UCS 2.4 - Univention
UCS 2.4 - Univention
UCS 2.4 - Univention
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
<strong>Univention</strong> Corporate Server<br />
Manual for users and administrators
Version <strong>2.4</strong>-4<br />
Revision 11656<br />
Date: December 22, 2011<br />
Alle Rechte vorbehalten. / All rights reserved.<br />
(c) 2002 bis 2011<br />
<strong>Univention</strong> GmbH<br />
Mary-Somerville-Straße 1<br />
28359 Bremen<br />
Deutschland<br />
feedback@univention.de<br />
Jede aufgeführte Marke und jedes Warenzeichen steht im Eigentum ihrer jeweiligen eingetragenen Rechtsin-<br />
haber. Linux ist ein eingetragenes Warenzeichen von Linus Torvalds.<br />
The mentioned brand names and registered trademarks are owned by the respective legal owners in each<br />
case. Linux is a registered trademark of Linus Torvalds.
Contents<br />
1 Introduction 11<br />
1.1 What is <strong>Univention</strong> Corporate Server? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11<br />
1.2 <strong>UCS</strong> Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11<br />
1.3 Further documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13<br />
1.4 Symbols and conventions used in this manual . . . . . . . . . . . . . . . . . . . . . . . . . . 14<br />
2 Domain concept 15<br />
2.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15<br />
2.2 <strong>UCS</strong> system roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16<br />
2.2.1 Domain controller master . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16<br />
2.2.2 Domain controller backup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16<br />
2.2.3 Domain controller slave . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17<br />
2.<strong>2.4</strong> Member server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17<br />
2.2.5 Base system . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17<br />
2.2.6 Managed client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17<br />
2.2.7 Mobile client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18<br />
2.2.8 Thin Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18<br />
2.3 System roles in Windows domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18<br />
2.3.1 How are these roles integrated in the <strong>UCS</strong> concept? . . . . . . . . . . . . . . . . . . 18<br />
<strong>2.4</strong> Joining domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19<br />
<strong>2.4</strong>.1 How <strong>UCS</strong> systems join domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19<br />
<strong>2.4</strong>.2 How to join domains with Windows clients . . . . . . . . . . . . . . . . . . . . . . . . 21<br />
<strong>2.4</strong>.3 Rotation of machine account passwords . . . . . . . . . . . . . . . . . . . . . . . . . 23<br />
3 Installation 25<br />
3.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25<br />
3.2 Text-based Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25<br />
3.2.1 Operating the Installer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27<br />
3.2.2 The Procedures of Text-based Installation . . . . . . . . . . . . . . . . . . . . . . . . 27<br />
3.3 Hardware-related Installation problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38<br />
3.3.1 Starting the Installation with additional kernel parameters . . . . . . . . . . . . . . . 38<br />
3.3.2 Additional kernel parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38<br />
3.3.3 Adjusting the automatic hardware detection . . . . . . . . . . . . . . . . . . . . . . . 38<br />
3.4 Installing and Renewing Licences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39<br />
3.5 Subsequent Installation of Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39<br />
4 <strong>Univention</strong> Directory Manager 41<br />
3
Contents<br />
4.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41<br />
4.2 Instructions for Operating the Program . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44<br />
4.2.1 Notes on list fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45<br />
4.2.2 Notes on group membership . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46<br />
4.3 <strong>Univention</strong> Directory Manager Wizards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47<br />
4.3.1 The ”Search” submenu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47<br />
4.3.2 The ”Add” submenu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49<br />
4.4 Navigation in LDAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50<br />
4.4.1 Navigating the directory tree . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50<br />
4.4.2 Displaying and editing objects in the LDAP navigation . . . . . . . . . . . . . . . . . 52<br />
4.5 <strong>Univention</strong> Directory Manager modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53<br />
4.5.1 User administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53<br />
4.5.2 Group management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63<br />
4.5.3 Network administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65<br />
4.5.4 Host management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67<br />
4.5.5 Shares management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75<br />
4.5.6 Samba . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85<br />
4.5.7 Printer management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87<br />
4.5.8 Containers, organisational units, domains . . . . . . . . . . . . . . . . . . . . . . . . 91<br />
4.5.9 DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93<br />
4.5.10 DHCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101<br />
4.5.11 Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108<br />
4.5.12 <strong>Univention</strong> Directory Manager settings . . . . . . . . . . . . . . . . . . . . . . . . . . 129<br />
4.5.13 User-defined attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137<br />
4.5.14 Extended attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141<br />
4.6 Policy-controlled Layouts for the Web Front-End of <strong>Univention</strong> Directory Manager . . . . . . 146<br />
5 <strong>Univention</strong> Management Console 153<br />
4<br />
5.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153<br />
5.2 Layout of the Web Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154<br />
5.2.1 Login Mask . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154<br />
5.2.2 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154<br />
5.3 Standard modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155<br />
5.3.1 System statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156<br />
5.3.2 Kernel modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157<br />
5.3.3 VNC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157<br />
5.3.4 System information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158<br />
5.3.5 <strong>Univention</strong> Configuration Registry . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158<br />
5.3.6 Printer administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159<br />
5.3.7 Process overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159<br />
5.3.8 Filesystem quotas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160<br />
5.3.9 System services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162<br />
5.3.10 Joining a domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163<br />
5.3.11 Package management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
Contents<br />
5.3.12 Reboot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164<br />
5.3.13 Online update . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165<br />
5.4 Wizards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167<br />
5.4.1 Basis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167<br />
5.4.2 Nagios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168<br />
5.4.3 Mail server configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168<br />
6 <strong>Univention</strong> Virtual Machine Manager (UVMM) 169<br />
6.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169<br />
6.1.1 Paravirtualisation / virtIO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169<br />
6.2 Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170<br />
6.3 Managing virtual machines with UVMM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171<br />
6.3.1 Creating a virtual instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171<br />
6.3.2 Modifying virtual machines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173<br />
6.3.3 Migration of virtual machines from failed virtualization servers . . . . . . . . . . . . . 178<br />
7 <strong>UCS</strong> Directory service 181<br />
7.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181<br />
7.2 Logging of LDAP changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181<br />
7.2.1 Installation and setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181<br />
7.2.2 Format of the log file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182<br />
7.3 Timeout for inactive LDAP connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182<br />
7.4 Configuration of LDAP ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183<br />
7.4.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183<br />
7.4.2 Definition of objects for which a rule applies (access to) . . . . . . . . . . . . . . . . 184<br />
7.4.3 Definition of the access permissions on the objects . . . . . . . . . . . . . . . . . . . 184<br />
7.4.4 Definition of the permission on the objects . . . . . . . . . . . . . . . . . . . . . . . . 185<br />
7.4.5 Definition of the handling of further rules with applied rules . . . . . . . . . . . . . . 185<br />
7.4.6 Delegation of the privilege to reset user passwords . . . . . . . . . . . . . . . . . . . 186<br />
8 Services for Windows 187<br />
8.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187<br />
8.2 <strong>Univention</strong> Corporate Server and Samba . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187<br />
8.2.1 Authentication Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188<br />
8.2.2 File server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188<br />
8.2.3 Print server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189<br />
8.<strong>2.4</strong> NetBIOS Network Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189<br />
8.3 Building Samba domains with <strong>UCS</strong> . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189<br />
8.4 Extended Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190<br />
8.4.1 Trust relationships . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190<br />
8.4.2 WINS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195<br />
8.4.3 NETLOGON share . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196<br />
8.4.4 Creating objects in the LDAP directory using Samba . . . . . . . . . . . . . . . . . . 197<br />
8.4.5 Configuring Windows user accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . 197<br />
8.4.6 Configuring Samba servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200<br />
5
Contents<br />
9 Desktop systems 203<br />
9.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203<br />
9.2 Desktop system roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204<br />
9.2.1 Thin clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204<br />
9.2.2 Managed clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204<br />
9.2.3 Mobile clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205<br />
9.3 Managing desktop systems with <strong>Univention</strong> Directory Manager . . . . . . . . . . . . . . . . 205<br />
9.3.1 Graphical user interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205<br />
9.3.2 Connection to server systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205<br />
9.3.3 Autostart scripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206<br />
9.3.4 NX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207<br />
9.4 VNC desktop sharing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207<br />
9.4.1 Configuring VNC access for thin clients . . . . . . . . . . . . . . . . . . . . . . . . . 208<br />
9.4.2 Configuring VNC access for managed/mobile clients . . . . . . . . . . . . . . . . . . 208<br />
9.5 Thin client environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208<br />
9.5.1 Support for booting from Compact Flash cards or USB sticks . . . . . . . . . . . . . 210<br />
9.5.2 Thin client components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211<br />
9.6 Home directories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215<br />
9.6.1 Creation of new home directories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215<br />
9.6.2 Modifying the default content of home directories . . . . . . . . . . . . . . . . . . . . 215<br />
9.6.3 Setting environment variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216<br />
9.7 Global home directories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216<br />
9.7.1 Creating and modifying global home directories . . . . . . . . . . . . . . . . . . . . . 217<br />
10 Basic System Services 221<br />
6<br />
10.1 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222<br />
10.2 Server Homepage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222<br />
10.3 Packet filter with <strong>Univention</strong> Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223<br />
10.3.1 Service definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223<br />
10.3.2 Service profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223<br />
10.3.3 Local filter rules by <strong>Univention</strong> Configuration Registry . . . . . . . . . . . . . . . . . 224<br />
10.3.4 Local filter rules via iptables commands . . . . . . . . . . . . . . . . . . . . . . . . . 224<br />
10.3.5 Testing <strong>Univention</strong> Firewall settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225<br />
10.4 Authentication / PAM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225<br />
10.4.1 Automatic lockout of users after failed login attempts . . . . . . . . . . . . . . . . . . 227<br />
10.5 Network configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228<br />
10.5.1 Network interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228<br />
10.5.2 DNS servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228<br />
10.5.3 Proxy configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228<br />
10.6 Logging of system messages and system status . . . . . . . . . . . . . . . . . . . . . . . . 229<br />
10.6.1 Log files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229<br />
10.6.2 Logging the system status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229<br />
10.7 Kernel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230<br />
10.7.1 Available kernel variants . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230
Contents<br />
10.7.2 Hardware drivers / kernel modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230<br />
10.8 GRUB boot manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231<br />
10.9 Executing recurring actions with Cron . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232<br />
10.9.1 Hourly/daily/weekly/monthly execution of scripts . . . . . . . . . . . . . . . . . . . . 232<br />
10.9.2 Defining local cron jobs in /etc/cron.d . . . . . . . . . . . . . . . . . . . . . . . . . . 232<br />
10.9.3 Defining cron jobs in <strong>Univention</strong> Configuration Registry . . . . . . . . . . . . . . . . 233<br />
10.10Kerberos . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233<br />
10.11Name resolution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233<br />
10.11.1Name Service Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233<br />
10.11.2LDAP NSS module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234<br />
10.11.3Nameserver cache daemon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234<br />
10.11.4Configuration of /etc/hosts in <strong>Univention</strong> Configuration Registry . . . . . . . . . . . . 235<br />
10.12SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235<br />
10.13Time synchronisation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236<br />
11 Software maintenance 237<br />
11.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237<br />
11.2 <strong>UCS</strong> updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238<br />
11.2.1 <strong>UCS</strong> security updates and hotfixes . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238<br />
11.2.2 <strong>UCS</strong> release updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239<br />
11.3 Package maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240<br />
11.3.1 Assigning repository servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241<br />
11.3.2 Updating packages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241<br />
11.3.3 Adding component repositories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242<br />
11.3.4 Managing package lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243<br />
11.3.5 Release updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245<br />
11.3.6 Manual package maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246<br />
11.4 Software monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247<br />
11.5 Repository management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248<br />
11.5.1 Creating a repository . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249<br />
11.5.2 Adding packages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249<br />
11.5.3 Removing packages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250<br />
11.5.4 Merging repositories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250<br />
11.5.5 Repository synchronisation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251<br />
12 Mail 255<br />
12.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255<br />
12.2 Basic mail services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256<br />
12.3 Setting up the mail server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256<br />
12.3.1 SMTP server (Postfix) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256<br />
12.3.2 IMAP/POP3 server (Cyrus) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258<br />
12.3.3 Mail quota . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259<br />
12.3.4 Log files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260<br />
1<strong>2.4</strong> Spam filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260<br />
7
Contents<br />
12.5 Virus filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261<br />
12.6 Configuring mail clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262<br />
12.6.1 Kontact . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262<br />
12.6.2 Outlook Express . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264<br />
13 Print services 265<br />
13.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265<br />
13.2 Installing print servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266<br />
13.2.1 Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266<br />
13.2.2 Server systems as print servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266<br />
13.2.3 Windows systems as print servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267<br />
13.<strong>2.4</strong> Thin clients as print servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267<br />
13.2.5 Managed/mobile clients as print servers . . . . . . . . . . . . . . . . . . . . . . . . . 267<br />
13.2.6 Policy-based assignment of a print server . . . . . . . . . . . . . . . . . . . . . . . . 268<br />
13.3 Configuring printer shares . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268<br />
13.3.1 Configuring a locally connected printer . . . . . . . . . . . . . . . . . . . . . . . . . . 268<br />
13.3.2 Setting up network printers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269<br />
13.3.3 Setting up PDF printers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269<br />
13.3.4 Setting up printer groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269<br />
13.4 Adding printer shares in Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270<br />
13.5 Print quota . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271<br />
13.5.1 Activating the print quotas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272<br />
13.5.2 Creating a print quota policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272<br />
13.5.3 Analysing the print quotas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273<br />
13.5.4 Modifying the print quotas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274<br />
13.6 <strong>Univention</strong> Configuration Registry variables . . . . . . . . . . . . . . . . . . . . . . . . . . . 276<br />
13.6.1 Settings for print clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276<br />
13.6.2 Settings for the authentication on printer shares . . . . . . . . . . . . . . . . . . . . . 276<br />
13.6.3 Settings for printer shares . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276<br />
13.6.4 Settings for print quotas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276<br />
14 <strong>Univention</strong> Configuration Registry 277<br />
8<br />
14.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277<br />
14.2 Displaying current settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278<br />
14.3 Using variables in shell scripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279<br />
14.4 Changing <strong>Univention</strong> Configuration Registry variables . . . . . . . . . . . . . . . . . . . . . 280<br />
14.5 Creating new <strong>Univention</strong> Configuration Registry variables . . . . . . . . . . . . . . . . . . . 281<br />
14.6 Deleting <strong>Univention</strong> Configuration Registry variables . . . . . . . . . . . . . . . . . . . . . . 281<br />
14.7 Registering <strong>Univention</strong> Configuration Registry variables . . . . . . . . . . . . . . . . . . . . 281<br />
14.8 Regeneration of configuration files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283<br />
14.9 Policy-based configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283<br />
14.9.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283<br />
14.9.2 Configuring the policy in <strong>Univention</strong> Directory Manager . . . . . . . . . . . . . . . . 284<br />
14.10<strong>Univention</strong> Configuration Registry in manually created packages . . . . . . . . . . . . . . . 284
Contents<br />
14.11Including additional configuration files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286<br />
14.12Integrating Python code . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286<br />
15 <strong>Univention</strong> System Setup 289<br />
15.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289<br />
15.2 <strong>Univention</strong> System Setup modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290<br />
15.2.1 Basic settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290<br />
15.2.2 Keyboard settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291<br />
15.2.3 Language settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292<br />
15.<strong>2.4</strong> Network settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294<br />
15.2.5 Software components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296<br />
15.2.6 Time zone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297<br />
15.3 <strong>Univention</strong> System Setup event registration . . . . . . . . . . . . . . . . . . . . . . . . . . . 297<br />
15.4 Configuration for executing at system start . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298<br />
15.5 Changing machine passwords/SSL certificates during system start . . . . . . . . . . . . . . 299<br />
16 Frequently asked questions 301<br />
16.1 How do I replace the DC master with a DC backup? . . . . . . . . . . . . . . . . . . . . . . 301<br />
16.2 How can I install Microsoft TrueType fonts subsequently? . . . . . . . . . . . . . . . . . . . 302<br />
16.3 How does a user change his password? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303<br />
16.3.1 On a Linux workstation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303<br />
16.3.2 On a Windows workstation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303<br />
16.3.3 When logging on . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303<br />
16.3.4 Via <strong>Univention</strong> Directory Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303<br />
16.4 How is the password for root changed? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303<br />
16.5 What criteria must a password satisfy? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304<br />
16.6 Individual websites cannot be accessed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304<br />
16.7 Thin clients experience log-in problems in a domain spread over several locations . . . . . 305<br />
16.8 How do I change the <strong>Univention</strong> Directory Manager timeout? . . . . . . . . . . . . . . . . . 305<br />
16.9 Why are NFS shares not mounted during boot-up? . . . . . . . . . . . . . . . . . . . . . . . 305<br />
16.10What does ”No DB server name found.” mean? . . . . . . . . . . . . . . . . . . . . . . . . . 306<br />
16.11Computer name and network settings in Windows XP Prof. . . . . . . . . . . . . . . . . . . 306<br />
16.12Avoiding double log-ins on Windows terminal servers . . . . . . . . . . . . . . . . . . . . . . 307<br />
Further documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309<br />
9
Contents<br />
10
1 Introduction<br />
Contents<br />
1.1 What is <strong>Univention</strong> Corporate Server? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11<br />
1.2 <strong>UCS</strong> Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11<br />
1.3 Further documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13<br />
1.4 Symbols and conventions used in this manual . . . . . . . . . . . . . . . . . . . . . . . . . . 14<br />
1.1 What is <strong>Univention</strong> Corporate Server?<br />
<strong>Univention</strong> Corporate Server (<strong>UCS</strong>) is a Linux-based operating system realising an overall concept with<br />
central administration from the server right through to the client. In doing so, it makes copious use of a<br />
comprehensive domain concept.<br />
<strong>UCS</strong> consists of three main elements<br />
1. <strong>UCS</strong> base system<br />
2. <strong>Univention</strong> Management System<br />
3. <strong>UCS</strong> components<br />
The base system consists of the operating system (The <strong>UCS</strong> Linux distribution based on Debian GNU/Linux)<br />
and tools for the installation, updates and for local configuration management of clients and servers.<br />
The <strong>Univention</strong> Management System realises a single point of administration where the accounts of all<br />
domain members (users, groups, and hosts) and services like DHCP and DNS are managed in a single<br />
directory service. For this purpose, the system makes use of the standard components OpenLDAP, Ker-<br />
beros, DNS, and SSL. It can be used via a web-based or a command-line-based interface. It is extendable<br />
and provides a flexible client-server architecture which allows changes to be transferred to the involved<br />
systems and be activated there.<br />
<strong>UCS</strong> components extend the system with functions such as the thin client infrastructure, terminal ser-<br />
vices, groupware or services for Windows, which all integrate in the <strong>Univention</strong> Management System.<br />
<strong>UCS</strong> allows not only simple, comfortable management of individual services, but also the administration<br />
of complex permission schemes of large organisations on multiple sites with many servers and clients and<br />
tens of thousands of users. It’s modular design provides many interfaces for extension and modification.<br />
1.2 <strong>UCS</strong> Overview<br />
As an operating system designed for multi-user and multi-tasking application right from the start, where<br />
the focus was always on stability, safety, and compatibility to other operating systems, Linux is predestined<br />
11
1 Introduction<br />
for being used in complex environments. In general opinion, however, the management of Linux systems<br />
used to be regarded as being difficult and far from comfortable. This is the point where <strong>UCS</strong> comes into<br />
play.<br />
<strong>UCS</strong> allows Linux to be deployed as a central and economic component within your IT infrastructure. All<br />
the business-critical applications are integrated in a uniform concept, adapted to each other, and pre-<br />
configured for professional utilisation. <strong>UCS</strong> is equally suitable for small organisations with few servers and<br />
clients, as for complex, heterogeneous environments where several tens of thousands of users work at<br />
computers with a variety of different operating systems and tasks.<br />
The deployment of <strong>UCS</strong> starts with the easy installation, which can be run interactively on profile-based<br />
from a DVD or via the network. During the installation, a system role is assigned to the host. As with Win-<br />
dows, all <strong>UCS</strong> hosts are controlled within a common security and trust context - the <strong>UCS</strong> domain. Available<br />
system roles are domain controllers, member servers and client. Additionally, stand alone servers can be<br />
integrated into the domain.<br />
Depending on the role the computer is to play within the domain such services as Kerberos, OpenLDAP,<br />
modules for a notification mechanism, or a Root CA (certification centre) are installed on the computer<br />
and are automatically configured for the selected role within the system. Thus manual implementation<br />
and configuration of every single service and application are not required. Due to the modular design,<br />
tailor-made solutions to individual requirements can nevertheless be realised.<br />
By selecting additional components during installation, the feature set of a host can be expanded. Due<br />
to its modular design, <strong>UCS</strong> scales well and can easily be adapted to local needs. The components<br />
are preconfigured according to the <strong>UCS</strong> design concept and integrate seamlessly into the <strong>Univention</strong><br />
Management System.<br />
With <strong>Univention</strong> Management System all elements of the <strong>UCS</strong> domain can be centrally organised across<br />
system, OS and site boundaries. As such, it provides a single point of administration. A key factor of<br />
the <strong>Univention</strong> Management System is the LDAP directory, which contains all data relevant for central<br />
administration. Apart from user accounts and related information it also contains information of services<br />
such as the DHCP service. Central data storage avoid multiple configuration of system and reduces the<br />
possibility of errors and inconsistencies considerably.<br />
A LDAP directory is a tree-based structure, whose root node provides the base entry of the <strong>UCS</strong> domain.<br />
The <strong>UCS</strong> domain provides the security and trust context for it’s users. A user is a member of the domain if<br />
he has an account in the LDAP directory, hosts perform a domain join. Windows users and hosts can join<br />
the domain as well.<br />
When logging into the domain, the user is authenticated against the LDAP directory, and receives a Ker-<br />
beros ticket. He can then access all the shared resources of the domain, such as files, applications and<br />
computers, according to his rights, without having to enter his username and password again, since his<br />
Kerberos ticket handles his internal authentication (The implementation of this single-sign-on is still pend-<br />
ing for some of the services).<br />
<strong>UCS</strong> uses OpenLDAP for the directory service. It is being provided on the domain controller master and<br />
replicated to all domain controllers of the domain. Since it is being designed to replace the DC master in<br />
case of a hardware failure, the full LDAP directory is replicated to the DC backup. The replication to DC<br />
slaves can also be limited to some parts of the directory through access control lists (ACLs), which allows<br />
12
1.3 Further documentation<br />
selective LDAP replication. This can be needed if data is only to be stored on some systems for security<br />
reasons. To encrypt LDAP commucation and further services, <strong>UCS</strong> also integrates a root CA (certificate<br />
authority).<br />
Access to the LDAP directory is achieved via the program <strong>Univention</strong> Directory Manager which provides<br />
a web front-end and a command line interface. The latter is particularly useful for performing administra-<br />
tive tasks via scripts. The web front-end is a graphic interface with intuitive user guidance. In principle,<br />
<strong>Univention</strong> Directory Manager allows the user to access the LDAP directory from any location.<br />
<strong>Univention</strong> Directory Manager makes it possible to enter data into the LDAP directory, to view these data, to<br />
edit and delete them. Searching for data is also possible with a wide range of filter criteria. The web front-<br />
end provides wizards for managing Benutzern, Gruppen, Netzwerken, Rechnern, Verzeichnisfreigaben<br />
und Druckern The administration of computers also comprises comprehensive functions for distributing<br />
and updating software.<br />
Advanced setttings like DHCP, DNS, policies and the settings for <strong>Univention</strong> Directory Manager itself are<br />
available through the navigation. It also allows easy definition of custom attributes.<br />
Policies simplify administration since a policy transfers its settings to all the linked objects. These objects<br />
in turn pass the settings on to subordinated objects.<br />
If, for example, the company uses computers with the same type of screen in different locations within the<br />
enterprise, then the graphics settings have to be outlined just once in a policy and linked to the relevant<br />
computers to be valid. If the settings are to be valid for all the computers of a node of the LDAP directory,<br />
then the policy is linked to the relevant node. The inheritance mechanism makes sure that the policy will<br />
be valid for all the subordinated computers.<br />
A major element of the <strong>Univention</strong> Management System is the listener/notifier system. It triggers events<br />
on arbitrary hosts based on modifications in the LDAP directory. If, for example, a directory is configured<br />
in <strong>Univention</strong> Directory Manager to be shared through NFS and Samba, the share is not only added to the<br />
LDAP directory, but also integrated into the configuration files for Samba and NFS on the target host. Ad-<br />
ditionally the directory to be shared is created if it doesn’t exist yet. As such, the <strong>Univention</strong> Management<br />
System ensures that the necessary steps are taken even on remote hosts. The listener/notifier system<br />
can easily be expanded for site-specific needs.<br />
Apart from <strong>Univention</strong> Directory Manager as a means to access the LDAP directory containing the domain<br />
data, <strong>Univention</strong> Management Console is available as a program which allows web-based configuration<br />
and administration of individual computers. This program allows, among other things, to set parameters<br />
which are then automatically passed on to all relevant configuration files, local software administration,<br />
and for monitoring and controlling the services and the operating system. Thus, <strong>Univention</strong> Management<br />
System makes it possible to manage domain data as well as local computer data from any location via<br />
comfortable graphic, web-based interfaces.<br />
1.3 Further documentation<br />
This manual addresses just a small selection of the possibilities in <strong>UCS</strong>. Among other things, <strong>UCS</strong> con-<br />
tains:<br />
13
1 Introduction<br />
• Comprehensive support for complex server environments and replication scenarios<br />
• Advanced capabilities for Windows environments (e. g. automatic Windows client installation)<br />
• Central network management with DNS and DHCP<br />
• Monitoring systems and networks with Nagios<br />
• Print server functionalities<br />
• Thin Client support<br />
• Fax service<br />
• Proxy server<br />
• Virtualisation with Xen<br />
• Integrated backup functions<br />
• Linux desktop for business operations<br />
Further documentation related to <strong>UCS</strong> and further issues is published under [1].<br />
1.4 Symbols and conventions used in this manual<br />
The manual uses the following symbols:<br />
Attention:<br />
This symbol points to an issue which should be noted in the present context.<br />
Info box ’Conventions’<br />
Attention:<br />
The info symbol points out info boxes summarising information on a certain topic.<br />
Menu entries, button labels, and similar details are printed in bold lettering. In addition, [button labels]<br />
are represented in square brackets.<br />
Notes are in italics.<br />
Computer names, LDAP DNs, program names, file names, file paths, internet addresses, and op-<br />
tions are also optically accented.<br />
Commands and other keyboard input is printed in the Courier font.<br />
In addition, excerpts from configuration files, screen output, etc are<br />
printed on a grey background.<br />
A backslash \ at the end of a line signifies that the subsequent line feed is not to be understood as an end<br />
of line. This circumstance may occur, for example, where commands cannot be represented in one line<br />
in the manual, yet have to be entered in the command line in one piece without the backslash or with the<br />
backslash and a subsequent Enter.<br />
The path to a function is represented in a similar way to a file path. Users ➞ Add means for example, you<br />
have to click Users in the main menu and Add in the submenu.<br />
14
2 Domain concept<br />
Contents<br />
2.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15<br />
2.2 <strong>UCS</strong> system roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16<br />
2.2.1 Domain controller master . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16<br />
2.2.2 Domain controller backup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16<br />
2.2.3 Domain controller slave . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17<br />
2.<strong>2.4</strong> Member server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17<br />
2.2.5 Base system . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17<br />
2.2.6 Managed client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17<br />
2.2.7 Mobile client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18<br />
2.2.8 Thin Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18<br />
2.3 System roles in Windows domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18<br />
2.3.1 How are these roles integrated in the <strong>UCS</strong> concept? . . . . . . . . . . . . . . . . . . 18<br />
<strong>2.4</strong> Joining domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19<br />
2.1 Introduction<br />
<strong>2.4</strong>.1 How <strong>UCS</strong> systems join domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19<br />
<strong>2.4</strong>.2 How to join domains with Windows clients . . . . . . . . . . . . . . . . . . . . . . . . 21<br />
<strong>2.4</strong>.3 Rotation of machine account passwords . . . . . . . . . . . . . . . . . . . . . . . . . 23<br />
<strong>Univention</strong> Corporate Server offers a cross platform domain concept with a common trust context between<br />
Linux and/or Windows systems. Within this domain a user is known to all systems via his username and<br />
password stored in the <strong>Univention</strong> Management System and can use all services which are authorised for<br />
him.<br />
Replication of the directory data within a <strong>UCS</strong> domain occurs via the <strong>Univention</strong> Directory Listener/Notifier<br />
mechanism: On the master domain controller the notifier service monitors changes in the LDAP directory<br />
and makes the selected changes available transaction-based to the listener services on the other domain<br />
systems with a copy of the LDAP. Alongside replication of the LDAP contents, the dissemination of the<br />
domain-wide file changes also includes transfer of the changes to LDAP contents in configuration files of<br />
non-LDAP-compatible services (e.g., NFS). The following diagram offers an overview; for more detailed<br />
documentation of the technical processes and the possibilities of the error analysis, please refer to the [2]<br />
technical document.<br />
15
2 Domain concept<br />
2.2 <strong>UCS</strong> system roles<br />
Figure 2.1: Listener/Notifier mechanism<br />
In a <strong>UCS</strong> domain systems can be installed in different system roles. The following gives a short charac-<br />
terisation of the different systems:<br />
2.2.1 Domain controller master<br />
The domain controller master (DC master for short) contains the original dataset for the entire LDAP<br />
directory. Changes to the LDAP directory are only performed on this server. For this reason, this must be<br />
the first system to be commissioned and there can only be one of them within a domain. In addition, the<br />
Root Certification Authority (root CA) is also on the DC master. All SSL certificates created are archived<br />
on the DC master.<br />
2.2.2 Domain controller backup<br />
Servers with the role of domain controller backup (DC backup for short) contain a replicated copy of the<br />
entire LDAP directory, which cannot be changed as all write accesses occur exclusively on the DC master.<br />
A copy of all SSL certificates including the private key of the root CA is kept on the DC backup.<br />
The root CA is created on the DC master during installation. The root CA directory<br />
/etc/univention/ssl is transferred when the DC backup joins the domain and then maintained syn-<br />
chronised. The computer account is accepted into a special group for this (DC backup hosts). Only this<br />
group can read the complete data of the root CA directory. The information on the DC master is also avail-<br />
able at many other places in the domain. This allows the load to be distributed between the DC master<br />
and one or more DC backups and means that the domain can still operate via the other servers if one<br />
server collapses.<br />
16
2.2 <strong>UCS</strong> system roles<br />
The DC backup is as such a backup copy of the DC master. If the DC master should collapse completely,<br />
running the univention-backup2master command allows the DC backup can take over the role of<br />
the DC master permanently in a very short time. This is only necessary if changes are to be made to the<br />
LDAP directory or new certificates are to be given, as these tasks can only be fulfilled by a DC master.<br />
2.2.3 Domain controller slave<br />
Each domain controller slave (DC slave for short) contains a replicated copy of the entire LDAP directory,<br />
which cannot be changed as all write accesses occur on the DC master. The copy can either contain the<br />
entire directory or be limited to the files required by a location through selective replication.<br />
The DC slave only stores a copy of its own and the public SSL certificate of the root CA.<br />
A DC slave system cannot be promoted to a DC master.<br />
2.<strong>2.4</strong> Member server<br />
Member servers are members of a LDAP domain and offer services such as file storage for the domain.<br />
Member servers do not contain a copy of the LDAP directory.<br />
It only stores a copy of its own and the public SSL certificate of the root CA.<br />
2.2.5 Base system<br />
A base system is an independent system. It is not a member of a domain and does not maintain trust<br />
relationships with other servers or domains.<br />
A base system is thus suitable for services which are operated outside of the trust context of the domain,<br />
such as a web server or a firewall.<br />
The services of a base system cannot be configured over the <strong>UCS</strong> management system. However, it is<br />
possible to configure DNS and DHCP settings for base systems via the <strong>Univention</strong> Management System<br />
as long as the base system is entered as an IP managed client in the directory service. (See Chapter<br />
4.5.4).<br />
2.2.6 Managed client<br />
A managed client is a PC with a Linux desktop which is a member of the <strong>UCS</strong> domain. As standard it saves<br />
the passwords of the last three different users temporarily so that these three users can log in without the<br />
need for a network connection to a domain controller. Applications are run locally on the client. These two<br />
factors render it largely independent of server systems.<br />
17
2 Domain concept<br />
2.2.7 Mobile client<br />
A mobile client offers a Linux desktop like a managed client, includes the last three passwords in its<br />
cache and is a member of the <strong>UCS</strong> domain. However, it also offers the possibility of maintaining software<br />
specially suited to notebook hardware.<br />
2.2.8 Thin Client<br />
A thin client is a diskless computer which is booted over the network and displays applications run on a<br />
terminal server (Linux or Windows).<br />
There is also no operating system installed on the thin client, which means that it requires very little<br />
maintenance.<br />
2.3 System roles in Windows domains<br />
In a Windows NT domain, which can be provided by <strong>UCS</strong> using the Samba software, there must always be<br />
a primary domain controller (PDC). There can also be backup domain controllers (BDC), member servers<br />
and clients. The PDC provides the password database. BDCs retrieve a copy of the password database<br />
from the PDC so that they can take some of the load off the PDC or take over its role in the case of a<br />
collapse. The copies must not, however, be changed directly. Changes are usually always performed on<br />
the originals on the PDC and then replicated on the BDCs. In a Windows NT domain there can only be<br />
one original password database. There can thus only be one PDC. A member server offers services such<br />
as file storage. In contrast to the PDC and BDCs, it does not have a password database.<br />
2.3.1 How are these roles integrated in the <strong>UCS</strong> concept?<br />
The LDAP directory is used in <strong>UCS</strong> as a password database and for further administrative tasks in the<br />
Windows domain. As the LDAP directory in which the changes should be made is usually provided by<br />
the DC master, it also usually accepts the role of the PDC. BDC are usually found on the DC backup or<br />
DC slave. Any deviations from this pattern are usually implemented with a LDAP referral, with the help of<br />
which the PDC can make changes in the LDAP directory on the DC master. Replication is not possible<br />
between Windows NT-based domain controllers and <strong>UCS</strong>-based ones. For this reason, the PDC and all<br />
BDCs in a <strong>UCS</strong>-based Windows domain need to be <strong>UCS</strong>-based, whilst member servers can be operated<br />
with both <strong>UCS</strong> and Windows. The PDC and BDCS identify themselves as such to the Windows client<br />
so that Windows client can execute operations on the PDC where the user database is changed (e.g.,<br />
changing a user password). The replication of the password database is performed by the replication of<br />
the LDAP directory. The replication is automatically set up using the system role which you specify during<br />
the installation of a computer. Manual configuration is then not necessary if you add a further server to<br />
the domain at a later point in time. Servers and clients on which a Microsoft Windows operating system is<br />
installed locally are administrated as Windows computers in the LDAP directory.<br />
18
<strong>2.4</strong> Joining domains<br />
<strong>2.4</strong> Joining domains<br />
All users, Linux and Windows systems within a <strong>UCS</strong> domain have a domain account. This allows system-<br />
to-system or user-to-system authentication. The management system keeps the account synchronised for<br />
the windows log-in, Linux/Posix systems and Kerberos.<br />
A <strong>UCS</strong> or Windows system must join the domain after installation. The following describes the different<br />
possibilities to do this:<br />
<strong>2.4</strong>.1 How <strong>UCS</strong> systems join domains<br />
There are three possibilities for a <strong>UCS</strong> system to join an existing domain; directly after installation in the<br />
<strong>Univention</strong> Installer (see Chapter 13) or subsequently using the command univention-join or using<br />
the <strong>Univention</strong> Management Console.<br />
The domain controller master should always be installed at the most up-to-date release stand of the do-<br />
mains, as problems can arise with an outdated domain control master when a system using the current<br />
version joins.<br />
When a computer joins, a computer account is created, the SSL certificates are synchronised and an<br />
LDAP copy is initiated if necessary. The join scripts are also run at the end of the join process. These<br />
register further objects, etc., in the directory service using the software packages installed on the system.<br />
The joining of the domain is registered on the client side in the /var/log/univention/join.log log<br />
file, which can be used for reference in error analysis. Actions run on the domain controller master are<br />
stored in the /home//.univention-server-join.log log file.<br />
The joining process can be repeated at any time. Systems may even be required to rejoin following certain<br />
administrative steps (such as changes to important system features on the domain controller master).<br />
<strong>2.4</strong>.1.1 Joining domains with univention-join<br />
univention-join retrieves a number of essential parameters interactively; however, it can also be<br />
configured using a number of parameters:<br />
• The domain controller master is usually detected via a DNS request. If that is not possible (e.g., a<br />
DC slave server with a different DNS domain is set to join), the computer name of the DC master<br />
can also be entered directly using the -dcname HOSTNAME parameter. The computer name must<br />
then be entered as a fully qualified name, e.g., master.company.com.<br />
The DNS reference can also be set up on an existing external DNS server at a later date. To do this,<br />
a service record with the name _domaincontroller_master._tcp.<br />
must be added to the zone file. The fully qualified domain name (FQDN) of the DC master with a full<br />
stop at the end should be entered as the computer name.<br />
• A user account which is authorised to add systems to the <strong>UCS</strong> domains is called a join account. By<br />
default, this is the Administrator user or a member of the Domain Admins group. The join account<br />
can be assigned using the -dcaccount ACCOUNTNAME parameter.<br />
19
2 Domain concept<br />
• The password can be set using the -dcpwd FILE parameter. The password is then read out of the<br />
specified file.<br />
<strong>2.4</strong>.1.2 Joining domains with <strong>Univention</strong> Management Console<br />
A domain can also be joined over the web via the <strong>Univention</strong> Management Console, which can be called<br />
up under https:///univention-management-console/ on the joining computer. As<br />
the domain-wide administrator user does not yet exist on a system which has yet to join the domain, the<br />
log-in to <strong>Univention</strong> Management Console is done as the root user.<br />
The button of the same name must be selected in the Domain join module of the <strong>Univention</strong> Management<br />
Console. The username and password of a user authorised to add computers to a domain must now be<br />
entered in the resulting dialogue.<br />
As for the domain joining procedure via the command line, a DNS service record on the DC master is also<br />
required for the <strong>Univention</strong> Management Console. There is no possibility here of entering the FQDN of the<br />
DC master explicitly.<br />
Clicking on the [Repeat domain join] button restarts the joining procedure (see Figure 2.2). The informa-<br />
tion released in the process can be monitored via Log files.<br />
Figure 2.2: Repeated join through <strong>Univention</strong> Management Console<br />
Additional services which are yet to be initialised are shown on the Status of domain join tab. Selecting<br />
[Repeat] allows this to be made up for each individual service. The username and password of the user<br />
authorised to add computers to a domain must also be entered here.<br />
<strong>2.4</strong>.1.3 Subsequent running of join scripts<br />
The univention-run-join-scripts command is used to run all of the join scripts installed on a<br />
system. The scripts check automatically whether they have already been initiated.<br />
The name of the join script, the issue of the script and the exitcode are also recorded in<br />
/var/log/univention/join.log.<br />
If univention-run-join-scripts is run on another system role as a domain controller master or<br />
domain controller backup, the user will be asked to input a username and password.<br />
20
<strong>2.4</strong>.2 How to join domains with Windows clients<br />
<strong>2.4</strong> Joining domains<br />
The procedure for joining a Windows system to a <strong>UCS</strong> domain made available via Samba is now described<br />
for Windows 7, Windows Vista, Windows XP Professional, Windows 2000 Server and Windows NT 4.0<br />
Workstation. The process is similar for other Windows versions. For Windows 95/98/Me/XP Home Edition<br />
only the authentication against a domain is possible; not the joining into a domain.<br />
A Samba account can be created automatically for a computer in the LDAP directory when joining the do-<br />
main - i.e., a Windows-type computer object - which only contains the computer name and the predefined,<br />
primary group. The <strong>Univention</strong> Configuration Registry variable samba/defaultcontainer/computer<br />
can be used to specify a container in which the computer is stored (the predefined value is<br />
cn=computers,). If the computer object should be saved at another place in the LDAP direc-<br />
tory, the Windows computer must be entered with <strong>Univention</strong> Directory Manager before the domain joining<br />
(see also Chapter 8.4.4). Information concerning MAC and IP addresses, the network, DHCP or DNS can<br />
be expanded on prior to or after joining the domain with <strong>Univention</strong> Directory Manager.<br />
Then, following local log-in as an administrator, the instructions of the Windows version used should be<br />
followed (see below).<br />
Attention:<br />
If the computer name is changed via Hostname, the computer must be restarted before the domain join<br />
can go ahead. The computer name must match that entered via <strong>Univention</strong> Directory Manager in the<br />
LDAP directory.<br />
Joining the domain takes some time and the process must not be cancelled prematurely. After successful<br />
joining a small window appears with the message Welcome to the domain . This should<br />
be confirmed with [OK]. The computer must then be restarted for the changes to take effect.<br />
Domain names must be limited to 15 characters as they are otherwise truncated at the Windows client and<br />
this can lead to log-in errors.<br />
<strong>2.4</strong>.2.1 Windows 7<br />
The joining of domains is only possible with the Professional, Enterprise or Ultimate editions of Windows<br />
7.<br />
When using Windows 7 certain settings must be made in the Windows registry before joining the domain.<br />
A corresponding REG file can be downloaded from http://sdb.univention.de/1102. The system<br />
must then be restarted.<br />
The basic configuration dialogue is found under Start ➞ Control Panel ➞ System and Security ➞ See<br />
the name of this computer . Change settings must be selected and Change clicked under Computer<br />
name, domain, and workgroup settings.<br />
The Domain option field must be ticked and the name of the Samba domain entered in the input field for<br />
the domain join. After clicking on the [OK] button, the Administrator must be entered in the input field<br />
Name and the password from uid=Administrator,cn=users, transferred to the Password<br />
input field. The process for joining the domain can then be started by clicking on [OK].<br />
21
2 Domain concept<br />
<strong>2.4</strong>.2.2 Windows Vista<br />
The joining of domains is only possible with the Professional, Enterprise or Ultimate editions of Windows<br />
Vista.<br />
The basic configuration dialogue is found under Start ➞ Settings ➞ Control Panel ➞ System Change<br />
settings must be selected, the subsequent security request confirmed and Change clicked under Com-<br />
puter name, domain, and workgroup settings.<br />
The Domain option field must be ticked and the name of the Samba domain entered in the input field for<br />
the domain join. After clicking on the [OK] button, the Administrator must be entered in the input field<br />
Name and the password from uid=Administrator,cn=users, transferred to the Password<br />
input field. The process for joining the domain can then be started by clicking on [OK].<br />
<strong>2.4</strong>.2.3 Windows XP Professional<br />
The dialogue for joining domains can be reached by right clicking on the Desktop entry in the start menu.<br />
Properties ➞ Computer name ➞ Modify must be selected there.<br />
The Domain option field must be ticked and the name of the Samba domain entered in the input field for<br />
joining the domain. After clicking on the [OK] button, Administrator must be entered in the input field<br />
Name and the password from uid=Administrator,cn=users, transferred to the Password<br />
input field. The process for joining the domain can then be started by clicking on [OK].<br />
<strong>2.4</strong>.<strong>2.4</strong> Windows 2000 Server<br />
The domain join can be initiated under Properties ➞ Network identification ➞ Properties in the menu<br />
shown when you right click on the Desktop icon<br />
The Domain option field must be ticked and the name of the Samba domain entered in the input field. After<br />
clicking on the [OK] button, the Administrator must be entered in the input field Name and the password<br />
from uid=Administrator,cn=users, transferred to the Password input field. By default this is<br />
the same as the password of the local user root on the DC master. The process for joining the domain<br />
can then be started by clicking on [OK].<br />
<strong>2.4</strong>.2.5 Windows NT 4.0 Workstation<br />
An input mask is reached via Start ➞ Settings ➞ System control ➞ Network ➞ Identification ➞ Modify<br />
in which the Domain must be ticked and the name of the Samba domain must be entered in the input field.<br />
If the computer was already entered in the LDAP directory with <strong>Univention</strong> Directory Manager and the<br />
Initialize password with hostname checkbox was ticked on the Machine account tab, the process for<br />
joining the domain can be begun by clicking the [OK] button. The password is changed when the domain<br />
is joined. (If the computer is to rejoin the domain, the password must be reset to the computer name by<br />
checking the Initialize password with hostname checkbox.)<br />
22
<strong>2.4</strong> Joining domains<br />
If the computer has not yet been entered in the LDAP directory, the Create machine account in domain<br />
checkbox must be ticked first, the name Administrator entered in the User name input field and the<br />
password from uid=Administrator,cn=users, entered in the Password input field. This is<br />
the same as the password of the local user root on the DC master. The process for joining the domain<br />
can then be started by clicking on [OK].<br />
<strong>2.4</strong>.3 Rotation of machine account passwords<br />
The passwords of the machine accounts of the server system roles are automatically changed<br />
on a three week rotation as standard. The <strong>Univention</strong> Configuration Registry variable<br />
server/password/interval can be used to input a different value in days.<br />
The old passwords are saved in the /etc/machine.secret.old file and the procedure is documented<br />
in the /var/log/univention/server_password_change.log file.<br />
23
2 Domain concept<br />
24
3 Installation<br />
Contents<br />
3.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25<br />
3.2 Text-based Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25<br />
3.2.1 Operating the Installer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27<br />
3.2.2 The Procedures of Text-based Installation . . . . . . . . . . . . . . . . . . . . . . . . 27<br />
3.3 Hardware-related Installation problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38<br />
3.3.1 Starting the Installation with additional kernel parameters . . . . . . . . . . . . . . . 38<br />
3.3.2 Additional kernel parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38<br />
3.3.3 Adjusting the automatic hardware detection . . . . . . . . . . . . . . . . . . . . . . . 38<br />
3.4 Installing and Renewing Licences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39<br />
3.5 Subsequent Installation of Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39<br />
3.1 Introduction<br />
The following documentation describes how to install <strong>Univention</strong> Corporate Server.<br />
Generally speaking, installation of <strong>Univention</strong> Corporate Server is similar to that of other Linux distributions.<br />
The difference lies in that the function of the system to be installed is largely dependent on the system role<br />
selected. System roles are components of the <strong>UCS</strong> domain concepts and are described in Chapter 2.1.<br />
Several types of installation are supported:<br />
• <strong>Univention</strong> Corporate Server can be installed from the DVD. The installation of the first <strong>UCS</strong> system<br />
of a domain usually occurs from DVD. There is either a text-based installation or an automated<br />
installation via a pre-configured installation profile. With text-based installation, all system settings<br />
are to be entered by the user, see chapter 3.2.<br />
• With profile-based installation, system settings are stored in text files, the so-called installation pro-<br />
files. Further information on this issue can be found in a separate document [3]. Installation profiles<br />
can be integrated locally via floppy disks or USB storage media, or they can be stored beforehand<br />
on the installation medium in the form of an adjusted installation DVD.<br />
• In addition, installation profiles can be retrieved from an installation server during a net-based instal-<br />
lation using the <strong>Univention</strong> Net Installer, see [3].<br />
3.2 Text-based Installation<br />
After booting the system from the installation medium, the boot prompt is displayed as shown in illustration<br />
3.1.<br />
25
3 Installation<br />
Figure 3.1: Installation boot prompt<br />
Now you can choose between several installation procedures.<br />
26<br />
• <strong>Univention</strong> Installer starts the text-based installation routine on the basis of the Linux kernel in<br />
version 2.6.32. With text-based installation, the system requests a number of parameters such as<br />
network settings, hard drive partitions, system role, and the selection of software components for the<br />
computer to be installed. Then the installation is performed. Text-based installation is documented<br />
in chapter 3.2.2.<br />
• Additional options allows the selection of advanced options for the installation process. First a<br />
request appears, requesting the Linux kernel to be installed. Unlike the standard installation, a<br />
kernel based on Linux 2.6.18 can also be selected here.<br />
Different installation versions can then be selected:<br />
– <strong>Univention</strong> Installer (normal mode) performs an interactive standard installation.<br />
– <strong>Univention</strong> Installer Software RAID (expert mode) also starts a text-based installation like<br />
the previous mode. In this version the partitioning, however, is not performed with the support of<br />
the installer, but effected manually. To do this a number of programs including cfdisk, mdadm<br />
and mkfs.ext3 are available. This mode can, for example, be used to set up a software<br />
RAID or an encrypted hard drive partition. After the partitioning, the text-based installation is
continued.<br />
3.2 Text-based Installation<br />
– <strong>Univention</strong> Installer Profile starts the profile-based installation. With profile-based installa-<br />
tion, a pre-arranged installation profile is selected from which the system reads the installation<br />
parameters. The installation profile to be used is taken from a directory on the installation<br />
medium. Profile-based installation is described in a separate documentation under [3].<br />
– <strong>Univention</strong> Installer Profile Floppy also starts a profile-based installation. The installation<br />
profile is taken from a floppy disk.<br />
– <strong>Univention</strong> Installer Profile USB also starts a profile-based installation. The installation profile<br />
is taken from a USB storage medium.<br />
• Boot from first hard drive partition does not start the <strong>UCS</strong> installation, but the operating system<br />
installed on the first hard drive instead.<br />
Now, the kernel is loaded from the installation medium and status messages appear on the screen. The<br />
installation itself is divided into modules. Each module contains settings which are connected as regards<br />
content. There are modules for network configuration or for selecting the software to be installed, among<br />
others.<br />
3.2.1 Operating the Installer<br />
The input screens of the modules are operated via keyboard exclusively:<br />
• The TAB key moves the cursor to the next entry field.<br />
• Use Shift-TAB to go back to the previous entry field.<br />
• The RETURN key is used for transmitting values entered into an entry field, and for confirming<br />
buttons.<br />
• Within a list or table, the arrow keys can be used for navigating between entries.<br />
• For further information on a module, the F1 function key may be pressed for calling a help dialog.<br />
• The next module is called via the F12 function key, while the F11 function key lets you go back to<br />
modules already processed. As an alternative to F11 and F12, the buttons can also be used.<br />
Further assignments of function keys are given below in the descriptions of the individual modules.<br />
Attention:<br />
In the left-hand window on the installation surface, a list of all the modules is displayed. The active module<br />
is highlighted in colour. This list cannot be used for navigation, it is only for orientation purposes.<br />
3.2.2 The Procedures of Text-based Installation<br />
The modules are executed in a pre-defined order. The description of the modules follows this order. In<br />
dependence of the selected system role, some of the modules are not available.<br />
1. Selecting the installation language<br />
The language which is to be used during the installation process, is selected here. Available lan-<br />
guages are German and English.<br />
27
3 Installation<br />
28<br />
2. Hardware detection<br />
The hardware components of the computer are detected automatically. For devices which are sup-<br />
ported by the kernel, the relevant modules will be loaded. The [Add modules] button opens a list<br />
containing all the available modules. By selecting additional modules, devices can be activated which<br />
were not detected automatically.<br />
3. Selecting the installation medium<br />
The installation medium is detected. The installation medium to be used is specified via the F2<br />
function key. This parameter can be used in case problems with one or several CD drives occur, or<br />
if the net-based installation is to be executed from a different installation server. The F4 function key<br />
is used for rescanning the list of installation media.<br />
4. Selecting the time zone<br />
Here the desired time zone can be selected. If German was chosen as the installation language,<br />
then the time zone Europe/Berlin will be pre-selected; if English was chosen, then US/Eastern will<br />
be the pre-selected zone.<br />
5. Selecting the keyboard layout<br />
Here the keyboard layout of the keyboard in use is selected. If German was chosen as the installation<br />
language, then the qwertz:de-latin1 will be pre-selected; if English was chosen, then qwerty/us<br />
will be used.<br />
The selected keyboard layout will be activated as soon as this dialogue is confirmed.<br />
6. Selecting the system language(s)<br />
Here you can select the system language you wish to use. The selection has an influence on the<br />
use of language-specific characters and permits the representation of program output in the selected<br />
languages.<br />
Several languages can be selected. The administrator can specify the language to be used later via<br />
the <strong>Univention</strong> Configuration Registry variable locale.<br />
7. Selecting the standard system language<br />
Here one of the previously selected system languages is defined as the standard system language.<br />
This language will be used, for example, for <strong>Univention</strong> Directory Manager or for <strong>Univention</strong> Man-<br />
agement Console, provided an appropriate translation is available.<br />
8. Selecting the system role<br />
The system role for the system to be installed is selected here.<br />
The following are available to choose from:<br />
a) Domain controller master<br />
b) Domain controller backup<br />
c) Domain controller slave<br />
d) Member server<br />
e) Managed client<br />
f) Mobile client
g) Base system<br />
Attention:<br />
3.2 Text-based Installation<br />
The first system to be installed on a <strong>UCS</strong> domain should always be a domain controller master.<br />
The installation of further <strong>UCS</strong> systems requires a domain controller master to be running during<br />
installation. The sole exception to this is the base system system role, which can be installed<br />
without a connection to a domain controller master.<br />
The system roles are described in Chapter 2.1.<br />
9. Domain settings<br />
System name is the name by which the host is to be accessible within the network. The name<br />
must consist of a combination of the following characters: letters a-z in lower case, numerals 0-9,<br />
hyphens, and underlines. The host name has to begin with a letter and must not be longer than 15<br />
characters.<br />
Domain name is the name of the <strong>UCS</strong> domain, for example, firma.de.<br />
Once the domain name is set, the fields LDAP base and Windows domain will be assigned by<br />
derived values. If the LDAP basis is to be changed, the name conventions for DNs have to be<br />
observed. The basis DN has to begin with ’cn=’, ’dc=’, ’c=’, ’l=’, or ’o=’. Basis DNs violating these<br />
conventions will be rejected.<br />
The name of the Windows domain may have a maximum length of 15 characters; it may consists of<br />
letters, numerals and hyphens exclusively. The entry field LDAP base appears solely in the system<br />
role of Domain Controller Master.<br />
Root password is the password for the user ’root’. This password is also set for the user ’Administra-<br />
tor’. The user ’Administrator’ is used for joining Windows clients into the <strong>UCS</strong> domain. In subsequent<br />
operation, the passwords of the users ’root’ and ’Administrator’ can be managed independently. The<br />
password is entered for a second time in the final entry field. This double input is necessary to avoid<br />
spelling errors since the entered characters are not displayed on the screen, see 3.2.<br />
For security reasons, the root passwords needs to consist of at least eight characters.<br />
10. Partitioning dialog<br />
This menu is used for partitioning the existing hard drives. It is recommended to use at least two<br />
partitions - one for the root file system, and one for the swap area which is used internally by Linux.<br />
At the first opening of this menu, the installer offers automatic partitioning of the system. On<br />
confirmation, the installer displays a partitioning proposal in which all the existing hard drives are<br />
newly partitioned and formatted using the Logical Volume Manager (LVM).<br />
Attention:<br />
All the data stored on these hard drives will be lost during this process! Should the proposed parti-<br />
tioning be undesirable, it can be rejected by pressing the F5 function key. The disk space of external<br />
storage media, such as USB sticks and USB hard drives, is also included in the automatic partitioning<br />
procedure, so these media should be disconnected if necessary.<br />
The properties of the detected drives, existing partitions, and LVM media (name, range of a partition,<br />
type, formatting, directory in which the partition is to be mounted, and size in MB) are displayed in a<br />
table. See Illustration 3.3.<br />
29
3 Installation<br />
30<br />
Figure 3.2: Domain settings<br />
For creating a new partition, select the free entry of the desired drive and select the [F2-Create]<br />
button. In the next dialogue, enter the directory where the partition is to be mounted (mount point),<br />
the size of the partition to be created in megabytes, the file system which is to be created on the<br />
partition, and the type of partition (primary partition or logical partition within an extended partition).<br />
If a partition is to be created for the swap area, it is not necessary to give the name of a directory<br />
where the partition is to be mounted. If all settings are made, click the [F6-Write partitions] button<br />
to confirm and store the settings.<br />
If you wish to include a partition from a former installation, or to correct settings made during the<br />
creation of a new partition, just select the appropriate partition and [F3-Edit]. The following input can<br />
be made: the directory for the partition to be included in, the file system, and whether the partition is<br />
to be formatted. If the [Format] option is selected, all data in this partition will be deleted. The size<br />
of the partition cannot be changed later.<br />
New partitions, or partitions created during previous installation procedures, can be deleted by se-<br />
lecting the partition and then selecting [F4-Delete].<br />
It is also possible to use the Logical Volume Manager during manual partitioning of hard drives. The<br />
installer will only support a single LVM media group (volume group) which is automatically named<br />
vg_ucs. The possibility of creating physical and logical LVM media (volumes) will only be available<br />
if LVM support was activated manually beforehand, or if a physical LVM medium is already existing<br />
on one of the connected hard drives.<br />
When deleting LVM media (physical volumes), it should be noted that the installer will support this
Figure 3.3: Partitioning hard drives<br />
3.2 Text-based Installation<br />
procedure only if all existing logical LVM media were deleted via the installer beforehand. Otherwise<br />
the contents of the physical LVM medium have to be manually moved to other physical LVM media<br />
via the pvmove command, and the physical LVM medium then removed from the LVM media group<br />
and deleted, via the vgreduce and pvremove commands.<br />
The settings for a new partition are not immediately activated. The [F5-Reset changes] button (F5<br />
function key) can be used for restoring the previous settings. Only if the [F6-Write partitions] button<br />
(F6 function key) is used, will the new partition table be written to the hard drive.<br />
11. Boot loader<br />
In this dialogue box you can select whether the boot loader should be installed in the master boot<br />
record (MBR), or in the first sector of a bootable hard drive partition. If the <strong>UCS</strong> system is the only<br />
operating system installed on the computer, then the master boot record and the corresponding hard<br />
drive should be selected here.<br />
12. Network configuration<br />
With the first execution of the network configuration, a dialogue box will open which allows you to<br />
make the settings for the first detected network interface card.<br />
If the DHCP option was not chosen, the IP address to be bound to the network card must be entered.<br />
In addition to the IP address the net mask must also be entered. F5 DHCP request is used to<br />
request an address from a DHCP server. This is used as the default and can also be configured<br />
statically.<br />
Once the first network card is set up, further network-specific settings can be made. The IP address<br />
or full name of the standard gateway present in the subnet can be entered in the field Gateway.<br />
31
3 Installation<br />
32<br />
Figure 3.4: Network settings<br />
The IP address of the name server which is to be used for resolving host names to IP addresses,<br />
can be entered in the field Name Server. The [More] button offers the possibility of entering multiple<br />
name servers.<br />
If the name server cannot be contacted during installation, it should not be configured during instal-<br />
lation, but rather set after installation using <strong>Univention</strong> System Setup. This prevents long timeouts<br />
during the installation.<br />
Forwarders are only registered if a local name server is operated within the system. If host names<br />
or IP addresses from DNS requests to the local name server cannot be answered, then the request<br />
is passed on to the forwarder. The reply given by the forwarder is then returned to the requesting<br />
host. The [More] button offers the possibility of entering multiple forwarders.<br />
DNS forwarders are only queried when installing the system roles domain controller master, domain<br />
controller backup and domain controller slave.<br />
Three different situations are possible during DNS setup:<br />
a) The installed system is a domain controller master. A name server for the <strong>UCS</strong> domain should<br />
be operated here. This name server only administrates computer names and IP addresses<br />
belonging to the <strong>UCS</strong> domain. To be able to answer requests from external computer names,<br />
an external name server must be entered as forwarder for this server.<br />
If packages are downloaded from external web servers during system installation, the name<br />
server must be specified over which computer names from the web server can be resolved.<br />
The name server already entered as forwarder or another external name server can be used
3.2 Text-based Installation<br />
as the name server. In later use the domain controller master will only use its local name<br />
server. The external name server(s) will be used as the forwarder and if the local name server<br />
is not available.<br />
b) The installed system is another <strong>UCS</strong> server system on which a name sever should be operated<br />
for the <strong>UCS</strong> domain. The IP address of a computer must be entered under name server over<br />
which DNS service records used within the <strong>UCS</strong> domain can be resolved. This is usually the<br />
domain controller master or backup. This name server will only be used in later operation<br />
if the local name server is not available. IP addresses from external name servers or other<br />
<strong>UCS</strong> server systems with name servers which themselves have an external name server as a<br />
forwarder can be entered as forwarder.<br />
c) No local name server is operated on the installed system. The IP address of at least one<br />
computer must be entered under name server over which DNS service records used within<br />
the <strong>UCS</strong> domain can be resolved. No forwarder needs to be entered.<br />
Attention:<br />
It is recommended to install the name server on at least one of the <strong>UCS</strong> server systems and<br />
enter this <strong>UCS</strong> server as the first name server for all other <strong>UCS</strong> systems as so-called DNS<br />
service records and alias names are used in the <strong>UCS</strong> domain which are sometimes changed<br />
automatically by the management system. For example, during installation of a second repos-<br />
itory server, the DNS alias univention-repository is placed on the new repository server.<br />
<strong>Univention</strong> offers a technical document for the use of an external name server, which explains<br />
the different service records and DNS alias names which an external name server must provide<br />
alongside the individual <strong>UCS</strong> computer name.<br />
During the installation of some of the packages, files such as the installation images for the<br />
univention-windows-installer-image package, have to be downloaded from external web servers<br />
due to legal restrictions. Should the <strong>UCS</strong> system have no direct access to the internet, the URL of<br />
an accessible proxy server can be entered in the HTTP Proxy field, which can be used for handling<br />
the download procedures. The format of the URL is: http://:<br />
Attention:<br />
Since, depending on the installed components, the resolution of host names during the installation<br />
procedure cannot be ensured at any time, the IP address of the proxy server should be entered.<br />
For integrating multiple network cards, or for configuring further virtual network adapters on an al-<br />
ready integrated network card, the corresponding entry in the table is selected and the [F2-Add]<br />
key pressed. The dialogue box for entering the IP address, broadcast address, subnet mask, and<br />
network area will again be opened.<br />
13. Join options<br />
This input mask does not appear with the domain controller master and base system system roles.<br />
As standard the <strong>UCS</strong> domain is joined at the end of the installation. The Start join at the end of<br />
installation option can be used to suppress the joining procedure. The system must then join the<br />
domain when running using the univention-join command.<br />
33
3 Installation<br />
34<br />
If a <strong>UCS</strong> server system was entered in the corresponding settings mask as a name server, the name<br />
of the domain controller master is confirmed via a DNS request. In all other cases, the Search<br />
Domain controller Master in DNS option must be deactivated and the fully qualified domain name<br />
of the domain controller master entered in the Hostname of Domain controller Master field.<br />
A user account which is authorised to add systems to the <strong>UCS</strong> domain is called a join account.<br />
As standard this is the Administrator user, which was created during installation of the domain<br />
controller master. The corresponding password of the user account must be given under Password.<br />
The password must be entered identically in both fields.<br />
Further information on joining a domain can be found in Chapter <strong>2.4</strong>.1.<br />
14. SSL settings<br />
This input mask only appears with the domain controller master system role. A SSL certificate<br />
infrastructure is managed on an <strong>UCS</strong> domain controller master. The certificates are used by the<br />
<strong>UCS</strong> systems for mutual authentication and for encrypting network connections. In the Country<br />
code field the 2-character token of the country name as per ISO 3166-1 should be entered, e.g.<br />
DE for Germany; in the State field the federal state or province; in the City field the location of the<br />
company, and in the Department field the name of the department. The mail address will be created<br />
from the domain name. It will be used in the certificates of this certificate infrastructure.<br />
15. Security options<br />
The <strong>Univention</strong> Installer makes it possible to pre-configure package filter profiles. The following three<br />
profiles are available:<br />
• Disabled (no service will be blocked).<br />
• Typical selection of services (some typically unnecessary services will be filtered).<br />
• Locked-down setup. Only SSH, LDAP and HTTPS are allowed.<br />
Further details on this topic can be found in chapter 10.3.2.<br />
16. Selecting software components<br />
Components are software packages which are connected with each other as regards content, and<br />
can be installed for providing a variety of services. Components can themselves consist of several<br />
subcomponents. The subcomponents can be installed individually, or all together.<br />
Navigation within a list of components is done via the arrow keys. To access the subcomponents,<br />
select a component and press the TAB key.<br />
There are three states of selection for a component. These states are displayed in a checkbox<br />
in front of each component. If all the subcomponents belonging to a component are selected for<br />
installation, the checkbox shows an X. If none of the subcomponents was selected for installation,<br />
the checkbox is empty. If only some of the subcomponents are selected for installation, the checkbox<br />
shows a slash (/). See Illustration 3.5.<br />
The following components are available:<br />
• Services for Windows<br />
– Samba - allows the application of Linux computers as domain controller or file server in a<br />
Windows domain (see Chapter 8).
Figure 3.5: Selection of components<br />
3.2 Text-based Installation<br />
– Windows Installer - Allows the completely automatic installation of Windows comput-<br />
ers(see [4]).<br />
– Samba PDC on Non-DC Master - This option allows operation of a Windows PDC on<br />
other system roles than the domain controller master (only available on domain controller<br />
slave/backup and member servers, see also Chapter 8.3).<br />
– Winbind - This service is particularly required in trust settings between <strong>UCS</strong> and Windows<br />
domains (see Chapter 8.4.1).<br />
– <strong>Univention</strong> AD Connector - Solution for bidirectional synchronisation of the <strong>Univention</strong><br />
Directory Service and Active Directory.<br />
• Mail/Groupware<br />
– Standard mail services - Basic mail services based on Postfix for sending mail via SMTP<br />
and Cyrus for providing mailboxes via IMAP and POP3. Virus scans via ClamAV and spam<br />
detection via Spamassassin are integrated (see Chapter 12).<br />
– Kolab 2 for <strong>UCS</strong> - A groupware solution according to the Kolab standard.<br />
• IP management<br />
– DNS - Service for resolving computer names into IP addresses using Bind.<br />
– DHCP - Dynamic IP management service.<br />
– Squid proxy server - Service for central caching and policy management of visited web<br />
sites.<br />
• System services<br />
– Terminal server - Linux terminal server for operating Linux-based thin clients. (see chapter<br />
9.5).<br />
35
3 Installation<br />
36<br />
– Thin client environment - Components for operating thin clients. (see chapter 9.5).<br />
– Print server - Print server based on CUPS.<br />
– Print quota - Allows quota arrangement of print jobs.<br />
– Nagios server - System and network monitoring using Nagios.<br />
– Nagios client - Allows integration of Nagios systems via the NRPE protocol.<br />
– Fax server - Management of incoming and outgoing fax messages based on Hylafax (see<br />
[5]).<br />
– OpenSSH server - server for providing an encrypted SSH remote login.<br />
– FreeNX server - Server for providing a NX remote login. NX offers efficient compression<br />
and can be used interactively even over a slow connection.<br />
• Virtualization<br />
– Virtual Machine Manager (UVMM) - UMC Module for management of virtual machines<br />
– Xen virtualization server - Virtualisation of systems using the Xen hypervisor<br />
– KVM virtualization server - Virtualisation of systems using KVM<br />
• Administrative tools<br />
– <strong>Univention</strong> Directory Manager - central component of the <strong>UCS</strong> management system (see<br />
chapter 4.1).<br />
– <strong>Univention</strong> Management Console - administration of <strong>UCS</strong> systems via a web interface.<br />
– <strong>Univention</strong> Software Monitor - Central collection of installed software packages on <strong>UCS</strong><br />
systems.<br />
– <strong>UCS</strong> Net Installer - Net-based installation of <strong>UCS</strong> systems supported by installation pro-<br />
files.<br />
• Backup<br />
– Backup (Bacula) - Enterprise backup solution<br />
– Unidump - Tool for file backup on a tape drive.<br />
– Remote backup - File backup for distant computers.<br />
• Desktop environment<br />
• Tools<br />
– Graphical user interface - X.org infrastructure and GDM login manager.<br />
– KDE desktop - A user-friendly desktop environment.<br />
– KDE add-ons - Further KDE desktop applications, including k3b for burning DVD/CDs and<br />
the video and music players Amarok, Kaffeine and MPlayer.<br />
– OpenOffice.org - An office package including a word processor, spreadsheet, presenta-<br />
tion program and database management program.<br />
– Mozilla Firefox - a web browser.<br />
– Java plugin/runtime - Java integration for the Firefox browser.<br />
– Flash plugin - An installation program for integrating the Flash plugin into the Firefox<br />
browser.<br />
– Mplayer plugin - A plug-in for the Firefox browser to play videos.<br />
– Microsoft fonts - An installation programm for the integration of free-of-charge Truetype<br />
standard fonts from Microsoft.<br />
– Java - The Sun Java runtime environment.
