# Danish translation for ubuntu-docs
# Copyright (c) (c) 2006 Canonical Ltd, and Rosetta Contributors 2006
# This file is distributed under the same license as the ubuntu-docs package.
# FIRST AUTHOR <EMAIL@ADDRESS>, 2006.
"Project-Id-Version: ubuntu-docs\n"
"Report-Msgid-Bugs-To: FULL NAME <EMAIL@ADDRESS>\n"
"POT-Creation-Date: 2008-10-12 20:19+0100\n"
"PO-Revision-Date: 2008-10-25 04:09+0000\n"
"Last-Translator: Launchpad Translations Administrators "
"<rosetta@launchpad.net>\n"
"Language-Team: Danish <da@li.org>\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
"X-Launchpad-Export-Date: 2009-07-16 10:00+0000\n"
"X-Generator: Launchpad (build Unknown)\n"
#: serverguide/C/windows-networking.xml:13(title)
msgid "Windows Networking"
msgstr "Windows Networking"
#: serverguide/C/windows-networking.xml:25(title) serverguide/C/virtualization.xml:389(title) serverguide/C/security.xml:412(title) serverguide/C/remote-administration.xml:22(title) serverguide/C/package-management.xml:20(title) serverguide/C/jeos.xml:16(title) serverguide/C/introduction.xml:13(title)
#: serverguide/C/windows-networking.xml:27(para)
"Successfully networking your Ubuntu system with Windows clients involves "
"providing and integrating with services common to Windows environments. Such "
"services assist the sharing of data and information about the computers and "
"users involved in the network, and may be classified under three major "
"categories of functionality:"
"For at anvende Ubuntu systemer sammen med Windows klienter er det nødvendigt "
"at anvende tjenester som er kendte af Windows miljøet. Sådanne tjenester "
"hjælper til med at dele data og information om de computere og brugere der "
"er sluttet til netværket. Disse tjenester kan opdeles i tre store kategorier:"
#: serverguide/C/windows-networking.xml:35(para)
"<emphasis role=\"bold\">File and Printer Sharing Services</emphasis>. Using "
"the Server Message Block (SMB) protocol to facilitate the sharing of files, "
"folders, volumes, and the sharing of printers throughout the network."
"<emphasis role=\"bold\">Fil- og udskriftsdeling</emphasis>. Anvender "
"protokollen Server Message Block (SMB) til at dele filer, mapper, enheder og "
"printere i netværket."
#: serverguide/C/windows-networking.xml:41(para)
"<emphasis role=\"bold\">Directory Services</emphasis>. Sharing vital "
"information about the computers and users of the network with such "
"technologies as the Lightweight Directory Access Protocol (LDAP) and "
"Microsoft <trademark class=\"registered\">Active Directory</trademark>."
"<emphasis role=\"bold\">Katalogtjenester</emphasis>. Denne tjeneste deler "
"vigtige informationer om computere og brugere i netværket ved hjælp at "
"teknikker som Lightweight Directory Access Protocol (LDAP) og Microsoft "
"<trademark class=\"registered\">Active Directory</trademark>."
#: serverguide/C/windows-networking.xml:48(para)
"<emphasis role=\"bold\">Authentication and Access</emphasis>. Establishing "
"the identity of a computer or user of the network and determining the "
"information the computer or user is authorized to access using such "
"principles and technologies as file permissions, group policies, and the "
"Kerberos authentication service."
"<emphasis role=\"bold\">Godkendelse og Adgang</emphasis>. Konstaterer "
"identiteten af en computer eller en bruger i netværket og afgør hvilken "
"information som computeren eller brugeren har tilladelse til at få adgang "
"til, ved at anvende retningslinjer og teknikker som filrettigheder, "
"grupperetningslinjer, og godkendelsestjenesten Kerberos."
#: serverguide/C/network-auth.xml:1636(title)
#. Put one translator per line, in the form of NAME <EMAIL>, YEAR1, YEAR2.
#: serverguide/C/backups.xml:0(None)
msgid "translator-credits"
"Launchpad Contributions:\n"
" Per Jensen https://launchpad.net/~grontoft\n"
"Launchpad Contributions:\n"
" Launchpad Translations Administrators https://launchpad.net/~rosetta-"
" Per Jensen https://launchpad.net/~grontoft\n"
"Launchpad Contributions:\n"
" Launchpad Translations Administrators https://launchpad.net/~rosetta-"
" Per Jensen https://launchpad.net/~grontoft\n"
"Launchpad Contributions:\n"
" Launchpad Translations Administrators https://launchpad.net/~rosetta-"
" Per Jensen https://launchpad.net/~grontoft\n"
"Launchpad Contributions:\n"
" Launchpad Translations Administrators https://launchpad.net/~rosetta-"
" Per Jensen https://launchpad.net/~grontoft"
#: serverguide/C/serverguide-C.omf:6(creator) serverguide/C/serverguide-C.omf:7(maintainer)
msgid "ubuntu-doc@lists.ubuntu.com (Ubuntu Documentation Project)"
#: serverguide/C/serverguide-C.omf:8(title) serverguide/C/serverguide-C.omf:11(description) serverguide/C/serverguide.xml:14(title) serverguide/C/bookinfo.xml:13(title)
msgid "Ubuntu Server Guide"
#: serverguide/C/serverguide-C.omf:9(date)
#: serverguide/C/windows-networking.xml:15(para)
"Computer networks are often comprised of diverse systems, and while "
"operating a network made up entirely of Ubuntu desktop and server computers "
"would certainly be fun, some network environments must consist of both "
"Ubuntu and <trademark class=\"registered\">Microsoft</trademark><trademark "
"class=\"registered\">Windows</trademark> systems working together in "
"harmony. This section of the <phrase>Ubuntu</phrase> Server Guide introduces "
"principles and tools used in configuring your Ubuntu Server for sharing "
"network resources with Windows computers."
#: serverguide/C/windows-networking.xml:56(para)
"Fortunately, your Ubuntu system may provide all such facilities to Windows "
"clients and share network resources among them. One of the principal pieces "
"of software your Ubuntu system includes for Windows networking is the Samba "
"suite of SMB server applications and tools."
#: serverguide/C/windows-networking.xml:62(para)
"This section of the <phrase>Ubuntu</phrase> Server Guide will introduce some "
"of the common Samba use cases, and how to install and configure the "
"necessary packages. Additional detailed documentation and information on "
"Samba can be found on the <ulink url=\"http://www.samba.org\">Samba "
#: serverguide/C/windows-networking.xml:70(title)
msgid "Samba File Server"
#: serverguide/C/windows-networking.xml:72(para)
"One of the most common ways to network Ubuntu and Windows computers is to "
"configure Samba as a File Server. This section covers setting up a "
"<application>Samba</application> server to share files with Windows clients."
#: serverguide/C/windows-networking.xml:77(para)
"The server will be configured to share files with any client on the network "
"without prompting for a password. If your environment requires stricter "
"Access Controls see <xref linkend=\"samba-fileprint-security\"/>"
#: serverguide/C/windows-networking.xml:83(title) serverguide/C/windows-networking.xml:282(title) serverguide/C/windows-networking.xml:1268(title) serverguide/C/wikis.xml:29(title) serverguide/C/wikis.xml:158(title) serverguide/C/web-servers.xml:41(title) serverguide/C/web-servers.xml:514(title) serverguide/C/web-servers.xml:630(title) serverguide/C/web-servers.xml:751(title) serverguide/C/virtualization.xml:62(title) serverguide/C/vcs.xml:28(title) serverguide/C/vcs.xml:86(title) serverguide/C/vcs.xml:389(title) serverguide/C/remote-administration.xml:52(title) serverguide/C/remote-administration.xml:220(title) serverguide/C/network-config.xml:570(title) serverguide/C/network-auth.xml:52(title) serverguide/C/network-auth.xml:1209(title) serverguide/C/network-auth.xml:1715(title) serverguide/C/network-auth.xml:2106(title) serverguide/C/mail.xml:33(title) serverguide/C/mail.xml:419(title) serverguide/C/mail.xml:575(title) serverguide/C/mail.xml:703(title) serverguide/C/mail.xml:1184(title) serverguide/C/installation.xml:13(title) serverguide/C/file-server.xml:158(title) serverguide/C/file-server.xml:270(title) serverguide/C/dns.xml:23(title) serverguide/C/databases.xml:40(title) serverguide/C/databases.xml:143(title) serverguide/C/backups.xml:593(title)
#: serverguide/C/windows-networking.xml:85(para)
"The first step is to install the <application>samba</application> package. "
"From a terminal prompt enter:"
#: serverguide/C/windows-networking.xml:90(command) serverguide/C/windows-networking.xml:294(command)
msgid "sudo apt-get install samba"
#: serverguide/C/windows-networking.xml:93(para)
"That's all there is to it; you are now ready to configure Samba to share "
#: serverguide/C/windows-networking.xml:99(title) serverguide/C/windows-networking.xml:299(title) serverguide/C/wikis.xml:47(title) serverguide/C/wikis.xml:179(title) serverguide/C/web-servers.xml:61(title) serverguide/C/web-servers.xml:565(title) serverguide/C/web-servers.xml:641(title) serverguide/C/web-servers.xml:778(title) serverguide/C/web-servers.xml:854(title) serverguide/C/vcs.xml:39(title) serverguide/C/vcs.xml:409(title) serverguide/C/remote-administration.xml:74(title) serverguide/C/remote-administration.xml:247(title) serverguide/C/package-management.xml:365(title) serverguide/C/network-config.xml:592(title) serverguide/C/network-auth.xml:88(title) serverguide/C/network-auth.xml:1754(title) serverguide/C/network-auth.xml:2127(title) serverguide/C/mail.xml:428(title) serverguide/C/mail.xml:585(title) serverguide/C/mail.xml:789(title) serverguide/C/mail.xml:1209(title) serverguide/C/file-server.xml:171(title) serverguide/C/file-server.xml:296(title) serverguide/C/dns.xml:39(title) serverguide/C/databases.xml:82(title) serverguide/C/databases.xml:162(title) serverguide/C/backups.xml:616(title)
msgid "Configuration"
#: serverguide/C/windows-networking.xml:101(para)
"The main Samba configuration file is located in "
"<filename>/etc/samba/smb.conf</filename>. The default configuration file has "
"a significant amount of comments in order to document various configuration "
#: serverguide/C/windows-networking.xml:106(para)
"Not all the available options are included in the default configuration "
"file. See the <filename>smb.conf</filename><application>man</application> "
"page or the <ulink url=\"http://samba.org/samba/docs/man/Samba-HOWTO-"
"Collection/\">Samba HOWTO Collection</ulink> for more details."
#: serverguide/C/windows-networking.xml:116(para)
"First, edit the following key/value pairs in the "
"<emphasis>[global]</emphasis> section of "
"<filename>/etc/samba/smb.conf</filename>:"
#: serverguide/C/windows-networking.xml:121(programlisting) serverguide/C/windows-networking.xml:306(programlisting) serverguide/C/windows-networking.xml:761(programlisting) serverguide/C/windows-networking.xml:975(programlisting)
" workgroup = EXAMPLE\n"
#: serverguide/C/windows-networking.xml:127(para)
"The <emphasis>security</emphasis> parameter is farther down in the [global] "
"section, and is commented by default. Also, change "
"<emphasis>EXAMPLE</emphasis> to better match your environment."
#: serverguide/C/windows-networking.xml:135(para)
"Create a new section at the bottom of the file, or uncomment one of the "
"examples, for the directory to be shared:"
#: serverguide/C/windows-networking.xml:139(programlisting)
" comment = Ubuntu File Server Share\n"
" path = /srv/samba/share\n"
" create mask = 0755\n"
#: serverguide/C/windows-networking.xml:151(para)
"<emphasis>comment:</emphasis> a short description of the share. Adjust to "
#: serverguide/C/windows-networking.xml:156(para)
msgid "<emphasis>path:</emphasis> the path to the directory to share."
#: serverguide/C/windows-networking.xml:159(para)
"This example uses <filename>/srv/samba/sharename</filename> because, "
"according to the <emphasis>Filesystem Hierarchy Standard (FHS)</emphasis>, "
"<ulink url=\"http://www.pathname.com/fhs/pub/fhs-"
"2.3.html#SRVDATAFORSERVICESPROVIDEDBYSYSTEM\">/srv</ulink> is where site-"
"specific data should be served. Technically Samba shares can be placed "
"anywhere on the filesystem as long as the permissions are correct, but "
"adhering to standards is recommended."
#: serverguide/C/windows-networking.xml:168(para)
"<emphasis>browsable:</emphasis> enables Windows clients to browse the shared "
"directory using <application>Windows Explorer</application>."
#: serverguide/C/windows-networking.xml:174(para)
"<emphasis>guest ok:</emphasis> allows clients to connect to the share "
"without supplying a password."
#: serverguide/C/windows-networking.xml:179(para)
"<emphasis>read only:</emphasis> gives write access to the shared directory."
#: serverguide/C/windows-networking.xml:184(para)
"<emphasis>create mask:</emphasis> determines the permissions new files will "
#: serverguide/C/windows-networking.xml:193(para)
"Now that <application>Samba</application> is configured, the directory needs "
"to be created and the permissions changed. From a terminal enter:"
#: serverguide/C/windows-networking.xml:199(command)
msgid "sudo mkdir -p /srv/samba/share"
#: serverguide/C/windows-networking.xml:200(command)
msgid "sudo chown nobody.nogroup /srv/samba/share/"
#: serverguide/C/windows-networking.xml:204(para)
"The <emphasis>-p</emphasis> switch tells mkdir to create the entire "
"directory tree if it doesn't exist. Change the share name to fit your "
#: serverguide/C/windows-networking.xml:213(para)
"Finally, restart the <application>samba</application> services to enable the "
#: serverguide/C/windows-networking.xml:218(command) serverguide/C/windows-networking.xml:326(command) serverguide/C/windows-networking.xml:458(command) serverguide/C/windows-networking.xml:557(command) serverguide/C/windows-networking.xml:922(command) serverguide/C/windows-networking.xml:1032(command) serverguide/C/windows-networking.xml:1142(command) serverguide/C/network-auth.xml:1489(command)
msgid "sudo /etc/init.d/samba restart"
#: serverguide/C/windows-networking.xml:225(para)
"Once again, the above configuration gives all access to any client on the "
"local network. For a more secure configuration see <xref linkend=\"samba-"
"fileprint-security\"/>."
#: serverguide/C/windows-networking.xml:231(para)
"From a Windows client you should now be able to browse to the Ubuntu file "
"server and see the shared directory. To check that everything is working try "
"creating a directory from Windows."
#: serverguide/C/windows-networking.xml:236(para)
"To create additional shares simply create new <emphasis>[dir]</emphasis> "
"sections in <filename>/etc/samba/smb.conf</filename>, and restart "
"<emphasis>Samba</emphasis>. Just make sure that the directory you want to "
"share actually exists and the permissions are correct."
#: serverguide/C/windows-networking.xml:243(title) serverguide/C/windows-networking.xml:336(title) serverguide/C/windows-networking.xml:686(title) serverguide/C/windows-networking.xml:1051(title) serverguide/C/virtualization.xml:358(title) serverguide/C/virtualization.xml:1155(title) serverguide/C/remote-administration.xml:480(title) serverguide/C/network-auth.xml:1165(title) serverguide/C/network-auth.xml:1604(title) serverguide/C/network-auth.xml:2202(title) serverguide/C/jeos.xml:782(title) serverguide/C/installation.xml:804(title) serverguide/C/databases.xml:106(title) serverguide/C/databases.xml:252(title) serverguide/C/backups.xml:855(title)
#: serverguide/C/windows-networking.xml:247(para) serverguide/C/windows-networking.xml:340(para) serverguide/C/windows-networking.xml:690(para) serverguide/C/windows-networking.xml:1055(para)
"For in depth Samba configurations see the <ulink "
"url=\"http://samba.org/samba/docs/man/Samba-HOWTO-Collection/\">Samba HOWTO "
#: serverguide/C/windows-networking.xml:253(para) serverguide/C/windows-networking.xml:346(para) serverguide/C/windows-networking.xml:696(para) serverguide/C/windows-networking.xml:1061(para)
"The guide is also available in <ulink "
"url=\"http://www.amazon.com/exec/obidos/tg/detail/-/0131882228\">printed "
#: serverguide/C/windows-networking.xml:259(para) serverguide/C/windows-networking.xml:352(para)
"url=\"http://www.oreilly.com/catalog/9780596007690/\">Using Samba</ulink> is "
"another good reference."
#: serverguide/C/windows-networking.xml:269(title)
msgid "Samba Print Server"
#: serverguide/C/windows-networking.xml:271(para)
"Another common use of Samba is to configure it to share printers installed, "
"either locally or over the network, on an Ubuntu server. Similar to <xref "
"linkend=\"samba-fileserver\"/> this section will configure Samba to allow "
"any client on the local network to use the installed printers without "
"prompting for a username and password."
#: serverguide/C/windows-networking.xml:277(para)
"For a more secure configuration see <xref linkend=\"samba-fileprint-"
#: serverguide/C/windows-networking.xml:284(para)
"Before installing and configuring Samba it is best to already have a working "
"<application>CUPS</application> installation. See <xref linkend=\"cups\"/> "
#: serverguide/C/windows-networking.xml:289(para)
"To install the <application>samba</application> package, from a terminal "
#: serverguide/C/windows-networking.xml:300(para)
"After installing samba edit <filename>/etc/samba/smb.conf</filename>. Change "
"the <emphasis>workgroup</emphasis> attribute to what is appropriate for your "
"network, and change <emphasis>security</emphasis> to <emphasis "
"role=\"italic\">share</emphasis>:"
#: serverguide/C/windows-networking.xml:312(para)
"In the <emphasis>[printers]</emphasis> section change the <emphasis>guest "
"ok</emphasis> option to <emphasis role=\"italic\">yes</emphasis>:"
#: serverguide/C/windows-networking.xml:316(programlisting)
msgid "After editing <filename>smb.conf</filename> restart the Samaba:"
#: serverguide/C/windows-networking.xml:329(para)
"The default Samba configuration will automatically share any printers "
"installed. Simply install the printer locally on your Windows clients."
#: serverguide/C/windows-networking.xml:358(para)
"Also, see the <ulink url=\"http://www.cups.org/\">CUPS Website</ulink> for "
"more information on configuring CUPS."
#: serverguide/C/windows-networking.xml:367(title)
msgid "Securing a Samba File and Print Server"
#: serverguide/C/windows-networking.xml:370(title)
msgid "Samba Security Modes"
#: serverguide/C/windows-networking.xml:372(para)
"There are two security levels available to the Common Internet Filesystem "
"(CIFS) network protocol <emphasis>user-level</emphasis> and <emphasis>share-"
"level</emphasis>. Samba's <emphasis>security mode</emphasis> implementation "
"allows more flexibility, providing four ways of implementing user-level "
"security and one way to implement share-level:"
#: serverguide/C/windows-networking.xml:381(para)
"<emphasis>security = user:</emphasis> requires clients to supply a username "
"and password to connect to shares. Samba user accounts are separate from "
"system accounts, but the <application>libpam-smbpass</application> package "
"will sync system users and passwords with the Samba user database."
#: serverguide/C/windows-networking.xml:388(para)
"<emphasis>security = domain:</emphasis> this mode allows the Samba server to "
"appear to Windows clients as a Primary Domain Controller (PDC), Backup "
"Domain Controller (BDC), or a Domain Member Server (DMS). See <xref "
"linkend=\"samba-dc\"/> for further information."
#: serverguide/C/windows-networking.xml:395(para)
"<emphasis>security = ADS:</emphasis> allows the Samba server to join an "
"Active Directory domain as a native member. See <xref linkend=\"samba-ad-"
"integration\"/> for details."
#: serverguide/C/windows-networking.xml:401(para)
"<emphasis>security = server:</emphasis> this mode is left over from before "
"Samba could become a member server, and due to some security issues should "
"not be used. See the <ulink url=\"http://samba.org/samba/docs/man/Samba-"
"HOWTO-Collection/ServerType.html#id349531\">Server Security</ulink> section "
"of the Samba guide for more details."
#: serverguide/C/windows-networking.xml:409(para)
"<emphasis>security = share:</emphasis> allows clients to connect to shares "
"without supplying a username and password."
#: serverguide/C/windows-networking.xml:416(para)
"The security mode you choose will depend on your environment and what you "
"need the Samba server to accomplish."
#: serverguide/C/windows-networking.xml:422(title)
msgid "Security = User"
#: serverguide/C/windows-networking.xml:424(para)
"This section will reconfigure the Samba file and print server, from <xref "
"linkend=\"samba-fileserver\"/> and <xref linkend=\"samba-printserver\"/>, to "
"require authentication."
#: serverguide/C/windows-networking.xml:429(para)
"First, install the <application>libpam-smbpass</application> package which "
"will sync the system users to the Samba user database:"
#: serverguide/C/windows-networking.xml:435(command)
msgid "sudo apt-get install libpam-smbpass"
#: serverguide/C/windows-networking.xml:439(para)
"If you chose the <emphasis>Samba Server</emphasis> task during installation "
"<application>libpam-smbpass</application> is already installed."
#: serverguide/C/windows-networking.xml:445(para)
"Edit <filename>/etc/samba/smb.conf</filename>, and in the "
"<emphasis>[share]</emphasis> section change:"
#: serverguide/C/windows-networking.xml:449(programlisting)
#: serverguide/C/windows-networking.xml:453(para)
msgid "Finally, restart Samba for the new settings to take effect:"
#: serverguide/C/windows-networking.xml:461(para)
"Now when connecting to the shared directories or printers you should be "
"prompted for a username and password."
#: serverguide/C/windows-networking.xml:466(para)
"If you choose to map a network drive to the share you can check the "
"<quote>Reconnect at Logon</quote> check box, which will require you to only "
"enter the username and password once, at least until the password changes."
#: serverguide/C/windows-networking.xml:474(title)
msgid "Share Security"
#: serverguide/C/windows-networking.xml:476(para)
"There are several options available to increase the security for each "
"individual shared directory. Using the <emphasis>[share]</emphasis> example, "
"this section will cover some common options."
#: serverguide/C/windows-networking.xml:482(title)
#: serverguide/C/windows-networking.xml:484(para)
"Groups define a collection of computers or users which have a common level "
"of access to particular network resources and offer a level of granularity "
"in controlling access to such resources. For example, if a group <emphasis "
"role=\"italic\">qa</emphasis> is defined and contains the users <emphasis "
"role=\"italic\">freda</emphasis>, <emphasis "
"role=\"italic\">danika</emphasis>, and <emphasis "
"role=\"italic\">rob</emphasis> and a second group <emphasis "
"role=\"italic\">support</emphasis> is defined and consists of users "
"<emphasis role=\"italic\">danika</emphasis>, <emphasis "
"role=\"italic\">jeremy</emphasis>, and <emphasis "
"role=\"italic\">vincent</emphasis> then certain network resources configured "
"to allow access by the <emphasis role=\"italic\">qa</emphasis> group will "
"subsequently enable access by freda, danika, and rob, but not jeremy or "
"vincent. Since the user <emphasis role=\"italic\">danika</emphasis> belongs "
"to both the <emphasis role=\"italic\">qa</emphasis> and <emphasis "
"role=\"italic\">support</emphasis> groups, she will be able to access "
"resources configured for access by both groups, whereas all other users will "
"have only access to resources explicitly allowing the group they are part of."
#: serverguide/C/windows-networking.xml:498(para)
"By default Samba looks for the local system groups defined in "
"<filename>/etc/group</filename> to determine which users belong to which "
"groups. For more information on adding and removing users from groups see "
"<xref linkend=\"adding-deleting-users\"/>."
#: serverguide/C/windows-networking.xml:504(para)
"When defining groups in the Samba configuration file, "
"<filename>/etc/samba/smb.conf</filename>, the recognized syntax is to "
"preface the group name with an \"@\" symbol. For example, if you wished to "
"define a group named <emphasis role=\"italic\">sysadmin</emphasis> in a "
"certain section of the <filename>/etc/samba/smb.conf</filename>, you would "
"do so by entering the group name as <emphasis "
"role=\"bold\">@sysadmin</emphasis>."
#: serverguide/C/windows-networking.xml:513(title)
msgid "File Permissions"
#: serverguide/C/windows-networking.xml:515(para)
"File Permissions define the explicit rights a computer or user has to a "
"particular directory, file, or set of files. Such permissions may be defined "
"by editing the <filename>/etc/samba/smb.conf</filename> file and specifying "
"the explicit permissions of a defined file share."
#: serverguide/C/windows-networking.xml:521(para)
"For example, if you have defined a Samba share called "
"<emphasis>share</emphasis> and wish to give <emphasis role=\"italic\">read-"
"only</emphasis> permissions to the group of users known as <emphasis "
"role=\"italic\">qa</emphasis>, but wanted to allow writing to the share by "
"the group called <emphasis role=\"italic\">sysadmin</emphasis> and the user "
"named <emphasis role=\"italic\">vincent</emphasis>, then you could edit the "
"<filename>/etc/samba/smb.conf</filename> file, and add the following entries "
"under the <emphasis>[share]</emphasis> entry:"
#: serverguide/C/windows-networking.xml:530(programlisting)
" write list = @sysadmin, vincent\n"
#: serverguide/C/windows-networking.xml:535(para)
"Another possible Samba permission is to declare "
"<emphasis>administrative</emphasis> permissions to a particular shared "
"resource. Users having administrative permissions may read, write, or modify "
"any information contained in the resource the user has been given explicit "
"administrative permissions to."
#: serverguide/C/windows-networking.xml:541(para)
"For example, if you wanted to give the user <emphasis "
"role=\"italic\">melissa</emphasis> administrative permissions to the "
"<emphasis role=\"italic\">share</emphasis> example, you would edit the "
"<filename>/etc/samba/smb.conf</filename> file, and add the following line "
"under the <emphasis>[share]</emphasis> entry:"
#: serverguide/C/windows-networking.xml:548(programlisting)
" admin users = melissa\n"
#: serverguide/C/windows-networking.xml:552(para)
"After editing <filename>/etc/samba/smb.conf</filename>, restart Samba for "
"the changes to take effect:"
#: serverguide/C/windows-networking.xml:561(para)
"For the <emphasis>read list</emphasis> and <emphasis>write list</emphasis> "
"to work the Samba security mode must <emphasis>not</emphasis> be set to "
"<emphasis role=\"italic\">security = share</emphasis>"
#: serverguide/C/windows-networking.xml:567(para)
"Now that Samba has been configured to limit which groups have access to the "
"shared directory, the filesystem permissions need to be updated."
#: serverguide/C/windows-networking.xml:572(para)
"Traditional Linux file permissions do not map well to Windows NT Access "
"Control Lists (ACLs). Fortunately POSIX ACLs are available on Ubuntu servers "
"providing more fine grained control. For example, to enable ACLs on "
"<filename>/srv</filename> an EXT3 filesystem, edit "
"<filename>/etc/fstab</filename> adding the <emphasis>acl</emphasis> option:"
#: serverguide/C/windows-networking.xml:579(programlisting)
"UUID=66bcdd2e-8861-4fb0-b7e4-e61c569fe17d /srv ext3 noatime,relatime,acl "
#: serverguide/C/windows-networking.xml:583(para)
msgid "Then remount the partition:"
#: serverguide/C/windows-networking.xml:588(command)
msgid "sudo mount -v -o remount /srv"
#: serverguide/C/windows-networking.xml:592(para)
"The above example assumes <filename>/srv</filename> on a separate partition. "
"If <filename>/srv</filename>, or wherever you have configured your share "
"path, is part of the <filename>/</filename> partition a reboot may be "
#: serverguide/C/windows-networking.xml:599(para)
"To match the Samba configuration above the <emphasis>sysadmin</emphasis> "
"group will be given read, write, and execute permissions to "
"<filename>/srv/samba/share</filename>, the <emphasis>qa</emphasis> group "
"will be given read and execute permissions, and the files will be owned by "
"the username <emphasis>melissa</emphasis>. Enter the following in a terminal:"
#: serverguide/C/windows-networking.xml:607(command)
msgid "sudo chown -R melissa /srv/samba/share/"
#: serverguide/C/windows-networking.xml:608(command)
msgid "sudo chgrp -R sysadmin /srv/samba/share/"
#: serverguide/C/windows-networking.xml:609(command)
msgid "sudo setfacl -R -m g:qa:rx /srv/samba/share/"
#: serverguide/C/windows-networking.xml:613(para)
"The <application>setfacl</application> command above gives "
"<emphasis>execute</emphasis> permissions to all files in the "
"<filename>/srv/samba/share</filename> directory, which you may or may not "
#: serverguide/C/windows-networking.xml:619(para)
"Now from a Windows client you should notice the new file permissions are "
"implemented. See the <application>acl</application> and "
"<application>setfacl</application> man pages for more information on POSIX "
#: serverguide/C/windows-networking.xml:627(title)
msgid "Samba AppArmor Profile"
#: serverguide/C/windows-networking.xml:629(para)
"Ubuntu comes with the <application>AppArmor</application> security module, "
"which provides mandatory access controls. The default AppArmor profile for "
"Samba will need to be adapted to your configuration. For more details on "
"using AppArmor see <xref linkend=\"apparmor\"/>."
#: serverguide/C/windows-networking.xml:635(para)
"There are default AppArmor profiles for <filename>/usr/sbin/smbd</filename> "
"and <filename>/usr/sbin/nmbd</filename>, the Samba daemon binaries, as part "
"of the <application>apparmor-profiles</application> packages. To install the "
"package, from a terminal prompt enter:"
#: serverguide/C/windows-networking.xml:642(command) serverguide/C/security.xml:962(command)
msgid "sudo apt-get install apparmor-profiles"
#: serverguide/C/windows-networking.xml:646(para)
msgid "This package contains profiles for several other binaries."
#: serverguide/C/windows-networking.xml:651(para)
"By default the profiles for <application>smbd</application> and "
"<application>nmbd</application> are in <emphasis>complain</emphasis> mode "
"allowing Samba to work without modifying the profile, and only logging "
794
"errors. To place the <application>smbd</application> profile into "
795
"<emphasis>enforce</emphasis> mode, and have Samba work as expected, the "
796
"profile will need to be modified to reflect any directories that are shared."
799
#: serverguide/C/windows-networking.xml:658(para)
801
"Edit <filename>/etc/apparmor.d/usr.sbin.smbd</filename> adding information "
802
"for <emphasis>[share]</emphasis> from the file server example:"
805
#: serverguide/C/windows-networking.xml:663(programlisting)
809
" /srv/samba/share/ r,\n"
810
" /srv/samba/share/** rwkix,\n"
813
#: serverguide/C/windows-networking.xml:668(para)
815
"Now place the profile into <emphasis>enforce</emphasis> and reload it:"
818
#: serverguide/C/windows-networking.xml:673(command)
819
msgid "sudo aa-enforce /usr/sbin/smbd"
822
#: serverguide/C/windows-networking.xml:674(command)
823
msgid "cat /etc/apparmor.d/usr.sbin.smbd | sudo apparmor_parser -r"
#: serverguide/C/windows-networking.xml:677(para)
"You should now be able to read, write, and execute files in the shared "
"directory as normal, and the <application>smbd</application> binary will "
"have access to only the configured files and directories. Be sure to add "
"entries for each directory you configure Samba to share. Also, any errors "
"will be logged to <filename>/var/log/syslog</filename>."
#: serverguide/C/windows-networking.xml:702(para) serverguide/C/windows-networking.xml:1067(para)
"url=\"http://www.oreilly.com/catalog/9780596007690/\">Using Samba</ulink> is "
"also a good reference."
#: serverguide/C/windows-networking.xml:708(para)
"<ulink url=\"http://samba.org/samba/docs/man/Samba-HOWTO-Collection/securing-"
"samba.html\">Chapter 18</ulink> of the Samba HOWTO Collection is devoted to "
#: serverguide/C/windows-networking.xml:714(para)
"For more information on Samba and ACLs see the <ulink "
"url=\"http://samba.org/samba/docs/man/Samba-HOWTO-"
"Collection/AccessControls.html#id397568\">Samba ACLs page </ulink>."
#: serverguide/C/windows-networking.xml:725(title)
msgid "Samba as a Domain Controller"
#: serverguide/C/windows-networking.xml:727(para)
"Although it cannot act as an Active Directory Primary Domain Controller "
"(PDC), a Samba server can be configured to appear as a Windows NT4-style "
"domain controller. A major advantage of this configuration is the ability to "
"centralize user and machine credentials. Samba can also use multiple "
"backends to store the user information."
#: serverguide/C/windows-networking.xml:734(title)
msgid "Primary Domain Controller"
#: serverguide/C/windows-networking.xml:736(para)
"This section covers configuring Samba as a Primary Domain Controller (PDC) "
"using the default smbpasswd backend."
#: serverguide/C/windows-networking.xml:743(para)
"First, install Samba, and <application>libpam-smbpass</application> to sync "
"the user accounts, by entering the following in a terminal prompt:"
#: serverguide/C/windows-networking.xml:749(command) serverguide/C/windows-networking.xml:965(command)
msgid "sudo apt-get install samba libpam-smbpass"
#: serverguide/C/windows-networking.xml:755(para)
"Next, configure Samba by editing <filename>/etc/samba/smb.conf</filename>. "
"The <emphasis>security</emphasis> mode should be set to <emphasis "
"role=\"italic\">user</emphasis>, and the <emphasis>workgroup</emphasis> "
"should relate to your organization:"
#: serverguide/C/windows-networking.xml:770(para)
"In the commented <quote>Domains</quote> section add or uncomment the "
#: serverguide/C/windows-networking.xml:774(programlisting)
" domain logons = yes\n"
" logon path = \\\\%N\\%U\\profile\n"
" logon drive = H:\n"
" logon home = \\\\%N\\%U\n"
" logon script = logon.cmd\n"
" add machine script = sudo /usr/sbin/useradd -n -g machines -c Machine -d "
"/var/lib/samba -s /bin/false %u\n"
#: serverguide/C/windows-networking.xml:785(para)
"<emphasis>domain logons:</emphasis> provides the netlogon service causing "
"Samba to act as a domain controller."
#: serverguide/C/windows-networking.xml:790(para)
"<emphasis>logon path:</emphasis> places the user's Windows profile into "
"their home directory. It is also possible to configure a "
"<emphasis>[profiles]</emphasis> share placing all profiles under a single "
#: serverguide/C/windows-networking.xml:796(para)
"<emphasis>logon drive:</emphasis> specifies the home directory local path."
#: serverguide/C/windows-networking.xml:801(para)
"<emphasis>logon home:</emphasis> specifies the home directory location."
#: serverguide/C/windows-networking.xml:806(para)
"<emphasis>logon script:</emphasis> determines the script to be run locally "
"once a user has logged in. The script needs to be placed in the "
"<emphasis>[netlogon]</emphasis> share."
#: serverguide/C/windows-networking.xml:812(para)
"<emphasis>add machine script:</emphasis> a script that will automatically "
"create the <emphasis>Machine Trust Account</emphasis> needed for a "
"workstation to join the domain."
#: serverguide/C/windows-networking.xml:816(para)
"In this example the <emphasis>machines</emphasis> group will need to be "
"created using the <application>addgroup</application> utility; see <xref "
"linkend=\"adding-deleting-users\"/> for details."
#: serverguide/C/windows-networking.xml:824(para)
"If you wish to not use <emphasis>Roaming Profiles</emphasis> leave the "
"<emphasis>logon home</emphasis> and <emphasis>logon path</emphasis> options "
#: serverguide/C/windows-networking.xml:833(para)
"Uncomment the <emphasis>[homes]</emphasis> share to allow the <emphasis "
"role=\"italic\">logon home</emphasis> to be mapped:"
#: serverguide/C/windows-networking.xml:838(programlisting)
" comment = Home Directories\n"
" create mask = 0700\n"
" directory mask = 0700\n"
" valid users = %S\n"
#: serverguide/C/windows-networking.xml:851(para)
"When configured as a domain controller a <emphasis>[netlogon]</emphasis> "
"share needs to be configured. To enable the share, uncomment:"
#: serverguide/C/windows-networking.xml:856(programlisting)
" comment = Network Logon Service\n"
" path = /srv/samba/netlogon\n"
" read only = yes\n"
" share modes = no\n"
#: serverguide/C/windows-networking.xml:866(para)
"The original <emphasis>netlogon</emphasis> share path is "
"<filename>/home/samba/netlogon</filename>, but according to the Filesystem "
"Hierarchy Standard (FHS), <ulink url=\"http://www.pathname.com/fhs/pub/fhs-"
"2.3.html#SRVDATAFORSERVICESPROVIDEDBYSYSTEM\">/srv</ulink> is the correct "
"location for site-specific data provided by the system."
#: serverguide/C/windows-networking.xml:877(para)
"Now create the <filename role=\"directory\">netlogon</filename> directory, "
"and an empty (for now) <filename>logon.cmd</filename> script file:"
#: serverguide/C/windows-networking.xml:883(command)
msgid "sudo mkdir -p /srv/samba/netlogon"
#: serverguide/C/windows-networking.xml:884(command)
msgid "sudo touch /srv/samba/netlogon/logon.cmd"
#: serverguide/C/windows-networking.xml:887(para)
"You can enter any normal Windows logon script commands in "
"<filename>logon.cmd</filename> to customize the client's environment."
#: serverguide/C/windows-networking.xml:895(para)
"With <emphasis>root</emphasis> being disabled by default, in order to join a "
"workstation to the domain, a system group needs to be mapped to the Windows "
"<emphasis>Domain Admins</emphasis> group. Using the "
"<application>net</application> utility, from a terminal enter:"
#: serverguide/C/windows-networking.xml:902(command)
"sudo net groupmap add ntgroup=\"Domain Admins\" unixgroup=sysadmin rid=512 "
#: serverguide/C/windows-networking.xml:906(para)
"Change <emphasis role=\"italic\">sysadmin</emphasis> to whichever group you "
"prefer. Also, the user used to join the domain needs to be a member of the "
"<emphasis>sysadmin</emphasis> group, as well as a member of the system "
"<emphasis>admin</emphasis> group. The <emphasis>admin</emphasis> group "
"allows <application>sudo</application> use."
#: serverguide/C/windows-networking.xml:917(para)
msgid "Finally, restart Samba to enable the new domain controller:"
#: serverguide/C/windows-networking.xml:928(para)
"You should now be able to join Windows clients to the Domain in the same "
"manner as joining them to an NT4 domain running on a Windows server."
#: serverguide/C/windows-networking.xml:938(title)
msgid "Backup Domain Controller"
#: serverguide/C/windows-networking.xml:940(para)
"With a Primary Domain Controller (PDC) on the network it is best to have a "
"Backup Domain Controller (BDC) as well. This will allow clients to "
"authenticate in case the PDC becomes unavailable."
#: serverguide/C/windows-networking.xml:945(para)
"When configuring Samba as a BDC you need a way to sync account information "
"with the PDC. There are multiple ways of accomplishing this: "
"<application>scp</application>, <application>rsync</application>, or by "
"using <application>LDAP</application> as the <emphasis>passdb "
"backend</emphasis>."
#: serverguide/C/windows-networking.xml:951(para)
"Using LDAP is the most robust way to sync account information, because both "
"domain controllers can use the same information in real time. However, "
"setting up an LDAP server may be overly complicated for a small number of "
"user and computer accounts. See <xref linkend=\"samba-ldap\"/> for details."
#: serverguide/C/windows-networking.xml:960(para)
"First, install <application>samba</application> and <application>libpam-"
"smbpass</application>. From a terminal enter:"
#: serverguide/C/windows-networking.xml:971(para)
"Now, edit <filename>/etc/samba/smb.conf</filename> and uncomment the "
"following in the <emphasis>[global]</emphasis>:"
#: serverguide/C/windows-networking.xml:984(para)
msgid "In the commented <emphasis>Domains</emphasis> uncomment or add:"
#: serverguide/C/windows-networking.xml:988(programlisting)
" domain logons = yes\n"
" domain master = no\n"
#: serverguide/C/windows-networking.xml:996(para)
"Make sure a user has rights to read the files in "
"<filename>/var/lib/samba</filename>. For example, to allow users in the "
"<emphasis>admin</emphasis> group to <application>scp</application> the "
#: serverguide/C/windows-networking.xml:1002(command)
msgid "sudo chgrp -R admin /var/lib/samba"
#: serverguide/C/windows-networking.xml:1008(para)
"Next, sync the user accounts, using <application>scp</application> to copy "
"the <filename>/var/lib/samba</filename> directory from the PDC:"
#: serverguide/C/windows-networking.xml:1014(command)
msgid "sudo scp -r username@pdc:/var/lib/samba /var/lib"
#: serverguide/C/windows-networking.xml:1018(para)
"Replace <emphasis>username</emphasis> with a valid username and "
"<emphasis>pdc</emphasis> with the hostname or IP Address of your actual PDC."
#: serverguide/C/windows-networking.xml:1027(para)
msgid "Finally, restart <application>samba</application>:"
#: serverguide/C/windows-networking.xml:1038(para)
"You can test that your Backup Domain controller is working by stopping the "
"Samba daemon on the PDC, then trying to login to a Windows client joined to "
#: serverguide/C/windows-networking.xml:1043(para)
"Another thing to keep in mind is if you have configured the <emphasis>logon "
"home</emphasis> option as a directory on the PDC, and the PDC becomes "
"unavailable, access to the user's <emphasis>Home</emphasis> drive will also "
"be unavailable. For this reason it is best to configure the <emphasis>logon "
"home</emphasis> to reside on a separate file server from the PDC and BDC."
#: serverguide/C/windows-networking.xml:1073(para)
"<ulink url=\"http://samba.org/samba/docs/man/Samba-HOWTO-Collection/samba-"
"pdc.html\">Chapter 4</ulink> of the Samba HOWTO Collection explains setting "
"up a Primary Domain Controller."
#: serverguide/C/windows-networking.xml:1079(para)
"<ulink url=\"http://us3.samba.org/samba/docs/man/Samba-HOWTO-"
"Collection/samba-bdc.html\">Chapter 5</ulink> of the Samba HOWTO Collection "
"explains setting up a Backup Domain Controller."
#: serverguide/C/windows-networking.xml:1089(title)
msgid "Samba Active Directory Integration"
#: serverguide/C/windows-networking.xml:1092(title)
msgid "Accessing a Samba Share"
#: serverguide/C/windows-networking.xml:1094(para)
"Another use for Samba is to integrate into an existing Windows network. "
"Once part of an Active Directory domain, Samba can provide file and print "
"services to AD users."
#: serverguide/C/windows-networking.xml:1099(para)
"The simplest way to join an AD domain is to use <application>Likewise-"
"open</application>. For detailed instructions see <xref linkend=\"likewise-"
#: serverguide/C/windows-networking.xml:1104(para)
msgid "Once part of the domain, install the following packages:"
#: serverguide/C/windows-networking.xml:1109(command)
msgid "sudo apt-get install samba smbfs smbclient"
#: serverguide/C/windows-networking.xml:1112(para)
"Since the <application>likewise-open</application> and "
"<application>samba</application> packages use separate "
"<filename>secrets.tdb</filename> files, a symlink will need to be created in "
"<filename role=\"directory\">/var/lib/samba</filename>:"
#: serverguide/C/windows-networking.xml:1118(command)
msgid "sudo mv /var/lib/samba/secrets.tdb /var/lib/samba/secrets.tdb.orig"
#: serverguide/C/windows-networking.xml:1119(command)
msgid "sudo ln -s /etc/samba/secrets.tdb /var/lib/samba"
#: serverguide/C/windows-networking.xml:1122(para)
msgid "Next, edit <filename>/etc/samba/smb.conf</filename> changing:"
#: serverguide/C/windows-networking.xml:1126(programlisting)
" workgroup = EXAMPLE\n"
" realm = EXAMPLE.COM\n"
" idmap backend = lwopen\n"
" idmap uid = 50-9999999999\n"
" idmap gid = 50-9999999999\n"
#: serverguide/C/windows-networking.xml:1137(para)
"Restart <application>samba</application> for the new settings to take effect:"
#: serverguide/C/windows-networking.xml:1145(para)
"You should now be able to access any <application>Samba</application> shares "
"from a Windows client. However, be sure to give the appropriate AD users or "
"groups access to the share directory. See <xref linkend=\"samba-fileprint-"
"security\"/> for more details."
#: serverguide/C/windows-networking.xml:1153(title)
msgid "Accessing a Windows Share"
#: serverguide/C/windows-networking.xml:1155(para)
"Now that the Samba server is part of the Active Directory domain you can "
"access any Windows server shares:"
#: serverguide/C/windows-networking.xml:1162(para)
"To mount a Windows file share enter the following in a terminal prompt:"
#: serverguide/C/windows-networking.xml:1166(command)
msgid "mount.cifs //fs01.example.com/share mount_point"
#: serverguide/C/windows-networking.xml:1169(para)
"It is also possible to access shares on computers not part of an AD domain, "
"but a username and password will need to be provided."
#: serverguide/C/windows-networking.xml:1177(para)
"To mount the share during boot place an entry in "
"<filename>/etc/fstab</filename>, for example:"
#: serverguide/C/windows-networking.xml:1181(programlisting)
"//192.168.0.5/share /mnt/windows cifs auto,username=steve,password=secret,rw "
#: serverguide/C/windows-networking.xml:1188(para)
"Another way to copy files from a Windows server is to use the "
"<application>smbclient</application> utility. To list the files in a Windows "
#: serverguide/C/windows-networking.xml:1194(command)
msgid "smbclient //fs01.example.com/share -k -c \"ls\""
#: serverguide/C/windows-networking.xml:1200(para)
msgid "To copy a file from the share, enter:"
#: serverguide/C/windows-networking.xml:1205(command)
msgid "smbclient //fs01.example.com/share -k -c \"get file.txt\""
#: serverguide/C/windows-networking.xml:1208(para)
"This will copy the <filename>file.txt</filename> into the current directory."
#: serverguide/C/windows-networking.xml:1215(para)
msgid "And to copy a file to the share:"
#: serverguide/C/windows-networking.xml:1220(command)
msgid "smbclient //fs01.example.com/share -k -c \"put /etc/hosts hosts\""
#: serverguide/C/windows-networking.xml:1223(para)
"This will copy the <filename>/etc/hosts</filename> to "
"<filename>//fs01.example.com/share/hosts</filename>."
#: serverguide/C/windows-networking.xml:1230(para)
"The <emphasis>-c</emphasis> option used above allows you to execute the "
"<application>smbclient</application> command all at once. This is useful for "
"scripting and minor file operations. To enter the <emphasis>smb: \\"
"></emphasis> prompt, an FTP-like prompt where you can execute normal file "
"and directory commands, simply execute:"
#: serverguide/C/windows-networking.xml:1237(command)
msgid "smbclient //fs01.example.com/share -k"
#: serverguide/C/windows-networking.xml:1244(para)
"Replace all instances of <emphasis>fs01.example.com/share</emphasis>, "
"<emphasis>//192.168.0.5/share</emphasis>, "
"<emphasis>username=steve,password=secret</emphasis>, and "
"<emphasis>file.txt</emphasis> with your server's IP, hostname, share name, "
"file name, and an actual username and password with rights to the share."
"For more <application>smbclient</application> options see the man page: "
"<command>man smbclient</command>"
#: serverguide/C/windows-networking.xml:1259(title)
msgid "Likewise Open"
#: serverguide/C/windows-networking.xml:1261(para)
"<application>Likewise Open</application> simplifies the necessary "
"configuration needed to authenticate a Linux machine to an Active Directory "
"domain. Based on <application>winbind</application>, the "
"<application>likewise-open</application> package takes the pain out of "
"integrating Ubuntu authentication into an existing Windows network."
#: serverguide/C/windows-networking.xml:1270(para)
"There are two ways to use Likewise Open, <application>likewise-"
"open</application> the command line utility and <application>likewise-open-"
"gui</application>. This section focuses on the command line utility."
#: serverguide/C/windows-networking.xml:1275(para)
"To install the <application>likewise-open</application> package, open a "
"terminal prompt and enter:"
#: serverguide/C/windows-networking.xml:1280(command)
msgid "sudo apt-get install likewise-open"
#: serverguide/C/windows-networking.xml:1285(title)
msgid "Joining a Domain"
"The main executable file of the <application>likewise-open</application> "
"package is <filename>/usr/bin/domainjoin-cli</filename>, which is used to "
"join your computer to the domain. Before you join a domain you will need to "
"make sure you have:"
#: serverguide/C/windows-networking.xml:1295(para)
"Access to an Active Directory user with appropriate rights to join the "
#: serverguide/C/windows-networking.xml:1300(para)
"The <emphasis>Fully Qualified Domain Name</emphasis> (FQDN) of the domain "
"you want to join. If your AD domain does not match a valid domain such as "
"<emphasis role=\"italic\">example.com</emphasis>, it is likely that it has "
"the form of <emphasis>domainname.local</emphasis>."
#: serverguide/C/windows-networking.xml:1307(para)
"DNS for the domain set up properly. In a production AD environment this "
"should be the case. Proper Microsoft DNS is needed so that client "
"workstations can determine the Active Directory domain is available."
#: serverguide/C/windows-networking.xml:1311(para)
"If you don't have a Windows DNS server on your network, see <xref "
"linkend=\"likewise-open-ms-dns\"/> for details."
#: serverguide/C/windows-networking.xml:1318(para)
msgid "To join a domain, from a terminal prompt enter:"
#: serverguide/C/windows-networking.xml:1323(command)
msgid "sudo domainjoin-cli join example.com Administrator"
#: serverguide/C/windows-networking.xml:1327(para)
"Replace <emphasis>example.com</emphasis> with your domain name, and "
"<emphasis>Administrator</emphasis> with the appropriate user name."
#: serverguide/C/windows-networking.xml:1333(para)
"You will then be prompted for the user's password. If all goes well a "
"<emphasis>SUCCESS</emphasis> message should be printed to the console."
#: serverguide/C/windows-networking.xml:1338(para)
"After successfully joining an Ubuntu machine to an Active Directory domain "
"you can authenticate using any valid AD user. To login you will need to "
"enter the user name as 'domain\\username'. For example to ssh to a server "
"joined to the domain enter:"
#: serverguide/C/windows-networking.xml:1345(command)
msgid "ssh 'example\\steve'@hostname"
#: serverguide/C/windows-networking.xml:1349(para)
"If configuring a Desktop the user name will need to be prefixed with "
"<emphasis role=\"italic\">domain\\</emphasis> in the graphical logon as well."
#: serverguide/C/windows-networking.xml:1355(para)
"To make likewise-open use a default domain, you can add the following "
"statement to <filename>/etc/samba/lwiauthd.conf</filename>:"
#: serverguide/C/windows-networking.xml:1359(programlisting)
"winbind use default domain = yes\n"
#: serverguide/C/windows-networking.xml:1363(para)
msgid "Then restart the <application>likewise-open</application> daemons:"
#: serverguide/C/windows-networking.xml:1368(command)
msgid "sudo /etc/init.d/likewise-open restart"
#: serverguide/C/windows-networking.xml:1372(para)
"Once configured for a <emphasis>default domain</emphasis> the <emphasis "
"role=\"italic\">'domain\\'</emphasis> is no longer required; users can login "
"using only their username."
#: serverguide/C/windows-networking.xml:1378(para)
"The <application>domainjoin-cli</application> utility can also be used to "
"leave the domain. From a terminal:"
#: serverguide/C/windows-networking.xml:1383(command)
msgid "sudo domainjoin-cli leave"
#: serverguide/C/windows-networking.xml:1388(title)
msgid "Other Utilities"
#: serverguide/C/windows-networking.xml:1390(para)
"The <application>likewise-open</application> package comes with a few other "
"utilities that may be useful for gathering information about the Active "
"Directory environment. These utilities are used to join the machine to the "
"domain, and are the same as those available in the <application>samba-"
"common</application> and <application>winbind</application> packages:"
#: serverguide/C/windows-networking.xml:1399(para)
"<application>lwinet</application>: Returns information about the network and "
#: serverguide/C/windows-networking.xml:1404(para)
"<application>lwimsg</application>: Allows interaction with the "
"<application>likewise-winbindd</application> daemon."
#: serverguide/C/windows-networking.xml:1409(para)
"<application>lwiinfo</application>: Displays information about various parts "
#: serverguide/C/windows-networking.xml:1415(para)
msgid "Please refer to each utility's man page for specific details."
#: serverguide/C/windows-networking.xml:1421(title) serverguide/C/mail.xml:277(title) serverguide/C/mail.xml:1451(title) serverguide/C/dns.xml:328(title)
msgid "Troubleshooting"
#: serverguide/C/windows-networking.xml:1425(para)
"If the client has trouble joining the domain, double check that the "
"Microsoft DNS is listed first in <filename>/etc/resolv.conf</filename>. For "
#: serverguide/C/windows-networking.xml:1430(programlisting)
"nameserver 192.168.0.1\n"
#: serverguide/C/windows-networking.xml:1435(para)
"For more information when joining a domain, use the <emphasis>--loglevel "
"verbose</emphasis> or <emphasis>--advanced</emphasis> option of the "
"<application>domainjoin-cli</application> utility:"
#: serverguide/C/windows-networking.xml:1441(command)
msgid "sudo domainjoin-cli --loglevel verbose join example.com Administrator"
#: serverguide/C/windows-networking.xml:1445(para)
"If an Active Directory user has trouble logging in, check the "
"<filename>/var/log/auth.log</filename> for details."
#: serverguide/C/windows-networking.xml:1450(para)
"When joining an Ubuntu Desktop workstation to a domain, you may need to edit "
"<filename>/etc/nsswitch.conf</filename> if your AD domain uses the <emphasis "
"role=\"italic\">.local</emphasis> syntax. In order to join the domain, remove the "
"<emphasis>\"mdns4\"</emphasis> entry from the <emphasis>hosts</emphasis> "
"option. For example:"
#: serverguide/C/windows-networking.xml:1456(programlisting)
"hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4\n"
#: serverguide/C/windows-networking.xml:1460(para)
msgid "Change the above to:"
#: serverguide/C/windows-networking.xml:1464(programlisting)
"hosts: files dns [NOTFOUND=return]\n"
#: serverguide/C/windows-networking.xml:1468(para)
msgid "Then restart networking by entering:"
#: serverguide/C/windows-networking.xml:1473(command) serverguide/C/network-config.xml:237(command)
msgid "sudo /etc/init.d/networking restart"
#: serverguide/C/windows-networking.xml:1476(para)
msgid "You should now be able to join the Active Directory domain."
#: serverguide/C/windows-networking.xml:1484(title)
msgid "Microsoft DNS"
#: serverguide/C/windows-networking.xml:1486(para)
"The following are instructions for installing DNS on an Active Directory "
"domain controller running Windows Server 2003, but the instructions should "
"be similar for other versions:"
#: serverguide/C/windows-networking.xml:1493(para)
"<menuchoice><guimenuitem>Start</guimenuitem><guimenuitem>Administrative Tools"
"</guimenuitem><guimenuitem>Manage Your Server</guimenuitem></menuchoice>. "
"This will open the <application>Server Role Management</application> utility."
#: serverguide/C/windows-networking.xml:1501(para)
msgid "Click Add or remove a role"
#: serverguide/C/windows-networking.xml:1502(para) serverguide/C/windows-networking.xml:1504(para) serverguide/C/windows-networking.xml:1507(para)
#: serverguide/C/windows-networking.xml:1503(para)
msgid "Select \"DNS Server\""
#: serverguide/C/windows-networking.xml:1505(para)
#: serverguide/C/windows-networking.xml:1506(para)
msgid "Select \"Create a forward lookup zone\" if it is not selected."
#: serverguide/C/windows-networking.xml:1508(para)
"Make sure \"This server maintains the zone\" is selected and click Next."
#: serverguide/C/windows-networking.xml:1509(para)
msgid "Enter your domain name and click Next"
#: serverguide/C/windows-networking.xml:1510(para) serverguide/C/windows-networking.xml:1511(para)
msgid "Click Next to \"Allow only secure dynamic updates\""
#: serverguide/C/windows-networking.xml:1513(para)
"Enter the IP for DNS servers to forward queries to, or Select \"No, it "
"should not forward queries\" and click Next."
#: serverguide/C/windows-networking.xml:1517(para) serverguide/C/windows-networking.xml:1518(para)
msgid "Click Finish"
#: serverguide/C/windows-networking.xml:1520(para)
"DNS is now installed and can be further configured using the "
"<application>Microsoft Management Console</application> DNS snap-in."
#: serverguide/C/windows-networking.xml:1528(para)
#: serverguide/C/windows-networking.xml:1529(para)
msgid "Control Panel"
#: serverguide/C/windows-networking.xml:1530(para)
msgid "Network Connections"
#: serverguide/C/windows-networking.xml:1531(para)
msgid "Right Click \"Local Area Connection\""
#: serverguide/C/windows-networking.xml:1532(para)
msgid "Click Properties"
#: serverguide/C/windows-networking.xml:1533(para)
msgid "Double click \"Internet Protocol (TCP/IP)\""
#: serverguide/C/windows-networking.xml:1534(para)
msgid "Enter the Server's IP Address as the \"Preferred DNS server\""
#: serverguide/C/windows-networking.xml:1535(para)
#: serverguide/C/windows-networking.xml:1536(para)
msgid "Click Ok again to save the settings"
#: serverguide/C/windows-networking.xml:1525(para)
"Next, configure the Server to use itself for DNS queries: <placeholder-1/>"
#: serverguide/C/windows-networking.xml:1543(title) serverguide/C/web-servers.xml:490(title) serverguide/C/web-servers.xml:736(title) serverguide/C/vcs.xml:525(title) serverguide/C/security.xml:919(title) serverguide/C/security.xml:1248(title) serverguide/C/security.xml:1648(title) serverguide/C/remote-administration.xml:203(title) serverguide/C/package-management.xml:429(title) serverguide/C/network-config.xml:639(title) serverguide/C/mail.xml:385(title) serverguide/C/mail.xml:1089(title) serverguide/C/mail.xml:1499(title) serverguide/C/file-server.xml:247(title) serverguide/C/file-server.xml:408(title) serverguide/C/dns.xml:560(title) serverguide/C/backups.xml:297(title)
#: serverguide/C/windows-networking.xml:1545(para)
"Please refer to the <ulink "
"url=\"http://www.likewisesoftware.com/\">Likewise</ulink> home page for "
"further information."
#: serverguide/C/windows-networking.xml:1549(para)
"For more <application>domainjoin-cli</application> options see the man page: "
"<command>man domainjoin-cli</command>."
msgid "Wiki Applications"
#: serverguide/C/wikis.xml:14(para)
"A Wiki is a website that allows the visitors to easily add, remove and "
"modify available content. The ease of interaction and operation makes "
"Wiki an effective tool for mass collaborative authoring. The term Wiki "
"also refers to the collaborative software."
"In this section, we explain how to install and configure the Wiki "
"applications, <application>MoinMoin</application> and "
"<application>MediaWiki</application> on your Ubuntu system."
1758
#: serverguide/C/wikis.xml:25(title)
1762
#: serverguide/C/wikis.xml:26(para)
1764
"MoinMoin is a Wiki engine implemented in Python, based on the PikiPiki Wiki "
1765
"engine, and licensed under the GNU GPL."
1768
#: serverguide/C/wikis.xml:30(para)
1770
"To install <application>MoinMoin</application>, run the following command in "
1771
"the command prompt:"
1774
#: serverguide/C/wikis.xml:37(command)
1775
msgid "sudo apt-get install python-moinmoin"
1778
#: serverguide/C/wikis.xml:40(para)
1780
"You should also install <application>apache2</application> web server. For "
1781
"installing <application>apache2</application> web server, please refer to "
1782
"<xref linkend=\"http-installation\"/> sub-section in <xref "
"linkend=\"httpd\"/> section."
#: serverguide/C/wikis.xml:48(para)
"For configuring your first Wiki application, please run the following set of "
"commands. Let us assume that you are creating a Wiki named "
"<emphasis>mywiki</emphasis>:"
"cd /usr/share/moin\n"
"sudo mkdir mywiki\n"
"sudo cp -R data mywiki\n"
"sudo cp -R underlay mywiki\n"
"sudo cp server/moin.cgi mywiki\n"
"sudo chown -R www-data.www-data mywiki \n"
"sudo chmod -R ug+rwX mywiki\n"
"sudo chmod -R o-rwx mywiki\n"
#: serverguide/C/wikis.xml:63(para)
"Now you should configure <application>MoinMoin</application> to find your "
"new Wiki <emphasis>mywiki</emphasis>. To configure "
"<application>MoinMoin</application>, open "
"<filename>/etc/moin/mywiki.py</filename> file and change the following line:"
msgid "data_dir = '/org/moin/mywiki/data'"
#: serverguide/C/wikis.xml:72(para) serverguide/C/file-server.xml:69(para)
#: serverguide/C/wikis.xml:75(programlisting)
msgid "data_dir = '/usr/share/moin/mywiki/data'"
#: serverguide/C/wikis.xml:78(para)
"If the <filename>/etc/moin/mywiki.py</filename> file does not exists, you "
"should copy <filename>/etc/moin/moinmaster.py</filename> file to "
"<filename>/etc/moin/mywiki.py</filename> file and do the above mentioned "
#: serverguide/C/wikis.xml:87(para)
"If you have named your Wiki as <emphasis>my_wiki_name</emphasis> you should "
"insert a line <quote>(\"my_wiki_name\", r\".*\")</quote> in "
"<filename>/etc/moin/farmconfig.py</filename> file after the line "
"<quote>(\"mywiki\", r\".*\")</quote>."
#: serverguide/C/wikis.xml:95(para)
"Once you have configured <application>MoinMoin</application> to find your "
"first Wiki application <emphasis>mywiki</emphasis>, you should configure "
"<application>apache2</application> and make it ready for your Wiki "
#: serverguide/C/wikis.xml:102(para)
"You should add the following lines in <filename>/etc/apache2/sites-"
"available/default</filename> file inside the <quote><VirtualHost "
"*></quote> tag:"
" ScriptAlias /mywiki \"/usr/share/moin/mywiki/moin.cgi\"\n"
" alias /wiki \"/usr/share/moin/htdocs\"\n"
" <Directory /usr/share/moin/htdocs>\n"
" Order allow,deny\n"
" </Directory>\n"
#: serverguide/C/wikis.xml:118(para)
"Once you configure the <application>apache2</application> web server and "
"make it ready for your Wiki application, you should restart it. You can run "
"the following command to restart the <application>apache2</application> web "
#: serverguide/C/wikis.xml:126(command) serverguide/C/web-servers.xml:472(command) serverguide/C/mail.xml:813(command)
msgid "sudo /etc/init.d/apache2 restart"
#: serverguide/C/wikis.xml:130(title)
msgid "Verification"
#: serverguide/C/wikis.xml:131(para)
"You can verify the Wiki application and see if it works by pointing your web "
"browser to the following URL:"
#: serverguide/C/wikis.xml:134(programlisting)
"http://localhost/mywiki\n"
#: serverguide/C/wikis.xml:138(para)
"You can also run the test command by pointing your web browser to the "
#: serverguide/C/wikis.xml:142(programlisting)
"http://localhost/mywiki?action=test\n"
"For more details, please refer to the <ulink "
"url=\"http://moinmoin.wikiwikiweb.de/\">MoinMoin</ulink> web site."
#: serverguide/C/wikis.xml:152(title)
#: serverguide/C/wikis.xml:153(para)
"MediaWiki is an web based Wiki software written in the PHP language. It can "
"either use <application>MySQL</application> or "
"<application>PostgreSQL</application> Database Management System."
#: serverguide/C/wikis.xml:159(para)
"Before installing <application>MediaWiki</application> you should also "
"install <application>Apache2</application>, the "
"<application>PHP5</application> scripting language and Database a Management "
"System. <application>MySQL</application> or "
"<application>PostgreSQL</application> are the most common, choose one "
"depending on your need. Please refer to those sections in this manual for "
"installation instructions."
#: serverguide/C/wikis.xml:166(para)
"To install <application>MediaWiki</application>, run the following command "
"in the command prompt:"
#: serverguide/C/wikis.xml:172(command)
msgid "sudo apt-get install mediawiki php5-gd"
#: serverguide/C/wikis.xml:180(para)
msgid "Run the following commands to configure MediaWiki:"
#: serverguide/C/wikis.xml:185(command)
msgid "sudo ln -s /var/lib/mediawiki /var/www/mediawiki"
#: serverguide/C/wikis.xml:188(para)
msgid "Point your web browser to the following URL for MediaWiki setup:"
#: serverguide/C/wikis.xml:192(programlisting)
"http://localhost/mediawiki/config/index.php\n"
#: serverguide/C/wikis.xml:196(para)
"Please read the <quote>Checking environment...</quote> section in this page. "
"You should be able to fix many issues by carefully reading this section."
#: serverguide/C/wikis.xml:202(para)
"For more details, please refer to the <ulink "
"url=\"http://www.mediawiki.org\">MediaWiki</ulink> web site."
#: serverguide/C/web-servers.xml:13(title)
#: serverguide/C/web-servers.xml:14(para)
"A Web server is a software responsible for accepting HTTP requests from "
"clients, which are known as Web browsers, and serving them HTTP responses "
"along with optional data contents, which usually are Web pages such as HTML "
"documents and linked objects (images, etc.)."
#: serverguide/C/web-servers.xml:19(title)
msgid "HTTPD - Apache2 Web Server"
#: serverguide/C/web-servers.xml:20(para)
"Apache is the most commonly used Web Server on Linux systems. Web Servers "
"are used to serve Web Pages requested by client computers. Clients typically "
"request and view Web Pages using Web Browser applications such as "
"<application>Firefox</application>, <application>Opera</application>, or "
"<application>Mozilla</application>."
#: serverguide/C/web-servers.xml:24(para)
"Users enter a Uniform Resource Locator (URL) to point to a Web server by "
"means of its Fully Qualified Domain Name (FQDN) and a path to the required "
"resource. For example, to view the home page of the <ulink "
"url=\"http://www.ubuntu.com\">Ubuntu Web site</ulink> a user will enter only "
"the FQDN. To request specific information about <ulink "
"url=\"http://www.ubuntu.com/support/paid\">paid support</ulink>, a user will "
"enter the FQDN followed by a path."
