3104_manual.pdf

Upload: mariosergiosl

Post on 22-Feb-2018


  • 7/24/2019 3104_manual.pdf

    1/441

www.novell.com  Novell Training Services

AUTHORIZED COURSEWARE

SUSE Linux Enterprise Desktop 11 Administration Manual

3104

    Novell, Inc. Copyright 2009-CNI USE ONLY. 1 HARDCOPY ALLOWED-NO OTHER PRINTING OR DISTRIBUTION ALLOW

  • 7/24/2019 3104_manual.pdf

    2/441

    Legal Notices

    Novell, Inc., makes no representations or warranties with respect to the contents

    or use of this documentation, and specifically disclaims any express or implied

    warranties of merchantability or fitness for any particular purpose. Further,

    Novell, Inc., reserves the right to revise this publication and to make changes to

    its content, at any time, without obligation to notify any person or entity of such

    revisions or changes.

    Further, Novell, Inc., makes no representations or warranties with respect to any

    software, and specifically disclaims any express or implied warranties of

    merchantability or fitness for any particular purpose. Further, Novell, Inc.,

reserves the right to make changes to any and all parts of Novell software, at any

    time, without any obligation to notify any person or entity of such changes.

    Any products or technical information provided under this Agreement may be

    subject to U.S. export controls and the trade laws of other countries. You agree to

    comply with all export control regulations and to obtain any required licenses or

    classification to export, re-export or import deliverables. You agree not to export

    or re-export to entities on the current U.S. export exclusion lists or to any

    embargoed or terrorist countries as specified in the U.S. export laws. You agree

    to not use deliverables for prohibited nuclear, missile, or chemical biological

weaponry end uses. See the Novell International Trade Services Web page

(http://www.novell.com/info/exports/) for more information on exporting Novell

    software. Novell assumes no responsibility for your failure to obtain any

    necessary export approvals.

    Copyright 2009 Novell, Inc. All rights reserved. No part of this publication

    may be reproduced, photocopied, stored on a retrieval system, or transmitted

    without the express written consent of the publisher.

    Novell, Inc., has intellectual property rights relating to technology embodied in

    the product that is described in this document. In particular, and without

    limitation, these intellectual property rights may include one or more of the U.S.

patents listed on the Novell Legal Patents Web page

(http://www.novell.com/company/legal/patents/) and one or more additional patents or pending patent

    applications in the U.S. and in other countries.

    Novell, Inc.

    404 Wyman Street, Suite 500

    Waltham, MA 02451

    U.S.A.

    www.novell.com

Online Documentation: To access the latest online documentation for

this and other Novell products, see the Novell Documentation Web

page (http://www.novell.com/documentation).

    Novell Trademarks

For Novell trademarks, see the Novell Trademark and Service Mark list

(http://www.novell.com/company/legal/trademarks/tmlist.html).

    Third-Party Materials

    All third-party trademarks are the property of their respective owners.


    Contents

    Copying all or part of this manual, or distributing such copies, is strictly prohibited.

    To report suspected copying, please call 1-800-PIRATES.

Version 1

    Introduction 9

    Student Kit Deliverables 9

    Course Design 10

    Course Objectives 10

    Course Audience 10

    Certification and Prerequisites 11

    Classroom Agenda 11

    Course Setup 12

    Exercise Guidelines 12

    VMware Virtualization and the Exercises 13

    Exercise Conventions 13

    Workbook 14

    Course Feedback 14

    SECTION 1 Customize the Graphical Interface on SUSE

    Linux Enterprise Desktop 11 15

    Objective 1 Configure X, Xgl, and Compiz 16

    Configure X . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

    Activate Compiz . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

    Exercise 1-1 Activate Compiz . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

    Objective 2 Customize the GNOME User Interface 24

    User-Defined Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

    Default Values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

    Exercise 1-2 Customize the GNOME User Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

    Objective 3 Customize Applications 30

    OpenOffice.org 3.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

    Firefox. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

    Exercise 1-3 Customize Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

    Summary 36

    SECTION 2 Lock Down the SLE Desktop 37

    Objective 1 Control Mounting of CD-ROM, DVD, and USB Devices 38

    Exercise 2-1 Control Mounting of CD-ROM, DVD, and USB Devices. . . . . . . . . . . . . . . . . . . 42

    Objective 2 Define Mandatory Settings with GConf and Desktop Profiles 43

    gconf-editor. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

    gconftool-2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45

    Exercise 2-2 Set Mandatory Values for Preferences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46


    Summary 112

    SECTION 5 Integrate SLED 11 into an Active Directory Environment 113

    Objective 1 Describe How SLED 11 Integrates with Active Directory 114

Benefits of Active Directory Integration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114

How Windows Networking Works. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114

    How SLED 11 Integrates with an Active Directory Domain . . . . . . . . . . . . . . . . 119

    Objective 2 Configure Active Directory Integration 124

    Joining SLED 11 to an Active Directory Domain . . . . . . . . . . . . . . . . . . . . . . . . 124

    Exercise 5-1 Join SLED 11 to an Active Directory Domain. . . . . . . . . . . . . . . . . . . . . . . . . . . 134

    Logging In to an Active Directory Domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134

    Managing Domain Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136

    Exercise 5-2 Log In to the Domain from SLED 11. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138

    Objective 3 Access Shared Domain Resources 139

    Accessing Shared Folders. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139

Accessing Shared Printers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142

Exercise 5-3 Access a Shared Folder. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146

    Summary 147

    SECTION 6 Integrate SLED 11 into a Novell eDirectory Environment 149

    Objective 1 Describe How the Novell Client for Linux Works 150

    The Role and Function of Novell eDirectory . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150

    The Role and Function of the Novell Client for Linux. . . . . . . . . . . . . . . . . . . . . 158

    Objective 2 Install and Configure the Novell Client for Linux on SLED 11 160

    Installing the Novell Client for Linux on SLED 11 . . . . . . . . . . . . . . . . . . . . . . . 160

    Exercise 6-1 Install the Novell Client for Linux . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170

    Configuring the Novell Client on SLED 11 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170

    Objective 3 Authenticate to an OES 2 Server Using the Novell Client for Linux 184

    Authenticating to eDirectory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184

    Mapping Directories to Server Volumes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186

    Logging Out . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191

    Troubleshooting SLP Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192

    Using Novell Client for Linux Shell Commands . . . . . . . . . . . . . . . . . . . . . . . . . 196

    Exercise 6-2 Configure the Novell Client for Linux . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198

    Configuring Integrated Login . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198

    Exercise 6-3 Configuring Integrated Login. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203

    Objective 4 Use Novell iPrint on SLED 11 204

How iPrint Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204

Installing and Configuring the iPrint Client on Linux Workstations . . . . . . . . . . 209

    Installing iPrint Printers and Sending Print Jobs . . . . . . . . . . . . . . . . . . . . . . . . . 210

    Exercise 6-4 Install and Configure the iPrint Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213


    SUSE Linux Enterprise Desktop 11 Administration / Manual


    Objective 5 Use iFolder on SLED 11 214

    How iFolder Works. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214

    Installing the iFolder Client. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216

    Configuring Your iFolder Account. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217

    Creating iFolders . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224

    Summary 229

    SECTION 7 Integrate SUSE Linux Enterprise Desktop 11 into a UNIX

Environment 233

    Objective 1 Accessing NFS File Shares 234

    Network File System Basics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234

    NFS Internals. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235

    Configure NFS Client Access with YaST. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235

    Mount Home Directories Manually . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237

    Mount Home Directories Automatically. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239

    Exercise 7-1 Import Network File System (NFS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241

    Objective 2 Authentication to LDAP 242

    LDAP Basics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242

    YaST LDAP Client Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245

    OpenLDAP and Automounter. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247

    Exercise 7-2 Integrate a SLED 11 into an LDAP Environment. . . . . . . . . . . . . . . . . . . . . . . . . 249

    Objective 3 Printing to CUPS Printers 250

    Configure CUPS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250

    Exercise 7-3 Change Your Printer Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268

    Manage Print Jobs and Queues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268

    Understand How CUPS Works. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275

    Exercise 7-4 Manage Printers from the Command Line . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281

    Summary 282

    SECTION 8 Access Remote Desktops Using Nomad 285

    Objective 1 Describe How Nomad Works 286

    How RDP Works. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286

    How Nomad Works. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287

    Objective 2 Install and Configure Nomad 291

    Configure the Nomad Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291

    Configure the Nomad Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295

    Exercise 8-1 Install and Configure Nomad . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299

Objective 3 Access Desktops Remotely with Nomad 300

Accessing Remote Desktops with rdesktop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300

    Accessing Remote Desktops with tsclient . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302

    Exercise 8-2 Access Remote Desktop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 306


    Objective 4 Troubleshoot Common Nomad Problems 307

    Verifying that xrdp is Running on the Sender . . . . . . . . . . . . . . . . . . . . . . . . . . . 307

    Verifying that Port 3389 is Open . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307

    Summary 308

    SECTION 9 Use Multimedia on the SUSE Linux Enterprise Desktop 11 309

    Objective 1 Use Banshee 310

    Import Music. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311

    Play Your Music . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313

Rip Your Music . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314

    Listen to Internet Radio . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315

    Listen to Podcasts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316

    Exercise 9-1 Use Banshee . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318

    Objective 2 Use Moonlight 319

    Exercise 9-2 Use Moonlight . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321

    Summary 322

    SECTION 10 Configure Email 323

    Objective 1 Configure the Evolution Email Client on SLED 11 324

    The Role and Function of Evolution. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324

    Configuring Evolution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324

    Using Evolution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337

    Exercise 10-1 Integrate Evolution with Microsoft Exchange . . . . . . . . . . . . . . . . . . . . . . . . . . . 353

    Objective 2 Configure the GroupWise Client on SLED 11 354

    Installing Novell GroupWise Client for Linux. . . . . . . . . . . . . . . . . . . . . . . . . . . 354

    Using the GroupWise Client. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358

    Exercise 10-2 Install and Configure the GroupWise Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . 372

    Summary 373

    SECTION 11 Create Shell Scripts 375

    Objective 1 Understand Bash Basics 376

    Bash Command Line . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 376

    Bash Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 378

    Return Values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 379

    Objective 2 Use Basic Script Elements 381

    Elements of a Shell Script. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 381

A Simple Backup Script . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 382

Debug Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 384

    Exercise 11-1 Create a Simple Shell Script. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 385

    Objective 3 Understand Variables and Command Substitution 386

    Exercise 11-2 Use Variables and Command Substitution. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 389


    Objective 4 Use Control Structures 390

    Create Branches. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 390

    Exercise 11-3 Use an if Control Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 394

    Create Loops . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 394

    Exercise 11-4 Use a while Loop. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398

    Objective 5 Use Arithmetic Operators 399

    Exercise 11-5 Use Arithmetic Operators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 401

    Objective 6 Read User Input 402

    Exercise 11-6 Read User Input. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 404

    Objective 7 Use Arrays 405

    Exercise 11-7 Use Arrays. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 407

    Objective 8 Finalize the Course Project 408

    Exercise 11-8 Use rsync to Keep Versions of Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 410

    Objective 9 Use Advanced Scripting Techniques 411

Use Shell Functions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411

Read Options with getopts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412

    Exercise 11-9 Use Shell Functions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414

    Objective 10 Learn about Useful Commands in Shell Scripts 415

    Use the cat Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 415

    Use the cut Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 415

    Use the date Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416

    Use the grep and egrep Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416

    Use the sed Command. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 417

    Use the test Command. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 419

    Use the tr Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 421

    Summary 423

    SECTION 12 Deploy SUSE Linux Enterprise Desktop 11 427

    Objective 1 Understand Autoinstallation Basics 428

    Installation Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 428

    Deployment Strategies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 429

    AutoYaST Basics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 431

    Objective 2 Create a Configuration File for AutoYaST 432

    Exercise 12-1 Create an AutoYaST Control File. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 436

    Objective 3 Use an Installation Server 437

    Objective 4 Perform an Automated Installation 438

    Provide the Control File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 438

    Boot and Install the System. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 438

    Exercise 12-2 Perform an Automated Installation of SUSE Linux Enterprise Desktop . . . . . . . 440

    Summary 441


    Introduction

    SUSE Linux Enterprise Desktop 11 Administration (Course 3104) focuses on the

routine system administration of SUSE Linux Enterprise Desktop 11 (SLED 11).

    This course covers basic Linux skills as well as common tasks a system administrator

    of SLED 11 has to perform, such as configuring the desktop environment, printing,

    integrating the product into existing environments, and rolling out a large number of

    installations.

    Before starting the course, review the following:

    Student Kit Deliverables on page 9

    Course Design on page 10

    Exercise Guidelines on page 12

    Course Feedback on page 14

    Student Kit Deliverables

    The contents of your student kit include the following:

    SUSE Linux Enterprise Desktop 11 Administration Manual

    SUSE Linux Enterprise Desktop 11 Administration Workbook

    SUSE Linux Enterprise Desktop 11 Administration Course DVD (2 DVDs)

    SUSE Linux Enterprise Desktop 11 SP1 Product DVD

    SUSE Linux Enterprise Server 11 Product DVD

The SUSE Linux Enterprise Desktop 11 Administration Course DVDs contain an image of a SUSE Linux Enterprise Desktop 11 installation and other images (a SUSE Linux Enterprise Server 11 installation, an Open Enterprise Server installation, and an empty VMware machine in which you can install Windows 2008 Server) that you can use to perform the exercises in the SUSE Linux Enterprise Desktop 11 Administration Workbook.

The exercises in the Workbook help you to practice the skills tested in the Novell Certified Linux Desktop Professional 11 (CLDP 11) exam (050-722).

    NOTE: Instructions for setting up a self-study environment are in the setup directory on the Course

    DVD.


    Course Design

    The following provides information about the design of the course to help you

    evaluate whether or not this course provides the type of SLED 11 training you need

    (in a classroom environment or for self-study):

    Course Objectives on page 10

    Course Audience on page 10

    Certification and Prerequisites on page 11

    Classroom Agenda on page 11

    Course Setup on page 12

    Course Objectives

    This course teaches SUSE Linux Enterprise Desktop 11 theory as well as practical

    application with hands-on labs of the following SUSE Linux Enterprise Desktop 11

Administration topics:

1. Customize the Graphical Interface on SUSE Linux Enterprise Desktop 11

    2. Lock Down the SLE Desktop

    3. Use the NetworkManager to Configure the Network

    4. Activate and Use IPv6

    5. Integrate SLED 11 into an Active Directory Environment

    6. Integrate SLED 11 into a Novell eDirectory Environment

    7. Integrate SUSE Linux Enterprise Desktop 11 into a UNIX Environment

    8. Access Remote Desktops Using Nomad

    9. Use Multimedia on the SLE Desktop

    10. Configure Email

    11. Create Shell Scripts

    12. Deploy SUSE Linux Enterprise Desktop 11

    These are tasks a SUSE Linux Desktop administrator in an enterprise environment

    routinely has to deal with.

    Course Audience

This course is addressed to administrators who are CLA 11-certified (or who

have comparable Linux administration knowledge) and who now want to gain in-

depth knowledge of the tasks a Linux administrator has to perform routinely on

SLED 11.


    Certification and Prerequisites

    This course helps you prepare for the following Novell Certified Linux Desktop

    Professional 11 (Novell CLDP 11) exams:

    CLDP 11 - Professional level (050-722)

    As with all Novell certifications, course work is recommended. To achieve the Novell

    CLDP 11 certification, you are required to pass the Novell CLDP 11 exam.

    The following illustrates the training and testing path for Novell CLDP11:

    Figure Intro-1 CLDP 11 Certification Path

    NOTE: For more information about Novell certification programs and certification exams, see

Novell's certification website (http://www.novell.com/training/certinfo/).

    Classroom Agenda

    This course is designed to be taught as a 5-day course with the following basic

    agenda:

Table Intro-1 Course Agenda

Day    Module                                                              Duration (hh:mm)

Day 1  Introduction                                                        00:30

       Customize the Graphical Interface on SUSE Linux Enterprise Desktop 11  02:30

       Lock Down the SLE Desktop                                           03:00


    Course Setup

The setup in this course is based on a SLED 11 host called DA-HOST. DA-HOST runs a virtual server with four virtual machines:

DA1. A SUSE Linux Enterprise Server 11. This virtual machine provides services you need for the exercises (like DNS).

DA-SLED. A SLED 11 workstation. This virtual machine is used to test and use services during various exercises.

DA-OES. A Novell Open Enterprise Server 2 server. It hosts the services covered in this course.

DA-WIN. A Microsoft Windows Server 2008. This virtual machine provides Active Directory and an Exchange server.

    Exercise Guidelines

The following information provides guidelines to help you make the most of the exercises provided in this course:

    VMware Virtualization and the Exercises on page 13

    Exercise Conventions on page 13

    Workbook on page 14

Table Intro-1 Course Agenda (continued)

Day    Module                                                              Duration (hh:mm)

Day 2  Use the NetworkManager to Configure the Network                     04:30

       Activate and Use IPv6                                               02:00

Day 3  Integrate SLED 11 into an Active Directory Environment              03:00

       Integrate SLED 11 into a Novell eDirectory Environment              03:30

Day 4  Integrate SUSE Linux Enterprise Desktop 11 into a UNIX Environment  03:00

       Access Remote Desktops                                              02:00

       Use Multimedia on the SLE Desktop                                   00:30

       Configure Email                                                     01:00

Day 5  Create Shell Scripts                                                05:30

       Deploy SUSE Linux Enterprise Desktop 11                             01:00


    VMware Virtualization and the Exercises

VMware virtualization technology allows you to create and run multiple virtual

computers on one physical computer. The physical computer must be running the

VMware player software to act as the virtual machine server (or host).

    The VMware virtual machines used in this course are:

DA1. A SUSE Linux Enterprise Server 11. This virtual machine provides services (like DNS) you need for the exercises.

DA-SLED. A SUSE Linux Enterprise Desktop 11 workstation. This virtual machine is used to test and use services during various exercises.

DA-OES-A. A Novell Open Enterprise Server 2 server. It hosts the services covered in this course.

DA-WIN. A Microsoft Windows Server 2008. This virtual machine provides Active Directory and an Exchange server.

    Exercise Conventions

    The exercises use conventions that indicate information you need to enter that is

    specific to your server.

    The following describes the most common conventions:

italicized/bolded text. This represents a variable value, such as the host name of

    your server.

    For example, if the host name of your server is DA3 and you see the following:

    hostname.da.com

    you would enter

    DA3.da.com

    172.17.8.xor DAx.This is the IP address or host name that is assigned to a

    server.

    For example, if your IP address is 172.17.12.101 and you see the following:

    172.17.12.x

    you would enter

    172.17.12.101

    Select.The word selectis used in exercise steps to indicate a variety of actions

    including clicking a button on the interface and selecting a menu item.

    Enter and Type.The words enterand typehave distinct meanings.

    The word enter means to type text in a field or type text at a command line

    prompt and press the Enter key. The word type means to type text without

    pressing the Enter key.

    If you are directed to type a value, make sure you do not press the Enter key or

    you might activate a process that you are not ready to start.


    SECTION 1  Customize the Graphical Interface on SUSE Linux Enterprise Desktop 11

    In this section, you learn how to configure the graphical environment of your SUSE Linux Enterprise Desktop 11 (SLED 11). This includes the X configuration as well as the configuration of the GNOME environment.

    Section Objectives

    In this section, you learn how to do the following:

    1. Configure X, Xgl, and Compiz on page 16
    2. Customize the GNOME User Interface on page 24
    3. Customize Applications on page 30


    SUSE Linux Enterprise Desktop 11 Administration / Manual


    Objective 1  Configure X, Xgl, and Compiz

    Provided the computer is equipped with suitable graphics hardware (a supported graphics adapter with good 3D performance), SUSE Linux Enterprise Desktop 11 provides an entirely new Linux desktop experience through its use of 3D effects made possible by Xgl and Compiz.

    Figure 1-1 Switching to Another Virtual Desktop

    Xgl is a new X server architecture layered on top of OpenGL. Xgl can perform intricate graphical operations noticeably faster than other available X servers that do not use OpenGL.

    More important than speed alone, Xgl accelerates complex composite operations, making possible stunning new visual effects on OpenGL-enhanced composition/window managers like Compiz, the compositor utility that was developed in conjunction with Xgl.

    Compiz is a combination of a window manager and a composite manager using OpenGL for rendering. A window manager allows the manipulation of the multiple application and dialog windows that are presented on the screen. A composite manager allows windows and other graphics to be combined to create composite images, such as those used to create transparency effects. Compiz achieves its stunning effects by performing both of these functions.

    When you activate Compiz, it replaces the window manager of your desktop environment (Metacity in GNOME and kwin in KDE).


    First, SaX2 checks the hardware; then the following dialog appears:

    Figure 1-3 SaX2 Proposes Screen Settings

    If you are satisfied with the configuration, select OK.

    If you need to change the configuration, select Change Configuration. Except for the window title, the dialog that opens is the same as that of the YaST Graphics Card and Monitor module:


    Figure 1-4 SaX2's X11 Configuration Dialog

    In the Monitor section, you can change different aspects of the X configuration that concern the graphics card and monitor (such as graphics card details, monitor type, screen resolution, and number of colors displayed).

    Selecting one of the categories on the left opens different dialogs that allow you to change the respective settings. When you are done with the configuration, select OK. In the next dialog, you can choose to test the configuration, to save it, or to cancel the changes.

    Figure 1-5 Test the Graphics Configuration


    We recommend testing the configuration before saving it. A dialog to adjust the size and position of the screen appears.

    Figure 1-6 Adjust the Screen

    Normally it is not necessary to change anything here.

    Save your settings and exit SaX2.

    Activate Compiz

    The packages needed to activate Compiz are part of the GNOME pattern used during a default installation. These include the following:

    compiz
    xgl
    xgl-hardware-list
    gnome-session
    libwnck

    Once 3D acceleration has been activated, log in to GNOME as a normal user and activate Compiz.

    Select the Computer icon in the lower left corner of the desktop, open the Control Center, and start the Desktop Effects control panel in the Look and Feel section.


    Figure 1-7 Enable Desktop Effects

    Mark Enable desktop effects to activate Compiz.

    The following table lists the more frequently used controls:

    Key Combination            Effect
    Ctrl+Alt+Left              Rotate cube to the left.
    Ctrl+Alt+Shift+Left        Rotate cube to the left, with active window.
    Ctrl+Alt+Right             Rotate cube to the right.
    Ctrl+Alt+Shift+Right       Rotate cube to the right, with active window.
    Ctrl+Alt+Mouse Button 1    Rotate cube using the mouse.
    Ctrl+Alt+Down              Unfold the cube; then use the left and right arrow keys to move.


    NOTE: More information on Xgl can be found at the OpenSUSE website (http://en.opensuse.org/Xgl). More information on Compiz can be found at the OpenSUSE website (http://en.opensuse.org/Compiz).


    Exercise 1-1 Activate Compiz

    In this exercise, you configure Compiz, provided the hardware supports it.

    In the first part, using YaST, verify that 3D support is enabled for your graphics adapter. If 3D support is enabled, activate Compiz for the GNOME desktop in the second part.

    You will find this exercise in the workbook.

    (End of Exercise)


    Objective 2  Customize the GNOME User Interface

    You can customize the GNOME user interface in various ways: for example, you can add or remove icons, change the background image, or add items to the panel. The administrator can set system-wide defaults. Users can configure their own desktops.

    The system used for storing application preferences in GNOME is GConf. GConf provides a preferences database, similar to a simple file system.

    Keys are organized into a directory hierarchy. Each key is either a directory containing more keys, or it has a value which is contained in the %gconf.xml file in a key directory.

    This directory structure is below /etc/gconf/ for system-wide entries, while user-specific settings are contained in subdirectories of ~/.gconf/.

    The %gconf.xml file can contain many key-value pairs. For example, in ~geeko/.gconf/apps/nautilus/preferences/%gconf.xml:

        800x550+400+38

    NOTE: This file is only available if you have started Nautilus at least once before.

    A per-user daemon, gconfd-2, controls these settings. It reads the current settings from various sources when a user logs in, notes any changes the user makes to the settings, and informs the affected applications. In this way, changed settings take effect immediately. Changes are written to the file system at regular intervals.

    NOTE: A more detailed description of the GConf repository structure is contained in the GNOME Desktop System Administration Guide (http://library.gnome.org/admin/system-admin-guide/stable/).

    To understand how the user environment is configured, you need to know the following:

    User-Defined Settings on page 24
    Default Values on page 26

    User-Defined Settings

    When a user defines the settings for his or her workstation, using the preference dialogs of GNOME applications or the gconf-editor tool, the settings are written to a %gconf.xml file in a directory beneath ~/.gconf.

    To see how a user-defined setting is stored, suppose a user decided to change the default double-click used to launch applications to a single click.


    To change this default behavior, start Nautilus by double-clicking the folder icon representing the home directory. Select Edit > Preferences > Behavior > Single Click to Activate Items. This change takes effect immediately.

    The setting is stored in ~/.gconf/apps/nautilus/preferences/%gconf.xml:

        <entry name="click_policy" type="string">
          <stringvalue>single</stringvalue>
        </entry>
        ...

    The same effect can be achieved with gconf-editor. Open a terminal window, type gconf-editor, and press Enter. The various options available are displayed in a tree-like structure:

    Figure 1-8 The gconf-editor

    To change the value of a key, double-click the key in the right part of the window and change its value in the dialog that appears.


    Depending on the application, gconf-editor might offer more settings than the preference dialog of the respective application itself.

    You can also use the gconftool-2 command line tool to change the GConf settings. To change the default click policy to single, enter the following on the command line:

        geeko@da10:~> gconftool-2 --set --type string /apps/nautilus/preferences/click_policy single

    The /apps/nautilus/preferences/click_policy key corresponds to the tree structure in gconf-editor. The --set and --type string options indicate that this key will take the new string value single. The type depends on the key and is defined in the schema file for that key. Schemas are covered in Default Values on page 26.

    You can also use gconftool-2 to view the current value of a key:

        geeko@da10:~> gconftool-2 --get /apps/nautilus/preferences/click_policy
        single
        geeko@da10:~>

    Default Values

    Default values are used for any preferences that are not set specifically by the user. When looking for the value of a variable, GConf scans a couple of files in /etc/gconf before looking in the user's configuration file. The names of the files and the order can be seen in the /etc/gconf/2/path file.

    The sequence of the configuration sources in the path file ensures that mandatory preference settings override user preference settings. The sequence also ensures that user preference settings override default preference settings. That is, GConf applies preferences in the following order of priority:

    1. Mandatory preferences
    2. User-specified preferences
    3. Default preferences

    GConf also uses schema files, which are contained in /etc/gconf/schemas/. Schemas list the possible preferences for applications or desktop settings. For the GNOME desktop background, the respective file is called desktop_gnome_background.schemas:

        <schema>
          <key>/schemas/desktop/gnome/sound/default_mixer_device</key>
          <applyto>/desktop/gnome/sound/default_mixer_device</applyto>
          <owner>gnome</owner>
          <type>string</type>
          <locale name="C">
            <short>Default mixer device</short>
            <long>The default mixer device used by the multimedia keybindings.</long>
          </locale>
        </schema>
        ...

    This file contains keys, their type (integer, boolean, string, float, or list), default value, and descriptions in several languages.

    You can change the system-wide default values using either gconf-editor or gconftool-2.

    Change Defaults Using gconf-editor

    To use gconf-editor for this purpose, make sure you are logged in as root when you start it. You can right-click a key and select Set as Default or Set as Mandatory from the pop-up menu.

    Figure 1-9 Set as Default or as Mandatory

    To see all default settings, select File > New Defaults Window. To see all mandatory settings, select File > New Mandatory Window. A new window opens and lets you change settings as explained in User-Defined Settings on page 24.

    To remove a key from the default or mandatory configuration, right-click the key and select Unset Key in the New Mandatory Window.


    Change Defaults Using gconftool-2

    To change system-wide defaults with gconftool-2, you must be logged in as root. You must specify the repository you want to change. Otherwise, by default, changes apply to the ~/.gconf/ directory in the user's home directory. They will not apply to the directories beneath /etc/gconf/gconf.xml.defaults. You also have to make sure gconfd-2 is not running.

    The command to change the default for the background image file looks similar to the following example (the gconftool-2 command line needs to be entered in one line):

        da10:/etc/gconf # killall gconfd-2
        da10:/etc/gconf # gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.defaults --set --type string /desktop/gnome/background/picture_filename /usr/share/wallpapers/SpringFlowers.jpg

    In the example, --direct indicates that the configuration repository is altered directly without using gconfd-2, and --config-source specifies the source to change.

    The command changes the /etc/gconf/gconf.xml.defaults/desktop/gnome/background/%gconf.xml file, which now lists the new default value:

        <entry name="picture_filename" type="string">
          <stringvalue>/usr/share/wallpapers/SpringFlowers.jpg</stringvalue>
        </entry>

    Users who do not have an entry in their ~/.gconf/ directory trees defining a different background image will see the new background image the next time they log in. They are still able to change their own background images.

    Setting preferences that cannot be changed by the user is covered in Configure X, Xgl, and Compiz on page 16.
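As an added example (not code from the course or from the GConf project), the following Python script models the lookup order described above: it parses the %gconf.xml entry format, walks the sources in the order a path file lists them, and returns the first match, so a mandatory entry beats the user's ~/.gconf entry, which beats gconf.xml.defaults. The path file text, the home directory and every %gconf.xml file are constructed in a temporary directory; the include of ~/.gconf.path is not modelled.

```python
"""Model GConf's key lookup in /etc/gconf/2/path order.

Added example, not code from the Novell course or the GConf project. It parses
the %gconf.xml entry format and walks the sources in the order the path file
lists them, so the first source defining a key wins (mandatory, then the
user's ~/.gconf, then gconf.xml.defaults). All files are constructed samples.
"""
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path


def parse_gconf_xml(xml_file):
    """Return {entry name: (type, value)} for one %gconf.xml file."""
    entries = {}
    for entry in ET.parse(xml_file).getroot().findall("entry"):
        typ = entry.get("type")
        if typ == "string":  # strings live in a <stringvalue> child element
            node = entry.find("stringvalue")
            value = node.text if node is not None else ""
        else:  # int, bool and float values sit in the "value" attribute
            value = entry.get("value")
        entries[entry.get("name")] = (typ, value)
    return entries


def parse_path_file(text, home):
    """Return the xml source directories of a GConf path file, in order."""
    dirs = []
    for line in text.splitlines():
        line = line.strip()
        # Comments and 'include "$(HOME)/.gconf.path"' lines are not modelled.
        if not line or line.startswith("#") or line.startswith("include"):
            continue
        backend, _mode, directory = line.split(":", 2)  # xml:readonly:/etc/gconf/...
        if backend == "xml":
            dirs.append(Path(directory.replace("$(HOME)", home)))
    return dirs


def lookup_in_source(source_dir, key):
    """Find one key (e.g. /apps/nautilus/preferences/click_policy) in a source."""
    key_dir, _, name = key.rpartition("/")
    xml_file = source_dir / key_dir.lstrip("/") / "%gconf.xml"
    if not xml_file.is_file():
        return None
    return parse_gconf_xml(xml_file).get(name)


def resolve(path_text, home, key):
    """Return (value, source directory) from the first source defining key."""
    for source_dir in parse_path_file(path_text, home):
        hit = lookup_in_source(source_dir, key)
        if hit is not None:
            return hit[1], str(source_dir)
    return None, None


def write_string_entry(source_dir, key, value):
    """Append a string <entry> to <source_dir>/<key dir>/%gconf.xml."""
    key_dir, _, name = key.rpartition("/")
    target = Path(source_dir) / key_dir.lstrip("/")
    target.mkdir(parents=True, exist_ok=True)
    xml_file = target / "%gconf.xml"
    root = ET.parse(xml_file).getroot() if xml_file.is_file() else ET.Element("gconf")
    entry = ET.SubElement(root, "entry", name=name, type="string")
    ET.SubElement(entry, "stringvalue").text = value
    ET.ElementTree(root).write(xml_file, encoding="utf-8", xml_declaration=True)


def build_sample(root):
    """Create a constructed /etc/gconf-style tree; return (path file text, home)."""
    root = Path(root)
    mandatory = root / "etc/gconf/gconf.xml.mandatory"
    defaults = root / "etc/gconf/gconf.xml.defaults"
    home = root / "home/geeko"
    click = "/apps/nautilus/preferences/click_policy"
    picture = "/desktop/gnome/background/picture_filename"
    write_string_entry(defaults, click, "double")         # site default
    write_string_entry(home / ".gconf", click, "single")  # geeko's own choice
    write_string_entry(defaults, picture, "/usr/share/wallpapers/SpringFlowers.jpg")
    write_string_entry(home / ".gconf", picture, "/home/geeko/my-cat.jpg")  # constructed
    # The admin made the wallpaper mandatory, so geeko's own choice is ignored.
    write_string_entry(mandatory, picture, "/usr/share/wallpapers/corporate.jpg")  # constructed
    path_text = (f"xml:readonly:{mandatory}\n"
                 'include "$(HOME)/.gconf.path"\n'
                 "xml:readwrite:$(HOME)/.gconf\n"
                 f"xml:readonly:{defaults}\n")
    return path_text, str(home)


def demo():
    """Resolve the two keys used in this objective plus an undefined one."""
    with tempfile.TemporaryDirectory() as tmp:
        path_text, home = build_sample(tmp)
        click, _ = resolve(path_text, home, "/apps/nautilus/preferences/click_policy")
        picture, src = resolve(path_text, home, "/desktop/gnome/background/picture_filename")
        missing, _ = resolve(path_text, home, "/apps/nautilus/preferences/no_such_key")
        return click, picture, src.endswith("gconf.xml.mandatory"), missing
```

Calling demo() returns ('single', '/usr/share/wallpapers/corporate.jpg', True, None): the user's click policy survives, the mandatory wallpaper wins over both the user's and the default entry, and an undefined key resolves to None.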


    Figure 1-11 Configure the Paths Used by OpenOffice.org

    To add or delete template directories, select Edit and make the changes in the dialog that appears.

    Figure 1-12 Edit the Path of Your Templates

    You can copy a sample .ooo3 directory with company-specific OpenOffice.org settings to /etc/skel/ to make all configuration settings and templates in that directory available to new users.

    NOTE: A helpful resource for OpenOffice.org is the OpenOffice.org Forum (http://www.oooforum.org/).

    Firefox

    Firefox can be configured extensively via Edit > Preferences. Several tabs cover various aspects of the configuration.


    Figure 1-13 Firefox Preferences

    You can access the preferences listed above, as well as additional preferences, at about:config. After the warning dialog, you can select an entry with a double-click to open a dialog to change the value of the respective parameter:


    Figure 1-14 List of the Firefox Preferences

    Changed values are stored in the home directory of the user in ~/.mozilla/firefox/xxxxxxxx.default/prefs.js. To make them available for all users, copy the file to /usr/lib/firefox/defaults/profile/prefs.js. Users can still make their own changes and override the values in the system-wide file.


    Exercise 1-3 Customize Applications

    In this exercise, you create an OpenOffice.org template.

    In the first task, create a letterhead. In the second task, create a new letter using the letterhead you created in the first task.

    You will find this exercise in the workbook.

    (End of Exercise)


    Summary

    The following is a summary of what you learned in the course objectives.

    Objective: Configure X, Xgl, and Compiz
    What You Learned: The installation is controlled by an XML file. SUSE Linux Enterprise Desktop 11 supports Xgl and Compiz, providing a new desktop experience on Linux.

    Objective: Customize the GNOME User Interface
    What You Learned: The user preferences for GNOME settings are stored as keys in the GConf repository, system-wide in /etc/opt/gnome/gconf/, or in the user's home directory in ~/.gconf/. To change settings within GNOME applications, use
    - the graphical tool gconf-editor
    - the command line tool gconftool-2

    Objective: Customize Applications
    What You Learned: Applications store their configuration settings, usually in hidden directories or files (starting with a .) in the home directory of the user who sets them. In some cases, it is useful for the desktop administrator to distribute sample configurations, e.g., for OpenOffice.org or Firefox.


    SECTION 2  Lock Down the SLE Desktop

    If the user only sees what he is allowed to access, system security is increased. In this section, different methods of locking down SUSE Linux Enterprise Desktop 11 (SLED 11) are described.

    Encrypted file systems can also improve security.

    Section Objectives

    In this section, you learn how to do the following:

    1. Control Mounting of CD-ROM, DVD, and USB Devices on page 38
    2. Define Mandatory Settings with GConf and Desktop Profiles on page 43
    3. Use PolicyKit to Configure Application Policies on page 47
    4. Use File System Encryption on page 58


    Objective 1  Control Mounting of CD-ROM, DVD, and USB Devices

    By default, removable media like CD-ROMs, DVDs, and USB storage devices are automatically mounted. The program providing this functionality is the HAL daemon. Three GNOME tools use HAL and read settings from GConf:

    gnome-mount
    gnome-umount (same as gnome-mount --umount)
    gnome-eject (same as gnome-mount --eject)

    Depending on company policy or the use of the workstation, you might have to prevent users from reading from or writing to removable media or mounting removable devices such as USB drives or sticks.

    There are various ways to configure this. Which one you choose depends mainly on how difficult you want to make it for any user who tries to circumvent the restrictions you impose.

    Using GConf and /etc/fstab

    Use gconftool-2 or gconf-editor to set the media_automount key in /apps/nautilus/preferences in the mandatory GConf repository to false.

    While this prevents automatic mounting, the user can still mount the drive by selecting the desktop icon that appears when a CD-ROM is inserted.

    You can add an entry in /etc/fstab (like the following) to prevent mounting of CD-ROMs or DVDs by unprivileged users (assuming that /dev/dvd represents the CD-ROM/DVD drive):

        /dev/dvd /media/dvd auto noauto,defaults 0 0

    Now an error message will appear when a user inserts a CD-ROM.

    Figure 2-1 Users Are Not Able To Mount a CD/DVD

    NOTE: You will learn more about GConf in Configure X, Xgl, and Compiz on page 16.

    Using kernel modules

    The usb_storage kernel module is needed to read from USB storage devices. You can prevent the module from being loaded by adding the following line to /etc/modprobe.conf.local:


        install usb_storage /usr/bin/true

    You can use other programs instead of /usr/bin/true as well. The following example (in one line in /etc/modprobe.conf.local) will cause an email notice to be sent when someone inserts such a device:

        install usb_storage /usr/bin/mail -s "USB-Stick inserted on $HOSTNAME" [email protected]

    NOTE: You could disable USB completely by adding similar lines for usbcore and other USB modules (use lsmod to find which ones). But this might not be practical because that would disable a USB keyboard and mouse as well.

    You could rename or remove the USB kernel modules. However, the next kernel update would bring them back and enable USB storage again.

    Configure udev rules

    In the past, the /dev/ directory contained a device file for hundreds of devices, even if the hardware was not present. With udev this has changed; device files are created only for devices that are actually present.

    The command udevadm monitor can be used to monitor the udev system messages. When you plug in a USB stick, messages similar to the following should appear:

        UDEV [1243464970.656655] add /devices/pci0000:000000:00:1d.2/usb7/7-2/7-2:1.0/host6/target6:0:0/6:0:0:0/block/sdb (block)
        UDEV [1243464971.499426] add /devices/pci0000:000000:00:1d.2/usb7/7-2/7-2:1.0/host6/target6:0:0/6:0:0:0/block/sdb/sdb1 (block)

    Block devices are created: in this example, one for the new device (sdb) and one for the partition (sdb1).

    When removing the USB stick, the block devices should be removed as in the following:

        UDEV [1243465458.031639] remove /devices/pci0000:000000:00:1d.2/usb7/7-2/7-2:1.0/host6/target6:0:0/6:0:0:0/block/sdb/sdb1 (block)
        ...
        UDEV [1243465458.035093] remove /devices/pci0000:000000:00:1d.2/usb7/7-2/7-2:1.0/host6/target6:0:0/6:0:0:0/block/sdb (block)

    udev is very flexible and can be configured by writing rules to *.rules files in the /etc/udev/rules.d/ directory.

    NOTE: You can find more udev rules in /lib/udev/rules.d/.

    You can create your own rules in /etc/udev/rules.d/. To ensure that your rules are used, the filename should start with a smaller number than the other files in the directory (e.g., 10-local.rules).

    A rule to disable devices that require the usb_storage module could look like the following:


        # Disable USB storage
        DRIVER=="usb-storage", OPTIONS+="ignore_device last_rule"

    The ignore_device option will ensure that no action is taken and, therefore, no device file is created to access the device. The last_rule option prevents later rules from changing this rule.

    Much more fine-grained control than shown above is possible. You could, for instance, write rules allowing a specific USB device based on its serial number, and ignoring other devices.

    NOTE: The manual page for udev and the udev HOWTO (http://www.reactivated.net/writing_udev_rules.html) provide more information on how to write udev rules.

    Using PolicyKit

    PolicyKit is an application-level toolkit for defining and handling the policy that allows unprivileged processes to speak to privileged processes: it is a framework for centralizing the decision-making process with respect to granting access to privileged operations for unprivileged applications.

    PolicyKit is covered in detail in Use PolicyKit to Configure Application Policies on page 47.

    To prevent users from mounting removable media (like DVDs or USB sticks), you have to add the following line to your local rules in the /etc/polkit-default-privs.local file:

        org.freedesktop.hal.storage.mount-removable auth_admin_keep_always

    The new settings are activated by the set_polkit_default_privs command:

        da10:~ # set_polkit_default_privs
        setting org.freedesktop.hal.storage.mount-removable to auth_admin_keep_always:auth_admin_keep_always:auth_admin_keep_always (wrong setting auth_admin_keep_always:auth_admin_keep_always:yes)

    When the user inserts a DVD or USB stick, an authentication dialog appears:


    Figure 2-2 Authentication Is Needed to Mount Removable Media

    Remove the hardware

    Physically remove CD-ROM and DVD drives as well as USB ports. This also prevents the computer from being booted from bootable CDs.
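As an added example (not code from the course), the following Python audit checks the text of the three configuration files used in this objective for the lockdown settings it introduces: the install override for usb_storage in /etc/modprobe.conf.local, the udev rule that ignores the usb-storage driver, and the PolicyKit privilege for org.freedesktop.hal.storage.mount-removable. The SAMPLE_* and LOOSE_* strings are constructed file contents; on a SLED 11 host you would pass the real files' contents instead.

```python
"""Audit the removable-media lockdown layers described in this objective.

Added example, not code from the Novell course. Each function inspects the
text of one configuration file: the "install usb_storage" override in
/etc/modprobe.conf.local, the udev rule ignoring the usb-storage driver, and
the PolicyKit privilege for org.freedesktop.hal.storage.mount-removable.
The SAMPLE_* and LOOSE_* strings are constructed; pass real file contents on a host.
"""
import re

MOUNT_REMOVABLE = "org.freedesktop.hal.storage.mount-removable"


def usb_storage_install_override(modprobe_text):
    """Return the command an 'install usb_storage <cmd>' line runs instead of
    loading the module (e.g. /usr/bin/true), or None if the module loads normally."""
    for line in modprobe_text.splitlines():
        match = re.match(r"^\s*install\s+usb_storage\s+(.+?)\s*$", line)
        if match:
            return match.group(1)
    return None


def udev_ignores_usb_storage(rules_text):
    """True if an active rule matches DRIVER=="usb-storage" and sets ignore_device."""
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if re.search(r'DRIVER=="usb-storage"', line) and re.search(
                r'OPTIONS\+="[^"]*\bignore_device\b', line):
            return True
    return False


def polkit_privilege(privs_text, action=MOUNT_REMOVABLE):
    """Return the privilege set for action in polkit-default-privs.local, or None."""
    for line in privs_text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == action:
            return fields[1]
    return None


def privilege_requires_admin(priv):
    """True if every position of a single or 'a:b:c' privilege needs admin auth.

    set_polkit_default_privs expands a single value to three positions; a
    'yes' in any position (as in the 'wrong setting' the tool reports above)
    leaves that context open, so each position must be auth_admin* or 'no'."""
    if priv is None:
        return False
    return all(p.startswith("auth_admin") or p == "no" for p in priv.split(":"))


def audit(modprobe_text, rules_text, privs_text):
    """Summarise which of the independent lockdown layers are present."""
    install_cmd = usb_storage_install_override(modprobe_text)
    priv = polkit_privilege(privs_text)
    return {
        "usb_storage_blocked": install_cmd is not None,
        "usb_storage_install_cmd": install_cmd,
        "udev_ignore_rule": udev_ignores_usb_storage(rules_text),
        "polkit_mount_removable": priv,
        "polkit_requires_admin": privilege_requires_admin(priv),
    }


# Constructed samples mirroring the lines shown in this objective.
SAMPLE_MODPROBE = "# /etc/modprobe.conf.local (constructed)\ninstall usb_storage /usr/bin/true\n"
SAMPLE_UDEV = '# Disable USB storage\nDRIVER=="usb-storage", OPTIONS+="ignore_device last_rule"\n'
SAMPLE_POLKIT = f"{MOUNT_REMOVABLE} auth_admin_keep_always\n"
# A loosely configured host: no module override, no udev rule, and the
# three-position form ending in 'yes' that set_polkit_default_privs reports as wrong.
LOOSE_POLKIT = f"{MOUNT_REMOVABLE} auth_admin_keep_always:auth_admin_keep_always:yes\n"

if __name__ == "__main__":
    print(audit(SAMPLE_MODPROBE, SAMPLE_UDEV, SAMPLE_POLKIT))
    print(audit("", "", LOOSE_POLKIT))
```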


    Objective 2 Define Mandatory Settings with GConf and Desktop Profiles

    It is sometimes desirable from the desktop administrator's point of view to limit what users can configure or change on their desktops. Reasons for this could be corporate policies or an effort to reduce help desk calls because of misconfiguration caused by users.

    Even greater restraints are frequently imposed on desktops used in public places like trade shows.

    As covered in Customize the GNOME User Interface on page 24, GConf is used to store user-defined preferences or to set system-wide defaults. It can also be used by the administrator to set preferences that cannot be changed by the user.

    gconf-editor

    To set or change mandatory settings, you must be logged in as root when you use gconf-editor. The steps you take depend on what you need to do:

    Set Preferences as Mandatory for the First Time on page 43

    Change Existing Mandatory Preferences on page 44

    Set Preferences as Mandatory for the First Time

    As root user, start gconf-editor. The left part of the window lists the available keys.


    Figure 2-3 GConf Configuration Editor

    Browse the tree to the key you want to set as mandatory and set it to the desired value. Then select the entry with the right mouse button; in the submenu, select Set as Mandatory.

    If you select the entry to change it again, an error message tells you that this is not possible.

    Change Existing Mandatory Preferences

    As root user, start gconf-editor; then select File > New Mandatory Window. The left part of the window lists those mandatory settings that have already been set in the /etc/gconf/gconf.xml.mandatory/ repository tree. You can change them as explained in Change Defaults Using gconf-editor on page 27.

    To remove a key from the mandatory preferences, right-click the entry and select Unset Key.

    Values that have not been set to a mandatory value previously do not show up in the repository tree on the left of this gconf-editor dialog.


    Figure 2-4 Key is Not Writable

    gconftool-2

    You can also use the gconftool-2 command line tool to set preferences to a mandatory value. (When you use gconftool-2, gconf-editor can be helpful to browse the configuration repository tree to find the correct key and its path.)

    Let's assume that the security policy of the company requires the screens of desktops to be locked after 5 minutes of inactivity. As administrator, it is your task to configure the workstations accordingly and to make sure this policy is followed by all users.

    Using gconf-editor as a normal user, you browse the repository tree and find out that the keys for this purpose are /apps/gnome-screensaver/lock_enabled and /apps/gnome-screensaver/idle_delay. To set these to mandatory values, log in as root and use the following commands:

    da10:~ # killall gconfd-2
    da10:~ # gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --set --type bool /apps/gnome-screensaver/lock_enabled true
    Resolved address "xml:readwrite:/etc/gconf/gconf.xml.mandatory" to a writable configuration source at position 0
    da10:~ # gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --set --type int /apps/gnome-screensaver/idle_delay 5
    Resolved address "xml:readwrite:/etc/gconf/gconf.xml.mandatory" to a writable configuration source at position 0

    The next time a user logs in and tries to change the respective screensaver settings in the GNOME Control Center, the user will not be able to change these values.

    NOTE: Not all key-value pairs that can be set seem to have the desired effect. For example, setting the /apps/firefox/general/homepage_url key to a certain value does not seem to have any effect on the default home page of the Firefox browser. Other such key-value pairs might not behave as expected either. Therefore, you should test your settings to make sure they have the desired effect and cannot be changed by the user before you rely on your settings.


    Exercise 2-2 Set Mandatory Values for Preferences

    In this exercise, you use the Desktop Profile Editor and gconftool-2 to manage mandatory preferences.

    In task I, you use gconf-editor to disable access to the command line on the GNOME desktop.

    In task II, you use gconftool-2 to undo the setting you made in task I, because you will need the command line later in this course.

    In task III, you undo the settings you made in the previous exercise to allow mounting CDs/DVDs. Use gconf-editor for this.

    You will find this exercise in the workbook.

    (End of Exercise)


    Objective 3 Use PolicyKit to Configure Application Policies

    Using PolicyKit, you can start applications with user permission and assign them root permission later. You can allow users to execute system management tasks without making them root.

    To use PolicyKit, you should know the following:

    Understand the PolicyKit Architecture on page 47

    Use the Authorization Dialog on page 48

    Manage Authorizations at the Command Line on page 52

    NOTE: The documentation of PolicyKit is available on the freedesktop.org Web site (http://hal.freedesktop.org/docs/PolicyKit).

    Understand the PolicyKit Architecture

    PolicyKit assumes that a program has two parts:

    Mechanism. Runs privileged (with no user interface elements).

    Policy Agent. Runs unprivileged.

    The two parts of the program are in different processes and communicate through some IPC mechanism such as pipes or the system message bus (D-Bus). In some instances the Mechanism can be seen as part of the OS and the Policy Agent as part of the desktop stack.

    The Mechanism should never trust any application that tries to use it. First, the Mechanism has to evaluate all data and requests passed to it from the application.

    Examples where this model is used are HAL and NetworkManager:

    Figure 2-5 HAL and NetworkManager

    The entities that a Mechanism cares about can be split into three groups:

    Subject. The entity requesting the Action (e.g., an unprivileged application).


    Object. Some canonical representation of the object (e.g., a device file, a network connection, a reference to the power management subsystem).

    Action. What the subject is attempting to do to the object (e.g., mounting a block device, establishing a dial-up connection, putting the system into a suspended state, changing the time zone, gaining access to a webcam).

    The Mechanism identifies the subject, using ConsoleKit, and collects all the relevant information about the subject. This information includes:

    User ID

    Process ID

    An identifier for the desktop session and whether the session is active (e.g., currently showing on a display), whether it is local or remote and, if it is remote, the address of the remote display

    Optional OS-specific attributes (such as the SELinux security context)

    Second, the Mechanism creates an object that represents the action that the subject wants to be executed. One example of such an object is org.freedesktop.hal.storage.mount-removable, which represents the action of mounting a removable device.

    Based on this information and the request, the authorization database decides whether the action can be executed, executed after another required authentication, or not executed.

    Use the Authorization Dialog

    A graphical tool is available in GNOME to manage your authorizations. You can start it by selecting More Applications > Tools > Authorizations or entering polkit-gnome-authorization at a terminal.


    Figure 2-6 The Authorization Dialog

    In the left frame you see a tree structure where all possible actions are listed and grouped. The right frame has three parts:

    Action. Identifier, Description, and Vendor of the software module are shown here.

    Implicit Authorizations. Shows the authorizations that are set for all users that fulfill certain criteria (they are on a local console, for example). Implicit Authorizations are stored in /var/lib/PolicyKit-public/.

    Explicit Authorizations. Shows the authorizations that are set for single users. Explicit Authorizations are stored in /var/lib/PolicyKit/. (You can define explicit authorizations only for users that have an account on the system.)

    In the Authorizations dialog, you can configure two kinds of authorization:

    Implicit Authorization on page 50

    Explicit Authorization on page 51


    Implicit Authorization

    PolicyKit recognizes three basic types of users:

    Anyone. All users.

    Console. All users that are logged in to a console (active and inactive sessions).

    Active Console. All users that are logged in to an active console (e.g., currently showing on a display).

    NOTE: The ConsoleKit daemon determines whether a session is active or inactive, or local or not. ConsoleKit is a framework for defining and tracking users, login sessions, and seats. For more information see the freedesktop.org wiki (http://www.freedesktop.org/wiki/Software/ConsoleKit).

    If you want to change the implicit authorizations, select Edit and another dialog appears.

    Figure 2-7 Edit Implicit Authorizations

    Each menu has the following options:

    No. Access denied.

    Admin Authentication (one shot). Access denied, but authentication of the caller as an administrative user will grant access to only that caller and only once. The authorization will be revoked.

    Admin Authentication. Access denied, but authentication of the caller as an administrative user will grant access to only that caller.

    Admin Authentication (keep session). Access denied, but authentication of the caller as administrative user will grant access to any caller in the session the caller belongs to.

    Admin Authentication (keep indefinitely). Access denied, but authentication of the caller as administrative user will grant access to any caller with the given UID in the future.


    Authentication (one shot). Access denied, but authentication of the caller as himself will grant access to only that caller and only once. The authorization will be revoked.

    Authentication. Access denied, but authentication of the caller as himself will grant access to only that caller.

    Authentication (keep session). Access denied, but authentication of the caller as himself will grant access to any caller in the session the caller belongs to.

    Authentication (keep indefinitely). Access denied, but authentication of the caller as himself will grant access to any caller with the given UID in the future.

    Yes. Access granted.

    Explicit Authorization

    In this part, you can authorize or prevent the execution of a task by system users. Use the Grant button to specify the users that are allowed to execute the task. Block allows you to specify the users that are not allowed to execute the task.

    The dialog that appears is the same for Grant and Block, so the following shows how to authorize users.

    Figure 2-8 Edit (Grant) Explicit Authorization


    In the Beneficiary part, you can select a user that will receive the authorization. Select Show system users to display system users (like root and bin) in the pull-down menu.

    In the lower part of the dialog, you can determine constraints:

    None.

    Must be in active session.

    Must be on local console.

    Must be in active session on local console.

    Select Grant to activate the authorization.

    Once you have created at least one grant or block rule, the Revoke button becomes active in the Authorizations dialog (see Figure 2-6 on page 49) and you can remove the selected rule.

    The Show authorizations from all users option shows the list of the given explicit authorizations. If you are running the Authorizations tool as a normal user, you have to authenticate as root before they are shown.

    Manage Authorizations at the Command Line

    The configuration of PolicyKit and the defined permissions are included in the /etc/PolicyKit/PolicyKit.conf file. This is an XML file.

    NOTE: The man page of PolicyKit.conf can be viewed by man 5 PolicyKit.conf.

    You can edit the file directly using a text editor. You can also use some command line tools to edit PolicyKit.conf. The most important are:

    polkit-action. Lists and modifies registered PolicyKit actions.

    polkit-auth. Manages the authorizations.

    polkit-config-file-validate. Validates the PolicyKit.conf file.

    polkit-policy-file-validate. Validates a PolicyKit policy file.

    set_polkit_default_privs. Installs default settings for privileges that are granted automatically to locally logged-in users.

    polkit-action

    polkit-action is used to list and modify the PolicyKit actions that are registered on the system. To list the registered PolicyKit actions, use polkit-action without any parameter:

    da10:~ # polkit-action
    org.gnome.clockapplet.mechanism.settimezone
    org.gnome.clockapplet.mechanism.settime
    org.gnome.clockapplet.mechanism.configurehwclock
    org.freedesktop.hal.lock
    org.opensuse.yast.scr.read
    org.opensuse.yast.scr.write
    org.opensuse.yast.scr.execute
    org.opensuse.yast.scr.dir
    ...

    The most important options of polkit-action are

    --reset-defaults action. Resets the defaults for the specified action to the factory defaults. The authorization needed to do this is org.freedesktop.policykit.modify-defaults.

    --show-overrides. Prints all actions for which the defaults are overridden.

    --set-defaults-any action value. Overrides the any stanza for the given action with the supplied value. The authorization needed to do this is org.freedesktop.policykit.modify-defaults.

    --set-defaults-inactive action value. Overrides the inactive stanza for the given action with the supplied value. The authorization needed to do this is org.freedesktop.policykit.modify-defaults.

    --set-defaults-active action value. Overrides the active stanza for the given action with the supplied value. The authorization needed to do this is org.freedesktop.policykit.modify-defaults.

    Valid values for value of the three --set-defaults-* parameters are:

    no

    auth_admin_one_shot

    auth_admin

    auth_admin_keep_session

    auth_admin_keep_always

    auth_self_one_shot

    auth_self

    auth_self_keep_session

    auth_self_keep_always

    yes

    The meaning of these options is described in Implicit Authorization on page 50.

    The authorization needed to use the three --set-defaults-* parameters is org.freedesktop.policykit.modify-defaults.

    polkit-auth

    polkit-auth is used to inspect, obtain, grant and revoke explicit PolicyKit authorizations. If invoked without any options, the authorizations of the calling process will be printed.

    With the --show-obtainable option, all actions that can be obtained via authentication and for which an authorization does not exist are listed:

    da10:~ # polkit-auth --show-obtainable
    org.gnome.clockapplet.mechanism.settimezone
    org.gnome.clockapplet.mechanism.settime
    org.gnome.clockapplet.mechanism.configurehwclock
    org.freedesktop.hal.lock
    org.freedesktop.hal.dockstation.undock
    org.gnome.gconf.defaults.set-system
    org.gnome.gconf.defaults.set-mandatory
    ...

    To authorize a user to perform an action, use the --user user --grant action option. For example (all in one line):

    da10:~ # polkit-auth --user geeko --grant org.gnome.clockapplet.mechanism.settime

    To prevent a user from executing an action, use --block action. For example (all in one line):

    da10:~ # polkit-auth --user geeko --block org.gnome.clockapplet.mechanism.settime

    To revoke all authorizations for an action, use --revoke action. For example (all in one line):

    da10:~ # polkit-auth --user geeko --revoke org.gnome.clockapplet.mechanism.settime

    Adding --user user to --grant, --block, or --revoke means that the authorization is explicit for the specified user. Without --user, the options --grant, --block, and --revoke are valid for all system users.

    Another option that allows you to specify a user is --explicit, which shows all explicit authorizations:

    da10:~ # polkit-auth --user geeko --explicit
    org.gnome.clockapplet.mechanism.settime

    To get more detailed information, use the --explicit-detail option:

    da10:~ # polkit-auth --user geeko --explicit-detail
    org.gnome.clockapplet.mechanism.settime
      Authorized: No
      Scope:      Indefinitely
      Obtained:   Thu Feb 5 10:25:37 2009 from root (uid 0)


    You can also add constraints to --grant and --block. To do so, add the --constraint constraint option. The following values for constraint are the most important ones:

    --constraint local. The caller must be in a session on a local console attached to the system.

    --constraint active. The caller must be in an active session.

    Typically the active constraint is used together with the local constraint to ensure that the caller is only authorized if his session is in the foreground. This is typically used for fast user switching (multiple sessions on the same console) to prevent inactive sessions from performing privileged operations like spying (using a webcam or a sound card) on the currently active session.

    polkit-config-file-validate

    polkit-config-file-validate is used to verify that a given PolicyKit configuration file is valid. If no path to a config file is given, the default /etc/PolicyKit/PolicyKit.conf file will be verified.

    The typical role of this tool is to verify a configuration file before deploying it on one or more machines.

    polkit-policy-file-validate

    polkit-policy-file-validate is used to verify that one or more PolicyKit .policy files are valid.

    Normally this tool is used in the software release process and during software installation.

    set_polkit_default_privs

    The set_polkit_default_privs program installs default settings for privileges that are granted automatically to locally logged-in users by PolicyKit.

    The default settings are stored in the following files:

    /etc/polkit-default-privs.local

    /etc/polkit-default-privs.standard

    /etc/polkit-default-privs.restrictive

    In the /etc/sysconfig/security file, you can specify whether you want to use the standard or the restrictive default settings. To do so, set the POLKIT_DEFAULT_PRIVS variable to standard or restrictive.

    The file polkit-default-privs.local is applied in all cases.
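    The following Python script is an added example and is not part of this manual or of PolicyKit itself. It parses polkit-default-privs lines such as the mount-removable rule in Using PolicyKit, merges the standard or restrictive file with the .local file the way set_polkit_default_privs applies them, and evaluates a privilege triple against the values listed under polkit-action. It assumes that a single value expands to an any:inactive:active triple (as the set_polkit_default_privs output shows) and that the any stanza applies to every subject outside a local console; the sample file contents and the org.example.constructed.unsafe action are constructed.

```python
"""Model of SUSE polkit-default-privs files and PolicyKit implicit authorizations.

Added example, not code from the manual or from PolicyKit. Assumptions: a privilege
is a single value or an any:inactive:active triple (inferred from the
set_polkit_default_privs output in the manual), and the active/inactive stanzas
apply to local sessions while every other subject falls back to the any stanza."""

# Values accepted by polkit-action --set-defaults-*, as listed in the manual.
VALID_VALUES = frozenset([
    "no", "auth_admin_one_shot", "auth_admin", "auth_admin_keep_session",
    "auth_admin_keep_always", "auth_self_one_shot", "auth_self",
    "auth_self_keep_session", "auth_self_keep_always", "yes",
])


def parse_privs(text):
    """Return {action: (any, inactive, active)}; a single value is expanded to all
    three stanzas, as set_polkit_default_privs does. Later lines override earlier."""
    privs = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected 'action privilege'")
        action, value = parts
        fields = value.split(":")
        if len(fields) == 1:
            fields = fields * 3
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: privilege needs 1 or 3 fields")
        bad = [f for f in fields if f not in VALID_VALUES]
        if bad:
            raise ValueError(f"line {lineno}: unknown privilege value {bad[0]!r}")
        privs[action] = tuple(fields)
    return privs


def effective_privs(base_text, local_text):
    """Merge the chosen base file (standard or restrictive) with the .local file,
    which set_polkit_default_privs applies in all cases, so its entries win."""
    merged = parse_privs(base_text)
    merged.update(parse_privs(local_text))
    return merged


def decide(triple, local, active):
    """Map a triple and the subject's session state to the resulting decision."""
    value = triple[2] if (local and active) else triple[1] if local else triple[0]
    if value in ("yes", "no"):
        return "allow" if value == "yes" else "deny"
    who = "admin" if value.startswith("auth_admin") else "self"
    if value.endswith("_one_shot"):
        scope = "once"
    elif value.endswith("_keep_session"):
        scope = "session"
    elif value.endswith("_keep_always"):
        scope = "indefinitely"
    else:
        scope = "caller"
    return f"authenticate as {who} (keep: {scope})"


def weak_actions(privs):
    """Actions whose any stanza is 'yes': no authentication even for remote sessions."""
    return sorted(a for a, t in privs.items() if t[0] == "yes")


# Constructed sample files; the mount-removable lines mirror the manual's example.
STANDARD_SAMPLE = """
org.freedesktop.hal.storage.mount-removable  auth_admin_keep_always:auth_admin_keep_always:yes
org.example.constructed.unsafe               yes   # constructed: open to anyone
"""
LOCAL_SAMPLE = "org.freedesktop.hal.storage.mount-removable  auth_admin_keep_always\n"

if __name__ == "__main__":
    privs = effective_privs(STANDARD_SAMPLE, LOCAL_SAMPLE)
    for action, triple in sorted(privs.items()):
        print(action, ":".join(triple), decide(triple, local=True, active=True))
    print("open to anyone:", weak_actions(privs))
```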

    Th