Novell Open Enterprise Server 11 SP3 Administration Guide

Brand: Novell

Model: Open Enterprise Server 11 SP3

Category: Software

Type: Administration Guide

www.novell.com/documentation

Linux User Management

Administration Guide

Open Enterprise Server 11 SP2

January 2014

Legal Notices

Novell,Inc.,makesnorepresentationsorwarrantieswithrespecttothecontentsoruseofthisdocumentation,andspecifically

disclaimsanyexpressorimpliedwarrantiesofmerchantabilityorfitnessforanyparticularpurpose.Further,Novell,Inc.,

reservestherighttorevisethispublicationandtomakechangestoitscontent,at

anytime,withoutobligationtonotifyany

personorentityofsuchrevisionsorchanges.

Further,Novell,Inc.,makesnorepresentationsorwarrantieswithrespecttoanysoftware,andspecificallydisclaimsany

expressorimpliedwarrantiesofmerchantabilityorfitnessforanyparticularpurpose.Further,Novell,Inc.,reservestheright

makechangestoanyandallpartsofNovellsoftware,atanytime,withoutanyobligationtonotifyanypersonorentityof

suchchanges.

AnyproductsortechnicalinformationprovidedunderthisAgreementmaybesubjecttoU.S.exportcontrolsandthetrade

lawsofothercountries.Youagreeto

complywithallexportcontrolregulationsandtoobtainanyrequiredlicensesor

classificationtoexport,re‐exportorimportdeliverables.Youagreenottoexportorre‐exporttoentitiesonthecurrentU.S.

exportexclusionlistsortoanyembargoedorterroristcountriesasspecifiedintheU.S.

exportlaws.Youagreetonotuse

deliverablesforprohibitednuclear,missile,orchemicalbiologicalweaponryenduses.SeetheNovellInternationalTrade

ServicesWebpage(http://www.novell.com/info/exports/)formoreinformationonexportingNovellsoftware.Novellassumes

noresponsibilityforyourfailuretoobtainanynecessaryexportapprovals.

Inc.Allrightsreserved.Nopartofthispublicationmaybereproduced,photocopied,stored

onaretrievalsystem,ortransmittedwithouttheexpresswrittenconsentofthepublisher.

Novell, Inc.

1800 South Novell Place

Provo, UT 84606

U.S.A.

www.novell.com

OnlineDocumentation:ToaccessthelatestonlinedocumentationforthisandotherNovellproducts,seetheNovell

DocumentationWebpage(http://www.novell.com/documentation/oes11).

Novell Trademarks

ForNovelltrademarks,seetheNovellTrademarkandServiceMarklist(http://www.novell.com/company/legal/trademarks/

tmlist.html).

Third-Party Materials

Allthird‐partytrademarksarethepropertyoftheirrespectiveowners.

Contents 3

Contents

About This Guide 7

1 Overview 9

1.1 Benefits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9

1.1.1 Administrator Benefits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

1.1.2 User Benefits. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

1.2 Understanding Linux User Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10

1.2.1 User Name and User ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10

1.2.2 Password. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10

1.2.3 Primary Group Name and Group ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .11

1.2.4 Secondary Group Names and Group IDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .11

1.2.5 Home Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

1.2.6 Preferred Shell. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

1.3 Understanding eDirectory Objects and Linux. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .11

1.3.1 User Accounts in eDirectory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13

1.3.2 Group Objects in eDirectory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13

1.3.3 Source Workstations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13

1.3.4 Linux/UNIX Workstation Objects in eDirectory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13

1.3.5 The Linux/UNIX Config Object in eDirectory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14

1.4 Putting It All Together. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14

1.5 What's Next . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15

2 What’s New or Changed in Linux User Management 17

2.1 What’s New (OES 11 SP2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

2.2 What’s New (OES 11 SP1) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

2.3 What’s New (OES 11) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18

3 Setting Up Linux User Management 19

3.1 Setting Up Linux Computers to Use eDirectory Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . .19

3.2 Using iManager to Enable Users for Linux Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .22

3.2.1 Running iManager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .22

3.2.2 Determining if a Computer Is Running Linux User Management . . . . . . . . . . . . . . . . . . . .23

3.2.3 Enabling eDirectory Users to Log In to Linux Computers . . . . . . . . . . . . . . . . . . . . . . . . . .24

3.3 Turning Off Linux User Management and eDirectory Authentication. . . . . . . . . . . . . . . . . . . . . . . . . 25

4 Setting Up Linux User Management for Domain Services for Windows 27

5 Linux User Management Technology 29

5.1 Tips and Technologies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .29

5.2 Understanding Linux User Management Methods for Enabling User Access . . . . . . . . . . . . . . . . . . 30

5.3 Files Modified by Linux User Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .31

5.3.1 The namcd Linux User Management Caching Daemon . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

5.3.2 Starting and Stopping namcd . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

5.4 Linux User Management and the Pluggable Authentication Module . . . . . . . . . . . . . . . . . . . . . . . . . 32

4 OES 11 SP2: Novell Linux User Management Administration Guide

6 Using the Command Line to Configure Linux User Management 33

6.1 Using namconfig . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .33

6.1.1 namconfig Command Line Parameters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .33