17. System settings<br />
3.2 Text-based Installation<br />
– Commandline tools - The editors vim and emacs, the less tool for viewing text files, the<br />
text-based web browser elinks, the port scanner nmap, the compression tools zip and<br />
unzip, the download tool wget and eject for script-controlled opening of a DVD drive.<br />
In this dialogue you can specify whether a local software repository should be set up on the <strong>UCS</strong><br />
system. The local <strong>UCS</strong> system and other <strong>UCS</strong> systems can use this software repository for software<br />
installations and updates. A software repository is also required for net-based installations. The<br />
Create home share option specifies, whether the /home directory is to be shared via NFS and - in<br />
case the Services for Windows component is installed - as the user directory via Samba.<br />
18. Overview<br />
This dialogue shows the major settings that were made. If all the settings are correct, the installation<br />
of the software can be initiated by clicking the [Start installation] button.<br />
During installation, a large number of status messages will be displayed on the screen. The system will<br />
format the hard drives as stated, mount the partitions to the directory tree, and install first the basic system<br />
and afterwards, if necessary, additional components and packages.<br />
Attention:<br />
During the installation of certain components, attempts will be made to download files from the internet,<br />
e.g. the Flash plugin. Should the download fail, these files can be installed at a later date. The overall<br />
installation is not impaired by this fact.However, repeated attempts to download files during installation can<br />
increase the overall installation time.<br />
With the prerequisite that the Start join at the end of installation option has not been deactivated, all<br />
computers apart from base systems and domain controller masters try to join the <strong>UCS</strong> domain, read<br />
configuration settings for their services out of the LDAP directory and configure their services accordingly.<br />
Chapter <strong>2.4</strong> explains how the joining of the domain can be initiated anew if the attempt to join during the<br />
installation failed.<br />
The installation protocol of the <strong>Univention</strong> installer is stored as installer.log and the protocol of the<br />
package installation as installation.log in the /var/log/univention/directory. As a final<br />
step, the installation profile installation_profile which was created during installation, is copied to<br />
the /etc/univention/ directory. If the appropriate command is given via the Create local repository<br />
setting, the installation CD is also copied to /var/lib/univention-repository.<br />
For completing the installation, the Enter key is to be pressed for restarting the system. The DVD should<br />
be ejected during restart to avoid the system booting from the installation DVD again. Alternatively, the<br />
computer’s BIOS can be configured in such a way that the hard drive is the first boot drive, and the CD<br />
drive the second.<br />
The system will then boot from the hard drive. After the booting process, the user root or Administrator<br />
can login using the password stated during installation. If the computer was installed as a Domain Con-<br />
troller Master, the licence can now be entered (see paragraph 1.6). For managing the system, there is,<br />
among others, the web front-end <strong>Univention</strong> Directory Manager (see chapter 4.1) available.<br />
37
3 Installation<br />
3.3 Hardware-related Installation problems<br />
In case any hardware-related problems occur during installation, these can usually be circumvented by<br />
additional kernel parameters or by adjusting the automatic hardware detection.<br />
3.3.1 Starting the Installation with additional kernel parameters<br />
To start the installation with additional kernel parameters, select the desired installation procedure at the<br />
boot prompt (cf. Illustration 3.1 on page 26) by using the arrow keys.<br />
Press the ’e’ key for having the configuration lines of the boot loader displayed for the selected installation<br />
procedure. The uppermost line, which begins with kernel, will be selected. After pressing the ’e’ key once<br />
again, the list of boot parameters can be adjusted. Additional kernel parameters have to be added at the<br />
end of each line. Where several parameters are to be added, these must be separated by blanks.<br />
The input is confirmed by pressing the Return key. Pressing the ’b’ key causes the computer to boot<br />
with the changed boot parameters. After successful installation, the <strong>UCS</strong> Installer automatically transfers<br />
the additional parameters to the <strong>Univention</strong> Configuration Registry variable grub/append so that the<br />
parameters will be considered during future boot procedures.<br />
3.3.2 Additional kernel parameters<br />
Some graphic cards do not support the VESA standard for frame buffers which is necessary for represent-<br />
ing bootsplash graphics. On such systems, the use of the frame buffer can be suppressed by the kernel<br />
parameter<br />
video=vga16:off<br />
However, this parameter is not permanently adopted into the boot configuration.<br />
When using older hardware, problems might occur when using the ’Advanced Configuration and Power<br />
Interface’ (ACPI). In such cases, the use of ACPI should be disabled via the kernel parameter<br />
acpi=off<br />
3.3.3 Adjusting the automatic hardware detection<br />
During start-up, the <strong>UCS</strong> Installer executes an automatic hardware detection. If during the automatic<br />
hardware detection a system crash or hardware trouble should occur, the automatic hardware detection<br />
can be disabled via the additional boot parameter noprobe.<br />
As standard the <strong>Univention</strong> Installer uses udev for device management. To deactivate automatic hardware<br />
detection udev must also be disabled with the boot parameter noudev.<br />
The boot parameter is interpreted exclusively by the <strong>UCS</strong> Installer; it is to be declared at the boot prompt<br />
in the same way as an additional kernel parameter. It should be noted, that for a successful installation, all<br />
38
3.4 Installing and Renewing Licences<br />
the necessary kernel drivers (for hard drives, Ethernet adapter, etc.) have to be declared manually in the<br />
<strong>UCS</strong> Installer.<br />
The boot parameter loadmodules can be used at the boot prompt for including certain kernel drivers into<br />
the list of drivers to be loaded (e.g. for a profile-based installation). This parameter can consist of several<br />
kernel drivers. The individual drivers are to be separated by blanks:<br />
loadmodules="driver1,driver2,driver3"<br />
In some cases it might be necessary to suppress the loading of certain kernel drivers. The boot parameter<br />
excludemodules prevents the declared kernel drivers from being automatically loaded during hardware<br />
detection. When excluding several kernel drivers, the individual drivers are to be separated by commas:<br />
excludemodules="driver1,driver2,driver3"<br />
Attention:<br />
When loading kernel drivers, the kernel treats hyphens ’–’ and underlines ’_’ which might be included in<br />
the driver names, as synonymous. This means, when using loadmodules, no difference has to be made<br />
between usb-storage and usb_storage. excludemodules, in contrast, requires the accurate spelling in<br />
the present use of the kernel. The relevant kernel drivers should therefore be declared in excludemodules<br />
using both spellings (hyhpen only or underline only):<br />
excludemodules="usb-storage,usb_storage"<br />
3.4 Installing and Renewing Licences<br />
The licence is installed in the <strong>Univention</strong> Directory Manager. For this purpose, the About dialogue is to be<br />
called as the user Administrator in <strong>Univention</strong> Directory Manager. Here, the licence file can be selected<br />
by clicking on the Search button. After confirming via the Load file button, the file is transferred to the DC<br />
Master and installed. Then after successful installation, a renewed login at <strong>Univention</strong> Directory Manager<br />
Manager is necessary. Then the information on the installed licence can be viewed via the About dialogue.<br />
3.5 Subsequent Installation of Software<br />
<strong>UCS</strong> is based on Debian which is the most frequently used Linux distribution in the professional sector.<br />
The advantages of Debian - and thus also of <strong>UCS</strong> - include a very flexible and well thought-out package<br />
management.<br />
The DVD used to install <strong>UCS</strong> contains packages for the installation of the <strong>UCS</strong> base system and packages<br />
for the different roles of a <strong>UCS</strong> computer (e.g., DC master, DC backup, DC slave, member server, managed<br />
client). In addition, the <strong>UCS</strong> DVD also includes other packages which are not required for the operation of<br />
<strong>UCS</strong>, but do expand <strong>UCS</strong> with practical functions.<br />
If additional packages are to be installed on an <strong>Univention</strong> Corporate Server system, it is recommended to<br />
browse the DVD first to see if the desired functionality can be provided by one of the available packages.<br />
The advantage of using the programs supplied is that their compatibility with <strong>UCS</strong> has already been con-<br />
firmed by <strong>Univention</strong>. On request, <strong>Univention</strong> can also offer further packages in many cases.<br />
39
3 Installation<br />
The recommended method for integration of third-party software in <strong>UCS</strong> is compiling the software on the<br />
<strong>UCS</strong> computer in question with the Debian source packages and installing the binary program which is<br />
built. During the installation it is important to ensure that no other packages are updated or uninstalled in<br />
the installation as this can cause functional errors in the <strong>UCS</strong> system. On request, <strong>Univention</strong> can offer<br />
further packages in many cases.<br />
Package sources for installing Debian packages are included in the file /etc/apt/sources.list. This<br />
file already contains several entries which should not be changed or deleted.<br />
<strong>Univention</strong> also offers an online repository. The current, relevant sources.list entries are published under<br />
http://apt.univention.de.<br />
Besides the usual way via software distribution, there are basically three further methods for installing<br />
additional Debian packages: The <strong>Univention</strong> Management Console, univention-install, and dpkg.<br />
<strong>Univention</strong> Management Console offers a comfortable way of managing software packages via the graphi-<br />
cal interface of a web browser. This is achieved by using the apt mechanism. It is capable of automatically<br />
resolving dependencies, yet it can only read packages from package sources.<br />
( The repository serves as a package source. Chapter 11 explains how to add packages to the repository.)<br />
When using dpkg, packages can be installed from any directory. Dependencies which might not be satis-<br />
fied, are not automatically resolved by dpkg.<br />
Example for installing the package univention-samba:<br />
univention-install univention-samba<br />
In the first example, a package called univention-samba has to be present in any of the package sources<br />
included in /etc/apt/sources.list. After entering the command, the package - together with its<br />
potential dependencies - is taken from the available package sources, and installed.<br />
With the dpkg -i command no dependencies to other packages are resolved, thus no further packages<br />
from any package sources are installed. Only the Debian package declared as a parameter is installed.<br />
Software which is not available in the form of Debian packages, should, if possible, be installed into the<br />
/opt or /usr/local directories. These directories are not used for installing <strong>UCS</strong> or Debian packages,<br />
thus a clean separation between <strong>UCS</strong>/Debian-specific software and other software is ensured.<br />
40
4 <strong>Univention</strong> Directory Manager<br />
Contents<br />
4.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41<br />
4.2 Instructions for Operating the Program . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44<br />
4.2.1 Notes on list fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45<br />
4.2.2 Notes on group membership . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46<br />
4.3 <strong>Univention</strong> Directory Manager Wizards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47<br />
4.3.1 The ”Search” submenu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47<br />
4.3.2 The ”Add” submenu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49<br />
4.4 Navigation in LDAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50<br />
4.4.1 Navigating the directory tree . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50<br />
4.4.2 Displaying and editing objects in the LDAP navigation . . . . . . . . . . . . . . . . . 52<br />
4.5 <strong>Univention</strong> Directory Manager modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53<br />
4.5.1 User administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53<br />
4.5.2 Group management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63<br />
4.5.3 Network administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65<br />
4.5.4 Host management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67<br />
4.5.5 Shares management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75<br />
4.5.6 Samba . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85<br />
4.5.7 Printer management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87<br />
4.5.8 Containers, organisational units, domains . . . . . . . . . . . . . . . . . . . . . . . . 91<br />
4.5.9 DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93<br />
4.5.10 DHCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101<br />
4.5.11 Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108<br />
4.5.12 <strong>Univention</strong> Directory Manager settings . . . . . . . . . . . . . . . . . . . . . . . . . . 129<br />
4.5.13 User-defined attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137<br />
4.5.14 Extended attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141<br />
4.6 Policy-controlled Layouts for the Web Front-End of <strong>Univention</strong> Directory Manager . . . . . . 146<br />
4.1 Introduction<br />
<strong>Univention</strong> Directory Manager allows a comfortable web-based management of objects in an LDAP direc-<br />
tory.<br />
Objects can be, for example, users, groups, computers or DHCP entries. Alongside the <strong>Univention</strong> Direc-<br />
tory Manager web interface described here, there is also a command line interface, see [6]. The scope of<br />
operations which a user of <strong>Univention</strong> Directory Manager may carry out, is defined by his access rights in<br />
the directory service (ACLs). <strong>Univention</strong> Directory Manager itself does not perform any management and<br />
41
4 <strong>Univention</strong> Directory Manager<br />
evaluation of rights, it merely passes on the authentication information and users’ requests to the directory<br />
service.<br />
The <strong>Univention</strong> Directory Manager web interface can be accessed by a browser by just entering<br />
the URL https://IP-address-of-server/univention-directory-manager/ into the address<br />
field. In doing so, IP-address-of-server is to be replaced by the IP address of the server where<br />
<strong>Univention</strong> Directory Manager is installed. If the name resolution is correctly implemented, direct<br />
access to the name of the <strong>Univention</strong> Directory Manager host is also possible. For this purpose,<br />
https://name-of-server.domainname/univention-directory-manager/ is to be entered.<br />
<strong>Univention</strong> Directory Manager is installed on the DC master as standard. If the name resolution is con-<br />
figured correctly, <strong>Univention</strong> Directory Manager can also be accessed through the host name by entering<br />
https://name-of-server.domainname/univention-directory-manager/.<br />
<strong>Univention</strong> Directory Manager uses Javascript and CSS functions to display the web surface, which may<br />
cause display problems in some browsers. If the interface is opened with any other browser than Firefox<br />
3.x or Internet Explorer versions as of 6.0, a warning appears.<br />
In certain circumstances it may be necessary to access the <strong>Univention</strong> Directory<br />
Manager over an insecure connection. This can be the case if no SSL certifi-<br />
cates have been created for this system yet. The insecure access can be per-<br />
formed via http://IP-address-of-server/univention-directory-manager/ or<br />
http://IP-address-of-server.domainname/univention-directory-manager/.<br />
Attention:<br />
In such a case, passwords will be sent across the network unencrypted.<br />
The login form will appear on the screen. When logging into the system for the first time, the user Admin-<br />
istrator can be used with the password specified for user root during the installation of the DC Master.<br />
Also, the user interface language of the <strong>Univention</strong> Directory Manager can be selected. By default German<br />
and English are available.<br />
After entering user name and password, the login procedure is completed by clicking the [Login] button.<br />
After successful login, the <strong>Univention</strong> Directory Manager start page will open. See also Illustration 4.2.<br />
The main menu can be found on the left-hand side. Below the main menu, there is a status field where<br />
relevant messages relating to the user’s input or to other actions are displayed. At the upper border, the<br />
name of the logged-in user is displayed, in this case Administrator.<br />
The menu item Navigation allows the user to navigate through the LDAP directory, and to create, modify<br />
or delete objects within the LDAP directory. Further details can be found in chapter 4.4.<br />
The other menu items on the left side - called wizards in the following descriptions - allow a comfortable<br />
handling of certain objects.<br />
Depending on the licence and installation used, the wizards shown may vary. More information can be<br />
found in Chapter 4.5.<br />
The header contains links which allow you direct access to frequently used functions: creating a host or<br />
user object; accessing the Navigation and signing out from the surface.<br />
42
Figure 4.1: Unsecured start page<br />
4.1 Introduction<br />
The menu item About UDM offers, among other things, information on the licence used and on the Uni-<br />
vention Directory Manager program version. The submenu item Update licence via File can be used for<br />
importing a software licence file.<br />
Clicking Logout in the main menu opens a dialogue box asking whether to proceed with logging out. The<br />
[Abort] button leads back to the previous menu item and back into the program. The [Ok] button causes<br />
the system to proceed with the log-out. After login the user out, a page with a link for renewed login is<br />
displayed.<br />
A similar window will appear if a running <strong>Univention</strong> Directory Manager session is automatically closed<br />
down for security reasons due to a time-out.<br />
Renewed login is possible by clicking Login.<br />
To change the time interval for automatic close-down, the <strong>Univention</strong> Configuration Registry variable<br />
directory/manager/timeout can be adjusted. The interval is to be entered in seconds. Thus, for<br />
setting the interval for automatically closing down the session to ten minutes, the value 600 has to be<br />
entered.<br />
The language used by <strong>Univention</strong> Directory Manager can be controlled with the <strong>Univention</strong> Configuration<br />
Registry variable directory/manager/web/language. For the English version of <strong>Univention</strong> Directory<br />
Manager, the variable has to be set to us.<br />
In the default setting, the <strong>UCS</strong> system checks for available updates regularly. If an update is available, a<br />
corresponding message will be displayed in the upper part of the welcome page (Abbildung 4.2). This mes-<br />
sage is only shown to users who are represented in at least one of the groups specified in the <strong>Univention</strong><br />
Configuration Registry variable directory/manager/web/update/available/groups. The default<br />
setting is set as Domain Admins during installation. The groups should be specified separated by com-<br />
43
4 <strong>Univention</strong> Directory Manager<br />
mas.<br />
Figure 4.2: Start page<br />
4.2 Instructions for Operating the Program<br />
<strong>Univention</strong> Directory Manager is optimised for the application of web browsers which support JavaScript.<br />
This is why the manual on hand assumes in its illustrations and descriptions that a graphic browser with<br />
activated JavaScript functionality is used. Without activated JavaScript functionality, some of the functions<br />
are not executed automatically, which will result in deviations in the program’s operations.<br />
Input fields in <strong>Univention</strong> Directory Manager, which are marked by an asterisk (*) are compulsory, all the<br />
other fields are optional.<br />
Unless otherwise indicated, all characters are permitted, including < and >, ä, ö, ü, and ß.<br />
44
Figure 4.3: Automatic log-out after time-out<br />
4.2 Instructions for Operating the Program<br />
In list fields, the [Ctrl] and [Shift] keys, arrow keys, as well as the mouse can be used for selecting multiple<br />
entries at the same time.<br />
4.2.1 Notes on list fields<br />
Among the entry fields of <strong>Univention</strong> Directory Manager there are special list fields which are applied<br />
whenever there is a choice of one or multiple values to be entered. Illustration 4.4 shows an example for a<br />
list field including a description of its functions.<br />
In the entry field (➊ in Illustration 4.4), the desired value can be entered and accepted by clicking the [+]<br />
button ➋. The value will then be displayed in the list field Entries ➌.<br />
There are several variants of list fields which differ in the type of the entry field ➊. Instead of a single entry<br />
field, several entry fields can also be displayed. Furthermore, select lists or combinations of entry fields<br />
and select lists can be used. The behaviour of the list fields is the same in all these variants.<br />
In some cases it might be necessary to bring the entries of a list field into a certain order. After having<br />
been selected by a single mouse click, the relevant entry can be moved up and down within the list via the<br />
buttons [△] ➍ and [▽] ➎.<br />
45
4 <strong>Univention</strong> Directory Manager<br />
Figure 4.4: Declaring DNS servers via a list field.<br />
When using the [Ctrl] and [Shift] keys, several entries can be selected at the same time for being moved<br />
or deleted.<br />
The button [-] ➏ makes it possible to delete one or multiple selected entries.<br />
Attention:<br />
Values entered into the entry field ➊ without being accepted by clicking the [+] button, will not be added to<br />
the list field Entries when the user subsequently confirms the changes in the object!<br />
4.2.2 Notes on group membership<br />
To allow a comfortable management of the group members, an additional dialogue element was introduced<br />
(see Illustration 4.5). With the help of this dialogue element, a search for certain criteria within a set of<br />
objects, can be performed, and selected objects of this set can be added to the group . The element is<br />
used, among other things, for selecting members for a user group.<br />
In the select list Property (➊ in Illustration 4.5), an attribute can be selected as a search criterion. With<br />
some attributes, an entry field replacing the placeholder none ➋, will automatically be loaded after the<br />
selection was made.<br />
In the additional entry field ➋, which is named after the attribute, a search pattern can be entered. In doing<br />
so, an asterisk ’*’ can be used as a placeholder for a string of arbitrary characters.<br />
46<br />
Figure 4.5: Example for group membership
4.3 <strong>Univention</strong> Directory Manager Wizards<br />
Clicking the [show] button causes all objects which fit the entered search criterion, to be displayed in the<br />
list field All ➌. The list field Current ➍ shows the currently selected objects.<br />
The [▹] and [◃] ➎ buttons can be used for swapping the selected objects between the list fields All and<br />
Current, and thus for including them in or excluding them from the group.<br />
4.3 <strong>Univention</strong> Directory Manager Wizards<br />
Besides the LDAP Navigation for navigating within the directory tree, <strong>Univention</strong> Directory Manager offers<br />
a number of wizards in the main menu on the left-hand side of the page (see Illustration 4.2). These<br />
wizards are interfaces for frequently occurring administrative procedures. By default, the following wizards<br />
are displayed:<br />
• Users<br />
• Groups<br />
• Networks<br />
• Computer<br />
• DNS<br />
• DHCP<br />
• Printers<br />
• Shares<br />
• Policies<br />
Depending on the installed software and the licence used, the number of wizards may vary.<br />
After clicking a wizard, a submenu will open, and the items Search and Add will be displayed. The<br />
search is activated and a search performed for the current object type. If you do not wish to search<br />
directly - perhaps in large environments with many objects - this function can be suppressed by setting the<br />
<strong>Univention</strong> Configuration Registry variable directory/manager/web/modules/autosearch to 0.<br />
4.3.1 The ”Search” submenu<br />
The Search submenu is a simple means of searching and/or editing objects of a certain type or of a certain<br />
group of types.<br />
In the Search select list, the user can choose between different search areas; thus he can specify which<br />
parts of the LDAP directory are to be searched. Further details on the registered containers can be found<br />
in chapter 4.5.12.7.<br />
If the wizard applies to several <strong>Univention</strong> Directory Manager modules, then a list of valid object types is<br />
displayed under Select type.<br />
The Property select list makes it possible to restrict the search to certain attributes. With some properties<br />
(e.g. when searching for users with the property Disabled, a checkbox will appear. For most of the<br />
remaining properties, an entry field will appear where the value of the relevant attribute can be entered.<br />
47
4 <strong>Univention</strong> Directory Manager<br />
Figure 4.6: Searching for user names<br />
Wildcards such as the asterisk * can be used; the success of the search then depends on the schema<br />
specifications of the LDAP directory.<br />
Example:<br />
A search is to be performed for all users with the last name beginning with the letter m. First the user<br />
wizard is started. In the select list Property, the Last name attribute is selected, and in the entry field, m*<br />
is entered.<br />
The Results per page entry field is for specifying how many objects are to be displayed on one page.<br />
By default a maximum of 1,000 objects is displayed on one page (this behaviour can be adapted with<br />
the <strong>Univention</strong> Configuration Registry variable directory/manager/web/ldap/sizelimit). If more<br />
than one page is necessary to display all the objects, then a mouse click on the page numbers makes it<br />
possible to browse the pages. The page number of the currently displayed page is optically highlighted.<br />
Clicking the Search button starts the procedure using the selected criteria. Clicking the Reset button<br />
resets all criteria to their default values. In such a case, no search is performed. The wizards for users and<br />
for groups offer the additional button [create report]. This makes it possible to export the search results to<br />
a PDF document or, alternatively, to a file in the CSV format. Details on the <strong>Univention</strong> Directory Reports<br />
can be found in the documentation under [7].<br />
Clicking the Search button produces a search result which is displayed in a table consisting of the follow-<br />
ing columns: Object, Property (if applicable), Location, and Select (checkboxes). The Object column<br />
contains all the results meeting the search criteria. Each result is represented by a symbol for the object,<br />
and the name of the object.<br />
If a certain Property was selected, an additional column titled according to the selected property is in-<br />
cluded in the table, containing the appropriate values as entries. For example, if the search concerned the<br />
48
last names of the users, a column with the last names will be displayed.<br />
4.3 <strong>Univention</strong> Directory Manager Wizards<br />
The Location column shows the position of the search result within the LDAP directory. The position is a<br />
value consisting of the domain, followed by the name of the currently selected container.<br />
The final column Select contains a checkbox for each of the objects. Below these checkboxes, a list field<br />
offers several operations to be performed on the selected objects. The Invert selection option unselects<br />
the selected objects and selects the rest of the objects instead. The Edit option allows several objects<br />
to be edited at the same time. For example, if several users are to be deactivated at the same time, this<br />
command can be used. The Delete option makes it possible to delete objects.<br />
Clicking the name of the object or the symbol in front of the name in the list of search results opens the data<br />
of the object for viewing/editing. The data are distributed among several tabs and basically correspond to<br />
the data in the object adding mode. The differences are described in the relevant <strong>Univention</strong> Directory<br />
Manager module documentation (see chapters 4.5.1 to 4.5.12).<br />
When editing is finished, the changes can either be written to the LDAP directory by clicking the [Ok]<br />
button, or be discarded by clicking [Cancel].<br />
Attention:<br />
When clicking one of the mentioned buttons, the previously buffered search results are displayed again.<br />
Changes made in the meantime are not yet included in the buffered search results!<br />
4.3.2 The ”Add” submenu<br />
Figure 4.7: Adding a user<br />
The Add submenu is a simple means of adding objects of a certain type.<br />
The Select container select list makes it possible to choose between different positions within the LDAP<br />
directory. Further details on the registered containers can be found in chapter 4.5.12.7.<br />
If the wizard applies to several different <strong>Univention</strong> Directory Manager modules, then a list will be displayed<br />
from which the desired type can be selected.<br />
If the <strong>Univention</strong> Directory Manager module, which is concerned with this wizard, supports templates, then<br />
a list of possible templates will be presented under Select Template.<br />
Clicking the [Cancel] button discards the input and activates the wizard’s Search submenu.<br />
Clicking [Next] shows the tabs of the new object. On these tabs, all the relevant data concerning the<br />
new object can be entered. By a final click on the [Ok] button, the entered data are written to the LDAP<br />
49
4 <strong>Univention</strong> Directory Manager<br />
directory, by clicking [Cancel] the data entry is discarded. Instructions to the tabs can be found in the<br />
relevant chapters relating to the <strong>Univention</strong> Directory Manager modules, see chapters 4.5.1 to 4.5.12.<br />
4.4 Navigation in LDAP<br />
4.4.1 Navigating the directory tree<br />
The Navigation menu item makes it possible to navigate the LDAP directory, to create new objects in the<br />
LDAP directory, to modify these objects, or to delete them.<br />
Clicking the Navigation menu item opens a page on which a table with an excerpt of the data in the LDAP<br />
directory is displayed. This table will be called the summary in the below description (see Illustration 4.8).<br />
Figure 4.8: Summary of the directory<br />
The shown position (➊ in Illustration 4.8) indicates the position within the directory tree of the domain. The<br />
uppermost level is represented by the name of the domain. If the display level is changed, say by clicking<br />
the users container ➋, the current path will be shown in the Position field. Individual path segments can<br />
be clicked for switching to the corresponding levels.<br />
50
4.4 Navigation in LDAP<br />
By clicking the up-labelled upwards arrow (➌ in Illustration 4.9), the user can navigate one level upwards<br />
within the LDAP directory. At the uppermost level, the symbol up is not displayed.<br />
Figure 4.9: Displaying user objects<br />
The select list Add new object at current position ➍ offers object types which can be created at this<br />
position within the LDAP directory.<br />
Via the select list type ➎ and the [show] button ➏, the user can control which of the objects are to be<br />
displayed in addition to the container objects of this level. If a type is selected in the list ➎, an additional<br />
select list property ➐ will be displayed if applicable. Once the desired property has been selected, a<br />
further entry field will be displayed, if applicable, in which a search string can be entered.<br />
In the entry field Results per page ➑, the user can specify how many objects are to be displayed on<br />
one page. If more than one page is necessary to display all the objects, then a mouse click on the page<br />
numbers ➒ makes it possible to browse the pages. The page number of the currently displayed page is<br />
optically highlighted.<br />
Clicking the [Search] button ➏ causes all objects of the current level, which meet the search criteria, to be<br />
displayed in the summary. The directory objects are displayed irrespectively of the search criteria.<br />
For each object, a symbol signifying the object type, and a name are displayed in the Object column of<br />
51
4 <strong>Univention</strong> Directory Manager<br />
the summary. In the Type column, the type of the object is represented in words. If a search criterion<br />
was defined, then the next column will show the result of the search criterion. The final column Select<br />
contains a checkbox for each of the objects. Below these checkboxes, a list field offers several operations<br />
to be performed on the selected objects. The Invert selection option unselects the selected objects and<br />
selects the rest of the objects instead. The Edit option allows several objects to be edited at the same<br />
time. For example, if several users are to be deactivated at the same time, this command can be used.<br />
The Delete option makes it possible to delete objects. With the Move option, the user can move one or<br />
multiple objects to a different position within the directory tree.<br />
4.4.2 Displaying and editing objects in the LDAP navigation<br />
The information stored on an object can be displayed and edited by clicking the symbol or the name of the<br />
object in the summary. So-called tabs will be displayed which contain information on the corresponding<br />
object (see Illustration 4.10).<br />
Figure 4.10: User object of the Administrator<br />
If the object in question is a container which might contain further objects, then the contents of the container<br />
will be displayed in a directory view. The object itself is represented in this view by its symbol and the<br />
52
4.5 <strong>Univention</strong> Directory Manager modules<br />
remark (current). A mouse click on the symbol or on (current) causes the tabs and information relating<br />
to the object to be displayed.<br />
The tabs in the editing mode correspond to those in the ’adding objects’ mode, and will be described in<br />
detail in the corresponding section of this manual (see chapter 4.5.<br />
If the information is merely to be viewed, then the object should, after viewing, be quit by clicking the<br />
[Cancel] button.<br />
Some values are protected from changing and cannot be edited. Such values are displayed in grey.<br />
Other values are compulsory; such values can usually be changed but not deleted. The field caption of<br />
such a value is usually followed by an asterisk in brackets (*). These values have to be entered before the<br />
tab can be left. Apart from this, random switching of the tabs is possible. The entered values are preserved<br />
when switching tabs.<br />
Once all the desired changes to an object have been executed, clicking the [Ok] button causes the entered<br />
data to be accepted. The corresponding changes are then carried out in the LDAP directory.<br />
4.5 <strong>Univention</strong> Directory Manager modules<br />
Apart from the possibility to modify the LDAP directory via the LDAP browser, <strong>Univention</strong> Directory Man-<br />
ager also provides several modules making it easier for the user to search, add, modify, and delete LDAP<br />
objects, by combining common procedures (e.g. creating DHCP entries and DNS entries when creating a<br />
new client object.<br />
The attributes which can be administrated in an <strong>Univention</strong> Directory Manager module are subdi-<br />
vided into standard attributes and advanced attributes. In the default settings only the standard at-<br />
tributes are shown in the tabs of a module. Clicking Show the advanced settings shows the remain-<br />
ing tabs. All attributes are shown as standard when the <strong>Univention</strong> Configuration Registry variable<br />
directory/manager/web/modules/advancedview is set to 1.<br />
A summary of the full scope of functions can be found in [8]).<br />
4.5.1 User administration<br />
The following policy objects can be applied/inherited to the user administration (see chapter 4.5.11):<br />
• Mail quota<br />
• Password policy<br />
• <strong>Univention</strong> Directory Manager view<br />
• Desktop settings<br />
• UMC access<br />
53
4 <strong>Univention</strong> Directory Manager<br />
54<br />
’General’ tab<br />
User name (*)<br />
This is the name, by which the user logs into the system. Specifying a user name is obligatory for<br />
any user; the name has to begin with a letter which has to be followed by: letters a-z in lower case,<br />
numerals 0-9, dots, hyphens, or underlines. Only the first letter may be an uppercase letter.<br />
Attention:<br />
In order to ensure compatibility to non-<strong>UCS</strong> systems, <strong>Univention</strong> Directory Manager prevents the<br />
creation of users which are only distinguished from each other by upper and lower case letters. Thus,<br />
if the user name ’smith’ already exists, then the user name ’Smith’ cannot be created.<br />
Description<br />
Arbitrary descriptions for the user can be entered here.<br />
Password (*)<br />
The user’s password has to be entered here.<br />
Password (retype) (*)<br />
In order to avoid spelling errors, the user’s password has to be entered for a second time.<br />
Override password history<br />
By checking this box, the password history is overridden for this user and for this password change.<br />
This means, with this change the user can be assigned a password which is already in use. Further<br />
details on the password policies for users can be found in chapter 4.5.11.5.<br />
Override password check<br />
By checking this box, the requirements for the length of the password and for password quality checks<br />
are overridden for this user and for this password change. This means, the user can e.g. be assigned<br />
a shorter password than would be possible according to the defined minimum length. Further details<br />
on the password policies for users can be found in chapter 4.5.11.5.<br />
First name<br />
The first name of the user is to be entered here.<br />
Last name (*)<br />
The last name of the user is to be entered here.<br />
Title<br />
The title of the user is to be entered here.<br />
Organisation<br />
The organisation is to be entered here.
’User account’ tab<br />
Account expiry date<br />
4.5 <strong>Univention</strong> Directory Manager modules<br />
In this entry field, the date is specified by which the user account becomes invalid. The format of the<br />
date is dd mm yy, e.g. 05 03 08 for 5 March 2008. From this date onwards, a user trying to log into<br />
the system will be notified of the fact that his user account has become invalid; he has no longer any<br />
access to the system. If the date is deleted or replaced by a different, future date, the user will regain<br />
the right to log in.<br />
Password expiry date<br />
If the password is subject to an expiry date, then this date is displayed in this entry field. The format<br />
of the date is dd mm yy, e.g. 05 03 08 for 5 March 2008. These entry fields cannot be directly edited.<br />
The date can be changed/influenced via the checkbox Change password on next login on this tab,<br />
or via the entry field Expiry Interval on the policies tab.<br />
If the date of password expiry is reached or exceeded, the user is asked to change his password.<br />
Once the password is changed, the user will regain his access to the system.<br />
If a value is declared for the Expiry Interval on the Password policies tab, or if the value is inherited<br />
from a higher-level object, then the expiry date is automatically adjusted once the user has changed<br />
his password. The new expiry date is calculated by the date the password was changed plus the<br />
value declared in the Expiry Interval field.<br />
If no Expiry interval is declared, the old expiry date will be deleted and no new date will be set.<br />
Account deactivation<br />
The Account deactivation selection field can be used to deactivate the user account for one or more<br />
login methods. As long as the respective account type is deactivated, the user cannot log into the<br />
system. This is typically used when a user leaves the company. In a heterogeneous environment, an<br />
account deactivation might also be caused by external tools; in that case the selection field reflects<br />
the account status. Normally users should always be deactivated for all account types. The following<br />
deactivation states can be realised:<br />
• None - Basic status; all logins are possible.<br />
• All disabled - All account types are blocked.<br />
• Windows disabled<br />
• Kerberos disabled<br />
• POSIX disabled<br />
• Windows und POSIX disabled<br />
• Windows und Kerberos disabled<br />
• POSIX und Kerberos disabled<br />
55
4 <strong>Univention</strong> Directory Manager<br />
56<br />
The following interconnections between the different login methods are derived from the <strong>UCS</strong> PAM<br />
configuration:<br />
• The Linux login (e.g., on GDM or a tty) is only deactivated if all login methods are deactivated;<br />
a deactivated POSIX account alone is not enough.<br />
• Samba requires a not-deactivated POSIX account - that means that the deactivation of the<br />
POSIX account automatically deactivates Samba as well.<br />
• The Kerberos library (Heimdal) also evaluates the Samba account settings - that means that<br />
the deactivation of the Windows account will also deactivate Kerberos.<br />
Change password on next login<br />
If this checkbox is ticked, then the user has to change his password during the next login procedure.<br />
If the option is activated, the present date will be used as the expiry date for the current password.<br />
Further details can be found in the description Expiry Date on the same tab.<br />
Locked login methods<br />
This selection field can be used to block individual login methods. This can happen automatically<br />
for security reasons, for example, if a user has entered his password incorrectly too often. Normally<br />
users should always be blocked for all login methods.<br />
In contrast to Account deactivation, the account is not blocked, but the login is denied. The following<br />
login methods can be restricted:<br />
• None<br />
• Locked all login methods<br />
• Locked Windows/Kerberos only<br />
• Locked POSIX/LDAP only<br />
’Mail’ tab<br />
Primary e-mail address<br />
The primary e-mail address of the user is declared here. E-mail addresses can consist of the following<br />
characters: letters a-z, numerals 0-9, dots, hyphens, and underlines. The address has to begin with<br />
a letter and must include an @ character.<br />
Alternative e-mail addresses<br />
Further e-mail addresses can be declared here for the user. E-mails to these addresses will be<br />
delivered to the same inbox as mails sent to the user’s primary e-mail address. It is possible for<br />
several users to use the same alternative e-mail address. However the multi-used alternative e-mail<br />
address should not be used as the primary e-mail address by one of the users.
Attention:<br />
4.5 <strong>Univention</strong> Directory Manager modules<br />
Wird Scalix für <strong>UCS</strong> verwendet, so ist der Betrieb von mehreren Benutzern mit identischer alternativer<br />
Email-Adresse nicht möglich.<br />
Use global spam folder<br />
If this option is used, e-mails classified as spam will not be delivered to the user’s personal spam<br />
folder but to a global spam folder instead.<br />
’Contact’ tab<br />
Attention:<br />
The data relating to the phone number, street, city, and post code are stored in the attributes for the<br />
business address within the LDAP directory. The private contact data can be entered on the Private<br />
contact tab.<br />
E-Mail address(es)<br />
The e-mail address of the user is declared here. The values of this attribute are stored in the attribute<br />
mail of the LDAP directory service. Most of the address books using an LDAP search function will<br />
search for an e-mail address by this attribute. The syntax is identical to that of the Primary e-mail<br />
address attribute.<br />
Telephone number(s)<br />
This field contains the user’s phone number. Valid characters include the numerals 0-9, the letters<br />
a-z in upper and lower case, and the ), (, /, + and - characters.<br />
Street<br />
The user’s street and house number can be entered here.<br />
Postal code<br />
This field contains the post code of the user’s address.<br />
City<br />
This field contains the city of the user’s address.<br />
Birthday<br />
This field is used to save a user’s birthday.<br />
User’s picture (JPEG format)<br />
This mask can be used to save a picture of the user in LDAP in JPEG format. In the default settings<br />
the file size is not limited; a size limit can be imposed using <strong>Univention</strong> Configuration Registry variable<br />
directory/manager/jpegphoto/maxsize.<br />
57
4 <strong>Univention</strong> Directory Manager<br />
58<br />
’Private contact’ tab<br />
Phone numbers can consist of the numerals 0-9, the letters a-z in upper and lower case, and the ), (,<br />
/, + and - characters.<br />
Mobile telephone number<br />
The user’s mobile numbers can be entered here.<br />
Home telephone number<br />
The private fixed network phone number can be entered here.<br />
Pager telephone number<br />
Pager numbers can be entered here.<br />
Home postal address<br />
One or more of the user’s private postal addresses can be entered in this field. In <strong>UCS</strong> versions prior<br />
to 2.3 only one address could be saved in this field. If you have updated from an earlier version it will<br />
only be possible to save one address here.<br />
’Organisation’ tab<br />
Employee number<br />
Numbers for staff members can be entered in this field.<br />
Employee type<br />
The category of the staff member can be entered here.<br />
Department number<br />
The department number of the staff member can be entered here.<br />
Room number<br />
The room number of the staff member.<br />
Superior<br />
The superior of the user can be selected here.<br />
’POSIX (Linux/UNIX)’ tab<br />
UNIX home directory (*)<br />
The path of the user’s home directory is to be entered here. By default, /home/ followed by the user<br />
name is preset. The declaration of the home directory should be unique across the domain.
Further information can be found in the desktop documentation in Chapter 9.7.<br />
Login shell<br />
4.5 <strong>Univention</strong> Directory Manager modules<br />
The user’s login shell is to be entered in this field. This program is started if the user performs a<br />
text-based login. By default, /bin/bash is preset.<br />
User ID<br />
If the user is to be assigned a certain user ID, the ID in question can be entered in this field. If no<br />
user ID is assigned, <strong>Univention</strong> Directory Manager will assign an available user ID when creating the<br />
user. The user ID can only be declared when adding the user. When the user data are subsequently<br />
edited, the user ID will be represented in grey and barred from change.<br />
Group ID<br />
When adding the user, the group ID of the user’s primary group will be entered here. This value<br />
can only be changed while adding the user. During editing, the primary group can be edited on the<br />
Groups tab.<br />
Home share<br />
An alternative shared directory can be selected here, where the user’s home directory is located, or<br />
where it is to be created. By default the local home share is used.<br />
Home share path<br />
The path of the home directory relative to the Home share is declared here. The username is already<br />
preset as a default value.<br />
Attention:<br />
Only if both values are entered (Home share and Home share path), will the settings be adopted<br />
into the LDAP directory.<br />
GECOS<br />
User entries in the /etc/passwd file are also known as GECOS fiels. However, a username entered<br />
in this input field is not written to /etc/passwd, but stored in the LDAP attribute gecos.<br />
When creating a new user this attribute is preset to ’ ’. (Special charac-<br />
ters are replaced)<br />
When editing either the first name or the family name of a user, the input field is altered automatically<br />
if the previous value had been set to ’ ’.<br />
59
4 <strong>Univention</strong> Directory Manager<br />
60<br />
’Windows’ tab<br />
This tab is used for the settings of the user’s Windows account. Standard values from the Samba<br />
configuration are used for empty fields.<br />
Windows home path<br />
The path of the directory which is to be the user’s Windows home directory, is to be entered here.<br />
Example:<br />
\\ucs-file-server\smith<br />
Windows home drive<br />
If the Windows home directory for this user is to show up on a different Windows drive than that<br />
specified by the Samba configuration, then the corresponding drive letter can be entered here.<br />
Example:<br />
M:<br />
Windows logon script<br />
The user-specific logon script relative to the Netlogon share is entered here.<br />
Example:<br />
scripts\user.bat<br />
Windows profile directory<br />
The profile directory for the user can be entered here.<br />
Example:<br />
\\ucs-file-server\user\profile<br />
Relative ID<br />
The relative ID (RID) is the local part of the SID. If a user is to be assigned a certain RID, the ID in<br />
question can be entered in this field. If no RID is assigned, the next available RID will automatically be<br />
used. The RID cannot be subsequently changed. Integers from 1000 upwards are permitted. RIDs<br />
below 1000 are reserved to standard groups and other special objects.<br />
Logon<br />
In this entry field, the Administrator can define certain times of the day (0-24h) in one hour intervals,<br />
when this user may log into a Windows client. This means, a time window can be specified within<br />
which the user may log in. If no entry is made in this field, the user can log in at any time of day.<br />
Allowed hosts<br />
This setting specifies the clients where the user may log in. If no settings are made, the user can log<br />
into any client.
’Groups’ tab<br />
4.5 <strong>Univention</strong> Directory Manager modules<br />
This tab has the purpose of defining the user’s group membership. If no settings are made on this<br />
tab when creating the user, the preset value for the primary group will be stored.<br />
Primary group<br />
This select list can be used for specifying the user’s primary group. All the groups registered in the<br />
domain are open for selection. By default, the group Domain Users is preset. This setting can be<br />
changed, further details on this issue can be found in chapter 4.5.12.6. If the primary group of a user<br />
has been removed by an external LDAP modification, the default group is assigned to the user object<br />
the next time the object will be modified.<br />
Groups<br />
Additional groups can be assigned to the user here, in which he is to be a member.<br />
’Windows Advanced’ tab<br />
Settings for working on Windows terminal servers can be made here.<br />
Home directory for Windows terminal services<br />
The directory path which is to be the user’s Windows home directory on the terminal server can be<br />
entered here.<br />
Example:<br />
\\ucs-file-server\ts\user<br />
Home drive for Windows terminal services<br />
If the Windows home directory for this user is to appear on different Windows drive than specified in<br />
the Samba configuration, the respective letter of the drive can be entered here followed by a colon,<br />
e.g. M:.<br />
Startup command<br />
Path to a program which should be run when a terminal session is started. The Explorer is started as<br />
standard for Microsoft Windows.<br />
Working directory for startup command<br />
The program’s working directory, which is entered under Startup command.<br />
Use client configuration for startup command<br />
Both configuration settings Startup command and Working directory for startup command can<br />
be overwritten by the client application. If this checkbox is activated, the client configuration is used.<br />
61
4 <strong>Univention</strong> Directory Manager<br />
62<br />
Profile directory for Windows terminal services<br />
The path to the Windows profile which is to be used in the terminal server session should be entered<br />
here. If no value is entered, the standard profile path is used.<br />
Keyboard layout<br />
The keyboard layout for the terminal server session.<br />
Allow Windows terminal server login<br />
If this checkbox is activated the user can log on to a terminal server.<br />
Connect client drives at login<br />
The client drives can be made available during a terminal server session when this checkbox is<br />
activated.<br />
Connect client printers at login<br />
The client printers are connected during log-in to the terminal server and are thus available during<br />
the terminal server session.<br />
Make client default printer the default printer for Windows terminal services<br />
If this checkbox is activated the client standard printer will be declared the standard printer for this<br />
terminal server session.<br />
CTX Mirroring<br />
This selection list specifies whether a user session can be mirrored. If Disabled is selected the<br />
session cannot be mirrored.<br />
If an entry with the Input On option is selected, the user who initiated the mirroring will be given the<br />
permission to perform keyboard inputs and mouse action in the mirrored session. If an entry with the<br />
Message On option is selected, a message is shown on the client stating that a request has been<br />
made to mirror the session.<br />
Terminated or timed-out sessions<br />
In this selection list one can select whether ended or expired connections should be Disconnecteded<br />
or Reset.<br />
Reconnect session<br />
You can select here whether the ended connection to each client or just the previous client can be<br />
rebuilt.<br />
CTX RAS Dialin<br />
This option configures the callback function of a remote access server. If enabled, the dialin line of
the user is disconnected after authentication and the user is called back.<br />
’(Options)’ tab<br />
4.5 <strong>Univention</strong> Directory Manager modules<br />
This tab makes it possible to discard individual LDAP object classes for the user. Entry fields for the<br />
attributes of deactivated classes are disabled.<br />
Mail account<br />
If this checkbox is not ticked, the user will not be assigned the object class univentionMail.<br />
Kerberos principal<br />
If this checkbox is not ticked, the user will not be assigned the object classes krb5Principal and<br />
krb5KDCEntry.<br />
Samba account<br />
If this checkbox is not ticked, the user will not be assigned the object class sambaSamAccount.<br />
POSIX account<br />
If this checkbox is not ticked, the user will not be assigned the object classes posixAccount and<br />
shadowAccount.<br />
Personal information<br />
If this checkbox is not ticked, the user will not be assigned the object classes organizationalPerson<br />
and inetOrgPerson.<br />
Groupware account<br />
If this checkbox is not ticked, the user will not be assigned the object classes univentionKolabIne-<br />
tOrgPerson and kolabInetOrgPerson.<br />
Public key infrastructure account<br />
If this checkbox is not ticked, the user will not be assigned the object class pkiUser.<br />
Simple authentication account<br />
This option can be used for creating user objects which have only a username and a password. With<br />
these users, authentication is possible against the LDAP directory service exclusively; logging into<br />
<strong>UCS</strong> or Windows systems is not possible. If this option is activated, the object classes uidObject<br />
and simpleSecurityObject will be used.<br />
4.5.2 Group management<br />
The following policy objects can be applied/inherited to the group administration (see Chapter 4.5.11):<br />
63
4 <strong>Univention</strong> Directory Manager<br />
64<br />
• UMC Access<br />
’General’ tab<br />
Name (*)<br />
The name of the group has to begin and end with a letter or a numeral. The rest of the characters<br />
which form the group name may include letters, numerals, spaces, hyphens, or dots.<br />
Description<br />
A description of the group can be entered here.<br />
Group ID<br />
If a group is to be assigned a certain group ID, the ID in question can be entered in this field. Other-<br />
wise, <strong>Univention</strong> Directory Manager will automatically assign the next available group ID when adding<br />
the group. The group ID cannot be subsequently changed. When editing the group, the group ID will<br />
be represented in grey. The group ID may consist of integers between 1000 and 59999 and between<br />
65536 and 100000.<br />
Relative ID<br />
The relative ID (RID) is the local part of the Security ID (SID) and is used in Windows and Samba<br />
domains. If a group is to be assigned a certain RID, the ID in question can be entered in this field.<br />
Otherwise, <strong>Univention</strong> Directory Manager will automatically assign the next available group ID when<br />
adding the group. The RID cannot be subsequently changed. When editing the group, the group<br />
ID will be represented in grey. Since RIDs have to be unique across the domain, <strong>Univention</strong> Direc-<br />
tory Manager prevents an RID from being assigned twice. For RIDs, integers higher than 999 are<br />
permitted. RIDs below 1000 are reserved for standard groups and other special objects.<br />
Samba group type<br />
Three types of groups can be distinguished:<br />
• Domain Group:<br />
These groups are known across the domain. In <strong>Univention</strong> Directory Manager, new groups<br />
belong to the type ’Global group’ by default.<br />
• Local Group:<br />
Local groups are relevant on Windows servers exclusively. If a local group is created on a<br />
Windows server, this group is known solely to the server; it is not available across the domain.<br />
<strong>UCS</strong>, in contrast, does not differentiate between local and global groups. After taking over an<br />
NT domain, local groups in <strong>UCS</strong> can be handled in the same way as global groups.<br />
• Well-Known Group:<br />
This type contains groups pre-configured by Samba servers or by Windows servers, which can<br />
be available across the domain or locally restricted.<br />
Example:<br />
Adminusers, Printer Admins, etc.
Mail address<br />
4.5 <strong>Univention</strong> Directory Manager modules<br />
The e-mail address by which all the members of this group can be addressed, can be entered in this<br />
field.<br />
’Members’ tab<br />
Users<br />
This tab can be used for accepting users as members of the group.<br />
’Nested groups’ tab<br />
Membership of other Groups<br />
On this tab, other groups can be added as members of the current group (groups in groups).<br />
Circular dependencies of nested groups are automatically detected and refused.<br />
This check can be disabled with the <strong>Univention</strong> Configuration Registry variable<br />
directory/manager/web/modules/groups/group/checks/circular_dependency.<br />
’Member of’ tab<br />
Membership in other Groups<br />
On this tab, the current group can be added as a member to other groups.<br />
’(Options)’ tab<br />
This tab is only available when adding groups, not when editing groups. Certain LDAP object classes<br />
for the group can be de-selected here. The entry fields for the attributes of these classes can then no<br />
longer be filled in.<br />
Samba group<br />
This checkbox indicates whether the group contains the object class SambaGroupMapping.<br />
Posix group<br />
This checkbox indicates whether the group contains the object classPosixGroup.<br />
4.5.3 Network administration<br />
Networks provide network-capable machines such as computers and printers with an appropriate IP ad-<br />
dress automatically as well as creating DNS and DHCP entries.<br />
65
4 <strong>Univention</strong> Directory Manager<br />
66<br />
’General’ tab<br />
Name (*)<br />
The name of the network is entered in this input field. The network appears under this name in other<br />
areas of <strong>Univention</strong> Directory Managers such as in computer management (see Section 4.5.4).<br />
Network (*)<br />
The network address is entered in dot-decimal form in this input field.<br />
Example:<br />
192.168.1.0<br />
Netmask (*)<br />
The network mask can be entered in this input field in binary (network prefix) or dot-decimal form.<br />
Attention:<br />
If the network mask is entered in dot-decimal form it will be subsequently be converted into the<br />
corresponding network prefix and later also shown so.<br />
Example:<br />
The network mask 255.255.255.0 will be shown as 24 later.<br />
’IP’ tab<br />
One or more IP ranges can be stored in this tab. When a host is assigned to this network at a later<br />
point, it will automatically be assigned the next, free IP address from the IP range entered here.<br />
When no IP range is entered here, the system automatically uses the area suggested by the network<br />
and the subnet mark entered on the General tab.<br />
Attention:<br />
If a single IP address is entered as a range, the IP address must be entered in both the First Address<br />
and Last Address input fields.<br />
Attention:<br />
The IP ranges must not overlap. Otherwise an error warning will be given alerting you of the overlap<br />
when you confirm with the [OK] button.<br />
’DNS’ tab<br />
Forward lookup zones and reverse lookup zones can be selected on this tab. When a unit is assigned<br />
to this network at a later point, a host record in the forward lookup zone and/or a pointer record in<br />
the reverse lookup zone will be created for the unit automatically. If no zone is selected, no automatic<br />
entries will be created. There is always the possibility of editing the settings both on the unit object<br />
and directly in the DNS zones.
DNS Entry<br />
4.5 <strong>Univention</strong> Directory Manager modules<br />
The forward lookup zone where units from the network should be entered must be specified here. All<br />
the forward lookup zones entered in the domain and their subcontainers are available for selection.<br />
DNS Entry Reverse<br />
The reverse lookup zone where units from the network should be entered must be specified here. All<br />
the reverse lookup zones entered in the domain and their subordinate subcontainers are available for<br />
selection.<br />
’DHCP’ tab<br />
A DHCP service can be assigned to the network on this tab. When a unit is assigned to this network<br />
at a later point, a DHCP host entry with a fixed IP address will be created for the unit automatically<br />
in the selected DHCP service. If no DHCP service is selected here, there will also be no DHCP host<br />
entry automatically created. There is always the possibility of editing the settings on the unit object or<br />
under the DHCP service.<br />
4.5.4 Host management<br />
The following host objects can be created in computer management. Further information on the individual<br />
system roles can be found in Chapter 2.1.<br />
• Domain controller master<br />
The domain controller master, also called DC master, maintains the writable copy of the directory<br />
service. There can only ever be one DC master in a <strong>UCS</strong> domain.<br />
• Domain controller backup<br />
A domain controller backup, also called DC backup, contains an exact copy of the directory service.<br />
A DC backup can be promoted to a DC master. There can be any number of DC backup systems in<br />
a <strong>UCS</strong> domain.<br />
• Domain controller slave<br />
A domain controller slave, also called DC slave, contains a copy of the directory service. This copy<br />
may contain all or just one part of the data. There can be any number of DC slaves systems in a<br />
<strong>UCS</strong> domain.<br />
• Member server<br />
In contrast to the other domain controller system roles, the member server does not have a copy of<br />
the directory service. It is still fully integrated in the <strong>UCS</strong> domain, for example, all users and groups of<br />
the domain are also available on the member server. There can be any number of member servers<br />
in a <strong>UCS</strong> domain.<br />
• Domain trust account<br />
A domain trust account is set up for trust relationships between Windows and <strong>UCS</strong> domains.<br />
67
4 <strong>Univention</strong> Directory Manager<br />
• IP managed client<br />
An IP managed client is specially intended for non-<strong>UCS</strong> systems, for example for network printers<br />
and routers, to allow simplified DNS and DHCP management. <strong>UCS</strong> base systems can also be<br />
created as IP managed client.<br />
• Mac OS X client<br />
A MAC OS X client can be created for the administration and integration of Max OS X clients.<br />
• Managed client<br />
A managed client is a <strong>UCS</strong> domain member with a Linux desktop<br />
• Mobile client<br />
A mobile client is similar to the managed client except that the focus with mobile clients is on note-<br />
books.<br />
• Thin client<br />
A thin client is a host which simply displays applications which are run on a terminal server (Linux or<br />
Windows). A thin client thus requires very little maintenance.<br />
• Windows<br />
The Windows role is specially designed for Windows hosts. If a Windows system joins the <strong>UCS</strong><br />
domain, a Windows account is automatically created unless it has been created in advance.<br />
The following policy objects can be used on these host objects (see also Chapter 4.5.11):<br />
68<br />
• Autostart<br />
• Client devices<br />
• Display settings<br />
• Print server<br />
• LDAP server<br />
• Packages Client<br />
• Packages Master<br />
• Packages Member<br />
• Packages Mobile Client<br />
• Packages Slave<br />
• Maintenance<br />
• Release<br />
• Repository server<br />
• Repository synchronisation<br />
• Sound Settings<br />
• Thin client configuration<br />
• Windows installation
’General’ tab<br />
Name (*)<br />
4.5 <strong>Univention</strong> Directory Manager modules<br />
The name for the host should be entered in this input field. The following information in the “Computer<br />
names” infobox should be observed.<br />
Description<br />
Any description can be entered for the host in this input field.<br />
MAC address<br />
The MAC address of the host can be entered here. It is required if the host is to receive a DHCP<br />
entry. The MAC address must always be given for thin clients, as thin clients cannot be commissioned<br />
without a DHCP entry. Example:<br />
2e:44:56:3f:12:32<br />
or<br />
2e-44-56-3f-12-32<br />
Network<br />
The host can be assigned to a newly created network. All networks registered in the domain are<br />
available for selection. The host will then be allotted the next free IP address from this network<br />
automatically. When the network contains DNS and DHCP settings the host will automatically also<br />
be entered in the DNS and DHCP service. The values which are automatically assigned after network<br />
selection on the IP, DNS und DHCP tabs can be checked and changed subsequently.<br />
Inventory number<br />
Inventory numbers for hosts can be stored here.<br />
Infobox ’Host names’<br />
In theory, computer names can be selected without requirements. Under certain circumstances, e.g.,<br />
when using Windows operating systems, the computer name entered in the LDAP directory must be<br />
identical to that entered in the DNS domain, which was entered directly locally on the host (usually<br />
during installation of the operating system).<br />
When the name of the domain to which the host belongs is added to the computer name, we are left<br />
with the fully qualified domain name of the host. This is better known by the acronym FQDN.<br />
To guarantee compatibility with different operating systems and services, computer names should<br />
only contain the lowercase letters a to z, numbers, hyphens and underscores.<br />
69
4 <strong>Univention</strong> Directory Manager<br />
70<br />
Umlauts and special characters are not permitted. The full stop is used as a separating mark between<br />
the individual components of a FQDN and must therefore not appear as part of the computer name.<br />
Computer names must begin with a letter.<br />
Microsoft Windows accepts computer names with a maximum of 15 characters, so as a rule computer<br />
names should be limited to 15 characters if there is any chance that Microsoft Windows will be used.<br />
’IP’ tab<br />
IP address<br />
Fixed IP addresses for the host can be given here. If a network was selected on the General tab, the<br />
IP address assigned to the host from the network will be shown here automatically. The IP addresses<br />
shown here can still be changed at another time. A thin client needs a fixed IP address under all<br />
circumstances.<br />
Attention:<br />
An IP address entered here (and in the LDAP directory) can be now be transmitted to the host via<br />
DHCP. If no DHCP server is being used, the IP address can also be transferred to the host locally.<br />
Attention:<br />
If the IP addresses entered for a host are changed without the DNS zones being changed, they are<br />
automatically changed in the computer object and — where they exist — in the DNS entries of the<br />
forward and reverse lookup zones. If the IP address of the host was entered at other places as well,<br />
these entries must be changed manually! For example, if the IP address was given in a DHCP boot<br />
policy instead of the name of the boot server, this IP address will need to be changed manually by<br />
editing the policy.<br />
’DNS’ tab<br />
This tab allows selection of the forward and reverse lookup zones in which the host is entered and<br />
specification of a DNS alias. A fixed IP address is required for these entries, which must be entered<br />
on the IP tab so that the DNS entries can be created automatically. No entries are created so long<br />
as no zones have been selected. In order for a thin client to function correctly it requires a DNS entry<br />
(Host record in the forward lookup zone).<br />
More detailed information on the topic of DNS can be found in the Chapter 4.5.9.<br />
Forward zone for DNS entry<br />
A forward lookup zone for the host can be selected here. All the forward lookup zones entered in the<br />
domain and their subcontainers are available for selection. In addition it is also necessary to select<br />
one of the host’s IP addresses with which the host should be included in the forward lookup zone.
Reverse zone for DNS entry<br />
4.5 <strong>Univention</strong> Directory Manager modules<br />
A reverse lookup zone for the host can be selected here. All the reverse lookup zones entered in the<br />
domain and their subcontainers are available for selection. In addition it is also necessary to select<br />
one of the host’s IP addresses corresponding to the reverse lookup zones with which the host should<br />
be mounted in the reverse lookup zone.<br />
Alias<br />
If a zone entry for forward mapping has been set up for the host in the Forward zone for DNS entry<br />
field, the additional alias entries via which the host can be reached can be configured here.<br />
’DHCP’ tab<br />
More detailed information on the topic of DHCP can be found in the Chapter 4.5.10.<br />
DHCP<br />
In order for a host to receive an IP address from a DHCP service an entry must consist of DHCP<br />
service, MAC address and IP address.<br />
The DHCP service which should assign the host an IP address should be selected in the first selec-<br />
tion field. The DHCP services registered in the domain are available for selection. Please note that<br />
the selected DHCP server must be responsible for the physical network.<br />
The MAC address of the network card with which the host requests an IP address from the DHCP<br />
service must be entered in the second selection field. The MAC address of the host’s network card<br />
required for this must firstly be entered on the General tab.<br />
The IP address which the DHCP service assigns to the host should be selected in the third selection<br />
field.<br />
If a network is selected on the General tab an appropriate entry for the network will be added auto-<br />
matically. This can be adapted subsequently. A DHCP entry is necessary for a thin client under all<br />
circumstances.<br />
’Account’ tab’<br />
This tab is only found on host types which join the <strong>UCS</strong> domain, e.g., domain controller, managed<br />
clients, Mac OS X clients, . . .<br />
Password<br />
Hosts which are member of the <strong>UCS</strong> domain require a password to be able to read and change<br />
their own data in the LDAP directory. The host creates a password automatically when joining the<br />
domain and makes a note of this in the /etc/machine.secret file and in the LDAP directory. Any<br />
71
4 <strong>Univention</strong> Directory Manager<br />
72<br />
passwords already entered there are overwritten. If the password here is set or changed it must also<br />
be entered locally on the host in the /etc/machine.secret file.<br />
Password (retype)<br />
If the password is entered or changed manually in the Password input field, it must be repeated in<br />
this input field to exclude the risk of typing errors.<br />
Primary group<br />
The primary group of the host can be selected in this selection field. This is only necessary when<br />
they deviate from the automatically created default values. The default value for a DC master or DC<br />
backup is DC Backup Hosts, for a DC slave DC Slave Hosts and for member services, managed<br />
clients and mobile clients Computers.<br />
’Unix account’ tab<br />
This tab is only found on computer types which join the <strong>UCS</strong> domain, e.g., domain controller, man-<br />
aged clients, Mac OS X clients, . . .<br />
Unix home directory (*)<br />
A different input field for the host account can be entered here. The automatically created default<br />
value for the home directory is /dev/null.<br />
Login shell<br />
If a different login shell from the default value is to be used for the computer account, the login shell<br />
can be adapted manually in this input field. The automatically set default value assumes a login shell<br />
of /bin/bash.<br />
’Machine account’ tab<br />
This tab is only found on Windows computers.<br />
Machine account group<br />
This selection list allows you to specify the primary group for the Windows host. The Windows Hosts<br />
default value does not usually need to be changed.<br />
Initialize password with hostname<br />
This checkbox must be selected for Windows NT 4.0 computers which are to join the domain. The<br />
computer name is then saved as the password. The computer object is not selected when it is<br />
opened with <strong>Univention</strong> Directory Manager again. The password is changed when the domain is<br />
joined (Windows NT 4.0 expects the password to be the same as the computer name when joining<br />
the domain).
’Deployment’ tab<br />
4.5 <strong>Univention</strong> Directory Manager modules<br />
This tab is found on DC master, DC backup, DC slave, member servers, managed clients, mobile<br />
clients and Windows hosts. Further information on the automatic installation can be found in the<br />
documentation for the profile-based <strong>UCS</strong> installation [3] and the <strong>Univention</strong> Windows Installer [4].<br />
(Re-)install on next boot<br />
This checkbox should be selected if <strong>UCS</strong> should be installed automatically the next time the host is<br />
booted.<br />
Attention:<br />
The check must be removed again with <strong>Univention</strong> Directory Manager during or after the installation<br />
or else it will be reinstalled every time the host is booted!<br />
This checkbox must be selected for Windows hosts if Windows should be installed automatically<br />
on the host the next time it is booted. In addition a unattend.txt file should be entered on the<br />
[Windows installation] tab. The check is automatically removed during the Windows installation.<br />
Name of installation profile<br />
An installation profile can be specified for the host in this input field for <strong>UCS</strong> hosts. Profile should be<br />
made available in the /var/lib/univention-repository/profiles/ directory on the server<br />
on which the <strong>Univention</strong> Net Installer is executed. The file name of the profile should be entered<br />
without specifying the path.<br />
Additional start options<br />
The options from this input field are passed to the kernel during the network based installation, e.g.<br />
for the deactivation of ACPI during system startup.<br />
Interactive installation<br />
A profile-based installation is executed as standard in installation with the <strong>Univention</strong> Net Installer.<br />
This checkbox must be selected if an interactive installation should be executed instead. Values in<br />
the Name of installation profile input field are saved in the LDAP directory but not used during the<br />
installation.<br />
The Name of installation profile input field and the Interactive installation checkbox are not found<br />
on this tab for Windows hosts. The [Windows installation] tab should be used instead.<br />
’Services’ tab<br />
This tab is available on the DC master, DC backup, DC slave and member server hosts.<br />
73
4 <strong>Univention</strong> Directory Manager<br />
Service<br />
The system services provided by this <strong>UCS</strong> system can be selected from the default values and<br />
entered in this list field.<br />
’(Options)’ tab<br />
This tab is only available when adding a host and only for computer types which receive a computer<br />
account as standard. The tab is not shown when editing hosts. The tab allows selection of certain<br />
object classes for the host. The input fields for attributes of deselected object classes are not shown.<br />
For <strong>UCS</strong> hosts:<br />
Kerberos principal<br />
If this checkbox is not selected the host does not receive the krb5Principal and krb5KDCEntry<br />
object classes.<br />
Posix account<br />
If this checkbox is not selected the host does not receive the posixAccount object class.<br />
Nagios support<br />
If this checkbox is not selected the host does not receive the univentionNagiosHostClass object<br />
class.<br />
For Windows hosts:<br />
Samba account<br />
If this checkbox is not selected the host does not receive the sambaSamAccount object class.<br />
Nagios support<br />
If this checkbox is not selected the host does not receive the univentionNagiosHostClass object<br />
class.<br />
4.5.4.1 Domain trust account<br />
Windows domains (Windows NT/2000/2003, Samba) which allow the <strong>UCS</strong> Samba domain a trust relation-<br />
ship require a domain trust account entry in the LDAP directory (see also Chapter 8.4.1.1).<br />
74
’General’ tab<br />
Name (*)<br />
4.5 <strong>Univention</strong> Directory Manager modules<br />
The name of the Windows domain which trusts the Samba domain should be entered in this input<br />
field.<br />
Description<br />
A description of your choice for the domain trust account can be entered in this input field.<br />
’Domain Trust Account’ tab<br />
Password (*)<br />
The password which will later be used on the PDC of the Windows domain must be entered in this<br />
input field. The password can be chosen freely, although the general requirements for passwords<br />
must be taken into account when doing so.<br />
Password (retype) (*)<br />
To avoid the risk of typing errors the above password must be reentered.<br />
4.5.5 Shares management<br />
In the sharing management, directory shares for NFS and Samba can be added, searched, edited, and<br />
deleted. Shares deleted in <strong>Univention</strong> Directory Manager will automatically be removed from the system.<br />
The data contained in the shared directory are preserved when the share is removed.<br />
The following policy objects can be used for or inherited in share management (see Chapter 4.5.11):<br />
• User quota<br />
’General’ tab<br />
Name (*)<br />
The name of the share is to be entered here.<br />
Host<br />
The server where the share is located. This setting cannot be subsequently edited. All of the domain<br />
controller master/backup/slave computers and member servers entered in the LDAP directory for the<br />
domain are available for selection which are entered in a DNS forward lookup zone in the LDAP<br />
directory. This setting cannot be subsequently edited.<br />
Directory (*)<br />
The absolute path of the directory to be shared, without quotation marks (this also applies if the<br />
name includes special characters such as spaces). If the directory does not exist, it will be created<br />
75
4 <strong>Univention</strong> Directory Manager<br />
76<br />
automatically on the selected server. No shares can be created in and below /proc, /tmp, /root,<br />
/dev and /sys.<br />
Directory owner<br />
The user who is to own the share. All the users registered for the domain in the LDAP directory<br />
are available for selection. If more than 1000 users are found (this value can be configured with<br />
the <strong>Univention</strong> Configuration Registry variable directory/manager/web/sizelimit), or if the<br />
search for users within the LDAP directory takes longer than ten seconds, an entry field will be<br />
displayed instead of the select list, in which the username is to be entered.<br />
Directory owner group<br />
The group which is to own the share. All the groups registered for the domain in the LDAP directory<br />
are available for selection. If more than 1000 groups are found (this value can be configured with<br />
the <strong>Univention</strong> Configuration Registry variable directory/manager/web/sizelimit), or if the<br />
search for groups within the LDAP directory takes longer than ten seconds, an entry field will be<br />
displayed instead of the select list, in which the group name is to be entered.<br />
Directory mode<br />
Read, write, and access permissions for the share.<br />
Attention:<br />
<strong>Univention</strong> Directory Manager stores the set values for users, groups, and access rights in the LDAP<br />
directory, and makes sure that the directory exists and shared appropriately. Should the directory al-<br />
ready exist, then the values defined in the file system will be overwritten by the values taken from the<br />
LDAP directory. Changes in the shared directory, which were carried out directly in the file system,<br />
are not passed on to the LDAP directory, and can therefore not be displayed by <strong>Univention</strong> Directory<br />
Manager. If the shared object is edited within the LDAP directory, then the changes in the file sys-<br />
tem will be overwritten. Therefore, settings should be made and changed with <strong>Univention</strong> Directory<br />
Manager exclusively.<br />
’Samba general’ tab<br />
Samba name<br />
The name of the share to be used by Samba (NetBIOS name). This is the name by which the<br />
directory is represented, for example, on Windows clients within the network environment. When<br />
adding a directory share, <strong>Univention</strong> Directory Manager automatically adopts the name entered in<br />
the Name (*) field of the General tab as the Samba name.<br />
Attention:<br />
The homes share plays a special role within Samba. This share is used for sharing the home directo-<br />
ries of the users. This share is automatically converted to the user’s home directory. Samba therefore<br />
ignores the rights assigned in the share, and uses the rights of the respective home directory instead.
Browseable<br />
4.5 <strong>Univention</strong> Directory Manager modules<br />
Specifies whether the share in question is to show up on Windows clients within the network environ-<br />
ment.<br />
Public<br />
Permits access to this share without a password. Every access is carried out by means of the com-<br />
mon guest user nobody.<br />
Postexec script<br />
A script or command which is to be executed if the connection to this share is finished.<br />
Preexec script<br />
A script or command which is to be executed each time a connection to this share is established.<br />
VFS Objects<br />
Virtual File System (VFS) modules are used in Samba for performing actions before an ac-<br />
cess to the file system of a share is made. A VFS module can be, for example, an<br />
anti-virus software which moves each infected file that is accessed within the share, to a<br />
quarantine area. VFS modules are documented in the official Samba HOWTO manual at<br />
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/VFS.html.<br />
MSDFS Root<br />
A distributed file system makes it possible to map shares spanning several servers and paths to a<br />
virtual directory hierarchy. This mechanism can be utilised for distributing loads to several servers, or<br />
to outsource storage locations. It also represents an improved method for mapping logical structures.<br />
MSDFS means Microsoft Distributed File System, and represents the implementation of a distributed<br />
file system.<br />
Setting the MSDFS Root option indicates that the shared directory is a share which can be used for<br />
the MSDFS. References to other shares are only displayed in such an MSDFS root, elsewhere they<br />
are hidden.<br />
To be able to utilise the functions of a distributed file system, the <strong>Univention</strong> Configuration Registry<br />
variable samba/enable-msdfs has to be set to yes. Afterwards Samba has to be restarted.<br />
For creating a reference from server sa within the share fa to share fb on the server sb, the following<br />
command has to be executed in directory fa:<br />
ln -s msdfs:sb\\fb zufb<br />
77
4 <strong>Univention</strong> Directory Manager<br />
78<br />
This reference will be displayed on every client capable of MSDFS (e.g. Windows 2000 and XP) as a<br />
regular directory.<br />
Attention:<br />
Only restricted user groups should have write access to root directories. Otherwise, it would be pos-<br />
sible for users to redirect references to other shares, and intercept or manipulate files. In addition,<br />
paths to the shares, as well as the references are to be spelt entirely in lower case.<br />
If changes are made in the references, the concerned clients have to be restarted. Further informa-<br />
tion on this issue can be found in the Samba documentation [9] in the chapter ’Hosting a Microsoft<br />
Distributed File System Tree’.<br />
Users with write access may modify permissions<br />
According to the Unix file permission concept, only those users who own a file may change access<br />
permissions. Samba has adopted this scheme. If this option is activated, all users with write permis-<br />
sion to a file are allowed to change permissions, ACL entries, and file ownership rights. It has to be<br />
noted that users of an owner group, who merely have read permission, are not authorised to carry<br />
out any changes.<br />
Hide unreadable files/directories<br />
If this option is activated, all files which are nonreadable for the user due to their file permissions, will<br />
be hidden.<br />
’Samba permissions’ tab<br />
Samba write access<br />
Permits writing access to this share from Windows clients.<br />
Force user<br />
This username and its permissions and primary group is used for performing all the file operations<br />
of all users. The username is only used once the user has established a connection to the Samba<br />
share by using his real username and password. A common username is useful for using data in a<br />
shared way, yet improper application might cause security problems.<br />
Force group<br />
A group which is to be used by all users connecting with this share, as their primary group. Thereby,<br />
the permissions of this group automatically apply as the group permissions of all these users. A group<br />
registered here has a higher priority than a group which was assigned as the primary group of a user<br />
via the Force user entry field.<br />
If a + sign is prefixed to the group name, then the group is assigned as a primary group solely to<br />
those users which are already members of this group. All other users retain their primary groups.
Valid users<br />
4.5 <strong>Univention</strong> Directory Manager modules<br />
Names of users or groups which are authorised to access this Samba share. To all other users,<br />
access is denied. If the field is empty, all users may access the share - if necessary after entering a<br />
password.<br />
The entries are to be separated by spaces. The special characters @, + and & can be used in<br />
connection with the group name for assigning certain permissions to the users of the stated group for<br />
accessing the Samba share:<br />
• A name beginning with the character @ will first be interpreted as a NIS Netgroup. Should no<br />
NIS Netgroup of this name be found, the name will be considered as a UNIX group.<br />
• A name beginning with the character + will be exclusively considered as a UNIX group, a name<br />
beginning with the character & will be exclusively considered as a NIS Netgroup.<br />
• A name beginning with the characters +&, will first be interpreted as a UNIX group. Should<br />
Hide files<br />
no UNIX group of this name be found, the name will be considered as a NIS Netgroup. The<br />
characters &+ as the beginning of a name correspond to the character @.<br />
Files and directories to be accessed under Windows, yet not to be visible. Such files or directories<br />
are assigned the DOS attribute hidden.<br />
When entering the names of files and directories, upper and lower case letters are to be differentiated.<br />
Each entry is to be separated from the next by a slash. Since the slash can thus not be used for<br />
structuring path names, the input of path names is not possible. All files and directories of this name<br />
within the share will be hidden. The names may include spaces and the wildcards * and ?.<br />
Example:<br />
/.*/test/ hides all files and directories the names of which begin with a dot, or which are called test.<br />
Attention:<br />
Entries in this field have an impact on the speed of Samba since every time particular contents of the<br />
share are to be displayed, all files and directories have to be checked according to the active filters.<br />
NT ACL support<br />
If this option is activated, Samba will try to show POSIX ACLs under Windows, and to adopt changes<br />
to the ACLs, which were performed under Windows, for the POSIX ACLs. For this purpose, the Linux<br />
file system has to support POSIX ACLs. In <strong>UCS</strong> the file systems ext3 and XFS support POSIX-ACLs.<br />
If this option is not set, existing POSIX ACLs are effective but not shown under Windows, and conse-<br />
quently cannot be changed under Windows.<br />
79
4 <strong>Univention</strong> Directory Manager<br />
80<br />
Users with write access<br />
Only the users and groups listed here have write permission for the corresponding share.<br />
Inherit ACLs<br />
When activating this option, each file created in this share will inherit the ACL (Access Control List)<br />
of the directory where the file was created.<br />
Inherit owner<br />
When activating this option, each newly created file will not be assigned of the user who created the<br />
file, but to the owner of the superior directory instead.<br />
Inherit permissions<br />
When activating this option, for each file or directory created in this share, the UNIX permissions of<br />
the superior directory will automatically be adopted.<br />
’Samba custom settings’ tab<br />
Custom settings for Samba shares<br />
Apart from the properties which can, as a standard feature, be configured in a Samba share, this<br />
setting makes it possible to define further arbitrary Samba settings within the share. A list of available<br />
options can be obtained by the command man smb.conf. In Key the name of the option is to be<br />
entered, and in the Value field the value to be set. Double entries of configuration options are not<br />
checked.<br />
Attention:<br />
The definition of extended Samba settings is only necessary in very special cases. The options<br />
should be thoroughly checked before setting since they might have security-relevant effects.<br />
Samba extended permissions<br />
If a new file is created on a Samba server from a Windows client, the file permissions will be set in<br />
several steps:<br />
1. First, only the DOS permissions are translated into UNIX permissions.<br />
2. Then the permissions are filtered via the File mode. UNIX permissions which are marked in<br />
File mode, are the only ones preserved. Permissions not set here, will be removed. Thus, the<br />
permissions have to be set as UNIX permissions and in File mode in order to be preserved.<br />
3. In the next step, the permissions under Force file mode are added. As a result, the file will<br />
have all the permissions set after step 2 or under Force file mode. This means, permissions<br />
marked under Force file mode are set in any case.
