h1. Scientific Linux CERN 6 (SLC6) Installation

h2. System Installation

Follow the instructions on [http://linux.web.cern.ch/linux/scientific6/docs/install.shtml]
# Create a boot image for a 64 bit system
# Reboot your computer and press F2 (F12) at startup
# In the BIOS setup add CD/DVD to boot devices; save BIOS setup and reboot
# Select *http* as installation method
# Installation server is: linuxsoft.cern.ch
# Installation path is: /cern/slc6X/x86_64/
# Keep default partition layout
# Set host name to *xxx*.physics.purdue.edu: e.g. serret.physics.purdue.edu
# Enable network time protocol (server: harbor.ecn.purdue.edu)
# Set Time Zone to: America/Indianapolis

h2. Customize System

# Create /data
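{code:xml}mkdir /data
# 1777 = world-writable with the sticky bit: every user can create a
# /data/<user> directory, but can only remove or rename entries they own.
# A plain a+rwx lets any local account delete everyone else's (unbacked-up) data.
chmod 1777 /data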
{code}All users should create their own directory in /data (e.g. mkdir /data/norbert) to store local data (no backup).
# /etc/sysconfig/network
{code:xml}NETWORKING=yes
HOSTNAME=xxxx.physics.purdue.edu
NISDOMAIN=purdue-pcn
{code}
# /etc/hosts
{code:xml}
127.0.0.1               localhost.localdomain localhost xxx.physics.purdue.edu
{code}
# /etc/group
{code:xml}zh:x:1399:
phys:x:1109:
{code}
# Install CUPS printers: Add the following line to the file /etc/cups/client.conf
{code:xml}
ServerName spool.physics.purdue.edu
{code}
# Install ldap
{code:xml}
# openldap-clients supplies ldapsearch, handy for checking the bind and the TLS
# chain before touching PAM; nss-pam-ldapd supplies nslcd (/etc/nslcd.conf below)
yum install openldap-clients
yum install nss-pam-ldapd
{code}
# Configure ldap: Edit /etc/pam_ldap.conf and /etc/nslcd.conf
{code:xml}
host volta.physics.purdue.edu
{code}
{code:xml}
base dc=physics,dc=purdue,dc=edu
# ldaps:// already wraps the whole session in TLS. The two "ssl" lines below
# contradict each other (start_tls is for plain ldap:// URIs); only one should
# stay — presumably "ssl on" — confirm which one this pam_ldap build honours
# when both are present.
uri ldaps://volta.physics.purdue.edu
ssl start_tls
ssl on
ldap_version 3
# keep: the server certificate is checked against the CA below, so the bind
# credentials are not handed to a host merely claiming to be volta
tls_checkpeer yes
tls_cacertfile /usr/share/purple/ca-certs/Thawte_Premium_Server_CA.pem
tls_cacertdir /etc/openldap/cacerts
# you may need to symlink Thawte_Premium_Server_CA.pem in /etc/openldap/cacerts
# the password for rootbinddn comes from a separate root-only secret file,
# not from this one (see the pam_ldap documentation)
rootbinddn cn=admin,dc=physics,dc=purdue,dc=edu

# md5 = pam_ldap hashes a changed password itself with MD5 before storing it;
# a weak hash — prefer "pam_password exop" so the directory does the hashing
pam_password md5

# plaintext bind credential: this file must stay readable by root only.
# Prefer an anonymous or read-only lookup account limited to what NSS needs.
binddn cn=unsupported,dc=physics,dc=purdue,dc=edu
bindpw *********
{code}
# ln \-s /usr/share/purple/ca-certs/Thawte_Premium_Server_CA.pem /etc/openldap/cacerts/.
# ln \-s /bin/bash /usr/local/bin/bash
# /etc/nsswitch.conf
# Automount /project, /home, /cvmfs:
/etc/auto.master:
{code:xml}
#
/misc    /etc/auto.misc
/project /etc/auto.project
/home    /etc/auto.home
/cvmfs   /etc/auto.cvmfs
# /net exposes the exports of any reachable NFS server as /net/<host>
/net    -hosts
# "+" merges the auto.master map from the sources named on the automount:
# line of /etc/nsswitch.conf (files nis ldap on this page)
+auto.master
{code}
/etc/auto.home:
{code:xml}
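#
# nosuid,nodev as on the auto.project entries: setuid binaries and device
# nodes placed on the exported home tree are not honoured on this client.
# Note "soft": writes that time out are reported as I/O errors rather than retried.
* -fstype=nfs,rw,soft,intr,nosuid,nodev,rsize=32768,wsize=32768,nolock aristotle.physics.purdue.edu:/net/aristotle/home/&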
{code}
/etc/auto.project:
{code:xml}
#
# both entries carry nosuid,nodev — keep them on any entry added later.
# "soft" means a write that exhausts retrans attempts fails with an error
# instead of blocking; note the two entries use different timeo values (8 vs 9).
cmsphys -fstype=nfs,rw,grpid,soft,intr,nosuid,nodev,rsize=16384,wsize=16384,timeo=8,retrans=4,proto=tcp kepler:/net/kepler/project0/cmsphys

*       -fstype=nfs,rw,grpid,soft,intr,nosuid,nodev,rsize=16384,wsize=16384,timeo=9,retrans=4,proto=tcp kepler:/net/kepler/project0/&
{code}
# /etc/krb5.conf
{code:xml}[libdefaults]
 default_realm = CERN.CH
 ticket_lifetime = 25h
 renew_lifetime = 120h
# forwardable tickets can be delegated to a remote host; see the
# GSSAPIDelegateCredentials line in the ssh_config block on this page
 forwardable = true
 proxiable = true
# des-cbc-md5 and des-cbc-crc are single DES and arcfour-hmac-md5 is RC4;
# all three are deprecated. Listing them lets the client ask for them when a
# KDC still offers them. Put the aes types first and drop the DES types unless
# one of the realms below still needs them.
 default_tkt_enctypes = arcfour-hmac-md5 aes256-cts aes128-cts des3-cbc-sha1 des-cbc-md5 des-cbc-crc

[realms]
 CERN.CH = {
  default_domain = cern.ch
  kpasswd_server = afskrb5m.cern.ch
  admin_server = afskrb5m.cern.ch
  kdc = cerndc.cern.ch

# Kerberos 4 name translation; only relevant while krb4 clients exist
  v4_name_convert = {
     host = {
         rcmd = host
     }
  }
 }

 FNAL.GOV = {
  default_domain = fnal.gov
  admin_server = krb-fnal-admin.fnal.gov
  kdc = krb-fnal-1.fnal.gov:88
  kdc = krb-fnal-2.fnal.gov:88
  kdc = krb-fnal-3.fnal.gov:88
 }

 CENTRAL.PURDUE.LCL = {
# a bare IP still works as a kdc entry, but it breaks silently if the
# address is ever renumbered; the hostname form below is preferable
  kdc = 128.210.63.203
  kdc = 1061cendc01.central.purdue.lcl
  admin_server = 1061cendc01.central.purdue.lcl
  default_domain = 1061cendc01.central.purdue.lcl
 }

[domain_realm]
 .cern.ch = CERN.CH
 .fnal.gov = FNAL.GOV
 .central.purdue.lcl = CENTRAL.PURDUE.LCL
 central.purdue.lcl = CENTRAL.PURDUE.LCL

[appdefaults]
# options read by pam_krb5; all krb4 compatibility is switched off.
# external = true presumably lets pam_krb5 reuse credentials established
# outside PAM (e.g. by an sshd GSSAPI login) — confirm against pam_krb5(5)
 pam = {
   external = true
   krb4_convert = false
   krb4_convert_524 = false
   krb4_use_as_req = false
   ticket_lifetime = 25h
 }

{code}
# /etc/yp.conf
{code:xml}domain purdue-pcn broadcast
# "broadcast" binds ypbind to whichever host on the local subnet answers
# first for purdue-pcn; NIS has no server authentication, so where the
# servers are known pin them instead: domain purdue-pcn server <nis-server>
{code}
# /etc/nsswitch.conf
{code:xml}
# lookup order per database; sources are tried left to right
passwd:     files ldap nis
shadow:     files ldap
group:      files nis

# hostnames go to the NIS hosts map before DNS. NIS answers are
# unauthenticated, so the certificate checks on the ldaps connection
# (tls_checkpeer / tls_reqcert on this page) are what keep the LDAP bind
# from being sent to the wrong host
hosts:      files nis dns

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files

netgroup:   files nis ldap

publickey:  nisplus

# this line is what the "+auto.master" include in /etc/auto.master consults
automount:  files nis ldap
aliases:    files nisplus
{code}
# /etc/sysconfig/authconfig
{code:xml}USEMD5=no
USECRACKLIB=yes
USEDB=no
USEHESIOD=no
USELDAP=yes
USENIS=yes
USEPASSWDQC=no
USEWINBIND=no
USEKERBEROS=yes
USELDAPAUTH=yes
USESHADOW=yes
USESMBAUTH=no
USEWINBINDAUTH=no
USELOCAUTHORIZE=yes
# md5 is a weak password hash. SLC6's authconfig supports sha512
# (authconfig --passalgo=sha512 --update); whatever is chosen here has to
# agree with the "md5" argument on the pam_unix password line in
# /etc/pam.d/system-auth on this page. USEMD5=no above presumably is the
# legacy toggle that PASSWDALGORITHM supersedes — confirm.
PASSWDALGORITHM=md5
{code}
# /etc/ssh/ssh_config
{code:xml}GSSAPIAuthentication yes
# forwards the Kerberos TGT to every host this client logs into. As a global
# default that hands the ticket to any server accepting GSSAPI; scope it with
# "Host *.physics.purdue.edu" / "Host *.cern.ch" stanzas instead.
GSSAPIDelegateCredentials yes
GSSAPIKeyExchange no
# trusts the resolver's canonical name when picking the host principal; with
# hosts resolved through NIS first (nsswitch.conf above) that trust extends to
# an unauthenticated source
GSSAPITrustDNS yes
# client side only: outgoing connections will not offer keys. Server policy
# lives in sshd_config, not here.
PubkeyAuthentication no
PasswordAuthentication yes
{code}
# AFS
{code:xml}
 /sbin/chkconfig --add afs
 # iptables is removed from every runlevel and stopped below, leaving the
 # host with no packet filter on any interface (restated as "Firewall:
 # Switch off iptables" further down). A minimal ruleset admitting only the
 # NFS/NIS/LDAP/Kerberos/AFS traffic this page sets up would be safer.
 /sbin/chkconfig --del iptables
 /sbin/chkconfig autofs on
 /sbin/chkconfig iptables off
 /sbin/service autofs start
 /sbin/service iptables stop
{code}
# /etc/passwd  (This will allow you to login with your CERN afs account and mounts your CERN afs home directory)
{code:xml}
neumeist:x:11701:1399:Norbert NEUMEISTER:/afs/cern.ch/user/n/neumeist:/bin/tcsh
aeverett:x:8547:1399:Adam EVERETT:/afs/cern.ch/user/a/aeverett:/bin/tcsh
hdyoo:x:34127:1399:Hwidong YOO:/afs/cern.ch/user/h/hdyoo:/bin/tcsh
asvyatko:x:24584:1399:Alexey SVYATKOVKIY:/afs/cern.ch/user/a/asvyatko:/bin/tcsh
{code}
# /etc/pam.d/system-auth
{code:xml}
# auth: local password first; accounts with uid >= 500 then try Kerberos,
# then LDAP; pam_deny turns any fall-through into a failure
auth        required      pam_env.so
# nullok: a local account with an empty password field logs in without one —
# drop it unless such accounts are deliberate
auth        sufficient    pam_unix.so nullok try_first_pass
# requisite: a uid below 500 that did not pass pam_unix fails here and never
# reaches the network backends
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

# account: local and system accounts (uid < 500) are accepted without asking
# LDAP/Kerberos. For the rest, user_unknown=ignore means an account neither
# backend knows falls through to pam_permit, while one a backend rejects
# (default=bad) fails.
account     sufficient    pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     required      pam_permit.so

# password: pam_unix stores md5 hashes here (matches PASSWDALGORITHM=md5 in
# /etc/sysconfig/authconfig on this page); sha512 is available on SLC6 and
# should be set in both places
password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nis nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

# session: [success=1 default=ignore] skips the next module (pam_unix) when
# the calling service is crond
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     required      pam_krb5.so
session     optional      pam_ldap.so
{code}
# Firewall: Switch off iptables
# Java: Download and install [Java SE Runtime Environment JRE 6|https://cds.sun.com/is-bin/INTERSHOP.enfinity/WFS/CDS-CDS_Developer-Site/en_US/-/USD/ViewProductDetail-Start?ProductRef=jre-6u17-oth-JPR@CDS-CDS_Developer] (select Linux_64)
# /etc/mime.types
{code:xml}type=application/x-java-jnlp-file desc="Java Web Start" exts="jnlp
{code}
# In addition you want to install: flash-plugin.x86_64, mplayer.x86_64, mplayer-gui.x86_64, gnome-mplayer.x86_64, kmplayer.x86_64, mplayer-codecs-addon.i386, mplayer-doc.x86_64, jre.x86_64
# switch off nscd: /etc/init.d/nscd stop
# turn on ypbind
# turn off sssd
{code:xml}
 /sbin/chkconfig --del sssd
 /sbin/chkconfig --add ypbind
 /sbin/chkconfig sssd off
 /sbin/chkconfig ypbind on
 # NOTE(review): this stops autofs, which the AFS block above switched on and
 # which serves /home and /project; "service sssd stop" looks like what was
 # meant here — confirm before running
 service autofs stop
 service ypbind start
{code}
# instead of /etc/ldap.conf use /etc/pam_ldap.conf and /etc/nslcd.conf
# run
{code:xml}
# --update regenerates /etc/pam.d/system-auth-ac and /etc/nsswitch.conf from
# /etc/sysconfig/authconfig, overwriting hand edits to those files; run it
# before the manual system-auth / nsswitch.conf edits shown on this page, not after
authconfig --enablekrb5 --enablenis --enableldap --update
{code}
# /etc/nslcd.conf add the following lines
{code:xml}
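uri ldaps://volta.physics.purdue.edu
base dc=physics,dc=purdue,dc=edu
# "ssl no" only turns off StartTLS; the ldaps:// uri above is still TLS
ssl no
ldap_version 3
# plaintext bind credential: nslcd reads this file as root, so keep it
# root:root 0600 and never copy it into a world-readable ldap.conf
binddn cn=unsupported,dc=physics,dc=purdue,dc=edu
bindpw **********
# demand = refuse the session unless the server certificate chains to the CA
# below (the same CA pam_ldap.conf trusts via tls_checkpeer). The previous
# "tls_reqcert allow" accepted any certificate, so the bind password was sent
# to whatever host answered for volta.
tls_reqcert demand
tls_cacertfile /usr/share/purple/ca-certs/Thawte_Premium_Server_CA.pem

# alternative to tls_cacertfile: a hashed CA directory (see the symlink step above)
#tls_cacertdir /etc/openldap/cacerts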
{code}
{code:xml}
# one-off manual mount of the home tree (autofs via /etc/auto.home serves it
# normally). Unlike the auto.home entry this uses udp and 8192-byte
# rsize/wsize, and it sets nosuid but not nodev.
mount -t nfs aristotle:/net/aristotle/home /home -o rw,bg,intr,nosuid,udp,rsize=8192,wsize=8192,timeo=8
{code}

h1. Scientific Linux CERN 5 (SLC5) Installation

h2. System Installation

Follow the instructions on [http://linux.web.cern.ch/linux/scientific5/docs/install.shtml]
# Create a boot image for a 64 bit system
# Reboot your computer and press F2 (F12) at startup
# In the BIOS setup add CD/DVD to boot devices; save BIOS setup and reboot
# Select *http* as installation method
# Installation server is: linuxsoft.cern.ch
# Installation path is: /cern/slc5X/x86_64/
# Keep default partition layout
# Set host name to *xxx*.physics.purdue.edu: e.g. serret.physics.purdue.edu
# Enable network time protocol (server: harbor.ecn.purdue.edu)
# Set Time Zone to: America/Indianapolis

h2. Customize System

Follow [these instructions|http://www.physics.purdue.edu/PCN/doc/wiki/doku.php?id=wiki:procedures:self_maintained:linux] to mount PCN home directories with pam-cifs.
Do not forget:
{code:xml}
ln -s /lib/security/pam_cifs.so /lib64/security/pam_cifs.so
{code}
# Create /data
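{code:xml}mkdir /data
# 1777 = world-writable with the sticky bit: every user can create a
# /data/<user> directory, but can only remove or rename entries they own.
# A plain a+rwx lets any local account delete everyone else's (unbacked-up) data.
chmod 1777 /data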
{code}All users should create their own directory in /data (e.g. mkdir /data/norbert) to store local data (no backup).
# /etc/sysconfig/network
{code:xml}NETWORKING=yes
HOSTNAME=xxxx.physics.purdue.edu
NISDOMAIN=purdue-pcn
{code}
# /etc/hosts
{code:xml}
127.0.0.1               localhost.localdomain localhost xxx.physics.purdue.edu
{code}
# /etc/group
{code:xml}zh:x:1399:
phys:x:1109:
{code}
# Install CUPS printers: Add the following line to the file /etc/cups/client.conf
{code:xml}
ServerName spool.physics.purdue.edu
{code}
# Install the amd automounter and make sure autofs is switched off
{code:xml}
yum install am-utils
{code}
# /etc/amd.conf
{code:xml}
# GLOBAL OPTIONS SECTION
[ global ]
normalize_hostnames =   no
print_pid =             yes
pid_file =              /var/run/amd.pid
restart_mounts =        yes
auto_dir =              /net
#log_file =             /var/log/amd
log_file =              syslog
log_options =           all
#debug_options =        all
plock =                 no
selectors_on_default =  yes
print_version =         no
#map_type =             file
search_path =           /etc
browsable_dirs =        yes
show_statfs_entries =   no
fully_qualified_hosts = no
cache_duration =        300

# DEFINE AN AMD MOUNT POINT
[/home]
map_name = amd.home

[/project]
map_name = amd.project
{code}
# /etc/amd.home
{code:xml}#comment: amd.home map
# defaults for every key: ${rhost}'s home tree over NFSv3/udp with nosuid,nodev
# (setuid binaries and device nodes on the share are not honoured) and the
# quota option; each user's directory is reached through sublink:=${key}
/defaults       fs:=/net/${rhost}/home;\
                opts:=rw,bg,grpid,intr,nosuid,nodev,quota,proto=udp,vers=3,\
                rsize=8192,wsize=8192,timeo=8,retrans=4;\
                rfs:=/net/${rhost}/home;\
                sublink:=${key};\
                type:=nfsl

#-- All other accounts

# Everybody else falls back to a * entry
*               rhost:=aristotle
{code}
/etc/amd.project
{code:xml}
#comment: amd.project map
/defaults       fs:=/net/${rhost.}/project;\
                opts:=rw,bg,grpid,intr,nosuid,nodev,proto=tcp,vers=3,\
                rsize=16384,wsize=16384,timeo=8,retrans=4;\
                rfs:=/net/${rhost.}/project;\
                sublink:="${key}";\
                type:=nfsl

cmsphys         rhost:=kepler;rfs:=/net/${rhost.}/project0;fs:=${rfs}
{code}
# /etc/krb5.conf
{code:xml}[libdefaults]
 default_realm = CERN.CH
 ticket_lifetime = 25h
 renew_lifetime = 120h
# forwardable tickets can be delegated to a remote host; see the
# GSSAPIDelegateCredentials line in the ssh_config block on this page
 forwardable = true
 proxiable = true
# des-cbc-md5 and des-cbc-crc are single DES and arcfour-hmac-md5 is RC4;
# all three are deprecated. Listing them lets the client ask for them when a
# KDC still offers them. Put the aes types first and drop the DES types unless
# one of the realms below still needs them.
 default_tkt_enctypes = arcfour-hmac-md5 aes256-cts aes128-cts des3-cbc-sha1 des-cbc-md5 des-cbc-crc

[realms]
 CERN.CH = {
  default_domain = cern.ch
  kpasswd_server = afskrb5m.cern.ch
  admin_server = afskrb5m.cern.ch
  kdc = cerndc.cern.ch

# Kerberos 4 name translation; only relevant while krb4 clients exist
  v4_name_convert = {
     host = {
         rcmd = host
     }
  }
 }

 FNAL.GOV = {
  default_domain = fnal.gov
  admin_server = krb-fnal-admin.fnal.gov
  kdc = krb-fnal-1.fnal.gov:88
  kdc = krb-fnal-2.fnal.gov:88
  kdc = krb-fnal-3.fnal.gov:88
 }

 CENTRAL.PURDUE.LCL = {
# a bare IP still works as a kdc entry, but it breaks silently if the
# address is ever renumbered; the hostname form below is preferable
  kdc = 128.210.63.203
  kdc = 1061cendc01.central.purdue.lcl
  admin_server = 1061cendc01.central.purdue.lcl
  default_domain = 1061cendc01.central.purdue.lcl
 }

[domain_realm]
 .cern.ch = CERN.CH
 .fnal.gov = FNAL.GOV
 .central.purdue.lcl = CENTRAL.PURDUE.LCL
 central.purdue.lcl = CENTRAL.PURDUE.LCL

[appdefaults]
# options read by pam_krb5; all krb4 compatibility is switched off.
# external = true presumably lets pam_krb5 reuse credentials established
# outside PAM (e.g. by an sshd GSSAPI login) — confirm against pam_krb5(5)
 pam = {
   external = true
   krb4_convert = false
   krb4_convert_524 = false
   krb4_use_as_req = false
   ticket_lifetime = 25h
 }

# /etc/yp.conf
{code:xml}domain purdue-pcn broadcast
# "broadcast" binds ypbind to whichever host on the local subnet answers
# first for purdue-pcn; NIS has no server authentication, so where the
# servers are known pin them instead: domain purdue-pcn server <nis-server>
{code}
# /etc/ldap.conf
{code:xml}host volta.physics.purdue.edu
base dc=physics,dc=purdue,dc=edu
# ldaps:// already wraps the whole session in TLS. The two "ssl" lines below
# contradict each other (start_tls is for plain ldap:// URIs); only one should
# stay — presumably "ssl on" — confirm which one this nss_ldap/pam_ldap build
# honours when both are present.
uri ldaps://volta.physics.purdue.edu
ssl start_tls
ssl on
ldap_version 3
# keep: the server certificate is checked against the CA below, so the bind
# credentials are not handed to a host merely claiming to be volta
tls_checkpeer yes
tls_cacertfile /usr/share/purple/ca-certs/Thawte_Premium_Server_CA.pem
tls_cacertdir /etc/openldap/cacerts
# you may need to symlink Thawte_Premium_Server_CA.pem in /etc/openldap/cacerts
# the password for rootbinddn comes from a separate root-only secret file,
# not from this one (see the pam_ldap documentation)
rootbinddn cn=admin,dc=physics,dc=purdue,dc=edu

# md5 = pam_ldap hashes a changed password itself with MD5 before storing it;
# a weak hash — prefer "pam_password exop" so the directory does the hashing
pam_password md5

# plaintext bind credential. The chmod 0644 note right below this block makes
# it readable by every local account; if the mode really cannot be 0600,
# use an anonymous or read-only lookup account limited to what NSS needs.
binddn cn=unsupported,dc=physics,dc=purdue,dc=edu
bindpw *********
{code}
# chmod 0600 /etc/ldap.conf (Note: Because of a bug it needs to be chmod 0644 /etc/ldap.conf)
# ln \-s /bin/bash /usr/local/bin/bash
# ln \-s /usr/share/purple/ca-certs/Thawte_Premium_Server_CA.pem /etc/openldap/cacerts/.
# /etc/nsswitch.conf
{code:xml}
# lookup order per database; sources are tried left to right
passwd:     files ldap nis
shadow:     files ldap
group:      files nis

# hostnames go to the NIS hosts map before DNS. NIS answers are
# unauthenticated, so the certificate check on the ldaps connection
# (tls_checkpeer in /etc/ldap.conf on this page) is what keeps the LDAP
# bind from being sent to the wrong host
hosts:      files nis dns

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files

netgroup:   files nis ldap

publickey:  nisplus

automount:  files nis ldap
aliases:    files nisplus
{code}
# /etc/sysconfig/authconfig
{code:xml}USEMD5=no
USECRACKLIB=yes
USEDB=no
USEHESIOD=no
USELDAP=yes
USENIS=yes
USEPASSWDQC=no
USEWINBIND=no
USEKERBEROS=yes
USELDAPAUTH=yes
USESHADOW=yes
USESMBAUTH=no
USEWINBINDAUTH=no
USELOCAUTHORIZE=yes
# md5 is a weak password hash; authconfig also supports sha512
# (authconfig --passalgo=sha512 --update). Whatever is chosen here has to
# agree with the "md5" argument on the pam_unix password line in
# /etc/pam.d/system-auth on this page. USEMD5=no above presumably is the
# legacy toggle that PASSWDALGORITHM supersedes — confirm.
PASSWDALGORITHM=md5
{code}
# /etc/ssh/ssh_config
{code:xml}GSSAPIAuthentication yes
# forwards the Kerberos TGT to every host this client logs into. As a global
# default that hands the ticket to any server accepting GSSAPI; scope it with
# "Host *.physics.purdue.edu" / "Host *.cern.ch" stanzas instead.
GSSAPIDelegateCredentials yes
GSSAPIKeyExchange no
# trusts the resolver's canonical name when picking the host principal; with
# hosts resolved through NIS first (nsswitch.conf above) that trust extends to
# an unauthenticated source
GSSAPITrustDNS yes
# client side only: outgoing connections will not offer keys. Server policy
# lives in sshd_config, not here.
PubkeyAuthentication no
PasswordAuthentication yes
{code}
# AFS
{code:xml}
 /sbin/chkconfig --add afs
 # amd replaces autofs on SLC5 (see the am-utils step above)
 /sbin/chkconfig --add amd
 /sbin/chkconfig --del autofs
 # iptables is removed from every runlevel and stopped below, leaving the
 # host with no packet filter on any interface (restated as "Firewall:
 # Switch off iptables" further down). A minimal ruleset admitting only the
 # NFS/NIS/LDAP/Kerberos/AFS traffic this page sets up would be safer.
 /sbin/chkconfig --del iptables
 /sbin/chkconfig autofs off
 /sbin/chkconfig iptables off
 /sbin/chkconfig amd on
 /sbin/service autofs stop
 /sbin/service iptables stop
 /sbin/service amd start
{code}
# /etc/passwd  (This will allow you to login with your CERN afs account and mounts your CERN afs home directory)
{code:xml}
neumeist:x:11701:1399:Norbert NEUMEISTER:/afs/cern.ch/user/n/neumeist:/bin/tcsh
aeverett:x:8547:1399:Adam EVERETT:/afs/cern.ch/user/a/aeverett:/bin/tcsh
hdyoo:x:34127:1399:Hwidong YOO:/afs/cern.ch/user/h/hdyoo:/bin/tcsh
asvyatko:x:24584:1399:Alexey SVYATKOVKIY:/afs/cern.ch/user/a/asvyatko:/bin/tcsh
{code}
# /etc/pam.d/system-auth (for pam_cifs mounted homedirs)
{code:xml}
# auth: pam_cifs is "required" and runs before the network backends, so its
# result is folded into every login. The "debug" arguments on pam_cifs and
# pam_ldap write verbose output to syslog; remove them once the setup works.
auth        required      pam_env.so
# nullok: a local account with an empty password field logs in without one —
# drop it unless such accounts are deliberate
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_cifs.so debug
auth        sufficient    pam_krb5.so use_first_pass
auth        sufficient    pam_ldap.so use_first_pass debug
auth        required      pam_deny.so

# account: uid < 500 is accepted without asking LDAP/Kerberos. For the rest,
# user_unknown=ignore means an account neither backend knows falls through to
# pam_permit, while one a backend rejects (default=bad) fails.
account     sufficient    pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so debug
account     required      pam_permit.so

# password: pam_unix stores md5 hashes here (matches PASSWDALGORITHM=md5 in
# /etc/sysconfig/authconfig on this page); sha512 should be set in both places
password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nis nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
password    sufficient    pam_ldap.so use_authtok debug
password    required      pam_deny.so

# session: [success=1 default=ignore] skips the next module (pam_mkhomedir)
# when the calling service is crond; mkhomedir creates a missing home
# directory with mode 700 (umask=077)
session    optional     pam_keyinit.so revoke
session    required     pam_limits.so
session    [success=1   default=ignore] pam_succeed_if.so service in crond quiet use_uid
session    required     pam_mkhomedir.so umask=077 skel=/etc/skel
session    required     pam_unix.so
session    required     pam_krb5.so
# mounts the user's SMB share from gutenberg under /home — presumably with the
# password entered at auth; see the pam-cifs instructions linked above
session    optional     pam_cifs.so debug background=0 prefix=/home mount_home=1 source=//gutenberg.physics.purdue.edu windomain=ONEPURDUE
{code}
# /etc/pam.d/system-auth (for amd mounted homedirs)
{code:xml}
# auth: local password first; accounts with uid >= 500 then try Kerberos,
# then LDAP; pam_deny turns any fall-through into a failure
auth        required      pam_env.so
# nullok: a local account with an empty password field logs in without one —
# drop it unless such accounts are deliberate
auth        sufficient    pam_unix.so nullok try_first_pass
# requisite: a uid below 500 that did not pass pam_unix fails here and never
# reaches the network backends
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

# account: local and system accounts (uid < 500) are accepted without asking
# LDAP/Kerberos. For the rest, user_unknown=ignore means an account neither
# backend knows falls through to pam_permit, while one a backend rejects
# (default=bad) fails.
account     sufficient    pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     required      pam_permit.so

# password: pam_unix stores md5 hashes here (matches PASSWDALGORITHM=md5 in
# /etc/sysconfig/authconfig on this page); sha512 should be set in both places
password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nis nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

# session: [success=1 default=ignore] skips the next module (pam_unix) when
# the calling service is crond
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     required      pam_krb5.so
session     optional      pam_ldap.so
{code}
# Firewall: Switch off iptables
# Java: Download and install [Java SE Runtime Environment JRE 6|https://cds.sun.com/is-bin/INTERSHOP.enfinity/WFS/CDS-CDS_Developer-Site/en_US/-/USD/ViewProductDetail-Start?ProductRef=jre-6u17-oth-JPR@CDS-CDS_Developer] (select Linux_64)
# /etc/mime.types
{code:xml}type=application/x-java-jnlp-file desc="Java Web Start" exts="jnlp
{code}
# In addition you want to install: flash-plugin.x86_64, mplayer.x86_64, mplayer-gui.x86_64, gnome-mplayer.x86_64, kmplayer.x86_64, mplayer-codecs-addon.i386, mplayer-doc.x86_64, jre.x86_64
# switch off nscd: /etc/init.d/nscd stop

h1. Scientific Linux CERN 6 (SLC6) Installation

h2. Customize System

# Install
{code:xml}
yum install openldap-clients
yum install nss-pam-ldapd
# a Fedora 12 build installed from a local file: rpm -U does not apply yum's
# per-repository gpgcheck and only warns (NOKEY) when the signing key is not
# imported. Verify the package first (rpm -K <file>) and import the key it is
# signed with; the SLC5 section installs am-utils from the repository instead.
rpm -U am-utils-6.1.5-14.fc12.x86_64.rpm
{code}
# turn on ypbind
# turn off sssd
{code:xml}
 /sbin/chkconfig --del sssd
 /sbin/chkconfig --add ypbind
 /sbin/chkconfig sssd off
 /sbin/chkconfig ypbind on
 # NOTE(review): this stops autofs, which serves /home and /project in the
 # SLC6 setup above; "service sssd stop" looks like what was meant here —
 # confirm before running
 service autofs stop
 service ypbind start
{code}
# instead of /etc/ldap.conf use /etc/pam_ldap.conf and /etc/nslcd.conf
# run
{code:xml}
# --update regenerates /etc/pam.d/system-auth-ac and /etc/nsswitch.conf from
# /etc/sysconfig/authconfig, overwriting hand edits to those files; run it
# before the manual system-auth / nsswitch.conf edits shown on this page, not after
authconfig --enablekrb5 --enablenis --enableldap --update
{code}
# /etc/nslcd.conf add the following lines
{code:xml}
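uri ldaps://volta.physics.purdue.edu
base dc=physics,dc=purdue,dc=edu
# "ssl no" only turns off StartTLS; the ldaps:// uri above is still TLS
ssl no
ldap_version 3
# plaintext bind credential: nslcd reads this file as root, so keep it
# root:root 0600 and never copy it into a world-readable ldap.conf
binddn cn=unsupported,dc=physics,dc=purdue,dc=edu
bindpw **********
# demand = refuse the session unless the server certificate chains to the CA
# below (the same CA the SLC5 ldap.conf trusts via tls_checkpeer). The
# previous "tls_reqcert allow" accepted any certificate, so the bind password
# was sent to whatever host answered for volta.
tls_reqcert demand
tls_cacertfile /usr/share/purple/ca-certs/Thawte_Premium_Server_CA.pem

# alternative to tls_cacertfile: a hashed CA directory (see the symlink step in the SLC5 section)
#tls_cacertdir /etc/openldap/cacerts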
{code}
{code:xml}
# one-off manual mount of the home tree (the automounter normally serves it).
# Unlike the auto.home entry in the SLC6 section this uses udp and 8192-byte
# rsize/wsize, and it sets nosuid but not nodev.
mount -t nfs aristotle:/net/aristotle/home /home -o rw,bg,intr,nosuid,udp,rsize=8192,wsize=8192,timeo=8
{code}