This is an old revision of the document!

Run automated config tasks with Ansible

ssh to ansible.socs and copy .ssh/rsa_id.pub to new vm .ssh/authorized_keys (append if exists already)
Add sysadmin account on new to local sudo group (via visudo, sudo must be installed)
Run scripts/dhcp-free-addresses.py to find a free 48.x ip (or 49.x if 48 exhausted). Student stuff can go directly on 49.x.
In ldapvi find the sOARecord for socs.uoguelph.ca and increment the first int in the line (this is picked up by an hourly cron on fluffy that will trigger bind dns to update).
- Also do the same for ldap record 514
On the ansible server, add name/ip of new machine to provision group in /etc/ansible/ hosts, run $ ansible -m ping provision
Run ansible-playbook playbook/role.yml (Make sure role.yml includes ldap2)

Kerberize host

run scripts/ldap-machine-create.py <machine name> <machine ip> “<text desc>”
on fluffy, run /usr/local/sbin/updatezone.sh this forces the Bind to update the zone records
BE CAREFUL NOW, THERE BE DRAGONS
- Run kadmin -l then: > get *<machine name>* to confirm that a record exists for the new vm
- If a similar machine exists, run get *server* to determine an appropriate principle for the service you plan to run (i.e. HTTP, postgres, mail, etc)
- Run the following, DO NOT FORGET TO INCLUDE –keytab=/somepath OTHERWISE fluffy's KEYTAB WILL BE OVERWRITTEN IE VERY BAD:
  - ext_keytab –keytab=/tmp/newvmname.keytab *newvmname*
scp keytab to new vm: /etc/krb5.keytab make sure /etc/krb5.conf is present

Restart autofs on new machine and confirm that ldap home dirs can be mounted
Unless other groups need ssh access, append simple_allow_groups = sysadmin to /etc/sssd/sssd.conf
In /etc/ssh/sshd_config uncomment GSSAPIAuthentication and GSSAPICleanupCredentials and set both to 'yes'. If you want to make sure only a specific group can access ssh, append AllowGroups sysadmin to the file.