4.5 <strong>Univention</strong> Directory Manager modules<br />
Accordingly, a newly created directory will initially be assigned the same permissions as that which<br />
are set as UNIX permissions and in Directory mode at the same time. Then these permissions are<br />
completed by those marked under Force directory mode.<br />
In a similar way, the security settings are adopted for existing files and directories the permissions of<br />
which are edited under Windows:<br />
Only those permissions can be changed under Windows, which are marked in Security mode or in<br />
Directory security mode. Once this is done, the permissions marked under Force security mode<br />
of under Force directory security mode are set in any case.<br />
Thus, the parameters File mode and Force file mode, or Directory mode and Force directory<br />
mode are applied during the creation of a file or directory, while the parameters Security mode and<br />
Force Security Mode or Security directory mode and Force security directory mode are applied<br />
when changing permissions.<br />
Attention:<br />
The security settings only relate to the access via Samba.<br />
The user on the Windows side does not receive any notification of the fact that the file or directory<br />
authorisations might by changed according to the Samba settings on this tab.<br />
File mode<br />
The permissions Samba is to adopt when creating a file, provided they are set under Windows.<br />
By default, this parameter is set to 0744, i.e. the owner has full access, the group and others have<br />
read permission.<br />
Directory mode<br />
The permissions Samba is to adopt when creating a directory, provided they are set under Windows.<br />
By default, this parameter is set to 0755, i.e. the owner has full authorisation, the group and others<br />
only have the permission to list the contents of the directory, and to change into the directory.<br />
Force file mode<br />
The permissions Samba is to set in any case when creating a file, irrespective of whether they are<br />
set under Windows or not.<br />
By default, this parameter is set to 0000, i.e. no additional permissions are set.<br />
Force directory mode<br />
The permissions Samba is to set in any case when creating a directory, irrespective of whether they<br />
81
4 <strong>Univention</strong> Directory Manager<br />
82<br />
are set under Windows or not.<br />
By default, this parameter is set to 0000, i.e. no additional permissions are set.<br />
Security mode<br />
The file permissions to which Samba is to permit changes made from Windows side.<br />
By default, this parameter is set to 0777, meaning all permissions may be changed.<br />
Directory security mode<br />
The directory authorisations to which Samba is to permit changes made from Windows side.<br />
By default, this parameter is set to 0777, meaning all authorisations may be changed.<br />
Force security mode<br />
The permissions Samba is to set in any case (irrespective of whether they are set under Windows or<br />
not), if file permissions are changed from Windows side.<br />
By default, this parameter is set to 0000, meaning no permissions will be set compulsively in case of<br />
changes.<br />
Force directory security mode<br />
The permissions Samba is to set in any case if directory permissions are changed from Windows<br />
side (irrespective of whether they are set under Windows or not).<br />
By default, this parameter is set to 0000, meaning no permissions will be set compulsively in case of<br />
changes.<br />
’Samba performance’ tab<br />
Locking<br />
Locking means preventing concurrent access to one resource, making an exclusive access possible.<br />
When activating this checkbox, Samba will lock the access to files on the client’s request.<br />
If Locking is deactivated, the execution of lock and unlock requests is only pretended. All lock<br />
requests will be answered by the assertion, the requested file could be locked.<br />
This option can be useful for improving performance, yet it should generally not be set in shares with<br />
write access, since without locking, files might be corrupted due to concurrent access.<br />
Blocking locks
Clients can send a lock request with a time limit for a certain area of an open file.<br />
4.5 <strong>Univention</strong> Directory Manager modules<br />
In case Samba is unable to comply with a the lock request, and this option is activated, then Samba<br />
will - in periodical intervals until the expiry of the time limit - try to lock the requested file area. If the<br />
option is deactivated, no further attempt will be made.<br />
Strict locking<br />
If this option is activated, Samba will with each read or write access check if the file is locked, and will<br />
deny access if required. On some systems, this procedure can take a long time.<br />
If this option is deactivated, Samba will check if the file is locked on the client’s request exclusively.<br />
Well configured clients ask for a check in all important cases, so that this option is usually unneces-<br />
sary.<br />
Oplocks<br />
If this option is activated, Samba will use so-called opportunistic locks. This can improve the speed<br />
of file access considerably. However, the option permits clients local caching of files on a large scale.<br />
In unreliable networks it might therefore be necessary to do without Oplocks.<br />
Level 2 oplocks<br />
When activating this option, Samba will support an extended form of Oplocks, the so-called oppor-<br />
tunistic read-only locks or Level 2 Oplocks. Windows clients receiving a read/write Oplock for a<br />
file can then scale down this Oplock to a read-only Oplock instead of having to abandon the Oplock<br />
completely as soon as a second client opens the file. All clients supporting Level 2 Oplocks, will then<br />
cache read access processes to the file exclusively. Should one of the clients write to the file, all the<br />
other clients will be asked to abandon their Oplocks, and to empty their caches.<br />
It is recommended to activate this option to speed up access to files which are normally not written to<br />
(e.g. programs / executable files).<br />
Attention:<br />
If kernel Oplocks are supported, Level 2 Oplocks will not be allowed, even if the option is activated.<br />
Only if the checkbox Oplocks is also ticked, this option will become valid.<br />
Fake oplocks<br />
When activating this option, Samba will allow all Oplock requests irrespective of the number of clients<br />
having access to a file. This method considerably improves performance, and is useful for shares<br />
which can only be accessed for reading (e.g. CD-ROMs), or where it is ensured that there can never<br />
occur a situation when several clients make access at the same time.<br />
If it cannot be excluded that several clients make reading and writing access to a file at the same<br />
83
4 <strong>Univention</strong> Directory Manager<br />
84<br />
time, this option should not be activated, since it may cause data loss.<br />
Block size<br />
The block size in which unoccupied disk space is to be reported to the clients. By default, this size is<br />
defined as 1024 bytes.<br />
Client-side caching policy<br />
This option specifies in which way the clients are to cache the files of this share offline. The available<br />
alternatives are manual, documents, programs, and disable.<br />
’(Options)’ tab<br />
Export for Samba clients<br />
This option defines whether the share is to be exported for Samba clients.<br />
Export for NFS clients<br />
This option defines whether the share is to be exported for NFS clients.<br />
Export for Web clients<br />
This option defines whether the share is to be exported for web access through the Horde client.<br />
’NFS General’ tab<br />
NFS write access<br />
Permits writing NFS access to this share.<br />
NFS synchronisation<br />
The synchronisation mode for the share. The sync setting causes immediate synchronisation of the<br />
data, async initiates synchronisation when the workload of the server permits to do so. Synchroni-<br />
sation is then performed in the background.<br />
Redirect root access<br />
In the NFS standard procedure, identification of users is achieved via user IDs. To prevent a local<br />
root user from working with root permissions on other shares, root access can be redirected. If this<br />
option is activated, access operations are executed as user nobody.<br />
Attention:<br />
The local group staff , which is by default empty, owns privileges which come quite close to root<br />
permissions, yet this group is not considered by the redirection mechanism. This fact should be<br />
borne in mind when adding users to this group.
Subtree checking<br />
4.5 <strong>Univention</strong> Directory Manager modules<br />
If only one subdirectory of a file system is exported, the NFS server has to check whether an accessed<br />
file is located on the exported file system and in the exported path, each time access is made. Path<br />
information is passed on to the client for this check. Activating this function might cause problems if<br />
a file opened by the client, is renamed.<br />
Allowed hosts<br />
By default, all hosts are permitted access to a share. In this select list, host names and IP addresses<br />
can be included, to which the access to the share is to be restricted. For example, access to a share<br />
containing mail data could be restricted to the mail server of the domain.<br />
4.5.6 Samba<br />
With its extensive range of functions Samba is an important link between <strong>UCS</strong> domains and Windows<br />
computers. Certain Samba settings can be performed in <strong>Univention</strong> Directory Manager. For example, it is<br />
possible to manage the settings for passwords and RIDs.<br />
4.5.6.1 Settings: Samba Domain<br />
The Settings: Samba Domain object can be used to control the issuing of RIDs for users, groups and<br />
other groups as well as performing password-relevant settings. It is normally stored in the samba container<br />
in the LDAP navigation.<br />
’General’ tab<br />
Samba Domain Name (*)<br />
The Samba domain name given here is assigned to the Samba security ID (SID). The Samba domain<br />
name can also be changed after the object is created.<br />
When changes are made, the <strong>Univention</strong> Configuration Registry variable windows/domain must<br />
also be set to the respectively used domain names on the Samba servers locally (see Chapter 8.4.6).<br />
Samba SID<br />
The Samba security ID can only be given or modified when creating an object. Subsequent changes<br />
are not possible. The field is greyed out in this case.<br />
Next User RID<br />
The figure given here is issued as the next Samba user RID. If no setting is made, Samba manages<br />
the RIDs itself.<br />
Next Group RID<br />
85
4 <strong>Univention</strong> Directory Manager<br />
86<br />
The figure given here is issued as the next Samba group RID. If no setting is made, Samba manages<br />
the RIDs itself.<br />
Next RID<br />
The figure given here is issued as the next RID for objects which are neither users nor groups.<br />
Password Length<br />
Specifies the minimum length for passwords. The user cannot set passwords shorter than this length.<br />
Password History<br />
To force the user to use different passwords, the recently used passwords are archived here. If an<br />
attempt is made to use an existing password when setting a new password, this password will be<br />
rejected. The number of passwords archived can set in this input field.<br />
Minimum Password Age<br />
If a minimum password age is set, the user can only reuse this password once the time period given<br />
has expired. This can be set in seconds, minutes, hours or days.<br />
Maximum Password Age<br />
If a maximum password age is set, the user will be asked to change his password when the time since<br />
the last password change exceeds the time period given here. This can be set in seconds, minutes,<br />
hours or days.<br />
Bad Lockout Attempts<br />
To suppress or slow down repeated attempts at guessing passwords, a user can be blocked automat-<br />
ically after the number of failed attempts to log in given here.<br />
Lockout Duration Minutes<br />
A user who has been blocked following too many failed attempts to log in will have this block lifted<br />
after the time period given here elapses. This can be set in seconds, minutes, hours or days.<br />
Reset Count Minutes<br />
The counter for failed log-in attempts will be automatically reset once the time period given here<br />
elapses. This time period is set in minutes.<br />
User must Logon to Change Password<br />
Selecting this checkbox requires a user to be logged on before he can change his password. If the<br />
maximum password age has already been exceeded, the user can no longer log in and must ask<br />
an administrator to reset the password. If the checkbox is not selected, the user can change the<br />
password when logging in
Disconnect Time<br />
4.5 <strong>Univention</strong> Directory Manager modules<br />
This input field is used to specify after what period of inactivity the connection to the Samba share<br />
should be teared down. This can be set in seconds, minutes, hours or days.<br />
4.5.7 Printer management<br />
Printer shares can be added, searched, edited and removed in printer management. When a printer share<br />
is added, the printer is automatically set up in CUPS. All printers set up in CUPS are automatically provided<br />
for Windows computers via Samba. When a printer share is removed, the printer is also automatically<br />
removed from the CUPS configuration and, when appropriate, from the Samba configuration.<br />
Attention:<br />
Network printers with their own network interface should be entered as an IP managed client in computer<br />
management.<br />
In addition, printer groups can be defined, the members of which are used in rotation to process print jobs,<br />
which distributes the loads automatically amongst printers set up near to each other. Printer groups are<br />
described as a part of the whole <strong>UCS</strong> print system in Chapter 13.3.4.<br />
Print Quota settings can be applied/inherited to the printer management using a policy (see Chapter<br />
4.5.11):<br />
4.5.7.1 Printers<br />
’General’ tab<br />
Name (*)<br />
This input field contains the name of the printer share, which is used by CUPS. The printer appears<br />
under this name in Linux and Windows. The name may contain alphanumeric characters (i.e., upper-<br />
case and lowercase letters a to z and numbers 0 to 9) as well as hyphens and underscores. Other<br />
characters (including blank spaces) are not permitted.<br />
Spool host (*)<br />
A print server (spooler) manages the printer queue for the printers to be shared. It converts the data<br />
to be printed into a compatible print format when this is necessary. If the printer is not ready, the print<br />
server saves the print jobs temporarily and forwards them on to the printer subsequently. If more than<br />
one print server is specified, the print job from the client will be sent to the first print server to become<br />
available.<br />
Protocol and Destination (*)<br />
These two input fields create the URI (Universal Ressource Identifier). A resource (e.g., a queue)<br />
can be addressed using the communications protocol (http://, ipp://, . . . ) and the path. The following<br />
table describes the syntax of the individual protocols and gives an example for each:<br />
87
4 <strong>Univention</strong> Directory Manager<br />
88<br />
Protocol Target syntax Example<br />
file:/ /tmp/print.file<br />
http:// [:]/ 192.168.0.10:631/printers/remote_prn<br />
ipp:// /printers/ printer_01/printers/laser<br />
lpd:// / 10.200.18.30/bwdraft<br />
parallel:/ dev/lp0<br />
socket:// : printer_03:9100<br />
usb:/ dev/usb/lp0<br />
smb:// / prroom104/slot3<br />
cups-pdf:/
Manufacturer<br />
4.5 <strong>Univention</strong> Directory Manager modules<br />
When the printer manufacturer is selected, the Printer model selection list updates automatically.<br />
Printer model (*)<br />
This selection list shows all the printers available from the selected manufacturer. If the required<br />
printer model is not there, a similar model can be selected and a test print used to establish correct<br />
function. Chapter 4.5.12.2 explains how to expand the list of printer models.<br />
Attention:<br />
The “Printer models” None and smb can be found under “Manufacturer” misc. The None model can<br />
be selected if the printer is PostScript-compatible and the printing hosts sends print jobs in PostScript<br />
format. This is also the case is the computer send print jobs which are already in the format of the<br />
printer. The print jobs are then spooled from CUPS and not filtered.<br />
The smb model is suitable for printers which can be contacted using the smb protocol. This is usually<br />
the case for printers connected to a Windows computer.<br />
Samba name<br />
A printer can also be assigned an additional name by which it can be reached from Windows. Unlike<br />
the CUPS name (see Name), the Samba name may contain blank spaces and umlauts. The printer<br />
is then available to Windows under both the CUPS name and the Samba name.<br />
Using a Samba name in addition to the CUPS name is practical, for example, if the printer was already<br />
in use in Windows under a name which contains blank spaces or umlauts. The printer can then still<br />
be reached under this name without the need to reconfigure the Windows computers.<br />
Enable quota support<br />
If quota were activated for this printer, the quota settings on the [Print Quota] tab apply.<br />
Attention:<br />
The ’Services/Print quota’ components need to have been selected during installation or installed by<br />
running the univention-system-setup-software in order to be able to calculate print quotas<br />
and print costs.<br />
Price per page<br />
The user is charged the value given in this input field for every page printed. The incurred costs are<br />
summarised in the user’s account and used for the accurate calculation of print costs. If no value is<br />
specified, print costs will not be calculated.<br />
Price per print job<br />
The user is charged the value given in this input field for every print job. The incurred costs are<br />
summarised in the user’s account and used for the accurate calculation of print costs. If no value is<br />
89
4 <strong>Univention</strong> Directory Manager<br />
specified, print costs will not be calculated.<br />
Location<br />
This is displayed by some applications when selecting the printer. It can be filled with any text.<br />
Description<br />
This is displayed by some applications when selecting the printer. It can be filled with any text.<br />
’Access Control’ tab<br />
Access control<br />
Access rights for the printer can be specified here. Access can be limited to certain groups or users<br />
or generally allowed and certain groups or users blocked specifically. As standard, access is available<br />
for all groups and users. These rights are also adopted for the corresponding Samba printer shares,<br />
so that the same access rights apply when printing via Samba as when printing directly via CUPS.<br />
Allowed/denied users<br />
This lists individual users for whom access should be controlled.<br />
Allowed/denied groups<br />
This lists individual groups for whom access should be controlled.<br />
4.5.7.2 Printer groups<br />
90<br />
’General’ tab<br />
Name (*)<br />
This input field contains the names of the printer group share, which is used by CUPS. The printer<br />
group appears under this name in Linux and Windows.<br />
The name may contain alphanumeric characters (i.e., uppercase and lowercase letters a to z and<br />
numbers 0 to 9) as well as hyphens and underscores. Other characters (including blank spaces) are<br />
not permitted.<br />
Spool host (*)<br />
A range of print servers (spoolers) can be specified here to expand the list of printers available for<br />
selection. Printers which are assigned to the servers specified here can then be adopted in the Group<br />
members list from the selection arranged below them.<br />
Samba name<br />
A printer group can also be assigned an additional name by which it can reached from Windows.
4.5 <strong>Univention</strong> Directory Manager modules<br />
Unlike the CUPS name (see Name), the Samba name may contain blank spaces and umlauts. The<br />
printer is then available to Windows under both the CUPS name and the Samba name.<br />
Using a Samba name in addition to the CUPS name is practical, for example, if the printer group was<br />
already in use in Windows under a name which contains blank spaces or umlauts. The printer group<br />
can then still be reached under this name without the need to reconfigure the Windows computers.<br />
Group members<br />
This list is used to assign printers to the printer group.<br />
Enable quota support<br />
If quota were activated for this printer group, the quota settings on the [Print Quota] tab apply.<br />
Attention:<br />
The ’Services/Print quota’ components need to have been selected during installation or installed by<br />
running the univention-system-setup-software in order to be able to calculate print quotas<br />
and print costs.<br />
Price per page<br />
The user is charged the value given in this input field for every page printed. The incurred costs are<br />
summarised in the user’s account and used for the accurate calculation of print costs. If no value is<br />
specified, print costs will not be calculated.<br />
Price per print job<br />
The user is charged the value given in this input field for every print job. The incurred costs are<br />
summarised in the user’s account and used for the accurate calculation of print costs. If no value is<br />
specified, print costs will not be calculated.<br />
4.5.8 Containers, organisational units, domains<br />
4.5.8.1 Adding containers and organisational units<br />
As a means of structuring the data of the LDAP directory, containers and organisational units can be<br />
included at any position within this structure. Organisational units represent units existing in the real world,<br />
such as the departments of a company or an institution, while containers stand for fictional units within the<br />
enterprise, e. g. all the computers of the company.<br />
’General’ tab<br />
Name (*)<br />
A random name for the container / organisational unit.<br />
91
4 <strong>Univention</strong> Directory Manager<br />
Description<br />
A random description for the container / organisational unit.<br />
’Container settings’ tab<br />
Add to standard containers<br />
If this option is activated, the container or organisational unit will be regarded as a standard container<br />
for a certain object type (see chapter 4.5.12.7).<br />
’Policies’ tab<br />
This tab is described in chapter 4.5.11.3.<br />
4.5.8.2 Edit domain<br />
The domain object is automatically created in the LDAP directory during installation. It forms the basis of<br />
the LDAP directory and can be edited via <strong>Univention</strong> Directory Manager.<br />
This directory is often called the directory tree, with the domain object as its root.<br />
92<br />
’General’ tab<br />
Name (*)<br />
The name of the domain. Once the domain has been created, the name cannot be changed again.<br />
’Domain Password’ tab<br />
This tab is not used in one-domain concepts.<br />
’DNS’ tab<br />
All the DNS zones stored within the domain are listed here. The procedures for creating, editing and<br />
deleting DNS zones are established in Chapter 4.5.9; alterations there are automatically adopted in<br />
the lists shown here. The lists on this tab cannot be altered manually.<br />
DNS forward lookup zone<br />
All the Forward Lookup Zones stored within the domain are listed here.<br />
DNS reverse lookup zone<br />
All the Reverse Zones stored within the domain are listed here.
’Samba’ tab<br />
4.5 <strong>Univention</strong> Directory Manager modules<br />
The Samba settings are only performed here if installation was performed with a <strong>UCS</strong> version up to<br />
1.2-3. As of <strong>UCS</strong> 1.2-4 Samba settings are managed in their own objects (see Chapter 4.5.6).<br />
Samba domain name (*)<br />
Names of Samba domains can be added and removed here. In this, the Samba domain names<br />
are simply allocated to the Samba SIDs visible on this tab. In addition, the <strong>Univention</strong> Configuration<br />
Registry variable windows/domain must also be set to the respectively used domain names on the<br />
Samba servers (see Chapter 8.4.6.1).<br />
Samba SID (*)<br />
The Samba SID is shown here. The SID is displayed in grey as it cannot be changed.<br />
Next Samba user RID (*)<br />
This option can be used to configure what number should be allocated as the next Samba user RID.<br />
Next Samba group RID (*)<br />
This option can be used to configure what number should be allocated as the next Samba group RID.<br />
’Kerberos’ tab<br />
Kerberos realm (*)<br />
The name of the Kerberos realm. This entry is displayed in grey and barred from being changed.<br />
’Mail’ tab<br />
Mail relay server<br />
You can enter the FQDN of clients here, which are to be used as relay hosts. (siehe Kapitel 12) .<br />
’Policies’ tab<br />
The policies tab is described in chapter 4.5.11.3.<br />
4.5.9 DNS<br />
DNS files are stored in the cn=dns, container as standard. Forward and reverse lookup zones<br />
are stored directly in the container. Additional DNS objects such as pointer records can be stored in the<br />
respective zones.<br />
The relative or fully qualified domain name (FQDN) (see the information on host names, page 69) should<br />
always be used in the input fields for computers and not the computer’s IP address. A FQDN should always<br />
93
4 <strong>Univention</strong> Directory Manager<br />
end in a full stop to avoid the domain name being added anew.<br />
4.5.9.1 Forward lookup zone<br />
A forward lookup zone contains information which is used to resolve DNS names into IP addresses.<br />
94<br />
’General’ tab<br />
Zone name (*)<br />
This is the complete name of the DNS domain for which the zone will be responsible.<br />
Attention:<br />
The domain name must not end in a full stop in zone names!<br />
Zone Time-to-Live (*)<br />
The time to live specifies how long these files may be cached by other DNS servers. The preset value<br />
is three hours.<br />
’Start of Authority’ tab<br />
Each DNS zone has at least one authoritative, primary name server whose information governs the<br />
zone. Subordinate servers synchronise themselves with the authoritative server via zone transfers.<br />
The entry which defines such a zone is called a "SOA record" in DNS terminology.<br />
Contact person (*)<br />
The e-mail address of the person responsible for administrating the zone (with a full stop at the end).<br />
Name server (*)<br />
The fully qualified domain name with a full stop at the end or the relative domain name of the primary<br />
master name server.<br />
Attention:<br />
Only the primary master name server should be entered in this field. Further name servers can be<br />
entered on the Name servers tab.<br />
Serial number (*)<br />
Other DNS servers use the serial number to recognise whether zone data have changed. The slave<br />
name server compares the serial number of its copy with that on the master name server. If the serial<br />
number of the slave is lower than that on the master, the slave copies the changed data.<br />
There are two commonly used patterns for this serial number:<br />
• Start with 1 and increment the serial number with each change
4.5 <strong>Univention</strong> Directory Manager modules<br />
• By including the date the number can be entered in the format YYYYMMDDNN, where Y stands<br />
for year, M for month, D for day and N for the number of the change of this day.<br />
If the serial number is not changed manually, <strong>Univention</strong> Directory Manager automatically increases<br />
the value by 1 if [OK] was clicked. If the process is cancelled, the serial number remains unchanged.<br />
Refresh interval (*)<br />
The time span after which the slave name server checks that its copy of the zone data is up-to-date.<br />
Common values are between one and 24 hours. The preset value is eight hours.<br />
Retry interval (*)<br />
The time span after which the slave name server tries again to check that its copy of the zone data<br />
is up-to-date after a failed attempt to update. This time span is usually set to be less than the update<br />
interval, but can also be equal. The preset value is two hours.<br />
Expiry interval (*)<br />
The time span after which the copy of the zone data on the slave becomes invalid if it could not be<br />
checked to be up-to-date.<br />
For example, an expiry interval of one week means that the copy of the zone data becomes invalid<br />
when all requests to update in one week fail. In this case, it is assumed that the files are too outdated<br />
after the expiry interval date to be used further. The slave name server can then no longer answer<br />
name resolution requests for this zone.<br />
Common periods for this are one week. Longer expiry intervals can be selected if there are problems<br />
with the network connections to the master name server. The preset value is one week.<br />
Minimum Time-to-Live (*)<br />
The minimum time to live specifies how long other servers can cache no-such-domain (NXDOMAIN)<br />
answers. This value cannot be set at more than 3 hours, the preset value is 3 hours.<br />
’Name servers’ tab<br />
Name servers (usually called NS records in DNS terminology) can be assigned to a zone on this tab.<br />
The name server entered on the Start of Authorty tab appears automatically in the Entries list field.<br />
Name server (*)<br />
The fully qualified domain name with a full stop at the end of the relative domain name of the name<br />
server.<br />
Attention:<br />
The name server which appears at the top of the list is always the master, irrespective of what is<br />
95
4 <strong>Univention</strong> Directory Manager<br />
entered in the Name server input field of the Start of Authority tab.<br />
’TXT records’ tab<br />
Text records (known as TXT records in DNS terminology) can be defined here. These contain human-<br />
readable text and can contain descriptive information, which is used in anti-spam measures, for ex-<br />
ample.<br />
TXT Record<br />
Descriptive text for this zone. Text records must not contain umlauts or other special characters.<br />
’MX records’ tab<br />
The mail exchanger entry for a zone (called MX record in DNS terminology) is important DNS infor-<br />
mation necessary for e-mail routing. It points to the computer which accepts e-mails for a domain.<br />
Priority (*)<br />
A numerical value between 0 and 65535. If several mail servers are available for the MX record, an<br />
attempt will be made to engage the server with the lowest priority value first.<br />
Mail Server (*)<br />
The mail server responsible for this domain as fully qualified domain name with a full stop at the end.<br />
Only canonical names and no alias names can be used here.<br />
4.5.9.2 Alias record<br />
A pointer to an existing, canonical DNS name can be defined here using an alias record (also known as<br />
CNAME record in DNS terminology). Any number of alias records can be defined to one canonical name.<br />
An alias record must always be assigned to a forward lookup zone and can therefore only be added to a<br />
forward lookup zone or a subordinate container.<br />
96<br />
’General’ tab<br />
Alias (*)<br />
The alias name as fully qualified domain name with a full stop at the end or as a relative domain name<br />
which should point to the canonical name.<br />
Zone Time-to-Live<br />
The time to live specifies how long these files may be cached by other DNS servers. The preset value<br />
is three hours.
’Alias’ tab<br />
Canonical name (*)<br />
4.5 <strong>Univention</strong> Directory Manager modules<br />
The canonical name of the computer that the alias should point to, entered as a fully qualified domain<br />
name with a full stop at the end or a relative domain name.<br />
The canonical name is the name which was entered in the Hostname input field on the host object.<br />
If the host object was created automatically when adding a computer, the value is the same as the<br />
computer name entered at the time.<br />
4.5.9.3 Host record<br />
Additional information about a computer and its configuration can be defined in a host record. It must<br />
always be assigned to a forward lookup zone and can therefore only be added to a forward lookup zone or<br />
a subordinate container.<br />
Attention:<br />
When adding or editing a computer a host record can be created automatically or edited.<br />
Karteikarte ’Allgemein’<br />
Hostname (*)<br />
The FQDN with a full stop at the end or the relative domain name of the name server. The notes on<br />
computer names (Chapter 4.5.4) must be observed.<br />
IP Address<br />
A host record assigns an Ipv4 address to a DNS name. This entry creates such a record for the<br />
current host.<br />
Zone Time-to-Live<br />
The time to live specifies how long these files may be cached by other DNS servers. The preset value<br />
is three hours.<br />
’IP addresses’ tab<br />
Further IP addresses for the computer (and further A records) can be entered and removed here.<br />
IP Address<br />
Additional IP addresses where the computer can be reached.<br />
Attention:<br />
In this variant, all IP addresses are assigned to the same canonical name. If each IP address should<br />
97
4 <strong>Univention</strong> Directory Manager<br />
be able to be reached under its own canonical name, a host record must be created for each IP<br />
address and different names entered in the Hostname input field.<br />
4.5.9.4 Service record<br />
Service records (SRV record in DNS terminology) offer the possibility of storing information on available<br />
system services in the DNS. In <strong>UCS</strong> service records are used amongst other things to make LDAP servers<br />
or the domain controller master known domain-wide.<br />
A service record must always be assigned to a forward lookup zone and can therefore only be added to a<br />
forward lookup zone or a subordinate container.<br />
98<br />
’General’ tab<br />
Service (*)<br />
The name under which the service should be reachable.<br />
Protocol (*)<br />
TCP and UDP are available.<br />
Priority (*)<br />
A whole number between 0 and 65535. If more than one server offer the same service, the client will<br />
approach the server with the lowest priority value first.<br />
Weight (*)<br />
A whole number between 0 and 65535. The weight function is used for load balancing between<br />
servers with the same priority. When more than one server offer the same service and have the<br />
same priority the load is distributed across the servers in relation to the weight function.<br />
Example: Server1 has a priority of 1 and a weight function of 1, whilst Server2 also has a priority<br />
of 1, but has a weight function of 3. In this case, Server2 will be used three times as often as<br />
Server1. The load is measured depending on the service, for example, as the number of requests or<br />
connection.<br />
Port (*)<br />
The port where the service can be reached on the server (valid value from 1 to 65535).<br />
Server (*)<br />
The name of the server on which the service will be made available, as a fully qualified domain name<br />
with a full stop at the end or a relative domain name.<br />
Zone Time-to-Live
4.5 <strong>Univention</strong> Directory Manager modules<br />
The time to live specifies how long these files may be cached by other DNS servers. The preset value<br />
is three hours.<br />
Several servers can be entered for each service via the check box.<br />
4.5.9.5 Reverse lookup zone<br />
A reverse lookup zone is used to resolve IP address into host names.<br />
’General’ tab<br />
Subnet (*)<br />
The IP address of the network for which the reverse lookup zone shall apply. For example, if the<br />
network in question consisted of the IP addresses 192.168.1.0 to 192.168.1.255, 192.168.1 should<br />
be entered.<br />
Zone Time-to-Live (*)<br />
The time to live specifies how long these files may be cached by other DNS servers. The preset value<br />
is three hours.<br />
’Start of Authority’ tab<br />
Each DNS zone has at least one authoritative, primary name server whose information governs the<br />
zone. Subordinate servers synchronise themselves with the authoritative server via zone transfers.<br />
The entry which defines such a zone is called a SOA record in DNS terminology.<br />
Contact person (*)<br />
The e-mail address of the person responsible for administrating the zone (with a full stop at the end).<br />
Name server (*)<br />
The fully qualified domain name with a full stop at the end or the relative domain name of the primary<br />
master name server.<br />
Attention:<br />
Only the primary master name server should be entered in this field. Further name servers can be<br />
entered on the Name server<br />
Serial number (*)<br />
Other DNS servers use the serial number to recognise whether zone data have changed. The slave<br />
name server compares the serial number of its copy with that on the master name server. If the serial<br />
number of the slave is lower than that on the master, the slave copies the changed data.<br />
99
4 <strong>Univention</strong> Directory Manager<br />
100<br />
There are two commonly used patterns for this serial number:<br />
• Start with 1 and increment the serial number with each change.<br />
• By including the date the number can be entered in the format YYYYMMDDNN, where Y stands<br />
for year, M for month, D for day and N for the number of the change of this day.<br />
If the serial number is not changed manually, <strong>Univention</strong> Directory Manager automatically increases<br />
the value by 1 if [OK] was clicked. If the process is cancelled, the serial number remains unchanged.<br />
Refresh interval (*)<br />
The time span after which the slave name server checks that its copy of the zone data is up-to-date.<br />
Common values are between one and 24 hours. The preset value is eight hours.<br />
Retry interval (*)<br />
The time span after which the slave name server tries again to check that its copy of the zone data<br />
is up-to-date after a failed attempt to update. This time span is usually set to be less than the update<br />
interval, but can also be equal. The preset value is two hours.<br />
Expiry interval (*)<br />
The time span after which the copy of the zone data on the slave becomes invalid if it could not be<br />
checked to be up-to-date.<br />
For example, an expiry interval of one week means that the copy of the zone data becomes invalid<br />
when all requests to update in one week fail. In this case, it is assumed that the files are too outdated<br />
after the expiry interval date to be used further. The slave name server can then no longer answer<br />
name resolution requests for this zone.<br />
Common periods for this are one week. Longer expiry intervals can be selected if there are problems<br />
with the network connections to the master name server. The preset value is one week.<br />
Minimum Time-to-Live (*)<br />
The minimum time to live specifies how long other servers can cache no-such-domain (NXDOMAIN)<br />
answers. This value cannot be set at more than 3 hours, the preset value is 3 hours.<br />
’Name servers’ tab<br />
Name servers (usually called NS records in DNS terminology) can be assigned to a zone on the<br />
Name servers tab. The name server entered on the Start of Authority tab appears automatically in<br />
the Entries list field.<br />
Name servers (*)<br />
The fully qualified domain name with a full stop at the end of the relative domain name of the name
server.<br />
Attention:<br />
4.5 <strong>Univention</strong> Directory Manager modules<br />
The name server which appears at the top of the list is always the master, irrespective of what is<br />
entered in the Name server input field of the Start of Authority tab.<br />
4.5.9.6 Pointer record<br />
A pointer record (usually called PTR record in DNS terminology) allows resolution of an IP address into a<br />
host name. It thus represents the equivalent in a reverse lookup zone of a host record in a forward lookup<br />
zone. This entry is only available within reverse lookup zones.<br />
’General’ tab<br />
Address (*)<br />
The last octet of the computer’s IP address (depends on network prefix, see below).<br />
Pointer<br />
The computer’s fully qualified domain name with a full stop at the end.<br />
Example:<br />
In a network with a 24-bit network prefix (subnet mask 255.255.255.0) a pointer should be created for<br />
the client001 computer with the IP address 192.168.1.101. 101 must then be entered in the Address<br />
field and client001.company.com. in Pointer.<br />
Example:<br />
For a network with a 16-bit network prefix (subnet mask 255.255.0.0) the last two octets should be<br />
entered in reverse order for this computer (here 101.1). client001.company.com. also needs to be<br />
entered in the Pointer field here.<br />
4.5.10 DHCP<br />
The Dynamic Host Configuration Protocol (DHCP) assigns computers an IP address, the subnet mask<br />
and further information on the router or NetBIOS server as necessary. The IP address can be either fixed<br />
or variable. The aim of this procedure is that the IP addresses are not entered locally on the computers,<br />
but rather on a central DHCP server (or in the LDAP directory), where they can be managed from one<br />
location.<br />
Thin clients are even set to retrieve an IP address via the DHCP when they have no persistent memory and<br />
therefore cannot store information locally for considerable periods of time. In addition, the DHCP service<br />
informs them which boot file should be used to boot from which server.<br />
101
4 <strong>Univention</strong> Directory Manager<br />
DHCP servers with a common configuration are compiled in a DHCP service. Global configuration pa-<br />
rameters are entered in the DHCP service; specific parameters in the subordinate objects.<br />
A number of DHCP servers within one DHCP service can be used if only fixed IP addresses are assigned.<br />
If variable IP addresses are also assigned, a maximum of two DHCP servers can be used in combination<br />
with the DHCP failover mechanism.<br />
A DHCP host entry is used to make the DHCP service aware of a computer. These computer entries can<br />
be created automatically when adding or editing a computer in computer management or in the navigation.<br />
A computer entry is required for computers attempting to retrieve a fixed IP address over the DHCP.<br />
A DHCP subnet entry is required for every subnet, irrespective of whether variable IP addresses are<br />
allocated from this subnet.<br />
Configuration parameters can be assigned to the different IP ranges by creating DHCP pools within sub-<br />
nets. In this way unknown computers can be allowed in one IP range and excluded in another IP range.<br />
DHCP failover can also be set-up in DHCP pool objects. DHCP pools can only be created below DHCP<br />
subnet objects.<br />
If several subnets use the same common, physical network, this should be entered as a DHCP shared<br />
subnet below a DHCP shared network. DHCP shared subnet objects can only be created below DHCP<br />
shared network objects.<br />
Instead of DHCP group declarations, containers can be created to accept the objects to be grouped. The<br />
parameters of such an object group are determined via a policy, which is linked to the container.<br />
Values which are input on a DHCP configuration level always apply for this level and all subordinate levels,<br />
unless other values are specified there. Similar to with the policies, the value which is closest to the object<br />
always applies. Unlike for the general policies, it is not possible here to set it so that a value cannot be<br />
altered from lower levels.<br />
Attention:<br />
Note that values assigned to an object via a policy are inherited by all subordinate objects. For example, if<br />
the domain name company.com is fixed in a DHCP service object via a policy and a DHCP host object is<br />
created in the same DHCP service object, the DHCP host object automatically adopts the domain name<br />
because of the inherited policy settings. If the DHCP host object now retrieves an IP address from a<br />
DHCP pool where the domain name sales.company.com was entered, the domain name company.com<br />
will remain valid for the DHCP host object.<br />
This applies to all settings which are made on tabs where the writing at the top of the tab is enclosed in<br />
square brackets. The inherited values are displayed on the respective tabs of the subordinate objects and<br />
can be altered there (see also Chapter 4.5.11).<br />
The following policies can be applied for the DHCP objects described below:<br />
102<br />
• Boot parameters<br />
• DHCP miscellaneous<br />
• DNS<br />
• DNS update<br />
• Allow/Forbid
• Lease time<br />
• NetBIOS<br />
• Routing<br />
More information on these can be found in Chapter 4.5.11.5.<br />
4.5.10.1 DHCP service<br />
4.5 <strong>Univention</strong> Directory Manager modules<br />
DHCP services are stored in the dhcp container by default, which is automatically created when the<br />
domains are created.<br />
’General’ tab<br />
Service name (*)<br />
Any unique name can be entered in this entry field for the DHCP service.<br />
The following parameters are often set at this level which then apply to all the computers which are served<br />
by this DHCP service (unless other values are entered in lower levels):<br />
• Domain name and Domain name servers on the [DNS] tab<br />
• NetBIOS name servers on the [NetBIOS] tab<br />
A description of this and the other input possibilities in the policy-based tabs can be found in Chap-<br />
ter 4.5.11.5.<br />
4.5.10.2 DHCP server<br />
Each server which should offer the DCHP service requires a DHCP server entry in the LDAP directory.<br />
Otherwise the DHCP service will not be started.<br />
To add the DHCP server, the first step is to open the DHCP service object. The DHCP service object can<br />
usually be found in Navigation ➞ dhcp. A DHCP server object can now be created in the DHCP service<br />
object.<br />
’General’ tab<br />
Server name (*)<br />
The computer name which will offer the DHCP service should be entered in this input field.<br />
Attention:<br />
A server cannot be entered in more than one DHCP service at the same time.<br />
Attention:<br />
If several DHCP servers are entered in the same DHCP service, the DHCP failover mechanism must be<br />
activated to be able to assign variable IP addresses.<br />
103
4 <strong>Univention</strong> Directory Manager<br />
4.5.10.3 DHCP subnet<br />
Attention:<br />
A DHCP subnet entry is required for every subnet from which variable or fixed IP addresses are to be<br />
assigned. It is only necessary to input IP ranges when variable IP addresses are to be assigned.<br />
To add a DHCP subnet, the first step is to open the corresponding DHCP service in Navigation where the<br />
DHCP subnet object is to be created.<br />
If DHCP shared subnet objects are to be used, the corresponding subnets should be created below the<br />
DHCP shared subnet container created for this purpose (see Chapter 4.5.10.7).<br />
104<br />
’General’ tab’<br />
Subnet address (*)<br />
The IP address of the subnet should be input here in dot-decimal form, e.g. 255.255.255.0.<br />
Netmask (*)<br />
The network mask can be entered in this input field as the network prefix as a decimal number in or<br />
dot-decimal form.<br />
Attention:<br />
If the network mask is entered in dot-decimal form it will be subsequently be converted into the<br />
corresponding network prefix and later also shown so.<br />
Example:<br />
The network mask 255.255.255.0 will be shown as 24 later.<br />
Broadcast address<br />
The broadcast address can be entered in this input field in dot-decimal form, e.g. 192.168.1.255.<br />
’Dynamic address assignment’ tab<br />
A single or several IP ranges can be set up on this tab. The IP addresses from these ranges are then<br />
available for dynamic allocation.<br />
Attention:<br />
IP ranges for a subnet should always either be specified exclusively in the subnet entry or exclusively<br />
in one or more special pool entries. The types of IP range entries within a subnet must not be mixed!<br />
If different IP ranges with different configurations are be set up in one subnet, pool entries must be<br />
created for this purpose. Pool entries must also be used to set up the DHCP failover mechanism in a<br />
subnet immediately or at a later date.<br />
First address<br />
The lowest IP address in the IP range should be entered here in dot-decimal form, e.g. 192.168.1.100.
Last address<br />
4.5 <strong>Univention</strong> Directory Manager modules<br />
The highest IP address in the IP range should be entered here in dot-decimal form, e.g.<br />
192.168.1.200.<br />
Attention:<br />
To enter a single IP address as a range, this IP address must simply be entered in both fields.<br />
This is often the level where the following parameter is fixed, which applies to all computers in this subnet<br />
(unless other values are entered in lower levels).<br />
• Routers on the [Routing] tab<br />
A description of this and the other input possibilities in the policy-based tabs can be found in Chap-<br />
ter 4.5.11.5.<br />
4.5.10.4 DHCP pool<br />
Attention:<br />
If DHCP pools are to be created in a subnet, there should be no IP ranges defined in the subnet entry.<br />
These should only be created in the pool entries.<br />
A DHCP pool object must always be created below a DHCP subnet object.<br />
’General’ tab<br />
Name (*)<br />
Any unique name can be entered in this entry field for the DHCP pool, e.g. sales.company.com.<br />
First address<br />
The lowest IP address in the IP range should be entered here in dot-decimal form, e.g. 192.168.1.100.<br />
Last address<br />
The highest IP address in the IP range should be entered here in dot-decimal form, e.g.<br />
192.168.1.200.<br />
Attention:<br />
To enter a single IP address as a range, this IP address must simply be entered in both fields.<br />
’Advanced’ tab<br />
Failover peer<br />
If the DHCP failover mechanism is to be included, the unique identifier for the DHCP server pair must<br />
105
4 <strong>Univention</strong> Directory Manager<br />
106<br />
be given in this input field which is responsible for this pool. The identifier entered here must match<br />
the identifier entered for both the participating DHCP servers in the /etc/dhcp3/dhcpd.conf file.<br />
As dynamic BOOTP is not compatible with the DHCP failover mechanism, the entry deny must be<br />
selected in the Allow dynamic BOOTP clients select list. It is not sufficient to select deny in the<br />
BOOTP select list on the [Allow/Deny] tab for the DHCP server or DHCP subnet!<br />
Attention:<br />
The servers which make up the failover pair must be configured accordingly for the DHCP failover<br />
mechanism to work. TO do this, the configuration files are adapted locally on the servers and thus<br />
the configuration cannot be performed with the <strong>Univention</strong> Directory Manager.<br />
Allow known clients<br />
When the allow entry is selected, the DHCP service assigns IP addresses from the pool to clients<br />
with a DHCP host entry below the DHCP service. If deny is selected, the DCHP service does not<br />
assign these clients IP addresses from this pool (see Note below).<br />
Allow unknown clients<br />
When the allow entry is selected, the DHCP service assigns IP addresses from the pool to clients<br />
without a DHCP host entry under the DHCP service. If deny is selected, the DCHP service does not<br />
assign these clients IP addresses from this pool (see Note below).<br />
Allow dynamic BOOTP clients<br />
When the allow entry is selected, the DHCP service also assigns IP addresses from the pool to<br />
clients which sent a request via the BOOTP protocol. Dynamic BOOTP clients do not receive an IP<br />
address from this pool if the deny entry is selected (see Note below).<br />
All clients<br />
When the allow entry is selected, the DHCP service assigns IP addresses from the pool to any clients<br />
as long as they are not already excluded by other settings. The DHCP service does not assign IP<br />
addresses from this pool, irrespective of the type of client making the request, if the deny entry is<br />
selected (see Note below).<br />
This setting can be used to force all active clients to allow themselves to be assigned a new IP<br />
address when they renew their existing IP address as part of an address restructuring in the network.<br />
Attention:<br />
If allow has been selected in one of more select lists, a client must fulfill the allow settings for at least<br />
one of these to receive an IP address. If at least one deny setting applies to a client, the client will<br />
not be assigned an IP address, even if other allow settings would permit this.
4.5.10.5 DHCP host<br />
4.5 <strong>Univention</strong> Directory Manager modules<br />
A DHCP host entry is used to make the DHCP service aware of the respective computer. A computer may<br />
be treated differently depending on whether it is known to the DHCP service or not. Moreover, only known<br />
computers can receive fixed IP addresses from the DHCP service. Unknown computers only receive<br />
variable IP addresses.<br />
DHCP host entries are normally added automatically when a computer is added via the computer wizard<br />
or the navigation. Below the DHCP service object you have the possibility of adding DHCP host entries<br />
or editing existing entries manually, irrespective of whether they were created manually or automatically.<br />
A DHCP host object must be created below a DHCP service object.<br />
’General’ tab<br />
Hostname (*)<br />
This entry field contains the name for the host. The computer usually also has a computer object<br />
entry in computer management. It is recommended to enter the same name and the same MAC<br />
address for the computer in both entries to facilitate assignment.<br />
Type (*)<br />
The type of network used can be selected here.<br />
Attention:<br />
The FDDI network type is not currently supported by DHCP.<br />
Address (*)<br />
The MAC address of the network adaptor is entered in this input field, e.g. 2e:44:56:3f:12:32 or<br />
2e-44-56-3f-12-32.<br />
’Fixed IP adresses’ tab<br />
Fixed IP address<br />
One or more fixed IP addresses can be assigned to the computer here as required. Alongside an IP<br />
address, a FQDN can also be entered, which will be resolved into one or more IP addresses by the<br />
DNS server.<br />
The following parameter is often determined on this level. It is then applicable for this computer:<br />
• Boot server on the [Boot parameters] tab<br />
4.5.10.6 DHCP shared network<br />
DHCP shared network objects accept subnets which use a common physical network. A DHCP shared<br />
network object must be added below a DHCP service object.<br />
107
4 <strong>Univention</strong> Directory Manager<br />
Attention:<br />
A shared subnet should be entered in the shared network under all circumstances as otherwise the DHCP<br />
server will terminate and needed to be restarted if it finds an empty shared network in its configuration.<br />
’General’ tab<br />
Shared network name (*)<br />
A name for the shared network should be entered in this input field. The name must begin with a<br />
letter (a to z). The remaining characters of the name may contains the letters a to z, numbers 0 to 9,<br />
full stops, hyphens and underscores.<br />
4.5.10.7 DHCP shared subnet<br />
Subnets are declared as DHCP shared subnet when they use the same, common physical network.<br />
All subnets which use the same network should be stored below the same shared network container. A<br />
separate DHCP shared subnet object must be created for each subnet. DHCP shared subnet objects<br />
are exclusively available below the DHCP shared network objects.<br />
4.5.11 Policies<br />
Policies are a means of simplifying administration by passing on configuration settings to objects which<br />
are linked to the corresponding policies or to objects subordinate to the objects linked to said policies.<br />
If an object is linked to a policy, the statements of the policy are applied to the object. For example, the<br />
configuration of a graphic user interface can be defined by a policy for a certain client model, and the client<br />
object can be linked to the policy. The values set by the policy are then also valid for this client.<br />
In the same way, the values set by a policy in a superordinate container, will be valid for all objects within<br />
this container. This mechanism is called inheritance.<br />
If, for example, the same password interval is to be defined for all users of a location, then a special<br />
container can be created for these users. After moving the users into the container, a password policy can<br />
be linked to the container. This policy is valid for all user objects within the container.<br />
For every object, the applied value is always that which lies closest to the object in question. The values<br />
of superordinate policies can be overwritten by the values of subordinate policies. Thus it is possible to<br />
define, for example, an alternative keyboard layout for an individual client object, even if the superordinate<br />
policy defines a different keyboard layout.<br />
An exception to this rule is a value which was defined in a policy in the form of Fixed attributes. Such<br />
values cannot be overwritten by subordinate policies.<br />
The mechanisms of linking objects to policies, of inheriting and defining individual values, are an extensive<br />
and flexible way of achieving comfortable and central methods of configuring and administrating a <strong>UCS</strong><br />
domain.<br />
108
4.5.11.1 Adding a policy<br />
4.5 <strong>Univention</strong> Directory Manager modules<br />
<strong>Univention</strong> Directory Manager allows direct as well as indirect creation of policies. When directly creating<br />
a policy, the user can use the LDAP Browser to jump to the desired location within the LDAP directory and<br />
select the desired type of policy via the select list Add new object at current position.<br />
Alternatively, new policies can be directly created via the policies wizard (Policies ➞ Add). After having<br />
selected the desired type of policy and the target container, the new values of the policy can be entered.<br />
Policies can also be indirectly created via <strong>Univention</strong> Directory Manager by filling in or editing a tab for an<br />
object if the caption of the tab is set in square brackets, and Select configuration is available (see chapter<br />
4.5.11.4). The values adapted on these tabs are stored as policies.<br />
By default, policies are stored in the container policies which was automatically generated during the<br />
creation of the domain. For further structuring, the container policies includes containers for each policy<br />
type.<br />
When adding or editing objects, policies of a suitable type are available from the registered policies con-<br />
tainers in the select list Select configuration on the relevant tab.<br />
Attention:<br />
It has to be ensured that the container wherein a policy is created, is registered as a standard container<br />
for policies (see chapter 4.5.12.7). Otherwise, the policy will not be found. The automatically generated<br />
container policies is already registered as a standard container for policies.<br />
Settings, which can be made for the different types of policies, will be explained together with the tabs<br />
of the corresponding objects. When directly adding a policy, the entry field Name is displayed, wherein<br />
a random name for the policy can be entered. Furthermore, an Object tab will only be displayed when<br />
directly creating or editing a policy.<br />
’Object’ tab<br />
This tab is available for every policies object. It enables the user to make settings relating to object<br />
classes and attributes.<br />
Required object classes<br />
Object classes can be stated here, to which the objects have to belong so that they can be linked to<br />
this policy.<br />
Prohibited object classes<br />
Object classes can be stated here, to which the objects to be linked with this policy may no belong.<br />
Fixed attributes<br />
Attributes can be selected here, the values of which may not be changed by subordinate policies.<br />
Empty attributes<br />
Attributes can be selected here, which are to be set to empty in the policy, meaning they will be<br />
stored without containing a value. This can be useful for removing values inherited by an object<br />
109
4 <strong>Univention</strong> Directory Manager<br />
from a superordinate policy. In subordinate policies, new values can be assigned to the attributes in<br />
question.<br />
Attention:<br />
If one of the entry fields of a subordinate policy remains empty, this means that the value of the superordi-<br />
nate policy is adopted unchanged. To make sure that the value of the superordinate policy is not valid in<br />
subordinate objects, the appropriate entry field is to be declared in Empty attributes in the Object tab.<br />
4.5.11.2 Applying policies<br />
Policies can be linked to container objects via the Policies tab. With other objects, the appropriate policy<br />
types are available on the individual tabs, where an existing policy can be selected or a new policy created<br />
for the object.<br />
If an object is linked to a policy, or inherits policy settings which cannot be applied to the object, the settings<br />
remain without effect for the object. This makes it possible, for example, to link a policy to the root of the<br />
LDAP directory, which is then valid for all the objects of the domain which can apply this policy. Objects<br />
which cannot apply this policy are not affected.<br />
Attention:<br />
To every object which is linked to a policy, the current settings of this policy always apply. Thus, when<br />
editing a policy, the settings for all the objects linked to this policy are changed! The values from the<br />
changed policy apply to objects already registered in the system and linked to the policy, in the same way<br />
as to objects added in the future.<br />
The Referencing objects tab of the policies objects shows a list of all objects linked to the policy.<br />
4.5.11.3 Linking policies to containers<br />
110<br />
’Policies’ tab<br />
This tab is available for containers, organisational units and domains. It shows the policies currently<br />
linked to the object (see Illustration 4.11). The tab offers the possibility to edit the settings of a policy,<br />
and to link the changed settings to the objects as a new policy. Furthermore, linked policies can be<br />
unlinked from the object.<br />
In the first column, all the available policy types are listed. The second column states which concrete<br />
policy of the relevant type is valid for the present object. In this context, inherited means if any<br />
policies are set for superordinate objects, the present object will inherit these policies.<br />
Inheritance works over a random number of levels. The superordinate object can therefore have in-<br />
herited the policy from the next higher object. Inherited is the standard setting. Inherited is displayed<br />
even if none of the superordinate objects has a policy assigned. This circumstance is illustrated in
4.5 <strong>Univention</strong> Directory Manager modules<br />
Illustration 4.11 which shows the Policies tab for the domain, i.e. the root of the LDAP directory of a<br />
typical <strong>UCS</strong> installation.<br />
Inheritance cannot be switched off directly. Yet, the object can be linked to a new policy in which the<br />
fields can be freely defined, meaning they can also be defined as being empty.<br />
To link the object to another/new policy, the appropriate policy type has to be clicked on the Policies<br />
tab. Another tab will then open where the settings for the policy can be made. Alternatively, an<br />
existing policy can be selected from the Select configuration list (see chapter 4.5.11.4).<br />
After confirmation by clicking [OK], the new settings are adopted, unless the editing process as a<br />
whole is aborted. A new or changed policy is stored under a unique name which is derived from<br />
the name of the container (see chapter 4.5.11.4). The original settings are retained unchanged if<br />
[Cancel] is clicked.<br />
To unlink a policy from its present object, the checkbox behind the policy is to be ticked first. If the<br />
user then clicks [Disconnect], Inherited will be displayed on the tab instead of the previous policy.<br />
The unlinking process is confirmed by clicking [OK].<br />
4.5.11.4 Linking policies to other objects<br />
Square brackets on a tab indicate that the settings on this tab can be performed via policies.<br />
The Select configuration list shows existing policies which can be applied to the present position. The<br />
preset configuration is Inherited in which the configuration parameters of the superordinate container are<br />
adopted for the current object.<br />
Once a configuration has been selected, the values resulting from the policy will be displayed in the<br />
corresponding fields on the tab. Greyed-out values cannot be changed. All values displayed in black<br />
lettering as well as all empty fields can be adjusted at random.<br />
A new policy is generated by <strong>Univention</strong> Directory Manager from the new values. A container for each<br />
policy type is prepared in the policies container. The policies generated by <strong>Univention</strong> Directory Manager<br />
are automatically stored in these containers.<br />
A policy generated by <strong>Univention</strong> Directory Manager is named after the object for which it was created. If<br />
there is already a policy of the same name, the suffix _uv0 will be appended to the name of the new policy.<br />
Further policies with conflicting names will be numbered consecutively, by the endings _uv1, _uv2, etc..<br />
The policy can be found under this name in the container for the corresponding policy type. If one of the<br />
existing policies is changed, these changes will affect all objects to which the policy in question is applied.<br />
If, in contrast, a value is changed via the Policies tab of the object for which the policy was created, a new<br />
policy will automatically be created with the changed values, and the original policy remains unchanged.<br />
So, the new values apply only to the present object and, if applicable, to subordinate objects.<br />
111
4 <strong>Univention</strong> Directory Manager<br />
4.5.11.5 Policy-based tabs<br />
112<br />
’[Autostart]’ tab<br />
This tab is only available on thin clients, managed clients and mobile clients.<br />
Thin clients can be operated without a log-in mask to start a Citrix client automatically and exclusively<br />
every time the computer is switched on, for example.<br />
Autostart session<br />
The name of the autostart script should be entered here which should be started the next time<br />
the client is started. An autostart script is a shell script in which programs are entered which<br />
are started each time the user autostart logs in automatically. This script must be saved un-<br />
der /var/lib/univention-client-root/etc/gdm/Autostart/ on the thin client’s terminal<br />
server. On a managed or mobile client it is saved under /etc/gdm/Autostart/.<br />
Examples for integrating the Citrix client, nxclient or rdesktop in autostart scripts can be found<br />
on a <strong>UCS</strong> server with installed thin client infrastructure package (univention-thin-client) under<br />
/var/lib/univention-client-root/etc/gdm/Autostart/.<br />
’[Boot parameters]’ tab<br />
A DHCP boot policy can be used to assign computer configuration parameters for booting from a<br />
server. Changes values are used as of the next time which the respective computer is started.<br />
Attention:<br />
As thin clients can not boot without these parameters, <strong>Univention</strong> Corporate Server already includes<br />
a DHCP boot policy. As the boot server is not set in this policy, the client uses the DHCP server from<br />
which it retrieves its IP address as its boot server. The pxelinux.0 file is entered as the boot file as<br />
standard. The policy is linked with the ldap base so that it applies automatically for all thin clients in<br />
the domain, in so far as nothing else has been defined closer to the client object.<br />
Computers which are not booted from the server, but rather start from a locally installed operating<br />
system, do not require this input. The inputs are ignored by these computers.<br />
Boot server<br />
The IP address or FQDN of the boot server from which the client should load the boot file should be<br />
entered in this input field. If no value is entered in this input field, the client boots from the DHCP<br />
server from which it retrieves its IP address.<br />
Boot filename<br />
The path to the boot file is entered here. The path must be entered relative to the base directory of<br />
the TFTP service.
4.5 <strong>Univention</strong> Directory Manager modules<br />
The directory to be shared is entered as a parameter when starting the TFTP service. If this case<br />
the path to the boot file should be entered relative to the /var/lib/univention-client-boot<br />
directory.<br />
If the required file is called linux.0 and stored in the directory<br />
/var/lib/univention-client-boot/kernel/, Boot filename the path kernel/linux.0<br />
must be entered in the input field.<br />
’[Client devices]’ tab<br />
This tab is only found on thin client computers.<br />
Activate access to client devices<br />
Selecting this checkbox allows access from this thin client to peripherals such as CD-ROM and disk<br />
drives connected to this thin client.<br />
’[<strong>Univention</strong> Configuration Registry]’ tab<br />
Detailed information on the policy-based inheritance of <strong>Univention</strong> Configuration Registry variables<br />
can be found in Chapter 14.9.<br />
’[Desktop settings]’ tab<br />
The appearance of the KDE Linux interface can be configured for the user on this tab.<br />
Desktop language<br />
The user’s KDE language setting.<br />
Attention:<br />
For the selection to take effect, the corresponding KDE language package must be installed on the<br />
computer - on the terminal server for thin clients.<br />
Desktop profile<br />
A profile which stipulates the appearance of the KDE Linux interface for the user. The profiles entered<br />
in the univention container in the default object are available for selection (see Chapter 4.5.12.6 and<br />
[10]).<br />
Logon scripts<br />
The script entered here is run during the user’s KDE log-in.<br />
113
4 <strong>Univention</strong> Directory Manager<br />
114<br />
Attention:<br />
For the selection to take effect, the corresponding file must be executable on the computer - on the<br />
terminal server for thin clients.<br />
Logout scripts<br />
The script entered here is run when the user logs out of the KDE session.<br />
Attention:<br />
For the selection to take effect, the corresponding file must be executable on the computer - on the<br />
terminal server for thin clients.<br />
’[DHCP Allow/Deny]’ tab<br />
Attention:<br />
The keyword ignore used in the tab is only different from deny in that it prohibits the logging of denied<br />
requests.<br />
Unknown clients<br />
If allow is selected from the list, the DHCP service also issues IP addresses to clients which do not<br />
have a DHCP computer entry. If on the other hand deny or ignore is selected, the DHCP service<br />
does not issue IP addresses to unknown clients.<br />
It is recommended not to perform this setting globally or on the subnet level, but rather at the pool<br />
level. (see Advanced tab in DHCP:Pool objects on page 105).<br />
BOOTP<br />
When nothing or allow is selected from the list, the DHCP replies to BOOTP requests, otherwise it<br />
does not reply to these requests.<br />
Booting<br />
This input stipulates whether requests (from a particular client) are replied to (no selection or allow)<br />
or not (deny or ignore selected) by the DHCP service. If the DHCP service does not reply, the client<br />
is not assigned an IP address. The setting is usually only made directly for a DHCP computer object.<br />
Duplicates<br />
When nothing or allow is selected in this list, the DHCP service allows clients to receive a new lease<br />
and keep existing leases which belong to the same MAC address.<br />
If the entry deny is used and the MAC address of the client submitting the request matches a DCP<br />
computer entry, the DHCP discards all leases which match the same MAC address. This action is a<br />
breach of the DHCP protocol, but can avoid the case of clients with a client identifier which changes<br />
often receiving many leases at the same time.
Declines<br />
4.5 <strong>Univention</strong> Directory Manager modules<br />
If nothing or allow is selected in the list, the DHCP service accepts DHCPDECLINE messages from<br />
the client. The client sends these messages when it deems the proffered IP address invalid. The<br />
DHCP service then gives this IP address the status abandoned and does not use it for a certain<br />
period of time. A defective or malicious client can exhaust the pool of free addresses by sending<br />
DHCPDECLINE messages excessively. If deny or ignore is selected, the DHCP service ignores<br />
these messages.<br />
’[DHCP DNS]’ tab<br />
Domain name<br />
Name of the domain which the client automatically hangs on computer names that he send to the<br />
DNS server for resolution and which are not fully qualified domain names. Usually this is the name of<br />
the domain to which the client belongs.<br />
Domain name servers<br />
IP addresses or fully qualified domain names for DNS servers can be added here. When using fully<br />
qualified domain names ensure that the DHCP server can resolve them to IP addresses. The DNS<br />
servers are contacted by the clients according to the order specified here. It can thus be practical to<br />
reorder the DNS servers specified.<br />
’[DHCP Dynamic DNS]’ tab<br />
Settings for dynamic DNS updates can be performed on this tab. For technical reasons these cannot<br />
yet be performed with a <strong>UCS</strong>-based DNS service, but only with external servers.<br />
DDNS hostname<br />
As standard, the DHCP service uses the computer name delivered from the client for DDNS updates.<br />
If a string is entered in this input field, this is used instead of the delivered computer name.<br />
DDNS domain name<br />
The domain name entered here is used together with the client’s computer name to compile a fully<br />
qualified domainn name.<br />
DDNS reverse domain name<br />
The domain name entered here is hung onto a reversed IP address to compose a name for a pointer<br />
record (PTR record). If no domain name is entered, the standard value in-addr.arpa. is used.<br />
DDNS updates<br />
If this setting is set to on, the DHCP service attempts a DNS update if a lease is confirmed. No<br />
update is performed when off is selected. The standard setting is on.<br />
115
4 <strong>Univention</strong> Directory Manager<br />
116<br />
DDNS update style<br />
There are currently two DNS update patterns available: the ad-hoc DNS update mode (ad-hoc) and<br />
the interim DHCP-DNS interaction draft update mode (interim). The ad-hoc mode is now outdated<br />
and should no longer be used. Attention:<br />
This setting is evaluated once by the DHCP service when importing the configuration. It is thus not<br />
possible to stipulate the update style for each client individually.<br />
DDNS Forward Updates<br />
If the True value is selected, the DHCP service updates the DNS computer entry (A record) if a DHCP<br />
client requests or renews a lease. No update is performed if the setting is set to false. This input<br />
only applies when DNS updates are activated and the DDNS update style is set to interim. DDNS<br />
forward updates are performed as standard.<br />
Update static leases<br />
If the True value is selected, the DHCP service performs DNS updates, even when they are assigned<br />
a static IP address. No update is performed if the setting is set to false. This input only applies when<br />
DNS updates are activated and the DDNS Update Stil is set to interim.<br />
Client updates<br />
When the Allow value is selected, the DHCP service notes the intention of the DHCP client to update<br />
its own DNS computer entry (A record). This input only applies when DNS updates are activated and<br />
the DDNS Update Stil is set to interim.<br />
’[DHCP lease time]’ time<br />
Default lease time<br />
If the client does not ask for a specified lease time it will be assigned the standard lease time. If this<br />
input field is left empty, the DHCP server’s default value is used. That is 43200 seconds (12 hours).<br />
Maximum lease time<br />
The maximum lease time specifies the longest period of time for which a lease can be granted. If this<br />
input field is left empty, the DHCP server’s default value is used. That is 86400 seconds (24 hours).<br />
Minimum lease time<br />
The minimum lease time specifies the shortest time for which a lease can be valid. If this input field<br />
is left empty, the DHCP server’s default value is used. That is one second.
’[DHCP NetBIOS]’ tab<br />
NetBIOS name servers<br />
4.5 <strong>Univention</strong> Directory Manager modules<br />
Also called NBNS or WINS servers. The names or IP addresses of the NetBIOS name servers are to<br />
be entered here. It must be verified that the DHCP server can resolve these names in IP addresses.<br />
The servers entered are contacted by the client in the order in which they stand in the selection list.<br />
NetBIOS scope<br />
The NetBIOS over TCP/IP scope for the client according to the specification in RFC1001 and<br />
RFC1002.<br />
Attention:<br />
Attention must be paid to uppercase and lowercase when entering the NetBIOS scope. Further<br />
information on the character set to use can be found in RFC1035.<br />
NetBIOS Node Type<br />
Dieses Auswahlfeld legt den Node Type eines Clients fest. Mögliche Werte sind:<br />
• 1 B node (Broadcast: no WINS)<br />
• 2 P node (Peer: only WINS)<br />
• 4 M node (Mixed: first Broadcast, then WINS)<br />
• 8 H node (Hybrid: first WINS, then Broadcast)<br />
’[NFS mounts]’ tab<br />
This policy can be used to configure NFS shares mounted on the server or client. There is a NFS<br />
Share for selection, which is mounted in the file path specified under Mount point.<br />
’[DHCP routing]’ tab<br />
Routers<br />
The names or IP addresses of the routers are to be entered here. It must be verified that the DHCP<br />
server can resolve these names in IP addresses. The routers are contacted by the client in the order<br />
in which they stand in the selection list.<br />
Attention:<br />
Routers usually have several network interfaces each with its own IP address. If the name of the<br />
router is entered instead of the IP address, it must be verified that the name definitely points to the<br />
required network interface on the router!<br />
117
4 <strong>Univention</strong> Directory Manager<br />
118<br />
’[DHCP statements]’ tab<br />
Authoritative<br />
This selection controls the sending of DHCPNAK messages to incorrectly configured clients.<br />
Attention:<br />
The Yes setting should only be selected if the consequences of this setting can be estimated and the<br />
DHCP service has been correctly configured!<br />
The Yes setting prompts the DHCP service to send a DHCPNAK message to each incorrectly con-<br />
figured client. If this is not done, clients are not in a position after changing subnets (e.g., notebooks)<br />
to receive a correct IP address until their old lease has expired. This can take some time.<br />
If nothing or no is selected, the DHCP service does not send any DHCPNAK messages. This is<br />
the standard procedure for the DHCP service and should avoid any problems with an insufficiently or<br />
incorrectly configured DHCP service.<br />
Setting the setting is only practical for physical network segments. The setting should be made for<br />
a DHCP shared network or a DHCP subnet. The setting should be avoided for a DHCP shared<br />
subnet and DHCP pool- and DHCP host objects!<br />
Boot unknown clients<br />
If True is selected from the list, the DHCP service also issues IP addresses to clients which do not<br />
have a DHCP computer entry. The prerequisite for this is that an appropriate pool of IP addresses<br />
is set up. Limits to the issuing of IP address made on the DHCP pool object are taken into account<br />
here. If the entry False is selected, the DHCP service does not issue IP addresses to client which do<br />
not have a DHCP computer entry.<br />
This setting is overwritten at DHCP pool level by the settings on the Advanced tab.<br />
Ping check<br />
If nothing or True is selected, the DHCP server uses a ping to check whether an IP address is free<br />
before issuing it dynamically. This delays the reply to the client by a second. If this represents a<br />
problem for the client submitting the request, the setting No should be selected here. The availability<br />
check via the ping is then not performed and the DHCP server replies immediately.<br />
Add hostnames to leases<br />
If True is selected from the lst, the DHCP server resolves all IP addresses for which this input applies<br />
into the respective computer name in the DNS domain and uses it for the hostname DHCP option. If<br />
nothing or False is selected, the DHCP server does not use the DNS domain names.<br />
Server identifier<br />
The IP address of the server the clients should use to communicate with the DHCP server. This field
4.5 <strong>Univention</strong> Directory Manager modules<br />
should only be filled out in justified exceptional cases. It must be ensured that the correct DHCP<br />
server is used if several servers are set in a DHCP service.<br />
Server name<br />
This name is provided to a client as the name of the server from which it boots.<br />
’[Display]’ tab<br />
This tab is only found on managed client, mobile client and thin client computers. This tab is used to<br />
configure the graphics adapter, monitor, keyboard and mouse for the computer. Changes are applied<br />
the next time the computer is started when there is a connection to the LDPA directory.<br />
Automatic detection<br />
When this option is activated, the drivers required for the graphics card are recognised automatically.<br />
If no suitable driver is available for the card, the VESA driver is used. The matching screen resolution<br />
for the connected monitor is also recognised and activated.<br />
Graphics adapter driver<br />
The appropriate driver for the graphics adapter can be selected from this selection list.<br />
Resolution of primary display<br />
The monitor resolution of the primary monitor is entered here. The values for width and height should<br />
be separated by a x.<br />
Example:<br />
1024x768<br />
Resolution of secondary display<br />
The monitor resolution of a secondary monitor, if used. Combined with the primary monitor a shared<br />
screen is displayed.<br />
Position of secondary display<br />
This selection specifies the relative position of the secondary monitor with respect to the primary<br />
monitor.<br />
Color depth<br />
The colour depth should be entered in bits per pixel. Admissable values are 1, 2, 4, 8, 16 and 24.<br />
Mouse protocol<br />
A number of different mouse protocols are available for using a mouse.<br />
• Auto usually chooses the correct protocol for the mouse used automatically.<br />
• IMPS/2 is used for mice with a wheel on the PS/2 connection.<br />
119
4 <strong>Univention</strong> Directory Manager<br />
120<br />
• PS/2 is used for simple mice on the PS/2 connection.<br />
• Serial is used for mice on the serial port (ttyS0 or ttyS1 and in Windows/DOS COM1 or COM2).<br />
• USB is required for USB mice.<br />
In addition there are also further special mice protocols available:<br />
ExplorerPS/2, ThinkingMouse, ThinkingMousePS/2, NetScrollPS/2, Intellimouse, NetMousePS/2,<br />
GlidePoint, GlidePointPS/2 and MouseManPlusPS/2.<br />
Mouse device<br />
The connection where the mouse is connected to the computer is selected here. PS/2, Serial and<br />
USB are available for selection.<br />
Keyboard layout<br />
Selecting the country activates the conventional keyboard layout for this country on the computer.<br />
This includes Germany for a German and United States for an English layout. There is also the<br />
possibility of not performing any settings pertaining to the keyboard layout.<br />
Keyboard variant<br />
At this point a keyword can be entered to select the keyboard layout variant. German keyboard<br />
layouts usually use the nodeadkeys variant. This has the effect that particular special accents such<br />
as the tilde “~” can be entered by simply pressing the key. Nevertheless, the accent can then not be<br />
written over another character. In the basic variant, the key for the accent must be pressed and then<br />
the key for character above which the accent should appear. For example, to write the word “senor”<br />
with the letter “ñ”, the tilde must be pressed first followed by “n”. To insert a tilde on its own, the tilde<br />
is pressed first followed by the spacebar.<br />
Enable VNC export<br />
The option allows administrators to access the graphic interface of the computer and take over control<br />
of the mouse and keyboard if the user allows this by confirming a security dialog. This option is used<br />
for example in troubleshooting if a user finds himself in a situation he cannot follow or he cannot rectify<br />
on his own. This option is deactivated as standard.<br />
This policy is only evaluated with thin clients.<br />
Viewonly VNC export<br />
This option allows administrators to view the user’s desktop without being able to change anything<br />
via keyboard inputs or mouse movements. A security dialog is displayed which the user must confirm<br />
in order to grant the administrator access. This option is activated as standard.<br />
This policy is only evaluated with thin clients.
