# Lithuanian translation for ubuntu-docs
# Copyright (c) (c) 2006 Canonical Ltd, and Rosetta Contributors 2006
# This file is distributed under the same license as the ubuntu-docs package.
# FIRST AUTHOR <EMAIL@ADDRESS>, 2006.
"Project-Id-Version: ubuntu-docs\n"
"Report-Msgid-Bugs-To: FULL NAME <EMAIL@ADDRESS>\n"
"POT-Creation-Date: 2009-04-09 23:58+0100\n"
"PO-Revision-Date: 2009-04-10 07:31+0000\n"
"Last-Translator: Launchpad Translations Administrators "
"<rosetta@launchpad.net>\n"
"Language-Team: Lithuanian <lt@li.org>\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
"X-Launchpad-Export-Date: 2009-07-13 07:26+0000\n"
"X-Generator: Launchpad (build Unknown)\n"
#: serverguide/C/serverguide-C.omf:6(creator) serverguide/C/serverguide-C.omf:7(maintainer)
msgid "ubuntu-doc@lists.ubuntu.com (Ubuntu Documentation Project)"
#: serverguide/C/serverguide-C.omf:8(title) serverguide/C/serverguide-C.omf:11(description) serverguide/C/serverguide.xml:14(title) serverguide/C/bookinfo.xml:13(title)
msgid "Ubuntu Server Guide"
#: serverguide/C/serverguide-C.omf:9(date)
#: serverguide/C/windows-networking.xml:13(title)
msgid "Windows Networking"
msgstr "Windows'ų tinklas"
#: serverguide/C/windows-networking.xml:15(para)
"Computer networks are often comprised of diverse systems, and while "
"operating a network made up entirely of Ubuntu desktop and server computers "
"would certainly be fun, some network environments must consist of both "
"Ubuntu and <trademark class=\"registered\">Microsoft</trademark><trademark "
"class=\"registered\">Windows</trademark> systems working together in "
"harmony. This section of the <phrase>Ubuntu</phrase> Server Guide introduces "
"principles and tools used in configuring your Ubuntu Server for sharing "
"network resources with Windows computers."
#: serverguide/C/windows-networking.xml:25(title) serverguide/C/virtualization.xml:397(title) serverguide/C/security.xml:412(title) serverguide/C/remote-administration.xml:22(title) serverguide/C/package-management.xml:20(title) serverguide/C/jeos.xml:16(title) serverguide/C/introduction.xml:13(title)
#: serverguide/C/windows-networking.xml:27(para)
"Successfully networking your Ubuntu system with Windows clients involves "
"providing and integrating with services common to Windows environments. Such "
"services assist the sharing of data and information about the computers and "
"users involved in the network, and may be classified under three major "
"categories of functionality:"
#: serverguide/C/windows-networking.xml:35(para)
"<emphasis role=\"bold\">File and Printer Sharing Services</emphasis>. Using "
"the Server Message Block (SMB) protocol to facilitate the sharing of files, "
"folders, volumes, and the sharing of printers throughout the network."
#: serverguide/C/windows-networking.xml:41(para)
"<emphasis role=\"bold\">Directory Services</emphasis>. Sharing vital "
"information about the computers and users of the network with such "
"technologies as the Lightweight Directory Access Protocol (LDAP) and "
"Microsoft <trademark class=\"registered\">Active Directory</trademark>."
#: serverguide/C/windows-networking.xml:48(para)
"<emphasis role=\"bold\">Authentication and Access</emphasis>. Establishing "
"the identity of a computer or user of the network and determining the "
"information the computer or user is authorized to access using such "
"principles and technologies as file permissions, group policies, and the "
"Kerberos authentication service."
#: serverguide/C/windows-networking.xml:56(para)
"Fortunately, your Ubuntu system may provide all such facilities to Windows "
"clients and share network resources among them. One of the principal pieces "
"of software your Ubuntu system includes for Windows networking is the Samba "
"suite of SMB server applications and tools."
#: serverguide/C/windows-networking.xml:62(para)
"This section of the <phrase>Ubuntu</phrase> Server Guide will introduce some "
"of the common Samba use cases, and how to install and configure the "
"necessary packages. Additional detailed documentation and information on "
"Samba can be found on the <ulink url=\"http://www.samba.org\">Samba "
#: serverguide/C/windows-networking.xml:70(title)
msgid "Samba File Server"
#: serverguide/C/windows-networking.xml:72(para)
"One of the most common ways to network Ubuntu and Windows computers is to "
"configure Samba as a File Server. This section covers setting up a "
"<application>Samba</application> server to share files with Windows clients."
#: serverguide/C/windows-networking.xml:77(para)
"The server will be configured to share files with any client on the network "
"without prompting for a password. If your environment requires stricter "
"Access Controls see <xref linkend=\"samba-fileprint-security\"/>"
#: serverguide/C/windows-networking.xml:83(title) serverguide/C/windows-networking.xml:282(title) serverguide/C/windows-networking.xml:1279(title) serverguide/C/web-servers.xml:41(title) serverguide/C/web-servers.xml:669(title) serverguide/C/web-servers.xml:804(title) serverguide/C/web-servers.xml:925(title) serverguide/C/virtualization.xml:62(title) serverguide/C/virtualization.xml:1341(title) serverguide/C/vcs.xml:28(title) serverguide/C/vcs.xml:86(title) serverguide/C/vcs.xml:400(title) serverguide/C/remote-administration.xml:52(title) serverguide/C/remote-administration.xml:220(title) serverguide/C/network-config.xml:625(title) serverguide/C/network-auth.xml:52(title) serverguide/C/network-auth.xml:1230(title) serverguide/C/network-auth.xml:1736(title) serverguide/C/network-auth.xml:2127(title) serverguide/C/mail.xml:33(title) serverguide/C/mail.xml:297(title) serverguide/C/mail.xml:470(title) serverguide/C/mail.xml:614(title) serverguide/C/mail.xml:1103(title) serverguide/C/lamp-applications.xml:108(title) serverguide/C/lamp-applications.xml:275(title) serverguide/C/lamp-applications.xml:391(title) serverguide/C/installation.xml:13(title) serverguide/C/installation.xml:907(title) serverguide/C/file-server.xml:342(title) serverguide/C/file-server.xml:454(title) serverguide/C/dns.xml:23(title) serverguide/C/databases.xml:40(title) serverguide/C/databases.xml:159(title) serverguide/C/chat.xml:37(title) serverguide/C/chat.xml:134(title) serverguide/C/backups.xml:593(title)
#: serverguide/C/windows-networking.xml:85(para)
"The first step is to install the <application>samba</application> package. "
"From a terminal prompt enter:"
#: serverguide/C/windows-networking.xml:90(command) serverguide/C/windows-networking.xml:294(command)
msgid "sudo apt-get install samba"
#: serverguide/C/windows-networking.xml:93(para)
"That's all there is to it; you are now ready to configure Samba to share "
#: serverguide/C/windows-networking.xml:99(title) serverguide/C/windows-networking.xml:299(title) serverguide/C/web-servers.xml:61(title) serverguide/C/web-servers.xml:720(title) serverguide/C/web-servers.xml:815(title) serverguide/C/web-servers.xml:952(title) serverguide/C/web-servers.xml:1046(title) serverguide/C/virtualization.xml:1226(title) serverguide/C/virtualization.xml:1415(title) serverguide/C/vcs.xml:39(title) serverguide/C/vcs.xml:418(title) serverguide/C/remote-administration.xml:74(title) serverguide/C/remote-administration.xml:245(title) serverguide/C/package-management.xml:365(title) serverguide/C/network-config.xml:647(title) serverguide/C/network-auth.xml:88(title) serverguide/C/network-auth.xml:1775(title) serverguide/C/network-auth.xml:2148(title) serverguide/C/mail.xml:306(title) serverguide/C/mail.xml:480(title) serverguide/C/mail.xml:699(title) serverguide/C/mail.xml:1128(title) serverguide/C/lamp-applications.xml:128(title) serverguide/C/lamp-applications.xml:302(title) serverguide/C/lamp-applications.xml:421(title) serverguide/C/file-server.xml:355(title) serverguide/C/file-server.xml:480(title) serverguide/C/dns.xml:39(title) serverguide/C/databases.xml:84(title) serverguide/C/databases.xml:178(title) serverguide/C/clustering.xml:39(title) serverguide/C/chat.xml:57(title) serverguide/C/chat.xml:142(title) serverguide/C/backups.xml:616(title)
msgid "Configuration"
#: serverguide/C/windows-networking.xml:101(para)
"The main Samba configuration file is located in "
"<filename>/etc/samba/smb.conf</filename>. The default configuration file has "
"a significant amount of comments in order to document various configuration "
#: serverguide/C/windows-networking.xml:106(para)
"Not all the available options are included in the default configuration "
"file. See the <filename>smb.conf</filename><application>man</application> "
"page or the <ulink url=\"http://samba.org/samba/docs/man/Samba-HOWTO-"
"Collection/\">Samba HOWTO Collection</ulink> for more details."
#: serverguide/C/windows-networking.xml:116(para)
"First, edit the following key/value pairs in the "
"<emphasis>[global]</emphasis> section of "
"<filename>/etc/samba/smb.conf</filename>:"
#: serverguide/C/windows-networking.xml:121(programlisting) serverguide/C/windows-networking.xml:306(programlisting) serverguide/C/windows-networking.xml:975(programlisting)
" workgroup = EXAMPLE\n"
#: serverguide/C/windows-networking.xml:127(para)
"The <emphasis>security</emphasis> parameter is farther down in the [global] "
"section, and is commented by default. Also, change "
"<emphasis>EXAMPLE</emphasis> to better match your environment."
#: serverguide/C/windows-networking.xml:135(para)
"Create a new section at the bottom of the file, or uncomment one of the "
"examples, for the directory to be shared:"
#: serverguide/C/windows-networking.xml:139(programlisting)
" comment = Ubuntu File Server Share\n"
" path = /srv/samba/share\n"
" create mask = 0755\n"
#: serverguide/C/windows-networking.xml:151(para)
"<emphasis>comment:</emphasis> a short description of the share. Adjust to "
#: serverguide/C/windows-networking.xml:156(para)
msgid "<emphasis>path:</emphasis> the path to the directory to share."
#: serverguide/C/windows-networking.xml:159(para)
"This example uses <filename>/srv/samba/sharename</filename> because, "
"according to the <emphasis>Filesystem Hierarchy Standard (FHS)</emphasis>, "
"<ulink url=\"http://www.pathname.com/fhs/pub/fhs-"
"2.3.html#SRVDATAFORSERVICESPROVIDEDBYSYSTEM\">/srv</ulink> is where site-"
"specific data should be served. Technically Samba shares can be placed "
"anywhere on the filesystem as long as the permissions are correct, but "
"adhering to standards is recommended."
#: serverguide/C/windows-networking.xml:168(para)
"<emphasis>browsable:</emphasis> enables Windows clients to browse the shared "
"directory using <application>Windows Explorer</application>."
#: serverguide/C/windows-networking.xml:174(para)
"<emphasis>guest ok:</emphasis> allows clients to connect to the share "
"without supplying a password."
#: serverguide/C/windows-networking.xml:179(para)
"<emphasis>read only:</emphasis> gives write access to the shared directory."
#: serverguide/C/windows-networking.xml:184(para)
"<emphasis>create mask:</emphasis> determines the permissions new files will "
#: serverguide/C/windows-networking.xml:193(para)
"Now that <application>Samba</application> is configured, the directory needs "
"to be created and the permissions changed. From a terminal enter:"
#: serverguide/C/windows-networking.xml:199(command)
msgid "sudo mkdir -p /srv/samba/share"
#: serverguide/C/windows-networking.xml:200(command)
msgid "sudo chown nobody.nogroup /srv/samba/share/"
#: serverguide/C/windows-networking.xml:204(para)
"The <emphasis>-p</emphasis> switch tells mkdir to create the entire "
"directory tree if it doesn't exist. Change the share name to fit your "
#: serverguide/C/windows-networking.xml:213(para)
"Finally, restart the <application>samba</application> services to enable the "
#: serverguide/C/windows-networking.xml:218(command) serverguide/C/windows-networking.xml:326(command) serverguide/C/windows-networking.xml:458(command) serverguide/C/windows-networking.xml:557(command) serverguide/C/windows-networking.xml:922(command) serverguide/C/windows-networking.xml:1032(command) serverguide/C/windows-networking.xml:1142(command) serverguide/C/network-auth.xml:1510(command)
msgid "sudo /etc/init.d/samba restart"
#: serverguide/C/windows-networking.xml:225(para)
"Once again, the above configuration gives all access to any client on the "
"local network. For a more secure configuration see <xref linkend=\"samba-"
"fileprint-security\"/>."
#: serverguide/C/windows-networking.xml:231(para)
"From a Windows client you should now be able to browse to the Ubuntu file "
"server and see the shared directory. To check that everything is working try "
"creating a directory from Windows."
#: serverguide/C/windows-networking.xml:236(para)
"To create additional shares simply create new <emphasis>[dir]</emphasis> "
"sections in <filename>/etc/samba/smb.conf</filename>, and restart "
"<emphasis>Samba</emphasis>. Just make sure that the directory you want to "
"share actually exists and the permissions are correct."
#: serverguide/C/windows-networking.xml:243(title) serverguide/C/windows-networking.xml:336(title) serverguide/C/windows-networking.xml:686(title) serverguide/C/windows-networking.xml:1051(title) serverguide/C/windows-networking.xml:1253(title) serverguide/C/virtualization.xml:366(title) serverguide/C/virtualization.xml:1163(title) serverguide/C/remote-administration.xml:478(title) serverguide/C/network-config.xml:269(title) serverguide/C/network-config.xml:512(title) serverguide/C/network-auth.xml:1186(title) serverguide/C/network-auth.xml:1625(title) serverguide/C/network-auth.xml:2223(title) serverguide/C/network-auth.xml:2727(title) serverguide/C/jeos.xml:782(title) serverguide/C/installation.xml:847(title) serverguide/C/installation.xml:1123(title) serverguide/C/databases.xml:122(title) serverguide/C/databases.xml:268(title) serverguide/C/backups.xml:855(title)
#: serverguide/C/windows-networking.xml:247(para) serverguide/C/windows-networking.xml:340(para) serverguide/C/windows-networking.xml:690(para) serverguide/C/windows-networking.xml:1055(para)
"For in depth Samba configurations see the <ulink "
"url=\"http://samba.org/samba/docs/man/Samba-HOWTO-Collection/\">Samba HOWTO "
#: serverguide/C/windows-networking.xml:253(para) serverguide/C/windows-networking.xml:346(para) serverguide/C/windows-networking.xml:696(para) serverguide/C/windows-networking.xml:1061(para)
"The guide is also available in <ulink "
"url=\"http://www.amazon.com/exec/obidos/tg/detail/-/0131882228\">printed "
#: serverguide/C/windows-networking.xml:259(para) serverguide/C/windows-networking.xml:352(para)
"url=\"http://www.oreilly.com/catalog/9780596007690/\">Using Samba</ulink> is "
"another good reference."
#: serverguide/C/windows-networking.xml:269(title)
msgid "Samba Print Server"
#: serverguide/C/windows-networking.xml:271(para)
"Another common use of Samba is to configure it to share printers installed, "
"either locally or over the network, on an Ubuntu server. Similar to <xref "
"linkend=\"samba-fileserver\"/> this section will configure Samba to allow "
"any client on the local network to use the installed printers without "
"prompting for a username and password."
#: serverguide/C/windows-networking.xml:277(para)
"For a more secure configuration see <xref linkend=\"samba-fileprint-"
#: serverguide/C/windows-networking.xml:284(para)
"Before installing and configuring Samba it is best to already have a working "
"<application>CUPS</application> installation. See <xref linkend=\"cups\"/> "
#: serverguide/C/windows-networking.xml:289(para)
"To install the <application>samba</application> package, from a terminal "
#: serverguide/C/windows-networking.xml:300(para)
"After installing samba edit <filename>/etc/samba/smb.conf</filename>. Change "
"the <emphasis>workgroup</emphasis> attribute to what is appropriate for your "
"network, and change <emphasis>security</emphasis> to <emphasis "
"role=\"italic\">share</emphasis>:"
#: serverguide/C/windows-networking.xml:312(para)
"In the <emphasis>[printers]</emphasis> section change the <emphasis>guest "
"ok</emphasis> option to <emphasis role=\"italic\">yes</emphasis>:"
#: serverguide/C/windows-networking.xml:316(programlisting)
#: serverguide/C/windows-networking.xml:321(para)
msgid "After editing <filename>smb.conf</filename> restart Samba:"
#: serverguide/C/windows-networking.xml:329(para)
"The default Samba configuration will automatically share any printers "
"installed. Simply install the printer locally on your Windows clients."
#: serverguide/C/windows-networking.xml:358(para)
"Also, see the <ulink url=\"http://www.cups.org/\">CUPS Website</ulink> for "
"more information on configuring CUPS."
#: serverguide/C/windows-networking.xml:367(title)
msgid "Securing a Samba File and Print Server"
#: serverguide/C/windows-networking.xml:370(title)
msgid "Samba Security Modes"
#: serverguide/C/windows-networking.xml:372(para)
"There are two security levels available to the Common Internet Filesystem "
"(CIFS) network protocol <emphasis>user-level</emphasis> and <emphasis>share-"
"level</emphasis>. Samba's <emphasis>security mode</emphasis> implementation "
"allows more flexibility, providing four ways of implementing user-level "
"security and one way to implement share-level:"
#: serverguide/C/windows-networking.xml:381(para)
"<emphasis>security = user:</emphasis> requires clients to supply a username "
"and password to connect to shares. Samba user accounts are separate from "
"system accounts, but the <application>libpam-smbpass</application> package "
"will sync system users and passwords with the Samba user database."
#: serverguide/C/windows-networking.xml:388(para)
"<emphasis>security = domain:</emphasis> this mode allows the Samba server to "
"appear to Windows clients as a Primary Domain Controller (PDC), Backup "
"Domain Controller (BDC), or a Domain Member Server (DMS). See <xref "
"linkend=\"samba-dc\"/> for further information."
#: serverguide/C/windows-networking.xml:395(para)
"<emphasis>security = ADS:</emphasis> allows the Samba server to join an "
"Active Directory domain as a native member. See <xref linkend=\"samba-ad-"
"integration\"/> for details."
#: serverguide/C/windows-networking.xml:401(para)
"<emphasis>security = server:</emphasis> this mode is left over from before "
"Samba could become a member server, and due to some security issues should "
"not be used. See the <ulink url=\"http://samba.org/samba/docs/man/Samba-"
"HOWTO-Collection/ServerType.html#id349531\">Server Security</ulink> section "
"of the Samba guide for more details."
#: serverguide/C/windows-networking.xml:409(para)
"<emphasis>security = share:</emphasis> allows clients to connect to shares "
"without supplying a username and password."
#: serverguide/C/windows-networking.xml:416(para)
"The security mode you choose will depend on your environment and what you "
"need the Samba server to accomplish."
#: serverguide/C/windows-networking.xml:422(title)
msgid "Security = User"
#: serverguide/C/windows-networking.xml:424(para)
"This section will reconfigure the Samba file and print server, from <xref "
"linkend=\"samba-fileserver\"/> and <xref linkend=\"samba-printserver\"/>, to "
"require authentication."
#: serverguide/C/windows-networking.xml:429(para)
"First, install the <application>libpam-smbpass</application> package which "
"will sync the system users to the Samba user database:"
#: serverguide/C/windows-networking.xml:435(command)
msgid "sudo apt-get install libpam-smbpass"
#: serverguide/C/windows-networking.xml:439(para)
"If you chose the <emphasis>Samba Server</emphasis> task during installation "
"<application>libpam-smbpass</application> is already installed."
#: serverguide/C/windows-networking.xml:445(para)
"Edit <filename>/etc/samba/smb.conf</filename>, and in the "
"<emphasis>[share]</emphasis> section change:"
#: serverguide/C/windows-networking.xml:449(programlisting)
#: serverguide/C/windows-networking.xml:453(para)
msgid "Finally, restart Samba for the new settings to take effect:"
#: serverguide/C/windows-networking.xml:461(para)
"Now when connecting to the shared directories or printers you should be "
"prompted for a username and password."
#: serverguide/C/windows-networking.xml:466(para)
"If you choose to map a network drive to the share you can check the "
"<quote>Reconnect at Logon</quote> check box, which will require you to only "
"enter the username and password once, at least until the password changes."
#: serverguide/C/windows-networking.xml:474(title)
msgid "Share Security"
#: serverguide/C/windows-networking.xml:476(para)
"There are several options available to increase the security for each "
"individual shared directory. Using the <emphasis>[share]</emphasis> example, "
"this section will cover some common options."
#: serverguide/C/windows-networking.xml:482(title)
#: serverguide/C/windows-networking.xml:484(para)
"Groups define a collection of computers or users which have a common level "
"of access to particular network resources and offer a level of granularity "
"in controlling access to such resources. For example, if a group <emphasis "
"role=\"italic\">qa</emphasis> is defined and contains the users <emphasis "
"role=\"italic\">freda</emphasis>, <emphasis "
"role=\"italic\">danika</emphasis>, and <emphasis "
"role=\"italic\">rob</emphasis> and a second group <emphasis "
"role=\"italic\">support</emphasis> is defined and consists of users "
"<emphasis role=\"italic\">danika</emphasis>, <emphasis "
"role=\"italic\">jeremy</emphasis>, and <emphasis "
"role=\"italic\">vincent</emphasis> then certain network resources configured "
"to allow access by the <emphasis role=\"italic\">qa</emphasis> group will "
"subsequently enable access by freda, danika, and rob, but not jeremy or "
"vincent. Since the user <emphasis role=\"italic\">danika</emphasis> belongs "
"to both the <emphasis role=\"italic\">qa</emphasis> and <emphasis "
"role=\"italic\">support</emphasis> groups, she will be able to access "
"resources configured for access by both groups, whereas all other users will "
"have only access to resources explicitly allowing the group they are part of."
#: serverguide/C/windows-networking.xml:498(para)
"By default Samba looks for the local system groups defined in "
"<filename>/etc/group</filename> to determine which users belong to which "
"groups. For more information on adding and removing users from groups see "
"<xref linkend=\"adding-deleting-users\"/>."
#: serverguide/C/windows-networking.xml:504(para)
"When defining groups in the Samba configuration file, "
"<filename>/etc/samba/smb.conf</filename>, the recognized syntax is to "
"preface the group name with an \"@\" symbol. For example, if you wished to "
"define a group named <emphasis role=\"italic\">sysadmin</emphasis> in a "
"certain section of the <filename>/etc/samba/smb.conf</filename>, you would "
"do so by entering the group name as <emphasis "
"role=\"bold\">@sysadmin</emphasis>."
#: serverguide/C/windows-networking.xml:513(title)
msgid "File Permissions"
msgstr "Failų Teisės"
#: serverguide/C/windows-networking.xml:515(para)
"File Permissions define the explicit rights a computer or user has to a "
"particular directory, file, or set of files. Such permissions may be defined "
"by editing the <filename>/etc/samba/smb.conf</filename> file and specifying "
"the explicit permissions of a defined file share."
#: serverguide/C/windows-networking.xml:521(para)
"For example, if you have defined a Samba share called "
"<emphasis>share</emphasis> and wish to give <emphasis role=\"italic\">read-"
"only</emphasis> permissions to the group of users known as <emphasis "
"role=\"italic\">qa</emphasis>, but wanted to allow writing to the share by "
"the group called <emphasis role=\"italic\">sysadmin</emphasis> and the user "
"named <emphasis role=\"italic\">vincent</emphasis>, then you could edit the "
"<filename>/etc/samba/smb.conf</filename> file, and add the following entries "
"under the <emphasis>[share]</emphasis> entry:"
#: serverguide/C/windows-networking.xml:530(programlisting)
" write list = @sysadmin, vincent\n"
#: serverguide/C/windows-networking.xml:535(para)
"Another possible Samba permission is to declare "
"<emphasis>administrative</emphasis> permissions to a particular shared "
"resource. Users having administrative permissions may read, write, or modify "
"any information contained in the resource the user has been given explicit "
"administrative permissions to."
#: serverguide/C/windows-networking.xml:541(para)
"For example, if you wanted to give the user <emphasis "
"role=\"italic\">melissa</emphasis> administrative permissions to the "
"<emphasis role=\"italic\">share</emphasis> example, you would edit the "
"<filename>/etc/samba/smb.conf</filename> file, and add the following line "
"under the <emphasis>[share]</emphasis> entry:"
#: serverguide/C/windows-networking.xml:548(programlisting)
" admin users = melissa\n"
#: serverguide/C/windows-networking.xml:552(para)
"After editing <filename>/etc/samba/smb.conf</filename>, restart Samba for "
"the changes to take effect:"
#: serverguide/C/windows-networking.xml:561(para)
"For the <emphasis>read list</emphasis> and <emphasis>write list</emphasis> "
"to work the Samba security mode must <emphasis>not</emphasis> be set to "
"<emphasis role=\"italic\">security = share</emphasis>"
#: serverguide/C/windows-networking.xml:567(para)
"Now that Samba has been configured to limit which groups have access to the "
"shared directory, the filesystem permissions need to be updated."
#: serverguide/C/windows-networking.xml:572(para)
"Traditional Linux file permissions do not map well to Windows NT Access "
"Control Lists (ACLs). Fortunately POSIX ACLs are available on Ubuntu servers "
"providing more fine grained control. For example, to enable ACLs on "
"<filename>/srv</filename> an EXT3 filesystem, edit "
"<filename>/etc/fstab</filename> adding the <emphasis>acl</emphasis> option:"
#: serverguide/C/windows-networking.xml:579(programlisting)
"UUID=66bcdd2e-8861-4fb0-b7e4-e61c569fe17d /srv ext3 noatime,relatime,acl "
#: serverguide/C/windows-networking.xml:583(para)
msgid "Then remount the partition:"
#: serverguide/C/windows-networking.xml:588(command)
msgid "sudo mount -v -o remount /srv"
#: serverguide/C/windows-networking.xml:592(para)
"The above example assumes <filename>/srv</filename> on a separate partition. "
"If <filename>/srv</filename>, or wherever you have configured your share "
"path, is part of the <filename>/</filename> partition a reboot may be "
#: serverguide/C/windows-networking.xml:599(para)
"To match the Samba configuration above the <emphasis>sysadmin</emphasis> "
"group will be given read, write, and execute permissions to "
"<filename>/srv/samba/share</filename>, the <emphasis>qa</emphasis> group "
"will be given read and execute permissions, and the files will be owned by "
"the username <emphasis>melissa</emphasis>. Enter the following in a terminal:"
#: serverguide/C/windows-networking.xml:607(command)
msgid "sudo chown -R melissa /srv/samba/share/"
#: serverguide/C/windows-networking.xml:608(command)
msgid "sudo chgrp -R sysadmin /srv/samba/share/"
#: serverguide/C/windows-networking.xml:609(command)
msgid "sudo setfacl -R -m g:qa:rx /srv/samba/share/"
#: serverguide/C/windows-networking.xml:613(para)
"The <application>setfacl</application> command above gives "
"<emphasis>execute</emphasis> permissions to all files in the "
"<filename>/srv/samba/share</filename> directory, which you may or may not "
#: serverguide/C/windows-networking.xml:619(para)
"Now from a Windows client you should notice the new file permissions are "
"implemented. See the <application>acl</application> and "
"<application>setfacl</application> man pages for more information on POSIX "
#: serverguide/C/windows-networking.xml:627(title)
msgid "Samba AppArmor Profile"
#: serverguide/C/windows-networking.xml:629(para)
"Ubuntu comes with the <application>AppArmor</application> security module, "
"which provides mandatory access controls. The default AppArmor profile for "
"Samba will need to be adapted to your configuration. For more details on "
"using AppArmor see <xref linkend=\"apparmor\"/>."
#: serverguide/C/windows-networking.xml:635(para)
"There are default AppArmor profiles for <filename>/usr/sbin/smbd</filename> "
"and <filename>/usr/sbin/nmbd</filename>, the Samba daemon binaries, as part "
"of the <application>apparmor-profiles</application> packages. To install the "
"package, from a terminal prompt enter:"
#: serverguide/C/windows-networking.xml:642(command) serverguide/C/security.xml:978(command)
msgid "sudo apt-get install apparmor-profiles"
#: serverguide/C/windows-networking.xml:646(para)
msgid "This package contains profiles for several other binaries."
#: serverguide/C/windows-networking.xml:651(para)
"By default the profiles for <application>smbd</application> and "
"<application>nmbd</application> are in <emphasis>complain</emphasis> mode "
"allowing Samba to work without modifying the profile, and only logging "
"errors. To place the <application>smbd</application> profile into "
"<emphasis>enforce</emphasis> mode, and have Samba work as expected, the "
"profile will need to be modified to reflect any directories that are shared."
#: serverguide/C/windows-networking.xml:658(para)
"Edit <filename>/etc/apparmor.d/usr.sbin.smbd</filename> adding information "
"for <emphasis>[share]</emphasis> from the file server example:"
#: serverguide/C/windows-networking.xml:663(programlisting)
" /srv/samba/share/ r,\n"
" /srv/samba/share/** rwkix,\n"
#: serverguide/C/windows-networking.xml:668(para)
"Now place the profile into <emphasis>enforce</emphasis> and reload it:"
#: serverguide/C/windows-networking.xml:673(command)
msgid "sudo aa-enforce /usr/sbin/smbd"
#: serverguide/C/windows-networking.xml:674(command)
msgid "cat /etc/apparmor.d/usr.sbin.smbd | sudo apparmor_parser -r"
#: serverguide/C/windows-networking.xml:677(para)
"You should now be able to read, write, and execute files in the shared "
"directory as normal, and the <application>smbd</application> binary will "
"have access to only the configured files and direcotories. Be sure to add "
"entries for each directory you configure Samba to share. Also, any errors "
"will be logged to <filename>/var/log/syslog</filename>."
#: serverguide/C/windows-networking.xml:702(para) serverguide/C/windows-networking.xml:1067(para)
"url=\"http://www.oreilly.com/catalog/9780596007690/\">Using Samba</ulink> is "
"also a good reference."
#: serverguide/C/windows-networking.xml:708(para)
"<ulink url=\"http://samba.org/samba/docs/man/Samba-HOWTO-Collection/securing-"
"samba.html\">Chapter 18</ulink> of the Samba HOWTO Collection is devoted to "
#: serverguide/C/windows-networking.xml:714(para)
"For more information on Samba and ACLs see the <ulink "
"url=\"http://samba.org/samba/docs/man/Samba-HOWTO-"
"Collection/AccessControls.html#id397568\">Samba ACLs page </ulink>."
#: serverguide/C/windows-networking.xml:725(title)
msgid "Samba as a Domain Controller"
#: serverguide/C/windows-networking.xml:727(para)
"Although it cannot act as an Active Directory Primary Domain Controller "
"(PDC), a Samba server can be configured to appear as a Windows NT4-style "
"domain controller. A major advantage of this configuration is the ability to "
"centralize user and machine credentials. Samba can also use multiple "
"backends to store the user information."
#: serverguide/C/windows-networking.xml:734(title)
msgid "Primary Domain Controller"
#: serverguide/C/windows-networking.xml:736(para)
"This section covers configuring Samba as a Primary Domain Controller (PDC) "
"using the default smbpasswd backend."
#: serverguide/C/windows-networking.xml:743(para)
"First, install Samba, and <application>libpam-smbpass</application> to sync "
"the user accounts, by entering the following in a terminal prompt:"
#: serverguide/C/windows-networking.xml:749(command) serverguide/C/windows-networking.xml:965(command)
msgid "sudo apt-get install samba libpam-smbpass"
#: serverguide/C/windows-networking.xml:755(para)
"Next, configure Samba by editing <filename>/etc/samba/smb.conf</filename>. "
"The <emphasis>security</emphasis> mode should be set to <emphasis "
"role=\"italic\">user</emphasis>, and the <emphasis>workgroup</emphasis> "
"should relate to your organization:"
#: serverguide/C/windows-networking.xml:761(programlisting)
" workgroup = EXAMPLE\n"
" security = user\n"
#: serverguide/C/windows-networking.xml:770(para)
"In the commented <quote>Domains</quote> section add or uncomment the "
#: serverguide/C/windows-networking.xml:774(programlisting)
" domain logons = yes\n"
" logon path = \\\\%N\\%U\\profile\n"
" logon drive = H:\n"
" logon home = \\\\%N\\%U\n"
" logon script = logon.cmd\n"
" add machine script = sudo /usr/sbin/useradd -n -g machines -c Machine -d "
"/var/lib/samba -s /bin/false %u\n"
#: serverguide/C/windows-networking.xml:785(para)
"<emphasis>domain logons:</emphasis> provides the netlogon service causing "
"Samba to act as a domain controller."
#: serverguide/C/windows-networking.xml:790(para)
"<emphasis>logon path:</emphasis> places the user's Windows profile into "
"their home directory. It is also possible to configure a "
"<emphasis>[profiles]</emphasis> share placing all profiles under a single "
#: serverguide/C/windows-networking.xml:796(para)
"<emphasis>logon drive:</emphasis> specifies the home directory local path."
#: serverguide/C/windows-networking.xml:801(para)
"<emphasis>logon home:</emphasis> specifies the home directory location."
#: serverguide/C/windows-networking.xml:806(para)
"<emphasis>logon script:</emphasis> determines the script to be run locally "
"once a user has logged in. The script needs to be placed in the "
"<emphasis>[netlogon]</emphasis> share."
#: serverguide/C/windows-networking.xml:812(para)
"<emphasis>add machine script:</emphasis> a script that will automatically "
"create the <emphasis>Machine Trust Account</emphasis> needed for a "
"workstation to join the domain."
#: serverguide/C/windows-networking.xml:816(para)
"In this example the <emphasis>machines</emphasis> group will need to be "
"created using the <application>addgroup</application> utility; see <xref "
"linkend=\"adding-deleting-users\"/> for details."
#: serverguide/C/windows-networking.xml:824(para)
"If you wish to not use <emphasis>Roaming Profiles</emphasis> leave the "
"<emphasis>logon home</emphasis> and <emphasis>logon path</emphasis> options "
#: serverguide/C/windows-networking.xml:833(para)
"Uncomment the <emphasis>[homes]</emphasis> share to allow the <emphasis "
"role=\"italic\">logon home</emphasis> to be mapped:"
#: serverguide/C/windows-networking.xml:838(programlisting)
" comment = Home Directories\n"
" create mask = 0700\n"
" directory mask = 0700\n"
" valid users = %S\n"
#: serverguide/C/windows-networking.xml:851(para)
"When configured as a domain controller a <emphasis>[netlogon]</emphasis> "
"share needs to be configured. To enable the share, uncomment:"
#: serverguide/C/windows-networking.xml:856(programlisting)
" comment = Network Logon Service\n"
" path = /srv/samba/netlogon\n"
" share modes = no\n"
#: serverguide/C/windows-networking.xml:866(para)
"The original <emphasis>netlogon</emphasis> share path is "
"<filename>/home/samba/netlogon</filename>, but according to the Filesystem "
"Hierarchy Standard (FHS), <ulink url=\"http://www.pathname.com/fhs/pub/fhs-"
"2.3.html#SRVDATAFORSERVICESPROVIDEDBYSYSTEM\">/srv</ulink> is the correct "
"location for site-specific data provided by the system."
#: serverguide/C/windows-networking.xml:877(para)
"Now create the <filename role=\"directory\">netlogon</filename> directory, "
"and an empty (for now) <filename>logon.cmd</filename> script file:"
#: serverguide/C/windows-networking.xml:883(command)
msgid "sudo mkdir -p /srv/samba/netlogon"
#: serverguide/C/windows-networking.xml:884(command)
msgid "sudo touch /srv/samba/netlogon/logon.cmd"
#: serverguide/C/windows-networking.xml:887(para)
"You can enter any normal Windows logon script commands in "
"<filename>logon.cmd</filename> to customize the client's environment."
#: serverguide/C/windows-networking.xml:895(para)
"With <emphasis>root</emphasis> being disabled by default, in order to join a "
"workstation to the domain, a system group needs to be mapped to the Windows "
"<emphasis>Domain Admins</emphasis> group. Using the "
"<application>net</application> utility, from a terminal enter:"
#: serverguide/C/windows-networking.xml:902(command)
"sudo net groupmap add ntgroup=\"Domain Admins\" unixgroup=sysadmin rid=512 "
#: serverguide/C/windows-networking.xml:906(para)
"Change <emphasis role=\"italic\">sysadmin</emphasis> to whichever group you "
"prefer. Also, the user used to join the domain needs to be a member of the "
"<emphasis>sysadmin</emphasis> group, as well as a member of the system "
"<emphasis>admin</emphasis> group. The <emphasis>admin</emphasis> group "
"allows <application>sudo</application> use."
#: serverguide/C/windows-networking.xml:917(para)
msgid "Finally, restart Samba to enable the new domain controller:"
#: serverguide/C/windows-networking.xml:928(para)
"You should now be able to join Windows clients to the Domain in the same "
"manner as joining them to an NT4 domain running on a Windows server."
#: serverguide/C/windows-networking.xml:938(title)
msgid "Backup Domain Controller"
#: serverguide/C/windows-networking.xml:940(para)
"With a Primary Domain Controller (PDC) on the network it is best to have a "
"Backup Domain Controller (BDC) as well. This will allow clients to "
"authenticate in case the PDC becomes unavailable."
#: serverguide/C/windows-networking.xml:945(para)
"When configuring Samba as a BDC you need a way to sync account information "
"with the PDC. There are multiple ways of accomplishing this: "
"<application>scp</application>, <application>rsync</application>, or by "
"using <application>LDAP</application> as the <emphasis>passdb "
"backend</emphasis>."
#: serverguide/C/windows-networking.xml:951(para)
"Using LDAP is the most robust way to sync account information, because both "
"domain controllers can use the same information in real time. However, "
"setting up an LDAP server may be overly complicated for a small number of "
"user and computer accounts. See <xref linkend=\"samba-ldap\"/> for details."
#: serverguide/C/windows-networking.xml:960(para)
"First, install <application>samba</application> and <application>libpam-"
"smbpass</application>. From a terminal enter:"
#: serverguide/C/windows-networking.xml:971(para)
"Now, edit <filename>/etc/samba/smb.conf</filename> and uncomment the "
"following in the <emphasis>[global]</emphasis>:"
#: serverguide/C/windows-networking.xml:984(para)
msgid "In the commented <emphasis>Domains</emphasis> uncomment or add:"
#: serverguide/C/windows-networking.xml:988(programlisting)
" domain logons = yes\n"
" domain master = no\n"
#: serverguide/C/windows-networking.xml:996(para)
"Make sure a user has rights to read the files in "
"<filename>/var/lib/samba</filename>. For example, to allow users in the "
"<emphasis>admin</emphasis> group to <application>scp</application> the "
#: serverguide/C/windows-networking.xml:1002(command)
msgid "sudo chgrp -R admin /var/lib/samba"
#: serverguide/C/windows-networking.xml:1008(para)
"Next, sync the user accounts, using <application>scp</application> to copy "
"the <filename>/var/lib/samba</filename> directory from the PDC:"
#: serverguide/C/windows-networking.xml:1014(command)
msgid "sudo scp -r username@pdc:/var/lib/samba /var/lib"
#: serverguide/C/windows-networking.xml:1018(para)
"Replace <emphasis>username</emphasis> with a valid username and "
"<emphasis>pdc</emphasis> with the hostname or IP Address of your actual PDC."
#: serverguide/C/windows-networking.xml:1027(para)
msgid "Finally, restart <application>samba</application>:"
#: serverguide/C/windows-networking.xml:1038(para)
"You can test that your Backup Domain controller is working by stopping the "
"Samba daemon on the PDC, then trying to login to a Windows client joined to "
#: serverguide/C/windows-networking.xml:1043(para)
"Another thing to keep in mind is if you have configured the <emphasis>logon "
"home</emphasis> option as a directory on the PDC, and the PDC becomes "
"unavailable, access to the user's <emphasis>Home</emphasis> drive will also "
"be unavailable. For this reason it is best to configure the <emphasis>logon "
"home</emphasis> to reside on a separate file server from the PDC and BDC."
#: serverguide/C/windows-networking.xml:1073(para)
"<ulink url=\"http://samba.org/samba/docs/man/Samba-HOWTO-Collection/samba-"
"pdc.html\">Chapter 4</ulink> of the Samba HOWTO Collection explains setting "
"up a Primary Domain Controller."
#: serverguide/C/windows-networking.xml:1079(para)
"<ulink url=\"http://us3.samba.org/samba/docs/man/Samba-HOWTO-"
"Collection/samba-bdc.html\">Chapter 5</ulink> of the Samba HOWTO Collection "
"explains setting up a Backup Domain Controller."
#: serverguide/C/windows-networking.xml:1089(title)
msgid "Samba Active Directory Integration"
#: serverguide/C/windows-networking.xml:1092(title)
msgid "Accessing a Samba Share"
#: serverguide/C/windows-networking.xml:1094(para)
"Another use for Samba is to integrate into an existing Windows network. "
"Once part of an Active Directory domain, Samba can provide file and print "
"services to AD users."
#: serverguide/C/windows-networking.xml:1099(para)
"The simplest way to join an AD domain is to use <application>Likewise-"
"open</application>. For detailed instructions see <xref linkend=\"likewise-"
#: serverguide/C/windows-networking.xml:1104(para)
msgid "Once part of the domain, install the following packages:"
#: serverguide/C/windows-networking.xml:1109(command)
msgid "sudo apt-get install samba smbfs smbclient"
#: serverguide/C/windows-networking.xml:1112(para)
"Since the <application>likewise-open</application> and "
"<application>samba</application> packages use separate "
"<filename>secrets.tdb</filename> files, a symlink will need to be created in "
"<filename role=\"directory\">/var/lib/samba</filename>:"
#: serverguide/C/windows-networking.xml:1118(command)
msgid "sudo mv /var/lib/samba/secrets.tdb /var/lib/samba/secrets.tdb.orig"
#: serverguide/C/windows-networking.xml:1119(command)
msgid "sudo ln -s /etc/samba/secrets.tdb /var/lib/samba"
#: serverguide/C/windows-networking.xml:1122(para)
msgid "Next, edit <filename>/etc/samba/smb.conf</filename> changing:"
#: serverguide/C/windows-networking.xml:1126(programlisting)
" workgroup = EXAMPLE\n"
" realm = EXAMPLE.COM\n"
" idmap backend = lwopen\n"
" idmap uid = 50-9999999999\n"
" idmap gid = 50-9999999999\n"
#: serverguide/C/windows-networking.xml:1137(para)
"Restart <application>samba</application> for the new settings to take effect:"
#: serverguide/C/windows-networking.xml:1145(para)
"You should now be able to access any <application>Samba</application> shares "
"from a Windows client. However, be sure to give the appropriate AD users or "
"groups access to the share directory. See <xref linkend=\"samba-fileprint-"
"security\"/> for more details."
#: serverguide/C/windows-networking.xml:1153(title)
msgid "Accessing a Windows Share"
#: serverguide/C/windows-networking.xml:1155(para)
"Now that the Samba server is part of the Active Directory domain you can "
"access any Windows server shares:"
#: serverguide/C/windows-networking.xml:1162(para)
"To mount a Windows file share enter the following in a terminal prompt:"
#: serverguide/C/windows-networking.xml:1166(command)
msgid "mount.cifs //fs01.example.com/share mount_point"
#: serverguide/C/windows-networking.xml:1169(para)
"It is also possible to access shares on computers not part of an AD domain, "
"but a username and password will need to be provided."
#: serverguide/C/windows-networking.xml:1177(para)
"To mount the share during boot place an entry in "
"<filename>/etc/fstab</filename>, for example:"
#: serverguide/C/windows-networking.xml:1181(programlisting)
"//192.168.0.5/share /mnt/windows cifs auto,username=steve,password=secret,rw "
#: serverguide/C/windows-networking.xml:1188(para)
"Another way to copy files from a Windows server is to use the "
"<application>smbclient</application> utility. To list the files in a Windows "
#: serverguide/C/windows-networking.xml:1194(command)
msgid "smbclient //fs01.example.com/share -k -c \"ls\""
#: serverguide/C/windows-networking.xml:1200(para)
msgid "To copy a file from the share, enter:"
#: serverguide/C/windows-networking.xml:1205(command)
msgid "smbclient //fs01.example.com/share -k -c \"get file.txt\""
#: serverguide/C/windows-networking.xml:1208(para)
"This will copy the <filename>file.txt</filename> into the current directory."
#: serverguide/C/windows-networking.xml:1215(para)
msgid "And to copy a file to the share:"
#: serverguide/C/windows-networking.xml:1220(command)
msgid "smbclient //fs01.example.com/share -k -c \"put /etc/hosts hosts\""
#: serverguide/C/windows-networking.xml:1223(para)
"This will copy the <filename>/etc/hosts</filename> to "
"<filename>//fs01.example.com/share/hosts</filename>."
#: serverguide/C/windows-networking.xml:1230(para)
"The <emphasis>-c</emphasis> option used above allows you to execute the "
"<application>smbclient</application> command all at once. This is useful for "
"scripting and minor file operations. To enter the <emphasis>smb: \\"
"></emphasis> prompt, an FTP-like prompt where you can execute normal file "
"and directory commands, simply execute:"
#: serverguide/C/windows-networking.xml:1237(command)
msgid "smbclient //fs01.example.com/share -k"
#: serverguide/C/windows-networking.xml:1244(para)
"Replace all instances of <emphasis>fs01.example.com/share</emphasis>, "
"<emphasis>//192.168.0.5/share</emphasis>, "
"<emphasis>username=steve,password=secret</emphasis>, and "
"<emphasis>file.txt</emphasis> with your server's IP, hostname, share name, "
"file name, and an actual username and password with rights to the share."
#: serverguide/C/windows-networking.xml:1255(para)
"For more <application>smbclient</application> options see the man page: "
"<command>man smbclient</command>, also available <ulink "
"url=\"http://manpages.ubuntu.com/manpages/jaunty/en/man1/smbclient.1.html\">o"
#: serverguide/C/windows-networking.xml:1260(para)
"The <application>mount.cifs</application><ulink "
"url=\"http://manpages.ubuntu.com/manpages/jaunty/en/man8/mount.cifs.8.html\">"
"man page</ulink> is also useful for more detailed information."
#: serverguide/C/windows-networking.xml:1270(title)
msgid "Likewise Open"
#: serverguide/C/windows-networking.xml:1272(para)
"<application>Likewise Open</application> simplifies the necessary "
"configuration needed to authenticate a Linux machine to an Active Directory "
"domain. Based on <application>winbind</application>, the "
"<application>likewise-open</application> package takes the pain out of "
"integrating Ubuntu authentication into an existing Windows network."
#: serverguide/C/windows-networking.xml:1281(para)
"There are two ways to use Likewise Open, <application>likewise-"
"open</application> the command line utility and <application>likewise-open-"
"gui</application>. This section focuses on the command line utility."
#: serverguide/C/windows-networking.xml:1286(para)
"To install the <application>likewise-open</application> package, open a "
"terminal prompt and enter:"
#: serverguide/C/windows-networking.xml:1291(command)
msgid "sudo apt-get install likewise-open"
#: serverguide/C/windows-networking.xml:1294(para)
"With Ubuntu 9.04 <application>Likewise Open 5.0</application> is available "
"in the <emphasis>Universe</emphasis> repository. However, since upgrading "
"from <application>Likewise Open 4.1</application> currently requires the "
"system to leave the domain and re-join, a separate package for version five "
#: serverguide/C/windows-networking.xml:1300(para)
msgid "To install <application>Likewise Open 5.0</application> enter:"
#: serverguide/C/windows-networking.xml:1305(command)
msgid "sudo apt-get install likewise-open5"
#: serverguide/C/windows-networking.xml:1309(para)
"Installing likewise-open5 over an existing likewise-open (4.1) installation "
"will replace it. You will have to rejoin the domain after install."
#: serverguide/C/windows-networking.xml:1316(para)
"The command line tools, and GUI interface, for likewise-open5 are the same "
#: serverguide/C/windows-networking.xml:1324(title)
msgid "Joining a Domain"
#: serverguide/C/windows-networking.xml:1326(para)
"The main executable file of the <application>likewise-open</application> "
"package is <filename>/usr/bin/domainjoin-cli</filename>, which is used to "
"join your computer to the domain. Before you join a domain you will need to "
"make sure you have:"
#: serverguide/C/windows-networking.xml:1334(para)
"Access to an Active Directory user with appropriate rights to join the "
#: serverguide/C/windows-networking.xml:1339(para)
"The <emphasis>Fully Qualified Domain Name</emphasis> (FQDN) of the domain "
"you want to join. If your AD domain does not match a valid domain such as "
"<emphasis role=\"italic\">example.com</emphasis>, it is likely that it has "
"the form of <emphasis>domainname.local</emphasis>."
#: serverguide/C/windows-networking.xml:1346(para)
"DNS for the domain setup properly. In a production AD environment this "
"should be the case. Proper Microsoft DNS is needed so that client "
"workstations can determine the Active Directory domain is available."
#: serverguide/C/windows-networking.xml:1350(para)
"If you don't have a Windows DNS server on your network, see <xref "
"linkend=\"likewise-open-ms-dns\"/> for details."
#: serverguide/C/windows-networking.xml:1357(para)
msgid "To join a domain, from a terminal prompt enter:"
#: serverguide/C/windows-networking.xml:1362(command)
msgid "sudo domainjoin-cli join example.com Administrator"
#: serverguide/C/windows-networking.xml:1366(para)
"Replace <emphasis>example.com</emphasis> with your domain name, and "
"<emphasis>Administrator</emphasis> with the appropriate user name."
#: serverguide/C/windows-networking.xml:1372(para)
"You will then be prompted for the user's password. If all goes well a "
"<emphasis>SUCCESS</emphasis> message should be printed to the console."
#: serverguide/C/windows-networking.xml:1377(para)
"After successfully joining an Ubuntu machine to an Active Directory domain "
"you can authenticate using any valid AD user. To login you will need to "
"enter the user name as 'domain\\username'. For example to ssh to a server "
"joined to the domain enter:"
#: serverguide/C/windows-networking.xml:1384(command)
msgid "ssh 'example\\steve'@hostname"
#: serverguide/C/windows-networking.xml:1388(para)
"If configuring a Desktop the user name will need to be prefixed with "
"<emphasis role=\"italic\">domain\\</emphasis> in the graphical logon as well."
#: serverguide/C/windows-networking.xml:1394(para)
"To make likewise-open use a default domain, you can add the following "
"statement to <filename>/etc/samba/lwiauthd.conf</filename>:"
#: serverguide/C/windows-networking.xml:1398(programlisting)
"winbind use default domain = yes\n"
#: serverguide/C/windows-networking.xml:1402(para)
msgid "Then restart the <application>likewise-open</application> daemons:"
#: serverguide/C/windows-networking.xml:1407(command)
msgid "sudo /etc/init.d/likewise-open restart"
#: serverguide/C/windows-networking.xml:1411(para)
"Once configured for a <emphasis>default domain</emphasis> the <emphasis "
"role=\"italic\">'domain\\'</emphasis> is no longer required, users can login "
"using only their username."
#: serverguide/C/windows-networking.xml:1417(para)
"The <application>domainjoin-cli</application> utility can also be used to "
"leave the domain. From a terminal:"
#: serverguide/C/windows-networking.xml:1422(command)
msgid "sudo domainjoin-cli leave"
#: serverguide/C/windows-networking.xml:1427(title) serverguide/C/security.xml:1830(title)
msgid "Other Utilities"
#: serverguide/C/windows-networking.xml:1429(para)
"The <application>likewise-open</application> package comes with a few other "
"utilities that may be useful for gathering information about the Active "
"Directory environment. These utilities are used to join the machine to the "
"domain, and are the same as those available in the <application>samba-"
"common</application> and <application>winbind</application> packages:"
#: serverguide/C/windows-networking.xml:1438(para)
"<application>lwinet</application>: Returns information about the network and "
#: serverguide/C/windows-networking.xml:1443(para)
"<application>lwimsg</application>: Allows interaction with the "
"<application>likewise-winbindd</application> daemon."
#: serverguide/C/windows-networking.xml:1448(para)
"<application>lwiinfo</application>: Displays information about various parts "
#: serverguide/C/windows-networking.xml:1454(para)
msgid "Please refer to each utility's specific man page for details."
#: serverguide/C/windows-networking.xml:1460(title) serverguide/C/mail.xml:155(title) serverguide/C/mail.xml:1370(title) serverguide/C/dns.xml:338(title)
msgid "Troubleshooting"
#: serverguide/C/windows-networking.xml:1464(para)
"If the client has trouble joining the domain, double check that the "
"Microsoft DNS is listed first in <filename>/etc/resolv.conf</filename>. For "
#: serverguide/C/windows-networking.xml:1469(programlisting)
"nameserver 192.168.0.1\n"
#: serverguide/C/windows-networking.xml:1474(para)
"For more information when joining a domain, use the <emphasis>--loglevel "
"verbose</emphasis> or <emphasis>--advanced</emphasis> option of the "
"<application>domainjoin-cli</application> utility:"
#: serverguide/C/windows-networking.xml:1480(command)
msgid "sudo domainjoin-cli --loglevel verbose join example.com Administrator"
#: serverguide/C/windows-networking.xml:1484(para)
"If an Active Directory user has trouble logging in, check the "
"<filename>/var/log/auth.log</filename> for details."
#: serverguide/C/windows-networking.xml:1489(para)
"When joining an Ubuntu Desktop workstation to a domain, you may need to edit "
"<filename>/etc/nsswitch.conf</filename> if your AD domain uses the <emphasis "
"role=\"italic\">.local</emphasis> syntax. In order to join the domain the "
"<emphasis>\"mdns4\"</emphasis> entry from the <emphasis>hosts</emphasis> "
"option will need to be removed. For example:"
#: serverguide/C/windows-networking.xml:1495(programlisting)
"hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4\n"
#: serverguide/C/windows-networking.xml:1499(para)
msgid "Change the above to:"
#: serverguide/C/windows-networking.xml:1503(programlisting)
"hosts: files dns [NOTFOUND=return]\n"
#: serverguide/C/windows-networking.xml:1507(para)
msgid "Then restart networking by entering:"
#: serverguide/C/windows-networking.xml:1512(command) serverguide/C/network-config.xml:237(command)
msgid "sudo /etc/init.d/networking restart"
#: serverguide/C/windows-networking.xml:1515(para)
msgid "You should now be able to join the Active Directory domain."
#: serverguide/C/windows-networking.xml:1523(title)
msgid "Microsoft DNS"
#: serverguide/C/windows-networking.xml:1525(para)
"The following are instructions for installing DNS on an Active Directory "
"domain controller running Windows Server 2003, but the instructions should "
"be similar for other versions:"
#: serverguide/C/windows-networking.xml:1532(para)
"<menuchoice><guimenuitem>Start</guimenuitem><guimenuitem>Administrative Tools"
"</guimenuitem><guimenuitem>Manage Your Server</guimenuitem></menuchoice>. "
"This will open the <application>Server Role Management</application> utility."
#: serverguide/C/windows-networking.xml:1540(para)
msgid "Click Add or remove a role"
#: serverguide/C/windows-networking.xml:1541(para) serverguide/C/windows-networking.xml:1543(para) serverguide/C/windows-networking.xml:1546(para)
#: serverguide/C/windows-networking.xml:1542(para)
msgid "Select \"DNS Server\""
#: serverguide/C/windows-networking.xml:1544(para)
#: serverguide/C/windows-networking.xml:1545(para)
msgid "Select \"Create a forward lookup zone\" if it is not selected."
#: serverguide/C/windows-networking.xml:1547(para)
"Make sure \"This server maintains the zone\" is selected and click Next."
#: serverguide/C/windows-networking.xml:1548(para)
msgid "Enter your domain name and click Next"
#: serverguide/C/windows-networking.xml:1549(para) serverguide/C/windows-networking.xml:1550(para)
msgid "Click Next to \"Allow only secure dynamic updates\""
#: serverguide/C/windows-networking.xml:1552(para)
"Enter the IP for DNS servers to forward queries to, or Select \"No, it "
"should not forward queries\" and click Next."
#: serverguide/C/windows-networking.xml:1556(para) serverguide/C/windows-networking.xml:1557(para)
msgid "Click Finish"
#: serverguide/C/windows-networking.xml:1559(para)
"DNS is now installed and can be further configured using the "
"<application>Microsoft Management Console</application> DNS snap-in."
#: serverguide/C/windows-networking.xml:1567(para)
#: serverguide/C/windows-networking.xml:1568(para)
msgid "Control Panel"
#: serverguide/C/windows-networking.xml:1569(para)
msgid "Network Connections"
#: serverguide/C/windows-networking.xml:1570(para)
msgid "Right Click \"Local Area Connection\""
#: serverguide/C/windows-networking.xml:1571(para)
msgid "Click Properties"
#: serverguide/C/windows-networking.xml:1572(para)
msgid "Double click \"Internet Protocol (TCP/IP)\""
#: serverguide/C/windows-networking.xml:1573(para)
msgid "Enter the Server's IP Address as the \"Preferred DNS server\""
#: serverguide/C/windows-networking.xml:1574(para)
#: serverguide/C/windows-networking.xml:1575(para)
msgid "Click Ok again to save the settings"
#: serverguide/C/windows-networking.xml:1564(para)
"Next, configure the Server to use itself for DNS queries: <placeholder-1/>"
#: serverguide/C/windows-networking.xml:1582(title) serverguide/C/web-servers.xml:624(title) serverguide/C/web-servers.xml:766(title) serverguide/C/web-servers.xml:910(title) serverguide/C/web-servers.xml:1002(title) serverguide/C/web-servers.xml:1218(title) serverguide/C/virtualization.xml:1303(title) serverguide/C/virtualization.xml:1492(title) serverguide/C/vcs.xml:534(title) serverguide/C/security.xml:935(title) serverguide/C/security.xml:1264(title) serverguide/C/security.xml:1679(title) serverguide/C/security.xml:1870(title) serverguide/C/remote-administration.xml:203(title) serverguide/C/package-management.xml:432(title) serverguide/C/other-apps.xml:379(title) serverguide/C/network-config.xml:694(title) serverguide/C/mail.xml:263(title) serverguide/C/mail.xml:444(title) serverguide/C/mail.xml:591(title) serverguide/C/mail.xml:1008(title) serverguide/C/mail.xml:1418(title) serverguide/C/lamp-applications.xml:252(title) serverguide/C/lamp-applications.xml:362(title) serverguide/C/lamp-applications.xml:464(title) serverguide/C/file-server.xml:284(title) serverguide/C/file-server.xml:431(title) serverguide/C/file-server.xml:592(title) serverguide/C/dns.xml:572(title) serverguide/C/clustering.xml:227(title) serverguide/C/chat.xml:107(title) serverguide/C/chat.xml:150(title) serverguide/C/backups.xml:297(title)
#: serverguide/C/windows-networking.xml:1584(para)
"Please refer to the <ulink "
"url=\"http://www.likewisesoftware.com/\">Likewise</ulink> home page for "
"further information."
#: serverguide/C/windows-networking.xml:1588(para)
"For more <application>domainjoin-cli</application> options see the man page: "
"<command>man domainjoin-cli</command>."
#: serverguide/C/web-servers.xml:13(title)
msgstr "Žiniatinklio Serveriai"
#: serverguide/C/web-servers.xml:14(para)
"A Web server is a software responsible for accepting HTTP requests from "
"clients, which are known as Web browsers, and serving them HTTP responses "
"along with optional data contents, which usually are Web pages such as HTML "
"documents and linked objects (images, etc.)."
#: serverguide/C/web-servers.xml:19(title)
msgid "HTTPD - Apache2 Web Server"
msgstr "HTTPD - Apache2 Žiniatinklio serveris"
#: serverguide/C/web-servers.xml:20(para)
"Apache is the most commonly used Web Server on Linux systems. Web Servers "
"are used to serve Web Pages requested by client computers. Clients typically "
"request and view Web Pages using Web Browser applications such as "
"<application>Firefox</application>, <application>Opera</application>, or "
"<application>Mozilla</application>."
#: serverguide/C/web-servers.xml:24(para)
"Users enter a Uniform Resource Locator (URL) to point to a Web server by "
"means of its Fully Qualified Domain Name (FQDN) and a path to the required "
"resource. For example, to view the home page of the <ulink "
"url=\"http://www.ubuntu.com\">Ubuntu Web site</ulink> a user will enter only "
"the FQDN. To request specific information about <ulink "
"url=\"http://www.ubuntu.com/support/paid\">paid support</ulink>, a user will "
"enter the FQDN followed by a path."
#: serverguide/C/web-servers.xml:29(para)
"The most common protocol used to transfer Web pages is the Hyper Text "
"Transfer Protocol (HTTP). Protocols such as Hyper Text Transfer Protocol "
"over Secure Sockets Layer (HTTPS), and File Transfer Protocol (FTP), a "
"protocol for uploading and downloading files, are also supported."
#: serverguide/C/web-servers.xml:33(para)
"Apache Web Servers are often used in combination with the "
"<application>MySQL</application> database engine, the HyperText Preprocessor "
"(<application>PHP</application>) scripting language, and other popular "
"scripting languages such as <application>Python</application> and "
"<application>Perl</application>. This configuration is termed LAMP (Linux, "
"Apache, MySQL and Perl/Python/PHP) and forms a powerful and robust platform "
"for the development and deployment of Web-based applications."
#: serverguide/C/web-servers.xml:42(para)
"The Apache2 web server is available in Ubuntu Linux. To install Apache2:"
"Apache2 žiniatinklio serveris pasiekiamas Ubuntu Linux. Apache2 įdiegimui:"
#: serverguide/C/web-servers.xml:48(para)
msgid "At a terminal prompt enter the following command:"
#: serverguide/C/web-servers.xml:53(command)
msgid "sudo apt-get install apache2"
#: serverguide/C/web-servers.xml:63(para)
"Apache2 is configured by placing <emphasis>directives</emphasis> in plain "
"text configuration files. The configuration files are separated between the "
"following files and directories:"
#: serverguide/C/web-servers.xml:71(para)
"<emphasis>apache2.conf:</emphasis> the main Apache2 configuration file. "
"Contains settings that are <emphasis>global</emphasis> to Apache2."
#: serverguide/C/web-servers.xml:77(para)
"<emphasis>conf.d:</emphasis> contains configuration files which apply "
"<emphasis>globally</emphasis> to Apache. Other packages that use Apache2 to "
"serve content may add files, or symlinks, to this directory."
#: serverguide/C/web-servers.xml:83(para)
"<emphasis>envvars:</emphasis> file where Apache2 "
"<emphasis>environment</emphasis> variables are set."
#: serverguide/C/web-servers.xml:88(para)
"<emphasis>httpd.conf:</emphasis> historically the main Apache2 configuration "
"file, named after the <application>httpd</application> daemon. The file can "
"be used for <emphasis>user specific</emphasis> configuration options that "
"globally effect Apache2."
#: serverguide/C/web-servers.xml:95(para)
"<emphasis>mods-available:</emphasis> this directory contains configuration "
"files to both load <emphasis>modules</emphasis> and configure them. Not all "
"modules will have specific configuration files, however."
#: serverguide/C/web-servers.xml:101(para)
"<emphasis>mods-enabled:</emphasis> holds <emphasis>symlinks</emphasis> to "
"the files in <filename>/etc/apache2/mods-available</filename>. When a module "
"configuration file is symlinked it will be enabled the next time "
"<application>apache2</application> is restarted."
#: serverguide/C/web-servers.xml:108(para)
"<emphasis>ports.conf:</emphasis> houses the directives that determine which "
"TCP ports Apache2 is listening on."
#: serverguide/C/web-servers.xml:113(para)
"<emphasis>sites-available:</emphasis> this directory has configuration files "
"for Apache <emphasis>Virtual Hosts</emphasis>. Virtual Hosts allow Apache2 "
"to be configured for multiple sites that have separate configurations."
#: serverguide/C/web-servers.xml:119(para)
"<emphasis>sites-enabled:</emphasis> like mods-enabled, <filename "
"role=\"directory\">sites-enabled</filename> contains symlinks to the "
"<filename>/etc/apache2/sites-available</filename> directory. Similarly when "
"a configuration file in sites-available is symlinked it will be active once "
"Apache is restarted."
#: serverguide/C/web-servers.xml:127(para)
"In addition, other configuration files may be added using the "
"<emphasis>Include</emphasis> directive, and wildcards can be used to include "
"many configuration files. Any directive may be placed in any of these "
"configuration files. Changes to the main configuration files are only "
"recognized by Apache2 when it is started or restarted."
#: serverguide/C/web-servers.xml:136(para)
"The server also reads a file containing mime document types; the filename is "
"set by the <emphasis>TypesConfig</emphasis> directive, and is "
"<filename>/etc/mime.types</filename> by default."
#: serverguide/C/web-servers.xml:141(title)
msgid "Basic Settings"
#: serverguide/C/web-servers.xml:142(para)
"This section explains Apache2 server essential configuration parameters. "
"Refer to the <ulink url=\"http://httpd.apache.org/docs/2.2/\">Apache2 "
"Documentation</ulink> for more details."
#: serverguide/C/web-servers.xml:150(para)
"Apache2 ships with a virtual-host-friendly default configuration. That is, "
"it is configured with a single default virtual host (using the "
"<emphasis>VirtualHost</emphasis> directive) which can modified or used as-is "
"if you have a single site, or used as a template for additional virtual "
"hosts if you have multiple sites. If left alone, the default virtual host "
"will serve as your default site, or the site users will see if the URL they "
"enter does not match the <emphasis>ServerName</emphasis> directive of any of "
"your custom sites. To modify the default virtual host, edit the file "
"<filename>/etc/apache2/sites-available/default</filename>."
#: serverguide/C/web-servers.xml:163(para)
"The directives set for a virtual host only apply to that particular virtual "
"host. If a directive is set server-wide and not defined within the virtual "
"host settings, the default setting is used. For example, you can define a "
"Webmaster email address and not define individual email addresses for each "
#: serverguide/C/web-servers.xml:171(para)
"If you wish to configure a new virtual host or site, copy that file into the "
"same directory with a name you choose. For example:"
#: serverguide/C/web-servers.xml:177(command)
"sudo cp /etc/apache2/sites-available/default /etc/apache2/sites-"
"available/mynewsite"
#: serverguide/C/web-servers.xml:180(para)
"Edit the new file to configure the new site using some of the directives "
#: serverguide/C/web-servers.xml:187(para)
"The <emphasis>ServerAdmin</emphasis> directive specifies the email address "
"to be advertised for the server's administrator. The default value is "
"webmaster@localhost. This should be changed to an email address that is "
"delivered to you (if you are the server's administrator). If your website "
"has a problem, Apache2 will display an error message containing this email "
"address to report the problem to. Find this directive in your site's "
"configuration file in /etc/apache2/sites-available."
#: serverguide/C/web-servers.xml:198(para)
"The <emphasis>Listen</emphasis> directive specifies the port, and optionally "
"the IP address, Apache2 should listen on. If the IP address is not "
"specified, Apache2 will listen on all IP addresses assigned to the machine "
"it runs on. The default value for the Listen directive is 80. Change this to "
"127.0.0.1:80 to cause Apache2 to listen only on your loopback interface so "
"that it will not be available to the Internet, to (for example) 81 to change "
"the port that it listens on, or leave it as is for normal operation. This "
"directive can be found and changed in its own file, "
"<filename>/etc/apache2/ports.conf</filename>"
#: serverguide/C/web-servers.xml:211(para)
"The <emphasis>ServerName</emphasis> directive is optional and specifies what "
"FQDN your site should answer to. The default virtual host has no ServerName "
"directive specified, so it will respond to all requests that do not match a "
"ServerName directive in another virtual host. If you have just acquired the "
"domain name ubunturocks.com and wish to host it on your Ubuntu server, the "
"value of the ServerName directive in your virtual host configuration file "
"should be ubunturocks.com. Add this directive to the new virtual host file "
"you created earlier (<filename>/etc/apache2/sites-"
"available/mynewsite</filename>)."
#: serverguide/C/web-servers.xml:223(para)
"You may also want your site to respond to www.ubunturocks.com, since many "
"users will assume the www prefix is appropriate. Use the "
"<emphasis>ServerAlias</emphasis> directive for this. You may also use "
"wildcards in the ServerAlias directive."
#: serverguide/C/web-servers.xml:230(para)
"For example, the following configuration will cause your site to respond to "
"any domain request ending in <emphasis>.ubunturocks.com</emphasis>."
#: serverguide/C/web-servers.xml:236(programlisting)
"ServerAlias *.ubunturocks.com\n"
#: serverguide/C/web-servers.xml:242(para)
"The <emphasis>DocumentRoot</emphasis> directive specifies where Apache "
"should look for the files that make up the site. The default value is "
"/var/www. No site is configured there, but if you uncomment the "
"<emphasis>RedirectMatch</emphasis> directive in "
"<filename>/etc/apache2/apache2.conf</filename> requests will be redirected "
"to /var/www/apache2-default where the default Apache2 site awaits. Change "
"this value in your site's virtual host file, and remember to create that "
"directory if necessary!"
#: serverguide/C/web-servers.xml:254(para)
"The /etc/apache2/sites-available directory is <emphasis role=\"bold\"> "
"not</emphasis> parsed by Apache2. Symbolic links in /etc/apache2/sites-"
"enabled point to \"available\" sites."
#: serverguide/C/web-servers.xml:260(para)
"Enable the new <emphasis>VirtualHost</emphasis> using the "
"<application>a2ensite</application> utility and restart Apache:"
#: serverguide/C/web-servers.xml:266(command)
msgid "sudo a2ensite mynewsite"
#: serverguide/C/web-servers.xml:267(command) serverguide/C/web-servers.xml:285(command) serverguide/C/web-servers.xml:538(command) serverguide/C/web-servers.xml:547(command) serverguide/C/web-servers.xml:606(command) serverguide/C/mail.xml:723(command) serverguide/C/lamp-applications.xml:221(command)
msgid "sudo /etc/init.d/apache2 restart"
#: serverguide/C/web-servers.xml:271(para)
"Be sure to replace <emphasis>mynewsite</emphasis> with a more descriptive "
"name for the VirtualHost. One method is to name the file after the "
"<emphasis>ServerName</emphasis> directive of the VirtualHost."
#: serverguide/C/web-servers.xml:278(para)
"Similarly, use the <application>a2dissite</application> utility to disable "
"sites. This is can be useful when troubleshooting configuration problems "
"with multiple VirtualHosts:"
#: serverguide/C/web-servers.xml:284(command)
msgid "sudo a2dissite mynewsite"
#: serverguide/C/web-servers.xml:290(title)
msgid "Default Settings"
msgstr "Nuostatos pagal nutylėjimą"
#: serverguide/C/web-servers.xml:292(para)
"This section explains configuration of the Apache2 server default settings. "
"For example, if you add a virtual host, the settings you configure for the "
"virtual host take precedence for that virtual host. For a directive not "
"defined within the virtual host settings, the default value is used."
#: serverguide/C/web-servers.xml:304(para)
"The <emphasis>DirectoryIndex</emphasis> is the default page served by the "
"server when a user requests an index of a directory by specifying a forward "
"slash (/) at the end of the directory name."
#: serverguide/C/web-servers.xml:311(para)
"For example, when a user requests the page "
"http://www.example.com/this_directory/, he or she will get either the "
"DirectoryIndex page if it exists, a server-generated directory list if it "
"does not and the Indexes option is specified, or a Permission Denied page if "
"neither is true. The server will try to find one of the files listed in the "
"DirectoryIndex directive and will return the first one it finds. If it does "
"not find any of these files and if Options Indexes is set for that "
"directory, the server will generate and return a list, in HTML format, of "
"the subdirectories and files in the directory. The default value, found in "
"<filename>/etc/apache2/apache2.conf</filename> is \" index.html index.cgi "
"index.pl index.php index.xhtml\". Thus, if Apache2 finds a file in a "
"requested directory matching any of these names, the first will be displayed."
#: serverguide/C/web-servers.xml:332(para)
"The <emphasis>ErrorDocument</emphasis> directive allows you to specify a "
"file for Apache to use for specific error events. For example, if a user "
"requests a resource that does not exist, a 404 error will occur, and per "
"Apache2's default configuration, the file "
"<filename>/usr/share/apache2/error/HTTP_NOT_FOUND.html.var </filename> will "
"be displayed. That file is not in the server's DocumentRoot, but there is an "
"Alias directive in <filename>/etc/apache2/apache2.conf</filename> that "
"redirects requests to the /error directory to "
"<filename>/usr/share/apache2/error/</filename>."
#: serverguide/C/web-servers.xml:344(para)
"To see a list of the default ErrorDocument directives, use this command:"
#: serverguide/C/web-servers.xml:350(command)
msgid "grep ErrorDocument /etc/apache2/apache2.conf"
#: serverguide/C/web-servers.xml:355(para)
"By default, the server writes the transfer log to the file "
"<filename>/var/log/apache2/access.log</filename>. You can change this on a "
"per-site basis in your virtual host configuration files with the "
"<emphasis>CustomLog</emphasis> directive, or omit it to accept the default, "
"specified in <filename> /etc/apache2/apache2.conf</filename>. You may also "
"specify the file to which errors are logged, via the "
"<emphasis>ErrorLog</emphasis> directive, whose default is "
"<filename>/var/log/apache2/error.log</filename>. These are kept separate "
"from the transfer logs to aid in troubleshooting problems with your Apache2 "
"server. You may also specify the <emphasis>LogLevel</emphasis> (the default "
"value is \"warn\") and the <emphasis>LogFormat</emphasis> (see <filename> "
"/etc/apache2/apache2.conf</filename> for the default value)."
#: serverguide/C/web-servers.xml:370(para)
"Some options are specified on a per-directory basis rather than per-server. "
"<emphasis>Options</emphasis> is one of these directives. A Directory stanza "
"is enclosed in XML-like tags, like so:"
#: serverguide/C/web-servers.xml:376(programlisting)
"&lt;Directory /var/www/mynewsite&gt;\n"
"&lt;/Directory&gt;\n"
#: serverguide/C/web-servers.xml:382(para)
"The <emphasis>Options</emphasis> directive within a Directory stanza accepts "
"one or more of the following values (among others), separated by spaces:"
#: serverguide/C/web-servers.xml:394(para)
"Most files should not be executed as CGI scripts. This would be very "
"dangerous. CGI scripts should kept in a directory separate from and outside "
"your DocumentRoot, and only this directory should have the ExecCGI option "
"set. This is the default, and the default location for CGI scripts is "
"<filename>/usr/lib/cgi-bin</filename>."
#: serverguide/C/web-servers.xml:389(para)
"<emphasis role=\"bold\">ExecCGI</emphasis> - Allow execution of CGI scripts. "
"CGI scripts are not executed if this option is not chosen. <placeholder-1/>"
#: serverguide/C/web-servers.xml:405(para)
"<emphasis role=\"bold\">Includes</emphasis> - Allow server-side includes. "
"Server-side includes allow an HTML file to <emphasis> include</emphasis> "
"other files. This is not a common option. See <ulink "
"url=\"http://httpd.apache.org/docs/2.2/howto/ssi.html\">the Apache2 SSI "
"HOWTO</ulink> for more information."
#: serverguide/C/web-servers.xml:414(para)
"<emphasis role=\"bold\">IncludesNOEXEC</emphasis> - Allow server-side "
"includes, but disable the <emphasis>#exec</emphasis> and "
"<emphasis>#include</emphasis> commands in CGI scripts."
#: serverguide/C/web-servers.xml:426(para)
"For security reasons, this should usually not be set, and certainly should "
"not be set on your DocumentRoot directory. Enable this option carefully on a "
"per-directory basis only if you are certain you want users to see the entire "
"contents of the directory."
#: serverguide/C/web-servers.xml:421(para)
"<emphasis role=\"bold\">Indexes</emphasis> - Display a formatted list of the "
"directory's contents, if no <emphasis>DirectoryIndex</emphasis> (such as "
"index.html) exists in the requested directory. <placeholder-1/>"
#: serverguide/C/web-servers.xml:436(para)
"<emphasis role=\"bold\">Multiview</emphasis> - Support content-negotiated "
"multiviews; this option is disabled by default for security reasons. See the "
"url=\"http://httpd.apache.org/docs/2.2/mod/mod_negotiation.html#multiviews\">"
"Apache2 documentation on this option</ulink>."
#: serverguide/C/web-servers.xml:444(para)
"<emphasis role=\"bold\">SymLinksIfOwnerMatch</emphasis> - Only follow "
"symbolic links if the target file or directory has the same owner as the "
#: serverguide/C/web-servers.xml:456(title)
msgid "httpd Settings"
#: serverguide/C/web-servers.xml:458(para)
"This section explains some basic <application>httpd</application> daemon "
"configuration settings."
#: serverguide/C/web-servers.xml:462(para)
"<emphasis role=\"bold\">LockFile</emphasis> - The LockFile directive sets "
"the path to the lockfile used when the server is compiled with either "
"USE_FCNTL_SERIALIZED_ACCEPT or USE_FLOCK_SERIALIZED_ACCEPT. It must be "
"stored on the local disk. It should be left to the default value unless the "
"logs directory is located on an NFS share. If this is the case, the default "
"value should be changed to a location on the local disk and to a directory "
"that is readable only by root."
#: serverguide/C/web-servers.xml:471(para)
"<emphasis role=\"bold\">PidFile</emphasis> - The PidFile directive sets the "
"file in which the server records its process ID (pid). This file should only "
"be readable by root. In most cases, it should be left to the default value."
#: serverguide/C/web-servers.xml:477(para)
"<emphasis role=\"bold\">User</emphasis> - The User directive sets the userid "
"used by the server to answer requests. This setting determines the server's "
"access. Any files inaccessible to this user will also be inaccessible to "
"your website's visitors. The default value for User is www-data."
#: serverguide/C/web-servers.xml:484(para)
"Unless you know exactly what you are doing, do not set the User directive to "
"root. Using root as the User will create large security holes for your Web "
#: serverguide/C/web-servers.xml:490(para)
"The Group directive is similar to the User directive. Group sets the group "
"under which the server will answer requests. The default group is also www-"
#: serverguide/C/web-servers.xml:496(title)
msgid "Apache Modules"
msgstr "Apache Moduliai"
#: serverguide/C/web-servers.xml:498(para)
"Apache is a modular server. This implies that only the most basic "
"functionality is included in the core server. Extended features are "
"available through modules which can be loaded into Apache. By default, a "
"base set of modules is included in the server at compile-time. If the server "
"is compiled to use dynamically loaded modules, then modules can be compiled "
"separately, and added at any time using the LoadModule directive. Otherwise, "
"Apache must be recompiled to add or remove modules."
