Customizing SUSE Linux

December 19, 2008

Customizing SUSE Desktop Version 10 Service Pack 1

I am posting this here, as I find it useful to have a reference to the setup now and again when creating a setup for another person. It assumes a moderate amount of Linux knowledge, including shell use, running commands, directory navigation and so on, and it may contain information that is beyond the beginner in Linux. If you wish any clarifying comments to be added, feel free to add a blog comment.

I make no claims about the SUSE Linux distribution apart from the fact that it has a lineage from Novell which I have used for a number of years professionally. I also like Debian, and for portability Slax which I have on a pendrive.

Ok, back to the article at hand. The customizations are designed to get a SUSE Linux distribution up and running with the following additions:

  • Adding Microsoft Truetype Fonts
  • Adding Additional YAST Installation Sources
  • ATI Video Driver Update
  • W32 Codecs
  • Disabling Zenworks Synchronization
  • Installing and Configuring Mplayer
  • Installing and Configuring The Squid Proxy Cache
  • Generating a Self Signed Certificate for Use with Firefox and Thunderbird

Adding Microsoft TrueType Fonts

Copy the TrueType fonts from your C:\Windows\Fonts directory

(just select the .TTF extension files)

Paste them in:

/usr/X11R6/lib/X11/fonts/truetype

Start up a root console session, and type the following command:

SuSEconfig --module fonts <enter>

(<enter> means hit the keyboard ‘Enter’ key, it is case sensitive)

If you wish to have the fonts immediately available in the current session, type:

xset fp rehash <enter>

You will now have access to the TrueType fonts you have copied over, and they should be available in Firefox and OpenOffice.

Adding Additional YAST Installation Sources

Start up YAST, and add the following package source:

Type:

HTTP

Server Name:

packman.unixheads.com

Directory:

/suse/10.1

Also, the following can be added:

download.opensuse.org/distribution/SL-10.1/non-oss-inst-source

download.opensuse.org/distribution/SL-10.1/inst-source

Click through all the Oks to apply your settings.

ATI Video Driver Update

You may have an ATI Graphics card, so to obtain the ATI Linux driver go to:

http://ati.amd.com/support/drivers/linux/linux-radeon.html

(current at this time, but all links subject to change!)

Once you have downloaded the file, you will need to add execute permissions, as it will need to be run from the command line.

You can run this command from the console:

chmod +x <filename> (where filename is the name of the downloaded binary file)

Or you can use Nautilus to add the executable permission to this file.

Once you have added the executable permission, execute the installer file as follows from a console prompt, in the directory where the file is stored (you may have to ‘cd’ or change directory to get to the file’s location):

./ati-driver-installer-8.40

(the version number will almost certainly be different, so replace the name with the name of the file you have downloaded, also don’t forget to add the ./ at the start, otherwise it will complain that the file is not there)

The installation process will commence, and should end without error.

Once the installation has finished, return to your console prompt and type:

aticonfig

If the X Server fails to launch, try typing:

aticonfig --initial -f

Using W32 Codecs

It is common for distributions to be given out without any real codec support, therefore it may be difficult to play those DVD movies or other media files. Not much point in having a working Linux distro without any media playing capability, so you may wish to address this situation!

The codecs can be found by searching YAST for ‘w32’, and they can only be installed via YAST after the packman installation source has been added.

Install as per a normal program installation from YAST.

Disabling Zenworks Synchronization

There are some early issues with Zenworks synchronization, and you may find your session either seizing up, or just hanging with the Zenworks Synchronization which happens after a program install from YAST. To get around this behaviour, you may wish to disable it. If you are in a corporate environment, and are using Zenworks, then this will not be the answer for you!

Run a console session, and type the following:

rczmd stop

Start YAST

Add a new catalog source:

Type:

ftp

Server Name:

ftp.suse.com

Directory:

/pub/suse/update/10.1

Uncheck the ‘Synchronize with ZENworks’ checkbox

Click ‘Finish’

Once the system has been successfully updated via YAST over the Internet, remove the zmd packages by typing the following at a console:

rpm -e zmd libzypp-zmd-backend sqlite-zmd rug zen-updater

Installing And Configuring Mplayer

Well, Mplayer is my current favourite in terms of media applications, so again, install via YAST.

You will almost certainly wish to view some of your DVDs, so to get DVDs To Play, go to the following website:

http://www.pctech101.com/dvd_playback.php

(current as of blog posting)

Download the following files:

libdvdcss-1.2.8-2.network.i386.rpm

libdvbpsi4-0.1.5-1.pm.1.i586.rpm

libxine1-1.1.0cvs-051002.i686.rpm

xine-mozilla-plugin-0.2-051004.i586.rpm

libmp4v2-1.4.1-3.i586.rpm

w32codec-0.52-1.i386.rpm

xvid-1.1.0-0.pm.4.i686.rpm

Install all the packages with the following console command:

rpm -Uvh <package name>

(where <package name> is the name of each package above)

(Some of the packages may not install, as they might already be installed, check for any errors on installation, and address these before continuing)

The packages will need to be installed as root, so su from the command line first.

(to su, type ‘su’ at the prompt and enter the root password when asked; then run the rpm commands from that root shell)

Installing And Configuring The Squid Proxy Cache

Installing Squid is an optional extra, but where you have a number of PCs, laptops, PDAs etc at home, you may wish to take advantage of Squid’s caching abilities. This can result in less information being downloaded from the Internet, but will of course depend on your surfing habits.

Check with YAST or Software Installation to see if the package is installed; if not, install it (search for ‘Squid’).

Once the package has successfully installed, you may wish to play around with the Squid configuration file. It is beyond the scope of this article to discuss that in detail, but here is a sample squid.conf that works:

http_port 3128
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl localnet src 192.168.x.0/255.255.255.0
acl to_localhost dst 127.0.0.0/8
acl to_localnet dst 192.168.x.0/255.255.255.0
# Safe_ports is used by the http_access rules below, so it must be defined
# (this is Squid's standard default list); otherwise Squid complains about an
# undefined ACL at startup and the port restriction is not enforced
acl Safe_ports port 80 21 443 563 70 210 1025-65535 280 488 591 777
acl SSL_ports port 443 563
acl CONNECT method CONNECT
# all terms on one http_access line must match (they are ANDed), so a client
# cannot be both localhost and localnet; cache manager requests therefore fall
# through to the deny on the next line
http_access allow manager localhost localnet
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl our_networks src 192.168.x.0/255.255.255.0
http_access allow our_networks
http_access allow localhost
http_access deny all
http_reply_access allow all

Note: You will need to alter any lines above which have 192.168.x.0, as this is an example subnet only! It should match your home or business network setup. Most home networks will have something like 192.168.1.0 with a subnet mask of 255.255.255.0.
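To see how Squid walks the http_access lines above, here is an added example (not from the original post, and not Squid’s own code) that models the rule evaluation: every term on a line must match, lines are tried in file order, and the first match decides. It assumes the 192.168.x.0 placeholder stands for 192.168.1.0/24 and that Safe_ports is Squid’s standard default list.

```python
import ipaddress

# ACLs from the sample squid.conf; 192.168.x.0 is read as 192.168.1.0/24 (assumption),
# and Safe_ports is Squid's standard default list.
ACLS = {
    "all":          ("src", ["0.0.0.0/0"]),
    "manager":      ("proto", ["cache_object"]),
    "localhost":    ("src", ["127.0.0.1/32"]),
    "localnet":     ("src", ["192.168.1.0/24"]),
    "Safe_ports":   ("port", [80, 21, 443, 563, 70, 210, (1025, 65535), 280, 488, 591, 777]),
    "SSL_ports":    ("port", [443, 563]),
    "CONNECT":      ("method", ["CONNECT"]),
    "our_networks": ("src", ["192.168.1.0/24"]),
}

# http_access lines in file order. Every term on a line must match (AND);
# a leading "!" negates that term; the first matching line decides.
RULES = [
    ("allow", ["manager", "localhost", "localnet"]),
    ("deny",  ["manager"]),
    ("deny",  ["!Safe_ports"]),
    ("deny",  ["CONNECT", "!SSL_ports"]),
    ("allow", ["our_networks"]),
    ("allow", ["localhost"]),
    ("deny",  ["all"]),
]


def request(src, method, port, proto="http"):
    """Build the handful of request attributes the sample ACLs look at."""
    return {"src": src, "method": method, "port": port, "proto": proto}


def acl_matches(name, req):
    kind, values = ACLS[name]
    if kind == "src":
        addr = ipaddress.ip_address(req["src"])
        return any(addr in ipaddress.ip_network(v) for v in values)
    if kind == "port":
        return any(v[0] <= req["port"] <= v[1] if isinstance(v, tuple)
                   else req["port"] == v for v in values)
    if kind == "method":
        return req["method"] in values
    if kind == "proto":
        return req["proto"] in values
    raise ValueError("unsupported ACL type: " + kind)


def evaluate(req):
    """Return (action, index) of the first http_access line whose terms all match.

    If nothing matches, Squid applies the opposite of the last line's action."""
    for idx, (action, terms) in enumerate(RULES):
        if all(acl_matches(t.lstrip("!"), req) != t.startswith("!") for t in terms):
            return action, idx
    last = RULES[-1][0]
    return ("deny" if last == "allow" else "allow"), None


if __name__ == "__main__":
    for req in (request("192.168.1.20", "GET", 80),
                request("192.168.1.20", "CONNECT", 8080),
                request("192.168.1.20", "GET", 3128, proto="cache_object")):
        print(req, "->", evaluate(req))
```

Run it to see that a LAN client gets its ordinary web requests allowed by the our_networks line, has CONNECT tunnels to non-SSL ports refused, and never reaches the cache manager because the first line cannot match.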

Also, the squid.conf file usually contains a truckload of comments and explanatory text. This is useful when first setting it up, but if you wish to strip all those comments out, then use the following command:

sed '/^ *#/d; /^ *$/d' /etc/squid/squid.conf > newsquid.conf

This will take out all the comment and blank lines, and leave you with a core squid.conf file. Of course you will need to overwrite the existing squid.conf with the newsquid.conf you have just created. I would suggest you copy the existing squid.conf file to a safe location first, just in case you wish to have a look at the explanatory text in the future.

The configuration file can be found in the following directory:

/etc/squid/squid.conf

Use gedit or your favourite editor to edit the file, and make sure that under the http_access section the following items are present:

acl our_networks src 192.168.x.0/255.255.255.0

http_access allow our_networks

http_access allow localhost

This can vary depending on your network subnet mask and setup, so check it out beforehand!

The default port that Squid runs on is 3128; however, you may wish to run it on an alternate port. Just change the port number in your http_port setting above, and make sure it does not clash with any existing port setup. You will also have to open a hole in your firewall, if you have one set up, so that port 3128 traffic can come through to your host!

Once you have installed Squid, and modified your configuration to suit your purposes, you will need to initialize Squid.

To setup Squid for the first time, run a terminal session and type:

squid -z

This will set up the cache directories for Squid to use.

Ok, if you are still running so far, with no errors, then you will want to try it out.

To run Squid:

/etc/init.d/squid start (other options are: |restart|stop|reload)

To check that Squid is running type the following in a console:

ps aux | grep squid

This should show a Squid process running.

You will now want to use this on your PC, or even a number of PCs if you have a home network.

Open up your favourite browser, Firefox for example, and go to the following menus:

Edit/Preferences/Advanced/Network/Settings

Enter as the proxy: 192.168.x.x port 3128 where x.x is the current IP address for the server that is running Squid, for example: 192.168.1.1

If you are planning to run Squid long term, it is best to set the IP address for the server/PC network card manually, to avoid getting a different address each time. Most routers allow for IP address allocation based upon the MAC address, or you can set it permanently yourself through YAST.

Once this information is entered, try browsing to a web page. If all is correct, you should see it come up. If not, check all the settings above.

You can view the Squid logfile, by running a terminal session, and changing directory to:

cd /var/log/squid

Then, to view the log contents on a continuous basis, type the following:

tail -f access.log

Note: This will show you a continuously updating Squid log, which may scroll quite quickly.

That’s about it for Squid. You can also enter the proxy settings on your other PCs, if you have them, so they can take advantage of Squid’s caching abilities.
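Since the access.log you just tailed is where a Squid problem usually shows up first, here is an added example (not from the original post) that parses Squid’s native access.log format, counts requests and denials per client, and lists any CONNECT tunnel aimed at a port other than 443; the log lines are constructed for illustration.

```python
from collections import Counter

# Constructed sample lines in Squid's native access.log format:
# timestamp elapsed_ms client result/status bytes method url ident hierarchy/peer type
SAMPLE_LOG = """\
1229673600.412    245 192.168.1.20 TCP_MISS/200 4523 GET http://www.example.com/ - DIRECT/93.184.216.34 text/html
1229673601.107     12 192.168.1.20 TCP_HIT/200 1827 GET http://www.example.com/style.css - NONE/- text/css
1229673602.880    930 192.168.1.21 TCP_MISS/200 0 CONNECT mail.example.net:443 - DIRECT/203.0.113.9 -
1229673603.015      3 192.168.1.21 TCP_DENIED/403 1412 CONNECT 203.0.113.50:25 - NONE/- text/html
1229673604.221      2 10.0.0.5 TCP_DENIED/403 1412 GET http://www.example.com/ - NONE/- text/html
"""


def parse_line(line):
    """Split one native-format line into a dict; returns None for lines that do not fit."""
    fields = line.split()
    if len(fields) < 10:
        return None
    result, _, status = fields[3].partition("/")
    return {
        "time": float(fields[0]),
        "client": fields[2],
        "result": result,       # e.g. TCP_MISS, TCP_HIT, TCP_DENIED
        "status": int(status),  # HTTP status code returned to the client
        "bytes": int(fields[4]),
        "method": fields[5],
        "url": fields[6],
    }


def connect_port(url):
    """CONNECT targets are logged as host:port rather than as a full URL."""
    host, _, port = url.rpartition(":")
    return int(port) if host and port.isdigit() else None


def summarise(log_text):
    """Per-client request and denied counts, plus every CONNECT to a non-443 port."""
    requests, denied = Counter(), Counter()
    odd_connects = []
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if entry is None:
            continue
        requests[entry["client"]] += 1
        if entry["result"] == "TCP_DENIED":
            denied[entry["client"]] += 1
        if entry["method"] == "CONNECT" and connect_port(entry["url"]) != 443:
            odd_connects.append((entry["client"], entry["url"]))
    return {"requests": dict(requests), "denied": dict(denied), "odd_connects": odd_connects}


if __name__ == "__main__":
    for key, value in summarise(SAMPLE_LOG).items():
        print(key, value)
```

Point it at /var/log/squid/access.log instead of SAMPLE_LOG to see which hosts are being refused by your http_access rules and whether anything on the LAN is trying to tunnel to unexpected ports.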

Generating a Self-Signed Certificate for Use With Firefox And Thunderbird

You may wish to have your emails signed by a self-signed security certificate. There are many reasons to want to do this, and also some for not doing so! I won’t go into that right now, but will explain how you can do so.

You will need to install ‘openssl’ via YAST, so do this if you haven’t already done so.

Once installed, enter the following in a root console:

openssl genrsa -des3 1024 > name.cert

openssl req -new -key ./name.cert -x509 -days 365 -out name.pem

openssl pkcs12 -export -out name.p12 -name "Your Name Personal Certificate" -inkey name.cert -in name.pem

(despite its name, name.cert holds the passphrase-protected private key; name.pem is the self-signed certificate, and name.p12 bundles the two for import)

Note: You will want to change ‘name’ above to your own name, jsmith for example, and also change the “Your Name Personal Certificate” to “John Smith Personal Certificate”, but obviously use your own name here!

This will create a name.p12 file, which can then be installed in Firefox. To install, run up Firefox, and go to the following menu:

Edit/Preferences/Advanced/Encryption

Press the ‘View Certificates’ button.

Press the ‘Import’ button

It can also be imported into Thunderbird in the same fashion.

Well, that is a fair amount of information for a blog entry, but if you have any constructive comments, or additions, then they are welcome.

I have installed Outlook Web Access (henceforth known as OWA) for many different organisations. The concept is reasonably simple, and can make a large difference for a company, particularly with a mobile workforce. Staff who wish to work from home, or who are ill on a given day, are generally very grateful to be able to reach their corporate email from home, or even on holidays (not always appreciated as much :)

Some pre-requisites for installation:

A working Microsoft 2003 or later server.

Internet Information Services (IIS); if not already installed, do so through Start Menu, Add or Remove Programs, then Add/Remove Windows Components:

(screenshot: cert1)

Select the check box for IIS, then click ‘Next’ to install. Reboot if requested.

Other prerequisites are a working server with Internet access and correctly configured DNS, with the full DNS name of the server registered within DNS and propagated to the Internet. You must be able to ping the host from the Internet, or, if pings are filtered, be able to contact the server through any configured ports. Usually this will be port 443 for HTTPS, so you can access the secure email port for Exchange.

You will need a permanent IP address for this to work, or have a working setup to map changes to IP to a host name through DYNDNS or similar organization.

Finally, you will need to be able to pass on any ports through your firewall/router infrastructure. In the case of a Cisco setup or an ADSL router, a port forwarding rule will need to be put in place to forward port 443 from the router to your internal server.

Certificate Services Installation

The next step is to install Certificate Services, in which case go through the same process as before, but this time select ‘Certificate Services’

You will get a pop up as follows:

(screenshot: cert2)

Click ‘Yes’, then ‘Next’ (this basically warns you against changing either the machine name or the domain membership after installing Certificate Services).

You will now be asked what type of Certificate Services server you wish to install, and in our case it will be:

Enterprise Root CA

Click ‘Next’ to continue.

You will now be asked to enter the Common Name for the CA, in which case you will enter the full dns name of the machine you are installing to, for example:

mail.domain.com where <domain> is the name of your own domain.

Do not enter any data into any other fields; just click ‘Next’

You will now be asked to enter paths for logs and associated database paths. I would recommend that you leave these as defaults.

Click ‘Next’

Certificate Services should now go ahead and install with the information you have entered.

Creating A Certificate Request

After the Certificate Server component has installed, you will need to create a Certificate Request. This is so you can forward it to your chosen agency for Certificate signing.

Click on ‘Start’, ‘Administrative Tools’, ‘Internet Information Services (IIS) Manager’, then expand the ‘Websites’ item and right click on ‘Default Website’, then choose ‘Properties’.

Click on the ‘Directory Security’ tab and on ‘Secure Communications’ click on ‘Server Certificate’

(screenshot: cert3)

We are creating a new certificate, so leave the default selection which is ‘Create a new certificate’, and as we are going to be our own CA, click on ‘Prepare the request now, but send it later’ then click on ‘Next’

Type in a name for the Certificate, use something memorable and that will relate to what you are doing, such as OWA SSL Certificate. Leave the Bit Length as is, and click ‘Next’

You will now need to enter your ‘Organization Name’ and the ‘Organizational Unit’. These should correspond with any current Active Directory setup you have for the sake of keeping things structured, however you can name them as you wish.

Your Organization Name should be whatever your business name is, and the Organizational Unit should be something like your own structural division.

For example: My Corporation, Information Technology.

Click ‘Next’ again.

The next screen is critical to your setup working correctly, so be careful when entering the data!

The ‘Common name’ should be the WORKING DNS name that you have already established through DNS. This will be something like:

mail.domain.com (where <domain> is the name of your company)

For example, if your company is accessed by www.domain.com, use <domain> as your name.

Note: If your DNS is handled by your ISP, which is very common for small organisations, you will need them to set this up for you. Put in a request explaining what you are doing, and add all the relevant data you wish to be included, such as the Internet name. You will still need to forward any data through your firewall or router to the internal email host. Your ISP will then create an ‘A’ record in DNS which will point to your public IP address. (A public IP address is the address you receive from your ISP when you connect to them. If you receive a permanent IP address, all this will work fine. If not, you will need to use another organisation such as DYNDNS to permanently map the changes to your IP to a permanent name. I will cover this in a different article.)

You will now need to enter the Country/Region, State/province and City/Locality information. This is as per your own specific geographical region data. Such as:

AU (Australia), Western Australia, Perth

Or whatever is the case for your server.

Click ‘Next’

You will now be asked to save the request into a file. Choose wherever you wish, as long as you remember where you stored it!

Click ‘Next’ again

You will now be able to view all the information as you have entered it, so go through it carefully and click on the ‘Back’ button to correct any mistakes.

If you are satisfied, click ‘Finish’

Ok, we now have a (hopefully) working Certificate Server, and a request pending.

On your Server, open up Internet Explorer, and type in:

http://servername/certsrv

Where <servername> is the name of your server you are working on.

If all is working ok, you should see a screen with a line which says:

Microsoft Certificate Services – <servername>

Click on ‘Request a certificate’

Click ‘Advanced Certificate Request’

Then, select:

‘Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file’

(the second one! I know it is long winded, but it will be fine)

Ok, now you need to open the certificate request you created earlier, so open the text file with the certificate request in ‘Notepad’ or any text editor and copy all the content (CTRL-A will do this for you, after clicking anywhere in the text file. Do not drag to select, as you may miss something)

Paste the clipboard contents into the box provided (Base-64), you should see a long line of alpha characters, with BEGIN NEW CERTIFICATE REQUEST near the top.

Click on ‘Submit’

Then select ‘Base 64 encoded’ and then ‘Download Certificate’

Click ‘Save’

and save the ‘certnew.cer’ onto your C: drive at the root level (easier to find)

Close off the Internet Explorer window if all has gone ok.

Attaching the Certificate to your Default Website.

Right, we have obtained a working certificate, and we need to attach this to our website.

Click on Start, Administrative Tools, Internet Information Services (IIS) Manager.

Expand the Websites item, and right click on ‘Default Website’, then choose ‘Properties’

Select the ‘Directory Security’ tab item and under ‘Secure Communications’ click on ‘Server Certificate’ then click ‘Next’

(screenshot: cert4)

You will need to select ‘Process the pending request and install the certificate’, and then click ‘Next’

(screenshot: cert5)

Choose the path and filename of the file you saved just recently, for example: c:\certnew.cer then click ‘Next’

If you are choosing the default SSL port, you will enter ‘443’ in the next box, and click ‘Next’

Again, you will be shown a summary of your actions, so check it all out and be sure it is correct!

If so, click ‘Next’ again and you will be shown a ‘successfully completed’ message.

Click ‘Finish’

To enable this you need to click on the ‘Edit’ button under ‘Secure Communications’ on the Default Website, and check the box next to ‘Require secure channel (SSL)’ and ‘Require 128-bit encryption’, as follows:

(screenshot: cert6)

Then click ‘OK’

Testing Your SSL Configuration

Now, the final touch. Testing your configuration! Open up Internet Explorer again, and type in the following:

https://servername/exchange

You should then receive a pop up message as follows:

(screenshot: cert7)

The warning message is fine; it appears because you are accessing the server by its short server name rather than the full DNS name that the certificate was issued for.

So click ‘Yes’

If all goes well, you should be in receipt of another box which is asking you to enter your login name and password to access the OWA server!

Use your Administrator login for these purposes, to test that it works.

Congratulations, you are now in possession of a working SSL enabled OWA server to present to management and your users!
