Scientific Linux CERN 5 (SLC5) Installation
System Installation
Follow the instructions on http://linux.web.cern.ch/linux/scientific5/docs/install.shtml
- Create a boot image for a 64 bit system
- Reboot your computer and press F2 (F12) at startup
- In the BIOS setup add CD/DVD to boot devices; save BIOS setup and reboot
- Select http as installation method
- Installation server is: linuxsoft.cern.ch
- Installation path is: /cern/slc5X/x86_64/
- Keep default partition layout
- Set host name to xxx.physics.purdue.edu: e.g. serret.physics.purdue.edu
- Enable network time protocol (server: harbor.ecn.purdue.edu)
- Set Time Zone to: America/Indianapolis
Customize System
Follow these instructions to mount PCN home directories with pam-cifs.
Do not forget:
ln -s /lib/security/pam_cifs.so /lib64/security/pam_cifs.so
- Create /data
All users should create their own directory in /data (e.g. mkdir /data/norbert) to store local data (no backup).
mkdir /data
chmod a+rwx /data
- /etc/sysconfig/network
NETWORKING=yes
HOSTNAME=xxxx.physics.purdue.edu
NISDOMAIN=purdue-pcn
- /etc/hosts
127.0.0.1 localhost.localdomain localhost xxx.physics.purdue.edu
- /etc/group
zh:x:1399:
phys:x:1109:
- Install CUPS printers: Add the following line to the file /etc/cups/client.conf
ServerName spool.physics.purdue.edu
- Install the amd automounter and make sure autofs is switched off
yum install am-utils
- /etc/amd.conf
# GLOBAL OPTIONS SECTION
[ global ]
normalize_hostnames = no
print_pid = yes
pid_file = /var/run/amd.pid
restart_mounts = yes
auto_dir = /net
#log_file = /var/log/amd
log_file = syslog
log_options = all
#debug_options = all
plock = no
selectors_on_default = yes
print_version = no
#map_type = file
search_path = /etc
browsable_dirs = yes
show_statfs_entries = no
fully_qualified_hosts = no
cache_duration = 300

# DEFINE AN AMD MOUNT POINT
[/home]
map_name = amd.home

[/project]
map_name = amd.project
- /etc/amd.home
#comment: amd.home map
/defaults fs:=/net/${rhost}/home;\
    opts:=rw,bg,grpid,intr,nosuid,nodevs,quota,proto=udp,vers=3,\
    rsize=8192,wsize=8192,timeo=8,retrans=4;\
    rfs:=/net/${rhost}/home;\
    sublink:=${key};\
    type:=nfsl
#-- All other accounts
# Everybody else falls back to a * entry
*       rhost:=aristotle
- /etc/amd.project
#comment: amd.project map
/defaults fs:=/net/${rhost.}/project;\
    opts:=rw,bg,grpid,intr,nosuid,nodevs,proto=tcp,vers=3,\
    rsize=16384,wsize=16384,timeo=8,retrans=4;\
    rfs:=/net/${rhost.}/project;\
    sublink:="${key}";\
    type:=nfsl
cmsphys rhost:=kepler;rfs:=/net/${rhost.}/project0;fs:=${rfs}
- /etc/krb5.conf
[libdefaults]
    default_realm = CERN.CH
    ticket_lifetime = 25h
    renew_lifetime = 120h
    forwardable = true
    proxiable = true
    default_tkt_enctypes = arcfour-hmac-md5 aes256-cts aes128-cts des3-cbc-sha1 des-cbc-md5 des-cbc-crc

[realms]
    CERN.CH = {
        default_domain = cern.ch
        kpasswd_server = afskrb5m.cern.ch
        admin_server = afskrb5m.cern.ch
        kdc = cerndc.cern.ch
        v4_name_convert = {
            host = {
                rcmd = host
            }
        }
    }
    FNAL.GOV = {
        default_domain = fnal.gov
        admin_server = krb-fnal-admin.fnal.gov
        kdc = krb-fnal-1.fnal.gov:88
        kdc = krb-fnal-2.fnal.gov:88
        kdc = krb-fnal-3.fnal.gov:88
    }
    CENTRAL.PURDUE.LCL = {
        kdc = 128.210.63.203
        kdc = 1061cendc01.central.purdue.lcl
        admin_server = 1061cendc01.central.purdue.lcl
        default_domain = 1061cendc01.central.purdue.lcl
    }

[domain_realm]
    .cern.ch = CERN.CH
    .fnal.gov = FNAL.GOV
    .central.purdue.lcl = CENTRAL.PURDUE.LCL
    central.purdue.lcl = CENTRAL.PURDUE.LCL

[appdefaults]
    pam = {
        external = true
        krb4_convert = false
        krb4_convert_524 = false
        krb4_use_as_req = false
        ticket_lifetime = 25h
    }
- /etc/yp.conf
domain purdue-pcn broadcast
- /etc/ldap.conf
host volta.physics.purdue.edu
base dc=physics,dc=purdue,dc=edu
uri ldaps://volta.physics.purdue.edu
ssl start_tls
ssl on
ldap_version 3
tls_checkpeer yes
tls_cacertfile /usr/share/purple/ca-certs/Thawte_Premium_Server_CA.pem
tls_cacertdir /etc/openldap/cacerts
# you may need to symlink Thawte_Premium_Server_CA.pem in /etc/openldap/cacerts
rootbinddn cn=admin,dc=physics,dc=purdue,dc=edu
pam_password md5
binddn cn=unsupported,dc=physics,dc=purdue,dc=edu
bindpw *********
- chmod 0600 /etc/ldap.conf (Note: because of a bug it needs to be chmod 0644 /etc/ldap.conf, which leaves the bindpw in that file readable by every local user)
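The 0644 workaround above means the bind password in /etc/ldap.conf is visible to anyone with a shell on the host. The following checker is an added example (not part of these notes) that reports LDAP client files which carry a bindpw yet are group- or world-readable; DEFAULT_FILES lists the three files these notes touch, and demo_on_constructed_files() runs the check against constructed sample files in a temporary directory rather than the real ones.

```python
# Added example, not part of the original notes: flag LDAP client config files
# that carry a bindpw but are readable by users other than root (the situation
# the 0644 workaround creates). DEFAULT_FILES lists the files these notes
# touch; the checker itself is generic.
import os
import stat
import tempfile

DEFAULT_FILES = ("/etc/ldap.conf", "/etc/pam_ldap.conf", "/etc/nslcd.conf")


def has_bindpw(text):
    """True if any uncommented line sets bindpw (pam_ldap/nslcd syntax)."""
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0] == "bindpw":
            return True
    return False


def bindpw_exposure(path):
    """Return (mode, verdict); verdict is 'missing', 'no bindpw',
    'exposed' (group- or world-readable) or 'restricted' (owner only)."""
    try:
        st = os.stat(path)
        with open(path, "r", errors="replace") as fh:
            text = fh.read()
    except FileNotFoundError:
        return None, "missing"
    mode = stat.S_IMODE(st.st_mode)
    if not has_bindpw(text):
        return mode, "no bindpw"
    # Any group or other read bit counts as exposure: the 0644 case from the
    # notes and a 0640 file owned by a non-root group both land here.
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        return mode, "exposed"
    return mode, "restricted"


def report(paths=DEFAULT_FILES):
    """Map each path to its (mode, verdict) pair."""
    return {p: bindpw_exposure(p) for p in paths}


def demo_on_constructed_files():
    """Exercise the checker on constructed files in a temp dir (the bindpw
    value is a placeholder, not a real credential); returns the verdicts."""
    d = tempfile.mkdtemp()
    exposed = os.path.join(d, "ldap.conf")
    with open(exposed, "w") as fh:
        fh.write("uri ldaps://volta.physics.purdue.edu\n"
                 "# the bindpw below is a constructed placeholder\n"
                 "bindpw not-a-real-secret\n")
    os.chmod(exposed, 0o644)
    first = bindpw_exposure(exposed)
    os.chmod(exposed, 0o600)
    second = bindpw_exposure(exposed)
    clean = os.path.join(d, "nslcd.conf")
    with open(clean, "w") as fh:
        fh.write("uri ldaps://volta.physics.purdue.edu\n"
                 "base dc=physics,dc=purdue,dc=edu\n")
    os.chmod(clean, 0o644)
    third = bindpw_exposure(clean)
    fourth = bindpw_exposure(os.path.join(d, "absent.conf"))
    for p in (exposed, clean):
        os.remove(p)
    os.rmdir(d)
    return first, second, third, fourth


if __name__ == "__main__":
    for path, (mode, verdict) in report().items():
        shown = "-" if mode is None else format(mode, "04o")
        print(f"{path}: mode {shown}: {verdict}")
```

Running the script as root on a box set up per these notes prints one verdict per file; an "exposed" verdict for /etc/ldap.conf is expected while the 0644 workaround is in place, and the same check applied to /etc/nslcd.conf on SLC6 tells you whether the bindpw there is better protected.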
- ln -s /bin/bash /usr/local/bin/bash
- ln -s /usr/share/purple/ca-certs/Thawte_Premium_Server_CA.pem /etc/openldap/cacerts/.
- /etc/nsswitch.conf
passwd:     files ldap nis
shadow:     files ldap
group:      files nis
hosts:      files nis dns
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files
netgroup:   files nis ldap
publickey:  nisplus
automount:  files nis ldap
aliases:    files nisplus
- /etc/sysconfig/authconfig
USEMD5=no
USECRACKLIB=yes
USEDB=no
USEHESIOD=no
USELDAP=yes
USENIS=yes
USEPASSWDQC=no
USEWINBIND=no
USEKERBEROS=yes
USELDAPAUTH=yes
USESHADOW=yes
USESMBAUTH=no
USEWINBINDAUTH=no
USELOCAUTHORIZE=yes
PASSWDALGORITHM=md5
- /etc/ssh/ssh_config
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
PubkeyAuthentication no
PasswordAuthentication yes
- AFS
/sbin/chkconfig --add afs
/sbin/chkconfig --add amd
/sbin/chkconfig --del autofs
/sbin/chkconfig autofs off
/sbin/chkconfig amd on
/sbin/service autofs stop
/sbin/service amd start
- /etc/passwd (This will allow you to login with your CERN afs account and mounts your CERN afs home directory)
neumeist:x:11701:1399:Norbert NEUMEISTER:/afs/cern.ch/user/n/neumeist:/bin/tcsh
aeverett:x:8547:1399:Adam EVERETT:/afs/cern.ch/user/a/aeverett:/bin/tcsh
hdyoo:x:34127:1399:Hwidong YOO:/afs/cern.ch/user/h/hdyoo:/bin/tcsh
asvyatko:x:24584:1399:Alexey SVYATKOVKIY:/afs/cern.ch/user/a/asvyatko:/bin/tcsh
- /etc/pam.d/system-auth (for pam_cifs mounted homedirs)
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_cifs.so debug
auth        sufficient    pam_krb5.so use_first_pass
auth        sufficient    pam_ldap.so use_first_pass debug
auth        required      pam_deny.so

account     sufficient    pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so debug
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nis nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
password    sufficient    pam_ldap.so use_authtok debug
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_mkhomedir.so umask=077 skel=/etc/skel
session     required      pam_unix.so
session     required      pam_krb5.so
session     optional      pam_cifs.so debug background=0 prefix=/home mount_home=1 source=//gutenberg.physics.purdue.edu windomain=ONEPURDUE
- /etc/pam.d/system-auth (for amd mounted homedirs)
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     sufficient    pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nis nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     required      pam_krb5.so
session     optional      pam_ldap.so
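The two system-auth variants above differ only in a handful of lines, and the settings worth a second look (nullok on pam_unix, the debug flags, the pam_mkhomedir umask, whether the auth stack still ends in pam_deny.so) are easy to miss in a hand diff. The following parser and lint is an added example, not part of these notes: it reads PAM rules including the bracketed [default=bad success=ok ...] control form, reports those settings, and lists which modules appear in one stack but not the other. SAMPLE_CIFS and SAMPLE_AMD are shortened excerpts of the two stacks above; lint() and module_diff() are names chosen here.

```python
# Added example, not part of the original notes: parse /etc/pam.d/system-auth
# style rules and report the settings a reviewer of the two variants would
# check. SAMPLE_* are shortened excerpts of the page's stacks.
import re

# type, control (single word or bracketed list), module, optional arguments
_RULE = re.compile(r"^\s*(?P<type>auth|account|password|session)\s+"
                   r"(?P<ctl>\[[^\]]*\]|\S+)\s+(?P<mod>\S+)\s*(?P<args>.*)$")

SAMPLE_CIFS = """
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_cifs.so debug
auth        sufficient    pam_krb5.so use_first_pass
auth        sufficient    pam_ldap.so use_first_pass debug
auth        required      pam_deny.so
session     required      pam_mkhomedir.so umask=077 skel=/etc/skel
session     optional      pam_cifs.so debug background=0 prefix=/home mount_home=1
"""

SAMPLE_AMD = """
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
session     optional      pam_ldap.so
"""


def parse_pam(text):
    """Return one dict per rule; comments and blank lines are skipped.
    Lines that are not plain rules (e.g. @include) raise ValueError."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line:
            continue
        m = _RULE.match(line)
        if not m:
            raise ValueError(f"unparsable PAM line: {raw!r}")
        rules.append({"type": m["type"], "control": m["ctl"],
                      "module": m["mod"], "args": m["args"].split()})
    return rules


def lint(rules):
    """Findings in stack order, as plain strings."""
    findings = []
    auth = [r for r in rules if r["type"] == "auth"]
    if not auth or auth[-1]["module"] != "pam_deny.so":
        findings.append("auth stack does not end in pam_deny.so")
    for r in rules:
        if r["type"] == "auth" and r["module"] == "pam_unix.so" \
                and "nullok" in r["args"]:
            findings.append("pam_unix auth accepts empty local passwords (nullok)")
        if "debug" in r["args"]:
            findings.append(f"{r['type']} {r['module']} has debug enabled")
        if r["module"] == "pam_mkhomedir.so":
            umask = [a for a in r["args"] if a.startswith("umask=")]
            if umask != ["umask=077"]:
                findings.append("pam_mkhomedir umask is not 077")
    return findings


def module_diff(rules_a, rules_b):
    """(type, module) pairs only in a, and only in b, each sorted."""
    a = {(r["type"], r["module"]) for r in rules_a}
    b = {(r["type"], r["module"]) for r in rules_b}
    return sorted(a - b), sorted(b - a)


if __name__ == "__main__":
    cifs, amd = parse_pam(SAMPLE_CIFS), parse_pam(SAMPLE_AMD)
    for name, rules in (("pam_cifs variant", cifs), ("amd variant", amd)):
        print(name)
        for f in lint(rules):
            print("  -", f)
    only_cifs, only_amd = module_diff(cifs, amd)
    print("only in pam_cifs variant:", only_cifs)
    print("only in amd variant:", only_amd)
```

To run it against the live file, replace the samples with open("/etc/pam.d/system-auth").read(); on a production host the debug flags in the pam_cifs variant are worth dropping once the setup works, since they put authentication detail into syslog.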
- Firewall: Switch off iptables
- Java: Download and install Java SE Runtime Environment JRE 6 (select Linux_64)
- /etc/mime.types
type=application/x-java-jnlp-file desc="Java Web Start" exts="jnlp"
- In addition you want to install: flash-plugin.x86_64, mplayer.x86_64, mplayer-gui.x86_64, gnome-mplayer.x86_64, kmplayer.x86_64, mplayer-codecs-addon.i386, mplayer-doc.x86_64, jre.x86_64
- switch off nscd: /etc/init.d/nscd stop
Scientific Linux CERN 6 (SLC6) Installation
Customize System
- Install
yum install openldap-clients
yum install nss-pam-ldapd
- turn on ypbind
- turn off sssd
- instead of /etc/ldap.conf use /etc/pam_ldap.conf and /etc/nslcd.conf
- run
authconfig --enablekrb5 --enablenis --enableldap --update
- /etc/nslcd.conf: add the following lines
uri ldaps://volta.physics.purdue.edu
base dc=physics,dc=purdue,dc=edu
ssl no
ldap_version 3
binddn cn=unsupported,dc=physics,dc=purdue,dc=edu
bindpw **********
tls_reqcert allow
#tls_cacertfile /usr/share/purple/ca-certs/Thawte_Premium_Server_CA.pem
#tls_cacertdir /etc/openldap/cacerts