#: serverguide/C/web-servers.xml:510(para)
"Ubuntu compiles Apache2 to allow the dynamic loading of modules. "
"Configuration directives may be conditionally included on the presence of a "
"particular module by enclosing them in an "
"<emphasis>&lt;IfModule&gt;</emphasis> block."
#: serverguide/C/web-servers.xml:517(para)
"You can install additional Apache2 modules and use them with your Web "
"server. For example, run the following command from a terminal prompt to "
"install the <emphasis>MySQL Authentication</emphasis> module:"
#: serverguide/C/web-servers.xml:524(command)
msgid "sudo apt-get install libapache2-mod-auth-mysql"
msgstr "sudo apt-get install libapache2-mod-auth-mysql"
#: serverguide/C/web-servers.xml:527(para)
"See the <filename>/etc/apache2/mods-available</filename> directory, for "
"additional modules."
#: serverguide/C/web-servers.xml:531(para)
"Use the <application>a2enmod</application> utility to enable a module:"
#: serverguide/C/web-servers.xml:537(command)
msgid "sudo a2enmod auth_mysql"
#: serverguide/C/web-servers.xml:541(para)
msgid "Similarly, <application>a2dismod</application> will disable a module:"
#: serverguide/C/web-servers.xml:546(command)
msgid "sudo a2dismod auth_mysql"
#: serverguide/C/web-servers.xml:553(title)
msgid "HTTPS Configuration"
msgstr "HTTPS Konfigūracija"
#: serverguide/C/web-servers.xml:555(para)
"The <application>mod_ssl</application> module adds an important feature to "
"the Apache2 server - the ability to encrypt communications. Thus, when your "
"browser is communicating using SSL, the https:// prefix is used at the "
"beginning of the Uniform Resource Locator (URL) in the browser navigation "
#: serverguide/C/web-servers.xml:564(para)
"The <application>mod_ssl</application> module is available in "
"<application>apache2-common</application> package. Execute the following "
"command from a terminal prompt to enable the "
"<application>mod_ssl</application> module:"
#: serverguide/C/web-servers.xml:571(command)
msgid "sudo a2enmod ssl"
msgstr "sudo a2enmod ssl"
#: serverguide/C/web-servers.xml:574(para)
"There is a default HTTPS configuration file in <filename>/etc/apache2/sites-"
"available/default-ssl</filename>. In order for "
"<application>Apache</application> to provide HTTPS, a "
"<emphasis>certificate</emphasis> and <emphasis>key</emphasis> file are also "
"needed. The default HTTPS configuration will use a certificate and key "
"generated by the <application>ssl-cert</application> package. They are good "
"for testing, but the auto-generated certificate and key should be replaced "
"by a certificate specific to the site or server. For information on "
"generating a key and obtaining a certificate see <xref "
"linkend=\"certificates-and-security\"/>"
#: serverguide/C/web-servers.xml:584(para)
"To configure <application>Apache</application> for HTTPS, enter the "
#: serverguide/C/web-servers.xml:589(command)
msgid "sudo a2ensite default-ssl"
#: serverguide/C/web-servers.xml:593(para)
"The directories <filename>/etc/ssl/certs</filename> and "
"<filename>/etc/ssl/private</filename> are the default locations. If you "
"install the certificate and key in another directory make sure to change "
"<emphasis>SSLCertificateFile</emphasis> and "
"<emphasis>SSLCertificateKeyFile</emphasis> appropriately."
#: serverguide/C/web-servers.xml:600(para)
"With Apache now configured for HTTPS, restart the service to enable the new "
#: serverguide/C/web-servers.xml:611(para)
"Depending on how you obtained your certificate you may need to enter a "
"passphrase when <application>Apache</application> starts."
#: serverguide/C/web-servers.xml:617(para)
"You can access the secure server pages by typing https://your_hostname/url/ "
"in your browser address bar."
#: serverguide/C/web-servers.xml:628(para)
"<ulink url=\"http://httpd.apache.org/docs/2.2/\">Apache2 "
"Documentation</ulink> contains in depth information on Apache2 configuration "
"directives. Also, see the <application>apache2-doc</application> package for "
"the official Apache2 docs."
#: serverguide/C/web-servers.xml:635(para)
"See the <ulink url=\"http://www.modssl.org/docs/\">Mod SSL "
"Documentation</ulink> site for more SSL related information."
#: serverguide/C/web-servers.xml:641(para)
"O'Reilly's <ulink url=\"http://oreilly.com/catalog/9780596001919/\">Apache "
"Cookbook</ulink> is a good resource for accomplishing specific Apache2 "
#: serverguide/C/web-servers.xml:647(para)
"For Ubuntu specific Apache2 questions, ask in the <emphasis>#ubuntu-"
"server</emphasis> IRC channel on <ulink "
"url=\"http://freenode.net/\">freenode.net</ulink>."
#: serverguide/C/web-servers.xml:658(title)
msgid "PHP5 - Scripting Language"
#: serverguide/C/web-servers.xml:659(para)
"PHP is a general-purpose scripting language suited for Web development. The "
"PHP script can be embedded into HTML. This section explains how to install "
"and configure PHP5 in Ubuntu System with Apache2 and MySQL."
#: serverguide/C/web-servers.xml:663(para)
"This section assumes you have installed and configured Apache 2 Web Server "
"and MySQL Database Server. You can refer to Apache 2 section and MySQL "
"sections in this document to install and configure Apache 2 and MySQL "
#: serverguide/C/web-servers.xml:670(para)
msgid "The PHP5 is available in Ubuntu Linux."
#: serverguide/C/web-servers.xml:672(para)
"To install PHP5 you can enter the following command in the terminal prompt: "
"<command>sudo apt-get install php5 libapache2-mod-php5</command>\n"
#: serverguide/C/web-servers.xml:681(para)
"You can run PHP5 scripts from command line. To run PHP5 scripts from command "
"line you should install <application>php5-cli</application> package. To "
"install <application>php5-cli</application> you can enter the following "
"command in the terminal prompt: <screen>\n"
"<command>sudo apt-get install php5-cli</command>\n"
#: serverguide/C/web-servers.xml:690(para)
"You can also execute PHP5 scripts without installing PHP5 Apache module. To "
"accomplish this, you should install <application>php5-cgi</application> "
"package. You can run the following command in a terminal prompt to install "
"<application>php5-cgi</application> package: <screen>\n"
"<command>sudo apt-get install php5-cgi</command>\n"
#: serverguide/C/web-servers.xml:700(para)
"To use <application>MySQL</application> with PHP5 you should install "
"<application>php5-mysql</application> package. To install <application>php5-"
"mysql</application> you can enter the following command in the terminal "
"prompt: <screen>\n"
"<command>sudo apt-get install php5-mysql</command>\n"
#: serverguide/C/web-servers.xml:708(para)
"Similarly, to use <application>PostgreSQL</application> with PHP5 you should "
"install <application>php5-pgsql</application> package. To install "
"<application>php5-pgsql</application> you can enter the following command in "
"the terminal prompt: <screen>\n"
"<command>sudo apt-get install php5-pgsql</command>\n"
#: serverguide/C/web-servers.xml:721(para)
"Once you install PHP5, you can run PHP5 scripts from your web browser. If "
"you have installed <application>php5-cli</application> package, you can run "
"PHP5 scripts from your command prompt."
#: serverguide/C/web-servers.xml:728(para)
"By default, the Apache 2 Web server is configured to run PHP5 scripts. In "
"other words, the PHP5 module is enabled in Apache2 Web server automatically "
"when you install the module. Please verify if the files "
"<filename>/etc/apache2/mods-enabled/php5.conf</filename> and "
"<filename>/etc/apache2/mods-enabled/php5.load</filename> exist. If they do "
"not exists, you can enable the module using <command>a2enmod</command> "
#: serverguide/C/web-servers.xml:739(para)
"Once you install PHP5 related packages and enabled PHP5 Apache 2 module, you "
"should restart Apache2 Web server to run PHP5 scripts. You can run the "
"following command at a terminal prompt to restart your web server: "
"<screen><command>sudo /etc/init.d/apache2 restart</command> </screen>"
#: serverguide/C/web-servers.xml:747(title) serverguide/C/mail.xml:124(title) serverguide/C/mail.xml:1341(title) serverguide/C/dns.xml:343(title) serverguide/C/clustering.xml:177(title)
#: serverguide/C/web-servers.xml:748(para)
"To verify your installation, you can run following PHP5 phpinfo script:"
#: serverguide/C/web-servers.xml:751(programlisting)
"print_r (phpinfo());\n"
#: serverguide/C/web-servers.xml:756(para)
"You can save the content in a file <filename>phpinfo.php</filename> and "
"place it under <command>DocumentRoot</command> directory of Apache2 Web "
"server. When point your browser to "
"<filename>http://hostname/phpinfo.php</filename>, it would display values of "
"various PHP5 configuration parameters."
#: serverguide/C/web-servers.xml:770(para)
"For more in depth information see <ulink "
"url=\"http://www.php.net/docs.php\">php.net</ulink> documentation."
#: serverguide/C/web-servers.xml:775(para)
"There are a plethora of books on PHP. Two good books from O'Reilly are "
"<ulink url=\"http://oreilly.com/catalog/9780596005603/\">Learning PHP "
"5</ulink> and the <ulink "
"url=\"http://oreilly.com/catalog/9781565926813/\">PHP Cook Book</ulink>."
#: serverguide/C/web-servers.xml:787(title)
msgid "Squid - Proxy Server"
msgstr "Squid - Įgaliotasis Serveris"
#: serverguide/C/web-servers.xml:788(para)
"Squid is a full-featured web proxy cache server application which provides "
"proxy and cache services for Hyper Text Transport Protocol (HTTP), File "
"Transfer Protocol (FTP), and other popular network protocols. Squid can "
"implement caching and proxying of Secure Sockets Layer (SSL) requests and "
"caching of Domain Name Server (DNS) lookups, and perform transparent "
"caching. Squid also supports a wide variety of caching protocols, such as "
"Internet Cache Protocol, (ICP) the Hyper Text Caching Protocol, (HTCP) the "
"Cache Array Routing Protocol (CARP), and the Web Cache Coordination "
#: serverguide/C/web-servers.xml:796(para)
"The Squid proxy cache server is an excellent solution to a variety of proxy "
"and caching server needs, and scales from the branch office to enterprise "
"level networks while providing extensive, granular access control mechanisms "
"and monitoring of critical parameters via the Simple Network Management "
"Protocol (SNMP). When selecting a computer system for use as a dedicated "
"Squid proxy, or caching servers, ensure your system is configured with a "
"large amount of physical memory, as Squid maintains an in-memory cache for "
"increased performance."
#: serverguide/C/web-servers.xml:805(para)
"At a terminal prompt, enter the following command to install the Squid "
#: serverguide/C/web-servers.xml:810(command)
msgid "sudo apt-get install squid"
#: serverguide/C/web-servers.xml:816(para)
"Squid is configured by editing the directives contained within the "
"<filename>/etc/squid/squid.conf</filename> configuration file. The following "
"examples illustrate some of the directives which may be modified to affect "
"the behavior of the Squid server. For more in-depth configuration of Squid, "
"see the References section."
#: serverguide/C/web-servers.xml:822(para)
"Prior to editing the configuration file, you should make a copy of the "
"original file and protect it from writing so you will have the original "
"settings as a reference, and to re-use as necessary."
#: serverguide/C/web-servers.xml:825(para)
"Copy the <filename>/etc/squid/squid.conf</filename> file and protect it from "
"writing with the following commands entered at a terminal prompt:"
#: serverguide/C/web-servers.xml:830(command)
msgid "sudo cp /etc/squid/squid.conf /etc/squid/squid.conf.original"
#: serverguide/C/web-servers.xml:831(command)
msgid "sudo chmod a-w /etc/squid/squid.conf.original"
#: serverguide/C/web-servers.xml:837(para)
"To set your Squid server to listen on TCP port 8888 instead of the default "
"TCP port 3128, change the http_port directive as such:"
#: serverguide/C/web-servers.xml:841(programlisting)
#: serverguide/C/web-servers.xml:846(para)
"Change the visible_hostname directive in order to give the Squid server a "
"specific hostname. This hostname does not necessarily need to be the "
"computer's hostname. In this example it is set to <emphasis>weezie</emphasis>"
#: serverguide/C/web-servers.xml:850(programlisting)
"visible_hostname weezie\n"
#: serverguide/C/web-servers.xml:855(para)
"Again, Using Squid's access control, you may configure use of Internet "
"services proxied by Squid to be available only users with certain Internet "
"Protocol (IP) addresses. For example, we will illustrate access by users of "
"the 192.168.42.0/24 subnetwork only:"
#: serverguide/C/web-servers.xml:860(para) serverguide/C/web-servers.xml:880(para)
"Add the following to the <emphasis role=\"bold\">bottom</emphasis> of the "
"ACL section of your <filename>/etc/squid/squid.conf</filename> file:"
#: serverguide/C/web-servers.xml:863(programlisting)
"acl fortytwo_network src 192.168.42.0/24\n"
#: serverguide/C/web-servers.xml:866(para) serverguide/C/web-servers.xml:887(para)
"Then, add the following to the <emphasis role=\"bold\">top</emphasis> of the "
"http_access section of your <filename>/etc/squid/squid.conf</filename> file:"
#: serverguide/C/web-servers.xml:870(programlisting)
"http_access allow fortytwo_network\n"
#: serverguide/C/web-servers.xml:875(para)
"Using the excellent access control features of Squid, you may configure use "
"of Internet services proxied by Squid to be available only during normal "
"business hours. For example, we'll illustrate access by employees of a "
"business which is operating between 9:00AM and 5:00PM, Monday through "
"Friday, and which uses the 10.1.42.0/42 subnetwork:"
#: serverguide/C/web-servers.xml:883(programlisting)
"acl biz_network src 10.1.42.0/24\n"
"acl biz_hours time M T W T F 9:00-17:00\n"
#: serverguide/C/web-servers.xml:891(programlisting)
"http_access allow biz_network biz_hours\n"
#: serverguide/C/web-servers.xml:898(para)
"After making changes to the <filename>/etc/squid/squid.conf</filename> file, "
"save the file and restart the <application>squid</application> server "
"application to effect the changes using the following command entered at a "
#: serverguide/C/web-servers.xml:905(command)
msgid "sudo /etc/init.d/squid restart"
#: serverguide/C/web-servers.xml:912(ulink)
msgid "Squid Website"
#: serverguide/C/web-servers.xml:918(title)
msgid "Ruby on Rails"
#: serverguide/C/web-servers.xml:919(para)
"Ruby on Rails is an open source web framework for developing database backed "
"web applications. It is optimized for sustainable productivity of the "
"programmer since it lets the programmer to write code by favouring "
"convention over configuration."
#: serverguide/C/web-servers.xml:926(para)
"Before installing <application>Rails</application> you should install "
"<application>Apache</application> and <application>MySQL</application>. To "
"install the <application>Apache</application> package, please refer to <xref "
"linkend=\"httpd\"/>. For instructions on installing "
"<application>MySQL</application> refer to <xref linkend=\"mysql\"/>."
#: serverguide/C/web-servers.xml:934(para)
"Once you have <application>Apache</application> and "
"<application>MySQL</application> packages installed, you are ready to "
"install <application>Ruby on Rails</application> package."
#: serverguide/C/web-servers.xml:941(para)
"To install the <application>Ruby</application> base packages and "
"<application>Ruby on Rails</application>, you can enter the following "
"command in the terminal prompt:"
#: serverguide/C/web-servers.xml:947(command)
msgid "sudo apt-get install rails"
#: serverguide/C/web-servers.xml:953(para)
"Modify the <filename>/etc/apache2/sites-available/default</filename> "
"configuration file to setup your domains."
#: serverguide/C/web-servers.xml:957(para)
"The first thing to change is the <emphasis>DocumentRoot</emphasis> directive:"
#: serverguide/C/web-servers.xml:961(programlisting)
"DocumentRoot /path/to/rails/application/public\n"
#: serverguide/C/web-servers.xml:964(para)
"Next, change the <Directory \"/path/to/rails/application/public\"> "
#: serverguide/C/web-servers.xml:968(programlisting)
"<Directory \"/path/to/rails/application/public\">\n"
" Options Indexes FollowSymLinks MultiViews ExecCGI\n"
" AllowOverride All\n"
" Order allow,deny\n"
" AddHandler cgi-script .cgi\n"
"</Directory>\n"
#: serverguide/C/web-servers.xml:978(para)
"You should also enable the <application>mod_rewrite</application> module for "
"Apache. To enable <application>mod_rewrite</application> module, please "
"enter the following command in a terminal prompt:"
#: serverguide/C/web-servers.xml:984(command)
msgid "sudo a2enmod rewrite"
#: serverguide/C/web-servers.xml:987(para)
"Finally you will need to change the ownership of the "
"<filename>/path/to/rails/application/public</filename> and "
"<filename>/path/to/rails/application/tmp</filename> directories to the user "
"used to run the <application>Apache</application> process:"
#: serverguide/C/web-servers.xml:993(command)
msgid "sudo chown -R www-data:www-data /path/to/rails/application/public"
#: serverguide/C/web-servers.xml:994(command)
msgid "sudo chown -R www-data:www-data /path/to/rails/application/tmp"
#: serverguide/C/web-servers.xml:997(para)
"That's it! Now you have your Server ready for your <application>Ruby on "
"Rails</application> applications."
#: serverguide/C/web-servers.xml:1006(para)
"See the <ulink url=\"http://rubyonrails.org/\">Ruby on Rails</ulink> website "
"for more information."
#: serverguide/C/web-servers.xml:1011(para)
"Also <ulink url=\"http://pragprog.com/titles/rails3/agile-web-development-"
"with-rails-third-edition\">Agile Development with Rails</ulink> is a great "
#: serverguide/C/web-servers.xml:1022(title)
msgid "Apache Tomcat"
#: serverguide/C/web-servers.xml:1023(para)
"Apache Tomcat is a web container that allows you to serve Java Servlets and "
"JSP (Java Server Pages) web applications."
#: serverguide/C/web-servers.xml:1025(para)
"The <application>Tomcat 6.0</application> packages in Ubuntu support two "
"different ways of running Tomcat. You can install them as a classic unique "
"system-wide instance, that will be started at boot time and will run as the "
"tomcat6 unpriviledged user. But you can also deploy private instances that "
"will run with your own user rights, and that you should start and stop by "
"yourself. This second way is particularly useful in a development server "
"context where multiple users need to test on their own private Tomcat "
#: serverguide/C/web-servers.xml:1035(title)
msgid "System-wide installation"
#: serverguide/C/web-servers.xml:1036(para)
"To install the <application>Tomcat</application> server, you can enter the "
"following command in the terminal prompt:"
#: serverguide/C/web-servers.xml:1039(command)
msgid "sudo apt-get install tomcat6"
#: serverguide/C/web-servers.xml:1041(para)
"This will install a Tomcat server with just a default ROOT webapp that "
"displays a minimal \"It works\" page by default."
#: serverguide/C/web-servers.xml:1047(para)
"Tomcat configuration files can be found in "
"<filename>/etc/tomcat6</filename>. Only a few common configuration tweaks "
"will be described here, please see <ulink "
"url=\"http://tomcat.apache.org/tomcat-6.0-doc/index.html\">Tomcat 6.0 "
"documentation</ulink> for more."
#: serverguide/C/web-servers.xml:1053(title)
msgid "Changing default ports"
#: serverguide/C/web-servers.xml:1054(para)
"By default Tomcat 6.0 runs a HTTP connector on port 8080 and an AJP "
"connector on port 8009. You might want to change those default ports to "
"avoid conflict with another server on the system. This is done by changing "
"the following lines in <filename>/etc/tomcat6/server.xml</filename>:"
#: serverguide/C/web-servers.xml:1059(programlisting)
"<Connector port=\"8080\" protocol=\"HTTP/1.1\" \n"
" connectionTimeout=\"20000\" \n"
" redirectPort=\"8443\" />\n"
"<Connector port=\"8009\" protocol=\"AJP/1.3\" redirectPort=\"8443\" "
#: serverguide/C/web-servers.xml:1068(title)
msgid "Changing JVM used"
#: serverguide/C/web-servers.xml:1069(para)
"By default Tomcat will run preferably with OpenJDK-6, then try Sun's JVM, "
"then try some other JVMs. If you have various JVMs installed, you can set "
"which should be used by setting JAVA_HOME in "
"<filename>/etc/default/tomcat6</filename>:"
#: serverguide/C/web-servers.xml:1073(programlisting)
"JAVA_HOME=/usr/lib/jvm/java-6-sun\n"
#: serverguide/C/web-servers.xml:1078(title)
msgid "Declaring users and roles"
#: serverguide/C/web-servers.xml:1079(para)
"Usernames, passwords and roles (groups) can be defined centrally in a "
"Servlet container. In Tomcat 6.0 this is done in the "
"<filename>/etc/tomcat6/tomcat-users.xml</filename> file:"
#: serverguide/C/web-servers.xml:1082(programlisting)
"<role rolename=\"admin\"/>\n"
"<user username=\"tomcat\" password=\"s3cret\" roles=\"admin\"/>\n"
#: serverguide/C/web-servers.xml:1090(title)
msgid "Using Tomcat standard webapps"
#: serverguide/C/web-servers.xml:1091(para)
"Tomcat is shipped with webapps that you can install for documentation, "
"administration or demo purposes."
#: serverguide/C/web-servers.xml:1094(title)
msgid "Tomcat documentation"
#: serverguide/C/web-servers.xml:1095(para)
"The <application>tomcat6-docs</application> package contains Tomcat 6.0 "
"documentation, packaged as a webapp that you can access by default at "
"http://yourserver:8080/docs. You can install it by entering the following "
"command in the terminal prompt:"
#: serverguide/C/web-servers.xml:1100(command)
msgid "sudo apt-get install tomcat6-docs"
#: serverguide/C/web-servers.xml:1104(title)
msgid "Tomcat administration webapps"
#: serverguide/C/web-servers.xml:1105(para)
"The <application>tomcat6-admin</application> package contains two webapps "
"that can be used to administer the Tomcat server using a web interface. You "
"can install them by entering the following command in the terminal prompt:"
#: serverguide/C/web-servers.xml:1110(command)
msgid "sudo apt-get install tomcat6-admin"
#: serverguide/C/web-servers.xml:1112(para)
"The first one is the <emphasis>manager</emphasis> webapp, which you can "
"access by default at http://yourserver:8080/manager/html. It is primarily "
"used to get server status and restart webapps."
#: serverguide/C/web-servers.xml:1115(para)
"Access to the <emphasis>manager</emphasis> application is protected by "
"default: you need to define a user with the role \"manager\" in "
"<filename>/etc/tomcat6/tomcat-users.xml</filename> before you can access it."
#: serverguide/C/web-servers.xml:1119(para)
"The second one is the <emphasis>host-manager</emphasis> webapp, which you "
"can access by default at http://yourserver:8080/host-manager/html. It can be "
"used to create virtual hosts dynamically."
#: serverguide/C/web-servers.xml:1123(para)
"Access to the <emphasis>host-manager</emphasis> application is also "
"protected by default: you need to define a user with the role \"admin\" in "
"<filename>/etc/tomcat6/tomcat-users.xml</filename> before you can access it."
#: serverguide/C/web-servers.xml:1128(para)
"For security reasons, the tomcat6 user cannot write to the "
"<filename>/etc/tomcat6</filename> directory by default. Some features in "
"these admin webapps (application deployment, virtual host creation) need "
"write access to that directory. If you want to use these features execute "
"the following, to give users in the tomcat6 group the necessary rights:"
#: serverguide/C/web-servers.xml:1135(command)
msgid "sudo chgrp -R tomcat6 /etc/tomcat6"
#: serverguide/C/web-servers.xml:1136(command)
msgid "sudo chmod -R g+w /etc/tomcat6"
#: serverguide/C/web-servers.xml:1141(title)
msgid "Tomcat examples webapps"
#: serverguide/C/web-servers.xml:1142(para)
"The <application>tomcat6-examples</application> package contains two webapps "
"that can be used to test or demonstrate Servlets and JSP features, which you "
"can access them by default at http://yourserver:8080/examples. You can "
"install them by entering the following command in the terminal prompt:"
#: serverguide/C/web-servers.xml:1148(command)
msgid "sudo apt-get install tomcat6-examples"
#: serverguide/C/web-servers.xml:1154(title)
msgid "Using private instances"
#: serverguide/C/web-servers.xml:1155(para)
"Tomcat is heavily used in development and testing scenarios where using a "
"single system-wide instance doesn't meet the requirements of multiple users "
"on a single system. The Tomcat 6.0 packages in Ubuntu come with tools to "
"help deploy your own user-oriented instances, allowing every user on a "
"system to run (without root rights) separate private instances while still "
"using the system-installed libraries."
#: serverguide/C/web-servers.xml:1162(para)
"It is possible to run the system-wide instance and the private instances in "
"parallel, as long as they do not use the same TCP ports."
#: serverguide/C/web-servers.xml:1166(title)
msgid "Installing private instance support"
#: serverguide/C/web-servers.xml:1167(para)
"You can install everything necessary to run private instances by entering "
"the following command in the terminal prompt:"
#: serverguide/C/web-servers.xml:1170(command)
msgid "sudo apt-get install tomcat6-user"
#: serverguide/C/web-servers.xml:1174(title)
msgid "Creating a private instance"
#: serverguide/C/web-servers.xml:1175(para)
"You can create a private instance directory by entering the following "
"command in the terminal prompt:"
#: serverguide/C/web-servers.xml:1178(command)
msgid "tomcat6-instance-create my-instance"
#: serverguide/C/web-servers.xml:1180(para)
"This will create a new <filename>my-instance</filename> directory with all "
"the necessary subdirectories and scripts. You can for example install your "
"common libraries in the <filename>lib/</filename> subdirectory and deploy "
"your webapps in the <filename>webapps/</filename> subdirectory. No webapps "
"are deployed by default."
#: serverguide/C/web-servers.xml:1188(title)
msgid "Configuring your private instance"
#: serverguide/C/web-servers.xml:1189(para)
"You will find the classic Tomcat configuration files for your private "
"instance in the <filename>conf/</filename> subdirectory. You should for "
"example certainly edit the <filename>conf/server.xml</filename> file to "
"change the default ports used by your private Tomcat instance to avoid "
"conflict with other instances that might be running."
#: serverguide/C/web-servers.xml:1197(title)
msgid "Starting/stopping your private instance"
#: serverguide/C/web-servers.xml:1198(para)
"You can start your private instance by entering the following command in the "
"terminal prompt (supposing your instance is located in the <filename>my-"
"instance</filename> directory):"
#: serverguide/C/web-servers.xml:1202(command)
msgid "my-instance/bin/startup.sh"
#: serverguide/C/web-servers.xml:1204(para)
"You should check the <filename>logs/</filename> subdirectory for any error. "
"If you have a <emphasis>java.net.BindException: Address already in "
"use<null>:8080</emphasis> error, it means that the port you're using "
"is already taken and that you should change it."
#: serverguide/C/web-servers.xml:1209(para)
"You can stop your instance by entering the following command in the terminal "
"prompt (supposing your instance is located in the <filename>my-"
"instance</filename> directory):"
#: serverguide/C/web-servers.xml:1213(command)
msgid "my-instance/bin/shutdown.sh"
#: serverguide/C/web-servers.xml:1222(para)
"See the <ulink url=\"http://tomcat.apache.org/\">Apache Tomcat</ulink> "
"website for more information."
#: serverguide/C/web-servers.xml:1227(para)
"<ulink url=\"http://oreilly.com/catalog/9780596003180/\">Tomcat: The "
"Definitive Guide</ulink> is a good resource for building web applications "
#: serverguide/C/web-servers.xml:1233(para)
"For additional books see the <ulink "
"url=\"http://wiki.apache.org/tomcat/Tomcat/Books\">Tomcat Books</ulink> list "
#: serverguide/C/virtualization.xml:13(title)
msgid "Virtualization"
#: serverguide/C/virtualization.xml:14(para)
"Virtualization is being adopted in many different environments and "
"situations. If you are a developer, virtualization can provide you with a "
"contained environment where you can safely do almost any sort of development "
"safe from messing up your main working environment. If you are a systems "
"administrator, you can use virtualization to more easily separate your "
"services and move them around based on demand."
#: serverguide/C/virtualization.xml:20(para)
"The default virtualization technology supported in Ubuntu is "
"<application>KVM</application>, a technology that takes advantage of "
"virtualization extensions built into Intel and AMD hardware. For hardware "
"without virtualization extensions <application>Xen</application> and "
"<application>Qemu</application> are popular solutions."
#: serverguide/C/virtualization.xml:27(title)
#: serverguide/C/virtualization.xml:28(para)
"The <application>libvirt</application> library is used to interface with "
"different virtualization technologies. Before getting started with "
"<application>libvirt</application> it is best to make sure your hardware "
"supports the necessary virtualization extensions for "
"<application>KVM</application>. Enter the following from a terminal prompt:"
#: serverguide/C/virtualization.xml:34(command)
msgid "egrep '(vmx|svm)' /proc/cpuinfo"
#: serverguide/C/virtualization.xml:36(para)
"If nothing is printed, it means that your cpu does <emphasis>not</emphasis> "
"support hardware virtualization."
#: serverguide/C/virtualization.xml:40(para)
"On most computer whose processor supports virtualization, it is necessary to "
"activate an option in the bios to enable it. The method described above does "
"not show the status of it's activation."
#: serverguide/C/virtualization.xml:47(title)
msgid "Virtual Networking"
#: serverguide/C/virtualization.xml:49(para)
"There are a few different ways to allow a virtual machine access to the "
"external network. The default virtual network configuration is "
"<emphasis>usermode</emphasis> networking, which uses the SLIRP protocol and "
"traffic is NATed through the host interface to the outside network."
#: serverguide/C/virtualization.xml:54(para)
"To enable external hosts to directly access services on virtual machines a "
"<emphasis>bridge</emphasis> needs to be configured. This allows the virtual "
"interfaces to connect to the outside network through the physical interface, "
"making them appear as normal hosts to the rest of the network. For "
"information on setting up a bridge see <xref linkend=\"bridging\"/>."
#: serverguide/C/virtualization.xml:63(para)
msgid "To install the necessary packages, from a terminal prompt enter:"
#: serverguide/C/virtualization.xml:67(command)
msgid "sudo apt-get install kvm libvirt-bin"
#: serverguide/C/virtualization.xml:69(para)
"After installing <application>libvirt-bin</application>, the user used to "
"manage virtual machines will need to be added to the "
"<emphasis>libvirtd</emphasis> group. Doing so will grant the user access to "
"the advanced networking options."
#: serverguide/C/virtualization.xml:73(para)
msgid "In a terminal enter:"
#: serverguide/C/virtualization.xml:77(command)
msgid "sudo adduser $USER libvirtd"
#: serverguide/C/virtualization.xml:80(para)
"If the user chosen is the current user, you will need to log out and back in "
"for the new group membership to take effect."
#: serverguide/C/virtualization.xml:84(para)
"You are now ready to install a <emphasis>Guest</emphasis> operating system. "
"Installing a virtual machine follows the same process as installing the "
"operating system directly on the hardware. You either need a way to automate "
"the installation, or a keyboard and monitor will need to be attached to the "
#: serverguide/C/virtualization.xml:89(para)
"In the case of virtual machines a Graphical User Interface (GUI) is "
"analogous to using a physical keyboard and mouse. Instead of installing a "
"GUI the <application>virt-viewer</application> application can be used to "
"connect to a virtual machine's console using <application>VNC</application>. "
"See <xref linkend=\"libvirt-virt-viewer\"/> for more information."
#: serverguide/C/virtualization.xml:94(para)
"There are several ways to automate the Ubuntu installation process, for "
"example using preseeds, kickstart, etc. Refer to the <ulink "
"url=\"https://help.ubuntu.com/9.04/installation-guide/\">Ubuntu Installation "
"Guide</ulink> for details."
#: serverguide/C/virtualization.xml:98(para)
"Yet another way to install an Ubuntu virtual machine is to use "
"<application>ubuntu-vm-builder</application>. <application>ubuntu-vm-"
"builder</application> allows you to setup advanced partitions, execute "
"custom post-install scripts, etc. For details see <xref linkend=\"jeos-and-"
#: serverguide/C/virtualization.xml:104(title)
msgid "virt-install"
#: serverguide/C/virtualization.xml:105(para)
"<application>virt-install</application> is part of the <application>python-"
"virtinst</application> package. To install it, from a terminal prompt enter:"
#: serverguide/C/virtualization.xml:109(command)
msgid "sudo apt-get install python-virtinst"
#: serverguide/C/virtualization.xml:111(para)
"There are several options available when using <application>virt-"
"install</application>. For example:"
#: serverguide/C/virtualization.xml:115(command)
"sudo virt-install -n web_devel -r 256 -f web_devel.img \\ -s 4 -c jeos.iso --"
"accelerate \\ --connect=qemu:///system --vnc \\ --noautoconsole -v"
#: serverguide/C/virtualization.xml:122(para)
"<emphasis>-n web_devel:</emphasis> the name of the new virtual machine will "
"be <emphasis>web_devel</emphasis> in this example."
#: serverguide/C/virtualization.xml:127(para)
"<emphasis>-r 256:</emphasis> specifies the amount of memory the virtual "
#: serverguide/C/virtualization.xml:132(para)
"<emphasis>-f web_devel.img:</emphasis> indicates the path to the virtual "
"disk which can be a file, partition, or logical volume. In this example a "
"file named <filename>web_devel.img</filename>."
#: serverguide/C/virtualization.xml:138(para)
msgid "<emphasis>-s 4:</emphasis> the size of the virtual disk."
#: serverguide/C/virtualization.xml:143(para)
"<emphasis>-c jeos.iso:</emphasis> file to be used as a virtual CDROM. The "
"file can be either an ISO file or the path to the host's CDROM device."
#: serverguide/C/virtualization.xml:149(para)
"<emphasis>--accelerate:</emphasis> enables the kernel's acceleration "
#: serverguide/C/virtualization.xml:154(para)
"<emphasis>--vnc:</emphasis> exports the guest's virtual console using VNC."
#: serverguide/C/virtualization.xml:159(para)
"<emphasis>--noautoconsole:</emphasis> will not automatically connect to the "
"virtual machine's console."
#: serverguide/C/virtualization.xml:164(para)
msgid "<emphasis>-v:</emphasis> creates a fully virtualized guest."
#: serverguide/C/virtualization.xml:169(para)
"After launching <application>virt-install</application> you can connect to "
"the virtual machine's console either locally using a GUI or with the "
"<application>virt-viewer</application> utility."
#: serverguide/C/virtualization.xml:175(title)
#: serverguide/C/virtualization.xml:176(para)
"The <application>virt-clone</application> application can be used to copy "
"one virtual machine to another. For example:"
#: serverguide/C/virtualization.xml:180(command)
"sudo virt-clone -o web_devel -n database_devel -f "
"/path/to/database_devel.img --connect=qemu:///system"
#: serverguide/C/virtualization.xml:184(para)
msgid "<emphasis>-o:</emphasis> original virtual machine."
#: serverguide/C/virtualization.xml:189(para)
msgid "<emphasis>-n:</emphasis> name of the new virtual machine."
#: serverguide/C/virtualization.xml:194(para)
"<emphasis>-f:</emphasis> path to the file, logical volume, or partition to "
"be used by the new virtual machine."
#: serverguide/C/virtualization.xml:199(para)
"<emphasis>--connect:</emphasis> specifies which hypervisor to connect to."
#: serverguide/C/virtualization.xml:204(para)
"Also, use <emphasis>-d</emphasis> or <emphasis>--debug</emphasis> option to "
"help troubleshoot problems with <application>virt-clone</application>."
#: serverguide/C/virtualization.xml:209(para)
"Replace <emphasis>web_devel</emphasis> and "
"<emphasis>database_devel</emphasis> with appropriate virtual machine names."
#: serverguide/C/virtualization.xml:215(title)
msgid "Virtual Machine Management"
#: serverguide/C/virtualization.xml:217(title)
#: serverguide/C/virtualization.xml:218(para)
"There are several utilities available to manage virtual machines and "
"<application>libvirt</application>. The <application>virsh</application> "
"utility can be used from the command line. Some examples:"
#: serverguide/C/virtualization.xml:224(para)
msgid "To list running virtual machines:"
#: serverguide/C/virtualization.xml:228(command)
msgid "virsh -c qemu:///system list"
#: serverguide/C/virtualization.xml:232(para)
msgid "To start a virtual machine:"
#: serverguide/C/virtualization.xml:236(command)
msgid "virsh -c qemu:///system start web_devel"
#: serverguide/C/virtualization.xml:240(para)
msgid "Similarly, to start a virtual machine at boot:"
#: serverguide/C/virtualization.xml:244(command)
msgid "virsh -c qemu:///system autostart web_devel"
#: serverguide/C/virtualization.xml:248(para)
msgid "Reboot a virtual machine with:"
#: serverguide/C/virtualization.xml:252(command)
msgid "virsh -c qemu:///system reboot web_devel"
#: serverguide/C/virtualization.xml:256(para)
"The <emphasis>state</emphasis> of virtual machines can be saved to a file in "
"order to be restored later. The following will save the virtual machine "
"state into a file named according to the date:"
#: serverguide/C/virtualization.xml:261(command)
msgid "virsh -c qemu:///system save web_devel web_devel-022708.state"
#: serverguide/C/virtualization.xml:263(para)
msgid "Once saved the virtual machine will no longer be running."
#: serverguide/C/virtualization.xml:268(para)
msgid "A saved virtual machine can be restored using:"
#: serverguide/C/virtualization.xml:272(command)
msgid "virsh -c qemu:///system restore web_devel-022708.state"
#: serverguide/C/virtualization.xml:276(para)
msgid "To shutdown a virtual machine do:"
#: serverguide/C/virtualization.xml:280(command)
msgid "virsh -c qemu:///system shutdown web_devel"
#: serverguide/C/virtualization.xml:284(para)
msgid "A CDROM device can be mounted in a virtual machine by entering:"
#: serverguide/C/virtualization.xml:288(command)
msgid "virsh -c qemu:///system attach-disk web_devel /dev/cdrom /media/cdrom"
#: serverguide/C/virtualization.xml:293(para)
"In the above examples replace <emphasis>web_devel</emphasis> with the "
"appropriate virtual machine name, and <filename>web_devel-"
"022708.state</filename> with a descriptive file name."
#: serverguide/C/virtualization.xml:300(title)
msgid "Virtual Machine Manager"
#: serverguide/C/virtualization.xml:301(para)
"The <application>virt-manager</application> package contains a graphical "
"utility to manage local and remote virtual machines. To install virt-manager "
#: serverguide/C/virtualization.xml:306(command)
msgid "sudo apt-get install virt-manager"
#: serverguide/C/virtualization.xml:308(para)
"Since <application>virt-manager</application> requires a Graphical User "
"Interface (GUI) environment it is recommended to be installed on a "
"workstation or test machine instead of a production server. To connect to "
"the local <application>libvirt</application> service enter:"
#: serverguide/C/virtualization.xml:314(command)
msgid "virt-manager -c qemu:///system"
#: serverguide/C/virtualization.xml:316(para)
"You can connect to the <application>libvirt</application> service running on "
"another host by entering the following in a terminal prompt:"
#: serverguide/C/virtualization.xml:320(command)
msgid "virt-manager -c qemu+ssh://virtnode1.mydomain.com/system"
#: serverguide/C/virtualization.xml:323(para)
"The above example assumes that <application>SSH</application> connectivity "
"between the management system and virtnode1.mydomain.com has already been "
"configured, and uses SSH keys for authentication. SSH "
"<emphasis>keys</emphasis> are needed because "
"<application>libvirt</application> sends the password prompt to another "
"process. For details on configuring <application>SSH</application> see <xref "
"linkend=\"openssh-server\"/>"
#: serverguide/C/virtualization.xml:333(title)
msgid "Virtual Machine Viewer"
#: serverguide/C/virtualization.xml:334(para)
"The <application>virt-viewer</application> application allows you to connect "
"to a virtual machine's console. <application>virt-viewer</application> does "
"require a Graphical User Interface (GUI) to interface with the virtual "
#: serverguide/C/virtualization.xml:338(para)
"To install <application>virt-viewer</application> from a terminal enter:"
#: serverguide/C/virtualization.xml:342(command)
msgid "sudo apt-get install virt-viewer"
#: serverguide/C/virtualization.xml:344(para)
"Once a virtual machine is installed and running you can connect to the "
"virtual machine's console by using:"
#: serverguide/C/virtualization.xml:348(command)
msgid "virt-viewer -c qemu:///system web_devel"
#: serverguide/C/virtualization.xml:350(para)
"Similar to <application>virt-manager</application>, <application>virt-"
"viewer</application> can connect to a remote host using "
"<emphasis>SSH</emphasis> with key authentication, as well:"
#: serverguide/C/virtualization.xml:355(command)
msgid "virt-viewer -c qemu+ssh://virtnode1.mydomain.com/system web_devel"
#: serverguide/C/virtualization.xml:357(para)
"Be sure to replace <emphasis role=\"italic\">web_devel</emphasis> with the "
"appropriate virtual machine name."
#: serverguide/C/virtualization.xml:360(para)
"If configured to use a <emphasis>bridged</emphasis> network interface you "
"can also setup <application>SSH</application> access to the virtual machine. "
"See <xref linkend=\"openssh-server\"/> and <xref linkend=\"bridging\"/> for "
#: serverguide/C/virtualization.xml:369(para)
"See the <ulink url=\"http://kvm.qumranet.com/kvmwiki\">KVM</ulink> home page "
#: serverguide/C/virtualization.xml:374(para)
"For more information on <application>libvirt</application> see the <ulink "
"url=\"http://libvirt.org/\">libvirt home page</ulink>"
#: serverguide/C/virtualization.xml:379(para)
"The <ulink url=\"http://virt-manager.et.redhat.com/\">Virtual Machine "
"Manager</ulink> site has more information on <application>virt-"
"manager</application> development."
#: serverguide/C/virtualization.xml:385(para)
"Also, stop by the <emphasis>#ubuntu-virt</emphasis> IRC channel on <ulink "
"url=\"http://freenode.net/\">freenode</ulink> to discuss virtualization "
"technology in Ubuntu."
#: serverguide/C/virtualization.xml:394(title) serverguide/C/jeos.xml:13(title)
msgid "JeOS and vmbuilder"
#: serverguide/C/virtualization.xml:400(title) serverguide/C/jeos.xml:19(title)
msgid "What is JeOS"
#: serverguide/C/virtualization.xml:402(para) serverguide/C/jeos.xml:21(para)
"Ubuntu <emphasis>JeOS</emphasis> (pronounced \"Juice\") is an efficient "
"variant of the Ubuntu Server operating system, configured specifically for "
"virtual appliances. No longer available as a CD-ROM ISO for download, but "
"only as an option either:"
#: serverguide/C/virtualization.xml:409(para)
"While installing from the Server Edition ISO (pressing "
"<emphasis>F4</emphasis> on the first screen will allow you to pick \"Minimal "
"installation\", which is the package selection equivalent to JeOS)."
#: serverguide/C/virtualization.xml:415(para) serverguide/C/jeos.xml:34(para)
msgid "Or to be built using Ubuntu's vmbuilder, which is described here."
#: serverguide/C/virtualization.xml:421(para) serverguide/C/jeos.xml:40(para)
"JeOS is a specialized installation of Ubuntu Server Edition with a tuned "
"kernel that only contains the base elements needed to run within a "
"virtualized environment."
#: serverguide/C/virtualization.xml:426(para) serverguide/C/jeos.xml:45(para)
"Ubuntu JeOS has been tuned to take advantage of key performance technologies "
"in the latest virtualization products from VMware. This combination of "
"reduced size and optimized performance ensures that Ubuntu JeOS Edition "
"delivers a highly efficient use of server resources in large virtual "
#: serverguide/C/virtualization.xml:432(para) serverguide/C/jeos.xml:51(para)
"Without unnecessary drivers, and only the minimal required packages, ISVs "
"can configure their supporting OS exactly as they require. They have the "
"peace of mind that updates, whether for security or enhancement reasons, "
"will be limited to the bare minimum of what is required in their specific "
"environment. In turn, users deploying virtual appliances built on top of "
"JeOS will have to go through fewer updates and therefore less maintenance "
"than they would have had to with a standard full installation of a server."
#: serverguide/C/virtualization.xml:441(title) serverguide/C/jeos.xml:60(title)
msgid "What is vmbuilder"
#: serverguide/C/virtualization.xml:443(para) serverguide/C/jeos.xml:62(para)
"With vmbuilder, there is no need to download a JeOS ISO anymore. vmbuilder "
"will fetch the various package and build a virtual machine tailored for our "
"need in about a minute for us. Vmbuilder is a Script that automates the "
"process of creating a ready to use Linux based VM. The currently supported "
"hypervisors are KVM and Xen."
#: serverguide/C/virtualization.xml:449(para) serverguide/C/jeos.xml:68(para)
"You can pass command line options to add extra packages, remove packages, "
"choose which version of Ubuntu, which mirror etc. On recent hardware with "
"plenty of RAM, tmpdir in <filename>/dev/shm</filename> or using a tmpfs, and "
"a local mirror, you can bootstrap a VM in less than a minute."
#: serverguide/C/virtualization.xml:455(para) serverguide/C/jeos.xml:74(para)
"First introduced as a shell script in Ubuntu 8.04LTS, <application>ubuntu-vm-"
"builder</application> started with little emphasis as a hack to help "
"developers test their new code in a virtual machine without having to "
"restart from scratch each time. As a few Ubuntu administrators started to "
"notice this script, a few of them went on improving it and adapting it for "
"so many use case that Soren Hansen (the author of the script and Ubuntu "
"virtualization specialist, not the golf player) decided to rewrite it from "
"scratch for Intrepid as a python script with a few new design goals:"
#: serverguide/C/virtualization.xml:465(para) serverguide/C/jeos.xml:84(para)
msgid "Develop it so that it can be reused by other distributions."
#: serverguide/C/virtualization.xml:470(para) serverguide/C/jeos.xml:89(para)
"Use a plugin mechanisms for all virtualization interactions so that others "
"can easily add logic for other virtualization environments."
#: serverguide/C/virtualization.xml:475(para) serverguide/C/jeos.xml:94(para)
"Provide an easy to maintain web interface as an option to the command line "
#: serverguide/C/virtualization.xml:481(para) serverguide/C/jeos.xml:100(para)
msgid "But the general principles and commands remain the same."
#: serverguide/C/virtualization.xml:488(title) serverguide/C/jeos.xml:107(title)
msgid "Initial Setup"
#: serverguide/C/virtualization.xml:490(para) serverguide/C/jeos.xml:109(para)
"It is assumed that you have installed and configured "
"<application>libvirt</application> and <application>KVM</application> "
"locally on the machine you are using. For details on how to perform this, "
#: serverguide/C/virtualization.xml:502(para) serverguide/C/jeos.xml:121(para)
"The <ulink url=\"https://help.ubuntu.com/community/KVM\">KVM</ulink> Wiki "
#: serverguide/C/virtualization.xml:508(para) serverguide/C/jeos.xml:127(para)
"We also assume that you know how to use a text based text editor such as "
"nano or vi. If you have not used any of them before, you can get an overview "
"of the various text editors available by reading the <ulink "
"url=\"https://help.ubuntu.com/community/PowerUsersTextEditors\">PowerUsersTex"
"tEditors</ulink> page. This tutorial has been done on KVM, but the general "
"principle should remain on other virtualization technologies."
#: serverguide/C/virtualization.xml:516(title) serverguide/C/jeos.xml:135(title)
msgid "Install vmbuilder"
#: serverguide/C/virtualization.xml:518(para) serverguide/C/jeos.xml:137(para)
"The name of the package that we need to install is <application>python-vm-"
"builder</application>. In a terminal prompt enter:"
#: serverguide/C/virtualization.xml:523(command) serverguide/C/jeos.xml:142(command)
msgid "sudo apt-get install python-vm-builder"
#: serverguide/C/virtualization.xml:527(para) serverguide/C/jeos.xml:146(para)
"If you are running Hardy, you can still perform most of this using the older "
"version of the package named <application>ubuntu-vm-builder</application>, "
"there are only a few changes to the syntax of the tool."
#: serverguide/C/virtualization.xml:536(title) serverguide/C/jeos.xml:155(title)
msgid "Defining Your Virtual Machine"
#: serverguide/C/virtualization.xml:538(para) serverguide/C/jeos.xml:157(para)
"Defining a virtual machine with Ubuntu's vmbuilder is quite simple, but here "
"are a few thing to consider:"
#: serverguide/C/virtualization.xml:544(para) serverguide/C/jeos.xml:163(para)
"If you plan on shipping a virtual appliance, do not assume that the end-user "
"will know how to extend disk size to fit their need, so either plan for a "
"large virtual disk to allow for your appliance to grow, or explain fairly "
"well in your documentation how to allocate more space. It might actually be "
"a good idea to store data on some separate external storage."
#: serverguide/C/virtualization.xml:551(para) serverguide/C/jeos.xml:170(para)
"Given that RAM is much easier to allocate in a VM, RAM size should be set to "
"whatever you think is a safe minimum for your appliance."
#: serverguide/C/virtualization.xml:557(para) serverguide/C/jeos.xml:176(para)
"The <application>vmbuilder</application> command has 2 main parameters: the "
"<emphasis>virtualization technology (hypervisor)</emphasis> and the targeted "
"<emphasis>distribution</emphasis>. Optional parameters are quite numerous "
"and can be found using the following command:"
#: serverguide/C/virtualization.xml:563(command) serverguide/C/jeos.xml:182(command)
msgid "vmbuilder --help"
#: serverguide/C/virtualization.xml:567(title) serverguide/C/jeos.xml:186(title)
msgid "Base Parameters"
#: serverguide/C/virtualization.xml:569(para) serverguide/C/jeos.xml:188(para)
"As this example is based on <application>KVM</application> and Ubuntu 9.04 "
"(Jaunty Jackalope), and we are likely to rebuild the same virtual machine "
"multiple time, we'll invoke vmbuilder with the following first parameters:"
#: serverguide/C/virtualization.xml:575(command) serverguide/C/jeos.xml:194(command)
"sudo vmbuilder kvm ubuntu --suite jaunty --flavour virtual --arch i386 -o --"
"libvirt qemu:///system"
#: serverguide/C/virtualization.xml:578(para) serverguide/C/jeos.xml:197(para)
"The <emphasis>--suite</emphasis> defines the Ubuntu release, the <emphasis>--"
"flavour</emphasis> specifies that we want to use the virtual kernel (that's "
"the one used to build a JeOS image), the <emphasis>--arch</emphasis> tells "
"that we want to use a 32 bit machine, the <emphasis>-o</emphasis> tells "
"vmbuilder to overwrite the previous version of the VM and the <emphasis>--"
"libvirt</emphasis> tells to inform the local virtualization environment to "
"add the resulting VM to the list of available machines."
#: serverguide/C/virtualization.xml:586(para) serverguide/C/jeos.xml:205(para)
#: serverguide/C/virtualization.xml:592(para)
"Because of the nature of operations performed by vmbuilder, it needs to have "
"root privilege, hence the use of sudo."
#: serverguide/C/virtualization.xml:597(para) serverguide/C/jeos.xml:216(para)
"If your virtual machine needs to use more than 3Gb of ram, you should build "
"a 64 bit machine (--arch amd64)."
#: serverguide/C/virtualization.xml:602(para) serverguide/C/jeos.xml:221(para)
"Until Ubuntu 8.10, the virtual kernel was only built for 32 bit "
"architecture, so if you want to define an amd64 machine on Hardy, you should "
"use <emphasis>--flavour</emphasis> server instead."
#: serverguide/C/virtualization.xml:610(title) serverguide/C/jeos.xml:229(title)
msgid "JeOS Installation Parameters"
#: serverguide/C/virtualization.xml:613(title) serverguide/C/jeos.xml:232(title)
msgid "JeOS Networking"
#: serverguide/C/virtualization.xml:616(title) serverguide/C/jeos.xml:235(title)
msgid "Assigning a fixed IP address"
#: serverguide/C/virtualization.xml:618(para) serverguide/C/jeos.xml:237(para)
"As a virtual appliance that may be deployed on various very different "
"networks, it is very difficult to know what the actual network will look "
"like. In order to simplify configuration, it is a good idea to take an "
"approach similar to what network hardware vendors usually do, namely "
"assigning an initial fixed IP address to the appliance in a private class "
"network that you will provide in your documentation. An address in the range "
"192.168.0.0/255 is usually a good choice."
#: serverguide/C/virtualization.xml:625(para) serverguide/C/jeos.xml:244(para)
msgid "To do this we'll use the following parameters:"
#: serverguide/C/virtualization.xml:631(para) serverguide/C/jeos.xml:250(para)
"<emphasis>--ip ADDRESS</emphasis>: IP address in dotted form (defaults to "
"dhcp if not specified)"
#: serverguide/C/virtualization.xml:636(para) serverguide/C/jeos.xml:255(para)
"<emphasis>--mask VALUE</emphasis>: IP mask in dotted form (default: "
#: serverguide/C/virtualization.xml:641(para) serverguide/C/jeos.xml:260(para)
msgid "<emphasis>--net VALUE</emphasis>: IP net address (default: X.X.X.0)"
#: serverguide/C/virtualization.xml:646(para) serverguide/C/jeos.xml:265(para)
msgid "<emphasis>--bcast VALUE</emphasis>: IP broadcast (default: X.X.X.255)"
#: serverguide/C/virtualization.xml:651(para) serverguide/C/jeos.xml:270(para)
msgid "<emphasis>--gw ADDRESS</emphasis>: Gateway address (default: X.X.X.1)"
#: serverguide/C/virtualization.xml:656(para) serverguide/C/jeos.xml:275(para)
"<emphasis>--dns ADDRESS</emphasis>: Name server address (default: X.X.X.1)"
#: serverguide/C/virtualization.xml:662(para) serverguide/C/jeos.xml:281(para)
"We assume for now that default values are good enough, so the resulting "
"invocation becomes:"
#: serverguide/C/virtualization.xml:667(command) serverguide/C/jeos.xml:286(command)
"sudo vmbuilder kvm ubuntu --suite jaunty --flavour virtual --arch i386 -o --"
"libvirt qemu:///system --ip 192.168.0.100"
#: serverguide/C/virtualization.xml:672(title) serverguide/C/jeos.xml:291(title)
msgid "Modifying the libvirt Template to use Bridging"
#: serverguide/C/virtualization.xml:674(para) serverguide/C/jeos.xml:293(para)
"Because our appliance will be likely to need to be accessed by remote hosts, "
"we need to configure libvirt so that the appliance uses bridge networking. "
"To do this we use vmbuilder template mechanism to modify the default one."
#: serverguide/C/virtualization.xml:679(para) serverguide/C/jeos.xml:298(para)
"In our working directory we create the template hierarchy and copy the "
#: serverguide/C/virtualization.xml:684(command) serverguide/C/jeos.xml:303(command)
msgid "mkdir -p VMBuilder/plugins/libvirt/templates"
#: serverguide/C/virtualization.xml:685(command) serverguide/C/jeos.xml:304(command)
msgid "cp /etc/vmbuilder/libvirt/* VMBuilder/plugins/libvirt/templates/"
#: serverguide/C/virtualization.xml:688(para) serverguide/C/jeos.xml:307(para)
"<filename>VMBuilder/plugins/libvirt/templates/libvirtxml.tmpl</filename> to "
#: serverguide/C/virtualization.xml:692(programlisting) serverguide/C/jeos.xml:311(programlisting)
" <interface type='network'>\n"
" <source network='default'/>\n"
" </interface>\n"
#: serverguide/C/virtualization.xml:698(para) serverguide/C/jeos.xml:317(para)
#: serverguide/C/virtualization.xml:702(programlisting)
" <interface type='bridge'>\n"
" <source bridge='br0'/>\n"
" </interface>\n"
#: serverguide/C/virtualization.xml:712(title) serverguide/C/jeos.xml:331(title) serverguide/C/installation.xml:406(title)
msgid "Partitioning"
#: serverguide/C/virtualization.xml:714(para) serverguide/C/jeos.xml:333(para)
"Partitioning of the virtual appliance will have to take into consideration "
"what you are planning to do with is. Because most appliances want to have a "
"separate storage for data, having a separate <filename>/var</filename> would "
#: serverguide/C/virtualization.xml:719(para) serverguide/C/jeos.xml:338(para)
"In order to do this vmbuilder provides us with <emphasis>--part</emphasis>:"
#: serverguide/C/virtualization.xml:723(programlisting) serverguide/C/jeos.xml:342(programlisting)
" Allows to specify a partition table in partfile each line of partfile "
" mountpoint size\n"
" where size is in megabytes. You can have up to 4 virtual disks, a new "
"disk starts on a\n"
" line with ’---’. ie :\n"
#: serverguide/C/virtualization.xml:738(para) serverguide/C/jeos.xml:357(para)
"In our case we will define a text file name "
"<filename>vmbuilder.partition</filename> which will contain the following:"
#: serverguide/C/virtualization.xml:742(programlisting) serverguide/C/jeos.xml:361(programlisting)
#: serverguide/C/virtualization.xml:750(para) serverguide/C/jeos.xml:369(para)
"Note that as we are using virtual disk images, the actual sizes that we put "
"here are maximum sizes for these volumes."
#: serverguide/C/virtualization.xml:755(para) serverguide/C/jeos.xml:374(para)
msgid "Our command line now looks like:"
#: serverguide/C/virtualization.xml:760(command) serverguide/C/jeos.xml:379(command)
"sudo vmbuilder kvm ubuntu --suite jaunty --flavour virtual --arch i386 \\ -o "
"--libvirt qemu:///system --ip 192.168.0.100 --part vmbuilder.partition"
#: serverguide/C/virtualization.xml:765(para) serverguide/C/jeos.xml:384(para)
"Using a \"\\\" in a command will allow long command strings to wrap to the "
#: serverguide/C/virtualization.xml:772(title) serverguide/C/jeos.xml:391(title)
msgid "User and Password"
#: serverguide/C/virtualization.xml:774(para) serverguide/C/jeos.xml:393(para)
"Again setting up a virtual appliance, you will need to provide a default "
"user and password that is generic so that you can include it in your "
"documentation. We will see later on in this tutorial how we will provide "
"some security by defining a script that will be run the first time a user "
"actually logs in the appliance, that will, among other things, ask him to "
"change his password. In this example I will use <emphasis>'user'</emphasis> "
"as my user name, and <emphasis>'default'</emphasis> as the password."
#: serverguide/C/virtualization.xml:782(para) serverguide/C/jeos.xml:401(para)
msgid "To do this we use the following optional parameters:"
#: serverguide/C/virtualization.xml:788(para) serverguide/C/jeos.xml:407(para)
"<emphasis>--user USERNAME:</emphasis> Sets the name of the user to be added. "
#: serverguide/C/virtualization.xml:793(para) serverguide/C/jeos.xml:412(para)
"<emphasis>--name FULLNAME:</emphasis> Sets the full name of the user to be "
"added. Default: Ubuntu."
#: serverguide/C/virtualization.xml:798(para) serverguide/C/jeos.xml:417(para)
"<emphasis>--pass PASSWORD:</emphasis> Sets the password for the user. "
#: serverguide/C/virtualization.xml:804(para) serverguide/C/jeos.xml:423(para)
msgid "Our resulting command line becomes:"
#: serverguide/C/virtualization.xml:809(command) serverguide/C/jeos.xml:428(command)
"sudo vmbuilder kvm ubuntu --suite intrepid --flavour virtual --arch i386 \\ -"
"o --libvirt qemu:///system --ip 192.168.0.100 --part vmbuilder.partition \\ -"
"-user user --name user --pass default"
#: serverguide/C/virtualization.xml:817(title) serverguide/C/jeos.xml:436(title)
msgid "Installing Required Packages"
#: serverguide/C/virtualization.xml:819(para) serverguide/C/jeos.xml:438(para)
"In this example we will be installing a package "
"<application>(Limesurvey)</application> that accesses a "
"<application>MySQL</application> database and has a web interface. We will "
"therefore require our OS to provide us with:"
#: serverguide/C/virtualization.xml:826(para) serverguide/C/jeos.xml:445(para)
#: serverguide/C/virtualization.xml:827(para) serverguide/C/jeos.xml:446(para)
#: serverguide/C/virtualization.xml:828(para) serverguide/C/jeos.xml:447(para) serverguide/C/databases.xml:19(trademark) serverguide/C/databases.xml:31(title)
#: serverguide/C/virtualization.xml:829(para) serverguide/C/remote-administration.xml:20(title) serverguide/C/jeos.xml:448(para)
msgid "OpenSSH Server"
#: serverguide/C/virtualization.xml:830(para) serverguide/C/jeos.xml:449(para)
msgid "Limesurvey (as an example application that we have packaged)"
#: serverguide/C/virtualization.xml:833(para) serverguide/C/jeos.xml:452(para)
"This is done using vmbuilder by specifying the --addpkg command multiple "
#: serverguide/C/virtualization.xml:837(programlisting) serverguide/C/jeos.xml:456(programlisting)
" Install PKG into the guest (can be specfied multiple times)\n"
#: serverguide/C/virtualization.xml:842(para) serverguide/C/jeos.xml:461(para)
"However, due to the way vmbuilder operates, packages that have to ask "
"questions to the user during the post install phase are not supported and "
"should instead be installed while interactivity can occur. This is the case "
"of Limesurvey, which we will have to install later, once the user logs in."
#: serverguide/C/virtualization.xml:848(para) serverguide/C/jeos.xml:467(para)
"Other packages that ask simple debconf question, such as <application>mysql-"
"server</application> asking to set a password, the package can be installed "
"immediately, but we will have to reconfigure it the first time the user logs "
#: serverguide/C/virtualization.xml:854(para) serverguide/C/jeos.xml:473(para)
"If some packages that we need to install are not in main, we need to enable "
"the additional repositories using --comp and --ppa:"
#: serverguide/C/virtualization.xml:858(programlisting) serverguide/C/jeos.xml:477(programlisting)
"--components COMP1,COMP2,...,COMPN\n"
" A comma separated list of distro components to include (e.g. "
"main,universe). This defaults\n"
"--ppa=PPA Add ppa belonging to PPA to the vm's sources.list.\n"
#: serverguide/C/virtualization.xml:865(para) serverguide/C/jeos.xml:484(para)
"Limesurvey not being part of the archive at the moment, we'll specify it's "
"PPA (personal package archive) address so that it is added to the VM "
"<filename>/etc/apt/source.list</filename>, so we add the following options "
"to the command line:"
#: serverguide/C/virtualization.xml:871(command) serverguide/C/jeos.xml:490(command)
"--addpkg apache2 --addpkg apache2-mpm-prefork --addpkg apache2-utils --"
"addpkg apache2.2-common \\ --addpkg dbconfig-common --addpkg libapache2-mod-"
"php5 --addpkg mysql-client --addpkg php5-cli \\ --addpkg php5-gd --addpkg "
"php5-ldap --addpkg php5-mysql --addpkg wwwconfig-common \\ --addpkg mysql-"
"server --ppa nijaba"
#: serverguide/C/virtualization.xml:878(title) serverguide/C/jeos.xml:497(title)
#: serverguide/C/virtualization.xml:880(para)
"Another convenient tool that we want to have on our appliance is OpenSSH, as "
"it will allow our admins to access the appliance remotely. However, pushing "
"in the wild an appliance with a pre-installed OpenSSH server is a big "
"security risk as all these server will share the same secret key, making it "
"very easy for hackers to target our appliance with all the tools they need "
"to crack it open in a breeze. As for the user password, we will instead rely "
"on a script that will install OpenSSH the first time a user logs in so that "
"the key generated will be different for each appliance. For this we'll use a "
"<emphasis>--firstboot</emphasis> script, as it does not need any user "
#: serverguide/C/virtualization.xml:892(title) serverguide/C/jeos.xml:511(title)
msgid "Speed Considerations"
#: serverguide/C/virtualization.xml:895(title) serverguide/C/jeos.xml:514(title)
msgid "Package Caching"
#: serverguide/C/virtualization.xml:897(para) serverguide/C/jeos.xml:516(para)
"When vmbuilder creates builds your system, it has to go fetch each one of "
"the packages that composes it over the network to one of the official "
"repositories, which, depending on your internet connection speed and the "
"load of the mirror, can have a big impact on the actual build time. In order "
"to reduce this, it is recommended to either have a local repository (which "
"can be created using <application>apt-mirror</application>) or using a "
"caching proxy such as <application>apt-cache</application>. The later option "
"being much simpler to implement and requiring less disk space, it is the one "
"we will pick in this tutorial. To install it, simply type:"
#: serverguide/C/virtualization.xml:907(command) serverguide/C/jeos.xml:526(command)
msgid "sudo apt-get install apt-proxy"
#: serverguide/C/virtualization.xml:910(para) serverguide/C/jeos.xml:529(para)
"Once this is complete, your (empty) proxy is ready for use on "
"http://mirroraddress:9999 and will find ubuntu repository under /ubuntu. For "
"vmbuilder to use it, we'll have to use the <emphasis>--mirror</emphasis> "
#: serverguide/C/virtualization.xml:915(programlisting) serverguide/C/jeos.xml:534(programlisting)
"--mirror=URL Use Ubuntu mirror at URL instead of the default, which\n"
" is http://archive.ubuntu.com/ubuntu for official\n"
" arches and http://ports.ubuntu.com/ubuntu-ports\n"
#: serverguide/C/virtualization.xml:922(para) serverguide/C/jeos.xml:541(para)
msgid "So we add to the command line:"
#: serverguide/C/virtualization.xml:927(command) serverguide/C/jeos.xml:546(command)
msgid "--mirror http://mirroraddress:9999/ubuntu"
#: serverguide/C/virtualization.xml:931(para) serverguide/C/jeos.xml:550(para)
"The mirror address specified here will also be used in the "
"<filename>/etc/apt/source.list</filename> of the newly created guest, so it "
"is usefull to specify here an address that can be resolved by the guest or "
"to plan on reseting this address later on, such as in a <emphasis>--"
"firstboot</emphasis> script."
#: serverguide/C/virtualization.xml:940(title) serverguide/C/jeos.xml:559(title)
msgid "Install a Local Mirror"
#: serverguide/C/virtualization.xml:942(para) serverguide/C/jeos.xml:561(para)
"If we are in a larger environment, it may make sense to setup a local mirror "
"of the Ubuntu repositories. The package apt-mirror provides you with a "
"script that will handle the mirroring for you. You should plan on having "
"about 20 gigabyte of free space per supported release and architecture."
#: serverguide/C/virtualization.xml:948(para) serverguide/C/jeos.xml:567(para)
"By default, <application>apt-mirror</application> uses the configuration "
"file in <filename>/etc/apt/mirror.list</filename>. As it is set up, it will "
"replicate only the architecture of the local machine. If you would like to "
"support other architectures on your mirror, simply duplicate the lines "
"starting with “deb”, replacing the deb keyword by /deb-{arch} where arch can "
"be i386, amd64, etc... For example, on an amd64 machine, to have the i386 "
"archives as well, you will have:"
#: serverguide/C/virtualization.xml:955(programlisting) serverguide/C/jeos.xml:574(programlisting)
"deb http://archive.ubuntu.com/ubuntu jaunty main restricted universe "
"/deb-i386 http://archive.ubuntu.com/ubuntu jaunty main restricted universe "
"deb http://archive.ubuntu.com/ubuntu jaunty-updates main restricted "
"universe multiverse \n"
"/deb-i386 http://archive.ubuntu.com/ubuntu jaunty-updates main restricted "
"universe multiverse \n"
"deb http://archive.ubuntu.com/ubuntu/ jaunty-backports main restricted "
"universe multiverse \n"
"/deb-i386 http://archive.ubuntu.com/ubuntu jaunty-backports main restricted "
"universe multiverse \n"
"deb http://security.ubuntu.com/ubuntu jaunty-security main restricted "
"universe multiverse \n"
"/deb-i386 http://security.ubuntu.com/ubuntu jaunty-security main restricted "
"universe multiverse \n"
"deb http://archive.ubuntu.com/ubuntu jaunty main/debian-installer "
"restricted/debian-installer universe/debian-installer multiverse/debian-"
"/deb-i386 http://archive.ubuntu.com/ubuntu jaunty main/debian-installer "
"restricted/debian-installer universe/debian-installer multiverse/debian-"
#: serverguide/C/virtualization.xml:972(para) serverguide/C/jeos.xml:591(para)
"Notice that the source packages are not mirrored as they are seldom used "
"compared to the binaries and they do take a lot more space, but they can be "
"easily added to the list."
#: serverguide/C/virtualization.xml:977(para) serverguide/C/jeos.xml:596(para)
"Once the mirror has finished replicating (and this can be quite long), you "
"need to configure Apache so that your mirror files (in "
"<filename>/var/spool/apt-mirror</filename> if you did not change the "
"default), are published by your Apache server. For more information on "
"Apache see <xref linkend=\"httpd\"/>."
#: serverguide/C/virtualization.xml:986(title) serverguide/C/jeos.xml:605(title)
msgid "Installing in a RAM Disk"
#: serverguide/C/virtualization.xml:988(para) serverguide/C/jeos.xml:607(para)
"As you can easily imagine, writing to RAM is a <emphasis>LOT</emphasis> "
"faster than writing to disk. If you have some free memory, letting vmbuilder "
"perform its operation in a RAMdisk will help a lot and the option <emphasis>-"
"-tmpfs</emphasis> will help you do just that:"
#: serverguide/C/virtualization.xml:994(programlisting) serverguide/C/jeos.xml:613(programlisting)
"--tmpfs OPTS Use a tmpfs as the working directory, specifying its\n"
" size or \"-\" to use tmpfs default (suid,dev,size=1G).\n"
#: serverguide/C/virtualization.xml:999(para) serverguide/C/jeos.xml:618(para)
"So adding <command>--tmpfs -</command> sounds like a very good idea if you "
"have 1G of free ram."
#: serverguide/C/virtualization.xml:1006(title) serverguide/C/jeos.xml:625(title)
msgid "Package the Application"
#: serverguide/C/virtualization.xml:1008(para) serverguide/C/jeos.xml:627(para)
msgid "Two option are available to us:"
#: serverguide/C/virtualization.xml:1014(para) serverguide/C/jeos.xml:633(para)
"The recommended method to do so is to make a <emphasis>Debian</emphasis> "
"package. Since this is outside of the scope of this tutorial, we will not "
"perform this here and invite the reader to read the documentation on how to "
"do this in the <ulink url=\"https://wiki.ubuntu.com/PackagingGuide\">Ubuntu "
"Packaging Guide</ulink>. In this case it is also a good idea to setup a "
"repository for your package so that updates can be conveniently pulled from "
"it. See the <ulink url=\"http://www.debian-"
"administration.org/articles/286\">Debian Administration</ulink> article for "
"a tutorial on this."
#: serverguide/C/virtualization.xml:1023(para) serverguide/C/jeos.xml:642(para)
"Manually install the application under <filename>/opt</filename> as "
"recommended by the <ulink url=\"http://www.pathname.com/fhs/\">FHS "
"guidelines</ulink>."
#: serverguide/C/virtualization.xml:1030(para) serverguide/C/jeos.xml:649(para)
"In our case we'll use <application>Limesurvey</application> as example web "
"application for which we wish to provide a virtual appliance. As noted "
"before, we've made a version of the package available in a PPA (Personal "
#: serverguide/C/virtualization.xml:1037(title) serverguide/C/jeos.xml:656(title)
msgid "Finishing Install"
#: serverguide/C/virtualization.xml:1040(title) serverguide/C/jeos.xml:659(title)
#: serverguide/C/virtualization.xml:1042(para) serverguide/C/jeos.xml:661(para)
"As we mentioned earlier, the first time the machine boots we'll need to "
"install <application>openssh-server</application> so that the key generated "
"for it is unique for each machine. To do this, we'll write a script called "
"<filename>boot.sh</filename> as follows:"
#: serverguide/C/virtualization.xml:1048(programlisting) serverguide/C/jeos.xml:667(programlisting)
"# This script will run the first time the virtual machine boots\n"
"# It is ran as root.\n"
"apt-get install -qqy --force-yes openssh-server\n"
#: serverguide/C/virtualization.xml:1056(para) serverguide/C/jeos.xml:675(para)
"And we add the <command>--firstboot boot.sh</command> option to our command "
#: serverguide/C/virtualization.xml:1062(title) serverguide/C/jeos.xml:681(title)
#: serverguide/C/virtualization.xml:1064(para) serverguide/C/jeos.xml:683(para)
"Mysql and Limesurvey needing some user interaction during their setup, we'll "
"set them up the first time a user logs in using a script named login.sh. "
"We'll also use this script to let the user specify:"
#: serverguide/C/virtualization.xml:1070(para) serverguide/C/jeos.xml:689(para)
msgid "His own password"
#: serverguide/C/virtualization.xml:1071(para) serverguide/C/jeos.xml:690(para)
msgid "Define the keyboard and other locale info he wants to use"
#: serverguide/C/virtualization.xml:1074(para) serverguide/C/jeos.xml:693(para)
msgid "So we'll define <filename>login.sh</filename> as follows:"
#: serverguide/C/virtualization.xml:1078(programlisting) serverguide/C/jeos.xml:697(programlisting)
"# This script is ran the first time a user logs in\n"
"echo \"Your appliance is about to be finished to be set up.\"\n"
"echo \"In order to do it, we'll need to ask you a few questions,\"\n"
"echo \"starting by changing your user password.\"\n"
"#give the opportunity to change the keyboard\n"
"sudo dpkg-reconfigure console-setup\n"
"#configure the mysql server root password\n"
"sudo dpkg-reconfigure mysql-server-5.0\n"
"#install limesurvey\n"
"sudo apt-get install -qqy --force-yes limesurvey\n"
"echo \"Your appliance is now configured. To use it point your\"\n"
"echo \"browser to http://serverip/limesurvey/admin\"\n"
#: serverguide/C/virtualization.xml:1100(para) serverguide/C/jeos.xml:719(para)
"And we add the <command>--firstlogin login.sh</command> option to our "
#: serverguide/C/virtualization.xml:1107(title) serverguide/C/jeos.xml:726(title)
msgid "Useful Additions"
#: serverguide/C/virtualization.xml:1110(title) serverguide/C/jeos.xml:729(title)
msgid "Configuring Automatic Updates"
#: serverguide/C/virtualization.xml:1112(para) serverguide/C/jeos.xml:731(para)
"To have your system be configured to update itself on a regular basis, we "
"will just install <application>unattended-upgrades</application>, so we add "
"the following option to our command line:"
#: serverguide/C/virtualization.xml:1118(command) serverguide/C/jeos.xml:737(command)
msgid "--addpkg unattended-upgrades"
#: serverguide/C/virtualization.xml:1121(para) serverguide/C/jeos.xml:740(para)
"As we have put our application package in a PPA, the process will update not "
"only the system, but also the application each time we update the version in "
#: serverguide/C/virtualization.xml:1128(title) serverguide/C/jeos.xml:747(title)
msgid "ACPI Event Handling"
#: serverguide/C/virtualization.xml:1130(para) serverguide/C/jeos.xml:749(para)
"For your virtual machine to be able to handle restart and shutdown events it "
"is being sent, it is a good idea to install the acpid package as well. To do "
"this we just add the following option:"
#: serverguide/C/virtualization.xml:1136(command) serverguide/C/jeos.xml:755(command)
msgid "--addpkg acpid"
#: serverguide/C/virtualization.xml:1142(title) serverguide/C/jeos.xml:761(title)
msgid "Final Command"
#: serverguide/C/virtualization.xml:1144(para) serverguide/C/jeos.xml:763(para)
msgid "Here is what the command with all the options discussed above:"
#: serverguide/C/virtualization.xml:1149(command) serverguide/C/jeos.xml:768(command)
"sudo vmbuilder kvm ubuntu --suite intrepid --flavour virtual --arch i386 -o "
"\\ --libvirt qemu:///system --ip 192.168.0.100 --part vmbuilder.partition --"
"user user \\ --name user --pass default --addpkg apache2 --addpkg apache2-"
"mpm-prefork \\ --addpkg apache2-utils --addpkg apache2.2-common --addpkg "
"dbconfig-common \\ --addpkg libapache2-mod-php5 --addpkg mysql-client --"
"addpkg php5-cli \\ --addpkg php5-gd --addpkg php5-ldap --addpkg php5-mysql --"
"addpkg wwwconfig-common \\ --addpkg mysql-server --addpkg unattended-"
"upgrades --addpkg acpid --ppa nijaba \\ --mirror "
"http://mirroraddress:9999/ubuntu --tmpfs - --firstboot boot.sh \\ --"
"firstlogin login.sh es"
#: serverguide/C/virtualization.xml:1164(para) serverguide/C/jeos.xml:783(para)
"If you are interested in learning more, have questions or suggestions, "
"please contact the Ubuntu Server Team at:"
#: serverguide/C/virtualization.xml:1169(para) serverguide/C/jeos.xml:788(para)
msgid "IRC: #ubuntu-server on freenode"
#: serverguide/C/virtualization.xml:1174(para) serverguide/C/jeos.xml:793(para)
"Mailing list: <ulink url=\"https://lists.ubuntu.com/mailman/listinfo/ubuntu-"
"server\">ubuntu-server at lists.ubuntu.com</ulink>"
#: serverguide/C/virtualization.xml:1182(title)
#: serverguide/C/virtualization.xml:1185(title) serverguide/C/network-auth.xml:1670(title) serverguide/C/lamp-applications.xml:17(title) serverguide/C/installation.xml:878(title) serverguide/C/dns.xml:64(title) serverguide/C/chat.xml:17(title) serverguide/C/backups.xml:541(title)
#: serverguide/C/virtualization.xml:1187(para)
"<emphasis>Eucalyptus</emphasis> is an open-source software infrastructure "
"for implementing \"cloud computing\" on your own clusters. "
"<emphasis>Eucalyptus</emphasis> allows you to create your own cloud "
"computing environment in order to maximize computing resources and provide a "
"cloud computing environment to your users."
