Novell Open Enterprise Server Planning and Implementation Guide

Novell®
Open Enterprise Server
novdocx (en) 22 June 2009
AUTHORIZED DOCUMENTATION
2 SP2
November 10, 2009
www.novell.com

OES 2 SP2: Planning and Implementation Guide

Legal Notices
Novell, Inc. makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.
Further, Novell, Inc. makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.
Any products or technical information provided under this Agreement may be subject to U.S. export controls and the trade laws of other countries. You agree to comply with all export control regulations and to obtain any required licenses or classification to export, re-export or import deliverables. You agree not to export or re-export to entities on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses. See the Novell International Trade Services Web page (http://www.novell.com/info/exports/) for more information on exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export approvals.
Copyright © 2009 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.
Novell, Inc. has intellectual property rights relating to technology embodied in the product that is described in this document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S. patents listed on the Novell Legal Patents Web page (http://www.novell.com/company/legal/patents/) and one or more additional patents or pending patent applications in the U.S. and in other countries.
Novell, Inc. 404 Wyman Street, Suite 500 Waltham, MA 02451 U.S.A. www.novell.com
Online Documentation: To access the latest online documentation for this and other Novell products, see the Novell Documentation Web page (http://www.novell.com/documentation).
Novell Trademarks
For Novell trademarks, see the Novell Trademark and Service Mark list (http://www.novell.com/company/legal/trademarks/tmlist.html).
Third-Party Materials
All third-party trademarks are the property of their respective owners.
Contents
About This Guide
1 What’s New or Changed
1.1 Where’s NetWare?
1.1.1 NetWare References in This Guide and Elsewhere
1.1.2 NetWare Documentation
1.2 Links to What's New Sections
1.3 New or Changed in OES 2 SP2
1.3.1 Auditing
1.3.2 Base Platform Is SLES 10 SP3
1.3.3 CIFS DFS Support
1.3.4 Create EVMS Proposal Option
1.3.5 Cross-Protocol File Locking Change
1.3.6 Domain Services for Windows Installation
1.3.7 Performance Increases
1.3.8 PureFTP
1.3.9 Upgrading Online
1.4 New in OES 2 SP1
1.4.1 YaST Install Changes
1.4.2 Novell AFP
1.4.3 Novell CIFS
1.4.4 Novell Domain Services for Windows
1.4.5 Migration Tool
1.5 New in OES 2 (Initial Release)
1.5.1 Dynamic Storage Technology
1.5.2 OES 2 Migration Tools
1.5.3 Xen Virtualization Technology
2 Welcome to Open Enterprise Server 2
3 Planning Your OES 2 Implementation
3.1 What Services Are Included in OES 2?
3.2 Which Services Do I Need?
3.3 Exploring OES 2 services
3.4 Plan for eDirectory
3.5 Prepare Your Existing eDirectory Tree for OES 2
3.6 Identify a Purpose for Each Server
3.7 Understand Server Requirements
3.8 Understand User Restrictions and Linux User Management
3.9 Caveats to Consider Before You Install
3.9.1 Adding a Linux Node to a Cluster Ends Adding More NetWare Nodes
3.9.2 AFP File Locking Requires Samba
3.9.3 Always Double-Check Service Configurations Before Installing
3.9.4 Back Button Doesn’t Reset Configuration Settings
3.9.5 Cluster Upgrades Must Be Planned Before Installing OES 2
3.9.6 Do Not Create Local (POSIX) Users
3.9.7 Do Not Upgrade to eDirectory 8.8 Separately
3.9.8 Follow the Instructions for Your Chosen Platforms
3.9.9 If You’ve Ever Had OES 1 Linux Servers with LUM and NSS Installed
3.9.10 iFolder 3.8 Considerations
3.9.11 Incompatible TLS Configurations Give No Warning
3.9.12 Installing into an Existing eDirectory Tree
3.9.13 NetWare Caveats
3.9.14 Novell Distributed Print Services Cannot Migrate to Linux
3.9.15 NSS Caveats
3.9.16 Plan eDirectory Before You Install
3.9.17 Samba Enabling Disables SSH Access
3.9.18 Unsupported Service Combinations
3.9.19 VNC Install Fails to Set the IP Address in /etc/hosts
3.10 Consider Coexistence and Migration Issues
3.11 Understand Your Installation Options
3.11.1 OES 2 Installation Overview
3.11.2 About Your Installation Options
3.11.3 Use Predefined Server Types (Patterns) When Possible
3.11.4 If You Want to Install in a Lab First
3.11.5 If You Want to Install NSS on a Single-Drive Linux Server
4 Getting and Preparing OES 2 Software
4.1 Do You Have Upgrade Protection?
4.2 Do You Want 32-Bit or 64-Bit OES?
4.3 Do You Want to Purchase OES 2 or Evaluate It?
4.4 Evaluating OES 2 Software
4.4.1 Understanding OES 2 Software Evaluation Basics
4.4.2 Downloading OES 2 SP2 Software from the Novell Web Site
4.4.3 Preparing the Installation Media
4.4.4 Installing OES 2 for Evaluation Purposes
4.4.5 Evaluating OES 2
4.4.6 Installing Purchased Activation Codes after the Evaluation Period Expires
4.5 Licensing
4.5.1 The OES 2 Licensing Model
4.5.2 SLES Licensing Entitlements in OES 2
4.5.3 OES 2 Doesn’t Support NLS
5 Installing OES 2
5.1 Installing OES 2
5.1.1 What's Next
5.2 Installing OES 2 Servers in a Xen VM
6 Caveats for Implementing OES 2 Services
6.1 AFP
6.1.1 Anti-Virus Solutions and AFP
6.2 Avoiding POSIX and eDirectory Duplications
6.2.1 The Problem
6.2.2 Three Examples
6.2.3 Avoiding Duplication
6.3 CIFS
6.3.1 Changing the Server IP Address
6.4 ConsoleOne Can Cause JClient Errors
6.5 CUPS on OES 2
6.6 eDirectory
6.6.1 Avoid Uninstalling eDirectory
6.6.2 Avoid Renaming Trees and Containers
6.6.3 Default Static Cache Limit Might Be Inadequate
6.6.4 eDirectory Fails to Start Automatically After a Command Prompt Install
6.6.5 One Instance Only
6.6.6 Special Characters in Usernames and Passwords
6.7 iFolder 3.8
6.8 iPrint
6.8.1 Cluster Failover Between Mixed Platforms Not Supported
6.8.2 Printer Driver Uploading on OES 2 Might Require a CUPS Administrator Credential
6.8.3 Printer Driver Uploading Support
6.8.4 iManager Plug-Ins Are Platform-Specific
6.8.5 iPrint Client for Linux Doesn't Install Automatically
6.8.6 iPrint Disables CUPS Printing on the OES 2 Server
6.9 LDAP—Preventing “Bad XML” Errors
6.10 Management
6.10.1 iManager RBS Configuration with OES 2
6.10.2 Storage Error in iManager When Accessing a Virtual Server
6.10.3 Truncated DOS-Compatible Short Filenames Are Not Supported at a Terminal Prompt
6.11 NCP Doesn’t Equal NSS File Attribute Support
6.12 Novell-tomcat Is for OES Use Only
6.13 NSS (OES 2)
6.13.1 Understanding Name Space Support
6.13.2 The Role of EVMS
6.14 OpenLDAP on OES 2
6.15 Samba
6.16 Virtualization Issues
6.16.1 Always Close Virtual Machine Manager When Not in Use
6.16.2 Always Use Timesync Rather Than NTP
6.16.3 Backing Up a Xen Virtual Machine
6.16.4 Time Synchronization and Virtualized OES 2
6.16.5 NSS Considerations
7 Upgrading to OES 2
7.1 Caveats to Consider Before Upgrading
7.1.1 About Previously Installed Packages (RPMs)
7.1.2 iManager 2.5 Replaced by iManager 2.7 on NetWare
7.1.3 OES 1 Linux to OES 2 Service Differences
7.1.4 Only One eDirectory Instance Is Supported on OES Servers
7.2 OES 2 SP2 Upgrade Paths
7.3 NetWare 6.5 SP8 Upgrade Paths
8 Migrating and Consolidating Existing Servers and Data
8.1 Supported OES 2 SP2 Migration Paths
8.2 Migration Tools and Purposes
8.2.1 OES 2 SP2 Migration Tool
8.2.2 Migrate Windows Shares Utility
9 Virtualization in OES 2
9.1 Graphical Overview of Virtualization in OES 2
9.2 Why Install OES Services on Your VM Host?
9.3 Services Supported on VM Hosts and Guests
10 Clustering and High Availability
11 Managing OES 2
11.1 Overview of Management Interfaces and Services
11.2 Using OES 2 Welcome Pages
11.2.1 The Welcome Site Requires JavaScript, Apache, and Tomcat
11.2.2 Accessing the Welcome Web Site
11.2.3 The Welcome Web Site Is Available to All Users
11.2.4 Administrative Access from the Welcome Web Site
11.3 OES Utilities and Tools
11.4 SSH Services on OES 2
11.4.1 Overview
11.4.2 Setting Up SSH Access for LUM-enabled eDirectory Users
12 Network Services
12.1 TCP/IP
12.1.1 Coexistence and Migration Issues
12.2 DNS and DHCP
12.2.1 DNS Differences Between NetWare and OES 2
12.2.2 DHCP Differences Between NetWare and OES 2
12.3 Time Services
12.3.1 Overview of Time Synchronization
12.3.2 Planning for Time Synchronization
12.3.3 Coexistence and Migration of Time Synchronization Services
12.3.4 Implementing Time Synchronization
12.3.5 Configuring and Administering Time Synchronization
12.3.6 Daylight Saving Time
12.4 Discovery Services
12.4.1 Novell SLP and OpenSLP
12.4.2 WinSock and Discovery Is NetWare only
12.4.3 UDDI and Discovery
12.4.4 CIMOM and Discovery
12.5 SLP
12.5.1 Why SLP Is Needed
12.5.2 Comparing Novell SLP and OpenSLP
12.5.3 Setting Up OpenSLP on OES 2 Networks
12.5.4 Using Novell SLP on OES 2 Networks
13 Storage and File Systems
13.1 Overview of OES 2 Storage
13.1.1 Databases
13.1.2 iSCSI
13.1.3 File System Support in OES
13.1.4 Storage Basics by Platform
13.1.5 Storage Options
13.1.6 NetWare Core Protocol Support (Novell Client Support) on Linux
13.2 Planning OES File Storage
13.2.1 Directory Structures
13.2.2 File Service Support Considerations
13.2.3 General Requirements for Data Storage
13.2.4 OES 2 Storage Planning Considerations
13.2.5 NSS Planning Considerations
13.3 Coexistence and Migration of Storage Services
13.3.1 MySQL
13.3.2 OES 2 Options
13.3.3 NetWare 6.5 SP8 Options
13.4 Configuring and Maintaining Storage
13.4.1 Managing Directories and Files
13.4.2 Managing NSS
13.4.3 Optimizing Storage Performance
14 eDirectory, LDAP, and Domain Services for Windows
14.1 Overview of Directory Services
14.2 eDirectory
14.2.1 Installing and Managing eDirectory on OES
14.2.2 Planning Your eDirectory Tree
14.2.3 eDirectory Coexistence and Migration
14.3 LDAP (eDirectory)
14.3.1 Overview of eDirectory LDAP Services
14.3.2 Planning eDirectory LDAP Services
14.3.3 Migration of eDirectory LDAP Services
14.3.4 eDirectory LDAP Implementation Suggestions
14.4 Domain Services for Windows
14.4.1 Graphical Overview of DSfW
14.4.2 Planning Your DSfW Implementation
14.4.3 Implementing DSfW on Your Network
15 Users and Groups
15.1 Creating Users and Groups
15.2 Linux User Management: Access to Linux for eDirectory Users
15.2.1 Overview
15.2.2 Planning
15.2.3 LUM Implementation Suggestions
15.3 Identity Management Services
15.4 Using the Identity Manager 3.6.1 Bundle Edition
15.4.1 What Am I Entitled to Use?
15.4.2 System Requirements
15.4.3 Installation Considerations
15.4.4 Getting Started
15.4.5 Activating the Bundle Edition
16 Access Control and Authentication
16.1 Controlling Access to Services
16.1.1 Overview of Access Control
16.1.2 Planning for Service Access
16.1.3 Coexistence and Migration of Access Services
16.1.4 Access Implementation Suggestions
16.1.5 Configuring and Administering Access to Services
16.2 Authentication Services
16.2.1 Overview of Authentication Services
16.2.2 Planning for Authentication
16.2.3 Authentication Coexistence and Migration
16.2.4 Configuring and Administering Authentication
17 File Services
17.1 Overview of File Services
17.1.1 Using the File Services Overviews
17.1.2 FTP Services
17.1.3 NetWare Core Protocol
17.1.4 NetStorage
17.1.5 Novell AFP
17.1.6 Novell CIFS
17.1.7 Novell iFolder 3.8
17.1.8 Novell Samba
17.2 Planning for File Services
17.2.1 Deciding Which Components Match Your Needs
17.2.2 Comparing Your CIFS File Service Options
17.2.3 Planning Your File Services
17.3 Coexistence and Migration of File Services
17.3.1 Novell Client (NCP)
17.3.2 NetStorage
17.3.3 Novell AFP
17.3.4 Novell CIFS
17.3.5 Novell iFolder 3.8
17.3.6 Samba
17.4 Aligning NCP and POSIX File Access Rights
17.4.1 Managing Access Rights
17.4.2 Providing a Private Work Directory
17.4.3 Providing a Group Work Area
17.4.4 Providing a Public Work Area
17.4.5 Setting Up Rights Inheritance
17.5 PureFTP Remote Access Implementation
17.5.1 Configuring FTP
17.5.2 Path Formats
17.5.3 SITE Command
17.6 NCP Implementation and Maintenance
17.6.1 The Default NCP Volume
17.6.2 Creating NCP Home and Data Volume Pointers
17.6.3 Assigning File Trustee Rights
17.6.4 NCP Caveats
17.6.5 NCP Maintenance
17.7 NetStorage Implementation and Maintenance
17.7.1 About Automatic Access and Storage Locations
17.7.2 About SSH Storage Locations
17.7.3 Assigning User and Group Access Rights
17.7.4 Authenticating to Access Other Target Systems
17.7.5 NetStorage Authentication Is Not Persistent by Default
17.7.6 NetStorage Maintenance
17.8 Novell AFP Implementation and Maintenance
17.8.1 Implementing Novell AFP File Services
17.8.2 Maintaining Novell AFP File Services
17.9 Novell CIFS Implementation and Maintenance
17.9.1 Implementing Novell CIFS File Services
17.9.2 Maintaining Novell CIFS File Services
17.10 Novell iFolder 3.8 Implementation and Maintenance
17.10.1 Managing Novell iFolder 3.8
17.10.2 Configuring Novell iFolder 3.8 Servers
17.10.3 Creating and Enabling Novell iFolder 3.8 Users
17.10.4 Novell iFolder 3.8 Maintenance
17.11 Samba Implementation and Maintenance
17.11.1 Implementing Samba File Services
17.11.2 Maintaining Samba File Services
18 Search Engine (QuickFinder)
19 Print Services
19.1 Overview of Print Services
19.1.1 Using This Overview
19.1.2 iPrint Components
19.1.3 iPrint Functionality
19.2 Planning for Print Services
19.3 Coexistence and Migration of Print Services
19.4 Print Services Implementation Suggestions
19.4.1 Initial Setup
19.4.2 Implementation Caveats
19.4.3 Other Implementation Tasks
19.5 Print Services Maintenance Suggestions
20 Web Services
21 Security
21.1 Overview of OES Security Services
21.1.1 Application Security (AppArmor)
21.1.2 Auditing
21.1.3 Encryption (NICI)
21.1.4 General Security Issues
21.2 Planning for Security
21.2.1 Comparing the Linux and the Novell Trustee File Security Models
21.2.2 User Restrictions: Some OES 2 Limitations
21.3 Configuring and Administering Security
21.4 Links to Product Security Considerations
21.5 Links to Anti-Virus Partners
22 Certificate Management
22.1 Overview
22.1.1 SLES Default Certificates
22.1.2 OES 2 Certificate Management
22.1.3 Multiple Trees Sharing a Common Root
22.2 Setting Up Certificate Management
22.2.1 Setting Up Automatic Certificate Maintenance
22.2.2 Eliminating Browser Certificate Errors
22.3 If You Don’t Want to Use eDirectory Certificates
A Adding Services to OES 2 Servers
B Changing an OES 2 Server’s IP Address
B.1 Caveats and Disclaimers
B.2 Prerequisites
B.2.1 General
B.2.2 iPrint
B.2.3 Clustering
B.3 Changing the Server’s Address Configuration
B.4 Reconfiguring the OES Services
B.5 Repairing the eDirectory Certificates
B.6 Completing the Server Reconfiguration
B.6.1 QuickFinder
B.6.2 DHCP
B.6.3 DSfW
B.6.4 iPrint
B.6.5 NetStorage
B.7 Modifying a Cluster
B.8 Reconfiguring Services on Other Servers That Point to This Server
C Updating/Patching OES 2 Servers
D Backup Services
D.1 Services for End Users
D.2 System-Wide Services
D.2.1 Links to Backup Partners
D.2.2 Novell Storage Management Services (SMS)
D.2.3 SLES 10 Backup Services
E Quick Reference to OES 2 User Services
F OES 2 SP2 Browser Support
G Client/Workstation OS Support
H OES 2 Service Scripts
I System User and Group Management in OES 2 SP2
I.1 About System Users and Groups
I.1.1 Types of OES System Users and Groups
I.1.2 OES System Users and Groups by Name
I.2 Understanding Proxy Users
I.2.1 What Are Proxy Users?
I.2.2 Why Are Proxy Users Needed on OES?
I.2.3 Which Services Require Proxy Users and Why?
I.2.4 What Rights Do Proxy Users Have?
I.3 Planning Your Proxy Users
I.3.1 About Proxy User Creation
I.3.2 Proxy User Impacts on User Connection Licenses
I.3.3 Limiting the Number of Proxy Users in Your Tree
I.3.4 Proxy Users and Passwords
I.4 Implementing Your Proxy User Plan
I.4.1 Tree-Wide Proxy Users
I.4.2 Service-Specific Proxy Users
I.4.3 Partition-Wide Proxy Users
I.4.4 Server-Wide Proxy User
I.4.5 Individual Proxy User Per-Server-Per-Service
I.5 Proxy Users and Domain Services for Windows
I.6 System Users
I.7 System Groups
I.8 Auditing System Users
J Administrative Users in OES 2 SP2
K Coordinating Password Policies Among Multiple File Services
K.1 Overview
K.2 Concepts and Prerequisites
K.2.1 Prerequisites for File Service Access
K.2.2 eDirectory contexts
K.2.3 Password Policies and Assignments
K.3 Examples
K.3.1 Example 1: Complex Mixed Tree with a Mix of File Access Services and Users from across the Tree
K.3.2 Example 2: Mutually Exclusive Users
K.4 Deployment Guidelines for Different Servers and Deployment Scenarios
K.4.1 Deployment Scenario 1: Complex Mixed Scenario with a Mix of File Access Services
K.4.2 Deployment Scenario 2: Mutually Exclusive Users
K.4.3 Deployment Scenario 3: Simple deployments
K.4.4 Modifying User Password Policies after AFP/CIFS/Samba/DSfW Is Installed
K.4.5 Adding New User eDirectory Contexts to AFP/CIFS after AFP/CIFS/Samba/DSfW Is Installed
K.4.6 Enabling File Access for DSfW Servers Across Domains

About This Guide

Purpose
This guide provides:
Planning and implementation instructions
Service overviews
Links to detailed information in other service-specific guides.
Audience
This guide is designed to help network administrators
Understand Open Enterprise Server 2 services prior to installing them.
Make pre-installation planning decisions.
Understand installation options for each platform.
Implement the services after they are installed.
Feedback
We want to hear your comments and suggestions about this manual and the other documentation included with OES 2. Please use the User Comments feature at the bottom of each page of the online documentation, or go to www.novell.com/documentation/feedback.html and enter your comments there.
Documentation Updates
Changes to this guide are summarized in a Documentation Updates appendix at the end of this guide. The lack of such an appendix indicates that no changes have been made since the initial product release.
Additional Documentation
The OES 2 SP2: Lab Guide for Linux and Virtualized NetWare is the hands-on counterpart to this guide and helps network administrators:
Set up a basic lab with an OES 2 server, a virtualized NetWare® server, a test tree, and user objects that represent the different types of users in OES 2.
Use the exercises in the guide to explore how OES 2 services work.
Continue exploring to gain a sound understanding of how OES 2 can benefit their organization.
Additional documentation is also found on the OES 2 Documentation Web site (http://www.novell.com/documentation/oes2).
Documentation Conventions
The terms OES 2 and OES 2 SP2 are both used in this guide. Generally, OES 2 SP2 is used to differentiate something that is new or changed for the SP2 release of OES 2. Unless otherwise indicated, all statements that refer to OES 2 also apply to OES 2 SP2.
In this documentation, a greater-than symbol (>) is used to separate actions within a step and items within a cross-reference path.
A trademark symbol (®, TM, etc.) denotes a Novell trademark. An asterisk (*) denotes a third-party trademark.
When a single pathname can be written with a backslash for some platforms, or a forward slash for other platforms, the pathname is presented with a forward slash to reflect the Linux* convention. Users of platforms that require a backslash, such as NetWare, should use backslashes as required by the software.
1 What’s New or Changed

This section summarizes the new features for each release of Novell® Open Enterprise Server (OES) 2.
Section 1.1, “Where’s NetWare?,” on page 17
Section 1.2, “Links to What's New Sections,” on page 17
Section 1.3, “New or Changed in OES 2 SP2,” on page 19
Section 1.4, “New in OES 2 SP1,” on page 20
Section 1.5, “New in OES 2 (Initial Release),” on page 22

1.1 Where’s NetWare?

Novell® Open Enterprise Server 2 SP2 does not include NetWare®. Anyone who wants to test NetWare in an OES 2 SP2 environment should download NetWare 6.5 SP8 from the Novell download site (http://download.novell.com/Download?buildid=dpIR3H1ymhk~).

1.1.1 NetWare References in This Guide and Elsewhere

Because many organizations are transitioning their network services from NetWare to OES, information to assist with upgrading from NetWare to OES 2 is included in this guide and in the OES 2 SP2 documentation set—especially in the OES 2 SP2: Upgrading to OES—Planning and Implementation Guide.

1.1.2 NetWare Documentation

For NetWare documentation, including installation and configuration instructions, see the NetWare 6.5 SP8 Online Documentation Web site (http://www.novell.com/documentation/nw65).

1.2 Links to What's New Sections

The following table provides links to the What’s New sections in the documentation for all OES 2 products.
Table 1-1 What’s New

| Product | Link to What's New Section |
|---|---|
| Archive and Version Services 2.1 | Linux Administration Guide; User Guide |
| DHCP | Administration Guide |
| Distributed File Services | Administration Guide |
| DNS | Administration Guide |
| Domain Services for Windows | Administration Guide |
| Dynamic Storage Technology | Administration Guide |
| Identity Manager 3.6 | Getting Started Guide (http://www.novell.com/documentation/idm36/idm_install/data/be1l5dw.html) |
| iManager 2.7 | Administration Guide |
| Installation | Installation Guide |
| iPrint | Administration Guide |
| Migration Tool | Administration Guide |
| NCP Server for OES 2 | Administration Guide |
| NetStorage | Administration Guide |
| Novell AFP | Administration Guide |
| Novell CIFS | Administration Guide |
| Novell Client™ | Linux; Windows XP/2003 Administration Guide; Windows Vista* Administration Guide |
| Novell Cluster Services™ (High Availability) | Administration Guide |
| Novell iFolder® 3.8 | Administration Guide; User Guide |
| Novell Remote Manager | Administration Guide |
| Novell Storage Services (NSS) | Administration Guide |
| Nsure® Audit | Administration Guide |
| OES 2 | Installation Guide |
| OpenWBEM | Administration Guide |
| QuickFinder™ 5 | Administration Guide |
| Samba (Linux) | Administration Guide |
| Server Health Monitoring | This is now available in various Novell Remote Manager dialog boxes on both platforms. For more information, see “Health Monitoring Services” on page 86. |
| Shadow Volumes | See “Overview of Dynamic Storage Technology” in the OES 2 SP2: Dynamic Storage Technology Administration Guide. |
| Storage Management Services (SMS) | Administration Guide |
| Virtualization (Xen*) | Virtualization Overview |

1.3 New or Changed in OES 2 SP2

This section summarizes the new features introduced in Novell® Open Enterprise Server (OES) 2 SP2 that either involve multiple services or are not covered in service-specific documentation. For information on service-specific new features, see Section 1.2, “Links to What's New Sections,” on page 17.
Section 1.3.1, “Auditing,” on page 19
Section 1.3.2, “Base Platform Is SLES 10 SP3,” on page 19
Section 1.3.3, “CIFS DFS Support,” on page 19
Section 1.3.4, “Create EVMS Proposal Option,” on page 19
Section 1.3.5, “Cross-Protocol File Locking Change,” on page 20
Section 1.3.6, “Domain Services for Windows Installation,” on page 20
Section 1.3.7, “Performance Increases,” on page 20
Section 1.3.8, “PureFTP,” on page 20
Section 1.3.9, “Upgrading Online,” on page 20

1.3.1 Auditing

OES 2 SP2 includes support for third-party developers to create auditing products. For more information, see Section 21.1.2, “Auditing,” on page 217.

1.3.2 Base Platform Is SLES 10 SP3

With the release of OES 2 SP2, the Linux platform on which OES services run is changed from SUSE® Linux Enterprise Server (SLES) 10 SP2 to SLES 10 SP3 and includes Tomcat 5.5.

1.3.3 CIFS DFS Support

CIFS DFS support has been added in OES 2 SP2.

1.3.4 Create EVMS Proposal Option

The Partitioner in the YaST Install offers an option to “Create an EVMS Proposal.”
For unpartitioned devices over 20 GB in size, this option creates a boot partition and a container for swap and / (root) volumes in up to the first 20 GB, and leaves the remainder of the space on the device as unpartitioned free space. The default / partition size is 10 GB. The swap size is 1 GB or larger, depending on the amount of RAM the server has.
IMPORTANT: This option applies only if you are installing an NSS volume on the same disk as your Linux root (/) partition.

1.3.5 Cross-Protocol File Locking Change

Starting with OES 2 SP2, cross-protocol file locking (CPL) is enabled by default as follows:
All new servers with NCP installed have CPL turned on.
If an upgraded server was not configured for CPL prior to the upgrade, CPL will be turned on.
If an upgraded server was configured for CPL prior to the upgrade, the CPL setting immediately preceding the upgrade is retained.
If a server is only accessed through NCP (AFP and CIFS are not installed), you can achieve an NCP performance gain of about 10% by disabling CPL. However, there is a critical caveat: if you later install AFP or CIFS and you forget to re-enable CPL, data corruption can occur.
There are also obvious implications for clustering because the CPL settings for clustered nodes must match. For example, if an unmodified OES 2 SP1 node is clustered with an unmodified OES 2 SP2 node, their CPL settings will conflict and one of the nodes must be modified.
For more information about cross-protocol locking, see “Configuring Cross-Protocol File Locks for NCP Server” in the OES 2 SP2: NCP Server for Linux Administration Guide.

1.3.6 Domain Services for Windows Installation

The DSfW installation has been rearchitected with a focus on usability and simplicity.

1.3.7 Performance Increases

AFP, NCP, and Samba all have improved performance in OES 2 SP2.

1.3.8 PureFTP

Gateway parity with NetWare.

1.3.9 Upgrading Online

Support for upgrading through the SP Channel is included. For more information, see “Upgrading Using the Patch Channel (Online)” in the OES 2 SP2: Installation Guide.

1.4 New in OES 2 SP1

Section 1.4.1, “YaST Install Changes,” on page 20
Section 1.4.2, “Novell AFP,” on page 21
Section 1.4.3, “Novell CIFS,” on page 21
Section 1.4.4, “Novell Domain Services for Windows,” on page 22
Section 1.4.5, “Migration Tool,” on page 22

1.4.1 YaST Install Changes

The default behavior of the option to use eDirectory™ certificates for HTTPS services changed in OES 2 SP1.
In OES 2, eDirectory certificates were only used by default if you were installing a new server.
In OES 2 SP1, eDirectory certificates are used by default in all installation and upgrade scenarios, except when you are upgrading to SP1 from OES 2. For an upgrade, the option that you selected for the initial installation is retained.
For a brief summary of what happens in each scenario, see Table 22-2 on page 230.

1.4.2 Novell AFP

Novell® AFP is now available on the Linux platform to provide feature parity with NetWare®.
Support for AFP v3.1 and AFP v3.2, providing network file services for Mac* OS X* and classic Mac OS workstations
Support for Universal Password greater than 8 characters
Integration with Novell eDirectory
Integration with the Novell Storage Services™ (NSS) file system
Support for Unicode* filenames
Integration with the Novell Trustee Model for file access
Support for regular eDirectory users (no LUM required)
Cross-protocol file locking with NCP™
Novell AFP also offers the following features not available for NetWare:
DHX authentication mechanism: Provides a secure way to transport passwords of up to 64 characters to the server.
Management: You can use iManager to administer and configure the AFP server on OES 2. iManager support for AFP on NetWare is unchanged and includes only starting and stopping the server.
Auditing: You can audit the AFP server to check on the authentication process and any changes that occur to the configuration parameters of the server.
For more information, see the OES 2 SP2: Novell AFP For Linux Administration Guide.

1.4.3 Novell CIFS

Novell CIFS is now available on Linux to provide feature parity with the existing NetWare release. It offers the following features:
Support for Windows* 2000, XP, 2003, and Windows Vista* 32-bit
Support for Universal Password greater than 8 characters
Support for NTLMv1 authentication mode
Integration with Novell eDirectory
Integration with the Novell Storage Services (NSS) file system
Support for Unicode filenames
Integration with the Novell Trustee Model for file access
Support for regular eDirectory users (no LUM required)
Cross-protocol file locking is planned for a future release
For more information, see the OES 2 SP2: Novell CIFS for Linux Administration Guide.

1.4.4 Novell Domain Services for Windows

This service creates seamless cross-authentication capabilities between Microsoft* Active Directory* on Windows servers and Novell eDirectory on OES 2 SP2 servers, and offers the following functionality:
Administrators with Windows networking environments can set up one or more “virtual” Active Directory domains in an eDirectory tree.
Administrators can manage users and groups through MMC or iManager.
eDirectory users can authenticate to the virtual domain from a Windows workstation without the Novell Client™ for Windows being installed.
eDirectory users can also access file services on
Novell Storage Services (NSS) volumes on Linux servers by using Samba shares.
NTFS files on Windows servers that use CIFS shares.
Shares in trusted Active Directory forests.
For more information, see the OES 2 SP2: Domain Services for Windows Administration Guide.

1.4.5 Migration Tool

The new OES 2 SP2 Migration Tool uses a plug-in architecture and comprises multiple Linux command line utilities and a GUI wrapper.
The Migration Tool supports:
A single, enhanced GUI interface for migrating all OES services
Service migrations from either a single source server or multiple source servers (consolidation) to a target server.
Transfer ID (server ID swap) migrations—transferring the services and identity from one server to another server.
For more information, see the OES 2 SP2: Migration Tool Administration Guide.

1.5 New in OES 2 (Initial Release)

Novell Open Enterprise Server 2 included the following major features and enhancements that were not included in OES 1. All features are retained in SP1 unless otherwise noted in Section 1.4, “New in OES 2 SP1,” on page 20.
Section 1.5.1, “Dynamic Storage Technology,” on page 23
Section 1.5.2, “OES 2 Migration Tools,” on page 23
Section 1.5.3, “Xen Virtualization Technology,” on page 23

1.5.1 Dynamic Storage Technology

OES 2 introduces Novell Dynamic Storage Technology, a unique storage solution that lets you combine a primary file tree and a shadow file tree so that they appear to NCP and Samba/CIFS users as one file tree. The primary and shadow trees can be located on different file systems, different servers, or even different types of storage.
This lets you manage storage costs in new and efficient ways that were not previously possible.
For more information, see the related sections in Chapter 13, “Storage and File Systems,” on page 123 and the OES 2 SP2: Dynamic Storage Technology Administration Guide.

1.5.2 OES 2 Migration Tools

In addition to the legacy Server Consolidation and Migration Toolkit, OES 2 includes new migration tools for migrating data and services from NetWare to OES 2.
For more information, see Chapter 8, “Migrating and Consolidating Existing Servers and Data,” on page 75.

1.5.3 Xen Virtualization Technology

Both OES 2 and NetWare 6.5 SP8 can run in virtual machines on either an OES 2 or a SUSE® Linux Enterprise Server 10 SP1 or later server. This is especially valuable to those organizations that are deploying new hardware that doesn’t run NetWare as a physical installation.
For more information, see Chapter 9, “Virtualization in OES 2,” on page 77.

2 Welcome to Open Enterprise Server 2

Novell® Open Enterprise Server 2 (OES 2) includes all the network services that organizations traditionally expect from Novell.
Figure 2-1 OES 2 Overview
[Figure: OES 2 is Novell Services (AFP, Backup (SMS), Clustering (High Availability), DNS/DHCP, eDirectory, CIFS, FTP, iFolder 3.x, NetStorage, Novell Client Access, Management Tools, iPrint, QuickFinder, Novell Storage Services (NSS)) running on SUSE Linux Enterprise Server 10.]
NOTE: For a list of OES 2 services, see Table 3-1, “Service Comparison Between NetWare 6.5 SP8 and OES 2 SP2 Linux,” on page 27.

3 Planning Your OES 2 Implementation

As you plan which OES services to install, you probably have a number of questions. The following sections are designed to help answer your questions and alert you to the steps you should follow for a successful OES implementation.
Section 3.1, “What Services Are Included in OES 2?,” on page 27
Section 3.2, “Which Services Do I Need?,” on page 34
Section 3.3, “Exploring OES 2 services,” on page 34
Section 3.4, “Plan for eDirectory,” on page 34
Section 3.5, “Prepare Your Existing eDirectory Tree for OES 2,” on page 35
Section 3.6, “Identify a Purpose for Each Server,” on page 35
Section 3.7, “Understand Server Requirements,” on page 35
Section 3.8, “Understand User Restrictions and Linux User Management,” on page 36
Section 3.9, “Caveats to Consider Before You Install,” on page 36
Section 3.10, “Consider Coexistence and Migration Issues,” on page 48
Section 3.11, “Understand Your Installation Options,” on page 49

3.1 What Services Are Included in OES 2?

Table 3-1 summarizes OES services and the differences in the way these services are provided.
Although extensive, this list is not exhaustive. If you are interested in a service or technology not listed, or for documentation for listed services, see the OES Documentation Web site (http://www.novell.com/documentation/oes2).
Table 3-1 Service Comparison Between NetWare 6.5 SP8 and OES 2 SP2 Linux
| Service | NetWare 6.5 SP8 | OES 2 | Platform Differences / Migration Issues |
|---|---|---|---|
| Access Control Lists | Yes | Yes | In combination with NCP™ Server, Linux supports the Novell trustee model for file access on NSS volumes and NCP volumes on Linux. |
| AFP (Apple* File Protocol) | Yes - NFAP | Yes - Novell AFP | AFP services on NetWare and OES are proprietary and tightly integrated with eDirectory and Novell Storage Services (NSS). |
| Apache Web Server | Yes - NetWare® port of open source product | Yes - Standard Linux | Administration Instance vs. Public Instance on NetWare (http://www.novell.com/documentation/oes2/web_apache_nw/data/aipcu6x.html#aipcu6x). What’s Different about Apache on NetWare (http://www.novell.com/documentation/oes2/web_apache_nw/data/ail8hvj.html). |
| Archive and Version Services (Novell) | Yes | Yes | Setup varies slightly, but there are no functional differences. |
| Backup (SMS): SMS, NSS-Xattr | Yes | Yes | SMS provides backup applications with a framework to develop complete backup and restore solutions. For information, see the OES 2 SP2: Storage Management Services Administration Guide. NSS provides extended attribute handling options for NSS on Linux. For information, see “Using Extended Attributes (xAttr) Commands (Linux)” in the OES 2 SP2: NSS File System Administration Guide. |
| CIFS (Windows File Services) | Yes - NFAP | Yes - Novell CIFS and Novell Samba | Both NFAP and Novell CIFS are Novell proprietary and tightly integrated with eDirectory and Novell Storage Services (NSS). Samba is an open source product distributed with SUSE® Linux Enterprise Server (SLES). Novell Samba is enhanced by Novell with configuration settings for eDirectory LDAP authentication via Linux User Management (LUM). Novell Samba is not tightly integrated with NSS on Linux and works with any of the supported file systems. |
| Clustering | Yes | Yes | “Product Features” in the OES 2 SP2: Novell Cluster Services 1.8.7 for Linux Administration Guide. “Product Features” in the NW6.5 SP8: Novell Cluster Services 1.8.5 Administration Guide. |
| DFS (Novell Distributed File Services) | Yes | Yes | In combination with NCP Server, DFS supports junctions and junction targets for NSS volumes on Linux and NetWare. DFS also supports junction targets for NCP volumes on non-NSS file systems such as Reiser and Ext3. The VLDB command offers additional options to manage entries in the VLDB for NCP volumes. |
| DHCP | Yes | Yes | For a comparison between what is available on OES 2 and NetWare, see Section 12.2.2, “DHCP Differences Between NetWare and OES 2,” on page 101. To plan your DHCP implementations, see “Planning a DHCP Strategy” in the OES 2 SP2: Novell DNS/DHCP Administration Guide for Linux and “Planning a DHCP Strategy” in the NW 6.5 SP8: Novell DNS/DHCP Services Administration Guide. |
| DNS | Yes | Yes | For a comparison between what is available on OES 2 and NetWare, see Section 12.2.1, “DNS Differences Between NetWare and OES 2,” on page 100. See “Planning a DNS Strategy” in the OES 2 SP2: Novell DNS/DHCP Administration Guide for Linux and “Planning a DNS Strategy” in the NW 6.5 SP8: Novell DNS/DHCP Services Administration Guide. |
| Dynamic Storage Technology | No | Yes | DST runs on OES 2. An NSS volume on NetWare is supported only as the secondary volume in a shadow pair. When using DST in a cluster, each of the NSS volumes in a shadow pair must reside on OES 2. DST also supports NCP volumes as shadow pairs and Linux POSIX* volumes as shadow pairs. |
| eDirectory 8.8 | Yes | Yes | No functional differences. |
| eDirectory Certificate Server | Yes | Yes | No functional differences. |
| eGuide (White Pages) | Yes | No | This functionality is now part of the Identity Manager 3.6 User Application. For more information, see the Identity Manager 3.6 Documentation Web Site (http://www.novell.com/documentation/idm36/index.html). |
| FTP Server | Yes | Yes | Support for eDirectory LDAP authentication has been added to PureFTP on OES 2. The FTP/SFTP gateway available on NetWare is not currently available on Linux. See Section 17.1.2, “FTP Services,” on page 180. See “Features of the NetWare FTP Server” in the NW 6.5 SP8: Novell FTP Administration Guide. |
| Health Monitoring Services | Yes | Yes | The Health Monitoring Server, which was included in OES 1, has been removed in OES 2. This is now available in various Novell Remote Manager dialog boxes on both platforms. For more information, see “Health Monitoring Services” on page 86. |
| Identity Manager 3.6.1 Bundle Edition | Yes | Yes | No functional differences. |
| iPrint | Yes | Yes | See “Overview” in the OES 2 SP2: iPrint for Linux Administration Guide, and “Overview” in the NW 6.5 SP8: iPrint Administration Guide. |
| IPX™ (Internetwork Packet Exchange™) from Novell | Yes | No | Novell has no plans to port IPX to OES. |
| iSCSI | Yes | Yes | The iSCSI target for Linux does not support eDirectory access controls like the NetWare target does. Nor is the iSCSI initiator or target in OES 2 integrated with NetWare Remote Manager management. You use YaST management tools instead. On the other hand, the iSCSI implementation for Linux is newer and performs better. See Linux-iSCSI Project on the Web (http://linux-iscsi.sourceforge.net). See “Overview” in the NW 6.5 SP8: iSCSI 1.1.3 Administration Guide. |
| LDAP Server for eDirectory | Yes | Yes | No functional differences. |
| Multipath Device Management | Yes | Yes | NetWare uses NSS multipath I/O. Linux uses Device Mapper - Multipath that runs underneath other device management services. |
| MySQL* | Yes - NetWare port of open source product | Yes - Standard Linux | See MySQL.com on the Web (http://www.mysql.com). See “Overview: MySQL” in the NW 6.5 SP8: Novell MySQL Administration Guide. |
| NCP Volumes | No | Yes | NCP Server on Linux supports creating NCP volumes on Linux POSIX file systems such as Reiser and Ext3. For information, see “Managing NCP Volumes” in the OES 2 SP2: NCP Server for Linux Administration Guide. |
| NCP Server | Yes | Yes | NCP services are native to NetWare 6.5 and NSS volumes; to have NCP services on OES, the NCP Server must be installed. See “Benefits of NCP Server” in the OES 2 SP2: NCP Server for Linux Administration Guide. |
| NetStorage | Yes | Yes | NetStorage on Linux offers connectivity to storage locations through the CIFS, NCP, and SSH protocols. NetWare uses only NCP. These and other differences are summarized in “NetStorage” on page 181. |
| NetWare Traditional File System | Yes | No | Novell has no plans to port the NetWare Traditional File System to Linux. |
| NetWare Traditional Volumes | Yes | N/A | |
| NFS | Yes - NFAP | Yes - native to Linux | For NetWare, see “Working with UNIX Machines” in the NW 6.5 SP8: AFP, CIFS, and NFS (NFAP) Administration Guide. |
| NICI (Novell International Cryptography Infrastructure) | Yes | Yes | No functional differences. |
| NMAS™ (Novell Modular Authentication Services) | Yes | Yes | No functional differences. |
| Novell Audit | Yes | No | Novell Audit is not included with OES. However, the Novell Audit 2.0 Starter pack is available for download at no cost on Novell.com (http://www.novell.com/downloads). |
| Novell Client™ for Windows and Linux support | Yes | Yes | Novell Client connectivity to OES 2 requires that the NCP Server be installed. |
| Novell Cluster Services™ | Yes | Yes | See “Product Features” in the OES 2 SP2: Novell Cluster Services 1.8.7 for Linux Administration Guide. See “Product Features” in the NW6.5 SP8: Novell Cluster Services 1.8.5 Administration Guide. |
| Novell iFolder® 2.x | Yes | No | For migration information, see “Migrating iFolder 2.x” in the OES 2 SP2: Migration Tool Administration Guide. |
| Novell iFolder 3.8 | No | Yes | OES 2 SP2 includes Linux, Macintosh*, and Windows clients. |
| Novell Licensing Services | Yes | No | See Section 4.5.3, “OES 2 Doesn’t Support NLS,” on page 58. |
| NSS (Novell Storage Services™) | Yes | Yes | Most NSS services are available on both platforms. For a list of NSS features that are not used on Linux, see “Cross-Platform Issues for NSS” in the OES 2 SP2: NSS File System Administration Guide. |
| NTPv3 | Yes | Yes | The ntpd.conf file on NetWare can replace an OES server’s NTP configuration file without modification. |
| OpenSSH | Yes | Yes | NetWare includes a port of the open source product. Linux includes the open source product itself. See “Functions Unique to the NetWare Platform” in the NW 6.5 SP8: OpenSSH Administration Guide. |
| PAM (Pluggable Authentication Modules) | No | Yes | PAM is a Linux service that Novell leverages to provide eDirectory authentication. eDirectory authentication is native on NetWare. |
| Pervasive.SQL* | Yes | No | Pervasive.SQL is available for Linux from the Web (http://www.pervasive.com/support/technical/online_manuals.asp). |
| PKI (Public Key Infrastructure) | Yes | Yes | No functional differences. |
| Printing | Yes | Yes | See iPrint. |
| QuickFinder™ | Yes | Yes | See Search. |
| RADIUS | Yes | Yes | See the information on forge.novell.com (http://forge.novell.com/modules/xfmod/project/?edirfreeradius). |
| Samba | No | Yes | Samba is an open source technology available on OES. Novell provides automatic configuration for authentication through eDirectory. For more information, see the OES2 SP2: Samba Administration Guide. |
| Search (QuickFinder) | Yes | Yes | When indexing a file system, the QuickFinder engine indexes only what it has rights to see. On NetWare, it has full access to all mounted volumes. On Linux, it has rights to only the files that the novlwww user in the www group has rights to see. For more information, see “Security Characteristics” and “Generating an Index For a Linux-Mounted NSS Volume” in the OES 2: Novell QuickFinder Server 5.0 Administration Guide. |
| SLP | Yes - Novell SLP | Yes - OpenSLP | For OES 2, see “SLP Services in the Network” (http://www.novell.com/documentation/sles10/sles_admin/data/cha_slp.html) in the SLES 10 SP3: Installation and Administration Guide (http://www.novell.com/documentation/sles10/sles_admin/data/sles_admin.html) and “Implementing the Service Location Protocol” (http://www.novell.com/documentation/edir87/edir87/data/a2iiimc.html). NetWare uses Novell SLP, which provides caching of Directory Agent scope information in eDirectory. This provides for sharing of scope information among DAs. Novell SLP is not available on Linux. OpenSLP on Linux is not customized to provide DA synchronization. Therefore, DA synchronization is only available for eDirectory on NetWare. |
| Software RAIDS (NSS volumes) | Yes (0, 1, 5, 10, 15) | Yes (0, 1, 5) | See “Understanding Software RAID Devices” in the OES 2 SP2: NSS File System Administration Guide. |
| Storage Management Services™ (SMS) | Yes | Yes | No functional differences, except that the SBCON backup engine is not supported on Linux. The nbackup engine is available for exploring SMS capabilities, but in a production environment, you should use a third-party, full-featured backup engine. |
| TCP/IP | Yes | Yes | No functional differences. |
| Timesync NLM™ | Yes | No | Timesync will not be ported to Linux. However, NTPv3 is available on both Linux and NetWare. See “Time Services” on page 101. |
| Tomcat | Yes | Yes | NetWare includes Tomcat 4 and a Tomcat 5 servlet container for iManager 2.7. OES 2 includes Tomcat 5. There is no impact to any of the OES 2 administration tools, which are tested and supported on both platforms. See “Administration Instance vs. Public Instance on NetWare” (http://www.novell.com/documentation/oes2/web_tomcat_nw/data/ahdyran.html#ahdyran). |
| Virtual Office (Collaboration) | Yes | No | Virtual Office has been replaced by Novell Teaming + Conferencing. A separate purchase is required. For more information, see the Novell Teaming + Conferencing Web Site (http://www.novell.com/products/teaming/index.html). |
| WAN Traffic Manager | Yes | No | |
| Xen Virtualization Guest | Yes | Yes | NetWare 6.5 SP8 (and NetWare 6.5 SP 7) can run on a paravirtualized machine. OES 2 can run on a paravirtualized machine or fully virtualized machine. |
| Xen Virtualization Host Server | N/A | Yes | |

3.2 Which Services Do I Need?

We recommend that you review the brief overviews included at the beginning of each service section in this guide to get a full picture of the solutions that OES 2 offers. It is not uncommon that administrators discover capabilities in OES that they didn’t know existed.

3.3 Exploring OES 2 services

We also recommend that you explore commonly used OES services by following the step-by-step instructions provided in the OES 2 SP2: Lab Guide for Linux and Virtualized NetWare.

3.4 Plan for eDirectory

eDirectory is the heart of OES network services and security.
If you are installing into an existing tree, be sure you understand the information in Section 14.2.3,
“eDirectory Coexistence and Migration,” on page 141.
If you are creating a new eDirectory tree on your network, you must do some additional planning before you install the first server into the tree. The first server is important for two reasons:
You create the basic eDirectory tree structure during the first installation
The first server permanently hosts the Certificate Authority for your organization
To ensure that your eDirectory tree meets your needs, take time to plan the following:
Structure of the eDirectory tree: A well-designed tree provides containers for servers, users, printers, etc. It is also optimized for efficient data transfer between geographically dispersed locations. For more information, see “Designing Your Novell eDirectory Network” in the Novell eDirectory 8.8 Administration Guide.
Time synchronization: eDirectory requires that all OES 2 servers, both NetWare and Linux, be time synchronized. For more information, see Chapter 12.3, “Time Services,” on page 101.
Partitions and replicas: eDirectory allows the tree to be partitioned for scalability. Replicas (copies) of the partitions provide fault tolerance within the tree. The first three servers installed into an eDirectory tree automatically receive replicas of the tree’s root partition. You might want to create additional partitions and replicas. For more information, see “Managing Partitions and Replicas” in the Novell eDirectory 8.8 Administration Guide.
For information on these and other eDirectory planning tasks, see the Novell eDirectory 8.8 Administration Guide.
The OES 2 SP2: Lab Guide for Linux and Virtualized NetWare provides a basic introduction to creating container objects as well as Group and User objects in eDirectory.

3.5 Prepare Your Existing eDirectory Tree for OES 2

If you are installing OES 2 into an existing tree, you must use Deployment Manager (located on the NetWare 6.5 SP8 DVD) to see whether your tree requires any updates.
For instructions on running Deployment Manager, see “Preparing to Install NetWare 6.5 SP8” in the
NW65 SP8: Installation Guide.

3.6 Identify a Purpose for Each Server

Large networks usually have one or more servers dedicated to providing a single network service. For example, one or more servers might be designated to provide Novell iFolder file services to network users while other servers provide iPrint printing services for the same users.
For smaller organizations, it is often not practical or cost effective to dedicate servers to providing a single service. For example, the same server might provide both file and print services to network users.
Prior to installing a new server on your network, you should identify the service or services that it will provide and see how it will integrate into your overall network service infrastructure.

3.7 Understand Server Requirements

OES 2 and NetWare 6.5 SP8 both have specific hardware and software requirements.
Prior to installing OES, make sure your server machine and network environment meet the requirements outlined in the following sections:
OES 2 Server (Physical): “Preparing to Install OES 2 SP2” in the OES 2 SP2: Installation Guide.
OES 2 Server (Virtual): “System Requirements” in the OES 2 SP2: Installation Guide.
NetWare 6.5 SP8 Server (Physical): “Meeting System Requirements” in the NW65 SP8: Installation Guide.
NetWare 6.5 SP8 Server (Virtual): “Planning for NetWare VM Guest Servers” in the OES 2 SP2: Installation Guide.

3.8 Understand User Restrictions and Linux User Management

If you plan to use Linux User Management, be sure you understand the security implications before you accept the default PAM-enabled service settings. The implications are explained in
Section 21.2.2, “User Restrictions: Some OES 2 Limitations,” on page 221.

3.9 Caveats to Consider Before You Install

IMPORTANT: As support packs are released, there are sometimes new caveats identified. Be sure to always check the OES Readme (http://www.novell.com/documentation/oes2/oes_readme/data/readme.html) for items specific to each support pack.
This section discusses the following installation/migration caveats:
Section 3.9.1, “Adding a Linux Node to a Cluster Ends Adding More NetWare Nodes,” on
page 37
Section 3.9.2, “AFP File Locking Requires Samba,” on page 37
Section 3.9.3, “Always Double-Check Service Configurations Before Installing,” on page 37
Section 3.9.4, “Back Button Doesn’t Reset Configuration Settings,” on page 37
Section 3.9.5, “Cluster Upgrades Must Be Planned Before Installing OES 2,” on page 38
Section 3.9.6, “Do Not Create Local (POSIX) Users,” on page 38
Section 3.9.7, “Do Not Upgrade to eDirectory 8.8 Separately,” on page 39
Section 3.9.8, “Follow the Instructions for Your Chosen Platforms,” on page 39
Section 3.9.9, “If You’ve Ever Had OES 1 Linux Servers with LUM and NSS Installed,” on
page 39
Section 3.9.10, “iFolder 3.8 Considerations,” on page 42
Section 3.9.11, “Incompatible TLS Configurations Give No Warning,” on page 42
Section 3.9.12, “Installing into an Existing eDirectory Tree,” on page 43
Section 3.9.13, “NetWare Caveats,” on page 43
Section 3.9.14, “Novell Distributed Print Services Cannot Migrate to Linux,” on page 44
Section 3.9.15, “NSS Caveats,” on page 44
Section 3.9.16, “Plan eDirectory Before You Install,” on page 45
Section 3.9.17, “Samba Enabling Disables SSH Access,” on page 45
Section 3.9.18, “Unsupported Service Combinations,” on page 45
Section 3.9.19, “VNC Install Fails to Set the IP Address in /etc/hosts,” on page 48

3.9.1 Adding a Linux Node to a Cluster Ends Adding More NetWare Nodes

After you add a Linux node to a cluster, you cannot add more NetWare nodes. For more information, see “Converting NetWare 6.5 Clusters to OES 2 Linux” in the OES 2 SP2: Novell Cluster Services
1.8.7 for Linux Administration Guide.

3.9.2 AFP File Locking Requires Samba

Cross-protocol file locking between AFP and NCP connections on an OES 2 server requires that you install Samba on the server, even though Samba file services cannot be run concurrently with AFP on the same server. (See “Novell AFP” on page 46.) For more information, see the OES 2 SP2: Novell AFP For Linux Administration Guide.

3.9.3 Always Double-Check Service Configurations Before Installing

It is critical that you double-check your service configurations on the Novell Open Enterprise Server Configuration summary page before proceeding with an installation. Two reasons for this are explained in Section 3.9.4, “Back Button Doesn’t Reset Configuration Settings,” on page 37 and

3.9.4 Back Button Doesn’t Reset Configuration Settings

During an installation, after you configure eDirectory and reach the Novell Open Enterprise Server Configuration summary screen, service configuration settings have been “seeded” from the eDirectory configuration.
If you discover at that point that something in the eDirectory configuration needs to change, you can change the settings by clicking the eDirectory link on the summary page or by clicking the Back button.
In both cases when you return to the summary page, the eDirectory configuration has changed, but the individual service configurations have the same eDirectory settings you originally entered. These must each be changed manually.
For example, if you specified the wrong server context while initially configuring eDirectory, the NSS and LUM configurations still have the wrong context. You must select each service individually and change the server context in them.
Unless you manually change the services affected by changes to eDirectory, your services will at best not work as expected and at worst completely fail.

3.9.5 Cluster Upgrades Must Be Planned Before Installing OES 2

Because of differences between Novell Cluster Services on NetWare 6.5 SP8 and OES 2, there are important issues to consider before combining them into a mixed node cluster, as explained in the following sections.
“Service Failover in a Mixed Cluster” on page 38
“Working with Mixed Node Clusters” on page 38
Service Failover in a Mixed Cluster
The only cluster-enabled service that can fail over cross-platform (run on either OES 2 or NetWare 6.5 SP8) is cluster-enabled NSS pools. All other services (iPrint, iFolder, etc.) can only fail over between servers that are the same platform. For example, an iPrint service that is running on an OES 2 server can fail over to another OES 2 server in the cluster, but the service cannot fail over to a NetWare 6.5 SP8 server.
Working with Mixed Node Clusters
The following points apply to working with mixed NetWare and OES clusters:
You cannot use EVMSGUI to create a Linux POSIX file system as a cluster resource until the entire cluster is migrated to Linux.
You cannot migrate or fail over a Linux POSIX file system cluster resource to a NetWare
cluster node.
Only NSS pool cluster resources that are created on a NetWare cluster node can be failed over
between Linux and NetWare nodes.
NetWare NSS to Linux NSS failover requires that the Linux node be configured for NSS and
that the version of NSS supports the NSS media format and features being used by the NSS pool cluster resource.
The new NSS media format in OES 2 is not available for OES 1 SP2 Linux and earlier. After a
volume has been upgraded to the new media format, you cannot fail it over to a node that is running OES 1 SP2 Linux or earlier.

3.9.6 Do Not Create Local (POSIX) Users

During the OES 2 install you are prompted by the SLES portion of the install to create at least one user besides root, and you are warned if you bypass the prompt.
Creating local users is not recommended on OES 2 servers because user management in OES 2 is managed entirely in eDirectory. The only local user you need on the server is the root user. Creating other local users can, in fact, cause unnecessary confusion and result in service-access problems that are difficult to troubleshoot.
eDirectory users are enabled for POSIX access through the Linux User Management (LUM) technology installed by default on every OES 2 server.
Also be aware that not all OES services require that users are LUM-enabled. Novell Client users, for example, can access NCP and NSS volumes on OES 2 servers just as they do on NetWare without any additional configuration.
For more information about this topic, see Section 15.2, “Linux User Management: Access to Linux
for eDirectory Users,” on page 149.

3.9.7 Do Not Upgrade to eDirectory 8.8 Separately

If you are running OES 1 SP2, do not upgrade to eDirectory™ 8.8 independently of upgrading to OES 2 SP2.
For example, do not upgrade from eDirectory 8.7.3 to eDirectory 8.8.2 through the oes-edir88 patch channel prior to upgrading to OES 2 SP2. Doing so causes configuration problems that the OES 2 SP2 install is not designed to handle.

3.9.8 Follow the Instructions for Your Chosen Platforms

Although installing OES 2 services on Linux or NetWare is a straightforward process, the installation processes are platform-specific, requiring different sets of media and different installation programs.

3.9.9 If You’ve Ever Had OES 1 Linux Servers with LUM and NSS Installed

Having NSS volumes on OES servers requires certain system-level modifications, most of which are automatic. For more information, see Appendix I, “System User and Group Management in OES 2
SP2,” on page 257.
However, as OES has evolved, some initially defined conventions regarding system Users have needed adjustment. Be sure to read the information and follow the instructions in this section if your network has ever included an OES 1 Linux server with both LUM and NSS installed.
“NetStorage, XTier, and Their System Users” on page 39
“An NSS Complication” on page 39
“eDirectory Solves the Basic Problem” on page 40
“ID Mismatches on OES 1” on page 40
“The OES 1 Solution: The nssid.sh Script” on page 40
“OES 2 SP1 or Later Requires a New Approach” on page 40
“The OES 2 Solution: Standardizing the UIDs on all OES servers” on page 40
NetStorage, XTier, and Their System Users
By default, certain OES services, such as NetStorage, rely on a background Novell service named XTier.
To run on an OES server, XTier requires two system-created users (named novlxregd and novlxsrvd) and one system-created group that the users belong to (named novlxtier).
An NSS Complication
The two system users and their group are created on the local system when XTier is installed. For example, they are created when you install NetStorage, and their respective UIDs and GID are used to establish ownership of the service’s directories and files.
For NetStorage to run, these XTier users and group must be able to read data on all volume types that exist on the OES server.
As long as the server only has Linux traditional file systems, such as Ext3 and Reiser, NetStorage runs without difficulties.
However, if the server has NSS volumes, an additional requirement is introduced. NSS data can only be accessed by eDirectory users. Consequently, the local XTier users can’t access NSS data, and NetStorage can’t run properly.
eDirectory Solves the Basic Problem
Therefore, when NSS volumes are created on the server, the XTier users are moved to eDirectory and enabled for Linux User Management (LUM). See Section 15.2, “Linux User Management:
Access to Linux for eDirectory Users,” on page 149.
After the move to eDirectory, they can function as both eDirectory and POSIX users, and they no longer exist on the local system.
ID Mismatches on OES 1
Problems with OES 1 occurred when additional OES NetStorage servers with NSS volumes were installed in the same eDirectory container. Because the UIDs and GID were assigned by the Linux system, unless the installation process was exactly the same for each OES 1 Linux server, the UIDs and GID didn’t match server-to-server.
When the local XTier UIDs and GID on subsequently installed servers didn’t match the XTier UIDs and GID in eDirectory, NetStorage couldn’t access the NSS volumes on the server.
The OES 1 Solution: The nssid.sh Script
To solve this problem, the OES 1 installation program looked for XTier ID conflicts, and if the IDs on a newly installed server didn’t match the IDs in eDirectory, the program generated a script file named nssid.sh. The documentation instructed installers to always check for an nssid.sh file on a newly installed server, and if the file was found, to run it. The nssid.sh script synchronized all of the XTier IDs with those that had already been stored in eDirectory.
This solution remained viable through the first release of OES 2.
OES 2 SP1 or Later Requires a New Approach
Unfortunately, system-level changes in SUSE Linux Enterprise Server 10 SP2 invalidated the nssid.sh script solution for OES 2 SP1. Synchronizing the XTier IDs with an OES 1 installation can now cause instability in other non-OES components. Therefore, starting with OES 2 SP1, you should standardize all XTier IDs on existing servers before installing a new OES 2 server with XTier-dependent services.
The OES 2 Solution: Standardizing the UIDs on all OES servers
If your eDirectory tree has ever contained an OES 1 Linux server with NSS and LUM installed, do the following on each server (including OES 2) that has NSS and LUM installed:
1 Log in as root and open a terminal prompt. Then enter the following commands:
id novlxregd
id novlxsrvd
The standardized XTier IDs are UID 81 for novlxregd, UID 82 for novlxsrvd, and GID 81 for novlxtier.
2 (Conditional) If you see the following ID information, the XTier IDs are standardized and you can start over with Step 1 for the next server:
uid=81(novlxregd) gid=81(novlxtier) groups=81(novlxtier)
uid=82(novlxsrvd) gid=81(novlxtier) groups=81(novlxtier),8(www)
3 (Conditional) If you see different IDs than those listed above, such as 101, 102, 103, etc., record the numbers for both XTier users and the novlxtier group, then continue with Step 4.
You need these numbers to standardize the IDs on the server.
4 Download the following script file: fix_xtier_ids.sh (http://www.novell.com/documentation/oes2/scripts/fix_xtier_ids.sh)
5 Customize the template file by replacing the variables marked with angle brackets (<>) as
follows:
<server_name>: The name of the server object in eDirectory.
This variable is listed on line 38 in the file. Replace it with the server name.
For example, if the server name is myserver, replace <server_name> with myserver so that the line in the settings section of the script reads
server=myserver
<context>: This is the context of the XTier user and group objects.
Replace this variable with the fully distinguished name of the context where the objects reside.
For example, if the objects are in an Organizational Unit object named servers, replace <context> with the fully distinguished name, such as ou=servers,o=company.
<admin fdn>: The full context of an eDirectory admin user, such as the Tree Admin, who
has rights to modify the XTier user and group objects.
Replace this variable with the admin name and context, specified with comma-delimited syntax.
For example, if the tree admin is in an Organization container named company, the full context is cn=admin,o=company and the line in the settings section of the script reads
admin_fdn="cn=admin,o=company"
<novlxregd_uid>: This is the UID that the system assigned to the local novlxregd user. It might or might not be the same on each server, depending on whether the nssid.sh script ran successfully.
Replace this variable with the UID reported for the novlxregd user on this server as listed in Step 1 on page 40.
For example, if the UID for the novlxregd user is 101, change the line to read
novlxregd_uid=101
<novlxsrvd_uid>: This is the UID that the system assigned to the local novlxsrvd user. It might or might not be the same on each server, depending on whether the nssid.sh script ran successfully.
Replace this variable with the UID reported for the novlxsrvd user on this server as listed when you ran the commands in Step 1 on page 40.
For example, if the UID for novlxsrvd_uid is 102, change the line to read
novlxsrvd_uid=102
<novlxtier_gid>: This is the GID that the system assigned to the local novlxtier group. It might or might not be the same on each server, depending on whether the nssid.sh script ran successfully.
Replace this variable with the GID reported for the novlxtier group on this server as listed when you ran the commands in Step 1 on page 40.
For example, if the GID for novlxtier_gid is 101, change the line to read
novlxtier_gid=101
6 Make the script executable and then run it on the server.
IMPORTANT: Changes to the XTier files are not reported on the terminal.
Error messages are reported, but you can safely ignore them. The script scans the entire file system, and some files are locked because the system is running.
7 Repeat from Step 1 for each of the other servers in the same context.
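The check in Steps 1 through 3, as an added example that is not part of the Novell guide or of fix_xtier_ids.sh: it parses id output and compares it with the standardized IDs (UID 81, UID 82, GID 81). The function names and the sample id lines that use 101 and 102 are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the Novell guide): decide from `id` output whether
# a server's XTier IDs match the standardized values given in Step 1.

STD_REGD_UID=81   # novlxregd
STD_SRVD_UID=82   # novlxsrvd
STD_TIER_GID=81   # novlxtier

# check_xtier_id USER WANT_UID "ID_OUTPUT"
# Returns 0 = standardized, 1 = IDs differ (record them for Step 5),
# 2 = the line is not `id` output for USER.
check_xtier_id() {
    cx_user=$1
    cx_want_uid=$2
    cx_line=$3
    # `id` prints: uid=N(name) gid=N(group) groups=...
    cx_name=$(printf '%s\n' "$cx_line" | sed -n 's/^uid=[0-9][0-9]*(\([^)]*\)) .*/\1/p')
    cx_uid=$(printf '%s\n' "$cx_line" | sed -n 's/^uid=\([0-9][0-9]*\)(.*/\1/p')
    cx_gid=$(printf '%s\n' "$cx_line" | sed -n 's/^uid=[^ ]* gid=\([0-9][0-9]*\)(.*/\1/p')
    if [ -z "$cx_uid" ] || [ -z "$cx_gid" ] || [ "$cx_name" != "$cx_user" ]; then
        echo "$cx_user: cannot parse id output: $cx_line"
        return 2
    fi
    if [ "$cx_uid" -eq "$cx_want_uid" ] && [ "$cx_gid" -eq "$STD_TIER_GID" ]; then
        echo "$cx_user: standardized (uid=$cx_uid gid=$cx_gid)"
        return 0
    fi
    echo "$cx_user: NOT standardized, record uid=$cx_uid gid=$cx_gid for fix_xtier_ids.sh"
    return 1
}

# check_server "ID_OUTPUT_FOR_novlxregd" "ID_OUTPUT_FOR_novlxsrvd"
# Returns 0 only when both users and their group carry the standardized IDs.
check_server() {
    cs_rc=0
    check_xtier_id novlxregd "$STD_REGD_UID" "$1" || cs_rc=1
    check_xtier_id novlxsrvd "$STD_SRVD_UID" "$2" || cs_rc=1
    return "$cs_rc"
}

# Constructed input: the first pair is the standardized output shown in
# Step 2; the second pair uses the 101/102 style IDs mentioned in Step 3.
check_server "uid=81(novlxregd) gid=81(novlxtier) groups=81(novlxtier)" \
             "uid=82(novlxsrvd) gid=81(novlxtier) groups=81(novlxtier),8(www)" || true
check_server "uid=101(novlxregd) gid=101(novlxtier) groups=101(novlxtier)" \
             "uid=102(novlxsrvd) gid=101(novlxtier) groups=101(novlxtier),8(www)" || true
```

On a live server, pass the real output instead of the samples: check_server "$(id novlxregd)" "$(id novlxsrvd)".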

3.9.10 iFolder 3.8 Considerations

For best results, be sure you read and carefully follow the instructions in the Novell iFolder 3.8
Administration Guide, starting with “Deploying iFolder Server .” This is especially critical if you
plan to use NSS for your iFolder 3.8 data volume.

3.9.11 Incompatible TLS Configurations Give No Warning

When you install a new eDirectory tree, the eDirectory Configuration - New or Existing Tree screen has the Require TLS for Simple Binds with Password option selected by default. If you keep this configuration setting, the eDirectory LDAP server requires that all communications come through the secure LDAP port that you specified on the eDirectory Configuration - Local Server Configuration screen. By default, this is port 636.
Unfortunately, the OES install doesn’t display a warning if you subsequently configure OES services to use non-TLS (non-secure) LDAP communications (port 389). The installation proceeds normally but the service configuration fails.
For example, if you accept the TLS default, then configure Novell DHCP to use non-secure communications (by deselecting the Use secure channel for configuration option), the OES install doesn't warn that you have created an incompatible configuration.
After eDirectory and the iManager plug-ins install successfully, the Novell DHCP configuration fails. You must then use iManager to change either the LDAP server configuration or the Novell DHCP configuration to support your preferred communication protocol.
Simply enabling non-TLS LDAP communications doesn’t disable TLS. It merely adds support for non-secure communications with the LDAP server.

3.9.12 Installing into an Existing eDirectory Tree

Novell Support has reported a significant number of installation incidents related to eDirectory health and time synchronization. To avoid such problems, do the following prior to installing OES:
“Consider Coexistence and Migration Issues” on page 43
“Do Not Add OES to a Server That Is Already Running eDirectory” on page 43
“Be Sure That eDirectory Is Healthy” on page 43
“Be Sure That Network Time Is Synchronized” on page 43
“Be Sure that OpenSLP on OES 2 Is Configured Properly” on page 43
Consider Coexistence and Migration Issues
If you are installing a new OES 2 server into an existing eDirectory tree, be sure to read and follow the instructions in “Preparing eDirectory for OES 2 SP2” in the OES 2 SP2: Installation Guide.
Do Not Add OES to a Server That Is Already Running eDirectory
Although you can add OES to an existing SLES 10 server if needed, you cannot install OES on a SLES 10 server that is already running eDirectory.
eDirectory must be installed in conjunction with the installation of OES services.
Be Sure That eDirectory Is Healthy
Review and follow the guidelines in “Keeping eDirectory Healthy” in the Novell eDirectory 8.8
Administration Guide.
Be Sure That Network Time Is Synchronized
OES2 Linux and NetWare 6.5 SP8 servers can receive network time from either an existing eDirectory server or from an NTP time source. The critical point is that the entire tree must be synchronized to the same time source. For example, do not set your new OES 2 server to receive time from an NTP source unless the whole tree is synchronized to the same NTP source.
For an in-depth explanation of OES time synchronization, see Chapter 12.3, “Time Services,” on
page 101.
Be Sure that OpenSLP on OES 2 Is Configured Properly
Novell SLP (NetWare) and OpenSLP (Linux) can coexist, but there are differences between the services that you should understand before deciding which to use or before changing your existing SLP service configuration. For more information, see Section 12.5, “SLP,” on page 113.

3.9.13 NetWare Caveats

“NetWare Licenses and OES 2 Trees” on page 44
“NetWare 6.5 Servers Must Be Running SP3 or Later” on page 44
NetWare Licenses and OES 2 Trees
OES doesn’t use Novell Licensing Services (Section 4.5, “Licensing,” on page 57). As a result, OES servers don’t need a license container in eDirectory as part of the server installation.
In a mixed OES 2 and NetWare eDirectory tree, at least one NetWare server must hold a replica for each partition where there is a NetWare server object. Without this configuration, it is impossible to install licenses or to service requests from NetWare servers to consume those licenses.
If you need to install a NetWare server in an OES tree, you must do the following after installing the first NetWare server in a partition:
1 Install iManager on the NetWare server, or use iManager Workstation.
You can do this during initial installation or later as described in “Installing iManager” in the
Novell iManager 2.7 Installation Guide.
2 Add a Read/Write replica to the server as described in “Adding a Replica” in the Novell
eDirectory 8.8 Administration Guide.
3 Install the NetWare license as described in “Installing and Removing License Certificates” in
the NW 6.5 SP8: Licensing Services Administration Guide.
The iManager Licensing plug-in is not installed on OES servers. If you have configured Role-Based Services, you need to make sure the licensing plug-in is installed and added to the RBS collection. For more information, see “Upgrading iManager” in the Novell iManager 2.7 Installation Guide.
NetWare 6.5 Servers Must Be Running SP3 or Later
If you are installing OES 2 servers into a tree containing NetWare 6.5 servers, be sure that the following server types have been updated to SP3 or later prior to installing OES 2:
SLP Directory Agents: If the SLP Directory Agents on your network are not running NetWare
6.5 SP3 or later, installing an OES 2 server into the tree can cause the DA servers to abend.
LDAP Servers: If the LDAP servers referenced in your installation are not running NetWare
6.5 SP3 or later, the servers might abend during a schema extension operation.

3.9.14 Novell Distributed Print Services Cannot Migrate to Linux

NDPS® clients are not supported on OES. You must therefore migrate any NDPS clients to iPrint before you migrate your print services to OES. For more information, see “Migrating NDPS Printers
to iPrint” in the NW 6.5 SP8: iPrint Administration Guide.

3.9.15 NSS Caveats

“About New Media Support and Clusters” on page 44
“Removable Media Cannot Be Mounted on OES 2” on page 45
About New Media Support and Clusters
The new media support for hard links on OES 2 NSS volumes was not available for OES 1 SP2 Linux and earlier, but it was available for NetWare 6.5 SP4 and later.
If you've already upgraded the media format of the volume, you cannot fail over to a node that is running OES 1 SP2 until you have upgraded the node to OES 2.
Removable Media Cannot Be Mounted on OES 2
CD and DVD media and image files cannot be mounted as NSS volumes on OES; instead, they are mounted as Linux POSIX file systems.
For more details about NSS compatibility, see “Cross-Platform Issues for NSS Volumes” in the OES
2 SP2: NSS File System Administration Guide.

3.9.16 Plan eDirectory Before You Install

Although the default eDirectory settings work for simple trees, they are not usually practical for a production implementation. For example, by default the tree Admin user and the server are installed in the same context.
Some administrators, when they discover that the tree structure doesn't meet their needs, assume they can rectify the situation by uninstalling and then reinstalling eDirectory. This simply cannot be done.
In fact, OES services cannot be uninstalled. For more information, see “Disabling OES 2 Services” in the OES 2 SP2: Installation Guide.

3.9.17 Samba Enabling Disables SSH Access

Enabling users for Samba automatically disables SSH access for them. However, this default configuration can be changed. For more information, see Section 11.4, “SSH Services on OES 2,”
on page 93.

3.9.18 Unsupported Service Combinations

Do not install any of the following service combinations on the same server. Although not all of the combinations shown in Table 3-2 cause pattern conflict warnings, Novell does not support any of them.
Table 3-2 Unsupported Service Combinations
Service Unsupported on the Same Server
Novell AFP File Server (Samba)
Netatalk
Novell Domain Services for Windows
Novell Samba
There is an exception if NCP server is installed on the same server as Novell AFP.
To support cross-protocol file locking between Novell AFP and NCP, Samba must be installed on the server, but it cannot be used for providing file services to CIFS or SMB clients.
Xen Virtual Machine Host Server
Novell Archive and Version Services
Novell Domain Services for Windows (DSfW)
Xen Virtual Machine Host Server
Novell Backup / Storage Management Services No restrictions
Novell CIFS
File Server (Samba)
Novell Domain Services for Windows
Novell Samba
Xen Virtual Machine Host Server
Novell Cluster Services (NCS)
High Availability
Novell Domain Services for Windows
DSfW can actually be installed and run on the same server as NCS, but DSfW cannot run as a clustered service.
Novell DHCP
Novell DNS
Xen Virtual Machine Host Server
DHCP and DNS Server
Xen Virtual Machine Host Server
Novell Domain Services for Windows File Server (Samba)
Novell AFP
Novell Archive and Version Services
Novell CIFS
Novell Cluster Services (NCS)
NCS can actually be installed and run on the
server, but DSfW cannot run as a clustered service.
Novell FTP
Novell iFolder
Novell NetStorage
Novell Pre-Migration Server
Novell QuickFinder
Novell Samba
Xen Virtual Machine Host Server
Novell eDirectory
Directory Server (LDAP)
Xen Virtual Machine Host Server
Novell FTP
Novell Domain Services for Windows
Xen Virtual Machine Host Server
Novell iFolder
Novell Domain Services for Windows
Xen Virtual Machine Host Server
Novell iManager
Novell iPrint
Xen Virtual Machine Host Server
Print Server (CUPS)
CUPS components are actually installed, but
CUPS printing is disabled. For more information, see Section 6.8.6, “iPrint
Disables CUPS Printing on the OES 2 Server,” on page 67.
Xen Virtual Machine Host Server
Novell Linux User Management (LUM) No restrictions
Novell NCP Server / Dynamic Storage Technology Xen Virtual Machine Host Server
Novell NetStorage
Novell Domain Services for Windows
Xen Virtual Machine Host Server
Novell Pre-Migration Server
Novell Domain Services for Windows
Xen Virtual Machine Host Server
Novell QuickFinder
Novell Remote Manager (NRM)
Novell Domain Services for Windows
Xen Virtual Machine Host Server
Xen Virtual Machine Host Server
Novell Samba File Server (Samba)
Novell CIFS
Novell Domain Services for Windows
Xen Virtual Machine Host Server
Novell Storage Services (NSS)
Xen Virtual Machine Host Server
Xen Virtual Machine Host Server
File Server (Samba)
Novell AFP
Novell Archive and Version Services
Novell CIFS
Novell DHCP
Novell DNS
Novell Domain Services for Windows
Novell eDirectory
Novell FTP
Novell iFolder
Novell iManager
Novell iPrint
Novell NCP Server / Dynamic Storage Technology
Novell NetStorage
Novell Pre-Migration Server
Novell QuickFinder
Novell Remote Manager (NRM)
Novell Samba
Novell Storage Services
Print Server (CUPS)

3.9.19 VNC Install Fails to Set the IP Address in /etc/hosts

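If you install through a VNC connection, the /etc/hosts file is configured with a loopback address assigned to the hostname. This can cause problems with services.
Using a text editor, modify /etc/hosts so that the hostname is associated with its actual IP address.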
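One way to check for this condition before and after editing the file, as an added example that is not from the Novell guide. The function name, the hostname oes2a, and both sample hosts files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the Novell guide): detect the condition described
# in 3.9.19, where /etc/hosts assigns the server's hostname to a loopback
# address instead of its actual IP address.

# hostname_on_loopback HOSTS_FILE HOSTNAME
# Prints "ADDRESS NAME" for each loopback entry (127.0.0.0/8 or ::1) that
# carries HOSTNAME, either as the short name or as the first label of a
# fully qualified name. Returns 0 if such an entry exists, 1 if not.
hostname_on_loopback() {
    awk -v host="$2" '
        BEGIN { h = tolower(host); found = 0 }
        { sub(/#.*/, "") }                    # strip comments
        NF < 2 { next }                       # blank or address-only line
        $1 ~ /^127\./ || $1 == "::1" {
            for (i = 2; i <= NF; i++) {
                n = tolower($i)
                if (n == h || index(n, h ".") == 1) {
                    print $1, $i
                    found = 1
                    break
                }
            }
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Constructed sample files: the first shows the problem, the second the
# corrected entry. 192.0.2.10 is a documentation address used as a stand-in.
demo_dir=$(mktemp -d)
cat > "$demo_dir/hosts.vnc" <<'EOF'
127.0.0.1       localhost
127.0.0.2       oes2a.example.com oes2a   # hostname on a loopback address
EOF
cat > "$demo_dir/hosts.fixed" <<'EOF'
127.0.0.1       localhost
192.0.2.10      oes2a.example.com oes2a   # hostname on its actual IP address
EOF
for f in hosts.vnc hosts.fixed; do
    if hostname_on_loopback "$demo_dir/$f" oes2a >/dev/null; then
        echo "$f: hostname is assigned to a loopback address; edit the file"
    else
        echo "$f: no loopback entry for the hostname"
    fi
done
rm -rf "$demo_dir"
```

On the installed server, run it against the real file: hostname_on_loopback /etc/hosts "$(hostname)".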

3.10 Consider Coexistence and Migration Issues

You probably have a network that is already providing services to network users. In many cases, the services you are currently running will influence your approach to implementing OES 2. In some cases, there are specific paths to follow so that the OES 2 integration process is as smooth as possible.
Novell has invested considerable effort in identifying service coexistence and migration issues you might face. We understand, however, that we can’t anticipate every combination of services that you might have. Therefore, we intend to continue developing coexistence and migration information.
For information about coexistence of OES 2 servers with existing NetWare and Linux networks, see
Chapter 8, “Migrating and Consolidating Existing Servers and Data,” on page 75.

3.11 Understand Your Installation Options

Before installing OES, you should be aware of the information in the following sections:
Section 3.11.1, “OES 2 Installation Overview,” on page 49
Section 3.11.2, “About Your Installation Options,” on page 50
Section 3.11.3, “Use Predefined Server Types (Patterns) When Possible,” on page 51
Section 3.11.4, “If You Want to Install in a Lab First,” on page 51
Section 3.11.5, “If You Want to Install NSS on a Single-Drive Linux Server,” on page 52

3.11.1 OES 2 Installation Overview

The software and network preparation processes required to install OES 2 are outlined in Figure 3-1.
NOTE: Chapter 4, “Getting and Preparing OES 2 Software,” on page 53 contains instructions for
obtaining the ISO image files referred to in the following illustration.
Figure 3-1 OES 2 Install Preparation
[Flowchart; the text of its steps follows.]
Decide whether to install from files on the network or directly from physical media.
Download the SLES 10 and OES 2 ISO image files from www.novell.com. Or get the ISO files or physical media from a Novell Authorized Reseller.
Network install path: Prepare an installation source server as instructed in the OES2: Linux Installation Guide. You can also install OES 2 automatically by using AutoYaST as described in the installation guide.
Physical media install path: Create physical media from the downloaded ISO files as instructed.
Are you installing into an existing eDirectory tree? No (new tree) or Yes (existing tree). For an existing tree, run the Deployment Manager > eDirectory Preparation option. (Requires access to the [root] partition.)
Install OES 2 Linux.
For detailed instructions, see “Setting Up an Installation Source” in the OES 2 SP2: Installation
Guide.

3.11.2 About Your Installation Options

As illustrated in the previous section, OES 2 lets you install from either physical media or from files on the network.
“OES 2 Options” on page 51
“Virtual Machine Installation Options” on page 51
OES 2 Options
OES 2 includes numerous installation options as documented in the OES 2 SP2: Installation Guide.
CD/DVD Install: You can install SLES 10 SP1 by using CDs or a DVD and then install OES 2
from a CD, all of which can be either obtained from a Novell Authorized Reseller or created from downloaded ISO image files.
See “Preparing Physical Media for a New Server Installation or an Upgrade ” in the OES 2
SP2: Installation Guide.
Network Install: You can install from the network by using the NFS, FTP, or HTTP protocol.
Installing from the network saves you from swapping CDs on the server during the installation.
See “Preparing a Network Installation Source” in the OES 2 SP2: Installation Guide.
Automated Install: You can install from the network by using an AutoYaST file.
This lets you install without providing input during the installation process. It is especially useful for installing multiple servers with similar configurations.
See “Using AutoYaST to Install and Configure Multiple OES Servers” in the OES 2 SP2:
Installation Guide.
Virtual Machine Installation Options
Virtual machine installations offer additional options. For more information, see
“Installing, Upgrading, or Updating OES on a Xen-based VM” in the OES 2 SP2: Installation Guide
“Installing and Managing NetWare on a Xen-based VM” in the OES 2 SP2: Installation Guide

3.11.3 Use Predefined Server Types (Patterns) When Possible

Both OES 2 and NetWare 6.5 SP8 include predefined server installation options that install only the components required to provide a specific set of network services. In OES 2, these server types are called patterns.
For example, if you want to install an OES 2 server that provides enterprise level print services, you should select the Novell iPrint Server pattern during the installation.
You should always choose a predefined server type if one fits the intended purpose of your server. If not, you can choose to install a customized OES 2 server with only the service components you need.
More information about server patterns is available in the installation guides:
OES 2: “OES Services Pattern Descriptions” in the OES 2 SP2: Installation Guide
NetWare 6.5 SP8: “Choosing a Server Pattern” in the NW65 SP8: Installation Guide

3.11.4 If You Want to Install in a Lab First

Many organizations prefer to install products on smaller servers for testing in a lab prior to full deployment. The OES 2 SP2: Lab Guide for Linux and Virtualized NetWare walks you through installing and exploring all the basic OES 2 services.

3.11.5 If You Want to Install NSS on a Single-Drive Linux Server

Many are interested in Novell Storage Services (NSS) running on Linux. If you plan to experiment with NSS on a single-drive server, be sure to follow the instructions in “Installing with EVMS as the
Volume Manager of the System Device” in the OES 2 SP2: Installation Guide.

4 Getting and Preparing OES 2 Software

This section contains instructions for getting and preparing Open Enterprise Server 2 software and discusses the following topics:
Section 4.1, “Do You Have Upgrade Protection?,” on page 53
Section 4.2, “Do You Want 32-Bit or 64-Bit OES?,” on page 53
Section 4.3, “Do You Want to Purchase OES 2 or Evaluate It?,” on page 54
Section 4.4, “Evaluating OES 2 Software,” on page 54
Section 4.5, “Licensing,” on page 57
If you have not already done so, we recommend that you review the information in Section 3.11,
“Understand Your Installation Options,” on page 49.

4.1 Do You Have Upgrade Protection?

If you have Novell® Upgrade Protection, you can upgrade to OES 2 and the associated support packs, free of charge until your upgrade protection expires. After your protection expires, the OES 2 upgrade link disappears from your account page.
For more information and to start the upgrade process, do the following:
1 Using your Novell account information, log in to the Novell Web Site (http://www.novell.com/nps).
2 Click Customer Center and log in, using your Novell account username and password to access
the Novell Customer Center home page.
3 Follow the instructions on the page to obtain the upgrade to Open Enterprise Server 2.

4.2 Do You Want 32-Bit or 64-Bit OES?

Compatibility is the first thing to consider as you start planning which software to download and install.
OES 2 is a set of services or an “add-on product” that runs on SUSE® Linux Enterprise Server (SLES 10) and is available in both 32-bit and 64-bit versions. These two versions are required for compatibility with SLES 10 and the server hardware that it runs on. Having two versions of OES introduces a little more complexity into your planning, as illustrated in Table 4-1.

Table 4-1 OES 2, SLES 10, and Server Hardware Compatibility Matrix
OES 2 SP2 Version | SLES 10 SP3 | Server Hardware | Notes
32-bit (i386) | 32-bit (i386) | 32-bit, 64-bit | The 32-bit version of OES 2 SP2 requires the 32-bit version of SLES 10 SP3. If you plan to install 64-bit SLES, you should also install 64-bit OES. Attempting to install the 32-bit version of OES as an add-on product to the 64-bit version of SLES 10 generates numerous dependency errors and is not supported. 32-bit software (OES and SLES) can be installed on either 32-bit or 64-bit hardware.
64-bit (x86_64) | 64-bit (x86_64) | 64-bit | The 64-bit version of OES 2 SP2 requires the 64-bit version of SLES 10 SP3, and they can only be installed on 64-bit hardware.

4.3 Do You Want to Purchase OES 2 or Evaluate It?

If you want to evaluate OES prior to purchasing it, skip to the next section, Evaluating OES 2
Software.
If you have decided to purchase OES 2, visit the Novell How to Buy OES 2 Web page (http://www.novell.com/products/openenterpriseserver/howtobuy.html).
When you purchase OES 2, you receive two activation codes for OES 2 (one for OES 2 services and one for SUSE Linux Enterprise Server 10). Both codes are required for registering an OES 2 system in the Novell Customer Center. After it is registered, your server can receive online updates, including the latest support pack.
As part of the purchase process, it is important that you understand the OES 2 licensing model. For a brief description, see Section 4.5, “Licensing,” on page 57.
After completing your purchase, the installation process goes more smoothly if you understand your installation options. If you haven’t already done so, be sure to review the information in
Section 3.11, “Understand Your Installation Options,” on page 49 and then skip to Chapter 5, “Installing OES 2,” on page 59.

4.4 Evaluating OES 2 Software

This section walks you through the OES 2 software evaluation process and discusses the following topics:
Section 4.4.1, “Understanding OES 2 Software Evaluation Basics,” on page 55
Section 4.4.2, “Downloading OES 2 SP2 Software from the Novell Web Site,” on page 55
Section 4.4.3, “Preparing the Installation Media,” on page 56
Section 4.4.4, “Installing OES 2 for Evaluation Purposes,” on page 56
Section 4.4.5, “Evaluating OES 2,” on page 57
Section 4.4.6, “Installing Purchased Activation Codes after the Evaluation Period Expires,” on
page 57

4.4.1 Understanding OES 2 Software Evaluation Basics

You can evaluate the full OES 2 product. The evaluation software is the complete, fully functional OES 2 product.
As you install each server, you are required to accept an end user license agreement (EULA). Your rights to evaluate and use the OES 2 product are limited to the rights set forth in the EULA.
Briefly, the evaluation period for OES 2 servers is 60 days. To receive software updates during this time, you must have or create an account with the Customer Center, receive evaluation codes for OES 2 and SLES 10 while downloading the software, and use these codes to register your server. No software updates can be downloaded after the 60-day evaluation period expires until you purchase the product.

4.4.2 Downloading OES 2 SP2 Software from the Novell Web Site

If you already have OES 2 SP2 ISO image files, skip to Section 4.4.3, “Preparing the Installation
Media,” on page 56.
If you have OES 2 SP2 product media (CDs and DVDs), skip to Section 4.4.4, “Installing OES 2 for
Evaluation Purposes,” on page 56.
To download ISO image files from the Web:
1 If you don’t already have a Novell account, register for one on the Web (https://secure-www.novell.com/selfreg/jsp/createAccount.jsp?).
2 Access the Novell Downloads Web page (http://download.novell.com).
3 Do a keyword search for Open Enterprise Server 2 SP2, then click the Open Enterprise Server
2 SP2 e-Media Kit link.
4 Click the proceed to download button (upper right corner of the first table).
5 If you are prompted to log in, type your Novell Account > username and password, then click
login.
6 Accept the Export Agreement (required for first downloads only) and answer the survey
questions about your download (optional).
7 Print the download page. You need the listed MD5 verification numbers to verify your
downloads.
8 Scroll down to the Download Instructions section and click the Download Instructions link.
9 Print the Download Instructions page for future reference.
10 Use the information on the Download Instructions page to decide which files you need to
download for the platforms you plan to evaluate, then mark them on the MD5 verification list on the page you printed in Step 7.
11 On the download page, start downloading the files you need by clicking the download button
for each file.
12 If you have purchased OES 2 previously and received purchased OES 2 and SLES 10
activation codes, skip to Step 15.
Otherwise, in the Evaluating Open Enterprise Server 2 section, click the Get Activation Codes link in the Novell Open Enterprise Server 2—Linux paragraph.
60-day evaluation codes are sent in separate e-mail messages to the e-mail address associated with your Novell account.
13 Access your e-mail account and print the messages or write down the activation codes.
Both the OES 2 and the SLES codes are required for product registration and downloading software updates.
14 Click Back to return to the download page.
15 In the download table at the top of the page, click the Install Instructions > View link at the end
of the list of files to download.
Although you might have printed this file earlier, the online version is required for the steps that follow.
16 Scroll past the download decision tables; while you wait for the downloads, read through the
brief installation instructions, clicking the links for more information.
17 Verify the integrity of each downloaded file by running an MD5-based checksum utility on it
and comparing the values against the list you printed in Step 15.
For example, on a Linux system you can enter the following command:
md5sum filename
where filename is the name of the .iso file you are verifying.
For a Windows system, you need to obtain a Windows-compatible MD5-based checksum utility from the Web and follow its usage instructions.
18 (Optional) If you plan to install OES 2 from files on your network, see the instructions in “Preparing a Network Installation Source” in the OES 2 SP2: Installation Guide.

4.4.3 Preparing the Installation Media

IMPORTANT: If you have downloaded .iso image files from the Web, it is critical that you verify the integrity of each file as explained in Step 17 on page 56. Failure to verify file integrity can result in failed installations, especially in errors that report missing files.
Instructions for preparing installation media are located in “Setting Up an Installation Source” in the OES 2 SP2: Installation Guide.

4.4.4 Installing OES 2 for Evaluation Purposes

If you followed the instructions in Section 4.4.2, “Downloading OES 2 SP2 Software from the
Novell Web Site,” on page 55, you now have two activation/evaluation codes: one for OES 2 and
another for SLES 10. As you install OES 2, you should register with the Novell Customer Center and use these codes to enable your server for online updates from the OES 2 and SLES 10 patch channels.
IMPORTANT: Always download the current patches during an installation.
Instructions for using the activation codes during an installation are found in “To register the server
during the installation:” in the OES 2 SP2: Installation Guide.
The evaluation period begins when the codes are issued. Use the same activation codes for each OES 2 server you install during the evaluation period.

4.4.5 Evaluating OES 2

During the evaluation period, we recommend that you fully explore the many services available in OES 2.
To help you get started with the process, we have prepared a lab guide for OES 2 that explores both OES 2 and virtualized NetWare on a second OES 2 virtual machine host server. The sections in this guide introduce eDirectory™, walk you through server installations, and provide brief exercises you can complete to get started using OES 2 Services. After completing the exercises in the guide, you can use the lab setup to further explore OES 2 and learn about its many powerful services.
For more information, see the OES 2 SP2: Lab Guide for Linux and Virtualized NetWare.
After working through the lab guide, we recommend that you review all of the information in this guide to gain a comprehensive overview of OES 2 and the planning and implementation processes you will follow to fully leverage its network services.

4.4.6 Installing Purchased Activation Codes after the Evaluation Period Expires

After purchasing Open Enterprise Server, use the instructions in “Registering the Server in the Novell Customer Center (Command Line)” in the OES 2 SP2: Installation Guide to enter the purchased activation codes that you received with your purchase. After logging in as root, complete the step where you enter the activation codes, replacing the evaluation codes with the purchased codes.

4.5 Licensing

This section explains the following:
Section 4.5.1, “The OES 2 Licensing Model,” on page 57
Section 4.5.2, “SLES Licensing Entitlements in OES 2,” on page 58
Section 4.5.3, “OES 2 Doesn’t Support NLS,” on page 58

4.5.1 The OES 2 Licensing Model

The only OES 2 licensing restriction is the number of user connections allowed to use OES 2 services on your network. You are authorized to install as many OES 2 servers as you need to provide OES 2 services to those users.
For example, if your OES 2 license is for 100 user connections, you can install as many OES 2 servers as desired. Up to 100 users can then connect to and use the services provided by those OES 2 servers. When you install OES 2, you must accept an end user license agreement (EULA). Your rights to use the OES 2 product are limited to the rights set forth in the EULA. Violators of the Novell license agreements and intellectual property are prosecuted to the fullest extent of the law.
To report piracy and infringement violations, please call 1-800-PIRATES (800-747-2837) or send e-mail to pirates@novell.com.
For more information on OES 2 licensing, see the OES 2 Licensing page on the Novell Web site
(http://www.novell.com/licensing/oes_licensing.html).

4.5.2 SLES Licensing Entitlements in OES 2

SUSE Linux Enterprise Server (SLES) entitlements in OES 2 have changed. For more information, refer to the EULA (http://www.novell.com/licensing/eula/oes/oes_2_english.pdf) on the Web.
After installing OES 2, you can use Novell iManager to install and manage license certificates in your eDirectory tree and to monitor NetWare usage. You can also monitor usage of Novell Licensing Services-enabled products.

4.5.3 OES 2 Doesn’t Support NLS

Novell Licensing Services (NLS) are not available on OES 2, nor does an OES 2 installation require a license/key file pair (*.nlf and *.nfk). Therefore, in a mixed OES 2 and NetWare eDirectory tree, at least one NetWare server must hold a replica for each partition where there is a NetWare server object. For more information about licensing for NetWare servers in OES trees, see “NetWare Licenses and OES 2 Trees” on page 44.

5 Installing OES 2

IMPORTANT: Before you install Open Enterprise Server 2, be sure to review the information in
Chapter 3, “Planning Your OES 2 Implementation,” on page 27, especially Section 3.9, “Caveats to Consider Before You Install,” on page 36.
This section briefly covers the following:
Section 5.1, “Installing OES 2,” on page 59
Section 5.2, “Installing OES 2 Servers in a Xen VM,” on page 60

5.1 Installing OES 2

The OES 2 installation leverages the SUSE® Linux YaST graphical user interface. You can install OES 2 services on an existing SUSE Linux Enterprise Server 10 server, or you can install both OES 2 and SLES 10 at the same time, making the installation of SLES 10 and OES 2 services a seamless process.
To ensure a successful installation:
1. Read and follow all instructions in the OES 2 Readme (http://www.novell.com/documentation/oes2/oes_readme/data/oes_readme.html#bsen7me).
2. Carefully follow the instructions in the OES 2 SP2: Installation Guide, especially those found in
Preparing to Install OES 2 SP2
Installing OES 2 SP2
3. Make sure you always download the latest patches as part of the Customer Center configuration during the install. This ensures the most stable configuration and installation process and prevents some issues that are documented in the product Readme.
4. After updating the server, red text appears under the CA Management section, indicating that the CA must be configured before proceeding.
This happens because the server reboots as part of the upgrade process and the root password is no longer in memory.
Click CA Management, type and confirm the root password in the indicated fields, then click Next. The installation proceeds.
5. During the installation, you have the option to disable each service for later configuration. However, we recommend that you configure all services at install time simply because the process is more streamlined.
For more information on configuring services later, see “Installing/Configuring OES 2 SP2 on an Existing Server” in the OES 2 SP2: Installation Guide.

5.1.1 What's Next

After installing OES 2 and before starting to use your new OES 2 server, be sure to review the information in Chapter 6, “Caveats for Implementing OES 2 Services,” on page 61.
The various service sections in this guide contain information about completing your OES 2 services implementation. See the sections for the services you have installed, beginning with Chapter 11,
“Managing OES 2,” on page 83.

5.2 Installing OES 2 Servers in a Xen VM

Installing OES 2 servers on a Xen virtual machine involves installing an OES 2 SP2 or SUSE® Linux Enterprise Server (SLES) 10 SP3 VM host server, creating a VM, and then installing an OES 2 server (NetWare or Linux) in the VM.
To get started with Xen virtualization in OES 2, see the following:
“Introduction to Xen Virtualization (http://www.novell.com/documentation/sles10/xen_admin/data/sec_xen_basics.html)” in the Virtualization with Xen (http://www.novell.com/documentation/sles10/xen_admin/data/bookinfo.html) guide.
“Installing OES as a Xen VM Host Server” in the OES 2 SP2: Installation Guide.
“Installing, Upgrading, or Updating OES on a Xen-based VM” in the OES 2 SP2: Installation Guide.
“Installing and Managing NetWare on a Xen-based VM” in the OES 2 SP2: Installation Guide.

6 Caveats for Implementing OES 2 Services

This section presents a few pointers for avoiding common Open Enterprise Server 2 implementation problems.
The list that follows is not comprehensive. Rather, it simply outlines some of the more common problems reported by network administrators. To ensure successful service implementations, you should always follow the instructions in the documentation for the services you are implementing.
Section 6.1, “AFP,” on page 61
Section 6.2, “Avoiding POSIX and eDirectory Duplications,” on page 62
Section 6.3, “CIFS,” on page 64
Section 6.4, “ConsoleOne Can Cause JClient Errors,” on page 64
Section 6.5, “CUPS on OES 2,” on page 64
Section 6.6, “eDirectory,” on page 64
Section 6.7, “iFolder 3.8,” on page 66
Section 6.8, “iPrint,” on page 66
Section 6.9, “LDAP—Preventing “Bad XML” Errors,” on page 67
Section 6.10, “Management,” on page 68
Section 6.11, “NCP Doesn’t Equal NSS File Attribute Support,” on page 69
Section 6.12, “Novell-tomcat Is for OES Use Only,” on page 70
Section 6.13, “NSS (OES 2),” on page 70
Section 6.14, “OpenLDAP on OES 2,” on page 71
Section 6.15, “Samba,” on page 71
Section 6.16, “Virtualization Issues,” on page 71

6.1 AFP

Section 6.1.1, “Anti-Virus Solutions and AFP,” on page 61

6.1.1 Anti-Virus Solutions and AFP

The Apple Filing Protocol (AFP) support for NSS files on OES 2 SP2 is implemented via a technology that bypasses the real-time scanning employed by most anti-virus solutions for OES.
NSS files shared through an AFP connection can be protected by on-demand scanning on the OES 2 server or by real-time and on-demand scanning on the Apple* client.

6.2 Avoiding POSIX and eDirectory Duplications

OES 2 servers can be accessed by
Local (POSIX) users that are created on the server itself.
eDirectory users that are given local access through Linux User Manager (LUM).
However, there are some issues you need to consider:
Section 6.2.1, “The Problem,” on page 62
Section 6.2.2, “Three Examples,” on page 62
Section 6.2.3, “Avoiding Duplication,” on page 63

6.2.1 The Problem

There is no cross-checking between POSIX and eDirectory™ to prevent the creation of users or groups with duplicate names.
When duplicate names occur, the resulting problems are very difficult to troubleshoot because everything on both the eDirectory side and the POSIX side appears to be configured correctly. The most common problem is that LUM-enabled users can’t access data and services as expected, but other errors could surface as well.
Unless you are aware of the users and groups in both systems, especially those that are system-created, you might easily create an invalid configuration on an OES 2 server.

6.2.2 Three Examples

The following examples illustrate the issue.
“The shadow Group” on page 62
“The users Group” on page 63
“Other Non-System Groups” on page 63

The shadow Group
There is a default system-created group named shadow that is used by certain Web-related services, including the OES 2 QuickFinder™ server, but it has no relationship with Dynamic Storage Technology (DST) and shadow volumes.
Because shadow is a local POSIX group, there is nothing to prevent you from creating a LUM-enabled second group in eDirectory that is also named shadow. In fact, this could be a logical name choice for many administrators in conjunction with setting up shadow volume access for Samba/CIFS users.
However, using this group name results in LUM-enabled users being denied access by POSIX, which looks first to the local shadow group when determining access rights and only checks eDirectory for a group named shadow if no local group is found.

The users Group
There is another default system-created group named users that is not used by OES 2 services but is nevertheless created on all SLES 10 (and therefore, OES 2) servers.
Creating an eDirectory group named users would seem logical to many administrators. And as with the shadow group, nothing prevents you from using this name.
Unfortunately, having a LUM-enabled eDirectory group named users is not a viable configuration for services requiring POSIX access. The local users group is always checked first, and the LUM-enabled users group in eDirectory won’t be seen by POSIX.
NOTE: Do not confuse eDirectory Group objects with Organizational Unit (OU) container objects. Creating an OU container in eDirectory named users is a valid option and does not create conflicts with POSIX.

Other Non-System Groups
Conflicts between group and user names also occur when administrators create local and eDirectory groups with the same name.
For example, one administrator creates a group named myusers on the local system and another creates a LUM-enabled group in eDirectory with the same name. Again, the LUM-enabled users who are members of the eDirectory group won’t have access through POSIX.
This is why we recommend that, as a general rule, administrators should not create local users or groups on OES 2 servers. You should only make exceptions when you have determined that using LUM-enabled users and groups is not a viable option and that objects with the same names as the POSIX users and groups will not be created in eDirectory in the future.

6.2.3 Avoiding Duplication

Having duplicate users and groups is easily avoided by following these guidelines:
“Use YaST to List All System-Created Users and Groups” on page 63
“Create Only eDirectory Users and Groups” on page 64
Use YaST to List All System-Created Users and Groups
We recommend that you use the YaST Group Management/User Management module to check for names you might duplicate by mistake.
1. Open the YaST Control Center.
2. Click either Group Management or User Management.
3. Click Set Filter > Customize Filter.
4. Select both options (Local and System), then click OK.
All users or groups are displayed, including those that exist only in eDirectory and are LUM-enabled.
5. To avoid duplication, keep this list in mind as you create eDirectory users and groups.
NOTE: The list of users and groups in Appendix I, “System User and Group Management in OES 2 SP2,” on page 257 is not exhaustive. For example, the users group is not listed.

Create Only eDirectory Users and Groups
For OES 2 services, the LUM technology eliminates the need for local users and groups. We recommend, therefore, that you avoid the problems discussed in this section by not creating local users and groups.
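The duplication described in Section 6.2 can also be checked from a script before new eDirectory objects are created. The following is an added example, not part of the Novell guide: it reports every name that appears both in a local POSIX database (/etc/group or /etc/passwd format) and in a list of eDirectory object names. The function names, the one-name-per-line list format, and the sample data are assumptions constructed for illustration; how the eDirectory names are exported is left to the administrator.

```shell
#!/bin/sh
# Added example (not from the Novell guide): find names defined both locally
# (POSIX) and in eDirectory, the condition that hides LUM-enabled objects.

# find_collisions POSIX_DB EDIR_NAMES
#   POSIX_DB    file in /etc/group or /etc/passwd format (name is field 1)
#   EDIR_NAMES  assumed format: one eDirectory object name (CN) per line
# Prints each colliding name once, sorted.
# Returns 0 if there are no collisions, 1 if at least one was found.
find_collisions() {
    posix_db=$1
    edir_names=$2
    hits=$(LC_ALL=C awk -F: '
        FILENAME == ARGV[1] {              # eDirectory name list
            sub(/\r$/, "")                 # tolerate CRLF exports
            gsub(/^[ \t]+|[ \t]+$/, "")    # trim surrounding blanks
            if ($0 != "" && $0 !~ /^#/) edir[$0] = 1
            next
        }
        /^#/ || $1 == "" { next }          # POSIX file: skip comments, blanks
        ($1 in edir) { print $1 }
    ' "$edir_names" "$posix_db" | LC_ALL=C sort -u)
    if [ -z "$hits" ]; then
        return 0
    fi
    printf '%s\n' "$hits"
    return 1
}

# Constructed sample data reproducing the three cases from Section 6.2.2:
# the system groups shadow and users, and an administrator-created myusers.
demo_collisions() {
    tmp=$(mktemp -d)
    cat > "$tmp/group" <<'EOF'
root:x:0:
shadow:!:15:wwwrun
users:x:100:
www:x:8:
myusers:!:1000:
EOF
    cat > "$tmp/edir-groups.txt" <<'EOF'
sales
users
shadow
engineering
myusers
EOF
    if dup=$(find_collisions "$tmp/group" "$tmp/edir-groups.txt"); then
        echo "no duplicate group names"
    else
        echo "names defined in both POSIX and eDirectory:"
        echo "$dup"
    fi
    rm -rf "$tmp"
}

demo_collisions
```

The same function works for user names when it is given a passwd-format file and a list of eDirectory user names.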

6.3 CIFS

Section 6.3.1, “Changing the Server IP Address,” on page 64

6.3.1 Changing the Server IP Address

Reconfiguring CIFS in YaST might not take effect if the server IP address was changed on the server but not in the OES LDAP server configuration.
To work around this:
1 Reconfigure the LDAP server IP address with the IP address changes.
2 Then change the CIFS IP address configuration.

6.4 ConsoleOne Can Cause JClient Errors

ConsoleOne support is now limited to management of GroupWise and ZENworks for Desktops 7.
If you need to use ConsoleOne® to manage either of these supported products on OES 2, make sure you have installed version 1.3.6h or later.
Earlier versions of ConsoleOne cause JClient errors in iManager.

6.5 CUPS on OES 2

iPrint is the print solution for OES 2 and offers more robust and scalable print services than a CUPS installation can. iPrint actually uses CUPS to render print jobs prior to sending them to the printer, but for scalability and performance, printing from the server itself is disabled during iPrint installation.
If you plan to use iPrint, deselect Print Server in the Primary Functions category during the install and don’t configure CUPS on the OES 2 server.

6.6 eDirectory

Section 6.6.1, “Avoid Uninstalling eDirectory,” on page 65
Section 6.6.2, “Avoid Renaming Trees and Containers,” on page 65
Section 6.6.3, “Default Static Cache Limit Might Be Inadequate,” on page 65
Section 6.6.4, “eDirectory Fails to Start Automatically After a Command Prompt Install,” on
page 65
Section 6.6.5, “One Instance Only,” on page 66
Section 6.6.6, “Special Characters in Usernames and Passwords,” on page 66

6.6.1 Avoid Uninstalling eDirectory

OES services are tightly integrated with eDirectory and do not function without it.
Although the eDirectory 8.8 documentation describes how to remove and reinstall eDirectory, the processes described do not cleanly decouple OES services, nor do they restore service connections. As a result, not only does uninstalling eDirectory break OES services, reinstalling eDirectory does not restore them.
If you have an issue that you believe can only be resolved by uninstalling eDirectory, make sure you consult with Novell Technical Services before you attempt to do so.

6.6.2 Avoid Renaming Trees and Containers

The configuration files for many OES services point to configuration data stored within eDirectory.
Although eDirectory tracks all changes internally, OES services do not. Therefore, if you rename your eDirectory tree or one of the containers below [Root], you should expect that one or more of your OES services will break.
If you need to rename a container or tree, make sure that you
1. Identify all of the configuration files for your OES services.
2. Assess whether the changes that you are planning impact any of your service configurations.
3. Understand and articulate the changes that are required to restore your services after renaming.
There are no automated tools in OES for resolving the configuration errors and other problems that are caused by renaming a tree or its containers.

6.6.3 Default Static Cache Limit Might Be Inadequate

The eDirectory install in OES 2 SP2 sets a default static cache of 64 MB if an _ndsdb.ini file is not present in the dib directory.
To improve performance, you can adjust the cache parameter in the _ndsdb.ini file after the install to meet your eDirectory performance requirements, depending on the database size and available system RAM. We recommend setting the cache to 200 MB on a 2 GB RAM system and 512 MB on a 4 GB RAM system.

6.6.4 eDirectory Fails to Start Automatically After a Command Prompt Install

Although it is somewhat rare, if you install and configure eDirectory as an OES component at the command prompt rather than through YaST, eDirectory might fail to start. If this happens, enter the following command at the command prompt:
chkconfig -a ndsd

6.6.5 One Instance Only

OES 2 supports only one instance of eDirectory (meaning one tree instance) per server.
If you need two or more instances running on a single server, you must install them on a non-OES server, such as SLES 10.

6.6.6 Special Characters in Usernames and Passwords

Using special characters in usernames and passwords can create problems when the values are passed during an eDirectory installation or schema extension.
If the username or password contains special characters, such as $, #, and so on, escape the character by preceding it with a backslash (\). For example, an administrator username of
cn=admin$name.o=container
must be passed as
cn=admin\$name.o=container
When entering parameter values at the command line, you can either escape the character or place single quotes around the value. For example:
cn=admin\$name.o=container
or
'cn=admin$name.o=container'
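The reason for the escaping is that the shell rewrites the value before the installation program ever sees it. The following is an added example, not part of the Novell guide: it shows what a program receives for the unescaped, backslash-escaped, and single-quoted forms of the guide's sample username, and adds a helper that produces the backslash-escaped form of any single-line value. The function names and the sample password are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the Novell guide): what the shell does to a value
# containing special characters before a program receives it.

# shell_escape VALUE
# Prints VALUE with a backslash in front of every character outside a
# conservative safe set, so the result can be typed on a command line.
# Values containing newlines are not handled.
shell_escape() {
    printf '%s' "$1" | LC_ALL=C sed 's|[^A-Za-z0-9_.,=@%+:/-]|\\&|g'
}

# received_as TEXT
# Prints the first argument a program would receive if TEXT were typed on a
# command line. Uses eval, so call it only with values you wrote yourself.
received_as() {
    eval "set -- $1"
    printf '%s' "$1"
}

# The shell treats $name as a variable reference. It is empty here, as it
# would be in a typical session where no variable of that name is defined.
name=''
raw='cn=admin$name.o=container'      # sample username from the guide

echo "typed as-is:       $(received_as "$raw")"
echo "backslash-escaped: $(received_as "$(shell_escape "$raw")")"
echo "single-quoted:     $(received_as "'$raw'")"

# Constructed sample password with several special characters.
pw='p#ss w$rd'
echo "escaped password:  $(shell_escape "$pw")"
```

Typed as-is, the username reaches the program as cn=admin.o=container, which is a different object name and fails in a way that does not point back at the missing escape.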

6.7 iFolder 3.8

Implementation caveats for iFolder 3.8 are documented in “Caveats for Implementing iFolder 3.7
and Later Services” in the Novell iFolder 3.8 Administration Guide.

6.8 iPrint

iPrint has the following implementation caveats:
Section 6.8.1, “Cluster Failover Between Mixed Platforms Not Supported,” on page 66
Section 6.8.2, “Printer Driver Uploading on OES 2 Might Require a CUPS Administrator
Credential,” on page 67
Section 6.8.3, “Printer Driver Uploading Support,” on page 67
Section 6.8.4, “iManager Plug-Ins Are Platform-Specific,” on page 67
Section 6.8.5, “iPrint Client for Linux Doesn't Install Automatically,” on page 67
Section 6.8.6, “iPrint Disables CUPS Printing on the OES 2 Server,” on page 67

6.8.1 Cluster Failover Between Mixed Platforms Not Supported

Clustered iPrint services can only fail over to the same platform, either OES 2 or NetWare.

6.8.2 Printer Driver Uploading on OES 2 Might Require a CUPS Administrator Credential

A PPD is the Linux equivalent of a printer driver on Windows.
There are two versions of the iPrint Client: high security and low security. By default, end users and administrators install the high-security client when using the iPrint Printer List Web page.
This means that administrators are prompted for a CUPS administrator credential when uploading PPDs. However, the prompt doesn’t specify that a CUPS administrator credential is needed and the root user credential does not work.

6.8.3 Printer Driver Uploading Support

Uploading PPD printer drivers from a Linux workstation requires a Mozilla*-based browser. Only the Add From System button works for uploading drivers. Non-Mozilla-based browsers, such as Konqueror, cannot be used to upload drivers.
Uploading PPD printer drivers from a Windows workstation requires Internet Explorer* 5.5 or later. Other browsers running on Windows do not work for uploading drivers.
Windows printer drivers cannot be uploaded by using Mozilla-based or other browsers on any platform.

6.8.4 iManager Plug-Ins Are Platform-Specific

The iManager plug-ins are different for each server platform. Therefore, if you have both OES 2 and NetWare 6.5 SP8 servers running iPrint services, you need two instances of iManager to manage iPrint—one on each platform.

6.8.5 iPrint Client for Linux Doesn't Install Automatically

Users who are used to installing the Windows iPrint Client expect to choose an Open option and have the client install automatically. However, installing the client on Linux workstations requires you to save the RPM package and then install it manually if a package manager is not already installed and configured as it is in the Novell Linux Desktop. For more information, see “Linux:
iPrint Client” in the OES 2 SP2: iPrint for Linux Administration Guide.

6.8.6 iPrint Disables CUPS Printing on the OES 2 Server

iPrint uses CUPS to render print jobs before sending the print job to the Print Manager. For performance and scalability, printing from the server itself is disabled during the OES installation of iPrint.

6.9 LDAP—Preventing “Bad XML” Errors

If you are using Novell eDirectory 8.7.3x, timeouts are possible when you search from iManager for eDirectory objects, such as NCP™ Server objects, Volume objects, and Cluster objects. This is because the Object Class attribute is not indexed by default. The LDAP sub-tree search can take over 30 seconds, which causes the query to time out. For example, a Cluster objects search from the Cluster Options page returns the error:
Bad XML found during parsing when accessing cluster options
We recommend that you create a value index on the objects’ Object Class attribute. (Object Class is considered an attribute for indexing purposes.) This helps to reduce the time needed for the subtree search from over 30 seconds to 10 to 50 milliseconds. For instructions, see “Creating an Index” in the Novell eDirectory 8.8 Administration Guide.
Building indexes speeds up the subtree search, even if some partitions being searched do not contain these types of objects. For example, searching for a Cluster object in a context that contains only users is not expected to return results; however, the Object Class search is still performed, and benefits from having an index present.
The subtree search performance issue is resolved in the eDirectory 8.8.x release with the addition of the AncestorID feature.

6.10 Management

Section 6.10.1, “iManager RBS Configuration with OES 2,” on page 68
Section 6.10.2, “Storage Error in iManager When Accessing a Virtual Server,” on page 69
Section 6.10.3, “Truncated DOS-Compatible Short Filenames Are Not Supported at a Terminal
Prompt,” on page 69

6.10.1 iManager RBS Configuration with OES 2

In “Installing RBS” in the Novell iManager 2.7.3 Administration Guide, you are instructed to run the iManager Configuration Wizard before using iManager.
When iManager is installed in connection with OES 2, various roles and tasks are configured, as shown in Figure 6-1.
These roles and tasks are available to all the users you create until you run the configuration wizard. After that, the roles and tasks are available only to the Admin user and other users or groups you specifically designate.
Figure 6-1 iManager Roles and Tasks
For more information on iManager, see the Novell iManager 2.7.3 Administration Guide.

6.10.2 Storage Error in iManager When Accessing a Virtual Server

iManager returns a Storage Error when you access the Authentication tab for a virtual server object. This is working as designed.

6.10.3 Truncated DOS-Compatible Short Filenames Are Not Supported at a Terminal Prompt

Use the actual filenames instead of names such as filena~1.txt during file operations from the command prompt.

6.11 NCP Doesn’t Equal NSS File Attribute Support

NSS file attributes and NCP™ services tend to get mixed together in the minds of NetWare administrators. It is important to remember that file and directory attributes are supported and enforced by the file system that underlies an NCP volume, not by the NCP server.
For example, even though the Rename Inhibit attribute appears to be settable in the NCP client interface, if the underlying file system is Linux POSIX (Reiser, etc.) there is no support for the attribute and it cannot be set.
Salvage (undelete) and Purge are other features that are available only on NSS and only where the Salvage attribute has been set (the NSS default). They can be managed in the NCP client and through NetStorage, but they are not available on NCP volumes where the underlying file system is Linux POSIX.
Some administrators assume they can provide NSS attribute support by copying or migrating files, directories, and metadata from an NSS volume to a defined NCP volume on a Linux POSIX partition. However, this doesn’t work, because NSS file attributes are only supported on NSS volumes.

6.12 Novell-tomcat Is for OES Use Only

The novell-tomcat package is installed for Novell service use only. It is an embedded part of Novell services, not a generic application platform.
If you want to deploy a Web application on Tomcat on an OES server, install and use the Tomcat package that comes with SLES 10, not the novell-tomcat package.

6.13 NSS (OES 2)

Section 6.13.1, “Understanding Name Space Support,” on page 70
Section 6.13.2, “The Role of EVMS,” on page 70

6.13.1 Understanding Name Space Support

NSS stores LONG, UNIX, DOS, and AFP name spaces for all files. The default name space sets which name space will be exposed.
In OES 2 the LONG name space was made the default to help performance of NCP, CIFS, and Samba file services. If your primary use is for GroupWise, we recommend changing the default name space to UNIX.

6.13.2 The Role of EVMS

EVMS is the only supported volume manager for NSS volumes on OES 2.
Although some administrators have successfully created NSS volumes on hard disks managed by non-EVMS volume managers, there are serious management and configuration limitations associated with this unsupported implementation. For more information, see “Using NSS on
Devices Managed by Non-EVMS Volume Managers (Linux)” in the OES 2 SP2: NSS File System
Administration Guide.
NOTE: EVMS support is automatic and requires no manual configuration unless NSS is being installed on the device that contains the boot (/boot) and root (/) partitions (the system device). In that case only, you must follow the instructions in “Installing with EVMS as the Volume Manager of the System Device” in the OES 2 SP2: Installation Guide.

6.14 OpenLDAP on OES 2

You cannot run OpenLDAP on an OES 2 server with eDirectory installed. eDirectory LDAP is required for OES 2 services and uses the same ports as OpenLDAP.

6.15 Samba

For Samba implementation caveats, see “Samba Caveats” in the OES2 SP2: Samba Administration
Guide.

6.16 Virtualization Issues

The following are caveats for setting up OES 2 servers in Xen VMs:
Section 6.16.1, “Always Close Virtual Machine Manager When Not in Use,” on page 71
Section 6.16.2, “Always Use Timesync Rather Than NTP,” on page 71
Section 6.16.3, “Backing Up a Xen Virtual Machine,” on page 71
Section 6.16.4, “Time Synchronization and Virtualized OES 2,” on page 71
Section 6.16.5, “NSS Considerations,” on page 72

6.16.1 Always Close Virtual Machine Manager When Not in Use

You should always close Virtual Machine Manager (VMM) when you are not actively using it. Virtual Machines are not affected.
Leaving VMM open can affect the system resources available to the VMs.

6.16.2 Always Use Timesync Rather Than NTP

Time synchronization problems have been observed when virtualized NetWare servers are running the XNTPD NLM™. Therefore, Novell strongly recommends using Timesync and also configuring the service to communicate through NTP.

6.16.3 Backing Up a Xen Virtual Machine

When backing up a Xen virtual machine running virtualized NetWare, we recommend using a remote backup source rather than a local tape device because of limitations in detecting a local tape device.

6.16.4 Time Synchronization and Virtualized OES 2

eDirectory relies on time being synchronized and connections with eDirectory are lost if the system time varies in the host operating system. Be sure you understand and follow the instructions in
“Virtual Machine Clock Settings” (http://www.novell.com/documentation/sles10/book_virtualization_xen/data/sec_guest_suse.html#sec_xen_time) in the “Virtual Machine Clock Settings” (http://www.novell.com/documentation/sles10/book_virtualization_xen/data/book_virtualization_xen.html) guide.

6.16.5 NSS Considerations

Make sure you follow these guidelines for using NSS volumes in connection with OES 2 servers running in Xen VMs:
Both Linux and NetWare Platforms: NSS pools and volumes must be created on only SCSI or Fibre Channel devices. You cannot use a file-based disk image, LVM-based disk image, or an SATA/IDE disk for the virtual machine.
OES 2: Data shredding is not supported.

7 Upgrading to OES 2

This section provides information and links for upgrading to Open Enterprise Server.
Section 7.1, “Caveats to Consider Before Upgrading,” on page 73
Section 7.2, “OES 2 SP2 Upgrade Paths,” on page 74
Section 7.3, “NetWare 6.5 SP8 Upgrade Paths,” on page 74

7.1 Caveats to Consider Before Upgrading

Be aware of the following caveats when upgrading an OES server:
Section 7.1.1, “About Previously Installed Packages (RPMs),” on page 73
Section 7.1.2, “iManager 2.5 Replaced by iManager 2.7 on NetWare,” on page 73
Section 7.1.3, “OES 1 Linux to OES 2 Service Differences,” on page 73
Section 7.1.4, “Only One eDirectory Instance Is Supported on OES Servers,” on page 74

7.1.1 About Previously Installed Packages (RPMs)

Other Novell® products, such as GroupWise®, and third-party applications that you have installed are treated differently by default when you upgrade an OES server, depending on the version of the server you are upgrading:
OES 1: Applications are deleted by default during an upgrade.
OES 2: Applications installed on an OES 2 server are retained, but might not work after
upgrading.
To learn more and for instructions on manually changing these options, see “Planning for the
Upgrade to OES 2 SP2” in the OES 2 SP2: Installation Guide.

7.1.2 iManager 2.5 Replaced by iManager 2.7 on NetWare

If iManager 2.5 is installed on a NetWare server, and you upgrade it to NetWare 6.5 SP8, iManager and its associated plug-ins are automatically updated to version 2.7. For more information about iManager 2.7, see the Novell iManager 2.7.3 Administration Guide.
If you are using iManager 2.02, iManager is not upgraded.

7.1.3 OES 1 Linux to OES 2 Service Differences

eGuide, Novell iFolder® 2, and Virtual Office are not supported on OES 2. If you upgrade an OES 1 Linux server with any of these installed to OES 2 SP2, the services cease to function.

7.1.4 Only One eDirectory Instance Is Supported on OES Servers

If your OES server has multiple instances of eDirectory™ running (multiple trees), any attempt to upgrade the server fails.
You must remove all instances, except the one that uses port 524, prior to an upgrade.
For more information, see Section 6.6.5, “One Instance Only,” on page 66.

7.2 OES 2 SP2 Upgrade Paths

The following are supported upgrade paths for OES 2 SP2:
Table 7-1 Supported OES 2 SP2 Upgrade Paths
Source | Destination
OES 1 SP2 32-bit (Latest Patch Level) (Physical only) | OES 2 SP2 32-bit (Physical only)
OES 2 32-bit (Physical or virtual) | OES 2 SP2 32-bit (Physical or virtual)
OES 2 64-bit (Physical or virtual) | OES 2 SP2 64-bit (Physical or virtual)
OES 2 SP1 32-bit (Physical or virtual) | OES 2 SP2 32-bit (Physical or virtual)
OES 2 SP1 64-bit (Physical or virtual) | OES 2 SP2 64-bit (Physical or virtual)
NOTE: Physical installations cannot be upgraded to virtual installations, and the reverse is also true. Only physical to physical and virtual to virtual upgrades are supported.
For complete upgrade instructions, see “Upgrading to OES 2 SP2” in the OES 2 SP2: Installation Guide.
In addition to upgrading the server itself, data and service migrations from OES 1 to OES 2 are also supported. For more information, see the OES 2 SP2: Migration Tool Administration Guide.

7.3 NetWare 6.5 SP8 Upgrade Paths

For help upgrading from NetWare to OES 2, see the OES 2 SP2: Upgrading to OES—Planning and
Implementation Guide.

8 Migrating and Consolidating Existing Servers and Data

This section briefly outlines the following migration topics:
Section 8.1, “Supported OES 2 SP2 Migration Paths”
Section 8.2, “Migration Tools and Purposes”

8.1 Supported OES 2 SP2 Migration Paths

For a complete list of Open Enterprise Server 2 SP2 migration scenarios and paths, see “Migration
Scenarios” in the OES 2 SP2: Migration Tool Administration Guide.

8.2 Migration Tools and Purposes

The following sections briefly explain the migration tools included in OES 2 SP2:
Section 8.2.1, “OES 2 SP2 Migration Tool”
Section 8.2.2, “Migrate Windows Shares Utility”

8.2.1 OES 2 SP2 Migration Tool

The OES 2 SP2 Migration Tool lets you migrate and/or consolidate data and services from one or more NetWare, OES 1, or OES 2 source servers to an OES 2 SP2 target server. The source servers must each be running the same platform. Cross-platform consolidations are not directly supported, but can be facilitated as explained in “Cross-Platform Data Consolidations” in the OES 2 SP2:
Migration Tool Administration Guide.
You can also transfer a complete server identity, including its IP address, hostname, eDirectory identity, NICI keys, and certificates. For more information, see “Transfer ID” in the OES 2 SP2: Migration Tool Administration Guide.

8.2.2 Migrate Windows Shares Utility

OES 2 SP2 includes the Migrate Windows Shares utility to help you migrate data from Windows NT*, 2000, or 2003 servers to OES 2 SP2.
For more information, see “Migrating Data from Windows to OES 2 SP2 Linux” in the OES 2 SP2:
Migration Tool Administration Guide.

9 Virtualization in OES 2

In Open Enterprise Server 2, you can host multiple OES 2 and NetWare servers on Xen virtual machines (VMs) on a single Xen host server.
For information about installing and running OES 2 services on Xen-based virtual machines, see the links on the Virtualization page of the OES 2 Online Documentation.
Section 9.1, “Graphical Overview of Virtualization in OES 2”
Section 9.2, “Why Install OES Services on Your VM Host?”
Section 9.3, “Services Supported on VM Hosts and Guests”
IMPORTANT: Support for Xen virtualization of NetWare 6.5 SP7 and later is an OES 2 product feature and is available only to OES 2 registered customers.

9.1 Graphical Overview of Virtualization in OES 2

Figure 9-1 illustrates how a single VM host server can support multiple VM guest servers that in turn provide OES services.
Figure 9-1 Xen-Based Virtualization in OES 2
[Figure: a virtualization host server (OES 2 SP2 Linux or SLES 10 SP3) hosting four virtual machines, whose guest servers are NetWare 6.5 SP7, OES 2 Linux, NetWare 6.5 SP8, and OES 2 SP2 Linux.]

9.2 Why Install OES Services on Your VM Host?

Novell supports three OES 2 services running on a Xen VM host server: Novell Linux User Management, Novell Storage Management Services, and Novell Cluster Services™. Additionally, whenever you specify OES 2 as an add-on product, the YaST-based NetWare Response File Utility is automatically installed, whether you install any OES 2 services or not.
Having these components installed on a Xen VM host server provides the following benefits:
Linux User Management (LUM): Lets you SSH into the server for management purposes by using an eDirectory™ user account.
This functionality requires that you
    Enable SSH communications through any firewalls that are running on the server.
    Configure LUM to allow SSH as a LUM-enabled service. For more information, see “SSH Services on OES 2” in the OES 2 SP2: Planning and Implementation Guide.
Storage Management Services (SMS): Lets you back up the VM host server and all of the VM guests.
Novell Cluster Services (NCS): Lets you cluster the VM guests running on the VM host.
NetWare Response File Utility: Lets you pre-answer the same questions as you would during a physical NetWare installation. When the time comes to run the NetWare Install program, the installation reads your responses from the file and proceeds without requiring further intervention.

9.3 Services Supported on VM Hosts and Guests

As you plan your virtualization configurations, you will want to consider which services are supported where (see Table 9-1) and which combinations of services are supported (see Section 3.9.18, “Unsupported Service Combinations,” on page 45).
Table 9-1 Services Supported on VM Hosts and Guests
OES 2 Service Linux VM Host Linux VM Guest NetWare VM Guest
AFP (Novell AFP)
Backup/SMS
CIFS (Novell CIFS)
Cluster Services (non-NSS and Xen templates only)
DHCP
DNS
Domain Services for Windows (DSfW)
eDirectory
FTP
Novell iFolder® (3.7) (2.1x)
iManager
iPrint
Linux User Management
NCP Server/Dynamic Storage Technology
NetStorage
Novell Remote Manager (NRM)
Novell Storage Services™ (NSS)
QuickFinder™
Samba
IMPORTANT: Adding OES services to a Xen VM host requires that you boot the server with the regular kernel prior to adding the services. See the instructions in the Important note in “Installing or
Configuring OES Services on an Existing Server” in the OES 2 SP2: Installation Guide.

10 Clustering and High Availability

Open Enterprise Server 2 includes support for a two-node Novell® Cluster Services™ cluster.
The full Novell Cluster Services product (available through a separate purchase) is a multinode clustering product that
Can include up to 32 servers.
Is supported for both NetWare® and Linux.
Is eDirectory™ enabled for single-point ease of management.
Supports failover, failback, and migration (load balancing) of individually managed cluster resources.
Supports shared SCSI, iSCSI, and Fibre Channel storage area networks.
For more information, see the topics in “clustering (high availability)” in the OES 2 online documentation.

11 Managing OES 2

This section includes the following topics:
Section 11.1, “Overview of Management Interfaces and Services”
Section 11.2, “Using OES 2 Welcome Pages”
Section 11.3, “OES Utilities and Tools”
Section 11.4, “SSH Services on OES 2”

11.1 Overview of Management Interfaces and Services

As shown in Figure 11-1, Open Enterprise Server provides a rich set of service-management and server-management tools, including browser-based and server-based interfaces that help you implement and maintain your network. Access to most of these management interfaces is controlled through eDirectory™. However, a few interfaces, such as YaST on SUSE® Linux Enterprise Server 10 servers, require local authentication.
For more information, see Section 11.3, “OES Utilities and Tools,” on page 85.
Figure 11-1 Management Interfaces and Services
[Figure labels: Users, Tools, Authentication, Services and Servers. Users: root user, Admin user. Tools: nsscon, nssmu, ncpcon, DFS and NSS utilities, NRM, YaST, and native Linux tools; browser-based tools (both platforms); NetWare console (NetWare only). Authentication: Linux/POSIX authentication, eDirectory authentication. Services and servers: OES 2 services (except eDirectory), all OES 2 services, OES 2 Linux servers, OES 2 servers.]

11.2 Using OES 2 Welcome Pages

After you install an OES 2 server, anyone with browser access to the server can access its Welcome Web site, which is a collection of dynamic Web pages that provides the features illustrated and explained in Figure 11-2.
Figure 11-2 The Default OES Welcome Page
[Figure: the default Welcome page, with callouts for the following features:]
Run iManager, NRM, etc.
Access installed Web services.
Download applicable client software.
Go to important OES 2 pages on Novell.com.
Read about OES 2 and the Novell Open Workgroup Suite.
Learn about virtualization.
Get migration help.
Start training on Linux.
This section explains OES Welcome Web Site features, and discusses:
Section 11.2.1, “The Welcome Site Requires JavaScript, Apache, and Tomcat”
Section 11.2.2, “Accessing the Welcome Web Site”
Section 11.2.3, “The Welcome Web Site Is Available to All Users”
Section 11.2.4, “Administrative Access from the Welcome Web Site”

11.2.1 The Welcome Site Requires JavaScript, Apache, and Tomcat

Browsers accessing the Welcome site must have JavaScript* enabled to function correctly.
Additionally, it is possible to install OES 2 on either supported platform without including the Apache Web Server or the Tomcat Servlet Container. For example, the Apache server and Tomcat container are included with many of the OES 2 server patterns, but not all of them.
If you are unable to access the Welcome Web site, your server is probably missing one or both of these required components. To make the site available, you need to add the components to the OES 2 server.

11.2.2 Accessing the Welcome Web Site

Anyone with browser access to an OES 2 server can access the Welcome site by doing the following:
1 Open a supported Web browser that has a TCP connection to the network where the OES 2 server is installed.
2 Enter the URL to the server, using HTTP.
For example:
http://server.example.com/welcome
or
http://192.168.1.206/welcome
IMPORTANT: By default, the Welcome site is accessible by entering only the DNS name or IP address without the path to /welcome as the URL. However, this behavior changes as follows:
On NetWare, the sys:/apache2/htdocs/index.html file redirects requests to the Welcome site page. If the file is changed, then the behavior reflects the changes made.
On Linux, the Welcome site displays only when there is no index.html file in /srv/www/htdocs. For example, installing the Web and LAMP Server pattern installs a page that says “It Works!” and the Welcome site is not displayed.
If the Welcome page disappears, include /welcome in the access URL.
For additional information, see “Verifying That the Installation Was Successful” in the OES 2 SP2: Installation Guide.

11.2.3 The Welcome Web Site Is Available to All Users

Although the Welcome Web site is designed primarily for administrators, it can also be accessed and used by end users. For example, if iPrint is installed on the server, users can install the iPrint Client by clicking the Client Software link and selecting the appropriate client.

11.2.4 Administrative Access from the Welcome Web Site

Administrators can access any of the administrative tools installed on the server by clicking the Management Services link, selecting the tool they want to use, and entering the required authentication information.

11.3 OES Utilities and Tools

TIP: NetWare administrators who are new to Linux will also be interested in “OES 2 SP2: Linux Tips for NetWare Administrators,” a reference that outlines the OES equivalents for most of the familiar CLI tools on NetWare.
OES 2 includes several administration utilities that let you manage everything in your Novell® network, from configuring and managing eDirectory to setting up network services and open source software. This section lists and briefly explains the most common utilities.
Whenever possible, we recommend that all OES management be performed by using browser-based tools. This ensures that all the system commands required to execute various tasks are performed in proper order and that none of them is skipped by mistake.
Table 11-1 is a quick reference for accessing information about the OES management tools. Specific instructions for the tasks listed are located in the administration guides and other documentation for the services that each tool manages.
Table 11-1 OES Management Tool Quick Reference

Tool: bash
Tasks:
    Manage the Linux server.
    Manage many services running on the server.
Access Method or URL/Username:
    Access a command prompt on the Linux server.
Notes:
    For more information or help understanding and using bash, search the Web for any of the numerous articles and tutorials on using the shell.

Tool: Health Monitoring Services
Tasks:
    Monitor the health of OES servers.
Access Method or URL/Username:
    1. In a supported Web browser, access Novell Remote Manager by entering http://IP_Address:8008
    2. Specify the eDirectory Admin username and password, or on Linux you can use the root user and password if needed.
    3. Click Health Monitor under Diagnose Server.
Notes:
    Functionality is limited for non-Admin or non-root users on both platforms.
    NRM on Linux doesn't include all the functionality of NRM on NetWare.
    For more information, see the OES 2 SP2: Novell Remote Manager for Linux Administration Guide.
    Health Monitoring Services on OES 2 use a Common Information Model (CIM) provided by the Web-Based Enterprise Management (WBEM) Initiative. For more information on WBEM, visit the DMTF Web site (http://www.dmtf.org/standards/wbem).

Tool: iManager 2.7
Tasks:
    Access various other management tools and plug-ins.
    Configure OES network services.
    Create and manage users, groups, and other objects.
    Delegate administration through Role-Based Services (RBS).
    Manage eDirectory objects, schema, partitions, and replicas.
    Manage OES 2 services.
    Set up and manage your Novell eDirectory tree.
Access Method or URL/Username:
    1. In a supported Web browser, enter the following URL: http://IP_or_DNS/iManager.html
    2. Specify the eDirectory Admin username and password.
Notes:
    Requires an SSL connection (HTTPS). Both HTTP and HTTPS requests establish the SSL connection.
    For more information on using iManager, see the Novell iManager 2.7.3 Administration Guide.
    See also iManager Workstation.

Tool: iManager Workstation (formerly Mobile iManager)
Tasks:
    Manage eDirectory.
    Create and manage users, groups, and other objects.
    Manage OES 2 services.
    Access various other management tools and plug-ins.
Access Method or URL/Username:
    On a Linux workstation:
    1. At the bin directory of the expanded iMan_25_Mobile_iManager_linux.tar directory, run imanager.sh.
    2. Log in, using the eDirectory Admin username, password, and eDirectory tree name.
    On a Windows workstation:
    1. At the bin directory of the unzipped iMan_25_Mobile_iManager_win directory, run imanager.bat.
    2. Log in, using the eDirectory Admin username, password, and eDirectory tree name.
Notes:
    Requires an SSL connection (HTTPS). Both HTTP and HTTPS requests establish the SSL connection.
    For more information on using iManager Workstation, see “Accessing iManager Workstation” in the Novell iManager 2.7.3 Administration Guide.
    See also iManager.

Tool: iMonitor
Tasks:
    Monitor and diagnose all the servers in your eDirectory tree.
    Examine eDirectory partitions, replicas, and servers.
    Examine current tasks taking place in the tree.
Access Method or URL/Username:
    1. In a supported Web browser, enter one of the following URLs:
       (On NetWare) http://IP_or_DNS:81/nds
       (On Linux) https://IP_or_DNS:8030/nds
    2. Specify the eDirectory Admin username and password.
Notes:
    iMonitor provides a Web-based alternative to tools such as DSBrowse, DSTrace, DSDiag, and the diagnostic features available in DSRepair.
    Because of this, iMonitor’s features are primarily server focused, meaning that they report the health of individual eDirectory agents (running instances of the directory service) rather than the entire eDirectory tree.
    For more information, see “Using Novell iMonitor 2.4” in the Novell eDirectory 8.8 Administration Guide.

Tool: iPrint Map Designer
Tasks:
    Create a printer map to aid in printer selection/installation.
    Edit an existing printer map.
Access Method or URL/Username:
    1. In a supported Web browser, enter the following URL: http://IP_or_DNS/ippdocs/maptool.htm
    2. Specify the eDirectory Admin username and password.
Notes:
    For OES 2 server instructions, see “Setting Up Location-Based Printing” in the OES 2 SP2: iPrint for Linux Administration Guide.

Tool: NetStorage Web Interface
Tasks:
    Manage file system access.
    Manage file system space restrictions.
    Salvage and purge deleted files.
Access Method or URL/Username:
    Use the NetStorage Web interface.
Notes:
    As an Admin user (or equivalent), you can set directory and user quotas for NSS data volumes. You can also set file system trustees, trustee rights, and attributes for directories and files on NSS volumes. And you can salvage and purge deleted files.
    For more information, see “Viewing or Modifying Directory and File Attributes and Rights” in the OES 2 SP2: NetStorage for Linux Administration Guide.

Tool: Novell Client
Tasks:
    Manage file system access.
    Manage File System Space Restrictions.
    Salvage and purge deleted files.
Access Method or URL/Username:
    Use the Novell N icon to access these and other tasks.
Notes:
    As an Admin user (or equivalent), you can set directory and user quotas for NSS data volumes. You can also set file system trustees, trustee rights, and attributes for directories and files on NSS volumes. And you can salvage and purge deleted files.
    For more information, see “Managing File Security and Passwords” in the Novell Client 4.91 SP5 for Windows XP/2003 Installation and Administration Guide.

Tool: Novell iFolder® 3.8
Tasks:
    Manage various aspects of iFolder 3.8.
Access Method or URL/Username:
    1. In iManager 2.7, click iFolder 3.8 > Launch iFolder Admin Console.
Notes:
    For more information on managing iFolder 3.8, see the following in the Novell iFolder 3.8 Administration Guide:
       iFolder Enterprise Server
       iFolder Services via Web Admin
       iFolder Users
       iFolder Web Access Server
       Managing iFolders

Tool: Novell Remote Manager (NRM)
Tasks:
    Manage file system access and attributes for the NetWare Traditional File System and the NSS File System on NetWare.
    Manage the NCP™ Server (Linux).
    Manage NCP connections to NSS and NCP volumes (Linux).
    Manage Dynamic Storage Technology (Linux).
    Manage NetWare Traditional File Systems (NetWare).
    Manage OES 2 servers from a remote location.
    Monitor your server's health.
    Change server configurations.
    Perform diagnostic and debugging tasks.
    View volume inventories (Linux).
Access Method or URL/Username:
    1. In a supported Web browser, enter the following URL: https://IP_or_DNS:8009
    2. Specify either the eDirectory username and password or a Linux (POSIX) username and password.
Notes:
    Functionality is limited for non-Admin or non-root users on both platforms.
    NRM on Linux doesn't include all the functionality of NRM on NetWare.
    For more information, see the OES 2 SP2: Novell Remote Manager for Linux Administration Guide.

Tool: NSS Management Utility (NSSMU)
Tasks:
    Manage the Novell Storage Services™ file system.
Access Method or URL/Username:
    At a terminal prompt:
    1. Load NSSMU by entering /opt/novell/nss/sbin/nssmu
Notes:
    NSS Management Utility (NSSMU) is a server console application used to manage the Novell Storage System (NSS) logical file system.
    The Snapshot function in NSSMU on Linux is not available in NSSMU on NetWare. Use iManager to create snapshots for NetWare or Linux.
    For more information, see “NSS Management Utility (NSSMU) Quick Reference” in the OES 2 SP2: NSS File System Administration Guide.

Tool: OpenSSH (client access)
Tasks:
    Securely run commands on remote servers.
    Securely copy files and directories to and from other servers using SSH utilities.
Access Method or URL/Username:
    Connect to the server using your favorite SSH client.
Notes:
    On Linux, OpenSSH is installed by default and is accessed by eDirectory users as a LUM-enabled service. For more information, see Section 11.4, “SSH Services on OES 2,” on page 93.

Tool: OpenSSH (Linux)
Tasks:
    Manage a SLES 10 SP1 (OES 2) server by using OpenSSH.
Access Method or URL/Username:
    1. Use standard SSH connection and management options.
Notes:
    Requirements:
       The firewall must allow for SSH access.
       eDirectory users must be enabled for SSH access. For more information, see Section 11.4, “SSH Services on OES 2,” on page 93.

Tool: OpenWBEM
Tasks:
    Perform tasks instrumented by specific providers.
Access Method or URL/Username:
    Access /etc/openwbem.
Notes:
    For more information, see the OES 2 SP2: OpenWBEM Services Administration Guide.

Tool: Perl
Tasks:
    A programming language developed by Larry Wall that
       Runs faster than shell script programs.
       Reads and writes binary files.
       Processes very large files.
       Lets you quickly develop CGI applications.
Access Method or URL/Username:
    Install the associated RPM files.
Notes:
    For more information or help understanding and using Perl, search the Web. There are numerous articles and tutorials on using this versatile programming language.

Tool: QuickFinder™ Server Manager
Tasks:
    Create search indexes for any Web site or attached file systems.
    Modify the search dialog look-and-feel to match your corporate design.
    Create full-text indexes of HTML, XML, PDF, Word, OpenOffice.org, and many other document formats.
    Configure and maintain your indexes remotely from anywhere on the Net.
Access Method or URL/Username:
    1. In a supported Web browser, enter the following URL: http://IP_or_DNS/qfsearch/admin
    2. Specify the root or other user as documented.
Notes:
    Local users and any eDirectory users that are enabled for Linux access (LUM) can be assigned rights to manage QuickFinder.
    For more information, see the QuickFinder 5.0 Server Administration Guide.

Tool: Remote Manager
Notes:
    See Novell Remote Manager.

Tool: SNMP for eDirectory
Tasks:
    Lets you use standard SNMP tools to
       Monitor an eDirectory server.
       Track the status of eDirectory to verify normal operations.
       Spot and react to potential problems when they are detected.
       Configure traps and statistics for selective monitoring.
       Plot a trend on the access of eDirectory.
       Store and analyze historical data that has been obtained through SNMP.
       Use the SNMP native master agent on all eDirectory platforms.
Access Method or URL/Username:
    1. Configure SNMP for eDirectory as documented for your platform.
    2. Access SNMP for eDirectory services using the SNMP management interface of your choice.
    3. Specify the eDirectory Admin username and password.
Notes:
    SNMP support is installed with eDirectory.
    For more information on SNMP for eDirectory, see “SNMP Support for Novell eDirectory” in the Novell eDirectory 8.8 Administration Guide.

Tool: SUSE® Linux Monitoring Utilities
Tasks:
    Manage the Linux server and standard Linux services from the command prompt.
Access Method or URL/Username:
    Enter the desired command at the command prompt.
Notes:
    For more information, see “System Monitoring Utilities” (http://www.novell.com/documentation/sles10/sles_admin/data/cha_util.html) in the SLES 10 SP3: Installation and Administration Guide (http://www.novell.com/documentation/sles10/sles_admin/data/sles_admin.html).

Tool: YaST (SUSE Linux)
Tasks:
    Install OES 2.
    Configure the server and standard Linux services.
    Install OES components and services.
Access Method or URL/Username:
    To access YaST from the GNOME* interface, start the YaST Control Center by clicking Computer > YaST.
    To access YaST at a command prompt, enter yast.
Notes:
    For more information, see “Installation with YaST” (http://www.novell.com/documentation/sles10/sles_admin/data/cha_inst.html) and “System Configuration with YaST” (http://www.novell.com/documentation/sles10/sles_admin/data/cha_yast2.html) in the SLES 10 SP3: Installation and Administration Guide (http://www.novell.com/documentation/sles10/sles_admin/data/sles_admin.html).

11.4 SSH Services on OES 2

This section documents the following topics:
Section 11.4.1, “Overview”
Section 11.4.2, “Setting Up SSH Access for LUM-enabled eDirectory Users”

11.4.1 Overview

SSH (http://www.novell.com/company/glossary.html#4187) services on SLES 10 are provided by OpenSSH (http://www.openssh.org), a free version of SSH connectivity tools developed by the OpenBSD Project (http://www.openbsd.org/).
Linux administrators often use SSH to remotely access a server for management purposes, such as executing shell commands, transferring files, etc. Because many OES 2 services can be managed at a command prompt via an SSH session, it is important to understand how SSH access is controlled in OES 2.
This section discusses the following topics:
“When Is SSH Access Required?”
“How SSH Access for eDirectory Users Works”
“SSH Security Considerations”
When Is SSH Access Required?
SSH access is required for the following:
SSH administration access for eDirectory users: For eDirectory users to manage the server through an SSH connection, they must have SSH access as LUM-enabled users (eDirectory users configured for access to Linux services).
NOTE: The standard Linux root user is a local user, not an eDirectory user. The root user always has SSH access as long as the firewall allows it.
Access to NSS Volume Management in NetStorage: When an OES 2 server has NSS
volumes, eDirectory contains an object named nssvolumes that provides management access to the volumes through the File Access (NetStorage) iManager plug-in. Using the plug-in to manage NSS volumes, assign trustee rights, salvage and purge files, etc. requires SSH access to the server.
Although eDirectory administrators can create Storage Location Objects to the NSS volumes without SSH access, providing that they know the path to the volume on the POSIX file system and other volume information, having SSH access makes administering NSS volumes in NetStorage much easier.
Access to any NetStorage Storage Location Objects based on SSH: The NetStorage server
provides Web access to directories and files on other servers (or on itself).
Typically, either an NCP or a CIFS connection is used for connecting the NetStorage server with storage targets. However, an SSH connection can also be used, and if it is, the users accessing data through the connection must have SSH access to the data on the target servers.
How SSH Access for eDirectory Users Works
For eDirectory users, the following work together to control SSH access:
Firewall: As mentioned, the default firewall configuration on an OES 2 server doesn’t allow SSH connections with the server. This restricts the root user as well. Therefore, the first requirement for SSH access is configuring the firewall to allow SSH services.
Linux User Management (LUM) must allow SSH as a service: In OES 2, access to SSH
and other Linux services is controlled through Linux User Management (LUM), and each service must be explicitly included in the LUM configuration on each server.
LUM-enabling: After SSH is included as a LUM-enabled service on a server, at least one
group and its users must be enabled for LUM. Only LUM-enabled eDirectory users can have SSH access.
All eDirectory Groups must allow access: SSH access is inherited from the LUM-enabled
groups that a user belongs to, and access is only granted when all of the groups to which a user belongs allow it.
The Samba connection: Users who are enabled for Samba (CIFS) file services are added by
default to an OES-created Samba group that:
Is LUM-enabled.
Doesn’t specify SSH as an allowed service.
Therefore, because SSH access requires that all of a user’s groups allow access, Samba users are denied SSH access unless
The user is removed from the Samba group.
or
The Samba group is modified to allow SSH access for all Samba users.
SSH Security Considerations
Remember that SSH access lets users browse and view most directories and files on a Linux server. Even though users might be prevented from modifying settings or effecting other changes, there are serious security and confidentiality issues to consider before granting SSH access to anyone.

11.4.2 Setting Up SSH Access for LUM-enabled eDirectory Users

If you need to grant SSH access to an eDirectory user, complete the instructions in the following sections in order, as they apply to your situation.
“Allowing SSH Access Through the Firewall”
“Adding SSH as an Allowed Service in LUM”
“Enabling Users for LUM”
“Restricting SSH Access to Only Certain LUM-Enabled Users”
“Providing SSH Access for Samba Users”
Allowing SSH Access Through the Firewall
1 On the OES 2 server you are granting access to, open the YaST Control Center and click
Security and Users > Firewall.
2 In the left navigation frame, click Allowed Services.
3 In the Allowed Services drop-down list, select SSH.
4 Click Add > Next > Accept.
The firewall is now configured to allow SSH connections with the server.
Adding SSH as an Allowed Service in LUM
1 If SSH is already an allowed service for Linux User Management on the server, skip to
“Enabling Users for LUM” on page 96.
or
If SSH is not an allowed service for Linux User Management on the server, continue with
Step 2.
2 On the OES 2 server, open the YaST Control Center; then, in the Open Enterprise Server
group, click OES Install and Configuration.
3 Click Accept.
4 When the Novell Open Enterprise Server Configuration screen has loaded, click the Disabled
link under Linux User Management.
The option changes to Enabled and the configuration settings appear.
5 Click Linux User Management.
6 Type the eDirectory Admin password in the appropriate field, then click OK > Next.
7 In the list of allowed services, click sshd.
8 Click Next > Next > Finish.
Each LUM-enabled group in eDirectory, except the system-created Samba group, now shows SSH as an allowed service. The Samba group shows the service as not allowed (or literally speaking, sshd is not checked).
Enabling Users for LUM
There are numerous ways to enable users for LUM.
For example, in iManager > Linux User Management there are options for enabling users (and choosing a Group in the process) or enabling groups (and enabling users in the process). Linux enabling is part of the process required for Samba access. And finally, there are also command line options.
For specific instructions, refer to “Managing User and Group Objects in eDirectory” in the OES 2 SP2: Novell Linux User Management Technology Guide.
After you configure the server’s firewall to allow SSH, add SSH as an allowed service, and LUM-enable the eDirectory users you want to have SSH access, those users have SSH access to the server, provided they are not also enabled for Samba on the server.
On the other hand, if you have installed Samba on the server, or if you install Samba in the future, the users who are configured for Samba access will have SSH access disabled.
To restore access for users impacted by Samba, see “Providing SSH Access for Samba Users” on page 97.
Of course, many network administrators limit SSH access to only those who have administrative responsibilities. They don’t want every LUM-enabled user to have SSH access to the server.
If you need to limit SSH access to only certain LUM-enabled users, continue with “Restricting SSH Access to Only Certain LUM-Enabled Users” on page 96.
Restricting SSH Access to Only Certain LUM-Enabled Users
SSH access is easily restricted for one or more users by making them members of a LUM-enabled group and then disabling SSH access for that group. All other group assignments that enable SSH access are then overridden.
1 Open iManager in a browser using its access URL:
http://IP_Address/iManager.html
where IP_Address is the IP address of an OES 2 server with iManager 2.7 installed.
2 In the Roles and Tasks list, click Groups > Create Group.
3 Type a group name, for example NoSSHGroup, and select a context, such as the container where your other Group and User objects are located. Then click OK.
4 In the Roles and Tasks list, click Directory Administration > Modify Object.
5 Browse to the group you just created and click OK.
6 Click the Linux Profile tab.
7 Select the Enable Linux Profile option.
8 In the Add UNIX Workstation dialog box, browse to and select the UNIX Workstation objects for the servers you are restricting SSH access to, then click OK > OK.
9 Click Apply > OK.
10 In the Roles and Tasks list, click Modify Object, browse to the group again, then click OK.
11 Click the Other sub-tab.
12 In the Unvalued Attributes list, select uamPosixPAMServiceExcludeList, then click the left-arrow to move the attribute to the Valued Attributes list.
13 In the Add Attribute dialog box, click the plus sign (+) next to the empty drop-down list.
14 In the Add item field, type sshd, then click OK > OK.
15 Click the Members tab.
16 Browse to and select the User objects that shouldn’t have SSH access, then click OK.
17 Click Apply > OK.
Providing SSH Access for Samba Users
There are two options for providing SSH access to users who have been enabled for Samba access:
You can remove the user from the server_name-W-SambaUserGroup.
IMPORTANT: This presupposes that the user is a member of a different LUM-enabled group that also provides access to the server. If the user was enabled for LUM only as part of a Samba configuration, then removing the user from the Samba group breaks access to Samba and the user does not have SSH access.
You can change access for the entire Samba group by moving the uamPosixPAMServiceExcludeList attribute from the Valued Attributes list to the Unvalued Attributes list, using the instructions in “Restricting SSH Access to Only Certain LUM-Enabled Users” on page 96 as a general guide.
NOTE: Although the option to disable SSH access through the Modify Group iManager plug-in is much simpler and more straightforward, that option is not working as of this writing. Although the plug-in appears to deselect sshd as an allowed service, the service is still selected when group information is reloaded. Novell plans to address this issue in the near future.
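The group rule described in “Restricting SSH Access to Only Certain LUM-Enabled Users” and “Providing SSH Access for Samba Users” can be checked offline against an LDIF export of the group objects. The following is an added example, not part of the Novell documentation: the sample LDIF and its DNs are constructed, and using gidNumber to recognize a LUM-enabled group and member to list its users are assumptions about how the export looks.

```python
from collections import defaultdict

EXCLUDE_ATTR = "uamposixpamserviceexcludelist"  # attribute named in the procedure
# Constructed sample export of group objects (all DNs are hypothetical).
SAMPLE_LDIF = """\
dn: cn=admins,o=example
gidNumber: 600
member: cn=alice,o=example
member: cn=bob,o=example
member: cn=carol,o=example

dn: cn=NoSSHGroup,o=example
gidNumber: 601
uamPosixPAMServiceExcludeList: sshd
member: cn=bob,o=example

dn: cn=oes1-W-SambaUserGroup,o=example
gidNumber: 602
uamPosixPAMServiceExcludeList: sshd
member: cn=carol,o=example

dn: cn=mailing-list,o=example
member: cn=dave,o=example
"""

def parse_ldif(text):
    """Return one {attr_lower: [values]} dict per record (base64 values not decoded)."""
    records = []
    for block in text.replace("\n ", "").split("\n\n"):  # unfold lines, split records
        rec = defaultdict(list)
        for line in block.splitlines():
            if ":" in line and not line.startswith("#"):
                attr, _, value = line.partition(":")
                rec[attr.strip().lower()].append(value.strip())
        if rec:
            records.append(dict(rec))
    return records

def ssh_access(records, service="sshd"):
    """Map each LUM-enabled member DN to (allowed, [groups excluding the service])."""
    groups, denying = defaultdict(list), defaultdict(list)
    lum = [r for r in records if "gidnumber" in r]  # assumption: gidNumber = LUM-enabled
    for rec in lum:
        excluded = service in rec.get(EXCLUDE_ATTR, [])
        for user in rec.get("member", []):
            groups[user].append(rec["dn"][0])
            if excluded:
                denying[user].append(rec["dn"][0])
    # One excluding group is enough to deny: every group must allow the service.
    return {u: (not denying[u], denying[u]) for u in groups}
```

Because it reads the stored attribute rather than the plug-in display, the same check shows whether a change made through iManager actually persisted after the group is reloaded.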

12 Network Services

Network services, as used in this section, are associated with protocols that provide the following:
Data packet transport on the network.
Management of IP addresses and DNS names.
Time synchronization to make sure that all network devices and eDirectory™ replicas and partitions have the same time.
Discovery of network devices and services, such as eDirectory, printers, and so on, as required by certain applications, clients, and other services.
This section discusses the following:
Section 12.1, “TCP/IP,” on page 99
Section 12.2, “DNS and DHCP,” on page 99
Section 12.3, “Time Services,” on page 101
Section 12.4, “Discovery Services,” on page 112
Section 12.5, “SLP,” on page 113
For links to more information and tasks, see the “Network Protocols” page in the OES 2 online documentation.

12.1 TCP/IP

Network nodes must support a common protocol in order to exchange packets. Transport protocols establish point-to-point connections so that nodes can send messages to each other and have the packets arrive intact and in the correct order. The transport protocol also specifies how nodes are identified with unique network addresses and how packets are routed to the intended receiver.
Open Enterprise Server 2 includes the standard Linux TCP/IP support on SUSE® Linux Enterprise Server 10.

12.1.1 Coexistence and Migration Issues

Internetwork Packet Exchange™ (IPX™) was the foundational protocol for NetWare from the 1980s until the release of NetWare 5.0, when support for pure TCP/IP became standard.
To aid with migrations from NetWare to OES, coexistence between IPX and TCP/IP networks is still supported on NetWare, but IPX is not supported on Linux.

12.2 DNS and DHCP

Domain Name Service (DNS) is the standard naming service in TCP/IP-based networks. It converts IP addresses, such as 192.168.1.1, to human-readable domain names, such as myserver.example.com, and it reverses the conversion process as required.
The Dynamic Host Configuration Protocol (DHCP) assigns IP addresses and configuration parameters to hosts and network devices.
OES 2 includes a ported version of the NetWare DNS service, and an eDirectory integration with ISC DHCP as explained in the sections that follow.
Section 12.2.1, “DNS Differences Between NetWare and OES 2,” on page 100
Section 12.2.2, “DHCP Differences Between NetWare and OES 2,” on page 101

12.2.1 DNS Differences Between NetWare and OES 2

As you plan to upgrade from NetWare to OES 2, consider the following differences between DNS on NetWare and OES 2:
Table 12-1 DNS: NetWare 6.5 SP8 vs. OES 2

| Feature or Command | NetWare 6.5 SP8 | OES 2 |
|---|---|---|
| Auditing | Yes | No |
| DNSMaint | Yes | No |
| Fault Tolerance | Yes | Yes |
| Filenames and paths: Server binary | sys:/system/named.nlm | /opt/novell/named/bin/novell-named |
| Filenames and paths: .db, .jnl file | sys:/etc/dns | /etc/opt/novell/named/named.conf |
| Filenames and paths: Stat file, info file | | /var/opt/novell/log/named/named.run |
| Console commands: Start the server | named | rcnovell-named or novell-named |
| Console commands: Stop the server | named stop | rcnovell-named stop |
| Console commands: Check Status | named status | rcnovell-named status |
| Unsupported command parameters | N/A | [-dc categories] [-mstats] [-nno_of_cpus] [-qstats] |
| Journal log size | Specify at the command prompt by using the jsize argument. | Specify by using the iManager plug-in > max-journal-size field. |
| Management | iManager; Command Line Interface | iManager; Command Line Interface. Unlike the NetWare implementation, command line parameters cannot be passed when loading and unloading. |
| SNMP Support | Yes | No |