#: serverguide/C/web-servers.xml:29(para)
"The most common protocol used to transfer Web pages is the Hyper Text "
"Transfer Protocol (HTTP). Protocols such as Hyper Text Transfer Protocol "
"over Secure Sockets Layer (HTTPS), and File Transfer Protocol (FTP), a "
"protocol for uploading and downloading files, are also supported."
#: serverguide/C/web-servers.xml:33(para)
"Apache Web Servers are often used in combination with the "
"<application>MySQL</application> database engine, the HyperText Preprocessor "
"(<application>PHP</application>) scripting language, and other popular "
"scripting languages such as <application>Python</application> and "
"<application>Perl</application>. This configuration is termed LAMP (Linux, "
"Apache, MySQL and Perl/Python/PHP) and forms a powerful and robust platform "
"for the development and deployment of Web-based applications."
#: serverguide/C/web-servers.xml:42(para)
"The Apache2 web server is available in Ubuntu Linux. To install Apache2:"
#: serverguide/C/web-servers.xml:48(para)
msgid "At a terminal prompt enter the following command:"
#: serverguide/C/web-servers.xml:53(command)
msgid "sudo apt-get install apache2"
#: serverguide/C/web-servers.xml:63(para)
"Apache is configured by placing <emphasis>directives</emphasis> in plain "
"text configuration files. The main configuration file is called "
"<filename>apache2.conf</filename>. In addition, other configuration files "
"may be added using the <emphasis>Include</emphasis> directive, and wildcards "
"can be used to include many configuration files. Any directive may be placed "
"in any of these configuration files. Changes to the main configuration files "
"are only recognized by Apache2 when it is started or restarted."
#: serverguide/C/web-servers.xml:74(para)
"The server also reads a file containing mime document types; the filename is "
"set by the <emphasis>TypesConfig</emphasis> directive, and is "
"<filename>mime.types</filename> by default."
#: serverguide/C/web-servers.xml:78(para)
"The default Apache2 configuration file is "
"<filename>/etc/apache2/apache2.conf</filename> . You can edit this file to "
"configure the Apache2 server. You can configure the port number, document "
"root, modules, log files, virtual hosts, etc."
#: serverguide/C/web-servers.xml:84(title)
msgid "Basic Settings"
#: serverguide/C/web-servers.xml:85(para)
"This section explains Apache2 server essential configuration parameters. "
"Refer to the <ulink url=\"http://httpd.apache.org/docs/2.2/\">Apache2 "
"Documentation</ulink> for more details."
#: serverguide/C/web-servers.xml:93(para)
"Apache2 ships with a virtual-host-friendly default configuration. That is, "
"it is configured with a single default virtual host (using the "
"<emphasis>VirtualHost</emphasis> directive) which can modified or used as-is "
"if you have a single site, or used as a template for additional virtual "
"hosts if you have multiple sites. If left alone, the default virtual host "
"will serve as your default site, or the site users will see if the URL they "
"enter does not match the <emphasis>ServerName</emphasis> directive of any of "
"your custom sites. To modify the default virtual host, edit the file "
"<filename>/etc/apache2/sites-available/default</filename>. If you wish to "
"configure a new virtual host or site, copy that file into the same directory "
"with a name you choose. For example, <command>sudo cp /etc/apache2/sites-"
"available/default /etc/apache2/sites-available/mynewsite</command> Edit the "
"new file to configure the new site using some of the directives described "
#: serverguide/C/web-servers.xml:110(para)
"The <emphasis>ServerAdmin</emphasis> directive specifies the email address "
"to be advertised for the server's administrator. The default value is "
"webmaster@localhost. This should be changed to an email address that is "
"delivered to you (if you are the server's administrator). If your website "
"has a problem, Apache2 will display an error message containing this email "
"address to report the problem to. Find this directive in your site's "
"configuration file in /etc/apache2/sites-available."
#: serverguide/C/web-servers.xml:120(para)
"The <emphasis>Listen</emphasis> directive specifies the port, and optionally "
"the IP address, Apache2 should listen on. If the IP address is not "
"specified, Apache2 will listen on all IP addresses assigned to the machine "
"it runs on. The default value for the Listen directive is 80. Change this to "
"127.0.0.1:80 to cause Apache2 to listen only on your loopback interface so "
"that it will not be available to the Internet, to (for example) 81 to change "
"the port that it listens on, or leave it as is for normal operation. This "
"directive can be found and changed in its own file, "
"<filename>/etc/apache2/ports.conf</filename>"
#: serverguide/C/web-servers.xml:143(para)
"You may also want your site to respond to www.ubunturocks.com, since many "
"users will assume the www prefix is appropriate. Use the "
"<emphasis>ServerAlias</emphasis> directive for this. You may also use "
"wildcards in the ServerAlias directive. For example, <command>ServerAlias "
"*.ubunturocks.com</command> will cause your site to respond to any domain "
"request ending in .ubunturocks.com."
#: serverguide/C/web-servers.xml:132(para)
"The <emphasis>ServerName</emphasis> directive is optional and specifies what "
"FQDN your site should answer to. The default virtual host has no ServerName "
"directive specified, so it will respond to all requests that do not match a "
"ServerName directive in another virtual host. If you have just acquired the "
"domain name ubunturocks.com and wish to host it on your Ubuntu server, the "
"value of the ServerName directive in your virtual host configuration file "
"should be ubunturocks.com. Add this directive to the new virtual host file "
"you created earlier (<filename>/etc/apache2/sites-"
"available/mynewsite</filename>). <placeholder-1/>"
#: serverguide/C/web-servers.xml:153(para)
"The <emphasis>DocumentRoot</emphasis> directive specifies where Apache "
"should look for the files that make up the site. The default value is "
"/var/www. No site is configured there, but if you uncomment the "
"<emphasis>RedirectMatch</emphasis> directive in "
"<filename>/etc/apache2/apache2.conf</filename> requests will be redirected "
"to /var/www/apache2-default where the default Apache2 site awaits. Change "
"this value in your site's virtual host file, and remember to create that "
"directory if necessary!"
#: serverguide/C/web-servers.xml:164(para)
"The /etc/apache2/sites-available directory is <emphasis role=\"bold\"> "
"not</emphasis> parsed by Apache2. Symbolic links in /etc/apache2/sites-"
"enabled point to \"available\" sites. Use the a2ensite (Apache2 Enable Site) "
"utility to create those symbolic links, like so: <command>sudo a2ensite "
"mynewsite</command> where your site's configuration file is <filename> "
"/etc/apache2/sites-available/mynewsite</filename>. Similarly, the a2dissite "
"utility should be used to disable sites."
#: serverguide/C/web-servers.xml:177(title)
msgid "Default Settings"
#: serverguide/C/web-servers.xml:178(para)
"This section explains configuration of the Apache2 server default settings. "
"For example, if you add a virtual host, the settings you configure for the "
"virtual host take precedence for that virtual host. For a directive not "
"defined within the virtual host settings, the default value is used."
#: serverguide/C/web-servers.xml:189(para)
"The <emphasis>DirectoryIndex</emphasis> is the default page served by the "
"server when a user requests an index of a directory by specifying a forward "
"slash (/) at the end of the directory name."
#: serverguide/C/web-servers.xml:195(para)
"For example, when a user requests the page "
"http://www.example.com/this_directory/, he or she will get either the "
"DirectoryIndex page if it exists, a server-generated directory list if it "
"does not and the Indexes option is specified, or a Permission Denied page if "
"neither is true. The server will try to find one of the files listed in the "
"DirectoryIndex directive and will return the first one it finds. If it does "
"not find any of these files and if Options Indexes is set for that "
"directory, the server will generate and return a list, in HTML format, of "
"the subdirectories and files in the directory. The default value, found in "
"<filename>/etc/apache2/apache2.conf</filename> is \" index.html index.cgi "
"index.pl index.php index.xhtml\". Thus, if Apache2 finds a file in a "
"requested directory matching any of these names, the first will be displayed."
#: serverguide/C/web-servers.xml:215(para)
"The <emphasis>ErrorDocument</emphasis> directive allows you to specify a "
"file for Apache to use for specific error events. For example, if a user "
"requests a resource that does not exist, a 404 error will occur, and per "
"Apache2's default configuration, the file "
"<filename>/usr/share/apache2/error/HTTP_NOT_FOUND.html.var </filename> will "
"be displayed. That file is not in the server's DocumentRoot, but there is an "
"Alias directive in <filename>/etc/apache2/apache2.conf</filename> that "
"redirects requests to the /error directory to /usr/share/apache2/error/. To "
"see a list of the default ErrorDocument directives, use this command: "
"<command>grep ErrorDocument /etc/apache2/apache2.conf</command>"
#: serverguide/C/web-servers.xml:233(para)
"By default, the server writes the transfer log to the file "
"/var/log/apache2/access.log. You can change this on a per-site basis in your "
"virtual host configuration files with the <emphasis>CustomLog</emphasis> "
"directive, or omit it to accept the default, specified in <filename> "
"/etc/apache2/apache2.conf</filename>. You may also specify the file to which "
"errors are logged, via the <emphasis>ErrorLog</emphasis> directive, whose "
"default is <filename>/var/log/apache2/error.log</filename>. These are kept "
"separate from the transfer logs to aid in troubleshooting problems with your "
"Apache2 server. You may also specify the <emphasis>LogLevel</emphasis> (the "
"default value is \"warn\") and the <emphasis>LogFormat</emphasis> (see "
"<filename> /etc/apache2/apache2.conf</filename> for the default value)."
"Some options are specified on a per-directory basis rather than per-server. "
"Option is one of these directives. A Directory stanza is enclosed in XML-"
"like tags, like so:"
msgid "<Directory /var/www/mynewsite> ... </Directory>"
#: serverguide/C/web-servers.xml:259(para)
"The Options directive within a Directory stanza accepts one or more of the "
"following values (among others), separated by spaces:"
#: serverguide/C/web-servers.xml:268(para)
"Most files should not be executed as CGI scripts. This would be very "
"dangerous. CGI scripts should kept in a directory separate from and outside "
"your DocumentRoot, and only this directory should have the ExecCGI option "
"set. This is the default, and the default location for CGI scripts is "
#: serverguide/C/web-servers.xml:265(para)
"<emphasis role=\"bold\">ExecCGI</emphasis> - Allow execution of CGI scripts. "
"CGI scripts are not executed if this option is not chosen. <placeholder-1/>"
#: serverguide/C/web-servers.xml:277(para)
"<emphasis role=\"bold\">Includes</emphasis> - Allow server-side includes. "
"Server-side includes allow an HTML file to <emphasis> include</emphasis> "
"other files. This is not a common option. See <ulink "
"url=\"http://httpd.apache.org/docs/2.2/howto/ssi.html\">the Apache2 SSI "
"HOWTO</ulink> for more information."
#: serverguide/C/web-servers.xml:284(para)
"<emphasis role=\"bold\">IncludesNOEXEC</emphasis> - Allow server-side "
"includes, but disable the #exec and #include commands in CGI scripts."
#: serverguide/C/web-servers.xml:295(para)
"For security reasons, this should usually not be set, and certainly should "
"not be set on your DocumentRoot directory. Enable this option carefully on a "
"per-directory basis only if you are certain you want users to see the entire "
"contents of the directory."
#: serverguide/C/web-servers.xml:290(para)
"<emphasis role=\"bold\">Indexes</emphasis> - Display a formatted list of the "
"directory's contents, if no <emphasis>DirectoryIndex</emphasis> (such as "
"index.html) exists in the requested directory. <placeholder-1/>"
#: serverguide/C/web-servers.xml:302(para)
"<emphasis role=\"bold\">Multiview</emphasis> - Support content-negotiated "
"multiviews; this option is disabled by default for security reasons. See the "
"url=\"http://httpd.apache.org/docs/2.2/mod/mod_negotiation.html#multiviews\">"
"Apache2 documentation on this option</ulink>."
#: serverguide/C/web-servers.xml:310(para)
"<emphasis role=\"bold\">SymLinksIfOwnerMatch</emphasis> - Only follow "
"symbolic links if the target file or directory has the same owner as the "
#: serverguide/C/web-servers.xml:323(title)
msgid "Virtual Hosts Settings"
#: serverguide/C/web-servers.xml:324(para)
"Virtual hosts allow you to run different servers for different IP addresses, "
"different host names, or different ports on the same machine. For example, "
"you can run the website for http://www.example.com and "
"http://www.anotherexample.com on the same Web server using virtual hosts. "
"This option corresponds to the <VirtualHost> directive for the default "
"virtual host and IP-based virtual hosts. It corresponds to the "
"<NameVirtualHost> directive for a name-based virtual host."
#: serverguide/C/web-servers.xml:333(para)
"The directives set for a virtual host only apply to that particular virtual "
"host. If a directive is set server-wide and not defined within the virtual "
"host settings, the default setting is used. For example, you can define a "
"Webmaster email address and not define individual email addresses for each "
#: serverguide/C/web-servers.xml:340(para)
"Set the DocumentRoot directive to the directory that contains the root "
"document (such as index.html) for the virtual host. The default DocumentRoot "
"is <filename>/var/www</filename>."
#: serverguide/C/web-servers.xml:345(para)
"The ServerAdmin directive within the VirtualHost stanza is the email address "
"used in the footer of error pages if you choose to show a footer with an "
"email address on the error pages."
#: serverguide/C/web-servers.xml:352(title)
msgid "Server Settings"
#: serverguide/C/web-servers.xml:353(para)
msgid "This section explains how to configure basic server settings."
#: serverguide/C/web-servers.xml:355(para)
"<emphasis role=\"bold\">LockFile</emphasis> - The LockFile directive sets "
"the path to the lockfile used when the server is compiled with either "
"USE_FCNTL_SERIALIZED_ACCEPT or USE_FLOCK_SERIALIZED_ACCEPT. It must be "
"stored on the local disk. It should be left to the default value unless the "
"logs directory is located on an NFS share. If this is the case, the default "
"value should be changed to a location on the local disk and to a directory "
"that is readable only by root."
#: serverguide/C/web-servers.xml:362(para)
"<emphasis role=\"bold\">PidFile</emphasis> - The PidFile directive sets the "
"file in which the server records its process ID (pid). This file should only "
"be readable by root. In most cases, it should be left to the default value."
#: serverguide/C/web-servers.xml:366(para)
"<emphasis role=\"bold\">User</emphasis> - The User directive sets the userid "
"used by the server to answer requests. This setting determines the server's "
"access. Any files inaccessible to this user will also be inaccessible to "
"your website's visitors. The default value for User is www-data."
#: serverguide/C/web-servers.xml:370(para)
"Unless you know exactly what you are doing, do not set the User directive to "
"root. Using root as the User will create large security holes for your Web "
#: serverguide/C/web-servers.xml:373(para)
"The Group directive is similar to the User directive. Group sets the group "
"under which the server will answer requests. The default group is also www-"
#: serverguide/C/web-servers.xml:377(title)
msgid "Apache Modules"
"Apache is a modular server. This implies that only the most basic "
"functionality is included in the core server. Extended features are "
"available through modules which can be loaded into Apache. By default, a "
"base set of modules is included in the server at compile-time. If the server "
"is compiled to use dynamically loaded modules, then modules can be compiled "
"separately, and added at any time using the LoadModule directive. Otherwise, "
"Apache must be recompiled to add or remove modules. Ubuntu compiles Apache2 "
"to allow the dynamic loading of modules. Configuration directives may be "
"conditionally included on the presence of a particular module by enclosing "
"them in an <IfModule> block. You can install additional Apache2 "
"modules and use them with your Web server. You can install Apache2 modules "
"using the <application>apt-get</application> command. For example, to "
"install the Apache2 module for MySQL authentication, you can run the "
"following command from a terminal prompt:"
#: serverguide/C/web-servers.xml:402(command)
msgid "sudo apt-get install libapache2-mod-auth-mysql"
#: serverguide/C/web-servers.xml:405(para)
"Once you install the module, the module will be available in the "
"<filename>/etc/apache2/mods-available</filename> directory. You can use the "
"<application>a2enmod</application> command to enable a module. You can use "
"the <application>a2dismod</application> command to disable a module. Once "
"you enable the module, the module will be available in the the "
"<filename>/etc/apache2/mods-enabled</filename> directory."
#: serverguide/C/web-servers.xml:419(title)
msgid "HTTPS Configuration"
#: serverguide/C/web-servers.xml:421(para)
"The <application>mod_ssl</application> module adds an important feature to "
"the Apache2 server - the ability to encrypt communications. Thus, when your "
"browser is communicating using SSL, the https:// prefix is used at the "
"beginning of the Uniform Resource Locator (URL) in the browser navigation "
#: serverguide/C/web-servers.xml:430(para)
"The <application>mod_ssl</application> module is available in "
"<application>apache2-common</application> package. Execute the following "
"command from a terminal prompt to enable the "
"<application>mod_ssl</application> module:"
#: serverguide/C/web-servers.xml:437(command)
msgid "sudo a2enmod ssl"
#: serverguide/C/web-servers.xml:440(para)
"There is a default HTTPS configuration file in <filename>/etc/apache2/sites-"
"available/default-ssl</filename>. In order for "
"<application>Apache</application> to provide HTTPS, a "
"<emphasis>certificate</emphasis> and <emphasis>key</emphasis> file are also "
"needed. The default HTTPS configuration will use a certificate and key "
"generated by the <application>ssl-cert</application> package. They are good "
"for testing, but the auto-generated certificate and key should be replaced "
"by a certificate specific to the site or server. For information on "
"generating a key and obtaining a certificate see <xref "
"linkend=\"certificates-and-security\"/>"
#: serverguide/C/web-servers.xml:450(para)
"To configure <application>Apache</application> for HTTPS, enter the "
#: serverguide/C/web-servers.xml:455(command)
msgid "sudo a2ensite default-ssl"
#: serverguide/C/web-servers.xml:459(para)
"The directories <filename>/etc/ssl/certs</filename> and "
"<filename>/etc/ssl/private</filename> are the default locations. If you "
"install the certificate and key in another directory make sure to change "
"<emphasis>SSLCertificateFile</emphasis> and "
"<emphasis>SSLCertificateKeyFile</emphasis> appropriately."
#: serverguide/C/web-servers.xml:466(para)
"With Apache now configured for HTTPS, restart the service to enable the new "
#: serverguide/C/web-servers.xml:477(para)
"Depending on how you obtained your certificate you may need to enter a "
"passphrase when <application>Apache</application> starts."
#: serverguide/C/web-servers.xml:483(para)
"You can access the secure server pages by typing https://your_hostname/url/ "
"in your browser address bar."
#: serverguide/C/web-servers.xml:492(ulink)
msgid "Apache2 Documentation"
#: serverguide/C/web-servers.xml:496(ulink)
msgid "Mod SSL Documentation"
#: serverguide/C/web-servers.xml:503(title)
msgid "PHP5 - Scripting Language"
#: serverguide/C/web-servers.xml:504(para)
"PHP is a general-purpose scripting language suited for Web development. The "
"PHP script can be embedded into HTML. This section explains how to install "
"and configure PHP5 in Ubuntu System with Apache2 and MySQL."
#: serverguide/C/web-servers.xml:508(para)
"This section assumes you have installed and configured Apache 2 Web Server "
"and MySQL Database Server. You can refer to Apache 2 section and MySQL "
"sections in this document to install and configure Apache 2 and MySQL "
#: serverguide/C/web-servers.xml:515(para)
msgid "The PHP5 is available in Ubuntu Linux."
#: serverguide/C/web-servers.xml:517(para)
"To install PHP5 you can enter the following command in the terminal prompt: "
"<command>sudo apt-get install php5 libapache2-mod-php5</command>\n"
#: serverguide/C/web-servers.xml:526(para)
"You can run PHP5 scripts from command line. To run PHP5 scripts from command "
"line you should install <application>php5-cli</application> package. To "
"install <application>php5-cli</application> you can enter the following "
"command in the terminal prompt: <screen>\n"
"<command>sudo apt-get install php5-cli</command>\n"
#: serverguide/C/web-servers.xml:535(para)
"You can also execute PHP5 scripts without installing PHP5 Apache module. To "
"accomplish this, you should install <application>php5-cgi</application> "
"package. You can run the following command in a terminal prompt to install "
"<application>php5-cgi</application> package: <screen>\n"
"<command>sudo apt-get install php5-cgi</command>\n"
#: serverguide/C/web-servers.xml:545(para)
"To use <application>MySQL</application> with PHP5 you should install "
"<application>php5-mysql</application> package. To install <application>php5-"
"mysql</application> you can enter the following command in the terminal "
"prompt: <screen>\n"
"<command>sudo apt-get install php5-mysql</command>\n"
#: serverguide/C/web-servers.xml:553(para)
"Similarly, to use <application>PostgreSQL</application> with PHP5 you should "
"install <application>php5-pgsql</application> package. To install "
"<application>php5-pgsql</application> you can enter the following command in "
"the terminal prompt: <screen>\n"
"<command>sudo apt-get install php5-pgsql</command>\n"
#: serverguide/C/web-servers.xml:566(para)
"Once you install PHP5, you can run PHP5 scripts from your web browser. If "
"you have installed <application>php5-cli</application> package, you can run "
"PHP5 scripts from your command prompt."
#: serverguide/C/web-servers.xml:573(para)
"By default, the Apache 2 Web server is configured to run PHP5 scripts. In "
"other words, the PHP5 module is enabled in Apache2 Web server automatically "
"when you install the module. Please verify if the files "
"<filename>/etc/apache2/mods-enabled/php5.conf</filename> and "
"<filename>/etc/apache2/mods-enabled/php5.load</filename> exist. If they do "
"not exists, you can enable the module using <command>a2enmod</command> "
#: serverguide/C/web-servers.xml:584(para)
"Once you install PHP5 related packages and enabled PHP5 Apache 2 module, you "
"should restart Apache2 Web server to run PHP5 scripts. You can run the "
"following command at a terminal prompt to restart your web server: "
"<screen><command>sudo /etc/init.d/apache2 restart</command> </screen>"
#: serverguide/C/web-servers.xml:592(title) serverguide/C/mail.xml:246(title) serverguide/C/mail.xml:1422(title) serverguide/C/dns.xml:333(title)
#: serverguide/C/web-servers.xml:593(para)
"To verify your installation, you can run following PHP5 phpinfo script:"
#: serverguide/C/web-servers.xml:596(programlisting)
"print_r (phpinfo());\n"
#: serverguide/C/web-servers.xml:601(para)
"You can save the content in a file <filename>phpinfo.php</filename> and "
"place it under <command>DocumentRoot</command> directory of Apache2 Web "
"server. When point your browser to "
"<filename>http://hostname/phpinfo.php</filename>, it would display values of "
"various PHP5 configuration parameters."
#: serverguide/C/web-servers.xml:613(title)
msgid "Squid - Proxy Server"
#: serverguide/C/web-servers.xml:614(para)
"Squid is a full-featured web proxy cache server application which provides "
"proxy and cache services for Hyper Text Transport Protocol (HTTP), File "
"Transfer Protocol (FTP), and other popular network protocols. Squid can "
"implement caching and proxying of Secure Sockets Layer (SSL) requests and "
"caching of Domain Name Server (DNS) lookups, and perform transparent "
"caching. Squid also supports a wide variety of caching protocols, such as "
"Internet Cache Protocol, (ICP) the Hyper Text Caching Protocol, (HTCP) the "
"Cache Array Routing Protocol (CARP), and the Web Cache Coordination "
#: serverguide/C/web-servers.xml:622(para)
"The Squid proxy cache server is an excellent solution to a variety of proxy "
"and caching server needs, and scales from the branch office to enterprise "
"level networks while providing extensive, granular access control mechanisms "
"and monitoring of critical parameters via the Simple Network Management "
"Protocol (SNMP). When selecting a computer system for use as a dedicated "
"Squid proxy, or caching servers, ensure your system is configured with a "
"large amount of physical memory, as Squid maintains an in-memory cache for "
"increased performance."
#: serverguide/C/web-servers.xml:631(para)
"At a terminal prompt, enter the following command to install the Squid "
#: serverguide/C/web-servers.xml:636(command)
msgid "sudo apt-get install squid"
#: serverguide/C/web-servers.xml:642(para)
"Squid is configured by editing the directives contained within the "
"<filename>/etc/squid/squid.conf</filename> configuration file. The following "
"examples illustrate some of the directives which may be modified to affect "
"the behavior of the Squid server. For more in-depth configuration of Squid, "
"see the References section."
#: serverguide/C/web-servers.xml:648(para)
"Prior to editing the configuration file, you should make a copy of the "
"original file and protect it from writing so you will have the original "
"settings as a reference, and to re-use as necessary."
#: serverguide/C/web-servers.xml:651(para)
"Copy the <filename>/etc/squid/squid.conf</filename> file and protect it from "
"writing with the following commands entered at a terminal prompt:"
#: serverguide/C/web-servers.xml:656(command)
msgid "sudo cp /etc/squid/squid.conf /etc/squid/squid.conf.original"
#: serverguide/C/web-servers.xml:657(command)
msgid "sudo chmod a-w /etc/squid/squid.conf.original"
#: serverguide/C/web-servers.xml:663(para)
"To set your Squid server to listen on TCP port 8888 instead of the default "
"TCP port 3128, change the http_port directive as such:"
#: serverguide/C/web-servers.xml:667(programlisting)
#: serverguide/C/web-servers.xml:672(para)
"Change the visible_hostname directive in order to give the Squid server a "
"specific hostname. This hostname does not necessarily need to be the "
"computer's hostname. In this example it is set to <emphasis>weezie</emphasis>"
#: serverguide/C/web-servers.xml:676(programlisting)
"visible_hostname weezie\n"
#: serverguide/C/web-servers.xml:681(para)
"Again, Using Squid's access control, you may configure use of Internet "
"services proxied by Squid to be available only users with certain Internet "
"Protocol (IP) addresses. For example, we will illustrate access by users of "
"the 192.168.42.0/24 subnetwork only:"
#: serverguide/C/web-servers.xml:686(para) serverguide/C/web-servers.xml:706(para)
"Add the following to the <emphasis role=\"bold\">bottom</emphasis> of the "
"ACL section of your <filename>/etc/squid/squid.conf</filename> file:"
#: serverguide/C/web-servers.xml:689(programlisting)
"acl fortytwo_network src 192.168.42.0/24\n"
#: serverguide/C/web-servers.xml:692(para) serverguide/C/web-servers.xml:713(para)
"Then, add the following to the <emphasis role=\"bold\">top</emphasis> of the "
"http_access section of your <filename>/etc/squid/squid.conf</filename> file:"
#: serverguide/C/web-servers.xml:696(programlisting)
"http_access allow fortytwo_network\n"
#: serverguide/C/web-servers.xml:701(para)
"Using the excellent access control features of Squid, you may configure use "
"of Internet services proxied by Squid to be available only during normal "
"business hours. For example, we'll illustrate access by employees of a "
"business which is operating between 9:00AM and 5:00PM, Monday through "
"Friday, and which uses the 10.1.42.0/42 subnetwork:"
#: serverguide/C/web-servers.xml:709(programlisting)
"acl biz_network src 10.1.42.0/24\n"
"acl biz_hours time M T W T F 9:00-17:00\n"
#: serverguide/C/web-servers.xml:717(programlisting)
"http_access allow biz_network biz_hours\n"
#: serverguide/C/web-servers.xml:724(para)
"After making changes to the <filename>/etc/squid/squid.conf</filename> file, "
"save the file and restart the <application>squid</application> server "
"application to effect the changes using the following command entered at a "
#: serverguide/C/web-servers.xml:731(command)
msgid "sudo /etc/init.d/squid restart"
#: serverguide/C/web-servers.xml:738(ulink)
msgid "Squid Website"
#: serverguide/C/web-servers.xml:744(title)
msgid "Ruby on Rails"
#: serverguide/C/web-servers.xml:745(para)
"Ruby on Rails is an open source web framework for developing database backed "
"web applications. It is optimized for sustainable productivity of the "
"programmer since it lets the programmer to write code by favouring "
"convention over configuration."
#: serverguide/C/web-servers.xml:752(para)
"Before installing <application>Rails</application> you should install "
"<application>Apache</application> and <application>MySQL</application>. To "
"install the <application>Apache</application> package, please refer to <xref "
"linkend=\"httpd\"/>. For instructions on installing "
"<application>MySQL</application> refer to <xref linkend=\"mysql\"/>."
#: serverguide/C/web-servers.xml:760(para)
"Once you have <application>Apache</application> and "
"<application>MySQL</application> packages installed, you are ready to "
"install <application>Ruby on Rails</application> package."
#: serverguide/C/web-servers.xml:767(para)
"To install the <application>Ruby</application> base packages and "
"<application>Ruby on Rails</application>, you can enter the following "
"command in the terminal prompt:"
#: serverguide/C/web-servers.xml:773(command)
msgid "sudo apt-get install rails"
#: serverguide/C/web-servers.xml:779(para)
"Modify the <filename>/etc/apache2/sites-available/default</filename> "
"configuration file to setup your domains."
#: serverguide/C/web-servers.xml:783(para)
"The first thing to change is the <emphasis>DocumentRoot</emphasis> directive:"
#: serverguide/C/web-servers.xml:787(programlisting)
"DocumentRoot /path/to/rails/application/public\n"
#: serverguide/C/web-servers.xml:790(para)
"Next, change the <Directory \"/path/to/rails/application/public\"> "
#: serverguide/C/web-servers.xml:794(programlisting)
"<Directory \"/path/to/rails/application/public\">\n"
" Options Indexes FollowSymLinks MultiViews ExecCGI\n"
" AllowOverride All\n"
" Order allow,deny\n"
" AddHandler cgi-script .cgi\n"
"</Directory>\n"
#: serverguide/C/web-servers.xml:804(para)
"You should also enable the <application>mod_rewrite</application> module for "
"Apache. To enable <application>mod_rewrite</application> module, please "
"enter the following command in a terminal prompt:"
#: serverguide/C/web-servers.xml:810(command)
msgid "sudo a2enmod rewrite"
#: serverguide/C/web-servers.xml:813(para)
"Finally you will need to change the ownership of the "
"<filename>/path/to/rails/application/public</filename> and "
"<filename>/path/to/rails/application/tmp</filename> directories to the user "
"used to run the <application>Apache</application> process:"
#: serverguide/C/web-servers.xml:819(command)
msgid "sudo chown -R www-data:www-data /path/to/rails/application/public"
#: serverguide/C/web-servers.xml:820(command)
msgid "sudo chown -R www-data:www-data /path/to/rails/application/tmp"
#: serverguide/C/web-servers.xml:823(para)
"That's it! Now you have your Server ready for your <application>Ruby on "
"Rails</application> applications."
#: serverguide/C/web-servers.xml:830(title)
msgid "Apache Tomcat"
#: serverguide/C/web-servers.xml:831(para)
"Apache Tomcat is a web container that allows you to serve Java Servlets and "
"JSP (Java Server Pages) web applications."
#: serverguide/C/web-servers.xml:833(para)
"The <application>Tomcat 6.0</application> packages in Ubuntu support two "
"different ways of running Tomcat. You can install them as a classic unique "
"system-wide instance, that will be started at boot time and will run as the "
"tomcat6 unpriviledged user. But you can also deploy private instances that "
"will run with your own user rights, and that you should start and stop by "
"yourself. This second way is particularly useful in a development server "
"context where multiple users need to test on their own private Tomcat "
#: serverguide/C/web-servers.xml:843(title)
msgid "System-wide installation"
#: serverguide/C/web-servers.xml:844(para)
"To install the <application>Tomcat</application> server, you can enter the "
"following command in the terminal prompt:"
#: serverguide/C/web-servers.xml:847(command)
msgid "sudo apt-get install tomcat6"
#: serverguide/C/web-servers.xml:849(para)
"This will install a Tomcat server with just a default ROOT webapp that "
"displays a minimal \"It works\" page by default."
#: serverguide/C/web-servers.xml:855(para)
"Tomcat configuration files can be found in "
"<filename>/etc/tomcat6</filename>. Only a few common configuration tweaks "
"will be described here, please see <ulink "
"url=\"http://tomcat.apache.org/tomcat-6.0-doc/index.html\">Tomcat 6.0 "
"documentation</ulink> for more."
#: serverguide/C/web-servers.xml:861(title)
msgid "Changing default ports"
#: serverguide/C/web-servers.xml:862(para)
"By default Tomcat 6.0 runs a HTTP connector on port 8080 and an AJP "
"connector on port 8009. You might want to change those default ports to "
"avoid conflict with another server on the system. This is done by changing "
"the following lines in <filename>/etc/tomcat6/server.xml</filename>:"
#: serverguide/C/web-servers.xml:867(programlisting)
"<Connector port=\"8080\" protocol=\"HTTP/1.1\" \n"
" connectionTimeout=\"20000\" \n"
" redirectPort=\"8443\" />\n"
"<Connector port=\"8009\" protocol=\"AJP/1.3\" redirectPort=\"8443\" "
#: serverguide/C/web-servers.xml:876(title)
msgid "Changing JVM used"
#: serverguide/C/web-servers.xml:877(para)
"By default Tomcat will run preferably with OpenJDK-6, then try Sun's JVM, "
"then try some other JVMs. If you have various JVMs installed, you can set "
"which should be used by setting JAVA_HOME in "
"<filename>/etc/default/tomcat6</filename>:"
#: serverguide/C/web-servers.xml:881(programlisting)
"JAVA_HOME=/usr/lib/jvm/java-6-sun\n"
#: serverguide/C/web-servers.xml:886(title)
msgid "Declaring users and roles"
#: serverguide/C/web-servers.xml:887(para)
"Usernames, passwords and roles (groups) can be defined centrally in a "
"Servlet container. In Tomcat 6.0 this is done in the "
"<filename>/etc/tomcat6/tomcat-users.xml</filename> file:"
#: serverguide/C/web-servers.xml:890(programlisting)
"<role rolename=\"admin\"/>\n"
"<user username=\"tomcat\" password=\"s3cret\" roles=\"admin\"/>\n"
#: serverguide/C/web-servers.xml:898(title)
msgid "Using Tomcat standard webapps"
#: serverguide/C/web-servers.xml:899(para)
"Tomcat is shipped with webapps that you can install for documentation, "
"administration or demo purposes."
#: serverguide/C/web-servers.xml:902(title)
msgid "Tomcat documentation"
#: serverguide/C/web-servers.xml:903(para)
"The <application>tomcat6-docs</application> package contains Tomcat 6.0 "
"documentation, packaged as a webapp that you can access by default at "
"http://yourserver:8080/docs. You can install it by entering the following "
"command in the terminal prompt:"
#: serverguide/C/web-servers.xml:908(command)
msgid "sudo apt-get install tomcat6-docs"
#: serverguide/C/web-servers.xml:912(title)
msgid "Tomcat administration webapps"
#: serverguide/C/web-servers.xml:913(para)
"The <application>tomcat6-admin</application> package contains two webapps "
"that can be used to administer the Tomcat server using a web interface. You "
"can install them by entering the following command in the terminal prompt:"
#: serverguide/C/web-servers.xml:918(command)
msgid "sudo apt-get install tomcat6-admin"
#: serverguide/C/web-servers.xml:920(para)
"The first one is the <emphasis>manager</emphasis> webapp, which you can "
"access by default at http://yourserver:8080/manager/html. It is primarily "
"used to get server status and restart webapps."
#: serverguide/C/web-servers.xml:923(para)
"Access to the <emphasis>manager</emphasis> application is protected by "
"default: you need to define a user with the role \"manager\" in "
"<filename>/etc/tomcat6/tomcat-users.xml</filename> before you can access it."
#: serverguide/C/web-servers.xml:927(para)
"The second one is the <emphasis>host-manager</emphasis> webapp, which you "
"can access by default at http://yourserver:8080/host-manager/html. It can be "
"used to create virtual hosts dynamically."
#: serverguide/C/web-servers.xml:931(para)
"Access to the <emphasis>host-manager</emphasis> application is also "
"protected by default: you need to define a user with the role \"admin\" in "
"<filename>/etc/tomcat6/tomcat-users.xml</filename> before you can access it."
#: serverguide/C/web-servers.xml:936(para)
"For security reasons, the tomcat6 user cannot write to the "
"<filename>/etc/tomcat6</filename> directory by default. Some features in "
"these admin webapps (application deployment, virtual host creation) need "
"write access to that directory. If you want to use these features execute "
"the following, to give users in the tomcat6 group the necessary rights:"
#: serverguide/C/web-servers.xml:943(command)
msgid "sudo chgrp -R tomcat6 /etc/tomcat6"
#: serverguide/C/web-servers.xml:944(command)
msgid "sudo chmod -R g+w /etc/tomcat6"
#: serverguide/C/web-servers.xml:949(title)
msgid "Tomcat examples webapps"
#: serverguide/C/web-servers.xml:950(para)
"The <application>tomcat6-examples</application> package contains two webapps "
"that can be used to test or demonstrate Servlets and JSP features, which you "
"can access them by default at http://yourserver:8080/examples. You can "
"install them by entering the following command in the terminal prompt:"
#: serverguide/C/web-servers.xml:956(command)
msgid "sudo apt-get install tomcat6-examples"
#: serverguide/C/web-servers.xml:962(title)
msgid "Using private instances"
#: serverguide/C/web-servers.xml:963(para)
"Tomcat is heavily used in development and testing scenarios where using a "
"single system-wide instance doesn't meet the requirements of multiple users "
"on a single system. The Tomcat 6.0 packages in Ubuntu come with tools to "
"help deploy your own user-oriented instances, allowing every user on a "
"system to run (without root rights) separate private instances while still "
"using the system-installed libraries."
#: serverguide/C/web-servers.xml:970(para)
"It is possible to run the system-wide instance and the private instances in "
"parallel, as long as they do not use the same TCP ports."
#: serverguide/C/web-servers.xml:974(title)
msgid "Installing private instance support"
#: serverguide/C/web-servers.xml:975(para)
"You can install everything necessary to run private instances by entering "
"the following command in the terminal prompt:"
#: serverguide/C/web-servers.xml:978(command)
msgid "sudo apt-get install tomcat6-user"
#: serverguide/C/web-servers.xml:982(title)
msgid "Creating a private instance"
#: serverguide/C/web-servers.xml:983(para)
"You can create a private instance directory by entering the following "
"command in the terminal prompt:"
#: serverguide/C/web-servers.xml:986(command)
msgid "tomcat6-instance-create my-instance"
#: serverguide/C/web-servers.xml:988(para)
"This will create a new <filename>my-instance</filename> directory with all "
"the necessary subdirectories and scripts. You can for example install your "
"common libraries in the <filename>lib/</filename> subdirectory and deploy "
"your webapps in the <filename>webapps/</filename> subdirectory. No webapps "
"are deployed by default."
#: serverguide/C/web-servers.xml:996(title)
msgid "Configuring your private instance"
#: serverguide/C/web-servers.xml:997(para)
"You will find the classic Tomcat configuration files for your private "
"instance in the <filename>conf/</filename> subdirectory. You should for "
"example certainly edit the <filename>conf/server.xml</filename> file to "
"change the default ports used by your private Tomcat instance to avoid "
"conflict with other instances that might be running."
#: serverguide/C/web-servers.xml:1005(title)
msgid "Starting/stopping your private instance"
#: serverguide/C/web-servers.xml:1006(para)
"You can start your private instance by entering the following command in the "
"terminal prompt (supposing your instance is located in the <filename>my-"
"instance</filename> directory):"
#: serverguide/C/web-servers.xml:1010(command)
msgid "my-instance/bin/startup.sh"
#: serverguide/C/web-servers.xml:1012(para)
"You should check the <filename>logs/</filename> subdirectory for any error. "
"If you have a <emphasis>java.net.BindException: Address already in "
"use<null>:8080</emphasis> error, it means that the port you're using "
"is already taken and that you should change it."
#: serverguide/C/web-servers.xml:1017(para)
"You can stop your instance by entering the following command in the terminal "
"prompt (supposing your instance is located in the <filename>my-"
"instance</filename> directory):"
#: serverguide/C/web-servers.xml:1021(command)
msgid "my-instance/bin/shutdown.sh"
#: serverguide/C/virtualization.xml:13(title)
msgid "Virtualization"
#: serverguide/C/virtualization.xml:14(para)
"Virtualization is being adopted in many different environments and "
"situations. If you are a developer, virtualization can provide you with a "
"contained environment where you can safely do almost any sort of development "
"safe from messing up your main working environment. If you are a systems "
"administrator, you can use virtualization to more easily separate your "
"services and move them around based on demand."
#: serverguide/C/virtualization.xml:20(para)
"The default virtualization technology supported in Ubuntu is "
"<application>KVM</application>, a technology that takes advantage of "
"virtualization extensions built into Intel and AMD hardware. For hardware "
"without virtualization extensions <application>Xen</application> and "
"<application>Qemu</application> are popular solutions."
#: serverguide/C/virtualization.xml:27(title)
#: serverguide/C/virtualization.xml:28(para)
"The <application>libvirt</application> library is used to interface with "
"different virtualization technologies. Before getting started with "
"<application>libvirt</application> it is best to make sure your hardware "
"supports the necessary virtualization extensions for "
"<application>KVM</application>. Enter the following from a terminal prompt:"
#: serverguide/C/virtualization.xml:34(command)
msgid "egrep '(vmx|svm)' /proc/cpuinfo"
#: serverguide/C/virtualization.xml:36(para)
"If nothing is printed, it means that your cpu does <emphasis>not</emphasis> "
"support hardware virtualization."
#: serverguide/C/virtualization.xml:40(para)
"On most computer whose processor supports virtualization, it is necessary to "
"activate an option in the bios to enable it. The method described above does "
"not show the status of it's activation."
#: serverguide/C/virtualization.xml:47(title)
msgid "Virtual Networking"
#: serverguide/C/virtualization.xml:49(para)
"There are a few different ways to allow a virtual machine access to the "
"external network. The default virtual network configuration is "
"<emphasis>usermode</emphasis> networking, which uses the SLIRP protocol and "
"traffic is NATed through the host interface to the outside network."
#: serverguide/C/virtualization.xml:54(para)
"To enable external hosts to directly access services on virtual machines a "
"<emphasis>bridge</emphasis> needs to be configured. This allows the virtual "
"interfaces to connect to the outside network through the physical interface, "
"making them appear as normal hosts to the rest of the network. For "
"information on setting up a bridge see <xref linkend=\"bridging\"/>."
#: serverguide/C/virtualization.xml:63(para)
msgid "To install the necessary packages, from a terminal prompt enter:"
#: serverguide/C/virtualization.xml:67(command)
msgid "sudo apt-get install kvm libvirt-bin"
#: serverguide/C/virtualization.xml:69(para)
"After installing <application>libvirt-bin</application>, the user used to "
"manage virtual machines will need to be added to the "
"<emphasis>libvirtd</emphasis> group. Doing so will grant the user access to "
"the advanced networking options."
#: serverguide/C/virtualization.xml:73(para)
msgid "In a terminal enter:"
msgid "sudo adduser $USERNAME libvirtd"
#: serverguide/C/virtualization.xml:80(para)
"If the user chosen is the current user, you will need to log out and back in "
"for the new group membership to take effect."
#: serverguide/C/virtualization.xml:84(para)
"You are now ready to install a <emphasis>Guest</emphasis> operating system. "
"Installing a virtual machine follows the same process as installing the "
"operating system directly on the hardware. You either need a way to automate "
"the installation, or a keyboard and monitor will need to be attached to the "
#: serverguide/C/virtualization.xml:89(para)
"In the case of virtual machines a Graphical User Interface (GUI) is "
"analogous to using a physical keyboard and mouse. Instead of installing a "
"GUI the <application>virt-viewer</application> application can be used to "
"connect to a virtual machine's console using <application>VNC</application>. "
"See <xref linkend=\"libvirt-virt-viewer\"/> for more information."
"There are several ways to automate the Ubuntu installation process, for "
"example using preseeds, kickstart, etc. Refer to the <ulink "
"url=\"https://help.ubuntu.com/8.10/installation-guide/\">Ubuntu Installation "
"Guide</ulink> for details."
#: serverguide/C/virtualization.xml:98(para)
"Yet another way to install an Ubuntu virtual machine is to use "
"<application>ubuntu-vm-builder</application>. <application>ubuntu-vm-"
"builder</application> allows you to setup advanced partitions, execute "
"custom post-install scripts, etc. For details see <xref linkend=\"jeos-and-"
#: serverguide/C/virtualization.xml:104(title)
msgid "virt-install"
#: serverguide/C/virtualization.xml:105(para)
"<application>virt-install</application> is part of the <application>python-"
"virtinst</application> package. To install it, from a terminal prompt enter:"
#: serverguide/C/virtualization.xml:109(command)
msgid "sudo apt-get install python-virtinst"
#: serverguide/C/virtualization.xml:111(para)
"There are several options available when using <application>virt-"
"install</application>. For example:"
"sudo virt-install -n web_devel -r 256 -f web_devel.img -s 4 -c jeos.iso --"
"accelerate --connect=qemu:///system --vnc --noautoconsole"
#: serverguide/C/virtualization.xml:119(para)
"<emphasis>-n web_devel:</emphasis> the name of the new virtual machine will "
"be <emphasis>web_devel</emphasis> in this example."
#: serverguide/C/virtualization.xml:124(para)
"<emphasis>-r 256:</emphasis> specifies the amount of memory the virtual "
#: serverguide/C/virtualization.xml:129(para)
"<emphasis>-f web_devel.img:</emphasis> indicates the path to the virtual "
"disk which can be a file, partition, or logical volume. In this example a "
"file named <filename>web_devel.img</filename>."
#: serverguide/C/virtualization.xml:135(para)
msgid "<emphasis>-s 4:</emphasis> the size of the virtual disk."
#: serverguide/C/virtualization.xml:140(para)
"<emphasis>-c jeos.iso:</emphasis> file to be used as a virtual CDROM. The "
"file can be either an ISO file or the path to the host's CDROM device."
#: serverguide/C/virtualization.xml:146(para)
"<emphasis>--accelerate:</emphasis> enables the kernel's acceleration "
#: serverguide/C/virtualization.xml:151(para)
"<emphasis>--vnc:</emphasis> exports the guest's virtual console using VNC."
#: serverguide/C/virtualization.xml:156(para)
"<emphasis>--noautoconsole:</emphasis> will not automatically connect to the "
"virtual machine's console."
#: serverguide/C/virtualization.xml:161(para)
"After launching <application>virt-install</application> you can connect to "
"the virtual machine's console either locally using a GUI or with the "
"<application>virt-viewer</application> utility."
#: serverguide/C/virtualization.xml:167(title)
#: serverguide/C/virtualization.xml:168(para)
"The <application>virt-clone</application> application can be used to copy "
"one virtual machine to another. For example:"
#: serverguide/C/virtualization.xml:172(command)
"sudo virt-clone -o web_devel -n database_devel -f "
"/path/to/database_devel.img --connect=qemu:///system"
#: serverguide/C/virtualization.xml:176(para)
msgid "<emphasis>-o:</emphasis> original virtual machine."
#: serverguide/C/virtualization.xml:181(para)
msgid "<emphasis>-n:</emphasis> name of the new virtual machine."
#: serverguide/C/virtualization.xml:186(para)
"<emphasis>-f:</emphasis> path to the file, logical volume, or partition to "
"be used by the new virtual machine."
#: serverguide/C/virtualization.xml:191(para)
"<emphasis>--connect:</emphasis> specifies which hypervisor to connect to."
#: serverguide/C/virtualization.xml:196(para)
"Also, use <emphasis>-d</emphasis> or <emphasis>--debug</emphasis> option to "
"help troubleshoot problems with <application>virt-clone</application>."
#: serverguide/C/virtualization.xml:201(para)
"Replace <emphasis>web_devel</emphasis> and "
"<emphasis>database_devel</emphasis> with appropriate virtual machine names."
#: serverguide/C/virtualization.xml:207(title)
msgid "Virtual Machine Management"
#: serverguide/C/virtualization.xml:209(title)
#: serverguide/C/virtualization.xml:210(para)
"There are several utilities available to manage virtual machines and "
"<application>libvirt</application>. The <application>virsh</application> "
"utility can be used from the command line. Some examples:"
#: serverguide/C/virtualization.xml:216(para)
msgid "To list running virtual machines:"
#: serverguide/C/virtualization.xml:220(command)
msgid "virsh -c qemu:///system list"
#: serverguide/C/virtualization.xml:224(para)
msgid "To start a virtual machine:"
#: serverguide/C/virtualization.xml:228(command)
msgid "virsh -c qemu:///system start web_devel"
#: serverguide/C/virtualization.xml:232(para)
msgid "Similarly, to start a virtual machine at boot:"
#: serverguide/C/virtualization.xml:236(command)
msgid "virsh -c qemu:///system autostart web_devel"
#: serverguide/C/virtualization.xml:240(para)
msgid "Reboot a virtual machine with:"
#: serverguide/C/virtualization.xml:244(command)
msgid "virsh -c qemu:///system reboot web_devel"
#: serverguide/C/virtualization.xml:248(para)
"The <emphasis>state</emphasis> of virtual machines can be saved to a file in "
"order to be restored later. The following will save the virtual machine "
"state into a file named according to the date:"
#: serverguide/C/virtualization.xml:253(command)
msgid "virsh -c qemu:///system save web_devel web_devel-022708.state"
#: serverguide/C/virtualization.xml:255(para)
msgid "Once saved the virtual machine will no longer be running."
#: serverguide/C/virtualization.xml:260(para)
msgid "A saved virtual machine can be restored using:"
#: serverguide/C/virtualization.xml:264(command)
msgid "virsh -c qemu:///system restore web_devel-022708.state"
#: serverguide/C/virtualization.xml:268(para)
msgid "To shutdown a virtual machine do:"
#: serverguide/C/virtualization.xml:272(command)
msgid "virsh -c qemu:///system shutdown web_devel"
#: serverguide/C/virtualization.xml:276(para)
msgid "A CDROM device can be mounted in a virtual machine by entering:"
#: serverguide/C/virtualization.xml:280(command)
msgid "virsh -c qemu:///system attach-disk web_devel /dev/cdrom /media/cdrom"
#: serverguide/C/virtualization.xml:285(para)
"In the above examples replace <emphasis>web_devel</emphasis> with the "
"appropriate virtual machine name, and <filename>web_devel-"
"022708.state</filename> with a descriptive file name."
#: serverguide/C/virtualization.xml:292(title)
msgid "Virtual Machine Manager"
#: serverguide/C/virtualization.xml:293(para)
"The <application>virt-manager</application> package contains a graphical "
"utility to manage local and remote virtual machines. To install virt-manager "
#: serverguide/C/virtualization.xml:298(command)
msgid "sudo apt-get install virt-manager"
#: serverguide/C/virtualization.xml:300(para)
"Since <application>virt-manager</application> requires a Graphical User "
"Interface (GUI) environment it is recommended to be installed on a "
"workstation or test machine instead of a production server. To connect to "
"the local <application>libvirt</application> service enter:"
#: serverguide/C/virtualization.xml:306(command)
msgid "virt-manager -c qemu:///system"
#: serverguide/C/virtualization.xml:308(para)
"You can connect to the <application>libvirt</application> service running on "
"another host by entering the following in a terminal prompt:"
#: serverguide/C/virtualization.xml:312(command)
msgid "virt-manager -c qemu+ssh://virtnode1.mydomain.com/system"
#: serverguide/C/virtualization.xml:315(para)
"The above example assumes that <application>SSH</application> connectivity "
"between the management system and virtnode1.mydomain.com has already been "
"configured, and uses SSH keys for authentication. SSH "
"<emphasis>keys</emphasis> are needed because "
"<application>libvirt</application> sends the password prompt to another "
"process. For details on configuring <application>SSH</application> see <xref "
"linkend=\"openssh-server\"/>"
#: serverguide/C/virtualization.xml:325(title)
msgid "Virtual Machine Viewer"
#: serverguide/C/virtualization.xml:326(para)
"The <application>virt-viewer</application> application allows you to connect "
"to a virtual machine's console. <application>virt-viewer</application> does "
"require a Graphical User Interface (GUI) to interface with the virtual "
#: serverguide/C/virtualization.xml:330(para)
"To install <application>virt-viewer</application> from a terminal enter:"
#: serverguide/C/virtualization.xml:334(command)
msgid "sudo apt-get install virt-viewer"
#: serverguide/C/virtualization.xml:336(para)
"Once a virtual machine is installed and running you can connect to the "
"virtual machine's console by using:"
msgid "virt-viewer qemu:///system web_devel"
#: serverguide/C/virtualization.xml:342(para)
"Similar to <application>virt-manager</application>, <application>virt-"
"viewer</application> can connect to a remote host using "
"<emphasis>SSH</emphasis> with key authentication, as well:"
#: serverguide/C/virtualization.xml:347(command)
msgid "virt-viewer -c qemu+ssh://virtnode1.mydomain.com/system web_devel"
#: serverguide/C/virtualization.xml:349(para)
"Be sure to replace <emphasis role=\"italic\">web_devel</emphasis> with the "
"appropriate virtual machine name."
#: serverguide/C/virtualization.xml:352(para)
"If configured to use a <emphasis>bridged</emphasis> network interface you "
"can also setup <application>SSH</application> access to the virtual machine. "
"See <xref linkend=\"openssh-server\"/> and <xref linkend=\"bridging\"/> for "
#: serverguide/C/virtualization.xml:361(para)
"See the <ulink url=\"http://kvm.qumranet.com/kvmwiki\">KVM</ulink> home page "
#: serverguide/C/virtualization.xml:366(para)
"For more information on <application>libvirt</application> see the <ulink "
"url=\"http://libvirt.org/\">libvirt home page</ulink>"
#: serverguide/C/virtualization.xml:371(para)
"The <ulink url=\"http://virt-manager.et.redhat.com/\">Virtual Machine "
"Manager</ulink> site has more information on <application>virt-"
"manager</application> development."
#: serverguide/C/virtualization.xml:377(para)
"Also, stop by the <emphasis>#ubuntu-virt</emphasis> IRC channel on <ulink "
"url=\"http://freenode.net/\">freenode</ulink> to discuss virtualization "
"technology in Ubuntu."
#: serverguide/C/virtualization.xml:386(title) serverguide/C/jeos.xml:13(title)
msgid "JeOS and vmbuilder"
#: serverguide/C/virtualization.xml:392(title) serverguide/C/jeos.xml:19(title)
msgid "What is JeOS"
#: serverguide/C/virtualization.xml:394(para) serverguide/C/jeos.xml:21(para)
"Ubuntu <emphasis>JeOS</emphasis> (pronounced \"Juice\") is an efficient "
"variant of the Ubuntu Server operating system, configured specifically for "
"virtual appliances. No longer available as a CD-ROM ISO for download, but "
"only as an option either:"
#: serverguide/C/virtualization.xml:401(para)
"While installing from the Server Edition ISO (pressing "
"<emphasis>F4</emphasis> on the first screen will allow you to pick \"Minimal "
"installation\", which is the package selection equivalent to JeOS)."
#: serverguide/C/virtualization.xml:407(para) serverguide/C/jeos.xml:34(para)
msgid "Or to be built using Ubuntu's vmbuilder, which is described here."
#: serverguide/C/virtualization.xml:413(para) serverguide/C/jeos.xml:40(para)
"JeOS is a specialized installation of Ubuntu Server Edition with a tuned "
"kernel that only contains the base elements needed to run within a "
"virtualized environment."
#: serverguide/C/virtualization.xml:418(para) serverguide/C/jeos.xml:45(para)
"Ubuntu JeOS has been tuned to take advantage of key performance technologies "
"in the latest virtualization products from VMware. This combination of "
"reduced size and optimized performance ensures that Ubuntu JeOS Edition "
"delivers a highly efficient use of server resources in large virtual "
#: serverguide/C/virtualization.xml:424(para) serverguide/C/jeos.xml:51(para)
"Without unnecessary drivers, and only the minimal required packages, ISVs "
"can configure their supporting OS exactly as they require. They have the "
"peace of mind that updates, whether for security or enhancement reasons, "
"will be limited to the bare minimum of what is required in their specific "
"environment. In turn, users deploying virtual appliances built on top of "
"JeOS will have to go through fewer updates and therefore less maintenance "
"than they would have had to with a standard full installation of a server."
#: serverguide/C/virtualization.xml:433(title) serverguide/C/jeos.xml:60(title)
msgid "What is vmbuilder"
#: serverguide/C/virtualization.xml:435(para) serverguide/C/jeos.xml:62(para)
"With vmbuilder, there is no need to download a JeOS ISO anymore. vmbuilder "
"will fetch the various package and build a virtual machine tailored for our "
"need in about a minute for us. Vmbuilder is a Script that automates the "
"process of creating a ready to use Linux based VM. The currently supported "
"hypervisors are KVM and Xen."
#: serverguide/C/virtualization.xml:441(para) serverguide/C/jeos.xml:68(para)
"You can pass command line options to add extra packages, remove packages, "
"choose which version of Ubuntu, which mirror etc. On recent hardware with "
"plenty of RAM, tmpdir in <filename>/dev/shm</filename> or using a tmpfs, and "
"a local mirror, you can bootstrap a VM in less than a minute."
#: serverguide/C/virtualization.xml:447(para) serverguide/C/jeos.xml:74(para)
"First introduced as a shell script in Ubuntu 8.04LTS, <application>ubuntu-vm-"
"builder</application> started with little emphasis as a hack to help "
"developers test their new code in a virtual machine without having to "
"restart from scratch each time. As a few Ubuntu administrators started to "
"notice this script, a few of them went on improving it and adapting it for "
"so many use case that Soren Hansen (the author of the script and Ubuntu "
"virtualization specialist, not the golf player) decided to rewrite it from "
"scratch for Intrepid as a python script with a few new design goals:"
#: serverguide/C/virtualization.xml:457(para) serverguide/C/jeos.xml:84(para)
msgid "Develop it so that it can be reused by other distributions."
#: serverguide/C/virtualization.xml:462(para) serverguide/C/jeos.xml:89(para)
"Use a plugin mechanisms for all virtualization interactions so that others "
"can easily add logic for other virtualization environments."
#: serverguide/C/virtualization.xml:467(para) serverguide/C/jeos.xml:94(para)
"Provide an easy to maintain web interface as an option to the command line "
#: serverguide/C/virtualization.xml:473(para) serverguide/C/jeos.xml:100(para)
msgid "But the general principles and commands remain the same."
#: serverguide/C/virtualization.xml:480(title) serverguide/C/jeos.xml:107(title)
msgid "Initial Setup"
#: serverguide/C/virtualization.xml:482(para) serverguide/C/jeos.xml:109(para)
"It is assumed that you have installed and configured "
"<application>libvirt</application> and <application>KVM</application> "
"locally on the machine you are using. For details on how to perform this, "
#: serverguide/C/virtualization.xml:494(para) serverguide/C/jeos.xml:121(para)
"The <ulink url=\"https://help.ubuntu.com/community/KVM\">KVM</ulink> Wiki "
#: serverguide/C/virtualization.xml:500(para) serverguide/C/jeos.xml:127(para)
"We also assume that you know how to use a text based text editor such as "
"nano or vi. If you have not used any of them before, you can get an overview "
"of the various text editors available by reading the <ulink "
"url=\"https://help.ubuntu.com/community/PowerUsersTextEditors\">PowerUsersTex"
"tEditors</ulink> page. This tutorial has been done on KVM, but the general "
"principle should remain on other virtualization technologies."
#: serverguide/C/virtualization.xml:508(title) serverguide/C/jeos.xml:135(title)
msgid "Install vmbuilder"
#: serverguide/C/virtualization.xml:510(para) serverguide/C/jeos.xml:137(para)
"The name of the package that we need to install is <application>python-vm-"
"builder</application>. In a terminal prompt enter:"
#: serverguide/C/virtualization.xml:515(command) serverguide/C/jeos.xml:142(command)
msgid "sudo apt-get install python-vm-builder"
#: serverguide/C/virtualization.xml:519(para) serverguide/C/jeos.xml:146(para)
"If you are running Hardy, you can still perform most of this using the older "
"version of the package named <application>ubuntu-vm-builder</application>, "
"there are only a few changes to the syntax of the tool."
#: serverguide/C/virtualization.xml:528(title) serverguide/C/jeos.xml:155(title)
msgid "Defining Your Virtual Machine"
#: serverguide/C/virtualization.xml:530(para) serverguide/C/jeos.xml:157(para)
"Defining a virtual machine with Ubuntu's vmbuilder is quite simple, but here "
"are a few thing to consider:"
#: serverguide/C/virtualization.xml:536(para) serverguide/C/jeos.xml:163(para)
"If you plan on shipping a virtual appliance, do not assume that the end-user "
"will know how to extend disk size to fit their need, so either plan for a "
"large virtual disk to allow for your appliance to grow, or explain fairly "
"well in your documentation how to allocate more space. It might actually be "
"a good idea to store data on some separate external storage."
#: serverguide/C/virtualization.xml:543(para) serverguide/C/jeos.xml:170(para)
"Given that RAM is much easier to allocate in a VM, RAM size should be set to "
"whatever you think is a safe minimum for your appliance."
#: serverguide/C/virtualization.xml:549(para) serverguide/C/jeos.xml:176(para)
"The <application>vmbuilder</application> command has 2 main parameters: the "
"<emphasis>virtualization technology (hypervisor)</emphasis> and the targeted "
"<emphasis>distribution</emphasis>. Optional parameters are quite numerous "
"and can be found using the following command:"
#: serverguide/C/virtualization.xml:555(command) serverguide/C/jeos.xml:182(command)
msgid "vmbuilder --help"
#: serverguide/C/virtualization.xml:559(title) serverguide/C/jeos.xml:186(title)
msgid "Base Parameters"
"As this example is based on <application>KVM</application> and Ubuntu 8.10 "
"(Intrepid Ibex), and we are likely to rebuild the same virtual machine "
"multiple time, we'll invoke vmbuilder with the following first parameters:"
"sudo vmbuilder kvm ubuntu --suite intrepid --flavour virtual --arch i386 -o -"
"-libvirt qemu:///system"
#: serverguide/C/virtualization.xml:570(para) serverguide/C/jeos.xml:197(para)
"The <emphasis>--suite</emphasis> defines the Ubuntu release, the <emphasis>--"
"flavour</emphasis> specifies that we want to use the virtual kernel (that's "
"the one used to build a JeOS image), the <emphasis>--arch</emphasis> tells "
"that we want to use a 32 bit machine, the <emphasis>-o</emphasis> tells "
"vmbuilder to overwrite the previous version of the VM and the <emphasis>--"
"libvirt</emphasis> tells to inform the local virtualization environment to "
"add the resulting VM to the list of available machines."
#: serverguide/C/virtualization.xml:578(para) serverguide/C/jeos.xml:205(para)
#: serverguide/C/virtualization.xml:584(para)
"Because of the nature of operations performed by vmbuilder, it needs to have "
"root privilege, hence the use of sudo."
#: serverguide/C/virtualization.xml:589(para) serverguide/C/jeos.xml:216(para)
"If your virtual machine needs to use more than 3Gb of ram, you should build "
"a 64 bit machine (--arch amd64)."
#: serverguide/C/virtualization.xml:594(para) serverguide/C/jeos.xml:221(para)
"Until Ubuntu 8.10, the virtual kernel was only built for 32 bit "
"architecture, so if you want to define an amd64 machine on Hardy, you should "
"use <emphasis>--flavour</emphasis> server instead."
#: serverguide/C/virtualization.xml:602(title) serverguide/C/jeos.xml:229(title)
msgid "JeOS Installation Parameters"
#: serverguide/C/virtualization.xml:605(title) serverguide/C/jeos.xml:232(title)
msgid "JeOS Networking"
#: serverguide/C/virtualization.xml:608(title) serverguide/C/jeos.xml:235(title)
msgid "Assigning a fixed IP address"
#: serverguide/C/virtualization.xml:610(para) serverguide/C/jeos.xml:237(para)
"As a virtual appliance that may be deployed on various very different "
"networks, it is very difficult to know what the actual network will look "
"like. In order to simplify configuration, it is a good idea to take an "
"approach similar to what network hardware vendors usually do, namely "
"assigning an initial fixed IP address to the appliance in a private class "
"network that you will provide in your documentation. An address in the range "
"192.168.0.0/255 is usually a good choice."
#: serverguide/C/virtualization.xml:617(para) serverguide/C/jeos.xml:244(para)
msgid "To do this we'll use the following parameters:"
#: serverguide/C/virtualization.xml:623(para) serverguide/C/jeos.xml:250(para)
"<emphasis>--ip ADDRESS</emphasis>: IP address in dotted form (defaults to "
"dhcp if not specified)"
#: serverguide/C/virtualization.xml:628(para) serverguide/C/jeos.xml:255(para)
"<emphasis>--mask VALUE</emphasis>: IP mask in dotted form (default: "
#: serverguide/C/virtualization.xml:633(para) serverguide/C/jeos.xml:260(para)
msgid "<emphasis>--net VALUE</emphasis>: IP net address (default: X.X.X.0)"
#: serverguide/C/virtualization.xml:638(para) serverguide/C/jeos.xml:265(para)
msgid "<emphasis>--bcast VALUE</emphasis>: IP broadcast (default: X.X.X.255)"
#: serverguide/C/virtualization.xml:643(para) serverguide/C/jeos.xml:270(para)
msgid "<emphasis>--gw ADDRESS</emphasis>: Gateway address (default: X.X.X.1)"
#: serverguide/C/virtualization.xml:648(para) serverguide/C/jeos.xml:275(para)
"<emphasis>--dns ADDRESS</emphasis>: Name server address (default: X.X.X.1)"
#: serverguide/C/virtualization.xml:654(para) serverguide/C/jeos.xml:281(para)
"We assume for now that default values are good enough, so the resulting "
"invocation becomes:"
"sudo vmbuilder kvm ubuntu --suite intrepid --flavour virtual --arch i386 -o -"
"-libvirt qemu:///system --ip 192.168.0.100"
#: serverguide/C/virtualization.xml:664(title) serverguide/C/jeos.xml:291(title)
msgid "Modifying the libvirt Template to use Bridging"
#: serverguide/C/virtualization.xml:666(para) serverguide/C/jeos.xml:293(para)
"Because our appliance will be likely to need to be accessed by remote hosts, "
"we need to configure libvirt so that the appliance uses bridge networking. "
"To do this we use vmbuilder template mechanism to modify the default one."
