LSA Package Selector
PLEASE read this entire document carefully - skimming may result in an insecure or non-functional machine.
This page will help guide you through SOME of the available packages that you can install manually. As a reminder, it is always best to install these through SimpleNetInstall to ensure everything is installed and in the proper order. All of the packages were built with the assumption that SimpleNetInstall would be used to install them, so some dependencies may not be known. If you discover one, please let us know.
All packages are available from afp://lsa-swl2.lsa.umich.edu/Packages Complete
You will need a UMICH.EDU Kerberos password and your account will need to
be added to a group before you can access that server. Send a request to
lsa-dev-osx if you do not have access to that server and need it.
All of the packages should be installed in the order they are listed on this page.
ALL Machines (REQUIRED packages)
The following packages should be installed on every machine:
- plistbuddy.pkg (allows us to programmatically modify plists)
- MacOSXHooks.pkg (automatically run scripts at login or logout)
- Kerberos.pkg (configure Kerberos for UMICH servers)
- KeyAccess.pkg OR KeyMobile.pkg (allow you to run keyed apps)
- repairPermissions.pkg (automatically does a repair-permissions every night)
Any Machine (Optional packages)
The following are optional depending on your desired behavior:
Do you want people to be able to access their IFS/AFS space?
If so, install OpenAFS.pkg
Do you want people to use their LSA.UMICH.EDU Kerberos password instead
of their UMICH.EDU (ITCS) Kerberos password?
If so, install KerbAFS-Defaults-LSA.pkg
Should people be able to login to their machines using Kerberos?
If so, install Kerberized-Console.pkg. This will enable the use
of a Kerberos password IN ADDITION TO their local password for most of the
GUI password prompts such as loginwindow, preferences, installer,
screen saver, etc. Passwords need not be synchronized for this to work, but to
obtain Kerberos tickets, they will need to use their Kerberos password.
NOTE: By itself, this does not allow any additional
people to login to the machine - people must either have local accounts on the
machine or you must bind to an LDAP directory (see below).
Should people be able to use Kerberos to SSH or sudo into their machine?
If so, install Kerberos-PAM_KFM.pkg. This will enable the use of
a Kerberos password IN ADDITION TO their local password for most of the
command-line applications, such as sudo, su, and when SSHing to the
machine.
Passwords need not be synchronized for this to work, but to obtain Kerberos tickets, they will need to use their Kerberos password.
NOTE: By itself, this does not allow any additional
people to login to the machine - people must either have local accounts on the
machine or you must bind to an LDAP directory (see below).
Who should be able to login to the machine?
- Specific people - just create local accounts for everyone that should be allowed to use the machine.
- Any UofM Person - install the LDAPumich.pkg along with either or both of the Kerberized-Console.pkg and/or Kerberos-PAM_KFM.pkg packages above. Home directories are not automatically created for LDAP users - you'll want to also install one of the Home Directory packages listed below.
- Your department - you'll need your own LDAP server and local LDAP configuration for this. This is not college-supported, so you'll need to provide your own solution.
Is the user a UNIX user?
You will probably want to install X11User.pkg, UnixTools.mpkg, and XcodeTools.mpkg. Don't forget to select each pkg inside of these mpkg's. You should also enable Remote Login through the Sharing preference pane if they want to SSH to their machine (this is done automatically with an SNI install).
Lab Machines
In addition to the packages listed in the All Machines section above, you can install some of the following packages to make your machine behave like a lab machine:
Home Directories
If you're using network accounts through LDAP, you'll probably also need to install a home directory creation package:
- Created and left alone: Install AutoHomeDirs-UnManaged.pkg
- Created and deleted after use: Install LabHomeDirs.pkg - this will create home dirs automatically when a user logs in and then delete the home directory after a (configurable) period of time or when the disk has reached a (configurable) fullness (whichever comes first).
- Mounted from fileserver: Currently the only supported mechanisms of network home directories are AFP and NFS home directories. Neither of these are recommended here, but are mentioned because they are supported by Apple. A package will be completed shortly that will enable certain portions of one's home directory to be automatically symlinked into AFS and Windows file space.
Should there be a logout button?
If so, install LSALogoutApp.pkg. This will place an applescript on
every user's desktop that does the same thing as the logout option from the
pull-down Apple menu.
Need a shortcut to login.itd.umich.edu?
If so, install LSA ITD Login Term.pkg. This will place a shortcut
in /Applications/Utilities/ that ssh's to login.itd.umich.edu
Need your OpenFirmware locked?
If so, read this document: How do I use the OpenFirmware Lock packages?
Non-Image Machines
It is important to stress that there are a number of packages installed as part of the LSA loadset that are there to make their machines significantly more stable and more secure. This is all done automatically through SimpleNetInstall. Currently there are few (if any) known reasons to do this all manually rather than use SimpleNetInstall. If you have some concerns, please let them be heard so we can improve the automated install process.
The LSA loadset is not present to be heavy handed; it's used to save everyone time (not just the users, but also the DSAs that have to fix the machines later), which trickles down to saving the university money.
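For anyone who does install by hand, the rules above (required packages, the packages that must accompany LDAPumich.pkg, and page order) can be checked before anything is installed. The script below is an added example, not part of the LSA loadset or SimpleNetInstall; the function names and messages are hypothetical, and it covers only the packages on this page whose names contain no spaces.

```shell
#!/bin/sh
# Added example: check a package selection against this page's rules and
# print it in page order. Package names come from the page; plan_install,
# has, fail and the messages are hypothetical names for this example.

# Order in which the packages appear on the page (subset without spaces).
PAGE_ORDER="plistbuddy.pkg MacOSXHooks.pkg Kerberos.pkg KeyAccess.pkg \
KeyMobile.pkg repairPermissions.pkg OpenAFS.pkg KerbAFS-Defaults-LSA.pkg \
Kerberized-Console.pkg Kerberos-PAM_KFM.pkg LDAPumich.pkg \
AutoHomeDirs-UnManaged.pkg LabHomeDirs.pkg LSALogoutApp.pkg"
REQUIRED="plistbuddy.pkg MacOSXHooks.pkg Kerberos.pkg repairPermissions.pkg"

# has PKG: true if PKG is in the current selection.
has() { case " $SELECTED " in *" $1 "*) return 0 ;; *) return 1 ;; esac; }

# fail MSG: record a broken rule and report it on stderr.
fail() { echo "plan_install: $1" >&2; err=1; }

# plan_install PKG...: print the selection one per line in page order.
# Returns 1 (reasons on stderr, nothing on stdout) if a rule is broken.
plan_install() {
    SELECTED="$*"
    err=0
    for p in $SELECTED; do
        case " $PAGE_ORDER " in *" $p "*) ;; *) fail "unknown package $p" ;; esac
    done
    for p in $REQUIRED; do
        has "$p" || fail "required package $p is missing"
    done
    has KeyAccess.pkg || has KeyMobile.pkg ||
        fail "need KeyAccess.pkg or KeyMobile.pkg"
    if has LDAPumich.pkg; then
        # The page pairs LDAPumich.pkg with at least one Kerberos login package.
        has Kerberized-Console.pkg || has Kerberos-PAM_KFM.pkg ||
            fail "LDAPumich.pkg needs Kerberized-Console.pkg or Kerberos-PAM_KFM.pkg"
        # LDAP users get no home directory unless a package creates one.
        has AutoHomeDirs-UnManaged.pkg || has LabHomeDirs.pkg ||
            fail "LDAPumich.pkg needs a home directory package"
    fi
    [ "$err" -eq 0 ] || return 1
    for p in $PAGE_ORDER; do
        if has "$p"; then echo "$p"; fi
    done
}

# Constructed selection for an LDAP lab machine, given out of order.
plan_install LabHomeDirs.pkg LDAPumich.pkg Kerberized-Console.pkg \
    repairPermissions.pkg KeyAccess.pkg Kerberos.pkg MacOSXHooks.pkg plistbuddy.pkg
```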