3104_manual.pdf

7/24/2019 3104_manual.pdf

1/441

www.novel l .comNovell Training Services

A U T H O R I Z E D C O U R S E WA R E

SUSE Linux Enterprise Desktop 11AdministrationManual

3 1 0 4

Novell, Inc. Copyright 2009-CNI USE ONLY. 1 HARDCOPY ALLOWED-NO OTHER PRINTING OR DISTRIBUTION ALLOW

7/24/2019 3104_manual.pdf

2/441

Legal Notices

Novell, Inc., makes no representations or warranties with respect to the contents

or use of this documentation, and specifically disclaims any express or implied

warranties of merchantability or fitness for any particular purpose. Further,

Novell, Inc., reserves the right to revise this publication and to make changes to

its content, at any time, without obligation to notify any person or entity of such

revisions or changes.

Further, Novell, Inc., makes no representations or warranties with respect to any

software, and specifically disclaims any express or implied warranties of

merchantability or fitness for any particular purpose. Further, Novell, Inc.,

reserves the right to make changes to any and all parts of Novel l software, at any

time, without any obligation to notify any person or entity of such changes.

Any products or technical information provided under this Agreement may be

subject to U.S. export controls and the trade laws of other countries. You agree to

comply with all export control regulations and to obtain any required licenses or

classification to export, re-export or import deliverables. You agree not to export

or re-export to entities on the current U.S. export exclusion lists or to any

embargoed or terrorist countries as specified in the U.S. export laws. You agree

to not use deliverables for prohibited nuclear, missile, or chemical biological

weaponry end uses. See theNovell International Trade Services Web page(http:/

/www.novell.com/info/exports/) for more information on exporting Novell

software. Novell assumes no responsibility for your failure to obtain any

necessary export approvals.

Copyright 2009 Novell, Inc. All rights reserved. No part of this publication

may be reproduced, photocopied, stored on a retrieval system, or transmitted

without the express written consent of the publisher.

Novell, Inc., has intellectual property rights relating to technology embodied in

the product that is described in this document. In particular, and without

limitation, these intellectual property rights may include one or more of the U.S.

patents listed on theNovell Legal Patents Web page(http://www.novell.com/

company/legal/patents/) and one or more additional patents or pending patent

applications in the U.S. and in other countries.

Novell, Inc.

404 Wyman Street, Suite 500

Waltham, MA 02451

U.S.A.

www.novell.com

Online Documentation:To access the latest online documentation for

this and other Novell products, see the Novell Documentation Web

page(http://www.novell.com/documentation).

Novell Trademarks

For Novell trademarks, see the Novell Trademark and Service Mark list(http://

www.novell.com/company/legal/trademarks/tmlist.html).

Third-Party Materials

All third-party trademarks are the property of their respective owners.

http://www.novell.com/info/exports/http://www.novell.com/company/legal/patents/http://www.novell.com/documentationhttp://www.novell.com/documentationhttp://www.novell.com/company/legal/trademarks/tmlist.htmlhttp://www.novell.com/company/legal/trademarks/tmlist.htmlhttp://www.novell.com/documentationhttp://www.novell.com/documentationhttp://www.novell.com/company/legal/patents/http://www.novell.com/info/exports/

7/24/2019 3104_manual.pdf

3/441

Contents

Copying all or part of this manual, or distributing such copies, is strictly prohibited.

To report suspected copying, please call 1-800-PIRATES.

3Version 1

Introduction 9

Student Kit Deliverables 9

Course Design 10

Course Objectives 10

Course Audience 10

Certification and Prerequisites 11

Classroom Agenda 11

Course Setup 12

Exercise Guidelines 12

VMware Virtualization and the Exercises 13

Exercise Conventions 13

Workbook 14

Course Feedback 14

SECTION 1 Customize the Graphical Interface on SUSE

Linux Enterprise Desktop 11 15

Objective 1 Configure X, Xgl, and Compiz 16

Configure X . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

Activate Compiz . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

Exercise 1-1 Activate Compiz . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

Objective 2 Customize the GNOME User Interface 24

User-Defined Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

Default Values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

Exercise 1-2 Customize the GNOME User Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

Objective 3 Customize Applications 30

OpenOffice.org 3.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

Firefox. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

Exercise 1-3 Customize Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

Summary 36

SECTION 2 Lock Down the SLE Desktop 37

Objective 1 Control Mounting of CD-ROM, DVD, and USB Devices 38

Exercise 2-1 Control Mounting of CD-ROM, DVD, and USB Devices. . . . . . . . . . . . . . . . . . . 42

Objective 2 Define Mandatory Settings with GConf and Desktop Profiles 43

gconf-editor. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

gconftool-2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45

Exercise 2-2 Set Mandatory Values for Preferences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46


7/24/2019 3104_manual.pdf

4/441

7/24/2019 3104_manual.pdf

5/441



5Version 1

Summary 112

SECTION 5 Integrate SLED 11 into an Active Directory Environment 113

Objective 1 Describe How SLED 11 Integrates with Active Directory 114

Benefits of Active Directory Integration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114How Windows Networking Works. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114

How SLED 11 Integrates with an Active Directory Domain . . . . . . . . . . . . . . . . 119

Objective 2 Configure Active Directory Integration 124

Joining SLED 11 to an Active Directory Domain . . . . . . . . . . . . . . . . . . . . . . . . 124

Exercise 5-1 Join SLED 11 to an Active Directory Domain. . . . . . . . . . . . . . . . . . . . . . . . . . . 134

Logging In to an Active Directory Domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134

Managing Domain Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136

Exercise 5-2 Log In to the Domain from SLED 11. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138

Objective 3 Access Shared Domain Resources 139

Accessing Shared Folders. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139

Accessing Shared Printers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142Exercise 5-3 Access a Shared Folder. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146

Summary 147

SECTION 6 Integrate SLED 11 into a Novell eDirectory Environment 149

Objective 1 Describe How the Novell Client for Linux Works 150

The Role and Function of Novell eDirectory . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150

The Role and Function of the Novell Client for Linux. . . . . . . . . . . . . . . . . . . . . 158

Objective 2 Install and Configure the Novell Client for Linux on SLED 11 160

Installing the Novell Client for Linux on SLED 11 . . . . . . . . . . . . . . . . . . . . . . . 160

Exercise 6-1 Install the Novell Client for Linux . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170

Configuring the Novell Client on SLED 11 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170

Objective 3 Authenticate to an OES 2 Server Using the Novell Client for Linux 184

Authenticating to eDirectory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184

Mapping Directories to Server Volumes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186

Logging Out . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191

Troubleshooting SLP Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192

Using Novell Client for Linux Shell Commands . . . . . . . . . . . . . . . . . . . . . . . . . 196

Exercise 6-2 Configure the Novell Client for Linux . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198

Configuring Integrated Login . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198

Exercise 6-3 Configuring Integrated Login. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203

Objective 4 Use Novell iPrint on SLED 11 204

How iPrint Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204Installing and Configuring the iPrint Client on Linux Workstations . . . . . . . . . . 209