#: serverguide/C/virtualization.xml:671(para) serverguide/C/jeos.xml:298(para)
"In our working directory we create the template hierarchy and copy the "
#: serverguide/C/virtualization.xml:676(command) serverguide/C/jeos.xml:303(command)
msgid "mkdir -p VMBuilder/plugins/libvirt/templates"
#: serverguide/C/virtualization.xml:677(command) serverguide/C/jeos.xml:304(command)
msgid "cp /etc/vmbuilder/libvirt/* VMBuilder/plugins/libvirt/templates/"
#: serverguide/C/virtualization.xml:680(para) serverguide/C/jeos.xml:307(para)
"<filename>VMBuilder/plugins/libvirt/templates/libvirtxml.tmpl</filename> to "
#: serverguide/C/virtualization.xml:684(programlisting) serverguide/C/jeos.xml:311(programlisting)
" <interface type='network'>\n"
" <source network='default'/>\n"
" </interface>\n"
#: serverguide/C/virtualization.xml:690(para) serverguide/C/jeos.xml:317(para)
#: serverguide/C/virtualization.xml:694(programlisting) serverguide/C/jeos.xml:321(programlisting)
" <interface type='bridge'>\n"
" <source network='br0'/>\n"
" </interface>\n"
#: serverguide/C/virtualization.xml:704(title) serverguide/C/jeos.xml:331(title) serverguide/C/installation.xml:397(title)
msgid "Partitioning"
#: serverguide/C/virtualization.xml:706(para) serverguide/C/jeos.xml:333(para)
"Partitioning of the virtual appliance will have to take into consideration "
"what you are planning to do with is. Because most appliances want to have a "
"separate storage for data, having a separate <filename>/var</filename> would "
#: serverguide/C/virtualization.xml:711(para) serverguide/C/jeos.xml:338(para)
"In order to do this vmbuilder provides us with <emphasis>--part</emphasis>:"
#: serverguide/C/virtualization.xml:715(programlisting) serverguide/C/jeos.xml:342(programlisting)
" Allows to specify a partition table in partfile each line of partfile "
" mountpoint size\n"
" where size is in megabytes. You can have up to 4 virtual disks, a new "
"disk starts on a\n"
" line with ’---’. ie :\n"
#: serverguide/C/virtualization.xml:730(para) serverguide/C/jeos.xml:357(para)
"In our case we will define a text file name "
"<filename>vmbuilder.partition</filename> which will contain the following:"
#: serverguide/C/virtualization.xml:734(programlisting) serverguide/C/jeos.xml:361(programlisting)
#: serverguide/C/virtualization.xml:742(para) serverguide/C/jeos.xml:369(para)
"Note that as we are using virtual disk images, the actual sizes that we put "
"here are maximum sizes for these volumes."
#: serverguide/C/virtualization.xml:747(para) serverguide/C/jeos.xml:374(para)
msgid "Our command line now looks like:"
"sudo vmbuilder kvm ubuntu --suite intrepid --flavour virtual --arch i386 \\ -"
"o --libvirt qemu:///system --ip 192.168.0.100 --part vmbuilder.partition"
#: serverguide/C/virtualization.xml:757(para) serverguide/C/jeos.xml:384(para)
"Using a \"\\\" in a command will allow long command strings to wrap to the "
#: serverguide/C/virtualization.xml:764(title) serverguide/C/jeos.xml:391(title)
msgid "User and Password"
#: serverguide/C/virtualization.xml:766(para) serverguide/C/jeos.xml:393(para)
"Again setting up a virtual appliance, you will need to provide a default "
"user and password that is generic so that you can include it in your "
"documentation. We will see later on in this tutorial how we will provide "
"some security by defining a script that will be run the first time a user "
"actually logs in the appliance, that will, among other things, ask him to "
"change his password. In this example I will use <emphasis>'user'</emphasis> "
"as my user name, and <emphasis>'default'</emphasis> as the password."
#: serverguide/C/virtualization.xml:774(para) serverguide/C/jeos.xml:401(para)
msgid "To do this we use the following optional parameters:"
#: serverguide/C/virtualization.xml:780(para) serverguide/C/jeos.xml:407(para)
"<emphasis>--user USERNAME:</emphasis> Sets the name of the user to be added. "
#: serverguide/C/virtualization.xml:785(para) serverguide/C/jeos.xml:412(para)
"<emphasis>--name FULLNAME:</emphasis> Sets the full name of the user to be "
"added. Default: Ubuntu."
#: serverguide/C/virtualization.xml:790(para) serverguide/C/jeos.xml:417(para)
"<emphasis>--pass PASSWORD:</emphasis> Sets the password for the user. "
#: serverguide/C/virtualization.xml:796(para) serverguide/C/jeos.xml:423(para)
msgid "Our resulting command line becomes:"
#: serverguide/C/virtualization.xml:801(command) serverguide/C/jeos.xml:428(command)
"sudo vmbuilder kvm ubuntu --suite intrepid --flavour virtual --arch i386 \\ -"
"o --libvirt qemu:///system --ip 192.168.0.100 --part vmbuilder.partition \\ -"
"-user user --name user --pass default"
#: serverguide/C/virtualization.xml:809(title) serverguide/C/jeos.xml:436(title)
msgid "Installing Required Packages"
#: serverguide/C/virtualization.xml:811(para) serverguide/C/jeos.xml:438(para)
"In this example we will be installing a package "
"<application>(Limesurvey)</application> that accesses a "
"<application>MySQL</application> database and has a web interface. We will "
"therefore require our OS to provide us with:"
#: serverguide/C/virtualization.xml:818(para) serverguide/C/jeos.xml:445(para)
#: serverguide/C/virtualization.xml:819(para) serverguide/C/jeos.xml:446(para)
#: serverguide/C/virtualization.xml:820(para) serverguide/C/jeos.xml:447(para) serverguide/C/databases.xml:19(trademark) serverguide/C/databases.xml:31(title)
#: serverguide/C/virtualization.xml:821(para) serverguide/C/remote-administration.xml:20(title) serverguide/C/jeos.xml:448(para)
msgid "OpenSSH Server"
#: serverguide/C/virtualization.xml:822(para) serverguide/C/jeos.xml:449(para)
msgid "Limesurvey (as an example application that we have packaged)"
#: serverguide/C/virtualization.xml:825(para) serverguide/C/jeos.xml:452(para)
"This is done using vmbuilder by specifying the --addpkg command multiple "
#: serverguide/C/virtualization.xml:829(programlisting) serverguide/C/jeos.xml:456(programlisting)
" Install PKG into the guest (can be specfied multiple times)\n"
#: serverguide/C/virtualization.xml:834(para) serverguide/C/jeos.xml:461(para)
"However, due to the way vmbuilder operates, packages that have to ask "
"questions to the user during the post install phase are not supported and "
"should instead be installed while interactivity can occur. This is the case "
"of Limesurvey, which we will have to install later, once the user logs in."
#: serverguide/C/virtualization.xml:840(para) serverguide/C/jeos.xml:467(para)
"Other packages that ask simple debconf question, such as <application>mysql-"
"server</application> asking to set a password, the package can be installed "
"immediately, but we will have to reconfigure it the first time the user logs "
#: serverguide/C/virtualization.xml:846(para) serverguide/C/jeos.xml:473(para)
"If some packages that we need to install are not in main, we need to enable "
"the additional repositories using --comp and --ppa:"
#: serverguide/C/virtualization.xml:850(programlisting) serverguide/C/jeos.xml:477(programlisting)
"--components COMP1,COMP2,...,COMPN\n"
" A comma separated list of distro components to include (e.g. "
"main,universe). This defaults\n"
"--ppa=PPA Add ppa belonging to PPA to the vm's sources.list.\n"
#: serverguide/C/virtualization.xml:857(para) serverguide/C/jeos.xml:484(para)
"Limesurvey not being part of the archive at the moment, we'll specify it's "
"PPA (personal package archive) address so that it is added to the VM "
"<filename>/etc/apt/source.list</filename>, so we add the following options "
"to the command line:"
#: serverguide/C/virtualization.xml:863(command) serverguide/C/jeos.xml:490(command)
"--addpkg apache2 --addpkg apache2-mpm-prefork --addpkg apache2-utils --"
"addpkg apache2.2-common \\ --addpkg dbconfig-common --addpkg libapache2-mod-"
"php5 --addpkg mysql-client --addpkg php5-cli \\ --addpkg php5-gd --addpkg "
"php5-ldap --addpkg php5-mysql --addpkg wwwconfig-common \\ --addpkg mysql-"
"server --ppa nijaba"
#: serverguide/C/virtualization.xml:870(title) serverguide/C/jeos.xml:497(title)
#: serverguide/C/virtualization.xml:872(para) serverguide/C/jeos.xml:499(para)
"Another convenient tool that we want to have on our appliance is OpenSSH, as "
"it will provide our admins to access to access the appliance remotely. "
"However, pushing in the wild an appliance with a pre-installed OpenSSH "
"server is a big security risk as all these server will share the same secret "
"key, making it very easy for hackers to target our appliance with all the "
"tools they need to crack it open in a breeze. As for the user password, we "
"will instead rely on a script that will install OpenSSH the first time a "
"user logs in so that the key generated will be different for each appliance. "
"For this we'll use a <emphasis>--firstboot</emphasis> script, as it does not "
"need any user interaction."
#: serverguide/C/virtualization.xml:884(title) serverguide/C/jeos.xml:511(title)
msgid "Speed Considerations"
#: serverguide/C/virtualization.xml:887(title) serverguide/C/jeos.xml:514(title)
msgid "Package Caching"
#: serverguide/C/virtualization.xml:889(para) serverguide/C/jeos.xml:516(para)
"When vmbuilder creates builds your system, it has to go fetch each one of "
"the packages that composes it over the network to one of the official "
"repositories, which, depending on your internet connection speed and the "
"load of the mirror, can have a big impact on the actual build time. In order "
"to reduce this, it is recommended to either have a local repository (which "
"can be created using <application>apt-mirror</application>) or using a "
"caching proxy such as <application>apt-cache</application>. The later option "
"being much simpler to implement and requiring less disk space, it is the one "
"we will pick in this tutorial. To install it, simply type:"
#: serverguide/C/virtualization.xml:899(command) serverguide/C/jeos.xml:526(command)
msgid "sudo apt-get install apt-proxy"
#: serverguide/C/virtualization.xml:902(para) serverguide/C/jeos.xml:529(para)
"Once this is complete, your (empty) proxy is ready for use on "
"http://mirroraddress:9999 and will find ubuntu repository under /ubuntu. For "
"vmbuilder to use it, we'll have to use the <emphasis>--mirror</emphasis> "
#: serverguide/C/virtualization.xml:907(programlisting) serverguide/C/jeos.xml:534(programlisting)
"--mirror=URL Use Ubuntu mirror at URL instead of the default, which\n"
" is http://archive.ubuntu.com/ubuntu for official\n"
" arches and http://ports.ubuntu.com/ubuntu-ports\n"
#: serverguide/C/virtualization.xml:914(para) serverguide/C/jeos.xml:541(para)
msgid "So we add to the command line:"
#: serverguide/C/virtualization.xml:919(command) serverguide/C/jeos.xml:546(command)
msgid "--mirror http://mirroraddress:9999/ubuntu"
#: serverguide/C/virtualization.xml:923(para) serverguide/C/jeos.xml:550(para)
"The mirror address specified here will also be used in the "
"<filename>/etc/apt/source.list</filename> of the newly created guest, so it "
"is usefull to specify here an address that can be resolved by the guest or "
"to plan on reseting this address later on, such as in a <emphasis>--"
"firstboot</emphasis> script."
#: serverguide/C/virtualization.xml:932(title) serverguide/C/jeos.xml:559(title)
msgid "Install a Local Mirror"
#: serverguide/C/virtualization.xml:934(para) serverguide/C/jeos.xml:561(para)
"If we are in a larger environment, it may make sense to setup a local mirror "
"of the Ubuntu repositories. The package apt-mirror provides you with a "
"script that will handle the mirroring for you. You should plan on having "
"about 20 gigabyte of free space per supported release and architecture."
#: serverguide/C/virtualization.xml:940(para) serverguide/C/jeos.xml:567(para)
"By default, <application>apt-mirror</application> uses the configuration "
"file in <filename>/etc/apt/mirror.list</filename>. As it is set up, it will "
"replicate only the architecture of the local machine. If you would like to "
"support other architectures on your mirror, simply duplicate the lines "
"starting with “deb”, replacing the deb keyword by /deb-{arch} where arch can "
"be i386, amd64, etc... For example, on an amd64 machine, to have the i386 "
"archives as well, you will have:"
"deb http://archive.ubuntu.com/ubuntu intrepid main restricted universe "
"/deb-i386 http://archive.ubuntu.com/ubuntu intrepid main restricted "
"universe multiverse\n"
"deb http://archive.ubuntu.com/ubuntu intrepid-updates main restricted "
"universe multiverse \n"
"/deb-i386 http://archive.ubuntu.com/ubuntu intrepid-updates main restricted "
"universe multiverse \n"
"deb http://archive.ubuntu.com/ubuntu/ intrepid-backports main restricted "
"universe multiverse \n"
"/deb-i386 http://archive.ubuntu.com/ubuntu intrepid-backports main "
"restricted universe multiverse \n"
"deb http://security.ubuntu.com/ubuntu intrepid-security main restricted "
"universe multiverse \n"
"/deb-i386 http://security.ubuntu.com/ubuntu intrepid-security main "
"restricted universe multiverse \n"
"deb http://archive.ubuntu.com/ubuntu intrepid main/debian-installer "
"restricted/debian-installer universe/debian-installer multiverse/debian-"
"/deb-i386 http://archive.ubuntu.com/ubuntu intrepid main/debian-installer "
"restricted/debian-installer universe/debian-installer multiverse/debian-"
#: serverguide/C/virtualization.xml:964(para) serverguide/C/jeos.xml:591(para)
"Notice that the source packages are not mirrored as they are seldom used "
"compared to the binaries and they do take a lot more space, but they can be "
"easily added to the list."
#: serverguide/C/virtualization.xml:969(para) serverguide/C/jeos.xml:596(para)
"Once the mirror has finished replicating (and this can be quite long), you "
"need to configure Apache so that your mirror files (in "
"<filename>/var/spool/apt-mirror</filename> if you did not change the "
"default), are published by your Apache server. For more information on "
"Apache see <xref linkend=\"httpd\"/>."
#: serverguide/C/virtualization.xml:978(title) serverguide/C/jeos.xml:605(title)
msgid "Installing in a RAM Disk"
#: serverguide/C/virtualization.xml:980(para) serverguide/C/jeos.xml:607(para)
"As you can easily imagine, writing to RAM is a <emphasis>LOT</emphasis> "
"faster than writing to disk. If you have some free memory, letting vmbuilder "
"perform its operation in a RAMdisk will help a lot and the option <emphasis>-"
"-tmpfs</emphasis> will help you do just that:"
#: serverguide/C/virtualization.xml:986(programlisting) serverguide/C/jeos.xml:613(programlisting)
"--tmpfs OPTS Use a tmpfs as the working directory, specifying its\n"
" size or \"-\" to use tmpfs default (suid,dev,size=1G).\n"
#: serverguide/C/virtualization.xml:991(para) serverguide/C/jeos.xml:618(para)
"So adding <command>--tmpfs -</command> sounds like a very good idea if you "
"have 1G of free ram."
#: serverguide/C/virtualization.xml:998(title) serverguide/C/jeos.xml:625(title)
msgid "Package the Application"
#: serverguide/C/virtualization.xml:1000(para) serverguide/C/jeos.xml:627(para)
msgid "Two option are available to us:"
#: serverguide/C/virtualization.xml:1006(para) serverguide/C/jeos.xml:633(para)
"The recommended method to do so is to make a <emphasis>Debian</emphasis> "
"package. Since this is outside of the scope of this tutorial, we will not "
"perform this here and invite the reader to read the documentation on how to "
"do this in the <ulink url=\"https://wiki.ubuntu.com/PackagingGuide\">Ubuntu "
"Packaging Guide</ulink>. In this case it is also a good idea to setup a "
"repository for your package so that updates can be conveniently pulled from "
"it. See the <ulink url=\"http://www.debian-"
"administration.org/articles/286\">Debian Administration</ulink> article for "
"a tutorial on this."
#: serverguide/C/virtualization.xml:1015(para) serverguide/C/jeos.xml:642(para)
"Manually install the application under <filename>/opt</filename> as "
"recommended by the <ulink url=\"http://www.pathname.com/fhs/\">FHS "
"guidelines</ulink>."
#: serverguide/C/virtualization.xml:1022(para) serverguide/C/jeos.xml:649(para)
"In our case we'll use <application>Limesurvey</application> as example web "
"application for which we wish to provide a virtual appliance. As noted "
"before, we've made a version of the package available in a PPA (Personal "
#: serverguide/C/virtualization.xml:1029(title) serverguide/C/jeos.xml:656(title)
msgid "Finishing Install"
#: serverguide/C/virtualization.xml:1032(title) serverguide/C/jeos.xml:659(title)
#: serverguide/C/virtualization.xml:1034(para) serverguide/C/jeos.xml:661(para)
"As we mentioned earlier, the first time the machine boots we'll need to "
"install <application>openssh-server</application> so that the key generated "
"for it is unique for each machine. To do this, we'll write a script called "
"<filename>boot.sh</filename> as follows:"
#: serverguide/C/virtualization.xml:1040(programlisting) serverguide/C/jeos.xml:667(programlisting)
"# This script will run the first time the virtual machine boots\n"
"# It is ran as root.\n"
"apt-get install -qqy --force-yes openssh-server\n"
#: serverguide/C/virtualization.xml:1048(para) serverguide/C/jeos.xml:675(para)
"And we add the <command>--firstboot boot.sh</command> option to our command "
#: serverguide/C/virtualization.xml:1054(title) serverguide/C/jeos.xml:681(title)
#: serverguide/C/virtualization.xml:1056(para) serverguide/C/jeos.xml:683(para)
"Mysql and Limesurvey needing some user interaction during their setup, we'll "
"set them up the first time a user logs in using a script named login.sh. "
"We'll also use this script to let the user specify:"
#: serverguide/C/virtualization.xml:1062(para) serverguide/C/jeos.xml:689(para)
msgid "His own password"
#: serverguide/C/virtualization.xml:1063(para) serverguide/C/jeos.xml:690(para)
msgid "Define the keyboard and other locale info he wants to use"
#: serverguide/C/virtualization.xml:1066(para) serverguide/C/jeos.xml:693(para)
msgid "So we'll define <filename>login.sh</filename> as follows:"
#: serverguide/C/virtualization.xml:1070(programlisting) serverguide/C/jeos.xml:697(programlisting)
"# This script is ran the first time a user logs in\n"
"echo \"Your appliance is about to be finished to be set up.\"\n"
"echo \"In order to do it, we'll need to ask you a few questions,\"\n"
"echo \"starting by changing your user password.\"\n"
"#give the opportunity to change the keyboard\n"
"sudo dpkg-reconfigure console-setup\n"
"#configure the mysql server root password\n"
"sudo dpkg-reconfigure mysql-server-5.0\n"
"#install limesurvey\n"
"sudo apt-get install -qqy --force-yes limesurvey\n"
"echo \"Your appliance is now configured. To use it point your\"\n"
"echo \"browser to http://serverip/limesurvey/admin\"\n"
#: serverguide/C/virtualization.xml:1092(para) serverguide/C/jeos.xml:719(para)
"And we add the <command>--firstlogin login.sh</command> option to our "
#: serverguide/C/virtualization.xml:1099(title) serverguide/C/jeos.xml:726(title)
msgid "Useful Additions"
#: serverguide/C/virtualization.xml:1102(title) serverguide/C/jeos.xml:729(title)
msgid "Configuring Automatic Updates"
#: serverguide/C/virtualization.xml:1104(para) serverguide/C/jeos.xml:731(para)
"To have your system be configured to update itself on a regular basis, we "
"will just install <application>unattended-upgrades</application>, so we add "
"the following option to our command line:"
#: serverguide/C/virtualization.xml:1110(command) serverguide/C/jeos.xml:737(command)
msgid "--addpkg unattended-upgrades"
#: serverguide/C/virtualization.xml:1113(para) serverguide/C/jeos.xml:740(para)
"As we have put our application package in a PPA, the process will update not "
"only the system, but also the application each time we update the version in "
#: serverguide/C/virtualization.xml:1120(title) serverguide/C/jeos.xml:747(title)
msgid "ACPI Event Handling"
#: serverguide/C/virtualization.xml:1122(para) serverguide/C/jeos.xml:749(para)
"For your virtual machine to be able to handle restart and shutdown events it "
"is being sent, it is a good idea to install the acpid package as well. To do "
"this we just add the following option:"
#: serverguide/C/virtualization.xml:1128(command) serverguide/C/jeos.xml:755(command)
msgid "--addpkg acpid"
#: serverguide/C/virtualization.xml:1134(title) serverguide/C/jeos.xml:761(title)
msgid "Final Command"
#: serverguide/C/virtualization.xml:1136(para) serverguide/C/jeos.xml:763(para)
msgid "Here is what the command with all the options discussed above:"
#: serverguide/C/virtualization.xml:1141(command) serverguide/C/jeos.xml:768(command)
"sudo vmbuilder kvm ubuntu --suite intrepid --flavour virtual --arch i386 -o "
"\\ --libvirt qemu:///system --ip 192.168.0.100 --part vmbuilder.partition --"
"user user \\ --name user --pass default --addpkg apache2 --addpkg apache2-"
"mpm-prefork \\ --addpkg apache2-utils --addpkg apache2.2-common --addpkg "
"dbconfig-common \\ --addpkg libapache2-mod-php5 --addpkg mysql-client --"
"addpkg php5-cli \\ --addpkg php5-gd --addpkg php5-ldap --addpkg php5-mysql --"
"addpkg wwwconfig-common \\ --addpkg mysql-server --addpkg unattended-"
"upgrades --addpkg acpid --ppa nijaba \\ --mirror "
"http://mirroraddress:9999/ubuntu --tmpfs - --firstboot boot.sh \\ --"
"firstlogin login.sh es"
#: serverguide/C/virtualization.xml:1156(para) serverguide/C/jeos.xml:783(para)
"If you are interested in learning more, have questions or suggestions, "
"please contact the Ubuntu Server Team at:"
#: serverguide/C/virtualization.xml:1161(para) serverguide/C/jeos.xml:788(para)
msgid "IRC: #ubuntu-server on freenode"
#: serverguide/C/virtualization.xml:1166(para) serverguide/C/jeos.xml:793(para)
"Mailing list: <ulink url=\"https://lists.ubuntu.com/mailman/listinfo/ubuntu-"
"server\">ubuntu-server at lists.ubuntu.com</ulink>"
#: serverguide/C/vcs.xml:13(title)
msgid "Version Control System"
#: serverguide/C/vcs.xml:14(para)
"Version control is the art of managing changes to information. It has long "
"been a critical tool for programmers, who typically spend their time making "
"small changes to software and then undoing those changes the next day. But "
"the usefulness of version control software extends far beyond the bounds of "
"the software development world. Anywhere you can find people using computers "
"to manage information that changes often, there is room for version control."
#: serverguide/C/vcs.xml:17(title)
#: serverguide/C/vcs.xml:18(para)
"Bazaar is a new version control system sponsored by Canonical, the "
"commercial company behind Ubuntu. Unlike Subversion and CVS that only "
"support a central repository model, Bazaar also supports "
"<emphasis>distributed version control</emphasis>, giving people the ability "
"to collaborate more efficiently. In particular, Bazaar is designed to "
"maximize the level of community participation in open source projects."
#: serverguide/C/vcs.xml:29(para)
"At a terminal prompt, enter the following command to install "
"<application>bzr</application>: <screen>\n"
"<command>sudo apt-get install bzr</command>\n"
#: serverguide/C/vcs.xml:40(para)
"To introduce yourself to <application>bzr</application>, use the "
"<emphasis>whoami</emphasis> command like this: <screen>\n"
"<command>$ bzr whoami 'Joe Doe <joe.doe@gmail.com>'</command>\n"
#: serverguide/C/vcs.xml:49(title)
msgid "Learning Bazaar"
#: serverguide/C/vcs.xml:50(para)
"Bazaar comes with bundled documentation installed into "
"<application>/usr/share/doc/bzr/html</application> by default. The tutorial "
"is a good place to start. The <application>bzr</application> command also "
"comes with built-in help: <screen>\n"
"<command>$ bzr help</command>\n"
#: serverguide/C/vcs.xml:60(para)
"To learn more about the <emphasis>foo</emphasis> command: <screen>\n"
"<command>$ bzr help foo</command>\n"
#: serverguide/C/vcs.xml:68(title)
msgid "Launchpad Integration"
#: serverguide/C/vcs.xml:69(para)
"While highly useful as a stand-alone system, Bazaar has good, optional "
"integration with <ulink url=\"https://launchpad.net/\">Launchpad</ulink>, "
"the collaborative development system used by Canonical and the broader open "
"source community to manage and extend Ubuntu itself. For information on how "
"Bazaar can be used with Launchpad to collaborate on open source projects, "
"see <ulink url=\"http://bazaar-vcs.org/LaunchpadIntegration/\"> "
"http://bazaar-vcs.org/LaunchpadIntegration</ulink>."
#: serverguide/C/vcs.xml:81(title)
#: serverguide/C/vcs.xml:82(para)
"Subversion is an open source version control system. Using Subversion, you "
"can record the history of source files and documents. It manages files and "
"directories over time. A tree of files is placed into a central repository. "
"The repository is much like an ordinary file server, except that it "
"remembers every change ever made to files and directories."
#: serverguide/C/vcs.xml:87(para)
"To access Subversion repository using the HTTP protocol, you must install "
"and configure a web server. Apache2 is proven to work with Subversion. "
"Please refer to the HTTP subsection in the Apache2 section to install and "
"configure Apache2. To access the Subversion repository using the HTTPS "
"protocol, you must install and configure a digital certificate in your "
"Apache 2 web server. Please refer to the HTTPS subsection in the Apache2 "
"section to install and configure the digital certificate."
#: serverguide/C/vcs.xml:96(para)
"To install Subversion, run the following command from a terminal prompt:"
#: serverguide/C/vcs.xml:101(command)
msgid "sudo apt-get install subversion libapache2-svn"
#: serverguide/C/vcs.xml:107(title)
msgid "Server Configuration"
#: serverguide/C/vcs.xml:108(para)
"This step assumes you have installed above mentioned packages on your "
"system. This section explains how to create a Subversion repository and "
"access the project."
#: serverguide/C/vcs.xml:111(title)
msgid "Create Subversion Repository"
#: serverguide/C/vcs.xml:112(para)
"The Subversion repository can be created using the following command from a "
#: serverguide/C/vcs.xml:116(command)
msgid "svnadmin create /path/to/repos/project"
#: serverguide/C/vcs.xml:121(title)
msgid "Importing Files"
#: serverguide/C/vcs.xml:122(para)
"Once you create the repository you can <emphasis>import</emphasis> files "
"into the repository. To import a directory, enter the following from a "
"terminal prompt: <screen>\n"
"<command>svn import /path/to/import/directory "
"file:///path/to/repos/project</command>\n"
#: serverguide/C/vcs.xml:134(title) serverguide/C/vcs.xml:139(title)
msgid "Access Methods"
#: serverguide/C/vcs.xml:135(para)
"Subversion repositories can be accessed (checked out) through many different "
"methods --on local disk, or through various network protocols. A repository "
"location, however, is always a URL. The table describes how different URL "
"schemes map to the available access methods."
#: serverguide/C/vcs.xml:146(para)
#: serverguide/C/vcs.xml:147(para)
msgid "Access Method"
#: serverguide/C/vcs.xml:152(para)
#: serverguide/C/vcs.xml:153(para)
msgid "direct repository access (on local disk)"
#: serverguide/C/vcs.xml:156(para)
#: serverguide/C/vcs.xml:157(para)
msgid "Access via WebDAV protocol to Subversion-aware Apache2 web server"
#: serverguide/C/vcs.xml:160(para)
#: serverguide/C/vcs.xml:161(para)
msgid "Same as http://, but with SSL encryption"
#: serverguide/C/vcs.xml:164(para)
#: serverguide/C/vcs.xml:165(para)
msgid "Access via custom protocol to an svnserve server"
#: serverguide/C/vcs.xml:168(para)
#: serverguide/C/vcs.xml:169(para)
msgid "Same as svn://, but through an SSH tunnel"
#: serverguide/C/vcs.xml:175(para)
"In this section, we will see how to configure Subversion for all these "
"access methods. Here, we cover the basics. For more advanced usage details, "
"refer to the <ulink url=\"http://svnbook.red-bean.com/\">svn book</ulink>."
#: serverguide/C/vcs.xml:182(title)
msgid "Direct repository access (file://)"
#: serverguide/C/vcs.xml:183(para)
"This is the simplest of all access methods. It does not require any "
"Subversion server process to be running. This access method is used to "
"access Subversion from the same machine. The syntax of the command, entered "
"at a terminal prompt, is as follows:"
#: serverguide/C/vcs.xml:190(command)
msgid "svn co file:///path/to/repos/project"
#: serverguide/C/vcs.xml:193(para)
#: serverguide/C/vcs.xml:196(command)
msgid "svn co file://localhost/path/to/repos/project"
#: serverguide/C/vcs.xml:200(para)
"If you do not specify the hostname, there are three forward slashes (///) -- "
"two for the protocol (file, in this case) plus the leading slash in the "
"path. If you specify the hostname, you must use two forward slashes (//)."
#: serverguide/C/vcs.xml:202(para)
"The repository permissions depend on filesystem permissions. If the user has "
"read/write permission, he can checkout from and commit to the repository."
#: serverguide/C/vcs.xml:205(title)
msgid "Access via WebDAV protocol (http://)"
#: serverguide/C/vcs.xml:206(para)
"To access the Subversion repository via WebDAV protocol, you must configure "
"your Apache 2 web server. You must add the following snippet in your "
"<filename>/etc/apache2/apache2.conf</filename> file:"
#: serverguide/C/vcs.xml:208(programlisting)
" <Location /svn>\n"
" SVNParentPath /home/svn\n"
" AuthName \"Your repository name\"\n"
" AuthUserFile /etc/subversion/passwd\n"
" <LimitExcept GET PROPFIND OPTIONS REPORT>\n"
" Require valid-user\n"
" </LimitExcept>\n"
" </Location> "
#: serverguide/C/vcs.xml:219(para)
"The above configuration snippet assumes that Subversion repositories are "
"created under <filename>/home/svn/</filename> directory using "
"<command>svnadmin</command> command. They can be accessible using "
"<command>htpp://hostname/svn/repos_name</command> url."
#: serverguide/C/vcs.xml:225(para)
"To import or commit files to your Subversion repository over HTTP, the "
"repository should be owned by the HTTP user. In Ubuntu systems, normally the "
"HTTP user is <command>www-data</command>. To change the ownership of the "
"repository files enter the following command from terminal prompt:"
#: serverguide/C/vcs.xml:234(command)
msgid "sudo chown -R www-data:www-data /path/to/repos"
#: serverguide/C/vcs.xml:237(para)
"By changing the ownership of repository as <command>www-data</command> you "
"will not be able to import or commit files into the repository by running "
"<command>svn import file:///</command> command as any user other than "
"<command>www-data</command>."
#: serverguide/C/vcs.xml:245(para)
"Next, you must create the <filename>/etc/subversion/passwd</filename> file. "
"This file contains user authentication details. To add an entry, i.e. to add "
"a user, you can run the following command from a terminal prompt:"
#: serverguide/C/vcs.xml:250(command)
msgid "sudo htpasswd -c /etc/subversion/passwd user_name"
#: serverguide/C/vcs.xml:253(para)
"This command will prompt you to enter the password. Once you enter the "
"password, the user is added. Now, to access the repository you can run the "
"following command:"
#: serverguide/C/vcs.xml:254(command)
msgid "svn co http://servername/svn"
#: serverguide/C/vcs.xml:256(para)
"The password is transmitted as plain text. If you are worried about password "
"snooping, you are advised to use SSL encryption. For details, please refer "
#: serverguide/C/vcs.xml:262(title)
msgid "Access via WebDAV protocol with SSL encryption (https://)"
#: serverguide/C/vcs.xml:263(para)
"Accessing Subversion repository via WebDAV protocol with SSL encryption "
"(https://) is similar to http:// except that you must install and configure "
"the digital certificate in your Apache2 web server."
#: serverguide/C/vcs.xml:270(para)
"You can install a digital certificate issued by a signing authority like "
"Verisign. Alternatively, you can install your own self-signed certificate."
#: serverguide/C/vcs.xml:275(para)
"This step assumes you have installed and configured a digital certificate in "
"your Apache 2 web server. Now, to access the Subversion repository, please "
"refer to the above section! The access methods are exactly the same, except "
"the protocol. You must use https:// to access the Subversion repository."
#: serverguide/C/vcs.xml:285(title)
msgid "Access via custom protocol (svn://)"
#: serverguide/C/vcs.xml:286(para)
"Once the Subversion repository is created, you can configure the access "
"control. You can edit the <filename> "
"/path/to/repos/project/conf/svnserve.conf</filename> file to configure the "
"access control. For example, to set up authentication, you can uncomment the "
"following lines in the configuration file:"
#: serverguide/C/vcs.xml:293(programlisting)
"# password-db = passwd"
#: serverguide/C/vcs.xml:296(para)
"After uncommenting the above lines, you can maintain the user list in the "
"passwd file. So, edit the file <filename>passwd </filename> in the same "
"directory and add the new user. The syntax is as follows:"
#: serverguide/C/vcs.xml:302(programlisting)
msgid "username = password"
#: serverguide/C/vcs.xml:303(para)
msgid "For more details, please refer to the file."
#: serverguide/C/vcs.xml:307(para)
"Now, to access Subversion via the svn:// custom protocol, either from the "
"same machine or a different machine, you can run svnserver using svnserve "
"command. The syntax is as follows:"
#: serverguide/C/vcs.xml:312(programlisting)
"$ svnserve -d --foreground -r /path/to/repos\n"
"# -d -- daemon mode\n"
"# --foreground -- run in foreground (useful for debugging)\n"
"# -r -- root of directory to serve\n"
"For more usage details, please refer to:\n"
#: serverguide/C/vcs.xml:320(para)
"Once you run this command, Subversion starts listening on default port "
"(3690). To access the project repository, you must run the following command "
"from a terminal prompt:"
#: serverguide/C/vcs.xml:323(command)
msgid "svn co svn://hostname/project project --username user_name"
#: serverguide/C/vcs.xml:326(para)
"Based on server configuration, it prompts for password. Once you are "
"authenticated, it checks out the code from Subversion repository. To "
"synchronize the project repository with the local copy, you can run the "
"<command>update</command> sub-command. The syntax of the command, entered at "
"a terminal prompt, is as follows:"
#: serverguide/C/vcs.xml:334(command)
msgid "cd project_dir ; svn update"
#: serverguide/C/vcs.xml:337(para)
"For more details about using each Subversion sub-command, you can refer to "
"the manual. For example, to learn more about the co (checkout) command, "
"please run the following command from a terminal prompt:"
#: serverguide/C/vcs.xml:341(command)
#: serverguide/C/vcs.xml:345(title)
msgid "Access via custom protocol with SSL encryption (svn+ssh://)"
#: serverguide/C/vcs.xml:346(para)
"The configuration and server process is same as in the svn:// method. For "
"details, please refer to the above section. This step assumes you have "
"followed the above step and started the Subversion server using "
"<application>svnserve</application> command."
#: serverguide/C/vcs.xml:352(para)
"It is also assumed that the ssh server is running on that machine and that "
"it is allowing incoming connections. To confirm, please try to login to that "
"machine using ssh. If you can login, everything is perfect. If you cannot "
"login, please address it before continuing further."
#: serverguide/C/vcs.xml:358(para)
"The svn+ssh:// protocol is used to access the Subversion repository using "
"SSL encryption. The data transfer is encrypted using this method. To access "
"the project repository (for example with a checkout), you must use the "
"following command syntax:"
#: serverguide/C/vcs.xml:365(command)
msgid "svn co svn+ssh://hostname/var/svn/repos/project"
#: serverguide/C/vcs.xml:369(para)
"You must use the full path (/path/to/repos/project) to access the Subversion "
"repository using this access method."
#: serverguide/C/vcs.xml:372(para)
"Based on server configuration, it prompts for password. You must enter the "
"password you use to login via ssh. Once you are authenticated, it checks out "
"the code from the Subversion repository."
#: serverguide/C/vcs.xml:383(title)
#: serverguide/C/vcs.xml:384(para)
"CVS is a version control system. You can use it to record the history of "
#: serverguide/C/vcs.xml:390(para)
"At a terminal prompt, enter the following command to install "
"<application>cvs</application>: <screen>\n"
"<command>sudo apt-get install cvs</command>\n"
"</screen> After you install <application>cvs</application>, you should "
"install <application>xinetd</application> to start/stop the cvs server. At "
"the prompt, enter the following command to install "
"<application>xinetd</application>: <screen>\n"
"<command>sudo apt-get install xinetd</command>\n"
#: serverguide/C/vcs.xml:425(programlisting)
"service cvspserver\n"
" socket_type = stream\n"
" type = UNLISTED\n"
" server = /usr/bin/cvs\n"
" server_args = -f --allow-root /var/lib/cvs pserver\n"
#: serverguide/C/vcs.xml:441(para)
"Be sure to edit the repository if you have changed the default repository "
"(<application>/var/lib/cvs</application>) directory."
"Once you install cvs, the repository will be automatically initialized. By "
"default, the repository resides under the "
"<application>/var/lib/cvs</application> directory. You can change this path "
"by running following command: <screen>\n"
"<command>cvs -d /your/new/cvs/repo init</command>\n"
"</screen> Once the initial repository is set up, you can configure "
"<application>xinetd</application> to start the CVS server. You can copy the "
"following lines to the <filename> /etc/xinetd.d/cvspserver</filename> file. "
"<placeholder-1/><placeholder-2/> Once you have configured "
"<application>xinetd</application> you can start the cvs server by running "
"following command: <screen>\n"
"<command>sudo /etc/init.d/xinetd start</command>\n"
#: serverguide/C/vcs.xml:454(para)
"You can confirm that the CVS server is running by issuing the following "
#: serverguide/C/vcs.xml:461(command)
msgid "sudo netstat -tap | grep cvs"
#: serverguide/C/vcs.xml:465(para) serverguide/C/databases.xml:65(para)
"When you run this command, you should see the following line or something "
#: serverguide/C/vcs.xml:470(programlisting)
"tcp 0 0 *:cvspserver *:* LISTEN \n"
#: serverguide/C/vcs.xml:474(para)
"From here you can continue to add users, add new projects, and manage the "
#: serverguide/C/vcs.xml:479(para)
"CVS allows the user to add users independently of the underlying OS "
"installation. Probably the easiest way is to use the Linux Users for CVS, "
"although it has potential security issues. Please refer to the CVS manual "
#: serverguide/C/vcs.xml:489(title)
msgid "Add Projects"
#: serverguide/C/vcs.xml:501(para)
"You can use the CVSROOT environment variable to store the CVS root "
"directory. Once you export the CVSROOT environment variable, you can avoid "
"using -d option in the above cvs command."
#: serverguide/C/vcs.xml:513(para)
"When you add a new project, the CVS user you use must have write access to "
"the CVS repository (<application>/var/lib/cvs</application>). By default, "
"the <application>src</application> group has write access to the CVS "
"repository. So, you can add the user to this group, and he can then add and "
"manage projects in the CVS repository."
#: serverguide/C/vcs.xml:490(para)
"This section explains how to add new project to the CVS repository. Create "
"the directory and add necessary document and source files to the directory. "
"Now, run the following command to add this project to CVS repository: "
"<command>cd your/project</command>\n"
"<command>cvs -d :pserver:username@hostname.com:/var/lib/cvs import -m "
"\"Importing my project to CVS repository\" . new_project start</command>\n"
"</screen><placeholder-1/> The string <emphasis>new_project</emphasis> is a "
"vendor tag, and <emphasis>start</emphasis> is a release tag. They serve no "
"purpose in this context, but since CVS requires them, they must be present. "
#: serverguide/C/vcs.xml:526(ulink)
msgid "Bazaar Home Page"
#: serverguide/C/vcs.xml:527(ulink)
#: serverguide/C/vcs.xml:528(ulink)
msgid "Subversion Home Page"
#: serverguide/C/vcs.xml:529(ulink)
msgid "Subversion Book"
#: serverguide/C/vcs.xml:531(ulink)
#: serverguide/C/serverguide.xml:3(title) serverguide/C/bookinfo.xml:3(title)
msgid "Credits and License"
#: serverguide/C/serverguide.xml:4(para) serverguide/C/bookinfo.xml:4(para)
"This document is maintained by the Ubuntu documentation team "
"(https://wiki.ubuntu.com/DocumentationTeam). For a list of contributors, see "
"the <ulink url=\"../../libs/C/contributors.xml\">contributors page</ulink>"
#: serverguide/C/serverguide.xml:5(para) serverguide/C/bookinfo.xml:5(para)
"This document is made available under the Creative Commons ShareAlike 2.5 "
"License (CC-BY-SA)."
#: serverguide/C/serverguide.xml:6(para) serverguide/C/bookinfo.xml:6(para)
"You are free to modify, extend, and improve the Ubuntu documentation source "
"code under the terms of this license. All derivative works must be released "
"under this license."
#: serverguide/C/serverguide.xml:8(para) serverguide/C/bookinfo.xml:8(para)
"This documentation is distributed in the hope that it will be useful, but "
"WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY "
"or FITNESS FOR A PARTICULAR PURPOSE AS DESCRIBED IN THE DISCLAIMER."
#: serverguide/C/serverguide.xml:11(para) serverguide/C/bookinfo.xml:11(para)
"A copy of the license is available here: <ulink url=\"/usr/share/ubuntu-"
"docs/libs/C/ccbysa.xml\">Creative Commons ShareAlike License</ulink>."
#: serverguide/C/serverguide.xml:14(year) serverguide/C/bookinfo.xml:14(year)
#: serverguide/C/serverguide.xml:15(ulink) serverguide/C/bookinfo.xml:15(ulink)
msgid "Ubuntu Documentation Project"
#: serverguide/C/serverguide.xml:15(holder) serverguide/C/bookinfo.xml:15(holder)
msgid "Canonical Ltd. and members of the <placeholder-1/>"
#: serverguide/C/serverguide.xml:18(publishername) serverguide/C/bookinfo.xml:18(publishername)
msgid "The Ubuntu Documentation Project"
#: serverguide/C/serverguide.xml:17(para)
"Welcome to the <emphasis>Ubuntu Server Guide</emphasis>! It contains "
"information on how to install and configure various server applications on "
"your Ubuntu system to fit your needs. It is a step-by-step, task-oriented "
"guide for configuring and customizing your system."
#: serverguide/C/security.xml:13(title)
#: serverguide/C/security.xml:14(para)
"Security should always be considered when installing, deploying, and using "
"any type of computer system. Although a fresh installation of Ubuntu is "
"relatively safe for immediate use on the Internet, it is important to have a "
"balanced understanding of your systems security posture based on how it will "
"be used after deployment."
"This chapter provides an overview of security related topics as they pertain "
"to Ubuntu 8.10 Server Edition, and outlines simple measures you may use to "
"protect your server and network from any number of potential security "
#: serverguide/C/security.xml:21(title)
msgid "User Management"
#: serverguide/C/security.xml:22(para)
"User management is a critical part of maintaining a secure system. "
"Ineffective user and privilege management often lead many systems into being "
"compromised. Therefore, it is important that you understand how you can "
"protect your server through simple and effective user account management "
#: serverguide/C/security.xml:26(title)
msgid "Where is root?"
#: serverguide/C/security.xml:27(para)
"Ubuntu developers made a conscientious decision to disable the "
"administrative root account by default in all Ubuntu installations. This "
"does not mean that the root account has been deleted or that it may not be "
"accessed. It merely has been given a password which matches no possible "
"encrypted value, therefore may not log in directly by itself."
#: serverguide/C/security.xml:30(para)
"Instead, users are encouraged to make use of a tool by the name of "
"<application>sudo</application> to carry out system administrative duties. "
"<application>Sudo</application> allows an authorized user to temporarily "
"elevate their privileges using their own password instead of having to know "
"the password belonging to the root account. This simple yet effective "
"methodology provides accountability for all user actions, and gives the "
"administrator granular control over which actions a user can perform with "
#: serverguide/C/security.xml:35(para)
"If for some reason you wish to enable the root account, simply give it a "
#: serverguide/C/security.xml:39(command)
#: serverguide/C/security.xml:41(para)
"Sudo will prompt you for your password, and then ask you to supply a new "
"password for root as shown below:"
#: serverguide/C/security.xml:44(userinput)
msgid "(enter your own password)"
#: serverguide/C/security.xml:45(userinput)
msgid "(enter a new password for root)"
#: serverguide/C/security.xml:46(userinput)
msgid "(repeat new password for root)"
#: serverguide/C/security.xml:44(computeroutput)
"[sudo] password for username: <placeholder-1/>\n"
"Enter new UNIX password: <placeholder-2/>\n"
"Retype new UNIX password: <placeholder-3/>\n"
"passwd: password updated successfully"
#: serverguide/C/security.xml:51(para)
msgid "To disable the root account, use the following passwd syntax:"
#: serverguide/C/security.xml:55(command)
msgid "sudo passwd -l root"
#: serverguide/C/security.xml:59(para)
"You should read more on <application>Sudo</application> by checking out it's "
#: serverguide/C/security.xml:63(command)
#: serverguide/C/security.xml:67(para)
"By default, the initial user created by the Ubuntu installer is a member of "
"the group \"admin\" which is added to the file "
"<filename>/etc/sudoers</filename> as an authorized sudo user. If you wish to "
"give any other account full root access through "
"<application>sudo</application>, simply add them to the admin group."
#: serverguide/C/security.xml:73(title)
msgid "Adding and Deleting Users"
#: serverguide/C/security.xml:74(para)
"The process for managing local users and groups is straight forward and "
"differs very little from most other GNU/Linux operating systems. Ubuntu and "
"other Debian based distributions, encourage the use of the \"adduser\" "
"package for account management."
#: serverguide/C/security.xml:79(para)
"To add a user account, use the following syntax, and follow the prompts to "
"give the account a password and identifiable characteristics such as a full "
"name, phone number, etc."
#: serverguide/C/security.xml:83(command)
msgid "sudo adduser username"
#: serverguide/C/security.xml:87(para)
"To delete a user account and its primary group, use the following syntax:"
#: serverguide/C/security.xml:91(command)
msgid "sudo deluser username"
#: serverguide/C/security.xml:93(para)
"Deleting an account does not remove their respective home folder. It is up "
"to you whether or not you wish to delete the folder manually or keep it "
"according to your desired retention policies."
#: serverguide/C/security.xml:96(para)
"Remember, any user added later on with the same UID/GID as the previous "
"owner will now have access to this folder if you have not taken the "
"necessary precautions."
#: serverguide/C/security.xml:99(para)
"You may want to change these UID/GID values to something more appropriate, "
"such as the root account, and perhaps even relocate the folder to avoid "
#: serverguide/C/security.xml:103(command)
msgid "sudo chown -R root:root /home/username/"
#: serverguide/C/security.xml:104(command)
msgid "sudo mkdir /home/archived_users/"
#: serverguide/C/security.xml:105(command)
msgid "sudo mv /home/username /home/archived_users/"
#: serverguide/C/security.xml:109(para)
"To temporarily lock or unlock a user account, use the following syntax, "
#: serverguide/C/security.xml:113(command)
msgid "sudo passwd -l username"
#: serverguide/C/security.xml:114(command)
msgid "sudo passwd -u username"
#: serverguide/C/security.xml:118(para)
"To add or delete a personalized group, use the following syntax, "
#: serverguide/C/security.xml:122(command)
msgid "sudo addgroup groupname"
#: serverguide/C/security.xml:123(command)
msgid "sudo delgroup groupname"
#: serverguide/C/security.xml:127(para)
msgid "To add a user to a group, use the following syntax:"
#: serverguide/C/security.xml:131(command)
msgid "sudo adduser username groupname"
#: serverguide/C/security.xml:138(title)
msgid "User Profile Security"
#: serverguide/C/security.xml:139(para)
"When a new user is created, the adduser utility creates a brand new home "
"directory named <filename class=\"directory\">/home/username</filename>, "
"respectively. The default profile is modeled after the contents found in the "
"directory of <filename class=\"directory\">/etc/skel</filename>, which "
"includes all profile basics."
#: serverguide/C/security.xml:142(para)
"If your server will be home to multiple users, you should pay close "
"attention to the user home directory permissions to ensure confidentiality. "
"By default, user home directories in Ubuntu are created with world "
"read/execute permissions. This means that all users can browse and access "
"the contents of other users home directories. This may not be suitable for "
#: serverguide/C/security.xml:147(para)
"To verify your current users home directory permissions, use the following "
#: serverguide/C/security.xml:151(command) serverguide/C/security.xml:183(command)
msgid "ls -ld /home/username"
#: serverguide/C/security.xml:153(para)
"The following output shows that the directory <filename "
"class=\"directory\">/home/username</filename> has world readable permissions:"
#: serverguide/C/security.xml:156(computeroutput)
msgid "drwxr-xr-x 2 username username 4096 2007-10-02 20:03 username"
#: serverguide/C/security.xml:160(para)
"You can remove the world readable permissions using the following syntax:"
#: serverguide/C/security.xml:164(command)
msgid "sudo chmod 0750 /home/username"
#: serverguide/C/security.xml:167(para)
"Some people tend to use the recursive option (-R) indiscriminately which "
"modifies all child folders and files, but this is not necessary, and may "
"yield other undesirable results. The parent directory alone is sufficient "
"for preventing unauthorized access to anything below the parent."
#: serverguide/C/security.xml:171(para)
"A much more efficient approach to the matter would be to modify the "
"<application>adduser</application> global default permissions when creating "
"user home folders. Simply edit the file "
"<filename>/etc/adduser.conf</filename> and modify the "
"<varname>DIR_MODE</varname> variable to something appropriate, so that all "
"new home directories will receive the correct permissions."
#: serverguide/C/security.xml:174(programlisting)
#: serverguide/C/security.xml:179(para)
"After correcting the directory permissions using any of the previously "
"mentioned techniques, verify the results using the following syntax:"
#: serverguide/C/security.xml:185(para)
"The results below show that world readable permissions have been removed:"
#: serverguide/C/security.xml:188(computeroutput)
msgid "drwxr-x--- 2 username username 4096 2007-10-02 20:03 username"
#: serverguide/C/security.xml:195(title)
msgid "Password Policy"
#: serverguide/C/security.xml:196(para)
"A strong password policy is one of the most important aspects of your "
"security posture. Many successful security breaches involve simple brute "
"force and dictionary attacks against weak passwords. If you intend to offer "
"any form of remote access involving your local password system, make sure "
"you adequately address minimum password complexity requirements, maximum "
"password lifetimes, and frequent audits of your authentication systems."
#: serverguide/C/security.xml:200(title)
msgid "Minimum Password Length"
#: serverguide/C/security.xml:201(para)
"By default, Ubuntu requires a minimum password length of 4 characters, as "
"well as some basic entropy checks. These values are controlled in the file "
"<filename>/etc/pam.d/common-password</filename>, which is outlined below."
#: serverguide/C/security.xml:204(programlisting)
"password required pam_unix.so nullok obscure min=4 max=8 md5\n"
#: serverguide/C/security.xml:207(para)
"If you would like to adjust the minimum length to 6 characters, change the "
"appropriate variable to min=6. The modification is outlined below."
#: serverguide/C/security.xml:210(programlisting)
"password required pam_unix.so nullok obscure min=6 max=8 md5\n"
#: serverguide/C/security.xml:214(para)
"The <varname>max=8</varname> variable does not represent the maximum length "
"of a password. It only means that complexity requirements will not be "
"checked on passwords over 8 characters. You may want to look at the "
"<application>libpam-cracklib</application> package for additional password "
"entropy assistance."
#: serverguide/C/security.xml:220(title)
msgid "Password Expiration"
#: serverguide/C/security.xml:221(para)
"When creating user accounts, you should make it a policy to have a minimum "
"and maximum password age forcing users to change their passwords when they "
#: serverguide/C/security.xml:226(para)
"To easily view the current status of a user account, use the following "
#: serverguide/C/security.xml:230(command) serverguide/C/security.xml:263(command)
msgid "sudo chage -l username"
#: serverguide/C/security.xml:232(para)
"The output below shows interesting facts about the user account, namely that "
"there are no policies applied:"
#: serverguide/C/security.xml:235(computeroutput)
"Last password change : Jan 20, 2008\n"
"Password expires : never\n"
"Password inactive : never\n"
"Account expires : never\n"
"Minimum number of days between password change : 0\n"
"Maximum number of days between password change : 99999\n"
"Number of days of warning before password expires : 7"
#: serverguide/C/security.xml:245(para)
"To set any of these values, simply use the following syntax, and follow the "
"interactive prompts:"
#: serverguide/C/security.xml:249(command)
msgid "sudo chage username"
#: serverguide/C/security.xml:251(para)
"The following is also an example of how you can manually change the explicit "
"expiration date (-E) to 01/31/2008, minimum password age (-m) of 5 days, "
"maximum password age (-M) of 90 days, inactivity period (-I) of 5 days after "
"password expiration, and a warning time period (-W) of 14 days before "
"password expiration."
#: serverguide/C/security.xml:255(command)
msgid "sudo chage -E 01/31/2008 -m 5 -M 90 -I 30 -W 14 username"
#: serverguide/C/security.xml:259(para)
msgid "To verify changes, use the same syntax as mentioned previously:"
#: serverguide/C/security.xml:265(para)
"The output below shows the new policies that have been established for the "
#: serverguide/C/security.xml:268(computeroutput)
"Last password change : Jan 20, 2008\n"
"Password expires : Apr 19, 2008\n"
"Password inactive : May 19, 2008\n"
"Account expires : Jan 31, 2008\n"
"Minimum number of days between password change : 5\n"
"Maximum number of days between password change : 90\n"
"Number of days of warning before password expires : 14"
#: serverguide/C/security.xml:284(title)
msgid "Other Security Considerations"
#: serverguide/C/security.xml:285(para)
"Many applications use alternate authentication mechanisms that can be easily "
"overlooked by even experienced system administrators. Therefore, it is "
"important to understand and control how users authenticate and gain access "
"to services and applications on your server."
#: serverguide/C/security.xml:290(title)
msgid "SSH Access by Disabled Users"
#: serverguide/C/security.xml:291(para)
"Simply disabling/locking a user account will not prevent a user from logging "
"into your server remotely if they have previously set up RSA public key "
"authentication. They will still be able to gain shell access to the server, "
"without the need for any password. Remember to check the users home "
"directory for files that will allow for this type of authenticated SSH "
"access. e.g. <filename>/home/username/.ssh/authorized_keys</filename>."
#: serverguide/C/security.xml:294(para)
"Remove or rename the directory <filename "
"class=\"directory\">.ssh/</filename> in the user's home folder to prevent "
"further SSH authentication capabilities."
#: serverguide/C/security.xml:297(para)
"Be sure to check for any established SSH connections by the disabled user, "
"as it is possible they may have existing inbound or outbound connections. "
"Kill any that are found."
#: serverguide/C/security.xml:300(para)
"Restrict SSH access to only user accounts that should have it. For example, "
"you may create a group called \"sshlogin\" and add the group name as the "
"value associated with the <varname>AllowGroups</varname> variable located in "
"the file <filename>/etc/ssh/sshd_config</filename>."
#: serverguide/C/security.xml:303(programlisting)
"AllowGroups sshlogin\n"
#: serverguide/C/security.xml:306(para)
"Then add your permitted SSH users to the group \"sshlogin\", and restart the "
#: serverguide/C/security.xml:310(command)
msgid "sudo adduser username sshlogin"
#: serverguide/C/security.xml:311(command) serverguide/C/remote-administration.xml:150(command)
msgid "sudo /etc/init.d/ssh restart"
#: serverguide/C/security.xml:315(title)
msgid "External User Database Authentication"
#: serverguide/C/security.xml:316(para)
"Most enterprise networks require centralized authentication and access "
"controls for all system resources. If you have configured your server to "
"authenticate users against external databases, be sure to disable the user "
"accounts both externally and locally, this way you ensure that local "
"fallback authentication is not possible."
#: serverguide/C/security.xml:325(title)
msgid "Console Security"
#: serverguide/C/security.xml:326(para)
"As with any other security barrier you put in place to protect your server, "
"it is pretty tough to defend against untold damage caused by someone with "
"physical access to your environment, for example, theft of hard drives, "
"power or service disruption and so on. Therefore, console security should be "
"addressed merely as one component of your overall physical security "
"strategy. A locked \"screen door\" may deter a casual criminal, or at the "
"very least slow down a determined one, so it is still advisable to perform "
"basic precautions with regard to console security."
#: serverguide/C/security.xml:329(para)
"The following instructions will help defend your server against issues that "
"could otherwise yield very serious consequences."
#: serverguide/C/security.xml:334(title)
msgid "Disable Ctrl+Alt+Delete"
#: serverguide/C/security.xml:335(para)
"First and foremost, anyone that has physical access to the keyboard can "
"<keycombo><keycap>Ctrl</keycap><keycap>Alt</keycap><keycap>Delete</keycap></k"
"eycombo> key combination to reboot the server without having to log on. "
"Sure, someone could simply unplug the power source, but you should still "
"prevent the use of this key combination on a production server. This forces "
"an attacker to take more drastic measures to reboot the server, and will "
"prevent accidental reboots at the same time."
#: serverguide/C/security.xml:340(para)
"To disable the reboot action taken by pressing the "
"<keycombo><keycap>Ctrl</keycap><keycap>Alt</keycap><keycap>Delete</keycap></k"
"eycombo> key combination, comment out the following line in the file "
"<filename>/etc/event.d/control-alt-delete</filename>."
#: serverguide/C/security.xml:343(programlisting)
"#exec /sbin/shutdown -r now \"Control-Alt-Delete pressed\"\n"
#: serverguide/C/security.xml:350(title)
msgid "GRUB Password Security"
#: serverguide/C/security.xml:351(para)
"Ubuntu installs GNU GRUB as its default boot loader, which allows for great "
"flexibility and recovery options. For example, when you install additional "
"kernel images, these are automatically added as available boot options in "
"the <application>grub</application> menu. Also, by default, alternate boot "
"options are available for each kernel entry that may be used for system "
"recovery, aptly labeled (recovery mode). Recovery mode simply boots the "
"corresponding kernel image into single user mode (init 1), which lands the "
"administrator at a root prompt without the need for any password."
#: serverguide/C/security.xml:354(para)
"Therefore, it is important to control who may edit the "
"<application>grub</application> menu items which, would otherwise allow for "
"someone to perform the following dangerous actions:"
#: serverguide/C/security.xml:359(para)
msgid "Pass kernel options at boot up."
#: serverguide/C/security.xml:364(para)
msgid "Boot the server into single user mode."
#: serverguide/C/security.xml:369(para)
"You can prevent these actions by adding a password to GRUB's configuration "
"file of <filename>/boot/grub/menu.lst</filename>, which will be required to "
"unlock GRUB's more advanced features prior to use."
#: serverguide/C/security.xml:374(para)
"To add a password for use with <application>grub</application>, first you "
"must generate an md5 password hash using the <application>grub-md5-"
"crypt</application> utility:"
#: serverguide/C/security.xml:378(command)
msgid "grub-md5-crypt"
#: serverguide/C/security.xml:380(para)
"The command will ask you to enter a password and offer a resulting hash "
"value as shown below:"
#: serverguide/C/security.xml:383(userinput)
msgid "(enter new password)"
#: serverguide/C/security.xml:384(userinput)
msgid "(repeat password)"
#: serverguide/C/security.xml:383(computeroutput)
"Password: <placeholder-1/>\n"
"Retype password: <placeholder-2/>\n"
"$1$s3YiK$M3lxAbqA6JLm2FbDWnClQ0"
#: serverguide/C/security.xml:389(para)
"Add the resulting hash value to the file "
"<filename>/boot/grub/menu.lst</filename> in the following format:"
#: serverguide/C/security.xml:392(programlisting)
msgid "password --md5 $1$s3YiK$M3lxAbqA6JLm2FbDWnClQ0"
#: serverguide/C/security.xml:395(para)
"To require use of the password for entering single user mode, change the "
"value of the <varname>lockalternative</varname> variable in the file "
"<filename>/boot/grub/menu.lst</filename> to <varname>true</varname>, as "
"shown in the following example."
#: serverguide/C/security.xml:398(programlisting)
msgid "# lockalternative=true"
#: serverguide/C/security.xml:402(para)
"This does not prevent someone from booting the server from alternate media. "
"A determined attacker would simply boot into an alternate environment, "
"overwrite your master boot record, mount or copy your physical volumes, "
"destroy your data, or anything else they can imagine. Please explore other "
"countermeasures that may help you with these types of attacks."
#: serverguide/C/security.xml:410(title)
#: serverguide/C/security.xml:413(para)
"The Linux kernel includes the <emphasis>Netfilter</emphasis> subsystem, "
"which is used to manipulate or decide the fate of network traffic headed "
"into or through your server. All modern Linux firewall solutions use this "
"system for packet filtering."
#: serverguide/C/security.xml:418(para)
"The kernel's packet filtering system would be of little use to "
"administrators without a userspace interface to manage it. This is the "
"purpose of iptables. When a packet reaches your server, it will be handed "
"off to the Netfilter subsystem for acceptance, manipulation, or rejection "
"based on the rules supplied to it from userspace via iptables. Thus, "
"iptables is all you need to manage your firewall if you're familiar with it, "
"but many frontends are available to simplify the task."
#: serverguide/C/security.xml:428(title)
msgid "ufw - Uncomplicated Firewall"
#: serverguide/C/security.xml:429(para)
"The default firewall configuration tool for Ubuntu is "
"<application>ufw</application>. Developed to ease iptables firewall "
"configuration, <application>ufw</application> provides a user friendly way "
"to create an IPv4 or IPv6 host-based firewall."
#: serverguide/C/security.xml:433(para)
"<application>ufw</application> by default is initially disabled. From the "
"<application>ufw</application> man page:"
#: serverguide/C/security.xml:437(quote)
"ufw is not intended to provide complete firewall functionality via its "
"command interface, but instead provides an easy way to add or remove simple "
"rules. It is currently mainly used for host-based firewalls."
#: serverguide/C/security.xml:441(para)
"The following are some examples of how to use <application>ufw</application>:"
#: serverguide/C/security.xml:446(para)
"First, <application>ufw</application> needs to be enabled. From a terminal "
#: serverguide/C/security.xml:450(command)
msgid "sudo ufw enable"
#: serverguide/C/security.xml:454(para)
msgid "To open a port (ssh in this example):"
#: serverguide/C/security.xml:458(command)
msgid "sudo ufw allow 22"
#: serverguide/C/security.xml:462(para)
msgid "Similarly, to close an opened port:"
#: serverguide/C/security.xml:466(command)
msgid "sudo ufw deny 22"
#: serverguide/C/security.xml:470(para)
msgid "To remove a rule, use delete followed by the rule:"
#: serverguide/C/security.xml:474(command)
msgid "sudo ufw delete deny 22"
#: serverguide/C/security.xml:478(para)
"It is also possible to allow access from specific hosts or networks to a "
"port. The following example allows ssh access from host 192.168.0.2 to any "
"ip address on this host:"
#: serverguide/C/security.xml:483(command)
msgid "sudo ufw allow proto tcp from 192.168.0.2 to any port 22"
#: serverguide/C/security.xml:485(para)
"Replace 192.168.0.2 with 192.168.0.0/24 to allow ssh access from the entire "
#: serverguide/C/security.xml:491(para)
"Adding the <emphasis>--dry-run</emphasis> option to a "
"<emphasis>ufw</emphasis> command will output the resulting rules, but not "
"apply them. For example, the following is what would be applied if opening "
#: serverguide/C/security.xml:497(command)
msgid "sudo ufw --dry-run allow http"
#: serverguide/C/security.xml:501(computeroutput)
":ufw-user-input - [0:0]\n"
":ufw-user-output - [0:0]\n"
":ufw-user-forward - [0:0]\n"
":ufw-user-limit - [0:0]\n"
":ufw-user-limit-accept - [0:0]\n"
"### tuple ### allow tcp 80 0.0.0.0/0 any 0.0.0.0/0\n"
"-A ufw-user-input -p tcp --dport 80 -j ACCEPT\n"
"### END RULES ###\n"
"-A ufw-user-input -j RETURN\n"
"-A ufw-user-output -j RETURN\n"
"-A ufw-user-forward -j RETURN\n"
"-A ufw-user-limit -m limit --limit 3/minute -j LOG --log-prefix \"[UFW "
"-A ufw-user-limit -j REJECT\n"
"-A ufw-user-limit-accept -j ACCEPT\n"
#: serverguide/C/security.xml:525(para)
msgid "<application>ufw</application> can be disabled by:"
#: serverguide/C/security.xml:529(command)
msgid "sudo ufw disable"
#: serverguide/C/security.xml:533(para)
msgid "To see the firewall status, enter:"
#: serverguide/C/security.xml:537(command)
msgid "sudo ufw status"
#: serverguide/C/security.xml:541(para)
msgid "And for more verbose status information use:"
#: serverguide/C/security.xml:545(command)
msgid "sudo ufw status verbose"
#: serverguide/C/security.xml:550(para)
"If the port you want to open or close is defined in "
"<filename>/etc/services</filename>, you can use the port name instead of the "
"number. In the above examples, replace <emphasis>22</emphasis> with "
"<emphasis>ssh</emphasis>."
#: serverguide/C/security.xml:556(para)
"This is a quick introduction to using <application>ufw</application>. Please "
"refer to the <application>ufw</application> man page for more information."
#: serverguide/C/security.xml:562(title)
msgid "ufw Application Integration"
#: serverguide/C/security.xml:564(para)
"Applications that open ports can include an <application>ufw</application> "
"profile, which details the ports needed for the application to function "
"properly. The profiles are kept in <filename "
"role=\"directory\">/etc/ufw/applications.d</filename>, and can be edited if "
"the default ports have been changed."
