www.novell.com/documentation
Installation and Administration
Guide
Novell Kanaka for Mac
Version 2.8.2
November 3, 2015
Legal Notices
Condrey Corporation makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further,
Condrey Corporation reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.
Further, Condrey Corporation makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Condrey Corporation reserves the right to make changes to any and all parts of the software at any time, without obligation to notify any person or entity of such revisions or changes. See the Software EULA for full license and warranty information with regard to the
Software.
Any products or technical information provided under this Agreement may be subject to U.S. export controls and the trade laws of other countries. You agree to comply with all export control regulations and to obtain any required licenses or classification to export, re-export, or import deliverables. You agree not to export or re-export to entities on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses. Condrey Corporation assumes no responsibility for your failure to obtain any necessary export approvals.
Copyright © 2015 Condrey Corporation. All Rights Reserved.
No part of this publication may be reproduced, photocopied, or transmitted in any fashion without the express written consent of the publisher.
Condrey Corporation
122 North Laurens St.
Greenville, SC, 29601
U.S.A.
http://condrey.co
Trademarks
The Condrey Corporation “C’s” logo is a trademark of Condrey Corporation in the U.S. and other jurisdictions. Mac, and Mac OS X are trademarks or registered trademarks of Apple, Inc. in the U.S. and other countries. Novell, NetWare, eDirectory, and SUSE are trademarks or registered trademarks of Novell, Inc. in the U.S. and other countries. Linux is a trademark or registered trademark of Linus Torvalds in the U.S. and other countries.
For Novell trademarks, see the Novell Trademark and Service Mark list (http://www.novell.com/company/legal/trademarks/tmlist.html).
Third-Party Materials
All third-party trademarks are the property of their respective owners.
Contents
About This Guide 5
1 What’s New 7
2 Overview 9
3 Prerequisites 17
4 Upgrading from Version 2.7 to 2.8.2 25
5 Installing and Configuring the Engine 27
6 Installing the Plug-In and the Desktop Client 37
7 Using the Kanaka Plug-In 43
8 Using the Kanaka Desktop Client 47
9 eDirectory Password Expiration 51
10 Migrating from Kanaka for eDirectory to Novell Kanaka for Mac 57
11 Parsing Novell Login Scripts 59
12 Reference 63
A Documentation Updates 77
4 Novell Kanaka for Mac 2.8.2 Installation and Administration Guide
About This Guide
This guide is written to provide network administrators the conceptual and procedural information for enabling Mac connectivity to Novell network storage resources through Novell Kanaka for Mac.
Chapter 1, “What’s New,” on page 7
Chapter 2, “Overview,” on page 9
Chapter 3, “Prerequisites,” on page 17
Chapter 4, “Upgrading from Version 2.7 to 2.8.2,” on page 25
Chapter 5, “Installing and Configuring the Engine,” on page 27
Chapter 6, “Installing the Plug-In and the Desktop Client,” on page 37
Chapter 7, “Using the Kanaka Plug-In,” on page 43
Chapter 8, “Using the Kanaka Desktop Client,” on page 47
Chapter 9, “eDirectory Password Expiration,” on page 51
Chapter 10, “Migrating from Kanaka for eDirectory to Novell Kanaka for Mac,” on page 57
Chapter 11, “Parsing Novell Login Scripts,” on page 59
Chapter 12, “Reference,” on page 63
Appendix A, “Documentation Updates,” on page 77
Audience
This guide is intended for network administrators who manage network client access to Novell storage resources in Novell eDirectory.
Feedback
We want to hear your comments and suggestions about this guide. Please use the User Comment feature at the bottom of each page of the online documentation, or go to www.novell.com/documentation/feedback.html and enter your comments there.
Documentation Updates
For the most recent version of the Novell Kanaka for Mac Installation and Administration Guide, visit the Novell Kanaka for Mac Documentation Web site (http://www.novell.com/documentation/kanaka).
1 What’s New
Version 2.8.2 of Novell Kanaka for Mac is the latest version of a product that was first introduced in 2005. There have been enhancements with each new version of the product. An overview of some of the more notable changes in architecture, performance, features, and distribution follows:
Section 1.1, “New in Version 2.8.2,” on page 7
Section 1.2, “New in Version 2.8.1,” on page 7
Section 1.3, “New in Version 2.8,” on page 7
Section 1.4, “New in Version 2.7,” on page 7
Section 1.5, “New in Version 2.6,” on page 8
1.1 New in Version 2.8.2
Bug Fix: Client Connections Exhaust Engine Threads
During the TLS handshake, a timeout or error condition in the Kanaka Plug-in could cause the Kanaka Engine to exhaust its maximum number of incoming threads. This resulted in the Engine being unable to accept new connections and required a restart of the Engine service for clients to connect again.
1.2 New in Version 2.8.1
Support for OS X Yosemite
Yosemite, Mac OS X 10.10 is supported.
1.3 New in Version 2.8
Security Update During Installation
Novell Kanaka for Mac 2.8 was developed to address a very minor security vulnerability that takes place while the product is being installed. In comparison to Novell Kanaka for Mac 2.7, there are no new features in Version 2.8. If you are currently running Novell Kanaka for Mac 2.7, we recommend that you do not upgrade to Version 2.8.
1.4 New in Version 2.7
Updated Interface
The interfaces for the installation packages, Web browser-based management, Desktop Client login, and user self-management have all been updated.
Login Script Parsing
Novell Kanaka for Mac 2.7 offers the ability to parse login scripts. When you select an option in the Kanaka policy, the Kanaka Plug-in or Desktop Client mounts storage based on drive mappings in the eDirectory login scripts.
For more information, see Chapter 11, “Parsing Novell Login Scripts,” on page 59 and .
Certificate Management
Enhanced SSL Certificate Management enables you to generate your own SSL certificates. The certificate is a 2048-bit RSA private key and is stored as a .pem file in the Engine config directory.
Novell Storage Manager Container Based Collaborative Storage Support
In addition to group based collaborative storage support in Novell Storage Manager, Novell Kanaka for Mac now supports container based storage.
For more information, see Section 12.3, “Collaborative Storage,” on page 65.
1.5 New in Version 2.6
Distribution through Novell
With the release of Novell Open Enterprise Server 11, Novell and Condrey Corporation have negotiated that the Condrey Corporation product formerly known as Kanaka for eDirectory be renamed Novell Kanaka for Mac and be distributed through Novell.
Removal of Product License
Previous versions of the product required a product license. Version 2.6 of Novell Kanaka for Mac does not require a product license.
Updated Interface
The interfaces for the installation packages, Web browser-based management, Desktop Client login, and user self-management have all been updated.
2 Overview
Section 2.1, “Installers and Executables,” on page 10
Section 2.2, “Engine,” on page 10
Section 2.3, “Management Interface,” on page 10
Section 2.4, “Kanaka Plug-In,” on page 10
Section 2.5, “Kanaka Desktop Client,” on page 14
Section 2.6, “Deciding Which Access Method to Use,” on page 15
Novell Kanaka for Mac provides Mac OS X users automated single login access to Novell eDirectory storage resources through flexible login options. The Kanaka Plug-in component allows users to simultaneously log in to Mac OS X and mount storage resources through a single username and password. The Kanaka Desktop Client allows users to access network storage resources after they have logged in as a local user to Mac OS X.
Figure 2-1 Novell Kanaka for Mac Architecture
The components of Novell Kanaka for Mac include the Engine, the management interface, and two methods of accessing Novell storage resources from a Mac: the Kanaka Plug-in and the Kanaka Desktop Client. An expanded discussion of each of these components follows:
2.1 Installers and Executables
Novell Kanaka for Mac is delivered via an ISO image. All components are in the ISO.
NOTE: Novell Open Enterprise customers with a current Maintenance contract can download Novell Kanaka for Mac for free through the Novell Customer Care Center (https://login.attachmategroup.com/nidp/idff/sso?id=5&sid=4&option=credential&sid=4).
2.2 Engine
The Engine performs actions that enable communication between Macs and Novell eDirectory. These actions include:
Extending the eDirectory schema
Creating a proxy user for performing certain tasks
Storing volume client protocol information in eDirectory
Assigning group home folders
Authenticating users
2.3 Management Interface
All Novell Kanaka for Mac management tasks are done through a browser-based management interface. The management interface is available after the Engine has been installed.
2.4 Kanaka Plug-In
Introduced in 2005, the Kanaka Plug-in simplifies authentication to eDirectory along with access to a user’s network home directory and collaborative storage through a single password login process.
The Kanaka Plug-in requires users to enter valid eDirectory credentials via the Mac OS X login window in order to log in and gain access to the desktop and any storage resources that are made available to them.
Figure 2-2 The Kanaka Plug-In Authenticates via the Mac OS X Login Window
NOTE: The technology in Novell Kanaka for Mac was developed with the encouragement and on-site engineering support from the Apple Directory Services Engineering group. Apple recommends the product as a preferred solution for Mac integration with Novell eDirectory.
As an identity-based product, Kanaka utilizes Novell eDirectory to view network user and collaborative storage attributes that pertain to a user and then mounts the storage resources accordingly.
Figure 2-3 Mac OS X Finder
The screen shot above shows the Mac OS X Finder displaying a user’s network storage resources.
Novell Kanaka for Mac can be configured so that these storage resources are mounted on the Mac OS X desktop or as shortcuts in the Dock.
Novell Kanaka for Mac brings together native Mac OS X technology, standard eDirectory authentication, and Novell’s Native File Access connectivity. Kanaka communicates with Novell eDirectory to perform contextless user authentication and retrieve identity information in order to automatically mount both user home directories and collaborative storage resources located on Novell file servers via Novell’s Native File Access protocols.
Native File Access allows OS X systems to connect to Novell servers through AFP or CIFS/SMB (Common Internet File System/Server Message Block) protocols. Novell Kanaka for Mac also leverages Novell NetStorage by providing the ability to automatically mount storage resources defined by Storage Location Objects.
2.4.1 Authentication and Mounting via the Kanaka Plug-In
While logging in to Mac OS X, the user is simultaneously authenticated to eDirectory through a Novell Simple or Universal password. From eDirectory, Novell Kanaka for Mac then retrieves identity information specific to the user including the home directory, Novell login script, and collaborative storage attributes.
Upon retrieving these attributes, the Kanaka Plug-in converts them from their native format into a URL format that is needed by Mac OS X to mount the storage resource. Depending on the configuration, the URL format can be AFP or CIFS/SMB.
The process for mounting collaborative storage resources, as well as eDirectory Storage Location Objects, is the same as the process for mounting user home directories.
IMPORTANT: When authenticating using the Kanaka Plug-In, the Mac workstation must not contain a local user account with the same name as the network account. If Mobility is enabled, a local “Mobile” account will be created.
2.4.2 Kanaka Plug-In, OS X, and Mobile Accounts
The Kanaka Plug-in leverages Apple’s Mobile Account feature. Mobile accounts combine the ease of management in network accounts with the performance and portability of local home directories. The concept is that the user account information is stored in a network directory service. At login, it is cloned to the local directory on a client system. You have the option of cloning network home directory contents to the local system and the flexibility to configure the mirroring of your work so that your network home directory and your local home directory always contain the same data.
When a user logs into a Mac, based on its configuration, the Kanaka Engine indicates if the user is to be a network account or a mobile account. If mobile accounts are enabled, Mac OS X creates a mobile account for the user if one doesn’t already exist. If a mobile account does exist, Mac OS X updates its locally cached information for the user and the login proceeds. In both cases the user’s network home directory and collaborative storage resources are mounted.
Mobile Accounts provide several benefits:
Less network traffic than traditional network accounts. Reading and writing from the user’s network home directory can be minimized.
User’s network home directory quotas can be smaller. ~/Library is not stored in the network home directory.
If the network is down or the laptop is not on the corporate network, users can still log in to their local accounts with their eDirectory usernames and passwords.
Apple provides a synchronization service for users to sync their local home directories with their network home directories and vice versa.
2.4.3 Kanaka Plug-In Console
Users who authenticate to eDirectory via the Kanaka Plug-in can use the Kanaka Plug-in Console to view and minimally manage their identity within eDirectory. Kanaka Plug-in Console options let users view select user account information, monitor the quota for their network user and collaborative storage space, and change their eDirectory passwords.
Figure 2-4 Identity Information Displayed in the Kanaka Plug-In Console
Clicking Identity displays eDirectory identity information, including the user’s FDN (fully distinguished name).
The Kanaka Plug-in Console lists all mounted network storage resources for the user along with storage quota data.
Figure 2-5 eDirectory Password Management through the Kanaka Plug-in Console
The Kanaka Plug-in Console also lets users change their eDirectory passwords natively through the OS X platform.
2.5 Kanaka Desktop Client
The Kanaka Desktop Client is the sensible connectivity option for users who require access to network storage resources, but are not required to authenticate to eDirectory each time they log in to a Mac. Users who already have local accounts, for example, might prefer this option because it does not require a process to convert their local account to a network account, which is required with the Kanaka Plug-in.
Additionally, the Kanaka Desktop Client is ideal for Mac users who are on the go and often connect to the organization’s network via VPN. Novell Kanaka for Mac allows you to first log in to your organization’s VPN and then use the Kanaka Desktop Client to access your network storage.
2.5.1 Authentication and Storage Mounting via the Kanaka Desktop Client
The process for authenticating to eDirectory begins with entering your eDirectory username and password in the Kanaka Desktop Client login window:
Figure 2-6 The Kanaka Desktop Client
From there, the process of mounting your network home directory and collaborative storage follows the same process as the Kanaka Plug-in.
2.6 Deciding Which Access Method to Use
Depending on your environment, there might be scenarios where the Kanaka Plug-in is the preferred method of access over the Kanaka Desktop Client, and vice-versa. The table below provides some scenarios where one access method might be preferred over another.
Table 2-1 Decision Matrix for Which Method of Access to Use
Scenario: Suggested Access Method
Mac OS X users in a computer lab setting: Kanaka Plug-in
Mac OS X users with assigned workstations and local accounts: Kanaka Desktop Client
Mac OS X users who do not want to go through the login window to access network storage resources: Kanaka Desktop Client
Mac OS X users who do not want to lose their workstation settings when accessing network storage resources: Kanaka Desktop Client
Mac OS X mobile users who frequently work at home and connect to the organization’s network via VPN: Kanaka Desktop Client
Mac OS X 10.4 users: Kanaka Plug-in (the Kanaka Desktop Client works only with Mac OS X 10.5 and above)
3 Prerequisites
This section provides the procedures for completing necessary prerequisite tasks before you can install and configure Novell Kanaka for Mac.
Section 3.1, “Enabling Native File Access and Protocols,” on page 17
Section 3.2, “Determining Which Protocols to Enable,” on page 17
Section 3.3, “Password Management,” on page 18
Section 3.4, “Testing AFP or CIFS,” on page 19
Section 3.5, “Generating Certificates,” on page 20
3.1 Enabling Native File Access and Protocols
Novell Kanaka for Mac enables communication between Macs and Novell eDirectory through either AFP (Apple File Protocol) or CIFS/SMB (Common Internet File System/Server Message Block).
When you enable either of these protocols, you subsequently enable Novell Native File Access, allowing Mac users to do several things:
Access files on the network
Map network drives
Create shortcuts to the servers
IMPORTANT: Novell Kanaka for Mac adds considerable functionality to Mac OS X connected systems through Novell Native File Access. Native File Access must be configured on each server that a Mac with either the Kanaka Plug-in or the Kanaka Desktop Client might want to connect to.
This includes servers with user home directories as well as servers with collaborative storage folders.
The native protocols allow Mac users to perform the following tasks on the network as if they were working locally:
Create files
Open files
Move files
Save files
Copy files
Delete files
3.2 Determining Which Protocols to Enable
Novell Open Enterprise Server supports both the AFP and CIFS/SMB (listed simply as CIFS in the YaST Control Center interface) protocols.
NOTE: If you prefer, you can enable both AFP and CIFS on the same server.
3.2.1 AFP
AFP is Apple's network protocol solution to provide network file services for Mac OS X and classic Mac OS. Large numbers of Mac clients can mount a remotely located volume (file system) through AFP and use the files simultaneously.
For more information, including procedures for enabling AFP, see the Novell AFP for Linux Administration Guide (http://www.novell.com/documentation/oes11/file_afp_lx/data/h9izvdye.html).
3.2.2 CIFS
CIFS is a network file system plus a set of auxiliary services supported by underlying protocols. CIFS allows the sharing of directories, files, and printers across a network. CIFS includes protocols for service announcement, naming, authentication, and authorization.
For more information, including procedures for enabling CIFS, see the Novell CIFS for Linux Administration Guide (http://www.novell.com/documentation/oes11/file_cifs_lx/data/front.html).
3.3 Password Management
Password management is generally outside the scope of this guide and is covered appropriately in documentation such as the Novell Modular Authentication Services (NMAS) Administration Guide (http://www.novell.com/documentation/nmas33/admin/?page=/documentation/nmas33/admin/data/allq21t.html) and the Novell Password Management Administration Guide (http://www.novell.com/documentation/password_management33/pwm_administration/?page=/documentation/password_management33/pwm_administration/data/bwx6mik.html).
Novell password technologies are in a state of transition, moving slowly from Simple Password authentication to Universal Password authentication. Both password authentication methods are supported in Novell Open Enterprise Server 11 and Novell Kanaka for Mac.
When authenticating to a Mac OS X system, Novell Kanaka for Mac determines the fully distinguished name of the user and then makes the appropriate API calls to verify the password with Novell eDirectory. These APIs are currently limited to only the eDirectory password.
After authentication, user information and storage information are retrieved and returned to the Kanaka Plug-in and Desktop Client. The storage connection information is passed through to the Mac OS X operating system so that it automatically connects to the appropriate network storage through Native File Access. As these connections occur, Native File Access attempts to connect with the same password.
The eDirectory password you use for authentication must match the password you use for Native File Access, whether it’s Simple Password or Universal Password.
If you are using the Simple Password authentication method, you can use either ConsoleOne or iManager to set the Simple Password.
If you are using the Universal Password authentication method, you can use iManager to set up Universal Password policies and apply them to users or containers. After the password policies are put into place, the Universal Password must be populated for each user. In most cases, this means that the user must go through a password change process.
Consult the Novell Password Administration Guide (http://www.novell.com/documentation/password_management33/).
Universal Password is easier than Simple Password to maintain throughout the lifecycle of a user.
Beginning with eDirectory 8.8, Novell APIs have been updated and Novell Kanaka for Mac has been engineered to automatically use the Universal Password for all aspects of authentication and password change, so no synchronization is required.
3.4 Testing AFP or CIFS
Before you install Novell Kanaka for Mac, you should test your Mac connectivity to your Novell Open Enterprise Server machine.
1 From a Mac, log in with a local account.
2 Press Command+K.
3 Do one of the following:
For Macs connected via AFP, type afp://IP_ADDRESS, press Return, then click Connect.
For Macs connected via CIFS, type cifs://IP_ADDRESS, press Return, then click Connect.
4 Log in as a user that has storage on the server.
This should be a user that you intend to be a Kanaka for Mac user.
After authentication, you should see volumes that are accessible via AFP or CIFS.
3.5 Generating Certificates
Novell Kanaka for Mac 2.8.2 now requires you to provide an X.509 certificate signed by a well-known certificate authority. The certificate must be in Privacy Enhanced Mail (PEM) format and must be installed in the appropriate secured location where the Kanaka Engine is running.
Section 3.5.1, “Certificate Types,” on page 20
Section 3.5.2, “Creating a PEM File,” on page 21
3.5.1 Certificate Types
There are two ways of obtaining a trusted certificate. Each method has its pros and cons.
Create a certificate signing request, and have your internal eDirectory certificate authority (CA) sign the certificate. This is referred to as an internal CA.
Create a certificate signing request, and have a trusted third-party certificate authority (CA) sign the certificate. This is referred to as an external CA.
Table 3-1 Internal and External Certificate Authority Considerations
Internal CA
Pros: Free. The expiration date can be extended much further than one issued by an external CA.
Cons: You need to install the certificate on each Mac workstation running Novell Kanaka for Mac 2.8.2.
External CA
Pros: The trusted root is already trusted by the Mac OS X workstation.
Cons: You must depend on a third-party certificate provider. The certificate can be expensive. The certificate normally expires in one or two years.
If you decide to use an external CA, you can obtain a list of CAs that are already trusted from your workstation by going to the Keychain Access and viewing the System Roots.
Figure 3-1 List of Trusted Certificate Authorities
3.5.2 Creating a PEM File
A PEM file is a Base64 ASCII file containing both the certificate and the private key. It is used by the Kanaka Engine for encryption.
IMPORTANT: Be sure to store all your certificates in a secure location.
1 At the server that will host the Kanaka Engine, launch a terminal session.
2 Create a private key and certificate signing request via OpenSSL.
The following command uses OpenSSL to create your private key and certificate signing request (CSR) with a single command.
openssl req -newkey rsa:2048 -keyout private.key -out server.csr
3 When prompted, answer each of the questions pertaining to the certificate.
Country Name (two-letter code): The ISO 3166 two-letter country code pertaining to the country where Kanaka Engine is located.
State or Province (full name): The complete name of your state or province.
Locality Name (such as the city): The complete name of your city.
Organization Name: The name of your company or organization.
Organizational Unit: The name of your department (optional).
Common Name: The name of your server.
Email Address: The email address of the certificate administrator.
Challenge Password: Generally optional, but required by some third-party certificate providers.
4 Submit the server.csr contents to the certificate authority of your choosing.
The certificate authority creates a certificate based on the contents of the CSR file you created in . The certificate authority creates the certificate in one of many formats, such as DER, CER, CRT, or PEM. You can use any of these formats to produce the final PEM format that Novell Kanaka for Mac will use.
5 Convert the certificate to PEM format: openssl x509 -inform DER -outform PEM -in certificate.crt -out certificate.pem
6 Remove the passphrase or password from the certificate: openssl x509 -in certificate.pem -out insecure.certificate.pem
7 Decrypt the private key: openssl rsa -in private.key -out decrypted.private.key
The private key is encrypted by default and needs to be decrypted for the Kanaka Engine to use it.
8 Remove the passphrase or password from the certificate: openssl rsa -in decrypted.private.key -out insecure.decrypted.private.key
9 Create the server.pem file with both the private key and certificate files: cat insecure.decrypted.private.key insecure.certificate.pem > server.pem
The output file must be named server.pem.
For example:
10 Proceed with Chapter 5, “Installing and Configuring the Engine,” on page 27.
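Added example (not part of this guide or of Kanaka itself): a Python checker for the server.pem assembled in Step 9. It verifies what the Engine needs from that file, namely exactly one private key block and one certificate block, a key that is no longer passphrase protected (the result of Step 7), and Base64 bodies that decode to well-formed DER; because the key is stored decrypted, it also flags a file mode that lets group or others read it (chmod 600 is this example's recommendation; the guide only says to keep certificates in a secure location). The sample PEM it builds is constructed and is not a real key or certificate.

```python
"""Structural checks for the server.pem that the Kanaka Engine reads.
Added example; not the guide's or the product's own code."""
import base64
import binascii
import os
import re
import stat
import tempfile

# One PEM block: the label on the BEGIN line must match the END line.
BLOCK_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL
)


def _der_sequence_ok(der: bytes) -> bool:
    """Outer-layer DER sanity check: the bytes must start with a SEQUENCE
    tag (0x30) and the encoded length must match the bytes that follow.
    Both an X.509 certificate and a PKCS#1/PKCS#8 key start this way."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short-form length
        return len(der) == 2 + first
    n = first & 0x7F                      # long form: n length octets follow
    if n == 0 or len(der) < 2 + n:
        return False
    length = int.from_bytes(der[2:2 + n], "big")
    return len(der) == 2 + n + length


def check_server_pem(text: str) -> list:
    """Return the problems found in the PEM text; an empty list means it has
    exactly one private key block and one CERTIFICATE block, the key is not
    passphrase protected, and both bodies decode to well-formed DER."""
    problems = []
    blocks = BLOCK_RE.findall(text)
    labels = [label for label, _ in blocks]
    n_keys = sum(1 for lbl in labels if lbl.endswith("PRIVATE KEY"))
    n_certs = labels.count("CERTIFICATE")
    if n_keys != 1:
        problems.append(f"expected exactly one private key block, found {n_keys}")
    if n_certs != 1:
        problems.append(f"expected exactly one CERTIFICATE block, found {n_certs}")
    for label, body in blocks:
        # PKCS#8 encrypted keys change the label; traditional OpenSSL keys
        # carry a Proc-Type header. Either means the openssl rsa step was skipped.
        if label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body:
            problems.append(f"{label}: key is still passphrase protected")
            continue
        # Drop any header lines (they contain ':'); Base64 lines never do.
        payload = "".join(ln for ln in body.splitlines() if ":" not in ln)
        try:
            der = base64.b64decode(payload, validate=True)
        except binascii.Error:
            problems.append(f"{label}: body is not valid Base64")
            continue
        if not _der_sequence_ok(der):
            problems.append(f"{label}: decoded bytes are not a DER SEQUENCE")
    return problems


def check_pem_file(path: str) -> list:
    """File-level checks on top of check_server_pem: the Engine expects the
    name server.pem, and since the key inside is decrypted the file should
    not be readable by group or others (0600 is this example's recommendation)."""
    problems = []
    if os.path.basename(path) != "server.pem":
        problems.append("file must be named server.pem")
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"mode {mode:04o} exposes the decrypted key; use chmod 600")
    with open(path, encoding="ascii") as fh:
        problems.extend(check_server_pem(fh.read()))
    return problems


def sample_pem(encrypted_key: bool = False) -> str:
    """Constructed sample shaped like server.pem. The DER payload is a
    minimal SEQUENCE { INTEGER 0 }, not a real key or certificate."""
    der_b64 = base64.b64encode(b"\x30\x03\x02\x01\x00").decode("ascii")
    headers = ""
    if encrypted_key:
        headers = ("Proc-Type: 4,ENCRYPTED\n"
                   "DEK-Info: AES-256-CBC,00000000000000000000000000000000\n\n")
    key = (f"-----BEGIN RSA PRIVATE KEY-----\n{headers}{der_b64}\n"
           "-----END RSA PRIVATE KEY-----\n")
    cert = f"-----BEGIN CERTIFICATE-----\n{der_b64}\n-----END CERTIFICATE-----\n"
    return key + cert


def demo_file_check() -> tuple:
    """Write the sample to a temp directory, check it with mode 0600, then
    again after loosening it to 0644; return both problem lists."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "server.pem")
        with open(path, "w", encoding="ascii") as fh:
            fh.write(sample_pem())
        os.chmod(path, 0o600)
        strict = check_pem_file(path)
        os.chmod(path, 0o644)
        loose = check_pem_file(path)
    return strict, loose


if __name__ == "__main__":
    print("passphrase-protected key:", check_server_pem(sample_pem(True)))
    print("0600 / 0644:", demo_file_check())
```

Run it against the real file with check_pem_file("/etc/opt/novell/kanaka/engine/config/server.pem") after Step 13 of the Engine installation; an empty list means the structural checks passed.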
4 Upgrading from Version 2.7 to 2.8.2
IMPORTANT: Novell Kanaka for Mac 2.8 was developed to address a very minor security vulnerability that takes place while the product is being installed. In comparison to Novell Kanaka for Mac 2.7, there are no new features in Version 2.8 or 2.8.2. If you are currently running Novell Kanaka for Mac 2.7, we recommend that you do not upgrade to Version 2.8 or 2.8.2.
However, if you choose to upgrade from Version 2.7 to 2.8, please refer to the considerations in this section.
4.1 Upgrade Considerations
With Novell Kanaka for Mac 2.8.2, the Kanaka Engine and clients validate the certificate being used. This certificate must be trusted by the Mac OS X operating system, and must verify that each of the Mac workstations can communicate with the server specified in the certificate.
This change requires that the Kanaka Engine and all clients be upgraded at the same time. Neither component is backward compatible with a previous version; this compatibility was not possible under the time constraints provided.
Use the ISO HTML installer or copy the appropriate RPM to the server and issue the following command: rpm -Uvh novell-kanaka-engine-2.8.x-x.x~
5 Installing and Configuring the Engine
The Kanaka Plug-in and Kanaka Desktop Client have four basic needs for interacting with the Novell network infrastructure:
Authenticating the user to eDirectory
Retrieving information and interacting with eDirectory
Retrieving information from the Novell File System
Providing access to the Novell File System
All of these are accomplished via the Kanaka Engine, which you install and set up by following the procedures in this section.
Section 5.1, “System Requirements,” on page 27
Section 5.2, “Installing the Kanaka Engine,” on page 28
Section 5.3, “Configuring the Engine,” on page 29
Section 5.4, “Replacing the PEM File,” on page 36
IMPORTANT: You can have multiple Kanaka Engines in the same eDirectory tree. To do so, you must select or create a separate Kanaka proxy object for each server instance in Step 2 of the Setup Wizard.
This is important because each instance of a Kanaka Engine sets a different password for its Kanaka proxy object. If you use the same Kanaka proxy object for each Kanaka Engine, upon completion of the Setup Wizard, the new instance of the Kanaka Engine overwrites the current password for the object in eDirectory. This results in failures to perform operations for the Kanaka Engine instance that was initially configured for the proxy object.
NOTE: Novell Kanaka for Mac does not support clusters, but you can install two engines with identical configurations and then add both servers to the Mac’s Directory Utility when you configure the Kanaka Plug-in (see Step 4 on page 39).
5.1 System Requirements
The Kanaka Engine can be hosted on any of the following machines:
Novell Open Enterprise Server 11 or later
5.2 Installing the Kanaka Engine
IMPORTANT: These procedures do not work unless you have first generated a certificate and created a PEM file. If you have not done so already, do so now by following the procedures in Section 3.5, “Generating Certificates,” on page 20.
1 From the ISO image, copy the RPM file that is applicable to the operating system and architecture of the server that will host the Kanaka Engine.
2 From the server that will host the Kanaka Engine, open a terminal session.
3 Navigate to the RPM file you copied in .
4 At the terminal console, run the following command: rpm -i novell-kanaka-engine-2.8.x.x.x~.rpm
5 At the terminal console, run the following command: novell-kanakaengine-config
This launches the Novell Kanaka for Mac Engine Configuration utility.
6 Press Enter to select the default data path.
or
Specify a new data path.
7 Press 0 to select the displayed IP address.
or
Specify a new IP address.
8 When the HTTP Port [0] option appears, type 0.
9 Unless there is a conflict, accept the default HTTP port number of 3089.
If you need to use another port number, provide the new port number.
10 Press Enter to continue.
11 Select Q to quit and save the configuration.
12 When you are asked if you want to restart the service, do not do so until completing
13 Copy the PEM file that you created in Step 9 on page 22 to the following location:
/etc/opt/novell/kanaka/engine/config
14 Restart the service by selecting Y.
5.3 Configuring the Engine
The Kanaka Engine services all requests made by the Kanaka Plug-in or the Kanaka Desktop Client. Besides performing the initial authentication, the Kanaka Engine allows the Kanaka Plug-in or the Kanaka Desktop Client to operate in a contextless manner to pull relevant individual user and storage access information from eDirectory and the file system and return the information in a format relative to the native Mac OS X operating system.
The Engine also services password change requests, specifies client storage information through the Kanaka Plug-in Console, and informs Novell Kanaka for Mac users of password expirations that will occur in the near future.
1 From a Web browser, launch the management interface by entering https://server_ip_or_DNS_name:3089.
2 Enter eDirectory credentials capable of modifying directory services and schema, such as an Admin or Admin equivalent.
Because you are performing administrative work, you must log in using a fully distinguished name in the Username field. You can use a format such as cn=user.o=org or user.org.
The management interface launches the Setup Wizard.
3 Click Next to extend the eDirectory schema.
As with all schema extensions, be aware that it might take some time for the schema extensions to be synchronized in a large tree.
The following page appears for you to create a proxy user and administration group:
A proxy user is needed because Novell Kanaka for Mac authenticates and operates under the rights of a proxy user.
4 Use the Browse button that corresponds to the Kanaka Proxy Object field to browse to the container where you want the Novell Kanaka for Mac proxy user to reside, then click Save.
Ensure that this user has rights to retrieve user and group information from eDirectory as well as view quota information in the file system of all volumes holding user and collaborative storage.
The name KanakaProxy is appended to the path you specify.
The proxy user object is created in eDirectory after you have completed all tasks in the Setup Wizard.
5 Use the Browse button that corresponds to the Kanaka Administrators Group field to do one of the following:
Locate and select a group whose members you want to be Novell Kanaka for Mac administrators.
Browse to the location where you want the new KanakaAdmins group to reside in eDirectory.
The name KanakaAdmins is appended to the path you specify.
The proxy user account and password are self-managed by the Kanaka Engine. The password is never stored in any location, so there is no concern for security of the password. No two Kanaka Proxy users ever have the same password.
6 Leave the check box selected so the user you are logged in as can be a member of the administrators group.
7 Click Next.
The Kanaka Administrators Group object is created and the logged-in user is added to the group.
The Kanaka Proxy Object is also created. By default, this user object is automatically assigned Supervisor rights at the root of the eDirectory tree. You can remove this rights assignment and assign rights more granularly to the tree and the associated file systems. The object needs the following minimum rights:
Browse Entry rights to the eDirectory tree
Read and Compare Attribute rights to any of the following objects that might be used or accessed through Novell Kanaka for Mac:
Users
Groups
Containers, including Os, OUs, Domains, Countries, and Locales
Login scripts
Profiles
Servers
Volumes
Read and FileScan rights to any file system directories that might be used or accessed by a Novell Kanaka for Mac user, including user home directories, group home directories, or any file system that might be mapped and later accessed through a login script.
The following page appears for you to create a user index:
Novell Kanaka for Mac maintains an index of user objects for the purpose of supporting contextless logins from the Kanaka Plug-in and Kanaka Desktop Client. The index is made up of user objects in a set of search object containers in eDirectory.
8 Use the Browse button to locate a context where your Novell Kanaka for Mac users reside in eDirectory.
9 Click Add, then repeat Step 8 to add another container.
Repeat this step until you have added all the contexts you want to the list.
Novell Kanaka for Mac does not have the ability to differentiate users with the same name in different contexts. If you index containers with users having identical names, those users cannot log in.
10 In the Search Depth region, specify whether you want Novell Kanaka for Mac to search for users only at the top layer of the container, or within subcontainers as well.
11 In the Rebuild Times region, specify the hours when you want Novell Kanaka for Mac to rebuild the index.
You should choose an hour when there is minimal network activity.
12 Click Next.
This begins the build process for the initial index of users.
The index is updated under different circumstances:
Automatically based on individual users logging in.
If a given user is not found in the index, the user is automatically located in the given search containers and dynamically added to the index.
Automatically based on the hourly rebuild times schedule set in the configuration.
Automatically 90 seconds after the engine loads.
On demand using the Novell Kanaka for Mac management interface.
The following page appears:
Novell Kanaka for Mac must be configured for each AFP or CIFS volume name for each volume on the network containing home directories or collaborative storage.
For a description of the process that Novell Kanaka for Mac uses to retrieve mount points for Mac OS X machines, see Section 12.1, “Storage Resources,” on page 63.
If the volume list is empty, this indicates that the initial volume index has not yet completed.
13 Wait until the server has completed the process of creating the volume index.
14 Reload in the browser to refresh the page.
15 After each volume is listed and assigned, click Finish Wizard to conclude the Setup Wizard.
At this point the Kanaka Engine is configured and operational.
When you assign a volume name in the Volume Info section, you must use correct case. AFP mounts in Mac OS X Tiger and later are case-sensitive. You can remove this requirement if you force AFP to be case-insensitive. To do this, go to the server console where you have AFP installed, open a terminal session, and issue the following command: afpnames case-insensitive vol
The Server Status page appears, indicating that the Kanaka Engine is now configured.
5.4 Replacing the PEM File
Follow the procedures below to replace the default PEM file with the new PEM file that you created in Section 3.5, “Generating Certificates,” on page 20.
1 From the server hosting the Kanaka Engine, launch a terminal session.
2 Copy the PEM file that you created in Step 9 on page 22 to the following path:
/etc/opt/novell/kanaka/engine/config
3 Stop the Kanaka Engine: rcnovell-kanakaengined stop
4 Restart the Kanaka Engine: rcnovell-kanakaengined start
6 Installing the Plug-In and the Desktop Client
This section includes the procedures for installing the two client options for Novell Kanaka for Mac, which are the Kanaka Plug-in and the Kanaka Desktop Client. For a discussion of each of these components, see Section 2.4, “Kanaka Plug-In,” on page 10 and Section 2.5, “Kanaka Desktop .
Section 6.1, “Retrieving the Installation File,” on page 37
Section 6.2, “Installing the Kanaka Plug-In,” on page 37
Section 6.3, “Configuring the Kanaka Plug-In,” on page 38
Section 6.4, “Installing the Kanaka Desktop Client,” on page 40
6.1 Retrieving the Installation File
The Kanaka Plug-in and Desktop client are installed through a single DMG file.
NOTE: In the previously-published version of this guide, procedures for retrieving the installation file from the ISO and a web browser were included. This update does not include those procedures because a new DMG file has been released to support Mac OS X El Capitan (10.11) and the DMG file is available only through the Novell Patch Channel.
1 From the Mac where you want to copy the installation file, open a browser and go to: https://download.novell.com/patch/finder/
2 From the Select a Product drop-down menu, select Open Enterprise Server.
3 From the All Versions drop-down menu, select Novell Kanaka for Mac 2.8.2.
4 From the new download page, click proceed to download.
5 When requested, enter your Novell name and password.
6 Accept the download terms.
7 Download the Kanaka-2.8.2.1.dmg file.
6.2 Installing the Kanaka Plug-In
1 Double-click the Novell_Kanaka_for_Mac-2.8.2.1.dmg file.
2 Double-click Install Kanaka Plug-in.
3 Click Continue.
4 Accept the license agreement.
The Kanaka Plug-in is installed on the root volume that contains the System, Library and Applications folders.
6.3 Configuring the Kanaka Plug-In
Depending on which version of OS X you are running on your Mac, you configure the Kanaka Plug-in with either the Directory Access or the Directory Utility application. The application name and location is different in Tiger, Leopard, Snow Leopard, Lion, and Yosemite. The following table shows the location and name:
Table 6-1 Kanaka Plug-In Configuration
Mac OS X Version | Utility Name | Location
Tiger | Directory Access | /Applications/Utilities
Leopard | Directory Utility | /Applications/Utilities
Snow Leopard | Directory Utility | System Preferences>Accounts>Login Options>Network Account Server>Open Directory Utility
Lion (10.7), Mountain Lion (10.8), Mavericks (10.9), Yosemite (10.10), El Capitan (10.11) | Directory Utility | System Preferences>Users & Groups>Login Options>Network Account Server>Open Directory Utility
6.3.1 Configuring the Kanaka Plug-In
1 Launch the Directory Utility.
2 Click Enable.
3 Double-click the Kanaka row.
4 Specify the IP addresses of the Kanaka Engine servers.
Novell Kanaka for Mac does not support clusters, but you can install two engines with identical configurations and then add both servers to the Mac’s Directory Utility. The Mac tries to connect to the servers in order. If the first one is down, it connects to the next one.
5 Select SSL Port 3089.
You can enter as many servers running Novell Kanaka for Mac as you want.
6 Click OK.
7 Click Apply.
The Kanaka Plug-in is now configured and ready for use.
6.4 Installing the Kanaka Desktop Client
The Kanaka Desktop Client is designed to be a post-login window authentication client. Typical use is for users at home who log in to a local machine, use a VPN to their place of work, then use the client to authenticate to their eDirectory tree and access their home directories and group directories.
1 Double-click the Novell_Kanaka_for_Mac-2.8.2.1.dmg file.
2 Drag the Kanaka Client icon over to the Applications icon.
No configuration is needed for the Kanaka Desktop Client.
7 Using the Kanaka Plug-In
To use the Kanaka Plug-in, simply log in as an eDirectory user. Kanaka provides contextless login, so just the common name of the user is needed. After login, the user’s home directory is mounted and a link is placed in the Dock or the mount point is displayed on the desktop. Kanaka also discovers and mounts group shared storage and places it in the Dock or on the desktop.
Figure 7-1 Mac OS X Dock with the Kanaka Plug-In and Mounted Home Directories Displayed
In the graphic above, the home directory is mounted and is displayed as the home icon. All of the shared directories to which the user has access are placed on the Dock next to the home folder icon.
The contents of the home directory and one of the shared directories are displayed. The Kanaka Plug-in Console provides users identity information, current quota details, and the ability to change the eDirectory password.
Figure 7-2 The Kanaka Plug-in Console Displays Identity Information
Figure 7-3 The Kanaka Plug-in Console Allows Password Management
Figure 7-4 The Kanaka Plug-in Console Displays Storage Capacity Information
8 Using the Kanaka Desktop Client
Section 8.1, “Authentication,” on page 47
Section 8.2, “Storage Properties,” on page 48
Section 8.3, “Home Directory,” on page 49
8.1 Authentication
To use the Kanaka Desktop Client, simply open the Applications folder and double-click the Kanaka Desktop Client icon.
Figure 8-1 The Kanaka Desktop Client Icon
You are prompted to authenticate.
Figure 8-2 Desktop Client Login
Use your contextless eDirectory credentials.
8.2 Storage Properties
Click the home folder to change to the Storage Properties page.
Figure 8-3 Kanaka Desktop Client Property Page
8.3 Home Directory
Double-click the home directory icon to view, browse, and access the contents of the directory.
Figure 8-4 Kanaka Desktop Client Displaying Home Directory Contents
9 eDirectory Password Expiration
Section 9.1, “Kanaka Plug-In,” on page 51
Section 9.2, “Kanaka Desktop Client,” on page 53
9.1 Kanaka Plug-In
When your eDirectory password expires and you have the Kanaka Plug-in installed on your Mac, you are prompted at login time to change your password. The Kanaka Plug-in does not honor grace logins set by ConsoleOne or Universal Password policies, and requires you to enter a new password immediately.
Figure 9-1 Kanaka Plug-In Password Change Dialog Box
9.1.1 Kanaka Plug-In Console
While you are logged into the network, the Kanaka Plug-in Console periodically checks for your password to expire and notifies you exactly five days before it expires.
Figure 9-2 Kanaka Plug-In Console with Password Expiration Information
To change your password, click Change Password in the toolbar.
Figure 9-3
9.2 Kanaka Desktop Client
The Kanaka Desktop Client prompts you to change your password if it has expired. The Desktop Client does not recognize grace logins.
Figure 9-4 Password Error
After you change your password, use the new password to log in.
IMPORTANT: If you are using Universal Passwords and do not have Advanced Password Rules that are identical to settings in ConsoleOne, the Universal Password policy overwrites your ConsoleOne settings. It can remove password expiration altogether if you have nothing set in the Universal Password policy.
Figure 9-5 iManager Password Policy Page
10 Migrating from Kanaka for eDirectory to Novell Kanaka for Mac
Use the following procedures to migrate Condrey Corporation’s Kanaka for eDirectory 2.5 or 2.6 to Novell Kanaka for Mac 2.8.2.
1 Follow the procedures in Chapter 5, “Installing and Configuring the Engine,” on page 27 in the Novell Kanaka for Mac Installation and Administration Guide.
2 When you are prompted to start the service, do not do so until directed in .
3 On the server running the Condrey Corporation Kanaka for eDirectory Engine, locate and copy the following files from the /var/opt/condreycorporation/kanaka/engine/data directory to the /var/opt/novell/kanaka/engine/data directory on the Novell Kanaka for Mac Engine:
clients.dat
policy.dat
storage-resources.dat
userindex.dat
cp /var/opt/condreycorporation/kanaka/engine/data/*.dat /var/opt/novell/kanaka/engine/data
4 On the server running the Condrey Corporation Kanaka for eDirectory Engine, locate and copy the kanaka.conf file from the /etc/opt/condreycorporation/kanaka/engine/config/ directory to the /etc/opt/novell/kanaka/engine/config/ directory on the Novell Kanaka for Mac Engine:
cp /etc/opt/condreycorporation/kanaka/engine/config/kanaka.conf /etc/opt/novell/kanaka/engine/config/kanaka.conf
5 Edit the /etc/opt/novell/kanaka/engine/config/kanaka.conf file so that no data paths point to the old location.
For example:
<DataPath>/var/opt/novell/kanaka/engine/data</DataPath>
<WebRoot>/var/opt/novell/kanaka/engine/data/www</WebRoot>
<Path>/var/opt/novell/kanaka/engine/log</Path>
6 Shut down the Condrey Corporation Kanaka for eDirectory Engine by entering rckanakaengined stop.
WARNING: You must shut down the previous instance of the Kanaka Engine because once the new Kanaka Engine starts, it resets the proxy object's password, and thus causes any new connections to the previous instance of the Kanaka Engine to fail.
7 On the server running the Condrey Corporation Kanaka for eDirectory Engine, locate and copy the salt.dat file from the /var/opt/condreycorporation/kanaka/engine/data/state/ directory to the /var/opt/novell/kanaka/engine/data/state/ directory on the Novell Kanaka for Mac Engine:
cp /var/opt/condreycorporation/kanaka/engine/data/state/salt.dat /var/opt/novell/kanaka/engine/data/state/salt.dat
8 On the server running the Novell Kanaka for Mac Engine, start the service by entering rcnovell-kanakaengined start.
9 Check your log file for any errors by viewing the file at /var/opt/novell/kanaka/engine/log/novell-kanakaengined.log.
10 Uninstall the Condrey Corporation Kanaka for eDirectory Engine RPM. First find the installed package name by entering rpm -q -a | grep kanaka, then remove it by entering rpm -e kanaka-engine-2.x.x-xx.
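The file-copy steps of this procedure (Steps 3, 4, 5 and 7) collected into one shell function with a verification of the rewritten kanaka.conf, as an added example that is not part of the Novell guide. It assumes the old engine's data and config trees are reachable below the given prefixes on the host where it runs (for instance copied there first); the prefix parameters and the kanaka_conf_value helper are this example's own, the paths, file names and rc commands are the ones the guide lists.

```shell
#!/bin/sh
# Added example, not part of the Novell guide: performs the file-copy steps
# (3, 4, 5 and 7) of the Kanaka for eDirectory -> Novell Kanaka for Mac
# migration in one pass and verifies that the copied kanaka.conf no longer
# names the old data location. Directory layout and file names are the ones
# the guide lists. Assumption: the old engine's trees are reachable below the
# given prefixes on this host; the prefix parameters exist so the function
# can be exercised against a scratch tree instead of the real /var/opt and
# /etc/opt. kanaka_conf_value is a helper of this example only.
set -u

# kanaka_migrate_files VAR_PREFIX ETC_PREFIX
#   VAR_PREFIX  parent of condreycorporation/ and novell/ data trees (/var/opt)
#   ETC_PREFIX  parent of condreycorporation/ and novell/ config trees (/etc/opt)
# Returns 0 on success, 1 if a required file is missing or a copy fails.
kanaka_migrate_files() {
    var_prefix="$1"
    etc_prefix="$2"
    old_data="$var_prefix/condreycorporation/kanaka/engine/data"
    new_data="$var_prefix/novell/kanaka/engine/data"
    old_conf="$etc_prefix/condreycorporation/kanaka/engine/config/kanaka.conf"
    new_conf="$etc_prefix/novell/kanaka/engine/config/kanaka.conf"

    mkdir -p "$new_data/state" "$(dirname "$new_conf")" || return 1

    # Step 3: the four engine data files; stop if any one is missing rather
    # than starting the new engine with a partial data set
    for f in clients.dat policy.dat storage-resources.dat userindex.dat; do
        if [ ! -f "$old_data/$f" ]; then
            echo "missing $old_data/$f" >&2
            return 1
        fi
        cp "$old_data/$f" "$new_data/$f" || return 1
    done

    # Step 4: the engine configuration file
    [ -f "$old_conf" ] || { echo "missing $old_conf" >&2; return 1; }
    cp "$old_conf" "$new_conf" || return 1

    # Step 5: rewrite every path (DataPath, WebRoot, log Path, ...) that still
    # points at the old location
    sed -e "s|$var_prefix/condreycorporation/|$var_prefix/novell/|g" \
        -e "s|$etc_prefix/condreycorporation/|$etc_prefix/novell/|g" \
        "$new_conf" > "$new_conf.tmp" || return 1
    mv "$new_conf.tmp" "$new_conf" || return 1

    # Step 7: the salt file, which the new engine needs to reuse the old state
    cp "$old_data/state/salt.dat" "$new_data/state/salt.dat" || return 1

    # Verification: nothing in the new kanaka.conf may reference the old tree
    if grep -q 'condreycorporation' "$new_conf"; then
        echo "$new_conf still references the old location" >&2
        return 1
    fi
    return 0
}

# kanaka_conf_value ELEMENT FILE
# Print the text of the first <ELEMENT>...</ELEMENT> in a kanaka.conf.
kanaka_conf_value() {
    sed -n "s|.*<$1>\(.*\)</$1>.*|\1|p" "$2" | head -n 1
}

# Real run only on request (needs root on the new engine host). Steps 6 and 8
# of the guide still apply: stop the old engine with "rckanakaengined stop"
# before starting the new one with "rcnovell-kanakaengined start", because
# the new engine resets the proxy object's password in eDirectory.
if [ "${KANAKA_MIGRATE:-0}" = 1 ]; then
    kanaka_migrate_files /var/opt /etc/opt \
        && echo "files copied; now stop the old engine, then start the new one"
fi
```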
11 Parsing Novell Login Scripts
Since the release of Version 2.7, Novell Kanaka for Mac can parse eDirectory login scripts and mount the storage for access from the Kanaka clients.
For information on Novell login scripts, refer to the Novell Login Scripts Guide (http://www.novell.com/documentation/linux_client/login/?page=/documentation/linux_client/login/data/ak1lvlq.html).
Additional documentation is available from http://www.novell.com/support/kb/doc.php?id=10068983.
Section 11.1, “Login Script Overview,” on page 59
Section 11.2, “Login Script Sample,” on page 60
11.1 Login Script Overview
A login script is a set of instructions that is executed when a user logs in using the Novell Client for Windows, the Novell Client for Linux, or some other method of login that accesses Novell eDirectory object properties. A login script is simply a text file that the login executable interprets and runs line by line.
When a user successfully logs in to the network, one or more login scripts can be executed that automatically set up the workstation environment.
Login scripts are similar to batch files and are executed by the Novell LOGIN utility.
You can use login scripts to map drives and search drives to directories, display messages, set environment variables, and execute programs or menus.
Login scripts are properties of specific eDirectory objects.
There are four types of login scripts:
Container: Sets the general environments for all users in that container. Container login scripts are executed first and can be associated with Organization or Organizational Unit objects. A user can use only one container login script.
Profile: Sets environments for several users at the same time. Profile login scripts are executed after the container login script and are associated with Profile objects. A user can be assigned only one profile login script that is then associated with the User object in eDirectory. However, other profile login scripts can be assigned by using the PROFILE command in the login script or by selecting a different Profile login script from the Novell Login window.
User: Sets environments (such as printing options or an e-mail username) specific to a single user. User login scripts are executed after any container and profile login scripts and are associated with User objects. A user can have only one user login script. However, the User login script can be overwritten by selecting a different login script from the Novell Login window.
Default: Contains only essential commands, such as drive mappings to certain utilities, and cannot be edited. The default login script runs if a user (including user Admin) doesn’t have a user login script, even if a container or profile login script exists.
NOTE: If you don't want to create any user login scripts and you don't want the default login script to execute for any users, you can disable the default login script by including the NO_DEFAULT command in the container or profile login script.
Maintaining many user login scripts can be time consuming. Therefore, you should try to include as much customization information as possible in the container and profile login scripts, which are fewer in number and easier to maintain.
For example, if all users need access to particular utilities in the same volume, put the search drive mapping to that volume in a single container login script rather than in every user login script.
Create profile login scripts if several users have identical login script needs. Profile login scripts are sometimes thought of as group login scripts.
Finally, in user login scripts, include only those individual items that can't be included in profile or container login scripts. For example, personal drive mappings could be included in the user login script.
IMPORTANT: Because three or more login scripts can execute whenever a user logs in, conflicts can occur and drive mappings can be overwritten by consecutive login scripts. The last login script to execute (usually the user login script) overrides any conflicting commands in a previous login script.
11.2 Login Script Sample
The login script consists of any statements available to NetStorage. In addition, you can use the following statement:
IF <KANAKA> = "1" THEN
MAP *
MAP *
END
This section of the login script is always processed by Novell Kanaka for Mac.
Figure 11-1 Sample Login Script with Mount Instructions for Kanaka for Mac
When you preview the login script parsing from the Kanaka User Interface, you see all the drive mappings that will occur for any particular user.
Figure 11-2 Preview Login Script
12 Reference
Section 12.1, “Storage Resources,” on page 63
Section 12.2, “Cluster Volumes,” on page 64
Section 12.3, “Collaborative Storage,” on page 65
Section 12.4, “Proxy Home,” on page 67
Section 12.5, “Policy,” on page 68
Section 12.6, “NetStorage Integration and Storage Location Objects,” on page 75
12.1 Storage Resources
Before the Kanaka Plug-in or Kanaka Desktop Client can attach to a volume, the AFP/CIFS volume name must be stored in eDirectory for each volume on each server that a Kanaka-based client might want to connect to. This includes servers holding user home directories as well as servers holding collaborative storage. By default the volume name is SERVER.VOLNAME. You can rename how the AFP volume is displayed with the appropriate AFP volume configuration file (for example, /etc/opt/novell/afptcpd/afpvols.conf).
In setting up the Storage Resource list, access can be provided through either AFP or CIFS/SMB. If both are configured, either one can be selected as the access method for a given volume.
As part of the configuration of Native File Access protocols, Apple Filing Protocol (AFP) must be configured for each server and volume. AFP requires that each volume be given a specific name. By default, this name follows the convention SERVER_NAME.VOLUME_NAME. However, these are simply default names and you can name the volumes anything you want. Also, the AFP volume information is not stored in eDirectory, but in AFP-related files.
IMPORTANT: AFP mounts on Mac OS X Tiger and later are case-sensitive.
CIFS requires that each volume be given a specific CIFS virtual server name. By default, this name follows the convention SERVERNAME-W. In addition, the volume must be shared with a particular name. By default, all volumes are shared as their volume name (such as SYS or VOL1). However, these are simply default names and you can name the volumes anything you want. Also, CIFS share and volume information is not stored in eDirectory, but in CIFS-related files.
If only one protocol is configured, it is listed as the access method in the Client Access Protocol column of the Storage Resources list. If both protocols are configured, one access protocol is indicated as the selected protocol, and the option to change to the other is indicated in the same field.
Kanaka clients connect to the Kanaka Engine to retrieve volume and path information that can then be used to auto-mount both user home directories and collaborative (group) storage located on file servers.
In order for Novell Kanaka for Mac to convert a standard path into its AFP equivalent path, it must know the AFP volume name. Therefore, eDirectory must hold a copy of the AFP volume name. One of the Novell Kanaka for Mac schema extensions is an attribute added to the VOLUME object class that allows you to store the AFP volume name along with the volume itself. The Kanaka eDirectory configuration interface adds the schema extensions and provides the Web-based user interface that allows you to set the attribute accordingly.
In order for Novell Kanaka for Mac to convert a standard Novell path into its CIFS equivalent path, it must know the CIFS virtual server name and shared volume names. Therefore, eDirectory must hold a copy of the CIFS virtual server name and shared volume names. One of the Novell Kanaka for Mac schema extensions is an attribute added to the VOLUME object class that allows you to store the CIFS virtual server name along with the shared volume name itself. The Kanaka eDirectory Configuration Interface adds the schema extensions and provides the Web-based user interface that allows you to set the attribute accordingly.
12.2 Cluster Volumes
To attach to a cluster volume, you need to set an alias in the afpvols.conf file in the /etc/opt/novell/afptcpd directory. The contents of the file follow.
This file describes information required to rename and export NSS volumes through the AFP server. If the EXPORT_ALL_VOLUMES configuration option is set to Yes, the information provided in this file is not used to export volumes through the AFP server.
The information provided is used only to rename AFP volumes.
Syntax:
CURRENT_NAME [new_vol]
where CURRENT_NAME is the volume name as seen in the Finder on the Mac, and new_vol is the new volume name.
Use a new line for each volume to be renamed.
Example 1: export the data volume on serverA
serverA.data
Example 2: rename the img volume on serverA to Graphics
serverA.img Graphics
Renaming volumes for clusters:
All shared volumes in a cluster need to be renamed to the same volume name in order for the cluster to be transparent to the user. For example, if your cluster has two servers, serverA and serverB, and they share two volumes, vol1 and vol2, then each server needs an afpvols.conf file that renames the volumes to a common volume name that the user will see in the Finder. The AFP user then uses the same volume name to mount the shared volume and does not know or care whether it is using serverA or serverB.
Example 3: Renaming cluster volumes
afpvols.conf for serverA:
serverA.vol1 sharedVol1
serverA.vol2 sharedVol2
afpvols.conf for serverB:
serverB.vol1 sharedVol1
serverB.vol2 sharedVol2
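A consistency check for the cluster case above, as an added example that is not from the Novell guide: it reads each node's afpvols.conf and confirms that every node exports the same set of shared volume names, so that a mis-typed alias on one node is caught before users mount the cluster volume. The afpvols_aliases and afpvols_cluster_consistent functions are this example's own, and it assumes that lines beginning with # are comments.

```shell
#!/bin/sh
# Added example, not from the Novell guide: verifies that all nodes of a
# cluster rename their volumes to the same shared names in afpvols.conf,
# which the guide requires for the cluster to be transparent to AFP users.
# afpvols.conf syntax (from the guide): CURRENT_NAME [new_vol], one volume
# per line. Assumption of this example: "#" starts a comment.

# afpvols_aliases FILE
# Print the volume names one afpvols.conf exports, sorted and unique.
# A line with two fields exports the volume under the new name; a line with
# only CURRENT_NAME exports it unrenamed.
afpvols_aliases() {
    sed -e 's/#.*//' "$1" \
        | awk 'NF == 2 { print $2; next } NF == 1 { print $1 }' \
        | sort -u
}

# afpvols_cluster_consistent FILE...
# Return 0 when every given afpvols.conf exports the same set of names as
# the first one; otherwise print the first node that differs and return 1.
afpvols_cluster_consistent() {
    ref="$1"
    want=$(afpvols_aliases "$ref")
    shift
    for f in "$@"; do
        got=$(afpvols_aliases "$f")
        if [ "$got" != "$want" ]; then
            printf 'mismatch: %s exports [%s] but %s exports [%s]\n' \
                "$ref" "$(printf '%s' "$want" | tr '\n' ' ')" \
                "$f" "$(printf '%s' "$got" | tr '\n' ' ')"
            return 1
        fi
    done
    return 0
}
```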
12.3 Collaborative Storage
Novell Kanaka for Mac has the capability to automatically mount collaborative (group) storage on Mac OS X. It does this based solely on the identity of the user. Novell Kanaka for Mac uses the Home_Directory attribute, and now the login script attribute, to locate and mount the storage.
The concept of using the Home_Directory attribute to manage group storage originated with Novell Storage Manager, which is a policy-based storage-management solution that revolutionizes use of the Novell file system. Novell Storage Manager unites the user-provisioning functionality of Novell eDirectory solutions with the storage-provisioning capabilities of the Novell file system. As a result, Novell Storage Manager completely automates the creation, management, and deletion of personal and collaborative storage, delivering the industry's only identity-based storage management solution.
Novell Storage Manager extends the Home_Directory concept to the group by adding a Home_Directory attribute to the Group object. Therefore, much like a single user’s home directory, it is easy to locate the storage for the group simply by looking at the Home_Directory attribute of the group.
Novell Kanaka for Mac leverages the Home_Directory attribute of the user object to locate and mount the home directory for the given user. Novell Kanaka for Mac also leverages the group home directory concept invented by Novell Storage Manager by running the group membership list for the user and pulling the Home_Directory attribute for each group the user is a member of and mounting each group directory on the user's Mac OS X system.
However, Novell Storage Manager is not required for Novell Kanaka for Mac to deal with collaborative (group) storage. When the Novell Kanaka for Mac schema extensions are applied to the tree, the Novell Storage Manager group home directory is also added, if it is not already present. This Web interface provides a methodology for assigning the group Home_Directory attribute for each group in the tree, analogous to setting the home directory attribute on a user.
If all group storage is already managed with Novell Storage Manager, there is nothing that you need to do for Novell Kanaka for Mac to auto-mount group storage for all users. Otherwise, you should use Novell Kanaka for Mac to assign the Home_Directory attribute for each group that is not managed by Novell Storage Manager. Simply click Browse the Tree in the menu to the left, locate the group, and click Assign. This allows the administrator to browse to a destination path and set the home directory for the given group.
IMPORTANT: The Engine does not assign the chosen object as a trustee of the directory. You should perform this step via traditional methods.
Figure 12-1 Assigning the Home Directory Attribute to a Group
Figure 12-2 Specifying a Group Directory Path
Figure 12-3 Assigned Group Directories
Figure 12-4 Assigned Container Based Directory
12.4 Proxy Home
Proxy home directories help avoid login failures caused by incorrectly assigned home directories and incorrectly managed volumes.
Mac OS X fails the login if no home directory is provided as part of the login process.
However, Novell Kanaka for Mac can tell the user (and the administrator) why the login is failing: when the "real" home directory cannot be mounted for some reason, a proxy home directory is passed back to the client for mounting instead.
The proxy directories are managed in the Web management interface for Novell Kanaka for Mac at https://server_ip_or_DNS_name:3089
IMPORTANT: The volume on the server where the Kanaka Engine runs must have the Novell Kanaka for Mac AFP/CIFS volume name configured, and AFP/CIFS must be configured so that all users can reach it. Every user who falls back to the proxy home must be able to mount that share, so verify it with an ordinary (non-administrator) account rather than only with an administrative one.
Figure 12-5 Change Proxy Home Page
12.5 Policy
There are several options in Novell Kanaka for Mac that direct the behavior of the client.
These options give some flexibility in the setup to allow a more customized fit for individual installations. There are options for User Management and for Managed Client Settings. Both the Mobility managed client option and Mobility Synchronization require Mac OS X v10.4 or later.
Section 12.5.1, “User Management,” on page 69
Section 12.5.2, “Managed Client Settings,” on page 73
12.5.1 User Management
Figure 12-6 User Management Page
Novell Kanaka for Mac clients request various items of user-related information from eDirectory. The following options allow you to configure how these items are obtained as well as the operation of the clients themselves.
Figure 12-7 Password Management Settings
The two password-management settings shown in Figure 12-7 are selected by default.
Figure 12-8 UID Management Settings
The UID is the numeric user ID, which must be unique for each user logging in to the Mac. This option lets you use an existing number or a randomly generated number from a range of numbers defined by Novell Kanaka for Mac.
The auxiliary attribute class is posixAccount. The attribute is uidNumber.
Because the Mac's file system uses the UID to decide ownership, two users who share a uidNumber, or a network user who shares one with a local account on the workstation, are indistinguishable to local file permissions. Check the attribute for uniqueness before choosing the option that uses existing numbers.
Figure 12-9 GID Management Settings
The GID is the user's primary group ID. It determines the group the Mac uses for the user's file permissions and group-based privileges. By default, Novell Kanaka for Mac sets the GID to 20 (equivalent to "staff" on OS X). If you want your users to have admin privileges on the Mac, you can set the GID to 80 (equivalent to "admin" on OS X), but this is not recommended for lab environments: members of admin can change system settings and use sudo, so a GID of 80 should go only to users who need local administrative rights. The auxiliary attribute class is posixAccount. The attribute is gidNumber.
The third option is based on an extended attribute that is added during the Kanaka installation. The class in eDirectory is named cccKanakaGidNumberClass and the attribute name is cccKanakaGidNumber. You can use this attribute to define the GID for users individually.
For example, if you want students to have a GID of 20 (staff) and teachers or administrators to have a GID of 80 (admin), set the cccKanakaGidNumber attribute for the teachers or administrators to a value of 80 and choose the Use Kanaka alternate GID attribute option.
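As an added example (not code from this guide or from the product), the following Python script models the three GID options above and audits a constructed set of user entries for who would end up in the admin group (GID 80) and for uidNumber collisions. The entry data, the fallback to the default GID when the chosen attribute is absent, and the set of UIDs assumed to exist locally on the workstations are assumptions for the example; in practice the entries would come from an LDAP search of eDirectory for posixAccount users.

```python
# Added example, not part of the Kanaka guide: audit the UID/GID values the
# Engine would hand to the Mac under each GID policy option.
from collections import defaultdict

STAFF_GID = 20   # "staff" on OS X, the Kanaka default
ADMIN_GID = 80   # "admin" on OS X; members can use sudo and change system settings

# Constructed sample of eDirectory user entries (attribute names from the
# guide, values made up for this example).
USERS = {
    "cn=astudent,ou=students,o=school": {"uidNumber": "1001", "gidNumber": "20"},
    "cn=bstudent,ou=students,o=school": {"uidNumber": "1002"},
    "cn=cteacher,ou=staff,o=school": {"uidNumber": "1003", "gidNumber": "20",
                                      "cccKanakaGidNumber": "80"},
    "cn=dteacher,ou=staff,o=school": {"uidNumber": "501", "gidNumber": "80"},
    "cn=eteacher,ou=staff,o=school": {"uidNumber": "1003"},   # duplicate of cteacher
    "cn=fnew,ou=students,o=school": {},                        # no uidNumber yet
}


def resolve_gid(entry, mode, default_gid=STAFF_GID):
    """Return the primary GID Kanaka would supply for one user.

    mode is one of:
      "fixed"  - every user gets default_gid (the guide's default of 20)
      "posix"  - use the posixAccount gidNumber attribute
      "kanaka" - "Use Kanaka alternate GID attribute": cccKanakaGidNumber
    Falling back to default_gid when the chosen attribute is absent is an
    assumption of this example, not documented Kanaka behaviour.
    """
    if mode == "fixed":
        return default_gid
    attr = {"posix": "gidNumber", "kanaka": "cccKanakaGidNumber"}[mode]
    value = entry.get(attr)
    return int(value) if value is not None else default_gid


def audit(users, mode, local_uids=frozenset({0, 501})):
    """Report who lands in the admin group and which uidNumbers collide.

    local_uids models UIDs that already exist on the workstations (root and
    the first local account macOS creates); a network user sharing one of
    those numbers is the same principal to the local file system. The set is
    an assumption for the example.
    """
    by_uid = defaultdict(list)
    admins = []
    for dn, entry in users.items():
        uid = entry.get("uidNumber")
        if uid is None:
            continue  # Kanaka would have to generate one; nothing to check yet
        by_uid[int(uid)].append(dn)
        if resolve_gid(entry, mode) == ADMIN_GID:
            admins.append(dn)
    collisions = {uid: dns for uid, dns in by_uid.items()
                  if len(dns) > 1 or uid in local_uids}
    return {"admins": sorted(admins), "collisions": collisions}


if __name__ == "__main__":
    for mode in ("fixed", "posix", "kanaka"):
        print(mode, audit(USERS, mode))
```

Run it against a real export and the "admins" list is the set of people who will get local administrative rights on every Mac they log in to under that policy; the "collisions" list is what to clean up before switching from generated to existing UIDs.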
Figure 12-10 Full Name Management Options
This region lets you specify how the name is displayed in the Kanaka Plug-in Console, Desktop Client, and the logout option.
Figure 12-11 Home Directory Management Settings
This setting determines whether the user may log in if the Home Directory attribute is not populated. If you choose the proxy directory option, you must add and configure a proxy home directory for your environment. This is a directory with limited rights, in which you can place a message (such as a document or HTML page) explaining that the user does not have a home directory defined and perhaps directing them to a contact at the Help Desk.
Figure 12-12 Settings for Invalid Home Directory Path
This setting indicates whether Novell Kanaka for Mac should actually test for the existence of the path specified in the home directory attribute. The test can take a lot of time, so it is off by default. If you do test for existence and the path does not exist, you can either use the proxy directory or deny the login.
Figure 12-13 Shell Management Setting
This is the default shell for running a terminal session on the Mac.
Figure 12-14 Identity Driven Access Settings
These settings enable the mounting of additional storage other than the user’s home directory.
Enable Kanaka Identity Driven Access: Selecting this option enables you to select the options below.
Enable Group storage lookup: During the installation of Novell Kanaka for Mac, Group objects are extended with an attribute called ccx-FSFManagedPath. In short, it is analogous to having a home directory attribute on a Group object.
NOTE: The base class is not extended until the first collaborative storage is defined in Novell Kanaka for Mac.
Enable Container Collaborative storage lookup: With the release of Novell Kanaka for Mac 2.8.2, container objects can also be extended with an attribute named ccx-FSFManagedPath. In its simplest explanation, it is analogous to having a home directory attribute on a Container object. It treats users in a container as if they were members of a group, without having to manage a group object for those users.
Enable Auxiliary storage lookup: This option works only when you have Novell Storage Manager implemented with Auxiliary storage defined and enabled. Auxiliary Storage is like having multiple home directory attributes.
Enable Storage Location Object lookup: These are traditional Storage Location Objects in eDirectory. Novell Kanaka for Mac supports only NCP Storage Location Objects.
Figure 12-15 Login Script Settings
By enabling the Login Script Parser, the Kanaka Plug-In and the Kanaka Desktop Client parse any login scripts associated with the user. Login scripts are parsed with the same criteria as NetStorage logins.
Figure 12-16 Mounted Storage
12.5.2 Managed Client Settings
For several years, Apple has had a technology for managing workstations and the user experience, often referred to as MCX (Managed Client for OS X), delivered via a Workgroup Manager server. Novell Kanaka for Mac lets the administrator choose between Novell Kanaka for Mac and a Workgroup Manager server to deliver these settings to the workstation.
Figure 12-17 Managed Client Settings Page
Novell Kanaka for Mac clients can receive Managed Client Settings (MCX) configured in the Kanaka policy or from a properly configured OS X server. The following options instruct the client to use MCX settings generated by Novell Kanaka for Mac or to use settings obtained from an OS X server.
Figure 12-18 MCX Settings
If you choose the Workgroup Manager setting, verify that the LDAPv3 settings in the Mac's Directory Utility point to that server.
Figure 12-19 Dock Settings
This option displays an icon on the Dock for the user’s home directory and for any group storage that is configured.
NOTE: You see a house icon if Mobility is not enabled and a folder icon if Mobility is enabled.
Figure 12-20 Desktop Settings
These options place a mount point on the user's desktop. The mount point is the root of the volume, so users need to drill down to reach the folders and files they have rights to.
NOTE: Users see only the files and folders they have rights to.
Figure 12-21 Kanaka Plug-in Console Setting
This setting enables the Kanaka Plug-in Console to automatically start after a login.
Figure 12-22 Mobility Settings
Create mobile account when user logs in to network account: This setting allows Novell Kanaka for Mac to create a local “mobile” account on the workstation and keep the user’s profile and other information local. This option has the most performance benefits, because it can read the profile locally much more quickly than from the network. If you do not create a mobile account, the user profile information is created in the user’s home directory on the network.
Create home using network home with default sync settings: Novell Kanaka for Mac creates a local home directory with login/logoff sync enabled. Because the sync runs at login and logout, this can slow those down.
Require confirmation before creating mobile account: Warns the user of a mobile account that is created during login.
Figure 12-23 Mobility Synchronization Settings
These options synchronize the contents of the user's network and local home directory at login or logout. They are very network intensive and will cause delays in the login and logout process.
These settings take effect only when the first Mobility option (Create mobile account when user logs in to network account) is selected.
The Synchronization interval in seconds option lets you schedule syncing while the user is logged in.
12.6 NetStorage Integration and Storage Location Objects
Novell NetStorage introduces the concept of a Storage Location Object in eDirectory for assigning one or more storage locations to one or more objects in the tree and defining, among other things, a display name to use in referencing the storage.
Figure 12-24 Storage Location Object
In the figure above, a Storage Location Object has been created in eDirectory. The Storage Location Object points to the Sales subdirectory of the New York directory on a server, and it has been assigned to the Sales group.
When users who are members of the Sales group log in to NetStorage, they are automatically shown a link to this storage. The display name is defined in the Storage Location Object. The figure below is an example:
Figure 12-25 Linked Storage in NetStorage
A Storage Location Object can be assigned to users, groups, containers, or profile objects in eDirectory. Multiple Storage Location Objects can be assigned to the same object simultaneously.
Storage Location Objects can be used with or without NetStorage. However, NetStorage must be installed on at least one server in the tree in order for the Storage Location Object schema extensions to be added to the tree.
The Kanaka Engine automatically locates any Storage Location Objects that are either directly or indirectly assigned to the user during login. Indirect assignments include any groups that the user is a member of or any parent containers above the user in the tree hierarchy.
The Storage Location Object storage is returned to the client as collaborative storage in exactly the same way that group home directories are returned.
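To make the login-time lookups concrete, here is an added example (not the Engine's own code) that models, over a constructed in-memory copy of an eDirectory tree, the home-directory decision with proxy fallback from Sections 12.4 and 12.5.1, the group and container ccx-FSFManagedPath lookups from 12.5.1, and the direct and indirect Storage Location Object assignments described just above. Home_Directory and ccx-FSFManagedPath are the attribute names the guide gives and member is the standard eDirectory group attribute; the Storage Location Object attribute names (sloDisplayName, sloPath, sloAssignedTo), the tree contents and the proxy path are placeholders for the example.

```python
# Added example, not code from the Kanaka guide or product: the lookups the
# Engine performs at login, run over a constructed in-memory eDirectory tree.
from dataclasses import dataclass


@dataclass
class Policy:
    """The 12.5.1 settings this example models."""
    missing_home: str = "proxy"        # "proxy" or "deny" when Home_Directory is unset
    test_home_path: bool = False       # "Settings for Invalid Home Directory Path"
    invalid_home: str = "deny"         # "proxy" or "deny" when the path does not exist
    proxy_home: str = "//engine/KANAKA/proxyhome"   # assumed proxy directory
    group_lookup: bool = True
    container_lookup: bool = True
    slo_lookup: bool = True


# Constructed tree: DN -> {attribute: [values]}. SLO attribute names are placeholders.
TREE = {
    "ou=ny,o=acme": {"ccx-FSFManagedPath": ["//fs1/VOL1/Shared/NewYork"]},
    "ou=sales,ou=ny,o=acme": {},
    "cn=jdoe,ou=sales,ou=ny,o=acme": {"Home_Directory": ["//fs1/VOL1/Users/jdoe"]},
    "cn=mlee,ou=sales,ou=ny,o=acme": {},                       # no home directory
    "cn=Sales,ou=groups,o=acme": {
        "member": ["cn=jdoe,ou=sales,ou=ny,o=acme"],
        "ccx-FSFManagedPath": ["//fs1/VOL1/Groups/Sales"]},
    "cn=Social,ou=groups,o=acme": {                            # group without storage
        "member": ["cn=jdoe,ou=sales,ou=ny,o=acme", "cn=mlee,ou=sales,ou=ny,o=acme"]},
    "cn=SalesDocs,ou=slo,o=acme": {
        "sloDisplayName": ["Sales"], "sloPath": ["//fs1/VOL1/NewYork/Sales"],
        "sloAssignedTo": ["cn=Sales,ou=groups,o=acme"]},
    "cn=NYShared,ou=slo,o=acme": {
        "sloDisplayName": ["New York"], "sloPath": ["//fs1/VOL1/Shared/NewYork"],
        "sloAssignedTo": ["ou=ny,o=acme"]},
}


def parent_containers(dn):
    """Every container above dn, nearest first. Assumes no escaped commas in RDNs."""
    parts = dn.split(",")
    return [",".join(parts[i:]) for i in range(1, len(parts))]


def groups_of(tree, user_dn):
    """Groups whose member attribute lists the user (direct membership only)."""
    return [dn for dn, attrs in tree.items() if user_dn in attrs.get("member", [])]


def resolve_home(tree, user_dn, policy, path_exists):
    """Return (status, path, reason): status is "home", "proxy" or "deny".
    The reason is what the client can report back, as 12.4 describes."""
    values = tree.get(user_dn, {}).get("Home_Directory", [])
    if not values:
        reason = "no Home_Directory attribute"
        if policy.missing_home == "proxy":
            return "proxy", policy.proxy_home, reason
        return "deny", None, reason
    home = values[0]
    if policy.test_home_path and not path_exists(home):
        reason = f"{home} does not exist"
        if policy.invalid_home == "proxy":
            return "proxy", policy.proxy_home, reason
        return "deny", None, reason
    return "home", home, "ok"


def collaborative_storage(tree, user_dn, policy):
    """Group, container and SLO storage to mount, deduplicated by path."""
    found, seen = [], set()

    def add(kind, source, path, name=None):
        if path not in seen:
            seen.add(path)
            found.append({"kind": kind, "source": source, "path": path, "name": name})

    groups = groups_of(tree, user_dn)
    containers = parent_containers(user_dn)
    if policy.group_lookup:
        for g in groups:
            for p in tree[g].get("ccx-FSFManagedPath", []):
                add("group", g, p)
    if policy.container_lookup:
        for c in containers:
            for p in tree.get(c, {}).get("ccx-FSFManagedPath", []):
                add("container", c, p)
    if policy.slo_lookup:
        holders = {user_dn, *groups, *containers}   # direct and indirect assignment
        for dn, attrs in tree.items():
            if holders & set(attrs.get("sloAssignedTo", [])):
                add("slo", dn, attrs["sloPath"][0], attrs["sloDisplayName"][0])
    return found


def login(tree, user_dn, policy, path_exists=lambda p: True):
    """What the Engine hands the client for one login: home, reason, and mounts."""
    status, home, reason = resolve_home(tree, user_dn, policy, path_exists)
    mounts = collaborative_storage(tree, user_dn, policy) if status != "deny" else []
    return {"status": status, "home": home, "reason": reason, "mounts": mounts}


if __name__ == "__main__":
    print(login(TREE, "cn=jdoe,ou=sales,ou=ny,o=acme", Policy()))
    print(login(TREE, "cn=mlee,ou=sales,ou=ny,o=acme", Policy(missing_home="deny")))
```

Two details are worth noticing in the output. A path reached twice (here the New York share, once as a container ccx-FSFManagedPath and once as an SLO assigned to the same container) is mounted only once, and a denied login mounts nothing at all, so collaborative storage is never exposed to a session that has no home directory. As with group home directories, none of this grants rights: each path still needs its trustee assignment.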
A Documentation Updates
This section contains information about documentation content changes that were made in this Novell Kanaka for Mac Installation and Administration Guide after the initial release of Novell Kanaka for Mac 2.6. The changes are listed according to the date they were published.
The documentation for this product is provided on the Web in two formats: HTML and PDF. The HTML and PDF documentation are both kept up-to-date with the changes listed in this section.
If you need to know whether a copy of the PDF documentation that you are using is the most recent, the PDF document includes a publication date on the title page.
The documentation was updated on the following dates:
A.1 November 3, 2015
Updates were made to the following sections:
Location: Section 6.1, “Retrieving the Installation File,” on page 37
Update: Updated the procedures for downloading the DMG file from the Novell Patch Channel.
Update: Updated to include information on Mac OS X El Capitan.
A.2 March 30, 2015
Updates were made to the following sections:
Location: Section 5.1, “System Requirements,” on page 27
Update: Removed reference of support for Novell Open Enterprise Server 2.
A.3 October 29, 2014
Updates were made to the following sections:
Location: Various locations.
Update: Updated interface graphics.
A.4 August 14, 2013
Updates were made to the following sections:
Location: Section 3.5.2, “Creating a PEM File,” on page 21
Update: Corrected the syntax in the command line in Step 5.
Location: Section 4.1, “Upgrade Considerations,” on page 25
Update: Corrected the syntax in the command line.
Location: Section 5.2, “Installing the Kanaka Engine,” on page 28
Update: Corrected the syntax in the command line in Step 4.
Location: Section 5.2, “Installing the Kanaka Engine,” on page 28
Update: Inserted a new paragraph with the heading IMPORTANT. Removed a screen shot that was no longer applicable. Inserted a new step (
A.5 August 6, 2013
Updates were made to the following sections:
Location: Chapter 5, “Installing and Configuring the Engine,” on page 27
Update: Inserted a new paragraph with the heading IMPORTANT.
Update: Inserted a new paragraph with the heading WARNING.
A.6 March 15, 2013
Updates were made to the following sections:
Location: Section 2.4.1, “Authentication and Mounting via the
Update: Inserted a new paragraph with the heading IMPORTANT.
Location: Section 3.5, “Generating Certificates,” on page 20
Update: New section.
Location: Chapter 4, “Upgrading from Version 2.7 to 2.8.2,” on page 25
Update: New chapter.
Location: Section 5.2, “Installing the Kanaka Engine,” on page 28
Update: New procedures.
Location: Section 5.4, “Replacing the PEM File,” on page 36
Update: New section.
A.7 June 8, 2012
Updates were made to the following sections:
Location: Chapter 5, “Installing and Configuring the Engine,” on page 27
Update: Updated procedures.
Location: Section 9.2, “Kanaka Desktop Client,” on page 53
Update: Updated information on how to change passwords.
Location: Chapter 11, “Parsing Novell Login Scripts,” on page 59
Update: New chapter.
Location: Chapter 12, “Reference,” on page 63
Update: Descriptions of new fields in the product interface.
A.8 March 13, 2012
Updates were made to the following sections:
Location: Chapter 5, “Installing and Configuring the Engine,” on page 27
Update: Inserted a Note on installing multiple Engines and having two Engines with identical configurations to serve as a cluster substitute.
Update: Expanded the explanation below the step.
Location: Chapter 10, “Migrating from Kanaka for eDirectory to Novell Kanaka for Mac,” on page 57
Update: Added this new chapter.
A.9 January 31, 2012
Updates were made to the following sections:
Location: Chapter 2, “Overview,” on page 9
Update: Updated interface graphics.
Location: Chapter 4, “Upgrading from Version 2.7 to 2.8.2,” on page 25
Update: Updated interface graphics.
A.10 January 26, 2012
Updates were made to the following sections:
Update: New information added on rights assignments.
A.11 January 20, 2012
Updates were made to the following section:
Update: Inserted a new paragraph on requirements for logging in.
Update: The cross reference pertaining to information on mount points has been corrected.