Things I Learned Setting up a Linux Lab
2016 May 06

This is a list of things I learned setting up a Linux lab for my university. The lab contains 10 workstations, and 1 server. The users are authenticated centrally against LDAP, and their home directories are mounted as NFS shares on the server. The lab is powered by Scientific Linux, which is a Red Hat Enterprise Linux derivative.

Network Service Not Working? Check the Firewall

Do you have a service running on one machine, but cannot access it from another? Then you might have an issue with the firewall. The default firewall settings on the lab server are very restrictive, and you may think you enabled the port permanently when you didn't, so FirewallD can seem kind of weird. Remember to pass the --permanent flag to firewall-cmd when adding services or ports to the firewall rules; otherwise that rule will be wiped out during a reboot. Note that a --permanent rule is only written to the saved configuration: it does not take effect in the running firewall until you run firewall-cmd --reload (or add the same rule again without --permanent).

BIND Configuration Files are Strict

BIND is considered the standard DNS server; it is pretty much the reference implementation. Writing the zone files and configuring forwarding can be a bit of a challenge the first time, but once you get it done it runs smoothly. For instance, indentation matters when it comes to NS records: if you don't indent them, the server will fail to start with a cryptic message.

If you just remember two tools for working with BIND, they should be named-checkzone and named-checkconf. You use the tools as shown below.

named-checkzone <zone-name> <zone-file>
named-checkconf <conf-file>

<zone-name> in the example above is the name of the actual domain you are configuring. Let's say every machine's name in your domain ends with .lan; then your zone would be named lan.
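As an added example (not from the original post), here is a minimal zone file for that lan zone in the form named-checkzone accepts. The host names and the 192.168.10.0/24 addresses are assumptions; the comments explain why the NS lines must be indented.

```zone
; Added example zone file for the "lan" zone (not from the original post).
; Host names (ns1, lab-server, ws01, ws02) and the 192.168.10.0/24
; addresses are assumptions for illustration.
$TTL 86400
$ORIGIN lan.
@       IN  SOA  ns1.lan. hostmaster.lan. (
                2016050601  ; serial (YYYYMMDDnn, bump it on every change)
                3600        ; refresh
                900         ; retry
                1209600     ; expire
                86400 )     ; negative-cache TTL

; The NS record has an empty owner field. In zone-file syntax a line that
; starts with whitespace means "same owner as the previous record", here
; the zone apex (@). Written at column 0 with no owner, the word "NS"
; would be parsed as a host name and the zone would fail to load.
        IN  NS   ns1.lan.

; Address records: the server, which is also the name server, and the
; workstations.
ns1         IN  A    192.168.10.1
lab-server  IN  A    192.168.10.1
ws01        IN  A    192.168.10.11
ws02        IN  A    192.168.10.12
```

Check it with named-checkzone lan /var/named/lan.zone (the path is an assumption); a zone that loads cleanly ends its output with the loaded serial and OK.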

OpenLDAP is Very Touchy

OpenLDAP is probably one of the touchiest programs out there. It was the biggest pain to get set up for the lab, especially combined with PAM. If you modified the slapd.conf file and restarted the service, it would complain and just quit with an incredibly cryptic error message about a checksum not matching. Every configuration change has to be made via OLC (on-line configuration), while the service is running. Webmin is amazing when it comes to setting up LDAP: it is smart enough to install all of the required packages, configure the rootdn, and create users.

However, without LDAP the lab would not work nearly as well as it does now, as I would not be able to create as many users as quickly or manage them as easily. Additionally, LDAP is infinitely better than NIS, which passes passwords to the server in clear text and has a two-step update process. LDAP also actually supports logging who logged in at which workstation, while NIS does not, because clients can cache the entire database.

UNIX File Permissions Are Awesome

The simplicity of the whole UNIX permissions system is pure genius. It is broken down to be just granular enough to do the job right. Starting from user, group, and world permissions is just beautiful. It is so simple, and it makes perfect sense. After all, if we stored every single user who has access to a file, the list would get big very quickly; but if we just create a group of users and say that this group has access to the following files, it reduces the storage required for the access list, due to a smaller constant factor. These permissions are really helpful when it comes to limiting who can do what on the system, and what those users do. It is pure genius for working with any number of people who need to have their permissions limited.

These are just a few of the lessons I learned setting up the lab. Once I actually start administering the lab and have some experience with its users, I will write another post about what I learned dealing with them when it is in full swing.

*****
Written by Henry J Schmale on 2016 May 06