Installing iPrint Printers and Sending Print Jobs . . . . . . . . . . . . . . . . . . . . . . . . . 210

Exercise 6-4 Install and Configure the iPrint Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213


7/24/2019 3104_manual.pdf

6/441

SUSE Linux Enterprise Desktop 11 Administration / Manual



Version 16

Objective 5 Use iFolder on SLED 11 214

How iFolder Works. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214

Installing the iFolder Client. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216

Configuring Your iFolder Account. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217

Creating iFolders . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224

Summary 229

SECTION 7 Integrate SUSE Linux Enterprise Desktop 11 into a UNIX

Environement233

Objective 1 Accessing NFS File Shares 234

Network File System Basics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234

NFS Internals. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235

Configure NFS Client Access with YaST. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235

Mount Home Directories Manually . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237

Mount Home Directories Automatically. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239

Exercise 7-1 Import Network File System (NFS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241

Objective 2 Authentication to LDAP 242

LDAP Basics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242

YaST LDAP Client Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245

OpenLDAP and Automounter. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247

Exercise 7-2 Integrate a SLED 11 into an LDAP Environment. . . . . . . . . . . . . . . . . . . . . . . . . 249

Objective 3 Printing to CUPS Printers 250

Configure CUPS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250

Exercise 7-3 Change Your Printer Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268

Manage Print Jobs and Queues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268

Understand How CUPS Works. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275

Exercise 7-4 Manage Printers from the Command Line . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281

Summary 282

SECTION 8 Access Remote Desktops Using Nomad 285

Objective 1 Describe How Nomad Works 286

How RDP Works. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286

How Nomad Works. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287

Objective 2 Install and Configure Nomad 291

Configure the Nomad Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291

Configure the Nomad Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295

Exercise 8-1 Install and Configure Nomad . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299

Objective 3 Access Desktops Remotely with Nomad 300Accessing Remote Desktops with rdesktop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300

Accessing Remote Desktops with tsclient . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302

Exercise 8-2 Access Remote Desktop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 306


7/24/2019 3104_manual.pdf

7/441



7Version 1

Objective 4 Troubleshoot Common Nomad Problems 307

Verifying that xrdp is Running on the Sender . . . . . . . . . . . . . . . . . . . . . . . . . . . 307

Verifying that Port 3389 is Open . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307

Summary 308

SECTION 9 Use Multimedia on the SUSE Linux Enterprise Desktop 11 309

Objective 1 Use Banshee 310

Import Music. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311

Play Your Music . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313

Ripp Your Music . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314

Listen to Internet Radio . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315

Listen to Podcasts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316

Exercise 9-1 Use Banshee . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318

Objective 2 Use Moonlight 319

Exercise 9-2 Use Moonlight . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321

Summary 322

SECTION 10 Configure Email 323

Objective 1 Configure the Evolution Email Client on SLED 11 324

The Role and Function of Evolution. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324

Configuring Evolution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324

Using Evolution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337

Exercise 10-1 Integrate Evolution with Microsoft Exchange . . . . . . . . . . . . . . . . . . . . . . . . . . . 353

Objective 2 Configure the GroupWise Client on SLED 11 354

Installing Novell GroupWise Client for Linux. . . . . . . . . . . . . . . . . . . . . . . . . . . 354

Using the GroupWise Client. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358

Exercise 10-2 Install and Configure the GroupWise Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . 372

Summary 373

SECTION 11 Create Shell Scripts 375

Objective 1 Understand Bash Basics 376

Bash Command Line . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 376

Bash Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 378

Return Values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 379

Objective 2 Use Basic Script Elements 381

Elements of a Shell Script. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 381

A Simple Backup Script . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 382Debug Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 384

Exercise 11-1 Create a Simple Shell Script. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 385

Objective 3 Understand Variables and Command Substitution 386

Exercise 11-2 Use Variables and Command Substitution. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 389


7/24/2019 3104_manual.pdf

8/441




Version 18

Objective 4 Use Control Structures 390

Create Branches. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 390

Exercise 11-3 Use an if Control Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 394

Create Loops . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 394

Exercise 11-4 Use a while Loop. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398

Objective 5 Use Arithmetic Operators 399

Exercise 11-5 Use Arithmetic Operators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 401

Objective 6 Read User Input 402

Exercise 11-6 Read User Input. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 404

Objective 7 Use Arrays 405

Exercise 11-7 Use Arrays. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 407

Objective 8 Finalize the Course Project 408

Exercise 11-8 Use rsync to Keep Versions of Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 410

Objective 9 Use Advanced Scripting Techniques 411

Use Shell Functions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411Read Options with getopts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412

Exercise 11-9 Use Shell Functions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414

Objective 10 Learn about Useful Commands in Shell Scripts 415

Use the cat Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 415

Use the cut Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 415

Use the date Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416

Use the grep and egrep Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416

Use the sed Command. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 417

Use the test Command. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 419

Use the tr Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 421

Summary 423

SECTION 12 Deploy SUSE Linux Enterprise Desktop 11 427

Objective 1 Understand Autoinstallation Basics 428

Installation Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 428

Deployment Strategies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 429

AutoYaST Basics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 431

Objective 2 Create a Configuration File for AutoYaST 432

Exercise 12-1 Create an AutoYaST Control File. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 436

Objective 3 Use an Installation Server 437

Objective 4 Perform an Automated Installation 438

Provide the Control File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 438

Boot and Install the System. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 438

Exercise 12-2 Perform an Automated Installation of SUSE Linux Enterprise Desktop . . . . . . . 440

Summary 441


7/24/2019 3104_manual.pdf

9/441



9Version 1

Introduction

Introduction

SUSE Linux Enterprise Desktop 11 Administration (Course 3104) focuses on the

routine system administration of SUSE Linux Enterprise Desktop 11(SLED 11).

This course covers basic Linux skills as well as common tasks a system administrator

of SLED 11 has to perform, such as configuring the desktop environment, printing,

integrating the product into existing environments, and rolling out a large number of

installations.

Before starting the course, review the following:

Student Kit Deliverables on page 9

Course Design on page 10

Exercise Guidelines on page 12

Course Feedback on page 14

Student Kit Deliverables

The contents of your student kit include the following:

SUSE Linux Enterprise Desktop 11 Administration Manual

SUSE Linux Enterprise Desktop 11 Administration Workbook

SUSE Linux Enterprise Desktop 11 Administration Course DVD (2 DVDs)

SUSE Linux Enterprise Desktop 11 SP1 Product DVD

SUSE Linux Enterprise Server 11 Product DVD

The SUSE Linux Enterprise Desktop 11 Administration CourseDVDs contain an image of a SUSE Linux Enterprise Desktop 11 installation and otherimages (a SUSE Linux Enterprise Server 11installation, an OpenEnterprise Serverinstallation, and an empty VMware machine in which youcan install Windows 2008 Server) that you can use to perform the exercises in theSUSE Linux Enterprise Desktop 11 Administration Workbook.The exercises in the Workbook help you to practice the skills tested in the Novell

Certified Linux Desktop Professional 11 (CLDP 11) exam (050-722).

NOTE: Instructions for setting up a self-study environment are in the setup directory on the Course

DVD.


