1
# Esperanto translation for ubuntu-docs
2
# Copyright (c) 2009 Rosetta Contributors and Canonical Ltd 2009
3
# This file is distributed under the same license as the ubuntu-docs package.
4
# FIRST AUTHOR <EMAIL@ADDRESS>, 2009.
8
"Project-Id-Version: ubuntu-docs\n"
9
"Report-Msgid-Bugs-To: FULL NAME <EMAIL@ADDRESS>\n"
10
"POT-Creation-Date: 2009-10-04 21:24+0100\n"
11
"PO-Revision-Date: 2009-05-08 11:10+0000\n"
12
"Last-Translator: Michael Moroni <haikara90@gmail.com>\n"
13
"Language-Team: Esperanto <eo@li.org>\n"
15
"Content-Type: text/plain; charset=UTF-8\n"
16
"Content-Transfer-Encoding: 8bit\n"
17
"X-Launchpad-Export-Date: 2009-10-16 07:27+0000\n"
18
"X-Generator: Launchpad (build Unknown)\n"
20
#: serverguide/C/serverguide-C.omf:6(creator) serverguide/C/serverguide-C.omf:7(maintainer)
21
msgid "ubuntu-doc@lists.ubuntu.com (Ubuntu Documentation Project)"
22
msgstr "ubuntu-doc@lists.ubuntu.com (Documentada projekto de Ubuntu)"
24
#: serverguide/C/serverguide-C.omf:8(title) serverguide/C/serverguide-C.omf:11(description) serverguide/C/serverguide.xml:14(title) serverguide/C/bookinfo.xml:13(title)
25
msgid "Ubuntu Server Guide"
28
#: serverguide/C/serverguide-C.omf:9(date)
30
msgstr "30-a de septembro 2007"
32
#: serverguide/C/windows-networking.xml:13(title)
33
msgid "Windows Networking"
36
#: serverguide/C/windows-networking.xml:15(para)
38
"Computer networks are often comprised of diverse systems, and while "
39
"operating a network made up entirely of Ubuntu desktop and server computers "
40
"would certainly be fun, some network environments must consist of both "
41
"Ubuntu and <trademark class=\"registered\">Microsoft</trademark><trademark "
42
"class=\"registered\">Windows</trademark> systems working together in "
43
"harmony. This section of the <phrase>Ubuntu</phrase> Server Guide introduces "
44
"principles and tools used in configuring your Ubuntu Server for sharing "
45
"network resources with Windows computers."
48
#: serverguide/C/windows-networking.xml:25(title) serverguide/C/virtualization.xml:397(title) serverguide/C/security.xml:412(title) serverguide/C/remote-administration.xml:22(title) serverguide/C/package-management.xml:20(title) serverguide/C/introduction.xml:13(title)
52
#: serverguide/C/windows-networking.xml:27(para)
54
"Successfully networking your Ubuntu system with Windows clients involves "
55
"providing and integrating with services common to Windows environments. Such "
56
"services assist the sharing of data and information about the computers and "
57
"users involved in the network, and may be classified under three major "
58
"categories of functionality:"
61
#: serverguide/C/windows-networking.xml:35(para)
63
"<emphasis role=\"bold\">File and Printer Sharing Services</emphasis>. Using "
64
"the Server Message Block (SMB) protocol to facilitate the sharing of files, "
65
"folders, volumes, and the sharing of printers throughout the network."
68
#: serverguide/C/windows-networking.xml:41(para)
70
"<emphasis role=\"bold\">Directory Services</emphasis>. Sharing vital "
71
"information about the computers and users of the network with such "
72
"technologies as the Lightweight Directory Access Protocol (LDAP) and "
73
"Microsoft <trademark class=\"registered\">Active Directory</trademark>."
76
#: serverguide/C/windows-networking.xml:48(para)
78
"<emphasis role=\"bold\">Authentication and Access</emphasis>. Establishing "
79
"the identity of a computer or user of the network and determining the "
80
"information the computer or user is authorized to access using such "
81
"principles and technologies as file permissions, group policies, and the "
82
"Kerberos authentication service."
85
#: serverguide/C/windows-networking.xml:56(para)
87
"Fortunately, your Ubuntu system may provide all such facilities to Windows "
88
"clients and share network resources among them. One of the principal pieces "
89
"of software your Ubuntu system includes for Windows networking is the Samba "
90
"suite of SMB server applications and tools."
93
#: serverguide/C/windows-networking.xml:62(para)
95
"This section of the <phrase>Ubuntu</phrase> Server Guide will introduce some "
96
"of the common Samba use cases, and how to install and configure the "
97
"necessary packages. Additional detailed documentation and information on "
98
"Samba can be found on the <ulink url=\"http://www.samba.org\">Samba "
102
#: serverguide/C/windows-networking.xml:70(title)
103
msgid "Samba File Server"
106
#: serverguide/C/windows-networking.xml:72(para)
108
"One of the most common ways to network Ubuntu and Windows computers is to "
109
"configure Samba as a File Server. This section covers setting up a "
110
"<application>Samba</application> server to share files with Windows clients."
113
#: serverguide/C/windows-networking.xml:77(para)
115
"The server will be configured to share files with any client on the network "
116
"without prompting for a password. If your environment requires stricter "
117
"Access Controls see <xref linkend=\"samba-fileprint-security\"/>"
120
#: serverguide/C/windows-networking.xml:83(title) serverguide/C/windows-networking.xml:282(title) serverguide/C/windows-networking.xml:1279(title) serverguide/C/web-servers.xml:41(title) serverguide/C/web-servers.xml:669(title) serverguide/C/web-servers.xml:804(title) serverguide/C/web-servers.xml:925(title) serverguide/C/vpn.xml:33(title) serverguide/C/virtualization.xml:62(title) serverguide/C/virtualization.xml:1341(title) serverguide/C/vcs.xml:28(title) serverguide/C/vcs.xml:86(title) serverguide/C/vcs.xml:402(title) serverguide/C/remote-administration.xml:52(title) serverguide/C/remote-administration.xml:220(title) serverguide/C/network-config.xml:603(title) serverguide/C/network-auth.xml:52(title) serverguide/C/network-auth.xml:1244(title) serverguide/C/network-auth.xml:1749(title) serverguide/C/network-auth.xml:2140(title) serverguide/C/monitoring.xml:42(title) serverguide/C/monitoring.xml:423(title) serverguide/C/mail.xml:40(title) serverguide/C/mail.xml:478(title) serverguide/C/mail.xml:651(title) serverguide/C/mail.xml:795(title) serverguide/C/mail.xml:1284(title) serverguide/C/lamp-applications.xml:108(title) serverguide/C/lamp-applications.xml:282(title) serverguide/C/lamp-applications.xml:398(title) serverguide/C/installation.xml:13(title) serverguide/C/installation.xml:908(title) serverguide/C/file-server.xml:342(title) serverguide/C/file-server.xml:454(title) serverguide/C/dns.xml:23(title) serverguide/C/databases.xml:40(title) serverguide/C/databases.xml:159(title) serverguide/C/chat.xml:37(title) serverguide/C/chat.xml:136(title) serverguide/C/backups.xml:593(title)
124
#: serverguide/C/windows-networking.xml:85(para)
126
"The first step is to install the <application>samba</application> package. "
127
"From a terminal prompt enter:"
130
#: serverguide/C/windows-networking.xml:90(command) serverguide/C/windows-networking.xml:294(command)
131
msgid "sudo apt-get install samba"
132
msgstr "sudo apt-get install samba"
134
#: serverguide/C/windows-networking.xml:93(para)
136
"That's all there is to it; you are now ready to configure Samba to share "
140
#: serverguide/C/windows-networking.xml:99(title) serverguide/C/windows-networking.xml:299(title) serverguide/C/web-servers.xml:61(title) serverguide/C/web-servers.xml:720(title) serverguide/C/web-servers.xml:815(title) serverguide/C/web-servers.xml:952(title) serverguide/C/web-servers.xml:1046(title) serverguide/C/vpn.xml:137(title) serverguide/C/virtualization.xml:1226(title) serverguide/C/virtualization.xml:1415(title) serverguide/C/vcs.xml:39(title) serverguide/C/vcs.xml:420(title) serverguide/C/remote-administration.xml:74(title) serverguide/C/remote-administration.xml:245(title) serverguide/C/package-management.xml:365(title) serverguide/C/network-config.xml:625(title) serverguide/C/network-auth.xml:88(title) serverguide/C/network-auth.xml:1788(title) serverguide/C/network-auth.xml:2161(title) serverguide/C/monitoring.xml:187(title) serverguide/C/monitoring.xml:449(title) serverguide/C/mail.xml:487(title) serverguide/C/mail.xml:661(title) serverguide/C/mail.xml:880(title) serverguide/C/mail.xml:1309(title) serverguide/C/lamp-applications.xml:128(title) serverguide/C/lamp-applications.xml:309(title) serverguide/C/lamp-applications.xml:428(title) serverguide/C/file-server.xml:355(title) serverguide/C/file-server.xml:480(title) serverguide/C/dns.xml:39(title) serverguide/C/databases.xml:84(title) serverguide/C/databases.xml:178(title) serverguide/C/clustering.xml:47(title) serverguide/C/chat.xml:57(title) serverguide/C/chat.xml:148(title) serverguide/C/backups.xml:616(title)
141
msgid "Configuration"
144
#: serverguide/C/windows-networking.xml:101(para)
146
"The main Samba configuration file is located in "
147
"<filename>/etc/samba/smb.conf</filename>. The default configuration file has "
148
"a significant amount of comments in order to document various configuration "
152
#: serverguide/C/windows-networking.xml:106(para)
154
"Not all the available options are included in the default configuration "
155
"file. See the <filename>smb.conf</filename><application>man</application> "
156
"page or the <ulink url=\"http://samba.org/samba/docs/man/Samba-HOWTO-"
157
"Collection/\">Samba HOWTO Collection</ulink> for more details."
160
#: serverguide/C/windows-networking.xml:116(para)
162
"First, edit the following key/value pairs in the "
163
"<emphasis>[global]</emphasis> section of "
164
"<filename>/etc/samba/smb.conf</filename>:"
167
#: serverguide/C/windows-networking.xml:121(programlisting) serverguide/C/windows-networking.xml:306(programlisting) serverguide/C/windows-networking.xml:761(programlisting) serverguide/C/windows-networking.xml:975(programlisting)
171
" workgroup = EXAMPLE\n"
176
#: serverguide/C/windows-networking.xml:127(para)
178
"The <emphasis>security</emphasis> parameter is farther down in the [global] "
179
"section, and is commented by default. Also, change "
180
"<emphasis>EXAMPLE</emphasis> to better match your environment."
183
#: serverguide/C/windows-networking.xml:135(para)
185
"Create a new section at the bottom of the file, or uncomment one of the "
186
"examples, for the directory to be shared:"
189
#: serverguide/C/windows-networking.xml:139(programlisting)
194
" comment = Ubuntu File Server Share\n"
195
" path = /srv/samba/share\n"
199
" create mask = 0755\n"
202
#: serverguide/C/windows-networking.xml:151(para)
204
"<emphasis>comment:</emphasis> a short description of the share. Adjust to "
208
#: serverguide/C/windows-networking.xml:156(para)
209
msgid "<emphasis>path:</emphasis> the path to the directory to share."
210
msgstr "<emphasis>pado:</emphasis> la pado de la kunhavenda dosierujo"
212
#: serverguide/C/windows-networking.xml:159(para)
214
"This example uses <filename>/srv/samba/sharename</filename> because, "
215
"according to the <emphasis>Filesystem Hierarchy Standard (FHS)</emphasis>, "
216
"<ulink url=\"http://www.pathname.com/fhs/pub/fhs-"
217
"2.3.html#SRVDATAFORSERVICESPROVIDEDBYSYSTEM\">/srv</ulink> is where site-"
218
"specific data should be served. Technically Samba shares can be placed "
219
"anywhere on the filesystem as long as the permissions are correct, but "
220
"adhering to standards is recommended."
223
#: serverguide/C/windows-networking.xml:168(para)
225
"<emphasis>browsable:</emphasis> enables Windows clients to browse the shared "
226
"directory using <application>Windows Explorer</application>."
229
#: serverguide/C/windows-networking.xml:174(para)
231
"<emphasis>guest ok:</emphasis> allows clients to connect to the share "
232
"without supplying a password."
235
#: serverguide/C/windows-networking.xml:179(para)
237
"<emphasis>read only:</emphasis> determines if the share is read only or if "
238
"write privileges are granted. Write privileges are allowed only when the "
239
"value is <emphasis>no</emphasis>, as is seen in this example. If the value "
240
"is <emphasis>yes</emphasis>, then access to the share is read only."
243
#: serverguide/C/windows-networking.xml:184(para)
245
"<emphasis>create mask:</emphasis> determines the permissions new files will "
249
#: serverguide/C/windows-networking.xml:193(para)
251
"Now that <application>Samba</application> is configured, the directory needs "
252
"to be created and the permissions changed. From a terminal enter:"
255
#: serverguide/C/windows-networking.xml:199(command)
256
msgid "sudo mkdir -p /srv/samba/share"
257
msgstr "sudo mkdir -p /srv/samba/share"
259
#: serverguide/C/windows-networking.xml:200(command)
260
msgid "sudo chown nobody.nogroup /srv/samba/share/"
261
msgstr "sudo chown nobody.nogroup /srv/samba/share/"
263
#: serverguide/C/windows-networking.xml:204(para)
265
"The <emphasis>-p</emphasis> switch tells mkdir to create the entire "
266
"directory tree if it doesn't exist. Change the share name to fit your "
270
#: serverguide/C/windows-networking.xml:213(para)
272
"Finally, restart the <application>samba</application> services to enable the "
276
#: serverguide/C/windows-networking.xml:218(command) serverguide/C/windows-networking.xml:326(command) serverguide/C/windows-networking.xml:458(command) serverguide/C/windows-networking.xml:557(command) serverguide/C/windows-networking.xml:922(command) serverguide/C/windows-networking.xml:1032(command) serverguide/C/windows-networking.xml:1142(command) serverguide/C/network-auth.xml:1523(command)
277
msgid "sudo /etc/init.d/samba restart"
278
msgstr "sudo /etc/init.d/samba restart"
280
#: serverguide/C/windows-networking.xml:225(para)
282
"Once again, the above configuration gives all access to any client on the "
283
"local network. For a more secure configuration see <xref linkend=\"samba-"
284
"fileprint-security\"/>."
287
#: serverguide/C/windows-networking.xml:231(para)
289
"From a Windows client you should now be able to browse to the Ubuntu file "
290
"server and see the shared directory. To check that everything is working try "
291
"creating a directory from Windows."
294
#: serverguide/C/windows-networking.xml:236(para)
296
"To create additional shares simply create new <emphasis>[dir]</emphasis> "
297
"sections in <filename>/etc/samba/smb.conf</filename>, and restart "
298
"<emphasis>Samba</emphasis>. Just make sure that the directory you want to "
299
"share actually exists and the permissions are correct."
302
#: serverguide/C/windows-networking.xml:243(title) serverguide/C/windows-networking.xml:336(title) serverguide/C/windows-networking.xml:686(title) serverguide/C/windows-networking.xml:1051(title) serverguide/C/windows-networking.xml:1253(title) serverguide/C/virtualization.xml:366(title) serverguide/C/virtualization.xml:1163(title) serverguide/C/remote-administration.xml:478(title) serverguide/C/network-config.xml:247(title) serverguide/C/network-config.xml:490(title) serverguide/C/network-auth.xml:1199(title) serverguide/C/network-auth.xml:1638(title) serverguide/C/network-auth.xml:2236(title) serverguide/C/network-auth.xml:2739(title) serverguide/C/installation.xml:848(title) serverguide/C/installation.xml:1124(title) serverguide/C/databases.xml:122(title) serverguide/C/databases.xml:268(title) serverguide/C/backups.xml:855(title)
306
#: serverguide/C/windows-networking.xml:247(para) serverguide/C/windows-networking.xml:340(para) serverguide/C/windows-networking.xml:690(para) serverguide/C/windows-networking.xml:1055(para)
308
"For in depth Samba configurations see the <ulink "
309
"url=\"http://samba.org/samba/docs/man/Samba-HOWTO-Collection/\">Samba HOWTO "
313
#: serverguide/C/windows-networking.xml:253(para) serverguide/C/windows-networking.xml:346(para) serverguide/C/windows-networking.xml:696(para) serverguide/C/windows-networking.xml:1061(para)
315
"The guide is also available in <ulink "
316
"url=\"http://www.amazon.com/exec/obidos/tg/detail/-/0131882228\">printed "
320
#: serverguide/C/windows-networking.xml:259(para) serverguide/C/windows-networking.xml:352(para)
323
"url=\"http://www.oreilly.com/catalog/9780596007690/\">Using Samba</ulink> is "
324
"another good reference."
327
#: serverguide/C/windows-networking.xml:269(title)
328
msgid "Samba Print Server"
331
#: serverguide/C/windows-networking.xml:271(para)
333
"Another common use of Samba is to configure it to share printers installed, "
334
"either locally or over the network, on an Ubuntu server. Similar to <xref "
335
"linkend=\"samba-fileserver\"/> this section will configure Samba to allow "
336
"any client on the local network to use the installed printers without "
337
"prompting for a username and password."
340
#: serverguide/C/windows-networking.xml:277(para)
342
"For a more secure configuration see <xref linkend=\"samba-fileprint-"
346
#: serverguide/C/windows-networking.xml:284(para)
348
"Before installing and configuring Samba it is best to already have a working "
349
"<application>CUPS</application> installation. See <xref linkend=\"cups\"/> "
353
#: serverguide/C/windows-networking.xml:289(para)
355
"To install the <application>samba</application> package, from a terminal "
358
"Por instali <application>samba</application>-n pakaĵon el terminalo, tajpi:"
360
#: serverguide/C/windows-networking.xml:300(para)
362
"After installing samba edit <filename>/etc/samba/smb.conf</filename>. Change "
363
"the <emphasis>workgroup</emphasis> attribute to what is appropriate for your "
364
"network, and change <emphasis>security</emphasis> to <emphasis "
365
"role=\"italic\">share</emphasis>:"
368
#: serverguide/C/windows-networking.xml:312(para)
370
"In the <emphasis>[printers]</emphasis> section change the <emphasis>guest "
371
"ok</emphasis> option to <emphasis role=\"italic\">yes</emphasis>:"
374
#: serverguide/C/windows-networking.xml:316(programlisting)
382
#: serverguide/C/windows-networking.xml:321(para)
383
msgid "After editing <filename>smb.conf</filename> restart Samba:"
386
#: serverguide/C/windows-networking.xml:329(para)
388
"The default Samba configuration will automatically share any printers "
389
"installed. Simply install the printer locally on your Windows clients."
392
#: serverguide/C/windows-networking.xml:358(para)
394
"Also, see the <ulink url=\"http://www.cups.org/\">CUPS Website</ulink> for "
395
"more information on configuring CUPS."
398
#: serverguide/C/windows-networking.xml:367(title)
399
msgid "Securing a Samba File and Print Server"
402
#: serverguide/C/windows-networking.xml:370(title)
403
msgid "Samba Security Modes"
406
#: serverguide/C/windows-networking.xml:372(para)
408
"There are two security levels available to the Common Internet Filesystem "
409
"(CIFS) network protocol <emphasis>user-level</emphasis> and <emphasis>share-"
410
"level</emphasis>. Samba's <emphasis>security mode</emphasis> implementation "
411
"allows more flexibility, providing four ways of implementing user-level "
412
"security and one way to implement share-level:"
415
#: serverguide/C/windows-networking.xml:381(para)
417
"<emphasis>security = user:</emphasis> requires clients to supply a username "
418
"and password to connect to shares. Samba user accounts are separate from "
419
"system accounts, but the <application>libpam-smbpass</application> package "
420
"will sync system users and passwords with the Samba user database."
423
#: serverguide/C/windows-networking.xml:388(para)
425
"<emphasis>security = domain:</emphasis> this mode allows the Samba server to "
426
"appear to Windows clients as a Primary Domain Controller (PDC), Backup "
427
"Domain Controller (BDC), or a Domain Member Server (DMS). See <xref "
428
"linkend=\"samba-dc\"/> for further information."
431
#: serverguide/C/windows-networking.xml:395(para)
433
"<emphasis>security = ADS:</emphasis> allows the Samba server to join an "
434
"Active Directory domain as a native member. See <xref linkend=\"samba-ad-"
435
"integration\"/> for details."
438
#: serverguide/C/windows-networking.xml:401(para)
440
"<emphasis>security = server:</emphasis> this mode is left over from before "
441
"Samba could become a member server, and due to some security issues should "
442
"not be used. See the <ulink url=\"http://samba.org/samba/docs/man/Samba-"
443
"HOWTO-Collection/ServerType.html#id349531\">Server Security</ulink> section "
444
"of the Samba guide for more details."
447
#: serverguide/C/windows-networking.xml:409(para)
449
"<emphasis>security = share:</emphasis> allows clients to connect to shares "
450
"without supplying a username and password."
453
#: serverguide/C/windows-networking.xml:416(para)
455
"The security mode you choose will depend on your environment and what you "
456
"need the Samba server to accomplish."
459
#: serverguide/C/windows-networking.xml:422(title)
460
msgid "Security = User"
463
#: serverguide/C/windows-networking.xml:424(para)
465
"This section will reconfigure the Samba file and print server, from <xref "
466
"linkend=\"samba-fileserver\"/> and <xref linkend=\"samba-printserver\"/>, to "
467
"require authentication."
470
#: serverguide/C/windows-networking.xml:429(para)
472
"First, install the <application>libpam-smbpass</application> package which "
473
"will sync the system users to the Samba user database:"
476
#: serverguide/C/windows-networking.xml:435(command)
477
msgid "sudo apt-get install libpam-smbpass"
480
#: serverguide/C/windows-networking.xml:439(para)
482
"If you chose the <emphasis>Samba Server</emphasis> task during installation "
483
"<application>libpam-smbpass</application> is already installed."
486
#: serverguide/C/windows-networking.xml:445(para)
488
"Edit <filename>/etc/samba/smb.conf</filename>, and in the "
489
"<emphasis>[share]</emphasis> section change:"
492
#: serverguide/C/windows-networking.xml:449(programlisting)
499
#: serverguide/C/windows-networking.xml:453(para)
500
msgid "Finally, restart Samba for the new settings to take effect:"
503
#: serverguide/C/windows-networking.xml:461(para)
505
"Now when connecting to the shared directories or printers you should be "
506
"prompted for a username and password."
509
#: serverguide/C/windows-networking.xml:466(para)
511
"If you choose to map a network drive to the share you can check the "
512
"<quote>Reconnect at Logon</quote> check box, which will require you to only "
513
"enter the username and password once, at least until the password changes."
516
#: serverguide/C/windows-networking.xml:474(title)
517
msgid "Share Security"
520
#: serverguide/C/windows-networking.xml:476(para)
522
"There are several options available to increase the security for each "
523
"individual shared directory. Using the <emphasis>[share]</emphasis> example, "
524
"this section will cover some common options."
527
#: serverguide/C/windows-networking.xml:482(title)
531
#: serverguide/C/windows-networking.xml:484(para)
533
"Groups define a collection of computers or users which have a common level "
534
"of access to particular network resources and offer a level of granularity "
535
"in controlling access to such resources. For example, if a group <emphasis "
536
"role=\"italic\">qa</emphasis> is defined and contains the users <emphasis "
537
"role=\"italic\">freda</emphasis>, <emphasis "
538
"role=\"italic\">danika</emphasis>, and <emphasis "
539
"role=\"italic\">rob</emphasis> and a second group <emphasis "
540
"role=\"italic\">support</emphasis> is defined and consists of users "
541
"<emphasis role=\"italic\">danika</emphasis>, <emphasis "
542
"role=\"italic\">jeremy</emphasis>, and <emphasis "
543
"role=\"italic\">vincent</emphasis> then certain network resources configured "
544
"to allow access by the <emphasis role=\"italic\">qa</emphasis> group will "
545
"subsequently enable access by freda, danika, and rob, but not jeremy or "
546
"vincent. Since the user <emphasis role=\"italic\">danika</emphasis> belongs "
547
"to both the <emphasis role=\"italic\">qa</emphasis> and <emphasis "
548
"role=\"italic\">support</emphasis> groups, she will be able to access "
549
"resources configured for access by both groups, whereas all other users will "
550
"have only access to resources explicitly allowing the group they are part of."
553
#: serverguide/C/windows-networking.xml:498(para)
555
"By default Samba looks for the local system groups defined in "
556
"<filename>/etc/group</filename> to determine which users belong to which "
557
"groups. For more information on adding and removing users from groups see "
558
"<xref linkend=\"adding-deleting-users\"/>."
561
#: serverguide/C/windows-networking.xml:504(para)
563
"When defining groups in the Samba configuration file, "
564
"<filename>/etc/samba/smb.conf</filename>, the recognized syntax is to "
565
"preface the group name with an \"@\" symbol. For example, if you wished to "
566
"define a group named <emphasis role=\"italic\">sysadmin</emphasis> in a "
567
"certain section of the <filename>/etc/samba/smb.conf</filename>, you would "
568
"do so by entering the group name as <emphasis "
569
"role=\"bold\">@sysadmin</emphasis>."
572
#: serverguide/C/windows-networking.xml:513(title)
573
msgid "File Permissions"
576
#: serverguide/C/windows-networking.xml:515(para)
578
"File Permissions define the explicit rights a computer or user has to a "
579
"particular directory, file, or set of files. Such permissions may be defined "
580
"by editing the <filename>/etc/samba/smb.conf</filename> file and specifying "
581
"the explicit permissions of a defined file share."
584
#: serverguide/C/windows-networking.xml:521(para)
586
"For example, if you have defined a Samba share called "
587
"<emphasis>share</emphasis> and wish to give <emphasis role=\"italic\">read-"
588
"only</emphasis> permissions to the group of users known as <emphasis "
589
"role=\"italic\">qa</emphasis>, but wanted to allow writing to the share by "
590
"the group called <emphasis role=\"italic\">sysadmin</emphasis> and the user "
591
"named <emphasis role=\"italic\">vincent</emphasis>, then you could edit the "
592
"<filename>/etc/samba/smb.conf</filename> file, and add the following entries "
593
"under the <emphasis>[share]</emphasis> entry:"
596
#: serverguide/C/windows-networking.xml:530(programlisting)
601
" write list = @sysadmin, vincent\n"
604
#: serverguide/C/windows-networking.xml:535(para)
606
"Another possible Samba permission is to declare "
607
"<emphasis>administrative</emphasis> permissions to a particular shared "
608
"resource. Users having administrative permissions may read, write, or modify "
609
"any information contained in the resource the user has been given explicit "
610
"administrative permissions to."
613
#: serverguide/C/windows-networking.xml:541(para)
615
"For example, if you wanted to give the user <emphasis "
616
"role=\"italic\">melissa</emphasis> administrative permissions to the "
617
"<emphasis role=\"italic\">share</emphasis> example, you would edit the "
618
"<filename>/etc/samba/smb.conf</filename> file, and add the following line "
619
"under the <emphasis>[share]</emphasis> entry:"
622
#: serverguide/C/windows-networking.xml:548(programlisting)
626
" admin users = melissa\n"
629
#: serverguide/C/windows-networking.xml:552(para)
631
"After editing <filename>/etc/samba/smb.conf</filename>, restart Samba for "
632
"the changes to take effect:"
635
#: serverguide/C/windows-networking.xml:561(para)
637
"For the <emphasis>read list</emphasis> and <emphasis>write list</emphasis> "
638
"to work the Samba security mode must <emphasis>not</emphasis> be set to "
639
"<emphasis role=\"italic\">security = share</emphasis>"
642
#: serverguide/C/windows-networking.xml:567(para)
644
"Now that Samba has been configured to limit which groups have access to the "
645
"shared directory, the filesystem permissions need to be updated."
648
#: serverguide/C/windows-networking.xml:572(para)
650
"Traditional Linux file permissions do not map well to Windows NT Access "
651
"Control Lists (ACLs). Fortunately POSIX ACLs are available on Ubuntu servers "
652
"providing more fine grained control. For example, to enable ACLs on "
653
"<filename>/srv</filename> an EXT3 filesystem, edit "
654
"<filename>/etc/fstab</filename> adding the <emphasis>acl</emphasis> option:"
657
#: serverguide/C/windows-networking.xml:579(programlisting)
661
"UUID=66bcdd2e-8861-4fb0-b7e4-e61c569fe17d /srv ext3 noatime,relatime,acl "
665
#: serverguide/C/windows-networking.xml:583(para)
666
msgid "Then remount the partition:"
669
#: serverguide/C/windows-networking.xml:588(command)
670
msgid "sudo mount -v -o remount /srv"
673
#: serverguide/C/windows-networking.xml:592(para)
675
"The above example assumes <filename>/srv</filename> on a separate partition. "
676
"If <filename>/srv</filename>, or wherever you have configured your share "
677
"path, is part of the <filename>/</filename> partition a reboot may be "
681
#: serverguide/C/windows-networking.xml:599(para)
683
"To match the Samba configuration above the <emphasis>sysadmin</emphasis> "
684
"group will be given read, write, and execute permissions to "
685
"<filename>/srv/samba/share</filename>, the <emphasis>qa</emphasis> group "
686
"will be given read and execute permissions, and the files will be owned by "
687
"the username <emphasis>melissa</emphasis>. Enter the following in a terminal:"
690
#: serverguide/C/windows-networking.xml:607(command)
691
msgid "sudo chown -R melissa /srv/samba/share/"
694
#: serverguide/C/windows-networking.xml:608(command)
695
msgid "sudo chgrp -R sysadmin /srv/samba/share/"
698
#: serverguide/C/windows-networking.xml:609(command)
699
msgid "sudo setfacl -R -m g:qa:rx /srv/samba/share/"
702
#: serverguide/C/windows-networking.xml:613(para)
704
"The <application>setfacl</application> command above gives "
705
"<emphasis>execute</emphasis> permissions to all files in the "
706
"<filename>/srv/samba/share</filename> directory, which you may or may not "
710
#: serverguide/C/windows-networking.xml:619(para)
712
"Now from a Windows client you should notice the new file permissions are "
713
"implemented. See the <application>acl</application> and "
714
"<application>setfacl</application> man pages for more information on POSIX "
718
#: serverguide/C/windows-networking.xml:627(title)
719
msgid "Samba AppArmor Profile"
722
#: serverguide/C/windows-networking.xml:629(para)
724
"Ubuntu comes with the <application>AppArmor</application> security module, "
725
"which provides mandatory access controls. The default AppArmor profile for "
726
"Samba will need to be adapted to your configuration. For more details on "
727
"using AppArmor see <xref linkend=\"apparmor\"/>."
730
#: serverguide/C/windows-networking.xml:635(para)
732
"There are default AppArmor profiles for <filename>/usr/sbin/smbd</filename> "
733
"and <filename>/usr/sbin/nmbd</filename>, the Samba daemon binaries, as part "
734
"of the <application>apparmor-profiles</application> packages. To install the "
735
"package, from a terminal prompt enter:"
738
#: serverguide/C/windows-networking.xml:642(command) serverguide/C/security.xml:978(command)
739
msgid "sudo apt-get install apparmor-profiles"
742
#: serverguide/C/windows-networking.xml:646(para)
743
msgid "This package contains profiles for several other binaries."
746
#: serverguide/C/windows-networking.xml:651(para)
748
"By default the profiles for <application>smbd</application> and "
749
"<application>nmbd</application> are in <emphasis>complain</emphasis> mode "
750
"allowing Samba to work without modifying the profile, and only logging "
751
"errors. To place the <application>smbd</application> profile into "
752
"<emphasis>enforce</emphasis> mode, and have Samba work as expected, the "
753
"profile will need to be modified to reflect any directories that are shared."
756
#: serverguide/C/windows-networking.xml:658(para)
758
"Edit <filename>/etc/apparmor.d/usr.sbin.smbd</filename> adding information "
759
"for <emphasis>[share]</emphasis> from the file server example:"
762
#: serverguide/C/windows-networking.xml:663(programlisting)
766
" /srv/samba/share/ r,\n"
767
" /srv/samba/share/** rwkix,\n"
770
#: serverguide/C/windows-networking.xml:668(para)
772
"Now place the profile into <emphasis>enforce</emphasis> and reload it:"
775
#: serverguide/C/windows-networking.xml:673(command)
776
msgid "sudo aa-enforce /usr/sbin/smbd"
779
#: serverguide/C/windows-networking.xml:674(command)
780
msgid "cat /etc/apparmor.d/usr.sbin.smbd | sudo apparmor_parser -r"
783
#: serverguide/C/windows-networking.xml:677(para)
785
"You should now be able to read, write, and execute files in the shared "
786
"directory as normal, and the <application>smbd</application> binary will "
787
"have access to only the configured files and directories. Be sure to add "
788
"entries for each directory you configure Samba to share. Also, any errors "
789
"will be logged to <filename>/var/log/syslog</filename>."
792
#: serverguide/C/windows-networking.xml:702(para) serverguide/C/windows-networking.xml:1067(para)
795
"url=\"http://www.oreilly.com/catalog/9780596007690/\">Using Samba</ulink> is "
796
"also a good reference."
799
#: serverguide/C/windows-networking.xml:708(para)
801
"<ulink url=\"http://samba.org/samba/docs/man/Samba-HOWTO-Collection/securing-"
802
"samba.html\">Chapter 18</ulink> of the Samba HOWTO Collection is devoted to "
806
#: serverguide/C/windows-networking.xml:714(para)
808
"For more information on Samba and ACLs see the <ulink "
809
"url=\"http://samba.org/samba/docs/man/Samba-HOWTO-"
810
"Collection/AccessControls.html#id397568\">Samba ACLs page </ulink>."
813
#: serverguide/C/windows-networking.xml:725(title)
814
msgid "Samba as a Domain Controller"
817
#: serverguide/C/windows-networking.xml:727(para)
819
"Although it cannot act as an Active Directory Primary Domain Controller "
820
"(PDC), a Samba server can be configured to appear as a Windows NT4-style "
821
"domain controller. A major advantage of this configuration is the ability to "
822
"centralize user and machine credentials. Samba can also use multiple "
823
"backends to store the user information."
826
#: serverguide/C/windows-networking.xml:734(title)
827
msgid "Primary Domain Controller"
830
#: serverguide/C/windows-networking.xml:736(para)
832
"This section covers configuring Samba as a Primary Domain Controller (PDC) "
833
"using the default smbpasswd backend."
836
#: serverguide/C/windows-networking.xml:743(para)
838
"First, install Samba, and <application>libpam-smbpass</application> to sync "
839
"the user accounts, by entering the following in a terminal prompt:"
842
#: serverguide/C/windows-networking.xml:749(command) serverguide/C/windows-networking.xml:965(command)
843
msgid "sudo apt-get install samba libpam-smbpass"
846
#: serverguide/C/windows-networking.xml:755(para)
848
"Next, configure Samba by editing <filename>/etc/samba/smb.conf</filename>. "
849
"The <emphasis>security</emphasis> mode should be set to <emphasis "
850
"role=\"italic\">user</emphasis>, and the <emphasis>workgroup</emphasis> "
851
"should relate to your organization:"
854
#: serverguide/C/windows-networking.xml:770(para)
856
"In the commented <quote>Domains</quote> section add or uncomment the "
860
#: serverguide/C/windows-networking.xml:774(programlisting)
864
" domain logons = yes\n"
865
" logon path = \\\\%N\\%U\\profile\n"
866
" logon drive = H:\n"
867
" logon home = \\\\%N\\%U\n"
868
" logon script = logon.cmd\n"
869
" add machine script = sudo /usr/sbin/useradd -N -g machines -c Machine -d "
870
"/var/lib/samba -s /bin/false %u\n"
873
#: serverguide/C/windows-networking.xml:785(para)
875
"<emphasis>domain logons:</emphasis> provides the netlogon service causing "
876
"Samba to act as a domain controller."
879
#: serverguide/C/windows-networking.xml:790(para)
881
"<emphasis>logon path:</emphasis> places the user's Windows profile into "
882
"their home directory. It is also possible to configure a "
883
"<emphasis>[profiles]</emphasis> share placing all profiles under a single "
887
#: serverguide/C/windows-networking.xml:796(para)
889
"<emphasis>logon drive:</emphasis> specifies the home directory local path."
892
#: serverguide/C/windows-networking.xml:801(para)
894
"<emphasis>logon home:</emphasis> specifies the home directory location."
897
#: serverguide/C/windows-networking.xml:806(para)
899
"<emphasis>logon script:</emphasis> determines the script to be run locally "
900
"once a user has logged in. The script needs to be placed in the "
901
"<emphasis>[netlogon]</emphasis> share."
904
#: serverguide/C/windows-networking.xml:812(para)
906
"<emphasis>add machine script:</emphasis> a script that will automatically "
907
"create the <emphasis>Machine Trust Account</emphasis> needed for a "
908
"workstation to join the domain."
911
#: serverguide/C/windows-networking.xml:816(para)
913
"In this example the <emphasis>machines</emphasis> group will need to be "
914
"created using the <application>addgroup</application> utility see <xref "
915
"linkend=\"adding-deleting-users\"/> for details."
918
#: serverguide/C/windows-networking.xml:824(para)
920
"If you wish to not use <emphasis>Roaming Profiles</emphasis> leave the "
921
"<emphasis>logon home</emphasis> and <emphasis>logon path</emphasis> options "
925
#: serverguide/C/windows-networking.xml:833(para)
927
"Uncomment the <emphasis>[homes]</emphasis> share to allow the <emphasis "
928
"role=\"italic\">logon home</emphasis> to be mapped:"
931
#: serverguide/C/windows-networking.xml:838(programlisting)
936
" comment = Home Directories\n"
939
" create mask = 0700\n"
940
" directory mask = 0700\n"
941
" valid users = %S\n"
944
#: serverguide/C/windows-networking.xml:851(para)
946
"When configured as a domain controller a <emphasis>[netlogon]</emphasis> "
947
"share needs to be configured. To enable the share, uncomment:"
950
#: serverguide/C/windows-networking.xml:856(programlisting)
955
" comment = Network Logon Service\n"
956
" path = /srv/samba/netlogon\n"
959
" share modes = no\n"
962
#: serverguide/C/windows-networking.xml:866(para)
964
"The original <emphasis>netlogon</emphasis> share path is "
965
"<filename>/home/samba/netlogon</filename>, but according to the Filesystem "
966
"Hierarchy Standard (FHS), <ulink url=\"http://www.pathname.com/fhs/pub/fhs-"
967
"2.3.html#SRVDATAFORSERVICESPROVIDEDBYSYSTEM\">/srv</ulink> is the correct "
968
"location for site-specific data provided by the system."
971
#: serverguide/C/windows-networking.xml:877(para)
973
"Now create the <filename role=\"directory\">netlogon</filename> directory, "
974
"and an empty (for now) <filename>logon.cmd</filename> script file:"
977
#: serverguide/C/windows-networking.xml:883(command)
978
msgid "sudo mkdir -p /srv/samba/netlogon"
981
#: serverguide/C/windows-networking.xml:884(command)
982
msgid "sudo touch /srv/samba/netlogon/logon.cmd"
985
#: serverguide/C/windows-networking.xml:887(para)
987
"You can enter any normal Windows logon script commands in "
988
"<filename>logon.cmd</filename> to customize the client's environment."
991
#: serverguide/C/windows-networking.xml:895(para)
993
"With <emphasis>root</emphasis> being disabled by default, in order to join a "
994
"workstation to the domain, a system group needs to be mapped to the Windows "
995
"<emphasis>Domain Admins</emphasis> group. Using the "
996
"<application>net</application> utility, from a terminal enter:"
999
#: serverguide/C/windows-networking.xml:902(command)
1001
"sudo net groupmap add ntgroup=\"Domain Admins\" unixgroup=sysadmin rid=512 "
1005
#: serverguide/C/windows-networking.xml:906(para)
1007
"Change <emphasis role=\"italic\">sysadmin</emphasis> to whichever group you "
1008
"prefer. Also, the user used to join the domain needs to be a member of the "
1009
"<emphasis>sysadmin</emphasis> group, as well as a member of the system "
1010
"<emphasis>admin</emphasis> group. The <emphasis>admin</emphasis> group "
1011
"allows <application>sudo</application> use."
1014
#: serverguide/C/windows-networking.xml:917(para)
1015
msgid "Finally, restart Samba to enable the new domain controller:"
1018
#: serverguide/C/windows-networking.xml:928(para)
1020
"You should now be able to join Windows clients to the Domain in the same "
1021
"manner as joining them to an NT4 domain running on a Windows server."
1024
#: serverguide/C/windows-networking.xml:938(title)
1025
msgid "Backup Domain Controller"
1028
#: serverguide/C/windows-networking.xml:940(para)
1030
"With a Primary Domain Controller (PDC) on the network it is best to have a "
1031
"Backup Domain Controller (BDC) as well. This will allow clients to "
1032
"authenticate in case the PDC becomes unavailable."
1035
#: serverguide/C/windows-networking.xml:945(para)
1037
"When configuring Samba as a BDC you need a way to sync account information "
1038
"with the PDC. There are multiple ways of accomplishing this "
1039
"<application>scp</application>, <application>rsync</application>, or by "
1040
"using <application>LDAP</application> as the <emphasis>passdb "
1041
"backend</emphasis>."
1044
#: serverguide/C/windows-networking.xml:951(para)
1046
"Using LDAP is the most robust way to sync account information, because both "
1047
"domain controllers can use the same information in real time. However, "
1048
"setting up a LDAP server may be overly complicated for a small number of "
1049
"user and computer accounts. See <xref linkend=\"samba-ldap\"/> for details."
1052
#: serverguide/C/windows-networking.xml:960(para)
1054
"First, install <application>samba</application> and <application>libpam-"
1055
"smbpass</application>. From a terminal enter:"
1058
#: serverguide/C/windows-networking.xml:971(para)
1060
"Now, edit <filename>/etc/samba/smb.conf</filename> and uncomment the "
1061
"following in the <emphasis>[global]</emphasis>:"
1064
#: serverguide/C/windows-networking.xml:984(para)
1065
msgid "In the commented <emphasis>Domains</emphasis> uncomment or add:"
1068
#: serverguide/C/windows-networking.xml:988(programlisting)
1072
" domain logons = yes\n"
1073
" domain master = no\n"
1076
#: serverguide/C/windows-networking.xml:996(para)
1078
"Make sure a user has rights to read the files in "
1079
"<filename>/var/lib/samba</filename>. For example, to allow users in the "
1080
"<emphasis>admin</emphasis> group to <application>scp</application> the "
1084
#: serverguide/C/windows-networking.xml:1002(command)
1085
msgid "sudo chgrp -R admin /var/lib/samba"
1088
#: serverguide/C/windows-networking.xml:1008(para)
1090
"Next, sync the user accounts, using <application>scp</application> to copy "
1091
"the <filename>/var/lib/samba</filename> directory from the PDC:"
1094
#: serverguide/C/windows-networking.xml:1014(command)
1095
msgid "sudo scp -r username@pdc:/var/lib/samba /var/lib"
1098
#: serverguide/C/windows-networking.xml:1018(para)
1100
"Replace <emphasis>username</emphasis> with a valid username and "
1101
"<emphasis>pdc</emphasis> with the hostname or IP Address of your actual PDC."
1104
#: serverguide/C/windows-networking.xml:1027(para)
1105
msgid "Finally, restart <application>samba</application>:"
1108
#: serverguide/C/windows-networking.xml:1038(para)
1110
"You can test that your Backup Domain controller is working by stopping the "
1111
"Samba daemon on the PDC, then trying to login to a Windows client joined to "
1115
#: serverguide/C/windows-networking.xml:1043(para)
1117
"Another thing to keep in mind is if you have configured the <emphasis>logon "
1118
"home</emphasis> option as a directory on the PDC, and the PDC becomes "
1119
"unavailable, access to the user's <emphasis>Home</emphasis> drive will also "
1120
"be unavailable. For this reason it is best to configure the <emphasis>logon "
1121
"home</emphasis> to reside on a separate file server from the PDC and BDC."
1124
#: serverguide/C/windows-networking.xml:1073(para)
1126
"<ulink url=\"http://samba.org/samba/docs/man/Samba-HOWTO-Collection/samba-"
1127
"pdc.html\">Chapter 4</ulink> of the Samba HOWTO Collection explains setting "
1128
"up a Primary Domain Controller."
1131
#: serverguide/C/windows-networking.xml:1079(para)
1133
"<ulink url=\"http://us3.samba.org/samba/docs/man/Samba-HOWTO-"
1134
"Collection/samba-bdc.html\">Chapter 5</ulink> of the Samba HOWTO Collection "
1135
"explains setting up a Backup Domain Controller."
1138
#: serverguide/C/windows-networking.xml:1089(title)
1139
msgid "Samba Active Directory Integration"
1142
#: serverguide/C/windows-networking.xml:1092(title)
1143
msgid "Accessing a Samba Share"
1146
#: serverguide/C/windows-networking.xml:1094(para)
1148
"Another, use for Samba is to integrate into an existing Windows network. "
1149
"Once part of an Active Directory domain, Samba can provide file and print "
1150
"services to AD users."
1153
#: serverguide/C/windows-networking.xml:1099(para)
1155
"The simplest way to join an AD domain is to use <application>Likewise-"
1156
"open</application>. For detailed instructions see <xref linkend=\"likewise-"
1160
#: serverguide/C/windows-networking.xml:1104(para)
1161
msgid "Once part of the domain, install the following packages:"
1164
#: serverguide/C/windows-networking.xml:1109(command)
1165
msgid "sudo apt-get install samba smbfs smbclient"
1168
#: serverguide/C/windows-networking.xml:1112(para)
1170
"Since the <application>likewise-open</application> and "
1171
"<application>samba</application> packages use separate "
1172
"<filename>secrets.tdb</filename> files, a symlink will need to be created in "
1173
"<filename role=\"directory\">/var/lib/samba</filename>:"
1176
#: serverguide/C/windows-networking.xml:1118(command)
1177
msgid "sudo mv /var/lib/samba/secrets.tdb /var/lib/samba/secrets.tdb.orig"
1180
#: serverguide/C/windows-networking.xml:1119(command)
1181
msgid "sudo ln -s /etc/samba/secrets.tdb /var/lib/samba"
1184
#: serverguide/C/windows-networking.xml:1122(para)
1185
msgid "Next, edit <filename>/etc/samba/smb.conf</filename> changing:"
1188
#: serverguide/C/windows-networking.xml:1126(programlisting)
1192
" workgroup = EXAMPLE\n"
1195
" realm = EXAMPLE.COM\n"
1197
" idmap backend = lwopen\n"
1198
" idmap uid = 50-9999999999\n"
1199
" idmap gid = 50-9999999999\n"
1202
#: serverguide/C/windows-networking.xml:1137(para)
1204
"Restart <application>samba</application> for the new settings to take effect:"
1207
#: serverguide/C/windows-networking.xml:1145(para)
1209
"You should now be able to access any <application>Samba</application> shares "
1210
"from a Windows client. However, be sure to give the appropriate AD users or "
1211
"groups access to the share directory. See <xref linkend=\"samba-fileprint-"
1212
"security\"/> for more details."
1215
#: serverguide/C/windows-networking.xml:1153(title)
1216
msgid "Accessing a Windows Share"
1219
#: serverguide/C/windows-networking.xml:1155(para)
1221
"Now that the Samba server is part of the Active Directory domain you can "
1222
"access any Windows server shares:"
1225
#: serverguide/C/windows-networking.xml:1162(para)
1227
"To mount a Windows file share enter the following in a terminal prompt:"
1230
#: serverguide/C/windows-networking.xml:1166(command)
1231
msgid "mount.cifs //fs01.example.com/share mount_point"
1234
#: serverguide/C/windows-networking.xml:1169(para)
1236
"It is also possible to access shares on computers not part of an AD domain, "
1237
"but a username and password will need to be provided."
1240
#: serverguide/C/windows-networking.xml:1177(para)
1242
"To mount the share during boot place an entry in "
1243
"<filename>/etc/fstab</filename>, for example:"
1246
#: serverguide/C/windows-networking.xml:1181(programlisting)
1250
"//192.168.0.5/share /mnt/windows cifs auto,username=steve,password=secret,rw "
1254
#: serverguide/C/windows-networking.xml:1188(para)
1256
"Another way to copy files from a Windows server is to use the "
1257
"<application>smbclient</application> utility. To list the files in a Windows "
1261
#: serverguide/C/windows-networking.xml:1194(command)
1262
msgid "smbclient //fs01.example.com/share -k -c \"ls\""
1265
#: serverguide/C/windows-networking.xml:1200(para)
1266
msgid "To copy a file from the share, enter:"
1269
#: serverguide/C/windows-networking.xml:1205(command)
1270
msgid "smbclient //fs01.example.com/share -k -c \"get file.txt\""
1273
#: serverguide/C/windows-networking.xml:1208(para)
1275
"This will copy the <filename>file.txt</filename> into the current directory."
1278
#: serverguide/C/windows-networking.xml:1215(para)
1279
msgid "And to copy a file to the share:"
1282
#: serverguide/C/windows-networking.xml:1220(command)
1283
msgid "smbclient //fs01.example.com/share -k -c \"put /etc/hosts hosts\""
1286
#: serverguide/C/windows-networking.xml:1223(para)
1288
"This will copy the <filename>/etc/hosts</filename> to "
1289
"<filename>//fs01.example.com/share/hosts</filename>."
1292
#: serverguide/C/windows-networking.xml:1230(para)
1294
"The <emphasis>-c</emphasis> option used above allows you to execute the "
1295
"<application>smbclient</application> command all at once. This is useful for "
1296
"scripting and minor file operations. To enter the <emphasis>smb: \\"
1297
"></emphasis> prompt, a FTP like prompt where you can execute normal file "
1298
"and directory commands, simply execute:"
1301
#: serverguide/C/windows-networking.xml:1237(command)
1302
msgid "smbclient //fs01.example.com/share -k"
1305
#: serverguide/C/windows-networking.xml:1244(para)
1307
"Replace all instances of <emphasis>fs01.example.com/share</emphasis>, "
1308
"<emphasis>//192.168.0.5/share</emphasis>, "
1309
"<emphasis>username=steve,password=secret</emphasis>, and "
1310
"<emphasis>file.txt</emphasis> with your server's IP, hostname, share name, "
1311
"file name, and an actual username and password with rights to the share."
1314
#: serverguide/C/windows-networking.xml:1255(para)
1316
"For more <application>smbclient</application> options see the man page: "
1317
"<command>man smbclient</command>, also available <ulink "
1318
"url=\"http://manpages.ubuntu.com/manpages/jaunty/en/man1/smbclient.1.html\">o"
1322
#: serverguide/C/windows-networking.xml:1260(para)
1324
"The <application>mount.cifs</application><ulink "
1325
"url=\"http://manpages.ubuntu.com/manpages/jaunty/en/man8/mount.cifs.8.html\">"
1326
"man page</ulink> is also useful for more detailed information."
1329
#: serverguide/C/windows-networking.xml:1270(title)
1330
msgid "Likewise Open"
1333
#: serverguide/C/windows-networking.xml:1272(para)
1335
"<application>Likewise Open</application> simplifies the necessary "
1336
"configuration needed to authenticate a Linux machine to an Active Directory "
1337
"domain. Based on <application>winbind</application>, the "
1338
"<application>likewise-open</application> package takes the pain out of "
1339
"integrating Ubuntu authentication into an existing Windows network."
1342
#: serverguide/C/windows-networking.xml:1281(para)
1344
"There are two ways to use Likewise Open, <application>likewise-"
1345
"open</application> the command line utility and <application>likewise-open-"
1346
"gui</application>. This section focuses on the command line utility."
1349
#: serverguide/C/windows-networking.xml:1286(para)
1351
"To install the <application>likewise-open</application> package, open a "
1352
"terminal prompt and enter:"
1355
#: serverguide/C/windows-networking.xml:1291(command)
1356
msgid "sudo apt-get install likewise-open"
1359
#: serverguide/C/windows-networking.xml:1294(para)
1361
"With Ubuntu 9.04 <application>Likewise Open 5.0</application> is available "
1362
"in the <emphasis>Universe</emphasis> repository. However, since upgrading "
1363
"from <application>Likewise Open 4.1</application> currently requires the "
1364
"system to leave the domain and re-join, a separate package for version five "
1368
#: serverguide/C/windows-networking.xml:1300(para)
1369
msgid "To install <application>Likewise Open 5.0</application> enter:"
1372
#: serverguide/C/windows-networking.xml:1305(command)
1373
msgid "sudo apt-get install likewise-open5"
1376
#: serverguide/C/windows-networking.xml:1309(para)
1378
"Installing likewise-open5 over an existing likewise-open (4.1) installation "
1379
"will replace it. You will have to rejoin the domain after install."
1382
#: serverguide/C/windows-networking.xml:1317(title)
1383
msgid "Joining a Domain"
1386
#: serverguide/C/windows-networking.xml:1319(para)
1388
"The main executable file of the <application>likewise-open</application> "
1389
"package is <filename>/usr/bin/domainjoin-cli</filename>, which is used to "
1390
"join your computer to the domain. Before you join a domain you will need to "
1391
"make sure you have:"
1394
#: serverguide/C/windows-networking.xml:1327(para)
1396
"Access to an Active Directory user with appropriate rights to join the "
1400
#: serverguide/C/windows-networking.xml:1332(para)
1402
"The <emphasis>Fully Qualified Domain Name</emphasis> (FQDN) of the domain "
1403
"you want to join. If your AD domain does not match a valid domain such as "
1404
"<emphasis role=\"italic\">example.com</emphasis>, it is likely that it has "
1405
"the form of <emphasis>domainname.local</emphasis>."
1408
#: serverguide/C/windows-networking.xml:1339(para)
1410
"DNS for the domain setup properly. In a production AD environment this "
1411
"should be the case. Proper Microsoft DNS is needed so that client "
1412
"workstations can determine the Active Directory domain is available."
1415
#: serverguide/C/windows-networking.xml:1343(para)
1417
"If you don't have a Windows DNS server on your network, see <xref "
1418
"linkend=\"likewise-open-ms-dns\"/> for details."
1421
#: serverguide/C/windows-networking.xml:1350(para)
1422
msgid "To join a domain, from a terminal prompt enter:"
1425
#: serverguide/C/windows-networking.xml:1355(command)
1426
msgid "sudo domainjoin-cli join example.com Administrator"
1429
#: serverguide/C/windows-networking.xml:1359(para)
1431
"Replace <emphasis>example.com</emphasis> with your domain name, and "
1432
"<emphasis>Administrator</emphasis> with the appropriate user name."
1435
#: serverguide/C/windows-networking.xml:1365(para)
1437
"You will then be prompted for the user's password. If all goes well a "
1438
"<emphasis>SUCCESS</emphasis> message should be printed to the console."
1441
#: serverguide/C/windows-networking.xml:1371(para)
1443
"After joining the domain, it is necessary to reboot before attempting to "
1444
"authenticate against the domain."
1447
#: serverguide/C/windows-networking.xml:1377(para)
1449
"After successfully joining an Ubuntu machine to an Active Directory domain "
1450
"you can authenticate using any valid AD user. To login you will need to "
1451
"enter the user name as 'domain\\username'. For example to ssh to a server "
1452
"joined to the domain enter:"
1455
#: serverguide/C/windows-networking.xml:1384(command)
1456
msgid "ssh 'example\\steve'@hostname"
1459
#: serverguide/C/windows-networking.xml:1388(para)
1461
"If configuring a Desktop the user name will need to be prefixed with "
1462
"<emphasis role=\"italic\">domain\\</emphasis> in the graphical logon as well."
1465
#: serverguide/C/windows-networking.xml:1394(para)
1467
"To make likewise-open use a default domain, you can add the following "
1468
"statement to <filename>/etc/samba/lwiauthd.conf</filename>:"
1471
#: serverguide/C/windows-networking.xml:1398(programlisting)
1475
"winbind use default domain = yes\n"
1478
#: serverguide/C/windows-networking.xml:1402(para)
1479
msgid "Then restart the <application>likewise-open</application> daemons:"
1482
#: serverguide/C/windows-networking.xml:1407(command)
1483
msgid "sudo /etc/init.d/likewise-open restart"
1486
#: serverguide/C/windows-networking.xml:1411(para)
1488
"Once configured for a <emphasis>default domain</emphasis> the <emphasis "
1489
"role=\"italic\">'domain\\'</emphasis> is no longer required, users can login "
1490
"using only their username."
1493
#: serverguide/C/windows-networking.xml:1417(para)
1495
"The <application>domainjoin-cli</application> utility can also be used to "
1496
"leave the domain. From a terminal:"
1499
#: serverguide/C/windows-networking.xml:1422(command)
1500
msgid "sudo domainjoin-cli leave"
1503
#: serverguide/C/windows-networking.xml:1427(title) serverguide/C/security.xml:1830(title)
1504
msgid "Other Utilities"
1507
#: serverguide/C/windows-networking.xml:1429(para)
1509
"The <application>likewise-open</application> package comes with a few other "
1510
"utilities that may be useful for gathering information about the Active "
1511
"Directory environment. These utilities are used to join the machine to the "
1512
"domain, and are the same as those available in the <application>samba-"
1513
"common</application> and <application>winbind</application> packages:"
1516
#: serverguide/C/windows-networking.xml:1438(para)
1518
"<application>lwinet</application>: Returns information about the network and "
1522
#: serverguide/C/windows-networking.xml:1443(para)
1524
"<application>lwimsg</application>: Allows interaction with the "
1525
"<application>likewise-winbindd</application> daemon."
1528
#: serverguide/C/windows-networking.xml:1448(para)
1530
"<application>lwiinfo</application>: Displays information about various parts "
1534
#: serverguide/C/windows-networking.xml:1454(para)
1535
msgid "Please refer to each utility's man page specific for details."
1538
#: serverguide/C/windows-networking.xml:1460(title) serverguide/C/mail.xml:336(title) serverguide/C/mail.xml:1563(title) serverguide/C/dns.xml:338(title)
1539
msgid "Troubleshooting"
1542
#: serverguide/C/windows-networking.xml:1464(para)
1544
"If the client has trouble joining the domain, double check that the "
1545
"Microsoft DNS is listed first in <filename>/etc/resolv.conf</filename>. For "
1549
#: serverguide/C/windows-networking.xml:1469(programlisting)
1553
"nameserver 192.168.0.1\n"
1556
#: serverguide/C/windows-networking.xml:1474(para)
1558
"For more information when joining a domain, use the <emphasis>--loglevel "
1559
"verbose</emphasis> or <emphasis>--advanced</emphasis> option of the "
1560
"<application>domainjoin-cli</application> utility:"
1563
#: serverguide/C/windows-networking.xml:1480(command)
1564
msgid "sudo domainjoin-cli --loglevel verbose join example.com Administrator"
1567
#: serverguide/C/windows-networking.xml:1484(para)
1569
"If an Active Directory user has trouble logging in, check the "
1570
"<filename>/var/log/auth.log</filename> for details."
1573
#: serverguide/C/windows-networking.xml:1489(para)
1575
"When joining an Ubuntu Desktop workstation to a domain, you may need to edit "
1576
"<filename>/etc/nsswitch.conf</filename> if your AD domain uses the <emphasis "
1577
"role=\"italic\">.local</emphasis> syntax. In order to join the domain the "
1578
"<emphasis>\"mdns4\"</emphasis> entry from the <emphasis>hosts</emphasis> "
1579
"option. For example:"
1582
#: serverguide/C/windows-networking.xml:1495(programlisting)
1586
"hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4\n"
1589
#: serverguide/C/windows-networking.xml:1499(para)
1590
msgid "Change the above to:"
1593
#: serverguide/C/windows-networking.xml:1503(programlisting)
1597
"hosts: files dns [NOTFOUND=return]\n"
1600
#: serverguide/C/windows-networking.xml:1507(para)
1601
msgid "Then restart networking by entering:"
1604
#: serverguide/C/windows-networking.xml:1512(command) serverguide/C/network-config.xml:237(command)
1605
msgid "sudo /etc/init.d/networking restart"
1608
#: serverguide/C/windows-networking.xml:1515(para)
1609
msgid "You should now be able to join the Active Directory domain."
1612
#: serverguide/C/windows-networking.xml:1523(title)
1613
msgid "Microsoft DNS"
1616
#: serverguide/C/windows-networking.xml:1525(para)
1618
"The following are instructions for installing DNS on an Active Directory "
1619
"domain controller running Windows Server 2003, but the instructions should "
1620
"be similar for other versions:"
1623
#: serverguide/C/windows-networking.xml:1532(para)
1626
"<menuchoice><guimenuitem>Start</guimenuitem><guimenuitem>Administrative Tools"
1627
"</guimenuitem><guimenuitem>Manager Your Server</guimenuitem></menuchoice>. "
1628
"This will open the <application>Server Role Mangement</application> utility."
1631
#: serverguide/C/windows-networking.xml:1540(para)
1632
msgid "Click Add or remove a role"
1635
#: serverguide/C/windows-networking.xml:1541(para) serverguide/C/windows-networking.xml:1543(para) serverguide/C/windows-networking.xml:1546(para)
1639
#: serverguide/C/windows-networking.xml:1542(para)
1640
msgid "Select \"DNS Server\""
1643
#: serverguide/C/windows-networking.xml:1544(para)
1647
#: serverguide/C/windows-networking.xml:1545(para)
1648
msgid "Select \"Create a forward lookup zone\" if it is not selected."
1651
#: serverguide/C/windows-networking.xml:1547(para)
1653
"Make sure \"This server maintains the zone\" is selected and click Next."
1656
#: serverguide/C/windows-networking.xml:1548(para)
1657
msgid "Enter your domain name and click Next"
1660
#: serverguide/C/windows-networking.xml:1549(para) serverguide/C/windows-networking.xml:1550(para)
1661
msgid "Click Next to \"Allow only secure dynamic updates\""
1664
#: serverguide/C/windows-networking.xml:1552(para)
1666
"Enter the IP for DNS servers to forward queries to, or Select \"No, it "
1667
"should not forward queries\" and click Next."
1670
#: serverguide/C/windows-networking.xml:1556(para) serverguide/C/windows-networking.xml:1557(para)
1671
msgid "Click Finish"
1674
#: serverguide/C/windows-networking.xml:1559(para)
1676
"DNS is now installed and can be further configured using the "
1677
"<application>Microsoft Management Console</application> DNS snap-in."
1680
#: serverguide/C/windows-networking.xml:1567(para)
1684
#: serverguide/C/windows-networking.xml:1568(para)
1685
msgid "Control Panel"
1688
#: serverguide/C/windows-networking.xml:1569(para)
1689
msgid "Network Connections"
1692
#: serverguide/C/windows-networking.xml:1570(para)
1693
msgid "Right Click \"Local Area Connection\""
1696
#: serverguide/C/windows-networking.xml:1571(para)
1697
msgid "Click Properties"
1700
#: serverguide/C/windows-networking.xml:1572(para)
1701
msgid "Double click \"Internet Protocol (TCP/IP)\""
1704
#: serverguide/C/windows-networking.xml:1573(para)
1705
msgid "Enter the Server's IP Address as the \"Preferred DNS server\""
1708
#: serverguide/C/windows-networking.xml:1574(para)
1712
#: serverguide/C/windows-networking.xml:1575(para)
1713
msgid "Click Ok again to save the settings"
1716
#: serverguide/C/windows-networking.xml:1564(para)
1718
"Next, configure the Server to use itself for DNS queries: <placeholder-1/>"
1721
#: serverguide/C/windows-networking.xml:1582(title) serverguide/C/web-servers.xml:624(title) serverguide/C/web-servers.xml:766(title) serverguide/C/web-servers.xml:910(title) serverguide/C/web-servers.xml:1002(title) serverguide/C/web-servers.xml:1218(title) serverguide/C/vpn.xml:291(title) serverguide/C/virtualization.xml:1303(title) serverguide/C/virtualization.xml:1492(title) serverguide/C/vcs.xml:536(title) serverguide/C/security.xml:935(title) serverguide/C/security.xml:1264(title) serverguide/C/security.xml:1679(title) serverguide/C/security.xml:1870(title) serverguide/C/remote-administration.xml:203(title) serverguide/C/package-management.xml:432(title) serverguide/C/other-apps.xml:381(title) serverguide/C/network-config.xml:672(title) serverguide/C/monitoring.xml:391(title) serverguide/C/monitoring.xml:522(title) serverguide/C/mail.xml:444(title) serverguide/C/mail.xml:625(title) serverguide/C/mail.xml:772(title) serverguide/C/mail.xml:1189(title) serverguide/C/mail.xml:1611(title) serverguide/C/lamp-applications.xml:259(title) serverguide/C/lamp-applications.xml:369(title) serverguide/C/lamp-applications.xml:471(title) serverguide/C/file-server.xml:284(title) serverguide/C/file-server.xml:431(title) serverguide/C/file-server.xml:611(title) serverguide/C/dns.xml:572(title) serverguide/C/clustering.xml:234(title) serverguide/C/chat.xml:107(title) serverguide/C/chat.xml:216(title) serverguide/C/backups.xml:297(title)
1725
#: serverguide/C/windows-networking.xml:1584(para)
1727
"Please refer to the <ulink "
1728
"url=\"http://www.likewisesoftware.com/\">Likewise</ulink> home page for "
1729
"further information."
1732
#: serverguide/C/windows-networking.xml:1588(para)
1734
"For more <application>domainjoin-cli</application> options see the man page: "
1735
"<command>man domainjoin-cli</command>."
1738
#: serverguide/C/web-servers.xml:13(title)
1742
#: serverguide/C/web-servers.xml:14(para)
1744
"A Web server is a software responsible for accepting HTTP requests from "
1745
"clients, which are known as Web browsers, and serving them HTTP responses "
1746
"along with optional data contents, which usually are Web pages such as HTML "
1747
"documents and linked objects (images, etc.)."
1750
#: serverguide/C/web-servers.xml:19(title)
1751
msgid "HTTPD - Apache2 Web Server"
1754
#: serverguide/C/web-servers.xml:20(para)
1756
"Apache is the most commonly used Web Server on Linux systems. Web Servers "
1757
"are used to serve Web Pages requested by client computers. Clients typically "
1758
"request and view Web Pages using Web Browser applications such as "
1759
"<application>Firefox</application>, <application>Opera</application>, or "
1760
"<application>Mozilla</application>."
1763
#: serverguide/C/web-servers.xml:24(para)
1765
"Users enter a Uniform Resource Locator (URL) to point to a Web server by "
1766
"means of its Fully Qualified Domain Name (FQDN) and a path to the required "
1767
"resource. For example, to view the home page of the <ulink "
1768
"url=\"http://www.ubuntu.com\">Ubuntu Web site</ulink> a user will enter only "
1769
"the FQDN. To request specific information about <ulink "
1770
"url=\"http://www.ubuntu.com/support/paid\">paid support</ulink>, a user will "
1771
"enter the FQDN followed by a path."
1774
#: serverguide/C/web-servers.xml:29(para)
1776
"The most common protocol used to transfer Web pages is the Hyper Text "
1777
"Transfer Protocol (HTTP). Protocols such as Hyper Text Transfer Protocol "
1778
"over Secure Sockets Layer (HTTPS), and File Transfer Protocol (FTP), a "
1779
"protocol for uploading and downloading files, are also supported."
1782
#: serverguide/C/web-servers.xml:33(para)
1784
"Apache Web Servers are often used in combination with the "
1785
"<application>MySQL</application> database engine, the HyperText Preprocessor "
1786
"(<application>PHP</application>) scripting language, and other popular "
1787
"scripting languages such as <application>Python</application> and "
1788
"<application>Perl</application>. This configuration is termed LAMP (Linux, "
1789
"Apache, MySQL and Perl/Python/PHP) and forms a powerful and robust platform "
1790
"for the development and deployment of Web-based applications."
1793
#: serverguide/C/web-servers.xml:42(para)
1795
"The Apache2 web server is available in Ubuntu Linux. To install Apache2:"
1798
#: serverguide/C/web-servers.xml:48(para)
1799
msgid "At a terminal prompt enter the following command:"
1802
#: serverguide/C/web-servers.xml:53(command)
1803
msgid "sudo apt-get install apache2"
1806
#: serverguide/C/web-servers.xml:63(para)
1808
"Apache2 is configured by placing <emphasis>directives</emphasis> in plain "
1809
"text configuration files. The configuration files are separated between the "
1810
"following files and directories:"
1813
#: serverguide/C/web-servers.xml:71(para)
1815
"<emphasis>apache2.conf:</emphasis> the main Apache2 configuration file. "
1816
"Contains settings that are <emphasis>global</emphasis> to Apache2."
1819
#: serverguide/C/web-servers.xml:77(para)
1821
"<emphasis>conf.d:</emphasis> contains configuration files which apply "
1822
"<emphasis>globally</emphasis> to Apache. Other packages that use Apache2 to "
1823
"serve content may add files, or symlinks, to this directory."
1826
#: serverguide/C/web-servers.xml:83(para)
1828
"<emphasis>envvars:</emphasis> file where Apache2 "
1829
"<emphasis>environment</emphasis> variables are set."
1832
#: serverguide/C/web-servers.xml:88(para)
1834
"<emphasis>httpd.conf:</emphasis> historically the main Apache2 configuration "
1835
"file, named after the <application>httpd</application> daemon. The file can "
1836
"be used for <emphasis>user specific</emphasis> configuration options that "
1837
"globally effect Apache2."
1840
#: serverguide/C/web-servers.xml:95(para)
1842
"<emphasis>mods-available:</emphasis> this directory contains configuration "
1843
"files to both load <emphasis>modules</emphasis> and configure them. Not all "
1844
"modules will have specific configuration files, however."
1847
#: serverguide/C/web-servers.xml:101(para)
1849
"<emphasis>mods-enabled:</emphasis> holds <emphasis>symlinks</emphasis> to "
1850
"the files in <filename>/etc/apache2/mods-available</filename>. When a module "
1851
"configuration file is symlinked it will be enabled the next time "
1852
"<application>apache2</application> is restarted."
1855
#: serverguide/C/web-servers.xml:108(para)
1857
"<emphasis>ports.conf:</emphasis> houses the directives that determine which "
1858
"TCP ports Apache2 is listening on."
1861
#: serverguide/C/web-servers.xml:113(para)
1863
"<emphasis>sites-available:</emphasis> this directory has configuration files "
1864
"for Apache <emphasis>Virtual Hosts</emphasis>. Virtual Hosts allow Apache2 "
1865
"to be configured for multiple sites that have separate configurations."
1868
#: serverguide/C/web-servers.xml:119(para)
1870
"<emphasis>sites-enabled:</emphasis> like mods-enabled, <filename "
1871
"role=\"directory\">sites-enabled</filename> contains symlinks to the "
1872
"<filename>/etc/apache2/sites-available</filename> directory. Similarly when "
1873
"a configuration file in sites-available is symlinked it will be active once "
1874
"Apache is restarted."
1877
#: serverguide/C/web-servers.xml:127(para)
1879
"In addition, other configuration files may be added using the "
1880
"<emphasis>Include</emphasis> directive, and wildcards can be used to include "
1881
"many configuration files. Any directive may be placed in any of these "
1882
"configuration files. Changes to the main configuration files are only "
1883
"recognized by Apache2 when it is started or restarted."
1886
#: serverguide/C/web-servers.xml:136(para)
1888
"The server also reads a file containing mime document types; the filename is "
1889
"set by the <emphasis>TypesConfig</emphasis> directive, and is "
1890
"<filename>/etc/mime.types</filename> by default."
1893
#: serverguide/C/web-servers.xml:141(title)
1894
msgid "Basic Settings"
1897
#: serverguide/C/web-servers.xml:142(para)
1899
"This section explains Apache2 server essential configuration parameters. "
1900
"Refer to the <ulink url=\"http://httpd.apache.org/docs/2.2/\">Apache2 "
1901
"Documentation</ulink> for more details."
1904
#: serverguide/C/web-servers.xml:150(para)
1906
"Apache2 ships with a virtual-host-friendly default configuration. That is, "
1907
"it is configured with a single default virtual host (using the "
1908
"<emphasis>VirtualHost</emphasis> directive) which can modified or used as-is "
1909
"if you have a single site, or used as a template for additional virtual "
1910
"hosts if you have multiple sites. If left alone, the default virtual host "
1911
"will serve as your default site, or the site users will see if the URL they "
1912
"enter does not match the <emphasis>ServerName</emphasis> directive of any of "
1913
"your custom sites. To modify the default virtual host, edit the file "
1914
"<filename>/etc/apache2/sites-available/default</filename>."
1917
#: serverguide/C/web-servers.xml:163(para)
1919
"The directives set for a virtual host only apply to that particular virtual "
1920
"host. If a directive is set server-wide and not defined within the virtual "
1921
"host settings, the default setting is used. For example, you can define a "
1922
"Webmaster email address and not define individual email addresses for each "
1926
#: serverguide/C/web-servers.xml:171(para)
1928
"If you wish to configure a new virtual host or site, copy that file into the "
1929
"same directory with a name you choose. For example:"
1932
#: serverguide/C/web-servers.xml:177(command)
1934
"sudo cp /etc/apache2/sites-available/default /etc/apache2/sites-"
1935
"available/mynewsite"
1938
#: serverguide/C/web-servers.xml:180(para)
1940
"Edit the new file to configure the new site using some of the directives "
1944
#: serverguide/C/web-servers.xml:187(para)
1946
"The <emphasis>ServerAdmin</emphasis> directive specifies the email address "
1947
"to be advertised for the server's administrator. The default value is "
1948
"webmaster@localhost. This should be changed to an email address that is "
1949
"delivered to you (if you are the server's administrator). If your website "
1950
"has a problem, Apache2 will display an error message containing this email "
1951
"address to report the problem to. Find this directive in your site's "
1952
"configuration file in /etc/apache2/sites-available."
1955
#: serverguide/C/web-servers.xml:198(para)
1957
"The <emphasis>Listen</emphasis> directive specifies the port, and optionally "
1958
"the IP address, Apache2 should listen on. If the IP address is not "
1959
"specified, Apache2 will listen on all IP addresses assigned to the machine "
1960
"it runs on. The default value for the Listen directive is 80. Change this to "
1961
"127.0.0.1:80 to cause Apache2 to listen only on your loopback interface so "
1962
"that it will not be available to the Internet, to (for example) 81 to change "
1963
"the port that it listens on, or leave it as is for normal operation. This "
1964
"directive can be found and changed in its own file, "
1965
"<filename>/etc/apache2/ports.conf</filename>"
1968
#: serverguide/C/web-servers.xml:211(para)
1970
"The <emphasis>ServerName</emphasis> directive is optional and specifies what "
1971
"FQDN your site should answer to. The default virtual host has no ServerName "
1972
"directive specified, so it will respond to all requests that do not match a "
1973
"ServerName directive in another virtual host. If you have just acquired the "
1974
"domain name ubunturocks.com and wish to host it on your Ubuntu server, the "
1975
"value of the ServerName directive in your virtual host configuration file "
1976
"should be ubunturocks.com. Add this directive to the new virtual host file "
1977
"you created earlier (<filename>/etc/apache2/sites-"
1978
"available/mynewsite</filename>)."
1981
#: serverguide/C/web-servers.xml:223(para)
1983
"You may also want your site to respond to www.ubunturocks.com, since many "
1984
"users will assume the www prefix is appropriate. Use the "
1985
"<emphasis>ServerAlias</emphasis> directive for this. You may also use "
1986
"wildcards in the ServerAlias directive."
1989
#: serverguide/C/web-servers.xml:230(para)
1991
"For example, the following configuration will cause your site to respond to "
1992
"any domain request ending in <emphasis>.ubunturocks.com</emphasis>."
1995
#: serverguide/C/web-servers.xml:236(programlisting)
1999
"ServerAlias *.ubunturocks.com\n"
2002
#: serverguide/C/web-servers.xml:242(para)
2004
"The <emphasis>DocumentRoot</emphasis> directive specifies where Apache "
2005
"should look for the files that make up the site. The default value is "
2006
"/var/www. No site is configured there, but if you uncomment the "
2007
"<emphasis>RedirectMatch</emphasis> directive in "
2008
"<filename>/etc/apache2/apache2.conf</filename> requests will be redirected "
2009
"to /var/www/apache2-default where the default Apache2 site awaits. Change "
2010
"this value in your site's virtual host file, and remember to create that "
2011
"directory if necessary!"
2014
#: serverguide/C/web-servers.xml:254(para)
2016
"The /etc/apache2/sites-available directory is <emphasis role=\"bold\"> "
2017
"not</emphasis> parsed by Apache2. Symbolic links in /etc/apache2/sites-"
2018
"enabled point to \"available\" sites."
2021
#: serverguide/C/web-servers.xml:260(para)
2023
"Enable the new <emphasis>VirtualHost</emphasis> using the "
2024
"<application>a2ensite</application> utility and restart Apache:"
2027
#: serverguide/C/web-servers.xml:266(command)
2028
msgid "sudo a2ensite mynewsite"
2031
#: serverguide/C/web-servers.xml:267(command) serverguide/C/web-servers.xml:285(command) serverguide/C/web-servers.xml:538(command) serverguide/C/web-servers.xml:547(command) serverguide/C/web-servers.xml:606(command) serverguide/C/mail.xml:904(command) serverguide/C/lamp-applications.xml:228(command)
2032
msgid "sudo /etc/init.d/apache2 restart"
2035
#: serverguide/C/web-servers.xml:271(para)
2037
"Be sure to replace <emphasis>mynewsite</emphasis> with a more descriptive "
2038
"name for the VirtualHost. One method is to name the file after the "
2039
"<emphasis>ServerName</emphasis> directive of the VirtualHost."
2042
#: serverguide/C/web-servers.xml:278(para)
2044
"Similarly, use the <application>a2dissite</application> utility to disable "
2045
"sites. This is can be useful when troubleshooting configuration problems "
2046
"with multiple VirtualHosts:"
2049
#: serverguide/C/web-servers.xml:284(command)
2050
msgid "sudo a2dissite mynewsite"
2053
#: serverguide/C/web-servers.xml:290(title)
2054
msgid "Default Settings"
2057
#: serverguide/C/web-servers.xml:292(para)
2059
"This section explains configuration of the Apache2 server default settings. "
2060
"For example, if you add a virtual host, the settings you configure for the "
2061
"virtual host take precedence for that virtual host. For a directive not "
2062
"defined within the virtual host settings, the default value is used."
2065
#: serverguide/C/web-servers.xml:304(para)
2067
"The <emphasis>DirectoryIndex</emphasis> is the default page served by the "
2068
"server when a user requests an index of a directory by specifying a forward "
2069
"slash (/) at the end of the directory name."
2072
#: serverguide/C/web-servers.xml:311(para)
2074
"For example, when a user requests the page "
2075
"http://www.example.com/this_directory/, he or she will get either the "
2076
"DirectoryIndex page if it exists, a server-generated directory list if it "
2077
"does not and the Indexes option is specified, or a Permission Denied page if "
2078
"neither is true. The server will try to find one of the files listed in the "
2079
"DirectoryIndex directive and will return the first one it finds. If it does "
2080
"not find any of these files and if Options Indexes is set for that "
2081
"directory, the server will generate and return a list, in HTML format, of "
2082
"the subdirectories and files in the directory. The default value, found in "
2083
"<filename>/etc/apache2/apache2.conf</filename> is \" index.html index.cgi "
2084
"index.pl index.php index.xhtml\". Thus, if Apache2 finds a file in a "
2085
"requested directory matching any of these names, the first will be displayed."
2088
#: serverguide/C/web-servers.xml:332(para)
2090
"The <emphasis>ErrorDocument</emphasis> directive allows you to specify a "
2091
"file for Apache to use for specific error events. For example, if a user "
2092
"requests a resource that does not exist, a 404 error will occur, and per "
2093
"Apache2's default configuration, the file "
2094
"<filename>/usr/share/apache2/error/HTTP_NOT_FOUND.html.var </filename> will "
2095
"be displayed. That file is not in the server's DocumentRoot, but there is an "
2096
"Alias directive in <filename>/etc/apache2/apache2.conf</filename> that "
2097
"redirects requests to the /error directory to "
2098
"<filename>/usr/share/apache2/error/</filename>."
2101
#: serverguide/C/web-servers.xml:344(para)
2103
"To see a list of the default ErrorDocument directives, use this command:"
2106
#: serverguide/C/web-servers.xml:350(command)
2107
msgid "grep ErrorDocument /etc/apache2/apache2.conf"
2110
#: serverguide/C/web-servers.xml:355(para)
2112
"By default, the server writes the transfer log to the file "
2113
"<filename>/var/log/apache2/access.log</filename>. You can change this on a "
2114
"per-site basis in your virtual host configuration files with the "
2115
"<emphasis>CustomLog</emphasis> directive, or omit it to accept the default, "
2116
"specified in <filename> /etc/apache2/apache2.conf</filename>. You may also "
2117
"specify the file to which errors are logged, via the "
2118
"<emphasis>ErrorLog</emphasis> directive, whose default is "
2119
"<filename>/var/log/apache2/error.log</filename>. These are kept separate "
2120
"from the transfer logs to aid in troubleshooting problems with your Apache2 "
2121
"server. You may also specify the <emphasis>LogLevel</emphasis> (the default "
2122
"value is \"warn\") and the <emphasis>LogFormat</emphasis> (see <filename> "
2123
"/etc/apache2/apache2.conf</filename> for the default value)."
2126
#: serverguide/C/web-servers.xml:370(para)
2128
"Some options are specified on a per-directory basis rather than per-server. "
2129
"<emphasis>Options</emphasis> is one of these directives. A Directory stanza "
2130
"is enclosed in XML-like tags, like so:"
2133
#: serverguide/C/web-servers.xml:376(programlisting)
2137
"<Directory /var/www/mynewsite>\n"
2139
"</Directory>\n"
2142
#: serverguide/C/web-servers.xml:382(para)
2144
"The <emphasis>Options</emphasis> directive within a Directory stanza accepts "
2145
"one or more of the following values (among others), separated by spaces:"
2148
#: serverguide/C/web-servers.xml:394(para)
2150
"Most files should not be executed as CGI scripts. This would be very "
2151
"dangerous. CGI scripts should kept in a directory separate from and outside "
2152
"your DocumentRoot, and only this directory should have the ExecCGI option "
2153
"set. This is the default, and the default location for CGI scripts is "
2154
"<filename>/usr/lib/cgi-bin</filename>."
2157
#: serverguide/C/web-servers.xml:389(para)
2159
"<emphasis role=\"bold\">ExecCGI</emphasis> - Allow execution of CGI scripts. "
2160
"CGI scripts are not executed if this option is not chosen. <placeholder-1/>"
2163
#: serverguide/C/web-servers.xml:405(para)
2165
"<emphasis role=\"bold\">Includes</emphasis> - Allow server-side includes. "
2166
"Server-side includes allow an HTML file to <emphasis> include</emphasis> "
2167
"other files. This is not a common option. See <ulink "
2168
"url=\"http://httpd.apache.org/docs/2.2/howto/ssi.html\">the Apache2 SSI "
2169
"HOWTO</ulink> for more information."
2172
#: serverguide/C/web-servers.xml:414(para)
2174
"<emphasis role=\"bold\">IncludesNOEXEC</emphasis> - Allow server-side "
2175
"includes, but disable the <emphasis>#exec</emphasis> and "
2176
"<emphasis>#include</emphasis> commands in CGI scripts."
2179
#: serverguide/C/web-servers.xml:426(para)
2181
"For security reasons, this should usually not be set, and certainly should "
2182
"not be set on your DocumentRoot directory. Enable this option carefully on a "
2183
"per-directory basis only if you are certain you want users to see the entire "
2184
"contents of the directory."
2187
#: serverguide/C/web-servers.xml:421(para)
2189
"<emphasis role=\"bold\">Indexes</emphasis> - Display a formatted list of the "
2190
"directory's contents, if no <emphasis>DirectoryIndex</emphasis> (such as "
2191
"index.html) exists in the requested directory. <placeholder-1/>"
2194
#: serverguide/C/web-servers.xml:436(para)
2196
"<emphasis role=\"bold\">Multiview</emphasis> - Support content-negotiated "
2197
"multiviews; this option is disabled by default for security reasons. See the "
2199
"url=\"http://httpd.apache.org/docs/2.2/mod/mod_negotiation.html#multiviews\">"
2200
"Apache2 documentation on this option</ulink>."
2203
#: serverguide/C/web-servers.xml:444(para)
2205
"<emphasis role=\"bold\">SymLinksIfOwnerMatch</emphasis> - Only follow "
2206
"symbolic links if the target file or directory has the same owner as the "
2210
#: serverguide/C/web-servers.xml:456(title)
2211
msgid "httpd Settings"
2214
#: serverguide/C/web-servers.xml:458(para)
2216
"This section explains some basic <application>httpd</application> daemon "
2217
"configuration settings."
2220
#: serverguide/C/web-servers.xml:462(para)
2222
"<emphasis role=\"bold\">LockFile</emphasis> - The LockFile directive sets "
2223
"the path to the lockfile used when the server is compiled with either "
2224
"USE_FCNTL_SERIALIZED_ACCEPT or USE_FLOCK_SERIALIZED_ACCEPT. It must be "
2225
"stored on the local disk. It should be left to the default value unless the "
2226
"logs directory is located on an NFS share. If this is the case, the default "
2227
"value should be changed to a location on the local disk and to a directory "
2228
"that is readable only by root."
2231
#: serverguide/C/web-servers.xml:471(para)
2233
"<emphasis role=\"bold\">PidFile</emphasis> - The PidFile directive sets the "
2234
"file in which the server records its process ID (pid). This file should only "
2235
"be readable by root. In most cases, it should be left to the default value."
2238
#: serverguide/C/web-servers.xml:477(para)
2240
"<emphasis role=\"bold\">User</emphasis> - The User directive sets the userid "
2241
"used by the server to answer requests. This setting determines the server's "
2242
"access. Any files inaccessible to this user will also be inaccessible to "
2243
"your website's visitors. The default value for User is www-data."
2246
#: serverguide/C/web-servers.xml:484(para)
2248
"Unless you know exactly what you are doing, do not set the User directive to "
2249
"root. Using root as the User will create large security holes for your Web "
2253
#: serverguide/C/web-servers.xml:490(para)
2255
"The Group directive is similar to the User directive. Group sets the group "
2256
"under which the server will answer requests. The default group is also www-"
2260
#: serverguide/C/web-servers.xml:496(title)
2261
msgid "Apache Modules"
2264
#: serverguide/C/web-servers.xml:498(para)
2266
"Apache is a modular server. This implies that only the most basic "
2267
"functionality is included in the core server. Extended features are "
2268
"available through modules which can be loaded into Apache. By default, a "
2269
"base set of modules is included in the server at compile-time. If the server "
2270
"is compiled to use dynamically loaded modules, then modules can be compiled "
2271
"separately, and added at any time using the LoadModule directive. Otherwise, "
2272
"Apache must be recompiled to add or remove modules."
2275
#: serverguide/C/web-servers.xml:510(para)
2277
"Ubuntu compiles Apache2 to allow the dynamic loading of modules. "
2278
"Configuration directives may be conditionally included on the presence of a "
2279
"particular module by enclosing them in an "
2280
"<emphasis><IfModule></emphasis> block."
2283
#: serverguide/C/web-servers.xml:517(para)
2285
"You can install additional Apache2 modules and use them with your Web "
2286
"server. For example, run the following command from a terminal prompt to "
2287
"install the <emphasis>MySQL Authentication</emphasis> module:"
2290
#: serverguide/C/web-servers.xml:524(command)
2291
msgid "sudo apt-get install libapache2-mod-auth-mysql"
2294
#: serverguide/C/web-servers.xml:527(para)
2296
"See the <filename>/etc/apache2/mods-available</filename> directory, for "
2297
"additional modules."
2300
#: serverguide/C/web-servers.xml:531(para)
2302
"Use the <application>a2enmod</application> utility to enable a module:"
2305
#: serverguide/C/web-servers.xml:537(command)
2306
msgid "sudo a2enmod auth_mysql"
2309
#: serverguide/C/web-servers.xml:541(para)
2310
msgid "Similarly, <application>a2dismod</application> will disable a module:"
2313
#: serverguide/C/web-servers.xml:546(command)
2314
msgid "sudo a2dismod auth_mysql"
2317
#: serverguide/C/web-servers.xml:553(title)
2318
msgid "HTTPS Configuration"
2321
#: serverguide/C/web-servers.xml:555(para)
2323
"The <application>mod_ssl</application> module adds an important feature to "
2324
"the Apache2 server - the ability to encrypt communications. Thus, when your "
2325
"browser is communicating using SSL, the https:// prefix is used at the "
2326
"beginning of the Uniform Resource Locator (URL) in the browser navigation "
2330
#: serverguide/C/web-servers.xml:564(para)
2332
"The <application>mod_ssl</application> module is available in "
2333
"<application>apache2-common</application> package. Execute the following "
2334
"command from a terminal prompt to enable the "
2335
"<application>mod_ssl</application> module:"
2338
#: serverguide/C/web-servers.xml:571(command)
2339
msgid "sudo a2enmod ssl"
2342
#: serverguide/C/web-servers.xml:574(para)
2344
"There is a default HTTPS configuration file in <filename>/etc/apache2/sites-"
2345
"available/default-ssl</filename>. In order for "
2346
"<application>Apache</application> to provide HTTPS, a "
2347
"<emphasis>certificate</emphasis> and <emphasis>key</emphasis> file are also "
2348
"needed. The default HTTPS configuration will use a certificate and key "
2349
"generated by the <application>ssl-cert</application> package. They are good "
2350
"for testing, but the auto-generated certificate and key should be replaced "
2351
"by a certificate specific to the site or server. For information on "
2352
"generating a key and obtaining a certificate see <xref "
2353
"linkend=\"certificates-and-security\"/>"
2356
#: serverguide/C/web-servers.xml:584(para)
2358
"To configure <application>Apache</application> for HTTPS, enter the "
2362
#: serverguide/C/web-servers.xml:589(command)
2363
msgid "sudo a2ensite default-ssl"
2366
#: serverguide/C/web-servers.xml:593(para)
2368
"The directories <filename>/etc/ssl/certs</filename> and "
2369
"<filename>/etc/ssl/private</filename> are the default locations. If you "
2370
"install the certificate and key in another directory make sure to change "
2371
"<emphasis>SSLCertificateFile</emphasis> and "
2372
"<emphasis>SSLCertificateKeyFile</emphasis> appropriately."
2375
#: serverguide/C/web-servers.xml:600(para)
2377
"With Apache now configured for HTTPS, restart the service to enable the new "
2381
#: serverguide/C/web-servers.xml:611(para)
2383
"Depending on how you obtained your certificate you may need to enter a "
2384
"passphrase when <application>Apache</application> starts."
2387
#: serverguide/C/web-servers.xml:617(para)
2389
"You can access the secure server pages by typing https://your_hostname/url/ "
2390
"in your browser address bar."
2393
#: serverguide/C/web-servers.xml:628(para)
2395
"<ulink url=\"http://httpd.apache.org/docs/2.2/\">Apache2 "
2396
"Documentation</ulink> contains in depth information on Apache2 configuration "
2397
"directives. Also, see the <application>apache2-doc</application> package for "
2398
"the official Apache2 docs."
2401
#: serverguide/C/web-servers.xml:635(para)
2403
"See the <ulink url=\"http://www.modssl.org/docs/\">Mod SSL "
2404
"Documentation</ulink> site for more SSL related information."
2407
#: serverguide/C/web-servers.xml:641(para)
2409
"O'Reilly's <ulink url=\"http://oreilly.com/catalog/9780596001919/\">Apache "
2410
"Cookbook</ulink> is a good resource for accomplishing specific Apache2 "
2414
#: serverguide/C/web-servers.xml:647(para)
2416
"For Ubuntu specific Apache2 questions, ask in the <emphasis>#ubuntu-"
2417
"server</emphasis> IRC channel on <ulink "
2418
"url=\"http://freenode.net/\">freenode.net</ulink>."
2421
#: serverguide/C/web-servers.xml:658(title)
2422
msgid "PHP5 - Scripting Language"
2425
#: serverguide/C/web-servers.xml:659(para)
2427
"PHP is a general-purpose scripting language suited for Web development. The "
2428
"PHP script can be embedded into HTML. This section explains how to install "
2429
"and configure PHP5 in Ubuntu System with Apache2 and MySQL."
