One day, it would be nice to have a standard operating environment for UCC clubroom machines. Currently the state of them could be described as varying degrees of broken, partly due to having no defined procedure for setting them up. The purpose of this page is to brainstorm what this procedure should be.

Steps marked with require a wheel member, anything else can be done by a winadmin.

Windows Profiles

Please see WindowsProfiles for more information on how these work / how you should manage them.

Windows 7

Steps to do before/during installation

• Add forward and reverse DNS entries for the machine. Not essential for setup

• Add the machine to DHCP. Not essential for setup

During/after installation

• Install Win7 Pro, not the home edition, or you won't be able to add it to the domain
• Make sure you create at least 3 disk partitions - one for windows, one for games/other, and one or more for linux
• Enable the Administrator account and set a password, nuke the user you created during install
  • Handy hint: Instead of logging in with LOCALMACHINENAME\Administrator, log in with .\Administrator

• Install F-Prot antivirus, You will need a wheel member to give you the registration key

• Install device drivers (graphics and sound most importantly).

• Run the registry hack from http://wiki.samba.org/index.php/Windows7 - you won't be able to add the machine to the domain without doing this)

• Configure it to be part of the domain 'UCCDOMAIN'. (Control Panel, System, Advanced System Settings, Computer Name) Ignore the error message

• Install and configure wpkg.
  • Both the client installer and the config files will be in //Mylah/wpkg
  • Import settings using the "import settings" button from //Mylah/wpkg/settings.xml

  • Go into service management and change the WPKG Service startup type to Automatic (Delayed Start) This step is essential, wpkg will not work without it

  • Restart the computer
• Set up printing.
• Add Winadmins to computer administrators.
• Add static route for 130.95.13.0/26: at a command prompt, type

route add -p 130.95.13.0 MASK 255.255.255.192 130.95.13.65

• This prevents a VPN connection from trying to steal the default route to users home directories.

Software to install

Software in this list should either be free to download and install, or something that the UCC has a license for. Some preference is given to software which is easily deployed with WPKG.

Installed automatically via WPKG

• Putty

• OpenOffice

• Firefox
• Security policy to hide last logged in user
• Windows experience index test after initial install

• WinSCP

• OCS Inventory

• FoxIT Reader

• GIMP

• Ario (MPD client: http://ario-player.sourceforge.net/)

• Xming
• Inkscape

• CD Burning Software: InfraRecorder (isorecorder is no longer needed, as infrarecorder can do images)

Install by hand

• WolfET
• Steam

• MikTex then Lyx (in that order, be sure to enable auto-package downloads in MikTex)

• Thunderbird
• VLC

• Daemon Tools (v3.46 was the last release before it was bundled with spyware, see http://www.daemon-tools.cc/dtcc/download.php?mode=Download&id=70)

• PrimoPDF (a print to PDF utility)

Windows XP

Steps to do before/during installation

• Add forward and reverse DNS entries for the machine. Not essential for setup

• Add the machine to DHCP. Not essential for setup

• Add the machine template to Samba. As root on Mylah, run /home/wheel/bin/ucc-addwinpc computername.

During/after installation

• Install Windows XP SP3 and configure it to be part of the domain 'UCCDOMAIN'.
• Install device drivers (graphics and sound most importantly).
• Set up printing.
• Add Winadmins to computer administrators.

• Configure WPKG. Install WPKG Client 1.3.9.msi, and load settings.xml using 'import settings', both in //mylah/wpkg

  • As winxp is no longer the default profile, you will need to edit /wpkg/hosts.xml and make an entry for the machine
• Turn Windows Updates on to fully-automatic.
• Add static route for 130.95.13.0/26: at a command prompt, type

route add -p 130.95.13.0 MASK 255.255.255.192 130.95.13.65

Software to install

Software in this list should either be free to download and install, or something that the UCC has a license for. Some preference is given to software which is easily deployed with WPKG.

