15.2 Linux User Management: Access to Linux for eDirectory Users

NOTE:OES 2015 SP1 includes a new service named the Novell Identity Translator (NIT) that is associated with Linux User Management.

NIT represents a new approach to the service that LUM provides and works seamlessly with LUM to provide access to Novell CIFS in OES 2015 SP1.

For more information about NIT, see Section 1.18, Novell Identity Translator (NIT).

Users and groups on NetWare servers are created in and managed through eDirectory; users and groups on Linux servers are usually created locally and managed according to the POSIX (Portable Operating System Interface) standard.

Because Open Enterprise Server provides services running on both Linux and NetWare, Novell has developed a technology that lets eDirectory users also function as “local” POSIX users on Linux servers. This technology is called Linux User Management or LUM.

The following sections outline the basic principles involved in Novell LUM and cover the following topics:

15.2.1 Overview

The topics in this section are designed to help you understand when LUM-enabled access is required so that your network services are accessible and work as expected. For more information about Linux User Management, see Overview in the OES 2015 SP1: Linux User Management Administration Guide.

A Graphical Preview of Linux User Management

Figure 15-1 illustrates how Linux User Management controls access to the OES server.

Figure 15-1 LUM Provides POSIX Access for eDirectory Users

The following table explains the information presented in Figure 15-1.

Table 15-1 Linux User Management

Valid POSIX Users

Authentication

eDirectory Authenticated Services

Some services on OES servers must be accessed by POSIX users.

eDirectory users can function as POSIX users if they are enabled for Linux access (LUM).

When the system receives an action request, it can authenticate both local POSIX users and users who have been enabled for Linux access.

Users can potentially access PAM-enabled services, Samba shares, and Novell Remote Manager as either local or eDirectory users.

By default, only the sfcb command (required for server management) is enabled for eDirectory access.

Linux Requires POSIX Users

Linux requires that all users be defined by standard POSIX attributes, such as username, user ID (UID), primary group ID (GID), password, and other similar attributes.

Linux Users Can Be Local or Remote

Users that access a Linux server can be created in two ways:

  • Locally (on the server): Local users are managed at a command prompt (using commands such as useradd) or in YaST. (See the useradd(8) man page and the YaST online help for more information.) These local users are stored in the /etc/passwd file. (See the passwd(5) man page for more information.)

    IMPORTANT:As a general rule on OES servers, the only local user account that should exist is root. All other user accounts should be created in eDirectory and then be enabled for Linux access (LUM). You should never create duplicate local and eDirectory user accounts.

    For more information, see Section 6.2, Avoiding POSIX and eDirectory Duplications.

  • Remotely (off the server): Remote users can be managed by other systems, such as LDAP-compliant directory services. Remote user access is enabled through the Pluggable Authentication Module (PAM) architecture on Linux.

The Linux POSIX-compliant interfaces can authenticate both kinds of users, independent of where they are stored and how they are managed.

The root User Is Never LUM-Enabled

The OES user management tools prevent you from creating an eDirectory user named root, thus replacing the root user on an OES server. If root were to be a LUM user and eDirectory became unavailable for some reason, there would be no root access to the system.

Even if eDirectory is not available, you can still log into the server through Novell Remote Manager and perform other system management tasks as the root user.

About Service Access on OES

Novell Linux User Management (LUM) lets you use eDirectory to centrally manage remote users for access to one or more OES servers.

In other words, LUM lets eDirectory users function as local (POSIX) users on an OES server. Access is enabled by leveraging the Linux Pluggable Authentication Module (PAM) architecture. PAM makes it possible for eDirectory users to authenticate with the OES server through LDAP.

In OES, the terms LUM-enabling and Linux-enabling are both used to describe the process that adds standard Linux (POSIX) attributes and values to eDirectory users and groups, thus enabling them to function as POSIX users and groups on the server.

You can use iManager to enable eDirectory users for Linux. For instructions, see About Enabling eDirectory Users for Linux Access.

OES Services That Require LUM-Enabled Access

Some services on an OES server require that eDirectory users be LUM-enabled to use them:

  • Novell Samba (CIFS) Shares on the Server: Windows workgroup users who need access to Samba shares defined on the server must be LUM-enabled eDirectory users who are configured to access the server. This is because Samba requires POSIX identification for access.

    By extension, NetStorage users who need access to Samba (CIFS) Storage Location objects that point to the server must also be LUM-enabled eDirectory users with access to the server.

    NOTE:Although Samba users must be enabled for LUM, Samba is not a PAM-enabled service. Logging in to an OES server through Samba does not create a home directory on the server.

  • Core Linux Utilities Enabled for LUM: These are the core utilities and other shell commands that you can specify during the OES install to be enabled for authentication through eDirectory LDAP. In Linux, these are known as PAM-enabled utilities or services.

    IMPORTANT:Before you accept the default PAM-enabled service settings, be sure you understand the security implications explained in Section 21.2.2, User Restrictions: Some OES Limitations.

