Differences between revisions 3 and 222 (spanning 219 versions)
Revision 3 as of 2008-08-19 12:44:30 (size 1151, editor: sinatra) and revision 222 as of 2019-04-11 20:33:02 (size 22779, editor: 192).
<<TableOfContents(2)>>
= All Machines =

== Steps to do for installation ==
 * Add forward and reverse DNS entries for the machine. <!>
 * Add the machine to DHCP. <!>
 * Make sure all licenses required are on hand

== Steps to do after ==
 * Check everything works as expected
 * Email tech@ informing them that it has been set up/re-installed

= Windows Profiles =

Please see WindowsProfiles for more information on how these work / how you should manage them.

= Windows 7 =
== Steps to do before/during installation ==
 * --(Add forward and reverse DNS entries for the machine. <!>)--
 * --(Add the machine to DHCP. <!>)--
 * --(Add the machine to Samba (create a local account for it on musundo). <!>)--
== During/after installation ==
 * --(Install Windows XP SP2 and configure it to be part of the domain 'UCCDOMAIN'. <!>)--
 * Install device drivers (graphics and sound most importantly).
 * Install Win7 Pro, not the home edition, or you won't be able to add it to the domain
 * Make sure you create at least 2 disk partitions (or separate hard drives) - one for Windows, one for games/other
 * Enable the Administrator account and set it to use clubroom password. See [[http://www.howtogeek.com/howto/windows-vista/enable-the-hidden-administrator-account-on-windows-vista/]]
 * nuke the user you created during install
 * Join the machine to the domain `UCCDOMAYNE` as described in [[ActiveDirectory]]
  * --(Run the registry hack from [[https://wiki.samba.org/index.php/Required_Settings_for_Samba_NT4_Domains#Joining_Windows_7_and_Later_.2F_Windows_Server_2008_and_Later_to_a_Samba_NT4_Domain]] - you won't be able to add the machine to the domain without doing this) )--
  * --(Configure it to be part of the domain 'UCCDOMAIN'. (Control Panel, System, Advanced System Settings, Computer Name) ''Ignore the error message''.)--
 * Add Winadmins to computer administrators.
 * Add static route for 130.95.13.0/26: at a command prompt type:
 . {{{
route add -p 130.95.13.0 MASK 255.255.255.192 130.95.13.65
}}}
 . ''This prevents a VPN connection from trying to steal the default route to users' home directories.''
 * Enable pings (alternatively, follow [[http://www.fixya.com/support/r5359816-allow_ping_icmp_echo_request_windows_7]]):
 . {{{
netsh firewall set icmpsetting 8 enable
}}}
 * Install Chocolatey and the SOE packages
 * Set up drivers (particularly Graphics)
 * --(Add Winadmins to computer administrators.)--
= Windows 10 =

== Joining the Domayne ==

See the [[http://wiki.samba.org/index.php/Joining_a_Windows_Client_or_Server_to_a_Domain#Joining_a_Windows_Client_or_Server_to_a_Domain|Samba Docs]] for more information.

Follow the instructions in [[ActiveDirectory]].


== Fixing the "No logon servers available" error ==
If accounts are unable to log in and you get the "No logon servers available" error, do the following:
 * add the following line to the smb.conf file found at "/usr/local/etc/smb.conf" or uncomment the line if it is there:
 . {{{
# Be aware that this setting prevents your clients from using
# any SMB protocol version newer than SMB1 with this server!
max protocol = NT1
}}}
 * restart the service by typing
 . {{{
service samba_server restart
}}}
 * restart Windows 10
 * log in to an account on the UCCDOMAIN
 * comment out the "max protocol = NT1" line (it should work now without the line)
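The three Samba-side steps above (uncomment the line, restart, comment it out again) are easy to leave half done, and a server left on `max protocol = NT1` keeps every client on SMB1. The shell snippet below is an added example, not part of this page or of UCC's tooling: it toggles the line in a given smb.conf (defaulting to the /usr/local/etc/smb.conf path named above) and checks that it has been turned back off. The sample smb.conf contents are constructed, and `smb1_set`, `smb1_is_off` and `smb1_demo` are names chosen here.

```shell
#!/bin/sh
# Added example (not UCC's tooling): toggle the temporary SMB1 workaround in
# smb.conf and verify it is switched off again afterwards.
# Assumes POSIX sh, awk and grep; the default path is the one named on this page.

SMB_CONF="${SMB_CONF:-/usr/local/etc/smb.conf}"

# smb1_set FILE on|off
#   on : uncomment an existing "max protocol = NT1" line, or add one under [global]
#   off: comment the line out again (the final step of the procedure)
smb1_set() {
    conf="$1"; mode="$2"; tmp="$conf.tmp.$$"
    have=0
    grep -Eq '^[[:space:]]*#?[[:space:]]*max protocol[[:space:]]*=[[:space:]]*NT1[[:space:]]*$' "$conf" && have=1
    awk -v mode="$mode" -v have="$have" '
        /^[ \t]*#?[ \t]*max protocol[ \t]*=[ \t]*NT1[ \t]*$/ {
            if (mode == "on") print "max protocol = NT1"
            else              print "# max protocol = NT1"
            next
        }
        { print }
        # no such line anywhere in the file: add one right after [global]
        /^[ \t]*\[global\]/ && have == 0 && mode == "on" { print "max protocol = NT1" }
    ' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# smb1_is_off FILE: succeeds when no active "max protocol = NT1" line remains.
smb1_is_off() {
    ! grep -Eq '^[[:space:]]*max protocol[[:space:]]*=[[:space:]]*NT1[[:space:]]*$' "$1"
}

# smb1_demo: run the full sequence against a constructed smb.conf in a temp dir.
# Returns 0 when the workaround was enabled and then cleanly disabled again.
smb1_demo() {
    dir=$(mktemp -d) || return 1
    conf="$dir/smb.conf"
    # constructed sample, not a real UCC config
    printf '[global]\n\tworkgroup = UCCDOMAIN\n\t# max protocol = NT1\n' > "$conf"
    smb1_set "$conf" on
    if smb1_is_off "$conf"; then rm -rf "$dir"; return 1; fi   # must be active now
    # ... the Windows 10 client logs in here; then undo the workaround:
    smb1_set "$conf" off
    rc=0
    smb1_is_off "$conf" || rc=1
    rm -rf "$dir"
    return $rc
}
```

Run `smb1_set /usr/local/etc/smb.conf on`, restart Samba and log the client in as above, then `smb1_set /usr/local/etc/smb.conf off` and confirm with `smb1_is_off` before restarting again.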
== Software to install ==
 * --(7zip)--
 * --(OpenOffice)--
 * --(Media Player 11)--
 * --(Adobe Reader)--
 * --(Firefox)--
 * --(PuTTY)--
 * --(CD Burning Software)--
 * --(F-Prot Antivirus)--
 * --(VLC)--
 * --(Flash player)--
 * --(Daemon Tools)--
 * --(Windows Live messenger)--
 * --(Steam)--
 * --(Java Runtime Environment)--
 * --(Audacity)--
Software in this list should either be free to download and install, or something that the UCC has a license for.

Install the following packages with Chocolatey from an administrator PowerShell prompt. Afterwards, install Steam and Battle.net manually onto the games partition.

 . {{{
Set-ExecutionPolicy Bypass; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))

choco install -y googlechrome firefox flashplayerplugin microsoftsecurityessentials keepass.install notepadplusplus.install 7zip.install discord javaruntime vlc chocolateygui opera foxitreader hwmonitor paint.net gimp inkscape adobereader libreoffice winscp.install putty miktex texstudio windirstat lyx
}}}

Run the registry changes to hide the last logged in user: [[attachment:registry_hacks.reg]]

Install the OCS Inventory agent from https://www.ocsinventory-ng.org/en/. It maintains a registry of all our hardware and is used to determine which machines need upgrading. The server to point it at is ocsinventory.ucc.asn.au.

= Linux Servers =
 * At installation:
  * Avoid setting package sources to the UWA mirror as they are frequently out of date. AARNET seems to be the most reliable mirror at this stage
  * Beware of copying the apt_sources list from another server without copying the apt_preferences file too. You might suddenly find yourself with much newer versions of packages than you want.
  * The UCC standard install has all volumes in LVM on md RAID. Generally var and home are put on separate logical volumes from root. You had better have a good reason if you're not following this guideline!
 * Add a root user and nuke the initial unprivileged user:
  * That's as simple as running `passwd` as a super user, re-logging in as root and running `deluser` on the original user
 * If the machine has an SSD (or several thereof), ensure that TRIM (aka discard) is enabled at all layers (lvm and disk layer)
 * Set up DNS on [[Mooneye]]:
  * Add an entry to /etc/bind/domains/primary/ucc.machines then close the file and run zonemake.py in the same directory
  * If zonemake has errors, go back and fix them before proceeding!
  * Use `rndc reload` to get bind to reload the zone files
 * Set up DHCP on [[Murasoi]]:
  * Add the ethernet (MAC) address to /etc/dhcp/dhcpd.conf
  * Restart the DHCP server with `service isc-dhcp-server restart`
 * Set up NFS:
  * Only do this once you have DNS set up and working properly
  * Add the machine to the /etc/exports files on the appropriate servers ([[Motsugo]] for /home, [[Molmol]] (or just host "away") for /away and nortel+onetel for /services). Reload the server config with `exportfs -r` (Linux) or `service mountd reload` (FreeBSD)
  * Remember that only machines on the machine room subnet and physically within the machine room should mount /home while pretty much every machine should mount /away
  * Add the fstab line (copy off [[Motsugo]] or something)
  * `mount -av` and hope
 * Configure the SSH server:
  * Copy the SSH banner (usually in /etc/issue.net) from another server and modify it to suit
  * Ensure the correct banner file is set in /etc/ssh/sshd_config
  * Enable root ssh logins and X11 forwarding in /etc/ssh/sshd_config
  * Restart the SSH server and confirm all working
 * Add the UCC root SSH keys:
  * Add the hostname to /home/wheel/bin/uccroot/push.sh (this will add wheel keys to the machine when the script is run)
  * For adding non-wheelians to certain machines, add their public key to the <machine name>-extra in that same folder
  * Start an ssh-agent using {{{eval `ssh-agent`}}} and authenticate your root key using {{{ssh-add ~<username>/.ssh/id_rsa}}}, then run the updated push.sh script
 * Set up Active Directory. Follow the instructions at [[ActiveDirectory]]
 * Install dispense: Go to {{{/home/wheel/tpg/gitclones/opendispense2}}}, run {{{make -C src/client clean all}}} and copy {{{dispense}}} to {{{/usr/local/bin}}} on the target server.
 * Install postfix, set the mail host to {{{mailhost.ucc.gu.uwa.edu.au}}}
   * To have mail delivered locally, see [[http://www.postfix.org/STANDARD_CONFIGURATION_README.html|http://www.postfix.org/STANDARD_CONFIGURATION_README.html]]
 * Packages to install:
##these are formatted like this so you can paste them straight into the terminal after apt-get install, keep them in alphabetical order please. [BOB]
 . {{{
alpine apache2 biff finger fish joe ladvd logwatch molly-guard mosh ncurses-term ocsinventory-agent openbsd-inetd rkhunter rssh screen subversion sudo strace sxid tig tmux tshark vim zsh
}}}
 * For file servers, you should also install:
 . {{{
acl clamav iotop nfs-common nfs-kernel-server
}}}
 * Copy rkhunter.conf and mailname from another server
 * Install the UCC motd system on machines which mount /home:
  * Add the following line to /etc/inetd.conf:
  . {{{
motda stream tcp nowait root /home/wheel/bin/motd.update.sh motda
}}}
  * Also add the following line to /etc/services (keeping things in order!):
  . {{{
motda 377/tcp # UCC MOTD update
}}}
  * Finally, run vimotd as root on mussel, add the appropriate information and save the file (which then triggers a global motd push to all servers)
 * Add the following line to the bottom of /etc/rsyslog.conf to enable central logging
 . {{{
*.* @130.95.13.1
}}}
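As an added example (not UCC's own procedure or scripts), here is a shell snippet implementing the "Configure the SSH server" steps above so that they can be re-run safely: each directive replaces any existing or commented-out copy instead of appending a duplicate, global directives are kept above any `Match` block (sshd would otherwise scope them to that block), and the result is syntax-checked before the daemon is restarted. It sets `PermitRootLogin prohibit-password` rather than `yes`, so root logins work with the pushed wheel keys but not with a password; that choice, the function names and the sample sshd_config are this example's, not the page's.

```shell
#!/bin/sh
# Added example (not UCC's scripts): apply the "Configure the SSH server" steps
# idempotently and check the result before restarting sshd.
# Assumes POSIX sh and awk; paths default to the ones named on this page.

# sshd_set FILE KEYWORD VALUE
# Replace the first active or commented-out KEYWORD line with "KEYWORD VALUE",
# drop later duplicates (sshd honours the first occurrence), and never place
# the directive inside a Match block.
sshd_set() {
    conf="$1"; key="$2"; val="$3"; tmp="$conf.tmp.$$"
    awk -v key="$key" -v val="$val" '
        function word1(s,   w) {                 # first word, ignoring a leading "#"
            sub(/^[ \t]*#?[ \t]*/, "", s)
            split(s, w, /[ \t=]+/)
            return tolower(w[1])
        }
        {
            if (tolower($1) == "match") {        # the global section ends here
                if (!done) { print key " " val; done = 1 }
                inmatch = 1
            }
            if (!inmatch && word1($0) == tolower(key)) {
                if (!done) { print key " " val; done = 1 }
                next
            }
            print
        }
        END { if (!done) print key " " val }
    ' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# configure_sshd FILE [BANNER]: the three settings from the steps above.
configure_sshd() {
    conf="$1"; banner="${2:-/etc/issue.net}"
    sshd_set "$conf" Banner "$banner"
    # Key-only root login: works with the pushed wheel keys, refuses passwords.
    sshd_set "$conf" PermitRootLogin prohibit-password
    sshd_set "$conf" X11Forwarding yes
}

# sshd_check FILE: validate before restarting; a bad config locks you out.
sshd_check() {
    if command -v sshd >/dev/null 2>&1; then
        sshd -t -f "$1"
    else
        echo "sshd not installed here; skipping syntax check" >&2
    fi
}

# sshd_demo: exercise the functions on a constructed sshd_config in a temp dir.
# Returns 0 if the three directives end up active, unique and above the Match block.
sshd_demo() {
    dir=$(mktemp -d) || return 1
    conf="$dir/sshd_config"
    cat > "$conf" <<'EOF'
# constructed sample, mirrors the Debian defaults
#Banner none
X11Forwarding no
#PermitRootLogin prohibit-password
Match User git
    PermitRootLogin no
EOF
    configure_sshd "$conf"
    rc=0
    awk '
        /^Banner \/etc\/issue\.net$/          { b++ }
        /^PermitRootLogin prohibit-password$/ { p++; pl = NR }
        /^X11Forwarding yes$/                 { x++ }
        /^Match /                             { m = NR }
        END { exit !(b == 1 && p == 1 && x == 1 && pl < m) }
    ' "$conf" || rc=1
    rm -rf "$dir"
    return $rc
}
```

On a real server: `configure_sshd /etc/ssh/sshd_config && sshd_check /etc/ssh/sshd_config` and only then restart the service, from a session you keep open until a second login has succeeded.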

= Linux Desktops =
'''''Mint with cinnamon is the agreed SOE - don't install other operating systems or distros.'''''

 * Only install Linux Mint x64 Cinnamon
  * Do '''NOT''' install Mint KDE, Mint LXDE or Mint Mate
  * Do '''NOT''' install 32-bit Mint
  * Do '''NOT''' install Mint Debian - we want Mint built from Ubuntu
  * These instructions work for Linux Mint up to and including Mint 18.3. Mint 19 can and has been installed (e.g. on [[Porcupine]] and [[Cobra]]) but requires `realmd` to get AD working properly. This should be updated at some point.
 * Add a root user and nuke the initial unprivileged user
 * Set up [[ActiveDirectory|Active Directory]]
 * Ensure the wheel and sprocket groups have sudo permission (edit with {{{sudo visudo}}}):
 . {{{
%wheel ALL=(ALL:ALL) ALL
%sprocket ALL=(ALL:ALL) ALL
}}}
 * Modify /etc/fstab to mount /away
Something like this (differs with distro):
 . {{{
# Mint 17
away.ucc.gu.uwa.edu.au:/space/away/home /home nfs nfsvers=3,auto,rw,tcp,nosuid,nodev,rsize=8169,wsize=8169,soft 0 0
# Mint 18
# Note that in Mint 18.3 this line needs to be ABOVE the line that mounts swap, otherwise nfs fails to automount
away.ucc.gu.uwa.edu.au:/space/away/home /home nfs nfsvers=3,auto,rw,tcp,nosuid,nodev,rsize=8169,wsize=8169,soft,x-systemd.device-timeout=10,x-systemd-requires=network.target 0 1
}}}
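Both fstab lines above carry `nosuid,nodev`, which matters because /home and /away are writable by every member: without those options a setuid binary or device node dropped into a home directory would be honoured on every machine that mounts it. The Mint 18.3 ordering note is also easy to lose in a later edit. The shell function below is an added example (not from this page or UCC's tooling) that audits an fstab for both: every `nfs`/`nfs4` entry must have `nosuid` and `nodev`, and NFS entries must come before the swap entry. It applies equally to the server and Debian fstab lines elsewhere on this page; the function names and the sample fstab are constructed.

```shell
#!/bin/sh
# Added example (not UCC's tooling): audit fstab NFS entries for the options the
# SOE relies on.  Assumes POSIX sh and awk.

# audit_fstab FILE: print one finding per line; exit 0 when clean, 1 otherwise.
# Checks: nfs/nfs4 entries carry nosuid and nodev (writable shared homes must
# not honour setuid binaries or device nodes), and NFS entries come before the
# swap entry (Mint 18.3 otherwise fails to automount them, as noted above).
audit_fstab() {
    awk '
        /^[ \t]*(#|$)/ { next }                       # comments and blank lines
        NF < 4         { next }                       # not a complete fstab entry
        $3 == "swap" && !swapnr { swapnr = NR }
        $3 ~ /^nfs4?$/ {
            opts = "," $4 ","                         # so ",nosuid," matches whole words
            where = FILENAME ":" NR ": " $2
            if (opts !~ /,nosuid,/) { print where " is mounted without nosuid"; n++ }
            if (opts !~ /,nodev,/)  { print where " is mounted without nodev";  n++ }
            if (swapnr) { print where " is listed after the swap entry (line " swapnr ")"; n++ }
        }
        END { exit (n > 0) }
    ' "$1"
}

# fstab_demo: run the audit over a constructed fstab and echo the number of
# findings (3 for this sample: the /home line lacks nosuid, lacks nodev and
# sits below swap).
fstab_demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/fstab" <<'EOF'
# constructed sample, not a real machine's fstab
UUID=00000000-0000-0000-0000-000000000001 /     ext4  errors=remount-ro 0 1
UUID=00000000-0000-0000-0000-000000000002 none  swap  sw                0 0
away.ucc.gu.uwa.edu.au:/space/away/home   /home nfs   nfsvers=3,auto,rw,tcp,rsize=8169,wsize=8169,soft 0 0
EOF
    audit_fstab "$dir/fstab" | wc -l | tr -d ' '
    rm -rf "$dir"
}
```

`audit_fstab /etc/fstab` prints nothing and exits 0 on a machine set up as described; anything it prints is a line to fix before the next reboot.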

 * Add the following lines to /etc/network/interfaces. If you don't do this, network manager takes over the interface and nfs shares don't correctly mount at boot:
 . {{{
auto eth0
allow-hotplug eth0
iface eth0 inet dhcp
}}}
  * In Mint 19 and above, interface names are [[https://www.freedesktop.org/wiki/Software/systemd/PredictableNetworkInterfaceNames/|predictable]]; replace `eth0` with the actual interface name (something like `enp31s0`).
 * (MINT 18*,19) Create `/etc/systemd/network/<ifname>.network` and insert the following
 . {{{
[Match]
Name=<ifname>

[Network]
DHCP=ipv4
}}}

 * (MINT 18*,19) Run
 . {{{
systemctl enable systemd-resolved.service
systemctl enable systemd-networkd.service
systemctl start systemd-resolved.service
systemctl start systemd-networkd.service
}}}

 * Install ssh and nfs packages
 . {{{
nfs-common openssh-server
}}}

 * Add the UCC root SSH keys: add the hostname to /home/wheel/bin/uccroot/push.sh, then run that script.
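The `push.sh` mentioned above is UCC's own script and is not reproduced here. As an added example of the same idea, the snippet below assembles an authorized_keys file for one host from a directory of wheel public keys plus an optional `<hostname>-extra` file of additional keys, keeps only well-formed OpenSSH public-key lines, removes duplicates, and shows how the result would be installed on the target with the permissions sshd requires. The directory layout (`KEYDIR/wheel/*.pub`, `KEYDIR/<host>-extra`), the function names and the sample keys are all constructed for this example.

```shell
#!/bin/sh
# Added example (not UCC's push.sh): build and install a root authorized_keys
# file from shared wheel keys plus per-host extras.  Assumes POSIX sh, grep,
# awk and ssh; the KEYDIR layout is this example's own.

# build_authorized_keys KEYDIR HOST: write the merged key list to stdout.
# Only OpenSSH public-key lines are kept (no comments, no stray text), and a key
# listed in both wheel/ and HOST-extra appears once.
build_authorized_keys() {
    keydir="$1"; host="$2"
    {
        for f in "$keydir"/wheel/*.pub; do
            [ -f "$f" ] && cat "$f"
        done
        [ -f "$keydir/$host-extra" ] && cat "$keydir/$host-extra"
        :
    } | grep -E '^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp[0-9]+|sk-[a-z0-9-]+@openssh\.com) [A-Za-z0-9+/=]+' \
      | awk '!seen[$1 " " $2]++'          # dedupe on type+key, ignoring the comment
}

# push_root_keys KEYDIR HOST: install the list on HOST as root, atomically and
# with the permissions sshd insists on.  Not run by the demo below.
push_root_keys() {
    build_authorized_keys "$1" "$2" | ssh "root@$2" 'umask 077 && mkdir -p ~/.ssh &&
        cat > ~/.ssh/authorized_keys.new && mv ~/.ssh/authorized_keys.new ~/.ssh/authorized_keys'
}

# keys_demo: run the builder on a constructed KEYDIR and echo the number of keys
# selected for the constructed host "mussel" (3: two wheel keys plus one extra;
# the duplicate and the comment line are dropped).
keys_demo() {
    dir=$(mktemp -d) || return 1
    mkdir -p "$dir/wheel"
    # constructed key material, not real keys
    echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleWheelOne wheel1@ucc' > "$dir/wheel/wheel1.pub"
    echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQExampleWheelTwo wheel2@ucc' > "$dir/wheel/wheel2.pub"
    printf '%s\n%s\n%s\n' \
        '# extra keys for mussel' \
        'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleWheelOne wheel1@laptop' \
        'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleExtraUser extra@ucc' > "$dir/mussel-extra"
    build_authorized_keys "$dir" mussel | wc -l | tr -d ' '
    rm -rf "$dir"
}
```

Review `build_authorized_keys KEYDIR host` by eye before `push_root_keys KEYDIR host`; whatever that list contains has root on the target from then on.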

 Ensure the following packages are installed:
##these are formatted like this so you can paste them straight into the terminal after apt-get install, keep them in alphabetical order please. [BOB]
 . {{{
adobe-flashplugin arduino blender build-essential cvs chromium-browser eagle eclipse fish freeglut3-dev geeqie gimp glew-utils gnucash gtk2-engines-oxygen hugin inkscape jhead keepass2 ladvd libglew-dev libglew1.10 libreoffice locate mplayer nasm nfs-common nslcd ocsinventory-agent openjdk-7-jdk openssh-server pepperflashplugin-nonfree pidgin python remmina remmina-plugin-rdp rdesktop rssh subversion thunderbird tig vim-gtk vlc zsh
}}}


 * The server for ocs inventory is ocsinventory.ucc.gu.uwa.edu.au

 * Run the following commands to install Google Chrome (Chromium is already installed). Do not install it from a .deb downloaded in a web browser, because it then doesn't update automatically:
 . {{{
sudo add-apt-repository "deb http://dl.google.com/linux/chrome/deb/ stable main"
wget -q -O - https://dl-ssl.google.com/linux/linux_signing_key.pub | sudo apt-key add -
sudo apt-get update
sudo aptitude install google-chrome-stable
}}}

 * Set up the current printer - (`blacklight` at time of writing)
  * Open the print control panel
  * Add printer directly (list its hostname in the insert field)
  * If the definition file cannot be located, download from the manufacturer's website (some googling may be required)

 Then install these (non-crucial, and they take a long time):
 . {{{
apt-get install lyx texlive
}}}

 * Log in and go to login window preferences in the main menu
  * Set theme to elegance
  * Go to options and deselect "automatically select the last logged in user"
  * Also change the default session from "Automatically detected" to "cinnamon"


Install vivaldi browser (there's no repo package at the moment) - go to https://www.vivaldi.com and install from there

== Linux Laptops ==
 * These are not part of the SOE; set them up however you like, but try to follow the instructions above for Linux desktops.

=== Proprietary NVidia Drivers ===
NOTE: nouveau is preferred if it works, as it integrates with the kernel.

 1. Locate the driver edition for the card (the major number of the driver version specified on http://www.nvidia.com/Download/index.aspx?lang=en-us)
  * DON'T DOWNLOAD FROM HERE
  * Remember to select "Linux x64" as the OS
 1. Install the relevant package `sudo apt-get install nvidia-<VER>`
  * E.g. `nvidia-340` for the GeForce 9600
 1. Reboot
 1. If the graphics don't work (e.g. falls back to software rendering), `sudo apt-get purge nvidia-<VER>`

== Debian or Ubuntu ==
 * Add a root user and nuke the initial unprivileged user
 * Ensure the package sources are pointing at AARNET's mirror, not UWA's
 * Set up [[LDAP]] by following the instructions in the linux servers section of this page
 * Modify /etc/fstab to mount /away
Something like this (differs with distro):
 . {{{
services.ucc.gu.uwa.edu.au:/space/away/home /home nfs nfsvers=3,auto,rw,tcp,nosuid,nodev,rsize=8169,wsize=8169,soft 0 0
}}}
 * Add the UCC root SSH keys: add the hostname to /home/wheel/bin/uccroot/push.sh, then run that script.

 Ensure the following packages are installed:
##these are formatted like this so you can paste them straight into the terminal after apt-get install, keep them in alphabetical order please. [BOB]
 . {{{
blender build-essential cvs chromium-browser compizconfig-settings-manager freeglut3-dev geeqie gimp glew-utils gnome-desktop-environment gnucash hugin inkscape jhead joe keepass2 ladvd libglew-dev libglew1.8 locate mplayer nasm nfs-common nslcd pidgin rssh openjdk-7-jdk openssh-server python remmina subversion thunderbird tig ubuntu-restricted-extras vim-gtk vlc zsh
}}}
Ensure the following packages are NOT installed:
 . {{{
ubuntuone-client unity-lens-shopping
}}}
Then install these (non-crucial, and they take a long time):
 . {{{
apt-get install lyx
}}}

 * Ensure the wheel and sprocket groups have sudo permission (edit with {{{sudo visudo}}}):
 . {{{
%wheel ALL=(ALL:ALL) ALL
%sprocket ALL=(ALL:ALL) ALL
}}}

Install vivaldi browser (there's no repo package at the moment) - go to https://www.vivaldi.com and install from there

=== Graphics Don't Work? ===

If you get messages like "Hooray! GNOME3 won't work because your graphics hardware does not support it", or {{{glxinfo}}} segfaults, or {{{glxgears}}} does not show anything,
then you have entered the wonderful world of troubleshooting graphics drivers!

NVidia should just work. If you have problems, remove the {{{nouveau}}} driver and replace it with the non-free {{{nvidia}}} driver.

If things seem totally fucked, you probably have an AMD graphics card. Eg:
 . {{{
    $ lspci | grep vga
    00:01.0 VGA compatible controller: Advanced Micro Devices [AMD] nee ATI BeaverCreek [Radeon HD 6550D]
}}}

You have two options; if one doesn't work try the other.

 * Install the debian {{{non-free}}} version of {{{fglrx}}} which may or may not explode
 * Install the official AMD {{{fglrx}}} which will definitely explode but may take longer to do so: [[http://support.amd.com/en-us/download]]

If none of this works you are doomed and need to try a different OS. However, debian or ubuntu are usually actually the best for {{{fglrx}}}, so you're probably still doomed.

== OpenSUSE ==
 * Rule 1: don't go messing with text config files (e.g. LDAP, PAM, nsswitch) - OpenSUSE is mostly configured through the GUI, and you'll be frustrated if you try to mix the two.
 * You can put it on ldap within the installer, so you won't need to create an unprivileged account like in Ubuntu
 * Put the machine on LDAP
  * Open YaST, either from the GUI or the command line, and select 'LDAP Client'
   * Set the address of LDAP servers to `mussel.ucc.gu.uwa.edu.au motsugo.ucc.gu.uwa.edu.au`
   * Click on 'Fetch DN' and the UCC dn should appear
   * 'Use LDAP' should be selected, deselect all other checkboxes
   * Click on advanced configuration
    * Deselect 'Use SSSD'
    * Set the user map to ou=People,dc=ucc,dc=gu,dc=uwa,dc=edu,dc=au
    * Set the password map to dc=ucc,dc=gu,dc=uwa,dc=edu,dc=au
    * Set the group map to ou=group,dc=ucc,dc=gu,dc=uwa,dc=edu,dc=au
  * Run the following commands from a terminal as root:
   * `pam-config -a --ldap`
   * `pam-config -d --sss`
   * Running `id accmurph` should show `uid=666(accmurph) gid=666(winadmin) groups=666(winadmin)` if everything is working
 * Mount user home directories
  * Ensure there is a /away export to the machine from mylah
  * Delete or move the old /home directory: `rm -rf /home` (don't even leave an empty directory in / )
  * Set up automounting of home directories
   * OpenSUSE 11.4:
     * Uncomment the "/net -hosts" line in /etc/auto.master
     * Ensure you can ping mylah
     * Open YaST, go to 'System Services (Runlevel)', and enable the autofs and rpcbind services FROM SIMPLE MODE
     * Create a magic link to the home directories `ln -s /net/mylah/space/away/home /home`
     * Check this works by going to /home and listing the directory contents
     * If things aren't working the way they should, test mounting /away manually with the `mount` command after creating the /home directory. Don't forget to unmount /home and delete the empty directory when you're done.
   * OpenSUSE 12.2:
     * autofs is deprecated! Yay! We use systemd now.
     * From YaST, go to 'System Services (Runlevel)', and enable the 'nfs' and 'rpcbind' services.
     * Edit /etc/fstab (even though, strictly speaking, it's deprecated -- gotta love systemd)
     * Add this line:
     . {{{
services.ucc.gu.uwa.edu.au:/space/away/home /home nfs nfsvers=3,rw,tcp,nosuid,nodev,rsize=8169,wsize=8169,soft,nolock,noauto,comment=systemd.automount 0 0
}}}
     * Maybe reboot (it can't hurt, right...)
     * ls /home (or do something in the directory in order to make it mount)
     * Everything should work
   * Check this is still working after a reboot!
 * Run a quick upgrade of all packages using `zypper up` before going any further.
 * The package management tool in OpenSUSE is zypper. Install the following packages using `zypper install` from a terminal
 . {{{
blender compiz compiz-plugins-extra compizconfig-settings-manager findutils-locate finger freeglut-devel glew glew-devel gcc geeqie gimp git hugin jhead joe nasm opera pidgin MozillaThunderbird zsh
}}}
 * OpenSUSE also supports 'pattern' packages (much like the build-essential package in Debian). Install the following patterns using `zypper install -t pattern`
 . {{{
devel_C_C++ devel_ide devel_java devel_mono devel_perl devel_python devel_qt4 devel_rpm_build devel_ruby devel_web remote_desktop
}}}
 * OpenSUSE 11.4 only: Compiz on OpenSUSE 11.4 has a problem where compiz-manager doesn't start correctly for users running compiz, so those users have no window borders. This can be fixed by creating /etc/xdg/autostart/compiz-manager.desktop with the following contents:
 . {{{
[Desktop Entry]
Type=Application
Exec=/usr/bin/compiz-manager
Hidden=false
X-GNOME-Autostart-enabled=true
Name[C]=Compiz Manager (fix)
Name=Compiz Manager (fix)
Comment[C]=Fixes the annoying issue
Comment=Fixes the annoying issue
}}}
 * Install suitable graphics drivers. For ATI and nVidia chips see: http://en.opensuse.org/SDB:ATI_drivers and http://en.opensuse.org/SDB:NVIDIA_drivers
  * To use nouveau instead of nvidia, remove nvidia-computeG02 nvidia-gfxG02-kmp-desktop x11-video-nvidiaG02 and install Mesa-nouveau3d
  * Check compiz is working after a reboot (wobbly windows!)
 * Install vlc from this site: http://www.videolan.org/vlc/download-suse.html
 * Install google chrome (these instructions assume 64-bit openSUSE)
  * `wget https://dl-ssl.google.com/linux/direct/google-chrome-stable_current_x86_64.rpm`
  * `zypper install google-chrome-stable_current_x86_64.rpm`
 * Enable ssh and add the root keys:
  * Enable the sshd service through YaST
  * Allow Secure Shell Server through the firewall using YaST
  * Add the hostname to /home/wheel/bin/uccroot/push.sh and run that script
 * Add wheel to sudoers using visudo, and delete the two lines in the file that are mentioned in the comments in the file
 * Add printers. Phosphorous on mussel is currently best added as a samba printer

= Mac Desktops =
 * Do a fresh install of the operating system
 * Enable Remote Login http://support.apple.com/kb/PH18726
 * Add the UCC CA
  * Download https://ucc.asn.au/UCC-CA.crt
  * Add to System keychain
  * Trust root certificate
 * Settings > Users and Groups > Join Network Account Server
   * Open Directory Utility
    * Select LDAP then click the pencil icon
    * Add mussel.ucc.gu.uwa.edu.au
    * Enable Encrypt using SSL
   * Set RFC2307 mappings
   * Set search base to `dc=ucc,dc=gu,dc=uwa,dc=edu,dc=au`
   * Edit the server settings
    * Disable "Use custom port"
 * Set up home directories
  * Open terminal and sudo to root
  * `mv /home /home2` to move the old `/home` out of the way, probably something still has it open
  * `ln -s /net/services.ucc.gu.uwa.edu.au/space/away/home /home` to use the automounter for `/home`, if you don't understand this, ask.
  * `ls -l /home` should now show `ucc`, `wheel`, etc. If not you need to work out why.
 * Reboot and SSH etc. should work.

----
CategorySystemAdministration

One day, it would be nice to have a standard operating environment for UCC clubroom machines. Currently the state of them could be described as varying degrees of broken, partly due to having no defined procedure for setting them up. The purpose of this page is to brainstorm what this procedure should be.

Steps marked with <!> require a wheel member, anything else can be done by a winadmin.

All Machines

Steps to do for installation

  • Add forward and reverse DNS entries for the machine. <!>

  • Add the machine to DHCP. <!>

  • Make sure all licenses required are on hand

Steps to do after

  • Check everything works as expected
  • Email tech@ Informing them that it has been set up/re-installed

Windows Profiles

Please see WindowsProfiles for more information on how these work / how you should manage them.

Windows 7

Steps to do before/during installation

During/after installation

Windows 10

Joining the Domayne

See the Samba Docs for more information.

Follow the instruxtions in ActiveDirectory.

Fixing the "No logon servers available" error

If accounts are unable to login, and you get the "No logon servers available" error do the following:

  • add the following line to the smb.conf file found at "/usr/local/etc/smb.conf" or uncomment the line if it is there:
  • # Be aware, that this setting prevent your clients to use
    # newer SMB protocol versions, than SMB1 with this server!
    max protocol = NT1
  • restart the service by typing
  • service samba_server restart
  • restart windows 10
  • log in to an account on the UCCDOMAIN
  • comment out the "max protocol = NT1" line (it should work now without the line)

Software to install

Software in this list should either be free to download and install, or something that the UCC has a license for.

Install the following packages using administrator powershell using chocolatey. After which install steam and battle.net manually onto the games partition.

  • Set-ExecutionPolicy Bypass; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))
    
     choco install -y googlechrome firefox flashplayerplugin  microsoftsecurityessentials keepass.install notepadplusplus.install 7zip.install discord javaruntime vlc chocolateygui opera foxitreader hwmonitor paint.net gimp inkscape adobereader libreoffice winscp.install putty miktex texstudio windirstat lyx

Run the registry changes to hide the last logged in user: registry_hacks.reg

Install ocsinventory agent from https://www.ocsinventory-ng.org/en/ . This software maintains a registry of all our hardware and is used to determine which machines need upgrading. The server to point it at is ocsinventory.ucc.asn.au

Linux Servers

  • At installation:
    • Avoid setting package sources to the UWA mirror as they are frequently out of date. AARNET seems to be the most reliable mirror at this stage
    • Beware of copying the apt_sources list from another server without copying the apt_preferences file too. You might suddenly find yourself with much newer versions of packages than you want.
    • The UCC standard install has all volumes in LVM on md raid. Generally var and home are put on a separate logical volume to root. You had better have a good reason if you're not following this guideline!
  • Add a root user and nuke the initial unprivileged user:
    • That's as simple as running passwd as a super user, re-logging in as root and running deluser on the original user

  • If the machine has an SSD (or several thereof), ensure that TRIM (aka discard) is enabled at all layers (lvm and disk layer)
  • Set up DNS on Mooneye:

    • Add an entry to /etc/bind/domains/primary/ucc.machines then close the file and run zonemake.py in the same directory
    • If zonemake has errors, go back and fix them before proceeding!
    • Use rndc reload to get bind to reload the zone files

  • Set up DHCP on Murasoi:

    • Add the ethernet (MAC) address /etc/dhcp/dhcpd.conf
    • Restart the DHCP server with service isc-dhcp-server restart

  • Set up NFS:
    • Only do this once you have DNS set up and working properly
    • Add the machine to the /etc/exports files on the appropriate servers (Motsugo for /home, Molmol (or just host "away") for /away and nortel+onetel for /services). Reload the server config with exportfs -r (Linux) or service mountd reload (FreeBSD)

    • Remember that only machines on the machine room subnet and physically within the machine room should mount /home while pretty much every machine should mount /away
    • Add the fstab line (copy off Motsugo or something)

    • mount -av and hope

  • Configure the SSH server:
    • Copy the SSH banner (usually in /etc/issue.net) from another server and modify it to suit
    • Ensure the correct banner file is set in /etc/ssh/sshd_config
    • Enable root ssh logins and X11 forwarding in /etc/ssh/sshd_config
    • Restart the SSH server and confirm all working
  • Add the UCC root SSH keys:
    • Add the hostname to /home/wheel/bin/uccroot/push.sh (this will add wheel keys to the machine when the script is run)
    • For adding non-wheelians to certain machines, add their public key to the <machine name>-extra in that same folder

    • Start an ssh-agent using eval `ssh-agent` and authenticate your root key using ssh-add ~<username>/.ssh/id_rsa, then run the updated push.sh script

  • Setup Active Directory. Follow the instructions at ActiveDirectory

  • Install dispense: Go to /home/wheel/tpg/gitclones/opendispense2, run make -C src/client clean all and copy dispense to /usr/local/bin on the target server.

  • Install postfix, set the mail host to mailhost.ucc.gu.uwa.edu.au

  • Packages to install:

  • alpine apache2 biff finger fish joe ladvd logwatch molly-guard mosh ncurses-term ocsinventory-agent openbsd-inetd rkhunter rssh screen subversion sudo strace sxid tig tmux tshark vim zsh 
  • For file servers, you should also install:
  • acl clamav iotop nfs-common nfs-kernel-server
  • Copy rkhunter.conf, mailname from another server
  • Install the UCC motd system on machines which mount /home:
    • Add the following line to /etc/inetd.conf:
    • motda   stream  tcp     nowait  root    /home/wheel/bin/motd.update.sh motda
    • Also add the following line to /etc/services (keeping things in order!):
    • motda           377/tcp                        # UCC MOTD update
    • Finally, run vimotd as root on mussel, add the appropriate information and save the file (which then triggers a global motd push to all servers)
  • Add the following line to the bottom of /etc/rsyslog.conf to enable central logging
  • *.* @130.95.13.1

Linux Desktops

Mint with cinnamon is the agreed SOE - don't install other operating systems or distros.

  • Only install Linux Mint x64 Cinnamon
    • Do NOT install Mint KDE, Mint LXDE or Mint Mate

    • Do NOT install 32-bit Mint

    • Do NOT install Mint Debian - we want Mint built from Ubuntu

    • These instructions work for Linux Mint up to and including Mint 18.3. Mint 19 can and has been installed (eg. on Porcupine and Cobra) but requires realmd to get AD working properly. This should be updated at some point.

  • Add a root user and nuke the initial unprivileged user
  • Set up Active Directory

  • Ensure wheel group and sprocket group have sudo permission sudo visudo

  • %wheel ALL=(ALL:ALL) ALL
    %sprocket ALL=(ALL:ALL) ALL
  • Modify /etc/fstab to mount /away

Something like this (differs with distro):

  • # Mint 17
    away.ucc.gu.uwa.edu.au:/space/away/home     /home   nfs     nfsvers=3,auto,rw,tcp,nosuid,nodev,rsize=8169,wsize=8169,soft   0       0
    # Mint 18
    # Note that in Mint 18.3 this line needs to be ABOVE the line that mounts swap, otherwise nfs fails to automount
    away.ucc.gu.uwa.edu.au:/space/away/home     /home   nfs     nfsvers=3,auto,rw,tcp,nosuid,nodev,rsize=8169,wsize=8169,soft,x-systemd.device-timeout=10,x-systemd-requires=network.target      0       1
  • Add the following lines to /etc/network/interfaces. If you don't do this, network manager takes over the interface and nfs shares don't correctly mount at boot:
  • auto eth0
    allow-hotplug eth0
    iface eth0 inet dhcp
    • In Mint 19 and above, the default network names are predictable and replace eth0 with the appropriate interface name (something like enp31s0).

  • (MINT 18*,19) Create /etc/systemd/network/<ifname>.network and insert the following

  • [Match]
    Name=<ifname>
    
    [Network]
    DHCP=ipv4
  • (MINT 18*,19) Run
  • systemctl enable systemd-resolved.service
    systemctl enable systemd-networkd.service
    systemctl start systemd-resolved.service
    systemctl start systemd-networkd.service
  • Install ssh and nfs packages
  • nfs-common openssh-server
  • Add the UCC root SSH keys: add the hostname to /home/wheel/bin/uccroot/push.sh, then run that script. Ensure the following packages are installed:

  • adobe-flashplugin arduino blender build-essential cvs chromium-browser eagle eclipse fish freeglut3-dev geeqie gimp glew-utils gnucash gtk2-engines-oxygen hugin inkscape jhead keepass2 ladvd libglew-dev libglew1.10 libreoffice locate mplayer nasm nfs-common nslcd ocsinventory-agent openjdk-7-jdk openssh-server pepperflashplugin-nonfree pidgin python remmina remmina-plugin-rdp rdesktop rssh subversion thunderbird tig vim-gtk vlc zsh
  • The server for ocs inventory is ocsinventory.ucc.gu.uwa.edu.au
  • Run the following commands to install google chrome (chromium is already installed). Do not install using a .deb from a web browser because it then doesn't automatically update:
  • sudo add-apt-repository "deb http://dl.google.com/linux/chrome/deb/ stable main"
    wget -q -O - https://dl-ssl.google.com/linux/linux_signing_key.pub | sudo apt-key add -
    sudo apt-get update
    sudo aptitude install google-chrome-stable
  • Set up the current printer (blacklight at time of writing):

    • Open the print control panel
    • Add printer directly (list its hostname in the insert field)
    • If the definition file cannot be located, download from the manufacturer's website (some googling may be required)
    then (These ones are non-crucial/take a long time)
  • apt-get install {lyx texlive}
  • Log in and go to login window preferences in the main menu
    • Set theme to elegance
    • Go to options and deselect "automatically select the last logged in user"
    • Also change the default session from "Automatically detected" to "cinnamon"

Install vivaldi browser (there's no repo package at the moment) - go to https://www.vivaldi.com and install from there

Linux Laptops

  • These are not part of the SOE, set them up however you like, but try to follow the instructions above for Linux desktops.

Proprietary NVidia Drivers

NOTE: nouveau is preferred if it works, as it integrates with the kernel.

  1. Locate the driver edition for the card (the major number of the driver version specified on http://www.nvidia.com/Download/index.aspx?lang=en-us)

    • DON'T DOWNLOAD FROM HERE
    • Remember to select "Linux x64" as the OS
  2. Install the relevant package: sudo apt-get install nvidia-<VER>

    • E.g. nvidia-340 for the GeForce 9600

  3. Reboot
  4. If the graphics don't work (e.g. it falls back to software rendering), run sudo apt-get purge nvidia-<VER>

Debian or Ubuntu

  • Add a root user and nuke the initial unprivileged user
  • Ensure the package sources are pointing at AARNET's mirror, not UWA's
  • Set up LDAP by following the instructions in the linux servers section of this page

  • Modify /etc/fstab to mount /away

Something like this (differs with distro):

  • services.ucc.gu.uwa.edu.au:/space/away/home     /home   nfs     nfsvers=3,auto,rw,tcp,nosuid,nodev,rsize=8169,wsize=8169,soft   0       0
  • Add the UCC root SSH keys: add the hostname to /home/wheel/bin/uccroot/push.sh, then run that script. Ensure the following packages are installed:

  • blender build-essential cvs chromium-browser compizconfig-settings-manager freeglut3-dev geeqie gimp glew-utils gnome-desktop-environment gnucash hugin inkscape jhead joe keepass2 ladvd libglew-dev libglew1.8 locate mplayer nasm nfs-common nslcd pidgin rssh openjdk-7-jdk openssh-server python remmina subversion thunderbird tig ubuntu-restricted-extras vim-gtk vlc zsh

Ensure the following packages are NOT installed:

  • ubuntuone-client unity-lens-shopping

then (These ones are non-crucial/take a long time) apt-get install {lyx}

  • Ensure the wheel and sprocket groups have sudo permission (sudo visudo):

  • %wheel ALL=(ALL:ALL) ALL
    %sprocket ALL=(ALL:ALL) ALL

Install vivaldi browser (there's no repo package at the moment) - go to https://www.vivaldi.com and install from there
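The /etc/fstab entries in the Mint and Debian steps above carry nosuid and nodev on the NFS /home mount, and on Mint 18.3 the NFS line has to sit above the swap line. The following is an added example (not part of the wiki or the UCC scripts) that audits an fstab for exactly those two things; it assumes only a POSIX shell, and the sample entries are constructed with placeholder UUIDs.

```shell
#!/bin/sh
# Added example: audit an fstab for the NFS /home mount described above.
# Reports any nfs entry lacking nosuid or nodev, and an NFS /home line that
# comes after a swap line (the Mint 18.3 ordering caveat).
# Usage: check_fstab < /etc/fstab   (exit status 0 = ok, 1 = problems found)

# Return 0 if the comma-separated option list $1 contains option $2.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

check_fstab() {
    status=0 n=0 nfs_line=0 swap_line=0
    # fstab fields: device mountpoint fstype options [dump pass]
    while read -r dev mnt fstype opts _ || [ -n "$dev" ]; do
        n=$((n + 1))
        case "$dev" in ''|'#'*) continue ;; esac   # skip blanks and comments
        if [ -z "$opts" ]; then
            echo "line $n: malformed entry"; status=1; continue
        fi
        case "$fstype" in
            nfs|nfs4)
                [ "$mnt" = /home ] && [ "$nfs_line" -eq 0 ] && nfs_line=$n
                for o in nosuid nodev; do
                    has_opt "$opts" "$o" || { echo "line $n: $mnt lacks $o"; status=1; }
                done ;;
            swap)
                [ "$swap_line" -eq 0 ] && swap_line=$n ;;
        esac
    done
    if [ "$nfs_line" -gt 0 ] && [ "$swap_line" -gt 0 ] && [ "$nfs_line" -gt "$swap_line" ]; then
        echo "line $nfs_line: NFS /home entry must be above the swap entry (line $swap_line)"
        status=1
    fi
    return "$status"
}

# Constructed samples modelled on the Mint 18 entry (UUIDs are placeholders).
SAMPLE_GOOD='away.ucc.gu.uwa.edu.au:/space/away/home /home nfs nfsvers=3,auto,rw,tcp,nosuid,nodev,rsize=8169,wsize=8169,soft,x-systemd.device-timeout=10 0 1
UUID=PLACEHOLDER-SWAP none swap sw 0 0'
# Swap listed first and nodev missing: both problems the check should report.
SAMPLE_BAD='UUID=PLACEHOLDER-SWAP none swap sw 0 0
away.ucc.gu.uwa.edu.au:/space/away/home /home nfs nfsvers=3,auto,rw,tcp,nosuid,rsize=8169,wsize=8169,soft 0 1'

printf '%s\n' "$SAMPLE_GOOD" | check_fstab && echo "good sample: ok"
printf '%s\n' "$SAMPLE_BAD" | check_fstab || echo "bad sample: problems found (expected)"
```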

Graphics Don't Work?

If you get messages like "Hooray! GNOME3 won't work because your graphics hardware does not support it", or glxinfo segfaults, or glxgears does not show anything, then you have entered the wonderful world of troubleshooting graphics drivers!

NVidia should just work. If you have problems, remove the nouveau driver and replace it with the non-free nvidia driver.

If things seem totally fucked, you probably have an AMD graphics card. Eg:

  • $ lspci | grep -i vga
    00:01.0 VGA compatible controller: Advanced Micro Devices [AMD] nee ATI BeaverCreek [Radeon HD 6550D]

You have two options; if one doesn't work try the other.

  • Install the debian non-free version of fglrx which may or may not explode

  • Install the official AMD fglrx which will definitely explode but may take longer to do so: http://support.amd.com/en-us/download

If none of this works you are doomed and need to try a different OS. However, debian or ubuntu are usually actually the best for fglrx, so you're probably still doomed.

OpenSUSE

  • Rule 1: don't go messing with text config files (eg ldap, pam, nsswitch) - OpenSUSE is mostly configured through the GUI, and you'll be frustrated if you try and mix the two.
  • You can put it on ldap within the installer, so you won't need to create an unprivileged account like in Ubuntu
  • Put the machine on LDAP
    • Open YaST, either from the GUI or the command line, and select 'LDAP Client'
      • Set the address of LDAP servers to mussel.ucc.gu.uwa.edu.au motsugo.ucc.gu.uwa.edu.au

      • Click on 'Fetch DN' and the UCC dn should appear
      • 'Use LDAP' should be selected, deselect all other checkboxes
      • Click on advanced configuration
        • Deselect 'Use SSSD'
        • Set the user map to ou=People,dc=ucc,dc=gu,dc=uwa,dc=edu,dc=au
        • Set the password map to dc=ucc,dc=gu,dc=uwa,dc=edu,dc=au
        • Set the group map to ou=group,dc=ucc,dc=gu,dc=uwa,dc=edu,dc=au
    • Run the following commands from a terminal as root:
      • pam-config -a --ldap

      • pam-config -d --sss

      • Running id accmurph should show uid=666(accmurph) gid=666(winadmin) groups=666(winadmin) if everything is working

  • Mount user home directories
    • Ensure there is a /away export to the machine from mylah
    • Delete or move the old /home directory: rm -rf /home (don't even leave an empty directory in / )

    • Set up automounting of home directories
      • OpenSUSE 11.4:
        • Uncomment the "/net -hosts" line in /etc/auto.master
        • Ensure you can ping mylah
        • Open YaST, go to 'System Services (Runlevel)', and enable the autofs and rpcbind services FROM SIMPLE MODE
        • Create a magic link to the home directories ln -s /net/mylah/space/away/home /home

        • Check this works by going to /home and listing the directory contents
        • If things aren't working the way they should, test mounting /away manually with the mount command after creating the /home directory. Don't forget to unmount /home and delete the empty directory when you're done.

      • OpenSUSE 12.2:
        • autofs is deprecated! Yay! We use systemd now.
        • From YaST, go to 'System Services (Runlevel)', and enable the 'nfs' and 'rpcbind' services.
        • Edit /etc/fstab (even though, strictly speaking, it's deprecated -- gotta love systemd)
        • Add this line:

          services.ucc.gu.uwa.edu.au:/space/away/home     /home   nfs     nfsvers=3,rw,tcp,nosuid,nodev,rsize=8169,wsize=8169,soft,nolock,noauto,comment=systemd.automount   0       0 
        • Maybe reboot (it can't hurt, right...)
        • ls /home (or do something in the directory in order to make it mount)
        • Everything should work
      • Check this is still working after a reboot!
  • Run a quick upgrade of all packages using zypper up before going any further.

  • The package management tool in OpenSUSE is zypper. Install the following packages using zypper install from a terminal

  • blender compiz compiz-plugins-extra compizconfig-settings-manager findutils-locate finger freeglut-devel glew glew-devel gcc geeqie gimp git hugin jhead joe nasm opera pidgin MozillaThunderbird zsh
  • OpenSUSE also supports 'pattern' packages (much like the build-essential package in Debian). Install the following patterns using zypper install -t pattern

  • devel_C_C++ devel_ide devel_java devel_mono devel_perl devel_python devel_qt4 devel_rpm_build devel_ruby devel_web remote_desktop 
  • OpenSUSE 11.4 only: Compiz on OpenSUSE 11.4 has a problem where compiz-manager doesn't start correctly for users running compiz, so those users get no window borders. This can be fixed by creating /etc/xdg/autostart/compiz-manager.desktop with the following contents:
  • [Desktop Entry]
    Type=Application
    Exec=/usr/bin/compiz-manager
    Hidden=false
    X-GNOME-Autostart-enabled=true
    Name[C]=Compiz Manager (fix)
    Name=Compiz Manager (fix)
    Comment[C]=Fixes the annoying issue
    Comment=Fixes the annoying issue
  • Install suitable graphics drivers. For ATI and nVidia chips see: http://en.opensuse.org/SDB:ATI_drivers and http://en.opensuse.org/SDB:NVIDIA_drivers

    • To use nouveau instead of nvidia, remove nvidia-computeG02 nvidia-gfxG02-kmp-desktop x11-video-nvidiaG02 and install Mesa-nouveau3d
    • Check compiz is working after a reboot (wobbly windows!)
  • Install vlc from this site: http://www.videolan.org/vlc/download-suse.html

  • Install google chrome (these instructions assume 64-bit openSUSE)
    • wget https://dl-ssl.google.com/linux/direct/google-chrome-stable_current_x86_64.rpm

    • zypper install google-chrome-stable_current_x86_64.rpm

  • Enable ssh and add the root keys:
    • Enable the sshd service through YaST
    • Allow Secure Shell Server through the firewall using YaST
    • Add the hostname to /home/wheel/bin/uccroot/push.sh and run that script
  • Add wheel to sudoers using visudo, and delete the two lines that the file's own comments tell you to remove
  • Add printers. Phosphorous on mussel is currently best added as a samba printer

Mac Desktops

  • Do a fresh install of the operating system
  • Enable Remote Login http://support.apple.com/kb/PH18726

  • Add the UCC CA
  • Settings > Users and Groups > Join Network Account Server

    • Open Directory Utility
      • Select LDAP then click the pencil icon
      • Add mussel.ucc.gu.uwa.edu.au
      • Enable Encrypt using SSL
    • Set RFC2307 mappings
    • Set search base to dc=ucc,dc=gu,dc=uwa,dc=edu,dc=au

    • Edit the server settings
      • Disable "Use custom port"
  • Set up home directories
    • Open terminal and sudo to root
    • mv /home /home2 to move the old /home out of the way (something probably still has it open)

    • ln -s /net/services.ucc.gu.uwa.edu.au/space/away/home /home to use the automounter for /home; if you don't understand this, ask.

    • ls -l /home should now show ucc, wheel, etc. If not you need to work out why.

  • Reboot and SSH etc. should work.


CategorySystemAdministration