#: serverguide/C/virtualization.xml:1193(para)
"This section will cover setting up a Cloud Computing environment using "
"<application>Eucalyptus</application> with <application>KVM</application>. "
"For more information on KVM see <xref linkend=\"libvirt\"/>."
#: serverguide/C/virtualization.xml:1198(para)
"The Cloud Computing environment will consist of three components, typically "
"installed on at least two separate machines (termed the 'front-end' and "
"'node(s)' for the rest of this document):"
#: serverguide/C/virtualization.xml:1205(para)
"<emphasis>One Front-End:</emphasis> hosts one Cloud Controller, a Java based "
"Web configuration interface, and a Cluster Controller, which determines "
"where virtual machines (VMs) will be housed and manages cluster level VM "
#: serverguide/C/virtualization.xml:1211(para)
"<emphasis>One or more Compute Nodes:</emphasis> runs the Node Controller "
"component of Eucalyptus, which allows the machine to be part of the cloud as "
#: serverguide/C/virtualization.xml:1218(para)
"The simple <emphasis>System</emphasis> networking option will be used by "
"default. This network method allows virtual machine instances, to obtain IP "
"addresses from the local LAN, assuming that a DHCP server is properly "
"configured on the LAN to hand out IPs dynamically to VMs that request them. "
"Each node will be configured for bridge networking. For more details see "
"<xref linkend=\"bridging\"/>."
#: serverguide/C/virtualization.xml:1228(para)
"First, on the <emphasis>Front-End</emphasis> install the appropriate "
"packages. In a terminal prompt on the Front-End enter:"
#: serverguide/C/virtualization.xml:1233(command)
msgid "sudo apt-get install eucalyptus-cloud eucalyptus-cc"
#: serverguide/C/virtualization.xml:1236(para)
"Next, on the each <emphasis>Compute Node</emphasis> install the node "
"controller package. In a terminal prompt on each Compute Node enter:"
#: serverguide/C/virtualization.xml:1241(command)
msgid "sudo apt-get install eucalyptus-nc"
#: serverguide/C/virtualization.xml:1244(para)
"Once the installation is complete, and it may take a while, in a browser go "
"to <emphasis>https://front-end:8443</emphasis> and login to the "
"administration interface using the default username and password of "
"<emphasis>admin</emphasis>. You will then be prompted to change the "
"password, configure an email address for the admin user, and set the storage "
#: serverguide/C/virtualization.xml:1250(para)
"In the web interface's <emphasis>\"Configuration\"</emphasis> tab, add a "
"cluster under the <emphasis>\"Clusters\"</emphasis> heading (in this "
"configuration, the cluster controller is on the same system as the cloud "
"controller, so entering 'localhost' as the cluster hostname is correct). "
"Once the form is filled out click the <emphasis>\"Add Cluster\"</emphasis> "
#: serverguide/C/virtualization.xml:1256(para)
"Now, back on the <emphasis>Front-End</emphasis>, add the nodes to the "
#: serverguide/C/virtualization.xml:1261(command)
msgid "sudo euca_conf -addnode hostname_of_node"
#: serverguide/C/virtualization.xml:1264(para)
"You will then be prompted to log into your Node, install the "
"<application>eucalyptus-nc</application> package, and add the "
"<emphasis>eucalyptus</emphasis> user's ssh key to the node's "
"<filename>authorized_keys</filename> file, and confirm authenticity of the "
"host's OpenSSH RSA key fingerprint. Finally, the command will complete by "
"synchronizing the eucalyptus component keys and node registration is "
#: serverguide/C/virtualization.xml:1270(para)
"On the Node, the <filename>/etc/eucalyptus/eucalyptus.conf</filename> "
"configuration file will need editing to use your node's bridge interface "
"(assuming here that the interface is named <emphasis>'br0'</emphasis>):"
#: serverguide/C/virtualization.xml:1275(programlisting)
"VNET_INTERFACE=\"br0\"\n"
"VNET_BRIDGE=\"br0\"\n"
#: serverguide/C/virtualization.xml:1281(para)
msgid "Finally, restart <application>eucalyptus-nc</application>:"
#: serverguide/C/virtualization.xml:1286(command)
msgid "sudo /etc/init.d/eucalyptus-nc restart"
#: serverguide/C/virtualization.xml:1291(para)
"Be sure to replace <emphasis>nodecontroller</emphasis>, "
"<emphasis>node01</emphasis>, and <emphasis>node02</emphasis> with actual "
#: serverguide/C/virtualization.xml:1297(para)
"<application>Eucalyptus</application> is now ready to host images on the "
#: serverguide/C/virtualization.xml:1307(para)
"See the <ulink url=\"http://eucalyptus.cs.ucsb.edu/\">Eucalyptus "
"website</ulink> for more information."
#: serverguide/C/virtualization.xml:1312(para)
"For information on loading instances see the <ulink "
"url=\"https://help.ubuntu.com/community/Eucalyptus\">Eucalyptus Wiki</ulink> "
#: serverguide/C/virtualization.xml:1317(para)
"You can also find help in the <emphasis>#ubuntu-virt</emphasis>, "
"<emphasis>#eucalyptus</emphasis>, and <emphasis>#ubuntu-server</emphasis> "
"IRC channels on <ulink url=\"http://freenode.net\">Freenode</ulink>."
#: serverguide/C/virtualization.xml:1327(title)
#: serverguide/C/virtualization.xml:1329(para)
"<application>OpenNebula</application> allows virtual machines to be placed "
"and re-placed dynamically on a pool of physical resources. This allows a "
"virtual machine to be hosted from any location available."
#: serverguide/C/virtualization.xml:1334(para)
"This section will detail configuring an OpenNebula cluster using three "
"machines: one <emphasis>Front-End</emphasis> host, and two <emphasis>Compute "
"Nodes</emphasis> used to run the virtual machines. The Compute Nodes will "
"also need a bridge configured to allow the virtual machines access to the "
"local network. For details see <xref linkend=\"bridging\"/>."
#: serverguide/C/virtualization.xml:1343(para)
msgid "First, from a terminal on the Front-End enter:"
#: serverguide/C/virtualization.xml:1348(command)
msgid "sudo apt-get install opennebula"
#: serverguide/C/virtualization.xml:1351(para)
msgid "On each Compute Node install:"
#: serverguide/C/virtualization.xml:1356(command)
msgid "sudo apt-get install opennebula-node"
#: serverguide/C/virtualization.xml:1359(para)
"In order to copy SSH keys, the <emphasis>oneadmin</emphasis> user will need "
"to have a password. On each machine execute:"
#: serverguide/C/virtualization.xml:1364(command)
msgid "sudo passwd oneadmin"
#: serverguide/C/virtualization.xml:1367(para)
"Next, copy the <emphasis>oneadmin</emphasis> user's SSH key to the Compute "
"Nodes, and to the Front-End's <filename>authorized_keys</filename> file:"
#: serverguide/C/virtualization.xml:1372(command)
"sudo scp /var/lib/one/.ssh/id_rsa.pub "
"oneadmin@node01:/var/lib/one/.ssh/authorized_keys"
#: serverguide/C/virtualization.xml:1373(command)
"sudo scp /var/lib/one/.ssh/id_rsa.pub "
"oneadmin@node02:/var/lib/one/.ssh/authorized_keys"
#: serverguide/C/virtualization.xml:1374(command)
"sudo sh -c \"cat /var/lib/one/.ssh/id_rsa.pub >> "
"/var/lib/one/.ssh/authorized_keys\""
#: serverguide/C/virtualization.xml:1377(para)
"The SSH key for the Compute Nodes needs to be added to the "
"<filename>/etc/ssh/ssh_known_hosts</filename> file on the Front-End host. To "
"accomplish this <application>ssh</application> to each Compute Node as a "
"user other than <emphasis>oneadmin</emphasis>. Then exit from the SSH "
"session, and execute the following to copy the SSH key from "
"<filename>~/.ssh/known_hosts</filename> to "
"<filename>/etc/ssh/ssh_known_hosts</filename>:"
#: serverguide/C/virtualization.xml:1384(command)
"sudo sh -c \"ssh-keygen -f .ssh/known_hosts -F node01 1>> "
"/etc/ssh/ssh_known_hosts\""
#: serverguide/C/virtualization.xml:1385(command)
"sudo sh -c \"ssh-keygen -f .ssh/known_hosts -F node02 1>> "
"/etc/ssh/ssh_known_hosts\""
#: serverguide/C/virtualization.xml:1389(para)
"Replace <emphasis>node01</emphasis> and <emphasis>node02</emphasis> with the "
"appropriate host names."
#: serverguide/C/virtualization.xml:1394(para)
"This allows the <emphasis>oneadmin</emphasis> to use "
"<application>scp</application>, without a password or manual intervention, "
"to deploy an image to the Compute Nodes."
#: serverguide/C/virtualization.xml:1399(para)
"On the Front-End create a directory to store the VM images, giving the "
"<emphasis>oneadmin</emphasis> user access to the directory:"
#: serverguide/C/virtualization.xml:1404(command)
msgid "sudo mkdir /var/lib/one/images"
#: serverguide/C/virtualization.xml:1405(command)
msgid "sudo chown oneadmin /var/lib/one/images/"
#: serverguide/C/virtualization.xml:1408(para)
"Finally, copy a virtual machine disk file into "
"<filename>/var/lib/one/images</filename>. You can create an Ubuntu virtual "
"machine using <application>vmbuilder</application>, see <xref linkend=\"jeos-"
"and-vmbuilder\"/> for details."
#: serverguide/C/virtualization.xml:1417(para)
"The <emphasis>OpenNebula Cluster</emphasis> is now ready to be configured, "
"and virtual machines added to the cluster."
#: serverguide/C/virtualization.xml:1421(para)
msgid "From a terminal prompt enter:"
#: serverguide/C/virtualization.xml:1426(command)
msgid "onehost create node01 im_kvm vmm_kvm tm_ssh"
#: serverguide/C/virtualization.xml:1427(command)
msgid "onehost create node02 im_kvm vmm_kvm tm_ssh"
#: serverguide/C/virtualization.xml:1430(para)
"Next, create a <emphasis>Virtual Network</emphasis> template file named "
"<filename>vnet01.template</filename>:"
#: serverguide/C/virtualization.xml:1434(programlisting)
"NETWORK_SIZE = C\n"
"NETWORK_ADDRESS = 192.168.0.0\n"
#: serverguide/C/virtualization.xml:1443(para)
"Be sure to change <emphasis>192.168.0.0</emphasis> to your local network."
#: serverguide/C/virtualization.xml:1448(para)
"Using the <application>onevnet</application> utility, add the virtual "
"network to OpenNebula:"
#: serverguide/C/virtualization.xml:1453(command)
msgid "onevnet create vnet01.template"
#: serverguide/C/virtualization.xml:1456(para)
"Now create a <emphasis>VM Template</emphasis> file named "
"<filename>vm01.template</filename>:"
#: serverguide/C/virtualization.xml:1460(programlisting)
"OS = [ BOOT = hd ]\n"
" source = \"/var/lib/one/images/vm01.qcow2\",\n"
" target = \"hda\",\n"
" readonly = \"no\" ]\n"
"NIC = [ NETWORK=\"LAN\" ]\n"
"GRAPHICS = [type=\"vnc\",listen=\"127.0.0.1\",port=\"-1\"]\n"
#: serverguide/C/virtualization.xml:1477(para)
msgid "Start the virtual machine using <application>onevm</application>:"
#: serverguide/C/virtualization.xml:1482(command)
msgid "onevm submit vm01.template"
#: serverguide/C/virtualization.xml:1485(para)
"Use the <application>onevm list</application> option to view information "
"about virtual machines. Also, the <application>onevm show vm01</application> "
"option will display more details about a specific virtual machine."
#: serverguide/C/virtualization.xml:1496(para)
"url=\"http://www.opennebula.org/doku.php?id=start\">OpenNebula website</ulink"
"> for more information."
#: serverguide/C/virtualization.xml:1501(para)
"You can also find help in the <emphasis>#ubuntu-virt</emphasis> and "
"<emphasis>#ubuntu-server</emphasis> IRC channels on <ulink "
"url=\"http://freenode.net\">Freenode</ulink>."
#: serverguide/C/vcs.xml:13(title)
msgid "Version Control System"
#: serverguide/C/vcs.xml:14(para)
"Version control is the art of managing changes to information. It has long "
"been a critical tool for programmers, who typically spend their time making "
"small changes to software and then undoing those changes the next day. But "
"the usefulness of version control software extends far beyond the bounds of "
"the software development world. Anywhere you can find people using computers "
"to manage information that changes often, there is room for version control."
#: serverguide/C/vcs.xml:17(title)
#: serverguide/C/vcs.xml:18(para)
"Bazaar is a new version control system sponsored by Canonical, the "
"commercial company behind Ubuntu. Unlike Subversion and CVS that only "
"support a central repository model, Bazaar also supports "
"<emphasis>distributed version control</emphasis>, giving people the ability "
"to collaborate more efficiently. In particular, Bazaar is designed to "
"maximize the level of community participation in open source projects."
#: serverguide/C/vcs.xml:29(para)
"At a terminal prompt, enter the following command to install "
"<application>bzr</application>: <screen>\n"
"<command>sudo apt-get install bzr</command>\n"
#: serverguide/C/vcs.xml:40(para)
"To introduce yourself to <application>bzr</application>, use the "
"<emphasis>whoami</emphasis> command like this: <screen>\n"
"<command>$ bzr whoami 'Joe Doe <joe.doe@gmail.com>'</command>\n"
#: serverguide/C/vcs.xml:49(title)
msgid "Learning Bazaar"
#: serverguide/C/vcs.xml:50(para)
"Bazaar comes with bundled documentation installed into "
"<application>/usr/share/doc/bzr/html</application> by default. The tutorial "
"is a good place to start. The <application>bzr</application> command also "
"comes with built-in help: <screen>\n"
"<command>$ bzr help</command>\n"
#: serverguide/C/vcs.xml:60(para)
"To learn more about the <emphasis>foo</emphasis> command: <screen>\n"
"<command>$ bzr help foo</command>\n"
#: serverguide/C/vcs.xml:68(title)
msgid "Launchpad Integration"
#: serverguide/C/vcs.xml:69(para)
"While highly useful as a stand-alone system, Bazaar has good, optional "
"integration with <ulink url=\"https://launchpad.net/\">Launchpad</ulink>, "
"the collaborative development system used by Canonical and the broader open "
"source community to manage and extend Ubuntu itself. For information on how "
"Bazaar can be used with Launchpad to collaborate on open source projects, "
"see <ulink url=\"http://bazaar-vcs.org/LaunchpadIntegration/\"> "
"http://bazaar-vcs.org/LaunchpadIntegration</ulink>."
#: serverguide/C/vcs.xml:81(title)
#: serverguide/C/vcs.xml:82(para)
"Subversion is an open source version control system. Using Subversion, you "
"can record the history of source files and documents. It manages files and "
"directories over time. A tree of files is placed into a central repository. "
"The repository is much like an ordinary file server, except that it "
"remembers every change ever made to files and directories."
#: serverguide/C/vcs.xml:87(para)
"To access Subversion repository using the HTTP protocol, you must install "
"and configure a web server. Apache2 is proven to work with Subversion. "
"Please refer to the HTTP subsection in the Apache2 section to install and "
"configure Apache2. To access the Subversion repository using the HTTPS "
"protocol, you must install and configure a digital certificate in your "
"Apache 2 web server. Please refer to the HTTPS subsection in the Apache2 "
"section to install and configure the digital certificate."
#: serverguide/C/vcs.xml:96(para)
"To install Subversion, run the following command from a terminal prompt:"
#: serverguide/C/vcs.xml:101(command)
msgid "sudo apt-get install subversion libapache2-svn"
#: serverguide/C/vcs.xml:107(title)
msgid "Server Configuration"
msgstr "Serverio Konfigūracija"
#: serverguide/C/vcs.xml:108(para)
"This step assumes you have installed above mentioned packages on your "
"system. This section explains how to create a Subversion repository and "
"access the project."
#: serverguide/C/vcs.xml:111(title)
msgid "Create Subversion Repository"
#: serverguide/C/vcs.xml:112(para)
"The Subversion repository can be created using the following command from a "
#: serverguide/C/vcs.xml:116(command)
msgid "svnadmin create /path/to/repos/project"
#: serverguide/C/vcs.xml:121(title)
msgid "Importing Files"
#: serverguide/C/vcs.xml:122(para)
"Once you create the repository you can <emphasis>import</emphasis> files "
"into the repository. To import a directory, enter the following from a "
"terminal prompt: <screen>\n"
"<command>svn import /path/to/import/directory "
"file:///path/to/repos/project</command>\n"
#: serverguide/C/vcs.xml:134(title) serverguide/C/vcs.xml:139(title)
msgid "Access Methods"
#: serverguide/C/vcs.xml:135(para)
"Subversion repositories can be accessed (checked out) through many different "
"methods --on local disk, or through various network protocols. A repository "
"location, however, is always a URL. The table describes how different URL "
"schemes map to the available access methods."
#: serverguide/C/vcs.xml:146(para)
#: serverguide/C/vcs.xml:147(para)
msgid "Access Method"
msgstr "Prieigos Metodas"
#: serverguide/C/vcs.xml:152(para)
#: serverguide/C/vcs.xml:153(para)
msgid "direct repository access (on local disk)"
#: serverguide/C/vcs.xml:156(para)
#: serverguide/C/vcs.xml:157(para)
msgid "Access via WebDAV protocol to Subversion-aware Apache2 web server"
#: serverguide/C/vcs.xml:160(para)
#: serverguide/C/vcs.xml:161(para)
msgid "Same as http://, but with SSL encryption"
#: serverguide/C/vcs.xml:164(para)
#: serverguide/C/vcs.xml:165(para)
msgid "Access via custom protocol to an svnserve server"
#: serverguide/C/vcs.xml:168(para)
#: serverguide/C/vcs.xml:169(para)
msgid "Same as svn://, but through an SSH tunnel"
#: serverguide/C/vcs.xml:175(para)
"In this section, we will see how to configure Subversion for all these "
"access methods. Here, we cover the basics. For more advanced usage details, "
"refer to the <ulink url=\"http://svnbook.red-bean.com/\">svn book</ulink>."
#: serverguide/C/vcs.xml:182(title)
msgid "Direct repository access (file://)"
#: serverguide/C/vcs.xml:183(para)
"This is the simplest of all access methods. It does not require any "
"Subversion server process to be running. This access method is used to "
"access Subversion from the same machine. The syntax of the command, entered "
"at a terminal prompt, is as follows:"
#: serverguide/C/vcs.xml:190(command)
msgid "svn co file:///path/to/repos/project"
#: serverguide/C/vcs.xml:193(para)
#: serverguide/C/vcs.xml:196(command)
msgid "svn co file://localhost/path/to/repos/project"
#: serverguide/C/vcs.xml:200(para)
"If you do not specify the hostname, there are three forward slashes (///) -- "
"two for the protocol (file, in this case) plus the leading slash in the "
"path. If you specify the hostname, you must use two forward slashes (//)."
#: serverguide/C/vcs.xml:202(para)
"The repository permissions depend on filesystem permissions. If the user has "
"read/write permission, he can checkout from and commit to the repository."
#: serverguide/C/vcs.xml:205(title)
msgid "Access via WebDAV protocol (http://)"
#: serverguide/C/vcs.xml:206(para)
"To access the Subversion repository via WebDAV protocol, you must configure "
"your Apache 2 web server. You must add the following snippet in your "
"<filename>/etc/apache2/apache2.conf</filename> file:"
#: serverguide/C/vcs.xml:208(programlisting)
" <Location /svn>\n"
" SVNParentPath /home/svn\n"
" AuthName \"Your repository name\"\n"
" AuthUserFile /etc/subversion/passwd\n"
" <LimitExcept GET PROPFIND OPTIONS REPORT>\n"
" Require valid-user\n"
" </LimitExcept>\n"
" </Location> "
#: serverguide/C/vcs.xml:219(para)
"The above configuration snippet assumes that Subversion repositories are "
"created under <filename>/home/svn/</filename> directory using "
"<command>svnadmin</command> command. They can be accessible using "
"<command>htpp://hostname/svn/repos_name</command> url."
#: serverguide/C/vcs.xml:225(para)
"To import or commit files to your Subversion repository over HTTP, the "
"repository should be owned by the HTTP user. In Ubuntu systems, normally the "
"HTTP user is <command>www-data</command>. To change the ownership of the "
"repository files enter the following command from terminal prompt:"
#: serverguide/C/vcs.xml:234(command)
msgid "sudo chown -R www-data:www-data /path/to/repos"
#: serverguide/C/vcs.xml:237(para)
"By changing the ownership of repository as <command>www-data</command> you "
5363
"will not be able to import or commit files into the repository by running "
5364
"<command>svn import file:///</command> command as any user other than "
5365
"<command>www-data</command>."
5368
#: serverguide/C/vcs.xml:246(para)
5370
"Next, you must create the <filename>/etc/subversion/passwd</filename> file "
5371
"that will contain user authentication details. To create a file issue the "
5372
"following command at a command prompt (which will create the file and add "
5376
#: serverguide/C/vcs.xml:252(command)
5377
msgid "sudo htpasswd -c /etc/subversion/passwd user_name"
#: serverguide/C/vcs.xml:255(para)
"To add additional users omit the <emphasis>\"-c\"</emphasis> option as this "
"option replaces the old file. Instead use this form:"
#: serverguide/C/vcs.xml:260(command)
msgid "sudo htpasswd /etc/subversion/password user_name"
#: serverguide/C/vcs.xml:264(para)
"This command will prompt you to enter the password. Once you enter the "
"password, the user is added. Now, to access the repository you can run the "
"following command:"
#: serverguide/C/vcs.xml:265(command)
msgid "svn co http://servername/svn"
#: serverguide/C/vcs.xml:267(para)
"The password is transmitted as plain text. If you are worried about password "
"snooping, you are advised to use SSL encryption. For details, please refer "
#: serverguide/C/vcs.xml:273(title)
msgid "Access via WebDAV protocol with SSL encryption (https://)"
#: serverguide/C/vcs.xml:274(para)
"Accessing Subversion repository via WebDAV protocol with SSL encryption "
"(https://) is similar to http:// except that you must install and configure "
"the digital certificate in your Apache2 web server."
#: serverguide/C/vcs.xml:281(para)
"You can install a digital certificate issued by a signing authority like "
"Verisign. Alternatively, you can install your own self-signed certificate."
#: serverguide/C/vcs.xml:286(para)
"This step assumes you have installed and configured a digital certificate in "
"your Apache 2 web server. Now, to access the Subversion repository, please "
"refer to the above section! The access methods are exactly the same, except "
"the protocol. You must use https:// to access the Subversion repository."
#: serverguide/C/vcs.xml:296(title)
msgid "Access via custom protocol (svn://)"
#: serverguide/C/vcs.xml:297(para)
"Once the Subversion repository is created, you can configure the access "
"control. You can edit the <filename> "
"/path/to/repos/project/conf/svnserve.conf</filename> file to configure the "
"access control. For example, to set up authentication, you can uncomment the "
"following lines in the configuration file:"
#: serverguide/C/vcs.xml:304(programlisting)
"# password-db = passwd"
#: serverguide/C/vcs.xml:307(para)
"After uncommenting the above lines, you can maintain the user list in the "
"passwd file. So, edit the file <filename>passwd </filename> in the same "
"directory and add the new user. The syntax is as follows:"
#: serverguide/C/vcs.xml:313(programlisting)
msgid "username = password"
msgstr "vartotojo vardas = slaptažodis"
#: serverguide/C/vcs.xml:314(para)
msgid "For more details, please refer to the file."
#: serverguide/C/vcs.xml:318(para)
"Now, to access Subversion via the svn:// custom protocol, either from the "
"same machine or a different machine, you can run svnserver using svnserve "
"command. The syntax is as follows:"
#: serverguide/C/vcs.xml:323(programlisting)
"$ svnserve -d --foreground -r /path/to/repos\n"
"# -d -- daemon mode\n"
"# --foreground -- run in foreground (useful for debugging)\n"
"# -r -- root of directory to serve\n"
"For more usage details, please refer to:\n"
#: serverguide/C/vcs.xml:331(para)
"Once you run this command, Subversion starts listening on default port "
"(3690). To access the project repository, you must run the following command "
"from a terminal prompt:"
#: serverguide/C/vcs.xml:334(command)
msgid "svn co svn://hostname/project project --username user_name"
#: serverguide/C/vcs.xml:337(para)
"Based on server configuration, it prompts for password. Once you are "
"authenticated, it checks out the code from Subversion repository. To "
"synchronize the project repository with the local copy, you can run the "
"<command>update</command> sub-command. The syntax of the command, entered at "
"a terminal prompt, is as follows:"
#: serverguide/C/vcs.xml:345(command)
msgid "cd project_dir ; svn update"
#: serverguide/C/vcs.xml:348(para)
"For more details about using each Subversion sub-command, you can refer to "
"the manual. For example, to learn more about the co (checkout) command, "
"please run the following command from a terminal prompt:"
#: serverguide/C/vcs.xml:352(command)
#: serverguide/C/vcs.xml:356(title)
msgid "Access via custom protocol with SSL encryption (svn+ssh://)"
#: serverguide/C/vcs.xml:357(para)
"The configuration and server process is same as in the svn:// method. For "
"details, please refer to the above section. This step assumes you have "
"followed the above step and started the Subversion server using "
"<application>svnserve</application> command."
#: serverguide/C/vcs.xml:363(para)
"It is also assumed that the ssh server is running on that machine and that "
"it is allowing incoming connections. To confirm, please try to login to that "
"machine using ssh. If you can login, everything is perfect. If you cannot "
"login, please address it before continuing further."
#: serverguide/C/vcs.xml:369(para)
"The svn+ssh:// protocol is used to access the Subversion repository using "
"SSL encryption. The data transfer is encrypted using this method. To access "
"the project repository (for example with a checkout), you must use the "
"following command syntax:"
#: serverguide/C/vcs.xml:376(command)
msgid "svn co svn+ssh://hostname/var/svn/repos/project"
#: serverguide/C/vcs.xml:380(para)
"You must use the full path (/path/to/repos/project) to access the Subversion "
"repository using this access method."
#: serverguide/C/vcs.xml:383(para)
"Based on server configuration, it prompts for password. You must enter the "
"password you use to login via ssh. Once you are authenticated, it checks out "
"the code from the Subversion repository."
#: serverguide/C/vcs.xml:394(title)
msgstr "CVS Serveris"
#: serverguide/C/vcs.xml:395(para)
"CVS is a version control system. You can use it to record the history of "
#: serverguide/C/vcs.xml:401(para)
"To install <application>CVS</application>, run the following command from a "
"terminal prompt: <screen>\n"
"<command>sudo apt-get install cvs</command>\n"
"</screen> After you install <application>cvs</application>, you should "
"install <application>xinetd</application> to start/stop the cvs server. At "
"the prompt, enter the following command to install "
"<application>xinetd</application>: <screen>\n"
"<command>sudo apt-get install xinetd</command>\n"
#: serverguide/C/vcs.xml:434(programlisting)
"service cvspserver\n"
" socket_type = stream\n"
" type = UNLISTED\n"
" server = /usr/bin/cvs\n"
" server_args = -f --allow-root /var/lib/cvs pserver\n"
#: serverguide/C/vcs.xml:450(para)
"Be sure to edit the repository if you have changed the default repository "
"(<application>/var/lib/cvs</application>) directory."
#: serverguide/C/vcs.xml:419(para)
"Once you install cvs, the repository will be automatically initialized. By "
"default, the repository resides under the "
"<application>/var/lib/cvs</application> directory. You can change this path "
"by running following command: <screen>\n"
"<command>cvs -d /your/new/cvs/repo init</command>\n"
"</screen> Once the initial repository is set up, you can configure "
"<application>xinetd</application> to start the CVS server. You can copy the "
"following lines to the <filename> /etc/xinetd.d/cvspserver</filename> file. "
"<placeholder-1/><placeholder-2/> Once you have configured "
"<application>xinetd</application> you can start the cvs server by running "
"following command: <screen>\n"
"<command>sudo /etc/init.d/xinetd restart</command>\n"
#: serverguide/C/vcs.xml:463(para)
"You can confirm that the CVS server is running by issuing the following "
#: serverguide/C/vcs.xml:470(command)
msgid "sudo netstat -tap | grep cvs"
#: serverguide/C/vcs.xml:474(para) serverguide/C/databases.xml:65(para)
"When you run this command, you should see the following line or something "
#: serverguide/C/vcs.xml:479(programlisting)
"tcp 0 0 *:cvspserver *:* LISTEN \n"
#: serverguide/C/vcs.xml:483(para)
"From here you can continue to add users, add new projects, and manage the "
#: serverguide/C/vcs.xml:488(para)
"CVS allows the user to add users independently of the underlying OS "
"installation. Probably the easiest way is to use the Linux Users for CVS, "
"although it has potential security issues. Please refer to the CVS manual "
#: serverguide/C/vcs.xml:498(title)
msgid "Add Projects"
#: serverguide/C/vcs.xml:510(para)
"You can use the CVSROOT environment variable to store the CVS root "
"directory. Once you export the CVSROOT environment variable, you can avoid "
"using -d option in the above cvs command."
#: serverguide/C/vcs.xml:522(para)
"When you add a new project, the CVS user you use must have write access to "
"the CVS repository (<application>/var/lib/cvs</application>). By default, "
"the <application>src</application> group has write access to the CVS "
"repository. So, you can add the user to this group, and he can then add and "
"manage projects in the CVS repository."
#: serverguide/C/vcs.xml:499(para)
"This section explains how to add new project to the CVS repository. Create "
"the directory and add necessary document and source files to the directory. "
"Now, run the following command to add this project to CVS repository: "
"<command>cd your/project</command>\n"
"<command>cvs -d :pserver:username@hostname.com:/var/lib/cvs import -m "
"\"Importing my project to CVS repository\" . new_project start</command>\n"
"</screen><placeholder-1/> The string <emphasis>new_project</emphasis> is a "
"vendor tag, and <emphasis>start</emphasis> is a release tag. They serve no "
"purpose in this context, but since CVS requires them, they must be present. "
#: serverguide/C/vcs.xml:535(ulink)
msgid "Bazaar Home Page"
#: serverguide/C/vcs.xml:536(ulink)
#: serverguide/C/vcs.xml:537(ulink)
msgid "Subversion Home Page"
msgstr "Namų Puslapio Poversijis"
#: serverguide/C/vcs.xml:538(ulink)
msgid "Subversion Book"
#: serverguide/C/vcs.xml:540(ulink)
msgstr "CVS Vadovas"
#: serverguide/C/serverguide.xml:3(title) serverguide/C/bookinfo.xml:3(title)
msgid "Credits and License"
#: serverguide/C/serverguide.xml:4(para) serverguide/C/bookinfo.xml:4(para)
"This document is maintained by the Ubuntu documentation team "
"(https://wiki.ubuntu.com/DocumentationTeam). For a list of contributors, see "
"the <ulink url=\"../../libs/C/contributors.xml\">contributors page</ulink>"
#: serverguide/C/serverguide.xml:5(para) serverguide/C/bookinfo.xml:5(para)
"This document is made available under the Creative Commons ShareAlike 2.5 "
"License (CC-BY-SA)."
#: serverguide/C/serverguide.xml:6(para) serverguide/C/bookinfo.xml:6(para)
"You are free to modify, extend, and improve the Ubuntu documentation source "
"code under the terms of this license. All derivative works must be released "
"under this license."
#: serverguide/C/serverguide.xml:8(para) serverguide/C/bookinfo.xml:8(para)
"This documentation is distributed in the hope that it will be useful, but "
"WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY "
"or FITNESS FOR A PARTICULAR PURPOSE AS DESCRIBED IN THE DISCLAIMER."
#: serverguide/C/serverguide.xml:11(para) serverguide/C/bookinfo.xml:11(para)
"A copy of the license is available here: <ulink url=\"/usr/share/ubuntu-"
"docs/libs/C/ccbysa.xml\">Creative Commons ShareAlike License</ulink>."
#: serverguide/C/serverguide.xml:14(year) serverguide/C/bookinfo.xml:14(year)
#: serverguide/C/serverguide.xml:15(ulink) serverguide/C/bookinfo.xml:15(ulink)
msgid "Ubuntu Documentation Project"
#: serverguide/C/serverguide.xml:15(holder) serverguide/C/bookinfo.xml:15(holder)
msgid "Canonical Ltd. and members of the <placeholder-1/>"
#: serverguide/C/serverguide.xml:18(publishername) serverguide/C/bookinfo.xml:18(publishername)
msgid "The Ubuntu Documentation Project"
#: serverguide/C/serverguide.xml:17(para)
"Welcome to the <emphasis>Ubuntu Server Guide</emphasis>! It contains "
"information on how to install and configure various server applications on "
"your Ubuntu system to fit your needs. It is a step-by-step, task-oriented "
"guide for configuring and customizing your system."
#: serverguide/C/security.xml:13(title)
#: serverguide/C/security.xml:14(para)
"Security should always be considered when installing, deploying, and using "
"any type of computer system. Although a fresh installation of Ubuntu is "
"relatively safe for immediate use on the Internet, it is important to have a "
"balanced understanding of your systems security posture based on how it will "
"be used after deployment."
#: serverguide/C/security.xml:17(para)
"This chapter provides an overview of security related topics as they pertain "
"to Ubuntu 9.04 Server Edition, and outlines simple measures you may use to "
"protect your server and network from any number of potential security "
#: serverguide/C/security.xml:21(title)
msgid "User Management"
#: serverguide/C/security.xml:22(para)
"User management is a critical part of maintaining a secure system. "
"Ineffective user and privilege management often lead many systems into being "
"compromised. Therefore, it is important that you understand how you can "
"protect your server through simple and effective user account management "
#: serverguide/C/security.xml:26(title)
msgid "Where is root?"
#: serverguide/C/security.xml:27(para)
"Ubuntu developers made a conscientious decision to disable the "
"administrative root account by default in all Ubuntu installations. This "
"does not mean that the root account has been deleted or that it may not be "
"accessed. It merely has been given a password which matches no possible "
"encrypted value, therefore may not log in directly by itself."
#: serverguide/C/security.xml:30(para)
"Instead, users are encouraged to make use of a tool by the name of "
"<application>sudo</application> to carry out system administrative duties. "
"<application>Sudo</application> allows an authorized user to temporarily "
"elevate their privileges using their own password instead of having to know "
"the password belonging to the root account. This simple yet effective "
"methodology provides accountability for all user actions, and gives the "
"administrator granular control over which actions a user can perform with "
#: serverguide/C/security.xml:35(para)
"If for some reason you wish to enable the root account, simply give it a "
#: serverguide/C/security.xml:39(command)
#: serverguide/C/security.xml:41(para)
"Sudo will prompt you for your password, and then ask you to supply a new "
"password for root as shown below:"
#: serverguide/C/security.xml:44(userinput)
msgid "(enter your own password)"
#: serverguide/C/security.xml:45(userinput)
msgid "(enter a new password for root)"
#: serverguide/C/security.xml:46(userinput)
msgid "(repeat new password for root)"
#: serverguide/C/security.xml:44(computeroutput)
"[sudo] password for username: <placeholder-1/>\n"
"Enter new UNIX password: <placeholder-2/>\n"
"Retype new UNIX password: <placeholder-3/>\n"
"passwd: password updated successfully"
#: serverguide/C/security.xml:51(para)
msgid "To disable the root account, use the following passwd syntax:"
#: serverguide/C/security.xml:55(command)
msgid "sudo passwd -l root"
#: serverguide/C/security.xml:59(para)
"You should read more on <application>Sudo</application> by checking out it's "
#: serverguide/C/security.xml:63(command)
#: serverguide/C/security.xml:67(para)
"By default, the initial user created by the Ubuntu installer is a member of "
"the group \"admin\" which is added to the file "
"<filename>/etc/sudoers</filename> as an authorized sudo user. If you wish to "
"give any other account full root access through "
"<application>sudo</application>, simply add them to the admin group."
#: serverguide/C/security.xml:73(title)
msgid "Adding and Deleting Users"
#: serverguide/C/security.xml:74(para)
"The process for managing local users and groups is straight forward and "
"differs very little from most other GNU/Linux operating systems. Ubuntu and "
"other Debian based distributions, encourage the use of the \"adduser\" "
"package for account management."
#: serverguide/C/security.xml:79(para)
"To add a user account, use the following syntax, and follow the prompts to "
"give the account a password and identifiable characteristics such as a full "
"name, phone number, etc."
#: serverguide/C/security.xml:83(command)
msgid "sudo adduser username"
#: serverguide/C/security.xml:87(para)
"To delete a user account and its primary group, use the following syntax:"
#: serverguide/C/security.xml:91(command)
msgid "sudo deluser username"
#: serverguide/C/security.xml:93(para)
"Deleting an account does not remove their respective home folder. It is up "
"to you whether or not you wish to delete the folder manually or keep it "
"according to your desired retention policies."
#: serverguide/C/security.xml:96(para)
"Remember, any user added later on with the same UID/GID as the previous "
"owner will now have access to this folder if you have not taken the "
"necessary precautions."
#: serverguide/C/security.xml:99(para)
"You may want to change these UID/GID values to something more appropriate, "
"such as the root account, and perhaps even relocate the folder to avoid "
#: serverguide/C/security.xml:103(command)
msgid "sudo chown -R root:root /home/username/"
#: serverguide/C/security.xml:104(command)
msgid "sudo mkdir /home/archived_users/"
#: serverguide/C/security.xml:105(command)
msgid "sudo mv /home/username /home/archived_users/"
#: serverguide/C/security.xml:109(para)
"To temporarily lock or unlock a user account, use the following syntax, "
#: serverguide/C/security.xml:113(command)
msgid "sudo passwd -l username"
#: serverguide/C/security.xml:114(command)
msgid "sudo passwd -u username"
#: serverguide/C/security.xml:118(para)
"To add or delete a personalized group, use the following syntax, "
#: serverguide/C/security.xml:122(command)
msgid "sudo addgroup groupname"
#: serverguide/C/security.xml:123(command)
msgid "sudo delgroup groupname"
#: serverguide/C/security.xml:127(para)
msgid "To add a user to a group, use the following syntax:"
#: serverguide/C/security.xml:131(command)
msgid "sudo adduser username groupname"
#: serverguide/C/security.xml:138(title)
msgid "User Profile Security"
#: serverguide/C/security.xml:139(para)
"When a new user is created, the adduser utility creates a brand new home "
"directory named <filename class=\"directory\">/home/username</filename>, "
"respectively. The default profile is modeled after the contents found in the "
"directory of <filename class=\"directory\">/etc/skel</filename>, which "
"includes all profile basics."
#: serverguide/C/security.xml:142(para)
"If your server will be home to multiple users, you should pay close "
"attention to the user home directory permissions to ensure confidentiality. "
"By default, user home directories in Ubuntu are created with world "
"read/execute permissions. This means that all users can browse and access "
"the contents of other users home directories. This may not be suitable for "
#: serverguide/C/security.xml:147(para)
"To verify your current users home directory permissions, use the following "
#: serverguide/C/security.xml:151(command) serverguide/C/security.xml:183(command)
msgid "ls -ld /home/username"
#: serverguide/C/security.xml:153(para)
"The following output shows that the directory <filename "
"class=\"directory\">/home/username</filename> has world readable permissions:"
#: serverguide/C/security.xml:156(computeroutput)
msgid "drwxr-xr-x 2 username username 4096 2007-10-02 20:03 username"
#: serverguide/C/security.xml:160(para)
"You can remove the world readable permissions using the following syntax:"
#: serverguide/C/security.xml:164(command)
msgid "sudo chmod 0750 /home/username"
#: serverguide/C/security.xml:167(para)
"Some people tend to use the recursive option (-R) indiscriminately which "
"modifies all child folders and files, but this is not necessary, and may "
"yield other undesirable results. The parent directory alone is sufficient "
"for preventing unauthorized access to anything below the parent."
#: serverguide/C/security.xml:171(para)
"A much more efficient approach to the matter would be to modify the "
"<application>adduser</application> global default permissions when creating "
"user home folders. Simply edit the file "
"<filename>/etc/adduser.conf</filename> and modify the "
"<varname>DIR_MODE</varname> variable to something appropriate, so that all "
"new home directories will receive the correct permissions."
#: serverguide/C/security.xml:174(programlisting)
#: serverguide/C/security.xml:179(para)
"After correcting the directory permissions using any of the previously "
"mentioned techniques, verify the results using the following syntax:"
#: serverguide/C/security.xml:185(para)
"The results below show that world readable permissions have been removed:"
#: serverguide/C/security.xml:188(computeroutput)
msgid "drwxr-x--- 2 username username 4096 2007-10-02 20:03 username"
#: serverguide/C/security.xml:195(title)
msgid "Password Policy"
#: serverguide/C/security.xml:196(para)
"A strong password policy is one of the most important aspects of your "
"security posture. Many successful security breaches involve simple brute "
"force and dictionary attacks against weak passwords. If you intend to offer "
"any form of remote access involving your local password system, make sure "
"you adequately address minimum password complexity requirements, maximum "
"password lifetimes, and frequent audits of your authentication systems."
#: serverguide/C/security.xml:200(title)
msgid "Minimum Password Length"
#: serverguide/C/security.xml:201(para)
"By default, Ubuntu requires a minimum password length of 4 characters, as "
"well as some basic entropy checks. These values are controlled in the file "
"<filename>/etc/pam.d/common-password</filename>, which is outlined below."
#: serverguide/C/security.xml:204(programlisting)
"password required pam_unix.so nullok obscure min=4 max=8 md5\n"
#: serverguide/C/security.xml:207(para)
"If you would like to adjust the minimum length to 6 characters, change the "
"appropriate variable to min=6. The modification is outlined below."
#: serverguide/C/security.xml:210(programlisting)
"password required pam_unix.so nullok obscure min=6 max=8 md5\n"
#: serverguide/C/security.xml:214(para)
"The <varname>max=8</varname> variable does not represent the maximum length "
"of a password. It only means that complexity requirements will not be "
"checked on passwords over 8 characters. You may want to look at the "
"<application>libpam-cracklib</application> package for additional password "
"entropy assistance."
#: serverguide/C/security.xml:220(title)
msgid "Password Expiration"
#: serverguide/C/security.xml:221(para)
"When creating user accounts, you should make it a policy to have a minimum "
"and maximum password age forcing users to change their passwords when they "
#: serverguide/C/security.xml:226(para)
"To easily view the current status of a user account, use the following "
#: serverguide/C/security.xml:230(command) serverguide/C/security.xml:263(command)
msgid "sudo chage -l username"
#: serverguide/C/security.xml:232(para)
"The output below shows interesting facts about the user account, namely that "
"there are no policies applied:"
#: serverguide/C/security.xml:235(computeroutput)
"Last password change : Jan 20, 2008\n"
"Password expires : never\n"
"Password inactive : never\n"
"Account expires : never\n"
"Minimum number of days between password change : 0\n"
"Maximum number of days between password change : 99999\n"
"Number of days of warning before password expires : 7"
#: serverguide/C/security.xml:245(para)
"To set any of these values, simply use the following syntax, and follow the "
"interactive prompts:"
#: serverguide/C/security.xml:249(command)
msgid "sudo chage username"
#: serverguide/C/security.xml:251(para)
"The following is also an example of how you can manually change the explicit "
"expiration date (-E) to 01/31/2008, minimum password age (-m) of 5 days, "
"maximum password age (-M) of 90 days, inactivity period (-I) of 5 days after "
"password expiration, and a warning time period (-W) of 14 days before "
"password expiration."
#: serverguide/C/security.xml:255(command)
msgid "sudo chage -E 01/31/2008 -m 5 -M 90 -I 30 -W 14 username"
#: serverguide/C/security.xml:259(para)
msgid "To verify changes, use the same syntax as mentioned previously:"
#: serverguide/C/security.xml:265(para)
"The output below shows the new policies that have been established for the "
#: serverguide/C/security.xml:268(computeroutput)
"Last password change : Jan 20, 2008\n"
"Password expires : Apr 19, 2008\n"
"Password inactive : May 19, 2008\n"
"Account expires : Jan 31, 2008\n"
"Minimum number of days between password change : 5\n"
"Maximum number of days between password change : 90\n"
"Number of days of warning before password expires : 14"
#: serverguide/C/security.xml:284(title)
msgid "Other Security Considerations"
#: serverguide/C/security.xml:285(para)
"Many applications use alternate authentication mechanisms that can be easily "
"overlooked by even experienced system administrators. Therefore, it is "
"important to understand and control how users authenticate and gain access "
"to services and applications on your server."
#: serverguide/C/security.xml:290(title)
msgid "SSH Access by Disabled Users"
#: serverguide/C/security.xml:291(para)
"Simply disabling/locking a user account will not prevent a user from logging "
"into your server remotely if they have previously set up RSA public key "
"authentication. They will still be able to gain shell access to the server, "
"without the need for any password. Remember to check the users home "
"directory for files that will allow for this type of authenticated SSH "
"access. e.g. <filename>/home/username/.ssh/authorized_keys</filename>."
#: serverguide/C/security.xml:294(para)
"Remove or rename the directory <filename "
"class=\"directory\">.ssh/</filename> in the user's home folder to prevent "
"further SSH authentication capabilities."
#: serverguide/C/security.xml:297(para)
"Be sure to check for any established SSH connections by the disabled user, "
"as it is possible they may have existing inbound or outbound connections. "
"Kill any that are found."
#: serverguide/C/security.xml:300(para)
"Restrict SSH access to only user accounts that should have it. For example, "
"you may create a group called \"sshlogin\" and add the group name as the "
"value associated with the <varname>AllowGroups</varname> variable located in "
"the file <filename>/etc/ssh/sshd_config</filename>."
#: serverguide/C/security.xml:303(programlisting)
"AllowGroups sshlogin\n"
#: serverguide/C/security.xml:306(para)
"Then add your permitted SSH users to the group \"sshlogin\", and restart the "
#: serverguide/C/security.xml:310(command)
msgid "sudo adduser username sshlogin"
#: serverguide/C/security.xml:311(command) serverguide/C/remote-administration.xml:150(command)
msgid "sudo /etc/init.d/ssh restart"
#: serverguide/C/security.xml:315(title)
msgid "External User Database Authentication"
#: serverguide/C/security.xml:316(para)
"Most enterprise networks require centralized authentication and access "
"controls for all system resources. If you have configured your server to "
"authenticate users against external databases, be sure to disable the user "
"accounts both externally and locally, this way you ensure that local "
"fallback authentication is not possible."
#: serverguide/C/security.xml:325(title)
msgid "Console Security"
#: serverguide/C/security.xml:326(para)
"As with any other security barrier you put in place to protect your server, "
"it is pretty tough to defend against untold damage caused by someone with "
"physical access to your environment, for example, theft of hard drives, "
"power or service disruption and so on. Therefore, console security should be "
"addressed merely as one component of your overall physical security "
"strategy. A locked \"screen door\" may deter a casual criminal, or at the "
"very least slow down a determined one, so it is still advisable to perform "
"basic precautions with regard to console security."
#: serverguide/C/security.xml:329(para)
"The following instructions will help defend your server against issues that "
"could otherwise yield very serious consequences."
#: serverguide/C/security.xml:334(title)
msgid "Disable Ctrl+Alt+Delete"
#: serverguide/C/security.xml:335(para)
"First and foremost, anyone that has physical access to the keyboard can "
"<keycombo><keycap>Ctrl</keycap><keycap>Alt</keycap><keycap>Delete</keycap></k"
"eycombo> key combination to reboot the server without having to log on. "
"Sure, someone could simply unplug the power source, but you should still "
"prevent the use of this key combination on a production server. This forces "
"an attacker to take more drastic measures to reboot the server, and will "
"prevent accidental reboots at the same time."
6364
#: serverguide/C/security.xml:340(para)
6366
"To disable the reboot action taken by pressing the "
6367
"<keycombo><keycap>Ctrl</keycap><keycap>Alt</keycap><keycap>Delete</keycap></k"
6368
"eycombo> key combination, comment out the following line in the file "
6369
"<filename>/etc/event.d/control-alt-delete</filename>."
6372
#: serverguide/C/security.xml:343(programlisting)
6376
"#exec /sbin/shutdown -r now \"Control-Alt-Delete pressed\"\n"
#: serverguide/C/security.xml:350(title)
msgid "GRUB Password Security"
#: serverguide/C/security.xml:351(para)
"Ubuntu installs GNU GRUB as its default boot loader, which allows for great "
"flexibility and recovery options. For example, when you install additional "
"kernel images, these are automatically added as available boot options in "
"the <application>grub</application> menu. Also, by default, alternate boot "
"options are available for each kernel entry that may be used for system "
"recovery, aptly labeled (recovery mode). Recovery mode simply boots the "
"corresponding kernel image into single user mode (init 1), which lands the "
"administrator at a root prompt without the need for any password."
#: serverguide/C/security.xml:354(para)
"Therefore, it is important to control who may edit the "
"<application>grub</application> menu items which, would otherwise allow for "
"someone to perform the following dangerous actions:"
#: serverguide/C/security.xml:359(para)
msgid "Pass kernel options at boot up."
#: serverguide/C/security.xml:364(para)
msgid "Boot the server into single user mode."
#: serverguide/C/security.xml:369(para)
"You can prevent these actions by adding a password to GRUB's configuration "
"file of <filename>/boot/grub/menu.lst</filename>, which will be required to "
"unlock GRUB's more advanced features prior to use."
#: serverguide/C/security.xml:374(para)
"To add a password for use with <application>grub</application>, first you "
"must generate an md5 password hash using the <application>grub-md5-"
"crypt</application> utility:"
#: serverguide/C/security.xml:378(command)
msgid "grub-md5-crypt"
#: serverguide/C/security.xml:380(para)
"The command will ask you to enter a password and offer a resulting hash "
"value as shown below:"
#: serverguide/C/security.xml:383(userinput)
msgid "(enter new password)"
#: serverguide/C/security.xml:384(userinput)
msgid "(repeat password)"
#: serverguide/C/security.xml:383(computeroutput)
"Password: <placeholder-1/>\n"
"Retype password: <placeholder-2/>\n"
"$1$s3YiK$M3lxAbqA6JLm2FbDWnClQ0"
#: serverguide/C/security.xml:389(para)
"Add the resulting hash value to the file "
"<filename>/boot/grub/menu.lst</filename> in the following format:"
#: serverguide/C/security.xml:392(programlisting)
msgid "password --md5 $1$s3YiK$M3lxAbqA6JLm2FbDWnClQ0"
#: serverguide/C/security.xml:395(para)
"To require use of the password for entering single user mode, change the "
"value of the <varname>lockalternative</varname> variable in the file "
"<filename>/boot/grub/menu.lst</filename> to <varname>true</varname>, as "
"shown in the following example."
#: serverguide/C/security.xml:398(programlisting)
msgid "# lockalternative=true"
#: serverguide/C/security.xml:402(para)
"This does not prevent someone from booting the server from alternate media. "
"A determined attacker would simply boot into an alternate environment, "
"overwrite your master boot record, mount or copy your physical volumes, "
"destroy your data, or anything else they can imagine. Please explore other "
"countermeasures that may help you with these types of attacks."
#: serverguide/C/security.xml:410(title)
#: serverguide/C/security.xml:413(para)
"The Linux kernel includes the <emphasis>Netfilter</emphasis> subsystem, "
"which is used to manipulate or decide the fate of network traffic headed "
"into or through your server. All modern Linux firewall solutions use this "
"system for packet filtering."
#: serverguide/C/security.xml:418(para)
"The kernel's packet filtering system would be of little use to "
"administrators without a userspace interface to manage it. This is the "
"purpose of iptables. When a packet reaches your server, it will be handed "
"off to the Netfilter subsystem for acceptance, manipulation, or rejection "
"based on the rules supplied to it from userspace via iptables. Thus, "
"iptables is all you need to manage your firewall if you're familiar with it, "
"but many frontends are available to simplify the task."
#: serverguide/C/security.xml:428(title)
msgid "ufw - Uncomplicated Firewall"
#: serverguide/C/security.xml:429(para)
"The default firewall configuration tool for Ubuntu is "
"<application>ufw</application>. Developed to ease iptables firewall "
"configuration, <application>ufw</application> provides a user friendly way "
"to create an IPv4 or IPv6 host-based firewall."
#: serverguide/C/security.xml:433(para)
"<application>ufw</application> by default is initially disabled. From the "
"<application>ufw</application> man page:"
#: serverguide/C/security.xml:437(quote)
"ufw is not intended to provide complete firewall functionality via its "
"command interface, but instead provides an easy way to add or remove simple "
"rules. It is currently mainly used for host-based firewalls."
#: serverguide/C/security.xml:441(para)
"The following are some examples of how to use <application>ufw</application>:"
#: serverguide/C/security.xml:446(para)
"First, <application>ufw</application> needs to be enabled. From a terminal "
#: serverguide/C/security.xml:450(command)
msgid "sudo ufw enable"
#: serverguide/C/security.xml:454(para)
msgid "To open a port (ssh in this example):"
#: serverguide/C/security.xml:458(command)
msgid "sudo ufw allow 22"
#: serverguide/C/security.xml:462(para)
msgid "Rules can also be added using a <emphasis>numbered</emphasis> format:"
#: serverguide/C/security.xml:466(command)
msgid "sudo ufw insert 1 allow 80"
#: serverguide/C/security.xml:470(para)
msgid "Similarly, to close an opened port:"
#: serverguide/C/security.xml:474(command)
msgid "sudo ufw deny 22"
#: serverguide/C/security.xml:478(para)
msgid "To remove a rule, use delete followed by the rule:"
#: serverguide/C/security.xml:482(command)
msgid "sudo ufw delete deny 22"
#: serverguide/C/security.xml:486(para)
"It is also possible to allow access from specific hosts or networks to a "
"port. The following example allows ssh access from host 192.168.0.2 to any "
"ip address on this host:"
#: serverguide/C/security.xml:491(command)
msgid "sudo ufw allow proto tcp from 192.168.0.2 to any port 22"
#: serverguide/C/security.xml:493(para)
"Replace 192.168.0.2 with 192.168.0.0/24 to allow ssh access from the entire "
#: serverguide/C/security.xml:499(para)
"Adding the <emphasis>--dry-run</emphasis> option to a "
"<emphasis>ufw</emphasis> command will output the resulting rules, but not "
"apply them. For example, the following is what would be applied if opening "
#: serverguide/C/security.xml:505(command)
msgid "sudo ufw --dry-run allow http"
#: serverguide/C/security.xml:509(computeroutput)
":ufw-user-input - [0:0]\n"
":ufw-user-output - [0:0]\n"
":ufw-user-forward - [0:0]\n"
":ufw-user-limit - [0:0]\n"
":ufw-user-limit-accept - [0:0]\n"
"### tuple ### allow tcp 80 0.0.0.0/0 any 0.0.0.0/0\n"
"-A ufw-user-input -p tcp --dport 80 -j ACCEPT\n"
"### END RULES ###\n"
"-A ufw-user-input -j RETURN\n"
"-A ufw-user-output -j RETURN\n"
"-A ufw-user-forward -j RETURN\n"
"-A ufw-user-limit -m limit --limit 3/minute -j LOG --log-prefix \"[UFW "
"-A ufw-user-limit -j REJECT\n"
"-A ufw-user-limit-accept -j ACCEPT\n"
#: serverguide/C/security.xml:533(para)
msgid "<application>ufw</application> can be disabled by:"
#: serverguide/C/security.xml:537(command)
msgid "sudo ufw disable"
#: serverguide/C/security.xml:541(para)
msgid "To see the firewall status, enter:"
#: serverguide/C/security.xml:545(command)
msgid "sudo ufw status"
#: serverguide/C/security.xml:549(para)
msgid "And for more verbose status information use:"
#: serverguide/C/security.xml:553(command)
msgid "sudo ufw status verbose"
#: serverguide/C/security.xml:557(para)
msgid "To view the <emphasis>numbered</emphasis> format:"
#: serverguide/C/security.xml:561(command)
msgid "sudo ufw status numbered"
#: serverguide/C/security.xml:566(para)
"If the port you want to open or close is defined in "
"<filename>/etc/services</filename>, you can use the port name instead of the "
"number. In the above examples, replace <emphasis>22</emphasis> with "
"<emphasis>ssh</emphasis>."
#: serverguide/C/security.xml:572(para)
"This is a quick introduction to using <application>ufw</application>. Please "
"refer to the <application>ufw</application> man page for more information."
#: serverguide/C/security.xml:578(title)
msgid "ufw Application Integration"
#: serverguide/C/security.xml:580(para)
"Applications that open ports can include an <application>ufw</application> "
"profile, which details the ports needed for the application to function "
"properly. The profiles are kept in <filename "
"role=\"directory\">/etc/ufw/applications.d</filename>, and can be edited if "
"the default ports have been changed."
#: serverguide/C/security.xml:589(para)
"To view which applications have installed a profile, enter the following in "
#: serverguide/C/security.xml:594(command)
msgid "sudo ufw app list"
#: serverguide/C/security.xml:600(para)
"Similar to allowing traffic to a port, using an application profile is "
"accomplished by entering:"
#: serverguide/C/security.xml:605(command)
msgid "sudo ufw allow Samba"
#: serverguide/C/security.xml:611(para)
msgid "An extended syntax is available as well:"
#: serverguide/C/security.xml:616(command)
msgid "ufw allow from 192.168.0.0/24 to any app Samba"
#: serverguide/C/security.xml:619(para)
"Replace <emphasis>Samba</emphasis> and <emphasis>192.168.0.0/24</emphasis> "
"with the application profile you are using and the IP range for your network."
#: serverguide/C/security.xml:625(para)
"There is no need to specify the <emphasis>protocol</emphasis> for the "
"application, because that information is detailed in the profile. Also, note "
"that the <emphasis>app</emphasis> name replaces the "
"<emphasis>port</emphasis> number."
#: serverguide/C/security.xml:634(para)
"To view details about which ports, protocols, etc are defined for an "
"application, enter:"
#: serverguide/C/security.xml:639(command)
msgid "sudo ufw app info Samba"
#: serverguide/C/security.xml:645(para)
"Not all applications that require opening a network port come with "
"<application>ufw</application> profiles, but if you have profiled an "
"application and want the file to be included with the package, please file a "
"bug against the package in <ulink "
"url=\"https://launchpad.net/\">Launchpad</ulink>."
#: serverguide/C/security.xml:654(title)
msgid "IP Masquerading"
#: serverguide/C/security.xml:655(para)
"The purpose of IP Masquerading is to allow machines with private, non-"
"routable IP addresses on your network to access the Internet through the "
"machine doing the masquerading. Traffic from your private network destined "
"for the Internet must be manipulated for replies to be routable back to the "
"machine that made the request. To do this, the kernel must modify the "
"<emphasis>source</emphasis> IP address of each packet so that replies will "
"be routed back to it, rather than to the private IP address that made the "
"request, which is impossible over the Internet. Linux uses "
"<emphasis>Connection Tracking</emphasis> (conntrack) to keep track of which "
"connections belong to which machines and reroute each return packet "
"accordingly. Traffic leaving your private network is thus \"masqueraded\" as "
"having originated from your Ubuntu gateway machine. This process is referred "
"to in Microsoft documentation as Internet Connection Sharing."
#: serverguide/C/security.xml:671(title)
msgid "ufw Masquerading"
#: serverguide/C/security.xml:672(para)
"IP Masquerading can be achieved using custom <application>ufw</application> "
"rules. This is possible because the current back-end for "
"<application>ufw</application> is <application>iptables-"
"restore</application> with the rules files located in "
"<filename>/etc/ufw/*.rules</filename>. These files are a great place to add "
"legacy iptables rules used without <application>ufw</application>, and rules "
"that are more network gateway or bridge related."
#: serverguide/C/security.xml:678(para)
"The rules are split into two different files, rules that should be executed "
"before <application>ufw</application> command line rules, and rules that are "
"executed after <application>ufw</application> command line rules."
#: serverguide/C/security.xml:684(para)
"First, packet forwarding needs to be enabled in "
"<application>ufw</application>. Two configuration files will need to be "
"adjusted, in <filename>/etc/default/ufw</filename> change the "
"<emphasis>DEFAULT_FORWARD_POLICY</emphasis> to <quote>ACCEPT</quote>:"
#: serverguide/C/security.xml:688(programlisting)
"DEFAULT_FORWARD_POLICY=\"ACCEPT\"\n"
#: serverguide/C/security.xml:691(para)
msgid "Then edit <filename>/etc/ufw/sysctl.conf</filename> and uncomment:"
#: serverguide/C/security.xml:694(programlisting) serverguide/C/security.xml:772(programlisting)
"net.ipv4.ip_forward=1\n"
#: serverguide/C/security.xml:697(para)
msgid "Similarly, for IPv6 forwarding uncomment:"
#: serverguide/C/security.xml:700(programlisting) serverguide/C/security.xml:778(programlisting)
"net.ipv6.conf.default.forwarding=1\n"
#: serverguide/C/security.xml:705(para)
"Now we will add rules to the <filename>/etc/ufw/before.rules</filename> "
"file. The default rules only configure the <emphasis>filter</emphasis> "
"table, and to enable masquerading the <emphasis>nat</emphasis> table will "
"need to be configured. Add the following to the top of the file just after "
"the header comments:"
#: serverguide/C/security.xml:710(programlisting)
"# nat Table rules\n"
":POSTROUTING ACCEPT [0:0]\n"
"# Forward traffic from eth1 through eth0.\n"
"-A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE\n"
"# don't delete the 'COMMIT' line or these nat table rules won't be "
#: serverguide/C/security.xml:721(para)
"The comments are not strictly necessary, but it is considered good practice "
"to document your configuration. Also, when modifying any of the "
"<emphasis>rules</emphasis> files in <filename "
"class=\"directory\">/etc/ufw</filename>, make sure these lines are the last "
"line for each table modified:"
#: serverguide/C/security.xml:727(programlisting)
"# don't delete the 'COMMIT' line or these rules won't be processed\n"
#: serverguide/C/security.xml:732(para)
"For each <emphasis>Table</emphasis> a corresponding "
"<emphasis>COMMIT</emphasis> statement is required. In these examples only "
"the <emphasis>nat</emphasis> and <emphasis>filter</emphasis> tables are "
"shown, but you can also add rules for the <emphasis>raw</emphasis> and "
"<emphasis>mangle</emphasis> tables."
#: serverguide/C/security.xml:739(para)
"In the above example replace <emphasis>eth0</emphasis>, "
"<emphasis>eth1</emphasis>, and <emphasis>192.168.0.0/24</emphasis> with the "
"appropriate interfaces and IP range for your network."
#: serverguide/C/security.xml:747(para)
"Finally, disable and re-enable <application>ufw</application> to apply the "
#: serverguide/C/security.xml:751(command)
msgid "sudo ufw disable && sudo ufw enable"
#: serverguide/C/security.xml:755(para)
"IP Masquerading should now be enabled. You can also add any additional "
"FORWARD rules to the <filename>/etc/ufw/before.rules</filename>. It is "
"recommended that these additional rules be added to the <emphasis>ufw-before-"
"forward</emphasis> chain."
#: serverguide/C/security.xml:762(title)
msgid "iptables Masquerading"
#: serverguide/C/security.xml:763(para)
"<application>iptables</application> can also be used to enable masquerading."
#: serverguide/C/security.xml:768(para)
"Similar to <application>ufw</application>, the first step is to enable IPv4 "
"packet forwarding by editing <filename>/etc/sysctl.conf</filename> and "
"uncomment the following line"
#: serverguide/C/security.xml:775(para)
msgid "If you wish to enable IPv6 forwarding also uncomment:"
#: serverguide/C/security.xml:783(para)
"Next, execute the <application>sysctl</application> command to enable the "
"new settings in the configuration file:"
#: serverguide/C/security.xml:787(command)
msgid "sudo sysctl -p"
#: serverguide/C/security.xml:791(para)
"IP Masquerading can now be accomplished with a single iptables rule, which "
"may differ slightly based on your network configuration:"
#: serverguide/C/security.xml:794(screen)
"sudo iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -o ppp0 -j MASQUERADE\n"
#: serverguide/C/security.xml:797(para)
"The above command assumes that your private address space is 192.168.0.0/16 "
"and that your Internet-facing device is ppp0. The syntax is broken down as "
#: serverguide/C/security.xml:802(para)
msgid "-t nat -- the rule is to go into the nat table"
#: serverguide/C/security.xml:803(para)
"-A POSTROUTING -- the rule is to be appended (-A) to the POSTROUTING chain"
#: serverguide/C/security.xml:804(para)
"-s 192.168.0.0/16 -- the rule applies to traffic originating from the "
"specified address space"
#: serverguide/C/security.xml:805(para)
"-o ppp0 -- the rule applies to traffic scheduled to be routed through the "
"specified network device"
#: serverguide/C/security.xml:807(para)
"-j MASQUERADE -- traffic matching this rule is to \"jump\" (-j) to the "
"MASQUERADE target to be manipulated as described above"
#: serverguide/C/security.xml:815(para)
"Also, each chain in the filter table (the default table, and where most or "
"all packet filtering occurs) has a default <emphasis>policy</emphasis> of "
"ACCEPT, but if you are creating a firewall in addition to a gateway device, "
"you may have set the policies to DROP or REJECT, in which case your "
"masqueraded traffic needs to be allowed through the FORWARD chain for the "
"above rule to work:"
#: serverguide/C/security.xml:822(screen)
"sudo iptables -A FORWARD -s 192.168.0.0/16 -o ppp0 -j ACCEPT\n"
"sudo iptables -A FORWARD -d 192.168.0.0/16 -m state --state "
"ESTABLISHED,RELATED -i ppp0 -j ACCEPT\n"
#: serverguide/C/security.xml:826(para)
"The above commands will allow all connections from your local network to the "
"Internet and all traffic related to those connections to return to the "
"machine that initiated them."
#: serverguide/C/security.xml:833(para)
"If you want masquerading to be enabled on reboot, which you probably do, "
"edit <filename>/etc/rc.local</filename> and add any commands used above. For "
"example add the first command with no filtering:"
#: serverguide/C/security.xml:837(screen)
"iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -o ppp0 -j MASQUERADE\n"
#: serverguide/C/security.xml:845(title)
#: serverguide/C/security.xml:846(para)
"Firewall logs are essential for recognizing attacks, troubleshooting your "
"firewall rules, and noticing unusual activity on your network. You must "
"include logging rules in your firewall for them to be generated, though, and "
"logging rules must come before any applicable terminating rule (a rule with "
"a target that decides the fate of the packet, such as ACCEPT, DROP, or "
#: serverguide/C/security.xml:853(para)
"If you are using <application>ufw</application>, you can turn on logging by "
"entering the following in a terminal:"
#: serverguide/C/security.xml:857(command)
msgid "sudo ufw logging on"
#: serverguide/C/security.xml:859(para)
"To turn logging off in <application>ufw</application>, simply replace "
"<emphasis role=\"italic\">on</emphasis> with <emphasis "
"role=\"italic\">off</emphasis> in the above command."
#: serverguide/C/security.xml:862(para)
"If using <application>iptables</application> instead of "
"<application>ufw</application>, enter:"
#: serverguide/C/security.xml:865(screen)
"sudo iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j LOG --log-"
"prefix \"NEW_HTTP_CONN: \"\n"
#: serverguide/C/security.xml:868(para)
"A request on port 80 from the local machine, then, would generate a log in "
"dmesg that looks like this:"
#: serverguide/C/security.xml:873(programlisting)
"[4304885.870000] NEW_HTTP_CONN: IN=lo OUT= "
"MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 "
"LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=58288 DF PROTO=TCP SPT=53981 DPT=80 "
"WINDOW=32767 RES=0x00 SYN URGP=0"
#: serverguide/C/security.xml:875(para)
"The above log will also appear in <filename>/var/log/messages</filename>, "
"<filename>/var/log/syslog</filename>, and "
"<filename>/var/log/kern.log</filename>. This behavior can be modified by "
"editing <filename>/etc/syslog.conf</filename> appropriately or by installing "
"and configuring <application>ulogd</application> and using the ULOG target "
"instead of LOG. The <application>ulogd</application> daemon is a userspace "
"server that listens for logging instructions from the kernel specifically "
"for firewalls, and can log to any file you like, or even to a "
"<application>PostgreSQL</application> or <application>MySQL</application> "
"database. Making sense of your firewall logs can be simplified by using a "
"log analyzing tool such as <application>fwanalog</application>, "
"<application> fwlogwatch</application>, or <application>lire</application>."
#: serverguide/C/security.xml:890(title)
#: serverguide/C/security.xml:891(para)
"There are many tools available to help you construct a complete firewall "
"without intimate knowledge of iptables. For the GUI-inclined:"
#: serverguide/C/security.xml:897(para)
"<ulink url=\"http://www.fs-security.com/\">Firestarter</ulink> is quite "
"popular and easy to use."
#: serverguide/C/security.xml:902(para)
"<ulink url=\"http://www.fwbuilder.org/\">fwbuilder</ulink> is very powerful "
"and will look familiar to an administrator who has used a commercial "
"firewall utility such as <application>Checkpoint FireWall-1</application>."
#: serverguide/C/security.xml:908(para)
"If you prefer a command-line tool with plain-text configuration files:"
#: serverguide/C/security.xml:913(para)
"<ulink url=\"http://www.shorewall.net/\">Shorewall</ulink> is a very "
"powerful solution to help you configure an advanced firewall for any network."
#: serverguide/C/security.xml:919(para)
"<ulink url=\"http://www.linuxkungfu.org/\">ipkungfu</ulink> should give you "
"a working firewall \"out of the box\" with zero configuration, and will "
"allow you to easily set up a more advanced firewall by editing simple, well-"
"documented configuration files."
#: serverguide/C/security.xml:926(para)
"<ulink url=\"http://fireflier.sourceforge.net/\">fireflier</ulink> is "
"designed to be a desktop firewall application. It is made up of a server "
"(fireflier-server) and your choice of GUI clients (GTK or QT), and behaves "
"like many popular interactive firewall applications for Windows."
#: serverguide/C/security.xml:938(para)
"The <ulink url=\"https://wiki.ubuntu.com/UbuntuFirewall\">Ubuntu "
"Firewall</ulink> wiki page contains information on the development of "
"<application>ufw</application>."
#: serverguide/C/security.xml:944(para)
"Also, the <application>ufw</application> manual page contains some very "
"useful information: <command>man ufw</command>."
#: serverguide/C/security.xml:949(para)
"See the <ulink url=\"http://www.netfilter.org/documentation/HOWTO/packet-"
"filtering-HOWTO.html\">packet-filtering-HOWTO</ulink> for more information "
"on using <application>iptables</application>."
#: serverguide/C/security.xml:955(para)
"The <ulink url=\"http://www.netfilter.org/documentation/HOWTO/NAT-"
"HOWTO.html\">nat-HOWTO</ulink> contains further details on masquerading."
#: serverguide/C/security.xml:964(title)
#: serverguide/C/security.xml:965(para)
"<application>AppArmor</application> is a Linux Security Module "
"implementation of name-based mandatory access controls. AppArmor confines "
"individual programs to a set of listed files and posix 1003.1e draft "
#: serverguide/C/security.xml:969(para)
"<application>AppArmor</application> is installed and loaded by default. It "
"uses <emphasis>profiles</emphasis> of an application to determine what files "
"and permissions the application requires. Some packages will install their "
"own profiles, and additional profiles can be found in the "
"<application>apparmor-profiles</application> package."
#: serverguide/C/security.xml:974(para)
"To install the <application>apparmor-profiles</application> package from a "
#: serverguide/C/security.xml:980(para)
msgid "AppArmor profiles have two modes of execution:"
#: serverguide/C/security.xml:985(para)
"Complaining/Learning: profile violations are permitted and logged. Useful "
"for testing and developing new profiles."
#: serverguide/C/security.xml:990(para)
"Enforced/Confined: enforces profile policy as well as logging the violation."
#: serverguide/C/security.xml:996(title)
msgid "Using AppArmor"
#: serverguide/C/security.xml:997(para)
"The <application>apparmor-utils</application> package contains command line "
"utilities that you can use to change the <application>AppArmor</application> "
"execution mode, find the status of a profile, create new profiles, etc."
#: serverguide/C/security.xml:1003(para)
"<application>apparmor_status</application> is used to view the current "
"status of AppArmor profiles."
#: serverguide/C/security.xml:1007(command)
msgid "sudo apparmor_status"
#: serverguide/C/security.xml:1011(para)
"<application>aa-complain</application> places a profile into "
"<emphasis>complain</emphasis> mode."
#: serverguide/C/security.xml:1015(command)
msgid "sudo aa-complain /path/to/bin"
#: serverguide/C/security.xml:1019(para)
"<application>aa-enforce</application> places a profile into "
"<emphasis>enforce</emphasis> mode."
#: serverguide/C/security.xml:1023(command)
msgid "sudo aa-enforce /path/to/bin"
#: serverguide/C/security.xml:1027(para)
"The <filename>/etc/apparmor.d</filename> directory is where the AppArmor "
"profiles are located. It can be used to manipulate the "
"<emphasis>mode</emphasis> of all profiles."
#: serverguide/C/security.xml:1031(para)
msgid "Enter the following to place all profiles into complain mode:"
#: serverguide/C/security.xml:1035(command)
msgid "sudo aa-complain /etc/apparmor.d/*"
#: serverguide/C/security.xml:1037(para)
msgid "To place all profiles in enforce mode:"
#: serverguide/C/security.xml:1041(command)
msgid "sudo aa-enforce /etc/apparmor.d/*"
#: serverguide/C/security.xml:1045(para)
"<application>apparmor_parser</application> is used to load a profile into "
"the kernel. It can also be used to reload a currently loaded profile using "
"the <emphasis>-r</emphasis> option. To load a profile:"
#: serverguide/C/security.xml:1050(command) serverguide/C/security.xml:1082(command)
msgid "cat /etc/apparmor.d/profile.name | sudo apparmor_parser -a"
#: serverguide/C/security.xml:1052(para)
msgid "To reload a profile:"
#: serverguide/C/security.xml:1056(command)
msgid "cat /etc/apparmor.d/profile.name | sudo apparmor_parser -r"
#: serverguide/C/security.xml:1060(para)
"<filename>/etc/init.d/apparmor</filename> can be used to "
"<emphasis>reload</emphasis> all profiles:"
#: serverguide/C/security.xml:1064(command)
msgid "sudo /etc/init.d/apparmor reload"
#: serverguide/C/security.xml:1068(para)
"The <filename>/etc/apparmor.d/disable</filename> directory can be used along "
"with the <application>apparmor_parser -R</application> option to "
"<emphasis>disable</emphasis> a profile."
#: serverguide/C/security.xml:1073(command)
msgid "sudo ln -s /etc/apparmor.d/profile.name /etc/apparmor.d/disable/"
#: serverguide/C/security.xml:1074(command)
msgid "sudo apparmor_parser -R /etc/apparmor.d/profile.name"
#: serverguide/C/security.xml:1076(para)
"To <emphasis>re-enable</emphasis> a disabled profile remove the symbolic "
"link to the profile in <filename>/etc/apparmor.d/disable/</filename>. Then "
"load the profile using the <emphasis>-a</emphasis> option."
#: serverguide/C/security.xml:1081(command)
msgid "sudo rm /etc/apparmor.d/disable/profile.name"
#: serverguide/C/security.xml:1086(para)
"<application>AppArmor</application> can be disabled, and the kernel module "
"unloaded by entering the following:"
#: serverguide/C/security.xml:1090(command)
msgid "sudo /etc/init.d/apparmor stop"
#: serverguide/C/security.xml:1091(command)
msgid "sudo update-rc.d -f apparmor remove"
#: serverguide/C/security.xml:1095(para)
msgid "To re-enable <application>AppArmor</application> enter:"
#: serverguide/C/security.xml:1099(command)
msgid "sudo /etc/init.d/apparmor start"
#: serverguide/C/security.xml:1100(command)
msgid "sudo update-rc.d apparmor defaults"
#: serverguide/C/security.xml:1105(para)
"Replace <emphasis>profile.name</emphasis> with the name of the profile you "
"want to manipulate. Also, replace <filename>/path/to/bin/</filename> with "
"the actual executable file path. For example for the "
"<application>ping</application> command use <filename>/bin/ping</filename>"
7375
#: serverguide/C/security.xml:1113(title)
7379
#: serverguide/C/security.xml:1114(para)
"<application>AppArmor</application> profiles are simple text files located "
"in <filename>/etc/apparmor.d/</filename>. The files are named after the full "
"path to the executable they profile replacing the \"/\" with \".\". For "
"example <filename>/etc/apparmor.d/bin.ping</filename> is the AppArmor "
"profile for the <filename>/bin/ping</filename> command."
#: serverguide/C/security.xml:1120(para)
msgid "There are two main type of rules used in profiles:"
#: serverguide/C/security.xml:1125(para)
"<emphasis>Path entries:</emphasis> which detail which files an application "
"can access in the file system."
#: serverguide/C/security.xml:1130(para)
"<emphasis>Capability entries:</emphasis> determine what privileges a "
"confined process is allowed to use."
#: serverguide/C/security.xml:1135(para)
"As an example take a look at <filename>/etc/apparmor.d/bin.ping</filename>:"
#: serverguide/C/security.xml:1138(programlisting)
"#include <tunables/global>\n"
"/bin/ping flags=(complain) {\n"
" #include <abstractions/base>\n"
" #include <abstractions/consoles>\n"
" #include <abstractions/nameservice>\n"
" capability net_raw,\n"
" capability setuid,\n"
" network inet raw,\n"
" /bin/ping mixr,\n"
" /etc/modules.conf r,\n"
#: serverguide/C/security.xml:1155(para)
"<emphasis>#include <tunables/global>:</emphasis> include statements "
"from other files. This allows statements pertaining to multiple applications "
"to be placed in a common file."
#: serverguide/C/security.xml:1161(para)
"<emphasis>/bin/ping flags=(complain):</emphasis> path to the profiled "
"program, also setting the mode to <emphasis>complain</emphasis>."
#: serverguide/C/security.xml:1167(para)
"<emphasis>capability net_raw,:</emphasis> allows the application access to "
"the CAP_NET_RAW Posix.1e capability."
#: serverguide/C/security.xml:1172(para)
"<emphasis>/bin/ping mixr,:</emphasis> allows the application read and "
"execute access to the file."
