path: root/base/root/scripts/conf.base

# a rough base config used by setup_samba.sh
# created using "sofs conf backup"
[CTDB_MANAGES_SAMBA]
	yes

[CTDB_MANAGES_HTTPD]
	yes

[CTDB_MANAGES_VSFTPD]
	yes

[CTDB_MANAGES_NFS]
	yes

[CTDB_MANAGES_SCP]
	yes

[vsftpd]
	# no anon access
	anonymous_enable=NO
	# put locks onto the files currently transferred
	lock_upload_files=YES
	# enable write access
	write_enable=YES
	# prevent changing access rights – ACLs get screwed otherwise
	chmod_enable=NO
	# enable that user is able to see the root of gpfs
	chroot_local_user=YES
	# allow local user access
	local_enable=YES
	listen=YES
	pam_service_name=vsftpd
	# set the ftp root directory users can see when they connect to the FTP
	local_root=/var/opt/IBM/sofs/ftproot
	log_ftp_protocol=YES
	syslog_enable=YES

[scpglobal]
	allowscp
	allowsftp
	chrootpath=/var/opt/IBM/sofs/scproot
	logfacility=LOG_USER

[ftpexports]
	data=/gpfs/data

[httpexports]
	ScriptAlias "/data" "/var/www/cgi-bin/browse.cgi"
	RewriteRule ^/data(/(.*)$|$) - [E=CGIBROWSE_PREFIX:/gpfs/data]

[nfsexports]
	"/gpfs/data"	*(rw,no_root_squash,fsid=834258092)
	
[nfssharenames]
	#
	#Thu Jul 24 22:43:21 EST 2008
	/gpfs/data=data
	
[scpexports]
	data=/gpfs/data

[smbconf/global]
	netbios name = @@CLUSTER@@
	workgroup = @@WORKGROUP@@
	realm = @@DOMAIN@@
	server string = "IBM SoFS Cluster"
	disable netbios = yes
	disable spoolss = yes
	fileid:mapping = fsname
	use mmap = no
	gpfs:sharemodes = yes
	gpfs:leases = yes
	passdb backend = tdbsam
	idmap backend = tdb2
	idmap:cache = no
	security = ADS
	preferred master = no
	idmap gid = 10000000-11000000
	idmap uid = 10000000-11000000
	kernel oplocks = yes
	syslog = 1
	host msdfs = no
	notify:inotify = no
	vfs objects = shadow_copy2 syncops gpfs fileid
	shadow:snapdir = .snapshots
	shadow:fixinodes = yes
	wide links = no
	auth methods = guest sam winbind
	smbd:backgroundqueue = False
	read only = no
	use sendfile = yes
	strict locking = yes
	posix locking = yes
	large readwrite = yes
	force unknown acl user = yes
	nfs4:mode = special
	nfs4:chown = yes
	nfs4:acedup = merge
	nfs4:sidmap = /etc/samba/sidmap.tdb
	groupdb:backend = tdb
	winbind:online check timeout = 30
	template shell = /usr/bin/rssh
	template homedir = /var/opt/IBM/sofs/scproot
	dmapi support = no

[smbconf/data]
	path = /gpfs/data
	comment = Data Share
	guest ok = no
	read only = no
	browseable = yes

[/etc/ctdb/public_addresses:@@CLUSTER@@n1.@@DOMAIN@@]

[/etc/ctdb/public_addresses:@@CLUSTER@@n2.@@DOMAIN@@]
	@@IPBASE@@.1.101/24 eth1
	@@IPBASE@@.1.102/24 eth1
	@@IPBASE@@.1.103/24 eth1
	@@IPBASE@@.2.101/24 eth2
	@@IPBASE@@.2.102/24 eth2
	@@IPBASE@@.2.103/24 eth2