6.1.2 Configuring a Failover Mechanism . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .34

6.1.3 Configuring a Workstation with Linux User Management . . . . . . . . . . . . . . . . . . . . . . . . . .34

6.1.4 Configuring Linux User Management with LDAP SSL. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

6.1.5 Removing Linux User Management Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .35

6.1.6 Setting or Getting Linux User Management Configuration Parameters. . . . . . . . . . . . . . . .35

6.1.7 Using namconfig to Import an SSL Certificate. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .36

6.2 Editing the nam.conf File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

7 Managing User and Group Objects in eDirectory 41

7.1 Using Novell iManager for Linux User Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

7.1.1 Running iManager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .41

7.1.2 Creating a New Group Object for Linux User Management Users . . . . . . . . . . . . . . . . . . . 42

7.1.3 Enabling an Existing Group Object for Linux User Management . . . . . . . . . . . . . . . . . . . . 43

7.1.4 Creating a User Object for Linux User Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45

7.1.5 Enabling an Existing User Object for Linux User Management. . . . . . . . . . . . . . . . . . . . . . 46

7.1.6 Enabling Multiple Users for Linux in a LUM Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

7.1.7 Enabling Multiple Users for Linux in a Container. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

7.1.8 Modifying a UNIX Config Object . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .49

7.1.9 Modifying a UNIX Workstation Object . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .51

7.1.10 Disabling LUM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .51

7.2 Using Command Line Utilities to Manage Users and Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .52

7.2.1 Security Considerations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .52

7.2.2 nambulkadd. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .52

7.2.3 namdiagtool. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .55

7.2.4 namuseradd. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .56

7.2.5 namgroupadd. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58

7.2.6 namusermod . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .59

7.2.7 namgroupmod . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61

7.2.8 namuserdel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62

7.2.9 namgroupdel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .63

7.2.10 namuserlist . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .64

7.2.11 namgrouplist . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .64

8 Running LUM in a Virtualized Environment 67

9 Troubleshooting 69

9.1 Troubleshooting Linux User Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .69

9.1.1 Incorrect Syntax of alternate-ldap-server-list Parameter Leads to Spaces in LDAP

Certificate File Names . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .70

9.1.2 LUM User Fails to Display . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .70

9.1.3 namdiagtool Fails to Report User Conflict . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .70

9.1.4 LUM-Enabling Using iManager Fails During Custom User Selection . . . . . . . . . . . . . . . . .70

9.1.5 Reuse Group and User ID Feature of LUM (UCO) Does Not Work if the

LUM-Enabled Group or User is Deleted Using iManager . . . . . . . . . . . . . . . . . . . . . . . . . .70

9.1.6 namcd Fails to Come Up When Anonymous Binds are Disabled on the LDAP Server. . . . 71

9.1.7 Root Login to a LUM-enabled Service logs a Message in the /var/log/message File . . . . .71

9.1.8 LUM Users and Groups Are Not Displayed in the Permissions Tab of the File

Browser . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .71

9.1.9 The ls-l Command Hangs if Large Number of Users Are LUM-Enabled . . . . . . . . . . . . . . .71

9.1.10 Linux User Management Returns an Invalid UID and GID for Users and Groups. . . . . . . .72

9.1.11 namconfig Fails . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72

9.1.12 namcd Indicates That a Certificate Is Not Found. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72

9.1.13 Duplication of UIDs and GIDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .72

Contents 5

9.1.14 A User Cannot Log In . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .73

9.1.15 Password Expiration Information for the User Is Not Available . . . . . . . . . . . . . . . . . . . . . 73

9.1.16 ID Command Not Giving the Desired Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73

9.1.17 namcd Not Coming Up after a System Reboot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73

9.1.18 Log Files for Linux User Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73

9.1.19 Missing Mandatory Attribute Error When Adding a User to a Linux User

Management Group. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74

9.1.20 SUSE Linux Enterprise Desktops Configured as UNIX Workstation Objects . . . . . . . . . . . 74

9.2 Making Home Directories Private . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .74

9.3 Troubleshooting Account Redirection Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74

9.4 Changing the Name of the Original Container Passed to namconfig. . . . . . . . . . . . . . . . . . . . . . . . .75

10 Security Considerations 77

10.1 Configuring Linux User Management for Domain Services for Windows. . . . . . . . . . . . . . . . . . . . . . 77

10.2 Ensuring Unique UIDs and GIDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .77

11 Other Issues and Considerations 79

11.1 LUM Configuration Fails With an Unknown Error. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .79

11.2 LUM-Enabled Services for a Workstation Object Are Not Displayed in iManager. . . . . . . . . . . . . . . 79

11.3 Missing Details on a LUM Group in iManager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .79

11.4 Allocating User IDs and Group IDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .80

11.5 RFC 2307 Schema Extension . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80

11.6 Running Linux User Management in a Virtualized Environment . . . . . . . . . . . . . . . . . . . . . . . . . . . .80

