Scientific Linux CERN 6 (SLC6) Installation

Scientific Linux CERN 5 (SLC5) Installation

System Installation

Follow the instructions on http://linux.web.cern.ch/linux/scientific5/docs/install.shtml

1. Create a boot image for a 64 bit system
2. Reboot your computer and press F2 (F12) at startup
3. In the BIOS setup add CD/DVD to boot devices; save BIOS setup and reboot
4. Select http as installation method
5. Installation server is: linuxsoft.cern.ch
6. Installation path is: /cern/slc5X/x86_64/
7. Keep default partition layout
8. Set host name to xxx.physics.purdue.edu: e.g. serret.physics.purdue.edu
9. Enable network time protocol (server: harbor.ecn.purdue.edu)
10. Set Time Zone to: America/Indianapolis

Customize System

Follow these instructions to mount PCN home directories with pam-cifs.
Do not forget:

ln -s /lib/security/pam_cifs.so /lib64/security/pam_cifs.so

1. Create /data

   mkdir /data
   chmod a+rwx /data
   

   All users should create their own directory in /data (e.g. mkdir /data/norbert) to store local data (no backup).
2. /etc/sysconfig/network

   NETWORKING=yes
   HOSTNAME=xxxx.physics.purdue.edu
   NISDOMAIN=purdue-pcn
   

3. /etc/hosts

   127.0.0.1               localhost.localdomain localhost xxx.physics.purdue.edu
   

4. /etc/group

   zh:x:1399:
   phys:x:1109:
   

5. Install CUPS printers: Add the following line to the file /etc/cups/client.conf

   ServerName spool.physics.purdue.edu
   

6. Install the amd automounter and make sure autofs is switched off

   yum install am-utils
   

7. /etc/amd.conf

   # GLOBAL OPTIONS SECTION
   [ global ]
   normalize_hostnames =   no
   print_pid =             yes
   pid_file =              /var/run/amd.pid
   restart_mounts =        yes
   auto_dir =              /net
   #log_file =             /var/log/amd
   log_file =              syslog
   log_options =           all
   #debug_options =        all
   plock =                 no
   selectors_on_default =  yes
   print_version =         no
   #map_type =             file
   search_path =           /etc
   browsable_dirs =        yes
   show_statfs_entries =   no
   fully_qualified_hosts = no
   cache_duration =        300
   
   # DEFINE AN AMD MOUNT POINT
   [/home]
   map_name = amd.home
   
   [/project]
   map_name = amd.project
   

8. /etc/amd.home

   #comment: amd.home map
   /defaults       fs:=/net/${rhost}/home;\
                   opts:=rw,bg,grpid,intr,nosuid,nodevs,quota,proto=udp,vers=3,\
                   rsize=8192,wsize=8192,timeo=8,retrans=4;\
                   rfs:=/net/${rhost}/home;\
                   sublink:=${key};\
                   type:=nfsl
   
   #-- All other accounts
   
   # Everbody else falls back to a * entry
   *               rhost:=aristotle
   

   /etc/amd.project

   #comment: amd.project map
   /defaults       fs:=/net/${rhost.}/project;\
                   opts:=rw,bg,grpid,intr,nosuid,nodevs,proto=tcp,vers=3,\
                   rsize=16384,wsize=16384,timeo=8,retrans=4;\
                   rfs:=/net/${rhost.}/project;\
                   sublink:="${key}";\
                   type:=nfsl
   
   cmsphys         rhost:=kepler;rfs:=/net/${rhost.}/project0;fs:=${rfs}
   

9. /etc/krb5.conf

   [libdefaults]
    default_realm = CERN.CH
    ticket_lifetime = 25h
    renew_lifetime = 120h
    forwardable = true
    proxiable = true
    default_tkt_enctypes = arcfour-hmac-md5 aes256-cts aes128-cts des3-cbc-sha1 des-cbc-md5 des-cbc-crc
   
   [realms]
    CERN.CH = {
     default_domain = cern.ch
     kpasswd_server = afskrb5m.cern.ch
     admin_server = afskrb5m.cern.ch
     kdc = cerndc.cern.ch
   
     v4_name_convert = {
        host = {
            rcmd = host
        }
     }
    }
   