#: serverguide/C/security.xml:573(para)
"To view which applications have installed a profile, enter the following in "
#: serverguide/C/security.xml:578(command)
msgid "sudo ufw app list"
#: serverguide/C/security.xml:584(para)
"Similar to allowing traffic to a port, using an application profile is "
"accomplished by entering:"
#: serverguide/C/security.xml:589(command)
msgid "sudo ufw allow Samba"
#: serverguide/C/security.xml:595(para)
msgid "An extended syntax is available as well:"
#: serverguide/C/security.xml:600(command)
msgid "ufw allow from 192.168.0.0/24 to any app Samba"
#: serverguide/C/security.xml:603(para)
"Replace <emphasis>Samba</emphasis> and <emphasis>192.168.0.0/24</emphasis> "
"with the application profile you are using and the IP range for your network."
#: serverguide/C/security.xml:609(para)
"There is no need to specify the <emphasis>protocol</emphasis> for the "
"application, because that information is detailed in the profile. Also, note "
"that the <emphasis>app</emphasis> name replaces the "
"<emphasis>port</emphasis> number."
#: serverguide/C/security.xml:618(para)
"To view details about which ports, protocols, etc are defined for an "
"application, enter:"
msgid "sudo ufw info Samba"
#: serverguide/C/security.xml:629(para)
"Not all applications that require opening a network port come with "
"<application>ufw</application> profiles, but if you have profiled an "
"application and want the file to be included with the package, please file a "
"bug against the package in <ulink "
"url=\"https://launchpad.net/\">Launchpad</ulink>."
#: serverguide/C/security.xml:638(title)
msgid "IP Masquerading"
#: serverguide/C/security.xml:639(para)
"The purpose of IP Masquerading is to allow machines with private, non-"
"routable IP addresses on your network to access the Internet through the "
"machine doing the masquerading. Traffic from your private network destined "
"for the Internet must be manipulated for replies to be routable back to the "
"machine that made the request. To do this, the kernel must modify the "
"<emphasis>source</emphasis> IP address of each packet so that replies will "
"be routed back to it, rather than to the private IP address that made the "
"request, which is impossible over the Internet. Linux uses "
"<emphasis>Connection Tracking</emphasis> (conntrack) to keep track of which "
"connections belong to which machines and reroute each return packet "
"accordingly. Traffic leaving your private network is thus \"masqueraded\" as "
"having originated from your Ubuntu gateway machine. This process is referred "
"to in Microsoft documentation as Internet Connection Sharing."
#: serverguide/C/security.xml:655(title)
msgid "ufw Masquerading"
#: serverguide/C/security.xml:656(para)
"IP Masquerading can be achieved using custom <application>ufw</application> "
"rules. This is possible because the current back-end for "
"<application>ufw</application> is <application>iptables-"
"restore</application> with the rules files located in "
"<filename>/etc/ufw/*.rules</filename>. These files are a great place to add "
"legacy iptables rules used without <application>ufw</application>, and rules "
"that are more network gateway or bridge related."
#: serverguide/C/security.xml:662(para)
"The rules are split into two different files, rules that should be executed "
"before <application>ufw</application> command line rules, and rules that are "
"executed after <application>ufw</application> command line rules."
#: serverguide/C/security.xml:668(para)
"First, packet forwarding needs to be enabled in "
"<application>ufw</application>. Two configuration files will need to be "
"adjusted, in <filename>/etc/default/ufw</filename> change the "
"<emphasis>DEFAULT_FORWARD_POLICY</emphasis> to <quote>ACCEPT</quote>:"
#: serverguide/C/security.xml:672(programlisting)
"DEFAULT_FORWARD_POLICY=\"ACCEPT\"\n"
#: serverguide/C/security.xml:675(para)
msgid "Then edit <filename>/etc/ufw/sysctl.conf</filename> and uncomment:"
#: serverguide/C/security.xml:678(programlisting) serverguide/C/security.xml:756(programlisting)
"net.ipv4.ip_forward=1\n"
#: serverguide/C/security.xml:681(para)
msgid "Similarly, for IPv6 forwarding uncomment:"
#: serverguide/C/security.xml:684(programlisting) serverguide/C/security.xml:762(programlisting)
"net.ipv6.conf.default.forwarding=1\n"
#: serverguide/C/security.xml:689(para)
"Now we will add rules to the <filename>/etc/ufw/before.rules</filename> "
"file. The default rules only configure the <emphasis>filter</emphasis> "
"table, and to enable masquerading the <emphasis>nat</emphasis> table will "
"need to be configured. Add the following to the top of the file just after "
"the header comments:"
#: serverguide/C/security.xml:694(programlisting)
"# nat Table rules\n"
":POSTROUTING ACCEPT [0:0]\n"
"# Forward traffic from eth1 through eth0.\n"
"-A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE\n"
"# don't delete the 'COMMIT' line or these nat table rules won't be "
#: serverguide/C/security.xml:705(para)
"The comments are not strictly necessary, but it is considered good practice "
"to document your configuration. Also, when modifying any of the "
"<emphasis>rules</emphasis> files in <filename "
"class=\"directory\">/etc/ufw</filename>, make sure these lines are the last "
"line for each table modified:"
#: serverguide/C/security.xml:711(programlisting)
"# don't delete the 'COMMIT' line or these rules won't be processed\n"
#: serverguide/C/security.xml:716(para)
"For each <emphasis>Table</emphasis> a corresponding "
"<emphasis>COMMIT</emphasis> statement is required. In these examples only "
"the <emphasis>nat</emphasis> and <emphasis>filter</emphasis> tables are "
"shown, but you can also add rules for the <emphasis>raw</emphasis> and "
"<emphasis>mangle</emphasis> tables."
#: serverguide/C/security.xml:723(para)
"In the above example replace <emphasis>eth0</emphasis>, "
"<emphasis>eth1</emphasis>, and <emphasis>192.168.0.0/24</emphasis> with the "
"appropriate interfaces and IP range for your network."
#: serverguide/C/security.xml:731(para)
"Finally, disable and re-enable <application>ufw</application> to apply the "
#: serverguide/C/security.xml:735(command)
msgid "sudo ufw disable && sudo ufw enable"
#: serverguide/C/security.xml:739(para)
"IP Masquerading should now be enabled. You can also add any additional "
"FORWARD rules to the <filename>/etc/ufw/before.rules</filename>. It is "
"recommended that these additional rules be added to the <emphasis>ufw-before-"
"forward</emphasis> chain."
#: serverguide/C/security.xml:746(title)
msgid "iptables Masquerading"
#: serverguide/C/security.xml:747(para)
"<application>iptables</application> can also be used to enable masquerading."
#: serverguide/C/security.xml:752(para)
"Similar to <application>ufw</application>, the first step is to enable IPv4 "
"packet forwarding by editing <filename>/etc/sysctl.conf</filename> and "
"uncomment the following line"
#: serverguide/C/security.xml:759(para)
msgid "If you wish to enable IPv6 forwarding also uncomment:"
#: serverguide/C/security.xml:767(para)
"Next, execute the <application>sysctl</application> command to enable the "
"new settings in the configuration file:"
#: serverguide/C/security.xml:771(command)
msgid "sudo sysctl -p"
#: serverguide/C/security.xml:775(para)
"IP Masquerading can now be accomplished with a single iptables rule, which "
"may differ slightly based on your network configuration:"
#: serverguide/C/security.xml:778(screen)
"sudo iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -o ppp0 -j MASQUERADE\n"
#: serverguide/C/security.xml:781(para)
"The above command assumes that your private address space is 192.168.0.0/16 "
"and that your Internet-facing device is ppp0. The syntax is broken down as "
#: serverguide/C/security.xml:786(para)
msgid "-t nat -- the rule is to go into the nat table"
#: serverguide/C/security.xml:787(para)
"-A POSTROUTING -- the rule is to be appended (-A) to the POSTROUTING chain"
#: serverguide/C/security.xml:788(para)
"-s 192.168.0.0/16 -- the rule applies to traffic originating from the "
"specified address space"
#: serverguide/C/security.xml:789(para)
"-o ppp0 -- the rule applies to traffic scheduled to be routed through the "
"specified network device"
#: serverguide/C/security.xml:791(para)
"-j MASQUERADE -- traffic matching this rule is to \"jump\" (-j) to the "
"MASQUERADE target to be manipulated as described above"
#: serverguide/C/security.xml:799(para)
"Also, each chain in the filter table (the default table, and where most or "
"all packet filtering occurs) has a default <emphasis>policy</emphasis> of "
"ACCEPT, but if you are creating a firewall in addition to a gateway device, "
"you may have set the policies to DROP or REJECT, in which case your "
"masqueraded traffic needs to be allowed through the FORWARD chain for the "
"above rule to work:"
#: serverguide/C/security.xml:806(screen)
"sudo iptables -A FORWARD -s 192.168.0.0/16 -o ppp0 -j ACCEPT\n"
"sudo iptables -A FORWARD -d 192.168.0.0/16 -m state --state "
"ESTABLISHED,RELATED -i ppp0 -j ACCEPT\n"
#: serverguide/C/security.xml:810(para)
"The above commands will allow all connections from your local network to the "
"Internet and all traffic related to those connections to return to the "
"machine that initiated them."
#: serverguide/C/security.xml:817(para)
"If you want masquerading to be enabled on reboot, which you probably do, "
"edit <filename>/etc/rc.local</filename> and add any commands used above. For "
"example add the first command with no filtering:"
#: serverguide/C/security.xml:821(screen)
"iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -o ppp0 -j MASQUERADE\n"
#: serverguide/C/security.xml:829(title)
#: serverguide/C/security.xml:830(para)
"Firewall logs are essential for recognizing attacks, troubleshooting your "
"firewall rules, and noticing unusual activity on your network. You must "
"include logging rules in your firewall for them to be generated, though, and "
"logging rules must come before any applicable terminating rule (a rule with "
"a target that decides the fate of the packet, such as ACCEPT, DROP, or "
#: serverguide/C/security.xml:837(para)
"If you are using <application>ufw</application>, you can turn on logging by "
"entering the following in a terminal:"
#: serverguide/C/security.xml:841(command)
msgid "sudo ufw logging on"
#: serverguide/C/security.xml:843(para)
"To turn logging off in <application>ufw</application>, simply replace "
"<emphasis role=\"italic\">on</emphasis> with <emphasis "
"role=\"italic\">off</emphasis> in the above command."
#: serverguide/C/security.xml:846(para)
"If using <application>iptables</application> instead of "
"<application>ufw</application>, enter:"
#: serverguide/C/security.xml:849(screen)
"sudo iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j LOG --log-"
"prefix \"NEW_HTTP_CONN: \"\n"
#: serverguide/C/security.xml:852(para)
"A request on port 80 from the local machine, then, would generate a log in "
"dmesg that looks like this:"
#: serverguide/C/security.xml:857(programlisting)
"[4304885.870000] NEW_HTTP_CONN: IN=lo OUT= "
"MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 "
"LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=58288 DF PROTO=TCP SPT=53981 DPT=80 "
"WINDOW=32767 RES=0x00 SYN URGP=0"
#: serverguide/C/security.xml:859(para)
"The above log will also appear in <filename>/var/log/messages</filename>, "
"<filename>/var/log/syslog</filename>, and "
"<filename>/var/log/kern.log</filename>. This behavior can be modified by "
"editing <filename>/etc/syslog.conf</filename> appropriately or by installing "
"and configuring <application>ulogd</application> and using the ULOG target "
"instead of LOG. The <application>ulogd</application> daemon is a userspace "
"server that listens for logging instructions from the kernel specifically "
"for firewalls, and can log to any file you like, or even to a "
"<application>PostgreSQL</application> or <application>MySQL</application> "
"database. Making sense of your firewall logs can be simplified by using a "
"log analyzing tool such as <application>fwanalog</application>, "
"<application> fwlogwatch</application>, or <application>lire</application>."
#: serverguide/C/security.xml:874(title)
#: serverguide/C/security.xml:875(para)
"There are many tools available to help you construct a complete firewall "
"without intimate knowledge of iptables. For the GUI-inclined:"
#: serverguide/C/security.xml:881(para)
"<ulink url=\"http://www.fs-security.com/\">Firestarter</ulink> is quite "
"popular and easy to use."
#: serverguide/C/security.xml:886(para)
"<ulink url=\"http://www.fwbuilder.org/\">fwbuilder</ulink> is very powerful "
"and will look familiar to an administrator who has used a commercial "
"firewall utility such as <application>Checkpoint FireWall-1</application>."
#: serverguide/C/security.xml:892(para)
"If you prefer a command-line tool with plain-text configuration files:"
#: serverguide/C/security.xml:897(para)
"<ulink url=\"http://www.shorewall.net/\">Shorewall</ulink> is a very "
"powerful solution to help you configure an advanced firewall for any network."
#: serverguide/C/security.xml:903(para)
"<ulink url=\"http://www.linuxkungfu.org/\">ipkungfu</ulink> should give you "
"a working firewall \"out of the box\" with zero configuration, and will "
"allow you to easily set up a more advanced firewall by editing simple, well-"
"documented configuration files."
#: serverguide/C/security.xml:910(para)
"<ulink url=\"http://fireflier.sourceforge.net/\">fireflier</ulink> is "
"designed to be a desktop firewall application. It is made up of a server "
"(fireflier-server) and your choice of GUI clients (GTK or QT), and behaves "
"like many popular interactive firewall applications for Windows."
#: serverguide/C/security.xml:922(para)
"The <ulink url=\"https://wiki.ubuntu.com/UbuntuFirewall\">Ubuntu "
"Firewall</ulink> wiki page contains information on the development of "
"<application>ufw</application>."
#: serverguide/C/security.xml:928(para)
"Also, the <application>ufw</application> manual page contains some very "
"useful information: <command>man ufw</command>."
#: serverguide/C/security.xml:933(para)
"See the <ulink url=\"http://www.netfilter.org/documentation/HOWTO/packet-"
"filtering-HOWTO.html\">packet-filtering-HOWTO</ulink> for more information "
"on using <application>iptables</application>."
#: serverguide/C/security.xml:939(para)
"The <ulink url=\"http://www.netfilter.org/documentation/HOWTO/NAT-"
"HOWTO.html\">nat-HOWTO</ulink> contains further details on masquerading."
#: serverguide/C/security.xml:948(title)
#: serverguide/C/security.xml:949(para)
"<application>AppArmor</application> is a Linux Security Module "
"implementation of name-based mandatory access controls. AppArmor confines "
"individual programs to a set of listed files and posix 1003.1e draft "
#: serverguide/C/security.xml:953(para)
"<application>AppArmor</application> is installed and loaded by default. It "
"uses <emphasis>profiles</emphasis> of an application to determine what files "
"and permissions the application requires. Some packages will install their "
"own profiles, and additional profiles can be found in the "
"<application>apparmor-profiles</application> package."
#: serverguide/C/security.xml:958(para)
"To install the <application>apparmor-profiles</application> package from a "
#: serverguide/C/security.xml:964(para)
msgid "AppArmor profiles have two modes of execution:"
#: serverguide/C/security.xml:969(para)
"Complaining/Learning: profile violations are permitted and logged. Useful "
"for testing and developing new profiles."
#: serverguide/C/security.xml:974(para)
"Enforced/Confined: enforces profile policy as well as logging the violation."
#: serverguide/C/security.xml:980(title)
msgid "Using AppArmor"
#: serverguide/C/security.xml:981(para)
"The <application>apparmor-utils</application> package contains command line "
"utilities that you can use to change the <application>AppArmor</application> "
"execution mode, find the status of a profile, create new profiles, etc."
#: serverguide/C/security.xml:987(para)
"<application>apparmor_status</application> is used to view the current "
"status of AppArmor profiles."
#: serverguide/C/security.xml:991(command)
msgid "sudo apparmor_status"
#: serverguide/C/security.xml:995(para)
"<application>aa-complain</application> places a profile into "
"<emphasis>complain</emphasis> mode."
#: serverguide/C/security.xml:999(command)
msgid "sudo aa-complain /path/to/bin"
#: serverguide/C/security.xml:1003(para)
"<application>aa-enforce</application> places a profile into "
"<emphasis>enforce</emphasis> mode."
#: serverguide/C/security.xml:1007(command)
msgid "sudo aa-enforce /path/to/bin"
#: serverguide/C/security.xml:1011(para)
"The <filename>/etc/apparmor.d</filename> directory is where the AppArmor "
"profiles are located. It can be used to manipulate the "
"<emphasis>mode</emphasis> of all profiles."
#: serverguide/C/security.xml:1015(para)
msgid "Enter the following to place all profiles into complain mode:"
#: serverguide/C/security.xml:1019(command)
msgid "sudo aa-complain /etc/apparmor.d/*"
#: serverguide/C/security.xml:1021(para)
msgid "To place all profiles in enforce mode:"
#: serverguide/C/security.xml:1025(command)
msgid "sudo aa-enforce /etc/apparmor.d/*"
#: serverguide/C/security.xml:1029(para)
"<application>apparmor_parser</application> is used to load a profile into "
"the kernel. It can also be used to reload a currently loaded profile using "
"the <emphasis>-r</emphasis> option. To load a profile:"
#: serverguide/C/security.xml:1034(command) serverguide/C/security.xml:1066(command)
msgid "cat /etc/apparmor.d/profile.name | sudo apparmor_parser -a"
#: serverguide/C/security.xml:1036(para)
msgid "To reload a profile:"
#: serverguide/C/security.xml:1040(command)
msgid "cat /etc/apparmor.d/profile.name | sudo apparmor_parser -r"
#: serverguide/C/security.xml:1044(para)
"<filename>/etc/init.d/apparmor</filename> can be used to "
"<emphasis>reload</emphasis> all profiles:"
#: serverguide/C/security.xml:1048(command)
msgid "sudo /etc/init.d/apparmor reload"
#: serverguide/C/security.xml:1052(para)
"The <filename>/etc/apparmor.d/disable</filename> directory can be used along "
"with the <application>apparmor_parser -R</application> option to "
"<emphasis>disable</emphasis> a profile."
#: serverguide/C/security.xml:1057(command)
msgid "sudo ln -s /etc/apparmor.d/profile.name /etc/apparmor.d/disable/"
#: serverguide/C/security.xml:1058(command)
msgid "sudo apparmor_parser -R /etc/apparmor.d/profile.name"
#: serverguide/C/security.xml:1060(para)
"To <emphasis>re-enable</emphasis> a disabled profile remove the symbolic "
"link to the profile in <filename>/etc/apparmor.d/disable/</filename>. Then "
"load the profile using the <emphasis>-a</emphasis> option."
#: serverguide/C/security.xml:1065(command)
msgid "sudo rm /etc/apparmor.d/disable/profile.name"
#: serverguide/C/security.xml:1070(para)
"<application>AppArmor</application> can be disabled, and the kernel module "
"unloaded by entering the following:"
#: serverguide/C/security.xml:1074(command)
msgid "sudo /etc/init.d/apparmor stop"
#: serverguide/C/security.xml:1075(command)
msgid "sudo update-rc.d -f apparmor remove"
#: serverguide/C/security.xml:1079(para)
msgid "To re-enable <application>AppArmor</application> enter:"
#: serverguide/C/security.xml:1083(command)
msgid "sudo /etc/init.d/apparmor start"
#: serverguide/C/security.xml:1084(command)
msgid "sudo update-rc.d apparmor defaults"
#: serverguide/C/security.xml:1089(para)
"Replace <emphasis>profile.name</emphasis> with the name of the profile you "
"want to manipulate. Also, replace <filename>/path/to/bin/</filename> with "
"the actual executable file path. For example for the "
"<application>ping</application> command use <filename>/bin/ping</filename>"
#: serverguide/C/security.xml:1097(title)
#: serverguide/C/security.xml:1098(para)
"<application>AppArmor</application> profiles are simple text files located "
"in <filename>/etc/apparmor.d/</filename>. The files are named after the full "
"path to the executable they profile replacing the \"/\" with \".\". For "
"example <filename>/etc/apparmor.d/bin.ping</filename> is the AppArmor "
"profile for the <filename>/bin/ping</filename> command."
#: serverguide/C/security.xml:1104(para)
msgid "There are two main type of rules used in profiles:"
#: serverguide/C/security.xml:1109(para)
"<emphasis>Path entries:</emphasis> which detail which files an application "
"can access in the file system."
#: serverguide/C/security.xml:1114(para)
"<emphasis>Capability entries:</emphasis> determine what privileges a "
"confined process is allowed to use."
#: serverguide/C/security.xml:1119(para)
"As an example take a look at <filename>/etc/apparmor.d/bin.ping</filename>:"
#: serverguide/C/security.xml:1122(programlisting)
"#include <tunables/global>\n"
"/bin/ping flags=(complain) {\n"
" #include <abstractions/base>\n"
" #include <abstractions/consoles>\n"
" #include <abstractions/nameservice>\n"
" capability net_raw,\n"
" capability setuid,\n"
" network inet raw,\n"
" /bin/ping mixr,\n"
" /etc/modules.conf r,\n"
#: serverguide/C/security.xml:1139(para)
"<emphasis>#include <tunables/global>:</emphasis> include statements "
"from other files. This allows statements pertaining to multiple applications "
"to be placed in a common file."
#: serverguide/C/security.xml:1145(para)
"<emphasis>/bin/ping flags=(complain):</emphasis> path to the profiled "
"program, also setting the mode to <emphasis>complain</emphasis>."
#: serverguide/C/security.xml:1151(para)
"<emphasis>capability net_raw,:</emphasis> allows the application access to "
"the CAP_NET_RAW Posix.1e capability."
#: serverguide/C/security.xml:1156(para)
"<emphasis>/bin/ping mixr,:</emphasis> allows the application read and "
"execute access to the file."
#: serverguide/C/security.xml:1162(para)
"After editing a profile file the profile must be reloaded. See <xref "
"linkend=\"apparmor-usage\"/> for details."
#: serverguide/C/security.xml:1167(title)
msgid "Creating a Profile"
#: serverguide/C/security.xml:1170(para)
"<emphasis>Design a test plan:</emphasis> Try to think about how the "
"application should be exercised. The test plan should be divided into small "
"test cases. Each test case should have a small description and list the "
#: serverguide/C/security.xml:1174(para)
msgid "Some standard test cases are:"
#: serverguide/C/security.xml:1179(para)
msgid "Starting the program."
#: serverguide/C/security.xml:1184(para)
msgid "Stopping the program."
#: serverguide/C/security.xml:1189(para)
msgid "Reloading the program."
#: serverguide/C/security.xml:1194(para)
msgid "Testing all the commands supported by the init script."
#: serverguide/C/security.xml:1201(para)
"<emphasis>Generate the new profile:</emphasis> Use <application>aa-"
"genprof</application> to generate a new profile. From a terminal:"
#: serverguide/C/security.xml:1206(command)
msgid "sudo aa-genprof executable"
#: serverguide/C/security.xml:1208(para)
msgid "For example:"
#: serverguide/C/security.xml:1212(command)
msgid "sudo aa-genprof slapd"
#: serverguide/C/security.xml:1216(para)
"To get your new profile included in the <application>apparmor-"
"profiles</application> package, file a bug in <emphasis>Launchpad</emphasis> "
"against the <ulink "
"url=\"https://bugs.launchpad.net/ubuntu/+source/apparmor/+filebug\">AppArmor<"
#: serverguide/C/security.xml:1223(para)
msgid "Include your test plan and test cases."
#: serverguide/C/security.xml:1228(para)
msgid "Attach your new profile to the bug."
#: serverguide/C/security.xml:1237(title)
msgid "Updating Profiles"
#: serverguide/C/security.xml:1238(para)
"When the program is misbehaving, audit messages are sent to the log files. "
"The program <application>aa-logprof</application> can be used to scan log "
"files for <application>AppArmor</application> audit messages, review them "
"and update the profiles. From a terminal:"
#: serverguide/C/security.xml:1243(command)
msgid "sudo aa-logprof"
#: serverguide/C/security.xml:1251(para)
"url=\"http://www.novell.com/documentation/apparmor/apparmor201_sp10_admin/ind"
"ex.html?page=/documentation/apparmor/apparmor201_sp10_admin/data/book_apparmo"
"r_admin.html\">AppArmor Administration Guide</ulink> for advanced "
"configuration options."
#: serverguide/C/security.xml:1258(para)
"For details using AppArmor with other Ubuntu releases see the <ulink "
"url=\"https://help.ubuntu.com/community/AppArmor\"> AppArmor Community "
"Wiki</ulink> page."
#: serverguide/C/security.xml:1266(para)
"The <ulink url=\"http://en.opensuse.org/AppArmor\">OpenSUSE AppArmor</ulink> "
"page is another introduction to AppArmor."
#: serverguide/C/security.xml:1273(para)
"A great place to ask for <application>AppArmor</application> assistance, and "
"get involved with the Ubuntu Server community, is the <emphasis>#ubuntu-"
"server</emphasis> IRC channel on <ulink "
"url=\"http://freenode.net\">freenode</ulink>."
#: serverguide/C/security.xml:1283(title)
msgid "Certificates"
#: serverguide/C/security.xml:1284(para)
"One of the most common forms of cryptography today is <emphasis>public-"
"key</emphasis> cryptography. Public-key cryptography utilizes a "
"<emphasis>public key</emphasis> and a <emphasis>private key</emphasis>. The "
"system works by <emphasis>encrypting</emphasis> information using the public "
"key. The information can then only be <emphasis>decrypted</emphasis> using "
#: serverguide/C/security.xml:1290(para)
"A common use for public-key cryptography is encrypting application traffic "
"using a Secure Socket Layer (SSL) or Transport Layer Security (TLS) "
"connection. For example, configuring Apache to provide "
"<emphasis>HTTPS</emphasis>, the HTTP protocol over SSL. This allows a way to "
"encrypt traffic using a protocol that does not itself provide encryption."
#: serverguide/C/security.xml:1295(para)
"A <emphasis>Certificate</emphasis> is a method used to distribute a "
"<emphasis>public key</emphasis> and other information about a server and the "
"organization who is responsible for it. Certificates can be digitally signed "
"by a <emphasis>Certification Authority</emphasis> or CA. A CA is a trusted "
"third party that has confirmed that the information contained in the "
"certificate is accurate."
#: serverguide/C/security.xml:1302(title)
msgid "Types of Certificates"
#: serverguide/C/security.xml:1303(para)
"To set up a secure server using public-key cryptography, in most cases, you "
"send your certificate request (including your public key), proof of your "
"company's identity, and payment to a CA. The CA verifies the certificate "
"request and your identity, and then sends back a certificate for your secure "
"server. Alternatively, you can create your own <emphasis>self-"
"signed</emphasis> certificate."
#: serverguide/C/security.xml:1313(para)
"Note, that self-signed certificates should not be used in most production "
#: serverguide/C/security.xml:1317(para)
"Continuing the HTTPS example, a CA-signed certificate provides two important "
"capabilities that a self-signed certificate does not:"
#: serverguide/C/security.xml:1324(para)
"Browsers (usually) automatically recognize the certificate and allow a "
"secure connection to be made without prompting the user."
#: serverguide/C/security.xml:1331(para)
"When a CA issues a signed certificate, it is guaranteeing the identity of "
"the organization that is providing the web pages to the browser."
#: serverguide/C/security.xml:1339(para)
"Most Web browsers, and computers, that support SSL have a list of CAs whose "
"certificates they automatically accept. If a browser encounters a "
"certificate whose authorizing CA is not in the list, the browser asks the "
"user to either accept or decline the connection. Also, other applications "
"may generate an error message when using a self-singed certificate."
#: serverguide/C/security.xml:1347(para)
"The process of getting a certificate from a CA is fairly easy. A quick "
"overview is as follows:"
#: serverguide/C/security.xml:1354(para)
msgid "Create a private and public encryption key pair."
#: serverguide/C/security.xml:1357(para)
"Create a certificate request based on the public key. The certificate "
"request contains information about your server and the company hosting it."
#: serverguide/C/security.xml:1362(para)
"Send the certificate request, along with documents proving your identity, to "
"a CA. We cannot tell you which certificate authority to choose. Your "
"decision may be based on your past experiences, or on the experiences of "
"your friends or colleagues, or purely on monetary factors."
#: serverguide/C/security.xml:1368(para)
"Once you have decided upon a CA, you need to follow the instructions they "
"provide on how to obtain a certificate from them."
#: serverguide/C/security.xml:1373(para)
"When the CA is satisfied that you are indeed who you claim to be, they send "
"you a digital certificate."
#: serverguide/C/security.xml:1377(para)
"Install this certificate on your secure server, and configure the "
"appropriate applications to use the certificate."
#: serverguide/C/security.xml:1386(title)
msgid "Generating a Certificate Signing Request (CSR)"
#: serverguide/C/security.xml:1387(para)
"Whether you are getting a certificate from a CA or generating your own self-"
"signed certificate, the first step is to generate a key."
#: serverguide/C/security.xml:1390(para)
"To generate the <emphasis>keys</emphasis> for the Certificate Signing "
"Request (CSR) run the following command from a terminal prompt:"
#: serverguide/C/security.xml:1395(command)
msgid "openssl genrsa -des3 -out server.key 1024"
#: serverguide/C/security.xml:1398(programlisting)
"Generating RSA private key, 1024 bit long modulus\n"
".....................++++++\n"
".................++++++\n"
"unable to write 'random state'\n"
"e is 65537 (0x10001)\n"
"Enter pass phrase for server.key:\n"
#: serverguide/C/security.xml:1407(para)
"You can now enter your passphrase. For best security, it should at least "
"contain eight characters. The minimum length when specifying -des3 is four "
"characters. It should include numbers and/or punctuation and not be a word "
"in a dictionary. Also remember that your passphrase is case-sensitive."
#: serverguide/C/security.xml:1415(para)
"Re-type the passphrase to verify. Once you have re-typed it correctly, the "
"server key is generated and stored in the <filename>server.key</filename> "
#: serverguide/C/security.xml:1422(para)
"You can also run your secure service without a passphrase. This is "
"convenient because you will not need to enter the passphrase every time you "
"start your secure service. But it is highly insecure and a compromise of the "
"key means a compromise of the server as well."
"In any case, you can choose to run your secure service without a passphrase "
"by leaving out the -des3 switch in the generation phase or by issuing the "
"following command at a terminal prompt:"
#: serverguide/C/security.xml:1438(command)
msgid "openssl rsa -in server.key -out server.key.insecure"
#: serverguide/C/security.xml:1440(para)
"Once you run the above command, the insecure key will be stored in the "
"<filename>server.key.insecure</filename> file. You can use this file to "
"generate the CSR without passphrase."
#: serverguide/C/security.xml:1446(para)
msgid "To create the CSR, run the following command at a terminal prompt:"
#: serverguide/C/security.xml:1450(command)
msgid "openssl req -new -key server.key -out server.csr"
#: serverguide/C/security.xml:1453(para)
"It will prompt you enter the passphrase. If you enter the correct "
"passphrase, it will prompt you to enter Company Name, Once you enter all "
"these details, your CSR will be created and it will be stored in the "
"<filename>server.csr</filename> file. Site Name, Email Id, etc."
#: serverguide/C/security.xml:1461(para)
"You can now submit this CSR file to a CA for processing. The CA will use "
"this CSR file and issue the certificate. On the other hand, you can create "
"self-signed certificate using this CSR."
#: serverguide/C/security.xml:1469(title)
msgid "Creating a Self-Signed Certificate"
#: serverguide/C/security.xml:1470(para)
"To create the self-signed certificate, run the following command at a "
#: serverguide/C/security.xml:1475(command)
"openssl x509 -req -days 365 -in server.csr -signkey server.key -out "
#: serverguide/C/security.xml:1478(para)
"The above command will prompt you to enter the passphrase. Once you enter "
"the correct passphrase, your certificate will be created and it will be "
"stored in the <filename>server.crt</filename> file."
#: serverguide/C/security.xml:1483(para)
"If your secure server is to be used in a production environment, you "
"probably need a CA-signed certificate. It is not recommended to use self-"
"signed certificate."
#: serverguide/C/security.xml:1491(title)
7415
msgid "Installing the Certificate"
7418
#: serverguide/C/security.xml:1493(para)
7420
"You can install the key file <filename>server.key</filename> and certificate "
7421
"file <filename>server.crt</filename>, or the certificate file issued by your "
7422
"CA, by running following commands at a terminal prompt:"
7425
#: serverguide/C/security.xml:1499(command)
7426
msgid "sudo cp server.crt /etc/ssl/certs"
7429
#: serverguide/C/security.xml:1500(command)
7430
msgid "sudo cp server.key /etc/ssl/private"
7433
#: serverguide/C/security.xml:1502(para)
7435
"Now simply configure any applications, with the ability to use public-key "
7436
"cryptography, to use the <emphasis>certificate</emphasis> and "
7437
"<emphasis>key</emphasis> files. For example, "
7438
"<application>Apache</application> can provide HTTPS, "
7439
"<application>Dovecot</application> can provide IMAPS and POP3S, etc."
7442
#: serverguide/C/security.xml:1509(title)
7443
msgid "Certification Authority"
7446
#: serverguide/C/security.xml:1511(para)
7448
"If the services on your network require more than a few self-signed "
7449
"certificates it may be worth the additional effort to setup your own "
7450
"internal <emphasis>Certification Authority (CA)</emphasis>. Using "
7451
"certificates signed by your own CA, allows the various services using the "
7452
"certificates to easily trust other services using certificates issued from "
7456
#: serverguide/C/security.xml:1521(para)
7458
"First, create the directories to hold the CA certificate and related files:"
7461
#: serverguide/C/security.xml:1526(command)
7462
msgid "sudo mkdir /etc/ssl/CA"
7465
#: serverguide/C/security.xml:1527(command)
7466
msgid "sudo mkdir /etc/ssl/newcerts"
#: serverguide/C/security.xml:1533(para)
"The CA needs a few additional files to operate, one to keep track of the "
"last serial number used by the CA, each certificate must have a unique "
"serial number, and another file to record which certificates have been "
#: serverguide/C/security.xml:1540(command)
msgid "sudo sh -c \"echo '01' > /etc/ssl/CA/serial\""
#: serverguide/C/security.xml:1541(command)
msgid "sudo touch /etc/ssl/CA/index.txt"
#: serverguide/C/security.xml:1547(para)
"The third file is a CA configuration file. Though not strictly necessary, it "
"is very convenient when issuing multiple certificates. Edit "
"<filename>/etc/ssl/openssl.cnf</filename>, and in the <emphasis>[ CA_default "
"]</emphasis> change:"
#: serverguide/C/security.xml:1553(programlisting)
"dir = /etc/ssl/ # Where everything is kept\n"
"database = $dir/CA/index.txt # database index file.\n"
"certificate = $dir/certs/cacert.pem # The CA certificate\n"
"serial = $dir/CA/serial # The current serial number\n"
"private_key = $dir/private/cakey.pem# The private key\n"
#: serverguide/C/security.xml:1564(para)
msgid "Next, create the self-singed root certificate:"
#: serverguide/C/security.xml:1569(command)
"openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -"
#: serverguide/C/security.xml:1572(para)
msgid "You will then be asked to enter the details about the certificate."
#: serverguide/C/security.xml:1579(para)
msgid "Now install the root certificate and key:"
#: serverguide/C/security.xml:1584(command)
msgid "sudo mv cakey.pem /etc/ssl/private/"
#: serverguide/C/security.xml:1585(command)
msgid "sudo mv cacert.pem /etc/ssl/certs/"
#: serverguide/C/security.xml:1591(para)
"You are now ready to start signing certificates. The first item needed is a "
"Certificate Signing Request (CSR), see <xref linkend=\"generating-a-csr\"/> "
"for details. Once you have a CSR, enter the following to generate a "
"certificate signed by the CA:"
#: serverguide/C/security.xml:1598(command)
msgid "sudo openssl ca -in server.csr -config /etc/ssl/openssl.cnf"
#: serverguide/C/security.xml:1601(para)
"After entering the password for the CA key, you will be prompted to sign the "
"certificate, and again to commit the new certificate. You should then see a "
"somewhat large amount of output related to the certificate creation."
#: serverguide/C/security.xml:1610(para)
"There should now be a new file, "
"<filename>/etc/ssl/newcerts/01.pem</filename>, containing the same output. "
"Copy and paste everything between the <emphasis>-----BEGIN CERTIFICATE-----"
"</emphasis> and <emphasis>----END CERTIFICATE-----</emphasis> lines to a "
"file named after the hostname of the server where the certificate will be "
"installed. For example <filename>mail.example.com.crt</filename>, is a nice "
#: serverguide/C/security.xml:1618(para)
"Subsequent certificates will be named <filename>02.pem</filename>, "
"<filename>03.pem</filename>, etc."
#: serverguide/C/security.xml:1623(para)
"Replace <emphasis>mail.example.com.crt</emphasis> with your own descriptive "
#: serverguide/C/security.xml:1631(para)
"Finally, copy the new certificate to the host that needs it, and configure "
"the appropriate applications to use it. The default location to install "
"certificates is <filename role=\"directory\">/etc/ssl/certs</filename>. This "
"enables multiple services to use the same certificate without overly "
"complicated file permissions."
#: serverguide/C/security.xml:1637(para)
"For applications that can be configured to use a CA certificate, you should "
"also copy the <filename>/etc/ssl/certs/cacert.pem</filename> file to the "
"<filename role=\"directory\">/etc/ssl/certs/</filename> directory on each "
#: serverguide/C/security.xml:1651(para)
"For more detailed instructions on using cryptography see the <ulink "
"url=\"http://tldp.org/HOWTO/SSL-Certificates-HOWTO/index.html\">SSL "
"Certificates HOWTO</ulink> by tlpd.org"
#: serverguide/C/security.xml:1657(para)
"<ulink url=\"http://www.pki-page.org/\">The PKI Page</ulink> contains a list "
"of Certificate Authorities."
#: serverguide/C/security.xml:1662(para)
"The Wikipedia <ulink "
"url=\"http://en.wikipedia.org/wiki/Https\">HTTPS</ulink> page has more "
"information regarding HTTPS."
#: serverguide/C/security.xml:1667(para)
"For more information on <emphasis>OpenSSL</emphasis> see the <ulink "
"url=\"http://www.openssl.org/\">OpenSSL Home Page</ulink>."
#: serverguide/C/security.xml:1672(para)
"Also, O'Reilly's <ulink "
"url=\"http://oreilly.com/catalog/9780596002701/\">Network Security with "
"OpenSSL</ulink> is a good in depth reference."
#: serverguide/C/remote-administration.xml:13(title)
msgid "Remote Administration"
#: serverguide/C/remote-administration.xml:14(para)
"There are many ways to remotely administer a Linux server. This chapter will "
"cover one of the most popular <application>SSH</application> as well as "
"<application>eBox</application>, a web based administration framework."
#: serverguide/C/remote-administration.xml:23(para)
"This section of the Ubuntu Server Guide introduces a powerful collection of "
"tools for the remote control of networked computers and transfer of data "
"between networked computers, called <emphasis>OpenSSH</emphasis>. You will "
"also learn about some of the configuration settings possible with the "
"OpenSSH server application and how to change them on your Ubuntu system."
#: serverguide/C/remote-administration.xml:30(para)
"OpenSSH is a freely available version of the Secure Shell (SSH) protocol "
"family of tools for remotely controlling a computer or transferring files "
"between computers. Traditional tools used to accomplish these functions, "
"such as <application>telnet</application> or <application>rcp</application>, "
"are insecure and transmit the user's password in cleartext when used. "
"OpenSSH provides a server daemon and client tools to facilitate secure, "
"encrypted remote control and file transfer operations, effectively replacing "
#: serverguide/C/remote-administration.xml:39(para)
"The OpenSSH server component, <application>sshd</application>, listens "
"continuously for client connections from any of the client tools. When a "
"connection request occurs, <application>sshd</application> sets up the "
"correct connection depending on the type of client tool connecting. For "
"example, if the remote computer is connecting with the "
"<application>ssh</application> client application, the OpenSSH server sets "
"up a remote control session after authentication. If a remote user connects "
"to an OpenSSH server with <application>scp</application>, the OpenSSH server "
"daemon initiates a secure copy of files between the server and client after "
"authentication. OpenSSH can use many authentication methods, including plain "
"password, public key, and <application>Kerberos</application> tickets."
#: serverguide/C/remote-administration.xml:53(para)
"Installation of the OpenSSH client and server applications is simple. To "
"install the OpenSSH client applications on your Ubuntu system, use this "
"command at a terminal prompt:"
#: serverguide/C/remote-administration.xml:59(command)
msgid "sudo apt-get install openssh-client"
#: serverguide/C/remote-administration.xml:61(para)
"To install the OpenSSH server application, and related support files, use "
"this command at a terminal prompt:"
#: serverguide/C/remote-administration.xml:66(command)
msgid "sudo apt-get install openssh-server"
#: serverguide/C/remote-administration.xml:68(para)
"The <application>openssh-server</application> package can also be selected "
"to install during the Server Edition installation process."
#: serverguide/C/remote-administration.xml:75(para)
"You may configure the default behavior of the OpenSSH server application, "
"<application>sshd</application>, by editing the file "
"<filename>/etc/ssh/sshd_config</filename>. For information about the "
"configuration directives used in this file, you may view the appropriate "
"manual page with the following command, issued at a terminal prompt:"
#: serverguide/C/remote-administration.xml:83(command)
msgid "man sshd_config"
#: serverguide/C/remote-administration.xml:85(para)
"There are many directives in the <application>sshd</application> "
"configuration file controlling such things as communications settings and "
"authentication modes. The following are examples of configuration directives "
"that can be changed by editing the <filename>/etc/ssh/ssh_config</filename> "
#: serverguide/C/remote-administration.xml:92(para)
"Prior to editing the configuration file, you should make a copy of the "
"original file and protect it from writing so you will have the original "
"settings as a reference and to reuse as necessary."
#: serverguide/C/remote-administration.xml:96(para)
"Copy the <filename>/etc/ssh/sshd_config</filename> file and protect it from "
"writing with the following commands, issued at a terminal prompt:"
#: serverguide/C/remote-administration.xml:101(command)
msgid "sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.original"
#: serverguide/C/remote-administration.xml:102(command)
msgid "sudo chmod a-w /etc/ssh/sshd_config.original"
#: serverguide/C/remote-administration.xml:104(para)
"The following are examples of configuration directives you may change:"
#: serverguide/C/remote-administration.xml:109(para)
"To set your OpenSSH to listen on TCP port 2222 instead of the default TCP "
"port 22, change the Port directive as such:"
#: serverguide/C/remote-administration.xml:113(para)
#: serverguide/C/remote-administration.xml:118(para)
"To have <application>sshd</application> allow public key-based login "
"credentials, simply add or modify the line:"
#: serverguide/C/remote-administration.xml:122(para)
msgid "PubkeyAuthentication yes"
#: serverguide/C/remote-administration.xml:125(para)
"In the <filename>/etc/ssh/sshd_config</filename> file, or if already "
"present, ensure the line is not commented out."
#: serverguide/C/remote-administration.xml:131(para)
"To make your OpenSSH server display the contents of the "
"<filename>/etc/issue.net</filename> file as a pre-login banner, simply add "
"or modify the line:"
#: serverguide/C/remote-administration.xml:136(para)
msgid "Banner /etc/issue.net"
#: serverguide/C/remote-administration.xml:139(para)
msgid "In the <filename>/etc/ssh/sshd_config</filename> file."
#: serverguide/C/remote-administration.xml:144(para)
"After making changes to the <filename>/etc/ssh/sshd_config</filename> file, "
"save the file, and restart the <application>sshd</application> server "
"application to effect the changes using the following command at a terminal "
#: serverguide/C/remote-administration.xml:153(para)
"Many other configuration directives for <application>sshd</application> are "
"available for changing the server application's behavior to fit your needs. "
"Be advised, however, if your only method of access to a server is "
"<application>ssh</application>, and you make a mistake in configuring "
"<application>sshd</application> via the "
"<filename>/etc/ssh/sshd_config</filename> file, you may find you are locked "
"out of the server upon restarting it, or that the "
"<application>sshd</application> server refuses to start due to an incorrect "
"configuration directive, so be extra careful when editing this file on a "
#: serverguide/C/remote-administration.xml:168(title)
#: serverguide/C/remote-administration.xml:169(para)
"SSH <emphasis>keys</emphasis> allow authentication between two hosts without "
"the need of a password. SSH key authentication uses two keys a "
"<emphasis>private</emphasis> key and a <emphasis>public</emphasis> key."
#: serverguide/C/remote-administration.xml:173(para)
msgid "To generate the keys, from a terminal prompt enter:"
#: serverguide/C/remote-administration.xml:177(command)
msgid "ssh-keygen -t dsa"
#: serverguide/C/remote-administration.xml:179(para)
"This will generate the keys using a <emphasis>DSA</emphasis> authentication "
"identity of the user. During the process you will be prompted for a "
"password. Simply hit <emphasis>Enter</emphasis> when prompted to create the "
#: serverguide/C/remote-administration.xml:183(para)
"By default the <emphasis>public</emphasis> key is saved in the file "
"<filename>~/.ssh/id_dsa.pub</filename>, while "
"<filename>~/.ssh/id_dsa</filename> is the <emphasis>private</emphasis> key. "
"Now copy the <filename>id_dsa.pub</filename> file to the remote host and "
"appended it to <filename>~/.ssh/authorized_keys2</filename>:"
msgid "cat id_dsa.pub >> .ssh/authorized_keys2"
"Finally, double check the permissions on the "
"<filename>authorized_keys2</filename> file, only the authenticated user "
"should have read and write permissions. If the permissions are not correct "
msgid "chmod 644 .ssh/authorized_keys2"
#: serverguide/C/remote-administration.xml:198(para)
"You should now be able to SSH to the host without being prompted for a "
#: serverguide/C/remote-administration.xml:205(ulink)
msgid "OpenSSH Website"
#: serverguide/C/remote-administration.xml:208(ulink)
msgid "Advanced OpenSSH Wiki Page"
#: serverguide/C/remote-administration.xml:213(title)
"<application>eBox</application> is a web framework used to manager server "
"application configuration. The modular design of eBox allows you to pick and "
"choose which services you want to configure using eBox."
#: serverguide/C/remote-administration.xml:221(para)
"The different <application>eBox</application> modules are split into "
"different packages, allowing you to only install those necessary. One way to "
"view the available packages is to enter the following from a terminal:"
#: serverguide/C/remote-administration.xml:227(command)
msgid "apt-cache rdepends ebox | uniq"
#: serverguide/C/remote-administration.xml:229(para)
"To install the <application>ebox</application> package, which contains the "
"default modules, enter the following:"
#: serverguide/C/remote-administration.xml:234(command)
msgid "sudo apt-get install ebox"
"If you want to install all the available modules, the <application>ebox-"
"all</application> meta package will install all the modules."
#: serverguide/C/remote-administration.xml:240(para)
"During the installation you will be asked to supply a password for the ebox "
"user. After installing eBox the web interface can be accessed from: "
"<emphasis>https://yourserver/ebox</emphasis>."
#: serverguide/C/remote-administration.xml:248(para)
"An important thing to remember when using <application>eBox</application> is "
"that when configuring most modules there is a <emphasis>Change</emphasis> "
"button that implements the new configuration. After clicking the Change "
"button most, but not all, modules will then need to be "
"<emphasis>Saved</emphasis>. To save the new configuration click on the "
"<quote>Save changes</quote> link in the top right hand corner."
#: serverguide/C/remote-administration.xml:256(para)
"Once you make a change that requires a Save, the link will change from green "
#: serverguide/C/remote-administration.xml:262(title)
msgid "eBox Modules"
#: serverguide/C/remote-administration.xml:263(para)
"By default all eBox <emphasis>Modules</emphasis> are not enabled, and when a "
"new module is installed it will not be automatically enabled."
#: serverguide/C/remote-administration.xml:267(para)
"To enable a disabled module click on the <emphasis>Module status</emphasis> "
"link in the left hand menu. Then <emphasis role=\"italic\">check</emphasis> "
"which modules you would like to enable and click the <quote>Save</quote> "
#: serverguide/C/remote-administration.xml:273(title)
msgid "Default Modules"
#: serverguide/C/remote-administration.xml:274(para)
"This section provides a quick summary of the default "
"<application>eBox</application> modules."
#: serverguide/C/remote-administration.xml:280(para)
"<emphasis>System:</emphasis> contains options allowing configuration of "
"general eBox items."
#: serverguide/C/remote-administration.xml:286(para)
"<emphasis>General:</emphasis> allows you to set the language, port number, "
"and contains a change password form."
#: serverguide/C/remote-administration.xml:292(para)
"<emphasis>Disk Usage:</emphasis> displays a graph detailing information "
#: serverguide/C/remote-administration.xml:298(para)
"<emphasis>Backup:</emphasis> is used to backup "
"<application>eBox</application> configuration information, and the "
"<emphasis>Full Backup</emphasis> option allows you to save all eBox "
"information not included in the <emphasis>Configuration</emphasis> option "
"such as log files."
#: serverguide/C/remote-administration.xml:306(para)
"<emphasis>Halt/Reboot:</emphasis> will shutdown the system or reboot it."
#: serverguide/C/remote-administration.xml:311(para)
"<emphasis>Bug Report:</emphasis> creates a file containing details helpful "
"when reporting bugs to the eBox developers."
#: serverguide/C/remote-administration.xml:319(para)
"<emphasis>Logs:</emphasis> allows <application>eBox</application> logs to be "
"queried depending on the purge time configured."
#: serverguide/C/remote-administration.xml:325(para)
"<emphasis>Events:</emphasis> this module has the ability to send alerts "
"through rss, jabber, and log file."
#: serverguide/C/remote-administration.xml:332(emphasis)
msgid "Available Events:"
#: serverguide/C/remote-administration.xml:336(para)
"<emphasis>Free Storage Space:</emphasis> will send alert if free disk space "
"drops below a configured percentage, 10% by default."
#: serverguide/C/remote-administration.xml:342(para)
"<emphasis>Log Observer:</emphasis> unfortunately this event does not work "
"with the <application>eBox</application> version shipped with Ubuntu 7.10."
#: serverguide/C/remote-administration.xml:348(para)
"<emphasis>RAID:</emphasis> will monitor the RAID system and send alerts if "
#: serverguide/C/remote-administration.xml:354(para)
"<emphasis>Service:</emphasis> sends alerts if a service restarts multiple "
"times in a short time period."
#: serverguide/C/remote-administration.xml:360(para)
"<emphasis>State:</emphasis> alerts on the state of "
"<application>eBox</application>, either up or down."
#: serverguide/C/remote-administration.xml:369(emphasis)
msgid "Dispatchers:"
#: serverguide/C/remote-administration.xml:373(para)
"<emphasis>Log:</emphasis> this dispatcher will send event messages to the "
"<application>eBox</application> log file "
"<filename>/var/log/ebox/ebox.log</filename>."
#: serverguide/C/remote-administration.xml:380(para)
"<emphasis>Jabber:</emphasis> before enabling this dispatcher you must first "
"configure it by clicking on the <quote>Configure</quote> icon."
#: serverguide/C/remote-administration.xml:386(para)
"<emphasis>RSS:</emphasis> once this dispatcher is configured you can "
"subscribe to the link in order to view event alerts."
#: serverguide/C/remote-administration.xml:399(title)
msgid "Additional Modules"
#: serverguide/C/remote-administration.xml:400(para)
"Here is a quick description of other available "
"<application>eBox</application> modules:"
#: serverguide/C/remote-administration.xml:405(para)
"<emphasis>Network:</emphasis> allows configuration of the server's network "
"options through eBox."
#: serverguide/C/remote-administration.xml:411(para)
"<emphasis>Firewall:</emphasis> configures firewall options for the eBox host."
#: serverguide/C/remote-administration.xml:416(para)
"<emphasis>UsersandGroups:</emphasis> this module will manage users and "
"groups contained in an <application>OpenLDAP</application> LDAP directory."
#: serverguide/C/remote-administration.xml:422(para)
"<emphasis>DHCP:</emphasis> provides an interface for configuring a DHCP "
#: serverguide/C/remote-administration.xml:427(para)
"<emphasis>DNS:</emphasis> provides <application>BIND9</application> DNS "
"server configuration options."
#: serverguide/C/remote-administration.xml:433(para)
"<emphasis>Objects:</emphasis> allow configuration of eBox <emphasis>Network "
"Objects</emphasis>, which allow you to assign a name to an IP address or "
#: serverguide/C/remote-administration.xml:440(para)
"<emphasis>Services:</emphasis> displays configuration information for "
"services that are available to the network."
#: serverguide/C/remote-administration.xml:446(para)
"<emphasis>Squid:</emphasis> configuration options for the "
"<application>Squid</application> proxy server."
#: serverguide/C/remote-administration.xml:452(para)
"<emphasis>CA:</emphasis> configures a Certificate Authority for the server."
#: serverguide/C/remote-administration.xml:457(para)
msgid "<emphasis>NTP:</emphasis> set Network Time Protocol options."
#: serverguide/C/remote-administration.xml:462(para)
msgid "<emphasis>Printers:</emphasis> allows the configuration of printers."
#: serverguide/C/remote-administration.xml:467(para)
msgid "<emphasis>Samba:</emphasis> configuration options for Samba."
#: serverguide/C/remote-administration.xml:472(para)
"<emphasis>OpenVPN:</emphasis> setup options for OpenVPN Virtual Private "
"Network application."
#: serverguide/C/remote-administration.xml:483(para)
"For more information see the <ulink url=\"http://ebox-platform.com/\">eBox "
"Home Page</ulink>."
#: serverguide/C/package-management.xml:13(title)
msgid "Package Management"
#: serverguide/C/package-management.xml:14(para)
"Ubuntu features a comprehensive package management system for the "
"installation, upgrade, configuration, and removal of software. In addition "
"to providing access to an organized base of over 24,000 software packages "
"for your Ubuntu computer, the package management facilities also feature "
"dependency resolution capabilities and software update checking."
#: serverguide/C/package-management.xml:16(para)
"Several tools are available for interacting with Ubuntu's package management "
"system, from simple command-line utilities which may be easily automated by "
"system administrators, to a simple graphical interface which is easy to use "
"by those new to Ubuntu."
#: serverguide/C/package-management.xml:21(para)
"Ubuntu's package management system is derived from the same system used by "
"the Debian GNU/Linux distribution. The package files contain all of the "
"necessary files, meta-data, and instructions to implement a particular "
"functionality or software application on your Ubuntu computer."
#: serverguide/C/package-management.xml:24(para)
"Debian package files typically have the extension '.deb', and typically "
"exist in <emphasis role=\"italics\">repositories</emphasis> which are "
"collections of packages found on various media, such as CD-ROM discs, or "
"online. Packages are normally of the pre-compiled binary format; thus "
"installation is quick and requires no compiling of software."
"Many complex packages use the concept of <emphasis "
"role=\"italics\">dependencies</emphasis>. Dependencies are additional "
"packages required by the principal package in order to function properly. "
"For example, the speech synthesis package "
"<application>Festival</application> depends upon the package "
"<application>libasound2</application>, which is a package supplying the "
"<application>ALSA</application> sound library needed for audio playback. In "
"order for <application>Festival</application> to function, it and all of "
"it's dependencies must be installed. The software management tools in Ubuntu "
"will do this automatically."
#: serverguide/C/package-management.xml:32(title)
#: serverguide/C/package-management.xml:34(para)
"<application>dpkg</application> is a package manager for "
"<emphasis>Debian</emphasis> based systems. It can install, remove, and build "
"packages, but unlike other package management system's it can not "
"automatically download and install packages and their dependencies. This "
"section covers using <application>dpkg</application> to manage locally "
"installed packages:"
#: serverguide/C/package-management.xml:43(para)
"To list all packages installed on the system, from a terminal prompt enter:"
#: serverguide/C/package-management.xml:48(command)
#: serverguide/C/package-management.xml:54(para)
"Depending on the amount of packages on your system, this can generate a "
"large amount of output. Pipe the output through "
"<application>grep</application> to see if a specific package is installed:"
#: serverguide/C/package-management.xml:60(command)
msgid "dpkg -l | grep apache2"
#: serverguide/C/package-management.xml:63(para)
"Replace <emphasis>apache2</emphasis> with any package name, part of a "
"package name, or other regular expression."
#: serverguide/C/package-management.xml:70(para)
"To list the files installed by a package, in this case the "
"<application>ufw</application> package, enter:"
#: serverguide/C/package-management.xml:75(command)
#: serverguide/C/package-management.xml:81(para)
"If you are not sure which package installed a file, <application>dpkg -"
"S</application> may be able to tell you. For example:"
#: serverguide/C/package-management.xml:87(command)
msgid "dpkg -S /etc/host.conf"
#: serverguide/C/package-management.xml:88(computeroutput)
msgid "base-files: /etc/host.conf"
#: serverguide/C/package-management.xml:91(para)
"The output shows that the <filename>/etc/host.conf</filename> belongs to the "
"<application>base-files</application> package."
#: serverguide/C/package-management.xml:96(para)
"Many files are automatically generated during the package install process, "
"and even though they are on the filesystem <command>dpkg -S</command> may "
"not know which package they belong to."
#: serverguide/C/package-management.xml:105(para)
msgid "You can install a local <emphasis>.deb</emphasis> file by entering:"
#: serverguide/C/package-management.xml:110(command)
msgid "sudo dpkg -i zip_2.32-1_i386.deb"
#: serverguide/C/package-management.xml:113(para)
"Change <filename>zip_2.32-1_i386.deb</filename> to the actual file name of "
"the local .deb file."
#: serverguide/C/package-management.xml:120(para)
msgid "Uninstalling a package can be accomplished by:"
#: serverguide/C/package-management.xml:125(command)
msgid "sudo dpkg -r zip"
#: serverguide/C/package-management.xml:129(para)
"Uninstalling packages using <application>dpkg</application>, in most cases, "
"is <emphasis>NOT</emphasis> recommended. It is better to use a package "
"manager that handles dependencies, to ensure that the system is in a "
"consistent state. For example using <command>dpkg -r</command> you can "
"remove the <application>zip</application> package, but any packages that "
"depend on it will still be installed and may no longer function correctly."
#: serverguide/C/package-management.xml:140(para)
"For more <application>dpkg</application> options see the man page: "
"<command>man dpkg</command>."
8318
#: serverguide/C/package-management.xml:146(title)
8322
#: serverguide/C/package-management.xml:147(para)
8324
"The <application>apt-get</application> command is a powerful command-line "
8325
"tool used to work with Ubuntu's <emphasis>Advanced Packaging Tool</emphasis> "
8326
"(APT) performing such functions as installation of new software packages, "
8327
"upgrade of existing software packages, updating of the package list index, "
8328
"and even upgrading the entire Ubuntu system."
8331
#: serverguide/C/package-management.xml:150(para)
8333
"Being a simple command-line tool, <application>apt-get</application> has "
8334
"numerous advantages over other package management tools available in Ubuntu "
8335
"for server administrators. Some of these advantages include ease of use over "
8336
"simple terminal connections (SSH) and the ability to be used in system "
8337
"administration scripts, which can in turn be automated by the "
8338
"<application>cron</application> scheduling utility."
8341
#: serverguide/C/package-management.xml:157(para)
8343
"<emphasis role=\"bold\">Install a Package</emphasis>: Installation of "
8344
"packages using the <application>apt-get</application> tool is quite simple. "
"For example, to install the network scanner <emphasis "
"role=\"italics\">nmap</emphasis>, type the following: <screen>\n"
"<command>sudo apt-get install nmap</command>\n"
#: serverguide/C/package-management.xml:165(para)
"<emphasis role=\"bold\">Remove a Package</emphasis>: Removal of a package or "
"packages is also a straightforward and simple process. To remove the nmap "
"package installed in the previous example, type the following: <screen>\n"
"<command>sudo apt-get remove nmap</command>\n"
#: serverguide/C/package-management.xml:172(para)
"<emphasis role=\"bold\">Multiple Packages</emphasis>: You may specify "
"multiple packages to be installed or removed, separated by spaces."
#: serverguide/C/package-management.xml:175(para)
"Also, adding the <emphasis>--purge</emphasis> options to <command>apt-get "
"remove</command> will remove the package configuration files as well. This "
"may or may not be the desired effect so use with caution."
#: serverguide/C/package-management.xml:181(para)
"<emphasis role=\"bold\">Update the Package Index</emphasis>: The APT package "
"index is essentially a database of available packages from the repositories "
"defined in the <filename>/etc/apt/sources.list</filename> file. To update "
"the local package index with the latest changes made in repositories, type "
"the following: <screen>\n"
"<command>sudo apt-get update</command>\n"
#: serverguide/C/package-management.xml:189(para)
"<emphasis role=\"bold\">Upgrade Packages</emphasis>: Over time, updated "
"versions of packages currently installed on your computer may become "
"available from the package repositories (for example security updates). To "
"upgrade your system, first update your package index as outlined above, and "
"then type: <screen>\n"
"<command>sudo apt-get upgrade</command>\n"
#: serverguide/C/package-management.xml:195(para)
"For information on upgrading to a new Ubuntu release see <xref "
"linkend=\"installing-upgrading\"/>."
#: serverguide/C/package-management.xml:153(para)
"Some examples of popular uses for the <application>apt-get</application> "
"utility: <placeholder-1/>"
#: serverguide/C/package-management.xml:201(para)
"Actions of the <application>apt-get</application> command, such as "
"installation and removal of packages, are logged in the /var/log/dpkg.log "
#: serverguide/C/package-management.xml:204(para)
"For further information about the use of <application>APT</application>, "
"read the comprehensive <ulink url=\"http://www.debian.org/doc/user-"
"manuals#apt-howto\">Debian APT User Manual</ulink> or type: <screen>apt-get "
#: serverguide/C/package-management.xml:208(title)
#: serverguide/C/package-management.xml:209(para)
"<application>Aptitude</application> is a menu-driven, text-based front-end "
"to the <emphasis>Advanced Packaging Tool</emphasis> (APT) system. Many of "
"the common package management functions, such as installation, removal, and "
"upgrade, are performed in <application>Aptitude</application> with single-"
"key commands, which are typically lowercase letters."
#: serverguide/C/package-management.xml:212(para)
"<application>Aptitude</application> is best suited for use in a non-"
"graphical terminal environment to ensure proper functioning of the command "
"keys. You may start <application>Aptitude</application> as a normal user "
"with the following command at a terminal prompt: <screen>\n"
"<command>sudo aptitude</command>\n"
#: serverguide/C/package-management.xml:219(para)
"When <application>Aptitude</application> starts, you will see a menu bar at "
"the top of the screen and two panes below the menu bar. The top pane "
"contains package categories, such as <emphasis role=\"italics\">New "
"Packages</emphasis> and <emphasis role=\"italics\">Not Installed "
"Packages</emphasis>. The bottom pane contains information related to the "
"packages and package categories."
#: serverguide/C/package-management.xml:222(para)
"Using <application>Aptitude</application> for package management is "
"relatively straightforward, and the user interface makes common tasks simple "
"to perform. The following are examples of common package management "
"functions as performed in <application>Aptitude</application>:"
#: serverguide/C/package-management.xml:226(para)
"<emphasis role=\"bold\">Install Packages</emphasis>: To install a package, "
"locate the package via the Not Installed Packages package category, for "
"example, by using the keyboard arrow keys and the <keycap>ENTER</keycap> "
"key, and highlight the package you wish to install. After highlighting the "
"package you wish to install, press the <keycap>+</keycap> key, and the "
"package entry should turn <emphasis role=\"italics\">green</emphasis>, "
"indicating it has been marked for installation. Now press <keycap>g</keycap> "
"to be presented with a summary of package actions. Press <keycap>g</keycap> "
"again, and you will be prompted to become root to complete the installation. "
"Press <keycap>ENTER</keycap> which will result in a Password: prompt. Enter "
"your user password to become root. Finally, press <keycap>g</keycap> once "
"more and you'll be prompted to download the package. Press "
"<keycap>ENTER</keycap> on the <emphasis role=\"italics\">Continue</emphasis> "
"prompt, and downloading and installation of the package will commence."
#: serverguide/C/package-management.xml:230(para)
"<emphasis role=\"bold\">Remove Packages</emphasis>: To remove a package, "
"locate the package via the Installed Packages package category, for example, "
"by using the keyboard arrow keys and the <keycap>ENTER</keycap> key, and "
"highlight the package you wish to remove. After highlighting the package you "
"wish to install, press the <keycap>-</keycap> key, and the package entry "
"should turn <emphasis role=\"italics\">pink</emphasis>, indicating it has "
"been marked for removal. Now press <keycap>g</keycap> to be presented with a "
"summary of package actions. Press <keycap>g</keycap> again, and you will be "
"prompted to become root to complete the installation. Press "
"<keycap>ENTER</keycap> which will result in a Password: prompt. Enter your "
"user password to become root. Finally, press <keycap>g</keycap> once more, "
"and you'll be prompted to download the package. Press <keycap>ENTER</keycap> "
"on the <emphasis role=\"italics\">Continue</emphasis> prompt, and removal of "
"the package will commence."
#: serverguide/C/package-management.xml:234(para)
"<emphasis role=\"bold\">Update Package Index</emphasis>: To update the "
"package index, simply press the <keycap>u</keycap> key and you will be "
"prompted to become root to complete the update. Press <keycap>ENTER</keycap> "
"which will result in a Password: prompt. Enter your user password to become "
"root. Updating of the package index will commence. Press "
"<keycap>ENTER</keycap> on the OK prompt when the download dialog is "
"presented to complete the process."