#: serverguide/C/security.xml:1178(para)
"After editing a profile file the profile must be reloaded. See <xref "
"linkend=\"apparmor-usage\"/> for details."
#: serverguide/C/security.xml:1183(title)
msgid "Creating a Profile"
#: serverguide/C/security.xml:1186(para)
"<emphasis>Design a test plan:</emphasis> Try to think about how the "
"application should be exercised. The test plan should be divided into small "
"test cases. Each test case should have a small description and list the "
#: serverguide/C/security.xml:1190(para)
msgid "Some standard test cases are:"
#: serverguide/C/security.xml:1195(para)
msgid "Starting the program."
#: serverguide/C/security.xml:1200(para)
msgid "Stopping the program."
#: serverguide/C/security.xml:1205(para)
msgid "Reloading the program."
#: serverguide/C/security.xml:1210(para)
msgid "Testing all the commands supported by the init script."
#: serverguide/C/security.xml:1217(para)
"<emphasis>Generate the new profile:</emphasis> Use <application>aa-"
"genprof</application> to generate a new profile. From a terminal:"
#: serverguide/C/security.xml:1222(command)
msgid "sudo aa-genprof executable"
#: serverguide/C/security.xml:1224(para)
msgid "For example:"
#: serverguide/C/security.xml:1228(command)
msgid "sudo aa-genprof slapd"
#: serverguide/C/security.xml:1232(para)
"To get your new profile included in the <application>apparmor-"
"profiles</application> package, file a bug in <emphasis>Launchpad</emphasis> "
"against the <ulink "
"url=\"https://bugs.launchpad.net/ubuntu/+source/apparmor/+filebug\">AppArmor<"
#: serverguide/C/security.xml:1239(para)
msgid "Include your test plan and test cases."
#: serverguide/C/security.xml:1244(para)
msgid "Attach your new profile to the bug."
#: serverguide/C/security.xml:1253(title)
msgid "Updating Profiles"
#: serverguide/C/security.xml:1254(para)
"When the program is misbehaving, audit messages are sent to the log files. "
"The program <application>aa-logprof</application> can be used to scan log "
"files for <application>AppArmor</application> audit messages, review them "
"and update the profiles. From a terminal:"
#: serverguide/C/security.xml:1259(command)
msgid "sudo aa-logprof"
#: serverguide/C/security.xml:1267(para)
"url=\"http://www.novell.com/documentation/apparmor/apparmor201_sp10_admin/ind"
"ex.html?page=/documentation/apparmor/apparmor201_sp10_admin/data/book_apparmo"
"r_admin.html\">AppArmor Administration Guide</ulink> for advanced "
"configuration options."
#: serverguide/C/security.xml:1274(para)
"For details using AppArmor with other Ubuntu releases see the <ulink "
"url=\"https://help.ubuntu.com/community/AppArmor\"> AppArmor Community "
"Wiki</ulink> page."
#: serverguide/C/security.xml:1282(para)
"The <ulink url=\"http://en.opensuse.org/AppArmor\">OpenSUSE AppArmor</ulink> "
"page is another introduction to AppArmor."
#: serverguide/C/security.xml:1289(para)
"A great place to ask for <application>AppArmor</application> assistance, and "
"get involved with the Ubuntu Server community, is the <emphasis>#ubuntu-"
"server</emphasis> IRC channel on <ulink "
"url=\"http://freenode.net\">freenode</ulink>."
#: serverguide/C/security.xml:1299(title)
msgid "Certificates"
#: serverguide/C/security.xml:1300(para)
"One of the most common forms of cryptography today is <emphasis>public-"
"key</emphasis> cryptography. Public-key cryptography utilizes a "
"<emphasis>public key</emphasis> and a <emphasis>private key</emphasis>. The "
"system works by <emphasis>encrypting</emphasis> information using the public "
"key. The information can then only be <emphasis>decrypted</emphasis> using "
#: serverguide/C/security.xml:1306(para)
"A common use for public-key cryptography is encrypting application traffic "
"using a Secure Socket Layer (SSL) or Transport Layer Security (TLS) "
"connection. For example, configuring Apache to provide "
"<emphasis>HTTPS</emphasis>, the HTTP protocol over SSL. This allows a way to "
"encrypt traffic using a protocol that does not itself provide encryption."
#: serverguide/C/security.xml:1311(para)
"A <emphasis>Certificate</emphasis> is a method used to distribute a "
"<emphasis>public key</emphasis> and other information about a server and the "
"organization who is responsible for it. Certificates can be digitally signed "
"by a <emphasis>Certification Authority</emphasis> or CA. A CA is a trusted "
"third party that has confirmed that the information contained in the "
"certificate is accurate."
#: serverguide/C/security.xml:1318(title)
msgid "Types of Certificates"
msgstr "Sertifikatų rūšys"
#: serverguide/C/security.xml:1319(para)
"To set up a secure server using public-key cryptography, in most cases, you "
"send your certificate request (including your public key), proof of your "
"company's identity, and payment to a CA. The CA verifies the certificate "
"request and your identity, and then sends back a certificate for your secure "
"server. Alternatively, you can create your own <emphasis>self-"
"signed</emphasis> certificate."
#: serverguide/C/security.xml:1329(para)
"Note, that self-signed certificates should not be used in most production "
#: serverguide/C/security.xml:1333(para)
"Continuing the HTTPS example, a CA-signed certificate provides two important "
"capabilities that a self-signed certificate does not:"
#: serverguide/C/security.xml:1340(para)
"Browsers (usually) automatically recognize the certificate and allow a "
"secure connection to be made without prompting the user."
#: serverguide/C/security.xml:1347(para)
"When a CA issues a signed certificate, it is guaranteeing the identity of "
"the organization that is providing the web pages to the browser."
#: serverguide/C/security.xml:1355(para)
"Most Web browsers, and computers, that support SSL have a list of CAs whose "
"certificates they automatically accept. If a browser encounters a "
"certificate whose authorizing CA is not in the list, the browser asks the "
"user to either accept or decline the connection. Also, other applications "
"may generate an error message when using a self-singed certificate."
#: serverguide/C/security.xml:1363(para)
"The process of getting a certificate from a CA is fairly easy. A quick "
"overview is as follows:"
#: serverguide/C/security.xml:1370(para)
msgid "Create a private and public encryption key pair."
#: serverguide/C/security.xml:1373(para)
"Create a certificate request based on the public key. The certificate "
"request contains information about your server and the company hosting it."
#: serverguide/C/security.xml:1378(para)
"Send the certificate request, along with documents proving your identity, to "
"a CA. We cannot tell you which certificate authority to choose. Your "
"decision may be based on your past experiences, or on the experiences of "
"your friends or colleagues, or purely on monetary factors."
#: serverguide/C/security.xml:1384(para)
"Once you have decided upon a CA, you need to follow the instructions they "
"provide on how to obtain a certificate from them."
#: serverguide/C/security.xml:1389(para)
"When the CA is satisfied that you are indeed who you claim to be, they send "
"you a digital certificate."
#: serverguide/C/security.xml:1393(para)
"Install this certificate on your secure server, and configure the "
"appropriate applications to use the certificate."
#: serverguide/C/security.xml:1402(title)
msgid "Generating a Certificate Signing Request (CSR)"
#: serverguide/C/security.xml:1404(para)
"Whether you are getting a certificate from a CA or generating your own self-"
"signed certificate, the first step is to generate a key."
#: serverguide/C/security.xml:1409(para)
"If the certificate will be used by service daemons, such as Apache, Postfix, "
"Dovecot, etc, a key without a passphrase is often appropriate. Not having a "
"passphrase allows the services to start without manual intervention, usually "
"the preferred way to start a daemon."
#: serverguide/C/security.xml:1415(para)
"This section will cover generating a key with a passphrase, and one without. "
"The non-passphrase key will then be used to generate a certificate that can "
"be used with various service daemons."
#: serverguide/C/security.xml:1421(para)
"Running your secure service without a passphrase is convenient because you "
"will not need to enter the passphrase every time you start your secure "
"service. But it is insecure and a compromise of the key means a compromise "
"of the server as well."
#: serverguide/C/security.xml:1428(para)
"To generate the <emphasis>keys</emphasis> for the Certificate Signing "
"Request (CSR) run the following command from a terminal prompt:"
#: serverguide/C/security.xml:1434(command)
msgid "openssl genrsa -des3 -out server.key 1024"
#: serverguide/C/security.xml:1437(programlisting)
"Generating RSA private key, 1024 bit long modulus\n"
".....................++++++\n"
".................++++++\n"
"unable to write 'random state'\n"
"e is 65537 (0x10001)\n"
"Enter pass phrase for server.key:\n"
#: serverguide/C/security.xml:1446(para)
"You can now enter your passphrase. For best security, it should at least "
"contain eight characters. The minimum length when specifying -des3 is four "
"characters. It should include numbers and/or punctuation and not be a word "
"in a dictionary. Also remember that your passphrase is case-sensitive."
#: serverguide/C/security.xml:1454(para)
"Re-type the passphrase to verify. Once you have re-typed it correctly, the "
"server key is generated and stored in the <filename>server.key</filename> "
#: serverguide/C/security.xml:1460(para)
"Now create the insecure key, the one without a passphrase, and shuffle the "
#: serverguide/C/security.xml:1466(command)
msgid "openssl rsa -in server.key -out server.key.insecure"
msgstr "openssl rsa -in server.key -out server.key.insecure"
#: serverguide/C/security.xml:1467(command)
msgid "mv server.key server.key.secure"
#: serverguide/C/security.xml:1468(command)
msgid "mv server.key.insecure server.key"
#: serverguide/C/security.xml:1471(para)
"The insecure key is now named <filename>server.key</filename>, and you can "
"use this file to generate the CSR without passphrase."
#: serverguide/C/security.xml:1476(para)
msgid "To create the CSR, run the following command at a terminal prompt:"
#: serverguide/C/security.xml:1481(command)
msgid "openssl req -new -key server.key -out server.csr"
msgstr "openssl req -new -key server.key -out server.csr"
#: serverguide/C/security.xml:1484(para)
"It will prompt you enter the passphrase. If you enter the correct "
"passphrase, it will prompt you to enter Company Name, Once you enter all "
"these details, your CSR will be created and it will be stored in the "
"<filename>server.csr</filename> file. Site Name, Email Id, etc."
#: serverguide/C/security.xml:1492(para)
"You can now submit this CSR file to a CA for processing. The CA will use "
"this CSR file and issue the certificate. On the other hand, you can create "
"self-signed certificate using this CSR."
#: serverguide/C/security.xml:1500(title)
msgid "Creating a Self-Signed Certificate"
#: serverguide/C/security.xml:1501(para)
"To create the self-signed certificate, run the following command at a "
#: serverguide/C/security.xml:1506(command)
"openssl x509 -req -days 365 -in server.csr -signkey server.key -out "
"openssl x509 -req -days 365 -in server.csr -signkey server.key -out "
#: serverguide/C/security.xml:1509(para)
"The above command will prompt you to enter the passphrase. Once you enter "
"the correct passphrase, your certificate will be created and it will be "
"stored in the <filename>server.crt</filename> file."
#: serverguide/C/security.xml:1514(para)
"If your secure server is to be used in a production environment, you "
"probably need a CA-signed certificate. It is not recommended to use self-"
"signed certificate."
#: serverguide/C/security.xml:1522(title)
msgid "Installing the Certificate"
msgstr "Diegiamas Sertifikatas"
#: serverguide/C/security.xml:1524(para)
"You can install the key file <filename>server.key</filename> and certificate "
"file <filename>server.crt</filename>, or the certificate file issued by your "
"CA, by running following commands at a terminal prompt:"
#: serverguide/C/security.xml:1530(command)
msgid "sudo cp server.crt /etc/ssl/certs"
#: serverguide/C/security.xml:1531(command)
msgid "sudo cp server.key /etc/ssl/private"
#: serverguide/C/security.xml:1533(para)
"Now simply configure any applications, with the ability to use public-key "
"cryptography, to use the <emphasis>certificate</emphasis> and "
"<emphasis>key</emphasis> files. For example, "
"<application>Apache</application> can provide HTTPS, "
"<application>Dovecot</application> can provide IMAPS and POP3S, etc."
#: serverguide/C/security.xml:1540(title)
msgid "Certification Authority"
#: serverguide/C/security.xml:1542(para)
"If the services on your network require more than a few self-signed "
"certificates it may be worth the additional effort to setup your own "
"internal <emphasis>Certification Authority (CA)</emphasis>. Using "
"certificates signed by your own CA, allows the various services using the "
"certificates to easily trust other services using certificates issued from "
#: serverguide/C/security.xml:1552(para)
"First, create the directories to hold the CA certificate and related files:"
#: serverguide/C/security.xml:1557(command)
msgid "sudo mkdir /etc/ssl/CA"
#: serverguide/C/security.xml:1558(command)
msgid "sudo mkdir /etc/ssl/newcerts"
#: serverguide/C/security.xml:1564(para)
"The CA needs a few additional files to operate, one to keep track of the "
"last serial number used by the CA, each certificate must have a unique "
"serial number, and another file to record which certificates have been "
#: serverguide/C/security.xml:1571(command)
msgid "sudo sh -c \"echo '01' > /etc/ssl/CA/serial\""
#: serverguide/C/security.xml:1572(command)
msgid "sudo touch /etc/ssl/CA/index.txt"
#: serverguide/C/security.xml:1578(para)
"The third file is a CA configuration file. Though not strictly necessary, it "
"is very convenient when issuing multiple certificates. Edit "
"<filename>/etc/ssl/openssl.cnf</filename>, and in the <emphasis>[ CA_default "
"]</emphasis> change:"
#: serverguide/C/security.xml:1584(programlisting)
"dir = /etc/ssl/ # Where everything is kept\n"
"database = $dir/CA/index.txt # database index file.\n"
"certificate = $dir/certs/cacert.pem # The CA certificate\n"
"serial = $dir/CA/serial # The current serial number\n"
"private_key = $dir/private/cakey.pem# The private key\n"
#: serverguide/C/security.xml:1595(para)
msgid "Next, create the self-singed root certificate:"
#: serverguide/C/security.xml:1600(command)
"openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -"
#: serverguide/C/security.xml:1603(para)
msgid "You will then be asked to enter the details about the certificate."
#: serverguide/C/security.xml:1610(para)
msgid "Now install the root certificate and key:"
#: serverguide/C/security.xml:1615(command)
msgid "sudo mv cakey.pem /etc/ssl/private/"
#: serverguide/C/security.xml:1616(command)
msgid "sudo mv cacert.pem /etc/ssl/certs/"
#: serverguide/C/security.xml:1622(para)
"You are now ready to start signing certificates. The first item needed is a "
"Certificate Signing Request (CSR), see <xref linkend=\"generating-a-csr\"/> "
"for details. Once you have a CSR, enter the following to generate a "
"certificate signed by the CA:"
#: serverguide/C/security.xml:1629(command)
msgid "sudo openssl ca -in server.csr -config /etc/ssl/openssl.cnf"
#: serverguide/C/security.xml:1632(para)
"After entering the password for the CA key, you will be prompted to sign the "
"certificate, and again to commit the new certificate. You should then see a "
"somewhat large amount of output related to the certificate creation."
#: serverguide/C/security.xml:1641(para)
"There should now be a new file, "
"<filename>/etc/ssl/newcerts/01.pem</filename>, containing the same output. "
"Copy and paste everything between the <emphasis>-----BEGIN CERTIFICATE-----"
"</emphasis> and <emphasis>----END CERTIFICATE-----</emphasis> lines to a "
"file named after the hostname of the server where the certificate will be "
"installed. For example <filename>mail.example.com.crt</filename>, is a nice "
#: serverguide/C/security.xml:1649(para)
"Subsequent certificates will be named <filename>02.pem</filename>, "
"<filename>03.pem</filename>, etc."
#: serverguide/C/security.xml:1654(para)
"Replace <emphasis>mail.example.com.crt</emphasis> with your own descriptive "
#: serverguide/C/security.xml:1662(para)
"Finally, copy the new certificate to the host that needs it, and configure "
"the appropriate applications to use it. The default location to install "
"certificates is <filename role=\"directory\">/etc/ssl/certs</filename>. This "
"enables multiple services to use the same certificate without overly "
"complicated file permissions."
#: serverguide/C/security.xml:1668(para)
"For applications that can be configured to use a CA certificate, you should "
"also copy the <filename>/etc/ssl/certs/cacert.pem</filename> file to the "
"<filename role=\"directory\">/etc/ssl/certs/</filename> directory on each "
#: serverguide/C/security.xml:1682(para)
"For more detailed instructions on using cryptography see the <ulink "
"url=\"http://tldp.org/HOWTO/SSL-Certificates-HOWTO/index.html\">SSL "
"Certificates HOWTO</ulink> by tlpd.org"
#: serverguide/C/security.xml:1688(para)
"<ulink url=\"http://www.pki-page.org/\">The PKI Page</ulink> contains a list "
"of Certificate Authorities."
#: serverguide/C/security.xml:1693(para)
"The Wikipedia <ulink "
"url=\"http://en.wikipedia.org/wiki/Https\">HTTPS</ulink> page has more "
"information regarding HTTPS."
#: serverguide/C/security.xml:1698(para)
"For more information on <emphasis>OpenSSL</emphasis> see the <ulink "
"url=\"http://www.openssl.org/\">OpenSSL Home Page</ulink>."
#: serverguide/C/security.xml:1703(para)
"Also, O'Reilly's <ulink "
"url=\"http://oreilly.com/catalog/9780596002701/\">Network Security with "
"OpenSSL</ulink> is a good in depth reference."
#: serverguide/C/security.xml:1712(title)
#: serverguide/C/security.xml:1714(para)
"<emphasis>eCryptfs</emphasis> is a POSIX-compliant enterprise-class stacked "
"cryptographic filesystem for Linux. Layering on top of the filesystem layer "
"<emphasis>eCryptfs</emphasis> protects files no matter the underlying "
"filesystem, partition type, etc."
#: serverguide/C/security.xml:1720(para)
"During installation there is an option to encrypt the <filename "
"role=\"directory\">/home</filename> partition. This will automatically "
"configure everything needed to encrypt and mount the partition."
#: serverguide/C/security.xml:1725(para)
"As an example, this section will cover configuring <filename "
"role=\"directory\">/srv</filename> to be encrypted using eCryptfs."
#: serverguide/C/security.xml:1730(title)
msgid "Using eCryptfs"
#: serverguide/C/security.xml:1732(para)
msgid "First, install the necessary packages. From a terminal prompt enter:"
#: serverguide/C/security.xml:1737(command)
msgid "sudo apt-get install ecryptfs-utils"
#: serverguide/C/security.xml:1740(para)
msgid "Now mount the partition to be encrypted:"
#: serverguide/C/security.xml:1745(command)
msgid "sudo mount -t ecryptfs /srv /srv"
#: serverguide/C/security.xml:1748(para)
"You will then be prompted for some details on how "
"<application>ecryptfs</application> should encrypt the data."
#: serverguide/C/security.xml:1752(para)
"To test that files placed in <filename>/srv</filename> are indeed encrypted "
"copy the <filename>/etc/default</filename> folder to "
"<filename>/srv</filename>:"
#: serverguide/C/security.xml:1758(command) serverguide/C/clustering.xml:185(command)
msgid "sudo cp -r /etc/default /srv"
#: serverguide/C/security.xml:1761(para)
msgid "Now unmount <filename>/srv</filename>, and try to view a file:"
#: serverguide/C/security.xml:1766(command) serverguide/C/installation.xml:1088(command) serverguide/C/clustering.xml:193(command)
msgid "sudo umount /srv"
#: serverguide/C/security.xml:1767(command)
msgid "cat /srv/default/cron"
#: serverguide/C/security.xml:1770(para)
"Remounting <filename>/srv</filename> using "
"<application>ecryptfs</application> will make the data viewable once again."
#: serverguide/C/security.xml:1776(title)
msgid "Automatically Mounting Encrypted Partitions"
#: serverguide/C/security.xml:1778(para)
"There are a couple of ways to automatically mount an "
"<application>ecryptfs</application> encrypted filesystem at boot. This "
"example will use a <filename>/root/.ecryptfsrc</filename> file containing "
"mount options, along with a passphrase file residing on a USB key."
#: serverguide/C/security.xml:1784(para)
msgid "First, create <filename>/root/.ecryptfsrc</filename> containing:"
#: serverguide/C/security.xml:1788(programlisting)
"key=passphrase:passphrase_passwd_file=/mnt/usb/passwd_file.txt\n"
"ecryptfs_sig=5826dd62cf81c615\n"
"ecryptfs_cipher=aes\n"
"ecryptfs_key_bytes=16\n"
"ecryptfs_passthrough=n\n"
"ecryptfs_enable_filename_crypto=n\n"
#: serverguide/C/security.xml:1798(para)
"Adjust the <emphasis>ecryptfs_sig</emphasis> to the signature in "
"<filename>/root/.ecryptfs/sig-cache.txt</filename>."
#: serverguide/C/security.xml:1803(para)
"Next, create the <filename>/mnt/usb/passwd_file.txt</filename> passphrase "
#: serverguide/C/security.xml:1807(programlisting)
"passphrase_passwd=[secrets]\n"
#: serverguide/C/security.xml:1811(para)
msgid "Now add the necessary lines to <filename>/etc/fstab</filename>:"
#: serverguide/C/security.xml:1815(programlisting)
"/dev/sdb1 /mnt/usb ext3 ro 0 0\n"
"/srv /srv ecryptfs defaults 0 0\n"
#: serverguide/C/security.xml:1820(para)
msgid "Make sure the USB drive is mounted before the encrypted partition."
#: serverguide/C/security.xml:1824(para)
"Finally, reboot and the <filename>/srv</filename> should be mounted using "
#: serverguide/C/security.xml:1832(para)
"The <application>ecryptfs-utils</application> package includes several other "
#: serverguide/C/security.xml:1838(para)
"<emphasis>ecryptfs-setup-private:</emphasis> creates a "
"<filename>~/Private</filename> directory to contain encrypted information. "
"This utility can be run by unprivileged users to keep data private from "
"other users on the system."
#: serverguide/C/security.xml:1845(para)
"<emphasis>ecryptfs-mount-private and ecryptfs-umount-private:</emphasis> "
"will mount and unmount respectively, a users <filename>~/Private</filename> "
#: serverguide/C/security.xml:1851(para)
"<emphasis>ecryptfs-add-passphrase:</emphasis> adds a new passphrase to the "
#: serverguide/C/security.xml:1856(para)
"<emphasis>ecryptfs-manager:</emphasis> manages "
"<application>eCryptfs</application> objects such as keys."
#: serverguide/C/security.xml:1861(para)
"<emphasis>ecryptfs-stat:</emphasis> allows you to view the "
"<application>ecryptfs</application> meta information for a file."
#: serverguide/C/security.xml:1874(para)
"For more information on eCryptfs see the <ulink "
"url=\"https://launchpad.net/ecryptfs\">Launch Pad project page</ulink>"
#: serverguide/C/security.xml:1879(para)
"There is also a <ulink "
"url=\"http://www.linuxjournal.com/article/9400\">Linux Journal</ulink> "
"article covering eCryptfs."
#: serverguide/C/security.xml:1884(para)
"Also, for more <application>ecryptfs</application> options see the <ulink "
"url=\"http://manpages.ubuntu.com/manpages/jaunty/en/man7/ecryptfs.7.html\">ec"
"ryptfs man page</ulink>."
#: serverguide/C/remote-administration.xml:13(title)
msgid "Remote Administration"
#: serverguide/C/remote-administration.xml:14(para)
"There are many ways to remotely administer a Linux server. This chapter will "
"cover one of the most popular <application>SSH</application> as well as "
"<application>eBox</application>, a web based administration framework."
#: serverguide/C/remote-administration.xml:23(para)
"This section of the Ubuntu Server Guide introduces a powerful collection of "
"tools for the remote control of networked computers and transfer of data "
"between networked computers, called <emphasis>OpenSSH</emphasis>. You will "
"also learn about some of the configuration settings possible with the "
"OpenSSH server application and how to change them on your Ubuntu system."
#: serverguide/C/remote-administration.xml:30(para)
"OpenSSH is a freely available version of the Secure Shell (SSH) protocol "
"family of tools for remotely controlling a computer or transferring files "
"between computers. Traditional tools used to accomplish these functions, "
"such as <application>telnet</application> or <application>rcp</application>, "
"are insecure and transmit the user's password in cleartext when used. "
"OpenSSH provides a server daemon and client tools to facilitate secure, "
"encrypted remote control and file transfer operations, effectively replacing "
#: serverguide/C/remote-administration.xml:39(para)
"The OpenSSH server component, <application>sshd</application>, listens "
"continuously for client connections from any of the client tools. When a "
"connection request occurs, <application>sshd</application> sets up the "
"correct connection depending on the type of client tool connecting. For "
"example, if the remote computer is connecting with the "
"<application>ssh</application> client application, the OpenSSH server sets "
"up a remote control session after authentication. If a remote user connects "
"to an OpenSSH server with <application>scp</application>, the OpenSSH server "
"daemon initiates a secure copy of files between the server and client after "
"authentication. OpenSSH can use many authentication methods, including plain "
"password, public key, and <application>Kerberos</application> tickets."
#: serverguide/C/remote-administration.xml:53(para)
"Installation of the OpenSSH client and server applications is simple. To "
"install the OpenSSH client applications on your Ubuntu system, use this "
"command at a terminal prompt:"
#: serverguide/C/remote-administration.xml:59(command)
msgid "sudo apt-get install openssh-client"
#: serverguide/C/remote-administration.xml:61(para)
"To install the OpenSSH server application, and related support files, use "
"this command at a terminal prompt:"
#: serverguide/C/remote-administration.xml:66(command)
msgid "sudo apt-get install openssh-server"
#: serverguide/C/remote-administration.xml:68(para)
"The <application>openssh-server</application> package can also be selected "
"to install during the Server Edition installation process."
#: serverguide/C/remote-administration.xml:75(para)
"You may configure the default behavior of the OpenSSH server application, "
"<application>sshd</application>, by editing the file "
"<filename>/etc/ssh/sshd_config</filename>. For information about the "
"configuration directives used in this file, you may view the appropriate "
"manual page with the following command, issued at a terminal prompt:"
#: serverguide/C/remote-administration.xml:83(command)
msgid "man sshd_config"
#: serverguide/C/remote-administration.xml:85(para)
"There are many directives in the <application>sshd</application> "
"configuration file controlling such things as communication settings and "
"authentication modes. The following are examples of configuration directives "
"that can be changed by editing the <filename>/etc/ssh/sshd_config</filename> "
#: serverguide/C/remote-administration.xml:92(para)
"Prior to editing the configuration file, you should make a copy of the "
"original file and protect it from writing so you will have the original "
"settings as a reference and to reuse as necessary."
#: serverguide/C/remote-administration.xml:96(para)
"Copy the <filename>/etc/ssh/sshd_config</filename> file and protect it from "
"writing with the following commands, issued at a terminal prompt:"
#: serverguide/C/remote-administration.xml:101(command)
msgid "sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.original"
#: serverguide/C/remote-administration.xml:102(command)
msgid "sudo chmod a-w /etc/ssh/sshd_config.original"
#: serverguide/C/remote-administration.xml:104(para)
"The following are examples of configuration directives you may change:"
#: serverguide/C/remote-administration.xml:109(para)
"To set your OpenSSH to listen on TCP port 2222 instead of the default TCP "
"port 22, change the Port directive as such:"
#: serverguide/C/remote-administration.xml:113(para)
#: serverguide/C/remote-administration.xml:118(para)
"To have <application>sshd</application> allow public key-based login "
"credentials, simply add or modify the line:"
#: serverguide/C/remote-administration.xml:122(para)
msgid "PubkeyAuthentication yes"
#: serverguide/C/remote-administration.xml:125(para)
"In the <filename>/etc/ssh/sshd_config</filename> file, or if already "
"present, ensure the line is not commented out."
#: serverguide/C/remote-administration.xml:131(para)
"To make your OpenSSH server display the contents of the "
"<filename>/etc/issue.net</filename> file as a pre-login banner, simply add "
"or modify the line:"
#: serverguide/C/remote-administration.xml:136(para)
msgid "Banner /etc/issue.net"
#: serverguide/C/remote-administration.xml:139(para)
msgid "In the <filename>/etc/ssh/sshd_config</filename> file."
#: serverguide/C/remote-administration.xml:144(para)
"After making changes to the <filename>/etc/ssh/sshd_config</filename> file, "
"save the file, and restart the <application>sshd</application> server "
"application to effect the changes using the following command at a terminal "
#: serverguide/C/remote-administration.xml:153(para)
"Many other configuration directives for <application>sshd</application> are "
"available for changing the server application's behavior to fit your needs. "
"Be advised, however, if your only method of access to a server is "
"<application>ssh</application>, and you make a mistake in configuring "
"<application>sshd</application> via the "
"<filename>/etc/ssh/sshd_config</filename> file, you may find you are locked "
"out of the server upon restarting it, or that the "
"<application>sshd</application> server refuses to start due to an incorrect "
"configuration directive, so be extra careful when editing this file on a "
#: serverguide/C/remote-administration.xml:168(title)
#: serverguide/C/remote-administration.xml:169(para)
"SSH <emphasis>keys</emphasis> allow authentication between two hosts without "
"the need of a password. SSH key authentication uses two keys a "
"<emphasis>private</emphasis> key and a <emphasis>public</emphasis> key."
#: serverguide/C/remote-administration.xml:173(para)
msgid "To generate the keys, from a terminal prompt enter:"
#: serverguide/C/remote-administration.xml:177(command)
msgid "ssh-keygen -t dsa"
#: serverguide/C/remote-administration.xml:179(para)
"This will generate the keys using a <emphasis>DSA</emphasis> authentication "
"identity of the user. During the process you will be prompted for a "
"password. Simply hit <emphasis>Enter</emphasis> when prompted to create the "
#: serverguide/C/remote-administration.xml:183(para)
"By default the <emphasis>public</emphasis> key is saved in the file "
"<filename>~/.ssh/id_dsa.pub</filename>, while "
"<filename>~/.ssh/id_dsa</filename> is the <emphasis>private</emphasis> key. "
"Now copy the <filename>id_dsa.pub</filename> file to the remote host and "
"append it to <filename>~/.ssh/authorized_keys</filename> by entering:"
#: serverguide/C/remote-administration.xml:189(command)
msgid "ssh-copy-id username@remotehost"
#: serverguide/C/remote-administration.xml:191(para)
"Finally, double check the permissions on the "
"<filename>authorized_keys</filename> file, only the authenticated user "
"should have read and write permissions. If the permissions are not correct "
#: serverguide/C/remote-administration.xml:196(command)
msgid "chmod 644 .ssh/authorized_keys"
#: serverguide/C/remote-administration.xml:198(para)
"You should now be able to SSH to the host without being prompted for a "
#: serverguide/C/remote-administration.xml:205(ulink)
msgid "OpenSSH Website"
#: serverguide/C/remote-administration.xml:208(ulink)
msgid "Advanced OpenSSH Wiki Page"
#: serverguide/C/remote-administration.xml:213(title)
#: serverguide/C/remote-administration.xml:214(para)
"<application>eBox</application> is a web framework used to manage server "
"application configuration. The modular design of eBox allows you to pick and "
"choose which services you want to configure using eBox."
#: serverguide/C/remote-administration.xml:221(para)
"The different <application>eBox</application> modules are split into "
"different packages, allowing you to only install those necessary. One way to "
"view the available packages is to enter the following from a terminal:"
#: serverguide/C/remote-administration.xml:227(command)
msgid "apt-cache rdepends ebox | uniq"
#: serverguide/C/remote-administration.xml:229(para)
"To install the <application>ebox</application> package, which contains the "
"default modules, enter the following:"
#: serverguide/C/remote-administration.xml:234(command)
msgid "sudo apt-get install ebox"
#: serverguide/C/remote-administration.xml:237(para)
"During the installation you will be asked to supply a password for the ebox "
"user. After installing eBox the web interface can be accessed from: "
"<emphasis>https://yourserver/ebox</emphasis>."
#: serverguide/C/remote-administration.xml:246(para)
"An important thing to remember when using <application>eBox</application> is "
"that when configuring most modules there is a <emphasis>Change</emphasis> "
"button that implements the new configuration. After clicking the Change "
"button most, but not all, modules will then need to be "
"<emphasis>Saved</emphasis>. To save the new configuration click on the "
"<quote>Save changes</quote> link in the top right hand corner."
#: serverguide/C/remote-administration.xml:254(para)
"Once you make a change that requires a Save, the link will change from green "
#: serverguide/C/remote-administration.xml:260(title)
msgid "eBox Modules"
#: serverguide/C/remote-administration.xml:261(para)
"By default all eBox <emphasis>Modules</emphasis> are not enabled, and when a "
"new module is installed it will not be automatically enabled."
#: serverguide/C/remote-administration.xml:265(para)
"To enable a disabled module click on the <emphasis>Module status</emphasis> "
"link in the left hand menu. Then <emphasis role=\"italic\">check</emphasis> "
"which modules you would like to enable and click the <quote>Save</quote> "
#: serverguide/C/remote-administration.xml:271(title)
msgid "Default Modules"
#: serverguide/C/remote-administration.xml:272(para)
"This section provides a quick summary of the default "
"<application>eBox</application> modules."
#: serverguide/C/remote-administration.xml:278(para)
"<emphasis>System:</emphasis> contains options allowing configuration of "
"general eBox items."
#: serverguide/C/remote-administration.xml:284(para)
"<emphasis>General:</emphasis> allows you to set the language, port number, "
"and contains a change password form."
#: serverguide/C/remote-administration.xml:290(para)
"<emphasis>Disk Usage:</emphasis> displays a graph detailing information "
#: serverguide/C/remote-administration.xml:296(para)
"<emphasis>Backup:</emphasis> is used to backup "
"<application>eBox</application> configuration information, and the "
"<emphasis>Full Backup</emphasis> option allows you to save all eBox "
"information not included in the <emphasis>Configuration</emphasis> option "
"such as log files."
#: serverguide/C/remote-administration.xml:304(para)
"<emphasis>Halt/Reboot:</emphasis> will shutdown the system or reboot it."
#: serverguide/C/remote-administration.xml:309(para)
"<emphasis>Bug Report:</emphasis> creates a file containing details helpful "
"when reporting bugs to the eBox developers."
#: serverguide/C/remote-administration.xml:317(para)
"<emphasis>Logs:</emphasis> allows <application>eBox</application> logs to be "
"queried depending on the purge time configured."
#: serverguide/C/remote-administration.xml:323(para)
"<emphasis>Events:</emphasis> this module has the ability to send alerts "
"through rss, jabber, and log file."
#: serverguide/C/remote-administration.xml:330(emphasis)
msgid "Available Events:"
#: serverguide/C/remote-administration.xml:334(para)
"<emphasis>Free Storage Space:</emphasis> will send alert if free disk space "
"drops below a configured percentage, 10% by default."
#: serverguide/C/remote-administration.xml:340(para)
"<emphasis>Log Observer:</emphasis> unfortunately this event does not work "
"with the <application>eBox</application> version shipped with Ubuntu 7.10."
#: serverguide/C/remote-administration.xml:346(para)
"<emphasis>RAID:</emphasis> will monitor the RAID system and send alerts if "
#: serverguide/C/remote-administration.xml:352(para)
"<emphasis>Service:</emphasis> sends alerts if a service restarts multiple "
"times in a short time period."
#: serverguide/C/remote-administration.xml:358(para)
"<emphasis>State:</emphasis> alerts on the state of "
"<application>eBox</application>, either up or down."
#: serverguide/C/remote-administration.xml:367(emphasis)
msgid "Dispatchers:"
#: serverguide/C/remote-administration.xml:371(para)
"<emphasis>Log:</emphasis> this dispatcher will send event messages to the "
"<application>eBox</application> log file "
"<filename>/var/log/ebox/ebox.log</filename>."
#: serverguide/C/remote-administration.xml:378(para)
"<emphasis>Jabber:</emphasis> before enabling this dispatcher you must first "
"configure it by clicking on the <quote>Configure</quote> icon."
#: serverguide/C/remote-administration.xml:384(para)
"<emphasis>RSS:</emphasis> once this dispatcher is configured you can "
"subscribe to the link in order to view event alerts."
#: serverguide/C/remote-administration.xml:397(title)
msgid "Additional Modules"
#: serverguide/C/remote-administration.xml:398(para)
"Here is a quick description of other available "
"<application>eBox</application> modules:"
#: serverguide/C/remote-administration.xml:403(para)
"<emphasis>Network:</emphasis> allows configuration of the server's network "
"options through eBox."
#: serverguide/C/remote-administration.xml:409(para)
"<emphasis>Firewall:</emphasis> configures firewall options for the eBox host."
#: serverguide/C/remote-administration.xml:414(para)
"<emphasis>UsersandGroups:</emphasis> this module will manage users and "
"groups contained in an <application>OpenLDAP</application> LDAP directory."
#: serverguide/C/remote-administration.xml:420(para)
"<emphasis>DHCP:</emphasis> provides an interface for configuring a DHCP "
#: serverguide/C/remote-administration.xml:425(para)
"<emphasis>DNS:</emphasis> provides <application>BIND9</application> DNS "
"server configuration options."
#: serverguide/C/remote-administration.xml:431(para)
"<emphasis>Objects:</emphasis> allow configuration of eBox <emphasis>Network "
"Objects</emphasis>, which allow you to assign a name to an IP address or "
#: serverguide/C/remote-administration.xml:438(para)
"<emphasis>Services:</emphasis> displays configuration information for "
"services that are available to the network."
#: serverguide/C/remote-administration.xml:444(para)
"<emphasis>Squid:</emphasis> configuration options for the "
"<application>Squid</application> proxy server."
#: serverguide/C/remote-administration.xml:450(para)
"<emphasis>CA:</emphasis> configures a Certificate Authority for the server."
#: serverguide/C/remote-administration.xml:455(para)
msgid "<emphasis>NTP:</emphasis> set Network Time Protocol options."
#: serverguide/C/remote-administration.xml:460(para)
msgid "<emphasis>Printers:</emphasis> allows the configuration of printers."
#: serverguide/C/remote-administration.xml:465(para)
msgid "<emphasis>Samba:</emphasis> configuration options for Samba."
#: serverguide/C/remote-administration.xml:470(para)
"<emphasis>OpenVPN:</emphasis> setup options for OpenVPN Virtual Private "
"Network application."
#: serverguide/C/remote-administration.xml:481(para)
"For more information see the <ulink url=\"http://ebox-platform.com/\">eBox "
"Home Page</ulink>."
#: serverguide/C/package-management.xml:13(title)
msgid "Package Management"
msgstr "Paketų Tvarkymas"
#: serverguide/C/package-management.xml:14(para)
"Ubuntu features a comprehensive package management system for the "
"installation, upgrade, configuration, and removal of software. In addition "
"to providing access to an organized base of over 24,000 software packages "
"for your Ubuntu computer, the package management facilities also feature "
"dependency resolution capabilities and software update checking."
#: serverguide/C/package-management.xml:16(para)
"Several tools are available for interacting with Ubuntu's package management "
"system, from simple command-line utilities which may be easily automated by "
"system administrators, to a simple graphical interface which is easy to use "
"by those new to Ubuntu."
#: serverguide/C/package-management.xml:21(para)
"Ubuntu's package management system is derived from the same system used by "
"the Debian GNU/Linux distribution. The package files contain all of the "
"necessary files, meta-data, and instructions to implement a particular "
"functionality or software application on your Ubuntu computer."
#: serverguide/C/package-management.xml:24(para)
"Debian package files typically have the extension '.deb', and typically "
"exist in <emphasis role=\"italics\">repositories</emphasis> which are "
"collections of packages found on various media, such as CD-ROM discs, or "
"online. Packages are normally of the pre-compiled binary format; thus "
"installation is quick and requires no compiling of software."
#: serverguide/C/package-management.xml:27(para)
"Many complex packages use the concept of <emphasis "
"role=\"italics\">dependencies</emphasis>. Dependencies are additional "
"packages required by the principal package in order to function properly. "
"For example, the speech synthesis package "
"<application>Festival</application> depends upon the package "
"<application>libasound2</application>, which is a package supplying the "
"<application>ALSA</application> sound library needed for audio playback. In "
"order for <application>Festival</application> to function, it and all of its "
"dependencies must be installed. The software management tools in Ubuntu will "
"do this automatically."
#: serverguide/C/package-management.xml:32(title)
#: serverguide/C/package-management.xml:34(para)
"<application>dpkg</application> is a package manager for "
"<emphasis>Debian</emphasis> based systems. It can install, remove, and build "
"packages, but unlike other package management system's it can not "
"automatically download and install packages and their dependencies. This "
"section covers using <application>dpkg</application> to manage locally "
"installed packages:"
#: serverguide/C/package-management.xml:43(para)
"To list all packages installed on the system, from a terminal prompt enter:"
#: serverguide/C/package-management.xml:48(command)
#: serverguide/C/package-management.xml:54(para)
"Depending on the amount of packages on your system, this can generate a "
"large amount of output. Pipe the output through "
"<application>grep</application> to see if a specific package is installed:"
#: serverguide/C/package-management.xml:60(command)
msgid "dpkg -l | grep apache2"
#: serverguide/C/package-management.xml:63(para)
"Replace <emphasis>apache2</emphasis> with any package name, part of a "
"package name, or other regular expression."
#: serverguide/C/package-management.xml:70(para)
"To list the files installed by a package, in this case the "
"<application>ufw</application> package, enter:"
#: serverguide/C/package-management.xml:75(command)
#: serverguide/C/package-management.xml:81(para)
"If you are not sure which package installed a file, <application>dpkg -"
"S</application> may be able to tell you. For example:"
#: serverguide/C/package-management.xml:87(command)
msgid "dpkg -S /etc/host.conf"
#: serverguide/C/package-management.xml:88(computeroutput)
msgid "base-files: /etc/host.conf"
#: serverguide/C/package-management.xml:91(para)
"The output shows that the <filename>/etc/host.conf</filename> belongs to the "
"<application>base-files</application> package."
#: serverguide/C/package-management.xml:96(para)
"Many files are automatically generated during the package install process, "
"and even though they are on the filesystem <command>dpkg -S</command> may "
"not know which package they belong to."
#: serverguide/C/package-management.xml:105(para)
msgid "You can install a local <emphasis>.deb</emphasis> file by entering:"
#: serverguide/C/package-management.xml:110(command)
msgid "sudo dpkg -i zip_2.32-1_i386.deb"
#: serverguide/C/package-management.xml:113(para)
"Change <filename>zip_2.32-1_i386.deb</filename> to the actual file name of "
"the local .deb file."
#: serverguide/C/package-management.xml:120(para)
msgid "Uninstalling a package can be accomplished by:"
#: serverguide/C/package-management.xml:125(command)
msgid "sudo dpkg -r zip"
#: serverguide/C/package-management.xml:129(para)
"Uninstalling packages using <application>dpkg</application>, in most cases, "
"is <emphasis>NOT</emphasis> recommended. It is better to use a package "
"manager that handles dependencies, to ensure that the system is in a "
"consistent state. For example using <command>dpkg -r</command> you can "
"remove the <application>zip</application> package, but any packages that "
"depend on it will still be installed and may no longer function correctly."
#: serverguide/C/package-management.xml:140(para)
"For more <application>dpkg</application> options see the man page: "
"<command>man dpkg</command>."
#: serverguide/C/package-management.xml:146(title)
#: serverguide/C/package-management.xml:147(para)
"The <application>apt-get</application> command is a powerful command-line "
"tool used to work with Ubuntu's <emphasis>Advanced Packaging Tool</emphasis> "
"(APT) performing such functions as installation of new software packages, "
"upgrade of existing software packages, updating of the package list index, "
"and even upgrading the entire Ubuntu system."
#: serverguide/C/package-management.xml:150(para)
"Being a simple command-line tool, <application>apt-get</application> has "
"numerous advantages over other package management tools available in Ubuntu "
"for server administrators. Some of these advantages include ease of use over "
"simple terminal connections (SSH) and the ability to be used in system "
"administration scripts, which can in turn be automated by the "
"<application>cron</application> scheduling utility."
#: serverguide/C/package-management.xml:157(para)
"<emphasis role=\"bold\">Install a Package</emphasis>: Installation of "
"packages using the <application>apt-get</application> tool is quite simple. "
"For example, to install the network scanner <emphasis "
"role=\"italics\">nmap</emphasis>, type the following: <screen>\n"
"<command>sudo apt-get install nmap</command>\n"
#: serverguide/C/package-management.xml:165(para)
"<emphasis role=\"bold\">Remove a Package</emphasis>: Removal of a package or "
"packages is also a straightforward and simple process. To remove the nmap "
"package installed in the previous example, type the following: <screen>\n"
"<command>sudo apt-get remove nmap</command>\n"
#: serverguide/C/package-management.xml:172(para)
"<emphasis role=\"bold\">Multiple Packages</emphasis>: You may specify "
"multiple packages to be installed or removed, separated by spaces."
#: serverguide/C/package-management.xml:175(para)
"Also, adding the <emphasis>--purge</emphasis> options to <command>apt-get "
"remove</command> will remove the package configuration files as well. This "
"may or may not be the desired effect so use with caution."
#: serverguide/C/package-management.xml:181(para)
"<emphasis role=\"bold\">Update the Package Index</emphasis>: The APT package "
"index is essentially a database of available packages from the repositories "
"defined in the <filename>/etc/apt/sources.list</filename> file. To update "
"the local package index with the latest changes made in repositories, type "
"the following: <screen>\n"
"<command>sudo apt-get update</command>\n"
#: serverguide/C/package-management.xml:189(para)
"<emphasis role=\"bold\">Upgrade Packages</emphasis>: Over time, updated "
"versions of packages currently installed on your computer may become "
"available from the package repositories (for example security updates). To "
"upgrade your system, first update your package index as outlined above, and "
"then type: <screen>\n"
"<command>sudo apt-get upgrade</command>\n"
#: serverguide/C/package-management.xml:195(para)
"For information on upgrading to a new Ubuntu release see <xref "
"linkend=\"installing-upgrading\"/>."
#: serverguide/C/package-management.xml:153(para)
"Some examples of popular uses for the <application>apt-get</application> "
"utility: <placeholder-1/>"
#: serverguide/C/package-management.xml:201(para)
"Actions of the <application>apt-get</application> command, such as "
"installation and removal of packages, are logged in the /var/log/dpkg.log "
#: serverguide/C/package-management.xml:204(para)
"For further information about the use of <application>APT</application>, "
"read the comprehensive <ulink url=\"http://www.debian.org/doc/user-"
"manuals#apt-howto\">Debian APT User Manual</ulink> or type: <screen>apt-get "
#: serverguide/C/package-management.xml:208(title)
#: serverguide/C/package-management.xml:209(para)
"<application>Aptitude</application> is a menu-driven, text-based front-end "
"to the <emphasis>Advanced Packaging Tool</emphasis> (APT) system. Many of "
"the common package management functions, such as installation, removal, and "
"upgrade, are performed in <application>Aptitude</application> with single-"
"key commands, which are typically lowercase letters."
#: serverguide/C/package-management.xml:212(para)
"<application>Aptitude</application> is best suited for use in a non-"
"graphical terminal environment to ensure proper functioning of the command "
"keys. You may start <application>Aptitude</application> as a normal user "
"with the following command at a terminal prompt: <screen>\n"
"<command>sudo aptitude</command>\n"
#: serverguide/C/package-management.xml:219(para)
"When <application>Aptitude</application> starts, you will see a menu bar at "
"the top of the screen and two panes below the menu bar. The top pane "
"contains package categories, such as <emphasis role=\"italics\">New "
"Packages</emphasis> and <emphasis role=\"italics\">Not Installed "
"Packages</emphasis>. The bottom pane contains information related to the "
"packages and package categories."
#: serverguide/C/package-management.xml:222(para)
"Using <application>Aptitude</application> for package management is "
"relatively straightforward, and the user interface makes common tasks simple "
"to perform. The following are examples of common package management "
"functions as performed in <application>Aptitude</application>:"
#: serverguide/C/package-management.xml:226(para)
"<emphasis role=\"bold\">Install Packages</emphasis>: To install a package, "
"locate the package via the Not Installed Packages package category, for "
"example, by using the keyboard arrow keys and the <keycap>ENTER</keycap> "
"key, and highlight the package you wish to install. After highlighting the "
"package you wish to install, press the <keycap>+</keycap> key, and the "
"package entry should turn <emphasis role=\"italics\">green</emphasis>, "
"indicating it has been marked for installation. Now press <keycap>g</keycap> "
"to be presented with a summary of package actions. Press <keycap>g</keycap> "
"again, and you will be prompted to become root to complete the installation. "
"Press <keycap>ENTER</keycap> which will result in a Password: prompt. Enter "
"your user password to become root. Finally, press <keycap>g</keycap> once "
"more and you'll be prompted to download the package. Press "
"<keycap>ENTER</keycap> on the <emphasis role=\"italics\">Continue</emphasis> "
"prompt, and downloading and installation of the package will commence."
#: serverguide/C/package-management.xml:230(para)
"<emphasis role=\"bold\">Remove Packages</emphasis>: To remove a package, "
"locate the package via the Installed Packages package category, for example, "
"by using the keyboard arrow keys and the <keycap>ENTER</keycap> key, and "
"highlight the package you wish to remove. After highlighting the package you "
"wish to install, press the <keycap>-</keycap> key, and the package entry "
"should turn <emphasis role=\"italics\">pink</emphasis>, indicating it has "
"been marked for removal. Now press <keycap>g</keycap> to be presented with a "
"summary of package actions. Press <keycap>g</keycap> again, and you will be "
"prompted to become root to complete the installation. Press "
"<keycap>ENTER</keycap> which will result in a Password: prompt. Enter your "
"user password to become root. Finally, press <keycap>g</keycap> once more, "
"and you'll be prompted to download the package. Press <keycap>ENTER</keycap> "
"on the <emphasis role=\"italics\">Continue</emphasis> prompt, and removal of "
"the package will commence."
#: serverguide/C/package-management.xml:234(para)
"<emphasis role=\"bold\">Update Package Index</emphasis>: To update the "
"package index, simply press the <keycap>u</keycap> key and you will be "
"prompted to become root to complete the update. Press <keycap>ENTER</keycap> "
"which will result in a Password: prompt. Enter your user password to become "
"root. Updating of the package index will commence. Press "
"<keycap>ENTER</keycap> on the OK prompt when the download dialog is "
"presented to complete the process."
#: serverguide/C/package-management.xml:238(para)
"<emphasis role=\"bold\">Upgrade Packages</emphasis>: To upgrade packages, "
"perform the update of the package index as detailed above, and then press "
"the <keycap>U</keycap> key to mark all packages with updates. Now press "
"<keycap>g</keycap> whereby you'll be presented with a summary of package "
"actions. Press <keycap>g</keycap> again, and you will be prompted to become "
"root to complete the installation. Press <keycap>ENTER</keycap> which will "
"result in a Password: prompt. Enter your user password to become root. "
"Finally, press <keycap>g</keycap> once more, and you'll be prompted to "
"download the packages. Press <keycap>ENTER</keycap> on the <emphasis "
"role=\"italics\">Continue</emphasis> prompt, and upgrade of the packages "
#: serverguide/C/package-management.xml:245(para)
msgid "<emphasis role=\"bold\">i</emphasis>: Installed package"
#: serverguide/C/package-management.xml:250(para)
"<emphasis role=\"bold\">c</emphasis>: Package not installed, but package "
"configuration remains on system"
#: serverguide/C/package-management.xml:254(para)
msgid "<emphasis role=\"bold\">p</emphasis>: Purged from system"
#: serverguide/C/package-management.xml:258(para)
msgid "<emphasis role=\"bold\">v</emphasis>: Virtual package"
#: serverguide/C/package-management.xml:262(para)
msgid "<emphasis role=\"bold\">B</emphasis>: Broken package"
#: serverguide/C/package-management.xml:266(para)
"<emphasis role=\"bold\">u</emphasis>: Unpacked files, but package not yet "
#: serverguide/C/package-management.xml:270(para)
"<emphasis role=\"bold\">C</emphasis>: Half-configured - Configuration failed "
#: serverguide/C/package-management.xml:274(para)
"<emphasis role=\"bold\">H</emphasis>: Half-installed - Removal failed and "
#: serverguide/C/package-management.xml:242(para)
"The first column of information displayed in the package list in the top "
"pane, when actually viewing packages lists the current state of the package, "
"and uses the following key to describe the state of the package: "
#: serverguide/C/package-management.xml:280(para)
"To exit Aptitude, simply press the <keycap>q</keycap> key and confirm you "
"wish to exit. Many other functions are available from the Aptitude menu by "
"pressing the <keycap>F10</keycap> key."
#: serverguide/C/package-management.xml:285(title)
msgid "Automatic Updates"
#: serverguide/C/package-management.xml:287(para)
"The <application>unattended-upgrades</application> package can be used to "
"automatically install updated packages, and can be configured to update all "
"packages or just install security updates. First, install the package by "
"entering the following in a terminal:"
#: serverguide/C/package-management.xml:293(command)
msgid "sudo apt-get install unattended-upgrades"
#: serverguide/C/package-management.xml:296(para)
"To configure <application>unattended-upgrades</application>, edit "
"<filename>/etc/apt/apt.conf.d/50unattended-upgrades</filename> and adjust "
"the following to fit your needs:"
#: serverguide/C/package-management.xml:301(programlisting)
"Unattended-Upgrade::Allowed-Origins {\n"
" \"Ubuntu jaunty-security\";\n"
"// \"Ubuntu jaunty-updates\";\n"
#: serverguide/C/package-management.xml:308(para)
"Certain packages can also be <emphasis>blacklisted</emphasis> and therefore "
"will not be automatically updated. To blacklist a package, add it to the "
#: serverguide/C/package-management.xml:313(programlisting)
"Unattended-Upgrade::Package-Blacklist {\n"
"// \"libc6-dev\";\n"
"// \"libc6-i686\";\n"
#: serverguide/C/package-management.xml:323(para)
"The double <emphasis><quote>//</quote></emphasis> serve as comments, so "
"whatever follows \"//\" will not be evaluated."
#: serverguide/C/package-management.xml:328(para)
"The results of <application>unattended-upgrades</application> will be logged "
"to <filename>/var/log/unattended-upgrades</filename>."
#: serverguide/C/package-management.xml:333(title)
msgid "Notifications"
#: serverguide/C/package-management.xml:335(para)
"Configuring <emphasis>Unattended-Upgrade::Mail</emphasis> in "
"<filename>/etc/apt/apt.conf.d/50unattended-upgrades</filename> will enable "
"<application>unattended-upgrades</application> to email an administrator "
"detailing any packages that need upgrading or have problems."
#: serverguide/C/package-management.xml:340(para)
"Another useful package is <application>apticron</application>. "
"<application>apticron</application> will configure a "
"<application>cron</application> job to email an administrator information "
"about any packages on the system that need updated as well as a summary of "
"changes in each package."
#: serverguide/C/package-management.xml:346(para)
"To install the <application>apticron</application> package, in a terminal "
#: serverguide/C/package-management.xml:351(command)
msgid "sudo apt-get install apticron"
#: serverguide/C/package-management.xml:354(para)
"Once the package is installed edit "
"<filename>/etc/apticron/apticron.conf</filename>, to set the email address "
"and other options:"
#: serverguide/C/package-management.xml:358(programlisting)
"EMAIL=\"root@example.com\"\n"
#: serverguide/C/package-management.xml:367(para)
"Configuration of the <emphasis>Advanced Packaging Tool</emphasis> (APT) "
"system repositories is stored in the /etc/apt/sources.list configuration "
"file. An example of this file is referenced here, along with information on "
"adding or removing repository references from the file."
#: serverguide/C/package-management.xml:373(para)
"<ulink url=\"../sample/sources.list\">Here</ulink> is a simple example of a "
"typical <filename>/etc/apt/sources.list</filename> file."
#: serverguide/C/package-management.xml:377(para)
"You may edit the file to enable repositories or disable them. For example, "
"to disable the requirement of inserting the Ubuntu CD-ROM whenever package "
"operations occur, simply comment out the appropriate line for the CD-ROM, "
"which appears at the top of the file:"
#: serverguide/C/package-management.xml:382(screen)
"# no more prompting for CD-ROM please\n"
"# deb cdrom:[Ubuntu 9.04_Jaunty_Jackalope - Release i386 (20070419.1)]/ "
"jaunty main restricted\n"
#: serverguide/C/package-management.xml:388(title)
msgid "Extra Repositories"
#: serverguide/C/package-management.xml:389(para)
"In addition to the officially supported package repositories available for "
"Ubuntu, there exist additional community-maintained repositories which add "
"thousands more potential packages for installation. Two of the most popular "
"are the <emphasis>Universe</emphasis> and <emphasis>Multiverse</emphasis> "
"repositories. These repositories are not officially supported by Ubuntu, but "
"because they are maintained by the community they generally provide packages "
"which are safe for use with your Ubuntu computer."
#: serverguide/C/package-management.xml:392(para)
"Packages in the <emphasis>Multiverse</emphasis> repository often have "
"licensing issues that prevent them from being distributed with a free "
"operating system, and they may be illegal in your locality."
#: serverguide/C/package-management.xml:394(para)
"Be advised that neither the <emphasis>Universe</emphasis> or "
"<emphasis>Multiverse</emphasis> repositories contain officially supported "
"packages. In particular, there may not be security updates for these "
#: serverguide/C/package-management.xml:398(para)
"Many other package sources are available, sometimes even offering only one "
"package, as in the case of package sources provided by the developer of a "
"single application. You should always be very careful and cautious when "
"using non-standard package sources, however. Research the source and "
"packages carefully before performing any installation, as some package "
"sources and their packages could render your system unstable or non-"
"functional in some respects."
#: serverguide/C/package-management.xml:401(para)
"By default, the <emphasis>Universe</emphasis> and "
"<emphasis>Multiverse</emphasis> repositories are enabled but if you would "
"like to disable them edit <filename>/etc/apt/sources.list</filename> and "
"comment the following lines:"
#: serverguide/C/package-management.xml:408(programlisting)
"deb http://archive.ubuntu.com/ubuntu jaunty universe multiverse\n"
"deb-src http://archive.ubuntu.com/ubuntu jaunty universe multiverse\n"
"deb http://us.archive.ubuntu.com/ubuntu/ jaunty universe\n"
"deb-src http://us.archive.ubuntu.com/ubuntu/ jaunty universe\n"
"deb http://us.archive.ubuntu.com/ubuntu/ jaunty-updates universe\n"
"deb-src http://us.archive.ubuntu.com/ubuntu/ jaunty-updates universe\n"
"deb http://us.archive.ubuntu.com/ubuntu/ jaunty multiverse\n"
"deb-src http://us.archive.ubuntu.com/ubuntu/ jaunty multiverse\n"
"deb http://us.archive.ubuntu.com/ubuntu/ jaunty-updates multiverse\n"
"deb-src http://us.archive.ubuntu.com/ubuntu/ jaunty-updates multiverse\n"
"deb http://security.ubuntu.com/ubuntu jaunty-security universe\n"
"deb-src http://security.ubuntu.com/ubuntu jaunty-security universe\n"
"deb http://security.ubuntu.com/ubuntu jaunty-security multiverse\n"
"deb-src http://security.ubuntu.com/ubuntu jaunty-security multiverse\n"
#: serverguide/C/package-management.xml:434(para)
"Most of the material covered in this chapter is available in "
"<application>man</application> pages, many of which are available online."
#: serverguide/C/package-management.xml:441(para)
"For more <application>dpkg</application> details see the <ulink "
"url=\"http://manpages.ubuntu.com/manpages/jaunty/en/man1/dpkg.1.html\">dpkg "
#: serverguide/C/package-management.xml:447(para)
"The <ulink url=\"http://www.debian.org/doc/manuals/apt-howto/\">APT "
"HOWTO</ulink> and <ulink "
"url=\"http://manpages.ubuntu.com/manpages/jaunty/en/man8/apt-"
"get.8.html\">apt-get man page</ulink> contain useful information regarding "
"<application>apt-get</application> usage."
#: serverguide/C/package-management.xml:454(para)
"url=\"http://manpages.ubuntu.com/manpages/jaunty/man8/aptitude.8.html\">aptit"
"ude man page</ulink> for more <application>aptitude</application> options."
#: serverguide/C/package-management.xml:460(para)
"url=\"https://help.ubuntu.com/community/Repositories/Ubuntu\">Adding "
"Repositories HOWTO (Ubuntu Wiki)</ulink> page contains more details on "
"adding repositories."
#: serverguide/C/other-apps.xml:13(title)
msgid "Other Useful Applications"
#: serverguide/C/other-apps.xml:15(para)
"There are many very useful applications developed by the Ubuntu Server Team, "
"and others that are well integrated with Ubuntu Server Edition, that might "
"not be well known. This chapter will showcase some useful applications that "
"can make administering an Ubuntu server, or many Ubuntu servers, that much "
#: serverguide/C/other-apps.xml:23(title)
#: serverguide/C/other-apps.xml:25(para)
"When logging into an Ubuntu server you may have noticed the informative "
"Message Of The Day (MOTD). This information is obtained and displayed using "
"a couple of packages:"
#: serverguide/C/other-apps.xml:32(para)
"<emphasis>landscape-common:</emphasis> provides the core libraries of "
"<application>landscape-client</application>, which can be used to manage "
"systems using the web based <emphasis>Landscape</emphasis> application. The "
"package includes the <application>/usr/bin/landscape-sysinfo</application> "
"utility which is used to gather the information displayed in the MOTD."
#: serverguide/C/other-apps.xml:40(para)
"<emphasis>update-motd:</emphasis> is used to automatically update the MOTD "
"via <application>cron</application>."
#: serverguide/C/other-apps.xml:46(para)
"The <application>update-motd</application> utility has several options to "
"further customize the MOTD:"
#: serverguide/C/other-apps.xml:52(para)
"<emphasis>--disable:</emphasis> prevents automatic updates of the MOTD. "
"Using this option creates the <filename>/var/lib/update-"
"motd/disabled</filename> file, which if present stops <application>update-"
"motd</application> from modifying <filename>/etc/motd</filename>."
#: serverguide/C/other-apps.xml:59(para)
"<emphasis>--enable:</emphasis> enables the automatic MOTD updates. If "
"<filename>/var/lib/update-motd</filename> is present it will be removed."
#: serverguide/C/other-apps.xml:65(para)
"<emphasis>--force:</emphasis> does a one time update of "
"<filename>/etc/motd</filename>, overriding <application>update-"
"motd</application> if it has been disabled."
#: serverguide/C/other-apps.xml:71(para)
"<emphasis>d, hourly, weekly, monthly:</emphasis> option will run the scripts "
"in <filename>/etc/update-motd.d/</filename> (default), <filename>/etc/update-"
"motd.d/hourly</filename>, <filename>/etc/update-motd.d/weekly</filename>, or "
"<filename>/etc/update-motd.d/monthly</filename> respectively."
#: serverguide/C/other-apps.xml:79(para)
"<application>update-motd</application> executes the scripts in "
"<filename>/etc/update-motd.d</filename> in order based on the number "
"prepended to the script. Separate <application>cron</application> scripts "
"execute every ten minutes, hourly, weekly, and monthly running the "
"corresponding scripts in <filename>/etc/update-motd.d</filename>. The output "
"of the scripts is written to <filename>/var/run/update-motd/</filename>, "
"keeping the numerical order, then concatenated with "
"<filename>/etc/motd.tail</filename> and written to "
"<filename>/etc/motd</filename>."
#: serverguide/C/other-apps.xml:87(para)
"You can add your own dynamic information to the MOTD. For example, to add "
"local weather information:"
#: serverguide/C/other-apps.xml:93(para)
msgid "First, install the <application>weather-util</application> package:"
#: serverguide/C/other-apps.xml:98(command)
msgid "sudo apt-get install weather-util"
#: serverguide/C/other-apps.xml:103(para)
"The <application>weather</application> utility uses METAR data from the "
"National Oceanic and Atmospheric Administration and forecasts from the "
"National Weather Service. In order to find local information you will need "
"the 4-character ICAO location indicator. This can be determined by browsing "
"to the <ulink url=\"http://www.weather.gov/tg/siteloc.shtml\">National "
"Weather Service</ulink> site."
#: serverguide/C/other-apps.xml:110(para)
"Although the National Weather Service is a United States government agency "
"there are weather stations available world wide. However, local weather "
"information for all locations outside the U.S. may not be available."
#: serverguide/C/other-apps.xml:116(para)
"Create <filename>/usr/local/bin/local-weather</filename>, a simple shell "
"script to use <application>weather</application> with your local ICAO "
#: serverguide/C/other-apps.xml:121(programlisting)
"##########################################################################\n"
"# Prints the local weather to /var/run/update-motd/60-local-weather \n"
"# for update-motd.\n"
"##########################################################################\n"
"# Replace KINT with your local weather station.\n"
"# Local stations can be found here: http://www.weather.gov/tg/siteloc.shtml\n"
"echo \"\" > /var/run/update-motd/60-local-weather\n"
"weather -i KINT >> /var/run/update-motd/60-local-weather\n"
#: serverguide/C/other-apps.xml:139(para)
msgid "Make the script executable:"
#: serverguide/C/other-apps.xml:144(command)
msgid "sudo chmod 755 /usr/local/bin/local-weather"
#: serverguide/C/other-apps.xml:148(para)
"Next, create a symlink to <filename>/etc/update-motd.d/60-local-"
"weather</filename>:"
#: serverguide/C/other-apps.xml:153(command)
"sudo ln -s /usr/local/bin/local-weather /etc/update-motd.d/60-local-weather"
#: serverguide/C/other-apps.xml:157(para)
msgid "Finally, update the MOTD:"
#: serverguide/C/other-apps.xml:162(command)
msgid "sudo update-motd"
#: serverguide/C/other-apps.xml:167(para)
"You should now be greeted with some useful information, and some information "
"about the local weather that may not be quite so useful. Hopefully the "
"<application>local-weather</application> example demonstrates the "
"flexibility of <application>update-motd</application>."
#: serverguide/C/other-apps.xml:175(title)
#: serverguide/C/other-apps.xml:177(para)
"<application>etckeeper</application> allows the contents of <filename "
"role=\"directory\">/etc</filename> be easily stored in Version Control "
"System (VCS) repository. It hooks into <application>apt</application> to "
"automatically commit changes to <filename>/etc</filename> when packages are "
"installed or upgraded. Placing <filename>/etc</filename> under version "
"control is considered an industry best practice, and the goal of "
"<application>etckeeper</application> is to make this process as painless as "
#: serverguide/C/other-apps.xml:185(para)
"Install <application>etckeeper</application> by entering the following in a "
#: serverguide/C/other-apps.xml:190(command)
msgid "sudo apt-get install etckeeper"
#: serverguide/C/other-apps.xml:193(para)
"The main configuration file, "
"<filename>/etc/etckeeper/etckeeper.conf</filename>, is fairly simple. The "
"main options being which VCS and which package management system to use. By "
"default <application>etckeeper</application> is configured to use "
"<application>bzr</application> for version control, "
"<application>apt</application> for high level package mangement, and "
"<application>dpkg</application> for low level package management."
#: serverguide/C/other-apps.xml:200(para)
"With the package installed, it is time to initialize the repository. In a "
#: serverguide/C/other-apps.xml:205(command)
msgid "sudo etckeeper init"
#: serverguide/C/other-apps.xml:208(para)
msgid "Next, commit the files to the repository:"
#: serverguide/C/other-apps.xml:213(command)
msgid "sudo etckeeper commit \"initial import\""
#: serverguide/C/other-apps.xml:216(para)
"Using the VCS commands you can view log information about files in "
"<filename>/etc</filename>:"
#: serverguide/C/other-apps.xml:221(command)
msgid "sudo bzr log /etc/passwd"
#: serverguide/C/other-apps.xml:224(para)
"To demonstrate the integration with the package management system, install "
"<application>postfix</application>:"
#: serverguide/C/other-apps.xml:229(command) serverguide/C/mail.xml:38(command)
msgid "sudo apt-get install postfix"
#: serverguide/C/other-apps.xml:232(para)
"When the installation is finished, all the "
"<application>postfix</application> configuration files should be committed "
"to the repository:"
#: serverguide/C/other-apps.xml:238(computeroutput)
"Committing to: /etc/\n"
"added aliases.db\n"
"modified gshadow\n"
"modified gshadow-\n"
"modified passwd-\n"
"added resolvconf\n"
"modified shadow-\n"
"added init.d/postfix\n"
"added network/if-down.d/postfix\n"
"added network/if-up.d/postfix\n"
"added postfix/dynamicmaps.cf\n"
"added postfix/main.cf\n"
"added postfix/master.cf\n"
"added postfix/post-install\n"
"added postfix/postfix-files\n"
"added postfix/postfix-script\n"
"added postfix/sasl\n"
"added ppp/ip-down.d\n"
"added ppp/ip-down.d/postfix\n"
"added ppp/ip-up.d/postfix\n"
"added rc0.d/K20postfix\n"
"added rc1.d/K20postfix\n"
"added rc2.d/S20postfix\n"
"added rc3.d/S20postfix\n"
"added rc4.d/S20postfix\n"
"added rc5.d/S20postfix\n"
"added rc6.d/K20postfix\n"
"added resolvconf/update-libc.d\n"
"added resolvconf/update-libc.d/postfix\n"
"added rsyslog.d/postfix.conf\n"
"added ufw/applications.d/postfix\n"
"Committed revision 2."
#: serverguide/C/other-apps.xml:278(para)
"For an example of how <application>etckeeper</application> tracks manual "
"changes, add new a host to <filename>/etc/hosts</filename>. Using "
"<application>bzr</application> you can see which files have been modified:"
#: serverguide/C/other-apps.xml:284(command)
msgid "sudo bzr status /etc/"
#: serverguide/C/other-apps.xml:285(computeroutput)
#: serverguide/C/other-apps.xml:289(para)
msgid "Now commit the changes:"
#: serverguide/C/other-apps.xml:294(command)
msgid "sudo etckeeper commit \"new host\""
#: serverguide/C/other-apps.xml:297(para)
"For more information on <application>bzr</application> see <xref "
"linkend=\"bazaar\"/>."
#: serverguide/C/other-apps.xml:303(title)
msgid "Screen Profiles"
#: serverguide/C/other-apps.xml:305(para)
"One of the most useful applications for any system administrator is "
"<application>screen</application>. It allows the execution of multiple "
"shells in one terminal. To make some of the advanced "
"<application>screen</application> features more user friendly, and provide "
"some useful information about the system, the <application>screen-"
"profiles</application> package was created."
#: serverguide/C/other-apps.xml:312(para)
"When executing <application>screen</application> for the first time you will "
"be presented with the <application>screen-profiles-helper</application> "
"menu. This menu will allow you to:"
#: serverguide/C/other-apps.xml:318(para)
msgid "View the Help menu"
#: serverguide/C/other-apps.xml:319(para)
msgid "Change the key binding set"
#: serverguide/C/other-apps.xml:320(para)
msgid "Change screen profiles"
#: serverguide/C/other-apps.xml:321(para)
msgid "Change the escape sequence"
#: serverguide/C/other-apps.xml:322(para)
msgid "Create new screen windows"
#: serverguide/C/other-apps.xml:323(para)
msgid "Manage the default windows"
#: serverguide/C/other-apps.xml:324(para)
msgid "Install screen by default at login"
#: serverguide/C/other-apps.xml:327(para)
"The <emphasis>key bindings</emphasis> determine such things as the escape "
"sequence, new window, change window, etc. There are two key binding sets to "
"choose from <emphasis>common</emphasis> and <emphasis>none</emphasis>. If "
"you wish to use the original key bindings choose the "
"<emphasis>none</emphasis> set."
#: serverguide/C/other-apps.xml:333(para)
"The Ubuntu <application>screen-profiles</application> provide a menu which "
"displays the Ubuntu release, processor information, memory information, and "
"the time and date. The effect is similar to a desktop menu. When a profile "
"is selected it will be symlinked to <filename>~/.screenrc</filename>. The "
"<application>select-screen-profile</application> utility can also be used to "
"change profiles, in a terminal enter:"
#: serverguide/C/other-apps.xml:341(command)
msgid "select-screen-profile -s ubuntu-light"
#: serverguide/C/other-apps.xml:344(para)
"The <emphasis>plain</emphasis> profile will change "
"<application>screen</application> back to the defaults, which does not "
"include the information menu at the bottom."
#: serverguide/C/other-apps.xml:349(para)
"Using the <emphasis>\"Install screen by default at login\"</emphasis> option "
"will cause screen to be executed any time a terminal is opened. Changes made "
"to <application>screen</application> are on a per user basis, and will not "
"affect other users on the system."
#: serverguide/C/other-apps.xml:354(para)
"One difference when using screen is the <emphasis>scrollback</emphasis> "
"mode. If you are using one of the Ubuntu profiles press the "
"<emphasis>F7</emphasis>, or <emphasis>Ctrl+a+[</emphasis> if not, to enter "
"scrollback mode. Scrollback mode allows you to navigate past output using "
"<emphasis>vi</emphasis> like commands. Here is a quick list of movement "
#: serverguide/C/other-apps.xml:361(para)
msgid "<emphasis>h</emphasis> - Move the cursor left by one character"
#: serverguide/C/other-apps.xml:362(para)
msgid "<emphasis>j</emphasis> - Move the cursor down by one line"
#: serverguide/C/other-apps.xml:363(para)
msgid "<emphasis>k</emphasis> - Move the cursor up by one line"
#: serverguide/C/other-apps.xml:364(para)
msgid "<emphasis>l</emphasis> - Move the cursor right by one character"
#: serverguide/C/other-apps.xml:365(para)
msgid "<emphasis>0</emphasis> - Move to the beginning of the current line"
#: serverguide/C/other-apps.xml:366(para)
msgid "<emphasis>$</emphasis> - Move to the end of the current line"
#: serverguide/C/other-apps.xml:367(para)
"<emphasis>G</emphasis> - Moves to the specified line (defaults to the end of "
#: serverguide/C/other-apps.xml:368(para)
msgid "<emphasis>C-u</emphasis> - Scrolls a half page up"
#: serverguide/C/other-apps.xml:369(para)
msgid "<emphasis>C-b</emphasis> - Scrolls a full page up"
#: serverguide/C/other-apps.xml:370(para)
msgid "<emphasis>C-d</emphasis> - Scrolls a half page down"
#: serverguide/C/other-apps.xml:371(para)
msgid "<emphasis>C-f</emphasis> - Scrolls the full page down"
#: serverguide/C/other-apps.xml:372(para)
msgid "<emphasis>/</emphasis> - Search forward"
#: serverguide/C/other-apps.xml:373(para)
msgid "<emphasis>?</emphasis> - Search backward"
#: serverguide/C/other-apps.xml:374(para)
"<emphasis>n</emphasis> - Moves to the next match, either forward or backword"
#: serverguide/C/other-apps.xml:383(para)
"url=\"http://manpages.ubuntu.com/manpages/jaunty/en/man1/update-"
"motd.1.html\">update-motd man page</ulink> for more options available to "
"<application>update-motd</application>."
#: serverguide/C/other-apps.xml:389(para)
"The Debian Package of the Day <ulink "
"url=\"http://debaday.debian.net/2007/10/04/weather-check-weather-conditions-"
"and-forecasts-on-the-command-line/\">weather</ulink> article has more "
"details about using the <application>weather</application>utility."
#: serverguide/C/other-apps.xml:396(para)
"url=\"http://kitenet.net/~joey/code/etckeeper/\">etckeeper</ulink> site for "
"more details on using <application>etckeeper</application>."
#: serverguide/C/other-apps.xml:402(para)
"For the latest news and information about <application>bzr</application> see "
"the <ulink url=\"http://bazaar-vcs.org/\">bzr</ulink> web site."
#: serverguide/C/other-apps.xml:407(para)
"For more information on <application>screen</application> see the <ulink "
"url=\"http://www.gnu.org/software/screen/\">screen web site</ulink>."
#: serverguide/C/other-apps.xml:412(para)
"Also, see the <application>screen-profiles</application><ulink "
"url=\"https://launchpad.net/screen-profiles\">project page</ulink> for more "
#: serverguide/C/network-config.xml:13(title)
#: serverguide/C/network-config.xml:14(para)
"Networks consist of two or more devices, such as computer systems, printers, "
"and related equipment which are connected by either physical cabling or "
"wireless links for the purpose of sharing and distributing information among "
"the connected devices."
#: serverguide/C/network-config.xml:20(para)
"This section provides general and specific information pertaining to "
"networking, including an overview of network concepts and detailed "
"discussion of popular network protocols."
#: serverguide/C/network-config.xml:26(title)
msgid "Network Configuration"
#: serverguide/C/network-config.xml:27(para)
"Ubuntu ships with a number of graphical utilities to configure your network "
"devices. This document is geared toward server administrators and will focus "
"on managing your network on the command line."
#: serverguide/C/network-config.xml:33(title)
#: serverguide/C/network-config.xml:34(para)
"Most Ethernet configuration is centralized in a single file, "
"<filename>/etc/network/interfaces</filename>. If you have no Ethernet "
"devices, only the loopback interface will appear in this file, and it will "
"look something like this:"
#: serverguide/C/network-config.xml:40(programlisting)
"# This file describes the network interfaces available on your system\n"
"# and how to activate them. For more information, see interfaces(5).\n"
"# The loopback network interface\n"
"iface lo inet loopback\n"
"address 127.0.0.1\n"
"netmask 255.0.0.0\n"
#: serverguide/C/network-config.xml:50(para)
"If you have only one Ethernet device, eth0, and it gets its configuration "
"from a DHCP server, and it should come up automatically at boot, only two "
"additional lines are required:"
#: serverguide/C/network-config.xml:55(programlisting)
"iface eth0 inet dhcp\n"
#: serverguide/C/network-config.xml:59(para)
"The first line specifies that the eth0 device should come up automatically "
"when you boot. The second line means that interface (<quote>iface</quote>) "
"eth0 should have an IPv4 address space (replace <quote>inet</quote> with "
"<quote>inet6</quote> for an IPv6 device) and that it should get its "
"configuration automatically from DHCP. Assuming your network and DHCP server "
"are properly configured, this machine's network should need no further "
"configuration to operate properly. The DHCP server will provide the default "
"gateway (implemented via the <application>route</application> command), the "
"device's IP address (implemented via the <application>ifconfig</application> "
"command), and DNS servers used on the network (implemented in the "
"<filename>/etc/resolv.conf</filename> file.)"
