Despite the fact that Linux systems are increasingly common, many academic institutions are married to Microsoft and make it challenging to run Linux and other Unices on laptops, workstations and servers. In bioinformatics, most tools are developed on Linux to run on servers it only makes sense to run Linux everywhere. That is what we do and that is what we document here where we proudly run Linux at the University of Tennessee.
Note that there are people in the IT departments who know Linux. Simply because they also have to run Linux machines!
For some other useful tips on using Linux see ./TIPS.org.
Eduroam works great on Linux with wpa_supplicant and network managers. The configuration looks like:
cat /etc/wpa_supplicant_eduroam.conf
# Copied from https://github.com/RasmusWL/eduroam ctrl_interface=/var/run/wpa_supplicant eapol_version=1 ap_scan=1 fast_reauth=1 network={ ssid="eduroam" # key_mgmt=IEEE8021X WPA-NONE WPA-EAP key_mgmt=WPA-EAP pairwise=CCMP group=CCMP TKIP eap=PEAP identity="[email protected]" password="***" #ca_cert="/location/of/cert" # This might not be required. phase1="tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1" phase2="auth=MSCHAPV2" priority=2 auth_alg=OPEN }
Using your E-mail address and password. Start wpa_supplicant with something like
pkill wpa_supplicant ; wpa_supplicant -Dwext -i$WLAN -c /etc/wpa_supplicant_eduroam.conf &
where WLAN is your wifi interface, see
ip a
E.g.
export WLAN=wlp3s0
Next fire up dhcp so you can get on the network
pkill dhclient ; dhclient -v $WLAN
Eduroam works great but it puts you on a separate VLAN with no access to printers. To get access to the proper VLAN login with just your netid (not your E-mail address!!) using the same wpa_supplicant configuration as with eduroam. On success the IP address you get from dhclient should be different. If that is not the case send the output of
ip a
to your support desk and ask them to put your machine on the VLAN. After their confirmation you should see the printers. It may help to send the IP address of the printer too.
With CUPS you can install a printer. One printer in our VLAN is configured as
cat /etc/cups/printers.conf
<DefaultPrinter Xerox6360Color> UUID urn:uuid:9a41b18c-c26b-3bf6-5d34-287b3d3457a7 Info Xerox6360Color MakeModel Xerox Phaser 6360 Foomatic/Postscript (recommended) DeviceURI socket://172.21.216.173 State Idle StateTime 1558107438 ConfigTime 1558028722 Type 8433692 Accepting Yes Shared No JobSheets none none QuotaPeriod 0 PageLimit 0 KLimit 0 OpPolicy default ErrorPolicy retry-job Attribute marker-colors \#00FFFF,#FF00FF,#FFFF00,#000000,none,none,none Attribute marker-levels 23,29,20,78,90,95,-1 Attribute marker-names Cyan High Capacity Toner Cartridge, Phaser 6360, P/N 106R01218,Magenta High Capacity Toner Cartridge, Phaser 6360, P/N 106R01219,Yellow High Capacity Toner Cartridge, Phaser 6360, P/N 106R01220,Black High Capacity Toner Cartridge, Phaser 6360, P/N 106R01221,Imaging Unit, Phaser 6360, P/N 108R00645,Fuser, Phaser 6360, P/N 115R00055 (110 V)/115R00056 (220 V),Transfer Roller, Phaser 6360, P/N 108R00646 Attribute marker-types toner,toner,toner,toner,opc,fuser,transfer-unit Attribute marker-change-time 1558107438 </DefaultPrinter>
Note that while IPP is configured on this printer it did not respond to ipp://. It does work with above socket link. It may be advisable to use the DNS name, e.g. socket://tsrb-81795-410h.uthsc.edu. The driver that works best is Xerox Phaser 6360DN - CUPS+Gutenprint v5.2.11 (grayscale, 2-sided printing).
2-factor authentication was recently introduced. It requires a special app for Android/iPhone. Not exactly Linux specific and UT does not advertise it, but you can also get a token from the help desk. This is a preferred option because it is more secure and always works (until the battery runs out).
IMAP and forwarding are no longer available since January 2022. This is a real PAIN. Worse is the fact that UT is heavily in bed with Microsoft. And that means dealing with proprietary interfaces.
Webmail and other web-based tools work in Firefox. Some SAP-based tools require the Chrome browser. Your mileage may vary, but in general it is a good idea to try different browsers.
Microsoft software provided by UT does not work on Linux. You can opt to use Libreoffice/Openoffice and such, but it may be painful collaborating with people that use these tools (at least for shared writing). Note: it is possible to run Microsoft Office 2012 in Wine on Linux. That may be good enough for most of us.
UTHSC VPN requires two factor DUO authentication (2FA) using the propietary closed source (!) Cisco anyconnect tool. Note that anyconnect takes over the whole network on your Linux machine. May pay to run a VM. What works is getting a recent version of the client *)
tar xvzf anyconnect-linux64-$VER-predeploy-k9.tar.gz cd any*/vpn
Note the install script wants to install in /opt/cisco. You can modify that.
mkdir /opt/cisco ./vpn_install.sh
Which is running as /opt/cisco/anyconnect/bin/vpnagentd
daemon. Start
as root:
/opt/cisco/anyconnect/bin/vpnagentd -execv_instance &
The VPN clients can be found in
/opt/cisco/anyconnect/bin
. Important: as a normal user make sure the
PATH is up-to-date and
“`sh export PATH=/opt/cisco/anyconnect/bin:$PATH vpnui “`
For description type UTHSC
. Make sure to use upper case. For the
Server Address field type uthscvpn1.uthsc.edu
. Then click “Save”.