[/etc/ctdb/public_addresses:@@CLUSTER@@n3.@@DOMAIN@@]
	@@IPBASE@@.1.101/24 eth1
	@@IPBASE@@.1.102/24 eth1
	@@IPBASE@@.1.103/24 eth1
	@@IPBASE@@.2.101/24 eth2
	@@IPBASE@@.2.102/24 eth2
	@@IPBASE@@.2.103/24 eth2

[/etc/krb5.conf]
	[logging]
	 default = FILE:/var/log/krb5libs.log
	 kdc = FILE:/var/log/krb5kdc.log
	 admin_server = FILE:/var/log/kadmind.log
	
	[libdefaults]
	 default_realm = EXAMPLE.COM
	 dns_lookup_realm = false
	 dns_lookup_kdc = false
	 ticket_lifetime = 24h
	 forwardable = yes
	
	[realms]
		@@DOMAIN@@ = {  	
			kdc = sofs1-ad.@@DOMAIN@@
		} 		
	 EXAMPLE.COM = {
	  kdc = kerberos.example.com:88
	  admin_server = kerberos.example.com:749
	  default_domain = example.com
	 }
	
	[domain_realm]
	 .example.com = EXAMPLE.COM
	 example.com = EXAMPLE.COM
	
	[appdefaults]
	 pam = {
	   debug = false
	   ticket_lifetime = 36000
	   renew_lifetime = 36000
	   forwardable = true
	   krb4_convert = false
	 }

[/etc/samba/smb.conf]
	# Samba Configuration file.
	#
	# ****************** WARNING ********************************
	# The contents of this file should not be modified directly !
	#
	# The samba options are stored in the registry.
	# Use the "net conf" command to add/modify samba options in the registry
	# ***************************************************************
	
	[global]
		# enable clustering
		clustering=yes
		ctdb:registry.tdb=yes
		private dir=/gpfs/.ctdb/
		# Load options from registry
		include=registry 

[/etc/sysconfig/authconfig]
	USEWINBINDAUTH=yes
	USEKERBEROS=no
	USESYSNETAUTH=no
	USEPAMACCESS=no
	USEMKHOMEDIR=no
	FORCESMARTCARD=no
	USESMBAUTH=no
	USESMARTCARD=no
	USELDAPAUTH=no
	USEDB=no
	USEWINBIND=no
	USESHADOW=yes
	PASSWDALGORITHM=md5
	USELOCAUTHORIZE=no
	USEPASSWDQC=no
	USELDAP=no
	USEHESIOD=no
	USECRACKLIB=yes
	USENIS=no