#: serverguide/C/network-config.xml:72(para)
"To configure your Ethernet device with a static IP address and custom "
"configuration, some more information will be required. Suppose you want to "
"assign the IP address 192.168.0.2 to the device eth1, with the typical "
"netmask of 255.255.255.0. Your default gateway's IP address is 192.168.0.1. "
"You would enter something like this into "
"<filename>/etc/network/interfaces</filename>:"
#: serverguide/C/network-config.xml:79(programlisting)
"iface eth1 inet static\n"
"\taddress 192.168.0.2\n"
"\tnetmask 255.255.255.0\n"
"\tgateway 192.168.0.1\n"
#: serverguide/C/network-config.xml:85(para)
"In this case, you will need to specify your DNS servers manually in "
"<filename>/etc/resolv.conf</filename>, which should look something like this:"
#: serverguide/C/network-config.xml:89(programlisting)
"search mydomain.example\n"
"nameserver 192.168.0.1\n"
"nameserver 4.2.2.2\n"
#: serverguide/C/network-config.xml:94(para)
"The <emphasis role=\"italics\">search</emphasis> directive will append "
"mydomain.example to hostname queries in an attempt to resolve names to your "
"network. For example, if your network's domain is mydomain.example and you "
"try to ping the host <quote>mybox</quote>, the DNS query will be modified to "
"<quote>mybox.mydomain.example</quote> for resolution. The <emphasis "
"role=\"italics\">nameserver</emphasis> directives specify DNS servers to be "
"used to resolve hostnames to IP addresses. If you use your own nameserver, "
"enter it here. Otherwise, ask your Internet Service Provider for the primary "
"and secondary DNS servers to use, and enter them into "
"<filename>/etc/resolv.conf</filename> as shown above."
#: serverguide/C/network-config.xml:106(para)
"Many more configurations are possible, including dialup PPP interfaces, IPv6 "
"networking, VPN devices, etc. Refer to <application>man 5 "
"interfaces</application> for more information and supported options. "
"Remember that <filename>/etc/network/interfaces</filename> is used by the "
"<application>ifup</application>/<application>ifdown</application> scripts as "
"a higher level configuration scheme than may be used in some other Linux "
"distributions, and that the traditional, lower level utilities such as "
"<application>ifconfig</application>, <application>route</application>, and "
"<application>dhclient</application> are still available to you for ad hoc "
#: serverguide/C/network-config.xml:120(title)
msgid "Managing DNS Entries"
#: serverguide/C/network-config.xml:121(para)
"This section explains how to configure which nameserver to use when "
"resolving IP addresses to hostnames and vice versa. It does not explain how "
"to configure the system as a name server."
#: serverguide/C/network-config.xml:126(para)
"To manage DNS entries, you can add, edit, or remove DNS names from the "
"<filename>/etc/resolv.conf</filename> file. A sample file is given below:"
#: serverguide/C/network-config.xml:130(programlisting)
"nameserver 204.11.126.131\n"
"nameserver 64.125.134.133\n"
"nameserver 64.125.134.132\n"
"nameserver 208.185.179.218\n"
#: serverguide/C/network-config.xml:138(para)
"The <application>search</application> key specifies the string which will be "
"appended to an incomplete hostname. Here, we have configured it to "
"<application>com</application>. So, when we run: <command>ping "
"ubuntu</command> it would be interpreted as <command>ping "
"ubuntu.com</command>."
#: serverguide/C/network-config.xml:146(para)
"The <application>nameserver</application> key specifies the nameserver IP "
"address. It will be used to resolve a given IP address or hostname. This "
"file can have multiple nameserver entries. The nameservers will be used by "
"the network query in the same order."
#: serverguide/C/network-config.xml:155(para)
"If the DNS server names are retrieved dynamically from DHCP or PPPoE "
"(retrieved from your ISP), do not add nameserver entries in this file. It "
"will be overwritten."
#: serverguide/C/network-config.xml:164(title)
msgid "Managing Hosts"
#: serverguide/C/network-config.xml:165(para)
"To manage hosts, you can add, edit, or remove hosts from "
"<filename>/etc/hosts</filename> file. The file contains IP addresses and "
"their corresponding hostnames. When your system tries to resolve a hostname "
"to an IP address or determine the hostname for an IP address, it refers to "
"the <filename>/etc/hosts</filename> file before using the name servers. If "
"the IP address is listed in the <filename>/etc/hosts</filename> file, the "
"name servers are not used. This behavior can be modified by editing "
"<filename>/etc/nsswitch.conf</filename> at your peril."
#: serverguide/C/network-config.xml:178(para)
"If your network contains computers whose IP addresses are not listed in DNS, "
"it is recommended that you add them to the <filename>/etc/hosts</filename> "
#: serverguide/C/network-config.xml:186(title)
#: serverguide/C/network-config.xml:188(para)
"Bridging multiple interfaces is a more advanced configuration, but is very "
"useful in multiple scenarios. One scenario is setting up a bridge with "
"multiple network interfaces, then using a firewall to filter traffic between "
"two network segments. Another scenario is using bridge on a system with one "
"interface to allow virtual machines direct access to the outside network. "
"The following example covers the latter scenario."
#: serverguide/C/network-config.xml:195(para)
"Before configuring a bridge you will need to install the <application>bridge-"
"utils</application> package. To install the package, in a terminal enter:"
#: serverguide/C/network-config.xml:201(command)
msgid "sudo apt-get install bridge-utils"
#: serverguide/C/network-config.xml:204(para)
"Next, configure the bridge by editing "
"<filename>/etc/network/interfaces</filename>:"
#: serverguide/C/network-config.xml:208(programlisting)
"iface lo inet loopback\n"
"iface br0 inet static\n"
" address 192.168.0.10\n"
" network 192.168.0.0\n"
" netmask 255.255.255.0\n"
" broadcast 192.168.0.255\n"
" gateway 192.168.0.1\n"
" bridge_ports eth0\n"
" bridge_hello 2\n"
" bridge_maxage 12\n"
" bridge_stp off\n"
#: serverguide/C/network-config.xml:227(para)
msgid "Enter the appropriate values for your physical interface and network."
#: serverguide/C/network-config.xml:232(para)
msgid "Now restart networking to enable the bridge interface:"
#: serverguide/C/network-config.xml:240(para)
"If setting up a bridge interface using Ubuntu Desktop Edition, or if "
"<application>dhcdbd</application> is installed, the "
"<application>dhcdbd</application> daemon will need to be stopped and "
#: serverguide/C/network-config.xml:245(para)
"After configuring the bridge in "
"<filename>/etc/network/interfaces</filename>, shutdown "
"<application>dhcdbd</application> by:"
#: serverguide/C/network-config.xml:250(command)
msgid "sudo /etc/init.d/dhcdbd stop"
#: serverguide/C/network-config.xml:253(para)
msgid "Now to disable it from starting on boot enter:"
#: serverguide/C/network-config.xml:258(command)
msgid "sudo update-rc.d -f dhcdbd remove"
#: serverguide/C/network-config.xml:261(para)
"The new bridge interface should now be up and running. The "
"<application>brctl</application> provides useful information about the state "
"of the bridge, controls which interfaces are part of the bridge, etc. See "
"<command>man brctl</command> for more information."
#: serverguide/C/network-config.xml:277(para)
"url=\"http://manpages.ubuntu.com/manpages/jaunty/en/man5/interfaces.5.html\">"
"interafaces man page</ulink> has details on more options for "
"<filename>/etc/network/interfaces</filename>."
#: serverguide/C/network-config.xml:283(para)
"For more information on DNS client configuration see the <ulink "
"url=\"http://manpages.ubuntu.com/manpages/jaunty/en/man5/resolver.5.html\">re"
"solver man page</ulink>. Also, Chapter 6 of O'Reilly's <ulink "
"url=\"http://oreilly.com/catalog/linag2/book/ch06.html\">Linux Network "
"Administrator's Guide</ulink> is a good source of resolver and name service "
"configuration information."
#: serverguide/C/network-config.xml:291(para)
"For more information on <emphasis>bridging</emphasis> see the <ulink "
"url=\"http://manpages.ubuntu.com/manpages/jaunty/en/man8/brctl.8.html\">brctl"
" man page</ulink> and the Linux Foundation's <ulink "
"url=\"http://www.linuxfoundation.org/en/Net:Bridge\">Net:Bridge</ulink> page."
#: serverguide/C/network-config.xml:302(title)
#: serverguide/C/network-config.xml:303(para)
"The Transmission Control Protocol and Internet Protocol (TCP/IP) is a "
"standard set of protocols developed in the late 1970s by the Defense "
"Advanced Research Projects Agency (DARPA) as a means of communication "
"between different types of computers and computer networks. TCP/IP is the "
"driving force of the Internet, and thus it is the most popular set of "
"network protocols on Earth."
#: serverguide/C/network-config.xml:311(title)
msgid "TCP/IP Introduction"
msgstr "Įvadas į TCP/IP"
#: serverguide/C/network-config.xml:312(para)
"The two protocol components of TCP/IP deal with different aspects of "
"computer networking. <emphasis>Internet Protocol</emphasis>, the \"IP\" of "
"TCP/IP is a connectionless protocol which deals only with network packet "
"routing using the <emphasis role=\"italics\">IP Datagram</emphasis> as the "
"basic unit of networking information. The IP Datagram consists of a header "
"followed by a message. The <emphasis> Transmission Control "
"Protocol</emphasis> is the \"TCP\" of TCP/IP and enables network hosts to "
"establish connections which may be used to exchange data streams. TCP also "
"guarantees that the data between connections is delivered and that it "
"arrives at one network host in the same order as sent from another network "
#: serverguide/C/network-config.xml:325(title)
msgid "TCP/IP Configuration"
msgstr "TCP/IP Konfigūracija"
#: serverguide/C/network-config.xml:326(para)
"The TCP/IP protocol configuration consists of several elements which must be "
"set by editing the appropriate configuration files, or deploying solutions "
"such as the Dynamic Host Configuration Protocol (DHCP) server which in turn, "
"can be configured to provide the proper TCP/IP configuration settings to "
"network clients automatically. These configuration values must be set "
"correctly in order to facilitate the proper network operation of your Ubuntu "
#: serverguide/C/network-config.xml:338(para)
"<emphasis role=\"bold\">IP address</emphasis> The IP address is a unique "
"identifying string expressed as four decimal numbers ranging from zero (0) "
"to two-hundred and fifty-five (255), separated by periods, with each of the "
"four numbers representing eight (8) bits of the address for a total length "
"of thirty-two (32) bits for the whole address. This format is called "
"<emphasis>dotted quad notation</emphasis>."
#: serverguide/C/network-config.xml:348(para)
"<emphasis role=\"bold\">Netmask</emphasis> The Subnet Mask (or simply, "
"<emphasis>netmask</emphasis>) is a local bit mask, or set of flags which "
"separate the portions of an IP address significant to the network from the "
"bits significant to the <emphasis>subnetwork</emphasis>. For example, in a "
"Class C network, the standard netmask is 255.255.255.0 which masks the first "
"three bytes of the IP address and allows the last byte of the IP address to "
"remain available for specifying hosts on the subnetwork."
#: serverguide/C/network-config.xml:359(para)
"<emphasis role=\"bold\">Network Address</emphasis> The Network Address "
"represents the bytes comprising the network portion of an IP address. For "
"example, the host 12.128.1.2 in a Class A network would use 12.0.0.0 as the "
"network address, where twelve (12) represents the first byte of the IP "
"address, (the network part) and zeroes (0) in all of the remaining three "
"bytes to represent the potential host values. A network host using the "
"private IP address 192.168.1.100 would in turn use a Network Address of "
"192.168.1.0, which specifies the first three bytes of the Class C 192.168.1 "
"network and a zero (0) for all the possible hosts on the network."
#: serverguide/C/network-config.xml:372(para)
"<emphasis role=\"bold\">Broadcast Address</emphasis> The Broadcast Address "
"is an IP address which allows network data to be sent simultaneously to all "
"hosts on a given subnetwork rather than specifying a particular host. The "
"standard general broadcast address for IP networks is 255.255.255.255, but "
"this broadcast address cannot be used to send a broadcast message to every "
"host on the Internet because routers block it. A more appropriate broadcast "
"address is set to match a specific subnetwork. For example, on the private "
"Class C IP network, 192.168.1.0, the broadcast address is 192.168.1.255. "
"Broadcast messages are typically produced by network protocols such as the "
"Address Resolution Protocol (ARP) and the Routing Information Protocol (RIP)."
#: serverguide/C/network-config.xml:385(para)
"<emphasis role=\"bold\">Gateway Address</emphasis> A Gateway Address is the "
"IP address through which a particular network, or host on a network, may be "
"reached. If one network host wishes to communicate with another network "
"host, and that host is not located on the same network, then a "
"<emphasis>gateway</emphasis> must be used. In many cases, the Gateway "
"Address will be that of a router on the same network, which will in turn "
"pass traffic on to other networks or hosts, such as Internet hosts. The "
"value of the Gateway Address setting must be correct, or your system will "
"not be able to reach any hosts beyond those on the same network."
#: serverguide/C/network-config.xml:396(para)
"<emphasis role=\"bold\">Nameserver Address</emphasis> Nameserver Addresses "
"represent the IP addresses of Domain Name Service (DNS) systems, which "
"resolve network hostnames into IP addresses. There are three levels of "
"Nameserver Addresses, which may be specified in order of precedence: The "
"<emphasis>Primary</emphasis> Nameserver, the <emphasis>Secondary</emphasis> "
"Nameserver, and the <emphasis>Tertiary</emphasis> Nameserver. In order for "
"your system to be able to resolve network hostnames into their corresponding "
"IP addresses, you must specify valid Nameserver Addresses which you are "
"authorized to use in your system's TCP/IP configuration. In many cases these "
"addresses can and will be provided by your network service provider, but "
"many free and publicly accessible nameservers are available for use, such as "
"the Level3 (Verizon) servers with IP addresses from 4.2.2.1 to 4.2.2.6."
#: serverguide/C/network-config.xml:410(para)
"The IP address, Netmask, Network Address, Broadcast Address, and Gateway "
"Address are typically specified via the appropriate directives in the file "
"<filename>/etc/network/interfaces</filename>. The Nameserver Addresses are "
"typically specified via <emphasis>nameserver</emphasis> directives in the "
"file <filename>/etc/resolv.conf</filename>. For more information, view the "
"system manual page for <filename>interfaces</filename> or "
"<filename>resolv.conf</filename> respectively, with the following commands "
"typed at a terminal prompt:"
#: serverguide/C/network-config.xml:417(para)
"Access the system manual page for <filename>interfaces</filename> with the "
"following command:"
#: serverguide/C/network-config.xml:422(command)
msgid "man interfaces"
#: serverguide/C/network-config.xml:425(para)
"Access the system manual page for <filename>resolv.conf</filename> with the "
"following command:"
#: serverguide/C/network-config.xml:429(command)
msgid "man resolv.conf"
#: serverguide/C/network-config.xml:334(para)
"The common configuration elements of TCP/IP and their purposes are as "
"follows: <placeholder-1/>"
#: serverguide/C/network-config.xml:436(title)
msgstr "IP Maršruto Patikrinimas"
#: serverguide/C/network-config.xml:437(para)
"IP routing is a means of specifying and discovering paths in a TCP/IP "
"network along which network data may be sent. Routing uses a set of "
"<emphasis>routing tables</emphasis> to direct the forwarding of network data "
"packets from their source to the destination, often via many intermediary "
"network nodes known as <emphasis>routers</emphasis>. There are two primary "
"forms of IP routing: <emphasis>Static Routing</emphasis> and "
"<emphasis>Dynamic Routing.</emphasis>"
#: serverguide/C/network-config.xml:446(para)
"Static routing involves manually adding IP routes to the system's routing "
"table, and this is usually done by manipulating the routing table with the "
"<application>route</application> command. Static routing enjoys many "
"advantages over dynamic routing, such as simplicity of implementation on "
"smaller networks, predictability (the routing table is always computed in "
"advance, and thus the route is precisely the same each time it is used), and "
"low overhead on other routers and network links due to the lack of a dynamic "
"routing protocol. However, static routing does present some disadvantages as "
"well. For example, static routing is limited to small networks and does not "
"scale well. Static routing also fails completely to adapt to network outages "
"and failures along the route due to the fixed nature of the route."
#: serverguide/C/network-config.xml:456(para)
"Dynamic routing depends on large networks with multiple possible IP routes "
"from a source to a destination and makes use of special routing protocols, "
"such as the Router Information Protocol (RIP), which handle the automatic "
"adjustments in routing tables that make dynamic routing possible. Dynamic "
"routing has several advantages over static routing, such as superior "
"scalability and the ability to adapt to failures and outages along network "
"routes. Additionally, there is less manual configuration of the routing "
"tables, since routers learn from one another about their existence and "
"available routes. This trait also eliminates the possibility of introducing "
"mistakes in the routing tables via human error. Dynamic routing is not "
"perfect, however, and presents disadvantages such as heightened complexity "
"and additional network overhead from router communications, which does not "
"immediately benefit the end users, but still consumes network bandwidth."
#: serverguide/C/network-config.xml:470(title)
msgid "TCP and UDP"
msgstr "TCP ir UDP"
#: serverguide/C/network-config.xml:471(para)
"TCP is a connection-based protocol, offering error correction and guaranteed "
"delivery of data via what is known as <emphasis>flow control</emphasis>. "
"Flow control determines when the flow of a data stream needs to be stopped, "
"and previously sent data packets should to be re-sent due to problems such "
"as <emphasis>collisions</emphasis>, for example, thus ensuring complete and "
"accurate delivery of the data. TCP is typically used in the exchange of "
"important information such as database transactions."
#: serverguide/C/network-config.xml:479(para)
"The User Datagram Protocol (UDP), on the other hand, is a "
"<emphasis>connectionless</emphasis> protocol which seldom deals with the "
"transmission of important data because it lacks flow control or any other "
"method to ensure reliable delivery of the data. UDP is commonly used in such "
"applications as audio and video streaming, where it is considerably faster "
"than TCP due to the lack of error correction and flow control, and where the "
"loss of a few packets is not generally catastrophic."
#: serverguide/C/network-config.xml:489(title)
#: serverguide/C/network-config.xml:490(para)
"The Internet Control Messaging Protocol (ICMP) is an extension to the "
"Internet Protocol (IP) as defined in the Request For Comments (RFC) #792 and "
"supports network packets containing control, error, and informational "
"messages. ICMP is used by such network applications as the "
"<application>ping</application> utility, which can determine the "
"availability of a network host or device. Examples of some error messages "
"returned by ICMP which are useful to both network hosts and devices such as "
"routers, include <emphasis>Destination Unreachable</emphasis> and "
"<emphasis>Time Exceeded</emphasis>."
#: serverguide/C/network-config.xml:500(title)
#: serverguide/C/network-config.xml:501(para)
"Daemons are special system applications which typically execute continuously "
"in the background and await requests for the functions they provide from "
"other applications. Many daemons are network-centric; that is, a large "
"number of daemons executing in the background on an Ubuntu system may "
"provide network-related functionality. Some examples of such network daemons "
"include the <emphasis>Hyper Text Transport Protocol Daemon</emphasis> "
"(httpd), which provides web server functionality; the <emphasis>Secure SHell "
"Daemon</emphasis> (sshd), which provides secure remote login shell and file "
"transfer capabilities; and the <emphasis>Internet Message Access Protocol "
"Daemon</emphasis> (imapd), which provides E-Mail services."
#: serverguide/C/network-config.xml:516(para)
"There are man pages for <ulink "
"url=\"http://manpages.ubuntu.com/manpages/jaunty/en/man7/tcp.7.html\">TCP</ul"
"url=\"http://manpages.ubuntu.com/manpages/jaunty/man7/ip.7.html\">IP</ulink> "
"that contain more useful information."
#: serverguide/C/network-config.xml:522(para)
"Also, see the <ulink "
"url=\"http://www.redbooks.ibm.com/abstracts/gg243376.html\">TCP/IP Tutorial "
"and Technical Overview</ulink> IBM Redbook."
#: serverguide/C/network-config.xml:528(para)
"Another resource is O'Reilly's <ulink "
"url=\"http://oreilly.com/catalog/9780596002978/\">TCP/IP Network "
"Administration</ulink>."
#: serverguide/C/network-config.xml:537(title)
msgid "Dynamic Host Configuration Protocol (DHCP)"
#: serverguide/C/network-config.xml:538(para)
"The Dynamic Host Configuration Protocol (DHCP) is a network service that "
"enables host computers to be automatically assigned settings from a server "
"as opposed to manually configuring each network host. Computers configured "
"to be DHCP clients have no control over the settings they receive from the "
"DHCP server, and the configuration is transparent to the computer's user."
#: serverguide/C/network-config.xml:545(para)
"The most common settings provided by a DHCP server to DHCP clients include:"
#: serverguide/C/network-config.xml:550(para)
msgid "IP-Address and Netmask"
#: serverguide/C/network-config.xml:553(para)
#: serverguide/C/network-config.xml:556(para)
#: serverguide/C/network-config.xml:559(para)
"However, a DHCP server can also supply configuration properties such as:"
#: serverguide/C/network-config.xml:564(para)
#: serverguide/C/network-config.xml:567(para)
msgid "Domain Name"
msgstr "Srities Pavadinimas"
#: serverguide/C/network-config.xml:570(para)
msgid "Default Gateway"
#: serverguide/C/network-config.xml:573(para)
msgid "Time Server"
msgstr "Laiko Serveris"
#: serverguide/C/network-config.xml:576(para)
msgid "Print Server"
msgstr "Spausdinimo serveris"
#: serverguide/C/network-config.xml:579(para)
"The advantage of using DHCP is that changes to the network, for example a "
"change in the address of the DNS server, need only be changed at the DHCP "
"server, and all network hosts will be reconfigured the next time their DHCP "
"clients poll the DHCP server. As an added advantage, it is also easier to "
"integrate new computers into the network, as there is no need to check for "
"the availability of an IP address. Conflicts in IP address allocation are "
#: serverguide/C/network-config.xml:587(para)
msgid "A DHCP server can provide configuration settings using two methods:"
#: serverguide/C/network-config.xml:592(term)
msgid "MAC Address"
msgstr "MAC Adresas"
#: serverguide/C/network-config.xml:594(para)
"This method entails using DHCP to identify the unique hardware address of "
"each network card connected to the network and then continually supplying a "
"constant configuration each time the DHCP client makes a request to the DHCP "
"server using that network device."
#: serverguide/C/network-config.xml:603(term)
msgid "Address Pool"
msgstr "Adresų Telkinys"
#: serverguide/C/network-config.xml:605(para)
"This method entails defining a pool (sometimes also called a range or scope) "
"of IP addresses from which DHCP clients are supplied their configuration "
"properties dynamically and on a \"first come, first served\" basis. When a "
"DHCP client is no longer on the network for a specified period, the "
"configuration is expired and released back to the address pool for use by "
"other DHCP Clients."
#: serverguide/C/network-config.xml:616(para)
"Ubuntu is shipped with both DHCP server and client. The server is "
"<application>dhcpd</application> (dynamic host configuration protocol "
"daemon). The client provided with Ubuntu is "
"<application>dhclient</application> and should be installed on all computers "
"required to be automatically configured. Both programs are easy to install "
"and configure and will be automatically started at system boot."
#: serverguide/C/network-config.xml:626(para)
"At a terminal prompt, enter the following command to install "
"<application>dhcpd</application>:"
#: serverguide/C/network-config.xml:631(command)
msgid "sudo apt-get install dhcp3-server"
#: serverguide/C/network-config.xml:633(para)
"You will probably need to change the default configuration by editing "
"/etc/dhcp3/dhcpd.conf to suit your needs and particular configuration."
#: serverguide/C/network-config.xml:637(para)
"You also need to edit /etc/default/dhcp3-server to specify the interfaces "
"dhcpd should listen to. By default it listens to eth0."
#: serverguide/C/network-config.xml:641(para)
"NOTE: dhcpd's messages are being sent to syslog. Look there for diagnostics "
#: serverguide/C/network-config.xml:648(para)
"The error message the installation ends with might be a little confusing, "
"but the following steps will help you configure the service:"
#: serverguide/C/network-config.xml:652(para)
"Most commonly, what you want to do is assign an IP address randomly. This "
"can be done with settings as follows:"
#: serverguide/C/network-config.xml:656(programlisting)
"# Sample /etc/dhcpd.conf\n"
"# (add your comments here) \n"
"default-lease-time 600;\n"
"max-lease-time 7200;\n"
"option subnet-mask 255.255.255.0;\n"
"option broadcast-address 192.168.1.255;\n"
"option routers 192.168.1.254;\n"
"option domain-name-servers 192.168.1.1, 192.168.1.2;\n"
"option domain-name \"mydomain.example\";\n"
"subnet 192.168.1.0 netmask 255.255.255.0 {\n"
"range 192.168.1.10 192.168.1.100;\n"
"range 192.168.1.150 192.168.1.200;\n"
#: serverguide/C/network-config.xml:672(para)
"This will result in the DHCP server giving a client an IP address from the "
"range 192.168.1.10-192.168.1.100 or 192.168.1.150-192.168.1.200. It will "
"lease an IP address for 600 seconds if the client doesn't ask for a specific "
"time frame. Otherwise the maximum (allowed) lease will be 7200 seconds. The "
"server will also \"advise\" the client that it should use 255.255.255.0 as "
"its subnet mask, 192.168.1.255 as its broadcast address, 192.168.1.254 as "
"the router/gateway and 192.168.1.1 and 192.168.1.2 as its DNS servers."
#: serverguide/C/network-config.xml:681(para)
"If you need to specify a WINS server for your Windows clients, you will need "
"to include the netbios-name-servers option, e.g."
#: serverguide/C/network-config.xml:685(programlisting)
"option netbios-name-servers 192.168.1.1; \n"
#: serverguide/C/network-config.xml:688(para)
"Dhcpd configuration settings are taken from the DHCP mini-HOWTO, which can "
"url=\"http://www.tldp.org/HOWTO/DHCP/index.html\">here</ulink>."
#: serverguide/C/network-config.xml:698(para)
"For more <filename>/etc/dhcp3/dchpd.conf</filename> options see the <ulink "
"url=\"http://manpages.ubuntu.com/manpages/jaunty/en/man5/dhcpd.conf.5.html\">"
"dhcpd.conf man page</ulink>."
#: serverguide/C/network-config.xml:704(para)
"Also see the <ulink url=\"http://www.dhcp-handbook.com/dhcp_faq.html\">DHCP "
#: serverguide/C/network-config.xml:714(title)
msgid "Time Synchronisation with NTP"
#: serverguide/C/network-config.xml:715(para)
"This page describes methods for keeping your computer's time accurate. This "
"is useful for servers, but is not necessary (or desirable) for desktop "
#: serverguide/C/network-config.xml:718(para)
"NTP is a TCP/IP protocol for synchronising time over a network. Basically a "
"client requests the current time from a server, and uses it to set its own "
#: serverguide/C/network-config.xml:721(para)
"Behind this simple description, there is a lot of complexity - there are "
"tiers of NTP servers, with the tier one NTP servers connected to atomic "
"clocks (often via GPS), and tier two and three servers spreading the load of "
"actually handling requests across the Internet. Also the client software is "
"a lot more complex than you might think - it has to factor out communication "
"delays, and adjust the time in a way that does not upset all the other "
"processes that run on the server. But luckily all that complexity is hidden "
#: serverguide/C/network-config.xml:724(para)
"Ubuntu has two ways of automatically setting your time: ntpdate and ntpd."
#: serverguide/C/network-config.xml:729(title)
#: serverguide/C/network-config.xml:730(para)
"Ubuntu comes with ntpdate as standard, and will run it once at boot time to "
"set up your time according to Ubuntu's NTP server. However, a server's clock "
"is likely to drift considerably between reboots, so it makes sense to "
"correct the time occasionally. The easiest way to do this is to get cron to "
"run ntpdate every day. With your favourite editor, as root, create a file "
"<code>/etc/cron.daily/ntpdate</code> containing:"
#: serverguide/C/network-config.xml:735(screen)
msgid "ntpdate ntp.ubuntu.com\n"
#: serverguide/C/network-config.xml:737(para)
"The file <code>/etc/cron.daily/ntpdate</code> must also be executable."
#: serverguide/C/network-config.xml:740(screen)
msgid "sudo chmod 755 /etc/cron.daily/ntpdate\n"
#: serverguide/C/network-config.xml:744(title)
#: serverguide/C/network-config.xml:745(para)
"ntpdate is a bit of a blunt instrument - it can only adjust the time once a "
"day, in one big correction. The ntp daemon ntpd is far more subtle. It "
"calculates the drift of your system clock and continuously adjusts it, so "
"there are no large corrections that could lead to inconsistent logs for "
"instance. The cost is a little processing power and memory, but for a modern "
"server this is negligible."
#: serverguide/C/network-config.xml:748(para)
msgid "To set up ntpd:"
#: serverguide/C/network-config.xml:749(screen)
msgid "sudo apt-get install ntp\n"
#: serverguide/C/network-config.xml:754(title)
msgid "Changing Time Servers"
msgstr "Laiko Serverių Keitimas"
#: serverguide/C/network-config.xml:755(para)
"In both cases above, your system will use Ubuntu's NTP server at "
"<code>ntp.ubuntu.com</code> by default. This is OK, but you might want to "
"use several servers to increase accuracy and resilience, and you may want to "
"use time servers that are geographically closer to you. to do this for "
"ntpdate, change the contents of <code>/etc/cron.daily/ntpdate</code> to:"
#: serverguide/C/network-config.xml:762(screen)
msgid "ntpdate ntp.ubuntu.com pool.ntp.org \n"
#: serverguide/C/network-config.xml:764(para)
"And for ntpd edit <code>/etc/ntp.conf</code> to include additional server "
#: serverguide/C/network-config.xml:769(screen)
"server ntp.ubuntu.com\n"
"server pool.ntp.org\n"
#: serverguide/C/network-config.xml:772(para)
"You may notice <code>pool.ntp.org</code> in the examples above. This is a "
"really good idea which uses round-robin DNS to return an NTP server from a "
"pool, spreading the load between several different servers. Even better, "
"they have pools for different regions - for instance, if you are in New "
"Zealand, so you could use <code>nz.pool.ntp.org</code> instead of "
"<code>pool.ntp.org</code> . Look at <ulink "
"url=\"http://www.pool.ntp.org/\">http://www.pool.ntp.org/</ulink> for more "
#: serverguide/C/network-config.xml:783(para)
"You can also Google for NTP servers in your region, and add these to your "
"configuration. To test that a server works, just type <code>sudo ntpdate "
"ntp.server.name</code> and see what happens."
#: serverguide/C/network-config.xml:791(title)
msgid "Related Pages"
#: serverguide/C/network-config.xml:795(ulink)
msgid "NTP Support"
msgstr "NTP Palaikymas"
#: serverguide/C/network-config.xml:800(ulink)
msgid "The NTP FAQ and HOWTO"
#: serverguide/C/network-auth.xml:13(title)
msgid "Network Authentication"
msgstr "Tinklo Autentifikavimas"
#: serverguide/C/network-auth.xml:15(para)
msgid "This section explains various Network Authentication protocols."
#: serverguide/C/network-auth.xml:19(title)
msgid "OpenLDAP Server"
#: serverguide/C/network-auth.xml:20(para)
"LDAP is an acronym for Lightweight Directory Access Protocol, it is a "
"simplified version of the X.500 protocol. The directory setup in this "
"section will be used for authentication. Nevertheless, LDAP can be used in "
"numerous ways: authentication, shared directory (for mail clients), address "
#: serverguide/C/network-auth.xml:28(para)
"To describe LDAP quickly, all information is stored in a tree structure. "
"With <application>OpenLDAP</application> you have freedom to determine the "
"directory arborescence (the Directory Information Tree: the DIT) yourself. "
"We will begin with a basic tree containing two nodes below the root:"
#: serverguide/C/network-auth.xml:37(para)
msgid "\"People\" node where your users will be stored"
#: serverguide/C/network-auth.xml:40(para)
msgid "\"Groups\" node where your groups will be stored"
#: serverguide/C/network-auth.xml:44(para)
"Before beginning, you should determine what the root of your LDAP directory "
"will be. By default, your tree will be determined by your Fully Qualified "
"Domain Name (FQDN). If your domain is example.com (which we will use in this "
"example), your root node will be dc=example,dc=com."
#: serverguide/C/network-auth.xml:54(para)
"First, install the <application>OpenLDAP</application> server daemon "
"<application>slapd</application> and <application>ldap-utils</application>, "
"a package containing LDAP management utilities:"
#: serverguide/C/network-auth.xml:60(command)
msgid "sudo apt-get install slapd ldap-utils"
#: serverguide/C/network-auth.xml:63(para)
"The installation process will prompt you for the LDAP directory admin "
"password and confirmation."
#: serverguide/C/network-auth.xml:68(para)
"By default the directory suffix will match the domain name of the server. "
"For example, if the machine's Fully Qualified Domain Name (FQDN) is "
"ldap.example.com, the default suffix will be "
"<emphasis>dc=example,dc=com</emphasis>. If you require a different suffix, "
"the directory can be reconfigured using <application>dpkg-"
"reconfigure</application>. Enter the following in a terminal prompt:"
#: serverguide/C/network-auth.xml:78(command)
msgid "sudo dpkg-reconfigure slapd"
#: serverguide/C/network-auth.xml:81(para)
"You will then be taken through a menu based configuration dialog, allowing "
"you to configure various <application>slapd</application> options."
#: serverguide/C/network-auth.xml:90(para)
"<application>OpenLDAP</application> uses a separate database which contains "
"the <emphasis>cn=config</emphasis> Directory Information Tree (DIT). The "
"<emphasis>cn=config</emphasis> DIT is used to dynamically configure the "
"<application>slapd</application> daemon, allowing the modification of schema "
"definitions, indexes, ACLs, etc without stopping the service."
#: serverguide/C/network-auth.xml:98(para)
"The <emphasis>cn=config</emphasis> tree can be manipulated using the "
"utilities in the <application>ldap-utils</application> package. For example:"
#: serverguide/C/network-auth.xml:106(para)
"Use <application>ldapsearch</application> to view the tree, entering the "
"admin password set during installation or reconfiguration:"
#: serverguide/C/network-auth.xml:112(command)
"ldapsearch -xLLL -b cn=config -D cn=admin,cn=config -W olcDatabase={1}hdb"
#: serverguide/C/network-auth.xml:116(computeroutput)
"Enter LDAP Password: \n"
"dn: olcDatabase={1}hdb,cn=config\n"
"objectClass: olcDatabaseConfig\n"
"objectClass: olcHdbConfig\n"
"olcDatabase: {1}hdb\n"
"olcDbDirectory: /var/lib/ldap\n"
"olcSuffix: dc=example,dc=com\n"
"olcAccess: {0}to attrs=userPassword,shadowLastChange by "
"dn=\"cn=admin,dc=exampl\n"
" e,dc=com\" write by anonymous auth by self write by * none\n"
"olcAccess: {1}to dn.base=\"\" by * read\n"
"olcAccess: {2}to * by dn=\"cn=admin,dc=example,dc=com\" write by * read\n"
"olcLastMod: TRUE\n"
"olcDbCheckpoint: 512 30\n"
"olcDbConfig: {0}set_cachesize 0 2097152 0\n"
"olcDbConfig: {1}set_lk_max_objects 1500\n"
"olcDbConfig: {2}set_lk_max_locks 1500\n"
"olcDbConfig: {3}set_lk_max_lockers 1500\n"
"olcDbIndex: objectClass eq\n"
#: serverguide/C/network-auth.xml:137(para)
"The output above is the current configuration options for the "
"<emphasis>hdb</emphasis> backend database. Which in this case containes the "
"<emphasis>dc=example,dc=com</emphasis> suffix."
#: serverguide/C/network-auth.xml:146(para)
"Refine the search by supplying a <emphasis "
"role=\"italic\">filter</emphasis>, in this case only show which attributes "
#: serverguide/C/network-auth.xml:152(command)
"ldapsearch -xLLL -b cn=config -D cn=admin,cn=config -W olcDatabase={1}hdb "
#: serverguide/C/network-auth.xml:156(computeroutput)
"Enter LDAP Password: \n"
"dn: olcDatabase={1}hdb,cn=config\n"
"olcDbIndex: objectClass eq\n"
#: serverguide/C/network-auth.xml:165(para)
"As an example of modifying the <emphasis>cn=config</emphasis> tree, add "
"another attribute to the index list using "
"<application>ldapmodify</application>:"
#: serverguide/C/network-auth.xml:171(command) serverguide/C/network-auth.xml:723(command) serverguide/C/network-auth.xml:825(command) serverguide/C/network-auth.xml:848(command) serverguide/C/network-auth.xml:2405(command) serverguide/C/network-auth.xml:2422(command)
msgid "ldapmodify -x -D cn=admin,cn=config -W"
#: serverguide/C/network-auth.xml:175(userinput)
"dn: olcDatabase={1}hdb,cn=config\n"
"add: olcDbIndex\n"
"olcDbIndex: entryUUID eq"
#: serverguide/C/network-auth.xml:175(computeroutput)
"Enter LDAP Password:<placeholder-1/>\n"
"modifying entry \"olcDatabase={1}hdb,cn=config\"\n"
#: serverguide/C/network-auth.xml:184(para)
"Once the modification has completed, press <emphasis>Ctrl+D</emphasis> to "
"exit the utility."
#: serverguide/C/network-auth.xml:191(para)
"<application>ldapmodify</application> can also read the changes from a file. "
"Copy and paste the following into a file named "
"<filename>uid_index.ldif</filename>:"
#: serverguide/C/network-auth.xml:196(programlisting)
"dn: olcDatabase={1}hdb,cn=config\n"
"add: olcDbIndex\n"
"olcDbIndex: uid eq,pres,sub\n"
#: serverguide/C/network-auth.xml:202(para)
msgid "Then execute <application>ldapmodify</application>:"
#: serverguide/C/network-auth.xml:207(command)
msgid "ldapmodify -x -D cn=admin,cn=config -W -f uid_index.ldif"
#: serverguide/C/network-auth.xml:211(computeroutput)
"Enter LDAP Password: \n"
"modifying entry \"olcDatabase={1}hdb,cn=config\"\n"
#: serverguide/C/network-auth.xml:216(para)
msgid "The file method is very useful for large changes."
#: serverguide/C/network-auth.xml:223(para)
"Adding additional <emphasis>schemas</emphasis> to "
"<application>slapd</application> requires the schema to be converted to LDIF "
"format. Fortunately, the <application>slapd</application> program can be "
"used to automate the conversion. The following example will add the "
"<emphasis>misc.schema</emphasis>:"
#: serverguide/C/network-auth.xml:231(para)
"First, create a conversion <filename>schema_convert.conf</filename> file "
"containing the following lines:"
#: serverguide/C/network-auth.xml:236(programlisting)
"include /etc/ldap/schema/core.schema\n"
"include /etc/ldap/schema/collective.schema\n"
"include /etc/ldap/schema/corba.schema\n"
"include /etc/ldap/schema/cosine.schema\n"
"include /etc/ldap/schema/duaconf.schema\n"
"include /etc/ldap/schema/dyngroup.schema\n"
"include /etc/ldap/schema/inetorgperson.schema\n"
"include /etc/ldap/schema/java.schema\n"
"include /etc/ldap/schema/misc.schema\n"
"include /etc/ldap/schema/nis.schema\n"
"include /etc/ldap/schema/openldap.schema\n"
"include /etc/ldap/schema/ppolicy.schema\n"
#: serverguide/C/network-auth.xml:254(para) serverguide/C/network-auth.xml:1304(para)
msgid "Next, create a temporary directory to hold the output:"
#: serverguide/C/network-auth.xml:259(command) serverguide/C/network-auth.xml:1309(command) serverguide/C/network-auth.xml:2334(command)
msgid "mkdir /tmp/ldif_output"
#: serverguide/C/network-auth.xml:265(para)
"Now using <application>slaptest</application> convert the schema files to "
#: serverguide/C/network-auth.xml:270(command) serverguide/C/network-auth.xml:1320(command) serverguide/C/network-auth.xml:2345(command)
msgid "slaptest -f schema_convert.conf -F /tmp/ldif_output"
#: serverguide/C/network-auth.xml:273(para)
"Adjust the configuration file name and temporary directory names if yours "
"are different. Also, it may be worthwhile to keep the "
"<filename>ldif_output</filename> directory around in case you want to add "
"additional schemas in the future."
#: serverguide/C/network-auth.xml:282(para)
"<filename>/tmp/ldif_output/cn=config/cn=schema/cn={8}misc.ldif</filename> "
"file, changing the following attributes:"
#: serverguide/C/network-auth.xml:287(programlisting)
"dn: cn=misc,cn=schema,cn=config\n"
#: serverguide/C/network-auth.xml:293(para) serverguide/C/network-auth.xml:1341(para)
msgid "And remove the following lines from the bottom of the file:"
#: serverguide/C/network-auth.xml:297(programlisting)
"structuralObjectClass: olcSchemaConfig\n"
"entryUUID: 10dae0ea-0760-102d-80d3-f9366b7f7757\n"
"creatorsName: cn=config\n"
"createTimestamp: 20080826021140Z\n"
"entryCSN: 20080826021140.791425Z#000000#000#000000\n"
"modifiersName: cn=config\n"
"modifyTimestamp: 20080826021140Z\n"
#: serverguide/C/network-auth.xml:308(para) serverguide/C/network-auth.xml:1356(para) serverguide/C/network-auth.xml:2381(para)
"The attribute values will vary, just be sure the attributes are removed."
#: serverguide/C/network-auth.xml:316(para) serverguide/C/network-auth.xml:1364(para)
"Finally, using the <application>ldapadd</application> utility, add the new "
"schema to the directory:"
#: serverguide/C/network-auth.xml:322(command)
"ldapadd -x -D cn=admin,cn=config -W -f /tmp/ldif_output/cn\\=config/cn\\"
"=schema/cn\\=\\{8\\}misc.ldif"
#: serverguide/C/network-auth.xml:328(para)
"There should now be a <emphasis>dn: "
"cn={4}misc,cn=schema,cn=config</emphasis> entry in the cn=config tree."
#: serverguide/C/network-auth.xml:337(title)
msgid "Populating LDAP"
#: serverguide/C/network-auth.xml:339(para)
"The directory has been created during installation and reconfiguration, and "
"now it is time to populate it. It will be populated with a \"classical\" "
"scheme that will be compatible with address book applications and with Unix "
"Posix accounts. Posix accounts will allow authentication to various "
"applications, such as web applications, email Mail Transfer Agent (MTA) "
"applications, etc."
#: serverguide/C/network-auth.xml:348(para)
"For external applications to authenticate using LDAP they will each need to "
"be specifically configured to do so. Refer to the individual application "
"documentation for details."
#: serverguide/C/network-auth.xml:355(para)
"LDAP directories can be populated with LDIF (LDAP Directory Interchange "
"Format) files. Copy the following example LDIF file, naming it "
"<filename>example.com.ldif</filename>, somewhere on your system:"
#: serverguide/C/network-auth.xml:361(programlisting)
"dn: ou=people,dc=example,dc=com\n"
"objectClass: organizationalUnit\n"
"dn: ou=groups,dc=example,dc=com\n"
"objectClass: organizationalUnit\n"
"dn: uid=john,ou=people,dc=example,dc=com\n"
"objectClass: inetOrgPerson\n"
"objectClass: posixAccount\n"
"objectClass: shadowAccount\n"
"givenName: John\n"
"displayName: John Doe\n"
"uidNumber: 1000\n"
"gidNumber: 10000\n"
"userPassword: password\n"
"gecos: John Doe\n"
"loginShell: /bin/bash\n"
"homeDirectory: /home/john\n"
"shadowExpire: -1\n"
"shadowWarning: 7\n"
"shadowMax: 999999\n"
"shadowLastChange: 10877\n"
"mail: john.doe@example.com\n"
"postalCode: 31000\n"
"mobile: +33 (0)6 xx xx xx xx\n"
"homePhone: +33 (0)5 xx xx xx xx\n"
"title: System Administrator\n"
"postalAddress: \n"
"dn: cn=example,ou=groups,dc=example,dc=com\n"
"objectClass: posixGroup\n"
"gidNumber: 10000\n"
#: serverguide/C/network-auth.xml:407(para)
"In this example the directory structure, a user, and a group have been "
"setup. In other examples you might see the <emphasis>objectClass: "
"top</emphasis> added in every entry, but that is the default behaviour so "
"you do not have to add it explicitly."
#: serverguide/C/network-auth.xml:414(para)
"To add the entries to the LDAP directory use the "
"<application>ldapadd</application> utility:"
#: serverguide/C/network-auth.xml:420(command)
msgid "ldapadd -x -D cn=admin,dc=example,dc=com -W -f example.com.ldif"
#: serverguide/C/network-auth.xml:423(para)
"We can check that the content has been correctly added with the tools from "
"the <application>ldap-utils</application> package. In order to execute a "
"search of the LDAP directory:"
#: serverguide/C/network-auth.xml:430(command)
msgid "ldapsearch -xLLL -b \"dc=example,dc=com\" uid=john sn givenName cn"
#: serverguide/C/network-auth.xml:431(computeroutput)
"dn: uid=john,ou=people,dc=example,dc=com\n"
"givenName: John\n"
#: serverguide/C/network-auth.xml:439(para)
msgid "Just a quick explanation:"
#: serverguide/C/network-auth.xml:445(para)
"<emphasis>-x:</emphasis> will not use SASL authentication method, which is "
#: serverguide/C/network-auth.xml:451(para)
msgid "<emphasis>-LLL:</emphasis> disable printing LDIF schema information."
#: serverguide/C/network-auth.xml:460(title)
msgid "LDAP replication"
msgstr "LDAP replikavimas"
#: serverguide/C/network-auth.xml:462(para)
"LDAP often quickly becomes a highly critical service to the network. "
"Multiple systems will come to depend on LDAP for authentication, "
"authorization, configuration, etc. It is a good idea to setup a redundant "
"system through replication."
#: serverguide/C/network-auth.xml:468(para)
"Replication is achieved using the <emphasis>Syncrepl</emphasis> engine. "
"Syncrepl allows the directory to be synced using either a "
"<emphasis>push</emphasis> or <emphasis>pull</emphasis> based system. In a "
"push based configuration a <quote>primary</quote> server will push directory "
"updates to <quote>secondary</quote> servers, while a pull based approach "
"allows replication servers to sync on a time based interval."
#: serverguide/C/network-auth.xml:476(para)
"The following is an example of a <emphasis>Multi-Master</emphasis> "
"configuration. In this configuration each OpenLDAP server is configured for "
"both <emphasis>push</emphasis> and <emphasis>pull</emphasis> replication."
#: serverguide/C/network-auth.xml:484(para)
"First, configure the server to sync the <emphasis>cn=config</emphasis> "
"database. Copy the following to a file named <filename>syncrepl_cn-"
"config.ldif</filename>:"
#: serverguide/C/network-auth.xml:489(programlisting)
"dn: cn=module{0},cn=config\n"
"changetype: modify\n"
"add: olcModuleLoad\n"
"olcModuleLoad: syncprov\n"
"changetype: modify\n"
"replace: olcServerID\n"
"olcServerID: 1 ldap://ldap01.example.com\n"
"olcServerID: 2 ldap://ldap02.example.com\n"
"dn: olcOverlay=syncprov,olcDatabase={0}config,cn=config\n"
"changetype: add\n"
"objectClass: olcOverlayConfig\n"
"objectClass: olcSyncProvConfig\n"
"olcOverlay: syncprov\n"
"dn: olcDatabase={0}config,cn=config\n"
"changetype: modify\n"
"add: olcSyncRepl\n"
"olcSyncRepl: rid=001 provider=ldap://ldap01.example.com "
"binddn=\"cn=admin,cn=config\" bindmethod=simple\n"
" credentials=secret searchbase=\"cn=config\" type=refreshAndPersist\n"
" retry=\"5 5 300 5\" timeout=1\n"
"olcSyncRepl: rid=002 provider=ldap://ldap02.example.com "
"binddn=\"cn=admin,cn=config\" bindmethod=simple\n"
" credentials=secret searchbase=\"cn=config\" type=refreshAndPersist\n"
" retry=\"5 5 300 5\" timeout=1\n"
"add: olcMirrorMode\n"
"olcMirrorMode: TRUE\n"
#: serverguide/C/network-auth.xml:524(para)
msgid "Edit the file changing:"
#: serverguide/C/network-auth.xml:530(para)
"<emphasis>ldap://ldap01.example.com</emphasis> and "
"<emphasis>ldap://ldap02.example.com</emphasis> to the hostnames of your LDAP "
#: serverguide/C/network-auth.xml:535(para)
"You can have more than two LDAP servers, and when a change is made to one of "
"them it will by synced to the rest. Be sure to increment the "
"<emphasis>olcServerID</emphasis> for each server, and the "
"<emphasis>rid</emphasis> for each <emphasis>olcSyncRepl</emphasis> entry."
#: serverguide/C/network-auth.xml:543(para)
"And adjust <emphasis>credentials=secret</emphasis> to match your admin "
#: serverguide/C/network-auth.xml:553(para)
"Next, add the LDIF file using the <application>ldapmodify</application> "
#: serverguide/C/network-auth.xml:558(command)
msgid "ldapmodify -x -D cn=admin,cn=config -W -f syncrepl_cn-config.ldif"
#: serverguide/C/network-auth.xml:564(para)
"Copy the <filename>syncrepl_cn-config.ldif</filename> file to the next LDAP "
"server and repeat the <application>ldapmodify</application> command above."
#: serverguide/C/network-auth.xml:572(para)
"Because a new module has been added, the <application>slapd</application> "
"daemon, on all replicated servers, needs to be restarted:"
#: serverguide/C/network-auth.xml:578(command) serverguide/C/network-auth.xml:778(command) serverguide/C/network-auth.xml:882(command)
msgid "sudo /etc/init.d/slapd restart"
#: serverguide/C/network-auth.xml:584(para)
"Now that the configuration database is synced between servers, the "
"<emphasis>backend</emphasis> database needs to be synced as well. Copy and "
"paste the following into another LDIF file named "
"<filename>syncrepl_backend.ldif</filename>:"
#: serverguide/C/network-auth.xml:590(programlisting)
"dn: olcDatabase={1}hdb,cn=config\n"
"changetype: modify\n"
"olcRootDN: cn=admin,dc=example,dc=com\n"
"add: olcSyncRepl\n"
"olcSyncRepl: rid=003 provider=ldap://ldap01.example.com "
"binddn=\"cn=admin,dc=example,dc=com\" \n"
" bindmethod=simple credentials=secret searchbase=\"dc=example,dc=com\" "
"type=refreshOnly \n"
" interval=00:00:00:10 retry=\"5 5 300 5\" timeout=1\n"
"olcSyncRepl: rid=004 provider=ldap://ldap02.example.com "
"binddn=\"cn=admin,dc=example,dc=com\" \n"
" bindmethod=simple credentials=secret searchbase=\"dc=example,dc=com\" "
"type=refreshOnly \n"
" interval=00:00:00:10 retry=\"5 5 300 5\" timeout=1\n"
"add: olcMirrorMode\n"
"olcMirrorMode: TRUE\n"
"dn: olcOverlay=syncprov,olcDatabase={1}hdb,cn=config\n"
"changetype: add\n"
"objectClass: olcOverlayConfig\n"
"objectClass: olcSyncProvConfig\n"
"olcOverlay: syncprov\n"
#: serverguide/C/network-auth.xml:617(para)
msgid "Like the previous LDIF file, edit this one changing:"
#: serverguide/C/network-auth.xml:623(para)
"<emphasis>searchbase=\"dc=example,dc=com\"</emphasis> to your directory's "
#: serverguide/C/network-auth.xml:628(para)
"If you use a different admin user, change "
"<emphasis>binddn=\"cn=admin,dc=example,dc=com\"</emphasis>."
#: serverguide/C/network-auth.xml:633(para)
"Also, replace <emphasis>credentials=secret</emphasis> with your admin "
#: serverguide/C/network-auth.xml:642(para)
msgid "Add the LDIF file:"
#: serverguide/C/network-auth.xml:647(command)
msgid "ldapmodify -x -D cn=admin,cn=config -W -f syncrepl_backend.ldif"
#: serverguide/C/network-auth.xml:650(para)
"Because the servers' configuration is already synced there is no need to "
"copy this LDIF file to the other servers."
#: serverguide/C/network-auth.xml:658(para)
"The configuration and backend databases should now sycnc to the other "
"servers. You can add additional servers using the "
"<application>ldapmodify</application> utility as the need arises. See <xref "
"linkend=\"openldap-configuration\"/> for details."
#: serverguide/C/network-auth.xml:668(programlisting)
msgid "127.0.0.1\tldap01.example.com ldap01"
#: serverguide/C/network-auth.xml:664(para)
"The <application>slapd</application> daemon will send log information to "
"<filename>/var/log/syslog</filename> by default. So if all does "
"<emphasis>not</emphasis> go well check there for errors and other "
"troubleshooting information. Also, be sure that each server knows it's Fully "
"Qualified Domain Name (FQDN). This is configured in "
"<filename>/etc/hosts</filename> with a line similar to: <placeholder-1/>."
#: serverguide/C/network-auth.xml:675(title)
msgid "Setting up ACL"
#: serverguide/C/network-auth.xml:677(para)
"Authentication requires access to the password field, that should be not "
"accessible by default. Also, in order for users to change their own "
"password, using <command>passwd</command> or other utilities, "
"<emphasis>shadowLastChange</emphasis> needs to be accessible once a user has "
#: serverguide/C/network-auth.xml:684(para)
"To view the Access Control List (ACL), use the "
"<application>ldapsearch</application> utility:"
#: serverguide/C/network-auth.xml:689(command)
"ldapsearch -xLLL -b cn=config -D cn=admin,cn=config -W olcDatabase=hdb "
#: serverguide/C/network-auth.xml:693(computeroutput)
"Enter LDAP Password: \n"
"dn: olcDatabase={1}hdb,cn=config\n"
"olcAccess: {0}to attrs=userPassword,shadowLastChange by "
"dn=\"cn=admin,dc=exampl\n"
" e,dc=com\" write by anonymous auth by self write by * none\n"
"olcAccess: {1}to dn.base=\"\" by * read\n"
"olcAccess: {2}to * by dn=\"cn=admin,dc=example,dc=com\" write by * read\n"
#: serverguide/C/network-auth.xml:705(title)
msgid "TLS and SSL"
#: serverguide/C/network-auth.xml:707(para)
"When authenticating to an OpenLDAP server it is best to do so using an "
"encrypted session. This can be accomplished using Transport Layer Security "
"(TLS) and/or Secure Sockets Layer (SSL)."
#: serverguide/C/network-auth.xml:712(para)
"The first step in the process is to obtain or create a "
"<emphasis>certificate</emphasis>. See <xref linkend=\"certificates-and-"
"security\"/> and <xref linkend=\"certificate-authority\"/> for details."
#: serverguide/C/network-auth.xml:717(para)
"Once you have a certificate, key, and CA cert installed, use "
"<application>ldapmodify</application> to add the new configuration options:"
#: serverguide/C/network-auth.xml:728(userinput)
"add: olcTLSCACertificateFile\n"
"olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem\n"
"add: olcTLSCertificateFile\n"
"olcTLSCertificateFile: /etc/ssl/certs/server.crt\n"
"add: olcTLSCertificateKeyFile\n"
"olcTLSCertificateKeyFile: /etc/ssl/private/server.key"
#: serverguide/C/network-auth.xml:727(computeroutput)
"Enter LDAP Password:\n"
"<placeholder-1/>\n"
"modifying entry \"cn=config\"\n"
#: serverguide/C/network-auth.xml:743(para)
"Adjust the <filename>server.crt</filename>, <filename>server.key</filename>, "
"and <filename>cacert.pem</filename> names if yours are different."
#: serverguide/C/network-auth.xml:749(para)
"Next, edit <filename>/etc/default/slapd</filename> uncomment the "
"<emphasis>SLAPD_SERVICES</emphasis> option:"
#: serverguide/C/network-auth.xml:753(programlisting)
"SLAPD_SERVICES=\"ldap:/// ldapi:/// ldaps:///\"\n"
#: serverguide/C/network-auth.xml:757(para)
"Now the <emphasis>openldap</emphasis> user needs access to the certificate:"
#: serverguide/C/network-auth.xml:762(command)
msgid "sudo adduser openldap ssl-cert"
#: serverguide/C/network-auth.xml:763(command)
msgid "sudo chgrp ssl-cert /etc/ssl/private/server.key"
#: serverguide/C/network-auth.xml:767(para)
"If the <filename role=\"directory\">/etc/ssl/private</filename> and "
"<filename>/etc/ssl/private/server.key</filename> have different permissions, "
"adjust the commands appropriately."
#: serverguide/C/network-auth.xml:773(para)
msgid "Finally, restart <application>slapd</application>:"
#: serverguide/C/network-auth.xml:781(para)
"The <application>slapd</application> daemon should now be listening for "
"LDAPS connections and be able to use STARTTLS during authentication."
#: serverguide/C/network-auth.xml:787(title)
msgid "TLS Replication"
#: serverguide/C/network-auth.xml:789(para)
"If you have setup <application>Syncrepl</application> between servers, it is "
"prudent to encrypt the replication traffic using <emphasis>Transport Layer "
"Security (TLS)</emphasis>. For details on setting up replication see <xref "
"linkend=\"openldap-server-replication\"/>."
#: serverguide/C/network-auth.xml:795(para)
"After setting up replication, and following the instructions in <xref "
"linkend=\"openldap-tls\"/>, there are a couple of consequences that should "
#: serverguide/C/network-auth.xml:802(para)
"The configuration only needs to be modified on <emphasis>one</emphasis> "
#: serverguide/C/network-auth.xml:807(para)
"The path names for the <emphasis>certificate</emphasis> and "
"<emphasis>key</emphasis> must be the same on all servers."
#: serverguide/C/network-auth.xml:814(para)
"So on each replicated server: install a certificate, edit "
"<filename>/etc/default/slapd</filename>, and restart "
"<application>slapd</application>."
#: serverguide/C/network-auth.xml:819(para)
"Once <emphasis>TLS</emphasis> has been setup on each server, modify the "
"<emphasis>cn=config</emphasis> replication by entering the following in a "
#: serverguide/C/network-auth.xml:830(userinput)
"dn: olcDatabase={0}config,cn=config\n"
"replace: olcSyncrepl\n"
"olcSyncrepl: {0}rid=001 provider=ldap://ldap01.example.com "
"binddn=\"cn=admin,cn\n"
" =config\" bindmethod=simple credentials=secret searchbase=\"cn=config\" "
" shAndPersist retry=\"5 5 300 5\" timeout=1 starttls=yes\n"
"olcSyncrepl: {1}rid=002 provider=ldap://ldap02.example.com "
"binddn=\"cn=admin,cn\n"
" =config\" bindmethod=simple credentials=secret searchbase=\"cn=config\" "
" shAndPersist retry=\"5 5 300 5\" timeout=1 starttls=yes"
#: serverguide/C/network-auth.xml:829(computeroutput)
"Enter LDAP Password: \n"
"<placeholder-1/>\n"
"modifying entry \"olcDatabase={0}config,cn=config\"\n"
#: serverguide/C/network-auth.xml:843(para)
msgid "Now adjust the <emphasis>backend</emphasis> database replication:"
#: serverguide/C/network-auth.xml:853(userinput)
"dn: olcDatabase={1}hdb,cn=config\n"
"replace: olcSyncrepl\n"
"olcSyncrepl: {0}rid=003 provider=ldap://ldap01.example.com "
"binddn=\"cn=admin,dc=example,dc=\n"
" com\" bindmethod=simple credentials=secret searchbase=\"dc=example,dc=com\" "
" efreshOnly interval=00:00:00:10 retry=\"5 5 300 5\" timeout=1 starttls=yes\n"
"olcSyncrepl: {1}rid=004 provider=ldap://ldap02.example.com "
"binddn=\"cn=admin,dc=example,dc=\n"
" com\" bindmethod=simple credentials=secret searchbase=\"dc=example,dc=com\" "
" efreshOnly interval=00:00:00:10 retry=\"5 5 300 5\" timeout=1 starttls=yes"
#: serverguide/C/network-auth.xml:852(computeroutput) serverguide/C/network-auth.xml:2406(computeroutput)
"Enter LDAP Password:\n"
"<placeholder-1/>\n"
"modifying entry \"olcDatabase={1}hdb,cn=config\""
#: serverguide/C/network-auth.xml:865(para)
"If the LDAP server hostname does not match the Fully Qualified Domain Name "
"(FQDN) in the certificate, you may have to edit "
"<filename>/etc/ldap/ldap.conf</filename> and add the following TLS options:"
#: serverguide/C/network-auth.xml:870(programlisting)
"TLS_CERT /etc/ssl/certs/server.crt\n"
"TLS_KEY /etc/ssl/private/server.key\n"
"TLS_CACERT /etc/ssl/certs/cacert.pem\n"
#: serverguide/C/network-auth.xml:877(para)
"Finally, restart <application>slapd</application> on each of the servers:"
#: serverguide/C/network-auth.xml:890(title)
msgid "LDAP Authentication"
#: serverguide/C/network-auth.xml:892(para)
"Once you have a working LDAP server, the <application>auth-client-"
"config</application> and <application>libnss-ldap</application> packages "
"take the pain out of configuring an Ubuntu client to authenticate using "
"LDAP. To install the packages from, a terminal prompt enter:"
#: serverguide/C/network-auth.xml:899(command)
msgid "sudo apt-get install libnss-ldap"
#: serverguide/C/network-auth.xml:902(para)
"During the install a menu dialog will ask you connection details about your "
#: serverguide/C/network-auth.xml:906(para)
"If you make a mistake when entering your information you can execute the "
"dialog again using:"
#: serverguide/C/network-auth.xml:911(command)
msgid "sudo dpkg-reconfigure ldap-auth-config"
#: serverguide/C/network-auth.xml:914(para)
"The results of the dialog can be seen in "
"<filename>/etc/ldap.conf</filename>. If your server requires options not "
"covered in the menu edit this file accordingly."
#: serverguide/C/network-auth.xml:919(para)
"Now that <application>libnss-ldap</application> is configured enable the "
11991
"<application>auth-client-config</application> LDAP profile by entering:"
11994
#: serverguide/C/network-auth.xml:925(command)
11995
msgid "sudo auth-client-config -t nss -p lac_ldap"
11998
#: serverguide/C/network-auth.xml:930(para)
"<emphasis>-t:</emphasis> only modifies "
"<filename>/etc/nsswitch.conf</filename>."
#: serverguide/C/network-auth.xml:935(para)
msgid "<emphasis>-p:</emphasis> name of the profile to enable, disable, etc."
#: serverguide/C/network-auth.xml:940(para)
"<emphasis>lac_ldap:</emphasis> the <application>auth-client-"
"config</application> profile that is part of the <application>ldap-auth-"
"config</application> package."
#: serverguide/C/network-auth.xml:947(para)
"Using the <application>pam-auth-update</application> utility, configure the "
"system to use LDAP for authentication:"
#: serverguide/C/network-auth.xml:952(command)
msgid "sudo pam-auth-update"
#: serverguide/C/network-auth.xml:955(para)
"From the <application>pam-auth-update</application> menu, choose LDAP and "
"any other authentication mechanisms you need."
#: serverguide/C/network-auth.xml:959(para)
"You should now be able to login using user credentials stored in the LDAP "
#: serverguide/C/network-auth.xml:964(para)
"If you are going to use LDAP to store Samba users you will need to configure "
"the server to authenticate using LDAP. See <xref linkend=\"samba-ldap\"/> "
#: serverguide/C/network-auth.xml:972(title)
msgid "User and Group Management"
#: serverguide/C/network-auth.xml:974(para)
"The <application>ldap-utils</application> package comes with multiple "
"utilities to manage the directory, but the long string of options needed, "
"can make them a burden to use. The <application>ldapscripts</application> "
"package contains configurable scripts to easily manage LDAP users and groups."
#: serverguide/C/network-auth.xml:980(para)
msgid "To install the package, from a terminal enter:"
#: serverguide/C/network-auth.xml:985(command)
msgid "sudo apt-get install ldapscripts"
#: serverguide/C/network-auth.xml:988(para)
"Next, edit the config file "
"<filename>/etc/ldapscripts/ldapscripts.conf</filename> uncommenting and "
"changing the following to match your environment:"
#: serverguide/C/network-auth.xml:993(programlisting)
"SERVER=localhost\n"
"BINDDN='cn=admin,dc=example,dc=com'\n"
"BINDPWDFILE=\"/etc/ldapscripts/ldapscripts.passwd\"\n"
"SUFFIX='dc=example,dc=com'\n"
"GSUFFIX='ou=Groups'\n"
"USUFFIX='ou=People'\n"
"MSUFFIX='ou=Computers'\n"
#: serverguide/C/network-auth.xml:1006(para)
"Now, create the <filename>ldapscripts.passwd</filename> file to allow "
"authenticated access to the directory:"
#: serverguide/C/network-auth.xml:1011(command)
"sudo sh -c \"echo -n 'secret' > /etc/ldapscripts/ldapscripts.passwd\""
#: serverguide/C/network-auth.xml:1012(command)
msgid "sudo chmod 400 /etc/ldapscripts/ldapscripts.passwd"
#: serverguide/C/network-auth.xml:1016(para)
"Replace <quote>secret</quote> with the actual password for your LDAP admin "
#: serverguide/C/network-auth.xml:1021(para)
"The <application>ldapscripts</application> are now ready to help manage your "
"directory. The following are some examples of how to use the scripts:"
#: serverguide/C/network-auth.xml:1028(para)
msgid "Create a new user:"
#: serverguide/C/network-auth.xml:1032(command)
msgid "sudo ldapadduser george example"
#: serverguide/C/network-auth.xml:1034(para)
"This will create a user with uid <emphasis role=\"italic\">george</emphasis> "
"and set the user's primary group (gid) to <emphasis "
"role=\"italic\">example</emphasis>"
#: serverguide/C/network-auth.xml:1040(para)
msgid "Change a user's password:"
#: serverguide/C/network-auth.xml:1044(command)
msgid "sudo ldapsetpasswd george"
#: serverguide/C/network-auth.xml:1045(computeroutput)
msgid "Changing password for user uid=george,ou=People,dc=example,dc=com"
#: serverguide/C/network-auth.xml:1046(userinput)
msgid "New Password: "
#: serverguide/C/network-auth.xml:1047(userinput)
msgid "New Password (verify): "
#: serverguide/C/network-auth.xml:1051(para)
msgid "Delete a user:"
#: serverguide/C/network-auth.xml:1055(command)
msgid "sudo ldapdeleteuser george"
#: serverguide/C/network-auth.xml:1060(para)
msgid "Add a group:"
#: serverguide/C/network-auth.xml:1064(command)
msgid "sudo ldapaddgroup qa"
#: serverguide/C/network-auth.xml:1068(para)
msgid "Delete a group:"
#: serverguide/C/network-auth.xml:1072(command)
msgid "sudo ldapdeletegroup qa"
#: serverguide/C/network-auth.xml:1076(para)
msgid "Add a user to a group:"
#: serverguide/C/network-auth.xml:1080(command)
msgid "sudo ldapaddusertogroup george qa"
#: serverguide/C/network-auth.xml:1082(para)
"You should now see a <emphasis>memberUid</emphasis> attribute for the "
"<emphasis role=\"italic\">qa</emphasis> group with a value of <emphasis "
"role=\"italic\">george</emphasis>."
#: serverguide/C/network-auth.xml:1088(para)
msgid "Remove a user from a group:"
#: serverguide/C/network-auth.xml:1092(command)
msgid "sudo ldapdeleteuserfromgroup george qa"
#: serverguide/C/network-auth.xml:1094(para)
"The <emphasis>memberUid</emphasis> attribute should now be removed from the "
"<emphasis role=\"italic\">qa</emphasis> group."
#: serverguide/C/network-auth.xml:1100(para)
"The <application>ldapmodifyuser</application> script allows you to add, "
"remove, or replace a user's attributes. The script uses the same syntax as "
"the <application>ldapmodify</application> utility. For example:"
#: serverguide/C/network-auth.xml:1105(command)
msgid "sudo ldapmodifyuser george"
#: serverguide/C/network-auth.xml:1106(computeroutput)
"# About to modify the following entry :\n"
"dn: uid=george,ou=People,dc=example,dc=com\n"
"objectClass: account\n"
"objectClass: posixAccount\n"
"uidNumber: 1001\n"
"gidNumber: 1001\n"
"homeDirectory: /home/george\n"
"loginShell: /bin/bash\n"
"description: User account\n"
"userPassword:: e1NTSEF9eXFsTFcyWlhwWkF1eGUybVdFWHZKRzJVMjFTSG9vcHk=\n"
"# Enter your modifications here, end with CTRL-D.\n"
"dn: uid=george,ou=People,dc=example,dc=com"
#: serverguide/C/network-auth.xml:1122(userinput)
"gecos: George Carlin"
#: serverguide/C/network-auth.xml:1125(para)
"The user's <emphasis>gecos</emphasis> should now be <quote>George "
#: serverguide/C/network-auth.xml:1130(para)
"Another great feature of <application>ldapscripts</application>, is the "
"template system. Templates allow you to customize the attributes of user, "
"group, and machine objectes. For example, to enable the "
"<emphasis>user</emphasis> template edit "
"<filename>/etc/ldapscripts/ldapscripts.conf</filename> changing:"
#: serverguide/C/network-auth.xml:1137(programlisting)
"UTEMPLATE=\"/etc/ldapscripts/ldapadduser.template\"\n"
#: serverguide/C/network-auth.xml:1141(para)
"There are <emphasis role=\"italic\">sample</emphasis> templates in the "
"<filename>/etc/ldapscripts</filename> directory. Copy or rename the "
"<filename>ldapadduser.template.sample</filename> file to "
"<filename>/etc/ldapscripts/ldapadduser.template</filename>:"
#: serverguide/C/network-auth.xml:1148(command)
"sudo cp /etc/ldapscripts/ldapadduser.template.sample "
"/etc/ldapscripts/ldapadduser.template"
#: serverguide/C/network-auth.xml:1151(para)
"Edit the new template to add the desired attributes. The following will "
"create new user's as with an <emphasis>objectClass</emphasis> of "
"<emphasis>inetOrgPerson</emphasis>:"
#: serverguide/C/network-auth.xml:1156(programlisting)
"dn: uid=<user>,<usuffix>,<suffix>\n"
"objectClass: inetOrgPerson\n"
"objectClass: posixAccount\n"
"cn: <user>\n"
"sn: <ask>\n"
"uid: <user>\n"
"uidNumber: <uid>\n"
"gidNumber: <gid>\n"
"homeDirectory: <home>\n"
"loginShell: <shell>\n"
"gecos: <user>\n"
"description: User account\n"
"title: Employee\n"
#: serverguide/C/network-auth.xml:1172(para)
"Notice the <emphasis><ask></emphasis> option used for the "
"<emphasis>cn</emphasis> value. Using <ask> will configure "
"<application>ldapadduser</application> to prompt you for the attribute value "
"during user creation."
#: serverguide/C/network-auth.xml:1180(para)
"There are more useful scripts in the package, to see a full list enter: "
"<command>dpkg -L ldapscripts | grep bin</command>"
#: serverguide/C/network-auth.xml:1189(para)
"For more information see <ulink url=\"http://www.openldap.org/\">OpenLDAP "
"Home Page</ulink>"
#: serverguide/C/network-auth.xml:1194(para)
"Though starting to show it's age, a great source for in depth LDAP "
"information is O'Reilly's <ulink "
"url=\"http://www.oreilly.com/catalog/ldapsa/\">LDAP System "
"Administration</ulink>"
#: serverguide/C/network-auth.xml:1200(para)
"Packt's <ulink url=\"http://www.packtpub.com/OpenLDAP-Developers-Server-Open-"
"Source-Linux/book\">Mastering OpenLDAP</ulink> is a great reference covering "
"newer versions of OpenLDAP."
#: serverguide/C/network-auth.xml:1206(para)
"For more information on <application>auth-client-config</application> see "
"the man page: <command>man auth-client-config</command>."
#: serverguide/C/network-auth.xml:1211(para)
"For more details regarding the <application>ldapscripts</application> "
"package see the man pages: <command>man ldapscripts</command>, <command>man "
"ldapadduser</command>, <command>man ldapaddgroup</command>, etc."
#: serverguide/C/network-auth.xml:1221(title)
msgid "Samba and LDAP"
#: serverguide/C/network-auth.xml:1223(para)
"This section covers configuring Samba to use LDAP for user, group, and "
"machine account information and authentication. The assumption is, you "
"already have a working OpenLDAP directory installed and the server is "
"configured to use it for authentication. See <xref linkend=\"openldap-"
"server\"/> and <xref linkend=\"openldap-auth-config\"/> for details on "
"setting up OpenLDAP."
#: serverguide/C/network-auth.xml:1232(para)
"There are three packages needed when integrating Samba with LDAP. "
"<application>samba</application>, <application>samba-doc</application>, and "
"<application>smbldap-tools</application> packages . To install the packages, "
"from a terminal enter:"
#: serverguide/C/network-auth.xml:1238(command)
msgid "sudo apt-get install samba samba-doc smbldap-tools"
#: serverguide/C/network-auth.xml:1241(para)
"Strictly speaking the <application>smbldap-tools</application> package isn't "
"needed, but unless you have another package or custom scripts, a method of "
"managing users, groups, and computer accounts is needed."
#: serverguide/C/network-auth.xml:1248(title)
msgid "OpenLDAP Configuration"
#: serverguide/C/network-auth.xml:1250(para)
"In order for Samba to use OpenLDAP as a <emphasis>passdb backend</emphasis>, "
"the user objects in the directory will need additional attributes. This "
"section assumes you want Samba to be configured as a Windows NT domain "
"controller, and will add the necessary LDAP objects and attributes."
#: serverguide/C/network-auth.xml:1258(para)
"The Samba attributes are defined in the <filename>samba.schema</filename> "
"file which is part of the <application>samba-doc</application> package. The "
"schema file needs to be unzipped and copied to "
"<filename>/etc/ldap/schema</filename>. From a terminal prompt enter:"
#: serverguide/C/network-auth.xml:1265(command)
"sudo cp /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz "
"/etc/ldap/schema/"
#: serverguide/C/network-auth.xml:1266(command)
msgid "sudo gzip -d /etc/ldap/schema/samba.schema.gz"
#: serverguide/C/network-auth.xml:1272(para)
"The <emphasis>samba</emphasis> schema needs to be added to the "
"<emphasis>cn=config</emphasis> tree. The procedure to add a new schema to "
"<application>slapd</application> is also detailed in <xref "
"linkend=\"openldap-configuration\"/>."
#: serverguide/C/network-auth.xml:1280(para) serverguide/C/network-auth.xml:2305(para)
"First, create a configuration file named "
"<filename>schema_convert.conf</filename>, or a similar descriptive name, "
"containing the following lines:"
#: serverguide/C/network-auth.xml:1285(programlisting)
"include /etc/ldap/schema/core.schema\n"
"include /etc/ldap/schema/collective.schema\n"
"include /etc/ldap/schema/corba.schema\n"
"include /etc/ldap/schema/cosine.schema\n"
"include /etc/ldap/schema/duaconf.schema\n"
"include /etc/ldap/schema/dyngroup.schema\n"
"include /etc/ldap/schema/inetorgperson.schema\n"
"include /etc/ldap/schema/java.schema\n"
"include /etc/ldap/schema/misc.schema\n"
"include /etc/ldap/schema/nis.schema\n"
"include /etc/ldap/schema/openldap.schema\n"
"include /etc/ldap/schema/ppolicy.schema\n"
"include /etc/ldap/schema/samba.schema\n"
#: serverguide/C/network-auth.xml:1315(para) serverguide/C/network-auth.xml:2340(para)
"Now use <application>slaptest</application> to convert the schema files:"
#: serverguide/C/network-auth.xml:1323(para) serverguide/C/network-auth.xml:2348(para)
"Change the above file and path names to match your own if they are different."
#: serverguide/C/network-auth.xml:1330(para)
"Edit the generated "
"<filename>/tmp/ldif_output/cn=config/cn=schema/cn={12}samba.ldif</filename> "
"file, changing the following attributes:"
#: serverguide/C/network-auth.xml:1335(programlisting)
"dn: cn=samba,cn=schema,cn=config\n"
#: serverguide/C/network-auth.xml:1345(programlisting)
"structuralObjectClass: olcSchemaConfig\n"
"entryUUID: b53b75ca-083f-102d-9fff-2f64fd123c95\n"
"creatorsName: cn=config\n"
"createTimestamp: 20080827045234Z\n"
"entryCSN: 20080827045234.341425Z#000000#000#000000\n"
"modifiersName: cn=config\n"
"modifyTimestamp: 20080827045234Z\n"
#: serverguide/C/network-auth.xml:1370(command)
"ldapadd -x -D cn=admin,cn=config -W -f /tmp/ldif_output/cn\\=config/cn\\"
"=schema/cn\\=\\{12\\}samba.ldif"
#: serverguide/C/network-auth.xml:1376(para)
"There should now be a <emphasis>dn: "
"cn={X}misc,cn=schema,cn=config</emphasis>, where \"X\" is the next "
"sequential schema, entry in the cn=config tree."
