Difference between revisions of "Client Recipe"

From Nuclear Physics Group Documentation Pages
Previous revision:

A simple ''n''-step process to set up a client lickety-split:
# Install Fedora in the typical fashion, skipping the steps for creating a default user and network authentication
## When configuring network authentication, check LDAP configuration, and download the certificate from http://nuclear.unh.edu/~maurik/unh_physics_ca.crt
# Log in as root
# Disable NetworkManager if it hasn't already been disabled. (hint: chkconfig)
# Run system-config-network
# If there isn't one already, add an ethernet device on eth0.
# If this client is not in the server room (and therefore not going to use a VLAN), skip to the next full step
## Choose to statically set the IP address to an available local number (10.0.0.*)
## Give the device the alias "farm".
## Make sure it has onboot=yes so that it automatically comes up
## Run <code>vconfig add eth0 2</code> to create a virtual device "eth0.2" while the network is up. Might need to run <code>ifup eth0</code>.
## Use system-config-network to add an ethernet device to eth0.2
# Alias it "unh"
# Make sure it has onboot=yes so that it automatically comes up
# Choose to statically set the IP address to whatever was registered for the client
# Set the gateway to 132.177.88.1
# Under the general network configuration "DNS" tab, put the appropriate IPs of einstein and roentgen for primary and secondary DNS (their farm-side addresses when farm is the primary connection, their unh.edu addresses when unh is)
# Save the changes made with system-config-network
# If a virtual device was added:
## Open /etc/sysconfig/network-scripts/ifcfg-unh in a text editor
## Add the line <code>VLAN=yes</code>, and save
# If there are any more devices already present, disable, remove or configure them as well. Whatever you do, don't leave them defaulted to DHCP mode, otherwise their existence will change /etc/resolv.conf!
# Run gtk-authconfig
# Check "Enable LDAP Support" under the "User Information" and "Authentication" tabs
# Click "Configure LDAP..."
# The base DN is dc=physics,dc=unh,dc=edu and the server is einstein.unh.edu.
# "Download CA Certificate" doesn't ever seem to work, so get "unh_physics_ca.crt" from einstein and put it in /etc/openldap/cacerts (hint: <code>scp</code>).
# Click OK in LDAP Settings.
# Click OK in authconfig
## If this is an Ubuntu workstation, /etc/openldap is actually /etc/ldap, or something like that. It'll make sense when you see it.
# Disable SELinux
# Install autofs
# Copy the appropriate content into the [[Autofs Configuration Files]]
## If this is an Ubuntu workstation, you most likely need to install the package nfs-common.
# Reboot

'''All systems should have [[iptables]] and [[denyhosts]] setup!'''
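As an added check that is not part of the wiki page, the following shell function audits a directory of ifcfg-* files for the three conditions the network steps above insist on: the farm and unh connections are ONBOOT=yes, a VLAN sub-interface such as eth0.2 carries VLAN=yes, and no device that comes up at boot is still in DHCP mode (which would rewrite /etc/resolv.conf). It assumes the system-config-network naming used on this page (ifcfg-farm and ifcfg-unh under /etc/sysconfig/network-scripts); any file contents used to exercise it are constructed.

```shell
# Added example (not from the wiki): audit ifcfg-* files for the recipe's network rules.
# Assumes the system-config-network naming used above (ifcfg-farm, ifcfg-unh under
# /etc/sysconfig/network-scripts); a VLAN sub-interface is recognised by a dot in DEVICE.
# Usage: audit_ifcfg [directory]   -> exit 0 if clean, 1 if any problem was printed

ifcfg_get() {
    # Print the value of key $2 from ifcfg file $1 (quotes stripped); empty if absent.
    sed -n "s/^[[:space:]]*$2=[\"']\{0,1\}\([^\"']*\)[\"']\{0,1\}[[:space:]]*$/\1/p" "$1" | tail -n 1
}

audit_ifcfg() {
    dir=${1:-/etc/sysconfig/network-scripts}
    problems=0
    for f in "$dir"/ifcfg-*; do
        [ -f "$f" ] || continue
        name=${f##*/ifcfg-}
        [ "$name" = lo ] && continue
        dev=$(ifcfg_get "$f" DEVICE)
        onboot=$(ifcfg_get "$f" ONBOOT)
        proto=$(ifcfg_get "$f" BOOTPROTO)
        vlan=$(ifcfg_get "$f" VLAN)
        # A device that comes up at boot in DHCP mode will rewrite /etc/resolv.conf
        # and replace the einstein/roentgen DNS entries.
        if [ "$onboot" = yes ] && [ "$proto" = dhcp ]; then
            echo "PROBLEM: $name ($dev) is ONBOOT=yes with BOOTPROTO=dhcp"
            problems=$((problems + 1))
        fi
        # The farm and unh connections must come up on their own after a reboot.
        case "$name" in
            farm|unh) if [ "$onboot" != yes ]; then
                echo "PROBLEM: $name is not ONBOOT=yes"
                problems=$((problems + 1))
            fi ;;
        esac
        # eth0.2 style sub-interfaces only work when the file also says VLAN=yes.
        case "$dev" in
            *.*) if [ "$vlan" != yes ]; then
                echo "PROBLEM: $name is a VLAN sub-interface ($dev) without VLAN=yes"
                problems=$((problems + 1))
            fi ;;
        esac
    done
    echo "$problems problem(s) found in $dir"
    [ "$problems" -eq 0 ]
}
```

Run it as root after the system-config-network steps and again after the reboot; a non-zero exit means one of the printed lines needs fixing before moving on to authconfig.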
 
 
== Fedora 11 and 12 Howto ==

From livecd:

* Double click "install to hard drive."
* Provide a hostname.
* Use default partitioning unless this is a special case.
** This will make /boot the first partition, LVM the second, and / and swap on the LVM.
* Wait for the install to finish.
* Reboot, remove cd, boot into new install
* On "Create User," select network login.
** Select "Enable LDAP support" under "User Information."
** Click "Configure LDAP."
** Check "Use TLS to encrypt connections," download CA certificate, and give the URL: http://nuclear.unh.edu/~maurik/unh_physics_ca.crt
** LDAP search base DN: dc=physics,dc=unh,dc=edu
** LDAP server: ldap://einstein.unh.edu
** Check "Enable LDAP support" under "Authentication."
** Click OK
* On Date and Time, go to the Network Time Protocol tab and check "enable network time protocol."
* Sending profile is optional
* GDM will come up, Ctrl-Alt-F2 to get to a commandline. Log in as root.
* <code>system-config-network</code>
** Configure eth0
*** Name: UNH
*** Static IP
*** Netmask: 255.255.252.0
*** Gateway: 132.177.88.1
*** Primary DNS: 132.177.88.52
*** Secondary DNS: 132.177.128.99
* Edit /etc/sysconfig/networking/profile/default/hosts
** Add "132.177.88.52 einstein einstein.unh.edu" to the file.
* Edit /etc/sysconfig/networking/profile/default/ifcfg-unh
** Change the file so that it has ONBOOT=yes
* <code>service NetworkManager restart</code>
* Make everyone happy: <code>yum install vim emacs</code>
* <code>yum install autofs</code>
* <code>scp nuclear.unh.edu:/etc/auto.* /etc/</code> (remember, nuclear is roentgen!)
* <code>service autofs start; chkconfig --add autofs</code>
* Edit /etc/openldap/ldap.conf
** Change the URI line to "URI ldap://einstein.unh.edu/" if it isn't already.
* Edit /etc/ldap.conf
** Change the line with bind_policy to "bind_policy soft" in order to avoid lockups when einstein can't be reached.
* Edit /etc/sudoers
** Add "%domain_admins ALL=(ALL) ALL" right below "root ALL=(ALL) ALL"
* Edit /etc/sysconfig/selinux
** Change the line with SELINUX=enforcing to "SELINUX=disabled" because selinux is a pain.
* chkconfig sshd on
* reboot

You should now be good to go!

If you want rpmfusion for extra packages and proprietary drivers:

<code>rpm -Uvh http://download1.rpmfusion.org/free/fedora/rpmfusion-free-release-stable.noarch.rpm http://download1.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-stable.noarch.rpm</code>
 
 
 
== Fedora 13 ==

The above instructions should work for Fedora 13 with one exception. It appears that unless NFS can do a DNS reverse lookup on a server's IP address it will not work properly. I'm not sure why this changed from the previous version of Fedora, but what it means in practical terms is that home folders won't work correctly on Fedora 13 machines. They'll mount, but you'll have weird issues like browsers being unable to load saved profile information.

The simple fix for this is to add a line to /etc/hosts for the file server, so it should look something like this for machines in the server room:

<code>10.0.0.240    npghome npghome.farm.physics.unh.edu</code>

or this for machines outside the server room:

<code>132.177.91.210    npghome npghome.unh.edu</code>

It doesn't appear that there are problems with any of the other NFS mounts, but they haven't been tested extensively either. This is an issue we should watch if we begin upgrading workstations to Fedora 13.
 
 
 
== Ubuntu 9.04 Howto ==

It's best to not use Ubuntu 9.04 at this time. There are issues with binding as an anonymous user for password authentication. Autofs and getent passwd work fine with the following instructions, but without password authentication, the workstation is useless. If we were willing to set up a proxy user for ldap searching purposes, we could use Ubuntu, but I'm currently unwilling to do this, as I feel it's a security risk.

* Install as usual, making a user called "localuser" with the root password. We'll be deleting this account later.
* Log in as localuser
* System > Preferences > Network Connections
** Delete the connection "auto eth0"
** Add a connection, name it "unh", set the appropriate manual IP.
* <code>sudo apt-get update</code>
* <code>sudo apt-get install libpam-ldap libnss-ldapd nss-updatedb libnss-db ldap-auth-client ldap-utils</code>
** When asked, set the following:
*** LDAP server URI: ldap://einstein.unh.edu
*** Search base DN: dc=physics,dc=unh,dc=edu
*** On services, check off passwd, shadow, groups.
*** Say no to making root the database admin.
* <code>cd /etc/ssl/certs</code>
* <code>wget http://nuclear.unh.edu/~maurik/unh_physics_ca.crt</code>
* Edit /etc/ldap.conf:
** bind_policy soft
** ssl start_tls
** tls_cacertdir /etc/ssl/certs
* <code>sudo apt-get install autofs nfs-common</code>
* <code>sudo scp nuclear.unh.edu:/etc/auto.* /etc/</code> (remember nuclear is roentgen!)
* <code>sudo service autofs restart</code>
* <code>sudo apt-get install openssh-server</code>
* <code>sudo service sshd restart</code>
 

Latest revision as of 21:41, 10 February 2015

A simple n-step process to set up a client lickety-split:

CentOS 7

  1. Run the CentOS installer disk.
    1. Localization:
      1. Date & Time: Americas/New York
      2. Keyboard: English (US)
      3. Language Support: English (United States)
    2. Software:
      1. Installation Source: Local Media
      2. Software Selection: Select GNOME Desktop with the following Add-ons:
        1. GNOME Applications
        2. Internet Applications
        3. Office Suite and Productivity
        4. Compatibility Libraries
    3. Installation Destination: Disk to be installed (Note that Automatic Partitioning is suggested. You may need to reclaim space if the drive is not new).
    4. Network and Hostname:
      1. For wired clients:
        1. First select "Configure" in the bottom right.
        2. In the General tab, select "Automatically connect to this network when it is available".
        3. In the IPv4 Settings tab, select Manual for the Method.
        4. Add an appropriate IP, Netmask, and Gateway (these are assigned to us by the UNH network, if you don't know the IP to give it, use DHCP instead).
        5. Add the appropriate DNS servers.
        6. Add "unh.edu" as the Search Domain.
        7. Save the configuration.
      2. (TODO: Figure out how to set up wireless clients with OpenVPN.)
      3. Set the hostname in the bottom left corner (this should include the domain, e.g. 'benfranklin.unh.edu')
    5. Select Begin Installation
    6. Set the root password.
    7. Create a user with the following credentials:
      1. Full name: Test
      2. Username: test
      3. Uncheck 'Make this user administrator'
      4. Check 'Require a password to use this account'
      5. Set a secure password (even though this account is temporary, the computer may still be vulnerable to network attacks).
  2. Reboot
  3. Accept the EULA and select 'Finish Configuration'
  4. Kdump: Leave at default settings
  5. Log in to the Test account and proceed to set up SSSD, Automount, and Printer.