2432
#: serverguide/C/web-servers.xml:663(para)
2434
"This section assumes you have installed and configured Apache 2 Web Server "
2435
"and MySQL Database Server. You can refer to Apache 2 section and MySQL "
2436
"sections in this document to install and configure Apache 2 and MySQL "
2440
#: serverguide/C/web-servers.xml:670(para)
2441
msgid "The PHP5 is available in Ubuntu Linux."
2444
#: serverguide/C/web-servers.xml:672(para)
2446
"To install PHP5 you can enter the following command in the terminal prompt: "
2448
"<command>sudo apt-get install php5 libapache2-mod-php5</command>\n"
2452
#: serverguide/C/web-servers.xml:681(para)
2454
"You can run PHP5 scripts from command line. To run PHP5 scripts from command "
2455
"line you should install <application>php5-cli</application> package. To "
2456
"install <application>php5-cli</application> you can enter the following "
2457
"command in the terminal prompt: <screen>\n"
2458
"<command>sudo apt-get install php5-cli</command>\n"
2462
#: serverguide/C/web-servers.xml:690(para)
2464
"You can also execute PHP5 scripts without installing PHP5 Apache module. To "
2465
"accomplish this, you should install <application>php5-cgi</application> "
2466
"package. You can run the following command in a terminal prompt to install "
2467
"<application>php5-cgi</application> package: <screen>\n"
2468
"<command>sudo apt-get install php5-cgi</command>\n"
2472
#: serverguide/C/web-servers.xml:700(para)
2474
"To use <application>MySQL</application> with PHP5 you should install "
2475
"<application>php5-mysql</application> package. To install <application>php5-"
2476
"mysql</application> you can enter the following command in the terminal "
2477
"prompt: <screen>\n"
2478
"<command>sudo apt-get install php5-mysql</command>\n"
2482
#: serverguide/C/web-servers.xml:708(para)
2484
"Similarly, to use <application>PostgreSQL</application> with PHP5 you should "
2485
"install <application>php5-pgsql</application> package. To install "
2486
"<application>php5-pgsql</application> you can enter the following command in "
2487
"the terminal prompt: <screen>\n"
2488
"<command>sudo apt-get install php5-pgsql</command>\n"
2492
#: serverguide/C/web-servers.xml:721(para)
2494
"Once you install PHP5, you can run PHP5 scripts from your web browser. If "
2495
"you have installed <application>php5-cli</application> package, you can run "
2496
"PHP5 scripts from your command prompt."
2499
#: serverguide/C/web-servers.xml:728(para)
2501
"By default, the Apache 2 Web server is configured to run PHP5 scripts. In "
2502
"other words, the PHP5 module is enabled in Apache2 Web server automatically "
2503
"when you install the module. Please verify if the files "
2504
"<filename>/etc/apache2/mods-enabled/php5.conf</filename> and "
2505
"<filename>/etc/apache2/mods-enabled/php5.load</filename> exist. If they do "
2506
"not exists, you can enable the module using <command>a2enmod</command> "
2510
#: serverguide/C/web-servers.xml:739(para)
2512
"Once you install PHP5 related packages and enabled PHP5 Apache 2 module, you "
2513
"should restart Apache2 Web server to run PHP5 scripts. You can run the "
2514
"following command at a terminal prompt to restart your web server: "
2515
"<screen><command>sudo /etc/init.d/apache2 restart</command> </screen>"
2518
#: serverguide/C/web-servers.xml:747(title) serverguide/C/mail.xml:305(title) serverguide/C/mail.xml:1534(title) serverguide/C/dns.xml:343(title) serverguide/C/clustering.xml:184(title)
2522
#: serverguide/C/web-servers.xml:748(para)
2524
"To verify your installation, you can run following PHP5 phpinfo script:"
2527
#: serverguide/C/web-servers.xml:751(programlisting)
2536
#: serverguide/C/web-servers.xml:756(para)
2538
"You can save the content in a file <filename>phpinfo.php</filename> and "
2539
"place it under <command>DocumentRoot</command> directory of Apache2 Web "
2540
"server. When point your browser to "
2541
"<filename>http://hostname/phpinfo.php</filename>, it would display values of "
2542
"various PHP5 configuration parameters."
2545
#: serverguide/C/web-servers.xml:770(para)
2547
"For more in depth information see <ulink "
2548
"url=\"http://www.php.net/docs.php\">php.net</ulink> documentation."
2551
#: serverguide/C/web-servers.xml:775(para)
2553
"There are a plethora of books on PHP. Two good books from O'Reilly are "
2554
"<ulink url=\"http://oreilly.com/catalog/9780596005603/\">Learning PHP "
2555
"5</ulink> and the <ulink "
2556
"url=\"http://oreilly.com/catalog/9781565926813/\">PHP Cook Book</ulink>."
2559
#: serverguide/C/web-servers.xml:787(title)
2560
msgid "Squid - Proxy Server"
2563
#: serverguide/C/web-servers.xml:788(para)
2565
"Squid is a full-featured web proxy cache server application which provides "
2566
"proxy and cache services for Hyper Text Transport Protocol (HTTP), File "
2567
"Transfer Protocol (FTP), and other popular network protocols. Squid can "
2568
"implement caching and proxying of Secure Sockets Layer (SSL) requests and "
2569
"caching of Domain Name Server (DNS) lookups, and perform transparent "
2570
"caching. Squid also supports a wide variety of caching protocols, such as "
2571
"Internet Cache Protocol, (ICP) the Hyper Text Caching Protocol, (HTCP) the "
2572
"Cache Array Routing Protocol (CARP), and the Web Cache Coordination "
2576
#: serverguide/C/web-servers.xml:796(para)
2578
"The Squid proxy cache server is an excellent solution to a variety of proxy "
2579
"and caching server needs, and scales from the branch office to enterprise "
2580
"level networks while providing extensive, granular access control mechanisms "
2581
"and monitoring of critical parameters via the Simple Network Management "
2582
"Protocol (SNMP). When selecting a computer system for use as a dedicated "
2583
"Squid proxy, or caching servers, ensure your system is configured with a "
2584
"large amount of physical memory, as Squid maintains an in-memory cache for "
2585
"increased performance."
2588
#: serverguide/C/web-servers.xml:805(para)
2590
"At a terminal prompt, enter the following command to install the Squid "
2594
#: serverguide/C/web-servers.xml:810(command)
2595
msgid "sudo apt-get install squid"
2598
#: serverguide/C/web-servers.xml:816(para)
2600
"Squid is configured by editing the directives contained within the "
2601
"<filename>/etc/squid/squid.conf</filename> configuration file. The following "
2602
"examples illustrate some of the directives which may be modified to affect "
2603
"the behavior of the Squid server. For more in-depth configuration of Squid, "
2604
"see the References section."
2607
#: serverguide/C/web-servers.xml:822(para)
2609
"Prior to editing the configuration file, you should make a copy of the "
2610
"original file and protect it from writing so you will have the original "
2611
"settings as a reference, and to re-use as necessary."
2614
#: serverguide/C/web-servers.xml:825(para)
2616
"Copy the <filename>/etc/squid/squid.conf</filename> file and protect it from "
2617
"writing with the following commands entered at a terminal prompt:"
2620
#: serverguide/C/web-servers.xml:830(command)
2621
msgid "sudo cp /etc/squid/squid.conf /etc/squid/squid.conf.original"
2624
#: serverguide/C/web-servers.xml:831(command)
2625
msgid "sudo chmod a-w /etc/squid/squid.conf.original"
2628
#: serverguide/C/web-servers.xml:837(para)
2630
"To set your Squid server to listen on TCP port 8888 instead of the default "
2631
"TCP port 3128, change the http_port directive as such:"
2634
#: serverguide/C/web-servers.xml:841(programlisting)
2641
#: serverguide/C/web-servers.xml:846(para)
2643
"Change the visible_hostname directive in order to give the Squid server a "
2644
"specific hostname. This hostname does not necessarily need to be the "
2645
"computer's hostname. In this example it is set to <emphasis>weezie</emphasis>"
2648
#: serverguide/C/web-servers.xml:850(programlisting)
2652
"visible_hostname weezie\n"
2655
#: serverguide/C/web-servers.xml:855(para)
2657
"Again, Using Squid's access control, you may configure use of Internet "
2658
"services proxied by Squid to be available only users with certain Internet "
2659
"Protocol (IP) addresses. For example, we will illustrate access by users of "
2660
"the 192.168.42.0/24 subnetwork only:"
2663
#: serverguide/C/web-servers.xml:860(para) serverguide/C/web-servers.xml:880(para)
2665
"Add the following to the <emphasis role=\"bold\">bottom</emphasis> of the "
2666
"ACL section of your <filename>/etc/squid/squid.conf</filename> file:"
2669
#: serverguide/C/web-servers.xml:863(programlisting)
2673
"acl fortytwo_network src 192.168.42.0/24\n"
2676
#: serverguide/C/web-servers.xml:866(para) serverguide/C/web-servers.xml:887(para)
2678
"Then, add the following to the <emphasis role=\"bold\">top</emphasis> of the "
2679
"http_access section of your <filename>/etc/squid/squid.conf</filename> file:"
2682
#: serverguide/C/web-servers.xml:870(programlisting)
2686
"http_access allow fortytwo_network\n"
2689
#: serverguide/C/web-servers.xml:875(para)
2691
"Using the excellent access control features of Squid, you may configure use "
2692
"of Internet services proxied by Squid to be available only during normal "
2693
"business hours. For example, we'll illustrate access by employees of a "
2694
"business which is operating between 9:00AM and 5:00PM, Monday through "
2695
"Friday, and which uses the 10.1.42.0/42 subnetwork:"
2698
#: serverguide/C/web-servers.xml:883(programlisting)
2702
"acl biz_network src 10.1.42.0/24\n"
2703
"acl biz_hours time M T W T F 9:00-17:00\n"
2706
#: serverguide/C/web-servers.xml:891(programlisting)
2710
"http_access allow biz_network biz_hours\n"
2713
#: serverguide/C/web-servers.xml:898(para)
2715
"After making changes to the <filename>/etc/squid/squid.conf</filename> file, "
2716
"save the file and restart the <application>squid</application> server "
2717
"application to effect the changes using the following command entered at a "
2721
#: serverguide/C/web-servers.xml:905(command)
2722
msgid "sudo /etc/init.d/squid restart"
2725
#: serverguide/C/web-servers.xml:912(ulink)
2726
msgid "Squid Website"
2729
#: serverguide/C/web-servers.xml:918(title)
2730
msgid "Ruby on Rails"
2733
#: serverguide/C/web-servers.xml:919(para)
2735
"Ruby on Rails is an open source web framework for developing database backed "
2736
"web applications. It is optimized for sustainable productivity of the "
2737
"programmer since it lets the programmer to write code by favouring "
2738
"convention over configuration."
2741
#: serverguide/C/web-servers.xml:926(para)
2743
"Before installing <application>Rails</application> you should install "
2744
"<application>Apache</application> and <application>MySQL</application>. To "
2745
"install the <application>Apache</application> package, please refer to <xref "
2746
"linkend=\"httpd\"/>. For instructions on installing "
2747
"<application>MySQL</application> refer to <xref linkend=\"mysql\"/>."
2750
#: serverguide/C/web-servers.xml:934(para)
2752
"Once you have <application>Apache</application> and "
2753
"<application>MySQL</application> packages installed, you are ready to "
2754
"install <application>Ruby on Rails</application> package."
2757
#: serverguide/C/web-servers.xml:941(para)
2759
"To install the <application>Ruby</application> base packages and "
2760
"<application>Ruby on Rails</application>, you can enter the following "
2761
"command in the terminal prompt:"
2764
#: serverguide/C/web-servers.xml:947(command)
2765
msgid "sudo apt-get install rails"
2768
#: serverguide/C/web-servers.xml:953(para)
2770
"Modify the <filename>/etc/apache2/sites-available/default</filename> "
2771
"configuration file to setup your domains."
2774
#: serverguide/C/web-servers.xml:957(para)
2776
"The first thing to change is the <emphasis>DocumentRoot</emphasis> directive:"
2779
#: serverguide/C/web-servers.xml:961(programlisting)
2783
"DocumentRoot /path/to/rails/application/public\n"
2786
#: serverguide/C/web-servers.xml:964(para)
2788
"Next, change the <Directory \"/path/to/rails/application/public\"> "
2792
#: serverguide/C/web-servers.xml:968(programlisting)
2796
"<Directory \"/path/to/rails/application/public\">\n"
2797
" Options Indexes FollowSymLinks MultiViews ExecCGI\n"
2798
" AllowOverride All\n"
2799
" Order allow,deny\n"
2801
" AddHandler cgi-script .cgi\n"
2802
"</Directory>\n"
2805
#: serverguide/C/web-servers.xml:978(para)
2807
"You should also enable the <application>mod_rewrite</application> module for "
2808
"Apache. To enable <application>mod_rewrite</application> module, please "
2809
"enter the following command in a terminal prompt:"
2812
#: serverguide/C/web-servers.xml:984(command)
2813
msgid "sudo a2enmod rewrite"
2816
#: serverguide/C/web-servers.xml:987(para)
2818
"Finally you will need to change the ownership of the "
2819
"<filename>/path/to/rails/application/public</filename> and "
2820
"<filename>/path/to/rails/application/tmp</filename> directories to the user "
2821
"used to run the <application>Apache</application> process:"
2824
#: serverguide/C/web-servers.xml:993(command)
2825
msgid "sudo chown -R www-data:www-data /path/to/rails/application/public"
2828
#: serverguide/C/web-servers.xml:994(command)
2829
msgid "sudo chown -R www-data:www-data /path/to/rails/application/tmp"
2832
#: serverguide/C/web-servers.xml:997(para)
2834
"That's it! Now you have your Server ready for your <application>Ruby on "
2835
"Rails</application> applications."
2838
#: serverguide/C/web-servers.xml:1006(para)
2840
"See the <ulink url=\"http://rubyonrails.org/\">Ruby on Rails</ulink> website "
2841
"for more information."
2844
#: serverguide/C/web-servers.xml:1011(para)
2846
"Also <ulink url=\"http://pragprog.com/titles/rails3/agile-web-development-"
2847
"with-rails-third-edition\">Agile Development with Rails</ulink> is a great "
2851
#: serverguide/C/web-servers.xml:1022(title)
2852
msgid "Apache Tomcat"
2855
#: serverguide/C/web-servers.xml:1023(para)
2857
"Apache Tomcat is a web container that allows you to serve Java Servlets and "
2858
"JSP (Java Server Pages) web applications."
2861
#: serverguide/C/web-servers.xml:1025(para)
2863
"The <application>Tomcat 6.0</application> packages in Ubuntu support two "
2864
"different ways of running Tomcat. You can install them as a classic unique "
2865
"system-wide instance, that will be started at boot time and will run as the "
2866
"tomcat6 unpriviledged user. But you can also deploy private instances that "
2867
"will run with your own user rights, and that you should start and stop by "
2868
"yourself. This second way is particularly useful in a development server "
2869
"context where multiple users need to test on their own private Tomcat "
2873
#: serverguide/C/web-servers.xml:1035(title)
2874
msgid "System-wide installation"
2877
#: serverguide/C/web-servers.xml:1036(para)
2879
"To install the <application>Tomcat</application> server, you can enter the "
2880
"following command in the terminal prompt:"
2883
#: serverguide/C/web-servers.xml:1039(command)
2884
msgid "sudo apt-get install tomcat6"
2887
#: serverguide/C/web-servers.xml:1041(para)
2889
"This will install a Tomcat server with just a default ROOT webapp that "
2890
"displays a minimal \"It works\" page by default."
2893
#: serverguide/C/web-servers.xml:1047(para)
2895
"Tomcat configuration files can be found in "
2896
"<filename>/etc/tomcat6</filename>. Only a few common configuration tweaks "
2897
"will be described here, please see <ulink "
2898
"url=\"http://tomcat.apache.org/tomcat-6.0-doc/index.html\">Tomcat 6.0 "
2899
"documentation</ulink> for more."
2902
#: serverguide/C/web-servers.xml:1053(title)
2903
msgid "Changing default ports"
2906
#: serverguide/C/web-servers.xml:1054(para)
2908
"By default Tomcat 6.0 runs a HTTP connector on port 8080 and an AJP "
2909
"connector on port 8009. You might want to change those default ports to "
2910
"avoid conflict with another server on the system. This is done by changing "
2911
"the following lines in <filename>/etc/tomcat6/server.xml</filename>:"
2914
#: serverguide/C/web-servers.xml:1059(programlisting)
2918
"<Connector port=\"8080\" protocol=\"HTTP/1.1\" \n"
2919
" connectionTimeout=\"20000\" \n"
2920
" redirectPort=\"8443\" />\n"
2922
"<Connector port=\"8009\" protocol=\"AJP/1.3\" redirectPort=\"8443\" "
2926
#: serverguide/C/web-servers.xml:1068(title)
2927
msgid "Changing JVM used"
2930
#: serverguide/C/web-servers.xml:1069(para)
2932
"By default Tomcat will run preferably with OpenJDK-6, then try Sun's JVM, "
2933
"then try some other JVMs. If you have various JVMs installed, you can set "
2934
"which should be used by setting JAVA_HOME in "
2935
"<filename>/etc/default/tomcat6</filename>:"
2938
#: serverguide/C/web-servers.xml:1073(programlisting)
2942
"JAVA_HOME=/usr/lib/jvm/java-6-sun\n"
2945
#: serverguide/C/web-servers.xml:1078(title)
2946
msgid "Declaring users and roles"
2949
#: serverguide/C/web-servers.xml:1079(para)
2951
"Usernames, passwords and roles (groups) can be defined centrally in a "
2952
"Servlet container. In Tomcat 6.0 this is done in the "
2953
"<filename>/etc/tomcat6/tomcat-users.xml</filename> file:"
2956
#: serverguide/C/web-servers.xml:1082(programlisting)
2960
"<role rolename=\"admin\"/>\n"
2961
"<user username=\"tomcat\" password=\"s3cret\" roles=\"admin\"/>\n"
2964
#: serverguide/C/web-servers.xml:1090(title)
2965
msgid "Using Tomcat standard webapps"
2968
#: serverguide/C/web-servers.xml:1091(para)
2970
"Tomcat is shipped with webapps that you can install for documentation, "
2971
"administration or demo purposes."
2974
#: serverguide/C/web-servers.xml:1094(title)
2975
msgid "Tomcat documentation"
2978
#: serverguide/C/web-servers.xml:1095(para)
2980
"The <application>tomcat6-docs</application> package contains Tomcat 6.0 "
2981
"documentation, packaged as a webapp that you can access by default at "
2982
"http://yourserver:8080/docs. You can install it by entering the following "
2983
"command in the terminal prompt:"
2986
#: serverguide/C/web-servers.xml:1100(command)
2987
msgid "sudo apt-get install tomcat6-docs"
2990
#: serverguide/C/web-servers.xml:1104(title)
2991
msgid "Tomcat administration webapps"
2994
#: serverguide/C/web-servers.xml:1105(para)
2996
"The <application>tomcat6-admin</application> package contains two webapps "
2997
"that can be used to administer the Tomcat server using a web interface. You "
2998
"can install them by entering the following command in the terminal prompt:"
3001
#: serverguide/C/web-servers.xml:1110(command)
3002
msgid "sudo apt-get install tomcat6-admin"
3005
#: serverguide/C/web-servers.xml:1112(para)
3007
"The first one is the <emphasis>manager</emphasis> webapp, which you can "
3008
"access by default at http://yourserver:8080/manager/html. It is primarily "
3009
"used to get server status and restart webapps."
3012
#: serverguide/C/web-servers.xml:1115(para)
3014
"Access to the <emphasis>manager</emphasis> application is protected by "
3015
"default: you need to define a user with the role \"manager\" in "
3016
"<filename>/etc/tomcat6/tomcat-users.xml</filename> before you can access it."
3019
#: serverguide/C/web-servers.xml:1119(para)
3021
"The second one is the <emphasis>host-manager</emphasis> webapp, which you "
3022
"can access by default at http://yourserver:8080/host-manager/html. It can be "
3023
"used to create virtual hosts dynamically."
3026
#: serverguide/C/web-servers.xml:1123(para)
3028
"Access to the <emphasis>host-manager</emphasis> application is also "
3029
"protected by default: you need to define a user with the role \"admin\" in "
3030
"<filename>/etc/tomcat6/tomcat-users.xml</filename> before you can access it."
3033
#: serverguide/C/web-servers.xml:1128(para)
3035
"For security reasons, the tomcat6 user cannot write to the "
3036
"<filename>/etc/tomcat6</filename> directory by default. Some features in "
3037
"these admin webapps (application deployment, virtual host creation) need "
3038
"write access to that directory. If you want to use these features execute "
3039
"the following, to give users in the tomcat6 group the necessary rights:"
3042
#: serverguide/C/web-servers.xml:1135(command)
3043
msgid "sudo chgrp -R tomcat6 /etc/tomcat6"
3046
#: serverguide/C/web-servers.xml:1136(command)
3047
msgid "sudo chmod -R g+w /etc/tomcat6"
3050
#: serverguide/C/web-servers.xml:1141(title)
3051
msgid "Tomcat examples webapps"
3054
#: serverguide/C/web-servers.xml:1142(para)
3056
"The <application>tomcat6-examples</application> package contains two webapps "
3057
"that can be used to test or demonstrate Servlets and JSP features, which you "
3058
"can access them by default at http://yourserver:8080/examples. You can "
3059
"install them by entering the following command in the terminal prompt:"
3062
#: serverguide/C/web-servers.xml:1148(command)
3063
msgid "sudo apt-get install tomcat6-examples"
3066
#: serverguide/C/web-servers.xml:1154(title)
3067
msgid "Using private instances"
3070
#: serverguide/C/web-servers.xml:1155(para)
3072
"Tomcat is heavily used in development and testing scenarios where using a "
3073
"single system-wide instance doesn't meet the requirements of multiple users "
3074
"on a single system. The Tomcat 6.0 packages in Ubuntu come with tools to "
3075
"help deploy your own user-oriented instances, allowing every user on a "
3076
"system to run (without root rights) separate private instances while still "
3077
"using the system-installed libraries."
3080
#: serverguide/C/web-servers.xml:1162(para)
3082
"It is possible to run the system-wide instance and the private instances in "
3083
"parallel, as long as they do not use the same TCP ports."
3086
#: serverguide/C/web-servers.xml:1166(title)
3087
msgid "Installing private instance support"
3090
#: serverguide/C/web-servers.xml:1167(para)
3092
"You can install everything necessary to run private instances by entering "
3093
"the following command in the terminal prompt:"
3096
#: serverguide/C/web-servers.xml:1170(command)
3097
msgid "sudo apt-get install tomcat6-user"
3100
#: serverguide/C/web-servers.xml:1174(title)
3101
msgid "Creating a private instance"
3104
#: serverguide/C/web-servers.xml:1175(para)
3106
"You can create a private instance directory by entering the following "
3107
"command in the terminal prompt:"
3110
#: serverguide/C/web-servers.xml:1178(command)
3111
msgid "tomcat6-instance-create my-instance"
3114
#: serverguide/C/web-servers.xml:1180(para)
3116
"This will create a new <filename>my-instance</filename> directory with all "
3117
"the necessary subdirectories and scripts. You can for example install your "
3118
"common libraries in the <filename>lib/</filename> subdirectory and deploy "
3119
"your webapps in the <filename>webapps/</filename> subdirectory. No webapps "
3120
"are deployed by default."
3123
#: serverguide/C/web-servers.xml:1188(title)
3124
msgid "Configuring your private instance"
3127
#: serverguide/C/web-servers.xml:1189(para)
3129
"You will find the classic Tomcat configuration files for your private "
3130
"instance in the <filename>conf/</filename> subdirectory. You should for "
3131
"example certainly edit the <filename>conf/server.xml</filename> file to "
3132
"change the default ports used by your private Tomcat instance to avoid "
3133
"conflict with other instances that might be running."
3136
#: serverguide/C/web-servers.xml:1197(title)
3137
msgid "Starting/stopping your private instance"
3140
#: serverguide/C/web-servers.xml:1198(para)
3142
"You can start your private instance by entering the following command in the "
3143
"terminal prompt (supposing your instance is located in the <filename>my-"
3144
"instance</filename> directory):"
3147
#: serverguide/C/web-servers.xml:1202(command)
3148
msgid "my-instance/bin/startup.sh"
3151
#: serverguide/C/web-servers.xml:1204(para)
3153
"You should check the <filename>logs/</filename> subdirectory for any error. "
3154
"If you have a <emphasis>java.net.BindException: Address already in "
3155
"use<null>:8080</emphasis> error, it means that the port you're using "
3156
"is already taken and that you should change it."
3159
#: serverguide/C/web-servers.xml:1209(para)
3161
"You can stop your instance by entering the following command in the terminal "
3162
"prompt (supposing your instance is located in the <filename>my-"
3163
"instance</filename> directory):"
3166
#: serverguide/C/web-servers.xml:1213(command)
3167
msgid "my-instance/bin/shutdown.sh"
3170
#: serverguide/C/web-servers.xml:1222(para)
3172
"See the <ulink url=\"http://tomcat.apache.org/\">Apache Tomcat</ulink> "
3173
"website for more information."
3176
#: serverguide/C/web-servers.xml:1227(para)
3178
"<ulink url=\"http://oreilly.com/catalog/9780596003180/\">Tomcat: The "
3179
"Definitive Guide</ulink> is a good resource for building web applications "
3183
#: serverguide/C/web-servers.xml:1233(para)
3185
"For additional books see the <ulink "
3186
"url=\"http://wiki.apache.org/tomcat/Tomcat/Books\">Tomcat Books</ulink> list "
3190
#: serverguide/C/vpn.xml:13(title)
3194
#: serverguide/C/vpn.xml:15(para)
3196
"A Virtual Private Network, or <emphasis>VPN</emphasis>, is an encrypted "
3197
"network connection between two or more networks. There are several ways to "
3198
"create a VPN using software as well as dedicated hardware appliances. This "
3199
"chapter will cover installing and configuring "
3200
"<application>OpenVPN</application> to create a VPN between two servers."
3203
#: serverguide/C/vpn.xml:23(title)
3207
#: serverguide/C/vpn.xml:25(para)
3209
"OpenVPN uses Public Key Infrastructure (PKI) to encrypt VPN traffic between "
3210
"nodes. A simple way of setting up a VPN with OpenVPN is to connect the "
3211
"clients through a bridge interface on the VPN server. This guide will assume "
3212
"that one VPN node, the server in this case, has a bridge interface "
3213
"configured. For more information on setting up a bridge see <xref "
3214
"linkend=\"bridging\"/>."
3217
#: serverguide/C/vpn.xml:35(para)
3218
msgid "To install <application>openvpn</application> in a terminal enter:"
3221
#: serverguide/C/vpn.xml:41(command)
3222
msgid "sudo apt-get install openvpn"
3225
#: serverguide/C/vpn.xml:45(title)
3226
msgid "Server Certificates"
3229
#: serverguide/C/vpn.xml:47(para)
3231
"Now that the <application>openvpn</application> package is installed, the "
3232
"certificates for the VPN server need to be created."
3235
#: serverguide/C/vpn.xml:52(para)
3237
"First, copy the <filename>easy-rsa</filename> directory to "
3238
"<filename>/etc/openvpn</filename>. This will ensure that any changes to the "
3239
"scripts will not be lost when the package is updated. From a terminal enter:"
3242
#: serverguide/C/vpn.xml:58(command)
3243
msgid "sudo mkdir /etc/openvpn/easy-rsa/"
3246
#: serverguide/C/vpn.xml:59(command)
3248
"sudo cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/ /etc/openvpn/"
3251
#: serverguide/C/vpn.xml:62(para)
3253
"Next, edit <filename>/etc/openvpn/easy-rsa/vars</filename> adjusting the "
3254
"following to your environment:"
3257
#: serverguide/C/vpn.xml:66(programlisting)
3261
"export KEY_COUNTRY=\"US\"\n"
3262
"export KEY_PROVINCE=\"NC\"\n"
3263
"export KEY_CITY=\"Winston-Salem\"\n"
3264
"export KEY_ORG=\"Example Company\"\n"
3265
"export KEY_EMAIL=\"steve@example.com\"\n"
3268
#: serverguide/C/vpn.xml:74(para)
3269
msgid "Enter the following to create the server certificates:"
3272
#: serverguide/C/vpn.xml:79(command)
3273
msgid "cd /etc/openvpn/easy-rsa/easy-rsa"
3276
#: serverguide/C/vpn.xml:80(command) serverguide/C/vpn.xml:101(command)
3280
#: serverguide/C/vpn.xml:81(command)
3284
#: serverguide/C/vpn.xml:82(command)
3288
#: serverguide/C/vpn.xml:83(command)
3289
msgid "./pkitool --initca"
3292
#: serverguide/C/vpn.xml:84(command)
3293
msgid "./pkitool --server server"
3296
#: serverguide/C/vpn.xml:85(command)
3300
#: serverguide/C/vpn.xml:86(command)
3301
msgid "openvpn --genkey --secret ta.key"
3304
#: serverguide/C/vpn.xml:87(command)
3305
msgid "sudo cp server.crt server.key ca.crt dh1024.pem ta.key /etc/openvpn/"
3308
#: serverguide/C/vpn.xml:92(title)
3309
msgid "Client Certificates"
3312
#: serverguide/C/vpn.xml:94(para)
3314
"The VPN client will also need a certificate to authenticate itself to the "
3315
"server. To create the certificate, enter the following in a terminal:"
3318
#: serverguide/C/vpn.xml:100(command)
3319
msgid "cd /etc/openvpn/easy-rsa/"
3322
#: serverguide/C/vpn.xml:102(command)
3323
msgid "./pkitool hostname"
3326
#: serverguide/C/vpn.xml:106(para)
3328
"Replace <emphasis>hostname</emphasis> with the actual hostname of the "
3329
"machine connecting to the VPN."
3332
#: serverguide/C/vpn.xml:111(para)
3333
msgid "Copy the following files to the client:"
3336
#: serverguide/C/vpn.xml:116(para)
3337
msgid "/etc/openvpn/easy-rsa/hostname.ovpn"
3340
#: serverguide/C/vpn.xml:117(para)
3341
msgid "/etc/openvpn/easy-rsa/ca.crt"
3344
#: serverguide/C/vpn.xml:118(para)
3345
msgid "/etc/openvpn/easy-rsa/hostname.crt"
3348
#: serverguide/C/vpn.xml:119(para)
3349
msgid "/etc/openvpn/easy-rsa/hostname.key"
3352
#: serverguide/C/vpn.xml:120(para)
3353
msgid "/etc/openvpn/easy-rsa/ta.key"
3356
#: serverguide/C/vpn.xml:124(para)
3358
"Remember to adjust the above file names for your client machine's "
3359
"<emphasis>hostname</emphasis>."
3362
#: serverguide/C/vpn.xml:129(para)
3364
"It is best to use a secure method to copy the certificate and key files. The "
3365
"<application>scp</application> utility is a good choice, but copying the "
3366
"files to removable media then to the client, also works well."
3369
#: serverguide/C/vpn.xml:140(title) serverguide/C/vcs.xml:107(title)
3370
msgid "Server Configuration"
3373
#: serverguide/C/vpn.xml:142(para)
3375
"Now configure the <application>openvpn</application> server by creating "
3376
"<filename>/etc/openvpn/server.conf</filename> from the example file. In a "
3380
#: serverguide/C/vpn.xml:148(command)
3382
"sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz "
3386
#: serverguide/C/vpn.xml:149(command)
3387
msgid "sudo gzip -d /etc/openvpn/server.conf.gz"
3390
#: serverguide/C/vpn.xml:152(para)
3392
"Edit <filename>etc/openvpn/server.conf</filename> changing the following "
3396
#: serverguide/C/vpn.xml:156(programlisting)
3400
"local 172.18.100.101\n"
3402
"server-bridge 172.18.100.101 255.255.255.0 172.18.100.105 172.18.100.200\n"
3403
"push \"route 172.18.100.1 255.255.255.0\"\n"
3404
"push \"dhcp-option DNS 172.18.100.20\"\n"
3405
"push \"dhcp-option DOMAIN example.com\"\n"
3406
"tls-auth ta.key 0 # This file is secret\n"
3411
#: serverguide/C/vpn.xml:170(para)
3413
"<emphasis>local</emphasis>: is the IP address of the bridge interface."
3416
#: serverguide/C/vpn.xml:175(para)
3418
"<emphasis>server-bridge</emphasis>: needed when the configuration uses "
3419
"bridging. The <emphasis>172.18.100.101 255.255.255.0</emphasis> portion is "
3420
"the bridge interface and mask. The IP range <emphasis>172.18.100.105 "
3421
"172.18.100.200</emphasis> is the range of IP addresses that will be assigned "
3425
#: serverguide/C/vpn.xml:182(para)
3427
"<emphasis>push</emphasis>: are directives to add networking options for "
3431
#: serverguide/C/vpn.xml:187(para)
3433
"<emphasis>user and group</emphasis>: configure which user and group the "
3434
"<application>openvpn</application> daemon executes as."
3437
#: serverguide/C/vpn.xml:194(para)
3439
"Replace all IP addresses and domain names above with those of your network."
3442
#: serverguide/C/vpn.xml:199(para)
3444
"Next, create a couple of helper scripts to add the <emphasis>tap</emphasis> "
3445
"interface to the bridge. Create <filename>/etc/openvpn/up.sh</filename>:"
3448
#: serverguide/C/vpn.xml:203(programlisting)
3457
"/sbin/ifconfig $DEV mtu $MTU promisc up\n"
3458
"/usr/sbin/brctl addif $BR $DEV\n"
3461
#: serverguide/C/vpn.xml:213(para)
3462
msgid "And <filename>/etc/openvpn/down.sh</filename>:"
3465
#: serverguide/C/vpn.xml:217(programlisting)
3474
"/usr/sbin/brctl delif $BR $DEV\n"
3475
"/sbin/ifconfig $DEV down\n"
3478
#: serverguide/C/vpn.xml:227(para)
3479
msgid "Then make them executable:"
3482
#: serverguide/C/vpn.xml:232(command)
3483
msgid "sudo chmod 755 /etc/openvpn/down.sh"
3486
#: serverguide/C/vpn.xml:233(command)
3487
msgid "sudo chmod 755 /etc/openvpn/up.sh"
3490
#: serverguide/C/vpn.xml:236(para)
3492
"After configuring the server, restart <application>openvpn</application> by "
3496
#: serverguide/C/vpn.xml:241(command) serverguide/C/vpn.xml:281(command)
3497
msgid "sudo /etc/init.d/openvpn restart"
3500
#: serverguide/C/vpn.xml:246(title)
3501
msgid "Client Configuration"
3504
#: serverguide/C/vpn.xml:248(para)
3506
"With the server configured and the client certificates copied over, create a "
3507
"client configuration file by copying the example. In a terminal on the "
3508
"client machine enter:"
3511
#: serverguide/C/vpn.xml:254(command)
3513
"sudo cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf "
3517
#: serverguide/C/vpn.xml:257(para)
3519
"Now edit <filename>/etc/openvpn/client.conf</filename> changing the "
3520
"following options:"
3523
#: serverguide/C/vpn.xml:261(programlisting)
3528
"remote vpn.example.com 1194\n"
3529
"cert hostname.crt\n"
3530
"key hostname.key\n"
3531
"tls-auth ta.key 1\n"
3534
#: serverguide/C/vpn.xml:270(para)
3536
"Replace <emphasis>vpn.example.com</emphasis> with the hostname of your VPN "
3537
"server, and <emphasis>hostname.*</emphasis> with the actual certificate and "
3541
#: serverguide/C/vpn.xml:276(para)
3542
msgid "Finally, restart <application>openvpn</application>:"
3545
#: serverguide/C/vpn.xml:284(para)
3546
msgid "You should now be able to connect to the remote LAN through the VPN."
3549
#: serverguide/C/vpn.xml:295(para)
3551
"See the <ulink url=\"http://openvpn.net/\">OpenVPN</ulink> website for "
3552
"additional information."
3555
#: serverguide/C/vpn.xml:300(para)
3557
"Also, Pakt's <ulink url=\"http://www.packtpub.com/openvpn/book\">OpenVPN: "
3558
"Building and Integrating Virtual Private Networks</ulink> is a good resource."
3561
#: serverguide/C/virtualization.xml:13(title)
3562
msgid "Virtualization"
3565
#: serverguide/C/virtualization.xml:14(para)
3567
"Virtualization is being adopted in many different environments and "
3568
"situations. If you are a developer, virtualization can provide you with a "
3569
"contained environment where you can safely do almost any sort of development "
3570
"safe from messing up your main working environment. If you are a systems "
3571
"administrator, you can use virtualization to more easily separate your "
3572
"services and move them around based on demand."
3575
#: serverguide/C/virtualization.xml:20(para)
3577
"The default virtualization technology supported in Ubuntu is "
3578
"<application>KVM</application>, a technology that takes advantage of "
3579
"virtualization extensions built into Intel and AMD hardware. For hardware "
3580
"without virtualization extensions <application>Xen</application> and "
3581
"<application>Qemu</application> are popular solutions."
3584
#: serverguide/C/virtualization.xml:27(title)
3588
#: serverguide/C/virtualization.xml:28(para)
3590
"The <application>libvirt</application> library is used to interface with "
3591
"different virtualization technologies. Before getting started with "
3592
"<application>libvirt</application> it is best to make sure your hardware "
3593
"supports the necessary virtualization extensions for "
3594
"<application>KVM</application>. Enter the following from a terminal prompt:"
3597
#: serverguide/C/virtualization.xml:34(command)
3598
msgid "egrep '(vmx|svm)' /proc/cpuinfo"
3601
#: serverguide/C/virtualization.xml:36(para)
3603
"If nothing is printed, it means that your cpu does <emphasis>not</emphasis> "
3604
"support hardware virtualization."
3607
#: serverguide/C/virtualization.xml:40(para)
3609
"On most computer whose processor supports virtualization, it is necessary to "
3610
"activate an option in the bios to enable it. The method described above does "
3611
"not show the status of it's activation."
3614
#: serverguide/C/virtualization.xml:47(title)
3615
msgid "Virtual Networking"
3618
#: serverguide/C/virtualization.xml:49(para)
3620
"There are a few different ways to allow a virtual machine access to the "
3621
"external network. The default virtual network configuration is "
3622
"<emphasis>usermode</emphasis> networking, which uses the SLIRP protocol and "
3623
"traffic is NATed through the host interface to the outside network."
3626
#: serverguide/C/virtualization.xml:54(para)
3628
"To enable external hosts to directly access services on virtual machines a "
3629
"<emphasis>bridge</emphasis> needs to be configured. This allows the virtual "
3630
"interfaces to connect to the outside network through the physical interface, "
3631
"making them appear as normal hosts to the rest of the network. For "
3632
"information on setting up a bridge see <xref linkend=\"bridging\"/>."
3635
#: serverguide/C/virtualization.xml:63(para)
3636
msgid "To install the necessary packages, from a terminal prompt enter:"
3639
#: serverguide/C/virtualization.xml:67(command)
3640
msgid "sudo apt-get install kvm libvirt-bin"
3643
#: serverguide/C/virtualization.xml:69(para)
3645
"After installing <application>libvirt-bin</application>, the user used to "
3646
"manage virtual machines will need to be added to the "
3647
"<emphasis>libvirtd</emphasis> group. Doing so will grant the user access to "
3648
"the advanced networking options."
3651
#: serverguide/C/virtualization.xml:73(para)
3652
msgid "In a terminal enter:"
3655
#: serverguide/C/virtualization.xml:77(command)
3656
msgid "sudo adduser $USER libvirtd"
3659
#: serverguide/C/virtualization.xml:80(para)
3661
"If the user chosen is the current user, you will need to log out and back in "
3662
"for the new group membership to take effect."
3665
#: serverguide/C/virtualization.xml:84(para)
3667
"You are now ready to install a <emphasis>Guest</emphasis> operating system. "
3668
"Installing a virtual machine follows the same process as installing the "
3669
"operating system directly on the hardware. You either need a way to automate "
3670
"the installation, or a keyboard and monitor will need to be attached to the "
3674
#: serverguide/C/virtualization.xml:89(para)
3676
"In the case of virtual machines a Graphical User Interface (GUI) is "
3677
"analogous to using a physical keyboard and mouse. Instead of installing a "
3678
"GUI the <application>virt-viewer</application> application can be used to "
3679
"connect to a virtual machine's console using <application>VNC</application>. "
3680
"See <xref linkend=\"libvirt-virt-viewer\"/> for more information."
3683
#: serverguide/C/virtualization.xml:94(para)
3685
"There are several ways to automate the Ubuntu installation process, for "
3686
"example using preseeds, kickstart, etc. Refer to the <ulink "
3687
"url=\"https://help.ubuntu.com/9.10/installation-guide/\">Ubuntu Installation "
3688
"Guide</ulink> for details."
3691
#: serverguide/C/virtualization.xml:98(para)
3693
"Yet another way to install an Ubuntu virtual machine is to use "
3694
"<application>ubuntu-vm-builder</application>. <application>ubuntu-vm-"
3695
"builder</application> allows you to setup advanced partitions, execute "
3696
"custom post-install scripts, etc. For details see <xref linkend=\"jeos-and-"
3700
#: serverguide/C/virtualization.xml:104(title)
3701
msgid "virt-install"
3704
#: serverguide/C/virtualization.xml:105(para)
3706
"<application>virt-install</application> is part of the <application>python-"
3707
"virtinst</application> package. To install it, from a terminal prompt enter:"
3710
#: serverguide/C/virtualization.xml:109(command)
3711
msgid "sudo apt-get install python-virtinst"
3714
#: serverguide/C/virtualization.xml:111(para)
3716
"There are several options available when using <application>virt-"
3717
"install</application>. For example:"
3720
#: serverguide/C/virtualization.xml:115(command)
3722
"sudo virt-install -n web_devel -r 256 -f web_devel.img \\ -s 4 -c jeos.iso --"
3723
"accelerate \\ --connect=qemu:///system --vnc \\ --noautoconsole -v"
3726
#: serverguide/C/virtualization.xml:122(para)
3728
"<emphasis>-n web_devel:</emphasis> the name of the new virtual machine will "
3729
"be <emphasis>web_devel</emphasis> in this example."
3732
#: serverguide/C/virtualization.xml:127(para)
3734
"<emphasis>-r 256:</emphasis> specifies the amount of memory the virtual "
3738
#: serverguide/C/virtualization.xml:132(para)
3740
"<emphasis>-f web_devel.img:</emphasis> indicates the path to the virtual "
3741
"disk which can be a file, partition, or logical volume. In this example a "
3742
"file named <filename>web_devel.img</filename>."
3745
#: serverguide/C/virtualization.xml:138(para)
3746
msgid "<emphasis>-s 4:</emphasis> the size of the virtual disk."
3749
#: serverguide/C/virtualization.xml:143(para)
3751
"<emphasis>-c jeos.iso:</emphasis> file to be used as a virtual CDROM. The "
3752
"file can be either an ISO file or the path to the host's CDROM device."
3755
#: serverguide/C/virtualization.xml:149(para)
3757
"<emphasis>--accelerate:</emphasis> enables the kernel's acceleration "
3761
#: serverguide/C/virtualization.xml:154(para)
3763
"<emphasis>--vnc:</emphasis> exports the guest's virtual console using VNC."
3766
#: serverguide/C/virtualization.xml:159(para)
3768
"<emphasis>--noautoconsole:</emphasis> will not automatically connect to the "
3769
"virtual machine's console."
3772
#: serverguide/C/virtualization.xml:164(para)
3773
msgid "<emphasis>-v:</emphasis> creates a fully virtualized guest."
3776
#: serverguide/C/virtualization.xml:169(para)
3778
"After launching <application>virt-install</application> you can connect to "
3779
"the virtual machine's console either locally using a GUI or with the "
3780
"<application>virt-viewer</application> utility."
3783
#: serverguide/C/virtualization.xml:175(title)
3787
#: serverguide/C/virtualization.xml:176(para)
3789
"The <application>virt-clone</application> application can be used to copy "
3790
"one virtual machine to another. For example:"
3793
#: serverguide/C/virtualization.xml:180(command)
3795
"sudo virt-clone -o web_devel -n database_devel -f "
3796
"/path/to/database_devel.img --connect=qemu:///system"
3799
#: serverguide/C/virtualization.xml:184(para)
3800
msgid "<emphasis>-o:</emphasis> original virtual machine."
3803
#: serverguide/C/virtualization.xml:189(para)
3804
msgid "<emphasis>-n:</emphasis> name of the new virtual machine."
3807
#: serverguide/C/virtualization.xml:194(para)
3809
"<emphasis>-f:</emphasis> path to the file, logical volume, or partition to "
3810
"be used by the new virtual machine."
3813
#: serverguide/C/virtualization.xml:199(para)
3815
"<emphasis>--connect:</emphasis> specifies which hypervisor to connect to."
3818
#: serverguide/C/virtualization.xml:204(para)
3820
"Also, use <emphasis>-d</emphasis> or <emphasis>--debug</emphasis> option to "
3821
"help troubleshoot problems with <application>virt-clone</application>."
3824
#: serverguide/C/virtualization.xml:209(para)
3826
"Replace <emphasis>web_devel</emphasis> and "
3827
"<emphasis>database_devel</emphasis> with appropriate virtual machine names."
3830
#: serverguide/C/virtualization.xml:215(title)
3831
msgid "Virtual Machine Management"
3834
#: serverguide/C/virtualization.xml:217(title)
3838
#: serverguide/C/virtualization.xml:218(para)
3840
"There are several utilities available to manage virtual machines and "
3841
"<application>libvirt</application>. The <application>virsh</application> "
3842
"utility can be used from the command line. Some examples:"
3845
#: serverguide/C/virtualization.xml:224(para)
3846
msgid "To list running virtual machines:"
3849
#: serverguide/C/virtualization.xml:228(command)
3850
msgid "virsh -c qemu:///system list"
3853
#: serverguide/C/virtualization.xml:232(para)
3854
msgid "To start a virtual machine:"
3857
#: serverguide/C/virtualization.xml:236(command)
3858
msgid "virsh -c qemu:///system start web_devel"
3861
#: serverguide/C/virtualization.xml:240(para)
3862
msgid "Similarly, to start a virtual machine at boot:"
3865
#: serverguide/C/virtualization.xml:244(command)
3866
msgid "virsh -c qemu:///system autostart web_devel"
3869
#: serverguide/C/virtualization.xml:248(para)
3870
msgid "Reboot a virtual machine with:"
3873
#: serverguide/C/virtualization.xml:252(command)
3874
msgid "virsh -c qemu:///system reboot web_devel"
3877
#: serverguide/C/virtualization.xml:256(para)
3879
"The <emphasis>state</emphasis> of virtual machines can be saved to a file in "
3880
"order to be restored later. The following will save the virtual machine "
3881
"state into a file named according to the date:"
3884
#: serverguide/C/virtualization.xml:261(command)
3885
msgid "virsh -c qemu:///system save web_devel web_devel-022708.state"
3888
#: serverguide/C/virtualization.xml:263(para)
3889
msgid "Once saved the virtual machine will no longer be running."
3892
#: serverguide/C/virtualization.xml:268(para)
3893
msgid "A saved virtual machine can be restored using:"
3896
#: serverguide/C/virtualization.xml:272(command)
3897
msgid "virsh -c qemu:///system restore web_devel-022708.state"
3900
#: serverguide/C/virtualization.xml:276(para)
3901
msgid "To shutdown a virtual machine do:"
3904
#: serverguide/C/virtualization.xml:280(command)
3905
msgid "virsh -c qemu:///system shutdown web_devel"
3908
#: serverguide/C/virtualization.xml:284(para)
3909
msgid "A CDROM device can be mounted in a virtual machine by entering:"
3912
#: serverguide/C/virtualization.xml:288(command)
3913
msgid "virsh -c qemu:///system attach-disk web_devel /dev/cdrom /media/cdrom"
3916
#: serverguide/C/virtualization.xml:293(para)
3918
"In the above examples replace <emphasis>web_devel</emphasis> with the "
3919
"appropriate virtual machine name, and <filename>web_devel-"
3920
"022708.state</filename> with a descriptive file name."
3923
#: serverguide/C/virtualization.xml:300(title)
3924
msgid "Virtual Machine Manager"
3927
#: serverguide/C/virtualization.xml:301(para)
3929
"The <application>virt-manager</application> package contains a graphical "
3930
"utility to manage local and remote virtual machines. To install virt-manager "
3934
#: serverguide/C/virtualization.xml:306(command)
3935
msgid "sudo apt-get install virt-manager"
3938
#: serverguide/C/virtualization.xml:308(para)
3940
"Since <application>virt-manager</application> requires a Graphical User "
3941
"Interface (GUI) environment it is recommended to be installed on a "
3942
"workstation or test machine instead of a production server. To connect to "
3943
"the local <application>libvirt</application> service enter:"
3946
#: serverguide/C/virtualization.xml:314(command)
3947
msgid "virt-manager -c qemu:///system"
3950
#: serverguide/C/virtualization.xml:316(para)
3952
"You can connect to the <application>libvirt</application> service running on "
3953
"another host by entering the following in a terminal prompt:"
3956
#: serverguide/C/virtualization.xml:320(command)
3957
msgid "virt-manager -c qemu+ssh://virtnode1.mydomain.com/system"
3960
#: serverguide/C/virtualization.xml:323(para)
3962
"The above example assumes that <application>SSH</application> connectivity "
3963
"between the management system and virtnode1.mydomain.com has already been "
3964
"configured, and uses SSH keys for authentication. SSH "
3965
"<emphasis>keys</emphasis> are needed because "
3966
"<application>libvirt</application> sends the password prompt to another "
3967
"process. For details on configuring <application>SSH</application> see <xref "
3968
"linkend=\"openssh-server\"/>"
3971
#: serverguide/C/virtualization.xml:333(title)
3972
msgid "Virtual Machine Viewer"
3975
#: serverguide/C/virtualization.xml:334(para)
3977
"The <application>virt-viewer</application> application allows you to connect "
3978
"to a virtual machine's console. <application>virt-viewer</application> does "
3979
"require a Graphical User Interface (GUI) to interface with the virtual "
3983
#: serverguide/C/virtualization.xml:338(para)
3985
"To install <application>virt-viewer</application> from a terminal enter:"
3988
#: serverguide/C/virtualization.xml:342(command)
3989
msgid "sudo apt-get install virt-viewer"
3992
#: serverguide/C/virtualization.xml:344(para)
3994
"Once a virtual machine is installed and running you can connect to the "
3995
"virtual machine's console by using:"
3998
#: serverguide/C/virtualization.xml:348(command)
3999
msgid "virt-viewer -c qemu:///system web_devel"
4002
#: serverguide/C/virtualization.xml:350(para)
4004
"Similar to <application>virt-manager</application>, <application>virt-"
4005
"viewer</application> can connect to a remote host using "
4006
"<emphasis>SSH</emphasis> with key authentication, as well:"
4009
#: serverguide/C/virtualization.xml:355(command)
4010
msgid "virt-viewer -c qemu+ssh://virtnode1.mydomain.com/system web_devel"
4013
#: serverguide/C/virtualization.xml:357(para)
4015
"Be sure to replace <emphasis role=\"italic\">web_devel</emphasis> with the "
4016
"appropriate virtual machine name."
4019
#: serverguide/C/virtualization.xml:360(para)
4021
"If configured to use a <emphasis>bridged</emphasis> network interface you "
4022
"can also setup <application>SSH</application> access to the virtual machine. "
4023
"See <xref linkend=\"openssh-server\"/> and <xref linkend=\"bridging\"/> for "
4027
#: serverguide/C/virtualization.xml:369(para)
4029
"See the <ulink url=\"http://kvm.qumranet.com/kvmwiki\">KVM</ulink> home page "
4033
#: serverguide/C/virtualization.xml:374(para)
4035
"For more information on <application>libvirt</application> see the <ulink "
4036
"url=\"http://libvirt.org/\">libvirt home page</ulink>"
4039
#: serverguide/C/virtualization.xml:379(para)
4041
"The <ulink url=\"http://virt-manager.et.redhat.com/\">Virtual Machine "
4042
"Manager</ulink> site has more information on <application>virt-"
4043
"manager</application> development."
4046
#: serverguide/C/virtualization.xml:385(para)
4048
"Also, stop by the <emphasis>#ubuntu-virt</emphasis> IRC channel on <ulink "
4049
"url=\"http://freenode.net/\">freenode</ulink> to discuss virtualization "
4050
"technology in Ubuntu."
4053
#: serverguide/C/virtualization.xml:394(title)
4054
msgid "JeOS and vmbuilder"
4057
#: serverguide/C/virtualization.xml:400(title)
4058
msgid "What is JeOS"
4061
#: serverguide/C/virtualization.xml:402(para)
4063
"Ubuntu <emphasis>JeOS</emphasis> (pronounced \"Juice\") is an efficient "
4064
"variant of the Ubuntu Server operating system, configured specifically for "
4065
"virtual appliances. No longer available as a CD-ROM ISO for download, but "
4066
"only as an option either:"
4069
#: serverguide/C/virtualization.xml:409(para)
4071
"While installing from the Server Edition ISO (pressing "
4072
"<emphasis>F4</emphasis> on the first screen will allow you to pick \"Minimal "
4073
"installation\", which is the package selection equivalent to JeOS)."
4076
#: serverguide/C/virtualization.xml:415(para)
4077
msgid "Or to be built using Ubuntu's vmbuilder, which is described here."
4080
#: serverguide/C/virtualization.xml:421(para)
4082
"JeOS is a specialized installation of Ubuntu Server Edition with a tuned "
4083
"kernel that only contains the base elements needed to run within a "
4084
"virtualized environment."
4087
#: serverguide/C/virtualization.xml:426(para)
4089
"Ubuntu JeOS has been tuned to take advantage of key performance technologies "
4090
"in the latest virtualization products from VMware. This combination of "
4091
"reduced size and optimized performance ensures that Ubuntu JeOS Edition "
4092
"delivers a highly efficient use of server resources in large virtual "
4096
#: serverguide/C/virtualization.xml:432(para)
4098
"Without unnecessary drivers, and only the minimal required packages, ISVs "
4099
"can configure their supporting OS exactly as they require. They have the "
4100
"peace of mind that updates, whether for security or enhancement reasons, "
4101
"will be limited to the bare minimum of what is required in their specific "
4102
"environment. In turn, users deploying virtual appliances built on top of "
4103
"JeOS will have to go through fewer updates and therefore less maintenance "
4104
"than they would have had to with a standard full installation of a server."
4107
#: serverguide/C/virtualization.xml:441(title)
4108
msgid "What is vmbuilder"
4111
#: serverguide/C/virtualization.xml:443(para)
4113
"With vmbuilder, there is no need to download a JeOS ISO anymore. vmbuilder "
4114
"will fetch the various package and build a virtual machine tailored for our "
4115
"need in about a minute for us. Vmbuilder is a Script that automates the "
4116
"process of creating a ready to use Linux based VM. The currently supported "
4117
"hypervisors are KVM and Xen."
4120
#: serverguide/C/virtualization.xml:449(para)
4122
"You can pass command line options to add extra packages, remove packages, "
4123
"choose which version of Ubuntu, which mirror etc. On recent hardware with "
4124
"plenty of RAM, tmpdir in <filename>/dev/shm</filename> or using a tmpfs, and "
4125
"a local mirror, you can bootstrap a VM in less than a minute."
4128
#: serverguide/C/virtualization.xml:455(para)
4130
"First introduced as a shell script in Ubuntu 8.04LTS, <application>ubuntu-vm-"
4131
"builder</application> started with little emphasis as a hack to help "
4132
"developers test their new code in a virtual machine without having to "
4133
"restart from scratch each time. As a few Ubuntu administrators started to "
4134
"notice this script, a few of them went on improving it and adapting it for "
4135
"so many use case that Soren Hansen (the author of the script and Ubuntu "
4136
"virtualization specialist, not the golf player) decided to rewrite it from "
4137
"scratch for Intrepid as a python script with a few new design goals:"
4140
#: serverguide/C/virtualization.xml:465(para)
4141
msgid "Develop it so that it can be reused by other distributions."
4144
#: serverguide/C/virtualization.xml:470(para)
4146
"Use a plugin mechanisms for all virtualization interactions so that others "
4147
"can easily add logic for other virtualization environments."
4150
#: serverguide/C/virtualization.xml:475(para)
4152
"Provide an easy to maintain web interface as an option to the command line "
4156
#: serverguide/C/virtualization.xml:481(para)
4157
msgid "But the general principles and commands remain the same."
4160
#: serverguide/C/virtualization.xml:488(title)
4161
msgid "Initial Setup"
4164
#: serverguide/C/virtualization.xml:490(para)
4166
"It is assumed that you have installed and configured "
4167
"<application>libvirt</application> and <application>KVM</application> "
4168
"locally on the machine you are using. For details on how to perform this, "
4172
#: serverguide/C/virtualization.xml:502(para)
4174
"The <ulink url=\"https://help.ubuntu.com/community/KVM\">KVM</ulink> Wiki "
4178
#: serverguide/C/virtualization.xml:508(para)
4180
"We also assume that you know how to use a text based text editor such as "
4181
"nano or vi. If you have not used any of them before, you can get an overview "
4182
"of the various text editors available by reading the <ulink "
4183
"url=\"https://help.ubuntu.com/community/PowerUsersTextEditors\">PowerUsersTex"
4184
"tEditors</ulink> page. This tutorial has been done on KVM, but the general "
4185
"principle should remain on other virtualization technologies."
4188
#: serverguide/C/virtualization.xml:516(title)
4189
msgid "Install vmbuilder"
4192
#: serverguide/C/virtualization.xml:518(para)
4194
"The name of the package that we need to install is <application>python-vm-"
4195
"builder</application>. In a terminal prompt enter:"
4198
#: serverguide/C/virtualization.xml:523(command)
4199
msgid "sudo apt-get install python-vm-builder"
4202
#: serverguide/C/virtualization.xml:527(para)
4204
"If you are running Hardy, you can still perform most of this using the older "
4205
"version of the package named <application>ubuntu-vm-builder</application>, "
4206
"there are only a few changes to the syntax of the tool."
4209
#: serverguide/C/virtualization.xml:536(title)
4210
msgid "Defining Your Virtual Machine"
4213
#: serverguide/C/virtualization.xml:538(para)
4215
"Defining a virtual machine with Ubuntu's vmbuilder is quite simple, but here "
4216
"are a few thing to consider:"
4219
#: serverguide/C/virtualization.xml:544(para)
4221
"If you plan on shipping a virtual appliance, do not assume that the end-user "
4222
"will know how to extend disk size to fit their need, so either plan for a "
4223
"large virtual disk to allow for your appliance to grow, or explain fairly "
4224
"well in your documentation how to allocate more space. It might actually be "
4225
"a good idea to store data on some separate external storage."
4228
#: serverguide/C/virtualization.xml:551(para)
4230
"Given that RAM is much easier to allocate in a VM, RAM size should be set to "
4231
"whatever you think is a safe minimum for your appliance."
4234
#: serverguide/C/virtualization.xml:557(para)
4236
"The <application>vmbuilder</application> command has 2 main parameters: the "
4237
"<emphasis>virtualization technology (hypervisor)</emphasis> and the targeted "
4238
"<emphasis>distribution</emphasis>. Optional parameters are quite numerous "
4239
"and can be found using the following command:"
4242
#: serverguide/C/virtualization.xml:563(command)
4243
msgid "vmbuilder --help"
4246
#: serverguide/C/virtualization.xml:567(title)
4247
msgid "Base Parameters"
4250
#: serverguide/C/virtualization.xml:569(para)
4252
"As this example is based on <application>KVM</application> and Ubuntu 9.10 "
4253
"(Karmic Koala), and we are likely to rebuild the same virtual machine "
4254
"multiple time, we'll invoke vmbuilder with the following first parameters:"
4257
#: serverguide/C/virtualization.xml:575(command)
4259
"sudo vmbuilder kvm ubuntu --suite karmic --flavour virtual --arch i386 -o --"
4260
"libvirt qemu:///system"
4263
#: serverguide/C/virtualization.xml:578(para)
4265
"The <emphasis>--suite</emphasis> defines the Ubuntu release, the <emphasis>--"
4266
"flavour</emphasis> specifies that we want to use the virtual kernel (that's "
4267
"the one used to build a JeOS image), the <emphasis>--arch</emphasis> tells "
4268
"that we want to use a 32 bit machine, the <emphasis>-o</emphasis> tells "
4269
"vmbuilder to overwrite the previous version of the VM and the <emphasis>--"
4270
"libvirt</emphasis> tells to inform the local virtualization environment to "
4271
"add the resulting VM to the list of available machines."
4274
#: serverguide/C/virtualization.xml:586(para)
4278
#: serverguide/C/virtualization.xml:592(para)
4280
"Because of the nature of operations performed by vmbuilder, it needs to have "
4281
"root privilege, hence the use of sudo."
4284
#: serverguide/C/virtualization.xml:597(para)
4286
"If your virtual machine needs to use more than 3Gb of ram, you should build "
4287
"a 64 bit machine (--arch amd64)."
4290
#: serverguide/C/virtualization.xml:602(para)
4292
"Until Ubuntu 8.10, the virtual kernel was only built for 32 bit "
4293
"architecture, so if you want to define an amd64 machine on Hardy, you should "
4294
"use <emphasis>--flavour</emphasis> server instead."
4297
#: serverguide/C/virtualization.xml:610(title)
4298
msgid "JeOS Installation Parameters"
4301
#: serverguide/C/virtualization.xml:613(title)
4302
msgid "JeOS Networking"
4305
#: serverguide/C/virtualization.xml:616(title)
4306
msgid "Assigning a fixed IP address"
4309
#: serverguide/C/virtualization.xml:618(para)
4311
"As a virtual appliance that may be deployed on various very different "
4312
"networks, it is very difficult to know what the actual network will look "
4313
"like. In order to simplify configuration, it is a good idea to take an "
4314
"approach similar to what network hardware vendors usually do, namely "
4315
"assigning an initial fixed IP address to the appliance in a private class "
4316
"network that you will provide in your documentation. An address in the range "
4317
"192.168.0.0/255 is usually a good choice."
4320
#: serverguide/C/virtualization.xml:625(para)
4321
msgid "To do this we'll use the following parameters:"
4324
#: serverguide/C/virtualization.xml:631(para)
4326
"<emphasis>--ip ADDRESS</emphasis>: IP address in dotted form (defaults to "
4327
"dhcp if not specified)"
4330
#: serverguide/C/virtualization.xml:636(para)
4332
"<emphasis>--mask VALUE</emphasis>: IP mask in dotted form (default: "
4336
#: serverguide/C/virtualization.xml:641(para)
4337
msgid "<emphasis>--net VALUE</emphasis>: IP net address (default: X.X.X.0)"
4340
#: serverguide/C/virtualization.xml:646(para)
4341
msgid "<emphasis>--bcast VALUE</emphasis>: IP broadcast (default: X.X.X.255)"
4344
#: serverguide/C/virtualization.xml:651(para)
4345
msgid "<emphasis>--gw ADDRESS</emphasis>: Gateway address (default: X.X.X.1)"
4348
#: serverguide/C/virtualization.xml:656(para)
4350
"<emphasis>--dns ADDRESS</emphasis>: Name server address (default: X.X.X.1)"
4353
#: serverguide/C/virtualization.xml:662(para)
4355
"We assume for now that default values are good enough, so the resulting "
4356
"invocation becomes:"
4359
#: serverguide/C/virtualization.xml:667(command)
4361
"sudo vmbuilder kvm ubuntu --suite karmic --flavour virtual --arch i386 -o --"
4362
"libvirt qemu:///system --ip 192.168.0.100"
4365
#: serverguide/C/virtualization.xml:672(title)
4366
msgid "Modifying the libvirt Template to use Bridging"
4369
#: serverguide/C/virtualization.xml:674(para)
4371
"Because our appliance will be likely to need to be accessed by remote hosts, "
4372
"we need to configure libvirt so that the appliance uses bridge networking. "
4373
"To do this we use vmbuilder template mechanism to modify the default one."
4376
#: serverguide/C/virtualization.xml:679(para)
4378
"In our working directory we create the template hierarchy and copy the "
4382
#: serverguide/C/virtualization.xml:684(command)
4383
msgid "mkdir -p VMBuilder/plugins/libvirt/templates"
4386
#: serverguide/C/virtualization.xml:685(command)
4387
msgid "cp /etc/vmbuilder/libvirt/* VMBuilder/plugins/libvirt/templates/"
4390
#: serverguide/C/virtualization.xml:688(para)
4393
"<filename>VMBuilder/plugins/libvirt/templates/libvirtxml.tmpl</filename> to "
4397
#: serverguide/C/virtualization.xml:692(programlisting)
4401
" <interface type='network'>\n"
4402
" <source network='default'/>\n"
4403
" </interface>\n"
4406
#: serverguide/C/virtualization.xml:698(para)
4410
#: serverguide/C/virtualization.xml:702(programlisting)
4414
" <interface type='bridge'>\n"
4415
" <source bridge='br0'/>\n"
4416
" </interface>\n"
4419
#: serverguide/C/virtualization.xml:712(title) serverguide/C/installation.xml:407(title)
4420
msgid "Partitioning"
4423
#: serverguide/C/virtualization.xml:714(para)
4425
"Partitioning of the virtual appliance will have to take into consideration "
4426
"what you are planning to do with is. Because most appliances want to have a "
4427
"separate storage for data, having a separate <filename>/var</filename> would "
4431
#: serverguide/C/virtualization.xml:719(para)
4433
"In order to do this vmbuilder provides us with <emphasis>--part</emphasis>:"
4436
#: serverguide/C/virtualization.xml:723(programlisting)
4441
" Allows to specify a partition table in partfile each line of partfile "
4444
" mountpoint size\n"
4445
" where size is in megabytes. You can have up to 4 virtual disks, a new "
4446
"disk starts on a\n"
4447
" line with ’---’. ie :\n"
4456
#: serverguide/C/virtualization.xml:738(para)
4458
"In our case we will define a text file name "
4459
"<filename>vmbuilder.partition</filename> which will contain the following:"
4462
#: serverguide/C/virtualization.xml:742(programlisting)
4472
#: serverguide/C/virtualization.xml:750(para)
4474
"Note that as we are using virtual disk images, the actual sizes that we put "
4475
"here are maximum sizes for these volumes."
4478
#: serverguide/C/virtualization.xml:755(para)
4479
msgid "Our command line now looks like:"
4482
#: serverguide/C/virtualization.xml:760(command)
4484
"sudo vmbuilder kvm ubuntu --suite karmic --flavour virtual --arch i386 \\ -o "
4485
"--libvirt qemu:///system --ip 192.168.0.100 --part vmbuilder.partition"
4488
#: serverguide/C/virtualization.xml:765(para)
4490
"Using a \"\\\" in a command will allow long command strings to wrap to the "
4494
#: serverguide/C/virtualization.xml:772(title)
4495
msgid "User and Password"
4498
#: serverguide/C/virtualization.xml:774(para)
4500
"Again setting up a virtual appliance, you will need to provide a default "
4501
"user and password that is generic so that you can include it in your "
4502
"documentation. We will see later on in this tutorial how we will provide "
4503
"some security by defining a script that will be run the first time a user "
4504
"actually logs in the appliance, that will, among other things, ask him to "
4505
"change his password. In this example I will use <emphasis>'user'</emphasis> "
4506
"as my user name, and <emphasis>'default'</emphasis> as the password."
4509
#: serverguide/C/virtualization.xml:782(para)
4510
msgid "To do this we use the following optional parameters:"
4513
#: serverguide/C/virtualization.xml:788(para)
4515
"<emphasis>--user USERNAME:</emphasis> Sets the name of the user to be added. "
4519
#: serverguide/C/virtualization.xml:793(para)
4521
"<emphasis>--name FULLNAME:</emphasis> Sets the full name of the user to be "
4522
"added. Default: Ubuntu."
4525
#: serverguide/C/virtualization.xml:798(para)
4527
"<emphasis>--pass PASSWORD:</emphasis> Sets the password for the user. "
4531
#: serverguide/C/virtualization.xml:804(para)
4532
msgid "Our resulting command line becomes:"
4535
#: serverguide/C/virtualization.xml:809(command)
4537
"sudo vmbuilder kvm ubuntu --suite intrepid --flavour virtual --arch i386 \\ -"
4538
"o --libvirt qemu:///system --ip 192.168.0.100 --part vmbuilder.partition \\ -"
4539
"-user user --name user --pass default"
4542
#: serverguide/C/virtualization.xml:817(title)
4543
msgid "Installing Required Packages"
4546
#: serverguide/C/virtualization.xml:819(para)
4548
"In this example we will be installing a package "
4549
"<application>(Limesurvey)</application> that accesses a "
4550
"<application>MySQL</application> database and has a web interface. We will "
4551
"therefore require our OS to provide us with:"
4554
#: serverguide/C/virtualization.xml:826(para)
4558
#: serverguide/C/virtualization.xml:827(para)
4562
#: serverguide/C/virtualization.xml:828(para) serverguide/C/databases.xml:19(trademark) serverguide/C/databases.xml:31(title)
4566
#: serverguide/C/virtualization.xml:829(para) serverguide/C/remote-administration.xml:20(title)
4567
msgid "OpenSSH Server"
4570
#: serverguide/C/virtualization.xml:830(para)
4571
msgid "Limesurvey (as an example application that we have packaged)"
4574
#: serverguide/C/virtualization.xml:833(para)
4576
"This is done using vmbuilder by specifying the --addpkg command multiple "
4580
#: serverguide/C/virtualization.xml:837(programlisting)
4585
" Install PKG into the guest (can be specfied multiple times)\n"
4588
#: serverguide/C/virtualization.xml:842(para)
4590
"However, due to the way vmbuilder operates, packages that have to ask "
4591
"questions to the user during the post install phase are not supported and "
4592
"should instead be installed while interactivity can occur. This is the case "
4593
"of Limesurvey, which we will have to install later, once the user logs in."
4596
#: serverguide/C/virtualization.xml:848(para)
4598
"Other packages that ask simple debconf question, such as <application>mysql-"
4599
"server</application> asking to set a password, the package can be installed "
4600
"immediately, but we will have to reconfigure it the first time the user logs "
4604
#: serverguide/C/virtualization.xml:854(para)
4606
"If some packages that we need to install are not in main, we need to enable "
4607
"the additional repositories using --comp and --ppa:"
4610
#: serverguide/C/virtualization.xml:858(programlisting)
4614
"--components COMP1,COMP2,...,COMPN\n"
4615
" A comma separated list of distro components to include (e.g. "
4616
"main,universe). This defaults\n"
4618
"--ppa=PPA Add ppa belonging to PPA to the vm's sources.list.\n"
4621
#: serverguide/C/virtualization.xml:865(para)
4623
"Limesurvey not being part of the archive at the moment, we'll specify it's "
4624
"PPA (personal package archive) address so that it is added to the VM "
4625
"<filename>/etc/apt/source.list</filename>, so we add the following options "
4626
"to the command line:"
4629
#: serverguide/C/virtualization.xml:871(command)
4631
"--addpkg apache2 --addpkg apache2-mpm-prefork --addpkg apache2-utils --"
4632
"addpkg apache2.2-common \\ --addpkg dbconfig-common --addpkg libapache2-mod-"
4633
"php5 --addpkg mysql-client --addpkg php5-cli \\ --addpkg php5-gd --addpkg "
4634
"php5-ldap --addpkg php5-mysql --addpkg wwwconfig-common \\ --addpkg mysql-"
4635
"server --ppa nijaba"
4638
#: serverguide/C/virtualization.xml:878(title)
4642
#: serverguide/C/virtualization.xml:880(para)
4644
"Another convenient tool that we want to have on our appliance is OpenSSH, as "
4645
"it will allow our admins to access the appliance remotely. However, pushing "
4646
"in the wild an appliance with a pre-installed OpenSSH server is a big "
4647
"security risk as all these server will share the same secret key, making it "
4648
"very easy for hackers to target our appliance with all the tools they need "
4649
"to crack it open in a breeze. As for the user password, we will instead rely "
4650
"on a script that will install OpenSSH the first time a user logs in so that "
4651
"the key generated will be different for each appliance. For this we'll use a "
4652
"<emphasis>--firstboot</emphasis> script, as it does not need any user "
4656
#: serverguide/C/virtualization.xml:892(title)
4657
msgid "Speed Considerations"
4660
#: serverguide/C/virtualization.xml:895(title)
4661
msgid "Package Caching"
4664
#: serverguide/C/virtualization.xml:897(para)
4666
"When vmbuilder creates builds your system, it has to go fetch each one of "
4667
"the packages that composes it over the network to one of the official "
4668
"repositories, which, depending on your internet connection speed and the "
4669
"load of the mirror, can have a big impact on the actual build time. In order "
4670
"to reduce this, it is recommended to either have a local repository (which "
4671
"can be created using <application>apt-mirror</application>) or using a "
4672
"caching proxy such as <application>apt-cache</application>. The later option "
4673
"being much simpler to implement and requiring less disk space, it is the one "
4674
"we will pick in this tutorial. To install it, simply type:"
4677
#: serverguide/C/virtualization.xml:907(command)
4678
msgid "sudo apt-get install apt-proxy"
4681
#: serverguide/C/virtualization.xml:910(para)
4683
"Once this is complete, your (empty) proxy is ready for use on "
4684
"http://mirroraddress:9999 and will find ubuntu repository under /ubuntu. For "
4685
"vmbuilder to use it, we'll have to use the <emphasis>--mirror</emphasis> "
4689
#: serverguide/C/virtualization.xml:915(programlisting)
4693
"--mirror=URL Use Ubuntu mirror at URL instead of the default, which\n"
4694
" is http://archive.ubuntu.com/ubuntu for official\n"
4695
" arches and http://ports.ubuntu.com/ubuntu-ports\n"
4699
#: serverguide/C/virtualization.xml:922(para)
4700
msgid "So we add to the command line:"
4703
#: serverguide/C/virtualization.xml:927(command)
4704
msgid "--mirror http://mirroraddress:9999/ubuntu"
4707
#: serverguide/C/virtualization.xml:931(para)
4709
"The mirror address specified here will also be used in the "
4710
"<filename>/etc/apt/source.list</filename> of the newly created guest, so it "
4711
"is usefull to specify here an address that can be resolved by the guest or "
4712
"to plan on reseting this address later on, such as in a <emphasis>--"
4713
"firstboot</emphasis> script."
4716
#: serverguide/C/virtualization.xml:940(title)
4717
msgid "Install a Local Mirror"
4720
#: serverguide/C/virtualization.xml:942(para)
4722
"If we are in a larger environment, it may make sense to setup a local mirror "
4723
"of the Ubuntu repositories. The package apt-mirror provides you with a "
4724
"script that will handle the mirroring for you. You should plan on having "
4725
"about 20 gigabyte of free space per supported release and architecture."
4728
#: serverguide/C/virtualization.xml:948(para)
4730
"By default, <application>apt-mirror</application> uses the configuration "
4731
"file in <filename>/etc/apt/mirror.list</filename>. As it is set up, it will "
4732
"replicate only the architecture of the local machine. If you would like to "
4733
"support other architectures on your mirror, simply duplicate the lines "
4734
"starting with “deb”, replacing the deb keyword by /deb-{arch} where arch can "
4735
"be i386, amd64, etc... For example, on an amd64 machine, to have the i386 "
4736
"archives as well, you will have:"
4739
#: serverguide/C/virtualization.xml:955(programlisting)
4743
"deb http://archive.ubuntu.com/ubuntu karmic main restricted universe "
4745
"/deb-i386 http://archive.ubuntu.com/ubuntu karmic main restricted universe "
4748
"deb http://archive.ubuntu.com/ubuntu karmic-updates main restricted "
4749
"universe multiverse \n"
4750
"/deb-i386 http://archive.ubuntu.com/ubuntu karmic-updates main restricted "
4751
"universe multiverse \n"
4753
"deb http://archive.ubuntu.com/ubuntu/ karmic-backports main restricted "
4754
"universe multiverse \n"
4755
"/deb-i386 http://archive.ubuntu.com/ubuntu karmic-backports main restricted "
4756
"universe multiverse \n"
4758
"deb http://security.ubuntu.com/ubuntu karmic-security main restricted "
4759
"universe multiverse \n"
4760
"/deb-i386 http://security.ubuntu.com/ubuntu karmic-security main restricted "
4761
"universe multiverse \n"
4763
"deb http://archive.ubuntu.com/ubuntu karmic main/debian-installer "
4764
"restricted/debian-installer universe/debian-installer multiverse/debian-"
4766
"/deb-i386 http://archive.ubuntu.com/ubuntu karmic main/debian-installer "
4767
"restricted/debian-installer universe/debian-installer multiverse/debian-"
4771
#: serverguide/C/virtualization.xml:972(para)
4773
"Notice that the source packages are not mirrored as they are seldom used "
4774
"compared to the binaries and they do take a lot more space, but they can be "
4775
"easily added to the list."
4778
#: serverguide/C/virtualization.xml:977(para)
4780
"Once the mirror has finished replicating (and this can be quite long), you "
4781
"need to configure Apache so that your mirror files (in "
4782
"<filename>/var/spool/apt-mirror</filename> if you did not change the "
4783
"default), are published by your Apache server. For more information on "
4784
"Apache see <xref linkend=\"httpd\"/>."
4787
#: serverguide/C/virtualization.xml:986(title)
4788
msgid "Installing in a RAM Disk"
4791
#: serverguide/C/virtualization.xml:988(para)
4793
"As you can easily imagine, writing to RAM is a <emphasis>LOT</emphasis> "
4794
"faster than writing to disk. If you have some free memory, letting vmbuilder "
4795
"perform its operation in a RAMdisk will help a lot and the option <emphasis>-"
4796
"-tmpfs</emphasis> will help you do just that:"
4799
#: serverguide/C/virtualization.xml:994(programlisting)
4803
"--tmpfs OPTS Use a tmpfs as the working directory, specifying its\n"
4804
" size or \"-\" to use tmpfs default (suid,dev,size=1G).\n"
4807
#: serverguide/C/virtualization.xml:999(para)
4809
"So adding <command>--tmpfs -</command> sounds like a very good idea if you "
4810
"have 1G of free ram."
4813
#: serverguide/C/virtualization.xml:1006(title)
4814
msgid "Package the Application"
4817
#: serverguide/C/virtualization.xml:1008(para)
4818
msgid "Two option are available to us:"
4821
#: serverguide/C/virtualization.xml:1014(para)
4823
"The recommended method to do so is to make a <emphasis>Debian</emphasis> "
4824
"package. Since this is outside of the scope of this tutorial, we will not "
4825
"perform this here and invite the reader to read the documentation on how to "
4826
"do this in the <ulink url=\"https://wiki.ubuntu.com/PackagingGuide\">Ubuntu "
4827
"Packaging Guide</ulink>. In this case it is also a good idea to setup a "
4828
"repository for your package so that updates can be conveniently pulled from "
4829
"it. See the <ulink url=\"http://www.debian-"
4830
"administration.org/articles/286\">Debian Administration</ulink> article for "
4831
"a tutorial on this."
4834
#: serverguide/C/virtualization.xml:1023(para)
4836
"Manually install the application under <filename>/opt</filename> as "
4837
"recommended by the <ulink url=\"http://www.pathname.com/fhs/\">FHS "
4838
"guidelines</ulink>."
4841
#: serverguide/C/virtualization.xml:1030(para)
4843
"In our case we'll use <application>Limesurvey</application> as example web "
4844
"application for which we wish to provide a virtual appliance. As noted "
4845
"before, we've made a version of the package available in a PPA (Personal "
4849
#: serverguide/C/virtualization.xml:1037(title)
4850
msgid "Finishing Install"
4853
#: serverguide/C/virtualization.xml:1040(title)
4857
#: serverguide/C/virtualization.xml:1042(para)
4859
"As we mentioned earlier, the first time the machine boots we'll need to "
4860
"install <application>openssh-server</application> so that the key generated "
4861
"for it is unique for each machine. To do this, we'll write a script called "
4862
"<filename>boot.sh</filename> as follows:"
4865
#: serverguide/C/virtualization.xml:1048(programlisting)
4869
"# This script will run the first time the virtual machine boots\n"
4870
"# It is ran as root.\n"
4873
"apt-get install -qqy --force-yes openssh-server\n"
4876
#: serverguide/C/virtualization.xml:1056(para)
4878
"And we add the <command>--firstboot boot.sh</command> option to our command "
4882
#: serverguide/C/virtualization.xml:1062(title)
4886
#: serverguide/C/virtualization.xml:1064(para)
4888
"Mysql and Limesurvey needing some user interaction during their setup, we'll "
4889
"set them up the first time a user logs in using a script named login.sh. "
4890
"We'll also use this script to let the user specify:"
4893
#: serverguide/C/virtualization.xml:1070(para)
4894
msgid "His own password"
4897
#: serverguide/C/virtualization.xml:1071(para)
4898
msgid "Define the keyboard and other locale info he wants to use"
4901
#: serverguide/C/virtualization.xml:1074(para)
4902
msgid "So we'll define <filename>login.sh</filename> as follows:"
4905
#: serverguide/C/virtualization.xml:1078(programlisting)
4909
"# This script is ran the first time a user logs in\n"
4911
"echo \"Your appliance is about to be finished to be set up.\"\n"
4912
"echo \"In order to do it, we'll need to ask you a few questions,\"\n"
4913
"echo \"starting by changing your user password.\"\n"
4917
"#give the opportunity to change the keyboard\n"
4918
"sudo dpkg-reconfigure console-setup\n"
4920
"#configure the mysql server root password\n"
4921
"sudo dpkg-reconfigure mysql-server-5.0\n"
4923
"#install limesurvey\n"
4924
"sudo apt-get install -qqy --force-yes limesurvey\n"
4926
"echo \"Your appliance is now configured. To use it point your\"\n"
4927
"echo \"browser to http://serverip/limesurvey/admin\"\n"
4930
#: serverguide/C/virtualization.xml:1100(para)
4932
"And we add the <command>--firstlogin login.sh</command> option to our "
4936
#: serverguide/C/virtualization.xml:1107(title)
4937
msgid "Useful Additions"
4940
#: serverguide/C/virtualization.xml:1110(title)
4941
msgid "Configuring Automatic Updates"
4944
#: serverguide/C/virtualization.xml:1112(para)
4946
"To have your system be configured to update itself on a regular basis, we "
4947
"will just install <application>unattended-upgrades</application>, so we add "
4948
"the following option to our command line:"
4951
#: serverguide/C/virtualization.xml:1118(command)
4952
msgid "--addpkg unattended-upgrades"
4955
#: serverguide/C/virtualization.xml:1121(para)
4957
"As we have put our application package in a PPA, the process will update not "
4958
"only the system, but also the application each time we update the version in "
4962
#: serverguide/C/virtualization.xml:1128(title)
4963
msgid "ACPI Event Handling"
4966
#: serverguide/C/virtualization.xml:1130(para)
4968
"For your virtual machine to be able to handle restart and shutdown events it "
4969
"is being sent, it is a good idea to install the acpid package as well. To do "
4970
"this we just add the following option:"
4973
#: serverguide/C/virtualization.xml:1136(command)
4974
msgid "--addpkg acpid"
4977
#: serverguide/C/virtualization.xml:1142(title)
4978
msgid "Final Command"
4981
#: serverguide/C/virtualization.xml:1144(para)
4982
msgid "Here is the command with all the options discussed above:"
4985
#: serverguide/C/virtualization.xml:1149(command)
4987
"sudo vmbuilder kvm ubuntu --suite intrepid --flavour virtual --arch i386 -o "
4988
"\\ --libvirt qemu:///system --ip 192.168.0.100 --part vmbuilder.partition --"
4989
"user user \\ --name user --pass default --addpkg apache2 --addpkg apache2-"
4990
"mpm-prefork \\ --addpkg apache2-utils --addpkg apache2.2-common --addpkg "
4991
"dbconfig-common \\ --addpkg libapache2-mod-php5 --addpkg mysql-client --"
4992
"addpkg php5-cli \\ --addpkg php5-gd --addpkg php5-ldap --addpkg php5-mysql --"
4993
"addpkg wwwconfig-common \\ --addpkg mysql-server --addpkg unattended-"
4994
"upgrades --addpkg acpid --ppa nijaba \\ --mirror "
4995
"http://mirroraddress:9999/ubuntu --tmpfs - --firstboot boot.sh \\ --"
4996
"firstlogin login.sh es"
4999
#: serverguide/C/virtualization.xml:1164(para)
5001
"If you are interested in learning more, have questions or suggestions, "
5002
"please contact the Ubuntu Server Team at:"
5005
#: serverguide/C/virtualization.xml:1169(para)
5006
msgid "IRC: #ubuntu-server on freenode"
5009
#: serverguide/C/virtualization.xml:1174(para)
5011
"Mailing list: <ulink url=\"https://lists.ubuntu.com/mailman/listinfo/ubuntu-"
5012
"server\">ubuntu-server at lists.ubuntu.com</ulink>"
5015
#: serverguide/C/virtualization.xml:1182(title)
5019
#: serverguide/C/virtualization.xml:1185(title) serverguide/C/network-auth.xml:1683(title) serverguide/C/monitoring.xml:15(title) serverguide/C/lamp-applications.xml:17(title) serverguide/C/installation.xml:879(title) serverguide/C/dns.xml:64(title) serverguide/C/chat.xml:17(title) serverguide/C/backups.xml:541(title)
5023
#: serverguide/C/virtualization.xml:1187(para)
5025
"<emphasis>Eucalyptus</emphasis> is an open-source software infrastructure "
5026
"for implementing \"cloud computing\" on your own clusters. "
5027
"<emphasis>Eucalyptus</emphasis> allows you to create your own cloud "
5028
"computing environment in order to maximize computing resources and provide a "
5029
"cloud computing environment to your users."
5032
#: serverguide/C/virtualization.xml:1193(para)
5034
"This section will cover setting up a Cloud Computing environment using "
5035
"<application>Eucalyptus</application> with <application>KVM</application>. "
5036
"For more information on KVM see <xref linkend=\"libvirt\"/>."
5039
#: serverguide/C/virtualization.xml:1198(para)
5041
"The Cloud Computing environment will consist of three components, typically "
5042
"installed on at least two separate machines (termed the 'front-end' and "
5043
"'node(s)' for the rest of this document):"
5046
#: serverguide/C/virtualization.xml:1205(para)
5048
"<emphasis>One Front-End:</emphasis> hosts one Cloud Controller, a Java based "
5049
"Web configuration interface, and a Cluster Controller, which determines "
5050
"where virtual machines (VMs) will be housed and manages cluster level VM "
5054
#: serverguide/C/virtualization.xml:1211(para)
5056
"<emphasis>One or more Compute Nodes:</emphasis> runs the Node Controller "
5057
"component of Eucalyptus, which allows the machine to be part of the cloud as "
5061
#: serverguide/C/virtualization.xml:1218(para)
5063
"The simple <emphasis>System</emphasis> networking option will be used by "
5064
"default. This network method allows virtual machine instances, to obtain IP "
5065
"addresses from the local LAN, assuming that a DHCP server is properly "
5066
"configured on the LAN to hand out IPs dynamically to VMs that request them. "
5067
"Each node will be configured for bridge networking. For more details see "
5068
"<xref linkend=\"bridging\"/>."
5071
#: serverguide/C/virtualization.xml:1228(para)
5073
"First, on the <emphasis>Front-End</emphasis> install the appropriate "
5074
"packages. In a terminal prompt on the Front-End enter:"
5077
#: serverguide/C/virtualization.xml:1233(command)
5078
msgid "sudo apt-get install eucalyptus-cloud eucalyptus-cc"
5081
#: serverguide/C/virtualization.xml:1236(para)
5083
"Next, on the each <emphasis>Compute Node</emphasis> install the node "
5084
"controller package. In a terminal prompt on each Compute Node enter:"
5087
#: serverguide/C/virtualization.xml:1241(command)
5088
msgid "sudo apt-get install eucalyptus-nc"
5091
#: serverguide/C/virtualization.xml:1244(para)
5093
"Once the installation is complete, and it may take a while, in a browser go "
5094
"to <emphasis>https://front-end:8443</emphasis> and login to the "
5095
"administration interface using the default username and password of "
5096
"<emphasis>admin</emphasis>. You will then be prompted to change the "
5097
"password, configure an email address for the admin user, and set the storage "
5101
#: serverguide/C/virtualization.xml:1250(para)
5103
"In the web interface's <emphasis>\"Configuration\"</emphasis> tab, add a "
5104
"cluster under the <emphasis>\"Clusters\"</emphasis> heading (in this "
5105
"configuration, the cluster controller is on the same system as the cloud "
5106
"controller, so entering 'localhost' as the cluster hostname is correct). "
5107
"Once the form is filled out click the <emphasis>\"Add Cluster\"</emphasis> "
5111
#: serverguide/C/virtualization.xml:1256(para)
5113
"Now, back on the <emphasis>Front-End</emphasis>, add the nodes to the "
5117
#: serverguide/C/virtualization.xml:1261(command)
5118
msgid "sudo euca_conf -addnode hostname_of_node"
5121
#: serverguide/C/virtualization.xml:1264(para)
5123
"You will then be prompted to log into your Node, install the "
5124
"<application>eucalyptus-nc</application> package, and add the "
5125
"<emphasis>eucalyptus</emphasis> user's ssh key to the node's "
5126
"<filename>authorized_keys</filename> file, and confirm authenticity of the "
5127
"host's OpenSSH RSA key fingerprint. Finally, the command will complete by "
5128
"synchronizing the eucalyptus component keys and node registration is "
5132
#: serverguide/C/virtualization.xml:1270(para)
5134
"On the Node, the <filename>/etc/eucalyptus/eucalyptus.conf</filename> "
5135
"configuration file will need editing to use your node's bridge interface "
5136
"(assuming here that the interface is named <emphasis>'br0'</emphasis>):"
5139
#: serverguide/C/virtualization.xml:1275(programlisting)
5143
"VNET_INTERFACE=\"br0\"\n"
5145
"VNET_BRIDGE=\"br0\"\n"
5148
#: serverguide/C/virtualization.xml:1281(para)
5149
msgid "Finally, restart <application>eucalyptus-nc</application>:"
5152
#: serverguide/C/virtualization.xml:1286(command)
5153
msgid "sudo /etc/init.d/eucalyptus-nc restart"
5156
#: serverguide/C/virtualization.xml:1291(para)
5158
"Be sure to replace <emphasis>nodecontroller</emphasis>, "
5159
"<emphasis>node01</emphasis>, and <emphasis>node02</emphasis> with actual "
5163
#: serverguide/C/virtualization.xml:1297(para)
5165
"<application>Eucalyptus</application> is now ready to host images on the "
5169
#: serverguide/C/virtualization.xml:1307(para)
5171
"See the <ulink url=\"http://eucalyptus.cs.ucsb.edu/\">Eucalyptus "
5172
"website</ulink> for more information."
5175
#: serverguide/C/virtualization.xml:1312(para)
5177
"For information on loading instances see the <ulink "
5178
"url=\"https://help.ubuntu.com/community/Eucalyptus\">Eucalyptus Wiki</ulink> "
5182
#: serverguide/C/virtualization.xml:1317(para)
5184
"You can also find help in the <emphasis>#ubuntu-virt</emphasis>, "
5185
"<emphasis>#eucalyptus</emphasis>, and <emphasis>#ubuntu-server</emphasis> "
5186
"IRC channels on <ulink url=\"http://freenode.net\">Freenode</ulink>."
5189
#: serverguide/C/virtualization.xml:1327(title)
5193
#: serverguide/C/virtualization.xml:1329(para)
5195
"<application>OpenNebula</application> allows virtual machines to be placed "
5196
"and re-placed dynamically on a pool of physical resources. This allows a "
5197
"virtual machine to be hosted from any location available."
5200
#: serverguide/C/virtualization.xml:1334(para)
5202
"This section will detail configuring an OpenNebula cluster using three "
5203
"machines: one <emphasis>Front-End</emphasis> host, and two <emphasis>Compute "
5204
"Nodes</emphasis> used to run the virtual machines. The Compute Nodes will "
5205
"also need a bridge configured to allow the virtual machines access to the "
5206
"local network. For details see <xref linkend=\"bridging\"/>."