• OpenOffice

• Media Player 11

• CD Burning Software such as? possibilities include http://www.deepburner.com/ and http://infrarecorder.sourceforge.net/

• F-Prot Antivirus \\musundo\fprot\ contains installers (use the MSI packages) and license codes in licenses.txt. You will need a handy wheel member to open licences.txt for you.
• VLC

• Daemon Tools (v3.46 was the last release before it was bundled with spyware, see http://www.daemon-tools.cc/dtcc/download.php?mode=Download&id=70)

• Windows Live messenger
• Steam
• Audacity
• Google Talk
• irfanview (and the plugin that knows about jpeg orientation jfif tags)
• winscp
• DirectX 9 runtime
• Notepad++

What about...

• ActiveState ActivePython and/or ActivePerl

• Eclipse? Massive but apparently Java programmers love it

• NetBeans? Not nearly as massive (but still quite large)

• Komodo Edit, a rather nice lightweight programmers' editor
• gVim, the logical alternative to the above
• TortoiseSVN

• Cygwin I vote no, it's horrible [DAA]

• sequoiaview?
• Hardware design tools like ..
• SwitcherCADIII (free download with very active support list)
• Ultium Designer (on at least one machine) or Free (limited) version of Eagle

• Pushing the UCC CA out over WPKG? http://wpkg.org/SSL_CA_Install

• Inkscape
• The GIMP

Installed automatically via WPKG

• Java Runtime Environment
• Firefox 3
• Flash player

• PuTTY (also add the binary directory to %PATH% [RVS] - not done yet)

• Xming
• GTK+ 2.14
• 7zip

• FileZilla

• Thunderbird

• ISORecorder

• Ario (MPD client: http://ario-player.sourceforge.net/)

• BZFlag
• Adobe Reader 9

• InfraRecorder

Linux Servers

• Add a root user and nuke the initial unprivileged user
• Change sources.list to use UWA's mirror %s/au.archive.ubuntu.com/mirrors.uwa.edu.au\/ubuntu/
  • Beware of copying the apt_sources list from another server without copying the apt_preferences file too. You might suddenly find yourself with much newer versions of packages than you want.
• Set up NFS:
  • Add the machine to DNS if it isn't there already
  • Add the ethernet (MAC) address to madako's /etc/dhcp3/dhcpd.conf if it isn't there already
  • Add the machine to the /etc/exports files on the appropriate servers (motsugo for /home, mylah for /away and /services)
  • Add the fstab line (copy off motsugo or something)
  • mount -a and hope
• Add the UCC root SSH keys: add the hostname to /home/wheel/bin/uccroot/push.sh, start an ssh-agent and authenticate your root key, then run that script.
  • Copy the ssh banner from another server and modify it to suit
  • Enable root ssh logins and X11 forwarding in /etc/ssh/sshd_config

• Set up LDAP - you may need to use libnss-ldapd and libpam-ldapd on newer Ubuntu and Debian (as opposed to the old libnss-ldap)

  • Ensure nsswitch.conf uses ldap for groups, passwd, and services - the latter is not done by default on most configurations.
  • You will also need to copy /etc/groups from another server
• Install dispense: TODO, ask [TPG] how to do it for now.
• Install Phonehome:

  • apt-get install python-zsi rsync apt-listchanges

  • As root on mooneye, start an ssh-agent and authenticate your root key, then cd /usr/local/phonehome && ./setup.zsh $HOSTNAME

• Install postfix, then edit the root: line of /etc/aliases to direct mail to the ucc hostmaster address, then run newaliases

• Packages to install:

alpine apache2 biff build-essential ccache cvs distcc finger fortune ircii irssi joe ladvd logwatch molly-guard monotone ncurses-term openbsd-inetd ocsinventory-agent rkhunter rssh screen subversion sudo sun-java6-jdk susv3 strace sxid vim wireshark zsh 

• If ladvd is not availble, choose lldpd instead. Edit /etc/init.d/ladvd or /etc/init.d/lldpd and add either -C or -c (respectively) to the daemon args, this will enable cdp and hence compatibility with cisco switches. Make sure you then restart the service.