#: serverguide/C/network-auth.xml:1384(para)
"Copy and paste the following into a file named "
"<filename>samba_indexes.ldif</filename>:"
#: serverguide/C/network-auth.xml:1388(programlisting)
"dn: olcDatabase={1}hdb,cn=config\n"
"changetype: modify\n"
"add: olcDbIndex\n"
"olcDbIndex: uidNumber eq\n"
"olcDbIndex: gidNumber eq\n"
"olcDbIndex: loginShell eq\n"
"olcDbIndex: uid eq,pres,sub\n"
"olcDbIndex: memberUid eq,pres,sub\n"
"olcDbIndex: uniqueMember eq,pres\n"
"olcDbIndex: sambaSID eq\n"
"olcDbIndex: sambaPrimaryGroupSID eq\n"
"olcDbIndex: sambaGroupType eq\n"
"olcDbIndex: sambaSIDList eq\n"
"olcDbIndex: sambaDomainName eq\n"
"olcDbIndex: default sub\n"
#: serverguide/C/network-auth.xml:1406(para)
"Using the <application>ldapmodify</application> utility load the new indexes:"
#: serverguide/C/network-auth.xml:1411(command)
msgid "ldapmodify -x -D cn=admin,cn=config -W -f samba_indexes.ldif"
#: serverguide/C/network-auth.xml:1413(para)
"If all went well you should see the new indexes using "
"<application>ldapsearch</application>:"
#: serverguide/C/network-auth.xml:1418(command)
"ldapsearch -xLLL -D cn=admin,cn=config -x -b cn=config -W olcDatabase={1}hdb"
#: serverguide/C/network-auth.xml:1424(para)
"Next, configure the <application>smbldap-tools</application> package to "
"match your environment. The package comes with a configuration script that "
"will ask questions about the needed options. To run the script enter:"
#: serverguide/C/network-auth.xml:1430(command)
msgid "sudo gzip -d /usr/share/doc/smbldap-tools/configure.pl.gz"
#: serverguide/C/network-auth.xml:1431(command)
msgid "sudo perl /usr/share/doc/smbldap-tools/configure.pl"
#: serverguide/C/network-auth.xml:1434(para)
"Once you have answered the questions, there should be <filename>/etc/smbldap-"
"tools/smbldap.conf</filename> and <filename>/etc/smbldap-"
"tools/smbldap_bind.conf</filename> files. These files are generated by the "
"configure script, so if you made any mistakes while executing the script it "
"may be simpler to edit the file appropriately."
#: serverguide/C/network-auth.xml:1444(para)
"The <application>smbldap-populate</application> script will add the "
"necessary users, groups, and LDAP objects required for Samba. It is a good "
"idea to make a backup LDAP Data Interchange Format (LDIF) file with "
"<application>slapcat</application> before executing the command:"
#: serverguide/C/network-auth.xml:1451(command)
msgid "sudo slapcat -l backup.ldif"
#: serverguide/C/network-auth.xml:1457(para)
"Once you have a current backup execute <application>smbldap-"
"populate</application> by entering:"
#: serverguide/C/network-auth.xml:1462(command)
msgid "sudo smbldap-populate"
#: serverguide/C/network-auth.xml:1466(para)
"You can create an LDIF file containing the new Samba objects by executing "
"<command>sudo smbldap-populate -e samba.ldif</command>. This allows you to "
"look over the changes making sure everything is correct."
#: serverguide/C/network-auth.xml:1474(para)
"Your LDAP directory now has the necessary domain information to authenticate "
#: serverguide/C/network-auth.xml:1480(title)
msgid "Samba Configuration"
#: serverguide/C/network-auth.xml:1482(para)
"There a multiple ways to configure Samba for details on some common "
"configurations see <xref linkend=\"windows-networking\"/>. To configure "
"Samba to use LDAP, edit the main Samba configuration file "
"<filename>/etc/samba/smb.conf</filename> commenting the <emphasis>passdb "
"backend</emphasis> option and adding the following:"
#: serverguide/C/network-auth.xml:1488(programlisting)
"# passdb backend = tdbsam\n"
"# LDAP Settings\n"
" passdb backend = ldapsam:ldap://hostname\n"
" ldap suffix = dc=example,dc=com\n"
" ldap user suffix = ou=People\n"
" ldap group suffix = ou=Groups\n"
" ldap machine suffix = ou=Computers\n"
" ldap idmap suffix = ou=Idmap\n"
" ldap admin dn = cn=admin,dc=example,dc=com\n"
" ldap ssl = start tls\n"
" ldap passwd sync = yes\n"
" add machine script = sudo /usr/sbin/smbldap-useradd -t 0 -w \"%u\"\n"
#: serverguide/C/network-auth.xml:1505(para)
msgid "Restart <application>samba</application> to enable the new settings:"
#: serverguide/C/network-auth.xml:1513(para)
"Now Samba needs to know the LDAP admin password. From a terminal prompt "
#: serverguide/C/network-auth.xml:1518(command)
msgid "sudo smbpasswd -w secret"
#: serverguide/C/network-auth.xml:1522(para)
"Replacing <emphasis role=\"italic\">secret</emphasis> with your LDAP admin "
#: serverguide/C/network-auth.xml:1527(para)
"If you currently have users in LDAP, and you want them to authenticate using "
"Samba, they will need some Samba attributes defined in the "
"<filename>samba.schema</filename> file. Add the Samba attributes to existing "
"users using the <application>smbpasswd</application> utility, replacing "
"<emphasis role=\"italic\">username</emphasis> with an actual user:"
#: serverguide/C/network-auth.xml:1535(command)
msgid "sudo smbpasswd -a username"
#: serverguide/C/network-auth.xml:1538(para)
msgid "You will then be asked to enter the user's password."
#: serverguide/C/network-auth.xml:1542(para)
"To add new user, group, and machine accounts use the utilities from the "
"<application>smbldap-tools</application> package. Here are some examples:"
#: serverguide/C/network-auth.xml:1549(para)
"To add a new user to LDAP with Samba attributes enter the following, "
"replacing username with an actual username:"
#: serverguide/C/network-auth.xml:1553(command)
msgid "sudo smbldap-useradd -a -P username"
#: serverguide/C/network-auth.xml:1555(para)
"The <emphasis>-a</emphasis> option adds the Samba attributes, and the "
"<emphasis>-P</emphasis> options calls the <application>smbldap-"
"passwd</application> utility after the user is created allowing you to enter "
"a password for the user."
#: serverguide/C/network-auth.xml:1561(para)
msgid "To remove a user from the directory enter:"
#: serverguide/C/network-auth.xml:1565(command)
msgid "sudo smbldap-userdel username"
#: serverguide/C/network-auth.xml:1567(para)
"The <application>smbldap-userdel</application> utility also has a <emphasis>-"
"r</emphasis> option to remove the user's home directory."
#: serverguide/C/network-auth.xml:1572(para)
"Use <application>smbldap-groupadd</application> to add a group, replacing "
"groupname with an appropriate group:"
#: serverguide/C/network-auth.xml:1576(command)
msgid "sudo smbldap-groupadd -a groupname"
#: serverguide/C/network-auth.xml:1578(para)
"Similar to <application>smbldap-useradd</application>, the <emphasis>-"
"a</emphasis> adds the Samba attributes."
#: serverguide/C/network-auth.xml:1583(para)
"To add a user to a group use <application>smbldap-groupmod</application>:"
#: serverguide/C/network-auth.xml:1587(command)
msgid "sudo smbldap-groupmod -m username groupname"
#: serverguide/C/network-auth.xml:1589(para)
"Be sure to replace <emphasis>username</emphasis> with a real user. Also, the "
"<emphasis>-m</emphasis> option can add more than one user at a time by "
"listing them in <emphasis>comma separated</emphasis> format."
#: serverguide/C/network-auth.xml:1595(para)
"<application>smbldap-groupmod</application> can also be used to remove a "
"user from a group:"
#: serverguide/C/network-auth.xml:1599(command)
msgid "sudo smbldap-groupmod -x username groupname"
#: serverguide/C/network-auth.xml:1603(para)
"Additionally, the <application>smbldap-useradd</application> utility can add "
"Samba machine accounts:"
#: serverguide/C/network-auth.xml:1607(command)
msgid "sudo smbldap-useradd -t 0 -w username"
#: serverguide/C/network-auth.xml:1609(para)
"Replace <emphasis>username</emphasis> with the name of the workstation. The "
"<emphasis>-t 0</emphasis> option creates the machine account without a "
"delay, while the <emphasis>-w</emphasis> option specifies the user as a "
"machine account. Also, note the <emphasis>add machine script</emphasis> "
"option in <filename>/etc/samba/smb.conf</filename> was changed to use "
"<application>smbldap-useradd</application>."
#: serverguide/C/network-auth.xml:1618(para)
"There are more useful utilities and options in the <application>smbldap-"
"tools</application> package. The man page for each utility provides more "
#: serverguide/C/network-auth.xml:1629(para)
"There are multiple places where LDAP and Samba is documented in the <ulink "
"url=\"http://samba.org/samba/docs/man/Samba-HOWTO-Collection/\">Samba HOWTO "
"Collection</ulink>."
#: serverguide/C/network-auth.xml:1635(para)
"Specifically see the <ulink url=\"http://samba.org/samba/docs/man/Samba-"
"HOWTO-Collection/passdb.html\">passdb section</ulink>."
#: serverguide/C/network-auth.xml:1641(para)
"Another good site is <ulink url=\"http://www.iallanis.info/smbldap-"
"tools/docs/samba-ldap-howto/\">Samba OpenLDAP HOWTO</ulink>."
#: serverguide/C/network-auth.xml:1647(para)
"Again, for more information on <application>smbldap-tools</application> see "
"the man pages: <command>man smbldap-useradd</command>, <command>man smbldap-"
"groupadd</command>, <command>man smbldap-populate</command>, etc."
#: serverguide/C/network-auth.xml:1657(title)
#: serverguide/C/network-auth.xml:1659(para)
"<application>Kerberos</application> is a network authentication system based "
"on the principal of a trusted third party. The other two parties being the "
"user and the service the user wishes to authenticate to. Not all services "
"and applications can use Kerberos, but for those that can, it brings the "
"network environment one step closer to being Single Sign On (SSO)."
#: serverguide/C/network-auth.xml:1665(para)
"This section covers installation and configuration of a Kerberos server, and "
"some example client configurations."
#: serverguide/C/network-auth.xml:1672(para)
"If you are new to Kerberos there are a few terms that are good to understand "
"before setting up a Kerberos server. Most of the terms will relate to things "
"you may be familiar with in other environments:"
#: serverguide/C/network-auth.xml:1679(para)
"<emphasis>Principal:</emphasis> any users, computers, and services provided "
"by servers need to be defined as Kerberos Principals."
#: serverguide/C/network-auth.xml:1684(para)
"<emphasis>Instances:</emphasis> are used for service principals and special "
"administrative principals."
#: serverguide/C/network-auth.xml:1689(para)
"<emphasis>Realms:</emphasis> the unique realm of control provided by the "
"Kerberos installation. Usually the DNS domain converted to uppercase "
#: serverguide/C/network-auth.xml:1695(para)
"<emphasis>Key Distribution Center:</emphasis> (KDC) consist of three parts, "
"a database of all principals, the authentication server, and the ticket "
"granting server. For each realm there must be at least one KDC."
#: serverguide/C/network-auth.xml:1701(para)
"<emphasis>Ticket Granting Ticket:</emphasis> issued by the Authentication "
"Server (AS), the Ticket Granting Ticket (TGT) is encrypted in the user's "
"password which is known only to the user and the KDC."
#: serverguide/C/network-auth.xml:1707(para)
"<emphasis>Ticket Granting Server:</emphasis> (TGS) issues service tickets to "
"clients upon request."
#: serverguide/C/network-auth.xml:1712(para)
"<emphasis>Tickets:</emphasis> confirm the identity of the two principals. "
"One principal being a user and the other a service requested by the user. "
"Tickets establish an encryption key used for secure communication during the "
"authenticated session."
#: serverguide/C/network-auth.xml:1718(para)
"<emphasis>Keytab Files:</emphasis> are files extracted from the KDC "
"principal database and contain the encryption key for a service or host."
#: serverguide/C/network-auth.xml:1725(para)
"To put the pieces together, a Realm has at least one KDC, preferably two for "
"redundancy, which contains a database of Principals. When a user principal "
"logs into a workstation, configured for Kerberos authentication, the KDC "
"issues a Ticket Granting Ticket (TGT). If the user supplied credentials "
"match, the user is authenticated and can then request tickets for Kerberized "
"services from the Ticket Granting Server (TGS). The service tickets allow "
"the user to authenticate to the service without entering another username "
#: serverguide/C/network-auth.xml:1734(title)
msgid "Kerberos Server"
#: serverguide/C/network-auth.xml:1738(para)
"Before installing the Kerberos server a properly configured DNS server is "
"needed for your domain. Since the Kerberos Realm by convention matches the "
"domain name, this section uses the <emphasis>example.com</emphasis> domain "
"configured in <xref linkend=\"dns-primarymaster-configuration\"/>."
#: serverguide/C/network-auth.xml:1744(para)
"Also, Kerberos is a time sensitive protocol. So if the local system time "
"between a client machine and the server differs by more than five minutes "
"(by default), the workstation will not be able to authenticate. To correct "
"the problem all hosts should have their time synchronized using the "
"<emphasis>Network Time Protocol (NTP)</emphasis>. For details on setting up "
"NTP see <xref linkend=\"NTP\"/>."
#: serverguide/C/network-auth.xml:1751(para)
"The first step in installing a Kerberos Realm is to install the "
"<application>krb5-kdc</application> and <application>krb5-admin-"
"server</application> packages. From a terminal enter:"
#: serverguide/C/network-auth.xml:1757(command) serverguide/C/network-auth.xml:1932(command)
msgid "sudo apt-get install krb5-kdc krb5-admin-server"
#: serverguide/C/network-auth.xml:1760(para)
"You will be asked at the end of the install to supply a name for the "
"Kerberos and Admin servers, which may or may not be the same server, for the "
#: serverguide/C/network-auth.xml:1765(para)
"Next, create the new realm with the <application>kdb5_newrealm</application> "
#: serverguide/C/network-auth.xml:1770(command)
msgid "sudo krb5_newrealm"
#: serverguide/C/network-auth.xml:1777(para)
"The questions asked during installation are used to configure the "
"<filename>/etc/krb5.conf</filename> file. If you need to adjust the Key "
"Distribution Center (KDC) settings simply edit the file and restart the "
"<application>krb5-kdc</application> daemon."
#: serverguide/C/network-auth.xml:1785(para)
"Now that the KDC running an admin user is needed. It is recommended to use a "
"different username from your everyday username. Using the "
"<application>kadmin.local</application> utility in a terminal prompt enter:"
#: serverguide/C/network-auth.xml:1791(command) serverguide/C/network-auth.xml:2583(command)
msgid "sudo kadmin.local"
#: serverguide/C/network-auth.xml:1792(computeroutput)
"Authenticating as principal root/admin@EXAMPLE.COM with password.\n"
#: serverguide/C/network-auth.xml:1793(userinput)
msgid " addprinc steve/admin"
#: serverguide/C/network-auth.xml:1794(computeroutput)
"WARNING: no policy specified for steve/admin@EXAMPLE.COM; defaulting to no "
"Enter password for principal \"steve/admin@EXAMPLE.COM\": \n"
"Re-enter password for principal \"steve/admin@EXAMPLE.COM\": \n"
"Principal \"steve/admin@EXAMPLE.COM\" created.\n"
#: serverguide/C/network-auth.xml:1798(userinput)
#: serverguide/C/network-auth.xml:1801(para)
"In the the above example <emphasis role=\"italic\">steve</emphasis> is the "
"<emphasis>Principal</emphasis>, <emphasis role=\"italic\">/admin</emphasis> "
"is an <emphasis>Instance</emphasis>, and <emphasis "
"role=\"italic\">@EXAMPLE.COM</emphasis> signifies the realm. The <emphasis "
"role=\"italic\">\"every day\"</emphasis> Principal would be "
"<emphasis>steve@EXAMPLE.COM</emphasis>, and should have only normal user "
#: serverguide/C/network-auth.xml:1809(para)
13013
"Replace <emphasis>EXAMPLE.COM</emphasis> and <emphasis>steve</emphasis> with "
13014
"your Realm and admin username."
#: serverguide/C/network-auth.xml:1817(para)
"Next, the new admin user needs to have the appropriate Access Control List "
"(ACL) permissions. The permissions are configured in the "
"<filename>/etc/krb5kdc/kadm5.acl</filename> file:"
#: serverguide/C/network-auth.xml:1822(programlisting)
"steve/admin@EXAMPLE.COM *\n"
#: serverguide/C/network-auth.xml:1826(para)
"This entry grants <emphasis>steve/admin</emphasis> the ability to perform "
"any operation on all principals in the realm."
#: serverguide/C/network-auth.xml:1833(para)
"Now restart the <application>krb5-admin-server</application> for the new ACL "
#: serverguide/C/network-auth.xml:1838(command)
msgid "sudo /etc/init.d/krb5-admin-server restart"
#: serverguide/C/network-auth.xml:1844(para)
"The new user principal can be tested using the <application>kinit "
"utility</application>:"
#: serverguide/C/network-auth.xml:1849(command)
msgid "kinit steve/admin"
#: serverguide/C/network-auth.xml:1850(computeroutput)
msgid "steve/admin@EXAMPLE.COM's Password:"
#: serverguide/C/network-auth.xml:1853(para)
"After entering the password, use the <application>klist</application> "
"utility to view information about the Ticket Granting Ticket (TGT):"
#: serverguide/C/network-auth.xml:1859(command) serverguide/C/network-auth.xml:2194(command)
#: serverguide/C/network-auth.xml:1860(computeroutput)
"Credentials cache: FILE:/tmp/krb5cc_1000\n"
" Principal: steve/admin@EXAMPLE.COM\n"
" Issued Expires Principal\n"
"Jul 13 17:53:34 Jul 14 03:53:34 krbtgt/EXAMPLE.COM@EXAMPLE.COM"
#: serverguide/C/network-auth.xml:1867(para)
"You may need to add an entry into the <filename>/etc/hosts</filename> for "
"the KDC. For example:"
#: serverguide/C/network-auth.xml:1871(programlisting)
"192.168.0.1 kdc01.example.com kdc01\n"
#: serverguide/C/network-auth.xml:1875(para)
"Replacing <emphasis>192.168.0.1</emphasis> with the IP address of your KDC."
#: serverguide/C/network-auth.xml:1882(para)
"In order for clients to determine the KDC for the Realm some DNS SRV records "
"are needed. Add the following to "
"<filename>/etc/named/db.example.com</filename>:"
#: serverguide/C/network-auth.xml:1887(programlisting)
"_kerberos._udp.EXAMPLE.COM. IN SRV 1 0 88 kdc01.example.com.\n"
"_kerberos._tcp.EXAMPLE.COM. IN SRV 1 0 88 kdc01.example.com.\n"
"_kerberos._udp.EXAMPLE.COM. IN SRV 10 0 88 kdc02.example.com. \n"
"_kerberos._tcp.EXAMPLE.COM. IN SRV 10 0 88 kdc02.example.com. \n"
"_kerberos-adm._tcp.EXAMPLE.COM. IN SRV 1 0 749 kdc01.example.com.\n"
"_kpasswd._udp.EXAMPLE.COM. IN SRV 1 0 464 kdc01.example.com.\n"
#: serverguide/C/network-auth.xml:1897(para)
"Replace <emphasis>EXAMPLE.COM</emphasis>, <emphasis>kdc01</emphasis>, and "
"<emphasis>kdc02</emphasis> with your domain name, primary KDC, and secondary "
#: serverguide/C/network-auth.xml:1903(para)
"See <xref linkend=\"dns\"/> for detailed instructions on setting up DNS."
#: serverguide/C/network-auth.xml:1910(para)
msgid "Your new Kerberos Realm is now ready to authenticate clients."
#: serverguide/C/network-auth.xml:1917(title)
msgid "Secondary KDC"
#: serverguide/C/network-auth.xml:1919(para)
"Once you have one Key Distribution Center (KDC) on your network, it is good "
"practice to have a Secondary KDC in case the primary becomes unavailable."
#: serverguide/C/network-auth.xml:1927(para)
"First, install the packages, and when asked for the Kerberos and Admin "
"server names enter the name of the Primary KDC:"
#: serverguide/C/network-auth.xml:1938(para)
"Once you have the packages installed, create the Secondary KDC's host "
"principal. From a terminal prompt, enter:"
#: serverguide/C/network-auth.xml:1943(command)
msgid "kadmin -q \"addprinc -randkey host/kdc02.example.com\""
#: serverguide/C/network-auth.xml:1947(para)
"After issuing any <application>kadmin</application> commands you will be "
"prompted for your <emphasis>username/admin@EXAMPLE.COM</emphasis> principal "
#: serverguide/C/network-auth.xml:1956(para)
msgid "Extract the <emphasis>keytab</emphasis> file:"
#: serverguide/C/network-auth.xml:1961(command)
msgid "kadmin -q \"ktadd -k keytab.kdc02 host/kdc02.example.com\""
#: serverguide/C/network-auth.xml:1967(para)
"There should now be a <filename>keytab.kdc02</filename> in the current "
"directory; move the file to <filename>/etc/krb5.keytab</filename>:"
#: serverguide/C/network-auth.xml:1973(command)
msgid "sudo mv keytab.kdc02 /etc/krb5.keytab"
#: serverguide/C/network-auth.xml:1977(para)
"If the path to the <filename>keytab.kdc02</filename> file is different "
"adjust accordingly."
#: serverguide/C/network-auth.xml:1982(para)
"Also, you can list the principals in a Keytab file, which can be useful when "
"troubleshooting, using the <application>klist</application> utility:"
#: serverguide/C/network-auth.xml:1988(command)
msgid "sudo klist -k /etc/krb5.keytab"
#: serverguide/C/network-auth.xml:1994(para)
"Next, there needs to be a <filename>kpropd.acl</filename> file on each KDC "
"that lists all KDCs for the Realm. For example, on both primary and "
"secondary KDC, create <filename>/etc/krb5kdc/kpropd.acl</filename>:"
#: serverguide/C/network-auth.xml:1999(programlisting)
"host/kdc01.example.com@EXAMPLE.COM\n"
"host/kdc02.example.com@EXAMPLE.COM\n"
#: serverguide/C/network-auth.xml:2007(para)
msgid "Create an empty database on the <emphasis>Secondary KDC</emphasis>:"
#: serverguide/C/network-auth.xml:2012(command)
msgid "sudo kdb5_util -s create"
#: serverguide/C/network-auth.xml:2018(para)
"Now start the <application>kpropd</application> daemon, which listens for "
"connections from the <application>kprop</application> utility. "
"<application>kprop</application> is used to transfer dump files:"
#: serverguide/C/network-auth.xml:2025(command)
msgid "sudo kpropd -S"
#: serverguide/C/network-auth.xml:2031(para)
"From a terminal on the <emphasis>Primary KDC</emphasis>, create a dump file "
"of the principal database:"
#: serverguide/C/network-auth.xml:2036(command)
msgid "sudo kdb5_util dump /var/lib/krb5kdc/dump"
#: serverguide/C/network-auth.xml:2042(para)
"Extract the Primary KDC's <emphasis>keytab</emphasis> file and copy it to "
"<filename>/etc/krb5.keytab</filename>:"
#: serverguide/C/network-auth.xml:2047(command)
msgid "kadmin -q \"ktadd -k keytab.kdc01 host/kdc01.example.com\""
#: serverguide/C/network-auth.xml:2048(command)
msgid "sudo mv keytab.kdc01 /etc/krb5.keytab"
#: serverguide/C/network-auth.xml:2052(para)
"Make sure there is a <emphasis>host</emphasis> for "
"<emphasis>kdc01.example.com</emphasis> before extracting the Keytab."
#: serverguide/C/network-auth.xml:2060(para)
"Using the <application>kprop</application> utility push the database to the "
#: serverguide/C/network-auth.xml:2065(command)
msgid "sudo kprop -r EXAMPLE.COM -f /var/lib/krb5kdc/dump kdc02.example.com"
#: serverguide/C/network-auth.xml:2069(para)
"There should be a <emphasis>SUCCEEDED</emphasis> message if the propagation "
"worked. If there is an error message check "
"<filename>/var/log/syslog</filename> on the secondary KDC for more "
#: serverguide/C/network-auth.xml:2075(para)
"You may also want to create a <application>cron</application> job to "
"periodically update the database on the Secondary KDC. For example, the "
"following will push the database every hour:"
#: serverguide/C/network-auth.xml:2080(programlisting)
"# m h dom mon dow command\n"
"0 * * * * /usr/sbin/kdb5_util dump /var/lib/krb5kdc/dump && "
"/usr/sbin/kprop -r EXAMPLE.COM -f /var/lib/krb5kdc/dump kdc02.example.com\n"
#: serverguide/C/network-auth.xml:2088(para)
"Back on the <emphasis>Secondary KDC</emphasis>, create a "
"<emphasis>stash</emphasis> file to hold the Kerberos master key:"
#: serverguide/C/network-auth.xml:2094(command)
msgid "sudo kdb5_util stash"
#: serverguide/C/network-auth.xml:2100(para)
"Finally, start the <application>krb5-kdc</application> daemon on the "
#: serverguide/C/network-auth.xml:2105(command) serverguide/C/network-auth.xml:2713(command)
msgid "sudo /etc/init.d/krb5-kdc start"
#: serverguide/C/network-auth.xml:2111(para)
"The <emphasis>Secondary KDC</emphasis> should now be able to issue tickets "
"for the Realm. You can test this by stopping the <application>krb5-"
"kdc</application> daemon on the Primary KDC, then use "
"<application>kinit</application> to request a ticket. If all goes well you "
"should receive a ticket from the Secondary KDC."
#: serverguide/C/network-auth.xml:2119(title)
msgid "Kerberos Linux Client"
#: serverguide/C/network-auth.xml:2121(para)
"This section covers configuring a Linux system as a "
"<application>Kerberos</application> client. This will allow access to any "
"kerberized services once a user has successfully logged into the system."
#: serverguide/C/network-auth.xml:2129(para)
"In order to authenticate to a Kerberos Realm, the <application>krb5-"
"user</application> and <application>libpam-krb5</application> packages are "
"needed, along with a few others that are not strictly necessary but make "
"life easier. To install the packages enter the following in a terminal "
#: serverguide/C/network-auth.xml:2136(command)
"sudo apt-get install krb5-user libpam-krb5 libpam-ccreds auth-client-config"
#: serverguide/C/network-auth.xml:2139(para)
"The <application>auth-client-config</application> package allows simple "
"configuration of PAM for authentication from multiple sources, and the "
"<application>libpam-ccreds</application> will cache authentication "
"credentials allowing you to log in in case the Key Distribution Center (KDC) "
"is unavailable. This package is also useful for laptops that may "
"authenticate using Kerberos while on the corporate network, but will need to "
"be accessed off the network as well."
#: serverguide/C/network-auth.xml:2150(para)
msgid "To configure the client in a terminal enter:"
#: serverguide/C/network-auth.xml:2155(command)
msgid "sudo dpkg-reconfigure krb5-config"
#: serverguide/C/network-auth.xml:2158(para)
"You will then be prompted to enter the name of the Kerberos Realm. Also, if "
"you don't have DNS configured with Kerberos <emphasis>SRV</emphasis> "
"records, the menu will prompt you for the hostname of the Key Distribution "
"Center (KDC) and Realm Administration server."
#: serverguide/C/network-auth.xml:2164(para)
"The <application>dpkg-reconfigure</application> adds entries to the "
"<filename>/etc/krb5.conf</filename> file for your Realm. You should have "
"entries similar to the following:"
#: serverguide/C/network-auth.xml:2169(programlisting)
" default_realm = EXAMPLE.COM\n"
" EXAMPLE.COM = { \n"
" kdc = 192.168.0.1 \n"
" admin_server = 192.168.0.1\n"
#: serverguide/C/network-auth.xml:2180(para)
"You can test the configuration by requesting a ticket using the "
"<application>kinit</application> utility. For example:"
#: serverguide/C/network-auth.xml:2185(command)
msgid "kinit steve@EXAMPLE.COM"
#: serverguide/C/network-auth.xml:2186(computeroutput)
msgid "Password for steve@EXAMPLE.COM:"
#: serverguide/C/network-auth.xml:2189(para)
"When a ticket has been granted, the details can be viewed using "
"<application>klist</application>:"
#: serverguide/C/network-auth.xml:2195(computeroutput)
"Ticket cache: FILE:/tmp/krb5cc_1000\n"
"Default principal: steve@EXAMPLE.COM\n"
"Valid starting Expires Service principal\n"
"07/24/08 05:18:56 07/24/08 15:18:56 krbtgt/EXAMPLE.COM@EXAMPLE.COM\n"
" renew until 07/25/08 05:18:57\n"
"Kerberos 4 ticket cache: /tmp/tkt1000\n"
"klist: You have no tickets cached"
#: serverguide/C/network-auth.xml:2207(para)
"Next, use the <application>auth-client-config</application> to configure the "
"<application>libpam-krb5</application> module to request a ticket during "
#: serverguide/C/network-auth.xml:2213(command)
msgid "sudo auth-client-config -a -p kerberos_example"
#: serverguide/C/network-auth.xml:2216(para)
"You should now receive a ticket upon successful login authentication."
#: serverguide/C/network-auth.xml:2227(para)
"For more information on Kerberos see the <ulink "
"url=\"http://web.mit.edu/Kerberos/\">MIT Kerberos</ulink> site."
#: serverguide/C/network-auth.xml:2232(para)
"O'Reilly's <ulink "
"url=\"http://oreilly.com/catalog/9780596004033/\">Kerberos: The Definitive "
"Guide</ulink> is a great reference when setting up Kerberos."
#: serverguide/C/network-auth.xml:2238(para)
"Also, feel free to stop by the <emphasis>#ubuntu-server</emphasis> IRC "
"channel on <ulink url=\"http://freenode.net/\">Freenode</ulink> if you have "
"Kerberos questions."
#: serverguide/C/network-auth.xml:2248(title)
msgid "Kerberos and LDAP"
#: serverguide/C/network-auth.xml:2250(para)
"Replicating a Kerberos principal database between two servers can be "
"complicated, and adds an additional user database to your network. "
"Fortunately, MIT Kerberos can be configured to use an "
"<application>LDAP</application> directory as a principal database. This "
"section covers configuring a primary and secondary kerberos server to use "
"<application>OpenLDAP</application> for the principal database."
#: serverguide/C/network-auth.xml:2258(title)
msgid "Configuring OpenLDAP"
#: serverguide/C/network-auth.xml:2260(para)
"First, the necessary <emphasis>schema</emphasis> needs to be loaded on an "
"<application>OpenLDAP</application> server that has network connectivity to "
"the Primary and Secondary KDCs. The rest of this section assumes that you "
"also have LDAP replication configured between at least two servers. For "
"information on setting up OpenLDAP see <xref linkend=\"openldap-server\"/>."
#: serverguide/C/network-auth.xml:2267(para)
"It is also required to configure OpenLDAP for TLS and SSL connections, so "
"that traffic between the KDC and LDAP server is encrypted. See <xref "
"linkend=\"openldap-tls\"/> for details."
#: serverguide/C/network-auth.xml:2274(para)
"To load the schema into LDAP, on the LDAP server install the "
"<application>krb5-kdc-ldap</application> package. From a terminal enter:"
#: serverguide/C/network-auth.xml:2280(command)
msgid "sudo apt-get install krb5-kdc-ldap"
#: serverguide/C/network-auth.xml:2285(para)
msgid "Next, extract the <filename>kerberos.schema.gz</filename> file:"
#: serverguide/C/network-auth.xml:2290(command)
msgid "sudo gzip -d /usr/share/doc/krb5-kdc-ldap/kerberos.schema.gz"
#: serverguide/C/network-auth.xml:2291(command)
"sudo cp /usr/share/doc/krb5-kdc-ldap/kerberos.schema /etc/ldap/schema/"
#: serverguide/C/network-auth.xml:2297(para)
"The <emphasis>kerberos</emphasis> schema needs to be added to the "
"<emphasis>cn=config</emphasis> tree. The procedure to add a new schema to "
"<application>slapd</application> is also detailed in <xref "
"linkend=\"openldap-configuration\"/>."
#: serverguide/C/network-auth.xml:2310(programlisting)
"include /etc/ldap/schema/core.schema\n"
"include /etc/ldap/schema/collective.schema\n"
"include /etc/ldap/schema/corba.schema\n"
"include /etc/ldap/schema/cosine.schema\n"
"include /etc/ldap/schema/duaconf.schema\n"
"include /etc/ldap/schema/dyngroup.schema\n"
"include /etc/ldap/schema/inetorgperson.schema\n"
"include /etc/ldap/schema/java.schema\n"
"include /etc/ldap/schema/misc.schema\n"
"include /etc/ldap/schema/nis.schema\n"
"include /etc/ldap/schema/openldap.schema\n"
"include /etc/ldap/schema/ppolicy.schema\n"
"include /etc/ldap/schema/kerberos.schema\n"
#: serverguide/C/network-auth.xml:2330(para)
msgid "Create a temporary directory to hold the LDIF files:"
#: serverguide/C/network-auth.xml:2355(para)
"Edit the generated "
"<filename>/tmp/ldif_output/cn=config/cn=schema/cn={12}kerberos.ldif</filename"
"> file, changing the following attributes:"
#: serverguide/C/network-auth.xml:2360(programlisting)
"dn: cn=kerberos,cn=schema,cn=config\n"
#: serverguide/C/network-auth.xml:2366(para)
msgid "And remove the following lines from the end of the file:"
#: serverguide/C/network-auth.xml:2370(programlisting)
"structuralObjectClass: olcSchemaConfig\n"
"entryUUID: 18ccd010-746b-102d-9fbe-3760cca765dc\n"
"creatorsName: cn=config\n"
"createTimestamp: 20090111203515Z\n"
"entryCSN: 20090111203515.326445Z#000000#000#000000\n"
"modifiersName: cn=config\n"
"modifyTimestamp: 20090111203515Z\n"
#: serverguide/C/network-auth.xml:2389(para)
msgid "Load the new schema with <application>ldapadd</application>:"
#: serverguide/C/network-auth.xml:2394(command)
"ldapadd -x -D cn=admin,cn=config -W -f /tmp/ldif_output/cn\\=config/cn\\"
"=schema/cn\\=\\{12\\}kerberos.ldif"
#: serverguide/C/network-auth.xml:2400(para)
"Add an index for the <emphasis>krbPrincipalName</emphasis> attribute:"
#: serverguide/C/network-auth.xml:2407(userinput)
"dn: olcDatabase={1}hdb,cn=config\n"
"add: olcDbIndex\n"
"olcDbIndex: krbPrincipalName eq,pres,sub"
#: serverguide/C/network-auth.xml:2417(para)
msgid "Finally, update the Access Control Lists (ACL):"
#: serverguide/C/network-auth.xml:2424(userinput)
"dn: olcDatabase={1}hdb,cn=config\n"
"replace: olcAccess\n"
"olcAccess: to attrs=userPassword,shadowLastChange,krbPrincipalKey by "
"dn=\"cn=admin,dc=exampl\n"
" e,dc=com\" write by anonymous auth by self write by * none\n"
"olcAccess: to dn.base=\"\" by * read\n"
"olcAccess: to * by dn=\"cn=admin,dc=example,dc=com\" write by * read"
#: serverguide/C/network-auth.xml:2423(computeroutput)
"Enter LDAP Password: \n"
"<placeholder-1/>\n"
"modifying entry \"olcDatabase={1}hdb,cn=config\"\n"
#: serverguide/C/network-auth.xml:2444(para)
"That's it, your LDAP directory is now ready to serve as a Kerberos principal "
#: serverguide/C/network-auth.xml:2450(title)
msgid "Primary KDC Configuration"
#: serverguide/C/network-auth.xml:2452(para)
"With <application>OpenLDAP</application> configured it is time to configure "
#: serverguide/C/network-auth.xml:2458(para)
msgid "First, install the necessary packages, from a terminal enter:"
#: serverguide/C/network-auth.xml:2463(command) serverguide/C/network-auth.xml:2620(command)
msgid "sudo apt-get install krb5-kdc krb5-admin-server krb5-kdc-ldap"
#: serverguide/C/network-auth.xml:2469(para)
"Now edit <filename>/etc/krb5.conf</filename> adding the following options "
"under the appropriate sections:"
#: serverguide/C/network-auth.xml:2473(programlisting)
" default_realm = EXAMPLE.COM\n"
" EXAMPLE.COM = {\n"
" kdc = kdc01.example.com\n"
" kdc = kdc02.example.com\n"
" admin_server = kdc01.example.com\n"
" admin_server = kdc02.example.com\n"
" default_domain = example.com\n"
" database_module = openldap_ldapconf\n"
" .example.com = EXAMPLE.COM\n"
" ldap_kerberos_container_dn = dc=example,dc=com\n"
" openldap_ldapconf = {\n"
" db_library = kldap\n"
" ldap_kdc_dn = \"cn=admin,dc=example,dc=com\"\n"
" # this object needs to have read rights on\n"
" # the realm container, principal container and realm sub-"
" ldap_kadmind_dn = \"cn=admin,dc=example,dc=com\"\n"
" # this object needs to have read and write rights on\n"
" # the realm container, principal container and realm sub-"
" ldap_service_password_file = /etc/krb5kdc/service.keyfile\n"
" ldap_servers = ldaps://ldap01.example.com "
"ldaps://ldap02.example.com\n"
" ldap_conns_per_server = 5\n"
#: serverguide/C/network-auth.xml:2518(para)
"Change <emphasis>example.com</emphasis>, "
"<emphasis>dc=example,dc=com</emphasis>, "
"<emphasis>cn=admin,dc=example,dc=com</emphasis>, and "
"<emphasis>ldap01.example.com</emphasis> to the appropriate domain, LDAP "
"object, and LDAP server for your network."
#: serverguide/C/network-auth.xml:2527(para)
"Next, use the <application>kdb5_ldap_util</application> utility to create "
#: serverguide/C/network-auth.xml:2532(command)
"sudo kdb5_ldap_util -D cn=admin,dc=example,dc=com create -subtrees "
"dc=example,dc=com -r EXAMPLE.COM -s -H ldap://ldap01.example.com"
#: serverguide/C/network-auth.xml:2538(para)
"Create a stash of the password used to bind to the LDAP server. This "
"password is used by the <emphasis>ldap_kdc_dn</emphasis> and "
"<emphasis>ldap_kadmind_dn</emphasis> options in "
"<filename>/etc/krb5.conf</filename>:"
#: serverguide/C/network-auth.xml:2544(command) serverguide/C/network-auth.xml:2682(command)
"sudo kdb5_ldap_util -D cn=admin,dc=example,dc=com stashsrvpw -f "
"/etc/krb5kdc/service.keyfile cn=admin,dc=example,dc=com"
#: serverguide/C/network-auth.xml:2550(para)
msgid "Copy the CA certificate from the LDAP server:"
#: serverguide/C/network-auth.xml:2555(command)
msgid "scp ldap01:/etc/ssl/certs/cacert.pem ."
#: serverguide/C/network-auth.xml:2556(command)
msgid "sudo cp cacert.pem /etc/ssl/certs"
#: serverguide/C/network-auth.xml:2559(para)
"And edit <filename>/etc/ldap/ldap.conf</filename> to use the certificate:"
#: serverguide/C/network-auth.xml:2563(programlisting)
"TLS_CACERT /etc/ssl/certs/cacert.pem\n"
#: serverguide/C/network-auth.xml:2568(para)
"The certificate will also need to be copied to the Secondary KDC, to allow "
"the connection to the LDAP servers using LDAPS."
#: serverguide/C/network-auth.xml:2577(para)
"You can now add Kerberos principals to the LDAP database, and they will be "
"copied to any other LDAP servers configured for replication. To add a "
"principal using the <application>kadmin.local</application> utility enter:"
#: serverguide/C/network-auth.xml:2585(userinput)
msgid "addprinc -x dn=\"uid=steve,ou=people,dc=example,dc=com\" steve"
#: serverguide/C/network-auth.xml:2584(computeroutput)
"Authenticating as principal root/admin@EXAMPLE.COM with password.\n"
"kadmin.local: <placeholder-1/>\n"
"WARNING: no policy specified for steve@EXAMPLE.COM; defaulting to no policy\n"
"Enter password for principal \"steve@EXAMPLE.COM\": \n"
"Re-enter password for principal \"steve@EXAMPLE.COM\": \n"
"Principal \"steve@EXAMPLE.COM\" created."
#: serverguide/C/network-auth.xml:2592(para)
"There should now be krbPrincipalName, krbPrincipalKey, krbLastPwdChange, and "
"krbExtraData attributes added to the "
"<emphasis>uid=steve,ou=people,dc=example,dc=com</emphasis> user object. Use "
"the <application>kinit</application> and <application>klist</application> "
"utilities to test that the user is indeed issued a ticket."
#: serverguide/C/network-auth.xml:2599(para)
"If the user object is already created the <emphasis>-x dn=\"...\"</emphasis> "
"option is needed to add the Kerberos attributes. Otherwise a new "
"<emphasis>principal</emphasis> object will be created in the realm subtree."
#: serverguide/C/network-auth.xml:2607(title)
msgid "Secondary KDC Configuration"
#: serverguide/C/network-auth.xml:2609(para)
"Configuring a Secondary KDC using the LDAP backend is similar to configuring "
"one using the normal Kerberos database."
#: serverguide/C/network-auth.xml:2615(para)
msgid "First, install the necessary packages. In a terminal enter:"
#: serverguide/C/network-auth.xml:2626(para)
"Next, edit <filename>/etc/krb5.conf</filename> to use the LDAP backend:"
#: serverguide/C/network-auth.xml:2630(programlisting)
" default_realm = EXAMPLE.COM\n"
" EXAMPLE.COM = {\n"
" kdc = kdc01.example.com\n"
" kdc = kdc02.example.com\n"
" admin_server = kdc01.example.com\n"
" admin_server = kdc02.example.com\n"
" default_domain = example.com\n"
" database_module = openldap_ldapconf\n"
" .example.com = EXAMPLE.COM\n"
" ldap_kerberos_container_dn = dc=example,dc=com\n"
" openldap_ldapconf = {\n"
" db_library = kldap\n"
" ldap_kdc_dn = \"cn=admin,dc=example,dc=com\"\n"
" # this object needs to have read rights on\n"
" # the realm container, principal container and realm sub-"
" ldap_kadmind_dn = \"cn=admin,dc=example,dc=com\"\n"
" # this object needs to have read and write rights on\n"
" # the realm container, principal container and realm sub-"
" ldap_service_password_file = /etc/krb5kdc/service.keyfile\n"
" ldap_servers = ldaps://ldap01.example.com "
"ldaps://ldap02.example.com\n"
" ldap_conns_per_server = 5\n"
#: serverguide/C/network-auth.xml:2677(para)
msgid "Create the stash for the LDAP bind password:"
#: serverguide/C/network-auth.xml:2688(para)
"Now, on the <emphasis>Primary KDC</emphasis> copy the "
"<filename>/etc/krb5kdc/.k5.EXAMPLE.COM</filename><emphasis>Master "
"Key</emphasis> stash to the Secondary KDC. Be sure to copy the file over an "
"encrypted connection such as <application>scp</application>, or on physical "
#: serverguide/C/network-auth.xml:2695(command)
msgid "sudo scp /etc/krb5kdc/.k5.EXAMPLE.COM steve@kdc02.example.com:~"
#: serverguide/C/network-auth.xml:2696(command)
msgid "sudo mv .k5.EXAMPLE.COM /etc/krb5kdc/"
#: serverguide/C/network-auth.xml:2700(para)
"Again, replace <emphasis>EXAMPLE.COM</emphasis> with your actual realm."
#: serverguide/C/network-auth.xml:2708(para)
msgid "Finally, start the <application>krb5-kdc</application> daemon:"
#: serverguide/C/network-auth.xml:2719(para)
"You now have redundant KDCs on your network, and with redundant LDAP servers "
"you should be able to continue to authenticate users if one LDAP server, one "
"Kerberos server, or one LDAP and one Kerberos server become unavailable."
#: serverguide/C/network-auth.xml:2731(para)
"The <ulink url=\"http://web.mit.edu/Kerberos/krb5-1.6/krb5-1.6.3/doc/krb5-"
"admin.html#Configuring-Kerberos-with-OpenLDAP-back_002dend\"> Kerberos Admin "
"Guide</ulink> has some additional details."
#: serverguide/C/network-auth.xml:2737(para)
"For more information on <application>kdb5_ldap_util</application> see <ulink "
"url=\"http://web.mit.edu/Kerberos/krb5-1.6/krb5-1.6.3/doc/krb5-"
"admin.html#Global-Operations-on-the-Kerberos-LDAP-Database\"> Section "
"5.6</ulink> and the <ulink "
"url=\"http://manpages.ubuntu.com/manpages/jaunty/en/man8/kdb5_ldap_util.8.htm"
"l\">kdb5_ldap_util man page</ulink>."
#: serverguide/C/network-auth.xml:2745(para)
"Another useful link is the <ulink "
"url=\"http://manpages.ubuntu.com/manpages/jaunty/en/man5/krb5.conf.5.html\">k"
"rb5.conf man page</ulink>."
13960
#: serverguide/C/mail.xml:13(title)
13961
msgid "Email Services"
13962
msgstr "Elektroninio Pašto Paslaugos"
13964
#: serverguide/C/mail.xml:14(para)
13966
"The process of getting an email from one person to another over a network or "
13967
"the Internet involves many systems working together. Each of these systems "
13968
"must be correctly configured for the process to work. The sender uses a "
13969
"<emphasis>Mail User Agent</emphasis> (MUA), or email client, to send the "
13970
"message through one or more <emphasis>Mail Transfer Agents</emphasis> (MTA), "
13971
"the last of which will hand it off to a <emphasis>Mail Delivery "
13972
"Agent</emphasis> (MDA) for delivery to the recipient's mailbox, from which "
13973
"it will be retrieved by the recipient's email client, usually via a POP3 or "
13977
#: serverguide/C/mail.xml:24(title) serverguide/C/mail.xml:623(application) serverguide/C/mail.xml:657(title) serverguide/C/mail.xml:735(title) serverguide/C/mail.xml:1282(title)
13981
#: serverguide/C/mail.xml:25(para)
13983
"<application>Postfix</application> is the default Mail Transfer Agent (MTA) "
13984
"in Ubuntu. It attempts to be fast and easy to administer and secure. It is "
13985
"compatible with the MTA <application>sendmail</application>. This section "
13986
"explains how to install and configure <application>postfix</application>. It "
13987
"also explains how to set it up as an SMTP server using a secure connection "
13988
"(for sending emails securely)."
13991
#: serverguide/C/mail.xml:34(para)
13993
"To install <application>postfix</application> run the following command:"
13996
#: serverguide/C/mail.xml:40(para)
13998
"Simply press return when the installation process asks questions, the "
13999
"configuration will be done in greater detail in the next stage."
#: serverguide/C/mail.xml:45(title)
msgid "Basic Configuration"
msgstr "Pagrindinė Konfigūracija"
#: serverguide/C/mail.xml:46(para)
"To configure <application>postfix</application>, run the following command:"
#: serverguide/C/mail.xml:50(command)
msgid "sudo dpkg-reconfigure postfix"
#: serverguide/C/mail.xml:56(para)
msgid "Internet Site"
#: serverguide/C/mail.xml:57(para)
msgid "mail.example.com"
msgstr "mail.example.com"
#: serverguide/C/mail.xml:58(para)
#: serverguide/C/mail.xml:59(para)
msgid "mail.example.com, localhost.localdomain, localhost"
#: serverguide/C/mail.xml:60(para)
#: serverguide/C/mail.xml:61(para)
msgid "127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.0/24"
#: serverguide/C/mail.xml:62(para)
#: serverguide/C/mail.xml:63(para)
#: serverguide/C/mail.xml:64(para)
#: serverguide/C/mail.xml:52(para)
"The user interface will be displayed. On each screen, select the following "
"values: <placeholder-1/>"
#: serverguide/C/mail.xml:68(para)
"Replace mail.example.com with your mail server hostname, 192.168.0/24 with "
"the actual network and class range of your mail server, and steve with the "
"appropriate username."
#: serverguide/C/mail.xml:76(title) serverguide/C/mail.xml:357(title)
msgid "SMTP Authentication"
msgstr "SMTP Autentifikacija"
#: serverguide/C/mail.xml:78(para)
"SMTP-AUTH allows a client to identify itself through an authentication "
"mechanism (SASL). Transport Layer Security (TLS) should be used to encrypt "
"the authentication process. Once authenticated the SMTP server will allow "
"the client to relay mail."
#: serverguide/C/mail.xml:84(para)
"Configuring <application>Postfix</application> for SMTP-AUTH is very simple "
"using the <application>dovecot-postfix</application> package. This package "
"will install <application>Dovecot</application> and configure "
"<application>Postfix</application> to use it for both SASL authentication "
"and as a Mail Delivery Agent (MDA). The package also configures "
"<application>Dovecot</application> for IMAP, IMAPS, POP3, and POP3S."
#: serverguide/C/mail.xml:91(para)
msgid "To install the package, from a terminal prompt enter:"
#: serverguide/C/mail.xml:96(command)
msgid "sudo apt-get install dovecot-postfix"
#: serverguide/C/mail.xml:99(para)
"You should now have a working mail server, but there are a few options that "
"you may wish to further customize. For example, the package uses the "
"certificate and key from the <application>ssl-cert</application> package, "
"and in a production environment you should use a certificate and key "
"generated for the host. See <xref linkend=\"certificates-and-security\"/> "
"for more details."
#: serverguide/C/mail.xml:105(para)
"Once you have a customized certificate and key for the host, change the "
"following options in <filename>/etc/postfix/main.cf</filename>:"
#: serverguide/C/mail.xml:109(programlisting)
"smtpd_tls_cert_file = /etc/ssl/certs/ssl-mail.pem\n"
"smtpd_tls_key_file = /etc/ssl/private/ssl-mail.key\n"
#: serverguide/C/mail.xml:114(para)
msgid "Then restart Postfix:"
#: serverguide/C/mail.xml:119(command) serverguide/C/mail.xml:182(command) serverguide/C/mail.xml:775(command) serverguide/C/mail.xml:1333(command)
msgid "sudo /etc/init.d/postfix restart"
#: serverguide/C/mail.xml:125(para)
"SMTP-AUTH configuration is complete. Now it is time to test the setup."
#: serverguide/C/mail.xml:128(para)
msgid "To see if SMTP-AUTH and TLS work properly, run the following command:"
#: serverguide/C/mail.xml:133(command)
msgid "telnet mail.example.com 25"
#: serverguide/C/mail.xml:135(para)
"After you have established the connection to the postfix mail server, type:"
#: serverguide/C/mail.xml:139(screen)
"ehlo mail.example.com\n"
#: serverguide/C/mail.xml:142(para)
"If you see the following lines among others, then everything is working "
"perfectly. Type <command>quit</command> to exit."
#: serverguide/C/mail.xml:146(programlisting)
"250-AUTH LOGIN PLAIN\n"
"250-AUTH=LOGIN PLAIN\n"
#: serverguide/C/mail.xml:156(para)
"This section introduces some common ways to determine the cause if problems "
#: serverguide/C/mail.xml:160(title)
msgid "Escaping chroot"
#: serverguide/C/mail.xml:161(para)
"The Ubuntu <application>postfix</application> package will by default "
"install into a <emphasis>chroot</emphasis> environment for security reasons. "
"This can add greater complexity when troubleshooting problems."
#: serverguide/C/mail.xml:165(para)
"To turn off the chroot operation locate for the following line in the "
"<filename>/etc/postfix/master.cf</filename> configuration file:"
#: serverguide/C/mail.xml:169(screen)
"smtp inet n - - - - smtpd\n"
#: serverguide/C/mail.xml:172(para)
msgid "and modify it as follows:"
#: serverguide/C/mail.xml:175(screen)
"smtp inet n - n - - smtpd\n"
#: serverguide/C/mail.xml:178(para)
"You will then need to restart Postfix to use the new configuration. From a "
"terminal prompt enter:"
#: serverguide/C/mail.xml:186(title)
#: serverguide/C/mail.xml:187(para)
"<application>Postfix</application> sends all log messages to "
"<filename>/var/log/mail.log</filename>. However error and warning messages "
"can sometimes get lost in the normal log output so they are also logged to "
"<filename>/var/log/mail.err</filename> and "
"<filename>/var/log/mail.warn</filename> respectively."
#: serverguide/C/mail.xml:192(para)
"To see messages entered into the logs in real time you can use the "
"<application>tail -f</application> command:"
#: serverguide/C/mail.xml:197(command)
msgid "tail -f /var/log/mail.err"
#: serverguide/C/mail.xml:199(para)
"The amount of detail that is recorded in the logs can be increased. Below "
"are some configuration options for increasing the log level for some of the "
"areas covered above."
#: serverguide/C/mail.xml:205(para)
"To increase <emphasis>TLS</emphasis> activity logging set the "
"<emphasis>smtpd_tls_loglevel</emphasis> option to a value from 1 to 4."
#: serverguide/C/mail.xml:209(command)
msgid "sudo postconf -e 'smtpd_tls_loglevel = 4'"
#: serverguide/C/mail.xml:213(para)
"If you are having trouble sending or receiving mail from a specific domain "
"you can add the domain to the <emphasis>debug_peer_list</emphasis> parameter."
#: serverguide/C/mail.xml:218(command)
msgid "sudo postconf -e 'debug_peer_list = problem.domain'"
#: serverguide/C/mail.xml:222(para)
"You can increase the verbosity of any <application>Postfix</application> "
"daemon process by editing the <filename>/etc/postfix/master.cf</filename> "
"and adding a <emphasis>-v</emphasis> after the entry. For example edit the "
"<emphasis>smtp</emphasis> entry:"
#: serverguide/C/mail.xml:226(programlisting)
"smtp unix - - - - - smtp -v\n"
#: serverguide/C/mail.xml:232(para)
"It is important to note that after making one of the logging changes above "
"the <application>Postfix</application> process will need to be reloaded in "
"order to recognize the new configuration: <command>sudo /etc/init.d/postfix "
#: serverguide/C/mail.xml:239(para)
"To increase the amount of information logged when troubleshooting "
"<emphasis>SASL</emphasis> issues you can set the following options in "
"<filename>/etc/dovecot/dovecot.conf</filename>"
#: serverguide/C/mail.xml:243(programlisting)
"auth_debug_passwords=yes\n"
#: serverguide/C/mail.xml:250(para)
"Just like <application>Postfix</application> if you change a "
"<application>Dovecot</application> configuration the process will need to be "
"reloaded: <command>sudo /etc/init.d/dovecot reload</command>."
#: serverguide/C/mail.xml:256(para)
"Some of the options above can drastically increase the amount of information "
"sent to the log files. Remember to return the log level back to normal after "
"you have corrected the problem. Then reload the appropriate daemon for the "
"new configuration to take affect."
#: serverguide/C/mail.xml:264(para)
"Administering a <application>Postfix</application> server can be a very "
"complicated task. At some point you may need to turn to the Ubuntu community "
"for more experienced help."
#: serverguide/C/mail.xml:268(para)
"A great place to ask for <application>Postfix</application> assistance, and "
"get involved with the Ubuntu Server community, is the <emphasis>#ubuntu-"
"server</emphasis> IRC channel on <ulink "
"url=\"http://freenode.net\">freenode</ulink>. You can also post a message to "
"one of the <ulink "
"url=\"http://www.ubuntu.com/support/community/webforums\">Web Forums</ulink>."
#: serverguide/C/mail.xml:273(para)
"For in depth <application>Postfix</application> information Ubuntu "
"developers highly recommend: <ulink url=\"http://www.postfix-book.com/\">The "
"Book of Postfix</ulink>."
#: serverguide/C/mail.xml:277(para)
"Finally, the <ulink "
"url=\"http://www.postfix.org/documentation.html\">Postfix</ulink> website "
"also has great documentation on all the different configuration options "
#: serverguide/C/mail.xml:286(title) serverguide/C/mail.xml:663(title) serverguide/C/mail.xml:779(title)
#: serverguide/C/mail.xml:287(para)
"<application>Exim4</application> is another Message Transfer Agent (MTA) "
"developed at the University of Cambridge for use on Unix systems connected "
"to the Internet. Exim can be installed in place of "
"<application>sendmail</application>, although the configuration of "
"<application>exim</application> is quite different to that of "
"<application>sendmail</application>."
#: serverguide/C/mail.xml:298(para)
"To install <application>exim4</application>, run the following command: "
"<command>sudo apt-get install exim4</command>\n"
#: serverguide/C/mail.xml:307(para)
"To configure <application>Exim4</application>, run the following command:"
#: serverguide/C/mail.xml:311(command)
msgid "sudo dpkg-reconfigure exim4-config"
#: serverguide/C/mail.xml:313(para)
"The user interface will be displayed. The user interface lets you configure "
"many parameters. For example, In <application>Exim4</application> the "
"configuration files are split among multiple files. If you wish to have them "
"in one file you can configure accordingly in this user interface."
#: serverguide/C/mail.xml:321(para)
"All the parameters you configure in the user interface are stored in "
"<filename>/etc/exim4/update-exim4.conf.conf</filename> file. If you wish to "
"re-configure, either you re-run the configuration wizard or manually edit "
"this file using your favourite editor. Once you configure, you can run the "
"following command to generate the master configuration file:"
#: serverguide/C/mail.xml:332(command) serverguide/C/mail.xml:405(command)
msgid "sudo update-exim4.conf"
#: serverguide/C/mail.xml:334(para)
"The master configuration file, is generated and it is stored in "
"<filename>/var/lib/exim4/config.autogenerated</filename>."
#: serverguide/C/mail.xml:340(para)
"At any time, you should not edit the master configuration file, "
"<filename>/var/lib/exim4/config.autogenerated</filename> manually. It is "
"updated automatically every time you run <command>update-exim4.conf</command>"
#: serverguide/C/mail.xml:348(para)
"You can run the following command to start <application>Exim4</application> "
#: serverguide/C/mail.xml:353(command) serverguide/C/mail.xml:785(command)
msgid "sudo /etc/init.d/exim4 start"
#: serverguide/C/mail.xml:358(para)
"This section covers configuring Exim4 to use SMTP-AUTH with TLS and SASL."
#: serverguide/C/mail.xml:361(para)
"The first step is to create a certificate for use with TLS. Enter the "
"following into a terminal prompt:"
#: serverguide/C/mail.xml:365(command)
msgid "sudo /usr/share/doc/exim4-base/examples/exim-gencert"
#: serverguide/C/mail.xml:367(para)
"Now Exim4 needs to be configured for TLS by editing "
"<filename>/etc/exim4/conf.d/main/03_exim4-config_tlsoptions</filename> add "
#: serverguide/C/mail.xml:371(programlisting)
"MAIN_TLS_ENABLE = yes\n"
#: serverguide/C/mail.xml:374(para)
"Next you need to configure <application>Exim4</application> to use the "
"<application>saslauthd</application> for authentication. Edit "
"<filename>/etc/exim4/conf.d/auth/30_exim4-config_examples</filename> and "
"uncomment the <emphasis>plain_saslauthd_server</emphasis> and "
"<emphasis>login_saslauthd_server</emphasis> sections:"
#: serverguide/C/mail.xml:379(programlisting)
" plain_saslauthd_server:\n"
" driver = plaintext\n"
" public_name = PLAIN\n"
" server_condition = ${if saslauthd{{$auth2}{$auth3}}{1}{0}}\n"
" server_set_id = $auth2\n"
" server_prompts = :\n"
" .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS\n"
" server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}\n"
" login_saslauthd_server:\n"
" driver = plaintext\n"
" public_name = LOGIN\n"
" server_prompts = \"Username:: : Password::\"\n"
" # don't send system passwords over unencrypted connections\n"
" server_condition = ${if saslauthd{{$auth1}{$auth2}}{1}{0}}\n"
" server_set_id = $auth1\n"
" .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS\n"
" server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}\n"
#: serverguide/C/mail.xml:401(para)
msgid "Finally, update the Exim4 configuration and restart the service:"
#: serverguide/C/mail.xml:406(command)
msgid "sudo /etc/init.d/exim4 restart"
#: serverguide/C/mail.xml:410(title)
msgid "Configuring SASL"
msgstr "SASL Konfigūravimas"
#: serverguide/C/mail.xml:411(para)
"This section provides details on configuring the saslauthd to provide "
"authentication for <application>Exim4</application>."
#: serverguide/C/mail.xml:414(para)
"The first step is to install the sasl2-bin package. From a terminal prompt "
"enter the following:"
#: serverguide/C/mail.xml:418(command)
msgid "sudo apt-get install sasl2-bin"
#: serverguide/C/mail.xml:420(para)
"To configure saslauthd edit the /etc/default/saslauthd configuration file "
"and set START=no to:"
#: serverguide/C/mail.xml:423(programlisting)
#: serverguide/C/mail.xml:426(para)
"Next the <emphasis>Debian-exim</emphasis> user needs to be part of the "
"<emphasis>sasl</emphasis> group in order for Exim4 to use the saslauthd "
#: serverguide/C/mail.xml:431(command)
msgid "sudo adduser Debian-exim sasl"
#: serverguide/C/mail.xml:433(para)
msgid "Now start the <application>saslauthd</application> service:"
#: serverguide/C/mail.xml:437(command)
msgid "sudo /etc/init.d/saslauthd start"
#: serverguide/C/mail.xml:439(para)
"<application>Exim4</application> is now configured with SMTP-AUTH using TLS "
"and SASL authentication."
#: serverguide/C/mail.xml:448(para)
"See <ulink url=\"http://www.exim.org/\">exim.org</ulink> for more "
#: serverguide/C/mail.xml:453(para)
"There is also an <ulink url=\"http://www.uit.co.uk/content/exim-smtp-mail-"
"server\">Exim4 Book</ulink> available."
#: serverguide/C/mail.xml:462(title)
msgid "Dovecot Server"
#: serverguide/C/mail.xml:463(para)
"<application>Dovecot</application> is a Mail Delivery Agent, written with "
"security primarily in mind. It supports the major mailbox formats: mbox or "
"Maildir. This section explain how to set it up as an imap or pop3 server."
#: serverguide/C/mail.xml:471(para)
"To install <application>dovecot</application>, run the following command in "
"the command prompt:"
#: serverguide/C/mail.xml:476(command)
msgid "sudo apt-get install dovecot-imapd dovecot-pop3d"
#: serverguide/C/mail.xml:481(para)
"To configure <application>dovecot</application>, you can edit the file "
"<filename>/etc/dovecot/dovecot.conf</filename>. You can choose the protocol "
"you use. It could be pop3, pop3s (pop3 secure), imap and imaps (imap "
"secure). A description of these protocols is beyond the scope of this guide. "
"For further information, refer to the Wikipedia articles on <ulink "
"url=\"http://en.wikipedia.org/wiki/POP3\">POP3</ulink> and <ulink "
"url=\"http://en.wikipedia.org/wiki/Internet_Message_Access_Protocol\">IMAP</u"
#: serverguide/C/mail.xml:491(para)
"IMAPS and POP3S are more secure that the simple IMAP and POP3 because they "
"use SSL encryption to connect. Once you have chosen the protocol, amend the "
"following line in the file <filename>/etc/dovecot/dovecot.conf</filename>:"
#: serverguide/C/mail.xml:497(programlisting)
"protocols = pop3 pop3s imap imaps\n"
#: serverguide/C/mail.xml:500(para)
"Next, choose the mailbox you would like to use. "
"<application>Dovecot</application> supports <emphasis "
"role=\"strong\">maildir</emphasis> and <emphasis "
"role=\"strong\">mbox</emphasis> formats. These are the most commonly used "
"mailbox formats. They both have their own benefits and are discussed on "
"<ulink url=\"http://wiki.dovecot.org/MailboxFormat\">the Dovecot web "
#: serverguide/C/mail.xml:508(para)
"Once you have chosen your mailbox type, edit the file "
"<filename>/etc/dovecot/dovecot.conf</filename> and change the following line:"
#: serverguide/C/mail.xml:513(programlisting)
"mail_location = maildir:~/Maildir # (for maildir)\n"
"mail_location = mbox:~/mail:INBOX=/var/spool/mail/%u # (for mbox)\n"
#: serverguide/C/mail.xml:519(para)
"You should configure your Mail Transport Agent (MTA) to transfer the "
"incoming mail to this type of mailbox if it is different from the one you "
#: serverguide/C/mail.xml:525(para)
"Once you have configured dovecot, restart the "
"<application>dovecot</application> daemon in order to test your setup:"
#: serverguide/C/mail.xml:531(command)
msgid "sudo /etc/init.d/dovecot restart"
#: serverguide/C/mail.xml:534(para)
"If you have enabled imap, or pop3, you can also try to log in with the "
"commands <command>telnet localhost pop3</command> or <command>telnet "
"localhost imap2</command>. If you see something like the following, the "
"installation has been successful:"
#: serverguide/C/mail.xml:541(programlisting)
"bhuvan@rainbow:~$ telnet localhost pop3\n"
"Trying 127.0.0.1...\n"
"Connected to localhost.localdomain.\n"
"Escape character is '^]'.\n"
"+OK Dovecot ready.\n"
#: serverguide/C/mail.xml:550(title)
msgid "Dovecot SSL Configuration"
#: serverguide/C/mail.xml:551(para)
"To configure <application>dovecot</application> to use SSL, you can edit the "
"file <filename>/etc/dovecot/dovecot.conf</filename> and amend following "
#: serverguide/C/mail.xml:556(programlisting)
"ssl_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem\n"
"ssl_key_file = /etc/ssl/private/ssl-cert-snakeoil.key\n"
"ssl_disable = no\n"
"disable_plaintext_auth = no\n"
#: serverguide/C/mail.xml:562(para)
"You can get the SSL certificate from a Certificate Issuing Authority or you "
"can create self signed SSL certificate. The latter is a good option for "
"email, because SMTP clients rarely complain about \"self-signed "
"certificates\". Please refer to <xref linkend=\"certificates-and-"
"security\"/> for details about how to create self signed SSL certificate. "
"Once you create the certificate, you will have a key file and a certificate "
"file. Please copy them to the location pointed in the "
"<filename>/etc/dovecot/dovecot.conf</filename> configuration file."
#: serverguide/C/mail.xml:577(title)
msgid "Firewall Configuration for an Email Server"
msgstr "Elektroninio Pašto Serverio Užkardų Konfigūravimas"
#: serverguide/C/mail.xml:583(para)
msgstr "IMAP - 143"
#: serverguide/C/mail.xml:584(para)
msgid "IMAPS - 993"
msgstr "IMAPS - 993"
#: serverguide/C/mail.xml:585(para)
msgstr "POP3 - 110"
#: serverguide/C/mail.xml:586(para)
msgid "POP3S - 995"
msgstr "POP3S - 995"
#: serverguide/C/mail.xml:578(para)
"To access your mail server from another computer, you must configure your "
"firewall to allow connections to the server on the necessary ports. "
#: serverguide/C/mail.xml:595(para)
"See the <ulink url=\"http://www.dovecot.org/\">Dovecot website</ulink> for "
"more information."
#: serverguide/C/mail.xml:604(title) serverguide/C/mail.xml:681(title) serverguide/C/mail.xml:904(title)
#: serverguide/C/mail.xml:605(para)
"Mailman is an open source program for managing electronic mail discussions "
"and e-newsletter lists. Many open source mailing lists (including all the "
"<ulink url=\"http://lists.ubuntu.com\">Ubuntu mailing lists</ulink>) use "
"Mailman as their mailing list software. It is powerful and easy to install "
#: serverguide/C/mail.xml:615(para)
"Mailman provides a web interface for the administrators and users, using an "
"external mail server to send and receive emails. It works perfectly with the "
"following mail servers:"
#: serverguide/C/mail.xml:626(application)
#: serverguide/C/mail.xml:629(application)
#: serverguide/C/mail.xml:632(application)
#: serverguide/C/mail.xml:637(para)
"We will see how to install and configure Mailman with, the Apache web "
"server, and either the Postfix or Exim mail server. If you wish to install "
"Mailman with a different mail server, please refer to the references section."
#: serverguide/C/mail.xml:644(para)
"You only need to install one mail server and "
"<application>Postfix</application> is the default Ubuntu Mail Transfer Agent."
#: serverguide/C/mail.xml:649(title) serverguide/C/mail.xml:708(title)
#: serverguide/C/mail.xml:650(para)
"To install apache2 you refer to <ulink url=\"./web-servers.xml#http-"
"installation\">HTTPD Installation</ulink> section for details."
#: serverguide/C/mail.xml:658(para)
"For instructions on installing and configuring Postfix refer to <xref "
"linkend=\"postfix\"/>"
#: serverguide/C/mail.xml:664(para)
msgid "To install Exim4 refer to <xref linkend=\"exim4\"/>."
#: serverguide/C/mail.xml:675(application)
msgid "dc_use_split_config='true'"
#: serverguide/C/mail.xml:667(para)
"Once exim4 is installed, the configuration files are stored in the "
"<filename>/etc/exim4</filename> directory. In Ubuntu, by default, the exim4 "
"configuration files are split across different files. You can change this "
"behavior by changing the following variable in the "
"<filename>/etc/exim4/update-exim4.conf</filename> file: <placeholder-1/>"
#: serverguide/C/mail.xml:682(para)
"To install <application>Mailman</application>, run following command at a "
#: serverguide/C/mail.xml:686(command)
msgid "sudo apt-get install mailman"
#: serverguide/C/mail.xml:688(para)
"It copies the installation files in "
"<application>/var/lib/mailman</application> directory. It installs the CGI "
"scripts in <application>/usr/lib/cgi-bin/mailman</application> directory. It "
"creates <emphasis>list</emphasis> linux user. It creates the "
"<emphasis>list</emphasis> linux group. The mailman process will be owned by "
#: serverguide/C/mail.xml:700(para)
"This section assumes you have successfully installed "
"<application>mailman</application>, <application>apache2</application>, and "
"<application>postfix</application> or <application>exim4</application>. Now "
"you just need to configure them."
#: serverguide/C/mail.xml:709(para)
"An example Apache configuration file comes with "
"<application>Mailman</application> and is placed in "
"<filename>/etc/mailman/apache.conf</filename>. In order for Apache to use "
"the config file it needs to be copied to <filename>/etc/apache2/sites-"
"available</filename>:"
#: serverguide/C/mail.xml:715(command)
"sudo cp /etc/mailman/apache.conf /etc/apache2/sites-available/mailman.conf"
#: serverguide/C/mail.xml:717(para)
"This will setup a new Apache <emphasis>VirtualHost</emphasis> for the "
"Mailman administration site. Now enable the new configuration and restart "
#: serverguide/C/mail.xml:722(command)
msgid "sudo a2ensite mailman.conf"
#: serverguide/C/mail.xml:725(para)
"Mailman uses apache2 to render its CGI scripts. The mailman CGI scripts are "
"installed in the <application>/usr/lib/cgi-bin/mailman</application> "
"directory. So, the mailman url will be http://hostname/cgi-bin/mailman/. You "
"can make changes to the <filename>/etc/apache2/sites-"
"available/mailman.conf</filename> file if you wish to change this behavior."
#: serverguide/C/mail.xml:736(para)
"For <application>Postfix</application> integration, we will associate the "
"domain lists.example.com with the mailing lists. Please replace "
"<emphasis>lists.example.com</emphasis> with the domain of your choosing."
#: serverguide/C/mail.xml:740(para)
"You can use the postconf command to add the necessary configuration to "
"<filename>/etc/postfix/main.cf</filename>:"
#: serverguide/C/mail.xml:744(command)
msgid "sudo postconf -e 'relay_domains = lists.example.com'"
#: serverguide/C/mail.xml:745(command)
msgid "sudo postconf -e 'transport_maps = hash:/etc/postfix/transport'"
#: serverguide/C/mail.xml:746(command)
msgid "sudo postconf -e 'mailman_destination_recipient_limit = 1'"
#: serverguide/C/mail.xml:748(para)
"In <filename>/etc/postfix/master.cf</filename> double check that you have "
"the following transport:"
#: serverguide/C/mail.xml:751(programlisting)
"mailman unix - n n - - pipe\n"
" flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py\n"
" ${nexthop} ${user}\n"
#: serverguide/C/mail.xml:756(para)
"It calls the <emphasis>postfix-to-mailman.py</emphasis> script when a mail "
"is delivered to a list."
#: serverguide/C/mail.xml:759(para)
"Associate the domain lists.example.com to the Mailman transport with the "
"transport map. Edit the file <filename>/etc/postfix/transport</filename>:"
#: serverguide/C/mail.xml:762(programlisting)
"lists.example.com mailman:\n"
#: serverguide/C/mail.xml:765(para)
"Now have <application>Postfix</application> build the transport map by "
"entering the following from a terminal prompt:"
#: serverguide/C/mail.xml:769(command)
msgid "sudo postmap -v /etc/postfix/transport"
#: serverguide/C/mail.xml:771(para)
msgid "Then restart Postfix to enable the new configurations:"
#: serverguide/C/mail.xml:780(para)
"Once Exim4 is installed, you can start the Exim server using the following "
"command from a terminal prompt:"
#: serverguide/C/mail.xml:796(para) serverguide/C/mail.xml:811(title)
#: serverguide/C/mail.xml:799(para) serverguide/C/mail.xml:851(title)
#: serverguide/C/mail.xml:802(para) serverguide/C/mail.xml:874(title)
#: serverguide/C/mail.xml:787(para)
"In order to make mailman work with Exim4, you need to configure Exim4. As "
"mentioned earlier, by default, Exim4 uses multiple configuration files of "
"different types. For details, please refer to the <ulink "
"url=\"http://www.exim.org\">Exim</ulink> web site. To run mailman, we should "
"add new a configuration file to the following configuration types: "
"<placeholder-1/> Exim creates a master configuration file by sorting all "
"these mini configuration files. So, the order of these configuration files "
"is very important."
#: serverguide/C/mail.xml:818(programlisting)
"# Home dir for your Mailman installation -- aka Mailman's prefix\n"
"# On Ubuntu this should be \"/var/lib/mailman\"\n"
"# This is normally the same as ~mailman\n"
"MM_HOME=/var/lib/mailman\n"
"# User and group for Mailman, should match your --with-mail-gid\n"
"# switch to Mailman's configure script. Value is normally \"mailman\"\n"
"# Domains that your lists are in - colon separated list\n"
"# you may wish to add these into local_domains as well\n"
"domainlist mm_domains=hostname.com\n"
"# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\n"
"# These values are derived from the ones above and should not need\n"
"# editing unless you have munged your mailman installation\n"
"# The path of the Mailman mail wrapper script\n"
"MM_WRAP=MM_HOME/mail/mailman\n"
"# The path of the list config file (used as a required file when\n"
"# verifying list addresses)\n"
"MM_LISTCHK=MM_HOME/lists/${lc::$local_part}/config.pck\n"
#: serverguide/C/mail.xml:812(para)
"All the configuration files belonging to the main type are stored in the "
"<filename>/etc/exim4/conf.d/main/</filename> directory. You can add the "
"following content to a new file, named <filename>04_exim4-"
"config_mailman</filename>: <placeholder-1/>"
#: serverguide/C/mail.xml:858(programlisting)
" mailman_transport:\n"
" command = MM_WRAP \\\n"
" '${if def:local_part_suffix \\\n"
" {${sg{$local_part_suffix}{-(\\\\w+)(\\\\+.*)?}{\\$1}}} "
" current_directory = MM_HOME\n"
" home_directory = MM_HOME\n"
" group = MM_GID\n"
#: serverguide/C/mail.xml:852(para)
"All the configuration files belonging to transport type are stored in the "
"<filename>/etc/exim4/conf.d/transport/</filename> directory. You can add the "
"following content to a new file named <filename> 40_exim4-"
"config_mailman</filename>: <placeholder-1/>"
#: serverguide/C/mail.xml:879(programlisting)
" mailman_router:\n"
" driver = accept\n"
" require_files = MM_HOME/lists/$local_part/config.pck\n"
" local_part_suffix_optional\n"
" local_part_suffix = -bounces : -bounces+* : \\\n"
" -confirm+* : -join : -leave : \\\n"
" -owner : -request : -admin\n"
" transport = mailman_transport\n"
#: serverguide/C/mail.xml:875(para)
"All the configuration files belonging to router type are stored in the "
"<filename>/etc/exim4/conf.d/router/</filename> directory. You can add the "
"following content in to a new file named <filename>101_exim4-"
"config_mailman</filename>: <placeholder-1/>"
#: serverguide/C/mail.xml:892(para)
"The order of main and transport configuration files can be in any order. "
"But, the order of router configuration files must be the same. This "
"particular file must appear before the <application>200_exim4-"
"config_primary</application> file. These two configuration files contain "
"same type of information. The first file takes the precedence. For more "
"details, please refer to the references section."
#: serverguide/C/mail.xml:905(para)
"Once mailman is installed, you can run it using the following command:"
#: serverguide/C/mail.xml:909(command)
msgid "sudo /etc/init.d/mailman start"
#: serverguide/C/mail.xml:911(para)
"Once mailman is installed, you should create the default mailing list. Run "
"the following command to create the mailing list:"
#: serverguide/C/mail.xml:917(command)
msgid "sudo /usr/sbin/newlist mailman"
#: serverguide/C/mail.xml:920(programlisting)
" Enter the email address of the person running the list: bhuvan at "
" Initial mailman password:\n"
" To finish creating your mailing list, you must edit your "
"<filename>/etc/aliases</filename> (or\n"
" equivalent) file by adding the following lines, and possibly running the\n"
" `newaliases' program:\n"
" ## mailman mailing list\n"
" mailman: \"|/var/lib/mailman/mail/mailman post mailman\"\n"
" mailman-admin: \"|/var/lib/mailman/mail/mailman admin mailman\"\n"
" mailman-bounces: \"|/var/lib/mailman/mail/mailman bounces mailman\"\n"
" mailman-confirm: \"|/var/lib/mailman/mail/mailman confirm mailman\"\n"
" mailman-join: \"|/var/lib/mailman/mail/mailman join mailman\"\n"
" mailman-leave: \"|/var/lib/mailman/mail/mailman leave mailman\"\n"
" mailman-owner: \"|/var/lib/mailman/mail/mailman owner mailman\"\n"
" mailman-request: \"|/var/lib/mailman/mail/mailman request mailman\"\n"
" mailman-subscribe: \"|/var/lib/mailman/mail/mailman subscribe "
" mailman-unsubscribe: \"|/var/lib/mailman/mail/mailman unsubscribe "
" Hit enter to notify mailman owner...\n"
#: serverguide/C/mail.xml:943(para)
"We have configured either Postfix or Exim4 to recognize all emails from "
"mailman. So, it is not mandatory to make any new entries in "
"<filename>/etc/aliases</filename>. If you have made any changes to the "
"configuration files, please ensure that you restart those services before "
"continuing to next section."