[/etc/sysconfig/ctdb]
	# Options to ctdbd. This is read by /etc/init.d/ctdb
	# you must specify the location of a shared lock file across all the
	# nodes. This must be on shared storage
	# there is no default
	CTDB_RECOVERY_LOCK=/gpfs/.ctdb/shared
	# should ctdb do IP takeover? If it should, then specify a file
	# containing the list of public IP addresses that ctdb will manage
	# Note that these IPs must be different from those in $NODES above
	# there is no default
	CTDB_PUBLIC_ADDRESSES=/etc/ctdb/public_addresses
	# when doing IP takeover you also must specify what network interface
	# to use for the public addresses
	# there is no default
	CTDB_PUBLIC_INTERFACE=eth0
	# should ctdb manage starting/stopping the Samba service for you?
	# default is to not manage Samba
	CTDB_MANAGES_SAMBA=yes
	# should ctdb manage starting/stopping the winbind service for you?
	# default is autodetect
	CTDB_MANAGES_WINBIND=yes
	# should ctdb monitor GPFS filesystems and disks
	CTDB_MANAGES_GPFS=yes
	# you may wish to raise the file descriptor limit for ctdb
	# use a ulimit command here. ctdb needs one file descriptor per
	# connected client (ie. one per connected client in Samba)
	ulimit -n 10000
	DAEMON_COREFILE_LIMIT="unlimited"
	# the NODES file must be specified or ctdb won't start
	# it should contain a list of IPs that ctdb will use
	# it must be exactly the same on all cluster nodes
	# defaults to /etc/ctdb/nodes
	CTDB_NODES=/etc/ctdb/nodes
	# the directory to put the local ctdb database files in
	# defaults to /var/ctdb
	CTDB_DBDIR=/var/ctdb
	# the script to run when ctdb needs to ask the OS for help,
	# such as when a IP address needs to be taken or released
	# defaults to /etc/ctdb/events
	CTDB_EVENT_SCRIPT=/etc/ctdb/events.d
	# the location of the local ctdb socket
	# defaults to /tmp/ctdb.socket
	CTDB_SOCKET=/tmp/ctdb.socket
	# what transport to use. Only tcp is currently supported
	# defaults to tcp
	CTDB_TRANSPORT="tcp"
	# where to log messages
	# the default is /var/log/log.ctdb
	CTDB_LOGFILE=/var/log/log.ctdb
	# what debug level to run at. Higher means more verbose
	# the default is 0
	CTDB_DEBUGLEVEL=0
	# set any default tuning options for ctdb
	# use CTDB_SET_XXXX=value where XXXX is the name of the tuning
	# variable
	# for example
	#CTDB_SET_TRAVERSETIMEOUT=60
	#Disable the share check during monitor
	CTDB_SAMBA_SKIP_SHARE_CHECK=yes
	#Disable the config check during monitor
	CTDB_SAMBA_SKIP_CONF_CHECK=yes
	#Specify the SMB ports to check during monitor
	CTDB_SAMBA_CHECK_PORTS="445"
	# you can get a list of variables using "ctdb listvars"
	# any other options you might want. Run ctdbd --help for a list
	CTDB_OPTIONS=--syslog

[/etc/sysconfig/vsftpd]
	# should ctdb manage starting/stopping the service for you?
	# default is to not manage it
	CTDB_MANAGES_VSFTPD=yes

[/etc/sysconfig/http]
	# should ctdb manage starting/stopping the service for you?
	# default is to not manage it
	CTDB_MANAGES_HTTPD=yes

[/etc/sysconfig/nfs]
	#
	# Define which protocol versions mountd 
	# will advertise. The values are "no" or "yes"
	# with yes being the default
	#MOUNTD_NFS_V1="no"
	#MOUNTD_NFS_V2="no"
	#MOUNTD_NFS_V3="no"
	#
	#
	# Path to remote quota server. See rquotad(8)
	#RQUOTAD="/usr/sbin/rpc.rquotad"
	# Port rquotad should listen on.
	#RQUOTAD_PORT=875
	# Optinal options passed to rquotad
	#RPCRQUOTADOPTS=""
	#
	#
	# TCP port rpc.lockd should listen on.
	#LOCKD_TCPPORT=32803
	# UDP port rpc.lockd should listen on.
	#LOCKD_UDPPORT=32769
	#
	#
	# Optional arguments passed to rpc.nfsd. See rpc.nfsd(8)
	#RPCNFSDARGS
	# Number of nfs server processes to be started.
	# The default is 8. 
	#RPCNFSDCOUNT=8
	#
	#
	# Optional arguments passed to rpc.mountd. See rpc.mountd(8)
	#RPCMOUNTDOPTS=""
	# Port rpc.mountd should listen on.
	#MOUNTD_PORT=892
	#
	#
	# Optional arguments passed to rpc.statd. See rpc.statd(8)
	#STATDARG=""
	# Port rpc.statd should listen on.
	#STATD_PORT=662
	# Outgoing port statd should used. The default is port
	# is random
	#STATD_OUTGOING_PORT=2020
	# Specify callout program 
	#STATD_HA_CALLOUT="/usr/local/bin/foo"
	#
	#
	# Optional arguments passed to rpc.idmapd. See rpc.idmapd(8)
	#RPCIDMAPDARGS=""
	#
	# Set to turn on Secure NFS mounts. 
	#SECURE_NFS="yes"
	# Optional arguments passed to rpc.gssd. See rpc.gssd(8)
	#RPCGSSDARGS="-vvv"
	# Optional arguments passed to rpc.svcgssd. See rpc.svcgssd(8)
	#RPCSVCGSSDARGS="-vvv"
	# Don't load security modules in to the kernel
	#SECURE_NFS_MODS="noload"
	#
	# Don't load sunrpc module.
	#RPCMTAB="noload"
	#
	# should ctdb manage starting/stopping the service for you?
	# default is to not manage it
	CTDB_MANAGES_NFS=yes
	STATD_PORT=32765
	STATD_OUTGOING_PORT=32766
	MOUNTD_PORT=32767
	RQUOTAD_PORT=32768
	LOCKD_UDPPORT=32769
	LOCKD_TCPPORT=32769
	NFS_TICKLE_SHARED_DIRECTORY=/gpfs/.ctdb/nfs-tickles
	STATD_SHARED_DIRECTORY=/gpfs/.ctdb/nfs-state
	NFS_HOSTNAME="@@CLUSTER@@"
	STATD_HOSTNAME="$NFS_HOSTNAME -H /etc/ctdb/statd-callout "
	RPCNFSDARGS="-N 4"