11.7 Configuring Linux User Management for Novell Cluster Services . . . . . . . . . . . . . . . . . . . . . . . . . . .80

11.8 Usernames for Linux User Management Users. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80

A Documentation Updates 81

A.1 January 2014 (OES 11 SP2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81

A.1.1 What’s New or Changed in Linux User Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81

A.1.2 New Parameter in nam.conf . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81

A.2 April 2012 (OES 11 SP1) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81

A.2.1 What’s New or Changed in Linux User Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82

A.2.2 Enabling Multiple Users for Linux in a LUM Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .82

A.2.3 Enabling Multiple Users for Linux in a Container. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .82

6 OES 11 SP2: Novell Linux User Management Administration Guide

About This Guide 7

About This Guide

ThisguideexplainsanddescribeshowtouseNovellLinuxUserManagement(LUM),adirectory‐

enabledapplicationthatsimplifiesandunifiesthemanagementofuserprofilesonLinuxplatforms.

LinuxUserManagementleveragesallthescalability,utility,andextensibilityofNetIQeDirectory

andaddscrucialintegrationcapability.WithLinuxUserManagement,

youcaneliminatemanyofthe

complexitiesofadministeringamixed‐platformnetworkwhilesmoothingovercompatibilityissues.

Thisguideisdividedintothefollowingsections:

 Chapter 1,“Overview,”onpage 9

 Chapter 2,“What’sNeworChangedinLinuxUserManagement,”onpage 17

 Chapter 3,“SettingUpLinuxUserManagement,”onpage 19

 Chapter 4,“Setting

UpLinuxUserManagementforDomainServicesforWindows,”onpage 27

 Chapter 5,“LinuxUserManagementTechnology,”onpage 29

 Chapter 6,“UsingtheCommandLinetoConfigureLinuxUserManagement,”onpage 33

 Chapter 7,“ManagingUserandGroupObjectsineDirectory,”onpage 41

 Chapter 8,“RunningLUMinaVirtualizedEnvironment,”onpage 67

 Chapter 9,

“Troubleshooting,”onpage 69

 Chapter 10,“SecurityConsiderations,”onpage 77

 Chapter 11,“OtherIssuesandConsiderations,”onpage 79

 Appendix A,“DocumentationUpdates,”onpage 81

Audience

Thisguideisintendedfornetworkadministratorsresponsibleforintegratingandmanagingusersin

aLinuxandeDirectoryenvironment.

Feedback

Wewanttohearyourcommentsandsuggestionsaboutthismanualand theotherdocumentation

includedwiththisproduct.PleaseusetheUserCommentsfeatureatthebottomofeachpageofthe

onlinedocumentation.

Documentation Updates

ThemostrecentversionofLinuxUserManagementAdministrationGuideisavailableontheNovell

documentationWebsite(http://www.novell.com/documentation/oes11).

8 OES 11 SP2: Novell Linux User Management Administration Guide

Overview 9

Overview

LinuxUserManagementletsyouconfigureLinuxworkstationsandserversonthenetworksousers

canlogintothembyusinguserlogininformationstoredineDirectoryinsteadofuserlogin

informationstoredoneachcomputer.

 Section 1.1,“Benefits,”onpage 9

 Section 1.2,“UnderstandingLinuxUserAccounts,”onpage 10

 Section 1.3,“Understanding

eDirectoryObjectsandLinux,”onpage 11

 Section 1.4,“PuttingItAllTogether,”onpage 14

 Section 1.5,“WhatʹsNext,”onpage 15

1.1 Benefits

LinuxUserManagementandeDirectoryworktogethertosimplifyadministrationandprovideusers

withaccesstonetworkresources.

 Section 1.1.1,“A d m i n i s t r a t o r Benefits,”onpage 9

 Section 1.1.2,“UserBenefits,”onpage 9

1.1.1 Administrator Benefits

UsingLinuxUserManagementandeDirectorytomanageuserlogininformationeliminatestheneed

tocreatelocalusersinthe

/etc/passwd

and

/etc/shadow

filesoneachLinuxcomputer.Itsimplifies

useraccountmanagementbyconsolidatinguseraccountsintoacentralpointofadministration.

YoucanuseeDirectorytoolsandtechnologiestomanageaccesstoLinuxresourcesonthenetwork.

Afterauthenticating,usershavetherightsandprivilegesasspecifiedineDirectory.Theseare

the

samerightsandprivilegesthatwouldtypicallyneedtobestoredinalocalaccountorredirectedto

otherauthenticationmethods,suchasNIS(NetworkInformationService).Theuseraccount

informationstoredineDirectoryletsusersaccessfileandprinterresourcesonthenetwork.

