SL7 installation
systemd-analyze
systemctl list-unit-files --type=service
hostnamectl status
hostnamectl set-hostname alexandria.aoe.vt.edu
Mac Style natural scrolling
sudo xmodmap -e "pointer = 1 2 3 5 4 7 6 8 9 10 11 12"
Then press alt-F2 and enter
gnome-session-properties
Add
xmodmap -e "pointer = 1 2 3 5 4 7 6 8 9 10 11 12"
Add VT yum repo servers
/etc/yum.repos.d/sl7
baseurl=http://mirror.cc.vt.edu/pub3/scientific/$slreleasever/$basearch/os/
yum -y update
Update Time server sources
- ntp or chronyd
- modify /etc/ntp/step-tickers to add ntp-[1-4].vt.edu for ???
- modify /etc/chrony.conf for chrony
systemctl restart chronyd.service
Forward system email
cat > /root/.forward
root@aoe.vt.edu
(Ctrl-d)
restorecon -v .forward
Install Local software
yum -y install yum-updateonboot
chkconfig yum-updateonboot on
yum update
crontab -e
@daily yum check-update > /dev/null || yum check-update
yum -y install yum-priorities
yum -y install elrepo-release epel-release
yum -y install freerdp lynx vim-X11 gettext-devel denyhosts gnuplot subversion compat-gcc-34-g77 lyx numpy scipy lapack python-matplotlib ksh screen libXp qtwebkit logwatch libXp openmotif colordiff htop octave gsl
To use xfreerdp
xfreerdp -d aoe -u stedwar1 gl-gauss.aoe.vt.edu
or roycfd lab machines
yum -y groupinstall "Development Tools"
yum -y install git gitk emacs
yum -y install openmpi-devel
for other ??
compat-libstdc++-33
For Dakota asking for libXm.so.2, which is in a motif package called lesstif:
yum -y install lesstif
For compiling OpenFOAM (not tested with OpenFOAM; may not be required):
yum install yum-conf-softwarecollections
yum install devtoolset-3
yum install devtoolset-3-runtime devtoolset-3-gcc.x86_64 devtoolset-3-gcc-c++.x86_64
from user mode:
$ scl enable devtoolset-3 bash
(CGAL also needed from dl-atrpms)
to compile 32 bit code on 64 bit installs:
yum install glibc-devel.i686 libgcc.i686 libstdc++-devel.i686
Patran ??
export LC_ALL=C
Add this line to use common modulefiles, which comes with openmpi:
cat >> /usr/share/Modules/init/.modulespath
/aoe/etc/modulefiles
?? yum groupinstall "TeX support"
for Xiao
??yum install scitool* ipython*
(Check the wildcard results.)
Also for Dr Xiao: EPD (Enthought Python Distribution) and matplotlib
Video for SL 6
yum install yum-priorities
yum install rpmforge-release
yum install compat-libstdc++-33 libdvdcss libdvdread libdvdplay libdvdnav lsdvd libquicktime
yum install flash-plugin mplayer mplayer-gui gstreamer-ffmpeg gstreamer-plugins-ugly
yum install ffmpeg ffmpeg-devel mplayer mencoder
kernel exclusions (optional if needed) untested on sl7
yum autoupdate exclusions are listed in /etc/sysconfig/yum-autoupdate:
EXCLUDE="kernel* openafs* *-kmdl-* kmod-* *firmware*"
To disable kernel updates when using the command line (this was required on typhon and apogee because it broke the graphics), edit /etc/yum.conf and add:
EXCLUDE=kernel
or specific versions:
EXCLUDE=kernel-2.6.32-220*
or
EXCLUDE=kernel-2.6.32-220.2.1.el6.x86_64
To temporarily override the exclusion:
yum --disableexcludes=all update
or for a specific kernel:
yum --disableexcludes=all update kernel-2.6.32-220.2.1.el6.x86_64
apogee and typhon also needed reboot=pci added to the kernel line in grub.conf:
kernel /vmlinuz-2.6.32-131.0.15.el6.x86_64 ro root=/dev/mapper/vg_apogee-lv_root rd_LVM_LV=vg_apogee/lv_root rd_LVM_LV=vg_apogee/lv_swap rd_NO_LUKS rd_NO_MD rd_NO_DM LANG=en_US.UTF-8 SYSFONT=latarcyrheb-sun16 KEYBOARDTYPE=pc KEYTABLE=us rhgb reboot=pci
===== Disable “show user accounts” =====
edit the file
vim /etc/gconf/gconf.xml.defaults/%gconf-tree.xml
and change the boolean for
disable_user_list
from false to true
Disable Root Access via ssh
vim /etc/ssh/sshd_config
PermitRootLogin no
systemctl restart sshd.service
ssh login speed and login persistence tweaks (optional) (untested on sl7)
vim /etc/ssh/sshd_config
ClientAliveInterval 120
UseDNS no
service sshd restart
vim /etc/ssh/ssh_config
ServerAliveInterval 120
vim /etc/resolv.conf
options single-request-reopen
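A check for the sshd settings above, added here as an example and not part of the original notes. sshd takes the first value it finds for a keyword, so a `PermitRootLogin no` appended below an earlier `PermitRootLogin yes` is silently ignored; a plain grep misses that, the function below applies the first-match rule. Both sample configs are constructed; nothing is read from /etc/ssh.

```python
import re

# Constructed sshd_config excerpts (not taken from any host on this page).
GOOD_CONFIG = """\
# sshd_config excerpt (constructed sample)
PermitRootLogin no
ClientAliveInterval 120
UseDNS no
Subsystem sftp /usr/libexec/openssh/sftp-server
"""

# The later "no" does nothing: sshd keeps the first value it saw.
SHADOWED_CONFIG = """\
PermitRootLogin yes
Subsystem sftp /usr/libexec/openssh/sftp-server
# appended later; ignored by sshd because of the earlier line
PermitRootLogin no
ClientAliveInterval 0
"""


def effective_settings(text):
    """Return {keyword_lowercase: value} the way sshd resolves it: the
    first occurrence of a keyword wins, and everything after a 'Match'
    line is skipped because it is conditional rather than global."""
    settings = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_match = True
        if in_match:
            continue
        settings.setdefault(key, value)
    return settings


def check_sshd(text):
    """List deviations from the settings this page applies."""
    s = effective_settings(text)
    problems = []
    # OpenSSH 6.x (as shipped with EL7) defaults PermitRootLogin to yes,
    # so an absent keyword is treated the same as an explicit yes.
    if s.get("permitrootlogin", "yes").lower() != "no":
        problems.append("PermitRootLogin is not 'no'")
    interval = s.get("clientaliveinterval", "0")
    if not interval.isdigit() or int(interval) <= 0:
        problems.append("ClientAliveInterval is not a positive number")
    if s.get("usedns", "yes").lower() != "no":
        problems.append("UseDNS is not 'no'")
    return problems


if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("shadowed", SHADOWED_CONFIG)):
        print(name, check_sshd(cfg) or "ok")
```

To run it against a real host, pass the contents of /etc/ssh/sshd_config to `check_sshd` after the edit and before restarting sshd; `sshd -T` prints the same effective values and can be used to cross-check.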
firewalld
graphical configuration
firewall-config
command line configuration
firewall-cmd
The configuration for firewalld is stored in various XML files in /usr/lib/firewalld/ (Don't edit these) and /etc/firewalld/
See the firewalld.richlanguage(5) man page for more examples.
cat /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>Public</short>
<description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<service name="dhcpv6-client"/>
<rule family="ipv4">
<source address="128.173.0.0/16"/>
<port protocol="tcp" port="22"/>
<log prefix="FIREWALLD" level="info">
<limit value="2/m"/>
</log>
<audit>
<limit value="2/m"/>
</audit>
<accept>
<limit value="2/m"/>
</accept>
</rule>
<rule family="ipv6">
<source address="2001:468:c80::/48"/>
<port protocol="tcp" port="22"/>
<log prefix="FIREWALLD6" level="info">
<limit value="2/m"/>
</log>
<audit>
<limit value="2/m"/>
</audit>
<accept>
<limit value="2/m"/>
</accept>
</rule>
</zone>
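An added example, not from the original page or from firewalld, that parses a zone file like the public.xml above and reports any accept rule that has no source restriction, allows a source outside the expected campus ranges, or is not logged. The XML is embedded as a constructed copy of the listing; on a host, read /etc/firewalld/zones/public.xml instead.

```python
import xml.etree.ElementTree as ET

# Constructed copy of the public.xml zone above, embedded so the script
# runs without firewalld; on a host read /etc/firewalld/zones/public.xml.
PUBLIC_ZONE_XML = """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>Only selected incoming connections are accepted.</description>
  <service name="dhcpv6-client"/>
  <rule family="ipv4">
    <source address="128.173.0.0/16"/>
    <port protocol="tcp" port="22"/>
    <log prefix="FIREWALLD" level="info"><limit value="2/m"/></log>
    <audit><limit value="2/m"/></audit>
    <accept><limit value="2/m"/></accept>
  </rule>
  <rule family="ipv6">
    <source address="2001:468:c80::/48"/>
    <port protocol="tcp" port="22"/>
    <log prefix="FIREWALLD6" level="info"><limit value="2/m"/></log>
    <audit><limit value="2/m"/></audit>
    <accept><limit value="2/m"/></accept>
  </rule>
</zone>
"""

ACTIONS = ("accept", "reject", "drop", "mark")


def parse_zone(xml_text):
    """Return (services, rules): the zone's enabled services and one dict
    per rich rule with its family, source, port/protocol, action, the
    rate limit on that action and the log prefix (None where absent)."""
    root = ET.fromstring(xml_text)
    services = [s.get("name") for s in root.findall("service")]
    rules = []
    for rule in root.findall("rule"):
        src = rule.find("source")
        port = rule.find("port")
        log = rule.find("log")
        action = next((c.tag for c in rule if c.tag in ACTIONS), None)
        limit = None
        if action is not None:
            lim = rule.find(action).find("limit")
            limit = lim.get("value") if lim is not None else None
        rules.append({
            "family": rule.get("family"),
            "source": src.get("address") if src is not None else None,
            "port": port.get("port") if port is not None else None,
            "protocol": port.get("protocol") if port is not None else None,
            "action": action,
            "limit": limit,
            "log_prefix": log.get("prefix") if log is not None else None,
        })
    return services, rules


def findings(xml_text, allowed_sources):
    """Flag accept rules with no source, a source outside allowed_sources,
    or no log element. Each finding is (rule index, message)."""
    _, rules = parse_zone(xml_text)
    out = []
    for i, r in enumerate(rules):
        if r["action"] != "accept":
            continue
        if r["source"] is None:
            out.append((i, "accept rule has no source restriction"))
        elif r["source"] not in allowed_sources:
            out.append((i, f"accept from unexpected source {r['source']}"))
        if r["log_prefix"] is None:
            out.append((i, "accept rule is not logged"))
    return out


if __name__ == "__main__":
    for i, msg in findings(PUBLIC_ZONE_XML, {"128.173.0.0/16"}):
        print(f"rule {i}: {msg}")
```

The rule index matches the order of `<rule>` elements in the file, which is also the order `firewall-cmd --list-rich-rules` prints them, so a finding can be traced back to the rule to remove or adjust.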
Network Manager and the config scripts
systemctl start|stop|restart|status network
nmcli connection reload
nmcli con load /etc/sysconfig/network-scripts/ifcfg-ifname
nmcli dev disconnect interface-name
nmcli con up interface-name
LDAP
system-config-authentication
User Account Database
ldap
Download CA Certificate:
https://www.dept.aoe.vt.edu/~stedwar1/aoe-neptune.crt
Kerberos Settings
Realm:
AOE.VT.EDU
KDC:
neptune.aoe.vt.edu
Admin Server:
neptune.aoe.vt.edu
Leave the “Use DNS” checkboxes cleared
Name Service Switch
in /etc/nsswitch.conf
vim /etc/nsswitch.conf
remove nis in hosts:
#hosts: db files nisplus nis dns
hosts: files nis dns
should be:
#hosts: db files nisplus nis dns
hosts: files dns
Add sudoers
visudo
After:
## Allow root to run any commands anywhere
root ALL=(ALL) ALL
(Some items optional for audit data collection)
Add:
%bigwheel ALL=(ALL) ALL
On local user only machines:
steve ALL=(ALL) ALL
Also add in appropriate sections:
aoebackup ALL= NOPASSWD:/usr/bin/rsync
stedwar1 ALL= NOPASSWD:/bin/netstat,/sbin/iptables,/sbin/iptables-save,/sbin/ip6tables,/sbin/ip6tables-save
steve ALL= NOPASSWD:/bin/netstat,/sbin/iptables,/sbin/iptables-save,/sbin/ip6tables,/sbin/ip6tables-save
and
Defaults:aoebackup,steve !requiretty
or
Defaults:aoebackup,stedwar1 !requiretty
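An added example, not part of the original notes, that reads the sudoers entries above (embedded as a constructed sample) and lists who can run everything, which commands are NOPASSWD, and which users are exempted from requiretty, so the grants can be reviewed after each visudo edit. The parser covers only the simple `user host=(runas) [TAG:]cmds` form used on this page; aliases and backslash continuations are not handled.

```python
import re

# Constructed sample made from the entries on this page.
SUDOERS = """\
## Allow root to run any commands anywhere
root ALL=(ALL) ALL
%bigwheel ALL=(ALL) ALL
aoebackup ALL= NOPASSWD:/usr/bin/rsync
stedwar1 ALL= NOPASSWD:/bin/netstat,/sbin/iptables,/sbin/iptables-save,/sbin/ip6tables,/sbin/ip6tables-save
Defaults:aoebackup,stedwar1 !requiretty
"""

# who hosts=(runas) [TAG:]cmds  (simplified user specification grammar)
SPEC_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<hosts>\S+?)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")
# leading TAG: prefixes such as NOPASSWD: or NOEXEC:
TAG_RE = re.compile(r"^(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.*)$")


def parse_sudoers(text):
    """Return (specs, defaults). Each spec is a dict with who, hosts,
    runas, tags and the list of commands; defaults keeps Defaults lines."""
    specs, defaults = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("Defaults"):
            defaults.append(line)
            continue
        m = SPEC_RE.match(line)
        if not m:
            continue
        t = TAG_RE.match(m.group("cmds"))
        tags = [x.strip() for x in t.group("tags").split(":") if x.strip()]
        cmds = [c.strip() for c in t.group("cmds").split(",")]
        specs.append({"who": m.group("who"), "hosts": m.group("hosts"),
                      "runas": m.group("runas"), "tags": tags, "cmds": cmds})
    return specs, defaults


def unrestricted(specs):
    """Principals granted ALL commands, i.e. full root equivalence."""
    return [s["who"] for s in specs if "ALL" in s["cmds"]]


def passwordless(specs):
    """{who: [commands]} for entries tagged NOPASSWD."""
    out = {}
    for s in specs:
        if "NOPASSWD" in s["tags"]:
            out.setdefault(s["who"], []).extend(s["cmds"])
    return out


def requiretty_exempt(defaults):
    """Users named in 'Defaults:user,... !requiretty' lines."""
    users = set()
    for d in defaults:
        m = re.match(r"^Defaults:(\S+)\s+!requiretty\b", d)
        if m:
            users.update(m.group(1).split(","))
    return users


if __name__ == "__main__":
    specs, defaults = parse_sudoers(SUDOERS)
    print("full root:", unrestricted(specs))
    print("NOPASSWD:", passwordless(specs))
    print("!requiretty:", sorted(requiretty_exempt(defaults)))
```

Feed it the output of `visudo -c -f /etc/sudoers` or the file itself after editing; a NOPASSWD command list that grows beyond the rsync and netstat/iptables entries intended for backup and audit collection is the thing to look for.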
AOE Domain Software
first, add access to alexandria
modify as required: Add host to hosts file
vim /etc/hosts
To modify running iptables:
iptables -L --line-numbers
Pick a place to insert the rule and add the new rule
iptables -I INPUT 56 -s apogee.aoe.vt.edu -j ACCEPT
Add the entry to the startup file for iptables
vim /etc/sysconfig/iptables
The script in /home/sysadmin/bin/exports writes the exports text to stdout. Redirect the output to /etc/exports:
vim /home/sysadmin/bin/exports/exports.sh
/home/sysadmin/bin/exports/exports.sh > /etc/exports
exportfs -ra
Old vim replace command that can be used on the /etc/exports file for temporary changes:
:%s/aphrodite.aoe.vt.edu(rw,sync,root_squash) \\\n/altus.aoe.vt.edu(rw,sync,root_squash) \\\r aphrodite.aoe.vt.edu(rw,sync,root_squash) \\\r/
then add the mounts in the new Linux machine
go back to the new Linux box. ***be very careful here! Add the line to /etc/fstab:
cat >> /etc/fstab
alexandria:/export/apps/aoe-linux-x86_64 /aoe nfs tcp 0 0
Then run these commands:
mkdir /aoe
mount /aoe
cd /etc/profile.d
ln -s /aoe/etc/aoe_profile.sh
ln -s /aoe/etc/aoe_profile.csh
Local Directories
mkdir /l
chown root:root /l
chmod 777 /l
boot screen
plymouth-set-default-theme details --rebuild-initrd
Logging
yum install openswan
Place neptune's CA certificate in openssl's CA list. Use the pem from the authconfig download step.
cp /etc/openldap/cacerts/authconfig_downloaded.pem /etc/pki/tls/certs/aoe-ca.pem
ln -s /etc/pki/tls/certs/aoe-ca.pem /etc/pki/tls/certs/`openssl x509 -hash -noout -in /etc/pki/tls/certs/aoe-ca.pem`.0
yum install rsyslog-gnutls
cd /etc/pki/rsyslog
openssl genrsa -out key.pem 2048
chmod 400 key.pem
openssl req -new -key key.pem -out request-$(hostname -s).req -config /aoe/etc/openssl.cnf -nodes
openssl req -text -in request-$(hostname -s).req -noout -verify
copy the csr to neptune
chmod 600 request*
scp request* stedwar1@alexandria.aoe.vt.edu:~/sandbox/openssl/rsyslog
perform these steps on neptune
PS> certreq.exe -submit -attrib "CertificateTemplate:WebServerLoghostIPSec" ./request-traininglt.req training.cer
If manual approval is required, then find the issued certificate in the CA and open it.
Select the Details tab and click “copy to file”.
Select Base-64 encoded, and click “next”.
click browse and navigate to the desired folder on the Z: drive to place the certificate.
Name it cert-<client name>
copy cert back to client and rename it. From the Linux client (check the file extension, as the export may append .cer):
scp stedwar1@alexandria.aoe.vt.edu:~/sandbox/openssl/rsyslog/cert-$( hostname -s ).cer cert.pem
Fix selinux on certificate files
restorecon -RvF /etc/pki
cat >> /etc/rsyslog.d/tls.conf
# extra config file for rsyslog to be placed in /etc/rsyslog.d to enable
# tls for rsyslog.
# make gtls driver the default
$DefaultNetstreamDriver gtls
# certificate files
$DefaultNetstreamDriverCAFile /etc/pki/tls/certs/aoe-ca.pem
$DefaultNetstreamDriverCertFile /etc/pki/rsyslog/cert.pem
$DefaultNetstreamDriverKeyFile /etc/pki/rsyslog/key.pem
$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverPermittedPeer artemis.aoe.vt.edu
$ActionSendStreamDriverMode 1 # run driver in TLS-only mode
#*.* @@central.example.net:10514 # forward everything to remote server
After the following lines in /etc/rsyslog.conf:
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
vim /etc/rsyslog.conf
add the whole line:
#*.info;authpriv.none @loghost
*.info;authpriv.none @@artemis.aoe.vt.edu:6514
From artemis, watch the log:
[root@artemis ~]# watch 'tail -1000 /var/log/messages|grep -v FIREWALL|grep -v last|tail -30'
on the client:
service rsyslog restart
logger test
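An added example, not from the page or from rsyslog, that checks a client's legacy-format rsyslog configuration for the properties the tls.conf above establishes: gtls driver with CA, certificate and key set, TLS-only mode, x509/name peer verification naming the log host, and a TCP (@@) forward rather than UDP. Both sample configs are constructed; the weak one shows what gets flagged when the AuthMode lines are missing and the forward line still uses a single @.

```python
import re

# Constructed from the tls.conf and rsyslog.conf fragments on this page;
# not a file taken from artemis or from any client.
CLIENT_CONF = """\
# make gtls driver the default
$DefaultNetstreamDriver gtls
# certificate files
$DefaultNetstreamDriverCAFile /etc/pki/tls/certs/aoe-ca.pem
$DefaultNetstreamDriverCertFile /etc/pki/rsyslog/cert.pem
$DefaultNetstreamDriverKeyFile /etc/pki/rsyslog/key.pem
$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverPermittedPeer artemis.aoe.vt.edu
$ActionSendStreamDriverMode 1 # run driver in TLS-only mode
*.info;authpriv.none @@artemis.aoe.vt.edu:6514
"""

# Constructed weak variant: no certificate files, no peer verification,
# and a plain UDP forward on 514.
WEAK_CONF = """\
$DefaultNetstreamDriver gtls
$ActionSendStreamDriverAuthMode anon
$ActionSendStreamDriverMode 0
*.info;authpriv.none @artemis.aoe.vt.edu:514
"""

# selector @host[:port] (UDP) or selector @@host[:port] (TCP)
FORWARD_RE = re.compile(
    r"^(?P<selector>\S+)\s+(?P<at>@@?)(?P<host>[^:\s]+)(?::(?P<port>\d+))?\s*$")

REQUIRED_FILES = ("DefaultNetstreamDriverCAFile",
                  "DefaultNetstreamDriverCertFile",
                  "DefaultNetstreamDriverKeyFile")


def parse_rsyslog(text):
    """Split legacy-format rsyslog config into {directive: value} (the
    $-lines) and a list of remote forwarding actions."""
    directives, forwards = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("$"):
            name, _, value = line[1:].partition(" ")
            directives[name] = value.strip()
            continue
        m = FORWARD_RE.match(line)
        if m:
            forwards.append({
                "selector": m.group("selector"),
                "transport": "tcp" if m.group("at") == "@@" else "udp",
                "host": m.group("host"),
                "port": int(m.group("port") or 514),
            })
    return directives, forwards


def check_forwarding(text, loghost):
    """Return the reasons this client would not be sending authenticated,
    encrypted syslog to loghost; an empty list means the config matches."""
    d, forwards = parse_rsyslog(text)
    problems = []
    if d.get("DefaultNetstreamDriver") != "gtls":
        problems.append("gtls netstream driver not selected")
    problems += [f"{k} not set" for k in REQUIRED_FILES if k not in d]
    if d.get("ActionSendStreamDriverMode") != "1":
        problems.append("TLS not enforced (ActionSendStreamDriverMode is not 1)")
    if d.get("ActionSendStreamDriverAuthMode") != "x509/name":
        problems.append("log host certificate not verified (AuthMode is not x509/name)")
    elif d.get("ActionSendStreamDriverPermittedPeer") != loghost:
        problems.append("PermittedPeer does not name the log host")
    if not forwards:
        problems.append("no remote forwarding action")
    for f in forwards:
        if f["transport"] != "tcp":
            problems.append(f"UDP forward to {f['host']} cannot use TLS")
        if f["host"] != loghost:
            problems.append(f"forwarding to unexpected host {f['host']}")
    return problems


if __name__ == "__main__":
    for name, cfg in (("client", CLIENT_CONF), ("weak", WEAK_CONF)):
        print(name, check_forwarding(cfg, "artemis.aoe.vt.edu") or "ok")
```

On a client, concatenate /etc/rsyslog.conf and /etc/rsyslog.d/tls.conf and pass the result in; the permitted peer must match the subject name in the certificate artemis presents, which is why the PermittedPeer check compares against the FQDN and not an IP.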
ldap/kerberos
/etc/openldap/ldap.conf
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writeable.
#BASE dc=example,dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
TLS_CACERTDIR /etc/openldap/cacerts
SASL_SECPROPS maxssf=0
#TLS_REQCERT never
#TLS_REQCERT allow
# Turning this off breaks GSSAPI used with krb5 when rdns = false
SASL_NOCANON on
#URI ldap://neptune.aoe.vt.edu/
#BASE dc=aoe,dc=vt,dc=edu
# Enable debugging
logdir /var/log
debug 255
Enter computer name in DNS and make sure reverse lookups get updated.
Method 3 - realm command
Join Domain
kinit stedwar1
realm join --computer-ou="ou=Unix-computers,ou=UnixOU,dc=aoe,dc=vt,dc=edu" --user-principal=host/trireme.aoe.vt.edu aoe.vt.edu
To leave domain
realm leave --remove -U stedwar1 aoe.vt.edu
Verify new keytab file
kinit -k -t /etc/krb5.keytab $host$
This requires that the UPN be specified when requesting the computer account with msktutil:
kinit -k -t /etc/krb5.keytab host/$host.aoe.vt.edu@AOE.VT.EDU
yum install openldap-clients
kinit stedwar1 (if not already done)
ldapsearch -H ldaps://neptune.aoe.vt.edu -Y GSSAPI -N -b dc=aoe,dc=vt,dc=edu "(&(objectClass=user)(sAMAccountName=stedwar1))"
Configure sssd
cp -a /etc/sssd/sssd.conf /etc/sssd/sssd.conf.back
cat > /etc/sssd/sssd.conf
[domain/default]
debug_level = 9
cache_credentials = false
enumerate = false
ldap_id_mapping = false
id_provider = ad
auth_provider = ad
chpass_provider = ad
access_provider = ad
ad_domain = aoe.vt.edu
ad_server = neptune.aoe.vt.edu
#ldap_schema = ad
ldap_schema = rfc2307bis
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true
ldap_disable_referrals = true
ldap_tls_reqcert = never
#
#ldap_id_use_start_tls = True
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_referrals = false
ldap_uri = ldap://neptune.aoe.vt.edu
#krb5_realm = AOE.VT.EDU
ldap_sasl_mech = gssapi
ldap_sasl_authid = host/trireme.aoe.vt.edu@AOE.VT.EDU
#krb5_keytab = /etc/krb5.keytab
ldap_krb5_init_creds = true
#ldap_force_upper_case_realm = true
#krb5_server = neptune.aoe.vt.edu
#krb5_kpasswd = neptune.aoe.vt.edu
ldap_tls_cacertdir = /etc/openldap/cacerts
autofs_provider=ldap
#autofs_provider=ad <--not implemented yet?
ldap_autofs_search_base=CN=ypServ30,CN=RpcServices,CN=System,dc=aoe,dc=vt,dc=edu
ldap_autofs_map_object_class = nisMap
ldap_autofs_entry_object_class = nisObject
ldap_autofs_map_name = nisMapName
ldap_autofs_entry_key = cn
ldap_autofs_entry_value = nisMapEntry
ldap_autofs_map_master_name = auto.master
[sssd]
services = nss, pam, autofs
config_file_version = 2
domains = default
[nss]
[pam]
[sudo]
[autofs]
[ssh]
Automount
vim /etc/sysconfig/autofs
#mount_nfs_default_protocol = 3
mount_nfs_default_protocol = 4
...
# logging - set default log level "none", "verbose" or "debug"
#
#logging = none
logging = verbose
...
#ldap_uri = ""
LDAP_URI="ldap://neptune.aoe.vt.edu"
...
#search_base = ""
SEARCH_BASE="CN=ypServ30,CN=RpcServices,CN=System,dc=aoe,dc=vt,dc=edu"
#
# Define the LDAP schema to be used for lookups
#
# If no schema is set autofs will check each of the schemas
# below in the order given to try and locate an appropriate
# basedn for lookups. If you want to minimize the number of
# queries to the server set the values here.
#
map_object_class = nisMap
entry_object_class = nisObject
map_attribute = nisMapName
entry_attribute = cn
Complete file:
cat /etc/autofs.conf
#
# Define default options for autofs.
#
[ autofs ]
#
# master_map_name - default map name for the master map.
#
#master_map_name = auto.master
#
# timeout - set the default mount timeout in seconds. The internal
# program default is 10 minutes, but the default installed
# configuration overrides this and sets the timeout to 5
# minutes to be consistent with earlier autofs releases.
#
timeout = 300
#
# negative_timeout - set the default negative timeout for
# failed mount attempts (default 60).
#
#negative_timeout = 60
#
# mount_wait - time to wait for a response from mount(8).
# Setting this timeout can cause problems when
# mount would otherwise wait for a server that
# is temporarily unavailable, such as when it's
# restarting. The default setting (-1) of waiting
# for mount(8) usually results in a wait of around
# 3 minutes.
#
#mount_wait = -1
#
# umount_wait - time to wait for a response from umount(8).
#
#umount_wait = 12
#
# browse_mode - maps are browsable by default.
#
browse_mode = no
#
# mount_nfs_default_protocol - specify the default protocol used by
# mount.nfs(8). Since we can't identify
# the default automatically we need to
# set it in our configuration.
#
#mount_nfs_default_protocol = 3
mount_nfs_default_protocol = 4
#
# append_options - append to global options instead of replace.
#
#append_options = yes
#
# logging - set default log level "none", "verbose" or "debug"
#
#logging = none
logging = verbose
#
# Define base dn for map dn lookup.
#
# Define server URIs
#
# ldap_uri - space separated list of server uris of the form
# <proto>://<server>[/] where <proto> can be ldap
# or ldaps. The option can be given multiple times.
# Map entries that include a server name override
# this option.
#
# This configuration option can also be used to
# request autofs lookup SRV RRs for a domain of
# the form <proto>:///[<domain dn>]. Note that a
# trailing "/" is not allowed when using this form.
# If the domain dn is not specified the dns domain
# name (if any) is used to construct the domain dn
# for the SRV RR lookup. The server list returned
# from an SRV RR lookup is refreshed according to
# the minimum ttl found in the SRV RR records or
# after one hour, whichever is less.
#
#ldap_uri = ""
LDAP_URI="ldap://neptune.aoe.vt.edu"
#
# ldap_timeout - timeout value for the synchronous API calls
# (default is LDAP library default).
#
#ldap_timeout = -1
#
# ldap_network_timeout - set the network response timeout (default 8).
#
#ldap_network_timeout = 8
#
# search_base - base dn to use for searching for map search dn.
# Multiple entries can be given and they are checked
# in the order they occur here.
#
#search_base = ""
SEARCH_BASE="CN=ypServ30,CN=RpcServices,CN=System,dc=aoe,dc=vt,dc=edu"
#
# Define the LDAP schema to be used for lookups
#
# If no schema is set autofs will check each of the schemas
# below in the order given to try and locate an appropriate
# basedn for lookups. If you want to minimize the number of
# queries to the server set the values here.
#
map_object_class = nisMap
entry_object_class = nisObject
map_attribute = nisMapName
entry_attribute = cn
value_attribute= nisMapEntry
#
# Other common LDAP naming
#
#map_object_class = automountMap
#entry_object_class = automount
#map_attribute = ou
#entry_attribute = cn
#value_attribute= automountInformation
#
#map_object_class = automountMap
#entry_object_class = automount
#map_attribute = automountMapName
#entry_attribute = automountKey
#value_attribute= automountInformation
#
# auth_conf_file - set the default location for the SASL
# authentication configuration file.
#
auth_conf_file = /etc/autofs_ldap_auth.conf
#
# map_hash_table_size - set the map cache hash table size.
# Should be a power of 2 with a ratio roughly
# between 1:10 and 1:20 for each map.
#
#map_hash_table_size = 1024
#
#
# Options for the amd parser within autofs.
#
# amd configuration options that aren't used, haven't been
# implemented or have different behaviour within autofs.
#
# A number of the amd configuration options are not used by autofs,
# some because they are not relevant within autofs, some because
# they are done differently in autofs and others that are not yet
# implemented.
#
# Since "mount_type" is always autofs (because there's no user space
# NFS server) the configuration entries relating to that aren't used.
# Also, server availability is done differently within autofs so the
# options that relate to the amd server monitoring sub-system are
# also not used.
#
# These options are mount_type, auto_attrcache, portmap_program,
# nfs_vers_ping, nfs_allow_any_interface, nfs_allow_insecure_port,
# nfs_proto, nfs_retransmit_counter, nfs_retransmit_counter_udp,
# nfs_retransmit_counter_tcp, nfs_retransmit_counter_toplvl,
# nfs_retry_interval, nfs_retry_interval_udp, nfs_retry_interval_tcp,
# nfs_retry_interval_toplvl and nfs_vers.
#
#
# Other options that are not used within the autofs implementation:
#
# log_file, truncate_log - autofs used either stderr when running in
# the foreground or sends its output to syslog so an alternate
# log file (or truncating the log) can't be used.
#
# print_pid - there's no corresponding option for this within autofs.
#
# use_tcpwrappers, show_statfs_entries - there's no user space NFS
# server to control access to so this option isn't relevant.
# The show_statfs_entries can't be implemented for the same
# reason.
#
# debug_mtab_file - there's no user space NFS server and autofs
# avoids using file based mtab whenever possible.
#
# sun_map_syntax - obviously, are provided by autofs itself.
#
# plock, show_statfs_entries, preferred_amq_port - not supported.
#
# ldap_cache_maxmem, ldap_cache_seconds - external ldap caching
# is not used by autofs.
#
# ldap_proto_version - autofs always attempts to use the highest
# available ldap protocol version.
#
# cache_duration, map_reload_interval, map_options - the map
# entry cache is continually updated and stale entries
# cleaned on re-load, which is done when map changes are
# detected so these configuration entries are not used
# by autofs.
#
# localhost_address - is not used within autofs. This
# configuration option was only used in the amd user
# space server code and is not relevant within autofs.
#
#
# Options that are handled differently within autofs:
#
# pid_file - must be given as a command line option on startup.
#
# print_version - program version and feature information is obtained
# by using the automount command line option "-V".
#
# debug_options, log_options - autofs has somewhat more limited
# logging and debug logging options. When the log_options
# options is encountered it is converted to the nearest
# matching autofs logging option. Since the configuration
# option debug_options would be handled the same way it
# is ignored.
#
# restart_mounts - has no sensible meaning within autofs because autofs
# always tries to re-connect to existing mounts. While this
# has its own set of problems not re-connecting to existing
# mounts always results in a non-functional automount tree if
# mounts were busy at the last shutdown (as is also the case
# with amd when using mount_type autofs).
#
# forced_unmounts - detaching mounts often causes serious problems
# for users of existing mounts. It is used by autofs in some
# cases, either at the explicit request of the user (with a
# command line or init option) and in some special cases during
# program operation but is avoided whenever possible.
#
#
# A number of configuration options are not yet implemented:
#
# fully_qualified_hosts - not yet implemented.
#
# unmount_on_exit - since autofs always tries to re-connect
# to mounts left mounted from a previous shutdown this
# is a sensible option to implement and that will be
# done.
#
# browsable_dirs - not yet implemented.
#
# exec_map_timeout - a timeout is not currently used for
# for program maps, might be implemented.
#
# tag - the tag option is not implemented within autofs.
#
#
# Supported options:
#
# arch, karch, os, osver - these options default to what is returned
# from uname(2) and can be overridden if required.
#
# full_os - has no default and must be set in the configuration
# if used in maps.
#
# cluster - if not set defaults to the host domain name. This option
# corresponds to the HP_UX cluster name (according to the amd
# source) and is probably not used in Linux but is set anyway.
#
# vendor - has a default value of "unknown", it must be set in the
# configuration if used in maps.
#
# auto_dir - is the base name of the mount tree used for external
# mounts that are sometimes needed by amd maps. Its default
# value is "/a".
#
# map_type - specifies the autofs map source, such as file, nis,
# ldap etc. and has no default value set.
#
# map_defaults - is used to override /defaults entries within maps
# and can be used to provide different defaults on specific
# machines without having to modify centrally managed maps.
# It is empty by default.
#
# search_path - colon separated paths to search for maps that
# are not specified as a full path.
#
# dismount_interval - is equivalent to the autofs timeout option. It
# is only possible to use this with type "auto" mounts due
# to the way the autofs kernel module performs expiry. It
# takes its default value from the autofs internal default
# of 600 seconds.
#
# autofs_use_lofs - if set to "yes" autofs will attempt to use bind
# mounts for type "auto" when possible.
#
# nis_domain - allows setting of a domain name other than the system
# default.
#
# local_domain - is used to override (or set) the host domain name.
#
# normalize_hostnames - if set to "yes" then the contents of ${rhost}
# is translated in its official host name.
#
# domain_strip - if set to "yes" the domain name part of the host
# is stripped when normalizing hostnames. This can be useful
# when using of the same maps in a multiple domain environment.
#
# normalize_slashes - is set to "yes" by default and will collapse
# multiple unescaped occurrences of "/" to a single "/".
#
# selectors_in_defaults, selectors_on_default - has a default value
# of "no". If set to "yes" then any defaults entry will be
# checked for selectors to determine the values to be used.
# selectors_in_defaults is the preferred option to use.
#
# ldap_base - has no default value. It must be set to the base dn
# that is used for queries if ldap is to be used as a map
# source.
#
# ldap_hostports - has no default value set. It must be set to
# the URI of the LDAP server to be used for lookups when
# ldap is used a map source. It may contain a comma or
# space separated list of LDAP URIs.
#
# hesiod_base - the base name used for hesiod map sources.
#
# Additional configuration options added:
#
# linux_ufs_mount_type - set the default system filesystem type that's
# used for mount type ufs. There's no simple way to determine
# what the system default filesystem is and am-utils needs to
# be continually updated to do this and can easily get it wrong
# anyway.
#
#
# Define global options for the amd parser within autofs.
#
[ amd ]
#
# Override the internal default with the same timeout that
# is used by the override in the autofs configuration, sanity
# only change.
#
dismount_interval = 300
#
# map_type = file
#
# Overriding this can cause autofs to use less resources because
# it will use symlinks instead of bind mounts in certain cases.
# You should ensure that the autofs kernel module you're using
# supports expiration of symlinks for best results (although this
# appears to work reasonably well most of the time without the
# update).
#
# autofs_use_lofs = yes
#
# Several configuration options can be set per mount point.
# In particular map_type, map_name, map_defaults, search_path,
# browsable_dirs, dismount_interval and selectors_in_defaults
# (not all of which are currently implemented, see above).
#
# Also, if a section for an amd mount point is defined here
# it isn't necessary to specify the format in the corresponding
# master map entry and the format will be inherited for type
# "auto" mounts.
#
# [ /example/mount ]
# dismount_interval = 60
# map_type = nis
vim /etc/autofs_ldap_auth.conf
<autofs_ldap_sasl_conf
usetls="no"
tlsrequired="no"
authrequired="yes"
authtype="GSSAPI"
clientprinc = "host/changeme.aoe.vt.edu@AOE.VT.EDU"
/>
cat /etc/autofs_ldap_auth.conf
<?xml version="1.0" ?>
<!--
This file contains a single entry with multiple attributes tied to it.
See autofs_ldap_auth.conf(5) for more information.
authtype="DIGEST-MD5"
user="testaccount"
secret="T******1**!"
-->
<autofs_ldap_sasl_conf
usetls="yes"
tlsrequired="no"
authrequired="yes"
authtype="GSSAPI"
clientprinc="host/trireme.aoe.vt.edu@AOE.VT.EDU"
/>
start service
service sssd restart
service autofs restart
Make sure the DNS name is entered correctly, or adjust /etc/idmapd.conf so the domain names match.
vim /etc/idmapd.conf
Workaround:
vim /etc/nfsmount.conf
Defaultvers=3
Test
as a user, run:
matlab
patran
Accept NFS Home Dirs
setsebool -P use_nfs_home_dirs 1
Accept yum keys
Add Text to Gnome Login Screen
https://help.gnome.org/admin/system-admin-guide/3.8/login-banner.html.en
cat > 01-banner-message
[org/gnome/login-screen]
banner-message-enable=true
banner-message-text='This computer is operated in accordance with the Acceptable Use Policy of Virginia Tech. See the following URL for details: http://www.policies.vt.edu/acceptableuse.html'
Then run:
dconf update