SL 6 Installation
Boot to the Network install boot CD or to the PXE boot installer if available.
Network Boot CD
select
Install or upgrade an existing system
- Skip the media test
Installation Method
URL
Configure TCP/IP
default are fine
OK
(If this fails, turn OFF the computer and restart; a cold boot might help.)
URL Setup
ftp://192.168.2.10/linux/scientific/6.4/x86_64/os
It should immediately start downloading the installer image.
SL6
Next
language
English Next
keyboard
English Next
What type of devices will your installation involve?
Basic Storage Devices Next
Hostname
something.aoe.vt.edu
Timezone
America/New York Check: System clock uses UTC
Root Password
Domain root password
What type of installation would you like?
Use All Space Check: Review and modify partitioning layout
Partitioning
click on the volume group below LVM Volume Groups
vg_<hostname>
click edit
Delete /home
click add
Mount Point:
/var
File System Type:
ext4
Logical Volume Name:
lv_var
Size (depends)
51200
click add again
/tmp
File System Type:
ext4
Logical Volume Name:
lv_tmp
Size (depends)
51200
click add again
/l (as in local)
File System Type:
ext4
Logical Volume Name:
lv_local
Size (depends)
the rest
next, Write changes to disk
Boot Loader
Check
Use a boot loader password
set to the old crystals password
Software
Desktop
The defaults are fine. Servers might be better with minimal.
firstboot
Create User
Leave the user information blank as this will be set in Advanced…
=== Use Network Login… ===
== User Account Configuration ==
User Account Database:
NIS
NIS Domain:
aoe
NIS Server:
alexandria.aoe.vt.edu
== Authentication Configuration ==
Authentication Method:
Kerberos Password
Realm:
AOE.VT.EDU
KDCs:
neptune.aoe.vt.edu
Admin Servers:
neptune.aoe.vt.edu
Leave the “Use DNS” setting unchecked
Advanced
Click “Add User”
Add New User
Fill in the fields as appropriate
Change the Home Directory from /home/… to
/l/<user name as entered above>
To create a user after setup
<code>
useradd -u 501 -c "Steve" -d /l/steve -m -s /bin/bash steve
yum install -y policycoreutils-python
semanage fcontext -a -t home_root_t "/l"
semanage fcontext -a -e /home /l
restorecon -R -v /l
</code>
Date and Time
Check
Synchronize date and time over the network
NTP Servers (Delete the old entries)
ntp-1.vt.edu ntp-2.vt.edu ntp-3.vt.edu ntp-4.vt.edu
Uncheck KDump
Post install SL6 Machine Setup
Set BIOS password and disable all bootable devices except the hard disk. A password should be required to boot from CD or USB, etc.
Set up system email forwarding.
<code>
cat > /root/.forward
root@aoe.vt.edu
(Ctrl-d)
restorecon .forward
</code>
yum install yum-conf-sl6x
Then disable sl6.1 repos
vim /etc/yum.repos.d/sl.repo
edit enabled=1 to enabled=0
Note: This is supposed to be another way but it is not quite right:
yum --releasever=6x update
https://www.scientificlinux.org/documentation/howto/upgrade.6x
Point to mirror.aoe.vt.edu
edit sl6x.repo (only for machines in Randolph until mirror is available to other machines.)
vim /etc/yum.repos.d/sl6x.repo
comment out baseurl lines and add mirror.aoe.vt.edu
<code>
[sl6x]
name=Scientific Linux 6x - $basearch
baseurl=ftp://mirror.aoe.vt.edu/linux/scientific/6x/$basearch/os/
#baseurl=http://ftp.scientificlinux.org/linux/scientific/6x/$basearch/os/
#        http://ftp1.scientificlinux.org/linux/scientific/6x/$basearch/os/
#        http://ftp2.scientificlinux.org/linux/scientific/6x/$basearch/os/
#        ftp://ftp.scientificlinux.org/linux/scientific/6x/$basearch/os/
#mirrorlist=http://ftp.scientificlinux.org/linux/scientific/mirrorlist/sl-base-6x.txt
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-sl
       file:///etc/pki/rpm-gpg/RPM-GPG-KEY-dawson

[sl6x-security]
name=Scientific Linux 6x - $basearch - security updates
baseurl=ftp://mirror.aoe.vt.edu/linux/scientific/6x/$basearch/updates/security/
#baseurl=http://ftp.scientificlinux.org/linux/scientific/6x/$basearch/updates/security/
#        http://ftp1.scientificlinux.org/linux/scientific/6x/$basearch/updates/security/
#        http://ftp2.scientificlinux.org/linux/scientific/6x/$basearch/updates/security/
#        ftp://ftp.scientificlinux.org/linux/scientific/6x/$basearch/updates/security/
#mirrorlist=http://ftp.scientificlinux.org/linux/scientific/mirrorlist/sl-security-6x.txt
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-sl
       file:///etc/pki/rpm-gpg/RPM-GPG-KEY-dawson

[sl6x-fastbugs]
name=Scientific Linux 6x - $basearch - fastbug updates
baseurl=http://ftp.scientificlinux.org/linux/scientific/6x/$basearch/updates/fastbugs/
        http://ftp1.scientificlinux.org/linux/scientific/6x/$basearch/updates/fastbugs/
        http://ftp2.scientificlinux.org/linux/scientific/6x/$basearch/updates/fastbugs/
        ftp://ftp.scientificlinux.org/linux/scientific/6x/$basearch/updates/fastbugs/
#mirrorlist=http://ftp.scientificlinux.org/linux/scientific/mirrorlist/sl-fastbugs-6x.txt
enabled=0
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-sl
       file:///etc/pki/rpm-gpg/RPM-GPG-KEY-dawson
</code>
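Once baseurl points at the internal FTP mirror, gpgcheck=1 is the only thing that still ties the packages to the Scientific Linux signing keys, so it is worth checking that no enabled section lost it while the repo files were being edited. The script below is an added example, not part of this page or of Scientific Linux; the function names audit_repo_file and audit_repo_dir are this example's own, and the sample repo file written by make_sample_repo (with a made-up [lab-local] section) is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the page: report every enabled section of a yum
# .repo file that does not carry gpgcheck=1. Run it over /etc/yum.repos.d
# after switching baseurl to mirror.aoe.vt.edu and before the first update.

# audit_repo_file <file>
# Prints one line per enabled section lacking gpgcheck=1; returns 1 if any.
audit_repo_file() {
    awk '
        function flush() {
            if (section != "" && enabled == 1 && gpgcheck != 1) {
                printf "%s: section [%s] is enabled without gpgcheck=1\n", FILENAME, section
                bad++
            }
        }
        /^\[.*\]$/ { flush(); section = substr($0, 2, length($0) - 2); enabled = 0; gpgcheck = 0; next }
        /^#/ { next }                      # commented-out lines never count
        /^enabled *=/  { split($0, kv, "="); gsub(/ /, "", kv[2]); enabled  = kv[2] + 0 }
        /^gpgcheck *=/ { split($0, kv, "="); gsub(/ /, "", kv[2]); gpgcheck = kv[2] + 0 }
        END { flush(); exit (bad > 0) }
    ' "$1"
}

# audit_repo_dir <dir>: run the check over every .repo file in a directory
# (defaults to the yum location); returns 1 if any file reports a problem.
audit_repo_dir() {
    rc=0
    for f in "${1:-/etc/yum.repos.d}"/*.repo; do
        [ -f "$f" ] || continue
        audit_repo_file "$f" || rc=1
    done
    return $rc
}

# make_sample_repo <file>: constructed sample with one good, one bad and one
# disabled section. [lab-local] is invented for this example.
make_sample_repo() {
    cat > "$1" <<'EOF'
[sl6x]
name=Scientific Linux 6x - $basearch
baseurl=ftp://mirror.aoe.vt.edu/linux/scientific/6x/$basearch/os/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-sl

[lab-local]
name=constructed: an enabled repo with the signature check switched off
baseurl=ftp://mirror.aoe.vt.edu/linux/lab/
enabled=1
gpgcheck=0

[sl6x-fastbugs]
name=disabled, so not reported even though gpgcheck is missing
baseurl=http://ftp.scientificlinux.org/linux/scientific/6x/$basearch/updates/fastbugs/
enabled=0
EOF
}

# Stand-alone usage: "sh repo-audit.sh --demo" checks the constructed sample,
# "sh repo-audit.sh /etc/yum.repos.d" audits a real directory.
case "${1:-}" in
    --demo) f=$(mktemp); make_sample_repo "$f"; audit_repo_file "$f"; rm -f "$f" ;;
    '') ;;
    *) audit_repo_dir "$1" ;;
esac
```

The check deliberately ignores disabled sections and commented-out lines, so the stock sl6x.repo layout (where the upstream baseurl lines are commented out) passes as long as each enabled section keeps gpgcheck=1.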
Install local software
<code>
yum -y install yum-updateonboot
chkconfig yum-updateonboot on
yum update
crontab -e
</code>
add
<code>
@daily yum check-update > /dev/null || yum check-update
</code>
Install extra software
<code>
yum -y install yum-priorities
yum -y install elrepo-release epel-release
yum -y install rdesktop lynx vim-X11 gettext-devel denyhosts gnuplot subversion compat-gcc-34-g77 lyx numpy scipy lapack python-matplotlib ksh screen libXp qtwebkit logwatch libXp openmotif colordiff htop octave gsl
</code>
for roycfd lab machines
<code>
yum -y groupinstall "Development Tools"
yum -y install git gitk emacs
yum -y install openmpi-devel
yum -y install libXaw
</code>
for other ??
compat-libstdc++33 emacs
For Dakota, which asks for libXm.so.2 (provided by the motif package lesstif):
yum -y install lesstif
For compiling OpenFOAM:
<code>
yum install http://ftp.scientificlinux.org/linux/scientific/6x/external_products/devtoolset/yum-conf-devtoolset-1.0-1.el6.noarch.rpm
yum install devtoolset-1.1-runtime devtoolset-1.1-gcc.x86_64 devtoolset-1.1-gcc-c++.x86_64
scl enable devtoolset-1.1 bash
</code>
(CGAL also needed from dl-atrpms)
to compile 32 bit code on 64 bit installs:
yum install glibc-devel.i686 libgcc.i686 libstdc++-devel.i686
Patran
export LC_ALL=C
Add this line to /usr/share/Modules/init/.modulespath to use the common modulefiles (the file comes with openmpi):
<code>
cat >> /usr/share/Modules/init/.modulespath
/aoe/etc/modulefiles
</code>
yum --enablerepo epel-testing install scipy (scipy is now available in the main epel repo)
yum groupinstall "TeX support"
for Xiao
yum install scitool* ipython*
(Check the wildcard results.)
Also for Dr Xiao: EPD, the Enthought Python Distribution, and matplotlib.
Video for SL 6
<code>
yum install yum-priorities
yum install rpmforge-release
yum install compat-libstdc++-33 libdvdcss libdvdread libdvdplay libdvdnav lsdvd libquicktime
yum install flash-plugin mplayer mplayer-gui gstreamer-ffmpeg gstreamer-plugins-ugly
yum install ffmpeg ffmpeg-devel mplayer mencoder
</code>
kernel exclusions (optional if needed)
yum autoupdate exclusions are listed here:
/etc/sysconfig/yum-autoupdate
EXCLUDE="kernel* openafs* *-kmdl-* kmod-* *firmware*"
To disable kernel updates when using command line (this was required on typhon and apogee because it broke the graphics), edit /etc/yum.conf and add:
/etc/yum.conf
EXCLUDE=kernel
or specific versions
EXCLUDE=kernel-2.6.32-220*
or
EXCLUDE=kernel-2.6.32-220.2.1.el6.x86_64
To temporarily override the exclusion:
yum --disableexcludes=all update
or a specific kernel:
yum --disableexcludes=all update kernel-2.6.32-220.2.1.el6.x86_64
apogee and typhon also needed reboot=pci added to the kernel line in grub.conf
kernel /vmlinuz-2.6.32-131.0.15.el6.x86_64 ro root=/dev/mapper/vg_apogee-lv_root rd_LVM_LV=vg_apogee/lv_root rd_LVM_LV=vg_apogee/lv_swap rd_NO_LUKS rd_NO_MD rd_NO_DM LANG=en_US.UTF-8 SYSFONT=latarcyrheb-sun16 KEYBOARDTYPE=pc KEYTABLE=us rhgb reboot=pci
Disable "show user accounts"
edit the file
vim /etc/gconf/gconf.xml.defaults/%gconf-tree.xml
and change the boolean for
disable_user_list
from false to true
Disable Root Access via ssh
vim /etc/ssh/sshd_config
PermitRootLogin no
service sshd restart
ssh login speed and login persistence tweaks (optional)
In /etc/ssh/sshd_config set:
<code>
ClientAliveInterval 120
UseDNS no
</code>
then restart sshd:
<code>
service sshd restart
</code>
In /etc/ssh/ssh_config set:
<code>
ServerAliveInterval 120
</code>
In /etc/resolv.conf add:
<code>
options single-request-reopen
</code>
iptables
Copy and paste the file below into /etc/sysconfig/iptables using the following command:
cat > /etc/sysconfig/iptables
<code>
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
#-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
#-A INPUT -m state --state NEW -m tcp -p tcp -s 198.82.0.0/16 -m tcp --sport 1024:65535 --dport 22 -j ACCEPT
#-A INPUT -m state --state NEW -m tcp -p tcp -s 128.173.0.0/16 -m tcp --sport 1024:65535 --dport 22 -j ACCEPT
# Block brute force attacks - interface specific
# Drop repeated ssh connection attempts within 20 seconds interval
#-A INPUT -p tcp -m tcp -m state -m recent -i eth0 -s 198.82.0.0/16 --dport 22 --state NEW -j DROP --rcheck --seconds 20 --name THROTTLE --rsource
#-A INPUT -p tcp -m tcp -m state -m recent -i eth0 -s 128.173.0.0/16 --dport 22 --state NEW -j DROP --rcheck --seconds 20 --name THROTTLE --rsource
# Accept ssh connection if not attempted within past 20 sec.
#-A INPUT -p tcp -m tcp -m state -m recent -i eth0 -s 198.82.0.0/16 --dport 22 --state NEW -j ACCEPT --set --name THROTTLE --rsource
#-A INPUT -p tcp -m tcp -m state -m recent -i eth0 -s 128.173.0.0/16 --dport 22 --state NEW -j ACCEPT --set --name THROTTLE --rsource
# Block brute force attacks - all interfaces
# Drop repeated ssh connection attempts within 20 seconds interval
-A INPUT -p tcp -m tcp -m state -m recent -s 198.82.0.0/16 --dport 22 --state NEW -j DROP --rcheck --seconds 20 --name THROTTLE --rsource
-A INPUT -p tcp -m tcp -m state -m recent -s 128.173.0.0/16 --dport 22 --state NEW -j DROP --rcheck --seconds 20 --name THROTTLE --rsource
# Accept ssh connection if not attempted within past 20 sec.
-A INPUT -p tcp -m tcp -m state -m recent -s 198.82.0.0/16 --dport 22 --state NEW -j ACCEPT --set --name THROTTLE --rsource
-A INPUT -p tcp -m tcp -m state -m recent -s 128.173.0.0/16 --dport 22 --state NEW -j ACCEPT --set --name THROTTLE --rsource
# torricelli.cs.wright.edu
#-A INPUT -s 130.108.14.110 -j ACCEPT
# VT subnet
# reject on campus udp 67,68,137,138 without logging
-A INPUT -m udp -p udp -s 198.82.0.0/16 -m multiport --dports 67,68,137,138 -j REJECT --reject-with icmp-host-prohibited
-A INPUT -m udp -p udp -s 128.173.0.0/16 -m multiport --dports 67,68,137,138 -j REJECT --reject-with icmp-host-prohibited
#ignore DHCP requests
-A INPUT -s 0.0.0.0 -m udp -p udp --dport 67 --sport 68 -j DROP
# reject on campus, logging the rest
#-A INPUT -m tcp -p tcp -s 198.82.0.0/16 -j LOG --log-level info --log-prefix "FIREWALL-TCP-REJECTED "
-A INPUT -m tcp -p tcp -s 198.82.0.0/16 -j REJECT --reject-with icmp-host-prohibited
#-A INPUT -m tcp -p tcp -s 128.173.0.0/16 -j LOG --log-level info --log-prefix "FIREWALL-TCP-REJECTED "
-A INPUT -m tcp -p tcp -s 128.173.0.0/16 -j REJECT --reject-with icmp-host-prohibited
#-A INPUT -m udp -p udp -s 198.82.0.0/16 -j LOG --log-level info --log-prefix "FIREWALL-UDP-REJECTED "
-A INPUT -m udp -p udp -s 198.82.0.0/16 -j REJECT --reject-with icmp-host-prohibited
#-A INPUT -m udp -p udp -s 128.173.0.0/16 -j LOG --log-level info --log-prefix "FIREWALL-UDP-REJECTED "
-A INPUT -m udp -p udp -s 128.173.0.0/16 -j REJECT --reject-with icmp-host-prohibited
# drop off campus requests
#-A INPUT -j LOG --log-level info --log-prefix "FIREWALL-DROPPED "
-A INPUT -j DROP
#-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
</code>
service iptables restart
ip6tables
Copy and paste the file below into /etc/sysconfig/ip6tables using the following command:
cat > /etc/sysconfig/ip6tables
<code>
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state INVALID -j LOG --log-prefix "FIREWALL-IPV6-INVALID "
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
# allow IPsec
#
# IKE negotiations
-A INPUT -p udp --sport 500 --dport 500 -j ACCEPT
-A OUTPUT -p udp --sport 500 --dport 500 -j ACCEPT
# ESP encryption and authentication
-A INPUT -p 50 -j ACCEPT
-A OUTPUT -p 50 -j ACCEPT
#-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j LOG --log-prefix "FIREWALL-SSH-ACCEPT "
#-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
# VT subnet
-A INPUT -m state --state NEW -m tcp -p tcp -s 2001:468:c80::/48 --dport 22 -j LOG --log-prefix "FIREWALL-IPV6-SSH-ACCEPT "
-A INPUT -m state --state NEW -m tcp -p tcp -s 2001:468:c80::/48 --dport 22 -j ACCEPT
# Allow domain controllers
-A INPUT -m tcp -p tcp -s 2001:0468:0c80:610c:6496:9744:111b:76b6 -j LOG --log-prefix "FIREWALL-IPV6-NEPTUNE-ACCEPT "
-A INPUT -m tcp -p tcp -s 2001:0468:0c80:610c:6496:9744:111b:76b6 -j ACCEPT
-A INPUT -m tcp -p tcp -s 2001:468:c80:610c:b92c:3f7b:e1c7:76f3 -j LOG --log-prefix "FIREWALL-IPV6-PLUTO-ACCEPT "
-A INPUT -m tcp -p tcp -s 2001:468:c80:610c:b92c:3f7b:e1c7:76f3 -j ACCEPT
-A INPUT -m tcp -p tcp -s 2001:468:c80:610c:b94f:dde9:482d:f606 -j LOG --log-prefix "FIREWALL-IPV6-TATOOINE-ACCEPT "
-A INPUT -m tcp -p tcp -s 2001:468:c80:610c:b94f:dde9:482d:f606 -j ACCEPT
# Block brute force attacks
# Drop repeated ssh connection attempts within 20 seconds interval
-A INPUT -p tcp -m tcp -m state -m recent -s 2001:468:c80::/48 --dport 22 --state NEW -j DROP --rcheck --seconds 20 --name THROTTLE --rsource
# Accept ssh connection if not attempted within past 20 sec.
-A INPUT -p tcp -m tcp -m state -m recent -s 2001:468:c80::/48 --dport 22 --state NEW -j ACCEPT --set --name THROTTLE --rsource
-A INPUT -j LOG --log-level info --log-prefix "FIREWALL-IPV6-DROPPED "
#-A INPUT -j DROP
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
# specific to this machine:
#
COMMIT
</code>
service ip6tables restart
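The ip6tables LOG rules above tag rejected and accepted packets with FIREWALL-IPV6-* prefixes, and those lines land in /var/log/messages (and on artemis once forwarding is set up). The script below is an added example, not part of this page, that summarizes such lines by prefix, source and destination port and lists sources that are being rejected repeatedly. The function names are this example's own; the sample log entries written by make_sample_log are constructed (2001:db8::/32 is the IPv6 documentation prefix, and the 2001:468:c80:1:: hosts are made up inside the VT prefix the rules use) and do not come from a real machine.

```shell
#!/bin/sh
# Added example, not from the page: summarize kernel log lines that carry the
# FIREWALL-IPV6-* prefixes set by the ip6tables LOG rules, from an rsyslog
# file in the usual "<date> <host> kernel: <prefix> IN=... SRC=... DPT=..." form.

# summarize_firewall_log <logfile>
# Prints "<count> <prefix> <src> <dpt>" lines, most frequent first.
summarize_firewall_log() {
    awk '
        /kernel:.*FIREWALL-/ {
            prefix = ""; src = "-"; dpt = "-"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^FIREWALL-/) { prefix = $i }
                else if ($i ~ /^SRC=/) { src = substr($i, 5) }
                else if ($i ~ /^DPT=/) { dpt = substr($i, 5) }
            }
            if (prefix != "") count[prefix " " src " " dpt]++
        }
        END { for (k in count) print count[k], k }
    ' "$1" | sort -rn
}

# noisy_dropped_sources <logfile> <threshold>
# Prints each source address with more than <threshold> FIREWALL-IPV6-DROPPED
# entries. These are the addresses worth a closer look or a ticket to the
# campus network group, not an automatic block list.
noisy_dropped_sources() {
    awk -v min="$2" '
        /kernel:.*FIREWALL-IPV6-DROPPED / {
            for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) n[substr($i, 5)]++
        }
        END { for (s in n) if (n[s] > min) print s }
    ' "$1" | sort
}

# make_sample_log <file>: constructed /var/log/messages entries for the demo.
make_sample_log() {
    cat > "$1" <<'EOF'
Mar  3 10:15:01 apogee kernel: FIREWALL-IPV6-SSH-ACCEPT IN=em1 OUT= SRC=2001:468:c80:1::10 DST=2001:468:c80:1::5 LEN=80 PROTO=TCP SPT=51000 DPT=22 SYN
Mar  3 10:15:07 apogee kernel: FIREWALL-IPV6-DROPPED IN=em1 OUT= SRC=2001:db8::1 DST=2001:468:c80:1::5 LEN=80 PROTO=TCP SPT=40001 DPT=23 SYN
Mar  3 10:15:08 apogee kernel: FIREWALL-IPV6-DROPPED IN=em1 OUT= SRC=2001:db8::1 DST=2001:468:c80:1::5 LEN=80 PROTO=TCP SPT=40002 DPT=23 SYN
Mar  3 10:15:09 apogee kernel: FIREWALL-IPV6-DROPPED IN=em1 OUT= SRC=2001:db8::1 DST=2001:468:c80:1::5 LEN=80 PROTO=TCP SPT=40003 DPT=23 SYN
Mar  3 10:15:20 apogee kernel: FIREWALL-IPV6-DROPPED IN=em1 OUT= SRC=2001:db8::2 DST=2001:468:c80:1::5 LEN=80 PROTO=TCP SPT=40010 DPT=445 SYN
Mar  3 10:16:00 apogee kernel: FIREWALL-IPV6-SSH-ACCEPT IN=em1 OUT= SRC=2001:468:c80:1::10 DST=2001:468:c80:1::5 LEN=80 PROTO=TCP SPT=51001 DPT=22 SYN
Mar  3 10:16:30 apogee sshd[2231]: Accepted publickey for steve from 2001:468:c80:1::10 port 51001 ssh2
EOF
}

# Stand-alone usage on a real host:
#   summarize_firewall_log /var/log/messages | head -20
# "sh fwlog.sh --demo" runs both functions over the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    f=$(mktemp)
    make_sample_log "$f"
    summarize_firewall_log "$f"
    echo "sources rejected more than twice:"
    noisy_dropped_sources "$f" 2
    rm -f "$f"
fi
```

Only lines that contain both "kernel:" and a FIREWALL- token are counted, so sshd and other daemon messages in the same file are ignored; the prefix filter in noisy_dropped_sources keeps the accepted-SSH entries out of the rejection count.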
network
Stop NetworkManager
<code>
service NetworkManager stop
chkconfig NetworkManager off
</code>
Stop avahi-daemon
<code>
service avahi-daemon stop
chkconfig avahi-daemon off
</code>
Stop other services that are not needed: list what starts at boot, then stop and disable each one (bluetooth shown as an example)
<code>
chkconfig --list | grep :on
service bluetooth stop
chkconfig bluetooth off
</code>
Check the /etc/sysconfig/network file
cat /etc/sysconfig/network
<code>
HOSTNAME=apogee.aoe.vt.edu
NETWORKING=yes
</code>
Modify the network adapter. The adapter name will vary. em1 is just an example.
vim /etc/sysconfig/network-scripts/ifcfg-em1
<code>
DEVICE="em1"
HWADDR="??:??:??:??:??:??"
IPV6INIT="yes"
IPV6_AUTOCONF="yes"
ONBOOT="yes"
TYPE="Ethernet"
NM_CONTROLLED="no"
BOOTPROTO=static
#Randolph
IPADDR=128.173.188.28
BROADCAST=128.173.191.255
NETMASK=255.255.252.0
NETWORK=128.173.188.0
GATEWAY=128.173.188.1
#Hancock
#IPADDR=128.173.167.15
#BROADCAST=128.173.167.255
#NETMASK=255.255.252.0
#NETWORK=128.173.164.0
#GATEWAY=128.173.164.1
#Femoyer
#IPADDR=128.173.105.33
#BROADCAST=128.173.105.255
#NETMASK=255.255.255.0
#NETWORK=128.173.105.0
#GATEWAY=128.173.105.1
DNS1=128.173.188.25
DNS2=128.173.188.26
DOMAIN=aoe.vt.edu
</code>
The following step to edit resolv.conf may not be required with the DNS settings above:
edit /etc/resolv.conf
vim /etc/resolv.conf
<code>
search aoe.vt.edu
nameserver 128.173.188.25
nameserver 128.173.188.26
</code>
Connect to the open network and bounce the interface (use the adapter name from above; eth0 is shown here):
<code>
ifdown eth0
ifup eth0
</code>
===== NIS Domain, etc (Do Not Use NIS)=====
If not joined to the domain during setup, join the AOE NIS domain
authconfig-tui
Authentication Configuration
=== User Information ===
Select
Use NIS
=== Authentication ===
Select
Use MD5 Passwords
Use Shadow Passwords
Use Kerberos
Local authorization is sufficient (verify the meaning of this setting)
Next
<del>NIS or</del> LDAP Settings
=== NIS ===
Domain:
aoe
Server:
alexandria.aoe.vt.edu
LDAP
system-config-authentication
User Account Database
ldap
Download CA Certificate:
https://www.dept.aoe.vt.edu/~stedwar1/aoe-neptune.crt
Kerberos Settings
Realm:
AOE.VT.EDU
KDC:
neptune.aoe.vt.edu
Admin Server:
neptune.aoe.vt.edu
Leave the “Use DNS” checkboxes cleared
Name Service Switch
in /etc/nsswitch.conf
vim /etc/nsswitch.conf
remove nis in hosts:
<code>
#hosts: db files nisplus nis dns
hosts: files nis dns
</code>
should be:
<code>
#hosts: db files nisplus nis dns
hosts: files dns
</code>
Add sudoers
visudo
After:
<code>
## Allow root to run any commands anywhere
root ALL=(ALL) ALL
</code>
(Some items optional for audit data collection)
Add:
%bigwheel ALL=(ALL) ALL
On local user only machines:
steve ALL=(ALL) ALL
Also add in appropriate sections:
aoebackup ALL= NOPASSWD:/usr/bin/rsync
stedwar1 ALL= NOPASSWD:/bin/netstat,/sbin/iptables,/sbin/iptables-save,/sbin/ip6tables,/sbin/ip6tables-save
steve ALL= NOPASSWD:/bin/netstat,/sbin/iptables,/sbin/iptables-save,/sbin/ip6tables,/sbin/ip6tables-save
and
Defaults:aoebackup,steve !requiretty
or
Defaults:aoebackup,stedwar1 !requiretty
AOE Domain Software
first, add access to alexandria
modify as required: Add host to hosts file
vim /etc/hosts
To modify running iptables:
iptables -L --line-numbers
Pick a place to insert the rule and add the new rule
iptables -I INPUT 56 -s apogee.aoe.vt.edu -j ACCEPT
Add the entry to the startup file for iptables
vim /etc/sysconfig/iptables
The script /home/sysadmin/bin/exports/exports.sh generates the exports text on stdout. Review it, then redirect its output into /etc/exports and re-export:
<code>
vim /home/sysadmin/bin/exports/exports.sh
/home/sysadmin/bin/exports/exports.sh > /etc/exports
exportfs -ra
</code>
Old vim replace command that can be used on the /etc/exports file for temporary changes:
:%s/aphrodite.aoe.vt.edu(rw,sync,root_squash) \\\n/altus.aoe.vt.edu(rw,sync,root_squash) \\\r aphrodite.aoe.vt.edu(rw,sync,root_squash) \\\r/
then add the mounts in the new Linux machine
Go back to the new Linux box. Be very careful here! Add the line to /etc/fstab:
cat >> /etc/fstab
alexandria:/export/apps/aoe-linux-x86_64 /aoe nfs tcp 0 0
Then run these commands:
<code>
mkdir /aoe
mount /aoe
cd /etc/profile.d
ln -s /aoe/etc/aoe_profile.sh
ln -s /aoe/etc/aoe_profile.csh
</code>
Local Directories
<code>
mkdir /l
chown root:root /l
chmod 777 /l
</code>
Note that mode 777 without the sticky bit lets any local user rename or remove another user's directory under /l; mode 1777 (sticky, as on /tmp) keeps the directory world-writable while restricting deletion to the owner.
boot screen
plymouth-set-default-theme details --rebuild-initrd
Logging
yum install openswan
Place neptune's CA certificate in openssl's CA list. Use the pem from the authconfig download step.
<code>
cp /etc/openldap/cacerts/authconfig_downloaded.pem /etc/pki/tls/certs/aoe-ca.pem
ln -s /etc/pki/tls/certs/aoe-ca.pem /etc/pki/tls/certs/`openssl x509 -hash -noout -in /etc/pki/tls/certs/aoe-ca.pem`.0
</code>
yum install rsyslog-gnutls
<code>
cd /etc/pki/rsyslog
openssl genrsa -out key.pem 2048
chmod 400 key.pem
openssl req -new -key key.pem -out request-$(hostname -s).req -config /aoe/etc/openssl.cnf -nodes
openssl req -text -in request-$(hostname -s).req -noout -verify
</code>
copy the csr to neptune
<code>
chmod 600 request*
scp request* stedwar1@alexandria.aoe.vt.edu:~/sandbox/openssl/rsyslog
</code>
perform these steps on neptune
<code>
PS> certreq.exe -submit -attrib "CertificateTemplate:WebServerLoghostIPSec" ./request-traininglt.req training.cer
</code>
If manual approval is required, then find the issued certificate in the CA and open it.
Select the Details tab and click “copy to file”.
Select Base-64 encoded, and click “next”.
Click browse and navigate to the desired folder on the Z: drive to place the certificate.
Name it cert-<client name>
Copy the certificate back to the client and rename it. From the Linux client (check the file extension, as the export may append .cer):
<code>
scp stedwar1@alexandria.aoe.vt.edu:~/sandbox/openssl/rsyslog/cert-$( hostname -s ).cer cert.pem
</code>
Fix selinux on certificate files
restorecon -RvF /etc/pki
cat >> /etc/rsyslog.d/tls.conf
<code>
# extra config file for rsyslog to be placed in /etc/rsyslog.d to enable
# tls for rsyslog.
# make gtls driver the default
$DefaultNetstreamDriver gtls
# certificate files
$DefaultNetstreamDriverCAFile /etc/pki/tls/certs/aoe-ca.pem
$DefaultNetstreamDriverCertFile /etc/pki/rsyslog/cert.pem
$DefaultNetstreamDriverKeyFile /etc/pki/rsyslog/key.pem
$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverPermittedPeer artemis.aoe.vt.edu
$ActionSendStreamDriverMode 1 # run driver in TLS-only mode
#*.* @@central.example.net:10514 # forward everything to remote server
</code>
After the following lines in /etc/rsyslog.conf:
<code>
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
</code>
<code>
vim /etc/rsyslog.conf
</code>
add the whole line (the @@ and the port are part of it, not just the host name):
<code>
#*.info;authpriv.none @loghost
*.info;authpriv.none @@artemis.aoe.vt.edu:6514
</code>
From artemis, watch the log:
[root@artemis ~]# watch 'tail -1000 /var/log/messages|grep -v FIREWALL|grep -v last|tail -30'
on the client:
<code>
service rsyslog restart
logger test
</code>
ldap/kerberos
Append the following to /etc/openldap/ldap.conf
cat >> /etc/openldap/ldap.conf
<code>
sasl_secprops maxssf=0
TLS_REQCERT never
URI ldaps://neptune.aoe.vt.edu
</code>
Modify to add ca to certs:
vim /etc/openldap/ldap.conf
TLS_CACERTDIR /etc/openldap/cacerts
Enter computer name in DNS and make sure reverse lookups get updated.
==== Method 1 ====
Only good for a single spn
Create a computer account in the UnixOU/Unix-computers OU, then set the service principal
setspn -A host/centos-test.aoe.vt.edu@AOE.VT.EDU centos-test
setspn -L centos-test
ktpass /princ host/centos-test.aoe.vt.edu@AOE.VT.EDU /out centos-test.keytab /crypto all /ptype KRB5_NT_PRINCIPAL -desonly /mapuser AOE\centos-test$ +rndPass
Securely copy the key to /etc/krb5.keytab with root:root 600 permissions.
chmod 600 /etc/krb5.keytab
chown root:root /etc/krb5.keytab
restorecon /etc/krb5.keytab
klist
Method 2
Creates multiple SPNs per computer account.
<code>
yum install msktutil
kinit stedwar1
export host=$(hostname -s)
msktutil -u --server neptune --user-creds-only -s host/$host.aoe.vt.edu -s host/$host --upn host/$host.aoe.vt.edu
</code>
Move the computer into the Unix OU from Active Directory
Comment out this line in /etc/openldap/ldap.conf:
vim /etc/openldap/ldap.conf
#TLS_REQCERT never
Verify new keytab file
kinit -k -t /etc/krb5.keytab $host$
This requires that the UPN be specified when requesting the computer account with msktutil:
kinit -k -t /etc/krb5.keytab host/$host.aoe.vt.edu@AOE.VT.EDU
<code>
yum install openldap-clients
kinit stedwar1   # if not already done
ldapsearch -H ldaps://neptune.aoe.vt.edu -Y GSSAPI -N -b dc=aoe,dc=vt,dc=edu "(&(objectClass=user)(sAMAccountName=stedwar1))"
</code>
Configure sssd
cp -a /etc/sssd/sssd.conf /etc/sssd/sssd.conf.back
vim /etc/sssd/sssd.conf
For SL5, use these contents, but change the name for ldap_sasl_authid.
ldap/kerberos version - for SL5 or SL6 (not preferred)
<code>
[domain/default]
#debug_level = 9
cache_credentials = false
enumerate = false
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
access_provider = ldap
ldap_uri = ldaps://neptune.aoe.vt.edu
#ldap_search_base = dc=aoe,dc=vt,dc=edu
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/changeme.aoe.vt.edu@AOE.VT.EDU
ldap_schema = rfc2307bis
ldap_user_object_class = user
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
ldap_user_name = sAMAccountName
ldap_group_object_class = group
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true
ldap_disable_referrals = true
krb5_realm = AOE.VT.EDU
krb5_canonicalize = false
ldap_force_upper_case_realm = true
ldap_tls_reqcert = never
#ldap_tls_cacert = /etc/openldap/cacerts/authconfig_downloaded.pem
ldap_id_use_start_tls = False
krb5_server = neptune.aoe.vt.edu
krb5_kpasswd = neptune.aoe.vt.edu
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_krb5_keytab = /etc/krb5.keytab
ldap_referrals = false
#Try setting ldap_group_nesting_level=1

[sssd]
services = nss, pam
config_file_version = 2
domains = default

[nss]

[pam]

[sudo]

[autofs]

[ssh]
</code>
Active Directory version - for SL6 only (preferred)
For SL6, use these contents
cat > /etc/sssd/sssd.conf
<code>
[domain/default]
#debug_level = 9
cache_credentials = false
enumerate = false
ldap_id_mapping = False
id_provider = ad
auth_provider = ad
chpass_provider = ad
access_provider = ad
ad_domain = aoe.vt.edu
ad_server = neptune,pluto
ldap_schema = ad
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true
ldap_disable_referrals = true
ldap_tls_reqcert = never
#ldap_tls_cacert = /etc/openldap/cacerts/authconfig_downloaded.pem
#ldap_id_use_start_tls = False
ldap_id_use_start_tls = True
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_referrals = false
#Try setting ldap_group_nesting_level=1

[sssd]
services = nss, pam
config_file_version = 2
domains = default

[nss]

[pam]

[sudo]

[autofs]

[ssh]
</code>
Automount
vim /etc/sysconfig/autofs
<code>
#
# MOUNT_NFS_DEFAULT_PROTOCOL - specify the default protocol used by
#                              mount.nfs(8). Since we can't identify
#                              the default automatically we need to
#                              set it in our configuration.
#
MOUNT_NFS_DEFAULT_PROTOCOL=3
#MOUNT_NFS_DEFAULT_PROTOCOL=4
...
LDAP_URI="ldaps://neptune.aoe.vt.edu"
SEARCH_BASE="CN=ypServ30,CN=RpcServices,CN=System,dc=aoe,dc=vt,dc=edu"
...
# If no schema is set autofs will check each of the schemas
# below in the order given to try and locate an appropriate
# basdn for lookups. If you want to minimize the number of
# queries to the server set the values here.
#
MAP_OBJECT_CLASS="nisMap"
MAP_ATTRIBUTE="nisMapName"
ENTRY_OBJECT_CLASS="nisObject"
ENTRY_ATTRIBUTE="cn"
VALUE_ATTRIBUTE="nisMapEntry"
...
# AUTH_CONF_FILE - set the default location for the SASL
#                  authentication configuration file.
#
AUTH_CONF_FILE="/etc/autofs_ldap_auth.conf"
</code>
vim /etc/autofs_ldap_auth.conf
<autofs_ldap_sasl_conf
usetls="no"
tlsrequired="no"
authrequired="yes"
authtype="GSSAPI"
clientprinc = "host/changeme.aoe.vt.edu@AOE.VT.EDU"
/>
Note:
TLS/SSL automount can be achieved with either the above method using
ldaps://neptune.aoe.vt.edu
or setting
usetls="yes" tlsrequired="yes"
in /etc/autofs_ldap_auth.conf and using
ldap://neptune.aoe.vt.edu
(without the “ldaps” since start TLS uses the standard 389 port to start the ssl session.)
start service
<code>
service sssd restart
service autofs restart
</code>
Make sure the DNS name is entered correctly, or adjust /etc/idmapd.conf so the domain names match.
vim /etc/idmapd.conf
Workaround:
vim /etc/nfsmount.conf
Defaultvers=3
Test
as a user, run:
matlab
patran
Troubleshooting
nfs permissions nobody:nobody
Symptom: Key login was not working.
Check permissions on nfs mounted directory
Investigation showed permissions on mounted nfs volumes as nobody:nobody.
Verify that the /etc/hosts file on alexandria is correct. It had an incorrect short name that messed it up on pegasus.
restart rpcidmapd on both machines
service rpcidmapd restart
Possible selinux interference?
Possible /etc/idmapd.conf needed
DOMAIN=aoe.vt.edu
/etc/hosts needs ip address and hostname entry on nfs client for alexandria and the client.
Possible /etc/resolv.conf problem
Error processing keytab file [/etc/krb5.keytab]: Principal [host/columbia.aoe.vt.edu@AOE.VT.EDU] was not found. Unable to create GSSAPI-encrypted LDAP connection.
Answer?: Check case and name with
klist -k -t /etc/krb5.keytab
I changed host to HOST in sssd config and autofs config.
convert from nis to LDAP/SSSD
vim /etc/openldap/ldap.conf
<code>
TLS_REQCERT never
sasl_secprops maxssf=0
</code>
Then start at method 2
Then
system-config-authentication
User Account Database
ldap
Download CA Certificate:
https://www.dept.aoe.vt.edu/~stedwar1/aoe-neptune.crt
Kickstart file for superstations
[root@riccioli ks]# cat ks-superstation.cfg
#platform=x86, AMD64, or Intel EM64T
#version=DEVEL
# Firewall configuration
firewall --enabled --ssh
# Install OS instead of upgrade
install
# Use network installation
url --url="ftp://192.168.2.10/linux/scientific/6.5/x86_64/os"
# Root password
rootpw --iscrypted $6$xi4xSBxAYmyH6gpb$GPGKSG4GDe2Z6WeqdVQB208pntHS8nYlpoK9OIywpkB.FKZ4uHaAvh27ikxGZY89BZTiRzpQ1.2yGmMk/KOKB0
# System authorization information
auth --useshadow --passalgo=sha512 --enableldap --enableldaptls --enablesssd --ldapserver=neptune.aoe.vt.edu --ldapbasedn=dc=aoe,dc=vt,dc=edu --ldaploadcacert=https://www.dept.aoe.vt.edu/~stedwar1/aoe-neptune.crt --enablekrb5 --krb5realm=AOE.VT.EDU --krb5kdc=neptune.aoe.vt.edu --krb5adminserver=neptune.aoe.vt.edu
# Use text mode install
#text
cmdline
# Run the Setup Agent on first boot
#firstboot --enable
# Use interactive kickstart installation method
#interactive
# System keyboard
keyboard us
# System language
lang en_US.UTF-8
# SELinux configuration
selinux --enforcing
# Installation logging level
logging --level=debug
# System timezone
timezone --isUtc America/New_York
# Network information
%include /tmp/network.ks
# System bootloader configuration
bootloader --location=mbr --driveorder=sda --append="crashkernel=auto rhgb quiet" --iscrypted --password=$6$lJ8K61J9Ad4gldMi$17LLCDpPN1CJ9b1ytswZajjkmxpR9pQLMEuZEVVSfIRNeN3dr2F/yJr7QvWRs2avuODr8KRLDlLJLIyv3m2nd/
# Clear the Master Boot Record
zerombr
# Partition clearing information
clearpart --all --initlabel --drives=sda
# Disk partitioning information
part /boot --asprimary --fstype="ext4" --size=1000
part pv.008002 --grow --size=1
volgroup vg_superstation --pesize=4096 pv.008002
logvol /tmp --fstype=ext4 --name=LogVolTmp --vgname=vg_superstation --size=51200
logvol /var --fstype=ext4 --name=LogVolVar --vgname=vg_superstation --size=51200
logvol / --fstype=ext4 --name=lv_root --vgname=vg_superstation --size=51200
logvol swap --name=lv_swap --vgname=vg_superstation --size=8192
#logvol /l --fstype=ext4 --name=LogVolLocal --vgname=vg_superstation --size=100
logvol /l --fstype=ext4 --name=LogVolLocal --vgname=vg_superstation --grow --size=1
repo --name="Scientific Linux" --baseurl=ftp://192.168.2.10/linux/scientific/6.5/x86_64/os --cost=100
# XWindows configuration information
xconfig --startxonboot
reboot
%packages
@base
@client-mgmt-tools
@core
@debugging
@basic-desktop
@desktop-debugging
@desktop-platform
@directory-client
@fonts
@general-desktop
@graphical-admin-tools
@input-methods
@internet-applications
@internet-browser
@java-platform
@legacy-x
@misc-sl
@network-file-system-client
@office-suite
@print-client
@remote-desktop-clients
@scalable-file-systems
@server-platform
@x11
mtools
oddjob
wodim
sgpio
genisoimage
device-mapper-persistent-data
pax
#samba-winbind
certmonger
pam_krb5
krb5-workstation
libXmu
SL_desktop_tweaks
pam_ldap
yum-priorities
yum-updateonboot
elrepo-release
epel-release
rdesktop
lynx
vim-X11
gettext-devel
gnuplot
subversion
compat-gcc-34-g77
numpy
scipy
lapack
python-matplotlib
ksh
screen
libXp
logwatch
libXp
openmotif
gsl
@ Development Tools
git
gitk
openmpi-devel
libXaw
compat-libstdc++-33
@ TeX support
policycoreutils-python
openswan
rsyslog-gnutls
openldap-clients
#devtoolset-1.1-runtime
#devtoolset-1.1-gcc.x86_64
#devtoolset-1.1-gcc-c++.x86_64
%end
%pre
#!/bin/sh
for x in `cat /proc/cmdline`; do
case $x in SERVERNAME*)
eval $x
echo "network --onboot yes --device eth0 --bootproto dhcp --ipv6 auto --hostname ${SERVERNAME}.aoe.vt.edu" > /tmp/network.ks
echo "${SERVERNAME}" > /tmp/servername.ks
;;
AOEIP4*)
eval $x
echo "${AOEIP4}" > /tmp/ip4.ks
;;
esac;
done
%end
%post --nochroot
cp /tmp/*.ks /mnt/sysimage/tmp # /mnt/sysimage/tmp is /tmp in chrooted env
%post
#!/bin/bash
## redirect the output to the log file. Interaction is confusing since input has to happen on tty1....
## This would be best if no interaction is needed with the post installation or for debugging ks.
#exec >/root/ks-post-anaconda.log 2>&1
## show the output on the 7th console
#tail -f /root/ks-post-anaconda.log >/dev/tty7 &
## changing to VT 7 that we can see what's going on....
#/usr/bin/chvt 7
#this allows interaction with the postinstall portion on the current tty
curTTY=`tty`
exec < $curTTY > $curTTY 2> $curTTY
clear
read aoeip4 < /tmp/ip4.ks #read the var
echo $aoeip4 # print its value, should be SOMEVAL
#rm -rf /tmp/ip4.ks # cleanup
read servername < /tmp/servername.ks #read the var
echo $servername # print its value, should be SOMEVAL
#rm -rf /tmp/servername.ks # cleanup
# set log forwarding to root@aoe
echo 'root@aoe.vt.edu' >> /root/.forward
restorecon /root/.forward
# grab the setup files and replace the contents of the existing files
wget ftp://192.168.2.10/linux/scientific/ks/postinstallsetup.tgz
if [ $? -eq 0 ]; then
tar xzf postinstallsetup.tgz
# replace the contents of these files
[ -f /etc/yum.repos.d/sl.repo ] && cat postinstallsetup/sl.repo > /etc/yum.repos.d/sl.repo || echo "sl.repo does not exist yet."
cat postinstallsetup/sl.repo > /etc/yum.repos.d/sl.repo
[ -f /etc/yum.repos.d/sl6x.repo ] && cat postinstallsetup/sl6x.repo > /etc/yum.repos.d/sl6x.repo || echo "sl6x.repo does not exist yet."
cat postinstallsetup/sl6x.repo > /etc/yum.repos.d/sl6x.repo
else
echo "Could not get tar file"
fi
# setup update on boot
chkconfig yum-updateonboot on
yum -y update
# install packages from epel and elrepo
yum -y install lyx denyhosts qtwebkit colordiff htop octave emacs msktutil
#set up yum check-update in cron job - even though it is not a great implementation
crontab -l | { cat ; echo '@daily yum check-update > /dev/null || yum check-update'; } | crontab -
#append aoe modulefiles
echo '/aoe/etc/modulefiles' >> /usr/share/Modules/init/.modulespath
# turn off unused services
service bluetooth stop
chkconfig bluetooth off
chkconfig NetworkManager off
chkconfig avahi-daemon off
chkconfig kdump off
chkconfig ntpd on
# set up new user
useradd -u 501 -c "Steve" -d /l/steve -m -s /bin/bash steve
semanage fcontext -a -t home_root_t "/l"
semanage fcontext -a -e /home /l
restorecon -R -v /l
# grab the setup files and replace the contents of the existing files
if [ -d postinstallsetup ]; then
# replace the contents of these files
[ -f /etc/yum.repos.d/sl.repo ] && cat postinstallsetup/sl.repo > /etc/yum.repos.d/sl.repo || echo "sl.repo does not exist yet."
cat postinstallsetup/sl.repo > /etc/yum.repos.d/sl.repo
[ -f /etc/yum.repos.d/sl6x.repo ] && cat postinstallsetup/sl6x.repo > /etc/yum.repos.d/sl6x.repo || echo "sl6x.repo does not exist yet."
cat postinstallsetup/sl6x.repo > /etc/yum.repos.d/sl6x.repo
[ -f /etc/ssh/sshd_config ] && cat postinstallsetup/sshd_config > /etc/ssh/sshd_config || echo "sshd_config does not exist yet."
cat postinstallsetup/sshd_config > /etc/ssh/sshd_config
[ -f /etc/sysconfig/network-scripts/ifcfg-eth1 ] && cat postinstallsetup/ifcfg-eth1 > /etc/sysconfig/network-scripts/ifcfg-eth1 || echo "ifcfg-eth1 does not exist yet."
cat postinstallsetup/ifcfg-eth1 > /etc/sysconfig/network-scripts/ifcfg-eth1
[ -f /etc/sysconfig/network-scripts/ifcfg-eth0 ] && cat postinstallsetup/ifcfg-eth0 > /etc/sysconfig/network-scripts/ifcfg-eth0 || echo "ifcfg-eth0 does not exist yet."
cat postinstallsetup/ifcfg-eth0 > /etc/sysconfig/network-scripts/ifcfg-eth0
[ -f /etc/sysconfig/network-scripts/ifcfg-eth2 ] && cat postinstallsetup/ifcfg-eth2 > /etc/sysconfig/network-scripts/ifcfg-eth2 || echo "ifcfg-eth2 does not exist yet."
cat postinstallsetup/ifcfg-eth2 > /etc/sysconfig/network-scripts/ifcfg-eth2
[ -f /etc/sysconfig/network-scripts/ifcfg-eth3 ] && cat postinstallsetup/ifcfg-eth3 > /etc/sysconfig/network-scripts/ifcfg-eth3 || echo "ifcfg-eth3 does not exist yet."
cat postinstallsetup/ifcfg-eth3 > /etc/sysconfig/network-scripts/ifcfg-eth3
[ -f /etc/sysconfig/autofs ] && cat postinstallsetup/autofs > /etc/sysconfig/autofs || echo "autofs does not exist yet."
cat postinstallsetup/autofs > /etc/sysconfig/autofs
[ -f /etc/autofs_ldap_auth.conf ] && cat postinstallsetup/autofs_ldap_auth.conf > /etc/autofs_ldap_auth.conf || echo "autofs_ldap_auth.conf does not exist yet."
cat postinstallsetup/autofs_ldap_auth.conf > /etc/autofs_ldap_auth.conf
[ -f /etc/ntp.conf ] && cat postinstallsetup/ntp.conf > /etc/ntp.conf || echo "ntp.conf does not exist yet."
cat postinstallsetup/ntp.conf > /etc/ntp.conf
[ -f /etc/sudoers ] && cat postinstallsetup/sudoers > /etc/sudoers || echo "sudoers does not exist yet."
cat postinstallsetup/sudoers > /etc/sudoers
[ -f /etc/sysconfig/iptables ] && cat postinstallsetup/iptables > /etc/sysconfig/iptables || echo "iptables does not exist yet."
cat postinstallsetup/iptables > /etc/sysconfig/iptables
[ -f /etc/sysconfig/ip6tables ] && cat postinstallsetup/ip6tables > /etc/sysconfig/ip6tables || echo "ip6tables does not exist yet."
cat postinstallsetup/ip6tables > /etc/sysconfig/ip6tables
[ -f /etc/sssd/sssd.conf ] && cat postinstallsetup/sssd.conf > /etc/sssd/sssd.conf || echo "sssd.conf does not exist yet."
cat postinstallsetup/sssd.conf > /etc/sssd/sssd.conf
chmod 600 /etc/sssd/sssd.conf
[ -f /etc/rsyslog.d/tls.conf ] && cat postinstallsetup/tls.conf > /etc/rsyslog.d/tls.conf || echo "tls.conf does not exist yet."
cat postinstallsetup/tls.conf > /etc/rsyslog.d/tls.conf
chmod 600 /etc/rsyslog.d/tls.conf
# Modify these files
[ -f /etc/openldap/ldap.conf ] && tail -2 postinstallsetup/ldap.conf >> /etc/openldap/ldap.conf || cat postinstallsetup/ldap.conf > /etc/openldap/ldap.conf
[ -f /etc/gconf/gconf.xml.defaults/%gconf-tree.xml ] && cat postinstallsetup/%gconf-tree.xml > /etc/gconf/gconf.xml.defaults/%gconf-tree.xml || echo "%gconf-tree.xml does not exist yet."
cat postinstallsetup/%gconf-tree.xml > /etc/gconf/gconf.xml.defaults/%gconf-tree.xml
else
echo "Could not get tar file"
fi
hwaddr=$( ifconfig eth0 | grep eth0| awk '{print $5}' )
sed -i "s/xx:xx:xx:xx:xx:xx/$hwaddr/" /etc/sysconfig/network-scripts/ifcfg-eth0
hwaddr=$( ifconfig eth1 | grep eth1| awk '{print $5}' )
sed -i "s/xx:xx:xx:xx:xx:xx/$hwaddr/" /etc/sysconfig/network-scripts/ifcfg-eth1
hwaddr=$( ifconfig eth2 | grep eth2| awk '{print $5}' )
sed -i "s/xx:xx:xx:xx:xx:xx/$hwaddr/" /etc/sysconfig/network-scripts/ifcfg-eth2
hwaddr=$( ifconfig eth3 | grep eth3| awk '{print $5}' )
sed -i "s/xx:xx:xx:xx:xx:xx/$hwaddr/" /etc/sysconfig/network-scripts/ifcfg-eth3
sed -i "s/128.173.188.28/$aoeip4/" /etc/sysconfig/network-scripts/ifcfg-eth1
#bounce the network
ifdown eth0
ifdown eth1
echo -n "switch to the open network. Enter a username: "
read ksuser
ifup eth1
echo 'alexandria:/export/apps/aoe-linux-x86_64 /aoe nfs tcp 0 0' >> /etc/fstab
mkdir /aoe
mount /aoe
if [ $? -eq 0 ]; then
cd /etc/profile.d
ln -s /aoe/etc/aoe_profile.sh
ln -s /aoe/etc/aoe_profile.csh
fi
#mkdir /l
chown root:root /l
chmod 777 /l
plymouth-set-default-theme details --rebuild-initrd
cp /etc/openldap/cacerts/authconfig_downloaded.pem /etc/pki/tls/certs/aoe-ca.pem
ln -s /etc/pki/tls/certs/aoe-ca.pem /etc/pki/tls/certs/`openssl x509 -hash -noout -in /etc/pki/tls/certs/aoe-ca.pem`.0
#
# Set the correct time
#
/usr/sbin/ntpdate -bus ntp-1.vt.edu ntp-2.vt.edu ntp-3.vt.edu ntp-4.vt.edu
/sbin/clock --systohc
cd /etc/pki/rsyslog
openssl genrsa -out key.pem 2048
chmod 400 key.pem
export HOSTNAME=$servername.aoe.vt.edu
openssl req -new -key key.pem -out request-$servername.req -config /aoe/etc/openssl.cnf -nodes
openssl req -text -in request-$servername.req -noout -verify
chmod 600 request*
#scp request* stedwar1@alexandria.aoe.vt.edu:~/sandbox/openssl/rsyslog
scp request* $ksuser@alexandria.aoe.vt.edu:~/sandbox/openssl/rsyslog
echo " run this on neptune:"
echo 'ps > certreq.exe -submit -attrib "CertificateTemplate:WebServerLoghostIPSec" ./request-'$servername'.req '$servername'.cer'
echo "press enter when complete"
read waithere
echo " scp may want a password here--wait for it to ask: "
#scp stedwar1@alexandria.aoe.vt.edu:~/sandbox/openssl/rsyslog/cert-$servername.cer cert.pem
scp $ksuser@alexandria.aoe.vt.edu:~/sandbox/openssl/rsyslog/cert-$servername.cer cert.pem
restorecon -RvF /etc/pki
sed -i "\/var\/log\/messages/a *.info;authpriv.none @@artemis.aoe.vt.edu:6514" /etc/rsyslog.conf
sed -i "\/var\/log\/messages/a #*.info;authpriv.none @loghost" /etc/rsyslog.conf
service rsyslog start
logger test
echo -n " user credentials: "
#kinit stedwar1
kinit $ksuser
export host=$servername
msktutil -u --server neptune --computer-name $host --user-creds-only -s host/$host.aoe.vt.edu -s host/$host --upn host/$host.aoe.vt.edu
if [ $? -ne 0 ]; then
echo " There was a problem adding computer to domain. Hit return to continue. "
read waithere
else
echo " looks like the domain join worked. press return to continue "
read waithere
fi
#change ldap.conf back
sed -i "s/TLS_REQCERT never/#TLS_REQCERT never/" /etc/openldap/ldap.conf
sed -i "s/^URI ldap/#URI ldap/" /etc/openldap/ldap.conf
#change the hostname in autofs_ldap_auth.conf
sed -i "s/changeme/$servername/" /etc/autofs_ldap_auth.conf
#Set default NFS version to 3 because file ownership does not work with v4
[ -f /etc/nfsmount.conf ] && sed -i "/# Defaultvers=4/a Defaultvers=3" /etc/nfsmount.conf || echo "nfsmount.conf does not exist"
%end
Kickstart file for single network computers
#platform=x86, AMD64, or Intel EM64T
#version=DEVEL
# Firewall configuration
firewall --enabled --ssh
# Install OS instead of upgrade
install
# Use network installation
url --url="ftp://192.168.2.10/linux/scientific/6.5/x86_64/os"
# Root password
rootpw --iscrypted $6$xi4xSBxAYmyH6gpb$GPGKSG4GDe2Z6WeqdVQB208pntHS8nYlpoK9OIywpkB.FKZ4uHaAvh27ikxGZY89BZTiRzpQ1.2yGmMk/KOKB0
# System authorization information
auth --useshadow --passalgo=sha512 --enableldap --enableldaptls --enablesssd --ldapserver=neptune.aoe.vt.edu --ldapbasedn=dc=aoe,dc=vt,dc=edu --ldaploadcacert=https://www.dept.aoe.vt.edu/~stedwar1/aoe-neptune.crt --enablekrb5 --krb5realm=AOE.VT.EDU --krb5kdc=neptune.aoe.vt.edu --krb5adminserver=neptune.aoe.vt.edu
# Use text mode install
#text
cmdline
# Run the Setup Agent on first boot
#firstboot --enable
# Use interactive kickstart installation method
#interactive
# System keyboard
keyboard us
# System language
lang en_US.UTF-8
# SELinux configuration
selinux --enforcing
# Installation logging level
logging --level=debug
# System timezone
timezone --isUtc America/New_York
# Network information
%include /tmp/network.ks
# System bootloader configuration
bootloader --location=mbr --driveorder=sda --append="crashkernel=auto rhgb quiet" --iscrypted --password=$6$D4nAyc/Bl1bTjcDl$q3JkiI58Akk3USPcCqhN04K1P1xMjQuyATFGsCUgpDJzF/gog9B4ypIkaNMeKer9GXbnOXYdAebuFNp3NKKQl.
# Clear the Master Boot Record
zerombr
# Partition clearing information
clearpart --all --initlabel --drives=sda
# Disk partitioning information
part /boot --asprimary --fstype="ext4" --size=1000
part pv.008002 --grow --size=1
volgroup vg_aoelocal --pesize=4096 pv.008002
logvol /tmp --fstype=ext4 --name=LogVolTmp --vgname=vg_aoelocal --size=10240
logvol /var --fstype=ext4 --name=LogVolVar --vgname=vg_aoelocal --size=10240
logvol / --fstype=ext4 --name=lv_root --vgname=vg_aoelocal --size=10240
logvol swap --name=lv_swap --vgname=vg_aoelocal --size=8192
#logvol /l --fstype=ext4 --name=LogVolLocal --vgname=vg_superstation --size=100
logvol /l --fstype=ext4 --name=LogVolLocal --vgname=vg_aoelocal --grow --size=1
#volgroup vg_superstation --pesize=4096 pv.008002
#logvol /tmp --fstype=ext4 --name=LogVolTmp --vgname=vg_superstation --size=51200
#logvol /var --fstype=ext4 --name=LogVolVar --vgname=vg_superstation --size=51200
#logvol / --fstype=ext4 --name=lv_root --vgname=vg_superstation --size=51200
#logvol swap --name=lv_swap --vgname=vg_superstation --size=8192
##logvol /l --fstype=ext4 --name=LogVolLocal --vgname=vg_superstation --size=100
#logvol /l --fstype=ext4 --name=LogVolLocal --vgname=vg_superstation --grow --size=1
repo --name="Scientific Linux" --baseurl=ftp://192.168.2.10/linux/scientific/6.5/x86_64/os --cost=100
# XWindows configuration information
xconfig --startxonboot
reboot
%packages
@base
@client-mgmt-tools
@core
@debugging
@basic-desktop
@desktop-debugging
@desktop-platform
@directory-client
@fonts
@general-desktop
@graphical-admin-tools
@input-methods
@internet-applications
@internet-browser
@java-platform
@legacy-x
@misc-sl
@network-file-system-client
@office-suite
@print-client
@remote-desktop-clients
@scalable-file-systems
@server-platform
@x11
mtools
oddjob
wodim
sgpio
genisoimage
device-mapper-persistent-data
pax
#samba-winbind
certmonger
pam_krb5
krb5-workstation
libXmu
SL_desktop_tweaks
pam_ldap
yum-priorities
yum-updateonboot
elrepo-release
epel-release
rdesktop
lynx
vim-X11
gettext-devel
gnuplot
subversion
compat-gcc-34-g77
numpy
scipy
lapack
python-matplotlib
ksh
screen
libXp
logwatch
openmotif
gsl
@ Development Tools
git
gitk
openmpi-devel
libXaw
compat-libstdc++-33
@ TeX support
policycoreutils-python
openswan
rsyslog-gnutls
openldap-clients
#devtoolset-1.1-runtime
#devtoolset-1.1-gcc.x86_64
#devtoolset-1.1-gcc-c++.x86_64
%end
%pre
#!/bin/sh
for x in `cat /proc/cmdline`; do
case $x in SERVERNAME*)
eval $x
echo "network --onboot yes --device eth0 --bootproto dhcp --ipv6 auto --hostname ${SERVERNAME}.aoe.vt.edu" > /tmp/network.ks
echo "${SERVERNAME}" > /tmp/servername.ks
;;
AOEIP4*)
eval $x
echo "${AOEIP4}" > /tmp/ip4.ks
;;
esac;
done
if [ ! -f /tmp/network.ks ] ; then
curTTY=`tty`
exec < $curTTY > $curTTY 2> $curTTY
#clear
echo -n "Not enough cmd line args. Enter a Hostname: "
read SERVERNAME
echo "network --onboot yes --device eth0 --bootproto dhcp --ipv6 auto --hostname ${SERVERNAME}.aoe.vt.edu" > /tmp/network.ks
echo "${SERVERNAME}" > /tmp/servername.ks
fi
%end
%post --nochroot
cp /tmp/*.ks /mnt/sysimage/tmp # /mnt/sysimage/tmp is /tmp in chrooted env
killall NetworkManager
echo 'nameserver 128.173.188.25' > /etc/resolv.conf
echo 'nameserver 128.173.188.26' >> /etc/resolv.conf
echo 'search aoe.vt.edu' >> /etc/resolv.conf
%post
#!/bin/bash
## redirect the output to the log file. Interaction is confusing since input has to happen on tty1....
## This would be best if no interaction is needed with the post installation or for debugging ks.
#exec >/root/ks-post-anaconda.log 2>&1
## show the output on the 7th console
#tail -f /root/ks-post-anaconda.log >/dev/tty7 &
## changing to VT 7 that we can see what's going on....
#/usr/bin/chvt 7
#this allows interaction with the postinstall portion on the current tty
curTTY=`tty`
exec < $curTTY > $curTTY 2> $curTTY
clear
if [ -f /tmp/ip4.ks ] ; then
read aoeip4 < /tmp/ip4.ks #read the var
echo $aoeip4 # print its value, should be SOMEVAL
#rm -rf /tmp/ip4.ks # cleanup
else
echo -n "enter an ipv4 address: "
read aoeip4
fi
if [ -f /tmp/servername.ks ] ; then
read servername < /tmp/servername.ks #read the var
echo $servername # print its value, should be SOMEVAL
#rm -rf /tmp/servername.ks # cleanup
else
echo -n "Enter a hostname: "
read servername
fi
# set log forwarding to root@aoe
echo 'root@aoe.vt.edu' >> /root/.forward
restorecon /root/.forward
# grab the setup files and replace the contents of the existing files
wget ftp://192.168.2.10/linux/scientific/ks/postinstallsetup.tgz
if [ $? -eq 0 ]; then
tar xzf postinstallsetup.tgz
# replace the contents of these files
[ -f /etc/yum.repos.d/sl.repo ] && cat postinstallsetup/sl.repo > /etc/yum.repos.d/sl.repo || echo "sl.repo does not exist yet."
cat postinstallsetup/sl.repo > /etc/yum.repos.d/sl.repo
[ -f /etc/yum.repos.d/sl6x.repo ] && cat postinstallsetup/sl6x.repo > /etc/yum.repos.d/sl6x.repo || echo "sl6x.repo does not exist yet."
cat postinstallsetup/sl6x.repo > /etc/yum.repos.d/sl6x.repo
else
echo "Could not get tar file"
read waithere
fi
# setup update on boot
chkconfig yum-updateonboot on
yum -y update
# install packages from epel and elrepo
yum -y install lyx denyhosts qtwebkit colordiff htop octave emacs msktutil
#set up yum check-update in cron job - even though it is not a great implementation
crontab -l | { cat ; echo '@daily yum check-update > /dev/null || yum check-update'; } | crontab -
#append aoe modulefiles
echo '/aoe/etc/modulefiles' >> /usr/share/Modules/init/.modulespath
# turn off unused services
service bluetooth stop
chkconfig bluetooth off
chkconfig NetworkManager off
service NetworkManager stop
chkconfig avahi-daemon off
chkconfig kdump off
chkconfig ntpd on
# set up new user
useradd -u 501 -c "Steve" -d /l/steve -m -s /bin/bash steve
semanage fcontext -a -t home_root_t "/l"
semanage fcontext -a -e /home /l
restorecon -R -v /l
# grab the setup files and replace the contents of the existing files
if [ -d postinstallsetup ]; then
# replace the contents of these files
[ -f /etc/ssh/sshd_config ] && cat postinstallsetup/sshd_config > /etc/ssh/sshd_config || echo "sshd_config does not exist yet."
cat postinstallsetup/sshd_config > /etc/ssh/sshd_config
# [ -f /etc/sysconfig/network-scripts/ifcfg-eth1 ] && cat postinstallsetup/ifcfg-eth1 > /etc/sysconfig/network-scripts/ifcfg-eth1 || echo "ifcfg-eth1 does not exist yet."
# cat postinstallsetup/ifcfg-eth1 > /etc/sysconfig/network-scripts/ifcfg-eth1
[ -f /etc/sysconfig/network-scripts/ifcfg-eth0 ] && cat postinstallsetup/ifcfg-eth1 > /etc/sysconfig/network-scripts/ifcfg-eth0 || echo "ifcfg-eth0 does not exist yet."
sed -i 's/eth1/eth0/' /etc/sysconfig/network-scripts/ifcfg-eth0
# cat postinstallsetup/ifcfg-eth0 > /etc/sysconfig/network-scripts/ifcfg-eth0
# [ -f /etc/sysconfig/network-scripts/ifcfg-eth2 ] && cat postinstallsetup/ifcfg-eth2 > /etc/sysconfig/network-scripts/ifcfg-eth2 || echo "ifcfg-eth2 does not exist yet."
# cat postinstallsetup/ifcfg-eth2 > /etc/sysconfig/network-scripts/ifcfg-eth2
# [ -f /etc/sysconfig/network-scripts/ifcfg-eth3 ] && cat postinstallsetup/ifcfg-eth3 > /etc/sysconfig/network-scripts/ifcfg-eth3 || echo "ifcfg-eth3 does not exist yet."
# cat postinstallsetup/ifcfg-eth3 > /etc/sysconfig/network-scripts/ifcfg-eth3
[ -f /etc/sysconfig/autofs ] && cat postinstallsetup/autofs > /etc/sysconfig/autofs || echo "autofs does not exist yet."
cat postinstallsetup/autofs > /etc/sysconfig/autofs
[ -f /etc/autofs_ldap_auth.conf ] && cat postinstallsetup/autofs_ldap_auth.conf > /etc/autofs_ldap_auth.conf || echo "autofs_ldap_auth.conf does not exist yet."
cat postinstallsetup/autofs_ldap_auth.conf > /etc/autofs_ldap_auth.conf
[ -f /etc/ntp.conf ] && cat postinstallsetup/ntp.conf > /etc/ntp.conf || echo "ntp.conf does not exist yet."
cat postinstallsetup/ntp.conf > /etc/ntp.conf
[ -f /etc/sudoers ] && cat postinstallsetup/sudoers > /etc/sudoers || echo "sudoers does not exist yet."
cat postinstallsetup/sudoers > /etc/sudoers
[ -f /etc/sysconfig/iptables ] && cat postinstallsetup/iptables > /etc/sysconfig/iptables || echo "iptables does not exist yet."
cat postinstallsetup/iptables > /etc/sysconfig/iptables
[ -f /etc/sysconfig/ip6tables ] && cat postinstallsetup/ip6tables > /etc/sysconfig/ip6tables || echo "ip6tables does not exist yet."
cat postinstallsetup/ip6tables > /etc/sysconfig/ip6tables
[ -f /etc/sssd/sssd.conf ] && cat postinstallsetup/sssd.conf > /etc/sssd/sssd.conf || echo "sssd.conf does not exist yet."
cat postinstallsetup/sssd.conf > /etc/sssd/sssd.conf
chmod 600 /etc/sssd/sssd.conf
[ -f /etc/rsyslog.d/tls.conf ] && cat postinstallsetup/tls.conf > /etc/rsyslog.d/tls.conf || echo "tls.conf does not exist yet."
cat postinstallsetup/tls.conf > /etc/rsyslog.d/tls.conf
chmod 600 /etc/rsyslog.d/tls.conf
# Modify these files
[ -f /etc/openldap/ldap.conf ] && tail -2 postinstallsetup/ldap.conf >> /etc/openldap/ldap.conf || cat postinstallsetup/ldap.conf > /etc/openldap/ldap.conf
#This is done at the end of this ks with sed
# [ -f /etc/gconf/gconf.xml.defaults/%gconf-tree.xml ] && cat postinstallsetup/%gconf-tree.xml > /etc/gconf/gconf.xml.defaults/%gconf-tree.xml || echo "%gconf-tree.xml does not exist yet."
# cat postinstallsetup/%gconf-tree.xml > /etc/gconf/gconf.xml.defaults/%gconf-tree.xml
else
echo "Could not get tar file"
fi
hwaddr=$( ifconfig eth0 | grep eth0| awk '{print $5}' )
sed -i "s/xx:xx:xx:xx:xx:xx/$hwaddr/" /etc/sysconfig/network-scripts/ifcfg-eth0
#hwaddr=$( ifconfig eth1 | grep eth1| awk '{print $5}' )
#sed -i "s/xx:xx:xx:xx:xx:xx/$hwaddr/" /etc/sysconfig/network-scripts/ifcfg-eth1
#hwaddr=$( ifconfig eth2 | grep eth2| awk '{print $5}' )
#sed -i "s/xx:xx:xx:xx:xx:xx/$hwaddr/" /etc/sysconfig/network-scripts/ifcfg-eth2
#hwaddr=$( ifconfig eth3 | grep eth3| awk '{print $5}' )
#sed -i "s/xx:xx:xx:xx:xx:xx/$hwaddr/" /etc/sysconfig/network-scripts/ifcfg-eth3
#sed -i "s/128.173.188.28/$aoeip4/" /etc/sysconfig/network-scripts/ifcfg-eth1
sed -i "s/128.173.188.28/$aoeip4/" /etc/sysconfig/network-scripts/ifcfg-eth0
#bounce the network
ifdown eth0
ifdown eth1
sed -i 's/NM_CONTROLLED="yes"/NM_CONTROLLED="no"/' /etc/sysconfig/network-scripts/ifcfg-*
echo -n "switch to the open network. Enter a username: "
read ksuser
ifup eth0
sleep 10
echo 'alexandria:/export/apps/aoe-linux-x86_64 /aoe nfs tcp 0 0' >> /etc/fstab
mkdir /aoe
mount /aoe
if [ $? -eq 0 ]; then
cd /etc/profile.d
ln -s /aoe/etc/aoe_profile.sh
ln -s /aoe/etc/aoe_profile.csh
else
echo " /aoe not mounted "
read waithere
fi
#mkdir /l
chown root:root /l
chmod 777 /l
plymouth-set-default-theme details --rebuild-initrd
cp /etc/openldap/cacerts/authconfig_downloaded.pem /etc/pki/tls/certs/aoe-ca.pem
ln -s /etc/pki/tls/certs/aoe-ca.pem /etc/pki/tls/certs/`openssl x509 -hash -noout -in /etc/pki/tls/certs/aoe-ca.pem`.0
#
# Set the correct time
#
sed -i 's/0.rhel.pool.ntp.org/ntp-1.vt.edu/' /etc/ntp.conf
sed -i 's/1.rhel.pool.ntp.org/ntp-2.vt.edu/' /etc/ntp.conf
sed -i 's/2.rhel.pool.ntp.org/ntp-3.vt.edu/' /etc/ntp.conf
sed -i 's/3.rhel.pool.ntp.org/ntp-4.vt.edu/' /etc/ntp.conf
/usr/sbin/ntpdate -bus ntp-1.vt.edu ntp-2.vt.edu ntp-3.vt.edu ntp-4.vt.edu
/sbin/clock --systohc
cd /etc/pki/rsyslog
openssl genrsa -out key.pem 2048
chmod 400 key.pem
export HOSTNAME=$servername.aoe.vt.edu
openssl req -new -key key.pem -out request-$servername.req -config /aoe/etc/openssl.cnf -nodes
openssl req -text -in request-$servername.req -noout -verify
chmod 600 request*
#scp request* stedwar1@alexandria.aoe.vt.edu:~/sandbox/openssl/rsyslog
scp request* $ksuser@alexandria.aoe.vt.edu:~/sandbox/openssl/rsyslog
echo " run this on neptune:"
echo 'ps > certreq.exe -submit -attrib "CertificateTemplate:WebServerLoghostIPSec" ./request-'$servername'.req '$servername'.cer'
echo "press enter when complete"
read waithere
echo " scp may want a password here--wait for it to ask: "
#scp stedwar1@alexandria.aoe.vt.edu:~/sandbox/openssl/rsyslog/cert-$servername.cer cert.pem
scp $ksuser@alexandria.aoe.vt.edu:~/sandbox/openssl/rsyslog/cert-$servername.cer cert.pem
restorecon -RvF /etc/pki
sed -i "\/var\/log\/messages/a *.info;authpriv.none @@artemis.aoe.vt.edu:6514" /etc/rsyslog.conf
sed -i "\/var\/log\/messages/a #*.info;authpriv.none @loghost" /etc/rsyslog.conf
service rsyslog start
logger test
echo -n " user credentials: "
#kinit stedwar1
kinit $ksuser
export host=$servername
msktutil -u --server neptune --computer-name $host --user-creds-only -s host/$host.aoe.vt.edu -s host/$host --upn host/$host.aoe.vt.edu
if [ $? -ne 0 ]; then
echo " There was a problem adding computer to domain. Hit return to continue. "
read waithere
else
echo " looks like the domain join worked. press return to continue "
read waithere
fi
#change ldap.conf back
sed -i "s/TLS_REQCERT never/#TLS_REQCERT never/" /etc/openldap/ldap.conf
sed -i "s/^URI ldap/#URI ldap/" /etc/openldap/ldap.conf
#change the hostname in autofs_ldap_auth.conf
sed -i "s/changeme/$servername/" /etc/autofs_ldap_auth.conf
#Set default NFS version to 3 because file ownership does not work with v4
[ -f /etc/nfsmount.conf ] && sed -i "/# Defaultvers=4/a Defaultvers=3" /etc/nfsmount.conf || echo "nfsmount.conf does not exist"
#change default logon screen to disable user list
sed -i '/disable_user_list/ { N ; /disable_user_list/ { N ; s/false/true/ } }' /etc/gconf/gconf.xml.defaults/%gconf-tree.xml
%end
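The %pre sections above pull SERVERNAME= and AOEIP4= out of /proc/cmdline with `eval $x`, which runs whatever text follows the key as shell. The following is an added example, not part of either kickstart, showing the same parsing done without eval and with the hostname label and IPv4 address validated before they are written into the generated network.ks line; the ks_* function names and the two sample command lines are constructed for this illustration.

```shell
#!/bin/sh
# Added example: parse SERVERNAME= and AOEIP4= boot arguments the way the
# %pre section does, but treat the values as data (no eval) and validate
# them before they reach the generated kickstart network directive.

# Constructed sample command lines used for the demonstration below.
SAMPLE_OK='initrd=initrd.img ks=ftp://192.168.2.10/ks.cfg SERVERNAME=lab01 AOEIP4=192.168.2.77 quiet'
SAMPLE_MISSING='initrd=initrd.img ks=ftp://192.168.2.10/ks.cfg quiet'

# ks_getarg CMDLINE KEY: print the value of KEY=value, fail if KEY is absent.
ks_getarg() {
    cmdline=$1; key=$2
    for x in $cmdline; do
        case $x in
            "$key"=*) printf '%s\n' "${x#*=}"; return 0 ;;
        esac
    done
    return 1
}

# Accept a single DNS label only: letters, digits, hyphen, 1-63 characters,
# no leading or trailing hyphen. Anything else (including shell metacharacters)
# is rejected rather than interpolated into the network line.
ks_valid_label() {
    case $1 in
        ''|-*|*-) return 1 ;;
        *[!a-zA-Z0-9-]*) return 1 ;;
    esac
    [ "${#1}" -le 63 ]
}

# Accept a dotted quad only, each octet 0-255.
ks_valid_ipv4() {
    case $1 in ''|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# ks_network_line CMDLINE: emit the network directive the %pre writes to
# /tmp/network.ks, or fail so the caller can fall back to prompting.
ks_network_line() {
    name=$(ks_getarg "$1" SERVERNAME) || return 1
    ks_valid_label "$name" || return 2
    printf 'network --onboot yes --device eth0 --bootproto dhcp --ipv6 auto --hostname %s.aoe.vt.edu\n' "$name"
}

# ks_ipv4 CMDLINE: emit the validated AOEIP4 value (what goes to /tmp/ip4.ks).
ks_ipv4() {
    ip=$(ks_getarg "$1" AOEIP4) || return 1
    ks_valid_ipv4 "$ip" || return 2
    printf '%s\n' "$ip"
}

# Demonstration on the constructed samples.
ks_network_line "$SAMPLE_OK"
ks_ipv4 "$SAMPLE_OK"
ks_network_line "$SAMPLE_MISSING" || echo "SERVERNAME not given; %pre would prompt for it"
```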