This is a list of things I learned setting up a Linux lab for my university. The lab contains 10 workstations, and 1 server. The users are authenticated centrally against LDAP, and their home directories are mounted as NFS shares on the server. The lab is powered by Scientific Linux, which is a Red Hat Enterprise Linux derivative.
Network Service Not Working? Check the Firewall
Do you have a service running on one machine, but cannot access it from another? Then you might have an issue with the firewall. The default firewall settings on the lab server are very restrictive, and you might think that you enabled the port permanently when you didn't, so FirewallD can seem kind of weird. Remember to pass the --permanent flag to firewall-cmd when adding services or ports to the firewall rules, otherwise the rule will be wiped out on reboot. The reverse also holds: a rule added with --permanent only changes the saved configuration and does not apply to the running firewall until you reload it, so check both the runtime and the permanent rule sets when something does not connect.
BIND Configuration Files are Strict
BIND is considered the standard DNS server; it is pretty much the reference implementation. However, writing the zone files and configuring the forwarding can be a bit of a challenge the first time, but once you get it done it runs smoothly. For instance, indentation matters when it comes to NS records: a record that starts in the first column begins with an owner name, while an indented record inherits the owner name of the record above it, so if you don't indent the NS records named will fail to start with a cryptic message.
If you just remember two tools for working with BIND, they should be named-checkzone and named-checkconf. You use the tools as shown below. <zone-name> in the example is the name of the actual domain you are configuring; if, let's say, every machine's name in your domain ends with .lan, then your zone would be named lan.
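As an added example that is not part of the original post, here is a small Python pre-check for the indentation pitfall described above: it applies the zone-file owner-name rule (column 1 means a new owner, indentation means "same owner as the previous record") and reports an un-indented NS record in plain words before named-checkzone is run. The RR type list is abbreviated and the sample zone is constructed for illustration.

```python
"""Added example (not from the post): lint a BIND zone file before named-checkzone.
A column-1 record starts with an owner name; an indented one inherits the previous owner."""
RR_TYPES = {"A", "AAAA", "NS", "MX", "CNAME", "PTR", "SOA", "TXT", "SRV"}  # abbreviated

def _logical_lines(text):
    """Yield (lineno, line) with comments stripped and ( ) groups joined."""
    buf, start, depth = [], 0, 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";", 1)[0]                   # drop the comment
        start = start if buf else lineno
        buf.append(line.strip() if buf else line)     # keep first line's indent
        depth += line.count("(") - line.count(")")
        if depth <= 0:
            yield start, " ".join(buf).replace("(", " ").replace(")", " ")
            buf, depth = [], 0

def parse_zone(text):
    """Return (records, problems); a record is an (owner, type, rdata) tuple."""
    records, problems, owner = [], [], None
    for lineno, line in _logical_lines(text):
        fields = line.split()
        if not fields or fields[0].startswith("$"):
            continue                                  # blank line or $TTL/$ORIGIN
        if line[:1] not in (" ", "\t"):               # column 1: explicit owner name
            rec_owner = fields.pop(0)
        elif owner is None:
            problems.append((lineno, "indented record before any owner name"))
            continue
        else:
            rec_owner = owner                         # indented: inherit the owner
        while fields and (fields[0].isdigit() or fields[0].upper() in ("IN", "CH", "HS")):
            fields.pop(0)                             # optional TTL and class
        if not fields or fields[0].upper() not in RR_TYPES:
            msg = f"unknown RR type '{fields[0] if fields else '<none>'}'"
            if rec_owner.upper() in RR_TYPES:         # the forgotten-indent pitfall
                msg += f" (forgot to indent? '{rec_owner}' was read as the owner)"
            problems.append((lineno, msg))
            continue
        owner = rec_owner
        records.append((owner, fields.pop(0).upper(), " ".join(fields)))
    return records, problems

SAMPLE_ZONE = """\
$ORIGIN lan.
@       IN  SOA ns1.lan. admin.lan. (
            2024010101 3600 1800 604800 86400 )    ; constructed sample data
        IN  NS  ns1.lan.
NS  ns2.lan.             ; forgot to indent: "NS" becomes the owner name
ns1     IN  A   10.0.0.1
"""
```

Running `parse_zone(SAMPLE_ZONE)` reports line 5 as an unknown RR type with the indentation hint, while a hostname that happens to be spelled like a type (a host called `ns`) is still accepted because what follows it parses correctly.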
OpenLDAP is Very Touchy
OpenLDAP is probably one of the most touchy programs out there. This program was the biggest pain to get set up for the lab, especially when combined with PAM. If you modify the slapd.conf file and restart the service, it complains and just quits with an incredibly cryptic error message about some checksum not matching. Every configuration change has to be made via OLC, while the service is running. Webmin is amazing when it comes to setting up LDAP: it is smart enough to install all of the required packages, configure the rootdn, and create users.
However, if I didn't have LDAP configured, the lab would not work nearly as well as it does now, as I would not be able to create users as quickly or manage them as easily. Additionally, LDAP is infinitely better than NIS, which passes passwords to the server in clear text and has a two-step update process. Also, LDAP actually supports logging who logged in at which workstation, while NIS does not, due to the clients' ability to cache the entire database.
UNIX File Permissions Are Awesome
The simplicity of the whole UNIX permissions system is pure genius. It is broken down to be just granular enough to do the job right. Starting from user, group, and world permissions is just beautiful; it is so simple, and it makes perfect sense. After all, if we stored every single user who has access to a file, the list would get big very quickly, but if we create a group of users and say that this group has access to the following files, the amount of storage required for the access list shrinks by a constant factor. These permissions are really helpful when it comes to limiting who can do what on the system. It is pure genius for working with any number of people whose permissions need to be limited.
These are just a few of the lessons I learned setting up the lab. When I actually start administrating the lab, I will make another post about what I learned dealing with the users of the lab once it is in full swing, when I have some experience with that.