[/etc/nsswitch.conf]
	#
	# /etc/nsswitch.conf
	#
	# An example Name Service Switch config file. This file should be
	# sorted with the most-used services at the beginning.
	#
	# The entry '[NOTFOUND=return]' means that the search for an
	# entry should stop if the search in the previous entry turned
	# up nothing. Note that if the search failed due to some other reason
	# (like no NIS server responding) then the search continues with the
	# next entry.
	#
	# Legal entries are:
	#
	#	nisplus or nis+		Use NIS+ (NIS version 3)
	#	nis or yp		Use NIS (NIS version 2), also called YP
	#	dns			Use DNS (Domain Name Service)
	#	files			Use the local files
	#	db			Use the local database (.db) files
	#	compat			Use NIS on compat mode
	#	hesiod			Use Hesiod for user lookups
	#	[NOTFOUND=return]	Stop searching if not found so far
	#
	
	# To use db, put the "db" in front of "files" for entries you want to be
	# looked up first in the databases
	#
	# Example:
	#passwd:    db files nisplus nis
	#shadow:    db files nisplus nis
	#group:     db files nisplus nis
	
	passwd:     files winbind
	shadow:     files
	group:      files winbind 
	
	#hosts:     db files nisplus nis dns
	hosts:      files dns
	
	# Example - obey only what nisplus tells us...
	#services:   nisplus [NOTFOUND=return] files
	#networks:   nisplus [NOTFOUND=return] files
	#protocols:  nisplus [NOTFOUND=return] files
	#rpc:        nisplus [NOTFOUND=return] files
	#ethers:     nisplus [NOTFOUND=return] files
	#netmasks:   nisplus [NOTFOUND=return] files     
	
	bootparams: nisplus [NOTFOUND=return] files
	
	ethers:     files
	netmasks:   files
	networks:   files
	protocols:  files
	rpc:        files
	services:   files
	
	netgroup:   nisplus
	
	publickey:  nisplus
	
	automount:  files nisplus
	aliases:    files nisplus
	

[/etc/pam.d/system-auth-ac]
	#%PAM-1.0
	# This file is auto-generated.
	# User changes will be destroyed the next time authconfig is run.
	auth        required      pam_env.so
	auth        sufficient    pam_unix.so nullok try_first_pass
	auth        requisite     pam_succeed_if.so uid >= 500 quiet
	auth        sufficient    pam_winbind.so use_first_pass
	auth        required      pam_deny.so
	
	account     required      pam_unix.so broken_shadow
	account     sufficient    pam_succeed_if.so uid < 500 quiet
	account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
	account     required      pam_permit.so
	
	password    requisite     pam_cracklib.so try_first_pass retry=3
	password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
	password    sufficient    pam_winbind.so use_authtok
	password    required      pam_deny.so
	
	session     optional      pam_keyinit.so revoke
	session     required      pam_limits.so
	session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
	session     required      pam_unix.so

