====== SL7 installation ======

<code>
systemd-analyze
systemctl list-unit-files --type=service
hostnamectl status
hostnamectl set-hostname alexandria.aoe.vt.edu
</code>

===== Mac Style natural scrolling =====

<code>
sudo xmodmap -e "pointer = 1 2 3 5 4 7 6 8 9 10 11 12"
</code>

Then press Alt-F2, enter gnome-session-properties and add a startup entry:
<code>
xmodmap -e "pointer = 1 2 3 5 4 7 6 8 9 10 11 12"
</code>

===== Add VT yum repo servers =====

In /etc/yum.repos.d/sl7:
<code>
baseurl=http://mirror.cc.vt.edu/pub3/scientific/$slreleasever/$basearch/os/
</code>
<code>
yum -y update
</code>

===== Update Time server sources =====

  * ntp or chronyd
  * modify /etc/ntp/step-tickers to add ntp-[1-4].vt.edu for ???
  * modify /etc/chrony.conf for chrony
<code>
systemctl restart chronyd.service
</code>

===== Forward system email =====

<code>
cat > /root/.forward
root@aoe.vt.edu
(Ctrl-d)
restorecon -v /root/.forward
</code>

===== Install Local software =====

<code>
yum -y install yum-updateonboot
chkconfig yum-updateonboot on
yum update
</code>
Add a daily check to root's crontab (crontab -e); the second check-update only runs, and so only produces mail, when the first one reports pending updates:
<code>
@daily yum check-update > /dev/null || yum check-update
</code>
<code>
yum -y install yum-priorities
yum -y install elrepo-release epel-release
yum -y install freerdp lynx vim-X11 gettext-devel denyhosts gnuplot subversion compat-gcc-34-g77 lyx numpy scipy lapack python-matplotlib ksh screen libXp qtwebkit logwatch openmotif colordiff htop octave gsl
</code>
To use xfreerdp (gl-gauss or the roycfd lab machines):
<code>
xfreerdp -d aoe -u stedwar1 gl-gauss.aoe.vt.edu
</code>
<code>
yum -y groupinstall "Development Tools"
yum -y install git gitk emacs
yum -y install openmpi-devel
</code>
For other (??) software:
<code>
yum -y install compat-libstdc++-33
</code>
For Dakota, which asks for libXm.so.2; it is in a motif package called lesstif:
<code>
yum -y install lesstif
</code>
For compiling OpenFOAM (not tested with OpenFOAM; may not be required):
<code>
yum install yum-conf-softwarecollections
yum install devtoolset-3
yum install devtoolset-3-runtime devtoolset-3-gcc.x86_64 devtoolset-3-gcc-c++.x86_64
</code>
From user mode:
<code>
$ scl enable devtoolset-3 bash
</code>
(CGAL is also needed, from dl-atrpms.)

To compile 32 bit code on 64 bit installs:
<code>
yum install glibc-devel.i686 libgcc.i686 libstdc++-devel.i686
</code>
Patran ??
<code>
export LC_ALL=C
</code>

Add this line to use the common modulefiles, which come with openmpi:
<code>
cat >> /usr/share/Modules/init/.modulespath
/aoe/etc/modulefiles
</code>

?? yum groupinstall "TeX support" for Xiao

?? yum install scitool* ipython* (check the wildcard results)

Also for Dr Xiao: EPD (Enthought Python Distribution), matplotlib.

Video for SL 6:
<code>
yum install yum-priorities
yum install rpmforge-release
yum install compat-libstdc++-33 libdvdcss libdvdread libdvdplay libdvdnav lsdvd libquicktime
yum install flash-plugin mplayer mplayer-gui gstreamer-ffmpeg gstreamer-plugins-ugly
yum install ffmpeg ffmpeg-devel mplayer mencoder
</code>

Kernel exclusions (optional, if needed; untested on SL7). yum autoupdate exclusions are listed in /etc/sysconfig/yum-autoupdate:
<code>
EXCLUDE="kernel* openafs* *-kmdl-* kmod-* *firmware*"
</code>
To disable kernel updates when using the command line (this was required on typhon and apogee because a kernel update broke the graphics), edit /etc/yum.conf and add:
<code>
EXCLUDE=kernel
</code>
or specific versions:
<code>
EXCLUDE=kernel-2.6.32-220*
</code>
or
<code>
EXCLUDE=kernel-2.6.32-220.2.1.el6.x86_64
</code>
To temporarily override the exclusion:
<code>
yum --disableexcludes=all update
</code>
or for a specific kernel:
<code>
yum --disableexcludes=all update kernel-2.6.32-220.2.1.el6.x86_64
</code>
apogee and typhon also needed reboot=pci added to the kernel line in grub.conf:
<code>
kernel /vmlinuz-2.6.32-131.0.15.el6.x86_64 ro root=/dev/mapper/vg_apogee-lv_root rd_LVM_LV=vg_apogee/lv_root rd_LVM_LV=vg_apogee/lv_swap rd_NO_LUKS rd_NO_MD rd_NO_DM LANG=en_US.UTF-8 SYSFONT=latarcyrheb-sun16 KEYBOARDTYPE=pc KEYTABLE=us rhgb reboot=pci
</code>

===== Disable "show user accounts" =====

Edit the file
<code>
vim /etc/gconf/gconf.xml.defaults/%gconf-tree.xml
</code>
and change the boolean for disable_user_list from false to true.

===== Disable Root Access via ssh =====

In /etc/ssh/sshd_config set:
<code>
PermitRootLogin no
</code>
then
<code>
systemctl restart sshd.service
</code>

===== ssh login speed and login persistence tweaks (optional) (untested on sl7) =====

In /etc/ssh/sshd_config:
<code>
ClientAliveInterval 120
UseDNS no
</code>
<code>
service sshd restart
</code>
In /etc/ssh/ssh_config:
<code>
ServerAliveInterval 120
</code>
In /etc/resolv.conf:
<code>
options single-request-reopen
</code>

===== firewalld =====

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Using_Firewalls.html

Graphical configuration: firewall-config. Command line configuration: firewall-cmd.

The configuration for firewalld is stored in various XML files in /usr/lib/firewalld/ (don't edit these) and /etc/firewalld/. See the firewalld.richlanguage(5) man page for more examples.

<code>
cat /etc/firewalld/zones/public.xml
</code>
<code>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
</zone>
</code>

===== Network Manager and the config scripts =====

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Networking_Guide/sec-Using_the_NetworkManager_Command_Line_Tool_nmcli.html

<code>
systemctl start|stop|restart|status network
nmcli connection reload
nmcli con load /etc/sysconfig/network-scripts/ifcfg-ifname
nmcli dev disconnect interface-name
nmcli con up interface-name
</code>

===== LDAP =====

<code>
system-config-authentication
</code>
User Account Database: ldap. Download the CA certificate from https://www.dept.aoe.vt.edu/~stedwar1/aoe-neptune.crt

===== Kerberos Settings =====

  * Realm: AOE.VT.EDU
  * KDC: neptune.aoe.vt.edu
  * Admin Server: neptune.aoe.vt.edu
Leave the "Use DNS" checkboxes cleared.

===== Name Service Switch =====

In /etc/nsswitch.conf, remove nis from the hosts line:
<code>
vim /etc/nsswitch.conf
</code>
<code>
#hosts:     db files nisplus nis dns
hosts:      files nis dns
</code>
should be:
<code>
#hosts:     db files nisplus nis dns
hosts:      files dns
</code>

===== Add sudoers =====

<code>
visudo
</code>
After:
<code>
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
</code>
(Some items are optional, for audit data collection.) Add:
<code>
%bigwheel ALL=(ALL) ALL
</code>
On local-user-only machines:
<code>
steve ALL=(ALL) ALL
</code>
Also add in the appropriate sections:
<code>
aoebackup ALL= NOPASSWD:/usr/bin/rsync
stedwar1 ALL= NOPASSWD:/bin/netstat,/sbin/iptables,/sbin/iptables-save,/sbin/ip6tables,/sbin/ip6tables-save
steve ALL= NOPASSWD:/bin/netstat,/sbin/iptables,/sbin/iptables-save,/sbin/ip6tables,/sbin/ip6tables-save
</code>
and
<code>
Defaults:aoebackup,steve !requiretty
</code>
or
<code>
Defaults:aoebackup,stedwar1 !requiretty
</code>

===== AOE Domain Software =====

==== first, add access to alexandria ====

Modify as required. Add the host to the hosts file:
<code>
vim /etc/hosts
</code>
To modify the running iptables, list the rules with line numbers:
<code>
iptables -L --line-numbers
</code>
Pick a place to insert the rule and add the new rule:
<code>
iptables -I INPUT 56 -s apogee.aoe.vt.edu -j ACCEPT
</code>
Add the entry to the startup file for iptables:
<code>
vim /etc/sysconfig/iptables
</code>
The script in /home/sysadmin/bin/exports generates the exports text and sends it to stdout. Pipe the output to the /etc/exports file:
<code>
vim /home/sysadmin/bin/exports/exports.sh
/home/sysadmin/bin/exports/exports.sh > /etc/exports
exportfs -ra
</code>
Old vim replace command that can be used on the /etc/exports file for temporary changes:
<code>
:%s/aphrodite.aoe.vt.edu(rw,sync,root_squash) \\\n/altus.aoe.vt.edu(rw,sync,root_squash) \\\r aphrodite.aoe.vt.edu(rw,sync,root_squash) \\\r/
</code>

===== then add the mounts in the new Linux machine =====

Go back to the new Linux box. **Be very careful here!** Add the line to /etc/fstab:
<code>
cat >> /etc/fstab
alexandria:/export/apps/aoe-linux-x86_64 /aoe nfs tcp 0 0
</code>
Then run these commands:
<code>
mkdir /aoe
mount /aoe
cd /etc/profile.d
ln -s /aoe/etc/aoe_profile.sh
ln -s /aoe/etc/aoe_profile.csh
</code>

===== Local Directories =====

<code>
mkdir /l
chown root:root /l
chmod 777 /l
</code>

===== boot screen =====

<code>
plymouth-set-default-theme details --rebuild-initrd
</code>

===== Logging =====

<code>
yum install openswan
</code>
Place neptune's CA certificate in openssl's CA list. Use the pem from the authconfig download step.
<code>
cp /etc/openldap/cacerts/authconfig_downloaded.pem /etc/pki/tls/certs/aoe-ca.pem
ln -s /etc/pki/tls/certs/aoe-ca.pem /etc/pki/tls/certs/`openssl x509 -hash -noout -in /etc/pki/tls/certs/aoe-ca.pem`.0
yum install rsyslog-gnutls
cd /etc/pki/rsyslog
openssl genrsa -out key.pem 2048
chmod 400 key.pem
openssl req -new -key key.pem -out request-$(hostname -s).req -config /aoe/etc/openssl.cnf -nodes
openssl req -text -in request-$(hostname -s).req -noout -verify
</code>
Copy the CSR to neptune:
<code>
chmod 600 request*
scp request* stedwar1@alexandria.aoe.vt.edu:~/sandbox/openssl/rsyslog
</code>
Perform these steps on neptune:
<code>
PS> certreq.exe -submit -attrib "CertificateTemplate:WebServerLoghostIPSec" ./request-traininglt.req training.cer
</code>
If manual approval is required, find the issued certificate in the CA and open it. Select the Details tab and click "Copy to File". Select Base-64 encoded and click "Next". Click Browse and navigate to the desired folder on the Z: drive to place the certificate. Name it cert-<short hostname>.

Copy the cert back to the client and rename it. From the Linux client (check the file extension, as the export may append .cer):
<code>
scp stedwar1@alexandria.aoe.vt.edu:~/sandbox/openssl/rsyslog/cert-$( hostname -s ).cer cert.pem
</code>
Fix selinux on the certificate files:
<code>
restorecon -RvF /etc/pki
</code>
<code>
cat >> /etc/rsyslog.d/tls.conf
</code>
<code>
# extra config file for rsyslog to be placed in /etc/rsyslog.d to enable
# tls for rsyslog.
# make gtls driver the default
$DefaultNetstreamDriver gtls
# certificate files
$DefaultNetstreamDriverCAFile /etc/pki/tls/certs/aoe-ca.pem
$DefaultNetstreamDriverCertFile /etc/pki/rsyslog/cert.pem
$DefaultNetstreamDriverKeyFile /etc/pki/rsyslog/key.pem
$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverPermittedPeer artemis.aoe.vt.edu
$ActionSendStreamDriverMode 1 # run driver in TLS-only mode
#*.* @@central.example.net:10514 # forward everything to remote server
</code>
In /etc/rsyslog.conf, after the following lines:
<code>
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
</code>
add the whole line (the commented loghost line is the stock example; the @@ line is the TLS forward):
<code>
#*.info;authpriv.none @loghost
*.info;authpriv.none @@artemis.aoe.vt.edu:6514
</code>
From artemis, watch the log:
<code>
[root@artemis ~]# watch 'tail -1000 /var/log/messages|grep -v FIREWALL|grep -v last|tail -30'
</code>
On the client:
<code>
service rsyslog restart
logger test
</code>

===== ldap/kerberos =====

/etc/openldap/ldap.conf:
<code>
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writeable.

#BASE   dc=example,dc=com
#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never
TLS_CACERTDIR /etc/openldap/cacerts
# maxssf=0: no SASL (GSSAPI) security layer is negotiated on the connection
SASL_SECPROPS maxssf=0
#TLS_REQCERT never
#TLS_REQCERT allow
# Turning this off breaks GSSAPI used with krb5 when rdns = false
SASL_NOCANON on
#URI ldap://neptune.aoe.vt.edu/
#BASE dc=aoe,dc=vt,dc=edu
# Enable debugging
logdir /var/log
debug 255
</code>
Enter the computer name in DNS and make sure reverse lookups get updated.
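Two of the settings above are worth re-checking after every install: PermitRootLogin in sshd_config, and that the rsyslog forward to artemis is TLS-only with the peer name verified rather than the stock plaintext @loghost line. The script below is an added example, not part of the original wiki page; it reads the files this page edits (/etc/ssh/sshd_config, /etc/rsyslog.d/tls.conf, /etc/rsyslog.conf), the function names are its own, and demo_selftest runs the checks on constructed copies of this page's configuration lines.

```shell
#!/bin/sh
# Added post-install audit (not from the original page) of the sshd and
# rsyslog settings this page edits by hand. Paths are parameters so the
# checks can also run against staged copies of the files.

# first_directive FILE KEY: value of the first active (uncommented) KEY line.
# sshd_config uses first-match semantics, so this is the effective value.
first_directive() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# last_directive KEY FILE...: value of the last active KEY line across FILEs.
# rsyslog legacy $Directives are overridden by later occurrences.
last_directive() {
    local key="$1"; shift
    awk -v key="$key" '$1 == key { v = $2 } END { print v }' "$@"
}

# audit_sshd FILE: 0 if root ssh login is disabled, 1 otherwise.
audit_sshd() {
    local v
    v=$(first_directive "$1" PermitRootLogin)
    [ "$v" = "no" ] && return 0
    echo "sshd: PermitRootLogin is '${v:-unset}', expected 'no'" >&2
    return 1
}

# audit_rsyslog_tls TLSCONF MAINCONF: 0 only if the gtls driver is forced into
# TLS-only mode with x509/name peer verification, an active @@host (TCP)
# forward exists, and no plaintext UDP (@host) forward is still active.
audit_rsyslog_tls() {
    local rc=0 v
    v=$(last_directive '$DefaultNetstreamDriver' "$@")
    [ "$v" = "gtls" ] || { echo "rsyslog: driver '${v:-unset}', expected gtls" >&2; rc=1; }
    v=$(last_directive '$ActionSendStreamDriverMode' "$@")
    [ "$v" = "1" ] || { echo "rsyslog: mode '${v:-unset}' is not TLS-only (1)" >&2; rc=1; }
    v=$(last_directive '$ActionSendStreamDriverAuthMode' "$@")
    [ "$v" = "x509/name" ] || { echo "rsyslog: auth mode '${v:-unset}' does not verify the peer name" >&2; rc=1; }
    v=$(last_directive '$ActionSendStreamDriverPermittedPeer' "$@")
    [ -n "$v" ] || { echo "rsyslog: no permitted peer configured" >&2; rc=1; }
    # an active forwarding rule: selector, whitespace, @@host[:port]
    grep -Eq '^[^#].*[[:space:]]@@[^[:space:]]+' "$@" \
        || { echo "rsyslog: no active @@host forwarding rule" >&2; rc=1; }
    # a single @ is UDP: plaintext and unauthenticated
    if grep -Eq '^[^#].*[[:space:]]@[^@[:space:]]' "$@"; then
        echo "rsyslog: plaintext UDP (@host) forward is still active" >&2; rc=1
    fi
    return $rc
}

# audit_host: run both checks against the live paths used on this page.
audit_host() {
    local rc=0
    audit_sshd /etc/ssh/sshd_config || rc=1
    audit_rsyslog_tls /etc/rsyslog.d/tls.conf /etc/rsyslog.conf || rc=1
    return $rc
}

# demo_selftest: run the checks on constructed copies of this page's config
# lines (a hardened pair and a plaintext pair). Returns 0 when the hardened
# pair passes and the plaintext pair is rejected.
demo_selftest() {
    local d rc=0
    d=$(mktemp -d) || return 1
    printf '#PermitRootLogin yes\nPermitRootLogin no\nUseDNS no\n' > "$d/sshd_good"
    printf 'PermitRootLogin yes\n' > "$d/sshd_bad"
    printf '$DefaultNetstreamDriver gtls\n$ActionSendStreamDriverAuthMode x509/name\n$ActionSendStreamDriverPermittedPeer artemis.aoe.vt.edu\n$ActionSendStreamDriverMode 1 # run driver in TLS-only mode\n' > "$d/tls.conf"
    printf '#*.info;authpriv.none @loghost\n*.info;authpriv.none @@artemis.aoe.vt.edu:6514\n' > "$d/main_good"
    printf '*.info;authpriv.none @loghost\n' > "$d/main_bad"
    audit_sshd "$d/sshd_good" 2>/dev/null || rc=1
    audit_sshd "$d/sshd_bad" 2>/dev/null && rc=1
    audit_rsyslog_tls "$d/tls.conf" "$d/main_good" 2>/dev/null || rc=1
    audit_rsyslog_tls "$d/tls.conf" "$d/main_bad" 2>/dev/null && rc=1
    rm -rf "$d"
    return $rc
}

if [ "${1:-}" = "--run" ]; then
    audit_host && echo "OK: root ssh disabled, log forwarding is TLS-only"
fi
```

Run it with --run on the installed machine; without arguments it only defines the functions so they can be sourced.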
==== Method 3 - realm command ====

Join the domain:
<code>
kinit stedwar1
realm join --computer-ou="ou=Unix-computers,ou=UnixOU,dc=aoe,dc=vt,dc=edu" --user-principal=host/trireme.aoe.vt.edu aoe.vt.edu
</code>
To leave the domain:
<code>
realm leave --remove -U stedwar1 aoe.vt.edu
</code>

==== Verify new keytab file ====

<code>
kinit -k -t /etc/krb5.keytab $host$
</code>
This requires that a UPN be specified when requesting the computer account with msktutil:
<code>
kinit -k -t /etc/krb5.keytab host/$host.aoe.vt.edu@AOE.VT.EDU
</code>
<code>
yum install openldap-clients
kinit stedwar1   # if not already done
ldapsearch -H ldaps://neptune.aoe.vt.edu -Y GSSAPI -N -b dc=aoe,dc=vt,dc=edu "(&(objectClass=user)(sAMAccountName=stedwar1))"
</code>

==== Configure sssd ====

<code>
cp -a /etc/sssd/sssd.conf /etc/sssd/sssd.conf.back
cat > /etc/sssd/sssd.conf
</code>
<code>
[domain/default]
debug_level = 9
cache_credentials = false
enumerate = false
ldap_id_mapping = false
id_provider = ad
auth_provider = ad
chpass_provider = ad
access_provider = ad
ad_domain = aoe.vt.edu
ad_server = neptune.aoe.vt.edu
#ldap_schema = ad
ldap_schema = rfc2307bis
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true
ldap_disable_referrals = true
# never: the LDAP server certificate is not validated (only matters if TLS/STARTTLS is used)
ldap_tls_reqcert = never
#
#ldap_id_use_start_tls = True
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_referrals = false
ldap_uri = ldap://neptune.aoe.vt.edu
#krb5_realm = AOE.VT.EDU
ldap_sasl_mech = gssapi
ldap_sasl_authid = host/trireme.aoe.vt.edu@AOE.VT.EDU
#krb5_keytab = /etc/krb5.keytab
ldap_krb5_init_creds = true
#ldap_force_upper_case_realm = true
#krb5_server = neptune.aoe.vt.edu
#krb5_kpasswd = neptune.aoe.vt.edu
ldap_tls_cacertdir = /etc/openldap/cacerts
autofs_provider=ldap
#autofs_provider=ad <--not implemented yet?
ldap_autofs_search_base=CN=ypServ30,CN=RpcServices,CN=System,dc=aoe,dc=vt,dc=edu
ldap_autofs_map_object_class = nisMap
ldap_autofs_entry_object_class = nisObject
ldap_autofs_map_name = nisMapName
ldap_autofs_entry_key = cn
ldap_autofs_entry_value = nisMapEntry
ldap_autofs_map_master_name = auto.master

[sssd]
services = nss, pam, autofs
config_file_version = 2
domains = default

[nss]

[pam]

[sudo]

[autofs]

[ssh]
</code>

===== Automount =====

<code>
vim /etc/sysconfig/autofs
</code>
Changes (the ... marks unchanged parts of the file):
<code>
#mount_nfs_default_protocol = 3
mount_nfs_default_protocol = 4
...
# logging - set default log level "none", "verbose" or "debug"
#
#logging = none
logging = verbose
...
#ldap_uri = ""
LDAP_URI="ldap://neptune.aoe.vt.edu"
...
#search_base = ""
SEARCH_BASE="CN=ypServ30,CN=RpcServices,CN=System,dc=aoe,dc=vt,dc=edu"
#
# Define the LDAP schema to used for lookups
#
# If no schema is set autofs will check each of the schemas
# below in the order given to try and locate an appropriate
# basdn for lookups. If you want to minimize the number of
# queries to the server set the values here.
#
map_object_class = nisMap
entry_object_class = nisObject
map_attribute = nisMapName
entry_attribute = cn
</code>

Complete /etc/autofs.conf:
<code>
#
# Define default options for autofs.
#
[ autofs ]
#
# master_map_name - default map name for the master map.
#
#master_map_name = auto.master
#
# timeout - set the default mount timeout in seconds. The internal
#           program default is 10 minutes, but the default installed
#           configuration overrides this and sets the timeout to 5
#           minutes to be consistent with earlier autofs releases.
#
timeout = 300
#
# negative_timeout - set the default negative timeout for
#                    failed mount attempts (default 60).
#
#negative_timeout = 60
#
# mount_wait - time to wait for a response from mount(8).
#              Setting this timeout can cause problems when
#              mount would otherwise wait for a server that
#              is temporarily unavailable, such as when it's
#              restarting. The default setting (-1) of waiting
#              for mount(8) usually results in a wait of around
#              3 minutes.
#
#mount_wait = -1
#
# umount_wait - time to wait for a response from umount(8).
#
#umount_wait = 12
#
# browse_mode - maps are browsable by default.
#
browse_mode = no
#
# mount_nfs_default_protocol - specify the default protocol used by
#                              mount.nfs(8). Since we can't identify
#                              the default automatically we need to
#                              set it in our configuration.
#
#mount_nfs_default_protocol = 3
mount_nfs_default_protocol = 4
#
# append_options - append to global options instead of replace.
#
#append_options = yes
#
# logging - set default log level "none", "verbose" or "debug"
#
#logging = none
logging = verbose
#
# Define base dn for map dn lookup.
#
# Define server URIs
#
# ldap_uri - space separated list of server uris of the form
#            <proto>://<server>[/] where <proto> can be ldap
#            or ldaps. The option can be given multiple times.
#            Map entries that include a server name override
#            this option.
#
#            This configuration option can also be used to
#            request autofs lookup SRV RRs for a domain of
#            the form <proto>:///[<domain dn>]. Note that a
#            trailing "/" is not allowed when using this form.
#            If the domain dn is not specified the dns domain
#            name (if any) is used to construct the domain dn
#            for the SRV RR lookup. The server list returned
#            from an SRV RR lookup is refreshed according to
#            the minimum ttl found in the SRV RR records or
#            after one hour, whichever is less.
#
#ldap_uri = ""
LDAP_URI="ldap://neptune.aoe.vt.edu"
#
# ldap_timeout - timeout value for the synchronous API calls
#                (default is LDAP library default).
#
#ldap_timeout = -1
#
# ldap_network_timeout - set the network response timeout (default 8).
#
#ldap_network_timeout = 8
#
# search_base - base dn to use for searching for map search dn.
#               Multiple entries can be given and they are checked
#               in the order they occur here.
#
#search_base = ""
SEARCH_BASE="CN=ypServ30,CN=RpcServices,CN=System,dc=aoe,dc=vt,dc=edu"
#
# Define the LDAP schema to used for lookups
#
# If no schema is set autofs will check each of the schemas
# below in the order given to try and locate an appropriate
# basdn for lookups. If you want to minimize the number of
# queries to the server set the values here.
#
map_object_class = nisMap
entry_object_class = nisObject
map_attribute = nisMapName
entry_attribute = cn
value_attribute= nisMapEntry
#
# Other common LDAP naming
#
#map_object_class = automountMap
#entry_object_class = automount
#map_attribute = ou
#entry_attribute = cn
#value_attribute= automountInformation
#
#map_object_class = automountMap
#entry_object_class = automount
#map_attribute = automountMapName
#entry_attribute = automountKey
#value_attribute= automountInformation
#
# auth_conf_file - set the default location for the SASL
#                  authentication configuration file.
#
auth_conf_file = /etc/autofs_ldap_auth.conf
#
# map_hash_table_size - set the map cache hash table size.
#                       Should be a power of 2 with a ratio roughly
#                       between 1:10 and 1:20 for each map.
#
#map_hash_table_size = 1024
#
#
# Options for the amd parser within autofs.
#
# amd configuration options that are aren't used, haven't been
# implemented or have different behaviour within autofs.
#
# A number of the amd configuration options are not used by autofs,
# some because they are not relevant within autofs, some because
# they are done differently in autofs and others that are not yet
# implemented.
#
# Since "mount_type" is always autofs (because there's no user space
# NFS server) the configuration entries relating to that aren't used.
# Also, server availability is done differently within autofs so the
# options that relate to the amd server monitoring sub-system are
# also not used.
#
# These options are mount_type, auto_attrcache, portmap_program,
# nfs_vers_ping, nfs_allow_any_interface, nfs_allow_insecure_port,
# nfs_proto, nfs_retransmit_counter, nfs_retransmit_counter_udp,
# nfs_retransmit_counter_tcp, nfs_retransmit_counter_toplvl,
# nfs_retry_interval, nfs_retry_interval_udp, nfs_retry_interval_tcp,
# nfs_retry_interval_toplvl and nfs_vers.
#
#
# Other options that are not used within the autofs implementation:
#
# log_file, truncate_log - autofs used either stderr when running in
#       the foreground or sends its output to syslog so an alternate
#       log file (or truncating the log) can't be used.
#
# print_pid - there's no corresponding option for this within autofs.
#
# use_tcpwrappers, show_statfs_entries - there's no user space NFS
#       server to control access to so this option isn't relevant.
#       The show_statfs_entries can't be implemented for the same
#       reason.
#
# debug_mtab_file - there's no user space NFS server and autofs
#       avoids using file based mtab whenever possible.
#
# sun_map_syntax - obviously, are provided by autofs itself.
#
# plock, show_statfs_entries, preferred_amq_port - not supported.
#
# ldap_cache_maxmem, ldap_cache_seconds - external ldap caching
#       is not used by autofs.
#
# ldap_proto_version - autofs always attempts to use the highest
#       available ldap protocol version.
#
# cache_duration, map_reload_interval, map_options - the map
#       entry cache is continually updated and stale entries
#       cleaned on re-load, which is done when map changes are
#       detected so these configuration entries are not used
#       by autofs.
#
# localhost_address - is not used within autofs. This
#       configuration option was only used in the amd user
#       space server code and is not relevant within autofs.
#
#
# Options that are handled differently within autofs:
#
# pid_file - must be given as a command line option on startup.
#
# print_version - program version and feature information is obtained
#       by using the automount command line option "-V".
#
# debug_options, log_options - autofs has somewhat more limited
#       logging and debug logging options. When the log_options
#       options is encountered it is converted to the nearest
#       matching autofs logging option. Since the configuration
#       option debug_options would be handled the same way it
#       is ignored.
#
# restart_mounts - has no sensible meaning within autofs because autofs
#       always tries to re-connect to existing mounts. While this
#       has its own set of problems not re-connecting to existing
#       mounts always results in a non-functional automount tree if
#       mounts were busy at the last shutdown (as is also the case
#       with amd when using mount_type autofs).
#
# forced_unmounts - detaching mounts often causes serious problems
#       for users of existing mounts. It is used by autofs in some
#       cases, either at the explicit request of the user (with a
#       command line or init option) and in some special cases during
#       program operation but is avoided whenever possible.
#
#
# A number of configuration options are not yet implemented:
#
# fully_qualified_hosts - not yet implemented.
#
# unmount_on_exit - since autofs always tries to re-connect
#       to mounts left mounted from a previous shutdown this
#       is a sensible option to implement and that will be
#       done.
#
# browsable_dirs - not yet implemented.
#
# exec_map_timeout - a timeout is not currently used for
#       for program maps, might be implemented.
#
# tag - the tag option is not implemented within autofs.
#
#
# Supported options:
#
# arch, karch, os, osver - these options default to what is returned
#       from uname(2) and can be overridden if required.
#
# full_os - has no default and must be set in the configuration
#       if used in maps.
#
# cluster - if not set defaults to the host domain name. This option
#       corresponds to the HP_UX cluster name (according to the amd
#       source) and is probably not used in Linux but is set anyway.
#
# vendor - has a default value of "unknown", it must be set in the
#       configuration if used in maps.
#
# auto_dir - is the base name of the mount tree used for external
#       mounts that are sometimes needed by amd maps. Its default
#       value is "/a".
#
# map_type - specifies the autofs map source, such as file, nis,
#       ldap etc. and has no default value set.
#
# map_defaults - is used to override /defaults entries within maps
#       and can be used to provide different defaults on specific
#       machines without having to modify centrally managed maps.
#       It is empty by default.
#
# search_path - colon separated paths to search for maps that
#       are not specified as a full path.
#
# dismount_interval - is equivalent to the autofs timeout option. It
#       is only possible to use this with type "auto" mounts due
#       to the way the autofs kernel module performs expiry. It
#       takes its default value from the autofs internal default
#       of 600 seconds.
#
# autofs_use_lofs - if set to "yes" autofs will attempt to use bind
#       mounts for type "auto" when possible.
#
# nis_domain - allows setting of a domain name other than the system
#       default.
#
# local_domain - is used to override (or set) the host domain name.
#
# normalize_hostnames - if set to "yes" then the contents of ${rhost}
#       is translated in its official host name.
#
# domain_strip - if set to "yes" the domain name part of the host
#       is stripped when normalizing hostnames. This can be useful
#       when using of the same maps in a multiple domain environment.
#
# normalize_slashes - is set to "yes" by default and will collapse
#       multiple unescaped occurrences of "/" to a single "/".
#
# selectors_in_defaults, selectors_on_default - has a default value
#       of "no". If set to "yes" then any defaults entry will be
#       checked for selectors to determine the values to be used.
#       selectors_in_defaults is the preferred option to use.
#
# ldap_base - has no default value. It must be set to the base dn
#       that is used for queries if ldap is to be used as a map
#       source.
#
# ldap_hostports - has no default value set. It must be set to
#       the URI of the LDAP server to be used for lookups when
#       ldap is used a map source. It may contain a comma or
#       space separated list of LDAP URIs.
#
# hesiod_base - the base name used for hesiod map sources.
#
# Additional configuration options added:
#
# linux_ufs_mount_type - set the default system filesystem type that's
#       used for mount type ufs. There's no simple way to determine
#       what the system default filesystem is and am-utils needs to
#       be continually updated to do this and can easily get it wrong
#       anyway.
#
#
# Define global options for the amd parser within autofs.
#
[ amd ]
#
# Override the internal default with the same timeout that
# is used by the override in the autofs configuration, sanity
# only change.
#
dismount_interval = 300
#
# map_type = file
#
# Overriding this can cause autofs to use less resources because
# it will use symlinks instead of bind mounts in certain cases.
# You should ensure that the autofs kernel module your using
# supports expiration of symlinks for best results (although this
# appears to work reasonably well most of the time without the
# update).
#
# autofs_use_lofs = yes
#
# Several configuration options can be set per mount point.
# In particular map_type, map_name, map_defaults, search_path,
# browsable_dirs, dismount_interval and selectors_in_defaults
# (not all of which are currently implemented, see above).
#
# Also, if a section for an amd mount point is defined here
# it isn't necessary to specify the format in the corresponding
# master map entry and the format will be inherited for type
# "auto" mounts.
#
# [ /example/mount ]
# dismount_interval = 60
# map_type = nis
</code>

<code>
vim /etc/autofs_ldap_auth.conf
cat /etc/autofs_ldap_auth.conf
</code>

===== start service =====

<code>
service sssd restart
service autofs restart
</code>
Make sure the DNS name is entered correctly, or maybe adjust /etc/idmap.conf so the domain names match.
<code>
vim /etc/idmap.conf
</code>
Workaround, in /etc/nfsmount.conf:
<code>
Defaultvers=3
</code>

===== Test =====

As a user, run:
<code>
matlab
patran
</code>
The working configuration on trireme is the /etc/sssd/sssd.conf shown under Configure sssd above (identical contents):
<code>
[root@trireme ~]# cat /etc/sssd/sssd.conf
[root@trireme ~]# cat /etc/autofs_ldap_auth.conf
</code>

===== Accept NFS Home Dirs =====

<code>
setsebool -P use_nfs_home_dirs 1
</code>

===== Accept yum keys =====

===== Add Text to Gnome Login Screen =====

  * https://help.gnome.org/admin/system-admin-guide/3.8/login-banner.html.en
  * https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Desktop_Migration_and_Administration_Guide/customizing-login-screen.html
  * https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Desktop_Migration_and_Administration_Guide/introducing-GNOME3-desktop.html

<code>
cat > 01-banner-message
[org/gnome/login-screen]
banner-message-enable=true
banner-message-text='This computer is operated in accordance with the Acceptable Use Policy of Virginia Tech. See the following URL for details: http://www.policies.vt.edu/acceptableuse.html'
</code>
Then run:
<code>
dconf update
</code>