F12 ntp

March 19, 2010

To keep kerberos happy you need your client machines to have their clocks fairly well synchronised with the KDCs. The easiest way to achieve this is to use ntp. I’ve added an LCFG header, inf/options/ntp.h, which uses the file component to do a simple setup on F12. The file /etc/ntp.conf now just contains:

driftfile /var/lib/ntp/drift
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict -6 ::1
server ntp0.inf.ed.ac.uk
server ntp1.inf.ed.ac.uk
server ntp2.inf.ed.ac.uk
includefile /etc/ntp/crypto/pw
keys /etc/ntp/keys

As usual, one of the problems with the file component is that it cannot restart services after a configuration file has changed. So, once this is in place it is necessary to do /etc/init.d/ntpd restart.

If ntpd was not previously running (you can check first) then it is necessary to use chkconfig to activate the service:

# chkconfig --list ntpd
ntpd            0:off   1:off   2:off   3:off   4:off   5:off   6:off
# chkconfig --level 2345 ntpd on
# chkconfig --list ntpd
ntpd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
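As an added example (not from the original post or from LCFG itself), here is a small shell script that performs the restart-on-change step the file component cannot: it writes the ntp.conf shown above to a temporary file, installs it only when the contents differ from what is already in place, restarts ntpd in that case, and enables the service if chkconfig does not already report it on. The /etc paths are the F12 ones from the post; the "apply" argument guard is an assumption of the example so that the functions can be exercised on temporary files.

```shell
#!/bin/sh
# Added example, not code from the original post: install the ntp.conf from
# the post and restart ntpd only when the file actually changed.

NTP_CONF=/etc/ntp.conf        # path assumed from the post
NTP_INIT=/etc/init.d/ntpd     # F12 SysV init script, as used in the post

# write_ntp_conf FILE: write the ntp.conf content from the post to FILE.
write_ntp_conf() {
    cat > "$1" <<'EOF'
driftfile /var/lib/ntp/drift
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict -6 ::1
server ntp0.inf.ed.ac.uk
server ntp1.inf.ed.ac.uk
server ntp2.inf.ed.ac.uk
includefile /etc/ntp/crypto/pw
keys /etc/ntp/keys
EOF
}

# install_if_changed SRC DST: copy SRC over DST only when the contents differ.
# Returns 0 when DST was (re)written, 1 when it was already identical, so the
# caller knows whether a service restart is needed.
install_if_changed() {
    src=$1; dst=$2
    if [ -f "$dst" ] && cmp -s "$src" "$dst"; then
        return 1
    fi
    cp "$src" "$dst"
    chmod 644 "$dst"
    return 0
}

# service_enabled NAME: true if chkconfig reports NAME on in runlevel 3.
service_enabled() {
    chkconfig --list "$1" 2>/dev/null | grep -q '3:on'
}

# Only touch the live system when explicitly asked ("apply"), so the functions
# above can be tried out safely against temporary files first.
if [ "${1:-}" = "apply" ]; then
    tmp=$(mktemp)
    write_ntp_conf "$tmp"
    if install_if_changed "$tmp" "$NTP_CONF"; then
        "$NTP_INIT" restart
    fi
    rm -f "$tmp"
    service_enabled ntpd || chkconfig --level 2345 ntpd on
fi
```

Run it as root with `sh ntp-setup.sh apply`; a second run leaves ntpd alone because the file is unchanged.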

openafs on F12

March 10, 2010

Moving straight on from getting kerberized logins working, it’s time to get openafs running. The packages for F12 are all pre-compiled and the official repository supports yum, so that’s the easiest approach. Here is the yum repository config file (openafs.repo) for 1.4.11:

name=Openafs 1.4.11 for F12

Once that is in /etc/yum.repos.d, it is possible to do:

yum install openafs-authlibs openafs-client openafs-server openafs-krb5 openafs-docs

It is also necessary to grab a kmod-openafs package. For some reason I have experienced problems with the automatic support for this on F12, so it’s best to grab the correct version of the RPM for the running kernel from the openafs website and install it manually.

Once that is done:

echo inf.ed.ac.uk > /usr/vice/etc/ThisCell
/etc/init.d/openafs-client start

It might be necessary to also edit /etc/sysconfig/openafs. I made it contain:

AFSD_ARGS="-dynroot -afsdb -fakestat -daemons 5 -volumes 200 -chunksize 20  -nosettime"

Network, Kerberos and openssh on F12

March 10, 2010

Firstly we need to deactivate the nastiness that is NetworkManager and switch to configuring the network interface so that it comes up at boot time and uses DHCP to get an address and DNS configuration. This is done by using the system-config-network tool as root and doing an “Edit” on the eth0 device. After finishing the alterations the networking needs restarting with /etc/init.d/network restart.

To make sure this continues to work after a reboot, as root, do:

chkconfig --level 2345 NetworkManager off
chkconfig --level 2345 network on

As well as this, to get the machine to have the correct hostname and domain name, I had to edit /etc/hosts to look like:

127.0.0.1   localhost
::1         localhost bowmore.inf.ed.ac.uk bowmore

and set the domainname like:

domainname inf.ed.ac.uk

The next step is to start using kerberos for authentication and LDAP for user info. That is done using the system-config-authentication tool, again as root. The LDAP base DN is dc=inf,dc=ed,dc=ac,dc=uk and I used ldap://infdir.inf.ed.ac.uk for the server.

For kerberos authentication the realm is INF.ED.AC.UK; I didn’t list any KDCs but rather ticked both options to use DNS. The admin server is kdc.inf.ed.ac.uk:749.

If you don’t have AFS available then on the “Options” tab you probably want to select “Create home directories on first login”.

I can never be bothered with typing in my password all the time, so the next step is to get kerberos up and running and then configure openssh appropriately. Nicely, Fedora finally includes all the patches provided by Simon which we have been applying locally for years, so no rebuilding is necessary.

The next step is to grab the hostclient and host principals for the specific machine. If it is a new machine you will need to create it first; if it already exists then (as root) you can do something like:

kadmin -p squinney/admin \
            -q 'ktadd -k /etc/krb5.keytab host/foo.inf.ed.ac.uk'
kadmin -p squinney/admin \
            -q 'ktadd -k /etc/krb5.keytab hostclient/foo.inf.ed.ac.uk'

You can now configure openssh to work like a normal DICE machine. You will need to copy over /etc/ssh/ssh_config and /etc/ssh/sshd_config to your f12 machine. Note that the daemon config file is only visible by root. After reconfiguration restart the sshd.

It should now be possible to ssh in without a password!
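Before restarting sshd it is worth checking that the keytab really does hold both principals for the machine's FQDN, since a missing hostclient/ or host/ entry is the usual reason passwordless logins silently fall back to asking for a password. The following is an added example, not from the original post: a shell function that reads `klist -k` output and reports any of the two required principals that are absent. The keytab path and realm are taken from the post; the `check` argument guard and the use of `hostname -f` are assumptions of the example.

```shell
#!/bin/sh
# Added example, not code from the original post: verify that the keytab holds
# host/FQDN and hostclient/FQDN before sshd is restarted.

KEYTAB=/etc/krb5.keytab   # path from the post
REALM=INF.ED.AC.UK        # realm from the post

# missing_principals FQDN REALM < klist-output
# Reads "klist -k" output on stdin (second column is the principal name) and
# prints each required principal that is absent. Returns 0 when both are
# present, 1 otherwise.
missing_principals() {
    fqdn=$1; realm=$2; rc=0
    listing=$(cat)
    for svc in host hostclient; do
        princ="$svc/$fqdn@$realm"
        if ! printf '%s\n' "$listing" | awk '{print $2}' | grep -qxF "$princ"; then
            echo "$princ"
            rc=1
        fi
    done
    return $rc
}

# check_keytab FQDN: run klist against the real keytab and report what is missing.
check_keytab() {
    klist -k "$KEYTAB" | missing_principals "$1" "$REALM"
}

# Only consult the live keytab when asked ("check"), so the parsing function
# can be exercised on captured klist output.
if [ "${1:-}" = "check" ]; then
    host=$(hostname -f)
    if missing=$(check_keytab "$host"); then
        echo "keytab ok for $host; safe to restart sshd"
    else
        echo "missing from $KEYTAB:"
        echo "$missing"
        exit 1
    fi
fi
```

Run `sh keytab-check.sh check` as root on the F12 machine; the non-zero exit status makes it easy to gate the sshd restart on the result.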

Starting on F12/x86_64

March 10, 2010

I’ve made a start on the F12/x86_64 port. The first thing I did was to install from the F12 CD and make a base packages list:

rpm -qa --queryformat '%{NAME}-%{VERSION}-%{RELEASE}/%{ARCH}\n' \
    | perl -pe 's{/x86_64$}{}' > lcfg_f12_64_base.rpms

On this platform, at this stage, there are no packages with architectures other than x86_64 and noarch so I did not have to worry any more about getting the formatting correct.
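As an added example (not from the original post), here is the same list-building step wrapped in shell functions so the arch-stripping can be checked on constructed input before it is run against a live system: the native /x86_64 suffix is dropped, any other arch suffix (/noarch, /i686, ...) is kept, and a second function lists whatever non-x86_64, non-noarch packages remain, which is the case the post says did not arise at this stage. The output filename is the one from the post; the `build` argument guard and the sample package names in the test are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original post: build the base package list
# and make the formatting assumptions checkable.

# normalise_rpm_list < lines
# Input: one "NAME-VERSION-RELEASE/ARCH" line per package, as produced by the
# --queryformat in the post. Output: the same entries with the native
# "/x86_64" suffix removed, other arch suffixes kept, sorted and de-duplicated.
normalise_rpm_list() {
    sed 's|/x86_64$||' | sort -u
}

# foreign_arch_packages < normalised-lines
# Prints entries that still carry an arch suffix other than /noarch, i.e.
# packages that would need special handling in the LCFG base list.
# Succeeds even when there are none.
foreign_arch_packages() {
    grep '/' | grep -v '/noarch$' || true
}

# build_base_list OUTFILE: query the installed packages and write the list.
build_base_list() {
    rpm -qa --queryformat '%{NAME}-%{VERSION}-%{RELEASE}/%{ARCH}\n' \
        | normalise_rpm_list > "$1"
}

# Only query rpm when asked ("build"), so the filters can be tried on sample input.
if [ "${1:-}" = "build" ]; then
    build_base_list lcfg_f12_64_base.rpms
    echo "packages with a non-x86_64, non-noarch arch:"
    foreign_arch_packages < lcfg_f12_64_base.rpms
fi
```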

The next stage was to get yum working with our local repositories:

su -
perl -pi -e 's/enabled=1/enabled=0/' /etc/yum.repos.d/* /etc/yum/pluginconf.d/presto.conf
cd /etc/yum.repos.d/
wget http://homepages.inf.ed.ac.uk/squinney/inf-f12.repo
yum check-update

This deactivates any existing repositories in use and turns off the presto plugin which does the delta-rpm stuff which we do not need.

I have put together a yum configuration file for our Informatics F12 repository. Note that, by default, only the base directory is enabled. This makes it possible to easily install extra base packages with yum and know that the changes are directly applicable to the LCFG F12 base package lists. At a later point when updaterpms is installed and being run the updates can be applied.

F12 network configuration

February 17, 2010

I’ve been struggling to get an F12 machine installed and working with network logins enabled for a couple of days. I think I have finally worked out what is causing my troubles. F12 uses networkmanager to start networking, but that only happens after a user has logged in. That is clearly going to cause problems when you need the network up first to authenticate/authorize the user… You would think that when an installer offers the opportunity to configure network logins it would have the intelligence to switch to starting networking in the boot process. The solution is to boot single-user and run system-config-network and configure eth0 to use dhcp. This means hitting the tab key as soon as grub starts and then editing the boot command to add a -s to the boot prompt. You might also want to remove some of the graphical boot gubbins to see what is happening. A quick reboot and it should all be working.