- 1 Serial console
- 2 Getting user information from LDAP
- 3 Authenticating with LDAP
- 4 For Red Hat-based Distros
- 5 Restricting access to admins
- 6 Multiple VLANs
- 7 Logging to the Log host
- 8 Email config
- 9 NTP
- 10 Munin
- 11 Server addresses
- 12 DNS
- 13 Others
- 14 See also
- 15 Other stuff that should be documented here, but isn't
Serial console
If the machine is only providing serial output during bootup, then it may not have been configured for serial logins. Check that the /etc/inittab file contains a line like

```
T0:23:respawn:/sbin/getty -L ttyS0 9600 vt100
```

which tells init to start the program to provide login prompts.
The original kernel shipped with Debian sarge has a broken serial driver for Ultra 5s. The version in the security updates should work.
I found this guide to be very useful as it lists answers to the debconf questions. The only difference between the recommended configuration and tardis' is that "Local crypt to use when changing passwords." should be 'exop'.
Getting user information from LDAP
The libnss-ldap package handles fetching account information from LDAP. Also make sure that nscd is installed, otherwise bad things may happen.
To tell libnss-ldap where to look, you need to edit /etc/libnss-ldap.conf. At the very least, you'll need to give the host and base (
To tell libc to use libnss-ldap, you need to amend the appropriate lines in /etc/nsswitch.conf:

```
passwd: files ldap
group:  files ldap
shadow: files ldap
```
The other databases are best left alone; we don't bother putting host information or such like in LDAP because we don't see much benefit.
The getent program is useful for testing.
Authenticating with LDAP
The libpam-ldap package is used for authentication against LDAP. You need to configure /etc/pam_ldap.conf along the same lines as /etc/libnss-ldap.conf. A typical example is:

```
host piper
base dc=tardis,dc=ed,dc=ac,dc=uk
rootbinddn cn=admin,dc=tardis,dc=ed,dc=ac,dc=uk
ldap_version 3
# NSS lookups need to be restricted to the appropriate parts of the tree.
# If other lookups are added to /etc/nsswitch.conf, they need to be put
# here too.
nss_base_passwd ou=People,dc=tardis,dc=ed,dc=ac,dc=uk
nss_base_group ou=Group,dc=tardis,dc=ed,dc=ac,dc=uk
nss_base_shadow ou=People,dc=tardis,dc=ed,dc=ac,dc=uk
# Use funky generic LDAP password changing.
pam_password exop
```
PAM needs to be told to use libpam-ldap, as well as the normal pam_unix authentication, in /etc/pam.d/common-auth:

```
# ** Use trick from /usr/share/doc/libpam-ldap/README.Debian
#
auth [success=1 default=ignore] pam_unix.so nullok_secure
auth required pam_ldap.so use_first_pass
auth required pam_permit.so
```

Note the use_first_pass option. Without it, logins will ask for a password for pam_unix, then one for pam_ldap, and so on, causing every other attempt to enter your password to fail even when you get it right. You need to set up /etc/pam.d/common-account in the same way.
For Red Hat-based Distros
This guide was tested with Fedora Server 21 (on Valiant).
- Run `authconfig-tui` (if not installed, `yum install -y authconfig`).
- Check 'Use LDAP' and 'Use LDAP Authentication'. Make sure 'Local authorization is sufficient' is also checked.
- Leave `Use TLS` unchecked.
- Set server to `ldap://ldap/`
- Set Base DN to `dc=tardis,dc=ed,dc=ac,dc=uk`
Restricting access to admins
Logins are restricted with the pam_access module. Its rules (normally kept in /etc/security/access.conf) are:

```
+:ALL:cron
-:ALL EXCEPT root admin:ALL
```

[Hmmm... maybe that should be LOCAL instead of

In /etc/pam.d/common-account ensure that the pam_access module is used to restrict access. For example,

```
account [success=1 default=ignore] pam_unix.so debug
account required pam_ldap.so debug
account required pam_access.so
```
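To see what the two access rules above actually permit (first match wins, and pam_access grants access when no rule matches), here is an added example, not code from the original page or from pam_access itself: a deliberately simplified model of the rule evaluation that covers only the syntax used on this page (ALL, ALL EXCEPT, LOCAL and plain names), and takes the rules as constructed input.

```python
from typing import List, Tuple

# Constructed input: the two rules shown above, one per line.
ACCESS_RULES = """\
+:ALL:cron
-:ALL EXCEPT root admin:ALL
"""

Rule = Tuple[bool, List[str], List[str]]


def parse_rules(text: str) -> List[Rule]:
    """Parse 'perm:users:origins' lines into (allow, users, origins)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        rules.append((perm == "+", users.split(), origins.split()))
    return rules


def field_matches(items: List[str], value: str, is_origin: bool) -> bool:
    """Match one list field: ALL, LOCAL (origins only), 'ALL EXCEPT ...' or names."""
    if len(items) >= 3 and items[0] == "ALL" and items[1] == "EXCEPT":
        return not field_matches(items[2:], value, is_origin)
    for item in items:
        if item == "ALL" or item == value:
            return True
        # pam_access treats LOCAL as matching any origin with no dot in it (ttys, "cron")
        if is_origin and item == "LOCAL" and "." not in value:
            return True
    return False


def access_allowed(rules: List[Rule], user: str, origin: str) -> bool:
    """First matching rule decides; pam_access grants access when nothing matches."""
    for allow, users, origins in rules:
        if field_matches(users, user, False) and field_matches(origins, origin, True):
            return allow
    return True


def check_rules(user: str, origin: str, rules_text: str = ACCESS_RULES) -> bool:
    return access_allowed(parse_rules(rules_text), user, origin)


if __name__ == "__main__":
    for user, origin in [("root", "piper.tardis.ed.ac.uk"), ("bob", "cron"), ("bob", "tty1")]:
        print(f"{user} from {origin}: {'allowed' if check_rules(user, origin) else 'denied'}")
```

Passing a variant with `+:ALL:LOCAL` in place of `+:ALL:cron` shows the difference the bracketed aside is getting at: ordinary users would then be accepted on any origin without a dot (local ttys as well as cron) but still refused from remote hosts.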
Multiple VLANs
Some systems need to appear on several VLANs, most notably the router. First, add 8021q to the end of /etc/modules so that the kernel knows how to deal with the VLAN tagged packets. (Use modprobe 8021q to load it immediately if you don't want to reboot.) Then install the vlan Debian package, and add extra stanzas to /etc/network/interfaces for the new VLANs. For example,

```
# Admin VLAN
auto eth0.1
iface eth0.1 inet static
    address 192.168.1.6
    netmask 255.255.255.0
    network 192.168.1.0
    broadcast 192.168.1.255
```

eth0.1 means VLAN number 1 on interface eth0. Finally, configure the switch so that the port is on the extra VLANs.
Some ethernet hardware does not like the slightly larger ethernet frames used by VLAN tagging. We have already had problems with sunhme and a four port tulip card. You can test it by sending large pings:
```
ping -s 1472 davison.tardis.ed.ac.uk
```

These will produce a frame that is as large as possible (fragmenting the ping, if necessary). If the hardware or driver does not support large frames properly then that frame may be lost. If you are curious about which direction is failing, you can check with wireshark (tshark) or tcpdump.
We have had success with a 3c905 PCI card, and the old 10Mb/s subqe interfaces.
Logging to the Log host
To make syslog send logs to the log host, put
into /etc/syslog.conf. It is a good idea to keep the local logging too, in case of network problems.
Email config
Install the exim4 package and execute 'dpkg-reconfigure exim4-config' to configure it with the details below:

```
Split configuration into small files: NO
General type of mail configuration: mail sent by smarthost; no local mail
System mail name: HOSTNAME.tardis.ed.ac.uk
IP-addresses to listen on for incoming SMTP connections: 127.0.0.1
Other destinations for which mail is accepted: HOSTNAME.tardis.ed.ac.uk
Visible domain name for local users: tardis.ed.ac.uk
IP address or host name of the outgoing smarthost: mailhost.tardis.ed.ac.uk
Keep number of DNS-queries minimal (Dial-on-Demand): NO
```
NTP
davison provides other machines with an NTP service. In turn, it synchronises with the (external-facing) Informatics servers. Here's how to update '/etc/ntp.conf':
--- /etc/ntp.conf (revision 17) +++ /etc/ntp.conf (working copy) @@ -10,17 +10,8 @@ # You do need to talk to an NTP server or two (or three). -#server ntp.your-provider.example +server davison -# pool.ntp.org maps to more than 300 low-stratum NTP servers. -# Your server will pick a different set every time it starts up. -# *** Please consider joining the pool! *** -# *** <http://www.pool.ntp.org/join.html> *** -server 0.debian.pool.ntp.org iburst -server 1.debian.pool.ntp.org iburst -server 2.debian.pool.ntp.org iburst -server 3.debian.pool.ntp.org iburst - # By default, exchange time with everybody, but don't allow configuration. # See /usr/share/doc/ntp-doc/html/accopt.html for details. restrict -4 default kod notrap nomodify nopeer noquery
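Review bot: the replacement line `+server davison` drops the `iburst` option that every removed `server N.debian.pool.ntp.org iburst` line carried, so a freshly booted client will take several polling intervals rather than a few seconds to synchronise; suggest `server davison iburst`. It also leaves davison as the only upstream, so while davison is down or being rebuilt the client has no time source at all; if that matters, keep one pool line as a fallback. The unchanged `restrict -4 default kod notrap nomodify nopeer noquery` context line still refuses remote configuration and queries, which is the right default for a client.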
Munin
Install munin-node on the client (the new Linux box) and update '/etc/munin/munin-node.conf' like so:
--- etc/munin/munin-node.conf (revision 28) +++ etc/munin/munin-node.conf (working copy) @@ -34,4 +34,4 @@ # the allow line as many times as you'd like allow ^127\.0\.0\.1$ - +allow ^18.104.22.168$
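Review bot: the added `allow ^18.104.22.168$` line leaves its dots unescaped, unlike the existing `allow ^127\.0\.0\.1$` line just above it; since the value is a regular expression, each `.` matches any character, so the rule admits more peer addresses than the one intended. Write it as `allow ^18\.104\.22\.168$`. A short comment naming the host this address belongs to (the munin server) would also help the next person editing the file.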
Then run '/etc/init.d/munin-node restart' to update the daemon. Connect to the web server and update '/etc/munin/munin.conf' like so:
--- munin.conf.pert 2007-06-22 17:47:27.593900598 +0100 +++ munin.conf 2007-06-22 17:48:26.781493093 +0100 @@ -101,9 +101,11 @@ [mara.tardis.ed.ac.uk] address 22.214.171.124 use_node_name yes - +[wotan.tardis.ed.ac.uk] + address 126.96.36.199 + use_node_name yes
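Review bot: the hunk consumes the blank separator line before the new stanza (`-` followed by `+[wotan.tardis.ed.ac.uk]`), so the `[mara.tardis.ed.ac.uk]` and `[wotan.tardis.ed.ac.uk]` sections end up back to back; keep an empty line between host sections as the surrounding file does. The added `address` and `use_node_name yes` lines mirror the mara stanza, which is the right shape; a comment noting that the server's own address must also appear in that node's munin-node.conf allow line, or the poll will be refused, would save a round of debugging.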
Server addresses
This provides the addresses of various servers which a Tardis machine might need to use.
DNS
We have an internal caching nameserver, currently 188.8.131.52. However, other machines should be able to cope if it's down for maintenance, so we also use one of the university's servers. (Currently 184.108.40.206, but we should check if that's what we're supposed to use.)
Thus most machines have a /etc/resolv.conf along the lines of:

```
search tardis.ed.ac.uk
nameserver 220.127.116.11
nameserver 18.104.22.168
```
Other stuff that should be documented here, but isn't
- Configuring machines to pass mail on to the mail hub
- Configuring ntp
- Booting our suns from the LAN
- Installing munin