Debian setup for SCL
Information provided here is intended solely for internal use by the
users of the Scalable Computing Laboratory.
If you have any questions or problems, please contact help@scl.ameslab.gov
Please read this entire document before proceeding with the install. Some
items near the end of this document concern steps that come up near the top
or in the middle of the install process.
/etc/apt/sources.list
deb http://security.debian.org/ sarge/updates main
deb http://mirror.scl.ameslab.gov/debian sarge main
deb-src http://mirror.scl.ameslab.gov/debian sarge main
AFS setup - 2.4.27 kernel
[version] below is one of: -1-686 -1-686-smp -1-k7 -1-k7-smp (pick the flavour that matches your machine)
apt-get install kernel-image-2.4.27[version]
[reboot into the new kernel now]
Do not choose manual package installation
(choose Desktop + any others desired)
apt-get install -t testing openafs-client
Answer the configuration prompts as follows:
AFS cell: scl.ameslab.gov
Cache size: whatever you want, but 100,000 or more is recommended
Do not dynamically generate the contents of /afs
Database servers for the home cell: wopr hal
You'll get an error at this point because the kernel module isn't installed yet; that is taken care of below.
apt-get install openafs-krb5 ssh-krb5 krb5-user libpam-krb5 libpam-openafs-session
Answer the Kerberos prompts as follows:
Default Kerberos 5 realm: SCL.AMESLAB.GOV
Kerberos servers for your realm: kerberos-1 kerberos-2 kerberos-3
Kerberos admin server: kerberos-1
Precompiled AFS module packages are available at this link.
If none is available for your kernel, use this script to build and install the module.
Now install the openafs modules package:
dpkg -i openafs-modules-2.4.27[version][some-other-stuff].deb
Start openafs:
/etc/init.d/openafs-client start
(if this doesn't work, something is wrong!)
You will get a 'warning' about a tainted kernel.
You may need to mkdir /root/.ssh
cp /afs/scl/software/ssh/id_dsa.pub /root/.ssh/authorized_keys
chmod 600 /root/.ssh/authorized_keys
PAM setup (/etc/pam.d/common-auth and /etc/pam.d/common-session)
(Note: You will need to add the lines below, or copy the complete files from
this link)
Add the 2 lines below to the beginning of the common-auth file
auth [success=ok default=1] pam_krb5.so forwardable
auth [default=done] pam_openafs_session.so
Add the 2 lines below to the beginning of the common-session file
session optional pam_krb5.so
session optional pam_openafs_session.so
LDAP setup
apt-get install libnss-ldap
Answer the prompts as follows:
host ldap.scl.ameslab.gov
dc=scl,dc=ameslab,dc=gov
Choose LDAP version 3
The LDAP database does not require login
Do not make the configuration file readable by the owner only
dpkg-reconfigure libnss-ldap ---> lets you re-run this configuration at ANY time!
Check that the configuration is correct by viewing /etc/libnss-ldap.conf.
It should contain the following (among the commented defaults):
# Your LDAP server. Must be resolvable without using LDAP.
host ldap.scl.ameslab.gov
# The distinguished name of the search base.
base dc=scl,dc=ameslab,dc=gov
# Choose LDAP version 3
ldap_version 3
/etc/nsswitch.conf
#/etc/nsswitch.conf - edit your file to look like this.
# DO NOT use the one that the installer tells you to. It will
# cause segmentation fault on boot.
passwd: compat ldap
group: compat ldap
shadow: compat
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
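The PAM, libnss-ldap and nsswitch.conf edits above are easy to get subtly wrong (lines appended instead of prepended, shadow pulled from LDAP, a stray hostname). The script below is an added example, not part of the original SCL document, that checks each file against the settings shown in this document. File paths are arguments, so it can be run against copies; with the argument "live" it inspects the real files under /etc.

```sh
#!/bin/sh
# Added example (not part of the original SCL document): sanity checks for the
# PAM, libnss-ldap and nsswitch.conf settings described above. Each check takes
# the file to inspect as an argument, so it can be run against the live /etc
# files ("live" mode below) or against copies.

# Collapse runs of whitespace so indentation differences do not matter.
squeeze() { sed 's/[[:space:]]\{1,\}/ /g; s/ $//'; }

# check_pam_auth FILE: the first two "auth" lines of common-auth must be the
# pam_krb5 line and the pam_openafs_session line, in that order.
check_pam_auth() {
    got=$(grep '^auth' "$1" | head -n 2 | squeeze)
    want='auth [success=ok default=1] pam_krb5.so forwardable
auth [default=done] pam_openafs_session.so'
    [ "$got" = "$want" ]
}

# check_pam_session FILE: both optional session lines must be present.
check_pam_session() {
    grep -q '^session[[:space:]]\{1,\}optional[[:space:]]\{1,\}pam_krb5\.so' "$1" &&
    grep -q '^session[[:space:]]\{1,\}optional[[:space:]]\{1,\}pam_openafs_session\.so' "$1"
}

# check_libnss_ldap FILE: libnss-ldap.conf must name the SCL server and base.
check_libnss_ldap() {
    grep -q '^host[[:space:]]\{1,\}ldap\.scl\.ameslab\.gov[[:space:]]*$' "$1" &&
    grep -q '^base[[:space:]]\{1,\}dc=scl,dc=ameslab,dc=gov[[:space:]]*$' "$1"
}

# nss_sources FILE DATABASE: print the source list for one nsswitch database.
nss_sources() {
    sed -n "s/^$2:[[:space:]]*//p" "$1" | head -n 1 | squeeze
}

# check_nsswitch FILE: passwd and group use compat then ldap; shadow stays
# compat only, exactly as in the file shown above.
check_nsswitch() {
    [ "$(nss_sources "$1" passwd)" = 'compat ldap' ] &&
    [ "$(nss_sources "$1" group)" = 'compat ldap' ] &&
    [ "$(nss_sources "$1" shadow)" = 'compat' ]
}

# report LABEL CHECK FILE: print one result line without aborting the script.
report() {
    if "$2" "$3"; then echo "$1: ok"; else echo "$1: NEEDS ATTENTION ($3)"; fi
}

if [ "${1:-}" = live ]; then
    # Run everything against the live files:  sh scl-check.sh live
    report common-auth    check_pam_auth    /etc/pam.d/common-auth
    report common-session check_pam_session /etc/pam.d/common-session
    report libnss-ldap    check_libnss_ldap /etc/libnss-ldap.conf
    report nsswitch       check_nsswitch    /etc/nsswitch.conf
else
    # Without "live": show the order check on a constructed common-auth where
    # the two lines were appended after pam_unix instead of put first.
    sample=$(mktemp)
    printf '%s\n' 'auth required pam_unix.so nullok_secure' \
        'auth [success=ok default=1] pam_krb5.so forwardable' \
        'auth [default=done] pam_openafs_session.so' > "$sample"
    report "constructed common-auth (lines appended, not prepended)" check_pam_auth "$sample"
    rm -f "$sample"
fi
```

Run it as `sh scl-check.sh live` after finishing the PAM and LDAP sections; any line reporting NEEDS ATTENTION points at the file to revisit. The shadow check deliberately requires `compat` alone, matching the nsswitch.conf above.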
Install the banner (motd) files
The issue and issue.net banner files can be gotten from this link.
Complete installation instructions are available at
http://www.internal.ameslab.gov/is/security/baselines/banner.html
Note: for the kdm included with Sarge the kdmrc file is in /etc/kde3/kdm/.
If you are using kdm you should probably also uncomment the GreetFont line and
set the point size to 10, and uncomment the UserList=false line to disable the
list of user names on the login screen.
In short: edit /etc/ssh/sshd_config and add a Banner line:
Banner /etc/issue.net
then copy the banner files into place:
cp issue issue.net /etc
Suggested ssh configurations
Adding the following lines to the end of /etc/ssh/ssh_config prevents ssh from
forwarding your Kerberos tickets to non-local systems. ssh uses the first value
it finds for an option, so the "Host *.*" block must stay above the "Host *" block.
#Don't pass kerberos (GSSAPI) creds to non-scl hosts.
Host *.*
GSSAPIDelegateCredentials no
#Assume anything that does not have a dot is local, and safe to pass
#kerberos tickets to.
Host *
GSSAPIDelegateCredentials yes
Reboot
Or at least kill -HUP sshd
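Why the order of the two Host blocks matters is easiest to see by replaying ssh's first-match rule. The script below is an added example, not part of the original SCL document or of OpenSSH: it reads an ssh_config-style file and reports the GSSAPIDelegateCredentials value ssh would pick for a given host name, then runs that on a constructed copy of the blocks above and on the same blocks reversed. It only implements the "*" and "?" wildcards, which is all this configuration uses.

```sh
#!/bin/sh
# Added example (not part of the original SCL document): emulates how the ssh
# client resolves GSSAPIDelegateCredentials from a config file, to show why the
# "Host *.*" block has to come before "Host *". ssh keeps the FIRST value it
# finds for an option while reading the file top to bottom; a Host block
# applies when the host name matches any pattern on its Host line. Only the
# "*" and "?" wildcards are handled here (the only ones the config above uses).

# host_matches NAME PATTERN...: true if NAME matches any of the patterns.
host_matches() {
    hn=$1; shift
    for pat in "$@"; do
        case "$hn" in $pat) return 0 ;; esac   # $pat unquoted on purpose: it is the glob
    done
    return 1
}

# delegate_for CONFIG NAME: print the GSSAPIDelegateCredentials value ssh would
# use for NAME ("yes", "no", or "unset" if no applicable block sets it).
# Runs in a subshell so "set -f" (no filename expansion of "*.*") stays local.
delegate_for() (
    set -f
    config=$1; name=$2
    active=1                      # options before the first Host line are global
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}          # drop comments
        set -- $line              # split into keyword and arguments
        [ $# -eq 0 ] && continue
        key=$1; shift
        case "$key" in
            Host)
                if host_matches "$name" "$@"; then active=1; else active=0; fi ;;
            GSSAPIDelegateCredentials)
                if [ "$active" = 1 ]; then echo "$1"; exit 0; fi ;;
        esac
    done < "$config"
    echo unset
)

# Constructed sample: the two blocks from the document, in the documented order.
GOOD_CONFIG=$(mktemp)
cat > "$GOOD_CONFIG" <<'EOF'
#Don't pass kerberos (GSSAPI) creds to non-scl hosts.
Host *.*
    GSSAPIDelegateCredentials no
#Assume anything that does not have a dot is local, and safe to pass
#kerberos tickets to.
Host *
    GSSAPIDelegateCredentials yes
EOF

# Constructed counter-example: same blocks, reversed. "Host *" now matches
# first for every name, so tickets would be forwarded to every host.
BAD_CONFIG=$(mktemp)
cat > "$BAD_CONFIG" <<'EOF'
Host *
    GSSAPIDelegateCredentials yes
Host *.*
    GSSAPIDelegateCredentials no
EOF
trap 'rm -f "$GOOD_CONFIG" "$BAD_CONFIG"' EXIT

# Show the outcome for a local short name, an SCL host and an outside host.
for h in wopr planck.scl.ameslab.gov www.example.org; do
    echo "$h: documented order -> $(delegate_for "$GOOD_CONFIG" "$h")," \
         "reversed order -> $(delegate_for "$BAD_CONFIG" "$h")"
done
```

With the documented order, `wopr` gets `yes` and both dotted names get `no`; with the blocks reversed every name gets `yes`, which is exactly the leak the configuration is meant to prevent. Note that a fully qualified local name such as planck.scl.ameslab.gov also gets `no`, because the rule keys on the presence of a dot, not on the domain.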
SSH Configuration
To allow SSH into the box with Kerberos ticket forwarding, you need to use
kadmin to get a keytab for the principal host/hostname.scl.ameslab.gov,
replacing hostname with your host. This requires admin tokens, so an
administrator will be needed to set this up.
Once the keytab is in place, if ticket forwarding into the new system still
fails, there are a few common problems to check:
- Check that the hostname is the fully qualified name, i.e. the output of hostname should be planck.scl.ameslab.gov instead of planck. If it isn't, you can set it with the hostname command and edit /etc/hostname to make it stick.
- Check that the sshd_config file has the proper options turned on.
- Make sure the fully qualified hostname is NOT in the /etc/hosts file on the localhost line. I think the Debian installer may put it there by default.
- Check the time. Kerberos rejects tickets when the clocks differ by more than the allowed skew (5 minutes by default). You probably want the ntp server package installed with time.scl.ameslab.gov specified as the server twice.
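The checks in the list above can be scripted so that the next person setting up a box does not have to remember them. The following is an added example, not part of the original SCL document. It assumes a few things the document does not state: that GSSAPIAuthentication is the sshd_config option to look for, that `klist -k` lists the default keytab, and that the current NTP offset can be read from column 9 of `ntpq -pn` (milliseconds). Each check is a plain function, so it can be exercised on constructed data; with the argument "live" it inspects the real system.

```sh
#!/bin/sh
# Added example (not part of the original SCL document): runs the ticket-
# forwarding checks listed above. Each check is a function that takes its
# input as arguments or on stdin, so it can be run against constructed data;
# "live" mode at the bottom feeds in the real system values.
# Assumptions not stated in the document: the sshd_config option that matters
# is taken to be GSSAPIAuthentication; "klist -k" lists the default keytab;
# the clock check reads the selected peer's offset from "ntpq -pn" (column 9, ms).

# check_fqdn NAME: the host name must be fully qualified, i.e. contain a dot.
check_fqdn() {
    case "$1" in
        *.*) return 0 ;;
        *)   return 1 ;;
    esac
}

# check_hosts_file FILE FQDN: FQDN must not sit on a loopback (127.x) line.
check_hosts_file() {
    ! grep -v '^[[:space:]]*#' "$1" | awk -v fqdn="$2" '
        $1 ~ /^127\./ { for (i = 2; i <= NF; i++) if ($i == fqdn) found = 1 }
        END { exit found ? 0 : 1 }'
}

# check_sshd_options FILE OPTION...: every OPTION must be set to yes, uncommented.
check_sshd_options() {
    f=$1; shift
    for opt in "$@"; do
        grep -qi "^[[:space:]]*$opt[[:space:]]\{1,\}yes[[:space:]]*$" "$f" || return 1
    done
    return 0
}

# keytab_has_host FQDN: read "klist -k" output on stdin and look for the
# host/FQDN principal that kadmin was used to create.
keytab_has_host() {
    grep -q "[[:space:]]host/$1@"
}

# check_ntp_conf FILE: time.scl.ameslab.gov must be configured as a server.
check_ntp_conf() {
    grep -q '^[[:space:]]*server[[:space:]]\{1,\}time\.scl\.ameslab\.gov' "$1"
}

# check_skew OFFSET_SECONDS MAX_SECONDS: |offset| must stay within the skew
# Kerberos tolerates (5 minutes by default).
check_skew() {
    awk -v off="$1" -v max="$2" 'BEGIN { if (off < 0) off = -off; exit (off <= max) ? 0 : 1 }'
}

if [ "${1:-}" = live ]; then
    # Live run:  sh forwarding-check.sh live
    fqdn=$(hostname)
    check_fqdn "$fqdn" && echo "hostname: ok ($fqdn)" || echo "hostname: NOT fully qualified ($fqdn)"
    check_hosts_file /etc/hosts "$fqdn" && echo "/etc/hosts: ok" || echo "/etc/hosts: $fqdn is on a loopback line"
    check_sshd_options /etc/ssh/sshd_config GSSAPIAuthentication && echo "sshd_config: ok" || echo "sshd_config: GSSAPIAuthentication is not yes"
    klist -k 2>/dev/null | keytab_has_host "$fqdn" && echo "keytab: ok" || echo "keytab: no host/$fqdn principal"
    check_ntp_conf /etc/ntp.conf && echo "ntp.conf: ok" || echo "ntp.conf: time.scl.ameslab.gov not listed"
    off_ms=$(ntpq -pn 2>/dev/null | awk '/^\*/ { print $9 }')
    if [ -z "$off_ms" ]; then
        echo "clock: no synchronised NTP peer"
    elif check_skew "$(awk -v ms="$off_ms" 'BEGIN { print ms / 1000 }')" 300; then
        echo "clock: ok (offset ${off_ms} ms)"
    else
        echo "clock: offset ${off_ms} ms exceeds the Kerberos skew limit"
    fi
else
    # Without "live": demonstrate the /etc/hosts check on a constructed file
    # that mimics the loopback entry the installer can leave behind.
    sample=$(mktemp)
    printf '%s\n' '127.0.0.1 localhost' '127.0.1.1 planck.scl.ameslab.gov planck' > "$sample"
    check_hosts_file "$sample" planck.scl.ameslab.gov && echo "sample hosts: ok" \
        || echo "sample hosts: planck.scl.ameslab.gov is on a loopback line"
    rm -f "$sample"
fi
```

The /etc/hosts check only flags the fully qualified name on a 127.x line; a short alias on that line is harmless for the host principal lookup, so it is left alone.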