The connect is to UTHSCVPN
with group UTHSC
.
*) Note: there is no point in signing up with Cisco’s website - they still don’t allow the client download. Best way is to get the software from UTHSC directly (contact support).
Note openconnect is not working right now! See anyconnect
UT uses Cisco VPNs which allow you to use your machine from outside as if it is on the local network. The following used to work but needs to be fixed with (duo) 2FA:
This information is out of date:
I use the following entry point for UTHSC using openconnect, but there are others you can use. Simply
openconnect --user=yourname https://uthscvpn1.uthsc.edu/ --passwd-on-stdin
Type your password and ENTER and you should be able to get in.
anyconnect writes messages to /var/log/daemon.log.
- Authentication failed due to problem retrieving the single sign-on URL
This is due to not setting the PATH to the cisco BIN directory.
- Other issues
On my machine the profile /opt/cisco/anyconnect/profile/UTHSC.xml
looks like
<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
<ClientInitialization>
<UseStartBeforeLogon UserControllable="true">true</UseStartBeforeLogon>
<AutomaticCertSelection UserControllable="true">false</AutomaticCertSelection>
<ShowPreConnectMessage>true</ShowPreConnectMessage>
<CertificateStore>All</CertificateStore>
<CertificateStoreMac>All</CertificateStoreMac>
<CertificateStoreOverride>false</CertificateStoreOverride>
<ProxySettings>Native</ProxySettings>
<AllowLocalProxyConnections>true</AllowLocalProxyConnections>
<AuthenticationTimeout>12</AuthenticationTimeout>
<AutoConnectOnStart UserControllable="true">false</AutoConnectOnStart>
<MinimizeOnConnect UserControllable="true">false</MinimizeOnConnect>
<LocalLanAccess UserControllable="true">true</LocalLanAccess>
<DisableCaptivePortalDetection UserControllable="false">false</DisableCaptivePortalDetection>
<ClearSmartcardPin UserControllable="true">true</ClearSmartcardPin>
<IPProtocolSupport>IPv4</IPProtocolSupport>
<AutoReconnect UserControllable="false">true
<AutoReconnectBehavior UserControllable="false">ReconnectAfterResume</AutoReconnectBehavior>
</AutoReconnect>
<AutoUpdate UserControllable="false">true</AutoUpdate>
<RSASecurIDIntegration UserControllable="false">Automatic</RSASecurIDIntegration>
<WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>
<WindowsVPNEstablishment>LocalUsersOnly</WindowsVPNEstablishment>
<AutomaticVPNPolicy>false</AutomaticVPNPolicy>
<PPPExclusion UserControllable="false">Disable
<PPPExclusionServerIP UserControllable="false"></PPPExclusionServerIP>
</PPPExclusion>
<EnableScripting UserControllable="false">false</EnableScripting>
<EnableAutomaticServerSelection UserControllable="false">false
<AutoServerSelectionImprovement>20</AutoServerSelectionImprovement>
<AutoServerSelectionSuspendTime>4</AutoServerSelectionSuspendTime>
</EnableAutomaticServerSelection>
<RetainVpnOnLogoff>false
</RetainVpnOnLogoff>
<AllowManualHostInput>true</AllowManualHostInput>
</ClientInitialization>
<ServerList>
<HostEntry>
<HostName>UTHSCVPN</HostName>
<HostAddress>UTHSCVPN1.UTHSC.EDU</HostAddress>
<BackupServerList>
<HostAddress>UTHSCVPN2.UTHSC.EDU</HostAddress>
</BackupServerList>
</HostEntry>
</ServerList>
</AnyConnectProfile>
and the policy file is standard
<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectLocalPolicy xmlns="http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectLocalPolicy.xsd" acversion="4.9.00086">
<BypassDownloader>false</BypassDownloader>
<ExcludeFirefoxNSSCertStore>false</ExcludeFirefoxNSSCertStore>
<ExcludeMacNativeCertStore>false</ExcludeMacNativeCertStore>
<ExcludePemFileCertStore>false</ExcludePemFileCertStore>
<ExcludeWinNativeCertStore>false</ExcludeWinNativeCertStore>
<FipsMode>false</FipsMode>
<RestrictPreferenceCaching>false</RestrictPreferenceCaching>
<RestrictTunnelProtocols>false</RestrictTunnelProtocols>
<RestrictWebLaunch>false</RestrictWebLaunch>
<StrictCertificateTrust>false</StrictCertificateTrust>
<UpdatePolicy>
<AllowComplianceModuleUpdatesFromAnyServer>true</AllowComplianceModuleUpdatesFromAnyServer>
<AllowISEProfileUpdatesFromAnyServer>true</AllowISEProfileUpdatesFromAnyServer>
<AllowManagementVPNProfileUpdatesFromAnyServer>true</AllowManagementVPNProfileUpdatesFromAnyServer>
<AllowServiceProfileUpdatesFromAnyServer>true</AllowServiceProfileUpdatesFromAnyServer>
<AllowSoftwareUpdatesFromAnyServer>true</AllowSoftwareUpdatesFromAnyServer>
<AllowVPNProfileUpdatesFromAnyServer>true</AllowVPNProfileUpdatesFromAnyServer></UpdatePolicy>
</AnyConnectLocalPolicy>