7/24/2019 3104_manual.pdf

10/441




Version 110

Course Design

The following provides information about the design of the course to help you

evaluate whether or not this course provides the type of SLED 11 training you need

(in a classroom environment or for self-study):

Course Objectives on page 10

Course Audience on page 10

Certification and Prerequisites on page 11

Classroom Agenda on page 11

Course Setup on page 12

Course Objectives

This course teaches SUSE Linux Enterprise Desktop 11 theory as well as practical

application with hands-on labs of the following SUSE Linux Enterprise Desktop 11

Administration topics:1. Customize the Graphical Interface on SUSE Linux Enterprise Desktop 11

2. Lock Down the SLE Desktop

3. Use the NetworkManager to Configure the Network

4. Activate and Use IPv6

5. Integrate SLED 11 into an Active Directory Environment

6. Integrate SLED 11 into a Novell eDirectory Environment

7. Integrate SUSE Linux Enterprise Desktop 11 into a UNIX Environment

8. Access Remote Desktops Using Nomad

9. Use Multimedia on the SLE Desktop

10. Configure Email

11. Create Shell Scripts

12. Deploy SUSE Linux Enterprise Desktop 11

These are tasks a SUSE Linux Desktop administrator in an enterprise environment

routinely has to deal with.

Course Audience

This course is addressed to administrators that are CLA11-certified (or those who

have a comparable Linux administration knowledge) and who now want to gain in-

depth knowledge on tasks a Linux administrator has to perform routinely on

SLED11.


7/24/2019 3104_manual.pdf

11/441



11Version 1

Introduction

Certification and Prerequisites

This course helps you prepare for the following Novell Certified Linux Desktop

Professional 11 (Novell CLDP 11) exams:

CLDP 11 - Professional level (050-722)

As with all Novell certifications, course work is recommended. To achieve the Novell

CLDP 11 certification, you are required to pass the Novell CLDP 11 exam.

The following illustrates the training and testing path for Novell CLDP11:

Figure Intro-1 CLDP 11 Certification Path

NOTE: For more information about Novell certification programs and certification exams, see

Novells certification website(http://www.novell.com/training/certinfo/).

Classroom Agenda

This course is designed to be taught as a 5-day course with the following basic

agenda:

Table Intro-1 Course Agenda

Module Duration (hh:mm)

Day 1 Introduction 00:30

Customize the GraphicalInterface on SUSE Linux

EnterpriseDesktop 11

02:30

Lock Down the SLE Desktop 03:00

http://www.novell.com/training/certinfo/http://www.novell.com/training/certinfo/

7/24/2019 3104_manual.pdf

12/441




Version 112

Course Setup

The setup in this course are based on running a SLED 11 called DA-HOST. On DA-

HOST runs a virtual server with four virtual machines:

DA1.A SUSE Linux Enterprise Server 11. This virtual machine provides

services you need for the exercises (like DNS).

DA-SLED.A SLED 11 workstation. This virtual machine is used to test and use

services during various exercises.

DA-OES.A Novell Open Enterprise Server 2 server. It hosts the services

covered in this course.

DA-WIN.A Microsoft Windows Server 2008. This virtual machine provides

Active Directory and an Exchange server.

Exercise Guidelines

The following information provides guidelines to help you make the most of theexercises provided in this course:

VMware Virtualization and the Exercises on page 13

Exercise Conventions on page 13

Workbook on page 14

Day 2 Use the NetworkManager toConfigure the Network

04:30

Activate and Use IPv6 02:00

Day 3 Integrate SLED 11 into anActive Direcotory Enviroment

03:00

Integrate SLED 11 into aNovell eDirecotoryEnviroment

03:30

Day 4 Integrate SUSE Linux

Enterprise Desktop 11 into aUNIX Enviroment

03:00

Access Remote Desktops 02:00

Use Multimedia on the SLEDesktop

00:30

Configure Email 01:00

Day 5 Create Shell Scripts 05:30

Deploy SUSE Linux

Enterprise Desktop 11

01:00

Module Duration (hh:mm)


7/24/2019 3104_manual.pdf

13/441



13Version 1

Introduction

VMware Virtualization and the Exercises

VMware virtualization technology allows you to create and run multiple virtual

computers on one physical computer. The physical computer must be running player

software to allow it to be a virtual machine server (or host).

The VMware virtual machines used in this course are:

DA1.A SUSE Linux Enterprise Server 11. This virtual machine provides

services (like DNS) you need for the exercises.

DA-SLED.A SUSE Linux Enterprise Desktop 11 workstation. This virtual

machine is used to test and use services during various exercises.

DA-OES-A.A Novell Open Enterprise Server 2 server. It hosts the services

covered in this course.

DA-WIN.A Microsoft Windows Server 2008. This virtual machine provides

Active Directory and an Exchange server.

Exercise Conventions

The exercises use conventions that indicate information you need to enter that is

specific to your server.

The following describes the most common conventions:

italicized/bolded text.This represents a variable value, such as the host name of

your server.

For example, if the host name of your server is DA3 and you see the following:

hostname.da.com

you would enter

DA3.da.com

172.17.8.xor DAx.This is the IP address or host name that is assigned to a

server.

For example, if your IP address is 172.17.12.101 and you see the following:

172.17.12.x

you would enter

172.17.12.101

Select.The word selectis used in exercise steps to indicate a variety of actions

including clicking a button on the interface and selecting a menu item.

Enter and Type.The words enterand typehave distinct meanings.

The word enter means to type text in a field or type text at a command line

prompt and press the Enter key. The word type means to type text without

pressing the Enter key.

If you are directed to type a value, make sure you do not press the Enter key or

you might activate a process that you are not ready to start.


7/24/2019 3104_manual.pdf

14/441

7/24/2019 3104_manual.pdf

15/441



15Version 1

Customize the Graphical Interface on SUSE Linux Enterprise Desktop 11

S E C T I O N 1 Customize the Graphical Interface on SUSELinux Enterprise Desktop 11

In this section, you learn how to configure the graphical environment of your SUSE

Linux Enterprise Desktop 11 (SLED 11). This includes the X configuration as well as

the configuration of the GNOME environment.

Section Objectives

In this section, you learn how to do the following:

1. Configure X, Xgl, and Compiz on page 16

2. Customize the GNOME User Interface on page 243. Customize Applications on page 30


7/24/2019 3104_manual.pdf

16/441




Version 116

Objective 1 Configure X, Xgl, and Compiz

Provided the computer is equipped with suitable graphics hardware (supported

graphics adapter with good 3D performance),SUSE Linux EnterpriseDesktop 11provides an entirely new Linux desktop experience through its use of

3D effects made possible by Xgl and Compiz .

Figure 1-1 Switching to Another Virtural Desktop

Xgl is a new Xserver architecture layered on top of OpenGL. Xgl can perform

intricate graphical operations noticeably faster than other available Xservers that do

not use OpenGL.

More important than speed alone, Xgl accelerates complex composite operations,

making possible new stunning visual effects on OpenGL-enhanced composition/

window managers like Compiz, the compositor utility that was developed in

conjunction with Xgl.

