333
333
"virtual host file, and remember to create that directory if necessary!"
336
#: serverguide/C/web-servers.xml:265(para)
336
#: serverguide/C/web-servers.xml:278(para)
338
338
"Enable the new <emphasis>VirtualHost</emphasis> using the "
339
339
"<application>a2ensite</application> utility and restart Apache2:"
342
#: serverguide/C/web-servers.xml:271(command)
342
#: serverguide/C/web-servers.xml:284(command)
343
343
msgid "sudo a2ensite mynewsite"
344
344
msgstr "sudo a2ensite mynewsite"
346
#: serverguide/C/web-servers.xml:272(command) serverguide/C/web-servers.xml:290(command) serverguide/C/web-servers.xml:531(command) serverguide/C/web-servers.xml:540(command) serverguide/C/web-servers.xml:599(command) serverguide/C/mail.xml:935(command) serverguide/C/lamp-applications.xml:222(command)
346
#: serverguide/C/web-servers.xml:285(command) serverguide/C/web-servers.xml:303(command) serverguide/C/web-servers.xml:544(command) serverguide/C/web-servers.xml:553(command) serverguide/C/web-servers.xml:612(command) serverguide/C/mail.xml:994(command) serverguide/C/lamp-applications.xml:238(command) serverguide/C/lamp-applications.xml:339(command) serverguide/C/lamp-applications.xml:610(command)
347
347
msgid "sudo service apache2 restart"
348
348
msgstr "sudo service apache2 restart"
350
#: serverguide/C/web-servers.xml:276(para)
350
#: serverguide/C/web-servers.xml:289(para)
352
352
"Be sure to replace <emphasis>mynewsite</emphasis> with a more descriptive "
353
353
"name for the VirtualHost. One method is to name the file after the "
354
354
"<emphasis>ServerName</emphasis> directive of the VirtualHost."
357
#: serverguide/C/web-servers.xml:283(para)
357
#: serverguide/C/web-servers.xml:296(para)
359
359
"Similarly, use the <application>a2dissite</application> utility to disable "
360
360
"sites. This is can be useful when troubleshooting configuration problems "
361
361
"with multiple VirtualHosts:"
364
#: serverguide/C/web-servers.xml:289(command)
364
#: serverguide/C/web-servers.xml:302(command)
365
365
msgid "sudo a2dissite mynewsite"
366
366
msgstr "sudo a2dissite mynewsite"
368
#: serverguide/C/web-servers.xml:295(title)
368
#: serverguide/C/web-servers.xml:308(title)
369
369
msgid "Default Settings"
370
370
msgstr "Настройки по подразбиране"
372
#: serverguide/C/web-servers.xml:297(para)
372
#: serverguide/C/web-servers.xml:310(para)
374
374
"This section explains configuration of the Apache2 server default settings. "
375
375
"For example, if you add a virtual host, the settings you configure for the "
585
585
"<emphasis><IfModule></emphasis> block."
588
#: serverguide/C/web-servers.xml:510(para)
588
#: serverguide/C/web-servers.xml:523(para)
590
590
"You can install additional Apache2 modules and use them with your Web "
591
591
"server. For example, run the following command from a terminal prompt to "
592
592
"install the <emphasis>MySQL Authentication</emphasis> module:"
595
#: serverguide/C/web-servers.xml:517(command)
595
#: serverguide/C/web-servers.xml:530(command)
596
596
msgid "sudo apt-get install libapache2-mod-auth-mysql"
597
597
msgstr "sudo apt-get install libapache2-mod-auth-mysql"
599
#: serverguide/C/web-servers.xml:520(para)
599
#: serverguide/C/web-servers.xml:533(para)
601
601
"See the <filename>/etc/apache2/mods-available</filename> directory, for "
602
602
"additional modules."
605
#: serverguide/C/web-servers.xml:524(para)
605
#: serverguide/C/web-servers.xml:537(para)
607
607
"Use the <application>a2enmod</application> utility to enable a module:"
610
#: serverguide/C/web-servers.xml:530(command)
610
#: serverguide/C/web-servers.xml:543(command)
611
611
msgid "sudo a2enmod auth_mysql"
612
612
msgstr "sudo a2enmod auth_mysql"
614
#: serverguide/C/web-servers.xml:534(para)
614
#: serverguide/C/web-servers.xml:547(para)
615
615
msgid "Similarly, <application>a2dismod</application> will disable a module:"
618
#: serverguide/C/web-servers.xml:539(command)
618
#: serverguide/C/web-servers.xml:552(command)
619
619
msgid "sudo a2dismod auth_mysql"
620
620
msgstr "sudo a2dismod auth_mysql"
622
#: serverguide/C/web-servers.xml:546(title)
622
#: serverguide/C/web-servers.xml:559(title)
623
623
msgid "HTTPS Configuration"
624
624
msgstr "HTTPS настройка"
626
#: serverguide/C/web-servers.xml:548(para)
626
#: serverguide/C/web-servers.xml:561(para)
628
628
"The <application>mod_ssl</application> module adds an important feature to "
629
629
"the Apache2 server - the ability to encrypt communications. Thus, when your "
718
718
#: serverguide/C/web-servers.xml:641(command)
719
msgid "sudo find /var/www/html -type f -exec chmod g=rws \"{}\" \\;"
722
#: serverguide/C/web-servers.xml:632(para)
719
msgid "sudo find /var/www/html -type f -exec chmod g=rw \"{}\" \\;"
722
#: serverguide/C/web-servers.xml:643(para)
724
"These commands recursively set the group permission on all files and "
725
"directories in /var/www/html to read write and set user id. This has the "
726
"effect of having the files and directories inherit their group and "
727
"permission from their parrent. Many admins find this useful for allowing "
728
"multiple users to edit files in a directory tree."
731
#: serverguide/C/web-servers.xml:652(para)
724
733
"If access must be granted to more than one group per directory, enable "
725
734
"Access Control Lists (ACLs)."
728
#: serverguide/C/web-servers.xml:639(title) serverguide/C/web-servers.xml:789(title) serverguide/C/web-servers.xml:939(title) serverguide/C/web-servers.xml:1034(title) serverguide/C/web-servers.xml:1256(title) serverguide/C/vpn.xml:800(title) serverguide/C/virtualization.xml:2081(title) serverguide/C/vcs.xml:538(title) serverguide/C/security.xml:863(title) serverguide/C/security.xml:1197(title) serverguide/C/security.xml:1611(title) serverguide/C/security.xml:1797(title) serverguide/C/remote-administration.xml:196(title) serverguide/C/remote-administration.xml:762(title) serverguide/C/package-management.xml:466(title) serverguide/C/other-apps.xml:328(title) serverguide/C/network-config.xml:1035(title) serverguide/C/network-config.xml:1143(title) serverguide/C/monitoring.xml:392(title) serverguide/C/monitoring.xml:528(title) serverguide/C/mail.xml:453(title) serverguide/C/mail.xml:648(title) serverguide/C/mail.xml:800(title) serverguide/C/mail.xml:1220(title) serverguide/C/mail.xml:1688(title) serverguide/C/lamp-applications.xml:244(title) serverguide/C/lamp-applications.xml:373(title) serverguide/C/lamp-applications.xml:481(title) serverguide/C/file-server.xml:305(title) serverguide/C/file-server.xml:446(title) serverguide/C/file-server.xml:616(title) serverguide/C/file-server.xml:803(title) serverguide/C/dns.xml:605(title) serverguide/C/clustering.xml:232(title) serverguide/C/chat.xml:105(title) serverguide/C/chat.xml:214(title) serverguide/C/backups.xml:295(title)
737
#: serverguide/C/web-servers.xml:659(title) serverguide/C/web-servers.xml:809(title) serverguide/C/web-servers.xml:958(title) serverguide/C/web-servers.xml:1053(title) serverguide/C/web-servers.xml:1278(title) serverguide/C/vpn.xml:843(title) serverguide/C/vcs.xml:546(title) serverguide/C/security.xml:877(title) serverguide/C/security.xml:1217(title) serverguide/C/security.xml:1631(title) serverguide/C/security.xml:1817(title) serverguide/C/remote-administration.xml:196(title) serverguide/C/remote-administration.xml:802(title) serverguide/C/package-management.xml:479(title) serverguide/C/network-config.xml:1033(title) serverguide/C/network-config.xml:1141(title) serverguide/C/monitoring.xml:392(title) serverguide/C/monitoring.xml:528(title) serverguide/C/mail.xml:511(title) serverguide/C/mail.xml:706(title) serverguide/C/mail.xml:859(title) serverguide/C/mail.xml:1279(title) serverguide/C/mail.xml:1746(title) serverguide/C/lamp-applications.xml:260(title) serverguide/C/lamp-applications.xml:400(title) serverguide/C/lamp-applications.xml:518(title) serverguide/C/lamp-applications.xml:673(title) serverguide/C/file-server.xml:305(title) serverguide/C/file-server.xml:445(title) serverguide/C/file-server.xml:615(title) serverguide/C/file-server.xml:802(title) serverguide/C/dns.xml:614(title) serverguide/C/clustering.xml:232(title) serverguide/C/chat.xml:105(title) serverguide/C/chat.xml:214(title) serverguide/C/backups.xml:301(title)
729
738
msgid "References"
732
#: serverguide/C/web-servers.xml:656(para)
741
#: serverguide/C/web-servers.xml:663(para)
734
743
"<ulink url=\"http://httpd.apache.org/docs/2.4/\">Apache2 "
735
744
"Documentation</ulink> contains in depth information on Apache2 configuration "
737
746
"the official Apache2 docs."
740
#: serverguide/C/web-servers.xml:650(para)
749
#: serverguide/C/web-servers.xml:670(para)
742
751
"See the <ulink url=\"http://www.modssl.org/docs/\">Mod SSL "
743
752
"Documentation</ulink> site for more SSL related information."
746
#: serverguide/C/web-servers.xml:656(para)
755
#: serverguide/C/web-servers.xml:676(para)
748
757
"O'Reilly's <ulink url=\"http://oreilly.com/catalog/9780596001919/\">Apache "
749
758
"Cookbook</ulink> is a good resource for accomplishing specific Apache2 "
750
759
"configurations."
753
#: serverguide/C/web-servers.xml:662(para)
762
#: serverguide/C/web-servers.xml:682(para)
755
764
"For Ubuntu specific Apache2 questions, ask in the <emphasis>#ubuntu-"
756
765
"server</emphasis> IRC channel on <ulink "
757
766
"url=\"http://freenode.net/\">freenode.net</ulink>."
760
#: serverguide/C/web-servers.xml:668(para)
769
#: serverguide/C/web-servers.xml:688(para)
762
771
"Usually integrated with PHP and MySQL the <ulink "
763
772
"url=\"https://help.ubuntu.com/community/ApacheMySQLPHP\">Apache MySQL PHP "
764
773
"Ubuntu Wiki </ulink> page is a good resource."
767
#: serverguide/C/web-servers.xml:679(title)
776
#: serverguide/C/web-servers.xml:699(title)
768
777
msgid "PHP5 - Scripting Language"
771
#: serverguide/C/web-servers.xml:680(para)
780
#: serverguide/C/web-servers.xml:700(para)
773
782
"PHP is a general-purpose scripting language suited for Web development. The "
774
783
"PHP script can be embedded into HTML. This section explains how to install "
775
784
"and configure PHP5 in Ubuntu System with Apache2 and MySQL."
778
#: serverguide/C/web-servers.xml:684(para)
787
#: serverguide/C/web-servers.xml:704(para)
780
789
"This section assumes you have installed and configured Apache2 Web Server "
781
790
"and MySQL Database Server. You can refer to Apache2 section and MySQL "
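Review bot: The paragraph added at new lines 724-728 calls the bit "set user id", but an "s" in a g= mode is the set-group-ID bit. The file command on the new side was also changed from "chmod g=rws" to "chmod g=rw", so files no longer receive that bit at all, and the sentence "all files and directories ... read write and set user id" no longer matches the commands. Suggest rewording it to say that files get group read/write, and that set-group-ID on the directories makes new entries inherit the directory's group. Only the group is inherited, not the permissions. "parrent" should be "parent".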
967
976
"protect it from writing using the following commands:"
970
#: serverguide/C/web-servers.xml:870(command)
979
#: serverguide/C/web-servers.xml:877(command)
971
980
msgid "sudo cp /etc/squid3/squid.conf /etc/squid3/squid.conf.original"
974
#: serverguide/C/web-servers.xml:871(command)
983
#: serverguide/C/web-servers.xml:878(command)
975
984
msgid "sudo chmod a-w /etc/squid3/squid.conf.original"
978
#: serverguide/C/web-servers.xml:866(para)
987
#: serverguide/C/web-servers.xml:885(para)
980
989
"To set your Squid server to listen on TCP port 8888 instead of the default "
981
990
"TCP port 3128, change the http_port directive as such:"
984
#: serverguide/C/web-servers.xml:870(programlisting)
993
#: serverguide/C/web-servers.xml:889(programlisting)
988
997
"http_port 8888\n"
991
#: serverguide/C/web-servers.xml:875(para)
1000
#: serverguide/C/web-servers.xml:894(para)
993
1002
"Change the visible_hostname directive in order to give the Squid server a "
994
1003
"specific hostname. This hostname does not necessarily need to be the "
995
1004
"computer's hostname. In this example it is set to <emphasis>weezie</emphasis>"
998
#: serverguide/C/web-servers.xml:879(programlisting)
1007
#: serverguide/C/web-servers.xml:898(programlisting)
1002
1011
"visible_hostname weezie\n"
1005
#: serverguide/C/web-servers.xml:884(para)
1014
#: serverguide/C/web-servers.xml:903(para)
1007
1016
"Using Squid's access control, you may configure use of Internet services "
1008
1017
"proxied by Squid to be available only users with certain Internet Protocol "
1103
1112
"<application>MySQL</application> refer to <xref linkend=\"mysql\"/>."
1106
#: serverguide/C/web-servers.xml:966(para)
1115
#: serverguide/C/web-servers.xml:985(para)
1108
1117
"Once you have <application>Apache</application> and "
1109
1118
"<application>MySQL</application> packages installed, you are ready to "
1110
1119
"install <application>Ruby on Rails</application> package."
1113
#: serverguide/C/web-servers.xml:973(para)
1122
#: serverguide/C/web-servers.xml:992(para)
1115
1124
"To install the <application>Ruby</application> base packages and "
1116
1125
"<application>Ruby on Rails</application>, you can enter the following "
1117
1126
"command in the terminal prompt:"
1120
#: serverguide/C/web-servers.xml:979(command)
1129
#: serverguide/C/web-servers.xml:998(command)
1121
1130
msgid "sudo apt-get install rails"
1124
#: serverguide/C/web-servers.xml:997(para)
1133
#: serverguide/C/web-servers.xml:1004(para)
1126
1135
"Modify the <filename>/etc/apache2/sites-available/000-"
1127
1136
"default.conf</filename> configuration file to setup your domains."
1130
#: serverguide/C/web-servers.xml:989(para)
1139
#: serverguide/C/web-servers.xml:1008(para)
1132
1141
"The first thing to change is the <emphasis>DocumentRoot</emphasis> directive:"
1135
#: serverguide/C/web-servers.xml:993(programlisting)
1144
#: serverguide/C/web-servers.xml:1012(programlisting)
1139
1148
"DocumentRoot /path/to/rails/application/public\n"
1142
#: serverguide/C/web-servers.xml:996(para)
1151
#: serverguide/C/web-servers.xml:1015(para)
1144
1153
"Next, change the <Directory \"/path/to/rails/application/public\"> "
1148
#: serverguide/C/web-servers.xml:1000(programlisting)
1157
#: serverguide/C/web-servers.xml:1019(programlisting)
1177
1186
"used to run the <application>Apache</application> process:"
1180
#: serverguide/C/web-servers.xml:1025(command)
1189
#: serverguide/C/web-servers.xml:1044(command)
1181
1190
msgid "sudo chown -R www-data:www-data /path/to/rails/application/public"
1184
#: serverguide/C/web-servers.xml:1026(command)
1193
#: serverguide/C/web-servers.xml:1045(command)
1185
1194
msgid "sudo chown -R www-data:www-data /path/to/rails/application/tmp"
1188
#: serverguide/C/web-servers.xml:1029(para)
1197
#: serverguide/C/web-servers.xml:1048(para)
1190
1199
"That's it! Now you have your Server ready for your <application>Ruby on "
1191
1200
"Rails</application> applications."
1194
#: serverguide/C/web-servers.xml:1038(para)
1203
#: serverguide/C/web-servers.xml:1057(para)
1196
1205
"See the <ulink url=\"http://rubyonrails.org/\">Ruby on Rails</ulink> website "
1197
1206
"for more information."
1200
#: serverguide/C/web-servers.xml:1043(para)
1209
#: serverguide/C/web-servers.xml:1062(para)
1202
1211
"Also <ulink url=\"http://pragprog.com/titles/rails3/agile-web-development-"
1203
1212
"with-rails-third-edition\">Agile Development with Rails</ulink> is a great "
1207
#: serverguide/C/web-servers.xml:1049(para)
1216
#: serverguide/C/web-servers.xml:1068(para)
1209
1218
"Another place for more information is the <ulink "
1210
1219
"url=\"https://help.ubuntu.com/community/RubyOnRails\">Ruby on Rails Ubuntu "
1211
1220
"Wiki</ulink> page."
1214
#: serverguide/C/web-servers.xml:1060(title)
1223
#: serverguide/C/web-servers.xml:1079(title)
1215
1224
msgid "Apache Tomcat"
1218
#: serverguide/C/web-servers.xml:1061(para)
1227
#: serverguide/C/web-servers.xml:1080(para)
1220
1229
"Apache Tomcat is a web container that allows you to serve Java Servlets and "
1221
1230
"JSP (Java Server Pages) web applications."
1224
#: serverguide/C/web-servers.xml:1075(para)
1233
#: serverguide/C/web-servers.xml:1082(para)
1226
1235
"Ubuntu has supported packages for both Tomcat 6 and 7. Tomcat 6 is the "
1227
1236
"legacy version, and Tomcat 7 is the current version where new features are "
1296
#: serverguide/C/web-servers.xml:1106(title)
1305
#: serverguide/C/web-servers.xml:1128(title)
1297
1306
msgid "Changing JVM used"
1300
#: serverguide/C/web-servers.xml:1122(para)
1309
#: serverguide/C/web-servers.xml:1129(para)
1302
1311
"By default Tomcat will run preferably with OpenJDK JVMs, then try the Sun "
1303
1312
"JVMs, then try some other JVMs. You can force Tomcat to use a specific JVM "
1304
1313
"by setting JAVA_HOME in <filename>/etc/default/tomcat7</filename>:"
1307
#: serverguide/C/web-servers.xml:1111(programlisting)
1316
#: serverguide/C/web-servers.xml:1133(programlisting)
1311
1320
"JAVA_HOME=/usr/lib/jvm/java-6-sun\n"
1314
#: serverguide/C/web-servers.xml:1116(title)
1323
#: serverguide/C/web-servers.xml:1138(title)
1315
1324
msgid "Declaring users and roles"
1318
#: serverguide/C/web-servers.xml:1132(para)
1327
#: serverguide/C/web-servers.xml:1139(para)
1320
1329
"Usernames, passwords and roles (groups) can be defined centrally in a "
1321
1330
"Servlet container. This is done in the <filename>/etc/tomcat7/tomcat-"
1322
1331
"users.xml</filename> file:"
1325
#: serverguide/C/web-servers.xml:1120(programlisting)
1334
#: serverguide/C/web-servers.xml:1142(programlisting)
1352
1361
"command in the terminal prompt:"
1355
#: serverguide/C/web-servers.xml:1153(command)
1364
#: serverguide/C/web-servers.xml:1160(command)
1356
1365
msgid "sudo apt-get install tomcat7-docs"
1359
#: serverguide/C/web-servers.xml:1142(title)
1368
#: serverguide/C/web-servers.xml:1164(title)
1360
1369
msgid "Tomcat administration webapps"
1363
#: serverguide/C/web-servers.xml:1158(para)
1372
#: serverguide/C/web-servers.xml:1165(para)
1365
1374
"The <application>tomcat7-admin</application> package contains two webapps "
1366
1375
"that can be used to administer the Tomcat server using a web interface. You "
1367
1376
"can install them by entering the following command in the terminal prompt:"
1370
#: serverguide/C/web-servers.xml:1163(command)
1379
#: serverguide/C/web-servers.xml:1170(command)
1371
1380
msgid "sudo apt-get install tomcat7-admin"
1374
#: serverguide/C/web-servers.xml:1150(para)
1383
#: serverguide/C/web-servers.xml:1172(para)
1376
1385
"The first one is the <emphasis>manager</emphasis> webapp, which you can "
1377
1386
"access by default at http://yourserver:8080/manager/html. It is primarily "
1378
1387
"used to get server status and restart webapps."
1381
#: serverguide/C/web-servers.xml:1168(para)
1390
#: serverguide/C/web-servers.xml:1175(para)
1383
1392
"Access to the <emphasis>manager</emphasis> application is protected by "
1384
1393
"default: you need to define a user with the role \"manager-gui\" in "
1385
1394
"<filename>/etc/tomcat7/tomcat-users.xml</filename> before you can access it."
1388
#: serverguide/C/web-servers.xml:1157(para)
1397
#: serverguide/C/web-servers.xml:1179(para)
1390
1399
"The second one is the <emphasis>host-manager</emphasis> webapp, which you "
1391
1400
"can access by default at http://yourserver:8080/host-manager/html. It can be "
1392
1401
"used to create virtual hosts dynamically."
1395
#: serverguide/C/web-servers.xml:1176(para)
1404
#: serverguide/C/web-servers.xml:1183(para)
1397
1406
"Access to the <emphasis>host-manager</emphasis> application is also "
1398
1407
"protected by default: you need to define a user with the role \"admin-gui\" "
1447
1456
"system-installed libraries."
1450
#: serverguide/C/web-servers.xml:1200(para)
1459
#: serverguide/C/web-servers.xml:1222(para)
1452
1461
"It is possible to run the system-wide instance and the private instances in "
1453
1462
"parallel, as long as they do not use the same TCP ports."
1456
#: serverguide/C/web-servers.xml:1204(title)
1465
#: serverguide/C/web-servers.xml:1226(title)
1457
1466
msgid "Installing private instance support"
1460
#: serverguide/C/web-servers.xml:1205(para)
1469
#: serverguide/C/web-servers.xml:1227(para)
1462
1471
"You can install everything necessary to run private instances by entering "
1463
1472
"the following command in the terminal prompt:"
1466
#: serverguide/C/web-servers.xml:1223(command)
1475
#: serverguide/C/web-servers.xml:1230(command)
1467
1476
msgid "sudo apt-get install tomcat7-user"
1470
#: serverguide/C/web-servers.xml:1212(title)
1479
#: serverguide/C/web-servers.xml:1234(title)
1471
1480
msgid "Creating a private instance"
1474
#: serverguide/C/web-servers.xml:1213(para)
1483
#: serverguide/C/web-servers.xml:1235(para)
1476
1485
"You can create a private instance directory by entering the following "
1477
1486
"command in the terminal prompt:"
1480
#: serverguide/C/web-servers.xml:1231(command)
1489
#: serverguide/C/web-servers.xml:1238(command)
1481
1490
msgid "tomcat7-instance-create my-instance"
1484
#: serverguide/C/web-servers.xml:1218(para)
1493
#: serverguide/C/web-servers.xml:1240(para)
1486
1495
"This will create a new <filename>my-instance</filename> directory with all "
1487
1496
"the necessary subdirectories and scripts. You can for example install your "
1526
1535
"is already taken and that you should change it."
1529
#: serverguide/C/web-servers.xml:1247(para)
1538
#: serverguide/C/web-servers.xml:1269(para)
1531
1540
"You can stop your instance by entering the following command in the terminal "
1532
1541
"prompt (supposing your instance is located in the <filename>my-"
1533
1542
"instance</filename> directory):"
1536
#: serverguide/C/web-servers.xml:1251(command)
1545
#: serverguide/C/web-servers.xml:1273(command)
1537
1546
msgid "my-instance/bin/shutdown.sh"
1540
#: serverguide/C/web-servers.xml:1260(para)
1549
#: serverguide/C/web-servers.xml:1282(para)
1542
1551
"See the <ulink url=\"http://tomcat.apache.org/\">Apache Tomcat</ulink> "
1543
1552
"website for more information."
1546
#: serverguide/C/web-servers.xml:1280(para)
1555
#: serverguide/C/web-servers.xml:1287(para)
1548
1557
"<ulink url=\"http://shop.oreilly.com/product/9780596003180.do\">Tomcat: The "
1549
1558
"Definitive Guide</ulink> is a good resource for building web applications "
1553
#: serverguide/C/web-servers.xml:1271(para)
1562
#: serverguide/C/web-servers.xml:1293(para)
1555
1564
"For additional books see the <ulink "
1556
1565
"url=\"http://wiki.apache.org/tomcat/Tomcat/Books\">Tomcat Books</ulink> list "
1684
#: serverguide/C/vpn.xml:90(para)
1693
#: serverguide/C/vpn.xml:94(para)
1686
1695
"Enter the following to generate the master Certificate Authority (CA) "
1687
1696
"certificate and key:"
1690
#: serverguide/C/vpn.xml:95(command) serverguide/C/vpn.xml:143(command)
1699
#: serverguide/C/vpn.xml:99(command) serverguide/C/vpn.xml:147(command)
1691
1700
msgid "cd /etc/openvpn/easy-rsa/"
1694
#: serverguide/C/vpn.xml:96(command) serverguide/C/vpn.xml:144(command)
1703
#: serverguide/C/vpn.xml:100(command) serverguide/C/vpn.xml:148(command)
1695
1704
msgid "source vars"
1698
#: serverguide/C/vpn.xml:97(command)
1707
#: serverguide/C/vpn.xml:101(command)
1699
1708
msgid "./clean-all"
1702
#: serverguide/C/vpn.xml:98(command)
1711
#: serverguide/C/vpn.xml:102(command)
1703
1712
msgid "./build-ca"
1706
#: serverguide/C/vpn.xml:103(title)
1715
#: serverguide/C/vpn.xml:107(title)
1707
1716
msgid "Server Certificates"
1710
#: serverguide/C/vpn.xml:105(para)
1719
#: serverguide/C/vpn.xml:109(para)
1711
1720
msgid "Next, we will generate a certificate and private key for the server:"
1714
#: serverguide/C/vpn.xml:110(command)
1723
#: serverguide/C/vpn.xml:114(command)
1715
1724
msgid "./build-key-server myservername"
1718
#: serverguide/C/vpn.xml:113(para)
1727
#: serverguide/C/vpn.xml:117(para)
1720
1729
"As in the previous step, most parameters can be defaulted. Two other queries "
1721
1730
"require positive responses, \"Sign the certificate? [y/n]\" and \"1 out of 1 "
1722
1731
"certificate requests certified, commit? [y/n]\"."
1725
#: serverguide/C/vpn.xml:117(para)
1734
#: serverguide/C/vpn.xml:121(para)
1726
1735
msgid "Diffie Hellman parameters must be generated for the OpenVPN server:"
1729
#: serverguide/C/vpn.xml:122(command)
1738
#: serverguide/C/vpn.xml:126(command)
1730
1739
msgid "./build-dh"
1733
#: serverguide/C/vpn.xml:125(para)
1742
#: serverguide/C/vpn.xml:129(para)
1735
1744
"All certificates and keys have been generated in the subdirectory keys/. "
1736
1745
"Common practice is to copy them to /etc/openvpn/:"
1739
#: serverguide/C/vpn.xml:129(command)
1748
#: serverguide/C/vpn.xml:133(command)
1740
1749
msgid "cd keys/"
1759
#: serverguide/C/vpn.xml:145(command)
1768
#: serverguide/C/vpn.xml:149(command)
1760
1769
msgid "./build-key client1"
1763
#: serverguide/C/vpn.xml:148(para)
1772
#: serverguide/C/vpn.xml:152(para)
1764
1773
msgid "Copy the following files to the client using a secure method:"
1767
#: serverguide/C/vpn.xml:153(para)
1776
#: serverguide/C/vpn.xml:157(para)
1768
1777
msgid "/etc/openvpn/ca.crt"
1771
#: serverguide/C/vpn.xml:154(para)
1780
#: serverguide/C/vpn.xml:158(para)
1772
1781
msgid "/etc/openvpn/easy-rsa/keys/client1.crt"
1775
#: serverguide/C/vpn.xml:155(para)
1784
#: serverguide/C/vpn.xml:159(para)
1776
1785
msgid "/etc/openvpn/easy-rsa/keys/client1.key"
1779
#: serverguide/C/vpn.xml:158(para)
1788
#: serverguide/C/vpn.xml:162(para)
1781
1790
"As the client certificates and keys are only required on the client machine, "
1782
1791
"you should remove them from the server."
1785
#: serverguide/C/vpn.xml:166(title)
1794
#: serverguide/C/vpn.xml:170(title)
1786
1795
msgid "Simple Server Configuration"
1789
#: serverguide/C/vpn.xml:168(para)
1798
#: serverguide/C/vpn.xml:172(para)
1791
1800
"Along with your <application>OpenVPN</application> installation you got "
1792
1801
"these sample config files (and many more if if you check):"
1795
#: serverguide/C/vpn.xml:172(programlisting)
1804
#: serverguide/C/vpn.xml:176(programlisting)
2043
#: serverguide/C/vpn.xml:322(para)
2052
#: serverguide/C/vpn.xml:350(para)
2045
2054
"Can the client connect to the server machine? Maybe a firewall is blocking "
2046
2055
"access? Check syslog on server."
2049
#: serverguide/C/vpn.xml:325(para)
2058
#: serverguide/C/vpn.xml:353(para)
2051
2060
"Client and server must use same protocol and port, e.g. UDP port 1194, see "
2052
2061
"port and proto config option"
2055
#: serverguide/C/vpn.xml:328(para)
2064
#: serverguide/C/vpn.xml:356(para)
2057
2066
"Client and server must use same config regarding compression, see comp-lzo "
2058
2067
"config option"
2061
#: serverguide/C/vpn.xml:331(para)
2070
#: serverguide/C/vpn.xml:359(para)
2063
2072
"Client and server must use same config regarding bridged vs routed mode, see "
2064
2073
"server vs server-bridge config option"
2067
#: serverguide/C/databases.xml:168(title)
2076
#: serverguide/C/vpn.xml:366(title) serverguide/C/databases.xml:161(title)
2068
2077
msgid "Advanced configuration"
2071
#: serverguide/C/vpn.xml:342(title)
2080
#: serverguide/C/vpn.xml:369(title)
2072
2081
msgid "Advanced routed VPN configuration on server"
2075
#: serverguide/C/vpn.xml:344(para)
2084
#: serverguide/C/vpn.xml:371(para)
2077
2086
"The above is a very simple working VPN. The client can access services on "
2078
2087
"the VPN server machine through an encrypted tunnel. If you want to reach "
2162
2171
"push \"dhcp-option DNS 10.1.0.2\"\n"
2165
#: serverguide/C/vpn.xml:410(para)
2174
#: serverguide/C/vpn.xml:437(para)
2166
2175
msgid "Allow client to client communication."
2169
#: serverguide/C/vpn.xml:413(programlisting)
2178
#: serverguide/C/vpn.xml:440(programlisting)
2173
2182
"client-to-client\n"
2176
#: serverguide/C/vpn.xml:417(para)
2185
#: serverguide/C/vpn.xml:444(para)
2177
2186
msgid "Enable compression on the VPN link."
2180
#: serverguide/C/vpn.xml:420(programlisting)
2189
#: serverguide/C/vpn.xml:447(programlisting)
2187
#: serverguide/C/vpn.xml:424(para)
2196
#: serverguide/C/vpn.xml:451(para)
2189
"The keepalive directive causes ping-like messages to be sent back and forth "
2190
"over the link so that each side knows when the other side has gone down. "
2191
"Ping every 1 second, assume that remote peer is down if no ping received "
2192
"during a 3 second time period."
2198
"The <emphasis>keepalive</emphasis> directive causes ping-like messages to be "
2199
"sent back and forth over the link so that each side knows when the other "
2200
"side has gone down. Ping every 1 second, assume that remote peer is down if "
2201
"no ping received during a 3 second time period."
2195
#: serverguide/C/vpn.xml:433(programlisting)
2204
#: serverguide/C/vpn.xml:460(programlisting)
2199
2208
"keepalive 1 3\n"
2202
#: serverguide/C/vpn.xml:437(para)
2211
#: serverguide/C/vpn.xml:464(para)
2204
2213
"It's a good idea to reduce the OpenVPN daemon's privileges after "
2205
2214
"initialization."
2208
#: serverguide/C/vpn.xml:440(programlisting)
2217
#: serverguide/C/vpn.xml:467(programlisting)
2853
2862
#: serverguide/C/virtualization.xml:113(para)
2855
2864
"Yet another way to install an Ubuntu virtual machine is to use "
2856
"<application>uvtool</application>. This application, available as of 14.04 "
2865
"<application>uvtool</application>. This application, available as of 14.04, "
2857
2866
"allows you to set up specific VM options, execute custom post-install "
2858
"scripts, etc. For details see <xref linkend=\"cloud-images-and-uvtool\"/>"
2867
"scripts, etc. For details see <xref linkend=\"cloud-images-and-uvtool\"/>."
2861
#: serverguide/C/virtualization.xml:101(para)
2870
#: serverguide/C/virtualization.xml:119(para)
2863
2872
"Libvirt can also be configured work with <application>Xen</application>. For "
2864
2873
"details, see the Xen Ubuntu community page referenced below."
2867
#: serverguide/C/virtualization.xml:106(title)
2876
#: serverguide/C/virtualization.xml:125(title)
2868
2877
msgid "virt-install"
2871
#: serverguide/C/virtualization.xml:107(para)
2880
#: serverguide/C/virtualization.xml:127(para)
2873
2882
"<application>virt-install</application> is part of the "
2874
2883
"<application>virtinst</application> package. To install it, from a terminal "
2875
2884
"prompt enter:"
2878
#: serverguide/C/virtualization.xml:111(command)
2887
#: serverguide/C/virtualization.xml:132(command)
2879
2888
msgid "sudo apt-get install virtinst"
2882
#: serverguide/C/virtualization.xml:113(para)
2891
#: serverguide/C/virtualization.xml:135(para)
2884
2893
"There are several options available when using <application>virt-"
2885
2894
"install</application>. For example:"
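Review bot: The msgid at new lines 2872-2873 still reads "Libvirt can also be configured work with", with "to" missing, while the neighbouring uvtool string in this hunk has its punctuation corrected. Suggest fixing it to "configured to work with" in the same change, so translators are asked to revisit these adjacent strings only once.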
2952
2961
"After launching <application>virt-install</application> you can connect to "
2953
2962
"the virtual machine's console either locally using a GUI (if your server has "
2954
"a GUI), or via a remote VNC client from a GUI based computer."
2963
"a GUI), or via a remote VNC client from a GUI-based computer."
2957
#: serverguide/C/virtualization.xml:179(title)
2966
#: serverguide/C/virtualization.xml:206(title)
2958
2967
msgid "virt-clone"
2961
#: serverguide/C/virtualization.xml:180(para)
2970
#: serverguide/C/virtualization.xml:208(para)
2963
2972
"The <application>virt-clone</application> application can be used to copy "
2964
2973
"one virtual machine to another. For example:"
2967
#: serverguide/C/virtualization.xml:184(command)
2976
#: serverguide/C/virtualization.xml:212(command)
2969
2978
"sudo virt-clone -o web_devel -n database_devel -f "
2970
2979
"/path/to/database_devel.img \\ --connect=qemu:///system"
2973
#: serverguide/C/virtualization.xml:189(para)
2982
#: serverguide/C/virtualization.xml:218(para)
2974
2983
msgid "<emphasis>-o:</emphasis> original virtual machine."
2977
#: serverguide/C/virtualization.xml:194(para)
2986
#: serverguide/C/virtualization.xml:222(para)
2978
2987
msgid "<emphasis>-n:</emphasis> name of the new virtual machine."
2981
#: serverguide/C/virtualization.xml:199(para)
2990
#: serverguide/C/virtualization.xml:227(para)
2983
2992
"<emphasis>-f:</emphasis> path to the file, logical volume, or partition to "
2984
2993
"be used by the new virtual machine."
2987
#: serverguide/C/virtualization.xml:204(para)
2996
#: serverguide/C/virtualization.xml:232(para)
2989
2998
"<emphasis>--connect:</emphasis> specifies which hypervisor to connect to."
2992
#: serverguide/C/virtualization.xml:209(para)
3001
#: serverguide/C/virtualization.xml:237(para)
2994
3003
"Also, use <emphasis>-d</emphasis> or <emphasis>--debug</emphasis> option to "
2995
3004
"help troubleshoot problems with <application>virt-clone</application>."
2998
#: serverguide/C/virtualization.xml:214(para)
3007
#: serverguide/C/virtualization.xml:242(para)
3000
3009
"Replace <emphasis>web_devel</emphasis> and "
3001
3010
"<emphasis>database_devel</emphasis> with appropriate virtual machine names."
3004
#: serverguide/C/virtualization.xml:220(title)
3013
#: serverguide/C/virtualization.xml:249(title)
3005
3014
msgid "Virtual Machine Management"
3008
#: serverguide/C/virtualization.xml:222(title)
3017
#: serverguide/C/virtualization.xml:252(title)
3012
#: serverguide/C/virtualization.xml:223(para)
3021
#: serverguide/C/virtualization.xml:254(para)
3014
3023
"There are several utilities available to manage virtual machines and "
3015
3024
"<application>libvirt</application>. The <application>virsh</application> "
3016
3025
"utility can be used from the command line. Some examples:"
3019
#: serverguide/C/virtualization.xml:229(para)
3028
#: serverguide/C/virtualization.xml:261(para)
3020
3029
msgid "To list running virtual machines:"
3023
#: serverguide/C/virtualization.xml:233(command)
3032
#: serverguide/C/virtualization.xml:264(command)
3024
3033
msgid "virsh -c qemu:///system list"
3027
#: serverguide/C/virtualization.xml:237(para)
3036
#: serverguide/C/virtualization.xml:269(para)
3028
3037
msgid "To start a virtual machine:"
3031
#: serverguide/C/virtualization.xml:241(command)
3040
#: serverguide/C/virtualization.xml:272(command)
3032
3041
msgid "virsh -c qemu:///system start web_devel"
3035
#: serverguide/C/virtualization.xml:245(para)
3044
#: serverguide/C/virtualization.xml:277(para)
3036
3045
msgid "Similarly, to start a virtual machine at boot:"
3039
#: serverguide/C/virtualization.xml:249(command)
3048
#: serverguide/C/virtualization.xml:280(command)
3040
3049
msgid "virsh -c qemu:///system autostart web_devel"
3043
#: serverguide/C/virtualization.xml:253(para)
3052
#: serverguide/C/virtualization.xml:285(para)
3044
3053
msgid "Reboot a virtual machine with:"
3047
#: serverguide/C/virtualization.xml:257(command)
3056
#: serverguide/C/virtualization.xml:288(command)
3048
3057
msgid "virsh -c qemu:///system reboot web_devel"
3051
#: serverguide/C/virtualization.xml:261(para)
3060
#: serverguide/C/virtualization.xml:293(para)
3053
3062
"The <emphasis>state</emphasis> of virtual machines can be saved to a file in "
3054
3063
"order to be restored later. The following will save the virtual machine "
3055
3064
"state into a file named according to the date:"
3058
#: serverguide/C/virtualization.xml:266(command)
3067
#: serverguide/C/virtualization.xml:299(command)
3059
3068
msgid "virsh -c qemu:///system save web_devel web_devel-022708.state"
3062
#: serverguide/C/virtualization.xml:268(para)
3071
#: serverguide/C/virtualization.xml:302(para)
3063
3072
msgid "Once saved the virtual machine will no longer be running."
3066
#: serverguide/C/virtualization.xml:273(para)
3075
#: serverguide/C/virtualization.xml:307(para)
3067
3076
msgid "A saved virtual machine can be restored using:"
3070
#: serverguide/C/virtualization.xml:277(command)
3079
#: serverguide/C/virtualization.xml:310(command)
3071
3080
msgid "virsh -c qemu:///system restore web_devel-022708.state"
3074
#: serverguide/C/virtualization.xml:281(para)
3083
#: serverguide/C/virtualization.xml:315(para)
3075
3084
msgid "To shutdown a virtual machine do:"
3078
#: serverguide/C/virtualization.xml:285(command)
3087
#: serverguide/C/virtualization.xml:318(command)
3079
3088
msgid "virsh -c qemu:///system shutdown web_devel"
3082
#: serverguide/C/virtualization.xml:289(para)
3091
#: serverguide/C/virtualization.xml:323(para)
3083
3092
msgid "A CDROM device can be mounted in a virtual machine by entering:"
3086
#: serverguide/C/virtualization.xml:293(command)
3095
#: serverguide/C/virtualization.xml:327(command)
3087
3096
msgid "virsh -c qemu:///system attach-disk web_devel /dev/cdrom /media/cdrom"
3090
#: serverguide/C/virtualization.xml:298(para)
3099
#: serverguide/C/virtualization.xml:333(para)
3092
3101
"In the above examples replace <emphasis>web_devel</emphasis> with the "
3093
3102
"appropriate virtual machine name, and <filename>web_devel-"
3094
3103
"022708.state</filename> with a descriptive file name."
3097
#: serverguide/C/virtualization.xml:305(title)
3106
#: serverguide/C/virtualization.xml:341(title)
3098
3107
msgid "Virtual Machine Manager"
3101
#: serverguide/C/virtualization.xml:306(para)
3110
#: serverguide/C/virtualization.xml:343(para)
3103
3112
"The <application>virt-manager</application> package contains a graphical "
3104
3113
"utility to manage local and remote virtual machines. To install virt-manager "
3108
#: serverguide/C/virtualization.xml:311(command)
3117
#: serverguide/C/virtualization.xml:348(command)
3109
3118
msgid "sudo apt-get install virt-manager"
3112
#: serverguide/C/virtualization.xml:313(para)
3121
#: serverguide/C/virtualization.xml:351(para)
3114
3123
"Since <application>virt-manager</application> requires a Graphical User "
3115
3124
"Interface (GUI) environment it is recommended to be installed on a "
3157
#: serverguide/C/virtualization.xml:343(para)
3166
#: serverguide/C/virtualization.xml:390(para)
3159
3168
"To install <application>virt-viewer</application> from a terminal enter:"
3162
#: serverguide/C/virtualization.xml:347(command)
3171
#: serverguide/C/virtualization.xml:394(command)
3163
3172
msgid "sudo apt-get install virt-viewer"
3166
#: serverguide/C/virtualization.xml:349(para)
3175
#: serverguide/C/virtualization.xml:397(para)
3168
3177
"Once a virtual machine is installed and running you can connect to the "
3169
3178
"virtual machine's console by using:"
3172
#: serverguide/C/virtualization.xml:353(command)
3181
#: serverguide/C/virtualization.xml:401(command)
3173
3182
msgid "virt-viewer -c qemu:///system web_devel"
3176
#: serverguide/C/virtualization.xml:355(para)
3185
#: serverguide/C/virtualization.xml:404(para)
3178
3187
"Similar to <application>virt-manager</application>, <application>virt-"
3179
3188
"viewer</application> can connect to a remote host using "
3180
3189
"<emphasis>SSH</emphasis> with key authentication, as well:"
3183
#: serverguide/C/virtualization.xml:360(command)
3192
#: serverguide/C/virtualization.xml:409(command)
3184
3193
msgid "virt-viewer -c qemu+ssh://virtnode1.mydomain.com/system web_devel"
3187
#: serverguide/C/virtualization.xml:362(para)
3196
#: serverguide/C/virtualization.xml:412(para)
3189
3198
"Be sure to replace <emphasis role=\"italic\">web_devel</emphasis> with the "
3190
3199
"appropriate virtual machine name."
3206
3215
"more details."
3209
#: serverguide/C/virtualization.xml:379(para)
3218
#: serverguide/C/virtualization.xml:430(para)
3211
3220
"For more information on <application>libvirt</application> see the <ulink "
3212
3221
"url=\"http://libvirt.org/\">libvirt home page</ulink>"
3215
#: serverguide/C/virtualization.xml:384(para)
3224
#: serverguide/C/virtualization.xml:436(para)
3217
"The <ulink url=\"http://virt-manager.et.redhat.com/\">Virtual Machine "
3218
"Manager</ulink> site has more information on <application>virt-"
3219
"manager</application> development."
3226
"The <ulink url=\"http://virt-manager.org/\">Virtual Machine Manager</ulink> "
3227
"site has more information on <application>virt-manager</application> "
3222
#: serverguide/C/virtualization.xml:390(para)
3231
#: serverguide/C/virtualization.xml:442(para)
3224
3233
"Also, stop by the <emphasis>#ubuntu-virt</emphasis> IRC channel on <ulink "
3225
3234
"url=\"http://freenode.net/\">freenode</ulink> to discuss virtualization "
3226
3235
"technology in Ubuntu."
3229
#: serverguide/C/virtualization.xml:396(para)
3238
#: serverguide/C/virtualization.xml:448(para)
3231
3240
"Another good resource is the <ulink "
3232
3241
"url=\"https://help.ubuntu.com/community/KVM\">Ubuntu Wiki KVM</ulink> page."
3235
#: serverguide/C/virtualization.xml:401(para)
3244
#: serverguide/C/virtualization.xml:454(para)
3237
3246
"For information on Xen, including using Xen with libvirt, please see the "
3238
3247
"<ulink url=\"https://help.ubuntu.com/community/Xen\">Ubuntu Wiki Xen</ulink> "
3243
3252
msgid "Cloud images and uvtool"
3246
#: serverguide/C/windows-networking.xml:23(title) serverguide/C/virtualization.xml:412(title) serverguide/C/security.xml:352(title) serverguide/C/remote-administration.xml:18(title) serverguide/C/package-management.xml:18(title) serverguide/C/introduction.xml:11(title) serverguide/C/installation.xml:1187(title)
3255
#: serverguide/C/virtualization.xml:467(title) serverguide/C/security.xml:367(title) serverguide/C/samba.xml:23(title) serverguide/C/remote-administration.xml:18(title) serverguide/C/package-management.xml:18(title) serverguide/C/introduction.xml:11(title) serverguide/C/installation.xml:1260(title)
3247
3256
msgid "Introduction"
3248
3257
msgstr "Въведение"
3250
3259
#: serverguide/C/virtualization.xml:469(para)
3252
"With Ubuntu being one of the most used operating systems on most of the "
3253
"cloud platforms, the availability of stable and secure cloud images has "
3254
"become very important. As of 12.04 the utilization of cloud images outside "
3255
"of a cloud infrastructure has been improved. It is now possible to use those "
3261
"With Ubuntu being one of the most used operating systems on many cloud "
3262
"platforms, the availability of stable and secure cloud images has become "
3263
"very important. As of 12.04 the utilization of cloud images outside of a "
3264
"cloud infrastructure has been improved. It is now possible to use those "
3256
3265
"images to create a virtual machine without the need of a complete "
3257
3266
"installation."
3260
#: serverguide/C/virtualization.xml:478(title)
3269
#: serverguide/C/virtualization.xml:477(title)
3261
3270
msgid "Creating virtual machines using uvtool"
3264
#: serverguide/C/virtualization.xml:480(para)
3273
#: serverguide/C/virtualization.xml:479(para)
3266
3275
"Starting with 14.04 LTS, a tool called uvtool greatly facilitates the task "
3267
3276
"of generating virtual machines (VM) using the cloud images. "
3269
3278
"synchronize cloud-images locally and use them to create new VMs in minutes."
3272
#: serverguide/C/virtualization.xml:487(title)
3281
#: serverguide/C/virtualization.xml:486(title)
3273
3282
msgid "Uvtool packages"
3276
#: serverguide/C/virtualization.xml:489(para)
3285
#: serverguide/C/virtualization.xml:488(para)
3278
"The following packages and their dependancies will be required in order to "
3287
"The following packages and their dependencies will be required in order to "
3282
#: serverguide/C/virtualization.xml:496(para)
3291
#: serverguide/C/virtualization.xml:495(para)
3286
#: serverguide/C/virtualization.xml:500(para)
3295
#: serverguide/C/virtualization.xml:499(para)
3287
3296
msgid "uvtool-libvirt"
3290
#: serverguide/C/virtualization.xml:505(para)
3292
"Installation of <application>uvtool</application> is done the same as for "
3293
"any other application by using apt-get:"
3299
#: serverguide/C/virtualization.xml:504(para)
3300
msgid "To install <application>uvtool</application>, run:"
3296
#: serverguide/C/virtualization.xml:507(programlisting)
3303
#: serverguide/C/virtualization.xml:505(programlisting)
3298
3305
msgid "$ apt-get -y install uvtool"
3301
#: serverguide/C/virtualization.xml:509(para)
3308
#: serverguide/C/virtualization.xml:507(para)
3302
3309
msgid "This will install uvtool's main commands:"
3305
#: serverguide/C/virtualization.xml:511(application)
3312
#: serverguide/C/virtualization.xml:509(application)
3306
3313
msgid "uvt-simplestreams-libvirt"
3309
#: serverguide/C/virtualization.xml:512(application)
3316
#: serverguide/C/virtualization.xml:510(application)
3310
3317
msgid "uvt-kvm"
3313
#: serverguide/C/virtualization.xml:517(title)
3320
#: serverguide/C/virtualization.xml:515(title)
3315
3322
"Get the Ubuntu Cloud Image with <application>uvt-simplestreams-"
3316
3323
"libvirt</application>"
3319
#: serverguide/C/virtualization.xml:519(para)
3326
#: serverguide/C/virtualization.xml:517(para)
3321
3328
"This is one of the major simplifications that "
3322
3329
"<application>uvtool</application> brings. It is aware of where to find the "
3348
3355
"release=trusty arch=amd64 label=beta1 (20140226.1)\n"
3351
#: serverguide/C/virtualization.xml:538(para)
3358
#: serverguide/C/virtualization.xml:536(para)
3353
3360
"In the case where you want to synchronize only one specific cloud-image, you "
3354
3361
"need to use the release= and arch= filters to identify which image needs to "
3355
3362
"be synchronized."
3358
#: serverguide/C/virtualization.xml:541(programlisting)
3365
#: serverguide/C/virtualization.xml:539(programlisting)
3360
3367
msgid "$ uvt-simplestreams-libvirt sync release=precise arch=amd64\n"
3363
#: serverguide/C/virtualization.xml:546(title)
3370
#: serverguide/C/virtualization.xml:544(title)
3364
3371
msgid "Create the VM using uvt-kvm"
3367
#: serverguide/C/virtualization.xml:548(para)
3374
#: serverguide/C/virtualization.xml:546(para)
3369
"In order to be able to connect to the virtual machine once it has been "
3370
"created, it is necessary to have a valid SSH key available for the ubuntu "
3371
"user. If your environment does not have a ssh key, you can easily create one "
3372
"using the following command:"
3376
"In order to connect to the virtual machine once it has been created, you "
3377
"must have a valid SSH key available for the Ubuntu user. If your environment "
3378
"does not have an SSH key, you can easily create one using the following "
3375
#: serverguide/C/virtualization.xml:552(programlisting)
3382
#: serverguide/C/virtualization.xml:548(programlisting)
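Review bot: In the reworded paragraph at virtualization.xml:546, "ubuntu user" became "Ubuntu user", but the word here names the login account on the VM, not the distribution. Suggest keeping it lowercase in the source string, ideally inside literal markup, so that readers and translators treat it as the account name to type.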
3399
3406
"+-----------------+\n"
3409
#: serverguide/C/virtualization.xml:571(para)
3411
"To create of a new virtual machine using uvtool, run the following in a "
3415
#: serverguide/C/virtualization.xml:573(programlisting)
3417
msgid "$ uvt-kvm create firsttest"
3402
3420
#: serverguide/C/virtualization.xml:575(para)
3404
"The creation of a new virtual machine using uvtool is easy. In its simplest "
3405
"form, you only need to do:"
3408
#: serverguide/C/virtualization.xml:578(programlisting)
3410
msgid "$ uvt-kvm create firsttest"
3413
#: serverguide/C/virtualization.xml:580(para)
3415
3422
"This will create a VM named <emphasis role=\"bold\">firsttest</emphasis> "
3416
3423
"using the current LTS cloud image available locally. If you want to specify "
3417
3424
"a release to be used to create the VM, you need to use the <emphasis "
3418
"role=\"bold\">release=</emphasis> filter"
3425
"role=\"bold\">release=</emphasis> filter:"
3428
#: serverguide/C/virtualization.xml:578(programlisting)
3430
msgid "$ uvt-kvm create secondtest release=trusty"
3433
#: serverguide/C/virtualization.xml:580(para)
3435
"<application>uvt-kvm wait</application> can be used to wait until the "
3436
"creation of the VM has completed:"
3421
3439
#: serverguide/C/virtualization.xml:583(programlisting)
3423
msgid "$ uvt-kvm create secondtest release=trusty"
3426
#: serverguide/C/virtualization.xml:585(para)
3428
"The <application>uvt-kvm wait {name}</application> can be used to wait until "
3429
"the creation of the VM has completed"
3432
#: serverguide/C/virtualization.xml:588(programlisting)
3435
3442
"$ uvt-kvm wait secondttest --insecure\n"
3436
3443
"Warning: secure wait for boot-finished not yet implemented; use --insecure.\n"
3439
#: serverguide/C/virtualization.xml:593(title)
3446
#: serverguide/C/virtualization.xml:588(title)
3440
3447
msgid "Connect to the running VM"
3443
#: serverguide/C/virtualization.xml:594(para)
3450
#: serverguide/C/virtualization.xml:589(para)
3445
3452
"Once the virtual machine creation is completed, you can connect to it using "
3449
#: serverguide/C/virtualization.xml:597(programlisting)
3456
#: serverguide/C/virtualization.xml:592(programlisting)
3451
3458
msgid "$ uvt-kvm ssh secondtest --insecure"
3454
#: serverguide/C/virtualization.xml:599(para)
3461
#: serverguide/C/virtualization.xml:594(para)
3456
3463
"For the time being, the <emphasis role=\"bold\">--insecure</emphasis> is "
3457
"required so you should be using this mechanism to connect to your VM only if "
3458
"you completely trust your network infrastructure"
3464
"required, so use this mechanism to connect to your VM only if you completely "
3465
"trust your network infrastructure."
3461
#: serverguide/C/virtualization.xml:602(para)
3468
#: serverguide/C/virtualization.xml:596(para)
3463
"You can also connect to your VM using a regular ssh session using the IP "
3470
"You can also connect to your VM using a regular SSH session using the IP "
3464
3471
"address of the VM. The address can be queried using the following command:"
3467
#: serverguide/C/virtualization.xml:605(programlisting)
3474
#: serverguide/C/virtualization.xml:598(programlisting)
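Review bot: The listing at virtualization.xml:583 still reads `uvt-kvm wait secondttest --insecure`, which does not match the VM created as `secondtest` at 578 and used by `uvt-kvm ssh secondtest` at 592; fix the spelling in the source so all three commands refer to the same VM. The new paragraph at 571 also reads "To create of a new virtual machine", which should be "To create a new virtual machine". Separately, the `--insecure` paragraph at 594 gains its final period but still does not say which check the flag skips; one sentence naming it would let readers judge what "completely trust your network infrastructure" has to cover.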
3498
#: serverguide/C/virtualization.xml:631(title)
3505
#: serverguide/C/virtualization.xml:624(title)
3499
3506
msgid "Get the list of running VMs"
3502
#: serverguide/C/virtualization.xml:632(para)
3503
msgid "You can get the list of VM running on your system with this command:"
3509
#: serverguide/C/virtualization.xml:625(para)
3510
msgid "You can get the list of VMs running on your system with this command:"
3506
#: serverguide/C/virtualization.xml:634(programlisting)
3513
#: serverguide/C/virtualization.xml:627(programlisting)
3509
3516
"$ uvt-kvm list\n"
3513
#: serverguide/C/virtualization.xml:639(title)
3520
#: serverguide/C/virtualization.xml:632(title)
3514
3521
msgid "Destroy your VM"
3517
#: serverguide/C/virtualization.xml:640(para)
3518
msgid "Once you are done with your VM, you can proceed to destroy it with:"
3524
#: serverguide/C/virtualization.xml:633(para)
3525
msgid "Once you are done with your VM, you can destroy it with:"
3521
#: serverguide/C/virtualization.xml:642(programlisting)
3528
#: serverguide/C/virtualization.xml:635(programlisting)
3523
3530
msgid "$ uvt-kvm destroy secondtest"
3526
#: serverguide/C/virtualization.xml:644(title)
3533
#: serverguide/C/virtualization.xml:637(title)
3527
3534
msgid "More uvt-kvm options"
3530
#: serverguide/C/virtualization.xml:646(para)
3537
#: serverguide/C/virtualization.xml:639(para)
3532
3539
"The following options can be used to change some of the characteristics of "
3533
"the virtual memory that you are creating"
3540
"the VM that you are creating:"
3543
#: serverguide/C/virtualization.xml:642(para)
3544
msgid "--memory : Amount of RAM in megabytes. Default: 512."
3547
#: serverguide/C/virtualization.xml:643(para)
3548
msgid "--disk : Size of the OS disk in gigabytes. Default: 8."
3551
#: serverguide/C/virtualization.xml:644(para)
3552
msgid "--cpu : Number of CPU cores. Default: 1."
3555
#: serverguide/C/virtualization.xml:647(para)
3557
"Some other parameters will have an impact on the cloud-init configuration:"
3560
#: serverguide/C/virtualization.xml:649(para)
3562
"--password password : Allow login to the VM using the Ubuntu account and "
3563
"this provided password."
3536
3566
#: serverguide/C/virtualization.xml:650(para)
3537
msgid "--memory : Amount of RAM in megabytes. Default: 512"
3540
#: serverguide/C/virtualization.xml:651(para)
3541
msgid "--disk : Size of the OS disk in gigabytes. Default: 8"
3544
#: serverguide/C/virtualization.xml:652(para)
3545
msgid "--cpu : Number of CPU cores. Default: 1"
3548
#: serverguide/C/virtualization.xml:655(para)
3550
"Some other parameters will have an impact on the cloud-init configuration"
3553
#: serverguide/C/virtualization.xml:657(para)
3555
"--password password : Allow login to the VM using the ubuntu account and "
3556
"this provided password"
3559
#: serverguide/C/virtualization.xml:658(para)
3561
3568
"--run-script-once script_file : Run script_file as root on the VM the first "
3562
3569
"time it is booted, but never again."
3565
#: serverguide/C/virtualization.xml:659(para)
3572
#: serverguide/C/virtualization.xml:651(para)
3567
3574
"--packages package_list : Install the comma-separated packages specified in "
3568
3575
"package_list on first boot."
3571
#: serverguide/C/virtualization.xml:662(para)
3578
#: serverguide/C/virtualization.xml:654(para)
3573
3580
"A complete description of all available modifiers is available in the "
3574
"manpage of uvt-kvm"
3581
"manpage of uvt-kvm."
3577
#: serverguide/C/virtualization.xml:1073(para)
3584
#: serverguide/C/virtualization.xml:661(para)
3579
3586
"If you are interested in learning more, have questions or suggestions, "
3580
3587
"please contact the Ubuntu Server Team at:"
3583
#: serverguide/C/virtualization.xml:1078(para)
3590
#: serverguide/C/virtualization.xml:666(para)
3584
3591
msgid "IRC: #ubuntu-server on freenode"
3587
#: serverguide/C/virtualization.xml:1083(para)
3594
#: serverguide/C/virtualization.xml:670(para)
3589
3596
"Mailing list: <ulink url=\"https://lists.ubuntu.com/mailman/listinfo/ubuntu-"
3590
3597
"server\">ubuntu-server at lists.ubuntu.com</ulink>"
3593
#: serverguide/C/virtualization.xml:2121(title)
3600
#: serverguide/C/virtualization.xml:679(title)
3594
3601
msgid "Ubuntu Cloud"
3597
#: serverguide/C/virtualization.xml:2122(para)
3604
#: serverguide/C/virtualization.xml:681(para)
3599
3606
"<application>Cloud computing</application> is a computing model that allows "
3600
3607
"vast pools of resources to be allocated on-demand. These resources such as "
3618
3625
"concerning installation and configuration."
3621
#: serverguide/C/virtualization.xml:2452(title)
3628
#: serverguide/C/virtualization.xml:703(title)
3622
3629
msgid "Support and Troubleshooting"
3625
#: serverguide/C/virtualization.xml:2453(para)
3632
#: serverguide/C/virtualization.xml:705(para)
3626
3633
msgid "Community Support"
3629
#: serverguide/C/virtualization.xml:2457(ulink)
3636
#: serverguide/C/virtualization.xml:709(ulink)
3630
3637
msgid "OpenStack Mailing list"
3633
#: serverguide/C/virtualization.xml:2462(ulink)
3640
#: serverguide/C/virtualization.xml:714(ulink)
3634
3641
msgid "The OpenStack Wiki search"
3637
#: serverguide/C/virtualization.xml:2468(ulink)
3644
#: serverguide/C/virtualization.xml:719(ulink)
3638
3645
msgid "Launchpad bugs area"
3641
#: serverguide/C/virtualization.xml:2472(para)
3648
#: serverguide/C/virtualization.xml:724(para)
3642
3649
msgid "Join the IRC channel #openstack on freenode."
3645
#: serverguide/C/virtualization.xml:2486(ulink)
3652
#: serverguide/C/virtualization.xml:735(ulink)
3646
3653
msgid "Cloud Computing - Service models"
3649
#: serverguide/C/virtualization.xml:2491(ulink)
3656
#: serverguide/C/virtualization.xml:741(ulink)
3650
3657
msgid "OpenStack Compute"
3653
#: serverguide/C/virtualization.xml:2496(ulink)
3660
#: serverguide/C/virtualization.xml:747(ulink)
3654
3661
msgid "OpenStack Image Service"
3657
#: serverguide/C/virtualization.xml:2501(ulink)
3664
#: serverguide/C/virtualization.xml:753(ulink)
3658
3665
msgid "OpenStack Object Storage Administration Guide"
3661
#: serverguide/C/virtualization.xml:2506(ulink)
3668
#: serverguide/C/virtualization.xml:759(ulink)
3662
3669
msgid "Installing OpenStack Object Storage on Ubuntu"
3665
#: serverguide/C/virtualization.xml:2511(ulink)
3672
#: serverguide/C/virtualization.xml:765(ulink)
3666
3673
msgid "http://cloudglossary.com/"
3669
#: serverguide/C/virtualization.xml:2586(title)
3676
#: serverguide/C/virtualization.xml:775(title)
3673
#: serverguide/C/virtualization.xml:785(para)
3680
#: serverguide/C/virtualization.xml:777(para)
3675
3682
"Containers are a lightweight virtualization technology. They are more akin "
3676
3683
"to an enhanced chroot than to full virtualization like Qemu or VMware, both "
3693
3700
"there are peculiarities which can cause confusion."
3696
#: serverguide/C/virtualization.xml:804(para)
3703
#: serverguide/C/virtualization.xml:796(para)
3698
3705
"In this document we will mainly describe the <application>lxc</application> "
3699
3706
"package. Use of libvirt-lxc is not generally recommended due to a lack of "
3700
3707
"Apparmor protection for libvirt-lxc containers."
3703
#: serverguide/C/virtualization.xml:2618(para)
3710
#: serverguide/C/virtualization.xml:801(para)
3704
3711
msgid "In this document, a container name will be shown as CN, C1, or C2."
3707
#: serverguide/C/virtualization.xml:2624(para)
3714
#: serverguide/C/virtualization.xml:807(para)
3708
3715
msgid "The <application>lxc</application> package can be installed using"
3711
#: serverguide/C/virtualization.xml:2629(command)
3718
#: serverguide/C/virtualization.xml:811(command)
3712
3719
msgid "sudo apt-get install lxc"
3715
#: serverguide/C/virtualization.xml:824(para)
3722
#: serverguide/C/virtualization.xml:816(para)
3717
3724
"This will pull in the required and recommended dependencies, as well as set "
3718
3725
"up a network bridge for containers to use. If you wish to use unprivileged "
3917
#: serverguide/C/virtualization.xml:1015(para)
3924
#: serverguide/C/virtualization.xml:1007(para)
3919
3926
"<filename>default.conf</filename> specifies configuration which every newly "
3920
3927
"created container should contain. This usually contains at least a network "
3921
3928
"section, and, for unprivileged users, an id mapping section"
3924
#: serverguide/C/virtualization.xml:1022(para)
3931
#: serverguide/C/virtualization.xml:1014(para)
3926
3933
"<filename>lxc-usernet.conf</filename> specifies how unprivileged users may "
3927
3934
"connect their containers to the host-owned network."
3930
#: serverguide/C/virtualization.xml:1002(para)
3937
#: serverguide/C/virtualization.xml:994(para)
3932
3939
"The following configuration files are consulted by LXC. For privileged use, "
3933
3940
"they are found under <filename>/etc/lxc</filename>, while for unprivileged "
3934
3941
"use they are under <filename>~/.config/lxc</filename>. <placeholder-1/>"
3937
#: serverguide/C/virtualization.xml:1028(para)
3944
#: serverguide/C/virtualization.xml:1020(para)
3939
"<filename>lxc.conf</filename> and <filename>default.conf</filename> are "
3940
"exist both under <filename>/etc/lxc</filename> and "
3946
"<filename>lxc.conf</filename> and <filename>default.conf</filename> are both "
3947
"under <filename>/etc/lxc</filename> and "
3941
3948
"<filename>$HOME/.config/lxc</filename>, while <filename>lxc-"
3942
3949
"usernet.conf</filename> is only host-wide."
3945
#: serverguide/C/virtualization.xml:1033(para)
3952
#: serverguide/C/virtualization.xml:1025(para)
3947
3954
"By default, containers are located under /var/lib/lxc for the root user, and "
3948
3955
"$HOME/.local/share/lxc otherwise. The location can be specified for all lxc "
3949
3956
"commands using the \"-P|--lxcpath\" argument."
3952
#: serverguide/C/virtualization.xml:1210(para) serverguide/C/virtualization.xml:1272(para) serverguide/C/network-config.xml:11(title)
3959
#: serverguide/C/virtualization.xml:1034(title) serverguide/C/network-config.xml:11(title)
3953
3960
msgid "Networking"
3956
#: serverguide/C/virtualization.xml:1043(para)
3963
#: serverguide/C/virtualization.xml:1035(para)
3958
3965
"By default LXC creates a private network namespace for each container, which "
3959
3966
"includes a layer 2 networking stack. Containers usually connect to the "
4211
4218
"dangerous paths, and from mounting most filesystems."
4214
#: serverguide/C/virtualization.xml:1275(para)
4221
#: serverguide/C/virtualization.xml:1267(para)
4216
4223
"Programs in a container cannot be further confined - for instance, MySQL "
4217
4224
"runs under the container profile (protecting the host) but will not be able "
4218
4225
"to enter the MySQL profile (to protect the container)."
4221
#: serverguide/C/virtualization.xml:2926(para)
4228
#: serverguide/C/virtualization.xml:1272(para)
4223
4230
"<command>lxc-execute</command> does not enter an Apparmor profile, but the "
4224
4231
"container it spawns will be confined."
4227
#: serverguide/C/virtualization.xml:1283(title)
4234
#: serverguide/C/virtualization.xml:1275(title)
4228
4235
msgid "Customizing container policies"
4231
#: serverguide/C/virtualization.xml:2879(para)
4238
#: serverguide/C/virtualization.xml:1276(para)
4233
4240
"If you find that <command>lxc-start</command> is failing due to a legitimate "
4234
4241
"access which is being denied by its Apparmor policy, you can disable the lxc-"
4235
4242
"start profile by doing:"
4238
#: serverguide/C/virtualization.xml:2885(screen)
4245
#: serverguide/C/virtualization.xml:1280(screen)
4346
4354
"i/o, guarantee minimum cpu shares, and to lock containers to specific cpus."
4349
#: serverguide/C/virtualization.xml:1377(para)
4357
#: serverguide/C/virtualization.xml:1369(para)
4351
"By default, a privileged container CN will be assigned a cgroup called "
4359
"By default, a privileged container CN will be assigned to a cgroup called "
4352
4360
"<filename>/lxc/CN</filename>. In the case of name conflicts (which can occur "
4353
4361
"when using custom lxcpaths) a suffix \"-n\", where n is an integer starting "
4354
4362
"at 0, will be appended to the cgroup name."
4357
#: serverguide/C/virtualization.xml:1383(para)
4365
#: serverguide/C/virtualization.xml:1375(para)
4359
"By default, a privileged container CN will be assigned a cgroup called "
4367
"By default, a privileged container CN will be assigned to a cgroup called "
4360
4368
"<filename>CN</filename> under the cgroup of the task which started the "
4361
4369
"container, for instance <filename>/usr/1000.user/1.session/CN</filename>. "
4362
4370
"The container root will be given group ownership of the directory (but not "
4363
4371
"all files) so that it is allowed to create new child cgroups."
4366
#: serverguide/C/virtualization.xml:1390(para)
4374
#: serverguide/C/virtualization.xml:1382(para)
4368
4376
"As of Ubuntu 14.04, LXC uses the cgroup manager (cgmanager) to administer "
4369
4377
"cgroups. The cgroup manager receives D-Bus requests over the Unix socket "
4370
"<filename>/sys/fs/cgroup/cgmanager/sock</filename>. To fascilitate safe "
4378
"<filename>/sys/fs/cgroup/cgmanager/sock</filename>. To facilitate safe "
4371
4379
"nested containers, the line <screen>\n"
4373
4381
"lxc.mount.auto = cgroup\n"
4423
4431
"container, and to only use its snapshots."
4426
#: serverguide/C/virtualization.xml:1446(para)
4434
#: serverguide/C/virtualization.xml:1438(para)
4427
4435
msgid "Given an existing container called C1, a copy can be created using:"
4430
#: serverguide/C/virtualization.xml:3274(command)
4438
#: serverguide/C/virtualization.xml:1442(command)
4431
4439
msgid "sudo lxc-clone -o C1 -n C2"
4434
#: serverguide/C/virtualization.xml:1455(para)
4435
msgid "A snapshot can be created using"
4442
#: serverguide/C/virtualization.xml:1447(para)
4443
msgid "A snapshot can be created using:"
4438
#: serverguide/C/virtualization.xml:3288(command)
4446
#: serverguide/C/virtualization.xml:1449(command)
4439
4447
msgid "sudo lxc-clone -s -o C1 -n C2"
4442
#: serverguide/C/virtualization.xml:1461(para)
4450
#: serverguide/C/virtualization.xml:1453(para)
4443
4451
msgid "See the lxc-clone manpage for more information."
4446
#: serverguide/C/virtualization.xml:1464(title)
4454
#: serverguide/C/virtualization.xml:1456(title)
4447
4455
msgid "Snapshots"
4450
#: serverguide/C/virtualization.xml:1465(para)
4458
#: serverguide/C/virtualization.xml:1457(para)
4452
4460
"To more easily support the use of snapshot clones for iterative container "
4453
4461
"development, LXC supports <emphasis>snapshots</emphasis>. When working on a "
4505
4513
"page for more options."
4508
#: serverguide/C/virtualization.xml:1527(title)
4516
#: serverguide/C/virtualization.xml:1519(title)
4509
4517
msgid "Lifecycle management hooks"
4512
#: serverguide/C/virtualization.xml:1529(para)
4520
#: serverguide/C/virtualization.xml:1521(para)
4514
4522
"Beginning with Ubuntu 12.10, it is possible to define hooks to be executed "
4515
4523
"at specific points in a container's lifetime:"
4518
#: serverguide/C/virtualization.xml:1534(para)
4526
#: serverguide/C/virtualization.xml:1526(para)
4520
4528
"Pre-start hooks are run in the host's namespace before the container ttys, "
4521
4529
"consoles, or mounts are up. If any mounts are done in this hook, they should "
4522
4530
"be cleaned up in the post-stop hook."
4525
#: serverguide/C/virtualization.xml:1541(para)
4533
#: serverguide/C/virtualization.xml:1533(para)
4527
4535
"Pre-mount hooks are run in the container's namespaces, but before the root "
4528
4536
"filesystem has been mounted. Mounts done in this hook will be automatically "
4529
4537
"cleaned up when the container shuts down."
4532
#: serverguide/C/virtualization.xml:1548(para)
4540
#: serverguide/C/virtualization.xml:1540(para)
4534
4542
"Mount hooks are run after the container filesystems have been mounted, but "
4535
4543
"before the container has called <command>pivot_root</command> to change its "
4536
4544
"root filesystem."
4539
#: serverguide/C/virtualization.xml:1555(para)
4547
#: serverguide/C/virtualization.xml:1547(para)
4541
4549
"Start hooks are run immediately before executing the container's init. Since "
4542
4550
"these are executed after pivoting into the container's filesystem, the "
4543
4551
"command to be executed must be copied into the container's filesystem."
4546
#: serverguide/C/virtualization.xml:1562(para)
4554
#: serverguide/C/virtualization.xml:1554(para)
4547
4555
msgid "Post-stop hooks are executed after the container has been shut down."
4550
#: serverguide/C/virtualization.xml:1567(para)
4558
#: serverguide/C/virtualization.xml:1559(para)
4552
4560
"If any hook returns an error, the container's run will be aborted. Any "
4553
4561
"<emphasis>post-stop</emphasis> hook will still be executed. Any output "
4554
4562
"generated by the script will be logged at the debug priority."
4557
#: serverguide/C/virtualization.xml:1572(para)
4565
#: serverguide/C/virtualization.xml:1564(para)
4559
4567
"Please see the lxc.container.conf manual page for the configuration file "
4560
4568
"format with which to specify hooks. Some sample hooks are shipped with the "
4561
4569
"lxc package to serve as an example of how to write and use such hooks."
4564
#: serverguide/C/virtualization.xml:3452(title)
4572
#: serverguide/C/virtualization.xml:1571(title)
4565
4573
msgid "Consoles"
4568
#: serverguide/C/virtualization.xml:1581(para)
4576
#: serverguide/C/virtualization.xml:1573(para)
4570
4578
"Containers have a configurable number of consoles. One always exists on the "
4571
4579
"container's <filename>/dev/console</filename>. This is shown on the terminal "
4812
4820
"to the use of containers."
4815
#: serverguide/C/virtualization.xml:4398(para)
4823
#: serverguide/C/virtualization.xml:1795(para)
4817
4825
"The <ulink url=\"http://www.ibm.com/developerworks/linux/library/l-lxc-"
4818
4826
"security/index.html\"> Secure Containers Cookbook</ulink> demonstrated the "
4819
4827
"use of security modules to make containers more secure."
4822
#: serverguide/C/virtualization.xml:1810(para) serverguide/C/cgroups.xml:202(para)
4830
#: serverguide/C/virtualization.xml:1802(para) serverguide/C/cgroups.xml:202(para)
4823
4831
msgid "Manual pages referenced above can be found at:"
4826
#: serverguide/C/virtualization.xml:4407(ulink)
4834
#: serverguide/C/virtualization.xml:1804(ulink)
4827
4835
msgid "capabilities"
4830
#: serverguide/C/virtualization.xml:4408(ulink)
4838
#: serverguide/C/virtualization.xml:1805(ulink)
4831
4839
msgid "lxc.conf"
4834
#: serverguide/C/virtualization.xml:1818(para)
4842
#: serverguide/C/virtualization.xml:1810(para)
4836
4844
"The upstream LXC project is hosted at <ulink "
4837
4845
"url=\"http://linuxcontainers.org\">linuxcontainers.org</ulink>."
4840
#: serverguide/C/virtualization.xml:4420(para)
4848
#: serverguide/C/virtualization.xml:1815(para)
4842
4850
"LXC security issues are listed and discussed at <ulink "
4843
4851
"url=\"http://wiki.ubuntu.com/LxcSecurity\">the LXC Security wiki page</ulink>"
4846
#: serverguide/C/virtualization.xml:1829(para)
4854
#: serverguide/C/virtualization.xml:1821(para)
4848
4856
"For more on namespaces in Linux, see: S. Bhattiprolu, E. W. Biederman, S. E. "
4849
4857
"Hallyn, and D. Lezcano. Virtual Servers and Check- point/Restart in "
4943
4951
"access or a central server."
4946
#: serverguide/C/vcs.xml:88(para)
4954
#: serverguide/C/vcs.xml:95(para)
4948
4956
"The <application>git</application> version control system is installed with "
4949
4957
"the following command"
4952
#: serverguide/C/vcs.xml:92(command)
4960
#: serverguide/C/vcs.xml:99(command)
4953
4961
msgid "sudo apt-get install git"
4956
#: serverguide/C/vcs.xml:97(para)
4964
#: serverguide/C/vcs.xml:104(para)
4958
4966
"Every git user should first introduce himself to git, by running these two "
4962
#: serverguide/C/vcs.xml:99(command)
4970
#: serverguide/C/vcs.xml:106(command)
4963
4971
msgid "git config --global user.email \"you@example.com\""
4966
#: serverguide/C/vcs.xml:100(command)
4974
#: serverguide/C/vcs.xml:107(command)
4967
4975
msgid "git config --global user.name \"Your Name\""
4970
#: serverguide/C/vcs.xml:105(para)
4978
#: serverguide/C/vcs.xml:112(para)
4972
4980
"The above is already sufficient to use git in a distributed and secure way, "
4973
4981
"provided users have access to the machine assuming the server role via SSH. "
4974
"On the server machine, creating a new repository can be done with"
4982
"On the server machine, creating a new repository can be done with:"
4977
#: serverguide/C/vcs.xml:108(command)
4985
#: serverguide/C/vcs.xml:119(command)
4978
4986
msgid "git init --bare /path/to/repository"
4981
#: serverguide/C/vcs.xml:110(para)
4989
#: serverguide/C/vcs.xml:121(para)
4983
4991
"This creates a bare repository, that cannot be used to edit files directly. "
4984
4992
"If you would rather have a working copy of the contents of the repository on "
4985
4993
"the server, ommit the <emphasis>--bare</emphasis> option."
4988
#: serverguide/C/vcs.xml:111(para)
4996
#: serverguide/C/vcs.xml:122(para)
4990
"Any client with ssh access to the machine can from then on clone the "
4998
"Any client with SSH access to the machine can then clone the repository with:"
4994
#: serverguide/C/vcs.xml:113(command)
5001
#: serverguide/C/vcs.xml:127(command)
4995
5002
msgid "git clone username@hostname:/path/to/repository"
4998
#: serverguide/C/vcs.xml:115(para)
5005
#: serverguide/C/vcs.xml:129(para)
5000
5007
"Once cloned to the client's machine, the client can edit files, then commit "
5001
5008
"and share them with:"
5004
#: serverguide/C/vcs.xml:119(command)
5011
#: serverguide/C/vcs.xml:133(command)
5005
5012
msgid "cd /path/to/repository"
5008
#: serverguide/C/vcs.xml:120(command)
5015
#: serverguide/C/vcs.xml:134(command)
5009
5016
msgid "#(edit some files"
5012
#: serverguide/C/vcs.xml:121(command)
5019
#: serverguide/C/vcs.xml:135(command)
5014
5021
"git commit -a # Commit all changes to the local version of the repository"
5017
#: serverguide/C/vcs.xml:122(command)
5024
#: serverguide/C/vcs.xml:136(command)
5019
5026
"git push origin master # Push changes to the server's version of the "
5023
#: serverguide/C/vcs.xml:127(title)
5030
#: serverguide/C/vcs.xml:141(title)
5024
5031
msgid "Installing a gitolite server"
5027
#: serverguide/C/vcs.xml:128(para)
5034
#: serverguide/C/vcs.xml:142(para)
5029
5036
"While the above is sufficient to create, clone and edit repositories, users "
5030
5037
"wanting to install git on a server will most likely want to have git work "
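Review bot: The msgid at vcs.xml:121(para) still reads "ommit the <emphasis>--bare</emphasis> option". This change already edits the neighbouring strings (the trailing colon on "can be done with:" and "ssh" to "SSH"), so correct the spelling to "omit" in the same pass. Two other strings in this hunk need the same attention: the command string "#(edit some files" at vcs.xml:134 has an unclosed parenthesis, and "is installed with the following command" at vcs.xml:95 did not get the trailing colon that the other lead-in sentences received.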
5095
5102
"configuration repository:"
5098
#: serverguide/C/vcs.xml:169(command)
5105
#: serverguide/C/vcs.xml:183(command)
5102
#: serverguide/C/vcs.xml:170(command)
5109
#: serverguide/C/vcs.xml:184(command)
5103
5110
msgid "git clone git@$IP_ADDRESS:gitolite-admin.git"
5106
#: serverguide/C/vcs.xml:171(command)
5113
#: serverguide/C/vcs.xml:185(command)
5107
5114
msgid "cd gitolite-admin"
5110
#: serverguide/C/vcs.xml:173(para)
5117
#: serverguide/C/vcs.xml:187(para)
5112
5119
"The gitolite-admin contains two subdirectories, \"conf\" and \"keydir\". The "
5113
5120
"configuration files are in the conf dir, and the keydir directory contains "
5114
5121
"the list of user's public SSH keys."
5117
#: serverguide/C/vcs.xml:176(title)
5124
#: serverguide/C/vcs.xml:190(title)
5118
5125
msgid "Managing gitolite users and repositories"
5121
#: serverguide/C/vcs.xml:177(para)
5128
#: serverguide/C/vcs.xml:191(para)
5123
5130
"Adding new users to gitolite is simple: just obtain their public SSH key and "
5124
5131
"add it to the keydir directory as $DESIRED_USER_NAME.pub. Note that the "
5158
5165
" R = denise\n"
5161
#: serverguide/C/vcs.xml:195(title)
5168
#: serverguide/C/vcs.xml:209(title)
5162
5169
msgid "Using your server"
5165
#: serverguide/C/vcs.xml:196(para)
5172
#: serverguide/C/vcs.xml:210(para)
5167
5174
"To use the newly created server, users have to have the gitolite admin "
5168
5175
"import their public key into the gitolite configuration repository, they can "
5169
5176
"then access any project they have access to with the following command:"
5172
#: serverguide/C/vcs.xml:198(command)
5179
#: serverguide/C/vcs.xml:212(command)
5173
5180
msgid "git clone git@$SERVER_IP:$PROJECT_NAME.git"
5176
#: serverguide/C/vcs.xml:200(para)
5183
#: serverguide/C/vcs.xml:214(para)
5178
5185
"Or add the server's project as a remote for an existing git repository:"
5181
#: serverguide/C/vcs.xml:202(command)
5188
#: serverguide/C/vcs.xml:216(command)
5182
5189
msgid "git remote add gitolite git@$SERVER_IP:$PROJECT_NAME.git"
5185
#: serverguide/C/vcs.xml:79(title)
5192
#: serverguide/C/vcs.xml:221(title)
5186
5193
msgid "Subversion"
5189
#: serverguide/C/vcs.xml:80(para)
5196
#: serverguide/C/vcs.xml:222(para)
5191
5198
"Subversion is an open source version control system. Using Subversion, you "
5192
5199
"can record the history of source files and documents. It manages files and "
5206
5213
"section to install and configure the digital certificate."
5209
#: serverguide/C/vcs.xml:94(para)
5216
#: serverguide/C/vcs.xml:236(para)
5211
5218
"To install Subversion, run the following command from a terminal prompt:"
5214
#: serverguide/C/vcs.xml:227(command)
5221
#: serverguide/C/vcs.xml:241(command)
5215
5222
msgid "sudo apt-get install subversion apache2 libapache2-svn"
5218
#: serverguide/C/vcs.xml:105(title)
5225
#: serverguide/C/vcs.xml:247(title)
5219
5226
msgid "Server Configuration"
5222
#: serverguide/C/vcs.xml:106(para)
5229
#: serverguide/C/vcs.xml:248(para)
5224
5231
"This step assumes you have installed above mentioned packages on your "
5225
5232
"system. This section explains how to create a Subversion repository and "
5226
5233
"access the project."
5229
#: serverguide/C/vcs.xml:109(title)
5236
#: serverguide/C/vcs.xml:251(title)
5230
5237
msgid "Create Subversion Repository"
5233
#: serverguide/C/vcs.xml:110(para)
5240
#: serverguide/C/vcs.xml:252(para)
5235
5242
"The Subversion repository can be created using the following command from a "
5236
5243
"terminal prompt:"
5239
#: serverguide/C/vcs.xml:114(command)
5246
#: serverguide/C/vcs.xml:256(command)
5240
5247
msgid "svnadmin create /path/to/repos/project"
5243
#: serverguide/C/vcs.xml:119(title)
5250
#: serverguide/C/vcs.xml:261(title)
5244
5251
msgid "Importing Files"
5247
#: serverguide/C/vcs.xml:120(para)
5254
#: serverguide/C/vcs.xml:262(para)
5249
5256
"Once you create the repository you can <emphasis>import</emphasis> files "
5250
5257
"into the repository. To import a directory, enter the following from a "
5266
5273
"schemes map to the available access methods."
5269
#: serverguide/C/vcs.xml:144(para)
5276
#: serverguide/C/vcs.xml:286(para)
5273
#: serverguide/C/vcs.xml:145(para)
5280
#: serverguide/C/vcs.xml:287(para)
5274
5281
msgid "Access Method"
5277
#: serverguide/C/vcs.xml:150(para)
5284
#: serverguide/C/vcs.xml:292(para)
5278
5285
msgid "file://"
5281
#: serverguide/C/vcs.xml:151(para)
5288
#: serverguide/C/vcs.xml:293(para)
5282
5289
msgid "direct repository access (on local disk)"
5285
#: serverguide/C/vcs.xml:154(para)
5292
#: serverguide/C/vcs.xml:296(para)
5286
5293
msgid "http://"
5289
#: serverguide/C/vcs.xml:155(para)
5296
#: serverguide/C/vcs.xml:297(para)
5290
5297
msgid "Access via WebDAV protocol to Subversion-aware Apache2 web server"
5293
#: serverguide/C/vcs.xml:158(para)
5300
#: serverguide/C/vcs.xml:300(para)
5294
5301
msgid "https://"
5297
#: serverguide/C/vcs.xml:159(para)
5304
#: serverguide/C/vcs.xml:301(para)
5298
5305
msgid "Same as http://, but with SSL encryption"
5301
#: serverguide/C/vcs.xml:162(para)
5308
#: serverguide/C/vcs.xml:304(para)
5305
#: serverguide/C/vcs.xml:163(para)
5312
#: serverguide/C/vcs.xml:305(para)
5306
5313
msgid "Access via custom protocol to an svnserve server"
5309
#: serverguide/C/vcs.xml:166(para)
5316
#: serverguide/C/vcs.xml:308(para)
5310
5317
msgid "svn+ssh://"
5313
#: serverguide/C/vcs.xml:167(para)
5320
#: serverguide/C/vcs.xml:309(para)
5314
5321
msgid "Same as svn://, but through an SSH tunnel"
5317
#: serverguide/C/vcs.xml:173(para)
5324
#: serverguide/C/vcs.xml:315(para)
5319
5326
"In this section, we will see how to configure Subversion for all these "
5320
5327
"access methods. Here, we cover the basics. For more advanced usage details, "
5321
5328
"refer to the <ulink url=\"http://svnbook.red-bean.com/\">svn book</ulink>."
5324
#: serverguide/C/vcs.xml:180(title)
5331
#: serverguide/C/vcs.xml:322(title)
5325
5332
msgid "Direct repository access (file://)"
5328
#: serverguide/C/vcs.xml:181(para)
5335
#: serverguide/C/vcs.xml:323(para)
5330
5337
"This is the simplest of all access methods. It does not require any "
5331
5338
"Subversion server process to be running. This access method is used to "
5333
5340
"at a terminal prompt, is as follows:"
5336
#: serverguide/C/vcs.xml:188(command)
5343
#: serverguide/C/vcs.xml:330(command)
5337
5344
msgid "svn co file:///path/to/repos/project"
5340
#: serverguide/C/vcs.xml:191(para)
5347
#: serverguide/C/vcs.xml:333(para)
5344
#: serverguide/C/vcs.xml:194(command)
5351
#: serverguide/C/vcs.xml:336(command)
5345
5352
msgid "svn co file://localhost/path/to/repos/project"
5348
#: serverguide/C/vcs.xml:198(para)
5355
#: serverguide/C/vcs.xml:340(para)
5350
5357
"If you do not specify the hostname, there are three forward slashes (///) -- "
5351
5358
"two for the protocol (file, in this case) plus the leading slash in the "
5352
5359
"path. If you specify the hostname, you must use two forward slashes (//)."
5355
#: serverguide/C/vcs.xml:200(para)
5362
#: serverguide/C/vcs.xml:342(para)
5357
5364
"The repository permissions depend on filesystem permissions. If the user has "
5358
5365
"read/write permission, he can checkout from and commit to the repository."
5361
#: serverguide/C/vcs.xml:203(title)
5368
#: serverguide/C/vcs.xml:345(title)
5362
5369
msgid "Access via WebDAV protocol (http://)"
5365
#: serverguide/C/vcs.xml:332(para)
5372
#: serverguide/C/vcs.xml:346(para)
5367
5374
"To access the Subversion repository via WebDAV protocol, you must configure "
5368
5375
"your Apache 2 web server. Add the following snippet between the "
5433
5440
"the first user):"
5436
#: serverguide/C/vcs.xml:254(command)
5443
#: serverguide/C/vcs.xml:403(command)
5437
5444
msgid "sudo htpasswd -c /etc/subversion/passwd user_name"
5440
#: serverguide/C/vcs.xml:257(para)
5447
#: serverguide/C/vcs.xml:406(para)
5442
5449
"To add additional users omit the <emphasis>\"-c\"</emphasis> option as this "
5443
5450
"option replaces the old file. Instead use this form:"
5446
#: serverguide/C/vcs.xml:262(command)
5453
#: serverguide/C/vcs.xml:411(command)
5447
5454
msgid "sudo htpasswd /etc/subversion/passwd user_name"
5450
#: serverguide/C/vcs.xml:266(para)
5457
#: serverguide/C/vcs.xml:415(para)
5452
5459
"This command will prompt you to enter the password. Once you enter the "
5453
5460
"password, the user is added. Now, to access the repository you can run the "
5454
5461
"following command:"
5457
#: serverguide/C/vcs.xml:267(command)
5464
#: serverguide/C/vcs.xml:416(command)
5458
5465
msgid "svn co http://servername/svn"
5461
#: serverguide/C/vcs.xml:269(para)
5468
#: serverguide/C/vcs.xml:418(para)
5463
5470
"The password is transmitted as plain text. If you are worried about password "
5464
5471
"snooping, you are advised to use SSL encryption. For details, please refer "
5465
5472
"next section."
5468
#: serverguide/C/vcs.xml:275(title)
5475
#: serverguide/C/vcs.xml:424(title)
5469
5476
msgid "Access via WebDAV protocol with SSL encryption (https://)"
5472
#: serverguide/C/vcs.xml:411(para)
5479
#: serverguide/C/vcs.xml:425(para)
5474
5481
"Accessing Subversion repository via WebDAV protocol with SSL encryption "
5475
5482
"(https://) is similar to http:// except that you must install and configure "
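Review bot: In the paragraph at vcs.xml:418, the sentence "For details, please refer next section." is missing "to the" and is carried over unchanged; reword it to "please refer to the next section". The warning that the password is transmitted as plain text also comes after the "svn co http://servername/svn" command. Consider moving it ahead of that command so readers see it before sending the htpasswd credentials over http://.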
5507
5514
"following lines in the configuration file:"
5510
#: serverguide/C/vcs.xml:308(programlisting)
5517
#: serverguide/C/vcs.xml:457(programlisting)
5513
5520
"# [general]\n"
5514
5521
"# password-db = passwd"
5517
#: serverguide/C/vcs.xml:311(para)
5524
#: serverguide/C/vcs.xml:460(para)
5519
5526
"After uncommenting the above lines, you can maintain the user list in the "
5520
5527
"passwd file. So, edit the file <filename>passwd </filename> in the same "
5521
5528
"directory and add the new user. The syntax is as follows:"
5524
#: serverguide/C/vcs.xml:317(programlisting)
5531
#: serverguide/C/vcs.xml:466(programlisting)
5526
5533
msgid "username = password"
5529
#: serverguide/C/vcs.xml:318(para)
5536
#: serverguide/C/vcs.xml:467(para)
5530
5537
msgid "For more details, please refer to the file."
5533
#: serverguide/C/vcs.xml:322(para)
5540
#: serverguide/C/vcs.xml:471(para)
5535
5542
"Now, to access Subversion via the svn:// custom protocol, either from the "
5536
5543
"same machine or a different machine, you can run svnserver using svnserve "
5537
5544
"command. The syntax is as follows:"
5540
#: serverguide/C/vcs.xml:327(programlisting)
5547
#: serverguide/C/vcs.xml:476(programlisting)
5543
5550
"$ svnserve -d --foreground -r /path/to/repos\n"
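Review bot: The msgid at vcs.xml:460 keeps a stray space inside the tag, "<filename>passwd </filename>", which will be rendered and copied into every translation; remove the space. In the paragraph at vcs.xml:471, "you can run svnserver using svnserve command" should read "you can run the server using the svnserve command". Because the documented entry format is "username = password", the text next to it should also tell the reader to restrict read access to that file.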
5612
5619
"following command syntax:"
5615
#: serverguide/C/vcs.xml:515(command)
5622
#: serverguide/C/vcs.xml:529(command)
5616
5623
msgid "svn co svn+ssh://ssh_username@hostname/path/to/repos/project"
5619
#: serverguide/C/vcs.xml:384(para)
5626
#: serverguide/C/vcs.xml:533(para)
5621
5628
"You must use the full path (/path/to/repos/project) to access the Subversion "
5622
5629
"repository using this access method."
5625
#: serverguide/C/vcs.xml:387(para)
5632
#: serverguide/C/vcs.xml:536(para)
5627
5634
"Based on server configuration, it prompts for password. You must enter the "
5628
5635
"password you use to login via ssh. Once you are authenticated, it checks out "
5629
5636
"the code from the Subversion repository."
5632
#: serverguide/C/vcs.xml:539(ulink)
5639
#: serverguide/C/vcs.xml:551(ulink)
5633
5640
msgid "Bazaar Home Page"
5636
#: serverguide/C/vcs.xml:540(ulink)
5643
#: serverguide/C/vcs.xml:556(ulink)
5637
5644
msgid "Launchpad"
5640
#: serverguide/C/vcs.xml:547(ulink)
5647
#: serverguide/C/vcs.xml:561(ulink)
5641
5648
msgid "Git homepage"
5644
#: serverguide/C/vcs.xml:552(ulink)
5651
#: serverguide/C/vcs.xml:566(ulink)
5645
5652
msgid "Gitolite"
5648
#: serverguide/C/vcs.xml:541(ulink)
5655
#: serverguide/C/vcs.xml:571(ulink)
5649
5656
msgid "Subversion Home Page"
5652
#: serverguide/C/vcs.xml:542(ulink)
5659
#: serverguide/C/vcs.xml:576(ulink)
5653
5660
msgid "Subversion Book"
5656
#: serverguide/C/vcs.xml:545(ulink)
5663
#: serverguide/C/vcs.xml:581(ulink)
5657
5664
msgid "Easy Bazaar Ubuntu Wiki page"
5660
#: serverguide/C/vcs.xml:546(ulink)
5667
#: serverguide/C/vcs.xml:586(ulink)
5661
5668
msgid "Ubuntu Wiki Subversion page"
5818
5825
msgid "Configurations with root passwords are not supported."
5821
#: serverguide/C/security.xml:37(command)
5828
#: serverguide/C/security.xml:42(command)
5822
5829
msgid "sudo passwd"
5825
#: serverguide/C/security.xml:39(para)
5832
#: serverguide/C/security.xml:44(para)
5827
5834
"Sudo will prompt you for your password, and then ask you to supply a new "
5828
5835
"password for root as shown below:"
5831
#: serverguide/C/security.xml:42(computeroutput)
5838
#: serverguide/C/security.xml:47(computeroutput)
5833
5840
msgid "[sudo] password for username:"
5836
#: serverguide/C/security.xml:42(userinput)
5843
#: serverguide/C/security.xml:47(userinput)
5838
5845
msgid "(enter your own password)"
5841
#: serverguide/C/security.xml:43(computeroutput)
5848
#: serverguide/C/security.xml:48(computeroutput)
5843
5850
msgid "Enter new UNIX password:"
5846
#: serverguide/C/security.xml:43(userinput)
5853
#: serverguide/C/security.xml:48(userinput)
5848
5855
msgid "(enter a new password for root)"
5851
#: serverguide/C/security.xml:44(computeroutput)
5858
#: serverguide/C/security.xml:49(computeroutput)
5853
5860
msgid "Retype new UNIX password:"
5856
#: serverguide/C/security.xml:44(userinput)
5863
#: serverguide/C/security.xml:49(userinput)
5858
5865
msgid "(repeat new password for root)"
5861
#: serverguide/C/security.xml:45(computeroutput)
5868
#: serverguide/C/security.xml:50(computeroutput)
5863
5870
msgid "passwd: password updated successfully"
5901
5908
"<emphasis>sudo</emphasis> group."
5904
#: serverguide/C/security.xml:71(title)
5911
#: serverguide/C/security.xml:82(title)
5905
5912
msgid "Adding and Deleting Users"
5908
#: serverguide/C/security.xml:72(para)
5915
#: serverguide/C/security.xml:83(para)
5910
"The process for managing local users and groups is straight forward and "
5917
"The process for managing local users and groups is straightforward and "
5911
5918
"differs very little from most other GNU/Linux operating systems. Ubuntu and "
5912
"other Debian based distributions, encourage the use of the \"adduser\" "
5919
"other Debian based distributions encourage the use of the \"adduser\" "
5913
5920
"package for account management."
5916
#: serverguide/C/security.xml:77(para)
5923
#: serverguide/C/security.xml:88(para)
5918
5925
"To add a user account, use the following syntax, and follow the prompts to "
5919
"give the account a password and identifiable characteristics such as a full "
5926
"give the account a password and identifiable characteristics, such as a full "
5920
5927
"name, phone number, etc."
5923
#: serverguide/C/security.xml:81(command)
5930
#: serverguide/C/security.xml:92(command)
5924
5931
msgid "sudo adduser username"
5927
#: serverguide/C/security.xml:85(para)
5934
#: serverguide/C/security.xml:96(para)
5929
5936
"To delete a user account and its primary group, use the following syntax:"
5932
#: serverguide/C/security.xml:89(command)
5939
#: serverguide/C/security.xml:100(command)
5933
5940
msgid "sudo deluser username"
5936
#: serverguide/C/security.xml:91(para)
5943
#: serverguide/C/security.xml:102(para)
5938
5945
"Deleting an account does not remove their respective home folder. It is up "
5939
5946
"to you whether or not you wish to delete the folder manually or keep it "
5940
5947
"according to your desired retention policies."
5943
#: serverguide/C/security.xml:94(para)
5950
#: serverguide/C/security.xml:105(para)
5945
5952
"Remember, any user added later on with the same UID/GID as the previous "
5946
5953
"owner will now have access to this folder if you have not taken the "
5947
5954
"necessary precautions."
5950
#: serverguide/C/security.xml:97(para)
5957
#: serverguide/C/security.xml:108(para)
5952
5959
"You may want to change these UID/GID values to something more appropriate, "
5953
5960
"such as the root account, and perhaps even relocate the folder to avoid "
5954
5961
"future conflicts:"
5957
#: serverguide/C/security.xml:101(command)
5964
#: serverguide/C/security.xml:112(command)
5958
5965
msgid "sudo chown -R root:root /home/username/"
5961
#: serverguide/C/security.xml:102(command)
5968
#: serverguide/C/security.xml:113(command)
5962
5969
msgid "sudo mkdir /home/archived_users/"
5965
#: serverguide/C/security.xml:103(command)
5972
#: serverguide/C/security.xml:114(command)
5966
5973
msgid "sudo mv /home/username /home/archived_users/"
5969
#: serverguide/C/security.xml:107(para)
5976
#: serverguide/C/security.xml:118(para)
5971
5978
"To temporarily lock or unlock a user account, use the following syntax, "
5972
5979
"respectively:"
5975
#: serverguide/C/security.xml:111(command)
5982
#: serverguide/C/security.xml:122(command)
5976
5983
msgid "sudo passwd -l username"
5979
#: serverguide/C/security.xml:112(command)
5986
#: serverguide/C/security.xml:123(command)
5980
5987
msgid "sudo passwd -u username"
5983
#: serverguide/C/security.xml:116(para)
5990
#: serverguide/C/security.xml:127(para)
5985
5992
"To add or delete a personalized group, use the following syntax, "
5986
5993
"respectively:"
5989
#: serverguide/C/security.xml:120(command)
5996
#: serverguide/C/security.xml:131(command)
5990
5997
msgid "sudo addgroup groupname"
5993
#: serverguide/C/security.xml:121(command)
6000
#: serverguide/C/security.xml:132(command)
5994
6001
msgid "sudo delgroup groupname"
5997
#: serverguide/C/security.xml:125(para)
6004
#: serverguide/C/security.xml:136(para)
5998
6005
msgid "To add a user to a group, use the following syntax:"
6001
#: serverguide/C/security.xml:129(command)
6008
#: serverguide/C/security.xml:140(command)
6002
6009
msgid "sudo adduser username groupname"
6005
#: serverguide/C/security.xml:136(title)
6012
#: serverguide/C/security.xml:147(title)
6006
6013
msgid "User Profile Security"
6009
#: serverguide/C/security.xml:137(para)
6016
#: serverguide/C/security.xml:148(para)
6011
6018
"When a new user is created, the adduser utility creates a brand new home "
6012
"directory named <filename class=\"directory\">/home/username</filename>, "
6013
"respectively. The default profile is modeled after the contents found in the "
6014
"directory of <filename class=\"directory\">/etc/skel</filename>, which "
6015
"includes all profile basics."
6019
"directory named <filename class=\"directory\">/home/username</filename>. The "
6020
"default profile is modeled after the contents found in the directory of "
6021
"<filename class=\"directory\">/etc/skel</filename>, which includes all "
6018
#: serverguide/C/security.xml:140(para)
6025
#: serverguide/C/security.xml:151(para)
6020
6027
"If your server will be home to multiple users, you should pay close "
6021
6028
"attention to the user home directory permissions to ensure confidentiality. "
6025
6032
"your environment."
6028
#: serverguide/C/security.xml:145(para)
6035
#: serverguide/C/security.xml:156(para)
6030
"To verify your current users home directory permissions, use the following "
6037
"To verify your current user home directory permissions, use the following "
6034
#: serverguide/C/security.xml:149(command) serverguide/C/security.xml:181(command)
6041
#: serverguide/C/security.xml:160(command) serverguide/C/security.xml:192(command)
6035
6042
msgid "ls -ld /home/username"
6038
#: serverguide/C/security.xml:151(para)
6045
#: serverguide/C/security.xml:162(para)
6040
6047
"The following output shows that the directory <filename "
6041
"class=\"directory\">/home/username</filename> has world readable permissions:"
6048
"class=\"directory\">/home/username</filename> has world-readable permissions:"
6044
#: serverguide/C/security.xml:154(computeroutput)
6051
#: serverguide/C/security.xml:165(computeroutput)
6046
6053
msgid "drwxr-xr-x 2 username username 4096 2007-10-02 20:03 username"
6049
#: serverguide/C/security.xml:158(para)
6056
#: serverguide/C/security.xml:169(para)
6051
"You can remove the world readable permissions using the following syntax:"
6058
"You can remove the world readable-permissions using the following syntax:"
6054
#: serverguide/C/security.xml:162(command)
6061
#: serverguide/C/security.xml:173(command)
6055
6062
msgid "sudo chmod 0750 /home/username"
6058
#: serverguide/C/security.xml:165(para)
6065
#: serverguide/C/security.xml:176(para)
6060
6067
"Some people tend to use the recursive option (-R) indiscriminately which "
6061
6068
"modifies all child folders and files, but this is not necessary, and may "
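Review bot: The new string at security.xml:169 puts the hyphen on the wrong word: "You can remove the world readable-permissions" should be "world-readable permissions", matching the corrected string at security.xml:162 ("has world-readable permissions:"). As written, the change replaces one inconsistency with another, and translators will receive the malformed source string.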
6145
#: serverguide/C/security.xml:212(para)
6152
#: serverguide/C/security.xml:223(para)
6147
6154
"Basic password entropy checks and minimum length rules do not apply to the "
6148
6155
"administrator using sudo level commands to setup a new user."
6151
#: serverguide/C/security.xml:218(title)
6158
#: serverguide/C/security.xml:229(title)
6152
6159
msgid "Password Expiration"
6155
#: serverguide/C/security.xml:219(para)
6162
#: serverguide/C/security.xml:230(para)
6157
6164
"When creating user accounts, you should make it a policy to have a minimum "
6158
6165
"and maximum password age forcing users to change their passwords when they "
6162
#: serverguide/C/security.xml:224(para)
6169
#: serverguide/C/security.xml:235(para)
6164
6171
"To easily view the current status of a user account, use the following "
6168
#: serverguide/C/security.xml:228(command) serverguide/C/security.xml:261(command)
6175
#: serverguide/C/security.xml:239(command) serverguide/C/security.xml:272(command)
6169
6176
msgid "sudo chage -l username"
6172
#: serverguide/C/security.xml:230(para)
6179
#: serverguide/C/security.xml:241(para)
6174
6181
"The output below shows interesting facts about the user account, namely that "
6175
6182
"there are no policies applied:"
6178
#: serverguide/C/security.xml:233(computeroutput)
6185
#: serverguide/C/security.xml:244(computeroutput)
6181
"Last password change : Jan 20, 2008\n"
6188
"Last password change : Jan 20, 2015\n"
6182
6189
"Password expires : never\n"
6183
6190
"Password inactive : never\n"
6184
6191
"Account expires : never\n"
6187
6194
"Number of days of warning before password expires : 7"
6190
#: serverguide/C/security.xml:243(para)
6197
#: serverguide/C/security.xml:254(para)
6192
6199
"To set any of these values, simply use the following syntax, and follow the "
6193
6200
"interactive prompts:"
6196
#: serverguide/C/security.xml:247(command)
6203
#: serverguide/C/security.xml:258(command)
6197
6204
msgid "sudo chage username"
6200
#: serverguide/C/security.xml:249(para)
6207
#: serverguide/C/security.xml:260(para)
6202
6209
"The following is also an example of how you can manually change the explicit "
6203
"expiration date (-E) to 01/31/2008, minimum password age (-m) of 5 days, "
6210
"expiration date (-E) to 01/31/2015, minimum password age (-m) of 5 days, "
6204
6211
"maximum password age (-M) of 90 days, inactivity period (-I) of 5 days after "
6205
6212
"password expiration, and a warning time period (-W) of 14 days before "
6206
"password expiration."
6209
#: serverguide/C/security.xml:253(command)
6210
msgid "sudo chage -E 01/31/2011 -m 5 -M 90 -I 30 -W 14 username"
6213
#: serverguide/C/security.xml:257(para)
6213
"password expiration:"
6216
#: serverguide/C/security.xml:264(command)
6217
msgid "sudo chage -E 01/31/2015 -m 5 -M 90 -I 30 -W 14 username"
6220
#: serverguide/C/security.xml:268(para)
6214
6221
msgid "To verify changes, use the same syntax as mentioned previously:"
6217
#: serverguide/C/security.xml:263(para)
6224
#: serverguide/C/security.xml:274(para)
6219
6226
"The output below shows the new policies that have been established for the "
6223
#: serverguide/C/security.xml:266(computeroutput)
6230
#: serverguide/C/security.xml:277(computeroutput)
6226
"Last password change : Jan 20, 2008\n"
6227
"Password expires : Apr 19, 2008\n"
6228
"Password inactive : May 19, 2008\n"
6229
"Account expires : Jan 31, 2008\n"
6233
"Last password change : Jan 20, 2015\n"
6234
"Password expires : Apr 19, 2015\n"
6235
"Password inactive : May 19, 2015\n"
6236
"Account expires : Jan 31, 2015\n"
6230
6237
"Minimum number of days between password change : 5\n"
6231
6238
"Maximum number of days between password change : 90\n"
6232
6239
"Number of days of warning before password expires : 14"
6235
#: serverguide/C/security.xml:282(title)
6242
#: serverguide/C/security.xml:293(title)
6236
6243
msgid "Other Security Considerations"
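Review bot: in the chage sample output above this title, only the year was swapped from 2008 to 2015, and the dates no longer follow from the command. With -M 90, a password last changed on Jan 20, 2015 expires on Apr 20, 2015, not Apr 19; the old Apr 19 was correct only because 2008 was a leap year. With -I 30 the inactive date then becomes May 20, 2015. Regenerate the block from a real chage -l run rather than editing the year by hand.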
6239
#: serverguide/C/security.xml:283(para)
6246
#: serverguide/C/security.xml:294(para)
6241
6248
"Many applications use alternate authentication mechanisms that can be easily "
6242
6249
"overlooked by even experienced system administrators. Therefore, it is "
6244
6251
"to services and applications on your server."
6247
#: serverguide/C/security.xml:288(title)
6254
#: serverguide/C/security.xml:299(title)
6248
6255
msgid "SSH Access by Disabled Users"
6251
#: serverguide/C/security.xml:289(para)
6258
#: serverguide/C/security.xml:300(para)
6253
6260
"Simply disabling/locking a user account will not prevent a user from logging "
6254
6261
"into your server remotely if they have previously set up RSA public key "
6255
6262
"authentication. They will still be able to gain shell access to the server, "
6256
6263
"without the need for any password. Remember to check the users home "
6257
6264
"directory for files that will allow for this type of authenticated SSH "
6258
"access. e.g. <filename>/home/username/.ssh/authorized_keys</filename>."
6265
"access, e.g. <filename>/home/username/.ssh/authorized_keys</filename>."
6261
#: serverguide/C/security.xml:292(para)
6268
#: serverguide/C/security.xml:303(para)
6263
6270
"Remove or rename the directory <filename "
6264
6271
"class=\"directory\">.ssh/</filename> in the user's home folder to prevent "
6265
6272
"further SSH authentication capabilities."
6268
#: serverguide/C/security.xml:295(para)
6275
#: serverguide/C/security.xml:306(para)
6270
6277
"Be sure to check for any established SSH connections by the disabled user, "
6271
6278
"as it is possible they may have existing inbound or outbound connections. "
6296
6303
"the file <filename>/etc/ssh/sshd_config</filename>."
6299
#: serverguide/C/security.xml:301(programlisting)
6306
#: serverguide/C/security.xml:316(programlisting)
6303
6310
"AllowGroups sshlogin\n"
6306
#: serverguide/C/security.xml:304(para)
6313
#: serverguide/C/security.xml:319(para)
6308
6315
"Then add your permitted SSH users to the group \"sshlogin\", and restart the "
6312
#: serverguide/C/security.xml:308(command)
6319
#: serverguide/C/security.xml:323(command)
6313
6320
msgid "sudo adduser username sshlogin"
6316
#: serverguide/C/security.xml:309(command)
6323
#: serverguide/C/security.xml:324(command) serverguide/C/remote-administration.xml:144(command)
6317
6324
msgid "sudo service ssh restart"
6320
#: serverguide/C/security.xml:313(title)
6327
#: serverguide/C/security.xml:328(title)
6321
6328
msgid "External User Database Authentication"
6324
#: serverguide/C/security.xml:314(para)
6331
#: serverguide/C/security.xml:329(para)
6326
6333
"Most enterprise networks require centralized authentication and access "
6327
6334
"controls for all system resources. If you have configured your server to "
6328
6335
"authenticate users against external databases, be sure to disable the user "
6329
"accounts both externally and locally, this way you ensure that local "
6336
"accounts both externally and locally. This way you ensure that local "
6330
6337
"fallback authentication is not possible."
6333
#: serverguide/C/security.xml:323(title)
6340
#: serverguide/C/security.xml:338(title)
6334
6341
msgid "Console Security"
6337
#: serverguide/C/security.xml:324(para)
6344
#: serverguide/C/security.xml:339(para)
6339
6346
"As with any other security barrier you put in place to protect your server, "
6340
6347
"it is pretty tough to defend against untold damage caused by someone with "
6346
6353
"basic precautions with regard to console security."
6349
#: serverguide/C/security.xml:327(para)
6356
#: serverguide/C/security.xml:342(para)
6351
6358
"The following instructions will help defend your server against issues that "
6352
6359
"could otherwise yield very serious consequences."
6355
#: serverguide/C/security.xml:332(title)
6362
#: serverguide/C/security.xml:347(title)
6356
6363
msgid "Disable Ctrl+Alt+Delete"
6359
#: serverguide/C/security.xml:333(para)
6366
#: serverguide/C/security.xml:348(para)
6361
"First and foremost, anyone that has physical access to the keyboard can "
6368
"Anyone that has physical access to the keyboard can simply use the "
6363
6369
"<keycombo><keycap>Ctrl</keycap><keycap>Alt</keycap><keycap>Delete</keycap></k"
6364
6370
"eycombo> key combination to reboot the server without having to log on. "
6365
"Sure, someone could simply unplug the power source, but you should still "
6366
"prevent the use of this key combination on a production server. This forces "
6367
"an attacker to take more drastic measures to reboot the server, and will "
6371
"While someone could simply unplug the power source, you should still prevent "
6372
"the use of this key combination on a production server. This forces an "
6373
"attacker to take more drastic measures to reboot the server, and will "
6368
6374
"prevent accidental reboots at the same time."
6371
#: serverguide/C/security.xml:338(para)
6377
#: serverguide/C/security.xml:353(para)
6373
6379
"To disable the reboot action taken by pressing the "
6374
6380
"<keycombo><keycap>Ctrl</keycap><keycap>Alt</keycap><keycap>Delete</keycap></k"
6375
6381
"eycombo> key combination, comment out the following line in the file "
6376
"<filename>/etc/init/control-alt-delete.conf</filename>."
6382
"<filename>/etc/init/control-alt-delete.conf</filename>:"
6379
#: serverguide/C/security.xml:341(programlisting)
6385
#: serverguide/C/security.xml:356(programlisting)
6383
6389
"#exec shutdown -r now \"Control-Alt-Delete pressed\"\n"
6386
#: serverguide/C/security.xml:350(title)
6392
#: serverguide/C/security.xml:365(title)
6387
6393
msgid "Firewall"
6390
#: serverguide/C/security.xml:353(para)
6396
#: serverguide/C/security.xml:368(para)
6392
6398
"The Linux kernel includes the <emphasis>Netfilter</emphasis> subsystem, "
6393
6399
"which is used to manipulate or decide the fate of network traffic headed "
6395
6401
"system for packet filtering."
6398
#: serverguide/C/security.xml:358(para)
6404
#: serverguide/C/security.xml:373(para)
6400
6406
"The kernel's packet filtering system would be of little use to "
6401
6407
"administrators without a userspace interface to manage it. This is the "
6402
"purpose of iptables. When a packet reaches your server, it will be handed "
6408
"purpose of iptables: When a packet reaches your server, it will be handed "
6403
6409
"off to the Netfilter subsystem for acceptance, manipulation, or rejection "
6404
6410
"based on the rules supplied to it from userspace via iptables. Thus, "
6405
"iptables is all you need to manage your firewall if you're familiar with it, "
6406
"but many frontends are available to simplify the task."
6411
"iptables is all you need to manage your firewall, if you're familiar with "
6412
"it, but many frontends are available to simplify the task."
6409
#: serverguide/C/security.xml:368(title)
6415
#: serverguide/C/security.xml:383(title)
6410
6416
msgid "ufw - Uncomplicated Firewall"
6413
#: serverguide/C/security.xml:369(para)
6419
#: serverguide/C/security.xml:384(para)
6415
6421
"The default firewall configuration tool for Ubuntu is "
6416
6422
"<application>ufw</application>. Developed to ease iptables firewall "
6417
"configuration, <application>ufw</application> provides a user friendly way "
6423
"configuration, <application>ufw</application> provides a user-friendly way "
6418
6424
"to create an IPv4 or IPv6 host-based firewall."
6421
#: serverguide/C/security.xml:373(para)
6427
#: serverguide/C/security.xml:388(para)
6423
6429
"<application>ufw</application> by default is initially disabled. From the "
6424
6430
"<application>ufw</application> man page:"
6427
#: serverguide/C/security.xml:377(quote)
6433
#: serverguide/C/security.xml:392(quote)
6429
6435
"ufw is not intended to provide complete firewall functionality via its "
6430
6436
"command interface, but instead provides an easy way to add or remove simple "
6431
6437
"rules. It is currently mainly used for host-based firewalls."
6434
#: serverguide/C/security.xml:381(para)
6440
#: serverguide/C/security.xml:396(para)
6436
6442
"The following are some examples of how to use <application>ufw</application>:"
6439
#: serverguide/C/security.xml:386(para)
6445
#: serverguide/C/security.xml:401(para)
6441
6447
"First, <application>ufw</application> needs to be enabled. From a terminal "
6442
6448
"prompt enter:"
6445
#: serverguide/C/security.xml:390(command)
6451
#: serverguide/C/security.xml:405(command)
6446
6452
msgid "sudo ufw enable"
6449
#: serverguide/C/security.xml:394(para)
6450
msgid "To open a port (ssh in this example):"
6455
#: serverguide/C/security.xml:409(para)
6456
msgid "To open a port (SSH in this example):"
6453
#: serverguide/C/security.xml:398(command)
6459
#: serverguide/C/security.xml:413(command)
6454
6460
msgid "sudo ufw allow 22"
6457
#: serverguide/C/security.xml:402(para)
6463
#: serverguide/C/security.xml:417(para)
6458
6464
msgid "Rules can also be added using a <emphasis>numbered</emphasis> format:"
6461
#: serverguide/C/security.xml:406(command)
6467
#: serverguide/C/security.xml:421(command)
6462
6468
msgid "sudo ufw insert 1 allow 80"
6465
#: serverguide/C/security.xml:410(para)
6471
#: serverguide/C/security.xml:425(para)
6466
6472
msgid "Similarly, to close an opened port:"
6469
#: serverguide/C/security.xml:414(command)
6475
#: serverguide/C/security.xml:429(command)
6470
6476
msgid "sudo ufw deny 22"
6473
#: serverguide/C/security.xml:418(para)
6479
#: serverguide/C/security.xml:433(para)
6474
6480
msgid "To remove a rule, use delete followed by the rule:"
6477
#: serverguide/C/security.xml:422(command)
6483
#: serverguide/C/security.xml:437(command)
6478
6484
msgid "sudo ufw delete deny 22"
6481
#: serverguide/C/security.xml:426(para)
6487
#: serverguide/C/security.xml:441(para)
6483
6489
"It is also possible to allow access from specific hosts or networks to a "
6484
"port. The following example allows ssh access from host 192.168.0.2 to any "
6485
"ip address on this host:"
6490
"port. The following example allows SSH access from host 192.168.0.2 to any "
6491
"IP address on this host:"
6488
#: serverguide/C/security.xml:431(command)
6494
#: serverguide/C/security.xml:446(command)
6489
6495
msgid "sudo ufw allow proto tcp from 192.168.0.2 to any port 22"
6492
#: serverguide/C/security.xml:433(para)
6498
#: serverguide/C/security.xml:448(para)
6494
"Replace 192.168.0.2 with 192.168.0.0/24 to allow ssh access from the entire "
6500
"Replace 192.168.0.2 with 192.168.0.0/24 to allow SSH access from the entire "
6498
#: serverguide/C/security.xml:439(para)
6504
#: serverguide/C/security.xml:454(para)
6500
6506
"Adding the <emphasis>--dry-run</emphasis> option to a "
6501
6507
"<emphasis>ufw</emphasis> command will output the resulting rules, but not "
6533
6539
"Rules updated"
6536
#: serverguide/C/security.xml:473(para)
6542
#: serverguide/C/security.xml:488(para)
6537
6543
msgid "<application>ufw</application> can be disabled by:"
6540
#: serverguide/C/security.xml:477(command)
6546
#: serverguide/C/security.xml:492(command)
6541
6547
msgid "sudo ufw disable"
6544
#: serverguide/C/security.xml:481(para)
6550
#: serverguide/C/security.xml:496(para)
6545
6551
msgid "To see the firewall status, enter:"
6548
#: serverguide/C/security.xml:485(command)
6554
#: serverguide/C/security.xml:500(command)
6549
6555
msgid "sudo ufw status"
6552
#: serverguide/C/security.xml:489(para)
6558
#: serverguide/C/security.xml:504(para)
6553
6559
msgid "And for more verbose status information use:"
6556
#: serverguide/C/security.xml:493(command)
6562
#: serverguide/C/security.xml:508(command)
6557
6563
msgid "sudo ufw status verbose"
6560
#: serverguide/C/security.xml:497(para)
6566
#: serverguide/C/security.xml:512(para)
6561
6567
msgid "To view the <emphasis>numbered</emphasis> format:"
6564
#: serverguide/C/security.xml:501(command)
6570
#: serverguide/C/security.xml:516(command)
6565
6571
msgid "sudo ufw status numbered"
6568
#: serverguide/C/security.xml:506(para)
6574
#: serverguide/C/security.xml:521(para)
6570
6576
"If the port you want to open or close is defined in "
6571
6577
"<filename>/etc/services</filename>, you can use the port name instead of the "
6592
6598
"the default ports have been changed."
6595
#: serverguide/C/security.xml:529(para)
6601
#: serverguide/C/security.xml:544(para)
6597
6603
"To view which applications have installed a profile, enter the following in "
6601
#: serverguide/C/security.xml:534(command)
6607
#: serverguide/C/security.xml:549(command)
6602
6608
msgid "sudo ufw app list"
6605
#: serverguide/C/security.xml:540(para)
6611
#: serverguide/C/security.xml:555(para)
6607
6613
"Similar to allowing traffic to a port, using an application profile is "
6608
6614
"accomplished by entering:"
6611
#: serverguide/C/security.xml:545(command)
6617
#: serverguide/C/security.xml:560(command)
6612
6618
msgid "sudo ufw allow Samba"
6615
#: serverguide/C/security.xml:551(para)
6621
#: serverguide/C/security.xml:566(para)
6616
6622
msgid "An extended syntax is available as well:"
6619
#: serverguide/C/security.xml:556(command)
6625
#: serverguide/C/security.xml:571(command)
6620
6626
msgid "ufw allow from 192.168.0.0/24 to any app Samba"
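Review bot: the extended-syntax example "ufw allow from 192.168.0.0/24 to any app Samba" is the only ufw command in this section without sudo; the neighbouring entries ("sudo ufw app list", "sudo ufw allow Samba") all have it. Only the source reference moved for this string, but since it is being re-extracted anyway, add sudo in security.xml so the command works when copied by an unprivileged user.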
6623
#: serverguide/C/security.xml:559(para)
6629
#: serverguide/C/security.xml:574(para)
6625
6631
"Replace <emphasis>Samba</emphasis> and <emphasis>192.168.0.0/24</emphasis> "
6626
6632
"with the application profile you are using and the IP range for your network."
6629
#: serverguide/C/security.xml:565(para)
6635
#: serverguide/C/security.xml:580(para)
6631
6637
"There is no need to specify the <emphasis>protocol</emphasis> for the "
6632
6638
"application, because that information is detailed in the profile. Also, note "
6707
6713
"<emphasis>DEFAULT_FORWARD_POLICY</emphasis> to <quote>ACCEPT</quote>:"
6710
#: serverguide/C/security.xml:631(programlisting)
6716
#: serverguide/C/security.xml:646(programlisting)
6714
6720
"DEFAULT_FORWARD_POLICY=\"ACCEPT\"\n"
6717
#: serverguide/C/security.xml:634(para)
6723
#: serverguide/C/security.xml:649(para)
6718
6724
msgid "Then edit <filename>/etc/ufw/sysctl.conf</filename> and uncomment:"
6721
#: serverguide/C/security.xml:637(programlisting)
6727
#: serverguide/C/security.xml:652(programlisting)
6725
6731
"net/ipv4/ip_forward=1\n"
6728
#: serverguide/C/security.xml:640(para)
6734
#: serverguide/C/security.xml:655(para)
6729
6735
msgid "Similarly, for IPv6 forwarding uncomment:"
6732
#: serverguide/C/security.xml:643(programlisting)
6738
#: serverguide/C/security.xml:658(programlisting)
6736
6742
"net/ipv6/conf/default/forwarding=1\n"
6739
#: serverguide/C/security.xml:648(para)
6745
#: serverguide/C/security.xml:663(para)
6741
"Now we will add rules to the <filename>/etc/ufw/before.rules</filename> "
6742
"file. The default rules only configure the <emphasis>filter</emphasis> "
6743
"table, and to enable masquerading the <emphasis>nat</emphasis> table will "
6744
"need to be configured. Add the following to the top of the file just after "
6745
"the header comments:"
6747
"Now add rules to the <filename>/etc/ufw/before.rules</filename> file. The "
6748
"default rules only configure the <emphasis>filter</emphasis> table, and to "
6749
"enable masquerading the <emphasis>nat</emphasis> table will need to be "
6750
"configured. Add the following to the top of the file just after the header "
6748
#: serverguide/C/security.xml:653(programlisting)
6754
#: serverguide/C/security.xml:668(programlisting)
6812
6818
"forward</emphasis> chain."
6815
#: serverguide/C/security.xml:705(title)
6821
#: serverguide/C/security.xml:720(title)
6816
6822
msgid "iptables Masquerading"
6819
#: serverguide/C/security.xml:706(para)
6825
#: serverguide/C/security.xml:721(para)
6821
6827
"<application>iptables</application> can also be used to enable Masquerading."
6824
#: serverguide/C/security.xml:711(para)
6830
#: serverguide/C/security.xml:726(para)
6826
6832
"Similar to <application>ufw</application>, the first step is to enable IPv4 "
6827
6833
"packet forwarding by editing <filename>/etc/sysctl.conf</filename> and "
6828
"uncomment the following line"
6834
"uncomment the following line:"
6831
#: serverguide/C/security.xml:715(programlisting)
6837
#: serverguide/C/security.xml:730(programlisting)
6835
6841
"net.ipv4.ip_forward=1\n"
6838
#: serverguide/C/security.xml:718(para)
6844
#: serverguide/C/security.xml:733(para)
6839
6845
msgid "If you wish to enable IPv6 forwarding also uncomment:"
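Review bot: in the IPv4 forwarding step just above, adding the colon is right, but the sentence it closes still reads "by editing /etc/sysctl.conf and uncomment the following line:", which mixes verb forms. Make it "and uncommenting the following line:" while the string is being changed anyway.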
6842
#: serverguide/C/security.xml:721(programlisting)
6848
#: serverguide/C/security.xml:736(programlisting)
6846
6852
"net.ipv6.conf.default.forwarding=1\n"
6849
#: serverguide/C/security.xml:726(para)
6855
#: serverguide/C/security.xml:741(para)
6851
6857
"Next, execute the <application>sysctl</application> command to enable the "
6852
6858
"new settings in the configuration file:"
6855
#: serverguide/C/security.xml:730(command)
6861
#: serverguide/C/security.xml:745(command)
6856
6862
msgid "sudo sysctl -p"
6859
#: serverguide/C/security.xml:734(para)
6865
#: serverguide/C/security.xml:749(para)
6861
6867
"IP Masquerading can now be accomplished with a single iptables rule, which "
6862
6868
"may differ slightly based on your network configuration:"
6865
#: serverguide/C/security.xml:737(screen)
6871
#: serverguide/C/security.xml:752(screen)
6869
6875
"sudo iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -o ppp0 -j MASQUERADE\n"
6872
#: serverguide/C/security.xml:740(para)
6878
#: serverguide/C/security.xml:755(para)
6874
6880
"The above command assumes that your private address space is 192.168.0.0/16 "
6875
6881
"and that your Internet-facing device is ppp0. The syntax is broken down as "
6879
#: serverguide/C/security.xml:745(para)
6885
#: serverguide/C/security.xml:760(para)
6880
6886
msgid "-t nat -- the rule is to go into the nat table"
6883
#: serverguide/C/security.xml:746(para)
6889
#: serverguide/C/security.xml:761(para)
6885
6891
"-A POSTROUTING -- the rule is to be appended (-A) to the POSTROUTING chain"
6888
#: serverguide/C/security.xml:747(para)
6894
#: serverguide/C/security.xml:762(para)
6890
6896
"-s 192.168.0.0/16 -- the rule applies to traffic originating from the "
6891
6897
"specified address space"
6894
#: serverguide/C/security.xml:748(para)
6900
#: serverguide/C/security.xml:763(para)
6896
6902
"-o ppp0 -- the rule applies to traffic scheduled to be routed through the "
6897
6903
"specified network device"
6900
#: serverguide/C/security.xml:750(para)
6906
#: serverguide/C/security.xml:765(para)
6902
6908
"-j MASQUERADE -- traffic matching this rule is to \"jump\" (-j) to the "
6903
6909
"MASQUERADE target to be manipulated as described above"
6906
#: serverguide/C/security.xml:758(para)
6912
#: serverguide/C/security.xml:773(para)
6908
6914
"Also, each chain in the filter table (the default table, and where most or "
6909
6915
"all packet filtering occurs) has a default <emphasis>policy</emphasis> of "
6922
6928
"--state ESTABLISHED,RELATED -i ppp0 -j ACCEPT\n"
6925
#: serverguide/C/security.xml:770(para)
6931
#: serverguide/C/security.xml:785(para)
6927
6933
"The above commands will allow all connections from your local network to the "
6928
6934
"Internet and all traffic related to those connections to return to the "
6929
6935
"machine that initiated them."
6932
#: serverguide/C/security.xml:777(para)
6938
#: serverguide/C/security.xml:792(para)
6934
6940
"If you want masquerading to be enabled on reboot, which you probably do, "
6935
6941
"edit <filename>/etc/rc.local</filename> and add any commands used above. For "
6936
6942
"example add the first command with no filtering:"
6939
#: serverguide/C/security.xml:781(screen)
6945
#: serverguide/C/security.xml:796(screen)
6943
6949
"iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -o ppp0 -j MASQUERADE\n"
6946
#: serverguide/C/security.xml:789(title)
6952
#: serverguide/C/security.xml:804(title)
6950
#: serverguide/C/security.xml:790(para)
6956
#: serverguide/C/security.xml:805(para)
6952
6958
"Firewall logs are essential for recognizing attacks, troubleshooting your "
6953
6959
"firewall rules, and noticing unusual activity on your network. You must "
7021
7027
"or <application>lire</application>."
7024
#: serverguide/C/security.xml:837(title)
7030
#: serverguide/C/security.xml:851(title)
7025
7031
msgid "Other Tools"
7028
#: serverguide/C/security.xml:838(para)
7034
#: serverguide/C/security.xml:852(para)
7030
7036
"There are many tools available to help you construct a complete firewall "
7031
7037
"without intimate knowledge of iptables. For the GUI-inclined:"
7034
#: serverguide/C/security.xml:844(para)
7040
#: serverguide/C/security.xml:858(para)
7036
7042
"<ulink url=\"http://www.fwbuilder.org/\">fwbuilder</ulink> is very powerful "
7037
7043
"and will look familiar to an administrator who has used a commercial "
7038
7044
"firewall utility such as <application>Checkpoint FireWall-1</application>."
7041
#: serverguide/C/security.xml:850(para)
7047
#: serverguide/C/security.xml:864(para)
7043
7049
"If you prefer a command-line tool with plain-text configuration files:"
7046
#: serverguide/C/security.xml:855(para)
7052
#: serverguide/C/security.xml:869(para)
7048
7054
"<ulink url=\"http://www.shorewall.net/\">Shorewall</ulink> is a very "
7049
7055
"powerful solution to help you configure an advanced firewall for any network."
7052
#: serverguide/C/security.xml:866(para)
7058
#: serverguide/C/security.xml:880(para)
7054
7060
"The <ulink url=\"https://wiki.ubuntu.com/UncomplicatedFirewall\">Ubuntu "
7055
7061
"Firewall</ulink> wiki page contains information on the development of "
7056
7062
"<application>ufw</application>."
7059
#: serverguide/C/security.xml:872(para)
7065
#: serverguide/C/security.xml:886(para)
7061
7067
"Also, the <application>ufw</application> manual page contains some very "
7062
7068
"useful information: <command>man ufw</command>."
7065
#: serverguide/C/security.xml:877(para)
7071
#: serverguide/C/security.xml:891(para)
7067
7073
"See the <ulink url=\"http://www.netfilter.org/documentation/HOWTO/packet-"
7068
7074
"filtering-HOWTO.html\">packet-filtering-HOWTO</ulink> for more information "
7069
7075
"on using <application>iptables</application>."
7072
#: serverguide/C/security.xml:883(para)
7078
#: serverguide/C/security.xml:897(para)
7074
7080
"The <ulink url=\"http://www.netfilter.org/documentation/HOWTO/NAT-"
7075
7081
"HOWTO.html\">nat-HOWTO</ulink> contains further details on masquerading."
7078
#: serverguide/C/security.xml:889(para)
7084
#: serverguide/C/security.xml:903(para)
7080
7086
"The <ulink url=\"https://help.ubuntu.com/community/IptablesHowTo\">IPTables "
7081
7087
"HowTo</ulink> in the Ubuntu wiki is a great resource."
7084
#: serverguide/C/security.xml:897(title)
7090
#: serverguide/C/security.xml:911(title)
7085
7091
msgid "AppArmor"
7088
#: serverguide/C/security.xml:898(para)
7094
#: serverguide/C/security.xml:912(para)
7090
7096
"<application>AppArmor</application> is a Linux Security Module "
7091
7097
"implementation of name-based mandatory access controls. AppArmor confines "
7138
7144
"#1304134</ulink>) and instructions will not work as advertised."
7141
#: serverguide/C/security.xml:930(para)
7147
#: serverguide/C/security.xml:950(para)
7143
7149
"The <application>apparmor-utils</application> package contains command line "
7144
7150
"utilities that you can use to change the <application>AppArmor</application> "
7145
7151
"execution mode, find the status of a profile, create new profiles, etc."
7148
#: serverguide/C/security.xml:936(para)
7154
#: serverguide/C/security.xml:956(para)
7150
7156
"<application>apparmor_status</application> is used to view the current "
7151
7157
"status of AppArmor profiles."
7154
#: serverguide/C/security.xml:940(command)
7160
#: serverguide/C/security.xml:960(command)
7155
7161
msgid "sudo apparmor_status"
7158
#: serverguide/C/security.xml:944(para)
7164
#: serverguide/C/security.xml:964(para)
7160
7166
"<application>aa-complain</application> places a profile into "
7161
7167
"<emphasis>complain</emphasis> mode."
7164
#: serverguide/C/security.xml:948(command)
7170
#: serverguide/C/security.xml:968(command)
7165
7171
msgid "sudo aa-complain /path/to/bin"
7168
#: serverguide/C/security.xml:952(para)
7174
#: serverguide/C/security.xml:972(para)
7170
7176
"<application>aa-enforce</application> places a profile into "
7171
7177
"<emphasis>enforce</emphasis> mode."
7174
#: serverguide/C/security.xml:956(command)
7180
#: serverguide/C/security.xml:976(command)
7175
7181
msgid "sudo aa-enforce /path/to/bin"
7178
#: serverguide/C/security.xml:960(para)
7184
#: serverguide/C/security.xml:980(para)
7180
7186
"The <filename>/etc/apparmor.d</filename> directory is where the AppArmor "
7181
7187
"profiles are located. It can be used to manipulate the "
7182
7188
"<emphasis>mode</emphasis> of all profiles."
7185
#: serverguide/C/security.xml:964(para)
7191
#: serverguide/C/security.xml:984(para)
7186
7192
msgid "Enter the following to place all profiles into complain mode:"
7189
#: serverguide/C/security.xml:968(command)
7195
#: serverguide/C/security.xml:988(command)
7190
7196
msgid "sudo aa-complain /etc/apparmor.d/*"
7193
#: serverguide/C/security.xml:970(para)
7199
#: serverguide/C/security.xml:990(para)
7194
7200
msgid "To place all profiles in enforce mode:"
7197
#: serverguide/C/security.xml:974(command)
7203
#: serverguide/C/security.xml:994(command)
7198
7204
msgid "sudo aa-enforce /etc/apparmor.d/*"
7201
#: serverguide/C/security.xml:978(para)
7207
#: serverguide/C/security.xml:998(para)
7203
7209
"<application>apparmor_parser</application> is used to load a profile into "
7204
7210
"the kernel. It can also be used to reload a currently loaded profile using "
7205
7211
"the <emphasis>-r</emphasis> option. To load a profile:"
7208
#: serverguide/C/security.xml:983(command) serverguide/C/security.xml:1015(command)
7214
#: serverguide/C/security.xml:1003(command) serverguide/C/security.xml:1035(command)
7209
7215
msgid "cat /etc/apparmor.d/profile.name | sudo apparmor_parser -a"
7212
#: serverguide/C/security.xml:985(para)
7218
#: serverguide/C/security.xml:1005(para)
7213
7219
msgid "To reload a profile:"
7216
#: serverguide/C/security.xml:989(command)
7222
#: serverguide/C/security.xml:1009(command)
7217
7223
msgid "cat /etc/apparmor.d/profile.name | sudo apparmor_parser -r"
7223
7229
"<emphasis>reload</emphasis> all profiles:"
7226
#: serverguide/C/network-auth.xml:964(command)
7232
#: serverguide/C/security.xml:1017(command) serverguide/C/network-auth.xml:971(command)
7227
7233
msgid "sudo service apparmor reload"
7230
#: serverguide/C/security.xml:1001(para)
7236
#: serverguide/C/security.xml:1021(para)
7232
7238
"The <filename>/etc/apparmor.d/disable</filename> directory can be used along "
7233
7239
"with the <application>apparmor_parser -R</application> option to "
7234
7240
"<emphasis>disable</emphasis> a profile."
7237
#: serverguide/C/security.xml:1006(command)
7243
#: serverguide/C/security.xml:1026(command)
7238
7244
msgid "sudo ln -s /etc/apparmor.d/profile.name /etc/apparmor.d/disable/"
7241
#: serverguide/C/security.xml:1007(command)
7247
#: serverguide/C/security.xml:1027(command)
7242
7248
msgid "sudo apparmor_parser -R /etc/apparmor.d/profile.name"
7245
#: serverguide/C/security.xml:1009(para)
7251
#: serverguide/C/security.xml:1029(para)
7247
7253
"To <emphasis>re-enable</emphasis> a disabled profile remove the symbolic "
7248
7254
"link to the profile in <filename>/etc/apparmor.d/disable/</filename>. Then "
7249
7255
"load the profile using the <emphasis>-a</emphasis> option."
7252
#: serverguide/C/security.xml:1014(command)
7258
#: serverguide/C/security.xml:1034(command)
7253
7259
msgid "sudo rm /etc/apparmor.d/disable/profile.name"
7256
#: serverguide/C/security.xml:1019(para)
7262
#: serverguide/C/security.xml:1039(para)
7258
7264
"<application>AppArmor</application> can be disabled, and the kernel module "
7259
7265
"unloaded by entering the following:"
7343
#: serverguide/C/security.xml:1088(para)
7349
#: serverguide/C/security.xml:1108(para)
7345
7351
"<emphasis>#include <tunables/global>:</emphasis> include statements "
7346
7352
"from other files. This allows statements pertaining to multiple applications "
7347
7353
"to be placed in a common file."
7350
#: serverguide/C/security.xml:1094(para)
7356
#: serverguide/C/security.xml:1114(para)
7352
7358
"<emphasis>/bin/ping flags=(complain):</emphasis> path to the profiled "
7353
7359
"program, also setting the mode to <emphasis>complain</emphasis>."
7356
#: serverguide/C/security.xml:1100(para)
7362
#: serverguide/C/security.xml:1120(para)
7358
7364
"<emphasis>capability net_raw,:</emphasis> allows the application access to "
7359
7365
"the CAP_NET_RAW Posix.1e capability."
7362
#: serverguide/C/security.xml:1105(para)
7368
#: serverguide/C/security.xml:1125(para)
7364
7370
"<emphasis>/bin/ping mixr,:</emphasis> allows the application read and "
7365
7371
"execute access to the file."
7368
#: serverguide/C/security.xml:1111(para)
7374
#: serverguide/C/security.xml:1131(para)
7370
7376
"After editing a profile file the profile must be reloaded. See <xref "
7371
7377
"linkend=\"apparmor-usage\"/> for details."
7374
#: serverguide/C/security.xml:1116(title)
7380
#: serverguide/C/security.xml:1136(title)
7375
7381
msgid "Creating a Profile"
7378
#: serverguide/C/security.xml:1119(para)
7384
#: serverguide/C/security.xml:1139(para)
7380
7386
"<emphasis>Design a test plan:</emphasis> Try to think about how the "
7381
7387
"application should be exercised. The test plan should be divided into small "
7383
7389
"steps to follow."
7386
#: serverguide/C/security.xml:1123(para)
7392
#: serverguide/C/security.xml:1143(para)
7387
7393
msgid "Some standard test cases are:"
7390
#: serverguide/C/security.xml:1128(para)
7396
#: serverguide/C/security.xml:1148(para)
7391
7397
msgid "Starting the program."
7394
#: serverguide/C/security.xml:1133(para)
7400
#: serverguide/C/security.xml:1153(para)
7395
7401
msgid "Stopping the program."
7398
#: serverguide/C/security.xml:1138(para)
7404
#: serverguide/C/security.xml:1158(para)
7399
7405
msgid "Reloading the program."
7402
#: serverguide/C/security.xml:1143(para)
7408
#: serverguide/C/security.xml:1163(para)
7403
7409
msgid "Testing all the commands supported by the init script."
7406
#: serverguide/C/security.xml:1150(para)
7412
#: serverguide/C/security.xml:1170(para)
7408
7414
"<emphasis>Generate the new profile:</emphasis> Use <application>aa-"
7409
7415
"genprof</application> to generate a new profile. From a terminal:"
7412
#: serverguide/C/security.xml:1155(command)
7418
#: serverguide/C/security.xml:1175(command)
7413
7419
msgid "sudo aa-genprof executable"
7416
#: serverguide/C/security.xml:1157(para)
7422
#: serverguide/C/security.xml:1177(para)
7417
7423
msgid "For example:"
7420
#: serverguide/C/security.xml:1161(command)
7426
#: serverguide/C/security.xml:1181(command)
7421
7427
msgid "sudo aa-genprof slapd"
7424
#: serverguide/C/security.xml:1165(para)
7430
#: serverguide/C/security.xml:1185(para)
7426
7432
"To get your new profile included in the <application>apparmor-"
7427
7433
"profiles</application> package, file a bug in <emphasis>Launchpad</emphasis> "
7498
7504
"the private key."
7501
#: serverguide/C/security.xml:1239(para)
7507
#: serverguide/C/security.xml:1259(para)
7503
7509
"A common use for public-key cryptography is encrypting application traffic "
7504
7510
"using a Secure Socket Layer (SSL) or Transport Layer Security (TLS) "
7505
"connection. For example, configuring Apache to provide "
7511
"connection. One example: configuring Apache to provide "
7506
7512
"<emphasis>HTTPS</emphasis>, the HTTP protocol over SSL. This allows a way to "
7507
7513
"encrypt traffic using a protocol that does not itself provide encryption."
7510
#: serverguide/C/security.xml:1244(para)
7516
#: serverguide/C/security.xml:1264(para)
7512
7518
"A <emphasis>Certificate</emphasis> is a method used to distribute a "
7513
7519
"<emphasis>public key</emphasis> and other information about a server and the "
7514
7520
"organization who is responsible for it. Certificates can be digitally signed "
7515
"by a <emphasis>Certification Authority</emphasis> or CA. A CA is a trusted "
7521
"by a <emphasis>Certification Authority</emphasis>, or CA. A CA is a trusted "
7516
7522
"third party that has confirmed that the information contained in the "
7517
7523
"certificate is accurate."
7520
#: serverguide/C/security.xml:1251(title)
7526
#: serverguide/C/security.xml:1271(title)
7521
7527
msgid "Types of Certificates"
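Review bot: The reworded string at new line 7511 is still a sentence fragment: "One example: configuring Apache to provide HTTPS, the HTTP protocol over SSL." has no main verb, so the edit changes the msgid, and with it the match to any existing translation, without fixing the grammar. Suggest "One example is configuring Apache to provide HTTPS, the HTTP protocol over SSL or TLS", which also agrees with the preceding sentence, where both SSL and TLS are named. The comma added before "or CA" at new line 7521 is fine; in the same paragraph, "the organization who is responsible for it" could become "that is responsible" while the string is being touched.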
7524
#: serverguide/C/security.xml:1252(para)
7530
#: serverguide/C/security.xml:1272(para)
7526
7532
"To set up a secure server using public-key cryptography, in most cases, you "
7527
7533
"send your certificate request (including your public key), proof of your "
7588
7594
"your friends or colleagues, or purely on monetary factors."
7591
#: serverguide/C/security.xml:1317(para)
7597
#: serverguide/C/security.xml:1337(para)
7593
7599
"Once you have decided upon a CA, you need to follow the instructions they "
7594
7600
"provide on how to obtain a certificate from them."
7597
#: serverguide/C/security.xml:1322(para)
7603
#: serverguide/C/security.xml:1342(para)
7599
7605
"When the CA is satisfied that you are indeed who you claim to be, they send "
7600
7606
"you a digital certificate."
7603
#: serverguide/C/security.xml:1326(para)
7609
#: serverguide/C/security.xml:1346(para)
7605
7611
"Install this certificate on your secure server, and configure the "
7606
7612
"appropriate applications to use the certificate."
7609
#: serverguide/C/security.xml:1335(title)
7615
#: serverguide/C/security.xml:1355(title)
7610
7616
msgid "Generating a Certificate Signing Request (CSR)"
7613
#: serverguide/C/security.xml:1337(para)
7619
#: serverguide/C/security.xml:1357(para)
7615
7621
"Whether you are getting a certificate from a CA or generating your own self-"
7616
7622
"signed certificate, the first step is to generate a key."
7619
#: serverguide/C/security.xml:1342(para)
7625
#: serverguide/C/security.xml:1362(para)
7621
7627
"If the certificate will be used by service daemons, such as Apache, Postfix, "
7622
"Dovecot, etc, a key without a passphrase is often appropriate. Not having a "
7628
"Dovecot, etc., a key without a passphrase is often appropriate. Not having a "
7623
7629
"passphrase allows the services to start without manual intervention, usually "
7624
7630
"the preferred way to start a daemon."
7627
#: serverguide/C/security.xml:1348(para)
7633
#: serverguide/C/security.xml:1368(para)
7629
7635
"This section will cover generating a key with a passphrase, and one without. "
7630
7636
"The non-passphrase key will then be used to generate a certificate that can "
7631
7637
"be used with various service daemons."
7634
#: serverguide/C/security.xml:1354(para)
7640
#: serverguide/C/security.xml:1374(para)
7636
7642
"Running your secure service without a passphrase is convenient because you "
7637
7643
"will not need to enter the passphrase every time you start your secure "
7668
7674
"in a dictionary. Also remember that your passphrase is case-sensitive."
7671
#: serverguide/C/security.xml:1386(para)
7677
#: serverguide/C/security.xml:1406(para)
7673
7679
"Re-type the passphrase to verify. Once you have re-typed it correctly, the "
7674
7680
"server key is generated and stored in the <filename>server.key</filename> "
7678
#: serverguide/C/security.xml:1392(para)
7684
#: serverguide/C/security.xml:1412(para)
7680
7686
"Now create the insecure key, the one without a passphrase, and shuffle the "
7684
#: serverguide/C/security.xml:1398(command)
7690
#: serverguide/C/security.xml:1418(command)
7685
7691
msgid "openssl rsa -in server.key -out server.key.insecure"
7688
#: serverguide/C/security.xml:1399(command)
7694
#: serverguide/C/security.xml:1419(command)
7689
7695
msgid "mv server.key server.key.secure"
7692
#: serverguide/C/security.xml:1400(command)
7698
#: serverguide/C/security.xml:1420(command)
7693
7699
msgid "mv server.key.insecure server.key"
7696
#: serverguide/C/security.xml:1403(para)
7702
#: serverguide/C/security.xml:1423(para)
7698
7704
"The insecure key is now named <filename>server.key</filename>, and you can "
7699
7705
"use this file to generate the CSR without passphrase."
7702
#: serverguide/C/security.xml:1408(para)
7708
#: serverguide/C/security.xml:1428(para)
7703
7709
msgid "To create the CSR, run the following command at a terminal prompt:"
7706
#: serverguide/C/security.xml:1413(command)
7712
#: serverguide/C/security.xml:1433(command)
7707
7713
msgid "openssl req -new -key server.key -out server.csr"
7710
#: serverguide/C/security.xml:1416(para)
7716
#: serverguide/C/security.xml:1436(para)
7712
7718
"It will prompt you enter the passphrase. If you enter the correct "
7713
7719
"passphrase, it will prompt you to enter Company Name, Site Name, Email Id, "
7715
7721
"be stored in the <filename>server.csr</filename> file."
7718
#: serverguide/C/security.xml:1424(para)
7724
#: serverguide/C/security.xml:1444(para)
7720
7726
"You can now submit this CSR file to a CA for processing. The CA will use "
7721
7727
"this CSR file and issue the certificate. On the other hand, you can create "
7722
7728
"self-signed certificate using this CSR."
7725
#: serverguide/C/security.xml:1432(title)
7731
#: serverguide/C/security.xml:1452(title)
7726
7732
msgid "Creating a Self-Signed Certificate"
7729
#: serverguide/C/security.xml:1433(para)
7735
#: serverguide/C/security.xml:1453(para)
7731
7737
"To create the self-signed certificate, run the following command at a "
7732
7738
"terminal prompt:"
7735
#: serverguide/C/security.xml:1438(command)
7741
#: serverguide/C/security.xml:1458(command)
7737
7743
"openssl x509 -req -days 365 -in server.csr -signkey server.key -out "
7741
#: serverguide/C/security.xml:1441(para)
7747
#: serverguide/C/security.xml:1461(para)
7743
7749
"The above command will prompt you to enter the passphrase. Once you enter "
7744
7750
"the correct passphrase, your certificate will be created and it will be "
7745
7751
"stored in the <filename>server.crt</filename> file."
7748
#: serverguide/C/security.xml:1446(para)
7754
#: serverguide/C/security.xml:1466(para)
7750
7756
"If your secure server is to be used in a production environment, you "
7751
7757
"probably need a CA-signed certificate. It is not recommended to use self-"
7752
7758
"signed certificate."
7755
#: serverguide/C/security.xml:1454(title)
7761
#: serverguide/C/security.xml:1474(title)
7756
7762
msgid "Installing the Certificate"
7759
#: serverguide/C/security.xml:1456(para)
7765
#: serverguide/C/security.xml:1476(para)
7761
7767
"You can install the key file <filename>server.key</filename> and certificate "
7762
7768
"file <filename>server.crt</filename>, or the certificate file issued by your "
7763
7769
"CA, by running following commands at a terminal prompt:"
7766
#: serverguide/C/security.xml:1462(command)
7772
#: serverguide/C/security.xml:1482(command)
7767
7773
msgid "sudo cp server.crt /etc/ssl/certs"
7770
#: serverguide/C/security.xml:1463(command)
7776
#: serverguide/C/security.xml:1483(command)
7771
7777
msgid "sudo cp server.key /etc/ssl/private"
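Review bot: The paragraphs that follow `openssl req -new -key server.key -out server.csr` and `openssl x509 -req -days 365 -in server.csr -signkey server.key` both say the command will prompt for the passphrase, but by that point `mv server.key.insecure server.key` has made server.key the key without a passphrase, and the preceding paragraph itself says the CSR is generated "without passphrase". Only the source references of these entries move here, so the contradiction carries over unchanged. Suggest correcting both paragraphs in security.xml so they state that no passphrase prompt appears when the passphrase-less key is used, and fixing "It will prompt you enter" to "It will prompt you to enter" in the same pass.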
7774
#: serverguide/C/security.xml:1465(para)
7780
#: serverguide/C/security.xml:1485(para)
7776
7782
"Now simply configure any applications, with the ability to use public-key "
7777
7783
"cryptography, to use the <emphasis>certificate</emphasis> and "
7930
#: serverguide/C/security.xml:1614(para)
7936
#: serverguide/C/security.xml:1634(para)
7932
7938
"For more detailed instructions on using cryptography see the <ulink "
7933
7939
"url=\"http://tldp.org/HOWTO/SSL-Certificates-HOWTO/index.html\">SSL "
7934
"Certificates HOWTO</ulink> by tldp.org"
7940
"Certificates HOWTO</ulink> by tldp.org:"
7937
#: serverguide/C/security.xml:1620(para)
7943
#: serverguide/C/security.xml:1640(para)
7939
7945
"The Wikipedia <ulink "
7940
"url=\"http://en.wikipedia.org/wiki/Https\">HTTPS</ulink> page has more "
7946
"url=\"http://en.wikipedia.org/wiki/HTTPS\">HTTPS</ulink> page has more "
7941
7947
"information regarding HTTPS."
7944
#: serverguide/C/security.xml:1625(para)
7950
#: serverguide/C/security.xml:1645(para)
7946
7952
"For more information on <emphasis>OpenSSL</emphasis> see the <ulink "
7947
7953
"url=\"http://www.openssl.org/\">OpenSSL Home Page</ulink>."
7950
#: serverguide/C/security.xml:1630(para)
7956
#: serverguide/C/security.xml:1650(para)
7952
7958
"Also, O'Reilly's <ulink "
7953
7959
"url=\"http://oreilly.com/catalog/9780596002701/\">Network Security with "
7954
"OpenSSL</ulink> is a good in depth reference."
7960
"OpenSSL</ulink> is a good in-depth reference."
7957
#: serverguide/C/security.xml:1639(title)
7963
#: serverguide/C/security.xml:1659(title)
7958
7964
msgid "eCryptfs"
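Review bot: The colon added after "tldp.org" at new line 7940 ends the entry with punctuation that introduces nothing, while the other entries in this resources list end with a full stop ("information regarding HTTPS.", "OpenSSL Home Page</ulink>.", "is a good in-depth reference."). Suggest "by tldp.org." instead. The HTTPS capitalisation in the Wikipedia URL and the "in-depth" hyphen look right.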
7966
7972
"filesystem, partition type, etc."
7969
#: serverguide/C/security.xml:1647(para)
7975
#: serverguide/C/security.xml:1667(para)
7971
7977
"During installation there is an option to encrypt the <filename "
7972
7978
"role=\"directory\">/home</filename> partition. This will automatically "
7973
7979
"configure everything needed to encrypt and mount the partition."
7976
#: serverguide/C/security.xml:1652(para)
7982
#: serverguide/C/security.xml:1672(para)
7978
7984
"As an example, this section will cover configuring <filename "
7979
7985
"role=\"directory\">/srv</filename> to be encrypted using "
7980
7986
"<emphasis>eCryptfs</emphasis>."
7983
#: serverguide/C/security.xml:1657(title)
7989
#: serverguide/C/security.xml:1677(title)
7984
7990
msgid "Using eCryptfs"
7987
#: serverguide/C/security.xml:1659(para)
7993
#: serverguide/C/security.xml:1679(para)
7988
7994
msgid "First, install the necessary packages. From a terminal prompt enter:"
7991
#: serverguide/C/security.xml:1664(command)
7997
#: serverguide/C/security.xml:1684(command)
7992
7998
msgid "sudo apt-get install ecryptfs-utils"
7995
#: serverguide/C/security.xml:1667(para)
8001
#: serverguide/C/security.xml:1687(para)
7996
8002
msgid "Now mount the partition to be encrypted:"
7999
#: serverguide/C/security.xml:1672(command)
8005
#: serverguide/C/security.xml:1692(command)
8000
8006
msgid "sudo mount -t ecryptfs /srv /srv"
8003
#: serverguide/C/security.xml:1675(para)
8009
#: serverguide/C/security.xml:1695(para)
8005
8011
"You will then be prompted for some details on how "
8006
8012
"<application>ecryptfs</application> should encrypt the data."
8009
#: serverguide/C/security.xml:1679(para)
8015
#: serverguide/C/security.xml:1699(para)
8011
8017
"To test that files placed in <filename>/srv</filename> are indeed encrypted "
8012
8018
"copy the <filename>/etc/default</filename> folder to "
8013
8019
"<filename>/srv</filename>:"
8016
#: serverguide/C/security.xml:1685(command) serverguide/C/clustering.xml:190(command)
8022
#: serverguide/C/security.xml:1705(command) serverguide/C/clustering.xml:190(command)
8017
8023
msgid "sudo cp -r /etc/default /srv"
8020
#: serverguide/C/security.xml:1688(para)
8026
#: serverguide/C/security.xml:1708(para)
8021
8027
msgid "Now unmount <filename>/srv</filename>, and try to view a file:"
8024
#: serverguide/C/security.xml:1693(command) serverguide/C/installation.xml:1118(command) serverguide/C/clustering.xml:198(command)
8030
#: serverguide/C/security.xml:1713(command) serverguide/C/clustering.xml:198(command)
8025
8031
msgid "sudo umount /srv"
8028
#: serverguide/C/security.xml:1694(command)
8034
#: serverguide/C/security.xml:1714(command)
8029
8035
msgid "cat /srv/default/cron"
8032
#: serverguide/C/security.xml:1697(para)
8038
#: serverguide/C/security.xml:1717(para)
8034
8040
"Remounting <filename>/srv</filename> using "
8035
8041
"<application>ecryptfs</application> will make the data viewable once again."
8038
#: serverguide/C/security.xml:1703(title)
8044
#: serverguide/C/security.xml:1723(title)
8039
8045
msgid "Automatically Mounting Encrypted Partitions"
8042
#: serverguide/C/security.xml:1705(para)
8048
#: serverguide/C/security.xml:1725(para)
8044
8050
"There are a couple of ways to automatically mount an "
8045
8051
"<application>ecryptfs</application> encrypted filesystem at boot. This "
8122
8128
"other users on the system."
8125
#: serverguide/C/security.xml:1772(para)
8131
#: serverguide/C/security.xml:1792(para)
8127
"<emphasis>ecryptfs-mount-private and ecryptfs-umount-private:</emphasis> "
8128
"will mount and unmount respectively, a users <filename>~/Private</filename> "
8133
"<emphasis>ecryptfs-mount-private</emphasis> and <emphasis> ecryptfs-umount-"
8134
"private</emphasis> will mount and unmount a user's "
8135
"<filename>~/Private</filename> directory."
8132
#: serverguide/C/security.xml:1778(para)
8138
#: serverguide/C/security.xml:1798(para)
8134
8140
"<emphasis>ecryptfs-add-passphrase:</emphasis> adds a new passphrase to the "
8135
8141
"kernel keyring."
8138
#: serverguide/C/security.xml:1783(para)
8144
#: serverguide/C/security.xml:1803(para)
8140
8146
"<emphasis>ecryptfs-manager:</emphasis> manages "
8141
8147
"<application>eCryptfs</application> objects such as keys."
8144
#: serverguide/C/security.xml:1788(para)
8150
#: serverguide/C/security.xml:1808(para)
8146
8152
"<emphasis>ecryptfs-stat:</emphasis> allows you to view the "
8147
8153
"<application>ecryptfs</application> meta information for a file."
8150
#: serverguide/C/security.xml:1801(para)
8156
#: serverguide/C/security.xml:1821(para)
8152
8158
"For more information on <emphasis>eCryptfs</emphasis> see the <ulink "
8153
8159
"url=\"https://launchpad.net/ecryptfs\">Launchpad project page</ulink>."
8156
#: serverguide/C/security.xml:1806(para)
8162
#: serverguide/C/security.xml:1826(para)
8158
8164
"There is also a <ulink "
8159
8165
"url=\"http://www.linuxjournal.com/article/9400\">Linux Journal</ulink> "
8380
8386
"is <emphasis>yes</emphasis>, then access to the share is read only."
8383
#: serverguide/C/windows-networking.xml:181(para)
8389
#: serverguide/C/samba.xml:181(para)
8385
8391
"<emphasis>create mask:</emphasis> determines the permissions new files will "
8386
8392
"have when created."
8389
#: serverguide/C/windows-networking.xml:190(para)
8395
#: serverguide/C/samba.xml:190(para)
8391
8397
"Now that <application>Samba</application> is configured, the directory needs "
8392
8398
"to be created and the permissions changed. From a terminal enter:"
8395
#: serverguide/C/windows-networking.xml:196(command)
8401
#: serverguide/C/samba.xml:196(command)
8396
8402
msgid "sudo mkdir -p /srv/samba/share"
8399
#: serverguide/C/windows-networking.xml:197(command)
8405
#: serverguide/C/samba.xml:197(command)
8400
8406
msgid "sudo chown nobody:nogroup /srv/samba/share/"
8403
#: serverguide/C/windows-networking.xml:201(para)
8409
#: serverguide/C/samba.xml:201(para)
8405
8411
"The <emphasis>-p</emphasis> switch tells mkdir to create the entire "
8406
8412
"directory tree if it doesn't exist."
8409
#: serverguide/C/windows-networking.xml:209(para)
8415
#: serverguide/C/samba.xml:209(para)
8411
8417
"Finally, restart the <application>samba</application> services to enable the "
8412
8418
"new configuration:"
8415
#: serverguide/C/windows-networking.xml:214(command) serverguide/C/windows-networking.xml:336(command) serverguide/C/windows-networking.xml:474(command) serverguide/C/windows-networking.xml:574(command) serverguide/C/windows-networking.xml:925(command) serverguide/C/windows-networking.xml:1080(command) serverguide/C/windows-networking.xml:1187(command) serverguide/C/network-auth.xml:2533(command)
8421
#: serverguide/C/samba.xml:214(command) serverguide/C/samba.xml:336(command) serverguide/C/samba.xml:474(command) serverguide/C/samba.xml:574(command) serverguide/C/samba.xml:925(command) serverguide/C/samba.xml:1080(command) serverguide/C/samba.xml:1187(command) serverguide/C/network-auth.xml:2532(command) serverguide/C/network-auth.xml:4114(command)
8416
8422
msgid "sudo restart smbd"
8419
#: serverguide/C/windows-networking.xml:215(command) serverguide/C/windows-networking.xml:337(command) serverguide/C/windows-networking.xml:475(command) serverguide/C/windows-networking.xml:575(command) serverguide/C/windows-networking.xml:926(command) serverguide/C/windows-networking.xml:1081(command) serverguide/C/windows-networking.xml:1188(command) serverguide/C/network-auth.xml:2534(command)
8425
#: serverguide/C/samba.xml:215(command) serverguide/C/samba.xml:337(command) serverguide/C/samba.xml:475(command) serverguide/C/samba.xml:575(command) serverguide/C/samba.xml:926(command) serverguide/C/samba.xml:1081(command) serverguide/C/samba.xml:1188(command) serverguide/C/network-auth.xml:2533(command) serverguide/C/network-auth.xml:4115(command)
8420
8426
msgid "sudo restart nmbd"
8423
#: serverguide/C/windows-networking.xml:222(para)
8429
#: serverguide/C/samba.xml:222(para)
8425
8431
"Once again, the above configuration gives all access to any client on the "
8426
8432
"local network. For a more secure configuration see <xref linkend=\"samba-"
8427
8433
"fileprint-security\"/>."
8430
#: serverguide/C/windows-networking.xml:228(para)
8436
#: serverguide/C/samba.xml:228(para)
8432
8438
"From a Windows client you should now be able to browse to the Ubuntu file "
8433
8439
"server and see the shared directory. If your client doesn't show your share "
8454
8460
"<filename>/srv/samba/qa</filename>."
8457
#: serverguide/C/windows-networking.xml:252(para) serverguide/C/windows-networking.xml:351(para) serverguide/C/windows-networking.xml:708(para) serverguide/C/windows-networking.xml:1104(para)
8463
#: serverguide/C/samba.xml:252(para) serverguide/C/samba.xml:351(para) serverguide/C/samba.xml:708(para) serverguide/C/samba.xml:1104(para)
8459
8465
"For in depth Samba configurations see the <ulink "
8460
8466
"url=\"http://samba.org/samba/docs/man/Samba-HOWTO-Collection/\">Samba HOWTO "
8461
8467
"Collection</ulink>"
8464
#: serverguide/C/windows-networking.xml:258(para) serverguide/C/windows-networking.xml:357(para) serverguide/C/windows-networking.xml:714(para) serverguide/C/windows-networking.xml:1110(para)
8470
#: serverguide/C/samba.xml:258(para) serverguide/C/samba.xml:357(para) serverguide/C/samba.xml:714(para) serverguide/C/samba.xml:1110(para)
8466
8472
"The guide is also available in <ulink "
8467
8473
"url=\"http://www.amazon.com/exec/obidos/tg/detail/-/0131882228\">printed "
8468
8474
"format</ulink>."
8471
#: serverguide/C/windows-networking.xml:264(para) serverguide/C/windows-networking.xml:363(para)
8477
#: serverguide/C/samba.xml:264(para) serverguide/C/samba.xml:363(para)
8473
8479
"O'Reilly's <ulink "
8474
8480
"url=\"http://www.oreilly.com/catalog/9780596007690/\">Using Samba</ulink> is "
8475
8481
"another good reference."
8478
#: serverguide/C/windows-networking.xml:270(para) serverguide/C/windows-networking.xml:374(para) serverguide/C/windows-networking.xml:739(para) serverguide/C/windows-networking.xml:1134(para) serverguide/C/windows-networking.xml:1312(para)
8484
#: serverguide/C/samba.xml:270(para) serverguide/C/samba.xml:374(para) serverguide/C/samba.xml:739(para) serverguide/C/samba.xml:1134(para) serverguide/C/samba.xml:1312(para)
8480
8486
"The <ulink url=\"https://help.ubuntu.com/community/Samba\">Ubuntu Wiki Samba "
8481
8487
"</ulink> page."
8484
#: serverguide/C/network-config.xml:908(para)
8490
#: serverguide/C/samba.xml:279(title) serverguide/C/network-config.xml:904(para)
8485
8491
msgid "Print Server"
8488
#: serverguide/C/windows-networking.xml:281(para)
8494
#: serverguide/C/samba.xml:281(para)
8490
8496
"Another common use of Samba is to configure it to share printers installed, "
8491
8497
"either locally or over the network, on an Ubuntu server. Similar to <xref "
8600
8606
"of the Samba guide for more details."
8603
#: serverguide/C/windows-networking.xml:425(para)
8609
#: serverguide/C/samba.xml:425(para)
8605
8611
"<emphasis>security = share:</emphasis> allows clients to connect to shares "
8606
8612
"without supplying a username and password."
8609
#: serverguide/C/windows-networking.xml:432(para)
8615
#: serverguide/C/samba.xml:432(para)
8611
8617
"The security mode you choose will depend on your environment and what you "
8612
8618
"need the Samba server to accomplish."
8615
#: serverguide/C/windows-networking.xml:438(title)
8621
#: serverguide/C/samba.xml:438(title)
8616
8622
msgid "Security = User"
8619
#: serverguide/C/windows-networking.xml:440(para)
8625
#: serverguide/C/samba.xml:440(para)
8621
8627
"This section will reconfigure the Samba file and print server, from <xref "
8622
8628
"linkend=\"samba-fileserver\"/> and <xref linkend=\"samba-printserver\"/>, to "
8623
8629
"require authentication."
8626
#: serverguide/C/windows-networking.xml:445(para)
8632
#: serverguide/C/samba.xml:445(para)
8628
8634
"First, install the <application>libpam-smbpass</application> package which "
8629
8635
"will sync the system users to the Samba user database:"
8632
#: serverguide/C/windows-networking.xml:451(command)
8638
#: serverguide/C/samba.xml:451(command)
8633
8639
msgid "sudo apt-get install libpam-smbpass"
8636
#: serverguide/C/windows-networking.xml:455(para)
8642
#: serverguide/C/samba.xml:455(para)
8638
8644
"If you chose the <emphasis>Samba Server</emphasis> task during installation "
8639
8645
"<application>libpam-smbpass</application> is already installed."
8642
#: serverguide/C/windows-networking.xml:461(para)
8648
#: serverguide/C/samba.xml:461(para)
8644
8650
"Edit <filename>/etc/samba/smb.conf</filename>, and in the "
8645
8651
"<emphasis>[share]</emphasis> section change:"
8648
#: serverguide/C/windows-networking.xml:465(programlisting)
8654
#: serverguide/C/samba.xml:465(programlisting)
8652
8658
" guest ok = no\n"
8655
#: serverguide/C/windows-networking.xml:469(para)
8661
#: serverguide/C/samba.xml:469(para)
8656
8662
msgid "Finally, restart Samba for the new settings to take effect:"
8659
#: serverguide/C/windows-networking.xml:478(para)
8665
#: serverguide/C/samba.xml:478(para)
8661
8667
"Now when connecting to the shared directories or printers you should be "
8662
8668
"prompted for a username and password."
8665
#: serverguide/C/windows-networking.xml:483(para)
8671
#: serverguide/C/samba.xml:483(para)
8667
8673
"If you choose to map a network drive to the share you can check the "
8668
8674
"<quote>Reconnect at Logon</quote> check box, which will require you to only "
8669
8675
"enter the username and password once, at least until the password changes."
8672
#: serverguide/C/windows-networking.xml:491(title)
8678
#: serverguide/C/samba.xml:491(title)
8673
8679
msgid "Share Security"
8676
#: serverguide/C/windows-networking.xml:493(para)
8682
#: serverguide/C/samba.xml:493(para)
8678
8684
"There are several options available to increase the security for each "
8679
8685
"individual shared directory. Using the <emphasis>[share]</emphasis> example, "
8680
8686
"this section will cover some common options."
8683
#: serverguide/C/windows-networking.xml:499(title)
8689
#: serverguide/C/samba.xml:499(title)
8687
#: serverguide/C/windows-networking.xml:501(para)
8693
#: serverguide/C/samba.xml:501(para)
8689
8695
"Groups define a collection of computers or users which have a common level "
8690
8696
"of access to particular network resources and offer a level of granularity "
8775
8781
"under the <emphasis>[share]</emphasis> entry:"
8778
#: serverguide/C/windows-networking.xml:565(programlisting)
8784
#: serverguide/C/samba.xml:565(programlisting)
8782
8788
" admin users = melissa\n"
8785
#: serverguide/C/windows-networking.xml:569(para)
8791
#: serverguide/C/samba.xml:569(para)
8787
8793
"After editing <filename>/etc/samba/smb.conf</filename>, restart Samba for "
8788
8794
"the changes to take effect:"
8791
#: serverguide/C/windows-networking.xml:579(para)
8797
#: serverguide/C/samba.xml:579(para)
8793
8799
"For the <emphasis>read list</emphasis> and <emphasis>write list</emphasis> "
8794
8800
"to work the Samba security mode must <emphasis>not</emphasis> be set to "
8795
8801
"<emphasis role=\"italic\">security = share</emphasis>"
8798
#: serverguide/C/windows-networking.xml:585(para)
8804
#: serverguide/C/samba.xml:585(para)
8800
8806
"Now that Samba has been configured to limit which groups have access to the "
8801
8807
"shared directory, the filesystem permissions need to be updated."
8804
#: serverguide/C/windows-networking.xml:590(para)
8810
#: serverguide/C/samba.xml:590(para)
8806
8812
"Traditional Linux file permissions do not map well to Windows NT Access "
8807
8813
"Control Lists (ACLs). Fortunately POSIX ACLs are available on Ubuntu servers "
8979
8985
"backends to store the user information."
8982
#: serverguide/C/windows-networking.xml:757(title)
8988
#: serverguide/C/samba.xml:757(title)
8983
8989
msgid "Primary Domain Controller"
8986
#: serverguide/C/windows-networking.xml:759(para)
8992
#: serverguide/C/samba.xml:759(para)
8988
8994
"This section covers configuring Samba as a Primary Domain Controller (PDC) "
8989
8995
"using the default smbpasswd backend."
8992
#: serverguide/C/windows-networking.xml:766(para)
8998
#: serverguide/C/samba.xml:766(para)
8994
9000
"First, install Samba, and <application>libpam-smbpass</application> to sync "
8995
9001
"the user accounts, by entering the following in a terminal prompt:"
8998
#: serverguide/C/windows-networking.xml:772(command) serverguide/C/windows-networking.xml:1013(command)
9004
#: serverguide/C/samba.xml:772(command) serverguide/C/samba.xml:1013(command)
8999
9005
msgid "sudo apt-get install samba libpam-smbpass"
9002
#: serverguide/C/windows-networking.xml:778(para)
9008
#: serverguide/C/samba.xml:778(para)
9004
9010
"Next, configure Samba by editing <filename>/etc/samba/smb.conf</filename>. "
9005
9011
"The <emphasis>security</emphasis> mode should be set to <emphasis "
9050
#: serverguide/C/windows-networking.xml:827(para)
9056
#: serverguide/C/samba.xml:827(para)
9052
9058
"<emphasis>logon drive:</emphasis> specifies the home directory local path."
9055
#: serverguide/C/windows-networking.xml:832(para)
9061
#: serverguide/C/samba.xml:832(para)
9057
9063
"<emphasis>logon home:</emphasis> specifies the home directory location."
9060
#: serverguide/C/windows-networking.xml:837(para)
9066
#: serverguide/C/samba.xml:837(para)
9062
9068
"<emphasis>logon script:</emphasis> determines the script to be run locally "
9063
9069
"once a user has logged in. The script needs to be placed in the "
9064
9070
"<emphasis>[netlogon]</emphasis> share."
9067
#: serverguide/C/windows-networking.xml:843(para)
9073
#: serverguide/C/samba.xml:843(para)
9069
9075
"<emphasis>add machine script:</emphasis> a script that will automatically "
9070
9076
"create the <emphasis>Machine Trust Account</emphasis> needed for a "
9071
9077
"workstation to join the domain."
9074
#: serverguide/C/windows-networking.xml:847(para)
9080
#: serverguide/C/samba.xml:847(para)
9076
9082
"In this example the <emphasis>machines</emphasis> group will need to be "
9077
9083
"created using the <application>addgroup</application> utility see <xref "
9078
9084
"linkend=\"adding-deleting-users\"/> for details."
9081
#: serverguide/C/windows-networking.xml:858(para)
9087
#: serverguide/C/samba.xml:858(para)
9083
9089
"Uncomment the <emphasis>[homes]</emphasis> share to allow the <emphasis "
9084
9090
"role=\"italic\">logon home</emphasis> to be mapped:"
9087
#: serverguide/C/windows-networking.xml:863(programlisting)
9093
#: serverguide/C/samba.xml:863(programlisting)
9124
9130
"location for site-specific data provided by the system."
9127
#: serverguide/C/windows-networking.xml:902(para)
9133
#: serverguide/C/samba.xml:902(para)
9129
9135
"Now create the <filename role=\"directory\">netlogon</filename> directory, "
9130
9136
"and an empty (for now) <filename>logon.cmd</filename> script file:"
9133
#: serverguide/C/windows-networking.xml:908(command)
9139
#: serverguide/C/samba.xml:908(command)
9134
9140
msgid "sudo mkdir -p /srv/samba/netlogon"
9137
#: serverguide/C/windows-networking.xml:909(command)
9143
#: serverguide/C/samba.xml:909(command)
9138
9144
msgid "sudo touch /srv/samba/netlogon/logon.cmd"
9141
#: serverguide/C/windows-networking.xml:912(para)
9147
#: serverguide/C/samba.xml:912(para)
9143
9149
"You can enter any normal Windows logon script commands in "
9144
9150
"<filename>logon.cmd</filename> to customize the client's environment."
9147
#: serverguide/C/windows-networking.xml:920(para)
9153
#: serverguide/C/samba.xml:920(para)
9148
9154
msgid "Restart Samba to enable the new domain controller:"
9151
#: serverguide/C/windows-networking.xml:932(para)
9157
#: serverguide/C/samba.xml:932(para)
9153
9159
"Lastly, there are a few additional commands needed to setup the appropriate "
9157
#: serverguide/C/windows-networking.xml:936(para)
9163
#: serverguide/C/samba.xml:936(para)
9159
9165
"With <emphasis>root</emphasis> being disabled by default, in order to join a "
9160
9166
"workstation to the domain, a system group needs to be mapped to the Windows "
9189
#: serverguide/C/windows-networking.xml:963(para)
9195
#: serverguide/C/samba.xml:963(para)
9191
9197
"Also, rights need to be explicitly provided to the <emphasis>Domain "
9192
9198
"Admins</emphasis> group to allow the <emphasis>add machine script</emphasis> "
9193
9199
"(and other admin functions) to work. This is achieved by executing:"
9196
#: serverguide/C/windows-networking.xml:968(command)
9202
#: serverguide/C/samba.xml:968(command)
9198
9204
"net rpc rights grant -U sysadmin \"EXAMPLE\\Domain Admins\" "
9199
9205
"SeMachineAccountPrivilege \\ SePrintOperatorPrivilege SeAddUsersPrivilege "
9200
9206
"SeDiskOperatorPrivilege \\ SeRemoteShutdownPrivilege"
9203
#: serverguide/C/windows-networking.xml:976(para)
9209
#: serverguide/C/samba.xml:976(para)
9205
9211
"You should now be able to join Windows clients to the Domain in the same "
9206
9212
"manner as joining them to an NT4 domain running on a Windows server."
9209
#: serverguide/C/windows-networking.xml:986(title)
9215
#: serverguide/C/samba.xml:986(title)
9210
9216
msgid "Backup Domain Controller"
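Review bot: In the `net rpc rights grant` msgid (lines 9204-9206) the two backslashes are followed by a space rather than a line break, so in the flowed string they no longer act as line continuations: pasted into a shell, `\ SePrintOperatorPrivilege` escapes the space and passes a privilege name with a leading space. Since this entry is already being regenerated for the samba.xml rename, suggest fixing the source so the command is either written on one line without the backslashes or kept in an element that preserves its line breaks.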
9213
#: serverguide/C/windows-networking.xml:988(para)
9219
#: serverguide/C/samba.xml:988(para)
9215
9221
"With a Primary Domain Controller (PDC) on the network it is best to have a "
9216
9222
"Backup Domain Controller (BDC) as well. This will allow clients to "
9217
9223
"authenticate in case the PDC becomes unavailable."
9220
#: serverguide/C/windows-networking.xml:993(para)
9226
#: serverguide/C/samba.xml:993(para)
9222
9228
"When configuring Samba as a BDC you need a way to sync account information "
9223
9229
"with the PDC. There are multiple ways of accomplishing this "
9266
9272
"files, enter:"
9269
#: serverguide/C/windows-networking.xml:1050(command)
9275
#: serverguide/C/samba.xml:1050(command)
9270
9276
msgid "sudo chgrp -R admin /var/lib/samba"
9273
#: serverguide/C/windows-networking.xml:1056(para)
9279
#: serverguide/C/samba.xml:1056(para)
9275
9281
"Next, sync the user accounts, using <application>scp</application> to copy "
9276
9282
"the <filename>/var/lib/samba</filename> directory from the PDC:"
9279
#: serverguide/C/windows-networking.xml:1062(command)
9285
#: serverguide/C/samba.xml:1062(command)
9280
9286
msgid "sudo scp -r username@pdc:/var/lib/samba /var/lib"
9283
#: serverguide/C/windows-networking.xml:1066(para)
9289
#: serverguide/C/samba.xml:1066(para)
9285
9291
"Replace <emphasis>username</emphasis> with a valid username and "
9286
9292
"<emphasis>pdc</emphasis> with the hostname or IP Address of your actual PDC."
9289
#: serverguide/C/windows-networking.xml:1075(para)
9295
#: serverguide/C/samba.xml:1075(para)
9290
9296
msgid "Finally, restart <application>samba</application>:"
9293
#: serverguide/C/windows-networking.xml:1087(para)
9299
#: serverguide/C/samba.xml:1087(para)
9295
9301
"You can test that your Backup Domain controller is working by stopping the "
9296
9302
"Samba daemon on the PDC, then trying to login to a Windows client joined to "
9300
#: serverguide/C/windows-networking.xml:1092(para)
9306
#: serverguide/C/samba.xml:1092(para)
9302
9308
"Another thing to keep in mind is if you have configured the <emphasis>logon "
9303
9309
"home</emphasis> option as a directory on the PDC, and the PDC becomes "
9385
9391
"security\"/> for more details."
9388
#: serverguide/C/windows-networking.xml:1199(title)
9394
#: serverguide/C/samba.xml:1199(title)
9389
9395
msgid "Accessing a Windows Share"
9392
#: serverguide/C/windows-networking.xml:1201(para)
9398
#: serverguide/C/samba.xml:1201(para)
9394
9400
"Now that the Samba server is part of the Active Directory domain you can "
9395
9401
"access any Windows server shares:"
9398
#: serverguide/C/windows-networking.xml:1208(para)
9404
#: serverguide/C/samba.xml:1208(para)
9400
9406
"To mount a Windows file share enter the following in a terminal prompt:"
9403
#: serverguide/C/windows-networking.xml:1212(command)
9409
#: serverguide/C/samba.xml:1212(command)
9404
9410
msgid "mount.cifs //fs01.example.com/share mount_point"
9407
#: serverguide/C/windows-networking.xml:1215(para)
9413
#: serverguide/C/samba.xml:1215(para)
9409
9415
"It is also possible to access shares on computers not part of an AD domain, "
9410
9416
"but a username and password will need to be provided."
9413
#: serverguide/C/windows-networking.xml:1223(para)
9419
#: serverguide/C/samba.xml:1223(para)
9415
9421
"To mount the share during boot place an entry in "
9416
9422
"<filename>/etc/fstab</filename>, for example:"
9419
#: serverguide/C/windows-networking.xml:1227(programlisting)
9425
#: serverguide/C/samba.xml:1227(programlisting)
9427
#: serverguide/C/windows-networking.xml:1234(para)
9433
#: serverguide/C/samba.xml:1234(para)
9429
9435
"Another way to copy files from a Windows server is to use the "
9430
9436
"<application>smbclient</application> utility. To list the files in a Windows "
9434
#: serverguide/C/windows-networking.xml:1240(command)
9440
#: serverguide/C/samba.xml:1240(command)
9435
9441
msgid "smbclient //fs01.example.com/share -k -c \"ls\""
9438
#: serverguide/C/windows-networking.xml:1246(para)
9444
#: serverguide/C/samba.xml:1246(para)
9439
9445
msgid "To copy a file from the share, enter:"
9442
#: serverguide/C/windows-networking.xml:1251(command)
9448
#: serverguide/C/samba.xml:1251(command)
9443
9449
msgid "smbclient //fs01.example.com/share -k -c \"get file.txt\""
9446
#: serverguide/C/windows-networking.xml:1254(para)
9452
#: serverguide/C/samba.xml:1254(para)
9448
9454
"This will copy the <filename>file.txt</filename> into the current directory."
9451
#: serverguide/C/windows-networking.xml:1261(para)
9457
#: serverguide/C/samba.xml:1261(para)
9452
9458
msgid "And to copy a file to the share:"
9455
#: serverguide/C/windows-networking.xml:1266(command)
9461
#: serverguide/C/samba.xml:1266(command)
9456
9462
msgid "smbclient //fs01.example.com/share -k -c \"put /etc/hosts hosts\""
9459
#: serverguide/C/windows-networking.xml:1269(para)
9465
#: serverguide/C/samba.xml:1269(para)
9461
9467
"This will copy the <filename>/etc/hosts</filename> to "
9462
9468
"<filename>//fs01.example.com/share/hosts</filename>."
9465
#: serverguide/C/windows-networking.xml:1276(para)
9471
#: serverguide/C/samba.xml:1276(para)
9467
9473
"The <emphasis>-c</emphasis> option used above allows you to execute the "
9468
9474
"<application>smbclient</application> command all at once. This is useful for "
10434
10440
"<application>Microsoft Active Directory</application> domain."
10437
#: serverguide/C/remote-administration.xml:509(para)
10443
#: serverguide/C/remote-administration.xml:549(para)
10439
10445
"zentyal-squid: configures <application>Squid</application> and "
10440
10446
"<application>Dansguardian</application> for speeding up browsing thanks to "
10441
10447
"the caching capabilities and content filtering."
10444
#: serverguide/C/remote-administration.xml:516(para)
10450
#: serverguide/C/remote-administration.xml:556(para)
10446
10452
"zentyal-samba: allows <application>Samba</application> configuration and "
10447
10453
"integration with existing LDAP. From the same interface you can define "
10448
10454
"password policies, create shared resources and assign permissions."
10451
#: serverguide/C/remote-administration.xml:524(para)
10457
#: serverguide/C/remote-administration.xml:564(para)
10453
10459
"zentyal-printers: integrates <application>CUPS</application> with "
10454
10460
"<application>Samba</application> and allows not only to configure the "
10455
10461
"printers but also give them permissions based on LDAP users and groups."
10458
#: serverguide/C/remote-administration.xml:533(para)
10464
#: serverguide/C/remote-administration.xml:573(para)
10460
10466
"To install <application>Zentyal</application>, in a terminal on the "
10461
10467
"<emphasis>server</emphasis> enter (where <zentyal-module> is any of "
10462
10468
"the modules from the previous list):"
10465
#: serverguide/C/remote-administration.xml:540(command)
10471
#: serverguide/C/remote-administration.xml:580(command)
10466
10472
msgid "sudo apt-get install <zentyal-module>"
10469
#: serverguide/C/remote-administration.xml:544(para)
10475
#: serverguide/C/remote-administration.xml:584(para)
10471
10477
"<application>Zentyal</application> publishes one major stable release once a "
10472
10478
"year (in September) based on latest Ubuntu LTS release. Stable releases "
10486
10492
"Personal Package Archive (PPA)</ulink>."
10489
#: serverguide/C/remote-administration.xml:566(para)
10495
#: serverguide/C/remote-administration.xml:606(para)
10491
10497
"Not present on Ubuntu Universe repositories, but on <ulink "
10492
10498
"url=\"https://launchpad.net/~zentyal/\">Zentyal Team PPA</ulink> you will "
10493
10499
"find these other modules:"
10496
#: serverguide/C/remote-administration.xml:573(para)
10502
#: serverguide/C/remote-administration.xml:613(para)
10498
10504
"zentyal-antivirus: integrates <application>ClamAV</application> antivirus "
10499
10505
"with other modules like the proxy, file sharing or mailfilter."
10502
#: serverguide/C/remote-administration.xml:580(para)
10508
#: serverguide/C/remote-administration.xml:620(para)
10504
10510
"zentyal-asterisk: configures <application>Asterisk</application> to provide "
10505
10511
"a simple PBX with LDAP based authentication."
10508
#: serverguide/C/remote-administration.xml:586(para)
10514
#: serverguide/C/remote-administration.xml:626(para)
10510
10516
"zentyal-bwmonitor: allows to monitor bandwith usage of your LAN clients."
10513
#: serverguide/C/remote-administration.xml:592(para)
10519
#: serverguide/C/remote-administration.xml:632(para)
10515
10521
"zentyal-captiveportal: integrates a captive portal with the firewall and "
10516
10522
"LDAP users and groups."
10519
#: serverguide/C/remote-administration.xml:598(para)
10525
#: serverguide/C/remote-administration.xml:638(para)
10521
10527
"zentyal-ebackup: allows to make scheduled backups of your server using the "
10522
10528
"popular <application>duplicity</application> backup tool."
10525
#: serverguide/C/remote-administration.xml:604(para)
10531
#: serverguide/C/remote-administration.xml:644(para)
10526
10532
msgid "zentyal-ftp: configures a FTP server with LDAP based authentication."
10529
#: serverguide/C/remote-administration.xml:609(para)
10535
#: serverguide/C/remote-administration.xml:649(para)
10530
10536
msgid "zentyal-ids: integrates a network intrusion detection system."
10533
#: serverguide/C/remote-administration.xml:614(para)
10539
#: serverguide/C/remote-administration.xml:654(para)
10535
10541
"zentyal-ipsec: allows to configure IPsec tunnels using "
10536
10542
"<application>OpenSwan</application>."
10539
#: serverguide/C/remote-administration.xml:620(para)
10545
#: serverguide/C/remote-administration.xml:660(para)
10541
10547
"zentyal-jabber: integrates <application>ejabberd</application> XMPP server "
10542
10548
"with LDAP users and groups."
10545
#: serverguide/C/remote-administration.xml:626(para)
10551
#: serverguide/C/remote-administration.xml:666(para)
10547
10553
"zentyal-thinclients: a <application>LTSP</application> based thin clients "
10551
#: serverguide/C/remote-administration.xml:632(para)
10557
#: serverguide/C/remote-administration.xml:672(para)
10553
10559
"zentyal-mail: a full mail stack including <application>Postfix "
10554
10560
"</application> and <application>Dovecot</application> with LDAP backend."
10557
#: serverguide/C/remote-administration.xml:639(para)
10563
#: serverguide/C/remote-administration.xml:679(para)
10559
10565
"zentyal-mailfilter: configures <application>amavisd</application> with mail "
10560
10566
"stack to filter spam and attached virus."
10563
#: serverguide/C/remote-administration.xml:645(para)
10569
#: serverguide/C/remote-administration.xml:685(para)
10565
10571
"zentyal-monitor: integrates <application>collectd</application> to monitor "
10566
10572
"server performance and running services."
10569
#: serverguide/C/remote-administration.xml:651(para)
10575
#: serverguide/C/remote-administration.xml:691(para)
10571
10577
"zentyal-pptp: configures a <application>PPTP</application> VPN server."
10574
#: serverguide/C/remote-administration.xml:656(para)
10580
#: serverguide/C/remote-administration.xml:696(para)
10576
10582
"zentyal-radius: integrates <application>FreeRADIUS</application> with LDAP "
10577
10583
"users and groups."
10580
#: serverguide/C/remote-administration.xml:662(para)
10586
#: serverguide/C/remote-administration.xml:702(para)
10582
10588
"zentyal-software: simple interface to manage installed "
10583
10589
"<application>Zentyal</application> modules and system updates."
10586
#: serverguide/C/remote-administration.xml:668(para)
10592
#: serverguide/C/remote-administration.xml:708(para)
10588
10594
"zentyal-trafficshaping: configures traffic limiting rules to do bandwidth "
10589
10595
"throttling and improve latency."
10592
#: serverguide/C/remote-administration.xml:674(para)
10598
#: serverguide/C/remote-administration.xml:714(para)
10594
10600
"zentyal-usercorner: allows users to edit their own LDAP attributes using a "
10595
10601
"web browser."
10598
#: serverguide/C/remote-administration.xml:680(para)
10604
#: serverguide/C/remote-administration.xml:720(para)
10600
10606
"zentyal-virt: simple interface to create and manage virtual machines based "
10601
10607
"on <application>libvirt</application>."
10604
#: serverguide/C/remote-administration.xml:686(para)
10610
#: serverguide/C/remote-administration.xml:726(para)
10606
10612
"zentyal-webmail: allows to access your mail using the popular "
10607
10613
"<application>Roundcube</application> webmail."
10610
#: serverguide/C/remote-administration.xml:692(para)
10616
#: serverguide/C/remote-administration.xml:732(para)
10612
10618
"zentyal-webserver: configures <application>Apache</application> webserver to "
10613
10619
"host different sites on your machine."
10616
#: serverguide/C/remote-administration.xml:698(para)
10622
#: serverguide/C/remote-administration.xml:738(para)
10618
10624
"zentyal-zarafa: integrates <application>Zarafa</application> groupware suite "
10619
10625
"with <application>Zentyal</application> mail stack and LDAP."
10622
#: serverguide/C/remote-administration.xml:710(title)
10628
#: serverguide/C/remote-administration.xml:750(title)
10623
10629
msgid "First steps"
10626
#: serverguide/C/remote-administration.xml:712(para)
10632
#: serverguide/C/remote-administration.xml:752(para)
10628
10634
"Any system account belonging to the sudo group is allowed to log into "
10629
10635
"<application>Zentyal</application> web interface. If you are using the user "
10630
10636
"created during the installation, this should be in the sudo group by default."
10633
#: serverguide/C/remote-administration.xml:720(para)
10639
#: serverguide/C/remote-administration.xml:760(para)
10634
10640
msgid "If you need to add another user to the sudo group, just execute:"
10637
#: serverguide/C/remote-administration.xml:725(command)
10643
#: serverguide/C/remote-administration.xml:765(command)
10638
10644
msgid "sudo adduser username sudo"
10641
#: serverguide/C/remote-administration.xml:729(para)
10647
#: serverguide/C/remote-administration.xml:769(para)
10643
10649
"To access <application>Zentyal</application> web interface, browse into "
10644
10650
"https://localhost/ (or the IP of your remote server). As Zentyal creates its "
11052
#: serverguide/C/package-management.xml:246(para)
11058
#: serverguide/C/package-management.xml:263(para)
11053
11059
msgid "<emphasis role=\"bold\">i</emphasis>: Installed package"
11056
#: serverguide/C/package-management.xml:251(para)
11062
#: serverguide/C/package-management.xml:268(para)
11058
11064
"<emphasis role=\"bold\">c</emphasis>: Package not installed, but package "
11059
11065
"configuration remains on system"
11062
#: serverguide/C/package-management.xml:255(para)
11068
#: serverguide/C/package-management.xml:272(para)
11063
11069
msgid "<emphasis role=\"bold\">p</emphasis>: Purged from system"
11066
#: serverguide/C/package-management.xml:259(para)
11072
#: serverguide/C/package-management.xml:276(para)
11067
11073
msgid "<emphasis role=\"bold\">v</emphasis>: Virtual package"
11070
#: serverguide/C/package-management.xml:263(para)
11076
#: serverguide/C/package-management.xml:280(para)
11071
11077
msgid "<emphasis role=\"bold\">B</emphasis>: Broken package"
11074
#: serverguide/C/package-management.xml:267(para)
11080
#: serverguide/C/package-management.xml:284(para)
11076
11082
"<emphasis role=\"bold\">u</emphasis>: Unpacked files, but package not yet "
11080
#: serverguide/C/package-management.xml:271(para)
11086
#: serverguide/C/package-management.xml:288(para)
11082
11088
"<emphasis role=\"bold\">C</emphasis>: Half-configured - Configuration failed "
11083
11089
"and requires fix"
11086
#: serverguide/C/package-management.xml:275(para)
11092
#: serverguide/C/package-management.xml:292(para)
11088
11094
"<emphasis role=\"bold\">H</emphasis>: Half-installed - Removal failed and "
11089
11095
"requires fix"
11092
#: serverguide/C/package-management.xml:243(para)
11098
#: serverguide/C/package-management.xml:260(para)
11094
11100
"The first column of information displayed in the package list in the top "
11095
11101
"pane, when actually viewing packages lists the current state of the package, "
11726
11732
msgid "sudo etckeeper commit \"added new host\""
11729
#: serverguide/C/other-apps.xml:258(para)
11735
#: serverguide/C/other-apps.xml:298(para)
11731
11737
"For more information on <application>bzr</application> see <xref "
11732
11738
"linkend=\"bazaar\"/>."
11735
#: serverguide/C/other-apps.xml:345(para)
11738
"url=\"http://kitenet.net/~joey/code/etckeeper/\">etckeeper</ulink> site for "
11739
"more details on using <application>etckeeper</application>."
11742
#: serverguide/C/other-apps.xml:351(para)
11744
"The <ulink url=\"https://help.ubuntu.com/community/etckeeper\">etckeeper "
11745
"Ubuntu Wiki</ulink> page."
11748
#: serverguide/C/other-apps.xml:356(para)
11741
#: serverguide/C/other-apps.xml:310(para)
11743
"See the <ulink url=\"http://etckeeper.branchable.com/\">etckeeper</ulink> "
11744
"site for more details on using <application>etckeeper</application>."
11747
#: serverguide/C/other-apps.xml:317(para)
11750
11749
"For the latest news and information about <application>bzr</application> see "
11751
11750
"the <ulink url=\"http://bazaar-vcs.org/\">bzr</ulink> web site."
11754
#: serverguide/C/other-apps.xml:264(title)
11753
#: serverguide/C/other-apps.xml:329(title)
11755
11754
msgid "Byobu"
11758
#: serverguide/C/other-apps.xml:337(para)
11757
#: serverguide/C/other-apps.xml:331(para)
11760
11759
"One of the most useful applications for any system administrator is an xterm "
11761
11760
"multiplexor such as <application>screen</application> or "
11767
11766
"changed by the user."
11770
#: serverguide/C/other-apps.xml:344(para)
11769
#: serverguide/C/other-apps.xml:338(para)
11771
11770
msgid "Invoke it simply with:"
11774
#: serverguide/C/other-apps.xml:349(command)
11773
#: serverguide/C/other-apps.xml:343(command)
11775
11774
msgid "byobu"
11778
#: serverguide/C/other-apps.xml:352(para)
11777
#: serverguide/C/other-apps.xml:346(para)
11780
11779
"Now bring up the configuration menu. By default this is done by pressing the "
11781
11780
"<emphasis>F9</emphasis> key. This will allow you to:"
11784
#: serverguide/C/other-apps.xml:279(para)
11783
#: serverguide/C/other-apps.xml:351(para)
11785
11784
msgid "View the Help menu"
11788
#: serverguide/C/other-apps.xml:280(para)
11787
#: serverguide/C/other-apps.xml:352(para)
11789
11788
msgid "Change Byobu's background color"
11792
#: serverguide/C/other-apps.xml:281(para)
11791
#: serverguide/C/other-apps.xml:353(para)
11793
11792
msgid "Change Byobu's foreground color"
11796
#: serverguide/C/other-apps.xml:282(para)
11795
#: serverguide/C/other-apps.xml:354(para)
11797
11796
msgid "Toggle status notifications"
11800
#: serverguide/C/other-apps.xml:283(para)
11799
#: serverguide/C/other-apps.xml:355(para)
11801
11800
msgid "Change the key binding set"
11804
#: serverguide/C/other-apps.xml:284(para)
11803
#: serverguide/C/other-apps.xml:356(para)
11805
11804
msgid "Change the escape sequence"
11808
#: serverguide/C/other-apps.xml:285(para)
11807
#: serverguide/C/other-apps.xml:357(para)
11809
11808
msgid "Create new windows"
11812
#: serverguide/C/other-apps.xml:286(para)
11811
#: serverguide/C/other-apps.xml:358(para)
11813
11812
msgid "Manage the default windows"
11816
#: serverguide/C/other-apps.xml:287(para)
11815
#: serverguide/C/other-apps.xml:359(para)
11817
11816
msgid "Byobu currently does not launch at login (toggle on)"
11820
#: serverguide/C/other-apps.xml:290(para)
11819
#: serverguide/C/other-apps.xml:362(para)
11822
11821
"The <emphasis>key bindings</emphasis> determine such things as the escape "
11823
11822
"sequence, new window, change window, etc. There are two key binding sets to "
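Review bot: in the etckeeper references, the removed side drops the msgid for the "etckeeper Ubuntu Wiki page" (https://help.ubuntu.com/community/etckeeper) along with the kitenet.net link, while the added side only brings in the etckeeper.branchable.com entry. If the wiki link was deliberately removed from other-apps.xml, say so in the change description. If it only moved, confirm the string still exists elsewhere in the template so its existing translations are not dropped.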
11850
11849
"commands. Here is a quick list of movement commands:"
11853
#: serverguide/C/other-apps.xml:314(para)
11852
#: serverguide/C/other-apps.xml:386(para)
11854
11853
msgid "<emphasis>h</emphasis> - Move the cursor left by one character"
11857
#: serverguide/C/other-apps.xml:315(para)
11856
#: serverguide/C/other-apps.xml:387(para)
11858
11857
msgid "<emphasis>j</emphasis> - Move the cursor down by one line"
11861
#: serverguide/C/other-apps.xml:316(para)
11860
#: serverguide/C/other-apps.xml:388(para)
11862
11861
msgid "<emphasis>k</emphasis> - Move the cursor up by one line"
11865
#: serverguide/C/other-apps.xml:317(para)
11864
#: serverguide/C/other-apps.xml:389(para)
11866
11865
msgid "<emphasis>l</emphasis> - Move the cursor right by one character"
11869
#: serverguide/C/other-apps.xml:318(para)
11868
#: serverguide/C/other-apps.xml:390(para)
11870
11869
msgid "<emphasis>0</emphasis> - Move to the beginning of the current line"
11873
#: serverguide/C/other-apps.xml:319(para)
11872
#: serverguide/C/other-apps.xml:391(para)
11874
11873
msgid "<emphasis>$</emphasis> - Move to the end of the current line"
11877
#: serverguide/C/other-apps.xml:320(para)
11876
#: serverguide/C/other-apps.xml:392(para)
11879
11878
"<emphasis>G</emphasis> - Moves to the specified line (defaults to the end of "
11880
11879
"the buffer)"
11883
#: serverguide/C/other-apps.xml:321(para)
11882
#: serverguide/C/other-apps.xml:393(para)
11884
11883
msgid "<emphasis>/</emphasis> - Search forward"
11887
#: serverguide/C/other-apps.xml:322(para)
11886
#: serverguide/C/other-apps.xml:394(para)
11888
11887
msgid "<emphasis>?</emphasis> - Search backward"
11891
#: serverguide/C/other-apps.xml:401(para)
11890
#: serverguide/C/other-apps.xml:395(para)
11893
11892
"<emphasis>n</emphasis> - Moves to the next match, either forward or backward"
11896
#: serverguide/C/other-apps.xml:361(para)
11895
#: serverguide/C/other-apps.xml:403(para)
11898
11897
"For more information on <application>screen</application> see the <ulink "
11899
11898
"url=\"http://www.gnu.org/software/screen/\">screen web site</ulink>."
11902
#: serverguide/C/other-apps.xml:366(para)
11901
#: serverguide/C/other-apps.xml:408(para)
11904
11903
"And the <ulink url=\"https://help.ubuntu.com/community/Screen\">Ubuntu Wiki "
11905
11904
"screen</ulink> page."
11908
#: serverguide/C/other-apps.xml:371(para)
11907
#: serverguide/C/other-apps.xml:413(para)
11910
11909
"Also, see the <application>byobu</application><ulink "
11911
11910
"url=\"https://launchpad.net/byobu\">project page</ulink> for more "
12261
12260
"iface eth0 inet dhcp\n"
12264
#: serverguide/C/network-config.xml:257(para)
12263
#: serverguide/C/network-config.xml:261(para)
12266
12265
"By adding an interface configuration as shown above, you can manually enable "
12267
12266
"the interface through the <application>ifup</application> command which "
12268
12267
"initiates the DHCP process via <application>dhclient</application>."
12271
#: serverguide/C/network-config.xml:263(command) serverguide/C/network-config.xml:298(command)
12270
#: serverguide/C/network-config.xml:267(command) serverguide/C/network-config.xml:302(command)
12272
12271
msgid "sudo ifup eth0"
12275
#: serverguide/C/network-config.xml:265(para)
12274
#: serverguide/C/network-config.xml:269(para)
12277
12276
"To manually disable the interface, you can use the "
12278
12277
"<application>ifdown</application> command, which in turn will initiate the "
12279
12278
"DHCP release process and shut down the interface."
12282
#: serverguide/C/network-config.xml:271(command) serverguide/C/network-config.xml:305(command)
12281
#: serverguide/C/network-config.xml:275(command) serverguide/C/network-config.xml:309(command)
12283
12282
msgid "sudo ifdown eth0"
12286
#: serverguide/C/network-config.xml:276(title)
12285
#: serverguide/C/network-config.xml:280(title)
12287
12286
msgid "Static IP Address Assignment"
12290
#: serverguide/C/network-config.xml:277(para)
12289
#: serverguide/C/network-config.xml:281(para)
12292
12291
"To configure your system to use a static IP address assignment, add the "
12293
12292
"<emphasis role=\"italic\">static</emphasis> method to the inet address "
12312
12311
"gateway 10.0.0.1\n"
12315
#: serverguide/C/network-config.xml:293(para)
12314
#: serverguide/C/network-config.xml:297(para)
12317
12316
"By adding an interface configuration as shown above, you can manually enable "
12318
12317
"the interface through the <application>ifup</application> command."
12321
#: serverguide/C/network-config.xml:300(para)
12320
#: serverguide/C/network-config.xml:304(para)
12323
12322
"To manually disable the interface, you can use the "
12324
12323
"<application>ifdown</application> command."
12327
#: serverguide/C/network-config.xml:310(title)
12326
#: serverguide/C/network-config.xml:314(title)
12328
12327
msgid "Loopback Interface"
12331
#: serverguide/C/network-config.xml:311(para)
12330
#: serverguide/C/network-config.xml:315(para)
12333
12332
"The loopback interface is identified by the system as <emphasis "
12334
12333
"role=\"italic\">lo</emphasis> and has a default IP address of 127.0.0.1. It "
12335
12334
"can be viewed using the ifconfig command."
12338
#: serverguide/C/network-config.xml:316(command)
12337
#: serverguide/C/network-config.xml:320(command)
12339
12338
msgid "ifconfig lo"
12342
#: serverguide/C/network-config.xml:317(computeroutput)
12341
#: serverguide/C/network-config.xml:321(computeroutput)
12345
12344
"lo Link encap:Local Loopback \n"
12459
12458
" dns-nameservers 192.168.3.45 192.168.8.10\n"
12462
#: serverguide/C/network-config.xml:402(para)
12461
#: serverguide/C/network-config.xml:406(para)
12464
12463
"If you try to ping a host with the name of <emphasis "
12465
12464
"role=\"italic\">server1</emphasis>, your system will automatically query DNS "
12466
12465
"for its Fully Qualified Domain Name (FQDN) in the following order:"
12469
#: serverguide/C/network-config.xml:409(para)
12468
#: serverguide/C/network-config.xml:413(para)
12470
12469
msgid "server1<emphasis role=\"bold\">.example.com</emphasis>"
12473
#: serverguide/C/network-config.xml:414(para)
12472
#: serverguide/C/network-config.xml:418(para)
12474
12473
msgid "server1<emphasis role=\"bold\">.sales.example.com</emphasis>"
12477
#: serverguide/C/network-config.xml:419(para)
12476
#: serverguide/C/network-config.xml:423(para)
12478
12477
msgid "server1<emphasis role=\"bold\">.dev.example.com</emphasis>"
12481
#: serverguide/C/network-config.xml:424(para)
12480
#: serverguide/C/network-config.xml:428(para)
12483
12482
"If no matches are found, the DNS server will provide a result of <emphasis "
12484
12483
"role=\"italic\">notfound</emphasis> and the DNS query will fail."
12487
#: serverguide/C/network-config.xml:431(title)
12486
#: serverguide/C/network-config.xml:435(title)
12488
12487
msgid "Static Hostnames"
12491
#: serverguide/C/network-config.xml:432(para)
12490
#: serverguide/C/network-config.xml:436(para)
12493
12492
"Static hostnames are locally defined hostname-to-IP mappings located in the "
12494
12493
"file <filename>/etc/hosts</filename>. Entries in the "
13012
13011
"DHCP server, and the configuration is transparent to the computer's user."
13015
#: serverguide/C/network-config.xml:880(para)
13014
#: serverguide/C/network-config.xml:876(para)
13017
13016
"The most common settings provided by a DHCP server to DHCP clients include:"
13020
#: serverguide/C/network-config.xml:885(para)
13019
#: serverguide/C/network-config.xml:881(para)
13021
13020
msgid "IP address and netmask"
13024
#: serverguide/C/network-config.xml:888(para)
13023
#: serverguide/C/network-config.xml:884(para)
13025
13024
msgid "IP address of the default-gateway to use"
13028
#: serverguide/C/network-config.xml:891(para)
13027
#: serverguide/C/network-config.xml:887(para)
13029
13028
msgid "IP adresses of the DNS servers to use"
13032
#: serverguide/C/network-config.xml:894(para)
13031
#: serverguide/C/network-config.xml:890(para)
13034
13033
"However, a DHCP server can also supply configuration properties such as:"
13037
#: serverguide/C/network-config.xml:899(para)
13036
#: serverguide/C/network-config.xml:895(para)
13038
13037
msgid "Host Name"
13041
#: serverguide/C/network-config.xml:902(para)
13040
#: serverguide/C/network-config.xml:898(para)
13042
13041
msgid "Domain Name"
13045
#: serverguide/C/network-config.xml:905(para)
13044
#: serverguide/C/network-config.xml:901(para)
13046
13045
msgid "Time Server"
13049
#: serverguide/C/network-config.xml:911(para)
13048
#: serverguide/C/network-config.xml:907(para)
13051
13050
"The advantage of using DHCP is that changes to the network, for example a "
13052
13051
"change in the address of the DNS server, need only be changed at the DHCP "
13119
13118
"and configure and will be automatically started at system boot."
13122
#: serverguide/C/network-config.xml:976(para)
13121
#: serverguide/C/network-config.xml:974(para)
13124
13123
"At a terminal prompt, enter the following command to install "
13125
13124
"<application>dhcpd</application>:"
13128
#: serverguide/C/network-config.xml:981(command)
13127
#: serverguide/C/network-config.xml:979(command)
13129
13128
msgid "sudo apt-get install isc-dhcp-server"
13132
#: serverguide/C/network-config.xml:983(para)
13131
#: serverguide/C/network-config.xml:981(para)
13134
13133
"You will probably need to change the default configuration by editing "
13135
13134
"/etc/dhcp/dhcpd.conf to suit your needs and particular configuration."
13138
#: serverguide/C/network-config.xml:987(para)
13137
#: serverguide/C/network-config.xml:985(para)
13140
13139
"You also may need to edit /etc/default/isc-dhcp-server to specify the "
13141
13140
"interfaces dhcpd should listen to."
13144
#: serverguide/C/network-config.xml:991(para)
13143
#: serverguide/C/network-config.xml:989(para)
13146
13145
"NOTE: dhcpd's messages are being sent to syslog. Look there for diagnostics "
13150
#: serverguide/C/network-config.xml:998(para)
13149
#: serverguide/C/network-config.xml:996(para)
13152
13151
"The error message the installation ends with might be a little confusing, "
13153
13152
"but the following steps will help you configure the service:"
13156
#: serverguide/C/network-config.xml:1002(para)
13155
#: serverguide/C/network-config.xml:1000(para)
13158
13157
"Most commonly, what you want to do is assign an IP address randomly. This "
13159
13158
"can be done with settings as follows:"
13162
#: serverguide/C/network-config.xml:1006(programlisting)
13161
#: serverguide/C/network-config.xml:1004(programlisting)
13364
13363
"The Lightweight Directory Access Protocol, or LDAP, is a protocol for "
13365
13364
"querying and modifying a X.500-based directory service running over TCP/IP. "
13366
13365
"The current LDAP version is LDAPv3, as defined in <ulink "
13367
"url=\"http://tools.ietf.org/html/rfc4510\">RFC4510</ulink>, and the its "
13368
"implementation used in Ubuntu is from OpenLDAP."
13366
"url=\"http://tools.ietf.org/html/rfc4510\">RFC4510</ulink>, and the "
13367
"implementation in Ubuntu is OpenLDAP.\""
13371
#: serverguide/C/network-auth.xml:27(para)
13370
#: serverguide/C/network-auth.xml:29(para)
13373
13372
"So the LDAP protocol accesses LDAP directories. Here are some key concepts "
13377
#: serverguide/C/network-auth.xml:34(para)
13376
#: serverguide/C/network-auth.xml:36(para)
13379
13378
"A LDAP directory is a tree of data <emphasis>entries</emphasis> that is "
13380
13379
"hierarchical in nature and is called the Directory Information Tree (DIT)."
13383
#: serverguide/C/network-auth.xml:41(para)
13382
#: serverguide/C/network-auth.xml:43(para)
13384
13383
msgid "An entry consists of a set of <emphasis>attributes</emphasis>."
13387
#: serverguide/C/network-auth.xml:47(para)
13386
#: serverguide/C/network-auth.xml:49(para)
13389
13388
"An attribute has a <emphasis>type</emphasis> (a name/description) and one or "
13390
13389
"more <emphasis>values</emphasis>."
13393
#: serverguide/C/network-auth.xml:53(para)
13392
#: serverguide/C/network-auth.xml:55(para)
13395
13394
"Every attribute must be defined in at least one "
13396
13395
"<emphasis>objectClass</emphasis>."
13399
#: serverguide/C/network-auth.xml:59(para)
13398
#: serverguide/C/network-auth.xml:61(para)
13401
13400
"Attributes and objectclasses are defined in <emphasis>schemas</emphasis> (an "
13402
13401
"objectclass is actually considered as a special kind of attribute)."
13405
#: serverguide/C/network-auth.xml:66(para)
13404
#: serverguide/C/network-auth.xml:68(para)
13407
13406
"Each entry has a unique identifier: its <emphasis>Distinguished "
13408
13407
"Name</emphasis> (DN or dn). This, in turn, consists of a <emphasis>Relative "
13409
13408
"Distinguished Name</emphasis> (RDN) followed by the parent entry's DN."
13412
#: serverguide/C/network-auth.xml:73(para)
13411
#: serverguide/C/network-auth.xml:75(para)
13414
13413
"The entry's DN is not an attribute. It is not considered part of the entry "
13418
#: serverguide/C/network-auth.xml:81(para)
13417
#: serverguide/C/network-auth.xml:83(para)
13420
13419
"The terms <emphasis>object</emphasis>, <emphasis>container</emphasis>, and "
13421
13420
"<emphasis>node</emphasis> have certain connotations but they all essentially "
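Review bot: the added line `"implementation in Ubuntu is OpenLDAP.\""` in the RFC4510 sentence of the LDAP introduction ends with an escaped quote, so the msgid now carries a literal `"` after the full stop that the removed wording did not have. Drop the `\"` so the line ends `OpenLDAP."`. If the stray quote originates in the network-auth.xml paragraph that the `#:` reference points to, correct it there too, otherwise translators will copy it into every msgstr.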
13494
13493
"a line similar to this:"
13497
#: serverguide/C/network-auth.xml:155(programlisting)
13496
#: serverguide/C/network-auth.xml:157(programlisting)
13501
13500
"127.0.1.1 hostname.example.com\thostname\n"
13504
#: serverguide/C/network-auth.xml:159(para)
13503
#: serverguide/C/network-auth.xml:161(para)
13505
13504
msgid "You can revert the change after package installation."
13508
#: serverguide/C/network-auth.xml:164(para)
13507
#: serverguide/C/network-auth.xml:166(para)
13510
13509
"This guide will use a database suffix of "
13511
13510
"<emphasis>dc=example,dc=com</emphasis>."
13514
#: serverguide/C/network-auth.xml:169(para)
13513
#: serverguide/C/network-auth.xml:171(para)
13515
13514
msgid "Proceed with the install:"
13518
#: serverguide/C/network-auth.xml:174(command)
13517
#: serverguide/C/network-auth.xml:176(command)
13519
13518
msgid "sudo apt-get install slapd ldap-utils"
13522
#: serverguide/C/network-auth.xml:177(para)
13521
#: serverguide/C/network-auth.xml:179(para)
13524
13523
"Since Ubuntu 8.10 slapd is designed to be configured within slapd itself by "
13525
13524
"dedicating a separate DIT for that purpose. This allows one to dynamically "
13642
13641
"dn: olcDatabase={1}hdb,cn=config\n"
13645
#: serverguide/C/network-auth.xml:281(para) serverguide/C/network-auth.xml:372(para)
13644
#: serverguide/C/network-auth.xml:288(para) serverguide/C/network-auth.xml:379(para)
13646
13645
msgid "Explanation of entries:"
13649
#: serverguide/C/network-auth.xml:288(para)
13648
#: serverguide/C/network-auth.xml:295(para)
13650
13649
msgid "<emphasis>cn=config</emphasis>: global settings"
13653
#: serverguide/C/network-auth.xml:294(para)
13652
#: serverguide/C/network-auth.xml:301(para)
13655
13654
"<emphasis>cn=module{0},cn=config</emphasis>: a dynamically loaded module"
13658
#: serverguide/C/network-auth.xml:300(para)
13657
#: serverguide/C/network-auth.xml:307(para)
13660
13659
"<emphasis>cn=schema,cn=config</emphasis>: contains hard-coded system-level "
13664
#: serverguide/C/network-auth.xml:306(para)
13663
#: serverguide/C/network-auth.xml:313(para)
13666
13665
"<emphasis>cn={0}core,cn=schema,cn=config</emphasis>: the hard-coded core "
13670
#: serverguide/C/network-auth.xml:312(para)
13669
#: serverguide/C/network-auth.xml:319(para)
13672
13671
"<emphasis>cn={1}cosine,cn=schema,cn=config</emphasis>: the cosine schema"
13675
#: serverguide/C/network-auth.xml:318(para)
13674
#: serverguide/C/network-auth.xml:325(para)
13676
13675
msgid "<emphasis>cn={2}nis,cn=schema,cn=config</emphasis>: the nis schema"
13679
#: serverguide/C/network-auth.xml:324(para)
13678
#: serverguide/C/network-auth.xml:331(para)
13681
13680
"<emphasis>cn={3}inetorgperson,cn=schema,cn=config</emphasis>: the "
13682
13681
"inetorgperson schema"
13685
#: serverguide/C/network-auth.xml:330(para)
13684
#: serverguide/C/network-auth.xml:337(para)
13687
13686
"<emphasis>olcBackend={0}hdb,cn=config</emphasis>: the 'hdb' backend storage "
13691
#: serverguide/C/network-auth.xml:336(para)
13690
#: serverguide/C/network-auth.xml:343(para)
13693
13692
"<emphasis>olcDatabase={-1}frontend,cn=config</emphasis>: frontend database, "
13694
13693
"default settings for other databases"
13697
#: serverguide/C/network-auth.xml:342(para)
13696
#: serverguide/C/network-auth.xml:349(para)
13699
13698
"<emphasis>olcDatabase={0}config,cn=config</emphasis>: slapd configuration "
13700
13699
"database (cn=config)"
13703
#: serverguide/C/network-auth.xml:348(para)
13702
#: serverguide/C/network-auth.xml:355(para)
13705
13704
"<emphasis>olcDatabase={1}hdb,cn=config</emphasis>: your database instance "
13706
13705
"(dc=examle,dc=com)"
13709
#: serverguide/C/network-auth.xml:359(para)
13708
#: serverguide/C/network-auth.xml:366(para)
13710
13709
msgid "This is what the dc=example,dc=com DIT looks like:"
13713
#: serverguide/C/network-auth.xml:364(command)
13712
#: serverguide/C/network-auth.xml:371(command)
13714
13713
msgid "ldapsearch -x -LLL -H ldap:/// -b dc=example,dc=com dn"
13717
#: serverguide/C/network-auth.xml:365(computeroutput)
13716
#: serverguide/C/network-auth.xml:372(computeroutput)
13723
13722
"dn: cn=admin,dc=example,dc=com\n"
13726
#: serverguide/C/network-auth.xml:379(para)
13725
#: serverguide/C/network-auth.xml:386(para)
13727
13726
msgid "<emphasis>dc=example,dc=com</emphasis>: base of the DIT"
13730
#: serverguide/C/network-auth.xml:385(para)
13729
#: serverguide/C/network-auth.xml:392(para)
13732
13731
"<emphasis>cn=admin,dc=example,dc=com</emphasis>: administrator (rootDN) for "
13733
13732
"this DIT (set up during package install)"
13736
#: serverguide/C/network-auth.xml:399(title)
13735
#: serverguide/C/network-auth.xml:406(title)
13737
13736
msgid "Modifying/Populating your Database"
13740
#: serverguide/C/network-auth.xml:401(para)
13739
#: serverguide/C/network-auth.xml:408(para)
13742
13741
"Let's introduce some content to our database. We will add the following:"
13745
#: serverguide/C/network-auth.xml:408(para)
13744
#: serverguide/C/network-auth.xml:415(para)
13746
13745
msgid "a node called <emphasis>People</emphasis> (to store users)"
13749
#: serverguide/C/network-auth.xml:414(para)
13748
#: serverguide/C/network-auth.xml:421(para)
13750
13749
msgid "a node called <emphasis>Groups</emphasis> (to store groups)"
13753
#: serverguide/C/network-auth.xml:420(para)
13752
#: serverguide/C/network-auth.xml:427(para)
13754
13753
msgid "a group called <emphasis>miners</emphasis>"
13757
#: serverguide/C/network-auth.xml:426(para)
13756
#: serverguide/C/network-auth.xml:433(para)
13758
13757
msgid "a user called <emphasis>john</emphasis>"
13761
#: serverguide/C/network-auth.xml:433(para)
13760
#: serverguide/C/network-auth.xml:440(para)
13763
13762
"Create the following LDIF file and call it "
13764
13763
"<filename>add_content.ldif</filename>:"
13767
#: serverguide/C/network-auth.xml:437(programlisting)
13766
#: serverguide/C/network-auth.xml:444(programlisting)
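Review bot: The msgid describing olcDatabase={1}hdb,cn=config in this hunk reads "(dc=examle,dc=com)", while every other string in the file uses dc=example,dc=com. This refresh only moves the #: references, so the typo is carried over from network-auth.xml. Fix it in the XML source and regenerate the catalogue, because correcting the msgid in the .po file alone would leave it unmatched against the template.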
13851
13850
"gidNumber: 5000\n"
13854
#: serverguide/C/network-auth.xml:508(para)
13853
#: serverguide/C/network-auth.xml:515(para)
13855
13854
msgid "Explanation of switches:"
13858
#: serverguide/C/network-auth.xml:515(para)
13857
#: serverguide/C/network-auth.xml:522(para)
13860
13859
"<emphasis>-x:</emphasis> \"simple\" binding; will not use the default SASL "
13864
#: serverguide/C/network-auth.xml:521(para)
13863
#: serverguide/C/network-auth.xml:528(para)
13865
13864
msgid "<emphasis>-LLL:</emphasis> disable printing extraneous information"
13868
#: serverguide/C/network-auth.xml:527(para)
13867
#: serverguide/C/network-auth.xml:534(para)
13869
13868
msgid "<emphasis>uid=john:</emphasis> a \"filter\" to find the john user"
13872
#: serverguide/C/network-auth.xml:533(para)
13871
#: serverguide/C/network-auth.xml:540(para)
13874
13873
"<emphasis>cn gidNumber:</emphasis> requests certain attributes to be "
13875
13874
"displayed (the default is to show all attributes)"
13878
#: serverguide/C/network-auth.xml:543(title)
13877
#: serverguide/C/network-auth.xml:550(title)
13879
13878
msgid "Modifying the slapd Configuration Database"
13882
#: serverguide/C/network-auth.xml:545(para)
13881
#: serverguide/C/network-auth.xml:552(para)
13884
13883
"The slapd-config DIT can also be queried and modified. Here are a few "
13888
#: serverguide/C/network-auth.xml:552(para)
13887
#: serverguide/C/network-auth.xml:559(para)
13890
13889
"Use <application>ldapmodify</application> to add an \"Index\" (DbIndex "
13891
13890
"attribute) to your <application>{1}hdb,cn=config</application> database "
13936
13935
"olcDbIndex: uid eq,pres,sub\n"
13939
#: serverguide/C/network-auth.xml:591(para)
13938
#: serverguide/C/network-auth.xml:598(para)
13941
13940
"Let's add a schema. It will first need to be converted to LDIF format. You "
13942
13941
"can find unconverted schemas in addition to converted ones in the <filename "
13943
13942
"role=\"directory\">/etc/ldap/schema</filename> directory."
13946
#: serverguide/C/network-auth.xml:599(para)
13945
#: serverguide/C/network-auth.xml:606(para)
13948
13947
"It is not trivial to remove a schema from the slapd-config database. "
13949
13948
"Practice adding schemas on a test system."
13952
#: serverguide/C/network-auth.xml:605(para)
13951
#: serverguide/C/network-auth.xml:612(para)
13954
13953
"Before adding any schema, you should check which schemas are already "
13955
13954
"installed (shown is a default, out-of-the-box output):"
13958
#: serverguide/C/network-auth.xml:611(command)
13957
#: serverguide/C/network-auth.xml:618(command)
13960
13959
"sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b \\ cn=schema,cn=config dn"
13963
#: serverguide/C/network-auth.xml:613(computeroutput)
13962
#: serverguide/C/network-auth.xml:620(computeroutput)
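Review bot: The schema-listing command in this hunk is stored as "-b \\ cn=schema,cn=config dn", with the source's line continuation flattened to a backslash followed by a space. Typed on one line, that backslash escapes the space and the search base is passed with a leading blank. The "Confirm currently loaded schemas" string later in the file carries the same command without the continuation; use that form in the XML source here as well, so that translators and readers see one copyable command.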
14005
14004
"include /etc/ldap/schema/pmi.schema\n"
14008
#: serverguide/C/network-auth.xml:662(para)
14007
#: serverguide/C/network-auth.xml:669(para)
14009
14008
msgid "Create the output directory <filename>ldif_output</filename>."
14012
#: serverguide/C/network-auth.xml:668(para) serverguide/C/network-auth.xml:2317(para)
14011
#: serverguide/C/network-auth.xml:675(para) serverguide/C/network-auth.xml:2324(para)
14013
14012
msgid "Determine the index of the schema:"
14016
#: serverguide/C/network-auth.xml:673(command)
14015
#: serverguide/C/network-auth.xml:680(command)
14018
14017
"slapcat -f schema_convert.conf -F ldif_output -n 0 | grep corba,cn=schema"
14021
#: serverguide/C/network-auth.xml:674(computeroutput)
14020
#: serverguide/C/network-auth.xml:681(computeroutput)
14025
14024
"cn={1}corba,cn=schema,cn=config\n"
14028
#: serverguide/C/network-auth.xml:685(para)
14027
#: serverguide/C/network-auth.xml:687(para)
14030
14029
"When slapd ingests objects with the same parent DN it will create an "
14031
14030
"<emphasis>index</emphasis> for that object. An index is contained within "
14032
14031
"braces: <application>{X}</application>."
14035
#: serverguide/C/network-auth.xml:689(para)
14034
#: serverguide/C/network-auth.xml:696(para)
14036
14035
msgid "Use <application>slapcat</application> to perform the conversion:"
14039
#: serverguide/C/network-auth.xml:694(command)
14038
#: serverguide/C/network-auth.xml:701(command)
14041
14040
"slapcat -f schema_convert.conf -F ldif_output -n0 -H \\ "
14042
14041
"ldap:///cn={1}corba,cn=schema,cn=config -l cn=corba.ldif"
14045
#: serverguide/C/network-auth.xml:698(para)
14044
#: serverguide/C/network-auth.xml:705(para)
14046
14045
msgid "The converted schema is now in <filename>cn=corba.ldif</filename>"
14049
#: serverguide/C/network-auth.xml:704(para)
14048
#: serverguide/C/network-auth.xml:711(para)
14051
14050
"Edit <filename>cn=corba.ldif</filename> to arrive at the following "
14052
14051
"attributes:"
14055
#: serverguide/C/network-auth.xml:708(programlisting)
14054
#: serverguide/C/network-auth.xml:715(programlisting)
14078
14077
"modifyTimestamp: 20110829165435Z\n"
14081
#: serverguide/C/network-auth.xml:728(para) serverguide/C/network-auth.xml:2367(para)
14080
#: serverguide/C/network-auth.xml:735(para) serverguide/C/network-auth.xml:2374(para)
14082
14081
msgid "Your attribute values will vary."
14085
#: serverguide/C/network-auth.xml:734(para)
14084
#: serverguide/C/network-auth.xml:741(para)
14087
14086
"Finally, use <application>ldapadd</application> to add the new schema to the "
14088
14087
"slapd-config DIT:"
14091
#: serverguide/C/network-auth.xml:739(command)
14090
#: serverguide/C/network-auth.xml:746(command)
14092
14091
msgid "sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f cn\\=corba.ldif"
14095
#: serverguide/C/network-auth.xml:740(computeroutput)
14094
#: serverguide/C/network-auth.xml:747(computeroutput)
14099
14098
"adding new entry \"cn=corba,cn=schema,cn=config\"\n"
14102
#: serverguide/C/network-auth.xml:748(para)
14101
#: serverguide/C/network-auth.xml:755(para)
14103
14102
msgid "Confirm currently loaded schemas:"
14106
#: serverguide/C/network-auth.xml:753(command)
14105
#: serverguide/C/network-auth.xml:760(command)
14108
14107
"sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config dn"
14111
#: serverguide/C/network-auth.xml:754(computeroutput)
14110
#: serverguide/C/network-auth.xml:761(computeroutput)
14335
14334
"/var/lib/ldap/** rwk,\n"
14338
#: serverguide/C/network-auth.xml:957(para)
14337
#: serverguide/C/network-auth.xml:964(para)
14340
14339
"Create a directory, set up a databse config file, and reload the apparmor "
14344
#: serverguide/C/network-auth.xml:962(command)
14343
#: serverguide/C/network-auth.xml:969(command)
14345
14344
msgid "sudo -u openldap mkdir /var/lib/ldap/accesslog"
14348
#: serverguide/C/network-auth.xml:963(command)
14347
#: serverguide/C/network-auth.xml:970(command)
14349
14348
msgid "sudo -u openldap cp /var/lib/ldap/DB_CONFIG /var/lib/ldap/accesslog"
14352
#: serverguide/C/network-auth.xml:970(para)
14351
#: serverguide/C/network-auth.xml:977(para)
14354
14353
"Add the new content and, due to the apparmor change, restart the daemon:"
14357
#: serverguide/C/network-auth.xml:975(command)
14356
#: serverguide/C/network-auth.xml:982(command)
14358
14357
msgid "sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f provider_sync.ldif"
14361
#: serverguide/C/network-auth.xml:976(command) serverguide/C/network-auth.xml:1498(command) serverguide/C/network-auth.xml:1683(command) serverguide/C/network-auth.xml:3912(command)
14360
#: serverguide/C/network-auth.xml:983(command) serverguide/C/network-auth.xml:1505(command) serverguide/C/network-auth.xml:1690(command) serverguide/C/network-auth.xml:3911(command)
14362
14361
msgid "sudo service slapd restart"
14365
#: serverguide/C/network-auth.xml:983(para)
14364
#: serverguide/C/network-auth.xml:990(para)
14366
14365
msgid "The Provider is now configured."
14369
#: serverguide/C/network-auth.xml:990(title)
14368
#: serverguide/C/network-auth.xml:997(title)
14370
14369
msgid "Consumer Configuration"
14373
#: serverguide/C/network-auth.xml:992(para)
14372
#: serverguide/C/network-auth.xml:999(para)
14374
14373
msgid "And now configure the <emphasis>Consumer</emphasis>."
14377
#: serverguide/C/network-auth.xml:999(para)
14376
#: serverguide/C/network-auth.xml:1006(para)
14379
14378
"Install the software by going through <xref linkend=\"openldap-server-"
14380
14379
"installation\"/>. Make sure the slapd-config databse is identical to the "
14415
14414
"olcUpdateRef: ldap://ldap01.example.com\n"
14418
#: serverguide/C/network-auth.xml:1031(para)
14417
#: serverguide/C/network-auth.xml:1038(para)
14419
14418
msgid "Ensure the following attributes have the correct values:"
14422
#: serverguide/C/network-auth.xml:1036(para)
14421
#: serverguide/C/network-auth.xml:1043(para)
14424
14423
"<emphasis>provider</emphasis> (Provider server's hostname -- "
14425
14424
"ldap01.example.com in this example -- or IP address)"
14428
#: serverguide/C/network-auth.xml:1037(para)
14427
#: serverguide/C/network-auth.xml:1044(para)
14429
14428
msgid "<emphasis>binddn</emphasis> (the admin DN you're using)"
14432
#: serverguide/C/network-auth.xml:1038(para)
14431
#: serverguide/C/network-auth.xml:1045(para)
14433
14432
msgid "<emphasis>credentials</emphasis> (the admin DN password you're using)"
14436
#: serverguide/C/network-auth.xml:1039(para)
14435
#: serverguide/C/network-auth.xml:1046(para)
14437
14436
msgid "<emphasis>searchbase</emphasis> (the database suffix you're using)"
14440
#: serverguide/C/network-auth.xml:1040(para)
14439
#: serverguide/C/network-auth.xml:1047(para)
14442
14441
"<emphasis>olcUpdateRef</emphasis> (Provider server's hostname or IP address)"
14445
#: serverguide/C/network-auth.xml:1041(para)
14444
#: serverguide/C/network-auth.xml:1048(para)
14447
14446
"<emphasis>rid</emphasis> (Replica ID, an unique 3-digit that identifies the "
14448
14447
"replica. Each consumer should have at least one rid)"
14451
#: serverguide/C/network-auth.xml:1050(para)
14450
#: serverguide/C/network-auth.xml:1057(para)
14452
14451
msgid "Add the new content:"
14455
#: serverguide/C/network-auth.xml:1055(command)
14454
#: serverguide/C/network-auth.xml:1062(command)
14456
14455
msgid "sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f consumer_sync.ldif"
14459
#: serverguide/C/network-auth.xml:1062(para)
14458
#: serverguide/C/network-auth.xml:1069(para)
14461
14460
"You're done. The two databases (suffix: dc=example,dc=com) should now be "
14462
14461
"synchronizing."
14465
#: serverguide/C/network-auth.xml:1071(para)
14464
#: serverguide/C/network-auth.xml:1078(para)
14466
14465
msgid "Once replication starts, you can monitor it by running"
14469
#: serverguide/C/network-auth.xml:1081(command)
14468
#: serverguide/C/network-auth.xml:1083(command)
14471
14470
"ldapsearch -z1 -LLLQY EXTERNAL -H ldapi:/// -s base -b dc=example,dc=com "
14475
#: serverguide/C/network-auth.xml:1077(computeroutput)
14474
#: serverguide/C/network-auth.xml:1084(computeroutput)
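Review bot: The Consumer attribute list in this hunk tells the reader to set binddn to "the admin DN you're using" and credentials to "the admin DN password you're using", so the rootDN password for dc=example,dc=com ends up in consumer_sync.ldif and in the Consumer's configuration database. Replication only needs read access to the replicated suffix; the source text should recommend a dedicated replication DN with read-only rights instead of the admin DN. Minor wording in the same list: "an unique 3-digit" should read "a unique 3-digit number".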
14815
14814
"cert_signing_key\n"
14818
#: serverguide/C/network-auth.xml:1370(para)
14817
#: serverguide/C/network-auth.xml:1377(para)
14819
14818
msgid "Create the self-signed CA certificate:"
14822
#: serverguide/C/network-auth.xml:1375(command)
14821
#: serverguide/C/network-auth.xml:1382(command)
14824
14823
"sudo certtool --generate-self-signed \\ --load-privkey "
14825
14824
"/etc/ssl/private/cakey.pem \\ --template /etc/ssl/ca.info \\ --outfile "
14826
14825
"/etc/ssl/certs/cacert.pem"
14829
#: serverguide/C/network-auth.xml:1384(para)
14828
#: serverguide/C/network-auth.xml:1391(para)
14830
14829
msgid "Make a private key for the server:"
14833
#: serverguide/C/network-auth.xml:1389(command)
14832
#: serverguide/C/network-auth.xml:1396(command)
14835
14834
"sudo certtool --generate-privkey \\ --bits 1024 \\ --outfile "
14836
14835
"/etc/ssl/private/ldap01_slapd_key.pem"
14839
#: serverguide/C/network-auth.xml:1395(para)
14838
#: serverguide/C/network-auth.xml:1402(para)
14841
14840
"Replace <emphasis>ldap01</emphasis> in the filename with your server's "
14842
14841
"hostname. Naming the certificate and key for the host and service that will "
14843
14842
"be using them will help keep things clear."
14846
#: serverguide/C/network-auth.xml:1404(para)
14845
#: serverguide/C/network-auth.xml:1411(para)
14848
14847
"Create the <filename>/etc/ssl/ldap01.info</filename> info file containing:"
14851
#: serverguide/C/network-auth.xml:1408(programlisting)
14850
#: serverguide/C/network-auth.xml:1415(programlisting)
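Review bot: The server key command in this hunk still documents "sudo certtool --generate-privkey \\ --bits 1024", and a 1024-bit RSA key is below the 2048-bit minimum that current guidance expects for a TLS server key. Since the references are being refreshed anyway, raise the value in the XML source to at least 2048 before this string goes out to translators again.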
14932
14931
"over TCP port 636."
14935
#: serverguide/C/network-auth.xml:1482(para)
14934
#: serverguide/C/network-auth.xml:1489(para)
14936
14935
msgid "Tighten up ownership and permissions:"
14939
#: serverguide/C/network-auth.xml:1487(command) serverguide/C/network-auth.xml:1604(command)
14938
#: serverguide/C/network-auth.xml:1494(command) serverguide/C/network-auth.xml:1611(command)
14940
14939
msgid "sudo adduser openldap ssl-cert"
14943
#: serverguide/C/network-auth.xml:1488(command)
14942
#: serverguide/C/network-auth.xml:1495(command)
14944
14943
msgid "sudo chgrp ssl-cert /etc/ssl/private/ldap01_slapd_key.pem"
14947
#: serverguide/C/network-auth.xml:1489(command)
14946
#: serverguide/C/network-auth.xml:1496(command)
14948
14947
msgid "sudo chmod g+r /etc/ssl/private/ldap01_slapd_key.pem"
14951
#: serverguide/C/network-auth.xml:1490(command)
14950
#: serverguide/C/network-auth.xml:1497(command)
14952
14951
msgid "sudo chmod o-r /etc/ssl/private/ldap01_slapd_key.pem"
14955
#: serverguide/C/network-auth.xml:1493(para)
14954
#: serverguide/C/network-auth.xml:1500(para)
14956
14955
msgid "Restart OpenLDAP:"
14959
#: serverguide/C/network-auth.xml:1501(para)
14958
#: serverguide/C/network-auth.xml:1508(para)
14961
14960
"Check your host's logs (/var/log/syslog) to see if the server has started "
14965
#: serverguide/C/network-auth.xml:1508(title)
14964
#: serverguide/C/network-auth.xml:1515(title)
14966
14965
msgid "Replication and TLS"
14969
#: serverguide/C/network-auth.xml:1510(para)
14968
#: serverguide/C/network-auth.xml:1517(para)
14971
14970
"If you have set up replication between servers, it is common practice to "
14972
14971
"encrypt (StartTLS) the replication traffic to prevent evesdropping. This is "
14994
14993
"material over to the Consumer."
14997
#: serverguide/C/network-auth.xml:1532(para) serverguide/C/network-auth.xml:1689(para)
14996
#: serverguide/C/network-auth.xml:1539(para) serverguide/C/network-auth.xml:1696(para)
14998
14997
msgid "On the Provider,"
15001
#: serverguide/C/network-auth.xml:1536(para)
15000
#: serverguide/C/network-auth.xml:1543(para)
15003
15002
"Create a holding directory (which will be used for the eventual transfer) "
15004
15003
"and then the Consumer's private key:"
15007
#: serverguide/C/network-auth.xml:1541(command)
15006
#: serverguide/C/network-auth.xml:1548(command)
15008
15007
msgid "mkdir ldap02-ssl"
15011
#: serverguide/C/network-auth.xml:1542(command)
15010
#: serverguide/C/network-auth.xml:1549(command)
15012
15011
msgid "cd ldap02-ssl"
15015
#: serverguide/C/network-auth.xml:1543(command)
15014
#: serverguide/C/network-auth.xml:1550(command)
15017
15016
"sudo certtool --generate-privkey \\ --bits 1024 \\ --outfile "
15018
15017
"ldap02_slapd_key.pem"
15021
#: serverguide/C/network-auth.xml:1548(para)
15020
#: serverguide/C/network-auth.xml:1555(para)
15023
15022
"Create an info file, <filename>ldap02.info</filename>, for the Consumer "
15024
15023
"server, adjusting its values accordingly:"
15027
#: serverguide/C/network-auth.xml:1552(programlisting)
15026
#: serverguide/C/network-auth.xml:1559(programlisting)
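Review bot: The Consumer key command in this hunk repeats "--bits 1024", so the replication link gets the same undersized key as the Provider; use at least 2048 here as well. The steps also create the Consumer's private key on the Provider for later transfer. Consider having the source text generate the key on the Consumer and send only a certificate request to the CA host, so the private key never has to be copied between machines.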
15048
15047
"ldap02_slapd_cert.pem"
15051
#: serverguide/C/network-auth.xml:1574(para)
15050
#: serverguide/C/network-auth.xml:1581(para)
15052
15051
msgid "Get a copy of the CA certificate:"
15055
#: serverguide/C/network-auth.xml:1579(command)
15054
#: serverguide/C/network-auth.xml:1586(command)
15056
15055
msgid "cp /etc/ssl/certs/cacert.pem ."
15059
#: serverguide/C/network-auth.xml:1582(para)
15058
#: serverguide/C/network-auth.xml:1589(para)
15061
15060
"We're done. Now transfer the <filename>ldap02-ssl</filename> directory to "
15062
15061
"the Consumer. Here we use scp (adjust accordingly):"
15065
#: serverguide/C/network-auth.xml:1587(command)
15064
#: serverguide/C/network-auth.xml:1594(command)
15066
15065
msgid "cd .."
15069
#: serverguide/C/network-auth.xml:1588(command)
15068
#: serverguide/C/network-auth.xml:1595(command)
15070
15069
msgid "scp -r ldap02-ssl user@consumer:"
15073
#: serverguide/C/network-auth.xml:1594(para) serverguide/C/network-auth.xml:1642(para)
15072
#: serverguide/C/network-auth.xml:1601(para) serverguide/C/network-auth.xml:1649(para)
15074
15073
msgid "On the Consumer,"
15077
#: serverguide/C/network-auth.xml:1598(para)
15076
#: serverguide/C/network-auth.xml:1605(para)
15078
15077
msgid "Configure TLS authentication:"
15081
#: serverguide/C/network-auth.xml:1603(command)
15080
#: serverguide/C/network-auth.xml:1610(command)
15082
15081
msgid "sudo apt-get install ssl-cert"
15085
#: serverguide/C/network-auth.xml:1605(command)
15084
#: serverguide/C/network-auth.xml:1612(command)
15086
15085
msgid "sudo cp ldap02_slapd_cert.pem cacert.pem /etc/ssl/certs"
15089
#: serverguide/C/network-auth.xml:1606(command)
15088
#: serverguide/C/network-auth.xml:1613(command)
15090
15089
msgid "sudo cp ldap02_slapd_key.pem /etc/ssl/private"
15093
#: serverguide/C/network-auth.xml:1607(command)
15092
#: serverguide/C/network-auth.xml:1614(command)
15094
15093
msgid "sudo chgrp ssl-cert /etc/ssl/private/ldap02_slapd_key.pem"
15097
#: serverguide/C/network-auth.xml:1608(command)
15096
#: serverguide/C/network-auth.xml:1615(command)
15098
15097
msgid "sudo chmod g+r /etc/ssl/private/ldap02_slapd_key.pem"
15101
#: serverguide/C/network-auth.xml:1609(command)
15100
#: serverguide/C/network-auth.xml:1616(command)
15102
15101
msgid "sudo chmod o-r /etc/ssl/private/ldap02_slapd_key.pem"
15105
#: serverguide/C/network-auth.xml:1612(para)
15104
#: serverguide/C/network-auth.xml:1619(para)
15107
15106
"Create the file <filename>/etc/ssl/certinfo.ldif</filename> with the "
15108
15107
"following contents (adjust accordingly):"
15111
#: serverguide/C/network-auth.xml:1616(programlisting)
15110
#: serverguide/C/network-auth.xml:1623(programlisting)
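Review bot: The transfer steps in this hunk copy the Consumer's key rather than move it. "scp -r ldap02-ssl user@consumer:" leaves ldap02_slapd_key.pem in the holding directory on the Provider and in the user's home directory on the Consumer, and "sudo cp ldap02_slapd_key.pem /etc/ssl/private" does not remove either copy. Add a cleanup step to the source text that deletes the ldap02-ssl directory on both hosts once the files are installed under /etc/ssl.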
15223
15222
"assist you in the configuration step. Install this package now:"
15226
#: serverguide/C/network-auth.xml:1725(command)
15225
#: serverguide/C/network-auth.xml:1732(command)
15227
15226
msgid "sudo apt-get install libnss-ldap"
15230
#: serverguide/C/network-auth.xml:1728(para)
15229
#: serverguide/C/network-auth.xml:1735(para)
15232
15231
"You will be prompted for details of your LDAP server. If you make a mistake "
15233
15232
"you can try again using:"
15236
#: serverguide/C/network-auth.xml:1733(command)
15235
#: serverguide/C/network-auth.xml:1740(command)
15237
15236
msgid "sudo dpkg-reconfigure ldap-auth-config"
15240
#: serverguide/C/network-auth.xml:1736(para)
15239
#: serverguide/C/network-auth.xml:1743(para)
15242
15241
"The results of the dialog can be seen in "
15243
15242
"<filename>/etc/ldap.conf</filename>. If your server requires options not "
15244
15243
"covered in the menu edit this file accordingly."
15247
#: serverguide/C/network-auth.xml:1741(para)
15246
#: serverguide/C/network-auth.xml:1748(para)
15248
15247
msgid "Now configure the LDAP profile for NSS:"
15251
#: serverguide/C/network-auth.xml:1746(command)
15250
#: serverguide/C/network-auth.xml:1753(command)
15252
15251
msgid "sudo auth-client-config -t nss -p lac_ldap"
15255
#: serverguide/C/network-auth.xml:1749(para)
15254
#: serverguide/C/network-auth.xml:1756(para)
15256
15255
msgid "Configure the system to use LDAP for authentication:"
15259
#: serverguide/C/network-auth.xml:1754(command)
15258
#: serverguide/C/network-auth.xml:1761(command)
15260
15259
msgid "sudo pam-auth-update"
15263
#: serverguide/C/network-auth.xml:1757(para)
15262
#: serverguide/C/network-auth.xml:1764(para)
15265
15264
"From the menu, choose LDAP and any other authentication mechanisms you need."
15268
#: serverguide/C/network-auth.xml:1761(para)
15267
#: serverguide/C/network-auth.xml:1768(para)
15269
15268
msgid "You should now be able to log in using LDAP-based credentials."
15272
#: serverguide/C/network-auth.xml:1765(para)
15271
#: serverguide/C/network-auth.xml:1772(para)
15274
15273
"LDAP clients will need to refer to multiple servers if replication is in "
15275
15274
"use. In <filename>/etc/ldap.conf</filename> you would have something like:"
15278
#: serverguide/C/network-auth.xml:1770(programlisting)
15277
#: serverguide/C/network-auth.xml:1777(programlisting)
15282
15281
"uri ldap://ldap01.example.com ldap://ldap02.example.com\n"
15285
#: serverguide/C/network-auth.xml:1774(para)
15284
#: serverguide/C/network-auth.xml:1781(para)
15287
15286
"The request will time out and the Consumer (ldap02) will attempt to be "
15288
15287
"reached if the Provider (ldap01) becomes unresponsive."
15291
#: serverguide/C/network-auth.xml:1778(para)
15290
#: serverguide/C/network-auth.xml:1785(para)
15293
15292
"If you are going to use LDAP to store Samba users you will need to configure "
15294
15293
"the Samba server to authenticate using LDAP. See <xref linkend=\"samba-"
15295
15294
"ldap\"/> for details."
15298
#: serverguide/C/network-auth.xml:1784(para)
15297
#: serverguide/C/network-auth.xml:1791(para)
15300
15299
"An alternative to the <application>libnss-ldap</application> package is the "
15301
15300
"<application>libnss-ldapd</application> package. This, however, will bring "
15346
15345
"MIDSTART=10000\n"
15349
#: serverguide/C/network-auth.xml:1827(para)
15348
#: serverguide/C/network-auth.xml:1834(para)
15351
15350
"Now, create the <filename>ldapscripts.passwd</filename> file to allow rootDN "
15352
15351
"access to the directory:"
15355
#: serverguide/C/network-auth.xml:1832(command)
15354
#: serverguide/C/network-auth.xml:1839(command)
15357
15356
"sudo sh -c \"echo -n 'secret' > /etc/ldapscripts/ldapscripts.passwd\""
15360
#: serverguide/C/network-auth.xml:1833(command)
15359
#: serverguide/C/network-auth.xml:1840(command)
15361
15360
msgid "sudo chmod 400 /etc/ldapscripts/ldapscripts.passwd"
15364
#: serverguide/C/network-auth.xml:1837(para)
15363
#: serverguide/C/network-auth.xml:1844(para)
15366
15365
"Replace <quote>secret</quote> with the actual password for your database's "
15367
15366
"rootDN user."
15370
#: serverguide/C/network-auth.xml:1842(para)
15369
#: serverguide/C/network-auth.xml:1849(para)
15372
15371
"The scripts are now ready to help manage your directory. Here are some "
15373
15372
"examples of how to use them:"
15376
#: serverguide/C/network-auth.xml:1849(para)
15375
#: serverguide/C/network-auth.xml:1856(para)
15377
15376
msgid "Create a new user:"
15380
#: serverguide/C/network-auth.xml:1854(command)
15379
#: serverguide/C/network-auth.xml:1861(command)
15381
15380
msgid "sudo ldapadduser george example"
15384
#: serverguide/C/network-auth.xml:1857(para)
15383
#: serverguide/C/network-auth.xml:1864(para)
15386
15385
"This will create a user with uid <emphasis role=\"italic\">george</emphasis> "
15387
15386
"and set the user's primary group (gid) to <emphasis "
15388
15387
"role=\"italic\">example</emphasis>"
15391
#: serverguide/C/network-auth.xml:1864(para)
15390
#: serverguide/C/network-auth.xml:1871(para)
15392
15391
msgid "Change a user's password:"
15395
#: serverguide/C/network-auth.xml:1869(command)
15394
#: serverguide/C/network-auth.xml:1876(command)
15396
15395
msgid "sudo ldapsetpasswd george"
15399
#: serverguide/C/network-auth.xml:1870(computeroutput)
15398
#: serverguide/C/network-auth.xml:1877(computeroutput)
15401
15400
msgid "Changing password for user uid=george,ou=People,dc=example,dc=com"
15404
#: serverguide/C/network-auth.xml:1871(userinput)
15403
#: serverguide/C/network-auth.xml:1878(userinput)
15406
15405
msgid "New Password: "
15409
#: serverguide/C/network-auth.xml:1872(userinput)
15408
#: serverguide/C/network-auth.xml:1879(userinput)
15411
15410
msgid "New Password (verify): "
15414
#: serverguide/C/network-auth.xml:1878(para)
15413
#: serverguide/C/network-auth.xml:1885(para)
15415
15414
msgid "Delete a user:"
15418
#: serverguide/C/network-auth.xml:1883(command)
15417
#: serverguide/C/network-auth.xml:1890(command)
15419
15418
msgid "sudo ldapdeleteuser george"
15422
#: serverguide/C/network-auth.xml:1889(para)
15421
#: serverguide/C/network-auth.xml:1896(para)
15423
15422
msgid "Add a group:"
15426
#: serverguide/C/network-auth.xml:1894(command)
15425
#: serverguide/C/network-auth.xml:1901(command)
15427
15426
msgid "sudo ldapaddgroup qa"
15430
#: serverguide/C/network-auth.xml:1900(para)
15429
#: serverguide/C/network-auth.xml:1907(para)
15431
15430
msgid "Delete a group:"
15434
#: serverguide/C/network-auth.xml:1905(command)
15433
#: serverguide/C/network-auth.xml:1912(command)
15435
15434
msgid "sudo ldapdeletegroup qa"
15438
#: serverguide/C/network-auth.xml:1911(para)
15437
#: serverguide/C/network-auth.xml:1918(para)
15439
15438
msgid "Add a user to a group:"
15442
#: serverguide/C/network-auth.xml:1916(command)
15441
#: serverguide/C/network-auth.xml:1923(command)
15443
15442
msgid "sudo ldapaddusertogroup george qa"
15446
#: serverguide/C/network-auth.xml:1919(para)
15445
#: serverguide/C/network-auth.xml:1926(para)
15448
15447
"You should now see a <emphasis>memberUid</emphasis> attribute for the "
15449
15448
"<emphasis role=\"italic\">qa</emphasis> group with a value of <emphasis "
15450
15449
"role=\"italic\">george</emphasis>."
15453
#: serverguide/C/network-auth.xml:1926(para)
15452
#: serverguide/C/network-auth.xml:1933(para)
15454
15453
msgid "Remove a user from a group:"
15457
#: serverguide/C/network-auth.xml:1931(command)
15456
#: serverguide/C/network-auth.xml:1938(command)
15458
15457
msgid "sudo ldapdeleteuserfromgroup george qa"
15461
#: serverguide/C/network-auth.xml:1934(para)
15460
#: serverguide/C/network-auth.xml:1941(para)
15463
15462
"The <emphasis>memberUid</emphasis> attribute should now be removed from the "
15464
15463
"<emphasis role=\"italic\">qa</emphasis> group."
15467
#: serverguide/C/network-auth.xml:1941(para)
15466
#: serverguide/C/network-auth.xml:1948(para)
15469
15468
"The <application>ldapmodifyuser</application> script allows you to add, "
15470
15469
"remove, or replace a user's attributes. The script uses the same syntax as "
15471
15470
"the <application>ldapmodify</application> utility. For example:"
15474
#: serverguide/C/network-auth.xml:1947(command)
15473
#: serverguide/C/network-auth.xml:1954(command)
15475
15474
msgid "sudo ldapmodifyuser george"
15478
#: serverguide/C/network-auth.xml:1948(computeroutput)
15477
#: serverguide/C/network-auth.xml:1955(computeroutput)
15481
15480
"# About to modify the following entry :\n"
15564
15563
"title: Employee\n"
15567
#: serverguide/C/network-auth.xml:2016(para)
15566
#: serverguide/C/network-auth.xml:2023(para)
15569
15568
"Notice the <emphasis><ask></emphasis> option used for the "
15570
15569
"<emphasis>sn</emphasis> attribute. This will make "
15571
15570
"<application>ldapadduser</application> prompt you for its value."
15574
#: serverguide/C/network-auth.xml:2024(para)
15573
#: serverguide/C/network-auth.xml:2031(para)
15576
15575
"There are utilities in the package that were not covered here. Here is a "
15577
15576
"complete list:"
15580
#: serverguide/C/network-auth.xml:2029(ulink)
15579
#: serverguide/C/network-auth.xml:2036(ulink)
15581
15580
msgid "ldaprenamemachine"
15584
#: serverguide/C/network-auth.xml:2030(ulink)
15583
#: serverguide/C/network-auth.xml:2037(ulink)
15585
15584
msgid "ldapadduser"
15588
#: serverguide/C/network-auth.xml:2031(ulink)
15587
#: serverguide/C/network-auth.xml:2038(ulink)
15589
15588
msgid "ldapdeleteuserfromgroup"
15592
#: serverguide/C/network-auth.xml:2032(ulink)
15591
#: serverguide/C/network-auth.xml:2039(ulink)
15593
15592
msgid "ldapfinger"
15596
#: serverguide/C/network-auth.xml:2033(ulink)
15595
#: serverguide/C/network-auth.xml:2040(ulink)
15597
15596
msgid "ldapid"
15600
#: serverguide/C/network-auth.xml:2034(ulink)
15599
#: serverguide/C/network-auth.xml:2041(ulink)
15601
15600
msgid "ldapgid"
15604
#: serverguide/C/network-auth.xml:2035(ulink)
15603
#: serverguide/C/network-auth.xml:2042(ulink)
15605
15604
msgid "ldapmodifyuser"
15608
#: serverguide/C/network-auth.xml:2036(ulink)
15607
#: serverguide/C/network-auth.xml:2043(ulink)
15609
15608
msgid "ldaprenameuser"
15612
#: serverguide/C/network-auth.xml:2037(ulink)
15611
#: serverguide/C/network-auth.xml:2044(ulink)
15613
15612
msgid "lsldap"
15616
#: serverguide/C/network-auth.xml:2038(ulink)
15615
#: serverguide/C/network-auth.xml:2045(ulink)
15617
15616
msgid "ldapaddusertogroup"
15620
#: serverguide/C/network-auth.xml:2039(ulink)
15619
#: serverguide/C/network-auth.xml:2046(ulink)
15621
15620
msgid "ldapsetpasswd"
15624
#: serverguide/C/network-auth.xml:2040(ulink)
15623
#: serverguide/C/network-auth.xml:2047(ulink)
15625
15624
msgid "ldapinit"
15628
#: serverguide/C/network-auth.xml:2041(ulink)
15627
#: serverguide/C/network-auth.xml:2048(ulink)
15629
15628
msgid "ldapaddgroup"
15632
#: serverguide/C/network-auth.xml:2042(ulink)
15631
#: serverguide/C/network-auth.xml:2049(ulink)
15633
15632
msgid "ldapdeletegroup"
15636
#: serverguide/C/network-auth.xml:2043(ulink)
15635
#: serverguide/C/network-auth.xml:2050(ulink)
15637
15636
msgid "ldapmodifygroup"
15640
#: serverguide/C/network-auth.xml:2044(ulink)
15639
#: serverguide/C/network-auth.xml:2051(ulink)
15641
15640
msgid "ldapdeletemachine"
15644
#: serverguide/C/network-auth.xml:2045(ulink)
15643
#: serverguide/C/network-auth.xml:2052(ulink)
15645
15644
msgid "ldaprenamegroup"
15648
#: serverguide/C/network-auth.xml:2046(ulink)
15647
#: serverguide/C/network-auth.xml:2053(ulink)
15649
15648
msgid "ldapaddmachine"
15652
#: serverguide/C/network-auth.xml:2047(ulink)
15651
#: serverguide/C/network-auth.xml:2054(ulink)
15653
15652
msgid "ldapmodifymachine"
15656
#: serverguide/C/network-auth.xml:2048(ulink)
15655
#: serverguide/C/network-auth.xml:2055(ulink)
15657
15656
msgid "ldapsetprimarygroup"
15660
#: serverguide/C/network-auth.xml:2049(ulink)
15659
#: serverguide/C/network-auth.xml:2056(ulink)
15661
15660
msgid "ldapdeleteuser"
15664
#: serverguide/C/network-auth.xml:2055(title)
15663
#: serverguide/C/network-auth.xml:2062(title)
15665
15664
msgid "Backup and Restore"
15668
#: serverguide/C/network-auth.xml:2057(para)
15667
#: serverguide/C/network-auth.xml:2064(para)
15670
15669
"Now we have ldap running just the way we want, it is time to ensure we can "
15671
15670
"save all of our work and restore it as needed."
15674
#: serverguide/C/network-auth.xml:2062(para)
15673
#: serverguide/C/network-auth.xml:2069(para)
15676
15675
"What we need is a way to backup the ldap database(s), specifically the "
15677
15676
"backend (cn=config) and frontend (dc=example,dc=com). If we are going to "
15722
15721
"45 22 * * * root /usr/local/bin/ldapbackup\n"
15725
#: serverguide/C/network-auth.xml:2109(para)
15724
#: serverguide/C/network-auth.xml:2116(para)
15726
15725
msgid "Now the files are created, they should be copied to a backup server."
15729
#: serverguide/C/network-auth.xml:2114(para)
15728
#: serverguide/C/network-auth.xml:2121(para)
15731
15730
"Assuming we did a fresh reinstall of ldap, the restore process could be "
15732
15731
"something like this:"
15735
#: serverguide/C/network-auth.xml:2120(command)
15734
#: serverguide/C/network-auth.xml:2127(command)
15736
15735
msgid "sudo service slapd stop"
15739
#: serverguide/C/network-auth.xml:2121(command)
15738
#: serverguide/C/network-auth.xml:2128(command)
15740
15739
msgid "sudo mkdir /var/lib/ldap/accesslog"
15743
#: serverguide/C/network-auth.xml:2122(command)
15742
#: serverguide/C/network-auth.xml:2129(command)
15744
15743
msgid "sudo slapadd -F /etc/ldap/slapd.d -n 0 -l /export/backup/config.ldif"
15747
#: serverguide/C/network-auth.xml:2123(command)
15746
#: serverguide/C/network-auth.xml:2130(command)
15749
15748
"sudo slapadd -F /etc/ldap/slapd.d -n 1 -l /export/backup/domain.com.ldif"
15752
#: serverguide/C/network-auth.xml:2124(command)
15751
#: serverguide/C/network-auth.xml:2131(command)
15753
15752
msgid "sudo slapadd -F /etc/ldap/slapd.d -n 2 -l /export/backup/access.ldif"
15756
#: serverguide/C/network-auth.xml:2125(command)
15755
#: serverguide/C/network-auth.xml:2132(command)
15757
15756
msgid "sudo chown -R openldap:openldap /etc/ldap/slapd.d/"
15760
#: serverguide/C/network-auth.xml:2126(command)
15759
#: serverguide/C/network-auth.xml:2133(command)
15761
15760
msgid "sudo chown -R openldap:openldap /var/lib/ldap/"
15764
#: serverguide/C/network-auth.xml:2127(command)
15763
#: serverguide/C/network-auth.xml:2134(command)
15765
15764
msgid "sudo service slapd start"
15768
#: serverguide/C/network-auth.xml:2138(para)
15767
#: serverguide/C/network-auth.xml:2145(para)
15770
15769
"The primary resource is the upstream documentation: <ulink "
15771
15770
"url=\"http://www.openldap.org/\">www.openldap.org</ulink>"
15774
#: serverguide/C/network-auth.xml:2144(para)
15773
#: serverguide/C/network-auth.xml:2151(para)
15776
15775
"There are many man pages that come with the slapd package. Here are some "
15777
15776
"important ones, especially considering the material presented in this guide:"
15780
#: serverguide/C/network-auth.xml:2150(ulink)
15779
#: serverguide/C/network-auth.xml:2157(ulink)
15781
15780
msgid "slapd"
15784
#: serverguide/C/network-auth.xml:2151(ulink)
15783
#: serverguide/C/network-auth.xml:2158(ulink)
15785
15784
msgid "slapd-config"
15788
#: serverguide/C/network-auth.xml:2152(ulink)
15787
#: serverguide/C/network-auth.xml:2159(ulink)
15789
15788
msgid "slapd.access"
15792
#: serverguide/C/network-auth.xml:2153(ulink)
15791
#: serverguide/C/network-auth.xml:2160(ulink)
15793
15792
msgid "slapo-syncprov"
15796
#: serverguide/C/network-auth.xml:2159(para)
15795
#: serverguide/C/network-auth.xml:2166(para)
15797
15796
msgid "Other man pages:"
15800
#: serverguide/C/network-auth.xml:2164(ulink)
15799
#: serverguide/C/network-auth.xml:2171(ulink)
15801
15800
msgid "auth-client-config"
15804
#: serverguide/C/network-auth.xml:2165(ulink)
15803
#: serverguide/C/network-auth.xml:2172(ulink)
15805
15804
msgid "pam-auth-update"
15808
#: serverguide/C/network-auth.xml:2171(para)
15807
#: serverguide/C/network-auth.xml:2178(para)
15810
15809
"Zytrax's <ulink url=\"http://www.zytrax.com/books/ldap/\">LDAP for Rocket "
15811
15810
"Scientists</ulink>; a less pedantic but comprehensive treatment of LDAP"
15814
#: serverguide/C/network-auth.xml:2177(para)
15813
#: serverguide/C/network-auth.xml:2184(para)
15816
15815
"A Ubuntu community <ulink "
15817
15816
"url=\"https://help.ubuntu.com/community/OpenLDAPServer\">OpenLDAP "
15818
15817
"wiki</ulink> page has a collection of notes"
15821
#: serverguide/C/network-auth.xml:2183(para)
15820
#: serverguide/C/network-auth.xml:2190(para)
15823
15822
"O'Reilly's <ulink url=\"http://www.oreilly.com/catalog/ldapsa/\">LDAP System "
15824
15823
"Administration</ulink> (textbook; 2003)"
15827
#: serverguide/C/network-auth.xml:2189(para)
15826
#: serverguide/C/network-auth.xml:2196(para)
15829
15828
"Packt's <ulink url=\"http://www.packtpub.com/OpenLDAP-Developers-Server-Open-"
15830
15829
"Source-Linux/book\">Mastering OpenLDAP</ulink> (textbook; 2007)"
15833
#: serverguide/C/network-auth.xml:2200(title)
15832
#: serverguide/C/network-auth.xml:2207(title)
15834
15833
msgid "Samba and LDAP"
15837
#: serverguide/C/network-auth.xml:2202(para)
15836
#: serverguide/C/network-auth.xml:2209(para)
15839
15838
"This section covers the integration of Samba with LDAP. The Samba server's "
15840
15839
"role will be that of a \"standalone\" server and the LDAP directory will "
15866
15865
"install it."
15869
#: serverguide/C/network-auth.xml:2223(para)
15868
#: serverguide/C/network-auth.xml:2230(para)
15870
15869
msgid "Install these packages now:"
15873
#: serverguide/C/network-auth.xml:2228(command)
15872
#: serverguide/C/network-auth.xml:2235(command)
15874
15873
msgid "sudo apt-get install samba samba-doc smbldap-tools"
15877
#: serverguide/C/network-auth.xml:2234(title)
15876
#: serverguide/C/network-auth.xml:2241(title)
15878
15877
msgid "LDAP Configuration"
15881
#: serverguide/C/network-auth.xml:2236(para)
15880
#: serverguide/C/network-auth.xml:2243(para)
15883
15882
"We will now configure the LDAP server so that it can accomodate Samba data. "
15884
15883
"We will perform three tasks in this section:"
15887
#: serverguide/C/network-auth.xml:2243(para)
15886
#: serverguide/C/network-auth.xml:2250(para)
15888
15887
msgid "Import a schema"
15891
#: serverguide/C/network-auth.xml:2247(para)
15890
#: serverguide/C/network-auth.xml:2254(para)
15892
15891
msgid "Index some entries"
15895
#: serverguide/C/network-auth.xml:2251(para)
15894
#: serverguide/C/network-auth.xml:2258(para)
15896
15895
msgid "Add objects"
15899
#: serverguide/C/network-auth.xml:2257(title)
15898
#: serverguide/C/network-auth.xml:2264(title)
15900
15899
msgid "Samba schema"
15903
#: serverguide/C/network-auth.xml:2259(para)
15902
#: serverguide/C/network-auth.xml:2266(para)
15905
15904
"In order for OpenLDAP to be used as a backend for Samba, logically, the DIT "
15906
15905
"will need to use attributes that can properly describe Samba data. Such "
15911
#: serverguide/C/network-auth.xml:2265(para)
15910
#: serverguide/C/network-auth.xml:2272(para)
15913
15912
"For more information on schemas and their installation see <xref "
15914
15913
"linkend=\"openldap-configuration\"/>."
15917
#: serverguide/C/network-auth.xml:2273(para)
15916
#: serverguide/C/network-auth.xml:2280(para)
15919
15918
"The schema is found in the now-installed <application>samba-"
15920
15919
"doc</application> package. It needs to be unzipped and copied to the "
15921
15920
"<filename>/etc/ldap/schema</filename> directory:"
15924
#: serverguide/C/network-auth.xml:2279(command)
15923
#: serverguide/C/network-auth.xml:2286(command)
15926
15925
"sudo cp /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz "
15927
15926
"/etc/ldap/schema"
15930
#: serverguide/C/network-auth.xml:2280(command)
15929
#: serverguide/C/network-auth.xml:2287(command)
15931
15930
msgid "sudo gzip -d /etc/ldap/schema/samba.schema.gz"
15934
#: serverguide/C/network-auth.xml:2286(para)
15933
#: serverguide/C/network-auth.xml:2293(para)
15936
15935
"Have the configuration file <filename>schema_convert.conf</filename> that "
15937
15936
"contains the following lines:"
15940
#: serverguide/C/network-auth.xml:2290(programlisting)
15939
#: serverguide/C/network-auth.xml:2297(programlisting)
15958
15957
"include /etc/ldap/schema/samba.schema\n"
15961
#: serverguide/C/network-auth.xml:2311(para)
15960
#: serverguide/C/network-auth.xml:2318(para)
15962
15961
msgid "Have the directory <filename>ldif_output</filename> hold output."
15965
#: serverguide/C/network-auth.xml:2322(command)
15964
#: serverguide/C/network-auth.xml:2329(command)
15967
15966
"slapcat -f schema_convert.conf -F ldif_output -n 0 | grep samba,cn=schema"
15970
#: serverguide/C/network-auth.xml:2323(computeroutput)
15969
#: serverguide/C/network-auth.xml:2330(computeroutput)
15974
15973
"dn: cn={14}samba,cn=schema,cn=config\n"
15977
#: serverguide/C/network-auth.xml:2331(para)
15976
#: serverguide/C/network-auth.xml:2338(para)
15978
15977
msgid "Convert the schema to LDIF format:"
15981
#: serverguide/C/network-auth.xml:2336(command)
15980
#: serverguide/C/network-auth.xml:2343(command)
15983
15982
"slapcat -f schema_convert.conf -F ldif_output -n0 -H \\ "
15984
15983
"ldap:///cn={14}samba,cn=schema,cn=config -l cn=samba.ldif"
15987
#: serverguide/C/network-auth.xml:2343(para)
15986
#: serverguide/C/network-auth.xml:2350(para)
15989
15988
"Edit the generated <filename>cn=samba.ldif</filename> file by removing index "
15990
15989
"information to arrive at:"
15993
#: serverguide/C/network-auth.xml:2347(programlisting)
15992
#: serverguide/C/network-auth.xml:2354(programlisting)
16016
16015
"modifyTimestamp: 20080827045234Z\n"
16019
#: serverguide/C/network-auth.xml:2373(para)
16018
#: serverguide/C/network-auth.xml:2380(para)
16020
16019
msgid "Add the new schema:"
16023
#: serverguide/C/network-auth.xml:2378(command)
16022
#: serverguide/C/network-auth.xml:2385(command)
16024
16023
msgid "sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f cn\\=samba.ldif"
16027
#: serverguide/C/network-auth.xml:2381(para)
16026
#: serverguide/C/network-auth.xml:2388(para)
16028
16027
msgid "To query and view this new schema:"
16031
#: serverguide/C/network-auth.xml:2386(command)
16030
#: serverguide/C/network-auth.xml:2393(command)
16033
16032
"sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config "
16034
16033
"'cn=*samba*'"
16037
#: serverguide/C/network-auth.xml:2396(title)
16036
#: serverguide/C/network-auth.xml:2403(title)
16038
16037
msgid "Samba indices"
16041
#: serverguide/C/network-auth.xml:2398(para)
16040
#: serverguide/C/network-auth.xml:2405(para)
16043
16042
"Now that slapd knows about the Samba attributes, we can set up some indices "
16044
16043
"based on them. Indexing entries is a way to improve performance when a "
16045
16044
"client performs a filtered search on the DIT."
16048
#: serverguide/C/network-auth.xml:2403(para)
16047
#: serverguide/C/network-auth.xml:2410(para)
16050
16049
"Create the file <filename>samba_indices.ldif</filename> with the following "
16054
#: serverguide/C/network-auth.xml:2407(programlisting)
16053
#: serverguide/C/network-auth.xml:2414(programlisting)
16072
16071
"olcDbIndex: default sub\n"
16075
#: serverguide/C/network-auth.xml:2425(para)
16074
#: serverguide/C/network-auth.xml:2432(para)
16077
16076
"Using the <application>ldapmodify</application> utility load the new indices:"
16080
#: serverguide/C/network-auth.xml:2430(command)
16079
#: serverguide/C/network-auth.xml:2437(command)
16081
16080
msgid "sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f samba_indices.ldif"
16084
#: serverguide/C/network-auth.xml:2433(para)
16083
#: serverguide/C/network-auth.xml:2440(para)
16086
16085
"If all went well you should see the new indices using "
16087
16086
"<application>ldapsearch</application>:"
16090
#: serverguide/C/network-auth.xml:2438(command)
16089
#: serverguide/C/network-auth.xml:2445(command)
16092
16091
"sudo ldapsearch -Q -LLL -Y EXTERNAL -H \\ ldapi:/// -b cn=config "
16093
16092
"olcDatabase={1}hdb olcDbIndex"
16096
#: serverguide/C/network-auth.xml:2445(title)
16095
#: serverguide/C/network-auth.xml:2452(title)
16097
16096
msgid "Adding Samba LDAP objects"
16100
#: serverguide/C/network-auth.xml:2452(para)
16099
#: serverguide/C/network-auth.xml:2454(para)
16102
16101
"Next, configure the <application>smbldap-tools</application> package to "
16103
16102
"match your environment. The package is supposed to come with a configuration "
16108
16107
"smbldap-tools')."
16111
#: serverguide/C/network-auth.xml:2459(para)
16110
#: serverguide/C/network-auth.xml:2461(para)
16113
16112
"To manually configure the package, you need to create and edit the files "
16114
16113
"<filename>/etc/smbldap-tools/smbldap.conf</filename> and "
16115
16114
"<filename>/etc/smbldap-tools/smbldap_bind.conf</filename>."
16118
#: serverguide/C/network-auth.xml:2464(para)
16117
#: serverguide/C/network-auth.xml:2466(para)
16120
16119
"The <application>smbldap-populate</application> script will then add the "
16121
16120
"LDAP objects required for Samba. It is a good idea to first make a backup of "
16122
16121
"your DIT using <application>slapcat</application>:"
16125
#: serverguide/C/network-auth.xml:2473(command)
16124
#: serverguide/C/network-auth.xml:2472(command)
16126
16125
msgid "sudo slapcat -l backup.ldif"
16129
#: serverguide/C/network-auth.xml:2476(para)
16128
#: serverguide/C/network-auth.xml:2475(para)
16130
16129
msgid "Once you have a backup proceed to populate your directory:"
16133
#: serverguide/C/network-auth.xml:2481(command)
16132
#: serverguide/C/network-auth.xml:2480(command)
16134
16133
msgid "sudo smbldap-populate"
16137
#: serverguide/C/network-auth.xml:2484(para)
16136
#: serverguide/C/network-auth.xml:2483(para)
16139
16138
"You can create a LDIF file containing the new Samba objects by executing "
16140
16139
"<command>sudo smbldap-populate -e samba.ldif</command>. This allows you to "
16210
16209
"<application>libnss-ldap</application>):"
16213
#: serverguide/C/network-auth.xml:2553(command)
16212
#: serverguide/C/network-auth.xml:2552(command)
16214
16213
msgid "sudo smbpasswd -a username"
16217
#: serverguide/C/network-auth.xml:2556(para)
16216
#: serverguide/C/network-auth.xml:2555(para)
16219
16218
"You will prompted to enter a password. It will be considered as the new "
16220
16219
"password for that user. Making it the same as before is reasonable."
16223
#: serverguide/C/network-auth.xml:2560(para)
16222
#: serverguide/C/network-auth.xml:2559(para)
16225
16224
"To manage user, group, and machine accounts use the utilities provided by "
16226
16225
"the <application>smbldap-tools</application> package. Here are some examples:"
16229
#: serverguide/C/network-auth.xml:2568(para)
16228
#: serverguide/C/network-auth.xml:2567(para)
16230
16229
msgid "To add a new user:"
16233
#: serverguide/C/network-auth.xml:2573(command)
16232
#: serverguide/C/network-auth.xml:2572(command)
16234
16233
msgid "sudo smbldap-useradd -a -P username"
16237
#: serverguide/C/network-auth.xml:2576(para)
16236
#: serverguide/C/network-auth.xml:2575(para)
16239
16238
"The <emphasis>-a</emphasis> option adds the Samba attributes, and the "
16240
16239
"<emphasis>-P</emphasis> option calls the <application>smbldap-"
16242
16241
"a password for the user."
16245
#: serverguide/C/network-auth.xml:2583(para)
16244
#: serverguide/C/network-auth.xml:2582(para)
16246
16245
msgid "To remove a user:"
16249
#: serverguide/C/network-auth.xml:2588(command)
16248
#: serverguide/C/network-auth.xml:2587(command)
16250
16249
msgid "sudo smbldap-userdel username"
16253
#: serverguide/C/network-auth.xml:2591(para)
16252
#: serverguide/C/network-auth.xml:2590(para)
16255
16254
"In the above command, use the <emphasis>-r</emphasis> option to remove the "
16256
16255
"user's home directory."
16259
#: serverguide/C/network-auth.xml:2597(para)
16258
#: serverguide/C/network-auth.xml:2596(para)
16260
16259
msgid "To add a group:"
16263
#: serverguide/C/network-auth.xml:2602(command)
16262
#: serverguide/C/network-auth.xml:2601(command)
16264
16263
msgid "sudo smbldap-groupadd -a groupname"
16267
#: serverguide/C/network-auth.xml:2605(para)
16266
#: serverguide/C/network-auth.xml:2604(para)
16269
16268
"As for <application>smbldap-useradd</application>, the <emphasis>-"
16270
16269
"a</emphasis> adds the Samba attributes."
16273
#: serverguide/C/network-auth.xml:2611(para)
16272
#: serverguide/C/network-auth.xml:2610(para)
16274
16273
msgid "To make an existing user a member of a group:"
16277
#: serverguide/C/network-auth.xml:2616(command)
16276
#: serverguide/C/network-auth.xml:2615(command)
16278
16277
msgid "sudo smbldap-groupmod -m username groupname"
16281
#: serverguide/C/network-auth.xml:2619(para)
16280
#: serverguide/C/network-auth.xml:2618(para)
16283
16282
"The <emphasis>-m</emphasis> option can add more than one user at a time by "
16284
16283
"listing them in comma-separated format."
16287
#: serverguide/C/network-auth.xml:2625(para)
16286
#: serverguide/C/network-auth.xml:2624(para)
16288
16287
msgid "To remove a user from a group:"
16291
#: serverguide/C/network-auth.xml:2630(command)
16290
#: serverguide/C/network-auth.xml:2629(command)
16292
16291
msgid "sudo smbldap-groupmod -x username groupname"
16295
#: serverguide/C/network-auth.xml:2636(para)
16294
#: serverguide/C/network-auth.xml:2635(para)
16296
16295
msgid "To add a Samba machine account:"
16299
#: serverguide/C/network-auth.xml:2641(command)
16298
#: serverguide/C/network-auth.xml:2640(command)
16300
16299
msgid "sudo smbldap-useradd -t 0 -w username"
16303
#: serverguide/C/network-auth.xml:2644(para)
16302
#: serverguide/C/network-auth.xml:2643(para)
16305
16304
"Replace <emphasis>username</emphasis> with the name of the workstation. The "
16306
16305
"<emphasis>-t 0</emphasis> option creates the machine account without a "
16310
16309
"<application>smbldap-useradd</application>."
16313
#: serverguide/C/network-auth.xml:2653(para)
16312
#: serverguide/C/network-auth.xml:2652(para)
16315
16314
"There are utilities in the <application>smbldap-tools</application> package "
16316
16315
"that were not covered here. Here is a complete list:"
16318
#: serverguide/C/network-auth.xml:2657(ulink)
16319
msgid "smbldap-groupadd"
16319
16322
#: serverguide/C/network-auth.xml:2658(ulink)
16320
msgid "smbldap-groupadd"
16323
msgid "smbldap-groupdel"
16323
16326
#: serverguide/C/network-auth.xml:2659(ulink)
16324
msgid "smbldap-groupdel"
16327
msgid "smbldap-groupmod"
16327
16330
#: serverguide/C/network-auth.xml:2660(ulink)
16328
msgid "smbldap-groupmod"
16331
msgid "smbldap-groupshow"
16331
16334
#: serverguide/C/network-auth.xml:2661(ulink)
16332
msgid "smbldap-groupshow"
16335
msgid "smbldap-passwd"
16335
16338
#: serverguide/C/network-auth.xml:2662(ulink)
16336
msgid "smbldap-passwd"
16339
msgid "smbldap-populate"
16339
16342
#: serverguide/C/network-auth.xml:2663(ulink)
16340
msgid "smbldap-populate"
16343
msgid "smbldap-useradd"
16343
16346
#: serverguide/C/network-auth.xml:2664(ulink)
16344
msgid "smbldap-useradd"
16347
msgid "smbldap-userdel"
16347
16350
#: serverguide/C/network-auth.xml:2665(ulink)
16348
msgid "smbldap-userdel"
16351
msgid "smbldap-userinfo"
16351
16354
#: serverguide/C/network-auth.xml:2666(ulink)
16352
msgid "smbldap-userinfo"
16355
msgid "smbldap-userlist"
16355
16358
#: serverguide/C/network-auth.xml:2667(ulink)
16356
msgid "smbldap-userlist"
16359
msgid "smbldap-usermod"
16359
16362
#: serverguide/C/network-auth.xml:2668(ulink)
16360
msgid "smbldap-usermod"
16363
#: serverguide/C/network-auth.xml:2669(ulink)
16364
16363
msgid "smbldap-usershow"
16367
#: serverguide/C/network-auth.xml:2677(para)
16366
#: serverguide/C/network-auth.xml:2679(para)
16369
16368
"For more information on installing and configuring Samba see <xref "
16370
16369
"linkend=\"samba\"/> of this Ubuntu Server Guide."
16373
#: serverguide/C/network-auth.xml:2686(para)
16372
#: serverguide/C/network-auth.xml:2685(para)
16375
16374
"There are multiple places where LDAP and Samba is documented in the upstream "
16376
16375
"<ulink url=\"http://samba.org/samba/docs/man/Samba-HOWTO-Collection/\">Samba "
16377
16376
"HOWTO Collection</ulink>."
16380
#: serverguide/C/network-auth.xml:2693(para)
16379
#: serverguide/C/network-auth.xml:2692(para)
16382
16381
"Regarding the above, see specifically the <ulink "
16383
16382
"url=\"http://samba.org/samba/docs/man/Samba-HOWTO-"
16384
16383
"Collection/passdb.html\">passdb section</ulink>."
16387
#: serverguide/C/network-auth.xml:2699(para)
16386
#: serverguide/C/network-auth.xml:2698(para)
16389
16388
"Although dated (2007), the <ulink url=\"http://download.gna.org/smbldap-"
16390
16389
"tools/docs/samba-ldap-howto/\">Linux Samba-OpenLDAP HOWTO</ulink> contains "
16391
16390
"valuable notes."
16394
#: serverguide/C/network-auth.xml:2705(para)
16393
#: serverguide/C/network-auth.xml:2704(para)
16396
16395
"The main page of the <ulink "
16397
16396
"url=\"https://help.ubuntu.com/community/Samba#samba-ldap\">Samba Ubuntu "
16412
16411
"network environment one step closer to being Single Sign On (SSO)."
16415
#: serverguide/C/network-auth.xml:2726(para)
16414
#: serverguide/C/network-auth.xml:2725(para)
16417
16416
"This section covers installation and configuration of a Kerberos server, and "
16418
16417
"some example client configurations."
16421
#: serverguide/C/virtualization.xml:1099(title) serverguide/C/virtualization.xml:2132(title) serverguide/C/network-auth.xml:2731(title) serverguide/C/monitoring.xml:13(title) serverguide/C/lamp-applications.xml:15(title) serverguide/C/installation.xml:903(title) serverguide/C/dns.xml:62(title) serverguide/C/dm-multipath.xml:135(title) serverguide/C/chat.xml:15(title) serverguide/C/backups.xml:545(title)
16420
#: serverguide/C/network-auth.xml:2730(title) serverguide/C/monitoring.xml:13(title) serverguide/C/lamp-applications.xml:15(title) serverguide/C/installation.xml:910(title) serverguide/C/dns.xml:62(title) serverguide/C/dm-multipath.xml:135(title) serverguide/C/chat.xml:15(title) serverguide/C/cgroups.xml:38(title) serverguide/C/backups.xml:551(title)
16422
16421
msgid "Overview"
16425
#: serverguide/C/network-auth.xml:2733(para)
16424
#: serverguide/C/network-auth.xml:2732(para)
16427
16426
"If you are new to Kerberos there are a few terms that are good to understand "
16428
16427
"before setting up a Kerberos server. Most of the terms will relate to things "
16429
16428
"you may be familiar with in other environments:"
16432
#: serverguide/C/network-auth.xml:2740(para)
16431
#: serverguide/C/network-auth.xml:2739(para)
16434
16433
"<emphasis>Principal:</emphasis> any users, computers, and services provided "
16435
16434
"by servers need to be defined as Kerberos Principals."
16438
#: serverguide/C/network-auth.xml:2745(para)
16437
#: serverguide/C/network-auth.xml:2744(para)
16440
16439
"<emphasis>Instances:</emphasis> are used for service principals and special "
16441
16440
"administrative principals."
16444
#: serverguide/C/network-auth.xml:2750(para)
16443
#: serverguide/C/network-auth.xml:2749(para)
16446
16445
"<emphasis>Realms:</emphasis> the unique realm of control provided by the "
16447
16446
"Kerberos installation. Think of it as the domain or group your hosts and "
16496
16495
"entering another username and password."
16499
#: serverguide/C/network-auth.xml:2798(title)
16498
#: serverguide/C/network-auth.xml:2797(title)
16500
16499
msgid "Kerberos Server"
16503
#: serverguide/C/network-auth.xml:2802(para)
16502
#: serverguide/C/network-auth.xml:2801(para)
16505
16504
"For this discussion, we will create a MIT Kerberos domain with the following "
16506
16505
"features (edit them to fit your needs):"
16509
#: serverguide/C/network-auth.xml:2809(para)
16508
#: serverguide/C/network-auth.xml:2808(para)
16510
16509
msgid "<emphasis>Realm:</emphasis> EXAMPLE.COM"
16513
#: serverguide/C/network-auth.xml:2814(para)
16512
#: serverguide/C/network-auth.xml:2813(para)
16514
16513
msgid "<emphasis>Primary KDC:</emphasis> kdc01.example.com (192.168.0.1)"
16517
#: serverguide/C/network-auth.xml:2819(para)
16516
#: serverguide/C/network-auth.xml:2818(para)
16518
16517
msgid "<emphasis>Secondary KDC:</emphasis> kdc02.example.com (192.168.0.2)"
16521
#: serverguide/C/network-auth.xml:2824(para)
16520
#: serverguide/C/network-auth.xml:2823(para)
16522
16521
msgid "<emphasis>User principal:</emphasis> steve"
16525
#: serverguide/C/network-auth.xml:2829(para)
16524
#: serverguide/C/network-auth.xml:2828(para)
16526
16525
msgid "<emphasis>Admin principal:</emphasis> steve/admin"
16529
#: serverguide/C/network-auth.xml:2836(para)
16528
#: serverguide/C/network-auth.xml:2835(para)
16531
16530
"It is <emphasis>strongly</emphasis> recommended that your network-"
16532
16531
"authenticated users have their uid in a different range (say, starting at "
16533
16532
"5000) than that of your local users."
16536
#: serverguide/C/network-auth.xml:2842(para)
16535
#: serverguide/C/network-auth.xml:2841(para)
16538
16537
"Before installing the Kerberos server a properly configured DNS server is "
16539
16538
"needed for your domain. Since the Kerberos Realm by convention matches the "
16552
16551
"setting up NTP see <xref linkend=\"NTP\"/>."
16555
#: serverguide/C/network-auth.xml:2856(para)
16554
#: serverguide/C/network-auth.xml:2855(para)
16557
16556
"The first step in creating a Kerberos Realm is to install the "
16558
16557
"<application>krb5-kdc</application> and <application>krb5-admin-"
16559
16558
"server</application> packages. From a terminal enter:"
16562
#: serverguide/C/network-auth.xml:2862(command) serverguide/C/network-auth.xml:3069(command)
16561
#: serverguide/C/network-auth.xml:2861(command) serverguide/C/network-auth.xml:3068(command)
16563
16562
msgid "sudo apt-get install krb5-kdc krb5-admin-server"
16566
#: serverguide/C/network-auth.xml:2865(para)
16565
#: serverguide/C/network-auth.xml:2864(para)
16568
16567
"You will be asked at the end of the install to supply the hostname for the "
16569
16568
"Kerberos and Admin servers, which may or may not be the same server, for the "
16573
#: serverguide/C/network-auth.xml:2872(para)
16572
#: serverguide/C/network-auth.xml:2871(para)
16574
16573
msgid "By default the realm is created from the KDC's domain name."
16577
#: serverguide/C/network-auth.xml:2877(para)
16576
#: serverguide/C/network-auth.xml:2876(para)
16579
16578
"Next, create the new realm with the <application>kdb5_newrealm</application> "
16583
#: serverguide/C/network-auth.xml:2882(command)
16582
#: serverguide/C/network-auth.xml:2881(command)
16584
16583
msgid "sudo krb5_newrealm"
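Review bot: The utility name is inconsistent between the paragraph at network-auth.xml:2876, which reads <application>kdb5_newrealm</application>, and the command it introduces, "sudo krb5_newrealm". The command string is the one a reader types, so the paragraph in the XML source should be changed to krb5_newrealm before this template goes to translators. Otherwise every translation inherits a name that does not match the command.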
16587
#: serverguide/C/network-auth.xml:2889(para)
16586
#: serverguide/C/network-auth.xml:2888(para)
16589
16588
"The questions asked during installation are used to configure the "
16590
16589
"<filename>/etc/krb5.conf</filename> file. If you need to adjust the Key "
16679
16678
"<emphasis>kadm5.acl</emphasis> man page for details."
16682
#: serverguide/C/network-auth.xml:2959(para)
16681
#: serverguide/C/network-auth.xml:2958(para)
16684
16683
"Now restart the <application>krb5-admin-server</application> for the new ACL "
16685
16684
"to take affect:"
16688
#: serverguide/C/network-auth.xml:2961(command)
16687
#: serverguide/C/network-auth.xml:2963(command)
16689
16688
msgid "sudo service krb5-admin-server restart"
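Review bot: Wording error in the paragraph at network-auth.xml:2958 that introduces this restart command: "for the new ACL to take affect" should read "take effect". Since the string is a msgid, fix it in the XML source and regenerate the template rather than editing the template by hand.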
16692
#: serverguide/C/network-auth.xml:2970(para)
16691
#: serverguide/C/network-auth.xml:2969(para)
16694
16693
"The new user principal can be tested using the <application>kinit "
16695
16694
"utility</application>:"
16698
#: serverguide/C/network-auth.xml:2975(command)
16697
#: serverguide/C/network-auth.xml:2974(command)
16699
16698
msgid "kinit steve/admin"
16702
#: serverguide/C/network-auth.xml:2976(computeroutput)
16701
#: serverguide/C/network-auth.xml:2975(computeroutput)
16704
16703
msgid "steve/admin@EXAMPLE.COM's Password:"
16707
#: serverguide/C/network-auth.xml:2979(para)
16706
#: serverguide/C/network-auth.xml:2978(para)
16709
16708
"After entering the password, use the <application>klist</application> "
16710
16709
"utility to view information about the Ticket Granting Ticket (TGT):"
16713
#: serverguide/C/network-auth.xml:2985(command) serverguide/C/network-auth.xml:3362(command)
16712
#: serverguide/C/network-auth.xml:2984(command) serverguide/C/network-auth.xml:3361(command)
16714
16713
msgid "klist"
16717
#: serverguide/C/network-auth.xml:2986(computeroutput)
16716
#: serverguide/C/network-auth.xml:2985(computeroutput)
16720
16719
"Credentials cache: FILE:/tmp/krb5cc_1000\n"
16795
16794
"of those networks."
16798
#: serverguide/C/network-auth.xml:3064(para)
16797
#: serverguide/C/network-auth.xml:3063(para)
16800
16799
"First, install the packages, and when asked for the Kerberos and Admin "
16801
16800
"server names enter the name of the Primary KDC:"
16804
#: serverguide/C/network-auth.xml:3075(para)
16803
#: serverguide/C/network-auth.xml:3074(para)
16806
16805
"Once you have the packages installed, create the Secondary KDC's host "
16807
16806
"principal. From a terminal prompt, enter:"
16810
#: serverguide/C/network-auth.xml:3080(command)
16809
#: serverguide/C/network-auth.xml:3079(command)
16811
16810
msgid "kadmin -q \"addprinc -randkey host/kdc02.example.com\""
16814
#: serverguide/C/network-auth.xml:3084(para)
16813
#: serverguide/C/network-auth.xml:3083(para)
16816
16815
"After, issuing any <application>kadmin</application> commands you will be "
16817
16816
"prompted for your <emphasis>username/admin@EXAMPLE.COM</emphasis> principal "
16821
#: serverguide/C/network-auth.xml:3093(para)
16820
#: serverguide/C/network-auth.xml:3092(para)
16822
16821
msgid "Extract the <emphasis>keytab</emphasis> file:"
16825
#: serverguide/C/network-auth.xml:3098(command)
16824
#: serverguide/C/network-auth.xml:3097(command)
16826
16825
msgid "kadmin -q \"ktadd -norandkey -k keytab.kdc02 host/kdc02.example.com\""
16829
#: serverguide/C/network-auth.xml:3104(para)
16828
#: serverguide/C/network-auth.xml:3103(para)
16831
16830
"There should now be a <filename>keytab.kdc02</filename> in the current "
16832
16831
"directory, move the file to <filename>/etc/krb5.keytab</filename>:"
16835
#: serverguide/C/network-auth.xml:3110(command)
16834
#: serverguide/C/network-auth.xml:3109(command)
16836
16835
msgid "sudo mv keytab.kdc02 /etc/krb5.keytab"
16839
#: serverguide/C/network-auth.xml:3114(para)
16838
#: serverguide/C/network-auth.xml:3113(para)
16841
16840
"If the path to the <filename>keytab.kdc02</filename> file is different "
16842
16841
"adjust accordingly."
16845
#: serverguide/C/network-auth.xml:3119(para)
16844
#: serverguide/C/network-auth.xml:3118(para)
16847
16846
"Also, you can list the principals in a Keytab file, which can be useful when "
16848
16847
"troubleshooting, using the <application>klist</application> utility:"
16851
#: serverguide/C/network-auth.xml:3125(command)
16850
#: serverguide/C/network-auth.xml:3124(command)
16852
16851
msgid "sudo klist -k /etc/krb5.keytab"
16855
#: serverguide/C/network-auth.xml:3128(para)
16854
#: serverguide/C/network-auth.xml:3127(para)
16857
16856
"The <application>-k</application> option indicates the file is a keytab file."
16860
#: serverguide/C/network-auth.xml:3135(para)
16859
#: serverguide/C/network-auth.xml:3134(para)
16862
16861
"Next, there needs to be a <filename>kpropd.acl</filename> file on each KDC "
16863
16862
"that lists all KDCs for the Realm. For example, on both primary and "
16864
16863
"secondary KDC, create <filename>/etc/krb5kdc/kpropd.acl</filename>:"
16867
#: serverguide/C/network-auth.xml:3140(programlisting)
16866
#: serverguide/C/network-auth.xml:3139(programlisting)
16872
16871
"host/kdc02.example.com@EXAMPLE.COM\n"
16875
#: serverguide/C/network-auth.xml:3148(para)
16874
#: serverguide/C/network-auth.xml:3147(para)
16876
16875
msgid "Create an empty database on the <emphasis>Secondary KDC</emphasis>:"
16879
#: serverguide/C/network-auth.xml:3153(command)
16878
#: serverguide/C/network-auth.xml:3152(command)
16880
16879
msgid "sudo kdb5_util -s create"
16883
#: serverguide/C/network-auth.xml:3159(para)
16882
#: serverguide/C/network-auth.xml:3158(para)
16885
16884
"Now start the <application>kpropd</application> daemon, which listens for "
16886
16885
"connections from the <application>kprop</application> utility. "
16887
16886
"<application>kprop</application> is used to transfer dump files:"
16890
#: serverguide/C/network-auth.xml:3166(command)
16889
#: serverguide/C/network-auth.xml:3165(command)
16891
16890
msgid "sudo kpropd -S"
16894
#: serverguide/C/network-auth.xml:3172(para)
16893
#: serverguide/C/network-auth.xml:3171(para)
16896
16895
"From a terminal on the <emphasis>Primary KDC</emphasis>, create a dump file "
16897
16896
"of the principal database:"
16900
#: serverguide/C/network-auth.xml:3177(command)
16899
#: serverguide/C/network-auth.xml:3176(command)
16901
16900
msgid "sudo kdb5_util dump /var/lib/krb5kdc/dump"
16904
#: serverguide/C/network-auth.xml:3183(para)
16903
#: serverguide/C/network-auth.xml:3182(para)
16906
16905
"Extract the Primary KDC's <emphasis>keytab</emphasis> file and copy it to "
16907
16906
"<filename>/etc/krb5.keytab</filename>:"
16909
#: serverguide/C/network-auth.xml:3187(command)
16910
msgid "kadmin -q \"ktadd -k keytab.kdc01 host/kdc01.example.com\""
16910
16913
#: serverguide/C/network-auth.xml:3188(command)
16911
msgid "kadmin -q \"ktadd -k keytab.kdc01 host/kdc01.example.com\""
16914
#: serverguide/C/network-auth.xml:3189(command)
16915
16914
msgid "sudo mv keytab.kdc01 /etc/krb5.keytab"
16918
#: serverguide/C/network-auth.xml:3193(para)
16917
#: serverguide/C/network-auth.xml:3192(para)
16920
16919
"Make sure there is a <emphasis>host</emphasis> for "
16921
16920
"<emphasis>kdc01.example.com</emphasis> before extracting the Keytab."
16924
#: serverguide/C/network-auth.xml:3201(para)
16923
#: serverguide/C/network-auth.xml:3200(para)
16926
16925
"Using the <application>kprop</application> utility push the database to the "
16927
16926
"Secondary KDC:"
16930
#: serverguide/C/network-auth.xml:3206(command)
16929
#: serverguide/C/network-auth.xml:3205(command)
16931
16930
msgid "sudo kprop -r EXAMPLE.COM -f /var/lib/krb5kdc/dump kdc02.example.com"
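Review bot: both keytab steps in this hunk create the keytab as the invoking user (kadmin -q "ktadd ... -k keytab.kdc02 ..." has no sudo) and then only sudo mv it to /etc/krb5.keytab, so the host's long-term key can sit in /etc still owned by that user. Add an explicit sudo chown root:root /etc/krb5.keytab and sudo chmod 600 /etc/krb5.keytab after each mv, the way the guide already does for /etc/sssd/sssd.conf. The two ktadd lines also differ without explanation: the kdc02 one passes -norandkey and the kdc01 one does not, so the text should say whether re-keying the host principal is intended in each case. Separately, "Make sure there is a host for kdc01.example.com before extracting the Keytab" comes after the extraction command it is a precondition for, and is missing the word "principal".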
16934
#: serverguide/C/network-auth.xml:3210(para)
16933
#: serverguide/C/network-auth.xml:3209(para)
16936
16935
"There should be a <emphasis>SUCCEEDED</emphasis> message if the propagation "
16937
16936
"worked. If there is an error message check "
17076
17075
"minimum_uid=5000/' \\ /etc/pam.d/$i done"
17079
#: serverguide/C/network-auth.xml:3341(para)
17078
#: serverguide/C/network-auth.xml:3340(para)
17081
17080
"This will avoid being asked for the (non-existent) Kerberos password of a "
17082
17081
"locally authenticated user when changing its password using "
17083
17082
"<command>passwd</command>."
17086
#: serverguide/C/network-auth.xml:3348(para)
17085
#: serverguide/C/network-auth.xml:3347(para)
17088
17087
"You can test the configuration by requesting a ticket using the "
17089
17088
"<application>kinit</application> utility. For example:"
17092
#: serverguide/C/network-auth.xml:3353(command)
17091
#: serverguide/C/network-auth.xml:3352(command)
17093
17092
msgid "kinit steve@EXAMPLE.COM"
17096
#: serverguide/C/network-auth.xml:3354(computeroutput)
17095
#: serverguide/C/network-auth.xml:3353(computeroutput)
17098
17097
msgid "Password for steve@EXAMPLE.COM:"
17101
#: serverguide/C/network-auth.xml:3357(para)
17100
#: serverguide/C/network-auth.xml:3356(para)
17103
17102
"When a ticket has been granted, the details can be viewed using "
17104
17103
"<application>klist</application>:"
17107
#: serverguide/C/network-auth.xml:3363(computeroutput)
17106
#: serverguide/C/network-auth.xml:3362(computeroutput)
17110
17109
"Ticket cache: FILE:/tmp/krb5cc_1000\n"
17119
17118
"klist: You have no tickets cached"
17122
#: serverguide/C/network-auth.xml:3375(para)
17121
#: serverguide/C/network-auth.xml:3374(para)
17124
17123
"Next, use the <application>auth-client-config</application> to configure the "
17125
17124
"<application>libpam-krb5</application> module to request a ticket during "
17129
#: serverguide/C/network-auth.xml:3381(command)
17128
#: serverguide/C/network-auth.xml:3380(command)
17130
17129
msgid "sudo auth-client-config -a -p kerberos_example"
17133
#: serverguide/C/network-auth.xml:3384(para)
17132
#: serverguide/C/network-auth.xml:3383(para)
17135
17134
"You will should now receive a ticket upon successful login authentication."
17138
#: serverguide/C/network-auth.xml:3395(para)
17137
#: serverguide/C/network-auth.xml:3394(para)
17140
17139
"For more information on MIT's version of Kerberos, see the <ulink "
17141
17140
"url=\"http://web.mit.edu/Kerberos/\">MIT Kerberos</ulink> site."
17144
#: serverguide/C/network-auth.xml:3400(para)
17143
#: serverguide/C/network-auth.xml:3399(para)
17146
17145
"The <ulink url=\"https://help.ubuntu.com/community/Kerberos\">Ubuntu Wiki "
17147
17146
"Kerberos</ulink> page has more details."
17150
#: serverguide/C/network-auth.xml:3405(para)
17149
#: serverguide/C/network-auth.xml:3404(para)
17152
17151
"O'Reilly's <ulink "
17153
17152
"url=\"http://oreilly.com/catalog/9780596004033/\">Kerberos: The Definitive "
17154
17153
"Guide</ulink> is a great reference when setting up Kerberos."
17157
#: serverguide/C/network-auth.xml:3411(para)
17156
#: serverguide/C/network-auth.xml:3410(para)
17159
17158
"Also, feel free to stop by the <emphasis>#ubuntu-server</emphasis> and "
17160
17159
"<emphasis>#kerberos</emphasis> IRC channels on <ulink "
17161
17160
"url=\"http://freenode.net/\">Freenode</ulink> if you have Kerberos questions."
17164
#: serverguide/C/network-auth.xml:3423(title)
17163
#: serverguide/C/network-auth.xml:3422(title)
17165
17164
msgid "Kerberos and LDAP"
17168
#: serverguide/C/network-auth.xml:3425(para)
17167
#: serverguide/C/network-auth.xml:3424(para)
17170
17169
"Most people will not use Kerberos by itself; once an user is authenticated "
17171
17170
"(Kerberos), we need to figure out what this user can do (authorization). And "
17172
17171
"that would be the job of programs such as <application>LDAP</application>."
17175
#: serverguide/C/network-auth.xml:3432(para)
17174
#: serverguide/C/network-auth.xml:3431(para)
17177
17176
"Replicating a Kerberos principal database between two servers can be "
17178
17177
"complicated, and adds an additional user database to your network. "
17201
17200
"information on setting up OpenLDAP see <xref linkend=\"openldap-server\"/>."
17204
#: serverguide/C/network-auth.xml:3456(para)
17203
#: serverguide/C/network-auth.xml:3455(para)
17206
17205
"It is also required to configure OpenLDAP for TLS and SSL connections, so "
17207
17206
"that traffic between the KDC and LDAP server is encrypted. See <xref "
17208
17207
"linkend=\"openldap-tls\"/> for details."
17211
#: serverguide/C/network-auth.xml:3462(para)
17210
#: serverguide/C/network-auth.xml:3461(para)
17213
17212
"<filename>cn=admin,cn=config</filename> is a user we created with rights to "
17214
17213
"edit the ldap database. Many times it is the RootDN. Change its value to "
17215
17214
"reflect your setup."
17218
#: serverguide/C/network-auth.xml:3471(para)
17217
#: serverguide/C/network-auth.xml:3470(para)
17220
17219
"To load the schema into LDAP, on the LDAP server install the "
17221
17220
"<application>krb5-kdc-ldap</application> package. From a terminal enter:"
17224
#: serverguide/C/network-auth.xml:3477(command)
17223
#: serverguide/C/network-auth.xml:3476(command)
17225
17224
msgid "sudo apt-get install krb5-kdc-ldap"
17228
#: serverguide/C/network-auth.xml:3482(para)
17227
#: serverguide/C/network-auth.xml:3481(para)
17229
17228
msgid "Next, extract the <filename>kerberos.schema.gz</filename> file:"
17231
#: serverguide/C/network-auth.xml:3486(command)
17232
msgid "sudo gzip -d /usr/share/doc/krb5-kdc-ldap/kerberos.schema.gz"
17232
17235
#: serverguide/C/network-auth.xml:3487(command)
17233
msgid "sudo gzip -d /usr/share/doc/krb5-kdc-ldap/kerberos.schema.gz"
17236
#: serverguide/C/network-auth.xml:3488(command)
17238
17237
"sudo cp /usr/share/doc/krb5-kdc-ldap/kerberos.schema /etc/ldap/schema/"
17241
#: serverguide/C/network-auth.xml:3494(para)
17240
#: serverguide/C/network-auth.xml:3493(para)
17243
17242
"The <emphasis>kerberos</emphasis> schema needs to be added to the "
17244
17243
"<emphasis>cn=config</emphasis> tree. The procedure to add a new schema to "
17272
17271
"include /etc/ldap/schema/kerberos.schema\n"
17275
#: serverguide/C/network-auth.xml:3527(para)
17274
#: serverguide/C/network-auth.xml:3526(para)
17276
17275
msgid "Create a temporary directory to hold the LDIF files:"
17279
#: serverguide/C/network-auth.xml:3531(command)
17278
#: serverguide/C/network-auth.xml:3530(command)
17280
17279
msgid "mkdir /tmp/ldif_output"
17283
#: serverguide/C/network-auth.xml:3537(para)
17282
#: serverguide/C/network-auth.xml:3536(para)
17285
17284
"Now use <application>slapcat</application> to convert the schema files:"
17288
#: serverguide/C/network-auth.xml:3542(command)
17287
#: serverguide/C/network-auth.xml:3541(command)
17290
17289
"slapcat -f schema_convert.conf -F /tmp/ldif_output -n0 -s \\ "
17291
17290
"\"cn={12}kerberos,cn=schema,cn=config\" > /tmp/cn=kerberos.ldif"
17294
#: serverguide/C/network-auth.xml:3546(para)
17293
#: serverguide/C/network-auth.xml:3545(para)
17296
17295
"Change the above file and path names to match your own if they are different."
17299
#: serverguide/C/network-auth.xml:3553(para)
17298
#: serverguide/C/network-auth.xml:3552(para)
17301
17300
"Edit the generated <filename>/tmp/cn\\=kerberos.ldif</filename> file, "
17302
17301
"changing the following attributes:"
17305
#: serverguide/C/network-auth.xml:3557(programlisting)
17304
#: serverguide/C/network-auth.xml:3556(programlisting)
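Review bot: mkdir /tmp/ldif_output and the redirect to /tmp/cn=kerberos.ldif use fixed names in a world-writable directory, and that LDIF is later loaded into cn=config with ldapadd -D cn=admin,cn=config. On a multi-user host either path may already exist and belong to another local account, so the steps should work in a private directory instead, for example one created with mktemp -d, and use that path in the slapcat and ldapadd commands. The existing remark "Change the above file and path names to match your own if they are different" does not cover this.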
17328
17327
"modifyTimestamp: 20090111203515Z\n"
17331
#: serverguide/C/network-auth.xml:3577(para)
17330
#: serverguide/C/network-auth.xml:3576(para)
17333
17332
"The attribute values will vary, just be sure the attributes are removed."
17336
#: serverguide/C/network-auth.xml:3584(para)
17335
#: serverguide/C/network-auth.xml:3583(para)
17337
17336
msgid "Load the new schema with <application>ldapadd</application>:"
17340
#: serverguide/C/network-auth.xml:3589(command)
17339
#: serverguide/C/network-auth.xml:3588(command)
17341
17340
msgid "ldapadd -x -D cn=admin,cn=config -W -f /tmp/cn\\=kerberos.ldif"
17344
#: serverguide/C/network-auth.xml:3595(para)
17343
#: serverguide/C/network-auth.xml:3594(para)
17346
17345
"Add an index for the <emphasis>krb5principalname</emphasis> attribute:"
17349
#: serverguide/C/network-auth.xml:3600(command) serverguide/C/network-auth.xml:3617(command)
17348
#: serverguide/C/network-auth.xml:3599(command) serverguide/C/network-auth.xml:3616(command)
17350
17349
msgid "ldapmodify -x -D cn=admin,cn=config -W"
17353
#: serverguide/C/network-auth.xml:3602(userinput)
17352
#: serverguide/C/network-auth.xml:3601(userinput)
17356
17355
"dn: olcDatabase={1}hdb,cn=config\n"
17396
17395
"modifying entry \"olcDatabase={1}hdb,cn=config\"\n"
17399
#: serverguide/C/network-auth.xml:3639(para)
17398
#: serverguide/C/network-auth.xml:3638(para)
17401
17400
"That's it, your LDAP directory is now ready to serve as a Kerberos principal "
17405
#: serverguide/C/network-auth.xml:3645(title)
17404
#: serverguide/C/network-auth.xml:3644(title)
17406
17405
msgid "Primary KDC Configuration"
17409
#: serverguide/C/network-auth.xml:3647(para)
17408
#: serverguide/C/network-auth.xml:3646(para)
17411
17410
"With <application>OpenLDAP</application> configured it is time to configure "
17415
#: serverguide/C/network-auth.xml:3653(para)
17414
#: serverguide/C/network-auth.xml:3652(para)
17416
17415
msgid "First, install the necessary packages, from a terminal enter:"
17419
#: serverguide/C/network-auth.xml:3658(command) serverguide/C/network-auth.xml:3817(command)
17418
#: serverguide/C/network-auth.xml:3657(command) serverguide/C/network-auth.xml:3816(command)
17420
17419
msgid "sudo apt-get install krb5-kdc krb5-admin-server krb5-kdc-ldap"
17423
#: serverguide/C/network-auth.xml:3664(para)
17422
#: serverguide/C/network-auth.xml:3663(para)
17425
17424
"Now edit <filename>/etc/krb5.conf</filename> adding the following options to "
17426
17425
"under the appropriate sections:"
17429
#: serverguide/C/network-auth.xml:3668(programlisting)
17428
#: serverguide/C/network-auth.xml:3667(programlisting)
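Review bot: the paragraph string for network-auth.xml:3663 reads "adding the following options to under the appropriate sections"; drop the stray "to". The string before it, "First, install the necessary packages, from a terminal enter:", is a comma splice, while the Secondary KDC section words the same step as "First, install the necessary packages. In a terminal enter:". Using one wording in both places would also let the two entries share a single msgid.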
17505
17504
"<filename>/etc/krb5.conf</filename>:"
17508
#: serverguide/C/network-auth.xml:3740(command) serverguide/C/network-auth.xml:3879(command)
17507
#: serverguide/C/network-auth.xml:3739(command) serverguide/C/network-auth.xml:3878(command)
17510
17509
"sudo kdb5_ldap_util -D cn=admin,dc=example,dc=com stashsrvpw -f \\ "
17511
17510
"/etc/krb5kdc/service.keyfile cn=admin,dc=example,dc=com"
17514
#: serverguide/C/network-auth.xml:3747(para)
17513
#: serverguide/C/network-auth.xml:3746(para)
17515
17514
msgid "Copy the CA certificate from the LDAP server:"
17517
#: serverguide/C/network-auth.xml:3751(command)
17518
msgid "scp ldap01:/etc/ssl/certs/cacert.pem ."
17518
17521
#: serverguide/C/network-auth.xml:3752(command)
17519
msgid "scp ldap01:/etc/ssl/certs/cacert.pem ."
17522
#: serverguide/C/network-auth.xml:3753(command)
17523
17522
msgid "sudo cp cacert.pem /etc/ssl/certs"
17526
#: serverguide/C/network-auth.xml:3756(para)
17525
#: serverguide/C/network-auth.xml:3755(para)
17528
17527
"And edit <filename>/etc/ldap/ldap.conf</filename> to use the certificate:"
17531
#: serverguide/C/network-auth.xml:3760(programlisting)
17530
#: serverguide/C/network-auth.xml:3759(programlisting)
17535
17534
"TLS_CACERT /etc/ssl/certs/cacert.pem\n"
17538
#: serverguide/C/network-auth.xml:3765(para)
17537
#: serverguide/C/network-auth.xml:3764(para)
17540
17539
"The certificate will also need to be copied to the Secondary KDC, to allow "
17541
17540
"the connection to the LDAP servers using LDAPS."
17544
#: serverguide/C/network-auth.xml:3774(para)
17543
#: serverguide/C/network-auth.xml:3773(para)
17546
17545
"You can now add Kerberos principals to the LDAP database, and they will be "
17547
17546
"copied to any other LDAP servers configured for replication. To add a "
17548
17547
"principal using the <application>kadmin.local</application> utility enter:"
17551
#: serverguide/C/network-auth.xml:3782(userinput)
17550
#: serverguide/C/network-auth.xml:3781(userinput)
17553
17552
msgid "addprinc -x dn=\"uid=steve,ou=people,dc=example,dc=com\" steve"
17556
#: serverguide/C/network-auth.xml:3781(computeroutput)
17555
#: serverguide/C/network-auth.xml:3780(computeroutput)
17559
17558
"Authenticating as principal root/admin@EXAMPLE.COM with password.\n"
17573
17572
"utilities to test that the user is indeed issued a ticket."
17576
#: serverguide/C/network-auth.xml:3796(para)
17575
#: serverguide/C/network-auth.xml:3795(para)
17578
17577
"If the user object is already created the <emphasis>-x dn=\"...\"</emphasis> "
17579
17578
"option is needed to add the Kerberos attributes. Otherwise a new "
17580
17579
"<emphasis>principal</emphasis> object will be created in the realm subtree."
17583
#: serverguide/C/network-auth.xml:3804(title)
17582
#: serverguide/C/network-auth.xml:3803(title)
17584
17583
msgid "Secondary KDC Configuration"
17587
#: serverguide/C/network-auth.xml:3806(para)
17586
#: serverguide/C/network-auth.xml:3805(para)
17589
17588
"Configuring a Secondary KDC using the LDAP backend is similar to configuring "
17590
17589
"one using the normal Kerberos database."
17593
#: serverguide/C/network-auth.xml:3812(para)
17592
#: serverguide/C/network-auth.xml:3811(para)
17594
17593
msgid "First, install the necessary packages. In a terminal enter:"
17597
#: serverguide/C/network-auth.xml:3823(para)
17596
#: serverguide/C/network-auth.xml:3822(para)
17599
17598
"Next, edit <filename>/etc/krb5.conf</filename> to use the LDAP backend:"
17602
#: serverguide/C/network-auth.xml:3827(programlisting)
17601
#: serverguide/C/network-auth.xml:3826(programlisting)
17663
#: serverguide/C/network-auth.xml:3892(command)
17664
msgid "sudo scp /etc/krb5kdc/.k5.EXAMPLE.COM steve@kdc02.example.com:~"
17664
17667
#: serverguide/C/network-auth.xml:3893(command)
17665
msgid "sudo scp /etc/krb5kdc/.k5.EXAMPLE.COM steve@kdc02.example.com:~"
17668
#: serverguide/C/network-auth.xml:3894(command)
17669
17668
msgid "sudo mv .k5.EXAMPLE.COM /etc/krb5kdc/"
17672
#: serverguide/C/network-auth.xml:3898(para)
17671
#: serverguide/C/network-auth.xml:3897(para)
17674
17673
"Again, replace <emphasis>EXAMPLE.COM</emphasis> with your actual realm."
17677
#: serverguide/C/network-auth.xml:3906(para)
17676
#: serverguide/C/network-auth.xml:3905(para)
17679
17678
"Back on the <emphasis>Secondary KDC</emphasis>, (re)start the ldap server "
17683
#: serverguide/C/network-auth.xml:3918(para)
17682
#: serverguide/C/network-auth.xml:3917(para)
17684
17683
msgid "Finally, start the <application>krb5-kdc</application> daemon:"
17687
#: serverguide/C/network-auth.xml:3929(para)
17686
#: serverguide/C/network-auth.xml:3928(para)
17688
17687
msgid "Verify the two ldap servers (and kerberos by extension) are in sync."
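Review bot: sudo scp /etc/krb5kdc/.k5.EXAMPLE.COM steve@kdc02.example.com:~ places the realm's master key stash in an ordinary user's home directory, and the following sudo mv .k5.EXAMPLE.COM /etc/krb5kdc/ does not reset its owner or mode. The text should add sudo chown root:root and sudo chmod 600 on /etc/krb5kdc/.k5.EXAMPLE.COM after the move, and state that no copy may remain in the home directory. The last step, "Verify the two ldap servers (and kerberos by extension) are in sync.", also gives no command or check to do that with.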
17691
#: serverguide/C/network-auth.xml:3936(para)
17690
#: serverguide/C/network-auth.xml:3935(para)
17693
17692
"You now have redundant KDCs on your network, and with redundant LDAP servers "
17694
17693
"you should be able to continue to authenticate users if one LDAP server, one "
17695
17694
"Kerberos server, or one LDAP and one Kerberos server become unavailable."
17698
#: serverguide/C/network-auth.xml:3948(para)
17697
#: serverguide/C/network-auth.xml:3947(para)
17700
17699
"The <ulink url=\"http://web.mit.edu/Kerberos/krb5-1.6/krb5-1.6.3/doc/krb5-"
17701
17700
"admin.html#Configuring-Kerberos-with-OpenLDAP-back_002dend\"> Kerberos Admin "
17702
17701
"Guide</ulink> has some additional details."
17705
#: serverguide/C/network-auth.xml:3951(para)
17704
#: serverguide/C/network-auth.xml:3953(para)
17707
17706
"For more information on <application>kdb5_ldap_util</application> see <ulink "
17708
17707
"url=\"http://web.mit.edu/Kerberos/krb5-1.6/krb5-1.6.3/doc/krb5-"
17741
17740
"requires no modifications to the AD structure."
17744
#: serverguide/C/network-auth.xml:3978(title)
17743
#: serverguide/C/network-auth.xml:3980(title)
17745
17744
msgid "Prerequisites, Assumptions, and Requirements"
17748
#: serverguide/C/network-auth.xml:3981(para)
17747
#: serverguide/C/network-auth.xml:3983(para)
17750
17749
"This guide does not explain Active Directory, how it works, how to set one "
17751
17750
"up, or how to maintain it. It may not provide “best practices” for your "
17752
17751
"environment."
17755
#: serverguide/C/network-auth.xml:3983(para)
17754
#: serverguide/C/network-auth.xml:3985(para)
17757
17756
"This guide assumes that a working Active Directory domain is already "
17758
17757
"configured."
17761
#: serverguide/C/network-auth.xml:3985(para)
17760
#: serverguide/C/network-auth.xml:3987(para)
17763
17762
"The domain controller is acting as an authoritative DNS server for the "
17767
#: serverguide/C/network-auth.xml:3987(para)
17766
#: serverguide/C/network-auth.xml:3989(para)
17769
17768
"The domain controller is the primary DNS resolver as specified in "
17770
17769
"<filename>/etc/resolv.conf</filename>."
17773
#: serverguide/C/network-auth.xml:3990(para)
17772
#: serverguide/C/network-auth.xml:3992(para)
17775
17774
"The appropriate <emphasis>_kerberos</emphasis>, <emphasis>_ldap</emphasis>, "
17776
17775
"<emphasis>_kpasswd</emphasis>, etc. entries are configured in the DNS zone "
17777
17776
"(see Resources section for external links)."
17780
#: serverguide/C/network-auth.xml:3992(para)
17779
#: serverguide/C/network-auth.xml:3994(para)
17782
17781
"System time is synchronized on the domain controller (necessary for "
17786
#: serverguide/C/network-auth.xml:3994(para)
17785
#: serverguide/C/network-auth.xml:3996(para)
17788
17787
"The domain used in this example is <emphasis>myubuntu.example.com</emphasis> "
17792
#: serverguide/C/network-auth.xml:3999(para)
17791
#: serverguide/C/network-auth.xml:4001(para)
17794
17793
"The following packages are needed: <emphasis>krb5-user</emphasis>, "
17795
17794
"<emphasis>samba</emphasis>, <emphasis>sssd</emphasis>, and "
17945
17944
"# enumerate = true\n"
17948
#: serverguide/C/network-auth.xml:4080(para)
17947
#: serverguide/C/network-auth.xml:4082(para)
17950
17949
"After saving this file, set the ownership to root and the file permissions "
17954
#: serverguide/C/network-auth.xml:4081(command)
17953
#: serverguide/C/network-auth.xml:4083(command)
17955
17954
msgid "sudo chown root:root /etc/sssd/sssd.conf"
17958
#: serverguide/C/network-auth.xml:4082(command)
17957
#: serverguide/C/network-auth.xml:4084(command)
17959
17958
msgid "sudo chmod 600 /etc/sssd/sssd.conf"
17962
#: serverguide/C/network-auth.xml:4084(para)
17961
#: serverguide/C/network-auth.xml:4086(para)
17964
17963
"If the ownership or permissions are not correct, sssd will refuse to start."
17967
#: serverguide/C/network-auth.xml:4088(title)
17966
#: serverguide/C/network-auth.xml:4090(title)
17968
17967
msgid "Verify nsswitch.conf Configuration"
17971
#: serverguide/C/network-auth.xml:4089(para)
17970
#: serverguide/C/network-auth.xml:4091(para)
17973
17972
"The post-install script for the sssd package makes some modifications to "
17974
17973
"/etc/nsswitch.conf automatically. It should look something like this:"
17977
#: serverguide/C/network-auth.xml:4091(programlisting)
17976
#: serverguide/C/network-auth.xml:4093(programlisting)
17985
17984
"sudoers: files sss\n"
17988
#: serverguide/C/network-auth.xml:4101(title)
17987
#: serverguide/C/network-auth.xml:4103(title)
17989
17988
msgid "Modify /etc/hosts"
17992
#: serverguide/C/network-auth.xml:4102(para)
17991
#: serverguide/C/network-auth.xml:4104(para)
17994
17993
"Add an alias to the localhost entry in /etc/hosts specifying the FQDN. For "
17998
#: serverguide/C/network-auth.xml:4103(programlisting)
17997
#: serverguide/C/network-auth.xml:4105(programlisting)
18000
17999
msgid "192.168.1.10 myserver myserver.myubuntu.example.com"
18003
#: serverguide/C/network-auth.xml:4105(para)
18002
#: serverguide/C/network-auth.xml:4107(para)
18004
18003
msgid "This is useful in conjunction with dynamic DNS updates."
18007
#: serverguide/C/network-auth.xml:4109(title)
18006
#: serverguide/C/network-auth.xml:4111(title)
18008
18007
msgid "Join the Active Directory"
18011
#: serverguide/C/network-auth.xml:4110(para)
18010
#: serverguide/C/network-auth.xml:4112(para)
18012
18011
msgid "Now, restart ntp and samba and start sssd."
18015
#: serverguide/C/virtualization.xml:2208(command)
18014
#: serverguide/C/network-auth.xml:4113(command)
18016
18015
msgid "sudo service ntp restart"
18019
#: serverguide/C/network-auth.xml:4114(command)
18018
#: serverguide/C/network-auth.xml:4116(command)
18020
18019
msgid "sudo start sssd"
18023
#: serverguide/C/network-auth.xml:4116(para)
18022
#: serverguide/C/network-auth.xml:4118(para)
18024
18023
msgid "Test the configuration by obtaining a Kerberos ticket:"
18027
#: serverguide/C/network-auth.xml:4118(command)
18026
#: serverguide/C/network-auth.xml:4120(command)
18028
18027
msgid "sudo kinit Administrator"
18031
#: serverguide/C/network-auth.xml:4120(para)
18030
#: serverguide/C/network-auth.xml:4122(para)
18032
18031
msgid "Verify the ticket with:"
18035
#: serverguide/C/network-auth.xml:4121(command)
18034
#: serverguide/C/network-auth.xml:4123(command)
18036
18035
msgid "sudo klist"
18039
#: serverguide/C/network-auth.xml:4123(para)
18038
#: serverguide/C/network-auth.xml:4125(para)
18041
18040
"If there is a ticket with an expiration date listed, then it is time to join "
18042
18041
"the domain:"
18045
#: serverguide/C/network-auth.xml:4125(command)
18044
#: serverguide/C/network-auth.xml:4127(command)
18046
18045
msgid "sudo net ads join -k"
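Review bot: the /etc/hosts step earlier in this hunk says to "Add an alias to the localhost entry", but the example line is 192.168.1.10 myserver myserver.myubuntu.example.com, which is not the localhost entry. The example also lists the short name first; the first name on a hosts line is the canonical one, so if the host is meant to resolve to its FQDN the order should be myserver.myubuntu.example.com myserver. This matters here because the warning described right after this command ("No DNS domain configured. Unable to perform DNS Update.") is attributed to a missing or incorrect alias.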
18049
#: serverguide/C/network-auth.xml:4127(para)
18048
#: serverguide/C/network-auth.xml:4129(para)
18051
18050
"A warning about \"No DNS domain configured. Unable to perform DNS Update.\" "
18052
18051
"probably means that there is no (correct) alias in "
18070
18069
"Some of the changes appear to be asynchronous."
18073
#: serverguide/C/network-auth.xml:4133(para)
18072
#: serverguide/C/network-auth.xml:4135(para)
18074
18073
msgid "Verification option #1:"
18077
#: serverguide/C/network-auth.xml:4134(para)
18076
#: serverguide/C/network-auth.xml:4136(para)
18079
18078
"Check the default Organizational Unit for computer accounts in the Active "
18080
18079
"Directory to verify that the computer account was created. (Organizational "
18081
18080
"Units in Active Directory is a topic outside the scope of this guide)."
18084
#: serverguide/C/network-auth.xml:4136(para)
18083
#: serverguide/C/network-auth.xml:4138(para)
18085
18084
msgid "Verification option #2"
18088
#: serverguide/C/network-auth.xml:4137(para)
18087
#: serverguide/C/network-auth.xml:4139(para)
18089
18088
msgid "Execute this command for a specific AD user (e.g. administrator)"
18092
#: serverguide/C/network-auth.xml:4138(command)
18091
#: serverguide/C/network-auth.xml:4140(command)
18093
18092
msgid "getent passwd username"
18096
#: serverguide/C/network-auth.xml:4140(para)
18095
#: serverguide/C/network-auth.xml:4142(para)
18098
18097
"If <emphasis>enumerate = true</emphasis> is set in "
18099
18098
"<filename>sssd.conf</filename>, <emphasis>getent passwd</emphasis> with no "
19892
19891
"smtpd_tls_key_file = /etc/ssl/private/ssl-mail.key\n"
19895
#: serverguide/C/mail.xml:304(para)
19894
#: serverguide/C/mail.xml:349(para)
19896
19895
msgid "Then restart Postfix:"
19899
#: serverguide/C/mail.xml:315(para)
19898
#: serverguide/C/mail.xml:360(para)
19901
19900
"SMTP-AUTH configuration is complete. Now it is time to test the setup."
19904
#: serverguide/C/mail.xml:318(para)
19903
#: serverguide/C/mail.xml:363(para)
19905
19904
msgid "To see if SMTP-AUTH and TLS work properly, run the following command:"
19908
#: serverguide/C/mail.xml:323(command)
19907
#: serverguide/C/mail.xml:368(command)
19909
19908
msgid "telnet mail.example.com 25"
19912
#: serverguide/C/mail.xml:325(para)
19911
#: serverguide/C/mail.xml:370(para)
19914
19913
"After you have established the connection to the postfix mail server, type:"
19917
#: serverguide/C/mail.xml:329(screen)
19916
#: serverguide/C/mail.xml:374(screen)
19921
19920
"ehlo mail.example.com\n"
19924
#: serverguide/C/mail.xml:332(para)
19923
#: serverguide/C/mail.xml:377(para)
19926
19925
"If you see the following lines among others, then everything is working "
19927
19926
"perfectly. Type <command>quit</command> to exit."
19930
#: serverguide/C/mail.xml:336(programlisting)
19929
#: serverguide/C/mail.xml:381(programlisting)
19937
19936
"250 8BITMIME\n"
19940
#: serverguide/C/mail.xml:346(para)
19939
#: serverguide/C/mail.xml:391(para)
19942
19941
"This section introduces some common ways to determine the cause if problems "
19946
#: serverguide/C/mail.xml:350(title)
19945
#: serverguide/C/mail.xml:395(title)
19947
19946
msgid "Escaping chroot"
19950
#: serverguide/C/mail.xml:351(para)
19949
#: serverguide/C/mail.xml:396(para)
19952
19951
"The Ubuntu <application>postfix</application> package will by default "
19953
19952
"install into a <emphasis>chroot</emphasis> environment for security reasons. "
19954
19953
"This can add greater complexity when troubleshooting problems."
19957
#: serverguide/C/mail.xml:355(para)
19956
#: serverguide/C/mail.xml:400(para)
19959
19958
"To turn off the chroot operation locate for the following line in the "
19960
19959
"<filename>/etc/postfix/master.cf</filename> configuration file:"
19963
#: serverguide/C/mail.xml:359(screen)
19962
#: serverguide/C/mail.xml:404(screen)
19967
19966
"smtp inet n - - - - smtpd\n"
19970
#: serverguide/C/mail.xml:362(para)
19969
#: serverguide/C/mail.xml:407(para)
19971
19970
msgid "and modify it as follows:"
19974
#: serverguide/C/mail.xml:365(screen)
19973
#: serverguide/C/mail.xml:410(screen)
19978
19977
"smtp inet n - n - - smtpd\n"
19981
#: serverguide/C/mail.xml:368(para)
19980
#: serverguide/C/mail.xml:413(para)
19983
19982
"You will then need to restart Postfix to use the new configuration. From a "
19984
19983
"terminal prompt enter:"
20019
20018
"<filename>/var/log/mail.warn</filename> respectively."
20022
#: serverguide/C/mail.xml:382(para)
20021
#: serverguide/C/mail.xml:440(para)
20024
20023
"To see messages entered into the logs in real time you can use the "
20025
20024
"<application>tail -f</application> command:"
20028
#: serverguide/C/mail.xml:387(command)
20027
#: serverguide/C/mail.xml:445(command)
20029
20028
msgid "tail -f /var/log/mail.err"
20032
#: serverguide/C/mail.xml:389(para)
20031
#: serverguide/C/mail.xml:447(para)
20034
20033
"The amount of detail that is recorded in the logs can be increased. Below "
20035
20034
"are some configuration options for increasing the log level for some of the "
20036
20035
"areas covered above."
20039
#: serverguide/C/mail.xml:395(para)
20038
#: serverguide/C/mail.xml:453(para)
20041
20040
"To increase <emphasis>TLS</emphasis> activity logging set the "
20042
20041
"<emphasis>smtpd_tls_loglevel</emphasis> option to a value from 1 to 4."
20045
#: serverguide/C/mail.xml:399(command)
20044
#: serverguide/C/mail.xml:457(command)
20046
20045
msgid "sudo postconf -e 'smtpd_tls_loglevel = 4'"
20049
#: serverguide/C/mail.xml:403(para)
20048
#: serverguide/C/mail.xml:461(para)
20051
20050
"If you are having trouble sending or receiving mail from a specific domain "
20052
20051
"you can add the domain to the <emphasis>debug_peer_list</emphasis> parameter."
20055
#: serverguide/C/mail.xml:408(command)
20054
#: serverguide/C/mail.xml:466(command)
20056
20055
msgid "sudo postconf -e 'debug_peer_list = problem.domain'"
20059
#: serverguide/C/mail.xml:412(para)
20058
#: serverguide/C/mail.xml:470(para)
20061
20060
"You can increase the verbosity of any <application>Postfix</application> "
20062
20061
"daemon process by editing the <filename>/etc/postfix/master.cf</filename> "
20186
20185
"in one file you can configure accordingly in this user interface."
20189
#: serverguide/C/mail.xml:514(para)
20188
#: serverguide/C/mail.xml:572(para)
20191
20190
"All the parameters you configure in the user interface are stored in "
20192
"<filename>/etc/exim4/update-exim4.conf</filename> file. If you wish to re-"
20193
"configure, either you re-run the configuration wizard or manually edit this "
20194
"file using your favorite editor. Once you configure, you can run the "
20191
"<filename>/etc/exim4/update-exim4.conf.conf</filename> file. If you wish to "
20192
"re-configure, either you re-run the configuration wizard or manually edit "
20193
"this file using your favorite editor. Once you configure, you can run the "
20195
20194
"following command to generate the master configuration file:"
20198
#: serverguide/C/mail.xml:525(command) serverguide/C/mail.xml:609(command)
20197
#: serverguide/C/mail.xml:583(command) serverguide/C/mail.xml:667(command)
20199
20198
msgid "sudo update-exim4.conf"
20202
#: serverguide/C/mail.xml:527(para)
20201
#: serverguide/C/mail.xml:585(para)
20204
20203
"The master configuration file, is generated and it is stored in "
20205
20204
"<filename>/var/lib/exim4/config.autogenerated</filename>."
20208
#: serverguide/C/mail.xml:533(para)
20207
#: serverguide/C/mail.xml:591(para)
20210
20209
"At any time, you should not edit the master configuration file, "
20211
20210
"<filename>/var/lib/exim4/config.autogenerated</filename> manually. It is "
20212
20211
"updated automatically every time you run <command>update-exim4.conf</command>"
20215
#: serverguide/C/mail.xml:541(para)
20214
#: serverguide/C/mail.xml:599(para)
20217
20216
"You can run the following command to start <application>Exim4</application> "
20222
20221
msgid "sudo service exim4 start"
20225
#: serverguide/C/mail.xml:551(para)
20224
#: serverguide/C/mail.xml:609(para)
20227
20226
"This section covers configuring Exim4 to use SMTP-AUTH with TLS and SASL."
20230
#: serverguide/C/mail.xml:554(para)
20229
#: serverguide/C/mail.xml:612(para)
20232
20231
"The first step is to create a certificate for use with TLS. Enter the "
20233
20232
"following into a terminal prompt:"
20236
#: serverguide/C/mail.xml:558(command)
20235
#: serverguide/C/mail.xml:616(command)
20237
20236
msgid "sudo /usr/share/doc/exim4-base/examples/exim-gencert"
20240
#: serverguide/C/mail.xml:560(para)
20239
#: serverguide/C/mail.xml:618(para)
20242
20241
"Now Exim4 needs to be configured for TLS by editing "
20243
20242
"<filename>/etc/exim4/conf.d/main/03_exim4-config_tlsoptions</filename> add "
20244
20243
"the following:"
20247
#: serverguide/C/mail.xml:564(programlisting)
20246
#: serverguide/C/mail.xml:622(programlisting)
20251
20250
"MAIN_TLS_ENABLE = yes\n"
20254
#: serverguide/C/mail.xml:567(para)
20253
#: serverguide/C/mail.xml:625(para)
20256
20255
"Next you need to configure <application>Exim4</application> to use the "
20257
20256
"<application>saslauthd</application> for authentication. Edit "
20318
20317
msgid "sudo service exim4 restart"
20321
#: serverguide/C/mail.xml:615(para)
20320
#: serverguide/C/mail.xml:673(para)
20323
20322
"This section provides details on configuring the saslauthd to provide "
20324
20323
"authentication for <application>Exim4</application>."
20327
#: serverguide/C/mail.xml:618(para)
20326
#: serverguide/C/mail.xml:676(para)
20329
20328
"The first step is to install the sasl2-bin package. From a terminal prompt "
20330
20329
"enter the following:"
20333
#: serverguide/C/mail.xml:622(command)
20332
#: serverguide/C/mail.xml:680(command)
20334
20333
msgid "sudo apt-get install sasl2-bin"
20337
#: serverguide/C/mail.xml:624(para)
20336
#: serverguide/C/mail.xml:682(para)
20339
20338
"To configure saslauthd edit the /etc/default/saslauthd configuration file "
20340
20339
"and set START=no to:"
20343
#: serverguide/C/mail.xml:630(para)
20342
#: serverguide/C/mail.xml:688(para)
20345
20344
"Next the <emphasis>Debian-exim</emphasis> user needs to be part of the "
20346
20345
"<emphasis>sasl</emphasis> group in order for Exim4 to use the saslauthd "
20350
#: serverguide/C/mail.xml:635(command)
20349
#: serverguide/C/mail.xml:693(command)
20351
20350
msgid "sudo adduser Debian-exim sasl"
20354
#: serverguide/C/mail.xml:637(para)
20353
#: serverguide/C/mail.xml:695(para)
20355
20354
msgid "Now start the <application>saslauthd</application> service:"
20359
20358
msgid "sudo service saslauthd start"
20362
#: serverguide/C/mail.xml:643(para)
20361
#: serverguide/C/mail.xml:701(para)
20364
20363
"<application>Exim4</application> is now configured with SMTP-AUTH using TLS "
20365
20364
"and SASL authentication."
20368
#: serverguide/C/mail.xml:652(para)
20367
#: serverguide/C/mail.xml:710(para)
20370
20369
"See <ulink url=\"http://www.exim.org/\">exim.org</ulink> for more "
20371
20370
"information."
20374
#: serverguide/C/mail.xml:657(para)
20373
#: serverguide/C/mail.xml:715(para)
20376
20375
"There is also an <ulink url=\"http://www.uit.co.uk/content/exim-smtp-mail-"
20377
20376
"server\">Exim4 Book</ulink> available."
20380
#: serverguide/C/mail.xml:662(para)
20379
#: serverguide/C/mail.xml:720(para)
20382
20381
"Another resource is the <ulink "
20383
20382
"url=\"https://help.ubuntu.com/community/Exim4\">Exim4 Ubuntu Wiki </ulink> "
20387
#: serverguide/C/mail.xml:671(title)
20386
#: serverguide/C/mail.xml:729(title)
20388
20387
msgid "Dovecot Server"
20391
#: serverguide/C/mail.xml:672(para)
20390
#: serverguide/C/mail.xml:730(para)
20393
20392
"<application>Dovecot</application> is a Mail Delivery Agent, written with "
20394
20393
"security primarily in mind. It supports the major mailbox formats: mbox or "
20395
20394
"Maildir. This section explain how to set it up as an imap or pop3 server."
20398
#: serverguide/C/mail.xml:680(para)
20397
#: serverguide/C/mail.xml:738(para)
20400
20399
"To install <application>dovecot</application>, run the following command in "
20401
20400
"the command prompt:"
20404
#: serverguide/C/mail.xml:685(command)
20403
#: serverguide/C/mail.xml:743(command)
20405
20404
msgid "sudo apt-get install dovecot-imapd dovecot-pop3d"
20408
#: serverguide/C/mail.xml:690(para)
20407
#: serverguide/C/mail.xml:748(para)
20410
20409
"To configure <application>dovecot</application>, you can edit the file "
20411
20410
"<filename>/etc/dovecot/dovecot.conf</filename>. You can choose the protocol "
20513
20512
"<filename>/etc/dovecot/conf.d/10-ssl.conf</filename> configuration file."
20516
#: serverguide/C/mail.xml:786(title)
20515
#: serverguide/C/mail.xml:845(title)
20517
20516
msgid "Firewall Configuration for an Email Server"
20520
#: serverguide/C/mail.xml:792(para)
20519
#: serverguide/C/mail.xml:851(para)
20521
20520
msgid "IMAP - 143"
20524
#: serverguide/C/mail.xml:793(para)
20523
#: serverguide/C/mail.xml:852(para)
20525
20524
msgid "IMAPS - 993"
20528
#: serverguide/C/mail.xml:794(para)
20527
#: serverguide/C/mail.xml:853(para)
20529
20528
msgid "POP3 - 110"
20532
#: serverguide/C/mail.xml:795(para)
20531
#: serverguide/C/mail.xml:854(para)
20533
20532
msgid "POP3S - 995"
20536
#: serverguide/C/mail.xml:787(para)
20535
#: serverguide/C/mail.xml:846(para)
20538
20537
"To access your mail server from another computer, you must configure your "
20539
20538
"firewall to allow connections to the server on the necessary ports. "
20540
20539
"<placeholder-1/>"
20543
#: serverguide/C/mail.xml:804(para)
20542
#: serverguide/C/mail.xml:863(para)
20545
20544
"See the <ulink url=\"http://www.dovecot.org/\">Dovecot website</ulink> for "
20546
20545
"more information."
20549
#: serverguide/C/mail.xml:809(para)
20548
#: serverguide/C/mail.xml:868(para)
20551
20550
"Also, the <ulink url=\"https://help.ubuntu.com/community/Dovecot\">Dovecot "
20552
20551
"Ubuntu Wiki</ulink> page has more details."
20555
#: serverguide/C/mail.xml:818(title) serverguide/C/mail.xml:893(title) serverguide/C/mail.xml:1116(title)
20554
#: serverguide/C/mail.xml:877(title) serverguide/C/mail.xml:952(title) serverguide/C/mail.xml:1175(title)
20556
20555
msgid "Mailman"
20559
#: serverguide/C/mail.xml:819(para)
20558
#: serverguide/C/mail.xml:878(para)
20561
20560
"Mailman is an open source program for managing electronic mail discussions "
20562
20561
"and e-newsletter lists. Many open source mailing lists (including all the "
20565
20564
"and maintain."
20568
#: serverguide/C/mail.xml:829(para)
20567
#: serverguide/C/mail.xml:888(para)
20570
20569
"Mailman provides a web interface for the administrators and users, using an "
20571
20570
"external mail server to send and receive emails. It works perfectly with the "
20572
20571
"following mail servers:"
20575
#: serverguide/C/mail.xml:840(application)
20574
#: serverguide/C/mail.xml:899(application)
20579
#: serverguide/C/mail.xml:843(application)
20578
#: serverguide/C/mail.xml:902(application)
20580
20579
msgid "Sendmail"
20583
#: serverguide/C/mail.xml:846(application)
20582
#: serverguide/C/mail.xml:905(application)
20584
20583
msgid "Qmail"
20587
#: serverguide/C/mail.xml:851(para)
20586
#: serverguide/C/mail.xml:910(para)
20589
20588
"We will see how to install and configure Mailman with, the Apache web "
20590
20589
"server, and either the Postfix or Exim mail server. If you wish to install "
20591
20590
"Mailman with a different mail server, please refer to the references section."
20594
#: serverguide/C/mail.xml:858(para)
20593
#: serverguide/C/mail.xml:917(para)
20596
20595
"You only need to install one mail server and "
20597
20596
"<application>Postfix</application> is the default Ubuntu Mail Transfer Agent."
20600
#: serverguide/C/mail.xml:863(title) serverguide/C/mail.xml:920(title)
20599
#: serverguide/C/mail.xml:922(title) serverguide/C/mail.xml:979(title)
20601
20600
msgid "Apache2"
20604
#: serverguide/C/mail.xml:864(para)
20603
#: serverguide/C/mail.xml:923(para)
20606
20605
"To install apache2 you refer to <xref linkend=\"http-installation\"/> for "
20610
#: serverguide/C/mail.xml:870(para)
20609
#: serverguide/C/mail.xml:929(para)
20612
20611
"For instructions on installing and configuring Postfix refer to <xref "
20613
20612
"linkend=\"postfix\"/>"
20616
#: serverguide/C/mail.xml:876(para)
20615
#: serverguide/C/mail.xml:935(para)
20617
20616
msgid "To install Exim4 refer to <xref linkend=\"exim4\"/>."
20620
#: serverguide/C/mail.xml:879(para)
20619
#: serverguide/C/mail.xml:938(para)
20622
20621
"Once exim4 is installed, the configuration files are stored in the "
20623
20622
"<filename>/etc/exim4</filename> directory. In Ubuntu, by default, the exim4 "
20695
20694
"available/mailman.conf</filename> file if you wish to change this behavior."
20698
#: serverguide/C/mail.xml:948(para)
20697
#: serverguide/C/mail.xml:1007(para)
20700
20699
"For <application>Postfix</application> integration, we will associate the "
20701
20700
"domain lists.example.com with the mailing lists. Please replace "
20702
20701
"<emphasis>lists.example.com</emphasis> with the domain of your choosing."
20705
#: serverguide/C/mail.xml:952(para)
20704
#: serverguide/C/mail.xml:1011(para)
20707
20706
"You can use the postconf command to add the necessary configuration to "
20708
20707
"<filename>/etc/postfix/main.cf</filename>:"
20711
#: serverguide/C/mail.xml:956(command)
20710
#: serverguide/C/mail.xml:1015(command)
20712
20711
msgid "sudo postconf -e 'relay_domains = lists.example.com'"
20715
#: serverguide/C/mail.xml:957(command)
20714
#: serverguide/C/mail.xml:1016(command)
20716
20715
msgid "sudo postconf -e 'transport_maps = hash:/etc/postfix/transport'"
20719
#: serverguide/C/mail.xml:958(command)
20718
#: serverguide/C/mail.xml:1017(command)
20720
20719
msgid "sudo postconf -e 'mailman_destination_recipient_limit = 1'"
20723
#: serverguide/C/mail.xml:960(para)
20722
#: serverguide/C/mail.xml:1019(para)
20725
20724
"In <filename>/etc/postfix/master.cf</filename> double check that you have "
20726
20725
"the following transport:"
20729
#: serverguide/C/mail.xml:963(programlisting)
20728
#: serverguide/C/mail.xml:1022(programlisting)
20735
20734
" ${nexthop} ${user}\n"
20738
#: serverguide/C/mail.xml:968(para)
20737
#: serverguide/C/mail.xml:1027(para)
20740
20739
"It calls the <emphasis>postfix-to-mailman.py</emphasis> script when a mail "
20741
20740
"is delivered to a list."
20744
#: serverguide/C/mail.xml:971(para)
20743
#: serverguide/C/mail.xml:1030(para)
20746
20745
"Associate the domain lists.example.com to the Mailman transport with the "
20747
20746
"transport map. Edit the file <filename>/etc/postfix/transport</filename>:"
20750
#: serverguide/C/mail.xml:974(programlisting)
20749
#: serverguide/C/mail.xml:1033(programlisting)
20754
20753
"lists.example.com mailman:\n"
20757
#: serverguide/C/mail.xml:977(para)
20756
#: serverguide/C/mail.xml:1036(para)
20759
20758
"Now have <application>Postfix</application> build the transport map by "
20760
20759
"entering the following from a terminal prompt:"
20763
#: serverguide/C/mail.xml:981(command)
20762
#: serverguide/C/mail.xml:1040(command)
20764
20763
msgid "sudo postmap -v /etc/postfix/transport"
20767
#: serverguide/C/mail.xml:983(para)
20766
#: serverguide/C/mail.xml:1042(para)
20768
20767
msgid "Then restart Postfix to enable the new configurations:"
20771
#: serverguide/C/mail.xml:992(para)
20770
#: serverguide/C/mail.xml:1051(para)
20773
20772
"Once Exim4 is installed, you can start the Exim server using the following "
20774
20773
"command from a terminal prompt:"
20777
#: serverguide/C/mail.xml:1008(para) serverguide/C/mail.xml:1023(title)
20776
#: serverguide/C/mail.xml:1067(para) serverguide/C/mail.xml:1082(title)
20781
#: serverguide/C/mail.xml:1011(para) serverguide/C/mail.xml:1063(title)
20780
#: serverguide/C/mail.xml:1070(para) serverguide/C/mail.xml:1122(title)
20782
20781
msgid "Transport"
20785
#: serverguide/C/mail.xml:1014(para) serverguide/C/mail.xml:1086(title)
20784
#: serverguide/C/mail.xml:1073(para) serverguide/C/mail.xml:1145(title)
20786
20785
msgid "Router"
20789
#: serverguide/C/mail.xml:999(para)
20788
#: serverguide/C/mail.xml:1058(para)
20791
20790
"In order to make mailman work with Exim4, you need to configure Exim4. As "
20792
20791
"mentioned earlier, by default, Exim4 uses multiple configuration files of "
21056
21055
"spf</application>."
21059
#: serverguide/C/mail.xml:1251(para)
21058
#: serverguide/C/mail.xml:1310(para)
21061
21060
"<application>Amavisd-new</application> is a wrapper program that can call "
21062
21061
"any number of content filtering programs for spam detection, antivirus, etc."
21065
#: serverguide/C/mail.xml:1257(para)
21064
#: serverguide/C/mail.xml:1316(para)
21067
21066
"<application>Spamassassin</application> uses a variety of mechanisms to "
21068
21067
"filter email based on the message content."
21071
#: serverguide/C/mail.xml:1262(para)
21070
#: serverguide/C/mail.xml:1321(para)
21073
21072
"<application>ClamAV</application> is an open source antivirus application."
21076
#: serverguide/C/mail.xml:1267(para)
21075
#: serverguide/C/mail.xml:1326(para)
21078
21077
"<application>opendkim</application> implements a Sendmail Mail Filter "
21079
21078
"(Milter) for the DomainKeys Identified Mail (DKIM) standard."
21082
#: serverguide/C/mail.xml:1273(para)
21081
#: serverguide/C/mail.xml:1332(para)
21084
21083
"<application>python-policyd-spf</application> enables Sender Policy "
21085
21084
"Framework (SPF) checking with <application>Postfix</application>."
21088
#: serverguide/C/mail.xml:1278(para)
21087
#: serverguide/C/mail.xml:1337(para)
21089
21088
msgid "This is how the pieces fit together:"
21092
#: serverguide/C/mail.xml:1283(para)
21091
#: serverguide/C/mail.xml:1342(para)
21093
21092
msgid "An email message is accepted by <application>Postfix</application>."
21096
#: serverguide/C/mail.xml:1288(para)
21095
#: serverguide/C/mail.xml:1347(para)
21098
21097
"The message is passed through any external filters "
21099
21098
"<application>opendkim</application> and <application>python-policyd-"
21100
21099
"spf</application> in this case."
21103
#: serverguide/C/mail.xml:1294(para)
21102
#: serverguide/C/mail.xml:1353(para)
21104
21103
msgid "<application>Amavisd-new</application> then processes the message."
21107
#: serverguide/C/mail.xml:1299(para)
21106
#: serverguide/C/mail.xml:1358(para)
21109
21108
"<application>ClamAV</application> is used to scan the message. If the "
21110
21109
"message contains a virus <application>Postfix</application> will reject the "
21114
#: serverguide/C/mail.xml:1305(para)
21113
#: serverguide/C/mail.xml:1364(para)
21116
21115
"Clean messages will then be analyzed by "
21117
21116
"<application>Spamassassin</application> to find out if the message is spam. "
21132
#: serverguide/C/mail.xml:1319(para)
21131
#: serverguide/C/mail.xml:1378(para)
21134
21133
"See <xref linkend=\"postfix\"/> for instructions on installing and "
21135
21134
"configuring Postfix."
21138
#: serverguide/C/mail.xml:1322(para)
21137
#: serverguide/C/mail.xml:1381(para)
21140
21139
"To install the rest of the applications enter the following from a terminal "
21144
#: serverguide/C/mail.xml:1326(command)
21143
#: serverguide/C/mail.xml:1385(command)
21145
21144
msgid "sudo apt-get install amavisd-new spamassassin clamav-daemon"
21148
#: serverguide/C/mail.xml:1327(command)
21147
#: serverguide/C/mail.xml:1386(command)
21149
21148
msgid "sudo apt-get install opendkim postfix-policyd-spf-python"
21152
#: serverguide/C/mail.xml:1329(para)
21151
#: serverguide/C/mail.xml:1388(para)
21154
21153
"There are some optional packages that integrate with "
21155
21154
"<application>Spamassassin</application> for better spam detection:"
21158
#: serverguide/C/mail.xml:1333(command)
21157
#: serverguide/C/mail.xml:1392(command)
21159
21158
msgid "sudo apt-get install pyzor razor"
21162
#: serverguide/C/mail.xml:1335(para)
21161
#: serverguide/C/mail.xml:1394(para)
21164
21163
"Along with the main filtering applications compression utilities are needed "
21165
21164
"to process some email attachments:"
21168
#: serverguide/C/mail.xml:1339(command)
21167
#: serverguide/C/mail.xml:1398(command)
21170
21169
"sudo apt-get install arj cabextract cpio lha nomarch pax rar unrar unzip zip"
21173
#: serverguide/C/mail.xml:1342(para)
21172
#: serverguide/C/mail.xml:1401(para)
21175
21174
"If some packages are not found, check that the "
21176
21175
"<emphasis>multiverse</emphasis> repository is enabled in "
21177
21176
"<filename>/etc/apt/sources.list</filename>"
21180
#: serverguide/C/mail.xml:1343(para)
21179
#: serverguide/C/mail.xml:1402(para)
21182
21181
"If you make changes to the file, be sure to run <command>sudo apt-get "
21183
21182
"update</command> before trying to install again."
21186
#: serverguide/C/mail.xml:1348(para)
21185
#: serverguide/C/mail.xml:1407(para)
21187
21186
msgid "Now configure everything to work together and filter email."
21190
#: serverguide/C/mail.xml:1352(title)
21189
#: serverguide/C/mail.xml:1411(title)
21191
21190
msgid "ClamAV"
21194
#: serverguide/C/mail.xml:1353(para)
21193
#: serverguide/C/mail.xml:1412(para)
21196
21195
"The default behaviour of <application>ClamAV</application> will fit our "
21197
21196
"needs. For more ClamAV configuration options, check the configuration files "
21198
21197
"in <filename>/etc/clamav</filename>."
21201
#: serverguide/C/mail.xml:1358(para)
21200
#: serverguide/C/mail.xml:1417(para)
21203
21202
"Add the <emphasis>clamav</emphasis> user to the <emphasis>amavis</emphasis> "
21204
21203
"group in order for <application>Amavisd-new</application> to have the "
21205
21204
"appropriate access to scan files:"
21208
#: serverguide/C/mail.xml:1363(command)
21207
#: serverguide/C/mail.xml:1422(command)
21209
21208
msgid "sudo adduser clamav amavis"
21212
#: serverguide/C/mail.xml:1364(command)
21211
#: serverguide/C/mail.xml:1423(command)
21213
21212
msgid "sudo adduser amavis clamav"
21216
#: serverguide/C/mail.xml:1368(title)
21215
#: serverguide/C/mail.xml:1427(title)
21217
21216
msgid "Spamassassin"
21220
#: serverguide/C/mail.xml:1369(para)
21219
#: serverguide/C/mail.xml:1428(para)
21222
21221
"Spamassassin automatically detects optional components and will use them if "
21223
21222
"they are present. This means that there is no need to configure "
21224
21223
"<application>pyzor</application> and <application>razor</application>."
21227
#: serverguide/C/mail.xml:1373(para)
21226
#: serverguide/C/mail.xml:1432(para)
21229
21228
"Edit <filename>/etc/default/spamassassin</filename> to activate the "
21230
21229
"<application>Spamassassin</application> daemon. Change "
21231
21230
"<emphasis>ENABLED=0</emphasis> to:"
21234
#: serverguide/C/mail.xml:1377(programlisting)
21233
#: serverguide/C/mail.xml:1436(programlisting)
21238
21237
"ENABLED=1\n"
21241
#: serverguide/C/mail.xml:1380(para)
21240
#: serverguide/C/mail.xml:1439(para)
21242
21241
msgid "Now start the daemon:"
21366
21365
"<filename>/etc/amavis/conf.d/40-policy_banks</filename>."
21369
#: serverguide/C/mail.xml:1470(para)
21368
#: serverguide/C/mail.xml:1528(para)
21370
21369
msgid "There are multiple ways to configure the Whitelist for a domain:"
21373
#: serverguide/C/mail.xml:1476(para)
21372
#: serverguide/C/mail.xml:1534(para)
21375
21374
"<emphasis>'example.com' => 'WHITELIST',</emphasis>: will whitelist any "
21376
21375
"address from the \"example.com\" domain."
21379
#: serverguide/C/mail.xml:1481(para)
21378
#: serverguide/C/mail.xml:1539(para)
21381
21380
"<emphasis>'.example.com' => 'WHITELIST',</emphasis>: will whitelist any "
21382
21381
"address from any <emphasis>subdomains</emphasis> of \"example.com\" that "
21383
21382
"have a valid signature."
21386
#: serverguide/C/mail.xml:1487(para)
21385
#: serverguide/C/mail.xml:1545(para)
21388
21387
"<emphasis>'.example.com/@example.com' => 'WHITELIST',</emphasis>: will "
21389
21388
"whitelist subdomains of \"example.com\" that use the signature of <emphasis "
21390
21389
"role=\"italic\">example.com</emphasis> the parent domain."
21393
#: serverguide/C/mail.xml:1493(para)
21392
#: serverguide/C/mail.xml:1551(para)
21395
21394
"<emphasis>'./@example.com' => 'WHITELIST',</emphasis>: adds addresses "
21396
21395
"that have a valid signature from \"example.com\". This is usually used for "
21397
21396
"discussion groups that sign their messages."
21400
#: serverguide/C/mail.xml:1500(para)
21399
#: serverguide/C/mail.xml:1558(para)
21402
21401
"A domain can also have multiple Whitelist configurations. After editing the "
21403
21402
"file, restart <application>amavisd-new</application>:"
21406
#: serverguide/C/mail.xml:1510(para)
21405
#: serverguide/C/mail.xml:1568(para)
21408
21407
"In this context, once a domain has been added to the Whitelist the message "
21409
21408
"will not receive any anti-virus or spam filtering. This may or may not be "
21410
21409
"the intended behavior you wish for a domain."
21413
#: serverguide/C/mail.xml:1520(para)
21412
#: serverguide/C/mail.xml:1578(para)
21415
21414
"For <application>Postfix</application> integration, enter the following from "
21416
21415
"a terminal prompt:"
21419
#: serverguide/C/mail.xml:1524(command)
21418
#: serverguide/C/mail.xml:1582(command)
21420
21419
msgid "sudo postconf -e 'content_filter = smtp-amavis:[127.0.0.1]:10024'"
21423
#: serverguide/C/mail.xml:1526(para)
21422
#: serverguide/C/mail.xml:1584(para)
21425
21424
"Next edit <filename>/etc/postfix/master.cf</filename> and add the following "
21426
21425
"to the end of the file:"
21628
21627
"back to normal."
21631
#: serverguide/C/mail.xml:1689(para)
21630
#: serverguide/C/mail.xml:1747(para)
21632
21631
msgid "For more information on filtering mail see the following links:"
21635
#: serverguide/C/mail.xml:1695(ulink)
21634
#: serverguide/C/mail.xml:1753(ulink)
21636
21635
msgid "Amavisd-new Documentation"
21639
#: serverguide/C/mail.xml:1699(para)
21638
#: serverguide/C/mail.xml:1757(para)
21641
21640
"<ulink url=\"http://www.clamav.net/doc/latest/html/\">ClamAV "
21642
21641
"Documentation</ulink> and <ulink "
21643
21642
"url=\"http://wiki.clamav.net/Main/WebHome\">ClamAV Wiki</ulink>"
21646
#: serverguide/C/mail.xml:1706(ulink)
21645
#: serverguide/C/mail.xml:1764(ulink)
21647
21646
msgid "Spamassassin Wiki"
21650
#: serverguide/C/mail.xml:1711(ulink)
21649
#: serverguide/C/mail.xml:1769(ulink)
21651
21650
msgid "Pyzor Homepage"
21654
#: serverguide/C/mail.xml:1716(ulink)
21653
#: serverguide/C/mail.xml:1774(ulink)
21655
21654
msgid "Razor Homepage"
21658
#: serverguide/C/mail.xml:1721(ulink)
21657
#: serverguide/C/mail.xml:1779(ulink)
21659
21658
msgid "DKIM.org"
21662
#: serverguide/C/mail.xml:1726(ulink)
21661
#: serverguide/C/mail.xml:1784(ulink)
21663
21662
msgid "Postfix Amavis New"
21666
#: serverguide/C/mail.xml:1730(para)
21665
#: serverguide/C/mail.xml:1788(para)
21668
21667
"Also, feel free to ask questions in the <emphasis>#ubuntu-server</emphasis> "
21669
21668
"IRC channel on <ulink url=\"http://freenode.net\">freenode</ulink>."
21912
21910
#: serverguide/C/lamp-applications.xml:214(para)
21911
msgid "The version in the above example is determined by running:"
21914
#: serverguide/C/lamp-applications.xml:218(programlisting)
21918
"$ moin --version\n"
21921
#: serverguide/C/lamp-applications.xml:222(para)
21922
msgid "If the output shows version 1.9.7, your second line should be:"
21925
#: serverguide/C/lamp-applications.xml:226(programlisting)
21929
"alias /moin_static197 \"/usr/share/moin/htdocs\"\n"
21932
#: serverguide/C/lamp-applications.xml:230(para)
21914
21934
"Once you configure the <application>apache2</application> web server and "
21915
"make it ready for your Wiki application, you should restart it. You can run "
21935
"make it ready for your wiki application, you should restart it. You can run "
21916
21936
"the following command to restart the <application>apache2</application> web "
21920
#: serverguide/C/lamp-applications.xml:227(title) serverguide/C/installation.xml:1242(title)
21940
#: serverguide/C/lamp-applications.xml:243(title) serverguide/C/installation.xml:1315(title)
21921
21941
msgid "Verification"
21924
#: serverguide/C/lamp-applications.xml:229(para)
21944
#: serverguide/C/lamp-applications.xml:245(para)
21926
21946
"You can verify the Wiki application and see if it works by pointing your web "
21927
21947
"browser to the following URL:"
21930
#: serverguide/C/lamp-applications.xml:233(programlisting)
21950
#: serverguide/C/lamp-applications.xml:249(programlisting)
21934
21954
"http://localhost/mywiki\n"
21937
#: serverguide/C/lamp-applications.xml:237(para)
21957
#: serverguide/C/lamp-applications.xml:253(para)
21939
21959
"For more details, please refer to the <ulink "
21940
21960
"url=\"http://moinmo.in/\">MoinMoin</ulink> web site."
21943
#: serverguide/C/lamp-applications.xml:248(para)
21963
#: serverguide/C/lamp-applications.xml:264(para)
21945
21965
"For more information see the <ulink url=\"http://moinmo.in/\">moinmoin "
21946
21966
"Wiki</ulink>."
21949
#: serverguide/C/lamp-applications.xml:253(para)
21969
#: serverguide/C/lamp-applications.xml:269(para)
21951
21971
"Also, see the <ulink "
21952
21972
"url=\"https://help.ubuntu.com/community/MoinMoin\">Ubuntu Wiki "
21953
21973
"MoinMoin</ulink> page."
21956
#: serverguide/C/lamp-applications.xml:262(title)
21976
#: serverguide/C/lamp-applications.xml:278(title)
21957
21977
msgid "MediaWiki"
21960
#: serverguide/C/lamp-applications.xml:264(para)
21980
#: serverguide/C/lamp-applications.xml:280(para)
21962
21982
"MediaWiki is an web based Wiki software written in the PHP language. It can "
21963
21983
"either use <application>MySQL</application> or "
21964
21984
"<application>PostgreSQL</application> Database Management System."
21967
#: serverguide/C/lamp-applications.xml:274(para)
21987
#: serverguide/C/lamp-applications.xml:290(para)
21969
21989
"Before installing <application>MediaWiki</application> you should also "
21970
21990
"install <application>Apache2</application>, the "
22031
22051
"config/index.php</ulink> if your server has no GUI.)"
22034
#: serverguide/C/lamp-applications.xml:334(para)
22054
#: serverguide/C/lamp-applications.xml:350(para)
22036
22056
"Please read the <quote>Environmental checks</quote> section of the "
22037
22057
"configuration page. You should be able to fix many issues by carefully "
22038
22058
"reading this section."
22041
#: serverguide/C/lamp-applications.xml:330(para)
22061
#: serverguide/C/lamp-applications.xml:357(para)
22043
22063
"Once the configuration is complete, you should copy the "
22044
22064
"<filename>LocalSettings.php</filename> file to "
22045
22065
"<filename>/etc/mediawiki</filename> directory:"
22048
#: serverguide/C/lamp-applications.xml:337(command)
22068
#: serverguide/C/lamp-applications.xml:364(command)
22049
22069
msgid "sudo mv /var/lib/mediawiki/config/LocalSettings.php /etc/mediawiki/"
22052
#: serverguide/C/lamp-applications.xml:340(para)
22072
#: serverguide/C/lamp-applications.xml:367(para)
22054
22074
"You may also want to edit "
22055
22075
"<filename>/etc/mediawiki/LocalSettings.php</filename> in order to set the "
22056
22076
"memory limit (disabled by default):"
22059
#: serverguide/C/lamp-applications.xml:345(programlisting)
22079
#: serverguide/C/lamp-applications.xml:372(programlisting)
22063
22083
"ini_set( 'memory_limit', '64M' );\n"
22066
#: serverguide/C/lamp-applications.xml:352(title)
22086
#: serverguide/C/lamp-applications.xml:379(title)
22067
22087
msgid "Extensions"
22070
#: serverguide/C/lamp-applications.xml:353(para)
22090
#: serverguide/C/lamp-applications.xml:380(para)
22072
22092
"The extensions add new features and enhancements for the MediaWiki "
22073
22093
"application. The extensions give wiki administrators and end users the "
22074
22094
"ability to customize MediaWiki to their requirements."
22077
#: serverguide/C/lamp-applications.xml:359(para)
22097
#: serverguide/C/lamp-applications.xml:386(para)
22079
22099
"You can download MediaWiki extensions as an archive file or checkout from "
22080
22100
"the Subversion repository. You should copy it to "
22083
22103
"<filename>/etc/mediawiki/LocalSettings.php</filename>."
22086
#: serverguide/C/lamp-applications.xml:367(programlisting)
22106
#: serverguide/C/lamp-applications.xml:394(programlisting)
22090
22110
"require_once \"$IP/extensions/ExtentionName/ExtentionName.php\";\n"
22093
#: serverguide/C/lamp-applications.xml:377(para)
22113
#: serverguide/C/lamp-applications.xml:404(para)
22095
22115
"For more details, please refer to the <ulink "
22096
22116
"url=\"http://www.mediawiki.org\">MediaWiki</ulink> web site."
22099
#: serverguide/C/lamp-applications.xml:394(para)
22119
#: serverguide/C/lamp-applications.xml:410(para)
22101
22121
"The <ulink url=\"http://www.packtpub.com/Mediawiki/book\">MediaWiki "
22102
22122
"Administrators' Tutorial Guide</ulink> contains a wealth of information for "
22103
22123
"new MediaWiki administrators."
22106
#: serverguide/C/lamp-applications.xml:389(para)
22126
#: serverguide/C/lamp-applications.xml:416(para)
22108
22128
"Also, the <ulink url=\"https://help.ubuntu.com/community/MediaWiki\">Ubuntu "
22109
22129
"Wiki MediaWiki</ulink> page is a good resource."
22112
#: serverguide/C/lamp-applications.xml:399(title)
22132
#: serverguide/C/lamp-applications.xml:426(title)
22113
22133
msgid "phpMyAdmin"
22116
#: serverguide/C/lamp-applications.xml:401(para)
22136
#: serverguide/C/lamp-applications.xml:428(para)
22118
22138
"<application>phpMyAdmin</application> is a LAMP application specifically "
22119
22139
"written for administering <application>MySQL</application> servers. Written "
22188
22208
"remote database."
22191
#: serverguide/C/lamp-applications.xml:462(para)
22211
#: serverguide/C/lamp-applications.xml:489(para)
22193
22213
"Once configured, log out of <application>phpMyAdmin</application> and back "
22194
22214
"in, and you should be accessing the new server."
22197
#: serverguide/C/lamp-applications.xml:466(para)
22217
#: serverguide/C/lamp-applications.xml:493(para)
22199
22219
"The <filename>config.header.inc.php</filename> and "
22200
22220
"<filename>config.footer.inc.php</filename> files are used to add a HTML "
22201
22221
"header and footer to <application>phpMyAdmin</application>."
22204
#: serverguide/C/lamp-applications.xml:471(para)
22224
#: serverguide/C/lamp-applications.xml:498(para)
22206
22226
"Another important configuration file is "
22207
22227
"<filename>/etc/phpmyadmin/apache.conf</filename>, this file is symlinked to "
22208
"<filename>/etc/apache2/conf.d/phpmyadmin.conf</filename>, and is used to "
22209
"configure <application>Apache2</application> to serve the "
22210
"<application>phpMyAdmin</application> site. The file contains directives for "
22211
"loading <application>PHP</application>, directory permissions, etc. For more "
22212
"information on configuring <application>Apache2</application> see <xref "
22213
"linkend=\"httpd\"/>."
22216
#: serverguide/C/lamp-applications.xml:485(para)
22228
"<filename>/etc/apache2/conf-available/phpmyadmin.conf</filename>, and, once "
22229
"enabled, is used to configure <application>Apache2</application> to serve "
22230
"the <application>phpMyAdmin</application> site. The file contains directives "
22231
"for loading <application>PHP</application>, directory permissions, etc. From "
22235
#: serverguide/C/lamp-applications.xml:506(command)
22237
"sudo ln -s /etc/phpmyadmin/apache.conf /etc/apache2/conf-"
22238
"available/phpmyadmin.conf"
22241
#: serverguide/C/lamp-applications.xml:507(command)
22242
msgid "sudo a2enconf phpmyadmin.conf"
22245
#: serverguide/C/lamp-applications.xml:511(para)
22247
"For more information on configuring <application>Apache2</application> see "
22248
"<xref linkend=\"httpd\"/>."
22251
#: serverguide/C/lamp-applications.xml:522(para)
22218
22253
"The <application>phpMyAdmin</application> documentation comes installed with "
22219
22254
"the package and can be accessed from the <emphasis>phpMyAdmin "
22222
22257
"url=\"http://www.phpmyadmin.net/home_page/docs.php\">phpMyAdmin</ulink> site."
22225
#: serverguide/C/lamp-applications.xml:492(para)
22260
#: serverguide/C/lamp-applications.xml:529(para)
22227
22262
"Also, <ulink url=\"http://www.packtpub.com/phpmyadmin-3rd-"
22228
22263
"edition/book\">Mastering phpMyAdmin</ulink> is a great resource."
22231
#: serverguide/C/lamp-applications.xml:497(para)
22266
#: serverguide/C/lamp-applications.xml:534(para)
22233
22268
"A third resource is the <ulink "
22234
22269
"url=\"https://help.ubuntu.com/community/phpMyAdmin\">phpMyAdmin Ubuntu "
22235
22270
"Wiki</ulink> page."
22238
#: serverguide/C/lamp-applications.xml:517(title)
22273
#: serverguide/C/lamp-applications.xml:543(title)
22239
22274
msgid "WordPress"
22242
#: serverguide/C/lamp-applications.xml:518(para)
22277
#: serverguide/C/lamp-applications.xml:544(para)
22244
22279
"Wordpress is a blog tool, publishing platform and CMS implemented in PHP and "
22245
22280
"licensed under the GNU GPLv2."
22248
#: serverguide/C/lamp-applications.xml:524(para)
22283
#: serverguide/C/lamp-applications.xml:550(para)
22250
22285
"To install <application>WordPress</application>, run the following comand in "
22251
22286
"the command prompt:"
22254
#: serverguide/C/lamp-applications.xml:529(command)
22289
#: serverguide/C/lamp-applications.xml:555(command)
22255
22290
msgid "sudo apt-get install wordpress"
22258
#: serverguide/C/lamp-applications.xml:532(para)
22293
#: serverguide/C/lamp-applications.xml:558(para)
22260
22295
"You should also install <application>apache2</application> web server and "
22261
22296
"<application>mysql</application> server. For installing "
22437
22472
#: serverguide/C/introduction.xml:31(para)
22439
22474
"There are a couple of different ways that Ubuntu Server Edition is "
22440
"supported, commercial support and community support. The main commercial "
22441
"support (and development funding) is available from Canonical Ltd. They "
22442
"supply reasonably priced support contracts on a per desktop or per server "
22475
"supported: commercial support and community support. The main commercial "
22476
"support (and development funding) is available from Canonical, Ltd. They "
22477
"supply reasonably- priced support contracts on a per desktop or per server "
22443
22478
"basis. For more information see the <ulink "
22444
"url=\"http://www.canonical.com/services/support\">Canonical Services</ulink> "
22479
"url=\"http://www.ubuntu.com/management\">Ubuntu Advantage</ulink> page."
22448
#: serverguide/C/introduction.xml:38(para)
22482
#: serverguide/C/introduction.xml:40(para)
22450
"Community support is also provided by dedicated individuals, and companies, "
22484
"Community support is also provided by dedicated individuals and companies "
22451
22485
"that wish to make Ubuntu the best distribution possible. Support is provided "
22452
22486
"through multiple mailing lists, IRC channels, forums, blogs, wikis, etc. The "
22453
22487
"large amount of information available can be overwhelming, but a good search "
22696
22730
msgid "Next, the installer asks for the system's hostname."
22699
#: serverguide/C/installation.xml:195(para)
22733
#: serverguide/C/installation.xml:184(para)
22701
22735
"A new user is set up; this user will have <emphasis>root</emphasis> access "
22702
22736
"through the <application>sudo</application> utility."
22705
#: serverguide/C/installation.xml:201(para)
22739
#: serverguide/C/installation.xml:190(para)
22707
"After the user settings have been completed, you will be asked to encrypt "
22708
"your <filename role=\"directory\">home</filename> directory."
22741
"After the user settings have been completed, you will be asked if you want "
22742
"to encrypt your <filename role=\"directory\">home</filename> directory."
22711
22745
#: serverguide/C/installation.xml:196(para)
22712
22746
msgid "Next, the installer asks for the system's Time Zone."
22715
#: serverguide/C/installation.xml:182(para)
22749
#: serverguide/C/installation.xml:201(para)
22717
22751
"You can then choose from several options to configure the hard drive layout. "
22718
"Afterwards you are asked for which disk to install to. You may get "
22719
"confirmation prompts before rewriting the partition table or setting up LVM "
22720
"depending on disk layout. If you choose LVM, you will be asked for the size "
22721
"of the root logical volume. For advanced disk options see <xref "
22722
"linkend=\"advanced-installation\"/>."
22752
"Afterwards you are asked which disk to install to. You may get confirmation "
22753
"prompts before rewriting the partition table or setting up LVM depending on "
22754
"disk layout. If you choose LVM, you will be asked for the size of the root "
22755
"logical volume. For advanced disk options see <xref linkend=\"advanced-"
22756
"installation\"/>."
22725
#: serverguide/C/installation.xml:190(para)
22759
#: serverguide/C/installation.xml:209(para)
22726
22760
msgid "The Ubuntu base system is then installed."
22729
#: serverguide/C/installation.xml:207(para)
22763
#: serverguide/C/installation.xml:214(para)
22731
22765
"The next step in the installation process is to decide how you want to "
22732
22766
"update the system. There are three options:"
22735
#: serverguide/C/installation.xml:213(para)
22769
#: serverguide/C/installation.xml:220(para)
22737
22771
"<emphasis>No automatic updates</emphasis>: this requires an administrator to "
22738
22772
"log into the machine and manually install updates."
22741
#: serverguide/C/installation.xml:219(para)
22775
#: serverguide/C/installation.xml:226(para)
22743
22777
"<emphasis>Install security updates automatically</emphasis>: this will "
22744
22778
"install the <application>unattended-upgrades</application> package, which "
22787
22821
"Installation Guide</ulink>."
22790
#: serverguide/C/installation.xml:265(title)
22824
#: serverguide/C/installation.xml:272(title)
22791
22825
msgid "Package Tasks"
22794
#: serverguide/C/installation.xml:266(para)
22828
#: serverguide/C/installation.xml:273(para)
22796
22830
"During the Server Edition installation you have the option of installing "
22797
22831
"additional packages from the CD. The packages are grouped by the type of "
22798
22832
"service they provide."
22801
#: serverguide/C/installation.xml:272(para)
22835
#: serverguide/C/installation.xml:279(para)
22802
22836
msgid "DNS server: Selects the BIND DNS server and its documentation."
22805
#: serverguide/C/installation.xml:277(para)
22839
#: serverguide/C/installation.xml:284(para)
22806
22840
msgid "LAMP server: Selects a ready-made Linux/Apache/MySQL/PHP server."
22809
#: serverguide/C/installation.xml:282(para)
22843
#: serverguide/C/installation.xml:289(para)
22811
22845
"Mail server: This task selects a variety of packages useful for a general "
22812
22846
"purpose mail server system."
22815
#: serverguide/C/installation.xml:287(para)
22849
#: serverguide/C/installation.xml:294(para)
22816
22850
msgid "OpenSSH server: Selects packages needed for an OpenSSH server."
22819
#: serverguide/C/installation.xml:292(para)
22853
#: serverguide/C/installation.xml:299(para)
22821
22855
"PostgreSQL database: This task selects client and server packages for the "
22822
22856
"PostgreSQL database."
22825
#: serverguide/C/installation.xml:297(para)
22859
#: serverguide/C/installation.xml:304(para)
22826
22860
msgid "Print server: This task sets up your system to be a print server."
22829
#: serverguide/C/installation.xml:302(para)
22863
#: serverguide/C/installation.xml:309(para)
22831
22865
"Samba File server: This task sets up your system to be a Samba file server, "
22832
22866
"which is especially suitable in networks with both Windows and Linux systems."
22835
#: serverguide/C/installation.xml:308(para)
22869
#: serverguide/C/installation.xml:315(para)
22836
22870
msgid "Tomcat Java server: Installs Apache Tomcat and needed dependencies."
22839
#: serverguide/C/installation.xml:313(para)
22873
#: serverguide/C/installation.xml:320(para)
22841
22875
"Virtual Machine host: Includes packages needed to run KVM virtual machines."
22844
#: serverguide/C/installation.xml:318(para)
22878
#: serverguide/C/installation.xml:325(para)
22846
22880
"Manually select packages: Executes <application>aptitude</application> "
22847
22881
"allowing you to individually select packages."
22850
#: serverguide/C/installation.xml:323(para)
22884
#: serverguide/C/installation.xml:330(para)
22852
22886
"Installing the package groups is accomplished using the "
22853
22887
"<application>tasksel</application> utility. One of the important differences "
22904
#: serverguide/C/installation.xml:359(para)
22938
#: serverguide/C/installation.xml:366(para)
22906
22940
"If you did not install one of the tasks during the installation process, but "
22907
22941
"for example you decide to make your new LAMP server a DNS server as well, "
22908
22942
"simply insert the installation CD and from a terminal:"
22911
#: serverguide/C/installation.xml:364(command)
22945
#: serverguide/C/installation.xml:371(command)
22912
22946
msgid "sudo tasksel install dns-server"
22915
#: serverguide/C/installation.xml:369(title)
22949
#: serverguide/C/installation.xml:376(title)
22916
22950
msgid "Upgrading"
22919
#: serverguide/C/installation.xml:370(para)
22953
#: serverguide/C/installation.xml:377(para)
22921
22955
"There are several ways to upgrade from one Ubuntu release to another. This "
22922
22956
"section gives an overview of the recommended upgrade method."
22925
#: serverguide/C/installation.xml:374(title) serverguide/C/installation.xml:389(command)
22959
#: serverguide/C/installation.xml:381(title) serverguide/C/installation.xml:396(command)
22926
22960
msgid "do-release-upgrade"
22929
#: serverguide/C/installation.xml:375(para)
22963
#: serverguide/C/installation.xml:382(para)
22931
22965
"The recommended way to upgrade a Server Edition installation is to use the "
22932
22966
"<application>do-release-upgrade</application> utility. Part of the "
22942
22976
"system configuration changes sometimes needed between releases."
22945
#: serverguide/C/installation.xml:385(para)
22979
#: serverguide/C/installation.xml:392(para)
22946
22980
msgid "To upgrade to a newer release, from a terminal prompt enter:"
22949
#: serverguide/C/installation.xml:391(para)
22983
#: serverguide/C/installation.xml:398(para)
22951
22985
"It is also possible to use <application>do-release-upgrade</application> to "
22952
22986
"upgrade to a development version of Ubuntu. To accomplish this use the "
22953
22987
"<emphasis>-d</emphasis> switch:"
22956
#: serverguide/C/installation.xml:396(command)
22990
#: serverguide/C/installation.xml:403(command)
22957
22991
msgid "do-release-upgrade -d"
22960
#: serverguide/C/installation.xml:399(para)
22994
#: serverguide/C/installation.xml:406(para)
22962
22996
"Upgrading to a development release is <emphasis>not</emphasis> recommended "
22963
22997
"for production environments."
22966
#: serverguide/C/installation.xml:406(title)
23000
#: serverguide/C/installation.xml:413(title)
22967
23001
msgid "Advanced Installation"
22970
#: serverguide/C/installation.xml:409(title)
23004
#: serverguide/C/installation.xml:416(title)
22971
23005
msgid "Software RAID"
22974
#: serverguide/C/installation.xml:411(para)
23008
#: serverguide/C/installation.xml:418(para)
22976
23010
"Redundant Array of Independent Disks \"RAID\" is a method of using multiple "
22977
23011
"disks to provide different balances of increasing data reliability and/or "
22992
23026
"another for <emphasis>swap</emphasis>."
22995
#: serverguide/C/virtualization.xml:716(title) serverguide/C/installation.xml:427(title)
23029
#: serverguide/C/installation.xml:434(title)
22996
23030
msgid "Partitioning"
22999
#: serverguide/C/installation.xml:429(para) serverguide/C/installation.xml:951(para)
23033
#: serverguide/C/installation.xml:436(para) serverguide/C/installation.xml:958(para)
23001
23035
"Follow the installation steps until you get to the <emphasis>Partition "
23002
23036
"disks</emphasis> step, then:"
23005
#: serverguide/C/installation.xml:436(para)
23039
#: serverguide/C/installation.xml:443(para)
23006
23040
msgid "Select <emphasis>Manual</emphasis> as the partition method."
23009
#: serverguide/C/installation.xml:443(para)
23043
#: serverguide/C/installation.xml:450(para)
23011
23045
"Select the first hard drive, and agree to <emphasis>\"Create a new empty "
23012
23046
"partition table on this device?\"</emphasis>."
23015
#: serverguide/C/installation.xml:447(para)
23049
#: serverguide/C/installation.xml:454(para)
23017
23051
"Repeat this step for each drive you wish to be part of the RAID array."
23020
#: serverguide/C/installation.xml:454(para)
23054
#: serverguide/C/installation.xml:461(para)
23022
23056
"Select the <emphasis>\"FREE SPACE\"</emphasis> on the first drive then "
23023
23057
"select <emphasis>\"Create a new partition\"</emphasis>."
23026
#: serverguide/C/installation.xml:461(para)
23060
#: serverguide/C/installation.xml:468(para)
23028
23062
"Next, select the <emphasis>Size</emphasis> of the partition. This partition "
23029
23063
"will be the <emphasis>swap</emphasis> partition, and a general rule for swap "
23069
23103
"<emphasis>\"Done setting up partition\"</emphasis>."
23072
#: serverguide/C/installation.xml:511(para)
23106
#: serverguide/C/installation.xml:518(para)
23073
23107
msgid "Repeat steps three through eight for the other disk and partitions."
23076
#: serverguide/C/installation.xml:520(title)
23110
#: serverguide/C/installation.xml:527(title)
23077
23111
msgid "RAID Configuration"
23080
#: serverguide/C/installation.xml:522(para)
23114
#: serverguide/C/installation.xml:529(para)
23081
23115
msgid "With the partitions setup the arrays are ready to be configured:"
23084
#: serverguide/C/installation.xml:529(para)
23118
#: serverguide/C/installation.xml:536(para)
23086
23120
"Back in the main \"Partition Disks\" page, select <emphasis>\"Configure "
23087
23121
"Software RAID\"</emphasis> at the top."
23090
#: serverguide/C/installation.xml:536(para)
23124
#: serverguide/C/installation.xml:543(para)
23091
23125
msgid "Select <emphasis>\"yes\"</emphasis> to write the changes to disk."
23094
#: serverguide/C/installation.xml:543(para)
23128
#: serverguide/C/installation.xml:550(para)
23095
23129
msgid "Choose <emphasis>\"Create MD device\"</emphasis>."
23098
#: serverguide/C/installation.xml:550(para)
23132
#: serverguide/C/installation.xml:557(para)
23100
23134
"For this example, select <emphasis>\"RAID1\"</emphasis>, but if you are "
23101
23135
"using a different setup choose the appropriate type (RAID0 RAID1 RAID5)."
23104
#: serverguide/C/installation.xml:556(para)
23138
#: serverguide/C/installation.xml:563(para)
23106
23140
"In order to use <emphasis>RAID5</emphasis> you need at least "
23107
23141
"<emphasis>three</emphasis> drives. Using RAID0 or RAID1 only "
23108
23142
"<emphasis>two</emphasis> drives are required."
23111
#: serverguide/C/installation.xml:565(para)
23145
#: serverguide/C/installation.xml:572(para)
23113
23147
"Enter the number of active devices <emphasis>\"2\"</emphasis>, or the amount "
23114
23148
"of hard drives you have, for the array. Then select "
23115
23149
"<emphasis>\"Continue\"</emphasis>."
23118
#: serverguide/C/installation.xml:573(para)
23152
#: serverguide/C/installation.xml:580(para)
23120
23154
"Next, enter the number of spare devices <emphasis>\"0\"</emphasis> by "
23121
23155
"default, then choose <emphasis>\"Continue\"</emphasis>."
23124
#: serverguide/C/installation.xml:580(para)
23158
#: serverguide/C/installation.xml:587(para)
23126
23160
"Choose which partitions to use. Generally they will be sda1, sdb1, sdc1, "
23127
23161
"etc. The numbers will usually match and the different letters correspond to "
23128
23162
"different hard drives."
23131
#: serverguide/C/installation.xml:585(para)
23165
#: serverguide/C/installation.xml:592(para)
23133
23167
"For the <emphasis>swap</emphasis> partition choose <emphasis>sda1</emphasis> "
23134
23168
"and <emphasis>sdb1</emphasis>. Select <emphasis>\"Continue\"</emphasis> to "
23135
23169
"go to the next step."
23138
#: serverguide/C/installation.xml:593(para)
23172
#: serverguide/C/installation.xml:600(para)
23140
23174
"Repeat steps <emphasis>three</emphasis> through <emphasis>seven</emphasis> "
23141
23175
"for the <emphasis>/</emphasis> partition choosing <emphasis>sda2</emphasis> "
23142
23176
"and <emphasis>sdb2</emphasis>."
23145
#: serverguide/C/installation.xml:601(para)
23179
#: serverguide/C/installation.xml:608(para)
23146
23180
msgid "Once done select <emphasis>\"Finish\"</emphasis>."
23149
#: serverguide/C/installation.xml:611(title)
23183
#: serverguide/C/installation.xml:618(title)
23150
23184
msgid "Formatting"
23153
#: serverguide/C/installation.xml:613(para)
23187
#: serverguide/C/installation.xml:620(para)
23155
23189
"There should now be a list of hard drives and RAID devices. The next step is "
23156
23190
"to format and set the mount point for the RAID devices. Treat the RAID "
23157
23191
"device as a local hard drive, format and mount accordingly."
23160
#: serverguide/C/installation.xml:621(para)
23194
#: serverguide/C/installation.xml:628(para)
23162
23196
"Select <emphasis>\"#1\"</emphasis> under the <emphasis>\"RAID1 device "
23163
23197
"#0\"</emphasis> partition."
23166
#: serverguide/C/installation.xml:628(para)
23200
#: serverguide/C/installation.xml:635(para)
23168
23202
"Choose <emphasis>\"Use as:\"</emphasis>. Then select <emphasis>\"swap "
23169
23203
"area\"</emphasis>, then <emphasis>\"Done setting up partition\"</emphasis>."
23172
#: serverguide/C/installation.xml:636(para)
23206
#: serverguide/C/installation.xml:643(para)
23174
23208
"Next, select <emphasis>\"#1\"</emphasis> under the <emphasis>\"RAID1 device "
23175
23209
"#1\"</emphasis> partition."
23178
#: serverguide/C/installation.xml:643(para)
23212
#: serverguide/C/installation.xml:650(para)
23180
23214
"Choose <emphasis>\"Use as:\"</emphasis>. Then select <emphasis>\"Ext4 "
23181
23215
"journaling file system\"</emphasis>."
23184
#: serverguide/C/installation.xml:650(para)
23218
#: serverguide/C/installation.xml:657(para)
23186
23220
"Then select the <emphasis>\"Mount point\"</emphasis> and choose "
23187
23221
"<emphasis>\"/ - the root file system\"</emphasis>. Change any of the other "
23189
23223
"partition\"</emphasis>."
23192
#: serverguide/C/installation.xml:658(para)
23226
#: serverguide/C/installation.xml:665(para)
23194
23228
"Finally, select <emphasis>\"Finish partitioning and write changes to "
23195
23229
"disk\"</emphasis>."
23198
#: serverguide/C/installation.xml:665(para)
23232
#: serverguide/C/installation.xml:672(para)
23200
23234
"If you choose to place the root partition on a RAID array, the installer "
23201
23235
"will then ask if you would like to boot in a <emphasis>degraded</emphasis> "
23202
23236
"state. See <xref linkend=\"raid-degraded\"/> for further details."
23205
#: serverguide/C/installation.xml:670(para)
23239
#: serverguide/C/installation.xml:677(para)
23206
23240
msgid "The installation process will then continue normally."
23209
#: serverguide/C/installation.xml:676(title)
23243
#: serverguide/C/installation.xml:683(title)
23210
23244
msgid "Degraded RAID"
23213
#: serverguide/C/installation.xml:678(para)
23247
#: serverguide/C/installation.xml:685(para)
23215
23249
"At some point in the life of the computer a disk failure event may occur. "
23216
23250
"When this happens, using Software RAID, the operating system will place the "
23217
23251
"array into what is known as a <emphasis>degraded</emphasis> state."
23220
#: serverguide/C/installation.xml:683(para)
23254
#: serverguide/C/installation.xml:690(para)
23222
23256
"If the array has become degraded, due to the chance of data corruption, by "
23223
23257
"default Ubuntu Server Edition will boot to <emphasis>initramfs</emphasis> "
23249
23283
"behavior, and can also be manually edited:"
23252
#: serverguide/C/installation.xml:713(programlisting)
23286
#: serverguide/C/installation.xml:720(programlisting)
23256
23290
"BOOT_DEGRADED=true\n"
23259
#: serverguide/C/installation.xml:718(para)
23293
#: serverguide/C/installation.xml:725(para)
23260
23294
msgid "The configuration file can be overridden by using a Kernel argument."
23263
#: serverguide/C/installation.xml:726(para)
23297
#: serverguide/C/installation.xml:733(para)
23265
23299
"Using a Kernel argument will allow the system to boot to a degraded array as "
23269
#: serverguide/C/installation.xml:732(para)
23303
#: serverguide/C/installation.xml:739(para)
23271
23305
"When the server is booting press <keycap>Shift</keycap> to open the "
23272
23306
"<application>Grub</application> menu."
23275
#: serverguide/C/installation.xml:737(para)
23309
#: serverguide/C/installation.xml:744(para)
23276
23310
msgid "Press <keycap>e</keycap> to edit your kernel command options."
23279
#: serverguide/C/installation.xml:742(para)
23313
#: serverguide/C/installation.xml:749(para)
23280
23314
msgid "Press the <keycap>down</keycap> arrow to highlight the kernel line."
23283
#: serverguide/C/installation.xml:747(para)
23317
#: serverguide/C/installation.xml:754(para)
23285
23319
"Add <emphasis>\"bootdegraded=true\"</emphasis> (without the quotes) to the "
23286
23320
"end of the line."
23289
#: serverguide/C/installation.xml:752(para)
23323
#: serverguide/C/installation.xml:759(para)
23291
23325
"Press <keycombo><keycap>Ctrl</keycap><keycap>x</keycap></keycombo> to boot "
23292
23326
"the system."
23295
#: serverguide/C/installation.xml:761(para)
23329
#: serverguide/C/installation.xml:768(para)
23297
23331
"Once the system has booted you can either repair the array see <xref "
23298
23332
"linkend=\"raid-maintenance\"/> for details, or copy important data to "
23299
23333
"another machine due to major hardware failure."
23302
#: serverguide/C/installation.xml:768(title)
23336
#: serverguide/C/installation.xml:775(title)
23303
23337
msgid "RAID Maintenance"
23306
#: serverguide/C/installation.xml:770(para)
23340
#: serverguide/C/installation.xml:777(para)
23308
23342
"The <application>mdadm</application> utility can be used to view the status "
23309
23343
"of an array, add disks to an array, remove disks, etc:"
23312
#: serverguide/C/installation.xml:777(para)
23346
#: serverguide/C/installation.xml:784(para)
23313
23347
msgid "To view the status of an array, from a terminal prompt enter:"
23316
#: serverguide/C/installation.xml:781(command)
23350
#: serverguide/C/installation.xml:788(command)
23317
23351
msgid "sudo mdadm -D /dev/md0"
23320
#: serverguide/C/installation.xml:784(para)
23354
#: serverguide/C/installation.xml:791(para)
23322
23356
"The <emphasis>-D</emphasis> tells <application>mdadm</application> to "
23323
23357
"display <emphasis>detailed</emphasis> information about the "
23325
23359
"with the appropriate RAID device."
23328
#: serverguide/C/installation.xml:790(para)
23362
#: serverguide/C/installation.xml:797(para)
23329
23363
msgid "To view the status of a disk in an array:"
23332
#: serverguide/C/installation.xml:794(command)
23366
#: serverguide/C/installation.xml:801(command)
23333
23367
msgid "sudo mdadm -E /dev/sda1"
23336
#: serverguide/C/installation.xml:796(para)
23370
#: serverguide/C/installation.xml:803(para)
23338
23372
"The output if very similar to the <command>mdadm -D</command> command, "
23339
23373
"adjust <filename>/dev/sda1</filename> for each disk."
23342
#: serverguide/C/installation.xml:801(para)
23376
#: serverguide/C/installation.xml:808(para)
23343
23377
msgid "If a disk fails and needs to be removed from an array enter:"
23346
#: serverguide/C/installation.xml:805(command)
23380
#: serverguide/C/installation.xml:812(command)
23347
23381
msgid "sudo mdadm --remove /dev/md0 /dev/sda1"
23350
#: serverguide/C/installation.xml:807(para)
23384
#: serverguide/C/installation.xml:814(para)
23352
23386
"Change <filename>/dev/md0</filename> and <filename>/dev/sda1</filename> to "
23353
23387
"the appropriate RAID device and disk."
23356
#: serverguide/C/installation.xml:812(para)
23390
#: serverguide/C/installation.xml:819(para)
23357
23391
msgid "Similarly, to add a new disk:"
23360
#: serverguide/C/installation.xml:816(command)
23394
#: serverguide/C/installation.xml:823(command)
23361
23395
msgid "sudo mdadm --add /dev/md0 /dev/sda1"
23364
#: serverguide/C/installation.xml:821(para)
23398
#: serverguide/C/installation.xml:828(para)
23366
23400
"Sometimes a disk can change to a <emphasis>faulty</emphasis> state even "
23367
23401
"though there is nothing physically wrong with the drive. It is usually "
23417
#: serverguide/C/installation.xml:858(command)
23451
#: serverguide/C/installation.xml:865(command)
23418
23452
msgid "sudo grub-install /dev/md0"
23421
#: serverguide/C/installation.xml:861(para)
23455
#: serverguide/C/installation.xml:868(para)
23423
23457
"Replace <filename>/dev/md0</filename> with the appropriate array device name."
23426
#: serverguide/C/installation.xml:869(para)
23460
#: serverguide/C/installation.xml:876(para)
23428
23462
"The topic of RAID arrays is a complex one due to the plethora of ways RAID "
23429
23463
"can be configured. Please see the following links for more information:"
23432
#: serverguide/C/installation.xml:876(para)
23466
#: serverguide/C/installation.xml:883(para)
23434
23468
"<ulink url=\"https://help.ubuntu.com/community/Installation#raid\">Ubuntu "
23435
23469
"Wiki Articles on RAID</ulink>."
23438
#: serverguide/C/installation.xml:882(ulink)
23472
#: serverguide/C/installation.xml:889(ulink) serverguide/C/installation.xml:1164(ulink)
23439
23473
msgid "Software RAID HOWTO"
23442
#: serverguide/C/installation.xml:887(ulink)
23476
#: serverguide/C/installation.xml:894(ulink)
23443
23477
msgid "Managing RAID on Linux"
23446
#: serverguide/C/installation.xml:894(title)
23480
#: serverguide/C/installation.xml:901(title)
23447
23481
msgid "Logical Volume Manager (LVM)"
23450
#: serverguide/C/installation.xml:896(para)
23484
#: serverguide/C/installation.xml:903(para)
23452
23486
"Logical Volume Manger, or <emphasis>LVM</emphasis>, allows administrators to "
23453
23487
"create <emphasis>logical</emphasis> volumes out of one or multiple physical "
23456
23490
"giving greater flexibility to systems as requirements change."
23459
#: serverguide/C/installation.xml:905(para)
23493
#: serverguide/C/installation.xml:912(para)
23461
23495
"A side effect of LVM's power and flexibility is a greater degree of "
23462
23496
"complication. Before diving into the LVM installation process, it is best to "
23463
23497
"get familiar with some terms."
23466
#: serverguide/C/installation.xml:912(para)
23500
#: serverguide/C/installation.xml:919(para)
23468
23502
"<emphasis>Physical Volume (PV):</emphasis> physical hard disk, disk "
23469
23503
"partition or software RAID partition formatted as LVM PV."
23472
#: serverguide/C/installation.xml:918(para)
23506
#: serverguide/C/installation.xml:925(para)
23474
23508
"<emphasis>Volume Group (VG):</emphasis> is made from one or more physical "
23475
23509
"volumes. A VG can can be extended by adding more PVs. A VG is like a virtual "
23476
23510
"disk drive, from which one or more logical volumes are carved."
23479
#: serverguide/C/installation.xml:924(para)
23513
#: serverguide/C/installation.xml:931(para)
23481
23515
"<emphasis>Logical Volume (LV):</emphasis> is similar to a partition in a non-"
23482
23516
"LVM system. A LV is formatted with the desired file system (EXT3, XFS, JFS, "
23483
23517
"etc), it is then available for mounting and data storage."
23486
#: serverguide/C/installation.xml:935(para)
23520
#: serverguide/C/installation.xml:942(para)
23488
23522
"As an example this section covers installing Ubuntu Server Edition with "
23489
23523
"<filename role=\"directory\">/srv</filename> mounted on a LVM volume. During "
23565
23599
"select <emphasis>\"Done setting up the partition\"</emphasis>."
23568
#: serverguide/C/installation.xml:1024(para)
23602
#: serverguide/C/installation.xml:1031(para)
23570
23604
"Finally, select <emphasis>\"Finish partitioning and write changes to "
23571
23605
"disk\"</emphasis>. Then confirm the changes and continue with the rest of "
23572
23606
"the installation."
23575
#: serverguide/C/installation.xml:1032(para)
23609
#: serverguide/C/installation.xml:1039(para)
23576
23610
msgid "There are some useful utilities to view information about LVM:"
23579
#: serverguide/C/installation.xml:1037(para)
23613
#: serverguide/C/installation.xml:1044(para)
23581
23615
"<emphasis>pvdisplay:</emphasis> shows information about Physical Volumes."
23584
#: serverguide/C/installation.xml:1038(para)
23618
#: serverguide/C/installation.xml:1045(para)
23586
23620
"<emphasis>vgdisplay:</emphasis> shows information about Volume Groups."
23589
#: serverguide/C/installation.xml:1039(para)
23623
#: serverguide/C/installation.xml:1046(para)
23591
23625
"<emphasis>lvdisplay:</emphasis> shows information about Logical Volumes."
23594
#: serverguide/C/installation.xml:1044(title)
23628
#: serverguide/C/installation.xml:1051(title)
23595
23629
msgid "Extending Volume Groups"
23598
#: serverguide/C/installation.xml:1046(para)
23632
#: serverguide/C/installation.xml:1053(para)
23600
23634
"Continuing with <emphasis>srv</emphasis> as an LVM volume example, this "
23601
23635
"section covers adding a second hard disk, creating a Physical Volume (PV), "
23607
23641
"partitions and use them as different physical volumes)"
23610
#: serverguide/C/installation.xml:1054(para)
23644
#: serverguide/C/installation.xml:1061(para)
23612
23646
"Make sure you don't already have an existing <filename>/dev/sdb</filename> "
23613
23647
"before issuing the commands below. You could lose some data if you issue "
23614
23648
"those commands on a non-empty disk."
23617
#: serverguide/C/installation.xml:1062(para)
23651
#: serverguide/C/installation.xml:1069(para)
23618
23652
msgid "First, create the physical volume, in a terminal execute:"
23621
#: serverguide/C/installation.xml:1067(command)
23655
#: serverguide/C/installation.xml:1074(command)
23622
23656
msgid "sudo pvcreate /dev/sdb"
23625
#: serverguide/C/installation.xml:1073(para)
23659
#: serverguide/C/installation.xml:1080(para)
23626
23660
msgid "Now extend the Volume Group (VG):"
23629
#: serverguide/C/installation.xml:1078(command)
23663
#: serverguide/C/installation.xml:1085(command)
23630
23664
msgid "sudo vgextend vg01 /dev/sdb"
23633
#: serverguide/C/installation.xml:1084(para)
23667
#: serverguide/C/installation.xml:1091(para)
23635
23669
"Use <application>vgdisplay</application> to find out the free physical "
23636
23670
"extents - Free PE / size (the size you can allocate). We will assume a free "
23664
23698
"first is compulsory)."
23667
#: serverguide/C/installation.xml:1112(para)
23701
#: serverguide/C/installation.xml:1119(para)
23669
23703
"The following commands are for an <emphasis>EXT3</emphasis> or "
23670
23704
"<emphasis>EXT4</emphasis> filesystem. If you are using another filesystem "
23671
23705
"there may be other utilities available."
23674
#: serverguide/C/installation.xml:1119(command)
23675
msgid "sudo e2fsck -f /dev/vg01/srv"
23678
#: serverguide/C/installation.xml:1122(para)
23680
"The <emphasis>-f</emphasis> option of <application>e2fsck</application> "
23681
"forces checking even if the system seems clean."
23684
#: serverguide/C/installation.xml:1129(para)
23685
msgid "Finally, resize the filesystem:"
23688
#: serverguide/C/installation.xml:1134(command)
23689
msgid "sudo resize2fs /dev/vg01/srv"
23692
#: serverguide/C/installation.xml:1140(para)
23708
#: serverguide/C/installation.xml:1127(para) serverguide/C/installation.xml:1130(para) serverguide/C/installation.xml:1133(para)
23693
23709
msgid "Now mount the partition and check its size."
23696
#: serverguide/C/installation.xml:1145(command)
23712
#: serverguide/C/installation.xml:1136(para)
23714
"asldkjf sdkja;lkjfeoi dfkjsljfe;lij sfljsefisjoij skfm;lwemf;e msdlfsadlkf;k."
23717
#: serverguide/C/installation.xml:1141(command)
23697
23718
msgid "mount /dev/vg01/srv /srv && df -h /srv"
23700
#: serverguide/C/installation.xml:1157(para)
23721
#: serverguide/C/installation.xml:1153(para)
23702
23723
"See the <ulink "
23703
23724
"url=\"https://help.ubuntu.com/community/Installation#lvm\">Ubuntu Wiki LVM "
23704
23725
"Articles</ulink>."
23707
#: serverguide/C/installation.xml:1162(para)
23728
#: serverguide/C/installation.xml:1158(para)
23709
23730
"See the <ulink url=\"http://tldp.org/HOWTO/LVM-HOWTO/index.html\">LVM "
23710
23731
"HOWTO</ulink> for more information."
23713
#: serverguide/C/installation.xml:1167(para)
23715
"Another good article is <ulink "
23716
"url=\"http://www.linuxdevcenter.com/pub/a/linux/2006/04/27/managing-disk-"
23717
"space-with-lvm.html\">Managing Disk Space with LVM</ulink> on O'Reilly's "
23718
"linuxdevcenter.com site."
23721
#: serverguide/C/installation.xml:1181(para)
23723
"For more information on <application>fdisk</application> see the <ulink "
23724
"url=\"http://manpages.ubuntu.com/manpages/trusty/en/man8/fdisk.8.html\">fdisk"
23725
" man page</ulink>."
23728
#: serverguide/C/installation.xml:1185(title)
23734
#: serverguide/C/installation.xml:1171(title)
23738
#: serverguide/C/installation.xml:1174(para)
23739
msgid "bla bla 4 para."
23742
#: serverguide/C/installation.xml:1179(para)
23743
msgid "bla bla 5 para."
23746
#: serverguide/C/installation.xml:1184(para)
23747
msgid "list item 1."
23750
#: serverguide/C/installation.xml:1189(para)
23751
msgid "list item 2."
23754
#: serverguide/C/installation.xml:1194(para)
23755
msgid "list item 3."
23758
#: serverguide/C/installation.xml:1199(para)
23759
msgid "bla bla para"
23762
#: serverguide/C/installation.xml:1204(para)
23763
msgid "bla bla 6 para."
23766
#: serverguide/C/installation.xml:1209(para)
23767
msgid "bla bla 7 para."
23770
#: serverguide/C/installation.xml:1214(para)
23771
msgid "bla bla 8 para."
23774
#: serverguide/C/installation.xml:1219(para)
23775
msgid "bla bla 9 para."
23778
#: serverguide/C/installation.xml:1226(title)
23782
#: serverguide/C/installation.xml:1229(title)
23786
#: serverguide/C/installation.xml:1232(title)
23790
#: serverguide/C/installation.xml:1235(title)
23794
#: serverguide/C/installation.xml:1238(title)
23798
#: serverguide/C/installation.xml:1241(title)
23802
#: serverguide/C/installation.xml:1244(title)
23806
#: serverguide/C/installation.xml:1247(title)
23810
#: serverguide/C/installation.xml:1250(title)
23814
#: serverguide/C/installation.xml:1253(title)
23818
#: serverguide/C/installation.xml:1258(title)
23729
23819
msgid "Kernel Crash Dump"
23732
#: serverguide/C/installation.xml:1192(para)
23822
#: serverguide/C/installation.xml:1265(para)
23733
23823
msgid "Kernel Panic"
23736
#: serverguide/C/installation.xml:1193(para)
23826
#: serverguide/C/installation.xml:1266(para)
23737
23827
msgid "Non Maskable Interrupts (NMI)"
23740
#: serverguide/C/installation.xml:1194(para)
23830
#: serverguide/C/installation.xml:1267(para)
23741
23831
msgid "Machine Check Exceptions (MCE)"
23744
#: serverguide/C/installation.xml:1195(para)
23834
#: serverguide/C/installation.xml:1268(para)
23745
23835
msgid "Hardware failure"
23748
#: serverguide/C/installation.xml:1196(para)
23838
#: serverguide/C/installation.xml:1269(para)
23749
23839
msgid "Manual intervention"
23752
#: serverguide/C/installation.xml:1188(para)
23842
#: serverguide/C/installation.xml:1261(para)
23754
23844
"A Kernel Crash Dump refers to a portion of the contents of volatile memory "
23755
23845
"(RAM) that is copied to disk whenever the execution of the kernel is "
23776
23866
"untouched in order to safely copy its contents to storage."
23779
#: serverguide/C/installation.xml:1216(para)
23869
#: serverguide/C/installation.xml:1289(para)
23781
23871
"The kernel crash dump utility is installed with the following command:"
23784
#: serverguide/C/installation.xml:1221(command)
23874
#: serverguide/C/installation.xml:1294(command)
23785
23875
msgid "sudo apt-get install linux-crashdump"
23788
#: serverguide/C/installation.xml:1230(programlisting)
23878
#: serverguide/C/installation.xml:1303(programlisting)
23792
23882
"USE_KDUMP=1\n"
23795
#: serverguide/C/installation.xml:1228(para)
23885
#: serverguide/C/installation.xml:1301(para)
23797
"Edit <filename>/etc/default/kdump-tool</filename> by including the following "
23798
"line: <placeholder-1/>"
23887
"Edit <filename>/etc/default/kdump-tools</filename> by including the "
23888
"following line: <placeholder-1/>"
23801
#: serverguide/C/installation.xml:1235(para)
23891
#: serverguide/C/installation.xml:1308(para)
23802
23892
msgid "A reboot is then needed."
23805
#: serverguide/C/installation.xml:1244(para)
23895
#: serverguide/C/installation.xml:1317(para)
23807
23897
"To confirm that the kernel dump mechanism is enabled, there are a few things "
23808
23898
"to verify. First, confirm that the <emphasis>crashkernel</emphasis> boot "
23835
#: serverguide/C/installation.xml:1258(para)
23925
#: serverguide/C/installation.xml:1331(para)
23837
23927
"The <emphasis>crashkernel</emphasis> parameter has the following syntax: "
23838
23928
"<placeholder-1/>"
23841
#: serverguide/C/installation.xml:1268(programlisting)
23931
#: serverguide/C/installation.xml:1341(programlisting)
23845
23935
"crashkernel=384M-2G:64M,2G-:128M\n"
23848
#: serverguide/C/installation.xml:1266(para)
23938
#: serverguide/C/installation.xml:1339(para)
23850
23940
"So for the crashkernel parameter found in <filename>/proc/cmdline</filename> "
23851
23941
"we would have : <placeholder-1/>"
23854
#: serverguide/C/installation.xml:1273(para)
23944
#: serverguide/C/installation.xml:1346(para)
23855
23945
msgid "The above value means:"
23858
#: serverguide/C/installation.xml:1275(para)
23948
#: serverguide/C/installation.xml:1348(para)
23860
23950
"if the RAM is smaller than 384M, then don't reserve anything (this is the "
23861
23951
"\"rescue\" case)"
23864
#: serverguide/C/installation.xml:1277(para)
23954
#: serverguide/C/installation.xml:1350(para)
23865
23955
msgid "if the RAM size is between 386M and 2G (exclusive), then reserve 64M"
23868
#: serverguide/C/installation.xml:1278(para)
23958
#: serverguide/C/installation.xml:1351(para)
23869
23959
msgid "if the RAM size is larger than 2G, then reserve 128M"
23872
#: serverguide/C/installation.xml:1281(para)
23962
#: serverguide/C/installation.xml:1354(para)
23874
23964
"Second, verify that the kernel has reserved the requested memory area for "
23875
23965
"the kdump kernel by doing:"
23878
#: serverguide/C/installation.xml:1286(command)
23968
#: serverguide/C/installation.xml:1359(command)
23879
23969
msgid "dmesg | grep -i crash"
23882
#: serverguide/C/installation.xml:1287(computeroutput)
23972
#: serverguide/C/installation.xml:1360(computeroutput)
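Review bot: in the list explaining `crashkernel=384M-2G:64M,2G-:128M`, the msgid "if the RAM size is between 386M and 2G (exclusive), then reserve 64M" gives 386M as the lower bound, while the parameter and the preceding item ("smaller than 384M") both use 384M. This hunk only renumbers the location comments, so the fix belongs in installation.xml: change 386M to 384M.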
24522
24612
"your vendor documentation to configure your specific iSCSI target."
24525
#: serverguide/C/file-server.xml:471(title)
24615
#: serverguide/C/file-server.xml:470(title)
24526
24616
msgid "iSCSI Initiator Install"
24529
#: serverguide/C/file-server.xml:473(para)
24619
#: serverguide/C/file-server.xml:472(para)
24531
24621
"To configure Ubuntu Server as an iSCSI initiator install the "
24532
24622
"<application>open-iscsi</application> package. In a terminal enter:"
24535
#: serverguide/C/file-server.xml:478(command)
24625
#: serverguide/C/file-server.xml:477(command)
24536
24626
msgid "sudo apt-get install open-iscsi"
24539
#: serverguide/C/file-server.xml:483(title)
24629
#: serverguide/C/file-server.xml:482(title)
24540
24630
msgid "iSCSI Initiator Configuration"
24543
#: serverguide/C/file-server.xml:485(para)
24633
#: serverguide/C/file-server.xml:484(para)
24545
24635
"Once the <application>open-iscsi</application> package is installed, edit "
24546
24636
"<filename>/etc/iscsi/iscsid.conf</filename> changing the following:"
24549
#: serverguide/C/file-server.xml:489(programlisting)
24639
#: serverguide/C/file-server.xml:488(programlisting)
24553
24643
"node.startup = automatic\n"
24556
#: serverguide/C/file-server.xml:493(para)
24646
#: serverguide/C/file-server.xml:492(para)
24558
24648
"You can check which targets are available by using the "
24559
24649
"<application>iscsiadm</application> utility. Enter the following in a "
24563
#: serverguide/C/file-server.xml:498(command)
24653
#: serverguide/C/file-server.xml:497(command)
24564
24654
msgid "sudo iscsiadm -m discovery -t st -p 192.168.0.10"
24657
#: serverguide/C/file-server.xml:501(para)
24659
"<emphasis>-m:</emphasis> determines the mode that iscsiadm executes in."
24567
24662
#: serverguide/C/file-server.xml:502(para)
24569
"<emphasis>-m:</emphasis> determines the mode that iscsiadm executes in."
24663
msgid "<emphasis>-t:</emphasis> specifies the type of discovery."
24572
24666
#: serverguide/C/file-server.xml:503(para)
24573
msgid "<emphasis>-t:</emphasis> specifies the type of discovery."
24576
#: serverguide/C/file-server.xml:504(para)
24577
24667
msgid "<emphasis>-p:</emphasis> option indicates the target IP address."
24580
#: serverguide/C/file-server.xml:508(para)
24670
#: serverguide/C/file-server.xml:507(para)
24582
24672
"Change example <emphasis>192.168.0.10</emphasis> to the target IP address on "
24583
24673
"your network."
24586
#: serverguide/C/file-server.xml:513(para)
24676
#: serverguide/C/file-server.xml:512(para)
24588
24678
"If the target is available you should see output similar to the following:"
24591
#: serverguide/C/file-server.xml:518(computeroutput)
24681
#: serverguide/C/file-server.xml:517(computeroutput)
24595
24685
"192.168.0.10:3260,1 iqn.1992-05.com.emc:sl7b92030000520000-2\n"
24598
#: serverguide/C/file-server.xml:524(para)
24688
#: serverguide/C/file-server.xml:523(para)
24600
24690
"The <emphasis>iqn</emphasis> number and IP address above will vary depending "
24601
24691
"on your hardware."
24604
#: serverguide/C/file-server.xml:529(para)
24694
#: serverguide/C/file-server.xml:528(para)
24606
24696
"You should now be able to connect to the iSCSI target, and depending on your "
24607
24697
"target setup you may have to enter user credentials. Login to the iSCSI node:"
24610
#: serverguide/C/file-server.xml:535(command)
24700
#: serverguide/C/file-server.xml:534(command)
24611
24701
msgid "sudo iscsiadm -m node --login"
24614
#: serverguide/C/file-server.xml:538(para)
24704
#: serverguide/C/file-server.xml:537(para)
24616
24706
"Check to make sure that the new disk has been detected using "
24617
24707
"<application>dmesg</application>:"
24620
#: serverguide/C/file-server.xml:543(command)
24710
#: serverguide/C/file-server.xml:542(command)
24621
24711
msgid "dmesg | grep sd"
24624
#: serverguide/C/file-server.xml:544(computeroutput)
24714
#: serverguide/C/file-server.xml:543(computeroutput)
24650
24740
"[ 2486.964862] sd 4:0:0:3: [sdb] Attached SCSI disk\n"
24653
#: serverguide/C/file-server.xml:568(para)
24743
#: serverguide/C/file-server.xml:567(para)
24655
24745
"In the output above <emphasis>sdb</emphasis> is the new iSCSI disk. Remember "
24656
24746
"this is just an example; the output you see on your screen will vary."
24659
#: serverguide/C/file-server.xml:573(para)
24749
#: serverguide/C/file-server.xml:572(para)
24661
24751
"Next, create a partition, format the file system, and mount the new iSCSI "
24662
24752
"disk. In a terminal enter:"
24755
#: serverguide/C/file-server.xml:577(command)
24756
msgid "sudo fdisk /dev/sdb"
24665
24759
#: serverguide/C/file-server.xml:578(command)
24666
msgid "sudo fdisk /dev/sdb"
24669
24763
#: serverguide/C/file-server.xml:579(command)
24673
24767
#: serverguide/C/file-server.xml:580(command)
24677
24771
#: serverguide/C/file-server.xml:581(command)
24681
#: serverguide/C/file-server.xml:582(command)
24685
#: serverguide/C/file-server.xml:586(para)
24775
#: serverguide/C/file-server.xml:585(para)
24687
24777
"The above commands are from inside the <application>fdisk</application> "
24688
24778
"utility; see <command>man fdisk</command> for more detailed instructions. "
24693
#: serverguide/C/file-server.xml:592(para)
24783
#: serverguide/C/file-server.xml:591(para)
24695
24785
"Now format the file system and mount it to <filename>/srv</filename> as an "
24789
#: serverguide/C/file-server.xml:596(command)
24790
msgid "sudo mkfs.ext4 /dev/sdb1"
24699
24793
#: serverguide/C/file-server.xml:597(command)
24700
msgid "sudo mkfs.ext4 /dev/sdb1"
24703
#: serverguide/C/file-server.xml:598(command)
24704
24794
msgid "sudo mount /dev/sdb1 /srv"
24707
#: serverguide/C/file-server.xml:602(para)
24797
#: serverguide/C/file-server.xml:601(para)
24709
24799
"Finally, add an entry to <filename>/etc/fstab</filename> to mount the iSCSI "
24710
24800
"drive during boot:"
24713
#: serverguide/C/file-server.xml:606(programlisting)
24803
#: serverguide/C/file-server.xml:605(programlisting)
24717
24807
"/dev/sdb1 /srv ext4 defaults,auto,_netdev 0 0\n"
24720
#: serverguide/C/file-server.xml:610(para)
24810
#: serverguide/C/file-server.xml:609(para)
24722
24812
"It is a good idea to make sure everything is working as expected by "
24723
24813
"rebooting the server."
24726
#: serverguide/C/file-server.xml:619(ulink)
24816
#: serverguide/C/file-server.xml:618(ulink)
24727
24817
msgid "Open-iSCSI Website"
24730
#: serverguide/C/file-server.xml:622(ulink) serverguide/C/file-server.xml:808(ulink)
24820
#: serverguide/C/file-server.xml:621(ulink) serverguide/C/file-server.xml:807(ulink)
24731
24821
msgid "Debian Open-iSCSI page"
24734
#: serverguide/C/file-server.xml:629(title)
24824
#: serverguide/C/file-server.xml:628(title)
24735
24825
msgid "CUPS - Print Server"
24738
#: serverguide/C/file-server.xml:630(para)
24828
#: serverguide/C/file-server.xml:629(para)
24740
24830
"The primary mechanism for Ubuntu printing and print services is the "
24741
24831
"<emphasis role=\"bold\">Common UNIX Printing System</emphasis> (CUPS). This "
24798
24888
"initially will be presented here."
24801
#: serverguide/C/file-server.xml:683(para)
24891
#: serverguide/C/file-server.xml:682(para)
24803
24893
"Prior to editing the configuration file, you should make a copy of the "
24804
24894
"original file and protect it from writing, so you will have the original "
24805
24895
"settings as a reference, and to reuse as necessary."
24808
#: serverguide/C/file-server.xml:687(para)
24898
#: serverguide/C/file-server.xml:686(para)
24810
24900
"Copy the <filename>/etc/cups/cupsd.conf</filename> file and protect it from "
24811
24901
"writing with the following commands, issued at a terminal prompt:"
24904
#: serverguide/C/file-server.xml:692(command)
24905
msgid "sudo cp /etc/cups/cupsd.conf /etc/cups/cupsd.conf.original"
24814
24908
#: serverguide/C/file-server.xml:693(command)
24815
msgid "sudo cp /etc/cups/cupsd.conf /etc/cups/cupsd.conf.original"
24818
#: serverguide/C/file-server.xml:694(command)
24819
24909
msgid "sudo chmod a-w /etc/cups/cupsd.conf.original"
24822
#: serverguide/C/file-server.xml:699(para)
24912
#: serverguide/C/file-server.xml:698(para)
24824
24914
"<emphasis role=\"bold\">ServerAdmin</emphasis>: To configure the email "
24825
24915
"address of the designated administrator of the CUPS server, simply edit the "
24874
24964
"<emphasis>socrates</emphasis> as such:"
24877
#: serverguide/C/file-server.xml:746(screen)
24967
#: serverguide/C/file-server.xml:745(screen)
24881
24971
"Listen socrates:631 # Listen on all interfaces for the hostname 'socrates'\n"
24884
#: serverguide/C/file-server.xml:750(para)
24974
#: serverguide/C/file-server.xml:749(para)
24886
24976
"or by omitting the Listen directive and using <emphasis>Port</emphasis> "
24887
24977
"instead, as in:"
24890
#: serverguide/C/file-server.xml:752(screen)
24980
#: serverguide/C/file-server.xml:751(screen)
24894
24984
"Port 631 # Listen on port 631 on all interfaces\n"
24897
#: serverguide/C/file-server.xml:759(para)
24987
#: serverguide/C/file-server.xml:758(para)
24899
24989
"For more examples of configuration directives in the CUPS server "
24900
24990
"configuration file, view the associated system manual page by entering the "
24901
24991
"following command at a terminal prompt:"
24904
#: serverguide/C/file-server.xml:766(command)
24994
#: serverguide/C/file-server.xml:765(command)
24905
24995
msgid "man cupsd.conf"
24908
#: serverguide/C/file-server.xml:770(para)
24998
#: serverguide/C/file-server.xml:769(para)
24910
25000
"Whenever you make changes to the <filename>/etc/cups/cupsd.conf</filename> "
24911
25001
"configuration file, you'll need to restart the CUPS server by typing the "
25182
25272
"ns IN A 192.168.1.10\n"
25185
#: serverguide/C/dns.xml:177(para)
25275
#: serverguide/C/dns.xml:181(para)
25187
25277
"You must increment the <emphasis>Serial Number</emphasis> every time you "
25188
25278
"make changes to the zone file. If you make multiple changes before "
25189
25279
"restarting BIND9, simply increment the Serial once."
25192
#: serverguide/C/dns.xml:181(para)
25282
#: serverguide/C/dns.xml:185(para)
25194
25284
"Now, you can add DNS records to the bottom of the zone file. See <xref "
25195
25285
"linkend=\"dns-record-types\"/> for details."
25198
#: serverguide/C/dns.xml:185(para)
25288
#: serverguide/C/dns.xml:189(para)
25200
25290
"Many admins like to use the last date edited as the serial of a zone, such "
25201
25291
"as <emphasis>2012010100</emphasis> which is yyyymmddss (where "
25202
25292
"<emphasis>ss</emphasis> is the Serial Number)"
25205
#: serverguide/C/dns.xml:190(para)
25295
#: serverguide/C/dns.xml:194(para)
25207
25297
"Once you have made changes to the zone file <application>BIND9</application> "
25208
25298
"needs to be restarted for the changes to take effect:"
25211
#: serverguide/C/dns.xml:199(title)
25301
#: serverguide/C/dns.xml:203(title)
25212
25302
msgid "Reverse Zone File"
25215
#: serverguide/C/dns.xml:200(para)
25305
#: serverguide/C/dns.xml:204(para)
25217
25307
"Now that the zone is setup and resolving names to IP Adresses a "
25218
25308
"<emphasis>Reverse zone</emphasis> is also required. A Reverse zone allows "
25219
25309
"DNS to resolve an address to a name."
25222
#: serverguide/C/dns.xml:204(para)
25312
#: serverguide/C/dns.xml:208(para)
25223
25313
msgid "Edit /etc/bind/named.conf.local and add the following:"
25226
#: serverguide/C/dns.xml:207(programlisting)
25316
#: serverguide/C/dns.xml:211(programlisting)
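Review bot: "IP Adresses" in the Reverse Zone File paragraph (dns.xml:204) is misspelled and "setup" is used as a verb; suggest "Now that the zone is set up and resolving names to IP addresses". The string is unchanged context here, so correct it in dns.xml.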
25476
25566
"to RESOLVCONF=yes."
25479
#: serverguide/C/dns.xml:389(para)
25569
#: serverguide/C/dns.xml:398(para)
25481
25571
"You should also add the IP Address of the Secondary nameserver in case the "
25482
25572
"Primary becomes unavailable."
25485
#: serverguide/C/dns.xml:395(title)
25575
#: serverguide/C/dns.xml:404(title)
25489
#: serverguide/C/dns.xml:396(para)
25579
#: serverguide/C/dns.xml:405(para)
25491
25581
"If you installed the <application>dnsutils</application> package you can "
25492
25582
"test your setup using the DNS lookup utility <application>dig</application>:"
25495
#: serverguide/C/dns.xml:402(para)
25585
#: serverguide/C/dns.xml:411(para)
25497
25587
"After installing <application>BIND9</application> use "
25498
25588
"<application>dig</application> against the loopback interface to make sure "
25499
25589
"it is listening on port 53. From a terminal prompt:"
25502
#: serverguide/C/dns.xml:407(command)
25592
#: serverguide/C/dns.xml:416(command)
25503
25593
msgid "dig -x 127.0.0.1"
25506
#: serverguide/C/dns.xml:409(para)
25596
#: serverguide/C/dns.xml:418(para)
25507
25597
msgid "You should see lines similar to the following in the command output:"
25510
#: serverguide/C/dns.xml:412(programlisting)
25600
#: serverguide/C/dns.xml:421(programlisting)
25515
25605
";; SERVER: 192.168.1.10#53(192.168.1.10)\n"
25518
#: serverguide/C/dns.xml:418(para)
25608
#: serverguide/C/dns.xml:427(para)
25520
25610
"If you have configured <application>BIND9</application> as a "
25521
25611
"<emphasis>Caching</emphasis> nameserver \"dig\" an outside domain to check "
25522
25612
"the query time:"
25525
#: serverguide/C/dns.xml:423(command)
25615
#: serverguide/C/dns.xml:432(command)
25526
25616
msgid "dig ubuntu.com"
25529
#: serverguide/C/dns.xml:425(para)
25619
#: serverguide/C/dns.xml:434(para)
25530
25620
msgid "Note the query time toward the end of the command output:"
25533
#: serverguide/C/dns.xml:428(programlisting)
25623
#: serverguide/C/dns.xml:437(programlisting)
25537
25627
";; Query time: 49 msec\n"
25540
#: serverguide/C/dns.xml:431(para)
25630
#: serverguide/C/dns.xml:440(para)
25541
25631
msgid "After a second dig there should be improvement:"
25544
#: serverguide/C/dns.xml:434(programlisting)
25634
#: serverguide/C/dns.xml:443(programlisting)
25548
25638
";; Query time: 1 msec\n"
25551
#: serverguide/C/dns.xml:441(title)
25641
#: serverguide/C/dns.xml:450(title)
25555
#: serverguide/C/dns.xml:443(para)
25645
#: serverguide/C/dns.xml:452(para)
25557
25647
"Now to demonstrate how applications make use of DNS to resolve a host name "
25558
25648
"use the <application>ping</application> utility to send an ICMP echo "
25559
25649
"request. From a terminal prompt enter:"
25562
#: serverguide/C/dns.xml:449(command)
25652
#: serverguide/C/dns.xml:458(command)
25563
25653
msgid "ping example.com"
25566
#: serverguide/C/dns.xml:451(para)
25656
#: serverguide/C/dns.xml:460(para)
25568
25658
"This tests if the nameserver can resolve the name "
25569
25659
"<emphasis>ns.example.com</emphasis> to an IP Address. The command output "
25570
25660
"should resemble:"
25573
#: serverguide/C/dns.xml:455(programlisting)
25663
#: serverguide/C/dns.xml:464(programlisting)
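Review bot: the command msgid is `ping example.com`, but the paragraph after it says this tests whether the nameserver can resolve ns.example.com; the command and its description name different hosts. Make them agree in dns.xml, either by pinging ns.example.com or by rewording the description.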
25709
#: serverguide/C/dns.xml:556(para)
25799
#: serverguide/C/dns.xml:565(para)
25711
25801
"Note: the <emphasis>debug</emphasis> option can be set from 1 to 3. If a "
25712
25802
"level isn't specified level 1 is the default."
25715
#: serverguide/C/dns.xml:562(para)
25805
#: serverguide/C/dns.xml:571(para)
25717
25807
"Since the <emphasis>named daemon</emphasis> runs as the "
25718
25808
"<emphasis>bind</emphasis> user the <filename>/var/log/query.log</filename> "
25719
25809
"file must be created and the ownership changed:"
25722
#: serverguide/C/dns.xml:567(command)
25812
#: serverguide/C/dns.xml:576(command)
25723
25813
msgid "sudo touch /var/log/query.log"
25726
#: serverguide/C/dns.xml:568(command)
25816
#: serverguide/C/dns.xml:577(command)
25727
25817
msgid "sudo chown bind /var/log/query.log"
25730
#: serverguide/C/dns.xml:572(para)
25820
#: serverguide/C/dns.xml:581(para)
25732
25822
"Before <application>named</application> daemon can write to the new log file "
25733
25823
"the <application>AppArmor</application> profile must be updated. First, edit "
25734
25824
"<filename>/etc/apparmor.d/usr.sbin.named</filename> and add:"
25737
#: serverguide/C/dns.xml:576(programlisting)
25827
#: serverguide/C/dns.xml:585(programlisting)
25741
25831
"/var/log/query.log w,\n"
25744
#: serverguide/C/dns.xml:579(para)
25834
#: serverguide/C/dns.xml:588(para)
25745
25835
msgid "Next, reload the profile:"
25748
#: serverguide/C/dns.xml:583(command)
25838
#: serverguide/C/dns.xml:592(command)
25749
25839
msgid "cat /etc/apparmor.d/usr.sbin.named | sudo apparmor_parser -r"
25752
#: serverguide/C/dns.xml:585(para)
25842
#: serverguide/C/dns.xml:594(para)
25754
25844
"For more information on <application>AppArmor</application> see <xref "
25755
25845
"linkend=\"apparmor\"/>"
25758
#: serverguide/C/dns.xml:590(para)
25848
#: serverguide/C/dns.xml:599(para)
25760
25850
"Now restart <application>BIND9</application> for the changes to take effect:"
25763
#: serverguide/C/dns.xml:598(para)
25853
#: serverguide/C/dns.xml:607(para)
25765
25855
"You should see the file <filename>/var/log/query.log</filename> fill with "
25766
25856
"query information. This is a simple example of the "
25768
25858
"options see <xref linkend=\"dns-more-info\"/>."
25771
#: serverguide/C/dns.xml:607(title)
25861
#: serverguide/C/dns.xml:616(title)
25772
25862
msgid "Common Record Types"
25775
#: serverguide/C/dns.xml:608(para)
25865
#: serverguide/C/dns.xml:617(para)
25776
25866
msgid "This section covers some of the most common DNS record types."
25779
#: serverguide/C/dns.xml:613(para)
25869
#: serverguide/C/dns.xml:622(para)
25781
25871
"<emphasis>A</emphasis> record: This record maps an IP Address to a hostname."
25784
#: serverguide/C/dns.xml:616(programlisting)
25874
#: serverguide/C/dns.xml:625(programlisting)
25788
25878
"www IN A 192.168.1.12\n"
25791
#: serverguide/C/dns.xml:621(para)
25881
#: serverguide/C/dns.xml:630(para)
25793
25883
"<emphasis>CNAME</emphasis> record: Used to create an alias to an existing A "
25794
25884
"record. You cannot create a CNAME record pointing to another CNAME record."
25797
#: serverguide/C/dns.xml:624(programlisting)
25887
#: serverguide/C/dns.xml:633(programlisting)
25801
25891
"web IN CNAME www\n"
25804
#: serverguide/C/dns.xml:629(para)
25894
#: serverguide/C/dns.xml:638(para)
25806
25896
"<emphasis>MX</emphasis> record: Used to define where email should be sent "
25807
25897
"to. Must point to an A record, not a CNAME."
25810
#: serverguide/C/dns.xml:632(programlisting)
25900
#: serverguide/C/dns.xml:641(programlisting)
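Review bot: the A record msgid reads "This record maps an IP Address to a hostname", which is the reverse of what the example `www IN A 192.168.1.12` does: it maps the hostname www to an address. Suggest "maps a hostname to an IP address" in dns.xml. A smaller point in the same hunk: `cat /etc/apparmor.d/usr.sbin.named | sudo apparmor_parser -r` can drop the `cat` and pass the profile path to `apparmor_parser -r` directly.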
26046
26136
"Components</link> describes the components of the DM-Multipath package."
26049
#: serverguide/C/dm-multipath.xml:184(title)
26139
#: serverguide/C/dm-multipath.xml:183(title)
26050
26140
msgid "DM-Multipath Setup Overview"
26053
#: serverguide/C/dm-multipath.xml:191(para)
26143
#: serverguide/C/dm-multipath.xml:190(para)
26055
26145
"Install the <emphasis role=\"bold\">multipath-tools</emphasis> and <emphasis "
26056
26146
"role=\"bold\">multipath-tools-boot</emphasis> packages"
26059
#: serverguide/C/dm-multipath.xml:197(para)
26149
#: serverguide/C/dm-multipath.xml:196(para)
26061
26151
"Create an empty config file, <filename>/etc/multipath.conf</filename>, that "
26062
26152
"re-defines the <link linkend=\"multipath-skel-config\">following</link>"
26065
#: serverguide/C/dm-multipath.xml:203(para)
26155
#: serverguide/C/dm-multipath.xml:202(para)
26067
26157
"If necessary, edit the <emphasis role=\"bold\">multipath.conf</emphasis> "
26068
26158
"configuration file to modify default values and save the updated file."
26071
#: serverguide/C/dm-multipath.xml:209(para)
26161
#: serverguide/C/dm-multipath.xml:208(para)
26072
26162
msgid "Start the multipath daemon"
26075
#: serverguide/C/dm-multipath.xml:213(para)
26165
#: serverguide/C/dm-multipath.xml:212(para)
26076
26166
msgid "Update initial ramdisk"
26079
#: serverguide/C/dm-multipath.xml:186(para)
26169
#: serverguide/C/dm-multipath.xml:185(para)
26081
26171
"DM-Multipath includes compiled-in default settings that are suitable for "
26082
26172
"common multipath configurations. Setting up DM-multipath is often a simple "
26186
#: serverguide/C/dm-multipath.xml:313(para)
26276
#: serverguide/C/dm-multipath.xml:312(para)
26187
26277
msgid "Set up all of the multipath devices on one machine."
26190
#: serverguide/C/dm-multipath.xml:317(para) serverguide/C/dm-multipath.xml:354(para)
26280
#: serverguide/C/dm-multipath.xml:316(para) serverguide/C/dm-multipath.xml:353(para)
26192
26282
"Disable all of your multipath devices on your other machines by running the "
26193
26283
"following commands:"
26196
#: serverguide/C/dm-multipath.xml:320(screen) serverguide/C/dm-multipath.xml:357(screen)
26286
#: serverguide/C/dm-multipath.xml:319(screen) serverguide/C/dm-multipath.xml:356(screen)
26199
26289
"# service multipath-tools stop\n"
26200
26290
"# multipath -F\n"
26203
#: serverguide/C/dm-multipath.xml:326(para)
26293
#: serverguide/C/dm-multipath.xml:325(para)
26205
26295
"Copy the <filename>/etc/multipath/bindings</filename> file from the first "
26206
26296
"machine to all the other machines in the cluster."
26209
#: serverguide/C/dm-multipath.xml:332(para) serverguide/C/dm-multipath.xml:368(para)
26299
#: serverguide/C/dm-multipath.xml:331(para) serverguide/C/dm-multipath.xml:367(para)
26211
26301
"Re-enable the multipathd daemon on all the other machines in the cluster by "
26212
26302
"running the following command:"
26215
#: serverguide/C/dm-multipath.xml:335(screen) serverguide/C/dm-multipath.xml:371(screen)
26305
#: serverguide/C/dm-multipath.xml:334(screen) serverguide/C/dm-multipath.xml:370(screen)
26217
26307
msgid "# service multipath-tools start"
26220
#: serverguide/C/dm-multipath.xml:339(para)
26310
#: serverguide/C/dm-multipath.xml:338(para)
26221
26311
msgid "If you add a new device, you will need to repeat this process."
26224
#: serverguide/C/dm-multipath.xml:342(para)
26314
#: serverguide/C/dm-multipath.xml:341(para)
26226
26316
"Similarly, if you configure an alias for a device that you would like to be "
26227
26317
"consistent across the nodes in the cluster, you should ensure that the "
26310
26400
"Perform:<screen>update-initramfs -u -k all</screen><placeholder-1/>"
26313
#: serverguide/C/dm-multipath.xml:436(title)
26403
#: serverguide/C/dm-multipath.xml:435(title)
26314
26404
msgid "Setting up DM-Multipath Overview"
26317
#: serverguide/C/dm-multipath.xml:438(para)
26407
#: serverguide/C/dm-multipath.xml:437(para)
26319
26409
"This section provides step-by-step example procedures for configuring DM-"
26320
26410
"Multipath. It includes the following procedures:"
26323
#: serverguide/C/dm-multipath.xml:443(para)
26413
#: serverguide/C/dm-multipath.xml:442(para)
26324
26414
msgid "Basic DM-Multipath setup"
26327
#: serverguide/C/dm-multipath.xml:447(para)
26417
#: serverguide/C/dm-multipath.xml:446(para)
26328
26418
msgid "Ignoring local disks"
26331
#: serverguide/C/dm-multipath.xml:451(para)
26421
#: serverguide/C/dm-multipath.xml:450(para)
26332
26422
msgid "Adding more devices to the configuration file"
26335
#: serverguide/C/dm-multipath.xml:456(title)
26425
#: serverguide/C/dm-multipath.xml:455(title)
26336
26426
msgid "Setting Up DM-Multipath"
26339
#: serverguide/C/dm-multipath.xml:458(para)
26429
#: serverguide/C/dm-multipath.xml:457(para)
26341
26431
"Before setting up DM-Multipath on your system, ensure that your system has "
26342
26432
"been updated and includes the <emphasis role=\"bold\"><application>multipath-"
26626
26716
"can leave them commented out, as they are in the initial file."
26629
#: serverguide/C/dm-multipath.xml:724(para)
26719
#: serverguide/C/dm-multipath.xml:723(para)
26630
26720
msgid "The configuration file allows regular expression description syntax."
26633
#: serverguide/C/dm-multipath.xml:727(para)
26723
#: serverguide/C/dm-multipath.xml:726(para)
26635
26725
"An annotated version of the configuration file can be found in "
26636
26726
"<filename><filename>/usr/share/doc/multipath-"
26637
26727
"tools/examples/multipath.conf.annotated.gz</filename></filename>."
26640
#: serverguide/C/dm-multipath.xml:731(title)
26730
#: serverguide/C/dm-multipath.xml:730(title)
26641
26731
msgid "Configuration File Overview"
26644
#: serverguide/C/dm-multipath.xml:733(para)
26734
#: serverguide/C/dm-multipath.xml:732(para)
26646
26736
"The multipath configuration file is divided into the following sections:"
26649
#: serverguide/C/dm-multipath.xml:738(emphasis)
26739
#: serverguide/C/dm-multipath.xml:737(emphasis)
26650
26740
msgid "blacklist"
26653
#: serverguide/C/dm-multipath.xml:741(para)
26743
#: serverguide/C/dm-multipath.xml:740(para)
26655
26745
"Listing of specific devices that will not be considered for multipath."
26658
#: serverguide/C/dm-multipath.xml:747(emphasis)
26748
#: serverguide/C/dm-multipath.xml:746(emphasis)
26659
26749
msgid "blacklist_exceptions"
26662
#: serverguide/C/dm-multipath.xml:750(para)
26752
#: serverguide/C/dm-multipath.xml:749(para)
26664
26754
"Listing of multipath candidates that would otherwise be blacklisted "
26665
26755
"according to the parameters of the blacklist section."
26668
#: serverguide/C/dm-multipath.xml:757(emphasis)
26758
#: serverguide/C/dm-multipath.xml:756(emphasis)
26669
26759
msgid "defaults"
26672
#: serverguide/C/dm-multipath.xml:760(para)
26762
#: serverguide/C/dm-multipath.xml:759(para)
26673
26763
msgid "General default settings for DM-Multipath."
26676
#: serverguide/C/dm-multipath.xml:768(para)
26766
#: serverguide/C/dm-multipath.xml:767(para)
26678
26768
"Settings for the characteristics of individual multipath devices. These "
26679
26769
"values overwrite what is specified in the <emphasis "
26697
#: serverguide/C/dm-multipath.xml:789(para)
26787
#: serverguide/C/dm-multipath.xml:788(para)
26699
26789
"When the system determines the attributes of a multipath device, first it "
26700
26790
"checks the multipath settings, then the per devices settings, then the "
26701
26791
"multipath system defaults."
26704
#: serverguide/C/dm-multipath.xml:795(title)
26794
#: serverguide/C/dm-multipath.xml:794(title)
26705
26795
msgid "Configuration File Blacklist"
26708
#: serverguide/C/dm-multipath.xml:797(para)
26798
#: serverguide/C/dm-multipath.xml:796(para)
26710
26800
"The blacklist section of the multipath configuration file specifies the "
26711
26801
"devices that will not be used when the system configures multipath devices. "
26712
26802
"Devices that are blacklisted will not be grouped into a multipath device."
26715
#: serverguide/C/dm-multipath.xml:804(para)
26805
#: serverguide/C/dm-multipath.xml:803(para)
26717
26807
"If you do need to blacklist devices, you can do so according to the "
26718
26808
"following criteria:"
26721
#: serverguide/C/dm-multipath.xml:809(para)
26811
#: serverguide/C/dm-multipath.xml:808(para)
26723
26813
"By WWID, as described <xref endterm=\"config-blacklist-by-wwid-title\" "
26724
26814
"linkend=\"multipath-config-blacklist-by-wwid\"/>"
26727
#: serverguide/C/dm-multipath.xml:815(para)
26817
#: serverguide/C/dm-multipath.xml:814(para)
26729
26819
"By device name, as described in <xref endterm=\"config-blacklist-by-device-"
26730
26820
"name-title\" linkend=\"multipath-config-blacklist-by-device-name\"/>"
26733
#: serverguide/C/dm-multipath.xml:821(para)
26823
#: serverguide/C/dm-multipath.xml:820(para)
26735
26825
"By device type, as described in <xref endterm=\"config-blacklist-by-device-"
26736
26826
"type-title\" linkend=\"multipath-config-blacklist-by-device-type\"/>"
26739
#: serverguide/C/dm-multipath.xml:827(para)
26829
#: serverguide/C/dm-multipath.xml:826(para)
26741
26831
"By default, a variety of device types are blacklisted, even after you "
26742
26832
"comment out the initial blacklist section of the configuration file. For "
27197
27287
"files found in <filename>/usr/share/doc/multipath-tools/examples:</filename>"
27200
#: serverguide/C/dm-multipath.xml:1326(screen)
27290
#: serverguide/C/dm-multipath.xml:1325(screen)
27202
27292
msgid "# echo 'show config' | multipathd -k"
27205
#: serverguide/C/dm-multipath.xml:1331(title)
27295
#: serverguide/C/dm-multipath.xml:1330(title)
27206
27296
msgid "DM-Multipath Administration and Troubleshooting"
27209
#: serverguide/C/dm-multipath.xml:1334(title)
27299
#: serverguide/C/dm-multipath.xml:1333(title)
27210
27300
msgid "Resizing an Online Multipath Device"
27213
#: serverguide/C/dm-multipath.xml:1336(para)
27303
#: serverguide/C/dm-multipath.xml:1335(para)
27215
27305
"If you need to resize an online multipath device, use the following procedure"
27218
#: serverguide/C/dm-multipath.xml:1341(para)
27308
#: serverguide/C/dm-multipath.xml:1340(para)
27219
27309
msgid "Resize your physical device. This is storage platform specific."
27222
#: serverguide/C/dm-multipath.xml:1346(para)
27312
#: serverguide/C/dm-multipath.xml:1345(para)
27223
27313
msgid "Use the following command to find the paths to the LUN:"
27226
#: serverguide/C/dm-multipath.xml:1348(screen)
27316
#: serverguide/C/dm-multipath.xml:1347(screen)
27228
27318
msgid "# multipath -l"
27231
#: serverguide/C/dm-multipath.xml:1352(para)
27321
#: serverguide/C/dm-multipath.xml:1351(para)
27233
27323
"Resize your paths. For SCSI devices, writing 1 to the "
27234
27324
"<filename>rescan</filename> file for the device causes the SCSI driver to "
27235
27325
"rescan, as in the following command:"
27238
#: serverguide/C/dm-multipath.xml:1356(screen)
27328
#: serverguide/C/dm-multipath.xml:1355(screen)
27240
27330
msgid "# echo 1 > /sys/block/device_name/device/rescan"
27243
#: serverguide/C/dm-multipath.xml:1360(para)
27333
#: serverguide/C/dm-multipath.xml:1359(para)
27245
27335
"Resize your multipath device by running the multipathd resize command:"
27248
#: serverguide/C/dm-multipath.xml:1363(screen)
27338
#: serverguide/C/dm-multipath.xml:1362(screen)
27250
27340
msgid "# multipathd -k 'resize map mpatha'"
27253
#: serverguide/C/dm-multipath.xml:1367(para)
27343
#: serverguide/C/dm-multipath.xml:1366(para)
27254
27344
msgid "Resize the file system (assuming no LVM or DOS partitions are used):"
27257
#: serverguide/C/dm-multipath.xml:1370(screen)
27347
#: serverguide/C/dm-multipath.xml:1369(screen)
27259
27349
msgid "# resize2fs /dev/mapper/mpatha"
27262
#: serverguide/C/dm-multipath.xml:1376(title)
27352
#: serverguide/C/dm-multipath.xml:1375(title)
27264
27354
"Moving root File Systems from a Single Path Device to a Multipath Device"
27267
#: serverguide/C/dm-multipath.xml:1379(para)
27357
#: serverguide/C/dm-multipath.xml:1378(para)
27269
27359
"This is dramatically simplified by the use of UUIDs to identify devices as "
27270
27360
"an intrinsic label. Simply install <emphasis role=\"bold\">multipath-tools-"
27551
#: serverguide/C/dm-multipath.xml:1614(title)
27641
#: serverguide/C/dm-multipath.xml:1613(title)
27552
27642
msgid "Useful multipath Command Options"
27555
#: serverguide/C/dm-multipath.xml:1623(entry)
27645
#: serverguide/C/dm-multipath.xml:1622(entry)
27556
27646
msgid "Option"
27559
#: serverguide/C/dm-multipath.xml:1630(emphasis)
27649
#: serverguide/C/dm-multipath.xml:1629(emphasis)
27563
#: serverguide/C/dm-multipath.xml:1632(emphasis) serverguide/C/dm-multipath.xml:1639(emphasis)
27653
#: serverguide/C/dm-multipath.xml:1631(emphasis) serverguide/C/dm-multipath.xml:1638(emphasis)
27564
27654
msgid "sysfs"
27567
#: serverguide/C/dm-multipath.xml:1631(entry)
27657
#: serverguide/C/dm-multipath.xml:1630(entry)
27569
27659
"Display the current multipath configuration gathered from <placeholder-1/> "
27570
27660
"and the device mapper."
27573
#: serverguide/C/dm-multipath.xml:1637(emphasis)
27663
#: serverguide/C/dm-multipath.xml:1636(emphasis)
27577
#: serverguide/C/dm-multipath.xml:1638(entry)
27667
#: serverguide/C/dm-multipath.xml:1637(entry)
27579
27669
"Display the current multipath configuration gathered from <placeholder-1/>, "
27580
27670
"the device mapper, and all other available components on the system."
27583
#: serverguide/C/dm-multipath.xml:1644(emphasis)
27673
#: serverguide/C/dm-multipath.xml:1643(emphasis)
27584
27674
msgid "-f device"
27587
#: serverguide/C/dm-multipath.xml:1645(entry)
27677
#: serverguide/C/dm-multipath.xml:1644(entry)
27588
27678
msgid "Remove the named multipath device."
27591
#: serverguide/C/dm-multipath.xml:1649(emphasis)
27681
#: serverguide/C/dm-multipath.xml:1648(emphasis)
27595
#: serverguide/C/dm-multipath.xml:1650(entry)
27685
#: serverguide/C/dm-multipath.xml:1649(entry)
27596
27686
msgid "Remove all unused multipath devices."
27599
#: serverguide/C/dm-multipath.xml:1658(title)
27689
#: serverguide/C/dm-multipath.xml:1657(title)
27600
27690
msgid "Determining Device Mapper Entries with dmsetup Command"
27603
#: serverguide/C/dm-multipath.xml:1660(para)
27693
#: serverguide/C/dm-multipath.xml:1659(para)
27605
27695
"You can use the <emphasis role=\"bold\">dmsetup</emphasis> command to find "
27606
27696
"out which device mapper entries match the <emphasis "
27607
27697
"role=\"bold\">multipathed</emphasis> devices."
27610
#: serverguide/C/dm-multipath.xml:1664(para)
27700
#: serverguide/C/dm-multipath.xml:1663(para)
27612
27702
"The following command displays all the device mapper devices and their major "
27613
27703
"and minor numbers. The minor numbers determine the name of the dm device. "
27740
27830
msgid "To install MySQL, run the following command from a terminal prompt:"
27743
#: serverguide/C/virtualization.xml:2215(command) serverguide/C/databases.xml:42(command)
27833
#: serverguide/C/databases.xml:42(command)
27744
27834
msgid "sudo apt-get install mysql-server"
27747
#: serverguide/C/databases.xml:51(para)
27837
#: serverguide/C/databases.xml:44(para)
27749
27839
"During the installation process you will be prompted to enter a password for "
27750
27840
"the MySQL root user."
27753
#: serverguide/C/databases.xml:55(para)
27843
#: serverguide/C/databases.xml:48(para)
27755
27845
"Once the installation is complete, the MySQL server should be started "
27756
27846
"automatically. You can run the following command from a terminal prompt to "
27757
27847
"check whether the MySQL server is running:"
27760
#: serverguide/C/databases.xml:62(command)
27850
#: serverguide/C/databases.xml:55(command)
27761
27851
msgid "sudo netstat -tap | grep mysql"
27764
#: serverguide/C/vcs.xml:477(para) serverguide/C/databases.xml:65(para)
27854
#: serverguide/C/databases.xml:58(para)
27766
27856
"When you run this command, you should see the following line or something "
27770
#: serverguide/C/databases.xml:69(programlisting)
27860
#: serverguide/C/databases.xml:62(programlisting)
27793
27883
"<emphasis>bind-address</emphasis> directive to the server's IP address:"
27796
#: serverguide/C/databases.xml:87(programlisting)
27886
#: serverguide/C/databases.xml:80(programlisting)
27800
27890
"bind-address = 192.168.0.5\n"
27803
#: serverguide/C/databases.xml:91(para)
27893
#: serverguide/C/databases.xml:84(para)
27804
27894
msgid "Replace 192.168.0.5 with the appropriate address."
27807
#: serverguide/C/databases.xml:95(para)
27897
#: serverguide/C/databases.xml:88(para)
27809
27899
"After making a change to <filename>/etc/mysql/my.cnf</filename> the MySQL "
27810
27900
"daemon will need to be restarted:"
27813
#: serverguide/C/databases.xml:102(para)
27903
#: serverguide/C/databases.xml:95(para)
27815
27905
"If you would like to change the MySQL <emphasis>root</emphasis> password, in "
27816
27906
"a terminal enter:"
27819
#: serverguide/C/databases.xml:107(command)
27909
#: serverguide/C/databases.xml:100(command)
27820
27910
msgid "sudo dpkg-reconfigure mysql-server-5.5"
27823
#: serverguide/C/databases.xml:109(para)
27913
#: serverguide/C/databases.xml:102(para)
27825
27915
"The MySQL daemon will be stopped, and you will be prompted to enter a new "
27829
#: serverguide/C/databases.xml:114(title)
27919
#: serverguide/C/databases.xml:107(title)
27830
27920
msgid "Database Engines"
27833
#: serverguide/C/databases.xml:115(para)
27923
#: serverguide/C/databases.xml:108(para)
27835
27925
"Whilst the default configuration of MySQL provided by the Ubuntu packages is "
27836
27926
"perfectly functional and performs well there are things you may wish to "
27837
27927
"consider before you proceed."
27840
#: serverguide/C/databases.xml:119(para)
27930
#: serverguide/C/databases.xml:112(para)
27842
27932
"MySQL is designed to allow data to be stored in different ways. These "
27843
27933
"methods are referred to as either database or storage engines. There are two "
29160
29250
#: serverguide/C/backups.xml:153(para)
29162
29252
"The simplest way of executing the above backup script is to copy and paste "
29163
"the contents into a file. <filename>backup.sh</filename> for example. Then "
29164
"from a terminal prompt:"
29253
"the contents into a file. <filename>backup.sh</filename> for example. The "
29254
"file must be made executable:"
29167
29257
#: serverguide/C/backups.xml:158(command)
29168
msgid "sudo bash backup.sh"
29258
msgid "chmod u+x backup.sh"
29171
29261
#: serverguide/C/backups.xml:160(para)
29262
msgid "Then from a terminal prompt:"
29265
#: serverguide/C/backups.xml:164(command)
29266
msgid "sudo ./backup.sh"
29269
#: serverguide/C/backups.xml:166(para)
29173
29271
"This is a great way to test the script to make sure everything works as "
29177
#: serverguide/C/backups.xml:165(title)
29275
#: serverguide/C/backups.xml:171(title)
29178
29276
msgid "Executing with cron"
29181
#: serverguide/C/backups.xml:166(para)
29279
#: serverguide/C/backups.xml:172(para)
29183
29281
"The <application>cron</application> utility can be used to automate the "
29184
29282
"script execution. The <application>cron</application> daemon allows the "
29185
29283
"execution of scripts, or commands, at a specified time and date."
29188
#: serverguide/C/backups.xml:170(para)
29286
#: serverguide/C/backups.xml:176(para)
29190
29288
"<application>cron</application> is configured through entries in a "
29191
29289
"<filename>crontab</filename> file. <filename>crontab</filename> files are "
29192
29290
"separated into fields:"
29195
#: serverguide/C/backups.xml:174(programlisting)
29293
#: serverguide/C/backups.xml:180(programlisting)
29199
29297
"# m h dom mon dow command\n"
29202
#: serverguide/C/backups.xml:179(para)
29300
#: serverguide/C/backups.xml:185(para)
29204
29302
"<emphasis>m:</emphasis> minute the command executes on, between 0 and 59."
29207
#: serverguide/C/backups.xml:184(para)
29305
#: serverguide/C/backups.xml:190(para)
29209
29307
"<emphasis>h:</emphasis> hour the command executes on, between 0 and 23."
29212
#: serverguide/C/backups.xml:189(para)
29310
#: serverguide/C/backups.xml:195(para)
29213
29311
msgid "<emphasis>dom:</emphasis> day of month the command executes on."
29216
#: serverguide/C/backups.xml:194(para)
29314
#: serverguide/C/backups.xml:200(para)
29218
29316
"<emphasis>mon:</emphasis> the month the command executes on, between 1 and "
29222
#: serverguide/C/backups.xml:199(para)
29320
#: serverguide/C/backups.xml:205(para)
29224
29322
"<emphasis>dow:</emphasis> the day of the week the command executes on, "
29225
29323
"between 0 and 7. Sunday may be specified by using 0 or 7, both values are "
29229
#: serverguide/C/backups.xml:204(para)
29327
#: serverguide/C/backups.xml:210(para)
29230
29328
msgid "<emphasis>command:</emphasis> the command to execute."
29233
#: serverguide/C/backups.xml:209(para)
29331
#: serverguide/C/backups.xml:215(para)
29235
29333
"To add or change entries in a <filename>crontab</filename> file the "
29236
29334
"<application>crontab -e</application> command should be used. Also, the "
29283
29381
"simply change the script path appropriately."
29286
#: serverguide/C/backups.xml:242(para)
29384
#: serverguide/C/backups.xml:248(para)
29288
29386
"For more in-depth <application>crontab</application> options see <xref "
29289
29387
"linkend=\"backup-shellscript-references\"/>."
29292
#: serverguide/C/backups.xml:248(title)
29390
#: serverguide/C/backups.xml:254(title)
29293
29391
msgid "Restoring from the Archive"
29296
#: serverguide/C/backups.xml:249(para)
29394
#: serverguide/C/backups.xml:255(para)
29298
29396
"Once an archive has been created it is important to test the archive. The "
29299
29397
"archive can be tested by listing the files it contains, but the best test is "
29300
29398
"to <emphasis>restore</emphasis> a file from the archive."
29303
#: serverguide/C/backups.xml:255(para)
29401
#: serverguide/C/backups.xml:261(para)
29305
29403
"To see a listing of the archive contents. From a terminal prompt type:"
29308
#: serverguide/C/backups.xml:259(command)
29406
#: serverguide/C/backups.xml:265(command)
29309
29407
msgid "tar -tzvf /mnt/backup/host-Monday.tgz"
29312
#: serverguide/C/backups.xml:263(para)
29410
#: serverguide/C/backups.xml:269(para)
29313
29411
msgid "To restore a file from the archive to a different directory enter:"
29316
#: serverguide/C/backups.xml:267(command)
29414
#: serverguide/C/backups.xml:273(command)
29317
29415
msgid "tar -xzvf /mnt/backup/host-Monday.tgz -C /tmp etc/hosts"
29320
#: serverguide/C/backups.xml:269(para)
29418
#: serverguide/C/backups.xml:275(para)
29322
29420
"The <emphasis>-C</emphasis> option to <application>tar</application> "
29323
29421
"redirects the extracted files to the specified directory. The above example "
29326
29424
"recreates the directory structure that it contains."
29329
#: serverguide/C/backups.xml:274(para)
29427
#: serverguide/C/backups.xml:280(para)
29331
29429
"Also, notice the leading <emphasis>\"/\"</emphasis> is left off the path of "
29332
29430
"the file to restore."
29335
#: serverguide/C/backups.xml:279(para)
29433
#: serverguide/C/backups.xml:285(para)
29336
29434
msgid "To restore all files in the archive enter the following:"
29339
#: serverguide/C/backups.xml:283(command)
29437
#: serverguide/C/backups.xml:289(command)
29343
#: serverguide/C/backups.xml:284(command)
29441
#: serverguide/C/backups.xml:290(command)
29344
29442
msgid "sudo tar -xzvf /mnt/backup/host-Monday.tgz"
29347
#: serverguide/C/backups.xml:289(para)
29445
#: serverguide/C/backups.xml:295(para)
29348
29446
msgid "This will overwrite the files currently on the file system."
29351
#: serverguide/C/backups.xml:298(para)
29449
#: serverguide/C/backups.xml:304(para)
29353
29451
"For more information on shell scripting see the <ulink "
29354
29452
"url=\"http://tldp.org/LDP/abs/html/\">Advanced Bash-Scripting Guide</ulink>"
29357
#: serverguide/C/backups.xml:303(para)
29455
#: serverguide/C/backups.xml:309(para)
29359
29457
"The book <ulink url=\"http://safari.samspublishing.com/0672323583\">Teach "
29360
29458
"Yourself Shell Programming in 24 Hours</ulink> is available online and a "
29361
29459
"great resource for shell scripting."
29364
#: serverguide/C/backups.xml:309(para)
29462
#: serverguide/C/backups.xml:315(para)
29366
29464
"The <ulink url=\"https://help.ubuntu.com/community/CronHowto\">CronHowto "
29367
29465
"Wiki Page</ulink> contains details on advanced "
29368
29466
"<application>cron</application> options."
29371
#: serverguide/C/backups.xml:316(para)
29469
#: serverguide/C/backups.xml:322(para)
29373
29471
"See the <ulink url=\"http://www.gnu.org/software/tar/manual/index.html\">GNU "
29374
29472
"tar Manual</ulink> for more <application>tar</application> options."
29377
#: serverguide/C/backups.xml:322(para)
29475
#: serverguide/C/backups.xml:328(para)
29379
29477
"The Wikipedia <ulink "
29380
29478
"url=\"http://en.wikipedia.org/wiki/Backup_rotation_scheme\">Backup Rotation "
29381
29479
"Scheme</ulink> article contains information on other backup rotation schemes."
29384
#: serverguide/C/backups.xml:328(para)
29482
#: serverguide/C/backups.xml:334(para)
29386
29484
"The shell script uses <application>tar</application> to create the archive, "
29387
29485
"but there many other command line utilities that can be used. For example:"
29390
#: serverguide/C/backups.xml:334(para)
29488
#: serverguide/C/backups.xml:340(para)
29392
29490
"<ulink url=\"http://www.gnu.org/software/cpio/\">cpio</ulink>: used to copy "
29393
29491
"files to and from archives."
29396
#: serverguide/C/backups.xml:339(para)
29494
#: serverguide/C/backups.xml:345(para)
29398
29496
"<ulink url=\"http://www.gnu.org/software/coreutils/\">dd</ulink>: part of "
29399
29497
"the <application>coreutils</application> package. A low level utility that "
29400
29498
"can copy data from one format to another."
29403
#: serverguide/C/backups.xml:345(para)
29501
#: serverguide/C/backups.xml:351(para)
29405
29503
"<ulink url=\"http://www.rsnapshot.org/\">rsnapshot</ulink>: a file system "
29406
29504
"snapshot utility used to create copies of an entire file system."
29409
#: serverguide/C/backups.xml:351(para)
29507
#: serverguide/C/backups.xml:357(para)
29411
29509
"<ulink url=\"http://www.samba.org/ftp/rsync/rsync.html\">rsync</ulink>: a "
29412
29510
"flexible utility used to create incremental copies of files."
29415
#: serverguide/C/backups.xml:362(title)
29513
#: serverguide/C/backups.xml:368(title)
29416
29514
msgid "Archive Rotation"
29419
#: serverguide/C/backups.xml:363(para)
29517
#: serverguide/C/backups.xml:369(para)
29421
29519
"The shell script in <xref linkend=\"backup-shellscripts\"/> only allows for "
29422
29520
"seven different archives. For a server whose data doesn't change often, this "
29424
29522
"rotation scheme should be used."
29427
#: serverguide/C/backups.xml:369(title)
29525
#: serverguide/C/backups.xml:375(title)
29428
29526
msgid "Rotating NFS Archives"
29431
#: serverguide/C/backups.xml:370(para)
29529
#: serverguide/C/backups.xml:376(para)
29433
29531
"In this section, the shell script will be slightly modified to implement a "
29434
29532
"grandfather-father-son rotation scheme (monthly-weekly-daily):"
29437
#: serverguide/C/backups.xml:376(para)
29535
#: serverguide/C/backups.xml:382(para)
29439
29537
"The rotation will do a <emphasis>daily</emphasis> backup Sunday through "
29443
#: serverguide/C/backups.xml:381(para)
29541
#: serverguide/C/backups.xml:387(para)
29445
29543
"On Saturday a <emphasis>weekly</emphasis> backup is done giving you four "
29446
29544
"weekly backups a month."
29449
#: serverguide/C/backups.xml:386(para)
29547
#: serverguide/C/backups.xml:392(para)
29451
29549
"The <emphasis>monthly</emphasis> backup is done on the first of the month "
29452
29550
"rotating two monthly backups based on if the month is odd or even."
29455
#: serverguide/C/backups.xml:392(para)
29553
#: serverguide/C/backups.xml:398(para)
29456
29554
msgid "Here is the new script:"
29459
#: serverguide/C/backups.xml:395(programlisting)
29557
#: serverguide/C/backups.xml:401(programlisting)
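Review bot: In the backups.xml:153-166 strings, replacing `sudo bash backup.sh` with `chmod u+x backup.sh` followed by `sudo ./backup.sh` leaves a root-executed script that, having been created by copy and paste and made executable without sudo, is presumably still owned and writable by the invoking user. The "Executing with cron" text that follows automates the same file. Suggest the paragraph also tell the reader to hand the file to root before scheduling it, for example `sudo chown root:root backup.sh` and `sudo chmod 700 backup.sh`, so an unprivileged account cannot alter what later runs with root privileges. Running `./backup.sh` also depends on the script's interpreter line, which `sudo bash backup.sh` did not, so confirm the script listing starts with one. Because the first msgid was reworded and two msgids were added ("Then from a terminal prompt:" and `sudo ./backup.sh`), existing translations of the old string will need to be redone.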
29645
29743
"network wide solution."
29648
#: serverguide/C/backups.xml:546(para)
29746
#: serverguide/C/backups.xml:552(para)
29650
29748
"<application>Bacula</application> is made up of several components and "
29651
29749
"services used to manage which files to backup and backup locations:"
29654
#: serverguide/C/backups.xml:551(para)
29752
#: serverguide/C/backups.xml:557(para)
29656
29754
"<application>Bacula Director:</application> a service that controls all "
29657
29755
"backup, restore, verify, and archive operations."
29660
#: serverguide/C/backups.xml:556(para)
29758
#: serverguide/C/backups.xml:562(para)
29662
29760
"<application>Bacula Console:</application> an application allowing "
29663
29761
"communication with the Director. There are three versions of the Console:"
29666
#: serverguide/C/backups.xml:561(para)
29764
#: serverguide/C/backups.xml:567(para)
29667
29765
msgid "Text based command line version."
29670
#: serverguide/C/backups.xml:562(para)
29768
#: serverguide/C/backups.xml:568(para)
29671
29769
msgid "Gnome based GTK+ Graphical User Interface (GUI) interface."
29674
#: serverguide/C/backups.xml:563(para)
29772
#: serverguide/C/backups.xml:569(para)
29675
29773
msgid "wxWidgets GUI interface."
29678
#: serverguide/C/backups.xml:567(para)
29776
#: serverguide/C/backups.xml:573(para)
29680
29778
"<application>Bacula File:</application> also known as the "
29681
29779
"<application>Bacula Client</application> program. This application is "
29697
29795
"different databases MySQL, PostgreSQL, and SQLite."
29700
#: serverguide/C/backups.xml:584(para)
29798
#: serverguide/C/backups.xml:590(para)
29702
29800
"<application>Bacula Monitor:</application> allows the monitoring of the "
29703
29801
"Director, File daemons, and Storage daemons. Currently the Monitor is only "
29704
29802
"available as a GTK+ GUI application."
29707
#: serverguide/C/backups.xml:590(para)
29805
#: serverguide/C/backups.xml:596(para)
29709
29807
"These services and applications can be run on multiple servers and clients, "
29710
29808
"or they can be installed on one machine if backing up a single disk or "
29714
#: serverguide/C/backups.xml:598(para)
29812
#: serverguide/C/backups.xml:604(para)
29716
29814
"If using MySQL or PostgreSQL as your database, you should already have the "
29717
29815
"services available. <application>Bacula</application> will not install them "
29721
#: serverguide/C/backups.xml:603(para)
29819
#: serverguide/C/backups.xml:609(para)
29723
29821
"There are multiple packages containing the different "
29724
29822
"<application>Bacula</application> components. To install Bacula, from a "
29725
29823
"terminal prompt enter:"
29728
#: serverguide/C/backups.xml:608(command)
29826
#: serverguide/C/backups.xml:614(command)
29729
29827
msgid "sudo apt-get install bacula"
29732
#: serverguide/C/backups.xml:610(para)
29830
#: serverguide/C/backups.xml:616(para)
29734
29832
"By default installing the <application>bacula</application> package will use "
29735
29833
"a <application>MySQL</application> database for the Catalog. If you want to "