New Machine Setup

Dell only
Download Dell OMSA packages from ftp://ftp.sara.nl/pub/outgoing/dell/ for viewing hardware diagnostics

Manual steps

 * Set networking config
 * Make sure that all necessary packages are installed (TODO: list)
 * Obtain a principal with randkey for the host from the KDC - you'll need host/ .ugcs.caltech.edu
 * Export the principal using ktadd -k to a temporary file and copy it to /etc/krb5.keytab on the new machine
 * Install CFEngine and point it at demeter

Done by CFEngine

 * Copy /opt/CA/cacert.pem from the CA server (currently apollo) to /etc/
 * Set the contents of /etc/ldap/ldap.conf

    BASE   dc=ugcs,dc=caltech,dc=edu
    URI    ldaps://apollo.ugcs.caltech.edu/
    TLS_CACERT     /opt/CA/cacert.pem
    TLS_REQCERT    demand

 * Set the contents of /etc/libnss-ldap.conf

    base dc=ugcs,dc=caltech,dc=edu
    uri ldaps://apollo.ugcs.caltech.edu/
    ldap_version 3
    port 636

 * Edit /etc/nsswitch.conf - 's/compat/files ldap/'

    passwd:        files ldap
    group:         files ldap
    shadow:        files ldap

 * Add the following PAM lines in the appropriate places in /etc/pam.d/common-*

    auth   sufficient      pam_krb5.so minimum_uid=1000
    auth   optional        pam_afs_session.so
    session optional        pam_krb5.so minimum_uid=1000
    session required       pam_afs_session.so
    account required        pam_krb5.so minimum_uid=1000
    account required       pam_unix.so
    password   sufficient pam_krb5.so minimum_uid=1000

 * Add the following lines to /etc/krb5.conf

    [appdefaults]
    aklog_homedir = true
    libkafs = {
        UGCS.CALTECH.EDU = {
            afs-use-524 = no
        }
    }
    [libdefaults]
    default_realm = UGCS.CALTECH.EDU
    ...
    [realms]
    UGCS.CALTECH.EDU = {
        kdc = apollo
        admin_server = apollo
    }
    ...
    [domain_realm]
    .ugcs.caltech.edu = UGCS.CALTECH.EDU
    ugcs.caltech.edu = UGCS.CALTECH.EDU
    ...

 * Change the following settings in /etc/ssh/sshd_config
   1) Kerberos options

      KerberosAuthentication yes
      KerberosOrLocalPasswd yes
      KerberosTicketCleanup yes
      KerberosGetAFSToken yes

   2) GSSAPI options

      GSSAPIAuthentication yes
      GSSAPICleanupCredentials yes
      GSSAPIKeyExchange yes

 * Add the following line to sudoers:

    %sysadmin ALL=(ALL) NOPASSWD:ALL
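
A check that a finished host matches the LDAP, nsswitch and sshd settings listed above, as an added example that is not part of the original page or of CFEngine: it reads the four files under a root directory and reports every directive that differs or is duplicated with another value. The function names are hypothetical, and the keytab permission check is an assumption added here, not a step from the page.

```python
import os
import sys

LDAP = {"base": "dc=ugcs,dc=caltech,dc=edu", "uri": "ldaps://apollo.ugcs.caltech.edu/"}
# Required directives per file, copied from the listings on this page.
EXPECTED = {
    "etc/ldap/ldap.conf": {**LDAP, "tls_cacert": "/opt/CA/cacert.pem", "tls_reqcert": "demand"},
    "etc/libnss-ldap.conf": {**LDAP, "ldap_version": "3", "port": "636"},
    "etc/nsswitch.conf": dict.fromkeys(["passwd:", "group:", "shadow:"], "files ldap"),
    "etc/ssh/sshd_config": dict.fromkeys(
        ["kerberosauthentication", "kerberosorlocalpasswd", "kerberosticketcleanup",
         "kerberosgetafstoken", "gssapiauthentication", "gssapicleanupcredentials",
         "gssapikeyexchange"], "yes"),
}

def parse(text):
    """Map each lower-cased directive to the set of values it is given."""
    found = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if parts and not parts[0].startswith("#"):
            value = " ".join(parts[1].split()) if len(parts) > 1 else ""
            found.setdefault(parts[0].lower(), set()).add(value)
    return found

def audit(root="/"):
    """Return a list of deviations from the page's settings under root."""
    problems = []
    for rel, want in EXPECTED.items():
        try:
            with open(os.path.join(root, rel)) as fh:
                have = parse(fh.read())
        except OSError:
            problems.append(f"{rel}: cannot read")
            continue
        for key, value in want.items():
            # Every occurrence must match, so a stray duplicate is reported too.
            if have.get(key) != {value}:
                problems.append(f"{rel}: {key} = {sorted(have.get(key, []))}, want {value!r}")
    # Assumption (not stated on the page): the keytab must not be readable by group or other.
    keytab = os.path.join(root, "etc/krb5.keytab")
    if not os.path.isfile(keytab):
        problems.append("etc/krb5.keytab: missing")
    elif os.stat(keytab).st_mode & 0o077:
        problems.append("etc/krb5.keytab: accessible by group or other")
    return problems

if __name__ == "__main__":
    for problem in audit(sys.argv[1] if len(sys.argv) > 1 else "/"):
        print(problem)
```

Run it with no argument to audit the live host, or pass a directory holding a copy of the files.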