Compiz is a combination of a window manager and a composite manager using

OpenGL for rendering. A window manager allows the manipulation of the multiple

applications and dialog windows that are presented on the screen. A compositemanager allows windows and other graphics to be combined to create composite

images, such as those used to create transparency effects. Compiz achieves its

stunning effects by performing both of these functions.

When you activate Compiz, it replaces the window manager of your desktop

environment (Metacity in GNOME and kwin in KDE).


7/24/2019 3104_manual.pdf

17/441

7/24/2019 3104_manual.pdf

18/441




Version 118

First, SaX2 checks the hardware; then the following dialog appears:

Figure 1-3 SaX2 Proposes Screen Settings

If you are satisfied with the configuration, select OK.

If you need to change the configuration, select Change Configuration. Except for

the window title, the dialog that opens up is the same as that of the YaST Graphics

Card and Monitor module:


7/24/2019 3104_manual.pdf

19/441



19Version 1


Figure 1-4 SaX2s X11 Configuration Dialog

In the Monitor section, you can change different aspects of the X configuration (such

as graphics card details, monitor type, screen resolution, and number of colors

displayed) that concern the graphics card and monitor.

Selecting one of the categories on the left opens different dialogs that allow you to

change the respective settings.When you are done with the configuration, select OK. In the next dialog, you can

choose to test the configuration, to save it, or to cancel the changes.

Figure 1-5 Test the Graphics Configuration


7/24/2019 3104_manual.pdf

20/441




Version 120

We recommend testing the configuration before saving it. A dialog to adjust the size

and position of the screen appears.

Figure 1-6 Adjust the Screen

Normally it is not necessary to change something here.

Save your settings and exit SaX2.

Activate Compiz

The packages needed to activate Compiz are part of the GNOME pattern used during

a default installation. These include the following:

compiz

xgl

xgl-hardware-list

gnome-session

libwnck

Once 3D acceleration has been activated, log in as a normal user to GNOME and

activate Compiz.

Select the Computericon in the lower left corner of the desktop, open the Control

Center, and start the Desktop Effectscontrol panel in section Look and Feel.


7/24/2019 3104_manual.pdf

21/441



21Version 1


Figure 1-7 Enable Desktop Effects

Mark Enable desktop effectsto activate Compiz.

The following table lists the more frequently used controls:

Key Combination Effect

Ctrl+Alt+Left Rotate cube to the left.

Ctrl+Alt+Shift+Left Rotate cube to the left, with active window.

Ctrl+Alt+Right Rotate cube to the right.

Ctrl+Alt+Shift+Right Rotate cube to the right, with active window.

Ctrl+Alt+Mouse Button 1 Rotate cube using the mouse.

Ctrl+Alt+Down Unfold the cube; then use left and right arrow

key to move.


7/24/2019 3104_manual.pdf

22/441




Version 122

NOTE: More information on xgl can be found at the OpenSUSE website(http://en.opensuse.org/

Xgl).

More information on Compiz can be found at the OpenSUSE website (http://en.opensuse.org/

Compiz).

http://en.opensuse.org/Xglhttp://en.opensuse.org/Compizhttp://en.opensuse.org/Compizhttp://en.opensuse.org/Xgl

7/24/2019 3104_manual.pdf

23/441



23Version 1


Exercise 1-1 Activate Compiz

In this exercise, you configure Compiz, provided the hardware supports it.

In the first part, using YaST, verify that 3D support is enabled for your graphics

adapter.

If 3D support is enabled, activate Compiz for the Gnome desktop in the second part.

You will find this exercise in the workbook.

(End of Exercise)


7/24/2019 3104_manual.pdf

24/441




Version 124

Objective 2 Customize the GNOME User Interface

You can customize the GNOME user interface in various ways: For example, you can

add or remove icons, change the background image, or add items to the panel. The

administrator can set system-wide defaults. Users can configure their own desktops.

The system used for storing application preferences in GNOME is GConf. GConf

provides a preferences database, similar to a simple file system.

Keys are organized into a directory hierarchy. Each key is either a directory

containing more keys, or it has a value which is contained in the %gconf.xmlfilein a key directory.

This directory structure is below /etc/gconf/for system-wide entries, whileuser-specific settings are contained in subdirectories of ~/.gconf/.

The %gconf.xmlfile can contain many key-value pairs. E.g., in ~geeko/.gconf/apps/nautilus/preferences/%gconf.xml :

800x550+400+38

NOTE: This file is only available if you started Nautilus once before.

A per-user daemon, gconfd-2, controls these settings. It reads the current settings

from various sources when a user logs in, notes any changes the user makes to the

settings, and informs the affected applications. In this way, changed settings take

effect immediately. Changes are written to the file system at regular intervals.

NOTE: A more detailed description of the GConf repository structure is contained in the GNOME

Desktop System Administration Guide(http://library.gnome.org/admin/system-admin-guide/stable/

).

To understand how the user environment is configured, you need to know the

following:

User-Defined Settings on page 24

Default Values on page 26

User-Defined Settings

When a user defines the settings for his or her workstation, using the preference

dialogs of GNOME applications or the gconf-editor tool, the settings are written to a

%gconf.xmlfile in a directory beneath~/.gconf.

To see how a user-defined setting is stored, suppose a user decided to change the

default double-click used to launch applications to a single click.

http://library.gnome.org/admin/system-admin-guide/stable/http://library.gnome.org/admin/system-admin-guide/stable/http://library.gnome.org/admin/system-admin-guide/stable/http://library.gnome.org/admin/system-admin-guide/stable/

7/24/2019 3104_manual.pdf

25/441



25Version 1


To change this default behavior, start Nautilus by double-clicking the folder icon

representing the home directory. Select Edit > Preferences > Behavior > Single

Click to Activate Items. This change takes effect immediately.

The setting is stored in ~/.gconf/apps/nautilus/preferences/

%gconf.xml: single

...

The same effect can be achieved with gconf-editor. Open a terminal window, typegconf-editor, and press Enter. The various options available are displayed in a

tree-like structure:Figure 1-8 The gconf-editor

To change the value of a key, double-click the key in the right part of the window and

change its value in the dialog that appears.


7/24/2019 3104_manual.pdf

26/441




Version 126

Depending on the application, gconf-editor might offer more settings than the

preference dialog of the respective application itself.

You can also use the gconftool-2command line tool to change the GConfsettings. To change the default click policy to single, enter the following on the

command line:geeko@da10:~> gconftool-2 --set --type string /apps/nautilus/preferences/click_policy single

The /apps/nautilus/preferences/click_policy key corresponds to the tree structure in

gconf-editor. The --setand --type stringoptions indicate that this key willtake the new singlestring value. The type depends on the key and is defined in the

schema file for that key. Schemas are covered in Default Values on page 26.

You can also use gconftool-2 to view the current value of a key:

geeko@da10:~> gconftool-2 --get /apps/nautilus/preferences/click_policysinglegeeko@da10:~>

Default Values

Default values are used for any preferences that are not set specifically by the user.

