Linux Administration & Maintenance: Difference between revisions
Revision as of 15:39, 4 March 2011
Gentoo
On-Campus, we can speed installation/updates by using a local source; in your /etc/make.conf:
GENTOO_MIRRORS="http://mirror.iat.sfu.ca/gentoo/"
An alternative is to use an NFS mount, but if NFS breaks or is unavailable... :-(
Robin: "For best performance, I recommend mounting
musashi.iat.sfu.ca:/export/gentoo/distfiles on /mnt/distfiles
and specifying that in your make.conf. The NFS route ensures that downloaded files go back into the mirror."
Gentoo Local-Mirror Operation
LDAP Authentication, and Home-Directory AutoMounting
First, make sure you have the necessary packages on your system:
hostname ~ # emerge -v pam_ldap nss_ldap autofs
There are seven configuration files, and two directories, which must be correct:
/etc/ldap.conf
/etc/nsswitch.conf
/etc/auto.master
/etc/conf.d/autofs
/etc/localshell.conf
/etc/pam.d/system-auth
/bin/localshell
/home/users/
/home/projects/
Create the necessary directories:
hostname ~ # mkdir /home/users
hostname ~ # mkdir /home/projects
hostname ~ # mkdir /etc/localshell
Emerge localshell and copy over /etc/localshell.conf from a working machine.
Example /etc/ldap.conf, with commented-out portions omitted
# Your LDAP server. Must be resolvable without using LDAP.
host 209.87.56.238
# The distinguished name of the search base.
base dc=iat,dc=sfu,dc=ca
# The distinguished name to bind to the server with.
binddn cn=Reader,dc=iat,dc=sfu,dc=ca
# The credentials to bind with.
bindpw <supersecret!!>
# RFC2307bis naming contexts
nss_base_passwd ou=Users,dc=iat,dc=sfu,dc=ca
nss_base_shadow ou=Users,dc=iat,dc=sfu,dc=ca
nss_base_group ou=Group,dc=iat,dc=sfu,dc=ca
nss_base_hosts ou=Hosts,dc=iat,dc=sfu,dc=ca
nss_base_services ou=Services,dc=iat,dc=sfu,dc=ca
nss_base_networks ou=Networks,dc=iat,dc=sfu,dc=ca
nss_base_protocols ou=Protocols,dc=iat,dc=sfu,dc=ca
nss_base_rpc ou=Rpc,dc=iat,dc=sfu,dc=ca
nss_base_ethers ou=Ethers,dc=iat,dc=sfu,dc=ca
nss_base_netmasks ou=Networks,dc=iat,dc=sfu,dc=ca
nss_base_bootparams ou=Ethers,dc=iat,dc=sfu,dc=ca
nss_base_aliases ou=Aliases,dc=iat,dc=sfu,dc=ca
nss_base_netgroup ou=Netgroup,dc=iat,dc=sfu,dc=ca
Example nsswitch.conf:
passwd: compat ldap
shadow: compat ldap
group: compat ldap
# passwd: db files nis
# shadow: db files nis
# group: db files nis
hosts: files dns
networks: files dns
services: db files
protocols: db files
rpc: db files
ethers: db files
netmasks: files
netgroup: files
bootparams: files
automount: files
aliases: files
Example /etc/auto.master
/home/users ldap:209.87.56.238:ou=home.users,ou=AutoFS,dc=iat,dc=sfu,dc=ca
/home/projects ldap:209.87.56.238:ou=home.projects,ou=AutoFS,dc=iat,dc=sfu,dc=ca
Example /etc/pam.d/system-auth
# Prompt user for pass, check against unix auth-method.
# Includes nsswitch, so an LDAP pass will succeed, if nsswitch is configured.
# Certain users or services may have blank passwords; we'll allow these to succeed
auth required pam_unix.so nullok
# Account verification, password expiration.
# Also checks LDAP, if nsswitch.conf is configured.
account required pam_unix.so
# We don't allow changing of (logged-in user account) passwords directly on this machine
# Use tools on LDAP server instead
password required pam_deny.so
# Log username and service to /var/log/messages (audit trail)
session required pam_unix.so
Example /etc/conf.d/autofs
TIMEOUT=300
BROWSE_MODE="no"
USE_MISC_DEVICE="yes"
MAP_OBJECT_CLASS="organizationalUnit"
ENTRY_OBJECT_CLASS="automount"
MAP_ATTRIBUTE="ou"
ENTRY_ATTRIBUTE="cn"
VALUE_ATTRIBUTE="automountInformation"
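The auto.master entries and the ENTRY_OBJECT_CLASS / ENTRY_ATTRIBUTE / VALUE_ATTRIBUTE settings above together determine the LDAP search autofs performs when someone touches /home/users/<name>. The script below is an added example (not part of this wiki page or of autofs itself): it parses both files, builds the exact search filter and an equivalent ldapsearch command for checking a map entry by hand, and escapes the lookup key the way RFC 4515 requires so a directory name containing ( ) * or \ cannot alter the filter. The automountInformation value it splits is a constructed sample; the server address and DNs are the ones from the files above.

```python
"""Work out which LDAP query autofs issues for a home directory, from the
auto.master entry and the attribute names in /etc/conf.d/autofs."""
import shlex
from typing import Dict, List, Tuple

# Constructed sample: the two auto.master lines shown above.
AUTO_MASTER = """\
/home/users ldap:209.87.56.238:ou=home.users,ou=AutoFS,dc=iat,dc=sfu,dc=ca
/home/projects ldap:209.87.56.238:ou=home.projects,ou=AutoFS,dc=iat,dc=sfu,dc=ca
"""

# Constructed sample: the /etc/conf.d/autofs settings shown above.
AUTOFS_CONF = """\
TIMEOUT=300
BROWSE_MODE="no"
MAP_OBJECT_CLASS="organizationalUnit"
ENTRY_OBJECT_CLASS="automount"
MAP_ATTRIBUTE="ou"
ENTRY_ATTRIBUTE="cn"
VALUE_ATTRIBUTE="automountInformation"
"""

def parse_auto_master(text: str) -> Dict[str, Tuple[str, str, str]]:
    """mount point -> (scheme, server, map DN)."""
    maps: Dict[str, Tuple[str, str, str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        mount_point, map_spec = line.split(None, 1)
        scheme, server, base = map_spec.split(":", 2)
        maps[mount_point] = (scheme, server, base)
    return maps

def parse_autofs_conf(text: str) -> Dict[str, str]:
    """Shell-style KEY=VALUE / KEY="VALUE" lines -> dict."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip().strip('"')
    return conf

def ldap_filter_escape(value: str) -> str:
    """RFC 4515 escaping: ( ) * \\ and NUL become \\XX hex escapes, so the
    lookup key is always a literal and never filter syntax."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)

def lookup_query(maps, conf, mount_point: str, key: str) -> Tuple[str, str, str, str]:
    """(server, base DN, search filter, value attribute) that resolves
    <mount_point>/<key> under the configuration given."""
    scheme, server, base = maps[mount_point]
    if scheme != "ldap":
        raise ValueError(f"{mount_point} is not an LDAP map ({scheme})")
    filt = "(&(objectClass=%s)(%s=%s))" % (
        conf["ENTRY_OBJECT_CLASS"], conf["ENTRY_ATTRIBUTE"], ldap_filter_escape(key))
    return server, base, filt, conf["VALUE_ATTRIBUTE"]

def ldapsearch_command(maps, conf, mount_point: str, key: str) -> List[str]:
    """Equivalent ldapsearch(1) invocation for checking one map entry by hand
    (anonymous simple bind; add -D/-w if the directory requires a bind)."""
    server, base, filt, attr = lookup_query(maps, conf, mount_point, key)
    return ["ldapsearch", "-x", "-h", server, "-b", base, filt, attr]

def parse_automount_information(value: str) -> Tuple[List[str], str]:
    """Split an automountInformation value into (mount options, location),
    e.g. '-fstype=nfs,rw fileserver:/export/users/alice'."""
    parts = value.split(None, 1)
    if not parts:
        return [], ""
    if parts[0].startswith("-"):
        return parts[0][1:].split(","), (parts[1] if len(parts) > 1 else "")
    return [], value.strip()

if __name__ == "__main__":
    maps = parse_auto_master(AUTO_MASTER)
    conf = parse_autofs_conf(AUTOFS_CONF)
    print(shlex.join(ldapsearch_command(maps, conf, "/home/users", "alice")))
    # constructed sample value, as it might be stored in the directory
    print(parse_automount_information("-fstype=nfs,rw fileserver:/export/users/alice"))
```

Run the printed ldapsearch line from the workstation before starting autofs: if it returns no automountInformation attribute for a known user, the problem is in the directory or the map DN, not in autofs.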
Rescuing a Gentoo System
boot from a CD, typically
boot: gentoo
enable swap (of course, your swap partition may differ! Most of ours are the second primary partition, whether /dev/hda2, /dev/sda2, or /dev/sdb2)
livecd root # swapon /dev/sda2
mount the main (root) partition, optionally the boot partition
livecd root # mount /dev/sda3 /mnt/gentoo
livecd root # mount /dev/sda1 /mnt/gentoo/boot
get some networking going
livecd root # dhcpcd &
livecd root # ifconfig eth0 up
livecd root # ifconfig (verify we got an IP)
prepare for chrooting
livecd root # mount -t proc none /mnt/gentoo/proc
livecd root # mount -o bind /dev /mnt/gentoo/dev
set up a new environment root
livecd root # cd /mnt/gentoo
livecd gentoo # chroot /mnt/gentoo /bin/bash
livecd / # env-update
livecd / # source /etc/profile
Now, do your rescue work. Good luck!
To back out of the chroot, and check your fix(es)
livecd / # exit
livecd root # cd /
livecd root # umount /mnt/gentoo/boot /mnt/gentoo/proc /mnt/gentoo/dev /mnt/gentoo
livecd root # reboot
SUSE
On-Campus, we can speed installation/updates by using a local source:
nfs://export/mirror/suse
- TODO: Instructions for install with LDAP working
- TODO: Instructions for auto-update configuration
RedHat/Fedora
- TODO: Instructions for install with LDAP working
Ubuntu
Below are instructions for setting up an Ubuntu Linux workstation. All instructions are for version 7.04.
To enable the use of dual-monitor display on an Nvidia video card, follow these instructions:
- First enable the Nvidia driver, by clicking on System > Administration > Restricted Drivers Manager, authenticating, and checking "Enabled". Close the manager, and restart the computer.
- Next run the following command in a Terminal, and authenticate when prompted:
hostname ~ # sudo apt-get install nvidia-settings
hostname ~ # gksudo nvidia-settings
- On the left side of the GUI, go to 'X Server Display Configuration'. Enable both displays, and choose TwinView for Configuration type. Make sure the resolutions match your monitors. Hit 'Apply' to see if these setting work for you. Your monitors should now turn into one big screen. Accept the configuration if this is true, otherwise cancel and fix the settings.
- Now press 'Quit' in the bottom right, log out, then log back in. You should no longer see one large screen, but a main display on the left and a secondary on the right (if this is how you configured it), and you should be able to drag windows from one display to the other.
- Run the 'gksudo nvidia-settings' command above one more time. If you are satisfied with your settings, click 'Save to X Configuration File' and quit.
To turn on the root account enter the following command in a Terminal, authenticate, then enter/confirm a root password when prompted:
hostname ~ # sudo passwd root
To enable ssh on the machine, enter the following command in a Terminal:
hostname ~ # sudo apt-get install ssh openssh-server
LDAP Authentication, and Home-Directory Automounting
First of all, make sure you have all the required packages installed on your system:
- libnss-ldap
- libpam-ldap
- ldap-utils
- autofs
- autofs-ldap
The easiest way of installing them is using the Synaptic Package Manager, found under System > Administration > Synaptic Package Manager. Also install all dependencies for the packages above. Note that when you install the libnss-ldap package, you will have to enter information regarding the LDAP setup. You can leave all these as default and change them later (actually, the only thing you should change is the tick-box that says "Make local root Database admin"; make sure it is deselected), or use the info below to guide you. You will need to edit the config files manually later anyway.
There are several configuration files you will need, as well as several directories that must be correct:
/etc/libnss-ldap.conf
/etc/pam_ldap.conf
/etc/nsswitch.conf
/etc/auto.master
/etc/pam.d/common-account
/etc/pam.d/common-auth
/etc/pam.d/common-password
/etc/pam.d/common-session
/etc/localshell/
/bin/localshell
/home/users/
/home/projects/
Create the following directories:
hostname ~ # mkdir /home/users
hostname ~ # mkdir /home/projects
hostname ~ # mkdir /etc/localshell
Copy over the /etc/localshell/* and /bin/localshell from a working machine.
Examples of the required files are given below. Note that libnss-ldap.conf and pam_ldap.conf are identical except for one line (see below).
Example libnss-ldap.conf and pam_ldap.conf file, with commented-out lines omitted:
NOTE - the first line is commented out in the pam_ldap.conf file.
@(#)$Id: ldap.conf,v 2.47 2006/05/15 08:13:44 lukeh Exp $
# Your LDAP server. Must be resolvable without using LDAP.
host 209.87.56.238
# The distinguished name of the search base.
base dc=iat,dc=sfu,dc=ca
# The LDAP version to use (defaults to 3
# if supported by client library)
ldap_version 2
# The distinguished name to bind to the server with.
binddn cn=Reader,dc=iat,dc=sfu,dc=ca
# The credentials to bind with.
bindpw <secret!!!>
# Reconnect policy:
bind_policy hard
nss_base_passwd ou=Users,dc=iat,dc=sfu,dc=ca
nss_base_shadow ou=Users,dc=iat,dc=sfu,dc=ca
nss_base_group ou=Group,dc=iat,dc=sfu,dc=ca
nss_base_hosts ou=Hosts,dc=iat,dc=sfu,dc=ca
nss_base_services ou=Services,dc=iat,dc=sfu,dc=ca
nss_base_networks ou=Networks,dc=iat,dc=sfu,dc=ca
nss_base_protocols ou=Protocols,dc=iat,dc=sfu,dc=ca
nss_base_rpc ou=Rpc,dc=iat,dc=sfu,dc=ca
nss_base_ethers ou=Ethers,dc=iat,dc=sfu,dc=ca
nss_base_netmasks ou=Networks,dc=iat,dc=sfu,dc=ca
nss_base_bootparams ou=Ethers,dc=iat,dc=sfu,dc=ca
nss_base_aliases ou=Aliases,dc=iat,dc=sfu,dc=ca
nss_base_netgroup ou=Netgroup,dc=iat,dc=sfu,dc=ca
Example nsswitch.conf file:
passwd: files ldap
group: files ldap
shadow: files
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
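Both the Gentoo /etc/ldap.conf and the Ubuntu libnss-ldap.conf / pam_ldap.conf above carry the same handful of settings a reviewer looks at before the box goes on the network: a bind password sitting in a plain file, the LDAP protocol version, whether the session is protected in transit, the reconnect policy, and whether the server can be resolved without the directory. The script below is an added example (not part of this wiki page or of the nss_ldap/pam_ldap packages): it parses the client configuration and nsswitch.conf and returns a list of findings. The file contents embedded in it are constructed from the examples above with a placeholder bind password; the file mode is passed in as an argument so the script runs anywhere (on a real machine pass os.stat(path).st_mode).

```python
"""Audit the LDAP client configuration (libnss-ldap.conf / pam_ldap.conf,
or Gentoo's /etc/ldap.conf) together with nsswitch.conf."""
import ipaddress
import stat
from typing import Dict, List, Tuple

# Constructed sample modelled on the file shown above. The bind password
# is a placeholder, not a real credential.
LDAP_CONF = """\
# Your LDAP server. Must be resolvable without using LDAP.
host 209.87.56.238
base dc=iat,dc=sfu,dc=ca
ldap_version 2
binddn cn=Reader,dc=iat,dc=sfu,dc=ca
bindpw PLACEHOLDER-BIND-PASSWORD
bind_policy hard
nss_base_passwd ou=Users,dc=iat,dc=sfu,dc=ca
nss_base_shadow ou=Users,dc=iat,dc=sfu,dc=ca
nss_base_group ou=Group,dc=iat,dc=sfu,dc=ca
"""

# Constructed sample modelled on the Ubuntu nsswitch.conf shown above.
NSSWITCH_CONF = """\
passwd: files ldap
group: files ldap
shadow: files
hosts: files dns
netgroup: nis
"""

Finding = Tuple[str, str]  # (short code, explanation)

def parse_ldap_conf(text: str) -> Dict[str, str]:
    """'key value' lines -> dict; keys lower-cased, comments and blanks dropped,
    a repeated key keeps its last value (as nss_ldap does)."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if len(parts) == 2:
            conf[parts[0].lower()] = parts[1].strip()
    return conf

def parse_nsswitch(text: str) -> Dict[str, List[str]]:
    """'database: source source ...' lines -> database -> ordered source list."""
    databases: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" in line:
            name, _, sources = line.partition(":")
            databases[name.strip()] = sources.split()
    return databases

def ldap_backed_databases(nss: Dict[str, List[str]]) -> List[str]:
    """Which NSS databases consult the directory at all."""
    return sorted(db for db, sources in nss.items() if "ldap" in sources)

def audit(conf: Dict[str, str], nss: Dict[str, List[str]], conf_mode: int) -> List[Finding]:
    """conf_mode is the st_mode of the configuration file."""
    findings: List[Finding] = []
    if "bindpw" in conf and conf_mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(("BINDPW_READABLE",
                         "bindpw is readable by other local users; nss_ldap needs the file "
                         "readable by unprivileged processes, so the bind DN must be a "
                         "read-only account with no more rights than it strictly needs"))
    if conf.get("ldap_version", "3") != "3":
        findings.append(("LDAPV2", "ldap_version is not 3; LDAPv2 is obsolete (RFC 3494)"))
    if conf.get("ssl", "no") in ("no", "off"):
        findings.append(("NO_TLS",
                         "no 'ssl start_tls' / 'ssl on': the bind password and users' "
                         "login passwords cross the network unencrypted"))
    if conf.get("bind_policy") == "hard":
        findings.append(("BIND_POLICY_HARD",
                         "lookups keep retrying while the server is unreachable, "
                         "which can stall boot and logins"))
    try:
        ipaddress.ip_address(conf.get("host", ""))
    except ValueError:  # server given by name, or several names
        if "ldap" in nss.get("hosts", []):
            findings.append(("HOST_NEEDS_LDAP",
                             "hosts: consults ldap, so resolving the LDAP server's name "
                             "would need the directory it is trying to reach"))
    return findings

if __name__ == "__main__":
    conf = parse_ldap_conf(LDAP_CONF)
    nss = parse_nsswitch(NSSWITCH_CONF)
    print("databases served by LDAP:", ldap_backed_databases(nss))
    for code, why in audit(conf, nss, 0o644):  # 0644 is a constructed mode for the demo
        print(f"{code}: {why}")
```

The findings are deliberately ordered from most to least serious; the NO_TLS check goes beyond what the page configures and is there because the wiki's files show no ssl directive at all.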
Example common-account file:
account sufficient pam_ldap.so
account required pam_unix.so
Example common-auth file:
auth sufficient pam_ldap.so
auth required pam_unix.so nullok_secure use_first_pass
Example common-password file:
password sufficient pam_ldap.so
password required pam_unix.so nullok obscure min=4 max=8 md5
Example common-session file:
session sufficient pam_ldap.so
session required pam_unix.so
session optional pam_foreground.so
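The behaviour of the Ubuntu common-* files above, and of the Gentoo system-auth earlier on this page, comes down to how PAM walks the stack: "sufficient pam_ldap.so" followed by "required pam_unix.so" means an LDAP success ends the walk at once, an LDAP failure falls through to the local password file, and "password required pam_deny.so" on the Gentoo box refuses every local password change. The script below is an added example (not part of this wiki page or of Linux-PAM): it parses a PAM file, simulates the required/requisite/sufficient/optional control flags for a given set of module outcomes, and lists the modules that accept empty passwords via nullok / nullok_secure. The PAM file contents embedded in it are the examples from this page; the module outcomes are constructed.

```python
"""Simulate how Linux-PAM walks one facility's module stack, so the effect of
the control flags and of module order can be checked without logging in."""
from typing import Dict, List, Optional, Tuple

Entry = Tuple[str, str, List[str]]  # (control flag, module, module arguments)

# Constructed sample: the Ubuntu common-auth stack shown above.
UBUNTU_COMMON_AUTH = """\
auth sufficient pam_ldap.so
auth required pam_unix.so nullok_secure use_first_pass
"""

# Constructed sample: the Gentoo system-auth file shown earlier on this page.
GENTOO_SYSTEM_AUTH = """\
auth required pam_unix.so nullok
account required pam_unix.so
password required pam_deny.so
session required pam_unix.so
"""

def parse_pam_stack(text: str, facility: str) -> List[Entry]:
    """Entries for one facility (auth/account/password/session); comments,
    blank lines and the other facilities are skipped."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 3 and parts[0] == facility:
            entries.append((parts[1], parts[2], parts[3:]))
    return entries

def evaluate_stack(entries: List[Entry], outcomes: Dict[str, bool]) -> bool:
    """Overall verdict of the stack. `outcomes` says whether each module would
    succeed; pam_deny.so always fails, pam_permit.so always succeeds, and an
    unlisted module fails. Semantics follow Linux-PAM's expansion of the
    simple keywords: a 'required' failure is remembered but the walk goes on
    (so the user cannot tell which module failed), 'requisite' aborts at once,
    'sufficient' returns success immediately unless an earlier required module
    already failed, and an 'optional' result only counts if nothing else did."""
    impression: Optional[bool] = None  # None = nothing has decided yet
    for control, module, _args in entries:
        if module == "pam_deny.so":
            ok = False
        elif module == "pam_permit.so":
            ok = True
        else:
            ok = outcomes.get(module, False)
        if control in ("required", "requisite", "optional"):
            if ok:
                if impression is None:
                    impression = True
            elif control == "requisite":
                return False
            elif control == "required":
                impression = False
            # an optional module's failure is ignored
        elif control == "sufficient":
            if ok and impression is not False:
                return True
        else:
            raise ValueError(f"unsupported control flag: {control}")
    return impression is True

def empty_password_modules(entries: List[Entry]) -> List[str]:
    """Modules configured with nullok / nullok_secure, i.e. ones that accept an
    empty password (nullok_secure only from a tty listed in /etc/securetty)."""
    return [module for _control, module, args in entries
            if any(arg.startswith("nullok") for arg in args)]

if __name__ == "__main__":
    auth = parse_pam_stack(UBUNTU_COMMON_AUTH, "auth")
    for ldap_ok, unix_ok in ((True, False), (False, True), (False, False)):
        verdict = evaluate_stack(auth, {"pam_ldap.so": ldap_ok, "pam_unix.so": unix_ok})
        print(f"ldap={ldap_ok} unix={unix_ok} -> {'allow' if verdict else 'deny'}")
    print("empty passwords accepted by:", empty_password_modules(auth))
    passwd = parse_pam_stack(GENTOO_SYSTEM_AUTH, "password")
    print("local password change on the Gentoo box:",
          "allowed" if evaluate_stack(passwd, {"pam_unix.so": True}) else "refused")
```

Swapping the two common-auth lines is the classic mistake the simulator makes visible: with "required pam_unix.so" first, a local-password failure is remembered and the later "sufficient pam_ldap.so" can no longer rescue the login, so LDAP-only users are locked out.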
Example auto.master file:
/home/users ldap:209.87.56.238:ou=home.users,ou=AutoFS,dc=iat,dc=sfu,dc=ca
/home/projects ldap:209.87.56.238:ou=home.projects,ou=AutoFS,dc=iat,dc=sfu,dc=ca
Troubleshooting
The above instructions should work, although they may need a kick-start. Things to try:
- Reboot the machine, many, many times.
- Purposely break the conf files, reboot, fix, then reboot again.
- Start autofs, and log in using Terminal as an ldap user using the command: ssh user@localhost
- Comment-out (using #) the "bind_policy hard" line in libnss-ldap.conf and pam_ldap.conf
Rescuing an Ubuntu System
Boot from the Ubuntu installation CD (live CD), and enter the following commands in a Terminal to mount your filesystem:
To identify the HD/partition you wish to mount:
hostname ~ # fdisk -l
To mount:
hostname ~ # mount -t ext3 -o defaults /dev/$partition /mnt/
The command above mounts $partition to /mnt/.
Customizing Compiz on Ubuntu 8.04
Compiz now comes pre-installed on Ubuntu, however it doesn't allow much customization. To be able to tweak all the settings, follow these instructions:
hostname ~ # sudo apt-get install simple-ccsm
hostname ~ # sudo apt-get install compizconfig-settings-manager
Now you can run the Compiz Custom Settings Manager, from System > Preferences > Advanced Desktop Effects Settings
Installing Beryl on Ubuntu 7.04
Beryl is now outdated, and you may want to install Compiz instead. The latest Ubuntu comes with Compiz pre-installed, but if for some reason you have an older system and are stubborn enough to install Beryl, here's how:
The instructions below are copied from the Beryl docs; they work very well. Note, these instructions are for nVidia cards only. If for any reason they don't work or you have a different card installed, the link to the Beryl-Ubuntu installation docs is here: http://wiki.beryl-project.org/wiki/Install_Beryl_on_Ubuntu#Ubuntu_7.04_.28Feisty_Fawn.29
- Open a terminal. Execute:
sudo echo "Beryl & nVidia installation script for ubuntu Ubuntu Feisty"
(this one line asks for your password, so that the next pasted block runs uninterrupted.)
- Copy and paste all the text into the Terminal in one action. [Select all the text. Then middle button click in terminal]
sudo cp /etc/X11/xorg.conf /etc/X11/xorg.conf.backup.beryl-script
sudo cp /etc/apt/sources.list /etc/apt/sources.list.backup.beryl-script
echo "deb http://ubuntu.beryl-project.org feisty main
deb-src http://ubuntu.beryl-project.org feisty main" | sudo tee -a /etc/apt/sources.list
wget http://ubuntu.beryl-project.org/root@lupine.me.uk.gpg -O- | sudo apt-key add -
sudo apt-get update
sudo apt-get -y install beryl beryl-manager emerald-themes
sudo nvidia-xconfig --add-argb-glx-visuals
sudo cp /usr/share/applications/beryl-manager.desktop /etc/xdg/autostart/beryl-manager.desktop
cp /usr/share/applications/beryl-manager.desktop ~/Desktop/beryl-manager.desktop
echo -e "Logout now and then press \e[0;31mCTRL+ALT+BACKSPACE\e[0m to restart xorg"
echo "Installation completed !"
- Now Logout and then press [CTRL+ALT+BACKSPACE] to restart xorg.