Despite the fact that Linux systems are increasingly common, many academic institutions are married to Microsoft and make it challenging to run Linux and other Unices on laptops, workstations and servers. In bioinformatics, most tools are developed on Linux to run on servers, so it only makes sense to run Linux everywhere. That is what we do, and that is what we document here, where we proudly run Linux at the University of Tennessee.
Note that there are people in the IT departments who know Linux, simply because they also have to run Linux machines!
For some other useful tips on using Linux see ./TIPS.org.
Eduroam works great on Linux with wpa_supplicant and network managers. The configuration looks like:
cat /etc/wpa_supplicant_eduroam.conf

```
# Copied from https://github.com/RasmusWL/eduroam
ctrl_interface=/var/run/wpa_supplicant
eapol_version=1
ap_scan=1
fast_reauth=1

network={
  ssid="eduroam"
  # key_mgmt=IEEE8021X WPA-NONE WPA-EAP
  key_mgmt=WPA-EAP
  pairwise=CCMP
  group=CCMP TKIP
  eap=PEAP
  identity="[email protected]"
  password="***"
  #ca_cert="/location/of/cert" # This might not be required.
  phase1="tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1"
  phase2="auth=MSCHAPV2"
  priority=2
  auth_alg=OPEN
}
```
Use your E-mail address and password. Start wpa_supplicant with something like

```sh
pkill wpa_supplicant ; wpa_supplicant -Dwext -i$WLAN -c /etc/wpa_supplicant_eduroam.conf &
```

where WLAN is your wifi interface; find it with

```sh
ip a
```

e.g.

```sh
export WLAN=wlp3s0
```

Next fire up dhcp so you can get on the network:

```sh
pkill dhclient ; dhclient -v $WLAN
```
Eduroam works great, but it puts you on a separate VLAN with no access to printers. To get onto the proper VLAN, log in with just your netid (not your E-mail address!!) using the same wpa_supplicant configuration as for eduroam. On success the IP address you get from dhclient should be different. If that is not the case, send the output of

```sh
ip a
```

to your support desk and ask them to put your machine on the VLAN. After their confirmation you should see the printers. It may help to send the IP address of the printer too.
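The configuration above leaves ca_cert commented out, which means wpa_supplicant never verifies the RADIUS server's certificate before sending the PEAP/MSCHAPv2 credential. The script below is an added example, not part of the original notes or the RasmusWL config: it checks a config file for ca_cert and domain_suffix_match and then wraps the connect steps given above. The sample config it writes, its identity value, and the use of the default nl80211 driver instead of -Dwext are assumptions.

```sh
#!/bin/sh
# Added example, not from the original notes: check a wpa_supplicant
# eduroam config for RADIUS server certificate validation, then bring
# the interface up in the order the notes use. The config path and the
# interface name are passed in; nothing here is hard-coded to UTHSC.

# Write a constructed minimal config shaped like the notes' file
# (ca_cert commented out) to $1, for trying the check offline.
write_sample_conf() {
    cat > "$1" <<'EOF'
network={
  ssid="eduroam"
  key_mgmt=WPA-EAP
  eap=PEAP
  identity="netid@example.edu"
  #ca_cert="/location/of/cert"
  phase2="auth=MSCHAPV2"
}
EOF
}

# Return 0 only when ca_cert= and domain_suffix_match= are both set
# (uncommented). Without ca_cert, PEAP/MSCHAPv2 will hand the password
# hash to any access point that announces an "eduroam" SSID.
eduroam_conf_check() {
    conf="$1"
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    if ! grep -Eq '^[[:space:]]*ca_cert=' "$conf"; then
        echo "warning: $conf has no ca_cert; server cert is not checked" >&2
        return 1
    fi
    if ! grep -Eq '^[[:space:]]*domain_suffix_match=' "$conf"; then
        echo "warning: $conf has ca_cert but no domain_suffix_match" >&2
        return 1
    fi
    return 0
}

# The notes' connect sequence (needs root). $1 = config, $2 = interface.
# Uses the default nl80211 driver instead of the notes' -Dwext.
eduroam_connect() {
    pkill wpa_supplicant || true
    wpa_supplicant -B -i"$2" -c "$1" || return 1
    pkill dhclient || true
    dhclient -v "$2" || return 1
    ip -4 addr show dev "$2" | awk '/inet /{print $2}'
}
```

Run `eduroam_conf_check /etc/wpa_supplicant_eduroam.conf && eduroam_connect /etc/wpa_supplicant_eduroam.conf "$WLAN"` as root; the connect step is skipped whenever the check fails.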
With CUPS you can install a printer. One printer in our VLAN is configured as
cat /etc/cups/printers.conf

```
<DefaultPrinter Xerox6360Color>
UUID urn:uuid:9a41b18c-c26b-3bf6-5d34-287b3d3457a7
Info Xerox6360Color
MakeModel Xerox Phaser 6360 Foomatic/Postscript (recommended)
DeviceURI socket://172.21.216.173
State Idle
StateTime 1558107438
ConfigTime 1558028722
Type 8433692
Accepting Yes
Shared No
JobSheets none none
QuotaPeriod 0
PageLimit 0
KLimit 0
OpPolicy default
ErrorPolicy retry-job
Attribute marker-colors \#00FFFF,#FF00FF,#FFFF00,#000000,none,none,none
Attribute marker-levels 23,29,20,78,90,95,-1
Attribute marker-names Cyan High Capacity Toner Cartridge, Phaser 6360, P/N 106R01218,Magenta High Capacity Toner Cartridge, Phaser 6360, P/N 106R01219,Yellow High Capacity Toner Cartridge, Phaser 6360, P/N 106R01220,Black High Capacity Toner Cartridge, Phaser 6360, P/N 106R01221,Imaging Unit, Phaser 6360, P/N 108R00645,Fuser, Phaser 6360, P/N 115R00055 (110 V)/115R00056 (220 V),Transfer Roller, Phaser 6360, P/N 108R00646
Attribute marker-types toner,toner,toner,toner,opc,fuser,transfer-unit
Attribute marker-change-time 1558107438
</DefaultPrinter>
```

Note that while IPP is configured on this printer, it did not respond to ipp://. It does work with the above socket link. It may be advisable to use the DNS name, e.g. socket://tsrb-81795-410h.uthsc.edu. The driver that works best is Xerox Phaser 6360DN - CUPS+Gutenprint v5.2.11 (grayscale, 2-sided printing).
2-factor authentication was recently introduced. It requires a special app for Android/iPhone. Not exactly Linux specific, and UT does not advertise it, but you can also get a token from the help desk. This is a preferred option because it is more secure and always works (until the battery runs out). Renew the token every two years.
IMAP and forwarding are no longer available since January 2022. This is a real PAIN. Worse is the fact that UT is heavily in bed with Microsoft, and that means dealing with proprietary interfaces. The best fix is to use davmail with Exchange EWS, which is typically exposed so people can run Outlook on their phones. To get it going, test davmail with Thunderbird first. After that any IMAP client should work:
A recent version >5.5 of davmail supports 2FA. I used the following settings with success from outside the VPN:
- Exchange protocol: O365Manual
- Exchange URL: https://outlook.office365.com/EWS/Exchange.asmx
- IMAP port local: 1143
- SMTP port local: 1025
Your configuration may look similar to
cat .davmail.properties

```
davmail.ssl.keystoreType=
davmail.ssl.keystorePass=
davmail.proxyPassword=
davmail.oauth.tenantId=
[email protected]={AES}M+BnyqKpDlwJ72v9I+KdskKA== etc.
davmail.oauth.clientId=
davmail.smtpPort=1025
davmail.enableKerberos=false
davmail.folderSizeLimit=
davmail.forceActiveSyncUpdate=false
davmail.imapAutoExpunge=true
davmail.useSystemProxies=false
davmail.proxyUser=
davmail.caldavEditNotifications=false
davmail.ssl.nosecuresmtp=false
davmail.caldavPastDelay=0
davmail.ssl.keyPass=
log4j.logger.httpclient.wire=WARN
davmail.noProxyFor=
davmail.server=false
log4j.logger.org.apache.commons.httpclient=WARN
davmail.popMarkReadOnRetr=false
davmail.ssl.nosecureimap=false
davmail.disableTrayActivitySwitch=false
davmail.caldavAutoSchedule=true
davmail.enableProxy=false
davmail.proxyPort=
davmail.logFileSize=
davmail.mode=O365Manual
davmail.smtpSaveInSent=true
davmail.bindAddress=
davmail.ssl.nosecurepop=false
davmail.ssl.pkcs11Library=
log4j.rootLogger=WARN
davmail.ssl.keystoreFile=
log4j.logger.davmail=DEBUG
davmail.ssl.clientKeystoreType=
davmail.clientSoTimeout=
davmail.ssl.pkcs11Config=
davmail.imapPort=1143
davmail.ssl.clientKeystorePass=
davmail.url=https://outlook.office365.com/EWS/Exchange.asmx
davmail.sentKeepDelay=0
davmail.ssl.nosecureldap=false
davmail.imapAlwaysApproxMsgSize=false
davmail.ssl.nosecurecaldav=false
davmail.popPort=
davmail.defaultDomain=
davmail.showStartupBanner=true
davmail.proxyHost=
davmail.ldapPort=1389
davmail.server.certificate.hash=
log4j.logger.org.apache.http.wire=WARN
davmail.disableGuiNotifications=false
davmail.imapIdleDelay=
davmail.allowRemote=false
davmail.disableUpdateCheck=false
log4j.logger.org.apache.http=WARN
davmail.caldavPort=1080
davmail.enableKeepAlive=false
davmail.ssl.clientKeystoreFile=
davmail.logFilePath=
davmail.carddavReadPhoto=true
davmail.keepDelay=30
davmail.oauth.redirectUri=
davmail.caldavAlarmSound=
```

Note that the oauth token appears in this file the first time after logging in with 2FA and Thunderbird!
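Because the properties file ends up holding the encrypted OAuth refresh token, and because davmail listens on local ports that Thunderbird talks to without TLS, two things are worth checking: the file is readable only by its owner, and davmail.allowRemote stays false so other hosts cannot use the bridge. The script below is an added example, not davmail's code or part of the original notes; the expected values are the ones from the file above, the sample file it writes is constructed, and the refresh-token key name in the sample is an assumption.

```sh
#!/bin/sh
# Added example, not from the original notes: check that a davmail
# properties file keeps the local IMAP/SMTP bridge private. The file
# stores the encrypted OAuth refresh token, so it should be owner-only,
# and remote hosts must not be allowed to use the bridge.

# Write a constructed properties file in the shape of the notes' one to $1.
write_sample_props() {
    cat > "$1" <<'EOF'
davmail.mode=O365Manual
davmail.url=https://outlook.office365.com/EWS/Exchange.asmx
davmail.imapPort=1143
davmail.smtpPort=1025
davmail.allowRemote=false
davmail.oauth.user@example.edu.refreshToken={AES}CONSTRUCTED_TOKEN==
EOF
    chmod 600 "$1"
}

# Last value of key $1 in properties file $2 (Java: last definition wins).
prop() {
    sed -n "s/^[[:space:]]*$1=//p" "$2" | tail -n1
}

# Report problems on stderr; the return value is the number found
# (99 when the file does not exist).
davmail_check() {
    f="$1"; problems=0
    [ -f "$f" ] || { echo "no such file: $f" >&2; return 99; }

    # 1. The token file must be owner-only (GNU stat, BSD stat fallback).
    mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
    case "$mode" in
        600|400) ;;
        *) echo "$f: mode $mode, expected 600 (file holds the OAuth token)" >&2
           problems=$((problems + 1)) ;;
    esac

    # 2. Only this machine may connect to the IMAP/SMTP ports.
    if [ "$(prop davmail.allowRemote "$f")" != "false" ]; then
        echo "$f: davmail.allowRemote must be false" >&2
        problems=$((problems + 1))
    fi

    # 3. The mode the notes found to work with 2FA.
    if [ "$(prop davmail.mode "$f")" != "O365Manual" ]; then
        echo "$f: davmail.mode is not O365Manual (needed for 2FA)" >&2
        problems=$((problems + 1))
    fi
    return $problems
}
```

Run `davmail_check ~/.davmail.properties` after the first 2FA login; a non-zero exit is the number of settings to fix.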
Set up Thunderbird after the above davmail setup.
To receive mail choose IMAP:
- servername ‘localhost’
- port 1143
- with your UTHSC email as user name
- set connection security to ‘None’
- password submitted insecurely
Note that your details are sent securely to the remote server; we are just setting up a local transport here that you can tweak after it works.
Now you should be able to scan your E-mail. A 2FA screen should pop up.
Next set up sending E-mail in the ‘Outgoing Server’ dialog. I added a new server with settings
- server name ‘localhost’
- port 1025
- connection security ‘None’
- password sent insecurely and
- username my UTHSC email again
Now try to send E-mail.
Note that Thunderbird can use multiple E-mail servers through its ‘View|Folders|Unified’ functionality.
Webmail and other web-based tools work in Firefox. Some SAP-based tools require the Chrome browser. Your mileage may vary, but in general it is a good idea to try different browsers.
Microsoft software provided by UT does not work on Linux. You can opt to use Libreoffice/Openoffice and such, but it may be painful collaborating with people who use these tools (at least for shared writing). Note: it is possible to run Microsoft Office 2012 in Wine on Linux. That may be good enough for most of us.
I am increasingly writing text in emacs markdown. Markdown can be translated to Word files using the `pandoc` tool. That includes references read from a bibtex database!
UTHSC VPN requires two-factor DUO authentication (2FA). Both the proprietary tool and openconnect should work.
Update: openconnect-sso does work now!
UT uses Cisco VPNs, which allow you to use your machine from outside as if it is on the local network. The following has been updated for (DUO) 2FA:
UTHSC VPN requires two-factor DUO authentication (2FA) using the proprietary, closed-source (!) Cisco anyconnect tool. Note that anyconnect takes over the whole network on your Linux machine; it may pay to run it in a VM. What works is getting a recent version of the client *) and unpacking it:
```sh
tar xvzf anyconnect-linux64-$VER-predeploy-k9.tar.gz
cd any*/vpn
```

Note that the install script wants to install in /opt/cisco. You can modify that.

```sh
mkdir /opt/cisco
./vpn_install.sh
```

The client runs as the /opt/cisco/anyconnect/bin/vpnagentd daemon. Start it as root:

```sh
/opt/cisco/anyconnect/bin/vpnagentd -execv_instance &
```

The VPN clients can be found in /opt/cisco/anyconnect/bin. Important: as a normal user, make sure the PATH is up-to-date, then start the GUI:

```sh
export PATH=/opt/cisco/anyconnect/bin:$PATH
vpnui
```

For the description type UTHSC (make sure to use upper case). For the Server Address field type uthscvpn1.uthsc.edu. Then click “Save”. Connect to UTHSCVPN with group UTHSC.
*) Note: there is no point in signing up with Cisco’s website; they still don’t allow the client download. The best way is to get the software from UTHSC directly (contact support).
anyconnect writes messages to /var/log/daemon.log. Issues seen so far:
- Authentication failed due to problem retrieving the single sign-on URL
This is due to not setting the PATH to the Cisco bin directory.
- Other issues
On my machine the profile /opt/cisco/anyconnect/profile/UTHSC.xml looks like
```xml
<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
  <ClientInitialization>
    <UseStartBeforeLogon UserControllable="true">true</UseStartBeforeLogon>
    <AutomaticCertSelection UserControllable="true">false</AutomaticCertSelection>
    <ShowPreConnectMessage>true</ShowPreConnectMessage>
    <CertificateStore>All</CertificateStore>
    <CertificateStoreMac>All</CertificateStoreMac>
    <CertificateStoreOverride>false</CertificateStoreOverride>
    <ProxySettings>Native</ProxySettings>
    <AllowLocalProxyConnections>true</AllowLocalProxyConnections>
    <AuthenticationTimeout>12</AuthenticationTimeout>
    <AutoConnectOnStart UserControllable="true">false</AutoConnectOnStart>
    <MinimizeOnConnect UserControllable="true">false</MinimizeOnConnect>
    <LocalLanAccess UserControllable="true">true</LocalLanAccess>
    <DisableCaptivePortalDetection UserControllable="false">false</DisableCaptivePortalDetection>
    <ClearSmartcardPin UserControllable="true">true</ClearSmartcardPin>
    <IPProtocolSupport>IPv4</IPProtocolSupport>
    <AutoReconnect UserControllable="false">true
      <AutoReconnectBehavior UserControllable="false">ReconnectAfterResume</AutoReconnectBehavior>
    </AutoReconnect>
    <AutoUpdate UserControllable="false">true</AutoUpdate>
    <RSASecurIDIntegration UserControllable="false">Automatic</RSASecurIDIntegration>
    <WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>
    <WindowsVPNEstablishment>LocalUsersOnly</WindowsVPNEstablishment>
    <AutomaticVPNPolicy>false</AutomaticVPNPolicy>
    <PPPExclusion UserControllable="false">Disable
      <PPPExclusionServerIP UserControllable="false"></PPPExclusionServerIP>
    </PPPExclusion>
    <EnableScripting UserControllable="false">false</EnableScripting>
    <EnableAutomaticServerSelection UserControllable="false">false
      <AutoServerSelectionImprovement>20</AutoServerSelectionImprovement>
      <AutoServerSelectionSuspendTime>4</AutoServerSelectionSuspendTime>
    </EnableAutomaticServerSelection>
    <RetainVpnOnLogoff>false
    </RetainVpnOnLogoff>
    <AllowManualHostInput>true</AllowManualHostInput>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>UTHSCVPN</HostName>
      <HostAddress>UTHSCVPN1.UTHSC.EDU</HostAddress>
      <BackupServerList>
        <HostAddress>UTHSCVPN2.UTHSC.EDU</HostAddress>
      </BackupServerList>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
```
and the policy file is standard:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectLocalPolicy xmlns="http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectLocalPolicy.xsd" acversion="4.9.00086">
  <BypassDownloader>false</BypassDownloader>
  <ExcludeFirefoxNSSCertStore>false</ExcludeFirefoxNSSCertStore>
  <ExcludeMacNativeCertStore>false</ExcludeMacNativeCertStore>
  <ExcludePemFileCertStore>false</ExcludePemFileCertStore>
  <ExcludeWinNativeCertStore>false</ExcludeWinNativeCertStore>
  <FipsMode>false</FipsMode>
  <RestrictPreferenceCaching>false</RestrictPreferenceCaching>
  <RestrictTunnelProtocols>false</RestrictTunnelProtocols>
  <RestrictWebLaunch>false</RestrictWebLaunch>
  <StrictCertificateTrust>false</StrictCertificateTrust>
  <UpdatePolicy>
    <AllowComplianceModuleUpdatesFromAnyServer>true</AllowComplianceModuleUpdatesFromAnyServer>
    <AllowISEProfileUpdatesFromAnyServer>true</AllowISEProfileUpdatesFromAnyServer>
    <AllowManagementVPNProfileUpdatesFromAnyServer>true</AllowManagementVPNProfileUpdatesFromAnyServer>
    <AllowServiceProfileUpdatesFromAnyServer>true</AllowServiceProfileUpdatesFromAnyServer>
    <AllowSoftwareUpdatesFromAnyServer>true</AllowSoftwareUpdatesFromAnyServer>
    <AllowVPNProfileUpdatesFromAnyServer>true</AllowVPNProfileUpdatesFromAnyServer>
  </UpdatePolicy>
</AnyConnectLocalPolicy>
```
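The "single sign-on URL" failure listed under the daemon.log issues above comes down to a PATH problem, which is easy to confirm from the log and the user's environment before touching the profile. The script below is an added example, not Cisco's or the original notes' code: it counts that message in a log file and checks whether /opt/cisco/anyconnect/bin is on the PATH. The two sample log lines it writes are constructed, not real vpnagentd output.

```sh
#!/bin/sh
# Added example, not from the original notes: match the "single sign-on
# URL" failure from the anyconnect log against the PATH fix the notes
# give. Log path and bin directory are the notes' values; the sample
# log lines are constructed.

AC_BIN=/opt/cisco/anyconnect/bin
SSO_MSG='Authentication failed due to problem retrieving the single sign-on URL'

# Write two constructed daemon.log lines to $1 for an offline run.
write_sample_log() {
    cat > "$1" <<EOF
May 18 10:00:01 laptop vpnagentd[1234]: $SSO_MSG
May 18 10:00:02 laptop vpnagentd[1234]: constructed filler line
EOF
}

# Number of SSO-URL failures in a log (0 when the file is unreadable).
count_sso_failures() {
    n=$(grep -c "$SSO_MSG" "${1:-/var/log/daemon.log}" 2>/dev/null) || true
    echo "${n:-0}"
}

# 0 if the PATH string in $1 (default: current PATH) lists $AC_BIN.
path_has_anyconnect() {
    case ":${1:-$PATH}:" in
        *":$AC_BIN:"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the notes' fix and return 1 when the log shows the failure and
# the PATH lacks the anyconnect bin directory; return 0 otherwise.
anyconnect_diagnose() {
    log="${1:-/var/log/daemon.log}"
    n=$(count_sso_failures "$log")
    if [ "$n" -gt 0 ] && ! path_has_anyconnect "${2:-$PATH}"; then
        echo "$n SSO-URL failure(s) in $log and $AC_BIN not in PATH;" \
             "run: export PATH=$AC_BIN:\$PATH  then vpnui" >&2
        return 1
    fi
    return 0
}
```

On a real machine run `anyconnect_diagnose` with no arguments as the user who starts vpnui, since the PATH that matters is that user's, not root's.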