RAM on the graphics adapter in kb<br />
4.5 <strong>Univention</strong> Directory Manager modules<br />
If the graphics driver does not recognise the amount of graphics memory, the correct size of the RAM<br />
on the graphics card can be entered in this input field. This is entered in kilobytes.<br />
Virtual size of dual monitor desktop<br />
The graphics interface can also be displayed on two monitors. The attained display size of the virtual<br />
desktop must be specified in advance. This is calculated by adding together the screen dimensions;<br />
for example, if two monitors with a resolution of 1024x768 pixels are operated next to each other, the<br />
size of the virtual desktop will be 2048x768. The setting must be given in the x y format, i.e., with<br />
a blank space as a separator, e.g., 2048 768. This setting usually does not need to be specified,<br />
but rather is calculated from the settings for Resolution of primary display and Resolution of<br />
secondary display.<br />
Name of primary display<br />
The X-11 internal identifier for the primary monitor, e.g. LVDS or VGA. The device name varies de-<br />
pending on the model of the graphics card and can be ascertained by running the xrandr command.<br />
If there is no identifier specified here, the identifier is auto-detected in the GDM init script.<br />
Display size (mm) of primary display<br />
If the measured length of the diagonal screen size is entered the monitor resolution (dpi) can be<br />
calculated automatically. The entry is made in XxY format in millimetres.<br />
This setting is only applied if the Name of primary display has been set.<br />
Horizontal sync of primary display<br />
The horizontal line frequency of the monitor should be given as a single number or as a range in kHz.<br />
When entering a range, the two values should be separated by a minus sign, e.g. 30-70.<br />
This setting is only applied if the Name of primary display has been set.<br />
Vertical refresh of primary display<br />
The vertical line frequency of the monitor should be given as a single number or as a range in Hz.<br />
When entering a range, the two values should be separated by a minus sign, e.g. 50-90.<br />
This setting is only applied if the Name of primary display has been set.<br />
Name of secondary display<br />
The X-11 internal identifier for the secondary monitor, e.g. LVDS or VGA. The device name varies de-<br />
pending on the model of the graphics card and can be ascertained by running the xrandr command.<br />
If there is no identifier specified here, the identifier is auto-detected in the GDM init script.<br />
121
4 <strong>Univention</strong> Directory Manager<br />
122<br />
Display size (mm) of secondary display<br />
If the measured length of the diagonal screen size is entered the monitor resolution (dpi) can be<br />
calculated automatically. The entry is made in XxY format in millimetres.<br />
This setting is only applied if the Name of secondary display has been set.<br />
Horizontal sync of secondary display<br />
The horizontal line frequency of the monitor should be given as a single number or as a range in kHz.<br />
When entering a range, the two values should be separated by a minus sign, e.g. 30-70.<br />
This setting is only applied if the Name of secondary display has been set.<br />
Vertical refresh of secondary display<br />
The vertical line frequency of the monitor should be given as a single number or as a range in Hz.<br />
When entering a range, the two values should be separated by a minus sign, e.g. 50-90.<br />
This setting is only applied if the Name of secondary display has been set.<br />
’LDAP server’ tab<br />
LDAP server<br />
The computer uses the LDAP server specified here for requests to the LDAP directory. The order of<br />
the servers determines the order of the computer’s requests to the server if a LDAP server cannot be<br />
reached.<br />
’[Mail quota]’ tab<br />
Quota limit (MB)<br />
The maximum size of the mailbox of a user in megabytes. If this limit is reached, no further mails<br />
will be delivered to the mailbox until the user provides storage place by deleting older mails from his<br />
account.<br />
’[Maintenance]’ tab<br />
This option is used to control the time for (un)installation or packages and system updates.<br />
System startup<br />
If this option is activated, the packages selected on the Packages [. . . ] tab are (un)installed when<br />
the computer is started.
System shutdown<br />
4.5 <strong>Univention</strong> Directory Manager modules<br />
If this option is activated, the packages selected on the Packages [. . . ] tab are (un)installed when<br />
the computer is shutdown.<br />
Reboot after maintenance<br />
This option makes it possible to perform an automatic system restart following a <strong>UCS</strong> update. The<br />
following values are available for selection.<br />
• No Reboot: the boot process is continued as normal following the update. The restart must<br />
then be initiated manually.<br />
• Immediately: the system restart is performed directly after the update<br />
• specifies the time between 15 minutes (00:15) and 23 hours and 45 minutes (23:45) between<br />
Attention:<br />
the update and the automatic system restart.<br />
When the system restart is activated, the restart only occurs after a <strong>UCS</strong> update to a higher version<br />
number. No restart is initiated after (un)installation of individual packages!<br />
Use Cron settings<br />
If this field is activated, the fields Month, Day of week, Day, Hour and Minute can be used to<br />
specify an exact time when the new package should be (un)installed.<br />
’[Packages . . . ]’ tab<br />
This tab is available for every <strong>UCS</strong> system type apart from thin clients.<br />
This option can be used to create a list for packages to be installed or uninstalled to facilitate the main-<br />
tenance of installed software packages. These lists are processed by the system affected (managed<br />
client, mobile client, member server or domain controller) at the next (un)installation interval.<br />
This tab is directly linked to the Maintenance tab where the (un)installation time can be set.<br />
Package list<br />
The package list containing the required package is selected here. Package lists can be managed<br />
via a Settings: Package list object (see Chapter 4.5.12.9).<br />
Package installation list<br />
Once the required package has been selected it can be added to the installation list. Any number of<br />
packages can be installed subsequently in this way.<br />
Package removal list<br />
The package to be uninstalled is to be selected here.<br />
123
4 <strong>Univention</strong> Directory Manager<br />
124<br />
’[Passwords]’ tab<br />
Intervals for change or expiry of passwords can be specified on this tab.<br />
History length<br />
The number of passwords stored for the user. The user may not utilise any of these passwords as<br />
a new password. Example: If the number 3 is entered in this field, the last three passwords will be<br />
barred from being accepted as new passwords.<br />
Attention:<br />
The passwords are not stored retroactively. Example: If ten passwords were stored, and the value<br />
is reduced to three, the oldest seven passwords will be deleted during the next password change. If<br />
then the value is increased again, the number of stored passwords initially remains at three, and is<br />
only increased by each password change.<br />
Password expiry interval<br />
The interval (in days) after which the user has to change his password.<br />
Password quality check<br />
If this option is activated, additional checks - including dictionary checks - are performed for pass-<br />
word changes in Samba, <strong>Univention</strong> Directory Manager and Kerberos. The configuration is done via<br />
<strong>Univention</strong> Configuration Registry and should occur on all login servers. The following checks can be<br />
enforced:<br />
• Minimum number of digits in the new password (password/quality/credit/digits).<br />
• Minimum number of uppercase letters in the new password (password/quality/credit/upper).<br />
• Minimum number of lowercase letters in the new password (password/quality/credit/lower).<br />
• Minimum number of characters in the new password which are neither letters nor digits<br />
(password/quality/credit/other).<br />
• Individual characters/digits can be excluded (password/quality/forbidden/chars).<br />
• Individual characters/figures can be made compulsory (password/quality/required/chars).<br />
Password length<br />
The minimum number of characters of which a user password is to consist. If no value is entered<br />
here, the minimum size is eight characters.<br />
Attention:<br />
The default value of eight characters for password length is fixed in <strong>Univention</strong> Directory Manager, so<br />
it always applies if no policy is set and the checkbox Override password length is not ticked. This<br />
means it even applies if the default settings password policy were deleted.
’[Print quota]’ tab<br />
Attention:<br />
4.5 <strong>Univention</strong> Directory Manager modules<br />
The ’Print quota’ component need to have been selected during installation or installed by running<br />
the univention-system-setup-software in order to be able to calculate print quotas and print<br />
costs.<br />
Print quota for users<br />
A print quota is established for the user selected here.<br />
Soft-Limit (Pages)<br />
If a user reaches the number of pages entered here, he receives a warning message per e-mail that<br />
his print contingent is almost exhausted. The limit is removed by entering 0. Further information can<br />
be found in Chapter 13.5.2.<br />
Hard-Limit (Pages)<br />
If a user reaches the number of pages entered here, all further print jobs from this user will be denied.<br />
Only an administrator can reactivate the user’s contingent. The limit is removed by entering 0. Further<br />
information can be found in Chapter 13.5.2.<br />
Print quota for groups per user<br />
The soft limit and hard limit are set for every user of the group specified here. The quotas are<br />
evaluated for each user individually.<br />
Print quota for groups<br />
The group specified here is assigned a common contingent. All users belonging to the group can use<br />
this contingent.<br />
If more than 200 users or groups are found, or if the search in the LDAP directory takes longer than<br />
ten seconds, an input field will be displayed instead of the select list, in which the user name or group<br />
name is to be entered.<br />
’[Print server]’ tab<br />
Print server<br />
The name of the print server whose printer the computer should use can be entered here.<br />
’[Release]’ tab<br />
Activate policy<br />
If this field is activated, the computer performs an automatic system update. Release version is<br />
used to specify to which version number the update should go. If this field is not activated, there is no<br />
125
4 <strong>Univention</strong> Directory Manager<br />
automatic system update.<br />
Release version<br />
This input field contains the version number where the system update should stop. The system stops<br />
at the version number given there and doesn’t import any updates with a higher version number<br />
automatically. If no entry is made, the system continues updating to the highest available version<br />
number.<br />
’[Repository server]’ tab<br />
Repository server<br />
The computer retrieves its installation packages from the repository server entered in this input field.<br />
’[Repository synchronisation]’ tab<br />
This tab is only available on <strong>UCS</strong> server systems.<br />
Repository syncronisation settings<br />
The fields Month, Day of week, Day, Hour and Minute can be used to specify an exact time when<br />
repository synchronisation should be performed.<br />
’[Sound]’ tab<br />
This tab sets up the sound output. It is only shown on thin client computers.<br />
Sound enabled<br />
Selecting this checkbox activates sound support. As standard sound support is not activated.<br />
Sound module<br />
Normally the setting auto detect provides an appropriate driver module for sound support automat-<br />
ically. Alternatively, a driver module for the sound card can be specified manually in the selection<br />
list.<br />
126<br />
’[Thin client]’ tab<br />
This tab is only found on thin client computers. Changed values will apply from the next time the thin<br />
client is booted. Some input fields require a server to be specified. To avoid problems during the<br />
resolution of names, the fully qualified domain name should always be entered. In addition, it must<br />
be verified it can be resolved in an IP address.<br />
Authentication server
4.5 <strong>Univention</strong> Directory Manager modules<br />
The users who log on to this thin client authenticate themselves on the servers specified here.<br />
If nothing is entered here and a user tries to log on, the system establishes all Kerberos servers using<br />
service records in the DNS. The system then attempts to authenticate the user using one of these<br />
Kerberos servers.<br />
File server<br />
The file server for the thin client can be entered and edited here. The /home directory is mounted<br />
on the thin client from this server when a user logs on, for whom no mountable share is defined (see<br />
also POSIX (Linux/UNIX) tab in Chapter 4.5.1 on page 58). If a mountable share is entered for the<br />
user, it is mounted. There is no need to enter the file server if a mountable share is entered for all<br />
users. Users can not log on without a mounted home directory.<br />
Attention:<br />
If the user data should be saved on the file server by the Linux terminal server, the file server must<br />
be mounted on the terminal server manually! It goes without saying that this is not necessary when<br />
the terminal server and the file server are in fact the same computer. Windows terminal servers find<br />
out where a user’s home directory is via the log-in server.<br />
If more than one file server is entered the thin client tries to connect the file server at the top in the<br />
Entries list first. If this fails, it tries the next one, etc.<br />
Linux terminal server<br />
One or more Linux terminal servers can be added or edited here for the thin client.<br />
A Linux terminal server is a server which provides the programs for the Linux workstation on which<br />
the Terminal services component is installed.<br />
The decision of which server is used when multiple entries exist is taken automatically by <strong>UCS</strong> using<br />
a load balancing mechanism.<br />
Windows terminal server<br />
If the users should be provided with a Windows environment on this thin client, a server must be<br />
entered in this input field which is to provide this Windows interface.<br />
If several Windows terminal servers are entered, the first one in the list will be used.<br />
Windows domain<br />
If the users should be provided with a Windows workstation on this thin client, the name of the<br />
Windows domain where the user is registered is to be entered in this input field.<br />
127
4 <strong>Univention</strong> Directory Manager<br />
128<br />
Attention:<br />
As standard, a default-settings policy is created, which is valid for the whole domain. Computers on<br />
which the Terminal services component is installed enter themselves automatically as Linux terminal<br />
servers in the policy when a domain is joined; computers on which the univention-nfs package is<br />
installed enter themselves as file servers. The package is installed on all <strong>UCS</strong> servers (DC masters,<br />
backups and slaves) as standard.<br />
’[<strong>Univention</strong> Directory Manager View]’ tab<br />
This tab is explained in chapter 4.6.<br />
’[User quota]’ tab<br />
Detailed information about quota can be found in the <strong>UCS</strong> quota documentation under [11].<br />
User quota can be configured according to the quantity of files or the space occupied by files. Quota<br />
limits are set for users during registration.<br />
The following settings apply for all users of a directory share; it is not possible to establish different<br />
quota settings for different users in one share.<br />
Illustration 4.12: 10 MB soft limit and 20 MB hard limit for all directory shares in the<br />
container shares<br />
Changes to the quota limit only apply to users when they re-login after the change is made. Users for<br />
whom quotas are already set are not affected by the changes. Quotas for these users can be edited
4.5 <strong>Univention</strong> Directory Manager modules<br />
and listed with the Linux commands setquota and repquota. Further information can be found in<br />
the <strong>UCS</strong> quota documentation under [11].<br />
Alternatively, group-based assignment is possible via univention-quota-group. The use is also<br />
described in the documentation mentioned above.<br />
Soft limit (Bytes)<br />
The disk space in bytes at which the user is requested to free up disk space (as standard within seven<br />
days).<br />
Hard limit (Bytes)<br />
The maximum disk space in bytes which each user can occupy permanently in this share.<br />
Soft limit (Files)<br />
The quantity of files at which the user is requested to free up disk space (as standard within seven<br />
days).<br />
Hard limit (Files)<br />
The maximum quantity of files which each user can save permanently in this share.<br />
’[Windows installation]’ tab<br />
This tab is only found on Windows computers.<br />
Filename of unattend installation profile<br />
The name of the unattend.txt file entered in this input field is used for the auto-<br />
matic installation of Windows on the computer. The file name is entered relative to the<br />
/var/lib/univention-windows-installer/install/policy.<br />
Ssyn<br />
4.5.12 <strong>Univention</strong> Directory Manager settings<br />
In the <strong>Univention</strong> settings container univention, configuration options for the behaviour of <strong>Univention</strong><br />
Directory Manager are defined.<br />
4.5.12.1 License<br />
The container univention ➞license contains information on the scope of the currently installed licence.<br />
These entries are purely informative and cannot be changed with <strong>Univention</strong> Directory Manager. Instruc-<br />
tions on installing and updating licences can be found in chapter 3.4.<br />
129
4 <strong>Univention</strong> Directory Manager<br />
’License’ tab<br />
Name (*)<br />
The Name of the licence object.<br />
Module (*)<br />
This field states the module for which the licence was granted.<br />
Expiry date (*)<br />
The date by which the licence becomes invalid.<br />
Base DN (*)<br />
The Base DN for which the licence was granted. The licence can only be used if the Base DN of the<br />
licence is identical to the Base DN of the LDAP directory.<br />
Max. user accounts<br />
The maximum number of user accounts covered by this licence.<br />
Max. groupware accounts<br />
The maximum number of groupware accounts covered by this licence.<br />
Max. clients<br />
The maximum number of clients covered by this licence.<br />
Max. desktops<br />
The maximum number of desktops covered by this licence.<br />
Valid product types<br />
The licence applies to the product types registered here. Product types not listed here are not covered<br />
by the licence and will not be activated by <strong>Univention</strong> Directory Manager.<br />
Signature (*)<br />
The digital signature of the licence.<br />
4.5.12.2 Printer driver lists<br />
As standard the printer driver lists for printer management are saved in the univention ➞cups container.<br />
New lists can be added here or existing ones edited.<br />
130
’General’ tab<br />
Name (*)<br />
4.5 <strong>Univention</strong> Directory Manager modules<br />
The name of the printer driver list. The name under which the list appears in the Manufacturer<br />
selection list on the General tab for printer shares.<br />
Driver<br />
The path to the ppd file or to the /usr/share/cups/model/ directory. For example, if the<br />
/usr/share/cups/model/laserjet.ppd should be used, laserjet.ppd must be entered here.<br />
gzip compressed files can also be entered here.<br />
Attention:<br />
Ensure that printer drivers entered are saved on the respective printer server under the<br />
/usr/share/cups/model/ directory.<br />
Description<br />
A description of the printer driver, under which it appears in the Printer model selection list on the<br />
General tab for printer shares.<br />
4.5.12.3 Printer URI Lists<br />
When setting up a printer via <strong>Univention</strong> Directory Manager (see Chapter 4.5.7) the fields Protocol and<br />
Destination must be filled out. If the required protocol is not available in the displayed Protocol selection<br />
list, it can be added via a Printer URI List object.<br />
As standard the printer URI lists are saved in the univention ➞cups container.<br />
’General’ tab<br />
Name (*)<br />
The freely selectable name of the printer URI list.<br />
Printer URI<br />
One or more protocols can be entered in this field, which are then displayed in the Protocol selection<br />
field when setting up a printer, e.g ftp:// .<br />
4.5.1<strong>2.4</strong> User templates<br />
User templates can speed up the process of creating a user by presetting certain values. Predefined user<br />
templates can be found in the user administration under Add in the Select Template list.<br />
User templates can only be created beneath cn=univention,, and are stored in<br />
cn=templates,cn=univention, by default.<br />
131
4 <strong>Univention</strong> Directory Manager<br />
User templates named following the pattern . Groupware Account are automatically<br />
provided for each Kolab home server during a Kolab for <strong>UCS</strong> installation. More detailed information<br />
can be found in the Kolab for <strong>UCS</strong> manual. Attributes can be included in the template by use of angle<br />
brackets. A list of possible attributes can be called by the command:<br />
univention-directory-manager users/user<br />
in the section users/user variables of the output.<br />
For example: A user-defined UNIX home directory can be created as /home/ - this corre-<br />
sponds to the standard if no user template is applied - or as /home/.. The e-mail<br />
address could, for example, be predefined by .@firma.com.<br />
Such replacements are generally possibly for any value, there is no syntax or semantics check. So, if no<br />
first name is given during the creation of a user, the above e-mail address would begin with a dot and would<br />
thus be invalid according to the e-mail standard. Similar sources of error can also occur when handling file<br />
paths etc.<br />
Irresolvable attributes are deleted. If due to a spelling error in a user template the e-mail address<br />
is predefined, for example, as .@firma.com, then the result will be .@firma.com.<br />
If only a single character of the attribute is required, the index of the required character can be given in the<br />
user template in square brackets after the name of the attribute. The count of characters of the attribute<br />
begins with 0, so that index 1 corresponds to the second character of the attribute value. Accordingly,<br />
[0].@firma.com means, an e-mail address will consist of the first letter of the<br />
first name plus the second name.<br />
A substring of the attribute value can be defined by declaring a scope within square brackets. In doing<br />
so, the index of the first required character and the index of the last required character plus one are to be<br />
entered. The input [2:5] returns the third to fifth character of the first name.<br />
Appending :lower or :upper to the attribute name converts the attribute value to lower or upper case, e.g.<br />
.<br />
Attention:<br />
If a user template is used for adding a user, this template will overwrite all the fields with the preset values<br />
of the template. In doing so, an empty field is set to ””. Thus, if the user template has ”” as the UNIX home<br />
directory, then this field is empty when the user is added, so that a value can be entered manually. If <strong>UCS</strong><br />
standard behaviour is desired, the standard values documented in this chapter should be entered into the<br />
template.<br />
Detailed documentation of attributes configurable within a user template can be found in Chapter 4.5.1.<br />
4.5.12.5 Locked values<br />
The data contained in the temporary container are created and used on a program-internal basis exclu-<br />
sively.<br />
The values of some of the attributes have to be unique. If a certain value is to be set, a search within the<br />
LDAP directory will be performed beforehand in order to check whether the value is already in use.<br />
132
4.5 <strong>Univention</strong> Directory Manager modules<br />
Values presently edited - and therefore not accessible for search - are locked during editing in order to<br />
ensure that these values are not used a second time. Such values are reserved for the editing process<br />
and cannot be utilised by any other process. Once editing is finished, the lock is lifted.<br />
In case of an error, a lock can sometimes persist by accident. To ensure an error-free operation, <strong>Univention</strong><br />
Directory Manager automatically releases locked values after a maximum locking time (five minutes).<br />
Locked values are stored in the appropriate containers beneath the temporary container, and are checked<br />
and, eventually, deleted in <strong>Univention</strong> Directory Manager like any other objects. Manual deleting is not<br />
recommended except in special cases:<br />
• If, due to an error, the lock was not lifted, and the value is to be used again before the locking time<br />
is expired. In such a case, it has to be ensured that the persistence of the lock is indeed due to an<br />
error, and not just to the fact that another process has made access to the value in the meantime.<br />
• The lock was lifted, yet the locked object was not automatically removed from<br />
cn=,cn=temporary,cn=univention,. Such objects do not disturb<br />
the program flow, they will be overwritten by <strong>Univention</strong> Directory Manager as soon as the necessity<br />
arises.<br />
’General’ tab<br />
Name (*)<br />
The name of the locked object. The name corresponds to the value to be set as the attribute.<br />
Locked until<br />
The time (in seconds), from 1 January 1970 onwards, when the object is automatically released after<br />
the expiry of the maximum locking time.<br />
4.5.12.6 Default values<br />
Certain default values can be set in the default object.<br />
’General’ tab<br />
Name (*)<br />
The name of the object. The name is fixed and cannot be changed so the box is shown in grey.<br />
’Primary groups’ tab<br />
Default values for the primary groups of different object types can be set on this tab.<br />
’Default Primary Group’ tab<br />
A default value for the primary group of users, which should be entered in advance when adding a<br />
133
4 <strong>Univention</strong> Directory Manager<br />
user object as the primary group of the user. As standard this is the Domain Users groups.<br />
’Default Computer Group’ tab<br />
The default value for the primary group for Windows computers, which should be selected in advance<br />
in the Machine account group selection list on the Machine account tab when adding a Windows<br />
computer. As standard this is the Windows Hosts group.<br />
’Default DC Master & Backup Server Group’ tab<br />
The default value for the primary group for domain controller master and domain controller backup<br />
computers. As standard this is the DC Backup Hosts group.<br />
’Default DC Slave Computer Group’ tab<br />
The default value for the primary group for domain controller slave computers. As standard this is the<br />
DC Slave Hosts group.<br />
’Default Member Server Group’ tab<br />
The default value for the primary group for member server computers. As standard this is the Com-<br />
puters group.<br />
’Default Client Computer Group’ tab<br />
The default value for the primary group for client computers. As standard this is the Computers<br />
group.<br />
’KDE Profiles’ tab<br />
Default KDE Profiles<br />
Absolute path to the profiles for the KDE graphic interface. The profiles are available when adding or<br />
editing a user on the [Desktop Settings] tab.<br />
As standard KDE profiles are saved in the /usr/share/univention-kde-profiles/ directory.<br />
The univention-kde-profile-builder program can be used to create packages from these<br />
profiles. The contained profiles are automatically saved in the standard directory during installation<br />
of these packages. Further information can be found in Chapter 9 bzw. [10].<br />
4.5.12.7 Default containers<br />
Distinguished Names (DN), which have to be known within the system, are stored in the object default<br />
containers. These include, for example, the DNs of the containers which are offered by the search function<br />
for restricting the search area, or DNs required by <strong>Univention</strong> Directory Manager or other programs, such<br />
as the storage location of licences.<br />
134
The DNs of the predefined containers are registered here by default.<br />
4.5 <strong>Univention</strong> Directory Manager modules<br />
To register a container as a standard container, the object default containers is to be opened in the<br />
univention container via the LDAP browser. There is a tab for each standard container type in this object,<br />
on which the list of standard containers can be edited. If, for example, the DN of a standard container for<br />
clients is to be added, then the Clients tab is to be selected, and the DN of the container to be defined as<br />
the standard container for clients is to be entered in the entry field standard client container. Alternatively,<br />
the DN can be entered automatically during adding or editing a container or an organisational unit (see<br />
chapter 4.5.8.1).<br />
’General’ tab<br />
Name (*)<br />
This field states the name of the object. For the standard container, this name is preset to default<br />
containers, and cannot be changed.<br />
’Users’ tab<br />
User Link<br />
The DNs of the containers to be used as standard containers for user objects, is to be entered here.<br />
’Groups’ tab<br />
Group Link<br />
The DNs of the containers to be used as standard containers for group objects, is to be entered here.<br />
’Computers’ tab<br />
Computer Links<br />
The DNs of the containers to be used as standard containers for client objects, is to be entered here.<br />
’Policies’ tab<br />
Policy Link<br />
The DNs of the containers to be used as standard containers for policy objects, is to be entered here.<br />
’DNS’ tab<br />
DNS Link<br />
The DNs of the containers to be used as standard containers for DNS objects, is to be entered here.<br />
135
4 <strong>Univention</strong> Directory Manager<br />
’DHCP’ tab<br />
DHCP Link<br />
The DNs of the containers to be used as standard containers for DHCP objects, is to be entered here.<br />
’Network’ tab<br />
Network Link<br />
The DNs of the containers to be used as standard containers for network objects, is to be entered<br />
here.<br />
’Shares’ tab<br />
Share Link<br />
The DNs of the containers to be used as standard containers for share objects, is to be entered here.<br />
’Printers’ tab<br />
Printer Link<br />
The DNs of the containers to be used as standard containers for printer objects, is to be entered here.<br />
’Mail’ tab<br />
Mail Link<br />
The DNs of the containers to be used as standard containers for mail objects, is to be entered here.<br />
’License’ tab<br />
License Link<br />
The DNs of the containers to be used as standard containers for licence objects, is to be entered<br />
here.<br />
4.5.12.8 Prohibited user names<br />
By adding a Settings: Prohibited user names object, a list of usernames can be defined, which may<br />
not be added by <strong>Univention</strong> Directory Manager. Thus the use of usernames can be prevented which, for<br />
example, already exist in a local password file. When migrating a Windows domain, user accounts with<br />
forbidden usernames are not migrated.<br />
136
’General’ tab<br />
Name (*)<br />
The name of the object which prohibits usernames.<br />
Prohibited user name<br />
4.5 <strong>Univention</strong> Directory Manager modules<br />
A list of usernames, the use of which in <strong>Univention</strong> Directory Manager is to be excluded.<br />
4.5.12.9 Package lists<br />
Software packages for the distribution of software can be compiled in Settings: Package List objects.<br />
Package lists are stored in the packages container. More detailed information can be found in Chap-<br />
ter 11.3.4.<br />
’General’ tab<br />
Name (*)<br />
The name of the package list.<br />
Package list<br />
The names of the software packages should be entered in this field that are to be installed or unin-<br />
stalled via software distribution.<br />
4.5.12.10 Services<br />
With Settings: Service objects, preset values can be defined which specify whether a <strong>UCS</strong> system is to<br />
offer a certain system service.<br />
The default values defined here can be assigned to individual computers in computer management (see<br />
’Services’ tab in the Chapter 4.5.4). This is currently supported on the <strong>Univention</strong> groupware server<br />
systems for the Kolab service and Scalix service.<br />
’General’ tab<br />
Service name (*)<br />
The name of the service to be offered by a <strong>UCS</strong> system.<br />
4.5.13 User-defined attributes<br />
One of the targets when developing <strong>UCS</strong> is the possibility for the operator to extend the system. Therefore,<br />
on the one hand <strong>UCS</strong> utilises open standards such as LDAP, on the other hand especially developed<br />
interfaces are documented and designed for extendibility. In <strong>Univention</strong> Directory Manager, user-defined<br />
137
4 <strong>Univention</strong> Directory Manager<br />
attributes offer a mechanism for assigning unused or newly created LDAP attributes to dialogue masks for<br />
objects managed by <strong>UCS</strong>, which can be freely configured. Furthermore, user-defined attributes make it<br />
possible to adjust existing settings.<br />
Creating user-defined attributes at the web front-end User-defined attributes are LDAP objects of the<br />
type Settings:Attribute which are stored in the LDAP directory under univention ➞custom attributes.<br />
All settings are stored in attributes of the object.<br />
138<br />
’General’ tab<br />
Name (*)<br />
The name of the LDAP object for storing the user-defined attribute. Within a container, the name has<br />
to be unique. In <strong>Univention</strong> Directory Manager, this name is used exclusively for the output of data<br />
via the command line interface.<br />
Required module (*)<br />
The <strong>Univention</strong> Directory Manager module which is to be extended by the user-defined attribute.<br />
The command univention-directory-manager modules can be used for displaying a list of<br />
all modules at the command line. Several modules can be added to the list via the Add button. For<br />
extending a group property, groups/group is to be entered here, for a user property, users/user.<br />
The major <strong>Univention</strong> Directory Manager modules are:<br />
Property of <strong>Univention</strong> Directory Manager"=Modul<br />
Users users/user<br />
Groups groups/group<br />
Computers computers/computer<br />
computers/domaincontroller_backup<br />
computers/domaincontroller_master<br />
computers/domaincontroller_slave<br />
computers/ipmanagedclient<br />
computers/macos<br />
computers/managedclient<br />
computers/memberserver<br />
computers/mobileclient<br />
computers/thinclient<br />
computers/windows
Tab name<br />
4.5 <strong>Univention</strong> Directory Manager modules<br />
The name of the tab at the <strong>Univention</strong> Directory Manager web front-end. Names of tabs belonging to<br />
the standard scope of <strong>UCS</strong> can also be entered. It has to be considered that only the user-defined<br />
attributes are displayed on the tabs. The range of possible settings in <strong>Univention</strong> Directory Manager<br />
can thus be extended or restricted. Some attributes, e. g. the expiry date of the password or the<br />
group membership, cannot be handled by user-defined attributes.<br />
Number on tab<br />
If several user-defined attributes are to be managed on one tab, the position of the individual attributes<br />
on the tab can be influenced here. A random number of attributes can be displayed on one tab.<br />
Description<br />
Short Description (*)<br />
This entry will be used as the title of the entry field in the <strong>Univention</strong> Directory Manager web front-end,<br />
and for changing the value via the <strong>Univention</strong> Directory Managerr command line interface. Umlauts<br />
may not be used for the short description.<br />
Long description<br />
This extended description will be displayed in the <strong>Univention</strong> Directory Manager web front-end as a<br />
tool tip.<br />
Object classes<br />
Object Class (*)<br />
The object class to which the attribute entered on the LDAP Mapping tab belongs. Schema defi-<br />
nitions define which attributes are provided by an object class. Every LDAP object which is to be<br />
extended by an attribute, has to contain the object class to which the desired attribute belongs.<br />
Delete object class<br />
If the value of a user-defined attribute in <strong>Univention</strong> Directory Manager is deleted, the attribute is<br />
removed from the LDAP object. If no further attributes of the object class registered as Object Class<br />
are used in this LDAP object, then the object class will also be removed from the LDAP object if this<br />
option is activated.<br />
’LDAP Mapping’ tab<br />
Syntax<br />
The data type of the LDAP syntax in the schema definition of the value to be managed for this<br />
attribute. Apart from standard data types for strings and integers, there are two possibilities for<br />
expressing a binary condition: TrueFalse is represented internally by the strings true and false, while<br />
139
4 <strong>Univention</strong> Directory Manager<br />
TrueFalseUpper corresponds to the OpenLDAP boolean values TRUE and FALSE. Additionally, it is<br />
possible to enter the name of a <strong>Univention</strong> Directory Manager syntax definition here. These definitions<br />
will be explained below.<br />
LDAP mapping (*)<br />
The name of the attribute where the values of the LDAP object are to be stored in. The attribute has<br />
to be included in the schema definition of the stated object class.<br />
Multivalue<br />
Specifies whether a single value or several values can be stored in the attribute. Permitted values<br />
to be entered are 1 for activated and 0 (default) for deactivated. The schema definition of the LDAP<br />
attribute specifies whether one or several instances of the attribute may be used in one LDAP object.<br />
Default value<br />
If a preset value is defined here, newly created objects will be initialised with this value. Existing<br />
LDAP objects remain unchanged.<br />
<strong>Univention</strong> Directory Manager syntax definitions The extended <strong>Univention</strong> Directory Manager syntax<br />
definitions make it possible to establish the permitted values for an attribute via an LDAP search. Moreover,<br />
user-defined attributes can be created the values of which are displayed for information purposes, but not<br />
stored, as a list at a foreign object (see, for example, the Referencing objects tab in chapter 4.5.11.2).<br />
The syntax definitions can be created via the LDAP browser of the <strong>Univention</strong> Directory Manager beneath<br />
the container cn=univention.<br />
For creating a new syntax definition, a new object of the type Settings: Syntax Definition is to be created<br />
in the desired container. In the subsequent dialogue, the following values are to be entered:<br />
140<br />
’General’ tab<br />
Syntax name (*)<br />
The unique name of the syntax definition.<br />
Short description<br />
An optional description of the syntax definition.<br />
LDAP search filter (*)<br />
This search filter is used for selecting the objects which define the set of permitted values.<br />
Example:<br />
(&(objectClass=univentionHost)(cn=a*))<br />
sucht alle Rechner"=Objekte, deren Name mit ’a’ beginnt.
Displayed attributes<br />
4.5 <strong>Univention</strong> Directory Manager modules<br />
Two select fields allow the selection of the object and the attribute to be displayed. When using<br />
the syntax definition in a user-defined attribute in <strong>Univention</strong> Directory Manager, solely the attribute<br />
selected here will be displayed. DN can be selected for displaying the LDAP DN of the object.<br />
Displayed LDAP attributes<br />
Instead of setting Displayed Attributes via the <strong>Univention</strong> Directory Manager modules in Attributes<br />
to be displayed, a list of LDAP attribute names can also be defined.<br />
Stored attribute<br />
The attribute to be stored when selecting an LDAP object, is selected via two fields. The attribute to<br />
be stored can differ from the attribute to be displayed. Example: In <strong>Univention</strong> Directory Manager, the<br />
staff member number of the users specified by a search filter can be displayed, whereas in the LDAP<br />
directory the pager number is stored. DN can also be stated for storing the LDAP DN of the object.<br />
Stored LDAP attribute<br />
Instead of setting the selection of attributes to be stored via the <strong>Univention</strong> Directory Manager mod-<br />
ules in Stored Attribute, the name of the LDAP attribute can also be directly defined.<br />
LDAP base<br />
The base entry in the LDAP directory service where the search is to start.<br />
Example:<br />
cn=branch2,cn=users,dc=ucs,dc=local<br />
Show only<br />
If this option is activated, the attribute will only be displayed as a list at the related object. The list<br />
elements are references pointing to the view of these objects.<br />
If a syntax definition thus created is to be used in a user-defined attribute, it is sufficient to state the syntax<br />
name of the syntax definition in the field Syntax of the user-defined attribute.<br />
4.5.14 Extended attributes<br />
To expand the aim of the administrator’s possibility to extend the <strong>UCS</strong> system, the mechanism of the<br />
user-defined attributes was developed further and the result provided to the user as extended attributes<br />
Extended attributes encompass the complete scope of functions of the user-defined attributes and offer<br />
additional, more in-depth possibilities to extend the <strong>Univention</strong> Directory Manager with your own settings<br />
masks.<br />
Creating extended attributes in the <strong>Univention</strong> Directory Manager web interface<br />
141
4 <strong>Univention</strong> Directory Manager<br />
Extended attributes are Settings: Extended attributes objects and created in the navigation (LDAP<br />
browser) under univention ➞custom attributes. All required settings are stored in attributes of the<br />
object.<br />
142<br />
’General’ tab<br />
Name (*)<br />
The name of the LDAP object which will be used to store the extended attribute. Within a container,<br />
the name has to be unique.<br />
Default short description (*)<br />
Used as title of the input field in the <strong>Univention</strong> Directory Manager web interface or as the attribute de-<br />
scription in the <strong>Univention</strong> Directory Manager command line interface. The standard short description<br />
should be compiled in English as this is the standard language for <strong>Univention</strong> Directory Manager.<br />
Default short description<br />
This long description is shown as a tool tip in the input fields in <strong>Univention</strong> Directory Manager web in-<br />
terface. This long standard description should be compiled in English as this is the standard language<br />
for <strong>Univention</strong> Directory Manager.<br />
Translated short description<br />
Translated short descriptions can be saved in several languages so that the title of extended attributes<br />
is also output with other language settings in the respective national language. This can be done by<br />
assigning the respective short description to a language code (e.g., de_DE or fr_FR) in this input<br />
field.<br />
Translated short description<br />
Additional information displayed in the tool tip for an extended attribute can also be saved for several<br />
languages. This can be done by assigning the respective long description to a language code (e.g.,<br />
de_DE or fr_FR) in this input field.<br />
UDM Web<br />
Tab name<br />
The name of the tab in the <strong>Univention</strong> Directory Manager web interface on which the extended at-<br />
tribute should be displayed. If the tab does not already exist, it will be created automatically. Names<br />
of tabs belonging to the standard scope of <strong>UCS</strong> can also be entered. The name of the tab should be<br />
compiled in English as this is the standard language for <strong>Univention</strong> Directory Manager.<br />
If no tab name is entered, user-defined will be used.<br />
Translated tab name<br />
If a user with different language settings logs on to <strong>Univention</strong> Directory Manager, the names of
4.5 <strong>Univention</strong> Directory Manager modules<br />
the tabs will also be translated accordingly. To ensure that extended attributes are also displayed<br />
on the correct tab when using a different language, translated tab names can be assigned to the<br />
corresponding language code (z.B. de_DE oder fr_FR) in this input field.<br />
Span both columns<br />
As standard all input fields are grouped into two columns. This option can be used for overlong input<br />
fields, which need the full width of the tab.<br />
Position number on tab<br />
If several extended attributes are to be managed on one tab, the order of the individual attributes on<br />
the tab can be influenced here. They are added to the end of the tab in question in ascending order<br />
of their numbers.<br />
If extended attributes have the same number, they are listed in a random order. If the difference<br />
between two consecutive numbers is larger than 1 and the first attribute is shown in the left column,<br />
the second will be displayed in the next line.<br />
If the Overwrite existing tab option is activated, the numbers will be used to overwrite an existing<br />
input field. The numbering of the input fields starts in the top left of the tab with 1.<br />
Overwrite existing widget<br />
In some cases it is practical to overwrite predefined input fields with extended attributes. If this option<br />
is activated, the input field located at the specified number will be overwritten with this extended<br />
attribute. It must be noted that this option can cause problems with compulsory fields.<br />
Overwrite existing tab<br />
If this option is activated, the tab in question is overwritten before the extended attributes are posi-<br />
tioned on it. This option can be used to hide existing input fields on a predefined tab. It must be noted<br />
that this option can cause problems with compulsory fields.<br />
Advanced tab<br />
Settings possibilities which are not often used can be placed on tabs with extended settings. These<br />
tabs are only visible when the Show the advanced settings option has been activated. If there is an<br />
extended attribute on the specified tab for which the Advanced tab is deactivated, this option will not<br />
be used.<br />
Add an empty value to choicelist<br />
If the attribute’s syntax offers a select list - e.g., a list of all computers - this option can be used to add<br />
an empty value as an additional selection.<br />
143
4 <strong>Univention</strong> Directory Manager<br />
144<br />
UDM General<br />
UDM CLI name of extended attribute (*)<br />
The specified attribute name should be used when employing the <strong>Univention</strong> Directory Manager<br />
command line interface. When the extended attribute is saved, the Name of the General tab is<br />
automatically adopted and can be subsequently modified.<br />
Options<br />
Some extended attributes can only be used practically if certain options are activated on the (Op-<br />
tions) tab. One or more options can optionally be saved in this input field so that this extended<br />
attribute is displayed or editable. Only existing options can be drawn on - it is not possible to define<br />
new options.<br />
Hook<br />
The functions of the hook class specified here are used during saving, modifying and<br />
deleting the objects with extended attributes. Additional information can be found at<br />
http://sdb.univention.de/1080 (currently only available in German).<br />
Needed module (*)<br />
The <strong>Univention</strong> Directory Manager module which is to be expanded with the extended attribute. The<br />
command univention-directory-manager modules can be used for displaying a list of all<br />
modules at the command line. Several modules can be added to the list via the Add button.<br />
To add a user property, the users/user module needs to be entered here, for example.<br />
The most important <strong>Univention</strong> Directory Manager" modules:<br />
Property of <strong>Univention</strong> Directory Manager moduke<br />
Users users/user<br />
Groups groups/group<br />
Computers computers/computer<br />
computers/domaincontroller_backup<br />
computers/domaincontroller_master<br />
computers/domaincontroller_slave<br />
computers/ipmanagedclient<br />
computers/macos<br />
computers/managedclient<br />
computers/memberserver<br />
computers/mobileclient<br />
computers/thinclient<br />
computers/windows
Data type<br />
Syntax<br />
4.5 <strong>Univention</strong> Directory Manager modules<br />
When values are entered, the <strong>Univention</strong> Directory Manager performs a syntax check so that no<br />
LDAP error messages appear when the values are subsequently saved. The syntax to be used is<br />
dependent on the LDAP scheme used and the intended application. Apart from standard syntax<br />
definitions (string) and (integer), there are three possibilities for expressing a binary condition: The<br />
syntax TrueFalse is represented at LDAP level using the strings true and false, while the syntax<br />
TrueFalseUppercorresponds to the OpenLDAP boolean values TRUE and FALSE and the syntax<br />
boolean does not save any value or the string 1.<br />
If no syntax is specified, the syntax string is used automatically. Custom syntax definitions which<br />
can also be used at this point are described in the user-defined attributes in Section 4.5.13.<br />
Default value<br />
If a preset value is defined here, new objects to be created will be initialised with this value. The value<br />
can still be edited manually during creation. Existing objects remain unchanged.<br />
Multi value<br />
This option establishes whether a single value or multiple values can be entered in the input mask.<br />
The scheme definition of the LDAP attribute specifies whether one or several instances of the attribute<br />
may be used in one LDAP object.<br />
May change<br />
This option establishes whether the object saved in the extended attribute can only be modified when<br />
saving the object, or whether it can also be modified subsequently.<br />
Value required<br />
If this option is active, a valid value must be entered for the extended attribute in order to create or<br />
save the object in question.<br />
Unsearchable<br />
If it should not be possible to search for an extended attribute in the search window of a wizard, this<br />
option can be activated to remove the extended attribute from the list of possible search criteria. For<br />
example, this can be the case when using your own, very special syntax definitions.<br />
Value not editable<br />
If this option is activated, the attribute cannot be modified by the administrator, neither at creation<br />
time, nor later. This is useful for internal state information configured through a hook function or<br />
internally inside a <strong>Univention</strong> Directory Manager module.<br />
145
4 <strong>Univention</strong> Directory Manager<br />
LDAP<br />
Object class (*)<br />
Object class to which the attribute entered under LDAP mapping belongs. In LDAP scheme def-<br />
initions it is established which LDAP attributes are provided by an LDAP object class. Each LDAP<br />
object which should be extended with an attribute is automatically extended with the LDAP object<br />
class specified here if a value for the extended attribute has been entered by the user.<br />
LDAP mapping (*)<br />
The name of the LDAP attribute where the values of the LDAP object are to be stored. The LDAP<br />
attribute must be included in the specified Object class.<br />
Delete object class<br />
If the value of a extended attribute in <strong>Univention</strong> Directory Manager is deleted, the attribute is removed<br />
from the LDAP object. If no further attributes of the registered object class are used in this LDAP<br />
object, the Objektklasse will also be removed from the LDAP object if this option is activated.<br />
<strong>UCS</strong> LDAP schema for customer extensions<br />
To keep the efforts required for small extensions in LDAP as low as possible, <strong>Univention</strong> Corporate Server<br />
has its own LDAP scheme for customer extensions. The LDAP object class univentionFreeAttributes<br />
can be used for user-defined attributes or extended attributes without restrictions. The LDAP object class<br />
offers 20 freely usable attributes (univentionFreeAttribute1 to univentionFreeAttribute20) and can be<br />
used in connection with any LDAP object (e.g., a user object).<br />
4.6 Policy-controlled Layouts for the Web Front-End of <strong>Univention</strong> Directory<br />
Manager<br />
The layout of <strong>Univention</strong> Directory Manager can be modified by policies in order to allow users a differen-<br />
tiated access to the functions of the <strong>Univention</strong> Directory Manager. The policy type <strong>Univention</strong> Directory<br />
Manager View makes it the possible to pre-define the available <strong>Univention</strong> Directory Manager modules<br />
for the users. Available modules include:<br />
146<br />
• About<br />
Shows information on the installed <strong>UCS</strong> version, the validity period of the <strong>UCS</strong> root certificate of the<br />
domain, and currently valid licences.<br />
• Browse<br />
By activating ’Browse’, the user is permitted direct access to the LDAP (see below under ’LDAP base<br />
DN’).<br />
• Personal settings<br />
Permits the user to define the settings of his user object at his own discretion (see below under ’Self<br />
tabs list’).
• Wizards<br />
4.6 Policy-controlled Layouts for the Web Front-End of <strong>Univention</strong> Directory Manager<br />
Besides the menu items ’About’, ’Browse’ and the ’Personal settings’, the wizards can be used as a<br />
simple means for modifying the LDAP directory (see below under ’Visible Web-Admin Wizards’).<br />
Besides the configuration of the menu items of <strong>Univention</strong> Directory Manager, presets for the LDAP<br />
Browser can also be specified. The attributes defined in the field Show these attributes in the navi-<br />
gation are displayed in the form of additional columns (see ➊ in Illustration 4.13). If the attribute values of<br />
the objects are not set, then the corresponding fields in the column will remain empty.<br />
When using the wizard’s search function, it is often helpful to have additional attribute values for the found<br />
objects displayed. In a similar way as in the LDAP Browser, the attribute values are displayed in additional<br />
columns ➋ (see Illustration 4.14). The scope of displayed attribute columns complies with the object type<br />
declared in the search ➌.<br />
With the standard setting, the layouts are defined by two policies: default-admins and default-users.<br />
These policies specify the layouts of administrators and the rest of the users, respectively, and can be<br />
found in the container policies ➞ users ➞ admin-settings.<br />
Below, the settings for the policy type ’<strong>Univention</strong> Directory Manager View’ are explained.<br />
<strong>Univention</strong> Directory Manager settings<br />
Name<br />
Name of the policy<br />
LDAP base DN<br />
If in Visible <strong>Univention</strong> Directory Manager modules the browse module was selected, an LDAP<br />
base DN can be entered here for restricting the access to the LDAP navigation. Once the setting has<br />
been made, the user can only access the mentioned Basis DN and its child objects.<br />
Visible <strong>Univention</strong> Directory Manager modules<br />
The <strong>Univention</strong> Directory Manager modules selected in this field are made available for the user in<br />
the main menu of <strong>Univention</strong> Directory Manager. Selecting the Wizards module makes it possible to<br />
define which wizards are being shown, via Visible Web-Admin Wizards.<br />
Visible <strong>Univention</strong> Directory Manager wizards<br />
The selected wizards are shown in the menu of <strong>Univention</strong> Directory Manager.<br />
Attention:<br />
If no entries are made here, all wizards will be shown. If no wizards are to be shown, None has to be<br />
selected.<br />
Visible tabs for personal settings<br />
If the Personal settings module was activated, elements of the user object can be selected in Visible<br />
tabs for personal settings, which are to be shown to and can be edited by the user. This setting<br />
can be used, for example, to permit a user to configure an e-mail forwarding.<br />
147
4 <strong>Univention</strong> Directory Manager<br />
148<br />
Show these attributes in search results<br />
If a search is performed via a wizard, additional attributes can be displayed in the results table, apart<br />
from the name and location of the objects. The attributes declared in Show these Attributes in<br />
search results are shown in the results table in the form of additional columns. If a certain attribute<br />
value of an object is not set, the corresponding field in the table will remain empty.<br />
Show these attributes in the navigation<br />
The output of the LDAP Browser can be extended by additional columns, which show the attribute<br />
values of the corresponding objects. The attributes declared in Show these attributes in the nav-<br />
igation are shown in the results table in the form of additional columns in the LDAP Browser. If a<br />
certain object does not have the stated attribute, then the corresponding field in the table will remain<br />
empty.<br />
Allow Personal <strong>Univention</strong> Directory Manager settings<br />
If this setting is activated, the user can modify the settings of the user view for his account at his own<br />
discretion. User-made settings relating to the <strong>Univention</strong> Directory Manager layout have priority over<br />
the presets of the relevant policy.<br />
Attention:<br />
If the option Allow personal <strong>Univention</strong> Directory Manager settings is activated, a user can ac-<br />
tivate all the wizards available for his account, and thus gains read access to the data stored in the<br />
LDAP directory, unless this access is restricted by LDAP Access Control Lists.
4.6 Policy-controlled Layouts for the Web Front-End of <strong>Univention</strong> Directory Manager<br />
Figure 4.11: Policies tab’<br />
149
4 <strong>Univention</strong> Directory Manager<br />
150<br />
Figure 4.13: Adapted layout in the LDAP Browser
4.6 Policy-controlled Layouts for the Web Front-End of <strong>Univention</strong> Directory Manager<br />
Figure 4.14: Adapted search for objects<br />
151
4 <strong>Univention</strong> Directory Manager<br />
152
5 <strong>Univention</strong> Management Console<br />
Contents<br />
5.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153<br />
5.2 Layout of the Web Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154<br />
5.2.1 Login Mask . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154<br />
5.2.2 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154<br />
5.3 Standard modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155<br />
5.3.1 System statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156<br />
5.3.2 Kernel modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157<br />
5.3.3 VNC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157<br />
5.3.4 System information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158<br />
5.3.5 <strong>Univention</strong> Configuration Registry . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158<br />
5.3.6 Printer administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159<br />
5.3.7 Process overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159<br />
5.3.8 Filesystem quotas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160<br />
5.3.9 System services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162<br />
5.3.10 Joining a domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163<br />
5.3.11 Package management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163<br />
5.3.12 Reboot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164<br />
5.3.13 Online update . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165<br />
5.4 Wizards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167<br />
5.1 Introduction<br />
5.4.1 Basis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167<br />
5.4.2 Nagios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168<br />
5.4.3 Mail server configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168<br />
<strong>Univention</strong> Management Console is a modularly designed, web-based application for the administration of<br />
individual <strong>Univention</strong> Corporate Server systems. The application allows the user to control services, check<br />
system utilisation, and check or adjust system parameters.<br />
The web interface of the <strong>Univention</strong> Management Console can be used by any client. The permission<br />
concept of <strong>Univention</strong> Management Console is based on policies. This makes it possible to define for<br />
each user or group the services they may influence, the extent of the exerted influence, and on which<br />
servers they may do so. In this way, for example, certain people can be assigned the permission to<br />
administrate the print service of one or a number of servers, whilst another group can only use the quotas.<br />
A further group could only be given a restricted permission to delete print jobs, but not restart paused<br />
153
5 <strong>Univention</strong> Management Console<br />
printers. This method permits a targeted authorisation of the required functions without confusing the<br />
user by a load of unnecessary options.<br />
By default, the members of the Domain Admins group have permission to use all modules and functions<br />
of the <strong>Univention</strong> Management Console.<br />
The operation of <strong>Univention</strong> Management Console is described in the following chapters. After some<br />
instructions on how to handle <strong>Univention</strong> Management Console and the diverse controlling elements and<br />
structures, the individual modules and functions will be explained in detail.<br />
5.2 Layout of the Web Interface<br />
With its web interface, <strong>Univention</strong> Management Console offers an easy way of performing administrative<br />
tasks from any client. The possibilities for the individual user depend to a large degree on which permis-<br />
sions are defined for this user.<br />
The following paragraphs comprise an illustrated description of the layout and operation of the user in-<br />
terface of the <strong>Univention</strong> Management Console. Details relating to the functionalities of the individual<br />
modules can be found in subsequent chapters.<br />
5.2.1 Login Mask<br />
The simplest way of accessing <strong>Univention</strong> Management Console is to enter the URL<br />
https:///umc/ in the address field of a web browser. Replace by the client<br />
name or by the IP address of the system, e. g. https://ucs-master.univention.local/umc/.<br />
Under special circumstances, it might be necessary to access <strong>Univention</strong> Management Con-<br />
sole via a secure connection. This can be the case if there haven’t been any SSL certifi-<br />
cates created yet for this system. Insecure access is performed via the http address, e. g.<br />
http://ucs-master.univention.local/umc/.<br />
Attention:<br />
In this case, passwords are transmitted in plain text across the network.<br />
The login mask is displayed as the welcome page for the user (see Illustration 5.1). He can log in via<br />
his username from the <strong>UCS</strong> domain and the appropriate password. Depending on the user’s authorisa-<br />
tions, the subsequent screens displayed in the web browser might look slightly different from the below<br />
screenshots.<br />
The Administrator account is generally used for administrative accesses.<br />
Also, the language of the user interface can be selected during login.<br />
5.2.2 Overview<br />
After successful login, and if sufficient permissions were assigned to the user, an overview of all available<br />
modules will be displayed as shown in Illustration 5.2. The display will only include modules to which the<br />
154
Figure 5.1: Login mask of <strong>Univention</strong> Management Console<br />
5.3 Standard modules<br />
user is granted access permission. For example, if a user has no permission for printer administration,<br />
then the corresponding module will be hidden.<br />
The Overview tab is always the first to be opened. The subdivision into tabs follows the layout of the<br />
<strong>Univention</strong> Directory Manager. In addition there are so-called categories in <strong>Univention</strong> Management Con-<br />
sole, which are displayed in the upper area of each tab. Illustration 5.2 shows an example in which the<br />
categories All modules, System, and Wizards are displayed in the tab. According to the presets, the<br />
category All modules is always the first in line.<br />
Starting from the Overview tab, the user can jump to the individual modules via the displayed icons. If<br />
the module has not yet been activated during the current session, then a new tab for this module will be<br />
opened and displayed automatically. If the module was already used, the existing tab will come to the<br />
front. Thus, several modules can be active, and the user can switch between modules via Overview. This<br />
means, if a long-term task is being performed in one module, the user is not compelled to wait for the end<br />
of the task; instead he can perform other tasks in other modules. At a later date, he can return to the initial<br />
module and check the status or results of the performed task, or abort the task. A tab can be closed via the<br />
Close button. However, this merely affects the display; the module will keep on working in the background<br />
until its task is finished.<br />
Apart from the Overview tab, there is the About tab. This tab contains information on the installed program<br />
version.<br />
5.3 Standard modules<br />
Having described the layout and navigation within <strong>Univention</strong> Management Console above, we will now<br />
address the individual functions of he standard modules in detail.<br />
155
5 <strong>Univention</strong> Management Console<br />
Figure 5.2: Overview page of <strong>Univention</strong> Management Console<br />
Some software packages include further UMC modules; the documentation for these modules can be<br />
found in the respective chapters or documentation.<br />
5.3.1 System statistics<br />
The utilisation statistic displays the utilisation of the system. For this purpose, a diagram is displayed for<br />
different periods:<br />
• The past 24 hours<br />
• The past week<br />
• The past month<br />
• The past year<br />
The following system information is documented:<br />
• The utilisation of the main memory in percent<br />
• The processor utilisation of the system<br />
• The number of terminal server sessions active<br />
• The utilisation of the swap file<br />
For the operation of this module, the univention-maintenance package has to be installed. If the package<br />
is not installed, a corresponding message will be displayed.<br />
156
5.3.2 Kernel modules<br />
5.3 Standard modules<br />
The module Kernel modules offers the possibility of loading or unloading existing kernel modules. The<br />
start page contains a search mask for searching kernel modules. Apart from selecting the module cat-<br />
egory, such as drivers/video or drivers/usb, and the name, the user can restrict the display to loaded<br />
modules.<br />
In the search list, each module will be displayed and can be loaded or unloaded after prior confirmation.<br />
5.3.3 VNC<br />
The VNC protocol (Virtual Network Computing) can be used to display graphic screen outputs from a<br />
distant computer on a local computer. This module allows the displaying of the desktop in the web browser,<br />
see Figure 5.3.<br />
Figure 5.3: Desktop in web browser<br />
Once the module has been loaded, a password must be entered, which can later be used to start the<br />
VNC session. The password is saved in an encrypted form in the .vnc/passwd file in the user’s home<br />
directory. If the file is deleted, the request is shown again.<br />
A check is then run to determine whether a VNC server is already running. If no VNC server is running,<br />
a VNC server can be started using the Start link. As soon as a VNC server is running, it can be stopped<br />
using the Stop VNC server link or a connection can be created to the VNC server. To do this, a java applet<br />
is loaded in the web browser and the <strong>UCS</strong> system can be accessed graphically in the web browser.<br />
157
5 <strong>Univention</strong> Management Console<br />
5.3.4 System information<br />
The system information module collects information relating to the hardware of the current system. This<br />
can then be requested in a support case, for instance. The transmission of the information is also used to<br />
broaden the database of hardware supported by <strong>UCS</strong>.<br />
All files are forwarded to <strong>Univention</strong> anonymously and only transferred once permission has been received<br />
from the user.<br />
The start dialogue contains the entry fields Manufacturer and Model, which must be completed with the<br />
values determined from the DMI information of the hardware. The fields can also be adapted and an<br />
additional Descriptive comment added.<br />
If the system information is transferred as part of a support request, the This is related to a support case<br />
option should be activated. A ticket number can be entered in the next field; this facilitates assignment and<br />
allows quicker processing.<br />
Clicking on Next offers an overview of the transferred system information. In addition, a compressed<br />
.tar archive is created, which contains a list of the hardware components used in the system and can be<br />
downloaded via Archive with system information.<br />
Clicking on Next again allows you to select the way the data are transferred to <strong>Univention</strong>. Upload trans-<br />
mits the data via HTTPS, Send mail (optional) opens a dialogue, which can be used to initiate sending<br />
via e-mail.<br />
5.3.5 <strong>Univention</strong> Configuration Registry<br />
The <strong>Univention</strong> Configuration Registry module is used to display and change <strong>Univention</strong> Configuration<br />
Registry variables. There is also the possibility of registering new <strong>Univention</strong> Configuration Registry vari-<br />
ables. Further information on <strong>Univention</strong> Configuration Registry can be found in Chapter 14.<br />
A search mask is displayed on the start page. Along with the category, search filters can also be selected<br />
for variable names, the value or the description. Following a successful search, the variables found are<br />
displayed in a table with the variable name, the value, the description and the category (see Figure 5.4.<br />
Clicking on the variable name opens the editing mask for a variable. The following settings can be made<br />
there:<br />
• the value<br />
• the category (e.g., desktop or mail)<br />
• the type (e.g., string)<br />
• the description in a number of languages<br />
A few core variables - e.g. the domain name - cannot be modified directly, but only indirectly by means of<br />
<strong>Univention</strong> System Setup or the UMC base wizards. These variables are displayed grayed-out. Changes<br />
using the command line frontend are still possible.<br />
Once changes have been made, the action can be completed with the Set button or cancelled with the<br />
Cancel button. The last search is then displayed.<br />
158
Figure 5.4: <strong>Univention</strong> Configuration Registry search mask<br />
5.3 Standard modules<br />
New <strong>Univention</strong> Configuration Registryvariables can be added in the subcategory Add. Unlike the editing<br />
mask, the name of the variable can also be given here; the page is otherwise structured identically.<br />
5.3.6 Printer administration<br />
This module offers the possibility of checking the status of individual printers, restarting paused printers or<br />
deleting print jobs out of the queue.<br />
The start page of the module contains a search mask with which the available printers can be selected.<br />
The results list displays the server, name, status, print quota properties, location and description of the<br />
respective printer. The status of more than one printer can be changed simultaneously by selecting the<br />
printers and running either the deactivate or activate function.<br />
Clicking on the printer name displays details of the selected printer. The information displayed includes<br />
a list of the print jobs currently in the printer queue. These print jobs can be deleted from the queue by<br />
selecting the jobs and running the [Delete] function.<br />
5.3.7 Process overview<br />
The module Process overview shows all current processes in a table. By default, a maximum of 50<br />
processes are displayed. The menu item Number of processes allows this value to be changed to 10,<br />
159
5 <strong>Univention</strong> Management Console<br />
Figure 5.5: List of available printers<br />
20, or all processes. In addition, the processes can be sorted according to several criteria:<br />
• CPU utilisation<br />
• Username<br />
• Resident size of working memory<br />
• Virtual size of working memory<br />
• Process ID<br />
After having changed the selection, the user can confirm the changes via Reload.<br />
5.3.8 Filesystem quotas<br />
The module for Filesystem quotas management offers the possibility of limiting or expanding the space<br />
on the hard drive that users are allowed to use for their files on the server. The space for each partition on<br />
a system can be limited individually here.<br />
If the Filesystem quotas module is selected in the Overview tab, a page is shown at the beginning which<br />
is similar to the 5.6 figure. This shows a list of all the available partitions of a computer. In addition to the<br />
partition names and the mount point, information on the size and available space is also shown. Further<br />
information which is important for quota management can be found in the Quota column: The deactivated<br />
status means that no quota settings can be made on the partition at this time. The support must firstly be<br />
160
Figure 5.6: List of partitions<br />
5.3 Standard modules<br />
activated. On the other hand, if the activated status is shown in the column next to partitions, the quota<br />
has already been activated.<br />
To activate this support for one or more partitions subsequently, it must be selected and activated in the<br />
table.<br />
If the quota management on a partition is activated, it is possible to change to the Partition overview<br />
category via the partition name in the table. This view shows details on current quota settings on the<br />
selected partition. An example of this can be seen in Figure 5.7.<br />
The quota settings for individual users can be added, deleted or changed here. There is an input mask for<br />
each task. The values inputted limit the file quantities for each user on the selected partition. In general,<br />
such limitations are defined by two values:<br />
Soft limit When this limit is met, the user is warned that he has reached his quota limit. This value must<br />
be smaller than the hard limit so that the user still has the possibility of deleting files.<br />
Hard limit When this limit is reached the user can no longer write on the partition. For example, if this<br />
applies to the home directory it can lead to problems with log-ins.<br />
These two limit values can be specified in different units.<br />
Files The soft and hard limits for files limit the quantity of user files by imposing a limit on the number of<br />
files created.<br />
Blocks The limitation of blocks applies to the file quantity in respect of the total size of all the user’s files<br />
in a partition.<br />
The difference between the soft and hard limits should be selected large enough to allow users sufficient<br />
time to clean up and save files.<br />
161
5 <strong>Univention</strong> Management Console<br />
Figure 5.7: Details on a partition<br />
Alternatively, group-based assignment is possible via univention-quota-group. The use is docu-<br />
mented under [11].<br />
5.3.9 System services<br />
On the System services start page, the current services are displayed in a table, as shown in Illustration<br />
5.8. Apart from its name and an icon, the status of each service is shown as well as the starting mode and<br />
a short description.<br />
At the end of the table several actions can be performed via a select list. The following actions are possible:<br />
• Invert selection<br />
• Select all<br />
• Start services<br />
• Stop services<br />
• Start automatically<br />
• Start manually<br />
• Start never<br />
The items Start automatically/manually refer to the start of the system.<br />
The option Start never additionally prevents the manual service start by the administrator.<br />
162
5.3.10 Joining a domain<br />
Figure 5.8: Overview of System Services<br />
5.3 Standard modules<br />
The <strong>Univention</strong> Management Consolemodule for joining a domain is described in Chapter <strong>2.4</strong>.1.2.<br />
5.3.11 Package management<br />
The Package management module helps install or uninstall software packages.<br />
A search mask is displayed on the start page in which the user can select the package category, a search<br />
filter (name or description) or whether installed software packages are to be displayed exclusively. An<br />
example dialogue can be found in Illustration 5.9. The results are displayed in a table with the following<br />
columns:<br />
• Package name<br />
• Section/category<br />
• Installation status<br />
• Package description<br />
Clicking the name of the software package opens a detailed information page with a comprehensive de-<br />
scription and the priority of the package, among other things. In addition, one or more buttons will be<br />
163
5 <strong>Univention</strong> Management Console<br />
Figure 5.9: Package management search mask<br />
displayed: Install is displayed if the software package is not installed yet; Uninstall is displayed if the soft-<br />
ware package is installed and Actualise is displayed if the software package is installed but not updated.<br />
Abort can be used for returning to the previous search request.<br />
5.3.12 Reboot<br />
The Reboot module can be used for restarting or shutting down the system.<br />
On the Reboot module page, the user can choose between shut-down or restart. Additionally, a system<br />
message can be entered which will be logged in /var/log/syslog.<br />
After confirmation via the Proceed button, the system message will be displayed on the screen, and the<br />
action will be performed immediately.<br />
164
5.3.13 Online update<br />
Figure 5.10: Reboot input mask<br />
The Online updates module allows the installation of version updates and security updates.<br />
5.3 Standard modules<br />
Figure 5.11 shows the overview page of the module. The currently installed version is displayed under<br />
Release updates in the upper part of the dialogue box.<br />
Figure 5.11: Online update module<br />
If a newer <strong>UCS</strong> version is available, a select list is displayed. Clicking on Install release updates presents<br />
a link to the release notes and after confirmation all updates up to the respective version are installed.<br />
Before the installation process is started, a message will be displayed informing the user of possible<br />
165
5 <strong>Univention</strong> Management Console<br />
restrictions of the server services during the update. Any intermediate versions are also installed automat-<br />
ically.<br />
Clicking on Install available security updates installs all the available security updates for the current<br />
release.<br />
Package updates activates an update of the package sources currently entered. This can be used, for<br />
example, if an updated version is provided for a component.<br />
The following configuration changes can be made in the Settings tab.<br />
Figure 5.12: Online update: repository settings<br />
The Repository server and, if applicable, a Repository prefix can be specified in Release settings. In<br />
addition, one can configure which repository options should be used:<br />
Use maintained repositories This is activated in the preset values and integrates the standard package<br />
repository.<br />
Use unmaintained repositories Further software for <strong>UCS</strong> releases can be found in the unmaintained<br />
repositories, which can be integrated with this option. As standard this is not activated.<br />
Use hotfix repositories This option can be activated in order to be able to use the <strong>Univention</strong> hotfixes.<br />
Further details can be found in Section 11.2.1.<br />
An overview of software components which expand the scope of function of <strong>Univention</strong> Corporate Server<br />
can be found under Component settings.<br />
The Add a new component button allows a new software component to be installed. Name identifies<br />
the component on the download server. A free text can be entered under Description, for example, for<br />
describing the functions of the component in more detail. The host name of the download server is to be<br />
entered in the input field Server name, and, if necessary, an additional file path in Prefix. A Username and<br />
166
Figure 5.13: Online update: component settings<br />
5.4 Wizards<br />
Password can be configured for download servers which require an authentication. A software component<br />
is only available in the Package management after it has been Enabled.<br />
All these settings can be subsequently made for components which are already configured, by clicking the<br />
Configure button in the list.<br />
The Version specifies for which <strong>UCS</strong> versions a component should be installed. If the field is left blank,<br />
the component is integrated for all currently installed minor releases, e.g., for an installation with <strong>UCS</strong> 2.3<br />
for <strong>UCS</strong> 2.0 to 2.3. Similarly, if current is entered in this field, all minor releases for this components are<br />
enabled, with the additional verification, however, that an update to a new minor release can only occur if<br />
the component for this minor release is also available.<br />
As with the standard repositories, components are differentiated between maintained and unmaintained<br />
components.<br />
5.4 Wizards<br />
<strong>Univention</strong> Management Console offers several wizards for performing standard procedures during the<br />
implementation of services. These wizards combine the basic settings of individual <strong>UCS</strong> components, and<br />
can be of particular help in during the initial implementation.<br />
5.4.1 Basis<br />
The Basis wizard has the purpose of performing basic settings of the <strong>UCS</strong> system; these include the<br />
following values:<br />
• Host name<br />
167
5 <strong>Univention</strong> Management Console<br />
• DNS domain name<br />
• LDAP basis<br />
• Windows domain name<br />
Affected system services will be restarted during the changes. Since these are basic settings, the overall<br />
system should also be restarted once all the changes are made.<br />
More information can be found in Chapter <strong>2.4</strong>.<br />
5.4.2 Nagios<br />
A telephone number can be entered here for Nagios. With this option, Nagios not only sends events to<br />
an e-mail address, an SMS is also sent to a mobile phone. More information can be found in the Nagios<br />
documentation [12].<br />
5.4.3 Mail server configuration<br />
Basic settings for the mail server are performed in the mail server wizard.<br />
168<br />
• Spam filtering<br />
This checkbox is used to activate/deactivate spam filtering. Further information can be found in<br />
Chapter 1<strong>2.4</strong>.<br />
• Virus detection<br />
This checkbox is used to activate/deactivate virus detection. Further information can be found in<br />
Chapter 12.5.<br />
• IMAP access<br />
IMAP access to mailboxes can be switched on and off here.<br />
• IMAP quota support<br />
This option can be used to enforce a setting so that the size of the inbox is checked when IMAP<br />
mailboxes are accessed.<br />
• POP3 access<br />
POP3 access to mailboxes can be switched on and off here.<br />
• Maximum message size<br />
The maximum size in bytes for acceptable e-mails can be set here.<br />
• Alternative e-mail address for root<br />
Many system servers send the root user status e-mails. An alternative recipient for the root user<br />
can be specified here.
