3104_manual.pdf
7/24/2019 3104_manual.pdf
1/441
www.novell.com Novell Training Services
AUTHORIZED COURSEWARE
SUSE Linux Enterprise Desktop 11 Administration Manual
3104
Novell, Inc. Copyright 2009-CNI USE ONLY. 1 HARDCOPY ALLOWED-NO OTHER PRINTING OR DISTRIBUTION ALLOW
Legal Notices
Novell, Inc., makes no representations or warranties with respect to the contents
or use of this documentation, and specifically disclaims any express or implied
warranties of merchantability or fitness for any particular purpose. Further,
Novell, Inc., reserves the right to revise this publication and to make changes to
its content, at any time, without obligation to notify any person or entity of such
revisions or changes.
Further, Novell, Inc., makes no representations or warranties with respect to any
software, and specifically disclaims any express or implied warranties of
merchantability or fitness for any particular purpose. Further, Novell, Inc.,
reserves the right to make changes to any and all parts of Novell software, at any
time, without any obligation to notify any person or entity of such changes.
Any products or technical information provided under this Agreement may be
subject to U.S. export controls and the trade laws of other countries. You agree to
comply with all export control regulations and to obtain any required licenses or
classification to export, re-export or import deliverables. You agree not to export
or re-export to entities on the current U.S. export exclusion lists or to any
embargoed or terrorist countries as specified in the U.S. export laws. You agree
to not use deliverables for prohibited nuclear, missile, or chemical biological
weaponry end uses. See the Novell International Trade Services Web page
(http://www.novell.com/info/exports/) for more information on exporting Novell
software. Novell assumes no responsibility for your failure to obtain any
necessary export approvals.
Copyright 2009 Novell, Inc. All rights reserved. No part of this publication
may be reproduced, photocopied, stored on a retrieval system, or transmitted
without the express written consent of the publisher.
Novell, Inc., has intellectual property rights relating to technology embodied in
the product that is described in this document. In particular, and without
limitation, these intellectual property rights may include one or more of the U.S.
patents listed on the Novell Legal Patents Web page
(http://www.novell.com/company/legal/patents/) and one or more additional patents or pending patent
applications in the U.S. and in other countries.
Novell, Inc.
404 Wyman Street, Suite 500
Waltham, MA 02451
U.S.A.
www.novell.com
Online Documentation: To access the latest online documentation for
this and other Novell products, see the Novell Documentation Web
page (http://www.novell.com/documentation).
Novell Trademarks
For Novell trademarks, see the Novell Trademark and Service Mark list
(http://www.novell.com/company/legal/trademarks/tmlist.html).
Third-Party Materials
All third-party trademarks are the property of their respective owners.
Contents
Copying all or part of this manual, or distributing such copies, is strictly prohibited.
To report suspected copying, please call 1-800-PIRATES.
Version 1
Introduction 9
Student Kit Deliverables 9
Course Design 10
Course Objectives 10
Course Audience 10
Certification and Prerequisites 11
Classroom Agenda 11
Course Setup 12
Exercise Guidelines 12
VMware Virtualization and the Exercises 13
Exercise Conventions 13
Workbook 14
Course Feedback 14
SECTION 1 Customize the Graphical Interface on SUSE
Linux Enterprise Desktop 11 15
Objective 1 Configure X, Xgl, and Compiz 16
Configure X . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Activate Compiz . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Exercise 1-1 Activate Compiz . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Objective 2 Customize the GNOME User Interface 24
User-Defined Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Default Values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Exercise 1-2 Customize the GNOME User Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Objective 3 Customize Applications 30
OpenOffice.org 3.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Firefox. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Exercise 1-3 Customize Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Summary 36
SECTION 2 Lock Down the SLE Desktop 37
Objective 1 Control Mounting of CD-ROM, DVD, and USB Devices 38
Exercise 2-1 Control Mounting of CD-ROM, DVD, and USB Devices. . . . . . . . . . . . . . . . . . . 42
Objective 2 Define Mandatory Settings with GConf and Desktop Profiles 43
gconf-editor. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
gconftool-2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Exercise 2-2 Set Mandatory Values for Preferences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Summary 112
SECTION 5 Integrate SLED 11 into an Active Directory Environment 113
Objective 1 Describe How SLED 11 Integrates with Active Directory 114
Benefits of Active Directory Integration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
How Windows Networking Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
How SLED 11 Integrates with an Active Directory Domain . . . . . . . . . . . . . . . . 119
Objective 2 Configure Active Directory Integration 124
Joining SLED 11 to an Active Directory Domain . . . . . . . . . . . . . . . . . . . . . . . . 124
Exercise 5-1 Join SLED 11 to an Active Directory Domain. . . . . . . . . . . . . . . . . . . . . . . . . . . 134
Logging In to an Active Directory Domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
Managing Domain Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
Exercise 5-2 Log In to the Domain from SLED 11. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
Objective 3 Access Shared Domain Resources 139
Accessing Shared Folders. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
Accessing Shared Printers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
Exercise 5-3 Access a Shared Folder . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
Summary 147
SECTION 6 Integrate SLED 11 into a Novell eDirectory Environment 149
Objective 1 Describe How the Novell Client for Linux Works 150
The Role and Function of Novell eDirectory . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
The Role and Function of the Novell Client for Linux. . . . . . . . . . . . . . . . . . . . . 158
Objective 2 Install and Configure the Novell Client for Linux on SLED 11 160
Installing the Novell Client for Linux on SLED 11 . . . . . . . . . . . . . . . . . . . . . . . 160
Exercise 6-1 Install the Novell Client for Linux . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
Configuring the Novell Client on SLED 11 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
Objective 3 Authenticate to an OES 2 Server Using the Novell Client for Linux 184
Authenticating to eDirectory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
Mapping Directories to Server Volumes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
Logging Out . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
Troubleshooting SLP Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
Using Novell Client for Linux Shell Commands . . . . . . . . . . . . . . . . . . . . . . . . . 196
Exercise 6-2 Configure the Novell Client for Linux . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
Configuring Integrated Login . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
Exercise 6-3 Configuring Integrated Login. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
Objective 4 Use Novell iPrint on SLED 11 204
How iPrint Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
Installing and Configuring the iPrint Client on Linux Workstations . . . . . . . . . . 209
Installing iPrint Printers and Sending Print Jobs . . . . . . . . . . . . . . . . . . . . . . . . . 210
Exercise 6-4 Install and Configure the iPrint Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
SUSE Linux Enterprise Desktop 11 Administration / Manual
Objective 5 Use iFolder on SLED 11 214
How iFolder Works. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
Installing the iFolder Client. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216
Configuring Your iFolder Account. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
Creating iFolders . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224
Summary 229
SECTION 7 Integrate SUSE Linux Enterprise Desktop 11 into a UNIX Environment 233
Objective 1 Accessing NFS File Shares 234
Network File System Basics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234
NFS Internals. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235
Configure NFS Client Access with YaST. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235
Mount Home Directories Manually . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237
Mount Home Directories Automatically. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239
Exercise 7-1 Import Network File System (NFS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241
Objective 2 Authentication to LDAP 242
LDAP Basics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242
YaST LDAP Client Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245
OpenLDAP and Automounter. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
Exercise 7-2 Integrate a SLED 11 into an LDAP Environment. . . . . . . . . . . . . . . . . . . . . . . . . 249
Objective 3 Printing to CUPS Printers 250
Configure CUPS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250
Exercise 7-3 Change Your Printer Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268
Manage Print Jobs and Queues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268
Understand How CUPS Works. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
Exercise 7-4 Manage Printers from the Command Line . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281
Summary 282
SECTION 8 Access Remote Desktops Using Nomad 285
Objective 1 Describe How Nomad Works 286
How RDP Works. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286
How Nomad Works. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287
Objective 2 Install and Configure Nomad 291
Configure the Nomad Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291
Configure the Nomad Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295
Exercise 8-1 Install and Configure Nomad . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
Objective 3 Access Desktops Remotely with Nomad 300
Accessing Remote Desktops with rdesktop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300
Accessing Remote Desktops with tsclient . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302
Exercise 8-2 Access Remote Desktop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 306
Objective 4 Troubleshoot Common Nomad Problems 307
Verifying that xrdp is Running on the Sender . . . . . . . . . . . . . . . . . . . . . . . . . . . 307
Verifying that Port 3389 is Open . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307
Summary 308
SECTION 9 Use Multimedia on the SUSE Linux Enterprise Desktop 11 309
Objective 1 Use Banshee 310
Import Music. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311
Play Your Music . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313
Rip Your Music . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314
Listen to Internet Radio . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315
Listen to Podcasts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316
Exercise 9-1 Use Banshee . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318
Objective 2 Use Moonlight 319
Exercise 9-2 Use Moonlight . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
Summary 322
SECTION 10 Configure Email 323
Objective 1 Configure the Evolution Email Client on SLED 11 324
The Role and Function of Evolution. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324
Configuring Evolution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324
Using Evolution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337
Exercise 10-1 Integrate Evolution with Microsoft Exchange . . . . . . . . . . . . . . . . . . . . . . . . . . . 353
Objective 2 Configure the GroupWise Client on SLED 11 354
Installing Novell GroupWise Client for Linux. . . . . . . . . . . . . . . . . . . . . . . . . . . 354
Using the GroupWise Client. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358
Exercise 10-2 Install and Configure the GroupWise Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . 372
Summary 373
SECTION 11 Create Shell Scripts 375
Objective 1 Understand Bash Basics 376
Bash Command Line . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 376
Bash Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 378
Return Values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 379
Objective 2 Use Basic Script Elements 381
Elements of a Shell Script. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 381
A Simple Backup Script . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 382
Debug Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 384
Exercise 11-1 Create a Simple Shell Script. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 385
Objective 3 Understand Variables and Command Substitution 386
Exercise 11-2 Use Variables and Command Substitution. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 389
Objective 4 Use Control Structures 390
Create Branches. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 390
Exercise 11-3 Use an if Control Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 394
Create Loops . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 394
Exercise 11-4 Use a while Loop. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398
Objective 5 Use Arithmetic Operators 399
Exercise 11-5 Use Arithmetic Operators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 401
Objective 6 Read User Input 402
Exercise 11-6 Read User Input. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 404
Objective 7 Use Arrays 405
Exercise 11-7 Use Arrays. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 407
Objective 8 Finalize the Course Project 408
Exercise 11-8 Use rsync to Keep Versions of Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 410
Objective 9 Use Advanced Scripting Techniques 411
Use Shell Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411
Read Options with getopts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412
Exercise 11-9 Use Shell Functions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414
Objective 10 Learn about Useful Commands in Shell Scripts 415
Use the cat Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 415
Use the cut Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 415
Use the date Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416
Use the grep and egrep Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416
Use the sed Command. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 417
Use the test Command. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 419
Use the tr Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 421
Summary 423
SECTION 12 Deploy SUSE Linux Enterprise Desktop 11 427
Objective 1 Understand Autoinstallation Basics 428
Installation Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 428
Deployment Strategies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 429
AutoYaST Basics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 431
Objective 2 Create a Configuration File for AutoYaST 432
Exercise 12-1 Create an AutoYaST Control File. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 436
Objective 3 Use an Installation Server 437
Objective 4 Perform an Automated Installation 438
Provide the Control File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 438
Boot and Install the System. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 438
Exercise 12-2 Perform an Automated Installation of SUSE Linux Enterprise Desktop . . . . . . . 440
Summary 441
Introduction
SUSE Linux Enterprise Desktop 11 Administration (Course 3104) focuses on the
routine system administration of SUSE Linux Enterprise Desktop 11 (SLED 11).
This course covers basic Linux skills as well as common tasks a system administrator
of SLED 11 has to perform, such as configuring the desktop environment, printing,
integrating the product into existing environments, and rolling out a large number of
installations.
Before starting the course, review the following:
Student Kit Deliverables on page 9
Course Design on page 10
Exercise Guidelines on page 12
Course Feedback on page 14
Student Kit Deliverables
The contents of your student kit include the following:
SUSE Linux Enterprise Desktop 11 Administration Manual
SUSE Linux Enterprise Desktop 11 Administration Workbook
SUSE Linux Enterprise Desktop 11 Administration Course DVD (2 DVDs)
SUSE Linux Enterprise Desktop 11 SP1 Product DVD
SUSE Linux Enterprise Server 11 Product DVD
The SUSE Linux Enterprise Desktop 11 Administration Course DVDs contain an image of
a SUSE Linux Enterprise Desktop 11 installation and other images (a SUSE Linux
Enterprise Server 11 installation, an Open Enterprise Server installation, and an
empty VMware machine in which you can install Windows 2008 Server) that you can use
to perform the exercises in the SUSE Linux Enterprise Desktop 11 Administration
Workbook.
The exercises in the Workbook help you to practice the skills tested in the Novell
Certified Linux Desktop Professional 11 (CLDP 11) exam (050-722).
NOTE: Instructions for setting up a self-study environment are in the setup directory on the Course
DVD.
Course Design
The following provides information about the design of the course to help you
evaluate whether or not this course provides the type of SLED 11 training you need
(in a classroom environment or for self-study):
Course Objectives on page 10
Course Audience on page 10
Certification and Prerequisites on page 11
Classroom Agenda on page 11
Course Setup on page 12
Course Objectives
This course teaches SUSE Linux Enterprise Desktop 11 theory as well as practical
application with hands-on labs of the following SUSE Linux Enterprise Desktop 11
Administration topics:
1. Customize the Graphical Interface on SUSE Linux Enterprise Desktop 11
2. Lock Down the SLE Desktop
3. Use the NetworkManager to Configure the Network
4. Activate and Use IPv6
5. Integrate SLED 11 into an Active Directory Environment
6. Integrate SLED 11 into a Novell eDirectory Environment
7. Integrate SUSE Linux Enterprise Desktop 11 into a UNIX Environment
8. Access Remote Desktops Using Nomad
9. Use Multimedia on the SLE Desktop
10. Configure Email
11. Create Shell Scripts
12. Deploy SUSE Linux Enterprise Desktop 11
These are tasks a SUSE Linux Desktop administrator in an enterprise environment
routinely has to deal with.
Course Audience
This course is addressed to administrators who are CLA11-certified (or who have
comparable Linux administration knowledge) and who now want to gain in-depth
knowledge of the tasks a Linux administrator routinely has to perform on SLED 11.
Certification and Prerequisites
This course helps you prepare for the following Novell Certified Linux Desktop
Professional 11 (Novell CLDP 11) exams:
CLDP 11 - Professional level (050-722)
As with all Novell certifications, course work is recommended. To achieve the Novell
CLDP 11 certification, you are required to pass the Novell CLDP 11 exam.
The following illustrates the training and testing path for Novell CLDP11:
Figure Intro-1 CLDP 11 Certification Path
NOTE: For more information about Novell certification programs and certification exams, see
Novell's certification website (http://www.novell.com/training/certinfo/).
Classroom Agenda
This course is designed to be taught as a 5-day course with the following basic
agenda:
Table Intro-1 Course Agenda
Module Duration (hh:mm)
Day 1 Introduction 00:30
Customize the Graphical Interface on SUSE Linux Enterprise Desktop 11 02:30
Lock Down the SLE Desktop 03:00
Day 2 Use the NetworkManager to Configure the Network 04:30
Activate and Use IPv6 02:00
Day 3 Integrate SLED 11 into an Active Directory Environment 03:00
Integrate SLED 11 into a Novell eDirectory Environment 03:30
Day 4 Integrate SUSE Linux Enterprise Desktop 11 into a UNIX Environment 03:00
Access Remote Desktops 02:00
Use Multimedia on the SLE Desktop 00:30
Configure Email 01:00
Day 5 Create Shell Scripts 05:30
Deploy SUSE Linux Enterprise Desktop 11 01:00
Course Setup
The setup in this course is based on running a SLED 11 system called DA-HOST.
DA-HOST runs a virtual machine server with four virtual machines:
DA1. A SUSE Linux Enterprise Server 11 server. This virtual machine provides
services you need for the exercises (like DNS).
DA-SLED. A SLED 11 workstation. This virtual machine is used to test and use
services during various exercises.
DA-OES. A Novell Open Enterprise Server 2 server. It hosts the services
covered in this course.
DA-WIN. A Microsoft Windows Server 2008 server. This virtual machine provides
Active Directory and an Exchange server.
Exercise Guidelines
The following information provides guidelines to help you make the most of the
exercises provided in this course:
VMware Virtualization and the Exercises on page 13
Exercise Conventions on page 13
Workbook on page 14
VMware Virtualization and the Exercises
VMware virtualization technology allows you to create and run multiple virtual
computers on one physical computer. The physical computer must be running player
software to allow it to be a virtual machine server (or host).
The VMware virtual machines used in this course are:
DA1. A SUSE Linux Enterprise Server 11 server. This virtual machine provides
services (like DNS) you need for the exercises.
DA-SLED. A SUSE Linux Enterprise Desktop 11 workstation. This virtual
machine is used to test and use services during various exercises.
DA-OES-A. A Novell Open Enterprise Server 2 server. It hosts the services
covered in this course.
DA-WIN. A Microsoft Windows Server 2008 server. This virtual machine provides
Active Directory and an Exchange server.
Exercise Conventions
The exercises use conventions that indicate information you need to enter that is
specific to your server.
The following describes the most common conventions:
italicized/bolded text. This represents a variable value, such as the host name of
your server.
For example, if the host name of your server is DA3 and you see the following:
hostname.da.com
you would enter
DA3.da.com
172.17.8.x or DAx. This is the IP address or host name that is assigned to a
server.
For example, if your IP address is 172.17.12.101 and you see the following:
172.17.12.x
you would enter
172.17.12.101
Select. The word select is used in exercise steps to indicate a variety of actions,
including clicking a button on the interface and selecting a menu item.
Enter and Type. The words enter and type have distinct meanings.
The word enter means to type text in a field or type text at a command line
prompt and press the Enter key. The word type means to type text without
pressing the Enter key.
If you are directed to type a value, make sure you do not press the Enter key, or
you might activate a process that you are not ready to start.
SECTION 1 Customize the Graphical Interface on SUSE Linux Enterprise Desktop 11
In this section, you learn how to configure the graphical environment of your SUSE
Linux Enterprise Desktop 11 (SLED 11). This includes the X configuration as well as
the configuration of the GNOME environment.
Section Objectives
In this section, you learn how to do the following:
1. Configure X, Xgl, and Compiz on page 16
2. Customize the GNOME User Interface on page 24
3. Customize Applications on page 30
Objective 1 Configure X, Xgl, and Compiz
Provided the computer is equipped with suitable graphics hardware (a supported
graphics adapter with good 3D performance), SUSE Linux Enterprise Desktop 11
provides an entirely new Linux desktop experience through its use of 3D effects
made possible by Xgl and Compiz.
Figure 1-1 Switching to Another Virtual Desktop
Xgl is a new X server architecture layered on top of OpenGL. Xgl can perform
intricate graphical operations noticeably faster than other available X servers that
do not use OpenGL.
More important than speed alone, Xgl accelerates complex composite operations,
making possible new stunning visual effects on OpenGL-enhanced composition/
window managers like Compiz, the compositor utility that was developed in
conjunction with Xgl.
Compiz is a combination of a window manager and a composite manager using
OpenGL for rendering. A window manager allows the manipulation of the multiple
application and dialog windows that are presented on the screen. A composite
manager allows windows and other graphics to be combined to create composite
images, such as those used to create transparency effects. Compiz achieves its
stunning effects by performing both of these functions.
When you activate Compiz, it replaces the window manager of your desktop
environment (Metacity in GNOME and kwin in KDE).
First, SaX2 checks the hardware; then the following dialog appears:
Figure 1-3 SaX2 Proposes Screen Settings
If you are satisfied with the configuration, select OK.
If you need to change the configuration, select Change Configuration. Except for
the window title, the dialog that opens up is the same as that of the YaST Graphics
Card and Monitor module:
Figure 1-4 SaX2's X11 Configuration Dialog
In the Monitor section, you can change different aspects of the X configuration (such
as graphics card details, monitor type, screen resolution, and number of colors
displayed) that concern the graphics card and monitor.
Selecting one of the categories on the left opens different dialogs that allow you to
change the respective settings.
When you are done with the configuration, select OK. In the next dialog, you can
choose to test the configuration, to save it, or to cancel the changes.
Figure 1-5 Test the Graphics Configuration
We recommend testing the configuration before saving it. A dialog to adjust the size
and position of the screen appears.
Figure 1-6 Adjust the Screen
Normally it is not necessary to change anything here.
Save your settings and exit SaX2.
Activate Compiz
The packages needed to activate Compiz are part of the GNOME pattern used during
a default installation. These include the following:
compiz
xgl
xgl-hardware-list
gnome-session
libwnck
Once 3D acceleration has been activated, log in as a normal user to GNOME and
activate Compiz.
Select the Computer icon in the lower left corner of the desktop, open the Control
Center, and start the Desktop Effects control panel in the Look and Feel section.
Figure 1-7 Enable Desktop Effects
Mark Enable desktop effects to activate Compiz.
The following table lists the more frequently used controls:
Key Combination Effect
Ctrl+Alt+Left Rotate cube to the left.
Ctrl+Alt+Shift+Left Rotate cube to the left, with active window.
Ctrl+Alt+Right Rotate cube to the right.
Ctrl+Alt+Shift+Right Rotate cube to the right, with active window.
Ctrl+Alt+Mouse Button 1 Rotate cube using the mouse.
Ctrl+Alt+Down Unfold the cube; then use the left and right arrow keys to move.
NOTE: More information on Xgl can be found at the openSUSE website (http://en.opensuse.org/Xgl).
More information on Compiz can be found at the openSUSE website (http://en.opensuse.org/Compiz).
Exercise 1-1 Activate Compiz
In this exercise, you configure Compiz, provided the hardware supports it.
In the first part, using YaST, verify that 3D support is enabled for your graphics
adapter.
If 3D support is enabled, activate Compiz for the GNOME desktop in the second part.
You will find this exercise in the workbook.
(End of Exercise)
Objective 2 Customize the GNOME User Interface
You can customize the GNOME user interface in various ways: For example, you can
add or remove icons, change the background image, or add items to the panel. The
administrator can set system-wide defaults. Users can configure their own desktops.
The system used for storing application preferences in GNOME is GConf. GConf
provides a preferences database, similar to a simple file system.
Keys are organized into a directory hierarchy. Each key is either a directory
containing more keys, or it has a value, which is stored in the %gconf.xml file in
the key's directory.
This directory structure is below /etc/gconf/ for system-wide entries, while
user-specific settings are contained in subdirectories of ~/.gconf/.
A %gconf.xml file can contain many key-value pairs. For example,
~geeko/.gconf/apps/nautilus/preferences/%gconf.xml holds the Nautilus preferences
of user geeko, among them an entry whose value is 800x550+400+38 (a saved window
geometry in X11 WIDTHxHEIGHT+X+Y notation).
NOTE: This file only exists if Nautilus has been started at least once before.
A per-user daemon, gconfd-2, controls these settings. It reads the current settings
from various sources when a user logs in, notes any changes the user makes to the
settings, and informs the affected applications. In this way, changed settings take
effect immediately. Changes are written to the file system at regular intervals.
NOTE: A more detailed description of the GConf repository structure is contained in the GNOME
Desktop System Administration Guide (http://library.gnome.org/admin/system-admin-guide/stable/).
To understand how the user environment is configured, you need to know the
following:
User-Defined Settings on page 24
Default Values on page 26
User-Defined Settings
When a user defines the settings for his or her workstation, using the preference
dialogs of GNOME applications or the gconf-editor tool, the settings are written to a
%gconf.xmlfile in a directory beneath~/.gconf.
To see how a user-defined setting is stored, suppose a user decided to change the
default double-click used to launch applications to a single click.
To change this default behavior, start Nautilus by double-clicking the folder icon
representing the home directory. Select Edit > Preferences > Behavior > Single
Click to Activate Items. This change takes effect immediately.
The setting is stored as the click_policy key in
~/.gconf/apps/nautilus/preferences/%gconf.xml, with the string value single.
The same effect can be achieved with gconf-editor. Open a terminal window, type
gconf-editor, and press Enter. The various options available are displayed in a
tree-like structure:
Figure 1-8 The gconf-editor
To change the value of a key, double-click the key in the right part of the window and
change its value in the dialog that appears.
Depending on the application, gconf-editor might offer more settings than the
preference dialog of the respective application itself.
You can also use the gconftool-2 command line tool to change the GConf settings.
To change the default click policy to single, enter the following on the
command line:
geeko@da10:~> gconftool-2 --set --type string /apps/nautilus/preferences/click_policy single
The /apps/nautilus/preferences/click_policy key corresponds to the tree structure in
gconf-editor. The --set and --type string options indicate that this key will
take the new string value single. The type depends on the key and is defined in the
schema file for that key. Schemas are covered in Default Values on page 26.
You can also use gconftool-2 to view the current value of a key:
geeko@da10:~> gconftool-2 --get /apps/nautilus/preferences/click_policy
single
geeko@da10:~>
Default Values
Default values are used for any preferences that are not set specifically by the user.
When looking up the value of a key, GConf consults a sequence of configuration
sources: the mandatory repository below /etc/gconf, then the user's ~/.gconf
directory, then the defaults repository below /etc/gconf. The sources and their
order are listed in the /etc/gconf/2/path file.
The sequence of the configuration sources in the path file ensures that mandatory
preference settings override user preference settings. The sequence also ensures that
user preference settings override default preference settings. That is, GConf applies
preferences in the following order of priority:
1. Mandatory preferences
2. User-specified preferences
3. Default preferences
GConf also uses schema files, which are contained in /etc/gconf/schemas/. Schemas
list the possible preferences for applications or desktop settings. For the GNOME
desktop background, the respective file is called desktop_gnome_background.schemas.
A schema entry (this one describes the default mixer device) gives the schema key,
the key it applies to, the owner, the type, and a short and a long description:
/schemas/desktop/gnome/sound/default_mixer_device
/desktop/gnome/sound/default_mixer_device
gnome
string
Default mixer device
The default mixer device used by the multimedia keybindings.
...
This file contains keys, their type (integer, boolean, string, float, or list), default
value, and descriptions in several languages.
You can change the system-wide default values using either gconf-editor or gconftool-2.
Change Defaults Using gconf-editor
To use gconf-editor for this purpose, make sure you are logged in as root when
you start it. You can right-click a key and select Set as Default or Set as Mandatory
from the pop-up menu.
Figure 1-9 Set as Default or as Mandatory
To see all default settings, select File > New Defaults Window. To see all mandatory
settings, select File > New Mandatory Window. A new window opens and lets you
change settings as explained in User-Defined Settings on page 24.
To remove a key from the default or mandatory configuration, right-click the key in
the New Defaults Window or the New Mandatory Window and select Unset Key.
Change Defaults Using gconftool-2
To change system-wide defaults with gconftool-2, you must be logged in as root.
You must specify the repository you want to change. Otherwise, by default, changes
apply to the ~/.gconf/ directory in the user's home directory; they will not apply
to the directories beneath /etc/gconf/gconf.xml.defaults. You also have to make
sure gconfd-2 is not running.
The command to change the default for the background image file looks similar to the
following example (the gconftool-2 command line needs to be entered in one line):
da10:/etc/gconf # killall gconfd-2
da10:/etc/gconf # gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.defaults --set --type string /desktop/gnome/background/picture_filename /usr/share/wallpapers/SpringFlowers.jpg
In the example, --direct indicates that the configuration repository is altered
directly without using gconfd-2, and --config-source specifies the source to
change. Note the address syntax backend:mode:directory, here
xml:readwrite:/etc/gconf/gconf.xml.defaults.
The command changes the /etc/gconf/gconf.xml.defaults/desktop/gnome/background/%gconf.xml
file, which now lists the new default value:
/usr/share/wallpapers/SpringFlowers.jpg
Users who do not have an entry in their ~/.gconf/directory trees defining adifferent background image will see the new background image the next time they
log in. They are still able to change their own background images.
Setting preferences that cannot be changed by the user is covered in Define
Mandatory Settings with GConf and Desktop Profiles on page 43.
Figure 1-11 Configure the Paths Used by OpenOffice.org
To add or delete template directories, select Editand make the changes in the dialog
that appears.
Figure 1-12 Edit the Path of Your Templates
You can copy a sample .ooo3 directory with company-specific OpenOffice.org settings
to /etc/skel/ to make all configuration settings and templates in that directory
available to new users.
NOTE: A helpful resource for OpenOffice.org is the OpenOffice.org Forum (http://www.oooforum.org/).
Firefox
Firefox can be configured extensively via Edit > Preferences. Several tabs cover
various aspects of the configuration.
Figure 1-13 Firefox Preferences
You can access the preferences listed above, as well as additional preferences, at
about:config. After the warning dialog, you can double-click an entry to open a
dialog to change the value of the respective parameter:
Figure 1-14 List of the Firefox Preferences
Changed values are stored in the home directory of the user in
~/.mozilla/firefox/xxxxxxxx.default/prefs.js. To make them available for all
users, copy the file to /usr/lib/firefox/defaults/profile/prefs.js. Users can
still make their own changes and override the values in the system-wide file.
Exercise 1-3 Customize Applications
In this exercise, you create an OpenOffice.org template.
In the first task, you create a letterhead template. In the second task, you create
a new letter using the letterhead you created in task I.
You will find this exercise in the workbook.
(End of Exercise)
Summary
The following is a summary of what you learned in the course objectives.
Objective: Configure X, Xgl, and Compiz
What You Learned: The X configuration is created with SaX2 or the YaST Graphics
Card and Monitor module. SUSE Linux Enterprise Desktop 11 supports Xgl and
Compiz, providing a new desktop experience on Linux.
Objective: Customize the GNOME User Interface
What You Learned: The user preferences for GNOME settings are stored as keys in
the GConf repository, system-wide below /etc/gconf/ or in the user's home
directory below ~/.gconf/. To change settings within GNOME applications, use
the graphical tool gconf-editor
the command line tool gconftool-2
Objective: Customize Applications
What You Learned: Applications store their configuration settings, usually in
hidden directories or files (starting with a .) in the home directory of the user
who sets them.
In some cases, it is useful for the desktop administrator to distribute sample
configurations, e.g., for OpenOffice.org or Firefox.
SECTION 2 Lock Down the SLE Desktop
If users only see what they are allowed to access, system security is increased.
This section describes different methods of locking down SUSE Linux Enterprise
Desktop 11 (SLED 11).
Encrypted file systems can also improve security.
Section Objectives
In this section, you learn how to do the following:
1. Control Mounting of CD-ROM, DVD, and USB Devices on page 38
2. Define Mandatory Settings with GConf and Desktop Profiles on page 43
3. Use PolicyKit to Configure Application Policies on page 47
4. Use File System Encryption on page 58
Objective 1 Control Mounting of CD-ROM, DVD, and USB Devices
By default, removable media like CD-ROMs, DVDs, and USB storage devices are
automatically mounted. The program providing this functionality is the HAL
daemon. Three GNOME tools use HAL and read settings from GConf:
gnome-mount
gnome-umount (same as gnome-mount --umount)
gnome-eject (same as gnome-mount --eject)
Depending on company policy or the use of the workstation, you might have to
prevent users from reading from or writing to removable media or mounting
removable devices such as USB drives or sticks.
There are various ways to configure this. Which one you choose depends mainly on
how difficult you want to make it for any user who tries to circumvent the restrictions
you impose.
Using GConf and /etc/fstab
Use gconftool-2 or gconf-editor to set the media_automount key in /apps/
nautilus/preferences in the mandatory GConf repository to false.
While this prevents automatic mounting, the user can still mount the drive by
selecting the desktop icon that appears when a CDROM is inserted.
You can add an entry like the following to /etc/fstab to prevent mounting of
CD-ROMs or DVDs by unprivileged users (assuming that /dev/dvd represents the
CD-ROM/DVD drive):
/dev/dvd /media/dvd auto noauto,defaults 0 0
The entry deliberately omits the user option, so mount(8) permits only root to
mount the device, and HAL refuses the request from an ordinary user.
Now an error message will appear when a user inserts a CDROM.
Figure 2-1 Users Are Not Able To Mount a CD/DVD
NOTE: GConf is covered in Customize the GNOME User Interface on page 24.
Using kernel modules
The usb_storage kernel module is needed to read from USB storage devices. You
can prevent the module from being loaded by adding the following line to
/etc/modprobe.conf.local:
install usb_storage /usr/bin/true
You can use other programs instead of /usr/bin/true as well. The following
example (in one line in /etc/modprobe.conf.local) will cause an email notice to
be sent when someone inserts such a device:
install usb_storage /usr/bin/mail -s "USB stick inserted on $HOSTNAME" [email protected]
Keep in mind that an install line only redirects modprobe: root can still load the
module explicitly with insmod or modprobe --ignore-install. This stops
unprivileged users, not an attacker who already has root access.
NOTE: You could disable USB completely by adding similar lines for usbcore and other USB
modules (use lsmod to find which ones). But this might not be practical because that would
disable a USB keyboard and mouse as well.
You could rename or remove the USB kernel modules. However, the next kernel
update would bring them back and enable USB storage again.
Configure udev rules
In the past, the /dev/ directory contained a device file for hundreds of devices,
even if the hardware was not present. With udev this has changed; device files
are created only for devices that are actually present.
The command udevadm monitor can be used to monitor the udev system messages.
When you plug in a USB stick, messages similar to the following should appear:
UDEV [1243464970.656655] add /devices/pci0000:00/0000:00:1d.2/usb7/7-2/7-2:1.0/host6/target6:0:0/6:0:0:0/block/sdb (block)
UDEV [1243464971.499426] add /devices/pci0000:00/0000:00:1d.2/usb7/7-2/7-2:1.0/host6/target6:0:0/6:0:0:0/block/sdb/sdb1 (block)
Block devices are created. In this example one for the new device (sdb) and one
for the partition (sdb1).
When the USB stick is removed, the block devices are removed again, as in the
following:
UDEV [1243465458.031639] remove /devices/pci0000:00/0000:00:1d.2/usb7/7-2/7-2:1.0/host6/target6:0:0/6:0:0:0/block/sdb/sdb1 (block)
...
UDEV [1243465458.035093] remove /devices/pci0000:00/0000:00:1d.2/usb7/7-2/7-2:1.0/host6/target6:0:0/6:0:0:0/block/sdb (block)
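The monitor output above is also what you would watch to detect removable media being attached on a locked-down desktop. The following script is an added example, not part of the manual: it parses udevadm monitor lines of the format shown, keeps only the post-rule UDEV events for block devices whose sysfs path passes through a USB hub (that /usbN/ heuristic is this example's assumption), and reports what was added and removed. The sample lines are constructed to match the manual's output.

```python
"""Parse `udevadm monitor` output and track USB block-device hot-plug events.
Added example, not from the manual. The sample lines are constructed to
match the format the manual shows; treating any block device whose sysfs
path passes through a /usbN/ hub as USB storage is this example's heuristic."""
import re
from collections import namedtuple

Event = namedtuple("Event", "source timestamp action devpath subsystem")

# UDEV  [1243464970.656655] add      /devices/.../block/sdb (block)
LINE_RE = re.compile(
    r"^(?P<src>UDEV|KERNEL)\s*\[(?P<ts>\d+\.\d+)\]\s+"
    r"(?P<action>add|remove|change)\s+(?P<path>\S+)\s+\((?P<subsys>\w+)\)$"
)


def parse_monitor_lines(lines):
    """Yield an Event per well-formed line; silently skip header and noise lines."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield Event(m.group("src"), m.group("ts"), m.group("action"),
                        m.group("path"), m.group("subsys"))


def is_usb_block_device(event):
    """True for a block device that sits below a USB host controller."""
    return event.subsystem == "block" and re.search(r"/usb\d+/", event.devpath) is not None


def track_usb_storage(lines):
    """Return (present, log): the set of USB block nodes still present after the
    last line, and one log string per USB add/remove event, in order. Only UDEV
    events are counted, i.e. those that already passed the rules; KERNEL events
    are the raw uevents and would double-count every device."""
    present, log = set(), []
    for ev in parse_monitor_lines(lines):
        if ev.source != "UDEV" or not is_usb_block_device(ev):
            continue
        node = ev.devpath.rsplit("/", 1)[-1]            # sdb, sdb1, ...
        if ev.action == "add":
            present.add(node)
        elif ev.action == "remove":
            present.discard(node)
        log.append("%s %s /dev/%s" % (ev.timestamp, ev.action, node))
    return present, log


# Constructed sample: a USB stick (sdb, sdb1) comes and goes; sda is SATA.
SAMPLE = """\
monitor will print the received events for:
UDEV - the event which udev sends out after rule processing
KERNEL - the kernel uevent

KERNEL[1243464970.500000] add      /devices/pci0000:00/0000:00:1d.2/usb7/7-2/7-2:1.0/host6/target6:0:0/6:0:0:0/block/sdb (block)
UDEV  [1243464970.656655] add      /devices/pci0000:00/0000:00:1d.2/usb7/7-2/7-2:1.0/host6/target6:0:0/6:0:0:0/block/sdb (block)
UDEV  [1243464971.499426] add      /devices/pci0000:00/0000:00:1d.2/usb7/7-2/7-2:1.0/host6/target6:0:0/6:0:0:0/block/sdb/sdb1 (block)
UDEV  [1243464975.000000] change   /devices/pci0000:00/0000:00:1f.2/host0/target0:0:0/0:0:0:0/block/sda (block)
UDEV  [1243465458.031639] remove   /devices/pci0000:00/0000:00:1d.2/usb7/7-2/7-2:1.0/host6/target6:0:0/6:0:0:0/block/sdb/sdb1 (block)
UDEV  [1243465458.035093] remove   /devices/pci0000:00/0000:00:1d.2/usb7/7-2/7-2:1.0/host6/target6:0:0/6:0:0:0/block/sdb (block)
""".splitlines()

if __name__ == "__main__":
    present, log = track_usb_storage(SAMPLE)
    print("\n".join(log))
    print("still present:", sorted(present) or "none")
```

On a live system, pipe the tool into the script (udevadm monitor | python3 script.py with sys.stdin in place of SAMPLE). Filtering on UDEV rather than KERNEL events matters once the ignore_device rule from the next section is active: the kernel uevent still arrives, but the device node is never created.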
udev is very flexible and can be configured by writing rules to *.rules files in
the /etc/udev/rules.d/ directory.
NOTE: The rules shipped with the system are in /lib/udev/rules.d/.
You can create your own rules in /etc/udev/rules.d/. Rules files are processed in
lexical order, so to ensure that your rules are applied before the shipped ones,
the filename should start with a smaller number than the other files in the
directory (e.g., 10-local.rules).
A rule to disable devices that require the usb_storage module could look like the
following:
# Disable USB storage
DRIVER=="usb-storage", OPTIONS+="ignore_device last_rule"
The ignore_device option will ensure that no action is taken and, therefore,
no device file is created to access the device. The last_rule option prevents
later rules from changing this rule. Both options belong to the udev version
shipped with SLED 11; later udev releases no longer support them, so check the
udev manual page of the system you are configuring before reusing this rule.
Much more fine-grained control than shown above is possible. You could, for
instance, write rules allowing a specific USB device based on its serial number,
and ignoring other devices.
NOTE: The manual page for udev and the udev HOWTO (http://www.reactivated.net/writing_udev_rules.html)
provide more information on how to write udev rules.
Using PolicyKit
PolicyKit is an application-level toolkit for defining and handling the policy that
allows unprivileged processes to speak to privileged processes: It is a framework
for centralizing the decision-making process with respect to granting access to
privileged operations for unprivileged applications.
PolicyKit is covered in detail in Use PolicyKit to Configure Application
Policies on page 47.
To prevent users from mounting removable media (like DVDs or USB sticks), add
the following line to your local rules in the /etc/polkit-default-privs.local file:
org.freedesktop.hal.storage.mount-removable auth_admin_keep_always
The new settings are activated by the set_polkit_default_privs command:
da10:~ # set_polkit_default_privs
setting org.freedesktop.hal.storage.mount-removable to auth_admin_keep_always:auth_admin_keep_always:auth_admin_keep_always (wrong setting auth_admin_keep_always:auth_admin_keep_always:yes)
When the user inserts a DVD or USB stick, an authentication dialog appears:
Figure 2-2 Authentication Is Needed to Mount Removable Media
Remove the hardware
Physically remove CDROM and DVD drives as well as USB ports. This also
prevents the computer from being booted from bootable CDs.
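The methods above differ in how much effort it takes a user to get around them, and in practice they are combined. The following script is an added example, not part of the manual: it reads the four configuration files this objective edits (modprobe.conf.local, a udev rules file, polkit-default-privs.local, and fstab) and reports which layers are in place, so you can see the whole stack at a glance after a change. The file contents are constructed to mirror the manual's snippets; the easy:standard:restrictive triple it accepts in the PolicyKit file is inferred from the set_polkit_default_privs output above and is an assumption.

```python
"""Audit the removable-media lockdown layers discussed in this objective.
Added example, not from the manual. It parses the four files the manual
edits and reports which hurdles are in place. File contents below are
constructed; on a real system pass open(path).read() instead. The
easy:standard:restrictive triple in polkit-default-privs is inferred from
the set_polkit_default_privs output in the manual and is an assumption."""

MOUNT_ACTION = "org.freedesktop.hal.storage.mount-removable"


def modprobe_blocks(conf_text, module="usb_storage"):
    """Return (install_override, blacklisted). An `install MODULE cmd` line
    diverts modprobe to cmd (e.g. /usr/bin/true); a `blacklist MODULE` line
    only stops alias-based autoloading and does not stop `modprobe MODULE`."""
    install = blacklist = False
    for line in conf_text.splitlines():
        words = line.split()
        if len(words) >= 3 and words[0] == "install" and words[1] == module:
            install = True
        elif len(words) == 2 and words[0] == "blacklist" and words[1] == module:
            blacklist = True
    return install, blacklist


def udev_ignores_usb_storage(rules_text):
    """True if an active rule matches DRIVER=="usb-storage" and sets ignore_device."""
    for line in rules_text.splitlines():
        line = line.strip()
        if line.startswith("#"):
            continue
        if 'DRIVER=="usb-storage"' in line and "ignore_device" in line:
            return True
    return False


def polkit_mount_setting(privs_text):
    """(easy, standard, restrictive) for the mount action, or None if absent.
    A single value applies to all three profiles; the last line wins."""
    setting = None
    for line in privs_text.splitlines():
        words = line.split()
        if len(words) < 2 or words[0].startswith("#"):
            continue
        if words[0] == MOUNT_ACTION:
            parts = words[1].split(":")
            setting = tuple(parts) if len(parts) == 3 else (words[1],) * 3
    return setting


def polkit_requires_admin(setting):
    """True only if every profile demands administrator authentication."""
    return setting is not None and all(v.startswith("auth_admin") for v in setting)


def fstab_user_mountable(fstab_text):
    """Mount points an unprivileged user may mount (user/users/owner option)."""
    found = []
    for line in fstab_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].startswith("#"):
            continue
        if set(fields[3].split(",")) & {"user", "users", "owner"}:
            found.append(fields[1])
    return found


def audit(modprobe_conf, udev_rules, polkit_privs, fstab):
    """One entry per layer; True means the layer is in place."""
    install, blacklist = modprobe_blocks(modprobe_conf)
    return {
        "modprobe_install_override": install,
        "modprobe_blacklist_only": blacklist and not install,
        "udev_ignore_device": udev_ignores_usb_storage(udev_rules),
        "polkit_admin_auth": polkit_requires_admin(polkit_mount_setting(polkit_privs)),
        "fstab_user_mountable": fstab_user_mountable(fstab),
    }


# Constructed sample files mirroring the manual's snippets; the second
# fstab line is a deliberate hole (the user option lets anyone mount it).
MODPROBE_CONF = "install usb_storage /usr/bin/true\n"
UDEV_RULES = '# Disable USB storage\nDRIVER=="usb-storage", OPTIONS+="ignore_device last_rule"\n'
POLKIT_PRIVS = MOUNT_ACTION + " auth_admin_keep_always\n"
FSTAB = ("/dev/dvd /media/dvd auto noauto,defaults 0 0\n"
         "/dev/sdb1 /media/usb vfat noauto,user 0 0\n")

if __name__ == "__main__":
    for layer, state in audit(MODPROBE_CONF, UDEV_RULES, POLKIT_PRIVS, FSTAB).items():
        print("%-28s %s" % (layer, state))
```

The fstab check is the one most often overlooked: a leftover entry with the user option hands mounting back to everyone regardless of the PolicyKit setting, because mount(8) consults fstab directly.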
Objective 2 Define Mandatory Settings with GConf and Desktop Profiles
It is sometimes desirable from the desktop administrators point of view to limit what
users can configure or change on their desktops. Reasons for this could be corporate
policies or an effort to reduce help desk calls because of misconfiguration caused by
users.
Even greater restraints are frequently imposed on desktops used in public places like
trade shows.
As covered in Customize the GNOME User Interface on page 24, GConf is used to
store user-defined preferences or to set system-wide defaults. It can also be used by
the administrator to set preferences that cannot be changed by the user.
gconf-editor
To set or change mandatory settings, you must be logged in as root when you use
gconf-editor. The steps you take depend on what you need to do:
Set Preferences as Mandatory for the First Time on page 43
Change Existing Mandatory Preferences on page 44
Set Preferences as Mandatory for the First Time
As root user, start gconf-editor. The left part of the window lists the available keys.
Figure 2-3 GConf Configuration Editor
Browse the tree to the key you want to set as mandatory and set it to the desired
value. Then select the entry with the right mouse button; in the submenu, select Set as
Mandatory.
If you then try to change the entry again, an error message tells you that this is
not possible.
Change Existing Mandatory Preferences
As root user, start gconf-editor; then select File > New Mandatory Window. The left
part of the window lists those mandatory settings that have already been set in the
/etc/gconf/gconf.xml.mandatory/ repository tree. You can change them as explained
in Change Defaults Using gconf-editor on page 27.
To remove a key from the mandatory preferences, right-click the entry and select
Unset Key.
Values that have not been set to a mandatory value previously do not show up in the
repository tree on the left of this gconf-editor dialog.
Figure 2-4 Key is Not Writable
gconftool-2
You can also use the gconftool-2 command line tool to set preferences to a mandatory
value. (When you use gconftool-2, gconf-editor can be helpful to browse the
configuration repository tree to find the correct key and its path.)
Lets assume that the security policy of the company requires the screens of desktops
to be locked after 5 minutes of inactivity. As administrator, it is your task to configure
the workstations accordingly and to make sure this policy is followed by all users.
Using gconf-editor as a normal user, you browse the repository tree and find out that
the keys for this purpose are /apps/gnome-screensaver/lock_enabled and
/apps/gnome-screensaver/idle_delay (the latter in minutes). To set these to
mandatory values, log in as root and use the following commands (each gconftool-2
command on one line):
da10:~ # killall gconfd-2
da10:~ # gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --set --type bool /apps/gnome-screensaver/lock_enabled true
Resolved address "xml:readwrite:/etc/gconf/gconf.xml.mandatory" to a writable configuration source at position 0
da10:~ # gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --set --type int /apps/gnome-screensaver/idle_delay 5
Resolved address "xml:readwrite:/etc/gconf/gconf.xml.mandatory" to a writable configuration source at position 0
The next time a user logs in and tries to change the respective screensaver settings in
the GNOME Control Center, the user will not be able to change these values.
NOTE: Not all key-value pairs that can be set seem to have the desired effect. For example, setting
the /apps/firefox/general/homepage_url key to a certain value does not seem to have any effect
on the default home page of the Firefox browser. Other such key-value pairs might not
behave as expected either. Therefore, you should test your settings to make sure they have the
desired effect and cannot be changed by the user before you rely on your settings.
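As an added example (not from the manual), the following Python script generates the gconftool-2 commands for a mandatory policy like the one above and audits a mandatory source tree, so you can verify on each workstation that the keys are present with the required values before relying on them, as the note recommends. It assumes the GConf XML backend layout (one %gconf.xml per directory holding <entry> elements) and builds a constructed sample tree for offline use.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Mandatory policy from the scenario above: key -> (GConf type, value).
POLICY = {
    "/apps/gnome-screensaver/lock_enabled": ("bool", "true"),
    "/apps/gnome-screensaver/idle_delay": ("int", "5"),
}
MANDATORY_SOURCE = "xml:readwrite:/etc/gconf/gconf.xml.mandatory"

def gconftool_commands(policy, source=MANDATORY_SOURCE):
    """gconftool-2 argument lists, one per key, in the form used above."""
    return [["gconftool-2", "--direct", "--config-source", source,
             "--set", "--type", gtype, key, value]
            for key, (gtype, value) in sorted(policy.items())]

def read_mandatory_tree(root):
    """Read a GConf XML backend tree into {key: (type, value)}.  Assumed layout:
    each directory holds a %gconf.xml whose <entry> elements carry name/type/value
    attributes (string values sit in a <stringvalue> child instead)."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        if "%gconf.xml" not in files:
            continue
        rel = os.path.relpath(dirpath, root)
        prefix = "" if rel == "." else "/" + rel.replace(os.sep, "/")
        for entry in ET.parse(os.path.join(dirpath, "%gconf.xml")).getroot().findall("entry"):
            value = entry.get("value")
            if value is None:
                sv = entry.find("stringvalue")
                value = sv.text if sv is not None else None
            found[prefix + "/" + entry.get("name")] = (entry.get("type"), value)
    return found

def audit(root, policy):
    """Violations: keys missing from the mandatory tree or set to another
    type/value than the policy requires.  An empty list means compliant."""
    actual = read_mandatory_tree(root)
    return ["missing: %s" % k if k not in actual
            else "mismatch: %s is %r, expected %r" % (k, actual[k], v)
            for k, v in sorted(policy.items()) if actual.get(k) != v]

def make_sample_tree(entries):
    """Write a constructed mandatory tree to a temp dir (offline test data only)."""
    root = tempfile.mkdtemp(prefix="gconf-mandatory-")
    by_dir = {}
    for key, (gtype, value) in entries.items():
        d, name = key.rsplit("/", 1)
        by_dir.setdefault(d, []).append((name, gtype, value))
    for d, items in by_dir.items():
        path = os.path.join(root, d.lstrip("/"))
        os.makedirs(path, exist_ok=True)
        gconf = ET.Element("gconf")
        for name, gtype, value in items:
            ET.SubElement(gconf, "entry", name=name, mtime="0", type=gtype, value=value)
        ET.ElementTree(gconf).write(os.path.join(path, "%gconf.xml"), encoding="UTF-8")
    return root
```

Run audit() against /etc/gconf/gconf.xml.mandatory on a workstation; a non-empty result means the policy was not deployed as intended.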
Exercise 2-2 Set Mandatory Values for Preferences
In this exercise, you use the Desktop Profile Editor and gconftool-2 to manage
mandatory preferences.
In task I, you use gconf-editor to disable access to the command line on the GNOME
desktop.
In task II, you use gconftool-2 to undo the setting you made in task I, because you
will need the command line later in this course.
In task III, you undo the settings you made in the previous exercise to allow mounting
CDs/DVDs. Use gconf-editor for this.
You will find this exercise in the workbook.
(End of Exercise)
Objective 3 Use PolicyKit to Configure Application Policies
Using PolicyKit, an application can be started with the permissions of the user and be
granted root permission only for specific privileged operations later. You can thus allow
users to execute system management tasks without making them root.
To use PolicyKit, you should know the following:
Understand the PolicyKit Architecture on page 47
Use the Authorization Dialog on page 48
Manage Authorizations at the Command Line on page 52
NOTE: The documentation of PolicyKit is available on the freedesktop.org Web site
(http://hal.freedesktop.org/docs/PolicyKit).
Understand the PolicyKit Architecture
PolicyKit assumes that a program has two parts:
Mechanism. Runs privileged (with no user interface elements).
Policy Agent. Runs unprivileged.
The two parts of the program are in different processes and communicate through
some IPC mechanism such as pipes or the system message bus (D-Bus). In some
instances the Mechanism can be seen as part of the OS and the policy agent as part of
the desktop stack.
The Mechanism should never trust any application that tries to use it. First the
Mechanism has to evaluate all data and requests passed to it from the application.
Examples where this model is used are HAL and NetworkManager:
Figure 2-5 HAL and NetworkManager
The entities that a Mechanism cares about can be split into three groups:
Subject. The entity requesting the Action (e.g., an unprivileged application).
Object. Some canonical representation of the object (e.g., a device file, a network
connection, a reference to the power management subsystem).
Action. What the subject is attempting to do to the object (e.g., mounting a block
device, establishing a dial-up connection, putting the system into a suspended
state, changing the time zone, gaining access to a webcam).
The Mechanism identifies the subject, using ConsoleKit, and collects all the relevant
information about the subject. This information includes:
User ID
Process ID
An identifier for the desktop session and whether the session is active (e.g.,
currently showing on a display), whether it's local and if it's remote, the address
of the remote display
Optional OS-specific attributes (such as the SELinux security context)
Second, the Mechanism creates an object that represents the action that the subject
wants to be executed. One example of such an object is
org.freedesktop.hal.storage.mount-removable, which represents the action of
mounting a removable device.
Based on this information, the authorization database decides whether the
action is executed, executed only after an additional authentication, or not
executed.
Use the Authorization Dialog
A graphical tool is available in GNOME to manage your authorizations. You can start
it by selecting More Applications > Tools > Authorizations or by entering
polkit-gnome-authorization at a terminal.
Figure 2-6 The Authorization Dialog
In the left frame you see a tree structure where all possible actions are listed and
grouped. The right frame has three parts:
Action. Identifier, Description, and Vendor of the software module are shown
here.
Implicit Authorizations. Shows the authorizations that apply to all users that
fulfill certain criteria (they are on a local console, for example). Implicit
Authorizations are stored in /var/lib/PolicyKit-public/.
Explicit Authorizations. Shows the authorizations that are set for single users.
Explicit Authorizations are stored in /var/lib/PolicyKit/. (You can define explicit
authorizations only for users that have an account on the system.)
In the Authorizations dialog, you can configure two kinds of authorization:
Implicit Authorization on page 50
Explicit Authorization on page 51
Implicit Authorization
PolicyKit recognizes three basic types of users:
Anyone. All users.
Console. All users that are logged in to a console (active and inactive sessions).
Active Console. All users that are logged in to an active console (e.g., currently
showing on a display).
NOTE: The ConsoleKit daemon determines whether a session is active or inactive, or local or not.
ConsoleKit is a framework for defining and tracking users, login sessions, and seats. For more
information see the freedesktop.org wiki (http://www.freedesktop.org/wiki/Software/ConsoleKit).
If you want to change the implicit authorizations, select Edit and another dialog
appears.
Figure 2-7 Edit Implicit Authorizations
Each menu has the following options:
No. Access denied.
Admin Authentication (one shot). Access denied, but authentication of the
caller as an administrative user will grant access to only that caller and only once.
The authorization will be revoked.
Admin Authentication. Access denied, but authentication of the caller as an
administrative user will grant access to only that caller.
Admin Authentication (keep session). Access denied, but authentication of the
caller as administrative user will grant access to any caller in the session the
caller belongs to.
Admin Authentication (keep indefinitely). Access denied, but authentication
of the caller as administrative user will grant access to any caller with the given
UID in the future.
Authentication (one shot). Access denied, but authentication of the caller as
himself will grant access to only that caller and only once. The authorization will
be revoked.
Authentication. Access denied, but authentication of the caller as himself will
grant access to only that caller.
Authentication (keep session). Access denied, but authentication of the caller as
himself will grant access to any caller in the session the caller belongs to.
Authentication (keep indefinitely). Access denied, but authentication of the
caller as himself will grant access to any caller with the given UID in the future.
Yes. Access granted.
Explicit Authorization
In this part, you can authorize or prevent the execution of a task by system users. Use
the Grant button to specify the users that are allowed to execute the task. Block
allows you to specify the users that are not allowed to execute the task.
The dialog that appears is the same for Grant and Block, so the following shows how
to authorize users.
Figure 2-8 Edit (Grant) Explicit Authorization
In the Beneficiary part, you can select a user that will receive the authorization. Select
Show system users to display system users (like root and bin) in the pull-down
menu.
In the lower part of the dialog, you can determine constraints:
None.
Must be in active session.
Must be on local console.
Must be in active session on local console.
Select Grant to activate the authorization.
Once you have created at least one grant or block rule, the Revoke button becomes
active in the Authorizations dialog (see Figure 2-6 on page 49) and you can remove
the selected rule.
The Show authorizations from all users option shows the list of the given explicit
authorizations. If you are running the authorization tool as a normal user, you have to
authenticate as root before they are shown.
Manage Authorizations at the Command Line
The configuration of PolicyKit and the defined permissions are included in the /etc/PolicyKit/PolicyKit.conf file. This is an XML file.
NOTE: The man page of PolicyKit.conf can be viewed by entering man 5 PolicyKit.conf.
You can edit the file directly using a text editor. You can also use some command line
tools to edit PolicyKit.conf. The most important are
polkit-action. Lists and modifies registered PolicyKit actions.
polkit-auth. Manages the authorizations.
polkit-config-file-validate. Validates the PolicyKit.conf file.
polkit-policy-file-validate. Validates a PolicyKit policy file.
set_polkit_default_privs. Installs default settings for privileges that
are granted automatically to locally logged-in users.
polkit-action
polkit-action is used to list and modify the PolicyKit actions that are registered
on the system. To list the registered PolicyKit actions, use polkit-action without
any parameter:
da10:~ # polkit-action
org.gnome.clockapplet.mechanism.settimezone
org.gnome.clockapplet.mechanism.settime
org.gnome.clockapplet.mechanism.configurehwclock
org.freedesktop.hal.lock
org.opensuse.yast.scr.read
org.opensuse.yast.scr.write
org.opensuse.yast.scr.execute
org.opensuse.yast.scr.dir
...
The most important options of polkit-action are
--reset-defaults action. Reset the defaults for the specified action to
the factory defaults. The authorization needed to do this is
org.freedesktop.policykit.modify-defaults.
--show-overrides. Prints all actions for which the defaults are overridden.
--set-defaults-any action value. Override the any stanza for the
given action with the supplied value. The authorization needed to do this is
org.freedesktop.policykit.modify-defaults.
--set-defaults-inactive action value. Override the inactive stanza
for the given action with the supplied value. The authorization needed to
do this is org.freedesktop.policykit.modify-defaults.
--set-defaults-active action value. Override the active stanza
for the given action with the supplied value. The authorization needed to do this
is org.freedesktop.policykit.modify-defaults.
Valid values for value of the three --set-defaults-* parameters are
no
auth_admin_one_shot
auth_admin
auth_admin_keep_session
auth_admin_keep_always
auth_self_one_shot
auth_self
auth_self_keep_session
auth_self_keep_always
yes
The meaning of these values is described in Implicit Authorization on page 50.
The authorization needed to use the three --set-defaults-* parameters is
org.freedesktop.policykit.modify-defaults.
polkit-auth
polkit-auth is used to inspect, obtain, grant and revoke explicit PolicyKit
authorizations. If invoked without any options, the authorizations of the calling
process will be printed.
With the --show-obtainable option, all actions that can be obtained via
authentication and for which an authorization does not yet exist are listed.
da10:~ # polkit-auth --show-obtainable
org.gnome.clockapplet.mechanism.settimezone
org.gnome.clockapplet.mechanism.settime
org.gnome.clockapplet.mechanism.configurehwclock
org.freedesktop.hal.lock
org.freedesktop.hal.dockstation.undock
org.gnome.gconf.defaults.set-system
org.gnome.gconf.defaults.set-mandatory
...
To authorize a user to perform an action, use the --user user --grant action
option. For example (all in one line):
da10:~ # polkit-auth --user geeko --grant org.gnome.clockapplet.mechanism.settime
To prevent a user from executing an action, use --block action. For example
(all in one line):
da10:~ # polkit-auth --user geeko --block org.gnome.clockapplet.mechanism.settime
To revoke all authorizations for an action, use --revoke action. For example
(all in one line):
da10:~ # polkit-auth --user geeko --revoke org.gnome.clockapplet.mechanism.settime
Adding --user user to --grant, --block, or --revoke means that the
authorization is explicit for the specified user. Without --user, the options
--grant, --block, and --revoke are valid for all system users.
Another option that allows you to specify a user is --explicit, which shows all
explicit authorizations:
da10:~ # polkit-auth --user geeko --explicit
org.gnome.clockapplet.mechanism.settime
To get more detailed information, use the --explicit-detail option:
da10:~ # polkit-auth --user geeko --explicit-detail
org.gnome.clockapplet.mechanism.settime
  Authorized: No
  Scope: Indefinitely
  Obtained: Thu Feb 5 10:25:37 2009 from root (uid 0)
You can also add constraints to --grant and --block. To do so, add the
--constraint constraint option. The most important values for constraint are:
--constraint local. The caller must be in a session on a local console
attached to the system.
--constraint active. The caller must be in an active session.
Typically the active constraint is used together with the local constraint to ensure that the
caller is only authorized if his session is in the foreground. This is typically used for
fast user switching (multiple sessions on the same console) to prevent inactive
sessions from performing privileged operations like spying (using a webcam or a
sound card) on the currently active session.
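As an added example (not from the manual), the following Python helper builds polkit-auth command lines for a list of explicit grants and blocks and refuses any grant for an action you mark as foreground-only unless it carries both the local and the active constraint; it also parses the --explicit-detail output shown earlier so deployed authorizations can be checked afterwards. It assumes that --constraint may be given once per constraint and that --explicit-detail output keeps the form of an action line followed by indented Key: value lines.

```python
import shlex

VALID_CONSTRAINTS = {"local", "active"}

def polkit_auth_argv(user, action, mode="grant", constraints=()):
    """Argument list for one explicit authorization, in the form shown above.
    mode is 'grant', 'block' or 'revoke'.  Assumed: --constraint is repeatable."""
    if mode not in ("grant", "block", "revoke"):
        raise ValueError("mode must be grant, block or revoke, not %r" % mode)
    unknown = set(constraints) - VALID_CONSTRAINTS
    if unknown:
        raise ValueError("unknown constraint(s): %s" % ", ".join(sorted(unknown)))
    if mode == "revoke" and constraints:
        raise ValueError("--constraint is only valid with --grant and --block")
    argv = ["polkit-auth", "--user", user, "--" + mode, action]
    for c in sorted(constraints):
        argv += ["--constraint", c]
    return argv

def violations(entries, foreground_only):
    """A grant for an action in foreground_only must carry both local and
    active, so a fast-user-switched, inactive session is never authorized."""
    problems = []
    for user, action, mode, constraints in entries:
        if mode == "grant" and action in foreground_only \
                and not VALID_CONSTRAINTS <= set(constraints):
            problems.append("%s on %s needs --constraint local and active" % (user, action))
    return problems

def plan(entries, foreground_only=frozenset()):
    """Shell command lines for a deployment; refuses unsafe grants outright."""
    bad = violations(entries, foreground_only)
    if bad:
        raise ValueError("; ".join(bad))
    return [" ".join(shlex.quote(a) for a in polkit_auth_argv(u, act, m, set(c)))
            for u, act, m, c in entries]

def parse_explicit_detail(text):
    """Parse polkit-auth --explicit-detail output (an action line followed by
    indented 'Key: value' lines, as shown above) into one dict per record."""
    records, current = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] not in " \t":
            current = {"action": line.strip()}
            records.append(current)
        elif current is not None and ":" in line:
            key, value = line.strip().split(":", 1)
            current[key.strip().lower()] = value.strip()
    return records

# Constructed sample in the format shown above (same record as the manual's).
SAMPLE_DETAIL = """\
org.gnome.clockapplet.mechanism.settime
  Authorized: No
  Scope: Indefinitely
  Obtained: Thu Feb 5 10:25:37 2009 from root (uid 0)
"""
```

Entries are (user, action, mode, constraints) tuples; any action name you pass as foreground-only that is not on the system is your own placeholder.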
polkit-config-file-validate
polkit-config-file-validate is used to verify that a given PolicyKit
configuration file is valid. If no path to a config file is given, the default /etc/PolicyKit/PolicyKit.conf file will be verified.
The typical role of this tool is to verify a configuration file before deploying it on one
or more machines.
polkit-policy-file-validate
polkit-policy-file-validate is used to verify that one or more PolicyKit .policy
files are valid.
Normally this tool is used in the software release process and during software
installation.
set_polkit_default_privs
The set_polkit_default_privs program installs default settings for
privileges that are granted automatically to locally logged-in users by PolicyKit.
The default settings are stored in the following files:
/etc/polkit-default-privs.local
/etc/polkit-default-privs.standard
/etc/polkit-default-privs.restrictive
In the /etc/sysconfig/security file, you can specify whether you want to
use the standard or the restrictive default settings. To do so, set the
POLKIT_DEFAULT_PRIV variable to standard or restrictive.
The file polkit-default-privs.local is applied in all cases.
Th