When looking for the value of a variable, GConf scans a couple of files in /etc/gconf

before looking in the users configuration file. The names of the files and the order

can be seen in the /etc/gconf/2/path file.

The sequence of the configuration sources in the path file ensures that mandatory

preference settings override user preference settings. The sequence also ensures that

user preference settings override default preference settings. That is, GConf applies

preferences in the following order of priority:

1. Mandatory preferences

2. User-specified preferences

3. Default preferences

GConf also uses schema files which are contained in files in /etc/gconf/schemas/. Schemas list the possible preferences for applications or desktopsettings. For the GNOME desktop background, the respective file is called

desktop_gnome_background.schemas:

/schemas/desktop/gnome/sound/default_mixer_device /desktop/gnome/sound/default_mixer_device gnome string Default mixer device


7/24/2019 3104_manual.pdf

27/441



27Version 1


The default mixer device used by the multimedia keybindings.

...

This file contains keys, their type (integer, boolean, string, float, or list), default

value, and descriptions in several languages.

You can change the system-wide default values using either gconf-editororgconftool-2.

Change Defaults Using gconf-editor

To use gconf-editorfor this purpose, make sure you are logged in as root whenyou start it. You can right-click a key and select Set as Defaultor Set as Mandatory

from the pop-up menu.

Figure 1-9 Set as Default or as Mandatory

To see all default settings, select File > New Defaults Window. To see all mandatory

settings, select File > New Mandatory Window. A new window opens and lets you

change settings as explained in User-Defined Settings on page 24.

To remove a key from the default or mandatory configuration, right-click the key and

select Unset Keyin the New Mandatory Window.


7/24/2019 3104_manual.pdf

28/441




Version 128

Change Defaults Using gconftool-2

To change system-wide defaults with gconftool-2, you must be logged in as root.You must specify the repository you want to change. Otherwise, by default, changes

apply to the ~/.gconf/directory in the users home directory. They will not apply

to the directories beneath /etc/gconf/gconf.xml.defaults . You also haveto make sure gconfd-2is not running.

The command to change the default for the background image file looks similar to the

following example (the gconftool-2command line needs to be entered in oneline):

da10:/etc/gconf # killall gconfd-2da10:/etc/gconf # gconftool-2 --direct --config-source xml_readwrite:/etc/gconf/gconf.xml.defaults --set --type string /desktop/gnome/background/picture_filename /usr/share/wallpapers/SpringFlowers.jpg

In the example, --directindicates that the configuration repository is altereddirectly without using gconfd-2, and --config-source specifies the source to

change.

The command changes the /etc/gconf/gconf.xml.defaults/desktop/gnome/background/%gconf.xml file, which now lists the new default value:

/usr/share/wallpapers/SpringFlowers.jpg

Users who do not have an entry in their ~/.gconf/directory trees defining adifferent background image will see the new background image the next time they

log in. They are still able to change their own background images.

Setting preferences that cannot be changed by the user is covered in Configure X,

Xgl, and Compiz on page 16.


7/24/2019 3104_manual.pdf

29/441

7/24/2019 3104_manual.pdf

30/441

7/24/2019 3104_manual.pdf

31/441

7/24/2019 3104_manual.pdf

32/441




Version 132

Figure 1-11 Configure the Paths Used by OpenOffice.org

To add or delete template directories, select Editand make the changes in the dialog

that appears.

Figure 1-12 Edit the Path of Your Templates

You can copy a sample .ooo3directory with company-specific OpenOffice.orgsettings to /etc/skel/to make all configuration settings and templates in thatdirectory available to new users.

NOTE: A helpful resource for OpenOffice.org is the OpenOffice.org Forum (http://

www.oooforum.org/).

Firefox

Firefox can be configured extensively via Edit > Preferences. Several tabs cover

various aspects of the configuration.

http://www.oooforum.org/http://www.oooforum.org/

7/24/2019 3104_manual.pdf

33/441



33Version 1


Figure 1-13 Firefox Preferences

You can access the preferences listed above, as well as additional preferences, atabout:config. After the warning dialog, you can select an entry with a double-click to open a dialog to change the value of the respective parameter:


7/24/2019 3104_manual.pdf

34/441




Version 134

Figure 1-14 List of the Firefox Preferences

Changed values are stored in the home directory of the user in ~/.mozilla/firefox/xxxxxxxx.default/prefs.js. To make them available for allusers, copy the file to /usr/lib/firefox/defaults/profile/prefs.js. Users can still make their own changes and override the values in thesystem-wide file.


7/24/2019 3104_manual.pdf

35/441



35Version 1


Exercise 1-3 Customize Applications

In this exercise, you create an OpenOffice.org template.

In the first task, create a header of letters. In the second task, create a new letter using

the header, you created in task I.


(End of Exercise)


7/24/2019 3104_manual.pdf

36/441




Version 136

Summary

The following is a summary of what you learned in the course objectives.

Objective What You Learned

Configure X, Xgl, and Compiz The installation is controlled by an XML file.SUSE Linux Enterprise Desktop 11 supports

XGL and Compiz, providing a new desktopexperience on Linux.

Customize the GNOME User Interface The user preferences for GNOME settings arestored as keys in the GConf repository,

system-wide in /etc/opt/gnome/gconf/, or inthe users home directory in ~/.gcon/f. Tochange settings within GNOME applications,

use

The graphical tool gconf-editor

The command line tool gconftool-2

Customize Applications Applications store their configuration settings,usually in hidden directories or files (startingwith a .) in the home directory of the user

who sets them.

In some cases, it is useful for the desktopadministrator to distribute sample

configurations, e.g., for OpenOffice.org orFirefox.


7/24/2019 3104_manual.pdf

37/441



37Version 1

Lock Down the SLE Desktop

S E C T I O N 2 Lock Down the SLE Desktop

If the user only sees what he is allowed to access, system security is increased. In this

section different methods of locking down SUSE Linux EnterpriseDesktop 11(SLED 11) are described.

Encrypted file systems can also improve security.

Section Objectives

In this section, you learn how to do the following:

1. Control Mounting of CD-ROM, DVD, and USB Devices on page 38

2. Define Mandatory Settings with GConf and Desktop Profiles on page 433. Use PolicyKit to Configure Application Policies on page 47

4. Use File System Encryption on page 58


7/24/2019 3104_manual.pdf

38/441




Version 138

Objective 1 Control Mounting of CD-ROM, DVD, and USB Devices

By default, removable media like CD-ROMs, DVDs, and USB storage devices are

automatically mounted. The program providing this functionality is the HAL

daemon. Three GNOME tools use HAL and read settings from GConf:

gnome-mount

gnome-umount(same as gnome-mount --umount)

gnome-eject(same as gnome-mount --eject)

Depending on company policy or the use of the workstation, you might have to

prevent users from reading from or writing to removable media or mounting

removable devices such as USB drives or sticks.

There are various ways to configure this. Which one you choose depends mainly on

how difficult you want to make it for any user who tries to circumvent the restrictions

you impose.

Using GConf and /etc/fstab

Use gconftool-2 or gconf-editor to set the media_automount key in /apps/

nautilus/preferences in the mandatory GConf repository to false.

