentication, such as file managers, Web
browsers, or email clients, use the Kerberos credential cache to access users'
Kerberos tickets, making them part of the SSO framework.

How the Domain Join Process Works

You join a domain using the YaST Domain Membership module. You can join a
domain during installation of the SLED 11 workstation or after the system has been
installed.
When you join a domain, the Windows server and the Linux client establish a secure
relationship. On the client, the following tasks need to be completed to integrate into
the LDAP and Kerberos SSO environment provided by the AD domain controller:
1. The AD domain controller providing both LDAP and Key Distribution Center
(KDC) services is located.

2. A machine account for the joining client is created in Active Directory.

3. An initial ticket granting ticket (TGT) is obtained for the SLED 11 client and
stored in its local Kerberos credential cache. The client needs this TGT to get
further tickets allowing it to contact other AD services.

4. NSS and PAM are reconfigured to enable the SLED 11 client to authenticate
against the domain controller.

5. During client boot, the winbind daemon is started and retrieves the initial
Kerberos ticket for the machine account.

6. The winbind daemon automatically refreshes the machine's ticket to keep it
valid.

7. The winbind daemon periodically queries the domain controller to keep track of
the current account policies.

Login Support

The GNOME and KDE login managers both support AD domain logins. Users can
choose to log in to the primary domain the SLED 11 client has joined or to a trusted
domain.


User authentication is managed by the PAM modules discussed earlier. The
pam_winbind module is used to authenticate clients against Active Directory or NT4
domains. It supports Windows error conditions that might prohibit a user's login.
The Windows error codes are translated into the appropriate user-readable error
messages that PAM displays at login through any of the supported methods (GDM,
KDM, console, and SSH). The following error messages are supported:

Password Has Expired: A message is displayed indicating the password has
expired and needs to be changed.
The system prompts the user for a new password and warns the user if the new
password does not comply with corporate password policies (for example, the
password is too short, too simple, or already in the history).

Account Disabled: A message is displayed indicating the user's account has
been disabled and that the user should contact the system administrator.

Account Locked Out: A message is displayed indicating the user's account has
been locked and that the user should contact the system administrator.

Password Has To Be Changed: The user is allowed to log in, but a warning is
displayed indicating that the user's password needs to be changed soon. This
warning is sent three days before that password expires. After expiration, the user
cannot log in again.

Invalid Workstation: This message is displayed when a user is only allowed to
log in from specified workstations and the SLED 11 client is not in the
authorized list. A message is displayed indicating the user cannot log in from this
workstation.

Invalid Logon Hours: This message is displayed when a user is only allowed to
log in during specified hours and tries to log in outside those hours. A message is
displayed indicating login is not currently possible.

Account Expired: This message is displayed when you have set an expiration
time for a user account. If the user tries to log in after that time has passed, the
user sees a message indicating the account has expired.

Home Directory Support

SLED 11 supports local home directories for users in the AD domain. If
configured through YaST as described in Joining SLED 11 to an Active Directory
Domain on page 124, a user's home directory is created the first time that AD
user logs in on the SLED 11 client. These home directories look and behave
exactly like standard Linux home directories and are independent of the AD
domain controller.


Using local home directories, it's possible for users to access their data on the SLED
11 workstation, even if the AD server is not reachable. To make this work, however,
the SLED 11 client has to be configured to support offline authentication.
NOTE: Configuring offline authentication is discussed in the next objective in this section.

Offline Authentication Support

Users in a corporate environment frequently need the ability to roam. For example,
they may need to switch networks or even work disconnected for some time.
To enable users to log in to a disconnected machine, extensive caching has been
integrated into the winbind daemon. The winbind daemon continues to enforce
password policies even in the offline state. It tracks the number of failed login
attempts and reacts according to the policies configured in Active Directory.
Offline authentication is disabled by default and must be explicitly enabled in the
YaST Domain Membership module.
Even if the domain controller is unreachable, users can still access network resources
(other than those on the domain controller server itself) with valid Kerberos tickets
that were acquired before losing the connection. However, password changes cannot
be processed until the domain controller is back online.
When the domain controller is available again, the SLED 11 client acquires a new
Kerberos ticket the next time the user locks and then unlocks the desktop (for
example, using the desktop screen saver).


Objective 2

Configure Active Directory Integration

With this background in mind, you're ready to join a SLED 11 workstation to an AD
domain. In this objective, you learn how to do this. The following topics are
addressed:

Joining SLED 11 to an Active Directory Domain on page 124

Join SLED 11 to an Active Directory Domain on page 134

Logging In to an Active Directory Domain on page 134

Managing Domain Passwords on page 136

Log In to the Domain from SLED 11 on page 138

Joining SLED 11 to an Active Directory Domain

Before you can join your SLED 11 workstation to an AD domain, you must make
several adjustments to your networking configuration. Check the following:

DNS: Configure your SLED 11 client to use one of the following:

A DNS server that can forward DNS requests to the AD DNS server

The AD DNS server

WARNING: The AD DNS server must be configured as the first DNS server in your SLED 11
workstation's list of name servers. The client locates the domain controllers through SRV records
(for example _ldap._tcp.dc._msdcs.<domain>) that only the AD DNS zone contains.

NTP: To authenticate via Kerberos, the SLED 11 client must have its time set
accurately. We recommend you use a central NTP time server for this purpose;
however, you can also use the NTP service running on your AD domain
controller.
If the time difference between your SLED 11 workstation and the domain
controller exceeds the KDC's clock skew limit (five minutes by default), Kerberos
authentication will fail and the client will be logged in using weaker NTLM (NT LAN
Manager) authentication.

DHCP: If your SLED 11 client uses dynamic network configuration via DHCP,
you should configure DHCP to provide the same IP address and hostname to the
client each time.

Firewall: To browse your network neighborhood, you must do one of the
following:

Disable the host firewall entirely.

Configure the network interface as part of the internal zone.

Of the two, assigning the interface to the internal zone is preferable; disabling
the firewall exposes every service on the workstation, not just SMB browsing.

AD Account: You cannot log in to an AD domain until the AD administrator has
created a valid user account for you in the domain. Use your AD username and
password to log in to the domain from your SLED 11 client.

AD Administrator Account: Currently, only a domain administrator can join a
SLED 11 workstation to an AD domain.
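The prerequisites above, and steps 1 and 4 of the join process (locating the domain controller through DNS, reconfiguring NSS), can be checked from the shell before and after the join. The following script is an added example, not from the course manual or from YaST. Its parsing functions read stdin, so the same code works on /etc/resolv.conf, on the output of dig +short _ldap._tcp.dc._msdcs.<domain> SRV, and on /etc/nsswitch.conf, as well as on the constructed samples at the end of the script; example.com, the 192.0.2.x addresses and the dc1/dc2/dc3 host names are assumptions made for the example. The 300-second tolerance is the default Kerberos clock skew, and the winbind entries on the passwd and group lines of nsswitch.conf are what the YaST module configures when SMB information is used for Linux authentication.

```sh
#!/bin/sh
# Added example (not from the course manual or from YaST): checks a client
# can run before and after joining an AD domain. The parsing functions read
# stdin so they work on the real files and command output as well as on the
# constructed samples at the bottom; example.com and 192.0.2.x are
# illustrative assumptions.

# First "nameserver" in resolv.conf content. The manual requires this to be
# the AD DNS server: glibc asks the servers in order, and only the AD zone
# holds the _msdcs SRV records the domain join relies on.
first_nameserver() {
    awk '$1 == "nameserver" { print $2; exit }'
}

# Domain controller from "dig +short _ldap._tcp.dc._msdcs.DOMAIN SRV" output
# (one record per line: priority weight port target.). Lowest priority wins,
# then highest weight; a real locator picks randomly by weight, this stand-in
# is deterministic. The trailing dot is stripped.
srv_target() {
    sort -k1,1n -k2,2nr | awk 'NR == 1 { sub(/\.$/, "", $4); print $4; exit }'
}

# Kerberos rejects requests whose timestamp is off by more than the KDC's
# clock skew, 300 s by default; past that the manual says the client falls
# back to NTLM. $1 is the offset as printed by "ntpdate -q dc.example.com"
# (may be negative or fractional; the fraction is ignored).
skew_ok() {
    off=${1#-}
    off=${off%%.*}
    [ "${off:-0}" -le 300 ]
}

# After the join, YaST puts "winbind" on the passwd and group lines of
# /etc/nsswitch.conf so that getent and PAM can see domain users. Content on
# stdin; succeeds only if both lines carry it.
nss_has_winbind() {
    awk '$1 == "passwd:" || $1 == "group:" {
             for (i = 2; i <= NF; i++) if ($i == "winbind") { n++; break }
         }
         END { if (n == 2) exit 0; exit 1 }'
}

# Live checks for a joined client, run as root: machine account still valid,
# trust secret still works, winbind can enumerate domain users.
verify_join() {
    command -v net >/dev/null 2>&1 && command -v wbinfo >/dev/null 2>&1 || return 1
    net ads testjoin && wbinfo -t && wbinfo -u | head -n 3
}

# Constructed sample input standing in for real files and dig output.
sample_resolv='nameserver 192.0.2.53
nameserver 192.0.2.1
search example.com'
sample_srv='10 50 389 dc2.example.com.
0 100 389 dc1.example.com.
0 200 389 dc3.example.com.'
sample_nss='passwd: compat winbind
group:  compat winbind
hosts:  files dns'

# "sh this_script.sh --live" exercises the real files and commands.
if [ "${1:-}" = "--live" ]; then
    printf 'first nameserver: %s\n' "$(first_nameserver < /etc/resolv.conf)"
    printf 'nsswitch has winbind: %s\n' "$(nss_has_winbind < /etc/nsswitch.conf && echo yes || echo no)"
    verify_join
fi
```

Before the join, feed first_nameserver your resolv.conf and srv_target the dig output for your domain, and pass the offset reported by ntpdate -q against that controller to skew_ok; if any of the three fails, the YaST join will either not find the controller or silently fall back to NTLM. After the join, --live confirms that winbind is in the NSS stack and that the machine account and trust secret are valid.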


To join a SLED 11 workstation to an AD domain, complete the following steps:

1. Start YaST on the SLED 11 workstation you want to add to the AD domain by
   selecting Computer > YaST.

2. When prompted, enter your root user's password.

3. Select Network Services > Windows Domain Membership.

   The following is displayed:

   Figure 5-3 Configuring Windows Domain Membership

4. In the Domain or Workgroup field, enter the name of the domain you want to
   join.

   If the DNS settings on your workstation point to the Windows DNS server, enter
   the AD domain name using DNS syntax. If you enter the short name of your
   domain, YaST must rely on NetBIOS name resolution instead of DNS to find the
   correct domain controller.

5. Select Also Use SMB Information for Linux Authentication to use the domain
   controller for Linux authentication.

6. Select Create Home Directory on Login to automatically create local home
   directories for AD users on the SLED 11 workstation.


7. Select Offline Authentication to allow your domain users to log in even if the
   domain controller is unreachable.

   NOTE: For offline authentication to work, users must log in successfully at least once.

8. (Optional) If you want to allow users to share their directories, select Allow
   Users to Share Their Directories.

   This allows users who are members of the group listed in the Permitted Group
   field to share the directories they own with other users. You can limit the number
   of shares users can create by entering the appropriate figure in the Maximum
   Number of Shares field.

   You can also permit access to shares on the SLED workstation without
   authentication by selecting Allow Guest Access.

9. Configure your NTP settings by doing the following:

   a. Select NTP Configuration.

      The following is displayed:

      Figure 5-4 Configuring NTP Settings

   b. Select Now and On Boot.


   c. In the list of NTP time providers, select Add.

      The following is displayed:

      Figure 5-5 Configuring the NTP Time Provider Type

   d. Select Server; then select Next. The following is displayed:


      Figure 5-6 Configuring Time Provider Settings

   e. In the Address field, enter the DNS name or IP address of your domain's
      NTP time provider.

      In the figure above, the NTP service on the domain controller itself was
      automatically detected and entered.

   f. Test the time provider configuration by selecting Test.

      You should see a message indicating the server was reachable and responded
      properly, as shown below:


      Figure 5-7 Verifying Communications with the Time Provider

   g. Select OK > OK.

      You should see the new server added to the list of time providers.

   h. Select the Security Settings tab.

      You should see a screen similar to the following:


      Figure 5-8 Configuring NTP Security Settings

   i. Verify that Open Port in Firewall is selected.

   j. Select OK.

      You are returned to the Windows Domain Membership screen.

10. Select OK to start the domain join process.

    You are prompted that the workstation is not a member of the domain, as shown
    below:


    Figure 5-9 Joining the Domain

11. Select Yes to join the domain.

    You are prompted to authenticate as the Administrator user in the domain, as
    shown below:


    Figure 5-10 Authenticating to the Domain

12. Enter your Administrator password; then select OK.

    Wait while the SLED workstation is added to the domain. When complete, you
    should be prompted that the domain join was successful, as shown below:


    Figure 5-11 Domain Join Complete

13. Select OK.

14. You may be prompted to install the samba-winbind and krb5-client packages. If
    so, do the following:

    a. If necessary, insert your SLED 11 installation media into your optical drive.

    b. Select Install.

       Wait while the packages are installed and the system configuration is written.

15. When prompted to reboot, select OK.

16. Reboot your workstation.
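After the reboot, a quick way to confirm the join worked is to check what YaST wrote and to ask winbind itself. The script below is an added example, not part of the course; it assumes the standard paths /etc/samba/smb.conf and /etc/nsswitch.conf and the net and wbinfo tools shipped with samba-winbind, and it uses the course's sample DIGITALAIRLINES\tuxpenguin account for the name lookup.

```shell
#!/bin/sh
# verify_ad_join.sh - confirm the state left behind by the domain join: what
# YaST wrote to smb.conf and nsswitch.conf, and whether winbind can still talk
# to the domain. Added example, not part of the course; DIGITALAIRLINES and
# tuxpenguin are the course's sample domain and user.
#
# Usage: sh verify_ad_join.sh --live     (on the joined workstation, as root)

# Print one key from the [global] section of an smb.conf-style file, or
# nothing if it is unset. Samba keys are case-insensitive and may carry
# blanks around "="; both are handled. $1 = key, $2 = file.
smbconf_global() {
    awk -v key="$1" '
        BEGIN { key = tolower(key) }
        /^[ \t]*\[/ { insec = (tolower($0) ~ /^[ \t]*\[global\]/); next }
        insec && !/^[ \t]*[#;]/ && index($0, "=") {
            k = tolower(substr($0, 1, index($0, "=") - 1))
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$2"
}

# Exit 0 when both the passwd and group databases in an nsswitch.conf list
# the winbind source (needed for getent and login to see domain users).
# $1 = file.
nss_has_winbind() {
    for db in passwd group; do
        awk -v db="$db" '
            $1 == (db ":") { for (i = 2; i <= NF; i++) if ($i == "winbind") found = 1 }
            END { if (found) exit 0; exit 1 }' "$1" || return 1
    done
}

# Pure configuration check: security = ads, a realm set, winbind in NSS.
# $1 = smb.conf, $2 = nsswitch.conf
config_looks_joined() {
    sec=$(smbconf_global security "$1" | tr 'A-Z' 'a-z')
    [ "$sec" = "ads" ] || return 1
    [ -n "$(smbconf_global realm "$1")" ] || return 1
    nss_has_winbind "$2"
}

# Live checks against the real system, only when asked for.
if [ "${1:-}" = "--live" ]; then
    if config_looks_joined /etc/samba/smb.conf /etc/nsswitch.conf; then
        echo "config  ok    security = ads, realm set, winbind in nsswitch.conf"
    else
        echo "config  FAIL  smb.conf or nsswitch.conf is not what the join should have written"
    fi
    # Is the machine account still accepted by a domain controller?
    if net ads testjoin >/dev/null 2>&1; then echo "join    ok"; else echo "join    FAIL  (net ads testjoin)"; fi
    # Is the winbind trust secret valid?
    if wbinfo -t >/dev/null 2>&1; then echo "trust   ok"; else echo "trust   FAIL  (wbinfo -t)"; fi
    # How many domain users can winbind enumerate?
    echo "users   $(wbinfo -u 2>/dev/null | wc -l) visible via winbind"
    # Can NSS resolve a domain user in the DOMAIN\user form used at login?
    if getent passwd 'DIGITALAIRLINES\tuxpenguin' >/dev/null 2>&1; then
        printf '%s\n' 'nss     ok    DIGITALAIRLINES\tuxpenguin resolves'
    else
        printf '%s\n' 'nss     FAIL  getent cannot resolve DIGITALAIRLINES\tuxpenguin'
    fi
fi
```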


Exercise 5-1

Join SLED 11 to an Active Directory Domain

In this exercise, you join your SLED 11 workstation to an Active Directory domain
hosted on a Windows server.

This exercise is in your workbook.

(End of Exercise)

Logging In to an Active Directory Domain

After you have joined the SLED 11 workstation to the AD domain, you can log in to
the domain from the GNOME or KDE desktop login screens, from the shell prompt,
and from any other PAM-aware application.

To authenticate to the domain from GNOME, do the following:

1. In the Login menu at the bottom of the screen, select your domain from the list
   displayed.

   An example is shown below:

   Figure 5-12 Selecting a Domain for Login

2. Type your domain username in the Username field and press Enter.

3. Enter your domain user's password in the Password field.

   You are logged in as the domain user. In the figure below, the tuxpenguin user
   account in the DIGITALAIRLINES domain has been used to authenticate to the
   SLED workstation.


Figure 5-13 Authenticating as a Domain User

Notice in the figure above that a new home directory was created for the tuxpenguin
user because the Create Home Directory on Login option was marked when the
workstation was added to the domain.

In this configuration, all domain users have their home directories created within the
/home/domain_name directory when they first authenticate to the system. In the
example above, the tuxpenguin domain user's home directory is created in
/home/DIGITALAIRLINES/tuxpenguin, as shown below:

Figure 5-14 Domain Users' Home Directories

NOTE: The process for logging in to the domain from the KDE desktop is similar.


In addition to logging in from GNOME and KDE, you can also authenticate to the
domain from the login: prompt. To do this, enter domain_name\user_name at the
login: prompt and then provide the domain user's password.

You can also log in to the SLED 11 workstation remotely as a domain user via SSH.
On the remote system, enter ssh domain_name\\user@hostname at the shell prompt,
followed by the domain user's password.

Managing Domain Passwords


After joining a domain, you can use the standard password management utilities on
your SLED 11 workstation to manage your user's domain password. The
domain-enabled PAM module retrieves the current password policy settings from the
domain controller and enforces them. Domain password policies typically include the
following:

Password history settings

Minimum password length

Minimum password age

Password complexity settings

The password change will not be successful unless all requirements configured in the
domain and/or domain controller security policies have been met.
To change your password from the shell prompt, do the following:

1. At the shell prompt, enter passwd.

2. Enter your current password when prompted.

3. Enter the new password when prompted.

4. Re-enter the new password when prompted.

If your new password does not comply with the domain security policies, an error
message is displayed and you are prompted to use a different password.

You can also change your domain password from within the GNOME desktop. Do
the following:

1. Select Computer > Control Center.

2. Select Personal > Change Password.

   The following is displayed:


   Figure 5-15 Changing Your Domain User's Password

3. Enter your old password in the field provided.

4. Enter your new password in the fields provided.

5. Select OK.


Exercise 5-2

Log In to the Domain from SLED 11


In this exercise, you log in to your SLED 11 workstation using a user account in the
Active Directory domain.
This exercise is in your workbook.
(End of Exercise)


Objective 3

Access Shared Domain Resources

Once you've integrated your SLED 11 workstation into an Active Directory domain,
you can access shared resources within the domain. In this objective, you learn
how to do this. The following topics are addressed:

Accessing Shared Folders on page 139

Accessing Shared Printers on page 142

Access a Shared Folder on page 146

Accessing Shared Folders

With SLED 11 integrated into the Active Directory domain, you can access shared
folders in the domain from your workstation. This can be done in two ways:

Mounting Shared Folders from the Shell Prompt on page 139

Browsing Shared Folders from GNOME on page 140

Mounting Shared Folders from the Shell Prompt

Using the Samba service on your SLED 11 workstation, you can mount a shared
folder from the Windows domain into the file system of your workstation. To do this,
complete the following:

1. Open a terminal window and switch to your root user account using the su command.

2. At the shell prompt, use the mkdir command to create the local directory where
   you want to mount the remote share (if necessary).

3. At the shell prompt, mount the remote share using the following command:

   mount -t cifs //server_name/share_name /mount_point

   For example, if a remote share named data resides on a server named da1 and
   you want to mount it in the /mnt/samba directory, you would enter the following:

   mount -t cifs //da1/data /mnt/samba

   NOTE: For a list of options you can use when using the mount command to mount a Windows
   share, enter man mount.cifs at the shell prompt of your SLED 11 workstation.

4. Enter mount at the shell prompt to verify that the remote share was mounted.

You can also use the smbclient command to view the shared resources available
on a Samba/Windows server. This is done by entering smbclient -L
server_address at the shell prompt.

You can use the gvfs-mount command to mount a remote Samba/Windows share in
much the same manner as you use mount. Enter gvfs-mount smb://
server_address/share at the shell prompt. When you do, the remote file
system will be mounted in a subdirectory of the ~/.gvfs directory and an icon will
be created for you automatically on your GNOME desktop.
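If you supply the domain user's credentials to the mount in step 3 with the user= and password= options of mount.cifs, they land in the shell history and in the process list while mount runs. The script below, an added example that is not part of the course, uses the credentials= option from mount.cifs(8) to read them from a root-only file instead; the server da1, share data and mount point /mnt/samba are the course's sample values, and /root/.smbcred is an assumed path.

```shell
#!/bin/sh
# mount_domain_share.sh - mount a domain share as in step 3 above, but read
# the domain user's credentials from a root-only file (mount.cifs
# credentials=) instead of passing user=/password= on the command line.
# Added example, not from the course; da1, data and /mnt/samba are the
# course's sample values and /root/.smbcred is an assumed path.
#
# Usage (as root):
#   printf '%s\n' "$PASSWORD" | sh mount_domain_share.sh write /root/.smbcred tuxpenguin DIGITALAIRLINES
#   sh mount_domain_share.sh mount da1 data /mnt/samba /root/.smbcred

# Write a mount.cifs credentials file (username=, password=, domain= lines)
# with mode 0600. $1 = path, $2 = user, $3 = domain; the password is read
# from stdin so it never appears in argv.
write_cred_file() {
    (
        umask 077                  # the new file is created 0600
        IFS= read -r pw || exit 1
        printf 'username=%s\npassword=%s\ndomain=%s\n' "$2" "$pw" "$3" > "$1"
    )
}

# Exit 0 only for a regular file owned by the caller with no group/other
# permission bits (mode 0600 or 0400). $1 = path.
cred_file_secure() {
    [ -f "$1" ] || return 1
    set -- "$1" $(stat -c '%a %u' "$1")   # $2 = octal mode, $3 = owner uid
    [ "$3" = "$(id -u)" ] || return 1
    case "$2" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Mount //server/share on the mount point using the credentials file,
# refusing a file other users can read. $1 = server, $2 = share,
# $3 = mount point, $4 = credentials file, $5 = extra mount.cifs options.
mount_share() {
    if ! cred_file_secure "$4"; then
        echo "refusing to use $4: it must be a 0600 file owned by $(id -un)" >&2
        return 1
    fi
    mkdir -p "$3" || return 1
    mount -t cifs "//$1/$2" "$3" -o "credentials=$4${5:+,$5}"
}

case "${1:-}" in
    write) shift; write_cred_file "$@" ;;
    mount) shift; mount_share "$@" ;;
esac
```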
Browsing Shared Folders from GNOME

You can also browse shared folders in the domain and mount them from within the
GNOME File Browser. Do the following:

1. Select Computer > Nautilus.

2. On the left, select Network.

3. Double-click Windows Network.

   A list of domains and workgroups is displayed, as shown below:

   Figure 5-16 Browsing Domains and Workgroups

4. Double-click your domain.

   A list of hosts in your domain is displayed.

5. Double-click the server where the shared folder you want to access resides.

   A list of shares on the server is displayed, as shown below:


   Figure 5-17 Browsing Shared Folders on a Windows Server

6. Right-click the share you want to access; then select Mount Volume.

   When you do, a shortcut is added to your desktop that you can use to access the
   share, as shown below:


   Figure 5-18 Link to Shared Folder on the Desktop

7. To access the share, double-click the link on the desktop.

8. If you want to disconnect from the share, right-click the link on the desktop; then
   select Unmount Volume.

Accessing Shared Printers

In addition to accessing shared folders in the domain, you can also access shared
printers. To do this, complete the following:

1. Start YaST on the SLED 11 workstation by selecting Computer > YaST.

2. When prompted, enter your root user's password.

3. Select Hardware > Printer.

4. On the left, select Print Via Network.

5. Under Use Another Print Server or Use a Network Printer Directly, select
   Connection Wizard.

6. On the left under Print Via Print Server Machine, select Microsoft Windows/
   SAMBA (SMB/CIFS).

   The following is displayed:


   Figure 5-19 Connecting to a Shared Printer in the Domain

7. Enter the following information in the dialog presented:

   Server (NetBIOS Host Name). Enter your print server's NetBIOS name.

   Printer (Share Name). Enter the name of the shared printer.

   Workgroup (Domain Name). Enter your domain name.

   User. Enter your domain user name.

   Password. Enter your domain user's password.

   Printer Manufacturer. Select the shared printer's manufacturer.

8. Select Test Connection.

   If you configured your shared printer correctly, you should see a message
   indicating the connection was tested correctly, as shown below:


   Figure 5-20 Testing the Shared Printer Connection

9. Select OK.

10. Select OK to connect to the shared printer.

    The Add New Printer Configuration screen is displayed:

    Figure 5-21 Configuring the Shared Printer

11. Select the appropriate driver for your shared printer from the list displayed.


12. In the Set Name field, enter a queue name for your printer. You can use letters,
    numbers, and underscores in the queue name. It must start with a letter.

13. Select OK.

    The printer is added to your list of configured printers:

    Figure 5-22 Viewing a Shared Printer

14. (Optional) Test the configuration by selecting Print Test Page.

15. When satisfied with your shared printer configuration, select OK.

16. Close YaST.


Exercise 5-3

Access a Shared Folder

In this exercise, you mount a shared folder in your SLED 11 workstation's file
system.

This exercise is in your workbook.

(End of Exercise)


Summary

The following is a summary of what you learned in the course objectives.

Objective: Describe How SLED 11 Integrates with Active Directory

Summary: With SLED 11, you can join existing Active Directory (AD) domains and
integrate your Linux machine into a Windows environment. Users can authenticate
using domain user accounts and access shared domain resources.

Active Directory is a directory service based on LDAP and Kerberos used by
Microsoft Windows networks to manage resources, services, and users.

AD represents these network resources as objects within the directory service. It
stores information about these objects, manages access, and enforces policies.

With SLED 11 configured as an AD client and joined to a domain, you can take
advantage of the following benefits:

   Browsing shared files and folders

   Sharing files and folders

   Accessing and manipulating user data on the Windows server

   Offline authentication

   Windows password change

   Single sign-on through Kerberized applications

Objective: Configure Active Directory Integration

Summary: Before you can join your SLED 11 workstation to an AD domain, you must
make several adjustments to your networking configuration. Check the following:

   DNS

   NTP

   DHCP

   Firewall

   AD account

   AD Administrator account

Once the prerequisites are met, you can join a Windows domain using the YaST
Domain Membership module.

Objective: Access Shared Domain Resources

Summary: With the SLED 11 workstation integrated into the AD domain, you can
access shared domain resources, including

   Shared folders

   Shared printers

SECTION 6

Integrate SLED 11 into a Novell eDirectory Environment

In this section, you learn how to integrate SLED 11 into a Novell eDirectory
environment.

Section Objectives

In this section, you learn how to do the following:

1. Describe How the Novell Client for Linux Works on page 150

2. Install and Configure the Novell Client for Linux on SLED 11 on page 160

3. Authenticate to an OES 2 Server Using the Novell Client for Linux on page 184

4. Use Novell iPrint on SLED 11 on page 204

5. Use iFolder on SLED 11 on page 214


Objective 1

Describe How the Novell Client for Linux Works

Before discussing how to install and configure the Novell Client for Linux, it's
important that you understand what it is and how it works. In this objective, the
following topics are addressed:

The Role and Function of Novell eDirectory on page 150

The Role and Function of the Novell Client for Linux on page 158

The Role and Function of Novell eDirectory

Novell eDirectory is the foundation for the world's largest identity management
deployments. It is a high-end Directory service that allows businesses to manage
identities and security access for employees, customers, and partners.

Novell eDirectory is a secure identity management solution that runs across multiple
NOS platforms. It is Internet-scalable and extensible.

eDirectory is a hierarchical, distributed database that provides the basic foundation
for the Directory service, along with replication and partitioning capabilities.
Companies use eDirectory as a means for managing users and all their network
hardware and applications.

It also provides the following benefits:

Central management of network information, resources, and services

A standard method of managing, viewing, and accessing network information,
resources, and services

A logical organization of network resources that is independent of the physical
characteristics or layout of the network

Dynamic mapping between an object and the physical resource it refers to

When working with eDirectory, you need to be familiar with the following:

eDirectory Components on page 150

eDirectory Objects on page 151

eDirectory Context on page 155

eDirectory Naming on page 156

eDirectory Components

You need to be familiar with the following eDirectory components:

Tree: The eDirectory tree is a hierarchical structure that stores and organizes
objects. It includes the tree object as well as container objects. The eDirectory
tree lets you view the logical organization of network resources in the Directory
database.


Schema: The schema defines the types of objects that can be created in your tree
(such as users, printers, and groups) and what information is required or optional
at the time an object is created.

Objects: An object (also referred to as an entry) is a unit of information about a
resource, comparable to a record in a conventional database. eDirectory
represents each network resource as an object in the Directory. Different types or
categories of objects exist. An object can represent a physical resource (such as a
workstation), an eDirectory resource (such as a user or group), or an
organizational resource (such as a container). Several sample objects are shown
in the figure below:

Figure 6-1 Sample eDirectory Objects

Properties: A property (also referred to as an attribute) is a category of
information associated with an object. Each eDirectory object consists of
properties that are used to store information about the resource. A collection of
properties defines or makes up the class of an object. For example, a workstation
object differs from a user object in the properties it contains and, therefore, in
how the object can be used. Object classes and properties are defined and
controlled by the eDirectory schema.

Values: A value is the data contained within a property. For example, a user
object has an attribute (or property) called Last Name which, in turn, has a
value, such as Johnson.

eDirectory Objects

A directory object is defined by a class. This definition is known as an object class.
For instance, user and organization are both object classes. Each class of objects has
certain properties. A user object, for example, has Login Name, Password, and Last
Name, as well as many other properties.


The schema defines the object classes and properties, along with the rules of
containment, which specify which containers can contain which object types.

eDirectory object classes can be divided into three categories: Tree, Container, and
Leaf, as shown in the following figure:

Figure 6-2 Tree, Container, and Leaf Objects (figure: the three eDirectory object
types, illustrated with the tree root DA-TREE, the container DA, and a leaf object
labeled SLC)

The tree object (also called the tree root) is created when you install the first
eDirectory server in your network. As the top-most object in the tree, it can hold only
organization objects, country objects, or alias objects. There is only one tree object
per eDirectory instance. The name of the tree object is also the name of the
eDirectory tree itself.

Container objects contain leaf or additional container objects. They are used to
logically group and organize the objects of your Directory. They can represent
countries, locations within countries, companies, departments, responsibility centers,
workgroups, or shared resources. The following figure shows several classes of
container objects:


Figure 6-3 eDirectory Container Objects (figure: Country, Domain, License
Container, Organization, Organizational Unit, and Security Container)

The table below describes some of the more commonly used container objects:

Table 6-1 Commonly Used eDirectory Container Objects

Country (C): Country objects are optional. They designate the countries where
your network resides and organize other directory objects within the country.
Country objects are named using valid 2-character country abbreviations. They
reside only within the tree object.

Domain (DC): Domain objects represent DNS domain components. Domain objects
exist in the tree object or under organization, organizational unit, and country
objects.

Organization (O): Organization objects help you organize other objects in the
directory. The organization object resides in either the tree object or within a
country object. It organizes objects by organizational groups, such as company,
university, or department. You must include at least one organization object in
your eDirectory tree.

Organizational Unit (OU): Organizational unit objects help you further organize
other objects in the directory. They organize objects by subunit groups, such as
division, business unit, project team, or department. They exist in country,
organization, and other organizational unit objects. Organizational unit objects
are optional.


Leaf objects represent network resources, such as users, workstations, servers, and
volumes. Several classes of leaf objects are shown below:

Figure 6-4 eDirectory Leaf Objects (figure: Alias, Application, Directory Map,
Group, LDAP Group, LDAP Server, License Certificate, NDPS Broker, NDPS
Manager, NDPS Printer, Organizational Role, Print Server (Non-NDPS), Printer
(Non-NDPS), Profile, Server, Unknown, User, Volume, and Workstation)

The following table lists some of the most commonly used eDirectory leaf objects:

Table 6-2 Commonly Used eDirectory Leaf Objects

Alias: An alias object points to another object in the tree. It represents another
object, which can be a container, user object, or any other object in the tree.

Group: A group object represents a group of user objects in the tree. Groups are
useful when a number of user objects each need the same level of access in the
eDirectory tree. Using a group allows you to manage a single object (the group)
instead of each individual user.

Organizational role: An organizational role object defines a position or role within
an organization where the users who occupy the position might change, but the
position's responsibilities do not change.

Print server: A print server object represents a network print server.

Printer: A printer object represents a network printing device.

Profile: A profile object is used to store a login script used by a group of users who
need to share common login script commands.

Server: A server object represents a server running any operating system. A server
object is created in the tree when you install eDirectory on a server in your network.

Template: A template object contains standard user object properties that can be
applied to new user objects.

User: A user object represents a person who uses your network. A user object is
required for logging in. When you install the first server into a tree, a user object
named Admin is automatically created.

Volume: A volume object represents a physical volume on the network. When you
create a physical volume on a server, an associated volume object is created in the
tree.

eDirectory Context

In eDirectory, context can be defined as an object's position in the eDirectory tree or a
position you navigate to in the eDirectory tree after logging in.
When used to define an object's position in the eDirectory tree, the context is a list of
container objects leading from the object to the tree object. Locating an object
through the context is similar to locating a file using the directory path.
An eDirectory tree cannot have multiple leaf objects with the same name in the same
container. However, an eDirectory tree can have multiple leaf objects with the same
name in different containers (because their context is different).
For example, in the following figure, the difference between the two BJohnson user
objects is their context. The user object on the left is in the SLC container; the user
object on the right is in the DA container.
Figure 6-5

Understanding eDirectory Context (the figure shows the prompt "Login BJohnson?" above a tree in which the DA container holds the SLC container; one BJohnson user object is in SLC and the other is directly in DA)

The context for the BJohnson object on the left is BJohnson.SLC.DA. The context
for the BJohnson object on the right is BJohnson.DA.
The term context can also refer to your current position in the eDirectory tree. When
you navigate to a location in the eDirectory tree, your context is your current position,
or current context, in the tree. It does not refer to where your user object resides in the
eDirectory tree.


eDirectory Naming

eDirectory uses naming conventions to allow you to precisely identify and locate
objects in your tree. You must provide eDirectory with enough information to locate
the object in the eDirectory tree. You specify this information in the object name.
For example, in the following figure, two user objects named BJohnson exist in
separate containers in the Directory. If you log in as BJohnson, which user object
should eDirectory use?
Figure 6-6

eDirectory Naming Conventions (the figure repeats the tree of Figure 6-5: the prompt "Login BJohnson?", the DA container holding SLC, and one BJohnson user object in each of the two containers)

An object name identifies an object in the eDirectory tree. In the figure above, the
object names contain information that uniquely identifies each object and its
location in the eDirectory tree.
The name of each object you create in the eDirectory tree consists of the following:

Name attribute type

Name value

The attribute type of the object name determines if the object will be accessed as a
container or leaf object in the eDirectory tree. The name value of the object is the
name you enter for the object when you create it.
The following name attribute types are assigned to the most common eDirectory
objects:

C: Country (for example, C=IR for Ireland)

O: Organization name (for example, O=DA)

OU: Organizational unit name (for example, OU=SLC)

CN: Common name of leaf objects (for example, CN=BJohnson)

An object's distinguished name is a combination of its common name and its context.
This identifies the object all the way to the top, or root, of the tree. An object is
exactly identified with a distinguished name. Two objects in the same tree cannot
have the same distinguished name.
A distinguished name starts with a leading period. The objects in the name are
separated by periods. The names of all objects, from the tree object to the object
being named, are included in the distinguished name.


In the figure below, the distinguished name for the user object BJohnson in the
organizational unit SLC in the organization DA is .CN=BJohnson.OU=SLC.O=DA.
The distinguished name for the user object BJohnson in the organization DA is
.CN=BJohnson.O=DA.
Figure 6-7

Using Distinguished Names (the figure shows O=DA containing OU=SLC; the CN=BJohnson object under SLC is labelled .CN=BJohnson.OU=SLC.O=DA and the CN=BJohnson object directly under DA is labelled .CN=BJohnson.O=DA)

A relative distinguished name, on the other hand, lists the path of objects leading
from the object being named to the container representing the current context, or
current location, in the eDirectory tree. A relative distinguished name does not start
with a leading period, but does use periods to separate objects in the name.
For example, if your current context is O=DA, you could refer to each BJohnson user
object as shown in the following:
Figure 6-8

Using Relative Distinguished Names (the figure shows the current context O=DA with OU=SLC beneath it and a CN=BJohnson object in each container; the valid relative names are CN=BJohnson.OU=SLC for the object in SLC and CN=BJohnson for the object in DA)

When you use a relative distinguished name, eDirectory must build a distinguished
name from it. This is accomplished by appending the relative distinguished name to
the current context:
Relative Distinguished Name + Current Context = Distinguished Name
eDirectory naming can also be either typeful or typeless. A typeful name uses
attribute type abbreviations (such as CN or OU) to distinguish between the different
container types and leaf objects in an object's distinguished or relative distinguished
name. Although not mandatory, using types helps avoid confusion that can occur
when using typeless naming. For example, .CN=BJohnson.O=DA is a typeful name.
A typeless name does not include the object attribute type. For example, the typeless
distinguished name for .CN=BJohnson.OU=SLC.O=DA is .BJohnson.SLC.DA.
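The naming rules above, as an added worked example in Python (this is not Novell code and not part of the manual): it parses typeful and typeless names, applies Relative Distinguished Name + Current Context = Distinguished Name, strips attribute types, and compares two distinguished names. The structural checks on C, O, OU and CN follow the container hierarchy this section describes; escaped periods inside a name value are assumed absent.

```python
"""eDirectory naming helpers: distinguished (DN) and relative distinguished
(RDN) names, typeful and typeless forms. Added example for this manual; it is
not Novell code and does not talk to a live tree."""

# Attribute types the manual assigns to the most common eDirectory objects.
CONTAINER_TYPES = ("C", "O", "OU")   # Country, Organization, Organizational Unit
LEAF_TYPE = "CN"                     # Common name of a leaf object


def parse_name(name):
    """Split an eDirectory name into (is_distinguished, components).

    A leading period marks a distinguished name anchored at the tree root.
    Components are period separated, object first and tree root last; a
    typeful component reads TYPE=value, a typeless one is the bare value
    (recorded with type None). Backslash-escaped periods inside a value are
    not handled here (assumption: values contain no periods).
    """
    is_dn = name.startswith(".")
    body = name[1:] if is_dn else name
    components = []
    for comp in body.split("."):
        if not comp:
            raise ValueError("empty component in name %r" % name)
        typ, sep, value = comp.partition("=")
        if sep:
            typ = typ.upper()
            if typ != LEAF_TYPE and typ not in CONTAINER_TYPES:
                raise ValueError("unknown attribute type %r in %r" % (typ, name))
            components.append((typ, value))
        else:
            components.append((None, comp))
    return is_dn, components


def format_name(is_dn, components):
    """Inverse of parse_name: re-join the components, keeping each one's typing."""
    text = ".".join(v if t is None else "%s=%s" % (t, v) for t, v in components)
    return "." + text if is_dn else text


def check_structure(components):
    """Reject typeful names that contradict the tree hierarchy the manual
    describes: a leaf (CN) can only be the named object itself (leftmost), a
    Country (C) sits directly below the tree root (rightmost), and an
    Organization (O) is never inside an Organizational Unit. Typeless
    components carry no type, so nothing can be checked for them."""
    types = [t for t, _ in components]
    for i, t in enumerate(types):
        if t == LEAF_TYPE and i != 0:
            raise ValueError("CN=... may only name the leaf object itself")
        if t == "C" and i != len(types) - 1:
            raise ValueError("C=... must be the last (top-most) component")
        if t == "O" and "OU" in types[i + 1:]:
            raise ValueError("O=... cannot be below OU=...")


def resolve(name, current_context):
    """Relative Distinguished Name + Current Context = Distinguished Name.

    A name with a leading period is already distinguished and is returned as
    is; the context is not consulted. Otherwise the relative name is appended
    to the current context, which may be written with or without its own
    leading period (the Client shows it without one, e.g. SLC.DA)."""
    is_dn, parts = parse_name(name)
    if not is_dn:
        _, ctx = parse_name(current_context)
        parts = parts + ctx
    check_structure(parts)
    return format_name(True, parts)


def typeless(name):
    """Drop the attribute types: .CN=BJohnson.OU=SLC.O=DA -> .BJohnson.SLC.DA"""
    is_dn, parts = parse_name(name)
    return format_name(is_dn, [(None, v) for _, v in parts])


def same_object(dn_a, dn_b):
    """Two distinguished names refer to the same object when their typeless
    forms match; eDirectory names are not case sensitive. Objects with the
    same common name in different containers are different objects."""
    a, b = typeless(dn_a), typeless(dn_b)
    if not (a.startswith(".") and b.startswith(".")):
        raise ValueError("same_object expects two distinguished names")
    return a.lower() == b.lower()


if __name__ == "__main__":
    # The two BJohnson objects of Figures 6-7 and 6-8, resolved from O=DA.
    for rdn in ("CN=BJohnson.OU=SLC", "CN=BJohnson"):
        dn = resolve(rdn, "O=DA")
        print("%-22s + O=DA -> %-26s typeless %s" % (rdn, dn, typeless(dn)))
```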

The Role and Function of the Novell Client for Linux


In order for a workstation to authenticate to an eDirectory tree and access the
resources that it manages, you must first install and configure the Novell Client. The
Novell Client can be installed on both Windows and Linux workstations.
The Novell Client for Linux allows Linux users to access and use the services
available on servers running Novell eDirectory, including NetWare and Open
Enterprise Server (OES) systems.
Once installed on a workstation, the Novell Client enables users to enjoy the full
range of Novell services, such as authentication via Novell's eDirectory, network
browsing, service name resolution, and secure file system access.
To install the Novell Client, your workstation must be running one of the following
Linux distributions:

SUSE Linux Enterprise Desktop 10: Novell Client for Linux 1.2

SUSE Linux 10: Novell Client for Linux 1.1

SUSE Linux Enterprise Desktop 10 SP1 (32- and 64-bit versions): Novell
Client for Linux 2.0

SUSE Linux Enterprise Desktop 10 SP2 (32- and 64-bit versions): Novell
Client for Linux 2.0 SP1

openSUSE 10.3 (32-bit or 64-bit): Novell Client for Linux 2.0 SP1

openSUSE 11 (32-bit or 64-bit): Novell Client for Linux 2.0 SP1

SUSE Linux Enterprise Desktop 11: Novell Client for Linux 2.0 SP2

openSUSE 11.1 (32-bit or 64-bit): Novell Client for Linux 2.0 SP2

IMPORTANT: Do not install the 32-bit version of the Novell Client for Linux onto a 64-bit operating
system. If you do so, you will lose the ability to log in to the GUI credential provider. You will see
the error message Authentication Failed and will be unable to log in.


The Novell Client for Linux has been modified from the Windows version to enable
it to function on the Linux platform. In Windows, the Novell Client loads a single
binary that works on multiple operating system platforms without modifications.
The Novell Client for Linux, on the other hand, uses a virtual file system that consists
of the following components:

A kernel module (novfs.ko) that is compiled for, and loaded into, the Linux kernel

A daemon (novfsd) that runs in the user space

Both components must be running on the workstation for the client to connect to the
network. The daemon can run on any of the supported Linux platforms without
modification. The kernel module, however, is dependent on the kernel version and
must be compiled to match the kernel on the workstation.
When the Novell Client is installed, it compiles the kernel module during the
installation process. If this process fails, the kernel module cannot load and it
attempts to recompile when the workstation is restarted.


Objective 2

Install and Configure the Novell Client for Linux on SLED 11


Before you can integrate your Linux workstation into an eDirectory environment,
you must first install and configure the Novell Client for Linux. In this objective, you
learn how to install the Novell Client for Linux 2.0 SP2 on a SLED 11 workstation.
The following topics are addressed:

Installing the Novell Client for Linux on SLED 11 on page 160

Install the Novell Client for Linux on page 170

Configuring the Novell Client on SLED 11 on page 170

Installing the Novell Client for Linux on SLED 11


To install the Novell Client for Linux on SLED 11, you must first obtain the
installation software. This is done by first accessing the Novell Downloads (http://
download.novell.com) and downloading the latest Novell Client for Linux 2.0 SP2
ISO file, as shown below:
Figure 6-9

Downloading the Novell Client

Once the download is complete, use one of the following options to install the Novell
Client for Linux:


Installing the Novell Client from the Shell Prompt on page 161

Installing the Novell Client Using YaST on page 166


Installing the Novell Client from the Shell Prompt

The first option for installing the Novell Client for Linux is to run an installation
script at the shell prompt of the workstation.
An installation script named ncl_install is provided in the Novell Client for
Linux installation media. The ncl_install script is located at the root of the install
media files, as shown in the figure below:
Figure 6-10

Locating the ncl_install Script

The ncl_install script can be used to install, update, verify, display information
about, and uninstall the Novell Client directly from a shell prompt. During the
installation of the Client, this script is copied to the /opt/novell/ncl/bin directory.
You can use this copy of the script later on to verify or uninstall the Novell Client.
IMPORTANT: You must be logged in as root to run the ncl_install script.

You can use the options shown in the following table with the ncl_install script:
Table 6-3

ncl_install Script Options

ncl_install install: Installs the Novell Client for Linux.

ncl_install install force: Forces the installation of all Novell Client for Linux packages.

ncl_install upgrade: Upgrades the Novell Client for Linux.

ncl_install upgrade force: Forces the upgrade of all Novell Client for Linux packages.

ncl_install uninstall: Uninstalls all Novell Client for Linux packages.

ncl_install verify: Verifies the installation of all installed Novell Client for Linux packages.

ncl_install information: Displays summary information for all installed Novell Client for Linux packages.

ncl_install files: Displays a list of all files contained in Novell Client for Linux packages.


To install the Novell Client for Linux 2.0 SP2 on SLED 11, you need to complete the
following steps:
1. Mount the Novell Client for Linux ISO file in a directory in your SLED
   workstation's file system, such as /mnt. A sample command for doing this is
   shown below:
   mount -o loop /tmp/novell-client-2.0-sp2.sle11-i586.iso /mnt

2. Insert your SLED 11 installation media in your workstation's optical drive.

3. Open a terminal session on your workstation.
   If you're using the KDE desktop manager, select the Application Launcher
   icon > Applications > System > Terminal.
   If you're using the Gnome desktop manager, right-click on the desktop and select
   Terminal.

4. At the shell prompt, switch to your root user account by entering su -; then
   enter your root user's password.

5. At the shell prompt, use the cd command to switch to the directory where your
   Novell Client for Linux 2.0 SP2 ISO image is mounted.
   For example: cd /mnt

6. At the shell prompt, enter ./ncl_install install.
   After a few minutes, you are prompted to confirm the amount of disk space that
   will be used by the Novell Client, as shown below:

Figure 6-11

Starting the Novell Client Install

7. When prompted, enter YES.


   Wait while the packages are installed.

8. You are again prompted to confirm the size of the download. Enter YES.
   Wait while the packages are installed. This may take up to 5 minutes to complete,
   depending upon your workstation hardware.
   After a few minutes, you are prompted to install the Novell Konqueror plugin, as
   shown below:

Figure 6-12

Installing the Novell Konqueror Plugin

9. When prompted, enter y to install the Konqueror plugin.

10. When prompted to confirm the size of the plugin installation, enter YES.

After a few minutes, you are prompted to install the Novell Nautilus plugin, as
shown below:


Figure 6-13

Installing the Novell Nautilus Plugin

11. When prompted, enter y to install the Nautilus plugin.


12. When prompted to confirm the size of the plugin installation, enter YES.
13. When the installation is complete, you have two options for starting the Novell
    Client for Linux on the workstation:

Restart the workstation: This is the best way to ensure that the Novell
Client for Linux is installed and started correctly. To do this, enter init 6
(while still logged in as root) at the shell prompt.

Manually start the Novell Client: To manually start the Novell Client, enter
/opt/novell/ncl/bin/ncl_control start (while still logged in
as root) at the shell prompt. This command loads all the Novell Client
daemons.

14. Once the installation is complete and the client has been started, you can verify
    that the Client was installed correctly by doing the following:

    a. If necessary, open a terminal session and switch to your root user account
       using the su - command.

    b. At the shell prompt, enter /opt/novell/ncl/bin/ncl_install verify.

    c. Wait while the files are verified.

    d. If prompted to verify the installation of the Konqueror and Nautilus plugins,
       enter y, as shown below:


Figure 6-14

Verifying the Client Installation

When complete, you should see a Novell Client icon in the system tray. To access
the functions of the Novell Client, simply click on the Novell Client icon in the
system tray. When you do, the following menu is displayed:
Figure 6-15

Accessing the Novell Client Icon in the System Tray

Select Novell Login. When you do, the Novell Client for Linux login screen is displayed, as shown below:


Figure 6-16

Using the Novell Client for Linux to Log In

Installing the Novell Client Using YaST

In addition to installing the Novell Client for Linux from the shell prompt, you can
also install it using a graphical user interface from YaST. To do this, complete the
following:
1. Insert your SLED 11 installation media in your system's optical drive.

2. On your Linux workstation, start YaST by doing one of the following:

   Open a terminal session, switch to root using the su - command, and then
   enter yast2 at the shell prompt.

   From within the KDE desktop environment, select Application Launcher
   icon > Computer > YaST.

   From within the Gnome desktop environment, select Computer > YaST.

3. When prompted, enter your root user's password.

4. Select Software > Add-On Products.
   The following is displayed:


Figure 6-17

Adding the Novell Client as an Add-On Product

5. Select Add.

6. In the Media Type screen, select Local ISO Image; then select Next.

7. In the Path to ISO Image field, browse to and select the Novell Client for Linux
   ISO file you downloaded from Novell Download (http://download.novell.com).

8. When prompted to insert the add-on CD, select Continue.
   After a minute, the License Agreement screen is displayed, as shown below:


Figure 6-18

The Novell Client License Agreement

9. Accept the license agreement; then select Next.

10. In the Software Manager screen, select Patterns from the filter drop-down list.

11. In the left frame, scroll down to and double-click the Novell Client for Linux
    pattern, as shown below:


Figure 6-19

Selecting the Novell Client for Linux for Installation

12. Double-click the novell-client package.


13. Select Apply.
14. If prompted that some packages are unsupported, select OK.
15. Wait while the Client is installed.
16. When complete, select OK.
17. When the installation is complete, you have two options for starting the Novell
    Client for Linux on the workstation:

    Restart the workstation: This is the best way to ensure that the Novell
    Client for Linux is installed and started correctly.

    Manually start the Novell Client: To manually start the Novell Client, open
    a terminal session, switch to your root user account using the su - command,
    and then enter /opt/novell/ncl/bin/ncl_control start at the
    shell prompt.

When complete, you should see a Novell Client icon in the system tray. To access
the functions of the Novell Client, simply select the Novell Client icon in the system
tray, as discussed previously.


Exercise 6-1

Install the Novell Client for Linux


In this exercise, you install the Novell Client for Linux on your SLED 11
workstation.
You will find this exercise in the workbook.
(End of Exercise)

Configuring the Novell Client on SLED 11


Once the Novell Client for Linux has been installed on your workstation, you need to
configure it.
The Novell Client for Linux includes the Novell Client Configuration Wizard, which
you can use to configure the Novell Client on your workstation. To do this, complete
the following:
1. Launch the Novell Client Configuration Wizard by doing one of the following:

   In the System Tray, select the N icon; then select System Settings.

   In YaST, select Network Services > Novell Client.

2. When prompted, enter your root user's password.
   The following is displayed:


Figure 6-20

Starting the Novell Client Configuration Wizard

3. Select the configuration pages that contain the settings you want to configure.
   You can select from the following:

   Login

   Map

   Protocol

   Tray Application

   File Browser

   SLP

4. Select Start Wizard. If you selected Login in the Introduction screen, the Login
   Settings screen is displayed, as shown in the following:


Figure 6-21

Configuring Client Login Settings

   You can use this wizard page to specify the settings that will be available to users
   in the Novell Login dialog box:

   NMAS Authentication: Enables or disables Novell Modular Authentication
   Services (NMAS) during login. This option is enabled by default.

   Allow Dots in User Name: Allows periods (.) to be used in the User Name
   field.

   Clear Previous User Name: Clears the previous username from the User
   Name field every time you open the login dialog in the Client.

   Advanced Button: Enables or disables the Advanced button in the Login
   dialog. This option is enabled by default.

   Integrated Login: Enables the integrated login feature for the entire system.
   This is set by the administrator and cannot be overridden by the user.

   Display Integrated Login Results: Enables or disables the login results
   window. When this option is disabled, login scripts are processed but run
   silently and the script results window is not displayed.


   Delete Integrated Login Profiles: Removes the existing login profiles for
   all users on this workstation.

   Default Tree: Specifies the default tree when logging in.

   Default Context: Specifies the default user context when logging in.

   Default Server: Specifies the default server when logging in.

5. Mark the appropriate options in the Login Settings screen; then select Next.
   If you marked Map in the first wizard screen, the Map Settings screen is
   displayed, as shown below:

Figure 6-22

Configuring Client Map Settings

You use the Map Settings page to specify the directory on the local workstation
where symbolic links to network resources are created. You can also select the
first drive letter to use when creating these links.


   You configure the following settings in this page:

   Map Link Default Location: Specifies the path to the directory where Map
   creates symbolic links to network resources on the server. The default value
   of %HOME creates symbolic links in the user's home directory.

   First Network Drive: Specifies the first drive letter for Map to use when
   creating symbolic links to network resources on the server if a specific drive
   letter is not included in a user's login script.

   NOTE: The Novell Client for Linux creates a symbolic link to server volumes when the
   Map command is called in a login script. The link appears as a directory named with a
   drive letter. In the Windows version of the client, server volumes are mapped to specific
   drive letters. Even though the Linux file system does not use the concept of drive letters,
   the term is still used to maintain continuity between the Windows and Linux versions of
   the Client.

6. Configure your drive mapping settings; then select Next.
   If you selected Protocol in the first wizard screen, the Protocol Settings window
   is displayed, as shown below:


Figure 6-23

Configuring Client Protocol Settings

   You use the Protocol Settings page to configure the following:

   Name Resolution Providers: Specifies the name resolution providers the
   Client will use to locate network resources. You can select one or all of the
   following:

   DNS

   NCP

   SLP

   NCP Signature Level: Specifies the level of security required by the client,
   including the use of a message digest algorithm and a per connection/per
   request session state. You can select one of the following levels:

   0: Disabled

   1: Enabled, but not preferred

   2: Preferred

   3: Required


The default value is 1. You can change this to a higher security level (2 or 3)
but doing so will slightly impact performance.

DHCP Settings: If your DHCP server has been configured to deliver Novell
Client login settings as DHCP options, you can enable the Client to use these
settings by marking one or more of the following:

Tree

Context

Server

File Caching: Enables or disables the caching of network files on the local
workstation. This option is enabled by default.

   Receive Broadcast Messages: Enables or disables the reception of network
   broadcast messages.

   NOTE: If you make any changes in this wizard page, you must reboot the workstation for the
   changes to take effect.

7. Configure your protocol settings as appropriate; then select Next.
   If you marked Tray Application in the first wizard screen, the Tray Application
   Settings screen is displayed, as shown below:


Figure 6-24

Configuring Novell Client Tray Application Settings

You use the Tray Application Settings page to configure the Novell Client Tray
Application to automatically launch when the system starts and to determine
which options on the Tray Application menu are available to users.
   This page contains the following options:

   Launch Tray Application: Specifies that the Novell Client Tray
   Application is automatically launched when the workstation is started.

   Tray Application Menu Options: Enables or disables options on the Tray
   Application menu:

   Novell Login

   Novell Logout

   Novell Connections

   Change Password

   Novell Map Directory


   Disconnect Novell Mapped Directory

   Novell Utilities

   User Administration

   System Settings

   Novell Client for Linux Documentation

8. Select the appropriate Tray Application settings; then select Next.
   If you selected File Browser in the first wizard screen, the File Browser Settings
   page is displayed, as shown below:

Figure 6-25

Configuring Client File Browser Settings

You use the File Browser Settings page to specify which Novell Client options
are available to users when they right-click server directories or files in a file
manager, and which tabs are available on the Novell File, Folder, and Volume
Properties pages.


This page contains the following options:

Navigation Panel Icon (KDE only): Enables or disables the File Browser
Navigation Panel icon. This icon is displayed only in KDE.

Novell Properties: Enables or disables the Novell Properties menu option
when users right-click a server directory or file in a file manager.

Purge Novell Files: Enables or disables the Purge Novell Files menu option
when users right-click a server directory or file in a file manager.

Salvage Novell Files: Enables or disables the Salvage Novell Files menu
option when users right-click a server directory or file in a file manager.

File and Folder Information: Enables or disables the File Information and
Folder Information tabs on the File and Folder Properties pages.
NOTE: These pages are available when users right-click a server directory or file in a
file manager and then select Novell Properties.

9.

Novell Rights: Enables or disables the Novell Rights tab on the File and
Folder Properties pages.

Volume Information: Enables or disables the Volume Information tab on


the Volume Properties page.

Volume Statistics: Enables or disables the Volume Statistics tab on the


Volume Properties page.

Select the appropriate settings; then select Next.


If you marked OpenSLP in the first wizard screen, the Service Location Protocol
(OpenSLP) Settings page is displayed, as shown below:


Figure 6-26: Configuring Client SLP Settings

You use the Service Location Protocol (OpenSLP) Settings page to specify where
and how the Client locates network services.
In an IP-only network, the Novell Client needs a way to locate the IP address of
network services, such as eDirectory trees and servers, prior to authenticating to
the network.
To do this, the Client must be able to resolve the tree and server names you enter
in the Client login screen into IP addresses.
NOTE: After authentication, the Client uses addressing information in the eDirectory tree to
locate network resources.

Without an advertisement or discovery mechanism on the network, users would
have to know the IP address or DNS name of the server hosting the tree to log in.


NOTE: Alternatively, you could manually configure an entry in each workstation's hosts file.
While this may be possible on a small network, it really isn't feasible on a large network.

To address these issues, Novell helped develop the Service Location Protocol
(SLP) standard. On Linux, SLP is provided by the OpenSLP service.
NOTE: The SLP standard is defined in RFC 2165 (SLP version 1) and RFC 2608 (version 2).

With SLP, services register their availability with an SLP agent when they are
brought up. The agent keeps track of which services are available and where they
are located. When a service is shut down, it deregisters itself with the agent.
From a high-level viewpoint, the information that SLP maintains about a service
is simply the service name and the IP address of the host (normally a server) that
is running this service.
SLP uses the following components to represent and discover services on the
network:

Service Agent (SA). The SA is a software entity that works on behalf of the
services running on its server. The SA replies to UAs who request services
that are running on its server. The SA can register its services with DAs.

User Agent (UA). The UA is a software entity working on behalf of an
application. The UA understands the service and resource needs of the
application and retrieves that service information from an SA or a DA.

Directory Agent (DA). The DA is a software entity that acts as a centralized
repository for service location information. If DAs have been implemented
on a network, all SAs register the services they know about with a DA.

Scopes. A scope is a defined group of network services. Scopes are
supported by UAs, SAs, and DAs.

The Novell Client can use SLP in two different ways:

The UA on the client workstation can send multicast requests to all network
hosts configured to listen on the multicast address when it needs to locate a
particular resource. If a host has the resource being requested, it responds to
the requesting system with the appropriate address information, as shown
below:


Figure 6-27: Using SLP Without a DA (the UA sends a multicast request; each SA
returns a unicast response)

The UA on the local workstation can send unicast requests directly to a
Directory Agent (DA), which registers all of the available services on the
network. The DA responds to the requesting system with the appropriate
address information, as shown in the figure below:

Figure 6-28: Using SLP with a DA (the SAs transfer their service location
information to the DA; the UA sends a unicast request to the DA and receives a
unicast response)
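As an added example (not code from the manual or the Novell Client), the following Python builds and parses the SLPv2 Service Request a UA sends in either of the two modes above, and picks the destination the way the two figures show: the SLP multicast group when no DA is configured, the DA itself otherwise. The service type "service:ndap.novell", the scope and the DA address are constructed sample values.

```python
"""SLPv2 Service Request (SrvRqst) encoder/decoder, RFC 2608 section 8.1.

Added example, not part of the manual. It shows the datagram a UA emits
when it looks for a service, and where that datagram goes in the two modes
the figures above describe (multicast to all SAs, or unicast to a DA).
"""
import struct

SLP_VERSION = 2
FUNC_SRVRQST = 1            # function-id of a Service Request
FLAG_MCAST = 0x2000         # R flag: request was multicast or broadcast
SLP_PORT = 427              # IANA port for SLP, used for both TCP and UDP
SLP_MCAST_GROUP = "239.255.255.253"   # SLP administrative-scope multicast group
HEADER_FIXED = 14           # header bytes before the language tag


def _lv(value: str) -> bytes:
    """Encode a string the SLPv2 way: 2-byte big-endian length, then UTF-8."""
    raw = value.encode("utf-8")
    return struct.pack("!H", len(raw)) + raw


def build_srvrqst(service_type: str, scopes: list, xid: int,
                  multicast: bool, prlist: str = "", predicate: str = "") -> bytes:
    """Return a complete SrvRqst datagram.

    prlist is the Previous Responder list: on a multicast request the UA
    re-sends with the addresses that already answered so they stay quiet.
    """
    body = (_lv(prlist) + _lv(service_type) + _lv(",".join(scopes))
            + _lv(predicate) + _lv(""))          # empty SPI: no SLP security extension
    lang = b"en"
    length = HEADER_FIXED + len(lang) + len(body)
    header = struct.pack("!BB", SLP_VERSION, FUNC_SRVRQST)
    header += length.to_bytes(3, "big")          # 3-byte message length
    header += struct.pack("!H", FLAG_MCAST if multicast else 0)
    header += (0).to_bytes(3, "big")             # next extension offset: none
    header += struct.pack("!H", xid)             # transaction id, echoed in the reply
    header += struct.pack("!H", len(lang)) + lang
    return header + body


def parse_srvrqst(data: bytes) -> dict:
    """Decode a SrvRqst, refusing anything whose lengths do not add up.

    An SA or DA must not trust the length fields blindly: every one is
    checked against the real datagram size before a slice is taken.
    """
    if len(data) < HEADER_FIXED:
        raise ValueError("truncated SLP header")
    version, func = data[0], data[1]
    length = int.from_bytes(data[2:5], "big")
    flags, = struct.unpack("!H", data[5:7])
    xid, = struct.unpack("!H", data[10:12])
    lang_len, = struct.unpack("!H", data[12:14])
    if version != SLP_VERSION or func != FUNC_SRVRQST:
        raise ValueError("not an SLPv2 Service Request")
    if length != len(data):
        raise ValueError("length field does not match datagram size")
    pos = HEADER_FIXED + lang_len
    fields = []
    for _ in range(5):                           # PRList, type, scopes, predicate, SPI
        if pos + 2 > len(data):
            raise ValueError("truncated field length")
        n, = struct.unpack("!H", data[pos:pos + 2])
        pos += 2
        if pos + n > len(data):
            raise ValueError("field runs past end of datagram")
        fields.append(data[pos:pos + n].decode("utf-8"))
        pos += n
    prlist, service_type, scopes, predicate, spi = fields
    return {
        "xid": xid,
        "multicast": bool(flags & FLAG_MCAST),
        "prlist": prlist,
        "service_type": service_type,
        "scopes": scopes.split(",") if scopes else [],
        "predicate": predicate,
        "spi": spi,
    }


def choose_destination(da_addresses: list) -> tuple:
    """Pick where the UA sends the request, as in figures 6-27 and 6-28.

    With a configured DA the request is a unicast to it; without one the UA
    multicasts to every SA listening on the SLP group.
    """
    if da_addresses:
        return da_addresses[0], SLP_PORT, False
    return SLP_MCAST_GROUP, SLP_PORT, True


if __name__ == "__main__":
    # Constructed values: "service:ndap.novell" is assumed here as the service
    # type a UA would ask for when listing eDirectory trees.
    for das in ([], ["10.0.0.5"]):
        host, port, mcast = choose_destination(das)
        msg = build_srvrqst("service:ndap.novell", ["DEFAULT"], 0x1234, mcast)
        print(f"send {len(msg)} bytes to {host}:{port}", parse_srvrqst(msg))
```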

You use the Service Location Protocol (OpenSLP) Settings page in the Client
wizard to specify how SLP will be configured on the workstation. You have the
following options:

Scope List: Specifies the scopes that the UA on the workstation is allowed to
use to locate network resources.

Directory Agent List: Specifies the DAs on the network that the UA on the
workstation must use to locate services. If this setting is not used, dynamic
DA discovery is used to determine which DAs to use.

Broadcast Only: Specifies that the UA on the workstation use broadcasts
instead of multicasting.
NOTE: This setting is not usually necessary because OpenSLP automatically reverts to
broadcasts if multicasting is unavailable. In addition, broadcasts are usually limited to the
local LAN segment.

Maximum Results: Specifies the maximum number of results to accumulate
and return for a synchronous request before time-out.


NOTE: If you make changes to the Service Location Protocol (OpenSLP) Settings page, you
must reboot the workstation for those changes to take effect.
10. Make the appropriate changes to your SLP configuration; then select Next.

When you do, the summary page is displayed in the wizard, as shown below:

11. Select Finish.


12. When prompted to save your changes, select Yes.


Objective 3

Authenticate to an OES 2 Server Using the Novell Client for Linux
With the Novell Client for Linux installed on your workstation, you can now use it to
authenticate to an eDirectory tree and access its resources. In this objective, you learn
how to do this. The following topics are addressed:

Authenticating to eDirectory on page 184

Mapping Directories to Server Volumes on page 186

Logging Out on page 191

Troubleshooting SLP Issues on page 192

Using Novell Client for Linux Shell Commands on page 196

Configure the Novell Client for Linux on page 198

Configuring Integrated Login on page 198

Configuring Integrated Login on page 203

Authenticating to eDirectory
To authenticate to eDirectory using the Novell Client for Linux, do the following:
1. Log in to your SLED 11 workstation using a Linux user account and password.

2. Select the N in the system tray.

3. Select Novell Login.

Figure 6-29: The Novell Login Dialog

4. Enter your eDirectory username and password; then select Advanced.
The following is displayed:


Figure 6-30: Entering Your Authentication Credentials

5. Enter the following as appropriate for your network:

Tree name

Context

Server

6. Select OK.

7. Verify that you are logged in correctly by selecting the N icon; then select Novell
Connections.
You should see the name of the tree, server, and user that you used to
authenticate, as shown in the following:


Figure 6-31: Verifying the Novell Connection

8. Select Close.

Mapping Directories to Server Volumes

Once you have authenticated to the eDirectory tree, you can use the Novell Client
to map directories (symbolic links) in your local Linux workstation's file system to
access volumes on your network servers. By default, the Novell Client creates these
mapped directories in your user's home directory (for example, /home/geeko/).
When you switch to a mapped folder in your local workstation's file system, the
Novell Client automatically redirects all file operations to the server that the
directory has been mapped to.
For example, you could map a folder to your eDirectory user's home directory on an
OES server. You could also map a folder to a shared directory on a server.
To do this, complete the following:

1. Select the N icon in the system tray; then select Novell Map Directory. The
following is displayed:


Figure 6-32: Mapping a Directory to a Server Volume

2. In the Workstation File System field, enter the path to where you want the
mapped folder to reside. By default, your user's home directory is displayed.

3. In the Enter a Name... field, enter a name for the mapped folder or select a drive
letter from the drop-down list.

4. In the Novell File System field, browse to and select the server, volume, and
directory that the mapped folder should point to. This is shown in the following:


Figure 6-33: Selecting the Server, Volume, and Directory

5. (Optional) If you want the folder to be mapped every time you log in, mark Map
This Drive At Startup.

6. Select Map.

7. When prompted that the mapped directory has been created, select OK. You can
also select Browse to view the newly mapped directory. In the following figure,
the DATA_on_DA3 folder in the geeko user's home directory has been mapped
to the DATA volume on the DA3 server:


Figure 6-34: Viewing the Mapped Folder

If you double-click the mapped folder, you should see the contents of the path on the
server volume that the folder points to, as shown in the following:


Figure 6-35: Viewing the Contents of a Mapped Folder

What you can do with files and directories within the mapped folder is controlled by
the file system rights that have been assigned to your user object in the eDirectory
tree.
If you need to disconnect a mapped folder, do the following:

1. Select the N icon in the system tray; then select Disconnect Novell Mapped
Directory.
A screen similar to the following is displayed:


Figure 6-36: Disconnecting a Mapped Folder

2. Select the mapped directory you want to disconnect; then select Disconnect.

3. Select Close.

Logging Out

To log out from the eDirectory tree, do the following:

1. Select the N icon in the system tray; then select Novell Logout.
A screen similar to the following is displayed:

Figure 6-37: Logging Out

2. Select Logout.


Troubleshooting SLP Issues


For SLP to work on your SLED 11 workstation, the OpenSLP package must be
installed and configured. In addition, the host firewall on the workstation must be
configured to allow SLP traffic through.
If the firewall is not configured properly, you will see an error message similar to the
following when you try to browse for network resources in the Novell Client Login
dialog:
Figure 6-38: SLP Browse Error

If you see this error, first verify that OpenSLP has been installed and configured on
your workstation. You can verify that the package has been installed by opening a
terminal session, switching to root with the su - command, and then entering rpm
-q openslp at the shell prompt. You should see results similar to the following if
the package has been installed:
Figure 6-39: Verifying that OpenSLP Has Been Installed

You should then verify that SLP has been configured properly. This is done using the
Novell Client for Linux Wizard, as discussed earlier in this course. You can access
the wizard by selecting Configure SLP in the error window shown in the figure
above or by selecting the N icon in the system tray and selecting System Settings.


Next, you need to verify that the host firewall on the workstation has been configured
to allow SLP traffic through it. The procedure you need to complete depends upon
your SLP configuration.
If you are using UAs and SAs without DAs, then you need to configure your host
firewall to allow multicast traffic. Complete the following:

1. Open the Firewall module in YaST. This can be done in several ways:

Select Configure Firewall in the Warning window shown on the previous
page and enter your root user's password.

Start YaST, enter your root user's password, and then select Security and
Users > Firewall.

When you do, the following is displayed:

Figure 6-40: Accessing the YaST Firewall Module

2. Select Interfaces.

3. Select Advanced.

4. Double-click your network interface.


5. In the Interface Zone drop-down list, select Internal Zone, as shown below:

Figure 6-41: Changing the Interface Zone

6. Select Broadcast.

7. Select OK.
WARNING: You should do this only if your network is protected from the Internet by a
separate firewall. The internal interface zone has a lower level of security than the external
interface zone. You should not do this if the workstation is connected directly to the Internet.

8. Select Next > Finish.

9. Close YaST.

At this point, you should be able to browse for network resources using SLP
multicasts. For example, to view a list of eDirectory trees on your network, select
Trees in the Novell Login dialog. After a few seconds, a list of available eDirectory
trees is displayed, as shown below:


Figure 6-42: Browsing the Network Using SLP Multicasts

If your network has been set up with UAs, SAs, and DAs, then you need to open the
SLP ports for unicasts in your host firewall. Do the following:
1. Open the Firewall module in YaST.

2. Select Allowed Services.

3. Select Advanced.

4. In the TCP Ports and UDP Ports fields, enter 427 197 113 39.

5. Select OK.

6. Select Broadcast.

7. Select Add.

8. In the Service drop-down list, select SLP Browsing; then select Add.
This is shown below:


Figure 6-43: Enabling SLP Multicasts in the Firewall Configuration

9. Select Next > Finish.

10. Close YaST.
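As an added example (not the manual's or the Novell Client's own tooling), the following Python reads a constructed /etc/slp.conf fragment and a constructed SuSEfirewall2 sysconfig fragment and reports whether the host firewall fits the SLP mode the workstation is in, following the two procedures above. The OpenSLP keys net.slp.useScopes, net.slp.DAAddresses, net.slp.isBroadcastOnly and net.slp.maxResults correspond to the wizard's Scope List, Directory Agent List, Broadcast Only and Maximum Results fields; the SuSEfirewall2 variable names are assumed from that tool's sysconfig file.

```python
"""Check that the host firewall fits the workstation's SLP discovery mode.

Added example, not part of the manual or the Novell Client. It mirrors the
two YaST procedures above: with DAs the SLP port must be open for unicast
traffic; without DAs the interface must be in the internal zone so that
multicast or broadcast discovery is not filtered.
"""

SLP_PORT = "427"   # SLP listens on 427 for both TCP and UDP

# Constructed /etc/slp.conf fragments (OpenSLP syntax; ';' starts a comment).
SLP_CONF_NO_DA = """\
net.slp.useScopes = DEFAULT
;net.slp.DAAddresses =
net.slp.isBroadcastOnly = false
net.slp.maxResults = 256
"""

SLP_CONF_WITH_DA = """\
net.slp.useScopes = DEFAULT,HQ
net.slp.DAAddresses = 10.0.0.5,10.0.0.6
"""

# Constructed /etc/sysconfig/SuSEfirewall2 fragments (variable names assumed).
FW_EXTERNAL_ONLY = """\
FW_DEV_EXT="eth0"
FW_DEV_INT=""
FW_SERVICES_EXT_TCP=""
FW_SERVICES_EXT_UDP=""
"""

FW_INTERNAL_ZONE = """\
FW_DEV_EXT=""
FW_DEV_INT="eth0"
"""

FW_SLP_PORTS_OPEN = """\
FW_DEV_EXT="eth0"
FW_DEV_INT=""
FW_SERVICES_EXT_TCP="427"
FW_SERVICES_EXT_UDP="427"
"""


def parse_kv(text: str, comment_chars: str) -> dict:
    """Return key/value pairs of a line-oriented config, quotes stripped."""
    pairs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in comment_chars or "=" not in line:
            continue
        key, value = line.split("=", 1)
        pairs[key.strip()] = value.strip().strip('"')
    return pairs


def slp_mode(conf: dict) -> str:
    """Derive the discovery mode the wizard's SLP settings produce."""
    if conf.get("net.slp.DAAddresses"):
        return "unicast-da"      # Directory Agent List is set
    if conf.get("net.slp.isBroadcastOnly", "false").lower() == "true":
        return "broadcast"       # Broadcast Only is marked
    return "multicast"


def firewall_findings(mode: str, fw: dict, iface: str) -> list:
    """List what the firewall still blocks for the given SLP mode."""
    findings = []
    if mode == "unicast-da":
        # With DAs: the SLP port must be allowed for both TCP and UDP.
        for proto in ("TCP", "UDP"):
            if SLP_PORT not in fw.get(f"FW_SERVICES_EXT_{proto}", "").split():
                findings.append(f"{proto} port {SLP_PORT} not allowed in external zone")
    elif iface not in fw.get("FW_DEV_INT", "").split():
        # Without DAs: the interface has to be in the internal zone, which the
        # manual only recommends behind a separate perimeter firewall.
        findings.append(f"{iface} is not in the internal zone; {mode} discovery is filtered")
    return findings


def check(slp_conf_text: str, fw_text: str, iface: str) -> tuple:
    """Return (mode, findings) for one workstation's configuration."""
    mode = slp_mode(parse_kv(slp_conf_text, ";#"))
    return mode, firewall_findings(mode, parse_kv(fw_text, "#"), iface)


if __name__ == "__main__":
    print(check(SLP_CONF_NO_DA, FW_EXTERNAL_ONLY, "eth0"))
    print(check(SLP_CONF_NO_DA, FW_INTERNAL_ZONE, "eth0"))
    print(check(SLP_CONF_WITH_DA, FW_SLP_PORTS_OPEN, "eth0"))
```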

Using Novell Client for Linux Shell Commands


In addition to the GUI utilities and functions discussed previously in this objective,
you can also manage the Novell Client for Linux using commands at the shell
prompt. The table below lists several of the more commonly used commands:
Table 6-4: Novell Client Shell Commands

Command          Description
ncl_tray         Loads the Novell Client for Linux tray application and
                 allows customization of the tray interface.
nwconnections    Lists active connections for the currently logged-in user.
nwcopy           Copies files and directories to and from Novell file
                 systems.
nwflag           Displays or modifies the attributes of files and directories
                 on Novell file systems.
nwlogin          Logs a user in to a Novell file server or an eDirectory
                 tree.
nwlogout         Logs the user out of a Novell or eDirectory tree.
map              Creates a mapping (mount) from a local file system to a
                 remote file system on a Novell file server.
nwrights         Displays or modifies a user's trustee assignments or
                 inherited rights filter for volumes, directories, or files.

To view the syntax for using any of these commands, open a terminal window and
enter man command_name at the shell prompt.


Exercise 6-2

Configure the Novell Client for Linux


In this exercise, you configure the Novell Client for Linux on your SLED 11
workstation and use it to log into an OES 2 for Linux server.
You will find this exercise in the workbook.
(End of Exercise)

Configuring Integrated Login


The Novell Client 2.0 for Linux provides a single, synchronized login to the SLED 11
desktop and your Novell network. You enter your username and password only once
to access all the resources you are authorized to use.
NOTE: The integrated login feature is not available if you log in as root. It is also unavailable if
you have the workstation configured to automatically log in as a particular Linux user account.

To configure integrated login, you need to do the following:

Enable CASA on page 198

Configure Integrated Login on page 200

Enable CASA

For integrated login to work, the Novell Common Authentication Services Adapter
(CASA) must be installed and enabled on the workstation. CASA is a common
authentication and security package that provides a set of libraries for application and
service developers to enable single sign-on to the network.
WARNING: Before you can enable CASA, you must first update the Mono packages on your
SLED 11 workstation to the latest versions. Otherwise, integrated login won't work on your system.

To install CASA on your workstation, do the following:

1. On your SLED 11 workstation, start YaST.

2. When prompted, enter your root user's password.

3. In YaST, select Software > Software Management.

4. In the Search field, enter CASA.

5. In the Packages Listing field, identify the CASA packages, as shown below:


Figure 6-44: Installing CASA

6. Select the following packages for installation:

CASA

CASA-kwallet

CASA-gui

CASA_auth_token_client

yast2-CASA

7. Select Apply.

8. If prompted that the CASA packages are unsupported, select OK to continue the
installation.

9. Wait while the packages are installed.

Once done, you need to enable CASA. Complete the following:

1. In YaST, select Security and Users; then select CASA.


When you do, the following is displayed:

Figure 6-45: Enabling CASA

2. Select Enable CASA.

3. When prompted that CASA was enabled, select OK.

4. Select Finish.

5. Close YaST.

Configure Integrated Login

Once CASA has been enabled, you need to configure the workstation to use
integrated login.
To do this, you first need to enable integrated login system-wide on the SLED 11
workstation by doing the following:

1. Launch the Novell Client Configuration wizard.

2. When prompted, enter your root user's password.

3. Select Login; then select Start Wizard.


4. On the Login Settings page, select Integrated Login.
This enables the integrated login feature for the entire system. This cannot be
overridden by the user.

5. Select Display Integrated Login Results to display the Integrated Login Script
Results window when the user desktop is launched.
If this option is disabled, all login scripts are run silently and the Integrated Login
Script Results window is not displayed, but login scripts are still processed.
NOTE: You can also delete stored profiles by selecting Delete Integrated Login Profiles.

6. Select Next.

7. Select Finish > Yes.

Next, you need to configure integrated login in the Novell Client Login dialog. Do
the following:
1. Select the N icon in the system tray of your SLED 11 workstation.

2. Select Novell Login.

3. Enter your eDirectory username and password; then select Advanced.
The following is displayed:

Figure 6-46: Entering Your Authentication Credentials


4. Enter the following as appropriate for your network:

Tree name

Context

Server

5. Select the Startup tab.
When you do, the following is displayed:

Figure 6-47: Configuring Integrated Login in the Novell Login Dialog

6. Select Save Profile After Successful Login.


NOTE: The User Name, Password, Tree, and Context fields on the eDirectory tab must be
populated to save your profile. Integrated login does not work without a saved profile.

7.

Verify that Run Novell Client Login at Session Startup is selected.

8.

Select OK to log in.

9.

When prompted that the login profile has been saved, select OK.

Now, the next time you log in to your SLED 11 workstation, you will also
automatically log in to the eDirectory tree as the user you specified.


Exercise 6-3

Configuring Integrated Login


In this exercise, you configure the Novell Client for Linux on your SLED 11
workstation and use it to log into an OES 2 for Linux server.
You will find this exercise in the workbook.
(End of Exercise)


Objective 4

Use Novell iPrint on SLED 11

In addition to mapping drives to server volumes, you can also use the Novell Client
for Linux to send print jobs to Novell iPrint printers. In this objective, you learn how
to do this. The following topics are addressed:

How iPrint Works on page 204

Installing and Configuring the iPrint Client on Linux Workstations on
page 209

Installing iPrint Printers and Sending Print Jobs on page 210

Install and Configure the iPrint Client on page 213

How iPrint Works


iPrint lets mobile employees, business partners, and customers access printers from a
variety of remote locations using existing Internet connections. Whether users are
working in an office building, telecommuting from home, or attending a sales
meeting in another country, iPrint ensures that they can print documents quickly,
easily, and reliably.
Using a web browser, users point to a web page that displays the printers available for
installation. When the user selects a printer, the iPrint client is installed (if not
installed previously), the printer's driver is downloaded, and a printer is created on
the user's workstation. The following illustrates this process:

Figure 6-48: How iPrint Works

Using iPrint, mobile users no longer need to contact the Help Desk to request a
printer's name and context, and the required printer driver. Instead, mobile users
work within a familiar web browser to locate nearby printers using iPrint's Printer
List web page or maps created by the system administrator.
Companies can also lower communication costs by reducing the need to fax
documents between offices. Instead, companies can use their existing Internet
connections to print documents to remote printers.


iPrint uses the Internet Printing Protocol (IPP), an industry standard, to eliminate the
complexities of printing over the Internet and to make location-based printing a
reality. The benefits of IPP include the following:

It uses the IP protocol.

It provides broad vendor support.

It works over local networks as well as the Internet.

It provides for print data encryption (SSL, TLS).

It provides a standard print protocol for all platforms (such as Linux, Macintosh,
and Windows).

In addition to the benefits of IPP, Novell's implementation of iPrint adds the
following value:

Printer driver download and installation

Location-based printing

Browser-enabled printer installation interface

Customizable user interface

Secure information transfer

For secure printing needs, iPrint integrates with eDirectory to ensure that only
authorized users can access the printer. Users are required to authenticate with their
eDirectory username and password. Print data is also encrypted to ensure that
sensitive print data is kept secure and unaltered.
iPrint on an OES 2 Linux server consists of three main components: the Print
Manager, the Driver Store, and the iPrint Client. Other supporting components
include Apache Web Server, Novell iManager, and eDirectory.


SUSE Linux Enterprise Desktop 11 Administration / Manual

Figure 6-49: iPrint Components

The following describes each iPrint component:

Print Manager on page 206

Driver Store on page 207

iPrint Client on page 207

Apache Web Server on page 208

iManager on page 209

Print Manager

The Print Manager is an object in the eDirectory tree as well as software that runs on
an OES server. The Print Manager provides a platform for Printer Agents to reside on
the server. Printer Agents are representations of actual printers. Print jobs are
submitted to the Print Manager; the print job is then forwarded to a printer when the
printer is ready.


Integrate SLED 11 into a Novell eDirectory Environment

Figure 6-50: Sending a Print Job

A single Print Manager can handle print jobs for multiple printers. Depending on
your network configuration (for example, remote locations), you can create
additional Print Managers on other servers, but only one Print Manager can exist on
any one server.
Driver Store

The Driver Store is an eDirectory object. It is a repository of printer drivers for your
print system. Only one Driver Store is required on a network, but you can create
additional Driver Stores if required.
When the first user of a printer installs that printer, the Print Manager requests the
associated printer driver from the Driver Store, and the Print Manager saves the
printer driver to disk for future use.
iPrint Client

To send jobs to an iPrint printer, the iPrint Client must first be installed on the user's
workstation. iPrint Clients are available for Linux, Windows, and Macintosh
workstations.
The Linux iPrint client includes the following components:

Browser plug-in. The iPrint client contains a browser plug-in for Mozilla-based
browsers. This plug-in lets you install printers through your web browser.

Console utility. The Linux iPrint client includes the iprntcmd utility that lets you
install printers, print test pages, and upload drivers to a Driver Store from a
console prompt.

CUPS Integrator. The client integrates with the CUPS back end and uses the
CUPS local spooler to send print jobs to the Print Manager.

The Linux iPrint Client is packaged in two different installations that control access
to the print system. The following table explains the differences between the two
clients:


Table 6-5 iPrint Client Versions

iPrint Client: novell-iprint-xclient-sh-version.i586.rpm
Workstation Access: Security high. Limited access to the print system.
Description: This client requires workstation users to be defined with lppasswd to
install, delete, or administer printers on the workstation. When performing one of
these print operations, the user is challenged for a password.

iPrint Client: novell-iprint-xclient-sl-version.i586.rpm
Workstation Access: Security low. Unlimited access to the print system.
Description: This client allows all users of the workstation to install, delete, or
administer printers and print jobs on the workstation, including printers and print
jobs of other users. By default, the iPrint Printer List Web page installs this RPM.

The security level of the above clients does not affect installation of the iPrint Client,
just access to the workstation print system. To install either iPrint Client, you still
need root permissions.
When installing a secure iPrint printer, you might be prompted twice for your
username and password. First, you are prompted to provide your network credentials
to verify that you have access to the printer; it would be no use installing a printer that
would not allow you to print. The second prompt is for CUPS printers to ensure you
have rights to install printers on the client machine. You need to provide the root
password or be defined in the CUPS lppasswd file.
Printing to secure printers is supported only when you are logged in to the desktop. If
for any reason the CUPS iPrint back end cannot deliver the job to a secure printer, the
job is requeued to the client with a hold. You can then see the held job and release it
after you log in to the desktop.
The iPrint Client does not support printing from terminal screens unless the GUI is
running on the host workstation.
Apache Web Server

iPrint uses the Apache 2.0 Web server. The Web server serves up HTML pages,
handles secure (SSL/TLS) and nonsecure requests, and utilizes LDAP for
authentication. iPrint can use any port specified on Apache; however, iPrint defaults
to two primary ports:


Port 443. All secure printing occurs over port 443 using SSL.

Port 631. All non-secure printing occurs over port 631.


The iPrint client also supports TLS. If your system, including the client, is configured
to use TLS, all secure and non-secure printing occurs over port 631.
During the OES 2 for Linux installation of the iPrint software, the CUPS back-end
components are disabled on the server to avoid port 631 conflicts. Because iPrint uses
CUPS to render print jobs before sending the print job to the Print Manager, printing
from the server itself using CUPS or iPrint is not available.
iManager

You use Novell iManager to create, configure, and manage your iPrint system. For
complete management, including uploading printer drivers and PPD files, you need
to access iManager from a workstation with the iPrint client installed.

Installing and Configuring the iPrint Client on Linux Workstations


Before you can send print jobs to an iPrint printer, you need to install and configure
the iPrint Client on your workstation. You can download and install the iPrint Client
from the iPrint Printer List Web page that resides on the server where the Print
Manager is loaded. Do the following:
1. Open a web browser and navigate to http://server_address/ipp.

When you do, a screen similar to the following is displayed:

Figure 6-51 Accessing the iPrint Client Download Page

2. Select Install iPrint Client.

3. In the iPrint Client Installation page, select Install the iPrint Client.

4. Save the file to your desktop.

5. Close your browser window.

NOTE: This forces Firefox to reload the new iPrint plugin the next time you start the browser.

6. Open a terminal window.

7. Change to your root user account by entering su - at the shell prompt followed
by your root user's password.

8. Change to your user's desktop directory by entering cd /home/user_name/Desktop
at the shell prompt.

9. Install the iPrint Client software at the shell prompt by entering
rpm -Uhv ./novell-iprint-xclient-security_level-version.architecture.rpm.
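As an added example (this is not code from the Novell manual), the following POSIX shell script wraps step 9 so that the security level from Table 6-5 is visible before anything is installed: it derives the level from the RPM file name, refuses to install without root, and can also report which client is already installed from the output of rpm -qa. The file-name pattern novell-iprint-xclient-<sh|sl>-version.architecture.rpm is assumed from Table 6-5; the package names used for illustration are constructed.

```shell
#!/bin/sh
# Added example, not part of the Novell manual. Helpers around step 9 of the
# iPrint Client installation. Assumes the package naming from Table 6-5:
#   novell-iprint-xclient-<sh|sl>-<version>.<arch>.rpm
# where "sh" is the security-high client and "sl" the security-low client.

# iprint_client_level FILE -> prints "sh" or "sl"; returns 1 if FILE does not
# look like an iPrint client RPM.
iprint_client_level() {
    case "${1##*/}" in
        novell-iprint-xclient-sh-*.rpm) echo sh ;;
        novell-iprint-xclient-sl-*.rpm) echo sl ;;
        *) return 1 ;;
    esac
}

# iprint_level_note LEVEL -> what the level means for the workstation print
# system, following Table 6-5.
iprint_level_note() {
    case "$1" in
        sh) echo "security high: only users defined with lppasswd may install, delete or administer printers" ;;
        sl) echo "security low: every workstation user may administer all printers and print jobs, including other users'" ;;
        *) return 1 ;;
    esac
}

# iprint_level_from_list -> reads installed package names from stdin (one per
# line, e.g. the output of: rpm -qa 'novell-iprint-xclient-*') and prints the
# level of the installed client, or "none".
iprint_level_from_list() {
    found=none
    while IFS= read -r pkg; do
        case "$pkg" in
            novell-iprint-xclient-sh-*) found=sh ;;
            novell-iprint-xclient-sl-*) found=sl ;;
        esac
    done
    echo "$found"
}

# install_iprint_client FILE -> shows the level, then runs rpm -Uhv as in step 9.
# Refuses files it does not recognise and non-root callers. DRY_RUN=1 only
# prints the command.
install_iprint_client() {
    level=$(iprint_client_level "$1") || { echo "not an iPrint client RPM: $1" >&2; return 1; }
    echo "$1: $(iprint_level_note "$level")"
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "would run: rpm -Uhv $1"
        return 0
    fi
    if [ "$(id -u)" -ne 0 ]; then
        echo "root is required to install the iPrint Client (run su - first)" >&2
        return 1
    fi
    rpm -Uhv "$1"
}

# Usage: cd /home/user_name/Desktop && sh ./install-iprint.sh novell-iprint-xclient-sh-*.rpm
if [ $# -gt 0 ]; then
    install_iprint_client "$1"
fi
```

Run it with DRY_RUN=1 first to see which variant the Printer List page handed you; the page installs the security-low client by default, and the script's note makes that choice explicit before rpm -Uhv runs.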

Installing iPrint Printers and Sending Print Jobs

Once you've installed the iPrint Client, you can install iPrint printers on your
workstation. To do this, complete the following:

1. Open a web browser and navigate to http://server_address/ipp.

When you do, a screen similar to the following is displayed:

Figure 6-52 Installing an iPrint Printer

2. Select the printer you want to install from the list provided.

When you do, a screen similar to the following is displayed:

Figure 6-53 Selecting a Printer for Installation

3. (Optional) Select Set Printer As Default if you want the printer to be your
default printer.

4. Select Yes to install the printer.

5. Select OK when prompted that the printer is installed.

Once done, you can send print jobs to the printer using your application's
standard print dialog, just as you would for a locally-connected printer. For example,
the Firefox browser's print dialog is used below to send a print job to the DAPrinter
iPrint printer.

Figure 6-54 Sending a Print Job to an iPrint Printer


Exercise 6-4 Install and Configure the iPrint Client


In this exercise, you install and configure the iPrint Client on your SLED 11
workstation and then use it to install an iPrint printer.
You will find this exercise in the workbook.
(End of Exercise)


Objective 5

Use iFolder on SLED 11


In addition to iPrint, you can also configure a SLED 11 workstation to work with a
Novell iFolder server. In this objective, you learn the following:

How iFolder Works on page 214

Installing the iFolder Client on page 216

Configuring Your iFolder Account on page 217

Creating iFolders on page 224

How iFolder Works


Novell iFolder is a service that allows files from users' local file systems to
automatically follow them across computers. Users can share files in multiple
iFolders. They can also share each iFolder with a different group of users.

Typically, when users work in multiple locations or in collaboration with others, they
must manually manage file versions. With iFolder, the most recent version of a user's
files can follow the user to any computer where the iFolder client is installed and a
shared iFolder is set up.

iFolder also allows users to share multiple iFolders and their separate content with
other users of the iFolder system. Users decide who participates in each shared
iFolder and their level of access. Similarly, users can participate in shared iFolders
that are owned by others in the collaboration environment.
The iFolder service itself is composed of the following components:

iFolder Enterprise Server: The iFolder enterprise server is a central repository
for storing iFolders and synchronizing files for enterprise users.

Web Admin Console: The Web Admin Console is an administrative tool used to
manage the iFolder system, user accounts, and user iFolders.

Web Access Console: The Web Access console provides remote access to
iFolders on the iFolder enterprise server.

The iFolder Client: The iFolder Client integrates with the user's operating
system to provide iFolder services in a native desktop environment.

An iFolder session begins when the user logs in to their iFolder account and ends
when the user logs out of the account or exits the iFolder client. iFolder synchronizes
files with the enterprise server only when a session is active and the computer has an
active connection to the network or Internet.
Users can access data in their local iFolders at any time; it does not matter if they are
logged in to their server accounts or if they are connected to the network or Internet.
Consider the following example: Suppose a user named Ulrik owns an iFolder named
Denmark and shares it via his iFolder enterprise account with three other users named
Nigel, Luc, and Alice.


Nigel travels frequently, so he also set up the iFolder on his laptop. Any iFolder
member can upload and download files from the Denmark iFolder from anywhere,
using the iFolder Web Access server.
In addition, Alice shares a non-work iFolder named Scooters with her friend Ulrik.
This is shown below:
Figure 6-55 iFolder Example

The iFolders are stored centrally for all iFolder members. The iFolder server
synchronizes the most recent version of documents to all authorized users of the
shared iFolder. All that the iFolder owner and iFolder members need is an active
network connection and the iFolder client.
Novell iFolder provides the following benefits:

It guards against local data loss by automatically backing up local files to the
iFolder server and multiple workstations.

It prevents unauthorized network access to sensitive iFolder files.

It allows multiple servers to participate in a single iFolder domain, so as to
scale up the number of users and the data transfer bandwidth.

It transparently updates a user's iFolder files to the iFolder enterprise server and
multiple member workstations with the iFolder client.

It tracks and logs changes made to iFolder files while users work offline, and
synchronizes those changes when they go online.

It provides access to user files on the iFolder server from any workstation
without the iFolder client, using a Web browser and an active Internet or network
connection.


It protects data as it travels across the wire using SSL encryption.

It makes files on the iFolder server available for your regularly-scheduled backup.

Installing the iFolder Client


To integrate your SLED 11 workstation with an iFolder server, you need to install the
iFolder Client software.
The iFolder client requires 5-10 MB of free space on your hard drive to download and
install. You also need a network adapter installed; however, the network connection
only needs to be active when synchronizing files. You need to have 265 MB RAM (or
more) installed in the system and enough free hard disk space for the files
synchronized from the iFolder server. You also need to have the Mono framework, the
xsp package, and the dbus-1-mono package installed on your system.
The iFolder client is available for download on the Welcome page of your iFolder
server. To install it, do the following:
1. On your workstation, open a supported browser and access
http://iFolder_server_address.

2. Select Client Software.

The following is displayed:

Figure 6-56 Downloading the iFolder Client Software

3. Select iFolder Client for Linux.

4. Open a terminal session and change to your root user's account using the su
command.

5. Copy the file you just downloaded to the /tmp directory.

6. Change to the /tmp directory by entering cd /tmp at the shell prompt.

7. Extract the files from the compressed tar archive by entering
tar -zxvf ./ifolder3-version.tar.gz at the shell prompt.

8. At the shell prompt, enter cd /tmp/ifolder3-version.

Within this directory are two subdirectories. The rpms in the i586 directory are
for workstations that use 32-bit CPUs. The rpms in the x86_64 directory are for
workstations that use a 64-bit CPU.

9. Use the cd command at the shell prompt to switch to the directory appropriate
for your workstation's architecture.

10. At the shell prompt, enter rpm -Uhv *.rpm.

11. Reboot your system.
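Steps 7 to 10 above as an added shell example (not part of the manual): the script maps the output of uname -m to the i586 or x86_64 directory and checks the archive's member list for absolute paths or ".." components before extracting, since the tarball is fetched from the server Welcome page over plain HTTP and tar -zxvf would otherwise write wherever a crafted member name points. The archive name ifolder3-version.tar.gz and the directory layout are taken from the steps above; the member names used in the check are constructed samples.

```shell
#!/bin/sh
# Added example, not part of the Novell manual. Helpers for steps 7 to 10 of the
# iFolder client installation: pick the rpm directory for this CPU and refuse to
# extract an archive whose member names would escape /tmp.

# ifolder_rpm_dir ARCH -> the subdirectory of the extracted archive to install
# from, given the output of uname -m; returns 1 for unsupported architectures.
ifolder_rpm_dir() {
    case "$1" in
        i386|i486|i586|i686) echo i586 ;;
        x86_64)              echo x86_64 ;;
        *)                   return 1 ;;
    esac
}

# tar_members_are_safe -> reads member names (the output of tar -tzf) from
# stdin and returns 1 if any is absolute or contains a ".." path component.
# Run this before tar -zxvf on any archive downloaded from the network.
tar_members_are_safe() {
    rc=0
    while IFS= read -r m; do
        case "/$m/" in
            //*|*/../*) echo "unsafe archive member: $m" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# install_ifolder_client ARCHIVE -> ARCHIVE (e.g. ifolder3-version.tar.gz) must
# already be in /tmp (step 5). Checks it, extracts it, changes into the
# architecture directory and installs the rpms (step 10). Requires root.
install_ifolder_client() {
    archive=${1##*/}
    arch=$(uname -m)
    arch_dir=$(ifolder_rpm_dir "$arch") || { echo "unsupported architecture: $arch" >&2; return 1; }
    cd /tmp || return 1
    tar -tzf "$archive" | tar_members_are_safe || return 1
    top=$(tar -tzf "$archive" | head -n 1 | cut -d/ -f1)   # e.g. ifolder3-version
    tar -zxf "$archive" || return 1
    cd "/tmp/$top/$arch_dir" || return 1
    rpm -Uhv ./*.rpm
}

# Usage (as root, after copying the archive to /tmp):
#   . ./install-ifolder.sh && install_ifolder_client ifolder3-version.tar.gz
```

The member-name check is the part worth keeping even if you install by hand: tar -tzf costs nothing and tells you whether the archive stays inside its own top-level directory.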

Configuring Your iFolder Account


Once the iFolder Client software is installed, you can start it and configure your
iFolder Account. To do this, complete the following:
1. Start the iFolder Client by doing one of the following:

At the shell prompt of the workstation, enter /opt/novell/ifolder3/bin/ifolder.

Select Computer > More Applications > System > iFolder 3.

NOTE: You can configure iFolder to start automatically when you log in by right-clicking the iFolder 3 icon and then selecting Add to Startup Programs.

The first time you start your iFolder client software, you are prompted to
configure your iFolder account, as shown below:


Figure 6-57 Configuring the iFolder Client

2. In the Welcome page, select Forward.

The following is displayed:


Figure 6-58 Specifying the iFolder Server Address

3. In the Server Address field, enter the DNS name or IP address of your iFolder
server; then select Forward.

The following is displayed:


Figure 6-59 Configuring the iFolder Username and Password

4. In the Identity page, enter the following:

User Name: Enter your iFolder user name.

Password: Enter your iFolder user's password.

Remember My Password: Mark this option if you want to be automatically
logged in each time iFolder starts.

5. Select Forward.

6. In the Verify and Connect screen, review the information you entered.
If correct, select Connect.

7. If prompted, accept the iFolder server's security certificate by selecting Yes.

The following is displayed:


Figure 6-60 Creating a Default iFolder

8. If you want to create an iFolder folder, mark Download Default iFolder; then
enter the appropriate path to be used as an iFolder in the Location field.
The default path is /home/linux_user/iFolder/iFolder_user/Default.

9. Select Next > Finish.

A list of iFolders configured on your computer is displayed:


Figure 6-61 iFolders on this Computer

You can configure your iFolder client preferences after it is installed by doing the
following:
1. With the iFolder client software running, right-click the iFolder icon in the
system tray; then select Preferences.

The following is displayed:


Figure 6-62 Configuring iFolder Client Preferences

2. Configure the following options, as appropriate:


Table 6-6 iFolder Configuration Options

Option: Show Confirmation Dialog When Creating iFolders
Description: Mark this option to receive a confirmation message each time you
create an iFolder.

Option: Notify of Shared iFolders
Description: Mark this option to enable a pop-up message whenever you receive a
new invitation to share an iFolder. Invitations are retrieved based on the
Synchronization Interval you specify in iFolder Preferences. The interval controls
the synchronization of files, iFolder share invitations, and the list of users.

Option: Notify of Conflicts
Description: Mark this option to enable a pop-up message whenever a conflict
occurs when synchronizing files.

Option: Notify When a User Joins
Description: Mark this option to enable a pop-up message whenever a user accepts
an invitation to share an iFolder.

Option: Synchronization
Description: Select from the following:

Automatically Synchronize iFolders: Mark this check box to enable
synchronization for all iFolders for the current user.

Synchronize iFolders Every: Specify the minimum interval to use for
synchronizing iFolders.

3. Select Close.

Creating iFolders
In addition to the default iFolder that you can create during the initial client
installation, you can also create your own iFolders. In this part of this objective, you
learn how to do the following tasks:

Creating an iFolder on page 224

Configuring iFolder Properties on page 226

Creating an iFolder

You can create an iFolder using a file manager such as Nautilus. To do this, complete
the following:

1. Locate or create the folder you want to convert to an iFolder using Nautilus.

2. Right-click the folder and select Convert to an iFolder, as shown below:


Figure 6-63 Creating a New iFolder

3. In the Convert to an iFolder screen, select OK.

The new iFolder is added to your list of iFolders, as shown below:


Figure 6-64 New iFolder Added

Configuring iFolder Properties

After an iFolder has been created, you can customize how it functions by configuring
its properties. Do the following:
1. With the iFolder client started, right-click on the iFolder icon in the system tray
and select iFolders.

2. Select the iFolder you want to customize, then select Properties.

The following is displayed:


Figure 6-65 Configuring iFolder Properties

3. If you want to synchronize the folder immediately, select Synchronize Now.

4. If you want to share the iFolder with other users, do the following:

a. Select the Sharing tab.

NOTE: You can also right-click the folder in Nautilus and select Share iFolder With....

The following is displayed:


Figure 6-66 Configuring Sharing

b. Select Add.

c. Select the user you want to share the iFolder with; then select Add.

d. Select OK > Close.


Summary

The following is a summary of what you learned in this section.

Objective: Describe How the Novell Client for Linux Works

What You Learned: eDirectory is a hierarchical, distributed database that provides
the basic foundation for the Directory service along with replication and
partitioning capabilities. Companies use eDirectory as a means for managing users
and all their network hardware and applications.

When working with eDirectory, you need to be familiar with

eDirectory Components

eDirectory Objects

eDirectory Context

eDirectory Naming

In order for a workstation to authenticate to an eDirectory tree and access the
resources that it manages, you must first install and configure the Novell Client.
The Novell Client can be installed on both Windows and Linux workstations.

The Novell Client for Linux allows Linux users to access and use the services
available on servers running Novell eDirectory, including NetWare and Open
Enterprise Server (OES) systems.

Once installed on a workstation, the Novell Client enables users to enjoy the full
range of Novell services, such as authentication via Novell's eDirectory, network
browsing, service name resolution, and secure file system access.

Objective: Install and Configure the Novell Client for Linux on SLED 11

What You Learned: The first option for installing the Novell Client for Linux is to
run an installation script at the shell prompt of the workstation.

An installation script named ncl_install is provided in the Novell Client for Linux
installation media. The ncl_install script is located at the root of the install
media files.

In addition to installing the Novell Client for Linux from the shell prompt, you can
also install using a graphical user interface from YaST.

Objective: Authenticate to an OES 2 Server Using the Novell Client for Linux

What You Learned: In this objective, you learned how to do the following:

Authenticating to eDirectory

Configuring integrated login

Mapping directories to server volumes

Logging out

Troubleshooting SLP issues

Using Novell Client for Linux shell commands

Objective: Use Novell iPrint on SLED 11

What You Learned: iPrint lets mobile employees, business partners, and customers
access printers from a variety of remote locations using existing Internet
connections. Whether users are working in an office building, telecommuting from
home, or attending a sales meeting in another country, iPrint ensures that they can
print documents quickly, easily, and reliably.

Using a web browser, users point to a web page that displays the printers available
for installation. When the user selects a printer, the iPrint client is installed (if
not installed previously), the printer's driver is downloaded, and a printer is
created on the user's workstation.

Before you can send print jobs to an iPrint printer, you need to install and
configure the iPrint Client on your workstation. You can download and install the
iPrint Client from the iPrint Printer List Web page that resides on the server where
the Print Manager is loaded.

Objective: Use iFolder on SLED 11

What You Learned: Novell iFolder is a service that allows files from users' local
file systems to automatically follow them across computers and share data with other
users.

With iFolder, the most recent version of a user's files can follow the user to any
computer where the iFolder client is installed and a shared iFolder is set up.

iFolder also allows users to share multiple iFolders and their separate content with
other users of the iFolder system. Users decide who participates in each shared
iFolder and their level of access. Similarly, users can participate in shared
iFolders that are owned by others in the collaboration environment.

The iFolder service itself is composed of the following components:

iFolder Enterprise Server

Web Admin Console

Web Access Console

The iFolder Client

iFolder synchronizes files with the server only when a session is active and the
computer has an active connection to the network or Internet.


SECTION 7

Integrate SUSE Linux Enterprise Desktop 11 into a UNIX Environment

This section explains how to access files stored on a Unix server with your SUSE
Linux Enterprise Desktop 11 (SLED 11). The technology used for this is NFS.

In a Unix environment, LDAP is used for authentication and CUPS for printing. This
section also explains how to configure these services on the client.

This course focuses on the client side. Server configuration for these services is
covered in detail in SUSE Linux Enterprise Server 11 Administration (Course 3103).

Section Objectives

In this section, you learn how to do the following:

1. Accessing NFS File Shares on page 234

2. Authentication to LDAP on page 242

3. Printing to CUPS Printers on page 250


Objective 1

Accessing NFS File Shares


NFS is designed for sharing files and directories over a network. It requires
configuration of an NFS server where the files and directories are located and NFS
clients (computers that access the files and directories remotely).
To configure the client, you need to understand the following:

Network File System Basics on page 234

NFS Internals on page 235

Configure NFS Client Access with YaST on page 235

Mount Home Directories Manually on page 237

Mount Home Directories Automatically on page 239

Network File System Basics


File systems are exported by an NFS server and appear and behave on an NFS client
as if they were located on a local machine.

For example, with NFS, each user's home directory can be exported by an NFS
server and imported to a client, so the same home directories are accessible from
every workstation on the network.

Directories such as /home/, /opt/, and /usr/ are good candidates for export via
NFS. However, other directories, including /bin/, /boot/, /dev/, /etc/, /lib/,
/root/, /sbin/, /tmp/, and /var/, should be available only on the local hard drive.

Using NFS for home directories only makes sense with central user management
(provided, for example, by OpenLDAP).

The following is an example of mounting the /home/ directory (exported by the
NFS server da1) on the da10 computer:

Integrate SUSE Linux Enterprise Desktop 11 into a UNIX Environment

Figure 7-1

Mount the /home Directory

A computer can be both an NFS server and an NFS client. It can supply file systems
over the network (export) and mount file systems from other hosts (import).

NFS Internals
NFS is an RPC (Remote Procedure Call) service. An essential component of RPC
services is the portmapper (rpcbind on SUSE Linux Enterprise 11), which manages the
services and has to be started first. The portmapper is activated by default on SUSE
Linux Enterprise Desktop 11.
When an RPC service starts up, it binds to a port on the system (just like any other
network service), but it also registers this port and the service it offers (such as NFS)
with the portmapper.
Because every RPC program must register with the portmapper when the RPC
program is started, RPC programs must be restarted after a restart of the portmapper.
NFS supports file locking, so that clients can coordinate write access to a file and
only one holder of a lock writes to it at a time. The NFS lock manager (NLM) kernel
module is responsible for file locking and is loaded on the server side when starting
the NFS server and on the client side when mounting a directory exported on the
server using NFS.

Configure NFS Client Access with YaST


NFS directories exported by a server can be mounted in the file system tree of a client.
The easiest way to do this is to use the YaST NFS Client module.
To use YaST to configure the NFS client, start the YaST Control Center; then select
Network Services > NFS Client. You can also start the NFS Client module directly;
enter, as root, yast2 nfs in a terminal window.


Figure 7-2

YaST NFS Client Module

Add a directory to the list by selecting Add. The following appears.


Figure 7-3

Add an NFS Directory


From this dialog, you can configure the directory to mount in your file system tree.
Configure the directory by doing the following:

1. In the NFS Server Hostname field, enter the NFS server's host name or find and
select the NFS server from a list of NFS servers on your network by selecting
Choose.

2. In the Remote File System field, enter the name of the exported directory on the
NFS server you want to mount or find and select the available directory by
selecting Select.

3. In the Mount Point (local) field, enter the mount point in your local file tree to
mount the exported directory or browse to and select the mount point by
selecting Browse.

4. In the Options field, enter any options you would normally use with the mount
command (for example, nosuid,nodev; see the mount options described under
Mount Home Directories Manually on page 237). For a list of these options, enter
man mount.

5. After these steps, select OK. You are returned to the NFS Client Configuration
dialog.

Save the NFS client settings by selecting OK. The settings are saved in /etc/fstab,
services are restarted, and the exported directories are mounted in your local
file system tree.

Mount Home Directories Manually


You can import a directory manually from an NFS server by using the command
mount. The only prerequisite is a running rpcbind (portmapper), which you can start
by entering (as root) the command rcrpcbind start.
The command mount automatically tries to recognize the file system (such as ext2,
ext3, or ReiserFS). However, you can also use the mount option -t to indicate the
file system type. For NFS version 3 and lower, the file system type is nfs; for NFS
version 4 it is nfs4.
In the following example, the file system type nfs is specified:
mount -t nfs -o options host:/directory /mountpoint
Instead of a device file, the name of the NFS server together with the directory to
import is used within the mount command.


The following are the most important mount options (-o) used with NFS:

soft (opposite: hard). If an attempt to reach the NFS server fails more often than the
default number of retries (or the value set with the retrans= option), the
request is aborted with an error.
If the hard option (or neither soft nor hard) is specified, the client keeps retrying
until it receives an answer from the server.
If a system tries to mount an NFS file system at boot time, the hard option can
cause the boot process to hang, because the process stops at this point when it
attempts to mount the NFS directory.
For directories that are not essential for the system to function, you can use the
option soft. For directories that must be mounted (such as home directories), use
the option hard. Be aware that with soft, an application that receives such an
error may have written only part of its data, so soft suits read-only or
non-critical imports rather than data you cannot afford to lose.

bg (default: fg). If you use the bg option and the first attempt is unsuccessful, all
further mount attempts are run in the background.
This prevents the boot process from hanging when NFS exports are
automatically mounted, with attempts to mount the directories continuing in the
background.

rsize=n. Sets the number of bytes (n, a positive integral multiple of 1024,
maximum 1,048,576) that NFS reads from the NFS server in one request.
If this value is not set, client and server negotiate the highest value that both
support. The negotiated value is shown in /proc/mounts.

wsize=n. Sets the number of bytes (n, a positive integral multiple of 1024,
maximum 1,048,576) that can be written to the NFS server in one request.
If this value is not set, client and server negotiate the highest value that both
support. The negotiated value is shown in /proc/mounts.

retry=n. Sets the number of minutes (n) that an attempt to mount a directory
through NFS may take. The default value for foreground mounts is 2 minutes; for
background mounts, it is 10,000 minutes (approximately one week).

nosuid. Disables any interpretation of the SUID and SGID bits on the
imported file system.
For security reasons, always use this option for any file system that might be
susceptible to tampering, which in practice means every NFS import: the client
has no way to verify what the server delivers.
If you do not use this option, a user who can write to the export (or who controls
the server) can obtain root access on the client by placing a SUID root
executable on the imported file system and running it there.

nodev. Disables any interpretation of device files in the imported file system. We
recommend that you use this option for security reasons.
Without this option, someone could create a device node for the client's hard disk
(such as /dev/hda) on the NFS export; as soon as the file is accessed from the
client side, it gives raw read and write access to that disk.

exec (opposite: noexec). Permits or prevents the execution of binaries on
the mounted file system.

You can use the command umount to unmount a file system. However, you can
only do this if the file system is currently not being accessed.
NOTE: For additional information on nfs, mount options, and on the file /etc/fstab,
enter man 5 nfs, man 8 mount, or man 5 fstab.
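The following shell script is an added example, not part of the course material. It turns two of the points above into something you can run: it builds the kind of /etc/fstab line the exercise at the end of this objective asks for, with hard,bg,nosuid,nodev already set, and it audits the NFS entries of /proc/mounts for imports that lack nosuid or nodev. The host names, exports and the /proc/mounts sample are constructed for the demonstration; on a live client feed the real /proc/mounts to nfs_audit_mounts.

```shell
#!/bin/sh
# Added example, not part of the course material: build a hardened
# /etc/fstab entry for an NFS import and audit the NFS mounts listed in
# /proc/mounts for the nosuid and nodev options. Host names, exports and the
# /proc/mounts sample below are constructed.

# nfs_fstab_line HOST:/EXPORT MOUNTPOINT [EXTRA_OPTS]
# Prints one /etc/fstab line. hard,bg: the mount is retried in the background
# instead of hanging the boot; nosuid,nodev: a tampered export cannot hand
# the client SUID binaries or device nodes. Pass noexec as EXTRA_OPTS for
# imports that hold data only.
nfs_fstab_line() {
    opts="hard,bg,nosuid,nodev"
    if [ -n "${3:-}" ]; then
        opts="$opts,$3"
    fi
    printf '%s %s nfs %s 0 0\n' "$1" "$2" "$opts"
}

# nfs_missing_opts OPTION_STRING
# Prints the hardening options absent from a comma-separated mount option
# string as found in /proc/mounts (space separated, nothing if none missing).
nfs_missing_opts() {
    missing=""
    for want in nosuid nodev; do
        case ",$1," in
            *",$want,"*) ;;
            *) missing="$missing${missing:+ }$want" ;;
        esac
    done
    printf '%s' "$missing"
}

# nfs_audit_mounts < /proc/mounts
# Each line has the form "device mountpoint fstype options dump pass". Only
# nfs and nfs4 entries are checked; prints one line per mount that lacks a
# hardening option and returns 1 if any mount was flagged.
nfs_audit_mounts() {
    flagged=0
    while read -r dev mnt fstype opts rest; do
        case $fstype in
            nfs|nfs4) ;;
            *) continue ;;
        esac
        missing=$(nfs_missing_opts "$opts")
        if [ -n "$missing" ]; then
            printf '%s (%s): missing %s\n' "$mnt" "$dev" "$missing"
            flagged=1
        fi
    done
    return $flagged
}

# Constructed /proc/mounts sample (not captured from a real system): the
# /import/sled11 mount follows the advice above, /home and /opt do not.
SAMPLE_MOUNTS='/dev/sda2 / ext3 rw,relatime 0 0
da1:/export /import/sled11 nfs rw,hard,nosuid,nodev,addr=172.17.8.101 0 0
da2:/home /home nfs rw,hard,bg,addr=172.17.8.102 0 0
da3:/opt /opt nfs4 rw,nodev,addr=172.17.8.103 0 0'

# Runs the audit over the sample; on a live client use
#   nfs_audit_mounts < /proc/mounts
nfs_audit_sample() {
    printf '%s\n' "$SAMPLE_MOUNTS" | nfs_audit_mounts
}
```

The audit deliberately reads /proc/mounts rather than /etc/fstab: what matters is the option set the kernel is actually enforcing, which also covers imports that were mounted by hand or by the automounter.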

Mount Home Directories Automatically


Sometimes statically mounting directories from an NFS server using an entry in
/etc/fstab is not flexible enough.
This could be the case when you want to offer users their usual environment no
matter from where they log in, but not all users have their home directories on a
single file server. In this case, you have to mount the home directory from the correct
server, depending on who logs in.
The solution is to mount directories when needed and to unmount them after some
time when they are not needed any longer. This is done by the /usr/sbin/automount
program that is contained in the autofs package.
The primary configuration of automount is contained in /etc/auto.master. It
lists mount points and files that contain the configuration for that mount point:
# Sample auto.master file
# This is an automounter map and it has the following format
# key [ -mount-options-separated-by-comma ] location
# For details of the format look at autofs(5).
#/misc  /etc/auto.misc  --timeout=60
#/smb   /etc/auto.smb
/misc   /etc/auto.misc
#/net   /etc/auto.net

The /etc/auto.misc file (contained in the autofs package) shows what can be
configured:
# This is an automounter map and it has the following format
# key [ -mount-options-separated-by-comma ] location
# Details may be found in the autofs(5) manpage
cd              -fstype=iso9660,ro,nosuid,nodev :/dev/cdrom

# the following entries are samples to pique your imagination
#linux          -ro,soft,intr                   ftp.example.org:/pub/linux
#boot           -fstype=ext2                    :/dev/hda1
#floppy         -fstype=auto                    :/dev/fd0
#floppy         -fstype=ext2                    :/dev/fd0
#e2floppy       -fstype=ext2                    :/dev/fd0
#jaz            -fstype=ext2                    :/dev/sdc1
#removable      -fstype=ext2                    :/dev/hdd

To start autofs, you need to enter in a terminal window as root the rcautofs
start command; rcautofs status lists the configured and the active mount
points, as in the following example:
da10:~ # rcautofs status
Checking for service autofs:                                running
Configured Mount Points:
------------------------
/usr/sbin/automount /misc file /etc/auto.misc
Active Mount Points:
--------------------
/usr/sbin/automount /misc file /etc/auto.misc

Using the above configuration, the automounter creates the /misc directory when it
is started. This directory will be empty at first, but if you enter ls /misc/cd, you
will see the content of the CDROM drive as it is automatically mounted:
da10:~ # ls /misc
da10:~ # ls /misc/cd
ARCHIVES.gz  content.key  COPYRIGHT.de
...
da10:~ # ls /misc
cd
da10:~ #

After some time (the default is five minutes), /misc/cd is unmounted
automatically and /misc appears to be empty again.
The automounter can be used for home directories as well. The corresponding
/etc/auto.home could look like this. As NFS is the default, it is not really
necessary to include it in this case:
tux     -fstype=nfs     da2:/home/tux
geeko   -fstype=nfs     da3:/home/geeko

When tux logs in now, his home directory on da2 is mounted from da2:/home/tux to
/home/tux on this machine. When geeko logs in, his home directory is mounted from
da3.
To avoid having to enter a line for every user, the automounter also supports
wildcards, as in the following example:
*       -fstype=nfs     da2:/home/&

When someone tries to access /home/whatever on the computer where the
automounter is running, the automounter will try to mount da2:/home/whatever to
/home/whatever (the & in the location is replaced by the key that was looked up).
Using the automounter is very useful when you use it in combination with a centralized
user management such as NIS or LDAP.
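As an added example, not part of the course material, the following shell script resolves a key against an indirect map the way the text describes: an exact entry wins over the * wildcard, & in the location is replaced by the key, a location that starts with a colon is a local device rather than a host:path, and fstype= selects the file system type while the remaining options go to mount -o. It prints the mount command automount would run for that key. The map contents are constructed, using the da2/da3 servers from the text and the cd entry of the auto.misc sample above, with nosuid,nodev added to the home map.

```shell
#!/bin/sh
# Added example, not part of the course material: resolve a key against an
# indirect automounter map (exact entry first, then the "*" wildcard with "&"
# replaced by the key) and print the mount command automount would run.
# Map contents below are constructed.

# Constructed /etc/auto.home: one explicit entry, a wildcard for everyone
# else. nosuid,nodev keep a tampered export from supplying SUID binaries or
# device nodes to the client (see the mount options in Objective 1).
AUTO_HOME='# key [ -mount-options-separated-by-comma ] location
geeko   -fstype=nfs,nosuid,nodev   da3:/home/geeko
*       -fstype=nfs,nosuid,nodev   da2:/home/&'

# The cd entry from the auto.misc sample above: a local device (leading
# colon, no host) rather than an NFS export.
AUTO_MISC='cd      -fstype=iso9660,ro,nosuid,nodev   :/dev/cdrom'

# autofs_mount_cmd KEY MOUNTBASE MAPTEXT
# Prints "mount -t FSTYPE [-o OPTS] LOCATION MOUNTBASE/KEY"; returns 1 when
# neither an exact entry nor a wildcard matches (automount reports ENOENT).
autofs_mount_cmd() {
    printf '%s\n' "$3" | awk -v key="$1" -v base="$2" '
        /^[ \t]*#/ { next }                     # comment line
        /^[ \t]*$/ { next }                     # blank line
        {
            k = $1; opts = ""; loc = $2
            if (loc ~ /^-/) { opts = substr(loc, 2); loc = $3 }
            if (k == key && exact == "") { exact = opts SUBSEP loc }
            if (k == "*"  && wild  == "") { wild  = opts SUBSEP loc }
        }
        END {
            entry = (exact != "") ? exact : wild
            if (entry == "") { exit 1 }
            split(entry, e, SUBSEP); opts = e[1]; loc = e[2]
            # "&" in the location stands for the key that was looked up
            n = split(loc, part, "&"); loc = part[1]
            for (i = 2; i <= n; i++) { loc = loc key part[i] }
            sub(/^:/, "", loc)                  # ":/dev/x" is a local device
            # fstype= selects the file system type; the rest go to -o
            fstype = "nfs"; rest = ""
            m = split(opts, o, ",")
            for (i = 1; i <= m; i++) {
                if (o[i] ~ /^fstype=/) {
                    fstype = substr(o[i], 8)
                } else if (o[i] != "") {
                    rest = rest (rest == "" ? "" : ",") o[i]
                }
            }
            cmd = "mount -t " fstype
            if (rest != "") { cmd = cmd " -o " rest }
            print cmd " " loc " " base "/" key
        }'
}
```

Running autofs_mount_cmd tux /home "$AUTO_HOME" prints mount -t nfs -o nosuid,nodev da2:/home/tux /home/tux, which is exactly what the wildcard line expands to; a key that matches neither an entry nor a wildcard yields no command and a non-zero status, matching the automounter's behaviour of leaving the directory absent.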


Exercise 7-1

Import Network File System (NFS)


In this exercise, create a /import/sled11 directory and use it as mount point to
import the /export/ directory from DA1 using NFS. Create an /etc/fstab
entry to mount the directory automatically at boot time.
You can use the command line interface or YaST to do this. The following step-by-step description uses YaST.
You can find this exercise in the workbook.
(End of Exercise)


Objective 2

Authentication to LDAP
OpenLDAP is the most popular open source LDAP (Lightweight Directory Access
Protocol) suite. It provides not only the LDAP server itself but also applications and
tools to control and query the server and to develop LDAP-based software.
This objective covers the LDAP client configuration used to integrate SLED 11 into
an existing LDAP infrastructure for user authentication.
OpenLDAP authentication is frequently combined with NFS (Network File System)
for file access.
The following is described:

LDAP Basics on page 242

YaST LDAP Client Module on page 245

OpenLDAP and Automounter on page 247

Integrate a SLED 11 into an LDAP Environment on page 249

LDAP Basics
A directory is a specialized database that is optimized for reading, browsing, and
searching. Directories contain descriptive, attribute-based information and
support sophisticated filtering. Directories can be used for many different purposes.
Very often they are used as databases for user authentication.
Directory services are tuned to give quick response to high-volume lookup or search
operations. They can replicate information widely in order to increase availability
and reliability, while reducing response time.
There are many different ways to provide a directory service. Different methods
allow different kinds of information to be stored in the directory; place different
requirements on how that information can be referenced, queried, and updated; and
determine how the information is protected from unauthorized access.
Some directory services are local, providing service to a restricted context (such as
the finger service on a single machine). Other services are global, providing service
to a much broader context (such as the entire Internet).
LDAP, a commonly used directory service, stores information in objects that are
associated with object classes. The classes determine which attributes an object
can or must have. By including schemas, you can access pre-defined object
classes.
Frequently used object classes include the following:

alias

country

locality

organization

organizationalUnit

organizationalRole

person

Each object is a collection of attributes that has a globally unique distinguished
name (DN). The DN is used to refer to the entry. Each of the entry's attributes has a
type and one or more values.
The attributes are typically mnemonic strings, such as cn for common names, or
mail for email addresses. The syntax of values depends on the attribute type.
For example, a cn attribute might contain the value Geeko Novell. A mail attribute
might contain the value geeko@digitalairlines.com. A jpegPhoto attribute might
contain a photograph in the JPEG (binary) format.
Some attributes of these classes include the following:

dn. (distinguished name). Unique name for the object.

objectClass. Class the object belongs to.

cn. (common name). Name (for example, username).

sn. (surname).

o. (organization name). Name of an organization (for example, company name).

ou. (organizational unit). Name of an organizational unit (for example, name of a
department).

description. Description of the object.

Object classes that LDAP uses for user authentication include the following:

posixAccount

shadowAccount

posixGroup

Some of the attributes that are used in these classes include the following:

uid. Login of the user.

uidNumber. Numerical user ID.

cn. Group name (the cn of a posixGroup object).

gidNumber. Numerical group ID.

homeDirectory. Path of the home directory.

loginShell. Path of the login shell.

shadowLastChange. Date of the last password change (in days since January 1, 1970).


In LDAP, objects are arranged in a hierarchical tree structure. You can distinguish
between two kinds of objects:

Container objects. Container objects are objects that can have subordinate
objects. Five classes of container objects are used:

Root

c (country)

o (organization)

ou (organizational unit)

dc (domain component)

Leaf objects. Leaf objects cannot have any subordinate objects. They are the end
of a tree branch. For example:

cn (common name)

uid (user ID)

If you use LDAP for user management, the structure (DIT, Directory Information
Tree) normally reflects one of the following:

The organizational structure of the company or organization

Figure 7-4

Organizational Structure

The country, organization, organizational unit, and leaf objects (such as users)
are under the root of the tree.

The domain system

Figure 7-5

Domain System

The domain components like com, digitalairlines, and then organizational unit
and leaf objects (such as users) are under the root of the tree.
An object of the tree is referenced by its DN that is constructed by taking the name of
the entry itself (called the relative distinguished name or RDN) and concatenating the
names of its ancestor objects.
For example, the entry for Geeko Chameleon in the preceding example has a DN of
cn=geeko,ou=slc,dc=digitalairlines,dc=com.

YaST LDAP Client Module


YaST makes integrating clients into an existing LDAP structure very easy. Start YaST
and select Network Services > LDAP Client. The following dialog appears:


Figure 7-6

YaST LDAP Client Module

In this dialog, activate the use of LDAP and enter information on which server to
contact and the base DN (distinguished name) to use. Because a simple LDAP bind
transmits the password in clear text, the communication between client and server
needs to be protected using TLS/SSL, and the client needs the certificate of the CA
that issued the server certificate so that it can verify that it is talking to the right
server. You should not use an LDAP server for authentication without TLS/SSL.
You can select Start Automounter to activate the autofs daemon that is used to
automatically mount home directories for users logging in on this computer.
Checking this option adds ldap to the automount line in /etc/nsswitch.conf;
the configuration of the automounter itself has to exist already,
either in the /etc/auto.master and /etc/auto.home files (see Mount
Home Directories Automatically on page 239) or within the LDAP directory (see
OpenLDAP and Automounter on page 247).
Select Create Home Directory on Login when the home directories are not provided
by a central file server.
When you click OK, the configuration changes are written to several files on the
system, including /etc/security/pam_unix2.conf, /etc/ldap.conf,
/etc/nsswitch.conf, and /etc/passwd.
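To make the TLS requirement something you can check rather than remember, the following shell script is an added example, not part of the course material. It reads the pam_ldap/nss_ldap style /etc/ldap.conf that the YaST LDAP Client module writes and flags a configuration in which the bind would leave the host in clear text (no ssl start_tls, no LDAPS) or in which the server certificate is not verified (no tls_checkpeer yes), since an unverified STARTTLS session can be terminated by anyone on the path. Both configurations it checks are constructed samples; the directive names ssl, tls_checkpeer and tls_cacertfile are the ones that file uses, the CA file path is an assumed example.

```shell
#!/bin/sh
# Added example, not part of the course material: audit the client-side
# /etc/ldap.conf (pam_ldap/nss_ldap, as written by the YaST LDAP Client
# module) for the settings that decide whether the bind password is sent
# in clear text. Both configurations below are constructed samples.

# Weak: reachable server, but "ssl no" means simple binds use plain ldap://
# and every user's password crosses the network unencrypted.
LDAP_CONF_WEAK='host 172.17.8.101
base dc=digitalairlines,dc=com
ssl no
pam_password exop'

# Hardened: STARTTLS on the ldap port plus verification of the server
# certificate against the issuing CA (the certificate path is an assumed
# example).
LDAP_CONF_TLS='host 172.17.8.101
base dc=digitalairlines,dc=com
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/ssl/certs/da1-ca.pem
pam_password exop'

# ldap_conf_tls_status CONFTEXT
# Prints "ok" and returns 0, or prints one finding per line and returns 1.
ldap_conf_tls_status() {
    ssl="" checkpeer="" uri=""
    nl='
'
    # Read directive/value pairs with comments removed; keys are
    # case-insensitive in ldap.conf, so fold them to lower case.
    while read -r key value; do
        key=$(printf '%s' "$key" | tr '[:upper:]' '[:lower:]')
        case $key in
            ssl)           ssl=$value ;;
            tls_checkpeer) checkpeer=$value ;;
            uri)           uri=$value ;;
        esac
    done <<EOF
$(printf '%s\n' "$1" | sed 's/#.*//')
EOF

    findings=""
    # Encryption: either STARTTLS ("ssl start_tls"), LDAPS ("ssl on") or an
    # ldaps:// URI. Anything else sends the simple bind in the clear.
    case $ssl in
        start_tls|on) ;;
        *) case $uri in
               ldaps://*) ;;
               *) findings="ssl is '${ssl:-unset}': simple binds go over clear-text ldap://, set 'ssl start_tls'" ;;
           esac ;;
    esac
    # Verification: without tls_checkpeer the client accepts any certificate,
    # so a man-in-the-middle can terminate TLS itself and read the password.
    if [ "$checkpeer" != yes ]; then
        findings="$findings${findings:+$nl}tls_checkpeer is '${checkpeer:-unset}': server certificate not verified, set 'tls_checkpeer yes' and tls_cacertfile"
    fi

    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    echo ok
}

# On a live client: ldap_conf_tls_status "$(cat /etc/ldap.conf)"
```

Note that the two checks are independent: a file with ssl start_tls but no tls_checkpeer yes is still flagged, because encryption without server verification only protects against passive eavesdropping.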


OpenLDAP and Automounter


The automounter usually reads its information from the /etc/auto.master file
and the files referenced within that file. However, using files on clients is
cumbersome when changes affecting many clients need to be made because the files
on all clients have to be modified.
If the information is kept within the LDAP directory, the information must be
updated in only one place. The clients get the new information the next time they
connect to the directory (for example, when a user logs onto a desktop).
When selecting Start Automounter in the YaST LDAP Client dialog (Figure 7-6 on
page 246), the /etc/nsswitch.conf file is changed so that the line beginning
with automount looks like the following:
...
automount: files nis ldap
...

This means that automount information is searched for in the following sequence:
files (/etc/auto.*) are checked for the autofs configuration first; NIS is checked
next, and then LDAP is checked. To avoid possible confusion, you should remove
any /etc/auto.* files, because they might conflict with the configuration stored
in the LDAP directory.
The automounter queries the LDAP directory for automount information. The needed
schema files are already included in the OpenLDAP server package used on SUSE
Linux Enterprise 11. The automount information is included in the /etc/
openldap/schema/rfc2307bis.schema file on SUSE Linux Enterprise 11.
The information that is otherwise available in the /etc/auto.* files now has to
exist within the LDAP directory. In the following sample LDIF file, a Services
organizational unit is created that holds the information needed by the automounter:
# Organizational Unit Services
dn: ou=Services,dc=digitalairlines,dc=com
objectClass: top
objectClass: organizationalUnit
ou: Services

Then the entries for auto.master and auto.home can be created using the following
LDIF files (the entries are separated by blank lines, as LDIF requires):
# auto.master
dn: nisMapName=auto.master,ou=Services,dc=digitalairlines,dc=com
objectclass: top
objectclass: nisMap
nismapname: auto.master

dn: cn=/home,nisMapName=auto.master,ou=Services,dc=digitalairlines,dc=com
nismapname: auto.master
objectclass: top
objectclass: nisObject
nismapentry: ldap:172.17.8.101:nismapname=auto.home,ou=Services,dc=digitalairlines,dc=com
cn: /home

# auto.home
dn: nisMapName=auto.home,ou=Services,dc=digitalairlines,dc=com
objectclass: top
objectclass: nisMap
nismapname: auto.home

dn: cn=/,nisMapName=auto.home,ou=Services,dc=digitalairlines,dc=com
objectclass: nisObject
cn: /
nismapentry: 172.17.8.101:/home/&
nismapname: auto.home

Assuming the above LDIF information is contained in the /root/automount.ldif file,
it can be added to the LDAP directory with the following command:
da4:~ # ldapadd -x -D "cn=Administrator,dc=digitalairlines,dc=com" -W -f /root/automount.ldif -c

After you enter the password of the LDAP administrator (the bind DN given with
-D), the information is added to the directory. Because -x performs a simple bind,
add -ZZ to the command (or bind to an ldaps:// URI with -H) so that the
administrator password is not transmitted in clear text; -c makes ldapadd continue
with the next entry if one of them is rejected.


Exercise 7-2

Integrate a SLED 11 into an LDAP Environment


In this exercise, you integrate your SLED 11 into an LDAP environment for
authentication and activate the automounter.
You can find this exercise in the workbook.
(End of Exercise)


Objective 3

Printing to CUPS Printers


The default printing system for SLED 11 is CUPS (Common UNIX Printing System).
CUPS is based on the Internet Printing Protocol (IPP). This protocol is supported by
most printer manufacturers and operating systems. IPP is a standardized printer
protocol that enables authentication and access control.
In this objective, you learn how to configure printing on the local machine, using
either a locally connected printer or a printer available on the local network.

Configure CUPS on page 250

Manage Print Jobs and Queues on page 268

Understand How CUPS Works on page 275

Configure CUPS
YaST provides printer installation and configuration functionality. To configure a
printer, you need to know the following:

When to Configure a Printer on page 250

Required Printing Software on page 252

Add a Printer with YaST on page 253

Add a Printer from the Command Line on page 266

When to Configure a Printer

You can configure your printer at the following times:

During installation. If you are at the Hardware Configuration dialog during
installation (see the following figure) and your automatic detection is not correct,
select the Printer link or use the Change drop-down list.


Figure 7-7

Configure Printers During the Installation

NOTE: Note that during installation, only locally connected printers are detected
automatically and listed under Printer.

However, after selecting Printer, the complete YaST printer configuration
options are at your disposal to configure local and remote printers or to configure
CUPS:


Figure 7-8

Printer Configuration Options

After installation. You can change your printer configuration settings from the
YaST Control Center by selecting Hardware > Printer.
You can also start the YaST printer configuration module directly from a terminal
window with the yast2 printer command.

Required Printing Software

The following packages are needed to set up a print server:

Table 7-1

CUPS Packages

Package        Content
cups           Provides the cupsd printer daemon.
cups-client    Provides the command-line printing tools.
cups-libs      Should always be installed, because a number of programs (such as
               Samba) are linked against the CUPS libraries.
cups-drivers   Provides the PPD files for print queues.

These files are installed automatically if YaST is used for printer configuration.
YaST also creates the symbolic links in runlevel directories to ensure that the CUPS
daemon is started automatically when booting.


Other packages required by the printing system, such as ghostscript-library, are
automatically selected during a standard installation.
Add a Printer with YaST

The Printer Configuration dialog used to configure your printer is the same during
and after installation. You can access the dialog either by selecting YaST >
Hardware > Printer or by entering in a terminal window as root yast2 printer.
The following dialog appears:
Figure 7-9

Printer Configuration Dialog

In the left part of the dialog, you can select different aspects of the printer
configuration. The right part of the dialog shows the configuration options available
for your selection.
The left part offers the following selections:

Printer Configurations on page 254

Print via Network on page 260

Share Printers on page 263


Policies on page 264

Autoconfig Settings on page 265

Printer Configurations

The Printer Configurations dialog gives you an overview over the configured printers
and allows you to add, edit, or delete existing print queues.
To add a printer that does not show up in the Printer Configuration dialog, select
Add. The following appears:
Figure 7-10

Add New Printer Configuration Dialog

NOTE: If you want to change the suggested name of the new print queue, you have to do it at this
point in the Set Name box.

When you click More Connections, the local connections are scanned again and any
newly detected printers are added to the page. Click OK to add them to the list of
configured printers.


Figure 7-11

List of Configured Printers

You can add the same printer more than once. This might be useful if you want to
have queues for the same printer with different settings. Select the new entry and
click Edit to change the settings for this queue. Should you have no use for the new
entry, select it and click Delete.
A click on Connection Wizard in the Add New Printer Configuration dialog opens
the following dialog:


Figure 7-12

Connection Wizard

Selecting an item on the left opens a dialog on the right where you can enter the
specific parameters for your choice.
Selecting an item under Directly Connected Device on the left and then clicking OK
leads to the Add New Printer Configuration Dialog (see Figure 7-10 on page 254).
The dialogs that belong to the items under Directly Connected Device look very
similar to each other.


Figure 7-13 Connection at Parallel Port

Depending on what type of network printer you select on the left, the dialog on the
right lists the parameters needed to access that type of printer. The following shows
the dialog for the TCP port Connection Settings.


Figure 7-14 IP Address and TCP Port

Enter the IP address of the printer and its manufacturer. To test the connection, you
can click the Test Connection button. Click OK to continue.
You are returned to the Add New Printer Configuration dialog, but when configuring
a network printer, you have to manually select a driver from the list of available
drivers, as shown in the following:
Select the driver for your printer and click OK. You are returned to the initial Printer
Configuration dialog with your new printer listed.
To access a printer that is connected to a print server, in the Connection Wizard
dialog, select the type of print server your printer is connected to.
The dialog on the right allows you to enter the configuration values needed to access
the printer. The following shows the dialog to access a CUPS server with some values
already entered manually:


Figure 7-15 Access a CUPS Server

A click on OK returns you to the Add New Printer Configuration dialog where you
can select a driver and change the queue name. Clicking OK once more returns you
to the Printer Configuration dialog with the new printer listed as a local printer.
CUPS supports the IPP, LPD, SMB, IPX, and socket protocols. After selecting the
entry Specify Arbitrary Device URI, you can enter the device URI (Universal
Resource Identifier) to access printers using these protocols (see Add a Printer from
the Command Line on page 266).

SMB (Standard Message Block). CUPS supports printing from printers
connected to Windows shares. The protocol used for this purpose is SMB.
SMB uses port numbers 137, 138, and 139.
Device URI examples are the following:
smb://user:password@workgroup/server/printer
smb://user:password@host/printer
smb://server/printer

LPD (Line Printer Daemon). The LPD protocol is described in RFC 1179
(Requests For Comments (http://www.ietf.org/rfc.html)).
Because some job-related data, such as the printer queue, is sent before the actual
print data, a printer queue must be specified when configuring the LPD protocol
for data transmission.
The implementations of most printer manufacturers are flexible enough to accept
any name as the printer queue. The printer manual might indicate which name to
use (such as LPT, LPT1, or LP1).


An LPD queue can also be configured on a different Linux or UNIX host in a
network that uses the CUPS system. The port number for an LPD service is 515.
Device URI example: lpd://host-printer/LPT1

IPP (Internet Printing Protocol). IPP is a relatively new protocol (since 1999)
that is based on the HTTP protocol. Compared to other protocols, you will find it
possible to transmit much more job-related data.
CUPS uses IPP for the internal data transmission. This is the preferred protocol
for a forwarding queue between CUPS servers.
The port number for IPP is 631.
Device URI example: ipp://cupsserver/printers/printqueue.

IPX. This protocol is used to print via a Novell NetWare Server.

socket. This protocol is used to connect to a printer equipped with a network
port, such as HP's JetDirect technology. The socket port numbers that are commonly
used include 9100 or 35.
Device URI example: socket://host-printer:9100/
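The following added example (not from the Novell manual) checks device URIs of the kinds listed above before they are handed to lpadmin -v or YaST: it applies the port numbers stated on this page for the network backends and flags the smb://user:password@ form, because whatever is entered there is stored as-is in /etc/cups/printers.conf. All sample URIs are constructed, and the redaction helper is this example's own.

```python
from urllib.parse import urlsplit

# TCP ports the manual gives for the network backends; smb is handed to the
# smb backend with a share path and has no single port in this table.
DEFAULT_PORTS = {"lpd": 515, "ipp": 631, "socket": 9100}
NETWORK_SCHEMES = ("smb", "lpd", "ipp", "socket")
LOCAL_SCHEMES = ("parallel", "usb")


def check_device_uri(uri):
    """Classify a device URI and collect findings worth acting on before
    the URI ends up in /etc/cups/printers.conf (this check is the
    example's own; CUPS itself does not validate URIs this way)."""
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    result = {"uri": uri, "scheme": scheme, "ok": True,
              "credentials_in_uri": False, "findings": []}

    def fail(msg):
        result["ok"] = False
        result["findings"].append(msg)

    if scheme in LOCAL_SCHEMES:
        # parallel:/dev/lp0 style: only a device path is needed
        if not parts.path:
            fail("local device URI needs a device path such as /dev/lp0")
        return result
    if scheme not in NETWORK_SCHEMES:
        fail("unknown scheme %r" % scheme)
        return result

    # Network backends: a host is mandatory, the port defaults per backend
    if not parts.hostname:
        fail("missing host")
        return result
    result["host"] = parts.hostname
    try:
        port = parts.port  # raises ValueError for a non-numeric port
    except ValueError:
        fail("port is not numeric")
        return result
    if scheme in DEFAULT_PORTS:
        result["port"] = port if port is not None else DEFAULT_PORTS[scheme]

    remote = parts.path.strip("/")
    if scheme == "lpd" and not remote:
        # LPD sends the queue name ahead of the data, so it cannot be omitted
        fail("lpd URI needs a remote queue name such as /LPT1")
    if scheme == "smb" and not remote:
        fail("smb URI needs the printer share, e.g. smb://server/printer")
    if parts.username is not None or parts.password is not None:
        # smb://user:password@... is accepted, but the credential is then
        # kept in clear text in the printers.conf DeviceURI line
        result["credentials_in_uri"] = True
        result["findings"].append(
            "credentials embedded in URI; they are stored in clear text "
            "in /etc/cups/printers.conf")
    return result


def redact_credentials(uri):
    """Return the URI with any user:password@ part removed, for log lines."""
    parts = urlsplit(uri)
    if parts.username is None and parts.password is None:
        return uri
    netloc = parts.hostname or ""
    if parts.port is not None:
        netloc += ":%d" % parts.port
    return "%s://%s%s" % (parts.scheme, netloc, parts.path)


if __name__ == "__main__":
    # Constructed sample URIs, taken from the forms shown on this page
    for sample in ("smb://user:password@workgroup/server/printer",
                   "lpd://host-printer/LPT1", "ipp://cupsserver/printers/printqueue",
                   "socket://host-printer:9100/", "parallel:/dev/lp0"):
        print(redact_credentials(sample), check_device_uri(sample)["findings"])
```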

Print via Network

The entry Print via Network in the main Printer Configurations window allows you
to connect to other CUPS servers in the network.


Figure 7-16 Print Via Network

CUPS servers can announce the available printers using a mechanism called
browsing. The CUPS server that has printers connected sends out broadcast packets
at regular intervals publishing the available printers. A local CUPS server makes
these printers available to the local users.


Figure 7-17 CUPS Browsing

If this function is enabled, the server broadcasts the printer information every 30
seconds. This printer information typically uses only 80 bytes per printer; therefore,
you can add a large number of servers and printers.
The box Use CUPS to Print Via Network has the following options:

Do not Receive Printer Information from Remote CUPS Servers. When this
option is selected, printers that are published by other CUPS servers using the
browsing mechanism are not made available locally.
Any printers you want to use have to be set up as described in Printer
Configurations on page 254.

Receive Printer Information from Remote CUPS Servers. When this option is
selected, the local CUPS server uses the browsing information broadcast
within the network to make printers available locally. Using the drop-down menu
under Accept Information from the Following Servers, you can limit the
servers from which browsing information is accepted.
This option is probably the most convenient, as any printers that other CUPS
servers advertise using the broadcast mechanism are available automatically.


Do All Your Printing Directly Via One Remote CUPS Server. When this
option is selected, no local CUPS server is running. All print jobs are sent to the
single print server you enter in the Hostname/IP Address field.


The server name is written to the /etc/cups/client.conf file.
This choice is only useful when all printing is done via exactly one remote CUPS
server.
Clicking the Connection Wizard button opens the same dialog as described in
Printer Configurations on page 254.
Share Printers

The entry Share Printers in the main Printer Configurations window allows you to
determine how the CUPS server can be accessed from the network and whether or not
it advertises its available printers to the clients using browsing.
Figure 7-18 Share Printers


Two main options are available:

Deny Remote Access. When this option is selected, the CUPS server binds only
to localhost (127.0.0.1) and is not accessible from any attached network.

Allow Remote Access. Here you can decide if you only want to allow remote
access, or if you additionally want to turn on browsing.

For computers within the local network. Selecting this option (and no
other) allows access on all local interfaces (eth0, eth1, ...) but does not turn
on browsing.
Publish printers by default in the local network. This includes the
previous choice but turns on browsing on all local interfaces as well.
Via network interfaces specified below. Instead of allowing access with or
without browsing on all local interfaces as above, you can make this choice
separately for each interface by selecting Add.

Select the interface and check Publish printers by default via the interface
below if you want to activate browsing on this interface. Then select OK.

For Experts. Here you can define more specific limitations based on IP
addresses or networks for access and browsing.

The settings are written to the /etc/cups/cupsd.conf file.


NOTE: The configuration of single printers is stored in /etc/cups/printers.

Policies

The Policies page allows you to set the following:


Operation Policies. These are the rules used for each operation in CUPS.

Error Policies. These are the policies used when CUPS fails to send a print job
to the printer device.


Figure 7-19 CUPS Policies

Three error policies are available:

Stop the printer and keep the job for future printing

Re-send the job from the beginning after waiting some time

Abort and delete the job and proceed with the next job

Three operation policies are available:

Default

Easy

Paranoid

Autoconfig Settings

The settings you make on this page determine how CUPS deals with printers when
they are connected to a USB port.


Figure 7-20 Autoconfig Settings

Add a Printer from the Command Line

Besides using YaST, you can also configure CUPS with command line tools. After
collecting the information you need (such as the PPD (PostScript Printer Description)
file and the name of the device), use the lpadmin command to add a printer:
lpadmin -p queue -v device-URI -P PPD-file -E

The -p option specifies the print queue name of the printer, the -v option sets the
device URI attribute of the printer queue, and the -P option is used to specify the
PPD file.
Do not use -E as the first option. For all CUPS commands, -E as the first argument
implies the use of an encrypted connection, and -E at the end enables the printer to
accept print jobs.
For example, to enable a parallel printer, enter a command similar to the following
(on one line):
lpadmin -p ps -v parallel:/dev/lp0 -P
/usr/share/cups/model/Postscript.ppd.gz -E

To enable a network printer, enter a command similar to the following (on one line):


lpadmin -p ps -v socket://10.0.0.200:9100/ -P /usr/share/cups/model/Postscript-level1.ppd.gz -E


Exercise 7-3

Change Your Printer Configuration


In this exercise, you will add a local printer and print to a remote queue. For the
purpose of this exercise, it is not necessary for a printer to be connected to your
computer.
The exercise has two tasks.
In the first task, use YaST to add a printer to your printer configuration. Configure a
parallel printer model HP Laserjet 4 with hplj4 as the name of the print queue.
Configure the printer to use Letter as the default paper size.
In the second task, configure a queue on the host DA-SLED called colorlaserjet.
Access this queue from your DA-HOST.
(End of Exercise)

Manage Print Jobs and Queues


CUPS comes with several command line tools to start, stop, and modify print queues.
The command line tools for the CUPS printing system and their man pages are
included in the package cups-client.
The manual pages are also accessible using the CUPS web interface at
http://localhost:631/help/?TOPIC=Man+Pages. For an overview of the
available documentation, visit http://localhost:631/help/.
The CUPS tools allow you to use commands according to two different styles or
conventions. These are called the following:

Berkeley style (Berkeley style commands are identical to those used with the
LPRng printing system)

System V style

Compared with Berkeley style, System V provides a somewhat more extensive range
of features for printer administration.
To manage printer queues, you need to know how to do the following:


Generate a Print Job on page 269

Display Information on Print Jobs on page 270

Cancel Print Job on page 271

Manage Queues on page 271

Configure Queues on page 272

Start and Stop CUPS on page 274


Generate a Print Job

Use the following commands to generate a print job:

Berkeley: lpr -P queue file

System V: lp -d queue file

For example
geeko@da10:~ # lpr -P color chart.ps

or
geeko@da10:~ # lp -d color chart.ps

With these commands, the file chart.ps is submitted to the color queue.
If no queue is specified, the job is printed to the default queue.
The -o parameter needs to be used whenever any additional print options are
specified.
geeko@da10:~ # lpr -P lp -o duplex=none order.ps

or
geeko@da10:~ # lp -d lp -o duplex=none order.ps

This submits the order.ps file to the lp queue and also disables duplex printing for
the corresponding device (duplex=none). To view possible options, enter
lpoptions -l -d queue (see Configure Queues on page 272).
You have to give the command in a slightly different form to print through a remote
queue.

Berkeley: lpr -P queue@server file

System V: lp -d queue -h server file

For example
geeko@da10:~ # lpr -P lp -H da10.digitalairlines.com /etc/motd

or
geeko@da10:~ # lp -d lp -h da10.digitalairlines.com /etc/motd

This submits the /etc/motd file to the lp queue located on the print server
da10.digitalairlines.com.
NOTE: For more information on these command line tools, enter man lpr and man lp.


Display Information on Print Jobs

Use the following commands to display print job information:

Berkeley: lpq -P queue

System V: lpstat -o queue -p printer

To display active print jobs of the default queue, use the lpq command as shown in
the following:
geeko@da10:~ # lpq
draft is ready and printing
Rank    Owner   Job     File(s)                         Total Size
active  root    14      fstab                           1024 bytes

To list the same information in a slightly different format, use lpq -l.
To display the print jobs of another queue, enter the -P queue as shown in the
following:
geeko@da10:~ # lpq -P printer
printer is ready
no entries

To display the active print jobs of all available queues, enter lpq -a as shown in the
following:
geeko@da10:~ # lpq -a
no entries

To refresh the output at a fixed interval, enter
lpq -P queue +seconds
The following shows the output of lpstat -o queue -p queue:
da10:~ # lpstat -o draft -p draft
draft-6                 root              1024   Wed Feb  4 16:06:53 2009
printer draft now printing draft-0.  enabled since Wed Feb  4 16:06:53 2009
        Connected to host, sending print job...

The lpstat -a command shows information on the accepting state.
geeko@da10:~ # lpstat -a
draft accepting requests since Tue Feb 3 14:11:08 2009
ps accepting requests since Wed Feb 4 16:19:43 2009
geeko@da10:~ #
NOTE: For more information on these commands, enter man lpq and man lpstat.


Cancel Print Job

Use the following commands to cancel a print job:

Berkeley: lprm -P queue jobnumber

System V: cancel [-h server] queue-jobnumber

NOTE: For more information on these commands, enter man lprm and man cancel.

Manage Queues

In addition to controlling single jobs in a queue, you can also control the queue as
such:

Disable printing on a queue while jobs can still be sent to it by entering
cupsdisable destination.
Queues that are disabled still accept jobs for printing but won't actually print any
files until they are enabled again.
Disabling a print queue is useful if a printer malfunctions, and you need time to
fix the problem.

Start printing again on a queue that is disabled by entering cupsenable
destination.
If there are any queued print jobs, they are printed after the printer is enabled.

Stop accepting print jobs on a queue by entering /usr/sbin/reject
destination.
With the /usr/sbin/reject command, the printer finishes the print jobs in
the queue but rejects any new print jobs.
This command is useful for times when you need to perform maintenance on a
printer, and the printer will not be available for a significant period of time.
NOTE: lpstat -a shows information on the accepting state of the queues.

Accept print jobs again on a queue that rejected them by entering /usr/sbin/
accept destination.
By using this command, you can reset the print queue to begin accepting new
print jobs.
NOTE: If the queue is also disabled, actual printing starts only after enabling the queue again.


Configure Queues

Printer-specific options that affect the physical aspects of the output are stored in the
PPD (PostScript Printer Description) file for each queue in the following directory:
/etc/cups/ppd/
PPD is the computer language that describes the properties (such as resolution) and
options (such as duplex unit) of PostScript printers. These descriptions are necessary
to use the various printer options in CUPS.
During the installation of SUSE Linux Enterprise 11, a lot of PPD files are
preinstalled. In this way, even printers that do not have built-in PostScript support can
be used.
If a PostScript printer is configured, the best approach is to get a suitable PPD file and
store it in the /usr/share/cups/model/ directory. You can then select the PPD
file during the installation. If the model does not show up, select Add Driver in the
Add New Printer Configuration dialog (Figure 7-10 on page 254) and follow the
simple steps to add the PPD file to the database.
Users can see the current settings of a local queue by entering
lpoptions -p queue -l
NOTE: The sequence of options is important. If you specify -l first, the settings of the default
queue are listed, no matter what you specify after -p.

The output of this command has the following structure:
option/string: value value value ...
The following is an example:
da10:~ # lpoptions -l
HalftoningAlgorithm/Halftoning Algorithm: Accurate *Standard WTS
REt/REt Setting: Dark Light *Medium Off
TonerDensity/Toner Density: 1 2 *3 4 5
Duplex/Double-Sided Printing: *DuplexNoTumble DuplexTumble None
Manualfeed/Manual Feed of Paper: Off On
InputSlot/Media Source: *Default Tray1 Tray2 Tray3 Tray4 Envelope Manual Auto
Copies/Number of Copies: *1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 ...
PageSize/Page Size: *A4 Letter 11x17 A3 A5 B5 Env10 EnvC5 EnvDL EnvISOB5 EnvMonarch Executive Legal
PageRegion/PageRegion: A4 Letter 11x17 A3 A5 B5 Env10 EnvC5 EnvDL EnvISOB5 EnvMonarch Executive Legal
Resolution/Resolution: 75x75dpi *150x150dpi 300x300dpi 600x600dpi
Economode/Toner Saving: *Off On
LowToner/Behaviour when Toner Low: *Continue Stop


The * symbol in front of a value indicates the currently active setting. The
significance of some of these options is as follows:

REt/REt Setting. (Resolution Enhancement) Three modes to improve the
quality of dark, light, and medium print jobs are available.
Generally the difference in print quality is small.

TonerDensity/Toner Density. This option specifies the quantity of toner
(1=little, 5=much).

Duplex/Double-Sided Printing. This option disables or enables double-sided
printing, assuming that your printer supports duplex printing.

InputSlot/Media Source. This option allows you to select the tray for your print
job if your printer has different paper trays.

Copies/Number of Copies. This option specifies the number of copies printed.

PageSize/Page Size. This option specifies the physical size of the paper in the
selected paper tray.

PageRegion/PageRegion. This option is normally equal to the page size.
This option is read by the PostScript interpreter.

Resolution/Resolution. This option specifies the resolution used for the print
queue.

Economode/Toner Saving. This option is used to enable economode to save
toner, but the quality of prints degrades.

LowToner/Behaviour when Toner Low. This option defines if the printer
continues or stops printing when the toner gets low.

To change any of the options for a local queue, enter a command with the following
syntax:
lpoptions -p queue -o option=value
The following command changes the page size of the lp queue to Letter:
da10:~ # lpoptions -p lp -o PageSize=Letter

However, the range of users affected by the new settings varies, depending on which
user has actually changed the settings:

If a normal user (such as geeko) enters the previous command, the changes only
apply to that user and are stored in the ~/.lpoptions file (in the users home
directory).

If root enters the command, changes apply to all users on the corresponding host,
they are then used as default and stored in the /etc/cups/lpoptions file.
The PPD file of the queue, however, is not modified by this.

A way for root to change the defaults in the PPD file of any local queue exists. Such
changes would apply network wide to all users submitting print jobs to the
corresponding queue.
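As an added example (not part of the manual), the following resolves the effective value of a queue option in the order just described: the PPD default marked with * in lpoptions -l, then root's /etc/cups/lpoptions, then the user's ~/.lpoptions. The lpoptions -l sample is trimmed from the listing above; the two lpoptions files are constructed and their "Dest queue option=value" line format is assumed; the check that reports values the PPD does not offer is this example's own addition, not CUPS behaviour.

```python
import re

# Sample output of "lpoptions -l", trimmed from the listing on this page
# (constructed for this example).
LPOPTIONS_L = """\
Duplex/Double-Sided Printing: *DuplexNoTumble DuplexTumble None
PageSize/Page Size: *A4 Letter 11x17 A3 A5 B5 Env10 EnvC5 EnvDL EnvISOB5 EnvMonarch Executive Legal
Resolution/Resolution: 75x75dpi *150x150dpi 300x300dpi 600x600dpi
Economode/Toner Saving: *Off On
"""

# Assumed contents of /etc/cups/lpoptions (written by root after
# "lpoptions -p lp -o PageSize=Letter") and of ~/.lpoptions for user geeko.
# Both files are constructed; the "Dest queue option=value" format is assumed.
SYSTEM_LPOPTIONS = "Dest lp PageSize=Letter\n"
USER_LPOPTIONS = "Dest lp Duplex=None Resolution=1200x1200dpi\n"


def parse_lpoptions_l(text):
    """Parse 'Option/Description: a *b c' lines into
    {option: {"allowed": [a, b, c], "default": b}}; * marks the PPD default."""
    options = {}
    for line in text.splitlines():
        m = re.match(r"^(\w+)/[^:]*:\s*(.*)$", line)
        if not m:
            continue
        allowed, default = [], None
        for tok in m.group(2).split():
            if tok.startswith("*"):
                tok = tok[1:]
                default = tok
            allowed.append(tok)
        options[m.group(1)] = {"allowed": allowed, "default": default}
    return options


def parse_lpoptions_file(text, queue):
    """Collect option=value pairs for one queue from an lpoptions file."""
    overrides = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] in ("Dest", "Default") and fields[1] == queue:
            for pair in fields[2:]:
                if "=" in pair:
                    key, value = pair.split("=", 1)
                    overrides[key] = value
    return overrides


def effective_options(ppd_options, system_text, user_text, queue):
    """Resolve each option in the manual's order: PPD default, then
    /etc/cups/lpoptions (all users on the host), then ~/.lpoptions (one user).
    Values the PPD does not list are reported in 'rejected' and not applied
    (this validation is the example's own; CUPS passes options through)."""
    effective = {name: spec["default"] for name, spec in ppd_options.items()}
    rejected = []
    for source, text in (("system", system_text), ("user", user_text)):
        for key, value in parse_lpoptions_file(text, queue).items():
            spec = ppd_options.get(key)
            if spec is None or value not in spec["allowed"]:
                rejected.append((source, key, value))
                continue
            effective[key] = value
    return effective, rejected


if __name__ == "__main__":
    ppd = parse_lpoptions_l(LPOPTIONS_L)
    eff, rej = effective_options(ppd, SYSTEM_LPOPTIONS, USER_LPOPTIONS, "lp")
    for name in sorted(eff):
        print("%-12s %s" % (name, eff[name]))
    print("rejected:", rej)
```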


To achieve this, enter (as root)
lpadmin -p queue -o option=value
For example, to set the default page size for the lp queue, enter
da10:~ # lpadmin -p lp -o PageSize=Letter

CUPS provides collections of printers called printer classes. Jobs sent to a class are
forwarded to the first available printer in the class. You can also use the lpadmin
command to

Define classes of printers or queues.

Edit such classes (by adding a queue to a class or deleting a queue from a class).

Delete classes.

For example, to add a queue to a class, enter
lpadmin -p queue -c class
If the class does not exist yet, it will be automatically created.
To remove a queue from a class, enter
lpadmin -p queue -r class
If the class is empty (with no other queues left in it) as a result of such a command, it
will be automatically deleted.
To see which queues belong to which class on a given host, look at the /etc/
cups/classes.conf file.
NOTE: For more information on all the available options of lpadmin, enter
man lpadmin.

NOTE: You can also get information on the commands covered above in a browser using the URL
http://localhost:631/help/ and selecting Man Pages.

Start and Stop CUPS

As the root user, you can start or stop cupsd manually with the following commands:

/etc/init.d/cups start or rccups start

/etc/init.d/cups stop or rccups stop

If you make changes manually to the /etc/cups/cupsd.conf file, you need to
restart the daemon by entering /etc/init.d/cups restart or rccups
restart.


Understand How CUPS Works


To understand how CUPS works, you need to understand the following:

Steps of the Printing Process on page 275

Print Queues on page 276

Log Files on page 278

Steps of the Printing Process

The printing process involves the following steps:

1. A print job is submitted by a user or by a program.

2. The file destined for the printer is stored in a print queue, which creates two files
per print job in the following directory: /var/spool/cups/
One of the files contains the actual data to print. The other one contains
information about the print job; for example, it might contain the identity of the
user who created the print job and the printer to use.

3. The cupsd printer daemon acts as the print spooler. It is responsible for watching
all print queues and for starting the filters required to convert data into the
printer-specific format.

4. The conversion of print data is done in the following way:

a. The data type is determined using the entries in /etc/cups/mime.types

b. Data is subsequently converted into PostScript using the program specified
in /etc/cups/mime.convs

c. The pstops program (/usr/lib/cups/filter/pstops) is used to
determine the number of pages, which is written to /var/log/cups/
page_log after that

d. CUPS uses other filtering capabilities of pstops as needed, depending on the
options set for the print job.
For instance, the psselect option of pstops makes it possible to limit the
printout to a certain selection of pages, while the ps-n-up option of
pstops allows several pages to be printed on one sheet.

e. Cupsd will start the appropriate filter to convert data into the printer-specific
format if the selected printer is not a PostScript printer.
One of these filter programs is /usr/lib/cups/filter/
cupsomatic that, in turn, relies on ghostscript for conversion.
Filters are responsible for processing all printer-specific options, including
resolution, paper size, and others.

f. CUPS uses another type of filter, or back end, depending on how the printer
is connected to the host, for the actual transfer of the data stream to the
printer device.


da10:~ # ls /usr/lib/cups/backend/
canon  epson  hp  hpfax  http  ipp  lpd  parallel  scsi  serial  smb  snmp  socket  usb

5. Once the print job has been transferred to the printer, the print spooler deletes the
job from the queue and starts processing the next job. When the job is deleted,
the print data file in /var/spool/cups/ is removed.
The file that has information about the print job is not deleted. The filename for
the first print job is labeled c00001. The number in each of the following print
jobs is increased by one.

Figure 7-21 Schematic Representation of the Filtering Process

Print Queues

With CUPS, printer devices are addressed using print queues. Rather than being sent
directly to the printer, print jobs are sent to a print queue associated with the device.
On a print server, each print queue is registered with its name in the /etc/cups/
printers.conf file.
Among other things, this file defines through which queues the printer is addressed,
how it is connected, and which interface it is connected to.
Several print queues can be defined for one printer, as in the following example:
# Printer configuration file for CUPS v1.3.9
# Written by cupsd on 2009-02-05 14:06
<DefaultPrinter hp_draft>
Info HP LaserJet 6mp Foomatic/hpijs, hpijs 2.8.7.3
DeviceURI parallel:/dev/lp0
State Idle
StateTime 1233839191
Accepting Yes
Shared Yes
JobSheets none none
QuotaPeriod 0
PageLimit 0
KLimit 0
OpPolicy default
ErrorPolicy stop-printer


</Printer>
<Printer hp_normal>
Info HP LaserJet 6mp Foomatic/hpijs, hpijs 2.8.7.3
DeviceURI parallel:/dev/lp0
State Idle
StateTime 1233839040
Accepting Yes
Shared Yes
JobSheets none none
QuotaPeriod 0
PageLimit 0
KLimit 0
OpPolicy default
ErrorPolicy stop-printer
</Printer>
...

For instance, in the case of color printers, it can be useful to have two queues, one for
black-and-white printing of text documents and one for color printing.
The following explains some entries in /etc/cups/printers.conf:

<DefaultPrinter queuename>. The entry for the default printer.

<DefaultPrinter hp_draft> and <Printer hp_normal>. The queues as defined
for the printer HP LaserJet 6mp.

State Idle. Currently, this print queue does not have any print jobs.

Accepting Yes. The queue is accepting print jobs.

JobSheets none none. Starting and ending banner will not be printed.

Each existing queue has its own configuration file that is stored on the print server in
the /etc/cups/ppd/ directory.
These files contain settings to configure the paper size, the resolution, and the other
settings.
By contrast, on the client side, the names of queues are registered in the
/etc/printcap file:
da10:~ # cat /etc/printcap
# This file was automatically generated by cupsd(8) from
# the /etc/cups/printers.conf file. All changes to this
# file will be lost.
hp_normal|HP LaserJet 6mp Foomatic/hpijs, hpijs 2.8.7.3:rm=da10.digitalairlines.com:rp=hp_normal:
hp_draft|HP LaserJet 6mp Foomatic/hpijs, hpijs 2.8.7.3:rm=da10.digitalairlines.com:rp=hp_draft:

In fact, /etc/printcap is a link to /etc/cups/printcap. This file is
generated and updated automatically by cupsd and is relevant for a number of
applications (such as OpenOffice.org) that use the entries in it to list the available
printers in their printer selection dialogs.
You should not change the /etc/printcap file manually.
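The queue blocks above are simple enough to inspect programmatically, which is useful when auditing a print server: the Shared directive decides whether cupsd advertises a queue to other hosts, and several queues with the same DeviceURI all feed one physical printer. The following is an added example, not code from the manual or from CUPS. Its input is constructed from the two-queue listing shown above, with hp_normal changed to Shared No so that the shared-queue check has something to distinguish.

```python
"""Parse /etc/cups/printers.conf and report shared queues per device.

Added example, not code from the manual or from CUPS. The sample below is
constructed from the two-queue listing in the text, with hp_normal changed to
"Shared No" so that shared_queues() has something to distinguish.
"""
import re

PRINTERS_CONF = """\
# Printer configuration file for CUPS v1.3.9
# Written by cupsd on 2009-02-05 14:06
<DefaultPrinter hp_draft>
Info HP LaserJet 6mp Foomatic/hpijs, hpijs 2.8.7.3
DeviceURI parallel:/dev/lp0
State Idle
Accepting Yes
Shared Yes
JobSheets none none
ErrorPolicy stop-printer
</Printer>
<Printer hp_normal>
Info HP LaserJet 6mp Foomatic/hpijs, hpijs 2.8.7.3
DeviceURI parallel:/dev/lp0
State Idle
Accepting Yes
Shared No
JobSheets none none
ErrorPolicy stop-printer
</Printer>
"""

# <Printer name> opens a normal queue, <DefaultPrinter name> the default queue;
# both kinds of block are closed by </Printer>.
OPEN_TAG = re.compile(r"^<(DefaultPrinter|Printer)\s+(\S+)>$")


def parse_printers_conf(text):
    """Return {queue_name: {directive: value, ..., "default": bool}}."""
    queues = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = OPEN_TAG.match(line)
        if match:
            if current is not None:
                raise ValueError("nested <Printer> block at %r" % line)
            current = {"default": match.group(1) == "DefaultPrinter"}
            queues[match.group(2)] = current
            continue
        if line == "</Printer>":
            if current is None:
                raise ValueError("</Printer> without an open block")
            current = None
            continue
        if current is None:
            raise ValueError("directive outside a <Printer> block: %r" % line)
        # Directives are "Keyword value..."; the value may contain spaces.
        key, _, value = line.partition(" ")
        current[key] = value
    if current is not None:
        raise ValueError("unterminated <Printer> block")
    return queues


def shared_queues(queues):
    """Names of the queues cupsd advertises to other hosts (Shared Yes)."""
    return sorted(name for name, q in queues.items()
                  if q.get("Shared", "No").lower() == "yes")


def queues_by_device(queues):
    """Group queue names by DeviceURI, i.e. by physical printer."""
    by_device = {}
    for name, q in queues.items():
        by_device.setdefault(q.get("DeviceURI"), []).append(name)
    return {uri: sorted(names) for uri, names in by_device.items()}


if __name__ == "__main__":
    parsed = parse_printers_conf(PRINTERS_CONF)
    for name, q in sorted(parsed.items()):
        print("%-10s default=%-5s shared=%-3s %s" % (
            name, q["default"], q.get("Shared", "No"), q.get("DeviceURI")))
    print("shared queues:", shared_queues(parsed))
    print("queues per device:", queues_by_device(parsed))
```

Run it against a real /etc/cups/printers.conf by reading the file into parse_printers_conf; the parser rejects a directive outside a block or an unterminated block rather than silently skipping it, so a hand-edited file with a missing </Printer> is reported instead of half-parsed.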


Log Files

The log files of CUPS are stored in the /var/log/cups/ directory.

CUPS has three log files:

The access_log File on page 278

The error_log File on page 279

The page_log File on page 279

For troubleshooting CUPS issues, you also need to know how to

Set the Log Level to Record Error on page 280

The access_log File

The access_log file lists each HTTP resource that is accessed by a web browser
or CUPS/IPP client.
Lines in the log file look like the following:
localhost - - [05/Feb/2009:14:18:22 +0100] "POST / HTTP/1.1" 200 416 CUPS-Get-Printers successful-ok
localhost - - [05/Feb/2009:14:18:22 +0100] "POST / HTTP/1.1" 200 416 CUPS-Get-Classes successful-ok
localhost - - [05/Feb/2009:14:18:22 +0100] "POST / HTTP/1.1" 200 75 CUPS-Get-Default successful-ok
localhost - - [05/Feb/2009:14:18:22 +0100] "POST /printers/hp_normal HTTP/1.1" 200 982 Print-Job successful-ok

The parts of a line are (from left to right):

The host field contains the name of the host (in the example, localhost).

The group field always contains - in CUPS.

The user field contains the authenticated user name of the requesting user.
If a user name and password are not supplied for the request, this field contains a
dash (-).

The date-time field shows the date and time of the request in local time (for
example, [05/Feb/2009:14:18:22 +0100]).
The format is [DD/MON/YYYY:HH:MM:SS +ZZZZ] where ZZZZ is the time
zone offset in hours and minutes from coordinated universal time (UTC).

The method field is the HTTP method used (such as GET, PUT, and POST).

The resource field is the filename of the requested resource. Possible resources
are

/admin/

/printers/

/jobs/

The version field is the HTTP version used by the client.
For CUPS clients, this is always HTTP/1.1.

The status field contains the HTTP result status of the request.
Usually it is 200, but other HTTP status codes are possible. For example,
401 indicates unauthorized access.

The bytes field contains the number of bytes in the request.
For POST requests, the bytes field contains the number of bytes that were
received from the client.
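The field list above is enough to turn access_log into structured records, and the status field is the one worth watching: a run of 401 responses from one host against /admin/ is the signature of someone guessing credentials for the web interface. The following is an added example, not code from the manual or from CUPS. The first four ACCESS_LOG lines are the ones shown above; the remaining lines are constructed to exercise the checks (a host retrying /admin/ without credentials, and a plain GET that carries no IPP fields). The two trailing fields of the sample lines, which the list above does not name, carry the IPP operation and its IPP status.

```python
"""Parse CUPS access_log lines and flag repeated 401 responses per host.

Added example, not code from the manual or from CUPS. The first four lines of
ACCESS_LOG are the ones shown in the text; the rest are constructed (a host
retrying /admin/ without credentials, and a GET without IPP fields).
"""
import re
from collections import Counter
from datetime import datetime

ACCESS_LOG = """\
localhost - - [05/Feb/2009:14:18:22 +0100] "POST / HTTP/1.1" 200 416 CUPS-Get-Printers successful-ok
localhost - - [05/Feb/2009:14:18:22 +0100] "POST / HTTP/1.1" 200 416 CUPS-Get-Classes successful-ok
localhost - - [05/Feb/2009:14:18:22 +0100] "POST / HTTP/1.1" 200 75 CUPS-Get-Default successful-ok
localhost - - [05/Feb/2009:14:18:22 +0100] "POST /printers/hp_normal HTTP/1.1" 200 982 Print-Job successful-ok
10.0.0.77 - - [05/Feb/2009:14:19:01 +0100] "POST /admin/ HTTP/1.1" 401 0
10.0.0.77 - - [05/Feb/2009:14:19:03 +0100] "POST /admin/ HTTP/1.1" 401 0
10.0.0.77 - - [05/Feb/2009:14:19:05 +0100] "POST /admin/ HTTP/1.1" 401 0
10.0.0.77 - geeko [05/Feb/2009:14:19:09 +0100] "GET /printers/ HTTP/1.1" 200 2331
"""

# host group user [date-time] "method resource version" status bytes,
# optionally followed by the IPP operation and IPP status of the request.
LINE = re.compile(
    r'^(?P<host>\S+) (?P<group>\S+) (?P<user>\S+) \[(?P<datetime>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<resource>\S+) (?P<version>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+)'
    r'(?: (?P<ipp_op>\S+) (?P<ipp_status>\S+))?$'
)


def parse_access_log(text):
    """Return one dict per line; raise on a line that does not match the format."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        match = LINE.match(line)
        if not match:
            raise ValueError("line %d is not an access_log line: %r" % (lineno, line))
        entry = match.groupdict()
        entry["status"] = int(entry["status"])
        entry["bytes"] = int(entry["bytes"])
        # [DD/MON/YYYY:HH:MM:SS +ZZZZ], as described in the text
        entry["timestamp"] = datetime.strptime(entry["datetime"],
                                               "%d/%b/%Y:%H:%M:%S %z")
        entries.append(entry)
    return entries


def unauthorized_by_host(entries, threshold=3):
    """Hosts with at least `threshold` 401 responses, with their counts."""
    counts = Counter(e["host"] for e in entries if e["status"] == 401)
    return {host: n for host, n in counts.items() if n >= threshold}


def print_jobs(entries):
    """(host, user, queue resource) for every Print-Job request."""
    return [(e["host"], e["user"], e["resource"])
            for e in entries if e["ipp_op"] == "Print-Job"]


if __name__ == "__main__":
    parsed = parse_access_log(ACCESS_LOG)
    for e in parsed:
        print(e["timestamp"].isoformat(), e["host"], e["user"], e["method"],
              e["resource"], e["status"], e["ipp_op"] or "-")
    print("hosts with repeated 401:", unauthorized_by_host(parsed))
    print("print jobs:", print_jobs(parsed))
```

The threshold is deliberately a parameter: one 401 is normal for a browser that has not yet been asked for a password, several in a few seconds from the same host is not.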

The error_log File

The error_log file lists messages from the scheduler (such as errors and
warnings).
I [05/Feb/2009:14:18:22 +0100] [Job 14] Adding start banner page "none".
I [05/Feb/2009:14:18:22 +0100] [Job 14] Adding end banner page "none".
I [05/Feb/2009:14:18:22 +0100] [Job 14] File of type text/plain queued by "root".
I [05/Feb/2009:14:18:22 +0100] [Job 14] Queued on "hp_normal" by "root".
I [05/Feb/2009:14:18:22 +0100] [Job 14] Started filter /usr/lib/cups/filter/texttops (PID 28773)
I [05/Feb/2009:14:18:22 +0100] [Job 14] Started filter /usr/lib/cups/filter/pstops (PID 28774)
I [05/Feb/2009:14:18:22 +0100] [Job 14] Started filter /usr/lib/cups/filter/foomatic-rip-hplip (PID 28775)
I [05/Feb/2009:14:18:22 +0100] [Job 14] Started backend /usr/lib/cups/backend/parallel (PID 28776)
I [05/Feb/2009:14:18:24 +0100] [Job 14] Completed successfully.

Following is an explanation of the entries in the lines (from left to right):

The level field contains the type of message:

E. An error occurred.

W. The server was unable to perform an action.

I. Informational message.

D. Debugging message.

The date-time field contains the date and time of the entry, for example, when a
page started printing.
The format of this field is identical to the date-time field in the access_log
file.

The message field contains a free-form text message.
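For troubleshooting, the most useful thing to pull out of error_log is the sequence of filters and the backend that cupsd started for one job, since that is the filtering chain of Figure 7-21 as it actually ran, followed by any E or W messages. The following is an added example, not code from the manual or from CUPS. The nine I lines for job 14 are the ones shown above; the E and W lines for job 15 and the scheduler-level E line are constructed so that the problem report is not empty.

```python
"""Parse CUPS error_log lines, rebuild a job's filter chain, collect problems.

Added example, not code from the manual or from CUPS. The "I" lines for job 14
are the ones shown in the text; the E/W lines for job 15 and the scheduler
line without a job id are constructed.
"""
import re

ERROR_LOG = """\
I [05/Feb/2009:14:18:22 +0100] [Job 14] Adding start banner page "none".
I [05/Feb/2009:14:18:22 +0100] [Job 14] Adding end banner page "none".
I [05/Feb/2009:14:18:22 +0100] [Job 14] File of type text/plain queued by "root".
I [05/Feb/2009:14:18:22 +0100] [Job 14] Queued on "hp_normal" by "root".
I [05/Feb/2009:14:18:22 +0100] [Job 14] Started filter /usr/lib/cups/filter/texttops (PID 28773)
I [05/Feb/2009:14:18:22 +0100] [Job 14] Started filter /usr/lib/cups/filter/pstops (PID 28774)
I [05/Feb/2009:14:18:22 +0100] [Job 14] Started filter /usr/lib/cups/filter/foomatic-rip-hplip (PID 28775)
I [05/Feb/2009:14:18:22 +0100] [Job 14] Started backend /usr/lib/cups/backend/parallel (PID 28776)
I [05/Feb/2009:14:18:24 +0100] [Job 14] Completed successfully.
E [05/Feb/2009:14:20:10 +0100] [Job 15] Unable to open device file "/dev/lp0": Permission denied
W [05/Feb/2009:14:20:10 +0100] [Job 15] Backend returned status 4 (stop printer)
E [05/Feb/2009:14:21:00 +0100] Unable to bind socket for address 0.0.0.0:631 - Address already in use.
"""

# level [date-time] [Job N] message; the [Job N] part is absent for
# messages that concern the scheduler itself rather than one job.
LINE = re.compile(
    r"^(?P<level>[EWID]) \[(?P<datetime>[^\]]+)\] "
    r"(?:\[Job (?P<job>\d+)\] )?(?P<message>.*)$"
)
STARTED = re.compile(
    r"^Started (?P<kind>filter|backend) (?P<path>\S+) \(PID (?P<pid>\d+)\)$"
)
LEVELS = {"E": "error", "W": "warning", "I": "info", "D": "debug"}


def parse_error_log(text):
    """Return one dict per line with level, datetime, job (int or None), message."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        match = LINE.match(line)
        if not match:
            raise ValueError("line %d is not an error_log line: %r" % (lineno, line))
        entry = match.groupdict()
        entry["job"] = int(entry["job"]) if entry["job"] is not None else None
        entries.append(entry)
    return entries


def job_pipeline(entries, job_id):
    """Filter and backend programs started for a job, in the order cupsd ran them."""
    chain = []
    for e in entries:
        if e["job"] != job_id:
            continue
        match = STARTED.match(e["message"])
        if match:
            chain.append(match.group("path"))
    return chain


def problems(entries):
    """E and W entries grouped by job id; key None holds scheduler-level messages."""
    grouped = {}
    for e in entries:
        if e["level"] in ("E", "W"):
            grouped.setdefault(e["job"], []).append(e)
    return grouped


def job_completed(entries, job_id):
    """True when cupsd logged 'Completed successfully.' for the job."""
    return any(e["job"] == job_id and e["message"] == "Completed successfully."
               for e in entries)


if __name__ == "__main__":
    parsed = parse_error_log(ERROR_LOG)
    print("job 14 pipeline:", " -> ".join(job_pipeline(parsed, 14)))
    for job, items in problems(parsed).items():
        for e in items:
            print("job %s: %s: %s" % (job, LEVELS[e["level"]], e["message"]))
```

With the default LogLevel info, as described below under Set the Log Level to Record Error, only the I lines appear; the E and W lines are what you get once the level records errors.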

The page_log File

The page_log file lists each page that is sent to a printer.

hp_normal root 14 [05/Feb/2009:14:18:23 +0100] 1 1 - localhost

The printer field contains the name of the printer that printed the page (in this
example, hp_normal).
If you send a job to a printer class, this field contains the name of the printer that
was assigned the job.

The user field contains the name of the user that submitted this file for printing.

The job-id field contains the job number of the page being printed (in this
example, 14).

The date-time field contains the date and time the page started printing.
The format of this field is identical to the date-time field in the access_log file.

The page-number field contains the number of pages (in this example, 1).

The num-pages field contains the number of copies (in this example, 1).
For printers that cannot produce copies on their own, the num-pages field will
always be 1.

The job-billing field contains a copy of the job-billing attribute provided with
the IPP create-job or print-job request, or a dash (-) if none was provided.

The hostname field contains the name of the host that originated the print job (in
this example, localhost).
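Because page_log has one line per page and carries the copy count, user and originating host, it is the file to use for accounting and for spotting jobs that do not fit the expected pattern. The following is an added example, not code from the manual or from CUPS. The first PAGE_LOG line is the one shown above; the other three are constructed (a two-page job printed in two copies with a billing code, and a job from a host outside the expected set).

```python
"""Account for printed sheets from CUPS page_log and flag unusual jobs.

Added example, not code from the manual or from CUPS. The first line of
PAGE_LOG is the one shown in the text; the others are constructed.
"""
import re
from collections import Counter

PAGE_LOG = """\
hp_normal root 14 [05/Feb/2009:14:18:23 +0100] 1 1 - localhost
hp_normal geeko 15 [05/Feb/2009:14:25:02 +0100] 1 2 proj-42 da10.digitalairlines.com
hp_normal geeko 15 [05/Feb/2009:14:25:04 +0100] 2 2 proj-42 da10.digitalairlines.com
hp_draft tux 16 [05/Feb/2009:14:30:11 +0100] 1 1 - 10.0.0.77
"""

# printer user job-id [date-time] page-number num-pages job-billing hostname
LINE = re.compile(
    r"^(?P<printer>\S+) (?P<user>\S+) (?P<job>\d+) \[(?P<datetime>[^\]]+)\] "
    r"(?P<page>\d+) (?P<copies>\d+) (?P<billing>\S+) (?P<host>\S+)$"
)


def parse_page_log(text):
    """Return one dict per page_log line with the numeric fields converted."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        match = LINE.match(line)
        if not match:
            raise ValueError("line %d is not a page_log line: %r" % (lineno, line))
        entry = match.groupdict()
        for key in ("job", "page", "copies"):
            entry[key] = int(entry[key])
        entries.append(entry)
    return entries


def sheets_per_user(entries):
    """Sheets printed per user: one line per page, multiplied by num-pages (copies)."""
    totals = Counter()
    for e in entries:
        totals[e["user"]] += e["copies"]
    return dict(totals)


def jobs_without_billing(entries):
    """{job-id: user} for jobs whose job-billing attribute is the dash placeholder."""
    return {e["job"]: e["user"] for e in entries if e["billing"] == "-"}


def jobs_from_unexpected_hosts(entries, allowed_hosts):
    """{job-id: host} for pages whose originating host is not in allowed_hosts."""
    return {e["job"]: e["host"] for e in entries if e["host"] not in allowed_hosts}


if __name__ == "__main__":
    parsed = parse_page_log(PAGE_LOG)
    print("sheets per user:", sheets_per_user(parsed))
    print("jobs without billing code:", jobs_without_billing(parsed))
    print("jobs from unexpected hosts:",
          jobs_from_unexpected_hosts(parsed, {"localhost", "da10.digitalairlines.com"}))
```

The allowed-host set is whatever your site considers legitimate print clients; the check only reports what does not match, it does not decide whether that is a problem.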

Set the Log Level to Record Error

Messages from cupsd are written to the /var/log/cups/error_log file. With
the default log level info, only requests and status changes are logged to the file.
If you want errors recorded, you need to change the LogLevel option in the cupsd
configuration file /etc/cups/cupsd.conf:
# Log general information in error_log - change "info" to "debug" for
# troubleshooting...
LogLevel info

For debugging and troubleshooting, set the log level to debug or debug2. After
changing the configuration, restart CUPS by entering rccups restart.


Exercise 7-4

Manage Printers from the Command Line


In this exercise, you practice managing printer queues from the command line.
Use the lpr and lp commands to print the /etc/hosts file to the queue hplj4.
View the jobs using lpq and lpstat. Delete the first job using lprm.
(End of Exercise)


Summary

The following is a summary of what you learned in the course objectives.

Objective: Accessing NFS File Shares

What You Learned:

File systems exported by NFS appear and behave on an NFS client as if they were
located on a local machine.

NFS is a Remote Procedure Call (RPC) service.

NFS directories exported on a server can be mounted in the file system tree of a
client. The easiest way to do this is to use the YaST NFS Client module (Network
Services > NFS Client).

You can import a directory manually from an NFS server by using the command
mount. The only prerequisite is a running rpcbind (portmapper).

To mount directories when needed and to unmount them after some time when not
needed any longer, use the /usr/sbin/automount program that is contained in the
autofs package.

Objective: Accessing NFS File Shares

What You Learned:

LDAP, a commonly used directory service, stores information in objects that can
be associated with object classes. The classes determine which attributes an object
can or must have. By including schemas, you are able to access pre-defined object
classes.

YaST makes integrating clients into an existing LDAP structure very easy (Network
Services > LDAP Client).

The automounter queries the LDAP directory for automount information.

Objective: Printing to CUPS Printers

What You Learned:

CUPS is based on the Internet Printing Protocol (IPP).

You can access the YaST Printer Configuration dialog by selecting YaST >
Hardware > Printer.

To manage printer queues on the command line, you learned the following:

Generate a Print Job on page 269

Display Information on Print Jobs on page 270

Cancel Print Job on page 271

Manage Queues on page 271

Configure Queues on page 272

Start and Stop CUPS on page 274


SECTION 8

Access Remote Desktops Using Nomad

You can remotely access the desktop of a SUSE Linux Enterprise 11 system using
Novell Open Mobile Agile Desktop (Nomad). In this section, you learn how to install
and configure Nomad on SLED 11 workstations.

Section Objectives

In this section, you learn how to do the following:

1. Describe How Nomad Works on page 286

2. Install and Configure Nomad on page 291

3. Access Desktops Remotely with Nomad on page 300

4. Troubleshoot Common Nomad Problems on page 307


Objective 1

Describe How Nomad Works


Before installing and configuring Nomad on SLED, you need to understand how it
works. In this objective, the following topics are addressed:

How RDP Works on page 286

How Nomad Works on page 287

How RDP Works


The Nomad product is based on the Remote Desktop Protocol (RDP). RDP provides
remote display and input functions over a network connection, much like Virtual
Network Computing (VNC).
Essentially, it allows you to view the desktop of another computer locally on your
computer. Your local computer can send keyboard and mouse events over the
network connection to the remote system. The remote system, in return, sends back a
continuously updated desktop display and (optionally) sound events to your local
computer. This is shown below:
Figure 8-1

How RDP Works

RDP is a multi-channel, client-server protocol that runs on TCP port 3389. It provides
separate virtual channels that carry presentation data from the RDP server as well as
encrypted client mouse and keyboard events from the RDP client. RDP supports up
to 64,000 separate channels for data transmission.
The RDP server uses its own video driver to render display information into network
packets using RDP protocol and then sends them over the network to the RDP client.
The RDP client receives the rendering data through its network interface and
reconstructs the packets into the corresponding graphics API calls.
Mouse and keyboard events from the RDP client are redirected to the RDP server.
The server then uses its own keyboard and mouse drivers to process these events.


In an RDP session, the desktop environment, including color depth, wallpaper
settings, and so on, is determined by the connection settings.
The RDP protocol offers several advantages over other remote access solutions, such
as VNC:

Encryption: RDP uses RSA encryption to secure network transmissions.

Compression and caching: To reduce bandwidth usage, RDP compresses data
transmissions. It also caches bitmaps in RAM to dramatically improve
performance over low-bandwidth connections.

Clipboard: You can copy and paste data between an RDP session and local
applications.

Printer support: You can send print jobs from the RDP session to locally
connected printers.

Color depth: RDP sessions can support up to 24-bit color depth.

Sound support: Sounds generated on the RDP server can be sent to the sound
board on the RDP client.

How Nomad Works


Novell includes the Nomad product in SLED 11. Nomad provides remote desktop
services using the RDP protocol.
Nomad lets you remotely access desktops from various physical locations, allowing
you to remotely control and administer the system. Nomad can also share desktops
for collaboration or training purposes. The end user can see and use the remote
desktop as if he or she were sitting at the console of the remote computer.
A sample remote desktop session on SLED 11 is shown below.


Figure 8-2

Viewing a Remote Desktop with Nomad

Nomad runs desktop sessions detached from the graphics hardware. It consists of the
following core components:

Proxy X Server: The proxy X server supports modern X extensions like
Composite, XVideo, and RANDR.

Session Manager: The session manager is responsible for spawning and keeping
track of desktop sessions that can be accessed remotely.

Connection Handler: The connection handler uses the Remote Desktop
Protocol (RDP) as a transport and security layer.

Client Program: The client program is a special RDP client used by SLED 11. It
implements Nomad-specific extensions for X11 protocol forwarding and the
ability to composite remote desktops locally when appropriate compositing
manager plug-ins are loaded.

Compositing Manager Extensions: Compositing allows for advanced visual
effects of application windows, such as transparency, fading, scaling, contorting,
shuffling, and redirecting.


Because Nomad is based on the RDP protocol, it operates in a client-server
relationship. Systems participating in a Nomad implementation fill one of two roles:

Receiver: This is the local RDP client system where the remote desktop is
displayed. The receiver can be a server, desktop, thin-client, or notebook system.

Sender: This is the remote RDP server system where the desktop and
applications actually run. The sender can be a server, desktop, or notebook
system. It can be a server in a data-center, an instance in a cloud, or even a virtual
machine.

As discussed earlier, the RDP protocol supports virtual channels. A virtual channel
can carry any kind of data; for example, forwarding storage devices and clipboard
data. When establishing an RDP connection, the sender and the receiver will
determine the channels that can be supported.
Nomad uses a virtual channel called rdpx11. This channel provides X forwarding that
is very similar to the X forwarding used by the SSH service.
Some of the advantages of Nomad over other remote access solutions (such as VNC)
include the following:

Linux RDP receivers can connect to any RDP server, including Windows servers.

Any RDP client, including Windows workstations, can connect to a Linux RDP
sender.

Unlike VNC, RDP encrypts transmissions. You can set the encryption level to
low, medium, or high in the /etc/xrdp/xrdp.ini file, as shown in the following.
[globals]
bitmap_cache=yes
bitmap_compression=yes
port=3389
crypt_level=low
channel_code=1
[xsessions]
path=/usr/share/xsessions
lib=libdmx.so
username=ask
password=ask
ip=127.0.0.1
port=-1
[failsafe]
name=Failsafe Terminal
exec=xterm
lib=libvnc.so
username=ask
password=ask
ip=127.0.0.1
port=-1

These encryption levels configure the following:

low. Specifies 40-bit client-to-server encryption

medium. Specifies 40-bit two-way encryption

high. Specifies 128-bit two-way encryption
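Note what the three levels mean for the traffic: with low, only the client-to-server direction is encrypted, and only with a 40-bit key; medium encrypts both directions but still with 40-bit keys; only high gives 128-bit keys in both directions, and the file as shipped in the listing above is set to low. A small audit of the file makes the setting visible and produces a corrected copy. The following is an added example, not code from the manual or from the xrdp project. WEAK_XRDP_INI is the listing shown above, the meaning of each level is taken from the text, and the fixed-password check is this example's own assumption: a session section whose password is anything other than ask stores a credential in the configuration file.

```python
"""Audit the RDP encryption level in /etc/xrdp/xrdp.ini and emit a hardened copy.

Added example, not code from the manual or from the xrdp project. The input is
the listing from the text (crypt_level=low). The fixed-password check is an
assumption of this example, not something xrdp itself enforces.
"""
import configparser
import io

WEAK_XRDP_INI = """\
[globals]
bitmap_cache=yes
bitmap_compression=yes
port=3389
crypt_level=low
channel_code=1
[xsessions]
path=/usr/share/xsessions
lib=libdmx.so
username=ask
password=ask
ip=127.0.0.1
port=-1
[failsafe]
name=Failsafe Terminal
exec=xterm
lib=libvnc.so
username=ask
password=ask
ip=127.0.0.1
port=-1
"""

# crypt_level values as described in the text
CRYPT_LEVELS = {
    "low": "40-bit, client-to-server only",
    "medium": "40-bit, two-way",
    "high": "128-bit, two-way",
}


def load_xrdp_ini(text):
    """Parse the INI text; interpolation is off so '%' in values is literal."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return parser


def crypt_level(parser):
    """The configured level in lower case, or None when [globals] does not set it."""
    value = parser.get("globals", "crypt_level", fallback=None)
    return value.strip().lower() if value is not None else None


def audit(parser):
    """Findings as strings; an empty list means nothing to report."""
    findings = []
    level = crypt_level(parser)
    if level is None:
        findings.append("crypt_level is not set in [globals]")
    elif level not in CRYPT_LEVELS:
        findings.append("crypt_level=%s is not one of low, medium, high" % level)
    elif level != "high":
        findings.append("crypt_level=%s (%s): only 'high' gives 128-bit two-way encryption"
                        % (level, CRYPT_LEVELS[level]))
    # Assumption of this example: every section other than [globals] is a
    # session definition, and password=ask is the only value that keeps the
    # credential out of the file.
    for section in parser.sections():
        if section == "globals":
            continue
        if parser.get(section, "password", fallback="ask") != "ask":
            findings.append("section [%s] stores a fixed password instead of password=ask"
                            % section)
    return findings


def harden(text):
    """Return the same configuration with crypt_level forced to high."""
    parser = load_xrdp_ini(text)
    if not parser.has_section("globals"):
        parser.add_section("globals")
    parser.set("globals", "crypt_level", "high")
    out = io.StringIO()
    parser.write(out, space_around_delimiters=False)
    return out.getvalue()


if __name__ == "__main__":
    for finding in audit(load_xrdp_ini(WEAK_XRDP_INI)):
        print("finding:", finding)
    print(harden(WEAK_XRDP_INI))
```

harden() rewrites the file through configparser, so comments in the original are not preserved; on a real system compare its output with the installed file before replacing it, then restart xrdp with rcxrdp restart as described in the next objective.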


Objective 2

Install and Configure Nomad


Now that you understand how RDP and Nomad work, you are ready to install and
configure it on your SLED 11 system. In this objective, you learn how to do the
following:

Configure the Nomad Server on page 291

Configure the Nomad Client on page 295

NOTE: The RDP packages on the SLED 11 Gold Master still have some open bugs. There should
be an update available in the meantime.

Configure the Nomad Server


You can configure Nomad on SLED 11 in one of two ways:

Installing and Configuring Nomad Manually on page 291

Installing and Configuring Nomad with YaST on page 295

Installing and Configuring Nomad Manually

To install and configure Nomad manually, do the following:


1. Install the Nomad packages on the system that will function as the RDP server.
Complete the following:

a. Start YaST by selecting Computer > YaST on the system that will be the
RDP server.

b. Enter your root user's password when prompted.

c. Select Software > Software Management.

d. Select All.

e. In the search field, enter compiz.

Depending upon how your system was initially installed, the compiz
packages may or may not have already been installed on your system.
These packages are required if you want to use 3D desktop effects. They also
significantly improve performance when you use an RDP client that supports
virtual channels.
By enabling desktop effects on both the local and remote desktop, the local
compositing manager will be able to apply effects to the elements coming
from the remote desktop.
If you intend to use desktop effects on the remote desktop, make sure the
compiz-plugins-dmx package is installed on both systems, the system that
provides the remote desktop as well as the local system accessing the remote
desktop.

f. Verify that the following packages have been installed:

compiz

compiz-plugins-dmx

compiz-gnome

compiz-fusion-plugins-main

compiz-fusion-plugins-extra

compiz-branding-SLE

This is shown below:

Figure 8-3

Installing compiz Packages

g. If any of these packages have not been installed, double-click them to mark
them for installation.

h. Enter xrdp in the search field.

i. Double-click the xrdp package to mark it for installation, as shown in the
following:

Figure 8-4

Installing the xrdp Package

j. Repeat the above steps to mark the following packages for installation:

xorg-x11-server-dmx

xorg-x11-server-rdp

k. Select Apply.

l. Wait while the packages are installed.

m. Close YaST when complete.


2. Configure the xrdp daemon to automatically start at runlevel 5 by doing the
following:

a. Open a terminal session and switch to your root user account using the su
command.

b. Enter chkconfig xrdp on at the shell prompt.

3. Restart the X11 display system. The easiest way to do this is to restart the system.

Once the system has been rebooted, the xrdp daemon should have been
automatically started. You can also manually manage the daemon using the
following commands at the shell prompt:

rcxrdp start: Starts the xrdp daemon.

rcxrdp stop: Stops the xrdp daemon.

rcxrdp restart: Restarts the xrdp daemon.

4. If necessary, configure your RDP server's host firewall to allow connections to
TCP port 3389. This port is used for RDP connections.
Do the following:

a. Start YaST by selecting Computer > YaST on the system that will be the
RDP server.

b. When prompted, enter your root user's password.

c. Select Security and Users > Firewall.

d. Select Allowed Services.

e. Select Remote Desktop Protocol in the Service to Allow drop-down list;
then select Add. This is shown below:

Figure 8-5

Configuring the Firewall to Allow RDP

f. Select Next.

g. Select Finish.

h. Close YaST.

Installing and Configuring Nomad with YaST

On SLED 11, you can also enable the RDP daemon on your sending system using
YaST. Start YaST and then select Network Devices > Remote Administration
(RDP). The following is displayed:
Figure 8-6

Enabling RDP in YaST

Mark Allow Remote Administration and open the RDP port in the host firewall.
When done, select Finish.

Configure the Nomad Client

With the Nomad server configured, you next need to configure the Nomad client.
Complete the following:

1. Start YaST by selecting Computer > YaST on the system that will be the RDP
client.

2. Enter your root user's password when prompted.

3. Select Software > Software Management.

4. Select All.

5. Enter rdesktop in the search field.

The local machine where the remote desktop will be displayed must have the
rdesktop package installed. Beyond this, it doesn't require any special
configuration. As soon as the rdesktop package is installed, you can use the
rdesktop command to connect to the remote sender that provides the desktop.
If you prefer to use a graphical front end for the rdesktop utility, you can install
the Terminal Server Client (tsclient) package. This package is a GNOME front
end for rdesktop as well as other remote access tools (such as Xnest and
vncviewer).

6. Verify that the following packages have been installed:

rdesktop

tsclient

This is shown below:

Figure 8-7

Installing the rdesktop Client Packages

7. Enter compiz in the search field.

8. Verify that the following packages have been installed:

compiz

compiz-plugins-dmx

compiz-gnome

compiz-fusion-plugins-main

compiz-fusion-plugins-extra

compiz-branding-SLE

This is shown in the following:

Figure 8-8

Installing compiz Packages

9. If any of these packages are missing, double-click them and select Apply. If no
packages are missing, select Cancel.


Exercise 8-1

Install and Configure Nomad


In this exercise, you configure Nomad on your DA-HOST workstation.
You will find this exercise in the workbook.
(End of Exercise)


Objective 3

Access Desktops Remotely with Nomad

As soon as xrdp is running and port 3389 is open on the RDP server, you can use an
RDP client to establish a remote connection from your local computer. This can be
done using two different utilities on SLED 11:

Accessing Remote Desktops with rdesktop on page 300

Accessing Remote Desktops with tsclient on page 302

Accessing Remote Desktops with rdesktop

The first option you have for accessing a remote desktop from your Nomad server is
the rdesktop utility. This utility is run from the shell prompt and uses the following
syntax:
rdesktop options server_address
You can set a number of options when establishing the connection. For example, you
can choose full-screen mode, choose a certain keyboard layout, or adjust the display
geometry. Some common options used with rdesktop include the following:

-u username: Specifies a username for authentication to the sender.

-p password: Specifies the password to authenticate with.

NOTE: If you specify a password on the command line, it may be visible to other users if they
use tools such as ps. Use -p - to configure rdesktop to request a password at startup.

-g geometry: Specifies the desktop geometry (specified as widthxheight). The
geometry can also be specified as a percentage of the whole screen, such as -g
80%.

-f: Enables full-screen mode. Full-screen mode can be toggled at any time by
pressing Ctrl+Alt+Enter.

-a color_depth: Sets the color depth for the connection. You can enter a value of
8, 15, 16 or 24 bits per pixel. The color depth may be limited by the sender's
configuration. The default value is the depth of the root window.

-z: Enables compression of the RDP datastream.

-x bandwidth_level: Changes the performance level of the RDP protocol.
Modem-level bandwidth is used by default, which disables all options. You can
use the following values with this parameter:

b: Specifies broadband-level bandwidth. This setting enables menu
animations and full window dragging.

l: Specifies LAN-level bandwidth. This setting enables all of the broadband
options plus the desktop wallpaper.

m: Specifies modem-level bandwidth. This setting disables all options.

-r sound:[local | off | remote]: Redirects sound generated on the sender to the
receiver.


For example, to establish a connection to an RDP server named
da1.digitalairlines.com in compressed mode as a user named geeko, you would enter
the following command at the shell prompt:
rdesktop -u geeko -z da1.digitalairlines.com
When you do, a login screen is displayed for the specified user where he or she can
log into the remote desktop:
Figure 8-9

Establishing a Remote Desktop Session with rdesktop

At this point, you can enter the password for the user and select your window
manager, such as GNOME, IceWM, TWM, etc.
After selecting OK, the remote desktop is displayed in an rdesktop window, as shown
below:

Figure 8-10

Viewing the Remote Desktop Session with rdesktop

RDP desktop sessions are independent and do not conflict with regular display
managers such as GDM or KDM.
NOTE: To learn more about the various rdesktop options available, enter man rdesktop at the shell
prompt.
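When rdesktop is started from a script or a desktop launcher, the option values above are easy to get wrong and the NOTE about -p applies with full force: a password in the argument vector is visible to every local user through ps. The following is an added example, not code from the manual or from rdesktop. It builds the argument vector from validated values using only the options listed above (-u, -p, -g, -f, -a, -z, -x and -r sound:), and it never places a password in the command line; when a password is wanted it emits -p - so that rdesktop asks for it at startup.

```python
"""Build an rdesktop command line from validated options.

Added example, not code from the manual or from rdesktop. Only the options the
text lists are supported, and the password is never placed in argv: with
prompt_password=True the function emits "-p -" so rdesktop asks at startup.
"""
import re

COLOR_DEPTHS = (8, 15, 16, 24)                        # -a values named in the text
BANDWIDTH_LEVELS = {"modem": "m", "broadband": "b", "lan": "l"}   # -x values
SOUND_MODES = ("local", "off", "remote")             # -r sound: values
# widthxheight, or a percentage of the whole screen such as 80%
GEOMETRY = re.compile(r"^(\d+x\d+|\d{1,3}%)$")


def option_errors(geometry=None, color_depth=None, bandwidth=None, sound=None):
    """Plain-language problems with the given option values (empty = all valid)."""
    errors = []
    if geometry is not None and not GEOMETRY.match(geometry):
        errors.append("geometry must be WIDTHxHEIGHT or a percentage, got %r" % geometry)
    if color_depth is not None and color_depth not in COLOR_DEPTHS:
        errors.append("color depth must be one of %s, got %r" % (COLOR_DEPTHS, color_depth))
    if (bandwidth is not None and bandwidth not in BANDWIDTH_LEVELS
            and bandwidth not in BANDWIDTH_LEVELS.values()):
        errors.append("bandwidth must be modem, broadband or lan (or m, b, l), got %r"
                      % bandwidth)
    if sound is not None and sound not in SOUND_MODES:
        errors.append("sound must be local, off or remote, got %r" % sound)
    return errors


def rdesktop_argv(server, user=None, prompt_password=False, geometry=None,
                  fullscreen=False, color_depth=None, compress=False,
                  bandwidth=None, sound=None):
    """Argument vector for rdesktop; raises ValueError on an invalid option value."""
    errors = option_errors(geometry, color_depth, bandwidth, sound)
    if errors:
        raise ValueError("; ".join(errors))
    argv = ["rdesktop"]
    if user:
        argv += ["-u", user]
    if prompt_password:
        argv += ["-p", "-"]        # ask at startup; a literal password here shows up in ps
    if geometry:
        argv += ["-g", geometry]
    if fullscreen:
        argv.append("-f")
    if color_depth is not None:
        argv += ["-a", str(color_depth)]
    if compress:
        argv.append("-z")
    if bandwidth:
        argv += ["-x", BANDWIDTH_LEVELS.get(bandwidth, bandwidth)]
    if sound:
        argv += ["-r", "sound:" + sound]
    argv.append(server)
    return argv


def leaks_password(argv):
    """True when -p is followed by anything other than '-' (the value is visible to ps)."""
    for i, arg in enumerate(argv[:-1]):
        if arg == "-p" and argv[i + 1] != "-":
            return True
    return False


if __name__ == "__main__":
    # The command from the text: compressed session as user geeko.
    print(" ".join(rdesktop_argv("da1.digitalairlines.com", user="geeko", compress=True)))
    print(" ".join(rdesktop_argv("da1.digitalairlines.com", user="geeko",
                                 prompt_password=True, geometry="80%",
                                 color_depth=16, bandwidth="lan", sound="local")))
```

Pass the returned list to subprocess.run without a shell so that the server name and user name are handed to rdesktop as single arguments; leaks_password() is a check to apply to command lines gathered from existing scripts.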

Accessing Remote Desktops with tsclient


In addition, you can also use the tsclient utility to provide a graphical front end to
rdesktop. To connect using tsclient, you need to complete the following:
1.

At the shell prompt, enter tsclient.


The following is displayed:

Figure 8-11: Running tsclient

2. Select Add Connection > Windows Terminal Service.

   The following is displayed:

Figure 8-12: Creating a tsclient Connection to the RDP Server

3. In the Name field, enter a name for the connection.

4. In the Host field, enter the IP address or DNS name of the RDP server you want to connect to.

5. In the Username field, enter the username on the remote system you want to connect as.

6. In the Password field, enter the user's password.

   The password is saved with the connection profile if you enter it here; leaving the field empty means you are prompted for it when the session starts.

7. In the size fields, specify the window size you want to use. You can select from the following:

   Fullscreen

   Custom Size (specify the screen geometry in the fields provided)

8. Expand the Advanced Options.

Figure 8-13: Configuring Advanced tsclient Options

9. In the Connection Type drop-down list, specify your bandwidth. You can select from the following:

   Default

   Modem

   Broadband

   LAN

10. In the Color Depth drop-down list, specify the color depth to be used by the remote desktop. You can select from the following bits-per-pixel settings:

   15

   16

   24

11. Select OK.

   The remote desktop connection is added to the Terminal Server Client window, as follows:

Figure 8-14: New tsclient Connection

At this point, you can open the remote connection by double-clicking the icon in the Terminal Server Client window. When you do, the remote desktop is displayed in an rdesktop window, as shown below:

Figure 8-15: RDP Session Created with tsclient

Exercise 8-2

Access Remote Desktop

In this exercise, you will establish an RDP connection between your host workstation and the DA-SLED workstation.
You will find this exercise in the workbook.
(End of Exercise)

Objective 4

Troubleshoot Common Nomad Problems

From time to time, you may run into issues with Nomad that you need to troubleshoot. Most of the issues experienced with Nomad fall into two categories:

Verifying that xrdp is Running on the Sender on page 307

Verifying that Port 3389 is Open on page 307

Verifying that xrdp is Running on the Sender

If you experience difficulties establishing an RDP connection, first verify that the xrdp daemon is running on the sender. Do the following:

1. Verify that the xrdp package is installed on the server system providing the remote desktop.

2. Verify that the xrdp daemon is running on the server by entering rcxrdp status at the shell prompt.
   If the daemon isn't running, start it manually by running rcxrdp start as root at the shell prompt.

3. Notice that two processes should be running after starting the xrdp service:

   xrdp

   xrdp-sesman

   If one of them fails to start, you can try starting these processes manually in the foreground. This will allow you to view error messages that will likely tell you what is wrong.
   To start the processes manually, run the following commands at the shell prompt as root:
   /usr/sbin/xrdp-sesman -n
   /usr/sbin/xrdp -nodaemon

4. Check the xrdp-sesman output in the /var/log/xrdp-sesman.log file and the xrdp output in the /var/log/messages file for error messages.

Verifying that Port 3389 is Open

Another common issue is a firewall that is not configured to allow traffic through on port 3389. Check your firewall configuration and make sure TCP port 3389 is open. Open it only toward the networks that need RDP access: the port presents a login prompt to everyone who can reach it, so do not open it on interfaces facing untrusted networks unless that is intended.
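The two checks above in scripted form, added here as an example; it is not part of the Novell manual or of the xrdp project. It assumes the firewall is SuSEfirewall2 with its configuration in /etc/sysconfig/SuSEfirewall2 (variable FW_SERVICES_EXT_TCP), that netstat is available for the listener check, and, in the sample output, that xrdp-sesman listens on its default port 3350. The function xrdp_check_live runs the real commands on the sender; the other three work on captured output, so they can be tried offline.

```shell
#!/bin/sh
# Added example, not from the Novell manual: scripted form of the two
# troubleshooting checks (xrdp daemons running, TCP port 3389 open).
# Assumptions beyond the text: SuSEfirewall2 with its configuration in
# /etc/sysconfig/SuSEfirewall2 (FW_SERVICES_EXT_TCP), netstat available,
# xrdp-sesman on its default port 3350.

XRDP_PORT=3389

# Both daemons must be present in a list of process names (one per line),
# as produced by: ps -eo comm=
xrdp_daemons_present() {
    printf '%s\n' "$1" | grep -qx 'xrdp' &&
        printf '%s\n' "$1" | grep -qx 'xrdp-sesman'
}

# A listener on $XRDP_PORT must appear in "netstat -tln" output
# (columns: Proto Recv-Q Send-Q Local-Address Foreign-Address State).
xrdp_port_listening() {
    printf '%s\n' "$1" | awk -v port="$XRDP_PORT" '
        $1 ~ /^tcp/ && $4 ~ (":" port "$") && $6 == "LISTEN" { found = 1 }
        END { exit !found }'
}

# Only interfaces in the external zone are governed by FW_SERVICES_EXT_TCP;
# the port may be listed by number or by its /etc/services name (ms-wbt-server).
xrdp_port_in_fw_config() {
    services=$(sed -n 's/^FW_SERVICES_EXT_TCP="\(.*\)"/\1/p' "$1" | tail -n 1)
    for entry in $services; do
        case "$entry" in
            "$XRDP_PORT"|ms-wbt-server) return 0 ;;
        esac
    done
    return 1
}

# Live run on the sender (needs root for rcxrdp and the log files).
xrdp_check_live() {
    rpm -q xrdp >/dev/null 2>&1 || { echo "xrdp package is not installed"; return 1; }
    rcxrdp status
    if xrdp_daemons_present "$(ps -eo comm=)"; then
        echo "xrdp and xrdp-sesman are running"
    else
        echo "one of xrdp / xrdp-sesman is missing; start them in the foreground:"
        echo "  /usr/sbin/xrdp-sesman -n"
        echo "  /usr/sbin/xrdp -nodaemon"
        tail -n 20 /var/log/xrdp-sesman.log
        grep xrdp /var/log/messages | tail -n 20
    fi
    if xrdp_port_listening "$(netstat -tln)"; then
        echo "TCP port $XRDP_PORT is listening"
    else
        echo "nothing is listening on TCP port $XRDP_PORT"
    fi
    if xrdp_port_in_fw_config /etc/sysconfig/SuSEfirewall2; then
        echo "port $XRDP_PORT is allowed through SuSEfirewall2 for the external zone"
    else
        echo "port $XRDP_PORT is not in FW_SERVICES_EXT_TCP; clients outside the host will be blocked"
    fi
}

# Run the live checks only when asked to, so the file can also be sourced.
if [ "${1:-}" = "--live" ]; then
    xrdp_check_live
fi
```

Run it as root on the sender with the --live argument. A listener that is present while the firewall check fails is the classic case behind the second troubleshooting item: the daemons are fine, the packets never reach them.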


Summary

The following is a summary of what you learned in the course objectives.

Objective: Describe How Nomad Works
What You Learned: Nomad lets you remotely access system desktops from various physical locations, allowing you to remotely control and administer the system. Nomad can also share desktops for collaboration or training purposes.
Nomad ships with SUSE Linux Enterprise Server 11. It consists of the following core components:
   Proxy X Server
   Session Manager
   Connection Handle
   Client Program
   Compositing Manager Extensions

Objective: Install and Configure Nomad
What You Learned: The system providing the remote desktop needs to have the xrdp package installed. The system where the remote desktop will be displayed needs to have the rdesktop package installed.

Objective: Access Desktops Remotely with Nomad
What You Learned: As soon as xrdp is running and port 3389 is open on the RDP server, you can use an RDP client to establish a remote connection from your local computer. This can be done using two different utilities on SLED 11:
   rdesktop
   tsclient

Objective: Troubleshoot Common Nomad Problems
What You Learned: Most of the issues experienced with Nomad fall into two categories:
   Verifying that xrdp is running on the sender
   Verifying that port 3389 is open


SECTION 9

Use Multimedia on the SUSE Linux Enterprise Desktop 11

This section introduces some multimedia features of SUSE Linux Enterprise Desktop 11. Desktop administrators are often also responsible for help desk tasks, so it is useful to know these applications.
Section Objectives

In this section, you learn how to do the following:

1. Use Banshee on page 310

2. Use Moonlight on page 319


Objective 1

Use Banshee
Banshee is a GNOME media management and playback application that lets you:

Import CDs

Sync your music and video collection to an iPod or other digital audio player

Play music directly from an iPod (or other digital audio player)

Create playlists with songs from your library

Create audio and MP3 CDs from subsets of your library

Subscribe to, download, and listen to your favorite podcasts

Banshee also supports streaming audio through its Internet Radio plug-in.
The first time you open Banshee, the Music Library window opens, ready to import music and videos or to add Internet radio stations.
NOTE: You can find free and open music, for example, at Open Music Contest.org (http://www.openmusiccontest.org/) or on the partner sites of the Open Music Source project (http://www.openmusicsource.net/partnersites/).
Figure 9-1: Banshee Media Player

In this objective you will learn how to

Import Music on page 311

Play Your Music on page 313

Rip Your Music on page 314

Listen to Internet Radio on page 315

Listen to Podcasts on page 316

Use Banshee on page 318

Import Music

Banshee can import music from a file, folder, CD, or an alternate music source (such as a digital audio player). The Media menu has two import entries:

Import Media on page 311

Import Playlist on page 312

Import Media

When you select Media > Import Media, a dialog appears.

Figure 9-2: Import Media

You can choose one of three import sources:

Local Folder

Local Files

Home Directory

If you have an iPod (or another digital audio player) connected, it also appears in the pull-down menu.
When you click Import Media Source, you can select the folders or files you want to import. The files appear in your music library.

Figure 9-3: Banshee with Imported Files

Import Playlist

Once you have music files imported into your music library, you can create a playlist by selecting Media > New Playlist. An entry named New Playlist appears in the Music Library folder in the left Banshee frame.
Audio files can be added to a playlist by right-clicking the file and selecting Add to Playlist.
When you right-click a playlist in the left frame, you can rename the playlist and you can export it.

Figure 9-4: Export a Playlist

An exported playlist can be imported via Media > Import Playlist.


Play Your Music

To play a song, simply select the song in the library and click the play button in the upper left corner. Alternatively, you can double-click the song entry.
To play a playlist or an album, select the playlist (or album) and click the play button.

Figure 9-5: Navigation Buttons

Use the other buttons in the upper left corner to pause a song or play the next or previous song. You can also use the items on the Playback menu to repeat or shuffle songs. Use the loudspeaker button on the right to adjust the volume.

Figure 9-6: Volume Control Icon

Banshee also has an integrated CD player. When you insert a music CD, the CD title appears in the left panel. Select the title and click the play button to play the whole CD.
The following features are useful when listening to music:

Notification Area Icon on page 313

Music Recommendations on page 314

Notification Area Icon

You can keep Banshee hidden in the system tray when you are not interacting with it
by minimizing the Banshee window. You will only see pop-up bubbles identifying
the current song when track changes happen.
If you move the mouse pointer over the icon, you get some song information
displayed.

Figure 9-7: Banshee Icon in System Tray

If you do not want to see these pop-ups, select Edit > Preferences > Extensions >
Notification Area Icon > Disable.
Music Recommendations

Banshee automatically recommends music that you might like, based on the currently
playing song. It finds artists and popular songs that people with similar musical tastes
enjoy.
Figure 9-8: Banshee's Recommendations

If you do not want to receive recommendations, click View, then deselect Show
Recommendations.

Rip Your Music

To rip music from a CD and add it to your library, insert a CD into your CD or DVD drive. Banshee automatically lists the CD as a source on the left sidebar.

Figure 9-9: Banshee Discovered the French Audio CD Dans ma chair

Select the CD title in the source list on the left, then click Import CD in the upper right corner.

Figure 9-10: Import an Audio CD

Listen to Internet Radio

You can use Banshee to listen to Internet radio stations and streaming audio.
The configured Internet radio stations are shown under Radio in the left frame.
To add an Internet radio station, right-click Radio in the left frame and select Add Station from the pop-up menu. A dialog appears.

Figure 9-11: Add a New Internet Radio Station

At a minimum, you have to enter the following:

Genre

Name

URL

Enter this information in the Add New Radio Station dialog, then click Save.


Listen to Podcasts

Banshee lets you subscribe to, download, and listen to your favorite podcasts. Podcasting is a form of audio blogging where users subscribe to a feed of shows, and the show's episodes are downloaded and managed for offline listening.
The configured podcasts are shown under Podcasts in the left frame.
To add a podcast, right-click Podcasts in the left frame and select Subscribe to Podcast from the pop-up menu. A dialog appears.

Figure 9-12: Subscribe to a Podcast

Enter the URL of the podcast you want to subscribe to.


Select from the pull-down menu what happens when new episodes of this podcast are
available. Possible options are the following:

Download all episodes

Download the most recent episode

Let me decide which episodes to download

Click Subscribe, and the new podcast is added to your list.

To listen to a podcast, select Podcasts in the left frame; then double-click the podcast you want to listen to.
To update a podcast, right-click Podcasts in the left frame and select Update Podcasts.

Figure 9-13: Update All Podcasts

NOTE: Novell's podcasts are called Novell Open Radio (http://www.novell.com/company/podcasts/).


Exercise 9-1

Use Banshee

In Task I of this exercise you add some audio files to your music library. In Task II you create your personal playlist, and in Task III you subscribe to a Novell Open Radio podcast.
You will find this exercise in the workbook.
(End of Exercise)

Objective 2

Use Moonlight

Moonlight is an open source implementation of Microsoft's Silverlight (http://silverlight.net/). The goal of Moonlight is to run Silverlight applications on Linux and to provide a Linux software development kit for Silverlight.
Microsoft Silverlight is a cross-platform Web browser plug-in for .NET based multimedia and interactive Web applications.
Moonlight is part of the Mono Project (http://www.mono-project.com/Moonlight).
SLED 11 includes Moonlight 1.0, which is compatible with Silverlight 1.0 and scriptable with the Web browser's JavaScript. Moonlight 1.0 is the first Moonlight release that uses Microsoft's Media Pack 1.0 for playing back video and audio.
NOTE: Microsoft is already offering Silverlight 2, and the Moonlight team plans to be compatible with Silverlight 2 by the end of 2009.

Once you open a Web page including video or audio content created with Silverlight, Moonlight prompts you to install the Microsoft Media Pack for Moonlight, available from Microsoft.

Figure 9-14: Install Microsoft Media Pack

After clicking Install Codecs, you have to accept the license of the Microsoft Media Pack.

Figure 9-15: License of the Microsoft Media Pack

If no errors occur, the following message will appear.

Figure 9-16: Successful Installation of Microsoft Media Pack


Exercise 9-2

Use Moonlight

In this exercise, you test the Moonlight capabilities (Task I) and install the Microsoft Media Pack to view Silverlight videos (Task II).
(End of Exercise)


Summary

The following is a summary of what you learned in the course objectives.

Objective: Use Banshee
What You Learned: In this objective you learned how to
   Import Music on page 311
   Play Your Music on page 313
   Rip Your Music on page 314
   Listen to Internet Radio on page 315
   Listen to Podcasts on page 316
Novell's podcasts are called Novell Open Radio (http://www.novell.com/company/podcasts/).

Objective: Use Moonlight
What You Learned: Moonlight is an open source implementation of Microsoft Silverlight. Microsoft Silverlight is a cross-platform Web browser plug-in for .NET based multimedia and interactive Web applications. Moonlight is part of the Mono Project. SLED 11 includes Moonlight 1.0, which is compatible with Silverlight 1.0. Moonlight 1.0 uses Microsoft's Media Pack 1.0 for playing back video and audio.


SECTION 10

Configure Email

In this section, you learn how to configure email client software on SLED 11 to work with several popular email servers.

Section Objectives

In this section, you learn how to do the following:

1. Configure the Evolution Email Client on SLED 11 on page 324

2. Configure the GroupWise Client on SLED 11 on page 354

Objective 1

Configure the Evolution Email Client on SLED 11


In this objective, you learn how the Evolution email client works and how to
configure it to work with several popular mail servers. The following topics are
addressed:

The Role and Function of Evolution on page 324

Configuring Evolution on page 324

Using Evolution on page 337

Integrate Evolution with Microsoft Exchange on page 353

The Role and Function of Evolution


Evolution is a powerful email client included with SLED 11. Evolution makes
storing, organizing, and retrieving your personal and business communications easy,
allowing you to work and collaborate effectively with others.
Evolution is a highly evolved groupware program. It handles email, contacts, and
calendars. It also includes advanced features such as search folders. Search folders
look like ordinary email folders, but they allow you to save searches instead.
Evolution can be configured to work with a variety of different mail and news
servers. Some of these are listed below:

Novell GroupWise

Microsoft Exchange

POP3/IMAP-compatible mail servers

Local delivery

USENET News

Configuring Evolution
Before you can use the Evolution client to manage your communications, you must
first configure it to work with your mail server. The first time you run Evolution, the
Setup Assistant is displayed. This utility allows you to do the following:

Configure how Evolution will operate.

Set up email accounts.

Import data from other applications.

When you configure Evolution, it creates a new hidden directory in your home directory named .evolution. This is the directory where Evolution stores all of its local data, including downloaded mail and cached server data, so treat it like a mailbox and keep it readable only by your own user account.
If you need to modify an account in Evolution after completing the Setup Assistant,
you can select Edit > Preferences > Mail Accounts in the Evolution window. Select
the account you want to change and then select Edit.


To configure Evolution, do the following:

1. Log into your SLED 11 workstation with your user account.

2. Start the Evolution client by selecting Computer > Evolution.

   You can also start Evolution by entering evolution at the shell prompt.

3. In the Welcome screen, select Forward.

   The following is displayed:

Figure 10-1: Restoring Evolution from Backup

4. Do one of the following:

   If you want to restore Evolution from a backup file, mark Restore Evolution from the Backup File, then select the appropriate Evolution archive from the drop-down list.

   If you are setting up a new Evolution account, select Forward.

   The following is displayed:

Figure 10-2: Configuring Your Identity

5. In the Identity screen, enter the following information:

   Full name: Enter your name.

   Email Address: Enter your email address.

   (Optional) Make This My Default Account

   (Optional) Reply-To: Enter your reply-to email address.

   (Optional) Organization: Enter your organization name.

6. Select Forward.

   The following is displayed:

Figure 10-3: Configuring the Email Server

7. In the Server Type drop-down list, select your email server.

   You can select from the following:

   Novell GroupWise: Select this option if you want to connect to a Novell GroupWise server.

   Microsoft Exchange: Select this option if you want to connect to a Microsoft Exchange server. You can use this option to connect to Microsoft Exchange 2000 or 2003.
   NOTE: To use Evolution with an Exchange 2007 server, select Exchange MAPI from the Server Type drop-down list.

   IMAP: Select this option if your email server supports the IMAP protocol. IMAP allows you to leave your messages on the mail server.

   IMAP4rev1: Select this option if your email server supports the IMAP4rev1 protocol.

   POP: Select this option if your email server supports the POP3 protocol. By default, POP downloads your messages to your local system and deletes them from the server (you can change this with the Leave Messages on Server receiving option).

   USENET News: Select this option if you want to connect to a news server and download a list of available newsgroups.

   Local Delivery: Select this option if you want to move messages from your local mail spool and store them in your home directory. If you select this option, you need to provide the path to the mail spool you want to use.
   NOTE: If you want to leave mail in your system's spool files, use the Standard Unix Mbox Spool option instead.

   MH Format Mail Directories: Select this option if you download your email using mh or another MH-style program. If you select this option, you need to provide the path to the mail directory you want to use.

   Maildir Format Mail Directories: Select this option if you download your mail using Qmail or another maildir-style program. You need to provide the path to the mail directory you want to use.

   Standard Unix Mbox Spool or Directory: Select this option if you want to read and store mail in the mail spool on your local system. If you choose this option, you need to provide the path to the mail spool you want to use.

   None: Select this option if you do not plan to access mail with this account. No configuration options exist.

   The next screen displayed will vary based on the server type you selected.
8. If you selected Novell GroupWise, the following screen is displayed:

Figure 10-4: Configuring GroupWise Server Settings

   Configure the following parameters:

   Server: Enter your GroupWise server's IP address or DNS name.

   Username: Enter your GroupWise username.

   Use Secure Connection: Select one of the following, as appropriate for your network:

   No Encryption

   TLS Encryption

   SSL Encryption

   Choose TLS or SSL Encryption whenever the server supports it; with No Encryption your password and your mail cross the network in clear text.

9. If you selected Microsoft Exchange, the following screen is displayed:

Figure 10-5: Configuring Exchange Settings

   Configure the following settings:

   Username: Enter your Exchange username.

   OWA URL: Enter your Outlook Web Access (OWA) URL. Use an https:// URL so that your login is not sent in clear text.

   Mailbox: If the mailbox path is different from the username, enter the mailbox path as well.

10. If you selected IMAP or POP, the following screen is displayed:

Figure 10-6: Configuring POP or IMAP Settings

   Configure the following parameters:

   Server: Enter your POP or IMAP server's IP address or DNS name.

   Username: Enter your username.

   Use Secure Connection: Select one of the following, as appropriate for your server:

   No Encryption

   TLS Encryption

   SSL Encryption

   TLS Encryption upgrades the connection on the standard port (143 for IMAP, 110 for POP) with STARTTLS; SSL Encryption connects to the dedicated SSL port (993 for IMAP, 995 for POP). Prefer one of the two over No Encryption whenever the server supports it, and do not accept a certificate warning without checking why the certificate failed to verify.
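Before choosing between No Encryption, TLS Encryption and SSL Encryption, ask the server what it supports. The following script is an added example, not part of the Novell manual or of Evolution. It assumes the standard ports 143/993 for IMAP and 110/995 for POP, that nc and openssl are installed on the workstation, and that TLS Encryption in Evolution means STARTTLS on the plain port while SSL Encryption means the dedicated SSL port. The three parsing functions work on captured server responses, so they can be exercised offline; probe_server contacts a live server.

```shell
#!/bin/sh
# Added example, not from the Novell manual: which "Use Secure Connection"
# setting an IMAP or POP account can use, derived from what the server
# advertises, plus a certificate check for the SSL ports.
# Assumptions beyond the text: ports 143/993 (IMAP) and 110/995 (POP),
# nc and openssl available on the workstation.

# Join a captured response into one upper-case line with single spaces,
# with brackets removed so "[CAPABILITY ... STARTTLS]" matches too.
_flatten() {
    printf ' %s ' "$1" | tr '\r\n\133\135' '    ' | tr -s ' ' | tr '[:lower:]' '[:upper:]'
}

# $1: the "* CAPABILITY ..." reply an IMAP server sends on port 143.
# Prints the Evolution setting to use:
#   TLS   STARTTLS is offered: choose "TLS Encryption"
#   SSL   no STARTTLS and LOGINDISABLED: plain login is refused, so only
#         "SSL Encryption" on 993 can work
#   NONE  no STARTTLS and plain login accepted: only "No Encryption" works
#         on 143, which sends the password in clear text
imap_advice() {
    caps=$(_flatten "$1")
    case "$caps" in
        *" STARTTLS "*)      echo TLS ;;
        *" LOGINDISABLED "*) echo SSL ;;
        *)                   echo NONE ;;
    esac
}

# $1: the reply to CAPA from a POP3 server on port 110.
#   TLS   STLS is offered: choose "TLS Encryption"
#   NONE  no STLS: use "SSL Encryption" on 995 if the server has it
pop_advice() {
    caps=$(_flatten "$1")
    case "$caps" in
        *" STLS "*) echo TLS ;;
        *)          echo NONE ;;
    esac
}

# $1: output of "openssl s_client -connect host:port". Prints the numeric
# "Verify return code"; 0 means the certificate chains to a trusted CA.
# Anything else (for example 18 for a self-signed certificate) is what
# makes Evolution show a certificate warning.
tls_verify_code() {
    printf '%s\n' "$1" | sed -n 's/^ *Verify return code: \([0-9]*\).*/\1/p' | tail -n 1
}

# Live probe: needs network access to the server, sends no credentials.
probe_server() {
    host=$1
    echo "IMAP 143: $(imap_advice "$(printf 'a1 CAPABILITY\r\na2 LOGOUT\r\n' | nc -w 5 "$host" 143)")"
    echo "POP  110: $(pop_advice "$(printf 'CAPA\r\nQUIT\r\n' | nc -w 5 "$host" 110)")"
    for port in 993 995; do
        out=$(openssl s_client -connect "$host:$port" </dev/null 2>&1)
        echo "SSL $port: verify return code $(tls_verify_code "$out")"
    done
}

if [ "${1:-}" = "--probe" ] && [ -n "${2:-}" ]; then
    probe_server "$2"
fi
```

Run it with --probe and the server name from the Server field. A result of NONE on 143 together with a non-zero verify code on 993 means the only working choices are insecure ones; that is something to fix on the server, not to work around in the client.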

11. After configuring the settings specific to your server type, select Forward.

   The screen displayed next depends upon which server type you selected. For example, if you selected Microsoft Exchange, the following is displayed:

Figure 10-7: Configuring Exchange Receiving Options

   Do one of the following:

   If you're connecting to an Exchange server, configure the following receiving options:

   (Optional) Specify whether you want Evolution to automatically check for new mail. If you select this option, you also need to specify how often Evolution should check for new messages.
   (Optional) Specify the Global Catalog server name in the Global Catalog Server Name field.
   Specify whether you want to limit the number of Global Address List (GAL) responses.
   Specify your authentication type.
   Specify whether you want to allow browsing of the GAL until the download limit is reached.
   If you want Evolution to warn you before your password expires, specify the warning period.
   Specify whether you want to automatically synchronize the account locally.

Specify whether you want to apply filters to new messages in the inbox.

Specify whether you want to check new messages for Junk contents.

If youre connecting to a Novell GroupWise server, configure the following


receiving options:

Specify whether you want to check for new messages in all folders.
Specify whether you want to apply filters to new messages in the Inbox
on the server.
Specify whether you want to check new messages for Junk content.
Specify whether you want to only check for Junk messages in the Inbox
folder.
Specify whether you want to automatically synchronize remote mail
locally.
Enter your POA SOAP port in the Post Office Agent SOAP Port field.

If youre connecting to the mail server via IMAP, configure the following
receiving options:

Specify whether you want Evolution to automatically check for new


mail. If you select this option, you also need to specify how often
Evolution should check for new messages.
Specify whether you want Evolution to show only subscribed folders.
Select if you want Evolution to override server-supplied folder
namespaces.

Specify whether you want to apply filters to new messages in the Inbox.
Specify whether you want to check new messages for Junk content.
Specify whether you want Evolution to automatically check for new mail. If you select this option, you also need to specify how often Evolution should check for new messages.
Specify whether you want to check for Junk messages in the Inbox folder.
Specify whether you want to automatically synchronize remote mail locally.

If you're connecting to the mail server via POP, configure the following:

Specify whether you want Evolution to automatically check for new mail. If you select this option, you also need to specify how often Evolution should check for new messages.
Specify whether you want to leave messages on the server.
Specify whether you want to disable support for all POP3 extensions.

12. When you're done configuring your receiving options, select Forward.

The following is displayed:

Figure 10-8 Configuring the Account Name

13. When you have completed Step 1 to Step 12, enter an account name of your choosing in the Name field; then select Forward.

Figure 10-9 Setting Your Time Zone

14. After you have selected Forward, select your time zone from the drop-down list displayed; then select Next.


15. Select Apply to complete your mail client configuration.

When you do, the Evolution client opens and logs into your server, as shown in
the following:

Figure 10-10 Viewing Your Inbox in Evolution

If you need to add another account in Evolution after completing the Setup Assistant,
select Edit > Preferences > Mail Accounts in the Evolution window. The following
is displayed:

Figure 10-11 Viewing Evolution Accounts

Select Add. When you do, the Evolution Account Assistant is displayed, allowing
you to add a new account in the same manner as discussed previously.

Using Evolution
Once you're done creating your mail accounts in Evolution, you are ready to use it to manage your communications. Evolution is similar to other email clients. For example:


Evolution can send and receive email in HTML or as plain text and makes it easy
to send and receive multiple file attachments.

Evolution supports multiple email server types including GroupWise, Exchange, IMAP, and POP3 as well as local mbox or mh spools and files created by other email programs.

Evolution can sort and organize your email in a wide variety of ways with
folders, searches, and filters.

Evolution lets you guard your privacy with encryption.


However, Evolution differs from other email programs in essential ways. First, it's built to handle very large amounts of mail. The junk email, message filtering, and searching functions are designed for speed and efficiency.
In addition, Evolution includes search folders that provide you with an advanced organizational feature not found in most email clients. If you get a lot of email or if you need to retain every message you receive, you'll find this feature especially useful.
In this part of this objective, the following topics are addressed:
In this part of this objective, the following topics are addressed:

The Evolution Interface on page 338

Managing Email on page 339

Managing Folders on page 341

Managing Your Calendar on page 344

Managing Contacts on page 347

Managing Tasks on page 349

The Evolution Interface

The Evolution interface is composed of the following elements:

Figure 10-12 The Evolution Interface

These elements are described in the following:


Menu Bar: Gives you access to nearly all of Evolution's features.


Folder List: Gives you a list of the available folders for each account. To see the
contents of a folder, select the folder name, and the contents are displayed in the
message list.

Toolbar: Gives you fast access to frequently used features.

Search Tool: Lets you search for items in either the current account or in all
accounts. You can filter emails, contacts, calendar entries, and tasks using
different criteria. The Search Tool can also save frequently used searches in a
search folder.

Message List: Displays a list of messages you have received. To view an item in
the preview pane, select it in the message list.

Preview Pane: Displays the contents of the item selected in the message list.

Shortcut Bar: Lets you switch between folders. At the bottom of the shortcut bar
you will find tool buttons that let you switch tools; and above that you will find a
list of all the available folders for the current tool. If you have the Evolution
Connector for Microsoft Exchange installed, you have an Exchange button in
addition to buttons for the other tools.

Managing Email

Evolution allows you to send and receive email messages. To send a new message, do
the following:
1. Select the down-arrow next to New; then select Mail Message.
The following is displayed:

Figure 10-13 Creating a New Message

2. Enter the following:
To: Enter the address of the recipient.
Subject: Enter a subject line for the message.
Body: Enter the text of the message.
3. Select Send.

To read a received message, select the appropriate folder; then select the message from the list displayed. An example is shown below:

Figure 10-14 Reading Received Mail

Managing Folders

Evolution allows you to sort and manage your mail items using folders. To manage
your folders, simply right click an existing folder; then select from the following
options:

New Folder: Creates a new folder or subfolder in the same location.

Copy: Copies the folder to a different location. Evolution offers a choice of locations to copy the folder to.

Move: Moves the folder to another location.

Delete: Deletes the folder and all contents.

Mark Messages As Read: Marks all the messages in the folder as read.

Rename: Lets you change the name of the folder.

Refresh: Refreshes the folder.

Disable: Disables the folder.

Properties: Displays the number of total and unread messages in a folder. If the
folder is a remote folder, you can also copy the folder to your local system for
offline access.

These options are shown below:

Figure 10-15 Managing Folders in Evolution

You can also rearrange folders and messages by dragging and dropping them. As in other mail clients, a folder's label is displayed in bold whenever new mail arrives, along with the number of new messages.
You can also save a search in a search folder. To do this, do the following:
1. Enter your search terms in the Search field.
2. Select Search > Create Search Folder From Search.
The following is displayed:

Figure 10-16 Creating a Search Folder

3. Enter a name in the Rule Name field.
4. Configure your rule criteria. For example, you could specify that the subject contains a certain user name or that the subject contains a certain term. Rule elements include the following:
Email element (e.g., Sender, Subject, Message Body)
Relation (e.g., contains, is, starts with)
String
You can add additional rule criteria. You can specify that any or all criteria must evaluate as true for the rule to be applied.
5. Specify which folders should be searched.
6. Select OK.

The new search folder is added to your list of search folders, and its contents are
automatically generated, as shown below:

Figure 10-17 Using Search Folders

Managing Your Calendar

In addition to managing email, you can also use Evolution to manage your calendar. To begin using the calendar, select Calendars. By default, your personal calendar is displayed with today's date selected, as shown below:

Figure 10-18 Viewing Calendars in Evolution

The Calendar interface is composed of the following elements:

Appointment List: Displays all your scheduled appointments.

Month Pane: Displays a small calendar. You can also click and drag to select a
range of days in the month pane to display a custom range of days in the
appointment list.

Tasks: Displays your tasks. Tasks are similar to appointments in that they are assigned to a user. However, unlike an appointment, tasks generally don't have a time or date associated with them. You can see a larger view of your task list by selecting Tasks in the shortcut bar.

Memos: Displays a list of notes in the form of memos. Memos, like tasks, don't have times or dates associated with them. You can see a larger view of your Memo list by selecting Memos in the shortcut bar.

To create a new calendar item, do the following:


1. Select New; then select one of the following:
Appointment: Select this option to set up a personal appointment.
Meeting: Select this option to set up an appointment with yourself and other users.
The following is displayed:

Figure 10-19 Creating a New Meeting

2. Add the desired attendees from your address book. Note that you can assign attendees to the following roles:
Chair Person
Required Participant
Optional Participant
Resources
3. Enter a summary for the meeting.
4. Specify the location of the meeting.
5. Specify the date and time of the meeting.
6. Enter a description of the meeting.
7. Select Save > Send.

The appointment is added to your calendar, as shown below:

Figure 10-20 Viewing Appointments in the Calendar

Managing Contacts

Evolution is also a powerful contact manager. The Evolution Contacts tool provides
address book functionality. Evolution can synchronize with Palm OS devices and use
LDAP address books across the network.
To use the Contacts tool, select Contacts in the shortcut bar. The following is
displayed:

Figure 10-21 Managing Contacts

By default, all of your contacts are displayed in alphabetical order using a minicard-style view. You can select other views, such as List View or By Company, from the View menu. You search contacts in the same way that you search mail folders, using the Search tool on the right side of the toolbar.
You can create a new contact by right-clicking the list of contacts and selecting New Contact. The following is displayed:

Figure 10-22 Adding a New Contact

Fill out the appropriate fields; then select OK. You can also create a new contact by opening a sent or received item in a folder and right-clicking on it.
Managing Tasks

Evolution can also be used to manage tasks. To view your tasklist, select Tasks in the
shortcut bar. The following is displayed:

Figure 10-23 Viewing Tasks

To create new tasks, do the following:

1. Select New; then select one of the following:
Task: Select this option to create a personal task.
Assigned Task: Select this option to create a task for another user.

Figure 10-24 Creating a New Task

2. Add the desired users from your address book. Note that you can assign users to the following roles:
Chair Person
Required Participant
Optional Participant
Resources
3. Enter a summary for the task.
4. Specify the date and time for the task.
5. Enter a description of the task.
6. Select Save > Send.

The task is added to your list of tasks, as shown below:

Figure 10-25 Viewing Tasks


Exercise 10-1 Integrate Evolution with Microsoft Exchange

In this exercise, you configure the Evolution client on your SLED 11 workstation to
work with an Exchange server.
This exercise is found in your workbook.
(End of Exercise)


Objective 2 Configure the GroupWise Client on SLED 11


In addition to Evolution, you can also install and configure the Novell GroupWise 8
Client on SLED 11.
Novell GroupWise is a robust, dependable messaging and collaboration system that
connects you to your universal mailbox anytime and anywhere. Novell provides
versions of the GroupWise client for the following workstation operating systems:

Windows

Linux

Macintosh

In this objective, you learn how to install and configure the GroupWise 8 Client on
SLED 11. The following topics are addressed:

Installing Novell GroupWise Client for Linux on page 354

Using the GroupWise Client on page 358

Installing Novell GroupWise Client for Linux


To install the GroupWise client on SLED 11, you need to complete the following
tasks:

Meet GroupWise Linux Client System Requirements on page 354

Access the Installation Files on page 354

Install the GroupWise Linux Client on page 355

Meet GroupWise Linux Client System Requirements

To install the GroupWise Linux Client software, your workstation must meet the
following system requirements:

Operating System: SUSE Linux Enterprise Desktop 10 or later

Desktop Manager: KDE or GNOME

Java: Java Virtual Machine (JVM) 1.5 or later

Disk Space: 200 MB of free disk space

Access the Installation Files

Next, you need access to the GroupWise Linux Client installation files. This can be done in a variety of ways.


For example, you can install the GroupWise Linux Client directly from the
installation media. Consider the following options:

Download the GroupWise 8 Linux Client archive file (tar.gz) from http://download.novell.com. At the time this course was written, the following files were available:

gw800_client_linux_multi.tar.gz

gw800_client_linux_en.tar.gz

Use the GroupWise 8 installation media.

Install from the SLED 11 distribution media using YaST.

You can also install the GroupWise Linux Client from the software distribution
directory on your GroupWise server. This is /opt/novell/groupwise/software by
default on a Linux GroupWise Server. You can provide users with access to the
software distribution directory by doing one of the following:

Create an NFS export for your software distribution directory. You can
expose your software distribution directory to end users running Linux
workstations by creating an NFS export.

Create a Samba share for your software distribution directory. You can also expose your software distribution directory to end users running Linux workstations by creating a Samba share.

Define an NCP volume for your software distribution directory. If your GroupWise server is running OES 2 for Linux, you can define an NCP volume for your software distribution directory. To access the volume, your users must have the Novell Client for Linux installed on their workstations.

Install the GroupWise Linux Client

While the GroupWise Client can be installed from many types of installation sources, we're going to focus on installing it with YaST from the SLED 11 installation media. Do the following:

1. Start YaST.
2. Select Software > Software Management.
3. Enter groupwise in the Search field.
4. Double-click the novell-groupwise-gwclient package to mark it for installation, as in the following:

Figure 10-26 Installing GroupWise

5. Select Apply.
Wait while the GroupWise Client is installed.
6. You should see the GroupWise icon added to the Communicate menu when completed, as shown below:

Figure 10-27 GroupWise Client Installed

7. Close YaST.
8. Start the GroupWise Client by selecting the GroupWise icon.
9. Enter the following when prompted:
GroupWise User ID
Password
GroupWise Server Address
An example is shown below:

Figure 10-28 Logging in to GroupWise

10. Log in; the user's GroupWise mailbox is displayed, as shown in the following:

Figure 10-29 The GroupWise Mailbox

Using the GroupWise Client


With the GroupWise client installed, you can now use it to manage your
communications. The following will be discussed in this part of this objective:


Using the Home View on page 359

Managing Your Messages on page 362

Managing Your Calendar on page 364

Managing Your Contacts on page 366

Managing Your Tasks on page 368


Using the Home View

Your main work area in the GroupWise Client is called the Home View, as shown in
the following figure:
Figure 10-30 The Home View

From the Home View, you can do the following:

Read your messages.

Schedule appointments.

View your calendar.

Manage contacts.

Change your GroupWise mode.

Open folders and open documents.

Three panels are displayed by default in the Home view:

Today's calendar

Your tasklist

A list of unread items in your mailbox

A panel is an area of the screen reserved for selected data along with the display
settings for the data. The three default panels are shown:

Figure 10-31 Default Panels in the Home View

Starting with the default layout, you can easily customize your Home View. For
example, you can resize the existing panels or move them by dragging and dropping
them. For more powerful customization options, select the drop-down list in the
upper right corner of any panel:
Figure 10-32 Editing a Panel

When you select Edit in the drop-down list, the following is displayed:

Figure 10-33 Editing a Panel

You can use this screen to do the following:

Configure the name of the panel and the folder displayed in the panel on the
General tab.

Configure display settings for the panel on the Display tab. This tab allows you
to specify the folder view, sort order, column display, item types, date range, and
other settings.

Configure the filter for the panel on the Filter tab. This tab allows you to restrict
the list of items displayed by sender, recipients, subject line, item text,
attachments, category, or other criteria for the panel.

In addition to editing your existing panels, you can also add panels to your Home
View by selecting Add Panel in the drop-down list to add a new panel. The following
is displayed:

Figure 10-34 Adding a Panel

You can add the following panel types:

Predefined: Predefined panels include the following:

Unread Items

Calendar

Summary Calendar

Tasklist

Recent Activity

Other panels you have previously defined

Custom: You can also add a custom panel that you define yourself.

Web: You can add a Web panel that displays a web page within a panel.

Managing Your Messages

As with other email clients, you use the GroupWise Client to send and receive mail
messages. To create a new message, do the following:
1. Select New Message. The following is displayed:

Figure 10-35 Creating a New Message

2. Enter the following:
To: Enter the recipient address.
Subject: Enter a subject line.
Enter the body of the message.
3. Select Send.

To read a received item, double click on the item in the appropriate folder.
You can assign categories to items in your mailbox to organize and sort them. Four
default categories are available for you to immediately assign to items:

Follow-Up

Low Priority

Personal

Urgent

You can modify or delete any of the default categories. You can also create and
customize your own categories. As you do, you can assign each category a unique,
identifying color. When you assign an item to a particular category, the item is
displayed in the color you specified. If you assign one of the default GroupWise 8 categories to an item you are sending, the item arrives in the recipient's Mailbox with that category assigned.


If, on the other hand, you assign a custom category to an item you are sending, the item arrives in the recipient's Mailbox with no category assigned. You can also assign more than one category to an item and specify which category is the primary one. The color of the primary category is used to identify the item. When you reply to an item that has been assigned a category, the same category is assigned to the reply message.
You can assign a category to an item in two ways. First, you can select the item's icon; then select a category from the list displayed, as in the following:

Figure 10-36 Assigning a Category to an Item

The ten most recently used categories are listed. They are displayed alphabetically by
default.
The second option for assigning a category is as follows:
1. Right-click an item; then select Categories.
2. Select a category from the list displayed.
3. (Conditional) If the category you want isn't listed, do the following:
a. Select More to display the Edit Categories dialog box.
b. Select the category; then select OK.
Once applied, you can use categories to search for and sort your items.
Managing Your Calendar

You can also use the GroupWise client to manage your schedule. If you select the
Home view or the Calendar view, your calendar is displayed, as follows:

Figure 10-37 Viewing Your Calendar

In GroupWise 8, you can view your schedule in a variety of views or formats, including the following:

Day

Week

Month

Year

Tasklist

Project planner

Multi-user

To create a new Calendar item, do the following:

1. Select the drop-down arrow next to New Appt.
2. Select one of the following:
Posted Appointment: Use this option to create a personal appointment for yourself.
Appointment: Use this option to create an appointment for yourself and other users.
The following is displayed:

Figure 10-38 Creating a New Calendar Item

3. Enter the following information:
To: Enter the addresses of the contacts you want to send the appointment to.
Place: Enter the location of the appointment.
Start Date: Enter the start date and time of the appointment.
Duration: Configure the duration of the appointment.
Subject: Enter a subject for the appointment.
Message Body: Enter a description of the appointment.
4. Select Send.

Managing Your Contacts

The GroupWise 8 Client can also be used to manage your contacts, both business and
personal.
A Contacts folder provides a convenient view of your address book information. The
Frequent Contacts folder is created automatically for you and is associated with your
Frequent Contacts address book.
When you create a new address book, the new address book is automatically added as
a new Contacts folder. Likewise, when you create a new Contacts folder, a
corresponding personal address book is created automatically.


Any modification you make in a Contacts folder is also made in the corresponding
address book. For example, when you add a new contact to a Contacts folder, it is
added to the corresponding address book.
Two ways to add a new contact exist:

By manually adding a new contact.

By dragging and dropping an item from someone new into a Contacts folder. A
contact record for that person is automatically created.

To manually add a new contact to a Contacts folder, do the following:

1. In the Folder List, select the Contacts folder where you want to add the contact.

2. Select New Contact on the toolbar. The following is displayed:

Figure 10-39: Adding a New Contact

3. Right click the new Contacts folder; then select Properties.

4. Enter the appropriate contact information for the contact.

5. Select OK.


Managing Your Tasks

GroupWise can be used to send, receive, and manage tasks as well as email messages
and calendar items. You can post a task for yourself or accept a task from another
person.
After it is accepted, the task appears on the Calendar on its start date and carries over
to each succeeding day. When the due date is past, the task is displayed in red on the
Calendar. After you finish a task, you can mark it as complete.
If you are the originator of an assigned task, you can have GroupWise send you a
notification when the task is marked as complete. A Completed status, including the
date and time the task was marked as complete, is placed in the Properties window
for the task.
The Tasklist folder is a system folder that is used to keep track of GroupWise tasks
and other items that require action. Think of it as a master list for all of your tasks. A
typical Tasklist folder is shown below:
Figure 10-40: Viewing Tasks in the Tasklist Folder

When you post or accept a task, it automatically appears in the Tasklist folder. In
addition, any email, appointment, task, reminder note, or phone message can also be
placed in the Tasklist folder. For example, you can place an email message in the
Tasklist folder to remind you to act on it.
Items in the Tasklist folder may or may not appear on your Calendar. Only items with
a due date appear on the Calendar. If you want an item in the Tasklist folder to appear
on your Calendar, you must assign that item a due date.
After you have placed an item in the Tasklist folder, you can

Change its position in the Tasklist.

Assign it a due date.

Track its progress by specifying the percent completed.

Mark it as complete.


To create a new item in the Tasklist folder, do the following:

1. Open the Tasklist folder.

2. (Optional) Select the position in the Tasklist where you want to add a new item. For example, if you want the new item to appear after the third Tasklist item, select the existing third item.

3. Do one of the following:

To create a new task that you will assign to another user, select New Task.

To create a posted task for yourself, select the down arrow next to New Task and select Posted Task.

To create a Tasklist item, right click in the Tasklist folder; then select New > Tasklist Item.

The following is displayed:

Figure 10-41: Creating a New Task

4. (Optional) To create a new task, enter the recipients who will receive the task.

5. Specify the start and due dates for the task.

6. Enter a subject and description for the task.

7. Select Send.


In addition, you can also place items in the Tasklist folder by moving items from
other folders. For example, you might receive an appointment for a meeting where
you will give a presentation. You can drag the meeting appointment to your Tasklist
folder to remind you that you need to prepare your presentation.
You can also mark an item to be displayed in the Tasklist folder. If you do this, the
item stays in its original folder, but also appears in the Tasklist folder where you can

Arrange items in the order you want.

Assign due dates.

Mark items as complete.

To mark an item to appear in the Tasklist folder, right click the item and select Show
in Tasklist. You can then mark these items as complete in either the original folder or
the Tasklist folder.
You can also track progress by specifying a completion percentage for any item in
your Tasklist folder. Do the following:
1. Open the desired item in the Tasklist folder.

2. Select the Tasklist tab. The following is displayed:

Figure 10-42: Specifying a Percentage Complete

3. Enter the completion percentage in the % Complete field.

4. Mark Completed if the item is complete.


The completion percentage is automatically saved when you close the item. You can
show completion percentages for items in your Tasklist folder; however, the
% Complete column is not displayed by default. To display the % Complete
column, do the following:

1. Open the Tasklist folder.

2. Right click the column headers in the Tasklist folder and select More Columns.

3. Mark % Complete in the Available Columns list; then select Add.

4. Select Up or Down to move the column to the position you prefer.

5. Select Smaller or Larger to adjust the column width.

6. Select OK.

The column now appears in your Tasklist folder.


Exercise 10-2

Install and Configure the GroupWise Client


In this exercise, you install and configure the GroupWise Client on your SLED 11
workstation.
This exercise is found in your workbook.
(End of Exercise)


Summary
The following is a summary of what you learned in the course objectives.
Objective: Configure the Evolution Email Client on SLED 11

What You Learned: Evolution is a powerful email client included with SLED 11.
Evolution makes storing, organizing, and retrieving your personal and business
communications easy, allowing you to work and collaborate effectively with others.
Evolution is a highly evolved groupware program. It handles email, contacts, and
calendars. It also includes advanced features such as search folders. Search folders
look like ordinary email folders, but they allow you to save searches instead.
Evolution can be configured to work with a variety of different mail and news
servers. Some of these are listed below:

Novell GroupWise

Microsoft Exchange

POP3/IMAP-compatible mail servers

Local delivery

USENET News

Before you can use the Evolution client to manage your communications, you must
first configure it to work with your mail server. The first time you run Evolution,
the Setup Assistant is displayed. This utility allows you to do the following:

Configure how Evolution will operate.

Set up email accounts.

Import data from other applications.

Objective: Configure the GroupWise Client on SLED 11

What You Learned: In addition to Evolution, you can also install and configure the
Novell GroupWise 8 Client on SLED 11.
Novell GroupWise is a robust, dependable messaging and collaboration system that
connects you to your universal mailbox anytime and anywhere. Novell provides
versions of the GroupWise client for the following workstation operating systems:

Windows

Linux

Macintosh

To install the GroupWise Client on SLED 11, you need to complete the following
tasks:

Meet GroupWise Linux Client system requirements.

Access the installation files. This can be done in the following ways:

    Download the GroupWise 8 Linux Client archive file (tar.gz) from
    http://download.novell.com.

    Install from the SLED 11 distribution media using YaST.

    Install the GroupWise Linux Client from the software distribution directory on
    your GroupWise server. This is /opt/novell/groupwise/software by default.

Install the GroupWise Linux Client.


SECTION 11

Create Shell Scripts

Bash scripts play a key role in the administration of SUSE Linux Enterprise 11. All
start scripts in the /etc/init.d/ directory, for instance, are Bash scripts.
As a Linux system administrator, you are often faced with recurring tasks that consist
of commands that have to be called in a certain order. By combining these commands
into a script, you can make your job a lot easier.
This section covers the basic elements of shell scripts to help you understand existing
shell scripts in your Linux system and to help you write shell scripts of your own that
fit your needs.
When writing shell scripts, you usually have many different options to solve a
problem. Please note that our project will not necessarily use the most efficient way
of coding. The purpose here is, first of all, to introduce the elements of Bash scripting
and to use examples that are easily understood.
Objectives

1. Understand Bash Basics on page 376

2. Use Basic Script Elements on page 381

3. Understand Variables and Command Substitution on page 386

4. Use Control Structures on page 390

5. Use Arithmetic Operators on page 399

6. Read User Input on page 402

7. Use Arrays on page 405

8. Finalize the Course Project on page 408

9. Use Advanced Scripting Techniques on page 411

10. Learn about Useful Commands in Shell Scripts on page 415


Objective 1

Understand Bash Basics


The default Linux shell Bash (Bourne Again SHell) can control the system with
commands, perform file operations, or start applications. You can use it interactively
on the command line, or you can create a file that includes several shell commands
and start this file like an application.
Before diving into shell scripting, let's review some of the features of Bash:

Bash Command Line on page 376

Bash Variables on page 378

Return Values on page 379

All the elements covered in this objective for interactive use of Bash can be employed
within shell scripts as well.

Bash Command Line


A command entered on the command line consists of the command and optional
arguments:
geeko@da10:~> cp -a Photos /tmp
geeko@da10:~>

The command prompt, geeko@da10:~>, is on the left. The command cp is
followed by arguments: in this case, the option -a and the parameters Photos and
/tmp. After pressing Enter, the command is executed. If no error message appears, the
command was successful.
Each element in the preceding command line is called a word. A word (also called a
token) is a sequence of characters considered as a single unit by the shell. Words are
separated from each other by spaces, tabs, or one of the following characters: | &
; ( ) < >.
Depending on the type of command or its options, some messages appear on the
screen. Messages that indicate normal or expected behavior are written to file
descriptor 1, Standard Out (stdout), which in interactive use of Bash is connected to
the terminal where you entered the command:
geeko@da10:~> cp -av Photos /tmp
"Photos/vacation/beach.jpg" -> "/tmp/Photos/vacation/beach.jpg"
...

When an error message appears, it is written to file descriptor 2,
Standard Error (stderr), which in interactive use is also connected to the terminal
where you entered the command:
geeko@da10:~> cp -av Fotos /tmp
cp: cannot stat `Fotos': No such file or directory
geeko@da10:~>

Within a terminal, stdout and stderr look the same, but they are indeed
different, as you can see when you redirect them to a file. To redirect stdout to a file,
you use the > operator (or >> to append to a file):


geeko@da10:~> cp -av Photos /tmp > output.txt
geeko@da10:~> cat output.txt
"Photos/vacation/beach.jpg" -> "/tmp/Photos/vacation/beach.jpg"
...

It is also possible to redirect stderr to a file. This is especially useful if there are a lot
of error messages or some error messages in a lot of normal output. Redirecting stderr
allows you to view the messages using a pager like less. To redirect stderr, you use
the 2> operator:
geeko@da10:~> cp -av Fotos /tmp 2> error.txt
geeko@da10:~> cat error.txt
cp: cannot stat Fotos: No such file or directory
geeko@da10:~>

As you can see in both examples, when stdout and stderr are redirected, no output is
written to the terminal.
You can also redirect stdout and stderr to separate files in one command line:
geeko@da10:~> cp -av Fotos Photos /tmp > output.txt 2> error.txt
geeko@da10:~>

It is also possible to redirect stdout and stderr to one file, using the 2>&1 operator
that has to appear after the redirection of stdout on the command line:
geeko@da10:~> cp -av Fotos Photos /tmp > out-err.txt 2>&1
geeko@da10:~>

In addition to stdout and stderr, by default there is a third file descriptor, Standard In
(stdin, file descriptor 0). In interactive use, this is usually connected to the keyboard.
But it can be redirected to a file as well, and the operator to redirect stdin is <:
geeko@da10:~> mail -s "Output and Errors" geeko < out-err.txt
geeko@da10:~>

In Linux, a typical program will open these three file descriptors when it begins:

Standard In, file descriptor 0

Standard Out, file descriptor 1

Standard Error, file descriptor 2

If you want to process the output of one command by another command, you could
write the output of the first program to a file and use that file as input for the second
command, as shown in the preceding example for the mail command. However, you
can use the output of one command directly as the input for another command using
the pipe operator |:
geeko@da10:~> cp -av Fotos Photos /tmp 2>&1 | mail -s "Output and Errors" geeko
geeko@da10:~>

Instead of reading from a file, the shell can be instructed to read from the current
source with a so-called here document, using the << redirector, as illustrated in the
following example:


geeko@da10:~> cat << EOF
> This is printed after
> writing EOF in a single line.
> EOF
This is printed after
writing EOF in a single line.

The text after the cat << EOF line is printed once the same string (EOF in the
example above) appears in a line with no trailing whitespace. This syntax is often
used in scripts to write several lines to the screen.
NOTE: For a full explanation of redirection, see man bash and search for redirection.
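The redirection rules above, worked through as an added example (not code from the manual): a constructed command that writes one line to stdout and one to stderr shows why 2>&1 must follow the > redirection if the errors are to reach the log file, and a here document of constructed rsync and cp error lines stands in for a file as the stdin of grep.

```shell
#!/bin/bash
# Added example, not from the course manual. It shows (1) why the order of
# "> file" and "2>&1" matters and (2) a here document used as stdin.

# Constructed stand-in for a command such as "cp -av Fotos Photos /tmp":
# one line of normal output on stdout, one error line on stderr.
noisy() {
    echo "Photos/vacation/beach.jpg -> /tmp/Photos/vacation/beach.jpg"
    echo "cp: cannot stat 'Fotos': No such file or directory" >&2
}

# Count the lines that ended up in a file (without the padding some wc
# versions print), then remove the file.
count_and_remove() {
    wc -l < "$1" | tr -d ' '
    rm -f "$1"
}

# Right order: stdout is sent to the file FIRST, then "2>&1" makes stderr
# point wherever stdout points now, i.e. the file. Both lines land in the
# file, so this prints 2.
redirect_right_order() {
    out=$(mktemp)
    noisy > "$out" 2>&1
    count_and_remove "$out"
}

# Wrong order: "2>&1" is applied first, so stderr is copied to where stdout
# points AT THAT MOMENT (the terminal in interactive use; here the enclosing
# group's stdout, which is discarded). Only the stdout line reaches the
# file, so this prints 1: the error text never makes it into the log you
# meant to review later.
redirect_wrong_order() {
    out=$(mktemp)
    { noisy 2>&1 > "$out"; } > /dev/null
    count_and_remove "$out"
}

# Separate files for normal output and errors, as in the manual's
# "> output.txt 2> error.txt" example. Prints the two line counts: "1 1".
redirect_separately() {
    out=$(mktemp)
    err=$(mktemp)
    noisy > "$out" 2> "$err"
    echo "$(count_and_remove "$out") $(count_and_remove "$err")"
}

# A here document supplies stdin: grep reads the constructed error lines
# below instead of a file and counts those produced by rsync. Prints 2.
count_rsync_errors() {
    grep -c '^rsync' <<EOF
rsync: mkdir "/backup" failed: Permission denied (13)
rsync error: error in file IO (code 11) at main.c(576) [receiver=3.0.4]
cp: cannot stat 'Fotos': No such file or directory
EOF
}

echo "right order, lines in file: $(redirect_right_order)"
echo "wrong order, lines in file: $(redirect_wrong_order)"
echo "separate files (out err):   $(redirect_separately)"
echo "rsync errors via here doc:  $(count_rsync_errors)"
```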

Bash Variables
A variable is a label assigned to a location in computer memory that holds an item of
data. Bash variables are not typed. They are essentially character strings, but some
arithmetic operations are possible when the variable contains only digits.
Variables can serve different purposes. The following types of variables exist,
although the differentiation is to some extent arbitrary; positional parameters, for
instance, could also be included under shell variables:

Shell Variables on page 378

Positional Parameters on page 378

Environment Variables on page 379

Shell Variables

Shell variables are used to control the behavior of the shell itself. Some of them are
assigned default values by Bash, and some can be assigned values by the startup
scripts Bash reads when it starts (such as /etc/profile or ~/.bashrc). These
include the following:

IFS: Internal Field Separator. A list of characters that separate fields and are used
to determine the beginning and end of a word (token).

PS1: Primary Prompt String. The string that determines what your normal prompt
in a terminal window looks like.

BASH: The full path name used to execute the current instance of Bash.

HISTSIZE: The maximum number of commands kept in the history list.

NOTE: For a full explanation of shell variables, see man bash and search for Shell Variables.

Positional Parameters

When a command or script is called, the $0 parameter is assigned the command or
script name. The first parameter after this is $1, the second $2, and so on. If you
want to refer to all positional parameters, you would use $* (all positional parameters
seen as one single word) or $@ (all positional parameters seen as separate words).
The following should give you an idea how they can be used:
geeko@da10:~> cat script.sh
echo The command itself: "$0"
echo The first parameter: "$1"
echo The second parameter: "$2"
echo All parameters '($*)': "$*"
echo All parameters '($@)': "$@"
geeko@da10:~> ./script.sh first second
The command itself: ./script.sh
The first parameter: first
The second parameter: second
All parameters ($*): first second
All parameters ($@): first second
geeko@da10:~>
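The difference between $* and $@ only becomes visible when a parameter itself contains a space, which the manual's "first second" run cannot show. The following added example (not from the manual) uses the constructed parameters "first second" and third; the function names are this example's own:

```shell
#!/bin/bash
# Added example, not from the course manual: "$*" and "$@" differ only once
# a parameter contains whitespace.

# Print the number of parameters received.
count_args() {
    echo $#
}

# Print each parameter on its own line in brackets, so that word
# boundaries become visible.
show_args() {
    for arg in "$@"; do
        printf '[%s]\n' "$arg"
    done
}

# "$*": all parameters joined into ONE word (separated by the first
# character of IFS, a space by default). Always passes exactly 1 word on.
via_star() {
    count_args "$*"
}

# "$@": every parameter kept as its own word, spaces inside preserved.
# Passes on exactly as many words as it received.
via_at() {
    count_args "$@"
}

# Unquoted $* (or $@): the shell re-splits the result on whitespace and
# also expands glob characters such as * against file names, so a file
# name like "my file.txt" arrives as two parameters. This is the usual
# cause of scripts that break on names with spaces.
via_unquoted() {
    count_args $*
}

printf 'count via "$*":     %s\n' "$(via_star "first second" third)"      # 1
printf 'count via "$@":     %s\n' "$(via_at "first second" third)"        # 2
printf 'count via unquoted: %s\n' "$(via_unquoted "first second" third)"  # 3
printf 'words seen through "$@":\n'
show_args "first second" third
```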

Environment Variables

Every process has an environment consisting of variables that the process may
reference and use to influence its execution. This is true for the shell as well.
Environment variables can be used to regulate the behavior of Bash. They are usually
set by the scripts Bash reads when it starts, including /etc/profile, ~/.bashrc
and others. Environment variables include the following:

USER: User who invoked the shell.

MANDIR: Directories to search for manual pages.

LS_COLORS: Colors used for the output of the ls command.

By default, various environment variables are set. You can view them and their
content with the export and set commands.

Return Values
Every command returns a value to the calling shell that indicates whether the
program terminated normally (return value 0) or with errors (return value not 0).
The return value of the last process run by Bash is stored in the $? variable. Using
the echo command, you can view the content of this variable:


geeko@da10:~> ls -ld Desktop
drwxr-xr-x 2 geeko users 440 13. Jan 15:57 Desktop
geeko@da10:~> echo $?
0
geeko@da10:~> ls -ld abcd
ls: cannot access abcd: No such file or directory
geeko@da10:~> echo $?
2
geeko@da10:~>

Using the return value, you can make the execution of a second command dependent
on the outcome of the first. The operators to use are && (the second command is
executed if the first one returns 0) or || (the second command is executed if the first
command returns a value different from 0).
This command displays the content of the message.txt file if it exists:
test -f message.txt && cat message.txt
This command installs the package sysstat if it is not installed:
rpm -q sysstat || yast2 -i sysstat
Within a script, decisions on how to proceed are frequently based on the return value
of a command.
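Return values and the && / || operators inside a script, as an added example that is not part of the manual: the file it checks is created with mktemp, and the helper names are this example's own. It also shows the pitfall that a && b || c is not an if/else.

```shell
#!/bin/bash
# Added example, not from the course manual: working with return values.

# Run a command, discard its output and print its return value, the way
# "echo $?" does interactively. Prints 0 or the non-zero status.
status_of() {
    "$@" > /dev/null 2>&1 && echo 0 || echo $?
}

# Succeeds (returns 0) only if $1 is a regular file that we may read.
# The status of the last command run, test -r, becomes the function's
# status; if test -f already fails, && stops there and that status is used.
readable_file() {
    test -f "$1" && test -r "$1"
}

# Equivalent of the manual's "test -f message.txt && cat message.txt":
# the file is shown only when it is readable; otherwise nothing runs and
# the non-zero status is passed on to the caller.
show_if_readable() {
    readable_file "$1" && cat "$1"
}

# A common pitfall: "a && b || c" is NOT if/else. If a succeeds but b
# fails, c still runs, because the status of "a && b" is b's status.
and_or_pitfall() {
    true && false || echo "fallback ran although the first command succeeded"
}

# Demonstration on a constructed temporary file.
f=$(mktemp)
echo "hello" > "$f"
echo "status for existing file: $(status_of readable_file "$f")"       # 0
echo "status for missing file:  $(status_of readable_file "$f.none")"  # 1
echo "show_if_readable output:  $(show_if_readable "$f")"              # hello
echo "pitfall: $(and_or_pitfall)"
rm -f "$f"
```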


Objective 2

Use Basic Script Elements


An important but sometimes neglected task is the backing up of files. As shell
scripting is best understood and learned by actually writing scripts, we will develop
in this section a Bash script to back up your home directory.
Usually backups are written to external media like external hard drives or tape drives.
As you probably don't have such a drive at your disposal in your study environment,
in the script we will back up the files to different directories on your hard drive. Once
you have understood the scripting basics covered in this section, you should be able
to adapt what you have learned to other environments, such as your personal backups
at home or the backups in your company to safeguard company information.
To write a simple shell script, you have to understand the following:

Elements of a Shell Script on page 381

A Simple Backup Script on page 382

Debug Options on page 384

Create a Simple Shell Script on page 385

Elements of a Shell Script


A shell script is basically an ASCII text file containing commands to be executed in
sequence. To allow this, it is important that permissions for the script file are set to r
(readable) and x (executable) for the user that runs it.
However, the execute permission is not granted by default to newly created files. To
assign this permission, you need to use a command such as the following:
chmod +x script.sh
NOTE: You can also execute the script from another shell with a command such as the following:
bash script.sh
In this example, it is not necessary to make the script executable.
On SUSE Linux Enterprise 11, /bin/sh is a link to /bin/bash. When invoked as sh
script.sh, some Bash features are not available and your script might not work as intended if it
relies on some of these features.

If you want to be able to run the script by using its name alone, the directory where
the script is located must be listed in the $PATH variable. If there is a bin directory
in the home directory of a user, this directory is included in $PATH by default in
SUSE Linux Enterprise 11.
Shell scripts in a directory that is not listed in $PATH must be started with the full
path name or a relative path name such as ./script.sh.
When naming script files, you should add an .sh extension to the filename. Linux
doesn't require it, but it ensures that the file can easily be recognized by the system
administrator as a shell script.


If you do not add the suffix, you need to make sure the filename is not identical to
an existing command. For example, a common mistake is to name a script test,
which interferes with the test command line tool.
Within a script, empty lines and lines starting with a # character are ignored. The #
character is used to add comments to your script. As a general practice, you should
add a comment in the beginning giving a brief overview what the script is supposed
to do and also add comments throughout your script to explain what a line or section
does. This makes understanding the script easier when you later get back to modify it.
The first line of a script defines the shell used to execute the script. This line is
sometimes referred to as the she-bang line. It is the only line that is interpreted
despite starting with a # character. It has the following syntax:
#!/bin/bash

All subsequent lines of the script are either comments (starting with a # character) or
actual commands.

A Simple Backup Script


The core command that we will use to make the backups is rsync. The rsync
command allows you to copy files efficiently from one directory to another or from
one machine to another over the network. Its main advantage is that when updating a
backup, only the differences between files are copied, not the entire files, speeding up
the update remarkably.
The rsync command can be controlled with various options. Therefore, even if our
script contains only one command, it can save some typing, as you will not need to
type the options each time it is invoked.
What the script is supposed to do is copy the user's home directory to the /backup
directory.
The elements you need are the she-bang line, a comment that explains what the script
does, and the rsync command itself. The script could look like the following:
#!/bin/bash
#
# simple-backup1.sh
# Back up geeko's home directory to /backup using rsync
rsync -a --no-whole-file /home/geeko /backup

The -a (archive) option ensures that permissions are kept and directories are copied
recursively. The --no-whole-file option makes sure that only the changed parts of
files are transferred, rather than whole files being copied. This not only makes a
difference on the initial copy, but also speeds up updates.
When you execute this script, you might get an error similar to the following:


geeko@da10:~/bin> simple-backup1.sh
rsync: writefd_unbuffered failed to write 4 bytes [sender]: Broken pipe (32)
rsync: mkdir "/backup" failed: Permission denied (13)
rsync error: error in file IO (code 11) at main.c(576) [receiver=3.0.4]
rsync: connection unexpectedly closed (9 bytes received so far) [sender]
rsync error: error in rsync protocol data stream (code 12) at io.c(632) [sender=3.0.4]

The reason is that the directory /backup doesn't exist, and, as a normal user, you
are not allowed to create files or directories in /. We will integrate some error
handling later; for now, just create (as root) the directory /backup with the
command
mkdir -m 1777 /backup
and run the script again as a normal user.
When you execute the script, there is no output, which is consistent with the usual
behavior of Linux command line programs: no message means success. However, if
you want to see some information, you can add a message to the script:
#!/bin/bash
#
# simple-backup2.sh
# Back up geeko's home directory to /backup using rsync
echo "Backing up /home/geeko to /backup/"
rsync -a --no-whole-file /home/geeko /backup

The echo command outputs the text enclosed in double quotes to the terminal. The
option -e lets echo interpret backslash sequences. These can be used to format the
output to some extent.
The following is a list of backslash sequences that can be used with echo and what
they output:

\\ Backslash

\a Alert (beep tone)

\b Backspace

\c Trailing new line

\f Form feed

\n New line

\r Carriage return

\t Horizontal tab

\v Vertical tab


Debug Options
It is probably more the exception than the rule that a script does exactly what you
want it to do right away. If it does not do what you want, you have to find the error.
There are several ways you can instruct the shell to output more information that
helps you to find the error:

#!/bin/bash -x: Add -x to the first line of your script.

bash -x script.sh: Start the script in a separate shell with the -x option. The
advantage of this approach is that you don't have to change the script itself.

set -x: Using set -x in the current shell turns on the additional output for all
scripts started from this shell. You can turn this off again with set +x. No
changes to the script itself are necessary.


Exercise 11-1

Create a Simple Shell Script


In this exercise, you create your first shell script.
You will find this exercise in the workbook.
(End of Exercise)


Objective 3

Understand Variables and Command Substitution


Variables are important components of all programming languages. You can
understand variables as containers that hold data. Instead of the data itself, the
variable is used in the program code.
Look at the following example:
#!/bin/bash
#
# variables1.sh
NAME="Geeko"
echo "Hello, my name is $NAME"

The string Geeko is assigned to the variable NAME. Then the variable NAME,
with a $ character in front, is used in the echo command.
There are a few things to be aware of:

When you assign a variable, you use just the name of the variable. When you
access the data of a variable, you put a $ before the variable name.

When you assign data to a variable, no spaces are used between the variable
name, the = character, and the data.

If the string you assign to the variable contains spaces, you need to enclose the
string in quotation marks (""). To ensure proper processing of the spaces, you
should enclose the variable ($NAME in the example above) in quotation marks
as well. If you forget that, you can get unexpected results, as your string might
get processed as several words although you didn't intend that.

The following is the output of the example script above:
geeko@da10:~/bin> variables1.sh
Hello, my name is Geeko

We use $NAME in the echo line, and the variable is replaced with its content.
The advantage of using variables is that you define them at one point and then
use them throughout the rest of the script. If you have to change the variable, you
change it at one point, not throughout the script. With this, you can improve the
backup script by using a variable to hold the user's name, as shown in the following:
#!/bin/bash
#
# variables2.sh
# Back up someone's home directory to /backup using rsync
USERNAME="geeko"
echo -e "Backing up /home/$USERNAME to /backup/"
rsync -a --no-whole-file /home/$USERNAME /backup


Variables can contain not only strings but also numbers. By default, a variable in a
shell script can hold any kind of data. However, it is possible to limit a variable to a
specific type (for example, a string) with the declare command.
So far, we have assigned only static values to variables, but it's also possible to assign
the output of a command to a variable or to use a command directly where the output
is needed. This is called command substitution.
This basically means that the output of a command is used in a shell command line or
a shell script.
In the following example, the output of the date command is used to generate the
output of the current date:
#!/bin/bash
#
#command_subs1.sh
echo "Today's date is $(date +%m/%d/%Y)"

An alternate syntax for the last line includes the use of backticks (` ... `), as shown
below; however, the version using $(...) is the recommended one.
echo "Today's date is `date +%m/%d/%Y`"

Instead of printing the output of a command to the screen with echo, it can also be
assigned to a variable, as in the following:
#!/bin/bash
#
#command_subs2.sh
TODAY="$(date +%m/%d/%Y)"
echo "Today's date is $TODAY"

In this case, the output of date is assigned to the variable TODAY; then the content
of the TODAY variable is printed to the screen with echo. Again, make sure that no
spaces are entered before or after the equal sign.
The output is the same in both cases:
geeko@da10:~/bin> command_subs1.sh
Today's date is 03/12/2009
geeko@da10:~/bin> command_subs2.sh
Today's date is 03/12/2009
NOTE: Try command_subs2.sh without the quotes when assigning the value to the TODAY
variable, and spaces instead of the slashes, as in the following: TODAY=$(date +%m %d %Y). You
will see that the quotes do make a difference.

Now improve your backup script with what you have learned. Change the script so
that a log file that contains the filenames of the backed-up files is written every time
the script is run. The log file contains date and time as part of its filename.


The script could look like the following:


#!/bin/bash
#
# command_subs3.sh
#
# Back up someone's home directory to /backup using rsync
#
# Write a log file in the format backup-log_YYYYMMDD-hhmm
# that contains the names of the files backed up
#
#
# Variables:
#
USERNAME="geeko"
NOW="$(date +%Y%m%d-%H%M)"
#
# The backup:
#
echo -e "Backing up /home/$USERNAME to /backup/"
rsync -av --no-whole-file /home/$USERNAME /backup > \
/backup/backup-log_$NOW
NOTE: Instead of setting USERNAME within the script, you could use the $USER environment
variable in the echo and rsync commands. This would make the script more flexible, as the user
calling the script would back up his home directory, without having to edit the script.
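The quoting rules above, measured rather than described. This is an added example, not code from the course manual; count_words, the sample value TODAY_SPACED and the scratch directory are my own constructions.

```shell
#!/bin/bash
# Added example (not from the course manual): shows what the quoting rules
# above protect against. An unquoted $VARIABLE or $(command) is split into
# words and matched against file names; the quoted form stays one word.

# Print how many arguments were received, i.e. how many words the shell
# made out of the expansions on the caller's command line.
count_words() {
    echo "$#"
}

# Constructed sample value, like the manual's TODAY=$(date +%m %d %Y).
TODAY_SPACED="03 12 2009"

# Unquoted expansion: the shell splits the value at the spaces, 3 words.
words_unquoted() {
    count_words $TODAY_SPACED
}

# Quoted expansion: the value is passed as it is, 1 word.
words_quoted() {
    count_words "$TODAY_SPACED"
}

# Command substitution inside double quotes: output kept as 1 word.
substitution_quoted() {
    count_words "$(printf '%s' "$TODAY_SPACED")"
}

# A value containing a glob character, expanded unquoted in a directory
# with three files: the shell replaces '*' with the file names, so the
# script no longer sees the value that was assigned (3 words).
glob_unquoted() {
    local pattern='*' dir
    dir="$(mktemp -d)"            # constructed scratch directory
    touch "$dir/a" "$dir/b" "$dir/c"
    ( cd "$dir" && count_words $pattern )
    rm -rf "$dir"
}

# The same value quoted stays the single word '*'.
glob_quoted() {
    local pattern='*'
    count_words "$pattern"
}

# The backup script's log name: timestamp from command substitution, kept
# as one word by the quotes (the space-free date format helps as well).
log_name() {
    local now
    now="$(date +%Y%m%d-%H%M)"
    echo "backup-log_$now"
}

main() {
    echo "unquoted variable:    $(words_unquoted) words"        # 3
    echo "quoted variable:      $(words_quoted) words"          # 1
    echo "quoted substitution:  $(substitution_quoted) words"   # 1
    echo "unquoted glob:        $(glob_unquoted) words"         # 3
    echo "quoted glob:          $(glob_quoted) words"           # 1
    echo "log file name:        $(log_name)"
}
main
```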


Exercise 11-2

Use Variables and Command Substitution


In this exercise, you use variables and command substitution.
You will find this exercise in the workbook.
(End of Exercise)


Objective 4

Use Control Structures


With the scripting techniques you have learned so far, you can develop only scripts
that run sequentially from the beginning to the end.
In this objective, you learn how to use control structures to make the execution of
parts of your script dependent on certain conditions or to repeat script parts.
In this objective we will cover the following:

Create Branches on page 390

Use an if Control Structure on page 394

Create Loops on page 394

Use a while Loop on page 398

Create Branches
A branch in a script means that a part of your script is executed only under a certain
condition. The two control structures used for this purpose are the following:

The if Control Structure on page 390

The case Control Structure on page 392

The if Control Structure

A very common control structure for this uses the if command:


if commandA
then
commands
fi

If commandA returns true (0), then one or more commands are executed. In many
cases, commandA is a test for some condition, but it can be any command. Note the
closing fi word which ends the if control structure.
The if statement can be extended with an optional else statement, as shown in the
following example:
if commandA
then
command1
else
command2
fi

In this case command2 is executed when the if condition is not true (i.e. the return
value of commandA is not 0).
Now add an if structure to our backup script. Test for the return value of the rsync
command, and if it is non-zero, have the script send a mail to geeko. This is
especially useful for scripts that are executed regularly by the cron daemon, because


errors (such as no space left on the backup device) can remain unnoticed if the user is
not informed of the failure.
The script could look like the following:
#!/bin/bash
#
# control_struc1.sh
#
# This script does the following:
# - Back up someone's home directory to /backup using rsync
# - Write a log file in the format backup-log_YYYYMMDD-hhmm
#   and that contains the names of the files backed up
# - Send log files per mail
#
# Variables:
#
USERNAME="geeko"
NOW="$(date +%Y%m%d-%H%M)"
#
# The backup:
#
echo -e "Backing up /home/$USERNAME to /backup/"
rsync -av --no-whole-file /home/$USERNAME /backup \
    > /backup/backup-log_$NOW 2> /backup/backup-errorlog_$NOW
#
# Send log files per mail to user
#
if test "$?" -eq 0
then
mail -s "Backup successful" $USERNAME < /backup/backup-log_$NOW
else
mail -s "Some error occurred during backup" $USERNAME < /backup/backup-errorlog_$NOW
fi

The test command checks whether the return value of the previous command is
equal to 0. If so, test returns 0; otherwise, it returns 1.
Almost all command line tools have a return value. 0 always means something
like true or everything is OK; otherwise a value different from 0 is returned. An
if condition is true when the program used for testing returns 0.
test can also be used for many things other than checking if one number is equal to
another. The following is an overview of the most important test options:

test STRING1 = STRING2. Strings are equal

test STRING1 != STRING2. Strings are not equal

test INTEGER1 -eq INTEGER2. INTEGER1 is equal to INTEGER2


test INTEGER1 -lt INTEGER2. INTEGER1 is less than INTEGER2

test INTEGER1 -gt INTEGER2. INTEGER1 is greater than INTEGER2

test -e FILE. FILE exists

NOTE: For a complete list of all test options, see the test man page.

When you look at scripts written by someone else, you will also see a different syntax
for test. Instead of test "$?" -eq 0, you can also leave out the test command
and put the expression in square brackets like [ "$?" -eq 0 ]. Please note the
space after the [ bracket and the space before the ] bracket. Without these spaces,
you get an error message when executing the script.
One other thing you might have noticed is that the lines after then and else are
indented. This is not required but is a very common method to identify logical blocks
and to make the code more readable.
With if you can create even more complex structures in your script using an optional
elif statement, as shown in the following example:
if commandA
then
command1
elif commandB
then
command2
else
command3
fi

With elif, you add more conditions in case the one in the initial if statement is not
true.
In this case, command2 is executed in case the return value of commandA is false
(not 0) and the return value of commandB is true. The command3 is executed only if
commandA and commandB have a non-zero return value.
You can have several elif sections within an if control structure.
The case Control Structure

Another way to create multiple branches is to use case. In a case statement, the
expression contained in a variable is compared with a number of expressions.
Commands are executed for the first expression that matches.
A case statement has the following syntax:
case $variable in
expression1) command1;;
expression2) command2;;
esac


case statements are often easier to understand than if/elif/else statements, but they can
have the same functionality, as shown in the following two examples:
if [ "$number" -eq 10 ]
then echo "The value is 10"
elif [ "$number" -eq 20 ]
then echo "The value is 20"
else
echo "I don't know"
fi
case "$number" in
10) echo "The value is 10";;
20) echo "The value is 20";;
*) echo "I don't know";;
esac

The variable $number is compared with 10, 20 and *. * matches for every value and
is, therefore, the default action of the case statement.
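An if/elif/else chain built from the test options listed above, applied to the backup script's target directory before rsync writes to it. This is an added example, not code from the course manual; check_backup_dir, run_guarded and the return-value numbering are my own, and the scratch directory is constructed.

```shell
#!/bin/bash
# Added example (not from the course manual): an if/elif/else chain built
# from the test options above, used to check the backup target before rsync
# writes to it. Each failure gets its own return value so that a cron job
# (or a test) can tell them apart. Also shows the $? pitfall: $? is
# overwritten by the very next command, including test itself.

# Return 0 if DIR is a usable backup target, otherwise
#   1  DIR does not exist
#   2  DIR exists but is not a directory
#   3  DIR is not writable by the calling user
#   4  DIR is world-writable (other users could plant or replace files
#      in the backup, or replace the log file with a symlink)
check_backup_dir() {
    local dir="$1"
    if [ ! -e "$dir" ]                # the spaces inside [ ] are mandatory
    then
        echo "missing: $dir"
        return 1
    elif [ ! -d "$dir" ]
    then
        echo "not a directory: $dir"
        return 2
    elif [ ! -w "$dir" ]
    then
        echo "not writable: $dir"
        return 3
    elif [ -n "$(find "$dir" -maxdepth 0 -perm -002)" ]   # others have write permission
    then
        echo "world-writable: $dir"
        return 4
    else
        echo "ok: $dir"
        return 0
    fi
}

# Run a command and branch on its return value, as the backup script does.
# The status is saved first: after 'test "$?" -eq 0' has run, $? holds the
# result of test, not of the command you wanted to report on.
run_guarded() {
    "$@" > /dev/null 2>&1
    local rc=$?
    if test "$rc" -eq 0
    then
        echo "success"
    else
        echo "failed with status $rc"
    fi
    return "$rc"
}

main() {
    local scratch
    scratch="$(mktemp -d)"                    # constructed scratch directory
    check_backup_dir "$scratch" || true            # ok
    check_backup_dir "$scratch/nothere" || true    # missing
    touch "$scratch/file"
    check_backup_dir "$scratch/file" || true       # not a directory
    chmod 777 "$scratch"
    check_backup_dir "$scratch" || true            # world-writable
    run_guarded true
    run_guarded false || true                      # failed with status 1
    rm -rf "$scratch"
}
main
```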


Exercise 11-3

Use an if Control Structure


In this exercise, you expand the backup script with the use of an if control structure.
You will find this exercise in the workbook.
(End of Exercise)

Create Loops
Another common control structure is the loop. A loop is often used when a certain
task has to be repeated more than once. Instead of repeating the same code in the
script, a loop structure can be implemented.
Several options for implementing a loop in shell scripts exist.
The for Loop

The syntax of the for loop looks like the following:


for variable in element1 element2 element3
do
commands
done

The line starting with for defines how many times the code between do and
done has to be executed. For each pass of the loop, the variable variable has one
of the values defined in the list after in.
Here is an example:
#!/bin/bash
#
# for_loop1.sh
for i in 1 2 3
do
echo "$i"
done

The list after in contains three elements: the numbers 1, 2, and 3 separated by
spaces. This means that the code between do and done is executed three times,
and each time the variable i has a different value from 1 to 3. When you run this
script, it simply outputs 1 2 3.
geeko@da10:~/bin> for_loop1.sh
1
2
3

The list defined after in is not necessarily static. The for loop is very often used to
go through a list of files. An easy way to do this is to use * after in.


#!/bin/bash
#
# for_loop2.sh
for i in *
do
lower="$(echo "$i" | tr '[:upper:]' '[:lower:]')"
echo mv "$i" "$lower"
done

This script loops through all files in the current working directory and (after
removing the echo in front of mv which is included to test the script without actually
affecting any files) renames the files from upper to lower case. * is expanded to a list
of all these files by the shell.
For every pass of the loop, the variable $i contains one filename. The filename is
converted to lower case and stored in the variable lower. Then the original file is
renamed with mv to lower case.
NOTE: This is just a demo script. For a production script, you would have to add some code that
makes sure that an existing lowercase file is not accidentally overwritten.

Another way of creating a list is a command substitution:


#!/bin/bash
#
# for_loop3.sh
for i in $(find -name "*.mp3")
do
echo rm $i
done

This script uses find to create a list of all .mp3 files in the current directory and all
subdirectories. These files are deleted in the for loop (after removing the echo
included for testing purposes).
A special syntax can be used with for in case you want to iterate through the loop a
specific number of times:
#!/bin/bash
#
# for_loop4.sh
for ((i=1;i<=10;i++))
do
echo $i
done

With this syntax, the variable i is set to 1 (i=1) for the first run through the loop,
then increased by one (i++) on each subsequent run. This continues as long as the
condition in the middle (i<=10) is true.
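The for_loop2.sh idea with the safeguards the NOTE above asks for: quoted names so files with spaces survive, no overwriting of an existing lower-case file, and the echo-for-testing trick turned into a switch. This is an added example, not code from the course manual; lowercase_files, the DRY_RUN variable and the sample files are my own.

```shell
#!/bin/bash
# Added example (not from the course manual): for_loop2.sh with the
# safeguards the NOTE above asks for. File names are quoted so names with
# spaces survive, an existing lower-case file is never overwritten, and the
# "echo in front of mv" test idea becomes a DRY_RUN switch. Constructed
# sample files are created in a scratch directory by main.

DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1 prints the mv commands instead of running them

# Rename every regular file in DIR to lower case and print how many files
# were renamed. Files whose lower-case name already exists are skipped.
lowercase_files() {
    local dir="$1"
    local f base lower renamed=0
    for f in "$dir"/*            # the shell expands the glob, one word per file
    do
        [ -f "$f" ] || continue  # skips directories, and the literal '*' of an empty dir
        base="$(basename "$f")"
        lower="$(printf '%s' "$base" | tr '[:upper:]' '[:lower:]')"
        if [ "$base" = "$lower" ]
        then
            continue             # already lower case
        elif [ -e "$dir/$lower" ]
        then
            echo "skip: $dir/$lower already exists" >&2
            continue
        fi
        if [ "$DRY_RUN" -eq 1 ]
        then
            echo "mv -- '$f' '$dir/$lower'" >&2
        else
            mv -- "$f" "$dir/$lower"
        fi
        renamed=$((renamed + 1))
    done
    echo "$renamed"
}

main() {
    local scratch
    scratch="$(mktemp -d)"
    touch "$scratch/README.TXT" "$scratch/Notes File.MD" \
          "$scratch/keep.txt" "$scratch/KEEP.TXT"
    echo "renamed $(lowercase_files "$scratch") files"   # 2: KEEP.TXT is skipped
    ls "$scratch"
    rm -rf "$scratch"
}
main
```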
The while and until Loops

The while loop has the following syntax:


while condition
do
commands
done

Very similar to the while loop is the until loop.


until condition
do
commands
done

Both loop types depend on a condition. In a while loop the commands are executed
as long as the condition is true; in an until loop, the commands are executed until
the condition becomes true.
We will use a while loop to allow the user to add additional directories or files he
wants to back up in addition to his home directory.
One way to iterate through the positional parameters $1, $2, etc., from the command
line is to use the shift command. After calling shift, $2 becomes $1, $3 becomes $2,
and so on.
One possible way to solve the task is shown in the following script:
#!/bin/bash
#
# while_loop1.sh
# This script does the following:
# - Back up directories or files listed on the command line
# - Back up someone's home directory to /backup using rsync
# - Write a log file in the format backup-log_YYYYMMDD-hhmm
#   and that contains the names of the files backed up
# - Send log files per mail
#
# Variables:
#
USERNAME="geeko"
NOW="$(date +%Y%m%d-%H%M)"
#
# The backup of the directories listed on the command line
#
while test -n "$1"
do
echo -e "\nBacking up $1 to /backup/"
rsync -av --no-whole-file $1 /backup
shift
done
#
# The backup of the home directory:
#


echo "Backing up /home/$USERNAME to /backup/"
rsync -av --no-whole-file /home/$USERNAME /backup \
    > /backup/backup-log_$NOW 2> /backup/backup-errorlog_$NOW
...

The test command checks if the value of the $1 parameter has a non-zero string
length. If so, then the commands between do and done are executed. The shift
command moves $2 to $1, and the new $1 value is tested. If there is no $2 value, the
new $1 is empty and the processing of the loop is stopped.
If you omit the shift command, an endless loop is created; in this case, you have to
interrupt the processing of the script with Ctrl+C.
It is possible to nest an if control structure between do and done and leave the
while loop in case a certain condition is met. The command to interrupt the
processing of the while loop is break, as shown in the following:
while conditionA
do
commands
if conditionB
then
break
fi
done

It is also possible to skip further processing of the loop and to enter the next iteration,
using the continue command, as shown in the following:
while conditionA
do
commands
if conditionB
then
continue
fi
more commands
done


Exercise 11-4

Use a while Loop


In this exercise, you use a while loop to iterate through the positional parameters
included on the command line.
You will find this exercise in the workbook.
(End of Exercise)


Objective 5

Use Arithmetic Operators


Shell scripts often use values assigned to variables for calculation. Several ways to
implement this exist.
The Bash shell comes with built-in support for arithmetic operations, but we find
some limitations to this. Specifically, the arithmetic capabilities of Bash are limited in
the following ways:

Only operations with whole numbers (integers) can be performed.

All values are signed 64-bit values. Thus possible values range from -2^63 to
+2^63-1.

So when using Bash, you might need to use external commands, such as bc, for
floating-point calculations.
The following paragraphs list all possible methods and formats for arithmetic
operations. All of them are based on this sample operation, with B=5:
A=B+10

Use the external command expr (Bourne shell compatible).


A=$(expr $B + 10)

Since an external command is used, this method will also work with the
traditional Bourne shell. Scripts using external commands will always perform
slower than those relying on built-in commands.

Use the Bash built-in command let.


let A="$B + 10"

In Bash, you can use the let command to perform an arithmetic expression.

Use arithmetic expressions inside parentheses or brackets (two different
formats).

A=$((B + 10))

or

A=$[B + 10]

Arithmetic expressions can be enclosed in double parentheses or in brackets for
expansion by Bash. Both $((...)) and $[...] are possible, but the latter is
considered deprecated and should be avoided.

Use the built-in command declare.


declare -i A
declare -i B
A=B+10

This declares a variable as an integer.


If all variables involved in a calculation have previously been declared as
integers through declare -i, arithmetic evaluation of these variables happens
automatically when a value is assigned to them.
This means that the variable B, for example, does not have to be prefixed with
the $ to be evaluated.
With the expr command, only the following five operators are available: + - * /
and % (modulo, remainder of a division). Additional operators that are identical to
those of the C programming language can be used with all of the above Bash formats.
NOTE: For a complete list, consult the man page for Bash.

We can use an arithmetic operator to modify the backup script to change the
condition of the while loop. Instead of testing for the content of $1, we can count
down the number of positional parameters until all are processed. The while loop in
the script could look like the following:
count=1
PARAMNUM="$#"
#
# The backup of the directories listed on the command line
#
while test "$count" -le "$PARAMNUM"
do
echo -e "\nBacking up $1 to /backup/"
rsync -av --no-whole-file "$1" /backup
count=$(($count + 1))
shift
done

We create the count variable and assign the value 1 to it. The variable PARAMNUM
is set to the number of parameters included on the command line ($#). In the while
loop, the value of count is increased by one each time the loop is run through. When
the value of count is greater than PARAMNUM, the processing of the loop ends.
Instead of
count=$(($count + 1))

the following syntax could be used as well:


((count++))
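The command-line part of the backup script with the while/shift loop from the previous objective and the count/$# arithmetic from this one, plus break and continue. This is an added example, not code from the course manual; fake_backup is a hypothetical stand-in for the rsync call, MAX_PATHS is a constructed limit, and arith_forms is my own function.

```shell
#!/bin/bash
# Added example (not from the course manual): the command-line part of the
# backup script, combining the while/shift loop with the count/$# arithmetic
# above, plus continue and break. rsync is replaced by a hypothetical
# stand-in (fake_backup) that only reports the path, so the block runs
# anywhere; MAX_PATHS is a constructed limit that triggers the break.

MAX_PATHS=3

# Stand-in for the rsync call.
fake_backup() {
    echo "backing up $1 to /backup/"
}

# Walk the positional parameters with while/shift, counting with $((...)).
# Paths that do not exist are skipped with continue (shift has already
# happened, so the loop still advances). After MAX_PATHS accepted paths the
# loop ends early with break. Prints the number of paths accepted; progress
# messages go to stderr so that the count is all that stdout carries.
backup_args() {
    local count=1 accepted=0 path
    local paramnum="$#"
    while test "$count" -le "$paramnum"
    do
        path="$1"
        shift
        count=$((count + 1))
        if [ ! -e "$path" ]
        then
            echo "skip: $path does not exist" >&2
            continue
        fi
        fake_backup "$path" >&2
        # $((...)) rather than ((accepted++)): the latter returns status 1
        # when the old value is 0, which ends a script running under set -e.
        accepted=$((accepted + 1))
        if [ "$accepted" -ge "$MAX_PATHS" ]
        then
            break
        fi
    done
    echo "$accepted"
}

# The three arithmetic forms from the objective above, all computing
# A=B+10 for B=5: external expr, built-in let, and $((...)).
arith_forms() {
    local B=5 A1 A2 A3
    A1=$(expr "$B" + 10)
    let A2="$B + 10"
    A3=$((B + 10))
    echo "$A1 $A2 $A3"    # 15 15 15
}

main() {
    local scratch
    scratch="$(mktemp -d)"                    # constructed sample paths
    touch "$scratch/a" "$scratch/b" "$scratch/c" "$scratch/d"
    echo "accepted: $(backup_args "$scratch/a" "$scratch/missing" "$scratch/b")"          # 2
    echo "accepted: $(backup_args "$scratch/a" "$scratch/b" "$scratch/c" "$scratch/d")"   # 3
    echo "arithmetic: $(arith_forms)"
    rm -rf "$scratch"
}
main
```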


Exercise 11-5

Use Arithmetic Operators


In this exercise, you use arithmetic operators.
You will find this exercise in the workbook.
(End of Exercise)


Objective 6

Read User Input


One way to read user input is to use the read command. The read command takes a
variable as an argument and stores the read input in the variable. The variable can
then be used to process the user input.
The following example reads user input into the variable with the name VARIABLE:
read VARIABLE

The script pauses at this point, waiting for user input, until the Enter key is pressed.
To tell the user to enter something, you need to print (echo) a line with some
information, such as the following:
echo "Please enter a value for the variable:"
read VARIABLE

If you do not add a variable name after read, the user input is assigned to the
variable REPLY. You can also specify more than one variable, like in the following
example:
read FIRST SECOND REST

In this example, the first word entered is assigned to the variable FIRST, the second
to the variable SECOND, and all subsequent words to the variable REST. If only one
word is entered, the variables SECOND and REST are assigned empty values.
If you want to change the backup script to inform the user that he can back up
additional directories and ask for them instead of expecting them on the command
line, a possible solution could look like this:
#!/bin/bash
#
# read_input1.sh
#
# This script does the following:
# - Back up directories or files entered by user
# - Back up someone's home directory to /backup using rsync
# - Write a log file in the format backup-log_YYYYMMDD-hhmm
#   and that contains the names of the files backed up
# - Send log files per mail
#
# Variables:
#
USERNAME="geeko"
NOW="$(date +%Y%m%d-%H%M)"
DIRECTORIES=""
#
# Get input from user
#
cat <<EOF
This script backs up the /home/$USERNAME directory to /backup,
as well as any files and directories you specify here.
Type their names separated by spaces, then press Enter.
If you do not want to back up additional directories,
just press Enter.
EOF
read DIRECTORIES
#
# Back up the directories entered by user
#
for i in $DIRECTORIES
do
echo -e "\nBacking up $i to /backup/"
rsync -av --no-whole-file "$i" /backup
done
...

The for loop is entered for each element contained in the DIRECTORIES variable
(which may not be enclosed in quotation marks in the line starting with for, to keep
the directories entered by the user as separate directories). If the variable is empty, the
for loop is not run through.
NOTE: This approach does not work for files or directories with spaces in their names.


Exercise 11-6

Read User Input


In this exercise, you read user input and process the input in your script.
You will find this exercise in the workbook.
(End of Exercise)


Objective 7

Use Arrays
Arrays are basically variables that can hold more than one value. To identify a value
in an array, a numerical index is used. The index is written in square brackets after the
array name.
lines[0]="Hello World"

This line assigns the string Hello World to the index 0 of the array with the name
lines.
To access a value in an array, you have to specify an index and put braces around the
array name:
echo ${lines[0]}

Arrays are very useful to store list data like a list of files, names, or similar data.
We can use an array to store the files or directories the user wants to back up. He
enters them one after the other, which makes it easier to deal with, for instance, space
characters in the names.
The first part would be to fill an array with the filenames; the second part would be to
back up those files.
Look at the following modifications of the backup script. (From now on, we will list
only those parts of the code that have been modified.)
DIRECTORY=""
counter=0
#
# Get input from user
#
cat <<EOF
This script backs up the /home/$USERNAME directory to /backup,
as well as any files and directories you specify here.
Type the name of a directory or file name you want to
back up, then press enter.
Repeat for each directory or file name you want to back up.
When done (or if you do not want to back up additional
files or directories) just press Enter.
EOF
read DIRECTORY
# Check if $DIRECTORY is empty, if so do nothing,
# as user pressed enter as first action
if [ -z "$DIRECTORY" ]
then
:
else

# Process user input, then prompt again
while test -n "$DIRECTORY"
do
TOBACKUP[$counter]="$DIRECTORY"
((counter++))
DIRECTORY=""
read DIRECTORY
done
fi
#
# Back up the directories entered by user
#
for i in ${TOBACKUP[@]}
do
echo -e "\nBacking up $i to /backup"
rsync -av --no-whole-file "$i" /backup
done
#
#
# The same, a bit more complicated:
#
#for ((i=0;i<${#TOBACKUP[@]};i++))
#do
# echo -e "\nBacking up ${TOBACKUP[$i]} to /backup"
# rsync -av --no-whole-file "${TOBACKUP[$i]}" /backup
#done

In the while loop, the requests are stored into the array TOBACKUP. The variable
counter that is initialized at the start of the script and is used as an index is
incremented in every cycle of the while loop.
In the for loop, the content of the array is integrated into an rsync command.
In the second example (lines starting with a comment character) a different syntax for
the for loop is used that is similar to the for loop in the C programming language.
for ((i=1;i<${#TOBACKUP[@]};i++)) means that the loop runs as long as
the variable i is less than (<) the number of elements in the array TOBACKUP.
${#TOBACKUP[@]} is a way to access the number of elements in an array.
The index variable i is initially set to 0 and incremented with every cycle of the for
loop.
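The read and array techniques from this and the previous objective, written so that names containing spaces survive (the NOTE under read_input1.sh explains why the unquoted for loop loses them). This is an added example, not code from the course manual; read_paths, path_count and the backup_* functions are my own, the here document in main is constructed input, and printf stands in for the rsync call.

```shell
#!/bin/bash
# Added example (not from the course manual): the interactive part of the
# backup script using read and an array, written so that names containing
# spaces are preserved. Input comes from stdin, so a here document (or a
# test) can feed it instead of a person typing.

# Read one path per line into the array TOBACKUP until an empty line.
# read -r keeps backslashes as typed; IFS= keeps leading/trailing spaces.
read_paths() {
    local line
    TOBACKUP=()
    while IFS= read -r line && [ -n "$line" ]
    do
        TOBACKUP[${#TOBACKUP[@]}]="$line"   # next free index, as in the manual
    done
}

# Number of entries collected.
path_count() {
    echo "${#TOBACKUP[@]}"
}

# Hand each entry to the backup command as ONE argument: "${TOBACKUP[@]}"
# (quoted, with @) expands to one word per element, spaces included.
# printf stands in for rsync and shows each argument in brackets.
backup_each() {
    local i
    for i in "${TOBACKUP[@]}"
    do
        printf 'backup: [%s]\n' "$i"
    done
}

# For contrast, the unquoted form from the manual: "My Docs" arrives as
# two separate arguments, so rsync would look for two paths that do not exist.
backup_each_unquoted() {
    local i
    for i in ${TOBACKUP[@]}
    do
        printf 'backup: [%s]\n' "$i"
    done
}

# The C-style for loop over array indices, as in the commented-out variant.
backup_by_index() {
    local i
    for ((i=0; i<${#TOBACKUP[@]}; i++))
    do
        printf 'backup %d: [%s]\n' "$i" "${TOBACKUP[$i]}"
    done
}

main() {
    read_paths <<'EOF'
My Docs
/tmp/project one

this line is never read
EOF
    echo "collected $(path_count) paths"   # 2
    backup_each
    echo "--- unquoted loop splits at the spaces:"
    backup_each_unquoted
    echo "--- by index:"
    backup_by_index
}
main
```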


Exercise 11-7

Use Arrays
In this exercise, you use arrays.
You will find this exercise in the workbook.
(End of Exercise)


Objective 8

Finalize the Course Project


Sometimes you do not need the last version of a file but rather the version of the file
from a day, a week, or a month ago. You could, of course, simply make a separate full
backup of your home directory every few hours, but that would consume a lot of
storage space.
rsync has a feature that is probably not so well known: it allows you to create backups
in different directories, but instead of creating a copy of an unchanged file, only a
hard link to the file in the earlier backup is created. This feature allows you to keep
many earlier versions of files, as only those files actually changed or added get
copied, saving storage space.
You will need the following:

An initial first backup


This can be done with the rsync command we used so far; however, you should
use a directory name for your backup that is based on date and time.
NOW="$(date +%Y%m%d-%H%M)"
#
# If there is no directory /backup/YYYYMMDD-hhmm then this is
# probably the first run of the script.
#
# Creation of the first backup:
ls -d /backup/20??????-???? > /dev/null 2>&1 || rsync -a \
/home/"$USERNAME" /backup/"$NOW"

An rsync command that creates a backup in a separate directory with links
against the previous backup.
#
# Establish the last backup directory
#
LAST_BACKUP_DIR="$(basename $(ls -d /backup/20*-* | sort | \
tail -1))"
#
# Backup linked against the previous backup
#
rsync -aA --link-dest=/backup/"$LAST_BACKUP_DIR" \
/home/"$USERNAME" /backup/"$NOW"

A command that deletes the oldest version of the backups.

#
# Remove past backup directories
#
cd /backup || exit 2
# Let's keep a maximum of 100 past backups/versions
if [ "$(ls -d 20*-* | wc -l)" -gt 100 ] ; then
rm -r $(ls -d 20*-* | sort | head -1)
fi

A cron job that runs the backup as often as you need it, such as every two hours
during work hours, daily, or weekly. Using the crontab -e command, you could
define the following cron job:
10 */2 * * * /home/geeko/bin/versioned-backup1.sh

With the topics covered in this section, you could add several additional features to
the script:

A list of files that should not be backed up, such as those in the browser cache
directory. Use a here document to write a temporary file from the script, pass it
to rsync with the --exclude-from= option, and delete the file at the end of the
script.

Use of the trap command to delete the temporary file even if the user ends the
script with Ctrl+C.

Log files and mail messages as covered previously.
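A complete version of the script with those three additions, written here as an added example and not the course's versioned-backup1.sh. The backup root /backup, the exclusion patterns, the log path and the retention count are assumptions, and unlike the course script it prunes until the retention cap is met rather than removing one directory per run:

```shell
#!/bin/bash
# versioned-backup.sh: added example, not the course's versioned-backup1.sh.
# Keeps hard-linked versions of /home/USER under BACKUP_ROOT (default /backup),
# skips an exclude list written with a here document, removes the temporary
# exclude file through a trap (also on Ctrl+C), logs each run, and prunes the
# oldest versions until at most KEEP_VERSIONS remain. BACKUP_ROOT, the exclude
# patterns and the log path are assumptions; adjust them to your environment.
set -u

BACKUP_ROOT="${BACKUP_ROOT:-/backup}"
KEEP_VERSIONS="${KEEP_VERSIONS:-100}"
LOGFILE="${LOGFILE:-$BACKUP_ROOT/versioned-backup.log}"
EXCLUDE_FILE=""

# Name of the newest backup directory under $1 (YYYYMMDD-hhmm names sort
# chronologically), or an empty string if there is no backup yet.
last_backup_dir() {
    local last
    last="$(ls -d "$1"/20[0-9][0-9][0-9][0-9][0-9][0-9]-[0-9][0-9][0-9][0-9] \
        2>/dev/null | sort | tail -n 1)"
    printf '%s\n' "${last##*/}"
}

# Remove the oldest backup directories under $1 until at most $2 remain.
# The course script removes one directory per run; this loops until the cap
# is met, so it also recovers if the cap was lowered.
prune_old_backups() {
    local root="$1" keep="$2" count
    count="$(ls -d "$root"/20*-* 2>/dev/null | wc -l)"
    while [ "$count" -gt "$keep" ]; do
        rm -r "$(ls -d "$root"/20*-* | sort | head -n 1)"
        count=$((count - 1))
    done
}

# Back up /home/$1 into a new, time-stamped directory linked against the
# previous backup. Returns the exit status of rsync.
run_backup() {
    local user="$1" now last status
    now="$(date +%Y%m%d-%H%M)"
    EXCLUDE_FILE="$(mktemp /tmp/versioned-backup.XXXXXX)" || return 1
    # Delete the temporary file on normal exit and when the script is
    # interrupted with Ctrl+C (INT) or killed with TERM.
    trap 'rm -f "$EXCLUDE_FILE"' EXIT
    trap 'rm -f "$EXCLUDE_FILE"; exit 130' INT TERM
    # Exclude list written from a here document; these patterns are examples.
    cat > "$EXCLUDE_FILE" <<'EOF'
.cache/
.mozilla/firefox/*/Cache/
*.tmp
EOF
    last="$(last_backup_dir "$BACKUP_ROOT")"
    if [ -z "$last" ]; then
        # First run: plain copy, nothing to link against.
        rsync -aA --exclude-from="$EXCLUDE_FILE" \
            /home/"$user" "$BACKUP_ROOT/$now"
    else
        rsync -aA --exclude-from="$EXCLUDE_FILE" \
            --link-dest="$BACKUP_ROOT/$last" \
            /home/"$user" "$BACKUP_ROOT/$now"
    fi
    status=$?
    printf '%s backup of %s to %s (linked to %s) rsync exit=%s\n' \
        "$(date '+%Y-%m-%d %H:%M')" "$user" "$now" "${last:-none}" "$status" \
        >> "$LOGFILE"
    prune_old_backups "$BACKUP_ROOT" "$KEEP_VERSIONS"
    return "$status"
}

# Run only when a user name is given, for example from this cron entry:
#   10 */2 * * * /home/geeko/bin/versioned-backup.sh geeko
if [ "$#" -gt 0 ]; then
    run_backup "$1"
fi
```

Run it as the user whose home directory is backed up, or as root if the target of BACKUP_ROOT is not writable by that user; --link-dest means each new version costs only the space of the files that changed.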


Exercise 11-8

Use rsync to Keep Versions of Files


In this exercise, you use rsync to keep past versions of your files.
You will find this exercise in the workbook.
(End of Exercise)


Objective 9

Use Advanced Scripting Techniques


In this objective, you learn about the following advanced scripting techniques that
will help you solve common script development problems:

Use Shell Functions on page 411

Read Options with getopts on page 412

Use Shell Functions on page 414

Use Shell Functions


Sometimes you need to perform a task multiple times in a shell script. Instead of
writing the same code again and again, you can use functions.
Shell functions act like script modules because they make an entire script section
available under a single name. Shell functions are normally defined at the beginning
of a script. You can store several functions in a separate file and include this file
whenever the functions are needed in your current script with the command
source /path/filename

Two ways are available to declare a function in a script. The following is the basic
syntax of a function:
functionname () {
commands
commands
}

The following generates a function with the function command:
function functionname {
commands
commands
}

The name of the function can be composed of any regular character string.
The following is a simple function that creates a directory and then changes to that
directory:
# mcd: mkdir + cd; creates a new directory and
# changes into that new directory right away
# (the argument is quoted so names with spaces work,
# and cd is only attempted if mkdir succeeded)
mcd () {
mkdir "$1" && cd "$1"
}

After having been created, this function can be called in a shell script, as in the
following:
...
mcd /tmp/new_directory
...


The parameter /tmp/new_directory is called an argument. Within a function,
arguments can be accessed with the variables $1, $2, $3, and so on, depending on the
number of arguments passed to the function.
The following function can be used to create a pause in a script. The script resumes
only after the Enter key is pressed:
# pause: causes a script to take a break
pause (){
echo "To continue, hit RETURN."
read q
}

You can also create functions that stop their processing from within, similar to exiting
a loop (iteration) with the break and continue commands.
To exit a function, use the return command. If return is called without an
argument, the return value of the function is identical to the exit status of the last
command executed in that function.
Otherwise, the return value is identical to the one supplied as an argument to return.
NOTE: The command typeset -f shows the functions defined in the current shell.

Read Options with getopts


With the shell built-in command getopts, you can extract the options supplied to a
script on the command line. The shell interprets command line arguments as
command options only if they are prefixed with a - (the default when using the shell
interactively).
This makes it possible to place options in different positions on the command line and
to supply them in an arbitrary order.
This means that the command:
cp -dpR *.txt texts/
achieves the same thing as the command
cp -R *.txt -d texts/ -p
getopts recognizes options in the same way. The following is the getopts syntax:
getopts optionstring variable
The optionstring lists all options to be recognized. For instance, getopts abc
declares a, b, and c as the options to be processed.
If a parameter is expected for an option (such as -m maxvalue), the corresponding
option letter must be followed by a : in the string (as in getopts m:).
The option string is followed by the name of a variable; each time getopts is called,
the next option found on the command line is assigned to this variable.


The getopts command is most frequently used in a while loop together with case to
define which command to execute for a given option, as in the following:
while getopts abc:d:e variable
do
case $variable in
a ) echo "The option -a was used." ;;
b ) echo "The option -b was used." ;;
c ) option_c="$OPTARG"
echo "Option c has been set to $option_c." ;;
d ) option_d="$OPTARG"
echo "Option d has been set to $option_d." ;;
e ) echo "the option -e was used." ;;
esac
done
echo

If the option -a, -b, or -e is used, the script prints a message that the
corresponding option was used. If the option -c value is used, the value is
assigned to the variable option_c and printed on the screen; the same applies to
option -d and the variable option_d.
The parameter of an option can be accessed with the variable OPTARG.
NOTE: When no parameter is supplied to an option that expects one, the result can be unexpected.
For instance, if the user enters -d -e in the above example, the OPTARG variable for -d contains
-e, and -e is not recognized as an option of its own.
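An added example (not from the course manual) that ties the two topics of this objective together: a shell function whose return value reports the outcome of option parsing, using getopts in silent mode (a leading : in the option string) so that a missing argument and the -d -e case from the note above are detected instead of silently misread. The option letters -v, -m and -o and the variable names are assumptions.

```shell
#!/bin/bash
# Added example (not from the course manual): parse options in a function.
# A leading ':' in the option string puts getopts into silent mode: an
# unknown option sets the variable to '?', a missing argument sets it to ':',
# and in both cases the option letter is placed in OPTARG instead of getopts
# printing its own error message.

# Results of the last parse_opts call (names are an assumption).
verbose=0
maxvalue=""
outfile=""

# Returns 0 on success, 1 for an unknown option, 2 for a missing value.
parse_opts() {
    local opt
    OPTIND=1            # reset so the function can be called more than once
    verbose=0; maxvalue=""; outfile=""
    while getopts ':vm:o:' opt; do
        case $opt in
            v ) verbose=1 ;;
            m ) # "-m -o" would hand "-o" to -m as its value; reject that
                case $OPTARG in
                    -*) echo "option -m needs a value, got '$OPTARG'" >&2
                        return 2 ;;
                esac
                maxvalue="$OPTARG" ;;
            o ) outfile="$OPTARG" ;;
            : ) echo "option -$OPTARG requires an argument" >&2
                return 2 ;;
            \?) echo "unknown option -$OPTARG" >&2
                return 1 ;;
        esac
    done
    return 0
}

# Print the non-option arguments that follow the options, one per line.
# OPTIND points just past the last option getopts consumed.
remaining_args() {
    parse_opts "$@" || return $?
    shift $((OPTIND - 1))
    printf '%s\n' "$@"
}

# Demonstration when run directly (not reached in the test harness).
if [ "$#" -gt 0 ]; then
    parse_opts "$@" && echo "verbose=$verbose maxvalue=$maxvalue outfile=$outfile"
fi
```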


Exercise 11-9

Use Shell Functions


In this exercise, you learn how to use shell functions.
You will find this exercise in the workbook.
(End of Exercise)


Objective 10

Learn about Useful Commands in Shell Scripts


This objective gives you an overview of useful commands that are frequently used in
shell scripts.
This objective discusses the following:

Use the cat Command on page 415

Use the cut Command on page 415

Use the date Command on page 416

Use the grep and egrep Commands on page 416

Use the sed Command on page 417

Use the test Command on page 419

Use the tr Command on page 421

Use the cat Command


When combined with the here document operator (<<), the cat command is a good
choice to output several lines of text from a script. In interactive use, the command
is mostly run with a filename as an argument; in this case cat prints the file contents
on standard output.

Use the cut Command


The cut command is used to cut out sections of lines from a file so that only the
specified section is printed on standard output.
The command is applied to each line of text as available in a file or on standard input.
You can use cut -f to cut out fields separated by a delimiter; cut -c works with
character positions.
You can specify single sections (characters or fields) or several sections. The default
delimiter to separate fields from each other is a tab, but you can specify a different
field separator with the -d option.
The following are some examples of using cut:
geeko@da10:~> cut -d : -f1 /etc/passwd
root
bin
daemon
lp
mail
news

The preceding command specifies that the field separator should be a colon. In every
line of /etc/passwd, the field that comes before the first colon is taken and
printed to stdout:


geeko@da10:~> ls -l somedir/ | cut -c 27- | sort -n
687 Sep 20 17:06 file2
2199 Sep 20 17:05 file1
6593 Sep 20 17:06 file3

The above command takes the output of the ls command and cuts out everything
from the twenty-seventh character. This is piped to sort, so the final output is sorted
according to file size.

Use the date Command


You can use the date command whenever you need to obtain a date or time string
for further processing by a script. Without any options specified, the command's
output looks like the following:
geeko@da10:~> date
Sat Mar 14 15:58:46 CET 2009

The date command lets you change the output format in almost every detail. With the
-I option, as in the following, date prints the date in ISO format (the same as the
format string +%Y-%m-%d):
geeko@da10:~> date -I
2009-03-14
geeko@da10:~> date "+%m-%d %H:%M"
03-14 16:01
geeko@da10:~> date "+%D, %r"
03/14/09, 04:02:34 PM
geeko@da10:~> date +%d.%m.%y
14.03.09
geeko@da10:~> date +%d.%m.%Y
14.03.2009
geeko@da10:~> date "+%e.%-m.%y, %l.%M %p"
14.3.09, 4.05 PM
geeko@da10:~> date "+%A, %e. %B %Y"
Saturday, 14. March 2009

To view a list with all the possible format options for date, see man date. You
should be able to customize the output to exactly match the requirements of your
script.

Use the grep and egrep Commands


The command grep and its variant egrep are used to search files for certain
patterns, and they use the following syntax:
grep searchpattern filename ...
The command prints lines that contain the given search pattern. You can specify
several files, from which grep will print the matching line and the corresponding
filenames.
Several options are available to specify that only the line number should be printed,
for instance, or that the matching line should be printed together with leading and
trailing context lines.


Search patterns can be supplied in the form of regular expressions, although the grep
command is limited in this regard.
To search for more complex patterns, use the egrep command that accepts extended
regular expressions. As a simple way to deal with the difference between the two
variants, make sure you use egrep in all of your shell scripts.
The regular expressions used with egrep need to be in accordance with the standard
regex syntax.
To avoid having special characters in search patterns interpreted by the shell, enclose
the pattern in quotation marks, as in the following:
geeko@da10:~> egrep (b|B)lurb file*
bash: syntax error near unexpected token
geeko@da10:~> egrep "(b|B)lurb" file*
file1:blurb
file2:Blurb

Use the sed Command


The sed program is a stream editor, used from the command line rather than
interactively. The sed command performs text transformations on a line-by-line
basis.
You can specify sed commands either directly on the command line or in a special
command script loaded by the program on execution.
The following is the syntax for the sed command:
sed editing-command filename
The available editing commands include single-character arguments such as the
following:

d: Delete

s: Substitute (replace)

p: Output line

a: Append after

As with other commands, the output of sed normally goes to standard output, but it
can also be redirected to a file.
Apart from the single-character commands for text transformations, you can also
specify options to influence the overall behavior of the sed program.
The following are some important command line options for sed:

-n, --quiet, --silent. By default, sed will print all lines on standard output after
they have been processed. This option suppresses the output so sed prints only
those lines for which the p editing command has been given to explicitly reenable printing.


-e command1 -e command2 ... This option is necessary when specifying two or
more editing commands. It must be inserted before each additional editing
command.

-f filename. With this option, you can specify a script file from which sed should
read its editing commands.

Each sed command can be preceded by an exact address or address range specifying
the lines to which the editing command applies; without an address, the command is
applied to every line. One of the more frequently used address labels is $, which
stands for the last line.
The following are two examples of the sed command:

sed -n 1,9p somefile

This command prints only lines 1 through 9 on stdout.

sed '10,$d' somefile

This command deletes everything from line 10 to the end of the file, so only the
first 9 lines of somefile are printed. (The command is quoted so that the shell
does not try to expand $d as a variable.)

You can use a regular expression to define the address or address range for an editing
command. Regular expressions must be enclosed in forward slashes. If an address is
defined with such an expression, sed processes every line that includes the given
pattern.
The following is an example of using regular expressions:
sed -n '/Murphy.*/p' somefile
This example prints all lines that contain the pattern Murphy.*.
If you want sed to perform several editing commands for the same address, you need
to enclose the commands in braces (and quote the whole script, since the shell would
otherwise interpret the braces and the semicolon), as in the following:
sed '1,10{command1 ; command2}' somefile
The following lists the most important editing commands available for sed:

Table 11-1    sed Commands

Command   Example                     Editing Action
a         sed 'a\text' file           Append text after the specified line.
c         sed '2000,$c\text' file     Replace the specified lines with the text.
d         sed '10,$d' file            Delete the specified lines.
i         sed 'i\text' file           Insert text before the specified line.
s         sed 's/x/y/option' file     Search and replace. The search pattern x is
                                      replaced with pattern y. The search and the
                                      replacement pattern are regular expressions in
                                      most cases, and the search and replace behavior
                                      can be influenced through various options.
y         sed 'y/abc/xyz/' file       Replace every character from the set of source
                                      characters with the character that has the same
                                      position in the set of destination characters.

You can use the following options with the s command (search and replace):

I: Do not distinguish between uppercase and lowercase letters.

g: Replace globally wherever the search pattern is found in the line instead of
replacing only the first instance.

n: Replace the nth matching pattern only.

p: Print the line after replacing.

w: Write the resulting text to the specified file rather than printing it on stdout.

The following are some examples of using the s command. The editing command is
quoted so that the shell passes spaces and backslashes to sed unchanged:

sed 's/:/ /' /etc/passwd

This replaces the first colon in each line with a space.

sed 's/:/ /g' /etc/passwd

This replaces all colons in all lines with a space.

sed 's/:/ /2' /etc/passwd

This replaces only the second colon in each line with a space.

sed -n 's/\([aeiou]\)/\1\1/Igp'

This replaces all single vowels with double vowels. The example shows how
matched patterns can be referenced with \1 if the search pattern is given in
parentheses that have to be escaped. The I option ensures that sed ignores the
case. The g option causes characters to be replaced globally. The p option tells
sed to print all lines processed in this way.
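The addressing forms and s-command flags above, run as an added example (not the course's commands) over a constructed /etc/passwd-style sample instead of the real file. Each sed script is single-quoted so the shell leaves backslashes, braces and $ to sed; the I flag is a GNU sed extension, which is the sed that SLED 11 ships.

```shell
#!/bin/bash
# Added example (not from the course manual): sed addresses, braces,
# back-references and s-command flags over a constructed sample.

# Constructed sample lines in /etc/passwd format (not real accounts).
SAMPLE='root:x:0:0:root:/root:/bin/bash
geeko:x:1000:100:Geeko Chameleon:/home/geeko:/bin/bash
tux:x:1001:100:Tux Penguin:/home/tux:/bin/bash
nobody:x:65534:65534:nobody:/var/lib/nobody:/bin/false'

# -n plus p: print only the lines in the address range 1,2.
first_two()     { printf '%s\n' "$SAMPLE" | sed -n '1,2p'; }

# Regular-expression address: print only lines ending in "bash".
shell_users()   { printf '%s\n' "$SAMPLE" | sed -n '/bash$/p'; }

# Braces: two commands for one address. For lines whose shell is
# /bin/false, delete everything from the first colon on, then print.
nologin_names() { printf '%s\n' "$SAMPLE" | sed -n '/false$/{s/:.*//;p;}'; }

# Back-references: \1 is the login name (field 1), \2 the home directory
# (field 6); the greedy .* swallows the fields in between.
login_and_home() {
    printf '%s\n' "$SAMPLE" | sed 's/^\([^:]*\):.*:\([^:]*\):[^:]*$/\1 \2/'
}

# Numeric flag: replace only the second colon of each line.
second_colon()  { printf '%s\n' "$SAMPLE" | sed 's/:/ /2'; }

# I and g flags: double every vowel, ignoring case, everywhere in the line.
double_vowels() { printf '%s\n' "$1" | sed 's/\([aeiou]\)/\1\1/Ig'; }

# y: transliterate each source character to the destination character
# at the same position (a -> x, b -> y, c -> z).
translate_chars() { printf '%s\n' "$1" | sed 'y/abc/xyz/'; }

# Demonstration when run directly.
for f in first_two shell_users nologin_names login_and_home second_colon; do
    echo "== $f"
    "$f"
done
echo "== double_vowels Eve";    double_vowels Eve
echo "== translate_chars cab";  translate_chars cab
```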

Use the test Command


The test command exists both as a built-in command and as an external command.
It is used to compare values and to check files and their properties: whether a file
exists, whether it is executable, and so on.
If a tested condition is true, test returns an exit status of 0; if the condition is not true,
the exit status is 1. In shell scripts, test is used mainly to declare conditions to
influence the operation of loops, branches, and other statements.
The following is the test syntax:
test condition or [ condition ]
You can use the test command to do the following:

Test whether a file exists. Following are some of the available options:

Table 11-2    test Options for Files

Option    Description
-d        File exists and is a directory
-e        File exists
-f        File exists and is a regular file
-x        File exists and is an executable file

Compare two files. Following are some of the available operators:

Table 11-3    test Options for Comparing Files

Option    Description
-ef       Refers to the same inode (such as a hard link)
-nt       Newer than
-ot       Older than

Compare two integers. The available operators are:

Table 11-4    test Options for Integers

Option    Description
-eq       Equal to
-ge       Greater than or equal to
-gt       Greater than
-le       Less than or equal to
-lt       Less than
-ne       Not equal to

Test strings. Following are some of the available operators:

Table 11-5    test Options for Strings

Option                     Description
test -z string             Exit status is 0 (true) if the string has zero length
                           (is empty)
test string                Exit status is 0 (true) if the string has nonzero
                           length (consists of at least one character)
                           (same as test -n string)
test string1 = string2     Exit status is 0 (true) if the strings are equal
test string1 != string2    Exit status is 0 (true) if the strings are not equal

Combine tests. Following are some of the available operators:

Table 11-6    test Options for Conditions

Option                           Description
test ! condition                 Exit status is 0 (true) if the condition is not true.
test condition1 -a condition2    Exit status is 0 (true) if both conditions are true.
test condition1 -o condition2    Exit status is 0 (true) if either condition is true.

NOTE: For more detailed information about test, in a terminal window enter help test or man
test. The built-in test command and the external one have identical features.

Use the tr Command


The tr command translates (replaces) or deletes characters. It reads from standard
input and prints the result on standard output. With tr, you can replace regular
characters or sequences of such characters and special characters like \t (horizontal
tab) or \r (return).
A complete list of all special characters handled by tr is included in the man page of
the program.
The following is the standard syntax of tr:
tr set1 set2
The characters included in set1 are replaced with the characters included in set2.
The following is an example of using the tr command:
cat text-file | tr a-z A-Z


This command causes all lowercase characters in a file to be changed to uppercase,
and the result is printed to stdout.
You can use tr to delete characters from the first set by entering the following:
tr -d set1
This will not translate anything; it only deletes the characters included in set1,
printing the rest to standard output.
The following is another example of using the tr command:
VAR=$(echo "$VAR" | tr -d %)
In this example, tr deletes the percent sign from the original value of VAR and the
result is assigned as a new value to the same variable.
By entering a command like
tr -s set1 char
you can also use tr to replace a set of characters with a single character.


Summary

Objective: Understand Bash Basics

The Bourne Again SHell (Bash) is the default shell in SUSE Linux Enterprise 11.
On the command line, you enter the command and optional parameters.
The output of a command can be redirected to a file using the > (or >>) operator.
Error messages can be redirected to a file using the 2> operator. Use 2>&1 to
redirect error messages to file descriptor 1 instead of 2.
The output of one command can be used as input of another command using the
pipe (|) operator.
Variables are used to store and access data in memory during the execution of a
program.
Based on the return value of a program, decisions can be made regarding the next
steps to be taken within a script.

Objective: Use Basic Script Elements

A shell script is basically an ASCII text file containing commands to be executed in
sequence. To allow this, permissions for the script file are set to r (readable) and
x (executable) for the user that runs it.
Any command you use at the command line can also be used in a shell script.
A shell script always starts with a line like #!/bin/bash to indicate the interpreter
of the script.

Objective: Understand Variables and Command Substitution

Variables are an important component of all programming languages. You can
consider variables as containers that hold data. Instead of the data itself, the
variable is used in the program code.
When you assign a variable, you use just the name of the variable. When you access
the data of a variable, you put a $ before the variable name.
The term command substitution basically means that the output of a command is
used in a shell command line or a shell script. The commands are included in $(...).

Objective: Use Control Structures

Control structures are used to make the execution of parts of a script dependent on
certain conditions or to repeat parts of a script.
Branches can be created with if or case. Loops are implemented with while, until,
or for.

Objective: Use Arithmetic Operators

Shell scripts often use values assigned to variables for calculation. Several ways to
implement this exist.
The Bash shell comes with built-in support for arithmetic operations, but we found
some limitations to this. The arithmetic capabilities of Bash are limited in the
following ways:

Only operations with whole numbers (integers) can be performed.

All values are signed 64-bit values. Thus, possible values range from -2^63 to
+2^63 - 1.

For floating point operations, you need to use external commands, such as bc, when
working with bash.

Objective: Read User Input

One way to read user input is to use the read command. The read command takes
one or several variables as arguments and stores the read input in the variable or
variables. The variables can then be used to process the user input.
The following example reads user input into the variable with the name VARIABLE.
read VARIABLE

Objective: Use Arrays

Arrays are basically variables that can hold more than one value. To identify a value
in an array, a numerical index is used. The index is written in square brackets after
the array name.
lines[1]="Hello World"
This line assigns the string Hello World to the index 1 of the array with the name
lines (the value is quoted because it contains a space).
To access a value in an array, you have to put braces around the array name.
echo ${lines[1]}

Objective: Finalize the Course Project

In this objective, you created a backup script that keeps versions of files.

Objective: Use Advanced Scripting Techniques

In this objective, you learned how to create and use shell functions and how to
evaluate command line options.

Objective: Learn about Useful Commands in Shell Scripts

Useful commands that can be used in shell scripts include the following:

cat

cut

date

grep

sed

test

tr

SECTION 12

Deploy SUSE Linux Enterprise Desktop 11

This section explains how to deploy SUSE Linux Enterprise Desktop 11 (SLED 11).
Which deployment method you choose will depend to a large degree on the number
of workstations you want to deploy. The installation of hundreds of machines
requires a different approach than the installation of just a few.
Section Objectives

In this section, you learn how to do the following:

1. Understand Autoinstallation Basics on page 428

2. Create a Configuration File for AutoYaST on page 432

3. Use an Installation Server on page 437

4. Perform an Automated Installation on page 438


Objective 1

Understand Autoinstallation Basics


If you are installing a single machine, a manual installation using the installation
DVD is the best option. However, alternatives are needed when the number of
machines you plan to install increases.
You can start the installation using the SLED 11 DVD, a USB stick, or a PXE capable
network card. The installation source can be the DVD or an installation server in the
network. The supported protocols for accessing the repository on the installation
server are NFS, HTTP, FTP, and SMB/CIFS.
To find the optimum solution for your network, you need to understand the
following:

Installation Options on page 428

Deployment Strategies on page 429

AutoYaST Basics on page 431

Installation Options
Before you decide which method you will use to install SLED 11, you need to
consider the following:

Boot Media on page 428

Installation Source on page 429

Configuration on page 429

Boot Media

To install a machine, you have to choose a boot medium to boot the machine.

Installation DVD
The installation DVD is bootable and can be used to start the installation or to
boot a rescue system.
Different kernel parameters can be set if you have trouble with the default
parameters. For example, you can disable ACPI or local APIC, or use safe
settings.

USB stick
Modern hardware allows booting from a USB device.

PXE-capable network card


If the machine is equipped with a PXE-capable network card, it can load the boot
image from a TFTP server in the network. If the network card also supports
Wake on Lan, a completely remote installation is possible.


Installation Source

You can use different installation sources.

Installation DVD
The installation DVD contains all files needed to install SLED 11.

Installation Server
The files needed for installation can be stored on a server in the network.
Protocols available are HTTP, FTP, NFS, or SMB/CIFS. SLP can be used to
advertise the installation server in the network.

Configuration

You can use one of the following approaches to configure the newly installed
computer.

Local
This is usually used when booting and installing from DVD. The administrator is
present in front of the machine and types all information required (such as hard
disk partitioning, IP address, and hostname) when prompted by YaST during
installation.

Remote (VNC or SSH)


The administrator does not have to be present at the machine being installed, but
uses VNC or SSH from his or her workstation to connect to the machine. The
administrator still has to enter the required information into the dialogs during
installation.

AutoYaST
The configuration information is contained in a control file in XML format. The
file can be created in a way that renders manual intervention during the
installation process completely unnecessary.
The file can be made available to the system being installed via USB device, or
the network.
You learn how to create an AutoYaST control file later in this section.

Boot media, installation source, and configuration methods can be combined
according to your needs. You could boot from DVD, use an installation server, and
configure the machine via VNC; or you could boot using PXE, and use an installation
server and an AutoYaST control file available on the installation server. These are
only two examples; other combinations are possible as well.

Deployment Strategies
Your strategy will depend to a large degree on the number of machines you need to
deploy. Let's consider three different orders of magnitude.

Deploy Up to 10 Workstations on page 430

Deploy Up to 100 Workstations on page 430

Deploy More than 100 Workstations on page 430

Deploy Up to 10 Workstations

If you have to deploy only a few workstations, it might not be worth the effort to set
up an installation server, much less to create an AutoYaST control file.
The approach that takes the least preparation is a manual installation using the
installation DVD. Because an installation server is very convenient and does not take
long to set up, you might still consider using one. Additional installations are
facilitated and, when you need to add software to existing installations later, you do
not require the installation DVD to be at hand.
Setting up an installation server is covered in SUSE Linux Enterprise
Server 11 Administration (Course 3103).
Deploy Up to 100 Workstations

If you have to deploy more than 10 workstations, you will find that an installation
server and the remote installation capabilities of SLED 11 greatly facilitate the task.
While physical access to the machines is still required to boot them, you do not need
to sit in front of each machine during the whole installation. Using remote access via
VNC or SSH, you can control the installation of multiple machines at the same time
from your workstation.
Setting up DHCP and TFTP servers in addition to the installation server makes it
unnecessary to physically access the machines to boot them, provided the hardware
allows booting from the network as well as Wake on LAN. Without AutoYaST, you
would still have to configure the workstations manually via the network.
The more machines you have to install, the more worthwhile it becomes to avoid the
manual configuration. The effort to create and test workable AutoYaST control files
is outweighed by the reduced time spent on configuring individual machines.
Deploy More than 100 Workstations

If you are installing more than 100 machines, walking from machine to machine to
install them is no longer an option. Even remote configuration becomes cumbersome.
The rollout of a large number of machines is facilitated by AutoYaST. AutoYaST
controls the installation with an XML file that contains the machine-specific
information, such as IP address, hostname, and partitioning. Manual intervention
during the installation process is unnecessary.
AutoYaST allows you to create profiles containing all configuration information.
Because YaST hardware detection is used during installation, the same file can be
used to install machines with non-identical hardware.

If the differences in hardware are significant (for example, SCSI disks versus IDE
disks), you can create rules that determine which of several AutoYaST files should be
used for the hardware found.
In addition to the hardware, other parameters, such as IP addresses, can also serve as
criteria. You could create different profiles for development workstations and for
workstations used in HR and base the decision of which profile to use for installation
on the IP address the workstation gets via DHCP.

AutoYaST Basics
AutoYaST is used for automated installations on SLED 11. All information needed
during installation, such as partitioning or software selection, is provided by a control
file in XML format. No manual intervention is necessary during the installation
process.
If you have to install several systems with the same setup, you can save time by
automating the installation. Depending on your requirements, you can ensure all
systems are set up with the same configuration, or you can configure systems
individually with specific control files.
You should not confuse auto installation with cloning or imaging. An automated
installation is a regular installation where answers to questions asked during the
installation are contained in the control file. The hardware detection is still done so
that the same control file can be used on diverse hardware. Imaging or cloning
generally requires the source and target of the image to have identical hardware.
AutoYaST is optimally used in conjunction with an installation server that is also
providing a TFTP and a DHCP server. This setup has the following advantages:

To start the installation, you only have to insert a suitable boot disk. If you are
using PXE boot-enabled network interface cards, not even a boot disk is
required.

The computer receives all information necessary for the installation via the
network.

Even on-site attendance of an administrator is unnecessary for the installation if
the network card supports Wake on LAN.

The installation server can be accessed via the NFS, HTTP, and FTP protocols.

This results in a highly simplified installation of a large number of individually
configured computers.
AutoYaST can also be used to copy additional files to the installed system and can
include scripts that are executed at the end of the installation.
You can create a control file at installation time. In the last menu of the installation
process, you can check the box Clone This System. This will create an
autoinst.xml file in the home directory of the root user (/root). The creation
of an AutoYaST control file using the YaST AutoYaST module is covered later in this
section.


Objective 2

Create a Configuration File for AutoYaST


The easiest way to create a configuration file for AutoYaST is to use the YaST
Autoinstallation module. Select Computer > YaST > Miscellaneous >
Autoinstallation, or log in as root and enter yast2 autoyast in a terminal
window.
This module starts with the following dialog:

Figure 12-1: The YaST Autoinstallation Dialog

The left part of the window contains the YaST groups you know from the left frame
of the YaST dialog. The center frame contains the YaST modules available in the
group. The right frame lists the settings made in this module for the autoinstallation.
NOTE: At the beginning, default values based on the current system configuration are listed in the
right frame.

NOTE: You do not need to configure every single aspect of the machines to be installed because
the automated installation makes use of the hardware detection capabilities of YaST. For example,
you do not need to provide the type of network card because the hardware detection will take care of
this.

Clicking Edit opens the same YaST configuration dialogs as those you see when
installing or administering SLED 11. However, the configuration information is
written to the AutoYaST control file. Nothing is changed on the installation you work
on.
You would usually define disk layout, software selection, language settings, network
parameters, and root password. Depending on your needs, you can specify other
items, such as users and their passwords, NFS client configuration, or printer
configuration.
If you want to perform completely unattended installations, select Edit in the General
Options module in the System group of AutoYaST. Click Next in the mouse
configuration dialog and uncheck Confirm Installation in the dialog labeled Other
Options. The default is to confirm installation to avoid recursive installs when the
system schedules a reboot after initial system setup. You should also be aware that
this might cause inadvertent installations under certain circumstances.
After you have completed the configuration, select File > Save as. A dialog box is
shown with the default directory for AutoYaST configuration files,
/var/lib/autoinstall/repository/. Enter a name for the file (hostname.xml, for
example).
You can change the default directory for AutoYaST configuration files via the File >
Settings menu.
If you do not want to begin from scratch, you can use the current machine as a
template. Select Tools > Create Reference Profile. The following dialog appears:

Figure 12-2: Create a Reference Control File

The reference profile is created by reading information from the system you work on.
By default, an exact copy of the configuration for all basic resources is created.
To add other necessary information for your machine, use the check boxes in the
main window.
NOTE: Be sure to examine any resulting control file carefully before using it to autoinstall a new
system.

To view the configuration created, select View > Source.

Figure 12-3: View an AutoYaST Source File

After you have completed your configuration, save it by selecting File > Save as as
described above.
You can also create the control file using an editor of your choice. The advantage of
the YaST module is that it saves a lot of typing, and the XML syntax of the resulting
file is correct. Another approach is to create a control file with YaST; then use an
editor for minor changes and additions.
NOTE: More information on AutoYaST can be found in
/usr/share/doc/packages/autoyast2/html/index.html.
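The text above recommends letting YaST write the control file and using an editor only for small changes, and the earlier section mentions configuring systems individually with specific control files. The following Python script is an added example (not code from the course manual or from the AutoYaST project) that takes one YaST-created reference profile and produces one hostname.xml per machine with a static address filled in, so nothing is edited by hand. The element names it touches (networking, dns, hostname, interfaces, interface, bootproto, ipaddr, netmask) follow the AutoYaST profile layout as I know it; check them against the local AutoYaST documentation named above. The reference profile and the host table are constructed samples.

```python
"""Generate per-host AutoYaST control files from one reference profile.

Added example, not part of the course manual or of AutoYaST itself.
The reference profile and the host table below are constructed samples;
the element names are assumed to match the AutoYaST profile layout.
"""
import xml.etree.ElementTree as ET

YAST_NS = "http://www.suse.com/1.0/yast2ns"
CONFIG_NS = "http://www.suse.com/1.0/configns"
# Keep the namespaces as AutoYaST writes them (no generated ns0: prefixes).
ET.register_namespace("", YAST_NS)
ET.register_namespace("config", CONFIG_NS)


def q(tag):
    """Qualified tag name in the yast2ns namespace."""
    return "{%s}%s" % (YAST_NS, tag)


# Constructed reference profile: a YaST-created file trimmed to the
# networking section that this example rewrites.
REFERENCE_PROFILE = """<?xml version="1.0"?>
<!DOCTYPE profile>
<profile xmlns="http://www.suse.com/1.0/yast2ns"
         xmlns:config="http://www.suse.com/1.0/configns">
  <networking>
    <dns>
      <hostname>template</hostname>
      <domain>example.com</domain>
    </dns>
    <interfaces config:type="list">
      <interface>
        <device>eth0</device>
        <bootproto>dhcp</bootproto>
        <startmode>auto</startmode>
      </interface>
    </interfaces>
  </networking>
</profile>
"""

# Constructed host table: hostname -> (static address, netmask).
HOSTS = {
    "ws01": ("10.0.0.11", "255.255.255.0"),
    "ws02": ("10.0.0.12", "255.255.255.0"),
}


def _set_child(parent, tag, text):
    """Create or overwrite a single child element with the given text."""
    child = parent.find(q(tag))
    if child is None:
        child = ET.SubElement(parent, q(tag))
    child.text = text
    return child


def render_profile(template_xml, hostname, ipaddr, netmask):
    """Return the control file for one host as an XML string."""
    root = ET.fromstring(template_xml)
    networking = root.find(q("networking"))
    if networking is None:
        raise ValueError("reference profile has no <networking> section")
    dns = networking.find(q("dns"))
    if dns is None:
        dns = ET.SubElement(networking, q("dns"))
    _set_child(dns, "hostname", hostname)
    iface = networking.find("%s/%s" % (q("interfaces"), q("interface")))
    if iface is None:
        raise ValueError("reference profile has no <interface> entry")
    _set_child(iface, "bootproto", "static")   # template used DHCP
    _set_child(iface, "ipaddr", ipaddr)
    _set_child(iface, "netmask", netmask)
    if hasattr(ET, "indent"):                  # pretty-print on Python 3.9+
        ET.indent(root)
    return ('<?xml version="1.0"?>\n<!DOCTYPE profile>\n'
            + ET.tostring(root, encoding="unicode"))


def profile_summary(xml_text):
    """Read back hostname, bootproto and ipaddr to verify a generated file."""
    root = ET.fromstring(xml_text)
    net = root.find(q("networking"))
    iface = net.find("%s/%s" % (q("interfaces"), q("interface")))
    return {
        "hostname": net.find("%s/%s" % (q("dns"), q("hostname"))).text,
        "bootproto": iface.find(q("bootproto")).text,
        "ipaddr": iface.find(q("ipaddr")).text,
    }


def render_all(template_xml=REFERENCE_PROFILE, hosts=HOSTS):
    """Map hostname -> generated control file for every host in the table."""
    return {h: render_profile(template_xml, h, ip, nm)
            for h, (ip, nm) in hosts.items()}


if __name__ == "__main__":
    for host, xml_text in render_all().items():
        with open(host + ".xml", "w") as f:    # e.g. ws01.xml, ws02.xml
            f.write(xml_text)
        print(host, profile_summary(xml_text))
```

Keeping the YaST-generated file as the single source means a change to the software selection or partitioning is made once and regenerated for every host; before using the generated files, open one in the YaST Autoinstallation module (View > Source) to confirm it still loads, as the note above advises.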

Exercise 12-1

Create an AutoYaST Control File

In this exercise, you create an AutoYaST control file based on the current
configuration of your SLED 11.
You will find this exercise in the workbook.
(End of Exercise)

Objective 3

Use an Installation Server

To use the installation server, you have to specify the server when the initial boot
screen shows up. With the Down key, move to Installation; press F3 and then F4. In
the menu, select the installation server type you want to use.

Figure 12-4: Boot Via NFS

In the dialog that appears, enter the hostname of the server and the directory on the
server. Depending on the server type, you might need to enter additional parameters.
Instead of choosing NFS in the menu and entering the IP address and path in the
dialog, you can type install=nfs://IP_address/path/ in the Boot
Options line.
After you press Enter, the installation system connects to the installation server and
loads all files needed for installation over the network.

Objective 4

Perform an Automated Installation

To start the automated installation, make the AutoYaST control file available on the
machine to be installed. This can be combined with any installation method, be it
from the installation media or an installation server in the network.
To perform automated installations, you need to

Provide the Control File on page 438
Boot and Install the System on page 438
Perform an Automated Installation of SUSE Linux Enterprise Desktop on page 440

Provide the Control File

Various ways exist to make the control file available.
One is to copy the file to a USB stick formatted with a FAT file system.
NOTE: Do not use a USB stick with an Ext2 file system.

If you name the file on the USB stick autoinst.xml and insert the USB stick, it
will be used automatically. If you use a different name, you have to add the following
to the kernel command line at the boot prompt of the installation:
autoyast=usb:///myconfig.xml

Another way to make the control file available is via the network. That is especially
useful in combination with an installation server. In this case, the kernel command
line would look similar to the following:
autoyast=nfs://10.0.0.254/srv/install-repo/sled11/ay/myconfig.xml

Boot and Install the System

Once you have your control file created and tested, you have several options to install
machines with it:

Boot and Install from DVD on page 438
Boot from DVD, Install from an Installation Server on page 439
Boot via PXE, Install from an Installation Server on page 439

Boot and Install from DVD

Use a control file on a USB stick or on an exported file system in combination with
the installation DVD to boot and install the computer.
However, for larger deployment, this is not really efficient. While it saves the typing
of configuration information, you still have to walk from computer to computer,
insert the media and start the installation manually. Later you have to come back to
remove the installation media again.

Boot from DVD, Install from an Installation Server

Even when using the DVD or USB stick to boot, an installation server has the
advantage that you can remove the boot media as soon as the actual installation has
started.
Provided you have a DHCP server running which provides all network information
during installation, the steps are as follows:

1. Insert the installation DVD into your machine and start the boot process.

2. Select Installation on the first boot screen. Be sure to do this within 10 seconds;
   otherwise, the system starts from the hard disk.

3. Provide the necessary information for an automated installation with AutoYaST.
   At the boot prompt, enter the following parameters. We assume here that the
   installation repository is available via NFS from 10.0.0.254/srv/
   install-repo/sled11/, and that the control file is available at the same
   location.

   autoyast=nfs://10.0.0.254/srv/install-repo/sled11/ay/autoinst.xml
   install=nfs://10.0.0.254/srv/install-repo/sled11
   splash=verbose

   The last parameter switches to the detailed display during the boot process, so
   you can easily look at the boot messages.
   After a short time, YaST starts. At this point, you can remove the boot medium.
   The installation proceeds as usual, but because of the control file, no user
   interaction is necessary. After some checks, the packages are copied from the
   NFS server.
   The system is rebooted at the end of the installation process. After the reboot,
   you may log in as root without a password if no password was set in the
   AutoYaST configuration file. In this case, you should immediately set a
   password for root.
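Two caveats in this section are easy to miss once a control file is in use: the General Options note that clearing Confirm Installation can cause inadvertent installations, and the step above that root may log in without a password after the reboot if none was set in the control file. The following Python script is an added example (not code from the course manual or from AutoYaST) that audits a control file for both points before it is copied to the installation server. It assumes the profile layout for these settings as I know it: confirm under general/mode, and a root entry under users with user_password and encrypted; a missing encrypted element is treated as clear text. The three sample profiles are constructed.

```python
"""Audit an AutoYaST control file for unattended-install and root-password
settings before it is put on the installation server.

Added example, not part of the course manual or of AutoYaST itself.
The profile element names are assumed to follow the AutoYaST layout;
the sample profiles below are constructed.
"""
import xml.etree.ElementTree as ET

YAST_NS = "http://www.suse.com/1.0/yast2ns"
CONFIG_NS = "http://www.suse.com/1.0/configns"


def q(tag):
    """Qualified tag name in the yast2ns namespace."""
    return "{%s}%s" % (YAST_NS, tag)


def _text(elem, path):
    """Text of the element at path (list of tag names) below elem, or None."""
    found = elem.find("/".join(q(p) for p in path))
    return found.text.strip() if found is not None and found.text else None


def audit_profile(xml_text):
    """Return a list of (severity, message) findings; [] means nothing to flag."""
    root = ET.fromstring(xml_text)
    findings = []

    # 1. confirm=false is what makes the installation unattended, but it also
    #    means any machine that boots with this profile is reinstalled without
    #    a prompt, which is the inadvertent-install risk the manual describes.
    confirm = _text(root, ["general", "mode", "confirm"])
    if confirm is not None and confirm.lower() == "false":
        findings.append(("notice", "confirm=false: installation starts without "
                         "confirmation; make sure only intended machines can "
                         "boot with this profile"))

    # 2. Root account: no entry or empty password means root can log in
    #    without a password after the first reboot.
    root_user = None
    for user in root.iter(q("user")):
        if _text(user, ["username"]) == "root":
            root_user = user
    if root_user is None:
        findings.append(("error", "no root entry under <users>: "
                         "root password is not set"))
    else:
        password = _text(root_user, ["user_password"])
        encrypted = _text(root_user, ["encrypted"]) or "false"
        if not password:
            findings.append(("error", "root user has an empty password"))
        elif encrypted.lower() != "true":
            findings.append(("error", "root password is stored in clear text "
                             "(<encrypted> is not true)"))
    return findings


def make_profile(confirm, users_block):
    """Build a constructed minimal profile around the parts being audited."""
    return """<?xml version="1.0"?>
<!DOCTYPE profile>
<profile xmlns="%s" xmlns:config="%s">
  <general><mode><confirm config:type="boolean">%s</confirm></mode></general>
  <users config:type="list">%s</users>
</profile>""" % (YAST_NS, CONFIG_NS, confirm, users_block)


# Constructed sample entries; the hash below is a placeholder, not a real one.
ROOT_HASHED = ('<user><username>root</username>'
               '<user_password>$6$constructedsalt$constructedhash</user_password>'
               '<encrypted config:type="boolean">true</encrypted></user>')
ROOT_CLEAR = ('<user><username>root</username>'
              '<user_password>secret</user_password>'
              '<encrypted config:type="boolean">false</encrypted></user>')

SAFE_PROFILE = make_profile("true", ROOT_HASHED)    # attended, hashed password
UNSAFE_PROFILE = make_profile("false", ROOT_CLEAR)  # unattended, clear text
NO_ROOT_PROFILE = make_profile("true", "")          # no root entry at all

if __name__ == "__main__":
    for name, profile in [("safe", SAFE_PROFILE), ("unsafe", UNSAFE_PROFILE),
                          ("no-root", NO_ROOT_PROFILE)]:
        print(name, audit_profile(profile) or "ok")
```

A control file on an NFS export or a USB stick is readable by anyone who can reach it, so even a hashed root password in it should be treated as exposed: restrict who can mount the directory holding the ay/ files, and set a new root password on the installed machines if the share is widely accessible.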
Boot via PXE, Install from an Installation Server

The advantage of using PXE for installation is that you do not have to bring a
separate boot medium to the computer. With a suitable configuration, you can offer a
menu to select what to install.
In fact, if the network card supports Wake on LAN, you do not even have to walk to
the machine at all.
The setup to support booting via the network is not covered in this course.
Information can be found in the documentation in
/usr/share/doc/packages/autoyast2/html/.

Exercise 12-2

Perform an Automated Installation of SUSE Linux Enterprise Desktop

In this exercise, you perform an automated installation of SLED 11.
You will find this exercise in the workbook.
(End of Exercise)


Summary
The following is a summary of what you learned in the course objectives.

Objective: Understand Autoinstallation Basics
What You Learned: SLED 11 can be deployed using manual installation with the
installation media or an installation server, or automated installation with an
AutoYaST control file. To boot the computer for installation, you can use the DVD,
boot floppies, or PXE-capable network cards in conjunction with a boot loader image
distributed via TFTP.

Objective: Create a Configuration File for AutoYaST
What You Learned: To create a configuration file for AutoYaST, use the YaST
Autoinstallation module (YaST > Miscellaneous > Autoinstallation or
yast2 autoyast). The default directory for AutoYaST configuration files is
/var/lib/autoinstall/repository/.

Objective: Use an Installation Server
What You Learned: Setting up an installation server consists of copying the content
of the installation DVD to a directory and configuring NFS to provide access to that
directory to clients.

Objective: Perform an Automated Installation
What You Learned: The control file for automated installation can be made available
by various means, including a USB device or a network share. A DHCP server that
provides all network information and an installation server simplify the installation.
If combined with PXE, completely unattended installations are possible.
