sysadmin:procedures:ldapkerbsetup
Run automated config tasks with Ansible
- ssh to ansible.socs and copy .ssh/rsa_id.pub to the new VM's .ssh/authorized_keys (append if the file already exists)
- Add the sysadmin account on the new VM to the local sudo group (via visudo; sudo must be installed)
- Run scripts/dhcp-free-addresses.py to find a free 48.x IP (or 49.x if 48 is exhausted). Student stuff can go directly on 49.x.
- In ldapvi find the sOARecord for socs.uoguelph.ca (see record 492, relativeDomainName=@) and increment the first int in the line (this is picked up by an hourly cron on fluffy that triggers BIND to update the DNS zone).
- Also do the same for LDAP record 512 (49.x IPs) or 514 (48.x)
- On the ansible server, add the name/IP of the new machine to the provision group in /etc/ansible/hosts, then run $ ansible -m ping provision
- Run ansible-playbook playbook/role.yml (Make sure role.yml includes ldap2)
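The sOARecord step above is easy to get wrong by hand (bumping the wrong field, or a typo that leaves the serial lower than before, so BIND never reloads the zone). The helper below is an added example, not from the original page: it prints the new record value for you to paste into ldapvi, and reads the serial back so you can confirm before/after. It assumes the record has the usual "primary-ns contact serial refresh retry expire minimum" layout, so the first all-digit field is the serial; the sample value is constructed, not a real record from socs.uoguelph.ca.

```shell
#!/bin/sh
# Added example (not part of the original page): compute the bumped
# sOARecord value for the ldapvi step instead of hand-editing the serial.
# Assumes the first all-digit field of the record is the serial, i.e. the
# number BIND (and its secondaries) use to notice that the zone changed.

# bump_soa_serial "RECORD" -> prints RECORD with its first integer field +1
bump_soa_serial() {
  printf '%s\n' "$1" | awk '{
    for (i = 1; i <= NF; i++) {
      if ($i ~ /^[0-9]+$/) { $i = $i + 1; break }   # first all-digit field = serial
    }
    print
  }'
}

# soa_serial "RECORD" -> prints only the serial, for a before/after check
soa_serial() {
  printf '%s\n' "$1" | awk '{
    for (i = 1; i <= NF; i++) if ($i ~ /^[0-9]+$/) { print $i; exit }
  }'
}

# Constructed sample value (hypothetical names, not a record from the page)
SAMPLE_SOA='ns1.example.org. hostmaster.example.org. 2018070501 3600 900 604800 86400'

# Usage (paste the printed line into ldapvi for record 492):
#   old=$(soa_serial "$SAMPLE_SOA"); new=$(bump_soa_serial "$SAMPLE_SOA")
#   echo "serial $old -> $(soa_serial "$new)"; echo "$new"
```

Run it with the current sOARecord value pasted as the single argument; the printed serial pair is the check that you changed the right field and that it went up, not down. The same helper works unchanged for the 512/514 records if they carry an SOA line.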
Kerberize host
DEPRECATED - REPLACED BY KYLE'S POWERSHELL SCRIPT
- run scripts/ldap-machine-create.py <machine name> <machine ip> "<text desc>"
- on fluffy, run /usr/local/sbin/updatezone.sh; this forces BIND to update the zone records
- BE CAREFUL NOW, THERE BE DRAGONS
- Run kadmin -l, then: > get *<machine name>* to confirm that a record exists for the new VM
- If a similar machine exists, run get *server* to determine an appropriate principal for the service you plan to run (i.e. HTTP, postgres, mail, etc)
- Run the following, DO NOT FORGET TO INCLUDE --keytab=/somepath OTHERWISE fluffy's KEYTAB WILL BE OVERWRITTEN, IE VERY BAD:
- ext_keytab --keytab=/tmp/newvmname.keytab *newvmname*
- scp keytab to new vm: /etc/krb5.keytab make sure /etc/krb5.conf is present
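The warning above is the dangerous step of this whole procedure: without --keytab, Heimdal's ext_keytab writes into the KDC's own /etc/krb5.keytab. The wrapper below is an added example, not part of the original page or of the PowerShell script that replaced it. It refuses to run unless the output path is absolute and is not /etc/krb5.keytab, refuses to merge into a file that already exists, and lists what was written so you can see exactly which principals left the KDC. It assumes Heimdal's kadmin -l and ktutil, as the page does; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original page): guard the Heimdal
# "kadmin -l ext_keytab" step so the keytab can never land in fluffy's own
# /etc/krb5.keytab. Assumes Heimdal kadmin and ktutil are installed.

# safe_keytab_path PATH -> 0 if PATH is safe to write a new keytab to, 1 otherwise
safe_keytab_path() {
  case "$1" in
    ""|/etc/krb5.keytab) return 1 ;;   # empty or the KDC's own keytab: refuse
    /*)                  return 0 ;;   # absolute path elsewhere: ok
    *)                   return 1 ;;   # relative path: refuse, depends on cwd
  esac
}

# extract_keytab NEWVM OUTFILE
# Exports every principal matching *NEWVM* (the page's glob) into OUTFILE,
# then lists the result so the operator sees which principals were written.
extract_keytab() {
  vm=$1
  out=$2
  if [ -z "$vm" ]; then
    echo "usage: extract_keytab <newvmname> </abs/path/newvmname.keytab>" >&2
    return 1
  fi
  if ! safe_keytab_path "$out"; then
    echo "refusing to write keytab to '$out' (need an absolute path other than /etc/krb5.keytab)" >&2
    return 1
  fi
  if [ -e "$out" ]; then
    # never silently merge a new host's keys into a file that is already there
    echo "refusing to overwrite existing '$out'" >&2
    return 1
  fi
  kadmin -l ext_keytab --keytab="$out" "*$vm*" || return 1
  chmod 600 "$out"                # keytab holds long-term keys: owner-only
  ktutil -k "$out" list           # show the principals that were exported
}

# Usage, as root on the KDC (fluffy):
#   extract_keytab newvmname /tmp/newvmname.keytab
#   scp /tmp/newvmname.keytab newvmname:/etc/krb5.keytab && rm /tmp/newvmname.keytab
```

The ktutil listing at the end is worth reading before the scp: if the glob matched more principals than the one host (say, because the new name is a substring of an older machine's name), those keys would otherwise travel to the new VM unnoticed.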
Final steps
- Restart autofs on new machine and confirm that ldap home dirs can be mounted. A system reboot may be required before dirs will mount.
- Unless other groups need ssh access, append simple_allow_groups = sysadmin to /etc/sssd/sssd.conf
- In /etc/ssh/sshd_config uncomment GSSAPIAuthentication and GSSAPICleanupCredentials and set both to 'yes'. If you want to make sure only a specific group can access ssh, append AllowGroups sysadmin to the file.
sysadmin/procedures/ldapkerbsetup.1530803323.txt.gz · Last modified: 2018/07/05 15:08 by drea