1.1.2 User Benefits

UserscanlogintoLinuxcomputersbyusingaccessmethodssuchaslogin,FTP,SSH,su,rsh,rlogin,

andgdm(GNOME).TheysimplyentertheirfamiliareDirectorycredentials.Thereisnoneedto

rememberafullcontext.LinuxUserManagementfindsthecorrectuserineDirectory.

Userscanlogin

once,usingasingleusernameandpassword,andhaveseamlessaccesstoalltheir

networkresourcesregardlessofplatform.

10 OES 11 SP2: Novell Linux User Management Administration Guide

1.2 Understanding Linux User Accounts

SettingupandusingeDirectorytomanageLinuxaccessrequiresyoutounderstandhowtheLinux

operatingsystemmanagesuserlogins.

UserswhowanttologintoaLinuxcomputermusthaveanexistinguseraccount,whichconsistsof

propertiesthatallowausertoaccessfilesandfoldersstored

onthecomputer.Thisaccount

informationcanbecreatedandstoredonthecomputeritselforonanothercomputeronthenetwork.

Accountsstoredonthecomputerarecalledlocaluseraccounts.AccountsstoredineDirectoryare

calledeDirectoryuseraccounts,regardlessofwhethertheyarestoredonthesame

computeroranother

computer.AtypicalaccountusedtologintoaLinuxcomputerconsistsofthefollowinginformation:

 UsernameanduserID(UID)

 Password

 PrimarygroupnameandgroupID(GID)

 SecondarygroupnamesandgroupIDs

 Locationofthehomedirectory

 Preferredshell

Whenalocaluseraccount

iscreated,Linuxrecordstheuser’slogininformationandstoresthevalues

inthe

/etc/passwd

fileonthecomputeritself.The

passwd

filecanbeviewedandeditedwithany

texteditor.Eachuseraccounthasanentryrecordedinthefollowingformat:

username:password:UID:GID:name:home directory:shell

1.2.1 User Name and User ID

TheusernameanduserID(UID)identifytheuseronthesystem.Whenauseraccountiscreated,itis

givenanameandassignedaUIDfromapredeterminedrangeofnumbers.TheUIDmustbea

positivenumberandisusuallyabove500foruseraccounts.Systemaccountsusually

havenumbers

below100.

1.2.2 Password

Eachuseraccounthasitsownpassword,whichisencryptedandstoredonthecomputeritselforon

anothercomputeronthenetwork.Localpasswordsarestoredinthe

/etc/passwd

fileor

/etc/

shadow

file.Whentheuserlogsinbyenteringausernameandpassword,Linuxtakestheentered

password,encryptsit,andthencomparestheencryptedvaluetothevalueofthepasswordstoredin

theuseraccount.Iftheenteredvalueisthesameasthevaluestoredinthepassword

fieldonthe

computer,theuserisgrantedaccess.

Administratorsoftenusethe

/etc/passwd

filetoholduseraccountinformationbutstorethe

encryptedpasswordinthe

/etc/shadow

file.Whenthismethodisused,the

passwd

fileentryhasan

xinthepasswordfield.

Overview 11

1.2.3 Primary Group Name and Group ID

Groupsareusedtoadministerandorganizeuseraccounts.Whenrightsandpermissionsare

assignedtoagroup,alluseraccountsthatarepartofthegroupinheritthesamerightsand

permissions.Thegrouphasauniquenameandidentificationnumber(GID).TheprimaryGIDand

groupnamearestored

asentriesinthe

/etc/passwd

fileonthecomputerwhereuseraccountsare

createdorineDirectory.

Eachuserhasadesignatedprimary(ordefault)groupandcanalsobeamemberofadditional

groupscalledsecondarygroups.Whenuserscreatefilesorlaunchprograms,thosefilesandprograms

areassociatedwithaprimaryor

secondarygroup.Auserwhoisapartofthegroupcanaccessthese

fileandprogramsifnecessarypermissionsareavailable.

1.2.4 Secondary Group Names and Group IDs

Althoughnotstrictlypartoftheuseraccount,secondarygroupsarealsoapartoftheuserlogin

experience.GroupsandGIDsareusedtomanagerightsandpermissionstootherfilesandfolders.

Secondarygroupsforeachuserarelistedasentriesin

/etc/group

onthecomputeritself.

NOTE:Whenyouusethe

commandtoshowuserIDsandgroups,ifcase‐sensitivityissetto

,

youmustentertheexactcasetodisplaysecondarygroups.Ifyouenteradifferentcase,youseeonly

theprimarygroups.