#: serverguide/C/package-management.xml:238(para)
"<emphasis role=\"bold\">Upgrade Packages</emphasis>: To upgrade packages, "
"perform the update of the package index as detailed above, and then press "
"the <keycap>U</keycap> key to mark all packages with updates. Now press "
"<keycap>g</keycap> whereby you'll be presented with a summary of package "
"actions. Press <keycap>g</keycap> again, and you will be prompted to become "
"root to complete the installation. Press <keycap>ENTER</keycap> which will "
"result in a Password: prompt. Enter your user password to become root. "
"Finally, press <keycap>g</keycap> once more, and you'll be prompted to "
"download the packages. Press <keycap>ENTER</keycap> on the <emphasis "
"role=\"italics\">Continue</emphasis> prompt, and upgrade of the packages "
#: serverguide/C/package-management.xml:245(para)
msgid "<emphasis role=\"bold\">i</emphasis>: Installed package"
#: serverguide/C/package-management.xml:250(para)
"<emphasis role=\"bold\">c</emphasis>: Package not installed, but package "
"configuration remains on system"
#: serverguide/C/package-management.xml:254(para)
msgid "<emphasis role=\"bold\">p</emphasis>: Purged from system"
#: serverguide/C/package-management.xml:258(para)
msgid "<emphasis role=\"bold\">v</emphasis>: Virtual package"
#: serverguide/C/package-management.xml:262(para)
msgid "<emphasis role=\"bold\">B</emphasis>: Broken package"
#: serverguide/C/package-management.xml:266(para)
"<emphasis role=\"bold\">u</emphasis>: Unpacked files, but package not yet "
#: serverguide/C/package-management.xml:270(para)
"<emphasis role=\"bold\">C</emphasis>: Half-configured - Configuration failed "
#: serverguide/C/package-management.xml:274(para)
"<emphasis role=\"bold\">H</emphasis>: Half-installed - Removal failed and "
#: serverguide/C/package-management.xml:242(para)
"The first column of information displayed in the package list in the top "
"pane, when actually viewing packages lists the current state of the package, "
"and uses the following key to describe the state of the package: "
#: serverguide/C/package-management.xml:280(para)
"To exit Aptitude, simply press the <keycap>q</keycap> key and confirm you "
"wish to exit. Many other functions are available from the Aptitude menu by "
"pressing the <keycap>F10</keycap> key."
#: serverguide/C/package-management.xml:285(title)
msgid "Automatic Updates"
#: serverguide/C/package-management.xml:287(para)
"The <application>unattended-upgrades</application> package can be used to "
"automatically install updated packages, and can be configured to update all "
"packages or just install security updates. First, install the package by "
"entering the following in a terminal:"
#: serverguide/C/package-management.xml:293(command)
msgid "sudo apt-get install unattended-upgrades"
#: serverguide/C/package-management.xml:296(para)
"To configure <application>unattended-upgrades</application>, edit "
"<filename>/etc/apt/apt.conf.d/50unattended-upgrades</filename> and adjust "
"the following to fit your needs:"
"Unattended-Upgrade::Allowed-Origins {\n"
" \"Ubuntu intrepid-security\";\n"
"// \"Ubuntu intrepid-updates\";\n"
#: serverguide/C/package-management.xml:308(para)
"Certain packages can also be <emphasis>blacklisted</emphasis> and therefore "
"will not be automatically updated. To blacklist a package, add it to the "
#: serverguide/C/package-management.xml:313(programlisting)
"Unattended-Upgrade::Package-Blacklist {\n"
"// \"libc6-dev\";\n"
"// \"libc6-i686\";\n"
#: serverguide/C/package-management.xml:323(para)
"The double <emphasis><quote>//</quote></emphasis> serve as comments, so "
"whatever follows \"//\" will not be evaluated."
#: serverguide/C/package-management.xml:328(para)
"The results of <application>unattended-upgrades</application> will be logged "
"to <filename>/var/log/unattended-upgrades</filename>."
#: serverguide/C/package-management.xml:333(title)
msgid "Notifications"
#: serverguide/C/package-management.xml:335(para)
"Configuring <emphasis>Unattended-Upgrade::Mail</emphasis> in "
"<filename>/etc/apt/apt.conf.d/50unattended-upgrades</filename> will enable "
"<application>unattended-upgrades</application> to email an administrator "
"detailing any packages that need upgrading or have problems."
#: serverguide/C/package-management.xml:340(para)
"Another useful package is <application>apticron</application>. "
"<application>apticron</application> will configure a "
"<application>cron</application> job to email an administrator information "
"about any packages on the system that need updated as well as a summary of "
"changes in each package."
#: serverguide/C/package-management.xml:346(para)
"To install the <application>apticron</application> package, in a terminal "
#: serverguide/C/package-management.xml:351(command)
msgid "sudo apt-get install apticron"
#: serverguide/C/package-management.xml:354(para)
"Once the package is installed edit "
"<filename>/etc/apticron/apticron.conf</filename>, to set the email address "
"and other options:"
#: serverguide/C/package-management.xml:358(programlisting)
"EMAIL=\"root@example.com\"\n"
#: serverguide/C/package-management.xml:367(para)
"Configuration of the <emphasis>Advanced Packaging Tool</emphasis> (APT) "
"system repositories is stored in the /etc/apt/sources.list configuration "
"file. An example of this file is referenced here, along with information on "
"adding or removing repository references from the file."
#: serverguide/C/package-management.xml:373(para)
"<ulink url=\"../sample/sources.list\">Here</ulink> is a simple example of a "
"typical <filename>/etc/apt/sources.list</filename> file."
#: serverguide/C/package-management.xml:377(para)
"You may edit the file to enable repositories or disable them. For example, "
"to disable the requirement of inserting the Ubuntu CD-ROM whenever package "
"operations occur, simply comment out the appropriate line for the CD-ROM, "
"which appears at the top of the file:"
"# no more prompting for CD-ROM please\n"
"# deb cdrom:[Ubuntu 8.10_Intrepid_Ibex - Release i386 (20070419.1)]/ "
"intrepid main restricted\n"
#: serverguide/C/package-management.xml:388(title)
msgid "Extra Repositories"
#: serverguide/C/package-management.xml:389(para)
"In addition to the officially supported package repositories available for "
"Ubuntu, there exist additional community-maintained repositories which add "
"thousands more potential packages for installation. Two of the most popular "
"are the <emphasis>Universe</emphasis> and <emphasis>Multiverse</emphasis> "
"repositories. These repositories are not officially supported by Ubuntu, but "
"because they are maintained by the community they generally provide packages "
"which are safe for use with your Ubuntu computer."
#: serverguide/C/package-management.xml:392(para)
"Packages in the <emphasis>Multiverse</emphasis> repository often have "
"licensing issues that prevent them from being distributed with a free "
"operating system, and they may be illegal in your locality."
#: serverguide/C/package-management.xml:394(para)
"Be advised that neither the <emphasis>Universe</emphasis> or "
"<emphasis>Multiverse</emphasis> repositories contain officially supported "
"packages. In particular, there may not be security updates for these "
#: serverguide/C/package-management.xml:398(para)
"Many other package sources are available, sometimes even offering only one "
"package, as in the case of package sources provided by the developer of a "
"single application. You should always be very careful and cautious when "
"using non-standard package sources, however. Research the source and "
"packages carefully before performing any installation, as some package "
"sources and their packages could render your system unstable or non-"
"functional in some respects."
#: serverguide/C/package-management.xml:401(para)
"By default, the <emphasis>Universe</emphasis> and "
"<emphasis>Multiverse</emphasis> repositories are enabled but if you would "
"like to disable them edit <filename>/etc/apt/sources.list</filename> and "
"comment the following lines:"
"deb http://archive.ubuntu.com/ubuntu intrepid universe multiverse\n"
"deb-src http://archive.ubuntu.com/ubuntu intrepid universe multiverse\n"
"deb http://us.archive.ubuntu.com/ubuntu/ intrepid universe\n"
"deb-src http://us.archive.ubuntu.com/ubuntu/ intrepid universe\n"
"deb http://us.archive.ubuntu.com/ubuntu/ intrepid-updates universe\n"
"deb-src http://us.archive.ubuntu.com/ubuntu/ intrepid-updates universe\n"
"deb http://us.archive.ubuntu.com/ubuntu/ intrepid multiverse\n"
"deb-src http://us.archive.ubuntu.com/ubuntu/ intrepid multiverse\n"
"deb http://us.archive.ubuntu.com/ubuntu/ intrepid-updates multiverse\n"
"deb-src http://us.archive.ubuntu.com/ubuntu/ intrepid-updates multiverse\n"
"deb http://security.ubuntu.com/ubuntu intrepid-security universe\n"
"deb-src http://security.ubuntu.com/ubuntu intrepid-security universe\n"
"deb http://security.ubuntu.com/ubuntu intrepid-security multiverse\n"
"deb-src http://security.ubuntu.com/ubuntu intrepid-security multiverse\n"
msgid "Adding Repositories HOWTO (Ubuntu Wiki)"
#: serverguide/C/network-config.xml:13(title)
#: serverguide/C/network-config.xml:14(para)
"Networks consist of two or more devices, such as computer systems, printers, "
"and related equipment which are connected by either physical cabling or "
"wireless links for the purpose of sharing and distributing information among "
"the connected devices."
#: serverguide/C/network-config.xml:20(para)
"This section provides general and specific information pertaining to "
"networking, including an overview of network concepts and detailed "
"discussion of popular network protocols."
#: serverguide/C/network-config.xml:26(title)
msgid "Network Configuration"
#: serverguide/C/network-config.xml:27(para)
"Ubuntu ships with a number of graphical utilities to configure your network "
"devices. This document is geared toward server administrators and will focus "
"on managing your network on the command line."
#: serverguide/C/network-config.xml:33(title)
#: serverguide/C/network-config.xml:34(para)
"Most Ethernet configuration is centralized in a single file, "
"<filename>/etc/network/interfaces</filename>. If you have no Ethernet "
"devices, only the loopback interface will appear in this file, and it will "
"look something like this:"
#: serverguide/C/network-config.xml:40(programlisting)
"# This file describes the network interfaces available on your system\n"
"# and how to activate them. For more information, see interfaces(5).\n"
"# The loopback network interface\n"
"iface lo inet loopback\n"
"address 127.0.0.1\n"
"netmask 255.0.0.0\n"
#: serverguide/C/network-config.xml:50(para)
"If you have only one Ethernet device, eth0, and it gets its configuration "
"from a DHCP server, and it should come up automatically at boot, only two "
"additional lines are required:"
#: serverguide/C/network-config.xml:55(programlisting)
"iface eth0 inet dhcp\n"
#: serverguide/C/network-config.xml:59(para)
"The first line specifies that the eth0 device should come up automatically "
"when you boot. The second line means that interface (<quote>iface</quote>) "
"eth0 should have an IPv4 address space (replace <quote>inet</quote> with "
"<quote>inet6</quote> for an IPv6 device) and that it should get its "
"configuration automatically from DHCP. Assuming your network and DHCP server "
"are properly configured, this machine's network should need no further "
"configuration to operate properly. The DHCP server will provide the default "
"gateway (implemented via the <application>route</application> command), the "
"device's IP address (implemented via the <application>ifconfig</application> "
"command), and DNS servers used on the network (implemented in the "
"<filename>/etc/resolv.conf</filename> file.)"
#: serverguide/C/network-config.xml:72(para)
"To configure your Ethernet device with a static IP address and custom "
"configuration, some more information will be required. Suppose you want to "
"assign the IP address 192.168.0.2 to the device eth1, with the typical "
"netmask of 255.255.255.0. Your default gateway's IP address is 192.168.0.1. "
"You would enter something like this into "
"<filename>/etc/network/interfaces</filename>:"
#: serverguide/C/network-config.xml:79(programlisting)
"iface eth1 inet static\n"
"\taddress 192.168.0.2\n"
"\tnetmask 255.255.255.0\n"
"\tgateway 192.168.0.1\n"
#: serverguide/C/network-config.xml:85(para)
"In this case, you will need to specify your DNS servers manually in "
"<filename>/etc/resolv.conf</filename>, which should look something like this:"
#: serverguide/C/network-config.xml:89(programlisting)
"search mydomain.example\n"
"nameserver 192.168.0.1\n"
"nameserver 4.2.2.2\n"
#: serverguide/C/network-config.xml:94(para)
"The <emphasis role=\"italics\">search</emphasis> directive will append "
"mydomain.example to hostname queries in an attempt to resolve names to your "
"network. For example, if your network's domain is mydomain.example and you "
"try to ping the host <quote>mybox</quote>, the DNS query will be modified to "
"<quote>mybox.mydomain.example</quote> for resolution. The <emphasis "
"role=\"italics\">nameserver</emphasis> directives specify DNS servers to be "
"used to resolve hostnames to IP addresses. If you use your own nameserver, "
"enter it here. Otherwise, ask your Internet Service Provider for the primary "
"and secondary DNS servers to use, and enter them into "
"<filename>/etc/resolv.conf</filename> as shown above."
#: serverguide/C/network-config.xml:106(para)
"Many more configurations are possible, including dialup PPP interfaces, IPv6 "
"networking, VPN devices, etc. Refer to <application>man 5 "
"interfaces</application> for more information and supported options. "
"Remember that <filename>/etc/network/interfaces</filename> is used by the "
"<application>ifup</application>/<application>ifdown</application> scripts as "
"a higher level configuration scheme than may be used in some other Linux "
"distributions, and that the traditional, lower level utilities such as "
"<application>ifconfig</application>, <application>route</application>, and "
"<application>dhclient</application> are still available to you for ad hoc "
#: serverguide/C/network-config.xml:120(title)
msgid "Managing DNS Entries"
#: serverguide/C/network-config.xml:121(para)
"This section explains how to configure which nameserver to use when "
"resolving IP addresses to hostnames and vice versa. It does not explain how "
"to configure the system as a name server."
#: serverguide/C/network-config.xml:126(para)
"To manage DNS entries, you can add, edit, or remove DNS names from the "
"<filename>/etc/resolv.conf</filename> file. A sample file is given below:"
#: serverguide/C/network-config.xml:130(programlisting)
"nameserver 204.11.126.131\n"
"nameserver 64.125.134.133\n"
"nameserver 64.125.134.132\n"
"nameserver 208.185.179.218\n"
#: serverguide/C/network-config.xml:138(para)
"The <application>search</application> key specifies the string which will be "
"appended to an incomplete hostname. Here, we have configured it to "
"<application>com</application>. So, when we run: <command>ping "
"ubuntu</command> it would be interpreted as <command>ping "
"ubuntu.com</command>."
#: serverguide/C/network-config.xml:146(para)
"The <application>nameserver</application> key specifies the nameserver IP "
"address. It will be used to resolve a given IP address or hostname. This "
"file can have multiple nameserver entries. The nameservers will be used by "
"the network query in the same order."
#: serverguide/C/network-config.xml:155(para)
"If the DNS server names are retrieved dynamically from DHCP or PPPoE "
"(retrieved from your ISP), do not add nameserver entries in this file. It "
"will be overwritten."
#: serverguide/C/network-config.xml:164(title)
msgid "Managing Hosts"
#: serverguide/C/network-config.xml:165(para)
"To manage hosts, you can add, edit, or remove hosts from "
"<filename>/etc/hosts</filename> file. The file contains IP addresses and "
"their corresponding hostnames. When your system tries to resolve a hostname "
"to an IP address or determine the hostname for an IP address, it refers to "
"the <filename>/etc/hosts</filename> file before using the name servers. If "
"the IP address is listed in the <filename>/etc/hosts</filename> file, the "
"name servers are not used. This behavior can be modified by editing "
"<filename>/etc/nsswitch.conf</filename> at your peril."
#: serverguide/C/network-config.xml:178(para)
"If your network contains computers whose IP addresses are not listed in DNS, "
"it is recommended that you add them to the <filename>/etc/hosts</filename> "
#: serverguide/C/network-config.xml:186(title)
#: serverguide/C/network-config.xml:188(para)
"Bridging multiple interfaces is a more advanced configuration, but is very "
"useful in multiple scenarios. One scenario is setting up a bridge with "
"multiple network interfaces, then using a firewall to filter traffic between "
"two network segments. Another scenario is using bridge on a system with one "
"interface to allow virtual machines direct access to the outside network. "
"The following example covers the latter scenario."
#: serverguide/C/network-config.xml:195(para)
"Before configuring a bridge you will need to install the <application>bridge-"
"utils</application> package. To install the package, in a terminal enter:"
#: serverguide/C/network-config.xml:201(command)
msgid "sudo apt-get install bridge-utils"
#: serverguide/C/network-config.xml:204(para)
"Next, configure the bridge by editing "
"<filename>/etc/network/interfaces</filename>:"
#: serverguide/C/network-config.xml:208(programlisting)
"iface lo inet loopback\n"
"iface br0 inet static\n"
" address 192.168.0.10\n"
" network 192.168.0.0\n"
" netmask 255.255.255.0\n"
" broadcast 192.168.0.255\n"
" gateway 192.168.0.1\n"
" bridge_ports eth0\n"
" bridge_maxage 12\n"
#: serverguide/C/network-config.xml:227(para)
msgid "Enter the appropriate values for your physical interface and network."
#: serverguide/C/network-config.xml:232(para)
msgid "Now restart networking to enable the bridge interface:"
#: serverguide/C/network-config.xml:240(para)
"If setting up a bridge interface using Ubuntu Desktop Edition, or if "
"<application>dhcdbd</application> is installed, the "
"<application>dhcdbd</application> daemon will need to be stopped and "
#: serverguide/C/network-config.xml:245(para)
"After configuring the bridge in "
"<filename>/etc/network/interfaces</filename>, shutdown "
"<application>dhcdbd</application> by:"
#: serverguide/C/network-config.xml:250(command)
msgid "sudo /etc/init.d/dhcdbd stop"
#: serverguide/C/network-config.xml:253(para)
msgid "Now to disable it from starting on boot enter:"
#: serverguide/C/network-config.xml:258(command)
msgid "sudo update-rc.d -f dhcdbd remove"
#: serverguide/C/network-config.xml:261(para)
"The new bridge interface should now be up and running. The "
"<application>brctl</application> provides useful information about the state "
"of the bridge, controls which interfaces are part of the bridge, etc. See "
"<command>man brctl</command> for more information."
#: serverguide/C/network-config.xml:270(title)
#: serverguide/C/network-config.xml:271(para)
"The Transmission Control Protocol and Internet Protocol (TCP/IP) is a "
"standard set of protocols developed in the late 1970s by the Defense "
"Advanced Research Projects Agency (DARPA) as a means of communication "
"between different types of computers and computer networks. TCP/IP is the "
"driving force of the Internet, and thus it is the most popular set of "
"network protocols on Earth."
#: serverguide/C/network-config.xml:279(title)
msgid "TCP/IP Introduction"
#: serverguide/C/network-config.xml:280(para)
"The two protocol components of TCP/IP deal with different aspects of "
"computer networking. <emphasis>Internet Protocol</emphasis>, the \"IP\" of "
"TCP/IP is a connectionless protocol which deals only with network packet "
"routing using the <emphasis role=\"italics\">IP Datagram</emphasis> as the "
"basic unit of networking information. The IP Datagram consists of a header "
"followed by a message. The <emphasis> Transmission Control "
"Protocol</emphasis> is the \"TCP\" of TCP/IP and enables network hosts to "
"establish connections which may be used to exchange data streams. TCP also "
"guarantees that the data between connections is delivered and that it "
"arrives at one network host in the same order as sent from another network "
#: serverguide/C/network-config.xml:293(title)
msgid "TCP/IP Configuration"
#: serverguide/C/network-config.xml:294(para)
"The TCP/IP protocol configuration consists of several elements which must be "
"set by editing the appropriate configuration files, or deploying solutions "
"such as the Dynamic Host Configuration Protocol (DHCP) server which in turn, "
"can be configured to provide the proper TCP/IP configuration settings to "
"network clients automatically. These configuration values must be set "
"correctly in order to facilitate the proper network operation of your Ubuntu "
#: serverguide/C/network-config.xml:306(para)
"<emphasis role=\"bold\">IP address</emphasis> The IP address is a unique "
"identifying string expressed as four decimal numbers ranging from zero (0) "
"to two-hundred and fifty-five (255), separated by periods, with each of the "
"four numbers representing eight (8) bits of the address for a total length "
"of thirty-two (32) bits for the whole address. This format is called "
"<emphasis>dotted quad notation</emphasis>."
#: serverguide/C/network-config.xml:316(para)
"<emphasis role=\"bold\">Netmask</emphasis> The Subnet Mask (or simply, "
"<emphasis>netmask</emphasis>) is a local bit mask, or set of flags which "
"separate the portions of an IP address significant to the network from the "
"bits significant to the <emphasis>subnetwork</emphasis>. For example, in a "
"Class C network, the standard netmask is 255.255.255.0 which masks the first "
"three bytes of the IP address and allows the last byte of the IP address to "
"remain available for specifying hosts on the subnetwork."
#: serverguide/C/network-config.xml:327(para)
"<emphasis role=\"bold\">Network Address</emphasis> The Network Address "
"represents the bytes comprising the network portion of an IP address. For "
"example, the host 12.128.1.2 in a Class A network would use 12.0.0.0 as the "
"network address, where twelve (12) represents the first byte of the IP "
"address, (the network part) and zeroes (0) in all of the remaining three "
"bytes to represent the potential host values. A network host using the "
"private IP address 192.168.1.100 would in turn use a Network Address of "
"192.168.1.0, which specifies the first three bytes of the Class C 192.168.1 "
"network and a zero (0) for all the possible hosts on the network."
#: serverguide/C/network-config.xml:340(para)
"<emphasis role=\"bold\">Broadcast Address</emphasis> The Broadcast Address "
"is an IP address which allows network data to be sent simultaneously to all "
"hosts on a given subnetwork rather than specifying a particular host. The "
"standard general broadcast address for IP networks is 255.255.255.255, but "
"this broadcast address cannot be used to send a broadcast message to every "
"host on the Internet because routers block it. A more appropriate broadcast "
"address is set to match a specific subnetwork. For example, on the private "
"Class C IP network, 192.168.1.0, the broadcast address is 192.168.1.255. "
"Broadcast messages are typically produced by network protocols such as the "
"Address Resolution Protocol (ARP) and the Routing Information Protocol (RIP)."
#: serverguide/C/network-config.xml:353(para)
"<emphasis role=\"bold\">Gateway Address</emphasis> A Gateway Address is the "
"IP address through which a particular network, or host on a network, may be "
"reached. If one network host wishes to communicate with another network "
"host, and that host is not located on the same network, then a "
"<emphasis>gateway</emphasis> must be used. In many cases, the Gateway "
"Address will be that of a router on the same network, which will in turn "
"pass traffic on to other networks or hosts, such as Internet hosts. The "
"value of the Gateway Address setting must be correct, or your system will "
"not be able to reach any hosts beyond those on the same network."
#: serverguide/C/network-config.xml:364(para)
"<emphasis role=\"bold\">Nameserver Address</emphasis> Nameserver Addresses "
"represent the IP addresses of Domain Name Service (DNS) systems, which "
"resolve network hostnames into IP addresses. There are three levels of "
"Nameserver Addresses, which may be specified in order of precedence: The "
"<emphasis>Primary</emphasis> Nameserver, the <emphasis>Secondary</emphasis> "
"Nameserver, and the <emphasis>Tertiary</emphasis> Nameserver. In order for "
"your system to be able to resolve network hostnames into their corresponding "
"IP addresses, you must specify valid Nameserver Addresses which you are "
"authorized to use in your system's TCP/IP configuration. In many cases these "
"addresses can and will be provided by your network service provider, but "
"many free and publicly accessible nameservers are available for use, such as "
"the Level3 (Verizon) servers with IP addresses from 4.2.2.1 to 4.2.2.6."
#: serverguide/C/network-config.xml:378(para)
"The IP address, Netmask, Network Address, Broadcast Address, and Gateway "
"Address are typically specified via the appropriate directives in the file "
"<filename>/etc/network/interfaces</filename>. The Nameserver Addresses are "
"typically specified via <emphasis>nameserver</emphasis> directives in the "
"file <filename>/etc/resolv.conf</filename>. For more information, view the "
"system manual page for <filename>interfaces</filename> or "
"<filename>resolv.conf</filename> respectively, with the following commands "
"typed at a terminal prompt:"
#: serverguide/C/network-config.xml:385(para)
"Access the system manual page for <filename>interfaces</filename> with the "
"following command:"
#: serverguide/C/network-config.xml:390(command)
msgid "man interfaces"
#: serverguide/C/network-config.xml:393(para)
"Access the system manual page for <filename>resolv.conf</filename> with the "
"following command:"
#: serverguide/C/network-config.xml:397(command)
msgid "man resolv.conf"
#: serverguide/C/network-config.xml:302(para)
"The common configuration elements of TCP/IP and their purposes are as "
"follows: <placeholder-1/>"
#: serverguide/C/network-config.xml:404(title)
#: serverguide/C/network-config.xml:405(para)
"IP routing is a means of specifying and discovering paths in a TCP/IP "
"network along which network data may be sent. Routing uses a set of "
"<emphasis>routing tables</emphasis> to direct the forwarding of network data "
"packets from their source to the destination, often via many intermediary "
"network nodes known as <emphasis>routers</emphasis>. There are two primary "
"forms of IP routing: <emphasis>Static Routing</emphasis> and "
"<emphasis>Dynamic Routing.</emphasis>"
#: serverguide/C/network-config.xml:414(para)
"Static routing involves manually adding IP routes to the system's routing "
"table, and this is usually done by manipulating the routing table with the "
"<application>route</application> command. Static routing enjoys many "
"advantages over dynamic routing, such as simplicity of implementation on "
"smaller networks, predictability (the routing table is always computed in "
"advance, and thus the route is precisely the same each time it is used), and "
"low overhead on other routers and network links due to the lack of a dynamic "
"routing protocol. However, static routing does present some disadvantages as "
"well. For example, static routing is limited to small networks and does not "
"scale well. Static routing also fails completely to adapt to network outages "
"and failures along the route due to the fixed nature of the route."
#: serverguide/C/network-config.xml:424(para)
"Dynamic routing depends on large networks with multiple possible IP routes "
"from a source to a destination and makes use of special routing protocols, "
"such as the Router Information Protocol (RIP), which handle the automatic "
"adjustments in routing tables that make dynamic routing possible. Dynamic "
"routing has several advantages over static routing, such as superior "
"scalability and the ability to adapt to failures and outages along network "
"routes. Additionally, there is less manual configuration of the routing "
"tables, since routers learn from one another about their existence and "
"available routes. This trait also eliminates the possibility of introducing "
"mistakes in the routing tables via human error. Dynamic routing is not "
"perfect, however, and presents disadvantages such as heightened complexity "
"and additional network overhead from router communications, which does not "
"immediately benefit the end users, but still consumes network bandwidth."
#: serverguide/C/network-config.xml:438(title)
#: serverguide/C/network-config.xml:439(para)
"TCP is a connection-based protocol, offering error correction and guaranteed "
"delivery of data via what is known as <emphasis>flow control</emphasis>. "
"Flow control determines when the flow of a data stream needs to be stopped, "
"and previously sent data packets should to be re-sent due to problems such "
"as <emphasis>collisions</emphasis>, for example, thus ensuring complete and "
"accurate delivery of the data. TCP is typically used in the exchange of "
"important information such as database transactions."
#: serverguide/C/network-config.xml:447(para)
"The User Datagram Protocol (UDP), on the other hand, is a "
"<emphasis>connectionless</emphasis> protocol which seldom deals with the "
"transmission of important data because it lacks flow control or any other "
"method to ensure reliable delivery of the data. UDP is commonly used in such "
"applications as audio and video streaming, where it is considerably faster "
"than TCP due to the lack of error correction and flow control, and where the "
"loss of a few packets is not generally catastrophic."
#: serverguide/C/network-config.xml:457(title)
#: serverguide/C/network-config.xml:458(para)
"The Internet Control Messaging Protocol (ICMP) is an extension to the "
"Internet Protocol (IP) as defined in the Request For Comments (RFC) #792 and "
"supports network packets containing control, error, and informational "
"messages. ICMP is used by such network applications as the "
"<application>ping</application> utility, which can determine the "
"availability of a network host or device. Examples of some error messages "
"returned by ICMP which are useful to both network hosts and devices such as "
"routers, include <emphasis>Destination Unreachable</emphasis> and "
"<emphasis>Time Exceeded</emphasis>."
#: serverguide/C/network-config.xml:468(title)
#: serverguide/C/network-config.xml:469(para)
"Daemons are special system applications which typically execute continuously "
"in the background and await requests for the functions they provide from "
"other applications. Many daemons are network-centric; that is, a large "
"number of daemons executing in the background on an Ubuntu system may "
"provide network-related functionality. Some examples of such network daemons "
"include the <emphasis>Hyper Text Transport Protocol Daemon</emphasis> "
"(httpd), which provides web server functionality; the <emphasis>Secure SHell "
"Daemon</emphasis> (sshd), which provides secure remote login shell and file "
"transfer capabilities; and the <emphasis>Internet Message Access Protocol "
"Daemon</emphasis> (imapd), which provides E-Mail services."
#: serverguide/C/network-config.xml:482(title)
msgid "Dynamic Host Configuration Protocol (DHCP)"
#: serverguide/C/network-config.xml:483(para)
"The Dynamic Host Configuration Protocol (DHCP) is a network service that "
"enables host computers to be automatically assigned settings from a server "
"as opposed to manually configuring each network host. Computers configured "
"to be DHCP clients have no control over the settings they receive from the "
"DHCP server, and the configuration is transparent to the computer's user."
#: serverguide/C/network-config.xml:490(para)
"The most common settings provided by a DHCP server to DHCP clients include:"
#: serverguide/C/network-config.xml:495(para)
msgid "IP-Address and Netmask"
#: serverguide/C/network-config.xml:498(para)
#: serverguide/C/network-config.xml:501(para)
#: serverguide/C/network-config.xml:504(para)
"However, a DHCP server can also supply configuration properties such as:"
#: serverguide/C/network-config.xml:509(para)
#: serverguide/C/network-config.xml:512(para)
#: serverguide/C/network-config.xml:515(para)
msgid "Default Gateway"
#: serverguide/C/network-config.xml:518(para)
#: serverguide/C/network-config.xml:521(para)
msgid "Print Server"
#: serverguide/C/network-config.xml:524(para)
"The advantage of using DHCP is that changes to the network, for example a "
"change in the address of the DNS server, need only be changed at the DHCP "
"server, and all network hosts will be reconfigured the next time their DHCP "
"clients poll the DHCP server. As an added advantage, it is also easier to "
"integrate new computers into the network, as there is no need to check for "
"the availability of an IP address. Conflicts in IP address allocation are "
#: serverguide/C/network-config.xml:532(para)
msgid "A DHCP server can provide configuration settings using two methods:"
#: serverguide/C/network-config.xml:537(term)
#: serverguide/C/network-config.xml:539(para)
"This method entails using DHCP to identify the unique hardware address of "
"each network card connected to the network and then continually supplying a "
"constant configuration each time the DHCP client makes a request to the DHCP "
"server using that network device."
#: serverguide/C/network-config.xml:548(term)
msgid "Address Pool"
#: serverguide/C/network-config.xml:550(para)
"This method entails defining a pool (sometimes also called a range or scope) "
"of IP addresses from which DHCP clients are supplied their configuration "
"properties dynamically and on a fist come first serve basis. When a DHCP "
"client is no longer on the network for a specified period, the configuration "
"is expired and released back to the address pool for use by other DHCP "
#: serverguide/C/network-config.xml:561(para)
"Ubuntu is shipped with both DHCP server and client. The server is "
"<application>dhcpd</application> (dynamic host configuration protocol "
"daemon). The client provided with Ubuntu is "
"<application>dhclient</application> and should be installed on all computers "
"required to be automatically configured. Both programs are easy to install "
"and configure and will be automatically started at system boot."
#: serverguide/C/network-config.xml:571(para)
"At a terminal prompt, enter the following command to install "
"<application>dhcpd</application>:"
#: serverguide/C/network-config.xml:576(command)
msgid "sudo apt-get install dhcp3-server"
#: serverguide/C/network-config.xml:578(para)
"You will probably need to change the default configuration by editing "
"/etc/dhcp3/dhcpd.conf to suit your needs and particular configuration."
#: serverguide/C/network-config.xml:582(para)
"You also need to edit /etc/default/dhcp3-server to specify the interfaces "
"dhcpd should listen to. By default it listens to eth0."
#: serverguide/C/network-config.xml:586(para)
"NOTE: dhcpd's messages are being sent to syslog. Look there for diagnostics "
#: serverguide/C/network-config.xml:593(para)
"The error message the installation ends with might be a little confusing, "
"but the following steps will help you configure the service:"
#: serverguide/C/network-config.xml:597(para)
"Most commonly, what you want to do is assign an IP address randomly. This "
"can be done with settings as follows:"
#: serverguide/C/network-config.xml:601(programlisting)
"# Sample /etc/dhcpd.conf\n"
"# (add your comments here) \n"
"default-lease-time 600;\n"
"max-lease-time 7200;\n"
"option subnet-mask 255.255.255.0;\n"
"option broadcast-address 192.168.1.255;\n"
"option routers 192.168.1.254;\n"
"option domain-name-servers 192.168.1.1, 192.168.1.2;\n"
"option domain-name \"mydomain.example\";\n"
"subnet 192.168.1.0 netmask 255.255.255.0 {\n"
"range 192.168.1.10 192.168.1.100;\n"
"range 192.168.1.150 192.168.1.200;\n"
#: serverguide/C/network-config.xml:617(para)
"This will result in the DHCP server giving a client an IP address from the "
"range 192.168.1.10-192.168.1.100 or 192.168.1.150-192.168.1.200. It will "
"lease an IP address for 600 seconds if the client doesn't ask for a specific "
"time frame. Otherwise the maximum (allowed) lease will be 7200 seconds. The "
"server will also \"advise\" the client that it should use 255.255.255.0 as "
"its subnet mask, 192.168.1.255 as its broadcast address, 192.168.1.254 as "
"the router/gateway and 192.168.1.1 and 192.168.1.2 as its DNS servers."
#: serverguide/C/network-config.xml:626(para)
"If you need to specify a WINS server for your Windows clients, you will need "
"to include the netbios-name-servers option, e.g."
#: serverguide/C/network-config.xml:630(programlisting)
"option netbios-name-servers 192.168.1.1; \n"
#: serverguide/C/network-config.xml:633(para)
"Dhcpd configuration settings are taken from the DHCP mini-HOWTO, which can "
"url=\"http://www.tldp.org/HOWTO/DHCP/index.html\">here</ulink>."
#: serverguide/C/network-config.xml:641(ulink)
#: serverguide/C/network-config.xml:647(title)
msgid "Time Synchronisation with NTP"
#: serverguide/C/network-config.xml:648(para)
"This page describes methods for keeping your computer's time accurate. This "
"is useful for servers, but is not necessary (or desirable) for desktop "
#: serverguide/C/network-config.xml:651(para)
"NTP is a TCP/IP protocol for synchronising time over a network. Basically a "
"client requests the current time from a server, and uses it to set its own "
#: serverguide/C/network-config.xml:654(para)
"Behind this simple description, there is a lot of complexity - there are "
"tiers of NTP servers, with the tier one NTP servers connected to atomic "
"clocks (often via GPS), and tier two and three servers spreading the load of "
"actually handling requests across the Internet. Also the client software is "
"a lot more complex than you might think - it has to factor out communication "
"delays, and adjust the time in a way that does not upset all the other "
"processes that run on the server. But luckily all that complexity is hidden "
#: serverguide/C/network-config.xml:657(para)
"Ubuntu has two ways of automatically setting your time: ntpdate and ntpd."
#: serverguide/C/network-config.xml:662(title)
#: serverguide/C/network-config.xml:663(para)
"Ubuntu comes with ntpdate as standard, and will run it once at boot time to "
"set up your time according to Ubuntu's NTP server. However, a server's clock "
"is likely to drift considerably between reboots, so it makes sense to "
"correct the time occasionally. The easiest way to do this is to get cron to "
"run ntpdate every day. With your favourite editor, as root, create a file "
"<code>/etc/cron.daily/ntpdate</code> containing:"
#: serverguide/C/network-config.xml:668(screen)
msgid "ntpdate ntp.ubuntu.com\n"
#: serverguide/C/network-config.xml:670(para)
"The file <code>/etc/cron.daily/ntpdate</code> must also be executable."
#: serverguide/C/network-config.xml:673(screen)
msgid "sudo chmod 755 /etc/cron.daily/ntpdate\n"
#: serverguide/C/network-config.xml:677(title)
#: serverguide/C/network-config.xml:678(para)
"ntpdate is a bit of a blunt instrument - it can only adjust the time once a "
"day, in one big correction. The ntp daemon ntpd is far more subtle. It "
"calculates the drift of your system clock and continuously adjusts it, so "
"there are no large corrections that could lead to inconsistent logs for "
"instance. The cost is a little processing power and memory, but for a modern "
"server this is negligible."
#: serverguide/C/network-config.xml:681(para)
msgid "To set up ntpd:"
#: serverguide/C/network-config.xml:682(screen)
msgid "sudo apt-get install ntp\n"
#: serverguide/C/network-config.xml:687(title)
msgid "Changing Time Servers"
#: serverguide/C/network-config.xml:688(para)
"In both cases above, your system will use Ubuntu's NTP server at "
"<code>ntp.ubuntu.com</code> by default. This is OK, but you might want to "
"use several servers to increase accuracy and resilience, and you may want to "
"use time servers that are geographically closer to you. to do this for "
"ntpdate, change the contents of <code>/etc/cron.daily/ntpdate</code> to:"
#: serverguide/C/network-config.xml:695(screen)
msgid "ntpdate ntp.ubuntu.com pool.ntp.org \n"
#: serverguide/C/network-config.xml:697(para)
"And for ntpd edit <code>/etc/ntp.conf</code> to include additional server "
#: serverguide/C/network-config.xml:702(screen)
"server ntp.ubuntu.com\n"
"server pool.ntp.org\n"
#: serverguide/C/network-config.xml:705(para)
"You may notice <code>pool.ntp.org</code> in the examples above. This is a "
"really good idea which uses round-robin DNS to return an NTP server from a "
"pool, spreading the load between several different servers. Even better, "
"they have pools for different regions - for instance, if you are in New "
"Zealand, so you could use <code>nz.pool.ntp.org</code> instead of "
"<code>pool.ntp.org</code> . Look at <ulink "
"url=\"http://www.pool.ntp.org/\">http://www.pool.ntp.org/</ulink> for more "
#: serverguide/C/network-config.xml:716(para)
"You can also Google for NTP servers in your region, and add these to your "
"configuration. To test that a server works, just type <code>sudo ntpdate "
"ntp.server.name</code> and see what happens."
#: serverguide/C/network-config.xml:724(title)
msgid "Related Pages"
#: serverguide/C/network-config.xml:728(ulink)
#: serverguide/C/network-config.xml:733(ulink)
msgid "The NTP FAQ and HOWTO"
#: serverguide/C/network-auth.xml:13(title)
msgid "Network Authentication"
#: serverguide/C/network-auth.xml:15(para)
msgid "This section explains various Network Authentication protocols."
#: serverguide/C/network-auth.xml:19(title)
msgid "OpenLDAP Server"
#: serverguide/C/network-auth.xml:20(para)
"LDAP is an acronym for Lightweight Directory Access Protocol, it is a "
"simplified version of the X.500 protocol. The directory setup in this "
"section will be used for authentication. Nevertheless, LDAP can be used in "
"numerous ways: authentication, shared directory (for mail clients), address "
#: serverguide/C/network-auth.xml:28(para)
"To describe LDAP quickly, all information is stored in a tree structure. "
"With <application>OpenLDAP</application> you have freedom to determine the "
"directory arborescence (the Directory Information Tree: the DIT) yourself. "
"We will begin with a basic tree containing two nodes below the root:"
#: serverguide/C/network-auth.xml:37(para)
msgid "\"People\" node where your users will be stored"
#: serverguide/C/network-auth.xml:40(para)
msgid "\"Groups\" node where your groups will be stored"
#: serverguide/C/network-auth.xml:44(para)
"Before beginning, you should determine what the root of your LDAP directory "
"will be. By default, your tree will be determined by your Fully Qualified "
"Domain Name (FQDN). If your domain is example.com (which we will use in this "
"example), your root node will be dc=example,dc=com."
#: serverguide/C/network-auth.xml:54(para)
"First, install the <application>OpenLDAP</application> server daemon "
"<application>slapd</application> and <application>ldap-utils</application>, "
"a package containing LDAP management utilities:"
#: serverguide/C/network-auth.xml:60(command)
msgid "sudo apt-get install slapd ldap-utils"
#: serverguide/C/network-auth.xml:63(para)
"The installation process will prompt you for the LDAP directory admin "
"password and confirmation."
#: serverguide/C/network-auth.xml:68(para)
"By default the directory suffix will match the domain name of the server. "
"For example, if the machine's Fully Qualified Domain Name (FQDN) is "
"ldap.example.com, the default suffix will be "
"<emphasis>dc=example,dc=com</emphasis>. If you require a different suffix, "
"the directory can be reconfigured using <application>dpkg-"
"reconfigure</application>. Enter the following in a terminal prompt:"
#: serverguide/C/network-auth.xml:78(command)
msgid "sudo dpkg-reconfigure slapd"
#: serverguide/C/network-auth.xml:81(para)
"You will then be taken through a menu based configuration dialog, allowing "
"you to configure various <application>slapd</application> options."
#: serverguide/C/network-auth.xml:90(para)
"<application>OpenLDAP</application> uses a separate database which contains "
"the <emphasis>cn=config</emphasis> Directory Information Tree (DIT). The "
"<emphasis>cn=config</emphasis> DIT is used to dynamically configure the "
"<application>slapd</application> daemon, allowing the modification of schema "
"definitions, indexes, ACLs, etc without stopping the service."
#: serverguide/C/network-auth.xml:98(para)
"The <emphasis>cn=config</emphasis> tree can be manipulated using the "
"utilities in the <application>ldap-utils</application> package. For example:"
#: serverguide/C/network-auth.xml:106(para)
"Use <application>ldapsearch</application> to view the tree, entering the "
"admin password set during installation or reconfiguration:"
#: serverguide/C/network-auth.xml:112(command)
"ldapsearch -xLLL -b cn=config -D cn=admin,cn=config -W olcDatabase={1}hdb"
#: serverguide/C/network-auth.xml:116(computeroutput)
"Enter LDAP Password: \n"
"dn: olcDatabase={1}hdb,cn=config\n"
"objectClass: olcDatabaseConfig\n"
"objectClass: olcHdbConfig\n"
"olcDatabase: {1}hdb\n"
"olcDbDirectory: /var/lib/ldap\n"
"olcSuffix: dc=example,dc=com\n"
"olcAccess: {0}to attrs=userPassword,shadowLastChange by "
"dn=\"cn=admin,dc=exampl\n"
" e,dc=com\" write by anonymous auth by self write by * none\n"
"olcAccess: {1}to dn.base=\"\" by * read\n"
"olcAccess: {2}to * by dn=\"cn=admin,dc=example,dc=com\" write by * read\n"
"olcLastMod: TRUE\n"
"olcDbCheckpoint: 512 30\n"
"olcDbConfig: {0}set_cachesize 0 2097152 0\n"
"olcDbConfig: {1}set_lk_max_objects 1500\n"
"olcDbConfig: {2}set_lk_max_locks 1500\n"
"olcDbConfig: {3}set_lk_max_lockers 1500\n"
"olcDbIndex: objectClass eq\n"
#: serverguide/C/network-auth.xml:137(para)
"The output above is the current configuration options for the "
"<emphasis>hdb</emphasis> backend database. Which in this case containes the "
"<emphasis>dc=example,dc=com</emphasis> suffix."
#: serverguide/C/network-auth.xml:146(para)
"Refine the search by supplying a <emphasis "
"role=\"italic\">filter</emphasis>, in this case only show which attributes "
#: serverguide/C/network-auth.xml:152(command)
"ldapsearch -xLLL -b cn=config -D cn=admin,cn=config -W olcDatabase={1}hdb "
#: serverguide/C/network-auth.xml:156(computeroutput)
"Enter LDAP Password: \n"
"dn: olcDatabase={1}hdb,cn=config\n"
"olcDbIndex: objectClass eq\n"
#: serverguide/C/network-auth.xml:165(para)
"As an example of modifying the <emphasis>cn=config</emphasis> tree, add "
"another attribute to the index list using "
"<application>ldapmodify</application>:"
#: serverguide/C/network-auth.xml:171(command) serverguide/C/network-auth.xml:721(command) serverguide/C/network-auth.xml:823(command) serverguide/C/network-auth.xml:846(command)
msgid "ldapmodify -x -D cn=admin,cn=config -W"
"dn: olcDatabase={1}hdb,cn=config\n"
"olcDbIndex: cn eq,pres,sub"
#: serverguide/C/network-auth.xml:175(computeroutput)
"Enter LDAP Password:<placeholder-1/>\n"
"modifying entry \"olcDatabase={1}hdb,cn=config\"\n"
#: serverguide/C/network-auth.xml:184(para)
"Once the modification has completed, press <emphasis>Ctrl+D</emphasis> to "
#: serverguide/C/network-auth.xml:191(para)
"<application>ldapmodify</application> can also read the changes from a file. "
"Copy and paste the following into a file named "
"<filename>uid_index.ldif</filename>:"
#: serverguide/C/network-auth.xml:196(programlisting)
"dn: olcDatabase={1}hdb,cn=config\n"
"olcDbIndex: uid eq,pres,sub\n"
#: serverguide/C/network-auth.xml:202(para)
msgid "Then execute <application>ldapmodify</application>:"
#: serverguide/C/network-auth.xml:207(command)
msgid "ldapmodify -x -D cn=admin,cn=config -W -f uid_index.ldif"
#: serverguide/C/network-auth.xml:211(computeroutput)
"Enter LDAP Password: \n"
"modifying entry \"olcDatabase={1}hdb,cn=config\"\n"
#: serverguide/C/network-auth.xml:216(para)
msgid "The file method is very useful for large changes."
#: serverguide/C/network-auth.xml:223(para)
"Adding additional <emphasis>schemas</emphasis> to "
"<application>slapd</application> requires the schema to be converted to LDIF "
"format. Fortunately, the <application>slapd</application> program can be "
"used to automate the conversion. The following example will add the "
"<emphasis>misc.schema</emphasis>:"
#: serverguide/C/network-auth.xml:231(para)
"First, create a conversion <filename>schema_convert.conf</filename> file "
"containing the following lines:"
#: serverguide/C/network-auth.xml:236(programlisting)
"include /etc/ldap/schema/core.schema\n"
"include /etc/ldap/schema/collective.schema\n"
"include /etc/ldap/schema/corba.schema\n"
"include /etc/ldap/schema/cosine.schema\n"
"include /etc/ldap/schema/duaconf.schema\n"
"include /etc/ldap/schema/dyngroup.schema\n"
"include /etc/ldap/schema/inetorgperson.schema\n"
"include /etc/ldap/schema/java.schema\n"
"include /etc/ldap/schema/misc.schema\n"
"include /etc/ldap/schema/nis.schema\n"
"include /etc/ldap/schema/openldap.schema\n"
"include /etc/ldap/schema/ppolicy.schema\n"
#: serverguide/C/network-auth.xml:254(para) serverguide/C/network-auth.xml:1283(para)
msgid "Next, create a temporary directory to hold the output:"
#: serverguide/C/network-auth.xml:259(command) serverguide/C/network-auth.xml:1288(command)
msgid "mkdir /tmp/ldif_output"
#: serverguide/C/network-auth.xml:265(para)
"Now using <application>slaptest</application> convert the schema files to "
#: serverguide/C/network-auth.xml:270(command) serverguide/C/network-auth.xml:1299(command)
msgid "slaptest -f schema_convert.conf -F /tmp/ldif_output"
#: serverguide/C/network-auth.xml:273(para)
"Adjust the configuration file name and temporary directory names if yours "
"are different. Also, it may be worthwhile to keep the "
"<filename>ldif_output</filename> directory around in case you want to add "
"additional schemas in the future."
#: serverguide/C/network-auth.xml:282(para)
"<filename>/tmp/ldif_output/cn=config/cn=schema/cn={8}misc.ldif</filename> "
"file, changing the following attributes:"
#: serverguide/C/network-auth.xml:287(programlisting)
"dn: cn=misc,cn=schema,cn=config\n"
#: serverguide/C/network-auth.xml:293(para) serverguide/C/network-auth.xml:1320(para)
msgid "And remove the following lines from the bottom of the file:"
#: serverguide/C/network-auth.xml:297(programlisting)
"structuralObjectClass: olcSchemaConfig\n"
"entryUUID: 10dae0ea-0760-102d-80d3-f9366b7f7757\n"
"creatorsName: cn=config\n"
"createTimestamp: 20080826021140Z\n"
"entryCSN: 20080826021140.791425Z#000000#000#000000\n"
"modifiersName: cn=config\n"
"modifyTimestamp: 20080826021140Z\n"
#: serverguide/C/network-auth.xml:308(para) serverguide/C/network-auth.xml:1335(para)
"The attribute values will vary, just be sure the attributes are removed."
#: serverguide/C/network-auth.xml:316(para) serverguide/C/network-auth.xml:1343(para)
"Finally, using the <application>ldapadd</application> utility, add the new "
"schema to the directory:"
"ldapadd -x -D cn=admin,cn=config -f /tmp/ldif_output/cn\\=config/cn\\"
"=schema/cn\\=\\{8\\}misc.ldif"
#: serverguide/C/network-auth.xml:328(para)
"There should now be a <emphasis>dn: "
"cn={4}misc,cn=schema,cn=config</emphasis> entry in the cn=config tree."
10073
#: serverguide/C/network-auth.xml:337(title)
10074
msgid "Populating LDAP"
#: serverguide/C/network-auth.xml:339(para)
"The directory has been created during installation and reconfiguration, and "
"now it is time to populate it. It will be populated with a \"classical\" "
"scheme that will be compatible with address book applications and with Unix "
"Posix accounts. Posix accounts will allow authentication to various "
"applications, such as web applications, email Mail Transfer Agent (MTA) "
"applications, etc."
#: serverguide/C/network-auth.xml:348(para)
"For external applications to authenticate using LDAP they will each need to "
"be specifically configured to do so. Refer to the individual application "
"documentation for details."
#: serverguide/C/network-auth.xml:355(para)
"LDAP directories can be populated with LDIF (LDAP Directory Interchange "
"Format) files. Copy the following example LDIF file, naming it "
"<filename>example.com.ldif</filename>, somewhere on your system:"
#: serverguide/C/network-auth.xml:361(programlisting)
"dn: ou=people,dc=example,dc=com\n"
"objectClass: organizationalUnit\n"
"dn: ou=groups,dc=example,dc=com\n"
"objectClass: organizationalUnit\n"
"dn: uid=john,ou=people,dc=example,dc=com\n"
"objectClass: inetOrgPerson\n"
"objectClass: posixAccount\n"
"objectClass: shadowAccount\n"
"givenName: John\n"
"displayName: John Doe\n"
"uidNumber: 1000\n"
"gidNumber: 10000\n"
"userPassword: password\n"
"gecos: John Doe\n"
"loginShell: /bin/bash\n"
"homeDirectory: /home/john\n"
"shadowExpire: -1\n"
"shadowWarning: 7\n"
"shadowMax: 999999\n"
"shadowLastChange: 10877\n"
"mail: john.doe@example.com\n"
"postalCode: 31000\n"
"mobile: +33 (0)6 xx xx xx xx\n"
"homePhone: +33 (0)5 xx xx xx xx\n"
"title: System Administrator\n"
"postalAddress: \n"
"dn: cn=example,ou=groups,dc=example,dc=com\n"
"objectClass: posixGroup\n"
"gidNumber: 10000\n"
#: serverguide/C/network-auth.xml:407(para)
"In this example the directory structure, a user, and a group have been "
"setup. In other examples you might see the <emphasis>objectClass: "
"top</emphasis> added in every entry, but that is the default behaviour so "
"you do not have to add it explicitly."
#: serverguide/C/network-auth.xml:414(para)
"To add the entries to the LDAP directory use the "
"<application>ldapadd</application> utility:"
#: serverguide/C/network-auth.xml:420(command)
msgid "ldapadd -x -D cn=admin,dc=example,dc=com -W -f example.com.ldif"
#: serverguide/C/network-auth.xml:423(para)
"We can check that the content has been correctly added with the tools from "
"the <application>ldap-utils</application> package. In order to execute a "
"search of the LDAP directory:"
#: serverguide/C/network-auth.xml:430(command)
msgid "ldapsearch -xLLL -b \"dc=example,dc=com\" uid=john sn givenName cn"
#: serverguide/C/network-auth.xml:431(computeroutput)
"dn: uid=john,ou=people,dc=example,dc=com\n"
"givenName: John\n"
#: serverguide/C/network-auth.xml:439(para)
msgid "Just a quick explanation:"
#: serverguide/C/network-auth.xml:445(para)
"<emphasis>-x:</emphasis> will not use SASL authentication method, which is "
#: serverguide/C/network-auth.xml:451(para)
msgid "<emphasis>-LLL:</emphasis> disable printing LDIF schema information."
#: serverguide/C/network-auth.xml:460(title)
msgid "LDAP replication"
#: serverguide/C/network-auth.xml:462(para)
"LDAP often quickly becomes a highly critical service to the network. "
"Multiple systems will come to depend on LDAP for authentication, "
"authorization, configuration, etc. It is a good idea to setup a redundant "
"system through replication."
#: serverguide/C/network-auth.xml:468(para)
"Replication is achieved using the <emphasis>Syncrepl</emphasis> engine. "
"Syncrepl allows the directory to be synced using either a "
"<emphasis>push</emphasis> or <emphasis>pull</emphasis> based system. In a "
"push based configuration a <quote>primary</quote> server will push directory "
"updates to <quote>secondary</quote> servers, while a pull based approach "
"allows replication servers to sync on a time based interval."
#: serverguide/C/network-auth.xml:476(para)
"The following is an example of a <emphasis>Multi-Master</emphasis> "
"configuration. In this configuration each OpenLDAP server is configured for "
"both <emphasis>push</emphasis> and <emphasis>pull</emphasis> replication."
#: serverguide/C/network-auth.xml:484(para)
"First, configure the server to sync the <emphasis>cn=config</emphasis> "
"database. Copy the following to a file named <filename>syncrepl_cn-"
"config.ldif</filename>:"
#: serverguide/C/network-auth.xml:489(programlisting)
"dn: cn=module{0},cn=config\n"
"changetype: modify\n"
"add: olcModuleLoad\n"
"olcModuleLoad: syncprov\n"
"changetype: modify\n"
"replace: olcServerID\n"
"olcServerID: 1 ldap://ldap01.example.com\n"
"olcServerID: 2 ldap://ldap02.example.com\n"
"dn: olcOverlay=syncprov,olcDatabase={0}config,cn=config\n"
"changetype: add\n"
"objectClass: olcOverlayConfig\n"
"objectClass: olcSyncProvConfig\n"
"olcOverlay: syncprov\n"
"dn: olcDatabase={0}config,cn=config\n"
"changetype: modify\n"
"add: olcSyncRepl\n"
"olcSyncRepl: rid=001 provider=ldap://ldap01.example.com "
"binddn=\"cn=admin,cn=config\" bindmethod=simple\n"
" credentials=secret searchbase=\"cn=config\" type=refreshAndPersist\n"
" retry=\"5 5 300 5\" timeout=1\n"
"olcSyncRepl: rid=002 provider=ldap://ldap02.example.com "
"binddn=\"cn=admin,cn=config\" bindmethod=simple\n"
" credentials=secret searchbase=\"cn=config\" type=refreshAndPersist\n"
" retry=\"5 5 300 5\" timeout=1\n"
"add: olcMirrorMode\n"
"olcMirrorMode: TRUE\n"
#: serverguide/C/network-auth.xml:524(para)
msgid "Edit the file changing:"
#: serverguide/C/network-auth.xml:530(para)
"<emphasis>ldap://ldap01.example.com</emphasis> and "
"<emphasis>ldap://ldap02.example.com</emphasis> to the hostnames of your LDAP "
#: serverguide/C/network-auth.xml:535(para)
"You can have more than two LDAP servers, and when a change is made to one of "
"them it will by synced to the rest. Be sure to increment the "
"<emphasis>olcServerID</emphasis> for each server, and the "
"<emphasis>rid</emphasis> for each <emphasis>olcSyncRepl</emphasis> entry."
#: serverguide/C/network-auth.xml:543(para)
"And adjust <emphasis>credentials=secret</emphasis> to match your admin "
#: serverguide/C/network-auth.xml:553(para)
"Next, add the LDIF file using the <application>ldapmodify</application> "
#: serverguide/C/network-auth.xml:558(command)
msgid "ldapmodify -x -D cn=admin,cn=config -W -f syncrepl_cn-config.ldif"
#: serverguide/C/network-auth.xml:564(para)
"Copy the <filename>syncrepl_cn-config.ldif</filename> file to the next LDAP "
"server and repeat the <application>ldapmodify</application> command above."
#: serverguide/C/network-auth.xml:572(para)
"Because a new module has been added, the <application>slapd</application> "
"daemon, on all replicated servers, needs to be restarted:"
#: serverguide/C/network-auth.xml:578(command) serverguide/C/network-auth.xml:776(command) serverguide/C/network-auth.xml:880(command)
msgid "sudo /etc/init.d/slapd restart"
#: serverguide/C/network-auth.xml:584(para)
"Now that the configuration database is synced between servers, the "
"<emphasis>backend</emphasis> database needs to be synced as well. Copy and "
"paste the following into another LDIF file named "
"<filename>syncrepl_backend.ldif</filename>:"
"dn: olcDatabase={1}hdb,cn=config\n"
"changetype: modify\n"
"olcRootDN: cn=admin,dc=example,dc=edu\n"
"add: olcSyncRepl\n"
"olcSyncRepl: rid=003 provider=ldap://ldap01.example.com "
"binddn=\"cn=admin,dc=example,dc=com\" \n"
" bindmethod=simple credentials=secret searchbase=\"dc=example,dc=com\" "
"type=refreshOnly \n"
" interval=00:00:00:10 retry=\"5 5 300 5\" timeout=1\n"
"olcSyncRepl: rid=004 provider=ldap://ldap02.example.com "
"binddn=\"cn=admin,dc=example,dc=com\" \n"
" bindmethod=simple credentials=secret searchbase=\"dc=example,dc=com\" "
"type=refreshOnly \n"
" interval=00:00:00:10 retry=\"5 5 300 5\" timeout=1\n"
"add: olcMirrorMode\n"
"olcMirrorMode: TRUE\n"
"dn: olcOverlay=syncprov,olcDatabase={1}hdb,cn=config\n"
"changetype: add\n"
"objectClass: olcOverlayConfig\n"
"objectClass: olcSyncProvConfig\n"
"olcOverlay: syncprov\n"
#: serverguide/C/network-auth.xml:617(para)
msgid "Like the previous LDIF file, edit this one changing:"
#: serverguide/C/network-auth.xml:623(para)
"<emphasis>searchbase=\"dc=example,dc=com\"</emphasis> to your directory's "
#: serverguide/C/network-auth.xml:628(para)
"If you use a different admin user, change "
"<emphasis>binddn=\"cn=admin,dc=example,dc=com\"</emphasis>."
#: serverguide/C/network-auth.xml:633(para)
"Also, replace <emphasis>credentials=secret</emphasis> with your admin "
#: serverguide/C/network-auth.xml:642(para)
msgid "Add the LDIF file:"
#: serverguide/C/network-auth.xml:647(command)
msgid "ldapmodify -x -D cn=admin,cn=config -W -f syncrepl_backend.ldif"
#: serverguide/C/network-auth.xml:650(para)
"Because the servers' configuration is already synced there is no need to "
"copy this LDIF file to the other servers."
#: serverguide/C/network-auth.xml:658(para)
"The configuration and backend databases should now sycnc to the other "
"servers. You can add additional servers using the "
"<application>ldapmodify</application> utility as the need arises. See <xref "
"linkend=\"openldap-configuration\"/> for details."
"The <application>slapd</application> daemon will send log information to "
"<filename>/var/log/syslog</filename> by default. So if all does "
"<emphasis>not</emphasis> go well check there for errors and other "
"troubleshooting information."
#: serverguide/C/network-auth.xml:673(title)
msgid "Setting up ACL"
#: serverguide/C/network-auth.xml:675(para)
"Authentication requires access to the password field, that should be not "
"accessible by default. Also, in order for users to change their own "
"password, using <command>passwd</command> or other utilities, "
"<emphasis>shadowLastChange</emphasis> needs to be accessible once a user has "
#: serverguide/C/network-auth.xml:682(para)
"To view the Access Control List (ACL), use the "
"<application>ldapsearch</application> utility:"
#: serverguide/C/network-auth.xml:687(command)
"ldapsearch -xLLL -b cn=config -D cn=admin,cn=config -W olcDatabase=hdb "
#: serverguide/C/network-auth.xml:691(computeroutput)
"Enter LDAP Password: \n"
"dn: olcDatabase={1}hdb,cn=config\n"
"olcAccess: {0}to attrs=userPassword,shadowLastChange by "
"dn=\"cn=admin,dc=exampl\n"
" e,dc=com\" write by anonymous auth by self write by * none\n"
"olcAccess: {1}to dn.base=\"\" by * read\n"
"olcAccess: {2}to * by dn=\"cn=admin,dc=example,dc=com\" write by * read\n"
#: serverguide/C/network-auth.xml:703(title)
msgid "TLS and SSL"
#: serverguide/C/network-auth.xml:705(para)
"When authenticating to an OpenLDAP server it is best to do so using an "
"encrypted session. This can be accomplished using Transport Layer Security "
"(TLS) and/or Secure Sockets Layer (SSL)."
#: serverguide/C/network-auth.xml:710(para)
"The first step in the process is to obtain or create a "
"<emphasis>certificate</emphasis>. See <xref linkend=\"certificates-and-"
"security\"/> and <xref linkend=\"certificate-authority\"/> for details."
#: serverguide/C/network-auth.xml:715(para)
"Once you have a certificate, key, and CA cert installed, use "
"<application>ldapmodify</application> to add the new configuration options:"
#: serverguide/C/network-auth.xml:726(userinput)
"add: olcTLSCACertificateFile\n"
"olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem\n"
"add: olcTLSCertificateFile\n"
"olcTLSCertificateFile: /etc/ssl/certs/server.crt\n"
"add: olcTLSCertificateKeyFile\n"
"olcTLSCertificateKeyFile: /etc/ssl/private/server.key"
#: serverguide/C/network-auth.xml:725(computeroutput)
"Enter LDAP Password:\n"
"<placeholder-1/>\n"
"modifying entry \"cn=config\"\n"
#: serverguide/C/network-auth.xml:741(para)
"Adjust the <filename>server.crt</filename>, <filename>server.key</filename>, "
"and <filename>cacert.pem</filename> names if yours are different."
#: serverguide/C/network-auth.xml:747(para)
"Next, edit <filename>/etc/default/slapd</filename> uncomment the "
"<emphasis>SLAPD_SERVICES</emphasis> option:"
"SLAPD_SERVICES=\"ldap://127.0.0.1:389/ ldaps:/// ldapi:///\"\n"
#: serverguide/C/network-auth.xml:755(para)
"Now the <emphasis>openldap</emphasis> user needs access to the certificate:"
#: serverguide/C/network-auth.xml:760(command)
msgid "sudo adduser openldap ssl-cert"
#: serverguide/C/network-auth.xml:761(command)
msgid "sudo chgrp ssl-cert /etc/ssl/private/server.key"
#: serverguide/C/network-auth.xml:765(para)
"If the <filename role=\"directory\">/etc/ssl/private</filename> and "
"<filename>/etc/ssl/private/server.key</filename> have different permissions, "
"adjust the commands appropriately."
#: serverguide/C/network-auth.xml:771(para)
msgid "Finally, restart <application>slapd</application>:"
#: serverguide/C/network-auth.xml:779(para)
"The <application>slapd</application> daemon should now be listening for "
"LDAPS connections and be able to use STARTTLS during authentication."
#: serverguide/C/network-auth.xml:785(title)
msgid "TLS Replication"
#: serverguide/C/network-auth.xml:787(para)
"If you have setup <application>Syncrepl</application> between servers, it is "
"prudent to encrypt the replication traffic using <emphasis>Transport Layer "
"Security (TLS)</emphasis>. For details on setting up replication see <xref "
"linkend=\"openldap-server-replication\"/>."
#: serverguide/C/network-auth.xml:793(para)
"After setting up replication, and following the instructions in <xref "
"linkend=\"openldap-tls\"/>, there are a couple of consequences that should "
#: serverguide/C/network-auth.xml:800(para)
"The configuration only needs to be modified on <emphasis>one</emphasis> "
#: serverguide/C/network-auth.xml:805(para)
"The path names for the <emphasis>certificate</emphasis> and "
"<emphasis>key</emphasis> must be the same on all servers."
#: serverguide/C/network-auth.xml:812(para)
"So on each replicated server: install a certificate, edit "
"<filename>/etc/default/slapd</filename>, and restart "
"<application>slapd</application>."