5209
#: serverguide/C/virtualization.xml:1343(para)
5210
msgid "First, from a terminal on the Front-End enter:"
5213
#: serverguide/C/virtualization.xml:1348(command)
5214
msgid "sudo apt-get install opennebula"
5217
#: serverguide/C/virtualization.xml:1351(para)
5218
msgid "On each Compute Node install:"
5221
#: serverguide/C/virtualization.xml:1356(command)
5222
msgid "sudo apt-get install opennebula-node"
5225
#: serverguide/C/virtualization.xml:1359(para)
5227
"In order to copy SSH keys, the <emphasis>oneadmin</emphasis> user will need "
5228
"to have a password. On each machine execute:"
5231
#: serverguide/C/virtualization.xml:1364(command)
5232
msgid "sudo passwd oneadmin"
5235
#: serverguide/C/virtualization.xml:1367(para)
5237
"Next, copy the <emphasis>oneadmin</emphasis> user's SSH key to the Compute "
5238
"Nodes, and to the Front-End's <filename>authorized_keys</filename> file:"
5241
#: serverguide/C/virtualization.xml:1372(command)
5243
"sudo scp /var/lib/one/.ssh/id_rsa.pub "
5244
"oneadmin@node01:/var/lib/one/.ssh/authorized_keys"
5247
#: serverguide/C/virtualization.xml:1373(command)
5249
"sudo scp /var/lib/one/.ssh/id_rsa.pub "
5250
"oneadmin@node02:/var/lib/one/.ssh/authorized_keys"
5253
#: serverguide/C/virtualization.xml:1374(command)
5255
"sudo sh -c \"cat /var/lib/one/.ssh/id_rsa.pub >> "
5256
"/var/lib/one/.ssh/authorized_keys\""
5259
#: serverguide/C/virtualization.xml:1377(para)
5261
"The SSH key for the Compute Nodes needs to be added to the "
5262
"<filename>/etc/ssh/ssh_known_hosts</filename> file on the Front-End host. To "
5263
"accomplish this <application>ssh</application> to each Compute Node as a "
5264
"user other than <emphasis>oneadmin</emphasis>. Then exit from the SSH "
5265
"session, and execute the following to copy the SSH key from "
5266
"<filename>~/.ssh/known_hosts</filename> to "
5267
"<filename>/etc/ssh/ssh_known_hosts</filename>:"
5270
#: serverguide/C/virtualization.xml:1384(command)
5272
"sudo sh -c \"ssh-keygen -f .ssh/known_hosts -F node01 1>> "
5273
"/etc/ssh/ssh_known_hosts\""
5276
#: serverguide/C/virtualization.xml:1385(command)
5278
"sudo sh -c \"ssh-keygen -f .ssh/known_hosts -F node02 1>> "
5279
"/etc/ssh/ssh_known_hosts\""
5282
#: serverguide/C/virtualization.xml:1389(para)
5284
"Replace <emphasis>node01</emphasis> and <emphasis>node02</emphasis> with the "
5285
"appropriate host names."
5288
#: serverguide/C/virtualization.xml:1394(para)
5290
"This allows the <emphasis>oneadmin</emphasis> to use "
5291
"<application>scp</application>, without a password or manual intervention, "
5292
"to deploy an image to the Compute Nodes."
5295
#: serverguide/C/virtualization.xml:1399(para)
5297
"On the Front-End create a directory to store the VM images, giving the "
5298
"<emphasis>oneadmin</emphasis> user access to the directory:"
5301
#: serverguide/C/virtualization.xml:1404(command)
5302
msgid "sudo mkdir /var/lib/one/images"
5305
#: serverguide/C/virtualization.xml:1405(command)
5306
msgid "sudo chown oneadmin /var/lib/one/images/"
5309
#: serverguide/C/virtualization.xml:1408(para)
5311
"Finally, copy a virtual machine disk file into "
5312
"<filename>/var/lib/one/images</filename>. You can create an Ubuntu virtual "
5313
"machine using <application>vmbuilder</application>, see <xref linkend=\"jeos-"
5314
"and-vmbuilder\"/> for details."
5317
#: serverguide/C/virtualization.xml:1417(para)
5319
"The <emphasis>OpenNebula Cluster</emphasis> is now ready to be configured, "
5320
"and virtual machines added to the cluster."
5323
#: serverguide/C/virtualization.xml:1421(para)
5324
msgid "From a terminal prompt enter:"
5327
#: serverguide/C/virtualization.xml:1426(command)
5328
msgid "onehost create node01 im_kvm vmm_kvm tm_ssh"
5331
#: serverguide/C/virtualization.xml:1427(command)
5332
msgid "onehost create node02 im_kvm vmm_kvm tm_ssh"
5335
#: serverguide/C/virtualization.xml:1430(para)
5337
"Next, create a <emphasis>Virtual Network</emphasis> template file named "
5338
"<filename>vnet01.template</filename>:"
5341
#: serverguide/C/virtualization.xml:1434(programlisting)
5348
"NETWORK_SIZE = C\n"
5349
"NETWORK_ADDRESS = 192.168.0.0\n"
5352
#: serverguide/C/virtualization.xml:1443(para)
5354
"Be sure to change <emphasis>192.168.0.0</emphasis> to your local network."
5357
#: serverguide/C/virtualization.xml:1448(para)
5359
"Using the <application>onevnet</application> utility, add the virtual "
5360
"network to OpenNebula:"
5363
#: serverguide/C/virtualization.xml:1453(command)
5364
msgid "onevnet create vnet01.template"
5367
#: serverguide/C/virtualization.xml:1456(para)
5369
"Now create a <emphasis>VM Template</emphasis> file named "
5370
"<filename>vm01.template</filename>:"
5373
#: serverguide/C/virtualization.xml:1460(programlisting)
5381
"OS = [ BOOT = hd ]\n"
5384
" source = \"/var/lib/one/images/vm01.qcow2\",\n"
5385
" target = \"hda\",\n"
5386
" readonly = \"no\" ]\n"
5388
"NIC = [ NETWORK=\"LAN\" ]\n"
5390
"GRAPHICS = [type=\"vnc\",listen=\"127.0.0.1\",port=\"-1\"]\n"
5393
#: serverguide/C/virtualization.xml:1477(para)
5394
msgid "Start the virtual machine using <application>onevm</application>:"
5397
#: serverguide/C/virtualization.xml:1482(command)
5398
msgid "onevm submit vm01.template"
5401
#: serverguide/C/virtualization.xml:1485(para)
5403
"Use the <application>onevm list</application> option to view information "
5404
"about virtual machines. Also, the <application>onevm show vm01</application> "
5405
"option will display more details about a specific virtual machine."
5408
#: serverguide/C/virtualization.xml:1496(para)
5411
"url=\"http://www.opennebula.org/doku.php?id=start\">OpenNebula website</ulink"
5412
"> for more information."
5415
#: serverguide/C/virtualization.xml:1501(para)
5417
"You can also find help in the <emphasis>#ubuntu-virt</emphasis> and "
5418
"<emphasis>#ubuntu-server</emphasis> IRC channels on <ulink "
5419
"url=\"http://freenode.net\">Freenode</ulink>."
5422
#: serverguide/C/vcs.xml:13(title)
5423
msgid "Version Control System"
5426
#: serverguide/C/vcs.xml:14(para)
5428
"Version control is the art of managing changes to information. It has long "
5429
"been a critical tool for programmers, who typically spend their time making "
5430
"small changes to software and then undoing those changes the next day. But "
5431
"the usefulness of version control software extends far beyond the bounds of "
5432
"the software development world. Anywhere you can find people using computers "
5433
"to manage information that changes often, there is room for version control."
5436
#: serverguide/C/vcs.xml:17(title)
5440
#: serverguide/C/vcs.xml:18(para)
5442
"Bazaar is a new version control system sponsored by Canonical, the "
5443
"commercial company behind Ubuntu. Unlike Subversion and CVS that only "
5444
"support a central repository model, Bazaar also supports "
5445
"<emphasis>distributed version control</emphasis>, giving people the ability "
5446
"to collaborate more efficiently. In particular, Bazaar is designed to "
5447
"maximize the level of community participation in open source projects."
5450
#: serverguide/C/vcs.xml:29(para)
5452
"At a terminal prompt, enter the following command to install "
5453
"<application>bzr</application>: <screen>\n"
5454
"<command>sudo apt-get install bzr</command>\n"
5458
#: serverguide/C/vcs.xml:40(para)
5460
"To introduce yourself to <application>bzr</application>, use the "
5461
"<emphasis>whoami</emphasis> command like this: <screen>\n"
5462
"<command>$ bzr whoami 'Joe Doe <joe.doe@gmail.com>'</command>\n"
5466
#: serverguide/C/vcs.xml:49(title)
5467
msgid "Learning Bazaar"
5470
#: serverguide/C/vcs.xml:50(para)
5472
"Bazaar comes with bundled documentation installed into "
5473
"<application>/usr/share/doc/bzr/html</application> by default. The tutorial "
5474
"is a good place to start. The <application>bzr</application> command also "
5475
"comes with built-in help: <screen>\n"
5476
"<command>$ bzr help</command>\n"
5480
#: serverguide/C/vcs.xml:60(para)
5482
"To learn more about the <emphasis>foo</emphasis> command: <screen>\n"
5483
"<command>$ bzr help foo</command>\n"
5487
#: serverguide/C/vcs.xml:68(title)
5488
msgid "Launchpad Integration"
5491
#: serverguide/C/vcs.xml:69(para)
5493
"While highly useful as a stand-alone system, Bazaar has good, optional "
5494
"integration with <ulink url=\"https://launchpad.net/\">Launchpad</ulink>, "
5495
"the collaborative development system used by Canonical and the broader open "
5496
"source community to manage and extend Ubuntu itself. For information on how "
5497
"Bazaar can be used with Launchpad to collaborate on open source projects, "
5498
"see <ulink url=\"http://bazaar-vcs.org/LaunchpadIntegration/\"> "
5499
"http://bazaar-vcs.org/LaunchpadIntegration</ulink>."
5502
#: serverguide/C/vcs.xml:81(title)
5506
#: serverguide/C/vcs.xml:82(para)
5508
"Subversion is an open source version control system. Using Subversion, you "
5509
"can record the history of source files and documents. It manages files and "
5510
"directories over time. A tree of files is placed into a central repository. "
5511
"The repository is much like an ordinary file server, except that it "
5512
"remembers every change ever made to files and directories."
5515
#: serverguide/C/vcs.xml:87(para)
5517
"To access Subversion repository using the HTTP protocol, you must install "
5518
"and configure a web server. Apache2 is proven to work with Subversion. "
5519
"Please refer to the HTTP subsection in the Apache2 section to install and "
5520
"configure Apache2. To access the Subversion repository using the HTTPS "
5521
"protocol, you must install and configure a digital certificate in your "
5522
"Apache 2 web server. Please refer to the HTTPS subsection in the Apache2 "
5523
"section to install and configure the digital certificate."
5526
#: serverguide/C/vcs.xml:96(para)
5528
"To install Subversion, run the following command from a terminal prompt:"
5531
#: serverguide/C/vcs.xml:101(command)
5532
msgid "sudo apt-get install subversion libapache2-svn"
5535
#: serverguide/C/vcs.xml:108(para)
5537
"This step assumes you have installed above mentioned packages on your "
5538
"system. This section explains how to create a Subversion repository and "
5539
"access the project."
5542
#: serverguide/C/vcs.xml:111(title)
5543
msgid "Create Subversion Repository"
5546
#: serverguide/C/vcs.xml:112(para)
5548
"The Subversion repository can be created using the following command from a "
5552
#: serverguide/C/vcs.xml:116(command)
5553
msgid "svnadmin create /path/to/repos/project"
5556
#: serverguide/C/vcs.xml:121(title)
5557
msgid "Importing Files"
5560
#: serverguide/C/vcs.xml:122(para)
5562
"Once you create the repository you can <emphasis>import</emphasis> files "
5563
"into the repository. To import a directory, enter the following from a "
5564
"terminal prompt: <screen>\n"
5565
"<command>svn import /path/to/import/directory "
5566
"file:///path/to/repos/project</command>\n"
5570
#: serverguide/C/vcs.xml:134(title) serverguide/C/vcs.xml:139(title)
5571
msgid "Access Methods"
5574
#: serverguide/C/vcs.xml:135(para)
5576
"Subversion repositories can be accessed (checked out) through many different "
5577
"methods --on local disk, or through various network protocols. A repository "
5578
"location, however, is always a URL. The table describes how different URL "
5579
"schemes map to the available access methods."
5582
#: serverguide/C/vcs.xml:146(para)
5586
#: serverguide/C/vcs.xml:147(para)
5587
msgid "Access Method"
5590
#: serverguide/C/vcs.xml:152(para)
5594
#: serverguide/C/vcs.xml:153(para)
5595
msgid "direct repository access (on local disk)"
5598
#: serverguide/C/vcs.xml:156(para)
5602
#: serverguide/C/vcs.xml:157(para)
5603
msgid "Access via WebDAV protocol to Subversion-aware Apache2 web server"
5606
#: serverguide/C/vcs.xml:160(para)
5610
#: serverguide/C/vcs.xml:161(para)
5611
msgid "Same as http://, but with SSL encryption"
5614
#: serverguide/C/vcs.xml:164(para)
5618
#: serverguide/C/vcs.xml:165(para)
5619
msgid "Access via custom protocol to an svnserve server"
5622
#: serverguide/C/vcs.xml:168(para)
5626
#: serverguide/C/vcs.xml:169(para)
5627
msgid "Same as svn://, but through an SSH tunnel"
5630
#: serverguide/C/vcs.xml:175(para)
5632
"In this section, we will see how to configure Subversion for all these "
5633
"access methods. Here, we cover the basics. For more advanced usage details, "
5634
"refer to the <ulink url=\"http://svnbook.red-bean.com/\">svn book</ulink>."
5637
#: serverguide/C/vcs.xml:182(title)
5638
msgid "Direct repository access (file://)"
5641
#: serverguide/C/vcs.xml:183(para)
5643
"This is the simplest of all access methods. It does not require any "
5644
"Subversion server process to be running. This access method is used to "
5645
"access Subversion from the same machine. The syntax of the command, entered "
5646
"at a terminal prompt, is as follows:"
5649
#: serverguide/C/vcs.xml:190(command)
5650
msgid "svn co file:///path/to/repos/project"
5653
#: serverguide/C/vcs.xml:193(para)
5657
#: serverguide/C/vcs.xml:196(command)
5658
msgid "svn co file://localhost/path/to/repos/project"
5661
#: serverguide/C/vcs.xml:200(para)
5663
"If you do not specify the hostname, there are three forward slashes (///) -- "
5664
"two for the protocol (file, in this case) plus the leading slash in the "
5665
"path. If you specify the hostname, you must use two forward slashes (//)."
5668
#: serverguide/C/vcs.xml:202(para)
5670
"The repository permissions depend on filesystem permissions. If the user has "
5671
"read/write permission, he can checkout from and commit to the repository."
5674
#: serverguide/C/vcs.xml:205(title)
5675
msgid "Access via WebDAV protocol (http://)"
5678
#: serverguide/C/vcs.xml:206(para)
5680
"To access the Subversion repository via WebDAV protocol, you must configure "
5681
"your Apache 2 web server. You must add the following snippet in your "
5682
"<filename>/etc/apache2/apache2.conf</filename> file:"
5685
#: serverguide/C/vcs.xml:208(programlisting)
5689
" <Location /svn>\n"
5691
" SVNParentPath /home/svn\n"
5693
" AuthName \"Your repository name\"\n"
5694
" AuthUserFile /etc/subversion/passwd\n"
5695
" Require valid-user\n"
5696
" </Location> \n"
5699
#: serverguide/C/vcs.xml:219(para)
5701
"The above configuration snippet assumes that Subversion repositories are "
5702
"created under <filename>/home/svn/</filename> directory using "
5703
"<command>svnadmin</command> command. They can be accessible using "
5704
"<command>htpp://hostname/svn/repos_name</command> url."
5707
#: serverguide/C/vcs.xml:225(para)
5709
"To import or commit files to your Subversion repository over HTTP, the "
5710
"repository should be owned by the HTTP user. In Ubuntu systems, normally the "
5711
"HTTP user is <command>www-data</command>. To change the ownership of the "
5712
"repository files enter the following command from terminal prompt:"
5715
#: serverguide/C/vcs.xml:234(command)
5716
msgid "sudo chown -R www-data:www-data /path/to/repos"
5719
#: serverguide/C/vcs.xml:237(para)
5721
"By changing the ownership of repository as <command>www-data</command> you "
5722
"will not be able to import or commit files into the repository by running "
5723
"<command>svn import file:///</command> command as any user other than "
5724
"<command>www-data</command>."
5727
#: serverguide/C/vcs.xml:246(para)
5729
"Next, you must create the <filename>/etc/subversion/passwd</filename> file "
5730
"that will contain user authentication details. To create a file issue the "
5731
"following command at a command prompt (which will create the file and add "
5735
#: serverguide/C/vcs.xml:252(command)
5736
msgid "sudo htpasswd -c /etc/subversion/passwd user_name"
5739
#: serverguide/C/vcs.xml:255(para)
5741
"To add additional users omit the <emphasis>\"-c\"</emphasis> option as this "
5742
"option replaces the old file. Instead use this form:"
5745
#: serverguide/C/vcs.xml:260(command)
5746
msgid "sudo htpasswd /etc/subversion/password user_name"
5749
#: serverguide/C/vcs.xml:264(para)
5751
"This command will prompt you to enter the password. Once you enter the "
5752
"password, the user is added. Now, to access the repository you can run the "
5753
"following command:"
5756
#: serverguide/C/vcs.xml:265(command)
5757
msgid "svn co http://servername/svn"
5760
#: serverguide/C/vcs.xml:267(para)
5762
"The password is transmitted as plain text. If you are worried about password "
5763
"snooping, you are advised to use SSL encryption. For details, please refer "
5767
#: serverguide/C/vcs.xml:273(title)
5768
msgid "Access via WebDAV protocol with SSL encryption (https://)"
5771
#: serverguide/C/vcs.xml:274(para)
5773
"Accessing Subversion repository via WebDAV protocol with SSL encryption "
5774
"(https://) is similar to http:// except that you must install and configure "
5775
"the digital certificate in your Apache2 web server. To use SSL with "
5776
"Subversion add the above Apache2 configuration to "
5777
"<filename>/etc/apache2/sites-available/default-ssl</filename>. For more "
5778
"information on setting up Apache2 with SSL see <xref linkend=\"https-"
5779
"configuration\"/>."
5782
#: serverguide/C/vcs.xml:283(para)
5784
"You can install a digital certificate issued by a signing authority. "
5785
"Alternatively, you can install your own self-signed certificate."
5788
#: serverguide/C/vcs.xml:288(para)
5790
"This step assumes you have installed and configured a digital certificate in "
5791
"your Apache 2 web server. Now, to access the Subversion repository, please "
5792
"refer to the above section! The access methods are exactly the same, except "
5793
"the protocol. You must use https:// to access the Subversion repository."
5796
#: serverguide/C/vcs.xml:298(title)
5797
msgid "Access via custom protocol (svn://)"
5800
#: serverguide/C/vcs.xml:299(para)
5802
"Once the Subversion repository is created, you can configure the access "
5803
"control. You can edit the <filename> "
5804
"/path/to/repos/project/conf/svnserve.conf</filename> file to configure the "
5805
"access control. For example, to set up authentication, you can uncomment the "
5806
"following lines in the configuration file:"
5809
#: serverguide/C/vcs.xml:306(programlisting)
5813
"# password-db = passwd"
5816
#: serverguide/C/vcs.xml:309(para)
5818
"After uncommenting the above lines, you can maintain the user list in the "
5819
"passwd file. So, edit the file <filename>passwd </filename> in the same "
5820
"directory and add the new user. The syntax is as follows:"
5823
#: serverguide/C/vcs.xml:315(programlisting)
5825
msgid "username = password"
5828
#: serverguide/C/vcs.xml:316(para)
5829
msgid "For more details, please refer to the file."
5832
#: serverguide/C/vcs.xml:320(para)
5834
"Now, to access Subversion via the svn:// custom protocol, either from the "
5835
"same machine or a different machine, you can run svnserver using svnserve "
5836
"command. The syntax is as follows:"
5839
#: serverguide/C/vcs.xml:325(programlisting)
5842
"$ svnserve -d --foreground -r /path/to/repos\n"
5843
"# -d -- daemon mode\n"
5844
"# --foreground -- run in foreground (useful for debugging)\n"
5845
"# -r -- root of directory to serve\n"
5847
"For more usage details, please refer to:\n"
5851
#: serverguide/C/vcs.xml:333(para)
5853
"Once you run this command, Subversion starts listening on default port "
5854
"(3690). To access the project repository, you must run the following command "
5855
"from a terminal prompt:"
5858
#: serverguide/C/vcs.xml:336(command)
5859
msgid "svn co svn://hostname/project project --username user_name"
5862
#: serverguide/C/vcs.xml:339(para)
5864
"Based on server configuration, it prompts for password. Once you are "
5865
"authenticated, it checks out the code from Subversion repository. To "
5866
"synchronize the project repository with the local copy, you can run the "
5867
"<command>update</command> sub-command. The syntax of the command, entered at "
5868
"a terminal prompt, is as follows:"
5871
#: serverguide/C/vcs.xml:347(command)
5872
msgid "cd project_dir ; svn update"
5875
#: serverguide/C/vcs.xml:350(para)
5877
"For more details about using each Subversion sub-command, you can refer to "
5878
"the manual. For example, to learn more about the co (checkout) command, "
5879
"please run the following command from a terminal prompt:"
5882
#: serverguide/C/vcs.xml:354(command)
5886
#: serverguide/C/vcs.xml:358(title)
5887
msgid "Access via custom protocol with SSL encryption (svn+ssh://)"
5890
#: serverguide/C/vcs.xml:359(para)
5892
"The configuration and server process is same as in the svn:// method. For "
5893
"details, please refer to the above section. This step assumes you have "
5894
"followed the above step and started the Subversion server using "
5895
"<application>svnserve</application> command."
5898
#: serverguide/C/vcs.xml:365(para)
5900
"It is also assumed that the ssh server is running on that machine and that "
5901
"it is allowing incoming connections. To confirm, please try to login to that "
5902
"machine using ssh. If you can login, everything is perfect. If you cannot "
5903
"login, please address it before continuing further."
5906
#: serverguide/C/vcs.xml:371(para)
5908
"The svn+ssh:// protocol is used to access the Subversion repository using "
5909
"SSL encryption. The data transfer is encrypted using this method. To access "
5910
"the project repository (for example with a checkout), you must use the "
5911
"following command syntax:"
5914
#: serverguide/C/vcs.xml:378(command)
5915
msgid "svn co svn+ssh://hostname/var/svn/repos/project"
5918
#: serverguide/C/vcs.xml:382(para)
5920
"You must use the full path (/path/to/repos/project) to access the Subversion "
5921
"repository using this access method."
5924
#: serverguide/C/vcs.xml:385(para)
5926
"Based on server configuration, it prompts for password. You must enter the "
5927
"password you use to login via ssh. Once you are authenticated, it checks out "
5928
"the code from the Subversion repository."
5931
#: serverguide/C/vcs.xml:396(title)
5935
#: serverguide/C/vcs.xml:397(para)
5937
"CVS is a version control system. You can use it to record the history of "
5941
#: serverguide/C/vcs.xml:403(para)
5943
"To install <application>CVS</application>, run the following command from a "
5944
"terminal prompt: <screen>\n"
5945
"<command>sudo apt-get install cvs</command>\n"
5946
"</screen> After you install <application>cvs</application>, you should "
5947
"install <application>xinetd</application> to start/stop the cvs server. At "
5948
"the prompt, enter the following command to install "
5949
"<application>xinetd</application>: <screen>\n"
5950
"<command>sudo apt-get install xinetd</command>\n"
5954
#: serverguide/C/vcs.xml:436(programlisting)
5958
"service cvspserver\n"
5961
" socket_type = stream\n"
5965
" type = UNLISTED\n"
5966
" server = /usr/bin/cvs\n"
5967
" server_args = -f --allow-root /var/lib/cvs pserver\n"
5972
#: serverguide/C/vcs.xml:452(para)
5974
"Be sure to edit the repository if you have changed the default repository "
5975
"(<application>/var/lib/cvs</application>) directory."
5978
#: serverguide/C/vcs.xml:421(para)
5980
"Once you install cvs, the repository will be automatically initialized. By "
5981
"default, the repository resides under the "
5982
"<application>/var/lib/cvs</application> directory. You can change this path "
5983
"by running following command: <screen>\n"
5984
"<command>cvs -d /your/new/cvs/repo init</command>\n"
5985
"</screen> Once the initial repository is set up, you can configure "
5986
"<application>xinetd</application> to start the CVS server. You can copy the "
5987
"following lines to the <filename> /etc/xinetd.d/cvspserver</filename> file. "
5988
"<placeholder-1/><placeholder-2/> Once you have configured "
5989
"<application>xinetd</application> you can start the cvs server by running "
5990
"following command: <screen>\n"
5991
"<command>sudo /etc/init.d/xinetd restart</command>\n"
5995
#: serverguide/C/vcs.xml:465(para)
5997
"You can confirm that the CVS server is running by issuing the following "
6001
#: serverguide/C/vcs.xml:472(command)
6002
msgid "sudo netstat -tap | grep cvs"
6005
#: serverguide/C/vcs.xml:476(para) serverguide/C/databases.xml:65(para)
6007
"When you run this command, you should see the following line or something "
6011
#: serverguide/C/vcs.xml:481(programlisting)
6015
"tcp 0 0 *:cvspserver *:* LISTEN \n"
6018
#: serverguide/C/vcs.xml:485(para)
6020
"From here you can continue to add users, add new projects, and manage the "
6024
#: serverguide/C/vcs.xml:490(para)
6026
"CVS allows the user to add users independently of the underlying OS "
6027
"installation. Probably the easiest way is to use the Linux Users for CVS, "
6028
"although it has potential security issues. Please refer to the CVS manual "
6032
#: serverguide/C/vcs.xml:500(title)
6033
msgid "Add Projects"
6036
#: serverguide/C/vcs.xml:512(para)
6038
"You can use the CVSROOT environment variable to store the CVS root "
6039
"directory. Once you export the CVSROOT environment variable, you can avoid "
6040
"using -d option in the above cvs command."
6043
#: serverguide/C/vcs.xml:524(para)
6045
"When you add a new project, the CVS user you use must have write access to "
6046
"the CVS repository (<application>/var/lib/cvs</application>). By default, "
6047
"the <application>src</application> group has write access to the CVS "
6048
"repository. So, you can add the user to this group, and he can then add and "
6049
"manage projects in the CVS repository."
6052
#: serverguide/C/vcs.xml:501(para)
6054
"This section explains how to add new project to the CVS repository. Create "
6055
"the directory and add necessary document and source files to the directory. "
6056
"Now, run the following command to add this project to CVS repository: "
6058
"<command>cd your/project</command>\n"
6059
"<command>cvs -d :pserver:username@hostname.com:/var/lib/cvs import -m "
6060
"\"Importing my project to CVS repository\" . new_project start</command>\n"
6061
"</screen><placeholder-1/> The string <emphasis>new_project</emphasis> is a "
6062
"vendor tag, and <emphasis>start</emphasis> is a release tag. They serve no "
6063
"purpose in this context, but since CVS requires them, they must be present. "
6067
#: serverguide/C/vcs.xml:537(ulink)
6068
msgid "Bazaar Home Page"
6071
#: serverguide/C/vcs.xml:538(ulink)
6075
#: serverguide/C/vcs.xml:539(ulink)
6076
msgid "Subversion Home Page"
6079
#: serverguide/C/vcs.xml:540(ulink)
6080
msgid "Subversion Book"
6083
#: serverguide/C/vcs.xml:542(ulink)
6087
#: serverguide/C/serverguide.xml:3(title) serverguide/C/bookinfo.xml:3(title)
6088
msgid "Credits and License"
6091
#: serverguide/C/serverguide.xml:4(para) serverguide/C/bookinfo.xml:4(para)
6093
"This document is maintained by the Ubuntu documentation team "
6094
"(https://wiki.ubuntu.com/DocumentationTeam). For a list of contributors, see "
6095
"the <ulink url=\"../../libs/C/contributors.xml\">contributors page</ulink>"
6098
#: serverguide/C/serverguide.xml:5(para) serverguide/C/bookinfo.xml:5(para)
6100
"This document is made available under the Creative Commons ShareAlike 2.5 "
6101
"License (CC-BY-SA)."
6104
#: serverguide/C/serverguide.xml:6(para) serverguide/C/bookinfo.xml:6(para)
6106
"You are free to modify, extend, and improve the Ubuntu documentation source "
6107
"code under the terms of this license. All derivative works must be released "
6108
"under this license."
6111
#: serverguide/C/serverguide.xml:8(para) serverguide/C/bookinfo.xml:8(para)
6113
"This documentation is distributed in the hope that it will be useful, but "
6114
"WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY "
6115
"or FITNESS FOR A PARTICULAR PURPOSE AS DESCRIBED IN THE DISCLAIMER."
6118
#: serverguide/C/serverguide.xml:11(para) serverguide/C/bookinfo.xml:11(para)
6120
"A copy of the license is available here: <ulink url=\"/usr/share/ubuntu-"
6121
"docs/libs/C/ccbysa.xml\">Creative Commons ShareAlike License</ulink>."
6124
#: serverguide/C/serverguide.xml:14(year) serverguide/C/bookinfo.xml:14(year)
6128
#: serverguide/C/serverguide.xml:15(ulink) serverguide/C/bookinfo.xml:15(ulink)
6129
msgid "Ubuntu Documentation Project"
6132
#: serverguide/C/serverguide.xml:15(holder) serverguide/C/bookinfo.xml:15(holder)
6133
msgid "Canonical Ltd. and members of the <placeholder-1/>"
6136
#: serverguide/C/serverguide.xml:18(publishername) serverguide/C/bookinfo.xml:18(publishername)
6137
msgid "The Ubuntu Documentation Project"
6140
#: serverguide/C/serverguide.xml:17(para)
6142
"Welcome to the <emphasis>Ubuntu Server Guide</emphasis>! It contains "
6143
"information on how to install and configure various server applications on "
6144
"your Ubuntu system to fit your needs. It is a step-by-step, task-oriented "
6145
"guide for configuring and customizing your system."
6148
#: serverguide/C/security.xml:13(title)
6152
#: serverguide/C/security.xml:14(para)
6154
"Security should always be considered when installing, deploying, and using "
6155
"any type of computer system. Although a fresh installation of Ubuntu is "
6156
"relatively safe for immediate use on the Internet, it is important to have a "
6157
"balanced understanding of your systems security posture based on how it will "
6158
"be used after deployment."
6161
#: serverguide/C/security.xml:17(para)
6163
"This chapter provides an overview of security related topics as they pertain "
6164
"to Ubuntu 9.10 Server Edition, and outlines simple measures you may use to "
6165
"protect your server and network from any number of potential security "
6169
#: serverguide/C/security.xml:21(title)
6170
msgid "User Management"
6173
#: serverguide/C/security.xml:22(para)
6175
"User management is a critical part of maintaining a secure system. "
6176
"Ineffective user and privilege management often lead many systems into being "
6177
"compromised. Therefore, it is important that you understand how you can "
6178
"protect your server through simple and effective user account management "
6182
#: serverguide/C/security.xml:26(title)
6183
msgid "Where is root?"
6186
#: serverguide/C/security.xml:27(para)
6188
"Ubuntu developers made a conscientious decision to disable the "
6189
"administrative root account by default in all Ubuntu installations. This "
6190
"does not mean that the root account has been deleted or that it may not be "
6191
"accessed. It merely has been given a password which matches no possible "
6192
"encrypted value, therefore may not log in directly by itself."
6195
#: serverguide/C/security.xml:30(para)
6197
"Instead, users are encouraged to make use of a tool by the name of "
6198
"<application>sudo</application> to carry out system administrative duties. "
6199
"<application>Sudo</application> allows an authorized user to temporarily "
6200
"elevate their privileges using their own password instead of having to know "
6201
"the password belonging to the root account. This simple yet effective "
6202
"methodology provides accountability for all user actions, and gives the "
6203
"administrator granular control over which actions a user can perform with "
6207
#: serverguide/C/security.xml:35(para)
6209
"If for some reason you wish to enable the root account, simply give it a "
6213
#: serverguide/C/security.xml:39(command)
6217
#: serverguide/C/security.xml:41(para)
6219
"Sudo will prompt you for your password, and then ask you to supply a new "
6220
"password for root as shown below:"
6223
#: serverguide/C/security.xml:44(userinput)
6225
msgid "(enter your own password)"
6228
#: serverguide/C/security.xml:45(userinput)
6230
msgid "(enter a new password for root)"
6233
#: serverguide/C/security.xml:46(userinput)
6235
msgid "(repeat new password for root)"
6238
#: serverguide/C/security.xml:44(computeroutput)
6241
"[sudo] password for username: <placeholder-1/>\n"
6242
"Enter new UNIX password: <placeholder-2/>\n"
6243
"Retype new UNIX password: <placeholder-3/>\n"
6244
"passwd: password updated successfully"
6247
#: serverguide/C/security.xml:51(para)
6248
msgid "To disable the root account, use the following passwd syntax:"
6251
#: serverguide/C/security.xml:55(command)
6252
msgid "sudo passwd -l root"
6255
#: serverguide/C/security.xml:59(para)
6257
"You should read more on <application>Sudo</application> by checking out it's "
6261
#: serverguide/C/security.xml:63(command)
6265
#: serverguide/C/security.xml:67(para)
6267
"By default, the initial user created by the Ubuntu installer is a member of "
6268
"the group \"admin\" which is added to the file "
6269
"<filename>/etc/sudoers</filename> as an authorized sudo user. If you wish to "
6270
"give any other account full root access through "
6271
"<application>sudo</application>, simply add them to the admin group."
6274
#: serverguide/C/security.xml:73(title)
6275
msgid "Adding and Deleting Users"
6278
#: serverguide/C/security.xml:74(para)
6280
"The process for managing local users and groups is straight forward and "
6281
"differs very little from most other GNU/Linux operating systems. Ubuntu and "
6282
"other Debian based distributions, encourage the use of the \"adduser\" "
6283
"package for account management."
6286
#: serverguide/C/security.xml:79(para)
6288
"To add a user account, use the following syntax, and follow the prompts to "
6289
"give the account a password and identifiable characteristics such as a full "
6290
"name, phone number, etc."
6293
#: serverguide/C/security.xml:83(command)
6294
msgid "sudo adduser username"
6297
#: serverguide/C/security.xml:87(para)
6299
"To delete a user account and its primary group, use the following syntax:"
6302
#: serverguide/C/security.xml:91(command)
6303
msgid "sudo deluser username"
6306
#: serverguide/C/security.xml:93(para)
6308
"Deleting an account does not remove their respective home folder. It is up "
6309
"to you whether or not you wish to delete the folder manually or keep it "
6310
"according to your desired retention policies."
6313
#: serverguide/C/security.xml:96(para)
6315
"Remember, any user added later on with the same UID/GID as the previous "
6316
"owner will now have access to this folder if you have not taken the "
6317
"necessary precautions."
6320
#: serverguide/C/security.xml:99(para)
6322
"You may want to change these UID/GID values to something more appropriate, "
6323
"such as the root account, and perhaps even relocate the folder to avoid "
6327
#: serverguide/C/security.xml:103(command)
6328
msgid "sudo chown -R root:root /home/username/"
6331
#: serverguide/C/security.xml:104(command)
6332
msgid "sudo mkdir /home/archived_users/"
6335
#: serverguide/C/security.xml:105(command)
6336
msgid "sudo mv /home/username /home/archived_users/"
6339
#: serverguide/C/security.xml:109(para)
6341
"To temporarily lock or unlock a user account, use the following syntax, "
6345
#: serverguide/C/security.xml:113(command)
6346
msgid "sudo passwd -l username"
6349
#: serverguide/C/security.xml:114(command)
6350
msgid "sudo passwd -u username"
6353
#: serverguide/C/security.xml:118(para)
6355
"To add or delete a personalized group, use the following syntax, "
6359
#: serverguide/C/security.xml:122(command)
6360
msgid "sudo addgroup groupname"
6363
#: serverguide/C/security.xml:123(command)
6364
msgid "sudo delgroup groupname"
6367
#: serverguide/C/security.xml:127(para)
6368
msgid "To add a user to a group, use the following syntax:"
6371
#: serverguide/C/security.xml:131(command)
6372
msgid "sudo adduser username groupname"
6375
#: serverguide/C/security.xml:138(title)
6376
msgid "User Profile Security"
6379
#: serverguide/C/security.xml:139(para)
6381
"When a new user is created, the adduser utility creates a brand new home "
6382
"directory named <filename class=\"directory\">/home/username</filename>, "
6383
"respectively. The default profile is modeled after the contents found in the "
6384
"directory of <filename class=\"directory\">/etc/skel</filename>, which "
6385
"includes all profile basics."
6388
#: serverguide/C/security.xml:142(para)
6390
"If your server will be home to multiple users, you should pay close "
6391
"attention to the user home directory permissions to ensure confidentiality. "
6392
"By default, user home directories in Ubuntu are created with world "
6393
"read/execute permissions. This means that all users can browse and access "
6394
"the contents of other users home directories. This may not be suitable for "
6398
#: serverguide/C/security.xml:147(para)
6400
"To verify your current users home directory permissions, use the following "
6404
#: serverguide/C/security.xml:151(command) serverguide/C/security.xml:183(command)
6405
msgid "ls -ld /home/username"
6408
#: serverguide/C/security.xml:153(para)
6410
"The following output shows that the directory <filename "
6411
"class=\"directory\">/home/username</filename> has world readable permissions:"
6414
#: serverguide/C/security.xml:156(computeroutput)
6416
msgid "drwxr-xr-x 2 username username 4096 2007-10-02 20:03 username"
6419
#: serverguide/C/security.xml:160(para)
6421
"You can remove the world readable permissions using the following syntax:"
6424
#: serverguide/C/security.xml:164(command)
6425
msgid "sudo chmod 0750 /home/username"
6428
#: serverguide/C/security.xml:167(para)
6430
"Some people tend to use the recursive option (-R) indiscriminately which "
6431
"modifies all child folders and files, but this is not necessary, and may "
6432
"yield other undesirable results. The parent directory alone is sufficient "
6433
"for preventing unauthorized access to anything below the parent."
6436
#: serverguide/C/security.xml:171(para)
6438
"A much more efficient approach to the matter would be to modify the "
6439
"<application>adduser</application> global default permissions when creating "
6440
"user home folders. Simply edit the file "
6441
"<filename>/etc/adduser.conf</filename> and modify the "
6442
"<varname>DIR_MODE</varname> variable to something appropriate, so that all "
6443
"new home directories will receive the correct permissions."
6446
#: serverguide/C/security.xml:174(programlisting)
6453
#: serverguide/C/security.xml:179(para)
6455
"After correcting the directory permissions using any of the previously "
6456
"mentioned techniques, verify the results using the following syntax:"
6459
#: serverguide/C/security.xml:185(para)
6461
"The results below show that world readable permissions have been removed:"
6464
#: serverguide/C/security.xml:188(computeroutput)
6466
msgid "drwxr-x--- 2 username username 4096 2007-10-02 20:03 username"
6469
#: serverguide/C/security.xml:195(title)
6470
msgid "Password Policy"
6473
#: serverguide/C/security.xml:196(para)
6475
"A strong password policy is one of the most important aspects of your "
6476
"security posture. Many successful security breaches involve simple brute "
6477
"force and dictionary attacks against weak passwords. If you intend to offer "
6478
"any form of remote access involving your local password system, make sure "
6479
"you adequately address minimum password complexity requirements, maximum "
6480
"password lifetimes, and frequent audits of your authentication systems."
6483
#: serverguide/C/security.xml:200(title)
6484
msgid "Minimum Password Length"
6487
#: serverguide/C/security.xml:201(para)
6489
"By default, Ubuntu requires a minimum password length of 4 characters, as "
6490
"well as some basic entropy checks. These values are controlled in the file "
6491
"<filename>/etc/pam.d/common-password</filename>, which is outlined below."
6494
#: serverguide/C/security.xml:204(programlisting)
6498
"password required pam_unix.so nullok obscure min=4 max=8 md5\n"
6501
#: serverguide/C/security.xml:207(para)
6503
"If you would like to adjust the minimum length to 6 characters, change the "
6504
"appropriate variable to min=6. The modification is outlined below."
6507
#: serverguide/C/security.xml:210(programlisting)
6511
"password required pam_unix.so nullok obscure min=6 max=8 md5\n"
6514
#: serverguide/C/security.xml:214(para)
6516
"The <varname>max=8</varname> variable does not represent the maximum length "
6517
"of a password. It only means that complexity requirements will not be "
6518
"checked on passwords over 8 characters. You may want to look at the "
6519
"<application>libpam-cracklib</application> package for additional password "
6520
"entropy assistance."
6523
#: serverguide/C/security.xml:220(title)
6524
msgid "Password Expiration"
6527
#: serverguide/C/security.xml:221(para)
6529
"When creating user accounts, you should make it a policy to have a minimum "
6530
"and maximum password age forcing users to change their passwords when they "
6534
#: serverguide/C/security.xml:226(para)
6536
"To easily view the current status of a user account, use the following "
6540
#: serverguide/C/security.xml:230(command) serverguide/C/security.xml:263(command)
6541
msgid "sudo chage -l username"
6544
#: serverguide/C/security.xml:232(para)
6546
"The output below shows interesting facts about the user account, namely that "
6547
"there are no policies applied:"
6550
#: serverguide/C/security.xml:235(computeroutput)
6553
"Last password change : Jan 20, 2008\n"
6554
"Password expires : never\n"
6555
"Password inactive : never\n"
6556
"Account expires : never\n"
6557
"Minimum number of days between password change : 0\n"
6558
"Maximum number of days between password change : 99999\n"
6559
"Number of days of warning before password expires : 7"
6562
#: serverguide/C/security.xml:245(para)
6564
"To set any of these values, simply use the following syntax, and follow the "
6565
"interactive prompts:"
6568
#: serverguide/C/security.xml:249(command)
6569
msgid "sudo chage username"
6572
#: serverguide/C/security.xml:251(para)
6574
"The following is also an example of how you can manually change the explicit "
6575
"expiration date (-E) to 01/31/2008, minimum password age (-m) of 5 days, "
6576
"maximum password age (-M) of 90 days, inactivity period (-I) of 5 days after "
6577
"password expiration, and a warning time period (-W) of 14 days before "
6578
"password expiration."
6581
#: serverguide/C/security.xml:255(command)
6582
msgid "sudo chage -E 01/31/2008 -m 5 -M 90 -I 30 -W 14 username"
6585
#: serverguide/C/security.xml:259(para)
6586
msgid "To verify changes, use the same syntax as mentioned previously:"
6589
#: serverguide/C/security.xml:265(para)
6591
"The output below shows the new policies that have been established for the "
6595
#: serverguide/C/security.xml:268(computeroutput)
6598
"Last password change : Jan 20, 2008\n"
6599
"Password expires : Apr 19, 2008\n"
6600
"Password inactive : May 19, 2008\n"
6601
"Account expires : Jan 31, 2008\n"
6602
"Minimum number of days between password change : 5\n"
6603
"Maximum number of days between password change : 90\n"
6604
"Number of days of warning before password expires : 14"
6607
#: serverguide/C/security.xml:284(title)
6608
msgid "Other Security Considerations"
6611
#: serverguide/C/security.xml:285(para)
6613
"Many applications use alternate authentication mechanisms that can be easily "
6614
"overlooked by even experienced system administrators. Therefore, it is "
6615
"important to understand and control how users authenticate and gain access "
6616
"to services and applications on your server."
6619
#: serverguide/C/security.xml:290(title)
6620
msgid "SSH Access by Disabled Users"
6623
#: serverguide/C/security.xml:291(para)
6625
"Simply disabling/locking a user account will not prevent a user from logging "
6626
"into your server remotely if they have previously set up RSA public key "
6627
"authentication. They will still be able to gain shell access to the server, "
6628
"without the need for any password. Remember to check the users home "
6629
"directory for files that will allow for this type of authenticated SSH "
6630
"access. e.g. <filename>/home/username/.ssh/authorized_keys</filename>."
6633
#: serverguide/C/security.xml:294(para)
6635
"Remove or rename the directory <filename "
6636
"class=\"directory\">.ssh/</filename> in the user's home folder to prevent "
6637
"further SSH authentication capabilities."
6640
#: serverguide/C/security.xml:297(para)
6642
"Be sure to check for any established SSH connections by the disabled user, "
6643
"as it is possible they may have existing inbound or outbound connections. "
6644
"Kill any that are found."
6647
#: serverguide/C/security.xml:300(para)
6649
"Restrict SSH access to only user accounts that should have it. For example, "
6650
"you may create a group called \"sshlogin\" and add the group name as the "
6651
"value associated with the <varname>AllowGroups</varname> variable located in "
6652
"the file <filename>/etc/ssh/sshd_config</filename>."
6655
#: serverguide/C/security.xml:303(programlisting)
6659
"AllowGroups sshlogin\n"
6662
#: serverguide/C/security.xml:306(para)
6664
"Then add your permitted SSH users to the group \"sshlogin\", and restart the "
6668
#: serverguide/C/security.xml:310(command)
6669
msgid "sudo adduser username sshlogin"
6672
#: serverguide/C/security.xml:311(command) serverguide/C/remote-administration.xml:150(command)
6673
msgid "sudo /etc/init.d/ssh restart"
6676
#: serverguide/C/security.xml:315(title)
6677
msgid "External User Database Authentication"
6680
#: serverguide/C/security.xml:316(para)
6682
"Most enterprise networks require centralized authentication and access "
6683
"controls for all system resources. If you have configured your server to "
6684
"authenticate users against external databases, be sure to disable the user "
6685
"accounts both externally and locally, this way you ensure that local "
6686
"fallback authentication is not possible."
6689
#: serverguide/C/security.xml:325(title)
6690
msgid "Console Security"
6693
#: serverguide/C/security.xml:326(para)
6695
"As with any other security barrier you put in place to protect your server, "
6696
"it is pretty tough to defend against untold damage caused by someone with "
6697
"physical access to your environment, for example, theft of hard drives, "
6698
"power or service disruption and so on. Therefore, console security should be "
6699
"addressed merely as one component of your overall physical security "
6700
"strategy. A locked \"screen door\" may deter a casual criminal, or at the "
6701
"very least slow down a determined one, so it is still advisable to perform "
6702
"basic precautions with regard to console security."
6705
#: serverguide/C/security.xml:329(para)
6707
"The following instructions will help defend your server against issues that "
6708
"could otherwise yield very serious consequences."
6711
#: serverguide/C/security.xml:334(title)
6712
msgid "Disable Ctrl+Alt+Delete"
6715
#: serverguide/C/security.xml:335(para)
6717
"First and foremost, anyone that has physical access to the keyboard can "
6719
"<keycombo><keycap>Ctrl</keycap><keycap>Alt</keycap><keycap>Delete</keycap></k"
6720
"eycombo> key combination to reboot the server without having to log on. "
6721
"Sure, someone could simply unplug the power source, but you should still "
6722
"prevent the use of this key combination on a production server. This forces "
6723
"an attacker to take more drastic measures to reboot the server, and will "
6724
"prevent accidental reboots at the same time."
6727
#: serverguide/C/security.xml:340(para)
6729
"To disable the reboot action taken by pressing the "
6730
"<keycombo><keycap>Ctrl</keycap><keycap>Alt</keycap><keycap>Delete</keycap></k"
6731
"eycombo> key combination, comment out the following line in the file "
6732
"<filename>/etc/event.d/control-alt-delete</filename>."
6735
#: serverguide/C/security.xml:343(programlisting)
6739
"#exec /sbin/shutdown -r now \"Control-Alt-Delete pressed\"\n"
6742
#: serverguide/C/security.xml:350(title)
6743
msgid "GRUB Password Security"
6746
#: serverguide/C/security.xml:351(para)
6748
"Ubuntu installs GNU GRUB as its default boot loader, which allows for great "
6749
"flexibility and recovery options. For example, when you install additional "
6750
"kernel images, these are automatically added as available boot options in "
6751
"the <application>grub</application> menu. Also, by default, alternate boot "
6752
"options are available for each kernel entry that may be used for system "
6753
"recovery, aptly labeled (recovery mode). Recovery mode simply boots the "
6754
"corresponding kernel image into single user mode (init 1), which lands the "
6755
"administrator at a root prompt without the need for any password."
6758
#: serverguide/C/security.xml:354(para)
6760
"Therefore, it is important to control who may edit the "
6761
"<application>grub</application> menu items which, would otherwise allow for "
6762
"someone to perform the following dangerous actions:"
6765
#: serverguide/C/security.xml:359(para)
6766
msgid "Pass kernel options at boot up."
6769
#: serverguide/C/security.xml:364(para)
6770
msgid "Boot the server into single user mode."
6773
#: serverguide/C/security.xml:369(para)
6775
"You can prevent these actions by adding a password to GRUB's configuration "
6776
"file of <filename>/boot/grub/menu.lst</filename>, which will be required to "
6777
"unlock GRUB's more advanced features prior to use."
6780
#: serverguide/C/security.xml:374(para)
6782
"To add a password for use with <application>grub</application>, first you "
6783
"must generate an md5 password hash using the <application>grub-md5-"
6784
"crypt</application> utility:"
6787
#: serverguide/C/security.xml:378(command)
6788
msgid "grub-md5-crypt"
6791
#: serverguide/C/security.xml:380(para)
6793
"The command will ask you to enter a password and offer a resulting hash "
6794
"value as shown below:"
6797
#: serverguide/C/security.xml:383(userinput)
6799
msgid "(enter new password)"
6802
#: serverguide/C/security.xml:384(userinput)
6804
msgid "(repeat password)"
6807
#: serverguide/C/security.xml:383(computeroutput)
6810
"Password: <placeholder-1/>\n"
6811
"Retype password: <placeholder-2/>\n"
6812
"$1$s3YiK$M3lxAbqA6JLm2FbDWnClQ0"
6815
#: serverguide/C/security.xml:389(para)
6817
"Add the resulting hash value to the file "
6818
"<filename>/boot/grub/menu.lst</filename> in the following format:"
6821
#: serverguide/C/security.xml:392(programlisting)
6823
msgid "password --md5 $1$s3YiK$M3lxAbqA6JLm2FbDWnClQ0"
6826
#: serverguide/C/security.xml:395(para)
6828
"To require use of the password for entering single user mode, change the "
6829
"value of the <varname>lockalternative</varname> variable in the file "
6830
"<filename>/boot/grub/menu.lst</filename> to <varname>true</varname>, as "
6831
"shown in the following example."
6834
#: serverguide/C/security.xml:398(programlisting)
6836
msgid "# lockalternative=true"
6839
#: serverguide/C/security.xml:402(para)
6841
"This does not prevent someone from booting the server from alternate media. "
6842
"A determined attacker would simply boot into an alternate environment, "
6843
"overwrite your master boot record, mount or copy your physical volumes, "
6844
"destroy your data, or anything else they can imagine. Please explore other "
6845
"countermeasures that may help you with these types of attacks."
6848
#: serverguide/C/security.xml:410(title)
6852
#: serverguide/C/security.xml:413(para)
6854
"The Linux kernel includes the <emphasis>Netfilter</emphasis> subsystem, "
6855
"which is used to manipulate or decide the fate of network traffic headed "
6856
"into or through your server. All modern Linux firewall solutions use this "
6857
"system for packet filtering."
6860
#: serverguide/C/security.xml:418(para)
6862
"The kernel's packet filtering system would be of little use to "
6863
"administrators without a userspace interface to manage it. This is the "
6864
"purpose of iptables. When a packet reaches your server, it will be handed "
6865
"off to the Netfilter subsystem for acceptance, manipulation, or rejection "
6866
"based on the rules supplied to it from userspace via iptables. Thus, "
6867
"iptables is all you need to manage your firewall if you're familiar with it, "
6868
"but many frontends are available to simplify the task."
6871
#: serverguide/C/security.xml:428(title)
6872
msgid "ufw - Uncomplicated Firewall"
6875
#: serverguide/C/security.xml:429(para)
6877
"The default firewall configuration tool for Ubuntu is "
6878
"<application>ufw</application>. Developed to ease iptables firewall "
6879
"configuration, <application>ufw</application> provides a user friendly way "
6880
"to create an IPv4 or IPv6 host-based firewall."
6883
#: serverguide/C/security.xml:433(para)
6885
"<application>ufw</application> by default is initially disabled. From the "
6886
"<application>ufw</application> man page:"
6889
#: serverguide/C/security.xml:437(quote)
6891
"ufw is not intended to provide complete firewall functionality via its "
6892
"command interface, but instead provides an easy way to add or remove simple "
6893
"rules. It is currently mainly used for host-based firewalls."
6896
#: serverguide/C/security.xml:441(para)
6898
"The following are some examples of how to use <application>ufw</application>:"
6901
#: serverguide/C/security.xml:446(para)
6903
"First, <application>ufw</application> needs to be enabled. From a terminal "
6907
#: serverguide/C/security.xml:450(command)
6908
msgid "sudo ufw enable"
6911
#: serverguide/C/security.xml:454(para)
6912
msgid "To open a port (ssh in this example):"
6915
#: serverguide/C/security.xml:458(command)
6916
msgid "sudo ufw allow 22"
6919
#: serverguide/C/security.xml:462(para)
6920
msgid "Rules can also be added using a <emphasis>numbered</emphasis> format:"
6923
#: serverguide/C/security.xml:466(command)
6924
msgid "sudo ufw insert 1 allow 80"
6927
#: serverguide/C/security.xml:470(para)
6928
msgid "Similarly, to close an opened port:"
6931
#: serverguide/C/security.xml:474(command)
6932
msgid "sudo ufw deny 22"
6935
#: serverguide/C/security.xml:478(para)
6936
msgid "To remove a rule, use delete followed by the rule:"
6939
#: serverguide/C/security.xml:482(command)
6940
msgid "sudo ufw delete deny 22"
6943
#: serverguide/C/security.xml:486(para)
6945
"It is also possible to allow access from specific hosts or networks to a "
6946
"port. The following example allows ssh access from host 192.168.0.2 to any "
6947
"ip address on this host:"
6950
#: serverguide/C/security.xml:491(command)
6951
msgid "sudo ufw allow proto tcp from 192.168.0.2 to any port 22"
6954
#: serverguide/C/security.xml:493(para)
6956
"Replace 192.168.0.2 with 192.168.0.0/24 to allow ssh access from the entire "
6960
#: serverguide/C/security.xml:499(para)
6962
"Adding the <emphasis>--dry-run</emphasis> option to a "
6963
"<emphasis>ufw</emphasis> command will output the resulting rules, but not "
6964
"apply them. For example, the following is what would be applied if opening "
6968
#: serverguide/C/security.xml:505(command)
6969
msgid "sudo ufw --dry-run allow http"
6972
#: serverguide/C/security.xml:509(computeroutput)
6976
":ufw-user-input - [0:0]\n"
6977
":ufw-user-output - [0:0]\n"
6978
":ufw-user-forward - [0:0]\n"
6979
":ufw-user-limit - [0:0]\n"
6980
":ufw-user-limit-accept - [0:0]\n"
6983
"### tuple ### allow tcp 80 0.0.0.0/0 any 0.0.0.0/0\n"
6984
"-A ufw-user-input -p tcp --dport 80 -j ACCEPT\n"
6986
"### END RULES ###\n"
6987
"-A ufw-user-input -j RETURN\n"
6988
"-A ufw-user-output -j RETURN\n"
6989
"-A ufw-user-forward -j RETURN\n"
6990
"-A ufw-user-limit -m limit --limit 3/minute -j LOG --log-prefix \"[UFW "
6992
"-A ufw-user-limit -j REJECT\n"
6993
"-A ufw-user-limit-accept -j ACCEPT\n"
6998
#: serverguide/C/security.xml:533(para)
6999
msgid "<application>ufw</application> can be disabled by:"
7002
#: serverguide/C/security.xml:537(command)
7003
msgid "sudo ufw disable"
7006
#: serverguide/C/security.xml:541(para)
7007
msgid "To see the firewall status, enter:"
7010
#: serverguide/C/security.xml:545(command)
7011
msgid "sudo ufw status"
7014
#: serverguide/C/security.xml:549(para)
7015
msgid "And for more verbose status information use:"
7018
#: serverguide/C/security.xml:553(command)
7019
msgid "sudo ufw status verbose"
7022
#: serverguide/C/security.xml:557(para)
7023
msgid "To view the <emphasis>numbered</emphasis> format:"
7026
#: serverguide/C/security.xml:561(command)
7027
msgid "sudo ufw status numbered"
7030
#: serverguide/C/security.xml:566(para)
7032
"If the port you want to open or close is defined in "
7033
"<filename>/etc/services</filename>, you can use the port name instead of the "
7034
"number. In the above examples, replace <emphasis>22</emphasis> with "
7035
"<emphasis>ssh</emphasis>."
7038
#: serverguide/C/security.xml:572(para)
7040
"This is a quick introduction to using <application>ufw</application>. Please "
7041
"refer to the <application>ufw</application> man page for more information."
7044
#: serverguide/C/security.xml:578(title)
7045
msgid "ufw Application Integration"
7048
#: serverguide/C/security.xml:580(para)
7050
"Applications that open ports can include an <application>ufw</application> "
7051
"profile, which details the ports needed for the application to function "
7052
"properly. The profiles are kept in <filename "
7053
"role=\"directory\">/etc/ufw/applications.d</filename>, and can be edited if "
7054
"the default ports have been changed."
7057
#: serverguide/C/security.xml:589(para)
7059
"To view which applications have installed a profile, enter the following in "
7063
#: serverguide/C/security.xml:594(command)
7064
msgid "sudo ufw app list"
7067
#: serverguide/C/security.xml:600(para)
7069
"Similar to allowing traffic to a port, using an application profile is "
7070
"accomplished by entering:"
7073
#: serverguide/C/security.xml:605(command)
7074
msgid "sudo ufw allow Samba"
7077
#: serverguide/C/security.xml:611(para)
7078
msgid "An extended syntax is available as well:"
7081
#: serverguide/C/security.xml:616(command)
7082
msgid "ufw allow from 192.168.0.0/24 to any app Samba"
7085
#: serverguide/C/security.xml:619(para)
7087
"Replace <emphasis>Samba</emphasis> and <emphasis>192.168.0.0/24</emphasis> "
7088
"with the application profile you are using and the IP range for your network."
7091
#: serverguide/C/security.xml:625(para)
7093
"There is no need to specify the <emphasis>protocol</emphasis> for the "
7094
"application, because that information is detailed in the profile. Also, note "
7095
"that the <emphasis>app</emphasis> name replaces the "
7096
"<emphasis>port</emphasis> number."
7099
#: serverguide/C/security.xml:634(para)
7101
"To view details about which ports, protocols, etc are defined for an "
7102
"application, enter:"
7105
#: serverguide/C/security.xml:639(command)
7106
msgid "sudo ufw app info Samba"
7109
#: serverguide/C/security.xml:645(para)
7111
"Not all applications that require opening a network port come with "
7112
"<application>ufw</application> profiles, but if you have profiled an "
7113
"application and want the file to be included with the package, please file a "
7114
"bug against the package in <ulink "
7115
"url=\"https://launchpad.net/\">Launchpad</ulink>."
7118
#: serverguide/C/security.xml:654(title)
7119
msgid "IP Masquerading"
7122
#: serverguide/C/security.xml:655(para)
7124
"The purpose of IP Masquerading is to allow machines with private, non-"
7125
"routable IP addresses on your network to access the Internet through the "
7126
"machine doing the masquerading. Traffic from your private network destined "
7127
"for the Internet must be manipulated for replies to be routable back to the "
7128
"machine that made the request. To do this, the kernel must modify the "
7129
"<emphasis>source</emphasis> IP address of each packet so that replies will "
7130
"be routed back to it, rather than to the private IP address that made the "
7131
"request, which is impossible over the Internet. Linux uses "
7132
"<emphasis>Connection Tracking</emphasis> (conntrack) to keep track of which "
7133
"connections belong to which machines and reroute each return packet "
7134
"accordingly. Traffic leaving your private network is thus \"masqueraded\" as "
7135
"having originated from your Ubuntu gateway machine. This process is referred "
7136
"to in Microsoft documentation as Internet Connection Sharing."
7139
#: serverguide/C/security.xml:671(title)
7140
msgid "ufw Masquerading"
7143
#: serverguide/C/security.xml:672(para)
7145
"IP Masquerading can be achieved using custom <application>ufw</application> "
7146
"rules. This is possible because the current back-end for "
7147
"<application>ufw</application> is <application>iptables-"
7148
"restore</application> with the rules files located in "
7149
"<filename>/etc/ufw/*.rules</filename>. These files are a great place to add "
7150
"legacy iptables rules used without <application>ufw</application>, and rules "
7151
"that are more network gateway or bridge related."
7154
#: serverguide/C/security.xml:678(para)
7156
"The rules are split into two different files, rules that should be executed "
7157
"before <application>ufw</application> command line rules, and rules that are "
7158
"executed after <application>ufw</application> command line rules."
7161
#: serverguide/C/security.xml:684(para)
7163
"First, packet forwarding needs to be enabled in "
7164
"<application>ufw</application>. Two configuration files will need to be "
7165
"adjusted, in <filename>/etc/default/ufw</filename> change the "
7166
"<emphasis>DEFAULT_FORWARD_POLICY</emphasis> to <quote>ACCEPT</quote>:"
7169
#: serverguide/C/security.xml:688(programlisting)
7173
"DEFAULT_FORWARD_POLICY=\"ACCEPT\"\n"
7176
#: serverguide/C/security.xml:691(para)
7177
msgid "Then edit <filename>/etc/ufw/sysctl.conf</filename> and uncomment:"
7180
#: serverguide/C/security.xml:694(programlisting)
7184
"net/ipv4/ip_forward=1\n"
7187
#: serverguide/C/security.xml:697(para)
7188
msgid "Similarly, for IPv6 forwarding uncomment:"
7191
#: serverguide/C/security.xml:700(programlisting)
7195
"net/ipv6/conf/default/forwarding=1\n"
7198
#: serverguide/C/security.xml:705(para)
7200
"Now we will add rules to the <filename>/etc/ufw/before.rules</filename> "
7201
"file. The default rules only configure the <emphasis>filter</emphasis> "
7202
"table, and to enable masquerading the <emphasis>nat</emphasis> table will "
7203
"need to be configured. Add the following to the top of the file just after "
7204
"the header comments:"
7207
#: serverguide/C/security.xml:710(programlisting)
7211
"# nat Table rules\n"
7213
":POSTROUTING ACCEPT [0:0]\n"
7215
"# Forward traffic from eth1 through eth0.\n"
7216
"-A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE\n"
7218
"# don't delete the 'COMMIT' line or these nat table rules won't be "
7223
#: serverguide/C/security.xml:721(para)
7225
"The comments are not strictly necessary, but it is considered good practice "
7226
"to document your configuration. Also, when modifying any of the "
7227
"<emphasis>rules</emphasis> files in <filename "
7228
"class=\"directory\">/etc/ufw</filename>, make sure these lines are the last "
7229
"line for each table modified:"
7232
#: serverguide/C/security.xml:727(programlisting)
7236
"# don't delete the 'COMMIT' line or these rules won't be processed\n"
7240
#: serverguide/C/security.xml:732(para)
7242
"For each <emphasis>Table</emphasis> a corresponding "
7243
"<emphasis>COMMIT</emphasis> statement is required. In these examples only "
7244
"the <emphasis>nat</emphasis> and <emphasis>filter</emphasis> tables are "
7245
"shown, but you can also add rules for the <emphasis>raw</emphasis> and "
7246
"<emphasis>mangle</emphasis> tables."
7249
#: serverguide/C/security.xml:739(para)
7251
"In the above example replace <emphasis>eth0</emphasis>, "
7252
"<emphasis>eth1</emphasis>, and <emphasis>192.168.0.0/24</emphasis> with the "
7253
"appropriate interfaces and IP range for your network."
7256
#: serverguide/C/security.xml:747(para)
7258
"Finally, disable and re-enable <application>ufw</application> to apply the "
7262
#: serverguide/C/security.xml:751(command)
7263
msgid "sudo ufw disable && sudo ufw enable"
7266
#: serverguide/C/security.xml:755(para)
7268
"IP Masquerading should now be enabled. You can also add any additional "
7269
"FORWARD rules to the <filename>/etc/ufw/before.rules</filename>. It is "
7270
"recommended that these additional rules be added to the <emphasis>ufw-before-"
7271
"forward</emphasis> chain."
7274
#: serverguide/C/security.xml:762(title)
7275
msgid "iptables Masquerading"
7278
#: serverguide/C/security.xml:763(para)
7280
"<application>iptables</application> can also be used to enable masquerading."
7283
#: serverguide/C/security.xml:768(para)
7285
"Similar to <application>ufw</application>, the first step is to enable IPv4 "
7286
"packet forwarding by editing <filename>/etc/sysctl.conf</filename> and "
7287
"uncomment the following line"
7290
#: serverguide/C/security.xml:772(programlisting)
7294
"net.ipv4.ip_forward=1\n"
7297
#: serverguide/C/security.xml:775(para)
7298
msgid "If you wish to enable IPv6 forwarding also uncomment:"
7301
#: serverguide/C/security.xml:778(programlisting)
7305
"net.ipv6.conf.default.forwarding=1\n"
7308
#: serverguide/C/security.xml:783(para)
7310
"Next, execute the <application>sysctl</application> command to enable the "
7311
"new settings in the configuration file:"
7314
#: serverguide/C/security.xml:787(command)
7315
msgid "sudo sysctl -p"
7318
#: serverguide/C/security.xml:791(para)
7320
"IP Masquerading can now be accomplished with a single iptables rule, which "
7321
"may differ slightly based on your network configuration:"
7324
#: serverguide/C/security.xml:794(screen)
7328
"sudo iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -o ppp0 -j MASQUERADE\n"
7331
#: serverguide/C/security.xml:797(para)
7333
"The above command assumes that your private address space is 192.168.0.0/16 "
7334
"and that your Internet-facing device is ppp0. The syntax is broken down as "
7338
#: serverguide/C/security.xml:802(para)
7339
msgid "-t nat -- the rule is to go into the nat table"
7342
#: serverguide/C/security.xml:803(para)
7344
"-A POSTROUTING -- the rule is to be appended (-A) to the POSTROUTING chain"
7347
#: serverguide/C/security.xml:804(para)
7349
"-s 192.168.0.0/16 -- the rule applies to traffic originating from the "
7350
"specified address space"
7353
#: serverguide/C/security.xml:805(para)
7355
"-o ppp0 -- the rule applies to traffic scheduled to be routed through the "
7356
"specified network device"
7359
#: serverguide/C/security.xml:807(para)
7361
"-j MASQUERADE -- traffic matching this rule is to \"jump\" (-j) to the "
7362
"MASQUERADE target to be manipulated as described above"
7365
#: serverguide/C/security.xml:815(para)
7367
"Also, each chain in the filter table (the default table, and where most or "
7368
"all packet filtering occurs) has a default <emphasis>policy</emphasis> of "
7369
"ACCEPT, but if you are creating a firewall in addition to a gateway device, "
7370
"you may have set the policies to DROP or REJECT, in which case your "
7371
"masqueraded traffic needs to be allowed through the FORWARD chain for the "
7372
"above rule to work:"
7375
#: serverguide/C/security.xml:822(screen)
7379
"sudo iptables -A FORWARD -s 192.168.0.0/16 -o ppp0 -j ACCEPT\n"
7380
"sudo iptables -A FORWARD -d 192.168.0.0/16 -m state --state "
7381
"ESTABLISHED,RELATED -i ppp0 -j ACCEPT\n"
7384
#: serverguide/C/security.xml:826(para)
7386
"The above commands will allow all connections from your local network to the "
7387
"Internet and all traffic related to those connections to return to the "
7388
"machine that initiated them."
7391
#: serverguide/C/security.xml:833(para)
7393
"If you want masquerading to be enabled on reboot, which you probably do, "
7394
"edit <filename>/etc/rc.local</filename> and add any commands used above. For "
7395
"example add the first command with no filtering:"
7398
#: serverguide/C/security.xml:837(screen)
7402
"iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -o ppp0 -j MASQUERADE\n"
7405
#: serverguide/C/security.xml:845(title)
7409
#: serverguide/C/security.xml:846(para)
7411
"Firewall logs are essential for recognizing attacks, troubleshooting your "
7412
"firewall rules, and noticing unusual activity on your network. You must "
7413
"include logging rules in your firewall for them to be generated, though, and "
7414
"logging rules must come before any applicable terminating rule (a rule with "
7415
"a target that decides the fate of the packet, such as ACCEPT, DROP, or "
7419
#: serverguide/C/security.xml:853(para)
7421
"If you are using <application>ufw</application>, you can turn on logging by "
7422
"entering the following in a terminal:"
7425
#: serverguide/C/security.xml:857(command)
7426
msgid "sudo ufw logging on"
7429
#: serverguide/C/security.xml:859(para)
7431
"To turn logging off in <application>ufw</application>, simply replace "
7432
"<emphasis role=\"italic\">on</emphasis> with <emphasis "
7433
"role=\"italic\">off</emphasis> in the above command."
7436
#: serverguide/C/security.xml:862(para)
7438
"If using <application>iptables</application> instead of "
7439
"<application>ufw</application>, enter:"
7442
#: serverguide/C/security.xml:865(screen)
7446
"sudo iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j LOG --log-"
7447
"prefix \"NEW_HTTP_CONN: \"\n"
7450
#: serverguide/C/security.xml:868(para)
7452
"A request on port 80 from the local machine, then, would generate a log in "
7453
"dmesg that looks like this:"
7456
#: serverguide/C/security.xml:873(programlisting)
7459
"[4304885.870000] NEW_HTTP_CONN: IN=lo OUT= "
7460
"MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 "
7461
"LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=58288 DF PROTO=TCP SPT=53981 DPT=80 "
7462
"WINDOW=32767 RES=0x00 SYN URGP=0"
7465
#: serverguide/C/security.xml:875(para)
7467
"The above log will also appear in <filename>/var/log/messages</filename>, "
7468
"<filename>/var/log/syslog</filename>, and "
7469
"<filename>/var/log/kern.log</filename>. This behavior can be modified by "
7470
"editing <filename>/etc/syslog.conf</filename> appropriately or by installing "
7471
"and configuring <application>ulogd</application> and using the ULOG target "
7472
"instead of LOG. The <application>ulogd</application> daemon is a userspace "
7473
"server that listens for logging instructions from the kernel specifically "
7474
"for firewalls, and can log to any file you like, or even to a "
7475
"<application>PostgreSQL</application> or <application>MySQL</application> "
7476
"database. Making sense of your firewall logs can be simplified by using a "
7477
"log analyzing tool such as <application>fwanalog</application>, "
7478
"<application> fwlogwatch</application>, or <application>lire</application>."
7481
#: serverguide/C/security.xml:890(title)
7485
#: serverguide/C/security.xml:891(para)
7487
"There are many tools available to help you construct a complete firewall "
7488
"without intimate knowledge of iptables. For the GUI-inclined:"
7491
#: serverguide/C/security.xml:897(para)
7493
"<ulink url=\"http://www.fs-security.com/\">Firestarter</ulink> is quite "
7494
"popular and easy to use."
7497
#: serverguide/C/security.xml:902(para)
7499
"<ulink url=\"http://www.fwbuilder.org/\">fwbuilder</ulink> is very powerful "
7500
"and will look familiar to an administrator who has used a commercial "
7501
"firewall utility such as <application>Checkpoint FireWall-1</application>."
7504
#: serverguide/C/security.xml:908(para)
7506
"If you prefer a command-line tool with plain-text configuration files:"
7509
#: serverguide/C/security.xml:913(para)
7511
"<ulink url=\"http://www.shorewall.net/\">Shorewall</ulink> is a very "
7512
"powerful solution to help you configure an advanced firewall for any network."
7515
#: serverguide/C/security.xml:919(para)
7517
"<ulink url=\"http://www.linuxkungfu.org/\">ipkungfu</ulink> should give you "
7518
"a working firewall \"out of the box\" with zero configuration, and will "
7519
"allow you to easily set up a more advanced firewall by editing simple, well-"
7520
"documented configuration files."
7523
#: serverguide/C/security.xml:926(para)
7525
"<ulink url=\"http://fireflier.sourceforge.net/\">fireflier</ulink> is "
7526
"designed to be a desktop firewall application. It is made up of a server "
7527
"(fireflier-server) and your choice of GUI clients (GTK or QT), and behaves "
7528
"like many popular interactive firewall applications for Windows."
7531
#: serverguide/C/security.xml:938(para)
7533
"The <ulink url=\"https://wiki.ubuntu.com/UbuntuFirewall\">Ubuntu "
7534
"Firewall</ulink> wiki page contains information on the development of "
7535
"<application>ufw</application>."
7538
#: serverguide/C/security.xml:944(para)
7540
"Also, the <application>ufw</application> manual page contains some very "
7541
"useful information: <command>man ufw</command>."
7544
#: serverguide/C/security.xml:949(para)
7546
"See the <ulink url=\"http://www.netfilter.org/documentation/HOWTO/packet-"
7547
"filtering-HOWTO.html\">packet-filtering-HOWTO</ulink> for more information "
7548
"on using <application>iptables</application>."
7551
#: serverguide/C/security.xml:955(para)
7553
"The <ulink url=\"http://www.netfilter.org/documentation/HOWTO/NAT-"
7554
"HOWTO.html\">nat-HOWTO</ulink> contains further details on masquerading."
7557
#: serverguide/C/security.xml:964(title)
7561
#: serverguide/C/security.xml:965(para)
7563
"<application>AppArmor</application> is a Linux Security Module "
7564
"implementation of name-based mandatory access controls. AppArmor confines "
7565
"individual programs to a set of listed files and posix 1003.1e draft "
7569
#: serverguide/C/security.xml:969(para)
7571
"<application>AppArmor</application> is installed and loaded by default. It "
7572
"uses <emphasis>profiles</emphasis> of an application to determine what files "
7573
"and permissions the application requires. Some packages will install their "
7574
"own profiles, and additional profiles can be found in the "
7575
"<application>apparmor-profiles</application> package."
7578
#: serverguide/C/security.xml:974(para)
7580
"To install the <application>apparmor-profiles</application> package from a "
7584
#: serverguide/C/security.xml:980(para)
7585
msgid "AppArmor profiles have two modes of execution:"
7588
#: serverguide/C/security.xml:985(para)
7590
"Complaining/Learning: profile violations are permitted and logged. Useful "
7591
"for testing and developing new profiles."
7594
#: serverguide/C/security.xml:990(para)
7596
"Enforced/Confined: enforces profile policy as well as logging the violation."
7599
#: serverguide/C/security.xml:996(title)
7600
msgid "Using AppArmor"
7603
#: serverguide/C/security.xml:997(para)
7605
"The <application>apparmor-utils</application> package contains command line "
7606
"utilities that you can use to change the <application>AppArmor</application> "
7607
"execution mode, find the status of a profile, create new profiles, etc."
7610
#: serverguide/C/security.xml:1003(para)
7612
"<application>apparmor_status</application> is used to view the current "
7613
"status of AppArmor profiles."
7616
#: serverguide/C/security.xml:1007(command)
7617
msgid "sudo apparmor_status"
7620
#: serverguide/C/security.xml:1011(para)
7622
"<application>aa-complain</application> places a profile into "
7623
"<emphasis>complain</emphasis> mode."
7626
#: serverguide/C/security.xml:1015(command)
7627
msgid "sudo aa-complain /path/to/bin"
7630
#: serverguide/C/security.xml:1019(para)
7632
"<application>aa-enforce</application> places a profile into "
7633
"<emphasis>enforce</emphasis> mode."
7636
#: serverguide/C/security.xml:1023(command)
7637
msgid "sudo aa-enforce /path/to/bin"
7640
#: serverguide/C/security.xml:1027(para)
7642
"The <filename>/etc/apparmor.d</filename> directory is where the AppArmor "
7643
"profiles are located. It can be used to manipulate the "
7644
"<emphasis>mode</emphasis> of all profiles."
7647
#: serverguide/C/security.xml:1031(para)
7648
msgid "Enter the following to place all profiles into complain mode:"
7651
#: serverguide/C/security.xml:1035(command)
7652
msgid "sudo aa-complain /etc/apparmor.d/*"
7655
#: serverguide/C/security.xml:1037(para)
7656
msgid "To place all profiles in enforce mode:"
7659
#: serverguide/C/security.xml:1041(command)
7660
msgid "sudo aa-enforce /etc/apparmor.d/*"
7663
#: serverguide/C/security.xml:1045(para)
7665
"<application>apparmor_parser</application> is used to load a profile into "
7666
"the kernel. It can also be used to reload a currently loaded profile using "
7667
"the <emphasis>-r</emphasis> option. To load a profile:"
7670
#: serverguide/C/security.xml:1050(command) serverguide/C/security.xml:1082(command)
7671
msgid "cat /etc/apparmor.d/profile.name | sudo apparmor_parser -a"
7674
#: serverguide/C/security.xml:1052(para)
7675
msgid "To reload a profile:"
7678
#: serverguide/C/security.xml:1056(command)
7679
msgid "cat /etc/apparmor.d/profile.name | sudo apparmor_parser -r"
7682
#: serverguide/C/security.xml:1060(para)
7684
"<filename>/etc/init.d/apparmor</filename> can be used to "
7685
"<emphasis>reload</emphasis> all profiles:"
7688
#: serverguide/C/security.xml:1064(command)
7689
msgid "sudo /etc/init.d/apparmor reload"
7692
#: serverguide/C/security.xml:1068(para)
7694
"The <filename>/etc/apparmor.d/disable</filename> directory can be used along "
7695
"with the <application>apparmor_parser -R</application> option to "
7696
"<emphasis>disable</emphasis> a profile."
7699
#: serverguide/C/security.xml:1073(command)
7700
msgid "sudo ln -s /etc/apparmor.d/profile.name /etc/apparmor.d/disable/"
7703
#: serverguide/C/security.xml:1074(command)
7704
msgid "sudo apparmor_parser -R /etc/apparmor.d/profile.name"
7707
#: serverguide/C/security.xml:1076(para)
7709
"To <emphasis>re-enable</emphasis> a disabled profile remove the symbolic "
7710
"link to the profile in <filename>/etc/apparmor.d/disable/</filename>. Then "
7711
"load the profile using the <emphasis>-a</emphasis> option."
7714
#: serverguide/C/security.xml:1081(command)
7715
msgid "sudo rm /etc/apparmor.d/disable/profile.name"
7718
#: serverguide/C/security.xml:1086(para)
7720
"<application>AppArmor</application> can be disabled, and the kernel module "
7721
"unloaded by entering the following:"
7724
#: serverguide/C/security.xml:1090(command)
7725
msgid "sudo /etc/init.d/apparmor stop"
7728
#: serverguide/C/security.xml:1091(command)
7729
msgid "sudo update-rc.d -f apparmor remove"
7732
#: serverguide/C/security.xml:1095(para)
7733
msgid "To re-enable <application>AppArmor</application> enter:"
7736
#: serverguide/C/security.xml:1099(command)
7737
msgid "sudo /etc/init.d/apparmor start"
7740
#: serverguide/C/security.xml:1100(command)
7741
msgid "sudo update-rc.d apparmor defaults"
7744
#: serverguide/C/security.xml:1105(para)
7746
"Replace <emphasis>profile.name</emphasis> with the name of the profile you "
7747
"want to manipulate. Also, replace <filename>/path/to/bin/</filename> with "
7748
"the actual executable file path. For example for the "
7749
"<application>ping</application> command use <filename>/bin/ping</filename>"
7752
#: serverguide/C/security.xml:1113(title)
7756
#: serverguide/C/security.xml:1114(para)
7758
"<application>AppArmor</application> profiles are simple text files located "
7759
"in <filename>/etc/apparmor.d/</filename>. The files are named after the full "
7760
"path to the executable they profile replacing the \"/\" with \".\". For "
7761
"example <filename>/etc/apparmor.d/bin.ping</filename> is the AppArmor "
7762
"profile for the <filename>/bin/ping</filename> command."
7765
#: serverguide/C/security.xml:1120(para)
7766
msgid "There are two main type of rules used in profiles:"
7769
#: serverguide/C/security.xml:1125(para)
7771
"<emphasis>Path entries:</emphasis> which detail which files an application "
7772
"can access in the file system."
7775
#: serverguide/C/security.xml:1130(para)
7777
"<emphasis>Capability entries:</emphasis> determine what privileges a "
7778
"confined process is allowed to use."
7781
#: serverguide/C/security.xml:1135(para)
7783
"As an example take a look at <filename>/etc/apparmor.d/bin.ping</filename>:"
7786
#: serverguide/C/security.xml:1138(programlisting)
7790
"#include <tunables/global>\n"
7791
"/bin/ping flags=(complain) {\n"
7792
" #include <abstractions/base>\n"
7793
" #include <abstractions/consoles>\n"
7794
" #include <abstractions/nameservice>\n"
7796
" capability net_raw,\n"
7797
" capability setuid,\n"
7798
" network inet raw,\n"
7800
" /bin/ping mixr,\n"
7801
" /etc/modules.conf r,\n"
7805
#: serverguide/C/security.xml:1155(para)
7807
"<emphasis>#include <tunables/global>:</emphasis> include statements "
7808
"from other files. This allows statements pertaining to multiple applications "
7809
"to be placed in a common file."
7812
#: serverguide/C/security.xml:1161(para)
7814
"<emphasis>/bin/ping flags=(complain):</emphasis> path to the profiled "
7815
"program, also setting the mode to <emphasis>complain</emphasis>."
7818
#: serverguide/C/security.xml:1167(para)
7820
"<emphasis>capability net_raw,:</emphasis> allows the application access to "
7821
"the CAP_NET_RAW Posix.1e capability."
7824
#: serverguide/C/security.xml:1172(para)
7826
"<emphasis>/bin/ping mixr,:</emphasis> allows the application read and "
7827
"execute access to the file."
7830
#: serverguide/C/security.xml:1178(para)
7832
"After editing a profile file the profile must be reloaded. See <xref "
7833
"linkend=\"apparmor-usage\"/> for details."
7836
#: serverguide/C/security.xml:1183(title)
7837
msgid "Creating a Profile"
7840
#: serverguide/C/security.xml:1186(para)
7842
"<emphasis>Design a test plan:</emphasis> Try to think about how the "
7843
"application should be exercised. The test plan should be divided into small "
7844
"test cases. Each test case should have a small description and list the "
7848
#: serverguide/C/security.xml:1190(para)
7849
msgid "Some standard test cases are:"
7852
#: serverguide/C/security.xml:1195(para)
7853
msgid "Starting the program."
7856
#: serverguide/C/security.xml:1200(para)
7857
msgid "Stopping the program."
7860
#: serverguide/C/security.xml:1205(para)
7861
msgid "Reloading the program."
7864
#: serverguide/C/security.xml:1210(para)
7865
msgid "Testing all the commands supported by the init script."
7868
#: serverguide/C/security.xml:1217(para)
7870
"<emphasis>Generate the new profile:</emphasis> Use <application>aa-"
7871
"genprof</application> to generate a new profile. From a terminal:"
7874
#: serverguide/C/security.xml:1222(command)
7875
msgid "sudo aa-genprof executable"
7878
#: serverguide/C/security.xml:1224(para)
7879
msgid "For example:"
7882
#: serverguide/C/security.xml:1228(command)
7883
msgid "sudo aa-genprof slapd"
7886
#: serverguide/C/security.xml:1232(para)
7888
"To get your new profile included in the <application>apparmor-"
7889
"profiles</application> package, file a bug in <emphasis>Launchpad</emphasis> "
7890
"against the <ulink "
7891
"url=\"https://bugs.launchpad.net/ubuntu/+source/apparmor/+filebug\">AppArmor<"
7895
#: serverguide/C/security.xml:1239(para)
7896
msgid "Include your test plan and test cases."
7899
#: serverguide/C/security.xml:1244(para)
7900
msgid "Attach your new profile to the bug."
7903
#: serverguide/C/security.xml:1253(title)
7904
msgid "Updating Profiles"
7907
#: serverguide/C/security.xml:1254(para)
7909
"When the program is misbehaving, audit messages are sent to the log files. "
7910
"The program <application>aa-logprof</application> can be used to scan log "
7911
"files for <application>AppArmor</application> audit messages, review them "
7912
"and update the profiles. From a terminal:"
7915
#: serverguide/C/security.xml:1259(command)
7916
msgid "sudo aa-logprof"
7919
#: serverguide/C/security.xml:1267(para)
7922
"url=\"http://www.novell.com/documentation/apparmor/apparmor201_sp10_admin/ind"
7923
"ex.html?page=/documentation/apparmor/apparmor201_sp10_admin/data/book_apparmo"
7924
"r_admin.html\">AppArmor Administration Guide</ulink> for advanced "
7925
"configuration options."
7928
#: serverguide/C/security.xml:1274(para)
7930
"For details using AppArmor with other Ubuntu releases see the <ulink "
7931
"url=\"https://help.ubuntu.com/community/AppArmor\"> AppArmor Community "
7932
"Wiki</ulink> page."
7935
#: serverguide/C/security.xml:1282(para)
7937
"The <ulink url=\"http://en.opensuse.org/AppArmor\">OpenSUSE AppArmor</ulink> "
7938
"page is another introduction to AppArmor."
7941
#: serverguide/C/security.xml:1289(para)
7943
"A great place to ask for <application>AppArmor</application> assistance, and "
7944
"get involved with the Ubuntu Server community, is the <emphasis>#ubuntu-"
7945
"server</emphasis> IRC channel on <ulink "
7946
"url=\"http://freenode.net\">freenode</ulink>."
7949
#: serverguide/C/security.xml:1299(title)
7950
msgid "Certificates"
7953
#: serverguide/C/security.xml:1300(para)
7955
"One of the most common forms of cryptography today is <emphasis>public-"
7956
"key</emphasis> cryptography. Public-key cryptography utilizes a "
7957
"<emphasis>public key</emphasis> and a <emphasis>private key</emphasis>. The "
7958
"system works by <emphasis>encrypting</emphasis> information using the public "
7959
"key. The information can then only be <emphasis>decrypted</emphasis> using "
7963
#: serverguide/C/security.xml:1306(para)
7965
"A common use for public-key cryptography is encrypting application traffic "
7966
"using a Secure Socket Layer (SSL) or Transport Layer Security (TLS) "
7967
"connection. For example, configuring Apache to provide "
7968
"<emphasis>HTTPS</emphasis>, the HTTP protocol over SSL. This allows a way to "
7969
"encrypt traffic using a protocol that does not itself provide encryption."
7972
#: serverguide/C/security.xml:1311(para)
7974
"A <emphasis>Certificate</emphasis> is a method used to distribute a "
7975
"<emphasis>public key</emphasis> and other information about a server and the "
7976
"organization who is responsible for it. Certificates can be digitally signed "
7977
"by a <emphasis>Certification Authority</emphasis> or CA. A CA is a trusted "
7978
"third party that has confirmed that the information contained in the "
7979
"certificate is accurate."
7982
#: serverguide/C/security.xml:1318(title)
7983
msgid "Types of Certificates"
7986
#: serverguide/C/security.xml:1319(para)
7988
"To set up a secure server using public-key cryptography, in most cases, you "
7989
"send your certificate request (including your public key), proof of your "
7990
"company's identity, and payment to a CA. The CA verifies the certificate "
7991
"request and your identity, and then sends back a certificate for your secure "
7992
"server. Alternatively, you can create your own <emphasis>self-"
7993
"signed</emphasis> certificate."
7996
#: serverguide/C/security.xml:1329(para)
7998
"Note, that self-signed certificates should not be used in most production "
8002
#: serverguide/C/security.xml:1333(para)
8004
"Continuing the HTTPS example, a CA-signed certificate provides two important "
8005
"capabilities that a self-signed certificate does not:"
8008
#: serverguide/C/security.xml:1340(para)
8010
"Browsers (usually) automatically recognize the certificate and allow a "
8011
"secure connection to be made without prompting the user."
8014
#: serverguide/C/security.xml:1347(para)
8016
"When a CA issues a signed certificate, it is guaranteeing the identity of "
8017
"the organization that is providing the web pages to the browser."
8020
#: serverguide/C/security.xml:1355(para)
8022
"Most Web browsers, and computers, that support SSL have a list of CAs whose "
8023
"certificates they automatically accept. If a browser encounters a "
8024
"certificate whose authorizing CA is not in the list, the browser asks the "
8025
"user to either accept or decline the connection. Also, other applications "
8026
"may generate an error message when using a self-singed certificate."
8029
#: serverguide/C/security.xml:1363(para)
8031
"The process of getting a certificate from a CA is fairly easy. A quick "
8032
"overview is as follows:"
8035
#: serverguide/C/security.xml:1370(para)
8036
msgid "Create a private and public encryption key pair."
8039
#: serverguide/C/security.xml:1373(para)
8041
"Create a certificate request based on the public key. The certificate "
8042
"request contains information about your server and the company hosting it."
8045
#: serverguide/C/security.xml:1378(para)
8047
"Send the certificate request, along with documents proving your identity, to "
8048
"a CA. We cannot tell you which certificate authority to choose. Your "
8049
"decision may be based on your past experiences, or on the experiences of "
8050
"your friends or colleagues, or purely on monetary factors."
8053
#: serverguide/C/security.xml:1384(para)
8055
"Once you have decided upon a CA, you need to follow the instructions they "
8056
"provide on how to obtain a certificate from them."
8059
#: serverguide/C/security.xml:1389(para)
8061
"When the CA is satisfied that you are indeed who you claim to be, they send "
8062
"you a digital certificate."
8065
#: serverguide/C/security.xml:1393(para)
8067
"Install this certificate on your secure server, and configure the "
8068
"appropriate applications to use the certificate."
8071
#: serverguide/C/security.xml:1402(title)
8072
msgid "Generating a Certificate Signing Request (CSR)"
8075
#: serverguide/C/security.xml:1404(para)
8077
"Whether you are getting a certificate from a CA or generating your own self-"
8078
"signed certificate, the first step is to generate a key."
8081
#: serverguide/C/security.xml:1409(para)
8083
"If the certificate will be used by service daemons, such as Apache, Postfix, "
8084
"Dovecot, etc, a key without a passphrase is often appropriate. Not having a "
8085
"passphrase allows the services to start without manual intervention, usually "
8086
"the preferred way to start a daemon."
8089
#: serverguide/C/security.xml:1415(para)
8091
"This section will cover generating a key with a passphrase, and one without. "
8092
"The non-passphrase key will then be used to generate a certificate that can "
8093
"be used with various service daemons."
8096
#: serverguide/C/security.xml:1421(para)
8098
"Running your secure service without a passphrase is convenient because you "
8099
"will not need to enter the passphrase every time you start your secure "
8100
"service. But it is insecure and a compromise of the key means a compromise "
8101
"of the server as well."
8104
#: serverguide/C/security.xml:1428(para)
8106
"To generate the <emphasis>keys</emphasis> for the Certificate Signing "
8107
"Request (CSR) run the following command from a terminal prompt:"
8110
#: serverguide/C/security.xml:1434(command)
8111
msgid "openssl genrsa -des3 -out server.key 1024"
8114
#: serverguide/C/security.xml:1437(programlisting)
8118
"Generating RSA private key, 1024 bit long modulus\n"
8119
".....................++++++\n"
8120
".................++++++\n"
8121
"unable to write 'random state'\n"
8122
"e is 65537 (0x10001)\n"
8123
"Enter pass phrase for server.key:\n"
8126
#: serverguide/C/security.xml:1446(para)
8128
"You can now enter your passphrase. For best security, it should at least "
8129
"contain eight characters. The minimum length when specifying -des3 is four "
8130
"characters. It should include numbers and/or punctuation and not be a word "
8131
"in a dictionary. Also remember that your passphrase is case-sensitive."
8134
#: serverguide/C/security.xml:1454(para)
8136
"Re-type the passphrase to verify. Once you have re-typed it correctly, the "
8137
"server key is generated and stored in the <filename>server.key</filename> "
8141
#: serverguide/C/security.xml:1460(para)
8143
"Now create the insecure key, the one without a passphrase, and shuffle the "
8147
#: serverguide/C/security.xml:1466(command)
8148
msgid "openssl rsa -in server.key -out server.key.insecure"
8151
#: serverguide/C/security.xml:1467(command)
8152
msgid "mv server.key server.key.secure"
8155
#: serverguide/C/security.xml:1468(command)
8156
msgid "mv server.key.insecure server.key"
8159
#: serverguide/C/security.xml:1471(para)
8161
"The insecure key is now named <filename>server.key</filename>, and you can "
8162
"use this file to generate the CSR without passphrase."
