Linux Self-Maintained Workstation Guide

Note that while we cannot provide support for self-maintained or unsupported workstations, use the following information as a guide for your workstation.

You also are expected to be aware of and follow the SecurePurdue Guidelines and University IT policies.

Although your workstation may not be maintained by PCN, this does not mean that you cannot print to or use department resources.

On a linux host, install CUPS and then simply point your cups server to us to be able to print like normal.

#/etc/cups/client.conf
ServerName spool.physics.purdue.edu

The various department shares and project directories may be mounted from Gutenberg using samba just like Mac and Windows workstations access those shares.

smb://gutenberg.physics.purdue.edu

If you would like to mount a folder, you can use the below syntax via a terminal window.

#Make sure the location you're mounting to already exists (eg: /mount/UserGutenHome)
mount.smbfs -o rw,username=CareerAccount //gutenberg.physics.purdue.edu/Username /mount/UserGutenHome

In the above example, we mounted a home directory on gutenberg to /mount/UserGutenHome.

For more information, please see the Debian System Administor's Guide of this topic.

There are a number of solutions for accessing centralized authentication. We document them here to offer a choice of solutions depending upon users' needs.

It is generally a good idea to match the userid and groupid locally to the department versions to ensure that files created are owned by the same people if the files will be transferred to other workstations. Your userid and groupid can be found via:

> ssh username@bohr.physics.purdue.edu
> id
uid=12345(username) gid=1234(group) groups=1234(group)

The following setup is best suited for self-maintained users who want the convenience of having centralized authentication while also having the flexibility of an auto-mounted home directory.

The following directions will show how to setup LDAP Authentication with pam_cifs for home directory auto-mounting on an SLC5.3 Linux distribution. These directions assume a completely fresh and default system installation. You may need to tweak these directions for other distributions or system setups.

• Begin by disabling the firewall. This can be done at System → Administration → Security Level and Firewall. Set the firewall state to disabled and click OK.
• Install all updates

  yum update

• Install necessary development packages

  yum install pam-devel openldap-devel gcc

• Compile pam_cifs

  cd /root
  wget http://downloads.sourceforge.net/project/pam-cifs/pam-cifs/pam-cifs-0.5.5/pam-cifs-0.5.5.tgz?use_mirror=cdnetworks-us-1
  tar zxvf pam-cifs-0.5.5.tgz
  cd pam-cifs
  vim Makefile
  #Set the following changes:
  # max_uid = 524288
  # min_uid = 5000
  # windomain = '"ONEPURDUE"'
  :wq
  make all
  make install

• Setup LDAP Authentication
  • Use system-config-authentication to get started (System → Administration → Authentication).
  • In the User Information tab, check Enable NIS Support and Enable LDAP Support. Next click the Configure NIS button. Use purdue-pcn for the NIS domain and volta.physics.purdue.edu for the server name. Click OK.
  • On the Authentication tab, check Enable LDAP Support. Click the Configure LDAP button. Use TLS. LDAP search base dc=physics,dc=purdue,dc=edu. LDAP server volta.physics.purdue.edu. Ensure you have Thawte_Premium_Server_CA.pem where ldap.conf is looking for it. Click OK.
  • On the Options tab, check Cache User Information and Local authorization is sufficient for local users. Click OK.
  • Now confirm your configuration looks like this and replace file contents as necessary:
    • /etc/ldap.conf

      host volta.physics.purdue.edu
      base dc=physics,dc=purdue,dc=edu
      uri ldaps://volta.physics.purdue.edu
      ssl start_tls
      ssl on
      ldap_version 3
      tls_checkpeer yes
      tls_cacertfile /usr/share/purple/ca-certs/Thawte_Premium_Server_CA.pem
      tls_cacertdir /etc/openldap/cacerts
      # you may need to symlink Thawte_Premium_Server_CA.pem in /etc/openldap/cacerts
      rootbinddn cn=admin,dc=physics,dc=purdue,dc=edu
      
      pam_password md5
      
      #following two lines are additional that may not be required for most setups
      nss_initgroups_ignoreusers root,ldap
      tls_reqcert allow
      
      binddn cn=unsupported,dc=physics,dc=purdue,dc=edu
      bindpw *********
      #See PCN in-person for bindpw Password
      #Per University Policy we cannot email/publish passwords

    • Be sure to change the permissions on your ldap.conf

      chmod 0600 /etc/ldap.conf

    • If it exists, remove /etc/ldap.secret as it is not needed and can lead to issues

      rm /etc/ldap.secret

    • /etc/yp.conf

      domain purdue-pcn broadcast

• Next, finish pam_cifs setup by altering your system-auth file to match the one listed below:
  • Edit /etc/pam.d/system-auth to look like the following config

    #%PAM-1.0
    # This file is auto-generated.
    # User changes will be destroyed the next time authconfig is run.
    auth        required      pam_env.so
    auth        sufficient    pam_unix.so nullok try_first_pass
    auth		required	pam_cifs.so debug
    auth        sufficient    pam_ldap.so use_first_pass debug
    auth        required      pam_deny.so
    
    account     required      pam_unix.so broken_shadow
    account     sufficient    pam_succeed_if.so uid < 500 quiet
    account     [default=bad success=ok user_unknown=ignore] pam_ldap.so debug
    account     required      pam_permit.so
    
    password    requisite     pam_cracklib.so try_first_pass retry=3
    password    sufficient    pam_unix.so md5 shadow nis nullok try_first_pass use_authtok
    password    sufficient    pam_ldap.so use_authtok debug
    password    required      pam_deny.so
    
    session     required      pam_limits.so
    session    required     pam_mkhomedir.so umask=077 skel=/etc/skel 
    session    required     pam_unix.so
    session    optional     pam_cifs.so debug background=0 prefix=/home mount_home=1 source=//gutenberg.physics.purdue.edu windomain=ONEPURDUE

• Depending on your user configuration, you may have to modify /etc/shells and/or install missing shell software to be able to login successfully.
• On login, a generic homedir should be created for each user and then will be mounted to their homedir on Gutenberg.

• The screensaver has issues when attempting to unlock for unknown reasons. Disable screensaver locking as a work-around to this.