New Machine Setup

From UGCS

Dell only

Download Dell OMSA packages from ftp://ftp.sara.nl/pub/outgoing/dell/ for viewing hardware diagnostics

Manual steps

  • Set networking config
  • Make sure that all necessary packages are installed (TODO: list)
  • Obtain a principal with randkey for the host from the KDC - you'll need host/<hostname>.ugcs.caltech.edu
  • Export the principal using ktadd -k to a temporary file and copy it to /etc/krb5.keytab on the new machine
  • Install CFEngine and point it at demeter

Done by CFEngine

  • Copy /opt/CA/cacert.pem from the CA server (currently apollo) to /etc/
  • Set the contents of /etc/ldap/ldap.conf
BASE    dc=ugcs,dc=caltech,dc=edu
URI     ldaps://apollo.ugcs.caltech.edu/

TLS_CACERT      /opt/CA/cacert.pem
TLS_REQCERT     demand
  • Set the contents of /etc/libnss-ldap.conf
base dc=ugcs,dc=caltech,dc=edu
uri ldaps://apollo.ugcs.caltech.edu/
ldap_version 3
port 636
  • Edit /etc/nsswitch.conf, replacing compat with files ldap ('s/compat/files ldap/'):
passwd:         files ldap
group:          files ldap
shadow:         files ldap
  • Add the following PAM lines in the appropriate places in /etc/pam.d/common-*
auth    sufficient      pam_krb5.so minimum_uid=1000
auth    optional        pam_afs_session.so
session optional        pam_krb5.so minimum_uid=1000
session required        pam_afs_session.so
account required        pam_krb5.so minimum_uid=1000
account required        pam_unix.so
password   sufficient pam_krb5.so minimum_uid=1000
  • Add the following lines to /etc/krb5.conf
[appdefaults]
        aklog_homedir = true
        libkafs = {
                UGCS.CALTECH.EDU = {
                        afs-use-524 = no
                }
        }

[libdefaults]
        default_realm = UGCS.CALTECH.EDU
...
[realms]
        UGCS.CALTECH.EDU = {
                kdc = apollo
                admin_server = apollo
        }
...
[domain_realm]
        .ugcs.caltech.edu = UGCS.CALTECH.EDU
        ugcs.caltech.edu = UGCS.CALTECH.EDU
...
  • Change the following settings in /etc/ssh/sshd_config
# Kerberos options
KerberosAuthentication yes
#KerberosGetAFSToken yes
KerberosOrLocalPasswd yes
KerberosTicketCleanup yes

# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
GSSAPIKeyExchange yes
  • Add the following line to sudoers:
%sysadmin ALL=(ALL) NOPASSWD:ALL
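A post-install check for the whole procedure above, added here as an example; it is not the wiki's or UGCS's own tooling. It verifies that the files written by the steps carry the security-relevant settings (ldaps:// only, the pinned CA, TLS_REQCERT demand, files before ldap in nsswitch.conf, Kerberos/GSSAPI enabled in sshd, a root-only keytab) and, with --live, exercises the real services. Assumptions: verify_config takes a root directory so it can be run against a constructed sample tree; the demo trees it builds in mktemp -d are constructed samples, not real hosts; the live checks assume MIT klist, OpenLDAP ldapsearch, OpenSSH and sudo are installed.

```shell
#!/bin/sh
# Post-install verification for the UGCS setup steps (added example, not the wiki's own tooling).
set -u

# has_setting FILE KEY VALUE: true if FILE has an uncommented "KEY VALUE" line
# (case-insensitive, any whitespace); VALUE may be an extended regex.
has_setting() {
    grep -Eiq "^[[:space:]]*$2[[:space:]]+$3[[:space:]]*$" "$1" 2>/dev/null
}

# verify_config ROOT: check the files under ROOT (normally /, a temp dir in the
# demo); returns the number of failed checks. Each check mirrors a step above.
verify_config() {
    root=$1; fails=0
    fail() { echo "FAIL: $1"; fails=$((fails + 1)); }

    # /etc/ldap/ldap.conf: ldaps:// only, CA pinned, server certificate verification required
    f="$root/etc/ldap/ldap.conf"
    has_setting "$f" URI 'ldaps://[^[:space:]]+' || fail "ldap.conf URI is not ldaps://"
    has_setting "$f" TLS_CACERT '/opt/CA/cacert\.pem' || fail "ldap.conf TLS_CACERT missing"
    has_setting "$f" TLS_REQCERT demand || fail "ldap.conf TLS_REQCERT must be demand"

    # /etc/libnss-ldap.conf: same transport requirements for NSS lookups
    f="$root/etc/libnss-ldap.conf"
    has_setting "$f" uri 'ldaps://[^[:space:]]+' || fail "libnss-ldap.conf uri is not ldaps://"
    has_setting "$f" port 636 || fail "libnss-ldap.conf port is not 636"

    # /etc/nsswitch.conf: local files consulted before LDAP for passwd/group/shadow
    f="$root/etc/nsswitch.conf"
    for db in passwd group shadow; do
        has_setting "$f" "$db:" 'files[[:space:]]+ldap' || fail "nsswitch $db is not 'files ldap'"
    done

    # /etc/ssh/sshd_config: Kerberos and GSSAPI options from the step above
    f="$root/etc/ssh/sshd_config"
    for opt in KerberosAuthentication KerberosTicketCleanup GSSAPIAuthentication GSSAPICleanupCredentials; do
        has_setting "$f" "$opt" yes || fail "sshd_config $opt is not yes"
    done

    # sudoers: the %sysadmin line is present; note that it makes group membership equal to root
    has_setting "$root/etc/sudoers" '%sysadmin' 'ALL=\(ALL\)[[:space:]]+NOPASSWD:ALL' \
        || fail "sudoers %sysadmin line missing"

    # CA certificate copied from the CA server
    [ -s "$root/etc/cacert.pem" ] || fail "/etc/cacert.pem missing or empty"

    # Keytab present and readable only by its owner (it holds the host's credentials)
    k="$root/etc/krb5.keytab"
    if [ -f "$k" ]; then
        perm=$(stat -c %a "$k" 2>/dev/null || stat -f %Lp "$k")
        case $perm in *00) ;; *) fail "krb5.keytab mode $perm is readable by group/other" ;; esac
    else
        fail "krb5.keytab missing"
    fi
    return "$fails"
}

# live_checks: run as root on the finished machine; exercises the real services.
live_checks() {
    klist -kt /etc/krb5.keytab | grep -q "host/$(hostname -f)@UGCS.CALTECH.EDU" \
        || echo "FAIL: host principal not in /etc/krb5.keytab"
    ldapsearch -x -H ldaps://apollo.ugcs.caltech.edu/ -b dc=ugcs,dc=caltech,dc=edu -s base >/dev/null \
        || echo "FAIL: ldaps search against apollo failed (certificate or transport problem)"
    getent passwd >/dev/null || echo "FAIL: NSS passwd lookup failed"
    sshd -t || echo "FAIL: sshd rejected sshd_config"
    visudo -c >/dev/null || echo "FAIL: sudoers does not parse"
}

# make_demo_root REQCERT SCHEME KEYTAB_MODE: build a throwaway /etc tree (constructed
# sample) with the page's settings, parameterised so a weakened variant can be made.
make_demo_root() {
    r=$(mktemp -d); mkdir -p "$r/etc/ldap" "$r/etc/ssh"
    printf 'BASE dc=ugcs,dc=caltech,dc=edu\nURI %s://apollo.ugcs.caltech.edu/\nTLS_CACERT /opt/CA/cacert.pem\nTLS_REQCERT %s\n' "$2" "$1" > "$r/etc/ldap/ldap.conf"
    printf 'base dc=ugcs,dc=caltech,dc=edu\nuri %s://apollo.ugcs.caltech.edu/\nldap_version 3\nport 636\n' "$2" > "$r/etc/libnss-ldap.conf"
    printf 'passwd: files ldap\ngroup: files ldap\nshadow: files ldap\n' > "$r/etc/nsswitch.conf"
    printf 'KerberosAuthentication yes\nKerberosOrLocalPasswd yes\nKerberosTicketCleanup yes\nGSSAPIAuthentication yes\nGSSAPICleanupCredentials yes\nGSSAPIKeyExchange yes\n' > "$r/etc/ssh/sshd_config"
    printf '%%sysadmin ALL=(ALL) NOPASSWD:ALL\n' > "$r/etc/sudoers"
    echo "placeholder certificate (constructed)" > "$r/etc/cacert.pem"
    : > "$r/etc/krb5.keytab"; chmod "$3" "$r/etc/krb5.keytab"
    echo "$r"
}

GOOD_ROOT=$(make_demo_root demand ldaps 600)
BAD_ROOT=$(make_demo_root never ldap 644)   # weakened: no cert check, plaintext LDAP, readable keytab
verify_config "$GOOD_ROOT" && echo "good tree: all checks passed"
verify_config "$BAD_ROOT" || echo "weakened tree: $? checks failed"
if [ "${1:-}" = "--live" ]; then live_checks; fi
```

Run it with no arguments to see the two constructed trees checked (the weakened one reports four failures), or as root with --live on the new machine after CFEngine has run. The keytab check is there because ktadd output copied by hand tends to land with default permissions; anything holding the host key should be root-owned, mode 0600.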