8165
#: serverguide/C/security.xml:1476(para)
8166
msgid "To create the CSR, run the following command at a terminal prompt:"
8169
#: serverguide/C/security.xml:1481(command)
8170
msgid "openssl req -new -key server.key -out server.csr"
8173
#: serverguide/C/security.xml:1484(para)
8175
"It will prompt you enter the passphrase. If you enter the correct "
8176
"passphrase, it will prompt you to enter Company Name, Once you enter all "
8177
"these details, your CSR will be created and it will be stored in the "
8178
"<filename>server.csr</filename> file. Site Name, Email Id, etc."
8181
#: serverguide/C/security.xml:1492(para)
8183
"You can now submit this CSR file to a CA for processing. The CA will use "
8184
"this CSR file and issue the certificate. On the other hand, you can create "
8185
"self-signed certificate using this CSR."
8188
#: serverguide/C/security.xml:1500(title)
8189
msgid "Creating a Self-Signed Certificate"
8192
#: serverguide/C/security.xml:1501(para)
8194
"To create the self-signed certificate, run the following command at a "
8198
#: serverguide/C/security.xml:1506(command)
8200
"openssl x509 -req -days 365 -in server.csr -signkey server.key -out "
8204
#: serverguide/C/security.xml:1509(para)
8206
"The above command will prompt you to enter the passphrase. Once you enter "
8207
"the correct passphrase, your certificate will be created and it will be "
8208
"stored in the <filename>server.crt</filename> file."
8211
#: serverguide/C/security.xml:1514(para)
8213
"If your secure server is to be used in a production environment, you "
8214
"probably need a CA-signed certificate. It is not recommended to use self-"
8215
"signed certificate."
8218
#: serverguide/C/security.xml:1522(title)
8219
msgid "Installing the Certificate"
8222
#: serverguide/C/security.xml:1524(para)
8224
"You can install the key file <filename>server.key</filename> and certificate "
8225
"file <filename>server.crt</filename>, or the certificate file issued by your "
8226
"CA, by running following commands at a terminal prompt:"
8229
#: serverguide/C/security.xml:1530(command)
8230
msgid "sudo cp server.crt /etc/ssl/certs"
8233
#: serverguide/C/security.xml:1531(command)
8234
msgid "sudo cp server.key /etc/ssl/private"
8237
#: serverguide/C/security.xml:1533(para)
8239
"Now simply configure any applications, with the ability to use public-key "
8240
"cryptography, to use the <emphasis>certificate</emphasis> and "
8241
"<emphasis>key</emphasis> files. For example, "
8242
"<application>Apache</application> can provide HTTPS, "
8243
"<application>Dovecot</application> can provide IMAPS and POP3S, etc."
8246
#: serverguide/C/security.xml:1540(title)
8247
msgid "Certification Authority"
8250
#: serverguide/C/security.xml:1542(para)
8252
"If the services on your network require more than a few self-signed "
8253
"certificates it may be worth the additional effort to setup your own "
8254
"internal <emphasis>Certification Authority (CA)</emphasis>. Using "
8255
"certificates signed by your own CA, allows the various services using the "
8256
"certificates to easily trust other services using certificates issued from "
8260
#: serverguide/C/security.xml:1552(para)
8262
"First, create the directories to hold the CA certificate and related files:"
8265
#: serverguide/C/security.xml:1557(command)
8266
msgid "sudo mkdir /etc/ssl/CA"
8269
#: serverguide/C/security.xml:1558(command)
8270
msgid "sudo mkdir /etc/ssl/newcerts"
8273
#: serverguide/C/security.xml:1564(para)
8275
"The CA needs a few additional files to operate, one to keep track of the "
8276
"last serial number used by the CA, each certificate must have a unique "
8277
"serial number, and another file to record which certificates have been "
8281
#: serverguide/C/security.xml:1571(command)
8282
msgid "sudo sh -c \"echo '01' > /etc/ssl/CA/serial\""
8285
#: serverguide/C/security.xml:1572(command)
8286
msgid "sudo touch /etc/ssl/CA/index.txt"
8289
#: serverguide/C/security.xml:1578(para)
8291
"The third file is a CA configuration file. Though not strictly necessary, it "
8292
"is very convenient when issuing multiple certificates. Edit "
8293
"<filename>/etc/ssl/openssl.cnf</filename>, and in the <emphasis>[ CA_default "
8294
"]</emphasis> change:"
8297
#: serverguide/C/security.xml:1584(programlisting)
8301
"dir = /etc/ssl/ # Where everything is kept\n"
8302
"database = $dir/CA/index.txt # database index file.\n"
8303
"certificate = $dir/certs/cacert.pem # The CA certificate\n"
8304
"serial = $dir/CA/serial # The current serial number\n"
8305
"private_key = $dir/private/cakey.pem# The private key\n"
8308
#: serverguide/C/security.xml:1595(para)
8309
msgid "Next, create the self-singed root certificate:"
8312
#: serverguide/C/security.xml:1600(command)
8314
"openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -"
8318
#: serverguide/C/security.xml:1603(para)
8319
msgid "You will then be asked to enter the details about the certificate."
8322
#: serverguide/C/security.xml:1610(para)
8323
msgid "Now install the root certificate and key:"
8326
#: serverguide/C/security.xml:1615(command)
8327
msgid "sudo mv cakey.pem /etc/ssl/private/"
8330
#: serverguide/C/security.xml:1616(command)
8331
msgid "sudo mv cacert.pem /etc/ssl/certs/"
8334
#: serverguide/C/security.xml:1622(para)
8336
"You are now ready to start signing certificates. The first item needed is a "
8337
"Certificate Signing Request (CSR), see <xref linkend=\"generating-a-csr\"/> "
8338
"for details. Once you have a CSR, enter the following to generate a "
8339
"certificate signed by the CA:"
8342
#: serverguide/C/security.xml:1629(command)
8343
msgid "sudo openssl ca -in server.csr -config /etc/ssl/openssl.cnf"
8346
#: serverguide/C/security.xml:1632(para)
8348
"After entering the password for the CA key, you will be prompted to sign the "
8349
"certificate, and again to commit the new certificate. You should then see a "
8350
"somewhat large amount of output related to the certificate creation."
8353
#: serverguide/C/security.xml:1641(para)
8355
"There should now be a new file, "
8356
"<filename>/etc/ssl/newcerts/01.pem</filename>, containing the same output. "
8357
"Copy and paste everything between the <emphasis>-----BEGIN CERTIFICATE-----"
8358
"</emphasis> and <emphasis>----END CERTIFICATE-----</emphasis> lines to a "
8359
"file named after the hostname of the server where the certificate will be "
8360
"installed. For example <filename>mail.example.com.crt</filename>, is a nice "
8364
#: serverguide/C/security.xml:1649(para)
8366
"Subsequent certificates will be named <filename>02.pem</filename>, "
8367
"<filename>03.pem</filename>, etc."
8370
#: serverguide/C/security.xml:1654(para)
8372
"Replace <emphasis>mail.example.com.crt</emphasis> with your own descriptive "
8376
#: serverguide/C/security.xml:1662(para)
8378
"Finally, copy the new certificate to the host that needs it, and configure "
8379
"the appropriate applications to use it. The default location to install "
8380
"certificates is <filename role=\"directory\">/etc/ssl/certs</filename>. This "
8381
"enables multiple services to use the same certificate without overly "
8382
"complicated file permissions."
8385
#: serverguide/C/security.xml:1668(para)
8387
"For applications that can be configured to use a CA certificate, you should "
8388
"also copy the <filename>/etc/ssl/certs/cacert.pem</filename> file to the "
8389
"<filename role=\"directory\">/etc/ssl/certs/</filename> directory on each "
8393
#: serverguide/C/security.xml:1682(para)
8395
"For more detailed instructions on using cryptography see the <ulink "
8396
"url=\"http://tldp.org/HOWTO/SSL-Certificates-HOWTO/index.html\">SSL "
8397
"Certificates HOWTO</ulink> by tlpd.org"
8400
#: serverguide/C/security.xml:1688(para)
8402
"<ulink url=\"http://www.pki-page.org/\">The PKI Page</ulink> contains a list "
8403
"of Certificate Authorities."
8406
#: serverguide/C/security.xml:1693(para)
8408
"The Wikipedia <ulink "
8409
"url=\"http://en.wikipedia.org/wiki/Https\">HTTPS</ulink> page has more "
8410
"information regarding HTTPS."
8413
#: serverguide/C/security.xml:1698(para)
8415
"For more information on <emphasis>OpenSSL</emphasis> see the <ulink "
8416
"url=\"http://www.openssl.org/\">OpenSSL Home Page</ulink>."
8419
#: serverguide/C/security.xml:1703(para)
8421
"Also, O'Reilly's <ulink "
8422
"url=\"http://oreilly.com/catalog/9780596002701/\">Network Security with "
8423
"OpenSSL</ulink> is a good in depth reference."
8426
#: serverguide/C/security.xml:1712(title)
8430
#: serverguide/C/security.xml:1714(para)
8432
"<emphasis>eCryptfs</emphasis> is a POSIX-compliant enterprise-class stacked "
8433
"cryptographic filesystem for Linux. Layering on top of the filesystem layer "
8434
"<emphasis>eCryptfs</emphasis> protects files no matter the underlying "
8435
"filesystem, partition type, etc."
8438
#: serverguide/C/security.xml:1720(para)
8440
"During installation there is an option to encrypt the <filename "
8441
"role=\"directory\">/home</filename> partition. This will automatically "
8442
"configure everything needed to encrypt and mount the partition."
8445
#: serverguide/C/security.xml:1725(para)
8447
"As an example, this section will cover configuring <filename "
8448
"role=\"directory\">/srv</filename> to be encrypted using eCryptfs."
8451
#: serverguide/C/security.xml:1730(title)
8452
msgid "Using eCryptfs"
8455
#: serverguide/C/security.xml:1732(para)
8456
msgid "First, install the necessary packages. From a terminal prompt enter:"
8459
#: serverguide/C/security.xml:1737(command)
8460
msgid "sudo apt-get install ecryptfs-utils"
8463
#: serverguide/C/security.xml:1740(para)
8464
msgid "Now mount the partition to be encrypted:"
8467
#: serverguide/C/security.xml:1745(command)
8468
msgid "sudo mount -t ecryptfs /srv /srv"
8471
#: serverguide/C/security.xml:1748(para)
8473
"You will then be prompted for some details on how "
8474
"<application>ecryptfs</application> should encrypt the data."
8477
#: serverguide/C/security.xml:1752(para)
8479
"To test that files placed in <filename>/srv</filename> are indeed encrypted "
8480
"copy the <filename>/etc/default</filename> folder to "
8481
"<filename>/srv</filename>:"
8484
#: serverguide/C/security.xml:1758(command) serverguide/C/clustering.xml:192(command)
8485
msgid "sudo cp -r /etc/default /srv"
8488
#: serverguide/C/security.xml:1761(para)
8489
msgid "Now unmount <filename>/srv</filename>, and try to view a file:"
8492
#: serverguide/C/security.xml:1766(command) serverguide/C/installation.xml:1089(command) serverguide/C/clustering.xml:200(command)
8493
msgid "sudo umount /srv"
8496
#: serverguide/C/security.xml:1767(command)
8497
msgid "cat /srv/default/cron"
8500
#: serverguide/C/security.xml:1770(para)
8502
"Remounting <filename>/srv</filename> using "
8503
"<application>ecryptfs</application> will make the data viewable once again."
8506
#: serverguide/C/security.xml:1776(title)
8507
msgid "Automatically Mounting Encrypted Partitions"
8510
#: serverguide/C/security.xml:1778(para)
8512
"There are a couple of ways to automatically mount an "
8513
"<application>ecryptfs</application> encrypted filesystem at boot. This "
8514
"example will use a <filename>/root/.ecryptfsrc</filename> file containing "
8515
"mount options, along with a passphrase file residing on a USB key."
8518
#: serverguide/C/security.xml:1784(para)
8519
msgid "First, create <filename>/root/.ecryptfsrc</filename> containing:"
8522
#: serverguide/C/security.xml:1788(programlisting)
8526
"key=passphrase:passphrase_passwd_file=/mnt/usb/passwd_file.txt\n"
8527
"ecryptfs_sig=5826dd62cf81c615\n"
8528
"ecryptfs_cipher=aes\n"
8529
"ecryptfs_key_bytes=16\n"
8530
"ecryptfs_passthrough=n\n"
8531
"ecryptfs_enable_filename_crypto=n\n"
8534
#: serverguide/C/security.xml:1798(para)
8536
"Adjust the <emphasis>ecryptfs_sig</emphasis> to the signature in "
8537
"<filename>/root/.ecryptfs/sig-cache.txt</filename>."
8540
#: serverguide/C/security.xml:1803(para)
8542
"Next, create the <filename>/mnt/usb/passwd_file.txt</filename> passphrase "
8546
#: serverguide/C/security.xml:1807(programlisting)
8550
"passphrase_passwd=[secrets]\n"
8553
#: serverguide/C/security.xml:1811(para)
8554
msgid "Now add the necessary lines to <filename>/etc/fstab</filename>:"
8557
#: serverguide/C/security.xml:1815(programlisting)
8561
"/dev/sdb1 /mnt/usb ext3 ro 0 0\n"
8562
"/srv /srv ecryptfs defaults 0 0\n"
8565
#: serverguide/C/security.xml:1820(para)
8566
msgid "Make sure the USB drive is mounted before the encrypted partition."
8569
#: serverguide/C/security.xml:1824(para)
8571
"Finally, reboot and the <filename>/srv</filename> should be mounted using "
8575
#: serverguide/C/security.xml:1832(para)
8577
"The <application>ecryptfs-utils</application> package includes several other "
8581
#: serverguide/C/security.xml:1838(para)
8583
"<emphasis>ecryptfs-setup-private:</emphasis> creates a "
8584
"<filename>~/Private</filename> directory to contain encrypted information. "
8585
"This utility can be run by unprivileged users to keep data private from "
8586
"other users on the system."
8589
#: serverguide/C/security.xml:1845(para)
8591
"<emphasis>ecryptfs-mount-private and ecryptfs-umount-private:</emphasis> "
8592
"will mount and unmount respectively, a users <filename>~/Private</filename> "
8596
#: serverguide/C/security.xml:1851(para)
8598
"<emphasis>ecryptfs-add-passphrase:</emphasis> adds a new passphrase to the "
8602
#: serverguide/C/security.xml:1856(para)
8604
"<emphasis>ecryptfs-manager:</emphasis> manages "
8605
"<application>eCryptfs</application> objects such as keys."
8608
#: serverguide/C/security.xml:1861(para)
8610
"<emphasis>ecryptfs-stat:</emphasis> allows you to view the "
8611
"<application>ecryptfs</application> meta information for a file."
8614
#: serverguide/C/security.xml:1874(para)
8616
"For more information on eCryptfs see the <ulink "
8617
"url=\"https://launchpad.net/ecryptfs\">Launch Pad project page</ulink>"
8620
#: serverguide/C/security.xml:1879(para)
8622
"There is also a <ulink "
8623
"url=\"http://www.linuxjournal.com/article/9400\">Linux Journal</ulink> "
8624
"article covering eCryptfs."
8627
#: serverguide/C/security.xml:1884(para)
8629
"Also, for more <application>ecryptfs</application> options see the <ulink "
8630
"url=\"http://manpages.ubuntu.com/manpages/jaunty/en/man7/ecryptfs.7.html\">ec"
8631
"ryptfs man page</ulink>."
8634
#: serverguide/C/remote-administration.xml:13(title)
8635
msgid "Remote Administration"
8638
#: serverguide/C/remote-administration.xml:14(para)
8640
"There are many ways to remotely administer a Linux server. This chapter will "
8641
"cover one of the most popular <application>SSH</application> as well as "
8642
"<application>eBox</application>, a web based administration framework."
8645
#: serverguide/C/remote-administration.xml:23(para)
8647
"This section of the Ubuntu Server Guide introduces a powerful collection of "
8648
"tools for the remote control of networked computers and transfer of data "
8649
"between networked computers, called <emphasis>OpenSSH</emphasis>. You will "
8650
"also learn about some of the configuration settings possible with the "
8651
"OpenSSH server application and how to change them on your Ubuntu system."
8654
#: serverguide/C/remote-administration.xml:30(para)
8656
"OpenSSH is a freely available version of the Secure Shell (SSH) protocol "
8657
"family of tools for remotely controlling a computer or transferring files "
8658
"between computers. Traditional tools used to accomplish these functions, "
8659
"such as <application>telnet</application> or <application>rcp</application>, "
8660
"are insecure and transmit the user's password in cleartext when used. "
8661
"OpenSSH provides a server daemon and client tools to facilitate secure, "
8662
"encrypted remote control and file transfer operations, effectively replacing "
8666
#: serverguide/C/remote-administration.xml:39(para)
8668
"The OpenSSH server component, <application>sshd</application>, listens "
8669
"continuously for client connections from any of the client tools. When a "
8670
"connection request occurs, <application>sshd</application> sets up the "
8671
"correct connection depending on the type of client tool connecting. For "
8672
"example, if the remote computer is connecting with the "
8673
"<application>ssh</application> client application, the OpenSSH server sets "
8674
"up a remote control session after authentication. If a remote user connects "
8675
"to an OpenSSH server with <application>scp</application>, the OpenSSH server "
8676
"daemon initiates a secure copy of files between the server and client after "
8677
"authentication. OpenSSH can use many authentication methods, including plain "
8678
"password, public key, and <application>Kerberos</application> tickets."
8681
#: serverguide/C/remote-administration.xml:53(para)
8683
"Installation of the OpenSSH client and server applications is simple. To "
8684
"install the OpenSSH client applications on your Ubuntu system, use this "
8685
"command at a terminal prompt:"
8688
#: serverguide/C/remote-administration.xml:59(command)
8689
msgid "sudo apt-get install openssh-client"
8692
#: serverguide/C/remote-administration.xml:61(para)
8694
"To install the OpenSSH server application, and related support files, use "
8695
"this command at a terminal prompt:"
8698
#: serverguide/C/remote-administration.xml:66(command)
8699
msgid "sudo apt-get install openssh-server"
8702
#: serverguide/C/remote-administration.xml:68(para)
8704
"The <application>openssh-server</application> package can also be selected "
8705
"to install during the Server Edition installation process."
8708
#: serverguide/C/remote-administration.xml:75(para)
8710
"You may configure the default behavior of the OpenSSH server application, "
8711
"<application>sshd</application>, by editing the file "
8712
"<filename>/etc/ssh/sshd_config</filename>. For information about the "
8713
"configuration directives used in this file, you may view the appropriate "
8714
"manual page with the following command, issued at a terminal prompt:"
8717
#: serverguide/C/remote-administration.xml:83(command)
8718
msgid "man sshd_config"
8721
#: serverguide/C/remote-administration.xml:85(para)
8723
"There are many directives in the <application>sshd</application> "
8724
"configuration file controlling such things as communication settings and "
8725
"authentication modes. The following are examples of configuration directives "
8726
"that can be changed by editing the <filename>/etc/ssh/sshd_config</filename> "
8730
#: serverguide/C/remote-administration.xml:92(para)
8732
"Prior to editing the configuration file, you should make a copy of the "
8733
"original file and protect it from writing so you will have the original "
8734
"settings as a reference and to reuse as necessary."
8737
#: serverguide/C/remote-administration.xml:96(para)
8739
"Copy the <filename>/etc/ssh/sshd_config</filename> file and protect it from "
8740
"writing with the following commands, issued at a terminal prompt:"
8743
#: serverguide/C/remote-administration.xml:101(command)
8744
msgid "sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.original"
8747
#: serverguide/C/remote-administration.xml:102(command)
8748
msgid "sudo chmod a-w /etc/ssh/sshd_config.original"
8751
#: serverguide/C/remote-administration.xml:104(para)
8753
"The following are examples of configuration directives you may change:"
8756
#: serverguide/C/remote-administration.xml:109(para)
8758
"To set your OpenSSH to listen on TCP port 2222 instead of the default TCP "
8759
"port 22, change the Port directive as such:"
8762
#: serverguide/C/remote-administration.xml:113(para)
8766
#: serverguide/C/remote-administration.xml:118(para)
8768
"To have <application>sshd</application> allow public key-based login "
8769
"credentials, simply add or modify the line:"
8772
#: serverguide/C/remote-administration.xml:122(para)
8773
msgid "PubkeyAuthentication yes"
8776
#: serverguide/C/remote-administration.xml:125(para)
8778
"In the <filename>/etc/ssh/sshd_config</filename> file, or if already "
8779
"present, ensure the line is not commented out."
8782
#: serverguide/C/remote-administration.xml:131(para)
8784
"To make your OpenSSH server display the contents of the "
8785
"<filename>/etc/issue.net</filename> file as a pre-login banner, simply add "
8786
"or modify the line:"
8789
#: serverguide/C/remote-administration.xml:136(para)
8790
msgid "Banner /etc/issue.net"
8793
#: serverguide/C/remote-administration.xml:139(para)
8794
msgid "In the <filename>/etc/ssh/sshd_config</filename> file."
8797
#: serverguide/C/remote-administration.xml:144(para)
8799
"After making changes to the <filename>/etc/ssh/sshd_config</filename> file, "
8800
"save the file, and restart the <application>sshd</application> server "
8801
"application to effect the changes using the following command at a terminal "
8805
#: serverguide/C/remote-administration.xml:153(para)
8807
"Many other configuration directives for <application>sshd</application> are "
8808
"available for changing the server application's behavior to fit your needs. "
8809
"Be advised, however, if your only method of access to a server is "
8810
"<application>ssh</application>, and you make a mistake in configuring "
8811
"<application>sshd</application> via the "
8812
"<filename>/etc/ssh/sshd_config</filename> file, you may find you are locked "
8813
"out of the server upon restarting it, or that the "
8814
"<application>sshd</application> server refuses to start due to an incorrect "
8815
"configuration directive, so be extra careful when editing this file on a "
8819
#: serverguide/C/remote-administration.xml:168(title)
8823
#: serverguide/C/remote-administration.xml:169(para)
8825
"SSH <emphasis>keys</emphasis> allow authentication between two hosts without "
8826
"the need of a password. SSH key authentication uses two keys a "
8827
"<emphasis>private</emphasis> key and a <emphasis>public</emphasis> key."
8830
#: serverguide/C/remote-administration.xml:173(para)
8831
msgid "To generate the keys, from a terminal prompt enter:"
8834
#: serverguide/C/remote-administration.xml:177(command)
8835
msgid "ssh-keygen -t dsa"
8838
#: serverguide/C/remote-administration.xml:179(para)
8840
"This will generate the keys using a <emphasis>DSA</emphasis> authentication "
8841
"identity of the user. During the process you will be prompted for a "
8842
"password. Simply hit <emphasis>Enter</emphasis> when prompted to create the "
8846
#: serverguide/C/remote-administration.xml:183(para)
8848
"By default the <emphasis>public</emphasis> key is saved in the file "
8849
"<filename>~/.ssh/id_dsa.pub</filename>, while "
8850
"<filename>~/.ssh/id_dsa</filename> is the <emphasis>private</emphasis> key. "
8851
"Now copy the <filename>id_dsa.pub</filename> file to the remote host and "
8852
"append it to <filename>~/.ssh/authorized_keys</filename> by entering:"
8855
#: serverguide/C/remote-administration.xml:189(command)
8856
msgid "ssh-copy-id username@remotehost"
8859
#: serverguide/C/remote-administration.xml:191(para)
8861
"Finally, double check the permissions on the "
8862
"<filename>authorized_keys</filename> file, only the authenticated user "
8863
"should have read and write permissions. If the permissions are not correct "
8867
#: serverguide/C/remote-administration.xml:196(command)
8868
msgid "chmod 644 .ssh/authorized_keys"
8871
#: serverguide/C/remote-administration.xml:198(para)
8873
"You should now be able to SSH to the host without being prompted for a "
8877
#: serverguide/C/remote-administration.xml:205(ulink)
8878
msgid "OpenSSH Website"
8881
#: serverguide/C/remote-administration.xml:208(ulink)
8882
msgid "Advanced OpenSSH Wiki Page"
8885
#: serverguide/C/remote-administration.xml:213(title)
8889
#: serverguide/C/remote-administration.xml:214(para)
8891
"<application>eBox</application> is a web framework used to manage server "
8892
"application configuration. The modular design of eBox allows you to pick and "
8893
"choose which services you want to configure using eBox."
8896
#: serverguide/C/remote-administration.xml:221(para)
8898
"The different <application>eBox</application> modules are split into "
8899
"different packages, allowing you to only install those necessary. One way to "
8900
"view the available packages is to enter the following from a terminal:"
8903
#: serverguide/C/remote-administration.xml:227(command)
8904
msgid "apt-cache rdepends ebox | uniq"
8907
#: serverguide/C/remote-administration.xml:229(para)
8909
"To install the <application>ebox</application> package, which contains the "
8910
"default modules, enter the following:"
8913
#: serverguide/C/remote-administration.xml:234(command)
8914
msgid "sudo apt-get install ebox"
8917
#: serverguide/C/remote-administration.xml:237(para)
8919
"During the installation you will be asked to supply a password for the ebox "
8920
"user. After installing eBox the web interface can be accessed from: "
8921
"<emphasis>https://yourserver/ebox</emphasis>."
8924
#: serverguide/C/remote-administration.xml:246(para)
8926
"An important thing to remember when using <application>eBox</application> is "
8927
"that when configuring most modules there is a <emphasis>Change</emphasis> "
8928
"button that implements the new configuration. After clicking the Change "
8929
"button most, but not all, modules will then need to be "
8930
"<emphasis>Saved</emphasis>. To save the new configuration click on the "
8931
"<quote>Save changes</quote> link in the top right hand corner."
8934
#: serverguide/C/remote-administration.xml:254(para)
8936
"Once you make a change that requires a Save, the link will change from green "
8940
#: serverguide/C/remote-administration.xml:260(title)
8941
msgid "eBox Modules"
8944
#: serverguide/C/remote-administration.xml:261(para)
8946
"By default all eBox <emphasis>Modules</emphasis> are not enabled, and when a "
8947
"new module is installed it will not be automatically enabled."
8950
#: serverguide/C/remote-administration.xml:265(para)
8952
"To enable a disabled module click on the <emphasis>Module status</emphasis> "
8953
"link in the left hand menu. Then <emphasis role=\"italic\">check</emphasis> "
8954
"which modules you would like to enable and click the <quote>Save</quote> "
8958
#: serverguide/C/remote-administration.xml:271(title)
8959
msgid "Default Modules"
8962
#: serverguide/C/remote-administration.xml:272(para)
8964
"This section provides a quick summary of the default "
8965
"<application>eBox</application> modules."
8968
#: serverguide/C/remote-administration.xml:278(para)
8970
"<emphasis>System:</emphasis> contains options allowing configuration of "
8971
"general eBox items."
8974
#: serverguide/C/remote-administration.xml:284(para)
8976
"<emphasis>General:</emphasis> allows you to set the language, port number, "
8977
"and contains a change password form."
8980
#: serverguide/C/remote-administration.xml:290(para)
8982
"<emphasis>Disk Usage:</emphasis> displays a graph detailing information "
8986
#: serverguide/C/remote-administration.xml:296(para)
8988
"<emphasis>Backup:</emphasis> is used to backup "
8989
"<application>eBox</application> configuration information, and the "
8990
"<emphasis>Full Backup</emphasis> option allows you to save all eBox "
8991
"information not included in the <emphasis>Configuration</emphasis> option "
8992
"such as log files."
8995
#: serverguide/C/remote-administration.xml:304(para)
8997
"<emphasis>Halt/Reboot:</emphasis> will shutdown the system or reboot it."
9000
#: serverguide/C/remote-administration.xml:309(para)
9002
"<emphasis>Bug Report:</emphasis> creates a file containing details helpful "
9003
"when reporting bugs to the eBox developers."
9006
#: serverguide/C/remote-administration.xml:317(para)
9008
"<emphasis>Logs:</emphasis> allows <application>eBox</application> logs to be "
9009
"queried depending on the purge time configured."
9012
#: serverguide/C/remote-administration.xml:323(para)
9014
"<emphasis>Events:</emphasis> this module has the ability to send alerts "
9015
"through rss, jabber, and log file."
9018
#: serverguide/C/remote-administration.xml:330(emphasis)
9019
msgid "Available Events:"
9022
#: serverguide/C/remote-administration.xml:334(para)
9024
"<emphasis>Free Storage Space:</emphasis> will send alert if free disk space "
9025
"drops below a configured percentage, 10% by default."
9028
#: serverguide/C/remote-administration.xml:340(para)
9030
"<emphasis>Log Observer:</emphasis> unfortunately this event does not work "
9031
"with the <application>eBox</application> version shipped with Ubuntu 7.10."
9034
#: serverguide/C/remote-administration.xml:346(para)
9036
"<emphasis>RAID:</emphasis> will monitor the RAID system and send alerts if "
9040
#: serverguide/C/remote-administration.xml:352(para)
9042
"<emphasis>Service:</emphasis> sends alerts if a service restarts multiple "
9043
"times in a short time period."
9046
#: serverguide/C/remote-administration.xml:358(para)
9048
"<emphasis>State:</emphasis> alerts on the state of "
9049
"<application>eBox</application>, either up or down."
9052
#: serverguide/C/remote-administration.xml:367(emphasis)
9053
msgid "Dispatchers:"
9056
#: serverguide/C/remote-administration.xml:371(para)
9058
"<emphasis>Log:</emphasis> this dispatcher will send event messages to the "
9059
"<application>eBox</application> log file "
9060
"<filename>/var/log/ebox/ebox.log</filename>."
9063
#: serverguide/C/remote-administration.xml:378(para)
9065
"<emphasis>Jabber:</emphasis> before enabling this dispatcher you must first "
9066
"configure it by clicking on the <quote>Configure</quote> icon."
9069
#: serverguide/C/remote-administration.xml:384(para)
9071
"<emphasis>RSS:</emphasis> once this dispatcher is configured you can "
9072
"subscribe to the link in order to view event alerts."
9075
#: serverguide/C/remote-administration.xml:397(title)
9076
msgid "Additional Modules"
9079
#: serverguide/C/remote-administration.xml:398(para)
9081
"Here is a quick description of other available "
9082
"<application>eBox</application> modules:"
9085
#: serverguide/C/remote-administration.xml:403(para)
9087
"<emphasis>Network:</emphasis> allows configuration of the server's network "
9088
"options through eBox."
9091
#: serverguide/C/remote-administration.xml:409(para)
9093
"<emphasis>Firewall:</emphasis> configures firewall options for the eBox host."
9096
#: serverguide/C/remote-administration.xml:414(para)
9098
"<emphasis>UsersandGroups:</emphasis> this module will manage users and "
9099
"groups contained in an <application>OpenLDAP</application> LDAP directory."
9102
#: serverguide/C/remote-administration.xml:420(para)
9104
"<emphasis>DHCP:</emphasis> provides an interface for configuring a DHCP "
9108
#: serverguide/C/remote-administration.xml:425(para)
9110
"<emphasis>DNS:</emphasis> provides <application>BIND9</application> DNS "
9111
"server configuration options."
9114
#: serverguide/C/remote-administration.xml:431(para)
9116
"<emphasis>Objects:</emphasis> allow configuration of eBox <emphasis>Network "
9117
"Objects</emphasis>, which allow you to assign a name to an IP address or "
9121
#: serverguide/C/remote-administration.xml:438(para)
9123
"<emphasis>Services:</emphasis> displays configuration information for "
9124
"services that are available to the network."
9127
#: serverguide/C/remote-administration.xml:444(para)
9129
"<emphasis>Squid:</emphasis> configuration options for the "
9130
"<application>Squid</application> proxy server."
9133
#: serverguide/C/remote-administration.xml:450(para)
9135
"<emphasis>CA:</emphasis> configures a Certificate Authority for the server."
9138
#: serverguide/C/remote-administration.xml:455(para)
9139
msgid "<emphasis>NTP:</emphasis> set Network Time Protocol options."
9142
#: serverguide/C/remote-administration.xml:460(para)
9143
msgid "<emphasis>Printers:</emphasis> allows the configuration of printers."
9146
#: serverguide/C/remote-administration.xml:465(para)
9147
msgid "<emphasis>Samba:</emphasis> configuration options for Samba."
9150
#: serverguide/C/remote-administration.xml:470(para)
9152
"<emphasis>OpenVPN:</emphasis> setup options for OpenVPN Virtual Private "
9153
"Network application."
9156
#: serverguide/C/remote-administration.xml:481(para)
9158
"For more information see the <ulink url=\"http://ebox-platform.com/\">eBox "
9159
"Home Page</ulink>."
9162
#: serverguide/C/package-management.xml:13(title)
9163
msgid "Package Management"
9166
#: serverguide/C/package-management.xml:14(para)
9168
"Ubuntu features a comprehensive package management system for the "
9169
"installation, upgrade, configuration, and removal of software. In addition "
9170
"to providing access to an organized base of over 24,000 software packages "
9171
"for your Ubuntu computer, the package management facilities also feature "
9172
"dependency resolution capabilities and software update checking."
9175
#: serverguide/C/package-management.xml:16(para)
9177
"Several tools are available for interacting with Ubuntu's package management "
9178
"system, from simple command-line utilities which may be easily automated by "
9179
"system administrators, to a simple graphical interface which is easy to use "
9180
"by those new to Ubuntu."
9183
#: serverguide/C/package-management.xml:21(para)
9185
"Ubuntu's package management system is derived from the same system used by "
9186
"the Debian GNU/Linux distribution. The package files contain all of the "
9187
"necessary files, meta-data, and instructions to implement a particular "
9188
"functionality or software application on your Ubuntu computer."
9191
#: serverguide/C/package-management.xml:24(para)
9193
"Debian package files typically have the extension '.deb', and typically "
9194
"exist in <emphasis role=\"italics\">repositories</emphasis> which are "
9195
"collections of packages found on various media, such as CD-ROM discs, or "
9196
"online. Packages are normally of the pre-compiled binary format; thus "
9197
"installation is quick and requires no compiling of software."
9200
#: serverguide/C/package-management.xml:27(para)
9202
"Many complex packages use the concept of <emphasis "
9203
"role=\"italics\">dependencies</emphasis>. Dependencies are additional "
9204
"packages required by the principal package in order to function properly. "
9205
"For example, the speech synthesis package "
9206
"<application>Festival</application> depends upon the package "
9207
"<application>libasound2</application>, which is a package supplying the "
9208
"<application>ALSA</application> sound library needed for audio playback. In "
9209
"order for <application>Festival</application> to function, it and all of its "
9210
"dependencies must be installed. The software management tools in Ubuntu will "
9211
"do this automatically."
9214
#: serverguide/C/package-management.xml:32(title)
9218
#: serverguide/C/package-management.xml:34(para)
9220
"<application>dpkg</application> is a package manager for "
9221
"<emphasis>Debian</emphasis> based systems. It can install, remove, and build "
9222
"packages, but unlike other package management system's it can not "
9223
"automatically download and install packages and their dependencies. This "
9224
"section covers using <application>dpkg</application> to manage locally "
9225
"installed packages:"
9228
#: serverguide/C/package-management.xml:43(para)
9230
"To list all packages installed on the system, from a terminal prompt enter:"
9233
#: serverguide/C/package-management.xml:48(command)
9237
#: serverguide/C/package-management.xml:54(para)
9239
"Depending on the amount of packages on your system, this can generate a "
9240
"large amount of output. Pipe the output through "
9241
"<application>grep</application> to see if a specific package is installed:"
9244
#: serverguide/C/package-management.xml:60(command)
9245
msgid "dpkg -l | grep apache2"
9248
#: serverguide/C/package-management.xml:63(para)
9250
"Replace <emphasis>apache2</emphasis> with any package name, part of a "
9251
"package name, or other regular expression."
9254
#: serverguide/C/package-management.xml:70(para)
9256
"To list the files installed by a package, in this case the "
9257
"<application>ufw</application> package, enter:"
9260
#: serverguide/C/package-management.xml:75(command)
9264
#: serverguide/C/package-management.xml:81(para)
9266
"If you are not sure which package installed a file, <application>dpkg -"
9267
"S</application> may be able to tell you. For example:"
9270
#: serverguide/C/package-management.xml:87(command)
9271
msgid "dpkg -S /etc/host.conf"
9274
#: serverguide/C/package-management.xml:88(computeroutput)
9276
msgid "base-files: /etc/host.conf"
9279
#: serverguide/C/package-management.xml:91(para)
9281
"The output shows that the <filename>/etc/host.conf</filename> belongs to the "
9282
"<application>base-files</application> package."
9285
#: serverguide/C/package-management.xml:96(para)
9287
"Many files are automatically generated during the package install process, "
9288
"and even though they are on the filesystem <command>dpkg -S</command> may "
9289
"not know which package they belong to."
9292
#: serverguide/C/package-management.xml:105(para)
9293
msgid "You can install a local <emphasis>.deb</emphasis> file by entering:"
9296
#: serverguide/C/package-management.xml:110(command)
9297
msgid "sudo dpkg -i zip_2.32-1_i386.deb"
9300
#: serverguide/C/package-management.xml:113(para)
9302
"Change <filename>zip_2.32-1_i386.deb</filename> to the actual file name of "
9303
"the local .deb file."
9306
#: serverguide/C/package-management.xml:120(para)
9307
msgid "Uninstalling a package can be accomplished by:"
9310
#: serverguide/C/package-management.xml:125(command)
9311
msgid "sudo dpkg -r zip"
9314
#: serverguide/C/package-management.xml:129(para)
9316
"Uninstalling packages using <application>dpkg</application>, in most cases, "
9317
"is <emphasis>NOT</emphasis> recommended. It is better to use a package "
9318
"manager that handles dependencies, to ensure that the system is in a "
9319
"consistent state. For example using <command>dpkg -r</command> you can "
9320
"remove the <application>zip</application> package, but any packages that "
9321
"depend on it will still be installed and may no longer function correctly."
9324
#: serverguide/C/package-management.xml:140(para)
9326
"For more <application>dpkg</application> options see the man page: "
9327
"<command>man dpkg</command>."
9330
#: serverguide/C/package-management.xml:146(title)
9334
#: serverguide/C/package-management.xml:147(para)
9336
"The <application>apt-get</application> command is a powerful command-line "
9337
"tool used to work with Ubuntu's <emphasis>Advanced Packaging Tool</emphasis> "
9338
"(APT) performing such functions as installation of new software packages, "
9339
"upgrade of existing software packages, updating of the package list index, "
9340
"and even upgrading the entire Ubuntu system."
9343
#: serverguide/C/package-management.xml:150(para)
9345
"Being a simple command-line tool, <application>apt-get</application> has "
9346
"numerous advantages over other package management tools available in Ubuntu "
9347
"for server administrators. Some of these advantages include ease of use over "
9348
"simple terminal connections (SSH) and the ability to be used in system "
9349
"administration scripts, which can in turn be automated by the "
9350
"<application>cron</application> scheduling utility."
9353
#: serverguide/C/package-management.xml:157(para)
9355
"<emphasis role=\"bold\">Install a Package</emphasis>: Installation of "
9356
"packages using the <application>apt-get</application> tool is quite simple. "
9357
"For example, to install the network scanner <emphasis "
9358
"role=\"italics\">nmap</emphasis>, type the following: <screen>\n"
9359
"<command>sudo apt-get install nmap</command>\n"
9363
#: serverguide/C/package-management.xml:165(para)
9365
"<emphasis role=\"bold\">Remove a Package</emphasis>: Removal of a package or "
9366
"packages is also a straightforward and simple process. To remove the nmap "
9367
"package installed in the previous example, type the following: <screen>\n"
9368
"<command>sudo apt-get remove nmap</command>\n"
9372
#: serverguide/C/package-management.xml:172(para)
9374
"<emphasis role=\"bold\">Multiple Packages</emphasis>: You may specify "
9375
"multiple packages to be installed or removed, separated by spaces."
9378
#: serverguide/C/package-management.xml:175(para)
9380
"Also, adding the <emphasis>--purge</emphasis> options to <command>apt-get "
9381
"remove</command> will remove the package configuration files as well. This "
9382
"may or may not be the desired effect so use with caution."
9385
#: serverguide/C/package-management.xml:181(para)
9387
"<emphasis role=\"bold\">Update the Package Index</emphasis>: The APT package "
9388
"index is essentially a database of available packages from the repositories "
9389
"defined in the <filename>/etc/apt/sources.list</filename> file. To update "
9390
"the local package index with the latest changes made in repositories, type "
9391
"the following: <screen>\n"
9392
"<command>sudo apt-get update</command>\n"
9396
#: serverguide/C/package-management.xml:189(para)
9398
"<emphasis role=\"bold\">Upgrade Packages</emphasis>: Over time, updated "
9399
"versions of packages currently installed on your computer may become "
9400
"available from the package repositories (for example security updates). To "
9401
"upgrade your system, first update your package index as outlined above, and "
9402
"then type: <screen>\n"
9403
"<command>sudo apt-get upgrade</command>\n"
9407
#: serverguide/C/package-management.xml:195(para)
9409
"For information on upgrading to a new Ubuntu release see <xref "
9410
"linkend=\"installing-upgrading\"/>."
9413
#: serverguide/C/package-management.xml:153(para)
9415
"Some examples of popular uses for the <application>apt-get</application> "
9416
"utility: <placeholder-1/>"
9419
#: serverguide/C/package-management.xml:201(para)
9421
"Actions of the <application>apt-get</application> command, such as "
9422
"installation and removal of packages, are logged in the /var/log/dpkg.log "
9426
#: serverguide/C/package-management.xml:204(para)
9428
"For further information about the use of <application>APT</application>, "
9429
"read the comprehensive <ulink url=\"http://www.debian.org/doc/user-"
9430
"manuals#apt-howto\">Debian APT User Manual</ulink> or type: <screen>apt-get "
9434
#: serverguide/C/package-management.xml:208(title)
9438
#: serverguide/C/package-management.xml:209(para)
9440
"<application>Aptitude</application> is a menu-driven, text-based front-end "
9441
"to the <emphasis>Advanced Packaging Tool</emphasis> (APT) system. Many of "
9442
"the common package management functions, such as installation, removal, and "
9443
"upgrade, are performed in <application>Aptitude</application> with single-"
9444
"key commands, which are typically lowercase letters."
9447
#: serverguide/C/package-management.xml:212(para)
9449
"<application>Aptitude</application> is best suited for use in a non-"
9450
"graphical terminal environment to ensure proper functioning of the command "
9451
"keys. You may start <application>Aptitude</application> as a normal user "
9452
"with the following command at a terminal prompt: <screen>\n"
9453
"<command>sudo aptitude</command>\n"
9457
#: serverguide/C/package-management.xml:219(para)
9459
"When <application>Aptitude</application> starts, you will see a menu bar at "
9460
"the top of the screen and two panes below the menu bar. The top pane "
9461
"contains package categories, such as <emphasis role=\"italics\">New "
9462
"Packages</emphasis> and <emphasis role=\"italics\">Not Installed "
9463
"Packages</emphasis>. The bottom pane contains information related to the "
9464
"packages and package categories."
9467
#: serverguide/C/package-management.xml:222(para)
9469
"Using <application>Aptitude</application> for package management is "
9470
"relatively straightforward, and the user interface makes common tasks simple "
9471
"to perform. The following are examples of common package management "
9472
"functions as performed in <application>Aptitude</application>:"
9475
#: serverguide/C/package-management.xml:226(para)
9477
"<emphasis role=\"bold\">Install Packages</emphasis>: To install a package, "
9478
"locate the package via the Not Installed Packages package category, for "
9479
"example, by using the keyboard arrow keys and the <keycap>ENTER</keycap> "
9480
"key, and highlight the package you wish to install. After highlighting the "
9481
"package you wish to install, press the <keycap>+</keycap> key, and the "
9482
"package entry should turn <emphasis role=\"italics\">green</emphasis>, "
9483
"indicating it has been marked for installation. Now press <keycap>g</keycap> "
9484
"to be presented with a summary of package actions. Press <keycap>g</keycap> "
9485
"again, and you will be prompted to become root to complete the installation. "
9486
"Press <keycap>ENTER</keycap> which will result in a Password: prompt. Enter "
9487
"your user password to become root. Finally, press <keycap>g</keycap> once "
9488
"more and you'll be prompted to download the package. Press "
9489
"<keycap>ENTER</keycap> on the <emphasis role=\"italics\">Continue</emphasis> "
9490
"prompt, and downloading and installation of the package will commence."
9493
#: serverguide/C/package-management.xml:230(para)
9495
"<emphasis role=\"bold\">Remove Packages</emphasis>: To remove a package, "
9496
"locate the package via the Installed Packages package category, for example, "
9497
"by using the keyboard arrow keys and the <keycap>ENTER</keycap> key, and "
9498
"highlight the package you wish to remove. After highlighting the package you "
9499
"wish to install, press the <keycap>-</keycap> key, and the package entry "
9500
"should turn <emphasis role=\"italics\">pink</emphasis>, indicating it has "
9501
"been marked for removal. Now press <keycap>g</keycap> to be presented with a "
9502
"summary of package actions. Press <keycap>g</keycap> again, and you will be "
9503
"prompted to become root to complete the installation. Press "
9504
"<keycap>ENTER</keycap> which will result in a Password: prompt. Enter your "
9505
"user password to become root. Finally, press <keycap>g</keycap> once more, "
9506
"and you'll be prompted to download the package. Press <keycap>ENTER</keycap> "
9507
"on the <emphasis role=\"italics\">Continue</emphasis> prompt, and removal of "
9508
"the package will commence."
9511
#: serverguide/C/package-management.xml:234(para)
9513
"<emphasis role=\"bold\">Update Package Index</emphasis>: To update the "
9514
"package index, simply press the <keycap>u</keycap> key and you will be "
9515
"prompted to become root to complete the update. Press <keycap>ENTER</keycap> "
9516
"which will result in a Password: prompt. Enter your user password to become "
9517
"root. Updating of the package index will commence. Press "
9518
"<keycap>ENTER</keycap> on the OK prompt when the download dialog is "
9519
"presented to complete the process."
9522
#: serverguide/C/package-management.xml:238(para)
9524
"<emphasis role=\"bold\">Upgrade Packages</emphasis>: To upgrade packages, "
9525
"perform the update of the package index as detailed above, and then press "
9526
"the <keycap>U</keycap> key to mark all packages with updates. Now press "
9527
"<keycap>g</keycap> whereby you'll be presented with a summary of package "
9528
"actions. Press <keycap>g</keycap> again, and you will be prompted to become "
9529
"root to complete the installation. Press <keycap>ENTER</keycap> which will "
9530
"result in a Password: prompt. Enter your user password to become root. "
9531
"Finally, press <keycap>g</keycap> once more, and you'll be prompted to "
9532
"download the packages. Press <keycap>ENTER</keycap> on the <emphasis "
9533
"role=\"italics\">Continue</emphasis> prompt, and upgrade of the packages "
9537
#: serverguide/C/package-management.xml:245(para)
9538
msgid "<emphasis role=\"bold\">i</emphasis>: Installed package"
9541
#: serverguide/C/package-management.xml:250(para)
9543
"<emphasis role=\"bold\">c</emphasis>: Package not installed, but package "
9544
"configuration remains on system"
9547
#: serverguide/C/package-management.xml:254(para)
9548
msgid "<emphasis role=\"bold\">p</emphasis>: Purged from system"
9551
#: serverguide/C/package-management.xml:258(para)
9552
msgid "<emphasis role=\"bold\">v</emphasis>: Virtual package"
9555
#: serverguide/C/package-management.xml:262(para)
9556
msgid "<emphasis role=\"bold\">B</emphasis>: Broken package"
9559
#: serverguide/C/package-management.xml:266(para)
9561
"<emphasis role=\"bold\">u</emphasis>: Unpacked files, but package not yet "
9565
#: serverguide/C/package-management.xml:270(para)
9567
"<emphasis role=\"bold\">C</emphasis>: Half-configured - Configuration failed "
9571
#: serverguide/C/package-management.xml:274(para)
9573
"<emphasis role=\"bold\">H</emphasis>: Half-installed - Removal failed and "
9577
#: serverguide/C/package-management.xml:242(para)
9579
"The first column of information displayed in the package list in the top "
9580
"pane, when actually viewing packages lists the current state of the package, "
9581
"and uses the following key to describe the state of the package: "
9585
#: serverguide/C/package-management.xml:280(para)
9587
"To exit Aptitude, simply press the <keycap>q</keycap> key and confirm you "
9588
"wish to exit. Many other functions are available from the Aptitude menu by "
9589
"pressing the <keycap>F10</keycap> key."
9592
#: serverguide/C/package-management.xml:285(title)
9593
msgid "Automatic Updates"
9596
#: serverguide/C/package-management.xml:287(para)
9598
"The <application>unattended-upgrades</application> package can be used to "
9599
"automatically install updated packages, and can be configured to update all "
9600
"packages or just install security updates. First, install the package by "
9601
"entering the following in a terminal:"
9604
#: serverguide/C/package-management.xml:293(command)
9605
msgid "sudo apt-get install unattended-upgrades"
9608
#: serverguide/C/package-management.xml:296(para)
9610
"To configure <application>unattended-upgrades</application>, edit "
9611
"<filename>/etc/apt/apt.conf.d/50unattended-upgrades</filename> and adjust "
9612
"the following to fit your needs:"
9615
#: serverguide/C/package-management.xml:301(programlisting)
9619
"Unattended-Upgrade::Allowed-Origins {\n"
9620
" \"Ubuntu karmic-security\";\n"
9621
"// \"Ubuntu karmic-updates\";\n"
9625
#: serverguide/C/package-management.xml:308(para)
9627
"Certain packages can also be <emphasis>blacklisted</emphasis> and therefore "
9628
"will not be automatically updated. To blacklist a package, add it to the "
9632
#: serverguide/C/package-management.xml:313(programlisting)
9636
"Unattended-Upgrade::Package-Blacklist {\n"
9639
"// \"libc6-dev\";\n"
9640
"// \"libc6-i686\";\n"
9644
#: serverguide/C/package-management.xml:323(para)
9646
"The double <emphasis><quote>//</quote></emphasis> serve as comments, so "
9647
"whatever follows \"//\" will not be evaluated."
9650
#: serverguide/C/package-management.xml:328(para)
9652
"The results of <application>unattended-upgrades</application> will be logged "
9653
"to <filename>/var/log/unattended-upgrades</filename>."
9656
#: serverguide/C/package-management.xml:333(title)
9657
msgid "Notifications"
9660
#: serverguide/C/package-management.xml:335(para)
9662
"Configuring <emphasis>Unattended-Upgrade::Mail</emphasis> in "
9663
"<filename>/etc/apt/apt.conf.d/50unattended-upgrades</filename> will enable "
9664
"<application>unattended-upgrades</application> to email an administrator "
9665
"detailing any packages that need upgrading or have problems."
9668
#: serverguide/C/package-management.xml:340(para)
9670
"Another useful package is <application>apticron</application>. "
9671
"<application>apticron</application> will configure a "
9672
"<application>cron</application> job to email an administrator information "
9673
"about any packages on the system that need updated as well as a summary of "
9674
"changes in each package."
9677
#: serverguide/C/package-management.xml:346(para)
9679
"To install the <application>apticron</application> package, in a terminal "
9683
#: serverguide/C/package-management.xml:351(command)
9684
msgid "sudo apt-get install apticron"
9687
#: serverguide/C/package-management.xml:354(para)
9689
"Once the package is installed edit "
9690
"<filename>/etc/apticron/apticron.conf</filename>, to set the email address "
9691
"and other options:"
9694
#: serverguide/C/package-management.xml:358(programlisting)
9698
"EMAIL=\"root@example.com\"\n"
9701
#: serverguide/C/package-management.xml:367(para)
9703
"Configuration of the <emphasis>Advanced Packaging Tool</emphasis> (APT) "
9704
"system repositories is stored in the /etc/apt/sources.list configuration "
9705
"file. An example of this file is referenced here, along with information on "
9706
"adding or removing repository references from the file."
9709
#: serverguide/C/package-management.xml:373(para)
9711
"<ulink url=\"../sample/sources.list\">Here</ulink> is a simple example of a "
9712
"typical <filename>/etc/apt/sources.list</filename> file."
9715
#: serverguide/C/package-management.xml:377(para)
9717
"You may edit the file to enable repositories or disable them. For example, "
9718
"to disable the requirement of inserting the Ubuntu CD-ROM whenever package "
9719
"operations occur, simply comment out the appropriate line for the CD-ROM, "
9720
"which appears at the top of the file:"
9723
#: serverguide/C/package-management.xml:382(screen)
9727
"# no more prompting for CD-ROM please\n"
9728
"# deb cdrom:[Ubuntu 9.10_Karmic_Koala - Release i386 (20070419.1)]/ karmic "
9732
#: serverguide/C/package-management.xml:388(title)
9733
msgid "Extra Repositories"
9736
#: serverguide/C/package-management.xml:389(para)
9738
"In addition to the officially supported package repositories available for "
9739
"Ubuntu, there exist additional community-maintained repositories which add "
9740
"thousands more potential packages for installation. Two of the most popular "
9741
"are the <emphasis>Universe</emphasis> and <emphasis>Multiverse</emphasis> "
9742
"repositories. These repositories are not officially supported by Ubuntu, but "
9743
"because they are maintained by the community they generally provide packages "
9744
"which are safe for use with your Ubuntu computer."
9747
#: serverguide/C/package-management.xml:392(para)
9749
"Packages in the <emphasis>Multiverse</emphasis> repository often have "
9750
"licensing issues that prevent them from being distributed with a free "
9751
"operating system, and they may be illegal in your locality."
9754
#: serverguide/C/package-management.xml:394(para)
9756
"Be advised that neither the <emphasis>Universe</emphasis> or "
9757
"<emphasis>Multiverse</emphasis> repositories contain officially supported "
9758
"packages. In particular, there may not be security updates for these "
9762
#: serverguide/C/package-management.xml:398(para)
9764
"Many other package sources are available, sometimes even offering only one "
9765
"package, as in the case of package sources provided by the developer of a "
9766
"single application. You should always be very careful and cautious when "
9767
"using non-standard package sources, however. Research the source and "
9768
"packages carefully before performing any installation, as some package "
9769
"sources and their packages could render your system unstable or non-"
9770
"functional in some respects."
9773
#: serverguide/C/package-management.xml:401(para)
9775
"By default, the <emphasis>Universe</emphasis> and "
9776
"<emphasis>Multiverse</emphasis> repositories are enabled but if you would "
9777
"like to disable them edit <filename>/etc/apt/sources.list</filename> and "
9778
"comment the following lines:"
9781
#: serverguide/C/package-management.xml:408(programlisting)
9785
"deb http://archive.ubuntu.com/ubuntu karmic universe multiverse\n"
9786
"deb-src http://archive.ubuntu.com/ubuntu karmic universe multiverse\n"
9788
"deb http://us.archive.ubuntu.com/ubuntu/ karmic universe\n"
9789
"deb-src http://us.archive.ubuntu.com/ubuntu/ karmic universe\n"
9790
"deb http://us.archive.ubuntu.com/ubuntu/ karmic-updates universe\n"
9791
"deb-src http://us.archive.ubuntu.com/ubuntu/ karmic-updates universe\n"
9793
"deb http://us.archive.ubuntu.com/ubuntu/ karmic multiverse\n"
9794
"deb-src http://us.archive.ubuntu.com/ubuntu/ karmic multiverse\n"
9795
"deb http://us.archive.ubuntu.com/ubuntu/ karmic-updates multiverse\n"
9796
"deb-src http://us.archive.ubuntu.com/ubuntu/ karmic-updates multiverse\n"
9798
"deb http://security.ubuntu.com/ubuntu karmic-security universe\n"
9799
"deb-src http://security.ubuntu.com/ubuntu karmic-security universe\n"
9800
"deb http://security.ubuntu.com/ubuntu karmic-security multiverse\n"
9801
"deb-src http://security.ubuntu.com/ubuntu karmic-security multiverse\n"
9804
#: serverguide/C/package-management.xml:434(para)
9806
"Most of the material covered in this chapter is available in "
9807
"<application>man</application> pages, many of which are available online."
9810
#: serverguide/C/package-management.xml:441(para)
9812
"For more <application>dpkg</application> details see the <ulink "
9813
"url=\"http://manpages.ubuntu.com/manpages/jaunty/en/man1/dpkg.1.html\">dpkg "
9817
#: serverguide/C/package-management.xml:447(para)
9819
"The <ulink url=\"http://www.debian.org/doc/manuals/apt-howto/\">APT "
9820
"HOWTO</ulink> and <ulink "
9821
"url=\"http://manpages.ubuntu.com/manpages/jaunty/en/man8/apt-"
9822
"get.8.html\">apt-get man page</ulink> contain useful information regarding "
9823
"<application>apt-get</application> usage."
9826
#: serverguide/C/package-management.xml:454(para)
9829
"url=\"http://manpages.ubuntu.com/manpages/jaunty/man8/aptitude.8.html\">aptit"
9830
"ude man page</ulink> for more <application>aptitude</application> options."
9833
#: serverguide/C/package-management.xml:460(para)
9836
"url=\"https://help.ubuntu.com/community/Repositories/Ubuntu\">Adding "
9837
"Repositories HOWTO (Ubuntu Wiki)</ulink> page contains more details on "
9838
"adding repositories."
9841
#: serverguide/C/other-apps.xml:13(title)
9842
msgid "Other Useful Applications"
9845
#: serverguide/C/other-apps.xml:15(para)
9847
"There are many very useful applications developed by the Ubuntu Server Team, "
9848
"and others that are well integrated with Ubuntu Server Edition, that might "
9849
"not be well known. This chapter will showcase some useful applications that "
9850
"can make administering an Ubuntu server, or many Ubuntu servers, that much "
9854
#: serverguide/C/other-apps.xml:23(title)
9858
#: serverguide/C/other-apps.xml:25(para)
9860
"When logging into an Ubuntu server you may have noticed the informative "
9861
"Message Of The Day (MOTD). This information is obtained and displayed using "
9862
"a couple of packages:"
9865
#: serverguide/C/other-apps.xml:32(para)
9867
"<emphasis>landscape-common:</emphasis> provides the core libraries of "
9868
"<application>landscape-client</application>, which can be used to manage "
9869
"systems using the web based <emphasis>Landscape</emphasis> application. The "
9870
"package includes the <application>/usr/bin/landscape-sysinfo</application> "
9871
"utility which is used to gather the information displayed in the MOTD."
9874
#: serverguide/C/other-apps.xml:40(para)
9876
"<emphasis>update-motd:</emphasis> is used to automatically update the MOTD "
9877
"via <application>cron</application>."
9880
#: serverguide/C/other-apps.xml:46(para)
9882
"The <application>update-motd</application> utility has several options to "
9883
"further customize the MOTD:"
9886
#: serverguide/C/other-apps.xml:52(para)
9888
"<emphasis>--disable:</emphasis> prevents automatic updates of the MOTD. "
9889
"Using this option creates the <filename>/var/lib/update-"
9890
"motd/disabled</filename> file, which if present stops <application>update-"
9891
"motd</application> from modifying <filename>/etc/motd</filename>."
9894
#: serverguide/C/other-apps.xml:59(para)
9896
"<emphasis>--enable:</emphasis> enables the automatic MOTD updates. If "
9897
"<filename>/var/lib/update-motd</filename> is present it will be removed."
9900
#: serverguide/C/other-apps.xml:65(para)
9902
"<emphasis>--force:</emphasis> does a one time update of "
9903
"<filename>/etc/motd</filename>, overriding <application>update-"
9904
"motd</application> if it has been disabled."
9907
#: serverguide/C/other-apps.xml:71(para)
9909
"<emphasis>d, hourly, weekly, monthly:</emphasis> option will run the scripts "
9910
"in <filename>/etc/update-motd.d/</filename> (default), <filename>/etc/update-"
9911
"motd.d/hourly</filename>, <filename>/etc/update-motd.d/weekly</filename>, or "
9912
"<filename>/etc/update-motd.d/monthly</filename> respectively."
9915
#: serverguide/C/other-apps.xml:79(para)
9917
"<application>update-motd</application> executes the scripts in "
9918
"<filename>/etc/update-motd.d</filename> in order based on the number "
9919
"prepended to the script. Separate <application>cron</application> scripts "
9920
"execute every ten minutes, hourly, weekly, and monthly running the "
9921
"corresponding scripts in <filename>/etc/update-motd.d</filename>. The output "
9922
"of the scripts is written to <filename>/var/run/update-motd/</filename>, "
9923
"keeping the numerical order, then concatenated with "
9924
"<filename>/etc/motd.tail</filename> and written to "
9925
"<filename>/etc/motd</filename>."
9928
#: serverguide/C/other-apps.xml:87(para)
9930
"You can add your own dynamic information to the MOTD. For example, to add "
9931
"local weather information:"
9934
#: serverguide/C/other-apps.xml:93(para)
9935
msgid "First, install the <application>weather-util</application> package:"
9938
#: serverguide/C/other-apps.xml:98(command)
9939
msgid "sudo apt-get install weather-util"
9942
#: serverguide/C/other-apps.xml:103(para)
9944
"The <application>weather</application> utility uses METAR data from the "
9945
"National Oceanic and Atmospheric Administration and forecasts from the "
9946
"National Weather Service. In order to find local information you will need "
9947
"the 4-character ICAO location indicator. This can be determined by browsing "
9948
"to the <ulink url=\"http://www.weather.gov/tg/siteloc.shtml\">National "
9949
"Weather Service</ulink> site."
9952
#: serverguide/C/other-apps.xml:110(para)
9954
"Although the National Weather Service is a United States government agency "
9955
"there are weather stations available world wide. However, local weather "
9956
"information for all locations outside the U.S. may not be available."
9959
#: serverguide/C/other-apps.xml:116(para)
9961
"Create <filename>/usr/local/bin/local-weather</filename>, a simple shell "
9962
"script to use <application>weather</application> with your local ICAO "
9966
#: serverguide/C/other-apps.xml:121(programlisting)
9971
"##########################################################################\n"
9973
"# Prints the local weather to /var/run/update-motd/60-local-weather \n"
9974
"# for update-motd.\n"
9976
"##########################################################################\n"
9978
"# Replace KINT with your local weather station.\n"
9979
"# Local stations can be found here: http://www.weather.gov/tg/siteloc.shtml\n"
9981
"echo \"\" > /var/run/update-motd/60-local-weather\n"
9982
"weather -i KINT >> /var/run/update-motd/60-local-weather\n"
9986
#: serverguide/C/other-apps.xml:139(para)
9987
msgid "Make the script executable:"
9990
#: serverguide/C/other-apps.xml:144(command)
9991
msgid "sudo chmod 755 /usr/local/bin/local-weather"
9994
#: serverguide/C/other-apps.xml:148(para)
9996
"Next, create a symlink to <filename>/etc/update-motd.d/60-local-"
9997
"weather</filename>:"
10000
#: serverguide/C/other-apps.xml:153(command)
10002
"sudo ln -s /usr/local/bin/local-weather /etc/update-motd.d/60-local-weather"
10005
#: serverguide/C/other-apps.xml:157(para)
10006
msgid "Finally, update the MOTD:"
10009
#: serverguide/C/other-apps.xml:162(command)
10010
msgid "sudo update-motd"
10013
#: serverguide/C/other-apps.xml:167(para)
10015
"You should now be greeted with some useful information, and some information "
10016
"about the local weather that may not be quite so useful. Hopefully the "
10017
"<application>local-weather</application> example demonstrates the "
10018
"flexibility of <application>update-motd</application>."
10021
#: serverguide/C/other-apps.xml:175(title)
10025
#: serverguide/C/other-apps.xml:177(para)
10027
"<application>etckeeper</application> allows the contents of <filename "
10028
"role=\"directory\">/etc</filename> be easily stored in Version Control "
10029
"System (VCS) repository. It hooks into <application>apt</application> to "
10030
"automatically commit changes to <filename>/etc</filename> when packages are "
10031
"installed or upgraded. Placing <filename>/etc</filename> under version "
10032
"control is considered an industry best practice, and the goal of "
10033
"<application>etckeeper</application> is to make this process as painless as "
10037
#: serverguide/C/other-apps.xml:185(para)
10039
"Install <application>etckeeper</application> by entering the following in a "
10043
#: serverguide/C/other-apps.xml:190(command)
10044
msgid "sudo apt-get install etckeeper"
10047
#: serverguide/C/other-apps.xml:193(para)
10049
"The main configuration file, "
10050
"<filename>/etc/etckeeper/etckeeper.conf</filename>, is fairly simple. The "
10051
"main option is which VCS to use. By default "
10052
"<application>etckeeper</application> is configured to use "
10053
"<application>bzr</application> for version control. The repository is "
10054
"automatically initialized (and committed for the first time) during package "
10055
"installation. It is possible to undo this by entering the following command:"
10058
#: serverguide/C/other-apps.xml:203(command)
10059
msgid "sudo etckeeper uninit"
10062
#: serverguide/C/other-apps.xml:206(para)
10064
"By default, etckeeper will commit uncommitted changes made to /etc daily. "
10065
"This can be disabled using the AVOID_DAILY_AUTOCOMMITS configuration option. "
10066
"It will also automatically commit changes before and after package "
10067
"installation. For a more precise tracking of changes, it is recommended to "
10068
"commit your changes manually, together with a commit message, using:"
10071
#: serverguide/C/other-apps.xml:215(command)
10072
msgid "sudo etckeeper commit \"..Reason for configuration change..\""
10075
#: serverguide/C/other-apps.xml:218(para)
10077
"Using the VCS commands you can view log information about files in "
10078
"<filename>/etc</filename>:"
10081
#: serverguide/C/other-apps.xml:223(command)
10082
msgid "sudo bzr log /etc/passwd"
10085
#: serverguide/C/other-apps.xml:226(para)
10087
"To demonstrate the integration with the package management system, install "
10088
"<application>postfix</application>:"
10091
#: serverguide/C/other-apps.xml:231(command) serverguide/C/mail.xml:45(command)
10092
msgid "sudo apt-get install postfix"
10095
#: serverguide/C/other-apps.xml:234(para)
10097
"When the installation is finished, all the "
10098
"<application>postfix</application> configuration files should be committed "
10099
"to the repository:"
10102
#: serverguide/C/other-apps.xml:240(computeroutput)
10105
"Committing to: /etc/\n"
10106
"added aliases.db\n"
10108
"modified group-\n"
10109
"modified gshadow\n"
10110
"modified gshadow-\n"
10111
"modified passwd\n"
10112
"modified passwd-\n"
10114
"added resolvconf\n"
10115
"added rsyslog.d\n"
10116
"modified shadow\n"
10117
"modified shadow-\n"
10118
"added init.d/postfix\n"
10119
"added network/if-down.d/postfix\n"
10120
"added network/if-up.d/postfix\n"
10121
"added postfix/dynamicmaps.cf\n"
10122
"added postfix/main.cf\n"
10123
"added postfix/master.cf\n"
10124
"added postfix/post-install\n"
10125
"added postfix/postfix-files\n"
10126
"added postfix/postfix-script\n"
10127
"added postfix/sasl\n"
10128
"added ppp/ip-down.d\n"
10129
"added ppp/ip-down.d/postfix\n"
10130
"added ppp/ip-up.d/postfix\n"
10131
"added rc0.d/K20postfix\n"
10132
"added rc1.d/K20postfix\n"
10133
"added rc2.d/S20postfix\n"
10134
"added rc3.d/S20postfix\n"
10135
"added rc4.d/S20postfix\n"
10136
"added rc5.d/S20postfix\n"
10137
"added rc6.d/K20postfix\n"
10138
"added resolvconf/update-libc.d\n"
10139
"added resolvconf/update-libc.d/postfix\n"
10140
"added rsyslog.d/postfix.conf\n"
10141
"added ufw/applications.d/postfix\n"
10142
"Committed revision 2."
10145
#: serverguide/C/other-apps.xml:280(para)
10147
"For an example of how <application>etckeeper</application> tracks manual "
10148
"changes, add new a host to <filename>/etc/hosts</filename>. Using "
10149
"<application>bzr</application> you can see which files have been modified:"
10152
#: serverguide/C/other-apps.xml:286(command)
10153
msgid "sudo bzr status /etc/"
10156
#: serverguide/C/other-apps.xml:287(computeroutput)
10163
#: serverguide/C/other-apps.xml:291(para)
10164
msgid "Now commit the changes:"
10167
#: serverguide/C/other-apps.xml:296(command)
10168
msgid "sudo etckeeper commit \"new host\""
10171
#: serverguide/C/other-apps.xml:299(para)
10173
"For more information on <application>bzr</application> see <xref "
10174
"linkend=\"bazaar\"/>."
10177
#: serverguide/C/other-apps.xml:305(title)
10178
msgid "Screen Profiles"
10181
#: serverguide/C/other-apps.xml:307(para)
10183
"One of the most useful applications for any system administrator is "
10184
"<application>screen</application>. It allows the execution of multiple "
10185
"shells in one terminal. To make some of the advanced "
10186
"<application>screen</application> features more user friendly, and provide "
10187
"some useful information about the system, the <application>screen-"
10188
"profiles</application> package was created."
10191
#: serverguide/C/other-apps.xml:314(para)
10193
"When executing <application>screen</application> for the first time you will "
10194
"be presented with the <application>screen-profiles-helper</application> "
10195
"menu. This menu will allow you to:"
10198
#: serverguide/C/other-apps.xml:320(para)
10199
msgid "View the Help menu"
10202
#: serverguide/C/other-apps.xml:321(para)
10203
msgid "Change the key binding set"
10206
#: serverguide/C/other-apps.xml:322(para)
10207
msgid "Change screen profiles"
10210
#: serverguide/C/other-apps.xml:323(para)
10211
msgid "Change the escape sequence"
10214
#: serverguide/C/other-apps.xml:324(para)
10215
msgid "Create new screen windows"
10218
#: serverguide/C/other-apps.xml:325(para)
10219
msgid "Manage the default windows"
10222
#: serverguide/C/other-apps.xml:326(para)
10223
msgid "Install screen by default at login"
10226
#: serverguide/C/other-apps.xml:329(para)
10228
"The <emphasis>key bindings</emphasis> determine such things as the escape "
10229
"sequence, new window, change window, etc. There are two key binding sets to "
10230
"choose from <emphasis>common</emphasis> and <emphasis>none</emphasis>. If "
10231
"you wish to use the original key bindings choose the "
10232
"<emphasis>none</emphasis> set."
10235
#: serverguide/C/other-apps.xml:335(para)
10237
"The Ubuntu <application>screen-profiles</application> provide a menu which "
10238
"displays the Ubuntu release, processor information, memory information, and "
10239
"the time and date. The effect is similar to a desktop menu. When a profile "
10240
"is selected it will be symlinked to <filename>~/.screenrc</filename>. The "
10241
"<application>select-screen-profile</application> utility can also be used to "
10242
"change profiles, in a terminal enter:"
10245
#: serverguide/C/other-apps.xml:343(command)
10246
msgid "select-screen-profile -s ubuntu-light"
10249
#: serverguide/C/other-apps.xml:346(para)
10251
"The <emphasis>plain</emphasis> profile will change "
10252
"<application>screen</application> back to the defaults, which does not "
10253
"include the information menu at the bottom."
10256
#: serverguide/C/other-apps.xml:351(para)
10258
"Using the <emphasis>\"Install screen by default at login\"</emphasis> option "
10259
"will cause screen to be executed any time a terminal is opened. Changes made "
10260
"to <application>screen</application> are on a per user basis, and will not "
10261
"affect other users on the system."
10264
#: serverguide/C/other-apps.xml:356(para)
10266
"One difference when using screen is the <emphasis>scrollback</emphasis> "
10267
"mode. If you are using one of the Ubuntu profiles press the "
10268
"<emphasis>F7</emphasis>, or <emphasis>Ctrl+a+[</emphasis> if not, to enter "
10269
"scrollback mode. Scrollback mode allows you to navigate past output using "
10270
"<emphasis>vi</emphasis> like commands. Here is a quick list of movement "
10274
#: serverguide/C/other-apps.xml:363(para)
10275
msgid "<emphasis>h</emphasis> - Move the cursor left by one character"
10278
#: serverguide/C/other-apps.xml:364(para)
10279
msgid "<emphasis>j</emphasis> - Move the cursor down by one line"
10282
#: serverguide/C/other-apps.xml:365(para)
10283
msgid "<emphasis>k</emphasis> - Move the cursor up by one line"
10286
#: serverguide/C/other-apps.xml:366(para)
10287
msgid "<emphasis>l</emphasis> - Move the cursor right by one character"
10290
#: serverguide/C/other-apps.xml:367(para)
10291
msgid "<emphasis>0</emphasis> - Move to the beginning of the current line"
10294
#: serverguide/C/other-apps.xml:368(para)
10295
msgid "<emphasis>$</emphasis> - Move to the end of the current line"
10298
#: serverguide/C/other-apps.xml:369(para)
10300
"<emphasis>G</emphasis> - Moves to the specified line (defaults to the end of "
10304
#: serverguide/C/other-apps.xml:370(para)
10305
msgid "<emphasis>C-u</emphasis> - Scrolls a half page up"
10308
#: serverguide/C/other-apps.xml:371(para)
10309
msgid "<emphasis>C-b</emphasis> - Scrolls a full page up"
10312
#: serverguide/C/other-apps.xml:372(para)
10313
msgid "<emphasis>C-d</emphasis> - Scrolls a half page down"
10316
#: serverguide/C/other-apps.xml:373(para)
10317
msgid "<emphasis>C-f</emphasis> - Scrolls the full page down"
10320
#: serverguide/C/other-apps.xml:374(para)
10321
msgid "<emphasis>/</emphasis> - Search forward"
10324
#: serverguide/C/other-apps.xml:375(para)
10325
msgid "<emphasis>?</emphasis> - Search backward"
10328
#: serverguide/C/other-apps.xml:376(para)
10330
"<emphasis>n</emphasis> - Moves to the next match, either forward or backword"
10333
#: serverguide/C/other-apps.xml:385(para)
10336
"url=\"http://manpages.ubuntu.com/manpages/jaunty/en/man1/update-"
10337
"motd.1.html\">update-motd man page</ulink> for more options available to "
10338
"<application>update-motd</application>."
10341
#: serverguide/C/other-apps.xml:391(para)
10343
"The Debian Package of the Day <ulink "
10344
"url=\"http://debaday.debian.net/2007/10/04/weather-check-weather-conditions-"
10345
"and-forecasts-on-the-command-line/\">weather</ulink> article has more "
10346
"details about using the <application>weather</application>utility."
10349
#: serverguide/C/other-apps.xml:398(para)
10352
"url=\"http://kitenet.net/~joey/code/etckeeper/\">etckeeper</ulink> site for "
10353
"more details on using <application>etckeeper</application>."
10356
#: serverguide/C/other-apps.xml:404(para)
10358
"For the latest news and information about <application>bzr</application> see "
10359
"the <ulink url=\"http://bazaar-vcs.org/\">bzr</ulink> web site."
10362
#: serverguide/C/other-apps.xml:409(para)
10364
"For more information on <application>screen</application> see the <ulink "
10365
"url=\"http://www.gnu.org/software/screen/\">screen web site</ulink>."
10368
#: serverguide/C/other-apps.xml:414(para)
10370
"Also, see the <application>screen-profiles</application><ulink "
10371
"url=\"https://launchpad.net/screen-profiles\">project page</ulink> for more "
10375
#: serverguide/C/network-config.xml:13(title)
10379
#: serverguide/C/network-config.xml:14(para)
10381
"Networks consist of two or more devices, such as computer systems, printers, "
10382
"and related equipment which are connected by either physical cabling or "
10383
"wireless links for the purpose of sharing and distributing information among "
10384
"the connected devices."
10387
#: serverguide/C/network-config.xml:20(para)
10389
"This section provides general and specific information pertaining to "
10390
"networking, including an overview of network concepts and detailed "
10391
"discussion of popular network protocols."
10394
#: serverguide/C/network-config.xml:26(title)
10395
msgid "Network Configuration"
10398
#: serverguide/C/network-config.xml:27(para)
10400
"Ubuntu ships with a number of graphical utilities to configure your network "
10401
"devices. This document is geared toward server administrators and will focus "
10402
"on managing your network on the command line."
10405
#: serverguide/C/network-config.xml:33(title)
10409
#: serverguide/C/network-config.xml:34(para)
10411
"Most Ethernet configuration is centralized in a single file, "
10412
"<filename>/etc/network/interfaces</filename>. If you have no Ethernet "
10413
"devices, only the loopback interface will appear in this file, and it will "
10414
"look something like this:"
10417
#: serverguide/C/network-config.xml:40(programlisting)
10421
"# This file describes the network interfaces available on your system\n"
10422
"# and how to activate them. For more information, see interfaces(5).\n"
10424
"# The loopback network interface\n"
10426
"iface lo inet loopback\n"
10427
"address 127.0.0.1\n"
10428
"netmask 255.0.0.0\n"
10431
#: serverguide/C/network-config.xml:50(para)
10433
"If you have only one Ethernet device, eth0, and it gets its configuration "
10434
"from a DHCP server, and it should come up automatically at boot, only two "
10435
"additional lines are required:"
10438
#: serverguide/C/network-config.xml:55(programlisting)
10443
"iface eth0 inet dhcp\n"
10446
#: serverguide/C/network-config.xml:59(para)
10448
"The first line specifies that the eth0 device should come up automatically "
10449
"when you boot. The second line means that interface (<quote>iface</quote>) "
10450
"eth0 should have an IPv4 address space (replace <quote>inet</quote> with "
10451
"<quote>inet6</quote> for an IPv6 device) and that it should get its "
10452
"configuration automatically from DHCP. Assuming your network and DHCP server "
10453
"are properly configured, this machine's network should need no further "
10454
"configuration to operate properly. The DHCP server will provide the default "
10455
"gateway (implemented via the <application>route</application> command), the "
10456
"device's IP address (implemented via the <application>ifconfig</application> "
10457
"command), and DNS servers used on the network (implemented in the "
10458
"<filename>/etc/resolv.conf</filename> file.)"
10461
#: serverguide/C/network-config.xml:72(para)
10463
"To configure your Ethernet device with a static IP address and custom "
10464
"configuration, some more information will be required. Suppose you want to "
10465
"assign the IP address 192.168.0.2 to the device eth1, with the typical "
10466
"netmask of 255.255.255.0. Your default gateway's IP address is 192.168.0.1. "
10467
"You would enter something like this into "
10468
"<filename>/etc/network/interfaces</filename>:"
10471
#: serverguide/C/network-config.xml:79(programlisting)
10475
"iface eth1 inet static\n"
10476
"\taddress 192.168.0.2\n"
10477
"\tnetmask 255.255.255.0\n"
10478
"\tgateway 192.168.0.1\n"
10481
#: serverguide/C/network-config.xml:85(para)
10483
"In this case, you will need to specify your DNS servers manually in "
10484
"<filename>/etc/resolv.conf</filename>, which should look something like this:"
10487
#: serverguide/C/network-config.xml:89(programlisting)
10491
"search mydomain.example\n"
10492
"nameserver 192.168.0.1\n"
10493
"nameserver 4.2.2.2\n"
10496
#: serverguide/C/network-config.xml:94(para)
10498
"The <emphasis role=\"italics\">search</emphasis> directive will append "
10499
"mydomain.example to hostname queries in an attempt to resolve names to your "
10500
"network. For example, if your network's domain is mydomain.example and you "
10501
"try to ping the host <quote>mybox</quote>, the DNS query will be modified to "
10502
"<quote>mybox.mydomain.example</quote> for resolution. The <emphasis "
10503
"role=\"italics\">nameserver</emphasis> directives specify DNS servers to be "
10504
"used to resolve hostnames to IP addresses. If you use your own nameserver, "
10505
"enter it here. Otherwise, ask your Internet Service Provider for the primary "
10506
"and secondary DNS servers to use, and enter them into "
10507
"<filename>/etc/resolv.conf</filename> as shown above."
10510
#: serverguide/C/network-config.xml:106(para)
10512
"Many more configurations are possible, including dialup PPP interfaces, IPv6 "
10513
"networking, VPN devices, etc. Refer to <application>man 5 "
10514
"interfaces</application> for more information and supported options. "
10515
"Remember that <filename>/etc/network/interfaces</filename> is used by the "
10516
"<application>ifup</application>/<application>ifdown</application> scripts as "
10517
"a higher level configuration scheme than may be used in some other Linux "
10518
"distributions, and that the traditional, lower level utilities such as "
10519
"<application>ifconfig</application>, <application>route</application>, and "
10520
"<application>dhclient</application> are still available to you for ad hoc "
10524
#: serverguide/C/network-config.xml:120(title)
10525
msgid "Managing DNS Entries"
10528
#: serverguide/C/network-config.xml:121(para)
10530
"This section explains how to configure which nameserver to use when "
10531
"resolving IP addresses to hostnames and vice versa. It does not explain how "
10532
"to configure the system as a name server."
10535
#: serverguide/C/network-config.xml:126(para)
10537
"To manage DNS entries, you can add, edit, or remove DNS names from the "
10538
"<filename>/etc/resolv.conf</filename> file. A sample file is given below:"
10541
#: serverguide/C/network-config.xml:130(programlisting)
10546
"nameserver 204.11.126.131\n"
10547
"nameserver 64.125.134.133\n"
10548
"nameserver 64.125.134.132\n"
10549
"nameserver 208.185.179.218\n"
10552
#: serverguide/C/network-config.xml:138(para)
10554
"The <application>search</application> key specifies the string which will be "
10555
"appended to an incomplete hostname. Here, we have configured it to "
10556
"<application>com</application>. So, when we run: <command>ping "
10557
"ubuntu</command> it would be interpreted as <command>ping "
10558
"ubuntu.com</command>."
10561
#: serverguide/C/network-config.xml:146(para)
10563
"The <application>nameserver</application> key specifies the nameserver IP "
10564
"address. It will be used to resolve a given IP address or hostname. This "
10565
"file can have multiple nameserver entries. The nameservers will be used by "
10566
"the network query in the same order."
10569
#: serverguide/C/network-config.xml:155(para)
10571
"If the DNS server names are retrieved dynamically from DHCP or PPPoE "
10572
"(retrieved from your ISP), do not add nameserver entries in this file. It "
10573
"will be overwritten."
10576
#: serverguide/C/network-config.xml:164(title)
10577
msgid "Managing Hosts"
10580
#: serverguide/C/network-config.xml:165(para)
10582
"To manage hosts, you can add, edit, or remove hosts from "
10583
"<filename>/etc/hosts</filename> file. The file contains IP addresses and "
10584
"their corresponding hostnames. When your system tries to resolve a hostname "
10585
"to an IP address or determine the hostname for an IP address, it refers to "
10586
"the <filename>/etc/hosts</filename> file before using the name servers. If "
10587
"the IP address is listed in the <filename>/etc/hosts</filename> file, the "
10588
"name servers are not used. This behavior can be modified by editing "
10589
"<filename>/etc/nsswitch.conf</filename> at your peril."
10592
#: serverguide/C/network-config.xml:178(para)
10594
"If your network contains computers whose IP addresses are not listed in DNS, "
10595
"it is recommended that you add them to the <filename>/etc/hosts</filename> "
10599
#: serverguide/C/network-config.xml:186(title)
10603
#: serverguide/C/network-config.xml:188(para)
10605
"Bridging multiple interfaces is a more advanced configuration, but is very "
10606
"useful in multiple scenarios. One scenario is setting up a bridge with "
10607
"multiple network interfaces, then using a firewall to filter traffic between "
10608
"two network segments. Another scenario is using bridge on a system with one "
10609
"interface to allow virtual machines direct access to the outside network. "
10610
"The following example covers the latter scenario."
10613
#: serverguide/C/network-config.xml:195(para)
10615
"Before configuring a bridge you will need to install the <application>bridge-"
10616
"utils</application> package. To install the package, in a terminal enter:"
10619
#: serverguide/C/network-config.xml:201(command)
10620
msgid "sudo apt-get install bridge-utils"
10623
#: serverguide/C/network-config.xml:204(para)
10625
"Next, configure the bridge by editing "
10626
"<filename>/etc/network/interfaces</filename>:"
10629
#: serverguide/C/network-config.xml:208(programlisting)
10634
"iface lo inet loopback\n"
10637
"iface br0 inet static\n"
10638
" address 192.168.0.10\n"
10639
" network 192.168.0.0\n"
10640
" netmask 255.255.255.0\n"
10641
" broadcast 192.168.0.255\n"
10642
" gateway 192.168.0.1\n"
10643
" bridge_ports eth0\n"
10645
" bridge_hello 2\n"
10646
" bridge_maxage 12\n"
10647
" bridge_stp off\n"
10650
#: serverguide/C/network-config.xml:227(para)
10651
msgid "Enter the appropriate values for your physical interface and network."
10654
#: serverguide/C/network-config.xml:232(para)
10655
msgid "Now restart networking to enable the bridge interface:"
10658
#: serverguide/C/network-config.xml:239(para)
10660
"The new bridge interface should now be up and running. The "
10661
"<application>brctl</application> provides useful information about the state "
10662
"of the bridge, controls which interfaces are part of the bridge, etc. See "
10663
"<command>man brctl</command> for more information."
10666
#: serverguide/C/network-config.xml:255(para)
10669
"url=\"http://manpages.ubuntu.com/manpages/karmic/en/man5/interfaces.5.html\">"
10670
"interfaces man page</ulink> has details on more options for "
10671
"<filename>/etc/network/interfaces</filename>."
10674
#: serverguide/C/network-config.xml:261(para)
10676
"For more information on DNS client configuration see the <ulink "
10677
"url=\"http://manpages.ubuntu.com/manpages/jaunty/en/man5/resolver.5.html\">re"
10678
"solver man page</ulink>. Also, Chapter 6 of O'Reilly's <ulink "
10679
"url=\"http://oreilly.com/catalog/linag2/book/ch06.html\">Linux Network "
10680
"Administrator's Guide</ulink> is a good source of resolver and name service "
10681
"configuration information."
10684
#: serverguide/C/network-config.xml:269(para)
10686
"For more information on <emphasis>bridging</emphasis> see the <ulink "
10687
"url=\"http://manpages.ubuntu.com/manpages/jaunty/en/man8/brctl.8.html\">brctl"
10688
" man page</ulink> and the Linux Foundation's <ulink "
10689
"url=\"http://www.linuxfoundation.org/en/Net:Bridge\">Net:Bridge</ulink> page."
10692
#: serverguide/C/network-config.xml:280(title)
10696
#: serverguide/C/network-config.xml:281(para)
10698
"The Transmission Control Protocol and Internet Protocol (TCP/IP) is a "
10699
"standard set of protocols developed in the late 1970s by the Defense "
10700
"Advanced Research Projects Agency (DARPA) as a means of communication "
10701
"between different types of computers and computer networks. TCP/IP is the "
10702
"driving force of the Internet, and thus it is the most popular set of "
10703
"network protocols on Earth."
10706
#: serverguide/C/network-config.xml:289(title)
10707
msgid "TCP/IP Introduction"
10710
#: serverguide/C/network-config.xml:290(para)
10712
"The two protocol components of TCP/IP deal with different aspects of "
10713
"computer networking. <emphasis>Internet Protocol</emphasis>, the \"IP\" of "
10714
"TCP/IP is a connectionless protocol which deals only with network packet "
10715
"routing using the <emphasis role=\"italics\">IP Datagram</emphasis> as the "
10716
"basic unit of networking information. The IP Datagram consists of a header "
10717
"followed by a message. The <emphasis> Transmission Control "
10718
"Protocol</emphasis> is the \"TCP\" of TCP/IP and enables network hosts to "
10719
"establish connections which may be used to exchange data streams. TCP also "
10720
"guarantees that the data between connections is delivered and that it "
10721
"arrives at one network host in the same order as sent from another network "
10725
#: serverguide/C/network-config.xml:303(title)
10726
msgid "TCP/IP Configuration"
10729
#: serverguide/C/network-config.xml:304(para)
10731
"The TCP/IP protocol configuration consists of several elements which must be "
10732
"set by editing the appropriate configuration files, or deploying solutions "
10733
"such as the Dynamic Host Configuration Protocol (DHCP) server which in turn, "
10734
"can be configured to provide the proper TCP/IP configuration settings to "
10735
"network clients automatically. These configuration values must be set "
10736
"correctly in order to facilitate the proper network operation of your Ubuntu "
10740
#: serverguide/C/network-config.xml:316(para)
10742
"<emphasis role=\"bold\">IP address</emphasis> The IP address is a unique "
10743
"identifying string expressed as four decimal numbers ranging from zero (0) "
10744
"to two-hundred and fifty-five (255), separated by periods, with each of the "
10745
"four numbers representing eight (8) bits of the address for a total length "
10746
"of thirty-two (32) bits for the whole address. This format is called "
10747
"<emphasis>dotted quad notation</emphasis>."
10750
#: serverguide/C/network-config.xml:326(para)
10752
"<emphasis role=\"bold\">Netmask</emphasis> The Subnet Mask (or simply, "
10753
"<emphasis>netmask</emphasis>) is a local bit mask, or set of flags which "
10754
"separate the portions of an IP address significant to the network from the "
10755
"bits significant to the <emphasis>subnetwork</emphasis>. For example, in a "
10756
"Class C network, the standard netmask is 255.255.255.0 which masks the first "
10757
"three bytes of the IP address and allows the last byte of the IP address to "
10758
"remain available for specifying hosts on the subnetwork."
10761
#: serverguide/C/network-config.xml:337(para)
10763
"<emphasis role=\"bold\">Network Address</emphasis> The Network Address "
10764
"represents the bytes comprising the network portion of an IP address. For "
10765
"example, the host 12.128.1.2 in a Class A network would use 12.0.0.0 as the "
10766
"network address, where twelve (12) represents the first byte of the IP "
10767
"address, (the network part) and zeroes (0) in all of the remaining three "
10768
"bytes to represent the potential host values. A network host using the "
10769
"private IP address 192.168.1.100 would in turn use a Network Address of "
10770
"192.168.1.0, which specifies the first three bytes of the Class C 192.168.1 "
10771
"network and a zero (0) for all the possible hosts on the network."
10774
#: serverguide/C/network-config.xml:350(para)
10776
"<emphasis role=\"bold\">Broadcast Address</emphasis> The Broadcast Address "
10777
"is an IP address which allows network data to be sent simultaneously to all "
10778
"hosts on a given subnetwork rather than specifying a particular host. The "
10779
"standard general broadcast address for IP networks is 255.255.255.255, but "
10780
"this broadcast address cannot be used to send a broadcast message to every "
10781
"host on the Internet because routers block it. A more appropriate broadcast "
10782
"address is set to match a specific subnetwork. For example, on the private "
10783
"Class C IP network, 192.168.1.0, the broadcast address is 192.168.1.255. "
10784
"Broadcast messages are typically produced by network protocols such as the "
10785
"Address Resolution Protocol (ARP) and the Routing Information Protocol (RIP)."
10788
#: serverguide/C/network-config.xml:363(para)
10790
"<emphasis role=\"bold\">Gateway Address</emphasis> A Gateway Address is the "
10791
"IP address through which a particular network, or host on a network, may be "
10792
"reached. If one network host wishes to communicate with another network "
10793
"host, and that host is not located on the same network, then a "
10794
"<emphasis>gateway</emphasis> must be used. In many cases, the Gateway "
10795
"Address will be that of a router on the same network, which will in turn "
10796
"pass traffic on to other networks or hosts, such as Internet hosts. The "
10797
"value of the Gateway Address setting must be correct, or your system will "
10798
"not be able to reach any hosts beyond those on the same network."
10801
#: serverguide/C/network-config.xml:374(para)
10803
"<emphasis role=\"bold\">Nameserver Address</emphasis> Nameserver Addresses "
10804
"represent the IP addresses of Domain Name Service (DNS) systems, which "
10805
"resolve network hostnames into IP addresses. There are three levels of "
10806
"Nameserver Addresses, which may be specified in order of precedence: The "
10807
"<emphasis>Primary</emphasis> Nameserver, the <emphasis>Secondary</emphasis> "
10808
"Nameserver, and the <emphasis>Tertiary</emphasis> Nameserver. In order for "
10809
"your system to be able to resolve network hostnames into their corresponding "
10810
"IP addresses, you must specify valid Nameserver Addresses which you are "
10811
"authorized to use in your system's TCP/IP configuration. In many cases these "
10812
"addresses can and will be provided by your network service provider, but "
10813
"many free and publicly accessible nameservers are available for use, such as "
10814
"the Level3 (Verizon) servers with IP addresses from 4.2.2.1 to 4.2.2.6."