• The server for ocs inventory is ocsinventory-ng.ucc.gu.uwa.edu.au
• For distcc, you will need to copy the config off another server from /etc/default/distcc

• For file servers, you should also install:

acl clamav iotop nfs-common nfs-kernel-server

• Copy rkhunter.conf, pine.conf, mailname from another server

• Install the UCC motd system on machines which mount /home: add the following line to /etc/inetd.conf:

motda   stream  tcp     nowait  root    /home/wheel/bin/motd.update.sh motda

• Also add the following line to /etc/services (keeping things in order!):

motda           377/tcp                        # UCC MOTD update

• Add the following line to /etc/rsyslog.conf to enable central logging

*.* @murasoi

Linux Desktops

Debian or Ubuntu

• Add a root user and nuke the initial unprivileged user
• Change sources.list to use UWA's mirror %s/au.archive.ubuntu.com/mirrors.uwa.edu.au\/ubuntu/

• Set up LDAP - you may need to use libnss-ldapd and libpam-ldapd on newer Ubuntu and Debian (as opposed to the old libnss-ldap)

  • apt-get install --no-install-recommends libnss-ldapd libpam-ldapd

  • Set server to ldaps://mussel.ucc.gu.uwa.edu.au/ ldaps://motsugo.ucc.gu.uwa.edu.au/ - do not use the ucc.asn.au domain

  • Set search base to dc=ucc,dc=gu,dc=uwa,dc=edu,dc=au

  • Check server SSL certificate: demand

  • wget -O /etc/ssl/UCC-CA.crt http://ucc.asn.au/UCC-CA.crt to copy the UCC certificate authority

  • Edit /etc/nslcd.conf and add the line tls_cacertfile /etc/ssl/UCC-CA.crt

  • Restart nslcd: /etc/init.d/nslcd restart

  • Edit /etc/nsswitch.conf to include for groups, passwd, and services - the latter is not done by default on most configurations.

  • The following pam instructions are 80% of what's required for lenny, but mostly useless for squeeze. Check out motsugo's pam.d directory for a newer example.

  • Edit /etc/pam.d/common-auth (order of unix & LDAP is important, as is use_first_pass rather than try_first_pass):

auth    sufficient      pam_unix.so nullok_secure
auth    required        pam_ldap.so use_first_pass

• Edit /etc/pam.d/common-account (order of unix & LDAP is important):

account sufficient      pam_unix.so
account required        pam_ldap.so use_first_pass

• Test: id accmurph should show uid=666(accmurph) gid=666(winadmin) groups=666(winadmin) - if so, libnss-ldapd is working.

• Test: login and try your username and password - if ok, libpam-ldapd is working.

• Modify /etc/fstab to mount /away
• Add the UCC root SSH keys: add the hostname to /home/wheel/bin/uccroot/push.sh, then run that script.
• Install Phonehome:

  • apt-get install python-zsi rsync apt-listchanges

  • As root on mooneye
    • Add your root key by running:

      • eval `ssh-agent`

      • ssh-add ~<username>/.ssh/id_rsa

    • Then run the following command once you have unlocked your key cd /usr/local/phonehome && ./setup.zsh <hostname>

    • Finally, kill the ssh-agent using ssh-agent -k

Ensure the following packages are installed:

build-essential bzflag cvs chromium-browser compizconfig-settings-manager freeglut3-dev geeqie gimp gnome-desktop-environment gnucash hugin inkscape jhead joe ladvd locate lyx mplayer nasm nfs-common nslcd ocsinventory-agent pidgin rssh openjdk-6-jdk openssh-server python remmina subversion thunderbird ubuntu-restricted-extras vim vlc zsh

• If ladvd is not availble, choose lldpd instead

• The server for ocs inventory is ocsinventory-ng.ucc.gu.uwa.edu.au

OpenSUSE

• Rule 1: don't go messing with text config files (eg ldap, pam, nsswitch) - OpenSUSE is mostly configured through the GUI, and you'll be frustrated if you try and mix the two.
• You can put it on ldap within the installer, so you won't need to create an unprivileged account like in Ubuntu
• Put the machine on LDAP
  • Open YaST, either from the GUI or the command line, and select 'LDAP Client'

    • Set the address of LDAP servers to mussel.ucc.gu.uwa.edu.au motsugo.ucc.gu.uwa.edu.au