1.2.5 Home Directory

Thehomedirectoryisafolderusedtostoreauser’spersonaldocuments.Inamulti‐user

environment,eachuserisassignedaspecificdirectorythatisaccessibleonlybytheuserandthe

systemadministrator.Inaddition,thehomedirectoryoffersaplacetostoreconfigurationfiles

uniquetothe

user.Therefore,ausercanloginandfindhisorherenvironmentwiththesamesettings

thatwereusedbefore,evenifanotheruserhasusedthecomputer.Typically ,mostcomputers haveall

homedirectoriesat

/home

,andthenindividualdirectorieslistedbyloginname(forexample,

/home/

jsmith

).The

root

user’shomedirectoryisanexception.Itistraditionallylocatedat

or

/root

.

Placinghomedirectoriesunder

/home

isnotrequired,butitmakesorganizationalsense.Some

administratorsdividethe

/home

directorybyfunctionordepartmentandthensubdividethe

/home



directorywithusersinthatdepartment(forexample,

/home/engineering/jsmith

1.2.6 Preferred Shell

Shellisacommandlanguageinterpreterthatexecutescommandsreadfromthestandardinput

device(keyboard)orfromafile.Shellisnotpartofsystemkernel,butusesthesys temkernelfor

operationssuchasexecutingprogramsorcreatingfiles.ItissimilartotheDOScommand.com

commandinterpreter.Several

standardshellsareavailablewithLi nux.Thedefaultisusually

/bin/

bash

1.3 Understanding eDirectory Objects and Linux

eDirectoryandLinuxUserManagementtechnologiesworkintandemtoprovideasolutionfor

managinguseraccesstonetworkresources.eDirectoryuserlogininformationisstoredasaproperty

oftheUserobject.ItisviewedandmodifiedbyusingNovelliManager.

12 OES 11 SP2: Novell Linux User Management Administration Guide

Figure 1-1 TheNovelliManagerWindow

WhenauserlogsintoaLinuxcomputerrunningLinuxUserManagement,therequestisredirected

toeDirectoryandcheckedagainstinformationineDirectory.Forthistowork,thecomputersand

eDirectorymustbeconfiguredasfollows:

 ThetargetworkstationmustberunningLinuxUserManagementsoftwareandmustpoint

to

theLinux/UNIXConfigobjectonthenetwork.

 ThetargetworkstationmusthavearepresentativeLinux/UNIXWorkstationobjectin

eDirectory,created whenLinuxUserManagementcomponentsareinstalled.

 TheusermustbeenabledforLinux,whichmeansthattheusermustbeamemberofagroup

enabledforLinux

andstoredinthepropertiesofLinux/UNIXWorkstationobject.TheLinux/

UNIXConfigobjectmustspecifythecontextoftheLinuxWorkst ationobject.

 Section 1.3.1,“UserAccountsineDirectory,”onpage 13

 Section 1.3.2,“GroupObjectsineDirectory,”onpage 13

 Section 1.3.3,“SourceWorkstations,”onpage 13

 Section 1.3.4,“Linux/UNIXWorkstationObjectsineDirectory,”onpage 13

 Section 1.3.5,

“TheLinux/UNIXConfigObjectineDirectory,”onpage 14

Overview 13

1.3.1 User Accounts in eDirectory

UseraccountsresidingontheLinuxcomputeraresaidtobelocaluseraccountsandarestoredas

entriesinthe

/etc/passwd

file.UseraccountsineDirectoryarerepresentedbyUserobjectsstoredin

theeDirectorytree.

AneDirectoryUserobjecthasarichsetofpropertiesandfieldstoholduser‐loginproperties.When

aneDirectoryUserobjectisextendedtoholdLinuxuserloginproperties,itissaidtobe

LUM‐enabled

orenabledforLinux.WhentheyareenabledforLinux,userscanaccesstheLinuxcomputer(byusing

Telnet,SSH,oranothersupportedmethod)andsimplyenterausernameandpassword.Theaccess

requestisredirectedtofindtheappropriateusernameandlogininformationstoredineDirectory.

When

itisextendedforLinux,theeDirectoryUserobjectholdsLinux‐relatedproperties,suchasthe

userID,primarygroupID,primarygroupname,locationofthe homedirectory,andpreferredshell.

1.3.2 Group Objects in eDirectory

WhenagroupisenabledforLinux,thegroupIDisstoredasapropertyofaLinux/UNIX 

Workstationobject.WhentheuserattemptstologintoaLinuxcomputer,heorsheonlyneedsto

enterausernameandpassword.Nocontextisrequired.TheLinuxcomputerchecksits



correspondingLinux/UNIXWorkstation objectineDirectoryforthelistofgroupsapprovedtologin.

Eachapprovedgroupissearchedfortheusernameoftheuserrequestingaccess.Whenthefirst

matchingusernameisfound,theloginisallowedbyusingtheUID,GID,password,andotherlog in

informationstored

ineDirectory.Iftheusernameisnotfoundinanyofthegroups,theloginisnot

allowed.