6 <strong>Univention</strong> Virtual Machine Manager (UVMM)<br />
Contents<br />
6.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169<br />
6.1.1 Paravirtualisation / virtIO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169<br />
6.2 Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170<br />
6.3 Managing virtual machines with UVMM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171<br />
6.1 Introduction<br />
6.3.1 Creating a virtual instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171<br />
6.3.2 Modifying virtual machines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173<br />
6.3.3 Migration of virtual machines from failed virtualization servers . . . . . . . . . . . . . 178<br />
<strong>Univention</strong> Virtual Machine Manager (UVMM) is a management system for virtualisation servers and virtual<br />
machines. It offers the possibility of monitoring all the virtualisation servers (based on Xen or KVM)<br />
registered in the <strong>UCS</strong> domain and administrating the virtual instances on these systems.<br />
A <strong>Univention</strong> Management Console module forms the management interface; it can be installed on any<br />
system in the <strong>UCS</strong> domain (however, a domain controller is preferable). All virtualisation servers are then<br />
administrated from this management system.<br />
Section 6.2 describes the installation of the management system and the virtualisation servers and the<br />
functions of the <strong>Univention</strong> Management Console module.<br />
<strong>Univention</strong> Wiki (http://wiki.univention.de) includes a step-by-step quickstart guide [13] and fur-<br />
ther technical documentation as well as howtos [14]. (Currently only available in German)<br />
6.1.1 Paravirtualisation / virtIO<br />
In principle, the virtualised systems can run arbitrary operating systems. This mode of operation is called<br />
fully virtualised systems.<br />
KVM and Xen each offer interfaces to provide the virtualised systems with direct access to the resources<br />
of the virtualisation server. This considerably improves performance.<br />
In Xen, this technology is referred to as paravirtualisation. Current Linux systems support paravirtualisa-<br />
tion as standard; support drivers need to be installed for Microsoft Windows systems (see [14]).<br />
KVM offers the virtIO interface. This allows network and storage devices a direct connection to the KVM<br />
resources. This technology is comparable to paravirtualisation. When menu points in UVMM refer to<br />
paravirtualisation, this also includes virtIO.<br />
169
6 <strong>Univention</strong> Virtual Machine Manager (UVMM)<br />
UVMM supports both full virtualisation and paravirtualisation for virtualised systems. Using paravirtualisa-<br />
tion/virtIO is recommended.<br />
virtIO and Xen paravirtualisation drivers for Microsoft Windows are included in <strong>UCS</strong> as of version <strong>2.4</strong>-4.<br />
Installing the respective KVM or Xen packages provides ISO images, which can be added in the drive<br />
settings of a virtual machine. The images are added to the storage pool specified with the <strong>Univention</strong><br />
Configuration Registry variable uvmm/pool/default/path:<br />
• On Xen virtualization servers an ISO image named Xen Windows drivers (gplpv 308) is provided<br />
, which contains the GPLPV virtualization driver for Microsoft Windows.<br />
• On KVM virtualization servers an ISO and a floppy image named KVM Windows drivers (virtio<br />
1.1.16) is provided, which contains the virtIO virtualization driver for Microsoft Windows.<br />
6.2 Installation<br />
<strong>Univention</strong> Virtual Machine Manager comprises three different packages. They can all be selected di-<br />
rectly when installing the <strong>UCS</strong> system or alternatively installed subsequently via <strong>Univention</strong> Management<br />
Console.<br />
Virtual Machine Manager (UVMM) (Package: univention-virtual-machine-manager-daemon) This<br />
package must be installed on the management system. In doing so, both an additional service<br />
and the <strong>Univention</strong> Management Console module are set up. This package should be installed on<br />
a domain controller in the <strong>UCS</strong> domain. The installation on member servers requires additional<br />
configuration steps, which are documented in [14]. If UVMM is installed on a slave domain controller<br />
or backup domain controller, the package univention-virtual-machine-manager-schema needs to<br />
be installed on the master domain controller beforehand.<br />
Xen virtualisation server (Package: univention-virtual-machine-manager-node-xen) This package<br />
must be installed on each system which is to be used as a Xen-based virtualisation server.<br />
KVM virtualisation server (Package: univention-virtual-machine-manager-node-kvm) If KVM is to<br />
be used for the virtualisation, this package should be installed on the virtualisation servers.<br />
The two packages for the virtualisation servers register the service in the LDAP directory. Additionally, a<br />
particular kernel is installed on Xen systems, which is necessary to allow Xen to be used.<br />
When installing the virtualisation servers, only one virtualisation technology should be used per server.<br />
Xen and KVM are both equally supported by <strong>Univention</strong> Virtual Machine Manager. However, the technolo-<br />
gies have different advantages and disadvantages depending on the host systems and hardware used.<br />
For example, KVM requires virtualisation support in the central processing unit, while Xen can also virtu-<br />
alise (within limits) systems without support from the hardware. More detailed information can be found on<br />
their respective websites: http://www.linux-kvm.org/ and http://www.xen.org/.<br />
Additionally, the architecture must also be taken into account during installation of the virtualisation servers.<br />
64 bit systems can only be virtualised on <strong>UCS</strong> systems where are installed using the amd64 architecture.<br />
A 64-bit system (amd64) is recommended for use as the virtualisation server.<br />
Where possible, hard drives images should be accessed paravirtualised:<br />
170
6.3 Managing virtual machines with UVMM<br />
• In <strong>UCS</strong> systems installed under Xen or KVM, a paravirtualised access is automatically activated via<br />
the profile.<br />
• In Windows systems installed under Xen, no UVMM configuration adaptations are necessary; in this<br />
case, Windows drivers merely need to be subsequently installed on the machine. (See [14])<br />
• In Windows systems installed under KVM, paravirtualisation must be activated before beginning the<br />
Windows installation, see [14] and Section 6.3.2.<br />
6.3 Managing virtual machines with UVMM<br />
The <strong>Univention</strong> Management Console module Virtual machines (UVMM) offers the possibility to create,<br />
edit and delete virtual instances/machines and to change their status. In principle, these functions are<br />
independent of the virtualisation technology employed (Xen or KVM), however they may vary slightly de-<br />
pending on the hypervisor in use. The items that must be observed are illustrated in the following section<br />
on the description of the functions.<br />
Once the UMC module has been opened, a tree structure is displayed on the left-hand side, which gives<br />
an overview of the existing virtualisation servers and the virtual instances defined there.<br />
All the other entries in the tree structure can also be selected. If a virtualisation server is selected, an<br />
overview showing the status of the server itself and the existing virtual instances with CPU utilisation and<br />
memory requirements is listed. This overview can be seen in Figure 6.1. The Refresh button which can<br />
be seen in the top right can be used to refresh the information.<br />
Figure 6.1: Overview of a virtualisation server<br />
When selecting a virtual machine, the status can be seen from the symbol in the tree structure, i.e.,<br />
whether it is running, paused or stopped. As can be seen in Figure 6.2, the configurations are also shown<br />
in addition to the statistics when a virtual instance is selected. All the settings of the instance can be<br />
changed and saved here.<br />
6.3.1 Creating a virtual instance<br />
Virtual machines can be created in just a few steps in UVMM using a wizard.<br />
171
6 <strong>Univention</strong> Virtual Machine Manager (UVMM)<br />
Figure 6.2: Overview of a virtual instance<br />
In the first step a profile is selected (Figure 6.3) which specifies some of the basic settings for the virtual<br />
machine (e.g., a name prefix, number of CPUs, RAM and whether the direct access per VNC should be<br />
activated).<br />
The existing UVMM profiles are stored in the LDAP directory and can also be edited there. The<br />
profiles can be found in the Navigation section of <strong>Univention</strong> Directory Manager in the container<br />
cn=Profiles,cn=Virtual Machine Manager. Additional profiles can also be added there.<br />
The virtual machine is now given a Name (up to 25 characters) and a Description and assigned Memory<br />
and CPUs.<br />
The Enable direct access option specifies whether the machine can be accessed via the VNC protocol.<br />
This is generally required for the initial operating system installation.<br />
Now the disk drives of the virtual machines are configured. The setup is documented in Section 6.3.2.3.<br />
Clicking Finish concludes the creation of the virtual machine.<br />
172
6.3.2 Modifying virtual machines<br />
Figure 6.3: Assistant for creating a virtual machine<br />
6.3 Managing virtual machines with UVMM<br />
The overview page of a virtual machine is divided into multiple sections (Figure 6.4):<br />
173
6 <strong>Univention</strong> Virtual Machine Manager (UVMM)<br />
6.3.2.1 Snapshots<br />
Figure 6.4: Settings of a virtual machine<br />
UVMM offers the possibility to save the contents of the main and hard drive memory of a virtual machine in<br />
snapshots. This allows the administrator to revert to these snapshots at a later point in time, which makes<br />
them a useful “safety net” when installing software updates.<br />
Snapshots can only be used with KVM instances which access all their hard drive images in Qcow2 format.<br />
All snapshots are stored using copy-on-write (see 6.3.1) directly in the hard drive image file.<br />
Create new snapshot can be used to create a snapshot with the name of your choice, e.g., DC Master<br />
before update to <strong>UCS</strong> <strong>2.4</strong>-2. In addition to the description the time is saved when the snapshot is created.<br />
The following list shows all available snapshots ordered reverse-chronologically. Revert can be used to<br />
return the machine to an earlier snapshot and Delete can be used to remove a snapshot.<br />
174
6.3.2.2 Operations (Starting/stopping/suspending virtual machines)<br />
6.3 Managing virtual machines with UVMM<br />
Instances created via UVMM are turned off in the initial status. This status can changed in the overview<br />
of the respective virtualisation server in the respective list entry or in the overview of the virtual machine<br />
itself. In the latter case, there is an Operations section, in which the status can be set. The following<br />
possibilities exist:<br />
Start starts the virtual machine.<br />
Stop turns the virtual machine off. It must be noted that the operating system is not shutdown first, i.e., it<br />
should be compared with turning off a computer by pulling the power plug.<br />
Pause assigns the instance no further CPU time. This still uses the working memory on the virtualisation<br />
server, but the instance itself is paused.<br />
Suspend saves the contents of the machine’s system memory on the hard drive and does not assign the<br />
machine further CPU time, i.e., compared with Pause the working memory is also freed. Suspended<br />
machines can be restarted with Start. This function is only available on KVM-based virtualisation<br />
servers.<br />
Resume starts assigning the instance CPU time again, so that it continues in the state it was prior to the<br />
pausing.<br />
Remove Virtual instances no longer required can be deleted along with all their hard drives and ISO<br />
images. The images to be deleted can be selected from a list. It must be noted that ISO images and<br />
sometimes also hard drive images may still be used by other instances. They should only be deleted<br />
when they are no longer used by any instance.<br />
A further function which can be found in the Operations section of the overview is the possibility of migrat-<br />
ing a virtual machine to another virtualisation server. This works with both paused and running instances<br />
(live migration). The option is only displayed if at least two compatible virtualisation servers are available<br />
in the domain.<br />
During the migration it must be noted that the images of the mounted hard drives and CDROM drive must<br />
be accesible by both virtualisation servers. This can be achieved, for example, by storing the images in a<br />
central storage system. Notes on the setting up of this type of environment can be found under [14].<br />
6.3.2.3 Drives (Hard drives/CD-ROM/DVD-ROM/floppy)<br />
The Drives section contains a list of the defined drives with the type, image file and size as well as the<br />
assigned storage pool. At the end of each line there is a Delete button, which can be used to remove the<br />
drive (the image file can also optionally be deleted with it). In addition, a wizard can be used to create new<br />
hard drives and CDROM drives.<br />
Adding a drive If virtual hard drives are added, image files are usually used for the data keeping. An<br />
image file can either be generated for this purpose or an existing image file can be assigned to a virtual<br />
machine. Alternatively, a hard drive partition can also be assigned to a virtual machine via the Use a local<br />
device option.<br />
175
6 <strong>Univention</strong> Virtual Machine Manager (UVMM)<br />
Hard drive images can be administrated in two ways on KVM systems; by default images are saved in<br />
the Extended format (qcow2). This format supports Copy-on-write which means that changes do not<br />
overwrite the original version, but store new versions in different locations. The internal references of<br />
the file administration are then updated to allow both access to the original and the new version. This<br />
technique is a prerequisite for efficiently managing snapshots of virtual machines.<br />
Alternatively, you can also access a hard drive image in Simple format (raw). Snapshots can only be<br />
created when using hard drive images in Extended format.<br />
Only the Simple format is available on Xen systems.<br />
These image files are stored in so-called storage pools. Each virtualisation server already provides a<br />
storage pool with the name Local directory in the default setting. This can be found on the virtualisation<br />
servers in the /var/lib/libvirt/images directory.<br />
If a live migration of virtual machines between different virtualisation servers is planned, the storage pool<br />
must be stored on a system which can be accessed by all virtualisation servers (e.g., an NFS share or an<br />
iSCSI target). This is described in [14].<br />
Image files are created as sparse files with the specified size, i.e., these files only grow when they are<br />
used and then up to the maximally specified size and thus initially require only minimal disk space.<br />
It is also possible to provide a virtual machine with a disk drive via an image (in VFD format) or the<br />
passthrough of a physical drive.<br />
If drives are defined for a new virtual machine, it must be ensured that it is possible to boot from the<br />
CDROM drive. The UVMM profile specifies the boot order for the fully-virtualised instances in advance.<br />
For the paravirtualised instances, it is defined by the order on the definition of the drives and can be<br />
adapted subsequently in the settings section.<br />
Modifying a drive In the settings of a drive, Paravirtual drive allows specification of whether the access<br />
to the drive should be paravirtualised. Where possible, this setting should not be changed for a virtual<br />
machine which already has an operating system installed, as this may disrupt the access of partitions.<br />
If drives or network interfaces are subsequently added to a virtual instance, the utilisation of paravirtuali-<br />
sation is determined by heuristics.<br />
If installation of a KVM-based Windows system with the virtIO drivers is planned, the setting must be<br />
activated before beginning the Windows installation. Further information can be found under [14].<br />
6.3.<strong>2.4</strong> Network Interfaces<br />
When a virtual machine is created, it is automatically assigned a network card with a randomly generated<br />
MAC address.<br />
This menu contains a list of all network cards; in addition, new cards can be added or existing ones edited.<br />
The Type specifies the network connection. In the basic settings, a Bridge on the virtualisation server is<br />
used to access the network directly. The virtual instance uses its own IP address for this.<br />
176
6.3 Managing virtual machines with UVMM<br />
NAT network cards are defined in a private network on the virtualisation server. To do so, the virtual<br />
machine(s) must be assigned an IP address from the 192.168.122.0/24 network. This virtual instance is<br />
granted the access to the external network via NAT, so that the access is performed via the virtualisation<br />
server’s IP address.<br />
The UVMM servers are already preconfigured for both types of network cards. However, there are restric-<br />
tions for bridged network cards. On the UVMM servers, the physical network card to which the standard<br />
route is set, is converted to a bridge in the default setting. If additional network cards are integrated in<br />
the server, these are not adapted accordingly. If several bridge network cards are required in a virtual<br />
instance, an additional network card must be configured as a bridge on the server in advance. If a bridge<br />
is used, the Source of the network interface used can be selected.<br />
NAT network cards are only restricted by the IP addresses available in the 192.168.122.0/24 network.<br />
The Driver can be used to select what type of card will be provided. The Realteak RTL-8139 is supported<br />
by almost all operating systems, the Intel Pro-1000 offers advanced abilities and a Paravirtual device<br />
offers the best performance.<br />
The MAC address is generated automatically, but may also be subsequently changed.<br />
6.3.2.5 Settings<br />
The basic settings of a virtual machine can only be changed if it is turned off.<br />
Name defines the name of the virtual machine. This does not have to be the same as the name of the<br />
host in the LDAP directory.<br />
Operating System can contain a description of the virtual instance or of the operating system used.<br />
Contact defines the contact person for the virtual machine, e.g., in the form of an e-mail address.<br />
Description can describe the function of the virtual machine, e.g. mail server.<br />
Architecture specifies the architecture of the emulated hardware. It must be noted that virtual 64 bit<br />
machines can only be created on virtualisation servers using the amd64 architecture. This setting is<br />
not shown on i386 systems.<br />
Number of CPUs defines how many virtual CPUs are assigned to the virtual instance.<br />
Memory specifies the size of the system memory.<br />
6.3.2.6 Extended settings<br />
The extended settings of a virtual machine can only be changed if it is turned off.<br />
Virtualization Technology shows the technology used for virtualisation. This setting can only be speci-<br />
fied when creating a virtual instance.<br />
Boot order specifies the order in which the emulated BIOS of the virtual machine searches the drives<br />
for bootable media. This setting is only available for fully-virtualised instances. In paravirtualised<br />
instances, the Set as boot device option can be used in the drive settings.<br />
177
6 <strong>Univention</strong> Virtual Machine Manager (UVMM)<br />
Direct access defines whether VNC access to the virtual machine is available. If the option is activated,<br />
the UMC module can be used to start a VNC program directly. The VNC URL is displayed in a tool tip.<br />
A Java VNC program is used for this in the default setting. By switching the <strong>Univention</strong> Configuration<br />
Registry variable uvmm/umc/vnc to the value of external, an external program can be used instead.<br />
This requires the web browser on the workstation computer to be configured properly to handle the<br />
URI scheme vnc://.<br />
Available globally defines whether the VNC remote access is also possible from remote systems. If the<br />
option is not activated, the VNC session can only be accessed from the virtualisation server.<br />
Password sets a password for the VNC connection.<br />
Keyboard layout defines the layout for the keyboard in the VNC session.<br />
6.3.3 Migration of virtual machines from failed virtualization servers<br />
As of <strong>UCS</strong> <strong>2.4</strong>-4, information about the virtual machines running on the virtualization servers is stored<br />
centrally via the <strong>Univention</strong> Virtual Machine Manager. If the image files of the virtual machines are stored<br />
in a storage pool, the machine can be migrated to another server and restarted there if a virtualization<br />
server fails.<br />
How to set up one of these storage pools is documented in the <strong>Univention</strong> Wiki [14] and is a prerequisite<br />
for migrations.<br />
If a server fails (failure detection is performed periodically every 15 seconds), the server and the virtual<br />
instances operated on it are identified as inactive with a red symbol, a warning appears (see Figure 6.5)<br />
and Migrate is offered as the only operation in the menu.<br />
178<br />
Figure 6.5: Migrating a failed virtual machine from a failed virtualization server
6.3 Managing virtual machines with UVMM<br />
Following the migration, the virtual instance is no longer displayed in the overview tree of the failed virtual-<br />
ization server in the UVMM, but it is not possible for UVMM to report back to the virtualization server as it<br />
is no longer available.<br />
Attention:<br />
It must be ensured under all circumstances that the virtual machine on the original and the secondary<br />
server are not started in parallel; this would involve their both writing in the image files simultaneously,<br />
which would result in data loss. If virtual machines are started automatically after startup, simultaneous<br />
access must be prohibited by disconnecting the network connection or restricting access to the storage<br />
pool.<br />
If the failed computer is reactivated - e.g., in the case of a temporary power failure - the virtual machines re-<br />
main available on the system locally and are reported to UVMM; consequently, there are then two versions<br />
of the instance.<br />
As such, one of the two instances should subsequently be deleted. However, the employed image files for<br />
the drives should not be deleted at the same time.<br />
179
6 <strong>Univention</strong> Virtual Machine Manager (UVMM)<br />
180
7 <strong>UCS</strong> Directory service<br />
Contents<br />
7.1 Overview<br />
7.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181<br />
7.2 Logging of LDAP changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181<br />
7.2.1 Installation and setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181<br />
7.2.2 Format of the log file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182<br />
7.3 Timeout for inactive LDAP connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182<br />
7.4 Configuration of LDAP ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183<br />
7.4.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183<br />
7.4.2 Definition of objects for which a rule applies (access to) . . . . . . . . . . . . . . . . 184<br />
7.4.3 Definition of the access permissions on the objects . . . . . . . . . . . . . . . . . . . 184<br />
7.4.4 Definition of the permission on the objects . . . . . . . . . . . . . . . . . . . . . . . . 185<br />
7.4.5 Definition of the handling of further rules with applied rules . . . . . . . . . . . . . . 185<br />
7.4.6 Delegation of the privilege to reset user passwords . . . . . . . . . . . . . . . . . . . 186<br />
<strong>Univention</strong> Corporate Server saves domain-wide data in a LDAP directory service based on OpenLDAP.<br />
This chapter describes the advanced configuration and coordination of OpenLDAP. Alongside the logging<br />
of LDAP modifications there is also the possibility of adapting the access control lists to the directory<br />
service.<br />
7.2 Logging of LDAP changes<br />
The univention-directory-logger package allows logging of all changes in the LDAP directory<br />
service. In addition, an integrated hash sum ensures that no changes can be deleted from the log file.<br />
7.2.1 Installation and setup<br />
Logging is activated as standard following installation of the package and can be deactivated using the<br />
<strong>Univention</strong> Configuration Registry variable ldap/logging (yes/no).<br />
Individual areas of the directory service can be excluded from the logging. These branches can be config-<br />
ured over the ldap/logging/exclude1, ldap/logging/exclude2 etc. variables. As standard the<br />
container is excluded in which temporary objects are stored (cn=temporary,cn=univention,Base-DN).<br />
181
7 <strong>UCS</strong> Directory service<br />
Logging of the LDAP changes is effected by a <strong>Univention</strong> directory listener module. The univention-<br />
directory-listener service should be restarted if changes are made to the <strong>Univention</strong> Configuration Reg-<br />
istry.<br />
7.2.2 Format of the log file<br />
Changes to the directory service are documented in the /var/log/univention/directory-logger.log<br />
file as a series of data records in the following format:<br />
START<br />
Old hash: <br />
DN: <br />
ID: <br />
Modifier: <br />
Time stamp: <br />
Action: <br />
Old values:<br />
<br />
New values:<br />
<br />
END<br />
There are three types of changes:<br />
• For added entries (add), only the New Values section appears.<br />
• For changed entries (modify), both the New Values section and the Old Values section appear.<br />
• For deleted entries (delete), only the Old Values section appears.<br />
A hash sum is calculated for each logged data record and documented as a line in the daemon.info<br />
section of the Syslog service in the following format:<br />
directory_logger:<br />
DN=<br />
ID=<br />
Modifier=<br />
Timestamp=<br />
New Hash=<br />
The new hash sum is also saved in the /var/lib/univention-directory-logger/cache file to<br />
allow further rotation of the directory-logger.log via Logrotate. Both files are saved in such a way<br />
that read access is limited to the root Posix user and the adm Posix group.<br />
As each data record contains the hash value of the old data record, manipulations of the log file - such as<br />
deleted entries - can be uncovered.<br />
7.3 Timeout for inactive LDAP connections<br />
The LDAP server accepts 1024 connections as standard. When many clients create connections which<br />
they only use sporadically, the point may come when the LDAP server cannot accept any more connec-<br />
182
tions.<br />
7.4 Configuration of LDAP ACLs<br />
The <strong>Univention</strong> Configuration Registry variable ldap/idletimeout is used to configure a time period<br />
in seconds after which the connection is cut off on the server side. When the value is set to 0, no expiry<br />
period is in use.<br />
The nssldap/idle/timelimit variable can be used to set the timeout for the NSS-LDAP interface.<br />
When this runs out libnss-ldap shuts down the connection to the LDAP server itself and recreates it for<br />
the next request.<br />
When a value is set for ldap/idletimeout, a smaller value should be chosen for<br />
nssldap/idle/timelimit.<br />
7.4 Configuration of LDAP ACLs<br />
7.4.1 Introduction<br />
Access to the information contained in the LDAP directory is controlled by Access Con-<br />
trol Lists (ACLs) on the server side. The ACLs are defined in the central configuration<br />
file /etc/ldap/slapd.conf and managed using <strong>Univention</strong> Configuration Registry. The<br />
slapd.conf is managed using a multifile template; further ACL elements can be added<br />
below /etc/univention/templates/files/etc/ldap/slapd.conf.d/ between the<br />
60univention-ldap-server_acl-master and 70univention-ldap-server_acl-master-end<br />
files or the existing templates expanded upon.<br />
The standard permissions of the LDAP server make it possible for each user to read all attributes and<br />
changes to be made exclusively through a special account: the root DN.<br />
In addition, <strong>UCS</strong> offers a number of further ACLs installed as standard which suppress access to sensitive<br />
files (e.g., the user password) and establish rules which are necessary for operation (e.g., necessary<br />
accesses to computer accounts for log-ins). The read and write access to this sensitive information if only<br />
intended for members of the Domain Admins group. Nested groups are also supported. The <strong>Univention</strong><br />
Configuration Registry variable ldap/acl/nestedgroups can be used to deactivate the nested groups<br />
function for LDAP ACLs, which will result in a speed increase for directory requests.<br />
Each rule comprises up to four elements:<br />
• Which object in the LDAP is the rule applied to?<br />
• Which users will be assigned the permission?<br />
• Which permission will be assigned?<br />
• How should further rules be handled?<br />
If errors should be investigated during ACL processing, it is advisable to set the log level of the LDAP<br />
server to 129 using the <strong>Univention</strong> Configuration Registry variable ldap/debug/level and restart the<br />
LDAP server. The debug output can be found in /var/log/syslog.<br />
ACL expansions should be packaged in Debian package format where possible so that the adapted ACLs<br />
can be installed easily on domain controller backup systems.<br />
183
7 <strong>UCS</strong> Directory service<br />
If ACL settings are subsequently relaxed, replication problems may arise if change transactions<br />
apply to an object which was formerly subject to stricter ACLs. In this case it is recom-<br />
mended to start a new replication on the slave domain controller and backup systems using the<br />
univention-directory-listener-ctrl resync replication command.<br />
7.4.2 Definition of objects for which a rule applies (access to)<br />
Access rules are implemented via access to access directives. Rules can be defined on three different<br />
classes of objects. These can be used in any combination:<br />
• The directive can be assigned to a DN, i.e., to an unique position in the LDAP directory. For example,<br />
the identifying part of the directive, which allows access to a database administration account would<br />
look as follows:<br />
access to dn="uid=databaseadmin,cn=users,dc=company,dc=com"<br />
The DNs can also be defined with a regular expression. The regular expressions are given here in<br />
the POSIX standard:<br />
access to dn.regex="cn=.*,cn=dc,cn=computers,dc=company,dc=com"<br />
• The directive can be defined using a LDAP filter. For example, the access can be limited to MAC<br />
addresses using an object class.<br />
access to filter="(objectClass=macAddress)"<br />
• The attributes affected by the directive can be defined using attrs, the following uses the user and<br />
group IDs as an example:<br />
access to attrs=uidNumber,gidNumber<br />
7.4.3 Definition of the access permissions on the objects<br />
Each permission directive starts with the by statement. It determines which user can access the object<br />
specified in the access directive. A number of syntax possibilities are available here:<br />
Each definition of users with access permissions is followed by the assigned permission and optionally an<br />
option, which controls the manner in which subsequent rules are controlled; see the following Sections:<br />
184<br />
• * applies the rule to all users.<br />
• Non-authenticated accesses are covered by anonymous. This makes it possible, for example, to<br />
allow access to an attribute necessary for an authentication only for the authentication phase and<br />
block it for users who are already logged on.<br />
• The opposite to the above-mentioned anonymous is users.<br />
• The self rule defines the accessing object’s access to its own attributes. This allows a user or<br />
computer object to change its own attributes.<br />
• dn can be used to specify the access using the accessing object’s DN. This can be entered in<br />
different forms:
– Using a concrete DN via dn.base, e.g., via<br />
by dn.base="uid=database-admin,cn=users,dc=company,dc=com"<br />
– Using a regular expression, e.g., via<br />
by dn.regex="cn=.*,cn=dc,cn=computers,dc=company,dc=com"<br />
7.4 Configuration of LDAP ACLs<br />
• group can be used to set the permission for a member of a group. In addition, the object class of<br />
the group object and the attribute must be specified, which identifies a member. A group permission<br />
in <strong>UCS</strong> looks as follows:<br />
by group/univentionGroup/uniqueMember="cn=Domain Admins,cn=groups,dc=company,dc=com"<br />
• peername, sockname and domain allow the definition of the socket file name or the network origin<br />
of the accessing user. Some examples:<br />
by sockname="PATH=/var/run/slapd/ldapi"<br />
by peername.ip=127.0.0.1<br />
by domain.subtree=example.com<br />
7.4.4 Definition of the permission on the objects<br />
Each by directive is completed with the assigned permission. The rules are ordered hierarchically with<br />
each following rule receiving all the privileges of its predecessor.<br />
• none denies every access.<br />
• disclose denies the access but still issues an error warning.<br />
• auth limits access to authentication and authorisation requests.<br />
• compare limits the access to compare operations.<br />
• search limits the access to search requests.<br />
• none allows read-only access.<br />
• write allows write access.<br />
7.4.5 Definition of the handling of further rules with applied rules<br />
For each by directive there are three possibilities for controlling how further rules are handled:<br />
• As standard the processing of further access rules is stopped when a rule applies. This can also be<br />
fixed explicitly using a stop directive.<br />
• continue allows the processing of further permission rules within an access rule.<br />
• break checks further access rules to see whether they apply.<br />
185
7 <strong>UCS</strong> Directory service<br />
7.4.6 Delegation of the privilege to reset user passwords<br />
To facilitate the delegation of the privilege to reset user passwords, the univention-admingrp-user-<br />
passwordreset package can be installed. It uses a join script to create the User Password Admins<br />
user group, in so far as this does not already exist.<br />
Members of this group receive the permission via additional LDAP ACLs to reset the passwords<br />
of other users. These LDAP ACLs are activated automatically during the package installation. To<br />
use another group, or a group that already exists, instead of the User Password Admins group,<br />
the DN of the group to be used can be entered in the <strong>Univention</strong> Configuration Registry variable<br />
ldap/acl/user/passwordreset/accesslist/groups/dn.<br />
Passwords can be reset via <strong>Univention</strong> Directory Manager. In the default setting, <strong>Univention</strong> Directory<br />
Manager only offers the user wizard to the Administrator user, which allows the setting of new passwords.<br />
During the installation a new default-user-password-admins policy is created automatically, which can<br />
be linked to the members of the User Password Admins group and/or a corresponding container in the<br />
LDAP directory.<br />
The policy makes it possible to search for users and create an overview of all the attributes of a user object.<br />
If an attempt is made to modify further attributes in addition to the password when the user does not have<br />
sufficient access rights to the LDAP directory, <strong>Univention</strong> Directory Manager denies him write access with<br />
the message Permission denied.<br />
Attention:<br />
The package should be installed on the domain controller master and the domain controller backup sys-<br />
tems. During the installation, the LDAP server is restarted and is thus temporarily unavailable.<br />
To prevent the resetting of the passwords for certain users (e.g., domain administrators), the UIDs of the<br />
users to be protected can be entered, separated by commas, in the <strong>Univention</strong> Configuration Registry<br />
variable ldap/acl/user/passwordreset/protected/uid. Once a variable has been changed, it is<br />
necessary to restart the LDAP directoy service using the /etc/init.d/slapd restart command for<br />
the changed LDAP ACLs to take effect. In the default setting, the Administrator user is protected against<br />
having his password changed by the User Password Admins group.<br />
If access to additional LDAP attributes should be necessary for changing the pass-<br />
word, the attribute names can be expanded in <strong>Univention</strong> Configuration Registry variable<br />
ldap/acl/user/passwordreset/attributes. After the change, the LDAP directory service<br />
must be restarted for the change to take effect. This variable is already set appropriately for a <strong>UCS</strong><br />
standard installation.<br />
186
8 Services for Windows<br />
Contents<br />
8.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187<br />
8.2 <strong>Univention</strong> Corporate Server and Samba . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187<br />
8.2.1 Authentication Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188<br />
8.2.2 File server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188<br />
8.2.3 Print server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189<br />
8.<strong>2.4</strong> NetBIOS Network Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189<br />
8.3 Building Samba domains with <strong>UCS</strong> . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189<br />
8.4 Extended Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190<br />
8.1 Introduction<br />
8.4.1 Trust relationships . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190<br />
8.4.2 WINS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195<br />
8.4.3 NETLOGON share . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196<br />
8.4.4 Creating objects in the LDAP directory using Samba . . . . . . . . . . . . . . . . . . 197<br />
8.4.5 Configuring Windows user accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . 197<br />
8.4.6 Configuring Samba servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200<br />
For the purposes of Windows systems, <strong>Univention</strong> Corporate Server can assume the tasks of Windows<br />
server systems. These tasks comprise, among other things, the functions of a domain controller as well<br />
as file services and authentication services within Samba domains.<br />
Printer services can also be provided over Samba. Trust relationships are possible between Samba and<br />
Windows domains.<br />
Alongside the chapters listed here there is also further documentation available on the topics of Windows<br />
domain migration with <strong>UCS</strong> [15] and the automatic installation of Windows clients with <strong>UCS</strong> [4].<br />
8.2 <strong>Univention</strong> Corporate Server and Samba<br />
In the following, a domain with domain controllers based on <strong>UCS</strong> with the Samba component in which the<br />
members communicate using the SMB/CIFS protocol amongst other things is called a Samba domain.<br />
In the following, a domain with domain controllers based on Microsoft Windows NT in which the members<br />
also communicate using the SMB/CIFS protocol is called a Windows NT domain. The same applies for<br />
Windows 2000/2003 etc. domains.<br />
The program Samba serves as a kind of switchboard between the Windows clients and the <strong>UCS</strong> server.<br />
187
8 Services for Windows<br />
With this program a <strong>UCS</strong> server can adopt the role of a member server and the role of a primary domain<br />
controller (PDC) or a backup domain controller (BDC) in the domain (More information on server roles can<br />
be found in Chapter 2.1.<br />
Thus, the combination Samba/OpenLDAP is a hybrid between Windows NT domains and Active Directory.<br />
From the perspective of a Windows client, it is a Windows NT domain. <strong>Univention</strong> AD Connector can be<br />
used for connecting an Active Directory service.<br />
However, as far as the administration of user, group and computer information is concerned, it is a complete<br />
directory service based solution with all of its advantages.<br />
Attention:<br />
Replication between Windows-based and Linux-based domain controllers is not implemented in Samba as<br />
standard. <strong>Univention</strong> can, however, provide Samba BDC packages for <strong>UCS</strong>, with which a <strong>UCS</strong> system can<br />
be operated under a Windows NT PDC (primary domain controller) in a Windows NT domain as a BDC<br />
(backup domain controller). Otherwise only domain controllers with the same directory service can be used<br />
within one domain, so that changes can be replicated to the other directories from the changed master<br />
directory. That means that without the expansion mention above, it is not possible to operate Windows-<br />
based domain controllers and Samba-based domain controllers with OpenLDAP in one domain. Notes on<br />
the synchronisation of directory service objects with Windows 2000/2003/2008 with Active Directory can<br />
be found in the documentation for the <strong>Univention</strong> Active Directory Connector [16]<br />
Further reading on Samba can be found on the website http://www.samba.org/.<br />
8.2.1 Authentication Service<br />
The passwords are stored in the LDAP directory. Users are authenticated against the LDAP directory<br />
when logging into the domain with their username and password, and can then access all the shared<br />
resources of the domain without having to enter their username and password again. Computers with any<br />
kind of Windows operating systems are authenticated in the same way as in Windows NT domains, via<br />
the NTLMv2 protocol.<br />
8.2.2 File server<br />
Users working on Windows clients can also store their files on an <strong>UCS</strong> server. This process is transparent<br />
for the users since they can store their files on a drive, as with Windows. Per default the home directories<br />
of all users are shared by Samba and assigned as drive I: after login. <strong>Univention</strong> Directory Manager allows<br />
the drive letters to be adapted in a comfortable way for each user (see chapter 4.5.1, tab Windows).<br />
The share management of <strong>Univention</strong> Directory Manager makes it possible for users to share other direc-<br />
tories of the Linux file system within the domain in the form of Windows shares (see chapter 4.5.5).<br />
Recommendable file systems on the Linux side are ext3 and XFS. These file systems allow the use of<br />
Access Control Lists (ACLs) and disk space restrictions (quotas) for users or user groups. Both of these<br />
features can be configured under Windows.<br />
188
8.2.3 Print server<br />
8.3 Building Samba domains with <strong>UCS</strong><br />
Samba offers the possibility of sharing printers set up under Linux as network printers for Windows clients.<br />
In <strong>UCS</strong>, printers can be configured in the <strong>Univention</strong> Directory Manager printer management (see Chap-<br />
ter 4.5.7). When doing so, it is possible to use a printer driver coordinated for the printer in question on the<br />
client or to set a PostScript printer driver for all printers, whereby the Linux print system then converts the<br />
PostScript into the appropriate printer language.<br />
The second solution (PostScript) offers the advantage that no further printer driver administration is re-<br />
quired on the Windows side. On the other hand, PostScript printer drivers cannot satisfy certain require-<br />
ments of some printer models, so that the use of Windows printer drivers may be necessary in these<br />
cases. These drivers can be provided centrally on the Samba server and are available to all Windows<br />
clients.<br />
As standard, <strong>UCS</strong> uses Common UNIX Printing System (CUPS) as the spool system for Linux. CUPS<br />
is ideally suited because it supports a large number of printers and printer protocols. In addition, CUPS<br />
offers a web interface which allows local changes such as printer restarts.<br />
8.<strong>2.4</strong> NetBIOS Network Service<br />
Windows systems use NetBIOS as a network protocol for resolving host names and for network commu-<br />
nication wich is usually based on TCP/IP.<br />
Host names can have a maximal length of 15 characters in Windows networks, the notification to other<br />
systems is performed via broadcasts.<br />
Samba maps NetBIOS functions by means of the system service nmbd, and thus permits a seamless<br />
integration in <strong>Univention</strong> Corporate Server.<br />
The NetBIOS name of a <strong>UCS</strong> system by default corresponds to the host name. In <strong>Univention</strong> Management<br />
Console, a different NetBIOS name can be assigned with the help of the <strong>Univention</strong> Configuration Registry<br />
variable samba/netbios/name. The variable samba/netbios/aliases can be used for arranging<br />
additional NetBIOS aliases for the system. Thus, in case of a migration, processor names used within the<br />
Windows domain can be assigned as NetBIOS names or NetBIOS aliases beforehand. After changes to<br />
the NetBIOS service, Samba has to be restarted.<br />
8.3 Building Samba domains with <strong>UCS</strong><br />
This chapter uses the example of building of a new Samba domain with <strong>UCS</strong> in an organisation with<br />
headquarters and two branches to illustrate this concept.<br />
A PDC is set up in the headquarters along with a BDC which helps the PDC in cases of high traffic and<br />
can replace it in the event of a collapse. So that the branches can also continue to function if there are<br />
network problems, they also receive a BDC each. These BDCs function solely as authentication servers<br />
and are not intended to replace the PDC in the event of a collapse.<br />
Windows-based clients can be integrated into the Samba domain as in a Windows NT domain. The Samba<br />
domain receives the first part of the DNS domain as its name (see also Chapter 8.4.6.1).<br />
189
8 Services for Windows<br />
A DC master with Samba automatically offers the PDC function. DC backup and DC slave servers with<br />
Samba can be used as BDCs; member servers with Samba as so-called member servers. The package<br />
univention-samba-slave-pdc is used to use systems apart from the DC master as the PDC (e.g., domain<br />
controller backup, domain controller slave and member server). In general it should be noted that only one<br />
PDC can be installed on a network as visible via Broadcast and WINS (see also Chapter 8.4.2).<br />
Building a Samba domain involves the following steps:<br />
1. As standard the PDC of a Samba domain is on the DC master. The DC master must thus be<br />
installed using the Samba package from the Services for Windows component. A PDC must be<br />
set up before join scripts of other Samba systems can be run.<br />
2. Windows clients are joining the domain<br />
3. Installation of BDC in headquarters as DC backup with Samba. The joining of the domain and<br />
replication of the LDAP directory from the DC master occur automatically.<br />
4. Installation of BDCs in the branches as DC slave with Samba. The joining of the domain and repli-<br />
cation of the LDAP directory from the DC master occur automatically again.<br />
5. Addition of further objects in the LDAP directory <strong>Univention</strong> Directory Manager.<br />
The domain joins of the Windows clients can also be effected at the end. It is only important the DC master<br />
is installed first of all. Changes to the LDAP directory can only be made on the DC master and are then<br />
automatically replicated on the Samba domain controllers.<br />
To increase security, the replication range of the Samba domain controllers in the branches can be limited.<br />
To do this, the LDAP ACLs are adapted so that only the branches of the LDAP directory which are actually<br />
needed in the branch are replicated in the branch and there is no access to the other areas.<br />
Notes on joining domains with Windows systems can be found in Chapter <strong>2.4</strong>.2.<br />
8.4 Extended Configuration<br />
8.4.1 Trust relationships<br />
Trust relationships between domains make it possible for users from one domain to log on to computers<br />
from another domain. If a Windows domain trusts a Samba domain, there is also the possibility to log<br />
on to the Samba domain alongside the Windows domain when logging on to computers belonging to the<br />
Windows domain. Users from the Samba domain signal this when logging on and are authenticated by a<br />
domain controller in the Samba domain.<br />
If a Samba domain trusts a Windows domain, users from the Windows domain enter the user name<br />
+ when logging on to a Linux computer belonging to the<br />
Samba domain. In this way the users can also log on on the Linux workstations of the <strong>UCS</strong> domain.<br />
The user’s home directory is created under /home/- on<br />
the PC or BDC on which the user was authenticated.<br />
A user smith from the WIN domain would thus enter e.g., WIN+smith to log-in. His home directory would<br />
have the path /home/WIN-smith in Linux.<br />
190
8.4 Extended Configuration<br />
When setting up and using the trust relationship the domain controllers of both domains must be able to<br />
reach each other over the network and identify each other using broadcasts or WINS.<br />
8.4.1.1 Windows domain trusts Samba domain<br />
1. In <strong>Univention</strong> Directory Manager ➞ Computer a Domain Trust Account must be created - with a<br />
name reflecting the NetBIOS name of the Windows domain - and a password issued for the account.<br />
The password quality requirements which may apply to Windows domains must be observed.<br />
2. A trust relationship must be created on the Windows PDC (see below). The NetBIOS name of the<br />
Samba domain is required for this.<br />
3. The trust relationship between the Windows domain and the Samba domain can be removed by<br />
deleting the trust relationship on the Windows PDC and the domain trust account in <strong>Univention</strong><br />
Directory Manager.<br />
Windows NT<br />
1. The user manager usrmgr.exe must be started on the Windows PDC and selected in the menu<br />
Policies ➞ Trust Relationships ➞ Trusted domains ➞ [Add].<br />
2. The NetBIOS name of the Samba domain must be entered in the input field Domain and the pass-<br />
word of the domain trust account entered in the input field Password. Clicking [OK] prompts the<br />
message The trust relationship with has been set up successfully.<br />
Windows 2000<br />
1. The menu for trust relationships can be found under Start ➞ Programs ➞ Administrative tools ➞<br />
User manager for domains on the Windows PDC. Right clicking on the personal domain opens the<br />
Properties dialogue.<br />
2. Following selection of Trust relationships ➞ Trusting domains ➞ [Add], the NetBIOS name of the<br />
Samba domain can be entered in the input field Trusting Domain and the password of the domain<br />
trust account can be entered in the input field Initial password. The password must be repeated.<br />
Clicking [OK] set up the trust relationship. If the procedure is successful, a confirmation message is<br />
displayed, which can be confirmed with [OK].<br />
Windows 2003<br />
Attention:<br />
The documentation was based on Windows Server 2003 Standard Edition.<br />
1. The menu for trust relationships on the Windows PDC can be reached via Start ➞ Administrative<br />
Tools ➞ Active Directory Domains and Trusts. Right clicking on the personal domain opens the<br />
Properties dialogue.<br />
2. When Trusts ➞ New Trust is selected, the New Trust Wizard is opened and must be confirmed<br />
with [Next].<br />
191
8 Services for Windows<br />
3. Once the NetBIOS name of the Samba domain has been entered, this must also be confirmed with<br />
[Next].<br />
4. One-way: outgoing must be selected as the direction for the trust relationship and confirmed with<br />
[Next].<br />
Three functions are available:<br />
A unidirectional trust relationship is a connection created between two domains for authentication in<br />
one direction. This means that in a unidirectional trust relationship between domain A and domain<br />
B, the users in domain A have access to the resources in domain B. The users in domain B do not,<br />
however, have accesses to the resources in domain A. If such a trust relationship is to be set up<br />
in domain A, the One-way: outgoing function should be selected. If domain B should receive this<br />
permission, One-way: incoming should be selected in domain A. In One-way relationships it is<br />
important to note whether the connection is to be transitive or not.<br />
The transitivity determines whether a trust relationship can be expanded on domains apart from the<br />
two domains in which it was created. A transitive trust relationship can be used to expand trust<br />
relationships on other domains whilst non-transitive ones do not allow this expansion.<br />
In a bidirectional trust relationship domain A trusts domain B and domain B trusts domain A. This<br />
means that the authentication requests are exchanged in both directions between the two domains.<br />
5. If users from the Samba domain should be made equal to users from Windows domains, Domain-<br />
wide authentication must be activated. If users from the Samba domain should only be endowed<br />
with certain permissions in the Windows domain, ucsMenuEntrySelective authentication is sufficient.<br />
The permissions can be configured in Windows once the trust relationship has been concluded.<br />
[Next] must then be clicked to move to the next dialogue.<br />
6. Once the domain trust account password has been given in the input fields Trust password and<br />
Confirm trust password, [Next] is used to pass to the next setting.<br />
7. Once the settings for the trust relationship have been checked, any necessary changes can be made.<br />
Clicking [Next] creates the trust relationship.<br />
8. This step simply shows the changes made. [Next] is used to pass to the next step.<br />
9. When it has been verified that a domain trust account has been created and a connection can be<br />
made to the PDC, Yes, confirm the outgoing trust. must be activated and [Next] selected.<br />
10. The change status The trust relationship was successfully created and confirmed. is now<br />
shown and this step confirmed with [Finish].<br />
8.4.1.2 Samba domain trusts Windows domain<br />
192<br />
1. The winbind package must be installed on the Samba PDC and the Winbind service winbindd<br />
must be running. Winbind assigns UNIX IDs to Windows users and groups<br />
<strong>Univention</strong> Management Console can be used to check whether the winbind package is installed<br />
on the server. If this is not the case, it must be installed (see Chapter 5.3.11).<br />
Once installed, the winbind service starts automatically. Depending on which services are<br />
to use winbind, the <strong>Univention</strong> Configuration Registryvariables auth/admin/methods and/or
8.4 Extended Configuration<br />
auth/user/methods must be expanded with winbind using <strong>Univention</strong> Management Console (see<br />
Chapter 5.3.5), e.g., to krb5 ldap unix winbind.<br />
If the winbindd process cannot be found in the process list in <strong>Univention</strong> Management Console, it<br />
must be started there (see Chapter 5.3.9).<br />
On a domaincontroller master/backup<br />
net idmap secret WINDOWSDOMAIN $(cat /etc/ldap.secret)<br />
needs to be called.<br />
On a domain controller slave or a member server<br />
net idmap secret WINDOWSDOMAIN $(cat /etc/machine.secret)<br />
needs to be executed instead.<br />
2. A trust relationship must be created on the Windows PDC (see Chapter 8.4.1.2). Any requirements<br />
for Windows applicable to the Windows domain must be taken into account when choosing the<br />
password for the trust relationship. The NetBIOS name of the Samba domain is required for this.<br />
3. The root user must run the following command on the Samba PDC:<br />
net rpc trustdom establish <br />
The winbind service must then be restarted over <strong>Univention</strong> Management Console.<br />
must be replaced with the NetBIOS name of the Windows domain. The com-<br />
mand requests the input of a password; the password used on the Windows PDC must be entered.<br />
The message Trust to domain established then appears.<br />
Attention:<br />
This command must be run on all Samba log-in servers (domain controller master, backup and<br />
slave).<br />
The command occasionally provokes unjustified error messages such as Could not connect to<br />
server . The following command can be used to check that the trust<br />
relationship has been added correctly:<br />
net rpc trustdom list<br />
The password of emphroot on the Samba PDC or BDC should be used. The command display<br />
should be similar to the following:<br />
Trusted domains list:<br />
S-1-5-21-1275210071-1060284298-839522115<br />
Trusting domains list:<br />
none<br />
The System log in Windows can offer help in problem containment when troubleshooting.<br />
4. The command<br />
net rpc trustdom revoke <br />
can be used to remove the trust relationship with the Windows domain. The trust relationship must<br />
also be removed from the Windows PDC.<br />
193
8 Services for Windows<br />
194<br />
5. Attention:<br />
The nscd service must be restarted following each of the following settings, e.g., over <strong>Univention</strong><br />
Management Console.<br />
Windows NT<br />
a) The user manager usrmgr.exe must be started on the Windows PDC and selected in the menu<br />
Policies ➞ Trust relationships ➞ Trusted domains ➞ Add.<br />
b) The NetBIOS name of the Samba domain must be entered in the input field Account for<br />
domain and a password of your choice entered in the input field Password. Once the password<br />
has been confirmed, the set-up can be completed by clicking on [OK].<br />
Windows 2000<br />
a) After selecting Start ➞ Programs ➞ Administrative tools ➞ User manager for domains on<br />
the Windows PDC, right clicking on the individual domain and selecting Properties ➞ Trust<br />
relationships ➞ Trusting domains ➞ [Add] opens the set-up dialogue. The NetBIOS name<br />
of the Samba domain must be entered in the input field Trusting domain and a password of<br />
your choice entered in the input field Password. Once the password has been repeated, this<br />
can be confirmed with [OK].<br />
b) If the message To verify the new trust, you must have permissions to administer trusts<br />
for the domain ’Name of Samba domain’. Do you want to verify the new trust? appears,<br />
it should be declined with [No].<br />
Windows 2003 Attention:<br />
The documentation was based on Windows Server 2003 Standard Edition.<br />
a) After selection of Start ➞ Administrative tools ➞ User manager for domains on the Win-<br />
dows PDC, right clicking on the individual domain opens the Properties dialogue.<br />
b) The Windows domain must be operated in mixed mode. This is displayed on the General tab<br />
by Domain mode: Windows 2000 mixed mode.<br />
c) Following selection of Trust relationships ➞ [New trust relationship] the assistant for new<br />
trust relationships opens, which can be continued with [Next].<br />
d) The NetBIOS name of the Samba domain must be entered in the input field Name; this must<br />
be confirmed with [Next].<br />
e) The connection should be configured as Intransitive to suppress access to the resources of<br />
domains with which the Windows domain already has entered into a trust relationship.<br />
f) One-way incoming must be selected as the direction for the trust relationship and confirmed<br />
with [Next].<br />
g) Following entry of a password into the input fields Trust password, [Next] must be clicked.<br />
h) Following verification of the settings for the trust relationship and performance of any necessary<br />
changes, the trust relationship can be established by clicking [Next].<br />
i) The changes shown must be confirmed [Next].
8.4.2 WINS<br />
8.4 Extended Configuration<br />
j) No, do not confirm the incoming trust should be selected and confirmed with [Next].<br />
k) The displayed change status of The trust relationship was successfully created and con-<br />
firmed. must be confirmed by clicking on [Fertig stellen].<br />
l) The trust relationship is displayed under Trusted domains (outgoing trust relationship)<br />
Windows operating systems use so-called NetBIOS names when operating in networks. Similar to DNS in<br />
TCP/IP networks, the Windows Internet Name Service (WINS) is used for resolving such NetBIOS names<br />
into IP addresses. In addition, WINS provides information on the services of the hosts.<br />
The WINS service can also be adopted by Samba. WINS data can also be replicated among several<br />
systems. Information on setting up WINS replication can be found in the <strong>Univention</strong> Support database at<br />
http://sdb.univention.de/1107<br />
If only one WINS server is being used and this server should collapse, the WINS server can be activated<br />
on another Samba server by inputting a few commands (see Chapter 8.4.2.1).<br />
WINS is activated by setting the <strong>Univention</strong> Configuration Registry variable windows/wins-support<br />
on the desired Samba server to yes. (Correspondingly, WINS is deactivated by emptying the variable or<br />
setting it to no).<br />
As standard, WINS support is activated on the PDC. If more than one Samba server is being used, other<br />
servers can be assigned the FQDN or the IP address or the WINS server via the <strong>Univention</strong> Configuration<br />
Registry variable windows/wins-server.<br />
The <strong>Univention</strong> Configuration Registry variables are used for setting the Samba parameters wins sup-<br />
port and wins server. On a Samba server where WINS is activated, there may be no WINS server<br />
entered in the Samba configuration. This is why the value of the <strong>Univention</strong> Configuration Registry vari-<br />
able windows/wins-server is only entered into the Samba configuration if windows/wins-support<br />
is not set to yes.<br />
If the value of windows/wins-support or windows/wins-server is changed, Samba has to be re-<br />
started via <strong>Univention</strong> Management Console in order to make the changes valid.<br />
The WINS server can be made known to the Windows clients via DHCP. To do this the WINS server must<br />
be entered in the [NetBIOS] tab for the corresponding DHCP object in <strong>Univention</strong> Directory Manager or<br />
connected with a container above the object using a DHCP-NetBIOS policy.<br />
When migrating a Windows domain where the Samba-WINS server is using the same IP address as the<br />
Windows-WINS server, there is no need to enter a new WINSServer on Windows clients which have no<br />
DHCP. A virtual network interface on the Samba-WINS server which has the IP address of the Windows-<br />
WINS server assigned, serves the same purpose.<br />
8.4.2.1 Replacing a collapsed WINS server<br />
The following steps must be taken to replace a collapsed WINS server.<br />
195
8 Services for Windows<br />
1. The <strong>Univention</strong> Configuration Registry variable windows/wins-support must be set to yes using<br />
<strong>Univention</strong> Management Console on the Samba server which should offer WINS from this point<br />
onwards<br />
2. The Samba service must be restarted<br />
3. Existing systems must be configured to the address of the new WINS server using, for<br />
example, a DNS alias record (see Chapter 4.5.9.2), a DHCP-NetBIOS policy (see Chap-<br />
ter 4.5.11.5) or for Samba servers by configuring the <strong>Univention</strong> Configuration Registry variable<br />
windows/wins-server.<br />
8.4.3 NETLOGON share<br />
The NETLOGON share serves the purpose of providing system policies and logon scripts in Windows<br />
domains. Under <strong>UCS</strong>, the directory /var/lib/samba/netlogon is set up as the Samba share NETL-<br />
OGON.<br />
The NETLOGON share must be available on all Samba domain controllers and contain the same contents.<br />
To provide this guarantee,changes are only made on the DC master (even when Samba is not installed on<br />
the DC master) and synchronised (as standard hourly) encrypted with the help of the programs rsync und<br />
ssh to all DC backup and DC slave systems on which Samba is installed The synchronisation intervals<br />
can be changed on the individual servers in the /etc/cron.d/univention-samba file.<br />
8.4.3.1 Logon Scripts<br />
Logon scripts are executed on Windows computers after successful login of a user. They permit a variety<br />
of changes to be made in the user’s environment before he can work within the system. The logon script<br />
can be found in the scripts directory of the Samba share NETLOGON. Chapter 8.4.5 explains how other<br />
login scripts on Samba level and on user level can be defined. Scripts have to be saved in a format which<br />
can be executed by Windows, such as bat and cmd.<br />
Under Windows, the<br />
net user / domain<br />
command is used for checking if a logon script is assigned to the user stated in username and if so, which<br />
script this is.<br />
The <strong>Univention</strong> Configuration Registry variable samba/logonscript can be used for defining a global<br />
logon script. If this variable is set on a Samba server, then all users logging into this Samba server have<br />
the specified logon script assigned.<br />
8.4.3.2 System policies<br />
Samba supports the use of so-called system policies which are created and edited under Windows by the<br />
tool poledit.exe. System policies allow a large number of presettings to be made concerning users and<br />
clients. For example: Users can be restricted to execute only a small number of predefined programs.<br />
196
8.4 Extended Configuration<br />
System policies have to be stored in a Windows or Samba domain in the NETLOGON share and have to<br />
be named ntconfig.pol.<br />
8.4.4 Creating objects in the LDAP directory using Samba<br />
If user or group accounts are created in a Samba domain or a Windows computer joins the domain, these<br />
data are entered in the LDAP directory via Samba.<br />
To do this, initially it is checked if an object with the same name already exists in the LDAP directory. These<br />
existing objects will be adapted to the new data.<br />
If the objects do not yet exist in the LDAP directory, the accounts are created in stan-<br />
dard containers. These standard container can be determined with the <strong>Univention</strong> Configura-<br />
tion Registry variables samba/defaultcontainer/user, samba/defaultcontainer/group and<br />
samba/defaultcontainer/computer. The full DN of the container in question must be used. For<br />
example, if the <strong>Univention</strong> Configuration Registry variable samba/defaultcontainer/group is config-<br />
ured to the cn=windows-groups,cn=groups,dc=firma,dc=com container using <strong>Univention</strong> Management<br />
Console, this becomes the standard container for group accounts. The variables can contain differing val-<br />
ues on different Samba servers. In this way, for example, computers at location 1 can be stored in a differ-<br />
ent container from computers at location 2. If these variable are not set, the containers cn=users,, cn=groups, and cn=computers, are used.<br />
When NT user accounts are imported, the standard containers are used of the server on which the migra-<br />
tion script is run. Existing objects are described in more detail in the migration documentation [15].<br />
8.4.5 Configuring Windows user accounts<br />
Settings which are to be valid for all the Windows user accounts, are made in the Samba configuration.<br />
This configuration consists of the file /etc/samba/smb.conf and the files integrated therein. Many<br />
parameters of the Samba configuration can be set via the <strong>Univention</strong> Configuration Registry variables.<br />
Where several servers are in use, the Samba configuration applicable for each user is that one which<br />
belongs to the server against which the user is authenticated. User-specific settings can be defined via<br />
the menu <strong>Univention</strong> Directory Manager ➞ Add/Find Users ➞ Windows<br />
UNIX directories which are to be used under Windows, have to be set up as Samba shares (see chapter<br />
4.5.5). In the following examples, is to be replaced with the NetBIOS name of the server<br />
on which the directory is located (siehe Kapitel 8.4.6).<br />
8.4.5.1 Windows home directory<br />
Samba automatically provides the user’s Linux home directory as a drive letter under Windows.<br />
The Samba configuration contains the parameter logon home, which by default is resolved to<br />
\\\, for example \\ucs-samba-server\meier. Accordingly,<br />
the directory will show up under Windows on the home drive (see chapter 8.4.5.2) as a directory named<br />
after the username.<br />
197
8 Services for Windows<br />
A different server can be arranged in the Samba configuration via the <strong>Univention</strong> Configuration Reg-<br />
istry variable samba/homedirserver, and a different directory for logon home via samba/homedirpath.<br />
These values will then be valid for all the users.<br />
If these variables as well as samba/homedirletter are set to local, then no directory will be automati-<br />
cally provided under Windows, and the settings specified in <strong>Univention</strong> Directory Manager, if available, are<br />
used.<br />
In <strong>Univention</strong> Directory Manager, a user-specific server and directory can be defined in the entry field<br />
Windows Home Path. If a different server than that which is predefined in the Samba configuration, is to<br />
be applied for the user, then this server as well as the username for the home directory is to be entered in<br />
the corresponding entry field., e. g.: \\ucs-file-server\meier.<br />
If instead of the user’s UNIX home directory, a different UNIX directory is to be displayed as the home<br />
directory on the Windows drive, then this server as well as the home directory is to be entered in the<br />
Windows Home Path entry field.<br />
8.4.5.2 Drive for the home directory<br />
The parameter logon drive within the Samba configuration defines on which Windows drive the users’<br />
UNIX home directories are to show up by default. Under <strong>UCS</strong>, this drive is by default I:.<br />
Should this drive letter be assigned otherwise, or if a different drive letter is to be used for<br />
other reasons, then this value can be changed via the <strong>Univention</strong> Configuration Registry variable<br />
samba/homedirletter in the Samba configuration.<br />
If this variable as well as samba/homedirserver and samba/homedirpath are set to local, then no<br />
drive will be mounted, and the settings from <strong>Univention</strong> Directory Manager, if available, will be used.<br />
If only a certain number of the users are to have their home directories show up on a different Windows<br />
drive, then the respective drive letter and colon is to be entered in the entry field Windows Home Drive in<br />
<strong>Univention</strong> Directory Manager.<br />
8.4.5.3 Logon Script<br />
If a user logs into Windows, a so-called logon script can automatically be started. The default logon script<br />
can be found in the scripts directory in der Samba share NETLOGON which in <strong>UCS</strong> provides the directory<br />
/var/lib/samba/netlogon (see chapters 8.4.3 and 8.4.3.1).<br />
A different, user-specific login script relative to the NETLOGON share, meaning relative to<br />
/var/lib/samba/netlogon, can be arranged in the entry field Logon script of <strong>Univention</strong> Directory<br />
Manager. If for example, /var/lib/samba/netlogon/scripts/meier.bat is to be applicable to the<br />
use meier, then scripts\meier.bat is to be entered. This corresponds to the Samba configuration<br />
parameter login script.<br />
198
8.4.5.4 Profile directory<br />
8.4 Extended Configuration<br />
The user profile for the Windows user interface is stored in the profile directory. In the Samba<br />
configuration there is the parameter logon path, which under <strong>UCS</strong> is by default resolved to<br />
\\\\windows-profiles\.<br />
This directory is also used for storing the files which the user saves under Windows in the My documents<br />
folder. Initially, these files are stored locally on the Windows computer; they are only stored on the drive of<br />
the Samba server after the user has logged out of Windows.<br />
The <strong>Univention</strong> Configuration Registry variable samba/profileserver can be used for specifying a<br />
different server, the variable samba/profilepath for defining a different directory for logon path.<br />
A different path or server for the user’s profile directory can be configured in the Windows Profile Path<br />
entry field of <strong>Univention</strong> Directory Manager Example: \\ucs-file-server\meier\profiles\winXP.<br />
If the path is changed at a later date, then a new profile directory will be created. The data in the old profile<br />
directory will be kept. These data can be manually copied or moved to the new profile directory. Finally,<br />
the old profile directory can be deleted.<br />
Profiles stored on the server can be deactivated by setting the <strong>Univention</strong> Configuration Registry variables<br />
samba/profilepath and samba/profileserver to local. The Samba service has to be restarted<br />
after this procedure.<br />
If further BDCs should be used alongside the PDC, this setting must also be performed on other systems.<br />
8.4.5.5 Relative ID<br />
All users, groups and processors within a Windows domain have a security ID (SID) consisting of two<br />
parts. The first part is identical for all users and groups of the domain, and different from those of other<br />
domains. The second part is used for distinguishing the users and groups within the domain. This part<br />
is called relative ID (RID). Thus the overall SID is unique for each object. The RIDs from 0 to 999 are<br />
reserved for standard groups and similar special objects.<br />
8.4.5.6 Password characteristics for Windows clients<br />
In <strong>Univention</strong> Directory Manager, specifications for user passwords can be defined regarding minimum<br />
length, password quality and password history, via the policy Password. These presettings have an<br />
indirect influence on passwords changed under Windows.<br />
The background: Samba accepts password changes made by Windows clients, and passes them on to<br />
the <strong>Univention</strong> Directory Manager. In <strong>Univention</strong> Directory Manager the policy Password is analysed;<br />
if the policy is violated, say by a password consisting of too few characters, then the password change<br />
is rejected. Samba returns to the Windows client the message: You are not authorised to change the<br />
password.<br />
To make it possible for Samba to return meaningful error messages to the client, some settings regarding<br />
password properties can be made in the Samba configuration.<br />
199
8 Services for Windows<br />
To do this, the Samba domain object must be edited in <strong>Univention</strong> Directory Manager.<br />
In <strong>Univention</strong> Directory Manager the ucsMenuEntrysamba container can be opened via Navigation. This<br />
contains the entry Settings: Samba domain, which can be edited.<br />
The same value should be used as Password length as is used in the Password policy (the preset value<br />
of the policy 8). The same value should be used for Passwort history as is used in the Password policy<br />
(the preset value is 3). These settings can be saved by clicking [Ok]. To facilitate later troubleshooting, the<br />
settings in the Password policy and Samba settings object should be identical.<br />
The next time passwords are changed on Windows computers an appropriate error message will be given<br />
if this setting is violated.<br />
Attention:<br />
The settings of the Samba Domain object only apply to Windows clients. Settings which can be also<br />
be configured in the same way in <strong>Univention</strong> Directory Manager should be kept synchronised wherever<br />
possible.<br />
Further Samba domain password features for Windows clients can be configured via the Samba domain<br />
object.<br />
Parameter Description<br />
Minimum password age This is the minimum interval which must elapse before a pass-<br />
word can be changed again. If no value is set, the password<br />
can be changed again immediately.<br />
Maximum password age The maximum age of a password before it must be changed.<br />
Failed log-in attempts before<br />
blocking<br />
If no value is configured, the password will remain valid indefi-<br />
nitely. It is advisable to keep the password expiry intervals for<br />
the <strong>UCS</strong> and Samba domains the same.<br />
The number of possible failed log-in attempts before an account<br />
is blocked.<br />
Duration of blocking Duration of blocking when log-in fails too many times.<br />
Reset failed log-in attempts The number of successful log-ins which are required to reset<br />
Password change requires log-<br />
in<br />
the saved number of failed attempts.<br />
When the option is selected, passwords can only be changed<br />
when the user is logged in successfully.<br />
Disconnect after Configures the maximum length of a logged-in session.<br />
Reject change to computer<br />
password<br />
8.4.6 Configuring Samba servers<br />
8.4.6.1 Samba domain name<br />
This option declines all requests to change a computer pass-<br />
word.<br />
As standard a Samba domain in <strong>UCS</strong> receives the first part of the DNS domain name as its name. Thus<br />
if the DNS domain name is firma.com, the Samba domain is called firma.<br />
200
8.4 Extended Configuration<br />
This name is stored in the LDAP directory when the DC master is installed, irrespective of whether the<br />
Services für Windows component is saved on the DC master or not.<br />
When the univention-samba package is installed, the <strong>Univention</strong> Configuration Registry variable<br />
windows/domain is also set to this name, in so far as it doesn’t already exist.<br />
In environments in which the Samba domain, for example, should have different names at different loca-<br />
tions, the <strong>Univention</strong> Configuration Registry variable windows/domain can be set to the desired name<br />
on the respective local Samba servers. These names must be entered under Navigation ➞ samba in<br />
<strong>Univention</strong> Directory Manager as Settings: Samba Domain LDAP objects. When doing this, it must be<br />
noted that the objects are connected with the same Samba SID despite having different Samba domain<br />
names in order to compose one single Samba doman despite the different names.<br />
8.4.6.2 LDAP replication sleep<br />
The <strong>Univention</strong> Configuration Registry variable samba/ldap/replication/sleep is used to adapt<br />
the ldap replication sleep parameter in the Samba configuration. The parameter sets the time interval<br />
foreseen in Samba for the replication of changes in the LDAP directory (in milliseconds). The preset value<br />
is 1000 milliseconds (i.e., a second). In environments in which the replication causes delays, e.g., due to a<br />
slow network connection, it is advisable to set the value higher. The maximum value is 5000 milliseconds.<br />
8.4.6.3 Windows permissions<br />
Samba gives administrators the possibility of transferring permissions to other users and thus distributing<br />
the administrative workload particularly in larger environments.<br />
Users who are to receive administrator permissions can be entered in the <strong>Univention</strong> Configuration Reg-<br />
istry variable samba/adminusers. These users are assigned to the Adminusers Samba group in which<br />
only the Administrator user is entered as standard.<br />
To keep the number of Adminusers low, it is advisable to grant users individual privileges rather than full<br />
administrator permissions.<br />
That means that the administrator can grant a user a particular privilege which otherwise only the admin-<br />
istrator would have. To transfer these privileges to other users, they must firstly be activated in Samba,<br />
where the <strong>Univention</strong> Configuration Registry variable samba/enable-privileges is set to yes.<br />
The following command can be used to list the available privileges:<br />
net rpc rights list -U Administrator<br />
Here is the output with explanations:<br />
Privilege Description<br />
SeMachineAccountPrivilege Allows joining of computers in the domain<br />
SePrintOperatorPrivilege Allows printer management<br />
SeAddUsersPrivilege Allows adding of domain users and domain groups<br />
SeRemoteShutdownPrivilege Allows restart of another computer<br />
201
8 Services for Windows<br />
SeDiskOperatorPrivilege Allows management of directory shares<br />
SeBackupPrivilege Allows data backup of files and directories<br />
SeRestorePrivilege Allows restoration of files and directories<br />
SeTakeOwnershipPrivilege Allows ownership to be taken of files and directories and thus<br />
the changing of permissions<br />
The following command assigns a privilege to specified users:<br />
net rpc rights grant -U Administrator <br />
For example:<br />
net rpc rights grant -U Administrator USER1 SeMachineAccountPrivilege<br />
The following output appears once the root password has been entered.<br />
Successfully granted rights.<br />
USER1 now has the privilege to add new computers to the domain.<br />
The following command can be used to revoke this privilege:<br />
net rpc rights revoke -U Administrator <br />
The following output should appear when the administrator password is entered a second time:<br />
Successfully revoked rights.<br />
The following command can be used to list which privileges are assigned to a user:<br />
net rpc rights list -U Administrator <br />
8.4.6.4 Samba character sets<br />
For different systems to be able to communicate with each other, they need to use the same character<br />
sets (e.g., the German umlauts and the ß are not used in all character sets). The <strong>Univention</strong> Configuration<br />
Registry variables samba/charset/unix, samba/charset/dos and samba/charset/display can<br />
be used to configure character sets.<br />
As standard the named <strong>Univention</strong> Configuration Registry variables are empty and Samba uses the preset<br />
of the operating system, e.g., UFT-8 as the character set.<br />
8.4.6.5 Support for permissions from extended attributes<br />
The Samba configuration in <strong>Univention</strong> Corporate Server allows the saving of DOS file attributes<br />
(ARCHIVE, HIDDEN, SYSTEM, READ-ONLY) in advanced attributes of the Unix file system. The DOS<br />
attributes are saved there in user.DOSATTRIB attributes.<br />
To use extended attributes, the partition must be mounted using the mount option user_xattr.<br />
Support for the advanced attributes is activated as standard in the <strong>UCS</strong> kernels for ext2, ext3 and XFS.<br />
202
9 Desktop systems<br />
Contents<br />
9.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203<br />
9.2 Desktop system roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204<br />
9.2.1 Thin clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204<br />
9.2.2 Managed clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204<br />
9.2.3 Mobile clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205<br />
9.3 Managing desktop systems with <strong>Univention</strong> Directory Manager . . . . . . . . . . . . . . . . 205<br />
9.3.1 Graphical user interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205<br />
9.3.2 Connection to server systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205<br />
9.3.3 Autostart scripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206<br />
9.3.4 NX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207<br />
9.4 VNC desktop sharing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207<br />
9.4.1 Configuring VNC access for thin clients . . . . . . . . . . . . . . . . . . . . . . . . . 208<br />
9.4.2 Configuring VNC access for managed/mobile clients . . . . . . . . . . . . . . . . . . 208<br />
9.5 Thin client environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208<br />
9.5.1 Support for booting from Compact Flash cards or USB sticks . . . . . . . . . . . . . 210<br />
9.5.2 Thin client components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211<br />
9.6 Home directories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215<br />
9.6.1 Creation of new home directories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215<br />
9.6.2 Modifying the default content of home directories . . . . . . . . . . . . . . . . . . . . 215<br />
9.6.3 Setting environment variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216<br />
9.7 Global home directories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216<br />
9.1 Introduction<br />
9.7.1 Creating and modifying global home directories . . . . . . . . . . . . . . . . . . . . . 217<br />
<strong>Univention</strong> Corporate Desktop (UCD) allows the flexible application of centrally managed Linux clients for<br />
desktop workstations and is specially coordinated for use with <strong>Univention</strong> server systems.<br />
<strong>Univention</strong> Corporate Server offers three different types of desktop systems: the managed client for<br />
stationary desktop systems; the mobile client for mobile clients such as notebook and the thin client for<br />
diskless workstations.<br />
A KDE-based user interface and applications configured specially for use in the business landscape (e.g.,<br />
OpenOffice.org) allow efficient work in a modern environment.<br />
As of <strong>UCS</strong> 2.3 the GNOME desktop environment is also available. Instructions for setting up GNOME are<br />
available in the <strong>Univention</strong> Support database: http://sdb.univention.de/1094<br />
This chapter describes the configuration and administration of desktop systems, adaptations to the desktop<br />
and the use of policies in the efficient configuration of larger environments.<br />
203
9 Desktop systems<br />
9.2 Desktop system roles<br />
<strong>UCS</strong> contains three different desktop system roles which can be administrated in <strong>Univention</strong> Directory<br />
Manager and were each optimally conceived with a specific field of application in mind.<br />
The desktop environment can also be installed on any server system role.<br />
9.2.1 Thin clients<br />
Thin clients are systems which do not include a hard drive. These systems boot over the network from a<br />
DC Master, DC Backup or DC Slave server, which acts like a boot server and allows registration on a <strong>UCS</strong><br />
or Windows terminal server.<br />
When a user logs on to a thin client, the user’s request is forwarded to the authentication server. If<br />
authentication on the server is successful, a check is performed for whether the home directory is available<br />
locally or must be called up and mounted from another server. Users can be logged on to several clients<br />
at the same time, but some applications, e.g. Kontact, can only be used in one user session at a time.<br />
Having several, simultaneous sessions running can lead to unstable processes. This means that although<br />
working on two workstations is possible, it is not recommended.<br />
Thin clients offer no locally installed files, as all software is installed on a server system (the so-called client<br />
base system). This central administration means that the necessary maintenance work for the installed<br />
software is considerably reduced. Thin clients cannot be operated when they are not linked up to the<br />
server systems. From the thin client, the user has access to all resources of the domain as long as any<br />
relevant permissions have been granted. In addition, thin clients can use local printers connected via USB<br />
or parallel ports.<br />
9.2.2 Managed clients<br />
<strong>UCS</strong> systems are classified as managed clients when they have a local <strong>UCS</strong> installation and access to the<br />
services on the server system. Managed clients can be administrated in <strong>Univention</strong> Directory Manager<br />
and usually employ central repository servers for package maintenance. Authentication is performed via<br />
an LDAP server or using locally cached log-in information.<br />
Managed clients have a locally installed operating system, which allows them to boot without the need for<br />
a network connection. The users’ home directories are saved locally and only available for one client. It<br />
is also possible to save the home directories on a central server; this is described in 9.7. In this case, a<br />
network connection to this server is necessary for the log-in.<br />
The log-in and user information and group memberships of the last three users to log on are cached in<br />
the managed client - the number of log-ins cached can be configured in <strong>Univention</strong> Configuration Registry<br />
variable auth/passwdcache/max_user - so that these users can be authenticated without the need for<br />
a network connection. If the password for this user is changed in the <strong>Univention</strong> Directory Manager whilst<br />
the client is not connected to the domain controller via the network, the user will still need to log-in using<br />
his old password. The password change will be adopted with the next connection to the network.<br />
204
9.2.3 Mobile clients<br />
9.3 Managing desktop systems with <strong>Univention</strong> Directory Manager<br />
Mobile clients have the same central features as managed clients, e.g., local operating system and access<br />
to services on the server systems. The mobile client system role is intended for easier identification of<br />
mobile computers, such as laptops, which are not constantly connected to the domain and on which other<br />
software is sometimes installed.<br />
9.3 Managing desktop systems with <strong>Univention</strong> Directory Manager<br />
<strong>Univention</strong> Directory Manager offers a number of different possibilities for managing <strong>UCS</strong> desktop system,<br />
which simply the administration of computer environments.<br />
9.3.1 Graphical user interface<br />
<strong>UCS</strong> desktop systems offer a graphical user interface. The X server is used to present this interface. This<br />
is a program which accepts the output instructions of other programs (e.g., “draw the program interface<br />
and output the letter A”) and controls the computer hardware accordingly in order to display the graphics<br />
on the screen. The X server also accepts user inputs via the keyboard and mouse and forwards them on<br />
to the various user programs.<br />
In order for the X server to be able to process all information optimally, it must be configured to the<br />
hardware of the respective computer system (graphics card, keyboard, mouse, monitor). When the <strong>UCS</strong><br />
desktop system is started, the existing hardware is checked automatically and the configuration adapted<br />
accordingly.<br />
It can often be preferable to adapt the automatic X server configuration to suit your personal needs, for ex-<br />
ample: to select a certain screen resolution or a particular keyboard layout. Under certain circumstances,<br />
e.g., very new hardware, the automatic hardware recognition may not function completely as desired.<br />
The X server configuration can be adapted in the <strong>Univention</strong> Directory Manager under Computers ➞<br />
[Display settings]. It is also possible to use policies to configure the same settings for complete subtrees<br />
in the LDAP directory. Further information on the possible settings for the [Display settings] tab can be<br />
found in the Chapter 4.5.11.5.<br />
Settings specified here will be read out by the <strong>UCS</strong> desktop system during system start and adopted in<br />
the X server configuration. Prerequisite therefor is that the directory service can be accessed at this time.<br />
9.3.2 Connection to server systems<br />
Client systems are often mounted in environments with numerous servers systems which can be used<br />
for various tasks. Services are often distributed over different servers so that any operative loss resulting<br />
from hardware breakdown is kept as low as possible. The client must thus be aware of which server offers<br />
which services.<br />
The most important service, which is used by all <strong>UCS</strong> desktop systems, is the LDAP server service, which<br />
is executed on domain controller master, backup and slave systems. During start-up, managed and mobile<br />
205
9 Desktop systems<br />
clients use the LDAP server service on the DC Master as standard. Thin clients search via DNS service<br />
records for _ldap._tcp. during start-up and - as long as they are available - attempt to select<br />
an accessible server in the local subnet.<br />
If you wish to specify further LDAP servers, these can be entered in the respective computer object on<br />
the [LDAP servers] tab. This can also be done for several computers using policies. This guarantees<br />
that if one LDAP server should not be accessible, attempts will be made to revert to further LDAP servers<br />
for user log-ins and other functions. In addition, entering more LDAP servers can help avoid long waiting<br />
times when many users attempt to log-on simultaneously.<br />
For thin clients, the authentication, file, Linux terminal and Windows terminal servers used can also be con-<br />
figured. These can be entered in the <strong>Univention</strong> Directory Manager under Computers ➞ ➞ [Thin client configuration]. The authentication server is thus responsible for the Kerberos-based<br />
user authentication; the file server defines on which server the user’s home directory will be mounted.<br />
Attention:<br />
The home directory stated here is used during user log-in to the log-in manager gdm to save the settings<br />
of the last used session amongst other things. The use of another can be configured for the user for the<br />
provision of the home directory that will be mounted after successful log-in. Further information on this<br />
topic can be found in 9.7.<br />
Alongside <strong>UCS</strong> terminal servers, thin clients can also access Windows terminal servers. The terminal<br />
servers that can be used can be entered in the [Thin client configuration] tab. It must be noted for all<br />
entries that the computer names are stated as fully qualified domain names (FQDN).<br />
9.3.3 Autostart scripts<br />
For certain applications, it may be desirable that a <strong>UCS</strong> desktop system does not require a log-in. This can<br />
be the case in publically located "surf terminals" or on workstations where one or more users only require<br />
very few applications and no user-specific data need to be saved. This can be implemented via autostart<br />
