Own installation tips and tricks

Disclaimer

This information is provided "as-is" and might need an experienced sysadmin to implement it on a given distribution.

http://rechnersicherheit.desy.de/fuer_anwender/private_hardware/index_ger.html

Updates

  • Enable automatic updates for your distribution, and reboot if needed
  • Do not run distributions that are out of support.

Getting Kerberos configured as a client

  • We usually install MIT Kerberos clients
  • Have a look at /etc/krb5.conf on a PAL most similar to your machine (e.g. pal.desy.de for an EL example or paul.desy.de for Ubuntu) to get the current parameters
  • We usually do not provide Kerberos keytabs to non-IT managed systems

LDAP

  • LDAP integration for DESY users and passwords is difficult. We suggest that you use local accounts with the same name and UID/GID as your DESY account.
  • Should you need LDAP support: basic parameters for configuration are (status 6.12.2019)
    id_provider = ldap
    ldap_uri = ldap://it-ldap-slave.desy.de:1389,ldap://it-ldap-slave03.desy.de:1389,ldap://it-ldap-slave04.desy.de:1389
    ldap_search_base = ou=RGY,o=DESY,c=DE
    ldap_group_member = uniqueMember
    auth_provider = krb5
    krb5_server = kerberos2.desy.de:88,kerberos3.desy.de:88,kerberos1.desy.de:88
    krb5_realm = DESY.DE
  • You need to adjust PAM and /etc/security/... files

SSH client and server

  • Please have a look at /etc/ssh/ssh_config and /etc/ssh/sshd_config on a DESY configured machine

Postfix configuration

  • You will need a postfix zeroconf client
  • Have a look at the files we change:

    grep -ri puppet /etc/postfix/*
    /etc/postfix/main.cf:# Managed by puppet (postfix). Do NOT edit!
    /etc/postfix/regexp.recipient_canonical:# Managed by puppet (postfix). Do NOT edit!
    /etc/postfix/regexp.sender_canonical:# Managed by puppet (postfix). Do NOT edit!
    /etc/postfix/virtual:# Managed by Puppet (postfix). Do NOT edit!
    /etc/postfix/virtual:root YourAdressHere@desy.de

    ... and adapt the changes to your system (adapt the email to something meaningful!)

Timeserver

  • have a look at /etc/ntp.conf on a reference system

Network and resolution

  • should be configured by DHCP

Printing

  •  have a look at /etc/cups/client.conf on a reference system and adapt this to your group