Differences

This shows you the differences between two versions of the page.

--- sysadmin:procedures:ldapkerbsetup [2018/07/05 15:08] – drea
+++ sysadmin:procedures:ldapkerbsetup [Unknown date] (current) – removed - external edit (Unknown date) 127.0.0.1
@@ Line 1: / Line 1: @@
-====== Run automated config tasks with Ansible ======
-  * **ssh** to ansible.socs and copy //.ssh/rsa_id.pub// to new vm //.ssh/authorized_keys// (append if exists already)
-  * Add sysadmin account on new to local sudo group (via **visudo**, sudo must be installed)
-  * Run **scripts/dhcp-free-addresses.py** to find a free 48.x ip (or 49.x if 48 exhausted). Student stuff can go directly on 49.x.
-  * In **ldapvi** find the sOARecord for socs.uoguelph.ca (see **492 relativeDomainName=@** and increment the first int in the line (this is picked up by an hourly cron on fluffy that will trigger bind dns to update).
-    * Also do the same for ldap record 512 (49.x ip's) or 514 (48.x)
-  * On the ansible server, add name/ip of new machine to provision group in **/etc/ansible/** hosts, run **$ ansible -m ping provision**
-  * Run **ansible-playbook playbook/role.yml** (Make sure role.yml includes //ldap2//)
-====== Kerberize host ======
-**DEPRECATED - REPLACED BY KYLE'S POWERSHELL SCRIPT**
-  * run scripts/ldap-machine-create.py <machine name> <machine ip> "<text desc>"
-  * on fluffy, run **/usr/local/sbin/updatezone.sh** this forces the Bind to update the zone records
-  * BE CAREFUL NOW, THERE BE DRAGONS
-    * Run **kadmin -l** then: > **get *<machine name>*** to confirm that a record exists for the new vm
-    * If a similar machine exists, run get *server* to determine an appropriate principle for the service you plan to run (i.e. HTTP, postgres, mail,   etc)
-    * Run the following, DO NOT FORGET TO INCLUDE **--keytab=/somepath** OTHERWISE fluffy's KEYTAB WILL BE OVERWRITTEN IE VERY BAD:
-      * **ext_keytab --keytab=/tmp/newvmname.keytab *newvmname***
-  * **scp** keytab to new vm: ///etc/krb5.keytab// make sure ///etc/krb5.conf// is present
-====== Final steps ======
-  * Restart autofs on new machine and confirm that ldap home dirs can be mounted. A system reboot may be required before dirs will mount.
-  * Unless other groups need ssh access, append //simple_allow_groups = sysadmin// to ///etc/sssd/sssd.conf//
-  * In ///etc/ssh/sshd_config// uncomment //GSSAPIAuthentication// and //GSSAPICleanupCredentials// and set both to 'yes'. If you want to make sure only a specific group can access ssh, append AllowGroups sysadmin to the file.