#: serverguide/C/mail.xml:962(title)
msgid "Administration"
msgstr "Administravimas"
#: serverguide/C/mail.xml:963(para)
"We assume you have a default installation. The mailman cgi scripts are still "
"in the <application>/usr/lib/cgi-bin/mailman/</application> directory. "
"Mailman provides a web based administration facility. To access this page, "
"point your browser to the following url:"
#: serverguide/C/mail.xml:971(para)
msgid "http://hostname/cgi-bin/mailman/admin"
msgstr "http://hostname/cgi-bin/mailman/admin"
#: serverguide/C/mail.xml:975(para)
"The default mailing list, <emphasis>mailman</emphasis>, will appear in this "
"screen. If you click the mailing list name, it will ask for your "
"authentication password. If you enter the correct password, you will be able "
"to change administrative settings of this mailing list. You can create a new "
"mailing list using the command line utility "
"(<command>/usr/sbin/newlist</command>). Alternatively, you can create a new "
"mailing list using the web interface."
#: serverguide/C/mail.xml:988(title)
#: serverguide/C/mail.xml:989(para)
"Mailman provides a web based interface for users. To access this page, point "
"your browser to the following url:"
#: serverguide/C/mail.xml:994(para)
msgid "http://hostname/cgi-bin/mailman/listinfo"
msgstr "http://hostname/cgi-bin/mailman/listinfo"
#: serverguide/C/mail.xml:998(para)
"The default mailing list, <emphasis>mailman</emphasis>, will appear in this "
"screen. If you click the mailing list name, it will display the subscription "
"form. You can enter your email address, name (optional), and password to "
"subscribe. An email invitation will be sent to you. You can follow the "
"instructions in the email to subscribe."
#: serverguide/C/mail.xml:1010(ulink)
msgid "GNU Mailman - Installation Manual"
#: serverguide/C/mail.xml:1014(ulink)
msgid "HOWTO - Using Exim 4 and Mailman 2.1 together"
#: serverguide/C/mail.xml:1020(title)
msgid "Mail Filtering"
#: serverguide/C/mail.xml:1021(para)
"One of the largest issues with email today is the problem of Unsolicited "
"Bulk Email (UBE). Also known as SPAM, such messages may also carry viruses "
"and other forms of malware. According to some reports these messages make up "
"the bulk of all email traffic on the Internet."
#: serverguide/C/mail.xml:1026(para)
"This section will cover integrating <application>Amavisd-new</application>, "
"<application>Spamassassin</application>, and "
"<application>ClamAV</application> with the "
"<application>Postfix</application> Mail Transport Agent (MTA). "
"<application>Postfix</application> can also check email validity by passing "
"it through external content filters. These filters can sometimes determine "
"if a message is spam without needing to process it with more resource "
"intensive applications. Two common filters are <application>dkim-"
"filter</application> and <application>python-policyd-spf</application>."
#: serverguide/C/mail.xml:1036(para)
"<application>Amavisd-new</application> is a wrapper program that can call "
"any number of content filtering programs for spam detection, antivirus, etc."
#: serverguide/C/mail.xml:1042(para)
"<application>Spamassassin</application> uses a variety of mechanisms to "
"filter email based on the message content."
#: serverguide/C/mail.xml:1047(para)
"<application>ClamAV</application> is an open source antivirus application."
#: serverguide/C/mail.xml:1052(para)
"<application>dkim-filter</application> implements a Sendmail Mail Filter "
"(Milter) for the DomainKeys Identified Mail (DKIM) standard."
#: serverguide/C/mail.xml:1058(para)
"<application>python-policyd-spf</application> enables Sender Policy "
"Framework (SPF) checking with <application>Postfix</application>."
#: serverguide/C/mail.xml:1063(para)
msgid "This is how the pieces fit together:"
#: serverguide/C/mail.xml:1068(para)
msgid "An email message is accepted by <application>Postfix</application>."
#: serverguide/C/mail.xml:1073(para)
"The message is passed through any external filters <application>dkim-"
"filter</application> and <application>python-policyd-spf</application> in "
#: serverguide/C/mail.xml:1079(para)
msgid "<application>Amavisd-new</application> then processes the message."
#: serverguide/C/mail.xml:1084(para)
"<application>ClamAV</application> is used to scan the message. If the "
"message contains a virus <application>Postfix</application> will reject the "
#: serverguide/C/mail.xml:1090(para)
"Clean messages will then be analyzed by "
"<application>Spamassassin</application> to find out if the message is spam. "
"<application>Spamassassin</application> will then add X-Header lines "
"allowing <application>Amavisd-new</application> to further manipulate the "
#: serverguide/C/mail.xml:1097(para)
"For example, if a message has a Spam score of over fifty the message could "
"be automatically dropped from the queue without the recipient ever having to "
"be bothered. Another, way to handle flagged messages is to deliver them to "
"the Mail User Agent (MUA) allowing the user to deal with the message as they "
#: serverguide/C/mail.xml:1104(para)
"See <xref linkend=\"postfix\"/> for instructions on installing and "
"configuring Postfix."
#: serverguide/C/mail.xml:1107(para)
"To install the rest of the applications enter the following from a terminal "
#: serverguide/C/mail.xml:1111(command)
msgid "sudo apt-get install amavisd-new spamassassin clamav-daemon"
#: serverguide/C/mail.xml:1112(command)
msgid "sudo apt-get install dkim-filter python-policyd-spf"
#: serverguide/C/mail.xml:1114(para)
"There are some optional packages that integrate with "
"<application>Spamassassin</application> for better spam detection:"
#: serverguide/C/mail.xml:1118(command)
msgid "sudo apt-get install pyzor razor"
#: serverguide/C/mail.xml:1120(para)
"Along with the main filtering applications compression utilities are needed "
"to process some email attachments:"
#: serverguide/C/mail.xml:1124(command)
"sudo apt-get install arj cabextract cpio lha nomarch pax rar unrar unzip zip "
#: serverguide/C/mail.xml:1129(para)
msgid "Now configure everything to work together and filter email."
#: serverguide/C/mail.xml:1133(title)
#: serverguide/C/mail.xml:1134(para)
"The default behaviour of <application>ClamAV</application> will fit our "
"needs. For more ClamAV configuration options, check the configuration files "
"in <filename>/etc/clamav</filename>."
#: serverguide/C/mail.xml:1139(para)
"Add the <emphasis>clamav</emphasis> user to the <emphasis>amavis</emphasis> "
"group in order for <application>Amavisd-new</application> to have the "
"appropriate access to scan files:"
#: serverguide/C/mail.xml:1144(command)
msgid "sudo adduser clamav amavis"
#: serverguide/C/mail.xml:1148(title)
msgid "Spamassassin"
#: serverguide/C/mail.xml:1149(para)
"Spamassassin automatically detects optional components and will use them if "
"they are present. This means that there is no need to configure "
"<application>pyzor</application> and <application>razor</application>."
#: serverguide/C/mail.xml:1153(para)
"Edit <filename>/etc/default/spamassassin</filename> to activate the "
"<application>Spamassassin</application> daemon. Change "
"<emphasis>ENABLED=0</emphasis> to:"
#: serverguide/C/mail.xml:1157(programlisting)
#: serverguide/C/mail.xml:1160(para)
msgid "Now start the daemon:"
#: serverguide/C/mail.xml:1164(command)
msgid "sudo /etc/init.d/spamassassin start"
#: serverguide/C/mail.xml:1168(title)
msgid "Amavisd-new"
#: serverguide/C/mail.xml:1169(para)
"First activate spam and antivirus detection in <application>Amavisd-"
"new</application> by editing <filename>/etc/amavis/conf.d/15-"
"content_filter_mode</filename>:"
#: serverguide/C/mail.xml:1173(programlisting)
"# You can modify this file to re-enable SPAM checking through spamassassin\n"
"# and to re-enable antivirus checking.\n"
"# Default antivirus checking mode\n"
"# Uncomment the two lines below to enable it\n"
"@bypass_virus_checks_maps = (\n"
" \\%bypass_virus_checks, \\@bypass_virus_checks_acl, \\"
"$bypass_virus_checks_re);\n"
"# Default SPAM checking mode\n"
"# Uncomment the two lines below to enable it\n"
"@bypass_spam_checks_maps = (\n"
" \\%bypass_spam_checks, \\@bypass_spam_checks_acl, \\"
"$bypass_spam_checks_re);\n"
"1; # insure a defined return\n"
#: serverguide/C/mail.xml:1198(para)
"Bouncing spam can be a bad idea as the return address is often faked. "
"Consider editing <filename>/etc/amavis/conf.d/20-debian_defaults</filename> "
"to set <emphasis>$final_spam_destiny</emphasis> to D_DISCARD rather than "
"D_BOUNCE, as follows:"
#: serverguide/C/mail.xml:1203(programlisting)
"$final_spam_destiny = D_DISCARD;\n"
#: serverguide/C/mail.xml:1207(para)
"If the server's <emphasis>hostname</emphasis> is different from the domain's "
"MX record you may need to manually set the <emphasis>$myhostname</emphasis> "
"option. Also, if the server receives mail for multiple domains the "
"<emphasis>@local_domains_acl</emphasis> option will need to be customized. "
"Edit the <filename>/etc/amavis/conf.d/50-user</filename> file:"
#: serverguide/C/mail.xml:1214(programlisting)
"$myhostname = 'mail.example.com';\n"
"@local_domains_acl = ( \"example.com\", \"example.org\" );\n"
#: serverguide/C/mail.xml:1219(para)
"After configuration <application>Amavisd-new</application> needs to be "
#: serverguide/C/mail.xml:1223(command) serverguide/C/mail.xml:1269(command)
msgid "sudo /etc/init.d/amavis restart"
#: serverguide/C/mail.xml:1226(title)
msgid "DKIM Whitelist"
#: serverguide/C/mail.xml:1228(para)
"<application>Amavisd-new</application> can be configured to automatically "
"<emphasis>Whitelist</emphasis> addresses from domains with valid Domain "
"Keys. There are some pre-configured domains in the "
"<filename>/etc/amavis/conf.d/40-policy_banks</filename>."
#: serverguide/C/mail.xml:1234(para)
msgid "There are multiple ways to configure the Whitelist for a domain:"
#: serverguide/C/mail.xml:1240(para)
"<emphasis>'example.com' => 'WHITELIST',</emphasis>: will whitelist any "
"address from the \"example.com\" domain."
#: serverguide/C/mail.xml:1245(para)
"<emphasis>'.example.com' => 'WHITELIST',</emphasis>: will whitelist any "
"address from any <emphasis>subdomains</emphasis> of \"example.com\" that "
"have a valid signature."
#: serverguide/C/mail.xml:1251(para)
"<emphasis>'.example.com/@example.com' => 'WHITELIST',</emphasis>: will "
"whitelist subdomains of \"example.com\" that use the signature of <emphasis "
"role=\"italic\">example.com</emphasis> the parent domain."
#: serverguide/C/mail.xml:1257(para)
"<emphasis>'./@example.com' => 'WHITELIST',</emphasis>: adds addresses "
"that have a valid signature from \"example.com\". This is usually used for "
"discussion groups that sign thier messages."
#: serverguide/C/mail.xml:1264(para)
"A domain can also have multiple Whitelist configurations. After, editing the "
"file restart <application>amaisd-new</application>:"
#: serverguide/C/mail.xml:1273(para)
"In this context, once a domain has been added to the Whitelist the message "
"will not receive any anti-virus or spam filtering. This may or may not be "
"the intended behavior you wish for a domain."
#: serverguide/C/mail.xml:1283(para)
"For <application>Postfix</application> integration, enter the following from "
"a terminal prompt:"
#: serverguide/C/mail.xml:1287(command)
msgid "sudo postconf -e 'content_filter = smtp-amavis:[127.0.0.1]:10024'"
#: serverguide/C/mail.xml:1289(para)
"Next edit <filename>/etc/postfix/master.cf</filename> and add the following "
"to the end of the file:"
#: serverguide/C/mail.xml:1292(programlisting)
"smtp-amavis unix - - - - 2 smtp\n"
" -o smtp_data_done_timeout=1200\n"
" -o smtp_send_xforward_command=yes\n"
" -o disable_dns_lookups=yes\n"
"127.0.0.1:10025 inet n - - - - smtpd\n"
" -o content_filter=\n"
" -o local_recipient_maps=\n"
" -o relay_recipient_maps=\n"
" -o smtpd_restriction_classes=\n"
" -o smtpd_delay_reject=no\n"
" -o smtpd_client_restrictions=permit_mynetworks,reject\n"
" -o smtpd_helo_restrictions=\n"
" -o smtpd_sender_restrictions=\n"
" -o smtpd_recipient_restrictions=permit_mynetworks,reject\n"
" -o smtpd_data_restrictions=reject_unauth_pipelining\n"
" -o smtpd_end_of_data_restrictions=\n"
" -o mynetworks=127.0.0.0/8\n"
" -o smtpd_error_sleep_time=0\n"
" -o smtpd_soft_error_limit=1001\n"
" -o smtpd_hard_error_limit=1000\n"
" -o smtpd_client_connection_count_limit=0\n"
" -o smtpd_client_connection_rate_limit=0\n"
"receive_override_options=no_header_body_checks,no_unknown_recipient_checks\n"
#: serverguide/C/mail.xml:1319(para)
"Also add the following two lines immediately below the "
"<emphasis>\"pickup\"</emphasis> transport service:"
#: serverguide/C/mail.xml:1322(programlisting)
" -o content_filter=\n"
" -o receive_override_options=no_header_body_checks\n"
#: serverguide/C/mail.xml:1326(para)
"This will prevent messages that are generated to report on spam from being "
"classified as spam."
#: serverguide/C/mail.xml:1329(para)
msgid "Now restart <application>Postfix</application>:"
#: serverguide/C/mail.xml:1335(para)
msgid "Content filtering with spam and virus detection is now enabled."
#: serverguide/C/mail.xml:1342(para)
"First, test that the <application>Amavisd-new</application> SMTP is "
#: serverguide/C/mail.xml:1345(programlisting)
"telnet localhost 10024\n"
"Trying 127.0.0.1...\n"
"Connected to localhost.\n"
"Escape character is '^]'.\n"
"220 [127.0.0.1] ESMTP amavisd-new service ready\n"
#: serverguide/C/mail.xml:1353(para)
"In the Header of messages that go through the content filter you should see:"
#: serverguide/C/mail.xml:1356(programlisting)
"X-Virus-Scanned: Debian amavisd-new at example.com\n"
"X-Spam-Status: No, hits=-2.3 tagged_above=-1000.0 required=5.0 tests=AWL, "
#: serverguide/C/mail.xml:1363(para)
"Your output will vary, but the important thing is that there are <emphasis>X-"
"Virus-Scanned</emphasis> and <emphasis>X-Spam-Status</emphasis> entries."
#: serverguide/C/mail.xml:1371(para)
"The best way to figure out why something is going wrong is to check the log "
#: serverguide/C/mail.xml:1376(para)
"For instructions on <application>Postfix</application> logging see the <xref "
"linkend=\"postfix-troubleshooting\"/> section."
#: serverguide/C/mail.xml:1382(para)
"<application>Amavisd-new</application> uses "
"<application>Syslog</application> to send messages to "
"<filename>/var/log/mail.log</filename>. The amount of detail can be "
"increased by adding the <emphasis>$log_level</emphasis> option to "
"<filename>/etc/amavis/conf.d/50-user</filename>, and setting the value from "
#: serverguide/C/mail.xml:1387(programlisting)
"$log_level = 2;\n"
#: serverguide/C/mail.xml:1391(para)
"When the <application>Amavisd-new</application> log output is increased "
"<application>Spamassassin</application> log output is also increased."
#: serverguide/C/mail.xml:1398(para)
"The <application>ClamAV</application> log level can be increased by editing "
"<filename>/etc/clamav/clamd.conf</filename> and setting the following option:"
#: serverguide/C/mail.xml:1402(programlisting)
"LogVerbose true\n"
#: serverguide/C/mail.xml:1405(para)
"By default <application>ClamAV</application> will send log messages to "
"<filename>/var/log/clamav/clamav.log</filename>."
#: serverguide/C/mail.xml:1411(para)
"After changing an applications log settings remember to restart the service "
"for the new settings to take affect. Also, once the issue you are "
"troubleshooting is resolved it is a good idea to change the log settings "
#: serverguide/C/mail.xml:1419(para)
msgid "For more information on filtering mail see the following links:"
#: serverguide/C/mail.xml:1425(ulink)
msgid "Amavisd-new Documentation"
#: serverguide/C/mail.xml:1429(para)
"<ulink url=\"http://www.clamav.org/doc/latest/html/\">ClamAV "
"Documentation</ulink> and <ulink "
"url=\"http://wiki.clamav.net/Main/WebHome\">ClamAV Wiki</ulink>"
#: serverguide/C/mail.xml:1436(ulink)
msgid "Spamassassin Wiki"
#: serverguide/C/mail.xml:1441(ulink)
msgid "Pyzor Homepage"
#: serverguide/C/mail.xml:1446(ulink)
msgid "Razor Homepage"
#: serverguide/C/mail.xml:1451(ulink)
#: serverguide/C/mail.xml:1455(para)
"Also, feel free to ask questions in the <emphasis>#ubuntu-server</emphasis> "
"IRC channel on <ulink url=\"http://freenode.net\">freenode</ulink>."
#: serverguide/C/lamp-applications.xml:13(title)
msgid "LAMP Applications"
#: serverguide/C/lamp-applications.xml:19(para)
"LAMP installations (Linux + Apache + MySQL + PHP) are a popular setup for "
"Ubuntu servers. There is a plethora of Open Source applications written "
"using the LAMP application stack. Some popular LAMP applications are Wiki's, "
"Content Management Systems, and Management Software such as phpMyAdmin."
#: serverguide/C/lamp-applications.xml:26(para)
"One advantage of LAMP is the substantial flexibility for different database, "
"web server, and scripting languages. Popular substitutes for MySQL include "
"Posgresql and SQLite. Python, Perl, and Ruby are also frequently used "
#: serverguide/C/lamp-applications.xml:32(para)
"The traditional way to install most <emphasis>LAMP</emphasis> applications "
#: serverguide/C/lamp-applications.xml:38(para)
msgid "Download an archive containing the application source files."
#: serverguide/C/lamp-applications.xml:43(para)
"Unpack the archive, usually in a directory accessible to a web server."
#: serverguide/C/lamp-applications.xml:48(para)
"Depending on where the source was extracted, configure a web browser to "
#: serverguide/C/lamp-applications.xml:53(para)
msgid "Configure the application to connect to the database."
#: serverguide/C/lamp-applications.xml:58(para)
"Run a script, or browse to a page of the application, to install the "
"database needed by the application."
#: serverguide/C/lamp-applications.xml:63(para)
"Once the steps above, or similar steps, are completed you are ready to begin "
"using the application."
#: serverguide/C/lamp-applications.xml:69(para)
"A disadvantage of using this approach is that the application files are not "
"placed in the file system in a standard way, which can cause confusion as to "
"where the application is installed. Another larger disadvantage is updating "
"the application. When a new version is released, the same process used to "
"install the application is needed to apply updates."
#: serverguide/C/lamp-applications.xml:76(para)
"Fortunately, a number of <emphasis>LAMP</emphasis> applications are already "
"packaged for Ubuntu, and are available for installation in the same way as "
"non-LAMP applications. Depending on the application some extra configuration "
"and setup steps may be needed, however."
#: serverguide/C/lamp-applications.xml:82(para)
"This section covers howto install and configure the Wiki applications "
"<application>MoinMoin</application>, <application>MediaWiki</application>, "
"and the MySQL management application <application>phpMyAdmin</application>."
#: serverguide/C/lamp-applications.xml:88(para)
"A Wiki is a website that allows the visitors to easily add, remove and "
"modify available content easily. The ease of interaction and operation makes "
"Wiki an effective tool for mass collaborative authoring. The term Wiki is "
"also referred to the collaborative software."
#: serverguide/C/lamp-applications.xml:100(title)
#: serverguide/C/lamp-applications.xml:102(para)
"MoinMoin is a Wiki engine implemented in Python, based on the PikiPiki Wiki "
"engine, and licensed under the GNU GPL."
#: serverguide/C/lamp-applications.xml:110(para)
"To install <application>MoinMoin</application>, run the following command in "
"the command prompt:"
#: serverguide/C/lamp-applications.xml:116(command)
msgid "sudo apt-get install python-moinmoin"
#: serverguide/C/lamp-applications.xml:119(para)
"You should also install <application>apache2</application> web server. For "
"installing <application>apache2</application> web server, please refer to "
"<xref linkend=\"http-installation\"/> sub-section in <xref "
"linkend=\"httpd\"/> section."
#: serverguide/C/lamp-applications.xml:130(para)
"For configuring your first Wiki application, please run the following set of "
"commands. Let us assume that you are creating a Wiki named "
"<emphasis>mywiki</emphasis>:"
#: serverguide/C/lamp-applications.xml:137(command)
msgid "cd /usr/share/moin"
#: serverguide/C/lamp-applications.xml:138(command)
msgid "sudo mkdir mywiki"
#: serverguide/C/lamp-applications.xml:139(command)
msgid "sudo cp -R data mywiki"
#: serverguide/C/lamp-applications.xml:140(command)
msgid "sudo cp -R underlay mywiki"
#: serverguide/C/lamp-applications.xml:141(command)
msgid "sudo cp server/moin.cgi mywiki"
#: serverguide/C/lamp-applications.xml:142(command)
msgid "sudo chown -R www-data.www-data mywiki"
#: serverguide/C/lamp-applications.xml:143(command)
msgid "sudo chmod -R ug+rwX mywiki"
#: serverguide/C/lamp-applications.xml:144(command)
msgid "sudo chmod -R o-rwx mywiki"
#: serverguide/C/lamp-applications.xml:147(para)
"Now you should configure <application>MoinMoin</application> to find your "
"new Wiki <emphasis>mywiki</emphasis>. To configure "
"<application>MoinMoin</application>, open "
"<filename>/etc/moin/mywiki.py</filename> file and change the following line:"
#: serverguide/C/lamp-applications.xml:155(programlisting)
msgid "data_dir = '/org/mywiki/data'"
#: serverguide/C/lamp-applications.xml:157(para)
#: serverguide/C/lamp-applications.xml:161(programlisting)
msgid "data_dir = '/usr/share/moin/mywiki/data'"
#: serverguide/C/lamp-applications.xml:163(para)
"Also, below the <emphasis>data_dir</emphasis> option add the "
"<emphasis>data_underlay_dir</emphasis>:"
#: serverguide/C/lamp-applications.xml:167(programlisting)
"data_underlay_dir='/usr/share/moin/mywiki/underlay'\n"
#: serverguide/C/lamp-applications.xml:172(para)
"If the <filename>/etc/moin/mywiki.py</filename> file does not exists, you "
"should copy <filename>/etc/moin/moinmaster.py</filename> file to "
"<filename>/etc/moin/mywiki.py</filename> file and do the above mentioned "
"Jeigu <filename>/etc/moin/mywiki.py</filename> byla neegzistuoja, jūs turite "
"nukopijuoti <filename>/etc/moin/moinmaster.py</filename> bylą į "
"<filename>/etc/moin/mywiki.py</filename> bylą ir padaryti aukščiau minėtą "
#: serverguide/C/lamp-applications.xml:181(para)
"If you have named your Wiki as <emphasis>my_wiki_name</emphasis> you should "
"insert a line <quote>(\"my_wiki_name\", r\".*\")</quote> in "
"<filename>/etc/moin/farmconfig.py</filename> file after the line "
"<quote>(\"mywiki\", r\".*\")</quote>."
"Jeigu jūs pavadinote Wiki <emphasis>my_wiki_name</emphasis> jūs turite "
"įterpti eilutę <quote>(\"my_wiki_name\", r\".*\")</quote> į "
"<filename>/etc/moin/farmconfig.py</filename> bylą po <quote>(\"mywiki\", "
"r\".*\")</quote> eilutės."
#: serverguide/C/lamp-applications.xml:189(para)
"Once you have configured <application>MoinMoin</application> to find your "
"first Wiki application <emphasis>mywiki</emphasis>, you should configure "
"<application>apache2</application> and make it ready for your Wiki "
#: serverguide/C/lamp-applications.xml:196(para)
"You should add the following lines in <filename>/etc/apache2/sites-"
"available/default</filename> file inside the <quote><VirtualHost "
"*></quote> tag:"
"Jūs turite pridėti šias eilutes prie <filename>/etc/apache2/sites-"
"available/default</filename> bylos <quote><VirtualHost *></quote> "
#: serverguide/C/lamp-applications.xml:202(programlisting)
" ScriptAlias /mywiki \"/usr/share/moin/mywiki/moin.cgi\"\n"
" alias /moin_static181 \"/usr/share/moin/htdocs\"\n"
" <Directory /usr/share/moin/htdocs>\n"
" Order allow,deny\n"
" allow from all\n"
" </Directory>\n"
#: serverguide/C/lamp-applications.xml:213(para)
"Once you configure the <application>apache2</application> web server and "
"make it ready for your Wiki application, you should restart it. You can run "
"the following command to restart the <application>apache2</application> web "
#: serverguide/C/lamp-applications.xml:226(title)
msgid "Verification"
msgstr "Tikrinimas"
#: serverguide/C/lamp-applications.xml:228(para)
"You can verify the Wiki application and see if it works by pointing your web "
"browser to the following URL:"
#: serverguide/C/lamp-applications.xml:232(programlisting)
"http://localhost/mywiki\n"
"http://localhost/mywiki\n"
#: serverguide/C/lamp-applications.xml:236(para)
"You can also run the test command by pointing your web browser to the "
#: serverguide/C/lamp-applications.xml:241(programlisting)
"http://localhost/mywiki?action=test\n"
#: serverguide/C/lamp-applications.xml:245(para)
"For more details, please refer to the <ulink "
"url=\"http://moinmo.in/\">MoinMoin</ulink> web site."
#: serverguide/C/lamp-applications.xml:256(para)
"For more information see the <ulink url=\"http://moinmo.in/\">moinmoin "
#: serverguide/C/lamp-applications.xml:265(title)
#: serverguide/C/lamp-applications.xml:267(para)
"MediaWiki is an web based Wiki software written in the PHP language. It can "
"either use <application>MySQL</application> or "
"<application>PostgreSQL</application> Database Management System."
#: serverguide/C/lamp-applications.xml:277(para)
"Before installing <application>MediaWiki</application> you should also "
"install <application>Apache2</application>, the "
"<application>PHP5</application> scripting language and Database a Management "
"System. <application>MySQL</application> or "
"<application>PostgreSQL</application> are the most common, choose one "
"depending on your need. Please refer to those sections in this manual for "
"installation instructions."
#: serverguide/C/lamp-applications.xml:285(para)
"To install <application>MediaWiki</application>, run the following command "
"in the command prompt:"
#: serverguide/C/lamp-applications.xml:291(command)
msgid "sudo apt-get install mediawiki php5-gd"
#: serverguide/C/lamp-applications.xml:294(para)
"For additional <application>MediaWiki</application> functionality see the "
"<application>mediawiki-extensions</application> package."
#: serverguide/C/lamp-applications.xml:304(para)
msgid "Run the following commands to configure MediaWiki:"
16096
#: serverguide/C/lamp-applications.xml:309(command)
16097
msgid "sudo ln -s /var/lib/mediawiki /var/www/mediawiki"
16100
#: serverguide/C/lamp-applications.xml:312(para)
16101
msgid "Point your web browser to the following URL for MediaWiki setup:"
16104
#: serverguide/C/lamp-applications.xml:321(programlisting)
16108
"http://localhost/mediawiki/config/index.php\n"
16111
#: serverguide/C/lamp-applications.xml:326(para)
16113
"Please read the <quote>Checking environment...</quote> section in this page. "
16114
"You should be able to fix many issues by carefully reading this section."
#: serverguide/C/lamp-applications.xml:366(para)
"For more details, please refer to the <ulink "
"url=\"http://www.mediawiki.org\">MediaWiki</ulink> web site."
#: serverguide/C/lamp-applications.xml:372(para)
"The <ulink url=\"http://www.packtpub.com/Mediawiki/book\">MediaWiki "
"Administrators’ Tutorial Guide</ulink> contains a wealth of information for "
"new MediaWiki administrators."
#: serverguide/C/lamp-applications.xml:382(title)
#: serverguide/C/lamp-applications.xml:384(para)
"<application>phpMyAdmin</application> is a LAMP application specifically "
"written for administering <application>MySQL</application> servers. Written "
"in <application>PHP</application>, and accessed through a web browser, "
"phpMyAdmin provides a graphical interface for database administration tasks."
#: serverguide/C/lamp-applications.xml:393(para)
"Before installing <application>phpMyAdmin</application> you will need access "
"to a <application>MySQL</application> database either on the same host as "
"that phpMyAdmin is installed on, or on a host accessible over the network. "
"For more information see <xref linkend=\"mysql\"/>. From a terminal prompt "
#: serverguide/C/lamp-applications.xml:400(command)
msgid "sudo apt-get install phpmyadmin"
#: serverguide/C/lamp-applications.xml:403(para)
"At the prompt choose which web server to be configured for "
"<application>phpMyAdmin</application>. The rest of this section will use "
"<application>Apache2</application> for the web server."
#: serverguide/C/lamp-applications.xml:408(para)
"In a browser go to <emphasis>http://servername/phpmyadmin</emphasis>, "
"replacing <emphasis role=\"italic\">serveranme</emphasis> with the server's "
"actual hostname. At the login, page enter <emphasis>root</emphasis> for the "
"<emphasis>username</emphasis>, or another <application>MySQL</application> "
"user if you any setup, and enter the <application>MySQL</application> user's "
#: serverguide/C/lamp-applications.xml:415(para)
"Once logged in you can reset the <emphasis>root</emphasis> password if "
"needed, create users, create/destroy databases and tables, etc."
#: serverguide/C/lamp-applications.xml:423(para)
"The configuration files for <application>phpMyAdmin</application> are "
"located in <filename>/etc/phpmyadmin</filename>. The main configuration file "
"is <filename>/etc/phpmyadmin/config.inc.php</filename>. This file contains "
"configuration options that apply globally to "
"<application>phpMyAdmin</application>."
#: serverguide/C/lamp-applications.xml:429(para)
"To use <application>phpMyAdmin</application> to administer a MySQL database "
"hosted on another server, adjust the following in "
"<filename>/etc/phpmyadmin/config.inc.php</filename>:"
#: serverguide/C/lamp-applications.xml:434(programlisting)
"$cfg['Servers'][$i]['host'] = 'db_server';\n"
#: serverguide/C/lamp-applications.xml:439(para)
"Replace <emphasis role=\"italic\">db_server</emphasis> with the actual "
"remote database server name or IP address. Also, be sure that the "
"<application>phpMyAdmin</application> host has permissions to access the "
#: serverguide/C/lamp-applications.xml:445(para)
"Once configured, log out of <application>phpMyAdmin</application> and back "
"in, and you should be accessing the new server."
#: serverguide/C/lamp-applications.xml:449(para)
"The <filename>config.header.inc.php</filename> and "
"<filename>config.footer.inc.php</filename> files are used to add a HTML "
"header and footer to <application>phpMyAdmin</application>."
#: serverguide/C/lamp-applications.xml:454(para)
"Another important configuration file is "
"<filename>/etc/phpmyadmin/apache.conf</filename>, this file is symlinked to "
"<filename>/etc/apache2/conf.d/phpmyadmin.conf</filename>, and is used to "
"configure <application>Apache2</application> to serve the "
"<application>phpMyAdmin</application> site. The file contains directives for "
"loading <application>PHP</application>, directory permissions, etc. For more "
"information on configuring <application>Apache2</application> see <xref "
"linkend=\"httpd\"/>."
#: serverguide/C/lamp-applications.xml:468(para)
"The <application>phpMyAdmin</application> documentation comes installed with "
"the package and can be accessed from the <emphasis>phpMyAdmin "
"Documentation</emphasis> link (a question mark with a box around it) under "
"the phpMyAdmin logo. The official docs can also be access on the <ulink "
"url=\"http://www.phpmyadmin.net/home_page/docs.php\">phpMyAdmin</ulink> site."
#: serverguide/C/lamp-applications.xml:475(para)
"Also, <ulink url=\"http://www.packtpub.com/phpmyadmin-3rd-"
"edition/book\">Mastering phpMyAdmin</ulink> is a great resource."
#: serverguide/C/jeos.xml:28(para)
"While installing from the Server Edition ISO (pressing "
"<emphasis>F4</emphasis> on the first screen will allow you to pick \"Minimal "
"installation\", which is the package selection equivalent to JeOS)"
#: serverguide/C/jeos.xml:211(para)
"Because of the nature of operations performed by vmbuilder, it needs to have "
"root priviledge, hence the use of sudo."
#: serverguide/C/jeos.xml:321(programlisting)
" <interface type='bridge'>\n"
" <source network='br0'/>\n"
" </interface>\n"
#: serverguide/C/jeos.xml:499(para)
"Another convenient tool that we want to have on our appliance is OpenSSH, as "
"it will provide our admins to access to access the appliance remotely. "
"However, pushing in the wild an appliance with a pre-installed OpenSSH "
"server is a big security risk as all these server will share the same secret "
"key, making it very easy for hackers to target our appliance with all the "
"tools they need to crack it open in a breeze. As for the user password, we "
"will instead rely on a script that will install OpenSSH the first time a "
"user logs in so that the key generated will be different for each appliance. "
"For this we'll use a <emphasis>--firstboot</emphasis> script, as it does not "
"need any user interaction."
#: serverguide/C/introduction.xml:14(para)
msgid "Welcome to the <emphasis>Ubuntu Server Guide</emphasis>!"
#: serverguide/C/introduction.xml:15(para)
"Here you can find information on how to install and configure various server "
"applications. It is a step-by-step, task-oriented guide for configuring and "
"customizing your system."
#: serverguide/C/introduction.xml:19(para)
"This guide assumes you have a basic understanding of your Ubuntu system. "
"Some installation details are covered in <xref linkend=\"installation\"/>, "
"but if you need detailed instructions installing Ubuntu please refer to the "
"<ulink url=\"https://help.ubuntu.com/9.04/installation-guide/\">Ubuntu "
"Installation Guide</ulink>."
#: serverguide/C/introduction.xml:25(para)
"A HTML version of the manual is available online at <ulink "
"url=\"http://help.ubuntu.com\">the Ubuntu Documentation website</ulink>. The "
"HTML files are also available in the <application>ubuntu-"
"serverguide</application> package. See <xref linkend=\"package-"
"management\"/> for details on installing packages."
#: serverguide/C/introduction.xml:32(para)
"If you choose to install the <application>ubuntu-serverguide</application> "
"you can view this document from a console by:"
#: serverguide/C/introduction.xml:36(command)
msgid "w3m /usr/share/ubuntu-serverguide/html/en_GB/index.html"
#: serverguide/C/introduction.xml:39(para)
msgid "Replace <emphasis>en_GB</emphasis> with your language localization."
#: serverguide/C/introduction.xml:53(title)
#: serverguide/C/introduction.xml:55(para)
"There a couple of different ways that Ubuntu Server Edition is supported, "
"commercial support and community support. The main commercial support (and "
"development funding) is available from Canonical Ltd. They supply reasonably "
"priced support contracts on a per desktop or per server basis. For more "
"information see the <ulink "
"url=\"http://www.canonical.com/services/support\">Canonical Services</ulink> "
#: serverguide/C/introduction.xml:62(para)
"Community support is also provided by dedicated individuals, and companies, "
"that wish to make Ubuntu the best distribution possible. Support is provided "
"through multiple mailing lists, IRC channels, forums, blogs, wikis, etc. The "
"large amount of information available can be overwhelming, but a good search "
"engine query can usually provide an answer to your questions. See the <ulink "
"url=\"http://www.ubuntu.com/support\">Ubuntu Support</ulink> page for more "
#: serverguide/C/installation.xml:14(para)
"This chapter provides a quick overview of installing Ubuntu 9.04 Server "
"Edition. For more detailed instructions, please refer to the <ulink "
"url=\"https://help.ubuntu.com/9.04/installation-guide/\">Ubuntu Installation "
#: serverguide/C/installation.xml:19(title)
msgid "Preparing to Install"
msgstr "Pasiruošimas Įdiegimui"
#: serverguide/C/installation.xml:20(para)
"This section explains various aspects to consider before starting the "
#: serverguide/C/installation.xml:24(title)
msgid "System Requirements"
msgstr "Sistemos Reikalavimai"
#: serverguide/C/installation.xml:25(para)
"Ubuntu 9.04 Server Edition supports two (2) major architectures: Intel x86 "
"and AMD64. The table below lists recommended hardware specifications. "
"Depending on your needs, you might manage with less than this. However, most "
"users risk being frustrated if they ignore these suggestions."
#: serverguide/C/installation.xml:27(title)
msgid "Recommended Minimum Requirements"
#: serverguide/C/installation.xml:35(para)
msgid "Install Type"
msgstr "Įdiegimo Tipas"
#: serverguide/C/installation.xml:36(para)
#: serverguide/C/installation.xml:37(para)
msgid "Hard Drive Space"
#: serverguide/C/installation.xml:40(para)
msgid "Base System"
#: serverguide/C/installation.xml:41(para)
msgid "All Tasks Installed"
#: serverguide/C/installation.xml:46(para)
#: serverguide/C/installation.xml:47(para)
msgid "128 megabytes"
#: serverguide/C/installation.xml:48(para)
msgid "500 megabytes"
#: serverguide/C/installation.xml:49(para)
#: serverguide/C/installation.xml:54(para)
"The Server Edition provides a common base for all sorts of server "
"applications. It is a minimalist design providing a platform for the desired "
"services, such as file/print services, web hosting, email hosting, etc."
#: serverguide/C/installation.xml:62(title)
msgid "Server and Desktop Differences"
#: serverguide/C/installation.xml:63(para)
"There are a few differences between the <emphasis>Ubuntu Server "
"Edition</emphasis> and the <emphasis>Ubuntu Desktop Edition</emphasis>. It "
"should be noted that both editions use the same "
"<application>apt</application> repositories. Making it just as easy to "
"install a <emphasis role=\"italic\">server</emphasis> application on the "
"Desktop Edition as it is on the Server Edition."
#: serverguide/C/installation.xml:69(para)
"The differences between the two editions are the lack of an X window "
"environment in the Server Edition, the installation process, and different "
#: serverguide/C/installation.xml:76(title)
msgid "Kernel Differences:"
#: serverguide/C/installation.xml:79(para)
"The Server Edition uses the <emphasis>Deadline</emphasis> I/O scheduler "
"instead of the <emphasis>CFQ</emphasis> scheduler used by the Desktop "
#: serverguide/C/installation.xml:85(para)
msgid "<emphasis>Preemption</emphasis> is turned off in the Server Edition."
#: serverguide/C/installation.xml:90(para)
"The timer interrupt is 100 Hz in the Server Edition and 250 Hz in the "
#: serverguide/C/installation.xml:96(para)
"When running a 64-bit version of Ubuntu on 64-bit processors you are not "
"limited by memory addressing space."
#: serverguide/C/installation.xml:101(para)
"To see all kernel configuration options you can look through "
"<filename>/boot/config-2.6.27-server</filename>. Also, <ulink "
"url=\"http://www.kroah.com/lkn/\">Linux Kernel in a Nutshell</ulink> is a "
"great resource on the options available."
#: serverguide/C/installation.xml:110(title)
#: serverguide/C/installation.xml:113(para)
"Before installing <application>Ubuntu Server Edition</application> you "
"should make sure all data on the system is backed up. See <xref "
"linkend=\"backups\"/> for backup options."
#: serverguide/C/installation.xml:117(para)
"If this is not the first time an operating system has been installed on your "
"computer, it is likely you will need to re-partition your disk to make room "
#: serverguide/C/installation.xml:121(para)
"Any time you partition your disk, you should be prepared to lose everything "
"on the disk should you make a mistake or something goes wrong during "
"partitioning. The programs used in installation are quite reliable, most "
"have seen years of use, but they also perform destructive actions."
#: serverguide/C/installation.xml:133(title)
msgid "Installing from CD"
#: serverguide/C/installation.xml:134(para)
"The basic steps to install Ubuntu Server Edition from CD are the same for "
"installing any operating system from CD. Unlike the <emphasis>Desktop "
"Edition</emphasis> the <emphasis>Server Edition</emphasis> does not include "
"a graphical installation program. Instead the Server Edition uses a console "
"menu based process."
#: serverguide/C/installation.xml:141(para)
"First, download and burn the appropriate ISO file from the <ulink "
"url=\"http://www.ubuntu.com/getubuntu/download\"> Ubuntu web site</ulink>."
#: serverguide/C/installation.xml:147(para)
msgid "Boot the system from the CD-ROM drive."
#: serverguide/C/installation.xml:152(para)
"At the boot prompt you will be asked to select the language. Afterwards the "
"installation process begins by asking for your keyboard layout."
#: serverguide/C/installation.xml:158(para)
"The installer then discovers your hardware configuration, and configures the "
"network settings using DHCP. If you do not wish to use DHCP at the next "
"screen choose \"Go Back\", and you have the option to \"Configure the "
"network manually\"."
#: serverguide/C/installation.xml:165(para)
msgid "Next, the installer asks for the system's hostname and Time Zone."
#: serverguide/C/installation.xml:170(para)
"You can then choose from several options to configure the hard drive layout. "
"For advanced disk options see <xref linkend=\"advanced-installation\"/>."
#: serverguide/C/installation.xml:176(para)
msgid "The Ubuntu base system is then installed."
#: serverguide/C/installation.xml:181(para)
"A new user is setup, this user will have <emphasis>root</emphasis> access "
"through the <application>sudo</application> utility."
#: serverguide/C/installation.xml:187(para)
"After the user is setup, you will be asked to encrypt your <filename "
"role=\"directory\">home</filename> directory."
#: serverguide/C/installation.xml:193(para)
"The next step in the installation process is to decide how you want to "
"update the system. There are three options:"
#: serverguide/C/installation.xml:199(para)
"<emphasis>No automatic updates</emphasis>: this requires an administrator to "
"log into the machine and manually install updates."
#: serverguide/C/installation.xml:205(para)
"<emphasis>Install security updates Automatically</emphasis>: will install "
"the <application>unattended-upgrades</application> package, which will "
"install security updates without the intervention of an administrator. For "
"more details see <xref linkend=\"automatic-updates\"/>."
#: serverguide/C/installation.xml:212(para)
"<emphasis>Manage the system with Landscape</emphasis>: Landscape is a paid "
"service provided by Canonical to help manager your Ubuntu machines. See the "
"<ulink url=\"http://www.canonical.com/projects/landscape\">Landscape</ulink> "
"site for details."
#: serverguide/C/installation.xml:221(para)
"You now have the option to install, or not install, several package tasks. "
"See <xref linkend=\"install-tasks\"/> for details. Also, there is an option "
"to launch <application>aptitude</application> to choose specific packages to "
"install. For more information see <xref linkend=\"aptitude\"/>."
#: serverguide/C/installation.xml:229(para)
msgid "Finally, the last step before rebooting is to set the clock to UTC."
#: serverguide/C/installation.xml:235(para)
"If at any point during installation you are not satisfied by the default "
"setting, use the \"Go Back\" function at any prompt to be brought to a "
"detailed installation menu that will allow you to modify the default "
#: serverguide/C/installation.xml:240(para)
"At some point during the installation process you may want to read the help "
"screen provided by the installation system. To do this, press F1."
#: serverguide/C/installation.xml:245(para)
"Once again, for detailed instructions see the <ulink "
"url=\"https://help.ubuntu.com/9.04/installation-guide/\"> Ubuntu "
"Installation Guide</ulink>."
#: serverguide/C/installation.xml:251(title)
msgid "Package Tasks"
#: serverguide/C/installation.xml:252(para)
"During the Server Edition installation you have the option of installing "
"additional packages from the CD. The packages are grouped by the type of "
"service they provide."
#: serverguide/C/installation.xml:258(para)
msgid "DNS server: Selects the BIND DNS server and its documentation."
#: serverguide/C/installation.xml:263(para)
msgid "LAMP server: Selects a ready-made Linux/Apache/MySQL/PHP server."
#: serverguide/C/installation.xml:268(para)
"Mail server: This task selects a variety of package useful for a general "
"purpose mail server system."
#: serverguide/C/installation.xml:273(para)
msgid "OpenSSH server: Selects packages needed for an OpenSSH server."
#: serverguide/C/installation.xml:278(para)
"PostgreSQL database: This task selects client and server packages for the "
"PostgreSQL database."
#: serverguide/C/installation.xml:283(para)
msgid "Print server: This task sets up your system to be a print server."
#: serverguide/C/installation.xml:288(para)
"Samba File server: This task sets up your system to be a Samba file server, "
"which is especially suitable in networks with both Windows and Linux systems."
#: serverguide/C/installation.xml:294(para)
"Tomcat server: Installs the Apache Tomcat and needed dependencies Java, gcj, "
#: serverguide/C/installation.xml:299(para)
"Virtual machine host: Includes packages needed to run KVM virtual machines."
#: serverguide/C/installation.xml:304(para)
"Installing the package groups is accomplished using the "
"<application>tasksel</application> utility. One of the important difference "
"between Ubuntu (or Debian) and other GNU/Linux distribution is that, when "
"installed, a package is also configured to reasonable defaults, eventually "
"prompting you for additional required information. Likewise, when installing "
"a task, the packages are not only installed, but also configured to provided "
"a fully integrated service."
#: serverguide/C/installation.xml:311(para)
"Once the installation process has finished you can view a list of available "
"tasks by entering the following from a terminal prompt:"
#: serverguide/C/installation.xml:316(command)
msgid "tasksel --list-tasks"
#: serverguide/C/installation.xml:319(para)
"The output will list tasks from other Ubuntu based distributions such as "
"Kubuntu and Edubuntu. Note that you can also invoke the "
"<command>tasksel</command> command by itself, which will bring up a menu of "
"the different tasks available."
#: serverguide/C/installation.xml:325(para)
"You can view a list of which packages are installed with each task using the "
"<emphasis>--task-packages</emphasis> option. For example, to list the "
"packages installed with the <emphasis>DNS Server</emphasis> task enter the "
#: serverguide/C/installation.xml:330(command)
msgid "tasksel --task-packages dns-server"
#: serverguide/C/installation.xml:332(para)
msgid "The output of the command should list:"
#: serverguide/C/installation.xml:335(programlisting)
#: serverguide/C/installation.xml:339(para)
"Also, if you did not install one of the tasks during the installation "
"process, but for example you decide to make your new LAMP server a DNS "
"server as well. Simply insert the installation CD and from a terminal:"
#: serverguide/C/installation.xml:344(command)
msgid "sudo tasksel install dns-server"
#: serverguide/C/installation.xml:349(title)
#: serverguide/C/installation.xml:350(para)
"There are several ways to upgrade from one Ubuntu release to another. This "
"section gives an overview of the recommended upgrade method."
#: serverguide/C/installation.xml:354(title) serverguide/C/installation.xml:369(command)
msgid "do-release-upgrade"
#: serverguide/C/installation.xml:355(para)
"The recommended way to upgrade a Server Edition installation is to use the "
"<application>do-release-upgrade</application> utility. Part of the "
"<emphasis>update-manager-core</emphasis> package, it does not have any "
"graphical dependencies and is installed by default."
#: serverguide/C/installation.xml:360(para)
"Debian based systems can also be upgraded by using <command>apt-get dist-"
"upgrade</command>. However, using <application>do-release-"
"upgrade</application> is recommended because it has the ability to handle "
"system configuration changes sometimes needed between releases."
#: serverguide/C/installation.xml:365(para)
msgid "To upgrade to a newer release, from a terminal prompt enter:"
#: serverguide/C/installation.xml:371(para)
"It is also possible to use <application>do-release-upgrade</application> to "
"upgrade to a development version of Ubuntu. To accomplish this use the "
"<emphasis>-d</emphasis> switch:"
#: serverguide/C/installation.xml:376(command)
msgid "do-release-upgrade -d"
#: serverguide/C/installation.xml:379(para)
"Upgrading to a development release is <emphasis>not</emphasis> recommended "
"for production environments."
#: serverguide/C/installation.xml:386(title)
msgid "Advanced Installation"
#: serverguide/C/installation.xml:389(title)
msgid "Software RAID"
#: serverguide/C/installation.xml:391(para)
"RAID is a method of configuring multiple hard drives to act as one, reducing "
"the probability of catastrophic data loss in case of drive failure. RAID is "
"implemented in either software (where the operating system knows about both "
"drives and actively maintains both of them) or hardware (where a special "
"controller makes the OS think there's only one drive and maintains the "
"drives 'invisibly')."
#: serverguide/C/installation.xml:398(para)
"The RAID software included with current versions of Linux (and Ubuntu) is "
"based on the <application>'mdadm'</application> driver and works very well, "
"better even than many so-called 'hardware' RAID controllers. This section "
"will guide you through installing Ubuntu Server Edition using two RAID1 "
"partitions on two physical hard drives, one for <emphasis>/</emphasis> and "
"another for <emphasis>swap</emphasis>."
#: serverguide/C/installation.xml:408(para) serverguide/C/installation.xml:925(para)
"Follow the installation steps until you get to the <emphasis>Partition "
"disks</emphasis> step, then:"
#: serverguide/C/installation.xml:415(para)
msgid "Select <emphasis>Manual</emphasis> as the partition method."
#: serverguide/C/installation.xml:422(para)
"Select the first hard drive, and agree to <emphasis>\"Create a new empty "
"partition table on this device?\"</emphasis>."
#: serverguide/C/installation.xml:426(para)
"Repeat this step for each drive you wish to be part of the RAID array."
#: serverguide/C/installation.xml:433(para)
"Select the <emphasis>\"FREE SPACE\"</emphasis> on the first drive then "
"select <emphasis>\"Create a new partition\"</emphasis>."
#: serverguide/C/installation.xml:440(para)
"Next, select the <emphasis>Size</emphasis> of the partition. This partition "
"will be the <emphasis>swap</emphasis> partition, and a general rule for swap "
"size is twice that of RAM. Enter the partition size, then choose "
"<emphasis>Primary</emphasis>, then <emphasis>Beginning</emphasis>."
#: serverguide/C/installation.xml:449(para)
"Select the <emphasis>\"Use as:\"</emphasis> line at the top. By default this "
"is <emphasis role=\"italic\">\"Ext3 journaling file system\"</emphasis>, "
"change that to <emphasis>\"physical volume for RAID\"</emphasis> then "
"<emphasis>\"Done setting up partition\"</emphasis>."
#: serverguide/C/installation.xml:458(para)
"For the <emphasis>/</emphasis> partition once again select <emphasis>\"Free "
"Space\"</emphasis> on the first drive then <emphasis>\"Create a new "
"partition\"</emphasis>."
#: serverguide/C/installation.xml:466(para)
"Use the rest of the free space on the drive and choose "
"<emphasis>Continue</emphasis>, then <emphasis>Primary</emphasis>."
#: serverguide/C/installation.xml:473(para)
"As with the swap partition, select the <emphasis>\"Use as:\"</emphasis> line "
"at the top, changing it to <emphasis>\"physical volume for RAID\"</emphasis> "
"then choose <emphasis>\"Done setting up partition\"</emphasis>."
#: serverguide/C/installation.xml:481(para)
msgid "Repeat steps three through eight for the other disk and partitions."
#: serverguide/C/installation.xml:490(title)
msgid "RAID Configuration"
#: serverguide/C/installation.xml:492(para)
msgid "With the partitions setup the arrays are ready to be configured:"
#: serverguide/C/installation.xml:499(para)
"Back in the main \"Partition Disks\" page, select <emphasis>\"Configure "
"Software RAID\"</emphasis> at the top."
#: serverguide/C/installation.xml:506(para)
msgid "Select <emphasis>\"yes\"</emphasis> to write the changes to disk."
#: serverguide/C/installation.xml:513(para)
msgid "Choose <emphasis>\"Create MD drive\"</emphasis>."
#: serverguide/C/installation.xml:520(para)
"For this example, select <emphasis>\"RAID1\"</emphasis>, but if you are "
"using a different setup choose the appropriate type (RAID0 RAID1 RAID5)."
#: serverguide/C/installation.xml:526(para)
"In order to use <emphasis>RAID5</emphasis> you need at least "
"<emphasis>three</emphasis> drives. Using RAID0 or RAID1 only "
"<emphasis>two</emphasis> drives are required."
#: serverguide/C/installation.xml:535(para)
"Enter the number of active devices <emphasis>\"2\"</emphasis>, or the amount "
"of hard drives you have, for the array. Then select "
"<emphasis>\"Continue\"</emphasis>."
#: serverguide/C/installation.xml:543(para)
"Next, enter the number of spare devices <emphasis>\"0\"</emphasis> by "
"default, then choose <emphasis>\"Continue\"</emphasis>."
#: serverguide/C/installation.xml:550(para)
"Choose which partitions to use. Generally they will be sda1, sdb1, sdc1, "
"etc. The numbers will usually match and the different letters correspond to "
"different hard drives."
#: serverguide/C/installation.xml:555(para)
"For the <emphasis>swap</emphasis> partition choose <emphasis>sda1</emphasis> "
"and <emphasis>sdb1</emphasis>. Select <emphasis>\"Continue\"</emphasis> to "
"go to the next step."
#: serverguide/C/installation.xml:563(para)
"Repeat steps <emphasis>three</emphasis> through <emphasis>seven</emphasis> "
"for the <emphasis>/</emphasis> partition choosing <emphasis>sda2</emphasis> "
"and <emphasis>sdb2</emphasis>."
#: serverguide/C/installation.xml:571(para)
msgid "Once done select <emphasis>\"Finish\"</emphasis>."
#: serverguide/C/installation.xml:581(title)
#: serverguide/C/installation.xml:583(para)
"There should now be a list of hard drives and RAID devices. The next step is "
"to format and set the mount point for the RAID devices. Treat the RAID "
"device as a local hard drive, format and mount accordingly."
#: serverguide/C/installation.xml:591(para)
msgid "Select the <emphasis>RAID1 device #0</emphasis> partition."
#: serverguide/C/installation.xml:598(para)
"Choose <emphasis>\"Use as:\"</emphasis>. Then select <emphasis>\"swap "
"area\"</emphasis>, then <emphasis>\"Done setting up partition\"</emphasis>."
#: serverguide/C/installation.xml:606(para)
msgid "Next, select the <emphasis>RAID1 device #1</emphasis> partition."
#: serverguide/C/installation.xml:613(para)
"Choose <emphasis>\"Use as:\"</emphasis>. Then select <emphasis>\"Ext3 "
"journaling file system\"</emphasis>."
#: serverguide/C/installation.xml:620(para)
"Then select the <emphasis>\"Mount point\"</emphasis> and choose "
"<emphasis>\"/ - the root file system\"</emphasis>. Change any of the other "
"options as appropriate, then select <emphasis>\"Done setting up "
"partition\"</emphasis>."
#: serverguide/C/installation.xml:628(para)
"Finally, select <emphasis>\"Finish partitioning and write changes to "
"disk\"</emphasis>."
#: serverguide/C/installation.xml:635(para)
"If you choose to place the root partition on a RAID array, the installer "
"will then ask if you would like to boot in a <emphasis>degraded</emphasis> "
"state. See <xref linkend=\"raid-degraded\"/> for further details."
#: serverguide/C/installation.xml:640(para)
msgid "The installation process will then continue normally."
#: serverguide/C/installation.xml:646(title)
msgid "Degraded RAID"
#: serverguide/C/installation.xml:648(para)
"At some point in the life of the computer a disk failure event may occur. "
"When this happens, using Software RAID, the operating system will place the "
"array into what is known as a <emphasis>degraded</emphasis> state."
#: serverguide/C/installation.xml:653(para)
"If the array has become degraded, due to the chance of data corruption, by "
"default Ubuntu Server Edition will boot to <emphasis>initramfs</emphasis> "
"after thirty seconds. Once the initramfs has booted there is a fifteen "
"second prompt giving you the option to go ahead and boot the system, or "
"attempt manual recover. Booting to the initramfs prompt may or may not be "
"the desired behavior, especially if the machine is in a remote location. "
"Booting to a degraded array can be configured several ways:"
#: serverguide/C/installation.xml:664(para)
"The <application>dpkg-reconfigure</application> utility can be used to "
"configure the default behavior, and during the process you will be queried "
"about additional settings related to the array. Such as monitoring, email "
"alerts, etc. To reconfigure <application>mdadm</application> enter the "
#: serverguide/C/installation.xml:671(command)
msgid "sudo dpkg-reconfigure mdadm"
#: serverguide/C/installation.xml:677(para)
"The <command>dpkg-reconfigure mdadm</command> process will change the "
"<filename>/etc/initramfs-tools/conf.d/mdadm</filename> configuration file. "
"The file has the advantage of being able to pre-configure the system's "
"behavior, and can also be manually edited:"
#: serverguide/C/installation.xml:683(programlisting)
"BOOT_DEGRADED=true\n"
#: serverguide/C/installation.xml:688(para)
msgid "The configuration file can be overridden by using a Kernel argument."
#: serverguide/C/installation.xml:696(para)
"Using a Kernel argument will allow the system to boot to a degraded array as "
#: serverguide/C/installation.xml:702(para)
"When the server is booting press <emphasis>ESC</emphasis> to open the "
"<application>Grub</application> menu."
#: serverguide/C/installation.xml:707(para)
msgid "Press <emphasis>\"e\"</emphasis> to edit your Kernel command options."
#: serverguide/C/installation.xml:712(para)
"Press the <emphasis>DOWN</emphasis> arrow to highlight the kernel line."
#: serverguide/C/installation.xml:717(para)
"Press the <emphasis>\"e\"</emphasis> key again to edit the kernel line."
#: serverguide/C/installation.xml:722(para)
"Add <emphasis>\"bootdegraded=true\"</emphasis> (without the quotes) to the "
#: serverguide/C/installation.xml:727(para)
msgid "Press <emphasis>\"ENTER\"</emphasis>."
#: serverguide/C/installation.xml:732(para)
msgid "Finally, press <emphasis>\"b\"</emphasis> to boot the system."
#: serverguide/C/installation.xml:741(para)
"Once the system has booted you can either repair the array see <xref "
"linkend=\"raid-maintenance\"/> for details, or copy important data to "
"another machine due to major hardware failure."
#: serverguide/C/installation.xml:748(title)
msgid "RAID Maintenance"
#: serverguide/C/installation.xml:750(para)
"The <application>mdadm</application> utility can be used to view the status "
"of an array, add disks to an array, remove disks, etc:"
#: serverguide/C/installation.xml:757(para)
msgid "To view the status of an array, from a terminal prompt enter:"
#: serverguide/C/installation.xml:761(command)
msgid "sudo mdadm -D /dev/md0"
#: serverguide/C/installation.xml:764(para)
"The <emphasis>-D</emphasis> tells <application>mdadm</application> to "
"display <emphasis>detailed</emphasis> information about the "
"<filename>/dev/md0</filename> device. Replace <filename>/dev/md0</filename> "
"with the appropriate RAID device."
#: serverguide/C/installation.xml:770(para)
msgid "To view the status of a disk in an array:"
#: serverguide/C/installation.xml:774(command)
msgid "sudo mdadm -E /dev/sda1"
#: serverguide/C/installation.xml:776(para)
"The output if very similar to the <command>mdadm -D</command> command, "
"adjust <filename>/dev/sda1</filename> for each disk."
#: serverguide/C/installation.xml:781(para)
msgid "If a disk fails and needs to be removed from an array enter:"
#: serverguide/C/installation.xml:785(command)
msgid "sudo mdadm --remove /dev/md0 /dev/sda1"
#: serverguide/C/installation.xml:787(para)
"Change <filename>/dev/md0</filename> and <filename>/dev/sda1</filename> to "
"the appropriate RAID device and disk."
#: serverguide/C/installation.xml:792(para)
msgid "Similarly, to add a new disk:"
#: serverguide/C/installation.xml:796(command)
msgid "sudo mdadm --add /dev/md0 /dev/sda1"
#: serverguide/C/installation.xml:801(para)
"Sometimes a disk can change to a <emphasis>faulty</emphasis> state even "
"though there is nothing physically wrong with the drive. It is usually "
"worthwhile to remove the drive from the array then re-add it. This will "
"cause the drive to re-sync with the array. If the drive will not sync with "
"the array, it is a good indication of hardware failure."
#: serverguide/C/installation.xml:807(para)
"The <filename>/proc/mdstat</filename> file also contains useful information "
"about the system's RAID devices:"
#: serverguide/C/installation.xml:812(command)
msgid "cat /proc/mdstat"
#: serverguide/C/installation.xml:813(computeroutput)
"Personalities : [linear] [multipath] [raid0] [raid1] [raid6] [raid5] [raid4] "
"md0 : active raid1 sda1[0] sdb1[1]\n"
" 10016384 blocks [2/2] [UU]\n"
"unused devices: <none>"
#: serverguide/C/installation.xml:820(para)
"The following command is great for watching the status of a syncing drive:"
#: serverguide/C/installation.xml:825(command)
msgid "watch -n1 cat /proc/mdstat"
#: serverguide/C/installation.xml:828(para)
"Press <emphasis>Ctrl+c</emphasis> to stop the "
"<application>watch</application> command."
#: serverguide/C/installation.xml:832(para)
"If you do need to replace a faulty drive, after the drive has been replaced "
"and synced, <application>grub</application> will need to be installed. To "
"install <application>grub</application> on the new drive, enter the "
#: serverguide/C/installation.xml:838(command)
msgid "sudo grub-install /dev/md0"
#: serverguide/C/installation.xml:841(para)
"Replace <filename>/dev/md0</filename> with the appropriate array device name."
#: serverguide/C/installation.xml:849(para)
"The topic of RAID arrays is a complex one due to the plethora of ways RAID "
"can be configured. Please see the following links for more information:"
#: serverguide/C/installation.xml:857(ulink)
msgid "Software RAID HOWTO"
#: serverguide/C/installation.xml:862(ulink)
msgid "Managing RAID on Linux"
#: serverguide/C/installation.xml:869(title)
msgid "Logical Volume Manager (LVM)"
#: serverguide/C/installation.xml:871(para)
"Logical Volume Manger, or <emphasis>LVM</emphasis>, allows administrators to "
"create <emphasis>logical</emphasis> volumes out of one or multiple physical "
"hard disks. LVM volumes can be created on both software RAID partitions and "
"standard partitions residing on a single disk. Volumes can also be extended, "
"giving greater flexibility to systems as requirements change."
#: serverguide/C/installation.xml:880(para)
"A side effect of LVM's power and flexibility is a greater degree of "
"complication. Before diving into the LVM installation process, it is best to "
"get familiar with some terms."
#: serverguide/C/installation.xml:887(para)
"<emphasis>Volume Group (VG):</emphasis> contains one or several Logical "
#: serverguide/C/installation.xml:892(para)
"<emphasis>Logical Volume (LV):</emphasis> is similar to a partition in a non-"
"LVM system. Multiple Physical Volumes (PV) can make up one LV, on top of "
"which resides the actual EXT3, XFS, JFS, etc filesystem."
#: serverguide/C/installation.xml:898(para)
"<emphasis>Physical Volume (PV):</emphasis> physical hard disk or software "
"RAID partition. The Volume Group can be extended by adding more PVs."
#: serverguide/C/installation.xml:909(para)
"As an example this section covers installing Ubuntu Server Edition with "
"<filename role=\"directory\">/srv</filename> mounted on a LVM volume. During "
"the initial install only one Physical Volume (PV) will be part of the Volume "
"Group (VG). Another PV will be added after install to demonstrate how a VG "
#: serverguide/C/installation.xml:915(para)
"There are several installation options for LVM, <emphasis>\"Guided - use the "
"entire disk and setup LVM\"</emphasis> which will also allow you to assign a "
"portion of the available space to LVM, <emphasis>\"Guided - use entire and "
"setup encrypted LVM\"</emphasis>, or <emphasis>Manually</emphasis> setup the "
"partitions and configure LVM. At this time the only way to configure a "
"system with both LVM and standard partitions, during installation, is to use "
"the Manual approach."
#: serverguide/C/installation.xml:932(para)
"At the <emphasis>\"Partition Disks</emphasis> screen choose "
"<emphasis>\"Manual\"</emphasis>."
#: serverguide/C/installation.xml:939(para)
"Select the hard disk and on the next screen choose \"yes\" to "
"<emphasis>\"Create a new empty partition table on this device\"</emphasis>."
#: serverguide/C/installation.xml:946(para)
"Next, create standard <emphasis>/boot</emphasis>, <emphasis>swap</emphasis>, "
"and <emphasis>/</emphasis> partitions with whichever filesystem you prefer."
#: serverguide/C/installation.xml:954(para)
"For the LVM <emphasis>/srv</emphasis>, create a new "
"<emphasis>Logical</emphasis> partition. Then change <emphasis>\"Use "
"as\"</emphasis> to <emphasis>\"physical volume for LVM\"</emphasis> then "
"<emphasis>\"Done setting up the partition\"</emphasis>."
#: serverguide/C/installation.xml:962(para)
"Now select <emphasis>\"Configure the Logical Volume Manager\"</emphasis> at "
"the top, and choose <emphasis>\"Yes\"</emphasis> to write the changes to "
#: serverguide/C/installation.xml:970(para)
"For the <emphasis>\"LVM configuration action\"</emphasis> on the next "
"screen, choose <emphasis>\"Create volume group\"</emphasis>. Enter a name "
"for the VG such as <emphasis>vg01</emphasis>, or something more descriptive. "
"After entering a name, select the partition configured for LVM, and choose "
"<emphasis>\"Continue\"</emphasis>."
#: serverguide/C/installation.xml:979(para)
"Back at the <emphasis>\"LVM configuration action\"</emphasis> screen, select "
"<emphasis>\"Create logical volume\"</emphasis>. Select the newly created "
"volume group, and enter a name for the new LV, for example "
"<emphasis>srv</emphasis> since that is the intended mount point. Then choose "
"a size, which may be the full partition because it can always be extended "
"later. Choose <emphasis>\"Finish\"</emphasis> and you should be back at the "
"main <emphasis>\"Partition Disks\"</emphasis> screen."
#: serverguide/C/installation.xml:989(para)
"Now add a filesystem to the new LVM. Select the partition under "
"<emphasis>\"LVM VG vg01, LV srv\"</emphasis>, or whatever name you have "
"chosen, the choose <emphasis>Use as</emphasis>. Setup a file system as "
"normal selecting <emphasis>/srv</emphasis> as the mount point. Once done, "
"select <emphasis>\"Done setting up the partition\"</emphasis>."
#: serverguide/C/installation.xml:998(para)
"Finally, select <emphasis>\"Finish partitioning and write changes to "
"disk\"</emphasis>. Then confirm the changes and continue with the rest of "
"the installation."
#: serverguide/C/installation.xml:1006(para)
msgid "There are some useful utilities to view information about LVM:"
#: serverguide/C/installation.xml:1011(para)
"<emphasis>vgdisplay:</emphasis> shows information about Volume Groups."
#: serverguide/C/installation.xml:1012(para)
"<emphasis>lvdisplay:</emphasis> has information about Logical Volumes."
#: serverguide/C/installation.xml:1013(para)
"<emphasis>pvdisplay:</emphasis> similarly displays information about "
"Physical Volumes."
#: serverguide/C/installation.xml:1018(title)
msgid "Extending Volume Groups"
#: serverguide/C/installation.xml:1020(para)
"Continuing with <emphasis>srv</emphasis> as an LVM volume example, this "
"section covers adding a second hard disk, creating a Physical Volume (PV), "
"adding it to the volume group (VG), extending the logical volume <filename "
"role=\"directory\">srv</filename> and finally extending the filesystem. This "
"example assumes a second hard disk has been added to the system. This hard "
"disk will be named <filename>/dev/sdb</filename> in our example. BEWARE: "
"make sure you don't already have an existing <filename>/dev/sdb</filename> "
"before issuing the commands below. You could lose some data if you issue "
"those commands on a non-empty disk. In our example we will use the entire "
"disk as a physical volume (you could choose to create partitions and use "
"them as different physical volumes)"
#: serverguide/C/installation.xml:1032(para)
msgid "First, create the physical volume, in a terminal execute:"
#: serverguide/C/installation.xml:1037(command)
msgid "sudo pvcreate /dev/sdb"
#: serverguide/C/installation.xml:1043(para)
msgid "Now extend the Volume Group (VG):"
#: serverguide/C/installation.xml:1048(command)
msgid "sudo vgextend vg01 /dev/sdb"
#: serverguide/C/installation.xml:1054(para)
"Use <application>vgdisplay</application> to find out the free physical "
"extents - Free PE / size (the size you can allocate). We will assume a free "
"size of 511 PE (equivalent to 2GB with a PE size of 4MB) and we will use the "
"whole free space available. Use your own PE and/or free space."
#: serverguide/C/installation.xml:1060(para)
"The Logical Volume (LV) can now be extended by different methods, we will "
"only see how to use the PE to extend the LV:"
#: serverguide/C/installation.xml:1065(command)
msgid "sudo lvextend /dev/vg01/srv -l +511"
#: serverguide/C/installation.xml:1068(para)
"The <emphasis>-l</emphasis> option allows the LV to be extended using PE. "
"The <emphasis>-L</emphasis> option allows the LV to be extended using Meg, "
"Gig, Tera, etc bytes."
#: serverguide/C/installation.xml:1076(para)
"Even though you are supposed to be able to <emphasis>expand</emphasis> an "
"ext3 or ext4 filesystem without unmounting it first, it may be a good "
"pratice to unmount it anyway and check the filesystem, so that you don't "
"mess up the day you want to reduce a logical volume (in that case unmounting "
"first is compulsory)."
#: serverguide/C/installation.xml:1082(para)
"The following commands are for an <emphasis>EXT3</emphasis> or "
"<emphasis>EXT4</emphasis> filesystem. If you are using another filesystem "
"there may be other utilities available."
#: serverguide/C/installation.xml:1089(command)
msgid "sudo e2fsck -f /dev/vg01/srv"
#: serverguide/C/installation.xml:1092(para)
"The <emphasis>-f</emphasis> option of <application>e2fsck</application> "
"forces checking even if the system seems clean."
#: serverguide/C/installation.xml:1099(para)
msgid "Finally, resize the filesystem:"
#: serverguide/C/installation.xml:1104(command)
msgid "sudo resize2fs /dev/vg01/srv"
#: serverguide/C/installation.xml:1110(para)
msgid "Now mount the partition and check its size."
#: serverguide/C/installation.xml:1115(command)
msgid "mount /dev/vg01/srv /srv && df -h /srv"
#: serverguide/C/installation.xml:1127(para)
"See the <ulink url=\"http://tldp.org/HOWTO/LVM-HOWTO/index.html\">LVM "
"HOWTO</ulink> for more information."
#: serverguide/C/installation.xml:1132(para)
"Another good article is <ulink "
"url=\"http://www.linuxdevcenter.com/pub/a/linux/2006/04/27/managing-disk-"
"space-with-lvm.html\">Managing Disk Space with LVM</ulink> on O'Reilly's "
"linuxdevcenter.com site."
#: serverguide/C/installation.xml:1139(para)
"For more information on <application>fdisk</application> see the <ulink "
"url=\"http://manpages.ubuntu.com/manpages/jaunty/en/man8/fdisk.8.html\">fdisk"
" man page</ulink>."
#: serverguide/C/file-server.xml:13(title)
msgid "File Servers"
msgstr "Failų Serveriai"
#: serverguide/C/file-server.xml:15(para)
"If you have more than one computer on a single network. At some point you "
"will probably need to share files between them. In this section we cover "
"installing and configuring FTP, NFS, and CUPS."
#: serverguide/C/file-server.xml:22(title)
msgstr "FTP Serveris"
#: serverguide/C/file-server.xml:24(para)
"File Transfer Protocol (FTP) is a TCP protocol for uploading and downloading "
"files between computers. FTP works on a client/server model. The server "
"component is called an <emphasis>FTP daemon</emphasis>. It continuously "
"listens for FTP requests from remote clients. When a request is received, it "
"manages the login and sets up the connection. For the duration of the "
"session it executes any of commands sent by the FTP client."
#: serverguide/C/file-server.xml:33(para)
msgid "Access to an FTP server can be managed in two ways:"
#: serverguide/C/file-server.xml:37(para)
msgstr "Anonimiškas"
#: serverguide/C/file-server.xml:40(para)
msgid "Authenticated"
msgstr "Autentifikuotas"
#: serverguide/C/file-server.xml:43(para)
"In the Anonymous mode, remote clients can access the FTP server by using the "
"default user account called \"anonymous\" or \"ftp\" and sending an email "
"address as the password. In the Authenticated mode a user must have an "
"account and a password. User access to the FTP server directories and files "
"is dependent on the permissions defined for the account used at login. As a "
"general rule, the FTP daemon will hide the root directory of the FTP server "
"and change it to the FTP Home directory. This hides the rest of the file "
"system from remote sessions."
#: serverguide/C/file-server.xml:55(title)
msgid "vsftpd - FTP Server Installation"
#: serverguide/C/file-server.xml:57(para)
"vsftpd is an FTP daemon available in Ubuntu. It is easy to install, set up, "
"and maintain. To install <application>vsftpd</application> you can run the "
"following command:"
#: serverguide/C/file-server.xml:65(command)
msgid "sudo apt-get install vsftpd"
#: serverguide/C/file-server.xml:71(title)
msgid "Anonymous FTP Configuration"
#: serverguide/C/file-server.xml:73(para)
"By default <application>vsftpd</application> is configured to only allow "
"anonymous download. During installation a <emphasis>ftp</emphasis> user is "
"created with a home directory of <filename>/home/ftp</filename>. This is the "
"default FTP directory."
#: serverguide/C/file-server.xml:80(para)
"If you wish to change this location, to <filename>/srv/ftp</filename> for "
"example, simply create a directory in another location and change the "
"<emphasis>ftp</emphasis> user's home directory:"
#: serverguide/C/file-server.xml:87(command)
msgid "sudo mkdir /srv/ftp"
#: serverguide/C/file-server.xml:88(command)
msgid "sudo usermod -d /srv/ftp ftp"
#: serverguide/C/file-server.xml:91(para)
msgid "After making the change restart <application>vsftpd</application>:"
#: serverguide/C/file-server.xml:96(command) serverguide/C/file-server.xml:124(command) serverguide/C/file-server.xml:189(command) serverguide/C/file-server.xml:237(command)
msgid "sudo /etc/init.d/vsftpd restart"
#: serverguide/C/file-server.xml:99(para)
"Finally, copy any files and directories you would like to make available "
"through anonymous FTP to <filename>/srv/ftp</filename>."
#: serverguide/C/file-server.xml:106(title)
msgid "User Authenticated FTP Configuration"
#: serverguide/C/file-server.xml:108(para)
"To configure <application>vsftpd</application> to authenticate system users "
"and allow them to upload files edit <filename>/etc/vsftpd.conf</filename>:"
#: serverguide/C/file-server.xml:114(programlisting)
"local_enable=YES\n"
"write_enable=YES\n"
#: serverguide/C/file-server.xml:119(para)
msgid "Now restart <application>vsftpd</application>:"
#: serverguide/C/file-server.xml:127(para)
"Now when system users login to FTP they will start in their "
"<emphasis>home</emphasis> directories where they can download, upload, "
"create directories, etc."
#: serverguide/C/file-server.xml:133(para)
"Similarly, by default, the anonymous users are not allowed to upload files "
"to FTP server. To change this setting, you should uncomment the following "
"line, and restart <application>vsftpd</application>:"
#: serverguide/C/file-server.xml:140(programlisting)
"anon_upload_enable=YES\n"
#: serverguide/C/file-server.xml:145(para)
"Enabling anonymous FTP upload can be an extreme security risk. It is best to "
"not enable anonymous upload on servers accessed directly from the Internet."
#: serverguide/C/file-server.xml:151(para)
"The configuration file consists of many configuration parameters. The "
"information about each parameter is available in the configuration file. "
"Alternatively, you can refer to the man page, <command>man 5 "
"vsftpd.conf</command> for details of each parameter."
#: serverguide/C/file-server.xml:162(title)
msgid "Securing FTP"
#: serverguide/C/file-server.xml:164(para)
"There are options in <filename>/etc/vsftpd.conf</filename> to help make "
"<application>vsftpd</application> more secure. For example users can be "
"limited to their home directories by uncommenting:"
#: serverguide/C/file-server.xml:170(programlisting)
"chroot_local_user=YES\n"
#: serverguide/C/file-server.xml:174(para)
"You can also limit a specific list of users to just their home directories:"
#: serverguide/C/file-server.xml:178(programlisting)
"chroot_list_enable=YES\n"
"chroot_list_file=/etc/vsftpd.chroot_list\n"
#: serverguide/C/file-server.xml:183(para)
"After uncommenting the above options, create a "
"<filename>/etc/vsftpd.chroot_list</filename> containing a list of users one "
"per line. Then restart <application>vsftpd</application>:"
#: serverguide/C/file-server.xml:192(para)
"Also, the <filename>/etc/ftpusers</filename> file is a list of users that "
"are <emphasis>disallowed</emphasis> FTP access. The default list includes "
"root, daemon, nobody, etc. To disable FTP access for additional users simply "
"add them to the list."
#: serverguide/C/file-server.xml:199(para)
"FTP can also be encrypted using <emphasis>FTPS</emphasis>. Different from "
"<emphasis>SFTP</emphasis>, <emphasis>FTPS</emphasis> is FTP over Secure "
"Socket Layer (SSL). <emphasis>SFTP</emphasis> is a FTP like session over an "
"encrypted <emphasis>SSH</emphasis> connection. A major difference is that "
"users of SFTP need to have a <emphasis>shell</emphasis> account on the "
"system, instead of a <emphasis>nologin</emphasis> shell. Providing all users "
"with a shell may not be ideal for some environments, such as a shared web "
#: serverguide/C/file-server.xml:208(para)
"To configure <emphasis>FTPS</emphasis>, edit "
"<filename>/etc/vsftpd.conf</filename> and at the bottom add:"
#: serverguide/C/file-server.xml:212(programlisting)
#: serverguide/C/file-server.xml:216(para)
msgid "Also, notice the certificate and key related options:"
#: serverguide/C/file-server.xml:220(programlisting)
"rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem\n"
"rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key\n"
#: serverguide/C/file-server.xml:225(para)
"By default these options are set the the certificate and key provided by the "
"<application>ssl-cert</application> package. In a production environment "
"these should be replaced with a certificate and key generated for the "
"specific host. For more information on certificates see <xref "
"linkend=\"certificates-and-security\"/>."