    FNAL.GOV = {
     default_domain = fnal.gov
     admin_server = krb-fnal-admin.fnal.gov
     kdc = krb-fnal-1.fnal.gov:88
     kdc = krb-fnal-2.fnal.gov:88
     kdc = krb-fnal-3.fnal.gov:88
    }
   
    CENTRAL.PURDUE.LCL = {
     kdc = 128.210.63.203
     kdc = 1061cendc01.central.purdue.lcl
     admin_server = 1061cendc01.central.purdue.lcl
     default_domain = 1061cendc01.central.purdue.lcl
    }
   
   [domain_realm]
    .cern.ch = CERN.CH
    .fnal.gov = FNAL.GOV
    .central.purdue.lcl = CENTRAL.PURDUE.LCL
    central.purdue.lcl = CENTRAL.PURDUE.LCL
   
   [appdefaults]
    pam = {
      external = true
      krb4_convert = false
      krb4_convert_524 = false
      krb4_use_as_req = false
      ticket_lifetime = 25h
    }
   
   

10. /etc/yp.conf

    domain purdue-pcn broadcast
    

11. /etc/ldap.conf

    host volta.physics.purdue.edu
    base dc=physics,dc=purdue,dc=edu
    uri ldaps://volta.physics.purdue.edu
    ssl start_tls
    ssl on
    ldap_version 3
    tls_checkpeer yes
    tls_cacertfile /usr/share/purple/ca-certs/Thawte_Premium_Server_CA.pem
    tls_cacertdir /etc/openldap/cacerts
    # you may need to symlink Thawte_Premium_Server_CA.pem in /etc/openldap/cacerts
    rootbinddn cn=admin,dc=physics,dc=purdue,dc=edu
    
    pam_password md5
    
    binddn cn=unsupported,dc=physics,dc=purdue,dc=edu
    bindpw *********
    

12. chmod 0600 /etc/ldap.conf (Note: Because of a bug it needs to be chmod 0644 /etc/ldap.conf)
13. ln -s /bin/bash /usr/local/bin/bash
14. ln -s /usr/share/purple/ca-certs/Thawte_Premium_Server_CA.pem /etc/openldap/cacerts/.
15. /etc/nsswitch.conf

    passwd:     files ldap nis
    shadow:     files ldap
    group:      files nis
    
    hosts:      files nis dns
    
    bootparams: nisplus [NOTFOUND=return] files
    
    ethers:     files
    netmasks:   files
    networks:   files
    protocols:  files
    rpc:        files
    services:   files
    
    netgroup:   files nis ldap
    
    publickey:  nisplus
    
    automount:  files nis ldap
    aliases:    files nisplus
    

16. /etc/sysconfig/authconfig

    USEMD5=no
    USECRACKLIB=yes
    USEDB=no
    USEHESIOD=no
    USELDAP=yes
    USENIS=yes
    USEPASSWDQC=no
    USEWINBIND=no
    USEKERBEROS=yes
    USELDAPAUTH=yes
    USESHADOW=yes
    USESMBAUTH=no
    USEWINBINDAUTH=no
    USELOCAUTHORIZE=yes
    PASSWDALGORITHM=md5
    

17. /etc/ssh/ssh_config

    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
    PubkeyAuthentication no
    PasswordAuthentication yes
    

18. AFS

     /sbin/chkconfig --add afs
     /sbin/chkconfig --add amd
     /sbin/chkconfig --del autofs
     /sbin/chkconfig autofs off
     /sbin/chkconfig amd on
     /sbin/service autofs stop
     /sbin/service amd start
    

19. /etc/passwd (This will allow you to login with your CERN afs account and mounts your CERN afs home directory)

    neumeist:x:11701:1399:Norbert NEUMEISTER:/afs/cern.ch/user/n/neumeist:/bin/tcsh
    aeverett:x:8547:1399:Adam EVERETT:/afs/cern.ch/user/a/aeverett:/bin/tcsh
    hdyoo:x:34127:1399:Hwidong YOO:/afs/cern.ch/user/h/hdyoo:/bin/tcsh
    asvyatko:x:24584:1399:Alexey SVYATKOVKIY:/afs/cern.ch/user/a/asvyatko:/bin/tcsh
    

