New Machine Setup
From UGCS
Dell only
Download Dell OMSA packages from ftp://ftp.sara.nl/pub/outgoing/dell/ for viewing hardware diagnostics
Manual steps
- Set networking config
- Make sure that all necessary packages are installed (TODO: list)
- Obtain a host principal with a random key (randkey) from the KDC; you'll need host/<hostname>.ugcs.caltech.edu
- Export the principal using ktadd -k to a temporary file and copy it to /etc/krb5.keytab on the new machine
- Install CFEngine and point it at demeter
Done by CFEngine
- Copy /opt/CA/cacert.pem from the CA server (currently apollo) to /etc/
- Set the contents of /etc/ldap/ldap.conf
BASE dc=ugcs,dc=caltech,dc=edu
URI ldaps://apollo.ugcs.caltech.edu/
TLS_CACERT /opt/CA/cacert.pem
TLS_REQCERT demand
- Set the contents of /etc/libnss-ldap.conf
base dc=ugcs,dc=caltech,dc=edu
uri ldaps://apollo.ugcs.caltech.edu/
ldap_version 3
port 636
- Edit /etc/nsswitch.conf, replacing compat with files ldap ('s/compat/files ldap/')
passwd: files ldap
group: files ldap
shadow: files ldap
- Add the following PAM lines in the appropriate places in /etc/pam.d/common-*
auth sufficient pam_krb5.so minimum_uid=1000
auth optional pam_afs_session.so
session optional pam_krb5.so minimum_uid=1000
session required pam_afs_session.so
account required pam_krb5.so minimum_uid=1000
account required pam_unix.so
password sufficient pam_krb5.so minimum_uid=1000
- Add the following lines to /etc/krb5.conf
[appdefaults]
    aklog_homedir = true
    libkafs = {
        UGCS.CALTECH.EDU = {
            afs-use-524 = no
        }
    }
[libdefaults]
    default_realm = UGCS.CALTECH.EDU
    ...
[realms]
    UGCS.CALTECH.EDU = {
        kdc = apollo
        admin_server = apollo
    }
    ...
[domain_realm]
    .ugcs.caltech.edu = UGCS.CALTECH.EDU
    ugcs.caltech.edu = UGCS.CALTECH.EDU
    ...
- Change the following settings in /etc/ssh/sshd_config
# Kerberos options
KerberosAuthentication yes
#KerberosGetAFSToken yes
KerberosOrLocalPasswd yes
KerberosTicketCleanup yes
# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
GSSAPIKeyExchange yes
- Add the following line to sudoers:
%sysadmin ALL=(ALL) NOPASSWD:ALL
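
A post-setup check for the settings listed above, as an added example (not part of the original page or of the UGCS CFEngine policy). The function names and the scratch-tree sample are constructed for illustration. It also checks that the file named by TLS_CACERT exists, since with TLS_REQCERT demand a missing CA file makes every LDAP lookup fail.

```shell
#!/bin/sh
# Added example: audit a host tree against the settings listed on this page.
# ROOT is "/" on a live machine; a scratch directory in the sample run below.
fail() { echo "FAIL: $1"; fails=$((fails + 1)); }
# has FILE REGEX: true if an uncommented line of FILE matches REGEX exactly
has() { grep -Eiq "^[[:space:]]*${2}[[:space:]]*\$" "$1" 2>/dev/null; }

audit_host() {   # prints one line per failure, returns the failure count
    root=${1%/}; fails=0; s='[[:space:]]+'
    ldap="$root/etc/ldap/ldap.conf"; sshd="$root/etc/ssh/sshd_config"
    # The keytab holds the host's long-term key: require exact mode 0600.
    [ -n "$(find "$root/etc/krb5.keytab" -prune -perm 600 2>/dev/null)" ] ||
        fail "krb5.keytab missing or not mode 600"
    # LDAP must use TLS, demand a valid server cert, and the CA file must exist.
    has "$ldap" "URI${s}ldaps://[^[:space:]]+" || fail "ldap.conf URI is not ldaps://"
    has "$ldap" "TLS_REQCERT${s}demand" || fail "ldap.conf TLS_REQCERT is not demand"
    ca=$(awk 'toupper($1) == "TLS_CACERT" { print $2 }' "$ldap" 2>/dev/null) || ca=
    [ -n "$ca" ] && [ -f "$root$ca" ] || fail "TLS_CACERT file not found: ${ca:-unset}"
    for db in passwd group shadow; do
        has "$root/etc/nsswitch.conf" "${db}:${s}files${s}ldap" || fail "nsswitch $db"
    done
    for opt in KerberosAuthentication GSSAPIAuthentication; do
        has "$sshd" "${opt}${s}yes" || fail "sshd_config $opt is not yes"
    done
    return "$fails"
}

make_sample() {  # constructed sample tree using the values from this page
    mkdir -p "$1/etc/ldap" "$1/etc/ssh" "$1/opt/CA"
    : > "$1/etc/krb5.keytab"; chmod 600 "$1/etc/krb5.keytab"
    : > "$1/opt/CA/cacert.pem"
    printf '%s\n' 'BASE dc=ugcs,dc=caltech,dc=edu' \
        'URI ldaps://apollo.ugcs.caltech.edu/' \
        'TLS_CACERT /opt/CA/cacert.pem' 'TLS_REQCERT demand' > "$1/etc/ldap/ldap.conf"
    printf '%s\n' 'passwd: files ldap' 'group: files ldap' \
        'shadow: files ldap' > "$1/etc/nsswitch.conf"
    printf '%s\n' 'KerberosAuthentication yes' '#KerberosGetAFSToken yes' \
        'GSSAPIAuthentication yes' > "$1/etc/ssh/sshd_config"
}

demo=$(mktemp -d); make_sample "$demo"
audit_host "$demo" && echo "sample tree passes"
rm -rf "$demo"
```

On a real host, run `audit_host /` as root after CFEngine has converged; each FAIL line names the setting that does not match.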