User:iwm21

From Computer Laboratory System Administration

System resources access diagram

<UnderConstruction>

Proposed changes/additions to the CL wiki:

DHCP failure

Subject: Re: [rt.cl.cam.ac.uk #95369] [Comment] DHCP failing (Re: DHCP request now processed)
>
> Most of our VLANs do not use dynamic DHCP addresses so in most cases you
> need to add an address to the DNS when a new machine is added to the VLAN.

Piete Brooks:
When you add the DHCP registration on the VLAN to the host, it says whether it is static or dynamic (there is a pull down menu which allows you to select if both are available)


In the last comment I responded with the fact that Vince and I responded with "... but we cannot change that from static"


Server types

There are three main classes of machines:

  1. user Workstations
  2. group servers
  3. departmental servers (including the MPhil pool)

A fairly simple rule covers all three: If an extra package is wanted, ask the person who owns /etc/user-config/bundles to add the package.

In the case of (1), there's normally only one user, so they do it themselves.

In the case of (2), there is normally an 'assigned manager', so that there aren't too many people fiddling with things at the same time and one person can keep a general overall view of what's going on.

In the case of (3), it's "any member of the CO / HelpDesk team". A fairly strong case is needed to do it. It should be done to all machines in that class (e.g. all slog servers, or all MPhil machines).


Items are generally case (2), so

laira:~: ls -l /etc/user-config/bundles
-rw-rw-r--+ 1 awm22 sysadmin 3996 Nov 15  2014 /etc/user-config/bundles
nile:~:

redirect the user to awm22.

Hmm -- the '+' means that there is an ACL, so use getfacl:

laira:~: getfacl /etc/user-config/bundles
getfacl: Removing leading '/' from absolute path names
# file: /etc/user-config/bundles
# owner: awm22
# group: sysadmin
user::rw-
user:tm444:rw-
group::rw-
group:srg-tsars:rw-
mask::rw-
other::r--
laira:~:

KERBEROS access renewal

When you log into a server (e.g. the remote server) in the Computer Laboratory, your home directory is automatically 'mounted'.

iwm21@svr-ssh-1:/$ cl-krenew --status
no processes found refreshing or distributing keys


Workflow checklist for RT tickets

Visitor

New user

Visitor's machine

DNS resolution check

Machines that do not resolve in the DNS (script to list them):

What is to be done for /etc/resolv.conf on the following machines?

laira:~: cd /usr/groups/linux/ownfiles
laira:/usr/groups/linux/ownfiles: grep -l 128.232.13 $(cd CKSUM; find * -type f -mtime -300 | sed \
 's=$=/etc/resolv.conf=') 2>/dev/null | sed 's=/.*=='
bretzel.xen
condor68-negotiator-0
linux-serv0
linux-serv1
mta0
mta3
ssh-remote-0
svr-acjf3-armie
svr-acr31-acsmobile
svr-acr31-ormchem
svr-acr31-trac
svr-hotcrp
svr-qs101-pico
sxp01.xen
sxp03.xen
sxp05.xen
sxp06.xen
sxp08.xen
sxp09.xen
sxp18.xen
sxp23.xen
www-ecad
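A Python version of the scan above, added here rather than taken from the page, that parses the nameserver lines instead of grepping for the literal 128.232.13 (which, as a regex, also matches 128.232.130 to 128.232.139 and lets each dot match any character). It assumes the same <host>/etc/resolv.conf layout as the sed expression, omits the -mtime filter, and runs against three constructed files under hypothetical host names that are not real CL machines.

```python
import ipaddress
import tempfile
from pathlib import Path

# The pipeline on the page greps each host's checked-in /etc/resolv.conf for the
# literal "128.232.13". As a regex that also matches 128.232.130 .. 128.232.139 and
# lets each "." match any character, so here the file is parsed and every nameserver
# is tested against an explicit network instead.
TARGET_NET = ipaddress.ip_network("128.232.13.0/24")


def nameservers(resolv_conf_text):
    """Return the nameserver addresses in a resolv.conf body; comments and junk are ignored."""
    servers = []
    for line in resolv_conf_text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()   # both comment styles
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(ipaddress.ip_address(parts[1]))
            except ValueError:        # a typo in the file: skip it, don't abort the scan
                continue
    return servers


def hosts_using_net(root, net=TARGET_NET):
    """Walk <root>/<host>/etc/resolv.conf (the layout the sed in the pipeline assumes)
    and return the hosts with at least one nameserver inside net."""
    found = []
    for host_dir in sorted(p for p in Path(root).iterdir() if p.is_dir()):
        rc = host_dir / "etc" / "resolv.conf"
        if rc.is_file() and any(ns in net for ns in nameservers(rc.read_text())):
            found.append(host_dir.name)
    return found


def build_sample_tree(root):
    """Constructed sample files for three hypothetical hosts (not real CL machines)."""
    samples = {
        "host-a": "search cl.cam.ac.uk\nnameserver 128.232.13.1\nnameserver 128.232.1.1\n",
        "host-b": "nameserver 128.232.130.5\n",     # the grep pattern would match this one
        "host-c": "# local caching resolver\nnameserver 127.0.0.1\n",
    }
    for host, text in samples.items():
        etc = Path(root) / host / "etc"
        etc.mkdir(parents=True)
        (etc / "resolv.conf").write_text(text)


def demo():
    """Build the sample tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return hosts_using_net(tmp)


if __name__ == "__main__":
    for host in demo():
        print(host)
```

Only host-a is reported: host-b's 128.232.130.5 would have been a false positive with the grep, and host-c points at a local resolver.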

SSH access overview

Comments to help the HelpDesk rather than intended for the user directly.

> How do I get SSH from an external machine to a group server to work every time?

There are two basic ssh auth methods we support: ssh user key and kerberos.

A) ssh user key:
1) ensure that the client has a suitable private user key
2) ensure that the server has the public user key enabled for the calling host.

Either the public key can be stored locally on the server,
or it can be stored on the filer, in which case a TGT is needed to access it.

B) Kerberos:
1) ensure that the client can access the kerberos servers
2) get a TGT on the client

In either case, that should allow ssh access to the server.
(filer access will require a TGT)

To protect the systems, when an external IPv4 address calls the system,
a counter is incremented. If this reaches a threshold within a certain
interval, the IPv4 address is deemed to be attacking the system,
and it drops the packets, causing the ssh connection to be very slow.
To avoid this being a problem
1) the client should not make lots of ssh calls in a short time
2) the client should use a VPN or tunnel so that it is deemed 'local'
3) the server should clear the counter each time an ssh connection works.

> I have SSH from my laptop to a server working some of the time, but it's
> random. For instance:
> fossil-3:autobuilder atm26$ ssh -L 5901:localhost:5901 versace.cl.cam.ac.uk
> Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
... and what looks like it failing in the SAME way seven times - did I miss something?

> fossil-3:autobuilder atm26$ ssh sandy.cl.cam.ac.uk
> Permission denied (publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive).
> fossil-3:autobuilder atm26$ ssh sandy.cl.cam.ac.uk
> Welcome to Ubuntu 14.04.2 LTS (GNU/Linux 3.13.0-51-generic x86_64)

That I do not understand.
With the times, we could look in the logs on sandy.
Might it be alternating between IPv4 and IPv6?

He does not give any timing info.
If a long delay it might be trying IPv4, timing out as it seems to be attacking,
so fall back to IPv6, which fails as the calling address isn't permitted.

Eventually IPv4 is allowed in, and its address is permitted.

> Sometimes I can SSH into sandy, then into ventura, making sure I have
> Kerberos keys and filesystem access, but external SSH still fails.

That would be explained if the calling address / DNS name is not permitted.
We really need 'ssh -v' info to show what address is being called - IPv4 or IPv6.

> Sometimes I can't even SSH into sandy.

Again, only guess is IPv4 vs IPv6 - but I am clutching at straws - most
systems use IPv6 and then IPv4, or are at least consistent - they don't do
Round Robin between IPv4 and IPv6 addresses ...

> Or it works second time around,

IPv4 vs IPv6??

> one time out of ten,

Hard to explain.

> if I wait half an hour, or some other variable I can't quite grasp.

That might be the counter being cleared,
or it might be 'it works one time in two' ...

> Is there a foolproof way to have reliable SSH connections?

Almost certainly - we just need to know what the setup is,
and what is causing it to fail.

> For instance, I can VPN into vpdn-pptp (I know it's old, but it was to hand), and it
> seems to make no difference to the lottery of getting in.

He should be told to use the UIS provided CL VPN.

> I have no problem using a VPN if that will solve the problem.

It should help.

> The use case is I want to make lots of SSH connections in a short space of
> time (eg scp or multiple remote X sessions)

I'd put in PAM magic to reset the counter to avoid 'timeout' problems.

> These are things for which indirecting via sandy and friends is no good
(As I remember, I managed to get scp etc working via ssh-relay)
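To make the counter mechanism and the three remedies listed in the overview concrete, here is an added simulation (not the CL's actual filtering code; the threshold, interval and 'local' VPN range are assumed values the page does not give): a per-address hit counter, a run of connections from one external client, and the effect of clearing the counter on a successful login or of arriving from a local address.

```python
import ipaddress
from collections import defaultdict

# Parameters for the simulation. The page says there is a threshold and an interval
# but not their values, so these are assumed.
THRESHOLD = 4        # connections within INTERVAL before the address is deemed to be attacking
INTERVAL = 60.0      # seconds
# Addresses treated as 'local' and therefore not counted: an assumed VPN/tunnel range,
# not the CL's real one.
LOCAL_NETS = [ipaddress.ip_network("10.8.0.0/16")]


class ConnectionLimiter:
    """Per-source-address counter of the kind described in the overview.

    Every connection from an external IPv4 address adds a timestamp; once THRESHOLD
    of them fall within INTERVAL the address is treated as attacking and its packets
    are dropped. Dropped attempts still count, which is why a client that keeps
    retrying stays blocked. clear_on_success models suggestion (3): a successful
    login resets the address's counter.
    """

    def __init__(self, threshold=THRESHOLD, interval=INTERVAL,
                 clear_on_success=False, local_nets=LOCAL_NETS):
        self.threshold = threshold
        self.interval = interval
        self.clear_on_success = clear_on_success
        self.local_nets = local_nets
        self.hits = defaultdict(list)      # address -> timestamps of recent connections

    def connect(self, addr, now, auth_ok=True):
        """Record one connection attempt at time now; return what happened to it."""
        ip = ipaddress.ip_address(addr)
        if ip.version == 4 and not any(ip in net for net in self.local_nets):
            recent = [t for t in self.hits[addr] if now - t < self.interval]
            recent.append(now)
            self.hits[addr] = recent
            if len(recent) >= self.threshold:
                return "dropped"           # packets discarded; the client sees a hang
            if auth_ok and self.clear_on_success:
                self.hits[addr] = []
        return "accepted" if auth_ok else "auth-failed"


def run_burst(clear_on_success=False, auth_ok=True, addr="198.51.100.7",
              n=8, spacing=2.0):
    """One client opening n sessions spacing seconds apart (scp, several X sessions, ...)
    from addr, which by default is an external address from the documentation range."""
    lim = ConnectionLimiter(clear_on_success=clear_on_success)
    return [lim.connect(addr, i * spacing, auth_ok) for i in range(n)]


if __name__ == "__main__":
    print("external, no reset on success:", run_burst())
    print("external, reset on success:   ", run_burst(clear_on_success=True))
    print("external, key not enabled:    ", run_burst(clear_on_success=True, auth_ok=False))
    print("via VPN, key not enabled:     ", run_burst(auth_ok=False, addr="10.8.0.2"))
    print("external, spaced 30s apart:   ", run_burst(n=8, spacing=30.0))
```

The runs show the three cases discussed: a burst of good logins is blocked after the threshold unless the counter is cleared on success; a client whose key is not enabled keeps failing and then gets dropped whatever the server does, because nothing ever succeeds; and the same client coming in from the 'local' range is never counted at all.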

OS upgrade prompts (Linux)

Subject: Upgrade to 14.10 ubuntu

Hi,
My updater is asking me to update ubuntu to 14.10. Is it in line with
the department policy?

First off, thank him for contacting us, as per http://www.wiki.cl.cam.ac.uk/clwiki/SysInfo/LinuxDosAndDonts

Then ask the user to confirm which machine they are asking about, and note that that is generally useful info to include to avoid possible confusion.

The CL installs LTS (Long Term Support) systems and only pushes people to upgrade when support runs out (5 years), so that 3-year visitors (such as Research Students) are spared the disruption of an upgrade.

LTS systems normally do not ask to upgrade to a non LTS version, so 12.04LTS would ask about 14.04LTS but 14.04LTS should not ask about 14.10. I suspect the user (or some package) may have taken it out of LTS mode.

The user should be informed that some people require non-LTS versions, and we do not stop them from using them, but the level of support is reduced. We 'expect' them to work, and will try to fix up any problems which he may have, but at some point we may have to simply offer to do a fresh install of the latest supported LTS version.


Granting "user admin" access

Example of adding user admin privilege on a machine (e.g. username = $user = "ke293", machine "smew")

CL guide: http://www.wiki.cl.cam.ac.uk/clwiki/SysInfo/MachineSetup#useradmin

Attach to the machine using your KERBEROS credentials

ssh -K smew

This shows how to grant 'user admin' access to a lab-managed machine.

user=ke293
cl-asuser cl-hostid-fix --user $user

then generally follow this with

cl-asuser cl-hostid-fix --user $user -a

Then grant permissions on the bundles (so they can add/remove/update packages)

sudo setfacl -m u:$user:rw /etc/user-config/bundles


Below is a sample script that can be used. Enter the 1st line using the user's username; the rest of the lines then use that:

user=ke293
cl-asuser cl-hostid-fix --user $user

if output looks ok run it again with "-a" then set the user's privilege on the application package list (bundles) and the list of apps to update (patches)

cl-asuser cl-hostid-fix --user $user -a
sudo setfacl -m u:$user:rw /etc/user-config/bundles
sudo setfacl -m u:$user:w /etc/user-config/patches


If the machine is a short term loan, use the command 'setfacl -x' on the machine to remove the access granted to the user. This should be undone when the visit finishes, so when done, set the ticket status to 'stalled', set owner as 'nobody' and the 'Due date' to the end of the visit.

To remove the ACL entries added for the user in the previous step (setfacl -m u:...), on a privileged machine enter the following:

ssh -K smew
user=ke293
sudo setfacl -x u:$user /etc/user-config/bundles
sudo setfacl -x u:$user /etc/user-config/patches
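The '+' in the ls listing earlier on this page and the setfacl commands above both come down to how POSIX ACL entries and the mask combine. As an added example (not code from the page or from the CL tools), the following Python parses getfacl's long-form output, answers "can this user write the bundles file?", and models what setfacl -m u:... and setfacl -x u:... do to the entries, including the mask recalculation setfacl performs by default. The sample output is constructed after the listing on this page; the usernames and group memberships used in the lookups are assumptions.

```python
import re

# Constructed getfacl output, modelled on the listing for /etc/user-config/bundles
# earlier on this page (the user and group names come from that listing).
SAMPLE_GETFACL = """\
# file: etc/user-config/bundles
# owner: awm22
# group: sysadmin
user::rw-
user:tm444:rw-
group::rw-
group:srg-tsars:rw-
mask::rw-
other::r--
"""

PERM_BITS = {"r": 4, "w": 2, "x": 1}


def parse_perms(text):
    """'rw-' -> 6. getfacl appends '\\t#effective:r--' when the mask limits an entry;
    only the entry's own bits are wanted, so anything after '#' is dropped."""
    return sum(PERM_BITS[c] for c in text.split("#", 1)[0].strip() if c in PERM_BITS)


def parse_getfacl(text):
    """Parse getfacl's long form into a dict. Qualifier '' is the owner / owning-group entry."""
    acl = {"file": None, "owner": None, "owning_group": None,
           "user": {}, "group": {}, "mask": None, "other": 0}
    header_keys = {"file": "file", "owner": "owner", "group": "owning_group"}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            m = re.match(r"#\s*(file|owner|group):\s*(.+)", line)
            if m:
                acl[header_keys[m.group(1)]] = m.group(2)
            continue
        tag, qualifier, perms = line.split(":", 2)
        if tag in ("user", "group"):
            acl[tag][qualifier] = parse_perms(perms)
        elif tag in ("mask", "other"):
            acl[tag] = parse_perms(perms)
    return acl


def has_extended_acl(acl):
    """True when ls -l would show the '+': a named user/group entry (and hence a mask) exists."""
    return bool(set(acl["user"]) - {""} or set(acl["group"]) - {""} or acl["mask"] is not None)


def effective_perms(acl, user, groups=()):
    """POSIX ACL evaluation order: owner, named user, owning group and named groups, other.
    The mask caps every entry except the owner's and other's. Matching group entries are
    OR-ed together, which is correct for single-bit questions such as can_write."""
    mask = 7 if acl["mask"] is None else acl["mask"]
    if user == acl["owner"]:
        return acl["user"][""]
    if user in acl["user"]:
        return acl["user"][user] & mask
    matched = [p for g, p in acl["group"].items()
               if (g == "" and acl["owning_group"] in groups) or (g != "" and g in groups)]
    if matched:
        perms = 0
        for p in matched:
            perms |= p
        return perms & mask
    return acl["other"]


def can_write(acl, user, groups=()):
    return bool(effective_perms(acl, user, groups) & PERM_BITS["w"])


def recompute_mask(acl):
    """What setfacl does by default after -m/-x: mask = union of owning-group, named-user
    and named-group entries (the owner and other entries are not included)."""
    mask = 0
    for q, p in acl["user"].items():
        if q != "":
            mask |= p
    for p in acl["group"].values():
        mask |= p
    acl["mask"] = mask


def grant_user(acl, user, perms):
    """Model of 'setfacl -m u:<user>:<perms>'."""
    acl["user"][user] = parse_perms(perms)
    recompute_mask(acl)
    return acl


def revoke_user(acl, user):
    """Model of 'setfacl -x u:<user>'."""
    acl["user"].pop(user, None)
    recompute_mask(acl)
    return acl


if __name__ == "__main__":
    acl = parse_getfacl(SAMPLE_GETFACL)
    for who, grps in [("awm22", ()), ("tm444", ()), ("iwm21", ()), ("iwm21", ("srg-tsars",))]:
        print(who, grps, "can write" if can_write(acl, who, grps) else "cannot write")
    print("after grant:", can_write(grant_user(acl, "ke293", "rw"), "ke293"))
    print("after revoke:", can_write(revoke_user(acl, "ke293"), "ke293"))
```

The point a practitioner should take from the mask handling: a named entry of rw- is worth only what the mask allows, so a listing that shows user:ke293:rw- next to mask::r-- (getfacl then prints #effective:r-- on that line) still leaves the user unable to edit the bundles file until the mask is recomputed, which setfacl -m does unless -n is given.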