School of Computer Science Wiki

Site Tools

Trace: 3410conda nagioscleanup nagioscerts 3401projector minio gocodegirl kubesupport 3110docker oracleheartbeat certrefresh
sysadmin:procedures:ldapkerbsetup

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
sysadmin:procedures:ldapkerbsetup [2018/02/21 18:04] dreasysadmin:procedures:ldapkerbsetup [Unknown date] (current) – removed - external edit (Unknown date) 127.0.0.1
Line 1: Line 1:
-====== Run automated config tasks with Ansible ====== 
  
-  * **ssh** to ansible.socs and copy //.ssh/rsa_id.pub// to new vm //.ssh/authorized_keys// (append if exists already) 
-  * Add sysadmin account on new to local sudo group (via **visudo**, sudo must be installed) 
-  * Run **scripts/dhcp-free-addresses.py** to find a free 48.x ip (or 49.x if 48 exhausted). Student stuff can go directly on 49.x. 
-  * In **ldapvi** find the sOARecord for socs.uoguelph.ca and increment the first int in the line (this is picked up by an hourly cron on fluffy that will trigger bind dns to update). 
-    * Also do the same for ldap record 512 (49.x ip's) or 514 (48.x) 
-  * On the ansible server, add name/ip of new machine to provision group in **/etc/ansible/** hosts, run **$ ansible -m ping provision** 
-  * Run **ansible-playbook playbook/role.yml** (Make sure role.yml includes //ldap2//) 
- 
-====== Kerberize host ====== 
-  
-  * run scripts/ldap-machine-create.py <machine name> <machine ip> "<text desc>" 
-  * on fluffy, run **/usr/local/sbin/updatezone.sh** this forces the Bind to update the zone records 
-  * BE CAREFUL NOW, THERE BE DRAGONS 
-    * Run **kadmin -l** then: > **get *<machine name>*** to confirm that a record exists for the new vm 
-    * If a similar machine exists, run get *server* to determine an appropriate principle for the service you plan to run (i.e. HTTP, postgres, mail,   etc) 
-    * Run the following, DO NOT FORGET TO INCLUDE **--keytab=/somepath** OTHERWISE fluffy's KEYTAB WILL BE OVERWRITTEN IE VERY BAD:  
-      * **ext_keytab --keytab=/tmp/newvmname.keytab *newvmname*** 
-  * **scp** keytab to new vm: ///etc/krb5.keytab// make sure ///etc/krb5.conf// is present 
- 
- 
-====== Final steps ====== 
- 
-  * Restart autofs on new machine and confirm that ldap home dirs can be mounted. A system reboot may be required before dirs will mount. 
-  * Unless other groups need ssh access, append //simple_allow_groups = sysadmin// to ///etc/sssd/sssd.conf// 
-  * In ///etc/ssh/sshd_config// uncomment //GSSAPIAuthentication// and //GSSAPICleanupCredentials// and set both to 'yes'. If you want to make sure only a specific group can access ssh, append AllowGroups sysadmin to the file. 
sysadmin/procedures/ldapkerbsetup.1519236240.txt.gz · Last modified: 2018/02/21 18:04 by drea