Index: server/fedora/config/etc/ha.d/ha.cf =================================================================== --- server/fedora/config/etc/ha.d/ha.cf (revision 482) +++ server/fedora/config/etc/ha.d/ha.cf (revision 484) @@ -1,9 +1,9 @@ -logfacility local0 -udpport 695 -bcast eth0 +logfacility local0 +udpport 695 +bcast eth0 mcast eth0 225.0.0.1 695 1 0 auto_failback off -node old-faithful -node better-mousetrap +node old-faithful +node better-mousetrap respawn hacluster /usr/lib64/heartbeat/ipfail apiauth ipfail gid=haclient uid=hacluster Index: server/fedora/config/etc/ha.d/haresources =================================================================== --- server/fedora/config/etc/ha.d/haresources (revision 482) +++ server/fedora/config/etc/ha.d/haresources (revision 484) @@ -1,1 +1,1 @@ -old-faithful nfs +old-faithful crond Index: server/fedora/config/etc/ldap.conf =================================================================== --- server/fedora/config/etc/ldap.conf (revision 484) +++ server/fedora/config/etc/ldap.conf (revision 484) @@ -0,0 +1,295 @@ +# @(#)$Id: ldap.conf,v 1.38 2006/05/15 08:13:31 lukeh Exp $ +# +# This is the configuration file for the LDAP nameservice +# switch library and the LDAP PAM module. +# +# The man pages for this file are nss_ldap(5) and pam_ldap(5) +# +# PADL Software +# http://www.padl.com +# + +# Your LDAP server. Must be resolvable without using LDAP. +# Multiple hosts may be specified, each separated by a +# space. How long nss_ldap takes to failover depends on +# whether your LDAP client library supports configurable +# network or connect timeouts (see bind_timelimit). +host 127.0.0.1 + +# The distinguished name of the search base. +base dc=scripts,dc=mit,dc=edu + +# Another way to specify your LDAP server is to provide an +# uri with the server name. This allows to use +# Unix Domain Sockets to connect to a local LDAP Server. +#uri ldap://127.0.0.1/ +#uri ldaps://127.0.0.1/ +#uri ldapi://%2fvar%2frun%2fldapi_sock/ +# Note: %2f encodes the '/' used as directory separator + +# The LDAP version to use (defaults to 3 +# if supported by client library) +#ldap_version 3 + +# The distinguished name to bind to the server with. +# Optional: default is to bind anonymously. +#binddn cn=proxyuser,dc=example,dc=com + +# The credentials to bind with. +# Optional: default is no credential. +#bindpw secret + +# The distinguished name to bind to the server with +# if the effective user ID is root. Password is +# stored in /etc/ldap.secret (mode 600) +#rootbinddn cn=manager,dc=example,dc=com + +# The port. +# Optional: default is 389. +#port 389 + +# The search scope. +#scope sub +#scope one +#scope base + +# Search timelimit +#timelimit 30 +timelimit 120 + +# Bind/connect timelimit +#bind_timelimit 30 +bind_timelimit 120 + +# Reconnect policy: hard (default) will retry connecting to +# the software with exponential backoff, soft will fail +# immediately. +#bind_policy hard + +# Idle timelimit; client will close connections +# (nss_ldap only) if the server has not been contacted +# for the number of seconds specified below. +#idle_timelimit 3600 +idle_timelimit 3600 + +# Filter to AND with uid=%s +#pam_filter objectclass=account + +# The user ID attribute (defaults to uid) +#pam_login_attribute uid + +# Search the root DSE for the password policy (works +# with Netscape Directory Server) +#pam_lookup_policy yes + +# Check the 'host' attribute for access control +# Default is no; if set to yes, and user has no +# value for the host attribute, and pam_ldap is +# configured for account management (authorization) +# then the user will not be allowed to login. +#pam_check_host_attr yes + +# Check the 'authorizedService' attribute for access +# control +# Default is no; if set to yes, and the user has no +# value for the authorizedService attribute, and +# pam_ldap is configured for account management +# (authorization) then the user will not be allowed +# to login. +#pam_check_service_attr yes + +# Group to enforce membership of +#pam_groupdn cn=PAM,ou=Groups,dc=example,dc=com + +# Group member attribute +#pam_member_attribute uniquemember + +# Specify a minium or maximum UID number allowed +#pam_min_uid 0 +#pam_max_uid 0 + +# Template login attribute, default template user +# (can be overriden by value of former attribute +# in user's entry) +#pam_login_attribute userPrincipalName +#pam_template_login_attribute uid +#pam_template_login nobody + +# HEADS UP: the pam_crypt, pam_nds_passwd, +# and pam_ad_passwd