    The core utilities available for PAM-enablement are summarized in Table 15-2.

    Table 15-2 PAM-enabled Services Controlled by LUM

    Command

    Where Executed

    Task

    ftp

    Another host

    Transfer files to and from the OES server which, in this case, is a remote host.

    gdm

    • Local host

    • Remote host

    Run and manage the X servers using XDMCP.

    gnomesu-pam

    Local host

    Required for GNOME applications that need superuser access.

    login

    • OES server

    • SSH session with OES server

    Log in to the OES server, either directly or in an SSH session with the server.

    sfcb

    Local host

    Required for iPrint, NSS, SMS, Novell Remote Manager, and iManager.

    sshd

    Another host

    Establish a secure encrypted connection with the OES server which, in this case, is a remote host.

    su

    • OES server

    • SSH session with OES server

    Temporarily become another user.

    This is most often used to temporarily become the root user, who is not a LUM user and is, therefore, not affected by LUM.

    NOTE:Logging in to the OES server through a PAM-enabled service for the first time causes the creation of a home directory in /home on the server.

  • Novell Remote Manager on Linux: You can access Novell Remote Manager as the following:

    • The root user with rights to see everything on the Linux server.

    • A local Linux user with access governed by POSIX access rights. (Having local users in addition to root is not recommended on OES servers.)

    • A LUM-enabled eDirectory user, such as the Admin user created during the install.

  • Novell Storage Management Services (SMS) on Linux: You can access SMS utilities as

    • The root user, who has rights to see everything on the Linux server, including NSS volumes.

    • A local Linux user with access governed by POSIX access rights. (Having local users in addition to root is not recommended on OES servers.)

    • A LUM-enabled eDirectory user, such as the Admin user created during the install.

OES Services That Do Not Require LUM-Enabled Access But Have Some LUM Requirements

Some services do not require eDirectory users to be LUM-enabled for service access:

  • NetStorage: NetStorage users don’t generally need to be LUM-enabled. However, salvaging and purging files through NetStorage on an NSS volume can only be done by users who are enabled for Linux.

    IMPORTANT:Files that are uploaded by non-LUM users via NetStorage are owned, from a POSIX perspective, by the root user. The assumption is that such users are accessing their data on NSS or NCP volumes by using an NCP storage location object. In both cases, the Novell Trustee Model applies and POSIX ownership is irrelevant.

    If non-LUM NetStorage users are later enabled for Samba access (which means they are then LUM-enabled), and they begin using Samba as a file service, their NetStorage uploaded files are not accessible through Samba until you make them the file owners from a POSIX perspective. Although the Novell implementation of Samba leverages eDirectory for authentication, Samba file and directory access is always controlled by POSIX. The Novell Trustee Model doesn’t apply to Samba.

    Both Novell trustee assignments and POSIX file ownership are tracked correctly after users are LUM-enabled.

    Although NetStorage doesn’t require LUM-enabled access, the service itself runs as a POSIX-compliant system (proxy) User (initially a local user on the OES server) who functions on behalf of the end users that are accessing the service.

    If NetStorage must access NSS volumes, this local system user must be moved to eDirectory and LUM-enabled because only eDirectory users can access NSS volumes. The OES 2015 SP1 installation program configures this correctly by default.

    For more information, see Section H.0, System User and Group Management in OES 2015 SP1.

  • NSS: eDirectory users that access NSS volumes directly through NCP (the Novell Client) are not required to be LUM-enabled.

    However, because Novell Samba accesses NSS through the virtual file system layer that makes NSS appear to be a POSIX-compliant file system, Samba users must be LUM–enabled to access an NSS volume.

OES Services That Do Not Require LUM-enabled Access

The following end user services do not require LUM-enabled access:

  • iFolder 3.9.2

  • iPrint

  • NCP Client to an NCP Volume

  • NCP Client to an NSS Volume

  • Novell AFP

  • Novell CIFS

LUM-Enabling Does Not Provide Global Access to ALL OES Servers

As you plan to LUM-enable users for access to the services that require it, keep in mind that each OES server being accessed must be associated with a LUM-enabled group that the accessing users belong to.

In other words, it is not sufficient to LUM-enable users for access to a single OES server if they need access to multiple servers. An association between the LUM-enabled groups that the users belong to and the eDirectory UNIX Workstation object associated with each server must be formed by using iManager. This can be accomplished for multiple servers by using the process described in Enabling eDirectory Groups and Users for Linux Access.

For more information on LUM, see the OES 2015 SP1: Linux User Management Administration Guide.

LUM-Enabling Required for Full Administrative Access

The current LUM architecture requires that administrators, administrator equivalents, partition administrators, and RBS-enabled managers be LUM-enabled to have full management capabilities.

15.2.2 LUM Changes

In response to customer requests for improved LDAP performance, persistent searching for new Linux-enabled users and groups has been disabled in OES 2 SP3 and later.