10817
#: serverguide/C/network-config.xml:388(para)
10819
"The IP address, Netmask, Network Address, Broadcast Address, and Gateway "
10820
"Address are typically specified via the appropriate directives in the file "
10821
"<filename>/etc/network/interfaces</filename>. The Nameserver Addresses are "
10822
"typically specified via <emphasis>nameserver</emphasis> directives in the "
10823
"file <filename>/etc/resolv.conf</filename>. For more information, view the "
10824
"system manual page for <filename>interfaces</filename> or "
10825
"<filename>resolv.conf</filename> respectively, with the following commands "
10826
"typed at a terminal prompt:"
10829
#: serverguide/C/network-config.xml:395(para)
10831
"Access the system manual page for <filename>interfaces</filename> with the "
10832
"following command:"
10835
#: serverguide/C/network-config.xml:400(command)
10836
msgid "man interfaces"
10839
#: serverguide/C/network-config.xml:403(para)
10841
"Access the system manual page for <filename>resolv.conf</filename> with the "
10842
"following command:"
10845
#: serverguide/C/network-config.xml:407(command)
10846
msgid "man resolv.conf"
10849
#: serverguide/C/network-config.xml:312(para)
10851
"The common configuration elements of TCP/IP and their purposes are as "
10852
"follows: <placeholder-1/>"
10855
#: serverguide/C/network-config.xml:414(title)
10859
#: serverguide/C/network-config.xml:415(para)
10861
"IP routing is a means of specifying and discovering paths in a TCP/IP "
10862
"network along which network data may be sent. Routing uses a set of "
10863
"<emphasis>routing tables</emphasis> to direct the forwarding of network data "
10864
"packets from their source to the destination, often via many intermediary "
10865
"network nodes known as <emphasis>routers</emphasis>. There are two primary "
10866
"forms of IP routing: <emphasis>Static Routing</emphasis> and "
10867
"<emphasis>Dynamic Routing.</emphasis>"
10870
#: serverguide/C/network-config.xml:424(para)
10872
"Static routing involves manually adding IP routes to the system's routing "
10873
"table, and this is usually done by manipulating the routing table with the "
10874
"<application>route</application> command. Static routing enjoys many "
10875
"advantages over dynamic routing, such as simplicity of implementation on "
10876
"smaller networks, predictability (the routing table is always computed in "
10877
"advance, and thus the route is precisely the same each time it is used), and "
10878
"low overhead on other routers and network links due to the lack of a dynamic "
10879
"routing protocol. However, static routing does present some disadvantages as "
10880
"well. For example, static routing is limited to small networks and does not "
10881
"scale well. Static routing also fails completely to adapt to network outages "
10882
"and failures along the route due to the fixed nature of the route."
10885
#: serverguide/C/network-config.xml:434(para)
10887
"Dynamic routing depends on large networks with multiple possible IP routes "
10888
"from a source to a destination and makes use of special routing protocols, "
10889
"such as the Router Information Protocol (RIP), which handle the automatic "
10890
"adjustments in routing tables that make dynamic routing possible. Dynamic "
10891
"routing has several advantages over static routing, such as superior "
10892
"scalability and the ability to adapt to failures and outages along network "
10893
"routes. Additionally, there is less manual configuration of the routing "
10894
"tables, since routers learn from one another about their existence and "
10895
"available routes. This trait also eliminates the possibility of introducing "
10896
"mistakes in the routing tables via human error. Dynamic routing is not "
10897
"perfect, however, and presents disadvantages such as heightened complexity "
10898
"and additional network overhead from router communications, which does not "
10899
"immediately benefit the end users, but still consumes network bandwidth."
10902
#: serverguide/C/network-config.xml:448(title)
10903
msgid "TCP and UDP"
10906
#: serverguide/C/network-config.xml:449(para)
10908
"TCP is a connection-based protocol, offering error correction and guaranteed "
10909
"delivery of data via what is known as <emphasis>flow control</emphasis>. "
10910
"Flow control determines when the flow of a data stream needs to be stopped, "
10911
"and previously sent data packets should to be re-sent due to problems such "
10912
"as <emphasis>collisions</emphasis>, for example, thus ensuring complete and "
10913
"accurate delivery of the data. TCP is typically used in the exchange of "
10914
"important information such as database transactions."
10917
#: serverguide/C/network-config.xml:457(para)
10919
"The User Datagram Protocol (UDP), on the other hand, is a "
10920
"<emphasis>connectionless</emphasis> protocol which seldom deals with the "
10921
"transmission of important data because it lacks flow control or any other "
10922
"method to ensure reliable delivery of the data. UDP is commonly used in such "
10923
"applications as audio and video streaming, where it is considerably faster "
10924
"than TCP due to the lack of error correction and flow control, and where the "
10925
"loss of a few packets is not generally catastrophic."
10928
#: serverguide/C/network-config.xml:467(title)
10932
#: serverguide/C/network-config.xml:468(para)
10934
"The Internet Control Messaging Protocol (ICMP) is an extension to the "
10935
"Internet Protocol (IP) as defined in the Request For Comments (RFC) #792 and "
10936
"supports network packets containing control, error, and informational "
10937
"messages. ICMP is used by such network applications as the "
10938
"<application>ping</application> utility, which can determine the "
10939
"availability of a network host or device. Examples of some error messages "
10940
"returned by ICMP which are useful to both network hosts and devices such as "
10941
"routers, include <emphasis>Destination Unreachable</emphasis> and "
10942
"<emphasis>Time Exceeded</emphasis>."
10945
#: serverguide/C/network-config.xml:478(title)
10949
#: serverguide/C/network-config.xml:479(para)
10951
"Daemons are special system applications which typically execute continuously "
10952
"in the background and await requests for the functions they provide from "
10953
"other applications. Many daemons are network-centric; that is, a large "
10954
"number of daemons executing in the background on an Ubuntu system may "
10955
"provide network-related functionality. Some examples of such network daemons "
10956
"include the <emphasis>Hyper Text Transport Protocol Daemon</emphasis> "
10957
"(httpd), which provides web server functionality; the <emphasis>Secure SHell "
10958
"Daemon</emphasis> (sshd), which provides secure remote login shell and file "
10959
"transfer capabilities; and the <emphasis>Internet Message Access Protocol "
10960
"Daemon</emphasis> (imapd), which provides E-Mail services."
10963
#: serverguide/C/network-config.xml:494(para)
10965
"There are man pages for <ulink "
10966
"url=\"http://manpages.ubuntu.com/manpages/jaunty/en/man7/tcp.7.html\">TCP</ul"
10968
"url=\"http://manpages.ubuntu.com/manpages/jaunty/man7/ip.7.html\">IP</ulink> "
10969
"that contain more useful information."
10972
#: serverguide/C/network-config.xml:500(para)
10974
"Also, see the <ulink "
10975
"url=\"http://www.redbooks.ibm.com/abstracts/gg243376.html\">TCP/IP Tutorial "
10976
"and Technical Overview</ulink> IBM Redbook."
10979
#: serverguide/C/network-config.xml:506(para)
10981
"Another resource is O'Reilly's <ulink "
10982
"url=\"http://oreilly.com/catalog/9780596002978/\">TCP/IP Network "
10983
"Administration</ulink>."
10986
#: serverguide/C/network-config.xml:515(title)
10987
msgid "Dynamic Host Configuration Protocol (DHCP)"
10990
#: serverguide/C/network-config.xml:516(para)
10992
"The Dynamic Host Configuration Protocol (DHCP) is a network service that "
10993
"enables host computers to be automatically assigned settings from a server "
10994
"as opposed to manually configuring each network host. Computers configured "
10995
"to be DHCP clients have no control over the settings they receive from the "
10996
"DHCP server, and the configuration is transparent to the computer's user."
10999
#: serverguide/C/network-config.xml:523(para)
11001
"The most common settings provided by a DHCP server to DHCP clients include:"
11004
#: serverguide/C/network-config.xml:528(para)
11005
msgid "IP-Address and Netmask"
11008
#: serverguide/C/network-config.xml:531(para)
11012
#: serverguide/C/network-config.xml:534(para)
11016
#: serverguide/C/network-config.xml:537(para)
11018
"However, a DHCP server can also supply configuration properties such as:"
11021
#: serverguide/C/network-config.xml:542(para)
11025
#: serverguide/C/network-config.xml:545(para)
11026
msgid "Domain Name"
11029
#: serverguide/C/network-config.xml:548(para)
11030
msgid "Default Gateway"
11033
#: serverguide/C/network-config.xml:551(para)
11034
msgid "Time Server"
11037
#: serverguide/C/network-config.xml:554(para)
11038
msgid "Print Server"
11041
#: serverguide/C/network-config.xml:557(para)
11043
"The advantage of using DHCP is that changes to the network, for example a "
11044
"change in the address of the DNS server, need only be changed at the DHCP "
11045
"server, and all network hosts will be reconfigured the next time their DHCP "
11046
"clients poll the DHCP server. As an added advantage, it is also easier to "
11047
"integrate new computers into the network, as there is no need to check for "
11048
"the availability of an IP address. Conflicts in IP address allocation are "
11052
#: serverguide/C/network-config.xml:565(para)
11053
msgid "A DHCP server can provide configuration settings using two methods:"
11056
#: serverguide/C/network-config.xml:570(term)
11057
msgid "MAC Address"
11060
#: serverguide/C/network-config.xml:572(para)
11062
"This method entails using DHCP to identify the unique hardware address of "
11063
"each network card connected to the network and then continually supplying a "
11064
"constant configuration each time the DHCP client makes a request to the DHCP "
11065
"server using that network device."
11068
#: serverguide/C/network-config.xml:581(term)
11069
msgid "Address Pool"
11072
#: serverguide/C/network-config.xml:583(para)
11074
"This method entails defining a pool (sometimes also called a range or scope) "
11075
"of IP addresses from which DHCP clients are supplied their configuration "
11076
"properties dynamically and on a \"first come, first served\" basis. When a "
11077
"DHCP client is no longer on the network for a specified period, the "
11078
"configuration is expired and released back to the address pool for use by "
11079
"other DHCP Clients."
11082
#: serverguide/C/network-config.xml:594(para)
11084
"Ubuntu is shipped with both DHCP server and client. The server is "
11085
"<application>dhcpd</application> (dynamic host configuration protocol "
11086
"daemon). The client provided with Ubuntu is "
11087
"<application>dhclient</application> and should be installed on all computers "
11088
"required to be automatically configured. Both programs are easy to install "
11089
"and configure and will be automatically started at system boot."
11092
#: serverguide/C/network-config.xml:604(para)
11094
"At a terminal prompt, enter the following command to install "
11095
"<application>dhcpd</application>:"
11098
#: serverguide/C/network-config.xml:609(command)
11099
msgid "sudo apt-get install dhcp3-server"
11102
#: serverguide/C/network-config.xml:611(para)
11104
"You will probably need to change the default configuration by editing "
11105
"/etc/dhcp3/dhcpd.conf to suit your needs and particular configuration."
11108
#: serverguide/C/network-config.xml:615(para)
11110
"You also need to edit /etc/default/dhcp3-server to specify the interfaces "
11111
"dhcpd should listen to. By default it listens to eth0."
11114
#: serverguide/C/network-config.xml:619(para)
11116
"NOTE: dhcpd's messages are being sent to syslog. Look there for diagnostics "
11120
#: serverguide/C/network-config.xml:626(para)
11122
"The error message the installation ends with might be a little confusing, "
11123
"but the following steps will help you configure the service:"
11126
#: serverguide/C/network-config.xml:630(para)
11128
"Most commonly, what you want to do is assign an IP address randomly. This "
11129
"can be done with settings as follows:"
11132
#: serverguide/C/network-config.xml:634(programlisting)
11136
"# Sample /etc/dhcpd.conf\n"
11137
"# (add your comments here) \n"
11138
"default-lease-time 600;\n"
11139
"max-lease-time 7200;\n"
11140
"option subnet-mask 255.255.255.0;\n"
11141
"option broadcast-address 192.168.1.255;\n"
11142
"option routers 192.168.1.254;\n"
11143
"option domain-name-servers 192.168.1.1, 192.168.1.2;\n"
11144
"option domain-name \"mydomain.example\";\n"
11146
"subnet 192.168.1.0 netmask 255.255.255.0 {\n"
11147
"range 192.168.1.10 192.168.1.100;\n"
11148
"range 192.168.1.150 192.168.1.200;\n"
11152
#: serverguide/C/network-config.xml:650(para)
11154
"This will result in the DHCP server giving a client an IP address from the "
11155
"range 192.168.1.10-192.168.1.100 or 192.168.1.150-192.168.1.200. It will "
11156
"lease an IP address for 600 seconds if the client doesn't ask for a specific "
11157
"time frame. Otherwise the maximum (allowed) lease will be 7200 seconds. The "
11158
"server will also \"advise\" the client that it should use 255.255.255.0 as "
11159
"its subnet mask, 192.168.1.255 as its broadcast address, 192.168.1.254 as "
11160
"the router/gateway and 192.168.1.1 and 192.168.1.2 as its DNS servers."
11163
#: serverguide/C/network-config.xml:659(para)
11165
"If you need to specify a WINS server for your Windows clients, you will need "
11166
"to include the netbios-name-servers option, e.g."
11169
#: serverguide/C/network-config.xml:663(programlisting)
11173
"option netbios-name-servers 192.168.1.1; \n"
11176
#: serverguide/C/network-config.xml:666(para)
11178
"Dhcpd configuration settings are taken from the DHCP mini-HOWTO, which can "
11180
"url=\"http://www.tldp.org/HOWTO/DHCP/index.html\">here</ulink>."
11183
#: serverguide/C/network-config.xml:676(para)
11185
"For more <filename>/etc/dhcp3/dchpd.conf</filename> options see the <ulink "
11186
"url=\"http://manpages.ubuntu.com/manpages/jaunty/en/man5/dhcpd.conf.5.html\">"
11187
"dhcpd.conf man page</ulink>."
11190
#: serverguide/C/network-config.xml:682(para)
11192
"Also see the <ulink url=\"http://www.dhcp-handbook.com/dhcp_faq.html\">DHCP "
11196
#: serverguide/C/network-config.xml:692(title)
11197
msgid "Time Synchronisation with NTP"
11200
#: serverguide/C/network-config.xml:693(para)
11202
"This page describes methods for keeping your computer's time accurate. This "
11203
"is useful for servers, but is not necessary (or desirable) for desktop "
11207
#: serverguide/C/network-config.xml:696(para)
11209
"NTP is a TCP/IP protocol for synchronising time over a network. Basically a "
11210
"client requests the current time from a server, and uses it to set its own "
11214
#: serverguide/C/network-config.xml:699(para)
11216
"Behind this simple description, there is a lot of complexity - there are "
11217
"tiers of NTP servers, with the tier one NTP servers connected to atomic "
11218
"clocks (often via GPS), and tier two and three servers spreading the load of "
11219
"actually handling requests across the Internet. Also the client software is "
11220
"a lot more complex than you might think - it has to factor out communication "
11221
"delays, and adjust the time in a way that does not upset all the other "
11222
"processes that run on the server. But luckily all that complexity is hidden "
11226
#: serverguide/C/network-config.xml:702(para)
11228
"Ubuntu has two ways of automatically setting your time: ntpdate and ntpd."
11231
#: serverguide/C/network-config.xml:707(title)
11235
#: serverguide/C/network-config.xml:708(para)
11237
"Ubuntu comes with ntpdate as standard, and will run it once at boot time to "
11238
"set up your time according to Ubuntu's NTP server. However, a server's clock "
11239
"is likely to drift considerably between reboots, so it makes sense to "
11240
"correct the time occasionally. The easiest way to do this is to get cron to "
11241
"run ntpdate every day. With your favorite editor, as root, create a file "
11242
"<code>/etc/cron.daily/ntpdate</code> containing:"
11245
#: serverguide/C/network-config.xml:713(screen)
11247
msgid "ntpdate ntp.ubuntu.com\n"
11250
#: serverguide/C/network-config.xml:715(para)
11252
"The file <code>/etc/cron.daily/ntpdate</code> must also be executable."
11255
#: serverguide/C/network-config.xml:718(screen)
11257
msgid "sudo chmod 755 /etc/cron.daily/ntpdate\n"
11260
#: serverguide/C/network-config.xml:722(title)
11264
#: serverguide/C/network-config.xml:723(para)
11266
"ntpdate is a bit of a blunt instrument - it can only adjust the time once a "
11267
"day, in one big correction. The ntp daemon ntpd is far more subtle. It "
11268
"calculates the drift of your system clock and continuously adjusts it, so "
11269
"there are no large corrections that could lead to inconsistent logs for "
11270
"instance. The cost is a little processing power and memory, but for a modern "
11271
"server this is negligible."
11274
#: serverguide/C/network-config.xml:726(para)
11275
msgid "To set up ntpd:"
11278
#: serverguide/C/network-config.xml:727(screen)
11280
msgid "sudo apt-get install ntp\n"
11283
#: serverguide/C/network-config.xml:732(title)
11284
msgid "Changing Time Servers"
11287
#: serverguide/C/network-config.xml:733(para)
11289
"In both cases above, your system will use Ubuntu's NTP server at "
11290
"<code>ntp.ubuntu.com</code> by default. This is OK, but you might want to "
11291
"use several servers to increase accuracy and resilience, and you may want to "
11292
"use time servers that are geographically closer to you. to do this for "
11293
"ntpdate, change the contents of <code>/etc/cron.daily/ntpdate</code> to:"
11296
#: serverguide/C/network-config.xml:740(screen)
11298
msgid "ntpdate ntp.ubuntu.com pool.ntp.org \n"
11301
#: serverguide/C/network-config.xml:742(para)
11303
"And for ntpd edit <code>/etc/ntp.conf</code> to include additional server "
11307
#: serverguide/C/network-config.xml:747(screen)
11310
"server ntp.ubuntu.com\n"
11311
"server pool.ntp.org\n"
11314
#: serverguide/C/network-config.xml:750(para)
11316
"You may notice <code>pool.ntp.org</code> in the examples above. This is a "
11317
"really good idea which uses round-robin DNS to return an NTP server from a "
11318
"pool, spreading the load between several different servers. Even better, "
11319
"they have pools for different regions - for instance, if you are in New "
11320
"Zealand, so you could use <code>nz.pool.ntp.org</code> instead of "
11321
"<code>pool.ntp.org</code> . Look at <ulink "
11322
"url=\"http://www.pool.ntp.org/\">http://www.pool.ntp.org/</ulink> for more "
11326
#: serverguide/C/network-config.xml:761(para)
11328
"You can also Google for NTP servers in your region, and add these to your "
11329
"configuration. To test that a server works, just type <code>sudo ntpdate "
11330
"ntp.server.name</code> and see what happens."
11333
#: serverguide/C/network-config.xml:769(title)
11334
msgid "Related Pages"
11337
#: serverguide/C/network-config.xml:773(ulink)
11338
msgid "NTP Support"
11341
#: serverguide/C/network-config.xml:778(ulink)
11342
msgid "The NTP FAQ and HOWTO"
11345
#: serverguide/C/network-auth.xml:13(title)
11346
msgid "Network Authentication"
11349
#: serverguide/C/network-auth.xml:15(para)
11350
msgid "This section explains various Network Authentication protocols."
11353
#: serverguide/C/network-auth.xml:19(title)
11354
msgid "OpenLDAP Server"
11357
#: serverguide/C/network-auth.xml:20(para)
11359
"LDAP is an acronym for Lightweight Directory Access Protocol, it is a "
11360
"simplified version of the X.500 protocol. The directory setup in this "
11361
"section will be used for authentication. Nevertheless, LDAP can be used in "
11362
"numerous ways: authentication, shared directory (for mail clients), address "
11366
#: serverguide/C/network-auth.xml:28(para)
11368
"To describe LDAP quickly, all information is stored in a tree structure. "
11369
"With <application>OpenLDAP</application> you have freedom to determine the "
11370
"directory arborescence (the Directory Information Tree: the DIT) yourself. "
11371
"We will begin with a basic tree containing two nodes below the root:"
11374
#: serverguide/C/network-auth.xml:37(para)
11375
msgid "\"People\" node where your users will be stored"
11378
#: serverguide/C/network-auth.xml:40(para)
11379
msgid "\"Groups\" node where your groups will be stored"
11382
#: serverguide/C/network-auth.xml:44(para)
11384
"Before beginning, you should determine what the root of your LDAP directory "
11385
"will be. By default, your tree will be determined by your Fully Qualified "
11386
"Domain Name (FQDN). If your domain is example.com (which we will use in this "
11387
"example), your root node will be dc=example,dc=com."
11390
#: serverguide/C/network-auth.xml:54(para)
11392
"First, install the <application>OpenLDAP</application> server daemon "
11393
"<application>slapd</application> and <application>ldap-utils</application>, "
11394
"a package containing LDAP management utilities:"
11397
#: serverguide/C/network-auth.xml:60(command)
11398
msgid "sudo apt-get install slapd ldap-utils"
11401
#: serverguide/C/network-auth.xml:63(para)
11403
"The installation process will prompt you for the LDAP directory admin "
11404
"password and confirmation."
11407
#: serverguide/C/network-auth.xml:68(para)
11409
"By default the directory suffix will match the domain name of the server. "
11410
"For example, if the machine's Fully Qualified Domain Name (FQDN) is "
11411
"ldap.example.com, the default suffix will be "
11412
"<emphasis>dc=example,dc=com</emphasis>. If you require a different suffix, "
11413
"the directory can be reconfigured using <application>dpkg-"
11414
"reconfigure</application>. Enter the following in a terminal prompt:"
11417
#: serverguide/C/network-auth.xml:78(command)
11418
msgid "sudo dpkg-reconfigure slapd"
11421
#: serverguide/C/network-auth.xml:81(para)
11423
"You will then be taken through a menu based configuration dialog, allowing "
11424
"you to configure various <application>slapd</application> options."
11427
#: serverguide/C/network-auth.xml:90(para)
11429
"<application>OpenLDAP</application> uses a separate database which contains "
11430
"the <emphasis>cn=config</emphasis> Directory Information Tree (DIT). The "
11431
"<emphasis>cn=config</emphasis> DIT is used to dynamically configure the "
11432
"<application>slapd</application> daemon, allowing the modification of schema "
11433
"definitions, indexes, ACLs, etc without stopping the service."
11436
#: serverguide/C/network-auth.xml:98(para)
11438
"The <emphasis>cn=config</emphasis> tree can be manipulated using the "
11439
"utilities in the <application>ldap-utils</application> package. For example:"
11442
#: serverguide/C/network-auth.xml:106(para)
11444
"Use <application>ldapsearch</application> to view the tree, entering the "
11445
"admin password set during installation or reconfiguration:"
11448
#: serverguide/C/network-auth.xml:112(command)
11450
"ldapsearch -xLLL -b cn=config -D cn=admin,cn=config -W olcDatabase={1}hdb"
11453
#: serverguide/C/network-auth.xml:116(computeroutput)
11456
"Enter LDAP Password: \n"
11457
"dn: olcDatabase={1}hdb,cn=config\n"
11458
"objectClass: olcDatabaseConfig\n"
11459
"objectClass: olcHdbConfig\n"
11460
"olcDatabase: {1}hdb\n"
11461
"olcDbDirectory: /var/lib/ldap\n"
11462
"olcSuffix: dc=example,dc=com\n"
11463
"olcAccess: {0}to attrs=userPassword,shadowLastChange by "
11464
"dn=\"cn=admin,dc=exampl\n"
11465
" e,dc=com\" write by anonymous auth by self write by * none\n"
11466
"olcAccess: {1}to dn.base=\"\" by * read\n"
11467
"olcAccess: {2}to * by dn=\"cn=admin,dc=example,dc=com\" write by * read\n"
11468
"olcLastMod: TRUE\n"
11469
"olcDbCheckpoint: 512 30\n"
11470
"olcDbConfig: {0}set_cachesize 0 2097152 0\n"
11471
"olcDbConfig: {1}set_lk_max_objects 1500\n"
11472
"olcDbConfig: {2}set_lk_max_locks 1500\n"
11473
"olcDbConfig: {3}set_lk_max_lockers 1500\n"
11474
"olcDbIndex: objectClass eq\n"
11477
#: serverguide/C/network-auth.xml:137(para)
11479
"The output above is the current configuration options for the "
11480
"<emphasis>hdb</emphasis> backend database. Which in this case containes the "
11481
"<emphasis>dc=example,dc=com</emphasis> suffix."
11484
#: serverguide/C/network-auth.xml:146(para)
11486
"Refine the search by supplying a <emphasis "
11487
"role=\"italic\">filter</emphasis>, in this case only show which attributes "
11491
#: serverguide/C/network-auth.xml:152(command)
11493
"ldapsearch -xLLL -b cn=config -D cn=admin,cn=config -W olcDatabase={1}hdb "
11497
#: serverguide/C/network-auth.xml:156(computeroutput)
11500
"Enter LDAP Password: \n"
11501
"dn: olcDatabase={1}hdb,cn=config\n"
11502
"olcDbIndex: objectClass eq\n"
11505
#: serverguide/C/network-auth.xml:165(para)
11507
"As an example of modifying the <emphasis>cn=config</emphasis> tree, add "
11508
"another attribute to the index list using "
11509
"<application>ldapmodify</application>:"
11512
#: serverguide/C/network-auth.xml:171(command) serverguide/C/network-auth.xml:722(command) serverguide/C/network-auth.xml:838(command) serverguide/C/network-auth.xml:861(command) serverguide/C/network-auth.xml:2417(command) serverguide/C/network-auth.xml:2434(command)
11513
msgid "ldapmodify -x -D cn=admin,cn=config -W"
11516
#: serverguide/C/network-auth.xml:175(userinput)
11520
"dn: olcDatabase={1}hdb,cn=config\n"
11521
"add: olcDbIndex\n"
11522
"olcDbIndex: entryUUID eq"
11525
#: serverguide/C/network-auth.xml:175(computeroutput)
11528
"Enter LDAP Password:<placeholder-1/>\n"
11530
"modifying entry \"olcDatabase={1}hdb,cn=config\"\n"
11533
#: serverguide/C/network-auth.xml:184(para)
11535
"Once the modification has completed, press <emphasis>Ctrl+D</emphasis> to "
11536
"exit the utility."
11539
#: serverguide/C/network-auth.xml:191(para)
11541
"<application>ldapmodify</application> can also read the changes from a file. "
11542
"Copy and paste the following into a file named "
11543
"<filename>uid_index.ldif</filename>:"
11546
#: serverguide/C/network-auth.xml:196(programlisting)
11550
"dn: olcDatabase={1}hdb,cn=config\n"
11551
"add: olcDbIndex\n"
11552
"olcDbIndex: uid eq,pres,sub\n"
11555
#: serverguide/C/network-auth.xml:202(para)
11556
msgid "Then execute <application>ldapmodify</application>:"
11559
#: serverguide/C/network-auth.xml:207(command)
11560
msgid "ldapmodify -x -D cn=admin,cn=config -W -f uid_index.ldif"
11563
#: serverguide/C/network-auth.xml:211(computeroutput)
11566
"Enter LDAP Password: \n"
11567
"modifying entry \"olcDatabase={1}hdb,cn=config\"\n"
11570
#: serverguide/C/network-auth.xml:216(para)
11571
msgid "The file method is very useful for large changes."
11574
#: serverguide/C/network-auth.xml:223(para)
11576
"Adding additional <emphasis>schemas</emphasis> to "
11577
"<application>slapd</application> requires the schema to be converted to LDIF "
11578
"format. Fortunately, the <application>slapd</application> program can be "
11579
"used to automate the conversion. The following example will add the "
11580
"<emphasis>misc.schema</emphasis>:"
11583
#: serverguide/C/network-auth.xml:231(para)
11585
"First, create a conversion <filename>schema_convert.conf</filename> file "
11586
"containing the following lines:"
11589
#: serverguide/C/network-auth.xml:236(programlisting)
11593
"include /etc/ldap/schema/core.schema\n"
11594
"include /etc/ldap/schema/collective.schema\n"
11595
"include /etc/ldap/schema/corba.schema\n"
11596
"include /etc/ldap/schema/cosine.schema\n"
11597
"include /etc/ldap/schema/duaconf.schema\n"
11598
"include /etc/ldap/schema/dyngroup.schema\n"
11599
"include /etc/ldap/schema/inetorgperson.schema\n"
11600
"include /etc/ldap/schema/java.schema\n"
11601
"include /etc/ldap/schema/misc.schema\n"
11602
"include /etc/ldap/schema/nis.schema\n"
11603
"include /etc/ldap/schema/openldap.schema\n"
11604
"include /etc/ldap/schema/ppolicy.schema\n"
11607
#: serverguide/C/network-auth.xml:254(para) serverguide/C/network-auth.xml:1318(para)
11608
msgid "Next, create a temporary directory to hold the output:"
11611
#: serverguide/C/network-auth.xml:259(command) serverguide/C/network-auth.xml:1323(command) serverguide/C/network-auth.xml:2347(command)
11612
msgid "mkdir /tmp/ldif_output"
11615
#: serverguide/C/network-auth.xml:265(para)
11617
"Now using <application>slapcat</application> convert the schema files to "
11621
#: serverguide/C/network-auth.xml:270(command)
11623
"slapcat -f schema_convert.conf -F /tmp/ldif_output -n0 -s "
11624
"\"cn={8}misc,cn=schema,cn=config\" > /tmp/cn=misc.ldif"
11627
#: serverguide/C/network-auth.xml:273(para)
11629
"Adjust the configuration file name and temporary directory names if yours "
11630
"are different. Also, it may be worthwhile to keep the "
11631
"<filename>ldif_output</filename> directory around in case you want to add "
11632
"additional schemas in the future."
11635
#: serverguide/C/network-auth.xml:282(para)
11637
"Edit the <filename>/tmp/cn\\=misc.ldif</filename> file, changing the "
11638
"following attributes:"
11641
#: serverguide/C/network-auth.xml:286(programlisting)
11645
"dn: cn=misc,cn=schema,cn=config\n"
11650
#: serverguide/C/network-auth.xml:292(para) serverguide/C/network-auth.xml:1354(para)
11651
msgid "And remove the following lines from the bottom of the file:"
11654
#: serverguide/C/network-auth.xml:296(programlisting)
11658
"structuralObjectClass: olcSchemaConfig\n"
11659
"entryUUID: 10dae0ea-0760-102d-80d3-f9366b7f7757\n"
11660
"creatorsName: cn=config\n"
11661
"createTimestamp: 20080826021140Z\n"
11662
"entryCSN: 20080826021140.791425Z#000000#000#000000\n"
11663
"modifiersName: cn=config\n"
11664
"modifyTimestamp: 20080826021140Z\n"
11667
#: serverguide/C/network-auth.xml:307(para) serverguide/C/network-auth.xml:1369(para) serverguide/C/network-auth.xml:2393(para)
11669
"The attribute values will vary, just be sure the attributes are removed."
11672
#: serverguide/C/network-auth.xml:315(para) serverguide/C/network-auth.xml:1377(para)
11674
"Finally, using the <application>ldapadd</application> utility, add the new "
11675
"schema to the directory:"
11678
#: serverguide/C/network-auth.xml:321(command)
11679
msgid "ldapadd -x -D cn=admin,cn=config -W -f /tmp/cn\\=misc.ldif"
11682
#: serverguide/C/network-auth.xml:327(para)
11684
"There should now be a <emphasis>dn: "
11685
"cn={4}misc,cn=schema,cn=config</emphasis> entry in the cn=config tree."
11688
#: serverguide/C/network-auth.xml:336(title)
11689
msgid "Populating LDAP"
11692
#: serverguide/C/network-auth.xml:338(para)
11694
"The directory has been created during installation and reconfiguration, and "
11695
"now it is time to populate it. It will be populated with a \"classical\" "
11696
"scheme that will be compatible with address book applications and with Unix "
11697
"Posix accounts. Posix accounts will allow authentication to various "
11698
"applications, such as web applications, email Mail Transfer Agent (MTA) "
11699
"applications, etc."
11702
#: serverguide/C/network-auth.xml:347(para)
11704
"For external applications to authenticate using LDAP they will each need to "
11705
"be specifically configured to do so. Refer to the individual application "
11706
"documentation for details."
11709
#: serverguide/C/network-auth.xml:354(para)
11711
"LDAP directories can be populated with LDIF (LDAP Directory Interchange "
11712
"Format) files. Copy the following example LDIF file, naming it "
11713
"<filename>example.com.ldif</filename>, somewhere on your system:"
11716
#: serverguide/C/network-auth.xml:360(programlisting)
11720
"dn: ou=people,dc=example,dc=com\n"
11721
"objectClass: organizationalUnit\n"
11724
"dn: ou=groups,dc=example,dc=com\n"
11725
"objectClass: organizationalUnit\n"
11728
"dn: uid=john,ou=people,dc=example,dc=com\n"
11729
"objectClass: inetOrgPerson\n"
11730
"objectClass: posixAccount\n"
11731
"objectClass: shadowAccount\n"
11734
"givenName: John\n"
11736
"displayName: John Doe\n"
11737
"uidNumber: 1000\n"
11738
"gidNumber: 10000\n"
11739
"userPassword: password\n"
11740
"gecos: John Doe\n"
11741
"loginShell: /bin/bash\n"
11742
"homeDirectory: /home/john\n"
11743
"shadowExpire: -1\n"
11745
"shadowWarning: 7\n"
11747
"shadowMax: 999999\n"
11748
"shadowLastChange: 10877\n"
11749
"mail: john.doe@example.com\n"
11750
"postalCode: 31000\n"
11753
"mobile: +33 (0)6 xx xx xx xx\n"
11754
"homePhone: +33 (0)5 xx xx xx xx\n"
11755
"title: System Administrator\n"
11756
"postalAddress: \n"
11759
"dn: cn=example,ou=groups,dc=example,dc=com\n"
11760
"objectClass: posixGroup\n"
11762
"gidNumber: 10000\n"
11765
#: serverguide/C/network-auth.xml:406(para)
11767
"In this example the directory structure, a user, and a group have been "
11768
"setup. In other examples you might see the <emphasis>objectClass: "
11769
"top</emphasis> added in every entry, but that is the default behaviour so "
11770
"you do not have to add it explicitly."
11773
#: serverguide/C/network-auth.xml:413(para)
11775
"To add the entries to the LDAP directory use the "
11776
"<application>ldapadd</application> utility:"
11779
#: serverguide/C/network-auth.xml:419(command)
11780
msgid "ldapadd -x -D cn=admin,dc=example,dc=com -W -f example.com.ldif"
11783
#: serverguide/C/network-auth.xml:422(para)
11785
"We can check that the content has been correctly added with the tools from "
11786
"the <application>ldap-utils</application> package. In order to execute a "
11787
"search of the LDAP directory:"
11790
#: serverguide/C/network-auth.xml:429(command)
11791
msgid "ldapsearch -xLLL -b \"dc=example,dc=com\" uid=john sn givenName cn"
11794
#: serverguide/C/network-auth.xml:430(computeroutput)
11798
"dn: uid=john,ou=people,dc=example,dc=com\n"
11801
"givenName: John\n"
11804
#: serverguide/C/network-auth.xml:438(para)
11805
msgid "Just a quick explanation:"
11808
#: serverguide/C/network-auth.xml:444(para)
11810
"<emphasis>-x:</emphasis> will not use SASL authentication method, which is "
11814
#: serverguide/C/network-auth.xml:450(para)
11815
msgid "<emphasis>-LLL:</emphasis> disable printing LDIF schema information."
11818
#: serverguide/C/network-auth.xml:459(title)
11819
msgid "LDAP replication"
11822
#: serverguide/C/network-auth.xml:461(para)
11824
"LDAP often quickly becomes a highly critical service to the network. "
11825
"Multiple systems will come to depend on LDAP for authentication, "
11826
"authorization, configuration, etc. It is a good idea to setup a redundant "
11827
"system through replication."
11830
#: serverguide/C/network-auth.xml:467(para)
11832
"Replication is achieved using the <emphasis>Syncrepl</emphasis> engine. "
11833
"Syncrepl allows the directory to be synced using either a "
11834
"<emphasis>push</emphasis> or <emphasis>pull</emphasis> based system. In a "
11835
"push based configuration a <quote>primary</quote> server will push directory "
11836
"updates to <quote>secondary</quote> servers, while a pull based approach "
11837
"allows replication servers to sync on a time based interval."
11840
#: serverguide/C/network-auth.xml:475(para)
11842
"The following is an example of a <emphasis>Multi-Master</emphasis> "
11843
"configuration. In this configuration each OpenLDAP server is configured for "
11844
"both <emphasis>push</emphasis> and <emphasis>pull</emphasis> replication."
11847
#: serverguide/C/network-auth.xml:483(para)
11849
"First, configure the server to sync the <emphasis>cn=config</emphasis> "
11850
"database. Copy the following to a file named <filename>syncrepl_cn-"
11851
"config.ldif</filename>:"
11854
#: serverguide/C/network-auth.xml:488(programlisting)
11858
"dn: cn=module{0},cn=config\n"
11859
"changetype: modify\n"
11860
"add: olcModuleLoad\n"
11861
"olcModuleLoad: syncprov\n"
11864
"changetype: modify\n"
11865
"replace: olcServerID\n"
11866
"olcServerID: 1 ldap://ldap01.example.com\n"
11867
"olcServerID: 2 ldap://ldap02.example.com\n"
11869
"dn: olcOverlay=syncprov,olcDatabase={0}config,cn=config\n"
11870
"changetype: add\n"
11871
"objectClass: olcOverlayConfig\n"
11872
"objectClass: olcSyncProvConfig\n"
11873
"olcOverlay: syncprov\n"
11875
"dn: olcDatabase={0}config,cn=config\n"
11876
"changetype: modify\n"
11877
"add: olcSyncRepl\n"
11878
"olcSyncRepl: rid=001 provider=ldap://ldap01.example.com "
11879
"binddn=\"cn=admin,cn=config\" bindmethod=simple\n"
11880
" credentials=secret searchbase=\"cn=config\" type=refreshAndPersist\n"
11881
" retry=\"5 5 300 5\" timeout=1\n"
11882
"olcSyncRepl: rid=002 provider=ldap://ldap02.example.com "
11883
"binddn=\"cn=admin,cn=config\" bindmethod=simple\n"
11884
" credentials=secret searchbase=\"cn=config\" type=refreshAndPersist\n"
11885
" retry=\"5 5 300 5\" timeout=1\n"
11887
"add: olcMirrorMode\n"
11888
"olcMirrorMode: TRUE\n"
11891
#: serverguide/C/network-auth.xml:523(para)
11892
msgid "Edit the file changing:"
11895
#: serverguide/C/network-auth.xml:529(para)
11897
"<emphasis>ldap://ldap01.example.com</emphasis> and "
11898
"<emphasis>ldap://ldap02.example.com</emphasis> to the hostnames of your LDAP "
11902
#: serverguide/C/network-auth.xml:534(para)
11904
"You can have more than two LDAP servers, and when a change is made to one of "
11905
"them it will by synced to the rest. Be sure to increment the "
11906
"<emphasis>olcServerID</emphasis> for each server, and the "
11907
"<emphasis>rid</emphasis> for each <emphasis>olcSyncRepl</emphasis> entry."
11910
#: serverguide/C/network-auth.xml:542(para)
11912
"And adjust <emphasis>credentials=secret</emphasis> to match your admin "
11916
#: serverguide/C/network-auth.xml:552(para)
11918
"Next, add the LDIF file using the <application>ldapmodify</application> "
11922
#: serverguide/C/network-auth.xml:557(command)
11923
msgid "ldapmodify -x -D cn=admin,cn=config -W -f syncrepl_cn-config.ldif"
11926
#: serverguide/C/network-auth.xml:563(para)
11928
"Copy the <filename>syncrepl_cn-config.ldif</filename> file to the next LDAP "
11929
"server and repeat the <application>ldapmodify</application> command above."
11932
#: serverguide/C/network-auth.xml:571(para)
11934
"Because a new module has been added, the <application>slapd</application> "
11935
"daemon, on all replicated servers, needs to be restarted:"
11938
#: serverguide/C/network-auth.xml:577(command) serverguide/C/network-auth.xml:779(command) serverguide/C/network-auth.xml:895(command)
11939
msgid "sudo /etc/init.d/slapd restart"
11942
#: serverguide/C/network-auth.xml:583(para)
11944
"Now that the configuration database is synced between servers, the "
11945
"<emphasis>backend</emphasis> database needs to be synced as well. Copy and "
11946
"paste the following into another LDIF file named "
11947
"<filename>syncrepl_backend.ldif</filename>:"
11950
#: serverguide/C/network-auth.xml:589(programlisting)
11954
"dn: olcDatabase={1}hdb,cn=config\n"
11955
"changetype: modify\n"
11957
"olcRootDN: cn=admin,dc=example,dc=com\n"
11959
"add: olcSyncRepl\n"
11960
"olcSyncRepl: rid=003 provider=ldap://ldap01.example.com "
11961
"binddn=\"cn=admin,dc=example,dc=com\" \n"
11962
" bindmethod=simple credentials=secret searchbase=\"dc=example,dc=com\" "
11963
"type=refreshOnly \n"
11964
" interval=00:00:00:10 retry=\"5 5 300 5\" timeout=1\n"
11965
"olcSyncRepl: rid=004 provider=ldap://ldap02.example.com "
11966
"binddn=\"cn=admin,dc=example,dc=com\" \n"
11967
" bindmethod=simple credentials=secret searchbase=\"dc=example,dc=com\" "
11968
"type=refreshOnly \n"
11969
" interval=00:00:00:10 retry=\"5 5 300 5\" timeout=1\n"
11971
"add: olcMirrorMode\n"
11972
"olcMirrorMode: TRUE\n"
11974
"dn: olcOverlay=syncprov,olcDatabase={1}hdb,cn=config\n"
11975
"changetype: add\n"
11976
"objectClass: olcOverlayConfig\n"
11977
"objectClass: olcSyncProvConfig\n"
11978
"olcOverlay: syncprov\n"
11981
#: serverguide/C/network-auth.xml:616(para)
11982
msgid "Like the previous LDIF file, edit this one changing:"
11985
#: serverguide/C/network-auth.xml:622(para)
11987
"<emphasis>searchbase=\"dc=example,dc=com\"</emphasis> to your directory's "
11991
#: serverguide/C/network-auth.xml:627(para)
11993
"If you use a different admin user, change "
11994
"<emphasis>binddn=\"cn=admin,dc=example,dc=com\"</emphasis>."
11997
#: serverguide/C/network-auth.xml:632(para)
11999
"Also, replace <emphasis>credentials=secret</emphasis> with your admin "
12003
#: serverguide/C/network-auth.xml:641(para)
12004
msgid "Add the LDIF file:"
12007
#: serverguide/C/network-auth.xml:646(command)
12008
msgid "ldapmodify -x -D cn=admin,cn=config -W -f syncrepl_backend.ldif"
12011
#: serverguide/C/network-auth.xml:649(para)
12013
"Because the servers' configuration is already synced there is no need to "
12014
"copy this LDIF file to the other servers."
12017
#: serverguide/C/network-auth.xml:657(para)
12019
"The configuration and backend databases should now sycnc to the other "
12020
"servers. You can add additional servers using the "
12021
"<application>ldapmodify</application> utility as the need arises. See <xref "
12022
"linkend=\"openldap-configuration\"/> for details."
12025
#: serverguide/C/network-auth.xml:667(programlisting)
12027
msgid "127.0.0.1\tldap01.example.com ldap01"
12030
#: serverguide/C/network-auth.xml:663(para)
12032
"The <application>slapd</application> daemon will send log information to "
12033
"<filename>/var/log/syslog</filename> by default. So if all does "
12034
"<emphasis>not</emphasis> go well check there for errors and other "
12035
"troubleshooting information. Also, be sure that each server knows it's Fully "
12036
"Qualified Domain Name (FQDN). This is configured in "
12037
"<filename>/etc/hosts</filename> with a line similar to: <placeholder-1/>."
12040
#: serverguide/C/network-auth.xml:674(title)
12041
msgid "Setting up ACL"
12044
#: serverguide/C/network-auth.xml:676(para)
12046
"Authentication requires access to the password field, that should be not "
12047
"accessible by default. Also, in order for users to change their own "
12048
"password, using <command>passwd</command> or other utilities, "
12049
"<emphasis>shadowLastChange</emphasis> needs to be accessible once a user has "
12053
#: serverguide/C/network-auth.xml:683(para)
12055
"To view the Access Control List (ACL), use the "
12056
"<application>ldapsearch</application> utility:"
12059
#: serverguide/C/network-auth.xml:688(command)
12061
"ldapsearch -xLLL -b cn=config -D cn=admin,cn=config -W olcDatabase=hdb "
12065
#: serverguide/C/network-auth.xml:692(computeroutput)
12068
"Enter LDAP Password: \n"
12069
"dn: olcDatabase={1}hdb,cn=config\n"
12070
"olcAccess: {0}to attrs=userPassword,shadowLastChange by "
12071
"dn=\"cn=admin,dc=exampl\n"
12072
" e,dc=com\" write by anonymous auth by self write by * none\n"
12073
"olcAccess: {1}to dn.base=\"\" by * read\n"
12074
"olcAccess: {2}to * by dn=\"cn=admin,dc=example,dc=com\" write by * read\n"
12077
#: serverguide/C/network-auth.xml:704(title)
12078
msgid "TLS and SSL"
12081
#: serverguide/C/network-auth.xml:706(para)
12083
"When authenticating to an OpenLDAP server it is best to do so using an "
12084
"encrypted session. This can be accomplished using Transport Layer Security "
12085
"(TLS) and/or Secure Sockets Layer (SSL)."
12088
#: serverguide/C/network-auth.xml:711(para)
12090
"The first step in the process is to obtain or create a "
12091
"<emphasis>certificate</emphasis>. See <xref linkend=\"certificates-and-"
12092
"security\"/> and <xref linkend=\"certificate-authority\"/> for details."
12095
#: serverguide/C/network-auth.xml:716(para)
12097
"Once you have a certificate, key, and CA cert installed, use "
12098
"<application>ldapmodify</application> to add the new configuration options:"
12101
#: serverguide/C/network-auth.xml:727(userinput)
12105
"add: olcTLSCACertificateFile\n"
12106
"olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem\n"
12108
"add: olcTLSCertificateFile\n"
12109
"olcTLSCertificateFile: /etc/ssl/certs/server.crt\n"
12111
"add: olcTLSCertificateKeyFile\n"
12112
"olcTLSCertificateKeyFile: /etc/ssl/private/server.key"
12115
#: serverguide/C/network-auth.xml:726(computeroutput)
12118
"Enter LDAP Password:\n"
12119
"<placeholder-1/>\n"
12121
"modifying entry \"cn=config\"\n"
12124
#: serverguide/C/network-auth.xml:742(para)
12126
"Adjust the <filename>server.crt</filename>, <filename>server.key</filename>, "
12127
"and <filename>cacert.pem</filename> names if yours are different. If you "
12128
"have a self-signed certificate, do <emphasis>NOT</emphasis> add the "
12129
"olcTLSCACertificateFile property, as it will cause GnuTLS to fail.."
12132
#: serverguide/C/network-auth.xml:749(para)
12134
"Next, edit <filename>/etc/default/slapd</filename> uncomment the "
12135
"<emphasis>SLAPD_SERVICES</emphasis> option:"
12138
#: serverguide/C/network-auth.xml:753(programlisting)
12142
"SLAPD_SERVICES=\"ldap:/// ldapi:/// ldaps:///\"\n"
12145
#: serverguide/C/network-auth.xml:757(para)
12147
"Now the <emphasis>openldap</emphasis> user needs access to the certificate:"
12150
#: serverguide/C/network-auth.xml:762(command)
12151
msgid "sudo adduser openldap ssl-cert"
12154
#: serverguide/C/network-auth.xml:763(command)
12155
msgid "sudo chgrp ssl-cert /etc/ssl/private/server.key"
12158
#: serverguide/C/network-auth.xml:764(command)
12159
msgid "sudo chmod g+r /etc/ssl/private/server.key"
12162
#: serverguide/C/network-auth.xml:768(para)
12164
"If the <filename role=\"directory\">/etc/ssl/private</filename> and "
12165
"<filename>/etc/ssl/private/server.key</filename> have different permissions, "
12166
"adjust the commands appropriately."
12169
#: serverguide/C/network-auth.xml:774(para)
12170
msgid "Finally, restart <application>slapd</application>:"
12173
#: serverguide/C/network-auth.xml:782(para)
12175
"The <application>slapd</application> daemon should now be listening for "
12176
"LDAPS connections and be able to use STARTTLS during authentication."
12179
#: serverguide/C/network-auth.xml:788(para)
12181
"If you run into troubles with the server not starting, check the "
12182
"/var/log/syslog. If you see errors like main: TLS init def ctx failed: -1, "
12183
"it is likely there is a configuration problem. Check that the certificate is "
12184
"signed by the authority from in the files configured, and that the ssl-cert "
12185
"group has read permissions on the private key."
12188
#: serverguide/C/network-auth.xml:800(title)
12189
msgid "TLS Replication"
12192
#: serverguide/C/network-auth.xml:802(para)
12194
"If you have setup <application>Syncrepl</application> between servers, it is "
12195
"prudent to encrypt the replication traffic using <emphasis>Transport Layer "
12196
"Security (TLS)</emphasis>. For details on setting up replication see <xref "
12197
"linkend=\"openldap-server-replication\"/>."
12200
#: serverguide/C/network-auth.xml:808(para)
12202
"After setting up replication, and following the instructions in <xref "
12203
"linkend=\"openldap-tls\"/>, there are a couple of consequences that should "
12207
#: serverguide/C/network-auth.xml:815(para)
12209
"The configuration only needs to be modified on <emphasis>one</emphasis> "
12213
#: serverguide/C/network-auth.xml:820(para)
12215
"The path names for the <emphasis>certificate</emphasis> and "
12216
"<emphasis>key</emphasis> must be the same on all servers."
12219
#: serverguide/C/network-auth.xml:827(para)
12221
"So on each replicated server: install a certificate, edit "
12222
"<filename>/etc/default/slapd</filename>, and restart "
12223
"<application>slapd</application>."
12226
#: serverguide/C/network-auth.xml:832(para)
12228
"Once <emphasis>TLS</emphasis> has been setup on each server, modify the "
12229
"<emphasis>cn=config</emphasis> replication by entering the following in a "
12233
#: serverguide/C/network-auth.xml:843(userinput)
12236
"dn: olcDatabase={0}config,cn=config\n"
12237
"replace: olcSyncrepl\n"
12238
"olcSyncrepl: {0}rid=001 provider=ldap://ldap01.example.com "
12239
"binddn=\"cn=admin,cn\n"
12240
" =config\" bindmethod=simple credentials=secret searchbase=\"cn=config\" "
12242
" shAndPersist retry=\"5 5 300 5\" timeout=1 starttls=yes\n"
12243
"olcSyncrepl: {1}rid=002 provider=ldap://ldap02.example.com "
12244
"binddn=\"cn=admin,cn\n"
12245
" =config\" bindmethod=simple credentials=secret searchbase=\"cn=config\" "
12247
" shAndPersist retry=\"5 5 300 5\" timeout=1 starttls=yes"
12250
#: serverguide/C/network-auth.xml:842(computeroutput)
12253
"Enter LDAP Password: \n"
12254
"<placeholder-1/>\n"
12256
"modifying entry \"olcDatabase={0}config,cn=config\"\n"
12259
#: serverguide/C/network-auth.xml:856(para)
12260
msgid "Now adjust the <emphasis>backend</emphasis> database replication:"
12263
#: serverguide/C/network-auth.xml:866(userinput)
12266
"dn: olcDatabase={1}hdb,cn=config\n"
12267
"replace: olcSyncrepl\n"
12268
"olcSyncrepl: {0}rid=003 provider=ldap://ldap01.example.com "
12269
"binddn=\"cn=admin,dc=example,dc=\n"
12270
" com\" bindmethod=simple credentials=secret searchbase=\"dc=example,dc=com\" "
12272
" efreshOnly interval=00:00:00:10 retry=\"5 5 300 5\" timeout=1 starttls=yes\n"
12273
"olcSyncrepl: {1}rid=004 provider=ldap://ldap02.example.com "
12274
"binddn=\"cn=admin,dc=example,dc=\n"
12275
" com\" bindmethod=simple credentials=secret searchbase=\"dc=example,dc=com\" "
12277
" efreshOnly interval=00:00:00:10 retry=\"5 5 300 5\" timeout=1 starttls=yes"
12280
#: serverguide/C/network-auth.xml:865(computeroutput) serverguide/C/network-auth.xml:2418(computeroutput)
12283
"Enter LDAP Password:\n"
12284
"<placeholder-1/>\n"
12286
"modifying entry \"olcDatabase={1}hdb,cn=config\""
12289
#: serverguide/C/network-auth.xml:878(para)
12291
"If the LDAP server hostname does not match the Fully Qualified Domain Name "
12292
"(FQDN) in the certificate, you may have to edit "
12293
"<filename>/etc/ldap/ldap.conf</filename> and add the following TLS options:"
12296
#: serverguide/C/network-auth.xml:883(programlisting)
12300
"TLS_CERT /etc/ssl/certs/server.crt\n"
12301
"TLS_KEY /etc/ssl/private/server.key\n"
12302
"TLS_CACERT /etc/ssl/certs/cacert.pem\n"
12305
#: serverguide/C/network-auth.xml:890(para)
12307
"Finally, restart <application>slapd</application> on each of the servers:"
12310
#: serverguide/C/network-auth.xml:903(title)
12311
msgid "LDAP Authentication"
12314
#: serverguide/C/network-auth.xml:905(para)
12316
"Once you have a working LDAP server, the <application>auth-client-"
12317
"config</application> and <application>libnss-ldap</application> packages "
12318
"take the pain out of configuring an Ubuntu client to authenticate using "
12319
"LDAP. To install the packages from, a terminal prompt enter:"
12322
#: serverguide/C/network-auth.xml:912(command)
12323
msgid "sudo apt-get install libnss-ldap"
12326
#: serverguide/C/network-auth.xml:915(para)
12328
"During the install a menu dialog will ask you connection details about your "
12332
#: serverguide/C/network-auth.xml:919(para)
12334
"If you make a mistake when entering your information you can execute the "
12335
"dialog again using:"
12338
#: serverguide/C/network-auth.xml:924(command)
12339
msgid "sudo dpkg-reconfigure ldap-auth-config"
12342
#: serverguide/C/network-auth.xml:927(para)
12344
"The results of the dialog can be seen in "
12345
"<filename>/etc/ldap.conf</filename>. If your server requires options not "
12346
"covered in the menu edit this file accordingly."
12349
#: serverguide/C/network-auth.xml:932(para)
12351
"Now that <application>libnss-ldap</application> is configured enable the "
12352
"<application>auth-client-config</application> LDAP profile by entering:"
12355
#: serverguide/C/network-auth.xml:938(command)
12356
msgid "sudo auth-client-config -t nss -p lac_ldap"
12359
#: serverguide/C/network-auth.xml:943(para)
12361
"<emphasis>-t:</emphasis> only modifies "
12362
"<filename>/etc/nsswitch.conf</filename>."
12365
#: serverguide/C/network-auth.xml:948(para)
12366
msgid "<emphasis>-p:</emphasis> name of the profile to enable, disable, etc."
12369
#: serverguide/C/network-auth.xml:953(para)
12371
"<emphasis>lac_ldap:</emphasis> the <application>auth-client-"
12372
"config</application> profile that is part of the <application>ldap-auth-"
12373
"config</application> package."
12376
#: serverguide/C/network-auth.xml:960(para)
12378
"Using the <application>pam-auth-update</application> utility, configure the "
12379
"system to use LDAP for authentication:"
12382
#: serverguide/C/network-auth.xml:965(command)
12383
msgid "sudo pam-auth-update"
12386
#: serverguide/C/network-auth.xml:968(para)
12388
"From the <application>pam-auth-update</application> menu, choose LDAP and "
12389
"any other authentication mechanisms you need."
12392
#: serverguide/C/network-auth.xml:972(para)
12394
"You should now be able to login using user credentials stored in the LDAP "
12398
#: serverguide/C/network-auth.xml:977(para)
12400
"If you are going to use LDAP to store Samba users you will need to configure "
12401
"the server to authenticate using LDAP. See <xref linkend=\"samba-ldap\"/> "
12405
#: serverguide/C/network-auth.xml:985(title)
12406
msgid "User and Group Management"
12409
#: serverguide/C/network-auth.xml:987(para)
12411
"The <application>ldap-utils</application> package comes with multiple "
12412
"utilities to manage the directory, but the long string of options needed, "
12413
"can make them a burden to use. The <application>ldapscripts</application> "
12414
"package contains configurable scripts to easily manage LDAP users and groups."
12417
#: serverguide/C/network-auth.xml:993(para)
12418
msgid "To install the package, from a terminal enter:"
12421
#: serverguide/C/network-auth.xml:998(command)
12422
msgid "sudo apt-get install ldapscripts"
12425
#: serverguide/C/network-auth.xml:1001(para)
12427
"Next, edit the config file "
12428
"<filename>/etc/ldapscripts/ldapscripts.conf</filename> uncommenting and "
12429
"changing the following to match your environment:"
12432
#: serverguide/C/network-auth.xml:1006(programlisting)
12436
"SERVER=localhost\n"
12437
"BINDDN='cn=admin,dc=example,dc=com'\n"
12438
"BINDPWDFILE=\"/etc/ldapscripts/ldapscripts.passwd\"\n"
12439
"SUFFIX='dc=example,dc=com'\n"
12440
"GSUFFIX='ou=Groups'\n"
12441
"USUFFIX='ou=People'\n"
12442
"MSUFFIX='ou=Computers'\n"
12448
#: serverguide/C/network-auth.xml:1019(para)
12450
"Now, create the <filename>ldapscripts.passwd</filename> file to allow "
12451
"authenticated access to the directory:"
12454
#: serverguide/C/network-auth.xml:1024(command)
12456
"sudo sh -c \"echo -n 'secret' > /etc/ldapscripts/ldapscripts.passwd\""
12459
#: serverguide/C/network-auth.xml:1025(command)
12460
msgid "sudo chmod 400 /etc/ldapscripts/ldapscripts.passwd"
12463
#: serverguide/C/network-auth.xml:1029(para)
12465
"Replace <quote>secret</quote> with the actual password for your LDAP admin "
12469
#: serverguide/C/network-auth.xml:1034(para)
12471
"The <application>ldapscripts</application> are now ready to help manage your "
12472
"directory. The following are some examples of how to use the scripts:"
12475
#: serverguide/C/network-auth.xml:1041(para)
12476
msgid "Create a new user:"
12479
#: serverguide/C/network-auth.xml:1045(command)
12480
msgid "sudo ldapadduser george example"
12483
#: serverguide/C/network-auth.xml:1047(para)
12485
"This will create a user with uid <emphasis role=\"italic\">george</emphasis> "
12486
"and set the user's primary group (gid) to <emphasis "
12487
"role=\"italic\">example</emphasis>"
12490
#: serverguide/C/network-auth.xml:1053(para)
12491
msgid "Change a user's password:"
12494
#: serverguide/C/network-auth.xml:1057(command)
12495
msgid "sudo ldapsetpasswd george"
12498
#: serverguide/C/network-auth.xml:1058(computeroutput)
12500
msgid "Changing password for user uid=george,ou=People,dc=example,dc=com"
12503
#: serverguide/C/network-auth.xml:1059(userinput)
12505
msgid "New Password: "
12508
#: serverguide/C/network-auth.xml:1060(userinput)
12510
msgid "New Password (verify): "
12513
#: serverguide/C/network-auth.xml:1064(para)
12514
msgid "Delete a user:"
12517
#: serverguide/C/network-auth.xml:1068(command)
12518
msgid "sudo ldapdeleteuser george"
12521
#: serverguide/C/network-auth.xml:1073(para)
12522
msgid "Add a group:"
12525
#: serverguide/C/network-auth.xml:1077(command)
12526
msgid "sudo ldapaddgroup qa"
12529
#: serverguide/C/network-auth.xml:1081(para)
12530
msgid "Delete a group:"
12533
#: serverguide/C/network-auth.xml:1085(command)
12534
msgid "sudo ldapdeletegroup qa"
12537
#: serverguide/C/network-auth.xml:1089(para)
12538
msgid "Add a user to a group:"
12541
#: serverguide/C/network-auth.xml:1093(command)
12542
msgid "sudo ldapaddusertogroup george qa"
12545
#: serverguide/C/network-auth.xml:1095(para)
12547
"You should now see a <emphasis>memberUid</emphasis> attribute for the "
12548
"<emphasis role=\"italic\">qa</emphasis> group with a value of <emphasis "
12549
"role=\"italic\">george</emphasis>."
12552
#: serverguide/C/network-auth.xml:1101(para)
12553
msgid "Remove a user from a group:"
12556
#: serverguide/C/network-auth.xml:1105(command)
12557
msgid "sudo ldapdeleteuserfromgroup george qa"
12560
#: serverguide/C/network-auth.xml:1107(para)
12562
"The <emphasis>memberUid</emphasis> attribute should now be removed from the "
12563
"<emphasis role=\"italic\">qa</emphasis> group."
12566
#: serverguide/C/network-auth.xml:1113(para)
12568
"The <application>ldapmodifyuser</application> script allows you to add, "
12569
"remove, or replace a user's attributes. The script uses the same syntax as "
12570
"the <application>ldapmodify</application> utility. For example:"
12573
#: serverguide/C/network-auth.xml:1118(command)
12574
msgid "sudo ldapmodifyuser george"
12577
#: serverguide/C/network-auth.xml:1119(computeroutput)
12580
"# About to modify the following entry :\n"
12581
"dn: uid=george,ou=People,dc=example,dc=com\n"
12582
"objectClass: account\n"
12583
"objectClass: posixAccount\n"
12586
"uidNumber: 1001\n"
12587
"gidNumber: 1001\n"
12588
"homeDirectory: /home/george\n"
12589
"loginShell: /bin/bash\n"
12591
"description: User account\n"
12592
"userPassword:: e1NTSEF9eXFsTFcyWlhwWkF1eGUybVdFWHZKRzJVMjFTSG9vcHk=\n"
12594
"# Enter your modifications here, end with CTRL-D.\n"
12595
"dn: uid=george,ou=People,dc=example,dc=com"
12598
#: serverguide/C/network-auth.xml:1135(userinput)
12602
"gecos: George Carlin"
12605
#: serverguide/C/network-auth.xml:1138(para)
12607
"The user's <emphasis>gecos</emphasis> should now be <quote>George "
12611
#: serverguide/C/network-auth.xml:1143(para)
12613
"Another great feature of <application>ldapscripts</application>, is the "
12614
"template system. Templates allow you to customize the attributes of user, "
12615
"group, and machine objectes. For example, to enable the "
12616
"<emphasis>user</emphasis> template edit "
12617
"<filename>/etc/ldapscripts/ldapscripts.conf</filename> changing:"
12620
#: serverguide/C/network-auth.xml:1150(programlisting)
12624
"UTEMPLATE=\"/etc/ldapscripts/ldapadduser.template\"\n"
12627
#: serverguide/C/network-auth.xml:1154(para)
12629
"There are <emphasis role=\"italic\">sample</emphasis> templates in the "
12630
"<filename>/etc/ldapscripts</filename> directory. Copy or rename the "
12631
"<filename>ldapadduser.template.sample</filename> file to "
12632
"<filename>/etc/ldapscripts/ldapadduser.template</filename>:"
12635
#: serverguide/C/network-auth.xml:1161(command)
12637
"sudo cp /etc/ldapscripts/ldapadduser.template.sample "
12638
"/etc/ldapscripts/ldapadduser.template"
12641
#: serverguide/C/network-auth.xml:1164(para)
12643
"Edit the new template to add the desired attributes. The following will "
12644
"create new user's as with an <emphasis>objectClass</emphasis> of "
12645
"<emphasis>inetOrgPerson</emphasis>:"
12648
#: serverguide/C/network-auth.xml:1169(programlisting)
12652
"dn: uid=<user>,<usuffix>,<suffix>\n"
12653
"objectClass: inetOrgPerson\n"
12654
"objectClass: posixAccount\n"
12655
"cn: <user>\n"
12656
"sn: <ask>\n"
12657
"uid: <user>\n"
12658
"uidNumber: <uid>\n"
12659
"gidNumber: <gid>\n"
12660
"homeDirectory: <home>\n"
12661
"loginShell: <shell>\n"
12662
"gecos: <user>\n"
12663
"description: User account\n"
12664
"title: Employee\n"
12667
#: serverguide/C/network-auth.xml:1185(para)
12669
"Notice the <emphasis><ask></emphasis> option used for the "
12670
"<emphasis>cn</emphasis> value. Using <ask> will configure "
12671
"<application>ldapadduser</application> to prompt you for the attribute value "
12672
"during user creation."
12675
#: serverguide/C/network-auth.xml:1193(para)
12677
"There are more useful scripts in the package, to see a full list enter: "
12678
"<command>dpkg -L ldapscripts | grep bin</command>"
12681
#: serverguide/C/network-auth.xml:1202(para)
12683
"For more information see <ulink url=\"http://www.openldap.org/\">OpenLDAP "
12684
"Home Page</ulink>"
12687
#: serverguide/C/network-auth.xml:1207(para)
12689
"Though starting to show it's age, a great source for in depth LDAP "
12690
"information is O'Reilly's <ulink "
12691
"url=\"http://www.oreilly.com/catalog/ldapsa/\">LDAP System "
12692
"Administration</ulink>"
12695
#: serverguide/C/network-auth.xml:1213(para)
12697
"Packt's <ulink url=\"http://www.packtpub.com/OpenLDAP-Developers-Server-Open-"
12698
"Source-Linux/book\">Mastering OpenLDAP</ulink> is a great reference covering "
12699
"newer versions of OpenLDAP."
12702
#: serverguide/C/network-auth.xml:1219(para)
12704
"For more information on <application>auth-client-config</application> see "
12705
"the man page: <command>man auth-client-config</command>."
12708
#: serverguide/C/network-auth.xml:1224(para)
12710
"For more details regarding the <application>ldapscripts</application> "
12711
"package see the man pages: <command>man ldapscripts</command>, <command>man "
12712
"ldapadduser</command>, <command>man ldapaddgroup</command>, etc."
12715
#: serverguide/C/network-auth.xml:1234(title)
12716
msgid "Samba and LDAP"
12719
#: serverguide/C/network-auth.xml:1236(para)
12721
"This section covers configuring Samba to use LDAP for user, group, and "
12722
"machine account information and authentication. The assumption is, you "
12723
"already have a working OpenLDAP directory installed and the server is "
12724
"configured to use it for authentication. See <xref linkend=\"openldap-"
12725
"server\"/> and <xref linkend=\"openldap-auth-config\"/> for details on "
12726
"setting up OpenLDAP. For more information on installing and configuring "
12727
"Samba see <xref linkend=\"windows-networking\"/>."
12730
#: serverguide/C/network-auth.xml:1246(para)
12732
"There are three packages needed when integrating Samba with LDAP. "
12733
"<application>samba</application>, <application>samba-doc</application>, and "
12734
"<application>smbldap-tools</application> packages . To install the packages, "
12735
"from a terminal enter:"
12738
#: serverguide/C/network-auth.xml:1252(command)
12739
msgid "sudo apt-get install samba samba-doc smbldap-tools"
12742
#: serverguide/C/network-auth.xml:1255(para)
12744
"Strictly speaking the <application>smbldap-tools</application> package isn't "
12745
"needed, but unless you have another package or custom scripts, a method of "
12746
"managing users, groups, and computer accounts is needed."
12749
#: serverguide/C/network-auth.xml:1262(title)
12750
msgid "OpenLDAP Configuration"
12753
#: serverguide/C/network-auth.xml:1264(para)
12755
"In order for Samba to use OpenLDAP as a <emphasis>passdb backend</emphasis>, "
12756
"the user objects in the directory will need additional attributes. This "
12757
"section assumes you want Samba to be configured as a Windows NT domain "
12758
"controller, and will add the necessary LDAP objects and attributes."
12761
#: serverguide/C/network-auth.xml:1272(para)
12763
"The Samba attributes are defined in the <filename>samba.schema</filename> "
12764
"file which is part of the <application>samba-doc</application> package. The "
12765
"schema file needs to be unzipped and copied to "
12766
"<filename>/etc/ldap/schema</filename>. From a terminal prompt enter:"
12769
#: serverguide/C/network-auth.xml:1279(command)
12771
"sudo cp /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz "
12772
"/etc/ldap/schema/"
12775
#: serverguide/C/network-auth.xml:1280(command)
12776
msgid "sudo gzip -d /etc/ldap/schema/samba.schema.gz"
12779
#: serverguide/C/network-auth.xml:1286(para)
12781
"The <emphasis>samba</emphasis> schema needs to be added to the "
12782
"<emphasis>cn=config</emphasis> tree. The procedure to add a new schema to "
12783
"<application>slapd</application> is also detailed in <xref "
12784
"linkend=\"openldap-configuration\"/>."
12787
#: serverguide/C/network-auth.xml:1294(para) serverguide/C/network-auth.xml:2318(para)
12789
"First, create a configuration file named "
12790
"<filename>schema_convert.conf</filename>, or a similar descriptive name, "
12791
"containing the following lines:"
12794
#: serverguide/C/network-auth.xml:1299(programlisting)
12798
"include /etc/ldap/schema/core.schema\n"
12799
"include /etc/ldap/schema/collective.schema\n"
12800
"include /etc/ldap/schema/corba.schema\n"
12801
"include /etc/ldap/schema/cosine.schema\n"
12802
"include /etc/ldap/schema/duaconf.schema\n"
12803
"include /etc/ldap/schema/dyngroup.schema\n"
12804
"include /etc/ldap/schema/inetorgperson.schema\n"
12805
"include /etc/ldap/schema/java.schema\n"
12806
"include /etc/ldap/schema/misc.schema\n"
12807
"include /etc/ldap/schema/nis.schema\n"
12808
"include /etc/ldap/schema/openldap.schema\n"
12809
"include /etc/ldap/schema/ppolicy.schema\n"
12810
"include /etc/ldap/schema/samba.schema\n"
12813
#: serverguide/C/network-auth.xml:1329(para) serverguide/C/network-auth.xml:2353(para)
12815
"Now use <application>slapcat</application> to convert the schema files:"
12818
#: serverguide/C/network-auth.xml:1334(command)
12820
"slapcat -f schema_convert.conf -F /tmp/ldif_output -n0 -s "
12821
"\"cn={12}samba,cn=schema,cn=config\" > /tmp/cn=samba.ldif"
12824
#: serverguide/C/network-auth.xml:1337(para) serverguide/C/network-auth.xml:2361(para)
12826
"Change the above file and path names to match your own if they are different."
12829
#: serverguide/C/network-auth.xml:1344(para)
12831
"Edit the generated <filename>/tmp/cn\\=samba.ldif</filename> file, changing "
12832
"the following attributes:"
12835
#: serverguide/C/network-auth.xml:1348(programlisting)
12839
"dn: cn=samba,cn=schema,cn=config\n"
12844
#: serverguide/C/network-auth.xml:1358(programlisting)
12848
"structuralObjectClass: olcSchemaConfig\n"
12849
"entryUUID: b53b75ca-083f-102d-9fff-2f64fd123c95\n"
12850
"creatorsName: cn=config\n"
12851
"createTimestamp: 20080827045234Z\n"
12852
"entryCSN: 20080827045234.341425Z#000000#000#000000\n"
12853
"modifiersName: cn=config\n"
12854
"modifyTimestamp: 20080827045234Z\n"
12857
#: serverguide/C/network-auth.xml:1383(command)
12858
msgid "ldapadd -x -D cn=admin,cn=config -W -f /tmp/cn\\=samba.ldif"
12861
#: serverguide/C/network-auth.xml:1389(para)
12863
"There should now be a <emphasis>dn: "
12864
"cn={X}misc,cn=schema,cn=config</emphasis>, where \"X\" is the next "
12865
"sequential schema, entry in the cn=config tree."
12868
#: serverguide/C/network-auth.xml:1397(para)
12870
"Copy and paste the following into a file named "
12871
"<filename>samba_indexes.ldif</filename>:"
12874
#: serverguide/C/network-auth.xml:1401(programlisting)
12878
"dn: olcDatabase={1}hdb,cn=config\n"
12879
"changetype: modify\n"
12880
"add: olcDbIndex\n"
12881
"olcDbIndex: uidNumber eq\n"
12882
"olcDbIndex: gidNumber eq\n"
12883
"olcDbIndex: loginShell eq\n"
12884
"olcDbIndex: uid eq,pres,sub\n"
12885
"olcDbIndex: memberUid eq,pres,sub\n"
12886
"olcDbIndex: uniqueMember eq,pres\n"
12887
"olcDbIndex: sambaSID eq\n"
12888
"olcDbIndex: sambaPrimaryGroupSID eq\n"
12889
"olcDbIndex: sambaGroupType eq\n"
12890
"olcDbIndex: sambaSIDList eq\n"
12891
"olcDbIndex: sambaDomainName eq\n"
12892
"olcDbIndex: default sub\n"
12895
#: serverguide/C/network-auth.xml:1419(para)
12897
"Using the <application>ldapmodify</application> utility load the new indexes:"
12900
#: serverguide/C/network-auth.xml:1424(command)
12901
msgid "ldapmodify -x -D cn=admin,cn=config -W -f samba_indexes.ldif"
12904
#: serverguide/C/network-auth.xml:1426(para)
12906
"If all went well you should see the new indexes using "
12907
"<application>ldapsearch</application>:"
12910
#: serverguide/C/network-auth.xml:1431(command)
12912
"ldapsearch -xLLL -D cn=admin,cn=config -x -b cn=config -W olcDatabase={1}hdb"
12915
#: serverguide/C/network-auth.xml:1437(para)
12917
"Next, configure the <application>smbldap-tools</application> package to "
12918
"match your environment. The package comes with a configuration script that "
12919
"will ask questions about the needed options. To run the script enter:"
12922
#: serverguide/C/network-auth.xml:1443(command)
12923
msgid "sudo gzip -d /usr/share/doc/smbldap-tools/configure.pl.gz"
12926
#: serverguide/C/network-auth.xml:1444(command)
12927
msgid "sudo perl /usr/share/doc/smbldap-tools/configure.pl"
12930
#: serverguide/C/network-auth.xml:1447(para)
12932
"Once you have answered the questions, there should be <filename>/etc/smbldap-"
12933
"tools/smbldap.conf</filename> and <filename>/etc/smbldap-"
12934
"tools/smbldap_bind.conf</filename> files. These files are generated by the "
12935
"configure script, so if you made any mistakes while executing the script it "
12936
"may be simpler to edit the file appropriately."
12939
#: serverguide/C/network-auth.xml:1457(para)
12941
"The <application>smbldap-populate</application> script will add the "
12942
"necessary users, groups, and LDAP objects required for Samba. It is a good "
12943
"idea to make a backup LDAP Data Interchange Format (LDIF) file with "
12944
"<application>slapcat</application> before executing the command:"
12947
#: serverguide/C/network-auth.xml:1464(command)
12948
msgid "sudo slapcat -l backup.ldif"
12951
#: serverguide/C/network-auth.xml:1470(para)
12953
"Once you have a current backup execute <application>smbldap-"
12954
"populate</application> by entering:"
12957
#: serverguide/C/network-auth.xml:1475(command)
12958
msgid "sudo smbldap-populate"
12961
#: serverguide/C/network-auth.xml:1479(para)
12963
"You can create an LDIF file containing the new Samba objects by executing "
12964
"<command>sudo smbldap-populate -e samba.ldif</command>. This allows you to "
12965
"look over the changes making sure everything is correct."
12968
#: serverguide/C/network-auth.xml:1487(para)
12970
"Your LDAP directory now has the necessary domain information to authenticate "
12974
#: serverguide/C/network-auth.xml:1493(title)
12975
msgid "Samba Configuration"
12978
#: serverguide/C/network-auth.xml:1495(para)
12980
"There a multiple ways to configure Samba for details on some common "
12981
"configurations see <xref linkend=\"windows-networking\"/>. To configure "
12982
"Samba to use LDAP, edit the main Samba configuration file "
12983
"<filename>/etc/samba/smb.conf</filename> commenting the <emphasis>passdb "
12984
"backend</emphasis> option and adding the following:"
12987
#: serverguide/C/network-auth.xml:1501(programlisting)
12991
"# passdb backend = tdbsam\n"
12993
"# LDAP Settings\n"
12994
" passdb backend = ldapsam:ldap://hostname\n"
12995
" ldap suffix = dc=example,dc=com\n"
12996
" ldap user suffix = ou=People\n"
12997
" ldap group suffix = ou=Groups\n"
12998
" ldap machine suffix = ou=Computers\n"
12999
" ldap idmap suffix = ou=Idmap\n"
13000
" ldap admin dn = cn=admin,dc=example,dc=com\n"
13001
" ldap ssl = start tls\n"
13002
" ldap passwd sync = yes\n"
13004
" add machine script = sudo /usr/sbin/smbldap-useradd -t 0 -w \"%u\"\n"
13007
#: serverguide/C/network-auth.xml:1518(para)
13008
msgid "Restart <application>samba</application> to enable the new settings:"
13011
#: serverguide/C/network-auth.xml:1526(para)
13013
"Now Samba needs to know the LDAP admin password. From a terminal prompt "
13017
#: serverguide/C/network-auth.xml:1531(command)
13018
msgid "sudo smbpasswd -w secret"
13021
#: serverguide/C/network-auth.xml:1535(para)
13023
"Replacing <emphasis role=\"italic\">secret</emphasis> with your LDAP admin "
13027
#: serverguide/C/network-auth.xml:1540(para)
13029
"If you currently have users in LDAP, and you want them to authenticate using "
13030
"Samba, they will need some Samba attributes defined in the "
13031
"<filename>samba.schema</filename> file. Add the Samba attributes to existing "
13032
"users using the <application>smbpasswd</application> utility, replacing "
13033
"<emphasis role=\"italic\">username</emphasis> with an actual user:"
13036
#: serverguide/C/network-auth.xml:1548(command)
13037
msgid "sudo smbpasswd -a username"
13040
#: serverguide/C/network-auth.xml:1551(para)
13041
msgid "You will then be asked to enter the user's password."
13044
#: serverguide/C/network-auth.xml:1555(para)
13046
"To add new user, group, and machine accounts use the utilities from the "
13047
"<application>smbldap-tools</application> package. Here are some examples:"
13050
#: serverguide/C/network-auth.xml:1562(para)
13052
"To add a new user to LDAP with Samba attributes enter the following, "
13053
"replacing username with an actual username:"
13056
#: serverguide/C/network-auth.xml:1566(command)
13057
msgid "sudo smbldap-useradd -a -P username"
13060
#: serverguide/C/network-auth.xml:1568(para)
13062
"The <emphasis>-a</emphasis> option adds the Samba attributes, and the "
13063
"<emphasis>-P</emphasis> options calls the <application>smbldap-"
13064
"passwd</application> utility after the user is created allowing you to enter "
13065
"a password for the user."
13068
#: serverguide/C/network-auth.xml:1574(para)
13069
msgid "To remove a user from the directory enter:"
13072
#: serverguide/C/network-auth.xml:1578(command)
13073
msgid "sudo smbldap-userdel username"
13076
#: serverguide/C/network-auth.xml:1580(para)
13078
"The <application>smbldap-userdel</application> utility also has a <emphasis>-"
13079
"r</emphasis> option to remove the user's home directory."
13082
#: serverguide/C/network-auth.xml:1585(para)
13084
"Use <application>smbldap-groupadd</application> to add a group, replacing "
13085
"groupname with an appropriate group:"
13088
#: serverguide/C/network-auth.xml:1589(command)
13089
msgid "sudo smbldap-groupadd -a groupname"
13092
#: serverguide/C/network-auth.xml:1591(para)
13094
"Similar to <application>smbldap-useradd</application>, the <emphasis>-"
13095
"a</emphasis> adds the Samba attributes."
13098
#: serverguide/C/network-auth.xml:1596(para)
13100
"To add a user to a group use <application>smbldap-groupmod</application>:"
13103
#: serverguide/C/network-auth.xml:1600(command)
13104
msgid "sudo smbldap-groupmod -m username groupname"
13107
#: serverguide/C/network-auth.xml:1602(para)
13109
"Be sure to replace <emphasis>username</emphasis> with a real user. Also, the "
13110
"<emphasis>-m</emphasis> option can add more than one user at a time by "
13111
"listing them in <emphasis>comma separated</emphasis> format."
13114
#: serverguide/C/network-auth.xml:1608(para)
13116
"<application>smbldap-groupmod</application> can also be used to remove a "
13117
"user from a group:"
13120
#: serverguide/C/network-auth.xml:1612(command)
13121
msgid "sudo smbldap-groupmod -x username groupname"
13124
#: serverguide/C/network-auth.xml:1616(para)
13126
"Additionally, the <application>smbldap-useradd</application> utility can add "
13127
"Samba machine accounts:"
13130
#: serverguide/C/network-auth.xml:1620(command)
13131
msgid "sudo smbldap-useradd -t 0 -w username"
13134
#: serverguide/C/network-auth.xml:1622(para)
13136
"Replace <emphasis>username</emphasis> with the name of the workstation. The "
13137
"<emphasis>-t 0</emphasis> option creates the machine account without a "
13138
"delay, while the <emphasis>-w</emphasis> option specifies the user as a "
13139
"machine account. Also, note the <emphasis>add machine script</emphasis> "
13140
"option in <filename>/etc/samba/smb.conf</filename> was changed to use "
13141
"<application>smbldap-useradd</application>."
13144
#: serverguide/C/network-auth.xml:1631(para)
13146
"There are more useful utilities and options in the <application>smbldap-"
13147
"tools</application> package. The man page for each utility provides more "
13151
#: serverguide/C/network-auth.xml:1642(para)
13153
"There are multiple places where LDAP and Samba is documented in the <ulink "
13154
"url=\"http://samba.org/samba/docs/man/Samba-HOWTO-Collection/\">Samba HOWTO "
13155
"Collection</ulink>."
13158
#: serverguide/C/network-auth.xml:1648(para)
13160
"Specifically see the <ulink url=\"http://samba.org/samba/docs/man/Samba-"
13161
"HOWTO-Collection/passdb.html\">passdb section</ulink>."
13164
#: serverguide/C/network-auth.xml:1654(para)
13166
"Another good site is <ulink url=\"http://www.iallanis.info/smbldap-"
13167
"tools/docs/samba-ldap-howto/\">Samba OpenLDAP HOWTO</ulink>."
13170
#: serverguide/C/network-auth.xml:1660(para)
13172
"Again, for more information on <application>smbldap-tools</application> see "
13173
"the man pages: <command>man smbldap-useradd</command>, <command>man smbldap-"
13174
"groupadd</command>, <command>man smbldap-populate</command>, etc."
13177
#: serverguide/C/network-auth.xml:1670(title)
13181
#: serverguide/C/network-auth.xml:1672(para)
13183
"<application>Kerberos</application> is a network authentication system based "
13184
"on the principal of a trusted third party. The other two parties being the "
13185
"user and the service the user wishes to authenticate to. Not all services "
13186
"and applications can use Kerberos, but for those that can, it brings the "
13187
"network environment one step closer to being Single Sign On (SSO)."
13190
#: serverguide/C/network-auth.xml:1678(para)
13192
"This section covers installation and configuration of a Kerberos server, and "
13193
"some example client configurations."
13196
#: serverguide/C/network-auth.xml:1685(para)
13198
"If you are new to Kerberos there are a few terms that are good to understand "
13199
"before setting up a Kerberos server. Most of the terms will relate to things "
13200
"you may be familiar with in other environments:"
13203
#: serverguide/C/network-auth.xml:1692(para)
13205
"<emphasis>Principal:</emphasis> any users, computers, and services provided "
13206
"by servers need to be defined as Kerberos Principals."
13209
#: serverguide/C/network-auth.xml:1697(para)
13211
"<emphasis>Instances:</emphasis> are used for service principals and special "
13212
"administrative principals."
13215
#: serverguide/C/network-auth.xml:1702(para)
13217
"<emphasis>Realms:</emphasis> the unique realm of control provided by the "
13218
"Kerberos installation. Usually the DNS domain converted to uppercase "
13222
#: serverguide/C/network-auth.xml:1708(para)
13224
"<emphasis>Key Distribution Center:</emphasis> (KDC) consist of three parts, "
13225
"a database of all principals, the authentication server, and the ticket "
13226
"granting server. For each realm there must be at least one KDC."
13229
#: serverguide/C/network-auth.xml:1714(para)
13231
"<emphasis>Ticket Granting Ticket:</emphasis> issued by the Authentication "
13232
"Server (AS), the Ticket Granting Ticket (TGT) is encrypted in the user's "
13233
"password which is known only to the user and the KDC."
13236
#: serverguide/C/network-auth.xml:1720(para)
13238
"<emphasis>Ticket Granting Server:</emphasis> (TGS) issues service tickets to "
13239
"clients upon request."
13242
#: serverguide/C/network-auth.xml:1725(para)
13244
"<emphasis>Tickets:</emphasis> confirm the identity of the two principals. "
13245
"One principal being a user and the other a service requested by the user. "
13246
"Tickets establish an encryption key used for secure communication during the "
13247
"authenticated session."
13250
#: serverguide/C/network-auth.xml:1731(para)
13252
"<emphasis>Keytab Files:</emphasis> are files extracted from the KDC "
13253
"principal database and contain the encryption key for a service or host."
13256
#: serverguide/C/network-auth.xml:1738(para)
13258
"To put the pieces together, a Realm has at least one KDC, preferably two for "
13259
"redundancy, which contains a database of Principals. When a user principal "
13260
"logs into a workstation, configured for Kerberos authentication, the KDC "
13261
"issues a Ticket Granting Ticket (TGT). If the user supplied credentials "
13262
"match, the user is authenticated and can then request tickets for Kerberized "
13263
"services from the Ticket Granting Server (TGS). The service tickets allow "
13264
"the user to authenticate to the service without entering another username "
13268
#: serverguide/C/network-auth.xml:1747(title)
13269
msgid "Kerberos Server"
13272
#: serverguide/C/network-auth.xml:1751(para)
13274
"Before installing the Kerberos server a properly configured DNS server is "
13275
"needed for your domain. Since the Kerberos Realm by convention matches the "
13276
"domain name, this section uses the <emphasis>example.com</emphasis> domain "
13277
"configured in <xref linkend=\"dns-primarymaster-configuration\"/>."
13280
#: serverguide/C/network-auth.xml:1757(para)
13282
"Also, Kerberos is a time sensitive protocol. So if the local system time "
13283
"between a client machine and the server differs by more than five minutes "
13284
"(by default), the workstation will not be able to authenticate. To correct "
13285
"the problem all hosts should have their time synchronized using the "
13286
"<emphasis>Network Time Protocol (NTP)</emphasis>. For details on setting up "
13287
"NTP see <xref linkend=\"NTP\"/>."
13290
#: serverguide/C/network-auth.xml:1764(para)
13292
"The first step in installing a Kerberos Realm is to install the "
13293
"<application>krb5-kdc</application> and <application>krb5-admin-"
13294
"server</application> packages. From a terminal enter:"
13297
#: serverguide/C/network-auth.xml:1770(command) serverguide/C/network-auth.xml:1945(command)
13298
msgid "sudo apt-get install krb5-kdc krb5-admin-server"
13301
#: serverguide/C/network-auth.xml:1773(para)
13303
"You will be asked at the end of the install to supply a name for the "
13304
"Kerberos and Admin servers, which may or may not be the same server, for the "
13308
#: serverguide/C/network-auth.xml:1778(para)
13310
"Next, create the new realm with the <application>kdb5_newrealm</application> "
13314
#: serverguide/C/network-auth.xml:1783(command)
13315
msgid "sudo krb5_newrealm"
13318
#: serverguide/C/network-auth.xml:1790(para)
13320
"The questions asked during installation are used to configure the "
13321
"<filename>/etc/krb5.conf</filename> file. If you need to adjust the Key "
13322
"Distribution Center (KDC) settings simply edit the file and restart the "
13323
"<application>krb5-kdc</application> daemon."
13326
#: serverguide/C/network-auth.xml:1798(para)
13328
"Now that the KDC running an admin user is needed. It is recommended to use a "
13329
"different username from your everyday username. Using the "
13330
"<application>kadmin.local</application> utility in a terminal prompt enter:"
13333
#: serverguide/C/network-auth.xml:1804(command) serverguide/C/network-auth.xml:2595(command)
13334
msgid "sudo kadmin.local"
13337
#: serverguide/C/network-auth.xml:1805(computeroutput)
13340
"Authenticating as principal root/admin@EXAMPLE.COM with password.\n"
13344
#: serverguide/C/network-auth.xml:1806(userinput)
13346
msgid " addprinc steve/admin"
13349
#: serverguide/C/network-auth.xml:1807(computeroutput)
13352
"WARNING: no policy specified for steve/admin@EXAMPLE.COM; defaulting to no "
13354
"Enter password for principal \"steve/admin@EXAMPLE.COM\": \n"
13355
"Re-enter password for principal \"steve/admin@EXAMPLE.COM\": \n"
13356
"Principal \"steve/admin@EXAMPLE.COM\" created.\n"
13360
#: serverguide/C/network-auth.xml:1811(userinput)
13365
#: serverguide/C/network-auth.xml:1814(para)
13367
"In the above example <emphasis role=\"italic\">steve</emphasis> is the "
13368
"<emphasis>Principal</emphasis>, <emphasis role=\"italic\">/admin</emphasis> "
13369
"is an <emphasis>Instance</emphasis>, and <emphasis "
13370
"role=\"italic\">@EXAMPLE.COM</emphasis> signifies the realm. The <emphasis "
13371
"role=\"italic\">\"every day\"</emphasis> Principal would be "
13372
"<emphasis>steve@EXAMPLE.COM</emphasis>, and should have only normal user "
13376
#: serverguide/C/network-auth.xml:1822(para)
13378
"Replace <emphasis>EXAMPLE.COM</emphasis> and <emphasis>steve</emphasis> with "
13379
"your Realm and admin username."
13382
#: serverguide/C/network-auth.xml:1830(para)
13384
"Next, the new admin user needs to have the appropriate Access Control List "
13385
"(ACL) permissions. The permissions are configured in the "
13386
"<filename>/etc/krb5kdc/kadm5.acl</filename> file:"
13389
#: serverguide/C/network-auth.xml:1835(programlisting)
13393
"steve/admin@EXAMPLE.COM *\n"
13396
#: serverguide/C/network-auth.xml:1839(para)
13398
"This entry grants <emphasis>steve/admin</emphasis> the ability to perform "
13399
"any operation on all principals in the realm."
13402
#: serverguide/C/network-auth.xml:1846(para)
13404
"Now restart the <application>krb5-admin-server</application> for the new ACL "
13408
#: serverguide/C/network-auth.xml:1851(command)
13409
msgid "sudo /etc/init.d/krb5-admin-server restart"
13412
#: serverguide/C/network-auth.xml:1857(para)
13414
"The new user principal can be tested using the <application>kinit "
13415
"utility</application>:"
13418
#: serverguide/C/network-auth.xml:1862(command)
13419
msgid "kinit steve/admin"
13422
#: serverguide/C/network-auth.xml:1863(computeroutput)
13424
msgid "steve/admin@EXAMPLE.COM's Password:"
13427
#: serverguide/C/network-auth.xml:1866(para)
13429
"After entering the password, use the <application>klist</application> "
13430
"utility to view information about the Ticket Granting Ticket (TGT):"
13433
#: serverguide/C/network-auth.xml:1872(command) serverguide/C/network-auth.xml:2207(command)
13437
#: serverguide/C/network-auth.xml:1873(computeroutput)
13440
"Credentials cache: FILE:/tmp/krb5cc_1000\n"
13441
" Principal: steve/admin@EXAMPLE.COM\n"
13443
" Issued Expires Principal\n"
13444
"Jul 13 17:53:34 Jul 14 03:53:34 krbtgt/EXAMPLE.COM@EXAMPLE.COM"
13447
#: serverguide/C/network-auth.xml:1880(para)
13449
"You may need to add an entry into the <filename>/etc/hosts</filename> for "
13450
"the KDC. For example:"
13453
#: serverguide/C/network-auth.xml:1884(programlisting)
13457
"192.168.0.1 kdc01.example.com kdc01\n"
13460
#: serverguide/C/network-auth.xml:1888(para)
13462
"Replacing <emphasis>192.168.0.1</emphasis> with the IP address of your KDC."
