Timestamp:
Sep 12, 2010, 6:00:55 PM (12 years ago)
Author:
ezyang
Message:
Dramatically expand LDAP and installation documentation.
File:
1 edited

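--- a/branches/fc13-dev/server/doc/install-howto.sh
+++ b/branches/fc13-dev/server/doc/install-howto.sh
@@ -26,4 +26,7 @@
 
 # Start with a normal install of Fedora.
+
+# Take updates
+    YUM update
 
 if [ $boot = 0 ]; then
@@ -71,4 +74,5 @@
     svn co svn://$source_server/$branch repository
 
+    # XXX These sed scripts don't work
     sed -i 's/^(# *)*store-passwords.*/store-passwords = no/' /root/.subversion/config
     sed -i 's/^(# *)*store-auth-creds.*/store-auth-creds = no/' /root/.subversion/config
@@ -90,4 +94,8 @@
     # won't work.
 
+# Get some packages necessary for OpenAFS
+    YUM install -y redhat-lsb
+    YUM install -y autofs
+
 # Add scripts-build to the group 'mock'
     usermod -a -G mock scripts-build
@@ -110,5 +118,6 @@
 # You can get password SSH back by editing /etc/ssh/sshd_config (allow
 # password auth) and /etc/pam.d/sshd (comment out the first three auth
-# lines)
+# lines).  However, you can also temporarily install krb5 and setup the
+# keytabs and k5login to get Kerberized authentication.
 
     service named start
@@ -118,23 +127,4 @@
 # packages for a new Fedora release.  Consult 'upgrade-tips' for more
 # information.
-
-# In the case of the Kerberos libraries, you'll be told that
-# there are conflicting files with the 64-bit versions of the packages,
-# which we scriptsify.  You'll have to use --force to install those
-# rpms despite the conflicts.  After doing that, you may want to
-# install the corresponding 64-bit scriptsified versions again, just
-# to be safe in case the 32-bit versions overwrite files that differ.
-# When you try this, it will complain that you already have the same
-# version installed; again, you'll need to use --force to do it anyway.
-
-# We need yumdownloader to force some RPMs
-    # XXX: This might be wrong. Sanity check what packages ou
-    # have when done
-    YUM install -y yum-utils
-    yumdownloader krb5-libs
-    # XXX: These version numbers are hardcoded, need some cli-fu to generalize
-    # FC13: Check if they are necessary
-    rpm -i krb5-libs-*.i586.rpm
-    rpm -U --force krb5-libs-*.scripts.1138.x86_64.rpm
 
 # env NSS_NONLOCAL_IGNORE=1 yum install scripts-base
@@ -174,4 +164,5 @@
     YUM install -y nrpe
     YUM install -y nagios-plugins-all
+    YUM install -y fprintd-pam
 
 # Disable NetworkManager with chkconfig NetworkManager off. Configure
@@ -198,14 +189,8 @@
 # Edit the parameters in /etc/sysconfig/openafs
 
-# Figure out why Zephyr isn't working. Most recently, it was because there
-# was a 64-bit RPM installed; remove it and install Joe's 32-bit one
-    YUM erase -y mit-zephyr
-    # mit-zephyr has a spurious dependency on mit-krb-config
-    yumdownloader mit-zephyr.i386
-    # if deps change, this breaks
-    YUM install -y libXaw.i586 libXext.i586 libXmu.i586 ncurses-libs.i586 readline.i586
-    rpm -i --nodeps mit-zephyr-2.1-6-linux.i386.rpm
-    # test if it worked by sending an un-authed message
-    zwrite -d -c scripts -i test
+# Test that zephyr is working
+    chkconfig zhm on
+    service zhm start
+    echo 'Test!' | zwrite -d -c scripts -i test
 
 # Install the athena-base, athena-lprng, and athena-lprng-misc RPMs
@@ -251,5 +236,5 @@
     mkdir vice
     cd vice
-    svn co svn://scripts.mit.edu/trunk/server/fedora/config/usr/vice/etc etc
+    svn co svn://scripts.mit.edu/$branch/server/fedora/config/usr/vice/etc etc
     \cp -a etc /usr/vice
 
@@ -308,24 +293,36 @@
     echo 'import site, os.path; site.addsitedir(os.path.expanduser("~/lib/python2.6/site-packages"))' > /usr/lib/python2.6/site-packages/00scripts-home.pth
 
-# Install the credentials.  There are a lot of things to remember here:
+# Install the credentials.  There are a lot of things to remember here.
+# Be sure to make sure the permissions match up (ls -l on an existing
+# server!).
 #   o This will be different if you're setting up our build/update server.
 #   o You probably installed the machine keytab long ago
     ls -l /etc/krb5.keytab
-#   o Use ktutil to combine the host/scripts.mit.edu and
+#     Use ktutil to combine the host/scripts.mit.edu and
 #     host/scripts-vhosts.mit.edu keys with host/this-server.mit.edu in
 #     the keytab.  Do not use 'k5srvutil change' on the combined keytab
-#     or you'll break the other servers. (real servers only)
+#     or you'll break the other servers. (real servers only).  Be
+#     careful about writing out the keytab: if you write it to an
+#     existing file the keys will just get appended
 #   o The daemon.scripts keytab
     ls -l /etc/daemon.keytab
 #   o The SSL cert private key (real servers only)
+    ls -l /etc/pki/tls/private/scripts.key
 #   o The LDAP password for the signup process (real servers only)
-#   o The SQL password for the signup process (real servers only)
+    ls -l /etc/signup-ldap-pw
+#   o The SQL password for the signup process (real servers only) (you
+#     only need one)
+    ls -l /usr/local/etc/sql-mit-edu.cfg.php
+    ls -l /etc/sql-mit-edu.cfg.php
 #   o The whoisd password (real servers only)
-#   o The LDAP keytab for this server, which will be used later (real servers only)
+#   o The LDAP keytab for this server, which will be used later (real
+#     servers only).
+    ls -l /etc/dirsrv/keytab
 #   o Replace the ssh host keys with the ones common to all scripts servers (real servers only)
-#   o You'll install an LDAP certificate signed by the scripts CA later (real servers only)
+    ls -l /etc/ssh/*key*
 #   o Make sure root's .k5login is correct
     cat /root/.k5login
 #   o Make sure logview's .k5login is correct (real servers only)
+    cat /home/logview/.k5login
 
 # If you are setting up a test server, pay attention to
@@ -353,6 +350,5 @@
     vim /home/afsagent/renew # replace all mentions of daemon.scripts.mit.edu
 
-# Install 389-ds-base and set up replication (see ./HOWTO-SETUP-LDAP
-#   and ./389-ds-enable-ssl-and-kerberos.diff).
+# Install 389-ds-base and set up replication (see ./HOWTO-SETUP-LDAP).
 
 # Make the services dirsrv, nslcd, nscd, postfix, and httpd start at
@@ -420,3 +416,3 @@
 
 # XXX: our SVN checkout should be updated to use scripts.mit.edu
-# (repository and etc)
+# (repository and etc) once serving actually works.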
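Review bot: The hunk at new lines 76-78 marks the two `sed -i` commands as broken but leaves them in place, so an admin following the howto presumably ends up with Subversion's default credential caching for root instead of `store-passwords = no` and `store-auth-creds = no`. One visible cause is that `^(# *)*` relies on grouping, which sed only honours in extended mode; without `-r` the parentheses are matched literally and the commented-out defaults never match. I would write `sed -i -r 's/^(# *)*store-passwords.*/store-passwords = no/' /root/.subversion/config` (same for store-auth-creds) and follow it with `grep -E '^store-(passwords|auth-creds) = no' /root/.subversion/config` so a silent no-op is caught. It is also worth confirming, since this page does not show it, that the installed Subversion still reads these options from `config` and that the file exists before the edit runs.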