NOTE:WhenyouLinux‐enableaGroupobject,youcanchoosetoenableallmembersofthegroupor

youcanenablespecificusers.Usersbeingenabledforthe firsttimereceivethegroupIDastheir

primaryID.UserspreviouslyenabledforLinuxreceivetheGIDasasecondaryGID.

Userobjectsnot

enabledforLinuxcannotlogintoaLinuxcomputer,eveniftheybelongtoaLinux‐enabledgroup.

InadditiontothetypicalLinux‐relatedproperties(forexample,GroupID),theeDirectoryGroup

objectextendedforLinuxholdssomeadditionalproperties:

 UamPosixWorkstationList:ListstheUNIXWorkstationobjectsthatthegroup

haspermissions

toaccess.

 Description:Displaysanalternativedescription.

1.3.3 Source Workstations

Thesourceworkstationisthecomputerthattheuseraccessesthetargetworkstationfrom.Itisnot

representedasanobjectineDirectory.Itcanberunninganytypeofoperatingsystem,desktop,or

serverthatsupportsloginaccessprotocolssuchasFTP,SSH,rlogin,andrsh.Tologinto

atarget

workstation,theuserlaunchesaprogramthatprovidesoneofthesupportedloginaccessprotocols

andthenenterstheaddressofthetargetworkstation.

1.3.4 Linux/UNIX Workstation Objects in eDirectory

IneDirectory,theLinux/UNIX Workstationobjectrepresentstheactualcomputertheuserlogsinto.

Thecomputer,alsoknownasthetargetcomputer,musthavethefollowingcharacteristics:

 ItisrunningLinuxaseitheraserverorworkstation.

14 OES 11 SP2: Novell Linux User Management Administration Guide

 ItisrunningPluggableAuthenticationModule(PAM)alongwithNovellLinuxUser

ManagementtechnologytoredirectloginrequeststoeDirectory(seethe

/etc/pam.d

directory).

 ItstoresthelocationoftheUNIXConfigobjectonthenetwork(seethe

nam.conf

file).

ALinux/UNIXWorkstationobjectiscreatedwhenLinuxUserManagementcomponentsare

installedonthetargetcomputer.TheobjectcanbeplacedinanyOrganization(O)orOrganizational

Unit(OU)containerintheeDirectorytree.

Whenloggingintoatargetworkstation,theuserneedstoenteronly theusername

andpassword.

ThetargetworkstationreceivestheloginrequestandusesLinuxUserManagementandPAMto

redirectauthenticationtoeDirectoryandthe Linux/UNIXConfigobjectonthenetwork.TheLinux/

UNIXConfigobjectdirectstherequesttothetargetcomputerʹsrepresentativeLinux/UNIX

Workstationobject,wherethegroups,usernames,and

fullcontextsaredetermined.

TheLinux/UNIXWorkstationobjectholdsthefollowingsetofproperties:

 Targetworkstationname.ThenameisLinux/UNIXWorkstationappendedwiththehostname

ofthetargetworkstation(forexample,Linux/UNIXWorkstation‐Server1).

 ListofeDirectorygroups(namesand contexts)thathaveaccesstothetargetworkstation.

1.3.5 The Linux/UNIX Config Object in eDirectory

TheLinux/UNIXConfigobjectisanobjectineDirectorythatstoresalistofthelocations(contexts)

indicatingwhereLinux/UNIXWorkstationobjectsresideonthenetwork(ineDirectory).Italso

controlstherangeofnumberstobeassignedasUIDsandGIDswhenUserandGroupobjectsare

created.Geographicallydispersed

networksmightrequiremultipleLinux/UNIXConfigobjectsina

singletree,butbasicnetworksneedonlyoneLinux/UNIXConfigobjectintheeDirectorytree.The

objectiscreatedduringtheLinuxOperatingSysteminstallation(byselectingLinuxUser

Management)andshouldbeplacedintheuppercontainersoftheeDirectory

tree.

1.4 Putting It All Together

Whenproperlyconfigured,eDirectoryobjectsandLinuxUserManagementtechnologyletyou

manageaccesstoLinuxresourcesonthenetwork.Hereʹshowitworks:

1. Atasourceworkstation,theuserlaunchesaprogram(suchasSSHorFTP)thatprovideslogin

accesstoanothercomputer.

2. Whenpromptedbytheloginprogram,

theuserentershisorherusernameandidentifiesthe

nameoraddressofatargetworkstation.Forexample,theusermightlaunchSSH,enter

tom

as

theusername,andtheaddressofatargetworkstation withthefollowingcommand:

ssh -l tom 10.10.1.1

3. Thetargetworkstationreceivestheloginrequest,butbeforegrantingaccess,itmustfindthe

requesterʹsfullcontextusernameandverifythatthepasswordiscorrect.Thislogininformation

isstoredineDirectoryinsteadofonthetargetworkstation.

