Linux Self-Maintained Workstation Guide
Note that while we cannot provide support for self-maintained or unsupported workstations, use the following information as a guide for your workstation.
Department Printers
Although your workstation may not be maintained by PCN, this does not mean that you cannot print to or use department resources.
On a Linux host, install CUPS and then point your CUPS client at the department print server to print as normal:
# /etc/cups/client.conf
ServerName spool.physics.purdue.edu
Department Shares/Project Directories
The various department shares and project directories may be mounted from Gutenberg using samba just like Mac and Windows workstations access those shares.
smb://gutenberg.physics.purdue.edu
If you would like to mount a folder, you can use the following syntax in a terminal window.
# Make sure the location you're mounting to already exists (eg: /mount/UserGutenHome)
mount.smbfs -o rw,username=CareerAccount //gutenberg.physics.purdue.edu/Username /mount/UserGutenHome
In the above example, we mounted a home directory on gutenberg to /mount/UserGutenHome.
For more information, please see the Debian System Administrator's Guide on this topic.
Logins/Authentication
There are a number of solutions for accessing centralized authentication. We document them here to offer a choice of solutions depending upon users' needs.
It is generally a good idea to match the local userid and groupid to the department versions, so that files created on the workstation are owned by the same people if they are later transferred to other workstations. Your userid and groupid can be found via:
> ssh username@bohr.physics.purdue.edu
> id
uid=12345(username) gid=1234(group) groups=1234(group)
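The uid/gid comparison the paragraph above recommends can be done by hand, but it is easy to misread two long `id` lines. The following POSIX shell helper is an added example, not part of the original page: it parses two `id` output lines (the local one and the one captured from bohr) and reports any uid or primary-gid mismatch. The function and variable names are made up for this example.

```shell
#!/bin/sh
# Added example (not from the original page): compare the uid/gid a
# self-maintained workstation assigns to an account with the values
# `id` reports on bohr, so files moved between the two keep their owner.
# Usage:
#   ids_match "$(id)" "$(ssh username@bohr.physics.purdue.edu id)"

# Pull the numeric uid out of an `id` line such as
# "uid=12345(username) gid=1234(group) groups=1234(group)".
id_uid() {
    printf '%s\n' "$1" | sed -n 's/^uid=\([0-9][0-9]*\)(.*/\1/p'
}

# Pull the numeric primary gid out of the same line.
id_gid() {
    printf '%s\n' "$1" | sed -n 's/^uid=[0-9]*([^)]*) gid=\([0-9][0-9]*\)(.*/\1/p'
}

# ids_match LOCAL_ID_LINE REMOTE_ID_LINE
# Returns 0 when uid and gid agree, 1 when they differ (naming each
# mismatch on stdout), and 2 when a line could not be parsed.
ids_match() {
    local_uid=$(id_uid "$1"); remote_uid=$(id_uid "$2")
    local_gid=$(id_gid "$1"); remote_gid=$(id_gid "$2")
    if [ -z "$local_uid" ] || [ -z "$remote_uid" ]; then
        echo "could not parse uid from id output" >&2
        return 2
    fi
    status=0
    if [ "$local_uid" != "$remote_uid" ]; then
        echo "uid mismatch: local $local_uid, department $remote_uid"
        status=1
    fi
    if [ "$local_gid" != "$remote_gid" ]; then
        echo "gid mismatch: local $local_gid, department $remote_gid"
        status=1
    fi
    return $status
}
```

Only the uid and primary gid are compared; supplementary groups on bohr (the `groups=` list) are expected to differ from a workstation's and are ignored.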
LDAP/pam_cifs
The following setup is best suited for self-maintained users who want the convenience of having centralized authentication while also having the flexibility of an auto-mounted home directory.
The following directions show how to set up LDAP authentication with pam_cifs for home directory auto-mounting on an SLC5.3 Linux distribution. These directions assume a completely fresh and default system installation. You may need to tweak them for other distributions or system setups.
- Begin by disabling the firewall. This can be done at System → Administration → Security Level and Firewall. Set the firewall state to disabled and click OK.
- Install all updates
yum update
- Install necessary development packages
yum install pam-devel openldap-devel gcc
- Compile pam_cifs
cd /root
# -O keeps the saved file name clean; otherwise the ?use_mirror suffix ends up in the file name and tar cannot find it
wget -O pam-cifs-0.5.5.tgz 'http://downloads.sourceforge.net/project/pam-cifs/pam-cifs/pam-cifs-0.5.5/pam-cifs-0.5.5.tgz?use_mirror=cdnetworks-us-1'
tar zxvf pam-cifs-0.5.5.tgz
cd pam-cifs
vim Makefile
# Set the following changes:
#   max_uid = 524288
#   min_uid = 5000
#   windomain = '"ONEPURDUE"'
# then save and quit (:wq)
make all
make install
- Setup LDAP Authentication
- Use system-config-authentication to get started (System → Administration → Authentication).
- In the User Information tab, check Enable NIS Support and Enable LDAP Support. Next click the Configure NIS button. Use purdue-pcn for the NIS domain and volta.physics.purdue.edu for the server name. Click OK.
- On the Authentication tab, check Enable LDAP Support. Click the Configure LDAP button. Use TLS. LDAP search base dc=physics,dc=purdue,dc=edu. LDAP server volta.physics.purdue.edu. Ensure you have Thawte_Premium_Server_CA.pem where ldap.conf is looking for it. Click OK.
- On the Options tab, check Cache User Information and Local authorization is sufficient for local users. Click OK.
- Now confirm your configuration looks like this and replace file contents as necessary:
- /etc/ldap.conf
host volta.physics.purdue.edu
base dc=physics,dc=purdue,dc=edu
uri ldaps://volta.physics.purdue.edu
ssl start_tls
ssl on
ldap_version 3
tls_checkpeer yes
tls_cacertfile /usr/share/purple/ca-certs/Thawte_Premium_Server_CA.pem
tls_cacertdir /etc/openldap/cacerts
# you may need to symlink Thawte_Premium_Server_CA.pem in /etc/openldap/cacerts
rootbinddn cn=admin,dc=physics,dc=purdue,dc=edu
pam_password md5
# the following lines are additional and may not be required for most setups
nss_initgroups_ignoreusers root,ldap
# note: tls_reqcert allow accepts a server certificate that fails verification; remove it once the CA file above is in place
tls_reqcert allow
binddn cn=unsupported,dc=physics,dc=purdue,dc=edu
bindpw *********
# See PCN in person for the bindpw password
# Per University Policy we cannot email/publish passwords
- Be sure to change the permissions on your ldap.conf
chmod 0600 /etc/ldap.conf
- If it exists, remove /etc/ldap.secret as it is not needed and can lead to issues
rm /etc/ldap.secret
- /etc/yp.conf
domain purdue-pcn broadcast
- Next, finish pam_cifs setup by altering your system-auth file to match the one listed below:
- Edit /etc/pam.d/system-auth to look like the following config
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_cifs.so debug
auth        sufficient    pam_ldap.so use_first_pass debug
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so debug
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nis nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok debug
password    required      pam_deny.so

session     required      pam_limits.so
session     required      pam_mkhomedir.so umask=077 skel=/etc/skel
session     required      pam_unix.so
session     optional      pam_cifs.so debug background=0 prefix=/home mount_home=1 source=//gutenberg.physics.purdue.edu windomain=ONEPURDUE
- Depending on your user configuration, you may have to modify /etc/shells and/or install missing shell software before users can log in successfully.
- On login, a generic home directory is created for each user and their home directory on Gutenberg is then mounted over it.
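Several steps above are easy to get wrong and only show up later as failed or insecure logins: ldap.conf carries a bindpw and must be mode 0600, a leftover /etc/ldap.secret causes problems, and a tls_reqcert setting of allow or never makes tls_checkpeer ineffective because a server certificate that fails verification is still accepted. The following POSIX shell script is an added example, not part of the original page, that audits an ldap.conf for those three points before you rely on it; the function names and the sample file written in the usage comment are made up for this example.

```shell
#!/bin/sh
# Added example (not from the original page): sanity-check an ldap.conf
# produced by the steps above before relying on it for logins.
# Usage:
#   audit_ldap_conf /etc/ldap.conf /etc/ldap.secret && echo clean

# conf_value FILE DIRECTIVE
# Print the value of the first uncommented DIRECTIVE line in FILE.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]][[:space:]]*//p" "$1" | head -n 1
}

# file_mode FILE
# Octal permission bits of FILE, e.g. 600 (GNU stat, with a BSD fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# audit_ldap_conf CONF [SECRET_FILE]
# Prints one line per finding; returns 0 when clean, 1 otherwise.
audit_ldap_conf() {
    conf=$1
    secret=${2:-/etc/ldap.secret}
    status=0

    # A bindpw stored in the file means the file must not be world-readable.
    if [ -n "$(conf_value "$conf" bindpw)" ] && [ "$(file_mode "$conf")" != 600 ]; then
        echo "$conf contains bindpw but is mode $(file_mode "$conf"); run chmod 0600 $conf"
        status=1
    fi

    # The rootbinddn companion file is not needed here and can cause login issues.
    if [ -e "$secret" ]; then
        echo "$secret exists; remove it, it is not needed for this setup"
        status=1
    fi

    # allow/never accept an unverified or missing server certificate, so
    # tls_checkpeer yes no longer protects the bind against a spoofed server.
    reqcert=$(conf_value "$conf" tls_reqcert)
    case "$reqcert" in
        allow|never)
            echo "tls_reqcert $reqcert accepts an unverified server certificate; use demand once the CA file is installed"
            status=1 ;;
    esac

    return $status
}
```

Run it as root after editing ldap.conf and again after any authconfig run, since authconfig rewrites the file and can reset its contents.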
Known Issues
- The screensaver has issues when attempting to unlock for unknown reasons. Disable screensaver locking as a work-around to this.