While this prevents automatic mounting, the user can still mount the drive by

selecting the desktop icon that appears when a CDROM is inserted.

You can add an entry in /etc/fstab(like the following) to prevent mountingof CD-ROMs or DVDs by unprivileged users (assuming that /dev/dvdrepresents the CDROM/DVD drive):

/dev/dvd /media/dvd auto noauto,defaults 0 0

Now an error message will appear when a user inserts a CDROM.

Figure 2-1 Users Are Not Able To Mount a CD/DVD

NOTE: More about GConf you will learn in Configure X, Xgl, and Compiz on page 16.

Using kernel modules

The usb_storage kernel module is needed to read from USB storage devices. You

can prevent the module from being loaded by adding the following line in /etc/modprobe.conf.local :


7/24/2019 3104_manual.pdf

39/441



39Version 1


install usb_storage /usr/bin/true

You can use other programs instead of /usr/bin/trueas well. The followingexample (in one line in /etc/modprobe.conf.local ) will cause an emailnotice to be sent when someone inserts such a device:

install usb_storage /usr/bin/mail -s "USB-Stick inserted on$HOSTNAME" [email protected]

NOTE: You could disable USB completely by adding similar lines for usbcore and other USB

modules (use lsmodto find which ones). But this might not be practical because that woulddisable a USB keyboard and mouse as well.

You could rename or remove the USB kernel modules. However, the next kernel

update would bring them back and enable USB storage again.

Configure udev rules

In the past, the /dev/directory contained a device file for hundreds of devices,

even if the hardware was not present. With udev this has changed; device filesare created only for devices that are actually present.

The command udevadm monitorcan be used to monitor the udev systemmessages. When you plug in a USB stick, a messages similar to the followings

should appear.

UDEV [1243464970.656655] add /devices/pci0000:000000:00:1d.2/usb7/7-2/7-2:1.0/host6/target6:0:0/6:0:0:0/block/sdb (block)UDEV [1243464971.499426] add /devices/pci0000:000000:00:1d.2/usb7/7-2/7-2:1.0/host6/target6:0:0/6:0:0:0/block/sdb/sdb1 (block)

Block devices are created. In this example one for the new device (sdb) and one

for the partition (sdb1).

When removing the USB stick the block devices should be removed like in the

following.

UDEV [1243465458.031639] remove /devices/pci0000:000000:00:1d.2/usb7/7-2/7-2:1.0/host6/target6:0:0/6:0:0:0/block/sdb/sdb1 (block)...UDEV [1243465458.035093] remove /devices/pci0000:000000:00:1d.2/usb7/7-2/7-2:1.0/host6/target6:0:0/6:0:0:0/block/sdb (block)

udev is very flexible and can be configured by writing rules to *.rulesfiles inthe /etc/udev/rules.d/ directory.

NOTE: More udev rules you can find in /lib/udev/rules.d/.

You can create your own rules in /etc/udev/rules.d/ . To ensure that yourrules are used, the filename should start with a smaller number than the other

files in the directory (e.g., 10-local.rules)

A rule to disable devices that require the usb_storage module could look like the

following:


7/24/2019 3104_manual.pdf

40/441




Version 140

# Disable USB storageDRIVER=="usb-storage", OPTIONS+="ignore_device last_rule"

The ignore_deviceoption will ensure that no action is taken and, thereforee,no device file is created to access the device. The last_ruleoption preventslater rules from changing this rule.

Much more fine-grained control than shown above is possible. You could, for

instance, write rules allowing a specific USB device based on its serial number,

and ignoring other devices.

NOTE: The manual page for udev and the udev HOWTO(http://www.reactivated.net/

writing_udev_rules.html) provide more information on how to write udev rules.

Using PolicyKit

PolicyKit is an application-level toolkit for defining and handling the policy that

allows unprivileged processes to speak to privileged processes: It is a framework

for centralizing the decision-making process with respect to granting access toprivileged operations for unprivileged applications.

PolicyKit is covered in detail in Use PolicyKit to Configure Application

Policies on page 47.

To prevent users from mounting removable medias (like DVDs or USB sticks),

you have to add the following line to your local rules in the /etc/polkit-default-privs.local file.

org.freedesktop.hal.storage.mount-removable auth_admin_keep_always

The new settings are activated by the set_polkit_default_privs command.

da10:~ # set_polkit_default_privssetting org.freedesktop.hal.storage.mount-removable toauth_admin_keep_always:auth_admin_keep_always:auth_admin_keep_always (wrong settingauth_admin_keep_always:auth_admin_keep_always:yes)

When the user inserts a DVD or USB stick, an authentication dialog appears:

http://www.reactivated.net/writing_udev_rules.htmlhttp://www.reactivated.net/writing_udev_rules.html

7/24/2019 3104_manual.pdf

41/441



41Version 1


Figure 2-2 Authentication Is Needed to Mount Removable Medias

Remove the hardware

Physically remove CDROM and DVD drives as well as USB ports. This also

prevents the computer from being booted from bootable CDs.


7/24/2019 3104_manual.pdf

42/441

7/24/2019 3104_manual.pdf

43/441



43Version 1


Objective 2 Define Mandatory Settings with GConf and Desktop Profiles

It is sometimes desirable from the desktop administrators point of view to limit what

users can configure or change on their desktops. Reasons for this could be corporate

policies or an effort to reduce help desk calls because of misconfiguration caused by

users.

Even greater restraints are frequently imposed on desktops used in public places like

trade shows.

As covered in Customize the GNOME User Interface on page 24, GConf is used to

store user-defined preferences or to set system-wide defaults. It can also be used by

the administrator to set preferences that cannot be changed by the user.

gconf-editor

To set or change mandatory settings, you must be logged in as root when you use

gconf-editor. The steps you take depend on what you need to do:

Set Preferences as Mandatory for the First Time on page 43

Change Existing Mandatory Preferences on page 44

Set Preferences as Mandatory for the First Time

As root user, start gconf-editor. The left part of the window lists the available keys.


7/24/2019 3104_manual.pdf

44/441




Version 144

Figure 2-3 GConf Configuration Editor

Browse the tree to the key you want to set as mandatory and set it to the desired

value. Then select the entry with the right mouse button; in the submenu, select Set as

Mandatory.

If you select on the entry to change it again, an error message tells you that this is not

possible.

Change Existing Mandatory Preferences

As root user, start gconf-editor; then select File > New Mandatory Window. The left

part of the window lists those mandatory settings that have already been set in the/etc/gconf/gconf.xml.mandatory/ repository tree. You can change them asexplained in Change Defaults Using gconf-editor on page 27.

To remove a key from the mandatory preferences, right-click the entry and select

Unset Key.

Values that have not been set to a mandatory value previously do not show up in the

repository tree on the left of this gconf-editor dialog.


7/24/2019 3104_manual.pdf

45/441



45Version 1


Figure 2-4 Key is Not Writable

gconftool-2

You can also use the gconftool-2 command line tool to set preferences to a mandatory

value. (When you use gconftool-2, the gconf-editor can be helpful to browse theconfiguration repository tree to find the correct key and its path.)