4. Tofindtherequesterʹslogininformation,thetargetworkstation(configured

withLinuxUser

Management)performsthefollowingactions:

a. FindsthelocationoftheLinux/UNIXWorkstationobjectineDirectoryaslistedinthelocal

nam.conf

file.

b. SearchesthegroupsapprovedforaccesslistedintheLinux/UNIXWorkstation objectto

findtherequesterʹsusername.

Overview 15

Forexample,iftheloginrequestisfromausernamedTom,thelistofgroupsissearched

untilaUserobjectwiththeusernameTomisfound.

c. Submitstherequesterʹspasswordforverificationagainsttheuserinformationstoredin

eDirectory.

d. GrantstheloginrequestbyusingeDirectorylog ininformation,such

asUID,GID,home

directory,andpreferredshell.

ThefollowingillustrationshowshowLinuxUserManagement,eDirectory,and PAMallwork

togethertoletuserslogintotargetworkstationsonthenetwork.

Figure 1-2 LoggingIntoTarge tWorkstations

1.5 What's Next

ToinstallandsetupLinuxUserManagementinyournetworkenvironment,seeChapter 3,“Setting

UpLinuxUserManagement,”onpage 19.

16 OES 11 SP2: Novell Linux User Management Administration Guide

What’s New or Changed in Linux User Management 17

What’s New or Changed in Linux User

Management

ThissectiondescribesthechangesmadetoLinuxUserManagementsincetheNovellOpen

EnterpriseServer(OES)11release.

 Section 2.1,“What’sNew(OES11SP2),”onpage 17

 Section 2.2,“What’sNew(OES11SP1),”onpage 17

 Section 2.3,“What’sNew(OES11),”onpage 18

2.1 What’s New (OES 11 SP2)

LinuxUserManagementinOES11SP2hasbeenmodifiedtorunon64‐bitSUSELinuxEnterprise

Server(SLES)11 SP3.Inadditiontobugfixes,LinuxUserManagementprovidesthefollowing

enhancementandbehaviorchangeintheOES11SP2release:

Changes to the LUM Configuration

TheLUMconfigurationnowincludestwonewparameters:

dont-deny-pamservice

and

non-

posix-members

.Formoreinformation,see“Editingthenam.confFile”intheOES11SP2:Novell

LinuxUserManagementAdministrationGuide.

Adding External LDAP Servers

LUMnowenablesyoutoadd externalLDAPserversduringLUMconfiguration.Formore

information,see“Se ttingUpLinuxComputerstoUseeDirectoryAuthentication”intheOES11SP2:

NovellLinuxUserManagementAdministrationGuide.

2.2 What’s New (OES 11 SP1)

LinuxUserManagementinOES11SP1hasbeenmodifiedtorunon64‐bitSUSELinuxEnterprise

Server(SLES)11 SP2.Inadditiontobugfixes,LinuxUserManagementprovidesthefollowing

enhancementsandbehaviorchangesintheOES11SP1release:

 EnablingMultipleUsersforLinuxinaLUM

Group:TheLUMiManagerplug‐inprovidesa

newtabthatallowsyoutolinux‐enablemultipleusersinagroupinasimplifiedmanner.For

moreinformation,see“EnablingMultipleUsersforLinuxinaLUMGroup”(http://

www.novell.com/documentation/oes11/acc_linux_svcs_lx/index.html?page=/documentation/

oes11/acc_linux_svcs_lx/data/bv1u9ka.html#bzv3vj6.)intheOES11SP1:NovellLinuxUser

Management

AdministrationGuide(http://www.novell.com/documentation/oes11/

acc_linux_svcs_lx/?page=/documentation/oes11/acc_linux_svcs_lx/data/bookinfo.html).

18 OES 11 SP2: Novell Linux User Management Administration Guide

 EnablingMultipleUsersforLinuxinaContainer:YoucannowLinux‐enablemultipleusersin

acontainer.TheLUMiManagerplug‐inprovidesanewtabthatallowsyoutolinux‐enable

multipleusersinacontainer.Formoreinformation,see“EnablingMultipleUsersforLinuxina

Container”

(http://www.novell.com/documentation/oes11/acc_linux_svcs_lx/?page=/

documentation/oes11/acc_linux_svcs_lx/data/bv1u9ka.html)intheOES11SP1:NovellLinux

UserManagementAdministrationGuide(http://www.novell.com/documentation/oes11/

acc_linux_svcs_lx/?page=/documentation/oes11/acc_linux_svcs_lx/data/bookinfo.html).

Youcanlinux‐enablemultipleusersusingthecommandlineaswell.The

namuseradd

command

providesthe‐Aoptionthatallowsyoutoenableallnon‐LUMusersinthespecifiedcontext.For

moreinformation,seethenamuseraddutility(http://www.novell.com/documentation/oes11/

acc_linux_svcs_lx/?page=/documentation/oes11/acc_linux_svcs_lx/data/bv1u77n.html)inthe

OES11SP1:NovellLinuxUserManagementAdministrationGuide(http://www.novell.com/

documentation/oes11/acc_linux_svcs_lx/?page=/documentation/oes11/acc_linux_svcs_ lx/data/

bookinfo.html).