    • Click on 'Fetch DN' and the UCC dn should appear
    • 'Use LDAP' should be selected, deselect all other checkboxes
    • Click on advanced configuration
      • Deselect 'Use SSSD'
      • Set the user map to ou=People,dc=ucc,dc=gu,dc=uwa,dc=edu,dc=au
      • Set the password map to dc=ucc,dc=gu,dc=uwa,dc=edu,dc=au
      • Set the group map to ou=group,dc=ucc,dc=gu,dc=uwa,dc=edu,dc=au
  • Run the following commands from a terminal as root:

    • pam-config -a --ldap

    • pam-config -d --sss

    • Running id accmurph should show uid=666(accmurph) gid=666(winadmin) groups=666(winadmin) if everything is working

• Mount user home directories
  • Ensure there is a /away export to the machine from mylah

  • Delete or move the old /home directory: rm -rf /home (don't even leave an empty directory in / )

  • Set up automounting of home directories
    • Uncomment the "/net -hosts" line in /etc/auto.master
    • Ensure you can ping mylah
    • Open YaST, go to 'System Services (Runlevel)', and enable the autofs and rpcbind services FROM SIMPLE MODE

    • Create a magic link to the home directories ln -s /net/mylah/space/away/home /home

    • Check this works by going to /home and listing the directory contents

    • If things aren't working the way they should, test mounting /away manually with the mount command after creating the /home directory. Don't forget to unmount /home and delete the empty directory when you're done.

    • Check this is still working after a reboot!

• Run a quick upgrade of all packages using zypper up before going any further.

• The package management tool in OpenSUSE is zypper. Install the following packages using zypper install from a terminal

compiz compiz-plugins-extra compizconfig-settings-manager findutils-locate freeglut-devel gcc geeqie gimp git hugin jhead joe nasm opera pidgin MozillaThunderbird

• OpenSUSE also supports 'pattern' packages (much like the build-essential package in Debian). Install the following patterns using zypper install -t pattern

devel_C_C++ devel_ide devel_java devel_mono devel_perl devel_python devel_qt4 devel_rpm_build devel_ruby devel_web remote_desktop 

• Compiz on OpenSUSE has a problem where compiz-manager doesn't start correctly for users using compiz, so those users have no window borders, this can be solved by creating /etc/xdg/autostart/compiz-manager.desktop and putting the following contents in it:

[Desktop Entry]
Type=Application
Exec=/usr/bin/compiz-manager
Hidden=false
X-GNOME-Autostart-enabled=true
Name[C]=Compiz Manager (fix)
Name=Compiz Manager (fix)
Comment[C]=Fixes the annoying issue
Comment=Fixes the annoying issue

• Install suitable graphics drivers. For ATI and nVidia chips see: http://en.opensuse.org/SDB:ATI_drivers and http://en.opensuse.org/SDB:NVIDIA_drivers

  • To use nouveau instead of nvidia, remove nvidia-computeG02 nvidia-gfxG02-kmp-desktop x11-video-nvidiaG02 and install Mesa-nouveau3d
  • Check compiz is working after a reboot (wobbly windows!)

• Install vlc from this site: http://www.videolan.org/vlc/download-suse.html

• Install google chrome (these instructions assume 64-bit openSUSE)

  • wget https://dl-ssl.google.com/linux/direct/google-chrome-stable_current_x86_64.rpm

  • zypper install google-chrome-stable_current_x86_64.rpm

• Enable ssh and add the root keys:
  • Enable the sshd service through YaST
  • Allow Secure Shell Server through the firewall using YaST
  • Add the hostname to /home/wheel/bin/uccroot/push.sh and run that script
• Add wheel to sudoers using visudo, and delete the two lines in the file that are mentioned in the comments in the file
• Install ocs-inventory:

  • Download the source tarball from http://www.ocsinventory-ng.org/en/download/download-agent.html

  • Follow the instructions in the README to build and install it
  • The server for ocs inventory is ocsinventory-ng.ucc.gu.uwa.edu.au
• Add printers. Phosphorous on mussel is currently best added as a samba printer

CategorySystemAdministration