13465
#: serverguide/C/network-auth.xml:1895(para)
13467
"In order for clients to determine the KDC for the Realm some DNS SRV records "
13468
"are needed. Add the following to "
13469
"<filename>/etc/named/db.example.com</filename>:"
13472
#: serverguide/C/network-auth.xml:1900(programlisting)
13476
"_kerberos._udp.EXAMPLE.COM. IN SRV 1 0 88 kdc01.example.com.\n"
13477
"_kerberos._tcp.EXAMPLE.COM. IN SRV 1 0 88 kdc01.example.com.\n"
13478
"_kerberos._udp.EXAMPLE.COM. IN SRV 10 0 88 kdc02.example.com. \n"
13479
"_kerberos._tcp.EXAMPLE.COM. IN SRV 10 0 88 kdc02.example.com. \n"
13480
"_kerberos-adm._tcp.EXAMPLE.COM. IN SRV 1 0 749 kdc01.example.com.\n"
13481
"_kpasswd._udp.EXAMPLE.COM. IN SRV 1 0 464 kdc01.example.com.\n"
13484
#: serverguide/C/network-auth.xml:1910(para)
13486
"Replace <emphasis>EXAMPLE.COM</emphasis>, <emphasis>kdc01</emphasis>, and "
13487
"<emphasis>kdc02</emphasis> with your domain name, primary KDC, and secondary "
13491
#: serverguide/C/network-auth.xml:1916(para)
13493
"See <xref linkend=\"dns\"/> for detailed instructions on setting up DNS."
13496
#: serverguide/C/network-auth.xml:1923(para)
13497
msgid "Your new Kerberos Realm is now ready to authenticate clients."
13500
#: serverguide/C/network-auth.xml:1930(title)
13501
msgid "Secondary KDC"
13504
#: serverguide/C/network-auth.xml:1932(para)
13506
"Once you have one Key Distribution Center (KDC) on your network, it is good "
13507
"practice to have a Secondary KDC in case the primary becomes unavailable."
13510
#: serverguide/C/network-auth.xml:1940(para)
13512
"First, install the packages, and when asked for the Kerberos and Admin "
13513
"server names enter the name of the Primary KDC:"
13516
#: serverguide/C/network-auth.xml:1951(para)
13518
"Once you have the packages installed, create the Secondary KDC's host "
13519
"principal. From a terminal prompt, enter:"
13522
#: serverguide/C/network-auth.xml:1956(command)
13523
msgid "kadmin -q \"addprinc -randkey host/kdc02.example.com\""
13526
#: serverguide/C/network-auth.xml:1960(para)
13528
"After, issuing any <application>kadmin</application> commands you will be "
13529
"prompted for your <emphasis>username/admin@EXAMPLE.COM</emphasis> principal "
13533
#: serverguide/C/network-auth.xml:1969(para)
13534
msgid "Extract the <emphasis>keytab</emphasis> file:"
13537
#: serverguide/C/network-auth.xml:1974(command)
13538
msgid "kadmin -q \"ktadd -k keytab.kdc02 host/kdc02.example.com\""
13541
#: serverguide/C/network-auth.xml:1980(para)
13543
"There should now be a <filename>keytab.kdc02</filename> in the current "
13544
"directory, move the file to <filename>/etc/krb5.keytab</filename>:"
13547
#: serverguide/C/network-auth.xml:1986(command)
13548
msgid "sudo mv keytab.kdc02 /etc/krb5.keytab"
13551
#: serverguide/C/network-auth.xml:1990(para)
13553
"If the path to the <filename>keytab.kdc02</filename> file is different "
13554
"adjust accordingly."
13557
#: serverguide/C/network-auth.xml:1995(para)
13559
"Also, you can list the principals in a Keytab file, which can be useful when "
13560
"troubleshooting, using the <application>klist</application> utility:"
13563
#: serverguide/C/network-auth.xml:2001(command)
13564
msgid "sudo klist -k /etc/krb5.keytab"
13567
#: serverguide/C/network-auth.xml:2007(para)
13569
"Next, there needs to be a <filename>kpropd.acl</filename> file on each KDC "
13570
"that lists all KDCs for the Realm. For example, on both primary and "
13571
"secondary KDC, create <filename>/etc/krb5kdc/kpropd.acl</filename>:"
13574
#: serverguide/C/network-auth.xml:2012(programlisting)
13578
"host/kdc01.example.com@EXAMPLE.COM\n"
13579
"host/kdc02.example.com@EXAMPLE.COM\n"
13582
#: serverguide/C/network-auth.xml:2020(para)
13583
msgid "Create an empty database on the <emphasis>Secondary KDC</emphasis>:"
13586
#: serverguide/C/network-auth.xml:2025(command)
13587
msgid "sudo kdb5_util -s create"
13590
#: serverguide/C/network-auth.xml:2031(para)
13592
"Now start the <application>kpropd</application> daemon, which listens for "
13593
"connections from the <application>kprop</application> utility. "
13594
"<application>kprop</application> is used to transfer dump files:"
13597
#: serverguide/C/network-auth.xml:2038(command)
13598
msgid "sudo kpropd -S"
13601
#: serverguide/C/network-auth.xml:2044(para)
13603
"From a terminal on the <emphasis>Primary KDC</emphasis>, create a dump file "
13604
"of the principal database:"
13607
#: serverguide/C/network-auth.xml:2049(command)
13608
msgid "sudo kdb5_util dump /var/lib/krb5kdc/dump"
13611
#: serverguide/C/network-auth.xml:2055(para)
13613
"Extract the Primary KDC's <emphasis>keytab</emphasis> file and copy it to "
13614
"<filename>/etc/krb5.keytab</filename>:"
13617
#: serverguide/C/network-auth.xml:2060(command)
13618
msgid "kadmin -q \"ktadd -k keytab.kdc01 host/kdc01.example.com\""
13621
#: serverguide/C/network-auth.xml:2061(command)
13622
msgid "sudo mv keytab.kdc01 /etc/kr5b.keytab"
13625
#: serverguide/C/network-auth.xml:2065(para)
13627
"Make sure there is a <emphasis>host</emphasis> for "
13628
"<emphasis>kdc01.example.com</emphasis> before extracting the Keytab."
13631
#: serverguide/C/network-auth.xml:2073(para)
13633
"Using the <application>kprop</application> utility push the database to the "
13637
#: serverguide/C/network-auth.xml:2078(command)
13638
msgid "sudo kprop -r EXAMPLE.COM -f /var/lib/krb5kdc/dump kdc02.example.com"
13641
#: serverguide/C/network-auth.xml:2082(para)
13643
"There should be a <emphasis>SUCCEEDED</emphasis> message if the propagation "
13644
"worked. If there is an error message check "
13645
"<filename>/var/log/syslog</filename> on the secondary KDC for more "
13649
#: serverguide/C/network-auth.xml:2088(para)
13651
"You may also want to create a <application>cron</application> job to "
13652
"periodically update the database on the Secondary KDC. For example, the "
13653
"following will push the database every hour:"
13656
#: serverguide/C/network-auth.xml:2093(programlisting)
13660
"# m h dom mon dow command\n"
13661
"0 * * * * /usr/sbin/kdb5_util dump /var/lib/krb5kdc/dump && "
13662
"/usr/sbin/kprop -r EXAMPLE.COM -f /var/lib/krb5kdc/dump kdc02.example.com\n"
13665
#: serverguide/C/network-auth.xml:2101(para)
13667
"Back on the <emphasis>Secondary KDC</emphasis>, create a "
13668
"<emphasis>stash</emphasis> file to hold the Kerberos master key:"
13671
#: serverguide/C/network-auth.xml:2107(command)
13672
msgid "sudo kdb5_util stash"
13675
#: serverguide/C/network-auth.xml:2113(para)
13677
"Finally, start the <application>krb5-kdc</application> daemon on the "
13681
#: serverguide/C/network-auth.xml:2118(command) serverguide/C/network-auth.xml:2725(command)
13682
msgid "sudo /etc/init.d/krb5-kdc start"
13685
#: serverguide/C/network-auth.xml:2124(para)
13687
"The <emphasis>Secondary KDC</emphasis> should now be able to issue tickets "
13688
"for the Realm. You can test this by stopping the <application>krb5-"
13689
"kdc</application> daemon on the Primary KDC, then use "
13690
"<application>kinit</application> to request a ticket. If all goes well you "
13691
"should receive a ticket from the Secondary KDC."
13694
#: serverguide/C/network-auth.xml:2132(title)
13695
msgid "Kerberos Linux Client"
13698
#: serverguide/C/network-auth.xml:2134(para)
13700
"This section covers configuring a Linux system as a "
13701
"<application>Kerberos</application> client. This will allow access to any "
13702
"kerberized services once a user has successfully logged into the system."
13705
#: serverguide/C/network-auth.xml:2142(para)
13707
"In order to authenticate to a Kerberos Realm, the <application>krb5-"
13708
"user</application> and <application>libpam-krb5</application> packages are "
13709
"needed, along with a few others that are not strictly necessary but make "
13710
"life easier. To install the packages enter the following in a terminal "
13714
#: serverguide/C/network-auth.xml:2149(command)
13716
"sudo apt-get install krb5-user libpam-krb5 libpam-ccreds auth-client-config"
13719
#: serverguide/C/network-auth.xml:2152(para)
13721
"The <application>auth-client-config</application> package allows simple "
13722
"configuration of PAM for authentication from multiple sources, and the "
13723
"<application>libpam-ccreds</application> will cache authentication "
13724
"credentials allowing you to login in case the Key Distribution Center (KDC) "
13725
"is unavailable. This package is also useful for laptops that may "
13726
"authenticate using Kerberos while on the corporate network, but will need to "
13727
"be accessed off the network as well."
13730
#: serverguide/C/network-auth.xml:2163(para)
13731
msgid "To configure the client in a terminal enter:"
13734
#: serverguide/C/network-auth.xml:2168(command)
13735
msgid "sudo dpkg-reconfigure krb5-config"
13738
#: serverguide/C/network-auth.xml:2171(para)
13740
"You will then be prompted to enter the name of the Kerberos Realm. Also, if "
13741
"you don't have DNS configured with Kerberos <emphasis>SRV</emphasis> "
13742
"records, the menu will prompt you for the hostname of the Key Distribution "
13743
"Center (KDC) and Realm Administration server."
13746
#: serverguide/C/network-auth.xml:2177(para)
13748
"The <application>dpkg-reconfigure</application> adds entries to the "
13749
"<filename>/etc/krb5.conf</filename> file for your Realm. You should have "
13750
"entries similar to the following:"
13753
#: serverguide/C/network-auth.xml:2182(programlisting)
13758
" default_realm = EXAMPLE.COM\n"
13761
" EXAMPLE.COM = } \n"
13762
" kdc = 192.168.0.1 \n"
13763
" admin_server = 192.168.0.1\n"
13767
#: serverguide/C/network-auth.xml:2193(para)
13769
"You can test the configuration by requesting a ticket using the "
13770
"<application>kinit</application> utility. For example:"
13773
#: serverguide/C/network-auth.xml:2198(command)
13774
msgid "kinit steve@EXAMPLE.COM"
13777
#: serverguide/C/network-auth.xml:2199(computeroutput)
13779
msgid "Password for steve@EXAMPLE.COM:"
13782
#: serverguide/C/network-auth.xml:2202(para)
13784
"When a ticket has been granted, the details can be viewed using "
13785
"<application>klist</application>:"
13788
#: serverguide/C/network-auth.xml:2208(computeroutput)
13791
"Ticket cache: FILE:/tmp/krb5cc_1000\n"
13792
"Default principal: steve@EXAMPLE.COM\n"
13794
"Valid starting Expires Service principal\n"
13795
"07/24/08 05:18:56 07/24/08 15:18:56 krbtgt/EXAMPLE.COM@EXAMPLE.COM\n"
13796
" renew until 07/25/08 05:18:57\n"
13799
"Kerberos 4 ticket cache: /tmp/tkt1000\n"
13800
"klist: You have no tickets cached"
13803
#: serverguide/C/network-auth.xml:2220(para)
13805
"Next, use the <application>auth-client-config</application> to configure the "
13806
"<application>libpam-krb5</application> module to request a ticket during "
13810
#: serverguide/C/network-auth.xml:2226(command)
13811
msgid "sudo auth-client-config -a -p kerberos_example"
13814
#: serverguide/C/network-auth.xml:2229(para)
13816
"You will should now receive a ticket upon successful login authentication."
13819
#: serverguide/C/network-auth.xml:2240(para)
13821
"For more information on Kerberos see the <ulink "
13822
"url=\"http://web.mit.edu/Kerberos/\">MIT Kerberos</ulink> site."
13825
#: serverguide/C/network-auth.xml:2245(para)
13827
"O'Reilly's <ulink "
13828
"url=\"http://oreilly.com/catalog/9780596004033/\">Kerberos: The Definitive "
13829
"Guide</ulink> is a great reference when setting up Kerberos."
13832
#: serverguide/C/network-auth.xml:2251(para)
13834
"Also, feel free to stop by the <emphasis>#ubuntu-server</emphasis> IRC "
13835
"channel on <ulink url=\"http://freenode.net/\">Freenode</ulink> if you have "
13836
"Kerberos questions."
13839
#: serverguide/C/network-auth.xml:2261(title)
13840
msgid "Kerberos and LDAP"
13843
#: serverguide/C/network-auth.xml:2263(para)
13845
"Replicating a Kerberos principal database between two servers can be "
13846
"complicated, and adds an additional user database to your network. "
13847
"Fortunately, MIT Kerberos can be configured to use an "
13848
"<application>LDAP</application> directory as a principal database. This "
13849
"section covers configuring a primary and secondary kerberos server to use "
13850
"<application>OpenLDAP</application> for the principal database."
13853
#: serverguide/C/network-auth.xml:2271(title)
13854
msgid "Configuring OpenLDAP"
13857
#: serverguide/C/network-auth.xml:2273(para)
13859
"First, the necessary <emphasis>schema</emphasis> needs to be loaded on an "
13860
"<application>OpenLDAP</application> server that has network connectivity to "
13861
"the Primary and Secondary KDCs. The rest of this section assumes that you "
13862
"also have LDAP replication configured between at least two servers. For "
13863
"information on setting up OpenLDAP see <xref linkend=\"openldap-server\"/>."
13866
#: serverguide/C/network-auth.xml:2280(para)
13868
"It is also required to configure OpenLDAP for TLS and SSL connections, so "
13869
"that traffic between the KDC and LDAP server is encrypted. See <xref "
13870
"linkend=\"openldap-tls\"/> for details."
13873
#: serverguide/C/network-auth.xml:2287(para)
13875
"To load the schema into LDAP, on the LDAP server install the "
13876
"<application>krb5-kdc-ldap</application> package. From a terminal enter:"
13879
#: serverguide/C/network-auth.xml:2293(command)
13880
msgid "sudo apt-get install krb5-kdc-ldap"
13883
#: serverguide/C/network-auth.xml:2298(para)
13884
msgid "Next, extract the <filename>kerberos.schema.gz</filename> file:"
13887
#: serverguide/C/network-auth.xml:2303(command)
13888
msgid "sudo gzip -d /usr/share/doc/krb5-kdc-ldap/kerberos.schema.gz"
13891
#: serverguide/C/network-auth.xml:2304(command)
13893
"sudo cp /usr/share/doc/krb5-kdc-ldap/kerberos.schema /etc/ldap/schema/"
13896
#: serverguide/C/network-auth.xml:2310(para)
13898
"The <emphasis>kerberos</emphasis> schema needs to be added to the "
13899
"<emphasis>cn=config</emphasis> tree. The procedure to add a new schema to "
13900
"<application>slapd</application> is also detailed in <xref "
13901
"linkend=\"openldap-configuration\"/>."
13904
#: serverguide/C/network-auth.xml:2323(programlisting)
13908
"include /etc/ldap/schema/core.schema\n"
13909
"include /etc/ldap/schema/collective.schema\n"
13910
"include /etc/ldap/schema/corba.schema\n"
13911
"include /etc/ldap/schema/cosine.schema\n"
13912
"include /etc/ldap/schema/duaconf.schema\n"
13913
"include /etc/ldap/schema/dyngroup.schema\n"
13914
"include /etc/ldap/schema/inetorgperson.schema\n"
13915
"include /etc/ldap/schema/java.schema\n"
13916
"include /etc/ldap/schema/misc.schema\n"
13917
"include /etc/ldap/schema/nis.schema\n"
13918
"include /etc/ldap/schema/openldap.schema\n"
13919
"include /etc/ldap/schema/ppolicy.schema\n"
13920
"include /etc/ldap/schema/kerberos.schema\n"
13923
#: serverguide/C/network-auth.xml:2343(para)
13924
msgid "Create a temporary directory to hold the LDIF files:"
13927
#: serverguide/C/network-auth.xml:2358(command)
13929
"slapcat -f schema_convert.conf -F /tmp/ldif_output -n0 -s "
13930
"\"cn={12}kerberos,cn=schema,cn=config\" > /tmp/cn=kerberos.ldif"
13933
#: serverguide/C/network-auth.xml:2368(para)
13935
"Edit the generated <filename>/tmp/cn\\=kerberos.ldif</filename> file, "
13936
"changing the following attributes:"
13939
#: serverguide/C/network-auth.xml:2372(programlisting)
13943
"dn: cn=kerberos,cn=schema,cn=config\n"
13948
#: serverguide/C/network-auth.xml:2378(para)
13949
msgid "And remove the following lines from the end of the file:"
13952
#: serverguide/C/network-auth.xml:2382(programlisting)
13956
"structuralObjectClass: olcSchemaConfig\n"
13957
"entryUUID: 18ccd010-746b-102d-9fbe-3760cca765dc\n"
13958
"creatorsName: cn=config\n"
13959
"createTimestamp: 20090111203515Z\n"
13960
"entryCSN: 20090111203515.326445Z#000000#000#000000\n"
13961
"modifiersName: cn=config\n"
13962
"modifyTimestamp: 20090111203515Z\n"
13965
#: serverguide/C/network-auth.xml:2401(para)
13966
msgid "Load the new schema with <application>ldapadd</application>:"
13969
#: serverguide/C/network-auth.xml:2406(command)
13970
msgid "ldapadd -x -D cn=admin,cn=config -W -f /tmp/cn\\=kerberos.ldif"
13973
#: serverguide/C/network-auth.xml:2412(para)
13975
"Add an index for the <emphasis>krb5principalname</emphasis> attribute:"
13978
#: serverguide/C/network-auth.xml:2419(userinput)
13981
"dn: olcDatabase={1}hdb,cn=config\n"
13982
"add: olcDbIndex\n"
13983
"olcDbIndex: krbPrincipalName eq,pres,sub"
13986
#: serverguide/C/network-auth.xml:2429(para)
13987
msgid "Finally, update the Access Control Lists (ACL):"
13990
#: serverguide/C/network-auth.xml:2436(userinput)
13993
"dn: olcDatabase={1}hdb,cn=config\n"
13994
"replace: olcAccess\n"
13995
"olcAccess: to attrs=userPassword,shadowLastChange,krbPrincipalKey by "
13996
"dn=\"cn=admin,dc=exampl\n"
13997
" e,dc=com\" write by anonymous auth by self write by * none\n"
14000
"olcAccess: to dn.base=\"\" by * read\n"
14003
"olcAccess: to * by dn=\"cn=admin,dc=example,dc=com\" write by * read"
14006
#: serverguide/C/network-auth.xml:2435(computeroutput)
14009
"Enter LDAP Password: \n"
14010
"<placeholder-1/>\n"
14012
"modifying entry \"olcDatabase={1}hdb,cn=config\"\n"
14015
#: serverguide/C/network-auth.xml:2456(para)
14017
"That's it, your LDAP directory is now ready to serve as a Kerberos principal "
14021
#: serverguide/C/network-auth.xml:2462(title)
14022
msgid "Primary KDC Configuration"
14025
#: serverguide/C/network-auth.xml:2464(para)
14027
"With <application>OpenLDAP</application> configured it is time to configure "
14031
#: serverguide/C/network-auth.xml:2470(para)
14032
msgid "First, install the necessary packages, from a terminal enter:"
14035
#: serverguide/C/network-auth.xml:2475(command) serverguide/C/network-auth.xml:2632(command)
14036
msgid "sudo apt-get install krb5-kdc krb5-admin-server krb5-kdc-ldap"
14039
#: serverguide/C/network-auth.xml:2481(para)
14041
"Now edit <filename>/etc/krb5.conf</filename> adding the following options to "
14042
"under the appropriate sections:"
14045
#: serverguide/C/network-auth.xml:2485(programlisting)
14050
" default_realm = EXAMPLE.COM\n"
14055
" EXAMPLE.COM = {\n"
14056
" kdc = kdc01.example.com\n"
14057
" kdc = kdc02.example.com\n"
14058
" admin_server = kdc01.example.com\n"
14059
" admin_server = kdc02.example.com\n"
14060
" default_domain = example.com\n"
14061
" database_module = openldap_ldapconf\n"
14067
" .example.com = EXAMPLE.COM\n"
14073
" ldap_kerberos_container_dn = dc=example,dc=com\n"
14076
" openldap_ldapconf = {\n"
14077
" db_library = kldap\n"
14078
" ldap_kdc_dn = \"cn=admin,dc=example,dc=com\"\n"
14080
" # this object needs to have read rights on\n"
14081
" # the realm container, principal container and realm sub-"
14083
" ldap_kadmind_dn = \"cn=admin,dc=example,dc=com\"\n"
14085
" # this object needs to have read and write rights on\n"
14086
" # the realm container, principal container and realm sub-"
14088
" ldap_service_password_file = /etc/krb5kdc/service.keyfile\n"
14089
" ldap_servers = ldaps://ldap01.example.com "
14090
"ldaps://ldap02.example.com\n"
14091
" ldap_conns_per_server = 5\n"
14095
#: serverguide/C/network-auth.xml:2530(para)
14097
"Change <emphasis>example.com</emphasis>, "
14098
"<emphasis>dc=example,dc=com</emphasis>, "
14099
"<emphasis>cn=admin,dc=example,dc=com</emphasis>, and "
14100
"<emphasis>ldap01.example.com</emphasis> to the appropriate domain, LDAP "
14101
"object, and LDAP server for your network."
14104
#: serverguide/C/network-auth.xml:2539(para)
14106
"Next, use the <application>kdb5_ldap_util</application> utility to create "
14110
#: serverguide/C/network-auth.xml:2544(command)
14112
"sudo kdb5_ldap_util -D cn=admin,dc=example,dc=com create -subtrees "
14113
"dc=example,dc=com -r EXAMPLE.COM -s -H ldap://ldap01.example.com"
14116
#: serverguide/C/network-auth.xml:2550(para)
14118
"Create a stash of the password used to bind to the LDAP server. This "
14119
"password is used by the <emphasis>ldap_kdc_dn</emphasis> and "
14120
"<emphasis>ldap_kadmin_dn</emphasis> options in "
14121
"<filename>/etc/krb5.conf</filename>:"
14124
#: serverguide/C/network-auth.xml:2556(command) serverguide/C/network-auth.xml:2694(command)
14126
"sudo kdb5_ldap_util -D cn=admin,dc=example,dc=com stashsrvpw -f "
14127
"/etc/krb5kdc/service.keyfile cn=admin,dc=example,dc=com"
14130
#: serverguide/C/network-auth.xml:2562(para)
14131
msgid "Copy the CA certificate from the LDAP server:"
14134
#: serverguide/C/network-auth.xml:2567(command)
14135
msgid "scp ldap01:/etc/ssl/certs/cacert.pem ."
14138
#: serverguide/C/network-auth.xml:2568(command)
14139
msgid "sudo cp cacert.pem /etc/ssl/certs"
14142
#: serverguide/C/network-auth.xml:2571(para)
14144
"And edit <filename>/etc/ldap/ldap.conf</filename> to use the certificate:"
14147
#: serverguide/C/network-auth.xml:2575(programlisting)
14151
"TLS_CACERT /etc/ssl/certs/cacert.pem\n"
14154
#: serverguide/C/network-auth.xml:2580(para)
14156
"The certificate will also need to be copied to the Secondary KDC, to allow "
14157
"the connection to the LDAP servers using LDAPS."
14160
#: serverguide/C/network-auth.xml:2589(para)
14162
"You can now add Kerberos principals to the LDAP database, and they will be "
14163
"copied to any other LDAP servers configured for replication. To add a "
14164
"principal using the <application>kadmin.local</application> utility enter:"
14167
#: serverguide/C/network-auth.xml:2597(userinput)
14169
msgid "addprinc -x dn=\"uid=steve,ou=people,dc=example,dc=com\" steve"
14172
#: serverguide/C/network-auth.xml:2596(computeroutput)
14175
"Authenticating as principal root/admin@EXAMPLE.COM with password.\n"
14176
"kadmin.local: <placeholder-1/>\n"
14177
"WARNING: no policy specified for steve@EXAMPLE.COM; defaulting to no policy\n"
14178
"Enter password for principal \"steve@EXAMPLE.COM\": \n"
14179
"Re-enter password for principal \"steve@EXAMPLE.COM\": \n"
14180
"Principal \"steve@EXAMPLE.COM\" created."
14183
#: serverguide/C/network-auth.xml:2604(para)
14185
"There should now be krbPrincipalName, krbPrincipalKey, krbLastPwdChange, and "
14186
"krbExtraData attributes added to the "
14187
"<emphasis>uid=steve,ou=people,dc=example,dc=com</emphasis> user object. Use "
14188
"the <application>kinit</application> and <application>klist</application> "
14189
"utilities to test that the user is indeed issued a ticket."
14192
#: serverguide/C/network-auth.xml:2611(para)
14194
"If the user object is already created the <emphasis>-x dn=\"...\"</emphasis> "
14195
"option is needed to add the Kerberos attributes. Otherwise a new "
14196
"<emphasis>principal</emphasis> object will be created in the realm subtree."
14199
#: serverguide/C/network-auth.xml:2619(title)
14200
msgid "Secondary KDC Configuration"
14203
#: serverguide/C/network-auth.xml:2621(para)
14205
"Configuring a Secondary KDC using the LDAP backend is similar to configuring "
14206
"one using the normal Kerberos database."
14209
#: serverguide/C/network-auth.xml:2627(para)
14210
msgid "First, install the necessary packages. In a terminal enter:"
14213
#: serverguide/C/network-auth.xml:2638(para)
14215
"Next, edit <filename>/etc/krb5.conf</filename> to use the LDAP backend:"
14218
#: serverguide/C/network-auth.xml:2642(programlisting)
14223
" default_realm = EXAMPLE.COM\n"
14228
" EXAMPLE.COM = {\n"
14229
" kdc = kdc01.example.com\n"
14230
" kdc = kdc02.example.com\n"
14231
" admin_server = kdc01.example.com\n"
14232
" admin_server = kdc02.example.com\n"
14233
" default_domain = example.com\n"
14234
" database_module = openldap_ldapconf\n"
14240
" .example.com = EXAMPLE.COM\n"
14245
" ldap_kerberos_container_dn = dc=example,dc=com\n"
14248
" openldap_ldapconf = {\n"
14249
" db_library = kldap\n"
14250
" ldap_kdc_dn = \"cn=admin,dc=example,dc=com\"\n"
14252
" # this object needs to have read rights on\n"
14253
" # the realm container, principal container and realm sub-"
14255
" ldap_kadmind_dn = \"cn=admin,dc=example,dc=com\"\n"
14257
" # this object needs to have read and write rights on\n"
14258
" # the realm container, principal container and realm sub-"
14260
" ldap_service_password_file = /etc/krb5kdc/service.keyfile\n"
14261
" ldap_servers = ldaps://ldap01.example.com "
14262
"ldaps://ldap02.example.com\n"
14263
" ldap_conns_per_server = 5\n"
14267
#: serverguide/C/network-auth.xml:2689(para)
14268
msgid "Create the stash for the LDAP bind password:"
14271
#: serverguide/C/network-auth.xml:2700(para)
14273
"Now, on the <emphasis>Primary KDC</emphasis> copy the "
14274
"<filename>/etc/krb5kdc/.k5.EXAMPLE.COM</filename><emphasis>Master "
14275
"Key</emphasis> stash to the Secondary KDC. Be sure to copy the file over an "
14276
"encrypted connection such as <application>scp</application>, or on physical "
14280
#: serverguide/C/network-auth.xml:2707(command)
14281
msgid "sudo scp /etc/krb5kdc/.k5.EXAMPLE.COM steve@kdc02.example.com:~"
14284
#: serverguide/C/network-auth.xml:2708(command)
14285
msgid "sudo mv .k5.EXAMPLE.COM /etc/krb5kdc/"
14288
#: serverguide/C/network-auth.xml:2712(para)
14290
"Again, replace <emphasis>EXAMPLE.COM</emphasis> with your actual realm."
14293
#: serverguide/C/network-auth.xml:2720(para)
14294
msgid "Finally, start the <application>krb5-kdc</application> daemon:"
14297
#: serverguide/C/network-auth.xml:2731(para)
14299
"You now have redundant KDCs on your network, and with redundant LDAP servers "
14300
"you should be able to continue to authenticate users if one LDAP server, one "
14301
"Kerberos server, or one LDAP and one Kerberos server become unavailable."
14304
#: serverguide/C/network-auth.xml:2743(para)
14306
"The <ulink url=\"http://web.mit.edu/Kerberos/krb5-1.6/krb5-1.6.3/doc/krb5-"
14307
"admin.html#Configuring-Kerberos-with-OpenLDAP-back_002dend\"> Kerberos Admin "
14308
"Guide</ulink> has some additional details."
14311
#: serverguide/C/network-auth.xml:2749(para)
14313
"For more information on <application>kdb5_ldap_util</application> see <ulink "
14314
"url=\"http://web.mit.edu/Kerberos/krb5-1.6/krb5-1.6.3/doc/krb5-"
14315
"admin.html#Global-Operations-on-the-Kerberos-LDAP-Database\"> Section "
14316
"5.6</ulink> and the <ulink "
14317
"url=\"http://manpages.ubuntu.com/manpages/jaunty/en/man8/kdb5_ldap_util.8.htm"
14318
"l\">kdb5_ldap_util man page</ulink>."
14321
#: serverguide/C/network-auth.xml:2757(para)
14323
"Another useful link is the <ulink "
14324
"url=\"http://manpages.ubuntu.com/manpages/jaunty/en/man5/krb5.conf.5.html\">k"
14325
"rb5.conf man page</ulink>."
14328
#: serverguide/C/monitoring.xml:13(title)
14332
#: serverguide/C/monitoring.xml:17(para)
14334
"The monitoring of essential servers and services is an important part of "
14335
"system administration. Most network services are monitored for performance, "
14336
"availability, or both. This section will cover installation and "
14337
"configuration of <application>Nagios</application> for availability "
14338
"monitoring, and <application>Munin</application> for performance monitoring."
14341
#: serverguide/C/monitoring.xml:24(para)
14343
"The examples in this section will use two servers with hostnames "
14344
"<emphasis>server01</emphasis> and <emphasis>server02</emphasis>. "
14345
"<emphasis>Server01</emphasis> will be configured with "
14346
"<application>Nagios</application> to monitor services on itself and "
14347
"<emphasis>server02</emphasis>. Server01 will also be setup with the "
14348
"<application>munin</application> package to gather information from the "
14349
"network. Using the <application>munin-node</application> package, "
14350
"<emphasis>server02</emphasis> will be configured to send information to "
14351
"<emphasis>server01</emphasis>."
14354
#: serverguide/C/monitoring.xml:33(para)
14356
"Hopefully these simple examples will allow you to monitor additional servers "
14357
"and services on your network."
14360
#: serverguide/C/monitoring.xml:39(title)
14364
#: serverguide/C/monitoring.xml:44(para)
14366
"First, on <emphasis>server01</emphasis> install the "
14367
"<application>nagios</application> package. In a terminal enter:"
14370
#: serverguide/C/monitoring.xml:50(command)
14371
msgid "sudo apt-get install nagios3 nagios-nrpe-plugin"
14374
#: serverguide/C/monitoring.xml:53(para)
14376
"You will be asked to enter a password for the "
14377
"<emphasis>nagiosadmin</emphasis> user. The user's credentials are stored in "
14378
"<filename>/etc/nagios3/htpasswd.users</filename>. To change the "
14379
"<emphasis>nagiosadmin</emphasis> password, or add additional users to the "
14380
"Nagios CGI scripts, use the <application>htpasswd</application> that is part "
14381
"of the <application>apache2-utils</application> package."
14384
#: serverguide/C/monitoring.xml:60(para)
14386
"For example, to change the password for the <emphasis>nagiosadmin</emphasis> "
14390
#: serverguide/C/monitoring.xml:65(command)
14391
msgid "sudo htpasswd /etc/nagios3/htpasswd.users nagiosadmin"
14394
#: serverguide/C/monitoring.xml:68(para)
14395
msgid "To add a user:"
14398
#: serverguide/C/monitoring.xml:73(command)
14399
msgid "sudo htpasswd /etc/nagios3/htpasswd.users steve"
14402
#: serverguide/C/monitoring.xml:76(para)
14404
"Next, on <emphasis>server02</emphasis> install the <application>nagios-nrpe-"
14405
"server</application> package. From a terminal on server02 enter:"
14408
#: serverguide/C/monitoring.xml:82(command)
14409
msgid "sudo apt-get install nagios-nrpe-server"
14412
#: serverguide/C/monitoring.xml:86(para)
14414
"<application>NRPE</application> allows you to execute local checks on remote "
14415
"hosts. There are other ways of accomplishing this through other Nagios "
14416
"plugins as well as other checks."
14419
#: serverguide/C/monitoring.xml:94(title)
14420
msgid "Configuration Overview"
14423
#: serverguide/C/monitoring.xml:96(para)
14425
"There are a couple of directories containing "
14426
"<application>Nagios</application> configuration and check files."
14429
#: serverguide/C/monitoring.xml:102(para)
14431
"<filename>/etc/nagios3</filename>: contains configuration files for the "
14432
"operation of the <application>nagios</application> daemon, CGI files, hosts, "
14436
#: serverguide/C/monitoring.xml:108(para)
14438
"<filename>/etc/nagios-plugins</filename>: houses configuration files for the "
14442
#: serverguide/C/monitoring.xml:113(para)
14444
"<filename>/etc/nagios</filename>: on the remote host contains the "
14445
"<application>nagios-nrpe-server</application> configuration files."
14448
#: serverguide/C/monitoring.xml:118(para)
14450
"<filename>/usr/lib/nagios/plugins/</filename>: where the check binaries are "
14451
"stored. To see the options of a check use the <emphasis>-h</emphasis> option."
14454
#: serverguide/C/monitoring.xml:123(para)
14455
msgid "For example: <command>/usr/lib/nagios/plugins/check_dhcp -h</command>"
14458
#: serverguide/C/monitoring.xml:129(para)
14460
"There are a plethora of checks <application>Nagios</application> can be "
14461
"configured to execute for any given host. For this example Nagios will be "
14462
"configured to check disk space, DNS, and a MySQL hostgroup. The DNS check "
14463
"will be on <emphasis>server02</emphasis>, and the MySQL hostgroup will "
14464
"include both <emphasis>server01</emphasis> and <emphasis>server02</emphasis>."
14467
#: serverguide/C/monitoring.xml:136(para)
14469
"See <xref linkend=\"httpd\"/> for details on setting up Apache, <xref "
14470
"linkend=\"dns\"/> for DNS, and <xref linkend=\"mysql\"/> for MySQL."
14473
#: serverguide/C/monitoring.xml:141(para)
14475
"Additionally, there are some terms that once explained will hopefully make "
14476
"understanding Nagios configuration easier:"
14479
#: serverguide/C/monitoring.xml:147(para)
14481
"<emphasis>Host</emphasis>: a server, workstation, network device, etc that "
14482
"is being monitored."
14485
#: serverguide/C/monitoring.xml:152(para)
14487
"<emphasis>Host Group</emphasis>: a group of similar hosts. For example, you "
14488
"could group all web servers, file server, etc."
14491
#: serverguide/C/monitoring.xml:157(para)
14493
"<emphasis>Service</emphasis>: the service being monitored on the host. Such "
14494
"as HTTP, DNS, NFS, etc."
14497
#: serverguide/C/monitoring.xml:162(para)
14499
"<emphasis>Service Group</emphasis>: allows you to group multiple services "
14500
"together. This is useful for grouping multiple HTTP for example."
14503
#: serverguide/C/monitoring.xml:168(para)
14505
"<emphasis>Contact</emphasis>: person to be notified when an event takes "
14506
"place. Nagios can be configured to send emails, SMS messages, etc."
14509
#: serverguide/C/monitoring.xml:174(para)
14511
"By default Nagios is configured to check HTTP, disk space, SSH, current "
14512
"users, processes, and load on the <emphasis>localhost</emphasis>. Nagios "
14513
"will also <application>ping</application> check the "
14514
"<emphasis>gateway</emphasis>."
14517
#: serverguide/C/monitoring.xml:179(para)
14519
"Large Nagios installations can be quite complex to configure. It is usually "
14520
"best to start small, one or two hosts, get things configured the way you "
14521
"like then expand."
14524
#: serverguide/C/monitoring.xml:194(para)
14526
"First, create a <emphasis>host</emphasis> configuration file for "
14527
"<emphasis>server02</emphasis>. In a terminal enter:"
14530
#: serverguide/C/monitoring.xml:199(command)
14532
"sudo cp /etc/nagios3/conf.d/localhost_nagios2.cfg "
14533
"/etc/nagios3/conf.d/server02.cfg"
14536
#: serverguide/C/monitoring.xml:203(para)
14538
"In the above and following command examples, replace "
14539
"<emphasis>\"server01\"</emphasis>, "
14540
"<emphasis>\"server02\"</emphasis><emphasis>172.18.100.100</emphasis>, and "
14541
"<emphasis>172.18.100.101</emphasis> with the host names and IP addresses of "
14545
#: serverguide/C/monitoring.xml:212(para)
14546
msgid "Next, edit <filename>/etc/nagios3/conf.d/server02.cfg</filename>:"
14549
#: serverguide/C/monitoring.xml:216(programlisting)
14554
" use generic-host ; Name of host "
14555
"template to use\n"
14556
" host_name server02\n"
14557
" alias Server 02\n"
14558
" address 172.18.100.101\n"
14561
"# check DNS service.\n"
14562
"define service {\n"
14563
" use generic-service\n"
14564
" host_name server02\n"
14565
" service_description DNS\n"
14566
" check_command check_dns!172.18.100.101\n"
14570
#: serverguide/C/monitoring.xml:236(para)
14572
"Restart the <application>nagios</application> daemon to enable the new "
14576
#: serverguide/C/monitoring.xml:241(command) serverguide/C/monitoring.xml:308(command) serverguide/C/monitoring.xml:375(command)
14577
msgid "sudo /etc/init.d/nagios3 restart"
14580
#: serverguide/C/monitoring.xml:251(para)
14582
"Now add a service definition for the MySQL check by adding the following to "
14583
"<filename>/etc/nagios3/conf.d/services_nagios2.cfg</filename>:"
14586
#: serverguide/C/monitoring.xml:255(programlisting)
14590
"# check MySQL servers.\n"
14591
"define service {\n"
14592
" hostgroup_name mysql-servers\n"
14593
" service_description MySQL\n"
14595
"check_mysql_cmdlinecred!nagios!secret!$HOSTADDRESS\n"
14596
" use generic-service\n"
14597
" notification_interval 0 ; set > 0 if you want to be "
14602
#: serverguide/C/monitoring.xml:269(para)
14604
"A <emphasis>mysqsl-servers</emphasis> hostgroup now needs to be defined. "
14605
"Edit <filename>/etc/nagios3/conf.d/hostgroups_nagios2.cfg</filename> adding:"
14608
#: serverguide/C/monitoring.xml:274(programlisting)
14612
"# MySQL hostgroup.\n"
14613
"define hostgroup {\n"
14614
" hostgroup_name mysql-servers\n"
14615
" alias MySQL servers\n"
14616
" members localhost, server02\n"
14620
#: serverguide/C/monitoring.xml:286(para)
14622
"The Nagios check needs to authenticate to MySQL. To add a "
14623
"<emphasis>nagios</emphasis> user to MySQL enter:"
14626
#: serverguide/C/monitoring.xml:291(command)
14627
msgid "mysql -u root -p -e \"create user nagios identified by 'secret';\""
14630
#: serverguide/C/monitoring.xml:295(para)
14632
"The <emphasis>nagios</emphasis> user will need to be added all hosts in the "
14633
"<emphasis>mysql-servers</emphasis> hostgroup."
14636
#: serverguide/C/monitoring.xml:303(para)
14638
"Restart <application>nagios</application> to start checking the MySQL "
14642
#: serverguide/C/monitoring.xml:318(para)
14644
"Lastly configure NRPE to check the disk space on "
14645
"<emphasis>server02</emphasis>."
14648
#: serverguide/C/monitoring.xml:322(para)
14650
"On <emphasis>server01</emphasis> add the service check to "
14651
"<filename>/etc/nagios3/conf.d/server02.cfg</filename>:"
14654
#: serverguide/C/monitoring.xml:327(programlisting)
14658
"# NRPE disk check.\n"
14659
"define service {\n"
14660
" use generic-service\n"
14661
" host_name server02\n"
14662
" service_description nrpe-disk\n"
14664
"check_nrpe_1arg!check_all_disks!172.18.100.101\n"
14668
#: serverguide/C/monitoring.xml:340(para)
14670
"Now on <emphasis>server02</emphasis> edit "
14671
"<filename>/etc/nagios/nrpe.cfg</filename> changing:"
14674
#: serverguide/C/monitoring.xml:344(programlisting)
14678
"allowed_hosts=172.18.100.100\n"
14681
#: serverguide/C/monitoring.xml:348(para)
14682
msgid "And below in the command definition area add:"
14685
#: serverguide/C/monitoring.xml:352(programlisting)
14689
"command[check_all_disks]=/usr/lib/nagios/plugins/check_disk -w 20% -c 10% -"
14693
#: serverguide/C/monitoring.xml:359(para)
14694
msgid "Finally, restart <application>nagios-nrpe-server</application>:"
14697
#: serverguide/C/monitoring.xml:364(command)
14698
msgid "sudo /etc/init.d/nagios-nrpe-server restart"
14701
#: serverguide/C/monitoring.xml:370(para)
14703
"Also, on <emphasis>server01</emphasis> restart "
14704
"<application>nagios</application>:"
14707
#: serverguide/C/monitoring.xml:383(para)
14709
"You should now be able to see the host and service checks in the Nagios CGI "
14710
"files. To access them point a browser to http://server01/nagios3. You will "
14711
"then be prompted for the <emphasis>nagiosadmin</emphasis> username and "
14715
#: serverguide/C/monitoring.xml:393(para)
14717
"This section has just scratched the surface of Nagios' features. The "
14718
"<application>nagios-plugins-extra</application> and <application>nagios-snmp-"
14719
"plugins</application> contain many more service checks."
14722
#: serverguide/C/monitoring.xml:400(para)
14724
"For more information see <ulink "
14725
"url=\"http://www.nagios.org/\">Nagios</ulink> website."
14728
#: serverguide/C/monitoring.xml:405(para)
14730
"Specifically the <ulink "
14731
"url=\"http://nagios.sourceforge.net/docs/3_0/\">Online Documentation</ulink> "
14735
#: serverguide/C/monitoring.xml:410(para)
14737
"There is also a list of <ulink "
14738
"url=\"http://www.nagios.org/propaganda/books/\">books</ulink> related to "
14739
"Nagios and network monitoring:"
14742
#: serverguide/C/monitoring.xml:420(title)
14746
#: serverguide/C/monitoring.xml:425(para)
14748
"Before installing <application>Munin</application> on "
14749
"<emphasis>server01</emphasis><application>apache2</application> will need to "
14750
"be installed. The default configuration is fine for running a "
14751
"<application>munin</application> server. For more information see <xref "
14752
"linkend=\"httpd\"/>."
14755
#: serverguide/C/monitoring.xml:431(para)
14757
"First, on <emphasis>server01</emphasis> install "
14758
"<application>munin</application>. In a terminal enter:"
14761
#: serverguide/C/monitoring.xml:436(command)
14762
msgid "sudo apt-get install munin"
14765
#: serverguide/C/monitoring.xml:439(para)
14767
"Now on <emphasis>server02</emphasis> install the <application>munin-"
14768
"node</application> package:"
14771
#: serverguide/C/monitoring.xml:444(command)
14772
msgid "sudo apt-get install munin-node"
14775
#: serverguide/C/monitoring.xml:451(para)
14777
"On <emphasis>server01</emphasis> edit the "
14778
"<filename>/etc/munin/munin.conf</filename> adding the IP address for "
14779
"<emphasis>server02</emphasis>:"
14782
#: serverguide/C/monitoring.xml:456(programlisting)
14786
"## First our \"normal\" host.\n"
14788
" address 172.18.100.101\n"
14791
#: serverguide/C/monitoring.xml:463(para)
14793
"Replace <emphasis>server02</emphasis> and "
14794
"<emphasis>172.18.100.101</emphasis> with the actual hostname and IP address "
14798
#: serverguide/C/monitoring.xml:469(para)
14800
"Next, configure <application>munin-node</application> on "
14801
"<emphasis>server02</emphasis>. Edit <filename>/etc/munin/munin-"
14802
"node.conf</filename> to allow access by <emphasis>server01</emphasis>:"
14805
#: serverguide/C/monitoring.xml:474(programlisting)
14809
"allow ^172\\.18\\.100\\.100$\n"
14812
#: serverguide/C/monitoring.xml:479(para)
14814
"Replace <emphasis>^172\\.18\\.100\\.100$</emphasis> with IP address for your "
14815
"<application>munin</application> server."
14818
#: serverguide/C/monitoring.xml:484(para)
14820
"Now restart <application>munin-node</application> on "
14821
"<emphasis>server02</emphasis> for the changes to take effect:"
14824
#: serverguide/C/monitoring.xml:489(command)
14825
msgid "sudo /etc/init.d/munin-node restart"
14828
#: serverguide/C/monitoring.xml:492(para)
14830
"Finally, in a browser go to <emphasis>http://server01/munin</emphasis>, and "
14831
"you should see links to nice graphs displaying information from the standard "
14832
"<emphasis>munin-plugins</emphasis> for disk, network, processes, and system."
14835
#: serverguide/C/monitoring.xml:498(para)
14837
"Since this is a new install it may take some time for the graphs to display "
14841
#: serverguide/C/monitoring.xml:505(title)
14842
msgid "Additional Plugins"
14845
#: serverguide/C/monitoring.xml:507(para)
14847
"The <application>munin-plugins-extra</application> package contains "
14848
"performance checks additional services such as DNS, DHCP, Samba, etc. To "
14849
"install the package, from a terminal enter:"
14852
#: serverguide/C/monitoring.xml:513(command)
14853
msgid "sudo apt-get install munin-plugins-extra"
14856
#: serverguide/C/monitoring.xml:516(para)
14857
msgid "Be sure to install the package on both the server and node machines."
14860
#: serverguide/C/monitoring.xml:526(para)
14862
"See the <ulink url=\"http://munin.projects.linpro.no/\">Munin</ulink> "
14863
"website for more details."
14866
#: serverguide/C/monitoring.xml:531(para)
14868
"Specifically the <ulink "
14869
"url=\"http://munin.projects.linpro.no/wiki/Documentation\">Munin "
14870
"Documentation</ulink> page includes information on additional plugins, "
14871
"writing plugins, etc."
14874
#: serverguide/C/monitoring.xml:537(para)
14876
"Also, there is a book in German by Open Source Press: <ulink "
14877
"url=\"https://www.opensourcepress.de/index.php?26&backPID=178&tt_prod"
14878
"ucts=152\">Munin Graphisches Netzwerk- und System-Monitoring</ulink>."
14881
#: serverguide/C/mail.xml:13(title)
14882
msgid "Email Services"
14885
#: serverguide/C/mail.xml:14(para)
14887
"The process of getting an email from one person to another over a network or "
14888
"the Internet involves many systems working together. Each of these systems "
14889
"must be correctly configured for the process to work. The sender uses a "
14890
"<emphasis>Mail User Agent</emphasis> (MUA), or email client, to send the "
14891
"message through one or more <emphasis>Mail Transfer Agents</emphasis> (MTA), "
14892
"the last of which will hand it off to a <emphasis>Mail Delivery "
14893
"Agent</emphasis> (MDA) for delivery to the recipient's mailbox, from which "
14894
"it will be retrieved by the recipient's email client, usually via a POP3 or "
14898
#: serverguide/C/mail.xml:24(title) serverguide/C/mail.xml:804(application) serverguide/C/mail.xml:838(title) serverguide/C/mail.xml:916(title) serverguide/C/mail.xml:1475(title)
14902
#: serverguide/C/mail.xml:25(para)
14904
"<application>Postfix</application> is the default Mail Transfer Agent (MTA) "
14905
"in Ubuntu. It attempts to be fast and easy to administer and secure. It is "
14906
"compatible with the MTA <application>sendmail</application>. This section "
14907
"explains how to install and configure <application>postfix</application>. It "
14908
"also explains how to set it up as an SMTP server using a secure connection "
14909
"(for sending emails securely)."
14912
#: serverguide/C/mail.xml:34(para)
14914
"This guide does not cover setting up Postfix <emphasis>Virtual "
14915
"Domains</emphasis>, for information on Virtual Domains and other advanced "
14916
"configurations see <xref linkend=\"postfix-references\"/>."
14919
#: serverguide/C/mail.xml:41(para)
14921
"To install <application>postfix</application> run the following command:"
14924
#: serverguide/C/mail.xml:47(para)
14926
"Simply press return when the installation process asks questions, the "
14927
"configuration will be done in greater detail in the next stage."
14930
#: serverguide/C/mail.xml:52(title)
14931
msgid "Basic Configuration"
14934
#: serverguide/C/mail.xml:53(para)
14936
"To configure <application>postfix</application>, run the following command:"
14939
#: serverguide/C/mail.xml:57(command)
14940
msgid "sudo dpkg-reconfigure postfix"
14943
#: serverguide/C/mail.xml:63(para)
14944
msgid "Internet Site"
14947
#: serverguide/C/mail.xml:64(para)
14948
msgid "mail.example.com"
14951
#: serverguide/C/mail.xml:65(para)
14955
#: serverguide/C/mail.xml:66(para)
14956
msgid "mail.example.com, localhost.localdomain, localhost"
14959
#: serverguide/C/mail.xml:67(para)
14963
#: serverguide/C/mail.xml:68(para)
14964
msgid "127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.0/24"
14967
#: serverguide/C/mail.xml:69(para)
14971
#: serverguide/C/mail.xml:70(para)
14975
#: serverguide/C/mail.xml:71(para)
14979
#: serverguide/C/mail.xml:59(para)
14981
"The user interface will be displayed. On each screen, select the following "
14982
"values: <placeholder-1/>"
14985
#: serverguide/C/mail.xml:75(para)
14987
"Replace mail.example.com with the domain for which you'll accept email, "
14988
"192.168.0/24 with the actual network and class range of your mail server, "
14989
"and steve with the appropriate username."
14992
#: serverguide/C/mail.xml:81(para)
14994
"Now is a good time to decide which mailbox format you want to use. By "
14995
"default Postfix will use <emphasis role=\"strong\">mbox</emphasis> for the "
14996
"mailbox format. Rather than editing the configuration file directly, you can "
14997
"use the <command>postconf</command> command to configure all "
14998
"<application>postfix</application> parameters. The configuration parameters "
14999
"will be stored in <filename>/etc/postfix/main.cf</filename> file. Later if "
15000
"you wish to re-configure a particular parameter, you can either run the "
15001
"command or change it manually in the file."
15004
#: serverguide/C/mail.xml:92(para)
15006
"To configure the mailbox format for <emphasis "
15007
"role=\"strong\">Maildir:</emphasis>"
15010
#: serverguide/C/mail.xml:97(command)
15011
msgid "sudo postconf -e 'home_mailbox = Maildir/'"
15014
#: serverguide/C/mail.xml:100(para)
15016
"This will place new mail in /home/<emphasis "
15017
"role=\"italic\">username</emphasis>/Maildir so you will need to configure "
15018
"your Mail Delivery Agent (MDA) to use the same path."
15021
#: serverguide/C/mail.xml:108(title) serverguide/C/mail.xml:538(title)
15022
msgid "SMTP Authentication"
15025
#: serverguide/C/mail.xml:110(para)
15027
"SMTP-AUTH allows a client to identify itself through an authentication "
15028
"mechanism (SASL). Transport Layer Security (TLS) should be used to encrypt "
15029
"the authentication process. Once authenticated the SMTP server will allow "
15030
"the client to relay mail."
15033
#: serverguide/C/mail.xml:117(para)
15034
msgid "Configure Postfix for SMTP-AUTH using SASL (Dovecot SASL):"
15037
#: serverguide/C/mail.xml:120(screen)
15041
"sudo postconf -e 'smtpd_sasl_type = dovecot'\n"
15042
"sudo postconf -e 'smtpd_sasl_path = private/auth-client'\n"
15043
"sudo postconf -e 'smtpd_sasl_local_domain ='\n"
15044
"sudo postconf -e 'smtpd_sasl_security_options = noanonymous'\n"
15045
"sudo postconf -e 'broken_sasl_auth_clients = yes'\n"
15046
"sudo postconf -e 'smtpd_sasl_auth_enable = yes'\n"
15047
"sudo postconf -e 'smtpd_recipient_restrictions = "
15048
"permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'\n"
15049
"sudo postconf -e 'inet_interfaces = all'\n"
15052
#: serverguide/C/mail.xml:131(para)
15054
"The <emphasis>smtpd_sasl_path</emphasis> configuration is a path relative to "
15055
"the Postfix queue directory."
15058
#: serverguide/C/mail.xml:137(para)
15060
"Next, obtain a digital certificate for TLS. See <xref linkend=\"certificates-"
15061
"and-security\"/> for details. This example also uses a Certificate Authority "
15062
"(CA). For information on generating a CA certificate see <xref "
15063
"linkend=\"certificate-authority\"/>."
15066
#: serverguide/C/mail.xml:143(para)
15068
"You can get the digital certificate from a certificate authority. But unlike "
15069
"web clients, SMTP clients rarely complain about \"self-signed "
15070
"certificates\", so alternatively, you can create the certificate yourself. "
15071
"Refer to <xref linkend=\"creating-a-self-signed-certificate\"/> for more "
15075
#: serverguide/C/mail.xml:155(para)
15077
"Once you have a certificate, configure Postfix to provide TLS encryption for "
15078
"both incoming and outgoing mail:"
15081
#: serverguide/C/mail.xml:158(screen)
15085
"sudo postconf -e 'smtpd_tls_auth_only = no'\n"
15086
"sudo postconf -e 'smtp_use_tls = yes'\n"
15087
"sudo postconf -e 'smtpd_use_tls = yes'\n"
15088
"sudo postconf -e 'smtp_tls_note_starttls_offer = yes'\n"
15089
"sudo postconf -e 'smtpd_tls_key_file = /etc/ssl/private/server.key'\n"
15090
"sudo postconf -e 'smtpd_tls_cert_file = /etc/ssl/certs/server.crt'\n"
15091
"sudo postconf -e 'smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem'\n"
15092
"sudo postconf -e 'smtpd_tls_loglevel = 1'\n"
15093
"sudo postconf -e 'smtpd_tls_received_header = yes'\n"
15094
"sudo postconf -e 'smtpd_tls_session_cache_timeout = 3600s'\n"
15095
"sudo postconf -e 'tls_random_source = dev:/dev/urandom'\n"
15096
"sudo postconf -e 'myhostname = mail.example.com'\n"
15099
#: serverguide/C/mail.xml:175(para)
15101
"After running all the commands, <application>Postfix</application> is "
15102
"configured for SMTP-AUTH and a self-signed certificate has been created for "
15106
#: serverguide/C/mail.xml:180(para)
15108
"Now, the file <filename>/etc/postfix/main.cf</filename> should look like "
15109
"<ulink url=\"../sample/postfix_configuration\">this</ulink>."
15112
#: serverguide/C/mail.xml:184(para)
15114
"The postfix initial configuration is complete. Run the following command to "
15115
"restart the postfix daemon:"
15118
#: serverguide/C/mail.xml:189(para)
15120
"<application>Postfix</application> supports SMTP-AUTH as defined in <ulink "
15121
"url=\"ftp://ftp.isi.edu/in-notes/rfc2554.txt\">RFC2554</ulink>. It is based "
15122
"on <ulink url=\"ftp://ftp.isi.edu/in-notes/rfc2222.txt\">SASL</ulink>. "
15123
"However it is still necessary to set up SASL authentication before you can "
15127
#: serverguide/C/mail.xml:199(title) serverguide/C/mail.xml:591(title)
15128
msgid "Configuring SASL"
15131
#: serverguide/C/mail.xml:200(para)
15133
"Postfix supports two SASL implementations Cyrus SASL and Dovecot SASL. To "
15134
"enable Dovecot SASL the <application>dovecot-common</application> package "
15135
"will need to be installed. From a terminal prompt enter the following:"
15138
#: serverguide/C/mail.xml:206(command)
15139
msgid "sudo apt-get install dovecot-common"
15142
#: serverguide/C/mail.xml:208(para)
15144
"Next you will need to edit <filename>/etc/dovecot/dovecot.conf</filename>. "
15145
"In the <emphasis>auth default</emphasis> section uncomment the "
15146
"<emphasis>socket listen</emphasis> option and change the following:"
15149
#: serverguide/C/mail.xml:212(programlisting)
15153
" socket listen {\n"
15155
" # Master socket provides access to userdb information. It's typically\n"
15156
" # used to give Dovecot's local delivery agent access to userdb so it\n"
15157
" # can find mailbox locations.\n"
15158
" #path = /var/run/dovecot/auth-master\n"
15160
" # Default user/group is the one who started dovecot-auth (root)\n"
15165
" # The client socket is generally safe to export to everyone. Typical "
15167
" # is to export it to your SMTP server so it can do SMTP AUTH lookups\n"
15169
" path = /var/spool/postfix/private/auth-client\n"
15171
" user = postfix\n"
15172
" group = postfix\n"
15177
#: serverguide/C/mail.xml:236(para)
15179
"In order to let <application>Outlook</application> clients use SMTPAUTH, in "
15180
"the <emphasis>auth default</emphasis> section of /etc/dovecot/dovecot.conf "
15181
"add <emphasis>\"login\"</emphasis>:"
15184
#: serverguide/C/mail.xml:241(programlisting)
15188
" mechanisms = plain login\n"
15191
#: serverguide/C/mail.xml:245(para)
15193
"Once you have <application>Dovecot</application> configured restart it with:"
15196
#: serverguide/C/mail.xml:249(command) serverguide/C/mail.xml:712(command)
15197
msgid "sudo /etc/init.d/dovecot restart"
15200
#: serverguide/C/mail.xml:254(title)
15201
msgid "Postfix-Dovecot"
15204
#: serverguide/C/mail.xml:256(para)
15206
"Another option for configuring <application>Postfix</application> for SMTP-"
15207
"AUTH is using the <application>dovecot-postfix</application> package. This "
15208
"package will install <application>Dovecot</application> and configure "
15209
"<application>Postfix</application> to use it for both SASL authentication "
15210
"and as a Mail Delivery Agent (MDA). The package also configures "
15211
"<application>Dovecot</application> for IMAP, IMAPS, POP3, and POP3S."
15214
#: serverguide/C/mail.xml:265(para)
15216
"You may or may not want to run IMAP, IMAPS, POP3, or POP3S on your mail "
15217
"server. For example, if you are configuring your server to be a mail "
15218
"gateway, spam/virus filter, etc. If this is the case it may be easier to use "
15219
"the above commands to configure Postfix for SMTPAUTH."
15222
#: serverguide/C/mail.xml:272(para)
15223
msgid "To install the package, from a terminal prompt enter:"
15226
#: serverguide/C/mail.xml:277(command)
15227
msgid "sudo apt-get install dovecot-postfix"
15230
#: serverguide/C/mail.xml:280(para)
15232
"You should now have a working mail server, but there are a few options that "
15233
"you may wish to further customize. For example, the package uses the "
15234
"certificate and key from the <application>ssl-cert</application> package, "
15235
"and in a production environment you should use a certificate and key "
15236
"generated for the host. See <xref linkend=\"certificates-and-security\"/> "
15237
"for more details."
15240
#: serverguide/C/mail.xml:286(para)
15242
"Once you have a customized certificate and key for the host, change the "
15243
"following options in <filename>/etc/postfix/main.cf</filename>:"
15246
#: serverguide/C/mail.xml:290(programlisting)
15250
"smtpd_tls_cert_file = /etc/ssl/certs/ssl-mail.pem\n"
15251
"smtpd_tls_key_file = /etc/ssl/private/ssl-mail.key\n"
15254
#: serverguide/C/mail.xml:295(para)
15255
msgid "Then restart Postfix:"
15258
#: serverguide/C/mail.xml:300(command) serverguide/C/mail.xml:363(command) serverguide/C/mail.xml:956(command) serverguide/C/mail.xml:1526(command)
15259
msgid "sudo /etc/init.d/postfix restart"
15262
#: serverguide/C/mail.xml:306(para)
15264
"SMTP-AUTH configuration is complete. Now it is time to test the setup."
15267
#: serverguide/C/mail.xml:309(para)
15268
msgid "To see if SMTP-AUTH and TLS work properly, run the following command:"
15271
#: serverguide/C/mail.xml:314(command)
15272
msgid "telnet mail.example.com 25"
15275
#: serverguide/C/mail.xml:316(para)
15277
"After you have established the connection to the postfix mail server, type:"
15280
#: serverguide/C/mail.xml:320(screen)
15284
"ehlo mail.example.com\n"
15287
#: serverguide/C/mail.xml:323(para)
15289
"If you see the following lines among others, then everything is working "
15290
"perfectly. Type <command>quit</command> to exit."
15293
#: serverguide/C/mail.xml:327(programlisting)
15298
"250-AUTH LOGIN PLAIN\n"
15299
"250-AUTH=LOGIN PLAIN\n"
15303
#: serverguide/C/mail.xml:337(para)
15305
"This section introduces some common ways to determine the cause if problems "
15309
#: serverguide/C/mail.xml:341(title)
15310
msgid "Escaping chroot"
15313
#: serverguide/C/mail.xml:342(para)
15315
"The Ubuntu <application>postfix</application> package will by default "
15316
"install into a <emphasis>chroot</emphasis> environment for security reasons. "
15317
"This can add greater complexity when troubleshooting problems."
15320
#: serverguide/C/mail.xml:346(para)
15322
"To turn off the chroot operation locate for the following line in the "
15323
"<filename>/etc/postfix/master.cf</filename> configuration file:"
15326
#: serverguide/C/mail.xml:350(screen)
15330
"smtp inet n - - - - smtpd\n"
15333
#: serverguide/C/mail.xml:353(para)
15334
msgid "and modify it as follows:"
15337
#: serverguide/C/mail.xml:356(screen)
15341
"smtp inet n - n - - smtpd\n"
15344
#: serverguide/C/mail.xml:359(para)
15346
"You will then need to restart Postfix to use the new configuration. From a "
15347
"terminal prompt enter:"
15350
#: serverguide/C/mail.xml:367(title)
15354
#: serverguide/C/mail.xml:368(para)
15356
"<application>Postfix</application> sends all log messages to "
15357
"<filename>/var/log/mail.log</filename>. However error and warning messages "
15358
"can sometimes get lost in the normal log output so they are also logged to "
15359
"<filename>/var/log/mail.err</filename> and "
15360
"<filename>/var/log/mail.warn</filename> respectively."
15363
#: serverguide/C/mail.xml:373(para)
15365
"To see messages entered into the logs in real time you can use the "
15366
"<application>tail -f</application> command:"
15369
#: serverguide/C/mail.xml:378(command)
15370
msgid "tail -f /var/log/mail.err"
15373
#: serverguide/C/mail.xml:380(para)
15375
"The amount of detail that is recorded in the logs can be increased. Below "
15376
"are some configuration options for increasing the log level for some of the "
15377
"areas covered above."
15380
#: serverguide/C/mail.xml:386(para)
15382
"To increase <emphasis>TLS</emphasis> activity logging set the "
15383
"<emphasis>smtpd_tls_loglevel</emphasis> option to a value from 1 to 4."
15386
#: serverguide/C/mail.xml:390(command)
15387
msgid "sudo postconf -e 'smtpd_tls_loglevel = 4'"
15390
#: serverguide/C/mail.xml:394(para)
15392
"If you are having trouble sending or receiving mail from a specific domain "
15393
"you can add the domain to the <emphasis>debug_peer_list</emphasis> parameter."
15396
#: serverguide/C/mail.xml:399(command)
15397
msgid "sudo postconf -e 'debug_peer_list = problem.domain'"
15400
#: serverguide/C/mail.xml:403(para)
15402
"You can increase the verbosity of any <application>Postfix</application> "
15403
"daemon process by editing the <filename>/etc/postfix/master.cf</filename> "
15404
"and adding a <emphasis>-v</emphasis> after the entry. For example edit the "
15405
"<emphasis>smtp</emphasis> entry:"
15408
#: serverguide/C/mail.xml:407(programlisting)
15412
"smtp unix - - - - - smtp -v\n"
15415
#: serverguide/C/mail.xml:413(para)
15417
"It is important to note that after making one of the logging changes above "
15418
"the <application>Postfix</application> process will need to be reloaded in "
15419
"order to recognize the new configuration: <command>sudo /etc/init.d/postfix "
15423
#: serverguide/C/mail.xml:420(para)
15425
"To increase the amount of information logged when troubleshooting "
15426
"<emphasis>SASL</emphasis> issues you can set the following options in "
15427
"<filename>/etc/dovecot/dovecot.conf</filename>"
15430
#: serverguide/C/mail.xml:424(programlisting)
15435
"auth_debug_passwords=yes\n"
15438
#: serverguide/C/mail.xml:431(para)
15440
"Just like <application>Postfix</application> if you change a "
15441
"<application>Dovecot</application> configuration the process will need to be "
15442
"reloaded: <command>sudo /etc/init.d/dovecot reload</command>."
15445
#: serverguide/C/mail.xml:437(para)
15447
"Some of the options above can drastically increase the amount of information "
15448
"sent to the log files. Remember to return the log level back to normal after "
15449
"you have corrected the problem. Then reload the appropriate daemon for the "
15450
"new configuration to take affect."
15453
#: serverguide/C/mail.xml:445(para)
15455
"Administering a <application>Postfix</application> server can be a very "
15456
"complicated task. At some point you may need to turn to the Ubuntu community "
15457
"for more experienced help."
15460
#: serverguide/C/mail.xml:449(para)
15462
"A great place to ask for <application>Postfix</application> assistance, and "
15463
"get involved with the Ubuntu Server community, is the <emphasis>#ubuntu-"
15464
"server</emphasis> IRC channel on <ulink "
15465
"url=\"http://freenode.net\">freenode</ulink>. You can also post a message to "
15466
"one of the <ulink "
15467
"url=\"http://www.ubuntu.com/support/community/webforums\">Web Forums</ulink>."
15470
#: serverguide/C/mail.xml:454(para)
15472
"For in depth <application>Postfix</application> information Ubuntu "
15473
"developers highly recommend: <ulink url=\"http://www.postfix-book.com/\">The "
15474
"Book of Postfix</ulink>."
15477
#: serverguide/C/mail.xml:458(para)
15479
"Finally, the <ulink "
15480
"url=\"http://www.postfix.org/documentation.html\">Postfix</ulink> website "
15481
"also has great documentation on all the different configuration options "
15485
#: serverguide/C/mail.xml:467(title) serverguide/C/mail.xml:844(title) serverguide/C/mail.xml:960(title)
15489
#: serverguide/C/mail.xml:468(para)
15491
"<application>Exim4</application> is another Message Transfer Agent (MTA) "
15492
"developed at the University of Cambridge for use on Unix systems connected "
15493
"to the Internet. Exim can be installed in place of "
15494
"<application>sendmail</application>, although the configuration of "
15495
"<application>exim</application> is quite different to that of "
15496
"<application>sendmail</application>."
15499
#: serverguide/C/mail.xml:479(para)
15501
"To install <application>exim4</application>, run the following command: "
15503
"<command>sudo apt-get install exim4</command>\n"
15507
#: serverguide/C/mail.xml:488(para)
15509
"To configure <application>Exim4</application>, run the following command:"
15512
#: serverguide/C/mail.xml:492(command)
15513
msgid "sudo dpkg-reconfigure exim4-config"
15516
#: serverguide/C/mail.xml:494(para)
15518
"The user interface will be displayed. The user interface lets you configure "
15519
"many parameters. For example, In <application>Exim4</application> the "
15520
"configuration files are split among multiple files. If you wish to have them "
15521
"in one file you can configure accordingly in this user interface."
15524
#: serverguide/C/mail.xml:502(para)
15526
"All the parameters you configure in the user interface are stored in "
15527
"<filename>/etc/exim4/update-exim4.conf.conf</filename> file. If you wish to "
15528
"re-configure, either you re-run the configuration wizard or manually edit "
15529
"this file using your favorite editor. Once you configure, you can run the "
15530
"following command to generate the master configuration file:"
15533
#: serverguide/C/mail.xml:513(command) serverguide/C/mail.xml:586(command)
15534
msgid "sudo update-exim4.conf"
15537
#: serverguide/C/mail.xml:515(para)
15539
"The master configuration file, is generated and it is stored in "
15540
"<filename>/var/lib/exim4/config.autogenerated</filename>."
15543
#: serverguide/C/mail.xml:521(para)
15545
"At any time, you should not edit the master configuration file, "
15546
"<filename>/var/lib/exim4/config.autogenerated</filename> manually. It is "
15547
"updated automatically every time you run <command>update-exim4.conf</command>"
15550
#: serverguide/C/mail.xml:529(para)
15552
"You can run the following command to start <application>Exim4</application> "
15556
#: serverguide/C/mail.xml:534(command) serverguide/C/mail.xml:966(command)
15557
msgid "sudo /etc/init.d/exim4 start"
15560
#: serverguide/C/mail.xml:539(para)
15562
"This section covers configuring Exim4 to use SMTP-AUTH with TLS and SASL."
15565
#: serverguide/C/mail.xml:542(para)
15567
"The first step is to create a certificate for use with TLS. Enter the "
15568
"following into a terminal prompt:"
15571
#: serverguide/C/mail.xml:546(command)
15572
msgid "sudo /usr/share/doc/exim4-base/examples/exim-gencert"
15575
#: serverguide/C/mail.xml:548(para)
15577
"Now Exim4 needs to be configured for TLS by editing "
15578
"<filename>/etc/exim4/conf.d/main/03_exim4-config_tlsoptions</filename> add "
15582
#: serverguide/C/mail.xml:552(programlisting)
15586
"MAIN_TLS_ENABLE = yes\n"
15589
#: serverguide/C/mail.xml:555(para)
15591
"Next you need to configure <application>Exim4</application> to use the "
15592
"<application>saslauthd</application> for authentication. Edit "
15593
"<filename>/etc/exim4/conf.d/auth/30_exim4-config_examples</filename> and "
15594
"uncomment the <emphasis>plain_saslauthd_server</emphasis> and "
15595
"<emphasis>login_saslauthd_server</emphasis> sections:"
15598
#: serverguide/C/mail.xml:560(programlisting)
15602
" plain_saslauthd_server:\n"
15603
" driver = plaintext\n"
15604
" public_name = PLAIN\n"
15605
" server_condition = ${if saslauthd{{$auth2}{$auth3}}{1}{0}}\n"
15606
" server_set_id = $auth2\n"
15607
" server_prompts = :\n"
15608
" .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS\n"
15609
" server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}\n"
15612
" login_saslauthd_server:\n"
15613
" driver = plaintext\n"
15614
" public_name = LOGIN\n"
15615
" server_prompts = \"Username:: : Password::\"\n"
15616
" # don't send system passwords over unencrypted connections\n"
15617
" server_condition = ${if saslauthd{{$auth1}{$auth2}}{1}{0}}\n"
15618
" server_set_id = $auth1\n"
15619
" .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS\n"
15620
" server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}\n"
15624
#: serverguide/C/mail.xml:582(para)
15625
msgid "Finally, update the Exim4 configuration and restart the service:"
15628
#: serverguide/C/mail.xml:587(command)
15629
msgid "sudo /etc/init.d/exim4 restart"
15632
#: serverguide/C/mail.xml:592(para)
15634
"This section provides details on configuring the saslauthd to provide "
15635
"authentication for <application>Exim4</application>."
15638
#: serverguide/C/mail.xml:595(para)
15640
"The first step is to install the sasl2-bin package. From a terminal prompt "
15641
"enter the following:"
15644
#: serverguide/C/mail.xml:599(command)
15645
msgid "sudo apt-get install sasl2-bin"
15648
#: serverguide/C/mail.xml:601(para)
15650
"To configure saslauthd edit the /etc/default/saslauthd configuration file "
15651
"and set START=no to:"
15654
#: serverguide/C/mail.xml:604(programlisting)
15661
#: serverguide/C/mail.xml:607(para)
15663
"Next the <emphasis>Debian-exim</emphasis> user needs to be part of the "
15664
"<emphasis>sasl</emphasis> group in order for Exim4 to use the saslauthd "
15668
#: serverguide/C/mail.xml:612(command)
15669
msgid "sudo adduser Debian-exim sasl"
15672
#: serverguide/C/mail.xml:614(para)
15673
msgid "Now start the <application>saslauthd</application> service:"
15676
#: serverguide/C/mail.xml:618(command)
15677
msgid "sudo /etc/init.d/saslauthd start"
15680
#: serverguide/C/mail.xml:620(para)
15682
"<application>Exim4</application> is now configured with SMTP-AUTH using TLS "
15683
"and SASL authentication."
15686
#: serverguide/C/mail.xml:629(para)
15688
"See <ulink url=\"http://www.exim.org/\">exim.org</ulink> for more "
15692
#: serverguide/C/mail.xml:634(para)
15694
"There is also an <ulink url=\"http://www.uit.co.uk/content/exim-smtp-mail-"
15695
"server\">Exim4 Book</ulink> available."
15698
#: serverguide/C/mail.xml:643(title)
15699
msgid "Dovecot Server"
15702
#: serverguide/C/mail.xml:644(para)
15704
"<application>Dovecot</application> is a Mail Delivery Agent, written with "
15705
"security primarily in mind. It supports the major mailbox formats: mbox or "
15706
"Maildir. This section explain how to set it up as an imap or pop3 server."
15709
#: serverguide/C/mail.xml:652(para)
15711
"To install <application>dovecot</application>, run the following command in "
15712
"the command prompt:"
15715
#: serverguide/C/mail.xml:657(command)
15716
msgid "sudo apt-get install dovecot-imapd dovecot-pop3d"
15719
#: serverguide/C/mail.xml:662(para)
15721
"To configure <application>dovecot</application>, you can edit the file "
15722
"<filename>/etc/dovecot/dovecot.conf</filename>. You can choose the protocol "
15723
"you use. It could be pop3, pop3s (pop3 secure), imap and imaps (imap "
15724
"secure). A description of these protocols is beyond the scope of this guide. "
15725
"For further information, refer to the Wikipedia articles on <ulink "
15726
"url=\"http://en.wikipedia.org/wiki/POP3\">POP3</ulink> and <ulink "
15727
"url=\"http://en.wikipedia.org/wiki/Internet_Message_Access_Protocol\">IMAP</u"
15731
#: serverguide/C/mail.xml:672(para)
15733
"IMAPS and POP3S are more secure that the simple IMAP and POP3 because they "
15734
"use SSL encryption to connect. Once you have chosen the protocol, amend the "
15735
"following line in the file <filename>/etc/dovecot/dovecot.conf</filename>:"
15738
#: serverguide/C/mail.xml:678(programlisting)
15742
"protocols = pop3 pop3s imap imaps\n"
15745
#: serverguide/C/mail.xml:681(para)
15747
"Next, choose the mailbox you would like to use. "
15748
"<application>Dovecot</application> supports <emphasis "
15749
"role=\"strong\">maildir</emphasis> and <emphasis "
15750
"role=\"strong\">mbox</emphasis> formats. These are the most commonly used "
15751
"mailbox formats. They both have their own benefits and are discussed on "
15752
"<ulink url=\"http://wiki.dovecot.org/MailboxFormat\">the Dovecot web "
15756
#: serverguide/C/mail.xml:689(para)
15758
"Once you have chosen your mailbox type, edit the file "
15759
"<filename>/etc/dovecot/dovecot.conf</filename> and change the following line:"
15762
#: serverguide/C/mail.xml:694(programlisting)
15766
"mail_location = maildir:~/Maildir # (for maildir)\n"
15768
"mail_location = mbox:~/mail:INBOX=/var/spool/mail/%u # (for mbox)\n"
15771
#: serverguide/C/mail.xml:700(para)
15773
"You should configure your Mail Transport Agent (MTA) to transfer the "
15774
"incoming mail to this type of mailbox if it is different from the one you "
15778
#: serverguide/C/mail.xml:706(para)
15780
"Once you have configured dovecot, restart the "
15781
"<application>dovecot</application> daemon in order to test your setup:"
15784
#: serverguide/C/mail.xml:715(para)
15786
"If you have enabled imap, or pop3, you can also try to log in with the "
15787
"commands <command>telnet localhost pop3</command> or <command>telnet "
15788
"localhost imap2</command>. If you see something like the following, the "
15789
"installation has been successful:"
15792
#: serverguide/C/mail.xml:722(programlisting)
15796
"bhuvan@rainbow:~$ telnet localhost pop3\n"
15797
"Trying 127.0.0.1...\n"
15798
"Connected to localhost.localdomain.\n"
15799
"Escape character is '^]'.\n"
15800
"+OK Dovecot ready.\n"
15803
#: serverguide/C/mail.xml:731(title)
15804
msgid "Dovecot SSL Configuration"
15807
#: serverguide/C/mail.xml:732(para)
15809
"To configure <application>dovecot</application> to use SSL, you can edit the "
15810
"file <filename>/etc/dovecot/dovecot.conf</filename> and amend following "
15814
#: serverguide/C/mail.xml:737(programlisting)
15818
"ssl_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem\n"
15819
"ssl_key_file = /etc/ssl/private/ssl-cert-snakeoil.key\n"
15820
"ssl_disable = no\n"
15821
"disable_plaintext_auth = no\n"
15824
#: serverguide/C/mail.xml:743(para)
15826
"You can get the SSL certificate from a Certificate Issuing Authority or you "
15827
"can create self signed SSL certificate. The latter is a good option for "
15828
"email, because SMTP clients rarely complain about \"self-signed "
15829
"certificates\". Please refer to <xref linkend=\"certificates-and-"
15830
"security\"/> for details about how to create self signed SSL certificate. "
15831
"Once you create the certificate, you will have a key file and a certificate "
15832
"file. Please copy them to the location pointed in the "
15833
"<filename>/etc/dovecot/dovecot.conf</filename> configuration file."
15836
#: serverguide/C/mail.xml:758(title)
15837
msgid "Firewall Configuration for an Email Server"
15840
#: serverguide/C/mail.xml:764(para)
15844
#: serverguide/C/mail.xml:765(para)
15845
msgid "IMAPS - 993"
15848
#: serverguide/C/mail.xml:766(para)
15852
#: serverguide/C/mail.xml:767(para)
15853
msgid "POP3S - 995"
15856
#: serverguide/C/mail.xml:759(para)
15858
"To access your mail server from another computer, you must configure your "
15859
"firewall to allow connections to the server on the necessary ports. "
15863
#: serverguide/C/mail.xml:776(para)
15865
"See the <ulink url=\"http://www.dovecot.org/\">Dovecot website</ulink> for "
15866
"more information."
15869
#: serverguide/C/mail.xml:785(title) serverguide/C/mail.xml:862(title) serverguide/C/mail.xml:1085(title)
15873
#: serverguide/C/mail.xml:786(para)
15875
"Mailman is an open source program for managing electronic mail discussions "
15876
"and e-newsletter lists. Many open source mailing lists (including all the "
15877
"<ulink url=\"http://lists.ubuntu.com\">Ubuntu mailing lists</ulink>) use "
15878
"Mailman as their mailing list software. It is powerful and easy to install "
15882
#: serverguide/C/mail.xml:796(para)
15884
"Mailman provides a web interface for the administrators and users, using an "
15885
"external mail server to send and receive emails. It works perfectly with the "
15886
"following mail servers:"
15889
#: serverguide/C/mail.xml:807(application)
15893
#: serverguide/C/mail.xml:810(application)
15897
#: serverguide/C/mail.xml:813(application)
15901
#: serverguide/C/mail.xml:818(para)
15903
"We will see how to install and configure Mailman with, the Apache web "
15904
"server, and either the Postfix or Exim mail server. If you wish to install "
15905
"Mailman with a different mail server, please refer to the references section."
15908
#: serverguide/C/mail.xml:825(para)
15910
"You only need to install one mail server and "
15911
"<application>Postfix</application> is the default Ubuntu Mail Transfer Agent."
15914
#: serverguide/C/mail.xml:830(title) serverguide/C/mail.xml:889(title)
15918
#: serverguide/C/mail.xml:831(para)
15920
"To install apache2 you refer to <ulink url=\"./web-servers.xml#http-"
15921
"installation\">HTTPD Installation</ulink> section for details."
15924
#: serverguide/C/mail.xml:839(para)
15926
"For instructions on installing and configuring Postfix refer to <xref "
15927
"linkend=\"postfix\"/>"
15930
#: serverguide/C/mail.xml:845(para)
15931
msgid "To install Exim4 refer to <xref linkend=\"exim4\"/>."
15934
#: serverguide/C/mail.xml:856(application)
15935
msgid "dc_use_split_config='true'"
15938
#: serverguide/C/mail.xml:848(para)
15940
"Once exim4 is installed, the configuration files are stored in the "
15941
"<filename>/etc/exim4</filename> directory. In Ubuntu, by default, the exim4 "
15942
"configuration files are split across different files. You can change this "
15943
"behavior by changing the following variable in the "
15944
"<filename>/etc/exim4/update-exim4.conf</filename> file: <placeholder-1/>"
15947
#: serverguide/C/mail.xml:863(para)
15949
"To install <application>Mailman</application>, run following command at a "
15953
#: serverguide/C/mail.xml:867(command)
15954
msgid "sudo apt-get install mailman"
15957
#: serverguide/C/mail.xml:869(para)
15959
"It copies the installation files in "
15960
"<application>/var/lib/mailman</application> directory. It installs the CGI "
15961
"scripts in <application>/usr/lib/cgi-bin/mailman</application> directory. It "
15962
"creates <emphasis>list</emphasis> linux user. It creates the "
15963
"<emphasis>list</emphasis> linux group. The mailman process will be owned by "
15967
#: serverguide/C/mail.xml:881(para)
15969
"This section assumes you have successfully installed "
15970
"<application>mailman</application>, <application>apache2</application>, and "
15971
"<application>postfix</application> or <application>exim4</application>. Now "
15972
"you just need to configure them."
15975
#: serverguide/C/mail.xml:890(para)
15977
"An example Apache configuration file comes with "
15978
"<application>Mailman</application> and is placed in "
15979
"<filename>/etc/mailman/apache.conf</filename>. In order for Apache to use "
15980
"the config file it needs to be copied to <filename>/etc/apache2/sites-"
15981
"available</filename>:"
15984
#: serverguide/C/mail.xml:896(command)
15986
"sudo cp /etc/mailman/apache.conf /etc/apache2/sites-available/mailman.conf"
15989
#: serverguide/C/mail.xml:898(para)
15991
"This will setup a new Apache <emphasis>VirtualHost</emphasis> for the "
15992
"Mailman administration site. Now enable the new configuration and restart "
15996
#: serverguide/C/mail.xml:903(command)
15997
msgid "sudo a2ensite mailman.conf"
16000
#: serverguide/C/mail.xml:906(para)
16002
"Mailman uses apache2 to render its CGI scripts. The mailman CGI scripts are "
16003
"installed in the <application>/usr/lib/cgi-bin/mailman</application> "
16004
"directory. So, the mailman url will be http://hostname/cgi-bin/mailman/. You "
16005
"can make changes to the <filename>/etc/apache2/sites-"
16006
"available/mailman.conf</filename> file if you wish to change this behavior."
16009
#: serverguide/C/mail.xml:917(para)
16011
"For <application>Postfix</application> integration, we will associate the "
16012
"domain lists.example.com with the mailing lists. Please replace "
16013
"<emphasis>lists.example.com</emphasis> with the domain of your choosing."
16016
#: serverguide/C/mail.xml:921(para)
16018
"You can use the postconf command to add the necessary configuration to "
16019
"<filename>/etc/postfix/main.cf</filename>:"
16022
#: serverguide/C/mail.xml:925(command)
16023
msgid "sudo postconf -e 'relay_domains = lists.example.com'"
16026
#: serverguide/C/mail.xml:926(command)
16027
msgid "sudo postconf -e 'transport_maps = hash:/etc/postfix/transport'"
16030
#: serverguide/C/mail.xml:927(command)
16031
msgid "sudo postconf -e 'mailman_destination_recipient_limit = 1'"
16034
#: serverguide/C/mail.xml:929(para)
16036
"In <filename>/etc/postfix/master.cf</filename> double check that you have "
16037
"the following transport:"
16040
#: serverguide/C/mail.xml:932(programlisting)
16044
"mailman unix - n n - - pipe\n"
16045
" flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py\n"
16046
" ${nexthop} ${user}\n"
16049
#: serverguide/C/mail.xml:937(para)
16051
"It calls the <emphasis>postfix-to-mailman.py</emphasis> script when a mail "
16052
"is delivered to a list."
16055
#: serverguide/C/mail.xml:940(para)
16057
"Associate the domain lists.example.com to the Mailman transport with the "
16058
"transport map. Edit the file <filename>/etc/postfix/transport</filename>:"
16061
#: serverguide/C/mail.xml:943(programlisting)
16065
"lists.example.com mailman:\n"
16068
#: serverguide/C/mail.xml:946(para)
16070
"Now have <application>Postfix</application> build the transport map by "
16071
"entering the following from a terminal prompt:"
16074
#: serverguide/C/mail.xml:950(command)
16075
msgid "sudo postmap -v /etc/postfix/transport"
16078
#: serverguide/C/mail.xml:952(para)
16079
msgid "Then restart Postfix to enable the new configurations:"
16082
#: serverguide/C/mail.xml:961(para)
16084
"Once Exim4 is installed, you can start the Exim server using the following "
16085
"command from a terminal prompt:"
16088
#: serverguide/C/mail.xml:977(para) serverguide/C/mail.xml:992(title)
16092
#: serverguide/C/mail.xml:980(para) serverguide/C/mail.xml:1032(title)
16096
#: serverguide/C/mail.xml:983(para) serverguide/C/mail.xml:1055(title)
16100
#: serverguide/C/mail.xml:968(para)
16102
"In order to make mailman work with Exim4, you need to configure Exim4. As "
16103
"mentioned earlier, by default, Exim4 uses multiple configuration files of "
16104
"different types. For details, please refer to the <ulink "
16105
"url=\"http://www.exim.org\">Exim</ulink> web site. To run mailman, we should "
16106
"add new a configuration file to the following configuration types: "
16107
"<placeholder-1/> Exim creates a master configuration file by sorting all "
16108
"these mini configuration files. So, the order of these configuration files "
16109
"is very important."
16112
#: serverguide/C/mail.xml:999(programlisting)
16117
"# Home dir for your Mailman installation -- aka Mailman's prefix\n"
16119
"# On Ubuntu this should be \"/var/lib/mailman\"\n"
16120
"# This is normally the same as ~mailman\n"
16121
"MM_HOME=/var/lib/mailman\n"
16123
"# User and group for Mailman, should match your --with-mail-gid\n"
16124
"# switch to Mailman's configure script. Value is normally \"mailman\"\n"
16128
"# Domains that your lists are in - colon separated list\n"
16129
"# you may wish to add these into local_domains as well\n"
16130
"domainlist mm_domains=hostname.com\n"
16132
"# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\n"
16134
"# These values are derived from the ones above and should not need\n"
16135
"# editing unless you have munged your mailman installation\n"
16137
"# The path of the Mailman mail wrapper script\n"
16138
"MM_WRAP=MM_HOME/mail/mailman\n"
16140
"# The path of the list config file (used as a required file when\n"
16141
"# verifying list addresses)\n"
16142
"MM_LISTCHK=MM_HOME/lists/${lc::$local_part}/config.pck\n"
16146
#: serverguide/C/mail.xml:993(para)
16148
"All the configuration files belonging to the main type are stored in the "
16149
"<filename>/etc/exim4/conf.d/main/</filename> directory. You can add the "
16150
"following content to a new file, named <filename>04_exim4-"
16151
"config_mailman</filename>: <placeholder-1/>"
16154
#: serverguide/C/mail.xml:1039(programlisting)
16158
" mailman_transport:\n"
16160
" command = MM_WRAP \\\n"
16161
" '${if def:local_part_suffix \\\n"
16162
" {${sg{$local_part_suffix}{-(\\\\w+)(\\\\+.*)?}{\\$1}}} "
16166
" current_directory = MM_HOME\n"
16167
" home_directory = MM_HOME\n"
16169
" group = MM_GID\n"
16172
#: serverguide/C/mail.xml:1033(para)
16174
"All the configuration files belonging to transport type are stored in the "
16175
"<filename>/etc/exim4/conf.d/transport/</filename> directory. You can add the "
16176
"following content to a new file named <filename> 40_exim4-"
16177
"config_mailman</filename>: <placeholder-1/>"
16180
#: serverguide/C/mail.xml:1060(programlisting)
16184
" mailman_router:\n"
16185
" driver = accept\n"
16186
" require_files = MM_HOME/lists/$local_part/config.pck\n"
16187
" local_part_suffix_optional\n"
16188
" local_part_suffix = -bounces : -bounces+* : \\\n"
16189
" -confirm+* : -join : -leave : \\\n"
16190
" -owner : -request : -admin\n"
16191
" transport = mailman_transport\n"
16194
#: serverguide/C/mail.xml:1056(para)
16196
"All the configuration files belonging to router type are stored in the "
16197
"<filename>/etc/exim4/conf.d/router/</filename> directory. You can add the "
16198
"following content in to a new file named <filename>101_exim4-"
16199
"config_mailman</filename>: <placeholder-1/>"
16202
#: serverguide/C/mail.xml:1073(para)
16204
"The order of main and transport configuration files can be in any order. "
16205
"But, the order of router configuration files must be the same. This "
16206
"particular file must appear before the <application>200_exim4-"
16207
"config_primary</application> file. These two configuration files contain "
16208
"same type of information. The first file takes the precedence. For more "
16209
"details, please refer to the references section."
16212
#: serverguide/C/mail.xml:1086(para)
16214
"Once mailman is installed, you can run it using the following command:"
16217
#: serverguide/C/mail.xml:1090(command)
16218
msgid "sudo /etc/init.d/mailman start"
16221
#: serverguide/C/mail.xml:1092(para)
16223
"Once mailman is installed, you should create the default mailing list. Run "
16224
"the following command to create the mailing list:"
16227
#: serverguide/C/mail.xml:1098(command)
16228
msgid "sudo /usr/sbin/newlist mailman"
16231
#: serverguide/C/mail.xml:1101(programlisting)
16235
" Enter the email address of the person running the list: bhuvan at "
16237
" Initial mailman password:\n"
16238
" To finish creating your mailing list, you must edit your "
16239
"<filename>/etc/aliases</filename> (or\n"
16240
" equivalent) file by adding the following lines, and possibly running the\n"
16241
" `newaliases' program:\n"
16243
" ## mailman mailing list\n"
16244
" mailman: \"|/var/lib/mailman/mail/mailman post mailman\"\n"
16245
" mailman-admin: \"|/var/lib/mailman/mail/mailman admin mailman\"\n"
16246
" mailman-bounces: \"|/var/lib/mailman/mail/mailman bounces mailman\"\n"
16247
" mailman-confirm: \"|/var/lib/mailman/mail/mailman confirm mailman\"\n"
16248
" mailman-join: \"|/var/lib/mailman/mail/mailman join mailman\"\n"
16249
" mailman-leave: \"|/var/lib/mailman/mail/mailman leave mailman\"\n"
16250
" mailman-owner: \"|/var/lib/mailman/mail/mailman owner mailman\"\n"
16251
" mailman-request: \"|/var/lib/mailman/mail/mailman request mailman\"\n"
16252
" mailman-subscribe: \"|/var/lib/mailman/mail/mailman subscribe "
16254
" mailman-unsubscribe: \"|/var/lib/mailman/mail/mailman unsubscribe "
16257
" Hit enter to notify mailman owner...\n"
16262
#: serverguide/C/mail.xml:1124(para)
16264
"We have configured either Postfix or Exim4 to recognize all emails from "
16265
"mailman. So, it is not mandatory to make any new entries in "
16266
"<filename>/etc/aliases</filename>. If you have made any changes to the "
16267
"configuration files, please ensure that you restart those services before "
16268
"continuing to next section."