#: serverguide/C/file-server.xml:231(para)
"Now restart <application>vsftpd</application>, and non-anonymous users will "
"be forced to use <emphasis>FTPS</emphasis>:"
#: serverguide/C/file-server.xml:240(para)
"To allow users with a shell of <filename>/usr/sbin/nologin</filename> access "
"to FTP, but have no shell access, edit <filename>/etc/shells</filename> "
"adding the <emphasis>nologin</emphasis> shell:"
#: serverguide/C/file-server.xml:245(programlisting)
"# /etc/shells: valid login shells\n"
"/usr/bin/screen\n"
"/usr/sbin/nologin\n"
#: serverguide/C/file-server.xml:263(para)
"This is necessary because, by default <application>vsftpd</application> uses "
"PAM for authentication, and the <filename>/etc/pam.d/vsftpd</filename> "
"configuration file contains:"
#: serverguide/C/file-server.xml:268(programlisting)
"auth required pam_shells.so\n"
#: serverguide/C/file-server.xml:272(para)
"The <emphasis>shells</emphasis> PAM module restricts access to shells listed "
"in the <filename>/etc/shells</filename> file."
#: serverguide/C/file-server.xml:277(para)
"Most popular FTP clients can be configured connect using FTPS. The "
"<application>lftp</application> command line FTP client has the ability to "
"use FTPS as well."
#: serverguide/C/file-server.xml:288(para)
"See the <ulink url=\"http://vsftpd.beasts.org/vsftpd_conf.html\">vsftpd "
"website</ulink> for more information."
#: serverguide/C/file-server.xml:293(para)
"For detailed <filename>/etc/vsftpd.conf</filename> options see the <ulink "
"url=\"http://manpages.ubuntu.com/manpages/jaunty/en/man5/vsftpd.conf.5.html\""
">vsftpd.conf man page</ulink>."
#: serverguide/C/file-server.xml:299(para)
"The CodeGurus article <ulink "
"url=\"http://www.codeguru.com/csharp/.net/net_general/internet/article.php/c1"
"4329\"> FTPS vs. SFTP: What to Choose</ulink> has useful information "
"contrasting FTPS and SFTP."
#: serverguide/C/file-server.xml:310(title)
msgid "Network File System (NFS)"
#: serverguide/C/file-server.xml:311(para)
"NFS allows a system to share directories and files with others over a "
"network. By using NFS, users and programs can access files on remote systems "
"almost as if they were local files."
#: serverguide/C/file-server.xml:317(para)
msgid "Some of the most notable benefits that NFS can provide are:"
#: serverguide/C/file-server.xml:323(para)
"Local workstations use less disk space because commonly used data can be "
"stored on a single machine and still remain accessible to others over the "
#: serverguide/C/file-server.xml:328(para)
"There is no need for users to have separate home directories on every "
"network machine. Home directories could be set up on the NFS server and made "
"available throughout the network."
#: serverguide/C/file-server.xml:334(para)
"Storage devices such as floppy disks, CDROM drives, and USB Thumb drives can "
"be used by other machines on the network. This may reduce the number of "
"removable media drives throughout the network."
#: serverguide/C/file-server.xml:344(para)
"At a terminal prompt enter the following command to install the NFS Server:"
#: serverguide/C/file-server.xml:350(command)
msgid "sudo apt-get install nfs-kernel-server"
#: serverguide/C/file-server.xml:356(para)
"You can configure the directories to be exported by adding them to the "
"<filename>/etc/exports</filename> file. For example:"
#: serverguide/C/file-server.xml:361(screen)
"/ubuntu *(ro,sync,no_root_squash)\n"
"/home *(rw,sync,no_root_squash)\n"
#: serverguide/C/file-server.xml:367(para)
"You can replace * with one of the hostname formats. Make the hostname "
"declaration as specific as possible so unwanted systems cannot access the "
#: serverguide/C/file-server.xml:373(para)
"To start the NFS server, you can run the following command at a terminal "
#: serverguide/C/file-server.xml:378(command)
msgid "sudo /etc/init.d/nfs-kernel-server start"
#: serverguide/C/file-server.xml:383(title)
msgid "NFS Client Configuration"
#: serverguide/C/file-server.xml:384(para)
"Use the <application>mount</application> command to mount a shared NFS "
"directory from another machine, by typing a command line similar to the "
"following at a terminal prompt:"
#: serverguide/C/file-server.xml:390(command)
msgid "sudo mount example.hostname.com:/ubuntu /local/ubuntu"
#: serverguide/C/file-server.xml:394(para)
"The mount point directory <filename>/local/ubuntu</filename> must exist. "
"There should be no files or subdirectories in the "
"<filename>/local/ubuntu</filename> directory."
#: serverguide/C/file-server.xml:401(para)
"An alternate way to mount an NFS share from another machine is to add a line "
"to the <filename>/etc/fstab</filename> file. The line must state the "
"hostname of the NFS server, the directory on the server being exported, and "
"the directory on the local machine where the NFS share is to be mounted."
#: serverguide/C/file-server.xml:409(para)
"The general syntax for the line in <filename>/etc/fstab</filename> file is "
#: serverguide/C/file-server.xml:415(programlisting)
"example.hostname.com:/ubuntu /local/ubuntu nfs "
"rsize=8192,wsize=8192,timeo=14,intr\n"
#: serverguide/C/file-server.xml:419(para)
"If you have trouble mounting an NFS share, make sure the <application>nfs-"
"common</application> package is installed on your client. To install "
"<application>nfs-common</application> enter the following command at the "
"terminal prompt: <screen>\n"
"<command>sudo apt-get install nfs-common</command>\n"
#: serverguide/C/file-server.xml:432(ulink)
msgid "Linux NFS faq"
#: serverguide/C/file-server.xml:437(title)
msgid "CUPS - Print Server"
#: serverguide/C/file-server.xml:438(para)
"The primary mechanism for Ubuntu printing and print services is the "
"<emphasis role=\"bold\">Common UNIX Printing System</emphasis> (CUPS). This "
"printing system is a freely available, portable printing layer which has "
"become the new standard for printing in most Linux distributions."
#: serverguide/C/file-server.xml:445(para)
"CUPS manages print jobs and queues and provides network printing using the "
"standard Internet Printing Protocol (IPP), while offering support for a very "
"large range of printers, from dot-matrix to laser and many in between. CUPS "
"also supports PostScript Printer Description (PPD) and auto-detection of "
"network printers, and features a simple web-based configuration and "
"administration tool."
#: serverguide/C/file-server.xml:455(para)
"To install CUPS on your Ubuntu computer, simply use "
"<application>sudo</application> with the <application>apt-get</application> "
"command and give the packages to install as the first parameter. A complete "
"CUPS install has many package dependencies, but they may all be specified on "
"the same command line. Enter the following at a terminal prompt to install "
#: serverguide/C/file-server.xml:460(command)
msgid "sudo apt-get install cupsys"
#: serverguide/C/file-server.xml:463(para)
"Upon authenticating with your user password, the packages should be "
"downloaded and installed without error. Upon the conclusion of installation, "
"the CUPS server will be started automatically."
#: serverguide/C/file-server.xml:468(para)
"For troubleshooting purposes, you can access CUPS server errors via the "
"error log file at: <filename>/var/log/cups/error_log</filename>. If the "
"error log does not show enough information to troubleshoot any problems you "
"encounter, the verbosity of the CUPS log can be increased by changing the "
"<emphasis role=\"bold\">LogLevel</emphasis> directive in the configuration "
"file (discussed below) to \"debug\" or even \"debug2\", which logs "
"everything, from the default of \"info\". If you make this change, remember "
"to change it back once you've solved your problem, to prevent the log file "
"from becoming overly large."
#: serverguide/C/file-server.xml:481(para)
"The Common UNIX Printing System server's behavior is configured through the "
"directives contained in the file <filename>/etc/cups/cupsd.conf</filename>. "
"The CUPS configuration file follows the same syntax as the primary "
"configuration file for the Apache HTTP server, so users familiar with "
"editing Apache's configuration file should feel at ease when editing the "
"CUPS configuration file. Some examples of settings you may wish to change "
"initially will be presented here."
#: serverguide/C/file-server.xml:491(para)
"Prior to editing the configuration file, you should make a copy of the "
"original file and protect it from writing, so you will have the original "
"settings as a reference, and to reuse as necessary."
#: serverguide/C/file-server.xml:495(para)
"Copy the <filename>/etc/cups/cupsd.conf</filename> file and protect it from "
"writing with the following commands, issued at a terminal prompt:"
#: serverguide/C/file-server.xml:501(command)
msgid "sudo cp /etc/cups/cupsd.conf /etc/cups/cupsd.conf.original"
#: serverguide/C/file-server.xml:502(command)
msgid "sudo chmod a-w /etc/cups/cupsd.conf.original"
#: serverguide/C/file-server.xml:507(para)
"<emphasis role=\"bold\">ServerAdmin</emphasis>: To configure the email "
"address of the designated administrator of the CUPS server, simply edit the "
"<filename>/etc/cups/cupsd.conf</filename> configuration file with your "
"preferred text editor, and modify the <emphasis "
"role=\"italics\">ServerAdmin</emphasis> line accordingly. For example, if "
"you are the Administrator for the CUPS server, and your e-mail address is "
"'bjoy@somebigco.com', then you would modify the ServerAdmin line to appear "
#: serverguide/C/file-server.xml:518(screen)
"ServerAdmin bjoy@somebigco.com\n"
#: serverguide/C/file-server.xml:524(para)
"For more examples of configuration directives in the CUPS server "
"configuration file, view the associated system manual page by entering the "
"following command at a terminal prompt:"
#: serverguide/C/file-server.xml:531(command)
msgid "man cupsd.conf"
#: serverguide/C/file-server.xml:535(para)
"Whenever you make changes to the <filename>/etc/cups/cupsd.conf</filename> "
"configuration file, you'll need to restart the CUPS server by typing the "
"following command at a terminal prompt:"
#: serverguide/C/file-server.xml:541(command)
msgid "sudo /etc/init.d/cupsys restart"
#: serverguide/C/file-server.xml:544(para)
"Some other configuration for the CUPS server is done in the file "
"<filename>/etc/cups/cups.d/ports.conf</filename>:"
#: serverguide/C/file-server.xml:547(para)
"<emphasis role=\"bold\">Listen</emphasis>: By default on Ubuntu, the CUPS "
"server installation listens only on the loopback interface at IP address "
"<emphasis>127.0.0.1</emphasis>. In order to instruct the CUPS server to "
"listen on an actual network adapter's IP address, you must specify either a "
"hostname, the IP address, or optionally, an IP address/port pairing via the "
"addition of a Listen directive. For example, if your CUPS server resides on "
"a local network at the IP address <emphasis "
"role=\"italics\">192.168.10.250</emphasis> and you'd like to make it "
"accessible to the other systems on this subnetwork, you would edit the "
"<filename>/etc/cups/cupsd.conf</filename> and add a Listen directive, as "
#: serverguide/C/file-server.xml:561(screen)
"Listen 127.0.0.1:631 # existing loopback Listen\n"
"Listen /var/run/cups/cups.sock # existing socket Listen\n"
"Listen 192.168.10.250:631 # Listen on the LAN interface, Port 631 "
#: serverguide/C/file-server.xml:567(para)
"In the example above, you may comment out or remove the reference to the "
"Loopback address (127.0.0.1) if you do not wish <application>cupsd "
"</application> to listen on that interface, but would rather have it only "
"listen on the Ethernet interfaces of the Local Area Network (LAN). To enable "
"listening for all network interfaces for which a certain hostname is bound, "
"including the Loopback, you could create a Listen entry for the hostname "
"<emphasis>socrates</emphasis> as such:"
#: serverguide/C/file-server.xml:577(screen)
"Listen socrates:631 # Listen on all interfaces for the hostname 'socrates'\n"
#: serverguide/C/file-server.xml:581(para)
"or by omitting the Listen directive and using <emphasis>Port</emphasis> "
#: serverguide/C/file-server.xml:583(screen)
"Port 631 # Listen on port 631 on all interfaces\n"
#: serverguide/C/file-server.xml:594(ulink)
msgid "CUPS Website"
#: serverguide/C/dns.xml:13(title)
msgid "Domain Name Service (DNS)"
#: serverguide/C/dns.xml:14(para)
"Domain Name Service (DNS) is an Internet service that maps IP addresses and "
"fully qualified domain names (FQDN) to one another. In this way, DNS "
"alleviates the need to remember IP addresses. Computers that run DNS are "
"called <emphasis>name servers</emphasis>. Ubuntu ships with "
"<application>BIND</application> (Berkley Internet Naming Daemon), the most "
"common program used for maintaining a name server on Linux."
#: serverguide/C/dns.xml:24(para)
"At a terminal prompt, enter the following command to install "
"<application>dns</application>:"
#: serverguide/C/dns.xml:28(command)
msgid "sudo apt-get install bind9"
#: serverguide/C/dns.xml:30(para)
"A very useful package for testing and troubleshooting DNS issues is the "
"dnsutils package. To install <application>dnsutils</application> enter the "
#: serverguide/C/dns.xml:35(command)
msgid "sudo apt-get install dnsutils"
#: serverguide/C/dns.xml:40(para)
"There a many ways to configure <application>BIND9</application>. Some of the "
"most common configurations are a caching nameserver, primary master, and a "
"as a secondary master."
#: serverguide/C/dns.xml:46(para)
"When configured as a caching nameserver BIND9 will find the answer to name "
"queries and remember the answer when the domain is queried again."
#: serverguide/C/dns.xml:52(para)
"As a primary master server BIND9 reads the data for a zone from a file on "
"it's host and is authoritative for that zone."
#: serverguide/C/dns.xml:57(para)
"In a secondary master configuration BIND9 gets the zone data from another "
"nameserver authoritative for the zone."
#: serverguide/C/dns.xml:65(para)
"The DNS configuration files are stored in the <filename>/etc/bind</filename> "
"directory. The primary configuration file is "
"<filename>/etc/bind/named.conf</filename>."
#: serverguide/C/dns.xml:72(para)
"The <emphasis>include</emphasis> line specifies the filename which contains "
"the DNS options. The <emphasis>directory</emphasis> line in the "
"<filename>/etc/bind/named.conf.options</filename> file tells DNS where to "
"look for files. All files BIND uses will be relative to this directory."
#: serverguide/C/dns.xml:80(para)
"The file named <filename>/etc/bind/db.root</filename> describes the root "
"nameservers in the world. The servers change over time, so the "
"<filename>/etc/bind/db.root</filename> file must be maintained now and then. "
"This is usually done as updates to the <application>bind9</application> "
"package. The <emphasis>zone</emphasis> section defines a master server, and "
"it is stored in a file mentioned in the <emphasis>file</emphasis> option."
#: serverguide/C/dns.xml:90(para)
"It is possible to configure the same server to be a caching name server, "
"primary master, and secondary master. A server can be the Start of Authority "
"(SOA) for one zone, while providing secondary service for another zone. All "
"the while providing caching services for hosts on the local LAN."
#: serverguide/C/dns.xml:98(title)
msgid "Caching Nameserver"
#: serverguide/C/dns.xml:99(para)
"The default configuration is setup to act as a caching server. All that is "
"required is simply adding the IP Addresses of your ISP's DNS servers. Simply "
"uncomment and edit the following in "
"<filename>/etc/bind/named.conf.options</filename>:"
#: serverguide/C/dns.xml:103(programlisting)
#: serverguide/C/dns.xml:110(para)
"Replace <emphasis>1.2.3.4</emphasis> and <emphasis>5.6.7.8</emphasis> with "
"the IP Adresses of actual nameservers."
#: serverguide/C/dns.xml:114(para)
"Now restart the DNS server, to enable the new configuration. From a terminal "
#: serverguide/C/dns.xml:118(command) serverguide/C/dns.xml:194(command) serverguide/C/dns.xml:253(command) serverguide/C/dns.xml:312(command) serverguide/C/dns.xml:561(command)
msgid "sudo /etc/init.d/bind9 restart"
#: serverguide/C/dns.xml:120(para)
"See <xref linkend=\"dns-testing-dig\"/> for information on testing a caching "
#: serverguide/C/dns.xml:125(title)
msgid "Primary Master"
#: serverguide/C/dns.xml:126(para)
"In this section <application>BIND9</application> will be configured as the "
"Primary Master for the domain <emphasis>example.com</emphasis>. Simply "
"replace <emphasis role=\"italic\">example.com</emphasis> with your FQDN "
"(Fully Qualified Domain Name)."
#: serverguide/C/dns.xml:132(title)
msgid "Forward Zone File"
#: serverguide/C/dns.xml:133(para)
"To add a DNS zone to BIND9, turning BIND9 into a Primary Master server, the "
"first step is to edit <filename>/etc/bind/named.conf.local</filename>:"
#: serverguide/C/dns.xml:137(programlisting)
"zone \"example.com\" {\n"
" file \"/etc/bind/db.example.com\";\n"
#: serverguide/C/dns.xml:143(para)
"Now use an existing zone file as a template to create the "
"<filename>/etc/bind/db.example.com</filename> file:"
#: serverguide/C/dns.xml:147(command)
msgid "sudo cp /etc/bind/db.local /etc/bind/db.example.com"
#: serverguide/C/dns.xml:149(para)
"Edit the new zone file <filename>/etc/bind/db.example.com</filename> change "
"<emphasis>localhost.</emphasis> to the FQDN of your server, leaving the "
"additional \".\" at the end. Change <emphasis>127.0.0.1</emphasis> to the "
"nameserver's IP Address and <emphasis>root.localhost</emphasis> to a valid "
"email address, but with a \".\" instead of the usual \"@\" symbol, again "
"leaving the \".\" at the end."
#: serverguide/C/dns.xml:155(para)
"Also, create an <emphasis>A record</emphasis> for <emphasis "
"role=\"italic\">ns.example.com</emphasis>. The name server in this example:"
#: serverguide/C/dns.xml:159(programlisting)
"; BIND data file for local loopback interface\n"
"@ IN SOA ns.example.com. root.example.com. (\n"
" 604800 ; Refresh\n"
" 2419200 ; Expire\n"
" 604800 ) ; Negative Cache TTL\n"
"@ IN NS ns.example.com.\n"
"@ IN A 127.0.0.1\n"
"ns IN A 192.168.1.10\n"
#: serverguide/C/dns.xml:176(para)
"You must increment the <emphasis>Serial Number</emphasis> every time you "
"make changes to the zone file. If you make multiple changes before "
"restarting BIND9, simply increment the Serial once."
#: serverguide/C/dns.xml:180(para)
"Now, you can add DNS records to the bottom of the zone file. See <xref "
"linkend=\"dns-record-types\"/> for details."
#: serverguide/C/dns.xml:184(para)
"Many admins like to use the last date edited as the serial of a zone, such "
"as <emphasis>2007010100</emphasis> which is yyyymmddss (where "
"<emphasis>ss</emphasis> is the Serial Number)"
#: serverguide/C/dns.xml:189(para)
"Once you have made a change to the zone file "
"<application>BIND9</application> will need to be restarted for the changes "
#: serverguide/C/dns.xml:198(title)
msgid "Reverse Zone File"
#: serverguide/C/dns.xml:199(para)
"Now that the zone is setup and resolving names to IP Adresses a "
"<emphasis>Reverse zone</emphasis> is also required. A Reverse zone allows "
"DNS to resolve an address to a name."
#: serverguide/C/dns.xml:203(para)
msgid "Edit /etc/bind/named.conf.local and add the following:"
#: serverguide/C/dns.xml:206(programlisting)
"zone \"1.168.192.in-addr.arpa\" {\n"
" file \"/etc/bind/db.192\";\n"
#: serverguide/C/dns.xml:214(para)
"Replace <emphasis>1.168.192</emphasis> with the first three octets of "
"whatever network you are using. Also, name the zone file "
"<filename>/etc/bind/db.192</filename> appropriately. It should match the "
"first octet of your network."
#: serverguide/C/dns.xml:219(para)
msgid "Now create the <filename>/etc/bind/db.192</filename> file:"
#: serverguide/C/dns.xml:223(command)
msgid "sudo cp /etc/bind/db.127 /etc/bind/db.192"
#: serverguide/C/dns.xml:225(para)
"Next edit <filename>/etc/bind/db.192</filename> changing the basically the "
"same options as <filename>/etc/bind/db.example.com</filename>:"
#: serverguide/C/dns.xml:229(programlisting)
"; BIND reverse data file for local loopback interface\n"
"@ IN SOA ns.example.com. root.example.com. (\n"
" 604800 ; Refresh\n"
" 2419200 ; Expire\n"
" 604800 ) ; Negative Cache TTL\n"
"10 IN PTR ns.example.com.\n"
#: serverguide/C/dns.xml:244(para)
"The <emphasis>Serial Number</emphasis> in the Reverse zone needs to be "
"incremented on each changes as well. For each <emphasis>A record</emphasis> "
"you configure in <filename>/etc/bind/db.example.com</filename> you need to "
"create a <emphasis>PTR record</emphasis> in "
"<filename>/etc/bind/db.192</filename>."
#: serverguide/C/dns.xml:249(para)
"After creating the reverse zone file restart "
"<application>BIND9</application>:"
#: serverguide/C/dns.xml:258(title)
msgid "Secondary Master"
#: serverguide/C/dns.xml:259(para)
"Once a <emphasis>Primary Master</emphasis> has been configured a "
"<emphasis>Secondary Master</emphasis> is needed in order to maintain the "
"availability of the domain should the Primary become unavailable."
#: serverguide/C/dns.xml:263(para)
"First, on the Primary Master server, the zone transfer needs to be allowed. "
"Add the <emphasis>allow-transfer</emphasis> option to the example Forward "
"and Reverse zone definitions in "
"<filename>/etc/bind/named.conf.local</filename>:"
#: serverguide/C/dns.xml:267(programlisting)
"zone \"example.com\" {\n"
"\tfile \"/etc/bind/db.example.com\";\n"
" allow-transfer { 192.168.1.11; };\n"
"zone \"1.168.192.in-addr.arpa\" {\n"
" file \"/etc/bind/db.192\";\n"
"\tallow-transfer { 192.168.1.11; };\n"
#: serverguide/C/dns.xml:282(para)
"Replace <emphasis>192.168.1.11</emphasis> with the IP Address of your "
"Secondary nameserver."
#: serverguide/C/dns.xml:286(para)
"Next, on the Secondary Master, install the <application>bind9</application> "
"package the same way as on the Primary. Then edit the "
"<filename>/etc/bind/named.conf.local</filename> and add the following "
"declarations for the Forward and Reverse zones:"
#: serverguide/C/dns.xml:290(programlisting)
"zone \"example.com\" {\n"
" file \"/var/cache/bind/db.example.com\";\n"
" masters { 192.168.1.10; };\n"
"zone \"1.168.192.in-addr.arpa\" {\n"
" file \"/var/cache/bind/db.192\";\n"
" masters { 192.168.1.10; };\n"
#: serverguide/C/dns.xml:304(para)
"Replace <emphasis>192.168.1.10</emphasis> with the IP Address of your "
"Primary nameserver."
#: serverguide/C/dns.xml:308(para)
msgid "Restart <application>BIND9</application> on the Secondary Master:"
#: serverguide/C/dns.xml:314(para)
"In <filename>/var/log/syslog</filename> you should see something similar to:"
#: serverguide/C/dns.xml:317(programlisting)
"slave zone \"example.com\" (IN) loaded (serial 6)\n"
"slave zone \"100.18.172.in-addr.arpa\" (IN) loaded (serial 3)\n"
#: serverguide/C/dns.xml:322(para)
"Note: A zone is only transferred if the <emphasis>Serial Number</emphasis> "
"on the Primary is larger than the one on the Secondary."
#: serverguide/C/dns.xml:328(para)
"The default directory for non-authoritative zone files is "
"<filename>/var/cache/bind/</filename>. This directory is also configured in "
"<application>AppArmor</application> to allow the "
"<application>named</application> daemon to write to. For more information on "
"AppArmor see <xref linkend=\"apparmor\"/>."
#: serverguide/C/dns.xml:339(para)
"This section covers ways to help determine the cause when problems happen "
"with DNS and <application>BIND9</application>."
#: serverguide/C/dns.xml:345(title)
msgid "resolv.conf"
#: serverguide/C/dns.xml:346(para)
"The first step in testing <application>BIND9</application> is to add the "
"nameserver's IP Address to a hosts resolver. The Primary nameserver should "
"be configured as well as another host to double check things. Simply edit "
"<filename>/etc/resolv.conf</filename> and add the following:"
#: serverguide/C/dns.xml:351(programlisting)
"nameserver\t192.168.1.10\n"
"nameserver\t192.168.1.11\n"
#: serverguide/C/dns.xml:356(para)
"You should also add the IP Address of the Secondary nameserver in case the "
"Primary becomes unavailable."
#: serverguide/C/dns.xml:362(title)
#: serverguide/C/dns.xml:363(para)
"If you installed the <application>dnsutils</application> package you can "
"test your setup using the DNS lookup utility <application>dig</application>:"
#: serverguide/C/dns.xml:369(para)
"After installing <application>BIND9</application> use "
"<application>dig</application> against the loopback interface to make sure "
"it is listening on port 53. From a terminal prompt:"
#: serverguide/C/dns.xml:374(command)
msgid "dig -x 127.0.0.1"
#: serverguide/C/dns.xml:376(para)
msgid "You should see lines similar to the following in the command output:"
#: serverguide/C/dns.xml:379(programlisting)
";; Query time: 1 msec\n"
";; SERVER: 192.168.1.10#53(192.168.1.10)\n"
#: serverguide/C/dns.xml:385(para)
"If you have configured <application>BIND9</application> as a "
"<emphasis>Caching</emphasis> nameserver \"dig\" an outside domain to check "
#: serverguide/C/dns.xml:390(command)
msgid "dig ubuntu.com"
#: serverguide/C/dns.xml:392(para)
msgid "Note the query time toward the end of the command output:"
#: serverguide/C/dns.xml:395(programlisting)
";; Query time: 49 msec\n"
#: serverguide/C/dns.xml:398(para)
msgid "After a second dig there should be improvement:"
#: serverguide/C/dns.xml:401(programlisting)
";; Query time: 1 msec\n"
#: serverguide/C/dns.xml:408(title)
#: serverguide/C/dns.xml:410(para)
"Now to demonstrate how applications make use of DNS to resolve a host name "
"use the <application>ping</application> utility to send an ICMP echo "
"request. From a terminal prompt enter:"
#: serverguide/C/dns.xml:416(command)
msgid "ping example.com"
#: serverguide/C/dns.xml:418(para)
"This tests if the nameserver can resolve the name "
"<emphasis>ns.example.com</emphasis> to an IP Address. The command output "
#: serverguide/C/dns.xml:422(programlisting)
"PING ns.example.com (192.168.1.10) 56(84) bytes of data.\n"
"64 bytes from 192.168.1.10: icmp_seq=1 ttl=64 time=0.800 ms\n"
"64 bytes from 192.168.1.10: icmp_seq=2 ttl=64 time=0.813 ms\n"
#: serverguide/C/dns.xml:429(title)
msgid "named-checkzone"
#: serverguide/C/dns.xml:430(para)
"A great way to test your zone files is by using the <application>named-"
"checkzone</application> utility installed with the "
"<application>bind9</application> package. This utility allows you to make "
"sure the configuration is correct before restarting "
"<application>BIND9</application> and making the changes live."
#: serverguide/C/dns.xml:437(para)
"To test our example Forward zone file enter the following from a command "
#: serverguide/C/dns.xml:441(command)
msgid "named-checkzone example.com /etc/bind/db.example.com"
#: serverguide/C/dns.xml:443(para)
"If everything is configured correctly you should see output similar to:"
#: serverguide/C/dns.xml:446(programlisting)
"zone example.com/IN: loaded serial 6\n"
#: serverguide/C/dns.xml:452(para)
msgid "Similarly, to test the Reverse zone file enter the following:"
#: serverguide/C/dns.xml:456(command)
msgid "named-checkzone example.com /etc/bind/db.192"
#: serverguide/C/dns.xml:458(para)
msgid "The output should be similar to:"
#: serverguide/C/dns.xml:461(programlisting)
"zone example.com/IN: loaded serial 3\n"
#: serverguide/C/dns.xml:468(para)
"The <emphasis>Serial Number</emphasis> of your zone file will probably be "
#: serverguide/C/dns.xml:475(title)
#: serverguide/C/dns.xml:476(para)
"<application>BIND9</application> has a wide variety of logging configuration "
"options available. There are two main options. The "
"<emphasis>channel</emphasis> option configures where logs go, and the the "
"<emphasis>category</emphasis> option determines what information to log."
#: serverguide/C/dns.xml:480(para)
msgid "If no logging option is configured the default option is:"
#: serverguide/C/dns.xml:483(programlisting)
" category default { default_syslog; default_debug; };\n"
" category unmatched { null; };\n"
#: serverguide/C/dns.xml:489(para)
"This section covers configuring <application>BIND9</application> to send "
"<emphasis>debug</emphasis> messages related to DNS queries to a separate "
#: serverguide/C/dns.xml:494(para)
"First, we need to configure a channel to specify which file to send the "
"messages to. Edit <filename>/etc/bind/named.conf.local</filename> and add "
#: serverguide/C/dns.xml:498(programlisting)
" channel query.log { \n"
" file \"/var/log/query.log\";\n"
" severity debug 3; \n"
#: serverguide/C/dns.xml:508(para)
msgid "Next, configure a category to send all DNS queries to the query file:"
#: serverguide/C/dns.xml:511(programlisting)
" channel query.log { \n"
" file \"/var/log/query.log\"; \n"
" severity debug 3; \n"
" <emphasis>category queries { query.log; };</emphasis> \n"
#: serverguide/C/dns.xml:523(para)
"Note: the <emphasis>debug</emphasis> option can be set from 1 to 3. If a "
"level isn't specified level 1 is the default."
#: serverguide/C/dns.xml:529(para)
"Since the <emphasis>named daemon</emphasis> runs as the "
"<emphasis>bind</emphasis> user the <filename>/var/log/query.log</filename> "
"file must be created and the ownership changed:"
#: serverguide/C/dns.xml:534(command)
msgid "sudo touch /var/log/query.log"
#: serverguide/C/dns.xml:535(command)
msgid "sudo chown bind /var/log/query.log"
#: serverguide/C/dns.xml:539(para)
"Before <application>named</application> daemon can write to the new log file "
"the <application>AppArmor</application> profile must be updated. First, edit "
"<filename>/etc/apparmor.d/usr.sbin.named</filename> and add:"
#: serverguide/C/dns.xml:543(programlisting)
"/var/log/query.log w,\n"
#: serverguide/C/dns.xml:546(para)
msgid "Next, reload the profile:"
#: serverguide/C/dns.xml:550(command)
msgid "cat /etc/apparmor.d/usr.sbin.named | sudo apparmor_parser -r"
#: serverguide/C/dns.xml:552(para)
"For more information on <application>AppArmor</application> see <xref "
"linkend=\"apparmor\"/>"
#: serverguide/C/dns.xml:557(para)
"Now restart <application>BIND9</application> for the changes to take effect:"
#: serverguide/C/dns.xml:565(para)
"You should see the file <filename>/var/log/query.log</filename> fill with "
"query information. This is a simple example of the "
"<application>BIND9</application> logging options. For coverage of advanced "
"options see <xref linkend=\"dns-more-info\"/>."
#: serverguide/C/dns.xml:574(title)
msgid "Common Record Types"
#: serverguide/C/dns.xml:575(para)
msgid "This section covers some of the most common DNS record types."
#: serverguide/C/dns.xml:580(para)
"<emphasis>A</emphasis> record: This record maps an IP Address to a hostname."
#: serverguide/C/dns.xml:583(programlisting)
"www IN A 192.168.1.12\n"
#: serverguide/C/dns.xml:588(para)
"<emphasis>CNAME</emphasis> record: Used to create an alias to an existing A "
"record. You cannot create a CNAME record pointing to another CNAME record."
#: serverguide/C/dns.xml:591(programlisting)
"web IN CNAME www\n"
#: serverguide/C/dns.xml:596(para)
"<emphasis>MX</emphasis> record: Used to define where email should be sent "
"to. Must point to an A record, not a CNAME."
#: serverguide/C/dns.xml:599(programlisting)
" IN MX mail.example.com.\n"
"mail IN A 192.168.1.13\n"
#: serverguide/C/dns.xml:605(para)
"<emphasis>NS</emphasis> record: Used to define which servers serve copies of "
"a zone. It must point to an A record, not a CNAME. This is where Primary and "
"Secondary servers are defined."
#: serverguide/C/dns.xml:609(programlisting)
" IN NS ns.example.com.\n"
"\tIN NS ns2.example.com.\n"
"ns IN A 192.168.1.10\n"
"ns2\tIN A\t 192.168.1.11\n"
#: serverguide/C/dns.xml:619(title)
msgid "More Information"
#: serverguide/C/dns.xml:620(para)
"The <ulink url=\"http://www.tldp.org/HOWTO/DNS-HOWTO.html\">DNS "
"HOWTO</ulink> explains more advanced options for configuring BIND9."
#: serverguide/C/dns.xml:623(para)
"For in depth coverage of <emphasis>DNS</emphasis> and "
"<application>BIND9</application> see <ulink "
"url=\"http://www.bind9.net/\">Bind9.net</ulink>."
#: serverguide/C/dns.xml:626(para)
"<ulink url=\"http://www.oreilly.com/catalog/dns5/index.html\">DNS and "
"BIND</ulink> is a popular book now in it's fifth edition."
#: serverguide/C/dns.xml:629(para)
"A great place to ask for <application>BIND9</application> assistance, and "
"get involved with the Ubuntu Server community, is the <emphasis>#ubuntu-"
"server</emphasis> IRC channel on <ulink "
"url=\"http://freenode.net\">freenode</ulink>."
#: serverguide/C/databases.xml:13(title)
msgstr "Duomenų bazės"
#: serverguide/C/databases.xml:14(para)
msgid "Ubuntu provides two popular database servers. They are:"
#: serverguide/C/databases.xml:22(application) serverguide/C/databases.xml:152(title)
msgstr "PostgreSQL"
#: serverguide/C/databases.xml:25(para)
"They are available in the main repository. This section explains how to "
"install and configure these database servers."
#: serverguide/C/databases.xml:32(para)
"MySQL is a fast, multi-threaded, multi-user, and robust SQL database server. "
"It is intended for mission-critical, heavy-load production systems as well "
"as for embedding into mass-deployed software."
#: serverguide/C/databases.xml:41(para)
msgid "To install MySQL, run the following command from a terminal prompt:"
#: serverguide/C/databases.xml:46(command)
msgid "sudo apt-get install mysql-server"
#: serverguide/C/databases.xml:48(para)
"During the installation process you will be prompted to enter a password for "
"the <application>MySQL</application> root user."
#: serverguide/C/databases.xml:53(para)
"Once the installation is complete, the MySQL server should be started "
"automatically. You can run the following command from a terminal prompt to "
"check whether the MySQL server is running:"
#: serverguide/C/databases.xml:61(command)
msgid "sudo netstat -tap | grep mysql"
#: serverguide/C/databases.xml:70(programlisting)
"tcp 0 0 localhost:mysql *:* LISTEN "
19113
#: serverguide/C/databases.xml:74(para)
19115
"If the server is not running correctly, you can type the following command "
19119
#: serverguide/C/databases.xml:79(command) serverguide/C/databases.xml:104(command)
19120
msgid "sudo /etc/init.d/mysql restart"
#: serverguide/C/databases.xml:85(para)
"You can edit the <filename>/etc/mysql/my.cnf</filename> file to configure "
"the basic settings -- log file, port number, etc. For example, to configure "
"<application>MySQL</application> to listen for connections from network "
"hosts, change the <emphasis>bind_address</emphasis> directive to the "
"server's IP address:"
#: serverguide/C/databases.xml:91(programlisting)
"bind-address = 192.168.0.5\n"
#: serverguide/C/databases.xml:95(para)
msgid "Replace 192.168.0.5 with the appropriate address."
#: serverguide/C/databases.xml:99(para)
"After making a change to <filename>/etc/mysql/my.cnf</filename> the "
"<application>mysql</application> daemon will need to be restarted:"
#: serverguide/C/databases.xml:107(para)
"If you would like to change the "
"<application>MySQL</application><emphasis>root</emphasis> password, in a "
#: serverguide/C/databases.xml:113(command)
msgid "sudo dpkg-reconfigure mysql-server-5.0"
#: serverguide/C/databases.xml:116(para)
"The <application>mysql</application> daemon will be stopped, and you will be "
"prompted to enter a new password."
#: serverguide/C/databases.xml:125(para)
"See the <ulink url=\"http://www.mysql.com/\">MySQL Home Page</ulink> for "
"more information."
#: serverguide/C/databases.xml:130(para)
"The <emphasis>MySQL Handbook</emphasis> is also available in the "
"<application>mysql-doc-5.0</application> package. To install the package "
"enter the following in a terminal:"
#: serverguide/C/databases.xml:135(command)
msgid "sudo apt-get install mysql-doc-5.0"
#: serverguide/C/databases.xml:137(para)
"The documentation is in HTML format, to view them enter "
"<command>file:///usr/share/doc/mysql-doc-5.0/refman-5.0-en.html-"
"chapter/index.html</command> in your browser's address bar."
#: serverguide/C/databases.xml:143(para) serverguide/C/databases.xml:285(para)
"For general SQL information see <ulink "
"url=\"http://www.informit.com/store/product.aspx?isbn=0768664128\">Using SQL "
"Special Edition</ulink> by Rafe Colburn."
#: serverguide/C/databases.xml:153(para)
"PostgreSQL is an object-relational database system that has the features of "
"traditional commercial database systems with enhancements to be found in "
"next-generation DBMS systems."
#: serverguide/C/databases.xml:160(para)
"To install PostgreSQL, run the following command in the command prompt:"
#: serverguide/C/databases.xml:167(command)
msgid "sudo apt-get install postgresql"
#: serverguide/C/databases.xml:171(para)
"Once the installation is complete, you should configure the PostgreSQL "
"server based on your needs, although the default configuration is viable."
#: serverguide/C/databases.xml:179(para)
"By default, connection via TCP/IP is disabled. PostgreSQL supports multiple "
"client authentication methods. By default, IDENT authentication method is "
"used for <application>postgres</application> and local users. Please refer "
"<ulink url=\"http://www.postgresql.org/docs/8.3/static/admin.html\"> the "
"PostgreSQL Administrator's Guide</ulink>."
#: serverguide/C/databases.xml:186(para)
"The following discussion assumes that you wish to enable TCP/IP connections "
"and use the MD5 method for client authentication. PostgreSQL configuration "
"files are stored in the "
"<filename>/etc/postgresql/<version>/main</filename> directory. For "
"example, if you install PostgreSQL 8.3, the configuration files are stored "
"in the <filename>/etc/postgresql/8.3/main</filename> directory."
#: serverguide/C/databases.xml:196(para)
"To configure <emphasis>ident</emphasis> authentication, add entries to the "
"<filename>/etc/postgresql/8.3/main/pg_ident.conf</filename> file."
#: serverguide/C/databases.xml:203(para)
"To enable TCP/IP connections, edit the file "
"<filename>/etc/postgresql/8.3/main/postgresql.conf</filename>"
#: serverguide/C/databases.xml:205(para)
"Locate the line <emphasis>#listen_addresses = 'localhost'</emphasis> and "
#: serverguide/C/databases.xml:208(programlisting)
"listen_addresses = 'localhost'\n"
#: serverguide/C/databases.xml:212(para)
"To allow other computers to connect to your "
"<application>PostgreSQL</application> server replace 'localhost' with the "
"<emphasis>IP Address</emphasis> of your server."
#: serverguide/C/databases.xml:217(para)
"You may also edit all other parameters, if you know what you are doing! For "
"details, refer to the configuration file or to the PostgreSQL documentation."
#: serverguide/C/databases.xml:222(para)
"Now that we can connect to our <application>PostgreSQL</application> server, "
"the next step is to set a password for the <emphasis>postgres</emphasis> "
"user. Run the following command at a terminal prompt to connect to the "
"default PostgreSQL template database:"
#: serverguide/C/databases.xml:229(command)
msgid "sudo -u postgres psql template1"
#: serverguide/C/databases.xml:231(para)
"The above command connects to PostgreSQL database "
"<emphasis>template1</emphasis> as user <emphasis>postgres</emphasis>. Once "
"you connect to the PostgreSQL server, you will be at a SQL prompt. You can "
"run the following SQL command at the <application>psql</application> prompt "
"to configure the password for the user <emphasis "
"role=\"italics\">postgres</emphasis>."
#: serverguide/C/databases.xml:239(command)
msgid "ALTER USER postgres with encrypted password 'your_password';"
#: serverguide/C/databases.xml:241(para)
"After configuring the password, edit the file "
"<filename>/etc/postgresql/8.3/main/pg_hba.conf</filename> to use "
"<emphasis>MD5</emphasis> authentication with the "
"<emphasis>postgres</emphasis> user:"
#: serverguide/C/databases.xml:247(programlisting)
"local all postgres md5 sameuser\n"
#: serverguide/C/databases.xml:251(para)
"Finally, you should restart the <application>PostgreSQL</application> "
"service to initialize the new configuration. From a terminal prompt enter "
"the following to restart <application>PostgreSQL</application>:"
#: serverguide/C/databases.xml:257(command)
msgid "sudo /etc/init.d/postgresql-8.3 restart"
#: serverguide/C/databases.xml:260(para)
"The above configuration is not complete by any means. Please refer <ulink "
"url=\"http://www.postgresql.org/docs/8.3/static/admin.html\"> the PostgreSQL "
"Administrator's Guide</ulink> to configure more parameters."
#: serverguide/C/databases.xml:271(para)
"As mentioned above the <ulink "
"url=\"http://www.postgresql.org/docs/8.3/static/admin.html\">Administrator's "
"Guide</ulink> is an excellent resource. The guide is also available in the "
"<application>postgresql-doc-8.3</application> package. Execute the following "
"in a terminal to install the package:"
#: serverguide/C/databases.xml:277(command)
msgid "sudo apt-get install postgresql-doc-8.3"
#: serverguide/C/databases.xml:279(para)
"To view the guide enter <command>file:///usr/share/doc/postgresql-doc-"
"8.3/html/index.html</command> into the address bar of your browser."
#: serverguide/C/clustering.xml:13(title)
#: serverguide/C/clustering.xml:16(title)
#: serverguide/C/clustering.xml:18(para)
"Distributed Replicated Block Device (DRBD) mirrors block devices between "
"multiple hosts. The replication is transparent to other applications on the "
"host systems. Any block device hard disks, partitions, RAID devices, logical "
"volumes, etc can be mirrored."
#: serverguide/C/clustering.xml:24(para)
"To get started using <application>drbd</application>, first install the "
"necessary packages. From a terminal enter:"
#: serverguide/C/clustering.xml:29(command)
msgid "sudo apt-get install drbd8-utils"
#: serverguide/C/clustering.xml:32(para)
"This section covers setting up a <application>drbd</application> to "
"replicate a separate <filename>/srv</filename> partition, with an "
"<application>ext3</application> filesystem between two hosts. The partition "
"size is not particularly relevant, but both partitions need to be the same "
#: serverguide/C/clustering.xml:41(para)
"The two hosts in this example will be called <emphasis>drbd01</emphasis> and "
"<emphasis>drbd02</emphasis>. They will need to have name resolution "
"configured either through DNS or the <filename>/etc/hosts</filename> file. "
"See <xref linkend=\"dns\"/> for details."
#: serverguide/C/clustering.xml:49(para)
"To configure <application>drbd</application>, on the first host edit "
"<filename>/etc/drbd.conf</filename>:"
#: serverguide/C/clustering.xml:53(programlisting)
"global { usage-count no; }\n"
"common { syncer { rate 100M; } }\n"
" wfc-timeout 15;\n"
" degr-wfc-timeout 60;\n"
" cram-hmac-alg sha1;\n"
" shared-secret \"secret\";\n"
" allow-two-primaries;\n"
" device /dev/drbd0;\n"
" disk /dev/sdb1;\n"
" address 192.168.0.1:7788;\n"
" meta-disk internal;\n"
" device /dev/drbd0;\n"
" disk /dev/sdb1;\n"
" address 192.168.0.2:7788;\n"
" meta-disk internal;\n"
#: serverguide/C/clustering.xml:83(para)
"There are many other options in <filename>/etc/drbd.conf</filename>, but for "
"this example their default values are fine."
#: serverguide/C/clustering.xml:91(para)
msgid "Now copy <filename>/etc/drbd.conf</filename> to the second host:"
#: serverguide/C/clustering.xml:96(command)
msgid "scp /etc/drbd.conf drbd02:~"
#: serverguide/C/clustering.xml:102(para)
"And, on <emphasis>drbd02</emphasis> move the file to "
"<filename>/etc</filename>:"
#: serverguide/C/clustering.xml:107(command)
msgid "sudo mv drbd.conf /etc/"
#: serverguide/C/clustering.xml:113(para)
"Next, on both hosts, start the <application>drbd</application> daemon:"
#: serverguide/C/clustering.xml:118(command)
msgid "sudo /etc/init.d/drbd start"
#: serverguide/C/clustering.xml:124(para)
"Now using the <application>drbdadm</application> utility initialize the meta "
"data storage. On each server execute:"
#: serverguide/C/clustering.xml:130(command)
msgid "sudo drbdadm create-md r0"
#: serverguide/C/clustering.xml:136(para)
"On the <emphasis>drbd01</emphasis>, or whichever host you wish to be the "
"primary, enter the following:"
#: serverguide/C/clustering.xml:141(command)
msgid "sudo drbdadm -- --overwrite-data-of-peer primary all"
#: serverguide/C/clustering.xml:147(para)
"After executing the above command, the data will start syncing with the "
"secondary host. To watch the progresss, on <emphasis>drbd02</emphasis> enter "
#: serverguide/C/clustering.xml:153(command)
msgid "watch -n1 cat /proc/drbd"
#: serverguide/C/clustering.xml:156(para)
msgid "To stop watching the output press <emphasis>Ctrl+c</emphasis>."
#: serverguide/C/clustering.xml:163(para)
"Finally, add a filesystem to <filename>/dev/drbd0</filename> and mount it:"
#: serverguide/C/clustering.xml:168(command)
msgid "sudo mkfs.ext3 /dev/drbd0"
#: serverguide/C/clustering.xml:169(command) serverguide/C/clustering.xml:217(command)
msgid "sudo mount /dev/drbd0 /srv"
#: serverguide/C/clustering.xml:179(para)
"To test that the data is actually syncing between the hosts copy some files "
"on the <emphasis>drbd01</emphasis>, the primary, to "
"<filename>/srv</filename>:"
#: serverguide/C/clustering.xml:188(para)
msgid "Next, unmount <filename>/srv</filename>:"
#: serverguide/C/clustering.xml:196(para)
"<emphasis>Demote</emphasis> the <emphasis>primary</emphasis> server to the "
"<emphasis>secondary</emphasis> role:"
#: serverguide/C/clustering.xml:201(command)
msgid "sudo drbdadm secondary r0"
#: serverguide/C/clustering.xml:204(para)
"Now on the the <emphasis>secondary</emphasis> server "
"<emphasis>promote</emphasis> it to the <emphasis>primary</emphasis> role:"
#: serverguide/C/clustering.xml:209(command)
msgid "sudo drbdadm primary r0"
#: serverguide/C/clustering.xml:212(para)
msgid "Lastly, mount the partition:"
#: serverguide/C/clustering.xml:220(para)
"Using <emphasis>ls</emphasis> you should see "
"<filename>/srv/default</filename> copied from the former "
"<emphasis>primary</emphasis> host <emphasis>drbd01</emphasis>."
#: serverguide/C/clustering.xml:231(para)
"For more information on <application>DRBD</application> see the <ulink "
"url=\"http://www.drbd.org/\">DRBD web site</ulink>."
#: serverguide/C/clustering.xml:236(para)
"url=\"http://manpages.ubuntu.com/manpages/jaunty/en/man5/drbd.conf.5.html\">d"
"rbd.conf man page</ulink> contains details on the options not covered in "
#: serverguide/C/clustering.xml:242(para)
"Also, see the <ulink "
"url=\"http://manpages.ubuntu.com/manpages/jaunty/en/man8/drbdadm.8.html\">drb"
"dadm man page</ulink>."
#: serverguide/C/backups.xml:13(title)
#: serverguide/C/backups.xml:14(para)
"There are many ways to backup an Ubuntu installation. The most important "
"thing about backups is to develop a <emphasis>backup plan</emphasis> "
"consisting of what to backup, where to back it up to, and how to restore it."
#: serverguide/C/backups.xml:18(para)
"The following sections discuss various ways of accomplishing these tasks."
#: serverguide/C/backups.xml:22(title)
msgid "Shell Scripts"
#: serverguide/C/backups.xml:23(para)
"One of the simplest ways to backup a system is using a <emphasis>shell "
"script</emphasis>. For example, a script can be used to configure which "
"directories to backup, and use those directories as arguments to the "
"<application>tar</application> utility creating an archive file. The archive "
"file can then be moved or copied to another location. The archive can also "
"be created on a remote file system such as an <emphasis>NFS</emphasis> mount."
#: serverguide/C/backups.xml:29(para)
"The <application>tar</application> utility creates one archive file out of "
"many files or directories. <application>tar</application> can also filter "
"the files through compression utilities reducing the size of the archive "
#: serverguide/C/backups.xml:35(title)
msgid "Simple Shell Script"
#: serverguide/C/backups.xml:36(para)
"The following shell script uses <application>tar</application> to create an "
"archive file on a remotely mounted NFS file system. The archive filename is "
"determined using additional command line utilities."
#: serverguide/C/backups.xml:40(programlisting)
"####################################\n"
"# Backup to NFS mount script.\n"
"####################################\n"
"# What to backup. \n"
"backup_files=\"/home /var/spool/mail /etc /root /boot /opt\"\n"
"# Where to backup to.\n"
"dest=\"/mnt/backup\"\n"
"# Create archive filename.\n"
"day=$(date +%A)\n"
"hostname=$(hostname -s)\n"
"archive_file=\"$hostname-$day.tgz\"\n"
"# Print start status message.\n"
"echo \"Backing up $backup_files to $dest/$archive_file\"\n"
"# Backup the files using tar.\n"
"tar czf $dest/$archive_file $backup_files\n"
"# Print end status message.\n"
"echo \"Backup finished\"\n"
"# Long listing of files in $dest to check file sizes.\n"
#: serverguide/C/backups.xml:77(para)
"<emphasis>$backup_files:</emphasis> a variable listing which directories you "
"would like to backup. The list should be customized to fit your needs."
#: serverguide/C/backups.xml:83(para)
"<emphasis>$day:</emphasis> a variable holding the day of the week (Monday, "
"Tuesday, Wednesday, etc). This is used to create an archive file for each "
"day of the week, giving a backup history of seven days. There are other ways "
"to accomplish this including other ways using the "
"<application>date</application> utility."
#: serverguide/C/backups.xml:90(para)
"<emphasis>$hostname:</emphasis> variable containing the "
"<emphasis>short</emphasis> hostname of the system. Using the hostname in the "
"archive filename gives you the option of placing daily archive files from "
"multiple systems in the same directory."
#: serverguide/C/backups.xml:97(para)
msgid "<emphasis>$archive_file:</emphasis> the full archive filename."
#: serverguide/C/backups.xml:102(para)
"<emphasis>$dest:</emphasis> destination of the archive file. The directory "
"needs to be created and in this case <emphasis>mounted</emphasis> before "
"executing the backup script. See <xref linkend=\"network-file-system\"/> for "
"details using <emphasis>NFS</emphasis>."
#: serverguide/C/backups.xml:109(para)
"<emphasis>status messages:</emphasis> optional messages printed to the "
"console using the <application>echo</application> utility."
#: serverguide/C/backups.xml:115(para)
"<emphasis>tar czf $dest/$archive_file $backup_files:</emphasis> the "
"<application>tar</application> command used to create the archive file."
#: serverguide/C/backups.xml:121(para)
msgid "<emphasis>c:</emphasis> creates an archive."
#: serverguide/C/backups.xml:126(para)
"<emphasis>z:</emphasis> filter the archive through the "
"<application>gzip</application> utility compressing the archive."
#: serverguide/C/backups.xml:131(para)
"<emphasis>f:</emphasis> use archive file. Otherwise the "
"<application>tar</application> output will be sent to STDOUT."
#: serverguide/C/backups.xml:138(para)
"<emphasis>ls -lh $dest:</emphasis> optional statement prints a <emphasis>-"
"l</emphasis> long listing in <emphasis>-h</emphasis> human readable format "
"of the destination directory. This is useful for a quick file size check of "
"the archive file. This check should not replace testing the archive file."
#: serverguide/C/backups.xml:145(para)
"This is a simple example of a backup shell script. There are large amount of "
"options that can be included in a backup script. See <xref linkend=\"backup-"
"shellscript-references\"/> for links to resources providing more in depth "
"shell scripting information."
#: serverguide/C/backups.xml:152(title)
msgid "Executing the Script"
#: serverguide/C/backups.xml:154(title)
msgid "Executing from a Terminal"
#: serverguide/C/backups.xml:155(para)
"The simplest way of executing the above backup script is to copy and paste "
"the contents into a file. <filename>backup.sh</filename> for example. Then "
"from a terminal prompt:"
#: serverguide/C/backups.xml:160(command)
msgid "sudo bash backup.sh"
#: serverguide/C/backups.xml:162(para)
"This is a great way to test the script to make sure everything works as "
#: serverguide/C/backups.xml:167(title)
msgid "Executing with cron"
#: serverguide/C/backups.xml:168(para)
"The <application>cron</application> utility can be used to automate the "
"script execution. The <application>cron</application> daemon allows the "
"execution of scripts, or commands, at a specified time and date."
#: serverguide/C/backups.xml:172(para)
"<application>cron</application> is configured through entries in a "
"<filename>crontab</filename> file. <filename>crontab</filename> files are "
"separated into fields:"
#: serverguide/C/backups.xml:176(programlisting)
"# m h dom mon dow command\n"
#: serverguide/C/backups.xml:181(para)
"<emphasis>m:</emphasis> minute the command executes on between 0 and 59."
#: serverguide/C/backups.xml:186(para)
"<emphasis>h:</emphasis> hour the command executes on between 0 and 23."
#: serverguide/C/backups.xml:191(para)
msgid "<emphasis>dom:</emphasis> day of month the command executes on."
#: serverguide/C/backups.xml:196(para)
"<emphasis>mon:</emphasis> the month the command executes on between 1 and 12."
#: serverguide/C/backups.xml:201(para)
"<emphasis>dow:</emphasis> the day of the week the command executes on "
"between 0 and 7. Sunday may be specified by using 0 or 7, both values are "
#: serverguide/C/backups.xml:206(para)
msgid "<emphasis>command:</emphasis> the command to execute."
#: serverguide/C/backups.xml:211(para)
"To add or change entries in a <filename>crontab</filename> file the "
"<application>crontab -e</application> command should be used. Also, the "
"contents of a <filename>crontab</filename> file can be viewed using the "
"<application>crontab -l</application> command."
#: serverguide/C/backups.xml:215(para)
"To execute the <application>backup.sh</application> script listed above "
"using <application>cron</application>. Enter the following from a terminal "
#: serverguide/C/backups.xml:220(command)
msgid "sudo crontab -e"
#: serverguide/C/backups.xml:223(para)
"Using <application>sudo</application> with the <application>crontab -"
"e</application> command edits the <emphasis>root</emphasis> user's crontab. "
"This is necessary if you are backing up directories only the root user has "
#: serverguide/C/backups.xml:228(para)
msgid "Add the following entry to the <filename>crontab</filename> file:"
#: serverguide/C/backups.xml:231(programlisting)
"# m h dom mon dow command\n"
"0 0 * * * bash /usr/local/bin/backup.sh\n"
#: serverguide/C/backups.xml:235(para)
"The <application>backup.sh</application> script will now be executed every "
#: serverguide/C/backups.xml:239(para)
"The <application>backup.sh</application> script will need to be copied to "
"the <filename>/usr/local/bin/</filename> directory in order for this entry "
"to execute properly. The script can reside anywhere on the file system "
"simply change the script path appropriately."
#: serverguide/C/backups.xml:244(para)
"For more in depth <application>crontab</application> options see <xref "
"linkend=\"backup-shellscript-references\"/>."
#: serverguide/C/backups.xml:250(title)
msgid "Restoring from the Archive"
#: serverguide/C/backups.xml:251(para)
"Once an archive has been created it is important to test the archive. The "
"archive can be tested by listing the files it contains, but the best test is "
"to <emphasis>restore</emphasis> a file from the archive."
#: serverguide/C/backups.xml:257(para)
msgid "To see a listing of the archive contents. From a terminal prompt:"
#: serverguide/C/backups.xml:261(command)
msgid "tar -tzvf /mnt/backup/host-Monday.tgz"
#: serverguide/C/backups.xml:265(para)
msgid "To restore a file from the archive to a different directory enter:"
#: serverguide/C/backups.xml:269(command)
msgid "tar -xzvf /mnt/backup/host-Monday.tgz -C /tmp etc/hosts"
#: serverguide/C/backups.xml:271(para)
"The <emphasis>-C</emphasis> option to <application>tar</application> "
"redirects the extracted files to the specified directory. The above example "
"will extract the <filename>/etc/hosts</filename> file to "
"<filename>/tmp/etc/hosts</filename>. <application>tar</application> "
"recreates the directory structure that it contains."
#: serverguide/C/backups.xml:276(para)
"Also, notice the leading <emphasis>\"/\"</emphasis> is left off the path of "
"the file to restore."
#: serverguide/C/backups.xml:281(para)
msgid "To restore all files in the archive enter the following:"
#: serverguide/C/backups.xml:285(command)
#: serverguide/C/backups.xml:286(command)
msgid "sudo tar -xzvf /mnt/backup/host-Monday.tgz"
#: serverguide/C/backups.xml:291(para)
msgid "This will overwrite the files currently on the file system."
#: serverguide/C/backups.xml:300(para)
"For more information on shell scripting see the <ulink "
"url=\"http://tldp.org/LDP/abs/html/\">Advanced Bash-Scripting Guide</ulink>"
#: serverguide/C/backups.xml:305(para)
"The book <ulink url=\"http://safari.samspublishing.com/0672323583\">Teach "
"Yourself Shell Programming in 24 Hours</ulink> is available online and a "
"great resource for shell scripting."
#: serverguide/C/backups.xml:311(para)
"The <ulink url=\"https://help.ubuntu.com/community/CronHowto\">CronHowto "
"Wiki Page</ulink> contains details on advanced "
"<application>cron</application> options."
#: serverguide/C/backups.xml:318(para)
"See the <ulink url=\"http://www.gnu.org/software/tar/manual/index.html\">GNU "
"tar Manual</ulink> for more <application>tar</application> options."
#: serverguide/C/backups.xml:324(para)
"The Wikipedia <ulink "
"url=\"http://en.wikipedia.org/wiki/Backup_rotation_scheme\">Backup Rotation "
"Scheme</ulink> article contains information on other backup rotation schemes."
#: serverguide/C/backups.xml:330(para)
"The shell script uses <application>tar</application> to create the archive, "
"but there many other command line utilities that can be used. For example:"
#: serverguide/C/backups.xml:336(para)
"<ulink url=\"http://www.gnu.org/software/cpio/\">cpio</ulink>: used to copy "
"files to and from archives."
#: serverguide/C/backups.xml:341(para)
"<ulink url=\"http://www.gnu.org/software/coreutils/\">dd</ulink>: part of "
"the <application>coreutils</application> package. A low level utility that "
"can copy data from one format to another"
#: serverguide/C/backups.xml:347(para)
"<ulink url=\"http://www.rsnapshot.org/\">rsnapshot</ulink>: a file system "
"snap shot utility used to create copies of an entire file system."
#: serverguide/C/backups.xml:358(title)
msgid "Archive Rotation"
#: serverguide/C/backups.xml:359(para)
"The shell script in section <xref linkend=\"backup-shellscripts\"/> only "
"allows for seven different archives. For a server whose data doesn't change "
"often this may be enough. If the server has a large amount of data a more "
"robust rotation scheme should be used."
#: serverguide/C/backups.xml:365(title)
msgid "Rotating NFS Archives"
#: serverguide/C/backups.xml:366(para)
"In this section the shell script will be slightly modified to implement a "
"grandfather-father-son rotation scheme (monthly-weekly-daily):"
#: serverguide/C/backups.xml:372(para)
"The rotation will do a <emphasis>daily</emphasis> backup Sunday through "
#: serverguide/C/backups.xml:377(para)
"On Saturday a <emphasis>weekly</emphasis> backup is done giving you four "
"weekly backups a month."
#: serverguide/C/backups.xml:382(para)
"The <emphasis>monthly</emphasis> backup is done on the first of the month "
"rotating two monthly backups based on if the month is odd or even."
#: serverguide/C/backups.xml:388(para)
msgid "Here is the new script:"
#: serverguide/C/backups.xml:391(programlisting)
"####################################\n"
"# Backup to NFS mount script with\n"
"# grandfather-father-son rotation.\n"
"####################################\n"
"# What to backup. \n"
"backup_files=\"/home /var/spool/mail /etc /root /boot /opt\"\n"
"# Where to backup to.\n"
"dest=\"/mnt/backup\"\n"
"# Setup variables for the archive filename.\n"
"day=$(date +%A)\n"
"hostname=$(hostname -s)\n"
"# Find which week of the month 1-4 it is.\n"
"day_num=$(date +%d)\n"
"if (( $day_num <= 7 )); then\n"
" week_file=\"$hostname-week1.tgz\"\n"
"elif (( $day_num > 7 && $day_num <= 14 )); then\n"
" week_file=\"$hostname-week2.tgz\"\n"
"elif (( $day_num > 14 && $day_num <= 21 )); then\n"
" week_file=\"$hostname-week3.tgz\"\n"
"elif (( $day_num > 21 && $day_num < 32 )); then\n"
" week_file=\"$hostname-week4.tgz\"\n"
"# Find if the Month is odd or even.\n"
"month_num=$(date +%m)\n"
"month=$(expr $month_num % 2)\n"
"if [ $month -eq 0 ]; then\n"
" month_file=\"$hostname-month2.tgz\"\n"
" month_file=\"$hostname-month1.tgz\"\n"
"# Create archive filename.\n"
"if [ $day_num == 1 ]; then\n"
"\tarchive_file=$month_file\n"
"elif [ $day != \"Saturday\" ]; then\n"
" archive_file=\"$hostname-$day.tgz\"\n"
"\tarchive_file=$week_file\n"
"# Print start status message.\n"
"echo \"Backing up $backup_files to $dest/$archive_file\"\n"
"# Backup the files using tar.\n"
"tar czf $dest/$archive_file $backup_files\n"
"# Print end status message.\n"
"echo \"Backup finished\"\n"
"# Long listing of files in $dest to check file sizes.\n"
20114
#: serverguide/C/backups.xml:456(para)
20116
"The script can be executed using the same methods as in <xref "
20117
"linkend=\"backup-executing-shellscript\"/>."
20120
#: serverguide/C/backups.xml:459(para)
20122
"It is good practice to take backup media off site in case of a disaster. In "
20123
"the shell script example the backup media is another server providing an NFS "
20124
"share. In all likelihood taking the NFS server to another location would not "
20125
"be practical. Depending upon connection speeds it may be an option to copy "
20126
"the archive file over a WAN link to a server in another location."
20129
#: serverguide/C/backups.xml:465(para)
20131
"Another option is to copy the archive file to an external hard drive which "
20132
"can then be taken off site. Since the price of external hard drives continue "
20133
"to decrease it may be cost affective to use two drives for each archive "
20134
"level. This would allow you to have one external drive attached to the "
20135
"backup server and one in another location."
20138
#: serverguide/C/backups.xml:472(title)
20139
msgid "Tape Drives"
20142
#: serverguide/C/backups.xml:473(para)
20144
"A tape drive attached to the server can be used instead of a NFS share. "
20145
"Using a tape drive simplifies archive rotation, and taking the media off "
20149
#: serverguide/C/backups.xml:477(para)
20151
"When using a tape drive the filename portions of the script aren't needed "
20152
"because the date is sent directly to the tape device. Some commands to "
20153
"manipulate the tape are needed. This is accomplished using "
"<application>mt</application>, a magnetic tape control utility part of the "
"<application>cpio</application> package."
#: serverguide/C/backups.xml:482(para)
msgid "Here is the shell script modified to use a tape drive:"
#: serverguide/C/backups.xml:485(programlisting)
"####################################\n"
"# Backup to tape drive script.\n"
"####################################\n"
"# What to backup. \n"
"backup_files=\"/home /var/spool/mail /etc /root /boot /opt\"\n"
"# Where to backup to.\n"
"dest=\"/dev/st0\"\n"
"# Print start status message.\n"
"echo \"Backing up $backup_files to $dest\"\n"
"# Make sure the tape is rewound.\n"
"mt -f $dest rewind\n"
"# Backup the files using tar.\n"
"tar czf $dest $backup_files\n"
"# Rewind and eject the tape.\n"
"mt -f $dest rewoffl\n"
"# Print end status message.\n"
"echo \"Backup finished\"\n"
#: serverguide/C/backups.xml:519(para)
"The default device name for a SCSI tape drive is "
"<filename>/dev/st0</filename>. Use the appropriate device path for your "
#: serverguide/C/backups.xml:524(para)
"Restoring from a tape drive is basically the same as restoring from a file. "
"Simply rewind the tape and use the device path instead of a file path. For "
"example to restore the <filename>/etc/hosts</filename> file to "
"<filename>/tmp/etc/hosts</filename>:"
#: serverguide/C/backups.xml:529(command)
msgid "mt -f /dev/st0 rewind"
#: serverguide/C/backups.xml:530(command)
msgid "tar -xzf /dev/st0 -C /tmp etc/hosts"
#: serverguide/C/backups.xml:535(title)
#: serverguide/C/backups.xml:536(para)
"<application>Bacula</application> is a backup program enabling you to "
"backup, restore, and verify data across your network. There are Bacula "
"clients for Linux, Windows, and Mac OSX. Making it a cross platform network "
#: serverguide/C/backups.xml:542(para)
"<application>Bacula</application> is made up of several components and "
"services used to manage which files to backup and where to back them up to:"
#: serverguide/C/backups.xml:548(para)
"<application>Bacula Director:</application> a service that controls all "
"backup, restore, verify, and archive operations."
#: serverguide/C/backups.xml:553(para)
"<application>Bacula Console:</application> an application allowing "
"communication with the Director. There are three versions of the Console:"
#: serverguide/C/backups.xml:558(para)
msgid "Text based command line version."
#: serverguide/C/backups.xml:559(para)
msgid "Gnome based GTK+ Graphical User Interface (GUI) interface."
#: serverguide/C/backups.xml:560(para)
msgid "wxWidgets GUI interface."
#: serverguide/C/backups.xml:564(para)
"<application>Bacula File:</application> also known as the "
"<application>Bacula Client</application> program. This application is "
"installed on machines to be backed up, and is responsible for the data "
"requested by the Director."
#: serverguide/C/backups.xml:570(para)
"<application>Bacula Storage:</application> the programs that perform the "
"storage and recovery of data to the physical media."
#: serverguide/C/backups.xml:575(para)
"<application>Bacula Catalog:</application> is responsible for maintaining "
"the file indexes and volume databases for all files backed up, enabling "
"quick location and restoration of archived files. The Catalog supports three "
"different databases MySQL, PostgreSQL, and SQLite."
#: serverguide/C/backups.xml:581(para)
"<application>Bacula Monitor:</application> allows the monitoring of the "
"Director, File daemons, and Storage daemons. Currently the Monitor is only "
"available as a GTK+ GUI application."
#: serverguide/C/backups.xml:587(para)
"These services and applications can be run on multiple servers and clients, "
"or they can be installed on one machine if backing up a single disk or "
#: serverguide/C/backups.xml:594(para)
"There are multiple packages containing the different "
"<application>Bacula</application> components. To install Bacula, from a "
"terminal prompt enter:"
#: serverguide/C/backups.xml:599(command)
msgid "sudo apt-get install bacula"
#: serverguide/C/backups.xml:601(para)
"By default installing the <application>bacula</application> package will use "
"a <application>MySQL</application> database for the Catalog. If you want to "
"use SQLite or PostgreSQL, for the Catalog, install <application>bacula-"
"director-sqlite3</application> or <application>bacula-director-"
"pgsql</application> respectively."
#: serverguide/C/backups.xml:607(para)
"During the install process you will be asked to supply credentials for the "
"database <emphasis>administrator</emphasis> and the "
"<emphasis>bacula</emphasis> database <emphasis>owner</emphasis>. The "
"database administrator will need to have the appropriate rights to create a "
"database, see <xref linkend=\"mysql\"/> for more information."
#: serverguide/C/backups.xml:617(para)
"<application>Bacula</application> configuration files are formatted based on "
"<emphasis>resources</emphasis> comprising of <emphasis>directives</emphasis> "
"surrounded by <quote>{}</quote> braces. Each Bacula component has an "
"individual file in the <filename role=\"directory\">/etc/bacula</filename> "
#: serverguide/C/backups.xml:622(para)
"The various <application>Bacula</application> components must authorize "
"themselves to each other. This is accomplished using the "
"<emphasis>password</emphasis> directive. For example, the "
"<emphasis>Storage</emphasis> resource password in the "
"<filename>/etc/bacula/bacula-dir.conf</filename> file must match the "
"<emphasis>Director</emphasis> resource password in "
"<filename>/etc/bacula/bacula-sd.conf</filename>."
#: serverguide/C/backups.xml:628(para)
"By default the backup job named <emphasis>Client1</emphasis> is configured "
"to archive the <application>Bacula</application> Catalog. If you plan on "
"using the server to backup more than one client you should change the name "
"of this job to something more descriptive. To change the name edit "
"<filename>/etc/bacula/bacula-dir.conf</filename>:"
#: serverguide/C/backups.xml:633(programlisting)
"# Define the main nightly save backup job\n"
"# By default, this job will back up to disk in \n"
" Name = \"BackupServer\"\n"
" JobDefs = \"DefaultJob\"\n"
" Write Bootstrap = \"/var/lib/bacula/Client1.bsr\"\n"
#: serverguide/C/backups.xml:644(para)
"The example above changes the job name to <emphasis>BackupServer</emphasis> "
"matching the machine's host name. Replace <quote>BackupServer</quote> with "
"your appropriate hostname, or other descriptive name."
#: serverguide/C/backups.xml:649(para)
"The <emphasis>Console</emphasis> can be used to query the "
"<emphasis>Director</emphasis> about jobs, but to use the Console with a "
"<emphasis>non-root</emphasis> user, the user needs to be in the "
"<emphasis>bacula</emphasis> group. To add a user to the bacula group enter "
"the following from a terminal:"
#: serverguide/C/backups.xml:655(command)
msgid "sudo adduser $username bacula"
#: serverguide/C/backups.xml:658(para)
"Replace <emphasis>$username</emphasis> with the actual username. Also, if "
"you are adding the current user to the group you should log out and back in "
"for the new permissions to take effect."
#: serverguide/C/backups.xml:665(title)
msgid "Localhost Backup"
#: serverguide/C/backups.xml:666(para)
"This section describes how to backup specified directories on a single host "
"to a local tape drive."
#: serverguide/C/backups.xml:671(para)
"First, the <emphasis>Storage</emphasis> device needs to be configured. Edit "
"<filename>/etc/bacula/bacula-sd.conf</filename> add:"
#: serverguide/C/backups.xml:674(programlisting)
" Name = \"Tape Drive\"\n"
" Device Type = tape\n"
" Media Type = DDS-4\n"
" Archive Device = /dev/st0\n"
" Hardware end of medium = No;\n"
" AutomaticMount = yes; # when device opened, read it\n"
" AlwaysOpen = Yes;\n"
" RemovableMedia = yes;\n"
" RandomAccess = no;\n"
" Alert Command = \"sh -c 'tapeinfo -f %c | grep TapeAlert'\"\n"
#: serverguide/C/backups.xml:688(para)
"The example is for a <emphasis>DDS-4</emphasis> tape drive. Adjust the Media "
"Type and Archive Device to match your hardware."
#: serverguide/C/backups.xml:691(para)
msgid "You could also uncomment one of the other examples in the file."
#: serverguide/C/backups.xml:696(para)
"After editing <filename>/etc/bacula/bacula-sd.conf</filename> the "
"<application>Storage</application> daemon will need to be restarted:"
#: serverguide/C/backups.xml:701(command)
msgid "sudo /etc/init.d/bacula-sd restart"
#: serverguide/C/backups.xml:705(para)
"Now add a <emphasis>Storage</emphasis> resource in "
"<filename>/etc/bacula/bacula-dir.conf</filename> to use the new Device:"
#: serverguide/C/backups.xml:708(programlisting)
"# Definition of \"Tape Drive\" storage device\n"
" Name = TapeDrive\n"
" # Do not use \"localhost\" here \n"
" Address = backupserver # N.B. Use a fully qualified name "
" Password = \"Cv70F6pf1t6pBopT4vQOnigDrR0v3LT3Cgkiyj\"\n"
" Device = \"Tape Drive\"\n"
" Media Type = tape\n"
#: serverguide/C/backups.xml:720(para)
"The <emphasis>Address</emphasis> directive needs to be the Fully Qualified "
"Domain Name (FQDN) of the server. Change <emphasis>backupserver</emphasis> "
"to the actual host name."
#: serverguide/C/backups.xml:724(para)
"Also, make sure the <emphasis>Password</emphasis> directive matches the "
"password string in <filename>/etc/bacula/bacula-sd.conf</filename>."
#: serverguide/C/backups.xml:730(para)
"Create a new <emphasis>FileSet</emphasis>, which will determine what "
"directories to backup, by adding:"
#: serverguide/C/backups.xml:733(programlisting)
"# LocalhostBacup FileSet.\n"
" Name = \"LocalhostFiles\"\n"
" signature = MD5\n"
" compression=GZIP\n"
#: serverguide/C/backups.xml:747(para)
"This <emphasis>FileSet</emphasis> will backup the <filename "
"role=\"directory\">/etc</filename> and <filename "
"role=\"directory\">/home</filename> directories. The "
"<emphasis>Options</emphasis> resource directives configure the FileSet to "
"create a MD5 signature for each file backed up, and to compress the files "
#: serverguide/C/backups.xml:754(para)
msgid "Next, create a new <emphasis>Schedule</emphasis> for the backup job:"
#: serverguide/C/backups.xml:757(programlisting)
"# LocalhostBackup Schedule -- Daily.\n"
" Name = \"LocalhostDaily\"\n"
" Run = Full daily at 00:01\n"
#: serverguide/C/backups.xml:764(para)
"The job will run every day at 00:01 or 12:01 am. There are many other "
"scheduling options available."
#: serverguide/C/backups.xml:769(para)
msgid "Finally create the <emphasis>Job</emphasis>:"
#: serverguide/C/backups.xml:772(programlisting)
"# Localhost backup.\n"
" Name = \"LocalhostBackup\"\n"
" JobDefs = \"DefaultJob\"\n"
" FileSet = \"LocalhostFiles\"\n"
" Schedule = \"LocalhostDaily\"\n"
" Storage = TapeDrive\n"
" Write Bootstrap = \"/var/lib/bacula/LocalhostBackup.bsr\"\n"
#: serverguide/C/backups.xml:785(para)
"The job will do a <emphasis>Full</emphasis> backup every day to the tape "
#: serverguide/C/backups.xml:790(para)
"Each tape used will need to have a <emphasis>Label</emphasis>. If the "
"current tape does not have a label <application>Bacula</application> will "
"send an email letting you know. To label a tape using the "
"<application>Console</application> enter the following from a terminal:"
#: serverguide/C/backups.xml:796(command)
#: serverguide/C/backups.xml:800(para)
msgid "At the Bacula Console prompt enter:"
#: serverguide/C/backups.xml:804(command)
#: serverguide/C/backups.xml:808(para)
"You will then be prompted for the <emphasis>Storage</emphasis> resource:"
#: serverguide/C/backups.xml:818(userinput)
#: serverguide/C/backups.xml:812(computeroutput)
"Automatically selected Catalog: MyCatalog\n"
"Using Catalog \"MyCatalog\"\n"
"The defined Storage resources are:\n"
"Select Storage resource (1-2):<placeholder-1/>\n"
#: serverguide/C/backups.xml:823(para)
msgid "Enter the new <emphasis>Volume</emphasis> name:"
#: serverguide/C/backups.xml:828(userinput)
#: serverguide/C/backups.xml:827(computeroutput)
"Enter new Volume name: <placeholder-1/>\n"
#: serverguide/C/backups.xml:833(para)
msgid "Replace <emphasis>Sunday</emphasis> with the desired label."
#: serverguide/C/backups.xml:838(para)
msgid "Now, select the <emphasis>Pool</emphasis>:"
#: serverguide/C/backups.xml:843(userinput)
#: serverguide/C/backups.xml:842(computeroutput)
"Select the Pool (1-2): <placeholder-1/>\n"
"Connecting to Storage daemon TapeDrive at backupserver:9103 ...\n"
"Sending label command for Volume \"Sunday\" Slot 0 ...\n"
#: serverguide/C/backups.xml:850(para)
"Congratulations, you have now configured <emphasis>Bacula</emphasis> to "
"backup the localhost to an attached tape drive."
#: serverguide/C/backups.xml:858(para)
"For more <emphasis>Bacula</emphasis> configuration options refer to the "
"<ulink url=\"http://www.bacula.org/en/rel-manual/index.html\">Bacula User's "
#: serverguide/C/backups.xml:864(para)
"The <ulink url=\"http://www.bacula.org/\">Bacula Home Page</ulink> contains "
"the latest Bacula news and developments."
#. Put one translator per line, in the form of NAME <EMAIL>, YEAR1, YEAR2.
#: serverguide/C/backups.xml:0(None)
msgid "translator-credits"
"Launchpad Contributions:\n"
" Mantas Smelevičius https://launchpad.net/~mantas.smelevicius\n"
"Launchpad Contributions:\n"
" Andrius Dudavicius https://launchpad.net/~andrius-dudavicius\n"
" Launchpad Translations Administrators https://launchpad.net/~rosetta-"
" Mantas Smelevičius https://launchpad.net/~mantas.smelevicius\n"
" lidya https://launchpad.net/~lidy2al"