#: serverguide/C/network-auth.xml:817(para)
"Once <emphasis>TLS</emphasis> has been setup on each server, modify the "
"<emphasis>cn=config</emphasis> replication by entering the following in a "
#: serverguide/C/network-auth.xml:828(userinput)
"dn: olcDatabase={0}config,cn=config\n"
"replace: olcSyncrepl\n"
"olcSyncrepl: {0}rid=001 provider=ldap://ldap01.example.com "
"binddn=\"cn=admin,cn\n"
" =config\" bindmethod=simple credentials=secret searchbase=\"cn=config\" "
" shAndPersist retry=\"5 5 300 5\" timeout=1 starttls=yes\n"
"olcSyncrepl: {1}rid=002 provider=ldap://ldap02.example.com "
"binddn=\"cn=admin,cn\n"
" =config\" bindmethod=simple credentials=secret searchbase=\"cn=config\" "
" shAndPersist retry=\"5 5 300 5\" timeout=1 starttls=yes"
#: serverguide/C/network-auth.xml:827(computeroutput)
"Enter LDAP Password: \n"
"<placeholder-1/>\n"
"modifying entry \"olcDatabase={0}config,cn=config\"\n"
#: serverguide/C/network-auth.xml:841(para)
msgid "Now adjust the <emphasis>backend</emphasis> database replication:"
#: serverguide/C/network-auth.xml:851(userinput)
"dn: olcDatabase={1}hdb,cn=config\n"
"replace: olcSyncrepl\n"
"olcSyncrepl: {0}rid=003 provider=ldap://ldap01.example.com "
"binddn=\"cn=admin,dc=example,dc=\n"
" com\" bindmethod=simple credentials=secret searchbase=\"dc=example,dc=com\" "
" efreshOnly interval=00:00:00:10 retry=\"5 5 300 5\" timeout=1 starttls=yes\n"
"olcSyncrepl: {1}rid=004 provider=ldap://ldap02.example.com "
"binddn=\"cn=admin,dc=example,dc=\n"
" com\" bindmethod=simple credentials=secret searchbase=\"dc=example,dc=com\" "
" efreshOnly interval=00:00:00:10 retry=\"5 5 300 5\" timeout=1 starttls=yes"
#: serverguide/C/network-auth.xml:850(computeroutput)
"Enter LDAP Password:\n"
"<placeholder-1/>\n"
"modifying entry \"olcDatabase={1}hdb,cn=config\""
#: serverguide/C/network-auth.xml:863(para)
"If the LDAP server hostname does not match the Fully Qualified Domain Name "
"(FQDN) in the certificate, you may have to edit "
"<filename>/etc/ldap/ldap.conf</filename> and add the following TLS options:"
#: serverguide/C/network-auth.xml:868(programlisting)
"TLS_CERT /etc/ssl/certs/server.crt\n"
"TLS_KEY /etc/ssl/private/server.key\n"
"TLS_CACERT /etc/ssl/certs/cacert.pem\n"
#: serverguide/C/network-auth.xml:875(para)
"Finally, restart <application>slapd</application> on each of the servers:"
#: serverguide/C/network-auth.xml:888(title)
msgid "LDAP Authentication"
#: serverguide/C/network-auth.xml:890(para)
"Once you have a working LDAP server, the <application>auth-client-"
"config</application> and <application>libnss-ldap</application> packages "
"take the pain out of configuring an Ubuntu client to authenticate using "
"LDAP. To install the packages from, a terminal prompt enter:"
#: serverguide/C/network-auth.xml:897(command)
msgid "sudo apt-get install libnss-ldap"
#: serverguide/C/network-auth.xml:900(para)
"During the install a menu dialog will ask you connection details about your "
#: serverguide/C/network-auth.xml:904(para)
"If you make a mistake when entering your information you can execute the "
"dialog again using:"
#: serverguide/C/network-auth.xml:909(command)
msgid "sudo dpkg-reconfigure ldap-auth-config"
#: serverguide/C/network-auth.xml:912(para)
"The results of the dialog can be seen in "
"<filename>/etc/ldap.conf</filename>. If your server requires options not "
"covered in the menu edit this file accordingly."
#: serverguide/C/network-auth.xml:917(para)
"Now that <application>libnss-ldap</application> is configured enable the "
"<application>auth-client-config</application> LDAP profile by entering:"
msgid "sudo auth-client-config -a -p lac_ldap"
msgid "<emphasis>-a:</emphasis> applies the specified profile."
#: serverguide/C/network-auth.xml:933(para)
msgid "<emphasis>-p:</emphasis> name of the profile to enable, disable, etc."
#: serverguide/C/network-auth.xml:938(para)
"<emphasis>lac_ldap:</emphasis> the <application>auth-client-"
"config</application> profile that is part of the <application>ldap-auth-"
"config</application> package."
#: serverguide/C/network-auth.xml:945(para)
"You should now be able to login using user credentials stored in the LDAP "
#: serverguide/C/network-auth.xml:951(title)
msgid "User and Group Management"
#: serverguide/C/network-auth.xml:953(para)
"The <application>ldap-utils</application> package comes with multiple "
"utilities to manage the directory, but the long string of options needed, "
"can make them a burden to use. The <application>ldapscripts</application> "
"package contains configurable scripts to easily manage LDAP users and groups."
#: serverguide/C/network-auth.xml:959(para)
msgid "To install the package, from a terminal enter:"
#: serverguide/C/network-auth.xml:964(command)
msgid "sudo apt-get install ldapscripts"
#: serverguide/C/network-auth.xml:967(para)
"Next, edit the config file "
"<filename>/etc/ldapscripts/ldapscripts.conf</filename> uncommenting and "
"changing the following to match your environment:"
#: serverguide/C/network-auth.xml:972(programlisting)
"SERVER=localhost\n"
"BINDDN='cn=admin,dc=example,dc=com'\n"
"BINDPWDFILE=\"/etc/ldapscripts/ldapscripts.passwd\"\n"
"SUFFIX='dc=example,dc=com'\n"
"GSUFFIX='ou=Groups'\n"
"USUFFIX='ou=People'\n"
"MSUFFIX='ou=Computers'\n"
#: serverguide/C/network-auth.xml:985(para)
"Now, create the <filename>ldapscripts.passwd</filename> file to allow "
"authenticated access to the directory:"
#: serverguide/C/network-auth.xml:990(command)
"sudo sh -c \"echo -n 'secret' > /etc/ldapscripts/ldapscripts.passwd\""
#: serverguide/C/network-auth.xml:991(command)
msgid "sudo chmod 400 /etc/ldapscripts/ldapscripts.passwd"
#: serverguide/C/network-auth.xml:995(para)
"Replace <quote>secret</quote> with the actual password for your LDAP admin "
#: serverguide/C/network-auth.xml:1000(para)
"The <application>ldapscripts</application> are now ready to help manage your "
"directory. The following are some examples of how to use the scripts:"
#: serverguide/C/network-auth.xml:1007(para)
msgid "Create a new user:"
#: serverguide/C/network-auth.xml:1011(command)
msgid "sudo ldapadduser george example"
#: serverguide/C/network-auth.xml:1013(para)
"This will create a user with uid <emphasis role=\"italic\">george</emphasis> "
"and set the user's primary group (gid) to <emphasis "
"role=\"italic\">example</emphasis>"
#: serverguide/C/network-auth.xml:1019(para)
msgid "Change a user's password:"
#: serverguide/C/network-auth.xml:1023(command)
msgid "sudo ldapsetpasswd george"
#: serverguide/C/network-auth.xml:1024(computeroutput)
msgid "Changing password for user uid=george,ou=People,dc=example,dc=com"
#: serverguide/C/network-auth.xml:1025(userinput)
msgid "New Password: "
#: serverguide/C/network-auth.xml:1026(userinput)
msgid "New Password (verify): "
#: serverguide/C/network-auth.xml:1030(para)
msgid "Delete a user:"
#: serverguide/C/network-auth.xml:1034(command)
msgid "sudo ldapdeleteuser george"
#: serverguide/C/network-auth.xml:1039(para)
msgid "Add a group:"
#: serverguide/C/network-auth.xml:1043(command)
msgid "sudo ldapaddgroup qa"
#: serverguide/C/network-auth.xml:1047(para)
msgid "Delete a group:"
#: serverguide/C/network-auth.xml:1051(command)
msgid "sudo ldapdeletegroup qa"
#: serverguide/C/network-auth.xml:1055(para)
msgid "Add a user to a group:"
#: serverguide/C/network-auth.xml:1059(command)
msgid "sudo ldapaddusertogroup george qa"
#: serverguide/C/network-auth.xml:1061(para)
"You should now see a <emphasis>memberUid</emphasis> attribute for the "
"<emphasis role=\"italic\">qa</emphasis> group with a value of <emphasis "
"role=\"italic\">george</emphasis>."
#: serverguide/C/network-auth.xml:1067(para)
msgid "Remove a user from a group:"
#: serverguide/C/network-auth.xml:1071(command)
msgid "sudo ldapdeleteuserfromgroup george qa"
#: serverguide/C/network-auth.xml:1073(para)
"The <emphasis>memberUid</emphasis> attribute should now be removed from the "
"<emphasis role=\"italic\">qa</emphasis> group."
#: serverguide/C/network-auth.xml:1079(para)
"The <application>ldapmodifyuser</application> script allows you to add, "
"remove, or replace a user's attributes. The script uses the same syntax as "
"the <application>ldapmodify</application> utility. For example:"
#: serverguide/C/network-auth.xml:1084(command)
msgid "sudo ldapmodifyuser george"
#: serverguide/C/network-auth.xml:1085(computeroutput)
"# About to modify the following entry :\n"
"dn: uid=george,ou=People,dc=example,dc=com\n"
"objectClass: account\n"
"objectClass: posixAccount\n"
"uidNumber: 1001\n"
"gidNumber: 1001\n"
"homeDirectory: /home/george\n"
"loginShell: /bin/bash\n"
"description: User account\n"
"userPassword:: e1NTSEF9eXFsTFcyWlhwWkF1eGUybVdFWHZKRzJVMjFTSG9vcHk=\n"
"# Enter your modifications here, end with CTRL-D.\n"
"dn: uid=george,ou=People,dc=example,dc=com"
#: serverguide/C/network-auth.xml:1101(userinput)
"gecos: George Carlin"
#: serverguide/C/network-auth.xml:1104(para)
"The user's <emphasis>gecos</emphasis> should now be <quote>George "
#: serverguide/C/network-auth.xml:1109(para)
"Another great feature of <application>ldapscripts</application>, is the "
"template system. Templates allow you to customize the attributes of user, "
"group, and machine objectes. For example, to enable the "
"<emphasis>user</emphasis> template edit "
"<filename>/etc/ldapscripts/ldapscripts.conf</filename> changing:"
#: serverguide/C/network-auth.xml:1116(programlisting)
"UTEMPLATE=\"/etc/ldapscripts/ldapadduser.template\"\n"
#: serverguide/C/network-auth.xml:1120(para)
"There are <emphasis role=\"italic\">sample</emphasis> templates in the "
"<filename>/etc/ldapscripts</filename> directory. Copy or rename the "
"<filename>ldapadduser.template.sample</filename> file to "
"<filename>/etc/ldapscripts/ldapadduser.template</filename>:"
#: serverguide/C/network-auth.xml:1127(command)
"sudo cp /etc/ldapscripts/ldapadduser.template.sample "
"/etc/ldapscripts/ldapadduser.template"
#: serverguide/C/network-auth.xml:1130(para)
"Edit the new template to add the desired attributes. The following will "
"create new user's as with an <emphasis>objectClass</emphasis> of "
"<emphasis>inetOrgPerson</emphasis>:"
#: serverguide/C/network-auth.xml:1135(programlisting)
"dn: uid=<user>,<usuffix>,<suffix>\n"
"objectClass: inetOrgPerson\n"
"objectClass: posixAccount\n"
"cn: <user>\n"
"sn: <ask>\n"
"uid: <user>\n"
"uidNumber: <uid>\n"
"gidNumber: <gid>\n"
"homeDirectory: <home>\n"
"loginShell: <shell>\n"
"gecos: <user>\n"
"description: User account\n"
"title: Employee\n"
#: serverguide/C/network-auth.xml:1151(para)
"Notice the <emphasis><ask></emphasis> option used for the "
"<emphasis>cn</emphasis> value. Using <ask> will configure "
"<application>ldapadduser</application> to prompt you for the attribute value "
"during user creation."
#: serverguide/C/network-auth.xml:1159(para)
"There are more useful scripts in the package, to see a full list enter: "
"<command>dpkg -L ldapscripts | grep bin</command>"
#: serverguide/C/network-auth.xml:1168(para)
"For more information see <ulink url=\"http://www.openldap.org/\">OpenLDAP "
"Home Page</ulink>"
#: serverguide/C/network-auth.xml:1173(para)
"Though starting to show it's age, a great source for in depth LDAP "
"information is O'Reilly's <ulink "
"url=\"http://www.oreilly.com/catalog/ldapsa/\">LDAP System "
"Administration</ulink>"
#: serverguide/C/network-auth.xml:1179(para)
"Packt's <ulink url=\"http://www.packtpub.com/OpenLDAP-Developers-Server-Open-"
"Source-Linux/book\">Mastering OpenLDAP</ulink> is a great reference covering "
"newer versions of OpenLDAP."
#: serverguide/C/network-auth.xml:1185(para)
"For more information on <application>auth-client-config</application> see "
"the man page: <command>man auth-client-config</command>."
#: serverguide/C/network-auth.xml:1190(para)
"For more details regarding the <application>ldapscripts</application> "
"package see the man pages: <command>man ldapscripts</command>, <command>man "
"ldapadduser</command>, <command>man ldapaddgroup</command>, etc."
#: serverguide/C/network-auth.xml:1200(title)
msgid "Samba and LDAP"
11052
#: serverguide/C/network-auth.xml:1202(para)
11054
"This section covers configuring Samba to use LDAP for user, group, and "
11055
"machine account information and authentication. The assumption is, you "
11056
"already have a working OpenLDAP directory installed and the server is "
11057
"configured to use it for authentication. See <xref linkend=\"openldap-"
11058
"server\"/> and <xref linkend=\"openldap-auth-config\"/> for details on "
11059
"setting up OpenLDAP."
11062
#: serverguide/C/network-auth.xml:1211(para)
11064
"Three packages are needed when integrating Samba with LDAP: the "
"<application>samba</application>, <application>samba-doc</application>, and "
"<application>smbldap-tools</application> packages. To install the packages, "
"from a terminal enter:"
#: serverguide/C/network-auth.xml:1217(command)
msgid "sudo apt-get install samba samba-doc smbldap-tools"
#: serverguide/C/network-auth.xml:1220(para)
"Strictly speaking, the <application>smbldap-tools</application> package isn't "
"needed, but unless you have another package or custom scripts, a method of "
"managing users, groups, and computer accounts is needed."
#: serverguide/C/network-auth.xml:1227(title)
msgid "OpenLDAP Configuration"
#: serverguide/C/network-auth.xml:1229(para)
"In order for Samba to use OpenLDAP as a <emphasis>passdb backend</emphasis>, "
"the user objects in the directory will need additional attributes. This "
"section assumes you want Samba to be configured as a Windows NT domain "
"controller, and will add the necessary LDAP objects and attributes."
#: serverguide/C/network-auth.xml:1237(para)
"The Samba attributes are defined in the <filename>samba.schema</filename> "
"file which is part of the <application>samba-doc</application> package. The "
"schema file needs to be unzipped and copied to "
"<filename>/etc/ldap/schema</filename>. From a terminal prompt enter:"
#: serverguide/C/network-auth.xml:1244(command)
"sudo cp /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz "
"/etc/ldap/schema/"
#: serverguide/C/network-auth.xml:1245(command)
msgid "sudo gzip -d /etc/ldap/schema/samba.schema.gz"
#: serverguide/C/network-auth.xml:1251(para)
"The <emphasis>samba</emphasis> schema needs to be added to the "
"<emphasis>cn=config</emphasis> tree. The procedure to add a new schema to "
"<application>slapd</application> is also detailed in <xref "
"linkend=\"openldap-configuration\"/>."
#: serverguide/C/network-auth.xml:1259(para)
"First, create a configuration file named "
"<filename>schema_convert.conf</filename>, or a similar descriptive name, "
"containing the following lines:"
#: serverguide/C/network-auth.xml:1264(programlisting)
"include /etc/ldap/schema/core.schema\n"
"include /etc/ldap/schema/collective.schema\n"
"include /etc/ldap/schema/corba.schema\n"
"include /etc/ldap/schema/cosine.schema\n"
"include /etc/ldap/schema/duaconf.schema\n"
"include /etc/ldap/schema/dyngroup.schema\n"
"include /etc/ldap/schema/inetorgperson.schema\n"
"include /etc/ldap/schema/java.schema\n"
"include /etc/ldap/schema/misc.schema\n"
"include /etc/ldap/schema/nis.schema\n"
"include /etc/ldap/schema/openldap.schema\n"
"include /etc/ldap/schema/ppolicy.schema\n"
"include /etc/ldap/schema/samba.schema\n"
#: serverguide/C/network-auth.xml:1294(para)
"Now use <application>slaptest</application> to convert the schema files:"
#: serverguide/C/network-auth.xml:1302(para)
"Change the above file and path names to match your own if they are different."
#: serverguide/C/network-auth.xml:1309(para)
"Edit the generated "
"<filename>/tmp/ldif_output/cn=config/cn=schema/cn={12}samba.ldif</filename> "
"file, changing the following attributes:"
#: serverguide/C/network-auth.xml:1314(programlisting)
"dn: cn=samba,cn=schema,cn=config\n"
#: serverguide/C/network-auth.xml:1324(programlisting)
"structuralObjectClass: olcSchemaConfig\n"
"entryUUID: b53b75ca-083f-102d-9fff-2f64fd123c95\n"
"creatorsName: cn=config\n"
"createTimestamp: 20080827045234Z\n"
"entryCSN: 20080827045234.341425Z#000000#000#000000\n"
"modifiersName: cn=config\n"
"modifyTimestamp: 20080827045234Z\n"
"ldapadd -x -D cn=admin,cn=config -W -f /tmp/ldif_output/cn\\=config/cn\\"
"=schema/cn\\=\\{12\\}samba.ldif"
#: serverguide/C/network-auth.xml:1355(para)
"There should now be a <emphasis>dn: "
"cn={X}samba,cn=schema,cn=config</emphasis> entry in the cn=config tree, "
"where \"X\" is the next sequential schema number."
#: serverguide/C/network-auth.xml:1363(para)
"Copy and paste the following into a file named "
"<filename>samba_indexes.ldif</filename>:"
#: serverguide/C/network-auth.xml:1367(programlisting)
"dn: olcDatabase={1}hdb,cn=config\n"
"changetype: modify\n"
"add: olcDbIndex\n"
"olcDbIndex: uidNumber eq\n"
"olcDbIndex: gidNumber eq\n"
"olcDbIndex: loginShell eq\n"
"olcDbIndex: uid eq,pres,sub\n"
"olcDbIndex: memberUid eq,pres,sub\n"
"olcDbIndex: uniqueMember eq,pres\n"
"olcDbIndex: sambaSID eq\n"
"olcDbIndex: sambaPrimaryGroupSID eq\n"
"olcDbIndex: sambaGroupType eq\n"
"olcDbIndex: sambaSIDList eq\n"
"olcDbIndex: sambaDomainName eq\n"
"olcDbIndex: default sub\n"
#: serverguide/C/network-auth.xml:1385(para)
"Using the <application>ldapmodify</application> utility, load the new indexes:"
#: serverguide/C/network-auth.xml:1390(command)
msgid "ldapmodify -x -D cn=admin,cn=config -W -f samba_indexes.ldif"
#: serverguide/C/network-auth.xml:1392(para)
"If all went well, you should see the new indexes using "
"<application>ldapsearch</application>:"
#: serverguide/C/network-auth.xml:1397(command)
"ldapsearch -xLLL -D cn=admin,cn=config -b cn=config -W olcDatabase={1}hdb"
#: serverguide/C/network-auth.xml:1403(para)
"Next, configure the <application>smbldap-tools</application> package to "
"match your environment. The package comes with a configuration script that "
"will ask questions about the needed options. To run the script enter:"
#: serverguide/C/network-auth.xml:1409(command)
msgid "sudo gzip -d /usr/share/doc/smbldap-tools/configure.pl.gz"
#: serverguide/C/network-auth.xml:1410(command)
msgid "sudo perl /usr/share/doc/smbldap-tools/configure.pl"
#: serverguide/C/network-auth.xml:1413(para)
"Once you have answered the questions, there should be <filename>/etc/smbldap-"
"tools/smbldap.conf</filename> and <filename>/etc/smbldap-"
"tools/smbldap_bind.conf</filename> files. These files are generated by the "
"configure script, so if you made any mistakes while executing the script it "
"may be simpler to edit the file appropriately."
#: serverguide/C/network-auth.xml:1423(para)
"The <application>smbldap-populate</application> script will add the "
"necessary users, groups, and LDAP objects required for Samba. It is a good "
"idea to make a backup LDAP Data Interchange Format (LDIF) file with "
"<application>slapcat</application> before executing the command:"
#: serverguide/C/network-auth.xml:1430(command)
msgid "sudo slapcat -l backup.ldif"
#: serverguide/C/network-auth.xml:1436(para)
"Once you have a current backup execute <application>smbldap-"
"populate</application> by entering:"
#: serverguide/C/network-auth.xml:1441(command)
msgid "sudo smbldap-populate"
#: serverguide/C/network-auth.xml:1445(para)
"You can create an LDIF file containing the new Samba objects by executing "
"<command>sudo smbldap-populate -e samba.ldif</command>. This allows you to "
"look over the changes making sure everything is correct."
#: serverguide/C/network-auth.xml:1453(para)
"Your LDAP directory now has the necessary domain information to authenticate "
#: serverguide/C/network-auth.xml:1459(title)
msgid "Samba Configuration"
#: serverguide/C/network-auth.xml:1461(para)
"There are multiple ways to configure Samba. For details on some common "
"configurations see <xref linkend=\"windows-networking\"/>. To configure "
"Samba to use LDAP, edit the main Samba configuration file "
"<filename>/etc/samba/smb.conf</filename>, commenting out the <emphasis>passdb "
"backend</emphasis> option and adding the following:"
"# passdb backend = tdbsam\n"
"# LDAP Settings\n"
" passdb backend = ldapsam:ldap://hostname\n"
" ldap suffix = dc=example,dc=com\n"
" ldap user suffix = ou=People\n"
" ldap group suffix = ou=Groups\n"
" ldap machine suffix = ou=Computers\n"
" ldap idmap suffix = dc=example,dc=com\n"
" ldap admin dn = cn=admin,dc=example,dc=com\n"
" ldap ssl = start tls\n"
" ldap passwd sync = yes\n"
" add machine script = sudo /usr/sbin/smbldap-useradd -t 0 -w \"%u\"\n"
#: serverguide/C/network-auth.xml:1484(para)
msgid "Restart <application>samba</application> to enable the new settings:"
#: serverguide/C/network-auth.xml:1492(para)
"Now Samba needs to know the LDAP admin password. From a terminal prompt "
#: serverguide/C/network-auth.xml:1497(command)
msgid "sudo smbpasswd -w secret"
#: serverguide/C/network-auth.xml:1501(para)
"Replacing <emphasis role=\"italic\">secret</emphasis> with your LDAP admin "
#: serverguide/C/network-auth.xml:1506(para)
"If you currently have users in LDAP, and you want them to authenticate using "
"Samba, they will need some Samba attributes defined in the "
"<filename>samba.schema</filename> file. Add the Samba attributes to existing "
"users using the <application>smbpasswd</application> utility, replacing "
"<emphasis role=\"italic\">username</emphasis> with an actual user:"
#: serverguide/C/network-auth.xml:1514(command)
msgid "sudo smbpasswd -a username"
#: serverguide/C/network-auth.xml:1517(para)
msgid "You will then be asked to enter the user's password."
#: serverguide/C/network-auth.xml:1521(para)
"To add new user, group, and machine accounts use the utilities from the "
"<application>smbldap-tools</application> package. Here are some examples:"
#: serverguide/C/network-auth.xml:1528(para)
"To add a new user to LDAP with Samba attributes enter the following, "
"replacing username with an actual username:"
#: serverguide/C/network-auth.xml:1532(command)
msgid "sudo smbldap-useradd -a -P username"
#: serverguide/C/network-auth.xml:1534(para)
"The <emphasis>-a</emphasis> option adds the Samba attributes, and the "
"<emphasis>-P</emphasis> option calls the <application>smbldap-"
"passwd</application> utility after the user is created, allowing you to enter "
"a password for the user."
#: serverguide/C/network-auth.xml:1540(para)
msgid "To remove a user from the directory enter:"
#: serverguide/C/network-auth.xml:1544(command)
msgid "sudo smbldap-userdel username"
#: serverguide/C/network-auth.xml:1546(para)
"The <application>smbldap-userdel</application> utility also has a <emphasis>-"
"r</emphasis> option to remove the user's home directory."
#: serverguide/C/network-auth.xml:1551(para)
"Use <application>smbldap-groupadd</application> to add a group, replacing "
"groupname with an appropriate group:"
#: serverguide/C/network-auth.xml:1555(command)
msgid "sudo smbldap-groupadd -a groupname"
#: serverguide/C/network-auth.xml:1557(para)
"Similar to <application>smbldap-useradd</application>, the <emphasis>-"
"a</emphasis> adds the Samba attributes."
#: serverguide/C/network-auth.xml:1562(para)
"To add a user to a group use <application>smbldap-groupmod</application>:"
#: serverguide/C/network-auth.xml:1566(command)
msgid "sudo smbldap-groupmod -m username groupname"
#: serverguide/C/network-auth.xml:1568(para)
"Be sure to replace <emphasis>username</emphasis> with a real user. Also, the "
"<emphasis>-m</emphasis> option can add more than one user at a time by "
"listing them in <emphasis>comma separated</emphasis> format."
#: serverguide/C/network-auth.xml:1574(para)
"<application>smbldap-groupmod</application> can also be used to remove a "
"user from a group:"
#: serverguide/C/network-auth.xml:1578(command)
msgid "sudo smbldap-groupmod -x username groupname"
#: serverguide/C/network-auth.xml:1582(para)
"Additionally, the <application>smbldap-useradd</application> utility can add "
"Samba machine accounts:"
#: serverguide/C/network-auth.xml:1586(command)
msgid "sudo smbldap-useradd -t 0 -w username"
#: serverguide/C/network-auth.xml:1588(para)
"Replace <emphasis>username</emphasis> with the name of the workstation. The "
"<emphasis>-t 0</emphasis> option creates the machine account without a "
"delay, while the <emphasis>-w</emphasis> option specifies the user as a "
"machine account. Also, note the <emphasis>add machine script</emphasis> "
"option in <filename>/etc/samba/smb.conf</filename> was changed to use "
"<application>smbldap-useradd</application>."
#: serverguide/C/network-auth.xml:1597(para)
"There are more useful utilities and options in the <application>smbldap-"
"tools</application> package. The man page for each utility provides more "
#: serverguide/C/network-auth.xml:1608(para)
"There are multiple places where LDAP and Samba are documented in the <ulink "
"url=\"http://samba.org/samba/docs/man/Samba-HOWTO-Collection/\">Samba HOWTO "
"Collection</ulink>."
#: serverguide/C/network-auth.xml:1614(para)
"Specifically see the <ulink url=\"http://samba.org/samba/docs/man/Samba-"
"HOWTO-Collection/passdb.html\">passdb section</ulink>."
#: serverguide/C/network-auth.xml:1620(para)
"Another good site is <ulink url=\"http://www.iallanis.info/smbldap-"
"tools/docs/samba-ldap-howto/\">Samba OpenLDAP HOWTO</ulink>."
#: serverguide/C/network-auth.xml:1626(para)
"Again, for more information on <application>smbldap-tools</application> see "
"the man pages: <command>man smbldap-useradd</command>, <command>man smbldap-"
"groupadd</command>, <command>man smbldap-populate</command>, etc."
#: serverguide/C/network-auth.xml:1638(para)
"<application>Kerberos</application> is a network authentication system based "
"on the principle of a trusted third party. The other two parties are the "
"user and the service the user wishes to authenticate to. Not all services "
"and applications can use Kerberos, but for those that can, it brings the "
"network environment one step closer to being Single Sign On (SSO)."
#: serverguide/C/network-auth.xml:1644(para)
"This section covers installation and configuration of a Kerberos server, and "
"some example client configurations."
#: serverguide/C/network-auth.xml:1649(title) serverguide/C/dns.xml:64(title) serverguide/C/backups.xml:541(title)
#: serverguide/C/network-auth.xml:1651(para)
"If you are new to Kerberos there are a few terms that are good to understand "
"before setting up a Kerberos server. Most of the terms will relate to things "
"you may be familiar with in other environments:"
#: serverguide/C/network-auth.xml:1658(para)
"<emphasis>Principal:</emphasis> any users, computers, and services provided "
"by servers need to be defined as Kerberos Principals."
#: serverguide/C/network-auth.xml:1663(para)
"<emphasis>Instances:</emphasis> are used for service principals and special "
"administrative principals."
#: serverguide/C/network-auth.xml:1668(para)
"<emphasis>Realms:</emphasis> the unique realm of control provided by the "
"Kerberos installation. Usually the DNS domain converted to uppercase "
#: serverguide/C/network-auth.xml:1674(para)
"<emphasis>Key Distribution Center:</emphasis> (KDC) consists of three parts: "
"a database of all principals, the authentication server, and the ticket "
"granting server. For each realm there must be at least one KDC."
#: serverguide/C/network-auth.xml:1680(para)
"<emphasis>Ticket Granting Ticket:</emphasis> issued by the Authentication "
"Server (AS), the Ticket Granting Ticket (TGT) is encrypted in the user's "
"password which is known only to the user and the KDC."
#: serverguide/C/network-auth.xml:1686(para)
"<emphasis>Ticket Granting Server:</emphasis> (TGS) issues service tickets to "
"clients upon request."
#: serverguide/C/network-auth.xml:1691(para)
"<emphasis>Tickets:</emphasis> confirm the identity of the two principals. "
"One principal being a user and the other a service requested by the user. "
"Tickets establish an encryption key used for secure communication during the "
"authenticated session."
#: serverguide/C/network-auth.xml:1697(para)
"<emphasis>Keytab Files:</emphasis> are files extracted from the KDC "
"principal database and contain the encryption key for a service or host."
#: serverguide/C/network-auth.xml:1704(para)
"To put the pieces together, a Realm has at least one KDC, preferably two for "
"redundancy, which contains a database of Principals. When a user principal "
"logs into a workstation configured for Kerberos authentication, the KDC "
"issues a Ticket Granting Ticket (TGT). If the user-supplied credentials "
"match, the user is authenticated and can then request tickets for Kerberized "
"services from the Ticket Granting Server (TGS). The service tickets allow "
"the user to authenticate to the service without entering another username "
#: serverguide/C/network-auth.xml:1713(title)
msgid "Kerberos Server"
#: serverguide/C/network-auth.xml:1717(para)
"Before installing the Kerberos server a properly configured DNS server is "
"needed for your domain. Since the Kerberos Realm by convention matches the "
"domain name, this section uses the <emphasis>example.com</emphasis> domain "
"configured in <xref linkend=\"dns-primarymaster-configuration\"/>."
#: serverguide/C/network-auth.xml:1723(para)
"Also, Kerberos is a time-sensitive protocol. If the local system time "
"between a client machine and the server differs by more than five minutes "
"(by default), the workstation will not be able to authenticate. To correct "
"the problem all hosts should have their time synchronized using the "
"<emphasis>Network Time Protocol (NTP)</emphasis>. For details on setting up "
"NTP see <xref linkend=\"NTP\"/>."
#: serverguide/C/network-auth.xml:1730(para)
"The first step in installing a Kerberos Realm is to install the "
"<application>krb5-kdc</application> and <application>krb5-admin-"
"server</application> packages. From a terminal enter:"
#: serverguide/C/network-auth.xml:1736(command) serverguide/C/network-auth.xml:1911(command)
msgid "sudo apt-get install krb5-kdc krb5-admin-server"
#: serverguide/C/network-auth.xml:1739(para)
"You will be asked at the end of the install to supply a name for the "
"Kerberos and Admin servers, which may or may not be the same server, for the "
#: serverguide/C/network-auth.xml:1744(para)
"Next, create the new realm with the <application>krb5_newrealm</application> "
#: serverguide/C/network-auth.xml:1749(command)
msgid "sudo krb5_newrealm"
#: serverguide/C/network-auth.xml:1756(para)
"The questions asked during installation are used to configure the "
"<filename>/etc/krb5.conf</filename> file. If you need to adjust the Key "
"Distribution Center (KDC) settings simply edit the file and restart the "
"<application>krb5-kdc</application> daemon."
#: serverguide/C/network-auth.xml:1764(para)
"Now that the KDC is running, an admin user is needed. It is recommended to use a "
"different username from your everyday username. Using the "
"<application>kadmin.local</application> utility in a terminal prompt enter:"
#: serverguide/C/network-auth.xml:1770(command)
msgid "sudo kadmin.local"
#: serverguide/C/network-auth.xml:1771(computeroutput)
"Authenticating as principal root/admin@EXAMPLE.COM with password.\n"
#: serverguide/C/network-auth.xml:1772(userinput)
msgid " addprinc steve/admin"
#: serverguide/C/network-auth.xml:1773(computeroutput)
"WARNING: no policy specified for steve/admin@EXAMPLE.COM; defaulting to no "
"Enter password for principal \"steve/admin@EXAMPLE.COM\": \n"
"Re-enter password for principal \"steve/admin@EXAMPLE.COM\": \n"
"Principal \"steve/admin@EXAMPLE.COM\" created.\n"
#: serverguide/C/network-auth.xml:1777(userinput)
#: serverguide/C/network-auth.xml:1780(para)
"In the above example <emphasis role=\"italic\">steve</emphasis> is the "
"<emphasis>Principal</emphasis>, <emphasis role=\"italic\">/admin</emphasis> "
"is an <emphasis>Instance</emphasis>, and <emphasis "
"role=\"italic\">@EXAMPLE.COM</emphasis> signifies the realm. The <emphasis "
"role=\"italic\">\"every day\"</emphasis> Principal would be "
"<emphasis>steve@EXAMPLE.COM</emphasis>, and should have only normal user "
#: serverguide/C/network-auth.xml:1788(para)
"Replace <emphasis>EXAMPLE.COM</emphasis> and <emphasis>steve</emphasis> with "
"your Realm and admin username."
#: serverguide/C/network-auth.xml:1796(para)
"Next, the new admin user needs to have the appropriate Access Control List "
"(ACL) permissions. The permissions are configured in the "
"<filename>/etc/krb5kdc/kadm5.acl</filename> file:"
#: serverguide/C/network-auth.xml:1801(programlisting)
"steve/admin@EXAMPLE.COM *\n"
#: serverguide/C/network-auth.xml:1805(para)
"This entry grants <emphasis>steve/admin</emphasis> the ability to perform "
"any operation on all principals in the realm."
#: serverguide/C/network-auth.xml:1812(para)
"Now restart the <application>krb5-admin-server</application> for the new ACL "
#: serverguide/C/network-auth.xml:1817(command)
msgid "sudo /etc/init.d/krb5-admin-server restart"
#: serverguide/C/network-auth.xml:1823(para)
"The new user principal can be tested using the "
"<application>kinit</application> utility:"
#: serverguide/C/network-auth.xml:1828(command)
msgid "kinit steve/admin"
#: serverguide/C/network-auth.xml:1829(computeroutput)
msgid "steve/admin@EXAMPLE.COM's Password:"
#: serverguide/C/network-auth.xml:1832(para)
"After entering the password, use the <application>klist</application> "
"utility to view information about the Ticket Granting Ticket (TGT):"
#: serverguide/C/network-auth.xml:1838(command) serverguide/C/network-auth.xml:2173(command)
#: serverguide/C/network-auth.xml:1839(computeroutput)
"Credentials cache: FILE:/tmp/krb5cc_1000\n"
" Principal: steve/admin@EXAMPLE.COM\n"
" Issued Expires Principal\n"
"Jul 13 17:53:34 Jul 14 03:53:34 krbtgt/EXAMPLE.COM@EXAMPLE.COM"
#: serverguide/C/network-auth.xml:1846(para)
"You may need to add an entry into the <filename>/etc/hosts</filename> for "
"the KDC. For example:"
#: serverguide/C/network-auth.xml:1850(programlisting)
"192.168.0.1 kdc01.example.com kdc01\n"
#: serverguide/C/network-auth.xml:1854(para)
"Replacing <emphasis>192.168.0.1</emphasis> with the IP address of your KDC."
#: serverguide/C/network-auth.xml:1861(para)
"In order for clients to determine the KDC for the Realm some DNS SRV records "
"are needed. Add the following to "
"<filename>/etc/named/db.example.com</filename>:"
#: serverguide/C/network-auth.xml:1866(programlisting)
"_kerberos._udp.EXAMPLE.COM. IN SRV 1 0 88 kdc01.example.com.\n"
"_kerberos._tcp.EXAMPLE.COM. IN SRV 1 0 88 kdc01.example.com.\n"
"_kerberos._udp.EXAMPLE.COM. IN SRV 10 0 88 kdc02.example.com. \n"
"_kerberos._tcp.EXAMPLE.COM. IN SRV 10 0 88 kdc02.example.com. \n"
"_kerberos-adm._tcp.EXAMPLE.COM. IN SRV 1 0 749 kdc01.example.com.\n"
"_kpasswd._udp.EXAMPLE.COM. IN SRV 1 0 464 kdc01.example.com.\n"
#: serverguide/C/network-auth.xml:1876(para)
"Replace <emphasis>EXAMPLE.COM</emphasis>, <emphasis>kdc01</emphasis>, and "
"<emphasis>kdc02</emphasis> with your domain name, primary KDC, and secondary "
#: serverguide/C/network-auth.xml:1882(para)
"See <xref linkend=\"dns\"/> for detailed instructions on setting up DNS."
#: serverguide/C/network-auth.xml:1889(para)
msgid "Your new Kerberos Realm is now ready to authenticate clients."
#: serverguide/C/network-auth.xml:1896(title)
msgid "Secondary KDC"
#: serverguide/C/network-auth.xml:1898(para)
"Once you have one Key Distribution Center (KDC) on your network, it is good "
"practice to have a Secondary KDC in case the primary becomes unavailable."
#: serverguide/C/network-auth.xml:1906(para)
"First, install the packages, and when asked for the Kerberos and Admin "
"server names enter the name of the Primary KDC:"
#: serverguide/C/network-auth.xml:1917(para)
"Once you have the packages installed, create the Secondary KDC's host "
"principal. From a terminal prompt, enter:"
#: serverguide/C/network-auth.xml:1922(command)
msgid "kadmin -q \"addprinc -randkey host/kdc02.example.com\""
#: serverguide/C/network-auth.xml:1926(para)
"After issuing any <application>kadmin</application> commands you will be "
"prompted for your <emphasis>username/admin@EXAMPLE.COM</emphasis> principal "
#: serverguide/C/network-auth.xml:1935(para)
msgid "Extract the <emphasis>keytab</emphasis> file:"
#: serverguide/C/network-auth.xml:1940(command)
msgid "kadmin -q \"ktadd -k keytab.kdc02 host/kdc02.example.com\""
#: serverguide/C/network-auth.xml:1946(para)
"There should now be a <filename>keytab.kdc02</filename> in the current "
"directory; move the file to <filename>/etc/krb5.keytab</filename>:"
#: serverguide/C/network-auth.xml:1952(command)
msgid "sudo mv keytab.kdc02 /etc/krb5.keytab"
#: serverguide/C/network-auth.xml:1956(para)
"If the path to the <filename>keytab.kdc02</filename> file is different "
"adjust accordingly."
#: serverguide/C/network-auth.xml:1961(para)
"Also, you can list the principals in a Keytab file, which can be useful when "
"troubleshooting, using the <application>klist</application> utility:"
#: serverguide/C/network-auth.xml:1967(command)
msgid "sudo klist -k /etc/krb5.keytab"
#: serverguide/C/network-auth.xml:1973(para)
"Next, there needs to be a <filename>kpropd.acl</filename> file on each KDC "
"that lists all KDCs for the Realm. For example, on both primary and "
"secondary KDC, create <filename>/etc/krb5kdc/kpropd.acl</filename>:"
#: serverguide/C/network-auth.xml:1978(programlisting)
"host/kdc01.example.com@EXAMPLE.COM\n"
"host/kdc02.example.com@EXAMPLE.COM\n"
#: serverguide/C/network-auth.xml:1986(para)
msgid "Create an empty database on the <emphasis>Secondary KDC</emphasis>:"
#: serverguide/C/network-auth.xml:1991(command)
msgid "sudo kdb5_util -s create"
#: serverguide/C/network-auth.xml:1997(para)
"Now start the <application>kpropd</application> daemon, which listens for "
"connections from the <application>kprop</application> utility. "
"<application>kprop</application> is used to transfer dump files:"
#: serverguide/C/network-auth.xml:2004(command)
msgid "sudo kpropd -S"
#: serverguide/C/network-auth.xml:2010(para)
"From a terminal on the <emphasis>Primary KDC</emphasis>, create a dump file "
"of the principal database:"
#: serverguide/C/network-auth.xml:2015(command)
msgid "sudo kdb5_util dump /var/lib/krb5kdc/dump"
#: serverguide/C/network-auth.xml:2021(para)
"Extract the Primary KDC's <emphasis>keytab</emphasis> file and copy it to "
"<filename>/etc/krb5.keytab</filename>:"
#: serverguide/C/network-auth.xml:2026(command)
msgid "kadmin -q \"ktadd -k keytab.kdc01 host/kdc01.example.com\""
#: serverguide/C/network-auth.xml:2027(command)
msgid "sudo mv keytab.kdc01 /etc/krb5.keytab"
#: serverguide/C/network-auth.xml:2031(para)
"Make sure there is a <emphasis>host</emphasis> for "
"<emphasis>kdc01.example.com</emphasis> before extracting the Keytab."
#: serverguide/C/network-auth.xml:2039(para)
"Using the <application>kprop</application> utility push the database to the "
#: serverguide/C/network-auth.xml:2044(command)
msgid "sudo kprop -r EXAMPLE.COM -f /var/lib/krb5kdc/dump kdc02.example.com"
#: serverguide/C/network-auth.xml:2048(para)
"There should be a <emphasis>SUCCEEDED</emphasis> message if the propagation "
"worked. If there is an error message check "
"<filename>/var/log/syslog</filename> on the secondary KDC for more "
#: serverguide/C/network-auth.xml:2054(para)
"You may also want to create a <application>cron</application> job to "
"periodically update the database on the Secondary KDC. For example, the "
"following will push the database every hour:"
#: serverguide/C/network-auth.xml:2059(programlisting)
"# m h dom mon dow command\n"
"0 * * * * /usr/sbin/kdb5_util dump /var/lib/krb5kdc/dump && "
"/usr/sbin/kprop -r EXAMPLE.COM -f /var/lib/krb5kdc/dump kdc02.example.com\n"
#: serverguide/C/network-auth.xml:2067(para)
"Back on the <emphasis>Secondary KDC</emphasis>, create a "
"<emphasis>stash</emphasis> file to hold the Kerberos master key:"
#: serverguide/C/network-auth.xml:2073(command)
msgid "sudo kdb5_util stash"
#: serverguide/C/network-auth.xml:2079(para)
"Finally, start the <application>krb5-kdc</application> daemon on the "
#: serverguide/C/network-auth.xml:2084(command)
msgid "sudo /etc/init.d/krb5-kdc start"
#: serverguide/C/network-auth.xml:2090(para)
"The <emphasis>Secondary KDC</emphasis> should now be able to issue tickets "
"for the Realm. You can test this by stopping the <application>krb5-"
"kdc</application> daemon on the Primary KDC, then use "
"<application>kinit</application> to request a ticket. If all goes well you "
"should receive a ticket from the Secondary KDC."
#: serverguide/C/network-auth.xml:2098(title)
msgid "Kerberos Linux Client"
#: serverguide/C/network-auth.xml:2100(para)
"This section covers configuring a Linux system as a "
"<application>Kerberos</application> client. This will allow access to any "
"kerberized services once a user has successfully logged into the system."
#: serverguide/C/network-auth.xml:2108(para)
"In order to authenticate to a Kerberos Realm, the <application>krb5-"
"user</application> and <application>libpam-krb5</application> packages are "
"needed, along with a few others that are not strictly necessary but make "
"life easier. To install the packages enter the following in a terminal "
#: serverguide/C/network-auth.xml:2115(command)
"sudo apt-get install krb5-user libpam-krb5 libpam-ccreds auth-client-config"
#: serverguide/C/network-auth.xml:2118(para)
"The <application>auth-client-config</application> package allows simple "
"configuration of PAM for authentication from multiple sources, and the "
"<application>libpam-ccreds</application> will cache authentication "
"credentials allowing you to log in in case the Key Distribution Center (KDC) "
"is unavailable. This package is also useful for laptops that may "
"authenticate using Kerberos while on the corporate network, but will need to "
"be accessed off the network as well."
#: serverguide/C/network-auth.xml:2129(para)
msgid "To configure the client in a terminal enter:"
#: serverguide/C/network-auth.xml:2134(command)
msgid "sudo dpkg-reconfigure krb5-config"
#: serverguide/C/network-auth.xml:2137(para)
"You will then be prompted to enter the name of the Kerberos Realm. Also, if "
"you don't have DNS configured with Kerberos <emphasis>SRV</emphasis> "
"records, the menu will prompt you for the hostname of the Key Distribution "
"Center (KDC) and Realm Administration server."
#: serverguide/C/network-auth.xml:2143(para)
"The <application>dpkg-reconfigure</application> adds entries to the "
"<filename>/etc/krb5.conf</filename> file for your Realm. You should have "
"entries similar to the following:"
12080
#: serverguide/C/network-auth.xml:2148(programlisting)
12085
" default_realm = EXAMPLE.COM\n"
12088
" EXAMPLE.COM = } \n"
12089
" kdc = 192.168.0.1 \n"
12090
" admin_server = 192.168.0.1\n"
#: serverguide/C/network-auth.xml:2159(para)
"You can test the configuration by requesting a ticket using the "
"<application>kinit</application> utility. For example:"
#: serverguide/C/network-auth.xml:2164(command)
msgid "kinit steve@EXAMPLE.COM"
#: serverguide/C/network-auth.xml:2165(computeroutput)
msgid "Password for steve@EXAMPLE.COM:"
#: serverguide/C/network-auth.xml:2168(para)
"When a ticket has been granted, the details can be viewed using "
"<application>klist</application>:"
#: serverguide/C/network-auth.xml:2174(computeroutput)
"Ticket cache: FILE:/tmp/krb5cc_1000\n"
"Default principal: steve@EXAMPLE.COM\n"
"Valid starting Expires Service principal\n"
"07/24/08 05:18:56 07/24/08 15:18:56 krbtgt/EXAMPLE.COM@EXAMPLE.COM\n"
" renew until 07/25/08 05:18:57\n"
"Kerberos 4 ticket cache: /tmp/tkt1000\n"
"klist: You have no tickets cached"
#: serverguide/C/network-auth.xml:2186(para)
"Next, use the <application>auth-client-config</application> to configure the "
"<application>libpam-krb5</application> module to request a ticket during "
#: serverguide/C/network-auth.xml:2192(command)
msgid "sudo auth-client-config -a -p kerberos_example"
#: serverguide/C/network-auth.xml:2195(para)
"You will should now receive a ticket upon successful login authentication."
#: serverguide/C/network-auth.xml:2206(para)
"For more information on Kerberos see the <ulink "
"url=\"http://web.mit.edu/Kerberos/\">MIT Kerberos</ulink> site."
#: serverguide/C/network-auth.xml:2211(para)
"O'Reilly's <ulink "
"url=\"http://oreilly.com/catalog/9780596004033/\">Kerberos: The Definitive "
"Guide</ulink> is a great reference when setting up Kerberos."
#: serverguide/C/network-auth.xml:2217(para)
"Also, feel free to stop by the <emphasis>#ubuntu-server</emphasis> IRC "
"channel on <ulink url=\"http://freenode.net/\">Freenode</ulink> if you have "
"Kerberos questions."
#: serverguide/C/mail.xml:13(title)
msgid "Email Services"
#: serverguide/C/mail.xml:14(para)
"The process of getting an email from one person to another over a network or "
"the Internet involves many systems working together. Each of these systems "
"must be correctly configured for the process to work. The sender uses a "
"<emphasis>Mail User Agent</emphasis> (MUA), or email client, to send the "
"message through one or more <emphasis>Mail Transfer Agents</emphasis> (MTA), "
"the last of which will hand it off to a <emphasis>Mail Delivery "
"Agent</emphasis> (MDA) for delivery to the recipient's mailbox, from which "
"it will be retrieved by the recipient's email client, usually via a POP3 or "
#: serverguide/C/mail.xml:24(title) serverguide/C/mail.xml:713(application) serverguide/C/mail.xml:747(title) serverguide/C/mail.xml:825(title) serverguide/C/mail.xml:1363(title)
#: serverguide/C/mail.xml:25(para)
"<application>Postfix</application> is the default Mail Transfer Agent (MTA) "
"in Ubuntu. It attempts to be fast and easy to administer and secure. It is "
"compatible with the MTA <application>sendmail</application>. This section "
"explains how to install and configure <application>postfix</application>. It "
"also explains how to set it up as an SMTP server using a secure connection "
"(for sending emails securely)."
#: serverguide/C/mail.xml:34(para)
"To install <application>postfix</application> run the following command:"
#: serverguide/C/mail.xml:38(command)
msgid "sudo apt-get install postfix"
#: serverguide/C/mail.xml:40(para)
"Simply press return when the installation process asks questions, the "
"configuration will be done in greater detail in the next stage."
#: serverguide/C/mail.xml:45(title)
msgid "Basic Configuration"
#: serverguide/C/mail.xml:46(para)
"To configure <application>postfix</application>, run the following command:"
#: serverguide/C/mail.xml:50(command)
msgid "sudo dpkg-reconfigure postfix"
#: serverguide/C/mail.xml:56(para)
msgid "Internet Site"
#: serverguide/C/mail.xml:57(para)
msgid "mail.example.com"
#: serverguide/C/mail.xml:58(para)
#: serverguide/C/mail.xml:59(para)
msgid "mail.example.com, localhost.localdomain, localhost"
#: serverguide/C/mail.xml:60(para)
#: serverguide/C/mail.xml:61(para)
msgid "127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.0/24"
#: serverguide/C/mail.xml:62(para)
#: serverguide/C/mail.xml:63(para)
#: serverguide/C/mail.xml:64(para)
#: serverguide/C/mail.xml:52(para)
"The user interface will be displayed. On each screen, select the following "
"values: <placeholder-1/>"
#: serverguide/C/mail.xml:68(para)
"Replace mail.example.com with your mail server hostname, 192.168.0/24 with "
"the actual network and class range of your mail server, and steve with the "
"appropriate username."
"Now is a good time to decide which mailbox format you want to use. By "
"default Postifx will use <emphasis role=\"strong\">mbox</emphasis> for the "
"mailbox format. Rather than editing the configuration file directly, you can "
"use the <command>postconf</command> command to configure all "
"<application>postfix</application> parameters. The configuration parameters "
"will be stored in <filename>/etc/postfix/main.cf</filename> file. Later if "
"you wish to re-configure a particular parameter, you can either run the "
"command or change it manually in the file."
"To configure the mailbox format for <emphasis "
"role=\"strong\">Maildir:</emphasis>"
msgid "sudo postconf -e 'home_mailbox = Maildir/'"
"This will place new mail in /home/<emphasis "
"role=\"italic\">username</emphasis>/Maildir so you will need to configure "
"your Mail Delivery Agent (MDA) to use the same path."
#: serverguide/C/mail.xml:98(title) serverguide/C/mail.xml:479(title)
msgid "SMTP Authentication"
#: serverguide/C/mail.xml:99(para)
"SMTP-AUTH allows a client to identify itself through an authentication "
"mechanism (SASL). Transport Layer Security (TLS) should be used to encrypt "
"the authentication process. Once authenticated the SMTP server will allow "
"the client to relay mail."
msgid "Configure Postfix for SMTP-AUTH using SASL (Dovecot SASL):"
"sudo postconf -e 'smtpd_sasl_type = dovecot'\n"
"sudo postconf -e 'smtpd_sasl_path = private/auth-client'\n"
"sudo postconf -e 'smtpd_sasl_local_domain ='\n"
"sudo postconf -e 'smtpd_sasl_security_options = noanonymous'\n"
"sudo postconf -e 'broken_sasl_auth_clients = yes'\n"
"sudo postconf -e 'smtpd_sasl_auth_enable = yes'\n"
"sudo postconf -e 'smtpd_recipient_restrictions = "
"permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'\n"
"sudo postconf -e 'inet_interfaces = all'\n"
"The <emphasis>smtpd_sasl_path</emphasis> configuration is a path relative to "
"the Postfix queue directory."
"Next, configure the digital certificate for TLS. When asked questions, "
"follow the instructions and answer appropriately:"
"openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024\n"
"chmod 600 smtpd.key\n"
"openssl req -new -key smtpd.key -out smtpd.csr\n"
"sudo openssl x509 -req -days 365 -in smtpd.csr -signkey smtpd.key -out "
"openssl rsa -in smtpd.key -out smtpd.key.unencrypted\n"
"mv -f smtpd.key.unencrypted smtpd.key\n"
"openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -"
"sudo mv smtpd.key /etc/ssl/private/\n"
"sudo mv smtpd.crt /etc/ssl/certs/\n"
"sudo mv cakey.pem /etc/ssl/private/\n"
"sudo mv cacert.pem /etc/ssl/certs/\n"
"You can get the digital certificate from a certificate authority. But unlike "
"web clients, SMTP clients rarely complain about \"self-signed "
"certificates\", so alternatively, you can create the certificate yourself. "
"Refer to <xref linkend=\"creating-a-self-signed-certificate\"/> for more "
"Configure Postfix to provide TLS encryption for both incoming and outgoing "
"sudo postconf -e 'smtpd_tls_auth_only = no'\n"
"sudo postconf -e 'smtp_use_tls = yes'\n"
"sudo postconf -e 'smtpd_use_tls = yes'\n"
"sudo postconf -e 'smtp_tls_note_starttls_offer = yes'\n"
"sudo postconf -e 'smtpd_tls_key_file = /etc/ssl/private/smtpd.key'\n"
"sudo postconf -e 'smtpd_tls_cert_file = /etc/ssl/certs/smtpd.crt'\n"
"sudo postconf -e 'smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem'\n"
"sudo postconf -e 'smtpd_tls_loglevel = 1'\n"
"sudo postconf -e 'smtpd_tls_received_header = yes'\n"
"sudo postconf -e 'smtpd_tls_session_cache_timeout = 3600s'\n"
"sudo postconf -e 'tls_random_source = dev:/dev/urandom'\n"
"sudo postconf -e 'myhostname = mail.example.com'\n"
#: serverguide/C/mail.xml:176(para)
"After running all the commands, <application>Postfix</application> is "
"configured for SMTP-AUTH and a self-signed certificate has been created for "
#: serverguide/C/mail.xml:181(para)
"Now, the file <filename>/etc/postfix/main.cf</filename> should look like "
"<ulink url=\"../sample/postfix_configuration\">this</ulink>."
"The postfix initial configuration is complete. Run the following command to "
"restart the postfix daemon:"
#: serverguide/C/mail.xml:190(command) serverguide/C/mail.xml:304(command) serverguide/C/mail.xml:865(command) serverguide/C/mail.xml:1414(command)
msgid "sudo /etc/init.d/postfix restart"
"<application>Postfix</application> supports SMTP-AUTH as defined in <ulink "
"url=\"ftp://ftp.isi.edu/in-notes/rfc2554.txt\">RFC2554</ulink>. It is based "
"on <ulink url=\"ftp://ftp.isi.edu/in-notes/rfc2222.txt\">SASL</ulink>. "
"However it is still necessary to set up SASL authentication before you can "
#: serverguide/C/mail.xml:202(title) serverguide/C/mail.xml:532(title)
msgid "Configuring SASL"
"Postfix supports two SASL implementations Cyrus SASL and Dovecot SASL. To "
"enable Dovecot SASL the <application>dovecot-common</application> package "
"will need to be installed. From a terminal prompt enter the following:"
msgid "sudo apt-get install dovecot-common"
"Next you will need to edit <filename>/etc/dovecot/dovecot.conf</filename>. "
"In the <emphasis>auth default</emphasis> section uncomment the "
"<emphasis>socket listen</emphasis> option and change the following:"
" socket listen {\n"
" # Master socket provides access to userdb information. It's typically\n"
" # used to give Dovecot's local delivery agent access to userdb so it\n"
" # can find mailbox locations.\n"
" #path = /var/run/dovecot/auth-master\n"
" # Default user/group is the one who started dovecot-auth (root)\n"
" # The client socket is generally safe to export to everyone. Typical "
" # is to export it to your SMTP server so it can do SMTP AUTH lookups\n"
" path = /var/spool/postfix/private/auth-client\n"
" user = postfix\n"
" group = postfix\n"
"Once you have <application>Dovecot</application> configured restart it with:"
#: serverguide/C/mail.xml:242(command) serverguide/C/mail.xml:634(command)
msgid "sudo /etc/init.d/dovecot restart"
#: serverguide/C/mail.xml:247(para)
"SMTP-AUTH configuration is complete. Now it is time to test the setup."
#: serverguide/C/mail.xml:250(para)
msgid "To see if SMTP-AUTH and TLS work properly, run the following command:"
#: serverguide/C/mail.xml:255(command)
msgid "telnet mail.example.com 25"
#: serverguide/C/mail.xml:257(para)
"After you have established the connection to the postfix mail server, type:"
#: serverguide/C/mail.xml:261(screen)
"ehlo mail.example.com\n"
#: serverguide/C/mail.xml:264(para)
"If you see the following lines among others, then everything is working "
"perfectly. Type <command>quit</command> to exit."
#: serverguide/C/mail.xml:268(programlisting)
"250-AUTH LOGIN PLAIN\n"
"250-AUTH=LOGIN PLAIN\n"
#: serverguide/C/mail.xml:278(para)
"This section introduces some common ways to determine the cause if problems "
#: serverguide/C/mail.xml:282(title)
msgid "Escaping chroot"
#: serverguide/C/mail.xml:283(para)
"The Ubuntu <application>postfix</application> package will by default "
"install into a <emphasis>chroot</emphasis> environment for security reasons. "
"This can add greater complexity when troubleshooting problems."
#: serverguide/C/mail.xml:287(para)
"To turn off the chroot operation locate for the following line in the "
"<filename>/etc/postfix/master.cf</filename> configuration file:"
#: serverguide/C/mail.xml:291(screen)
"smtp inet n - - - - smtpd\n"
#: serverguide/C/mail.xml:294(para)
msgid "and modify it as follows:"
#: serverguide/C/mail.xml:297(screen)
"smtp inet n - n - - smtpd\n"
#: serverguide/C/mail.xml:300(para)
"You will then need to restart Postfix to use the new configuration. From a "
"terminal prompt enter:"
#: serverguide/C/mail.xml:308(title)
#: serverguide/C/mail.xml:309(para)
"<application>Postfix</application> sends all log messages to "
"<filename>/var/log/mail.log</filename>. However error and warning messages "
"can sometimes get lost in the normal log output so they are also logged to "
"<filename>/var/log/mail.err</filename> and "
"<filename>/var/log/mail.warn</filename> respectively."
#: serverguide/C/mail.xml:314(para)
"To see messages entered into the logs in real time you can use the "
"<application>tail -f</application> command:"
#: serverguide/C/mail.xml:319(command)
msgid "tail -f /var/log/mail.err"
#: serverguide/C/mail.xml:321(para)
"The amount of detail that is recorded in the logs can be increased. Below "
"are some configuration options for increasing the log level for some of the "
"areas covered above."
#: serverguide/C/mail.xml:327(para)
"To increase <emphasis>TLS</emphasis> activity logging set the "
"<emphasis>smtpd_tls_loglevel</emphasis> option to a value from 1 to 4."
#: serverguide/C/mail.xml:331(command)
msgid "sudo postconf -e 'smtpd_tls_loglevel = 4'"
#: serverguide/C/mail.xml:335(para)
"If you are having trouble sending or receiving mail from a specific domain "
"you can add the domain to the <emphasis>debug_peer_list</emphasis> parameter."
#: serverguide/C/mail.xml:340(command)
msgid "sudo postconf -e 'debug_peer_list = problem.domain'"
#: serverguide/C/mail.xml:344(para)
"You can increase the verbosity of any <application>Postfix</application> "
"daemon process by editing the <filename>/etc/postfix/master.cf</filename> "
"and adding a <emphasis>-v</emphasis> after the entry. For example edit the "
"<emphasis>smtp</emphasis> entry:"
#: serverguide/C/mail.xml:348(programlisting)
"smtp unix - - - - - smtp -v\n"
#: serverguide/C/mail.xml:354(para)
"It is important to note that after making one of the logging changes above "
"the <application>Postfix</application> process will need to be reloaded in "
"order to recognize the new configuration: <command>sudo /etc/init.d/postfix "
#: serverguide/C/mail.xml:361(para)
"To increase the amount of information logged when troubleshooting "
"<emphasis>SASL</emphasis> issues you can set the following options in "
"<filename>/etc/dovecot/dovecot.conf</filename>"
#: serverguide/C/mail.xml:365(programlisting)
"auth_debug_passwords=yes\n"
#: serverguide/C/mail.xml:372(para)
"Just like <application>Postfix</application> if you change a "
"<application>Dovecot</application> configuration the process will need to be "
"reloaded: <command>sudo /etc/init.d/dovecot reload</command>."
#: serverguide/C/mail.xml:378(para)
"Some of the options above can drastically increase the amount of information "
"sent to the log files. Remember to return the log level back to normal after "
"you have corrected the problem. Then reload the appropriate daemon for the "
"new configuration to take affect."
#: serverguide/C/mail.xml:386(para)
"Administering a <application>Postfix</application> server can be a very "
"complicated task. At some point you may need to turn to the Ubuntu community "
"for more experienced help."
#: serverguide/C/mail.xml:390(para)
"A great place to ask for <application>Postfix</application> assistance, and "
"get involved with the Ubuntu Server community, is the <emphasis>#ubuntu-"
"server</emphasis> IRC channel on <ulink "
"url=\"http://freenode.net\">freenode</ulink>. You can also post a message to "
"one of the <ulink "
"url=\"http://www.ubuntu.com/support/community/webforums\">Web Forums</ulink>."
#: serverguide/C/mail.xml:395(para)
"For in depth <application>Postfix</application> information Ubuntu "
"developers highly recommend: <ulink url=\"http://www.postfix-book.com/\">The "
"Book of Postfix</ulink>."
#: serverguide/C/mail.xml:399(para)
"Finally, the <ulink "
"url=\"http://www.postfix.org/documentation.html\">Postfix</ulink> website "
"also has great documentation on all the different configuration options "
#: serverguide/C/mail.xml:408(title) serverguide/C/mail.xml:753(title) serverguide/C/mail.xml:869(title)
#: serverguide/C/mail.xml:409(para)
"<application>Exim4</application> is another Message Transfer Agent (MTA) "
"developed at the University of Cambridge for use on Unix systems connected "
"to the Internet. Exim can be installed in place of "
"<application>sendmail</application>, although the configuration of "
"<application>exim</application> is quite different to that of "
"<application>sendmail</application>."
#: serverguide/C/mail.xml:420(para)
"To install <application>exim4</application>, run the following command: "
"<command>sudo apt-get install exim4</command>\n"
#: serverguide/C/mail.xml:429(para)
"To configure <application>Exim4</application>, run the following command:"
#: serverguide/C/mail.xml:433(command)
msgid "sudo dpkg-reconfigure exim4-config"
#: serverguide/C/mail.xml:435(para)
"The user interface will be displayed. The user interface lets you configure "
"many parameters. For example, In <application>Exim4</application> the "
"configuration files are split among multiple files. If you wish to have them "
"in one file you can configure accordingly in this user interface."
#: serverguide/C/mail.xml:443(para)
"All the parameters you configure in the user interface are stored in "
"<filename>/etc/exim4/update-exim4.conf.conf</filename> file. If you wish to "
"re-configure, either you re-run the configuration wizard or manually edit "
"this file using your favourite editor. Once you configure, you can run the "
"following command to generate the master configuration file:"
#: serverguide/C/mail.xml:454(command) serverguide/C/mail.xml:527(command)
msgid "sudo update-exim4.conf"
#: serverguide/C/mail.xml:456(para)
"The master configuration file, is generated and it is stored in "
"<filename>/var/lib/exim4/config.autogenerated</filename>."
#: serverguide/C/mail.xml:462(para)
"At any time, you should not edit the master configuration file, "
"<filename>/var/lib/exim4/config.autogenerated</filename> manually. It is "
"updated automatically every time you run <command>update-exim4.conf</command>"
#: serverguide/C/mail.xml:470(para)
"You can run the following command to start <application>Exim4</application> "
#: serverguide/C/mail.xml:475(command) serverguide/C/mail.xml:875(command)
msgid "sudo /etc/init.d/exim4 start"
#: serverguide/C/mail.xml:480(para)
"This section covers configuring Exim4 to use SMTP-AUTH with TLS and SASL."
#: serverguide/C/mail.xml:483(para)
"The first step is to create a certificate for use with TLS. Enter the "
"following into a terminal prompt:"
#: serverguide/C/mail.xml:487(command)
msgid "sudo /usr/share/doc/exim4-base/examples/exim-gencert"
#: serverguide/C/mail.xml:489(para)
"Now Exim4 needs to be configured for TLS by editing "
"<filename>/etc/exim4/conf.d/main/03_exim4-config_tlsoptions</filename> add "
#: serverguide/C/mail.xml:493(programlisting)
"MAIN_TLS_ENABLE = yes\n"
#: serverguide/C/mail.xml:496(para)
"Next you need to configure <application>Exim4</application> to use the "
"<application>saslauthd</application> for authentication. Edit "
"<filename>/etc/exim4/conf.d/auth/30_exim4-config_examples</filename> and "
"uncomment the <emphasis>plain_saslauthd_server</emphasis> and "
"<emphasis>login_saslauthd_server</emphasis> sections:"
#: serverguide/C/mail.xml:501(programlisting)
" plain_saslauthd_server:\n"
" driver = plaintext\n"
" public_name = PLAIN\n"
" server_condition = ${if saslauthd{{$auth2}{$auth3}}{1}{0}}\n"
" server_set_id = $auth2\n"
" server_prompts = :\n"
" .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS\n"
" server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}\n"
" login_saslauthd_server:\n"
" driver = plaintext\n"
" public_name = LOGIN\n"
" server_prompts = \"Username:: : Password::\"\n"
" # don't send system passwords over unencrypted connections\n"
" server_condition = ${if saslauthd{{$auth1}{$auth2}}{1}{0}}\n"
" server_set_id = $auth1\n"
" .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS\n"
" server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}\n"
#: serverguide/C/mail.xml:523(para)
msgid "Finally, update the Exim4 configuration and restart the service:"
#: serverguide/C/mail.xml:528(command)
msgid "sudo /etc/init.d/exim4 restart"
#: serverguide/C/mail.xml:533(para)
"This section provides details on configuring the saslauthd to provide "
"authentication for <application>Exim4</application>."
#: serverguide/C/mail.xml:536(para)
"The first step is to install the sasl2-bin package. From a terminal prompt "
"enter the following:"
#: serverguide/C/mail.xml:540(command)
msgid "sudo apt-get install sasl2-bin"
#: serverguide/C/mail.xml:542(para)
"To configure saslauthd edit the /etc/default/saslauthd configuration file "
"and set START=no to:"
#: serverguide/C/mail.xml:545(programlisting)
#: serverguide/C/mail.xml:548(para)
"Next the <emphasis>Debian-exim</emphasis> user needs to be part of the "
"<emphasis>sasl</emphasis> group in order for Exim4 to use the saslauthd "
#: serverguide/C/mail.xml:553(command)
msgid "sudo adduser Debian-exim sasl"
#: serverguide/C/mail.xml:555(para)
msgid "Now start the <application>saslauthd</application> service:"
#: serverguide/C/mail.xml:559(command)
msgid "sudo /etc/init.d/saslauthd start"
#: serverguide/C/mail.xml:561(para)
"<application>Exim4</application> is now configured with SMTP-AUTH using TLS "
"and SASL authentication."