For more information, see Section 6.10, LUM Cache Refresh No Longer Persistent and What’s New or Changed in Linux User Management in the OES 2015 SP1: Linux User Management Administration Guide.

15.2.3 Planning

The following sections summarize LUM planning considerations.

eDirectory Admin User Is Automatically Enabled for Linux Access

When you install Linux User Management on an OES server, the Admin User object that installs LUM is automatically enabled for eDirectory LDAP authentication to the server.

Planning Which Users to Enable for Access

You need to identify the eDirectory users (and groups) who need access to services on OES servers that require LUM-enabled users.

This can be easily determined by doing the following:

  1. Review the information in OES Services That Require LUM-Enabled Access.

  2. Identify the servers that will run the services mentioned.

  3. Note the users and groups that need access and then configure their objects and the target servers/services for that access.

Be Aware of System-Created Users and Groups

You should also be aware of the system-created users and groups that are LUM-enabled when NSS is installed. For more information, see Section H.0, System User and Group Management in OES 2015 SP1.

15.2.4 LUM Implementation Suggestions

The following sections summarize LUM implementation considerations.

About Enabling eDirectory Users for Linux Access

You can enable eDirectory users for Linux User Management by using either iManager 2.7 or the nambulkadd command.

  • iManager: You can enable existing eDirectory users for Linux access by using the Linux User Management tasks in iManager.

    You can enable multiple users in the same operation as long as they can be assigned to the same primary LUM-enabled group. The enabling process also lets you associate the group with one or more OES servers or Linux workstations.

    Samba users are also enabled for Linux access as part of the Samba-enabling process.

UNIX Workstation and Linux Workstation Are the Same Thing

When you use iManager to manage OES access, you might notice some inconsistencies in naming.

When OES servers are created, a UNIX Workstation - server_name object is created in eDirectory, where server_name is the DNS name of the OES server. In some places the iManager help refers to these server objects as Linux Workstation objects.

Both UNIX Workstation and Linux Workstation refer to the same eDirectory objects.

Enabling eDirectory Groups and Users for Linux Access

IMPORTANT:Users gain server access through their LUM-enabled group assignment rather than through a direct assignment to the UNIX Workstation objects themselves.

You can enable users for access to multiple OES servers by associating the LUM-enabled groups to which the users belong with the UNIX Workstation objects you want users to have access to.

There are four methods for enabling eDirectory groups and users for Linux access:

Using iManager to Enable Groups and any Users Assigned to Them

The following steps assume that the eDirectory Group objects already exist and that any User objects you want to enable for Linux at the same time also exist and have been assigned to the groups.

  1. Log in to iManager as the eDirectory Admin user or equivalent.

  2. Click Linux User Management > Enable Groups for Linux.

  3. Browse to and select one or more Group objects, then click OK.

  4. If you want all users assigned to the groups to be enabled for Linux, make sure the Linux-Enable All Users in These Groups option is selected.

  5. Click Next.

  6. If the groups contain users, click Next to confirm that you want them enabled.

  7. Browse to and select a UNIX Workstation (OES server) object, then click OK.

  8. Browse to and select the Unix Config Object for the workstation, then click OK.

  9. Click Next, click Finish, then click OK.

Using iManager to Bulk-Enable Users in a LUM Group

The following steps assume that the eDirectory LUM-enabled Group objects already exist and that they have assigned non-LUM-enabled User objects that you want to enable for Linux access.

  1. Log in to iManager as the eDirectory Admin user or equivalent.

  2. Click Linux User Management > Bulk-Enable Users in a LUM Group.

  3. Browse to and select one or more LUM-enabled Group objects, then click OK.

  4. Browse to and select the Unix Config Object, then click OK.

  5. Click Next.

  6. Click Finish to confirm that you want the listed users enabled for Linux.

  7. Click OK.

Using iManager to Bulk-Enable Users in a Container

The following steps assume that eDirectory non-LUM-enabled User objects exist inside an eDirectory container (OU object) and that you want to enable these User objects for Linux access.

  1. Log in to iManager as the eDirectory Admin user or equivalent.

  2. Click Linux User Management > Bulk-Enable Users in a Container.

  3. Browse to and select the Container (OU) object, then click OK.

  4. Browse to and select the Unix Config Object, then click OK.

  5. Browse to and select the LUM-enabled group that you want the users associated with for Linux access.

  6. Click Next.

  7. Observe that all user objects in the container are listed for assignment to the group you have selected as the primary group. If you don’t want already enabled user objects that are currently assigned to a different primary group to have that assignment changed, you must deselect them at this point.

  8. Click Finish to confirm that you want the selected users enabled for Linux (if not already) and assigned to the select group.

  9. Click OK.

Using LUM Utilities at the Command Prompt

Novell Linux User Management includes utilities for creating new LUM-enabled groups, and for enabling existing eDirectory groups for Linux access.