scripts. In this case, a preconfigured user (usually autostart, who only has limited permissions) is logged<br />
on automatically and one or more preconfigured applications are started.<br />
A further application case is represented by remote desktop applications like NX, Citrix and rdesktop.<br />
These automatically create a connection to the relevant server system, where the actual user log-in occurs.<br />
If an autostart script is already configured for a computer, there is no possibility to log-in to the log-in<br />
manager GDM or select a session. The automatically logged-on user autostart is not a domain user.<br />
The required autostart script must be entered in the [Autostart] tab in the <strong>Univention</strong> Directory Manager<br />
on the computer object.<br />
The scripts must be saved under<br />
/var/lib/univention-client-root/etc/gdm/Autostart<br />
on the <strong>UCS</strong> terminal server. When used on <strong>UCS</strong> managed or mobile clients, they should be saved in<br />
/etc/gdm/Autostart.<br />
The sample scripts can already be found there.<br />
206
9.3.4 NX<br />
9.4 VNC desktop sharing<br />
Like VNC, the Windows remote desktop support or Citrix, NX offers the possibility to access the graphic<br />
interface of a distant system. It offers the possibility to interrupt running sessions temporarily and then<br />
reinstate them at a later point in time, whereby users logging on to an existing session will find their<br />
working environment in the same state as it was left with all the previously opened programs running.<br />
The server components of NX can be installed on all <strong>UCS</strong> server systems on which the necessary libraries<br />
for graphic interfaces are also installed. The NX client can be executed on all UCs desktop systems, either<br />
as an autostart script or manually following user log-in.<br />
The current NX packages for an NX server can be found in the online repository. The system acting as a<br />
login host must be able to install the NX server package. The clients must be equipped with the NX client,<br />
which can be downloaded from the website of the manufacturer, NoMachine.<br />
The following packages must be installed on the clients for the NX client to run:<br />
libxcomp1, libxcompext1, nxlibs, libstdc++2.10-glibc2.2, nxclient<br />
Apart from the nxclient package, which must be downloaded separately, all packages are contained in<br />
the online repository. The packages should be stored in the repository server used.<br />
If the NX client is used on a managed or mobile client, the packages can either be installed manually or<br />
via software distribution. If the NX client is started by an autostart script on a thin client, the necessary<br />
packages must be installed in the client base system on the terminal server.<br />
For this, use chroot when on the terminal server to change to the client base system. The necessary<br />
packages can then be installed with univention-thin-client-apt.<br />
Following installation the NX client can be used for the autostart script. A sample script for NX can be found<br />
under /var/lib/univention-client-root/etc/gdm/Autostart/nx. If the file name of the script<br />
is entered in [Autostart] ➞ Autostart session in the <strong>Univention</strong> Directory Manager, NX client is started<br />
when the thin client starts up and the user will be connected to the session stated in the script.<br />
9.4 VNC desktop sharing<br />
VNC offers users the possibility to connect to another user’s screen. For example, if problems occur for<br />
users, administrators have the possibility of viewing the situation and are then in a better position to help<br />
without having to be at the same client as the user. In addition, there is also the possibility of transferring<br />
control of the mouse and keyboard over the VNC connection for a limited period of time, so that problems<br />
can be investigated and solved personally. Before the VNC connection is effected, the user whose interface<br />
will be shared over VNC must confirm. This request cannot be avoided. Once the user has agreed, VNC<br />
transmits the data of the local X server to the display of the remote observer and forwards all mouse and<br />
keyboard activity.<br />
The access to the client is executed with a VNC remote assistance program. For example, krdc can be<br />
used in Linux or Ultra VNC in Microsoft Windows.<br />
207
9 Desktop systems<br />
9.4.1 Configuring VNC access for thin clients<br />
The package univention-thin-client-vnc needs to be installed on the terminal server for VNC access to<br />
thin clients.<br />
For thin clients the connection is controlled by a policy in <strong>Univention</strong> Directory Manager. To do so, the<br />
Enable VNC export option must be activated in the Display settings policy. If the tick is placed in<br />
Viewonly VNC export, the remote user cannot perform any user inputs.<br />
When the connection is formed, a single-use password is generated which the user who is sharing his<br />
connection must then pass on.<br />
9.4.2 Configuring VNC access for managed/mobile clients<br />
To set up VNC access on a managed or mobile client, this needs to be configured in KDE.<br />
To do so, the Allow uninvited connections option must be activated in the KDE Control Center under<br />
Internet & Network ➞ Desktop Sharing<br />
The option Confirm uninvited connections before accepting (activated by default) ensures that the user<br />
is informed of the incoming connection request and asked to verify the remote access.<br />
It is also possible to set a Password.<br />
The <strong>Univention</strong> Directory Manager policy referred to in Chapter 9.4.1 is not evaluated for VNC access to<br />
managed/mobile clients.<br />
9.5 Thin client environment<br />
The thin client environment is a self-contained software installation in a subdirectory on each terminal<br />
server. A booting thin client mounts this subdirectory as its root directory via NFS and starts thus in the<br />
configured work environment.<br />
The requirements concerning available programs and services differ depending on the environment and<br />
the application scenarios. The system is constructed in a modular fashion to allow the possibility to adapt<br />
the thin client environment flexibly.<br />
The following describes the main components of the modular base system and how new components can<br />
be installed. An overview of the general mechanisms for configuring the thin client environment is also<br />
given.<br />
Overview<br />
The central univention-thin-client-basesystem package of the thin client environment provides a base<br />
system. This allows the booting of thin clients and log-in on the console.<br />
The univention-thin-client-x-base package must be installed to make a graphic interface available. This<br />
displays a graphic log-in mask on the thin client from which different X sessions can be started. The fonts<br />
208
9.5 Thin client environment<br />
are not installed automatically. These can be found in the additional package univention-thin-client-<br />
x-fonts. If this package is not installed, they can alternatively be fetched from a font server. Further<br />
information can be found in Section 9.5.2.7.<br />
Support for local printers attached to the thin client is provided by a separate package (univention-thin-<br />
client-cups). The same applies for the use of local USB devices on the thin client (univention-thin-client-<br />
ltsp) and audio output (univention-thin-client-sound).<br />
These packages replace all functions of the monolithic thin client base system from earlier <strong>UCS</strong> versions.<br />
All these packages are installed as replacements when <strong>UCS</strong> installations are updated.<br />
Installation<br />
All components of the thin client base system are installed via the standard package management tool<br />
(see Chapter 11). The components contain meta packages which install the necessary expansions for the<br />
respective components in the subdirectory in the thin client environment.<br />
The thin client base package includes the command univention-thin-client-apt for this mecha-<br />
nism, which makes it possible to install packages (including dependencies) in the subdirectory of the thin<br />
client environment. The tool supports all parameters from apt-get and a few additional, optional, parame-<br />
ters of its own. When they are given these must be listed before the apt-get options. ’--’ should be entered<br />
as a separating sign before the apt-get options. The following parameters are available:<br />
--help, -h: Displays a short help for using the command.<br />
--prefix, -p: Defines the directory in which the packages should be installed. The predefined value is the<br />
directory for the thin client environment.<br />
--arch, -a: Specifies the architecture to be used for the packages. The predefined value here is i386, i.e.,<br />
the thin client environment is also uses i386 packages on amd64 systems.<br />
--debug, -d: Sets the log level. Possible values are in the region from 0 (no output) to 4 (detailed informa-<br />
tion)<br />
With univenton-thin-client-apt further packages can be installed in the thin client environment which are<br />
not included in the existing components. For example, the following command can be executed to install<br />
the Emacs editor in the thin client environment.<br />
univention-thin-client-apt install emacs21<br />
For example, the following command can be executed to simulate the installation of the emacs21 package<br />
in a thin client environment below /var/lib/thin-client2.<br />
univention-thin-client-apt -s -- -p /var/lib/thin-client2 -d 4 install emacs21<br />
In this the APT configuration of the sources and the cache directory of the terminal server are used. Nec-<br />
essary dependencies are resolved directly and installed in the thin client environment. A i386 repository is<br />
necessary for this on amd64 systems.<br />
Configuration<br />
The configuration of services on <strong>UCS</strong> systems is normally performed using <strong>Univention</strong> Configuration Reg-<br />
istry. On thin client systems this is possible using <strong>Univention</strong> Configuration Registry policies (see Section<br />
14). These can be created in <strong>Univention</strong> Directory Manager and linked with the thin client objects.<br />
209
9 Desktop systems<br />
In addition to the <strong>Univention</strong> Configuration Registry variables which refer directly to the function of individ-<br />
ual components, there are also certain variable which influence the general behaviour of the thin client:<br />
thinclient/mount/homedir: The home directory of the logged-on user is mounted per NFS during set-up.<br />
This can be suppressed with this variable by setting the value to no.<br />
gdm/sessions/disabled: This variable can be used to remove individual sessions from the GDM selec-<br />
tion. To do this the sessions script should be given under /etc/gdm/Sessions/ . Where more than<br />
one session script is used, they should be separated with a colon.<br />
kernel/modules: If hardware components are not automatically identified, this variable can be used to<br />
define a list of kernel modules, which are then loaded specifically. The semicolon is used as a<br />
separating sign when specifying several modules.<br />
There is also the possibility of deactivating certain services included in the components if they are not<br />
required. For this, a <strong>Univention</strong> Configuration Registry variable must be set to no:<br />
sshd/autostart: Deactivates the SSH service on the thin client.<br />
portmap/autostart: If the thin client boots over a flash card, the portmapper service is not required. This<br />
variable can be used to deactivate the service.<br />
cups/autostart: To suppress the use of printers on thin clients, this variable can be used to deactivate<br />
the CUPS service itself when the corresponding component is installed.<br />
9.5.1 Support for booting from Compact Flash cards or USB sticks<br />
In the standard configuration a thin client boots over the network and mounts its root directory on the<br />
terminal server with NFS. As an alternative, many thin client models also now have an internal flash card,<br />
which can be used to boot a minimal system. This technology is supported by the thin client component<br />
univention-thin-client-flash.<br />
As an alternative to a local system start from Compact Flash, many thin clients offer the possibility of<br />
booting from USB mass storage - usually a USB stick. The update process is performed in the same way<br />
as Compact Flash memory is updated, but the USB device to be recorded on must be configured with<br />
the <strong>Univention</strong> Configuration Registry variable thinclient/flash/update/disk. The information is<br />
entered in the internal notation of the Linux kernel, e.g., /dev/sda1.<br />
To allow a thin client to boot from an internal flash card, an image must first be installed which contains<br />
the minimal operating system. This is created from the thin client environment on a terminal server. In this<br />
way, a thin client which boots over a flash card has the same functions as the thin clients which boot from<br />
the terminal server on which the image was created.<br />
The univention-thin-client-flash tool is available for creating the flash image. In the standard configura-<br />
tion an image is created from the thin client environment available on the terminal server. Alternatively,<br />
parameters can be used to signal another directory from which the image should be created.<br />
When booting, a thin client checks whether there is a flash image available. If an image is available on the<br />
server, a check is performed as to whether it is more up-to-date than the local one (when there is one). If<br />
the server contains a more up-to-date one, it is downloaded and installed. The next time it is booted the<br />
thin client can boot the new system from the flash card.<br />
210
9.5 Thin client environment<br />
If thin clients with different abilities and configuration are to be included in one environment, there is the<br />
possibility of creating more than one image. As standard, the flash image created is called root.img. The<br />
name can be entered when creating the image. A personal version number is maintained for each image,<br />
so that changes to an image do not affect thin clients with other images.<br />
The update procedure is carried out for all supported booting methods (PXE, from Compact Flash and from<br />
USB sticks). The exact procedure can be influenced using <strong>Univention</strong> Configuration Registry variables:<br />
thinclient/flash/update: If this variable is set to no the thin client does not perform a flash update, even<br />
when a newer image is available on the server.<br />
thinclient/flash/update/url: Defines the URL under which the flash images can be found. The<br />
name of the image file does not need to be entered here. If the variable is not set,<br />
a search will be performed for the image under the following URL on the terminal server:<br />
http:///univention-thin-client-flash/<br />
thinclient/flash/update/image: Defines the name of the image file relative to the configured URL.<br />
9.5.2 Thin client components<br />
Apart from the basic components, which were also already available in earlier <strong>UCS</strong> versions for the thin<br />
client environment, new abilities have also developed, which can be installed optionally in the environment.<br />
The following section describes the functions and configuration of these components.<br />
9.5.2.1 Local USB storage devices<br />
The possibility of mounting local devices on thin clients was already possible in earlier <strong>UCS</strong> versions but<br />
has been thoroughly overhauled for <strong>UCS</strong> 2.1.<br />
Support for local devices is included in the univention-thin-client-ltsp package. Following installation, a<br />
service is started on the terminal server, which makes the USB units on the thin client available for the<br />
terminal server or applications.<br />
Access to the local units on the thin client occurs over an icon, which is created on the user’s desktop for<br />
each device. When a unit is removed, the icon is automatically deleted from the desktop.<br />
9.5.2.2 Secured connections with IPSec<br />
To use thin clients as a home office, it is advisable to encrypt the communication with the server. This<br />
possibility is offered by the component for IPSec support. Together with the component for flash cards a<br />
thin client can boot locally and then open an IPSec tunnel to encode the connection with the corporate<br />
network.<br />
The package univention-thin-client-ipsec must be installed on the terminal server to provide IPSec sup-<br />
port for thin clients. The necessary packages are installed in the thin client environment. This installs a<br />
service which allows the automatic update of IPSec configurations. If the thin client is started on a local<br />
network using the flash card, this service checks whether an update for the IPSec configuration is available<br />
under a specified URL. If this is the case, the configuration is downloaded and saved on the flash card.<br />
211
9 Desktop systems<br />
The following <strong>Univention</strong> Configuration Registry variables can be used to configure IPSec:<br />
thinclient/ipsec/update: This variable must be set to yes so that the thin client performs an IPSec con-<br />
figuration update when booting.<br />
thinclient/ipsec/update/url: A URL can be given here where the IPSec configuration can be found. If the<br />
variable is not set, a search will be performed for the IPSec configuration under the following URL<br />
on the terminal server: http:///univention-thin-client-ipsec/<br />
The IPSec configuration for a thin client must be packed (compressed with gzip) in a tar archive containing<br />
the following directories and files:<br />
ipsec.d/cacerts/<br />
ipsec.d/certs/<br />
ipsec.d/private/<br />
ipsec.conf<br />
ipsec.secrets<br />
ipsec-setup.sh<br />
This archive is unpacked directly in the /config 1 directory on the thin client and the corresponding<br />
symbolic links created in /etc.<br />
Optionally, a script with the name ipsec-setup.sh can be contained in the archive, which is run before<br />
the initiation of IPSec. This gives the opportunity to adapt to the respective environment, e.g., setting name<br />
servers or special routers.<br />
This type of archive must be created for each thin client which is going to use IPSec and stored on the web<br />
server. The archive must be named as follows: .tar.gz. The MAC address here is written<br />
in hyphen notation (e.g., 00-01-02-03-04-05).<br />
If the archive is saved on the web server and the <strong>Univention</strong> Configuration Registry variable<br />
thinclient/ipsec/update set to yes, the thin client will attempt to import a new configuration as<br />
described above. Thereafter, whenever it is booted the thin client will open a IPSec tunnel over the flash<br />
card before establishing a connection to the LDAP server.<br />
9.5.2.3 Audio<br />
Audio output on the thin client has been thoroughly restructured in <strong>UCS</strong> 2.1. (Enlightenment Sound Dae-<br />
mon). ARTS (analog Real time synthesizer) is still the standard network sound server, but this can alter-<br />
natively be replaced with ESD (Enlightenment Sound Daemon) or PulseAudio. In addition, a <strong>Univention</strong><br />
Configuration Registry policy can be used to set the corresponding variable:<br />
thinclient/sound/daemon: This variable can optionally be set to esd to use the ESD for audio output and<br />
to pulseaudio to use PulseAudio.<br />
thinclient/sound/volume: Defines the volume in percent to be set during start-up.<br />
The audio service selected is started when a user logs on if support is selected in the management system<br />
(further details can be found in Section 4.5.11. The service is ended when a user logs off.<br />
1 This directory mounts a writeable partition on the flash card in the thin client.<br />
212
9.5 Thin client environment<br />
If ESD is to be used for audio output, the settings must be adapted in the KDE control centre. To do this,<br />
the following options must be set in the General tab from the Sound & Multimedia category in the Sound<br />
System area.<br />
• Enable the sound system<br />
• Enable networked sound<br />
In addition, the Enlightened Sound Daemon value must be selected for the Select the audio device<br />
option on the Hardware tab.<br />
9.5.<strong>2.4</strong> Scanners<br />
The univention-thin-client-sane package is used to provide a component which makes it possible to<br />
operate scanners connected to the thin client.<br />
The SANE protocol is used for scanner support; it allows scanners to be used over the network. As soon<br />
as a scanner is connected to a thin client and recognised by SANE an icon appears on the desktop of<br />
the user who is logged on. This icon can be used to access the scanner. The icon is deleted when the<br />
scanner is removed.<br />
Before using a scanner it should be checked whether the model is supported by SANE and to what extent.<br />
For some models it is also necessary to make a firmware file available on the thin client. This file must be<br />
copied into the subdirectory of the thin client environment.<br />
If support from SANE has been verified, the scanner can be connected to the thin client and accessed<br />
directly using the icon on the user’s desktop. As standard the scanner can only be used from one terminal<br />
server. If several terminal servers are to be used in the environment or access permitted for other com-<br />
puters, the <strong>Univention</strong> Configuration Registry variable thinclient/saned/networks can be set. This<br />
variable can contain a list of networks separated by commas:<br />
thinclient/saned/networks=192.168.0.0/24,192.168.1.0/24<br />
9.5.2.5 SSH access<br />
The thin client component univention-thin-client-ssh can be used to provide the SSH service on thin<br />
clients. This offers the possibility of remote diagnosis for thin clients without the need to access the user’s<br />
x-session.<br />
When the component is installed a host key is created which is used as standard for all thin clients<br />
which retrieve their file system from the terminal server or boot a flash image which was created<br />
on the terminal server. This renders the thin client’s booting process considerably more quick, but<br />
means that the thin client cannot be clearly identified. The <strong>Univention</strong> Configuration Registry variable<br />
thinclient/sshd/generate_key prompts thin clients to create their own host keys during booting.<br />
For this, the variable must be set to yes.<br />
213
9 Desktop systems<br />
9.5.2.6 Nagios monitoring<br />
The component univention-thin-client-nagios is available for monitoring thin clients with Nagios. This<br />
allows monitoring of both accessibility and the degree of utilisation.<br />
For monitoring how accessible the thin client is the Nagios service UNIVENTION_PING can be activated<br />
on the thin client object as for other <strong>UCS</strong> system roles in <strong>Univention</strong> Directory Manager. For monitoring<br />
the degree of utilisation, a new Nagios service object must be created in <strong>Univention</strong> Directory Manager<br />
with the name UNIVENTION_LOAD. Only the compulsory fields need to be filled out for this.<br />
The parameterisation of the monitoring of the degree of utilisation is performed via two <strong>Univention</strong> Config-<br />
uration Registry variables on the thin client:<br />
thinclient/nagios/load/warning: Defines the thresholds for a warning for the Nagios plugin. The value<br />
is composed of three figures, which define the limits for the time intervals 1, 5 and 15 minutes<br />
respectively,<br />
thinclient/nagios/load/critical: Defines the thresholds for a critical state. The value is composed in the<br />
Example:<br />
same way as for the warning level.<br />
thinclient/nagios/load/warning=0.5,0.4,0.3<br />
thinclient/nagios/load/critical=0.8,0.7,0.6<br />
If these variables are not set via a policy, the following preset values are defined:<br />
thinclient/nagios/load/warning=0.1,0.1,0.1<br />
thinclient/nagios/load/critical=0.5,0.5,0.5<br />
The Nagios service UNIVENTION_LOAD can then be added as for other Nagios services on the thin client<br />
object.<br />
For this Nagios plugin it is necessary for the Nagios server to have access to the thin client. The NRPE<br />
service running on the thin client must allow this access. As standard, the LDAP server is allowed access.<br />
The <strong>Univention</strong> Configuration Registry variable nagios/client/allowedhosts can be set to allow<br />
other computers access. The variable must contain a list of IP addresses separated by commas.<br />
9.5.2.7 Font server<br />
A font server can be used to save space on thin clients with flash cards or use a central font collection.<br />
This service is used by the thin client’s x-server to request fonts from the font server entered instead of<br />
using local fonts. There is also the possibility of combining both versions.<br />
The <strong>Univention</strong> Configuration Registry variable xorg/fonts/server can be set using a <strong>Univention</strong> Con-<br />
figuration Registry policy to allow thin clients to use a font server in addition to local fonts. The value must<br />
reflect the syntax, which must also be used in the xorg.conf file:<br />
xorg/fonts/server=/:<br />
For this, must be replaced with tcp or unix depending on which transport protocol is used to<br />
access the font server. tcp should be selected here for thin clients. The fully qualified domain name of the<br />
214
9.6 Home directories<br />
computer on which the font server is operated must be entered for . 7100 is usually selected<br />
when entering the port as this is the standard setting for the font server. For example, if a font<br />
server is operated on port 7100 of the master.ucs.test computer, the variable can be set to the following<br />
value:<br />
xorg/fonts/server=tcp/master.ucs.local:7100<br />
9.6 Home directories<br />
Each user is allocated his own home directory. This directory is usually stored under /home/ and<br />
contains amongst other things all program settings which have been changed by the user. As each user<br />
has write permission for his home directory, this is normally also the place where his personal documents<br />
can be saved.<br />
There are a number of different descriptions for a user’s home directory:<br />
• home directory<br />
• /home/<br />
• $HOME<br />
• ~<br />
• home<br />
If an alternate path than /home/ is required for the home directory, this can be entered in the<br />
<strong>Univention</strong> Directory Manager in the user object under UNIX home directory. This is, however, only<br />
required and necessary in exceptional cases. The login shell to be used, by default /bin/bash, can also<br />
be amended or deleted here.<br />
9.6.1 Creation of new home directories<br />
The home directories of new users do not need to be created manually. As soon as a user logs on, each<br />
<strong>UCS</strong> system automatically checks whether a home directory already exists for this user. If this is not the<br />
case, a home directory is created.<br />
When creating a new home directory, the home directory configured for the user is created on the system<br />
on which the log-in occurs. The univention-skel mechanism then creates specific, predefined files and<br />
directories in this directory.<br />
9.6.2 Modifying the default content of home directories<br />
When creating a new home directory, univention-skel copies the contents of /etc/univention/skel/<br />
into this home directory and changes the owner and file groups over to the newly created user. Sub folders<br />
are created in the home directories as relative paths.<br />
For already existing user directories, changes to the contents of /etc/univention/skel/ have the<br />
following consequences:<br />
215
9 Desktop systems<br />
• If files are added, these files are copied into the user’s home directory at the next user log-in. If files<br />
with the same name already exist, these will be overwritten.<br />
• If a file is removed and the user has not made any amendments to this file in his home directory, it<br />
will be removed.<br />
• If a file is removed and the user has made amendments to this file in his home directory, it will not<br />
be removed.<br />
• If the user amends files created by univention-skel, these amendments remain unchanged at later<br />
log-ins. If a user deletes files, there are recreated at the next log-in.<br />
Files are created with 0600 permissions and directories with 0700 as default. These default values can<br />
be changed with the <strong>Univention</strong> Configuration Registry variable skel/permissions/directory or the<br />
<strong>Univention</strong> Configuration Registry variable skel/permissions/file.<br />
To adapt newly created directories or files subsequently (e.g., file permissions), the possibility exists of<br />
storing a script below /etc/univention/skel.meta/.<br />
For example, the script /etc/univention/skel.meta/.bashrc can be created to amend the<br />
file .bashrc subsequently. If the directory .emacs needs to be modified subsequently, a<br />
/etc/univention/skel.meta/.emacs/.directory can be created.<br />
9.6.3 Setting environment variables<br />
If environment variables need to be set for users which are valid for the whole KDE session and amongst<br />
other things can be used in KDE desktop profiles (see following section), this can be done via entries in the<br />
file /home//.univention-environment. For example, the following entry must be made in<br />
this file to set the variable $KOLABSERVER to ugs-server01.company.com for the whole KDE session:<br />
export KOLABSERVER=ugs-server01.company.com<br />
For users who already have a home directory, this must be entered in<br />
/home//.univention-environment. To incorporate this for all new users, this file can<br />
be stored under /etc/univention/skel/ accordingly.<br />
9.7 Global home directories<br />
For managed and mobile clients, home directories are automatically created and used on the local hard-<br />
drive as standard. This has the disadvantage that user settings and files can only be saved on the client<br />
currently being used and are not available for log-ins on another client.<br />
It poses a possible problem for thin clients that by default the home directory is used on the terminal server<br />
on which the terminal session was started. If more than one terminal server is available, however, the<br />
log-in occurs randomly on one of the systems and the respective local home directory is used.<br />
To have uniform home directories across all clients, global home directories must be used. These direc-<br />
tories are saved on a shared server on which all the clients are mounted, and which are thus accessible<br />
from every client. However, in this case, it must be noted that these home directories are not available for<br />
managed and mobile clients when there is no connection to the shared server.<br />
216
9.7.1 Creating and modifying global home directories<br />
Global home directories can be created in a number of ways:<br />
9.7 Global home directories<br />
• Via the user management of <strong>Univention</strong> Directory Manager (POSIX (Linux/UNIX) settings and Win-<br />
dows settings)<br />
• Via the Samba configuration<br />
• Via the file /etc/fstab<br />
In any case, the server used must provide a /home share. This is the case as standard when Create<br />
home share was selected during the installation.<br />
9.7.1.1 POSIX (Linux/UNIX) settings<br />
The configuration of the POSIX (Linux/UNIX) settings is done in the <strong>Univention</strong> Directory Manager user<br />
management on the POSIX (Linux/UNIX) tab. This setting must be configured separately for each user.<br />
The file share on the server is stated under Home share, below which the home directory can be found.<br />
This is usually /home. The directory below the share which will be used as the home directory must be<br />
given under Home share path. This is usually the username.<br />
On the clients, the <strong>Univention</strong> Configuration Registry variable homedir/mount is used to control whether<br />
the mountable share is actually mounted. This variable is set to no for managed and mobile clients as<br />
standard. If this variable is set to yes or does not exist, the stated share will automatically be mounted at<br />
the user log-in to the client.<br />
9.7.1.2 Windows settings<br />
The configuration of Windows settings is performed in the <strong>Univention</strong> Directory Manager user man-<br />
agement on the Windows tab. Here the network path to be used as the home directory, e.g.,<br />
\\fileserver\smith, can be given in the Windows home path field. This setting must be performed<br />
separately for each user.<br />
The user profile continues to be saved on the Samba server used to log in. If the user profile is also<br />
to be saved in a certain share, this should be entered in the Windows profile directory field, e.g.,<br />
\\fileserver\smith\windows-profiles\WinXP.<br />
9.7.1.3 Global configuration in Samba<br />
If the Windows settings are to be set for all users, it is recommendable to do this directly in the Samba<br />
configuration. In addition, the <strong>Univention</strong> Configuration Registry variable samba/homedirserver should<br />
be set to the file server on all Samba log-in servers. For this, the server must be specified which hosts<br />
the home directories. If the Windows user profiles are also to be saved centrally, this must be configured<br />
using the <strong>Univention</strong> Configuration Registry variable samba/profileserver.<br />
217
9 Desktop systems<br />
9.7.1.4 Mounting the shares in /etc/fstab<br />
A further possibility for mounting home directories on managed and mobile clients and terminal servers is<br />
to mount the directory shared by the shared server with all home directories statically. This is performed<br />
via an entry in the file /etc/fstab:<br />
:/home /home nfs defaults,timeo=21,retrans=9 1 2<br />
The share is automatically mounted during booting by entering mount -a or mount /home.<br />
218
Figure 9.1: <strong>Univention</strong> Directory Manager display settings<br />
9.7 Global home directories<br />
219
9 Desktop systems<br />
220<br />
Figure 9.2: Selection of the session during log-on
10 Basic System Services<br />
Contents<br />
10.1 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222<br />
10.2 Server Homepage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222<br />
10.3 Packet filter with <strong>Univention</strong> Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223<br />
10.3.1 Service definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223<br />
10.3.2 Service profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223<br />
10.3.3 Local filter rules by <strong>Univention</strong> Configuration Registry . . . . . . . . . . . . . . . . . 224<br />
10.3.4 Local filter rules via iptables commands . . . . . . . . . . . . . . . . . . . . . . . . . 224<br />
10.3.5 Testing <strong>Univention</strong> Firewall settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225<br />
10.4 Authentication / PAM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225<br />
10.4.1 Automatic lockout of users after failed login attempts . . . . . . . . . . . . . . . . . . 227<br />
10.5 Network configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228<br />
10.5.1 Network interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228<br />
10.5.2 DNS servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228<br />
10.5.3 Proxy configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228<br />
10.6 Logging of system messages and system status . . . . . . . . . . . . . . . . . . . . . . . . 229<br />
10.6.1 Log files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229<br />
10.6.2 Logging the system status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229<br />
10.7 Kernel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230<br />
10.7.1 Available kernel variants . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230<br />
10.7.2 Hardware drivers / kernel modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230<br />
10.8 GRUB boot manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231<br />
10.9 Executing recurring actions with Cron . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232<br />
10.9.1 Hourly/daily/weekly/monthly execution of scripts . . . . . . . . . . . . . . . . . . . . 232<br />
10.9.2 Defining local cron jobs in /etc/cron.d . . . . . . . . . . . . . . . . . . . . . . . . . . 232<br />
10.9.3 Defining cron jobs in <strong>Univention</strong> Configuration Registry . . . . . . . . . . . . . . . . 233<br />
10.10Kerberos . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233<br />
10.11Name resolution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233<br />
10.11.1Name Service Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233<br />
10.11.2LDAP NSS module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234<br />
10.11.3Nameserver cache daemon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234<br />
10.11.4Configuration of /etc/hosts in <strong>Univention</strong> Configuration Registry . . . . . . . . . . . . 235<br />
10.12SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235<br />
10.13Time synchronisation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236<br />
221
10 Basic System Services<br />
10.1 Summary<br />
This chapter describes basic system services of a <strong>UCS</strong> Installation such as the configuration of the kernel<br />
and boot manager, the network configuration, Kerberos, SSH, NSS, and the NSCD.<br />
In addition, the settings possibilities of the PAM authentication interface are also described.<br />
10.2 Server Homepage<br />
Every <strong>UCS</strong> server system offers on its web homepage (at http(s)://HOSTNAME or<br />
http(s)://IPADDRESS) hyperlinks to services installed in the system (such as <strong>Univention</strong> Man-<br />
agement Console or, at the Domain Controller Master, the <strong>Univention</strong> Directory Manager). An example<br />
can be found in Illustration 10.1.<br />
This homepage is defined via the <strong>Univention</strong> Configuration Registry variable apache2/startsite<br />
which by default refers to the file ucs-overview/de.html in the Apache directory<br />
/var/www. This file is managed as a <strong>Univention</strong> Configuration Registry multi file and can<br />
be amended, for example by entering links to special in-house applications into the directory<br />
/etc/univention/templates/files/var/www/ucs-overview/de.html.d/ (and accordingly<br />
on the English homepage).<br />
222<br />
Figure 10.1: Homepage of a DC Master
10.3 Packet filter with <strong>Univention</strong> Firewall<br />
10.3 Packet filter with <strong>Univention</strong> Firewall<br />
<strong>Univention</strong> Firewall offers an integration of the packet filter IPTables into <strong>Univention</strong> Corporate Server. This<br />
filter permits targeted filtering of undesired services, and the protection of computers during installation<br />
works. Furthermore it provides the basis for complex scenarios such as firewalls and Application Level<br />
Gateways. <strong>Univention</strong> Firewall is included in all <strong>Univention</strong> Corporate Server installations as a standard<br />
feature.<br />
The configuration for the packet filter can be found in the directory /etc/security/netfilter.d/.<br />
The configuration elements available in this directory, are executed in alphabetical order. The name of<br />
each script begins with two digits, which makes it easy to create a numbered order.<br />
After changing the packet filter settings, the service univention-iptables has to be restarted.<br />
<strong>Univention</strong> Firewall can be deactivated by setting the <strong>Univention</strong> Configuration Registry variable<br />
security/packetfilter/disabled to true.<br />
10.3.1 Service definitions<br />
<strong>Univention</strong> Firewall allows selective filtering of individual services by <strong>Univention</strong> Configuration Registry, for<br />
example if a service is temporarily not required or to be deactivated for test purposes. At present, the<br />
following services are supported in <strong>UCS</strong>:<br />
smtp pop3 imap kerberos<br />
krsh nfs umc nagios<br />
ipp notifier dhcp dns<br />
ftp http x11 https<br />
ldap postgres samba ssh<br />
telnet ftp<br />
If the <strong>Univention</strong> Configuration Registry variable security/services/SERVICE is set to disabled, the cor-<br />
responding service is filtered out.<br />
Attention:<br />
These services are filtered by means of their default ports. If a service is operated at a different port, then<br />
the corresponding <strong>Univention</strong> Configuration Registry template has to be adapted.<br />
10.3.2 Service profiles<br />
<strong>Univention</strong> Firewall supports pre-defined service profiles for each system role. The services to be filtered<br />
out, are defined for each role in the above-mentioned <strong>Univention</strong> Configuration Registry settings.<br />
Attention:<br />
It has to be considered that it is merely a selective filter which is used here. If additional local services are<br />
applied, they have to be registered subsequently.<br />
223
10 Basic System Services<br />
The service profiles can be selected during installation (e.g. for a secure installation) and changed in an<br />
installed system at a later date via univention-system-setup-security.<br />
There are three profiles which can be selected during installation or at runtime via <strong>Univention</strong> System<br />
Setup:<br />
• Disabled (no service will be blocked).<br />
• Typical selection of services, recommended (see below)<br />
• Locked-down setup. Only SSH, LDAP, and HTTPS are allowed.<br />
For the recommended selection some typically unused services are filtered out.<br />
• On domain controller master/backup/slave and member servers: Telnet and FTP<br />
• On managed, mobile clients and base systems: SMTP, Pop3, Notifier, KRSH, Kerberos, IMAP, Na-<br />
gios, DHCP, DNS, FTP, LDAP, Postgres, Telnet and TFTP<br />
10.3.3 Local filter rules by <strong>Univention</strong> Configuration Registry<br />
Besides pre-defined service definitions, <strong>Univention</strong> Firewall also allows the implementation<br />
of package filter rules via <strong>Univention</strong> Configuration Registry These rules are included in<br />
/etc/security/netfilter.d/ via a <strong>Univention</strong> Configuration Registry module.<br />
All <strong>Univention</strong> Configuration Registry settings for local filter rules are entered in the following format:<br />
security/packetfilter/[tcp|udp]/[accept|deny]=ports<br />
tcp is used for server services via the Transmission Control Protocol, udp for stateless datagram services.<br />
If a rule is registered as deny, then the packages to this port will be discarded; filtering can be overridden<br />
by accept. (IPtables rules are executed until one rule applies; thus, if a package is accepted by a rule<br />
which is discarded by a later rule, then the rule for discarding the package does not become valid).<br />
Ports can be defined either as a number or as a range separated by a colon X:Y .<br />
Some examples:<br />
• security/packetfilter/tcp/deny=2000<br />
• security/packetfilter/udp/accept=500:600<br />
10.3.4 Local filter rules via iptables commands<br />
Besides the existing possibilities for settings via <strong>Univention</strong> Configuration Registry, there is also the pos-<br />
sibility of integrating user-defined enhanced configurations in /etc/security/netfilter.d/, e.g. for<br />
realising a firewall or Network Address Translation. The enhancements should be realised in the form of<br />
shell scripts which execute the corresponding iptables calls.<br />
Full documentation can be found at http://www.netfilter.org/.<br />
224
10.3.5 Testing <strong>Univention</strong> Firewall settings<br />
10.4 Authentication / PAM<br />
Package filter settings should always be thoroughly tested. The network scanner nmap, which is integrated<br />
in <strong>Univention</strong> Corporate Server as a standard feature, can be used for testing the status of individual ports:<br />
Since Nmap requires elevated privileges in the network stack, it should be started as root user. A TCP<br />
port can be tested with the following command:<br />
nmap HOSTNAME -p PORT(s)<br />
A UDP port can be tested with the following command:<br />
nmap HOSTNAME -sU -p PORT(s)<br />
Examples:<br />
• nmap 192.168.1.100 -p 400<br />
• nmap 192.168.1.110 -sU -p 400-500<br />
10.4 Authentication / PAM<br />
Authentication services in <strong>Univention</strong> Corporate Server are realised via Pluggable Authentication Mod-<br />
ules (PAM). To this end different log-in procedures are displayed on a common interface so that a new<br />
log-in method does not require adaptation for existing applications.<br />
In the <strong>UCS</strong> PAM configuration, different methods can be used for the authentication of user accounts.<br />
unix verifies the hashed password using the /etc/shadow file, ldap performs a bind attempt on the<br />
LDAP server and krb5 verifies the password using a Kerberos key, which is also stored in LDAP. There<br />
are also other methods, e.g., the secure shell (ssh) uses a key pair for verification of whether the user is<br />
really the user he claims to be.<br />
In <strong>UCS</strong> it is normally sufficient if the identity can be verified using one of these methods. Which<br />
method should be used can be configured using the <strong>Univention</strong> Configuration Registry variable<br />
auth/admin/methods for the administrator and the <strong>Univention</strong> Configuration Registry variable<br />
auth/user/methods for all other users. The default setting is krb5 ldap unix, which allows all three<br />
methods.<br />
Alongside this verification, certain services also require a valid user account: This assigns a user his<br />
home directory, his numerical user identification (UID) and his group memberships. This information is<br />
required among other things for logins on GDM, on the text console or via SSH. Samba also requires<br />
this information to store information saved by the user onto the UNIX file system or to verify whether the<br />
access to files and directories is allowed. In addition, the account data also includes additional information<br />
such as the age of the password, whether the account is deactivated or whether the account should only<br />
be valid on certain hosts.<br />
Here too different methods are used via PAM, which can sometimes be expanded and restricted: unix<br />
uses the information from /etc/passwd, /etc/group, /etc/shadow and /etc/nsswitch.conf,<br />
which can be used to mount further information sources. The latter is used to mount all the users<br />
225
10 Basic System Services<br />
from LDAP in <strong>UCS</strong>. This is particularly necessary for allowing programs to request users and groups<br />
via getent.<br />
It must be observed that the data structures for the shadow method are very restricted and cannot be<br />
expanded. This prevents the use of other information stored in LDAP among other things. As a result, ldap<br />
is included again to decide whether a user account is valid on a host based on further criteria. Thirdly,<br />
krb5 is also used here, which offers the possibility like ldap of deciding which criteria should be taken into<br />
account during the verification. An important difference is that the Kerberos service does not assign user<br />
names to the required POSIX information such as UID, GID, GECOS, HOME, Shell, etc. Services which<br />
require this information, must thus stringently use ldap or unix as well.<br />
Each of these three methods for account verification uses information from the LDAP directory: unix<br />
evaluates the shadow information, ldap also uses the host attribute or other filters if necessary and krb5<br />
evaluates the Samba attributes (sambaAcctFlags). The methods are thus not completely independent of<br />
each other and (mutually) influence each other.<br />
The configured PAM log-in procedures can be configured via <strong>Univention</strong> Configuration Registry. Two kinds<br />
of variables are differentiated here; services reserved for administrators are configured in the <strong>Univention</strong><br />
Configuration Registry variable auth/admin/services and services for unprivileged users are config-<br />
ured in the <strong>Univention</strong> Configuration Registry variable auth/user/services.<br />
The following authentication procedures are available as standard:<br />
226<br />
Name Description of the authenticated<br />
service<br />
ftp FTP service<br />
gdm GDM for log-ins onto KDE/X11<br />
log-in Shadow log-in<br />
other fallback for non-configured ser-<br />
vices<br />
ppp PPP processes with log-in op-<br />
tion<br />
rlogin remote log-in (rlogin) (typically<br />
obsolete)<br />
screen screen terminal tool<br />
chfn chfn tool from Shadow to<br />
change user data<br />
chsh chsh tool from Shadow to<br />
change log-in shell<br />
kde KDE applications in general<br />
kscreensaver KDE screensaver<br />
kcheckpass KDE password verification<br />
rsh remote shell (rsh) (typically ob-<br />
solete)<br />
ssh secure shell<br />
su tool for changing user identity
sudo tool for running users with ele-<br />
vated privileges<br />
passwd passwd tool from Shadow<br />
cron Cron daemon<br />
10.4 Authentication / PAM<br />
The authorised users for various services can also be restricted using a PAM module. If<br />
the <strong>Univention</strong> Configuration Registry variables auth/ftpd/accessfile, auth/gdm/accessfile,<br />
auth/sshd/accessfile or auth/nagios/accessfile are configured to a file name, access to the<br />
relevant services is restricted to those users listed in the file separated by commas.<br />
10.4.1 Automatic lockout of users after failed login attempts<br />
As standard, a user can enter his password incorrectly any number of times. To hinder brute force attacks<br />
on passwords, an automatic lockout for user accounts can be activated after a configured number of failed<br />
log-in attempts. The lockout is activated locally per computer system as standard. In other words, if a user<br />
enters his password incorrectly too many times on one system, he can still login on another system. Setting<br />
the <strong>Univention</strong> Configuration Registry variable auth/faillog/lock_global will make the lock effective<br />
globally and register it in the LDAP. The global lock can only be set on domain controller master/backup<br />
systems as other system roles do not possess the requisite permissions in the LDAP directory. On these<br />
system roles, the user is, however, locally locked or unlocked again via the listener module.<br />
Attention:<br />
This setting can also be misused, for example when a user has locked his screen and another user enters<br />
the password incorrectly several times in his absence. In this case, the user must contact the administrator<br />
to have his account unlocked.<br />
The automatic lockout of users following failed logins can be activated by setting the <strong>Univention</strong><br />
Configuration Registry variable auth/faillog to yes. The upper limit of failed log-in attempts at<br />
which an account lockout is activated is configured in the <strong>Univention</strong> Configuration Registry variable<br />
auth/faillog/limit. The counter is reset each time the password is entered correctly.<br />
As standard, the root user is excluded from the password lock, but can also be subjected to it by setting<br />
the <strong>Univention</strong> Configuration Registry variable auth/faillog/root to yes.<br />
As standard the lockout is not subject to time limitations and must be reset by the administrator. However,<br />
it can also be reset automatically after a certain interval has elapsed. This is done by specifying a time<br />
period in seconds in <strong>Univention</strong> Configuration Registry variable auth/faillog/unlock_time. If the<br />
value is set to 0, the lock is reset immediately.<br />
If accounts are locked locally, the administrator can unlock a user by entering the command faillog -r<br />
USERNAME. If the lock occurs globally in the LDAP, the user can be reset in the User account tab of a user<br />
in <strong>Univention</strong> Directory Manager.<br />
227
10 Basic System Services<br />
10.5 Network configuration<br />
10.5.1 Network interfaces<br />
Network interfaces settings are stored in <strong>Univention</strong> Configuration Registry. They can be changed via<br />
<strong>Univention</strong> System Setup (see chapter 15.<strong>2.4</strong>), or stored directly in <strong>Univention</strong> Configuration Registry. For<br />
each interface there must be four properties stored in <strong>Univention</strong> Configuration Registry variables:<br />
• interfaces/ethX/address for the IP address which is to be linked to an interface.<br />
• interfaces/ethX/broadcast for the Broadcast address of the interface<br />
• interfaces/ethX/netmask for the subnet mask of the interface<br />
• interfaces/ethX/network for the network of the interface<br />
Besides the physical interfaces, additional virtual interfaces can also be defined in the form inter-<br />
faces/ethX_Y/property.<br />
The default gateway is configured by the <strong>Univention</strong> Configuration Registry variable gateway.<br />
On mobile clients where <strong>UCS</strong> versions as of 2.3 are installed, Network Manager is used for the IP config-<br />
uration.<br />
If a server is configured over DHCP, an address is configured in <strong>Univention</strong> Configuration Reg-<br />
istry which can be resorted to if the DHCP request should fail. The setting is specified<br />
by the <strong>Univention</strong> Configuration Registry variables interfaces/ethX/fallback/address and<br />
interfaces/ethX/fallback/netmask. Network and broadcast addresses can be specified us-<br />
ing the <strong>Univention</strong> Configuration Registry variables interfaces/ethX/fallback/network and<br />
interfaces/ethX/fallback/broadcast. A gateway can be specified with gateway/fallback.<br />
If the <strong>Univention</strong> Configuration Registry variable networkmanager/dhcp/options/fallback is set<br />
to yes, options which are not set by the DHCP server are read out of the previously listed <strong>Univention</strong><br />
Configuration Registry variables.<br />
10.5.2 DNS servers<br />
One or more DNS servers can be configured for each system in the <strong>Univention</strong> Configuration Registry<br />
variables nameserver1, nameserver2 and nameserver3.<br />
For each configured network interface, the entry in the /etc/hosts can be configured through<br />
interfaces/ethX_Y/hosts.<br />
Information on the configuration of the name resolution through the /etc/hosts file can be found in<br />
Chapter 10.11.4.<br />
10.5.3 Proxy configuration<br />
The majority of the command line tools which access web servers (e.g., wget, elinks or curl) check<br />
whether the environment variable http_proxy is set. If this is the case, the proxy server set in this<br />
variable is used automatically.<br />
228
10.6 Logging of system messages and system status<br />
The <strong>Univention</strong> Configuration Registry variable proxy/http can also be used to activate the setting of<br />
this environment variable via an entry in /etc/profile.<br />
The proxy URL must be specified for this, e.g., http://192.168.1.100. The proxy port<br />
can be specified in the proxy URL using a colon, e.g., http://192.168.1.100:3128. If<br />
the proxy requires authentication for the accessing user, this can be provided in the form<br />
http://username:password@192.168.1.100.<br />
The environment variable is not adopted for sessions currently opened. A relogin is required for the change<br />
to be activated.<br />
The <strong>Univention</strong> tools for software updates also support operation via a proxy and query the <strong>Univention</strong><br />
Configuration Registry variable .<br />
Individual domains can be excluded from use by the proxy by including them separated by commas in the<br />
<strong>Univention</strong> Configuration Registry variable proxy/no_proxy. Subdomains are taken into account; e.g.<br />
an exception for univention.de also applies for apt.univention.de.<br />
10.6 Logging of system messages and system status<br />
10.6.1 Log files<br />
All <strong>UCS</strong>-specific log files (e.g., for the listener/notifier replication) are stored in the<br />
/var/log/univention directory. Services log in their own standard log files: for example, Samba in<br />
/var/log/samba/log.smbd and /var/log/samba/log.nmbd.<br />
The log files are managed by Logrotate. It ensures that log files are named in series in intervals (can<br />
be configured in weeks using the <strong>Univention</strong> Configuration Registry variable log/rotate/weeks, with<br />
the default setting being 12) and older log files are then deleted. For example, the current log file for<br />
the <strong>Univention</strong> Directory Listener is found in the listener.log file; the one for the previous week in<br />
listener.log.1, etc.<br />
The <strong>Univention</strong> Configuration Registry variable log/rotate/univention/compress is used to config-<br />
ure whether the older log files are additionally zipped with Gzip.<br />
10.6.2 Logging the system status<br />
univention-system-stats (available as of <strong>UCS</strong> <strong>2.4</strong>-1) can be used to document the current system<br />
status in the /var/log/univention/system-stats.log file. The following values are logged:<br />
• The free disk space on the system partitions (df -lhT)<br />
• The current process list (ps auxf)<br />
• Two top lists of the current processes and system load (top -b -n2)<br />
• The current free system memory (free)<br />
• The time elapsed since the system was started (uptime)<br />
• Temperature, fan and voltage indices from LM sensors (sensors)<br />
229
10 Basic System Services<br />
• A list of the current Samba connections (smbstatus)<br />
The runtimes in which the system status should be logged can be defined in Cron syntax via the <strong>Univention</strong><br />
Configuration Registry variable system/stats/cron, e.g., 0,30 * * * * for logging every half and full hour.<br />
The logging is activated by setting the <strong>Univention</strong> Configuration Registry variable system/stats to yes.<br />
10.7 Kernel<br />
10.7.1 Available kernel variants<br />
Several kernel variants are provided in <strong>UCS</strong> in order to be able to adapt systems efficiently to the require-<br />
ments of different environments.<br />
The standard kernel in <strong>UCS</strong> <strong>2.4</strong> is based on the official Linux kernel 2.6.30. In principle, there are three<br />
different types of kernel packages:<br />
• A kernel image package provides an executable kernel which can be installed and started.<br />
• A kernel source package provides the source code for a kernel. From this source, a tailor-made<br />
kernel can be created, and functions can be activated or deactivated.<br />
• A kernel header package provides interface information which is required by external packages if<br />
these have to access kernel functions. This information is usually necessary for compiling external<br />
kernel drivers.<br />
Normally, the operation of a <strong>UCS</strong> system only requires the installation of one kernel image package.<br />
The standard kernel in <strong>UCS</strong> for i386-based systems supports 64 GB RAM in installations as of Version <strong>2.4</strong><br />
(the so-called bigmem kernel for processors with PAE support). The standard kernel for amd64 systems<br />
directly supports more than 4 GB working memory, which renders a 64 GB version for amd64 systems<br />
unnecessary.<br />
Several kernel versions can be installed in parallel. This makes sure that there is always an older version<br />
available to which can be reverted in case of an error. So-called meta packages are available which always<br />
refer to the kernel version currently recommended by <strong>UCS</strong>. In case of an update, the new kernel version<br />
will be installed, making it possible to keep the system up to date at any time.<br />
A full list of all meta packages can be found in the <strong>Univention</strong> Wiki:<br />
http://wiki.univention.de/index.php?title=Supported_kernel_variants<br />
10.7.2 Hardware drivers / kernel modules<br />
Unlike other operating systems, the Linux kernel (with very few exceptions) provides all drivers for hardware<br />
components from one source. For this reason, it is not normally necessary to install drivers from external<br />
sources subsequently.<br />
The boot process occurs in two steps using an initial ramdisk (’initrd’ for short). This is composed of an<br />
archive with further drivers and programs.<br />
230
10.8 GRUB boot manager<br />
The GRUB boot manager (see Chapter 10.8) loads the kernel and the initrd into the system memory, where<br />
the initrd archive is extracted and mounted as a temporary root file system. The real root file system can<br />
then be mounted onto this, before the temporary archive is removed and the system start implemented.<br />
The <strong>Univention</strong> Configuration Registry variable initramfs/modules can then be used to configure<br />
which modules should be integrated into the initrd. If it is set to most, all framebuffer, ACPI, file system<br />
and hard drive modules are integrated; netboot only adds basic and network drivers and dep performs<br />
automatic recognition of the modules which are to be integrated.<br />
If the <strong>Univention</strong> Configuration Registry variable initramfs/busybox is set to yes, Busybox, a compact<br />
implementation of the standard Unix tools, is added, which is useful in failure analysis amongst other<br />
things.<br />
The drivers to be used are recognised automatically during system start and loaded via the udev device<br />
manager. At this point, the necessary device links are also created under /dev. If drivers are not recog-<br />
nised (which can occur if no respective hardware IDs are registered or hardware is employed which cannot<br />
be recognised automatically, e.g., ISA boards), kernel modules to be loaded automatically can be added<br />
via <strong>Univention</strong> Configuration Registry variable kernel/modules. If more than one kernel module is to be<br />
added, these must be separated by a semicolon.<br />
10.8 GRUB boot manager<br />
In <strong>Univention</strong> Corporate Server GNU GRUB is used as the boot manager. GRUB provides a menu which<br />
allows the selection of a Linux kernel or another operating system to be booted. In contrast to the boot<br />
loader LILO, which was used in earlier <strong>UCS</strong> versions, GRUB can also access file systems directly and can<br />
thus, for example, load another kernel in case of an error.<br />
The selection of kernels to be started in the boot menu is stored in the file /boot/grub/menu.lst.<br />
There is a five second waiting period during which a selection can be made. This value can be changed<br />
via the <strong>Univention</strong> Configuration Registry variable grub/timeout.<br />
In the basic setting, a screen of 1024x768 pixels size and 16 Bit colour depth is pre-set. A different value<br />
can be set via the <strong>Univention</strong> Configuration Registry variable grub/vga. A list of available modes can be<br />
found at http://en.wikipedia.org/wiki/VESA_BIOS_Extensions.<br />
Setting the <strong>Univention</strong> Configuration Registry variable grub/memtest86 to true means a memory test<br />
program is included in the boot selection. For this purpose, the package memtest86+ has to be installed<br />
on the corresponding system.<br />
GRUB loads the operating system in a two-step procedure; in the Master Boot Record of the hard drive,<br />
the Stage 1 loader is written which refers to the data of Stage 2, which in turn manage the rest of the boot<br />
procedure.<br />
The kernel which is about to be booted, can be provided with configuration options by setting the <strong>Univention</strong><br />
Configuration Registry variable grub/append.<br />
GRUB uses its own notation for the partitions of a hard drive, which is independent from the device names<br />
under Linux. The format of this notation is (hdX,Y), wherein X means the drive within the system, and Y<br />
the partition on the drive (counting begins with 0 in each case). So (hd0,0) means the first partition on the<br />
231
10 Basic System Services<br />
first hard drive. The Grub root partition can be represented in this notation by the <strong>Univention</strong> Configuration<br />
Registry variable grub/groot.<br />
The root partition which is handed over to the booting kernel, is independent from the above notation. It<br />
can be changed via the <strong>Univention</strong> Configuration Registry variable grub/root, and has to be declared in<br />
standard Linux partitions syntax.<br />
10.9 Executing recurring actions with Cron<br />
Regularly recurring actions (e.g., the processing of log files) can be started at a defined time with the Cron<br />
service. Such an action is known as a cron job.<br />
10.9.1 Hourly/daily/weekly/monthly execution of scripts<br />
Four directories are predefined on every <strong>UCS</strong> system, /etc/cron.hourly/, /etc/cron.daily/,<br />
/etc/cron.weekly/ and /etc/cron.monthly/. Shell scripts which are placed in these directories<br />
and marked as executable are run automatically every hour, day, week or month.<br />
10.9.2 Defining local cron jobs in /etc/cron.d<br />
A cron job is defined in a line, which is composed of a total of seven columns:<br />
• Minute (0-59)<br />
• Hour (0-23)<br />
• Day (1-31)<br />
• Month (1-12)<br />
• Weekday (0-7) (0 and 7 both stand for Sunday)<br />
• Name of user executing the job (e.g., root)<br />
• The command to be run<br />
The time specifications can be set in different ways. One can specify a specific minute/hour/etc. or run<br />
an action every minute/hour/etc. with an *. Intervals can also be defined, for example */2 as a minute<br />
specification runs an action every two minutes.<br />
Some examples:<br />
30 * * * * root /usr/sbin/jitter 600 /usr/share/univention-samba/slave-sync<br />
*/5 * * * * www-data /usr/bin/php -q /usr/share/horde3/kronolith/scripts/reminders.php<br />
232
10.9.3 Defining cron jobs in <strong>Univention</strong> Configuration Registry<br />
10.10 Kerberos<br />
Cron jobs can also be defined in <strong>Univention</strong> Configuration Registry. This is particularly useful if they are<br />
set via a <strong>Univention</strong> Directory Manager policy and are thus used on more than one computer.<br />
Each cron job is composed of at least two <strong>Univention</strong> Configuration Registry variables. JOBNAME is a<br />
general description.<br />
• cron/JOBNAME/command specifies the command to be run (required)<br />
• cron/JOBNAME/time specifies the execution time (see 10.9.2) (required)<br />
• As standard, the cron job is run as a user root. cron/JOBNAME/user can be used to specify a<br />
different user.<br />
• If an e-mail address is specified under cron/JOBNAME/mailto, the output of the cron job is sent<br />
there per e-mail.<br />
• cron/JOBNAME/description can be used to provide a description.<br />
10.10 Kerberos<br />
Kerberos is an authentication framework the purpose of which is to permit secure identification in the po-<br />
tentially insecure connections of decentralised networks. In Kerberos, all clients use a foundation of mutual<br />
trust, the Key Distribution Centre (KDC). A client authenticates at this KDC and receives an authenti-<br />
cation token, the so-called ticket which can be used for authentication within the Kerberos environment<br />
(the so-called Kerberos Realm). The name of the Kerberos Realm can be defined via the <strong>Univention</strong><br />
Configuration Registry variable kerberos/realm.<br />
Tickets have a standard validity period of 8 hours; this is why it is vital for a Kerberos domain to have the<br />
system time synchronised for all the systems belonging to the Kerberos Realm.<br />
<strong>Univention</strong> Corporate Server uses the Heimdal Kerberos implementation. Several domain controllers can<br />
be operated as a KDC within one domain; by default, each Domain Controller Master, Domain Controller<br />
Backup and Domain Controller Slave works as a KDC. The KDC used by a system can be reconfigured<br />
via the <strong>Univention</strong> Configuration Registry variable kerberos/kdc.<br />
The Kerberos admin server, on which the administrative settings of the domain can be made, runs on the<br />
Domain Controller Master. Most of the settings in <strong>Univention</strong> Corporate Server are taken from the LDAP<br />
directory, so that the major remaining function is changing passwords. This can be achieved by means of<br />
the Tool kpasswd; the passwords are then changed in the LDAP too. The Kerberos admin server can be<br />
configured on a system via the <strong>Univention</strong> Configuration Registry variable kerberos/adminserver.<br />
10.11 Name resolution<br />
10.11.1 Name Service Switch<br />
With the Name Service Switch, the GNU C standard library (glibc) used in <strong>Univention</strong> Corporate Server<br />
offers a modular interface for resolving the names of users, groups and hosts.<br />
233
10 Basic System Services<br />
Instead of the traditional configuration files (such as /etc/passwd or /etc/hosts), the data usually<br />
returned from function calls for resolving data related to users, groups and hosts, can be drawn from other<br />
sources such as LDAP or an SQL database.<br />
The data are stored in the file /etc/nsswitch.conf, which can be managed via <strong>Univention</strong> Configura-<br />
tion Registry. By default, the LDAP directory service is used for this purpose. By setting the <strong>Univention</strong><br />
Configuration Registry variable nsswitch/ldap to no, the exclusive use of /etc/passwd, /etc/group<br />
and /etc/hosts can be specified.<br />
10.11.2 LDAP NSS module<br />
The LDAP NSS module is used on <strong>UCS</strong> systems for access to the domain data (e.g., users) as<br />
standard. The module queries the LDAP server specified in the <strong>Univention</strong> Configuration Reg-<br />
istry variable ldap/server/name (and if necessary the <strong>Univention</strong> Configuration Registry variable<br />
ldap/server/addition).<br />
What measures should be taken if the LDAP server cannot be reached can be specified by the <strong>Univention</strong><br />
Configuration Registry variable nssldap/bindpolicy. As standard, if the server cannot be reached, a<br />
new connection attempt is made. If the variable is set to soft, then no new attempt is made to connect.<br />
This can considerably accelerate the boot of a system if the LDAP server cannot be reached, e.g., in an<br />
isolated test environment.<br />
10.11.3 Nameserver cache daemon<br />
Data of the NSS service can be cached by the Name Server Cache Daemon (NSCD) in order to speed up<br />
frequently recurring requests for unchanged data. Thus, if a repeat request occurs, instead of a complete<br />
LDAP request to be processed, the data are simply drawn directly from the cache.<br />
The central configuration file of the (/etc/nscd.conf) is managed by <strong>Univention</strong> Configuration Registry.<br />
The access to the cache is handled via a hash table. The size of the hash table can be specified in<br />
<strong>Univention</strong> Configuration Registry, and should be higher than the number of simultaneously used group-<br />
s/users/hosts. For technical reasons, a prime number should be used for the size of the table. The following<br />
table shows the standard values of the variables:<br />
Variable Default size of the hash table<br />
nscd/group/size 3001<br />
nscd/hosts/size 3001<br />
nscd/passwd/size 3001<br />
With very big caches it may be necessary to increase the size of the cache database in the<br />
system memory. This can be configured through the <strong>Univention</strong> Configuration Registry variables<br />
nscd/hosts/maxdbsize, nscd/group/maxdbsize and nscd/passwd/maxdbsize.<br />
As standard, five threads are started by NSCD. In environments with many accesses it may prove neces-<br />
sary to increase the number via the <strong>Univention</strong> Configuration Registry variable nscd/threads.<br />
234
10.12 SSH<br />
In the basic setting, a resolved group or host name is kept in cache for one hour, a user name for ten min-<br />
utes. With the <strong>Univention</strong> Configuration Registry variables nscd/group/positive_time_to_live,<br />
nscd/hosts/positive_time_to_live and nscd/passwd/positive_time_to_live these peri-<br />
ods can be extended or diminished (in seconds).<br />
As of <strong>UCS</strong> 2.3 a <strong>Univention</strong> Directory Listener module is also included, which empties the group cache<br />
when a change is made to group memberships. This listener module can be activated/deactivated<br />
via the <strong>Univention</strong> Configuration Registry variable nscd/group/invalidate_cache_on_changes<br />
(true/false).<br />
From time to time it might be necessary to manually invalidate the cache of the NSCD. This can be done<br />
individually for each cache table with the following commands:<br />
nscd -i passwd<br />
nscd -i group<br />
nscd -i hosts<br />
The verbosity of the log messages can be configured through the <strong>Univention</strong> Configuration Registry vari-<br />
able nscd/debug/level.<br />
10.11.4 Configuration of /etc/hosts in <strong>Univention</strong> Configuration Registry<br />
The configuration file /etc/hosts is managed through a <strong>Univention</strong> Configuration Registry template.<br />
Individual entries can be added through a <strong>Univention</strong> Configuration Registry variable in the format<br />
hosts/static/192.168.1.1="test.local test".<br />
10.12 SSH<br />
When installing a <strong>UCS</strong> system, an SSH server is also installed per preselection. SSH is used for realising<br />
encrypted connections to other hosts, wherein the identity of a host can be assured via a check sum.<br />
Essential aspects of the SSH server’s configuration can be adjusted in <strong>Univention</strong> Configuration Registry.<br />
By default the login of the privileged root user is permitted by SSH (e.g. for configuring a newly installed<br />
system where no users have been created yet, from a remote location). If the <strong>Univention</strong> Configuration<br />
Registry variable sshd/permitroot is set to without-password, then no interactive password request<br />
will be performed for the root user, but only a login based on a public key. By this means brute force<br />
attacks to passwords can be avoided. If the variable is set to no, then the root user cannot login via SSH.<br />
The <strong>Univention</strong> Configuration Registry variable sshd/xforwarding can be used to configure whether<br />
an X11 output should be passed on via SSH. This is necessary, for example, for allowing a user to start a<br />
program with graphic output on a remote computer by logging in with ssh -X TARGETHOST. Valid settings<br />
are yes and no.<br />
The standard port for SSH connections is port 22 via TCP. If a different port is to be used, this can be<br />
arranged via the <strong>Univention</strong> Configuration Registry variable sshd/port.<br />
235
10 Basic System Services<br />
10.13 Time synchronisation<br />
Asynchronous system times between individual hosts of a domain can be the source of a large number of<br />
errors: the reliability of log files is impaired; Kerberos operation is disrupted; the correct evaluation of the<br />
validity periods of passwords can be disturbed; etc.<br />
Usually the Domain Controller Master functions as the time server of a domain. With the <strong>Univention</strong><br />
Configuration Registry variables timeserver, timeserver2 and timeserver3 external NTP servers<br />
can be included as time sources.<br />
Manual time synchronisation can be started by the command ntpdate.<br />
236
11 Software maintenance<br />
Contents<br />
11.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237<br />
11.2 <strong>UCS</strong> updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238<br />
11.2.1 <strong>UCS</strong> security updates and hotfixes . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238<br />
11.2.2 <strong>UCS</strong> release updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239<br />
11.3 Package maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240<br />
11.3.1 Assigning repository servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241<br />
11.3.2 Updating packages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241<br />
11.3.3 Adding component repositories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242<br />
11.3.4 Managing package lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243<br />
11.3.5 Release updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245<br />
11.3.6 Manual package maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246<br />
11.4 Software monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247<br />
11.5 Repository management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248<br />
11.1 Introduction<br />
11.5.1 Creating a repository . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249<br />
11.5.2 Adding packages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249<br />
11.5.3 Removing packages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250<br />
11.5.4 Merging repositories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250<br />
11.5.5 Repository synchronisation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251<br />
The software distribution and maintenance mechanism integrated in <strong>UCS</strong> is an extensive mechanism for<br />
the central administration of releases and package versions on all <strong>UCS</strong> systems within a domain. Updates<br />
for <strong>UCS</strong> are provided as release and security updates and hotfixes. These can be retrieved from DVDs or<br />
so-called repository servers.<br />
These repository servers provide the systems of a <strong>UCS</strong> domain with software in the form of packages<br />
which can be downloaded by the <strong>UCS</strong> systems for installation. As of Version 2.2 of <strong>UCS</strong> the possibility<br />
has existed of installing releases updates, security updates, hotfixes and additional components from the<br />
online repository http://apt.univention.de. This negates the need for a local repository server in<br />
many <strong>UCS</strong> domains. Environments where there is no access to an external repository server available, for<br />
example, can still use a local repository server.<br />
These mechanisms for software maintenance only cover the <strong>UCS</strong> systems in a <strong>UCS</strong> domain. Windows<br />
systems are not currently supported, although there is the possibility of starting a script-based software<br />
installation within the scope of an installation using <strong>Univention</strong> Windows Installer. Alternatively, the<br />
237
11 Software maintenance<br />
product opsi4ucs can be used for an automatic Windows installation and software distribution, the admin-<br />
istration of which is possible via the <strong>UCS</strong> management system. Further information can be found on the<br />
manufacturer’s website at http://www.uib.de.<br />
This chapter describes these processes and functions, i.e., it documents the processes for installing up-<br />
dates, the advanced functions of the <strong>UCS</strong> management system for software maintenance and the man-<br />
agement of repositories.<br />
11.2 <strong>UCS</strong> updates<br />
Updates for <strong>UCS</strong> are always imported on <strong>UCS</strong> systems via a repository. Depending on the size and infras-<br />
tructure of the environment, this can be performed using local repositories or using the online repository.<br />
Details on the management of repositories can be found in Section 11.5.<br />
<strong>Univention</strong> Configuration Registry variables are used to define which repository servers a system uses<br />
to retrieve updates. As of <strong>UCS</strong> 2.2 a list of files with the repositories for release and security updates,<br />
hotfixes and components is created automatically in the /etc/apt/sources.list.d directory based<br />
on these variables. Which <strong>Univention</strong> Configuration Registry variables influence this list of repositories is<br />
explained in the following sections. If further repositories are required on a system, these can be entered<br />
in the /etc/apt/sources.list file.<br />
If you do not require the automatic creation of the repository lists, this can be deactivated by setting the<br />
<strong>Univention</strong> Configuration Registry variable repository/online to false.<br />
The following explains the installation of release and security updates and hotfixes.<br />
11.2.1 <strong>UCS</strong> security updates and hotfixes<br />
If security risks or serious errors become apparent in software packages, <strong>Univention</strong> provides secu-<br />
rity updates. The availability of new security updates is announced per e-mail. An advisory docu-<br />
ment is published for each security update, which names the updated packages and the reason for<br />
their updating. The e-mail announcement and the advisory documents will both state whether a sys-<br />
tem requires restarting after the update. Security updates for current <strong>UCS</strong> versions can be found at<br />
http://www.univention.de/updates/security.<br />
The <strong>Univention</strong> Configuration Registry variable version/security-patchlevel can be read out to<br />
check the status of a system as far as security updates are concerned. If new security updates are<br />
announced, these can either be installed using the <strong>Univention</strong> Management Console or the command line<br />
programs outlined below.<br />
The univention-security-update command is used to install security updates. net or local are<br />
supported as run parameters. The option --silent can also be entered in addition to the two versions,<br />
whereby the display of all error messages is suppressed. Independent of this option, all messages are<br />
logged in the file /var/log/univention/security-updates.log.<br />
When univention-security-update net is used, the security updates for the system are down-<br />
loaded from the network and installed on the system. If additional security updates are available for the<br />
238
11.2 <strong>UCS</strong> updates<br />
system version which have not yet been installed, these are installed as well so that the system is kept<br />
up-to-date. The security updates are downloaded from the set repository server. This is entered in the<br />
<strong>Univention</strong> Configuration Registry variable repository/online/server. The web proxy settings of<br />
the system are taken into account when accessing the server.<br />
Alternatively, security updates can be downloaded as .tar archives and installed using the<br />
univention-security-update local command. These variants can, however, only be used on<br />
repository servers. An example usage is:<br />
univention-security-update local --file ucs-security-2.2sec1.tar.gz<br />
In advance it must be checked whether the archive was downloaded completely and correctly. This can<br />
be done using the md5sum command, which creates a unique check sum for the archive. The check sums<br />
of all the archives can be found under the specified URL for comparison. If the MD5 sum is correct, the<br />
security update can be imported with the named command. Firstly the local repository is updated and then<br />
security update is installed on the system.<br />
Security updates for <strong>UCS</strong> usually contains several packages to correct security risks and serious errors.<br />
This eliminates the need to import new packages individually time and time again. In certain circumstances<br />
it may be necessary to retrieve the corrections for certain packages as soon as possible. This is done using<br />
<strong>Univention</strong> hotfixes. As soon as a package is created with the corresponding correction and this has been<br />
tested, it is provided in the hotfix repository and the update announced per e-mail. <strong>Univention</strong> hotfixes can<br />
be imported on <strong>UCS</strong> systems from this repository using the command univention-actualise. The<br />
<strong>Univention</strong> Configuration Registry variable repository/online/hotfixes needs to be set to yes for<br />
the inclusion of the hotfix repository.<br />
11.2.2 <strong>UCS</strong> release updates<br />
An important part in the development of <strong>UCS</strong> is the update-ability. This means that a <strong>UCS</strong> environment<br />
can be updated to the next versions without the need for extensive interventions. It is usually not necessary<br />
for the security updates available for the previous versions to have been imported.<br />
Parallel to the installation DVDs for a new <strong>UCS</strong> release, <strong>Univention</strong> also publishes update DVDs in the form<br />
of ISO images for the update. Alternatively to the update via an update DVD, this can also be performed<br />
via the online repository. A changelog document is published for each release update listing the packages<br />
which have been updated and the reason for their updating or additional functions. In addition, a document<br />
is published with the release notes containing important information which must be observed.<br />
As with security updates, in a <strong>UCS</strong> release update the packages for new <strong>UCS</strong> version are imported in a<br />
repository using univention-repository-update before the remaining <strong>UCS</strong> systems are updated.<br />
If the online repository should be used, the system update can be begun immediately. When importing<br />
a release update in a <strong>UCS</strong> environment, the domain controller master should be the first system to be<br />
updated. Once the release update has been imported, the respective system must be rebooted.<br />
It is recommended to update a <strong>UCS</strong> system directly on the console or using the <strong>Univention</strong> Management<br />
Console Updating over a network connection (e.g., SSH session) is not advisable as this may result in the<br />
update procedure being cancelled. If updating should occur over a network connection nevertheless, it<br />
239
11 Software maintenance<br />
must be verified that the update continues despite disconnection from the network. The tools screen and<br />
at can be used for this. GNU Screen has been installed automatically as standard since <strong>UCS</strong> <strong>2.4</strong>.<br />
The package maintenance policies can be used for the update, which allow an automatic release update.<br />
This is described in Section 11.3.5.<br />
The command univention-updater can be used to install <strong>UCS</strong> release updates directly on the con-<br />
sole. This supports the following variants:<br />
• The univention-updater cdrom command is used to update a system from an inserted update<br />
DVD or an ISO image. This can only be done on repository servers. As standard, the command<br />
mount /cdrom is used to try to mount the DVD. The parameter −−cdrom can be used to add an<br />
alternative path. The parameter −−iso can be used to access an existing ISO image.<br />
If the system possesses a local repository, this is updated firstly.<br />
• The command univention-updater net is used to update a system via the online repository<br />
or a local repository in the domain. The update server is set by the <strong>Univention</strong> Configuration Reg-<br />
istry variable repository/online/server. In this case too if an existing local repository on the<br />
system is updated firstly, the update will use the local repository.<br />
• If a <strong>UCS</strong> release update has already been imported in the systems’s local repository,<br />
univention-updater local can be executed. The update then uses the local repository.<br />
The parameter −−updateto can be used in all named run applications to specify to which version a<br />
system should be updated. Higher versions are then not installed even if they are available.<br />
Prior to the installation of a release update, a link to the release notes is displayed and a minute is waited<br />
in which the update can still be cancelled. This can be skipped via the −−ignore-releasenotes option<br />
or by setting the <strong>Univention</strong> Configuration Registry variable update/warning/releasenotes to no.<br />
If the update has been performed successfully, a check should be made for whether new or updated<br />
join scripts need to be run. This is not normally required on the DC master and DC backup sys-<br />
tem roles. The <strong>Univention</strong> Management Console module Domain join or the command line program<br />
univention-run-join-scripts, which can be found in the /usr/share/univention-join di-<br />
rectory, is used for checking and starting the join scripts (see Section 5.3.10).<br />
Attention:<br />
It should be noted, that components marked as critical can block an upgrade to the next minor or major<br />
release. More information can be found in Section 11.3.3.<br />
11.3 Package maintenance<br />
Packages can be installed, updated or removed on all <strong>UCS</strong> systems apart from thin clients. The three<br />
processes are grouped under the term package maintenance.<br />
<strong>UCS</strong> systems access repository servers during package maintenance. Package maintenance can be per-<br />
formed manually or automatically. In automatic package maintenance the <strong>UCS</strong> systems check indepen-<br />
dently whether updated packages are available, new packages should be installed or installed packages<br />
should be deleted. The package maintenance also installs available security updates. Corresponding<br />
commands and tools can be used to perform these actions manually.<br />
240
11.3.1 Assigning repository servers<br />
11.3 Package maintenance<br />
Which repository server is used for package management can be set for each <strong>UCS</strong> system. If there is<br />
no local repository server in the <strong>UCS</strong> domain, the online repository http://apt.univention.de is<br />
used. Otherwise the local repository server is set. This can usually be reached under the DNS alias<br />
univention-repository.<br />
When several repository servers are in operation, the <strong>UCS</strong> systems can distribute the load among several<br />
repository servers. In <strong>Univention</strong> Directory Manager the repository server to be used can be entered on<br />
the computer onjects of the <strong>UCS</strong> systems in the [Repository server] tab. As this is a policy setting, the<br />
setting does not need to be performed on each individual computer. Policies are inherited by subordinate<br />
objects in the directory tree.<br />
11.3.2 Updating packages<br />
Figure 11.1: ’Repository server’ tab<br />
Manual updating of a <strong>UCS</strong> system is performed using the command univention-actualise as the<br />
user root. In this, no release updates are performed, but packages are updated from the configured<br />
repositories. univention-actualise performs a number of actions. Firstly a list of the available pack-<br />
ages and their versions is requested from the repository server. Once the list has been compared with the<br />
packages currently installed locally, all packages which are available in newer versions on the repository<br />
server are downloaded and installed.<br />
Updates can be installed automatically if the Maintenance policy is assigned to the desired systems.<br />
Whether the update should be performed during a system start, during shutdown or at a certain time can<br />
be set in the package maintenance policy. As package maintenance policies are inherited just like all<br />
policies in <strong>UCS</strong>, settings for automatic updating can be made in a computer container. The settings apply<br />
for all computer objects subordinate to the container.<br />
It must be noted that certain packages, e.g., the kernel, are not updated by univention-actualise<br />
241
11 Software maintenance<br />
as standard. To update these packages, univention-actualise must be run with the command line<br />
option −−dist-upgrade. These packages can thus not be updated via a package maintenance policy.<br />
Updating is possible if the package is checked in advance in a package list for installation (see following<br />
section).<br />
Attention:<br />
When packages are updated, a check is performed for whether any changes have been made to the<br />
configuration files. If configuration files are no longer there in the form in which they were delivered,<br />
they will not be overwritten. Instead a new version will be created in the same directory with the<br />
ending .dpkg-new or .dpkg-dist. If changes should be made to <strong>Univention</strong> Configuration Reg-<br />
istry templates, these templates are also not overwritten. Messages relating to this are written in the<br />
/var/log/univention/actualise.log log file.<br />
The messages created by univention-actualise during the update are also written on the updated<br />
system in /var/log/univention/actualise.log except for the standard display. If messages to the<br />
standard display are suppressed, univention-actualise can be run with the option −−silent.<br />
If a package is not found, it may be the case that it is available in a repository which is not configured for<br />
this system. The unmaintained section is a repository section with numerous, further packages, which is<br />
available for every <strong>UCS</strong> version. If this area should be mounted on a system, this can be done by setting<br />
the <strong>Univention</strong> Configuration Registry variable repository/online/unmaintained to yes. If local<br />
repository servers are set, it must be observed that the unmaintained section will also be synchronised in<br />
this case and the repository thus requires more memory space on the hard drive.<br />
11.3.3 Adding component repositories<br />
In addition to the standard repositories, additional software components can also be integrated. There<br />
are two possible variations to use these. On the one hand, the <strong>Univention</strong> Management Console module<br />
Online updates can be used. Alternatively this can be performed using the following <strong>Univention</strong> Configu-<br />
ration Registry variables:<br />
repository/online/component//server The repository server on which the components are<br />
available. If this variable is not set, the server from the <strong>Univention</strong> Configuration Registry variable<br />
repository/online/server uses<br />
repository/online/component/ This variable must be set to enabled if the components are to<br />
be mounted.<br />
repository/online/component//localmirror This variable can be used to configure whether the<br />
component is mirrored locally. In combination with the <strong>Univention</strong> Configuration Registry variable<br />
repository/online/component//server, a configuration can be set up so that the<br />
component is mirrored, but not activated, or that it is activated, but not mirrored.<br />
repository/online/component//description A descriptive name for the repository.<br />
repository/online/component//prefix Defines the URL prefix which is used on the repository<br />
server. This variable is usually not set.<br />
repository/online/component//username If the repository server requires authentication, the<br />
242<br />
user name can be entered in this variable.