#: serverguide/C/mail.xml:567(title)
msgid "Dovecot Server"
#: serverguide/C/mail.xml:568(para)
"<application>Dovecot</application> is a Mail Delivery Agent, written with "
"security primarily in mind. It supports the major mailbox formats: mbox or "
"Maildir. This section explain how to set it up as an imap or pop3 server."
#: serverguide/C/mail.xml:576(para)
"To install <application>dovecot</application>, run the following command in "
"the command prompt:"
#: serverguide/C/mail.xml:581(command)
msgid "sudo apt-get install dovecot-imapd dovecot-pop3d"
#: serverguide/C/mail.xml:586(para)
"To configure <application>dovecot</application>, you can edit the file "
"<filename>/etc/dovecot/dovecot.conf</filename>. You can choose the protocol "
"you use. It could be pop3, pop3s (pop3 secure), imap and imaps (imap "
"secure). A description of these protocols is beyond the scope of this guide. "
"For further information, refer to the Wikipedia articles on <ulink "
"url=\"http://en.wikipedia.org/wiki/POP3\">POP3</ulink> and <ulink "
"url=\"http://en.wikipedia.org/wiki/Internet_Message_Access_Protocol\">IMAP</u"
#: serverguide/C/mail.xml:596(para)
"IMAPS and POP3S are more secure that the simple IMAP and POP3 because they "
"use SSL encryption to connect. Once you have chosen the protocol, amend the "
"following line in the file <filename>/etc/dovecot/dovecot.conf</filename>:"
#: serverguide/C/mail.xml:602(programlisting)
"protocols = pop3 pop3s imap imaps\n"
#: serverguide/C/mail.xml:605(para)
"Next, choose the mailbox you would like to use. "
"<application>Dovecot</application> supports <emphasis "
"role=\"strong\">maildir</emphasis> and <emphasis "
"role=\"strong\">mbox</emphasis> formats. These are the most commonly used "
"mailbox formats. They both have their own benefits and are discussed on "
"<ulink url=\"http://wiki.dovecot.org/MailboxFormat\">the Dovecot web "
#: serverguide/C/mail.xml:613(para)
"Once you have chosen your mailbox type, edit the file "
"<filename>/etc/dovecot/dovecot.conf</filename> and change the following line:"
#: serverguide/C/mail.xml:618(programlisting)
"mail_location = maildir:~/Maildir # (for maildir)\n"
"mail_location = mbox:~/mail:INBOX=/var/spool/mail/%u # (for mbox)\n"
#: serverguide/C/mail.xml:624(para)
"You should configure your Mail Transport Agent (MTA) to transfer the "
"incoming mail to this type of mailbox if it is different from the one you "
#: serverguide/C/mail.xml:630(para)
"Once you have configured dovecot, restart the "
"<application>dovecot</application> daemon in order to test your setup:"
#: serverguide/C/mail.xml:635(para)
"If you have enabled imap, or pop3, you can also try to log in with the "
"commands <command>telnet localhost pop3</command> or <command>telnet "
"localhost imap2</command>. If you see something like the following, the "
"installation has been successful:"
#: serverguide/C/mail.xml:642(programlisting)
"bhuvan@rainbow:~$ telnet localhost pop3\n"
"Trying 127.0.0.1...\n"
"Connected to localhost.localdomain.\n"
"Escape character is '^]'.\n"
"+OK Dovecot ready.\n"
#: serverguide/C/mail.xml:651(title)
msgid "Dovecot SSL Configuration"
#: serverguide/C/mail.xml:652(para)
"To configure <application>dovecot</application> to use SSL, you can edit the "
"file <filename>/etc/dovecot/dovecot.conf</filename> and amend following "
#: serverguide/C/mail.xml:657(programlisting)
"ssl_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem\n"
"ssl_key_file = /etc/ssl/private/ssl-cert-snakeoil.key\n"
"ssl_disable = no\n"
"disable_plaintext_auth = no\n"
#: serverguide/C/mail.xml:663(para)
"You can get the SSL certificate from a Certificate Issuing Authority or you "
"can create self signed SSL certificate. The latter is a good option for "
"email, because SMTP clients rarely complain about \"self-signed "
"certificates\". Please refer to <xref linkend=\"certificates-and-"
"security\"/> for details about how to create self signed SSL certificate. "
"Once you create the certificate, you will have a key file and a certificate "
"file. Please copy them to the location pointed in the "
"<filename>/etc/dovecot/dovecot.conf</filename> configuration file."
#: serverguide/C/mail.xml:678(title)
msgid "Firewall Configuration for an Email Server"
#: serverguide/C/mail.xml:684(para)
#: serverguide/C/mail.xml:685(para)
msgid "IMAPS - 993"
#: serverguide/C/mail.xml:686(para)
#: serverguide/C/mail.xml:687(para)
msgid "POP3S - 995"
#: serverguide/C/mail.xml:679(para)
"To access your mail server from another computer, you must configure your "
"firewall to allow connections to the server on the necessary ports. "
#: serverguide/C/mail.xml:693(title) serverguide/C/mail.xml:771(title) serverguide/C/mail.xml:994(title)
#: serverguide/C/mail.xml:694(para)
"Mailman is an open source program for managing electronic mail discussions "
"and e-newsletter lists. Many open source mailing lists (including all the "
"<ulink url=\"http://lists.ubuntu.com\">Ubuntu mailing lists</ulink>) use "
"Mailman as their mailing list software. It is powerful and easy to install "
"Mailman provides a web interface for the administrators and users. So, it "
"requires Apache with mod_perl support. Mailman uses an external mail server "
"to send and receive emails. It works perfectly with the following mail "
#: serverguide/C/mail.xml:716(application)
#: serverguide/C/mail.xml:719(application)
#: serverguide/C/mail.xml:722(application)
#: serverguide/C/mail.xml:727(para)
"We will see how to install and configure Mailman with, the Apache web "
"server, and either the Postfix or Exim mail server. If you wish to install "
"Mailman with a different mail server, please refer to the references section."
#: serverguide/C/mail.xml:734(para)
"You only need to install one mail server and "
"<application>Postfix</application> is the default Ubuntu Mail Transfer Agent."
#: serverguide/C/mail.xml:739(title) serverguide/C/mail.xml:798(title)
#: serverguide/C/mail.xml:740(para)
"To install apache2 you refer to <ulink url=\"./web-servers.xml#http-"
"installation\">HTTPD Installation</ulink> section for details."
#: serverguide/C/mail.xml:748(para)
"For instructions on installing and configuring Postfix refer to <xref "
"linkend=\"postfix\"/>"
#: serverguide/C/mail.xml:754(para)
msgid "To install Exim4 refer to <xref linkend=\"exim4\"/>."
#: serverguide/C/mail.xml:765(application)
msgid "dc_use_split_config='true'"
#: serverguide/C/mail.xml:757(para)
"Once exim4 is installed, the configuration files are stored in the "
"<filename>/etc/exim4</filename> directory. In Ubuntu, by default, the exim4 "
"configuration files are split across different files. You can change this "
"behavior by changing the following variable in the "
"<filename>/etc/exim4/update-exim4.conf</filename> file: <placeholder-1/>"
#: serverguide/C/mail.xml:772(para)
"To install <application>Mailman</application>, run following command at a "
#: serverguide/C/mail.xml:776(command)
msgid "sudo apt-get install mailman"
#: serverguide/C/mail.xml:778(para)
"It copies the installation files in "
"<application>/var/lib/mailman</application> directory. It installs the CGI "
"scripts in <application>/usr/lib/cgi-bin/mailman</application> directory. It "
"creates <emphasis>list</emphasis> linux user. It creates the "
"<emphasis>list</emphasis> linux group. The mailman process will be owned by "
#: serverguide/C/mail.xml:790(para)
"This section assumes you have successfully installed "
"<application>mailman</application>, <application>apache2</application>, and "
"<application>postfix</application> or <application>exim4</application>. Now "
"you just need to configure them."
#: serverguide/C/mail.xml:799(para)
"An example Apache configuration file comes with "
"<application>Mailman</application> and is placed in "
"<filename>/etc/mailman/apache.conf</filename>. In order for Apache to use "
"the config file it needs to be copied to <filename>/etc/apache2/sites-"
"available</filename>:"
#: serverguide/C/mail.xml:805(command)
"sudo cp /etc/mailman/apache.conf /etc/apache2/sites-available/mailman.conf"
#: serverguide/C/mail.xml:807(para)
"This will setup a new Apache <emphasis>VirtualHost</emphasis> for the "
"Mailman administration site. Now enable the new configuration and restart "
#: serverguide/C/mail.xml:812(command)
msgid "sudo a2ensite mailman.conf"
#: serverguide/C/mail.xml:815(para)
"Mailman uses apache2 to render its CGI scripts. The mailman CGI scripts are "
"installed in the <application>/usr/lib/cgi-bin/mailman</application> "
"directory. So, the mailman url will be http://hostname/cgi-bin/mailman/. You "
"can make changes to the <filename>/etc/apache2/sites-"
"available/mailman.conf</filename> file if you wish to change this behavior."
#: serverguide/C/mail.xml:826(para)
"For <application>Postfix</application> integration, we will associate the "
"domain lists.example.com with the mailing lists. Please replace "
"<emphasis>lists.example.com</emphasis> with the domain of your choosing."
#: serverguide/C/mail.xml:830(para)
"You can use the postconf command to add the necessary configuration to "
"<filename>/etc/postfix/main.cf</filename>:"
#: serverguide/C/mail.xml:834(command)
msgid "sudo postconf -e 'relay_domains = lists.example.com'"
#: serverguide/C/mail.xml:835(command)
msgid "sudo postconf -e 'transport_maps = hash:/etc/postfix/transport'"
#: serverguide/C/mail.xml:836(command)
msgid "sudo postconf -e 'mailman_destination_recipient_limit = 1'"
#: serverguide/C/mail.xml:838(para)
"In <filename>/etc/postfix/master.cf</filename> double check that you have "
"the following transport:"
#: serverguide/C/mail.xml:841(programlisting)
"mailman unix - n n - - pipe\n"
" flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py\n"
" ${nexthop} ${user}\n"
#: serverguide/C/mail.xml:846(para)
"It calls the <emphasis>postfix-to-mailman.py</emphasis> script when a mail "
"is delivered to a list."
#: serverguide/C/mail.xml:849(para)
"Associate the domain lists.example.com to the Mailman transport with the "
"transport map. Edit the file <filename>/etc/postfix/transport</filename>:"
#: serverguide/C/mail.xml:852(programlisting)
"lists.example.com mailman:\n"
#: serverguide/C/mail.xml:855(para)
"Now have <application>Postfix</application> build the transport map by "
"entering the following from a terminal prompt:"
#: serverguide/C/mail.xml:859(command)
msgid "sudo postmap -v /etc/postfix/transport"
#: serverguide/C/mail.xml:861(para)
msgid "Then restart Postfix to enable the new configurations:"
#: serverguide/C/mail.xml:870(para)
"Once Exim4 is installed, you can start the Exim server using the following "
"command from a terminal prompt:"
#: serverguide/C/mail.xml:886(para) serverguide/C/mail.xml:901(title)
#: serverguide/C/mail.xml:889(para) serverguide/C/mail.xml:941(title)
#: serverguide/C/mail.xml:892(para) serverguide/C/mail.xml:964(title)
#: serverguide/C/mail.xml:877(para)
"In order to make mailman work with Exim4, you need to configure Exim4. As "
"mentioned earlier, by default, Exim4 uses multiple configuration files of "
"different types. For details, please refer to the <ulink "
"url=\"http://www.exim.org\">Exim</ulink> web site. To run mailman, we should "
"add new a configuration file to the following configuration types: "
"<placeholder-1/> Exim creates a master configuration file by sorting all "
"these mini configuration files. So, the order of these configuration files "
"is very important."
#: serverguide/C/mail.xml:908(programlisting)
"# Home dir for your Mailman installation -- aka Mailman's prefix\n"
"# On Ubuntu this should be \"/var/lib/mailman\"\n"
"# This is normally the same as ~mailman\n"
"MM_HOME=/var/lib/mailman\n"
"# User and group for Mailman, should match your --with-mail-gid\n"
"# switch to Mailman's configure script. Value is normally \"mailman\"\n"
"# Domains that your lists are in - colon separated list\n"
"# you may wish to add these into local_domains as well\n"
"domainlist mm_domains=hostname.com\n"
"# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\n"
"# These values are derived from the ones above and should not need\n"
"# editing unless you have munged your mailman installation\n"
"# The path of the Mailman mail wrapper script\n"
"MM_WRAP=MM_HOME/mail/mailman\n"
"# The path of the list config file (used as a required file when\n"
"# verifying list addresses)\n"
"MM_LISTCHK=MM_HOME/lists/${lc::$local_part}/config.pck\n"
#: serverguide/C/mail.xml:902(para)
"All the configuration files belonging to the main type are stored in the "
"<filename>/etc/exim4/conf.d/main/</filename> directory. You can add the "
"following content to a new file, named <filename>04_exim4-"
"config_mailman</filename>: <placeholder-1/>"
#: serverguide/C/mail.xml:948(programlisting)
" mailman_transport:\n"
" command = MM_WRAP \\\n"
" '${if def:local_part_suffix \\\n"
" {${sg{$local_part_suffix}{-(\\\\w+)(\\\\+.*)?}{\\$1}}} "
" current_directory = MM_HOME\n"
" home_directory = MM_HOME\n"
" group = MM_GID\n"
#: serverguide/C/mail.xml:942(para)
"All the configuration files belonging to transport type are stored in the "
"<filename>/etc/exim4/conf.d/transport/</filename> directory. You can add the "
"following content to a new file named <filename> 40_exim4-"
"config_mailman</filename>: <placeholder-1/>"
#: serverguide/C/mail.xml:969(programlisting)
" mailman_router:\n"
" driver = accept\n"
" require_files = MM_HOME/lists/$local_part/config.pck\n"
" local_part_suffix_optional\n"
" local_part_suffix = -bounces : -bounces+* : \\\n"
" -confirm+* : -join : -leave : \\\n"
" -owner : -request : -admin\n"
" transport = mailman_transport\n"
#: serverguide/C/mail.xml:965(para)
"All the configuration files belonging to router type are stored in the "
"<filename>/etc/exim4/conf.d/router/</filename> directory. You can add the "
"following content in to a new file named <filename>101_exim4-"
"config_mailman</filename>: <placeholder-1/>"
#: serverguide/C/mail.xml:982(para)
"The order of main and transport configuration files can be in any order. "
"But, the order of router configuration files must be the same. This "
"particular file must appear before the <application>200_exim4-"
"config_primary</application> file. These two configuration files contain "
"same type of information. The first file takes the precedence. For more "
"details, please refer to the references section."
#: serverguide/C/mail.xml:995(para)
"Once mailman is installed, you can run it using the following command:"
#: serverguide/C/mail.xml:999(command)
msgid "sudo /etc/init.d/mailman start"
#: serverguide/C/mail.xml:1001(para)
"Once mailman is installed, you should create the default mailing list. Run "
"the following command to create the mailing list:"
#: serverguide/C/mail.xml:1007(command)
msgid "sudo /usr/sbin/newlist mailman"
#: serverguide/C/mail.xml:1010(programlisting)
" Enter the email address of the person running the list: bhuvan at "
" Initial mailman password:\n"
" To finish creating your mailing list, you must edit your "
"<filename>/etc/aliases</filename> (or\n"
" equivalent) file by adding the following lines, and possibly running the\n"
" `newaliases' program:\n"
" ## mailman mailing list\n"
" mailman: \"|/var/lib/mailman/mail/mailman post mailman\"\n"
" mailman-admin: \"|/var/lib/mailman/mail/mailman admin mailman\"\n"
" mailman-bounces: \"|/var/lib/mailman/mail/mailman bounces mailman\"\n"
" mailman-confirm: \"|/var/lib/mailman/mail/mailman confirm mailman\"\n"
" mailman-join: \"|/var/lib/mailman/mail/mailman join mailman\"\n"
" mailman-leave: \"|/var/lib/mailman/mail/mailman leave mailman\"\n"
" mailman-owner: \"|/var/lib/mailman/mail/mailman owner mailman\"\n"
" mailman-request: \"|/var/lib/mailman/mail/mailman request mailman\"\n"
" mailman-subscribe: \"|/var/lib/mailman/mail/mailman subscribe "
" mailman-unsubscribe: \"|/var/lib/mailman/mail/mailman unsubscribe "
" Hit enter to notify mailman owner...\n"
#: serverguide/C/mail.xml:1033(para)
"We have configured either Postfix or Exim4 to recognize all emails from "
"mailman. So, it is not mandatory to make any new entries in "
"<filename>/etc/aliases</filename>. If you have made any changes to the "
"configuration files, please ensure that you restart those services before "
"continuing to next section."
#: serverguide/C/mail.xml:1043(title)
msgid "Administration"
#: serverguide/C/mail.xml:1044(para)
"We assume you have a default installation. The mailman cgi scripts are still "
"in the <application>/usr/lib/cgi-bin/mailman/</application> directory. "
"Mailman provides a web based administration facility. To access this page, "
"point your browser to the following url:"
#: serverguide/C/mail.xml:1052(para)
msgid "http://hostname/cgi-bin/mailman/admin"
#: serverguide/C/mail.xml:1056(para)
"The default mailing list, <emphasis>mailman</emphasis>, will appear in this "
"screen. If you click the mailing list name, it will ask for your "
"authentication password. If you enter the correct password, you will be able "
"to change administrative settings of this mailing list. You can create a new "
"mailing list using the command line utility "
"(<command>/usr/sbin/newlist</command>). Alternatively, you can create a new "
"mailing list using the web interface."
#: serverguide/C/mail.xml:1069(title)
#: serverguide/C/mail.xml:1070(para)
"Mailman provides a web based interface for users. To access this page, point "
"your browser to the following url:"
#: serverguide/C/mail.xml:1075(para)
msgid "http://hostname/cgi-bin/mailman/listinfo"
#: serverguide/C/mail.xml:1079(para)
"The default mailing list, <emphasis>mailman</emphasis>, will appear in this "
"screen. If you click the mailing list name, it will display the subscription "
"form. You can enter your email address, name (optional), and password to "
"subscribe. An email invitation will be sent to you. You can follow the "
"instructions in the email to subscribe."
#: serverguide/C/mail.xml:1091(ulink)
msgid "GNU Mailman - Installation Manual"
#: serverguide/C/mail.xml:1095(ulink)
msgid "HOWTO - Using Exim 4 and Mailman 2.1 together"
#: serverguide/C/mail.xml:1101(title)
msgid "Mail Filtering"
#: serverguide/C/mail.xml:1102(para)
"One of the largest issues with email today is the problem of Unsolicited "
"Bulk Email (UBE). Also known as SPAM, such messages may also carry viruses "
"and other forms of malware. According to some reports these messages make up "
"the bulk of all email traffic on the Internet."
#: serverguide/C/mail.xml:1107(para)
"This section will cover integrating <application>Amavisd-new</application>, "
"<application>Spamassassin</application>, and "
"<application>ClamAV</application> with the "
"<application>Postfix</application> Mail Transport Agent (MTA). "
"<application>Postfix</application> can also check email validity by passing "
"it through external content filters. These filters can sometimes determine "
"if a message is spam without needing to process it with more resource "
"intensive applications. Two common filters are <application>dkim-"
"filter</application> and <application>python-policyd-spf</application>."
#: serverguide/C/mail.xml:1117(para)
"<application>Amavisd-new</application> is a wrapper program that can call "
"any number of content filtering programs for spam detection, antivirus, etc."
#: serverguide/C/mail.xml:1123(para)
"<application>Spamassassin</application> uses a variety of mechanisms to "
"filter email based on the message content."
#: serverguide/C/mail.xml:1128(para)
"<application>ClamAV</application> is an open source antivirus application."
#: serverguide/C/mail.xml:1133(para)
"<application>dkim-filter</application> implements a Sendmail Mail Filter "
"(Milter) for the DomainKeys Identified Mail (DKIM) standard."
#: serverguide/C/mail.xml:1139(para)
"<application>python-policyd-spf</application> enables Sender Policy "
"Framework (SPF) checking with <application>Postfix</application>."
#: serverguide/C/mail.xml:1144(para)
msgid "This is how the pieces fit together:"
#: serverguide/C/mail.xml:1149(para)
msgid "An email message is accepted by <application>Postfix</application>."
#: serverguide/C/mail.xml:1154(para)
"The message is passed through any external filters <application>dkim-"
"filter</application> and <application>python-policyd-spf</application> in "
#: serverguide/C/mail.xml:1160(para)
msgid "<application>Amavisd-new</application> then processes the message."
#: serverguide/C/mail.xml:1165(para)
"<application>ClamAV</application> is used to scan the message. If the "
"message contains a virus <application>Postfix</application> will reject the "
#: serverguide/C/mail.xml:1171(para)
"Clean messages will then be analyzed by "
"<application>Spamassassin</application> to find out if the message is spam. "
"<application>Spamassassin</application> will then add X-Header lines "
"allowing <application>Amavisd-new</application> to further manipulate the "
#: serverguide/C/mail.xml:1178(para)
"For example, if a message has a Spam score of over fifty the message could "
"be automatically dropped from the queue without the recipient ever having to "
"be bothered. Another, way to handle flagged messages is to deliver them to "
"the Mail User Agent (MUA) allowing the user to deal with the message as they "
#: serverguide/C/mail.xml:1185(para)
"See <xref linkend=\"postfix\"/> for instructions on installing and "
"configuring Postfix."
#: serverguide/C/mail.xml:1188(para)
"To install the rest of the applications enter the following from a terminal "
#: serverguide/C/mail.xml:1192(command)
msgid "sudo apt-get install amavisd-new spamassassin clamav-daemon"
#: serverguide/C/mail.xml:1193(command)
msgid "sudo apt-get install dkim-filter python-policyd-spf"
#: serverguide/C/mail.xml:1195(para)
"There are some optional packages that integrate with "
"<application>Spamassassin</application> for better spam detection:"
#: serverguide/C/mail.xml:1199(command)
msgid "sudo apt-get install pyzor razor"
#: serverguide/C/mail.xml:1201(para)
"Along with the main filtering applications compression utilities are needed "
"to process some email attachments:"
"sudo apt-get install arj cabextract cpio lha nomarch pax rar unrar unzip "
#: serverguide/C/mail.xml:1210(para)
msgid "Now configure everything to work together and filter email."
#: serverguide/C/mail.xml:1214(title)
#: serverguide/C/mail.xml:1215(para)
"The default behaviour of <application>ClamAV</application> will fit our "
"needs. For more ClamAV configuration options, check the configuration files "
"in <filename>/etc/clamav</filename>."
#: serverguide/C/mail.xml:1220(para)
"Add the <emphasis>clamav</emphasis> user to the <emphasis>amavis</emphasis> "
"group in order for <application>Amavisd-new</application> to have the "
"appropriate access to scan files:"
#: serverguide/C/mail.xml:1225(command)
msgid "sudo adduser clamav amavis"
#: serverguide/C/mail.xml:1229(title)
msgid "Spamassassin"
#: serverguide/C/mail.xml:1230(para)
"Spamassassin automatically detects optional components and will use them if "
"they are present. This means that there is no need to configure "
"<application>pyzor</application> and <application>razor</application>."
#: serverguide/C/mail.xml:1234(para)
"Edit <filename>/etc/default/spamassassin</filename> to activate the "
"<application>Spamassassin</application> daemon. Change "
"<emphasis>ENABLED=0</emphasis> to:"
#: serverguide/C/mail.xml:1238(programlisting)
#: serverguide/C/mail.xml:1241(para)
msgid "Now start the daemon:"
#: serverguide/C/mail.xml:1245(command)
msgid "sudo /etc/init.d/spamassassin start"
#: serverguide/C/mail.xml:1249(title)
msgid "Amavisd-new"
#: serverguide/C/mail.xml:1250(para)
"First activate spam and antivirus detection in <application>Amavisd-"
"new</application> by editing <filename>/etc/amavis/conf.d/15-"
"content_filter_mode</filename>:"
#: serverguide/C/mail.xml:1254(programlisting)
"# You can modify this file to re-enable SPAM checking through spamassassin\n"
"# and to re-enable antivirus checking.\n"
"# Default antivirus checking mode\n"
"# Uncomment the two lines below to enable it\n"
"@bypass_virus_checks_maps = (\n"
" \\%bypass_virus_checks, \\@bypass_virus_checks_acl, \\"
"$bypass_virus_checks_re);\n"
"# Default SPAM checking mode\n"
"# Uncomment the two lines below to enable it\n"
"@bypass_spam_checks_maps = (\n"
" \\%bypass_spam_checks, \\@bypass_spam_checks_acl, \\"
"$bypass_spam_checks_re);\n"
"1; # insure a defined return\n"
#: serverguide/C/mail.xml:1279(para)
"Bouncing spam can be a bad idea as the return address is often faked. "
"Consider editing <filename>/etc/amavis/conf.d/20-debian_defaults</filename> "
"to set <emphasis>$final_spam_destiny</emphasis> to D_DISCARD rather than "
"D_BOUNCE, as follows:"
#: serverguide/C/mail.xml:1284(programlisting)
"$final_spam_destiny = D_DISCARD;\n"
#: serverguide/C/mail.xml:1288(para)
"If the server's <emphasis>hostname</emphasis> is different from the domain's "
"MX record you may need to manually set the <emphasis>$myhostname</emphasis> "
"option. Also, if the server receives mail for multiple domains the "
"<emphasis>@local_domains_acl</emphasis> option will need to be customized. "
"Edit the <filename>/etc/amavis/conf.d/50-user</filename> file:"
#: serverguide/C/mail.xml:1295(programlisting)
"$myhostname = 'mail.example.com';\n"
"@local_domains_acl = ( \"example.com\", \"example.org\" );\n"
#: serverguide/C/mail.xml:1300(para)
"After configuration <application>Amavisd-new</application> needs to be "
#: serverguide/C/mail.xml:1304(command) serverguide/C/mail.xml:1350(command)
msgid "sudo /etc/init.d/amavis restart"
#: serverguide/C/mail.xml:1307(title)
msgid "DKIM Whitelist"
#: serverguide/C/mail.xml:1309(para)
"<application>Amavisd-new</application> can be configured to automatically "
"<emphasis>Whitelist</emphasis> addresses from domains with valid Domain "
"Keys. There are some pre-configured domains in the "
"<filename>/etc/amavis/conf.d/40-policy_banks</filename>."
#: serverguide/C/mail.xml:1315(para)
msgid "There are multiple ways to configure the Whitelist for a domain:"
#: serverguide/C/mail.xml:1321(para)
"<emphasis>'example.com' => 'WHITELIST',</emphasis>: will whitelist any "
"address from the \"example.com\" domain."
#: serverguide/C/mail.xml:1326(para)
"<emphasis>'.example.com' => 'WHITELIST',</emphasis>: will whitelist any "
"address from any <emphasis>subdomains</emphasis> of \"example.com\" that "
"have a valid signature."
#: serverguide/C/mail.xml:1332(para)
"<emphasis>'.example.com/@example.com' => 'WHITELIST',</emphasis>: will "
"whitelist subdomains of \"example.com\" that use the signature of <emphasis "
"role=\"italic\">example.com</emphasis> the parent domain."
#: serverguide/C/mail.xml:1338(para)
"<emphasis>'./@example.com' => 'WHITELIST',</emphasis>: adds addresses "
"that have a valid signature from \"example.com\". This is usually used for "
"discussion groups that sign thier messages."
#: serverguide/C/mail.xml:1345(para)
"A domain can also have multiple Whitelist configurations. After, editing the "
"file restart <application>amaisd-new</application>:"
#: serverguide/C/mail.xml:1354(para)
"In this context, once a domain has been added to the Whitelist the message "
"will not receive any anti-virus or spam filtering. This may or may not be "
"the intended behavior you wish for a domain."
#: serverguide/C/mail.xml:1364(para)
"For <application>Postfix</application> integration, enter the following from "
"a terminal prompt:"
#: serverguide/C/mail.xml:1368(command)
msgid "sudo postconf -e 'content_filter = smtp-amavis:[127.0.0.1]:10024'"
#: serverguide/C/mail.xml:1370(para)
"Next edit <filename>/etc/postfix/master.cf</filename> and add the following "
"to the end of the file:"
#: serverguide/C/mail.xml:1373(programlisting)
"smtp-amavis unix - - - - 2 smtp\n"
" -o smtp_data_done_timeout=1200\n"
" -o smtp_send_xforward_command=yes\n"
" -o disable_dns_lookups=yes\n"
"127.0.0.1:10025 inet n - - - - smtpd\n"
" -o content_filter=\n"
" -o local_recipient_maps=\n"
" -o relay_recipient_maps=\n"
" -o smtpd_restriction_classes=\n"
" -o smtpd_delay_reject=no\n"
" -o smtpd_client_restrictions=permit_mynetworks,reject\n"
" -o smtpd_helo_restrictions=\n"
" -o smtpd_sender_restrictions=\n"
" -o smtpd_recipient_restrictions=permit_mynetworks,reject\n"
" -o smtpd_data_restrictions=reject_unauth_pipelining\n"
" -o smtpd_end_of_data_restrictions=\n"
" -o mynetworks=127.0.0.0/8\n"
" -o smtpd_error_sleep_time=0\n"
" -o smtpd_soft_error_limit=1001\n"
" -o smtpd_hard_error_limit=1000\n"
" -o smtpd_client_connection_count_limit=0\n"
" -o smtpd_client_connection_rate_limit=0\n"
"receive_override_options=no_header_body_checks,no_unknown_recipient_checks\n"
#: serverguide/C/mail.xml:1400(para)
"Also add the following two lines immediately below the "
"<emphasis>\"pickup\"</emphasis> transport service:"
#: serverguide/C/mail.xml:1403(programlisting)
" -o content_filter=\n"
" -o receive_override_options=no_header_body_checks\n"
#: serverguide/C/mail.xml:1407(para)
"This will prevent messages that are generated to report on spam from being "
"classified as spam."
#: serverguide/C/mail.xml:1410(para)
msgid "Now restart <application>Postfix</application>:"
#: serverguide/C/mail.xml:1416(para)
msgid "Content filtering with spam and virus detection is now enabled."
#: serverguide/C/mail.xml:1423(para)
"First, test that the <application>Amavisd-new</application> SMTP is "
#: serverguide/C/mail.xml:1426(programlisting)
"telnet localhost 10024\n"
"Trying 127.0.0.1...\n"
"Connected to localhost.\n"
"Escape character is '^]'.\n"
"220 [127.0.0.1] ESMTP amavisd-new service ready\n"
#: serverguide/C/mail.xml:1434(para)
"In the Header of messages that go through the content filter you should see:"
#: serverguide/C/mail.xml:1437(programlisting)
"X-Virus-Scanned: Debian amavisd-new at example.com\n"
"X-Spam-Status: No, hits=-2.3 tagged_above=-1000.0 required=5.0 tests=AWL, "
#: serverguide/C/mail.xml:1444(para)
"Your output will vary, but the important thing is that there are <emphasis>X-"
"Virus-Scanned</emphasis> and <emphasis>X-Spam-Status</emphasis> entries."
#: serverguide/C/mail.xml:1452(para)
"The best way to figure out why something is going wrong is to check the log "
#: serverguide/C/mail.xml:1457(para)
"For instructions on <application>Postfix</application> logging see the <xref "
"linkend=\"postfix-troubleshooting\"/> section."
#: serverguide/C/mail.xml:1463(para)
"<application>Amavisd-new</application> uses "
"<application>Syslog</application> to send messages to "
"<filename>/var/log/mail.log</filename>. The amount of detail can be "
"increased by adding the <emphasis>$log_level</emphasis> option to "
"<filename>/etc/amavis/conf.d/50-user</filename>, and setting the value from "
#: serverguide/C/mail.xml:1468(programlisting)
"$log_level = 2;\n"
#: serverguide/C/mail.xml:1472(para)
"When the <application>Amavisd-new</application> log output is increased "
"<application>Spamassassin</application> log output is also increased."
#: serverguide/C/mail.xml:1479(para)
"The <application>ClamAV</application> log level can be increased by editing "
"<filename>/etc/clamav/clamd.conf</filename> and setting the following option:"
#: serverguide/C/mail.xml:1483(programlisting)
"LogVerbose true\n"
#: serverguide/C/mail.xml:1486(para)
"By default <application>ClamAV</application> will send log messages to "
"<filename>/var/log/clamav/clamav.log</filename>."
#: serverguide/C/mail.xml:1492(para)
"After changing an applications log settings remember to restart the service "
"for the new settings to take affect. Also, once the issue you are "
"troubleshooting is resolved it is a good idea to change the log settings "
#: serverguide/C/mail.xml:1500(para)
msgid "For more information on filtering mail see the following links:"
#: serverguide/C/mail.xml:1506(ulink)
msgid "Amavisd-new Documentation"
#: serverguide/C/mail.xml:1510(para)
"<ulink url=\"http://www.clamav.org/doc/latest/html/\">ClamAV "
"Documentation</ulink> and <ulink "
"url=\"http://wiki.clamav.net/Main/WebHome\">ClamAV Wiki</ulink>"
#: serverguide/C/mail.xml:1517(ulink)
msgid "Spamassassin Wiki"
#: serverguide/C/mail.xml:1522(ulink)
msgid "Pyzor Homepage"
#: serverguide/C/mail.xml:1527(ulink)
msgid "Razor Homepage"
#: serverguide/C/mail.xml:1532(ulink)
#: serverguide/C/mail.xml:1536(para)
"Also, feel free to ask questions in the <emphasis>#ubuntu-server</emphasis> "
"IRC channel on <ulink url=\"http://freenode.net\">freenode</ulink>."
#: serverguide/C/jeos.xml:28(para)
"While installing from the Server Edition ISO (pressing "
"<emphasis>F4</emphasis> on the first screen will allow you to pick \"Minimal "
"installation\", which is the package selection equivalent to JeOS)"
#: serverguide/C/jeos.xml:211(para)
"Because of the nature of operations performed by vmbuilder, it needs to have "
"root priviledge, hence the use of sudo."
#: serverguide/C/introduction.xml:14(para)
msgid "Welcome to the <emphasis>Ubuntu Server Guide</emphasis>!"
#: serverguide/C/introduction.xml:15(para)
"Here you can find information on how to install and configure various server "
"applications. It is a step-by-step, task-oriented guide for configuring and "
"customizing your system."
#: serverguide/C/introduction.xml:19(para)
"This guide assumes you have a basic understanding of your Ubuntu system. "
"Some installation details are covered in <xref linkend=\"installation\"/>, "
"but if you need detailed instructions installing Ubuntu please refer to the "
"<ulink url=\"https://help.ubuntu.com/8.10/installation-guide/\">Ubuntu "
"Installation Guide</ulink>."
#: serverguide/C/introduction.xml:25(para)
"A HTML version of the manual is available online at <ulink "
"url=\"http://help.ubuntu.com\">the Ubuntu Documentation website</ulink>. The "
"HTML files are also available in the <application>ubuntu-"
"serverguide</application> package. See <xref linkend=\"package-"
"management\"/> for details on installing packages."
#: serverguide/C/introduction.xml:32(para)
"If you choose to install the <application>ubuntu-serverguide</application> "
"you can view this document from a console by:"
#: serverguide/C/introduction.xml:36(command)
msgid "w3m /usr/share/ubuntu-serverguide/html/en_GB/index.html"
#: serverguide/C/introduction.xml:39(para)
msgid "Replace <emphasis>en_GB</emphasis> with your language localization."
#: serverguide/C/introduction.xml:53(title)
#: serverguide/C/introduction.xml:55(para)
"There a couple of different ways that Ubuntu Server Edition is supported, "
"commercial support and community support. The main commercial support (and "
"development funding) is available from Canonical Ltd. They supply reasonably "
"priced support contracts on a per desktop or per server basis. For more "
"information see the <ulink "
"url=\"http://www.canonical.com/services/support\">Canonical Services</ulink> "
#: serverguide/C/introduction.xml:62(para)
"Community support is also provided by dedicated individuals, and companies, "
"that wish to make Ubuntu the best distribution possible. Support is provided "
"through multiple mailing lists, IRC channels, forums, blogs, wikis, etc. The "
"large amount of information available can be overwhelming, but a good search "
"engine query can usually provide an answer to your questions. See the <ulink "
"url=\"http://www.ubuntu.com/support\">Ubuntu Support</ulink> page for more "
#: serverguide/C/installation.xml:14(para)
"This chapter provides a quick overview of installing Ubuntu 8.10 Server "
"Edition. For more detailed instructions, please refer to the <ulink "
"url=\"https://help.ubuntu.com/8.10/installation-guide/\">Ubuntu Installation "
#: serverguide/C/installation.xml:19(title)
msgid "Preparing to Install"
#: serverguide/C/installation.xml:20(para)
"This section explains various aspects to consider before starting the "
#: serverguide/C/installation.xml:24(title)
msgid "System Requirements"
#: serverguide/C/installation.xml:25(para)
"Ubuntu 8.10 Server Edition supports two (2) major architectures: Intel x86 "
"and AMD64. The table below lists recommended hardware specifications. "
"Depending on your needs, you might manage with less than this. However, most "
"users risk being frustrated if they ignore these suggestions."
#: serverguide/C/installation.xml:27(title)
msgid "Recommended Minimum Requirements"
#: serverguide/C/installation.xml:35(para)
msgid "Install Type"
#: serverguide/C/installation.xml:36(para)
#: serverguide/C/installation.xml:37(para)
msgid "Hard Drive Space"
#: serverguide/C/installation.xml:40(para)
msgid "Base System"
#: serverguide/C/installation.xml:41(para)
msgid "All Tasks Installed"
#: serverguide/C/installation.xml:46(para)
#: serverguide/C/installation.xml:47(para)
msgid "128 megabytes"
#: serverguide/C/installation.xml:48(para)
msgid "500 megabytes"
#: serverguide/C/installation.xml:49(para)
#: serverguide/C/installation.xml:54(para)
"The Server Edition provides a common base for all sorts of server "
"applications. It is a minimalist design providing a platform for the desired "
"services, such as file/print services, web hosting, email hosting, etc."
#: serverguide/C/installation.xml:62(title)
msgid "Server and Desktop Differences"
#: serverguide/C/installation.xml:63(para)
"There are a few differences between the <emphasis>Ubuntu Server "
"Edition</emphasis> and the <emphasis>Ubuntu Desktop Edition</emphasis>. It "
"should be noted that both editions use the same "
"<application>apt</application> repositories. Making it just as easy to "
"install a <emphasis role=\"italic\">server</emphasis> application on the "
"Desktop Edition as it is on the Server Edition."
#: serverguide/C/installation.xml:69(para)
"The differences between the two editions are the lack of an X window "
"environment in the Server Edition, the installation process, and different "
#: serverguide/C/installation.xml:76(title)
msgid "Kernel Differences:"
#: serverguide/C/installation.xml:79(para)
"The Server Edition uses the <emphasis>Deadline</emphasis> I/O scheduler "
"instead of the <emphasis>CFQ</emphasis> scheduler used by the Desktop "
#: serverguide/C/installation.xml:85(para)
msgid "<emphasis>Preemption</emphasis> is turned off in the Server Edition."
#: serverguide/C/installation.xml:90(para)
"The timer interrupt is 100 Hz in the Server Edition and 250 Hz in the "
#: serverguide/C/installation.xml:96(para)
"When running a 64-bit version of Ubuntu on 64-bit processors you are not "
"limited by memory addressing space."
#: serverguide/C/installation.xml:101(para)
"To see all kernel configuration options you can look through "
"<filename>/boot/config-2.6.27-server</filename>. Also, <ulink "
"url=\"http://www.kroah.com/lkn/\">Linux Kernel in a Nutshell</ulink> is a "
"great resource on the options available."
#: serverguide/C/installation.xml:110(title)
#: serverguide/C/installation.xml:113(para)
"Before installing <application>Ubuntu Server Edition</application> you "
"should make sure all data on the system is backed up. See <xref "
"linkend=\"backups\"/> for backup options."
#: serverguide/C/installation.xml:117(para)
"If this is not the first time an operating system has been installed on your "
"computer, it is likely you will need to re-partition your disk to make room "
#: serverguide/C/installation.xml:121(para)
"Any time you partition your disk, you should be prepared to lose everything "
"on the disk should you make a mistake or something goes wrong during "
"partitioning. The programs used in installation are quite reliable, most "
"have seen years of use, but they also perform destructive actions."
#: serverguide/C/installation.xml:133(title)
msgid "Installing from CD"
#: serverguide/C/installation.xml:134(para)
"The basic steps to install Ubuntu Server Edition from CD are the same for "
"installing any operating system from CD. Unlike the <emphasis>Desktop "
"Edition</emphasis> the <emphasis>Server Edition</emphasis> does not include "
"a graphical installation program. Instead the Server Edition uses a console "
"menu based process."
#: serverguide/C/installation.xml:141(para)
"First, download and burn the appropriate ISO file from the <ulink "
"url=\"http://www.ubuntu.com/getubuntu/download\"> Ubuntu web site</ulink>."
#: serverguide/C/installation.xml:147(para)
msgid "Boot the system from the CD-ROM drive."
#: serverguide/C/installation.xml:152(para)
"At the boot prompt you will be asked to select the language. Afterwards the "
"installation process begins by asking for your keyboard layout."
#: serverguide/C/installation.xml:158(para)
"The installer then discovers your hardware configuration, and configures the "
"network settings using DHCP."
#: serverguide/C/installation.xml:164(para)
msgid "Next, the installer asks for the system's hostname and Time Zone."
#: serverguide/C/installation.xml:169(para)
"You can then choose from several options to configure the hard drive layout. "
"For advanced disk options see <xref linkend=\"advanced-installation\"/>."
#: serverguide/C/installation.xml:175(para)
msgid "The Ubuntu base system is then installed."
#: serverguide/C/installation.xml:180(para)
"A new user is setup, this user will have <emphasis>root</emphasis> access "
"through the <application>sudo</application> utility."
#: serverguide/C/installation.xml:186(para)
"After the user is setup, you will be asked to setup an encrypted <filename "
"role=\"directory\">Private</filename> directory. If you choose to setup the "
"directory you will then be prompted for an encryption password."
#: serverguide/C/installation.xml:193(para)
"The next step in the installation process is to decide how you want to "
"update the system. There are three options:"
#: serverguide/C/installation.xml:199(para)
"<emphasis>No automatic updates</emphasis>: this requires an administrator to "
"log into the machine and manually install updates."
#: serverguide/C/installation.xml:205(para)
"<emphasis>Install security updates Automatically</emphasis>: will install "
"the <application>unattended-upgrades</application> package, which will "
"install security updates without the intervention of an administrator. For "
"more details see <xref linkend=\"automatic-updates\"/>."
#: serverguide/C/installation.xml:212(para)
"<emphasis>Manage the system with Landscape</emphasis>: Landscape is a paid "
"service provided by Canonical to help manager your Ubuntu machines. See the "
"<ulink url=\"http://www.canonical.com/projects/landscape\">Landscape</ulink> "
"site for details."
"You now have the option to install, or not install, several package tasks. "
"See <xref linkend=\"install-tasks\"/> for details."
#: serverguide/C/installation.xml:227(para)
msgid "Finally, the last step before rebooting is to set the clock to UTC."
#: serverguide/C/installation.xml:233(para)
"If at any point during installation you are not satisfied by the default "
"setting, use the \"Go Back\" function at any prompt to be brought to a "
"detailed installation menu that will allow you to modify the default "
#: serverguide/C/installation.xml:238(para)
"At some point during the installation process you may want to read the help "
"screen provided by the installation system. To do this, press F1."
#: serverguide/C/installation.xml:243(para)
"Once again, for detailed instructions see the <ulink "
"url=\"https://help.ubuntu.com/8.10/installation-guide/\"> Ubuntu "
"Installation Guide</ulink>."
#: serverguide/C/installation.xml:249(title)
msgid "Package Tasks"
#: serverguide/C/installation.xml:250(para)
"During the Server Edition installation you have the option of installing "
"additional packages from the CD. The packages are grouped by the type of "
"service they provide."
#: serverguide/C/installation.xml:256(para)
msgid "DNS server: Selects the BIND DNS server and its documentation."
#: serverguide/C/installation.xml:261(para)
msgid "LAMP server: Selects a ready-made Linux/Apache/MySQL/PHP server."
#: serverguide/C/installation.xml:266(para)
"Mail server: This task selects a variety of package useful for a general "
"purpose mail server system."
#: serverguide/C/installation.xml:271(para)
msgid "OpenSSH server: Selects packages needed for an OpenSSH server."
#: serverguide/C/installation.xml:276(para)
"PostgreSQL database: This task selects client and server packages for the "
"PostgreSQL database."
#: serverguide/C/installation.xml:281(para)
msgid "Print server: This task sets up your system to be a print server."
#: serverguide/C/installation.xml:286(para)
"Samba File server: This task sets up your system to be a Samba file server, "
"which is especially suitable in networks with both Windows and Linux systems."
#: serverguide/C/installation.xml:292(para)
"Tomcat server: Installs the Apache Tomcat and needed dependencies Java, gcj, "
#: serverguide/C/installation.xml:297(para)
"Installing the package groups is accomplished using the "
"<application>tasksel</application> utility. One of the important difference "
"between Ubuntu (or Debian) and other GNU/Linux distribution is that, when "
"installed, a package is also configured to reasonable defaults, eventually "
"prompting you for additional required information. Likewise, when installing "
"a task, the packages are not only installed, but also configured to provided "
"a fully integrated service."
#: serverguide/C/installation.xml:304(para)
"Once the installation process has finished you can view a list of available "
"tasks by entering the following from a terminal prompt:"
#: serverguide/C/installation.xml:309(command)
msgid "tasksel --list-tasks"
#: serverguide/C/installation.xml:312(para)
"The output will list tasks from other Ubuntu based distributions such as "
"Kubuntu and Edubuntu. Note that you can also invoke the "
"<command>tasksel</command> command by itself, which will bring up a menu of "
"the different tasks available."
#: serverguide/C/installation.xml:318(para)
"You can view a list of which packages are installed with each task using the "
"<emphasis>--task-packages</emphasis> option. For example, to list the "
"packages installed with the <emphasis>DNS Server</emphasis> task enter the "
#: serverguide/C/installation.xml:323(command)
msgid "tasksel --task-packages dns-server"
#: serverguide/C/installation.xml:325(para)
msgid "The output of the command should list:"
#: serverguide/C/installation.xml:328(programlisting)
#: serverguide/C/installation.xml:332(para)
"Also, if you did not install one of the tasks during the installation "
"process, but for example you decide to make your new LAMP server a DNS "
"server as well. Simply insert the installation CD and from a terminal:"
#: serverguide/C/installation.xml:337(command)
msgid "sudo tasksel install dns-server"
#: serverguide/C/installation.xml:342(title)
#: serverguide/C/installation.xml:343(para)
"There are several ways to upgrade from one Ubuntu release to another. This "
"section gives an overview of the recommended upgrade method."
#: serverguide/C/installation.xml:347(title) serverguide/C/installation.xml:362(command)
msgid "do-release-upgrade"
#: serverguide/C/installation.xml:348(para)
"The recommended way to upgrade a Server Edition installation is to use the "
"<application>do-release-upgrade</application> utility. Part of the "
"<emphasis>update-manager-core</emphasis> package, it does not have any "
"graphical dependencies and is installed by default."
#: serverguide/C/installation.xml:353(para)
"Debian based systems can also be upgraded by using <command>apt-get dist-"
"upgrade</command>. However, using <application>do-release-"
"upgrade</application> is recommended because it has the ability to handle "
"system configuration changes sometimes needed between releases."
#: serverguide/C/installation.xml:358(para)
msgid "To upgrade to a newer release, from a terminal prompt enter:"
#: serverguide/C/installation.xml:364(para)
"It is also possible to use <application>do-release-upgrade</application> to "
"upgrade to a development version of Ubuntu. To accomplish this use the "
"<emphasis>-d</emphasis> switch:"
#: serverguide/C/installation.xml:369(command)
msgid "do-release-upgrade -d"
#: serverguide/C/installation.xml:372(para)
"Upgrading to a development release is <emphasis>not</emphasis> recommended "
"for production environments."
#: serverguide/C/installation.xml:379(title)
msgid "Advanced Installation"
#: serverguide/C/installation.xml:382(title)
msgid "Software RAID"
#: serverguide/C/installation.xml:384(para)
"RAID is a method of configuring multiple hard drives to act as one, reducing "
"the probability of catastrophic data loss in case of drive failure. RAID is "
"implemented in either software (where the operating system knows about both "
"drives and actively maintains both of them) or hardware (where a special "
"controller makes the OS think there's only one drive and maintains the "
"drives 'invisibly')."
#: serverguide/C/installation.xml:391(para)
"The RAID software included with current versions of Linux (and Ubuntu) is "
"based on the <application>'mdadm'</application> driver and works very well, "
"better even than many so-called 'hardware' RAID controllers."
#: serverguide/C/installation.xml:399(para)
"Follow the installation steps until you get to the <emphasis>Partition "
"disks</emphasis> step, then:"
#: serverguide/C/installation.xml:406(para)
msgid "Select <emphasis>Manual</emphasis> as the partition method."
#: serverguide/C/installation.xml:413(para)
"Select the first hard drive, and agree to <emphasis>\"Create a new empty "
"partition table on this device?\"</emphasis>."
#: serverguide/C/installation.xml:417(para)
"Repeat this step for each drive you wish to be part of the RAID array."
#: serverguide/C/installation.xml:424(para)
"Select the <emphasis>\"FREE SPACE\"</emphasis> on the first drive then "
"select <emphasis>\"Create a new partition\"</emphasis>."
#: serverguide/C/installation.xml:431(para)
"Next, select the <emphasis>Size</emphasis> of the partition, then choose "
"<emphasis>Primary</emphasis>, then <emphasis>Beginnning</emphasis>."
#: serverguide/C/installation.xml:439(para)
"Select the <emphasis>\"Use as:\"</emphasis> line at the top. By default this "
"is <emphasis role=\"italic\">\"Ext3 journaling file system\"</emphasis>, "
"change that to <emphasis>\"physical volume for RAID\"</emphasis>."
#: serverguide/C/installation.xml:447(para)
msgid "Repeat steps three through five for the other disks and partitions."
#: serverguide/C/installation.xml:456(title)
msgid "RAID Configuration"
#: serverguide/C/installation.xml:458(para)
msgid "With the partitions setup the array is ready to be configured:"
#: serverguide/C/installation.xml:465(para)
"Back in the main \"Partition Disks\" page, select <emphasis>\"Configure "
"Software RAID\"</emphasis> at the top."
#: serverguide/C/installation.xml:472(para)
msgid "Select <emphasis>\"yes\"</emphasis> to write the changes to disk."
#: serverguide/C/installation.xml:479(para)
msgid "Choose <emphasis>\"Create new MD drive\"</emphasis>."
#: serverguide/C/installation.xml:486(para)
"Select <emphasis>\"RAID1\"</emphasis>, or the type of RAID you want (RAID0 "
#: serverguide/C/installation.xml:491(para)
"In order to use <emphasis>RAID5</emphasis> you need at least "
"<emphasis>three</emphasis> drives. Using RAID0 or RAID1 only "
"<emphasis>two</emphasis> drives are required."
#: serverguide/C/installation.xml:500(para)
"Enter the number of active devices <emphasis>\"2\"</emphasis>, or the amount "
"of hard drives you have, for the array. Then select "
"<emphasis>\"Continue\"</emphasis>."
#: serverguide/C/installation.xml:508(para)
"Next, enter the number of spare devices <emphasis>\"0\"</emphasis> by "
"default, then choose <emphasis>\"Continue\"</emphasis>."
#: serverguide/C/installation.xml:515(para)
"Choose which partitions to use. Generally they will be sda1, sdb1, sdc1, "
"etc. The numbers will usually match and the different letters correspond to "
"different hard drives."
#: serverguide/C/installation.xml:520(para)
msgid "Select <emphasis>\"Continue\"</emphasis> to go to the next step."
#: serverguide/C/installation.xml:527(para)
"Repeat steps <emphasis>three</emphasis> through <emphasis>seven</emphasis> "
"with each pair of partitions you have created (you may only have one pair)."
#: serverguide/C/installation.xml:535(para)
msgid "Once done select <emphasis>\"Finish\"</emphasis>."
#: serverguide/C/installation.xml:545(title)
#: serverguide/C/installation.xml:547(para)
"There should now be a list of hard drives and RAID devices. The next step is "
"to format and set the mount point for the RAID devices. Treat the RAID "
"device as a local hard drive, format and mount accordingly."
#: serverguide/C/installation.xml:555(para)
msgid "Select first RAID device partition."
#: serverguide/C/installation.xml:562(para)
"Choose <emphasis>\"Use as:\"</emphasis>. Then select <emphasis>\"Ext3 "
"journaling file system\"</emphasis>, or whichever filesystem you prefer."
#: serverguide/C/installation.xml:570(para)
"If you selected Ext3, then select your mount point. You can also create "
"multiple partitions on one RAID device or use multiple RAID devices for "
"different partitions. As an example, if you only have one partition for "
"choose <emphasis>\"/\"</emphasis> as the mount point."
#: serverguide/C/installation.xml:578(para)
msgid "Repeat for any additional RAID devices."
#: serverguide/C/installation.xml:585(para)
"Finally, select <emphasis>\"Finish partitioning and write changes to "
"disk\"</emphasis>."
#: serverguide/C/installation.xml:592(para)
"If you choose to place the root partition on a RAID array, the installer "
"will then ask if you would like to boot in a <emphasis>degraded</emphasis> "
"state. See <xref linkend=\"raid-degraded\"/> for further details."
#: serverguide/C/installation.xml:597(para)
msgid "The installation process will then continue normally."
#: serverguide/C/installation.xml:603(title)
msgid "Degraded RAID"
#: serverguide/C/installation.xml:605(para)
"At some point in the life of the computer a disk failure event may occur. "
"When this happens, using Software RAID, the operating system will place the "
"array into what is known as a <emphasis>degraded</emphasis> state."
#: serverguide/C/installation.xml:610(para)
"If the array has become degraded, due to the chance of data corruption, by "
"default Ubuntu Server Edition will boot to <emphasis>initramfs</emphasis> "
"after thirty seconds. Once the initramfs has booted there is a fifteen "
"second prompt giving you the option to go ahead and boot the system, or "
"attempt manual recover. Booting to the initramfs prompt may or may not be "
"the desired behavior, especially if the machine is in a remote location. "
"Booting to a degraded array can be configured several ways:"
#: serverguide/C/installation.xml:621(para)
"The <application>dpkg-reconfigure</application> utility can be used to "
"configure the default behavior, and during the process you will be queried "
"about additional settings related to the array. Such as monitoring, email "
"alerts, etc. To reconfigure <application>mdadm</application> enter the "
#: serverguide/C/installation.xml:628(command)
msgid "sudo dpkg-reconfigure mdadm"
#: serverguide/C/installation.xml:634(para)
"The <command>dpkg-reconfigure mdadm</command> process will change the "
"<filename>/etc/initramfs-tools/conf.d/mdadm</filename> configuration file. "
"The file has the advantage of being able to pre-configure the system's "
"behavior, and can also be manually edited:"
#: serverguide/C/installation.xml:640(programlisting)
"BOOT_DEGRADED=true\n"
#: serverguide/C/installation.xml:645(para)
msgid "The configuration file can be overridden by using a Kernel argument."
#: serverguide/C/installation.xml:653(para)
"Using a Kernel argument will allow the system to boot to a degraded array as "
#: serverguide/C/installation.xml:659(para)
"When the server is booting press <emphasis>ESC</emphasis> to open the "
"<application>Grub</application> menu."
#: serverguide/C/installation.xml:664(para)
msgid "Press <emphasis>\"e\"</emphasis> to edit your Kernel command options."
#: serverguide/C/installation.xml:669(para)
"Press the <emphasis>DOWN</emphasis> arrow to highlight the kernel line."
#: serverguide/C/installation.xml:674(para)
"Press the <emphasis>\"e\"</emphasis> key again to edit the kernel line."
#: serverguide/C/installation.xml:679(para)
"Add <emphasis>\"bootdegraded=true\"</emphasis> (without the quotes) to the "
#: serverguide/C/installation.xml:684(para)
msgid "Press <emphasis>\"ENTER\"</emphasis>."
#: serverguide/C/installation.xml:689(para)
msgid "Finally, press <emphasis>\"b\"</emphasis> to boot the system."
#: serverguide/C/installation.xml:698(para)
"Once the system has booted you can either repair the array see <xref "
"linkend=\"raid-maintenance\"/> for details, or copy important data to "
"another machine due to major hardware failure."
#: serverguide/C/installation.xml:705(title)
msgid "RAID Maintenance"
#: serverguide/C/installation.xml:707(para)
"The <application>mdadm</application> utility can be used to view the status "
"of an array, add disks to an array, remove disks, etc:"
#: serverguide/C/installation.xml:714(para)
msgid "To view the status of an array, from a terminal prompt enter:"
#: serverguide/C/installation.xml:718(command)
msgid "sudo mdadm -D /dev/md0"
#: serverguide/C/installation.xml:721(para)
"The <emphasis>-D</emphasis> tells <application>mdadm</application> to "
"display <emphasis>detailed</emphasis> information about the "
"<filename>/dev/md0</filename> device. Replace <filename>/dev/md0</filename> "
"with the appropriate RAID device."
#: serverguide/C/installation.xml:727(para)
msgid "To view the status of a disk in an array:"
#: serverguide/C/installation.xml:731(command)
msgid "sudo mdadm -E /dev/sda1"
#: serverguide/C/installation.xml:733(para)
"The output if very similar to the <command>mdadm -D</command> command, "
"adjust <filename>/dev/sda1</filename> for each disk."
#: serverguide/C/installation.xml:738(para)
msgid "If a disk fails and needs to be removed from an array enter:"
#: serverguide/C/installation.xml:742(command)
msgid "sudo mdadm --remove /dev/md0 /dev/sda1"
#: serverguide/C/installation.xml:744(para)
"Change <filename>/dev/md0</filename> and <filename>/dev/sda1</filename> to "
"the appropriate RAID device and disk."
#: serverguide/C/installation.xml:749(para)
msgid "Similarly, to add a new disk:"
#: serverguide/C/installation.xml:753(command)
msgid "sudo mdadm --add /dev/md0 /dev/sda1"
#: serverguide/C/installation.xml:758(para)
"Sometimes a disk can change to a <emphasis>faulty</emphasis> state even "
"though there is nothing physically wrong with the drive. It is usually "
"worthwhile to remove the drive from the array then re-add it. This will "
"cause the drive to re-sync with the array. If the drive will not sync with "
"the array, it is a good indication of hardware failure."
#: serverguide/C/installation.xml:764(para)
"The <filename>/proc/mdstat</filename> file also contains useful information "
"about the system's RAID devices:"
#: serverguide/C/installation.xml:769(command)
msgid "cat /proc/mdstat"
#: serverguide/C/installation.xml:770(computeroutput)
"Personalities : [linear] [multipath] [raid0] [raid1] [raid6] [raid5] [raid4] "
"md0 : active raid1 sda1[0] sdb1[1]\n"
" 10016384 blocks [2/2] [UU]\n"
"unused devices: <none>"
#: serverguide/C/installation.xml:777(para)
"The following command is great for watching the status of a syncing drive:"
#: serverguide/C/installation.xml:782(command)
msgid "watch -n1 cat /proc/mdstat"
#: serverguide/C/installation.xml:785(para)
"Press <emphasis>Ctrl+c</emphasis> to stop the "
"<application>watch</application> command."
#: serverguide/C/installation.xml:789(para)
"If you do need to replace a faulty drive, after the drive has been replaced "
"and synced, <application>grub</application> will need to be installed. To "
"install <application>grub</application> on the new drive, enter the "
#: serverguide/C/installation.xml:795(command)
msgid "sudo grub-install /dev/md0"
#: serverguide/C/installation.xml:798(para)
"Replace <filename>/dev/md0</filename> with the appropriate array device name."
#: serverguide/C/installation.xml:806(para)
"The topic of RAID arrays is a complex one due to the plethora of ways RAID "
"can be configured. Please see the following links for more information:"
#: serverguide/C/installation.xml:814(ulink)
msgid "Software RAID HOWTO"
#: serverguide/C/installation.xml:819(ulink)
msgid "Managing RAID on Linux"
#: serverguide/C/file-server.xml:13(title)
msgid "File Servers"
#: serverguide/C/file-server.xml:15(para)
"If you have more than one computer on a single network. At some point you "
"will probably need to share files between them. In this section we cover "
"installing and configuring FTP, NFS, and CUPS."
#: serverguide/C/file-server.xml:21(title)
#: serverguide/C/file-server.xml:22(para)
"File Transfer Protocol (FTP) is a TCP protocol for uploading and downloading "
"files between computers. FTP works on a client/server model. The server "
"component is called an <emphasis>FTP daemon</emphasis>. It continuously "
"listens for FTP requests from remote clients. When a request is received, it "
"manages the login and sets up the connection. For the duration of the "
"session it executes any of commands sent by the FTP client."
#: serverguide/C/file-server.xml:28(para)
msgid "Access to an FTP server can be managed in two ways:"
#: serverguide/C/file-server.xml:31(para)
#: serverguide/C/file-server.xml:34(para)
msgid "Authenticated"
#: serverguide/C/file-server.xml:37(para)
"In the Anonymous mode, remote clients can access the FTP server by using the "
"default user account called \"anonymous\" or \"ftp\" and sending an email "
"address as the password. In the Authenticated mode a user must have an "
"account and a password. User access to the FTP server directories and files "
"is dependent on the permissions defined for the account used at login. As a "
"general rule, the FTP daemon will hide the root directory of the FTP server "
"and change it to the FTP Home directory. This hides the rest of the file "
"system from remote sessions."
#: serverguide/C/file-server.xml:46(title)
msgid "vsftpd - FTP Server Installation"
#: serverguide/C/file-server.xml:47(para)
"vsftpd is an FTP daemon available in Ubuntu. It is easy to install, set up, "
"and maintain. To install <application>vsftpd</application> you can run the "
"following command: <screen> <command>sudo apt-get install vsftpd</command> "
#: serverguide/C/file-server.xml:56(title)
msgid "vsftpd - FTP Server Configuration"
"You can edit the vsftpd configuration file, "
"<filename>/etc/vsftpd.conf</filename>, to change the default settings. By "
"default only anonymous FTP is allowed. If you wish to disable this option, "
"you should change the following line:"
#: serverguide/C/file-server.xml:66(programlisting)
"anonymous_enable=YES\n"
#: serverguide/C/file-server.xml:72(programlisting)
"anonymous_enable=NO\n"
"By default, local system users are not allowed to login to FTP server. To "
"change this setting, you should uncomment the following line:"
#: serverguide/C/file-server.xml:80(programlisting)
"#local_enable=YES\n"
"By default, users are allowed to download files from FTP server. They are "
"not allowed to upload files to FTP server. To change this setting, you "
"should uncomment the following line:"
#: serverguide/C/file-server.xml:89(programlisting)
"#write_enable=YES\n"
"Similarly, by default, the anonymous users are not allowed to upload files "
"to FTP server. To change this setting, you should uncomment the following "
#: serverguide/C/file-server.xml:98(programlisting)
"#anon_upload_enable=YES\n"
#: serverguide/C/file-server.xml:101(para)
"The configuration file consists of many configuration parameters. The "
"information about each parameter is available in the configuration file. "
"Alternatively, you can refer to the man page, <command>man 5 "
"vsftpd.conf</command> for details of each parameter."
"Once you configure <application>vsftpd</application> you can start the "
"daemon. You can run following command to run the "
"<application>vsftpd</application> daemon:"
msgid "sudo /etc/init.d/vsftpd start"
#: serverguide/C/file-server.xml:117(para)
"Please note that the defaults in the configuration file are set as they are "
"for security reasons. Each of the above changes makes the system a little "
"less secure, so make them only if you need them."
#: serverguide/C/file-server.xml:126(title)
msgid "Network File System (NFS)"
#: serverguide/C/file-server.xml:127(para)
"NFS allows a system to share directories and files with others over a "
"network. By using NFS, users and programs can access files on remote systems "
"almost as if they were local files."
#: serverguide/C/file-server.xml:133(para)
msgid "Some of the most notable benefits that NFS can provide are:"
#: serverguide/C/file-server.xml:139(para)
"Local workstations use less disk space because commonly used data can be "
"stored on a single machine and still remain accessible to others over the "
#: serverguide/C/file-server.xml:144(para)
"There is no need for users to have separate home directories on every "
"network machine. Home directories could be set up on the NFS server and made "
"available throughout the network."
#: serverguide/C/file-server.xml:150(para)
"Storage devices such as floppy disks, CDROM drives, and USB Thumb drives can "
"be used by other machines on the network. This may reduce the number of "
"removable media drives throughout the network."
#: serverguide/C/file-server.xml:160(para)
"At a terminal prompt enter the following command to install the NFS Server:"
#: serverguide/C/file-server.xml:166(command)
msgid "sudo apt-get install nfs-kernel-server"
#: serverguide/C/file-server.xml:172(para)
"You can configure the directories to be exported by adding them to the "
"<filename>/etc/exports</filename> file. For example:"
#: serverguide/C/file-server.xml:177(screen)
"/ubuntu *(ro,sync,no_root_squash)\n"
"/home *(rw,sync,no_root_squash)\n"
#: serverguide/C/file-server.xml:183(para)
"You can replace * with one of the hostname formats. Make the hostname "
"declaration as specific as possible so unwanted systems cannot access the "
#: serverguide/C/file-server.xml:189(para)
"To start the NFS server, you can run the following command at a terminal "
#: serverguide/C/file-server.xml:194(command)
msgid "sudo /etc/init.d/nfs-kernel-server start"
#: serverguide/C/file-server.xml:199(title)
msgid "NFS Client Configuration"
#: serverguide/C/file-server.xml:200(para)
"Use the <application>mount</application> command to mount a shared NFS "
"directory from another machine, by typing a command line similar to the "
"following at a terminal prompt:"
#: serverguide/C/file-server.xml:206(command)
msgid "sudo mount example.hostname.com:/ubuntu /local/ubuntu"
#: serverguide/C/file-server.xml:210(para)
"The mount point directory <filename>/local/ubuntu</filename> must exist. "
"There should be no files or subdirectories in the "
"<filename>/local/ubuntu</filename> directory."