options are no +# longer supported. +# +# Do not hash the password at all; presume +# the directory server will do it, if +# necessary. This is the default. +#pam_password clear + +# Hash password locally; required for University of +# Michigan LDAP server, and works with Netscape +# Directory Server if you're using the UNIX-Crypt +# hash mechanism and not using the NT Synchronization +# service. +#pam_password crypt + +# Remove old password first, then update in +# cleartext. Necessary for use with Novell +# Directory Services (NDS) +#pam_password clear_remove_old +#pam_password nds + +# RACF is an alias for the above. For use with +# IBM RACF +#pam_password racf + +# Update Active Directory password, by +# creating Unicode password and updating +# unicodePwd attribute. +#pam_password ad + +# Use the OpenLDAP password change +# extended operation to update the password. +#pam_password exop + +# Redirect users to a URL or somesuch on password +# changes. +#pam_password_prohibit_message Please visit http://internal to change your password. + +# RFC2307bis naming contexts +# Syntax: +# nss_base_XXX base?scope?filter +# where scope is {base,one,sub} +# and filter is a filter to be &'d with the +# default filter. +# You can omit the suffix eg: +# nss_base_passwd ou=People, +# to append the default base DN but this +# may incur a small performance impact. +nss_base_passwd ou=People,dc=scripts,dc=mit,dc=edu?one +#nss_base_shadow ou=People,dc=example,dc=com?one +nss_base_group ou=Groups,dc=scripts,dc=mit,dc=edu?one +#nss_base_hosts ou=Hosts,dc=example,dc=com?one +#nss_base_services ou=Services,dc=example,dc=com?one +#nss_base_networks ou=Networks,dc=example,dc=com?one +#nss_base_protocols ou=Protocols,dc=example,dc=com?one +#nss_base_rpc ou=Rpc,dc=example,dc=com?one +#nss_base_ethers ou=Ethers,dc=example,dc=com?one +#nss_base_netmasks ou=Networks,dc=example,dc=com?ne +#nss_base_bootparams ou=Ethers,dc=example,dc=com?one +#nss_base_aliases ou=Aliases,dc=example,dc=com?one +#nss_base_netgroup ou=Netgroup,dc=example,dc=com?one + +# Just assume that there are no supplemental groups for these named users +nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd + +# attribute/objectclass mapping +# Syntax: +#nss_map_attribute rfc2307attribute mapped_attribute +#nss_map_objectclass rfc2307objectclass mapped_objectclass + +# configure --enable-nds is no longer supported. +# NDS mappings +#nss_map_attribute uniqueMember member + +# Services for UNIX 3.5 mappings +#nss_map_objectclass posixAccount User +#nss_map_objectclass shadowAccount User +#nss_map_attribute uid msSFU30Name +#nss_map_attribute uniqueMember msSFU30PosixMember +#nss_map_attribute userPassword msSFU30Password +#nss_map_attribute homeDirectory msSFU30HomeDirectory +#nss_map_attribute homeDirectory msSFUHomeDirectory +#nss_map_objectclass posixGroup Group +#pam_login_attribute msSFU30Name +#pam_filter objectclass=User +#pam_password ad + +# configure --enable-mssfu-schema is no longer supported. +# Services for UNIX 2.0 mappings +#nss_map_objectclass posixAccount User +#nss_map_objectclass shadowAccount user +#nss_map_attribute uid msSFUName +#nss_map_attribute uniqueMember posixMember +#nss_map_attribute userPassword msSFUPassword +#nss_map_attribute homeDirectory msSFUHomeDirectory +#nss_map_attribute shadowLastChange pwdLastSet +#nss_map_objectclass posixGroup Group +#nss_map_attribute cn msSFUName +#pam_login_attribute msSFUName +#pam_filter objectclass=User +#pam_password ad + +# RFC 2307 (AD) mappings +#nss_map_objectclass posixAccount user +#nss_map_objectclass shadowAccount user +#nss_map_attribute uid sAMAccountName +#nss_map_attribute homeDirectory unixHomeDirectory +#nss_map_attribute shadowLastChange pwdLastSet +#nss_map_objectclass posixGroup group +#nss_map_attribute uniqueMember member +#pam_login_attribute sAMAccountName +#pam_filter objectclass=User +#pam_password ad + +# configure --enable-authpassword is no longer supported +# AuthPassword mappings +#nss_map_attribute userPassword authPassword + +# AIX SecureWay mappings +#nss_map_objectclass posixAccount aixAccount +#nss_base_passwd ou=aixaccount,?one +#nss_map_attribute uid userName +#nss_map_attribute gidNumber gid +#nss_map_attribute uidNumber uid +#nss_map_attribute userPassword passwordChar +#nss_map_objectclass posixGroup aixAccessGroup +#nss_base_group ou=aixgroup,?one +#nss_map_attribute cn groupName +#nss_map_attribute uniqueMember member +#pam_login_attribute userName +#pam_filter objectclass=aixAccount +#pam_password clear + +# Netscape SDK LDAPS +#ssl on + +# Netscape SDK SSL options +#sslpath /etc/ssl/certs + +# OpenLDAP SSL mechanism +# start_tls mechanism uses the normal LDAP port, LDAPS typically 636 +#ssl start_tls +#ssl on + +# OpenLDAP SSL options +# Require and verify server certificate (yes/no) +# Default is to use libldap's default behavior, which can be configured in +# /etc/openldap/ldap.conf using the TLS_REQCERT setting. The default for +# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes". +#tls_checkpeer yes + +# CA certificates for server certificate verification +# At least one of these are required if tls_checkpeer is "yes" +#tls_cacertfile /etc/ssl/ca.cert +#tls_cacertdir /etc/ssl/certs + +# Seed the PRNG if /dev/urandom is not provided +#tls_randfile /var/run/egd-pool + +# SSL cipher suite +# See man ciphers for syntax +#tls_ciphers TLSv1 + +# Client certificate and key +# Use these, if your server requires client authentication. +#tls_cert +#tls_key + +# Disable SASL security layers. This is needed for AD. +#sasl_secprops maxssf=0 + +# Override the default Kerberos ticket cache location. +#krb5_ccname FILE:/etc/.ldapcache + +# SASL mechanism for PAM authentication - use is experimental +# at present and does not support password policy control +#pam_sasl_mech DIGEST-MD5 Index: server/fedora/config/etc/openafs/SuidCells =================================================================== --- server/fedora/config/etc/openafs/SuidCells (revision 482) +++ server/fedora/config/etc/openafs/SuidCells (revision 484) @@ -0,0 +1,5 @@ +athena.mit.edu +net.mit.edu +sipb.mit.edu +dev.mit.edu +ops.mit.edu Index: server/fedora/config/etc/postfix/main.cf =================================================================== --- server/fedora/config/etc/postfix/main.cf (revision 482) +++ server/fedora/config/etc/postfix/main.cf (revision 484) @@ -17,2 +17,14 @@ recipient_delimiter = + inet_interfaces = all +readme_directory = /usr/share/doc/postfix-2.4.3/README_FILES +sample_directory = /usr/share/doc/postfix-2.4.3/samples +sendmail_path = /usr/sbin/sendmail +html_directory = no +setgid_group = postdrop +command_directory = /usr/sbin +manpage_directory = /usr/share/man +daemon_directory = /usr/libexec/postfix +newaliases_path = /usr/bin/newaliases +mailq_path = /usr/bin/mailq +queue_directory = /var/spool/postfix +mail_owner = postfix Index: server/fedora/config/etc/sysconfig/iptables =================================================================== --- server/fedora/config/etc/sysconfig/iptables (revision 482) +++ server/fedora/config/etc/sysconfig/iptables (revision 484) @@ -23,5 +23,5 @@ -A INPUT -p tcp -m tcp --dport 5666 -s ! 18.187.1.128/255.255.255.255 -j REJECT -A INPUT -p tcp -m tcp --dport 199 -s ! 18.187.1.128/255.255.255.255 -j REJECT --A INPUT -p udp -m udp --dport 161 -s ! 18.187.1.128/255.255.255.255 -j REJECT +-A INPUT -p udp -m udp --dport 161 -s ! 18.0.0.0/8 -j REJECT -A INPUT -p tcp -m tcp -m state --state NEW -m multiport --dports 111,2049 -s 127.0.0.1/255.0.0.0 -j ACCEPT -A INPUT -p tcp -m tcp -m state --state NEW -m multiport --dports 111,2049 -s 18.181.0.53/255.255.255.255 -j ACCEPT Index: server/fedora/config/etc/sysconfig/network =================================================================== --- server/fedora/config/etc/sysconfig/network (revision 482) +++ server/fedora/config/etc/sysconfig/network (revision 484) @@ -1,3 +1,3 @@ NETWORKING=yes -HOSTNAME=scripts.mit.edu +HOSTNAME=better-mousetrap.mit.edu GATEWAY=18.181.0.1 Index: server/fedora/config/etc/sysconfig/openafs =================================================================== --- server/fedora/config/etc/sysconfig/openafs (revision 482) +++ server/fedora/config/etc/sysconfig/openafs (revision 484) @@ -1,3 +1,3 @@ -AFSD_ARGS="-afsdb -dynroot -fakestat-all -daemons 6" +AFSD_ARGS="-afsdb -dynroot -fakestat-all -stat 10000 -daemons 6 -volumes 400 -files 40000 -chunksize 19" BOSSERVER_ARGS= Index: server/fedora/config/etc/yum.conf =================================================================== --- server/fedora/config/etc/yum.conf (revision 482) +++ server/fedora/config/etc/yum.conf (revision 484) @@ -1,10 +1,7 @@ [main] cachedir=/var/cache/yum -keepcache=1 +keepcache=0 debuglevel=2 logfile=/var/log/yum.log -pkgpolicy=newest -distroverpkg=redhat-release -tolerant=0 exactarch=1 obsoletes=1 @@ -12,5 +9,4 @@ plugins=1 metadata_expire=1800 -exclude="httpd krb5-libs" # PUT YOUR REPOS HERE OR IN separate files named file.repo