Lets assume that the security policy of the company requires the screens of desktops

to be locked after 5 minutes of inactivity. As administrator, it is your task to configure

the workstations accordingly and to make sure this policy is followed by all users.

Using gconf-editor as a normal user, you browse the repository tree and find out that

the keys for this purpose are /apps/gnome-screensaver/lock_enabled and /apps/gnome-screensaver/idle_delay . To set these to mandatoryvalues, log in as root and use the following commands:

killall gconfd-2da10:~ # gconftool-2 --direct --config-source xml:readwrite:/etc/

gconf/gconf.xml.mandatory --set --type bool /apps/gnome-screensaver/lock_enabled trueResolved address "xml:readwrite:/etc/gconf/gconf.xml.mandatory" to awritable configuration source at position 0da10:~ # gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --set --type int /apps/gnome-screensaver/idle_delay 5Resolved address "xml:readwrite:/etc/gconf/gconf.xml.mandatory" to awritable configuration source at position 0

The next time a user logs in and tries to change the respective screensaver settings in

the GNOME Control Center, the user will not be able to change these values.

NOTE:Not all key-value pairs that can be set seem to have the desired effect. For example, settingthe /apps/firefox/general/homepage_urlkey to a certain value does not seem to haveany effect on the default home page of the firefox browser. Other such key-value pairs might not

behave as expected either. Thereforee, you should test your settings to make sure they have the

desired effect and cannot be changed by the user before you rely on your settings.


7/24/2019 3104_manual.pdf

46/441




Version 146

Exercise 2-2 Set Mandatory Values for Preferences

In this exercise, you use the Desktop Profile Editor and gconftool-2 to manage

mandatory preferences.

In task I, you use gconf-editor to disable access to the command line on the GNOME

desktop.

In task II, you use gconftool-2 to undo the setting you made in task I, because you

will need the command line later in this course.

In task III, you undo the settings you made in the previous exercise to allow mounting

CDs/DVDs. Use gconf-editor for this.


(End of Exercise)


7/24/2019 3104_manual.pdf

47/441



47Version 1


Objective 3 Use PolicyKit to Configure Application Policies

Using PolicyKit, you can start applications with user permission and assign them root

permission later. You can allow users to execute system management tasks without

making them root.

To use PolicyKit, you should know the following:

Understand the PolicyKit Architecture on page 47

Use the Authorization Dialog on page 48

Manage Authorizations at the Command Line on page 52

NOTE: The documentation of PolicyKit is available on the freedesktop.org Website(http://

hal.freedesktop.org/docs/PolicyKit).

Understand the PolicyKit Architecture

PolicyKit assumes that a program has two parts:

Mechanism.Runs privileged (with no user interface elements).

Policy Agent.Runs unprivileged.

The two parts of the program are in different processes and communicate through

some IPC mechanism such as pipes or the system message bus (D-Bus). In some

instances the Mechanism can be seen as part of the OS and the policy agent as part of

the desktop stack.

The Mechanism should never trust any application that tries to use it. First the

Mechanism has to evaluate all data and requests passed to it from the application.

An example where this model is used are HAL and NetworkManager:Figure 2-5 HAL and NetworkManager

The entities that a Mechanism cares about can be split into three groups:

Subject. The entity requesting the Action (e.g., an unprivileged application).

http://hal.freedesktop.org/docs/PolicyKithttp://hal.freedesktop.org/docs/PolicyKit

7/24/2019 3104_manual.pdf

48/441




Version 148

Object.Some canonical representation of the object; (e.g., device file, a network

connection, a reference to the power management subsystem).

Action.What the subject is attempting to do to the object (e.g., mounting a block

device, establishing a dial-up connection, putting the system into a suspended

state, changing the time zone, gaining access to a webcam).

The Mechanism identifies the subject, using ConsoleKit, and collects all the relevant

information about the subject. This information includes:

User ID

Process ID

An identifier for the desktop session and whether the session is active (e.g.,

currently showing on a display), whether it's local and if it's remote, the address

of the remote display

Optional OS-specific attributes (such as the SELinux security context)

Second, the Mechanism creates an object that represents the action that the subject

wants to be executed. One example of such an object is

org.freedesktop.hal.storage.mount-removable, what represents the action of

mounting a removable device.

Based on this information request, the authorization database decides whether the

action can be executed, executed after another required authentication, or not

executed.

Use the Authorization Dialog

A graphical tool is available in GNOME to manage your authorizations. You can start

it by selecting More Applications > Tools > Authorizationsor entering polkit-gnome-authorization at a terminal.


7/24/2019 3104_manual.pdf

49/441



49Version 1


Figure 2-6 The Authorization Dialog

In the left frame you see a tree structure where all possible actions are listed and

grouped. The right frame has three parts:

Action.Identifier, Description, and Vendor of the software module are shown

here.

Implicit Authorizations.Shows the authorizations that based for all users that

fulfill certain criteria (they are on a local console, for example). Implicit

Authorizations are stored in /var/lib/PolicyKit-public/ .

Explicit Authorizations.Shows the authorizations that are set for single users.

Explicit Authorizations are stored in /var/lib/PolicyKit/ . (You candefine explicit authorizations only for users that have an account on the system.)

In the Authorizations dialog, you can configure two kinds of authorization:

Implicit Authorization on page 50

Explicit Authorization on page 51


7/24/2019 3104_manual.pdf

50/441




Version 150

Implicit Authorization

PolicyKit recognizes three basic types of users:

Anyone.All users.

Console.All users that are logged in to a console (active and inactive sessions). Active Console.All users that are logged in to an active console (e.g., currently

showing on a display).

NOTE: The ConsoleKit daemon determines whether a session is active or inactive, or local or not.

ConsoleKit is a framework for defining and tracking users, login sessions, and seats. For more

information see the freedesktop.org-wiki (http://www.freedesktop.org/wiki/Software/ConsoleKit).

If you want to change the implicit authorizations, select Editand another dialog

appears.

Figure 2-7 Edit Implicit Authorizations

Each menu has the following options:

No.Access denied.

Admin Authentication (one shot).Access denied, but authentication of the

caller as an administrative user will grant access to only that caller and only once.

The authorization will be revoked.

Admin Authentication.Access denied, but authentication of the caller as an

administrative user will grant access to only that caller.

Admin Authentication (keep session).Access denied, but authentication of the

caller as administrative user will grant access to any caller in the session the

caller belongs to.

Admin Authentication (keep indefinitely).Access denied, but authentication

of the caller as administrative user will grant access to any caller with the given

UID in the future.

http://www.freedesktop.org/wiki/Software/ConsoleKithttp://www.freedesktop.org/wiki/Software/ConsoleKit

7/24/2019 3104_manual.pdf

51/441



51Version 1


Authentication (one shot).Access denied, but authentication of the caller as

himself will grant access to only that caller and only once. The authorization will

be revoked.

Authentication.Access denied, but authentication of the caller as himself will

grant access to only that caller.

Authentication (keep session).Access denied, but authentication of the caller as

himself will grant access to any caller in the session the caller belongs to.

