4.1 Configuring a Linux Server for ZENworks File Access

When you use a Linux server as the “back end” for ZENworks file storage and access, you need to configure it (either prior to installing the ZENworks Desktop Management Server or after that installation is complete) so that ZENworks can later access the files stored there.

NOTE: Setting up the Linux server for file access is optional; you can set up NetWare® or Windows servers to provide file access while still using your Linux back-end server.

This section includes information about configuring SUSE® Linux Enterprise Server (SLES) servers for ZENworks file access rather than configuring Novell Open Enterprise Server (OES) servers for that purpose. OES Linux already includes Novell eDirectory™ and provides Novell Storage Services (NSS) access to its file system. Therefore, policy or application files stored on the OES Linux server can simply use the UNC-style path (that is, \\OES_server_name/sys/public/....), making further configuration for ZENworks file access unnecessary.

Configuring a SLES server to enable file access requires that you configure Samba server software to obtain authentication information either from the Active Directory* domain or the eDirectory tree, and then create one or more Samba shares on the server. This allows the share to be managed by the directory.

The intent of this section is to present a basic method showing how to accomplish the required authentication. There are many ways to configure Samba; for more information, see the Samba Documentation Collection.


4.1.1 Configuring a Linux Server in an Active Directory Environment

If you plan to use Active Directory on the SLES 9 or SLES 10 server where you want to install the ZENworks Management Server, you need to enable directory-based CIFS access to the applications and other files you want to store on that server for use by ZENworks.

IMPORTANT: Although it is not recommended, users can access an OES server/Samba share from a Windows workstation where the Novell Client™ is installed, but you need to configure Samba to provide a NetBIOS name that is not the same as the OES server name.


Configuring Samba to Use Kerberos

Use the following steps to configure the SLES 9 server to use Kerberos* for authentication:

  1. Edit the Kerberos (heimdal-lib version 0.6 or later) configuration file to indicate the name of the Active Directory domain you want to join.

    1. Using a text editor, open /etc/krb5.conf on the Linux server.

    2. Find the following lines in the file:

      [libdefaults]
          default_realm = YOUR.KERBEROS.REALM

      [realms]
          YOUR.KERBEROS.REALM = {
              kdc = your.kerberos.server
          }

    3. Revise these lines as follows:

      [libdefaults]
          default_realm = DOMAIN_NAME

      [realms]
          DOMAIN_NAME = {
              kdc = wins_name
              admin_server = wins_name
              kpasswd_server = wins_name
          }

      The DOMAIN_NAME value shown in the sample is the fully qualified name of the Active Directory domain you want to join (for example, RESEARCH.MYLOCATION.DIGITALAIRLINES.COM). Make sure you enter this name using uppercase characters.

      The wins_name value shown in the revised kdc line and in the newly added admin_server and kpasswd_server lines is the primary domain controller, or any domain controller in the domain (for example, DC1).

  2. Edit the Samba server configuration file to indicate that Kerberos will be used to authenticate users to the Active Directory domain.

    1. Using a text editor, open /etc/samba/smb.conf on the Linux server.

    2. Find the following line in the Global section of the file:

      security = user
      
    3. Revise this line and add more lines as follows:

      security = ADS
      realm = YOUR.KERBEROS.REALM
      encrypt passwords = yes
      netbios name = advertised_name
      

      The YOUR.KERBEROS.REALM value shown in the sample is the domain name specified in the krb5.conf file (see Step 1.c).

      The advertised_name value shown in the netbios name line is the advertised network name of your Samba server, as well as its name in Active Directory (for example, myserver_smb).

  3. Put the name of the server into an Active Directory container:

    1. At the Linux server command line, type the following command:

      kinit administrator@YOUR.KERBEROS.REALM
      

      The YOUR.KERBEROS.REALM value shown in this example is the domain name specified in the krb5.conf file.

    2. At the Linux server command line, enter the following command:

      net ads join
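
      Before running net ads join, it is worth confirming that the krb5.conf and smb.conf edits from the steps above agree with each other: a realm that differs between the two files, a lowercase realm name, or a leftover security = user line are the usual reasons the join fails. The following script is an added example and is not part of the Novell documentation; it takes the two file paths as arguments, and the sample files built in zen_demo are constructed from the placeholder names used in the procedure.

```bash
#!/bin/bash
# Added example, not part of the Novell ZENworks documentation: sanity-check
# the krb5.conf and smb.conf edits before running "net ads join". The files
# are passed as arguments so copies can be checked; zen_demo builds a
# constructed sample from the placeholder names used in the procedure.
set -u

# Print the value of the first "key = value" line for KEY (case-insensitive,
# leading whitespace ignored) in an INI-style file.
zen_ini_value() {
    awk -v k="$2" '
        { sub(/^[ \t]+/, "") }
        tolower($0) ~ ("^" tolower(k) "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }' "$1"
}

# Return 0 when the configuration is consistent; print each problem found.
zen_check_ads_config() {
    local krb5="$1" smb="$2" rc=0 realm smbrealm security realm_re
    realm=$(zen_ini_value "$krb5" default_realm)
    smbrealm=$(zen_ini_value "$smb" realm)
    security=$(zen_ini_value "$smb" security | tr '[:lower:]' '[:upper:]')
    [ -n "$realm" ] || { echo "krb5.conf: default_realm is not set"; rc=1; }
    case "$realm" in
        *[[:lower:]]*) echo "krb5.conf: realm '$realm' must be uppercase"; rc=1 ;;
    esac
    [ "$realm" = "$smbrealm" ] ||
        { echo "smb.conf: realm '$smbrealm' does not match default_realm '$realm'"; rc=1; }
    [ "$security" = "ADS" ] ||
        { echo "smb.conf: security must be ADS (found '${security:-unset}')"; rc=1; }
    # The [realms] section must define the same realm name ("REALM = {").
    realm_re=$(printf '%s' "$realm" | sed 's/\./\\./g')
    grep -Eq "^[[:space:]]*${realm_re}[[:space:]]*=[[:space:]]*[{]" "$krb5" ||
        { echo "krb5.conf: no [realms] entry for '$realm'"; rc=1; }
    return "$rc"
}

# Constructed sample using the placeholder names from the procedure.
zen_demo() {
    local d
    d=$(mktemp -d)
    cat > "$d/krb5.conf" <<'EOF'
[libdefaults]
    default_realm = RESEARCH.MYLOCATION.DIGITALAIRLINES.COM

[realms]
    RESEARCH.MYLOCATION.DIGITALAIRLINES.COM = {
        kdc = DC1
        admin_server = DC1
        kpasswd_server = DC1
    }
EOF
    cat > "$d/smb.conf" <<'EOF'
[global]
security = ADS
realm = RESEARCH.MYLOCATION.DIGITALAIRLINES.COM
encrypt passwords = yes
netbios name = myserver_smb
EOF
    zen_check_ads_config "$d/krb5.conf" "$d/smb.conf"
}
```

      Run zen_check_ads_config /etc/krb5.conf /etc/samba/smb.conf on the server; a non-zero exit with the printed reasons tells you which file to go back and revise before the kinit and net ads join steps.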
      

Setting Up a Samba Share

It is necessary to create a Samba share in order for Windows workstations to access files on the SLES 9 or SLES 10 server.

  1. Using a text editor, open /etc/samba/smb.conf on the Linux server then add the following lines to the file:

    [sharename]
    path = local_directory
    guest ok = no
    read only = no
    

    The sharename value shown in the first line is the advertised network name of the Samba share (for example, zenfiles).

    The local_directory value shown in the second line is the local directory on the server where you want the share to reside.

  2. Map all users who will access the share to a single Linux account.

    1. At the Linux server command line, type the following command:

      /usr/sbin/useradd new_account_name
      

      The new_account_name parameter is the Linux account you are creating (for example, smbuser).

    2. Find the /etc/samba/smbusers file on the Linux server.

    3. Add the following line to the file:

      new_account_name = *
      

      The new_account_name value in this line is the account name you created in Step 2.a.

  3. At the Linux server command line, type the following commands to change the ownership of the path to the share:

    mkdir -p directory_name
    
    chown -R Linux_account_name directory_name
    
    chmod 755 directory_name
    

    The directory_name value is the path to the local directory that you specified in Step 1.

    The Linux_account_name value is the “new account name” you assigned in Step 2.a.

  4. At the Linux server command line, enter the following command to restart the Samba server so that it loads the new configuration:

    /etc/init.d/smb restart
    

4.1.2 Configuring a Linux Server in an eDirectory Environment

If you plan to use eDirectory on the SLES 9 or SLES 10 server where you want to install the ZENworks Management Server, you need to enable directory-based CIFS access to the applications and other files you want to store on that server for use by ZENworks.

This section includes information that you need to know for configuring the SLES 9 or SLES 10 server for use with ZENworks Desktop Management in an eDirectory environment:

Configuring Linux to Authenticate to eDirectory Using LDAP

This section describes the steps necessary to configure a SLES 9 or SLES 10 server (which acts as the LDAP client) and Novell eDirectory (which acts as the LDAP server) to provide authentication redirection over LDAP to Novell eDirectory. The content assumes that Novell eDirectory 8.7.3 (or later) has already been installed on the SLES 9 or SLES 10 server.

When the server is configured, any user can log in to a SLES 9 or SLES 10 server using his or her eDirectory credentials.

Use the following procedures in the order listed below:

Extending the eDirectory Schema for Linux Account Authentication

Configuring the SLES 9 or SLES 10 server for eDirectory authentication requires extension of the existing eDirectory schema (the schema on an OES server is already extended by the ZENworks installation).

Extending the schema can be accomplished using either the ndsschema utility or the ICE utility. Both of these utilities reside on the SLES 9 or SLES 10 server. Command line syntax for both utilities is provided in this section.

IMPORTANT: Before using the ICE utility, use ConsoleOne to check the properties of the LDAP Group object in the eDirectory tree you will be using.

Right-click the LDAP Group object, click Properties, click General, then deselect Require TLS For Simple Binds With Password.

The schema defined for Linux account authentication is defined in RFC 2307. Novell offers schema import files in traditional eDirectory schema format and in LDAP Data Interchange Format (LDIF) to be used for extending the Novell eDirectory schema.

Use the following steps to extend the eDirectory schema in your environment:

  1. Log in to the Linux server running Novell eDirectory as the root user.

  2. At the bash prompt, enter cd /usr/lib/nds-schema.

  3. Run a utility to extend the schema.

    • ndsschema method: At the bash prompt, enter the following command to extend the schema:

      ndssch cn=admin_name.o=admin_container_name rfc2307-usergroup.sch
      
    • ICE method: At the bash prompt, enter the following command to extend the schema:

      ice -S LDIF -f rfc2307-usergroup.ldif -D LDAP -s localhost -d cn=admin_name,o=admin_container_name -W
      
Extending the eDirectory Schema for Samba

  1. At the bash prompt, enter the following command:

    cd /usr/share/doc/packages/samba/examples/LDAP
    

    This location is provided by the samba-doc RPM package. Alternatively, you can use the following command to find the schema file in the samba-client RPM package:

    cd /usr/share/samba/LDAP
    
  2. Enter the following command to use the ICE utility to extend the eDirectory schema for Samba:

    ice -S LDIF -f samba-nds.schema -D LDAP -s localhost -d cn=admin_name,o=admin_container_name -W
    
Creating a Proxy User for Anonymous Binds

Use the following steps to set up a proxy user in eDirectory for anonymous binds:

  1. In ConsoleOne, create a new user account and set the password to null. Do not click Cancel when prompted; instead, click OK so that Public/Private keys are generated.

  2. Right-click the new User object, click Properties, click Password Restrictions, then deselect Allow User to Change Password.

  3. At the Root object of the tree, right-click the object, select Trustees of this Object, grant the new user Browse entry rights, then grant the new user Read and Compare property rights on the following attributes:

    • CN
    • Description
    • O
    • OU
    • Object Class
    • dc
    • gecos
    • gidNumber
    • homeDirectory
    • loginShell
    • memberUid
    • uidNumber
    • uniqueID

    Make sure that Inheritable is selected for each of these attributes as you configure them.

  4. Remove [All Attributes Rights] from the list of attributes for this User object.

  5. Right-click the LDAP Group object, click Properties, click General, then select this new user as the proxy user.

    HINT: You cannot access the General tab from the version of ConsoleOne included on the ZENworks 7 Companion 1 CD. To use ZENworks Desktop Management properly, you need to download the ZENworks 7 Desktop Management snap-ins for ConsoleOne 1.3.6 from the Novell Downloads Web site.

    Follow the instructions at the download site to install the snap-ins.

  6. Right-click the LDAP Server object, click Properties, click General, then select Refresh NLDAP Server Now.

Configuring the SLES 9 or SLES 10 Server (LDAP Client)

  1. Start the YaST2 Control Center.

    1. Run /sbin/yast2

    2. Enter menu.

  2. From the menu, select Network Services, select LDAP Client, then select Use LDAP.

    As an alternative to Steps 1 and 2 above, you can simply run /sbin/yast2 ldap from the command line to open the LDAP client configuration window.

  3. Add the LDAP server in the server field and the search base of where users are located. For example:

    Base DN: ou=users, ou=novell

    Addresses of LDAP Servers: 127.0.0.1

  4. Select LDAP TLS/SSL, then click Finish to save your changes.

Configuring eDirectory Accounts for Linux Authentication

Use the following steps to add the posixAccount auxiliary class to a user account and set the required fields:

  1. In ConsoleOne, select and right-click a User account.

  2. Select Extensions of this Object.

  3. Click Add Extension.

  4. In the list, select posixAccount, then click OK.

  5. In the Generic Editing dialog box, click OK.

  6. In the New posixAccount dialog box, fill in the fields. The following table shows the field names, their purpose, and an example of the data you would fill in.

    Field Name       Purpose                       Example
    Name             The name of this extension    posixAccount
    homeDirectory    The user home directory       /home/tjones
    uniqueID         The unique ID of the user     tjones
    Common Name      The Linux gecos field         Trevor Jones
    gidNumber        The GID in Linux              515
    uidNumber        The UID in Linux              515

    Other attributes that are required and that can be added on the Other page of the User object include the following:

    Field Name       Purpose                                                                                          Example
    loginShell       Sets the user's shell. The loginShell attribute is required by SUSE Linux for proper X login.    /bin/bash

  7. Click OK to save the changes.
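
The ConsoleOne steps above set the same attributes that an LDIF modify operation sets over LDAP. The following script is an added example and is not part of the Novell documentation: it produces that LDIF for an existing eDirectory user from the values in the tables, refusing the values that would give a broken or dangerous account (non-numeric IDs, uidNumber 0, a relative home directory, or no loginShell). Attribute names follow RFC 2307; the script assumes that the LDAP attribute uid is mapped to eDirectory's uniqueID by the LDAP server's default attribute map. The DN and values in zen_demo are constructed placeholders.

```bash
#!/bin/bash
# Added example, not part of the Novell ZENworks documentation: produce the
# LDIF that adds the posixAccount auxiliary class and its attributes to an
# existing eDirectory user, as an alternative to filling in the ConsoleOne
# dialog by hand. Attribute names follow RFC 2307; "uid" is assumed to map to
# eDirectory's uniqueID through the LDAP server's default attribute map.
set -u

# Arguments: user DN, login name, full name (gecos), uidNumber, gidNumber,
# home directory, login shell. Prints the LDIF on stdout; returns 1 (with a
# message on stderr) for values that would give a broken or dangerous account.
zen_posix_ldif() {
    local dn="$1" login="$2" gecos="$3" uidn="$4" gidn="$5" home="$6" shell="$7"
    case "$uidn" in ''|*[!0-9]*) echo "uidNumber must be numeric: '$uidn'" >&2; return 1 ;; esac
    case "$gidn" in ''|*[!0-9]*) echo "gidNumber must be numeric: '$gidn'" >&2; return 1 ;; esac
    # uidNumber 0 would make this directory user root on every SLES server
    # that authenticates through this LDAP client.
    [ "$uidn" -ne 0 ] || { echo "uidNumber 0 is reserved for root" >&2; return 1; }
    case "$home" in /*) ;; *) echo "homeDirectory must be an absolute path" >&2; return 1 ;; esac
    # loginShell is required by SUSE Linux for a proper X login (see table).
    [ -n "$shell" ] || { echo "loginShell is required" >&2; return 1; }
    cat <<EOF
dn: $dn
changetype: modify
add: objectClass
objectClass: posixAccount
-
add: uid
uid: $login
-
add: uidNumber
uidNumber: $uidn
-
add: gidNumber
gidNumber: $gidn
-
add: homeDirectory
homeDirectory: $home
-
add: gecos
gecos: $gecos
-
add: loginShell
loginShell: $shell
EOF
}

# Constructed sample matching the table entries (tjones, 515, /home/tjones).
# Apply the saved output with the ICE syntax used earlier in this section:
#   ice -S LDIF -f tjones.ldif -D LDAP -s localhost -d cn=admin_name,o=admin_container_name -W
zen_demo() {
    zen_posix_ldif "cn=tjones,ou=users,o=novell" tjones "Trevor Jones" 515 515 /home/tjones /bin/bash
}
```

Redirect zen_demo (or a call with your own values) into a file and import it with ice, which prompts for the admin password because of -W; the check on uidNumber 0 matters because every SLES server pointed at this LDAP client treats that attribute as the Linux UID.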

Creating Samba Credentials for Any User

The Samba credentials for any managed user are maintained separately from standard Linux credentials. Use the following steps to add Samba credentials for any user account.

  1. Log in as root at the SLES 9 or SLES 10 server, then enter the following command at the bash prompt:

    smbpasswd -a username
    

    This configuration prompts users who log in to the server for their Samba password. In this syntax, username is the user's eDirectory user name. Users must reside in the context specified as the base DN when the LDAP client was configured. For more information, see Configuring the SLES 9 or SLES 10 Server (LDAP Client).

    NOTE: This is a basic method for Samba account creation. There are many utilities and methods you can use for maintaining both the Linux and Samba passwords with one command. For more information, see the Samba Documentation Collection.

Setting Up a Samba Share

It is necessary to create a Samba share in order for Windows workstations to access files on the SLES 9 or SLES 10 server.

  1. Using a text editor, open /etc/samba/smb.conf on the Linux server, then add the following lines to the file:

    [sharename]
    path = local_directory
    guest ok = no
    read only = no
    

    The sharename value shown in the first line is the advertised network name of the Samba share (for example, zenfiles).

    The local_directory value shown in the second line is the local directory on the server where you want the share to reside.

  2. At the Linux server command line, enter the following commands to change the ownership of the path to the share:

    mkdir -p directory_name
    
    chown -R admin_user_name directory_name
    
    chmod 755 directory_name
    

    The admin_user_name value is the username that you use when you create policies and applications in ZENworks. This username is used to access the Samba share.

    The directory_name value represents the path to the local directory that you specified in Step 1.

  3. At the Linux server command line, enter the following command to restart the Samba server so that it loads the new configuration:

    /etc/init.d/smb restart
    

Accessing Workstation-Associated ZENworks Files on a SLES 9 Server (Option A)

If you need to access workstation-associated policy and application files on a SLES 9 server using the eDirectory method, the Samba share must be marked to allow Guest access. Use the following steps to mark the Samba share:

  1. Using a text editor, open /etc/samba/smb.conf on the server.

  2. Find the following line in the [sharename] section of the file:

    guest ok = no

    The sharename value is the advertised network name of the Samba share (for example, zenfiles).

  3. Modify the line as follows:

    guest ok = yes

Accessing Workstation-Associated ZENworks Files on a SLES 9 or SLES 10 Server (Option B)

If you are using a Windows Middle Tier Server to access workstation-associated policy and application files on a SLES 9 or SLES 10 server using the eDirectory method, the Samba share does not need to be marked “World-read” (see Step 3 of Option A above) to allow Guest access. Use the following steps to allow access to the files:

  1. Ensure that the Windows Middle Tier Server share credentials are entered when you create the Middle Tier during the installation. These can also be configured on the Middle Tier using the NSAdmin utility (LMAUTH credentials).

  2. Make sure that the Middle Tier Server has the same credentials locally.

Even if you have a firewall, the Middle Tier can access the ZENworks files on behalf of the workstation.

Defining Restricted Users

You can modify the smb.conf file to allow you to define the users for whom you want to restrict file modification rights. Use the following steps to define restricted users.

  1. Using a text editor, open /etc/samba/smb.conf on the server.

  2. Find the following line in the [sharename] section of the file:

    read only = no

    The sharename value is the advertised network name of the Samba share (for example, zenfiles).

  3. Modify the line as follows:

    read only = yes

  4. In the same [sharename] section, add the following line:

    write list = admin_user_name

NOTE: The admin_user_name value is the username (or a comma-delimited list of usernames) that keeps write access to the files on the Samba share; with read only = yes, every user not in the write list has only Read rights.
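
The share stanza from both "Setting Up a Samba Share" procedures and the read-only variant from "Defining Restricted Users" differ only in two lines, so they are easy to generate and check from a script. The following is an added example and not the Novell documentation's own code: it emits the [sharename] stanza for either variant, prepares the share directory with the mkdir/chown/chmod sequence the procedures use, and runs testparm on a complete configuration when Samba is installed. Share names, paths and account names are placeholders, and GNU coreutils (stat -c) is assumed.

```bash
#!/bin/bash
# Added example, not taken from the Novell ZENworks documentation: generate
# the [sharename] stanza from "Setting Up a Samba Share" (plus the
# read-only/write-list variant from "Defining Restricted Users"), prepare the
# share directory as the procedure does, and validate with testparm when it
# is available. All names and paths are placeholders; GNU stat -c is assumed.
set -u

# Emit a share stanza. Arguments: share name, local directory, "guest ok"
# value (yes|no) and an optional comma-separated write list. With a write
# list the share becomes "read only = yes" plus "write list = ...", so only
# the listed accounts can modify files; without one it is writable as in the
# basic setup.
zen_share_stanza() {
    local name="$1" dir="$2" guest="$3" writelist="${4:-}"
    printf '[%s]\n' "$name"
    printf 'path = %s\n' "$dir"
    printf 'guest ok = %s\n' "$guest"
    if [ -n "$writelist" ]; then
        printf 'read only = yes\n'
        printf 'write list = %s\n' "$writelist"
    else
        printf 'read only = no\n'
    fi
}

# mkdir -p / chown -R / chmod 755 as in the procedure, then print "uid:mode"
# of the directory so the result can be checked (mode 755: only the owning
# account writes, everyone else can read and traverse).
zen_prepare_share_dir() {
    local dir="$1" owner="$2"
    mkdir -p "$dir" && chown -R "$owner" "$dir" && chmod 755 "$dir" || return 1
    printf '%s:%s\n' "$(stat -c '%u' "$dir")" "$(stat -c '%a' "$dir")"
}

# Syntax-check a complete smb.conf with testparm; returns 0 (skipped) when
# Samba is not installed so the function is safe to call on any host.
zen_check_smbconf() {
    command -v testparm >/dev/null 2>&1 || return 0
    testparm -s "$1" >/dev/null 2>&1
}

# Usage with placeholder values: a share named zenfiles whose files are owned
# by the calling account and writable only by "smbuser", then a testparm run.
zen_demo() {
    local tmp
    tmp=$(mktemp -d)
    {
        printf '[global]\nworkgroup = WORKGROUP\n\n'
        zen_share_stanza zenfiles "$tmp/zenfiles" no "smbuser"
    } > "$tmp/smb.conf"
    zen_prepare_share_dir "$tmp/zenfiles" "$(id -u)" >/dev/null || return 1
    zen_check_smbconf "$tmp/smb.conf"
}
```

Two points worth keeping in mind when you use this on a real server. The /etc/samba/smbusers mapping from the Active Directory procedure (new_account_name = *) is only consulted when the [global] section also contains username map = /etc/samba/smbusers, and once it is in place every Windows user reads and writes the share as that one Linux account, so file ownership and Samba's logs no longer distinguish between users. Keep guest ok = no unless Option A above specifically requires guest access, since a guest-readable share exposes its files to anyone who can reach port 445.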