Disclaimer

This information is provided "as-is" and might need an experienced sysadmin to implement it on a given distribution.

Should you run your system in the DESY internal network, make sure to follow the RSR rules:

http://rechnersicherheit.desy.de/regeln_und_empfehlungen/systeme_im_internen_netzwerk/index_ger.html

and have the following form filled in:

http://rechnersicherheit.desy.de/fuer_anwender/private_hardware/index_ger.html

Updates

  • Enable automatic updates for your distribution, and reboot if needed.
  • Do not run distributions that are out of support.

Getting Kerberos configured as a client

  • We usually install MIT Kerberos clients.
  • Have a look at /etc/krb5.conf on a PAL most similar to your machine (e.g. pal.desy.de for an EL example or paul.desy.de for Ubuntu) to get the current parameters.
  • We usually do not provide Kerberos keytabs to non-IT managed systems.

LDAP

  • LDAP integration for DESY users and passwords is difficult. We suggest that you use local accounts with the same name and UID/GID as your DESY account.
  • Should you need LDAP support, the basic configuration parameters are (status 6.12.2019):
    id_provider = ldap
    ldap_uri = ldap://it-ldap-slave.desy.de:1389,ldap://it-ldap-slave03.desy.de:1389,ldap://it-ldap-slave04.desy.de:1389
    ldap_search_base = ou=RGY,o=DESY,c=DE
    ldap_group_member = uniqueMember
    auth_provider = krb5
    krb5_server = kerberos2.desy.de:88,kerberos3.desy.de:88,kerberos1.desy.de:88
    krb5_realm = DESY.DE
  • You need to adjust PAM and the /etc/security/... files.

SSH client and server

  • Please have a look at /etc/ssh/ssh_config and /etc/ssh/sshd_config on a DESY-configured machine.

Postfix configuration

Timeserver

  • Have a look at /etc/ntp.conf on a reference system.

Network and resolution

  • Should be configured by DHCP.

Printing

  • Have a look at /etc/cups/client.conf on a reference system and adapt this to your group.