16271
#: serverguide/C/mail.xml:1132(para)
16273
"The Exim4 does not use the above aliases to forward mails to Mailman, as it "
16274
"uses a <emphasis>discover</emphasis> approach. To suppress the aliases while "
16275
"creating the list, you can add <emphasis>MTA=None</emphasis> line in Mailman "
16276
"configuration file, <filename>/etc/mailman/mm_cfg.py</filename>."
16279
#: serverguide/C/mail.xml:1143(title)
16280
msgid "Administration"
16283
#: serverguide/C/mail.xml:1144(para)
16285
"We assume you have a default installation. The mailman cgi scripts are still "
16286
"in the <application>/usr/lib/cgi-bin/mailman/</application> directory. "
16287
"Mailman provides a web based administration facility. To access this page, "
16288
"point your browser to the following url:"
16291
#: serverguide/C/mail.xml:1152(para)
16292
msgid "http://hostname/cgi-bin/mailman/admin"
16295
#: serverguide/C/mail.xml:1156(para)
16297
"The default mailing list, <emphasis>mailman</emphasis>, will appear in this "
16298
"screen. If you click the mailing list name, it will ask for your "
16299
"authentication password. If you enter the correct password, you will be able "
16300
"to change administrative settings of this mailing list. You can create a new "
16301
"mailing list using the command line utility "
16302
"(<command>/usr/sbin/newlist</command>). Alternatively, you can create a new "
16303
"mailing list using the web interface."
16306
#: serverguide/C/mail.xml:1169(title)
16310
#: serverguide/C/mail.xml:1170(para)
16312
"Mailman provides a web based interface for users. To access this page, point "
16313
"your browser to the following url:"
16316
#: serverguide/C/mail.xml:1175(para)
16317
msgid "http://hostname/cgi-bin/mailman/listinfo"
16320
#: serverguide/C/mail.xml:1179(para)
16322
"The default mailing list, <emphasis>mailman</emphasis>, will appear in this "
16323
"screen. If you click the mailing list name, it will display the subscription "
16324
"form. You can enter your email address, name (optional), and password to "
16325
"subscribe. An email invitation will be sent to you. You can follow the "
16326
"instructions in the email to subscribe."
16329
#: serverguide/C/mail.xml:1191(ulink)
16330
msgid "GNU Mailman - Installation Manual"
16333
#: serverguide/C/mail.xml:1195(ulink)
16334
msgid "HOWTO - Using Exim 4 and Mailman 2.1 together"
16337
#: serverguide/C/mail.xml:1201(title)
16338
msgid "Mail Filtering"
16341
#: serverguide/C/mail.xml:1202(para)
16343
"One of the largest issues with email today is the problem of Unsolicited "
16344
"Bulk Email (UBE). Also known as SPAM, such messages may also carry viruses "
16345
"and other forms of malware. According to some reports these messages make up "
16346
"the bulk of all email traffic on the Internet."
16349
#: serverguide/C/mail.xml:1207(para)
16351
"This section will cover integrating <application>Amavisd-new</application>, "
16352
"<application>Spamassassin</application>, and "
16353
"<application>ClamAV</application> with the "
16354
"<application>Postfix</application> Mail Transport Agent (MTA). "
16355
"<application>Postfix</application> can also check email validity by passing "
16356
"it through external content filters. These filters can sometimes determine "
16357
"if a message is spam without needing to process it with more resource "
16358
"intensive applications. Two common filters are <application>dkim-"
16359
"filter</application> and <application>python-policyd-spf</application>."
16362
#: serverguide/C/mail.xml:1217(para)
16364
"<application>Amavisd-new</application> is a wrapper program that can call "
16365
"any number of content filtering programs for spam detection, antivirus, etc."
16368
#: serverguide/C/mail.xml:1223(para)
16370
"<application>Spamassassin</application> uses a variety of mechanisms to "
16371
"filter email based on the message content."
16374
#: serverguide/C/mail.xml:1228(para)
16376
"<application>ClamAV</application> is an open source antivirus application."
16379
#: serverguide/C/mail.xml:1233(para)
16381
"<application>dkim-filter</application> implements a Sendmail Mail Filter "
16382
"(Milter) for the DomainKeys Identified Mail (DKIM) standard."
16385
#: serverguide/C/mail.xml:1239(para)
16387
"<application>python-policyd-spf</application> enables Sender Policy "
16388
"Framework (SPF) checking with <application>Postfix</application>."
16391
#: serverguide/C/mail.xml:1244(para)
16392
msgid "This is how the pieces fit together:"
16395
#: serverguide/C/mail.xml:1249(para)
16396
msgid "An email message is accepted by <application>Postfix</application>."
16399
#: serverguide/C/mail.xml:1254(para)
16401
"The message is passed through any external filters <application>dkim-"
16402
"filter</application> and <application>python-policyd-spf</application> in "
16406
#: serverguide/C/mail.xml:1260(para)
16407
msgid "<application>Amavisd-new</application> then processes the message."
16410
#: serverguide/C/mail.xml:1265(para)
16412
"<application>ClamAV</application> is used to scan the message. If the "
16413
"message contains a virus <application>Postfix</application> will reject the "
16417
#: serverguide/C/mail.xml:1271(para)
16419
"Clean messages will then be analyzed by "
16420
"<application>Spamassassin</application> to find out if the message is spam. "
16421
"<application>Spamassassin</application> will then add X-Header lines "
16422
"allowing <application>Amavisd-new</application> to further manipulate the "
16426
#: serverguide/C/mail.xml:1278(para)
16428
"For example, if a message has a Spam score of over fifty the message could "
16429
"be automatically dropped from the queue without the recipient ever having to "
16430
"be bothered. Another, way to handle flagged messages is to deliver them to "
16431
"the Mail User Agent (MUA) allowing the user to deal with the message as they "
16435
#: serverguide/C/mail.xml:1285(para)
16437
"See <xref linkend=\"postfix\"/> for instructions on installing and "
16438
"configuring Postfix."
16441
#: serverguide/C/mail.xml:1288(para)
16443
"To install the rest of the applications enter the following from a terminal "
16447
#: serverguide/C/mail.xml:1292(command)
16448
msgid "sudo apt-get install amavisd-new spamassassin clamav-daemon"
16451
#: serverguide/C/mail.xml:1293(command)
16452
msgid "sudo apt-get install dkim-filter python-policyd-spf"
16455
#: serverguide/C/mail.xml:1295(para)
16457
"There are some optional packages that integrate with "
16458
"<application>Spamassassin</application> for better spam detection:"
16461
#: serverguide/C/mail.xml:1299(command)
16462
msgid "sudo apt-get install pyzor razor"
16465
#: serverguide/C/mail.xml:1301(para)
16467
"Along with the main filtering applications compression utilities are needed "
16468
"to process some email attachments:"
16471
#: serverguide/C/mail.xml:1305(command)
16473
"sudo apt-get install arj cabextract cpio lha nomarch pax rar unrar unzip zip"
16476
#: serverguide/C/mail.xml:1310(para)
16477
msgid "Now configure everything to work together and filter email."
16480
#: serverguide/C/mail.xml:1314(title)
16484
#: serverguide/C/mail.xml:1315(para)
16486
"The default behaviour of <application>ClamAV</application> will fit our "
16487
"needs. For more ClamAV configuration options, check the configuration files "
16488
"in <filename>/etc/clamav</filename>."
16491
#: serverguide/C/mail.xml:1320(para)
16493
"Add the <emphasis>clamav</emphasis> user to the <emphasis>amavis</emphasis> "
16494
"group in order for <application>Amavisd-new</application> to have the "
16495
"appropriate access to scan files:"
16498
#: serverguide/C/mail.xml:1325(command)
16499
msgid "sudo adduser clamav amavis"
16502
#: serverguide/C/mail.xml:1329(title)
16503
msgid "Spamassassin"
16506
#: serverguide/C/mail.xml:1330(para)
16508
"Spamassassin automatically detects optional components and will use them if "
16509
"they are present. This means that there is no need to configure "
16510
"<application>pyzor</application> and <application>razor</application>."
16513
#: serverguide/C/mail.xml:1334(para)
16515
"Edit <filename>/etc/default/spamassassin</filename> to activate the "
16516
"<application>Spamassassin</application> daemon. Change "
16517
"<emphasis>ENABLED=0</emphasis> to:"
16520
#: serverguide/C/mail.xml:1338(programlisting)
16527
#: serverguide/C/mail.xml:1341(para)
16528
msgid "Now start the daemon:"
16531
#: serverguide/C/mail.xml:1345(command)
16532
msgid "sudo /etc/init.d/spamassassin start"
16535
#: serverguide/C/mail.xml:1349(title)
16536
msgid "Amavisd-new"
16539
#: serverguide/C/mail.xml:1350(para)
16541
"First activate spam and antivirus detection in <application>Amavisd-"
16542
"new</application> by editing <filename>/etc/amavis/conf.d/15-"
16543
"content_filter_mode</filename>:"
16546
#: serverguide/C/mail.xml:1354(programlisting)
16552
"# You can modify this file to re-enable SPAM checking through spamassassin\n"
16553
"# and to re-enable antivirus checking.\n"
16556
"# Default antivirus checking mode\n"
16557
"# Uncomment the two lines below to enable it\n"
16560
"@bypass_virus_checks_maps = (\n"
16561
" \\%bypass_virus_checks, \\@bypass_virus_checks_acl, \\"
16562
"$bypass_virus_checks_re);\n"
16566
"# Default SPAM checking mode\n"
16567
"# Uncomment the two lines below to enable it\n"
16570
"@bypass_spam_checks_maps = (\n"
16571
" \\%bypass_spam_checks, \\@bypass_spam_checks_acl, \\"
16572
"$bypass_spam_checks_re);\n"
16574
"1; # insure a defined return\n"
16577
#: serverguide/C/mail.xml:1379(para)
16579
"Bouncing spam can be a bad idea as the return address is often faked. "
16580
"Consider editing <filename>/etc/amavis/conf.d/20-debian_defaults</filename> "
16581
"to set <emphasis>$final_spam_destiny</emphasis> to D_DISCARD rather than "
16582
"D_BOUNCE, as follows:"
16585
#: serverguide/C/mail.xml:1385(programlisting)
16589
"$final_spam_destiny = D_DISCARD;\n"
16592
#: serverguide/C/mail.xml:1389(para)
16594
"Additionally, you may want to adjust the following options to flag more "
16595
"messages as spam:"
16598
#: serverguide/C/mail.xml:1393(programlisting)
16602
"$sa_tag_level_deflt = -999; # add spam info headers if at, or above that "
16604
"$sa_tag2_level_deflt = 6.0; # add 'spam detected' headers at that level\n"
16605
"$sa_kill_level_deflt = 21.0; # triggers spam evasive actions\n"
16606
"$sa_dsn_cutoff_level = 4; # spam level beyond which a DSN is not sent\n"
16609
#: serverguide/C/mail.xml:1400(para)
16611
"If the server's <emphasis>hostname</emphasis> is different from the domain's "
16612
"MX record you may need to manually set the <emphasis>$myhostname</emphasis> "
16613
"option. Also, if the server receives mail for multiple domains the "
16614
"<emphasis>@local_domains_acl</emphasis> option will need to be customized. "
16615
"Edit the <filename>/etc/amavis/conf.d/50-user</filename> file:"
16618
#: serverguide/C/mail.xml:1407(programlisting)
16622
"$myhostname = 'mail.example.com';\n"
16623
"@local_domains_acl = ( \"example.com\", \"example.org\" );\n"
16626
#: serverguide/C/mail.xml:1412(para)
16628
"After configuration <application>Amavisd-new</application> needs to be "
16632
#: serverguide/C/mail.xml:1416(command) serverguide/C/mail.xml:1462(command)
16633
msgid "sudo /etc/init.d/amavis restart"
16636
#: serverguide/C/mail.xml:1419(title)
16637
msgid "DKIM Whitelist"
16640
#: serverguide/C/mail.xml:1421(para)
16642
"<application>Amavisd-new</application> can be configured to automatically "
16643
"<emphasis>Whitelist</emphasis> addresses from domains with valid Domain "
16644
"Keys. There are some pre-configured domains in the "
16645
"<filename>/etc/amavis/conf.d/40-policy_banks</filename>."
16648
#: serverguide/C/mail.xml:1427(para)
16649
msgid "There are multiple ways to configure the Whitelist for a domain:"
16652
#: serverguide/C/mail.xml:1433(para)
16654
"<emphasis>'example.com' => 'WHITELIST',</emphasis>: will whitelist any "
16655
"address from the \"example.com\" domain."
16658
#: serverguide/C/mail.xml:1438(para)
16660
"<emphasis>'.example.com' => 'WHITELIST',</emphasis>: will whitelist any "
16661
"address from any <emphasis>subdomains</emphasis> of \"example.com\" that "
16662
"have a valid signature."
16665
#: serverguide/C/mail.xml:1444(para)
16667
"<emphasis>'.example.com/@example.com' => 'WHITELIST',</emphasis>: will "
16668
"whitelist subdomains of \"example.com\" that use the signature of <emphasis "
16669
"role=\"italic\">example.com</emphasis> the parent domain."
16672
#: serverguide/C/mail.xml:1450(para)
16674
"<emphasis>'./@example.com' => 'WHITELIST',</emphasis>: adds addresses "
16675
"that have a valid signature from \"example.com\". This is usually used for "
16676
"discussion groups that sign thier messages."
16679
#: serverguide/C/mail.xml:1457(para)
16681
"A domain can also have multiple Whitelist configurations. After, editing the "
16682
"file restart <application>amaisd-new</application>:"
16685
#: serverguide/C/mail.xml:1466(para)
16687
"In this context, once a domain has been added to the Whitelist the message "
16688
"will not receive any anti-virus or spam filtering. This may or may not be "
16689
"the intended behavior you wish for a domain."
16692
#: serverguide/C/mail.xml:1476(para)
16694
"For <application>Postfix</application> integration, enter the following from "
16695
"a terminal prompt:"
16698
#: serverguide/C/mail.xml:1480(command)
16699
msgid "sudo postconf -e 'content_filter = smtp-amavis:[127.0.0.1]:10024'"
16702
#: serverguide/C/mail.xml:1482(para)
16704
"Next edit <filename>/etc/postfix/master.cf</filename> and add the following "
16705
"to the end of the file:"
16708
#: serverguide/C/mail.xml:1485(programlisting)
16712
"smtp-amavis unix - - - - 2 smtp\n"
16713
" -o smtp_data_done_timeout=1200\n"
16714
" -o smtp_send_xforward_command=yes\n"
16715
" -o disable_dns_lookups=yes\n"
16718
"127.0.0.1:10025 inet n - - - - smtpd\n"
16719
" -o content_filter=\n"
16720
" -o local_recipient_maps=\n"
16721
" -o relay_recipient_maps=\n"
16722
" -o smtpd_restriction_classes=\n"
16723
" -o smtpd_delay_reject=no\n"
16724
" -o smtpd_client_restrictions=permit_mynetworks,reject\n"
16725
" -o smtpd_helo_restrictions=\n"
16726
" -o smtpd_sender_restrictions=\n"
16727
" -o smtpd_recipient_restrictions=permit_mynetworks,reject\n"
16728
" -o smtpd_data_restrictions=reject_unauth_pipelining\n"
16729
" -o smtpd_end_of_data_restrictions=\n"
16730
" -o mynetworks=127.0.0.0/8\n"
16731
" -o smtpd_error_sleep_time=0\n"
16732
" -o smtpd_soft_error_limit=1001\n"
16733
" -o smtpd_hard_error_limit=1000\n"
16734
" -o smtpd_client_connection_count_limit=0\n"
16735
" -o smtpd_client_connection_rate_limit=0\n"
16737
"receive_override_options=no_header_body_checks,no_unknown_recipient_checks\n"
16740
#: serverguide/C/mail.xml:1512(para)
16742
"Also add the following two lines immediately below the "
16743
"<emphasis>\"pickup\"</emphasis> transport service:"
16746
#: serverguide/C/mail.xml:1515(programlisting)
16750
" -o content_filter=\n"
16751
" -o receive_override_options=no_header_body_checks\n"
16754
#: serverguide/C/mail.xml:1519(para)
16756
"This will prevent messages that are generated to report on spam from being "
16757
"classified as spam."
16760
#: serverguide/C/mail.xml:1522(para)
16761
msgid "Now restart <application>Postfix</application>:"
16764
#: serverguide/C/mail.xml:1528(para)
16765
msgid "Content filtering with spam and virus detection is now enabled."
16768
#: serverguide/C/mail.xml:1535(para)
16770
"First, test that the <application>Amavisd-new</application> SMTP is "
16774
#: serverguide/C/mail.xml:1538(programlisting)
16778
"telnet localhost 10024\n"
16779
"Trying 127.0.0.1...\n"
16780
"Connected to localhost.\n"
16781
"Escape character is '^]'.\n"
16782
"220 [127.0.0.1] ESMTP amavisd-new service ready\n"
16786
#: serverguide/C/mail.xml:1546(para)
16788
"In the Header of messages that go through the content filter you should see:"
16791
#: serverguide/C/mail.xml:1549(programlisting)
16796
"X-Virus-Scanned: Debian amavisd-new at example.com\n"
16797
"X-Spam-Status: No, hits=-2.3 tagged_above=-1000.0 required=5.0 tests=AWL, "
16802
#: serverguide/C/mail.xml:1556(para)
16804
"Your output will vary, but the important thing is that there are <emphasis>X-"
16805
"Virus-Scanned</emphasis> and <emphasis>X-Spam-Status</emphasis> entries."
16808
#: serverguide/C/mail.xml:1564(para)
16810
"The best way to figure out why something is going wrong is to check the log "
16814
#: serverguide/C/mail.xml:1569(para)
16816
"For instructions on <application>Postfix</application> logging see the <xref "
16817
"linkend=\"postfix-troubleshooting\"/> section."
16820
#: serverguide/C/mail.xml:1575(para)
16822
"<application>Amavisd-new</application> uses "
16823
"<application>Syslog</application> to send messages to "
16824
"<filename>/var/log/mail.log</filename>. The amount of detail can be "
16825
"increased by adding the <emphasis>$log_level</emphasis> option to "
16826
"<filename>/etc/amavis/conf.d/50-user</filename>, and setting the value from "
16830
#: serverguide/C/mail.xml:1580(programlisting)
16834
"$log_level = 2;\n"
16837
#: serverguide/C/mail.xml:1584(para)
16839
"When the <application>Amavisd-new</application> log output is increased "
16840
"<application>Spamassassin</application> log output is also increased."
16843
#: serverguide/C/mail.xml:1591(para)
16845
"The <application>ClamAV</application> log level can be increased by editing "
16846
"<filename>/etc/clamav/clamd.conf</filename> and setting the following option:"
16849
#: serverguide/C/mail.xml:1595(programlisting)
16853
"LogVerbose true\n"
16856
#: serverguide/C/mail.xml:1598(para)
16858
"By default <application>ClamAV</application> will send log messages to "
16859
"<filename>/var/log/clamav/clamav.log</filename>."
16862
#: serverguide/C/mail.xml:1604(para)
16864
"After changing an applications log settings remember to restart the service "
16865
"for the new settings to take affect. Also, once the issue you are "
16866
"troubleshooting is resolved it is a good idea to change the log settings "
16870
#: serverguide/C/mail.xml:1612(para)
16871
msgid "For more information on filtering mail see the following links:"
16874
#: serverguide/C/mail.xml:1618(ulink)
16875
msgid "Amavisd-new Documentation"
16878
#: serverguide/C/mail.xml:1622(para)
16880
"<ulink url=\"http://www.clamav.org/doc/latest/html/\">ClamAV "
16881
"Documentation</ulink> and <ulink "
16882
"url=\"http://wiki.clamav.net/Main/WebHome\">ClamAV Wiki</ulink>"
16885
#: serverguide/C/mail.xml:1629(ulink)
16886
msgid "Spamassassin Wiki"
16889
#: serverguide/C/mail.xml:1634(ulink)
16890
msgid "Pyzor Homepage"
16893
#: serverguide/C/mail.xml:1639(ulink)
16894
msgid "Razor Homepage"
16897
#: serverguide/C/mail.xml:1644(ulink)
16901
#: serverguide/C/mail.xml:1648(para)
16903
"Also, feel free to ask questions in the <emphasis>#ubuntu-server</emphasis> "
16904
"IRC channel on <ulink url=\"http://freenode.net\">freenode</ulink>."
16907
#: serverguide/C/lamp-applications.xml:13(title)
16908
msgid "LAMP Applications"
16911
#: serverguide/C/lamp-applications.xml:19(para)
16913
"LAMP installations (Linux + Apache + MySQL + PHP) are a popular setup for "
16914
"Ubuntu servers. There is a plethora of Open Source applications written "
16915
"using the LAMP application stack. Some popular LAMP applications are Wiki's, "
16916
"Content Management Systems, and Management Software such as phpMyAdmin."
16919
#: serverguide/C/lamp-applications.xml:26(para)
16921
"One advantage of LAMP is the substantial flexibility for different database, "
16922
"web server, and scripting languages. Popular substitutes for MySQL include "
16923
"Posgresql and SQLite. Python, Perl, and Ruby are also frequently used "
16927
#: serverguide/C/lamp-applications.xml:32(para)
16929
"The traditional way to install most <emphasis>LAMP</emphasis> applications "
16933
#: serverguide/C/lamp-applications.xml:38(para)
16934
msgid "Download an archive containing the application source files."
16937
#: serverguide/C/lamp-applications.xml:43(para)
16939
"Unpack the archive, usually in a directory accessible to a web server."
16942
#: serverguide/C/lamp-applications.xml:48(para)
16944
"Depending on where the source was extracted, configure a web browser to "
16948
#: serverguide/C/lamp-applications.xml:53(para)
16949
msgid "Configure the application to connect to the database."
16952
#: serverguide/C/lamp-applications.xml:58(para)
16954
"Run a script, or browse to a page of the application, to install the "
16955
"database needed by the application."
16958
#: serverguide/C/lamp-applications.xml:63(para)
16960
"Once the steps above, or similar steps, are completed you are ready to begin "
16961
"using the application."
16964
#: serverguide/C/lamp-applications.xml:69(para)
16966
"A disadvantage of using this approach is that the application files are not "
16967
"placed in the file system in a standard way, which can cause confusion as to "
16968
"where the application is installed. Another larger disadvantage is updating "
16969
"the application. When a new version is released, the same process used to "
16970
"install the application is needed to apply updates."
16973
#: serverguide/C/lamp-applications.xml:76(para)
16975
"Fortunately, a number of <emphasis>LAMP</emphasis> applications are already "
16976
"packaged for Ubuntu, and are available for installation in the same way as "
16977
"non-LAMP applications. Depending on the application some extra configuration "
16978
"and setup steps may be needed, however."
16981
#: serverguide/C/lamp-applications.xml:82(para)
16983
"This section covers howto install and configure the Wiki applications "
16984
"<application>MoinMoin</application>, <application>MediaWiki</application>, "
16985
"and the MySQL management application <application>phpMyAdmin</application>."
16988
#: serverguide/C/lamp-applications.xml:88(para)
16990
"A Wiki is a website that allows the visitors to easily add, remove and "
16991
"modify available content easily. The ease of interaction and operation makes "
16992
"Wiki an effective tool for mass collaborative authoring. The term Wiki is "
16993
"also referred to the collaborative software."
16996
#: serverguide/C/lamp-applications.xml:100(title)
17000
#: serverguide/C/lamp-applications.xml:102(para)
17002
"MoinMoin is a Wiki engine implemented in Python, based on the PikiPiki Wiki "
17003
"engine, and licensed under the GNU GPL."
17006
#: serverguide/C/lamp-applications.xml:110(para)
17008
"To install <application>MoinMoin</application>, run the following command in "
17009
"the command prompt:"
17012
#: serverguide/C/lamp-applications.xml:116(command)
17013
msgid "sudo apt-get install python-moinmoin"
17016
#: serverguide/C/lamp-applications.xml:119(para)
17018
"You should also install <application>apache2</application> web server. For "
17019
"installing <application>apache2</application> web server, please refer to "
17020
"<xref linkend=\"http-installation\"/> sub-section in <xref "
17021
"linkend=\"httpd\"/> section."
17024
#: serverguide/C/lamp-applications.xml:130(para)
17026
"For configuring your first Wiki application, please run the following set of "
17027
"commands. Let us assume that you are creating a Wiki named "
17028
"<emphasis>mywiki</emphasis>:"
17031
#: serverguide/C/lamp-applications.xml:137(command)
17032
msgid "cd /usr/share/moin"
17035
#: serverguide/C/lamp-applications.xml:138(command)
17036
msgid "sudo mkdir mywiki"
17039
#: serverguide/C/lamp-applications.xml:139(command)
17040
msgid "sudo cp -R data mywiki"
17043
#: serverguide/C/lamp-applications.xml:140(command)
17044
msgid "sudo cp -R underlay mywiki"
17047
#: serverguide/C/lamp-applications.xml:141(command)
17048
msgid "sudo cp server/moin.cgi mywiki"
17051
#: serverguide/C/lamp-applications.xml:142(command)
17052
msgid "sudo chown -R www-data.www-data mywiki"
17055
#: serverguide/C/lamp-applications.xml:143(command)
17056
msgid "sudo chmod -R ug+rwX mywiki"
17059
#: serverguide/C/lamp-applications.xml:144(command)
17060
msgid "sudo chmod -R o-rwx mywiki"
17063
#: serverguide/C/lamp-applications.xml:147(para)
17065
"Now you should configure <application>MoinMoin</application> to find your "
17066
"new Wiki <emphasis>mywiki</emphasis>. To configure "
17067
"<application>MoinMoin</application>, open "
17068
"<filename>/etc/moin/mywiki.py</filename> file and change the following line:"
17071
#: serverguide/C/lamp-applications.xml:155(programlisting)
17073
msgid "data_dir = '/org/mywiki/data'"
17076
#: serverguide/C/lamp-applications.xml:157(para)
17080
#: serverguide/C/lamp-applications.xml:161(programlisting)
17082
msgid "data_dir = '/usr/share/moin/mywiki/data'"
17085
#: serverguide/C/lamp-applications.xml:163(para)
17087
"Also, below the <emphasis>data_dir</emphasis> option add the "
17088
"<emphasis>data_underlay_dir</emphasis>:"
17091
#: serverguide/C/lamp-applications.xml:167(programlisting)
17095
"data_underlay_dir='/usr/share/moin/mywiki/underlay'\n"
17098
#: serverguide/C/lamp-applications.xml:172(para)
17100
"If the <filename>/etc/moin/mywiki.py</filename> file does not exists, you "
17101
"should copy <filename>/etc/moin/moinmaster.py</filename> file to "
17102
"<filename>/etc/moin/mywiki.py</filename> file and do the above mentioned "
17106
#: serverguide/C/lamp-applications.xml:181(para)
17108
"If you have named your Wiki as <emphasis>my_wiki_name</emphasis> you should "
17109
"insert a line <quote>(\"my_wiki_name\", r\".*\")</quote> in "
17110
"<filename>/etc/moin/farmconfig.py</filename> file after the line "
17111
"<quote>(\"mywiki\", r\".*\")</quote>."
17114
#: serverguide/C/lamp-applications.xml:189(para)
17116
"Once you have configured <application>MoinMoin</application> to find your "
17117
"first Wiki application <emphasis>mywiki</emphasis>, you should configure "
17118
"<application>apache2</application> and make it ready for your Wiki "
17122
#: serverguide/C/lamp-applications.xml:196(para)
17124
"You should add the following lines in <filename>/etc/apache2/sites-"
17125
"available/default</filename> file inside the <quote><VirtualHost "
17126
"*></quote> tag:"
17129
#: serverguide/C/lamp-applications.xml:202(programlisting)
17134
" ScriptAlias /mywiki \"/usr/share/moin/mywiki/moin.cgi\"\n"
17135
" alias /moin_static184 \"/usr/share/moin/htdocs\"\n"
17136
" <Directory /usr/share/moin/htdocs>\n"
17137
" Order allow,deny\n"
17138
" allow from all\n"
17139
" </Directory>\n"
17143
#: serverguide/C/lamp-applications.xml:214(para)
17145
"Adjust the <emphasis>\"moin_static184\"</emphasis> in the "
17146
"<emphasis>alias</emphasis> line above, to the "
17147
"<application>moinmoin</application> version installed."
17150
#: serverguide/C/lamp-applications.xml:220(para)
17152
"Once you configure the <application>apache2</application> web server and "
17153
"make it ready for your Wiki application, you should restart it. You can run "
17154
"the following command to restart the <application>apache2</application> web "
17158
#: serverguide/C/lamp-applications.xml:233(title)
17159
msgid "Verification"
17162
#: serverguide/C/lamp-applications.xml:235(para)
17164
"You can verify the Wiki application and see if it works by pointing your web "
17165
"browser to the following URL:"
17168
#: serverguide/C/lamp-applications.xml:239(programlisting)
17172
"http://localhost/mywiki\n"
17175
#: serverguide/C/lamp-applications.xml:243(para)
17177
"You can also run the test command by pointing your web browser to the "
17181
#: serverguide/C/lamp-applications.xml:248(programlisting)
17185
"http://localhost/mywiki?action=test\n"
17188
#: serverguide/C/lamp-applications.xml:252(para)
17190
"For more details, please refer to the <ulink "
17191
"url=\"http://moinmo.in/\">MoinMoin</ulink> web site."
17194
#: serverguide/C/lamp-applications.xml:263(para)
17196
"For more information see the <ulink url=\"http://moinmo.in/\">moinmoin "
17200
#: serverguide/C/lamp-applications.xml:272(title)
17204
#: serverguide/C/lamp-applications.xml:274(para)
17206
"MediaWiki is an web based Wiki software written in the PHP language. It can "
17207
"either use <application>MySQL</application> or "
17208
"<application>PostgreSQL</application> Database Management System."
17211
#: serverguide/C/lamp-applications.xml:284(para)
17213
"Before installing <application>MediaWiki</application> you should also "
17214
"install <application>Apache2</application>, the "
17215
"<application>PHP5</application> scripting language and Database a Management "
17216
"System. <application>MySQL</application> or "
17217
"<application>PostgreSQL</application> are the most common, choose one "
17218
"depending on your need. Please refer to those sections in this manual for "
17219
"installation instructions."
17222
#: serverguide/C/lamp-applications.xml:292(para)
17224
"To install <application>MediaWiki</application>, run the following command "
17225
"in the command prompt:"
17228
#: serverguide/C/lamp-applications.xml:298(command)
17229
msgid "sudo apt-get install mediawiki php5-gd"
17232
#: serverguide/C/lamp-applications.xml:301(para)
17234
"For additional <application>MediaWiki</application> functionality see the "
17235
"<application>mediawiki-extensions</application> package."
17238
#: serverguide/C/lamp-applications.xml:311(para)
17240
"The Apache configuration file <filename>mediawiki.conf</filename> for "
17241
"MediaWiki is installed in <filename>/etc/apache2/conf.d/</filename> "
17242
"directory. You should uncomment the following line in this file to access "
17243
"MediaWiki application."
17246
#: serverguide/C/lamp-applications.xml:319(screen)
17250
"# Alias /mediawiki /var/lib/mediawiki\n"
17253
#: serverguide/C/lamp-applications.xml:323(para)
17255
"After you uncomment the above line, restart Apache server and access "
17256
"MediaWiki using the following url:"
17259
#: serverguide/C/lamp-applications.xml:328(programlisting)
17263
"http://localhost/mediawiki/config/index.php\n"
17266
#: serverguide/C/lamp-applications.xml:333(para)
17268
"Please read the <quote>Checking environment...</quote> section in this page. "
17269
"You should be able to fix many issues by carefully reading this section."
17272
#: serverguide/C/lamp-applications.xml:340(para)
17274
"Once the configuration is complete, you should copy the "
17275
"<filename>/var/lib/mediawiki/LocalSettings.php</filename> file to "
17276
"<filename>/etc/mediawiki</filename> directory."
17279
#: serverguide/C/lamp-applications.xml:348(title)
17283
#: serverguide/C/lamp-applications.xml:349(para)
17285
"The extensions add new features and enhancements for the MediaWiki "
17286
"application. The extensions give wiki administrators and end users the "
17287
"ability to customize MediaWiki to their requirements."
17290
#: serverguide/C/lamp-applications.xml:355(para)
17292
"You can download MediaWiki extensions as an archive file or checkout from "
17293
"the Subversion repository. You should copy it to "
17294
"<filename>/var/lib/mediawiki/extensions</filename> directory. You should "
17295
"also add the following line at the end of file: "
17296
"<filename>/etc/mediawiki/LocalSettings.php</filename>."
17299
#: serverguide/C/lamp-applications.xml:363(programlisting)
17303
"require_once \"$IP/extensions/ExtentionName/ExtentionName.php\";\n"
17306
#: serverguide/C/lamp-applications.xml:373(para)
17308
"For more details, please refer to the <ulink "
17309
"url=\"http://www.mediawiki.org\">MediaWiki</ulink> web site."
17312
#: serverguide/C/lamp-applications.xml:379(para)
17314
"The <ulink url=\"http://www.packtpub.com/Mediawiki/book\">MediaWiki "
17315
"Administrators’ Tutorial Guide</ulink> contains a wealth of information for "
17316
"new MediaWiki administrators."
17319
#: serverguide/C/lamp-applications.xml:389(title)
17323
#: serverguide/C/lamp-applications.xml:391(para)
17325
"<application>phpMyAdmin</application> is a LAMP application specifically "
17326
"written for administering <application>MySQL</application> servers. Written "
17327
"in <application>PHP</application>, and accessed through a web browser, "
17328
"phpMyAdmin provides a graphical interface for database administration tasks."
17331
#: serverguide/C/lamp-applications.xml:400(para)
17333
"Before installing <application>phpMyAdmin</application> you will need access "
17334
"to a <application>MySQL</application> database either on the same host as "
17335
"that phpMyAdmin is installed on, or on a host accessible over the network. "
17336
"For more information see <xref linkend=\"mysql\"/>. From a terminal prompt "
17340
#: serverguide/C/lamp-applications.xml:407(command)
17341
msgid "sudo apt-get install phpmyadmin"
17344
#: serverguide/C/lamp-applications.xml:410(para)
17346
"At the prompt choose which web server to be configured for "
17347
"<application>phpMyAdmin</application>. The rest of this section will use "
17348
"<application>Apache2</application> for the web server."
17351
#: serverguide/C/lamp-applications.xml:415(para)
17353
"In a browser go to <emphasis>http://servername/phpmyadmin</emphasis>, "
17354
"replacing <emphasis role=\"italic\">serveranme</emphasis> with the server's "
17355
"actual hostname. At the login, page enter <emphasis>root</emphasis> for the "
17356
"<emphasis>username</emphasis>, or another <application>MySQL</application> "
17357
"user if you any setup, and enter the <application>MySQL</application> user's "
17361
#: serverguide/C/lamp-applications.xml:422(para)
17363
"Once logged in you can reset the <emphasis>root</emphasis> password if "
17364
"needed, create users, create/destroy databases and tables, etc."
17367
#: serverguide/C/lamp-applications.xml:430(para)
17369
"The configuration files for <application>phpMyAdmin</application> are "
17370
"located in <filename>/etc/phpmyadmin</filename>. The main configuration file "
17371
"is <filename>/etc/phpmyadmin/config.inc.php</filename>. This file contains "
17372
"configuration options that apply globally to "
17373
"<application>phpMyAdmin</application>."
17376
#: serverguide/C/lamp-applications.xml:436(para)
17378
"To use <application>phpMyAdmin</application> to administer a MySQL database "
17379
"hosted on another server, adjust the following in "
17380
"<filename>/etc/phpmyadmin/config.inc.php</filename>:"
17383
#: serverguide/C/lamp-applications.xml:441(programlisting)
17387
"$cfg['Servers'][$i]['host'] = 'db_server';\n"
17390
#: serverguide/C/lamp-applications.xml:446(para)
17392
"Replace <emphasis role=\"italic\">db_server</emphasis> with the actual "
17393
"remote database server name or IP address. Also, be sure that the "
17394
"<application>phpMyAdmin</application> host has permissions to access the "
17398
#: serverguide/C/lamp-applications.xml:452(para)
17400
"Once configured, log out of <application>phpMyAdmin</application> and back "
17401
"in, and you should be accessing the new server."
17404
#: serverguide/C/lamp-applications.xml:456(para)
17406
"The <filename>config.header.inc.php</filename> and "
17407
"<filename>config.footer.inc.php</filename> files are used to add a HTML "
17408
"header and footer to <application>phpMyAdmin</application>."
17411
#: serverguide/C/lamp-applications.xml:461(para)
17413
"Another important configuration file is "
17414
"<filename>/etc/phpmyadmin/apache.conf</filename>, this file is symlinked to "
17415
"<filename>/etc/apache2/conf.d/phpmyadmin.conf</filename>, and is used to "
17416
"configure <application>Apache2</application> to serve the "
17417
"<application>phpMyAdmin</application> site. The file contains directives for "
17418
"loading <application>PHP</application>, directory permissions, etc. For more "
17419
"information on configuring <application>Apache2</application> see <xref "
17420
"linkend=\"httpd\"/>."
17423
#: serverguide/C/lamp-applications.xml:475(para)
17425
"The <application>phpMyAdmin</application> documentation comes installed with "
17426
"the package and can be accessed from the <emphasis>phpMyAdmin "
17427
"Documentation</emphasis> link (a question mark with a box around it) under "
17428
"the phpMyAdmin logo. The official docs can also be access on the <ulink "
17429
"url=\"http://www.phpmyadmin.net/home_page/docs.php\">phpMyAdmin</ulink> site."
17432
#: serverguide/C/lamp-applications.xml:482(para)
17434
"Also, <ulink url=\"http://www.packtpub.com/phpmyadmin-3rd-"
17435
"edition/book\">Mastering phpMyAdmin</ulink> is a great resource."
17438
#: serverguide/C/introduction.xml:14(para)
17439
msgid "Welcome to the <emphasis>Ubuntu Server Guide</emphasis>!"
17442
#: serverguide/C/introduction.xml:15(para)
17444
"Here you can find information on how to install and configure various server "
17445
"applications. It is a step-by-step, task-oriented guide for configuring and "
17446
"customizing your system."
17449
#: serverguide/C/introduction.xml:19(para)
17451
"This guide assumes you have a basic understanding of your Ubuntu system. "
17452
"Some installation details are covered in <xref linkend=\"installation\"/>, "
17453
"but if you need detailed instructions installing Ubuntu please refer to the "
17454
"<ulink url=\"https://help.ubuntu.com/9.10/installation-guide/\">Ubuntu "
17455
"Installation Guide</ulink>."
17458
#: serverguide/C/introduction.xml:25(para)
17460
"A HTML version of the manual is available online at <ulink "
17461
"url=\"http://help.ubuntu.com\">the Ubuntu Documentation website</ulink>. The "
17462
"HTML files are also available in the <application>ubuntu-"
17463
"serverguide</application> package. See <xref linkend=\"package-"
17464
"management\"/> for details on installing packages."
17467
#: serverguide/C/introduction.xml:32(para)
17469
"If you choose to install the <application>ubuntu-serverguide</application> "
17470
"you can view this document from a console by:"
17473
#: serverguide/C/introduction.xml:36(command)
17474
msgid "w3m /usr/share/ubuntu-serverguide/html/en_GB/index.html"
17477
#: serverguide/C/introduction.xml:39(para)
17478
msgid "Replace <emphasis>en_GB</emphasis> with your language localization."
17481
#: serverguide/C/introduction.xml:53(title)
17485
#: serverguide/C/introduction.xml:55(para)
17487
"There a couple of different ways that Ubuntu Server Edition is supported, "
17488
"commercial support and community support. The main commercial support (and "
17489
"development funding) is available from Canonical Ltd. They supply reasonably "
17490
"priced support contracts on a per desktop or per server basis. For more "
17491
"information see the <ulink "
17492
"url=\"http://www.canonical.com/services/support\">Canonical Services</ulink> "
17496
#: serverguide/C/introduction.xml:62(para)
17498
"Community support is also provided by dedicated individuals, and companies, "
17499
"that wish to make Ubuntu the best distribution possible. Support is provided "
17500
"through multiple mailing lists, IRC channels, forums, blogs, wikis, etc. The "
17501
"large amount of information available can be overwhelming, but a good search "
17502
"engine query can usually provide an answer to your questions. See the <ulink "
17503
"url=\"http://www.ubuntu.com/support\">Ubuntu Support</ulink> page for more "
17507
#: serverguide/C/installation.xml:14(para)
17509
"This chapter provides a quick overview of installing Ubuntu 9.10 Server "
17510
"Edition. For more detailed instructions, please refer to the <ulink "
17511
"url=\"https://help.ubuntu.com/9.10/installation-guide/\">Ubuntu Installation "
17515
#: serverguide/C/installation.xml:19(title)
17516
msgid "Preparing to Install"
17519
#: serverguide/C/installation.xml:20(para)
17521
"This section explains various aspects to consider before starting the "
17525
#: serverguide/C/installation.xml:24(title)
17526
msgid "System Requirements"
17529
#: serverguide/C/installation.xml:25(para)
17531
"Ubuntu 9.10 Server Edition supports two (2) major architectures: Intel x86 "
17532
"and AMD64. The table below lists recommended hardware specifications. "
17533
"Depending on your needs, you might manage with less than this. However, most "
17534
"users risk being frustrated if they ignore these suggestions."
17537
#: serverguide/C/installation.xml:27(title)
17538
msgid "Recommended Minimum Requirements"
17541
#: serverguide/C/installation.xml:35(para)
17542
msgid "Install Type"
17545
#: serverguide/C/installation.xml:36(para)
17549
#: serverguide/C/installation.xml:37(para)
17550
msgid "Hard Drive Space"
17553
#: serverguide/C/installation.xml:40(para)
17554
msgid "Base System"
17557
#: serverguide/C/installation.xml:41(para)
17558
msgid "All Tasks Installed"
17561
#: serverguide/C/installation.xml:46(para)
17565
#: serverguide/C/installation.xml:47(para)
17566
msgid "128 megabytes"
17569
#: serverguide/C/installation.xml:48(para)
17570
msgid "500 megabytes"
17573
#: serverguide/C/installation.xml:49(para)
17577
#: serverguide/C/installation.xml:54(para)
17579
"The Server Edition provides a common base for all sorts of server "
17580
"applications. It is a minimalist design providing a platform for the desired "
17581
"services, such as file/print services, web hosting, email hosting, etc."
17584
#: serverguide/C/installation.xml:62(title)
17585
msgid "Server and Desktop Differences"
17588
#: serverguide/C/installation.xml:63(para)
17590
"There are a few differences between the <emphasis>Ubuntu Server "
17591
"Edition</emphasis> and the <emphasis>Ubuntu Desktop Edition</emphasis>. It "
17592
"should be noted that both editions use the same "
17593
"<application>apt</application> repositories. Making it just as easy to "
17594
"install a <emphasis role=\"italic\">server</emphasis> application on the "
17595
"Desktop Edition as it is on the Server Edition."
17598
#: serverguide/C/installation.xml:69(para)
17600
"The differences between the two editions are the lack of an X window "
17601
"environment in the Server Edition, the installation process, and different "
17605
#: serverguide/C/installation.xml:76(title)
17606
msgid "Kernel Differences:"
17609
#: serverguide/C/installation.xml:79(para)
17611
"The Server Edition uses the <emphasis>Deadline</emphasis> I/O scheduler "
17612
"instead of the <emphasis>CFQ</emphasis> scheduler used by the Desktop "
17616
#: serverguide/C/installation.xml:85(para)
17617
msgid "<emphasis>Preemption</emphasis> is turned off in the Server Edition."
17620
#: serverguide/C/installation.xml:90(para)
17622
"The timer interrupt is 100 Hz in the Server Edition and 250 Hz in the "
17626
#: serverguide/C/installation.xml:96(para)
17628
"When running a 64-bit version of Ubuntu on 64-bit processors you are not "
17629
"limited by memory addressing space."
17632
#: serverguide/C/installation.xml:101(para)
17634
"To see all kernel configuration options you can look through "
17635
"<filename>/boot/config-2.6.31-server</filename>. Also, <ulink "
17636
"url=\"http://www.kroah.com/lkn/\">Linux Kernel in a Nutshell</ulink> is a "
17637
"great resource on the options available."
17640
#: serverguide/C/installation.xml:110(title)
17644
#: serverguide/C/installation.xml:113(para)
17646
"Before installing <application>Ubuntu Server Edition</application> you "
17647
"should make sure all data on the system is backed up. See <xref "
17648
"linkend=\"backups\"/> for backup options."
17651
#: serverguide/C/installation.xml:117(para)
17653
"If this is not the first time an operating system has been installed on your "
17654
"computer, it is likely you will need to re-partition your disk to make room "
17658
#: serverguide/C/installation.xml:121(para)
17660
"Any time you partition your disk, you should be prepared to lose everything "
17661
"on the disk should you make a mistake or something goes wrong during "
17662
"partitioning. The programs used in installation are quite reliable, most "
17663
"have seen years of use, but they also perform destructive actions."
17666
#: serverguide/C/installation.xml:133(title)
17667
msgid "Installing from CD"
17670
#: serverguide/C/installation.xml:134(para)
17672
"The basic steps to install Ubuntu Server Edition from CD are the same for "
17673
"installing any operating system from CD. Unlike the <emphasis>Desktop "
17674
"Edition</emphasis> the <emphasis>Server Edition</emphasis> does not include "
17675
"a graphical installation program. Instead the Server Edition uses a console "
17676
"menu based process."
17679
#: serverguide/C/installation.xml:141(para)
17681
"First, download and burn the appropriate ISO file from the <ulink "
17682
"url=\"http://www.ubuntu.com/getubuntu/download\"> Ubuntu web site</ulink>."
17685
#: serverguide/C/installation.xml:147(para)
17686
msgid "Boot the system from the CD-ROM drive."
17689
#: serverguide/C/installation.xml:152(para)
17691
"At the boot prompt you will be asked to select the language. Afterwards the "
17692
"installation process begins by asking for your keyboard layout."
17695
#: serverguide/C/installation.xml:158(para)
17697
"The installer then discovers your hardware configuration, and configures the "
17698
"network settings using DHCP. If you do not wish to use DHCP at the next "
17699
"screen choose \"Go Back\", and you have the option to \"Configure the "
17700
"network manually\"."
17703
#: serverguide/C/installation.xml:165(para)
17704
msgid "Next, the installer asks for the system's hostname and Time Zone."
17707
#: serverguide/C/installation.xml:170(para)
17709
"You can then choose from several options to configure the hard drive layout. "
17710
"For advanced disk options see <xref linkend=\"advanced-installation\"/>."
17713
#: serverguide/C/installation.xml:176(para)
17714
msgid "The Ubuntu base system is then installed."
17717
#: serverguide/C/installation.xml:181(para)
17719
"A new user is setup, this user will have <emphasis>root</emphasis> access "
17720
"through the <application>sudo</application> utility."
17723
#: serverguide/C/installation.xml:187(para)
17725
"After the user is setup, you will be asked to encrypt your <filename "
17726
"role=\"directory\">home</filename> directory."
17729
#: serverguide/C/installation.xml:193(para)
17731
"The next step in the installation process is to decide how you want to "
17732
"update the system. There are three options:"
17735
#: serverguide/C/installation.xml:199(para)
17737
"<emphasis>No automatic updates</emphasis>: this requires an administrator to "
17738
"log into the machine and manually install updates."
17741
#: serverguide/C/installation.xml:205(para)
17743
"<emphasis>Install security updates Automatically</emphasis>: will install "
17744
"the <application>unattended-upgrades</application> package, which will "
17745
"install security updates without the intervention of an administrator. For "
17746
"more details see <xref linkend=\"automatic-updates\"/>."
17749
#: serverguide/C/installation.xml:212(para)
17751
"<emphasis>Manage the system with Landscape</emphasis>: Landscape is a paid "
17752
"service provided by Canonical to help manage your Ubuntu machines. See the "
17753
"<ulink url=\"http://www.canonical.com/projects/landscape\">Landscape</ulink> "
17754
"site for details."
17757
#: serverguide/C/installation.xml:221(para)
17759
"You now have the option to install, or not install, several package tasks. "
17760
"See <xref linkend=\"install-tasks\"/> for details. Also, there is an option "
17761
"to launch <application>aptitude</application> to choose specific packages to "
17762
"install. For more information see <xref linkend=\"aptitude\"/>."
17765
#: serverguide/C/installation.xml:229(para)
17766
msgid "Finally, the last step before rebooting is to set the clock to UTC."
17769
#: serverguide/C/installation.xml:235(para)
17771
"If at any point during installation you are not satisfied by the default "
17772
"setting, use the \"Go Back\" function at any prompt to be brought to a "
17773
"detailed installation menu that will allow you to modify the default "
17777
#: serverguide/C/installation.xml:240(para)
17779
"At some point during the installation process you may want to read the help "
17780
"screen provided by the installation system. To do this, press F1."
17783
#: serverguide/C/installation.xml:245(para)
17785
"Once again, for detailed instructions see the <ulink "
17786
"url=\"https://help.ubuntu.com/9.10/installation-guide/\"> Ubuntu "
17787
"Installation Guide</ulink>."
17790
#: serverguide/C/installation.xml:251(title)
17791
msgid "Package Tasks"
17794
#: serverguide/C/installation.xml:252(para)
17796
"During the Server Edition installation you have the option of installing "
17797
"additional packages from the CD. The packages are grouped by the type of "
17798
"service they provide."
17801
#: serverguide/C/installation.xml:258(para)
17802
msgid "DNS server: Selects the BIND DNS server and its documentation."
17805
#: serverguide/C/installation.xml:263(para)
17806
msgid "LAMP server: Selects a ready-made Linux/Apache/MySQL/PHP server."
17809
#: serverguide/C/installation.xml:268(para)
17811
"Mail server: This task selects a variety of package useful for a general "
17812
"purpose mail server system."
17815
#: serverguide/C/installation.xml:273(para)
17816
msgid "OpenSSH server: Selects packages needed for an OpenSSH server."
17819
#: serverguide/C/installation.xml:278(para)
17821
"PostgreSQL database: This task selects client and server packages for the "
17822
"PostgreSQL database."
17825
#: serverguide/C/installation.xml:283(para)
17826
msgid "Print server: This task sets up your system to be a print server."
17829
#: serverguide/C/installation.xml:288(para)
17831
"Samba File server: This task sets up your system to be a Samba file server, "
17832
"which is especially suitable in networks with both Windows and Linux systems."
17835
#: serverguide/C/installation.xml:294(para)
17837
"Tomcat server: Installs the Apache Tomcat and needed dependencies Java, gcj, "
17841
#: serverguide/C/installation.xml:299(para)
17843
"Virtual machine host: Includes packages needed to run KVM virtual machines."
17846
#: serverguide/C/installation.xml:304(para)
17848
"Installing the package groups is accomplished using the "
17849
"<application>tasksel</application> utility. One of the important difference "
17850
"between Ubuntu (or Debian) and other GNU/Linux distribution is that, when "
17851
"installed, a package is also configured to reasonable defaults, eventually "
17852
"prompting you for additional required information. Likewise, when installing "
17853
"a task, the packages are not only installed, but also configured to provided "
17854
"a fully integrated service."
17857
#: serverguide/C/installation.xml:311(para)
17859
"Once the installation process has finished you can view a list of available "
17860
"tasks by entering the following from a terminal prompt:"
17863
#: serverguide/C/installation.xml:316(command)
17864
msgid "tasksel --list-tasks"
17867
#: serverguide/C/installation.xml:319(para)
17869
"The output will list tasks from other Ubuntu based distributions such as "
17870
"Kubuntu and Edubuntu. Note that you can also invoke the "
17871
"<command>tasksel</command> command by itself, which will bring up a menu of "
17872
"the different tasks available."
17875
#: serverguide/C/installation.xml:325(para)
17877
"You can view a list of which packages are installed with each task using the "
17878
"<emphasis>--task-packages</emphasis> option. For example, to list the "
17879
"packages installed with the <emphasis>DNS Server</emphasis> task enter the "
17883
#: serverguide/C/installation.xml:330(command)
17884
msgid "tasksel --task-packages dns-server"
17887
#: serverguide/C/installation.xml:332(para)
17888
msgid "The output of the command should list:"
17891
#: serverguide/C/installation.xml:335(programlisting)
17900
#: serverguide/C/installation.xml:340(para)
17902
"Also, if you did not install one of the tasks during the installation "
17903
"process, but for example you decide to make your new LAMP server a DNS "
17904
"server as well. Simply insert the installation CD and from a terminal:"
17907
#: serverguide/C/installation.xml:345(command)
17908
msgid "sudo tasksel install dns-server"
17911
#: serverguide/C/installation.xml:350(title)
17915
#: serverguide/C/installation.xml:351(para)
17917
"There are several ways to upgrade from one Ubuntu release to another. This "
17918
"section gives an overview of the recommended upgrade method."
17921
#: serverguide/C/installation.xml:355(title) serverguide/C/installation.xml:370(command)
17922
msgid "do-release-upgrade"
17925
#: serverguide/C/installation.xml:356(para)
17927
"The recommended way to upgrade a Server Edition installation is to use the "
17928
"<application>do-release-upgrade</application> utility. Part of the "
17929
"<emphasis>update-manager-core</emphasis> package, it does not have any "
17930
"graphical dependencies and is installed by default."
17933
#: serverguide/C/installation.xml:361(para)
17935
"Debian based systems can also be upgraded by using <command>apt-get dist-"
17936
"upgrade</command>. However, using <application>do-release-"
17937
"upgrade</application> is recommended because it has the ability to handle "
17938
"system configuration changes sometimes needed between releases."
17941
#: serverguide/C/installation.xml:366(para)
17942
msgid "To upgrade to a newer release, from a terminal prompt enter:"
17945
#: serverguide/C/installation.xml:372(para)
17947
"It is also possible to use <application>do-release-upgrade</application> to "
17948
"upgrade to a development version of Ubuntu. To accomplish this use the "
17949
"<emphasis>-d</emphasis> switch:"
17952
#: serverguide/C/installation.xml:377(command)
17953
msgid "do-release-upgrade -d"
17956
#: serverguide/C/installation.xml:380(para)
17958
"Upgrading to a development release is <emphasis>not</emphasis> recommended "
17959
"for production environments."
17962
#: serverguide/C/installation.xml:387(title)
17963
msgid "Advanced Installation"
17966
#: serverguide/C/installation.xml:390(title)
17967
msgid "Software RAID"
17970
#: serverguide/C/installation.xml:392(para)
17972
"RAID is a method of configuring multiple hard drives to act as one, reducing "
17973
"the probability of catastrophic data loss in case of drive failure. RAID is "
17974
"implemented in either software (where the operating system knows about both "
17975
"drives and actively maintains both of them) or hardware (where a special "
17976
"controller makes the OS think there's only one drive and maintains the "
17977
"drives 'invisibly')."
17980
#: serverguide/C/installation.xml:399(para)
17982
"The RAID software included with current versions of Linux (and Ubuntu) is "
17983
"based on the <application>'mdadm'</application> driver and works very well, "
17984
"better even than many so-called 'hardware' RAID controllers. This section "
17985
"will guide you through installing Ubuntu Server Edition using two RAID1 "
17986
"partitions on two physical hard drives, one for <emphasis>/</emphasis> and "
17987
"another for <emphasis>swap</emphasis>."
17990
#: serverguide/C/installation.xml:409(para) serverguide/C/installation.xml:926(para)
17992
"Follow the installation steps until you get to the <emphasis>Partition "
17993
"disks</emphasis> step, then:"
17996
#: serverguide/C/installation.xml:416(para)
17997
msgid "Select <emphasis>Manual</emphasis> as the partition method."
18000
#: serverguide/C/installation.xml:423(para)
18002
"Select the first hard drive, and agree to <emphasis>\"Create a new empty "
18003
"partition table on this device?\"</emphasis>."
18006
#: serverguide/C/installation.xml:427(para)
18008
"Repeat this step for each drive you wish to be part of the RAID array."
18011
#: serverguide/C/installation.xml:434(para)
18013
"Select the <emphasis>\"FREE SPACE\"</emphasis> on the first drive then "
18014
"select <emphasis>\"Create a new partition\"</emphasis>."
18017
#: serverguide/C/installation.xml:441(para)
18019
"Next, select the <emphasis>Size</emphasis> of the partition. This partition "
18020
"will be the <emphasis>swap</emphasis> partition, and a general rule for swap "
18021
"size is twice that of RAM. Enter the partition size, then choose "
18022
"<emphasis>Primary</emphasis>, then <emphasis>Beginning</emphasis>."
18025
#: serverguide/C/installation.xml:450(para)
18027
"Select the <emphasis>\"Use as:\"</emphasis> line at the top. By default this "
18028
"is <emphasis role=\"italic\">\"Ext3 journaling file system\"</emphasis>, "
18029
"change that to <emphasis>\"physical volume for RAID\"</emphasis> then "
18030
"<emphasis>\"Done setting up partition\"</emphasis>."
18033
#: serverguide/C/installation.xml:459(para)
18035
"For the <emphasis>/</emphasis> partition once again select <emphasis>\"Free "
18036
"Space\"</emphasis> on the first drive then <emphasis>\"Create a new "
18037
"partition\"</emphasis>."
18040
#: serverguide/C/installation.xml:467(para)
18042
"Use the rest of the free space on the drive and choose "
18043
"<emphasis>Continue</emphasis>, then <emphasis>Primary</emphasis>."
18046
#: serverguide/C/installation.xml:474(para)
18048
"As with the swap partition, select the <emphasis>\"Use as:\"</emphasis> line "
18049
"at the top, changing it to <emphasis>\"physical volume for RAID\"</emphasis> "
18050
"then choose <emphasis>\"Done setting up partition\"</emphasis>."
18053
#: serverguide/C/installation.xml:482(para)
18054
msgid "Repeat steps three through eight for the other disk and partitions."
18057
#: serverguide/C/installation.xml:491(title)
18058
msgid "RAID Configuration"
18061
#: serverguide/C/installation.xml:493(para)
18062
msgid "With the partitions setup the arrays are ready to be configured:"
18065
#: serverguide/C/installation.xml:500(para)
18067
"Back in the main \"Partition Disks\" page, select <emphasis>\"Configure "
18068
"Software RAID\"</emphasis> at the top."
18071
#: serverguide/C/installation.xml:507(para)
18072
msgid "Select <emphasis>\"yes\"</emphasis> to write the changes to disk."
18075
#: serverguide/C/installation.xml:514(para)
18076
msgid "Choose <emphasis>\"Create MD drive\"</emphasis>."
18079
#: serverguide/C/installation.xml:521(para)
18081
"For this example, select <emphasis>\"RAID1\"</emphasis>, but if you are "
18082
"using a different setup choose the appropriate type (RAID0 RAID1 RAID5)."
18085
#: serverguide/C/installation.xml:527(para)
18087
"In order to use <emphasis>RAID5</emphasis> you need at least "
18088
"<emphasis>three</emphasis> drives. Using RAID0 or RAID1 only "
18089
"<emphasis>two</emphasis> drives are required."
18092
#: serverguide/C/installation.xml:536(para)
18094
"Enter the number of active devices <emphasis>\"2\"</emphasis>, or the amount "
18095
"of hard drives you have, for the array. Then select "
18096
"<emphasis>\"Continue\"</emphasis>."
18099
#: serverguide/C/installation.xml:544(para)
18101
"Next, enter the number of spare devices <emphasis>\"0\"</emphasis> by "
18102
"default, then choose <emphasis>\"Continue\"</emphasis>."
18105
#: serverguide/C/installation.xml:551(para)
18107
"Choose which partitions to use. Generally they will be sda1, sdb1, sdc1, "
18108
"etc. The numbers will usually match and the different letters correspond to "
18109
"different hard drives."
18112
#: serverguide/C/installation.xml:556(para)
18114
"For the <emphasis>swap</emphasis> partition choose <emphasis>sda1</emphasis> "
18115
"and <emphasis>sdb1</emphasis>. Select <emphasis>\"Continue\"</emphasis> to "
18116
"go to the next step."
18119
#: serverguide/C/installation.xml:564(para)
18121
"Repeat steps <emphasis>three</emphasis> through <emphasis>seven</emphasis> "
18122
"for the <emphasis>/</emphasis> partition choosing <emphasis>sda2</emphasis> "
18123
"and <emphasis>sdb2</emphasis>."
18126
#: serverguide/C/installation.xml:572(para)
18127
msgid "Once done select <emphasis>\"Finish\"</emphasis>."
18130
#: serverguide/C/installation.xml:582(title)
18134
#: serverguide/C/installation.xml:584(para)
18136
"There should now be a list of hard drives and RAID devices. The next step is "
18137
"to format and set the mount point for the RAID devices. Treat the RAID "
18138
"device as a local hard drive, format and mount accordingly."
18141
#: serverguide/C/installation.xml:592(para)
18142
msgid "Select the <emphasis>RAID1 device #0</emphasis> partition."
18145
#: serverguide/C/installation.xml:599(para)
18147
"Choose <emphasis>\"Use as:\"</emphasis>. Then select <emphasis>\"swap "
18148
"area\"</emphasis>, then <emphasis>\"Done setting up partition\"</emphasis>."
18151
#: serverguide/C/installation.xml:607(para)
18152
msgid "Next, select the <emphasis>RAID1 device #1</emphasis> partition."
18155
#: serverguide/C/installation.xml:614(para)
18157
"Choose <emphasis>\"Use as:\"</emphasis>. Then select <emphasis>\"Ext3 "
18158
"journaling file system\"</emphasis>."
18161
#: serverguide/C/installation.xml:621(para)
18163
"Then select the <emphasis>\"Mount point\"</emphasis> and choose "
18164
"<emphasis>\"/ - the root file system\"</emphasis>. Change any of the other "
18165
"options as appropriate, then select <emphasis>\"Done setting up "
18166
"partition\"</emphasis>."
18169
#: serverguide/C/installation.xml:629(para)
18171
"Finally, select <emphasis>\"Finish partitioning and write changes to "
18172
"disk\"</emphasis>."
18175
#: serverguide/C/installation.xml:636(para)
18177
"If you choose to place the root partition on a RAID array, the installer "
18178
"will then ask if you would like to boot in a <emphasis>degraded</emphasis> "
18179
"state. See <xref linkend=\"raid-degraded\"/> for further details."
18182
#: serverguide/C/installation.xml:641(para)
18183
msgid "The installation process will then continue normally."
18186
#: serverguide/C/installation.xml:647(title)
18187
msgid "Degraded RAID"
18190
#: serverguide/C/installation.xml:649(para)
18192
"At some point in the life of the computer a disk failure event may occur. "
18193
"When this happens, using Software RAID, the operating system will place the "
18194
"array into what is known as a <emphasis>degraded</emphasis> state."
18197
#: serverguide/C/installation.xml:654(para)
18199
"If the array has become degraded, due to the chance of data corruption, by "
18200
"default Ubuntu Server Edition will boot to <emphasis>initramfs</emphasis> "
18201
"after thirty seconds. Once the initramfs has booted there is a fifteen "
18202
"second prompt giving you the option to go ahead and boot the system, or "
18203
"attempt manual recover. Booting to the initramfs prompt may or may not be "
18204
"the desired behavior, especially if the machine is in a remote location. "
18205
"Booting to a degraded array can be configured several ways:"
18208
#: serverguide/C/installation.xml:665(para)
18210
"The <application>dpkg-reconfigure</application> utility can be used to "
18211
"configure the default behavior, and during the process you will be queried "
18212
"about additional settings related to the array. Such as monitoring, email "
18213
"alerts, etc. To reconfigure <application>mdadm</application> enter the "
18217
#: serverguide/C/installation.xml:672(command)
18218
msgid "sudo dpkg-reconfigure mdadm"
18221
#: serverguide/C/installation.xml:678(para)
18223
"The <command>dpkg-reconfigure mdadm</command> process will change the "
18224
"<filename>/etc/initramfs-tools/conf.d/mdadm</filename> configuration file. "
18225
"The file has the advantage of being able to pre-configure the system's "
18226
"behavior, and can also be manually edited:"
18229
#: serverguide/C/installation.xml:684(programlisting)
18233
"BOOT_DEGRADED=true\n"
18236
#: serverguide/C/installation.xml:689(para)
18237
msgid "The configuration file can be overridden by using a Kernel argument."
18240
#: serverguide/C/installation.xml:697(para)
18242
"Using a Kernel argument will allow the system to boot to a degraded array as "
18246
#: serverguide/C/installation.xml:703(para)
18248
"When the server is booting press <emphasis>ESC</emphasis> to open the "
18249
"<application>Grub</application> menu."
18252
#: serverguide/C/installation.xml:708(para)
18253
msgid "Press <emphasis>\"e\"</emphasis> to edit your Kernel command options."
18256
#: serverguide/C/installation.xml:713(para)
18258
"Press the <emphasis>DOWN</emphasis> arrow to highlight the kernel line."
18261
#: serverguide/C/installation.xml:718(para)
18263
"Press the <emphasis>\"e\"</emphasis> key again to edit the kernel line."
18266
#: serverguide/C/installation.xml:723(para)
18268
"Add <emphasis>\"bootdegraded=true\"</emphasis> (without the quotes) to the "
18272
#: serverguide/C/installation.xml:728(para)
18273
msgid "Press <emphasis>\"ENTER\"</emphasis>."
18276
#: serverguide/C/installation.xml:733(para)
18277
msgid "Finally, press <emphasis>\"b\"</emphasis> to boot the system."
18280
#: serverguide/C/installation.xml:742(para)
18282
"Once the system has booted you can either repair the array see <xref "
18283
"linkend=\"raid-maintenance\"/> for details, or copy important data to "
18284
"another machine due to major hardware failure."
18287
#: serverguide/C/installation.xml:749(title)
18288
msgid "RAID Maintenance"
18291
#: serverguide/C/installation.xml:751(para)
18293
"The <application>mdadm</application> utility can be used to view the status "
18294
"of an array, add disks to an array, remove disks, etc:"
18297
#: serverguide/C/installation.xml:758(para)
18298
msgid "To view the status of an array, from a terminal prompt enter:"
18301
#: serverguide/C/installation.xml:762(command)
18302
msgid "sudo mdadm -D /dev/md0"
18305
#: serverguide/C/installation.xml:765(para)
18307
"The <emphasis>-D</emphasis> tells <application>mdadm</application> to "
18308
"display <emphasis>detailed</emphasis> information about the "
18309
"<filename>/dev/md0</filename> device. Replace <filename>/dev/md0</filename> "
18310
"with the appropriate RAID device."
18313
#: serverguide/C/installation.xml:771(para)
18314
msgid "To view the status of a disk in an array:"
18317
#: serverguide/C/installation.xml:775(command)
18318
msgid "sudo mdadm -E /dev/sda1"
18321
#: serverguide/C/installation.xml:777(para)
18323
"The output if very similar to the <command>mdadm -D</command> command, "
18324
"adjust <filename>/dev/sda1</filename> for each disk."
18327
#: serverguide/C/installation.xml:782(para)
18328
msgid "If a disk fails and needs to be removed from an array enter:"
18331
#: serverguide/C/installation.xml:786(command)
18332
msgid "sudo mdadm --remove /dev/md0 /dev/sda1"
18335
#: serverguide/C/installation.xml:788(para)
18337
"Change <filename>/dev/md0</filename> and <filename>/dev/sda1</filename> to "
18338
"the appropriate RAID device and disk."
18341
#: serverguide/C/installation.xml:793(para)
18342
msgid "Similarly, to add a new disk:"
18345
#: serverguide/C/installation.xml:797(command)
18346
msgid "sudo mdadm --add /dev/md0 /dev/sda1"
18349
#: serverguide/C/installation.xml:802(para)
18351
"Sometimes a disk can change to a <emphasis>faulty</emphasis> state even "
18352
"though there is nothing physically wrong with the drive. It is usually "
18353
"worthwhile to remove the drive from the array then re-add it. This will "
18354
"cause the drive to re-sync with the array. If the drive will not sync with "
18355
"the array, it is a good indication of hardware failure."
18358
#: serverguide/C/installation.xml:808(para)
18360
"The <filename>/proc/mdstat</filename> file also contains useful information "
18361
"about the system's RAID devices:"
18364
#: serverguide/C/installation.xml:813(command)
18365
msgid "cat /proc/mdstat"
18368
#: serverguide/C/installation.xml:814(computeroutput)
18371
"Personalities : [linear] [multipath] [raid0] [raid1] [raid6] [raid5] [raid4] "
18373
"md0 : active raid1 sda1[0] sdb1[1]\n"
18374
" 10016384 blocks [2/2] [UU]\n"
18376
"unused devices: <none>"
18379
#: serverguide/C/installation.xml:821(para)
18381
"The following command is great for watching the status of a syncing drive:"
18384
#: serverguide/C/installation.xml:826(command)
18385
msgid "watch -n1 cat /proc/mdstat"
18388
#: serverguide/C/installation.xml:829(para)
18390
"Press <emphasis>Ctrl+c</emphasis> to stop the "
18391
"<application>watch</application> command."
18394
#: serverguide/C/installation.xml:833(para)
18396
"If you do need to replace a faulty drive, after the drive has been replaced "
18397
"and synced, <application>grub</application> will need to be installed. To "
18398
"install <application>grub</application> on the new drive, enter the "
18402
#: serverguide/C/installation.xml:839(command)
18403
msgid "sudo grub-install /dev/md0"
18406
#: serverguide/C/installation.xml:842(para)
18408
"Replace <filename>/dev/md0</filename> with the appropriate array device name."
18411
#: serverguide/C/installation.xml:850(para)
18413
"The topic of RAID arrays is a complex one due to the plethora of ways RAID "
18414
"can be configured. Please see the following links for more information:"
18417
#: serverguide/C/installation.xml:858(ulink)
18418
msgid "Software RAID HOWTO"
18421
#: serverguide/C/installation.xml:863(ulink)
18422
msgid "Managing RAID on Linux"
18425
#: serverguide/C/installation.xml:870(title)
18426
msgid "Logical Volume Manager (LVM)"
18429
#: serverguide/C/installation.xml:872(para)
18431
"Logical Volume Manger, or <emphasis>LVM</emphasis>, allows administrators to "
18432
"create <emphasis>logical</emphasis> volumes out of one or multiple physical "
18433
"hard disks. LVM volumes can be created on both software RAID partitions and "
18434
"standard partitions residing on a single disk. Volumes can also be extended, "
18435
"giving greater flexibility to systems as requirements change."
18438
#: serverguide/C/installation.xml:881(para)
18440
"A side effect of LVM's power and flexibility is a greater degree of "
18441
"complication. Before diving into the LVM installation process, it is best to "
18442
"get familiar with some terms."
18445
#: serverguide/C/installation.xml:888(para)
18447
"<emphasis>Volume Group (VG):</emphasis> contains one or several Logical "
18451
#: serverguide/C/installation.xml:893(para)
18453
"<emphasis>Logical Volume (LV):</emphasis> is similar to a partition in a non-"
18454
"LVM system. Multiple Physical Volumes (PV) can make up one LV, on top of "
18455
"which resides the actual EXT3, XFS, JFS, etc filesystem."
18458
#: serverguide/C/installation.xml:899(para)
18460
"<emphasis>Physical Volume (PV):</emphasis> physical hard disk or software "
18461
"RAID partition. The Volume Group can be extended by adding more PVs."
18464
#: serverguide/C/installation.xml:910(para)
18466
"As an example this section covers installing Ubuntu Server Edition with "
18467
"<filename role=\"directory\">/srv</filename> mounted on a LVM volume. During "
18468
"the initial install only one Physical Volume (PV) will be part of the Volume "
18469
"Group (VG). Another PV will be added after install to demonstrate how a VG "
18473
#: serverguide/C/installation.xml:916(para)
18475
"There are several installation options for LVM, <emphasis>\"Guided - use the "
18476
"entire disk and setup LVM\"</emphasis> which will also allow you to assign a "
18477
"portion of the available space to LVM, <emphasis>\"Guided - use entire and "
18478
"setup encrypted LVM\"</emphasis>, or <emphasis>Manually</emphasis> setup the "
18479
"partitions and configure LVM. At this time the only way to configure a "
18480
"system with both LVM and standard partitions, during installation, is to use "
18481
"the Manual approach."
18484
#: serverguide/C/installation.xml:933(para)
18486
"At the <emphasis>\"Partition Disks</emphasis> screen choose "
18487
"<emphasis>\"Manual\"</emphasis>."
18490
#: serverguide/C/installation.xml:940(para)
18492
"Select the hard disk and on the next screen choose \"yes\" to "
18493
"<emphasis>\"Create a new empty partition table on this device\"</emphasis>."
18496
#: serverguide/C/installation.xml:947(para)
18498
"Next, create standard <emphasis>/boot</emphasis>, <emphasis>swap</emphasis>, "
18499
"and <emphasis>/</emphasis> partitions with whichever filesystem you prefer."
18502
#: serverguide/C/installation.xml:955(para)
18504
"For the LVM <emphasis>/srv</emphasis>, create a new "
18505
"<emphasis>Logical</emphasis> partition. Then change <emphasis>\"Use "
18506
"as\"</emphasis> to <emphasis>\"physical volume for LVM\"</emphasis> then "
18507
"<emphasis>\"Done setting up the partition\"</emphasis>."
18510
#: serverguide/C/installation.xml:963(para)
18512
"Now select <emphasis>\"Configure the Logical Volume Manager\"</emphasis> at "
18513
"the top, and choose <emphasis>\"Yes\"</emphasis> to write the changes to "
18517
#: serverguide/C/installation.xml:971(para)
18519
"For the <emphasis>\"LVM configuration action\"</emphasis> on the next "
18520
"screen, choose <emphasis>\"Create volume group\"</emphasis>. Enter a name "
18521
"for the VG such as <emphasis>vg01</emphasis>, or something more descriptive. "
18522
"After entering a name, select the partition configured for LVM, and choose "
18523
"<emphasis>\"Continue\"</emphasis>."
18526
#: serverguide/C/installation.xml:980(para)
18528
"Back at the <emphasis>\"LVM configuration action\"</emphasis> screen, select "
18529
"<emphasis>\"Create logical volume\"</emphasis>. Select the newly created "
18530
"volume group, and enter a name for the new LV, for example "
18531
"<emphasis>srv</emphasis> since that is the intended mount point. Then choose "
18532
"a size, which may be the full partition because it can always be extended "
18533
"later. Choose <emphasis>\"Finish\"</emphasis> and you should be back at the "
18534
"main <emphasis>\"Partition Disks\"</emphasis> screen."
18537
#: serverguide/C/installation.xml:990(para)
18539
"Now add a filesystem to the new LVM. Select the partition under "
18540
"<emphasis>\"LVM VG vg01, LV srv\"</emphasis>, or whatever name you have "
18541
"chosen, the choose <emphasis>Use as</emphasis>. Setup a file system as "
18542
"normal selecting <emphasis>/srv</emphasis> as the mount point. Once done, "
18543
"select <emphasis>\"Done setting up the partition\"</emphasis>."
18546
#: serverguide/C/installation.xml:999(para)
18548
"Finally, select <emphasis>\"Finish partitioning and write changes to "
18549
"disk\"</emphasis>. Then confirm the changes and continue with the rest of "
18550
"the installation."
18553
#: serverguide/C/installation.xml:1007(para)
18554
msgid "There are some useful utilities to view information about LVM:"
18557
#: serverguide/C/installation.xml:1012(para)
18559
"<emphasis>vgdisplay:</emphasis> shows information about Volume Groups."
18562
#: serverguide/C/installation.xml:1013(para)
18564
"<emphasis>lvdisplay:</emphasis> has information about Logical Volumes."
18567
#: serverguide/C/installation.xml:1014(para)
18569
"<emphasis>pvdisplay:</emphasis> similarly displays information about "
18570
"Physical Volumes."
18573
#: serverguide/C/installation.xml:1019(title)
18574
msgid "Extending Volume Groups"
18577
#: serverguide/C/installation.xml:1021(para)
18579
"Continuing with <emphasis>srv</emphasis> as an LVM volume example, this "
18580
"section covers adding a second hard disk, creating a Physical Volume (PV), "
18581
"adding it to the volume group (VG), extending the logical volume <filename "
18582
"role=\"directory\">srv</filename> and finally extending the filesystem. This "
18583
"example assumes a second hard disk has been added to the system. This hard "
18584
"disk will be named <filename>/dev/sdb</filename> in our example. BEWARE: "
18585
"make sure you don't already have an existing <filename>/dev/sdb</filename> "
18586
"before issuing the commands below. You could lose some data if you issue "
18587
"those commands on a non-empty disk. In our example we will use the entire "
18588
"disk as a physical volume (you could choose to create partitions and use "
18589
"them as different physical volumes)"
18592
#: serverguide/C/installation.xml:1033(para)
18593
msgid "First, create the physical volume, in a terminal execute:"
18596
#: serverguide/C/installation.xml:1038(command)
18597
msgid "sudo pvcreate /dev/sdb"
18600
#: serverguide/C/installation.xml:1044(para)
18601
msgid "Now extend the Volume Group (VG):"
18604
#: serverguide/C/installation.xml:1049(command)
18605
msgid "sudo vgextend vg01 /dev/sdb"
18608
#: serverguide/C/installation.xml:1055(para)
18610
"Use <application>vgdisplay</application> to find out the free physical "
18611
"extents - Free PE / size (the size you can allocate). We will assume a free "
18612
"size of 511 PE (equivalent to 2GB with a PE size of 4MB) and we will use the "
18613
"whole free space available. Use your own PE and/or free space."
18616
#: serverguide/C/installation.xml:1061(para)
18618
"The Logical Volume (LV) can now be extended by different methods, we will "
18619
"only see how to use the PE to extend the LV:"
18622
#: serverguide/C/installation.xml:1066(command)
18623
msgid "sudo lvextend /dev/vg01/srv -l +511"
18626
#: serverguide/C/installation.xml:1069(para)
18628
"The <emphasis>-l</emphasis> option allows the LV to be extended using PE. "
18629
"The <emphasis>-L</emphasis> option allows the LV to be extended using Meg, "
18630
"Gig, Tera, etc bytes."
18633
#: serverguide/C/installation.xml:1077(para)
18635
"Even though you are supposed to be able to <emphasis>expand</emphasis> an "
18636
"ext3 or ext4 filesystem without unmounting it first, it may be a good "
18637
"pratice to unmount it anyway and check the filesystem, so that you don't "
18638
"mess up the day you want to reduce a logical volume (in that case unmounting "
18639
"first is compulsory)."
18642
#: serverguide/C/installation.xml:1083(para)
18644
"The following commands are for an <emphasis>EXT3</emphasis> or "
18645
"<emphasis>EXT4</emphasis> filesystem. If you are using another filesystem "
18646
"there may be other utilities available."
18649
#: serverguide/C/installation.xml:1090(command)
18650
msgid "sudo e2fsck -f /dev/vg01/srv"
18653
#: serverguide/C/installation.xml:1093(para)
18655
"The <emphasis>-f</emphasis> option of <application>e2fsck</application> "
18656
"forces checking even if the system seems clean."
18659
#: serverguide/C/installation.xml:1100(para)
18660
msgid "Finally, resize the filesystem:"
18663
#: serverguide/C/installation.xml:1105(command)
18664
msgid "sudo resize2fs /dev/vg01/srv"
18667
#: serverguide/C/installation.xml:1111(para)
18668
msgid "Now mount the partition and check its size."
18671
#: serverguide/C/installation.xml:1116(command)
18672
msgid "mount /dev/vg01/srv /srv && df -h /srv"
18675
#: serverguide/C/installation.xml:1128(para)
18677
"See the <ulink url=\"http://tldp.org/HOWTO/LVM-HOWTO/index.html\">LVM "
18678
"HOWTO</ulink> for more information."
18681
#: serverguide/C/installation.xml:1133(para)
18683
"Another good article is <ulink "
18684
"url=\"http://www.linuxdevcenter.com/pub/a/linux/2006/04/27/managing-disk-"
18685
"space-with-lvm.html\">Managing Disk Space with LVM</ulink> on O'Reilly's "
18686
"linuxdevcenter.com site."
18689
#: serverguide/C/installation.xml:1140(para)
18691
"For more information on <application>fdisk</application> see the <ulink "
18692
"url=\"http://manpages.ubuntu.com/manpages/jaunty/en/man8/fdisk.8.html\">fdisk"
18693
" man page</ulink>."
18696
#: serverguide/C/file-server.xml:13(title)
18697
msgid "File Servers"
18700
#: serverguide/C/file-server.xml:15(para)
18702
"If you have more than one computer on a single network. At some point you "
18703
"will probably need to share files between them. In this section we cover "
18704
"installing and configuring FTP, NFS, and CUPS."
18707
#: serverguide/C/file-server.xml:22(title)
18711
#: serverguide/C/file-server.xml:24(para)
18713
"File Transfer Protocol (FTP) is a TCP protocol for uploading and downloading "
18714
"files between computers. FTP works on a client/server model. The server "
18715
"component is called an <emphasis>FTP daemon</emphasis>. It continuously "
18716
"listens for FTP requests from remote clients. When a request is received, it "
18717
"manages the login and sets up the connection. For the duration of the "
18718
"session it executes any of commands sent by the FTP client."
18721
#: serverguide/C/file-server.xml:33(para)
18722
msgid "Access to an FTP server can be managed in two ways:"
18725
#: serverguide/C/file-server.xml:37(para)
18729
#: serverguide/C/file-server.xml:40(para)
18730
msgid "Authenticated"
18733
#: serverguide/C/file-server.xml:43(para)
18735
"In the Anonymous mode, remote clients can access the FTP server by using the "
18736
"default user account called \"anonymous\" or \"ftp\" and sending an email "
18737
"address as the password. In the Authenticated mode a user must have an "
18738
"account and a password. User access to the FTP server directories and files "
18739
"is dependent on the permissions defined for the account used at login. As a "
18740
"general rule, the FTP daemon will hide the root directory of the FTP server "
18741
"and change it to the FTP Home directory. This hides the rest of the file "
18742
"system from remote sessions."
18745
#: serverguide/C/file-server.xml:55(title)
18746
msgid "vsftpd - FTP Server Installation"
18749
#: serverguide/C/file-server.xml:57(para)
18751
"vsftpd is an FTP daemon available in Ubuntu. It is easy to install, set up, "
18752
"and maintain. To install <application>vsftpd</application> you can run the "
18753
"following command:"
18756
#: serverguide/C/file-server.xml:65(command)
18757
msgid "sudo apt-get install vsftpd"
18760
#: serverguide/C/file-server.xml:71(title)
18761
msgid "Anonymous FTP Configuration"
18764
#: serverguide/C/file-server.xml:73(para)
18766
"By default <application>vsftpd</application> is configured to only allow "
18767
"anonymous download. During installation a <emphasis>ftp</emphasis> user is "
18768
"created with a home directory of <filename>/home/ftp</filename>. This is the "
18769
"default FTP directory."
18772
#: serverguide/C/file-server.xml:80(para)
18774
"If you wish to change this location, to <filename>/srv/ftp</filename> for "
18775
"example, simply create a directory in another location and change the "
18776
"<emphasis>ftp</emphasis> user's home directory:"
18779
#: serverguide/C/file-server.xml:87(command)
18780
msgid "sudo mkdir /srv/ftp"
18783
#: serverguide/C/file-server.xml:88(command)
18784
msgid "sudo usermod -d /srv/ftp ftp"
18787
#: serverguide/C/file-server.xml:91(para)
18788
msgid "After making the change restart <application>vsftpd</application>:"
18791
#: serverguide/C/file-server.xml:96(command) serverguide/C/file-server.xml:124(command) serverguide/C/file-server.xml:189(command) serverguide/C/file-server.xml:237(command)
18792
msgid "sudo /etc/init.d/vsftpd restart"
18795
#: serverguide/C/file-server.xml:99(para)
18797
"Finally, copy any files and directories you would like to make available "
18798
"through anonymous FTP to <filename>/srv/ftp</filename>."
18801
#: serverguide/C/file-server.xml:106(title)
18802
msgid "User Authenticated FTP Configuration"
18805
#: serverguide/C/file-server.xml:108(para)
18807
"To configure <application>vsftpd</application> to authenticate system users "
18808
"and allow them to upload files edit <filename>/etc/vsftpd.conf</filename>:"
18811
#: serverguide/C/file-server.xml:114(programlisting)
18815
"local_enable=YES\n"
18816
"write_enable=YES\n"
18819
#: serverguide/C/file-server.xml:119(para)
18820
msgid "Now restart <application>vsftpd</application>:"
18823
#: serverguide/C/file-server.xml:127(para)
18825
"Now when system users login to FTP they will start in their "
18826
"<emphasis>home</emphasis> directories where they can download, upload, "
18827
"create directories, etc."
18830
#: serverguide/C/file-server.xml:133(para)
18832
"Similarly, by default, the anonymous users are not allowed to upload files "
18833
"to FTP server. To change this setting, you should uncomment the following "
18834
"line, and restart <application>vsftpd</application>:"
18837
#: serverguide/C/file-server.xml:140(programlisting)
18841
"anon_upload_enable=YES\n"
18844
#: serverguide/C/file-server.xml:145(para)
18846
"Enabling anonymous FTP upload can be an extreme security risk. It is best to "
18847
"not enable anonymous upload on servers accessed directly from the Internet."
18850
#: serverguide/C/file-server.xml:151(para)
18852
"The configuration file consists of many configuration parameters. The "
18853
"information about each parameter is available in the configuration file. "
18854
"Alternatively, you can refer to the man page, <command>man 5 "
18855
"vsftpd.conf</command> for details of each parameter."
18858
#: serverguide/C/file-server.xml:162(title)
18859
msgid "Securing FTP"
18862
#: serverguide/C/file-server.xml:164(para)
18864
"There are options in <filename>/etc/vsftpd.conf</filename> to help make "
18865
"<application>vsftpd</application> more secure. For example users can be "
18866
"limited to their home directories by uncommenting:"
18869
#: serverguide/C/file-server.xml:170(programlisting)
18873
"chroot_local_user=YES\n"
18876
#: serverguide/C/file-server.xml:174(para)
18878
"You can also limit a specific list of users to just their home directories:"
18881
#: serverguide/C/file-server.xml:178(programlisting)
18885
"chroot_list_enable=YES\n"
18886
"chroot_list_file=/etc/vsftpd.chroot_list\n"
18889
#: serverguide/C/file-server.xml:183(para)
18891
"After uncommenting the above options, create a "
18892
"<filename>/etc/vsftpd.chroot_list</filename> containing a list of users one "
18893
"per line. Then restart <application>vsftpd</application>:"
18896
#: serverguide/C/file-server.xml:192(para)
18898
"Also, the <filename>/etc/ftpusers</filename> file is a list of users that "
18899
"are <emphasis>disallowed</emphasis> FTP access. The default list includes "
18900
"root, daemon, nobody, etc. To disable FTP access for additional users simply "
18901
"add them to the list."
18904
#: serverguide/C/file-server.xml:199(para)
18906
"FTP can also be encrypted using <emphasis>FTPS</emphasis>. Different from "
18907
"<emphasis>SFTP</emphasis>, <emphasis>FTPS</emphasis> is FTP over Secure "
18908
"Socket Layer (SSL). <emphasis>SFTP</emphasis> is a FTP like session over an "
18909
"encrypted <emphasis>SSH</emphasis> connection. A major difference is that "
18910
"users of SFTP need to have a <emphasis>shell</emphasis> account on the "
18911
"system, instead of a <emphasis>nologin</emphasis> shell. Providing all users "
18912
"with a shell may not be ideal for some environments, such as a shared web "
18916
#: serverguide/C/file-server.xml:208(para)
18918
"To configure <emphasis>FTPS</emphasis>, edit "
18919
"<filename>/etc/vsftpd.conf</filename> and at the bottom add:"
18922
#: serverguide/C/file-server.xml:212(programlisting)
18929
#: serverguide/C/file-server.xml:216(para)
18930
msgid "Also, notice the certificate and key related options:"
18933
#: serverguide/C/file-server.xml:220(programlisting)
18937
"rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem\n"
18938
"rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key\n"
18941
#: serverguide/C/file-server.xml:225(para)
18943
"By default these options are set the certificate and key provided by the "
18944
"<application>ssl-cert</application> package. In a production environment "
18945
"these should be replaced with a certificate and key generated for the "
18946
"specific host. For more information on certificates see <xref "
18947
"linkend=\"certificates-and-security\"/>."
18950
#: serverguide/C/file-server.xml:231(para)
18952
"Now restart <application>vsftpd</application>, and non-anonymous users will "
18953
"be forced to use <emphasis>FTPS</emphasis>:"
18956
#: serverguide/C/file-server.xml:240(para)
18958
"To allow users with a shell of <filename>/usr/sbin/nologin</filename> access "
18959
"to FTP, but have no shell access, edit <filename>/etc/shells</filename> "
18960
"adding the <emphasis>nologin</emphasis> shell:"
18963
#: serverguide/C/file-server.xml:245(programlisting)
18967
"# /etc/shells: valid login shells\n"
18980
"/usr/bin/screen\n"
18981
"/usr/sbin/nologin\n"
18984
#: serverguide/C/file-server.xml:263(para)
18986
"This is necessary because, by default <application>vsftpd</application> uses "
18987
"PAM for authentication, and the <filename>/etc/pam.d/vsftpd</filename> "
18988
"configuration file contains:"
18991
#: serverguide/C/file-server.xml:268(programlisting)
18995
"auth required pam_shells.so\n"
18998
#: serverguide/C/file-server.xml:272(para)
19000
"The <emphasis>shells</emphasis> PAM module restricts access to shells listed "
19001
"in the <filename>/etc/shells</filename> file."
19004
#: serverguide/C/file-server.xml:277(para)
19006
"Most popular FTP clients can be configured connect using FTPS. The "
19007
"<application>lftp</application> command line FTP client has the ability to "
19008
"use FTPS as well."
19011
#: serverguide/C/file-server.xml:288(para)
19013
"See the <ulink url=\"http://vsftpd.beasts.org/vsftpd_conf.html\">vsftpd "
19014
"website</ulink> for more information."
19017
#: serverguide/C/file-server.xml:293(para)
19019
"For detailed <filename>/etc/vsftpd.conf</filename> options see the <ulink "
19020
"url=\"http://manpages.ubuntu.com/manpages/jaunty/en/man5/vsftpd.conf.5.html\""
19021
">vsftpd.conf man page</ulink>."
19024
#: serverguide/C/file-server.xml:299(para)
19026
"The CodeGurus article <ulink "
19027
"url=\"http://www.codeguru.com/csharp/.net/net_general/internet/article.php/c1"
19028
"4329\"> FTPS vs. SFTP: What to Choose</ulink> has useful information "
19029
"contrasting FTPS and SFTP."
19032
#: serverguide/C/file-server.xml:310(title)
19033
msgid "Network File System (NFS)"
19036
#: serverguide/C/file-server.xml:311(para)
19038
"NFS allows a system to share directories and files with others over a "
19039
"network. By using NFS, users and programs can access files on remote systems "
19040
"almost as if they were local files."
19043
#: serverguide/C/file-server.xml:317(para)
19044
msgid "Some of the most notable benefits that NFS can provide are:"
19047
#: serverguide/C/file-server.xml:323(para)
19049
"Local workstations use less disk space because commonly used data can be "
19050
"stored on a single machine and still remain accessible to others over the "
19054
#: serverguide/C/file-server.xml:328(para)
19056
"There is no need for users to have separate home directories on every "
19057
"network machine. Home directories could be set up on the NFS server and made "
19058
"available throughout the network."
19061
#: serverguide/C/file-server.xml:334(para)
19063
"Storage devices such as floppy disks, CDROM drives, and USB Thumb drives can "
19064
"be used by other machines on the network. This may reduce the number of "
19065
"removable media drives throughout the network."