Authentication (keep indefinitely).Access denied, but authentication of the

caller as himself will grant access to any caller with the given UID in the future.

Yes.Access granted.

Explicit Authorization

In this part, you can authorize or prevent the execution of a task by system users. Use

the Grantbutton to specify the users that are allowed to execute the task. Block

allows you to specify the users that are notallowed to execute the task.

The dialog that appears is the same for Grantand Blockso the following shows how

to authorize users.

Figure 2-8 Edit (Grant) Explicit Authorization


7/24/2019 3104_manual.pdf

52/441




Version 152

In the Beneficiary part, you can select a user that will receive the authorization. Select

Show system usersto display system users (like root and bin) in the pull-down

menu.

In the lower part of the dialog, you can determine constraints:

None.

Must be in active session.

Must be on local console.

Must be in active session on local console.

select Grantto activate the authorization.

Once you have created at least one grant or block rule, the Revokebutton becomes

active in the Authorizations dialog (see Figure 2-6 on page 49) and you can remove

the selected rule.

The Show authorizations from all usersoption shows the list of the given explicit

authorizations. If you are running the authentication tool as normal user, you have toauthenticate as root before they are shown.

Manage Authorizations at the Command Line

The configuration of PolicyKit and the defined permissions are included in the /etc/PolicyKit/PolicyKit.conf file. This is an XML file.

NOTE: The man page of PolicyKit.conf can be viewed byman 5 PolicyKit.conf.

You can edit the file directly using a text editor. You can also use some command line

tools to edit PolicyKit.conf. The most important are

polkit-action. Lists and modifies registered PolicyKit actions.

polkit-auth. Manages the authorizations.

polkit-config-file-validate. Validates the PolicyKit.conf file.

polkit-policy-file-validate. Validates a PolicyKit policy file.

set_polkit_default_privs . Installs default settings for privileges that

are granted automatically to locally logged-in users.

polkit-action

polkit-actionis used to list and modify the PolicyKit actions that are registeredon the system. To list the registered PolicyKit action, use polkit-actionwithoutany parameter:

da10:~ # polkit-actionorg.gnome.clockapplet.mechanism.settimezoneorg.gnome.clockapplet.mechanism.settimeorg.gnome.clockapplet.mechanism.configurehwclockorg.freedesktop.hal.lock


7/24/2019 3104_manual.pdf

53/441



53Version 1


org.opensuse.yast.scr.readorg.opensuse.yast.scr.writeorg.opensuse.yast.scr.executeorg.opensuse.yast.scr.dir...

The most important options of polkit-action are

--reset-defaults action. Reset the defaults for the specified action tothe factory defaults. The authorization needed to do this is

org.freedesktop.policykit.modify-defaults.

--show-overrides . Prints all actions by which the defaults are overridden.

--set-defaults-any action value. Override the anystanza for thegiven action with the supplied value. The authorization needed to do this is


--set-defaults-inactive action value. Override the inactivestanza for the given action with the supplied value. The authorization needed to

do this is org.freedesktop.policykit.modify-defaults. --set-defaults-active action value. Override the activestanza

for the given action with the supplied value. The authorization needed to do this

is org.freedesktop.policykit.modify-defaults.

Valid values for valueof the three --set-defaults-*parameter are

no

auth_admin_one_shot

auth_admin

auth_admin_keep_session

auth_admin_keep_always

auth_self_one_shot

auth_self

auth_self_keep_session

auth_self_keep_always

yes

The meaning of these options is described in Implicit Authorization on page 50.

The authorization needed to use the three --set-defaults-* parameter is


polkit-auth

polkit-authis used to inspect, obtain, grant and revoke explicit PolicyKitauthorizations. If invoked without any options, the authorizations of the calling

process will be printed.


7/24/2019 3104_manual.pdf

54/441




Version 154

With the --show-obtainable option, all actions that can be obtained viaauthentication and for which an authorization does not exist are listed.

da10:~ # polkit-auth --show-obtainable

org.gnome.clockapplet.mechanism.settimezoneacorg.gnome.clockapplet.mechanism.settimeorg.gnome.clockapplet.mechanism.configurehwclockorg.freedesktop.hal.lockorg.freedesktop.hal.dockstation.undockorg.gnome.gconf.defaults.set-systemorg.gnome.gconf.defaults.set-mandatory...

To authorize a user to perform an action, use the --user user--grantactionoption. For example (all in one line):

da10:~ # polkit-auth --user geeko --grantorg.gnome.clockapplet.mechanism.settime

To prevent a user from executing an action, use --block action. For example(all in one line):

da10:~ # polkit-auth --user geeko --blockorg.gnome.clockapplet.mechanism.settime

To revoke all authorizations for an action, use --revoke action. For example(all in one line):

da10:~ # polkit-auth --user geeko --revokeorg.gnome.clockapplet.mechanism.settime

Adding --user userto --grant, --block, or --revokemeans that theauthorization is explicit for the specified user. Without --user, the options --grant, --block, and --revokeare valid for all system users.

Another option that allows you to specify a user is --explicitwhich shows allexplicit authorizations.

da10:~ # polkit-auth --user geeko --explicitorg.gnome.clockapplet.mechanism.settime

To get more detailed information, use --explicit-detail option:

da10:~ # polkit-auth --user geeko --explicit-detailorg.gnome.clockapplet.mechanism.settime Authorized: No Scope: Indefinitely

Obtained: Thu Feb 5 10:25:37 2009 from root (uid 0)


7/24/2019 3104_manual.pdf

55/441



55Version 1


You can also add contraints to --grantand --block. Thereforee, add the --constraint constraintsoption. The following values for constraintsare the most important ones:

--constraint local.The caller must be in a session on a local console

attached to the system.

--constraint active.The caller must be in an active session.

Typically the active contraint is used together with a local constraint to ensure that the

caller is only authorized if his session is in the foreground. This is typically used for

fast user switching (multiple sessions on the same console) to prevent inactive

sessions from performing privileged operations like spying (using a webcam or a

sound card) on the current active session.

polkit-config-file-validate

polkit-config-file-validate is used to verify that a given PolicyKit

configuration file is valid. If no path to a config file is given, the default /etc/PolicyKit/PolicyKit.conf file will be verified.

The typical role of this tool is to verify a configuration file before deploying it on one

or more machines.

polkit-policy-file-validate

polkit-policy-file-validate is used to verify that one or more PolicyKit.policyfiles are valid.

Normally this tool is used in the software release process and during software

installation.

set_polkit_default_privs

The set_polkit_default_privs program installs default settings forprivileges that are granted automatically to locally logged-in users by PolicyKit.

The default settings are stored in the following files:

/etc/polkit-default-privs.local

/etc/polkit-default-privs.standard

/etc/polkit-default-privs.restrictive

In the /etc/sysconfig/security file, you can specify whether you want touse the standard or the restrictive default settings. Thereforee, thePOLKIT_DEFAULT_PRIVvariable can be set to standardor restrictive.

The file polkit-default-privs.local is executed in all cases.

Th

3104_manual.pdf

Documents