11.3 Package maintenance<br />
repository/online/component//password If the repository server requires authentication, the<br />
password can be entered in this variable.<br />
repository/online/component//version This variable controls the versions to include. The fol-<br />
lowing variants are possible:<br />
empty or unset All versions of the same major number will be used. If for example <strong>UCS</strong>-2.3 is<br />
installed, all repositories of the component with version numbers 2.0, 2.1, 2.2 and 2.3 will be<br />
used if available.<br />
current Using the keyword „current” will likewise include all versions of the same major version.<br />
Additionally it will block all minor and major upgrades of the installed <strong>UCS</strong> system until the<br />
respective component is also available for the new release. Patch level and security updates<br />
are not affected. If for example <strong>UCS</strong>-2.3 is currently installed and <strong>UCS</strong>-<strong>2.4</strong> or <strong>UCS</strong>-3.0 is<br />
already available, the release updated will be postponed until the component is also available<br />
for version <strong>2.4</strong> and 3.0 respectively.<br />
major.minor By specifying an explicit version number only the specified version of the component<br />
will be used. Release updates of the system will not be hindered by such components. Multiple<br />
versions can be given using commas as delimiters, for example 2.0,2.3.<br />
repository/online/component//defaultpackages A list of package names separated by blanks.<br />
The UMC module Online updates offers the installation of this component if at least one of the pack-<br />
ages is not installed. Specifying the package list eases the subsequent installation of components.<br />
The name of the repository on the server must be given for . For example, to mount the<br />
<strong>UCS</strong>@School component, the following variable must be set:<br />
ucr set repository/online/component/ucsschool/description="<strong>UCS</strong>@School packages" \<br />
repository/online/component/ucsschool/server=apt.univention.de \<br />
repository/online/component/ucsschool=yes<br />
The following, additional repositories are then mounted on the system:<br />
deb http://apt.univention.de/2.2/maintained/component ucsschool/all/<br />
deb http://apt.univention.de/2.2/maintained/component ucsschool/extern/<br />
deb http://apt.univention.de/2.2/maintained/component ucsschool/amd64/<br />
The last line in the list is dependent on the architectures available.<br />
11.3.4 Managing package lists<br />
Alongside automatic system updates, package maintenance in <strong>UCS</strong> also supports the installation and<br />
removal of packages.<br />
Each system role in <strong>UCS</strong> is installed with a selection of packages, selected components expand this range.<br />
When installation profiles are used, single packages can be added additionally during the installation.<br />
Package lists are used for the subsequent installation of packages on a wide range of systems.<br />
Packages installed on a system via a package list, are also renewed within the scope of an update when a<br />
newer version is available in the repository. Packages to be removed must only be removed once. These<br />
packages are also removed again if they are discovered on the system during the regular system updates.<br />
243
11 Software maintenance<br />
The package lists themselves do not prompt the installation or removal or packages. Package lists are<br />
used much more often in package policies relating to specific system roles, which allow the installation or<br />
removal of packages.<br />
Specific package policies are available for the different system roles (see table). This makes it possible to<br />
link the policies with the domain base and apply a single policy to all computers with the same system role<br />
in the domain without any consequences for computers with other system roles. For example, a package<br />
selection in the package policy for managed clients only applies to computer with the managed client<br />
system role. The policies can also be edited on the appropriate tab of the respective computer objects.<br />
Package policy <strong>UCS</strong> system role<br />
Packages Master DC Master and DC Backup<br />
Packages Slave DC Slave<br />
Packages Member Member server<br />
Packages Client Managed client<br />
Packages Mobile client Mobile client<br />
The following steps must be performed when using package lists.<br />
New packages list are created under Navigation ➞ univention ➞ packages in <strong>Univention</strong> Directory<br />
Manager.<br />
Notes on the creation of package list objects can be found in Chapters 4.4 und 4.5.11.<br />
The entry Settings: Package list is selected from the Add new object at current position menu and a<br />
Name for the package list entered in the appropriate text field.<br />
The name of the desired package is entered in the Package List input field. For example, if the Emacs<br />
editor should be installed on all managed clients. The name of the package is entered without the version<br />
number and the ending .deb, which gives emacs. The package is entered with the [Add] button. Further<br />
package names can be entered as required.<br />
The package list is saved by clicking on [Ok]. The package lists created can be used in a package policy<br />
specific to a system role. A policy is then created directly on a computer object.<br />
A computer object is opened on which the packages from the package list should be installed, e.g., on a<br />
managed client. The [Packages] tab is opened (see Figure 11.2). There are two areas in which package<br />
lists can be selected. Packages which should be installed can be given in the upper area and packages<br />
which should be deleted can be given in the lower area. The previously created package list is selected<br />
from the Package list menu. The package names contained in the package list can not be selected after<br />
each other under Package Installation list and added to the list of packages to be installed using the Add<br />
button.<br />
The settings are saved by clicking on [Ok].<br />
A package policy specific to system roles created in this way can also be reused. The path to the policy is<br />
given in the Configuration field on the policy itself. For example, the entry Packages can be selected via<br />
(current) ➞ Policies on a computer object and the previously created policy selected in the Configuration<br />
menu . Once the page has been refreshed, the values are shown in the text field which were entered<br />
originally. These settings apply to all managed clients below the computer container on activation.<br />
244
Figure 11.2: Package list client<br />
11.3 Package maintenance<br />
If a package maintenance policy has been created for this computer object (see Section 11.3.2), the<br />
packages will be installed by univention-actualise the next time the package update is started.<br />
Attention:<br />
Alternatively, <strong>Univention</strong> Management Console can be used if software is only to be (un)installed on one<br />
computer. Further information can be found in Chapter 5.1.<br />
11.3.5 Release updates<br />
When more than one <strong>UCS</strong> release is contained in a repository (see Section 11.5), <strong>UCS</strong> systems can be<br />
updated to the latest release manually or automatic. The manual update via univention-updater is<br />
described in Section 11.2.2.<br />
The automated release update uses two policies. A <strong>UCS</strong> version number can be given in the Release<br />
policy, which stipulates to which version a <strong>UCS</strong> system is updated. The format of the version is that of the<br />
<strong>UCS</strong> version formats used elsewhere (2.0-0, 2.0-1 etc.). The time of the release update is specified by the<br />
Maintenance policy. If automatic package maintenance is activated for a computer (see Section 11.3.2),<br />
245
11 Software maintenance<br />
the univention-updater command is executed at a certain time. The package update is performed<br />
after the release update.<br />
The outputs of univention-updater during the automated release update are written to<br />
/var/log/univention/updater.log on the updated systems.<br />
11.3.6 Manual package maintenance<br />
All package maintenance processes can either be performed with the <strong>Univention</strong> Management Console<br />
package management (see Chapter 5.3.11) or using command line-based tools. The conventional Debian<br />
tools are used.<br />
Further information can be found in [17].<br />
11.3.6.1 Installing packages<br />
Individual packages are installed using the command<br />
univention-install PACKAGENAME<br />
The repository server is used as the installation medium. When installing a package it is sometimes<br />
necessary to install additional packages, which are required for the proper functioning of the package.<br />
These are called packages dependencies. The installation can be simulated with the parameter -s to<br />
check in advance which dependencies are retrieved.<br />
Each system receives a local list of available packages. Before the installation of a package, the repository<br />
server’s package list should be updated to ensure that the up-to-date version is used and all dependencies<br />
are resolved:<br />
apt-get update<br />
11.3.6.2 Searching for available packages<br />
If the name of a package is known, the command apt-cache search can be used to search for the<br />
package. Parts of the name or words which appear in the description of the package are listed.<br />
apt-cache search fax<br />
The package list must also be updated here to ensure that search is performed in the up-to-date package<br />
vault (see 11.3.6.1).<br />
11.3.6.3 Removing packages<br />
Individual packages are removed with the command<br />
apt-get remove PACKAGENAME<br />
Packages required by the package removed are also removed in turn.<br />
This procedure can be simulated using the -s parameter.<br />
246
11.3.6.4 Information about installed packages<br />
11.4 Software monitor<br />
Information regarding the installed packages can be shown using the command dpkg. The run parameter<br />
-l and the package name can be entered to show the version number of an installed package. Using<br />
the run parameter -l without package names will result in the display of a list of all known packages.<br />
Wildcards in package names can be used to limit the search to certain packages. Wildcards can be an<br />
asterisk (’*’ - for no or many characters) or a question mark (’?’ - for exactly one character). It may be<br />
necessary to escape the wildcard when using asterisks as these may otherwise be interpreted by the shell.<br />
dpkg -l univention-config-registry<br />
dpkg -l<br />
dpkg -l univention-\*<br />
dpkg with the run parameter -L and a package name can be used to discover which files are contained<br />
in an installed package. No wildcards can be used with the run parameter -L.<br />
dpkg -L univention-ldap-server<br />
dpkg with the run parameter -S and a file name can be used to discover which package a file belongs<br />
to. The search can take some time as it encompasses the complete databases of the installed packages.<br />
Files that have been created by packages following installation cannot be assigned to a package by dpkg<br />
-S.<br />
dpkg -S /var/lib/univention-ldap/replog<br />
Further information on the dpkg command can be found on the man page (man dpkg).<br />
11.4 Software monitor<br />
The software monitor is a database in which information is stored concerning the software packages<br />
installed across the domain. This database offers an administrator an overview of which release and<br />
package versions are installed in the domain and offers information for the step-by-step updating of a <strong>UCS</strong><br />
domain and for use in identifying problems.<br />
<strong>UCS</strong> systems update their entries automatically when software is installed, uninstalled or updated.<br />
The database can be set up by selecting the Software monitor component in the <strong>Univention</strong> Installer. As<br />
standard, the component is only preselected on the domain controller master.<br />
The system on which the database is operated is set up by the DNS service record _pkgdb._tcp during<br />
installation of the packageunivention-pkgdb. If it is installed subsequently on other system roles, the<br />
DNS service record<br />
pkgdb tcp 0 0 5432 <br />
must be created manually. Further information can be found in the Chapter 4.5.9.4.<br />
The software monitor’s web-based interface integrates in the <strong>Univention</strong> Management Console. (General<br />
information on <strong>Univention</strong> Management Console can be found in Chapter 5.1) The following software<br />
monitor functions can be used:<br />
247
11 Software maintenance<br />
• Search systems lists all systems with the set filter features. System names, <strong>UCS</strong> versions or system<br />
roles can be combined flexibly as filters. Search filter can be saved permanently.<br />
• Search packages lists all systems where a certain package is installed. This allows searches for<br />
the installation status of individual packages as well as package names. Search filters can be saved<br />
permanently.<br />
The following gives an overview of the search possibilities available for the installation status of<br />
packages:<br />
– The Package selection state influences the action taken when updating a package. Install is<br />
used to select a package for installation. If a package is configured to Hold it will be excluded<br />
from further updates. There are two possibilities for uninstalling a package: A package re-<br />
moved with DeInstall keeps locally created configuration data, whilst a package removed with<br />
PurgePurge is completely deleted.<br />
– The Installation state describes the status of an installed package in relation to upcoming<br />
updates. The normal status is Ok, which leads to a package being updated when a newer<br />
version exists. If a package is configured to Hold it will be excluded from the update.<br />
– The Current package state describes the status of a set-up package. The normal status here<br />
is Installed for installed packages and ConfigFiles for removed packages. All other statuses<br />
appear when the package’s installation was cancelled in different phases.<br />
• Identify problems allows automatic identification of installation problems:<br />
– The installed package version can be compared with the expected package status of any cho-<br />
sen release. This allows the efficient discovery of out-of-date software in large environments.<br />
– Incompletely installed software packages can be identified.<br />
If you do not wish <strong>UCS</strong> systems to store installation processes in the software monitor (e.g., when there<br />
is no network connection to the database), this can be arranged by setting the <strong>Univention</strong> Configuration<br />
Registry variable pkgdb/scan to no.<br />
Should storing be reactivated at a later date, the command univention-pkgdb-scan must be executed<br />
to ensure that package versions installed in the meanwhile are also adopted in the database.<br />
As standard only systems from the database server subnet can store their configuration in the soft-<br />
ware monitor. To grant systems from other subnets access, an appropriate network range or network<br />
mask must be entered in the <strong>Univention</strong> Configuration Registry variables pgsql/pkgdb/network and<br />
pgsql/pkgdb/netmask. An example:<br />
univention-config-registry set pgsql/pkgdb/network=10.200.0.0<br />
univention-config-registry set pgsql/pkgdb/netmask=255.255.0.0<br />
Following these changes the Postgresql service must be restarted (e.g. using the <strong>Univention</strong> Management<br />
Console).<br />
11.5 Repository management<br />
A repository contains the software packages and updates and makes them available to other <strong>UCS</strong> sys-<br />
tems. Repositories can be set up on <strong>UCS</strong> domain controllers and member servers. A server which offers<br />
248
11.5 Repository management<br />
a repository is known as a repository server. The univention-debmirror package must be installed<br />
on repository servers.<br />
As of <strong>UCS</strong> 2.2 <strong>UCS</strong> domains can also be operated without a local repository server. In this case,<br />
the systems access the online repository. If local repository servers are used, the synchronisation be-<br />
tween the servers must be configured. For this, the repository serves as the master repository and all<br />
other repositories are slave repositories which contain a copy of the master repository or another slave<br />
repository. The hierarchies of repositories are dealt with in Section 11.5.5. The repository is under the<br />
/var/lib/univention-repository/mirror directory on <strong>UCS</strong> servers.<br />
The <strong>Univention</strong> Configuration Registry variable local/repository can activate/deactivate the local<br />
repository (yes/no).<br />
The software packages stored in the repository are provided in the Debian package format.<br />
The tools described in Section 11.2.1 and 11.2.2 are used when <strong>UCS</strong> security or release updates are<br />
imported.<br />
An example software distribution architecture for a <strong>UCS</strong> domain with two locations can be seen in Fig-<br />
ure 11.3. Three repository servers are operated. The domain controller master updates its repository from<br />
the online repository. The domain controller backup retrieves updated packages from the DC Master ex-<br />
clusively via repository synchronisation. The domain controller slave as the location server retrieves these<br />
packages from the DC backup via repository synchronisation.<br />
A repository server is set for each <strong>UCS</strong> system in the domain, from which packages are downloaded for<br />
subsequent installation or updating. To distribute the loads the <strong>UCS</strong> systems from the central location are<br />
shared amongst the repository servers. The <strong>UCS</strong> systems from the external location use the repository<br />
server. All <strong>UCS</strong> systems report changes to installed packages to the software monitor on the DC master.<br />
The repository on the DC master can retrieve new updates directly from the online repository.<br />
11.5.1 Creating a repository<br />
Repositories can be created during the installation of <strong>UCS</strong> server systems using <strong>Univention</strong> Installer.<br />
The univention-repository-create command is used to create a local repository (also subse-<br />
quently). The command must be run as user root. To set up a repository, the univention-debmirror<br />
package must be installed.<br />
11.5.2 Adding packages<br />
Generally, packages are added to repositories with the corresponding tools after the initialisation of a<br />
repository via security updates or release updates. Further packages can be added to the master reposi-<br />
tory using the univention-repository-addpackage program. The newly added packages can then<br />
be automatically distributed or installed in the <strong>UCS</strong> domain. The program receives the target directory and<br />
the packets which were added as parameters. Example:<br />
univention-repository-addpackage \<br />
--dest /var/lib/univention-repository/mirror/2.2/maintained/2.2-0/ \<br />
--file kde-profiles-test1.deb kde-profiles-test2.deb<br />
249
11 Software maintenance<br />
11.5.3 Removing packages<br />
Figure 11.3: Example setup of software distribution<br />
Packages are removed from the master repository with univention-repository-delpackage pro-<br />
gram. The package must also be removed from all slave repositories. The program receives the packages<br />
to be deleted as parameters. Example:<br />
univention-repository-delpackage --file \<br />
/var/lib/univention-repository/mirror/2.2/maintained/2.2-0/all/profile\_*.deb<br />
11.5.4 Merging repositories<br />
The univention-repository-merge program is used to move all the packages from one directory to<br />
another. If it already contains other versions of a package, the program ensures that the up-to-date version<br />
is saved automatically and all older versions are deleted.<br />
In principle, univention-repository-merge can be used with any directories. As standard it is used<br />
to merge packages from the update directory with packages from the package directory and only keep the<br />
up-to-date package version.<br />
Attention:<br />
Before update directories can be merged, all <strong>UCS</strong> systems must be updated to the same release status.<br />
The update directories are required for future updates, even when they no longer contain packages. The<br />
must therefore not be deleted!<br />
The univention-repository-merge program is executed as follows:<br />
250
univention-repository-merge --dest \<br />
--src <br />
11.5 Repository management<br />
In this, the parameter stipulates the directory in which the packages should be<br />
merged, whilst the parameter is the directory out of which the packages should be<br />
moved. Example:<br />
univention-repository-merge --dest /var/lib/univention-repository/new --src \<br />
/var/lib/univention-repository/mirror/2.2/maintained/2.2-0/ --src \<br />
/var/lib/univention-repository/mirror/2.1/maintained/2.1-0/<br />
When cleaning several update directories, the highest version number should be used first. This speeds<br />
up the merge as only newer versions are moved. Older package versions are simply deleted without the<br />
index file of the target directory needing to be updated, which takes time.<br />
If repository synchronisation is active, the merge of the update directories must be performed on the<br />
master repository. Otherwise the original status will be restored the next time synchronisation runs. When<br />
merges are carried out on the master repository, the changes are adopted by the subordinate repositories.<br />
11.5.5 Repository synchronisation<br />
Operation of several local repository servers can prove practical in certain scenarios. For example, in <strong>UCS</strong><br />
domain with several locations, a repository server can be run at each location. Without repository syn-<br />
chronisation, the administrator must ensure himself that all repositories are up-to-date, i.e., all repositories<br />
must be updated manually by the administrator. This applies for release updates, security updates and<br />
additional packages. Repository synchronisation reduces maintenance down to one repository server.<br />
Alternatively, environments can also do without local repository servers entirely and set up a direct access<br />
to the online repository or synchronisation of the local repository servers can be configured with the online<br />
repository.<br />
One repository server is designated the master repository server in the repository synchronisation. Only<br />
changes such as security and release updates are performed in this repository; packages are added and<br />
removed individually. Other repository servers, so-called slave repository servers, check regularly to see<br />
if changes have been made on the master repository server and adopt them. When synchronisation is<br />
performed with the online repository, this is regarded as the master repository. If additional packages are<br />
required which are not available over the online repository, a locally repository server must be used for this<br />
purpose. All other local repository servers should be synchronised over this repository server.<br />
A slave repository server does not need to access the master directly. Slave repository servers can be used<br />
for the synchronisation of another slave repository server which retrieves changes from a superordinate<br />
repository server.<br />
The tool univention-repository-update is used to import a package from a <strong>UCS</strong> release update<br />
onto the master repository server. This supports two modes:<br />
univention-repository-update cdrom Here the repository is updated with an update DVD.<br />
251
11 Software maintenance<br />
univention-repository-update net Here the repository is synchronised with another spec-<br />
ified repository server. This is defined in the <strong>Univention</strong> Configuration Registry variable<br />
repository/mirror/server.<br />
The possibility also exists of integrating a release update into the repository without directly starting an<br />
update using the univention-repository-update command. This can be done from another repos-<br />
itory with the net option (this can also be the online repository) or from an update DVD with the cdrom<br />
option.<br />
univention-repository-update net<br />
univention-repository-update cdrom --cdrom --iso ucs_update.iso<br />
When setting up repository synchronisation, the assignment to a superordinate server and the time will be<br />
configured by policies.<br />
As described in Section 11.3.1, the repository server policy can be used to specify which repository server<br />
should be used for package installations for each <strong>UCS</strong> system. This policy sets which repository server<br />
should be used as the superordinate repository for the synchronisation on all <strong>UCS</strong> systems with an active<br />
local repository at the same time. For this reason, no repository server is entered for a master repository<br />
server.<br />
The time for the automatic repository replication of the individual slave repository servers can be defined<br />
in the Repository synchronisation policy. The month, weekday, day, hour and minute can be specified.<br />
The synchronisation with the superordinate repository server will be started whenever all of the settings<br />
are met.<br />
Repository synchronisation can also be configured locally on the systems using <strong>Univention</strong> Configura-<br />
tion Registry variables. The <strong>Univention</strong> Configuration Registry variable repository/mirror/server<br />
defines the repository server which will serve as the source for the synchronisation. For example, to syn-<br />
chronise directly with the online repository, the <strong>Univention</strong> Configuration Registry variable must be set to<br />
apt.univention.de. Alternatively, to synchronise with another local repository server, the fully qualified<br />
computer name of the system is given.<br />
univention-config-registry set repository/mirror/server=apt.univention.de<br />
As standard, the repository is only initialised with packages for the architecture of the repository server.<br />
If the <strong>UCS</strong> domain is operated with systems of differing architectures, the architectures can be specified<br />
through the <strong>Univention</strong> Configuration Registry variable repository/mirror/architectures. The<br />
format is to be used in a list separated by blanks.<br />
Which standard repositories are synchronised is defined by the <strong>Univention</strong> Con-<br />
figuration Registry variables repository/online/maintained for the maintained<br />
section, repository/online/unmaintained for the unmaintained section and<br />
repository/online/hotfixes for the hotfixes. As standard, only the variable<br />
repository/online/maintained is set to yes.<br />
If repositories for components are set on the system, these are also synchronised by the specified server.<br />
The <strong>Univention</strong> Configuration Registry variable repository/mirror/version/start is used to de-<br />
termine as of which <strong>Univention</strong> Corporate Server version the repositories should be synchronised. For<br />
252
example, synchronisation as of <strong>UCS</strong> 2.1-0 can be confirmed by:<br />
univention-config-registry set repository/mirror/version/start=2.1-0<br />
11.5 Repository management<br />
All changes which are made during synchronisation on a repository server are documented locally in the<br />
/var/log/univention/repository.log file.<br />
253
11 Software maintenance<br />
254
12 Mail<br />
Contents<br />
12.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255<br />
12.2 Basic mail services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256<br />
12.3 Setting up the mail server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256<br />
12.3.1 SMTP server (Postfix) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256<br />
12.3.2 IMAP/POP3 server (Cyrus) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258<br />
12.3.3 Mail quota . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259<br />
12.3.4 Log files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260<br />
1<strong>2.4</strong> Spam filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260<br />
12.5 Virus filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261<br />
12.6 Configuring mail clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262<br />
12.1 Introduction<br />
12.6.1 Kontact . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262<br />
12.6.2 Outlook Express . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264<br />
The <strong>UCS</strong> mail system provides mail services in two variants.<br />
Basic mail services are installed on all <strong>UCS</strong> server systems and managed and mobile clients (Package<br />
univention-mail-postfix-forward). These deliver local e-mails UNIX typically in the /var/spool/mail<br />
directory. E-mails for other recipients are forwarded to a relay host defined in the LDAP directory, which<br />
proceeds to provide them via POP/IMAP or forward them other servers.<br />
The mail component is available for DC master/backup and slave servers during installation. This installs<br />
expanded mail services, which are made available to all users registered in <strong>UCS</strong> and other <strong>UCS</strong> systems<br />
as a relay host. Services like SMTP, POP and IMAP are preconfigured.<br />
Installation of the mail component is also possible on <strong>UCS</strong> member servers, but this is not recommended.<br />
This component is closely linked to the LDAP directory and should thus only be installed on systems with<br />
a local LDAP server. It can otherwise become quite stretched when there is a lot of e-mail traffic.<br />
In typical installations only one mail server is used; in small networks this role can be adopted by the DC<br />
master. If the mail service is also installed on the DC backup, it will be deactivated initially. Due to the data<br />
quantity no automatic calibration of the mailboxes is performed.<br />
Alongside the <strong>UCS</strong> mail system there are also further groupware systems based on <strong>UCS</strong>, which also offer<br />
integration into the <strong>UCS</strong> management system, for example: Kolab2 for <strong>UCS</strong> [18], Scalix for <strong>UCS</strong> [19],<br />
Zarafa or Open-Xchange.<br />
255
12 Mail<br />
12.2 Basic mail services<br />
The basic configuration allows the sending of e-mails via local programs. The relay host used for non-local<br />
addresses can be entered overall for all clients in <strong>Univention</strong> Directory Manager. The respective listener<br />
module then sets the <strong>Univention</strong> Configuration Registry variable mail/relay and prompts the mail server<br />
(Postfix) to reimport its configuration files.<br />
If this variable is not set or no relay host is entered in the LDAP directory, an attempt will be made to<br />
resolve the responsible mail server via DNS (MX record) for non-local e-mails. If the delivery fails, the<br />
e-mail is returned to the sender.<br />
In addition, mail/alias/= <strong>Univention</strong> Configuration Registry variables maintain<br />
aliases. The preset is:<br />
mail/alias/root=systemmail@.<br />
mail/alias/postmaster=root<br />
For this the user systemmail is set up in the system, so that e-mails which are sent locally to root or<br />
postmaster are stored in the /var/spool/mail/systemmail mailbox.<br />
The variables can be configured to collect e-mails from the <strong>UCS</strong> systems on the relay host, for example.<br />
For this, the following should be entered in the <strong>UCS</strong> system command line:<br />
univention-config-registry set mail/alias/root=administrator@<br />
newaliases<br />
should be replaced with the DNS domain. The e-mails to root are no longer treated as<br />
local e-mails, but rather forwarded to the relay host. As postmaster is an alias for root, this also applies to<br />
the e-mails addressed to him. That is also possible when setting any new alias. The command newaliases<br />
is necessary to publish the changed Postfix settings.<br />
12.3 Setting up the mail server<br />
Selecting the Mail component during installation installs the necessary packages for configuring a com-<br />
plete mail server.<br />
The required functions are provided by the installed packages Postfix (sends e-mails via SMTP) and Cyrus<br />
(provides e-mail access via POP and IMAP).<br />
During the installation the server is automatically entered in the LDAP directory on the domain object as<br />
the relay host.<br />
If mail services are not set up in the scope of the initial installation, this set-up can be effected subsequently<br />
by installing the univention-mail-postfix and univention-mail-cyrus packages.<br />
12.3.1 SMTP server (Postfix)<br />
The configurations preset by the univention-mail-postfix package use Postfix to offer all users registered<br />
in the domain with a SMTP service.<br />
256
12.3 Setting up the mail server<br />
To assign a user an e-mail address, his primary e-mail address must be entered in Primary e-mail ad-<br />
dress of the the Mail tab of a user object in <strong>Univention</strong> Directory Manager. This is used for authentication<br />
on the mail server. Additionally any number of further addresses under which the user should be reachable<br />
can be entered in the Alternative e-mail addresses field. The e-mails sent to the entered user addresses<br />
are all delivered to the same inbox. If two users have the same alternative e-mail address, they both<br />
receive all the e-mails which are sent to this address. Primary e-mail addresses on the other hand must<br />
always be unique.<br />
Postfix differentiates between the delivery of e-mails between local and external domains. Delivery to<br />
mailboxes defined in the LDAP directory is only conducted for e-mail address from local domains. The<br />
DNS domain of the mail server is preset for this. If e-mail addresses should be assigned to local mailboxes<br />
which are not from the server’s domain, a list of the domains to be used can be defined using the <strong>Univention</strong><br />
Configuration Registry variable mail/hosteddomains. Example:<br />
univention-config-registry set mail/hosteddomains="mydomain.com \<br />
myotherdomain.com subdomain.mydomain.com"<br />
In this it must be noted that the otherwise preset domains of the server must be a component of this list to<br />
process e-mails from the local domain. Then the command<br />
postmap /etc/postfix/transport<br />
must be executed to adopt the changes via Postfix.<br />
For incoming e-mails Postfix performs a validity test in the form of a search of the LDAP directory for<br />
domains from the thus defined field of responsibility. That means that e-mails are only accepted for e-mail<br />
addresses defined in the LDAP directory or via an alias.<br />
Following the optional filtering for spam and viruses, the received e-mails are forwarded to the local<br />
POP/IMAP server Cyrus.<br />
E-Mails to foreign domains are sent directly to the responsible server as standard, which is resolved<br />
via MX records. If the output should be taken over by a relay host, e.g., the Internet provider, the fully<br />
qualified domain name of the relay host must be entered in the <strong>Univention</strong> Configuration Registry variable<br />
mail/relayhost.<br />
If authentication is necessary on the relay host for sending, the <strong>Univention</strong> Configuration Registry variable<br />
mail/relayauth must be set to yes and the /etc/postfix/smtp_auth file edited. The relay host,<br />
user name and password must be saved in this file in one line.<br />
:<br />
The following command must then be executed for this file to adopt the changes via Postfix.<br />
postmap /etc/postfix/smtp_auth<br />
The <strong>Univention</strong> Configuration Registry variable mail/messagesizelimit can be used to set the maxi-<br />
mum size in bytes for incoming and outgoing e-mails. The preset maximum size is 10240000 bytes. If the<br />
value is configured to 0 the limit is effectively removed.<br />
After modifying configuration settings Postfix must be restarted to ensure correct functioning in accordance<br />
with the settings. This is done with:<br />
257
12 Mail<br />
/etc/init.d/postfix restart<br />
If the <strong>Univention</strong> Configuration Registry variable mail/archivefolder is set to an e-mail address, Post-<br />
fix sends a blind carbon copy of all incoming and outgoing e-mails to this address. This results in an<br />
archiving of all e-mails. As standard the variable is not set. If there is no mailbox for this address, one will<br />
be created automatically.<br />
The <strong>Univention</strong> Configuration Registry variable mail/postfix/dnslookups (yes/no) is used to config-<br />
ure the DNS resolution of hostnames for the delivery via SMTP and LMTP. If the variable is set to no the<br />
resolution occurs over the standard system routine, which typically also enters entries in the /etc/hosts<br />
file.<br />
In a number of error situations (e.g., for non-existent users) the result may lead to a mail bounce, i.e.,<br />
the mail cannot be delivered and is returned to the sender. When the <strong>Univention</strong> Configuration Registry<br />
variable mail/postfix/softbounce is set to yes mails are never returned after a bounce, but instead<br />
are held in the queue. This setting is particularly useful during configuration work on the mail server.<br />
Mail routing is usually effected via MX records saved in DNS. In special cases - for example, the operation<br />
of a tunnel between two servers which cannot be resolved via DNS - it may be necessary to configure a<br />
manual transport route. Thus can be added to the file /etc/postfix/transport using the <strong>Univention</strong><br />
Configuration Registry variable mail/maps/transport/IDENTIFIER. An example:<br />
mail/maps/transport/1="somedomain.org smtp:[mail.somedomain.com]"<br />
Sometimes it is necessary to rewrite e-mail addresses, for example when new e-mail addresses are<br />
added during a restructuring operation. This can be effected using canonical mappings. The Univen-<br />
tion Configuration Registry variable mail/maps/canonical/sender/enable can be used to rewrite<br />
on the server side either using the file /etc/postfix/canonical_sender (file) or via access to the<br />
LDAP (ldap). The settings for reformulating recipient addresses are performed over <strong>Univention</strong> Configu-<br />
ration Registry variable mail/maps/canonical/recipient/enable. If it is configured to file, the file<br />
/etc/postfix/canonical_recipient is read out; access to the LDAP (ldap) is also possible here.<br />
<strong>Univention</strong> Configuration Registry variable mail/maps/canonical/sender/classes can be config-<br />
ured to specify which address information should be converted. The options available for selection are<br />
envelope_sender and/or header_sender.<br />
If the package univention-mail-cyrus is installed, SMTP authentication is available as standard.<br />
If univention-mail-postfix is intended to be operated independently, the configuration for the au-<br />
thentication service saslauthd must be adjusted manually and the following entry entered in the<br />
/etc/default/saslauthd file:<br />
START=yes<br />
Postfix then uses the saslauthd for the authentication.<br />
12.3.2 IMAP/POP3 server (Cyrus)<br />
Cyrus offers IMAP and POP services preconfigured using the univention-mail-cyrus package. The au-<br />
thentication is performed using the primary e-mail address. That means that the e-mail address should be<br />
258
12.3 Setting up the mail server<br />
entered as the user name in mail clients for POP or IMAP access. Configuration examples for Kontact and<br />
Outlook can be found at the end of this Chapter.<br />
The services can be deactivated separately with <strong>Univention</strong> Configuration Registry. If no access should be<br />
available via POP, <strong>Univention</strong> Configuration Registry variable mail/cyrus/pop must be set to no. The<br />
same applies to IMAP and <strong>Univention</strong> Configuration Registry variable mail/cyrus/imap.<br />
As soon as a user in the LDAP directory is assigned a primary e-mail address, a listener module<br />
creates a mailbox on the Cyrus server under /var/spool/cyrus/mail/domain in the subdirectory<br />
//
12 Mail<br />
12.3.4 Log files<br />
As standard, Postfix, Cyrus and where used spam and virus scanners write information pertaining to<br />
each e-mail in the log files saved in /var/log/mail.. It is advisable to limit these out-<br />
puts on servers with high e-mail traffic. This is done by adapting the configuration of Syslog in the file<br />
/etc/syslog.conf.<br />
The following lines are found in the file:<br />
mail.info -/var/log/mail.info<br />
mail.warn -/var/log/mail.warn<br />
mail.err /var/log/mail.err<br />
For example, messages from the info category containing several notes on each successfully processed<br />
e-mail can be re-routed to /dev/null and thus the space used on the hard drive and system loads<br />
reduced. For this, the line with mail.info is replaced with:<br />
mail.info /dev/null<br />
The changes must then be made known to the Syslog service:<br />
/etc/init.d/sysklogd reload<br />
Attention: It is not recommended to direct all of the mail server’s messages to /dev/null. If this is the<br />
case, there is no way to receive an overview of the e-mails already affected in the case of an error.<br />
1<strong>2.4</strong> Spam filters<br />
The term “spam” refers to all e-mails which the recipient neither requested nor appreciated. They demand<br />
recipients’ work time and abuse their trust in the medium of e-mail.<br />
In the standard configuration the univention-spamassassin is installed on a <strong>UCS</strong> mail server. The pack-<br />
age can, however, be deactivated during installation in the advanced selection possibilities.<br />
Spamassassin is a program which attempts to identify whether an e-mail is desirable or not based on<br />
its origin, form and content. It operates a scoring system, which uses an increasing number of points to<br />
express a high probability of the e-mail being spam. Points are awarded according to different criteria, for<br />
example, keywords within the e-mail or a lacking layout. There is also the possibility of evaluating e-mails<br />
with a bayesian classificator. It compares an incoming e-mail with statistical data already gathered from<br />
previously processed e-mails and uses this to adapt it’s evaluation to e-mail tendencies.<br />
When modifying <strong>Univention</strong> Configuration Registry variables concerning spam detection, the Amavis ser-<br />
vice und Postfix must be restarted subsequently.<br />
The installed package includes a filtering of all e-mails received via SMTP using a preconfigured Spamas-<br />
sassin. In the standard configuration only mails with a size of up to 300 kilobytes are scanned, this can be<br />
adjusted using the <strong>Univention</strong> Configuration Registry variable mail/antispam/bodysizelimit.<br />
E-mails which are classified as spam because they exceed a certain number of points are not deliv-<br />
ered in the recipient’s inbox by Cyrus, but rather in the spam folder below it. This standard procedure<br />
260
12.5 Virus filters<br />
can be changed in the <strong>Univention</strong> Directory Manager user management on the Mail tab of a user ob-<br />
ject via Use global spam folder. If the attribute is set, all e-mails identified as spam are sent to the<br />
spam@ address and can be checked in the appropriate IMAP directory, but are no longer<br />
available for the original recipient to access. The e-mail address for the global spam recipient can be<br />
configured in the <strong>Univention</strong> Configuration Registry variable mail/antispam/globalfolder.<br />
The scoring threshold at which the e-mails are declared to be spam can also be configured. To do this,<br />
<strong>Univention</strong> Configuration Registry variable mail/antispam/requiredhits must be set to a number:<br />
the preset is 5. This value is practical for processing with an active Bayes classifier, which generally leads<br />
to higher point numbers. Depending on experience in your personal environment, this value can also be<br />
set lower. This will, however, result in more e-mails being incorrectly designated as spam.<br />
The Bayes classifier will only become active when a sufficient number of undesirable (spam) and desirable<br />
(ham) e-mails are converted into a learning algorithm. To allow the users to pass on their spam and falsely<br />
classified e-mails to the learning algorithm, the Spam and Ham folders are created for each user when<br />
setting up his inbox. These must be created manually for the user accounts created with a <strong>UCS</strong> version<br />
lower than 2.3.<br />
If the <strong>Univention</strong> Configuration Registry variable mail/antispam/learndaily on the server is set to<br />
yes, the Cyrus service searches the Spam and Ham folders of all users and the global spam recipient<br />
daily for unknown e-mails. If data are found which have not yet been collected or were previously classified<br />
incorrectly, these are used to update a shared database of collected, statistical data. This function is<br />
deactivated as default.<br />
Alternatively, the learning process can be executed manually using the program sa-learn. If e-mails are<br />
in a file in Mbox format, as is often used or exported by mail programs, the e-mails contained therein can<br />
be classified as spam using the following command:<br />
sa-learn --spam --mbox <br />
or as ham, i.e., desirable e-mails, using<br />
sa-learn --ham --mbox <br />
For the classification of e-mails it is advisable to provide the same quantity of desirable and undesirable<br />
e-mails as is processed via the server. If no manual learning is performed, Spamassassin learns automat-<br />
ically during the filtering procedure. That means that Spamassassin learns incorrectly classified e-mails<br />
incorrectly.<br />
The spam filtering can be deactivated by setting <strong>Univention</strong> Configuration Registry variable<br />
mail/antivir/spam to no or reactivated by setting it to yes.<br />
Postfix must be subsequently restarted. (See Chapter 12.3.1) When set to no every incoming e-mail is<br />
sent to respective user without being checked first.<br />
12.5 Virus filters<br />
The package univention-antivir-mail sets up the program Amavisd-new as an interface between Postfix<br />
and different virus scanners. The free virus scanner ClamAV is included in the package and enters op-<br />
eration immediately after installation. Other virus scanners can be mounted alternatively or additionally<br />
261
12 Mail<br />
by entering them in the <strong>Univention</strong> Configuration Registry variable mail/antivir/scanner. Kaspersky<br />
and Sweep (Sophos) are currently tested. The configuration for numerous other scanners is prepared<br />
untested, the settings can be requested from <strong>UCS</strong> support.<br />
Following installation, the virus scanner ClamAV is active as standard. If another virus scanner<br />
is to be used in addition to or instead of ClamAV, the <strong>Univention</strong> Configuration Registry variable<br />
mail/antivir/scanner must be set accordingly. If several virus scanners are given they are sepa-<br />
rated by blank spaces. Example:<br />
univention-config-registry set mail/antivir/scanner="clamav sweep"<br />
The <strong>Univention</strong> Configuration Registry variable mail/antivir is used to activate virus scanners with<br />
(yes) or deactivate them with (no). Changes to mail/antivir/scanner and mail/antivir will only take effect<br />
the next time Postfix and Amavis are restarted.<br />
All incoming and outgoing e-mails are scanned for viruses. If the scanner recognises a virus, the e-mail is<br />
sent to quarantine. That means that the e-mail is stored on the server where it is not accessible to the user.<br />
The original recipient receives a message per e-mail stating that this measure has been taken. If neces-<br />
sary, the administrator can restore or delete this from the /var/lib/amavis/virusmails directory.<br />
Automatic deletion is not performed.<br />
12.6 Configuring mail clients<br />
The following uses Kontact and Outlook Express as examples for which settings are necessary to use the<br />
<strong>UCS</strong> mail server. Note that the Cyrus inbox server expects the user name to be the primary e-mail address<br />
in lowercase.<br />
Detailed instructions on the configuration possibilities can be taken from the separate documentation avail-<br />
able on the <strong>Univention</strong> groupware server at http://www.univention.de/download_doku.html.<br />
12.6.1 Kontact<br />
Kontact 1.<strong>2.4</strong> (enterprise 20071102-731871) was used for the documentation.<br />
When Kontact is started the component E-Mail should be selected in the left margin. The configuration<br />
dialogue for the mail component of Kontact is executed via Settings ➞Configure KMail.<br />
For this, the following listed settings should be performed as described and any other settings performed<br />
as necessary.<br />
262<br />
• A standard identity is already set up under Identities. This can be edited by selecting [Modify]. The<br />
user’s primary e-mail address configured on the Mail tab in <strong>Univention</strong> Directory Manager must be<br />
entered in the Email address field.<br />
• A new outbox must be set up under Accounts on the Sending tab. After selecting [Modify] the<br />
mailing type SMTP must be selected. In the following dialogue window all relevant settings for the<br />
mail server must be performed.
Field Value to be entered<br />
12.6 Configuring mail clients<br />
Name This name signifies the name of the new outbox and be chosen<br />
freely. It is best to choose a short name which makes it easy<br />
to see that the mails are sent over the <strong>UCS</strong> mail server (e.g.,<br />
"ucs-mail").<br />
Host The name of the <strong>UCS</strong> mail server on the network. This can<br />
either only be given with the host name, the FQDN or the IP<br />
address of the mail server.<br />
Port 25 should be entered here.<br />
Server requires authentication This field must be activated.<br />
Login The primary e-mail address should be entered here as when<br />
editing the user’s identity<br />
Password The user’s password.<br />
Store SMTP password If this field is activated, the user password is saved in an acces-<br />
sible file, which means the user does not need to reenter his<br />
password every time he sends an e-mail. Saving a password in<br />
a file may present a security risk.<br />
Table 12.1: Configuration options for the new outbox<br />
• The [Check What the server supports] point should then be selected on the Security tab and the<br />
determined value adopted. A note may be displayed here that authentication of the server certificate<br />
has failed. After checking the certificate via [Details], [Continue] and then in the next dialogue<br />
[Permanently] can be selected to make the <strong>UCS</strong> mail server trust the certificate permanently.<br />
Clicking [OK] completes the set-up of the new outbox. An inbox must also be created to retrieve e-mails<br />
from the <strong>UCS</strong> mail server.<br />
• The [Add] button must be selected on the Receiving tab.<br />
• The type of new mailbox must the be selected. The concrete selection is then dependent on the<br />
personal requirements; IMAP is normally selected here.<br />
• In the following dialogue window all relevant settings for mail receipt are performed.<br />
Field Value to be entered<br />
Name This name signifies the name of the new inbox and be chosen<br />
freely. It is best to choose a short name which makes it clearly<br />
visible that the mails are retrieved from the <strong>UCS</strong> mail server<br />
(e.g., "ucs-mail").<br />
Login The primary e-mail address should be entered here as when<br />
editing the user’s identity.<br />
Password The user’s password.<br />
Host The name of the <strong>UCS</strong> mail server on the network. This can<br />
either only be given with the host name, the FQDN or the IP<br />
address of the mail server.<br />
263
12 Mail<br />
Port IMAP 143 should be specified here.<br />
Store IMAP password The same notes for saving passwords apply here as to when<br />
setting up an outbox.<br />
Table 12.2: Configuration options for the new inbox<br />
• The advanced options are dependent on the type of the new mailbox. For a IMAP, DIMAP or POP3<br />
account [Check What the server supports] should be selected again on the Security tab and the<br />
determined value adopted.<br />
• Clicking [OK] completes the set-up of the new inbox account.<br />
The Settings ➞Configure KMail set-up dialogue is set up using the [OK] button. E-mails can now be<br />
retrieved from the mail server using the symbol showing an envelope and a green and white arrow.<br />
12.6.2 Outlook Express<br />
Outlook Express 6 in Windows XP Professional Service Pack 2 was used for this documentation.<br />
To create a new e-mail account, the assistant for Internet access must be started. This opens automatically<br />
when Outlook Express is started as long as no e-mail account has been set up in Outlook Express yet.<br />
It can otherwise be opened via Extras ➞Accounts ➞E-Mail tab ➞Add ➞E-Mail. For this, the following<br />
listed settings should be performed as described and any other settings performed as necessary.<br />
The primary e-mail address as entered for this user on the Mail tab in <strong>Univention</strong> Directory Manager must<br />
also be entered here in the Email address input field.<br />
POP3 or IMAP must be selected in the selection list in the phrase The server for incoming mail is a ...<br />
server. The FQDN of the <strong>UCS</strong> mail server responsible for the receipt of e-mails must be entered in the<br />
inbox server (POP3, IMAP or HTTP).<br />
The fully qualified domain name of the <strong>UCS</strong> mail server set up to send e-mails must be entered in the<br />
Server for outgoing mail (SMTP) input field.<br />
The e-mail address given as the primary e-mail address for this user on the Mail tab in <strong>Univention</strong> Directory<br />
Manager should be entered in lowercase in the Account name input field. The password entered for the<br />
user on the General tab in <strong>Univention</strong> Directory Manager should be entered in the Password input field.<br />
The checkbox Login through secure password authentication (SPA) should not be selected.<br />
If an existing e-mail account is to be reconfigured for the use of the <strong>UCS</strong> mail server, Extras > Accounts<br />
must be run in Outlook Express. The account should be selected on the E-mail tab and Properties clicked.<br />
The inbox server (IMAP or POP3), outbox server (STMP), account name and password input field must<br />
be filled in on the following Server tab as described above. Changing from IMAP to POP3 or vice versa<br />
requires the creation of a new e-mail account.<br />
264
13 Print services<br />
Contents<br />
13.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265<br />
13.2 Installing print servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266<br />
13.2.1 Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266<br />
13.2.2 Server systems as print servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266<br />
13.2.3 Windows systems as print servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267<br />
13.<strong>2.4</strong> Thin clients as print servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267<br />
13.2.5 Managed/mobile clients as print servers . . . . . . . . . . . . . . . . . . . . . . . . . 267<br />
13.2.6 Policy-based assignment of a print server . . . . . . . . . . . . . . . . . . . . . . . . 268<br />
13.3 Configuring printer shares . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268<br />
13.3.1 Configuring a locally connected printer . . . . . . . . . . . . . . . . . . . . . . . . . . 268<br />
13.3.2 Setting up network printers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269<br />
13.3.3 Setting up PDF printers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269<br />
13.3.4 Setting up printer groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269<br />
13.4 Adding printer shares in Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270<br />
13.5 Print quota . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271<br />
13.5.1 Activating the print quotas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272<br />
13.5.2 Creating a print quota policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272<br />
13.5.3 Analysing the print quotas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273<br />
13.5.4 Modifying the print quotas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274<br />
13.6 <strong>Univention</strong> Configuration Registry variables . . . . . . . . . . . . . . . . . . . . . . . . . . . 276<br />
13.1 Introduction<br />
13.6.1 Settings for print clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276<br />
13.6.2 Settings for the authentication on printer shares . . . . . . . . . . . . . . . . . . . . . 276<br />
13.6.3 Settings for printer shares . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276<br />
13.6.4 Settings for print quotas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276<br />
<strong>Univention</strong> Corporate Server includes a print system, which can also be used to realise complex en-<br />
vironments. Printers and printer groups can be created and configured conveniently in ucsUDM (see<br />
Section 4.5.7). Extensions for cost calculation and page limitation can be installed subsequently using the<br />
print quota system.<br />
The print services are based on CUPS (Common Unix Printing System). CUPS manages print jobs in<br />
queues and where needed converts them to file formats that the respective printer can read. A wide range<br />
of filters are provided in the foomatic-filters package so that many printers can be employed without the<br />
need to install additional drivers.<br />
265
13 Print services<br />
Not all print jobs are converted by CUPS. Print jobs in formats which are not recognised by CUPS or<br />
which can be read directly by the printer are forwarded on to the printer as (raw) files. This feature<br />
enables printing over a CUPS print server with Windows printer drivers.<br />
The connection to the printer is defined using the printer URI. For example, a printer on a local parallel<br />
port receives the printer URI parallel:/dev/lp0, which is composed of the protocol parallel: and<br />
the target /dev/lp0. Further documentation on URI formats can be found in the Section 4.5.7.<br />
The packages in the overview:<br />
• cupsys contains the CUPS print server.<br />
• foomatic-filters, foomatic-db, foomatic-filters-ppds provide a wide range of different printer<br />
drivers and filters.<br />
• univention-printclient composes the configuration for print clients in <strong>UCS</strong>.<br />
• univention-printserver depends on the cupsys and foomatic packages and composes the con-<br />
figuration for print servers in <strong>UCS</strong>.<br />
• univention-winprinters allows the import of Windows printer shares in <strong>UCS</strong>.<br />
• pykota provides a quota system for printer services.<br />
• univention-printquota integrates quota support for print services in <strong>UCS</strong>.<br />
• univention-printquotadb saves the information about print quotas in a database.<br />
• univention-printserver-pdf integrates the cups-pdf package in <strong>Univention</strong> Corporate Server,<br />
which is used in the creation of PDFs on the server.<br />
13.2 Installing print servers<br />
All system roles can be used as print servers and/or spool hosts in <strong>UCS</strong>. Initially in <strong>Univention</strong> Directory<br />
Manager, however, only server systems are available for selection (master, backup, slave and member<br />
servers). The command line can also be used to employ managed and mobile clients as print servers.<br />
Further information can be found in the <strong>Univention</strong> Directory Manager command line description [6].<br />
13.2.1 Requirements<br />
The univention-printserver package must be installed to operate a print server. This pack-<br />
age installs and configures the required components. During the system installation the Print<br />
server component can also be selected. Post-installation it is possible to perform the set-up using<br />
univention-system-setup-software or installing the univention-printserver package via Univen-<br />
tion Management Console (see Section 5.3.11).<br />
13.2.2 Server systems as print servers<br />
There is a possibility for <strong>UCS</strong> server systems to store and configure printers and printer groups in Univen-<br />
tion Directory Manager. The printers stored there are then available to the network for Linux and Windows<br />
clients as printer shares.<br />
266
13.2.3 Windows systems as print servers<br />
13.2 Installing print servers<br />
Printer shares on Windows systems can also be mounted. This share can be set up on the print server in<br />
<strong>Univention</strong> Directory Manager.<br />
For example, to integrate the laser01 printer share from Windows system win01 via <strong>Univention</strong> Directory<br />
Manager, a printer share must be created with the protocol smb:// and the target win01/laser01. The<br />
manufacturer and model must be selected according to the unit in question.<br />
The print server uses the printer model settings to convert the print jobs where necessary and send these<br />
directly to the URI smb://win01/laser01. No Windows drivers are used in this.<br />
Independant of these settings, the printer share can be mounted by other Windows systems with the<br />
corresponding printer drivers.<br />
13.<strong>2.4</strong> Thin clients as print servers<br />
As standard, a print server is operated on a thin client, which is preconfigured for the connection of printers<br />
via parallel or USB ports. This print server forwards print jobs to the respective port without performing<br />
any conversions.<br />
The thin client accepts print jobs from its own subnet and the desktop server on which the thin client<br />
session was started. Where necessary these print jobs must be converted to a format which the printer<br />
can read on the print server in advance as thin clients cannot perform filtering.<br />
To operate a printer on the parallel port of the thin client thin01, the printer share must be created on, for<br />
example, the responsible desktop server and assigned to the following printer URI:<br />
ipp://thin01.firma.com/printers/lp0<br />
For operation via a USB port it must be:<br />
ipp://thin01.firma.com/printers/usb0<br />
13.2.5 Managed/mobile clients as print servers<br />
To use a workstation as a print server, the univention-printserver package must firstly be installed.<br />
Clients cannot be selected as servers in the <strong>Univention</strong> Directory Manager printer management. However,<br />
printer shares can also be set to clients in the command line using univention-directory-manager.<br />
For example, the following command can be entered to add the laser01.domain.net printer as a printer<br />
share on the client01.domain.net client.<br />
univention-directory-manager shares/printer create --set name=laser01 \<br />
--set spoolHost=client01.domain.net \<br />
--set uri=parallel:/dev/lp0 --set model=None \<br />
--position cn=printers,dc=domain,dc=net<br />
The printer share created can now be configured further in <strong>Univention</strong> Directory Manager.<br />
267
13 Print services<br />
13.2.6 Policy-based assignment of a print server<br />
The Print server policy can be used to assign certain printer servers to the different server and client<br />
systems explicitly. The installation of the univention-printclient package on the respective system is a<br />
requirement for this.<br />
For general information on policies, please see Section 4.5.11.<br />
These settings configured through the policy are activated following the first policy evaluation (once an<br />
hour by default).<br />
As a result of the policy evaluation the configured print server is written in the <strong>Univention</strong> Configuration<br />
Registry variable cups/server on the client.<br />
13.3 Configuring printer shares<br />
New printer shares can be easily set up using <strong>Univention</strong> Directory Manager. The <strong>Univention</strong> Directory<br />
Manager module for printer management is described in detail in Section 4.5.7.<br />
As the type of printer share can vary considerably, the following examples should serve to illustrate some<br />
possibilities.<br />
13.3.1 Configuring a locally connected printer<br />
A HP laserjet 2100 is connected to the parallel port of the member01.domain.net member server and<br />
should be shared as laser01 in the domain domain.<br />
A new Printer object must be created in <strong>Univention</strong> Directory Manager under Printer ➞ Add. laser01<br />
should be entered as the name and the corresponding server added to the server list. The protocol<br />
parallel:/ and target dev/lp0 are combined to give the printer URI (parallel:/dev/lp0). Once<br />
the manufacturer HP and corresponding printer model Laserjet 2100 have been selected, the entry must<br />
be confirmed with [OK]. The printer is then shared in the domain as laser01.<br />
The stored printer laser01 should also be set as a printer share for the member02.domain.net member<br />
server. It should be known here as laser02.<br />
The printer is connected locally to member01. member02 forwards its print jobs to member01, which<br />
converts them for laser01 and prints them on laser01.<br />
The following steps set up the example:<br />
A new Printer object with the name laser02 must be set up in <strong>Univention</strong> Directory Manager. mem-<br />
ber02.domain.net should be selected as the server. The printer URI in this case is composed of the<br />
protocol http:// and the target member01.domain.net:631/printers/laser01. misc is selected<br />
as the manufacturer and None as the model, which means that no filters are installed for the printer and<br />
the print jobs are forwarded without conversion. After confirming the entry with [OK], the printer is now<br />
shared as laser01 on member01 and as laser02 on member02.<br />
The printer should now be connected to a Windows system in another room. The Windows system is<br />
known in the domain as win06 and shares the printer in the domain as laser03.<br />
268
13.3 Configuring printer shares<br />
Once laser01 changes the printer URI from parallel:/dev/lp0 to smb://win06/laser03, the<br />
printer is still available as laser01 on member01 and as laser02 on member02. In addition, Windows<br />
systems with the correct drivers can also use the laser03 share on win06.<br />
13.3.2 Setting up network printers<br />
To integrate network-capable printers as shared printers, these must firstly be added to the domain as IP<br />
managed clients. This is necessary to avoid IP conflicts and to make use of the DHCP/DNS services.<br />
To configure the network printer as a printer share, a new Printer object must be created in <strong>Univention</strong><br />
Directory Manager giving the name and server of the share. In addition, the protocol used by the net-<br />
work printer (e.g., ipp:// or lpd://), the target (the name of the IP managed client) and, as required,<br />
expansions specific to the unit must also be configured.<br />
As an example, the later01 network printer, which supports the lpd protocol and accepts LPT jobs ac-<br />
cording to the manufacturer’s handbook, is to be shared. The complete printer URI is composed of the<br />
protocol, the name of the managed client and the expansion specific to the lpd://laser01/LPT unit.<br />
13.3.3 Setting up PDF printers<br />
Installing the univention-printserver-pdf package expands the print server with a special cups-pdf<br />
printer type, which converts incoming print jobs into PDF documents and add them in a specified directory<br />
on the printer server where they are readable for the respective user.<br />
The cups-pdf:/ protocol must be selected when storing a PDF printer in <strong>Univention</strong> Directory Manager; the<br />
target field remains empty. The target directory is set using the <strong>Univention</strong> Configuration Registry variable<br />
cups/cups-pdf/directory. As standard it is set to /var/cache/cups-pdf/%U so that cups-pdf<br />
uses a different directory for each user. Print jobs coming in anonymously are printed in the directory spec-<br />
ified by the <strong>Univention</strong> Configuration Registry variable cups/cups-pdf/anonymous (standard setting:<br />
/var/cache/cups-pdf).<br />
13.3.4 Setting up printer groups<br />
CUPS offers the possibility to group printers into Classes. These are implemented in <strong>UCS</strong> as printer<br />
groups. Printer groups are provided in the working environment like printers. The aim of such a printer<br />
group is to create a higher availability of printer services. If the printer group is used to print, the job is sent<br />
to the first printer in the printer group to become available. The printers are selected based on the round<br />
robin principle so that the degree of utilisation is kept uniform.<br />
A printer group must have at least one printer as a member. Only printers from the same server can be<br />
members of the group.<br />
The following examples emphasise the possibilities when creating printer groups:<br />
• Four identical printers are connected to the server member01. These are referred to as laser01,<br />
laser02, laser03 and laser04 and set up as printer shares. These printers are to be grouped under<br />
the laserprinters printer group.<br />
269
13 Print services<br />
To do this, select the Printer group type under the menu item Printer ➞ Add in <strong>Univention</strong> Di-<br />
rectory Manager and confirm with [Next]. laserprinters is given as the name and the appropriate<br />
server name added to the server list. The printers known for this printer server are now listed in the<br />
Group members selection field. The printers can now be added to the printer group individually;<br />
the selected members are listed in the field below. When the details are confirmed with [OK], the<br />
laserprinters printer group is made available to the domain as a printer share.<br />
• The printer shares laser01 on member01 and ink02 on member02 are to be grouped into the<br />
Attention:<br />
colorprinters printer group on the member server member03. This can only be done in one way<br />
as - as mentioned above - only printers from the same serve can be grouped in printer groups.<br />
A printer share with the name laser01v2 and the printer URI<br />
http://member01.domain.net:631/printers/laser01 and a further printer share with the<br />
name ink01v2 and the printer URI http://member02.domain.net:631/printers/ink02<br />
should be created on member03. Both printer shares are set up using the misc manufacturer and<br />
None model. A new printer group can now be added as in the example above and laser01v2 and<br />
ink02v2 selected as group members.<br />
The possibility described in the last example of grouping printers shares from different printer servers in a<br />
printer group makes it possible to select printer groups as members of a printer group. This could result in<br />
a printer group adopting itself as a group member. This must not be allowed to happen.<br />
13.4 Adding printer shares in Windows<br />
The printer shares set up in <strong>Univention</strong> Directory Manager can be added to Windows systems as network<br />
printers. The network printer must simply be set up on the Windows side with a standard Postscript printer<br />
driver. If a colour printer should be accessed, a driver for a Postscript-compatible colour printer should be<br />
used on the Windows side, e.g., HP Color Laserjet 8550. Printer shares can also be operated using the<br />
Windows printer drivers provided. If printer quotas are in place, it must be checked in advance whether<br />
the data format of the driver is supported (see also Section 13.5).<br />
Attention:<br />
The printer can only be accessed by a regular user when he has local permissions for driver installation or<br />
the respective printer drivers were stored on the printer server. If this is not the case, Windows may issue<br />
an error warning that the permissions are insufficient to establish a connection to the printer.<br />
The following steps make it possible to install a new printer driver on the printer server:<br />
270<br />
1. When logged on to Windows as Administrator you can open the printer server and the printer<br />
directory it contains.<br />
2. Right clicking in a free area of the window opens the context menu where you can open the Server<br />
properties dialogue. Clicking on Add on the Drivers tab allows you to select a printer driver for the<br />
system architecture required and load this onto the server all via menus.<br />
3. A right click on the printer will now run the Eigenschaften dialogue. The Properties tab contains a<br />
selction field for the drivers already installed. Clicking on [OK] assigns the driver to the printer and<br />
means that even users without privileges can access the printer without the need to install a driver.