20. /etc/pam.d/system-auth (for pam_cifs mounted homedirs)

    auth        required      pam_env.so
    auth        sufficient    pam_unix.so nullok try_first_pass
    auth        required      pam_cifs.so debug
    auth        sufficient    pam_krb5.so use_first_pass
    auth        sufficient    pam_ldap.so use_first_pass debug
    auth        required      pam_deny.so
    
    account     sufficient    pam_unix.so broken_shadow
    account     sufficient    pam_localuser.so
    account     sufficient    pam_succeed_if.so uid < 500 quiet
    account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
    account     [default=bad success=ok user_unknown=ignore] pam_ldap.so debug
    account     required      pam_permit.so
    
    password    requisite     pam_cracklib.so try_first_pass retry=3
    password    sufficient    pam_unix.so md5 shadow nis nullok try_first_pass use_authtok
    password    sufficient    pam_krb5.so use_authtok
    password    sufficient    pam_ldap.so use_authtok debug
    password    required      pam_deny.so
    
    session    optional     pam_keyinit.so revoke
    session    required     pam_limits.so
    session    [success=1   default=ignore] pam_succeed_if.so service in crond quiet use_uid
    session    required     pam_mkhomedir.so umask=077 skel=/etc/skel
    session    required     pam_unix.so
    session    required     pam_krb5.so
    session    optional     pam_cifs.so debug background=0 prefix=/home mount_home=1 source=//gutenberg.physics.purdue.edu windomain=ONEPURDUE
    

21. /etc/pam.d/system-auth (for amd mounted homedirs)

    auth        required      pam_env.so
    auth        sufficient    pam_unix.so nullok try_first_pass
    auth        requisite     pam_succeed_if.so uid >= 500 quiet
    auth        sufficient    pam_krb5.so use_first_pass
    auth        sufficient    pam_ldap.so use_first_pass
    auth        required      pam_deny.so
    
    account     sufficient    pam_unix.so broken_shadow
    account     sufficient    pam_localuser.so
    account     sufficient    pam_succeed_if.so uid < 500 quiet
    account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
    account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
    account     required      pam_permit.so
    
    password    requisite     pam_cracklib.so try_first_pass retry=3
    password    sufficient    pam_unix.so md5 shadow nis nullok try_first_pass use_authtok
    password    sufficient    pam_krb5.so use_authtok
    password    sufficient    pam_ldap.so use_authtok
    password    required      pam_deny.so
    
    session     optional      pam_keyinit.so revoke
    session     required      pam_limits.so
    session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
    session     required      pam_unix.so
    session     required      pam_krb5.so
    session     optional      pam_ldap.so
    

22. Firewall: Switch off iptables
23. Java: Download and install Java SE Runtime Environment JRE 6 (select Linux_64)
24. /etc/mime.types

    type=application/x-java-jnlp-file desc="Java Web Start" exts="jnlp
    

25. In addition you want to install: flash-plugin.x86_64, mplayer.x86_64, mplayer-gui.x86_64, gnome-mplayer.x86_64, kmplayer.x86_64, mplayer-codecs-addon.i386, mplayer-doc.x86_64, jre.x86_64
26. switch off nscd: /etc/init.d/nscd stop

Scientific Linux CERN 6 (SLC6) Installation

Customize System

1. Install

   yum install openldap_clients
   yum install nss_ldapd
   

2. turn on ypbind
3. turn off sssd
4. instead of /etc/ldap.conf use /etc/pam_ldap.conf and /etc/nslcd.conf
5. run

   authconfig --enablekrb5 --enablenis --enableldap --update
   

6. /etc/nslcd.conf add the following lines

   uri ldaps://volta.physics.purdue.edu
   base dc=physics,dc=purdue,dc=edu
   ssl no
   ldap_version 3
   binddn cn=unsupported,dc=physics,dc=purdue,dc=edu
   bindpw **********
   tls_reqcert allow
   
   #tls_cacertfile /usr/share/purple/ca-certs/Thawte_Premium_Server_CA.pem
   #tls_cacertdir /etc/openldap/cacerts