 OptiontoSelectadministratorgroupinYaST:TheLUM

configurationinYaSTalwaysaddsthe

administratortoagroupcalledtheadmingroup.LUMconfigurationinYaSTnowprovidesan

optiontobrowseandspecifyanalreadyexistinggroupinsteadofcreatinganewadmingroup.

2.3 What’s New (OES 11)

TheLUMservicehasbeenmodifiedtorunonOES11.TherearenofeaturechangesintheOES11

releaseofLUM.

Setting Up Linux User Management 19

Setting Up Linux User Management

ThefollowinginformationcanhelpyouinstallandsetupLinuxUserManagementtechnologyon

yournetworktogaintheadvantagesofeDirectoryforuserauthentication.iManagercanbeusedfor

basicsetup,butyoumightneedtouseacommandlineinterfacetoaccomplishsomespecifictasks.

Formoreinformation

onusingthecommandlinetoconfigureLUM,refertoChapter 6,“Usingthe

CommandLinetoConfigureLinuxUserManagement,”onpage 33.Ineithercase,youneedtosetup

thecomputertouseeDirectoryauthenticationandcreateandcorrectlyconfiguretheeDirectory

objects.

 Section 3.1,“SettingUpLinuxComputers

toUseeDirectoryAuthentication,”onpage 19

 Section 3.2,“UsingiManagertoEnableUsersforLinuxAccess,”onpage 22

 Section 3.3,“TurningOffLinuxUserManagementandeDirectoryAuthentication,”onpage 25

3.1 Setting Up Linux Computers to Use eDirectory

Authentication

BeforeuserscanuseeDirectorylogininformationtologin,thetargetworkstationorservermustbe

configuredwithLinuxUserManagementcomponents.YouarepromptedtosetupLinuxUser

Managementwhileinstallingtheoperatingsystem.YoucanalsosetitupafterwardsbyusingYaST.

IMPORTANT:SettingupLinuxUserManagementrequiresadministratorrightstothecontainer

wheretheLinuxUserManagementobjectsarecreated.Formoreinformationonrights,referto

“RightsRequiredforSubcontainerAdministrators”intheOES11SP2:InstallationGuide.

TouseYaSTtoinstallandconfigureLinuxUserManagementonaworkstationorserverthatis

alreadyrunning:

1 Followtheinstructionsforyourplatformforaddingservicestoanexistingserveror

workstation.Formoreinformation,seetheOES11SP2:InstallationGuide.

2 FromtheOESServicesoption,selectNovellLUM.ClickAccept.

3 Specifytheadminpassword.

4 Specifythefollowingvalues:

20 OES 11 SP2: Novell Linux User Management Administration Guide

4a TheDirectoryServerAddressfielddisplaysthedefaultLDAPserverforthisservice.Ifyou

wanttospecifyanLDAPserverotherthanthedefaultLDAPserver,selectanLDAPserver

fromtheDirectoryServerAddresslist.

4b BrowseorentertheUnixConfigcontextintheUnixConfigContextfield.

TheUnixConfigobjectholdsalistofthelocations(contexts)ofUnixWo rkstationobjectsin

eDirectory.

4c BrowseorentertheUnixWorkstationcontextintheUnixWorkstationContextfield.

ComputersrunningLinuxUserManagement(LUM)arerepresentedbyUnixWorkstation

objectsineDirectory.Theobjectholdsthesetofpropertiesandinformationassociatedwith

thetargetcomputer,suchasthetargetworkstationnameoralistof

eDirectorygroupsthat

haveaccesstothetargetworkstation.

4d BrowseorspecifytheAdmingroupnamewithcontextintheAdmingroupnamewithcontext

field.

4e (Optional)BrowseorspecifyauserwithrightstosearchtheLDAPtreeforLUMobjectsin

theProxyUserName withContextfield.

4f SpecifyapasswordfortheProxyuserintheProxyuserpasswordfield.

ThisfieldisdisabledifyouselectedtheUseOESCommonProxyUsercheckbox.

4g (Optional)SelecttheUseOESCommonProxyUseroptionifyouwanttouseanOES

commonproxyuser.Donotchangethecommonproxyuserpassword.

Thisoptionisdisabledbydefault.

Page is loading ...

Novell Open Enterprise Server 11 SP3 Administration Guide

Brand: Novell

Model: Open Enterprise Server 11 SP3

Category: Software

Type: Administration Guide

Download PDF

report

Novell Open Enterprise Server 11 SP3 Administration Guide

Novell Open Enterprise Server 11 SP3 Administration Guide

Related papers

Other documents