19068
#: serverguide/C/file-server.xml:344(para)
19070
"At a terminal prompt enter the following command to install the NFS Server:"
19073
#: serverguide/C/file-server.xml:350(command)
19074
msgid "sudo apt-get install nfs-kernel-server"
19077
#: serverguide/C/file-server.xml:356(para)
19079
"You can configure the directories to be exported by adding them to the "
19080
"<filename>/etc/exports</filename> file. For example:"
19083
#: serverguide/C/file-server.xml:361(screen)
19087
"/ubuntu *(ro,sync,no_root_squash)\n"
19088
"/home *(rw,sync,no_root_squash)\n"
19091
#: serverguide/C/file-server.xml:367(para)
19093
"You can replace * with one of the hostname formats. Make the hostname "
19094
"declaration as specific as possible so unwanted systems cannot access the "
19098
#: serverguide/C/file-server.xml:373(para)
19100
"To start the NFS server, you can run the following command at a terminal "
19104
#: serverguide/C/file-server.xml:378(command)
19105
msgid "sudo /etc/init.d/nfs-kernel-server start"
19108
#: serverguide/C/file-server.xml:383(title)
19109
msgid "NFS Client Configuration"
19112
#: serverguide/C/file-server.xml:384(para)
19114
"Use the <application>mount</application> command to mount a shared NFS "
19115
"directory from another machine, by typing a command line similar to the "
19116
"following at a terminal prompt:"
19119
#: serverguide/C/file-server.xml:390(command)
19120
msgid "sudo mount example.hostname.com:/ubuntu /local/ubuntu"
19123
#: serverguide/C/file-server.xml:394(para)
19125
"The mount point directory <filename>/local/ubuntu</filename> must exist. "
19126
"There should be no files or subdirectories in the "
19127
"<filename>/local/ubuntu</filename> directory."
19130
#: serverguide/C/file-server.xml:401(para)
19132
"An alternate way to mount an NFS share from another machine is to add a line "
19133
"to the <filename>/etc/fstab</filename> file. The line must state the "
19134
"hostname of the NFS server, the directory on the server being exported, and "
19135
"the directory on the local machine where the NFS share is to be mounted."
19138
#: serverguide/C/file-server.xml:409(para)
19140
"The general syntax for the line in <filename>/etc/fstab</filename> file is "
19144
#: serverguide/C/file-server.xml:415(programlisting)
19148
"example.hostname.com:/ubuntu /local/ubuntu nfs "
19149
"rsize=8192,wsize=8192,timeo=14,intr\n"
19152
#: serverguide/C/file-server.xml:419(para)
19154
"If you have trouble mounting an NFS share, make sure the <application>nfs-"
19155
"common</application> package is installed on your client. To install "
19156
"<application>nfs-common</application> enter the following command at the "
19157
"terminal prompt: <screen>\n"
19158
"<command>sudo apt-get install nfs-common</command>\n"
19162
#: serverguide/C/file-server.xml:432(ulink)
19163
msgid "Linux NFS faq"
19166
#: serverguide/C/file-server.xml:437(title)
19167
msgid "CUPS - Print Server"
19170
#: serverguide/C/file-server.xml:438(para)
19172
"The primary mechanism for Ubuntu printing and print services is the "
19173
"<emphasis role=\"bold\">Common UNIX Printing System</emphasis> (CUPS). This "
19174
"printing system is a freely available, portable printing layer which has "
19175
"become the new standard for printing in most Linux distributions."
19178
#: serverguide/C/file-server.xml:445(para)
19180
"CUPS manages print jobs and queues and provides network printing using the "
19181
"standard Internet Printing Protocol (IPP), while offering support for a very "
19182
"large range of printers, from dot-matrix to laser and many in between. CUPS "
19183
"also supports PostScript Printer Description (PPD) and auto-detection of "
19184
"network printers, and features a simple web-based configuration and "
19185
"administration tool."
19188
#: serverguide/C/file-server.xml:455(para)
19190
"To install CUPS on your Ubuntu computer, simply use "
19191
"<application>sudo</application> with the <application>apt-get</application> "
19192
"command and give the packages to install as the first parameter. A complete "
19193
"CUPS install has many package dependencies, but they may all be specified on "
19194
"the same command line. Enter the following at a terminal prompt to install "
19198
#: serverguide/C/file-server.xml:460(command)
19199
msgid "sudo apt-get install cups"
19202
#: serverguide/C/file-server.xml:463(para)
19204
"Upon authenticating with your user password, the packages should be "
19205
"downloaded and installed without error. Upon the conclusion of installation, "
19206
"the CUPS server will be started automatically."
19209
#: serverguide/C/file-server.xml:468(para)
19211
"For troubleshooting purposes, you can access CUPS server errors via the "
19212
"error log file at: <filename>/var/log/cups/error_log</filename>. If the "
19213
"error log does not show enough information to troubleshoot any problems you "
19214
"encounter, the verbosity of the CUPS log can be increased by changing the "
19215
"<emphasis role=\"bold\">LogLevel</emphasis> directive in the configuration "
19216
"file (discussed below) to \"debug\" or even \"debug2\", which logs "
19217
"everything, from the default of \"info\". If you make this change, remember "
19218
"to change it back once you've solved your problem, to prevent the log file "
19219
"from becoming overly large."
19222
#: serverguide/C/file-server.xml:481(para)
19224
"The Common UNIX Printing System server's behavior is configured through the "
19225
"directives contained in the file <filename>/etc/cups/cupsd.conf</filename>. "
19226
"The CUPS configuration file follows the same syntax as the primary "
19227
"configuration file for the Apache HTTP server, so users familiar with "
19228
"editing Apache's configuration file should feel at ease when editing the "
19229
"CUPS configuration file. Some examples of settings you may wish to change "
19230
"initially will be presented here."
19233
#: serverguide/C/file-server.xml:491(para)
19235
"Prior to editing the configuration file, you should make a copy of the "
19236
"original file and protect it from writing, so you will have the original "
19237
"settings as a reference, and to reuse as necessary."
19240
#: serverguide/C/file-server.xml:495(para)
19242
"Copy the <filename>/etc/cups/cupsd.conf</filename> file and protect it from "
19243
"writing with the following commands, issued at a terminal prompt:"
19246
#: serverguide/C/file-server.xml:501(command)
19247
msgid "sudo cp /etc/cups/cupsd.conf /etc/cups/cupsd.conf.original"
19250
#: serverguide/C/file-server.xml:502(command)
19251
msgid "sudo chmod a-w /etc/cups/cupsd.conf.original"
19254
#: serverguide/C/file-server.xml:507(para)
19256
"<emphasis role=\"bold\">ServerAdmin</emphasis>: To configure the email "
19257
"address of the designated administrator of the CUPS server, simply edit the "
19258
"<filename>/etc/cups/cupsd.conf</filename> configuration file with your "
19259
"preferred text editor, and add or modify the <emphasis "
19260
"role=\"italics\">ServerAdmin</emphasis> line accordingly. For example, if "
19261
"you are the Administrator for the CUPS server, and your e-mail address is "
19262
"'bjoy@somebigco.com', then you would modify the ServerAdmin line to appear "
19266
#: serverguide/C/file-server.xml:518(screen)
19270
"ServerAdmin bjoy@somebigco.com\n"
19273
#: serverguide/C/file-server.xml:524(para)
19275
"<emphasis role=\"bold\">Listen</emphasis>: By default on Ubuntu, the CUPS "
19276
"server installation listens only on the loopback interface at IP address "
19277
"<emphasis>127.0.0.1</emphasis>. In order to instruct the CUPS server to "
19278
"listen on an actual network adapter's IP address, you must specify either a "
19279
"hostname, the IP address, or optionally, an IP address/port pairing via the "
19280
"addition of a Listen directive. For example, if your CUPS server resides on "
19281
"a local network at the IP address <emphasis "
19282
"role=\"italics\">192.168.10.250</emphasis> and you'd like to make it "
19283
"accessible to the other systems on this subnetwork, you would edit the "
19284
"<filename>/etc/cups/cupsd.conf</filename> and add a Listen directive, as "
19288
#: serverguide/C/file-server.xml:538(screen)
19292
"Listen 127.0.0.1:631 # existing loopback Listen\n"
19293
"Listen /var/run/cups/cups.sock # existing socket Listen\n"
19294
"Listen 192.168.10.250:631 # Listen on the LAN interface, Port 631 "
19298
#: serverguide/C/file-server.xml:544(para)
19300
"In the example above, you may comment out or remove the reference to the "
19301
"Loopback address (127.0.0.1) if you do not wish <application>cupsd "
19302
"</application> to listen on that interface, but would rather have it only "
19303
"listen on the Ethernet interfaces of the Local Area Network (LAN). To enable "
19304
"listening for all network interfaces for which a certain hostname is bound, "
19305
"including the Loopback, you could create a Listen entry for the hostname "
19306
"<emphasis>socrates</emphasis> as such:"
19309
#: serverguide/C/file-server.xml:554(screen)
19313
"Listen socrates:631 # Listen on all interfaces for the hostname 'socrates'\n"
19316
#: serverguide/C/file-server.xml:558(para)
19318
"or by omitting the Listen directive and using <emphasis>Port</emphasis> "
19322
#: serverguide/C/file-server.xml:560(screen)
19326
"Port 631 # Listen on port 631 on all interfaces\n"
19329
#: serverguide/C/file-server.xml:567(para)
19331
"For more examples of configuration directives in the CUPS server "
19332
"configuration file, view the associated system manual page by entering the "
19333
"following command at a terminal prompt:"
19336
#: serverguide/C/file-server.xml:574(command)
19337
msgid "man cupsd.conf"
19340
#: serverguide/C/file-server.xml:578(para)
19342
"Whenever you make changes to the <filename>/etc/cups/cupsd.conf</filename> "
19343
"configuration file, you'll need to restart the CUPS server by typing the "
19344
"following command at a terminal prompt:"
19347
#: serverguide/C/file-server.xml:584(command)
19348
msgid "sudo /etc/init.d/cups restart"
19351
#: serverguide/C/file-server.xml:590(title)
19352
msgid "Web Interface"
19355
#: serverguide/C/file-server.xml:592(para)
19357
"CUPS can be configured and monitored using a web interface, which by default "
19358
"is available at <ulink "
19359
"url=\"http://localhost:631/admin\">http://localhost:631/admin</ulink>. The "
19360
"web interface can be used to perform all printer management tasks."
19363
#: serverguide/C/file-server.xml:596(para)
19365
"In order to perform administrative tasks via the web interface, you must "
19366
"either have the root account enabled on your server, or authenticate as a "
19367
"user in the <emphasis role=\"italic\">lpadmin</emphasis> group. For security "
19368
"reasons, CUPS won't authenticate a user that doesn't have a password."
19371
#: serverguide/C/file-server.xml:599(para)
19373
"To add a user to the <emphasis role=\"italic\">lpadmin</emphasis> group, run "
19374
"at the terminal prompt: <screen>\n"
19375
"<command>sudo usermod -aG lpadmin username</command>\n"
19379
#: serverguide/C/file-server.xml:605(para)
19381
"Further documentation is available in the <emphasis "
19382
"role=\"italic\">Documentation/Help</emphasis> tab of the web interface."
19385
#: serverguide/C/file-server.xml:613(ulink)
19386
msgid "CUPS Website"
19389
#: serverguide/C/dns.xml:13(title)
19390
msgid "Domain Name Service (DNS)"
19393
#: serverguide/C/dns.xml:14(para)
19395
"Domain Name Service (DNS) is an Internet service that maps IP addresses and "
19396
"fully qualified domain names (FQDN) to one another. In this way, DNS "
19397
"alleviates the need to remember IP addresses. Computers that run DNS are "
19398
"called <emphasis>name servers</emphasis>. Ubuntu ships with "
19399
"<application>BIND</application> (Berkley Internet Naming Daemon), the most "
19400
"common program used for maintaining a name server on Linux."
19403
#: serverguide/C/dns.xml:24(para)
19405
"At a terminal prompt, enter the following command to install "
19406
"<application>dns</application>:"
19409
#: serverguide/C/dns.xml:28(command)
19410
msgid "sudo apt-get install bind9"
19413
#: serverguide/C/dns.xml:30(para)
19415
"A very useful package for testing and troubleshooting DNS issues is the "
19416
"dnsutils package. To install <application>dnsutils</application> enter the "
19420
#: serverguide/C/dns.xml:35(command)
19421
msgid "sudo apt-get install dnsutils"
19424
#: serverguide/C/dns.xml:40(para)
19426
"There a many ways to configure <application>BIND9</application>. Some of the "
19427
"most common configurations are a caching nameserver, primary master, and a "
19428
"as a secondary master."
19431
#: serverguide/C/dns.xml:46(para)
19433
"When configured as a caching nameserver BIND9 will find the answer to name "
19434
"queries and remember the answer when the domain is queried again."
19437
#: serverguide/C/dns.xml:52(para)
19439
"As a primary master server BIND9 reads the data for a zone from a file on "
19440
"it's host and is authoritative for that zone."
19443
#: serverguide/C/dns.xml:57(para)
19445
"In a secondary master configuration BIND9 gets the zone data from another "
19446
"nameserver authoritative for the zone."
19449
#: serverguide/C/dns.xml:65(para)
19451
"The DNS configuration files are stored in the <filename>/etc/bind</filename> "
19452
"directory. The primary configuration file is "
19453
"<filename>/etc/bind/named.conf</filename>."
19456
#: serverguide/C/dns.xml:72(para)
19458
"The <emphasis>include</emphasis> line specifies the filename which contains "
19459
"the DNS options. The <emphasis>directory</emphasis> line in the "
19460
"<filename>/etc/bind/named.conf.options</filename> file tells DNS where to "
19461
"look for files. All files BIND uses will be relative to this directory."
19464
#: serverguide/C/dns.xml:80(para)
19466
"The file named <filename>/etc/bind/db.root</filename> describes the root "
19467
"nameservers in the world. The servers change over time, so the "
19468
"<filename>/etc/bind/db.root</filename> file must be maintained now and then. "
19469
"This is usually done as updates to the <application>bind9</application> "
19470
"package. The <emphasis>zone</emphasis> section defines a master server, and "
19471
"it is stored in a file mentioned in the <emphasis>file</emphasis> option."
19474
#: serverguide/C/dns.xml:90(para)
19476
"It is possible to configure the same server to be a caching name server, "
19477
"primary master, and secondary master. A server can be the Start of Authority "
19478
"(SOA) for one zone, while providing secondary service for another zone. All "
19479
"the while providing caching services for hosts on the local LAN."
19482
#: serverguide/C/dns.xml:98(title)
19483
msgid "Caching Nameserver"
19486
#: serverguide/C/dns.xml:99(para)
19488
"The default configuration is setup to act as a caching server. All that is "
19489
"required is simply adding the IP Addresses of your ISP's DNS servers. Simply "
19490
"uncomment and edit the following in "
19491
"<filename>/etc/bind/named.conf.options</filename>:"
19494
#: serverguide/C/dns.xml:103(programlisting)
19504
#: serverguide/C/dns.xml:110(para)
19506
"Replace <emphasis>1.2.3.4</emphasis> and <emphasis>5.6.7.8</emphasis> with "
19507
"the IP Adresses of actual nameservers."
19510
#: serverguide/C/dns.xml:114(para)
19512
"Now restart the DNS server, to enable the new configuration. From a terminal "
19516
#: serverguide/C/dns.xml:118(command) serverguide/C/dns.xml:194(command) serverguide/C/dns.xml:253(command) serverguide/C/dns.xml:312(command) serverguide/C/dns.xml:561(command)
19517
msgid "sudo /etc/init.d/bind9 restart"
19520
#: serverguide/C/dns.xml:120(para)
19522
"See <xref linkend=\"dns-testing-dig\"/> for information on testing a caching "
19526
#: serverguide/C/dns.xml:125(title)
19527
msgid "Primary Master"
19530
#: serverguide/C/dns.xml:126(para)
19532
"In this section <application>BIND9</application> will be configured as the "
19533
"Primary Master for the domain <emphasis>example.com</emphasis>. Simply "
19534
"replace <emphasis role=\"italic\">example.com</emphasis> with your FQDN "
19535
"(Fully Qualified Domain Name)."
19538
#: serverguide/C/dns.xml:132(title)
19539
msgid "Forward Zone File"
19542
#: serverguide/C/dns.xml:133(para)
19544
"To add a DNS zone to BIND9, turning BIND9 into a Primary Master server, the "
19545
"first step is to edit <filename>/etc/bind/named.conf.local</filename>:"
19548
#: serverguide/C/dns.xml:137(programlisting)
19552
"zone \"example.com\" {\n"
19554
" file \"/etc/bind/db.example.com\";\n"
19558
#: serverguide/C/dns.xml:143(para)
19560
"Now use an existing zone file as a template to create the "
19561
"<filename>/etc/bind/db.example.com</filename> file:"
19564
#: serverguide/C/dns.xml:147(command)
19565
msgid "sudo cp /etc/bind/db.local /etc/bind/db.example.com"
19568
#: serverguide/C/dns.xml:149(para)
19570
"Edit the new zone file <filename>/etc/bind/db.example.com</filename> change "
19571
"<emphasis>localhost.</emphasis> to the FQDN of your server, leaving the "
19572
"additional \".\" at the end. Change <emphasis>127.0.0.1</emphasis> to the "
19573
"nameserver's IP Address and <emphasis>root.localhost</emphasis> to a valid "
19574
"email address, but with a \".\" instead of the usual \"@\" symbol, again "
19575
"leaving the \".\" at the end."
19578
#: serverguide/C/dns.xml:155(para)
19580
"Also, create an <emphasis>A record</emphasis> for <emphasis "
19581
"role=\"italic\">ns.example.com</emphasis>. The name server in this example:"
19584
#: serverguide/C/dns.xml:159(programlisting)
19589
"; BIND data file for local loopback interface\n"
19592
"@ IN SOA ns.example.com. root.example.com. (\n"
19594
" 604800 ; Refresh\n"
19596
" 2419200 ; Expire\n"
19597
" 604800 ) ; Negative Cache TTL\n"
19599
"@ IN NS ns.example.com.\n"
19600
"@ IN A 127.0.0.1\n"
19602
"ns IN A 192.168.1.10\n"
19605
#: serverguide/C/dns.xml:176(para)
19607
"You must increment the <emphasis>Serial Number</emphasis> every time you "
19608
"make changes to the zone file. If you make multiple changes before "
19609
"restarting BIND9, simply increment the Serial once."
19612
#: serverguide/C/dns.xml:180(para)
19614
"Now, you can add DNS records to the bottom of the zone file. See <xref "
19615
"linkend=\"dns-record-types\"/> for details."
19618
#: serverguide/C/dns.xml:184(para)
19620
"Many admins like to use the last date edited as the serial of a zone, such "
19621
"as <emphasis>2007010100</emphasis> which is yyyymmddss (where "
19622
"<emphasis>ss</emphasis> is the Serial Number)"
19625
#: serverguide/C/dns.xml:189(para)
19627
"Once you have made a change to the zone file "
19628
"<application>BIND9</application> will need to be restarted for the changes "
19632
#: serverguide/C/dns.xml:198(title)
19633
msgid "Reverse Zone File"
19636
#: serverguide/C/dns.xml:199(para)
19638
"Now that the zone is setup and resolving names to IP Adresses a "
19639
"<emphasis>Reverse zone</emphasis> is also required. A Reverse zone allows "
19640
"DNS to resolve an address to a name."
19643
#: serverguide/C/dns.xml:203(para)
19644
msgid "Edit /etc/bind/named.conf.local and add the following:"
19647
#: serverguide/C/dns.xml:206(programlisting)
19651
"zone \"1.168.192.in-addr.arpa\" {\n"
19654
" file \"/etc/bind/db.192\";\n"
19658
#: serverguide/C/dns.xml:214(para)
19660
"Replace <emphasis>1.168.192</emphasis> with the first three octets of "
19661
"whatever network you are using. Also, name the zone file "
19662
"<filename>/etc/bind/db.192</filename> appropriately. It should match the "
19663
"first octet of your network."
19666
#: serverguide/C/dns.xml:219(para)
19667
msgid "Now create the <filename>/etc/bind/db.192</filename> file:"
19670
#: serverguide/C/dns.xml:223(command)
19671
msgid "sudo cp /etc/bind/db.127 /etc/bind/db.192"
19674
#: serverguide/C/dns.xml:225(para)
19676
"Next edit <filename>/etc/bind/db.192</filename> changing the basically the "
19677
"same options as <filename>/etc/bind/db.example.com</filename>:"
19680
#: serverguide/C/dns.xml:229(programlisting)
19685
"; BIND reverse data file for local loopback interface\n"
19688
"@ IN SOA ns.example.com. root.example.com. (\n"
19690
" 604800 ; Refresh\n"
19692
" 2419200 ; Expire\n"
19693
" 604800 ) ; Negative Cache TTL\n"
19696
"10 IN PTR ns.example.com.\n"
19699
#: serverguide/C/dns.xml:244(para)
19701
"The <emphasis>Serial Number</emphasis> in the Reverse zone needs to be "
19702
"incremented on each changes as well. For each <emphasis>A record</emphasis> "
19703
"you configure in <filename>/etc/bind/db.example.com</filename> you need to "
19704
"create a <emphasis>PTR record</emphasis> in "
19705
"<filename>/etc/bind/db.192</filename>."
19708
#: serverguide/C/dns.xml:249(para)
19710
"After creating the reverse zone file restart "
19711
"<application>BIND9</application>:"
19714
#: serverguide/C/dns.xml:258(title)
19715
msgid "Secondary Master"
19718
#: serverguide/C/dns.xml:259(para)
19720
"Once a <emphasis>Primary Master</emphasis> has been configured a "
19721
"<emphasis>Secondary Master</emphasis> is needed in order to maintain the "
19722
"availability of the domain should the Primary become unavailable."
19725
#: serverguide/C/dns.xml:263(para)
19727
"First, on the Primary Master server, the zone transfer needs to be allowed. "
19728
"Add the <emphasis>allow-transfer</emphasis> option to the example Forward "
19729
"and Reverse zone definitions in "
19730
"<filename>/etc/bind/named.conf.local</filename>:"
19733
#: serverguide/C/dns.xml:267(programlisting)
19737
"zone \"example.com\" {\n"
19739
"\tfile \"/etc/bind/db.example.com\";\n"
19740
" allow-transfer { 192.168.1.11; };\n"
19743
"zone \"1.168.192.in-addr.arpa\" {\n"
19746
" file \"/etc/bind/db.192\";\n"
19747
"\tallow-transfer { 192.168.1.11; };\n"
19751
#: serverguide/C/dns.xml:282(para)
19753
"Replace <emphasis>192.168.1.11</emphasis> with the IP Address of your "
19754
"Secondary nameserver."
19757
#: serverguide/C/dns.xml:286(para)
19759
"Next, on the Secondary Master, install the <application>bind9</application> "
19760
"package the same way as on the Primary. Then edit the "
19761
"<filename>/etc/bind/named.conf.local</filename> and add the following "
19762
"declarations for the Forward and Reverse zones:"
19765
#: serverguide/C/dns.xml:290(programlisting)
19769
"zone \"example.com\" {\n"
19771
" file \"/var/cache/bind/db.example.com\";\n"
19772
" masters { 192.168.1.10; };\n"
19775
"zone \"1.168.192.in-addr.arpa\" {\n"
19777
" file \"/var/cache/bind/db.192\";\n"
19778
" masters { 192.168.1.10; };\n"
19782
#: serverguide/C/dns.xml:304(para)
19784
"Replace <emphasis>192.168.1.10</emphasis> with the IP Address of your "
19785
"Primary nameserver."
19788
#: serverguide/C/dns.xml:308(para)
19789
msgid "Restart <application>BIND9</application> on the Secondary Master:"
19792
#: serverguide/C/dns.xml:314(para)
19794
"In <filename>/var/log/syslog</filename> you should see something similar to:"
19797
#: serverguide/C/dns.xml:317(programlisting)
19801
"slave zone \"example.com\" (IN) loaded (serial 6)\n"
19802
"slave zone \"100.18.172.in-addr.arpa\" (IN) loaded (serial 3)\n"
19805
#: serverguide/C/dns.xml:322(para)
19807
"Note: A zone is only transferred if the <emphasis>Serial Number</emphasis> "
19808
"on the Primary is larger than the one on the Secondary."
19811
#: serverguide/C/dns.xml:328(para)
19813
"The default directory for non-authoritative zone files is "
19814
"<filename>/var/cache/bind/</filename>. This directory is also configured in "
19815
"<application>AppArmor</application> to allow the "
19816
"<application>named</application> daemon to write to. For more information on "
19817
"AppArmor see <xref linkend=\"apparmor\"/>."
19820
#: serverguide/C/dns.xml:339(para)
19822
"This section covers ways to help determine the cause when problems happen "
19823
"with DNS and <application>BIND9</application>."
19826
#: serverguide/C/dns.xml:345(title)
19827
msgid "resolv.conf"
19830
#: serverguide/C/dns.xml:346(para)
19832
"The first step in testing <application>BIND9</application> is to add the "
19833
"nameserver's IP Address to a hosts resolver. The Primary nameserver should "
19834
"be configured as well as another host to double check things. Simply edit "
19835
"<filename>/etc/resolv.conf</filename> and add the following:"
19838
#: serverguide/C/dns.xml:351(programlisting)
19842
"nameserver\t192.168.1.10\n"
19843
"nameserver\t192.168.1.11\n"
19846
#: serverguide/C/dns.xml:356(para)
19848
"You should also add the IP Address of the Secondary nameserver in case the "
19849
"Primary becomes unavailable."
19852
#: serverguide/C/dns.xml:362(title)
19856
#: serverguide/C/dns.xml:363(para)
19858
"If you installed the <application>dnsutils</application> package you can "
19859
"test your setup using the DNS lookup utility <application>dig</application>:"
19862
#: serverguide/C/dns.xml:369(para)
19864
"After installing <application>BIND9</application> use "
19865
"<application>dig</application> against the loopback interface to make sure "
19866
"it is listening on port 53. From a terminal prompt:"
19869
#: serverguide/C/dns.xml:374(command)
19870
msgid "dig -x 127.0.0.1"
19873
#: serverguide/C/dns.xml:376(para)
19874
msgid "You should see lines similar to the following in the command output:"
19877
#: serverguide/C/dns.xml:379(programlisting)
19881
";; Query time: 1 msec\n"
19882
";; SERVER: 192.168.1.10#53(192.168.1.10)\n"
19885
#: serverguide/C/dns.xml:385(para)
19887
"If you have configured <application>BIND9</application> as a "
19888
"<emphasis>Caching</emphasis> nameserver \"dig\" an outside domain to check "
19892
#: serverguide/C/dns.xml:390(command)
19893
msgid "dig ubuntu.com"
19896
#: serverguide/C/dns.xml:392(para)
19897
msgid "Note the query time toward the end of the command output:"
19900
#: serverguide/C/dns.xml:395(programlisting)
19904
";; Query time: 49 msec\n"
19907
#: serverguide/C/dns.xml:398(para)
19908
msgid "After a second dig there should be improvement:"
19911
#: serverguide/C/dns.xml:401(programlisting)
19915
";; Query time: 1 msec\n"
19918
#: serverguide/C/dns.xml:408(title)
19922
#: serverguide/C/dns.xml:410(para)
19924
"Now to demonstrate how applications make use of DNS to resolve a host name "
19925
"use the <application>ping</application> utility to send an ICMP echo "
19926
"request. From a terminal prompt enter:"
19929
#: serverguide/C/dns.xml:416(command)
19930
msgid "ping example.com"
19933
#: serverguide/C/dns.xml:418(para)
19935
"This tests if the nameserver can resolve the name "
19936
"<emphasis>ns.example.com</emphasis> to an IP Address. The command output "
19940
#: serverguide/C/dns.xml:422(programlisting)
19944
"PING ns.example.com (192.168.1.10) 56(84) bytes of data.\n"
19945
"64 bytes from 192.168.1.10: icmp_seq=1 ttl=64 time=0.800 ms\n"
19946
"64 bytes from 192.168.1.10: icmp_seq=2 ttl=64 time=0.813 ms\n"
19949
#: serverguide/C/dns.xml:429(title)
19950
msgid "named-checkzone"
19953
#: serverguide/C/dns.xml:430(para)
19955
"A great way to test your zone files is by using the <application>named-"
19956
"checkzone</application> utility installed with the "
19957
"<application>bind9</application> package. This utility allows you to make "
19958
"sure the configuration is correct before restarting "
19959
"<application>BIND9</application> and making the changes live."
19962
#: serverguide/C/dns.xml:437(para)
19964
"To test our example Forward zone file enter the following from a command "
19968
#: serverguide/C/dns.xml:441(command)
19969
msgid "named-checkzone example.com /etc/bind/db.example.com"
19972
#: serverguide/C/dns.xml:443(para)
19974
"If everything is configured correctly you should see output similar to:"
19977
#: serverguide/C/dns.xml:446(programlisting)
19981
"zone example.com/IN: loaded serial 6\n"
19985
#: serverguide/C/dns.xml:452(para)
19986
msgid "Similarly, to test the Reverse zone file enter the following:"
19989
#: serverguide/C/dns.xml:456(command)
19990
msgid "named-checkzone example.com /etc/bind/db.192"
19993
#: serverguide/C/dns.xml:458(para)
19994
msgid "The output should be similar to:"
19997
#: serverguide/C/dns.xml:461(programlisting)
20001
"zone example.com/IN: loaded serial 3\n"
20005
#: serverguide/C/dns.xml:468(para)
20007
"The <emphasis>Serial Number</emphasis> of your zone file will probably be "
20011
#: serverguide/C/dns.xml:475(title)
20015
#: serverguide/C/dns.xml:476(para)
20017
"<application>BIND9</application> has a wide variety of logging configuration "
20018
"options available. There are two main options. The "
20019
"<emphasis>channel</emphasis> option configures where logs go, and the "
20020
"<emphasis>category</emphasis> option determines what information to log."
20023
#: serverguide/C/dns.xml:480(para)
20024
msgid "If no logging option is configured the default option is:"
20027
#: serverguide/C/dns.xml:483(programlisting)
20032
" category default { default_syslog; default_debug; };\n"
20033
" category unmatched { null; };\n"
20037
#: serverguide/C/dns.xml:489(para)
20039
"This section covers configuring <application>BIND9</application> to send "
20040
"<emphasis>debug</emphasis> messages related to DNS queries to a separate "
20044
#: serverguide/C/dns.xml:494(para)
20046
"First, we need to configure a channel to specify which file to send the "
20047
"messages to. Edit <filename>/etc/bind/named.conf.local</filename> and add "
20051
#: serverguide/C/dns.xml:498(programlisting)
20056
" channel query.log { \n"
20057
" file \"/var/log/query.log\";\n"
20058
" severity debug 3; \n"
20063
#: serverguide/C/dns.xml:508(para)
20064
msgid "Next, configure a category to send all DNS queries to the query file:"
20067
#: serverguide/C/dns.xml:511(programlisting)
20072
" channel query.log { \n"
20073
" file \"/var/log/query.log\"; \n"
20074
" severity debug 3; \n"
20076
" <emphasis>category queries { query.log; };</emphasis> \n"
20080
#: serverguide/C/dns.xml:523(para)
20082
"Note: the <emphasis>debug</emphasis> option can be set from 1 to 3. If a "
20083
"level isn't specified level 1 is the default."
20086
#: serverguide/C/dns.xml:529(para)
20088
"Since the <emphasis>named daemon</emphasis> runs as the "
20089
"<emphasis>bind</emphasis> user the <filename>/var/log/query.log</filename> "
20090
"file must be created and the ownership changed:"
20093
#: serverguide/C/dns.xml:534(command)
20094
msgid "sudo touch /var/log/query.log"
20097
#: serverguide/C/dns.xml:535(command)
20098
msgid "sudo chown bind /var/log/query.log"
20101
#: serverguide/C/dns.xml:539(para)
20103
"Before <application>named</application> daemon can write to the new log file "
20104
"the <application>AppArmor</application> profile must be updated. First, edit "
20105
"<filename>/etc/apparmor.d/usr.sbin.named</filename> and add:"
20108
#: serverguide/C/dns.xml:543(programlisting)
20112
"/var/log/query.log w,\n"
20115
#: serverguide/C/dns.xml:546(para)
20116
msgid "Next, reload the profile:"
20119
#: serverguide/C/dns.xml:550(command)
20120
msgid "cat /etc/apparmor.d/usr.sbin.named | sudo apparmor_parser -r"
20123
#: serverguide/C/dns.xml:552(para)
20125
"For more information on <application>AppArmor</application> see <xref "
20126
"linkend=\"apparmor\"/>"
20129
#: serverguide/C/dns.xml:557(para)
20131
"Now restart <application>BIND9</application> for the changes to take effect:"
20134
#: serverguide/C/dns.xml:565(para)
20136
"You should see the file <filename>/var/log/query.log</filename> fill with "
20137
"query information. This is a simple example of the "
20138
"<application>BIND9</application> logging options. For coverage of advanced "
20139
"options see <xref linkend=\"dns-more-info\"/>."
20142
#: serverguide/C/dns.xml:574(title)
20143
msgid "Common Record Types"
20146
#: serverguide/C/dns.xml:575(para)
20147
msgid "This section covers some of the most common DNS record types."
20150
#: serverguide/C/dns.xml:580(para)
20152
"<emphasis>A</emphasis> record: This record maps an IP Address to a hostname."
20155
#: serverguide/C/dns.xml:583(programlisting)
20159
"www IN A 192.168.1.12\n"
20162
#: serverguide/C/dns.xml:588(para)
20164
"<emphasis>CNAME</emphasis> record: Used to create an alias to an existing A "
20165
"record. You cannot create a CNAME record pointing to another CNAME record."
20168
#: serverguide/C/dns.xml:591(programlisting)
20172
"web IN CNAME www\n"
20175
#: serverguide/C/dns.xml:596(para)
20177
"<emphasis>MX</emphasis> record: Used to define where email should be sent "
20178
"to. Must point to an A record, not a CNAME."
20181
#: serverguide/C/dns.xml:599(programlisting)
20185
" IN MX 1 mail.example.com.\n"
20186
"mail IN A 192.168.1.13\n"
20189
#: serverguide/C/dns.xml:605(para)
20191
"<emphasis>NS</emphasis> record: Used to define which servers serve copies of "
20192
"a zone. It must point to an A record, not a CNAME. This is where Primary and "
20193
"Secondary servers are defined."
20196
#: serverguide/C/dns.xml:609(programlisting)
20200
" IN NS ns.example.com.\n"
20201
"\tIN NS ns2.example.com.\n"
20202
"ns IN A 192.168.1.10\n"
20203
"ns2\tIN A\t 192.168.1.11\n"
20206
#: serverguide/C/dns.xml:619(title)
20207
msgid "More Information"
20210
#: serverguide/C/dns.xml:620(para)
20212
"The <ulink url=\"http://www.tldp.org/HOWTO/DNS-HOWTO.html\">DNS "
20213
"HOWTO</ulink> explains more advanced options for configuring BIND9."
20216
#: serverguide/C/dns.xml:623(para)
20218
"For in depth coverage of <emphasis>DNS</emphasis> and "
20219
"<application>BIND9</application> see <ulink "
20220
"url=\"http://www.bind9.net/\">Bind9.net</ulink>."
20223
#: serverguide/C/dns.xml:626(para)
20225
"<ulink url=\"http://www.oreilly.com/catalog/dns5/index.html\">DNS and "
20226
"BIND</ulink> is a popular book now in it's fifth edition."
20229
#: serverguide/C/dns.xml:629(para)
20231
"A great place to ask for <application>BIND9</application> assistance, and "
20232
"get involved with the Ubuntu Server community, is the <emphasis>#ubuntu-"
20233
"server</emphasis> IRC channel on <ulink "
20234
"url=\"http://freenode.net\">freenode</ulink>."
20237
#: serverguide/C/databases.xml:13(title)
20241
#: serverguide/C/databases.xml:14(para)
20242
msgid "Ubuntu provides two popular database servers. They are:"
20245
#: serverguide/C/databases.xml:22(application) serverguide/C/databases.xml:152(title)
20249
#: serverguide/C/databases.xml:25(para)
20251
"They are available in the main repository. This section explains how to "
20252
"install and configure these database servers."
20255
#: serverguide/C/databases.xml:32(para)
20257
"MySQL is a fast, multi-threaded, multi-user, and robust SQL database server. "
20258
"It is intended for mission-critical, heavy-load production systems as well "
20259
"as for embedding into mass-deployed software."
20262
#: serverguide/C/databases.xml:41(para)
20263
msgid "To install MySQL, run the following command from a terminal prompt:"
20266
#: serverguide/C/databases.xml:46(command)
20267
msgid "sudo apt-get install mysql-server"
20270
#: serverguide/C/databases.xml:48(para)
20272
"During the installation process you will be prompted to enter a password for "
20273
"the <application>MySQL</application> root user."
20276
#: serverguide/C/databases.xml:53(para)
20278
"Once the installation is complete, the MySQL server should be started "
20279
"automatically. You can run the following command from a terminal prompt to "
20280
"check whether the MySQL server is running:"
20283
#: serverguide/C/databases.xml:61(command)
20284
msgid "sudo netstat -tap | grep mysql"
20287
#: serverguide/C/databases.xml:70(programlisting)
20291
"tcp 0 0 localhost:mysql *:* LISTEN "
20295
#: serverguide/C/databases.xml:74(para)
20297
"If the server is not running correctly, you can type the following command "
20301
#: serverguide/C/databases.xml:79(command) serverguide/C/databases.xml:104(command)
20302
msgid "sudo /etc/init.d/mysql restart"
20305
#: serverguide/C/databases.xml:85(para)
20307
"You can edit the <filename>/etc/mysql/my.cnf</filename> file to configure "
20308
"the basic settings -- log file, port number, etc. For example, to configure "
20309
"<application>MySQL</application> to listen for connections from network "
20310
"hosts, change the <emphasis>bind_address</emphasis> directive to the "
20311
"server's IP address:"
20314
#: serverguide/C/databases.xml:91(programlisting)
20318
"bind-address = 192.168.0.5\n"
20321
#: serverguide/C/databases.xml:95(para)
20322
msgid "Replace 192.168.0.5 with the appropriate address."
20325
#: serverguide/C/databases.xml:99(para)
20327
"After making a change to <filename>/etc/mysql/my.cnf</filename> the "
20328
"<application>mysql</application> daemon will need to be restarted:"
20331
#: serverguide/C/databases.xml:107(para)
20333
"If you would like to change the "
20334
"<application>MySQL</application><emphasis>root</emphasis> password, in a "
20338
#: serverguide/C/databases.xml:113(command)
20339
msgid "sudo dpkg-reconfigure mysql-server-5.0"
20342
#: serverguide/C/databases.xml:116(para)
20344
"The <application>mysql</application> daemon will be stopped, and you will be "
20345
"prompted to enter a new password."
20348
#: serverguide/C/databases.xml:125(para)
20350
"See the <ulink url=\"http://www.mysql.com/\">MySQL Home Page</ulink> for "
20351
"more information."
20354
#: serverguide/C/databases.xml:130(para)
20356
"The <emphasis>MySQL Handbook</emphasis> is also available in the "
20357
"<application>mysql-doc-5.0</application> package. To install the package "
20358
"enter the following in a terminal:"
20361
#: serverguide/C/databases.xml:135(command)
20362
msgid "sudo apt-get install mysql-doc-5.0"
20365
#: serverguide/C/databases.xml:137(para)
20367
"The documentation is in HTML format, to view them enter "
20368
"<command>file:///usr/share/doc/mysql-doc-5.0/refman-5.0-en.html-"
20369
"chapter/index.html</command> in your browser's address bar."
20372
#: serverguide/C/databases.xml:143(para) serverguide/C/databases.xml:285(para)
20374
"For general SQL information see <ulink "
20375
"url=\"http://www.informit.com/store/product.aspx?isbn=0768664128\">Using SQL "
20376
"Special Edition</ulink> by Rafe Colburn."
20379
#: serverguide/C/databases.xml:153(para)
20381
"PostgreSQL is an object-relational database system that has the features of "
20382
"traditional commercial database systems with enhancements to be found in "
20383
"next-generation DBMS systems."
20386
#: serverguide/C/databases.xml:160(para)
20388
"To install PostgreSQL, run the following command in the command prompt:"
20391
#: serverguide/C/databases.xml:167(command)
20392
msgid "sudo apt-get install postgresql"
20395
#: serverguide/C/databases.xml:171(para)
20397
"Once the installation is complete, you should configure the PostgreSQL "
20398
"server based on your needs, although the default configuration is viable."
20401
#: serverguide/C/databases.xml:179(para)
20403
"By default, connection via TCP/IP is disabled. PostgreSQL supports multiple "
20404
"client authentication methods. By default, IDENT authentication method is "
20405
"used for <application>postgres</application> and local users. Please refer "
20406
"<ulink url=\"http://www.postgresql.org/docs/8.4/static/admin.html\"> the "
20407
"PostgreSQL Administrator's Guide</ulink>."
20410
#: serverguide/C/databases.xml:186(para)
20412
"The following discussion assumes that you wish to enable TCP/IP connections "
20413
"and use the MD5 method for client authentication. PostgreSQL configuration "
20414
"files are stored in the "
20415
"<filename>/etc/postgresql/<version>/main</filename> directory. For "
20416
"example, if you install PostgreSQL 8.4, the configuration files are stored "
20417
"in the <filename>/etc/postgresql/8.4/main</filename> directory."
20420
#: serverguide/C/databases.xml:196(para)
20422
"To configure <emphasis>ident</emphasis> authentication, add entries to the "
20423
"<filename>/etc/postgresql/8.4/main/pg_ident.conf</filename> file."
20426
#: serverguide/C/databases.xml:203(para)
20428
"To enable TCP/IP connections, edit the file "
20429
"<filename>/etc/postgresql/8.4/main/postgresql.conf</filename>"
20432
#: serverguide/C/databases.xml:205(para)
20434
"Locate the line <emphasis>#listen_addresses = 'localhost'</emphasis> and "
20438
#: serverguide/C/databases.xml:208(programlisting)
20442
"listen_addresses = 'localhost'\n"
20445
#: serverguide/C/databases.xml:212(para)
20447
"To allow other computers to connect to your "
20448
"<application>PostgreSQL</application> server replace 'localhost' with the "
20449
"<emphasis>IP Address</emphasis> of your server."
20452
#: serverguide/C/databases.xml:217(para)
20454
"You may also edit all other parameters, if you know what you are doing! For "
20455
"details, refer to the configuration file or to the PostgreSQL documentation."
20458
#: serverguide/C/databases.xml:222(para)
20460
"Now that we can connect to our <application>PostgreSQL</application> server, "
20461
"the next step is to set a password for the <emphasis>postgres</emphasis> "
20462
"user. Run the following command at a terminal prompt to connect to the "
20463
"default PostgreSQL template database:"
20466
#: serverguide/C/databases.xml:229(command)
20467
msgid "sudo -u postgres psql template1"
20470
#: serverguide/C/databases.xml:231(para)
20472
"The above command connects to PostgreSQL database "
20473
"<emphasis>template1</emphasis> as user <emphasis>postgres</emphasis>. Once "
20474
"you connect to the PostgreSQL server, you will be at a SQL prompt. You can "
20475
"run the following SQL command at the <application>psql</application> prompt "
20476
"to configure the password for the user <emphasis "
20477
"role=\"italics\">postgres</emphasis>."
20480
#: serverguide/C/databases.xml:239(command)
20481
msgid "ALTER USER postgres with encrypted password 'your_password';"
20484
#: serverguide/C/databases.xml:241(para)
20486
"After configuring the password, edit the file "
20487
"<filename>/etc/postgresql/8.4/main/pg_hba.conf</filename> to use "
20488
"<emphasis>MD5</emphasis> authentication with the "
20489
"<emphasis>postgres</emphasis> user:"
20492
#: serverguide/C/databases.xml:247(programlisting)
20496
"local all postgres md5 sameuser\n"
20499
#: serverguide/C/databases.xml:251(para)
20501
"Finally, you should restart the <application>PostgreSQL</application> "
20502
"service to initialize the new configuration. From a terminal prompt enter "
20503
"the following to restart <application>PostgreSQL</application>:"
20506
#: serverguide/C/databases.xml:257(command)
20507
msgid "sudo /etc/init.d/postgresql-8.4 restart"
20510
#: serverguide/C/databases.xml:260(para)
20512
"The above configuration is not complete by any means. Please refer <ulink "
20513
"url=\"http://www.postgresql.org/docs/8.4/static/admin.html\"> the PostgreSQL "
20514
"Administrator's Guide</ulink> to configure more parameters."
20517
#: serverguide/C/databases.xml:271(para)
20519
"As mentioned above the <ulink "
20520
"url=\"http://www.postgresql.org/docs/8.4/static/admin.html\">Administrator's "
20521
"Guide</ulink> is an excellent resource. The guide is also available in the "
20522
"<application>postgresql-doc-8.4</application> package. Execute the following "
20523
"in a terminal to install the package:"
20526
#: serverguide/C/databases.xml:277(command)
20527
msgid "sudo apt-get install postgresql-doc-8.4"
20530
#: serverguide/C/databases.xml:279(para)
20532
"To view the guide enter <command>file:///usr/share/doc/postgresql-doc-"
20533
"8.4/html/index.html</command> into the address bar of your browser."
20536
#: serverguide/C/clustering.xml:13(title)
20540
#: serverguide/C/clustering.xml:16(title)
20544
#: serverguide/C/clustering.xml:18(para)
20546
"Distributed Replicated Block Device (DRBD) mirrors block devices between "
20547
"multiple hosts. The replication is transparent to other applications on the "
20548
"host systems. Any block device hard disks, partitions, RAID devices, logical "
20549
"volumes, etc can be mirrored."
20552
#: serverguide/C/clustering.xml:24(para)
20554
"To get started using <application>drbd</application>, first install the "
20555
"necessary packages. From a terminal enter:"
20558
#: serverguide/C/clustering.xml:29(command)
20559
msgid "sudo apt-get install drbd8-utils"
20562
#: serverguide/C/clustering.xml:33(para)
20564
"If you are using the <emphasis>virtual kernel</emphasis> as part of a "
20565
"virtual machine you will need to manually compile the "
20566
"<application>drbd</application> module. It may be easier to install the "
20567
"<application>linux-server</application> package inside the virtual machine."
20570
#: serverguide/C/clustering.xml:40(para)
20572
"This section covers setting up a <application>drbd</application> to "
20573
"replicate a separate <filename>/srv</filename> partition, with an "
20574
"<application>ext3</application> filesystem between two hosts. The partition "
20575
"size is not particularly relevant, but both partitions need to be the same "
20579
#: serverguide/C/clustering.xml:49(para)
20581
"The two hosts in this example will be called <emphasis>drbd01</emphasis> and "
20582
"<emphasis>drbd02</emphasis>. They will need to have name resolution "
20583
"configured either through DNS or the <filename>/etc/hosts</filename> file. "
20584
"See <xref linkend=\"dns\"/> for details."
20587
#: serverguide/C/clustering.xml:57(para)
20589
"To configure <application>drbd</application>, on the first host edit "
20590
"<filename>/etc/drbd.conf</filename>:"
20593
#: serverguide/C/clustering.xml:61(programlisting)
20597
"global { usage-count no; }\n"
20598
"common { syncer { rate 100M; } }\n"
20602
" wfc-timeout 15;\n"
20603
" degr-wfc-timeout 60;\n"
20606
" cram-hmac-alg sha1;\n"
20607
" shared-secret \"secret\";\n"
20610
" device /dev/drbd0;\n"
20611
" disk /dev/sdb1;\n"
20612
" address 192.168.0.1:7788;\n"
20613
" meta-disk internal;\n"
20616
" device /dev/drbd0;\n"
20617
" disk /dev/sdb1;\n"
20618
" address 192.168.0.2:7788;\n"
20619
" meta-disk internal;\n"
20624
#: serverguide/C/clustering.xml:90(para)
20626
"There are many other options in <filename>/etc/drbd.conf</filename>, but for "
20627
"this example their default values are fine."
20630
#: serverguide/C/clustering.xml:98(para)
20631
msgid "Now copy <filename>/etc/drbd.conf</filename> to the second host:"
20634
#: serverguide/C/clustering.xml:103(command)
20635
msgid "scp /etc/drbd.conf drbd02:~"
20638
#: serverguide/C/clustering.xml:109(para)
20640
"And, on <emphasis>drbd02</emphasis> move the file to "
20641
"<filename>/etc</filename>:"
20644
#: serverguide/C/clustering.xml:114(command)
20645
msgid "sudo mv drbd.conf /etc/"
20648
#: serverguide/C/clustering.xml:120(para)
20650
"Next, on both hosts, start the <application>drbd</application> daemon:"
20653
#: serverguide/C/clustering.xml:125(command)
20654
msgid "sudo /etc/init.d/drbd start"
20657
#: serverguide/C/clustering.xml:131(para)
20659
"Now using the <application>drbdadm</application> utility initialize the meta "
20660
"data storage. On each server execute:"
20663
#: serverguide/C/clustering.xml:137(command)
20664
msgid "sudo drbdadm create-md r0"
20667
#: serverguide/C/clustering.xml:143(para)
20669
"On the <emphasis>drbd01</emphasis>, or whichever host you wish to be the "
20670
"primary, enter the following:"
20673
#: serverguide/C/clustering.xml:148(command)
20674
msgid "sudo drbdadm -- --overwrite-data-of-peer primary all"
20677
#: serverguide/C/clustering.xml:154(para)
20679
"After executing the above command, the data will start syncing with the "
20680
"secondary host. To watch the progresss, on <emphasis>drbd02</emphasis> enter "
20684
#: serverguide/C/clustering.xml:160(command)
20685
msgid "watch -n1 cat /proc/drbd"
20688
#: serverguide/C/clustering.xml:163(para)
20689
msgid "To stop watching the output press <emphasis>Ctrl+c</emphasis>."
20692
#: serverguide/C/clustering.xml:170(para)
20694
"Finally, add a filesystem to <filename>/dev/drbd0</filename> and mount it:"
20697
#: serverguide/C/clustering.xml:175(command)
20698
msgid "sudo mkfs.ext3 /dev/drbd0"
20701
#: serverguide/C/clustering.xml:176(command) serverguide/C/clustering.xml:224(command)
20702
msgid "sudo mount /dev/drbd0 /srv"
20705
#: serverguide/C/clustering.xml:186(para)
20707
"To test that the data is actually syncing between the hosts copy some files "
20708
"on the <emphasis>drbd01</emphasis>, the primary, to "
20709
"<filename>/srv</filename>:"
20712
#: serverguide/C/clustering.xml:195(para)
20713
msgid "Next, unmount <filename>/srv</filename>:"
20716
#: serverguide/C/clustering.xml:203(para)
20718
"<emphasis>Demote</emphasis> the <emphasis>primary</emphasis> server to the "
20719
"<emphasis>secondary</emphasis> role:"
20722
#: serverguide/C/clustering.xml:208(command)
20723
msgid "sudo drbdadm secondary r0"
20726
#: serverguide/C/clustering.xml:211(para)
20728
"Now on the <emphasis>secondary</emphasis> server "
20729
"<emphasis>promote</emphasis> it to the <emphasis>primary</emphasis> role:"
20732
#: serverguide/C/clustering.xml:216(command)
20733
msgid "sudo drbdadm primary r0"
20736
#: serverguide/C/clustering.xml:219(para)
20737
msgid "Lastly, mount the partition:"
20740
#: serverguide/C/clustering.xml:227(para)
20742
"Using <emphasis>ls</emphasis> you should see "
20743
"<filename>/srv/default</filename> copied from the former "
20744
"<emphasis>primary</emphasis> host <emphasis>drbd01</emphasis>."
20747
#: serverguide/C/clustering.xml:238(para)
20749
"For more information on <application>DRBD</application> see the <ulink "
20750
"url=\"http://www.drbd.org/\">DRBD web site</ulink>."
20753
#: serverguide/C/clustering.xml:243(para)
20756
"url=\"http://manpages.ubuntu.com/manpages/jaunty/en/man5/drbd.conf.5.html\">d"
20757
"rbd.conf man page</ulink> contains details on the options not covered in "
20761
#: serverguide/C/clustering.xml:249(para)
20763
"Also, see the <ulink "
20764
"url=\"http://manpages.ubuntu.com/manpages/jaunty/en/man8/drbdadm.8.html\">drb"
20765
"dadm man page</ulink>."
20768
#: serverguide/C/chat.xml:13(title)
20769
msgid "Chat Applications"
20772
#: serverguide/C/chat.xml:19(para)
20774
"In this section, we will discuss how to install and configure a IRC server, "
20775
"<application>ircd-irc2</application>. We will also discuss how to install "
20776
"and configure Jabber, an instance messaging server."
20779
#: serverguide/C/chat.xml:28(title)
20783
#: serverguide/C/chat.xml:30(para)
20785
"The Ubuntu repository has many Internet Relay Chat servers. This section "
20786
"explains how to install and configure the original IRC server "
20787
"<application>ircd-irc2</application>."
20790
#: serverguide/C/chat.xml:39(para)
20792
"To install <application>ircd-irc2</application>, run the following command "
20793
"in the command prompt:"
20796
#: serverguide/C/chat.xml:45(command)
20797
msgid "sudo apt-get install ircd-irc2"
20800
#: serverguide/C/chat.xml:48(para)
20802
"The configuration files are stored in <filename>/etc/ircd</filename> "
20803
"directory. The documents are available in <filename>/usr/share/doc/ircd-"
20804
"irc2</filename> directory."
20807
#: serverguide/C/chat.xml:59(para)
20809
"The IRC settings can be done in the configuration file "
20810
"<filename>/etc/ircd/ircd.conf</filename>. You can set the IRC host name in "
20811
"this file by editing the following line:"
20814
#: serverguide/C/chat.xml:64(programlisting)
20818
"M:irc.localhost::Debian ircd default configuration::000A\n"
20821
#: serverguide/C/chat.xml:68(para)
20823
"Please make sure you add DNS aliases for the IRC host name. For instance, if "
20824
"you set irc.livecipher.com as IRC host name, please make sure "
20825
"irc.livecipher.com is resolvable in your Domain Name Server. The IRC host "
20826
"name should not be same as the host name."
20829
#: serverguide/C/chat.xml:75(para)
20831
"The IRC admin details can be configured by editting the following line:"
20834
#: serverguide/C/chat.xml:80(programlisting)
20838
"A:Organization, IRC dept.:Daemon <ircd@example.irc.org>:Client "
20839
"Server::IRCnet:\n"
20842
#: serverguide/C/chat.xml:84(para)
20844
"You should add specific lines to configure the list of IRC ports to listen "
20845
"on, to configure Operator credentials, to configure client authentication, "
20846
"etc. For details, please refer to the example configuration file "
20847
"<filename>/usr/share/doc/ircd-irc2/ircd.conf.example.gz</filename>."
20850
#: serverguide/C/chat.xml:92(para)
20852
"The IRC banner to be displayed in the IRC client, when the user connects to "
20853
"the server can be set in <filename>/etc/ircd/ircd.motd</filename> file."
20856
#: serverguide/C/chat.xml:97(para)
20858
"After making necessary changes to the configuration file, you can restart "
20859
"the IRC server using following command:"
20862
#: serverguide/C/chat.xml:101(programlisting)
20866
"sudo /etc/init.d/ircd-irc2 restart\n"
20869
#: serverguide/C/chat.xml:109(para)
20871
"You may also be interested to take a look at other IRC servers available in "
20872
"Ubuntu Repository. It includes, <application>ircd-ircu</application> and "
20873
"<application>ircd-hybrid</application>."
20876
#: serverguide/C/chat.xml:117(para)
20878
"Refer to <ulink url=\"http://www.irc.org/tech_docs/ircnet/faq.html\">IRCD "
20879
"FAQ</ulink> for more details about the IRC Server."
20882
#: serverguide/C/chat.xml:127(title)
20883
msgid "Jabber Instant Messaging Server"
20886
#: serverguide/C/chat.xml:129(para)
20888
"<emphasis>Jabber</emphasis> a popular instant message protocol is based on "
20889
"XMPP, an open standard for instant messaging, and used by many popular "
20890
"applications. This section covers setting up a <emphasis>Jabberd "
20891
"2</emphasis> server on a local LAN. This configuration can also be adapted "
20892
"to providing messaging services to users over the Internet."
20895
#: serverguide/C/chat.xml:138(para)
20896
msgid "To install <application>jabberd2</application>, in a terminal enter:"
20899
#: serverguide/C/chat.xml:143(command)
20900
msgid "sudo apt-get install jabberd2"
20903
#: serverguide/C/chat.xml:150(para)
20905
"A couple of XML configuration files will be used to configure "
20906
"<application>jabberd2</application> for <emphasis>Berkely DB</emphasis> user "
20907
"authentication. This is a very simple form of authentication. However, "
20908
"<application>jabberd2</application> can be configured to use LDAP, MySQL, "
20909
"Postgresql, etc for for user authentication."
20912
#: serverguide/C/chat.xml:157(para)
20913
msgid "First, edit <filename>/etc/jabberd2/sm.xml</filename> changing:"
20916
#: serverguide/C/chat.xml:161(programlisting)
20920
" <id>jabber.example.com</id>\n"
20923
#: serverguide/C/chat.xml:166(para)
20925
"Replace <emphasis>jabber.example.com</emphasis> with the hostname, or other "
20926
"id, of your server."
20929
#: serverguide/C/chat.xml:171(para)
20930
msgid "Now in the <storage> section change the <driver> to:"
20933
#: serverguide/C/chat.xml:175(programlisting)
20937
" <driver>db</driver>\n"
20940
#: serverguide/C/chat.xml:179(para)
20942
"Next, edit <filename>/etc/jabberd2/c2s.xml</filename> in the "
20943
"<emphasis><local></emphasis> section change:"
20946
#: serverguide/C/chat.xml:183(programlisting)
20950
" <id>jabber.example.com</id>\n"
20953
#: serverguide/C/chat.xml:187(para)
20955
"And in the <authreg> section adjust the <module> section to:"
20958
#: serverguide/C/chat.xml:191(programlisting)
20962
" <module>db</module>\n"
20965
#: serverguide/C/chat.xml:195(para)
20967
"Finally, restart <application>jabberd2</application> to enable the new "
20971
#: serverguide/C/chat.xml:200(command)
20972
msgid "sudo /etc/init.d/jabberd2 restart"
20975
#: serverguide/C/chat.xml:203(para)
20977
"You should now be able to connect to the server using a Jabber client like "
20978
"<application>Pidgin</application> for example."
20981
#: serverguide/C/chat.xml:208(para)
20983
"The advantage of using Berkeley DB for user data is that after being "
20984
"configured no additional maintenance is required. If you need more control "
20985
"over user accounts and credentials another authentication method is "
20989
#: serverguide/C/chat.xml:220(para)
20991
"The <ulink url=\"http://codex.xiaoka.com/wiki/jabberd2:start\">Jabberd2 Web "
20992
"Site</ulink> contains more details on configuring "
20993
"<application>Jabberd2</application>."
20996
#: serverguide/C/chat.xml:226(para)
20998
"For more authentication options see the <ulink "
20999
"url=\"http://jabberd2.xiaoka.com/wiki/InstallGuide\">Jabberd2 Install "
21003
#: serverguide/C/backups.xml:13(title)
21007
#: serverguide/C/backups.xml:14(para)
21009
"There are many ways to backup an Ubuntu installation. The most important "
21010
"thing about backups is to develop a <emphasis>backup plan</emphasis> "
21011
"consisting of what to backup, where to back it up to, and how to restore it."
21014
#: serverguide/C/backups.xml:18(para)
21016
"The following sections discuss various ways of accomplishing these tasks."
21019
#: serverguide/C/backups.xml:22(title)
21020
msgid "Shell Scripts"
21023
#: serverguide/C/backups.xml:23(para)
21025
"One of the simplest ways to backup a system is using a <emphasis>shell "
21026
"script</emphasis>. For example, a script can be used to configure which "
21027
"directories to backup, and use those directories as arguments to the "
21028
"<application>tar</application> utility creating an archive file. The archive "
21029
"file can then be moved or copied to another location. The archive can also "
21030
"be created on a remote file system such as an <emphasis>NFS</emphasis> mount."
21033
#: serverguide/C/backups.xml:29(para)
21035
"The <application>tar</application> utility creates one archive file out of "
21036
"many files or directories. <application>tar</application> can also filter "
21037
"the files through compression utilities reducing the size of the archive "
21041
#: serverguide/C/backups.xml:35(title)
21042
msgid "Simple Shell Script"
21045
#: serverguide/C/backups.xml:36(para)
21047
"The following shell script uses <application>tar</application> to create an "
21048
"archive file on a remotely mounted NFS file system. The archive filename is "
21049
"determined using additional command line utilities."
21052
#: serverguide/C/backups.xml:40(programlisting)
21057
"####################################\n"
21059
"# Backup to NFS mount script.\n"
21061
"####################################\n"
21063
"# What to backup. \n"
21064
"backup_files=\"/home /var/spool/mail /etc /root /boot /opt\"\n"
21066
"# Where to backup to.\n"
21067
"dest=\"/mnt/backup\"\n"
21069
"# Create archive filename.\n"
21070
"day=$(date +%A)\n"
21071
"hostname=$(hostname -s)\n"
21072
"archive_file=\"$hostname-$day.tgz\"\n"
21074
"# Print start status message.\n"
21075
"echo \"Backing up $backup_files to $dest/$archive_file\"\n"
21079
"# Backup the files using tar.\n"
21080
"tar czf $dest/$archive_file $backup_files\n"
21082
"# Print end status message.\n"
21084
"echo \"Backup finished\"\n"
21087
"# Long listing of files in $dest to check file sizes.\n"
21091
#: serverguide/C/backups.xml:77(para)
21093
"<emphasis>$backup_files:</emphasis> a variable listing which directories you "
21094
"would like to backup. The list should be customized to fit your needs."
21097
#: serverguide/C/backups.xml:83(para)
21099
"<emphasis>$day:</emphasis> a variable holding the day of the week (Monday, "
21100
"Tuesday, Wednesday, etc). This is used to create an archive file for each "
21101
"day of the week, giving a backup history of seven days. There are other ways "
21102
"to accomplish this including other ways using the "
21103
"<application>date</application> utility."
21106
#: serverguide/C/backups.xml:90(para)
21108
"<emphasis>$hostname:</emphasis> variable containing the "
21109
"<emphasis>short</emphasis> hostname of the system. Using the hostname in the "
21110
"archive filename gives you the option of placing daily archive files from "
21111
"multiple systems in the same directory."
21114
#: serverguide/C/backups.xml:97(para)
21115
msgid "<emphasis>$archive_file:</emphasis> the full archive filename."
21118
#: serverguide/C/backups.xml:102(para)
21120
"<emphasis>$dest:</emphasis> destination of the archive file. The directory "
21121
"needs to be created and in this case <emphasis>mounted</emphasis> before "
21122
"executing the backup script. See <xref linkend=\"network-file-system\"/> for "
21123
"details using <emphasis>NFS</emphasis>."
21126
#: serverguide/C/backups.xml:109(para)
21128
"<emphasis>status messages:</emphasis> optional messages printed to the "
21129
"console using the <application>echo</application> utility."
21132
#: serverguide/C/backups.xml:115(para)
21134
"<emphasis>tar czf $dest/$archive_file $backup_files:</emphasis> the "
21135
"<application>tar</application> command used to create the archive file."
21138
#: serverguide/C/backups.xml:121(para)
21139
msgid "<emphasis>c:</emphasis> creates an archive."
21142
#: serverguide/C/backups.xml:126(para)
21144
"<emphasis>z:</emphasis> filter the archive through the "
21145
"<application>gzip</application> utility compressing the archive."
21148
#: serverguide/C/backups.xml:131(para)
21150
"<emphasis>f:</emphasis> use archive file. Otherwise the "
21151
"<application>tar</application> output will be sent to STDOUT."
21154
#: serverguide/C/backups.xml:138(para)
21156
"<emphasis>ls -lh $dest:</emphasis> optional statement prints a <emphasis>-"
21157
"l</emphasis> long listing in <emphasis>-h</emphasis> human readable format "
21158
"of the destination directory. This is useful for a quick file size check of "
21159
"the archive file. This check should not replace testing the archive file."
21162
#: serverguide/C/backups.xml:145(para)
21164
"This is a simple example of a backup shell script. There are large amount of "
21165
"options that can be included in a backup script. See <xref linkend=\"backup-"
21166
"shellscript-references\"/> for links to resources providing more in depth "
21167
"shell scripting information."
21170
#: serverguide/C/backups.xml:152(title)
21171
msgid "Executing the Script"
21174
#: serverguide/C/backups.xml:154(title)
21175
msgid "Executing from a Terminal"
21178
#: serverguide/C/backups.xml:155(para)
21180
"The simplest way of executing the above backup script is to copy and paste "
21181
"the contents into a file. <filename>backup.sh</filename> for example. Then "
21182
"from a terminal prompt:"
21185
#: serverguide/C/backups.xml:160(command)
21186
msgid "sudo bash backup.sh"
21189
#: serverguide/C/backups.xml:162(para)
21191
"This is a great way to test the script to make sure everything works as "
21195
#: serverguide/C/backups.xml:167(title)
21196
msgid "Executing with cron"
21199
#: serverguide/C/backups.xml:168(para)
21201
"The <application>cron</application> utility can be used to automate the "
21202
"script execution. The <application>cron</application> daemon allows the "
21203
"execution of scripts, or commands, at a specified time and date."
21206
#: serverguide/C/backups.xml:172(para)
21208
"<application>cron</application> is configured through entries in a "
21209
"<filename>crontab</filename> file. <filename>crontab</filename> files are "
21210
"separated into fields:"
21213
#: serverguide/C/backups.xml:176(programlisting)
21217
"# m h dom mon dow command\n"
21220
#: serverguide/C/backups.xml:181(para)
21222
"<emphasis>m:</emphasis> minute the command executes on between 0 and 59."
21225
#: serverguide/C/backups.xml:186(para)
21227
"<emphasis>h:</emphasis> hour the command executes on between 0 and 23."
21230
#: serverguide/C/backups.xml:191(para)
21231
msgid "<emphasis>dom:</emphasis> day of month the command executes on."
21234
#: serverguide/C/backups.xml:196(para)
21236
"<emphasis>mon:</emphasis> the month the command executes on between 1 and 12."
21239
#: serverguide/C/backups.xml:201(para)
21241
"<emphasis>dow:</emphasis> the day of the week the command executes on "
21242
"between 0 and 7. Sunday may be specified by using 0 or 7, both values are "
21246
#: serverguide/C/backups.xml:206(para)
21247
msgid "<emphasis>command:</emphasis> the command to execute."
21250
#: serverguide/C/backups.xml:211(para)
21252
"To add or change entries in a <filename>crontab</filename> file the "
21253
"<application>crontab -e</application> command should be used. Also, the "
21254
"contents of a <filename>crontab</filename> file can be viewed using the "
21255
"<application>crontab -l</application> command."
21258
#: serverguide/C/backups.xml:215(para)
21260
"To execute the <application>backup.sh</application> script listed above "
21261
"using <application>cron</application>. Enter the following from a terminal "
21265
#: serverguide/C/backups.xml:220(command)
21266
msgid "sudo crontab -e"
21269
#: serverguide/C/backups.xml:223(para)
21271
"Using <application>sudo</application> with the <application>crontab -"
21272
"e</application> command edits the <emphasis>root</emphasis> user's crontab. "
21273
"This is necessary if you are backing up directories only the root user has "
21277
#: serverguide/C/backups.xml:228(para)
21278
msgid "Add the following entry to the <filename>crontab</filename> file:"
21281
#: serverguide/C/backups.xml:231(programlisting)
21285
"# m h dom mon dow command\n"
21286
"0 0 * * * bash /usr/local/bin/backup.sh\n"
21289
#: serverguide/C/backups.xml:235(para)
21291
"The <application>backup.sh</application> script will now be executed every "
21295
#: serverguide/C/backups.xml:239(para)
21297
"The <application>backup.sh</application> script will need to be copied to "
21298
"the <filename>/usr/local/bin/</filename> directory in order for this entry "
21299
"to execute properly. The script can reside anywhere on the file system "
21300
"simply change the script path appropriately."
21303
#: serverguide/C/backups.xml:244(para)
21305
"For more in depth <application>crontab</application> options see <xref "
21306
"linkend=\"backup-shellscript-references\"/>."
21309
#: serverguide/C/backups.xml:250(title)
21310
msgid "Restoring from the Archive"
21313
#: serverguide/C/backups.xml:251(para)
21315
"Once an archive has been created it is important to test the archive. The "
21316
"archive can be tested by listing the files it contains, but the best test is "
21317
"to <emphasis>restore</emphasis> a file from the archive."
21320
#: serverguide/C/backups.xml:257(para)
21321
msgid "To see a listing of the archive contents. From a terminal prompt:"
21324
#: serverguide/C/backups.xml:261(command)
21325
msgid "tar -tzvf /mnt/backup/host-Monday.tgz"
21328
#: serverguide/C/backups.xml:265(para)
21329
msgid "To restore a file from the archive to a different directory enter:"
21332
#: serverguide/C/backups.xml:269(command)
21333
msgid "tar -xzvf /mnt/backup/host-Monday.tgz -C /tmp etc/hosts"
21336
#: serverguide/C/backups.xml:271(para)
21338
"The <emphasis>-C</emphasis> option to <application>tar</application> "
21339
"redirects the extracted files to the specified directory. The above example "
21340
"will extract the <filename>/etc/hosts</filename> file to "
21341
"<filename>/tmp/etc/hosts</filename>. <application>tar</application> "
21342
"recreates the directory structure that it contains."
21345
#: serverguide/C/backups.xml:276(para)
21347
"Also, notice the leading <emphasis>\"/\"</emphasis> is left off the path of "
21348
"the file to restore."
21351
#: serverguide/C/backups.xml:281(para)
21352
msgid "To restore all files in the archive enter the following:"
21355
#: serverguide/C/backups.xml:285(command)
21359
#: serverguide/C/backups.xml:286(command)
21360
msgid "sudo tar -xzvf /mnt/backup/host-Monday.tgz"
21363
#: serverguide/C/backups.xml:291(para)
21364
msgid "This will overwrite the files currently on the file system."
21367
#: serverguide/C/backups.xml:300(para)
21369
"For more information on shell scripting see the <ulink "
21370
"url=\"http://tldp.org/LDP/abs/html/\">Advanced Bash-Scripting Guide</ulink>"
21373
#: serverguide/C/backups.xml:305(para)
21375
"The book <ulink url=\"http://safari.samspublishing.com/0672323583\">Teach "
21376
"Yourself Shell Programming in 24 Hours</ulink> is available online and a "
21377
"great resource for shell scripting."
21380
#: serverguide/C/backups.xml:311(para)
21382
"The <ulink url=\"https://help.ubuntu.com/community/CronHowto\">CronHowto "
21383
"Wiki Page</ulink> contains details on advanced "
21384
"<application>cron</application> options."
21387
#: serverguide/C/backups.xml:318(para)
21389
"See the <ulink url=\"http://www.gnu.org/software/tar/manual/index.html\">GNU "
21390
"tar Manual</ulink> for more <application>tar</application> options."
21393
#: serverguide/C/backups.xml:324(para)
21395
"The Wikipedia <ulink "
21396
"url=\"http://en.wikipedia.org/wiki/Backup_rotation_scheme\">Backup Rotation "
21397
"Scheme</ulink> article contains information on other backup rotation schemes."
21400
#: serverguide/C/backups.xml:330(para)
21402
"The shell script uses <application>tar</application> to create the archive, "
21403
"but there many other command line utilities that can be used. For example:"
21406
#: serverguide/C/backups.xml:336(para)
21408
"<ulink url=\"http://www.gnu.org/software/cpio/\">cpio</ulink>: used to copy "
21409
"files to and from archives."
21412
#: serverguide/C/backups.xml:341(para)
21414
"<ulink url=\"http://www.gnu.org/software/coreutils/\">dd</ulink>: part of "
21415
"the <application>coreutils</application> package. A low level utility that "
21416
"can copy data from one format to another"
21419
#: serverguide/C/backups.xml:347(para)
21421
"<ulink url=\"http://www.rsnapshot.org/\">rsnapshot</ulink>: a file system "
21422
"snap shot utility used to create copies of an entire file system."
21425
#: serverguide/C/backups.xml:358(title)
21426
msgid "Archive Rotation"
21429
#: serverguide/C/backups.xml:359(para)
21431
"The shell script in section <xref linkend=\"backup-shellscripts\"/> only "
21432
"allows for seven different archives. For a server whose data doesn't change "
21433
"often this may be enough. If the server has a large amount of data a more "
21434
"robust rotation scheme should be used."
21437
#: serverguide/C/backups.xml:365(title)
21438
msgid "Rotating NFS Archives"
21441
#: serverguide/C/backups.xml:366(para)
21443
"In this section the shell script will be slightly modified to implement a "
21444
"grandfather-father-son rotation scheme (monthly-weekly-daily):"
21447
#: serverguide/C/backups.xml:372(para)
21449
"The rotation will do a <emphasis>daily</emphasis> backup Sunday through "
21453
#: serverguide/C/backups.xml:377(para)
21455
"On Saturday a <emphasis>weekly</emphasis> backup is done giving you four "
21456
"weekly backups a month."
21459
#: serverguide/C/backups.xml:382(para)
21461
"The <emphasis>monthly</emphasis> backup is done on the first of the month "
21462
"rotating two monthly backups based on if the month is odd or even."
21465
#: serverguide/C/backups.xml:388(para)
21466
msgid "Here is the new script:"
21469
#: serverguide/C/backups.xml:391(programlisting)
21474
"####################################\n"
21476
"# Backup to NFS mount script with\n"
21477
"# grandfather-father-son rotation.\n"
21479
"####################################\n"
21481
"# What to backup. \n"
21482
"backup_files=\"/home /var/spool/mail /etc /root /boot /opt\"\n"
21484
"# Where to backup to.\n"
21485
"dest=\"/mnt/backup\"\n"
21487
"# Setup variables for the archive filename.\n"
21488
"day=$(date +%A)\n"
21489
"hostname=$(hostname -s)\n"
21491
"# Find which week of the month 1-4 it is.\n"
21492
"day_num=$(date +%d)\n"
21493
"if (( $day_num <= 7 )); then\n"
21494
" week_file=\"$hostname-week1.tgz\"\n"
21495
"elif (( $day_num > 7 && $day_num <= 14 )); then\n"
21496
" week_file=\"$hostname-week2.tgz\"\n"
21497
"elif (( $day_num > 14 && $day_num <= 21 )); then\n"
21498
" week_file=\"$hostname-week3.tgz\"\n"
21499
"elif (( $day_num > 21 && $day_num < 32 )); then\n"
21500
" week_file=\"$hostname-week4.tgz\"\n"
21503
"# Find if the Month is odd or even.\n"
21504
"month_num=$(date +%m)\n"
21505
"month=$(expr $month_num % 2)\n"
21506
"if [ $month -eq 0 ]; then\n"
21507
" month_file=\"$hostname-month2.tgz\"\n"
21509
" month_file=\"$hostname-month1.tgz\"\n"
21512
"# Create archive filename.\n"
21513
"if [ $day_num == 1 ]; then\n"
21514
"\tarchive_file=$month_file\n"
21515
"elif [ $day != \"Saturday\" ]; then\n"
21516
" archive_file=\"$hostname-$day.tgz\"\n"
21518
"\tarchive_file=$week_file\n"
21521
"# Print start status message.\n"
21522
"echo \"Backing up $backup_files to $dest/$archive_file\"\n"
21526
"# Backup the files using tar.\n"
21527
"tar czf $dest/$archive_file $backup_files\n"
21529
"# Print end status message.\n"
21531
"echo \"Backup finished\"\n"
21534
"# Long listing of files in $dest to check file sizes.\n"
21538
#: serverguide/C/backups.xml:456(para)
21540
"The script can be executed using the same methods as in <xref "
21541
"linkend=\"backup-executing-shellscript\"/>."
21544
#: serverguide/C/backups.xml:459(para)
21546
"It is good practice to take backup media off site in case of a disaster. In "
21547
"the shell script example the backup media is another server providing an NFS "
21548
"share. In all likelihood taking the NFS server to another location would not "
21549
"be practical. Depending upon connection speeds it may be an option to copy "
21550
"the archive file over a WAN link to a server in another location."
21553
#: serverguide/C/backups.xml:465(para)
21555
"Another option is to copy the archive file to an external hard drive which "
21556
"can then be taken off site. Since the price of external hard drives continue "
21557
"to decrease it may be cost affective to use two drives for each archive "
21558
"level. This would allow you to have one external drive attached to the "
21559
"backup server and one in another location."
21562
#: serverguide/C/backups.xml:472(title)
21563
msgid "Tape Drives"
21566
#: serverguide/C/backups.xml:473(para)
21568
"A tape drive attached to the server can be used instead of a NFS share. "
21569
"Using a tape drive simplifies archive rotation, and taking the media off "
21573
#: serverguide/C/backups.xml:477(para)
21575
"When using a tape drive the filename portions of the script aren't needed "
21576
"because the date is sent directly to the tape device. Some commands to "
21577
"manipulate the tape are needed. This is accomplished using "
21578
"<application>mt</application>, a magnetic tape control utility part of the "
21579
"<application>cpio</application> package."
21582
#: serverguide/C/backups.xml:482(para)
21583
msgid "Here is the shell script modified to use a tape drive:"
21586
#: serverguide/C/backups.xml:485(programlisting)
21591
"####################################\n"
21593
"# Backup to tape drive script.\n"
21595
"####################################\n"
21597
"# What to backup. \n"
21598
"backup_files=\"/home /var/spool/mail /etc /root /boot /opt\"\n"
21600
"# Where to backup to.\n"
21601
"dest=\"/dev/st0\"\n"
21603
"# Print start status message.\n"
21604
"echo \"Backing up $backup_files to $dest\"\n"
21608
"# Make sure the tape is rewound.\n"
21609
"mt -f $dest rewind\n"
21611
"# Backup the files using tar.\n"
21612
"tar czf $dest $backup_files\n"
21614
"# Rewind and eject the tape.\n"
21615
"mt -f $dest rewoffl\n"
21617
"# Print end status message.\n"
21619
"echo \"Backup finished\"\n"
21623
#: serverguide/C/backups.xml:519(para)
21625
"The default device name for a SCSI tape drive is "
21626
"<filename>/dev/st0</filename>. Use the appropriate device path for your "
21630
#: serverguide/C/backups.xml:524(para)
21632
"Restoring from a tape drive is basically the same as restoring from a file. "
21633
"Simply rewind the tape and use the device path instead of a file path. For "
21634
"example to restore the <filename>/etc/hosts</filename> file to "
21635
"<filename>/tmp/etc/hosts</filename>:"
21638
#: serverguide/C/backups.xml:529(command)
21639
msgid "mt -f /dev/st0 rewind"
21642
#: serverguide/C/backups.xml:530(command)
21643
msgid "tar -xzf /dev/st0 -C /tmp etc/hosts"
21646
#: serverguide/C/backups.xml:535(title)
21650
#: serverguide/C/backups.xml:536(para)
21652
"<application>Bacula</application> is a backup program enabling you to "
21653
"backup, restore, and verify data across your network. There are Bacula "
21654
"clients for Linux, Windows, and Mac OSX. Making it a cross platform network "
21658
#: serverguide/C/backups.xml:542(para)
21660
"<application>Bacula</application> is made up of several components and "
21661
"services used to manage which files to backup and where to back them up to:"
21664
#: serverguide/C/backups.xml:548(para)
21666
"<application>Bacula Director:</application> a service that controls all "
21667
"backup, restore, verify, and archive operations."
21670
#: serverguide/C/backups.xml:553(para)
21672
"<application>Bacula Console:</application> an application allowing "
21673
"communication with the Director. There are three versions of the Console:"
21676
#: serverguide/C/backups.xml:558(para)
21677
msgid "Text based command line version."
21680
#: serverguide/C/backups.xml:559(para)
21681
msgid "Gnome based GTK+ Graphical User Interface (GUI) interface."
21684
#: serverguide/C/backups.xml:560(para)
21685
msgid "wxWidgets GUI interface."
21688
#: serverguide/C/backups.xml:564(para)
21690
"<application>Bacula File:</application> also known as the "
21691
"<application>Bacula Client</application> program. This application is "
21692
"installed on machines to be backed up, and is responsible for the data "
21693
"requested by the Director."
21696
#: serverguide/C/backups.xml:570(para)
21698
"<application>Bacula Storage:</application> the programs that perform the "
21699
"storage and recovery of data to the physical media."
21702
#: serverguide/C/backups.xml:575(para)
21704
"<application>Bacula Catalog:</application> is responsible for maintaining "
21705
"the file indexes and volume databases for all files backed up, enabling "
21706
"quick location and restoration of archived files. The Catalog supports three "
21707
"different databases MySQL, PostgreSQL, and SQLite."
21710
#: serverguide/C/backups.xml:581(para)
21712
"<application>Bacula Monitor:</application> allows the monitoring of the "
21713
"Director, File daemons, and Storage daemons. Currently the Monitor is only "
21714
"available as a GTK+ GUI application."
21717
#: serverguide/C/backups.xml:587(para)
21719
"These services and applications can be run on multiple servers and clients, "
21720
"or they can be installed on one machine if backing up a single disk or "
21724
#: serverguide/C/backups.xml:594(para)
21726
"There are multiple packages containing the different "
21727
"<application>Bacula</application> components. To install Bacula, from a "
21728
"terminal prompt enter:"
21731
#: serverguide/C/backups.xml:599(command)
21732
msgid "sudo apt-get install bacula"
21735
#: serverguide/C/backups.xml:601(para)
21737
"By default installing the <application>bacula</application> package will use "
21738
"a <application>MySQL</application> database for the Catalog. If you want to "
21739
"use SQLite or PostgreSQL, for the Catalog, install <application>bacula-"
21740
"director-sqlite3</application> or <application>bacula-director-"
21741
"pgsql</application> respectively."
21744
#: serverguide/C/backups.xml:607(para)
21746
"During the install process you will be asked to supply credentials for the "
21747
"database <emphasis>administrator</emphasis> and the "
21748
"<emphasis>bacula</emphasis> database <emphasis>owner</emphasis>. The "
21749
"database administrator will need to have the appropriate rights to create a "
21750
"database, see <xref linkend=\"mysql\"/> for more information."
21753
#: serverguide/C/backups.xml:617(para)
21755
"<application>Bacula</application> configuration files are formatted based on "
21756
"<emphasis>resources</emphasis> comprising of <emphasis>directives</emphasis> "
21757
"surrounded by <quote>{}</quote> braces. Each Bacula component has an "
21758
"individual file in the <filename role=\"directory\">/etc/bacula</filename> "
21762
#: serverguide/C/backups.xml:622(para)
21764
"The various <application>Bacula</application> components must authorize "
21765
"themselves to each other. This is accomplished using the "
21766
"<emphasis>password</emphasis> directive. For example, the "
21767
"<emphasis>Storage</emphasis> resource password in the "
21768
"<filename>/etc/bacula/bacula-dir.conf</filename> file must match the "
21769
"<emphasis>Director</emphasis> resource password in "
21770
"<filename>/etc/bacula/bacula-sd.conf</filename>."
21773
#: serverguide/C/backups.xml:628(para)
21775
"By default the backup job named <emphasis>Client1</emphasis> is configured "
21776
"to archive the <application>Bacula</application> Catalog. If you plan on "
21777
"using the server to backup more than one client you should change the name "
21778
"of this job to something more descriptive. To change the name edit "
21779
"<filename>/etc/bacula/bacula-dir.conf</filename>:"
21782
#: serverguide/C/backups.xml:633(programlisting)
21787
"# Define the main nightly save backup job\n"
21788
"# By default, this job will back up to disk in \n"
21790
" Name = \"BackupServer\"\n"
21791
" JobDefs = \"DefaultJob\"\n"
21792
" Write Bootstrap = \"/var/lib/bacula/Client1.bsr\"\n"
21796
#: serverguide/C/backups.xml:644(para)
21798
"The example above changes the job name to <emphasis>BackupServer</emphasis> "
21799
"matching the machine's host name. Replace <quote>BackupServer</quote> with "
21800
"your appropriate hostname, or other descriptive name."
21803
#: serverguide/C/backups.xml:649(para)
21805
"The <emphasis>Console</emphasis> can be used to query the "
21806
"<emphasis>Director</emphasis> about jobs, but to use the Console with a "
21807
"<emphasis>non-root</emphasis> user, the user needs to be in the "
21808
"<emphasis>bacula</emphasis> group. To add a user to the bacula group enter "
21809
"the following from a terminal:"
21812
#: serverguide/C/backups.xml:655(command)
21813
msgid "sudo adduser $username bacula"
21816
#: serverguide/C/backups.xml:658(para)
21818
"Replace <emphasis>$username</emphasis> with the actual username. Also, if "
21819
"you are adding the current user to the group you should log out and back in "
21820
"for the new permissions to take effect."
21823
#: serverguide/C/backups.xml:665(title)
21824
msgid "Localhost Backup"
21827
#: serverguide/C/backups.xml:666(para)
21829
"This section describes how to backup specified directories on a single host "
21830
"to a local tape drive."
21833
#: serverguide/C/backups.xml:671(para)
21835
"First, the <emphasis>Storage</emphasis> device needs to be configured. Edit "
21836
"<filename>/etc/bacula/bacula-sd.conf</filename> add:"
21839
#: serverguide/C/backups.xml:674(programlisting)
21844
" Name = \"Tape Drive\"\n"
21845
" Device Type = tape\n"
21846
" Media Type = DDS-4\n"
21847
" Archive Device = /dev/st0\n"
21848
" Hardware end of medium = No;\n"
21849
" AutomaticMount = yes; # when device opened, read it\n"
21850
" AlwaysOpen = Yes;\n"
21851
" RemovableMedia = yes;\n"
21852
" RandomAccess = no;\n"
21853
" Alert Command = \"sh -c 'tapeinfo -f %c | grep TapeAlert'\"\n"
21857
#: serverguide/C/backups.xml:688(para)
21859
"The example is for a <emphasis>DDS-4</emphasis> tape drive. Adjust the Media "
21860
"Type and Archive Device to match your hardware."
21863
#: serverguide/C/backups.xml:691(para)
21864
msgid "You could also uncomment one of the other examples in the file."
21867
#: serverguide/C/backups.xml:696(para)
21869
"After editing <filename>/etc/bacula/bacula-sd.conf</filename> the "
21870
"<application>Storage</application> daemon will need to be restarted:"
21873
#: serverguide/C/backups.xml:701(command)
21874
msgid "sudo /etc/init.d/bacula-sd restart"
21877
#: serverguide/C/backups.xml:705(para)
21879
"Now add a <emphasis>Storage</emphasis> resource in "
21880
"<filename>/etc/bacula/bacula-dir.conf</filename> to use the new Device:"
21883
#: serverguide/C/backups.xml:708(programlisting)
21887
"# Definition of \"Tape Drive\" storage device\n"
21889
" Name = TapeDrive\n"
21890
" # Do not use \"localhost\" here \n"
21891
" Address = backupserver # N.B. Use a fully qualified name "
21894
" Password = \"Cv70F6pf1t6pBopT4vQOnigDrR0v3LT3Cgkiyj\"\n"
21895
" Device = \"Tape Drive\"\n"
21896
" Media Type = tape\n"
21900
#: serverguide/C/backups.xml:720(para)
21902
"The <emphasis>Address</emphasis> directive needs to be the Fully Qualified "
21903
"Domain Name (FQDN) of the server. Change <emphasis>backupserver</emphasis> "
21904
"to the actual host name."
21907
#: serverguide/C/backups.xml:724(para)
21909
"Also, make sure the <emphasis>Password</emphasis> directive matches the "
21910
"password string in <filename>/etc/bacula/bacula-sd.conf</filename>."
21913
#: serverguide/C/backups.xml:730(para)
21915
"Create a new <emphasis>FileSet</emphasis>, which will determine what "
21916
"directories to backup, by adding:"
21919
#: serverguide/C/backups.xml:733(programlisting)
21923
"# LocalhostBacup FileSet.\n"
21925
" Name = \"LocalhostFiles\"\n"
21928
" signature = MD5\n"
21929
" compression=GZIP\n"
21937
#: serverguide/C/backups.xml:747(para)
21939
"This <emphasis>FileSet</emphasis> will backup the <filename "
21940
"role=\"directory\">/etc</filename> and <filename "
21941
"role=\"directory\">/home</filename> directories. The "
21942
"<emphasis>Options</emphasis> resource directives configure the FileSet to "
21943
"create a MD5 signature for each file backed up, and to compress the files "
21947
#: serverguide/C/backups.xml:754(para)
21948
msgid "Next, create a new <emphasis>Schedule</emphasis> for the backup job:"
21951
#: serverguide/C/backups.xml:757(programlisting)
21955
"# LocalhostBackup Schedule -- Daily.\n"
21957
" Name = \"LocalhostDaily\"\n"
21958
" Run = Full daily at 00:01\n"
21962
#: serverguide/C/backups.xml:764(para)
21964
"The job will run every day at 00:01 or 12:01 am. There are many other "
21965
"scheduling options available."
21968
#: serverguide/C/backups.xml:769(para)
21969
msgid "Finally create the <emphasis>Job</emphasis>:"
21972
#: serverguide/C/backups.xml:772(programlisting)
21976
"# Localhost backup.\n"
21978
" Name = \"LocalhostBackup\"\n"
21979
" JobDefs = \"DefaultJob\"\n"
21982
" FileSet = \"LocalhostFiles\"\n"
21983
" Schedule = \"LocalhostDaily\"\n"
21984
" Storage = TapeDrive\n"
21985
" Write Bootstrap = \"/var/lib/bacula/LocalhostBackup.bsr\"\n"
21989
#: serverguide/C/backups.xml:785(para)
21991
"The job will do a <emphasis>Full</emphasis> backup every day to the tape "
21995
#: serverguide/C/backups.xml:790(para)
21997
"Each tape used will need to have a <emphasis>Label</emphasis>. If the "
21998
"current tape does not have a label <application>Bacula</application> will "
21999
"send an email letting you know. To label a tape using the "
22000
"<application>Console</application> enter the following from a terminal:"
22003
#: serverguide/C/backups.xml:796(command)
22007
#: serverguide/C/backups.xml:800(para)
22008
msgid "At the Bacula Console prompt enter:"
22011
#: serverguide/C/backups.xml:804(command)
22015
#: serverguide/C/backups.xml:808(para)
22017
"You will then be prompted for the <emphasis>Storage</emphasis> resource:"
22020
#: serverguide/C/backups.xml:818(userinput)
22025
#: serverguide/C/backups.xml:812(computeroutput)
22029
"Automatically selected Catalog: MyCatalog\n"
22030
"Using Catalog \"MyCatalog\"\n"
22031
"The defined Storage resources are:\n"
22034
"Select Storage resource (1-2):<placeholder-1/>\n"
22037
#: serverguide/C/backups.xml:823(para)
22038
msgid "Enter the new <emphasis>Volume</emphasis> name:"
22041
#: serverguide/C/backups.xml:828(userinput)
22046
#: serverguide/C/backups.xml:827(computeroutput)
22050
"Enter new Volume name: <placeholder-1/>\n"
22056
#: serverguide/C/backups.xml:833(para)
22057
msgid "Replace <emphasis>Sunday</emphasis> with the desired label."
22060
#: serverguide/C/backups.xml:838(para)
22061
msgid "Now, select the <emphasis>Pool</emphasis>:"
22064
#: serverguide/C/backups.xml:843(userinput)
22069
#: serverguide/C/backups.xml:842(computeroutput)
22073
"Select the Pool (1-2): <placeholder-1/>\n"
22074
"Connecting to Storage daemon TapeDrive at backupserver:9103 ...\n"
22075
"Sending label command for Volume \"Sunday\" Slot 0 ...\n"
22078
#: serverguide/C/backups.xml:850(para)
22080
"Congratulations, you have now configured <emphasis>Bacula</emphasis> to "
22081
"backup the localhost to an attached tape drive."
22084
#: serverguide/C/backups.xml:858(para)
22086
"For more <emphasis>Bacula</emphasis> configuration options refer to the "
22087
"<ulink url=\"http://www.bacula.org/en/rel-manual/index.html\">Bacula User's "
22091
#: serverguide/C/backups.xml:864(para)
22093
"The <ulink url=\"http://www.bacula.org/\">Bacula Home Page</ulink> contains "
22094
"the latest Bacula news and developments."
22097
#. Put one translator per line, in the form of NAME <EMAIL>, YEAR1, YEAR2
22098
#: serverguide/C/backups.xml:0(None)
22099
msgid "translator-credits"
22101
"Launchpad Contributions:\n"
22102
" Michael Moroni https://launchpad.net/~haikara90"