[/etc/pam.d/vsftpd]
	#%PAM-1.0
	session    optional     pam_keyinit.so    force revoke
	auth       required     pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
	#auth       required     pam_shells.so
	auth       sufficient   pam_winbind.so
	auth       include      system-auth
	account    sufficient   pam_winbind.so
	account    include      system-auth
	session    include      system-auth
	session    required     pam_loginuid.so

[/etc/rssh.conf]
	allowscp
	allowsftp
	chrootpath=/var/opt/IBM/sofs/scproot
	logfacility=LOG_USER

[/etc/httpd/conf.d/shares.config]
	ScriptAlias "/data" "/var/www/cgi-bin/browse.cgi"
	RewriteRule ^/data(/(.*)$|$) - [E=CGIBROWSE_PREFIX:/gpfs/data]

[/etc/vsftpd/vsftpd.conf]
	# no anon access
	anonymous_enable=NO
	# put locks onto the files currently transferred
	lock_upload_files=YES
	# enable write access
	write_enable=YES
	# prevent changing access rights – ACLs get screwed otherwise
	chmod_enable=NO
	# enable that user is able to see the root of gpfs
	chroot_local_user=YES
	# allow local user access
	local_enable=YES
	listen=YES
	pam_service_name=vsftpd
	# set the ftp root directory users can see when they connect to the FTP
	local_root=/var/opt/IBM/sofs/ftproot
	log_ftp_protocol=YES
	syslog_enable=YES

[/var/opt/IBM/sofs/configs/scpexports]
	data=/gpfs/data

[/var/opt/IBM/sofs/configs/ftpexports]
	data=/gpfs/data

[/var/opt/IBM/sofs/scproot/etc/nsswitch.conf]
	#
	# /etc/nsswitch.conf
	#
	# An example Name Service Switch config file. This file should be
	# sorted with the most-used services at the beginning.
	#
	# The entry '[NOTFOUND=return]' means that the search for an
	# entry should stop if the search in the previous entry turned
	# up nothing. Note that if the search failed due to some other reason
	# (like no NIS server responding) then the search continues with the
	# next entry.
	#
	# Legal entries are:
	#
	#	nisplus or nis+		Use NIS+ (NIS version 3)
	#	nis or yp		Use NIS (NIS version 2), also called YP
	#	dns			Use DNS (Domain Name Service)
	#	files			Use the local files
	#	db			Use the local database (.db) files
	#	compat			Use NIS on compat mode
	#	hesiod			Use Hesiod for user lookups
	#	[NOTFOUND=return]	Stop searching if not found so far
	#
	
	# To use db, put the "db" in front of "files" for entries you want to be
	# looked up first in the databases
	#
	# Example:
	#passwd:    db files nisplus nis
	#shadow:    db files nisplus nis
	#group:     db files nisplus nis
	
	passwd:     files winbind
	shadow:     files
	group:      files winbind 
	
	#hosts:     db files nisplus nis dns
	hosts:      files dns
	
	# Example - obey only what nisplus tells us...
	#services:   nisplus [NOTFOUND=return] files
	#networks:   nisplus [NOTFOUND=return] files
	#protocols:  nisplus [NOTFOUND=return] files
	#rpc:        nisplus [NOTFOUND=return] files
	#ethers:     nisplus [NOTFOUND=return] files
	#netmasks:   nisplus [NOTFOUND=return] files     
	
	bootparams: nisplus [NOTFOUND=return] files
	
	ethers:     files
	netmasks:   files
	networks:   files
	protocols:  files
	rpc:        files
	services:   files
	
	netgroup:   nisplus
	
	publickey:  nisplus
	
	automount:  files nisplus
	aliases:    files nisplus