13.5 Print quota<br />
13.5 Print quota<br />
The univention-printquota package allows print quotas to be set for printer groups and printers. The<br />
quota policies can be defined for certain users and user groups either per each user or per user group.<br />
The print quota system switches automatically between CUPS and the respective printer. In doing so<br />
it checks the user’s permissions and print limits. In addition the costs are calculated for each print job<br />
and documented in a print job history. Different reports can be created from this collected data using the<br />
appropriate programs.<br />
When operating a printer with a quota, the print job history in the CUPS web interface loses its validity. To<br />
ensure that CUPS operates correctly, it always receives a report that the print was successful.<br />
A page counter is updated for each user after every print. When a user excesses his soft limit, he receives<br />
an e-mail - in so far as <strong>Univention</strong> Configuration Registry is configured in this way (see Section 13.6.4) -<br />
which informs him that he is nearing his hard limit. If the user’s page counter reaches the hard limit, the<br />
print job which exceeds the limit will not be finished. An e-mail informs the user that he can no longer print<br />
on the printer in question. This e-mail is sent to the user’s primary e-mail address.<br />
Attention:<br />
The possibility to set quotas for users and user groups on printers and printer groups can result in confusing<br />
quota policies. Printer quotas should thus be planned thoroughly in order to avoid later overlaps in the<br />
policies.<br />
The print quota system determines the size of the print job during printing. This is done by analysing the<br />
data sent to the printer after conversion by CUPS. If the data format is not recognised or the quote limits<br />
are exceeded the print job is interrupted. The following data formats are analysed correctly:<br />
• PostScript<br />
• PDF<br />
• PCL1, PCL2, PCL3, PCL4, PCL5<br />
• PCLXL ( PCL6 )<br />
• ESC/P2<br />
The print quota system saves all data in a database. For this it uses a PostgreSQL database, which is<br />
installed with the univention-printquotadb package.<br />
Now when a user prints, the quota set for the user for the printer used is requested firstly. It is then checked<br />
whether the print job exceeds the quota and if necessary the print job cancelled and the user informed by<br />
e-mail.<br />
If a user does not have a quota for a printer in the database, the print quota policies set in <strong>Univention</strong><br />
Directory Manager are requested. When there are entries here for the user, these are entered in the<br />
database and the print job carried out as along as it does not exceed the quota. When the user has no<br />
policy, the print job is cancelled.<br />
271
13 Print services<br />
13.5.1 Activating the print quotas<br />
Activating the print quotas provokes an internal change to the printer URI. If a quote is activated for a<br />
printer on a print server without univention-printquota, the printer will be deactivated with the first print<br />
job.<br />
To activate the print quota for a printer, the respective printer or printer group must be selected in <strong>Univention</strong><br />
Directory Manager using the printer menu item and the Activate quota entry selected on the General<br />
tab. An existing policy can now be selected in the Configuration selection field or a new policy created<br />
for the current printer share on the [Print quota] policy tab.<br />
Attention:<br />
The quota system cannot be used for printer shares which print in a file (file:/) or via a parallel port<br />
(parallel:/). This can otherwise lead to the printer being deactivated.<br />
13.5.2 Creating a print quota policy<br />
A Print quota policy object can be added in the <strong>Univention</strong> Directory Manager policy wizard to create print<br />
quota policies.<br />
The policy must be set in the input mask which opens and then individual ucsMenuEntryPrint quota for<br />
users, Print quota for groups or Print quota for groups per user added with the appropriate page limits<br />
(see also Section 4.5.11). Soft-Limit can be used to define a page limit where the user is informed when<br />
he exceeds the limit. Hard-Limit can be used to set the limit of the page contingent for the user. The<br />
quota system interprets the values set minus 1. I.e., if the user has a Hard-Limit of 100, a maximum of 99<br />
pages can be printed. This gives the following special values:<br />
0 - No limit<br />
1 - No page contingent<br />
The following examples should emphasise the possibilities available with print quota policies:<br />
272<br />
• To set each user from the Domain Users group a soft limit of 200 pages and a hard limit of 250 pages<br />
for the laser01 printer, the laser01 printer must be selected in the Printer module in <strong>Univention</strong><br />
Directory Manager and a soft limit of 201 pages and a hard limit of 251 pages entered in the Print<br />
quota for groups per user field for the Domain Users group on the [Print Quota] tab. Confirming<br />
with the [Add] and [OK] buttons enters the quota policy and saves it.<br />
• As a member of the Domain Users group, the user user01 is then subject to the print quota policies<br />
in place for the printer laser01. If the user is assigned another user-specific print quota with a soft<br />
limit of 400 pages and a hard limit of 450 pages in the same manner as described above, he may<br />
still only print a maximum of 250 pages. The print quota system does not allow the limit of the other<br />
policy to be exceeded.<br />
• Each user of the Power Printers group should be assigned a Soft-Limit of 1000 pages and a Hard-<br />
Limit of 1200 pages for all inkjet printers in the domain. A new Ink jet printer group needs to be<br />
created for this and all the inkjet printers in the domain added to it (see Section 13.3.4). Soft and<br />
hard limits are now assigned to the Power Printers group in the Print quota for groups per user<br />
field using a Print quota policy with the name PP limit as already described above. Once the added
13.5 Print quota<br />
entry is confirmed with [OK], the PP limit can be assigned to the Ink jet printer group and all inkjet<br />
printers in the printer management on the Print quota tab and the details confirmed with [OK].<br />
13.5.3 Analysing the print quotas<br />
repykota generates a report about the print quota set. The command can be used by each user to request<br />
details of his current page use.<br />
Command Description<br />
repykota output of all quotas per user for each printer<br />
repykota -P printer01 output of all quotas per user for the unit printer01<br />
repykota -g -P<br />
printer01<br />
output of all quotas per user group for the unit printer01<br />
repykota -g output of all quotas per group for each printer<br />
repykota user01 output of quotas for user01 on all printers<br />
repykota user*<br />
repykota -P laser*<br />
output of all quotas for the users whose name begins with user<br />
output of the quotas for all users on the printers with names<br />
beginning with laser<br />
dumpykota offers the possibility of exporting different information from the print quota system in different<br />
formats:<br />
dumpykota -d type -f format -o file<br />
Variable Decription<br />
typ determines the data to be output<br />
history print job history<br />
users users<br />
groups user groups<br />
printers printers<br />
upquotas User quota<br />
gpquotas User group quota<br />
payments Costs per user<br />
pmembers Printer group members<br />
umembers User group members<br />
format determines the output format:<br />
csv columns separated by commas<br />
csv columns separated by semicolons<br />
csv columns separated by tabs<br />
xml output in XML format<br />
Example:<br />
273
13 Print services<br />
dumpykota -d upquotas -f csv -o userquota.csv<br />
Output of all user quotas in CSV format in the userquota.csv file<br />
13.5.3.1 pykotme<br />
The program pykotme can be used to determine the page contents of a Postscript file and the costs<br />
incurred through its printing.<br />
pykotme --printer printer01,laser01 < file01.ps<br />
Lists the respective costs for the printing of file01.ps on printer01 and laser01.<br />
pykotme --printer laser01 file01.ps file02.ps<br />
Lists the costs for the printing of file01.ps and file02.ps on laser01.<br />
13.5.4 Modifying the print quotas<br />
13.5.4.1 edpykota<br />
The program edpykota is used to alter the quotas of individual users or groups directly. It also offers<br />
possibilities for storing printers and assigning printers and users to groups.<br />
Attention:<br />
Printers and the assigning of printers and the assignment of printers and users to groups should only be<br />
specified with <strong>Univention</strong> Directory Manager wherever possible. As edpykota only changes the entries<br />
in the quota system, these changes are not passed on to the CUPS print system.<br />
edpykota [options] user1 user2 ... userN<br />
edpykota [options] group1 group2 ... groupN<br />
274<br />
Parameter Description<br />
-v –version Outputs the version number<br />
-h –help Help on command usage with syntax and examples<br />
-a –add Add users and/or printers to the quota database<br />
-d –delete Deletes users/user groups out of the quota database<br />
-c –charge p[,j] Fixes the price per page (p) and per job (j) for a specific printer.<br />
The price per job is optional. Values are separated with commas<br />
when they are set. Floating point number are permitted and<br />
input with a decimal point (e.g., 3.412).<br />
-i –ingroups g1[,g2...] Places a user in each specified user group (e.g., g1). The user<br />
groups must already exist in the quota database.<br />
-u –users Edit user quota (standard)<br />
-P –printer p Only the quota for printer p is edited. Wild cards (e.g., p*) are<br />
permitted. Multiple entries are separated by commas.
13.5 Print quota<br />
-G –pgroups pg1[,pg2...] Add the printer to the printer groups pg1,pg2.... The printer<br />
groups must already exist.<br />
-g –groups Edit user groups.<br />
-p –prototype u|g Uses user u or user group g as the prototype for setting the<br />
quotas.<br />
-n –noquota No quotas are set, but the costs and print history activated.<br />
-r –reset Resets the counter for the current page usage. The life time<br />
counter is not changed.<br />
-R –hardreset Resets all counters for page usage.<br />
-S –softlimit X Sets the soft limit to X pages.<br />
-H –hardlimit X Sets the hard limit to X pages.<br />
edpykota --add -S 50 -H 60 user01<br />
user01 receives a soft limit of 50 pages and a hard limit of 60 pages on all printers. If user01 has yet to<br />
be created, it will be created in the print quota system. In other cases the entry will be adapted.<br />
edpykota --add --printer printer01 -S 50 -H 60 user01<br />
user01 receives a soft limit of 50 pages and a hard limit of 60 pages on printer01. If both printer01 and<br />
user01 are yet to be created, they are created. In other cases the entries will be adapted.<br />
edpykota --reset user01<br />
Resets the counter for current page usage foruser01 to 0 on all printers. The life time counter for user01<br />
remains unchanged.<br />
edpykota --add -g testgroup01<br />
Creates the user group testgroup01 in the print quota system.<br />
edpykota -g -S 500 -H 650 testgroup01<br />
The group testgroup01 receives a soft limit of 500 pages and a hard limit of 650 pages.<br />
edpykota -i testgroup01 user01<br />
Adds user01 to the testgroup01 group.<br />
edpykota --add --printer printer01 -i testgroup01 -S 50 -H 60 user01<br />
Sets user01 a soft limit of 50 pages and a hard limit of 60 pages for printer01 and assigns him to the<br />
testgroup01 group. If printer01 or user01 is not yet in the quota system, it is created.<br />
edpykota --delete user01<br />
Completely removes user01 from the quota system.<br />
edpykota --printer lp --charge 12,7<br />
Sets the price per page at 12 and the price per print job at 7 for lp.<br />
275
13 Print services<br />
13.6 <strong>Univention</strong> Configuration Registry variables<br />
13.6.1 Settings for print clients<br />
cups/server: The print server the system should use. This value is overwritten by the Print server<br />
policy and should thus be set in <strong>Univention</strong> Directory Manager.<br />
13.6.2 Settings for the authentication on printer shares<br />
cups/restrictedprinters: A list of printers with access restrictions.<br />
cups/automaticrestrict: If this variable is set to no, the list of printers in<br />
cups/restrictedprinters is no longer automatically modified by the Cups listener mod-<br />
ule if printers are created, modified or deleted.<br />
13.6.3 Settings for printer shares<br />
samba/printmode/usergroup/GROUPNAME: These variables makes it possible to prohibit or provide<br />
certain groups access to printers via Samba printer shares. If the corresponding variable is set to<br />
all for a group with the name GROUPNAME, it will be noted as an approved group on all local<br />
printer shares in Samba. If on the contrary the variable is set to none, the corresponding group<br />
will be entered as invalid for all local printer shares. Access rights given with these <strong>Univention</strong><br />
Configuration Registry"=Variablen apply in addition to those which were set on the individual printer<br />
objects by <strong>Univention</strong> Directory Manager on the Access control tab (see Section 4.5.7). The way in<br />
which Samba analyses share permissions means that a user who is a member of both an approved<br />
group and an invalid group cannot print.<br />
13.6.4 Settings for print quotas<br />
cups/quota/account: The quota information are saved in a PostgreSQL database. This setting regis-<br />
ters the PostgreSQL user for access. The standard setting is pykotaadmin.<br />
cups/quota/admin/mail: The e-mail address of the quota administrator. The standard setting is<br />
root@.<br />
cups/quota/inform: (De)activates the e-mail notification that a quota has been exceeded. Possible<br />
values are no (standard) and yes.<br />
cups/quota/secret: Path entry to the password file for the quota database. The standard setting is<br />
/etc/pykota/pykota.secret<br />
cups/quota/server/access: The methods of accessing the quota database. The standard setting is<br />
local.<br />
cups/quota/server/name: The name of the server where the quota database is operated. The stan-<br />
276<br />
dard setting is localhost.
14 <strong>Univention</strong> Configuration Registry<br />
Contents<br />
14.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277<br />
14.2 Displaying current settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278<br />
14.3 Using variables in shell scripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279<br />
14.4 Changing <strong>Univention</strong> Configuration Registry variables . . . . . . . . . . . . . . . . . . . . . 280<br />
14.5 Creating new <strong>Univention</strong> Configuration Registry variables . . . . . . . . . . . . . . . . . . . 281<br />
14.6 Deleting <strong>Univention</strong> Configuration Registry variables . . . . . . . . . . . . . . . . . . . . . . 281<br />
14.7 Registering <strong>Univention</strong> Configuration Registry variables . . . . . . . . . . . . . . . . . . . . 281<br />
14.8 Regeneration of configuration files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283<br />
14.9 Policy-based configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283<br />
14.9.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283<br />
14.9.2 Configuring the policy in <strong>Univention</strong> Directory Manager . . . . . . . . . . . . . . . . 284<br />
14.10<strong>Univention</strong> Configuration Registry in manually created packages . . . . . . . . . . . . . . . 284<br />
14.11Including additional configuration files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286<br />
14.12Integrating Python code . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286<br />
14.1 Introduction<br />
<strong>Univention</strong> Configuration Registry is the central tool for managing the local system configuration of a <strong>UCS</strong>-<br />
based system. <strong>Univention</strong> Configuration Registry is a registry mechanism for system settings similar to<br />
other operating systems. Individual settings are managed via so-called <strong>Univention</strong> Configuration Registry<br />
variables, which are comparable to the environment variables of the shell regarding the setting and reading,<br />
and their fields of application. <strong>Univention</strong> Configuration Registry variables are managed by the command<br />
univention-config-registry or via <strong>Univention</strong> Management Console.<br />
The <strong>Univention</strong> Configuration Registry mechanism makes connection between the <strong>Univention</strong> Configura-<br />
tion Registry variables and the configuration files of various services.<br />
The <strong>Univention</strong> Configuration Registry mechanism makes sure that in case of a change in a <strong>Univention</strong><br />
Configuration Registry variable, all configuration files referenced by the changed variable, will be created<br />
anew. This process releases the system administrator from editing the configuration files of the various<br />
services himself (under consideration of the syntax applicable in each case). During this process, the<br />
configuration files are retained in their original form, and can be manually edited under consideration of<br />
the functions of the <strong>Univention</strong> Configuration Registry mechanism if the need should arise.<br />
During the installation of a <strong>UCS</strong> system, a number of central, low-level settings are generated via Univen-<br />
tion Configuration Registry variables, e. g. the name of a client which is listed in the system configuration<br />
itself under /etc/hostname and, at the same time, in the configuration of system services such as the<br />
277
14 <strong>Univention</strong> Configuration Registry<br />
LDAP server. Further settings and configuration files can be included in the <strong>Univention</strong> Configuration<br />
Registry mechanism if necessary.<br />
Apart from managing configuration files, <strong>Univention</strong> Configuration Registry variables can be used very<br />
efficiently in low-level shell scripts for accessing current settings. In combination with the <strong>Univention</strong> Con-<br />
figuration Registry command line in particular, there are a range of possibilities for managing a <strong>UCS</strong><br />
system.<br />
14.2 Displaying current settings<br />
The univention-config-registry command can be run with three different parameters to display the Uni-<br />
vention Configuration Registry variables and their current assignments. The short form ucr can also be<br />
given instead of univention-config-registry.<br />
The parameter dump can be used to display all currently registered variables.<br />
# univention-config-registry dump<br />
admin/cmd/debug/level: 0<br />
admin/cmd/timeout: 300<br />
admin/timeout: 300<br />
admin/web/debug/level: 0<br />
admin/web/language: de<br />
apache/accessfilename: .htaccess<br />
apache/documentroot: /var/www<br />
apache/userdir: public_html<br />
auth/admin/methods: krb5 ldap unix<br />
...<br />
One <strong>Univention</strong> Configuration Registry variable and the currently assigned value are displayed per line.<br />
The <strong>Univention</strong> Configuration Registry variables are named according to a tree structure with a forward<br />
slash being used to separate components of the name. For example, <strong>Univention</strong> Configuration Registry<br />
variables beginning with ldap are settings which apply to the local directory service.<br />
<strong>Univention</strong> Configuration Registry supports a variable name search function using the parameter search:<br />
univention-config-registry search <br />
This command searches for variable names which contain and displays these with their current<br />
assignments. Alternatively, searches can also be performed for set variable values:<br />
univention-config-registry search --value <br />
# univention-config-registry search debug<br />
admin/cmd/debug/level: 0<br />
console/web/debug/level: 0<br />
listener/debug/level: 2<br />
samba/debug/level: 0<br />
# univention-config-registry search --value yes<br />
nsswitch/ldap: yes<br />
pkgdb/scan: yes<br />
postfix/autostart: yes<br />
278
sshd/permitroot: yes<br />
sshd/xforwarding: yes<br />
14.3 Using variables in shell scripts<br />
Regular expressions can be used when searching for <strong>Univention</strong> Configuration Registry variables in order<br />
only to display variables which correspond to a predetermined search template. <strong>Univention</strong> Configuration<br />
Registry supports all regular expressions which are supported by the python module re. An extensive<br />
explanation of the syntax can be found in the documentation of the re module. It can also be displayed<br />
with the command pydoc re in the command line on <strong>UCS</strong> systems. The following gives some examples:<br />
• Search for all <strong>Univention</strong> Configuration Registry variables which begin with ’ldap’ or ’ssl’:<br />
univention-config-registry search ’^(ldap|ssl)’<br />
• Search for all <strong>Univention</strong> Configuration Registry variables which include ’ssl’ or ’ssh’:<br />
univention-config-registry search ’ss(l|h)’<br />
• Search for all <strong>Univention</strong> Configuration Registry variables with a current value composed of the<br />
string ’mail’, any character string and the string ’Address’. The asterisk (*) is used to determine that<br />
preceding characters should occur never, once or more than once. To use the asterisk for different<br />
characters as in the bash shell, it must be used in combination with the full stop (.) as a wildcard for<br />
an alphanumeric character.<br />
univention-config-registry search --value ’mail.*Address’<br />
Individual <strong>Univention</strong> Configuration Registry variables can be displayed with the parameter get. Unlike the<br />
parameters dump and search only the current value of the <strong>Univention</strong> Configuration Registry variable is<br />
shown here without variable names.<br />
# univention-config-registry get ldap/server/name<br />
master.firma.de<br />
# univention-config-registry get ldap/server/ip<br />
192.168.0.2<br />
14.3 Using variables in shell scripts<br />
The parameter shell is used to display <strong>Univention</strong> Configuration Registry variables and their current as-<br />
signments in a format that can be used in shell scripts.<br />
univention-config-registry shell<br />
This command displays the values of all <strong>Univention</strong> Configuration Registry variables as a pair per line as<br />
variablenname="wert"<br />
Different conversions are involved in this: forward slashes in variable names are replaced with underscores<br />
and characters in the values which have a particular significance in shell scripts are included in quotation<br />
marks to ensure they are not altered.<br />
Individual values can be displayed when the shell parameter is expanded with the desired variable name:<br />
univention-config-registry shell ldap/server/name<br />
279
14 <strong>Univention</strong> Configuration Registry<br />
<strong>Univention</strong> Configuration Registry must be executed via the command eval for <strong>Univention</strong> Configuration<br />
Registry variables to be able to be read in a shell script as environment variables:<br />
# eval $(univention-config-registry shell ldap/server/name)<br />
# echo $ldap_server_name<br />
master.firma.de<br />
14.4 Changing <strong>Univention</strong> Configuration Registry variables<br />
The command<br />
univention-config-registry set =""<br />
can be used to change a variable’s value. This initiates a syntax check. In the following example, the value<br />
of the variable nameserver1 is set to 192.168.0.1:<br />
univention-config-registry set nameserver1="192.168.0.1"<br />
The change to a <strong>Univention</strong> Configuration Registry variable results in all configuration files for which the<br />
<strong>Univention</strong> Configuration Registry variable is registered (see Chapter 14.8), being rewritten immediately.<br />
The files in question are output on the terminal output:<br />
# univention-config-registry set sshd/xforwarding=yes<br />
Setting sshd/xforwarding<br />
File: /etc/ssh/sshd_config<br />
In doing so it must be noted that although the configuration of a service is updated, the system service<br />
in question is not restarted automatically. These services must generally be restarted manually using the<br />
corresponding init scripts below /etc/init.d. The execution of scripts to follow changes to <strong>Univention</strong><br />
Configuration Registry variables is described in Chapter 14.10.<br />
If, for example, the debug level of the Samba service is changed, this must then be restarted:<br />
# univention-config-registry set samba/debug/level=2<br />
Setting samba/debug/level<br />
Multifile: /etc/samba/smb.conf<br />
# /etc/init.d/samba restart<br />
Stopping Samba daemons: nmbd smbd.<br />
Starting Samba daemons: nmbd smbd.<br />
Simultaneous changes to more than one variable are possible in one command line (in so far as they refer<br />
to the same configuration file, this will only be rewritten once):<br />
# univention-config-registry set \<br />
dns/forwarder1=192.168.0.2 \<br />
sshd/xforwarding="no" \<br />
sshd/port=2222<br />
280
14.5 Creating new <strong>Univention</strong> Configuration Registry variables<br />
14.5 Creating new <strong>Univention</strong> Configuration Registry variables<br />
A new variable can be registered with univention-config-registry and the parameter set. The<br />
variable can be given any name consisting exclusively of lowercase letters, full stops, figures, hyphens<br />
and forward slashes. If the newly created <strong>Univention</strong> Configuration Registry variable is to be automatically<br />
used in configuration files it should be registered (see Chapter 14.7).<br />
# univention-config-registry set test/variable=neu<br />
Create test/variable<br />
A conditional setting of variables is also possible. For example, if a value should only be saved in a<br />
<strong>Univention</strong> Configuration Registry variable when the variable is empty, this can be done by entering a<br />
question mark instead of the equals sign when assigning values.<br />
univention-config-registry set dns/forwarder1?192.168.0.2<br />
In this example, the variable dns/forwarder1 is only set to the value 192.168.0.2 when it was previously<br />
empty. When the variable already contains a value, this is not changed.<br />
When setting and changing <strong>Univention</strong> Configuration Registry variables, numerous variables can be en-<br />
tered in one execution.<br />
14.6 Deleting <strong>Univention</strong> Configuration Registry variables<br />
The parameter unset is used to delete a variable. The following example deletes the variable dns/for-<br />
warder2. It is also possible here to specify several variables to be deleted.<br />
univention-config-registry unset dns/forwarder2<br />
When deleting a variable, univention-config-registry displays which files are affected by the change and<br />
rewritten.<br />
14.7 Registering <strong>Univention</strong> Configuration Registry variables<br />
The <strong>Univention</strong> Configuration Registry system guarantees the regeneration of the configuration files for<br />
which a variable is registered when a change is made to this variable. This is done using <strong>Univention</strong><br />
Configuration Registry templates. Essentially, a <strong>Univention</strong> Configuration Registry template is a copy of<br />
the original configuration file in which the lines in which the value of a <strong>Univention</strong> Configuration Registry<br />
variable are entered are partially replaced with program code.<br />
The <strong>Univention</strong> Configuration Registry variables used in the configuration files are registered in info files<br />
in /etc/univention/templates/info which are named after the package name with the file ending<br />
.info. An example for the package univention-dhcp:<br />
Type: file<br />
File: etc/dhcp3/dhcpd.conf<br />
Variables: ldap/base<br />
Variables: dhcpd/ldap/base<br />
281
14 <strong>Univention</strong> Configuration Registry<br />
Variables: ldap/server/name<br />
Variables: dhcpd/enable<br />
Type: file<br />
File: etc/init.d/dhcp3-server<br />
The templates for all configuration files managed with <strong>Univention</strong> Configuration Registry can be<br />
found in the /etc/univention/templates/files. The path to the templates is the abso-<br />
lute path to the configuration file with the prefixed path to the template directory. For ex-<br />
ample, the template for the /etc/dhcp3/dhcpd.conf configuration file can be found under<br />
/etc/univention/templates/files/etc/dhcp3/dhcpd.conf.<br />
The templates contain wildcards for the variables used in the registration. If the value of a variable is<br />
changed, <strong>Univention</strong> Configuration Registry reads the template and replaces the wildcard with the corre-<br />
sponding variable value before rewriting the configuration file.<br />
The following excerpt serves as an example of a line with wildcards from the template for the file<br />
/etc/ssh/sshd_config. The name of the <strong>Univention</strong> Configuration Registry variable framed by the<br />
string @%@ represents the wildcard.<br />
X11Forwarding @%@sshd/xforwarding@%@<br />
The original configuration file is overwritten when a registered <strong>Univention</strong> Configuration Registry variable<br />
is changed, which means that manual changes previously made to the configuration file will be lost. If<br />
these changes are to be permanent, they must be made to the template. Once the template has been<br />
changed, the configuration file needs to be rewritten (see Chapter 14.8).<br />
Attention:<br />
For the configuration files to be processed correctly by <strong>Univention</strong> Configuration Registry they must be<br />
in UNIX format. If configuration files are edited in DOS or Windows, for example, control characters are<br />
inserted to indicate line breaks, which can disrupt the way <strong>Univention</strong> Configuration Registry uses the file.<br />
The string @!@ can also be used alongside the string @%@ for individual <strong>Univention</strong> Configuration Reg-<br />
istry variables. It is used to mark Python codes embedded in blocks. The Python code is also executed<br />
when a registered <strong>Univention</strong> Configuration Registry variable is changed. For example, these blocks can<br />
be used to set it so that when a parameter is changed via a variable, further dependent settings in are au-<br />
tomatically adopted in the configuration file. The following code sequence configures for example network<br />
settings using the <strong>Univention</strong> Configuration Registry settings:<br />
@!@<br />
for i in range(0,4):<br />
if baseConfig[’interfaces/eth%s/address’ % i]:<br />
print ’%s\tunivention-directory-manager.%s univention-directory-manager’ % \<br />
(baseConfig[’interfaces/eth%s/address’ % i],baseConfig[’domainname’])<br />
@!@<br />
If new Python code is entered into the templates or the existing code changed in such a way that it requires<br />
additional or different variable, the .info files in /etc/univention/templates/info will need to be<br />
expanded or changed accordingly (see Chapter 14.10).<br />
Attention:<br />
<strong>Univention</strong> Configuration Registry templates are included in the corresponding software packages as<br />
282
14.8 Regeneration of configuration files<br />
configuration files. When packages are updated, a check is performed for whether any changes have<br />
been made to the configuration files. If configuration files are no longer there in the form in which they<br />
were delivered, they will not be overwritten. Instead a new version will be created in the same directory<br />
with the ending .debian.dpkg-new. If changes are to be made on the <strong>Univention</strong> Configuration Reg-<br />
istry templates, these templates are also not overwritten during the update and are instead resaved in<br />
the same directory with the ending .dpkg-new or .dpkg-dist. Corresponding notes are written in the<br />
/var/log/univention/actualise.log log file.<br />
14.8 Regeneration of configuration files<br />
The command<br />
univention-config-registry commit <br />
is used to regenerate configuration files from their templates, which may be necessary, for example, if a<br />
change is made to a configuration file as a test or the corresponding <strong>Univention</strong> Configuration Registry<br />
template has been edited.<br />
If no file name is given when running univention-config-registry, all of the files managed by <strong>Univention</strong><br />
Configuration Registry will be regenerated from the templates. It is, however, not generally necessary to<br />
regenerate all the configuration files.<br />
The command<br />
univention-config-registry commit /etc/samba/smb.conf<br />
is used to rewrite the configuration file for the Samba service, for example.<br />
14.9 Policy-based configuration<br />
14.9.1 Overview<br />
Part of the settings stored in <strong>Univention</strong> Configuration Registry are system-specific (e.g., the computer<br />
name); many other settings can, however, be used on more then one computer. To automate the distribu-<br />
tion of the settings, you can configure the <strong>Univention</strong> Configuration Registry variables using a policy in the<br />
directory service. General information on policies can be found in Chapter4.5.11.<br />
The evaluation of the <strong>Univention</strong> Configuration Registry variables on a <strong>UCS</strong> system comprises four stages:<br />
• First the local <strong>Univention</strong> Configuration Registry variables are evaluated.<br />
• The local variables are overruled by policy variables which are usually sourced from the directory<br />
service using unvention-policy-result.<br />
• The schedule option is used to set local variables which are only intended to apply for a certain<br />
period of time. This level of the <strong>Univention</strong> Configuration Registry is reserved for local settings which<br />
are automated by time-controlled mechanisms in <strong>Univention</strong> Corporate Server.<br />
283
14 <strong>Univention</strong> Configuration Registry<br />
• When the force option is used in setting a local variable, settings adopted from the directory service<br />
and variables from the schedule level are overruled and the given value for the local system fixed<br />
instead. An example:<br />
univention-config-registry set --force mail/messagesizelimit=1000000<br />
If a variable is set which is overwritten by a superordinate policy, a warning message is given.<br />
14.9.2 Configuring the policy in <strong>Univention</strong> Directory Manager<br />
When creating the policy object, <strong>Univention</strong> Configuration Registry needs to be selected. Firstly a<br />
name must be set for the policy which is to be created, under which the variables will later be assigned to<br />
the individual computer objects.<br />
In addition, at least one <strong>Univention</strong> Configuration Registry variable must be configured. Firstly, the name<br />
of the variable must be entered under Name of the new Configuration Registry variable. Clicking the<br />
plus sign next to the input field changes the input field to Variable: NAME. The value to be set must now<br />
be entered here.<br />
Clicking on Ok saves the policy; alternatively, further variables can also be created.<br />
This policy can then be assigned to a computer object. Note that the display of configured values dif-<br />
fers from the remaining policies: the values are not display directly in <strong>Univention</strong> Directory Manager but<br />
rather written on the assigned computer by <strong>Univention</strong> Directory Policy. The time interval used for this is<br />
configured by the <strong>Univention</strong> Configuration Registry variable ldap/policy/cron and set at one hour as<br />
standard.<br />
14.10 <strong>Univention</strong> Configuration Registry in manually created packages<br />
Configuration files can also be integrated in the <strong>Univention</strong> Configuration Registry system when creating<br />
individual software packages for use in <strong>UCS</strong>. The complete procedure for package creation in <strong>UCS</strong> is<br />
documented separately (see [20]).<br />
A subdirectory with the name conffiles must be created in the directory with the package<br />
sources. The configuration files and any subdirectories are copied here. For example, if the file<br />
/etc/ldap/slapd.conf should be managed by <strong>Univention</strong> Configuration Registry, it is copied to<br />
conffiles/etc/ldap/slapd.conf.<br />
Wildcards can now be integrated into the configuration files in conffiles for the variables and any neces-<br />
sary Python code.<br />
In any case default values for the variables used by the respective binary package can be issued<br />
in debian/postinst or debian/.postinst through certain settings (see<br />
Chapter 14.5).<br />
The line<br />
univention-install-config-registry<br />
284
14.10 <strong>Univention</strong> Configuration Registry in manually created packages<br />
must be added in the install section of the debian/rules file so that <strong>Univention</strong> Configuration Registry is<br />
integrated when creating the package.<br />
In addition, the debian/control file must be adapted, the source package expanded with a dependency on<br />
univention-config-dev and all binary packages using <strong>Univention</strong> Configuration Registry expanded with a<br />
dependency on univention-config-registry.<br />
Each binary package also requires a file called debian/.univention-config-registry<br />
to be created, in which is must be specified which files and scripts are to be managed by <strong>Univention</strong><br />
Configuration Registry and which variables are contained therein.<br />
The syntax of the file can be seen in the following examples:<br />
• Two configuration files and the variables used in them. The assignment of variables to files can be<br />
omitted if no Python code is used in the corresponding configuration file.<br />
# cat univention-dhcp.info<br />
Type: file<br />
File: etc/dhcp3/dhcpd.conf<br />
Variables: ldap/base<br />
Variables: dhcpd/ldap/base<br />
Variables: ldap/server/name<br />
Variables: dhcpd/enable<br />
Type: file<br />
File: etc/init.d/dhcp3-server<br />
• Scripts can also be integrated in <strong>Univention</strong> Configuration Registry alongside configuration files.<br />
These scripts can be run when certain variables are set. Scripts installed with packages are saved<br />
in /etc/univention/templates/scripts. Further scripts which should be created individually<br />
and then registered with <strong>Univention</strong> Configuration Registry must also be copied in the directory.<br />
Additional scripts must also be entered in the <strong>Univention</strong> Configuration Registry info files. They must<br />
be executable and also copied in the conffiles directory.<br />
In the following example the interfaces.sh script is run when the values of the inter-<br />
faces/eth0/address or interfaces/eth0/network variables are changed:<br />
Type: script<br />
Script: interfaces.sh<br />
Variables: interfaces/eth0/address<br />
Variables: interfaces/eth0/network<br />
• The following example shows a file (multifile), which is compiled from several individual files (subfile)<br />
if the value of a variable is changed. In this way, different packages can combine individual parts of<br />
a configuration file, which are thus merged.<br />
Type: multifile<br />
Multifile: etc/ldap/slapd.conf<br />
Type: subfile<br />
Multifile: etc/ldap/slapd.conf<br />
Subfile: etc/ldap/slapd.conf.d/10schema-core<br />
Variables: ldap/base<br />
285
14 <strong>Univention</strong> Configuration Registry<br />
Type: subfile<br />
Multifile: etc/ldap/slapd.conf<br />
Subfile: etc/ldap/slapd.conf.d/20acl<br />
Variables: ldap/base<br />
A multifile template must be created to generate a configuration file from several templates. To do this<br />
a directory is created with a name composed of the template name and the endung .d. Several part<br />
templates can be saved in this directory.<br />
The file names of these part templates must begin with double-digit figures, which determine the order<br />
according to which the parts will be evaluated and merged. This is particularly useful if the individual parts<br />
are from different packages, are to be managed or individual expansions are to be integrated.<br />
For example, /etc/univention/templates/files/etc/ contains the directory config.d. This<br />
contains the files 00header, 05base and 11extensions. These are merged and evaluated by Univen-<br />
tion Configuration Registry in ascending order according to their numerical prefix in order to create the<br />
/etc/config file.<br />
If the template (single or multifile) were created, they must be registered before they can be used by<br />
<strong>Univention</strong> Configuration Registry (see Chapter 14.11).<br />
14.11 Including additional configuration files<br />
Configuration files that do not originate from an installation package can also be registered in <strong>Univention</strong><br />
Configuration Registry. The following description only applies to configuration files which are not installed<br />
from a package.<br />
Firstly, one or more template files must be created or adapted and saved under the<br />
/etc/univention/templates/files directory. The syntax and exact saving location of the template<br />
files are described in Chapter 14.7.<br />
A file must be saved in the /etc/univention/templates/info directory listing the con-<br />
figuration files used and the variables used in them. The name of file can be chosen<br />
freely as long as it ends in .info. The syntax corresponds to the scheme named for the<br />
debian/.univention-config-registry file in Chapter 14.10.<br />
The /var/cache/univention-config/cache cache file must then be deleted. The additional con-<br />
figuration files are registered the next time it is run. As soon as a <strong>Univention</strong> Configuration Registry<br />
variable registered for this file is changed or the command univention-config-registry commit<br />
is executed for this file, a new configuration file is created from the template file taking into account the<br />
<strong>Univention</strong> Configuration Registry variables.<br />
14.12 Integrating Python code<br />
If integrating individual <strong>Univention</strong> Configuration Registry variables proves insufficient for creating a con-<br />
figuration file, Python code can be integrated directly in the file. A Python code block is introduced and<br />
286
closed with the string @!@.<br />
14.12 Integrating Python code<br />
In the following example the template /etc/univention/templates/files/etc/issue (from which<br />
the /etc/issue file is created) is expanded with Python code. Before it looks like this:<br />
@!@<br />
if baseConfig[’version/version’] and baseConfig[’version/patchlevel’]:<br />
print ’<strong>UCS</strong> \%s-\%s \BS\BSn \BS\BSl’ \% \<br />
(baseConfig[’version/version’], \<br />
baseConfig[’version/patchlevel’])<br />
@!@<br />
If the value of a <strong>Univention</strong> Configuration Registry variable should be queried in Python code, the baseC-<br />
onfig Python object can be used as shown in the example. When using Python code it is important to note<br />
that the variables used in the Python code are specified when creating the package (see Chapter 14.10).<br />
Two <strong>Univention</strong> Configuration Registry variables, hostname and domainname, are now added outside of<br />
the Python code, while the /etc/univention/templates/files/etc/issue template is edited as<br />
follows:<br />
@!@<br />
if baseConfig[’version/version’] and baseConfig[’version/patchlevel’]:<br />
print ’<strong>UCS</strong> \%s-\%s \BS\BSn \BS\BSl’ \% \<br />
(baseConfig[’version/version’], \<br />
baseConfig[’version/patchlevel’])<br />
@!@<br />
The host name is: @%@hostname@%@<br />
The domain name is: @%@domainname@%@<br />
The /etc/issue file can now be regenerated from its template using the following command:<br />
univention-config-registry commit /etc/issue<br />
If new variables are introduced, it is important to follow the naming scheme (see Chapter 14.5). The<br />
following example introduces two new variables, my/variable1 and my/variable2:<br />
@!@<br />
if baseConfig[’version/version’] and baseConfig[’version/patchlevel’]:<br />
print ’<strong>UCS</strong> \%s-\%s \BS\BSn \BS\BSl’ \% \<br />
(baseConfig[’version/version’], \<br />
baseConfig[’version/patchlevel’])<br />
@!@<br />
My first variable: @%@my/variable1@%@<br />
My second variable: @%@my/variable2@%@<br />
To fill the new variables defined in inline Python code with values, the cache file must be deleted once from<br />
<strong>Univention</strong> Configuration Registry.<br />
rm /var/cache/univention-config/cache<br />
The new variables can then be set as described in Chapter 14.5.<br />
univention-config-registry set my/variable1="foo" set my/variable2="bar"<br />
The /etc/issue file is now regenerated from its template.<br />
287
14 <strong>Univention</strong> Configuration Registry<br />
288
15 <strong>Univention</strong> System Setup<br />
Contents<br />
15.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289<br />
15.2 <strong>Univention</strong> System Setup modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290<br />
15.2.1 Basic settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290<br />
15.2.2 Keyboard settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291<br />
15.2.3 Language settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292<br />
15.<strong>2.4</strong> Network settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294<br />
15.2.5 Software components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296<br />
15.2.6 Time zone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297<br />
15.3 <strong>Univention</strong> System Setup event registration . . . . . . . . . . . . . . . . . . . . . . . . . . . 297<br />
15.4 Configuration for executing at system start . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298<br />
15.5 Changing machine passwords/SSL certificates during system start . . . . . . . . . . . . . . 299<br />
15.1 Introduction<br />
<strong>Univention</strong> System Setup is a tool for reconfiguring a <strong>UCS</strong> system. It can be used for adapting system<br />
characteristics to changed circumstances as well as for preparing system installations.<br />
User guidance is keyboard-based: The active menu item is displayed on a red background; the arrow keys<br />
UP/DOWN, or the TAB/Shift+TAB keys can be used for navigating between the items.<br />
The input for a <strong>Univention</strong> System Setup module can be finished by the F12 key; the F11 key can be<br />
used for returning to the previous module (provided that several modules are active). The F8 key is for<br />
exiting <strong>Univention</strong> System Setup; selection fields can be activated by pressing the space bar. Online help<br />
is accessible via the F1 key.<br />
If <strong>Univention</strong> System Setup is run on system roles other than domain controller master and information<br />
cannot be written to the LDAP directory, <strong>Univention</strong> System Setup emits a warning and only performs the<br />
configuration steps which are possible without network access. The computer must then be re-joined in<br />
the domain using univention-join at a later point.<br />
Error analyses are possible by using the log file /var/log/univention/setup.log.<br />
<strong>Univention</strong> System Setup is based on the Curses library which is used for terminal-based screen display.<br />
The setup requires certain minimum dimensions for the terminal window for proper display. Should the<br />
start be aborted with an error message, then the terminal window is to be enlarged.<br />
289
15 <strong>Univention</strong> System Setup<br />
Figure 15.1: The selected menu item in this example is Europe/Berlin<br />
15.2 <strong>Univention</strong> System Setup modules<br />
<strong>Univention</strong> System Setup has a modular design and presently consists of seven modules. These modules<br />
can be started all together (univention-setup-all) as well as separately; for example, univention-<br />
system-setup-net for the network settings. Apart from this, there is the possibility of loading a selection<br />
of modules: The univention-system-setup -modules net,basis command, for example, loads<br />
solely the modules for basic and network configuration.<br />
15.2.1 Basic settings<br />
Central system properties can be configured with univention-system-setup-basis:<br />
The host name and domain name can be changed by <strong>Univention</strong> System Setup. For this purpose, adjust-<br />
ments for several server services are also made in <strong>Univention</strong> Configuration Registry (e.g. Mail aliases at<br />
the mail server).<br />
In addition, a new SSL certificate will be created on a domain controller master. Other system roles obtain<br />
a new certificate from the DC master.<br />
Changing the domain name may require the adaption of further systems. If the name of the entire DNS<br />
domain is to be changed, the change must be implemented on all systems. If the domain name of individual<br />
systems is changed, service records for example, which are responsible for locating the domain controller<br />
master amongst other things, may no longer be correctly resolved. In such cases, the corresponding<br />
service records must be created manually in <strong>Univention</strong> Directory Manager. The changed system should<br />
be restarted following these changes.<br />
290
Figure 15.2: Basic settings in <strong>Univention</strong> System Setup<br />
15.2 <strong>Univention</strong> System Setup modules<br />
The LDAP basis can also be changed at a later date by <strong>Univention</strong> System Setup. Changing the LDAP<br />
basis requires the installation of an adapted licence, a repeated join and a restart of all systems.<br />
Changes to the LDAP base cannot be replicated in all scenarios, other systems in the domain need to be<br />
adapted manually.<br />
Changing the DNS domain name or the LDAP base on the domain controller master changes fundamental<br />
parameters of the other systems of the domain. The computer objects of the other <strong>UCS</strong> systems should<br />
be deleted in <strong>Univention</strong> Directory Manager and the computers should join the domain anew (see also<br />
Chapter <strong>2.4</strong>.1).<br />
Windows domain names can be changed. For reasons of compatibility, the name of a domain is not<br />
case-sensitive and should not exceed a maximum of 14 characters.<br />
The password for the local root user can also be changed by <strong>Univention</strong> System Setup. In addition, the<br />
password for the administrator account in LDAP is changed on domain controller master systems. It must<br />
be pointed out that this process does not include any checks regarding either the length of the password<br />
or the passwords used in the past. To avoid subsequent errors by misspelling, the password has to be<br />
entered twice.<br />
15.2.2 Keyboard settings<br />
The keyboard layout used on the computer can be changed by<br />
univention-system-setup-keyboard.<br />
291
15 <strong>Univention</strong> System Setup<br />
15.2.3 Language settings<br />
Figure 15.3: Keyboard settings in <strong>Univention</strong> System Setup<br />
In <strong>UCS</strong>, localisation properties for software are defined in so-called locales. Configuration includes, among<br />
other things, settings for date and currency format, and the set of characters in use. Apart from this, the lan-<br />
guage used for internationalised programs is specified. With univention-system-setup-language<br />
the locales for a system can be created.<br />
Moreover, a standard locale can be defined with univention-system-setup-defaultlocale. The<br />
locales created via univention-system-setup-language are available for selection.<br />
292
Figure 15.4: Language settings in <strong>Univention</strong> System Setup<br />
15.2 <strong>Univention</strong> System Setup modules<br />
293
15 <strong>Univention</strong> System Setup<br />
15.<strong>2.4</strong> Network settings<br />
univention-system-setup-net is a comfortable means for changing the network settings of a com-<br />
puter. Up to four physical network adapters can be configured with static as well as dynamical address<br />
allocation.<br />
Figure 15.5: Network settings in <strong>Univention</strong> System Setup<br />
With static configuration, apart from the IP addresses there are also the routing-relevant settings for the<br />
net mask, broadcast address, and network address to be made. For this purpose, standard values are<br />
proposed based on the IP address, in order to simplify configuration.<br />
The allocation of the IP address can also be achieved dynamically via the Dynamic Host Configuration<br />
Protocol (DHCP). DC Master, DC Backup, DC Slave, and member server can be operated by static<br />
addressing exclusively.<br />
The standard gateway can also be configured. DC Master should be configured as a name server (it is<br />
possible to register multiple hosts), further servers for DNS lookups can be configured as DNS forwarders<br />
(e. g. the DNS server of the internet service provider).<br />
Furthermore, access via a web proxy can be set.<br />
Changes in computer properties are adopted in the LDAP and in <strong>Univention</strong> Configuration Registry and<br />
become valid immediately. This also concerns changes in the routing properties, a fact which is to be<br />
taken into consideration for remote access.<br />
The change of an IP address of a DC master cannot be replicated in all replication scenarios; other<br />
systems in the domain are usually required to rejoin the domain using univention-join.<br />
294
15.2 <strong>Univention</strong> System Setup modules<br />
Figure 15.6: Network interface configuration in <strong>Univention</strong> System Setup<br />
295
15 <strong>Univention</strong> System Setup<br />
15.2.5 Software components<br />
The univention-system-setup-software command can be used for subsequent, menu-controlled<br />
installation of software components. Besides the components, individual packages can also be selected.<br />
Switching columns is possible via the arrow keys LEFT/RIGHT. The software packages are then installed<br />
from the repository.<br />
296<br />
Figure 15.7: Software selection in <strong>Univention</strong> System Setup
15.2.6 Time zone<br />
Time zones can be configured with univention-system-setup-timezone.<br />
15.3 <strong>Univention</strong> System Setup event registration<br />
Figure 15.8: Configuring time zones in <strong>Univention</strong> System Setup<br />
15.3 <strong>Univention</strong> System Setup event registration<br />
Any necessary changes will be made for standard system features of a <strong>Univention</strong> Corporate Server<br />
system when a system feature is changed. For local extensions there is the possibility of storing shell<br />
scripts, which are then run by <strong>Univention</strong> System Setup when system features are changed.<br />
Scripts in the following directories are run before or after the changing of a system feature in alphabetical<br />
order:<br />
/var/lib/univention-system-setup/hostname.pre Host name<br />
/var/lib/univention-system-setup/hostname.post Host name<br />
/var/lib/univention-system-setup/domainname.pre Domain name<br />
/var/lib/univention-system-setup/domainname.post Domain name<br />
/var/lib/univention-system-setup/ldapbase.pre LDAP base<br />
/var/lib/univention-system-setup/ldapbase.post LDAP base<br />
/var/lib/univention-system-setup/windowsdomain.pre Windows domain<br />
/var/lib/univention-system-setup/windowsdomain.post Windows domain<br />
/var/lib/univention-system-setup/interfaces.post Network interface settings<br />
/var/lib/univention-system-setup/gateway.post Network gateway<br />
297
15 <strong>Univention</strong> System Setup<br />
/var/lib/univention-setup/nameserver.post Name server<br />
/var/lib/univention-setup/dnsforwarder.post DNS forwarder<br />
/var/lib/univention-setup/httpproxy.post HTTP proxy<br />
Scripts with file names which end in pre are run before the change is adopted, and scripts with post<br />
afterwards. The file names of the scripts must not include any additional full stops.<br />
For the respective shell script the old value is taken as the first and the new value as the second parameter.<br />
For some module several values must be transferred to the scripts. These are summarised to one value<br />
in a special syntax.<br />
The syntax for network interfaces is:<br />
#DEVICE-IP-NETWORK-NETMASK(..)<br />
For example, if the user changes the IP address of the first network card eth0 from 10.200.3.100<br />
to 10.200.3.200 whilst keeping the network properties the same, the parameters #eth0-10.200.3.100-<br />
10.200.100.0-255.255.255 and #eth0-10.200.3.200-10.200.100.0-255.255.255 would be transferred to<br />
the shell script.<br />
The syntax for forwarders and name servers is:<br />
#SERVER1#SERVER2#SERVER3<br />
For example, if two name servers are configured for one system, the value #name-<br />
server1.firma.com#nameserver2.firma.com would be transferred to the shell script.<br />
15.4 Configuration for executing at system start<br />
There is a possibility to run <strong>Univention</strong> System Setup automatically during the system start. This is done by<br />
installing the univention-system-setup-boot package and setting the <strong>Univention</strong> Configuration Registry<br />
variable boot/setup/start to true.<br />
Furthermore, the modules to be started can be defined in the <strong>Univention</strong> Configuration Registry<br />
variable boot/setup/modules. The values correspond to the file name components behind<br />
univention-system-setup. For example, if only the modules for network and keyboard layout should<br />
be shown, the variable should be set to net,keyboard. If the keyboard module has been selected, it is<br />
always run firstly so that the changed setting applies directly for the following modules.<br />
If <strong>Univention</strong> System Setup was run at the system start, the <strong>Univention</strong> Configuration Registry variable<br />
boot/setup/start variable will then be automatically reset to false. For example, this allows precon-<br />
figuration of a system so that only the locally required parameters need to be changed during set-up.<br />
298
15.5 Changing machine passwords/SSL certificates during system start<br />
15.5 Changing machine passwords/SSL certificates during system start<br />
The univention-system-setup-appliance package is available for the operation of preconfigured <strong>UCS</strong><br />
installations. This offers the possibility of regenerating the SSL certificates and host passwords during the<br />
next system start.<br />
If the <strong>Univention</strong> Configuration Registry variable system/setup/appliance/start is set to true, the<br />
passwords in the /etc/ldap.secret and /etc/ldap-backup.secret files will be reset the next time<br />
that univention-system-setup-boot is run. In addition, the passwords for the join-slave and join-backup<br />
system users will also be reset.<br />
If ssl is set in the <strong>Univention</strong> Configuration Registry variable boot/setup/modules, the root cer-<br />
tificate and host certificates are regenerated the next time univention-system-setup-boot is started<br />
on a domain controller master. The settings for the new certificate are read out of the <strong>Univention</strong><br />
Configuration Registry variables ssl/country, ssl/email, ssl/locality, ssl/organization,<br />
ssl/organizationalunit and ssl/state.<br />
299
15 <strong>Univention</strong> System Setup<br />
300
16 Frequently asked questions<br />
Contents<br />
16.1 How do I replace the DC master with a DC backup? . . . . . . . . . . . . . . . . . . . . . . 301<br />
16.2 How can I install Microsoft TrueType fonts subsequently? . . . . . . . . . . . . . . . . . . . 302<br />
16.3 How does a user change his password? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303<br />
16.3.1 On a Linux workstation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303<br />
16.3.2 On a Windows workstation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303<br />
16.3.3 When logging on . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303<br />
16.3.4 Via <strong>Univention</strong> Directory Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303<br />
16.4 How is the password for root changed? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303<br />
16.5 What criteria must a password satisfy? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304<br />
16.6 Individual websites cannot be accessed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304<br />
16.7 Thin clients experience log-in problems in a domain spread over several locations . . . . . 305<br />
16.8 How do I change the <strong>Univention</strong> Directory Manager timeout? . . . . . . . . . . . . . . . . . 305<br />
16.9 Why are NFS shares not mounted during boot-up? . . . . . . . . . . . . . . . . . . . . . . . 305<br />
16.10What does ”No DB server name found.” mean? . . . . . . . . . . . . . . . . . . . . . . . . . 306<br />
16.11Computer name and network settings in Windows XP Prof. . . . . . . . . . . . . . . . . . . 306<br />
16.12Avoiding double log-ins on Windows terminal servers . . . . . . . . . . . . . . . . . . . . . . 307<br />
Further documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309<br />
16.1 How do I replace the DC master with a DC backup?<br />
To promote a DC backup to a DC master, the command<br />
/usr/lib/univention-ldap/univention-backup2master<br />
must be executed on the DC backup.<br />
Attention:<br />
There can only be one DC master within a LDAP domain. The script can only be run if the original DC<br />
master is not available.<br />
The script switches off replication on the former DC backup. It activates the WINS service, configures the<br />
system as a Kerberos admin server and changes the LDAP server to write mode. The OpenLDAP, Samba,<br />
Kerberos, <strong>Univention</strong> Directory Listener and <strong>Univention</strong> Directory Notifier services are then restarted.<br />
Samba then works as the primary domain controller (PDC).<br />
Then the script replaces the former DC master with the former DC backup in the DNS service record for<br />
the Kerberos admin. The _domaincontroller_master._tcp DNS service record is also transferred to the<br />
previous DC backup. In so far as the former DC master was entered in the DNS alias records for univention<br />
301
16 Frequently asked questions<br />
directory manager and univention repository and as the name server in the SOA records for forward and<br />
reverse zones, the script also exchanges it in these sites for the former DC backup.<br />
Attention:<br />
If an external DNS service is being used, the entries must be adapted there manually.<br />
If the former DC master was entered in the LDAP directory as a mail relay host, the script also changes<br />
this entry to the former DC backup. This change is performed with <strong>Univention</strong> Directory Manager; the<br />
LDAP replication automatically adapts the <strong>Univention</strong> Configuration Registry variable mail/relay on all<br />
systems.<br />
The script changes the server role entered in the LDAP directory of the former DC backup to DC master<br />
and deletes the former DC master and, where applicable, its DNS host entry in the forward lookup zone,<br />
its pointer in the reverse lookup zone and its DHCP host entry from the LDAP directory.<br />
Note that the former DC backup is entered as the name server on all computers in the domain if the internal<br />
DNS service is switched on. Usually, the DC backup should be entered as the second name server after<br />
the DC master during the installation of each computer.<br />
Along with the automatic changes, some changes must be performed manually:<br />
1. Further DNS settings which point to the former DC master.<br />
2. DHCP settings which point to the former DC master (e.g., name server and WINS server).<br />
3. <strong>Univention</strong> Configuration Registry settings which point to the former DC master.<br />
The respective entries in the LDAP directory must be adapted with <strong>Univention</strong> Directory Manager and<br />
those on the computers with <strong>Univention</strong> Configuration Registry.<br />
The univention-backup2master script only ensures that the domain controller master function is<br />
adopted by the DC backup. The script does not set up replacements for other services that the former DC<br />
master may have provided, e.g., groupware or terminal services.<br />
A new DC backup should be put in place to reinstate system redundancy.<br />
16.2 How can I install Microsoft TrueType fonts subsequently?<br />
Some applications use Microsoft TrueType fonts as standard. When these are not available they are<br />
usually replaced with other fonts automatically.<br />
For licensing reasons the Microsoft TrueType fonts cannot be delivered on the <strong>UCS</strong> installation CD. An<br />
attempt is made during the installation to download these from the Internet from sourceforge.net.<br />
If this attempt fails during the installation, e.g., when there is no Internet connection available, the fonts<br />
can be installed at any other time using the command update-ms-fonts.<br />
If installation of the Microsoft TrueType fonts was deselected during the installation, it can be made avail-<br />
able by subsequent installation of the msttcorefonts package.<br />
302
16.3 How does a user change his password?<br />
16.3 How does a user change his password?<br />
There are a number of ways for users to change their password. The new password must always comply<br />
with the security policy. If this is not the case, this may result in different error messages depending on<br />
the mechanism used. If you have problems changing your password, you should firstly check whether the<br />
security requirements are complied with.<br />
16.3.1 On a Linux workstation<br />
If the user is logged on to a Linux workstation, he can open the program with which he can change his<br />
password via K menu ➞ Control Center ➞ Security & Privacy ➞ Password & User Account ➞ Change<br />
Password. The program requests the old password first and then the new password. If the new password<br />
is longer than eight characters a warning is given, which can be confirmed by clicking on the [Use As Is]<br />
button.<br />
If the password does not comply with the security requirements, the message Your password has not<br />
been changed appears together with an explanation of why the change failed.<br />
The user can also change his password using kpasswd on the command line. More detailed error mes-<br />
sages are given there. (see Chapter 16.5).<br />
16.3.2 On a Windows workstation<br />
If the user is logged on to a Windows workstation he can open the dialogue for changing his password<br />
with ”Ctrl + Alt + Del”.<br />
16.3.3 When logging on<br />
If a user’s password is no longer valid and the user tries to log on to the domain, a window opens automat-<br />
ically asking him to change his password. For setting the password expiry interval see Chapter 4.5.11.<br />
16.3.4 Via <strong>Univention</strong> Directory Manager<br />
The ucsUCRVldap/acl/user/password/change must be set to yes on the DC master for the user to be able<br />
to change his password via <strong>Univention</strong> Directory Manager.<br />
After logging on to <strong>Univention</strong> Directory Manager, the dialogue for changing a user password can be<br />
opened by choosing Password in the left screen margin. The new password must be given identically in<br />
the Password (*) and Password (retype) (*) fields.<br />
16.4 How is the password for root changed?<br />
Each <strong>UCS</strong> computer has a root user. Its password is changed locally on the computer using the passwd<br />
command.<br />
303
16 Frequently asked questions<br />
16.5 What criteria must a password satisfy?<br />
The following security requirements are implemented in <strong>UCS</strong> as standard:<br />
• The password must be at least as long as the minimum length stipulated in the password length<br />
policy. The preset value is eight characters.<br />
• The password must not be the same as any other password saved in the user’s password history.<br />
• As standard no further requirements with regard to the password quality are set through the pass-<br />
word policy.<br />
The security requirements of the pam_cracklib.so PAM module also apply when changing a password<br />
with kdepasswd or passwd. These include:<br />
• The password must not be too similar to the previous password, i.e., at least a minimum number<br />
of the characters must be different. The minimum number is usually ten characters or half of the<br />
characters in the new password (the lower of the two applies).<br />
• The password must not be a ”normal” word. This is checked using a dictionary which contains<br />
predominantly English terms.<br />
• The password must not only be different from the previous password in that formerly uppercase<br />
letters are now lowercase and vice-versa.<br />
The libpam_doc package contains further information on Cracklib.<br />
16.6 Individual websites cannot be accessed<br />
Problem:<br />
It is not possible to connect to certain websites although other websites on the Internet and computers in<br />
the Internet are accessible.<br />
Potential cause:<br />
The router to the Internet does not support ECN.<br />
Background:<br />
ECN (Explicit Congestion Notification) is an extension of the Internet protocol, which has replaced TOS and<br />
now represents the standard. ECN recognises possible network connection overloads early and adapts<br />
the flow of files sent per time unit accordingly. This means that fewer file packages go missing and fewer<br />
files need to be resent. The file quantities are reduced on the whole and file transfer accelerated.<br />
<strong>UCS</strong> is configured as standard that ECN is used.<br />
ECN is supported by almost all network components (hardware and software). Nevertheless, for data<br />
exchange via the Internet, a computer wishing to use ECN will always check first that the communications<br />
partner understands ECN to be on the safe side. If one of the computers does not understand ECN, ECN<br />
will not be used.<br />
Problems can still occur when one of the connecting links between the sending and receiving computers<br />
does not support ECN and changes the data package. (Normally connecting links simply pass on the<br />
304
16.7 Thin clients experience log-in problems in a domain spread over several locations<br />
package unchanged so that any lack of ECN support in the connecting links will not have any negative<br />
consequences. If the router to the Internet is what is causing the disruptions, websites which use ECN will<br />
not be accessible. To-date we have had a report of this from a Netgear router.<br />
Solution: If the router to the Internet is what is causing the disruptions, the router’s firmware must be<br />
updated.<br />
Alternatively, ECN can be deactivated on a <strong>UCS</strong> server by including the line<br />
net/ipv4/tcp_ecn=0<br />
in the /etc/sysctl.conf file.<br />
16.7 Thin clients experience log-in problems in a domain spread over several<br />
locations<br />
If no authentication server (Kerberos server) is specified for thin clients in the Thin client configuration<br />
tab or via a policy, this is determined by the thin client using service records in DNS. The thin client attempts<br />
to authenticate itself over the determined Kerberos server. Log-in problems may be experienced when not<br />
all users can be authenticated via all the Kerberos servers in a domain.<br />
This situation typically occurs in organisations with several locations, where users are only allowed to log-<br />
in at certain locations, but where the Kerberos servers for all locations can be located over DNS. This<br />
problem can be avoided when the Kerberos server(s) for the location where the thin client is connected<br />
are entered there.<br />
16.8 How do I change the <strong>Univention</strong> Directory Manager timeout?<br />
The timeout for the <strong>Univention</strong> Directory Manager web interface can be set using the <strong>Univention</strong> Config-<br />
uration Registry variable directory/manager/timeout. The desired length is given in seconds. The<br />
command<br />
univention-config-registry set directory/manager/timeout=3600<br />
is used to set the timeout, e.g., at one hour. Is is also possible to set the <strong>Univention</strong> Configuration Registry<br />
variable with <strong>Univention</strong> Management Console.<br />
16.9 Why are NFS shares not mounted during boot-up?<br />
This problem can occur when the NFS shares are entered in the /etc/fstab file with the computer name<br />
instead of the IP address.<br />
The directories which are entered in the /etc/fstab file are mounted right at the beginning when the<br />
computer is started. Services such as the BIND DNS service are only started later. For this reason,<br />
computer names in the /etc/fstab file can not yet be resolved by the internal DNS service and NFS<br />
shares without an IP address cannot be mounted. So that these NFS shares can be mounted in the future,<br />
305
16 Frequently asked questions<br />
• the computer name must be replaced with the IP address or<br />
• an external DNS server must be used which can resolve the computer name<br />
• the server must be entered in the /etc/hosts file.<br />
The /etc/hosts file is generated from several files under <strong>UCS</strong>. The server must thus be entered in a<br />
customer-specific file below /etc/univention/templates/files/etc/hosts.d/.<br />
Example:<br />
The NFS share can be found on a server with the FQDN ucs-file-server.company.com and the IP ad-<br />
dress 192.168.0.34. A /etc/univention/templates/files/etc/hosts.d/20-custom file with<br />
the following contents must be created:<br />
192.168.0.34 ucs-file-server.firma.com ucs-file-server<br />
The new <strong>Univention</strong> Configuration Registry file must then be published and the configuration file rewritten<br />
(see Chapter 14).<br />
16.10 What does ”No DB server name found.” mean?<br />
The following message may appear when installing software with the univention-install command:<br />
Cannot find Service-Record of _pkgdb._tcp.<br />
No DB-Server-Name found.<br />
The message states that no DNS service record with the name _pkgdb._tcp has been found and the<br />
computer thus does not know the name of the package status database server.<br />
As standard, all <strong>UCS</strong> systems attempt to share their installation status with the software monitor. For<br />
this reason, they search for the DNS service record of the package status database following software<br />
installation. If the software monitor is not used, there is no corresponding DNS service record and the<br />
message appears. By setting the <strong>Univention</strong> Configuration Registry variable pkgdb/scan to no, the the<br />
affected computer can be configured to not send information to the software monitor. The DNS request is<br />
then not run and the message will not be shown. There is no urgency in changing this setting as the failed<br />
DNS request for the service record does not cause a notable time delay or any particular network load.<br />
16.11 Computer name and network settings in Windows XP Prof.<br />
The current network configuration can be displayed on a Windows computer via Start ➞ Run ➞ Open ➞<br />
cmd ➞ [OK] ➞ ipconfig /all.<br />
The MAC address is designated as Physical address in the display. Ensure that the individual parts of<br />
the MAC address in <strong>Univention</strong> Directory Manager are saved separated by colons (“:”). MAC addresses<br />
that are input separated by (“-”) will also later be shown with colons.<br />
The DHCP activated output shows whether the IP address was retrieved over a DHCP server or entered<br />
locally on the computer. The network configuration can be changed as follows:<br />
306
16.12 Avoiding double log-ins on Windows terminal servers<br />
• Opening Start ➞ System control ➞ Network- and internet connections ➞ Network connections<br />
➞ LAN connection<br />
• Select the [Settings] button in the dialogue that opens on the General tab.<br />
• The Settings of LAN connection dialogue opens, in which Internet protocol (TCP/IP) must be<br />
ticked and the [Properties] button selected.<br />
• To deactivate local settings, the Retrieve IP address automatically and Retrieve DNS Ssrver ad-<br />
dress automaticallly checkboxes on the General tab must be activated and the change confirmed<br />
with [OK].<br />
For a computer to join a domain, the locally entered computer name must also match the name entered<br />
in the LDAP directory with <strong>Univention</strong> Directory Manager. Right click on System in the Start menu and<br />
select the entry Properties to adapt the computer name. A dialogue for changing the computer name can<br />
then be opened via the Modify button on the Computer name tab. The new name should be entered in<br />
the Computer name input field and the change confirmed with OK. Windows computers then need to be<br />
restarted for the changes to take effect.<br />
16.12 Avoiding double log-ins on Windows terminal servers<br />
If a connection to a Windows terminal server is selected as the type of session on an <strong>UCS</strong> thin client,<br />
the user normally needs to log in twice. In the first step he logs in to the GDM log-in manager and the<br />
second step is a renewed log-in to the terminal server. This is necessary as Windows terminal servers<br />
with standard settings do not allow transferral of the password from the accessing application (in this case:<br />
rdesktop) to the user log-in. This prevents rdesktop from using the user password transferred from the<br />
gdm log-in manager directly for the log-in.<br />
To avoid the renewed log-in request on the terminal server, select Start ➞ System Services ➞ Terminal<br />
services configurationn ➞ Connections (Windows 2000) or Start ➞ Programs ➞ Connections ➞<br />
Terminal services configuration ➞ Connection (Windows 2003) RDP TCP connection with a right<br />
click. The Login settings can be found under Properties. Selecting Login settings and deactivating<br />
the Always request password control box adopts the change. It is now no longer necessary to enter the<br />
password a second time when choosing the ”Windows terminal server” session type.<br />
307
16 Frequently asked questions<br />
308
Bibliography<br />
[1] <strong>Univention</strong>. Overview of available <strong>UCS</strong> documentation. 2010.<br />
http://www.univention.de/en/download/documentation/documentation/.<br />
[2] <strong>Univention</strong>. Listener/Notifier replication (currently only available in German). 2010.<br />
http://www.univention.de/fileadmin/download/dokumentation_<strong>2.4</strong>/ucs-<br />
listener-notifier.pdf.<br />
[3] <strong>Univention</strong>. Profile-based <strong>UCS</strong> installations (currently only available in German) . 2010.<br />
http://www.univention.de/fileadmin/download/dokumentation_<strong>2.4</strong>/ucs-<br />
installation-profil.pdf.<br />
[4] <strong>Univention</strong>. <strong>UCS</strong> Windows Installer (currently only available in German). 2010.<br />
http://www.univention.de/fileadmin/download/dokumentation_<strong>2.4</strong>/ucs-<br />
windows-installer.pdf.<br />
[5] <strong>Univention</strong>. <strong>UCS</strong> Fax services (currently only available in German) . 2010.<br />
http://www.univention.de/fileadmin/download/dokumentation_<strong>2.4</strong>/ucs-fax.pdf.<br />
[6] <strong>Univention</strong>. Administrating <strong>Univention</strong> Directory Manager on the command line (currently only<br />
available in German). 2010.<br />
http://www.univention.de/fileadmin/download/dokumentation_<strong>2.4</strong>/univention-<br />
directory-manager-cli.pdf.<br />
[7] <strong>Univention</strong>. <strong>Univention</strong> Directory Reports (currently only available in German). 2010.<br />
http://www.univention.de/fileadmin/download/dokumentation_<strong>2.4</strong>/ucs-<br />
directory-reports.pdf.<br />
[8] <strong>Univention</strong>. <strong>Univention</strong> Corporate Server - Manual for users and administrators. 2010.<br />
http://www.univention.de/fileadmin/download/documentation_english/<br />
handbuch_ucs24_en.pdf.<br />
[9] Jelmer R. Vernooij, John H. Terpstra, and Gerald (Jerry) Carter. The Official Samba 3.2.x HOWTO<br />
and Reference Guide. 2010.<br />
http://samba.org/samba/docs/Samba3-HOWTO.pdf.<br />
[10] <strong>Univention</strong>. Managing KDE desktop profiles (currently only available in German). 2010.<br />
http://www.univention.de/fileadmin/download/dokumentation_<strong>2.4</strong>/ucs-kde-<br />
profile.pdf.<br />
[11] <strong>Univention</strong>. Filesystem quota (currently only available in German). 2010.<br />
http://www.univention.de/fileadmin/download/dokumentation_<strong>2.4</strong>/ucs-<br />
benutzer-quota.pdf.<br />
309
Bibliography<br />
[12] <strong>Univention</strong>. Nagios with <strong>UCS</strong> (currently only available in German). 2010.<br />
http://www.univention.de/fileadmin/download/dokumentation_<strong>2.4</strong>/ucs-<br />
nagios.pdf.<br />
[13] <strong>Univention</strong>. <strong>Univention</strong> Wiki - UVMM - Quickstart Guide (currently only available in German). 2011.<br />
http://http://wiki.univention.de/index.php?title=UVMM_Quickstart.<br />
[14] <strong>Univention</strong>. <strong>Univention</strong> Wiki - UVMM - Technische Details (currently only available in German). 2011.<br />
http://wiki.univention.de/index.php?title=UVMM_Technische_Details.<br />
[15] <strong>Univention</strong>. Migrating Windows domains to <strong>UCS</strong> (currently only available in German). 2010.<br />
http://www.univention.de/fileadmin/download/dokumentation_<strong>2.4</strong>/ucs-<br />
windows-migration.pdf.<br />
[16] <strong>Univention</strong>. <strong>Univention</strong> Active Directory Connector. 2010.<br />
http://www.univention.de/fileadmin/download/documentation_english/ucs-ad-<br />
connector_en.pdf.<br />
[17] Gustavo Noronha Silva. APT HOWTO . 2010.<br />
http://www.debian.org/doc/manuals/apt-howto/.<br />
[18] <strong>Univention</strong>. Kolab2 for <strong>UCS</strong> document (currently only available in German). 2010.<br />
http://www.univention.de/fileadmin/download/dokumentation_<strong>2.4</strong>/kolab2-<br />
ucs.pdf.<br />
[19] <strong>Univention</strong>. Scalix for <strong>UCS</strong> (currently only available in German). 2010.<br />
http://www.univention.de/fileadmin/download/dokumentation_2.2/ucs-<br />
scalix.pdf.<br />
[20] <strong>Univention</strong>. Creating software package for <strong>UCS</strong> (currently only available in German). 2010.<br />
http://wiki.univention.de/index.php?title=Paketierung_von_Software_f%C3%<br />
BCr_<strong>UCS</strong>.<br />
[21] <strong>Univention</strong>. <strong>Univention</strong> Corporate Desktop - Manual for aministrators. 2011.<br />
http://www.univention.de/fileadmin/download/dokumentation_ucd/handbuch-<br />
ucd-3.1_en.pdf.<br />
[22] <strong>Univention</strong>. UVMM - Windows-Systeme mit virtIO installieren (currently only available in German).<br />
2011.<br />
http://wiki.univention.de/index.php?title=UVMM-Windows-Systeme-mit-<br />
virtio-Treibern-installieren.<br />
[23] <strong>Univention</strong>. <strong>Univention</strong> Wiki - DVS - Technische Details (currently only available in German). 2011.<br />
http://wiki.univention.de/index.php?title=DVS-Technische-Details.<br />
[24] <strong>Univention</strong>. Software RAID with <strong>UCS</strong> (currently only available in German). 2010.<br />
http://www.univention.de/fileadmin/download/dokumentation_<strong>2.4</strong>/ucs-expert-<br />
partition.pdf.<br />
[25] <strong>Univention</strong>. Opsi (open pc server integration). 2011.<br />
310<br />
http://wiki.univention.de/index.php?title=Opsi_%28open_pc_server_integration%<br />
29.
[26] <strong>Univention</strong>. Web proxies with <strong>UCS</strong> (currently only available in German). 2010.<br />
http://www.univention.de/fileadmin/download/dokumentation_<strong>2.4</strong>/ucs-<br />
proxy.pdf.<br />
[27] <strong>Univention</strong>. <strong>UCS</strong> Backup (currently only available in German). 2010.<br />
http://www.univention.de/fileadmin/download/dokumentation_<strong>2.4</strong>/ucs-<br />
backup.pdf.<br />
[28] <strong>Univention</strong>. Managing SSL certificates with <strong>UCS</strong> (currently only available in German). 2010.<br />
Bibliography<br />
http://www.univention.de/fileadmin/download/dokumentation_<strong>2.4</strong>/ucs-ssl.pdf.<br />
[29] <strong>Univention</strong>. Integrating external Unix/Linux systems (currently only available in German). 2010.<br />
http://www.univention.de/fileadmin/download/dokumentation_<strong>2.4</strong>/ucs-<br />
einbindung-unix-systeme.pdf.<br />
[30] <strong>Univention</strong>. <strong>UCS</strong> Performance guide (currently only available in German). 2010.<br />
http://www.univention.de/fileadmin/download/dokumentation_<strong>2.4</strong>/ucs-<br />
performance-guide.pdf.<br />
[31] <strong>Univention</strong>. Usage scenarios for <strong>Univention</strong> Corporate Server. 2010.<br />
http://www.univention.de/fileadmin/download/documentation_english/ucs-<br />
szenarien_en.pdf.<br />
[32] Tobias Doerffel. iTALC - Intelligent Teaching And Learning with Computers. 2010.<br />
http://italc.sourceforge.net/.<br />
[33] <strong>Univention</strong>. <strong>UCS</strong> Thin Client Services 3.1 - Manual (currently only available in German). 2010.<br />
http://www.univention.de/fileadmin/download/dokumentation_ucs_tcs/ucs-<br />
tcs_3_1.pdf.<br />
311