Difference between revisions of "Client Recipe"

From Nuclear Physics Group Documentation Pages
Line 88: Line 88:
  
 
== Ubuntu 9.04 Howto ==
 
== Ubuntu 9.04 Howto ==
 +
 +
It's best to not use Ubuntu 9.04 at this time. There are issues with binding as an anonymous user for password authentication. Autofs and getent password work fine with the following instructions, but without password authentication, the workstation is useless. If we were willing to set up a proxy user for ldap searching purposes, we could use Ubuntu, but I'm currently unwilling to do this, as I feel it's a security risk.
  
 
* Install as usual, making a user called "localuser" with the root password. We'll be deleting this account later.
 
* Install as usual, making a user called "localuser" with the root password. We'll be deleting this account later.
 
* Log in as localuser
 
* Log in as localuser
 +
* System > Preferences > Network Connections
 +
** Delete the connection "auto eth0"
 +
** Add a connection, name it "unh", set the appropriate manual IP.
 +
* sudo apt-get update
 
* sudo apt-get install libpam-ldap libnss-ldapd libnss-ldapd nss-updatedb libnss-db ldap-auth-client ldap-utils
 
* sudo apt-get install libpam-ldap libnss-ldapd libnss-ldapd nss-updatedb libnss-db ldap-auth-client ldap-utils
* sudo auth-client-config -a -p lac_ldap
+
** When asked, set the following:
 +
ldap://einstein.unh.edu
 +
dc=physics,dc=unh,dc=edu
 +
on services, check off passwd, shadow, groups.
 +
say no to making root the database admin
 +
* cd /etc/ssl/certs
 +
* wget http://nuclear.unh.edu/~maurik/unh_physics_ca.crt
 +
* edit /etc/ldap.conf:
 +
** bind_policy soft
 +
** ssl start_tls
 +
** tls_cacertdir /etc/ssl/certs
 
* sudo apt-get install autofs nfs-common
 
* sudo apt-get install autofs nfs-common
 
* sudo scp nuclear.unh.edu:/etc/auto.* /etc/ (remember nuclear is roentgen!)
 
* sudo scp nuclear.unh.edu:/etc/auto.* /etc/ (remember nuclear is roentgen!)
 
* sudo service autofs restart
 
* sudo service autofs restart
*
+
* sudo apt-get install openssh-server
 +
* sudo service sshd restart
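Review bot: the `apt-get install` line in this hunk lists `libnss-ldapd` twice; drop the duplicate. In the added lines, `sudo service sshd restart` will fail on Ubuntu, where the openssh-server init script is named `ssh` (use `sudo service ssh restart`), and the `cd /etc/ssl/certs` / `wget` pair runs without sudo although /etc/ssl/certs is root-owned. The CA certificate that anchors `ssl start_tls` is fetched over plain http, so add a step to compare its fingerprint (`openssl x509 -noout -fingerprint -in unh_physics_ca.crt`) with the copy on einstein before trusting it; if Ubuntu's GnuTLS-linked libldap ignores `tls_cacertdir`, point `tls_cacertfile` at that file instead. The empty `*` bullet before the openssh-server step should also be removed.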

Revision as of 18:17, 6 October 2009

A simple n-step process to set up a client lickety-split:

  1. Install Fedora in the typical fashion, skipping the steps for creating a default user and network authentication
    1. When configuring network authentication, check LDAP configuration, and download the certificate from http://nuclear.unh.edu/~maurik/unh_physics_ca.crt
  2. Log in as root
  3. Disable NetworkManager if it hasn't already been disabled. (hint: chkconfig)
  4. Run system-config-network
  5. If there isn't one already, add an ethernet device on eth0.
  6. If this client is not in the server room (and therefore not going to use a VLAN), skip to the next full step
    1. Choose to statically set the IP address to an available local number (10.0.0.*)
    2. Give the device the alias "farm".
    3. Make sure it has onboot=yes so that it automatically comes up
    4. Run vconfig add eth0 2 to create a virtual device "eth0.2" while the network is up. Might need to run ifup eth0.
    5. Use system-config-network to add an ethernet device to eth0.2
  7. Alias it "unh"
  8. Make sure it has onboot=yes so that it automatically comes up
  9. Choose to statically set the IP address to whatever was registered for the client
  10. Set the gateway to 132.177.88.1
  11. Under the general network configuration "DNS" tab, put the appropriate IPs of einstein and roentgen for primary and secondary DNS (local for farm as the primary connection, unh for unh as the primary connection)
  12. Save the changes made with system-config-network
  13. If a virtual device was added:
    1. Open /etc/sysconfig/network-scripts/ifcfg-unh in a text editor
    2. Add the line VLAN=yes, and save
  14. If there are any more devices already present, disable, remove or configure them as well. Whatever you do, don't leave them defaulted to DHCP mode, otherwise their existence will change /etc/resolv.conf!
  15. Run gtk-authconfig
  16. Check "Enable LDAP Support" under the "User Information" and "Authentication" tabs
  17. Click "Configure LDAP..."
  18. The base DN is dc=physics,dc=unh,dc=edu and the server is einstein.unh.edu.
  19. "Download CA Certificate" doesn't ever seem to work, so get "unh_physics_ca.crt" from einstein and put it in /etc/openldap/cacerts (hint: scp).
  20. Click OK in LDAP Settings.
  21. Click OK in authconfig
    1. If this is an Ubuntu workstation, /etc/openldap is actually /etc/ldap, or something like that. It'll make sense when you see it.
  22. Disable SELinux
  23. Install autofs
  24. Copy the appropriate content into the Autofs Configuration Files
    1. If this is an Ubuntu workstation, you most likely need to install the package nfs-common.
  25. Reboot

ALSO NEEDS THE IPTABLES SETUP!

Fedora 11 Howto

From livecd:

  • Double click "install to hard drive."
  • Provide a hostname.
  • Use default partitioning unless this is a special case.
    • This will make /boot the first partition, LVM the second, and / and swap on the LVM.
  • Wait for the install to finish.
  • Reboot, remove cd, boot into new install
  • On "Create User," select network login.
    • Select "Enable LDAP support" under "User Information."
    • Click "Configure LDAP."
    • Check "Use TLS to encrypt connections," download CA certificate, and give the URL: http://nuclear.unh.edu/~maurik/unh_physics_ca.crt
    • LDAP search base DN: dc=physics,dc=unh,dc=edu
    • LDAP server: ldap://einstein.unh.edu
    • Check "Enable LDAP support" under "Authentication."
    • Click OK
  • On Date and Time, go to the Network Time Protocol tab and check "enable network time protocol."
  • Sending profile is optional
  • GDM will come up, Ctrl-Alt-F2 to get to a commandline. Log in as root.
  • yum install autofs
  • scp nuclear.unh.edu:/etc/auto.* /etc/ (remember, nuclear is roentgen!)
  • service autofs start; chkconfig --add autofs
  • system-config-network
    • Configure eth0
      • Name: UNH
      • Static IP
      • Netmask: 255.255.252.0
      • Gateway: 132.177.88.1
      • Primary DNS: 132.177.88.52
      • Secondary DNS: 132.177.128.99
  • Edit /etc/sysconfig/networking/profile/default/hosts
    • Add "132.177.88.52 einstein einstein.unh.edu" to the file.
  • Edit /etc/sysconfig/networking/profile/default/ifcfg-unh
    • Change the file so that it has ONBOOT=yes
  • service NetworkManager restart
  • Edit /etc/openldap/ldap.conf
    • Change the URI line to "URI ldap://einstein.unh.edu/" if it isn't already.
  • Edit /etc/ldap.conf
    • Change the line with bind_policy to "bind_policy soft" in order to avoid lockups when einstein can't be reached.
  • Edit /etc/sudoers
    • Add "%domain_admins ALL=(ALL) ALL" right below "root ALL=(ALL) ALL"
  • Make everyone happy: yum install vim emacs
  • Disable SELinux.

If you want rpmfusion for extra packages and proprietary drivers: rpm -Uvh http://download1.rpmfusion.org/free/fedora/rpmfusion-free-release-stable.noarch.rpm http://download1.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-stable.noarch.rpm


Ubuntu 9.04 Howto

It's best to not use Ubuntu 9.04 at this time. There are issues with binding as an anonymous user for password authentication. Autofs and getent password work fine with the following instructions, but without password authentication, the workstation is useless. If we were willing to set up a proxy user for ldap searching purposes, we could use Ubuntu, but I'm currently unwilling to do this, as I feel it's a security risk.

  • Install as usual, making a user called "localuser" with the root password. We'll be deleting this account later.
  • Log in as localuser
  • System > Preferences > Network Connections
    • Delete the connection "auto eth0"
    • Add a connection, name it "unh", set the appropriate manual IP.
  • sudo apt-get update
  • sudo apt-get install libpam-ldap libnss-ldapd nss-updatedb libnss-db ldap-auth-client ldap-utils
    • When asked, set the following:
      • LDAP server: ldap://einstein.unh.edu
      • Search base DN: dc=physics,dc=unh,dc=edu
      • On services, check off passwd, shadow, groups.
      • Say no to making root the database admin.
  • cd /etc/ssl/certs
  • wget http://nuclear.unh.edu/~maurik/unh_physics_ca.crt
  • edit /etc/ldap.conf:
    • bind_policy soft
    • ssl start_tls
    • tls_cacertdir /etc/ssl/certs
  • sudo apt-get install autofs nfs-common
  • sudo scp nuclear.unh.edu:/etc/auto.* /etc/ (remember nuclear is roentgen!)
  • sudo service autofs restart
  • sudo apt-get install openssh-server
  • sudo service sshd restart
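An offline sanity check for the /etc/ldap.conf settings that both the Fedora 11 recipe and the Ubuntu 9.04 recipe above edit (ssl start_tls, bind_policy soft, tls_cacertdir, plus the base DN and server). This is an added example, not a script from the wiki or the group; it assumes the PADL-style "key value" syntax of /etc/ldap.conf and also accepts tls_cacertfile as an alternative to tls_cacertdir, and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the wiki page: a read-only sanity check for the
# pam_ldap/nss_ldap settings that the Fedora 11 and Ubuntu 9.04 recipes put in
# /etc/ldap.conf.  Usage: check_ldap_conf /etc/ldap.conf  (exit 0 = all present)

# Return 0 if file $1 has a non-comment line "key value" equal to "$2 $3".
has_setting() {
    # Drop comments, squeeze whitespace, trim, then match the whole line.
    sed -e 's/#.*//' -e 's/[[:space:]]\{1,\}/ /g' -e 's/^ //' -e 's/ $//' "$1" \
        | grep -qx "$2 $3"
}

# Print the value of the first non-comment line in file $1 whose key is $2.
setting_value() {
    sed -n -e 's/#.*//' -e 's/[[:space:]]*$//' \
        -e "s/^[[:space:]]*$2[[:space:]]\{1,\}//p" "$1" | head -n 1
}

check_ldap_conf() {
    f=$1; rc=0
    has_setting "$f" ssl start_tls \
        || { echo "missing: ssl start_tls (binds would cross the wire in clear)"; rc=1; }
    has_setting "$f" bind_policy soft \
        || { echo "missing: bind_policy soft (logins hang when einstein is unreachable)"; rc=1; }
    has_setting "$f" base dc=physics,dc=unh,dc=edu \
        || { echo "missing: base dc=physics,dc=unh,dc=edu"; rc=1; }
    case "$(setting_value "$f" uri) $(setting_value "$f" host)" in
        *einstein.unh.edu*) ;;
        *) echo "missing: uri/host pointing at einstein.unh.edu"; rc=1 ;;
    esac
    # Trust anchor for start_tls: either a single CA file, or a directory that
    # must contain the UNH CA certificate the recipe downloads.
    cafile=$(setting_value "$f" tls_cacertfile)
    cadir=$(setting_value "$f" tls_cacertdir)
    if [ -n "$cafile" ]; then
        [ -f "$cafile" ] || { echo "CA file not found: $cafile"; rc=1; }
    elif [ -n "$cadir" ]; then
        [ -f "$cadir/unh_physics_ca.crt" ] \
            || { echo "CA file not found: $cadir/unh_physics_ca.crt"; rc=1; }
    else
        echo "missing: tls_cacertfile or tls_cacertdir (server cert cannot be verified)"
        rc=1
    fi
    return $rc
}
```

Run it after the "edit /etc/ldap.conf" step; a non-zero exit lists each setting that is absent, which is the usual cause of clear-text binds or a workstation that hangs at login.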