#: serverguide/C/file-server.xml:217(para)
"An alternate way to mount an NFS share from another machine is to add a line "
"to the <filename>/etc/fstab</filename> file. The line must state the "
"hostname of the NFS server, the directory on the server being exported, and "
"the directory on the local machine where the NFS share is to be mounted."
#: serverguide/C/file-server.xml:225(para)
"The general syntax for the line in <filename>/etc/fstab</filename> file is "
#: serverguide/C/file-server.xml:231(programlisting)
"example.hostname.com:/ubuntu /local/ubuntu nfs "
"rsize=8192,wsize=8192,timeo=14,intr\n"
#: serverguide/C/file-server.xml:235(para)
"If you have trouble mounting an NFS share, make sure the <application>nfs-"
"common</application> package is installed on your client. To install "
"<application>nfs-common</application> enter the following command at the "
"terminal prompt: <screen>\n"
"<command>sudo apt-get install nfs-common</command>\n"
#: serverguide/C/file-server.xml:248(ulink)
msgid "Linux NFS faq"
#: serverguide/C/file-server.xml:253(title)
msgid "CUPS - Print Server"
#: serverguide/C/file-server.xml:254(para)
"The primary mechanism for Ubuntu printing and print services is the "
"<emphasis role=\"bold\">Common UNIX Printing System</emphasis> (CUPS). This "
"printing system is a freely available, portable printing layer which has "
"become the new standard for printing in most Linux distributions."
#: serverguide/C/file-server.xml:261(para)
"CUPS manages print jobs and queues and provides network printing using the "
"standard Internet Printing Protocol (IPP), while offering support for a very "
"large range of printers, from dot-matrix to laser and many in between. CUPS "
"also supports PostScript Printer Description (PPD) and auto-detection of "
"network printers, and features a simple web-based configuration and "
"administration tool."
#: serverguide/C/file-server.xml:271(para)
"To install CUPS on your Ubuntu computer, simply use "
"<application>sudo</application> with the <application>apt-get</application> "
"command and give the packages to install as the first parameter. A complete "
"CUPS install has many package dependencies, but they may all be specified on "
"the same command line. Enter the following at a terminal prompt to install "
#: serverguide/C/file-server.xml:276(command)
msgid "sudo apt-get install cupsys"
#: serverguide/C/file-server.xml:279(para)
"Upon authenticating with your user password, the packages should be "
"downloaded and installed without error. Upon the conclusion of installation, "
"the CUPS server will be started automatically."
#: serverguide/C/file-server.xml:284(para)
"For troubleshooting purposes, you can access CUPS server errors via the "
"error log file at: <filename>/var/log/cups/error_log</filename>. If the "
"error log does not show enough information to troubleshoot any problems you "
"encounter, the verbosity of the CUPS log can be increased by changing the "
"<emphasis role=\"bold\">LogLevel</emphasis> directive in the configuration "
"file (discussed below) to \"debug\" or even \"debug2\", which logs "
"everything, from the default of \"info\". If you make this change, remember "
"to change it back once you've solved your problem, to prevent the log file "
"from becoming overly large."
#: serverguide/C/file-server.xml:297(para)
"The Common UNIX Printing System server's behavior is configured through the "
"directives contained in the file <filename>/etc/cups/cupsd.conf</filename>. "
"The CUPS configuration file follows the same syntax as the primary "
"configuration file for the Apache HTTP server, so users familiar with "
"editing Apache's configuration file should feel at ease when editing the "
"CUPS configuration file. Some examples of settings you may wish to change "
"initially will be presented here."
#: serverguide/C/file-server.xml:307(para)
"Prior to editing the configuration file, you should make a copy of the "
"original file and protect it from writing, so you will have the original "
"settings as a reference, and to reuse as necessary."
#: serverguide/C/file-server.xml:311(para)
"Copy the <filename>/etc/cups/cupsd.conf</filename> file and protect it from "
"writing with the following commands, issued at a terminal prompt:"
#: serverguide/C/file-server.xml:317(command)
msgid "sudo cp /etc/cups/cupsd.conf /etc/cups/cupsd.conf.original"
#: serverguide/C/file-server.xml:318(command)
msgid "sudo chmod a-w /etc/cups/cupsd.conf.original"
#: serverguide/C/file-server.xml:323(para)
"<emphasis role=\"bold\">ServerAdmin</emphasis>: To configure the email "
"address of the designated administrator of the CUPS server, simply edit the "
"<filename>/etc/cups/cupsd.conf</filename> configuration file with your "
"preferred text editor, and modify the <emphasis "
"role=\"italics\">ServerAdmin</emphasis> line accordingly. For example, if "
"you are the Administrator for the CUPS server, and your e-mail address is "
"'bjoy@somebigco.com', then you would modify the ServerAdmin line to appear "
#: serverguide/C/file-server.xml:334(screen)
"ServerAdmin bjoy@somebigco.com\n"
#: serverguide/C/file-server.xml:340(para)
"For more examples of configuration directives in the CUPS server "
"configuration file, view the associated system manual page by entering the "
"following command at a terminal prompt:"
#: serverguide/C/file-server.xml:347(command)
msgid "man cupsd.conf"
#: serverguide/C/file-server.xml:351(para)
"Whenever you make changes to the <filename>/etc/cups/cupsd.conf</filename> "
"configuration file, you'll need to restart the CUPS server by typing the "
"following command at a terminal prompt:"
#: serverguide/C/file-server.xml:357(command)
msgid "sudo /etc/init.d/cupsys restart"
#: serverguide/C/file-server.xml:360(para)
"Some other configuration for the CUPS server is done in the file "
"<filename>/etc/cups/cups.d/ports.conf</filename>:"
#: serverguide/C/file-server.xml:363(para)
"<emphasis role=\"bold\">Listen</emphasis>: By default on Ubuntu, the CUPS "
"server installation listens only on the loopback interface at IP address "
"<emphasis>127.0.0.1</emphasis>. In order to instruct the CUPS server to "
"listen on an actual network adapter's IP address, you must specify either a "
"hostname, the IP address, or optionally, an IP address/port pairing via the "
"addition of a Listen directive. For example, if your CUPS server resides on "
"a local network at the IP address <emphasis "
"role=\"italics\">192.168.10.250</emphasis> and you'd like to make it "
"accessible to the other systems on this subnetwork, you would edit the "
"<filename>/etc/cups/cupsd.conf</filename> and add a Listen directive, as "
#: serverguide/C/file-server.xml:377(screen)
"Listen 127.0.0.1:631 # existing loopback Listen\n"
"Listen /var/run/cups/cups.sock # existing socket Listen\n"
"Listen 192.168.10.250:631 # Listen on the LAN interface, Port 631 "
#: serverguide/C/file-server.xml:383(para)
"In the example above, you may comment out or remove the reference to the "
"Loopback address (127.0.0.1) if you do not wish <application>cupsd "
"</application> to listen on that interface, but would rather have it only "
"listen on the Ethernet interfaces of the Local Area Network (LAN). To enable "
"listening for all network interfaces for which a certain hostname is bound, "
"including the Loopback, you could create a Listen entry for the hostname "
"<emphasis>socrates</emphasis> as such:"
#: serverguide/C/file-server.xml:393(screen)
"Listen socrates:631 # Listen on all interfaces for the hostname 'socrates'\n"
#: serverguide/C/file-server.xml:397(para)
"or by omitting the Listen directive and using <emphasis>Port</emphasis> "
#: serverguide/C/file-server.xml:399(screen)
"Port 631 # Listen on port 631 on all interfaces\n"
#: serverguide/C/file-server.xml:410(ulink)
msgid "CUPS Website"
#: serverguide/C/dns.xml:13(title)
msgid "Domain Name Service (DNS)"
#: serverguide/C/dns.xml:14(para)
"Domain Name Service (DNS) is an Internet service that maps IP addresses and "
"fully qualified domain names (FQDN) to one another. In this way, DNS "
"alleviates the need to remember IP addresses. Computers that run DNS are "
"called <emphasis>name servers</emphasis>. Ubuntu ships with "
"<application>BIND</application> (Berkley Internet Naming Daemon), the most "
"common program used for maintaining a name server on Linux."
#: serverguide/C/dns.xml:24(para)
"At a terminal prompt, enter the following command to install "
"<application>dns</application>:"
#: serverguide/C/dns.xml:28(command)
msgid "sudo apt-get install bind9"
#: serverguide/C/dns.xml:30(para)
"A very useful package for testing and troubleshooting DNS issues is the "
"dnsutils package. To install <application>dnsutils</application> enter the "
#: serverguide/C/dns.xml:35(command)
msgid "sudo apt-get install dnsutils"
#: serverguide/C/dns.xml:40(para)
"There a many ways to configure <application>BIND9</application>. Some of the "
"most common configurations are a caching nameserver, primary master, and a "
"as a secondary master."
#: serverguide/C/dns.xml:46(para)
"When configured as a caching nameserver BIND9 will find the answer to name "
"queries and remember the answer when the domain is queried again."
#: serverguide/C/dns.xml:52(para)
"As a primary master server BIND9 reads the data for a zone from a file on "
"it's host and is authoritative for that zone."
#: serverguide/C/dns.xml:57(para)
"In a secondary master configuration BIND9 gets the zone data from another "
"nameserver authoritative for the zone."
#: serverguide/C/dns.xml:65(para)
"The DNS configuration files are stored in the <filename>/etc/bind</filename> "
"directory. The primary configuration file is "
"<filename>/etc/bind/named.conf</filename>."
#: serverguide/C/dns.xml:72(para)
"The <emphasis>include</emphasis> line specifies the filename which contains "
"the DNS options. The <emphasis>directory</emphasis> line in the "
"<filename>/etc/bind/named.conf.options</filename> file tells DNS where to "
"look for files. All files BIND uses will be relative to this directory."
#: serverguide/C/dns.xml:80(para)
"The file named <filename>/etc/bind/db.root</filename> describes the root "
"nameservers in the world. The servers change over time, so the "
"<filename>/etc/bind/db.root</filename> file must be maintained now and then. "
"This is usually done as updates to the <application>bind9</application> "
"package. The <emphasis>zone</emphasis> section defines a master server, and "
"it is stored in a file mentioned in the <emphasis>file</emphasis> option."
"It is possible to configure the same server to be a caching name server, "
"primary master, and secondary master. A server and be the Start of Authority "
"(SOA) for one zone, while providing secondary service for another zone. All "
"the while providing caching services for hosts on the local LAN."
#: serverguide/C/dns.xml:98(title)
msgid "Caching Nameserver"
#: serverguide/C/dns.xml:99(para)
"The default configuration is setup to act as a caching server. All that is "
"required is simply adding the IP Addresses of your ISP's DNS servers. Simply "
"uncomment and edit the following in "
"<filename>/etc/bind/named.conf.options</filename>:"
#: serverguide/C/dns.xml:103(programlisting)
#: serverguide/C/dns.xml:110(para)
"Replace <emphasis>1.2.3.4</emphasis> and <emphasis>5.6.7.8</emphasis> with "
"the IP Adresses of actual nameservers."
#: serverguide/C/dns.xml:114(para)
"Now restart the DNS server, to enable the new configuration. From a terminal "
#: serverguide/C/dns.xml:118(command) serverguide/C/dns.xml:193(command) serverguide/C/dns.xml:252(command) serverguide/C/dns.xml:311(command) serverguide/C/dns.xml:549(command)
msgid "sudo /etc/init.d/bind9 restart"
#: serverguide/C/dns.xml:120(para)
"See <xref linkend=\"dns-testing-dig\"/> for information on testing a caching "
#: serverguide/C/dns.xml:125(title)
msgid "Primary Master"
#: serverguide/C/dns.xml:126(para)
"In this section <application>BIND9</application> will be configured as the "
"Primary Master for the domain <emphasis>example.com</emphasis>. Simply "
"replace <emphasis role=\"italic\">example.com</emphasis> with your FQDN "
"(Fully Qualified Domain Name)."
#: serverguide/C/dns.xml:132(title)
msgid "Forward Zone File"
#: serverguide/C/dns.xml:133(para)
"To add a DNS zone to BIND9, turning BIND9 into a Primary Master server, the "
"first step is to edit <filename>/etc/bind/named.conf.local</filename>:"
#: serverguide/C/dns.xml:137(programlisting)
"zone \"example.com\" {\n"
" file \"/etc/bind/db.example.com\";\n"
#: serverguide/C/dns.xml:143(para)
"Now use an existing zone file as a template to create the "
"<filename>/etc/bind/db.example.com</filename> file:"
#: serverguide/C/dns.xml:147(command)
msgid "sudo cp /etc/bind/db.local /etc/bind/db.example.com"
#: serverguide/C/dns.xml:149(para)
"Edit the new zone file <filename>/etc/bind/db.example.com</filename> change "
"<emphasis>localhost.</emphasis> to the FQDN of your server, leaving the "
"additional \".\" at the end. Change <emphasis>127.0.0.1</emphasis> to the "
"nameserver's IP Address and <emphasis>root.localhost</emphasis> to a valid "
"email address, but with a \".\" instead of the usual \"@\" symbol, again "
"leaving the \".\" at the end."
#: serverguide/C/dns.xml:155(para)
"Also, create an <emphasis>A record</emphasis> for <emphasis "
"role=\"italic\">ns.example.com</emphasis>. The name server in this example:"
"; BIND data file for local loopback interface\n"
"@ IN SOA ns.example.com. root.example.com. (\n"
" 604800 ; Refresh\n"
" 2419200 ; Expire\n"
" 604800 ) ; Negative Cache TTL\n"
"@ IN NS ns.example.com.\n"
"@ IN A 192.168.1.10\n"
"ns IN A 192.168.1.10\n"
#: serverguide/C/dns.xml:175(para)
"You must increment the <emphasis>Serial Number</emphasis> every time you "
"make changes to the zone file. If you make multiple changes before "
"restarting BIND9, simply increment the Serial once."
#: serverguide/C/dns.xml:179(para)
"Now, you can add DNS records to the bottom of the zone file. See <xref "
"linkend=\"dns-record-types\"/> for details."
#: serverguide/C/dns.xml:183(para)
"Many admins like to use the last date edited as the serial of a zone, such "
"as <emphasis>2007010100</emphasis> which is yyyymmddss (where "
"<emphasis>ss</emphasis> is the Serial Number)"
"Once you have made a change to the zone file "
"<application>BIND9</application> will need to be restarted for the changes "
#: serverguide/C/dns.xml:197(title)
msgid "Reverse Zone File"
#: serverguide/C/dns.xml:198(para)
"Now that the zone is setup and resolving names to IP Adresses a "
"<emphasis>Reverse zone</emphasis> is also required. A Reverse zone allows "
"DNS to resolve an address to a name."
#: serverguide/C/dns.xml:202(para)
msgid "Edit /etc/bind/named.conf.local and add the following:"
#: serverguide/C/dns.xml:205(programlisting)
"zone \"1.168.192.in-addr.arpa\" {\n"
" file \"/etc/bind/db.192\";\n"
#: serverguide/C/dns.xml:213(para)
"Replace <emphasis>1.168.192</emphasis> with the first three octets of "
"whatever network you are using. Also, name the zone file "
"<filename>/etc/bind/db.192</filename> appropriately. It should match the "
"first octet of your network."
#: serverguide/C/dns.xml:218(para)
msgid "Now create the <filename>/etc/bind/db.192</filename> file:"
#: serverguide/C/dns.xml:222(command)
msgid "sudo cp /etc/bind/db.127 /etc/bind/db.192"
#: serverguide/C/dns.xml:224(para)
"Next edit <filename>/etc/bind/db.192</filename> changing the basically the "
"same options as <filename>/etc/bind/db.example.com</filename>:"
#: serverguide/C/dns.xml:228(programlisting)
"; BIND reverse data file for local loopback interface\n"
"@ IN SOA ns.example.com. root.example.com. (\n"
" 604800 ; Refresh\n"
" 2419200 ; Expire\n"
" 604800 ) ; Negative Cache TTL\n"
"10 IN PTR ns.example.com.\n"
#: serverguide/C/dns.xml:243(para)
"The <emphasis>Serial Number</emphasis> in the Reverse zone needs to be "
"incremented on each changes as well. For each <emphasis>A record</emphasis> "
"you configure in <filename>/etc/bind/db.example.com</filename> you need to "
"create a <emphasis>PTR record</emphasis> in "
"<filename>/etc/bind/db.192</filename>."
#: serverguide/C/dns.xml:248(para)
"After creating the reverse zone file restart "
"<application>BIND9</application>:"
#: serverguide/C/dns.xml:257(title)
msgid "Secondary Master"
#: serverguide/C/dns.xml:258(para)
"Once a <emphasis>Primary Master</emphasis> has been configured a "
"<emphasis>Secondary Master</emphasis> is needed in order to maintain the "
"availability of the domain should the Primary become unavailable."
#: serverguide/C/dns.xml:262(para)
"First, on the Primary Master server, the zone transfer needs to be allowed. "
"Add the <emphasis>allow-transfer</emphasis> option to the example Forward "
"and Reverse zone definitions in "
"<filename>/etc/bind/named.conf.local</filename>:"
#: serverguide/C/dns.xml:266(programlisting)
"zone \"example.com\" {\n"
"\tfile \"/etc/bind/db.example.com\";\n"
" allow-transfer { 192.168.1.11; };\n"
"zone \"1.168.192.in-addr.arpa\" {\n"
" file \"/etc/bind/db.192\";\n"
"\tallow-transfer { 192.168.1.11; };\n"
#: serverguide/C/dns.xml:281(para)
"Replace <emphasis>192.168.1.11</emphasis> with the IP Address of your "
"Secondary nameserver."
#: serverguide/C/dns.xml:285(para)
"Next, on the Secondary Master, install the <application>bind9</application> "
"package the same way as on the Primary. Then edit the "
"<filename>/etc/bind/named.conf.local</filename> and add the following "
"declarations for the Forward and Reverse zones:"
"zone \"example.com\" {\n"
" file \"db.example.com\";\n"
" masters { 192.168.1.10; };\n"
"zone \"1.168.192.in-addr.arpa\" {\n"
" file \"db.192\";\n"
" masters { 192.168.1.10; };\n"
#: serverguide/C/dns.xml:303(para)
"Replace <emphasis>192.168.1.10</emphasis> with the IP Address of your "
"Primary nameserver."
#: serverguide/C/dns.xml:307(para)
msgid "Restart <application>BIND9</application> on the Secondary Master:"
#: serverguide/C/dns.xml:313(para)
"In <filename>/var/log/syslog</filename> you should see something similar to:"
#: serverguide/C/dns.xml:316(programlisting)
"slave zone \"example.com\" (IN) loaded (serial 6)\n"
"slave zone \"100.18.172.in-addr.arpa\" (IN) loaded (serial 3)\n"
#: serverguide/C/dns.xml:321(para)
"Note: A zone is only transferred if the <emphasis>Serial Number</emphasis> "
"on the Primary is larger than the one on the Secondary."
#: serverguide/C/dns.xml:329(para)
"This section covers ways to help determine the cause when problems happen "
"with DNS and <application>BIND9</application>."
#: serverguide/C/dns.xml:335(title)
msgid "resolv.conf"
#: serverguide/C/dns.xml:336(para)
"The first step in testing <application>BIND9</application> is to add the "
"nameserver's IP Address to a hosts resolver. The Primary nameserver should "
"be configured as well as another host to double check things. Simply edit "
"<filename>/etc/resolv.conf</filename> and add the following:"
#: serverguide/C/dns.xml:341(programlisting)
"nameserver\t192.168.1.10\n"
"nameserver\t192.168.1.11\n"
#: serverguide/C/dns.xml:346(para)
"You should also add the IP Address of the Secondary nameserver in case the "
"Primary becomes unavailable."
#: serverguide/C/dns.xml:352(title)
"Once a host has been configured to use the new nameserver one of the "
"simplest tests is the <application>ping</application> utility. From a "
"terminal prompt enter:"
#: serverguide/C/dns.xml:358(command)
msgid "ping example.com"
"This tests if the nameserver can resolve the name "
"<emphasis>example.com</emphasis> to an IP Address. The command output should "
"PING example.com (192.168.1.10) 56(84) bytes of data.\n"
"64 bytes from ns (192.168.1.10): icmp_seq=1 ttl=64 time=0.800 ms\n"
"64 bytes from ns (192.168.1.10): icmp_seq=2 ttl=64 time=0.813 ms\n"
#: serverguide/C/dns.xml:371(title)
#: serverguide/C/dns.xml:372(para)
"If you installed the <application>dnsutils</application> package you can "
"test your setup using the DNS lookup utility <application>dig</application>:"
#: serverguide/C/dns.xml:378(para)
"After installing <application>BIND9</application> use "
"<application>dig</application> against the loopback interface to make sure "
"it is listening on port 53. From a terminal prompt:"
#: serverguide/C/dns.xml:383(command)
msgid "dig -x 127.0.0.1"
#: serverguide/C/dns.xml:385(para)
msgid "You should see lines similar to the following in the command output:"
#: serverguide/C/dns.xml:388(programlisting)
";; Query time: 1 msec\n"
";; SERVER: 192.168.1.10#53(192.168.1.10)\n"
#: serverguide/C/dns.xml:394(para)
"If you have configured <application>BIND9</application> as a "
"<emphasis>Caching</emphasis> nameserver \"dig\" an outside domain to check "
#: serverguide/C/dns.xml:399(command)
msgid "dig ubuntu.com"
#: serverguide/C/dns.xml:401(para)
msgid "Note the query time toward the end of the command output:"
#: serverguide/C/dns.xml:404(programlisting)
";; Query time: 49 msec\n"
#: serverguide/C/dns.xml:407(para)
msgid "After a second dig there should be improvement:"
#: serverguide/C/dns.xml:410(programlisting)
";; Query time: 1 msec\n"
#: serverguide/C/dns.xml:417(title)
msgid "named-checkzone"
#: serverguide/C/dns.xml:418(para)
"A great way to test your zone files is by using the <application>named-"
"checkzone</application> utility installed with the "
"<application>bind9</application> package. This utility allows you to make "
"sure the configuration is correct before restarting "
"<application>BIND9</application> and making the changes live."
#: serverguide/C/dns.xml:425(para)
"To test our example Forward zone file enter the following from a command "
#: serverguide/C/dns.xml:429(command)
msgid "named-checkzone example.com /etc/bind/db.example.com"
#: serverguide/C/dns.xml:431(para)
"If everything is configured correctly you should see output similar to:"
#: serverguide/C/dns.xml:434(programlisting)
"zone example.com/IN: loaded serial 6\n"
#: serverguide/C/dns.xml:440(para)
msgid "Similarly, to test the Reverse zone file enter the following:"
#: serverguide/C/dns.xml:444(command)
msgid "named-checkzone example.com /etc/bind/db.192"
#: serverguide/C/dns.xml:446(para)
msgid "The output should be similar to:"
#: serverguide/C/dns.xml:449(programlisting)
"zone example.com/IN: loaded serial 3\n"
#: serverguide/C/dns.xml:456(para)
"The <emphasis>Serial Number</emphasis> of your zone file will probably be "
#: serverguide/C/dns.xml:463(title)
#: serverguide/C/dns.xml:464(para)
"<application>BIND9</application> has a wide variety of logging configuration "
"options available. There are two main options. The "
"<emphasis>channel</emphasis> option configures where logs go, and the the "
"<emphasis>category</emphasis> option determines what information to log."
#: serverguide/C/dns.xml:468(para)
msgid "If no logging option is configured the default option is:"
#: serverguide/C/dns.xml:471(programlisting)
" category default { default_syslog; default_debug; };\n"
" category unmatched { null; };\n"
#: serverguide/C/dns.xml:477(para)
"This section covers configuring <application>BIND9</application> to send "
"<emphasis>debug</emphasis> messages related to DNS queries to a separate "
#: serverguide/C/dns.xml:482(para)
"First, we need to configure a channel to specify which file to send the "
"messages to. Edit <filename>/etc/bind/named.conf.local</filename> and add "
#: serverguide/C/dns.xml:486(programlisting)
" channel query.log { \n"
" file \"/var/log/query.log\";\n"
" severity debug 3; \n"
#: serverguide/C/dns.xml:496(para)
msgid "Next, configure a category to send all DNS queries to the query file:"
#: serverguide/C/dns.xml:499(programlisting)
" channel query.log { \n"
" file \"/var/log/query.log\"; \n"
" severity debug 3; \n"
" <emphasis>category queries { query.log; };</emphasis> \n"
#: serverguide/C/dns.xml:511(para)
"Note: the <emphasis>debug</emphasis> option can be set from 1 to 3. If a "
"level isn't specified level 1 is the default."
#: serverguide/C/dns.xml:517(para)
"Since the <emphasis>named daemon</emphasis> runs as the "
"<emphasis>bind</emphasis> user the <filename>/var/log/query.log</filename> "
"file must be created and the ownership changed:"
#: serverguide/C/dns.xml:522(command)
msgid "sudo touch /var/log/query.log"
#: serverguide/C/dns.xml:523(command)
msgid "sudo chown bind /var/log/query.log"
#: serverguide/C/dns.xml:527(para)
"Before <application>named</application> daemon can write to the new log file "
"the <application>AppArmor</application> profile must be updated. First, edit "
"<filename>/etc/apparmor.d/usr.sbin.named</filename> and add:"
#: serverguide/C/dns.xml:531(programlisting)
"/var/log/query.log w,\n"
#: serverguide/C/dns.xml:534(para)
msgid "Next, reload the profile:"
#: serverguide/C/dns.xml:538(command)
msgid "cat /etc/apparmor.d/usr.sbin.named | sudo apparmor_parser -r"
#: serverguide/C/dns.xml:540(para)
"For more information on <application>AppArmor</application> see <xref "
"linkend=\"apparmor\"/>"
"Now restart <application>BIND9</application> for the changes to take affect:"
#: serverguide/C/dns.xml:553(para)
"You should see the file <filename>/var/log/query.log</filename> fill with "
"query information. This is a simple example of the "
"<application>BIND9</application> logging options. For coverage of advanced "
"options see <xref linkend=\"dns-more-info\"/>."
#: serverguide/C/dns.xml:562(title)
msgid "Common Record Types"
#: serverguide/C/dns.xml:563(para)
msgid "This section covers some of the most common DNS record types."
#: serverguide/C/dns.xml:568(para)
"<emphasis>A</emphasis> record: This record maps an IP Address to a hostname."
#: serverguide/C/dns.xml:571(programlisting)
"www IN A 192.168.1.12\n"
#: serverguide/C/dns.xml:576(para)
"<emphasis>CNAME</emphasis> record: Used to create an alias to an existing A "
"record. You cannot create a CNAME record pointing to another CNAME record."
#: serverguide/C/dns.xml:579(programlisting)
"web IN CNAME www\n"
#: serverguide/C/dns.xml:584(para)
"<emphasis>MX</emphasis> record: Used to define where email should be sent "
"to. Must point to an A record, not a CNAME."
#: serverguide/C/dns.xml:587(programlisting)
" IN MX mail.example.com.\n"
"mail IN A 192.168.1.13\n"
#: serverguide/C/dns.xml:593(para)
"<emphasis>NS</emphasis> record: Used to define which servers serve copies of "
"a zone. It must point to an A record, not a CNAME. This is where Primary and "
"Secondary servers are defined."
#: serverguide/C/dns.xml:597(programlisting)
" IN NS ns.example.com.\n"
"\tIN NS ns2.example.com.\n"
"ns IN A 192.168.1.10\n"
"ns2\tIN A\t 192.168.1.11\n"
#: serverguide/C/dns.xml:607(title)
msgid "More Information"
#: serverguide/C/dns.xml:608(para)
"The <ulink url=\"http://www.tldp.org/HOWTO/DNS-HOWTO.html\">DNS "
"HOWTO</ulink> explains more advanced options for configuring BIND9."
#: serverguide/C/dns.xml:611(para)
"For in depth coverage of <emphasis>DNS</emphasis> and "
"<application>BIND9</application> see <ulink "
"url=\"http://www.bind9.net/\">Bind9.net</ulink>."
#: serverguide/C/dns.xml:614(para)
"<ulink url=\"http://www.oreilly.com/catalog/dns5/index.html\">DNS and "
"BIND</ulink> is a popular book now in it's fifth edition."
#: serverguide/C/dns.xml:617(para)
"A great place to ask for <application>BIND9</application> assistance, and "
"get involved with the Ubuntu Server community, is the <emphasis>#ubuntu-"
"server</emphasis> IRC channel on <ulink "
"url=\"http://freenode.net\">freenode</ulink>."
#: serverguide/C/databases.xml:13(title)
#: serverguide/C/databases.xml:14(para)
msgid "Ubuntu provides two popular database servers. They are:"
#: serverguide/C/databases.xml:22(application) serverguide/C/databases.xml:136(title)
#: serverguide/C/databases.xml:25(para)
"They are available in the main repository. This section explains how to "
"install and configure these database servers."
#: serverguide/C/databases.xml:32(para)
"MySQL is a fast, multi-threaded, multi-user, and robust SQL database server. "
"It is intended for mission-critical, heavy-load production systems as well "
"as for embedding into mass-deployed software."
#: serverguide/C/databases.xml:41(para)
msgid "To install MySQL, run the following command from a terminal prompt:"
#: serverguide/C/databases.xml:46(command)
msgid "sudo apt-get install mysql-server"
#: serverguide/C/databases.xml:48(para)
"During the installation process you will be prompted to enter a password for "
"the <application>MySQL</application> root user."
#: serverguide/C/databases.xml:53(para)
"Once the installation is complete, the MySQL server should be started "
"automatically. You can run the following command from a terminal prompt to "
"check whether the MySQL server is running:"
#: serverguide/C/databases.xml:61(command)
msgid "sudo netstat -tap | grep mysql"
#: serverguide/C/databases.xml:70(programlisting)
"tcp 0 0 localhost.localdomain:mysql *:* LISTEN -\n"
#: serverguide/C/databases.xml:73(para)
"If the server is not running correctly, you can type the following command "
#: serverguide/C/databases.xml:76(command) serverguide/C/databases.xml:102(command)
msgid "sudo /etc/init.d/mysql restart"
#: serverguide/C/databases.xml:83(para)
"You can edit the <filename>/etc/mysql/my.cnf</filename> file to configure "
"the basic settings -- log file, port number, etc. For example, to configure "
"<application>MySQL</application> to listen for connections from network "
"hosts, change the <emphasis>bind_address</emphasis> directive to the "
"server's IP address:"
#: serverguide/C/databases.xml:89(programlisting)
"bind-address = 192.168.0.5\n"
#: serverguide/C/databases.xml:93(para)
msgid "Replace 192.168.0.5 with the appropriate address."
#: serverguide/C/databases.xml:97(para)
"After making a change to <filename>/etc/mysql/my.cnf</filename> the "
"<application>mysql</application> daemon will need to be restarted:"
#: serverguide/C/databases.xml:109(para)
"See the <ulink url=\"http://www.mysql.com/\">MySQL Home Page</ulink> for "
"more information."
#: serverguide/C/databases.xml:114(para)
"The <emphasis>MySQL Handbook</emphasis> is also available in the "
"<application>mysql-doc-5.0</application> package. To install the package "
"enter the following in a terminal:"
#: serverguide/C/databases.xml:119(command)
msgid "sudo apt-get install mysql-doc-5.0"
#: serverguide/C/databases.xml:121(para)
"The documentation is in HTML format, to view them enter "
"<command>file:///usr/share/doc/mysql-doc-5.0/refman-5.0-en.html-"
"chapter/index.html</command> in your browser's address bar."
#: serverguide/C/databases.xml:127(para) serverguide/C/databases.xml:269(para)
"For general SQL information see <ulink "
"url=\"http://www.informit.com/store/product.aspx?isbn=0768664128\">Using SQL "
"Special Edition</ulink> by Rafe Colburn."
#: serverguide/C/databases.xml:137(para)
"PostgreSQL is an object-relational database system that has the features of "
"traditional commercial database systems with enhancements to be found in "
"next-generation DBMS systems."
#: serverguide/C/databases.xml:144(para)
"To install PostgreSQL, run the following command in the command prompt:"
#: serverguide/C/databases.xml:151(command)
msgid "sudo apt-get install postgresql"
#: serverguide/C/databases.xml:155(para)
"Once the installation is complete, you should configure the PostgreSQL "
"server based on your needs, although the default configuration is viable."
#: serverguide/C/databases.xml:163(para)
"By default, connection via TCP/IP is disabled. PostgreSQL supports multiple "
"client authentication methods. By default, IDENT authentication method is "
"used for <application>postgres</application> and local users. Please refer "
"<ulink url=\"http://www.postgresql.org/docs/8.3/static/admin.html\"> the "
"PostgreSQL Administrator's Guide</ulink>."
#: serverguide/C/databases.xml:170(para)
"The following discussion assumes that you wish to enable TCP/IP connections "
"and use the MD5 method for client authentication. PostgreSQL configuration "
"files are stored in the "
"<filename>/etc/postgresql/<version>/main</filename> directory. For "
"example, if you install PostgreSQL 8.3, the configuration files are stored "
"in the <filename>/etc/postgresql/8.3/main</filename> directory."
#: serverguide/C/databases.xml:180(para)
"To configure <emphasis>ident</emphasis> authentication, add entries to the "
"<filename>/etc/postgresql/8.3/main/pg_ident.conf</filename> file."
#: serverguide/C/databases.xml:187(para)
"To enable TCP/IP connections, edit the file "
"<filename>/etc/postgresql/8.3/main/postgresql.conf</filename>"
#: serverguide/C/databases.xml:189(para)
"Locate the line <emphasis>#listen_addresses = 'localhost'</emphasis> and "
#: serverguide/C/databases.xml:192(programlisting)
"listen_addresses = 'localhost'\n"
#: serverguide/C/databases.xml:196(para)
"To allow other computers to connect to your "
"<application>PostgreSQL</application> server replace 'localhost' with the "
"<emphasis>IP Address</emphasis> of your server."
#: serverguide/C/databases.xml:201(para)
"You may also edit all other parameters, if you know what you are doing! For "
"details, refer to the configuration file or to the PostgreSQL documentation."
#: serverguide/C/databases.xml:206(para)
"Now that we can connect to our <application>PostgreSQL</application> server, "
"the next step is to set a password for the <emphasis>postgres</emphasis> "
"user. Run the following command at a terminal prompt to connect to the "
"default PostgreSQL template database:"
#: serverguide/C/databases.xml:213(command)
msgid "sudo -u postgres psql template1"
#: serverguide/C/databases.xml:215(para)
"The above command connects to PostgreSQL database "
"<emphasis>template1</emphasis> as user <emphasis>postgres</emphasis>. Once "
"you connect to the PostgreSQL server, you will be at a SQL prompt. You can "
"run the following SQL command at the <application>psql</application> prompt "
"to configure the password for the user <emphasis "
"role=\"italics\">postgres</emphasis>."
#: serverguide/C/databases.xml:223(command)
msgid "ALTER USER postgres with encrypted password 'your_password';"
#: serverguide/C/databases.xml:225(para)
"After configuring the password, edit the file "
"<filename>/etc/postgresql/8.3/main/pg_hba.conf</filename> to use "
"<emphasis>MD5</emphasis> authentication with the "
"<emphasis>postgres</emphasis> user:"
#: serverguide/C/databases.xml:231(programlisting)
"local all postgres md5 sameuser\n"
#: serverguide/C/databases.xml:235(para)
"Finally, you should restart the <application>PostgreSQL</application> "
"service to initialize the new configuration. From a terminal prompt enter "
"the following to restart <application>PostgreSQL</application>:"
#: serverguide/C/databases.xml:241(command)
msgid "sudo /etc/init.d/postgresql-8.3 restart"
#: serverguide/C/databases.xml:244(para)
"The above configuration is not complete by any means. Please refer <ulink "
"url=\"http://www.postgresql.org/docs/8.3/static/admin.html\"> the PostgreSQL "
"Administrator's Guide</ulink> to configure more parameters."
#: serverguide/C/databases.xml:255(para)
"As mentioned above the <ulink "
"url=\"http://www.postgresql.org/docs/8.3/static/admin.html\">Administrator's "
"Guide</ulink> is an excellent resource. The guide is also available in the "
"<application>postgresql-doc-8.3</application> package. Execute the following "
"in a terminal to install the package:"
#: serverguide/C/databases.xml:261(command)
msgid "sudo apt-get install postgresql-doc-8.3"
#: serverguide/C/databases.xml:263(para)
"To view the guide enter <command>file:///usr/share/doc/postgresql-doc-"
"8.3/html/index.html</command> into the address bar of your browser."
#: serverguide/C/backups.xml:13(title)
"There are many ways to backup a Ubuntu installation. The most import thing "
"about backups is to develop a <emphasis>backup plan</emphasis> consisting of "
"what to backup, where to backup it up to, and how to restore it."
#: serverguide/C/backups.xml:18(para)
"The following sections discuss various ways of accomplishing these tasks."
#: serverguide/C/backups.xml:22(title)
msgid "Shell Scripts"
#: serverguide/C/backups.xml:23(para)
"One of the simplest ways to backup a system is using a <emphasis>shell "
"script</emphasis>. For example, a script can be used to configure which "
"directories to backup, and use those directories as arguments to the "
"<application>tar</application> utility creating an archive file. The archive "
"file can then be moved or copied to another location. The archive can also "
"be created on a remote file system such as an <emphasis>NFS</emphasis> mount."
#: serverguide/C/backups.xml:29(para)
"The <application>tar</application> utility creates one archive file out of "
"many files or directories. <application>tar</application> can also filter "
"the files through compression utilities reducing the size of the archive "
#: serverguide/C/backups.xml:35(title)
msgid "Simple Shell Script"
#: serverguide/C/backups.xml:36(para)
"The following shell script uses <application>tar</application> to create an "
"archive file on a remotely mounted NFS file system. The archive filename is "
"determined using additional command line utilities."
#: serverguide/C/backups.xml:40(programlisting)
"####################################\n"
"# Backup to NFS mount script.\n"
"####################################\n"
"# What to backup. \n"
"backup_files=\"/home /var/spool/mail /etc /root /boot /opt\"\n"
"# Where to backup to.\n"
"dest=\"/mnt/backup\"\n"
"# Create archive filename.\n"
"day=$(date +%A)\n"
"hostname=$(hostname -s)\n"
"archive_file=\"$hostname-$day.tgz\"\n"
"# Print start status message.\n"
"echo \"Backing up $backup_files to $dest/$archive_file\"\n"
"# Backup the files using tar.\n"
"tar czf $dest/$archive_file $backup_files\n"
"# Print end status message.\n"
"echo \"Backup finished\"\n"
"# Long listing of files in $dest to check file sizes.\n"
#: serverguide/C/backups.xml:77(para)
"<emphasis>$backup_files:</emphasis> a variable listing which directories you "
"would like to backup. The list should be customized to fit your needs."
#: serverguide/C/backups.xml:83(para)
"<emphasis>$day:</emphasis> a variable holding the day of the week (Monday, "
"Tuesday, Wednesday, etc). This is used to create an archive file for each "
"day of the week, giving a backup history of seven days. There are other ways "
"to accomplish this including other ways using the "
"<application>date</application> utility."
#: serverguide/C/backups.xml:90(para)
"<emphasis>$hostname:</emphasis> variable containing the "
"<emphasis>short</emphasis> hostname of the system. Using the hostname in the "
"archive filename gives you the option of placing daily archive files from "
"multiple systems in the same directory."
#: serverguide/C/backups.xml:97(para)
msgid "<emphasis>$archive_file:</emphasis> the full archive filename."
#: serverguide/C/backups.xml:102(para)
"<emphasis>$dest:</emphasis> destination of the archive file. The directory "
"needs to be created and in this case <emphasis>mounted</emphasis> before "
"executing the backup script. See <xref linkend=\"network-file-system\"/> for "
"details using <emphasis>NFS</emphasis>."
#: serverguide/C/backups.xml:109(para)
"<emphasis>status messages:</emphasis> optional messages printed to the "
"console using the <application>echo</application> utility."
#: serverguide/C/backups.xml:115(para)
"<emphasis>tar czf $dest/$archive_file $backup_files:</emphasis> the "
"<application>tar</application> command used to create the archive file."
#: serverguide/C/backups.xml:121(para)
msgid "<emphasis>c:</emphasis> creates an archive."
#: serverguide/C/backups.xml:126(para)
"<emphasis>z:</emphasis> filter the archive through the "
"<application>gzip</application> utility compressing the archive."
#: serverguide/C/backups.xml:131(para)
"<emphasis>f:</emphasis> use archive file. Otherwise the "
"<application>tar</application> output will be sent to STDOUT."
#: serverguide/C/backups.xml:138(para)
"<emphasis>ls -lh $dest:</emphasis> optional statement prints a <emphasis>-"
"l</emphasis> long listing in <emphasis>-h</emphasis> human readable format "
"of the destination directory. This is useful for a quick file size check of "
"the archive file. This check should not replace testing the archive file."
#: serverguide/C/backups.xml:145(para)
"This is a simple example of a backup shell script. There are large amount of "
"options that can be included in a backup script. See <xref linkend=\"backup-"
"shellscript-references\"/> for links to resources providing more in depth "
"shell scripting information."
#: serverguide/C/backups.xml:152(title)
msgid "Executing the Script"
#: serverguide/C/backups.xml:154(title)
msgid "Executing from a Terminal"
#: serverguide/C/backups.xml:155(para)
"The simplest way of executing the above backup script is to copy and paste "
"the contents into a file. <filename>backup.sh</filename> for example. Then "
"from a terminal prompt:"
#: serverguide/C/backups.xml:160(command)
msgid "sudo bash backup.sh"
#: serverguide/C/backups.xml:162(para)
"This is a great way to test the script to make sure everything works as "
#: serverguide/C/backups.xml:167(title)
msgid "Executing with cron"
#: serverguide/C/backups.xml:168(para)
"The <application>cron</application> utility can be used to automate the "
"script execution. The <application>cron</application> daemon allows the "
"execution of scripts, or commands, at a specified time and date."
#: serverguide/C/backups.xml:172(para)
"<application>cron</application> is configured through entries in a "
"<filename>crontab</filename> file. <filename>crontab</filename> files are "
"separated into fields:"
#: serverguide/C/backups.xml:176(programlisting)
"# m h dom mon dow command\n"
#: serverguide/C/backups.xml:181(para)
"<emphasis>m:</emphasis> minute the command executes on between 0 and 59."
#: serverguide/C/backups.xml:186(para)
"<emphasis>h:</emphasis> hour the command executes on between 0 and 23."
#: serverguide/C/backups.xml:191(para)
msgid "<emphasis>dom:</emphasis> day of month the command executes on."
#: serverguide/C/backups.xml:196(para)
"<emphasis>mon:</emphasis> the month the command executes on between 1 and 12."
#: serverguide/C/backups.xml:201(para)
"<emphasis>dow:</emphasis> the day of the week the command executes on "
"between 0 and 7. Sunday may be specified by using 0 or 7, both values are "
#: serverguide/C/backups.xml:206(para)
msgid "<emphasis>command:</emphasis> the command to execute."
#: serverguide/C/backups.xml:211(para)
"To add or change entries in a <filename>crontab</filename> file the "
"<application>crontab -e</application> command should be used. Also, the "
"contents of a <filename>crontab</filename> file can be viewed using the "
"<application>crontab -l</application> command."
#: serverguide/C/backups.xml:215(para)
"To execute the <application>backup.sh</application> script listed above "
"using <application>cron</application>. Enter the following from a terminal "
#: serverguide/C/backups.xml:220(command)
msgid "sudo crontab -e"
#: serverguide/C/backups.xml:223(para)
"Using <application>sudo</application> with the <application>crontab -"
"e</application> command edits the <emphasis>root</emphasis> user's crontab. "
"This is necessary if you are backing up directories only the root user has "
#: serverguide/C/backups.xml:228(para)
msgid "Add the following entry to the <filename>crontab</filename> file:"
#: serverguide/C/backups.xml:231(programlisting)
"# m h dom mon dow command\n"
"0 0 * * * bash /usr/local/bin/backup.sh\n"
#: serverguide/C/backups.xml:235(para)
"The <application>backup.sh</application> script will now be executed every "
#: serverguide/C/backups.xml:239(para)
"The <application>backup.sh</application> script will need to be copied to "
"the <filename>/usr/local/bin/</filename> directory in order for this entry "
"to execute properly. The script can reside anywhere on the file system "
"simply change the script path appropriately."
#: serverguide/C/backups.xml:244(para)
"For more in depth <application>crontab</application> options see <xref "
"linkend=\"backup-shellscript-references\"/>."
#: serverguide/C/backups.xml:250(title)
msgid "Restoring from the Archive"
#: serverguide/C/backups.xml:251(para)
"Once an archive has been created it is important to test the archive. The "
"archive can be tested by listing the files it contains, but the best test is "
"to <emphasis>restore</emphasis> a file from the archive."
#: serverguide/C/backups.xml:257(para)
msgid "To see a listing of the archive contents. From a terminal prompt:"
#: serverguide/C/backups.xml:261(command)
msgid "tar -tzvf /mnt/backup/host-Monday.tgz"
#: serverguide/C/backups.xml:265(para)
msgid "To restore a file from the archive to a different directory enter:"
#: serverguide/C/backups.xml:269(command)
msgid "tar -xzvf /mnt/backup/host-Monday.tgz -C /tmp etc/hosts"
#: serverguide/C/backups.xml:271(para)
"The <emphasis>-C</emphasis> option to <application>tar</application> "
"redirects the extracted files to the specified directory. The above example "
"will extract the <filename>/etc/hosts</filename> file to "
"<filename>/tmp/etc/hosts</filename>. <application>tar</application> "
"recreates the directory structure that it contains."
#: serverguide/C/backups.xml:276(para)
"Also, notice the leading <emphasis>\"/\"</emphasis> is left off the path of "
"the file to restore."
#: serverguide/C/backups.xml:281(para)
msgid "To restore all files in the archive enter the following:"
#: serverguide/C/backups.xml:285(command)
#: serverguide/C/backups.xml:286(command)
msgid "sudo tar -xzvf /mnt/backup/host-Monday.tgz"
#: serverguide/C/backups.xml:291(para)
msgid "This will overwrite the files currently on the file system."
#: serverguide/C/backups.xml:300(para)
"For more information on shell scripting see the <ulink "
"url=\"http://tldp.org/LDP/abs/html/\">Advanced Bash-Scripting Guide</ulink>"
#: serverguide/C/backups.xml:305(para)
"The book <ulink url=\"http://safari.samspublishing.com/0672323583\">Teach "
"Yourself Shell Programming in 24 Hours</ulink> is available online and a "
"great resource for shell scripting."
#: serverguide/C/backups.xml:311(para)
"The <ulink url=\"https://help.ubuntu.com/community/CronHowto\">CronHowto "
"Wiki Page</ulink> contains details on advanced "
"<application>cron</application> options."
#: serverguide/C/backups.xml:318(para)
"See the <ulink url=\"http://www.gnu.org/software/tar/manual/index.html\">GNU "
"tar Manual</ulink> for more <application>tar</application> options."
#: serverguide/C/backups.xml:324(para)
"The Wikipedia <ulink "
"url=\"http://en.wikipedia.org/wiki/Backup_rotation_scheme\">Backup Rotation "
"Scheme</ulink> article contains information on other backup rotation schemes."
#: serverguide/C/backups.xml:330(para)
"The shell script uses <application>tar</application> to create the archive, "
"but there many other command line utilities that can be used. For example:"
#: serverguide/C/backups.xml:336(para)
"<ulink url=\"http://www.gnu.org/software/cpio/\">cpio</ulink>: used to copy "
"files to and from archives."
#: serverguide/C/backups.xml:341(para)
"<ulink url=\"http://www.gnu.org/software/coreutils/\">dd</ulink>: part of "
"the <application>coreutils</application> package. A low level utility that "
"can copy data from one format to another"
#: serverguide/C/backups.xml:347(para)
"<ulink url=\"http://www.rsnapshot.org/\">rsnapshot</ulink>: a file system "
"snap shot utility used to create copies of an entire file system."
#: serverguide/C/backups.xml:358(title)
msgid "Archive Rotation"
#: serverguide/C/backups.xml:359(para)
"The shell script in section <xref linkend=\"backup-shellscripts\"/> only "
"allows for seven different archives. For a server whose data doesn't change "
"often this may be enough. If the server has a large amount of data a more "
"robust rotation scheme should be used."
#: serverguide/C/backups.xml:365(title)
msgid "Rotating NFS Archives"
#: serverguide/C/backups.xml:366(para)
"In this section the shell script will be slightly modified to implement a "
"grandfather-father-son rotation scheme (monthly-weekly-daily):"
#: serverguide/C/backups.xml:372(para)
"The rotation will do a <emphasis>daily</emphasis> backup Sunday through "
#: serverguide/C/backups.xml:377(para)
"On Saturday a <emphasis>weekly</emphasis> backup is done giving you four "
"weekly backups a month."
#: serverguide/C/backups.xml:382(para)
"The <emphasis>monthly</emphasis> backup is done on the first of the month "
"rotating two monthly backups based on if the month is odd or even."
#: serverguide/C/backups.xml:388(para)
msgid "Here is the new script:"
#: serverguide/C/backups.xml:391(programlisting)
"####################################\n"
"# Backup to NFS mount script with\n"
"# grandfather-father-son rotation.\n"
"####################################\n"
"# What to backup. \n"
"backup_files=\"/home /var/spool/mail /etc /root /boot /opt\"\n"
"# Where to backup to.\n"
"dest=\"/mnt/backup\"\n"
"# Setup variables for the archive filename.\n"
"day=$(date +%A)\n"
"hostname=$(hostname -s)\n"
"# Find which week of the month 1-4 it is.\n"
"day_num=$(date +%d)\n"
"if (( $day_num <= 7 )); then\n"
" week_file=\"$hostname-week1.tgz\"\n"
"elif (( $day_num > 7 && $day_num <= 14 )); then\n"
" week_file=\"$hostname-week2.tgz\"\n"
"elif (( $day_num > 14 && $day_num <= 21 )); then\n"
" week_file=\"$hostname-week3.tgz\"\n"
"elif (( $day_num > 21 && $day_num < 32 )); then\n"
" week_file=\"$hostname-week4.tgz\"\n"
"# Find if the Month is odd or even.\n"
"month_num=$(date +%m)\n"
"month=$(expr $month_num % 2)\n"
"if [ $month -eq 0 ]; then\n"
" month_file=\"$hostname-month2.tgz\"\n"
" month_file=\"$hostname-month1.tgz\"\n"
"# Create archive filename.\n"
"if [ $day_num == 1 ]; then\n"
"\tarchive_file=$month_file\n"
"elif [ $day != \"Saturday\" ]; then\n"
" archive_file=\"$hostname-$day.tgz\"\n"
"\tarchive_file=$week_file\n"
"# Print start status message.\n"
"echo \"Backing up $backup_files to $dest/$archive_file\"\n"
"# Backup the files using tar.\n"
"tar czf $dest/$archive_file $backup_files\n"
"# Print end status message.\n"
"echo \"Backup finished\"\n"
"# Long listing of files in $dest to check file sizes.\n"
#: serverguide/C/backups.xml:456(para)
"The script can be executed using the same methods as in <xref "
"linkend=\"backup-executing-shellscript\"/>."
#: serverguide/C/backups.xml:459(para)
"It is good practice to take backup media off site in case of a disaster. In "
"the shell script example the backup media is another server providing an NFS "
"share. In all likelihood taking the NFS server to another location would not "
"be practical. Depending upon connection speeds it may be an option to copy "
"the archive file over a WAN link to a server in another location."
#: serverguide/C/backups.xml:465(para)
"Another option is to copy the archive file to an external hard drive which "
"can then be taken off site. Since the price of external hard drives continue "
"to decrease it may be cost affective to use two drives for each archive "
"level. This would allow you to have one external drive attached to the "
"backup server and one in another location."
#: serverguide/C/backups.xml:472(title)
msgid "Tape Drives"
#: serverguide/C/backups.xml:473(para)
"A tape drive attached to the server can be used instead of a NFS share. "
"Using a tape drive simplifies archive rotation, and taking the media off "
#: serverguide/C/backups.xml:477(para)
"When using a tape drive the filename portions of the script aren't needed "
"because the date is sent directly to the tape device. Some commands to "
"manipulate the tape are needed. This is accomplished using "
"<application>mt</application>, a magnetic tape control utility part of the "
"<application>cpio</application> package."
#: serverguide/C/backups.xml:482(para)
msgid "Here is the shell script modified to use a tape drive:"
#: serverguide/C/backups.xml:485(programlisting)
"####################################\n"
"# Backup to tape drive script.\n"
"####################################\n"
"# What to backup. \n"
"backup_files=\"/home /var/spool/mail /etc /root /boot /opt\"\n"
"# Where to backup to.\n"
"dest=\"/dev/st0\"\n"
"# Print start status message.\n"
"echo \"Backing up $backup_files to $dest\"\n"
"# Make sure the tape is rewound.\n"
"mt -f $dest rewind\n"
"# Backup the files using tar.\n"
"tar czf $dest $backup_files\n"
"# Rewind and eject the tape.\n"
"mt -f $dest rewoffl\n"
"# Print end status message.\n"
"echo \"Backup finished\"\n"
#: serverguide/C/backups.xml:519(para)
"The default device name for a SCSI tape drive is "
"<filename>/dev/st0</filename>. Use the appropriate device path for your "
#: serverguide/C/backups.xml:524(para)
"Restoring from a tape drive is basically the same as restoring from a file. "
"Simply rewind the tape and use the device path instead of a file path. For "
"example to restore the <filename>/etc/hosts</filename> file to "
"<filename>/tmp/etc/hosts</filename>:"
#: serverguide/C/backups.xml:529(command)
msgid "mt -f /dev/st0 rewind"
#: serverguide/C/backups.xml:530(command)
msgid "tar -xzf /dev/st0 -C /tmp etc/hosts"
#: serverguide/C/backups.xml:535(title)
#: serverguide/C/backups.xml:536(para)
"<application>Bacula</application> is a backup program enabling you to "
"backup, restore, and verify data across your network. There are Bacula "
"clients for Linux, Windows, and Mac OSX. Making it a cross platform network "
#: serverguide/C/backups.xml:542(para)
"<application>Bacula</application> is made up of several components and "
"services used to manage which files to backup and where to back them up to:"
#: serverguide/C/backups.xml:548(para)
"<application>Bacula Director:</application> a service that controls all "
"backup, restore, verify, and archive operations."
#: serverguide/C/backups.xml:553(para)
"<application>Bacula Console:</application> an application allowing "
"communication with the Director. There are three versions of the Console:"
#: serverguide/C/backups.xml:558(para)
msgid "Text based command line version."
#: serverguide/C/backups.xml:559(para)
msgid "Gnome based GTK+ Graphical User Interface (GUI) interface."
#: serverguide/C/backups.xml:560(para)
msgid "wxWidgets GUI interface."
#: serverguide/C/backups.xml:564(para)
"<application>Bacula File:</application> also known as the "
"<application>Bacula Client</application> program. This application is "
"installed on machines to be backed up, and is responsible for the data "
"requested by the Director."
#: serverguide/C/backups.xml:570(para)
"<application>Bacula Storage:</application> the programs that perform the "
"storage and recovery of data to the physical media."
#: serverguide/C/backups.xml:575(para)
"<application>Bacula Catalog:</application> is responsible for maintaining "
"the file indexes and volume databases for all files backed up, enabling "
"quick location and restoration of archived files. The Catalog supports three "
"different databases MySQL, PostgreSQL, and SQLite."
#: serverguide/C/backups.xml:581(para)
"<application>Bacula Monitor:</application> allows the monitoring of the "
"Director, File daemons, and Storage daemons. Currently the Monitor is only "
"available as a GTK+ GUI application."
#: serverguide/C/backups.xml:587(para)
"These services and applications can be run on multiple servers and clients, "
"or they can be installed on one machine if backing up a single disk or "
#: serverguide/C/backups.xml:594(para)
"There are multiple packages containing the different "
"<application>Bacula</application> components. To install Bacula, from a "
"terminal prompt enter:"
#: serverguide/C/backups.xml:599(command)
msgid "sudo apt-get install bacula"
#: serverguide/C/backups.xml:601(para)
"By default installing the <application>bacula</application> package will use "
"a <application>MySQL</application> database for the Catalog. If you want to "
"use SQLite or PostgreSQL, for the Catalog, install <application>bacula-"
"director-sqlite3</application> or <application>bacula-director-"
"pgsql</application> respectively."
#: serverguide/C/backups.xml:607(para)
"During the install process you will be asked to supply credentials for the "
"database <emphasis>administrator</emphasis> and the "
"<emphasis>bacula</emphasis> database <emphasis>owner</emphasis>. The "
"database administrator will need to have the appropriate rights to create a "
"database, see <xref linkend=\"mysql\"/> for more information."
#: serverguide/C/backups.xml:617(para)
"<application>Bacula</application> configuration files are formatted based on "
"<emphasis>resources</emphasis> comprising of <emphasis>directives</emphasis> "
"surrounded by <quote>{}</quote> braces. Each Bacula component has an "
"individual file in the <filename role=\"directory\">/etc/bacula</filename> "
#: serverguide/C/backups.xml:622(para)
"The various <application>Bacula</application> components must authorize "
"themselves to each other. This is accomplished using the "
"<emphasis>password</emphasis> directive. For example, the "
"<emphasis>Storage</emphasis> resource password in the "
"<filename>/etc/bacula/bacula-dir.conf</filename> file must match the "
"<emphasis>Director</emphasis> resource password in "
"<filename>/etc/bacula/bacula-sd.conf</filename>."
#: serverguide/C/backups.xml:628(para)
"By default the backup job named <emphasis>Client1</emphasis> is configured "
"to archive the <application>Bacula</application> Catalog. If you plan on "
"using the server to backup more than one client you should change the name "
"of this job to something more descriptive. To change the name edit "
"<filename>/etc/bacula/bacula-dir.conf</filename>:"
#: serverguide/C/backups.xml:633(programlisting)
"# Define the main nightly save backup job\n"
"# By default, this job will back up to disk in \n"
" Name = \"BackupServer\"\n"
" JobDefs = \"DefaultJob\"\n"
" Write Bootstrap = \"/var/lib/bacula/Client1.bsr\"\n"
#: serverguide/C/backups.xml:644(para)
"The example above changes the job name to <emphasis>BackupServer</emphasis> "
"matching the machine's host name. Replace <quote>BackupServer</quote> with "
"your appropriate hostname, or other descriptive name."
#: serverguide/C/backups.xml:649(para)
"The <emphasis>Console</emphasis> can be used to query the "
"<emphasis>Director</emphasis> about jobs, but to use the Console with a "
"<emphasis>non-root</emphasis> user, the user needs to be in the "
"<emphasis>bacula</emphasis> group. To add a user to the bacula group enter "
"the following from a terminal:"
#: serverguide/C/backups.xml:655(command)
msgid "sudo adduser $username bacula"
#: serverguide/C/backups.xml:658(para)
"Replace <emphasis>$username</emphasis> with the actual username. Also, if "
"you are adding the current user to the group you should log out and back in "
"for the new permissions to take effect."
#: serverguide/C/backups.xml:665(title)
msgid "Localhost Backup"
#: serverguide/C/backups.xml:666(para)
"This section describes how to backup specified directories on a single host "
"to a local tape drive."
#: serverguide/C/backups.xml:671(para)
"First, the <emphasis>Storage</emphasis> device needs to be configured. Edit "
"<filename>/etc/bacula/bacula-sd.conf</filename> add:"
#: serverguide/C/backups.xml:674(programlisting)
" Name = \"Tape Drive\"\n"
" Device Type = tape\n"
" Media Type = DDS-4\n"
" Archive Device = /dev/st0\n"
" Hardware end of medium = No;\n"
" AutomaticMount = yes; # when device opened, read it\n"
" AlwaysOpen = Yes;\n"
" RemovableMedia = yes;\n"
" RandomAccess = no;\n"
" Alert Command = \"sh -c 'tapeinfo -f %c | grep TapeAlert'\"\n"
#: serverguide/C/backups.xml:688(para)
"The example is for a <emphasis>DDS-4</emphasis> tape drive. Adjust the Media "
"Type and Archive Device to match your hardware."
#: serverguide/C/backups.xml:691(para)
msgid "You could also uncomment one of the other examples in the file."
#: serverguide/C/backups.xml:696(para)
"After editing <filename>/etc/bacula/bacula-sd.conf</filename> the "
"<application>Storage</application> daemon will need to be restarted:"
#: serverguide/C/backups.xml:701(command)
msgid "sudo /etc/init.d/bacula-sd restart"
#: serverguide/C/backups.xml:705(para)
"Now add a <emphasis>Storage</emphasis> resource in "
"<filename>/etc/bacula/bacula-dir.conf</filename> to use the new Device:"
#: serverguide/C/backups.xml:708(programlisting)
"# Definition of \"Tape Drive\" storage device\n"
" Name = TapeDrive\n"
" # Do not use \"localhost\" here \n"
" Address = backupserver # N.B. Use a fully qualified name "
" Password = \"Cv70F6pf1t6pBopT4vQOnigDrR0v3LT3Cgkiyj\"\n"
" Device = \"Tape Drive\"\n"
" Media Type = tape\n"
#: serverguide/C/backups.xml:720(para)
"The <emphasis>Address</emphasis> directive needs to be the Fully Qualified "
"Domain Name (FQDN) of the server. Change <emphasis>backupserver</emphasis> "
"to the actual host name."
#: serverguide/C/backups.xml:724(para)
"Also, make sure the <emphasis>Password</emphasis> directive matches the "
"password string in <filename>/etc/bacula/bacula-sd.conf</filename>."
#: serverguide/C/backups.xml:730(para)
"Create a new <emphasis>FileSet</emphasis>, which will determine what "
"directories to backup, by adding:"
#: serverguide/C/backups.xml:733(programlisting)
"# LocalhostBacup FileSet.\n"
" Name = \"LocalhostFiles\"\n"
" signature = MD5\n"
" compression=GZIP\n"
#: serverguide/C/backups.xml:747(para)
"This <emphasis>FileSet</emphasis> will backup the <filename "
"role=\"directory\">/etc</filename> and <filename "
"role=\"directory\">/home</filename> directories. The "
"<emphasis>Options</emphasis> resource directives configure the FileSet to "
"create a MD5 signature for each file backed up, and to compress the files "
#: serverguide/C/backups.xml:754(para)
msgid "Next, create a new <emphasis>Schedule</emphasis> for the backup job:"
#: serverguide/C/backups.xml:757(programlisting)
"# LocalhostBackup Schedule -- Daily.\n"
" Name = \"LocalhostDaily\"\n"
" Run = Full daily at 00:01\n"
#: serverguide/C/backups.xml:764(para)
"The job will run every day at 00:01 or 12:01 am. There are many other "
"scheduling options available."
#: serverguide/C/backups.xml:769(para)
msgid "Finally create the <emphasis>Job</emphasis>:"
#: serverguide/C/backups.xml:772(programlisting)
"# Localhost backup.\n"
" Name = \"LocalhostBackup\"\n"
" JobDefs = \"DefaultJob\"\n"
" FileSet = \"LocalhostFiles\"\n"
" Schedule = \"LocalhostDaily\"\n"
" Storage = TapeDrive\n"
" Write Bootstrap = \"/var/lib/bacula/LocalhostBackup.bsr\"\n"
#: serverguide/C/backups.xml:785(para)
"The job will do a <emphasis>Full</emphasis> backup every day to the tape "
#: serverguide/C/backups.xml:790(para)
"Each tape used will need to have a <emphasis>Label</emphasis>. If the "
"current tape does not have a label <application>Bacula</application> will "
"send an email letting you know. To label a tape using the "
"<application>Console</application> enter the following from a terminal:"
#: serverguide/C/backups.xml:796(command)
#: serverguide/C/backups.xml:800(para)
msgid "At the Bacula Console prompt enter:"
#: serverguide/C/backups.xml:804(command)
#: serverguide/C/backups.xml:808(para)
"You will then be prompted for the <emphasis>Storage</emphasis> resource:"
#: serverguide/C/backups.xml:818(userinput)
#: serverguide/C/backups.xml:812(computeroutput)
"Automatically selected Catalog: MyCatalog\n"
"Using Catalog \"MyCatalog\"\n"
"The defined Storage resources are:\n"
"Select Storage resource (1-2):<placeholder-1/>\n"
#: serverguide/C/backups.xml:823(para)
msgid "Enter the new <emphasis>Volume</emphasis> name:"
#: serverguide/C/backups.xml:828(userinput)
#: serverguide/C/backups.xml:827(computeroutput)
"Enter new Volume name: <placeholder-1/>\n"
#: serverguide/C/backups.xml:833(para)
msgid "Replace <emphasis>Sunday</emphasis> with the desired label."
#: serverguide/C/backups.xml:838(para)
msgid "Now, select the <emphasis>Pool</emphasis>:"
#: serverguide/C/backups.xml:843(userinput)
#: serverguide/C/backups.xml:842(computeroutput)
"Select the Pool (1-2): <placeholder-1/>\n"
"Connecting to Storage daemon TapeDrive at backupserver:9103 ...\n"
"Sending label command for Volume \"Sunday\" Slot 0 ...\n"
#: serverguide/C/backups.xml:850(para)
"Congratulations, you have now configured <emphasis>Bacula</emphasis> to "
"backup the localhost to an attached tape drive."
#: serverguide/C/backups.xml:858(para)
"For more <emphasis>Bacula</emphasis> configuration options refer to the "
"<ulink url=\"http://www.bacula.org/en/rel-manual/index.html\">Bacula User's "
#: serverguide/C/backups.xml:864(para)
"The <ulink url=\"http://www.bacula.org/\">Bacula Home Page</ulink> contains "
"the latest Bacula news and developments."